Merge branch 'master' of https://github.com/NixOS/nixpkgs

2014-06-07 23:29:48 -04:00 · 2014-06-07 23:29:48 -04:00 · 632ccf8bc6
commit 632ccf8bc6
parent 2f4517697e 476a3d818f
2387 changed files with 54707 additions and 23736 deletions
--- a/.version
+++ b/.version
@ -1 +1 @@
-14.04
+14.10
--- a/README.md
+++ b/README.md
@ -1,7 +1,7 @@
 Nixpkgs is a collection of packages for [Nix](http://nixos.org/nix/) package
 manager. Nixpkgs also includes [NixOS](http://nixos.org/nixos/) linux distribution source code.
-* [NixOS installation instructions](http://nixos.org/nixos/manual/#installing-nixos)
+* [NixOS installation instructions](http://nixos.org/nixos/manual/#ch-installation)
 * [Manual (How to write packages for Nix)](http://nixos.org/nixpkgs/manual/)
 * [Manual (NixOS)](http://nixos.org/nixos/manual/)
 * [Continuous build](http://hydra.nixos.org/jobset/nixos/trunk-combined)
--- a/doc/meta.xml
+++ b/doc/meta.xml
@ -164,7 +164,7 @@ meta.hydraPlatforms = [];
    <listitem><para>If set to <literal>true</literal>, the package is
    marked as “broken”, meaning that it won’t show up in
    <literal>nix-env -qa</literal>, and cannot be built or installed.
-    Sush packages should be removed from Nixpkgs eventually unless
+    Such packages should be removed from Nixpkgs eventually unless
    they are fixed.</para></listitem>
  </varlistentry>
--- a/doc/quick-start.xml
+++ b/doc/quick-start.xml
@ -71,7 +71,7 @@ $ git add pkgs/development/libraries/libfoo/default.nix</screen>
        <listitem>
          <para>GNU Multiple Precision arithmetic library (GMP): <link
-          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/gmp/5.1.1.nix"><filename>pkgs/development/libraries/gmp/5.1.1.nix</filename></link>.
+          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/gmp/5.1.x.nix"><filename>pkgs/development/libraries/gmp/5.1.x.nix</filename></link>.
          Also done by the generic builder, but has a dependency on
          <varname>m4</varname>.</para>
        </listitem>
--- a/lib/composable-derivation.nix
+++ b/lib/composable-derivation.nix
@ -1,15 +1,74 @@
 {lib, pkgs} :
 let inherit (lib) nv nvs; in
 {
-  # see for example:
+
-  # - development/interpreters/php_configurable/default.nix
+  # composableDerivation basically mixes these features:
-  # - .. search composableDerivation in all-packages.nix ..
+  # - fix function
  # - mergeAttrBy
  # - provides shortcuts for "options" such as "--enable-foo" and adding
  #   buildInputs, see php example
  #
-  # You should be able to override anything you like easily
+  # It predates styles which are common today, such as
-  # grep the mailinglist by title "python proposal" (dec 08)
+  #  * the config attr
-  # -> http://mail.cs.uu.nl/pipermail/nix-dev/2008-December/001571.html
+  #  * mkDerivation.override feature
-  # to see why this got complicated when using all its features
+  #  * overrideDerivation (lib/customization.nix)
-  # TODO add newer example using new syntax (kernel derivation proposal -> mailinglist)
+  #
  # Some of the most more important usage examples (which could be rewritten if it was important):
  # * php
  # * postgis
  # * vim_configurable
  #
  # A minimal example illustrating most features would look like this:
  # let base = composableDerivation { (fixed : let inherit (fixed.fixed) name in {
  #    src = fetchurl {
  #    }
  #    buildInputs = [A];
  #    preConfigre = "echo ${name}";
  #    # attention, "name" attr is missing, thus you cannot instantiate "base".
  # }
  # in {
  #  # These all add name attribute, thus you can instantiate those:
  #  v1 = base.merge   ({ name = "foo-add-B"; buildInputs = [B]; });       // B gets merged into buildInputs
  #  v2 = base.merge   ({ name = "mix-in-pre-configure-lines" preConfigre = ""; });
  #  v3 = base.replace ({ name = "foo-no-A-only-B;" buildInputs = [B]; });
  # }
  #
  # So yes, you can think about it being something like nixos modules, and
  # you'd be merging "features" in one at a time using .merge or .replace
  # Thanks Shea for telling me that I rethink the documentation ..
  #
  # issues:
  # * its complicated to understand
  # * some "features" such as exact merge behaviour are burried in mergeAttrBy
  #   and defaultOverridableDelayableArgs assuming the default behaviour does
  #   the right thing in the common case
  # * Eelco once said using such fix style functions are slow to evaluate
  # * Too quick & dirty. Hard to understand for others. The benefit was that
  #   you were able to create a kernel builder like base derivation and replace
  #   / add patches the way you want without having to declare function arguments
  #
  # nice features:
  # declaring "optional featuers" is modular. For instance:
  #   flags.curl = {
  #     configureFlags = ["--with-curl=${curl}" "--with-curlwrappers"];
  #     buildInputs = [curl openssl];
  #   };
  #   flags.other = { .. }
  # (Example taken from PHP)
  #
  # alternative styles / related features:
  #  * Eg see function supporting building the kernel
  #  * versionedDerivation (discussion about this is still going on - or ended)
  #  * composedArgsAndFun
  #  * mkDerivation.override
  #  * overrideDerivation
  #  * using { .., *Support ? false }: like configurable options.
  # To find those examples use grep
  #
  # To sum up: It exists for historical reasons - and for most commonly used
  # tasks the alternatives should be used
  #
  # If you have questions about this code ping Marc Weber.
  composableDerivation = {
        mkDerivation ? pkgs.stdenv.mkDerivation,
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -64,6 +64,12 @@
    url = https://fedoraproject.org/wiki/Licensing/BSD;
  };
  cc-by-30 = {
    shortName = "CC BY 3.0";
    fullName = "Creative Commons Attribution 3.0";
    url = http://creativecommons.org/licenses/by/3.0;
  };
  cddl = {
    shortName = "CDDL";
    fullName = "Common Development Distribution License ";
@ -202,6 +208,12 @@
    url = https://www.mozilla.org/MPL/2.0;
  };
  ofl = {
    shortName = "OFL";
    fullName = "SIL Open Font License";
    url = "http://scripts.sil.org/cms/scripts/page.php?site_id=nrsi&id=OFL_web";
  };
  openssl = {
    shortName = "openssl";
    fullName = "OpenSSL license";
@ -254,4 +266,22 @@
    fullName  = "Sleepycat Public License";
    url       = "https://en.wikipedia.org/wiki/Sleepycat_License";
  };
  cecill-c = {
    shortName = "CeCILL-C";
    fullName  = "CEA CNRS INRIA Logiciel Libre";
    url       = "http://www.cecill.info/licences.en.html";
  };
  msrla = {
    shortName = "MSR-LA";
    fullName  = "Microsoft Research License Agreement";
    url       = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";
  };
  inria = {
    shortName = "INRIA-NCLA";
    fullName  = "INRIA Non-Commercial License Agreement";
    url       = "http://compcert.inria.fr/doc/LICENSE";
  };
 }
--- a/lib/lists.nix
+++ b/lib/lists.nix
@ -227,6 +227,4 @@ in rec {
  crossLists = f: foldl (fs: args: concatMap (f: map f args) fs) [f];
  # List difference, xs - ys. Removes elements of ys from xs.
  difference = xs: ys: filter (y: !(builtins.elem y ys)) xs;
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -14,23 +14,29 @@
  AndersonTorres = "Anderson Torres <torres.anderson.85@gmail.com>";
  andres = "Andres Loeh <ksnixos@andres-loeh.de>";
  antono = "Antono Vasiljev <self@antono.info>";
  arobyn = "Alexei Robyn <shados@shados.net>";
  astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
  aszlig = "aszlig <aszlig@redmoonstudios.org>";
  bbenoist = "Baptist BENOIST <return_0@live.com>";
  bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
  berdario = "Dario Bertini <berdario@gmail.com>";
  bjg = "Brian Gough <bjg@gnu.org>";
  bjornfor = "Bjørn Forsman <bjorn.forsman@gmail.com>";
  bluescreen303 = "Mathijs Kwik <mathijs@bluescreen303.nl>";
  bodil = "Bodil Stokke <nix@bodil.org>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
  coroa = "Jonas Hörsch <jonas@chaoflow.net>";
  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
  ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
  edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
  eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
-  emery = "Emery Hemingawy <emery@vfemail.net>";
+  emery = "Emery Hemingway <emery@vfemail.net>";
  ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
  falsifian = "James Cook <james.cook@utoronto.ca>";
  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
  garbas = "Rok Garbas <rok@garbas.si>";
  goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
  guibert = "David Guibert <david.guibert@gmail.com>";
@ -39,6 +45,8 @@
  iElectric = "Domen Kozar <domen@dev.si>";
  iyzsong = "Song Wenwu <iyzsong@gmail.com>";
  jcumming = "Jack Cummings <jack@mudshark.org>";
  joelteon = "Joel Taylor <me@joelt.io>";
  jwiegley = "John Wiegley <johnw@newartisans.com>";
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
  lethalman = "Luca Bruno <lucabru@src.gnome.org>";
@ -59,10 +67,12 @@
  pierron = "Nicolas B. Pierron <nixos@nbp.name>";
  piotr = "Piotr Pietraszkiewicz <ppietrasa@gmail.com>";
  pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
  plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
  pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
  qknight = "Joachim Schiele <js@lastlog.de>";
  raskin = "Michael Raskin <7c6f434c@mail.ru>";
  redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
  relrod = "Ricky Elrod <ricky@elrod.me>";
  rickynils = "Rickard Nilsson <rickynils@gmail.com>";
  rob = "Rob Vermaas <rob.vermaas@gmail.com>";
  roconnor = "Russell O'Connor <roconnor@theorem.ca>";
@ -80,12 +90,14 @@
  tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
  ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
  vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
  vcunat = "Vladimír Čunát <vcunat@gmail.com>";
  viric = "Lluís Batlle i Rossell <viric@viric.name>";
  vizanto = "Danny Wilson <danny@prime.vc>";
  vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
  winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";
  wizeman = "Ricardo M. Correia <rcorreia@wizy.org>";
  wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
  z77z = "Marco Maggesi <maggesi@math.unifi.it>";
  zef = "Zef Hemel <zef@zef.me>";
  zimbatm = "zimbatm <zimbatm@zimbatm.com>";
--- a/lib/modules.nix
+++ b/lib/modules.nix
@ -319,6 +319,8 @@ rec {
  mkForce = mkOverride 50;
  mkVMOverride = mkOverride 10; # used by ‘nixos-rebuild build-vm’
  mkStrict = builtins.trace "`mkStrict' is obsolete; use `mkOverride 0' instead." (mkOverride 0);
  mkFixStrictness = id; # obsolete, no-op
  mkOrder = priority: content:
--- a/lib/strings.nix
+++ b/lib/strings.nix
@ -56,12 +56,14 @@ rec {
  optionalString = cond: string: if cond then string else "";
-  # Determine whether a filename ends in the given suffix.
+  # Determine whether a string has given prefix/suffix.
-  hasSuffix = ext: fileName:
+  hasPrefix = pref: str:
-    let lenFileName = stringLength fileName;
+     substring 0 (stringLength pref) str == pref;
-        lenExt = stringLength ext;
+  hasSuffix = suff: str:
-    in !(lessThan lenFileName lenExt) &&
+    let lenStr = stringLength str;
-       substring (sub lenFileName lenExt) lenFileName fileName == ext;
+        lenSuff = stringLength suff;
    in lenStr >= lenSuff &&
       substring (lenStr - lenSuff) lenStr str == suff;
  # Convert a string to a list of characters (i.e. singleton strings).
@ -155,8 +157,18 @@ rec {
      preLen = stringLength pre;
      sLen = stringLength s;
    in
-      if pre == substring 0 preLen s then
+      if hasPrefix pre s then
-        substring preLen (sub sLen preLen) s
+        substring preLen (sLen - preLen) s
      else
        s;
  removeSuffix = suf: s:
    let
      sufLen = stringLength suf;
      sLen = stringLength s;
    in
      if sufLen <= sLen && suf == substring (sLen - sufLen) sufLen s then
        substring 0 (sLen - sufLen) s
      else
        s;
--- a/lib/types.nix
+++ b/lib/types.nix
@ -194,6 +194,12 @@ rec {
            args = { name = ""; }; }).options;
      };
    enum = values: mkOptionType {
      name = "one of ${concatStringsSep ", " values}";
      check = flip elem values;
      merge = mergeOneOption;
    };
    # Obsolete alternative to configOf.  It takes its option
    # declarations from the ‘options’ attribute of containing option
    # declaration.
--- a/maintainers/scripts/copy-tarballs.pl
+++ b/maintainers/scripts/copy-tarballs.pl
@ -75,7 +75,6 @@ foreach my $file (@{$data->{list}->{attrs}}) {
    waitpid($pid, 0) or die;
    if ($? != 0) {
        print STDERR "failed to fetch $url: $?\n";
        last if $? >> 8 == 255;
        next;
    }
    <$fh>; my $storePath = <$fh>; chomp $storePath;
@ -92,4 +91,7 @@ foreach my $file (@{$data->{list}->{attrs}}) {
    my $sha256 = hashFile("sha256", 0, $storePath) or die;
    symlink("../$fn", "$tarballsCache/sha256/$sha256");
    $sha256 = hashFile("sha256", 1, $storePath) or die;
    symlink("../$fn", "$tarballsCache/sha256/$sha256");
 }
--- a/nixos/doc/manual/configuration.xml
+++ b/nixos/doc/manual/configuration.xml
@ -237,7 +237,7 @@ postgresql.package = pkgs.postgresql90;
 </section>
-<section><title>Abstractions</title>
+<section xml:id="sec-module-abstractions"><title>Abstractions</title>
 <para>If you find yourself repeating yourself over and over, it’s time
 to abstract.  Take, for instance, this Apache HTTP Server configuration:
@ -399,7 +399,7 @@ of an expression to be spliced into a string.</para>
 </section>
-<section><title>Modularity</title>
+<section xml:id="sec-modularity"><title>Modularity</title>
 <para>The NixOS configuration mechanism is modular.  If your
 <filename>configuration.nix</filename> becomes too big, you can split
@ -538,7 +538,7 @@ nix-repl> map (x: x.hostName) config.services.httpd.virtualHosts
 </section>
-<section><title>Syntax summary</title>
+<section xml:id="sec-nix-syntax-summary"><title>Syntax summary</title>
 <para>Below is a summary of the most important syntactic constructs in
 the Nix expression language.  It’s not complete.  In particular, there
@ -730,7 +730,7 @@ manual</link> for the rest.</para>
 <!--===============================================================-->
-<section><title>Package management</title>
+<section xml:id="sec-package-management"><title>Package management</title>
 <para>This section describes how to add additional packages to your
 system.  NixOS has two distinct styles of package management:
@ -935,7 +935,7 @@ environment.systemPackages = [ (import ./my-hello.nix) ];
 </programlisting>
 where <filename>my-hello.nix</filename> contains:
 <programlisting>
-with &lt;nixpkgs> {}; # bring all of Nixpkgs into scope
+with import &lt;nixpkgs> {}; # bring all of Nixpkgs into scope
 stdenv.mkDerivation rec {
  name = "hello-2.8";
@ -1183,7 +1183,7 @@ fileSystems."/".device = "/dev/mapper/crypted";
 <!--===============================================================-->
-<section><title>X Window System</title>
+<section xml:id="sec-x11"><title>X Window System</title>
 <para>The X Window System (X11) provides the basis of NixOS’ graphical
 user interface.  It can be enabled as follows:
@ -1195,7 +1195,7 @@ driver from a set of X.org drivers (such as <literal>vesa</literal>
 and <literal>intel</literal>).  You can also specify a driver
 manually, e.g.
 <programlisting>
-hardware.opengl.videoDrivers = [ "r128" ];
+services.xserver.videoDrivers = [ "r128" ];
 </programlisting>
 to enable X.org’s <literal>xf86-video-r128</literal> driver.</para>
@ -1238,7 +1238,7 @@ $ systemctl start display-manager.service
 has better 3D performance than the X.org drivers.  It is not enabled
 by default because it’s not free software.  You can enable it as follows:
 <programlisting>
-hardware.opengl.videoDrivers = [ "nvidia" ];
+services.xserver.videoDrivers = [ "nvidia" ];
 </programlisting>
 You may need to reboot after enabling this driver to prevent a clash
 with other kernel modules.</para>
@ -1275,9 +1275,9 @@ services.xserver.synaptics.twoFingerScroll = true;
 <!--===============================================================-->
-<section><title>Networking</title>
+<section xml:id="sec-networking"><title>Networking</title>
-<section><title>Secure shell access</title>
+<section xml:id="sec-ssh"><title>Secure shell access</title>
 <para>Secure shell (SSH) access to your machine can be enabled by
 setting:
@ -1305,7 +1305,7 @@ users.extraUsers.alice.openssh.authorizedKeys.keys =
 </section>
-<section><title>IPv4 configuration</title>
+<section xml:id="sec-ipv4"><title>IPv4 configuration</title>
 <para>By default, NixOS uses DHCP (specifically,
 <command>dhcpcd</command>) to automatically configure network
@ -1348,7 +1348,7 @@ provide the host name.</para>
 </section>
-<section><title>IPv6 configuration</title>
+<section xml:id="sec-ipv6"><title>IPv6 configuration</title>
 <para>IPv6 is enabled by default.  Stateless address autoconfiguration
 is used to automatically assign IPv6 addresses to all interfaces.  You
@ -1363,17 +1363,19 @@ networking.enableIPv6 = false;
 </section>
-<section><title>Firewall</title>
+<section xml:id="sec-firewall"><title>Firewall</title>
 <para>NixOS has a simple stateful firewall that blocks incoming
 connections and other unexpected packets.  The firewall applies to
-both IPv4 and IPv6 traffic.  It can be enabled as follows:
+both IPv4 and IPv6 traffic. It is enabled by default. It can be
 disabled as follows:
 <programlisting>
-networking.firewall.enable = true;
+networking.firewall.enable = false;
 </programlisting>
-You can open specific TCP ports to the outside world:
+If the firewall is enabled, you can open specific TCP ports to the
 outside world:
 <programlisting>
 networking.firewall.allowedTCPPorts = [ 80 443 ];
@ -1395,7 +1397,7 @@ always allowed.)</para>
 </section>
-<section><title>Wireless networks</title>
+<section xml:id="sec-wireless"><title>Wireless networks</title>
 <para>
 NixOS will start wpa_supplicant for you if you enable this setting:
@ -1456,7 +1458,7 @@ networking.localCommands =
 <!--===============================================================-->
-<section><title>Linux kernel</title>
+<section xml:id="sec-kernel-config"><title>Linux kernel</title>
 <para>You can override the Linux kernel and associated packages using
 the option <option>boot.kernelPackages</option>.  For instance, this
--- a/nixos/doc/manual/containers.xml
+++ b/nixos/doc/manual/containers.xml
@ -213,8 +213,8 @@ $ ping -c1 10.233.4.2
 <para>Networking is implemented using a pair of virtual Ethernet
 devices. The network interface in the container is called
 <literal>eth0</literal>, while the matching interface in the host is
-called <literal>c-<replaceable>container-name</replaceable></literal>
+called <literal>ve-<replaceable>container-name</replaceable></literal>
-(e.g., <literal>c-foo</literal>).  The container has its own network
+(e.g., <literal>ve-foo</literal>).  The container has its own network
 namespace and the <literal>CAP_NET_ADMIN</literal> capability, so it
 can perform arbitrary network configuration such as setting up
 firewall rules, without affecting or having access to the host’s
@ -228,11 +228,11 @@ on the host:
 <programlisting>
 networking.nat.enable = true;
-networking.nat.internalInterfaces = ["c-+"];
+networking.nat.internalInterfaces = ["ve-+"];
 networking.nat.externalInterface = "eth0";
 </programlisting>
 where <literal>eth0</literal> should be replaced with the desired
-external interface. Note that <literal>c-+</literal> is a wildcard
+external interface. Note that <literal>ve-+</literal> is a wildcard
 that matches all container interfaces.</para>
 </section>
--- a/nixos/doc/manual/development.xml
+++ b/nixos/doc/manual/development.xml
@ -1,5 +1,6 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink">
+         xmlns:xlink="http://www.w3.org/1999/xlink"
         xml:id="ch-development">
 <title>Development</title>
@ -9,7 +10,7 @@ NixOS.</para>
 <!--===============================================================-->
-<section>
+<section xml:id="sec-getting-sources">
 <title>Getting the sources</title>
@ -38,7 +39,37 @@ This will check out the latest NixOS sources to
 and the Nixpkgs sources to
 <filename><replaceable>/my/sources</replaceable>/nixpkgs</filename>.
 (The NixOS source tree lives in a subdirectory of the Nixpkgs
-repository.)  If you want to rebuild your system using your (modified)
+repository.)</para>
 <para>It’s often inconvenient to develop directly on the master
 branch, since if somebody has just committed (say) a change to GCC,
 then the binary cache may not have caught up yet and you’ll have to
 rebuild everything from source. So you may want to create a local
 branch based on your current NixOS version:
 <screen>
 $ nixos-version
 14.04.273.ea1952b (Baboon)
 $ git checkout -b local ea1952b
 </screen>
 Or, to base your local branch on the latest version available in the
 NixOS channel:
 <screen>
 $ curl -sI http://nixos.org/channels/nixos-unstable/ | grep Location
 Location: http://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/
 $ git checkout -b local acaf4a6
 </screen>
 You can then use <command>git rebase</command> to sync your local
 branch with the upstream branch, and use <command>git
 cherry-pick</command> to copy commits from your local branch to the
 upstream branch.</para>
 <para>If you want to rebuild your system using your (modified)
 sources, you need to tell <command>nixos-rebuild</command> about them
 using the <option>-I</option> flag:
@ -74,7 +105,7 @@ in <filename>nixos/</filename> as packages.</para>
 <!--===============================================================-->
-<section>
+<section xml:id="sec-writing-modules">
 <title>Writing NixOS modules</title>
@ -188,9 +219,9 @@ commands to be executed periodically by <command>cron</command>).</para>
 <example xml:id='locate-example'><title>NixOS module for the “locate” service</title>
 <programlisting>
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let locatedb = "/var/cache/locatedb"; in
@ -579,7 +610,7 @@ systemd.services.dhcpcd =
 <!--===============================================================-->
-<section>
+<section xml:id="sec-building-parts">
 <title>Building specific parts of NixOS</title>
@ -692,7 +723,7 @@ $ systemctl start tmp-httpd.service
 <!--===============================================================-->
-<section>
+<section xml:id="sec-building-cd">
 <title>Building your own NixOS CD</title>
@ -728,18 +759,22 @@ $ mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
 <title>Testing the installer</title>
-<para>Building, burning, and
+<para>Building, burning, and booting from an installation CD is rather
 booting from an installation CD is rather
 tedious, so here is a quick way to see if the installer works
 properly:
 <screen>
 $ nix-build -A config.system.build.nixos-install
-$ dd if=/dev/zero of=diskimage seek=2G count=0 bs=1
+$ mount -t tmpfs none /mnt
 $ yes | mke2fs -j diskimage
 $ mount -o loop diskimage /mnt
 $ ./result/bin/nixos-install</screen>
 To start a login shell in the new NixOS installation in
 <filename>/mnt</filename>:
 <screen>
 $ ./result/bin/nixos-install --chroot
 </screen>
 </para>
 </section>
@ -748,57 +783,310 @@ $ ./result/bin/nixos-install</screen>
 <!--===============================================================-->
-<section><title>Whole-system testing using virtual machines</title>
+<section xml:id="sec-nixos-tests">
-<para>Complete NixOS GNU/Linux systems can be tested in virtual
+<title>NixOS tests</title>
 machines (VMs).  This makes it possible to test a system upgrade or
 configuration change before rebooting into it, using the
 <command>nixos-rebuild build-vm</command> or <command>nixos-rebuild
 build-vm-with-bootloader</command> command.</para>
-<!-- The following is adapted from
+<para>When you add some feature to NixOS, you should write a test for
-     http://wiki.nixos.org/wiki/NixOS_VM_tests, by Eelco Dolstra. -->
+it. NixOS tests are kept in the directory <filename
-<para>The <filename>tests/</filename> directory in the NixOS source
+xlink:href="https://github.com/NixOS/nixpkgs/tree/master/nixos/tests">nixos/tests</filename>,
-tree contains several <emphasis>whole-system unit tests</emphasis>.
+and are executed (using Nix) by a testing framework that automatically
-These tests can be run<footnote><para>NixOS tests can be run both from
+starts one or more virtual machines containing the NixOS system(s)
-NixOS and from a non-NixOS GNU/Linux distribution, provided the Nix
+required for the test.</para>
-package manager is installed.</para></footnote> from the NixOS source
+
-tree as follows:
+<simplesect><title>Writing tests</title>
 <para>A NixOS test is a Nix expression that has the following structure:
 <programlisting>
 import ./make-test.nix {
  # Either the configuration of a single machine:
  machine =
    { config, pkgs, ... }:
    { <replaceable>configuration…</replaceable>
    };
  # Or a set of machines:
  nodes =
    { <replaceable>machine1</replaceable> =
        { config, pkgs, ... }: { <replaceable>…</replaceable> };
      <replaceable>machine2</replaceable> =
        { config, pkgs, ... }: { <replaceable>…</replaceable> };
      …
    };
  testScript =
    ''
      <replaceable>Perl code…</replaceable>
    '';
 }
 </programlisting>
 The attribute <literal>testScript</literal> is a bit of Perl code that
 executes the test (described below). During the test, it will start
 one or more virtual machines, the configuration of which is described
 by the attribute <literal>machine</literal> (if you need only one
 machine in your test) or by the attribute <literal>nodes</literal> (if
 you need multiple machines). For instance, <filename
 xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>
 only needs a single machine to test whether users can log in on the
 virtual console, whether device ownership is correctly maintained when
 switching between consoles, and so on. On the other hand, <filename
 xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nfs.nix">nfs.nix</filename>,
 which tests NFS client and server functionality in the Linux kernel
 (including whether locks are maintained across server crashes),
 requires three machines: a server and two clients.</para>
 <para>There are a few special NixOS configuration options for test
 VMs:
 <!-- FIXME: would be nice to generate this automatically. -->
 <variablelist>
  <varlistentry>
    <term><option>virtualisation.memorySize</option></term>
    <listitem><para>The memory of the VM in
    megabytes.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><option>virtualisation.vlans</option></term>
    <listitem><para>The virtual networks to which the VM is
    connected. See <filename
    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/nat.nix">nat.nix</filename>
    for an example.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><option>virtualisation.writableStore</option></term>
    <listitem><para>By default, the Nix store in the VM is not
    writable. If you enable this option, a writable union file system
    is mounted on top of the Nix store to make it appear
    writable. This is necessary for tests that run Nix operations that
    modify the store.</para></listitem>
  </varlistentry>
 </variablelist>
 For more options, see the module <filename
 xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix">qemu-vm.nix</filename>.</para>
 <para>The test script is a sequence of Perl statements that perform
 various actions, such as starting VMs, executing commands in the VMs,
 and so on. Each virtual machine is represented as an object stored in
 the variable <literal>$<replaceable>name</replaceable></literal>,
 where <replaceable>name</replaceable> is the identifier of the machine
 (which is just <literal>machine</literal> if you didn’t specify
 multiple machines using the <literal>nodes</literal> attribute). For
 instance, the following starts the machine, waits until it has
 finished booting, then executes a command and checks that the output
 is more-or-less correct:
 <programlisting>
 $machine->start;
 $machine->waitForUnit("default.target");
 $machine->succeed("uname") =~ /Linux/;
 </programlisting>
 The first line is actually unnecessary; machines are implicitly
 started when you first execute an action on them (such as
 <literal>waitForUnit</literal> or <literal>succeed</literal>). If you
 have multiple machines, you can speed up the test by starting them in
 parallel:
 <programlisting>
 startAll;
 </programlisting>
 </para>
 <para>The following methods are available on machine objects:
 <variablelist>
  <varlistentry>
    <term><methodname>start</methodname></term>
    <listitem><para>Start the virtual machine. This method is
    asynchronous — it does not wait for the machine to finish
    booting.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>shutdown</methodname></term>
    <listitem><para>Shut down the machine, waiting for the VM to
    exit.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>crash</methodname></term>
    <listitem><para>Simulate a sudden power failure, by telling the VM
    to exit immediately.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>block</methodname></term>
    <listitem><para>Simulate unplugging the Ethernet cable that
    connects the machine to the other machines.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>unblock</methodname></term>
    <listitem><para>Undo the effect of
    <methodname>block</methodname>.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>screenshot</methodname></term>
    <listitem><para>Take a picture of the display of the virtual
    machine, in PNG format. The screenshot is linked from the HTML
    log.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>sendMonitorCommand</methodname></term>
    <listitem><para>Send a command to the QEMU monitor. This is rarely
    used, but allows doing stuff such as attaching virtual USB disks
    to a running machine.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>sendKeys</methodname></term>
    <listitem><para>Simulate pressing keys on the virtual keyboard,
    e.g., <literal>sendKeys("ctrl-alt-delete")</literal>.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>sendChars</methodname></term>
    <listitem><para>Simulate typing a sequence of characters on the
    virtual keyboard, e.g., <literal>sendKeys("foobar\n")</literal>
    will type the string <literal>foobar</literal> followed by the
    Enter key.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>execute</methodname></term>
    <listitem><para>Execute a shell command, returning a list
    <literal>(<replaceable>status</replaceable>,
    <replaceable>stdout</replaceable>)</literal>.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>succeed</methodname></term>
    <listitem><para>Execute a shell command, raising an exception if
    the exit status is not zero, otherwise returning the standard
    output.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>fail</methodname></term>
    <listitem><para>Like <methodname>succeed</methodname>, but raising
    an exception if the command returns a zero status.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitUntilSucceeds</methodname></term>
    <listitem><para>Repeat a shell command with 1-second intervals
    until it succeeds.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitUntilFails</methodname></term>
    <listitem><para>Repeat a shell command with 1-second intervals
    until it fails.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitForUnit</methodname></term>
    <listitem><para>Wait until the specified systemd unit has reached
    the “active” state.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitForFile</methodname></term>
    <listitem><para>Wait until the specified file
    exists.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitForOpenPort</methodname></term>
    <listitem><para>Wait until a process is listening on the given TCP
    port (on <literal>localhost</literal>, at least).</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitForClosedPort</methodname></term>
    <listitem><para>Wait until nobody is listening on the given TCP
    port.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitForX</methodname></term>
    <listitem><para>Wait until the X11 server is accepting
    connections.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><methodname>waitForWindow</methodname></term>
    <listitem><para>Wait until an X11 window has appeared whose name
    matches the given regular expression, e.g.,
    <literal>waitForWindow(qr/Terminal/)</literal>.</para></listitem>
  </varlistentry>
 </variablelist>
 </para>
 </simplesect>
 <simplesect><title>Running tests</title>
 <para>You can run tests using <command>nix-build</command>. For
 example, to run the test <filename
 xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/login.nix">login.nix</filename>,
 you just do:
 <screen>
-$ nix-build tests/ -A nfs.test
+$ nix-build '&lt;nixpkgs/nixos/tests/login.nix>'
 </screen>
-This performs an automated test of the NFS client and server
+or, if you don’t want to rely on <envar>NIX_PATH</envar>:
-functionality in the Linux kernel, including file locking semantics
+
-(e.g., whether locks are maintained across server crashes).  It will
+<screen>
-first build or download all the dependencies of the test (e.g., all
+$ cd /my/nixpkgs/nixos/tests
-packages needed to run a NixOS VM). The test is defined in <link
+$ nix-build login.nix
-xlink:href="https://nixos.org/repos/nix/nixos/trunk/tests/nfs.nix">
+…
-<filename>tests/nfs.nix</filename></link>.  If the test succeeds,
+running the VM test script
-<command>nix-build</command> will place a symlink
+machine: QEMU running (pid 8841)
-<filename>./result</filename> in the current directory pointing at the
+…
-location in the Nix store of the test results (e.g., screenshots, test
+6 out of 6 tests succeeded
-reports, and so on).  In particular, a pretty-printed log of the test
+</screen>
-is written to <filename>log.html</filename>, which can be viewed using
+
-a web browser like this:
+After building/downloading all required dependencies, this will
 perform a build that starts a QEMU/KVM virtual machine containing a
 NixOS system. The virtual machine mounts the Nix store of the host;
 this makes VM creation very fast, as no disk image needs to be
 created. Afterwards, you can view a pretty-printed log of the test:
 <screen>
 $ firefox result/log.html
 </screen>
 </para>
 <para>It is also possible to run the test environment interactively,
 allowing you to experiment with the VMs.  For example:
 <screen>
-$ nix-build tests/ -A nfs.driver
+$ nix-build login.nix -A driver
 $ ./result/bin/nixos-run-vms
 </screen>
-The script <command>nixos-run-vms</command> starts the three virtual
+The script <command>nixos-run-vms</command> starts the virtual
-machines defined in the NFS test using QEMU/KVM.  The root file system
+machines defined by test.  The root file system of the VMs is created
-of the VMs is created on the fly and kept across VM restarts in
+on the fly and kept across VM restarts in
 <filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>.</para>
 <para>Finally, the test itself can be run interactively.  This is
@ -811,17 +1099,11 @@ starting VDE switch for network 1
 &gt;
 </screen>
-Perl statements can now be typed in to start or manipulate the VMs:
+You can then take any Perl statement, e.g.
 <screen>
-&gt; startAll;
+&gt; startAll
-(the VMs start booting)
+&gt; $machine->succeed("touch /tmp/foo")
 &gt; $server-&gt;waitForJob("nfs-kernel-nfsd");
 &gt; $client1-&gt;succeed("flock -x /data/lock -c 'sleep 100000' &amp;");
 &gt; $client2-&gt;fail("flock -n -s /data/lock true");
 &gt; $client1-&gt;shutdown;
 (this releases client1's lock)
 &gt; $client2-&gt;succeed("flock -n -s /data/lock true");
 </screen>
 The function <command>testScript</command> executes the entire test
@ -829,54 +1111,7 @@ script and drops you back into the test driver command line upon its
 completion.  This allows you to inspect the state of the VMs after the
 test (e.g. to debug the test script).</para>
-<para>This and other tests are continuously run on <link
+</simplesect>
 xlink:href="http://hydra.nixos.org/jobset/nixos/trunk">the Hydra
 instance at <literal>nixos.org</literal></link>, which allows
 developers to be notified of any regressions introduced by a NixOS or
 Nixpkgs change.</para>
 <para>The actual Nix programming interface to VM testing is in NixOS,
 under <link
 xlink:href="https://nixos.org/repos/nix/nixos/trunk/lib/testing.nix">
 <filename>lib/testing.nix</filename></link>.  This file defines a
 function which takes an attribute set containing a
 <literal>nixpkgs</literal> attribute (the path to a Nixpkgs checkout),
 and a <literal>system</literal> attribute (the system type).  It
 returns an attribute set containing several utility functions, among
 which the main entry point is <literal>makeTest</literal>.
 </para>
 <para>The <literal>makeTest</literal> function takes a function
 similar to that found in <link
 xlink:href="https://nixos.org/repos/nix/nixos/trunk/tests/nfs.nix">
 <filename>tests/nfs.nix</filename></link> (discussed above).  It
 returns an attribute set containing (among others):
 <variablelist>
  <varlistentry>
    <term><varname>test</varname></term>
    <listitem><para>A derivation containing the test log as an HTML
    file, as seen above, suitable for presentation in the Hydra
    continuous build system.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>report</varname></term>
    <listitem><para>A derivation containing a code coverage report, with
    meta-data suitable for Hydra.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>driver</varname></term>
    <listitem><para>A derivation containing scripts to run the VM test or
    interact with the VM network interactively, as seen above.</para>
    </listitem>
  </varlistentry>
 </variablelist>
 </para>
 </section>
--- a/nixos/doc/manual/installation.xml
+++ b/nixos/doc/manual/installation.xml
@ -1,13 +1,13 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="installing-nixos">
+         xml:id="ch-installation">
 <title>Installing NixOS</title>
 <!--===============================================================-->
-<section>
+<section xml:id="sec-obtaining">
 <title>Obtaining NixOS</title>
@ -51,7 +51,7 @@ running NixOS system through several other means:
 <!--===============================================================-->
-<section>
+<section xml:id="sec-installation">
 <title>Installation</title>
@ -209,7 +209,20 @@ $ nixos-install</screen>
    a network issue while downloading binaries from the NixOS binary
    cache), you can just re-run <command>nixos-install</command>.
    Otherwise, fix your <filename>configuration.nix</filename> and
-    then re-run <command>nixos-install</command>.</para></listitem>
+    then re-run <command>nixos-install</command>.</para>
    <para>As the last step, <command>nixos-install</command> will ask
    you to set the password for the <literal>root</literal> user, e.g.
 <screen>
 setting root password...
 Enter new UNIX password: ***
 Retype new UNIX password: ***
 </screen>
    </para>
  </listitem>
  <listitem><para>If everything went well:
@ -318,8 +331,7 @@ changes:
  </listitem>
  <listitem>
    <para>You must set <option>boot.loader.gummiboot.enable</option> to
-    <literal>true</literal>, and <option>boot.loader.grub.enable</option>
+    <literal>true</literal>. <command>nixos-generate-config</command>
    to <literal>false</literal>. <command>nixos-generate-config</command>
    should do this automatically for new configurations when booted in
    UEFI mode.</para>
  </listitem>
@ -339,7 +351,7 @@ changes:
 <section>
-<title>Booting from a USB stick</title>
+<title xml:id="sec-booting-from-usb">Booting from a USB stick</title>
 <para>For systems withoua CD drive, the NixOS livecd can be booted from
 a usb stick. For non-UEFI installations,
@ -473,7 +485,7 @@ been built.  These channels are:
 <itemizedlist>
  <listitem>
    <para>Stable channels, such as <literal
-    xlink:href="http://nixos.org/channels/nixos-13.10">nixos-13.10</literal>.
+    xlink:href="http://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
    These only get conservative bug fixes and package upgrades.  For
    instance, a channel update may cause the Linux kernel on your
    system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
@ -499,8 +511,8 @@ appliances.)</para>
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 13.10 ISO, you will be subscribed to
+instance, if you installed from a 14.04 ISO, you will be subscribed to
-the <literal>nixos-13.10</literal> channel.  To see which NixOS
+the <literal>nixos-14.04</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 <screen>
@ -515,10 +527,10 @@ $ nix-channel --add http://nixos.org/channels/<replaceable>channel-name</replace
 </screen>
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 13.10 stable channel:
+end.)  For instance, to use the NixOS 14.04 stable channel:
 <screen>
-$ nix-channel --add http://nixos.org/channels/nixos-13.10 nixos
+$ nix-channel --add http://nixos.org/channels/nixos-14.04 nixos
 </screen>
 But it you want to live on the bleeding edge:
--- a/nixos/doc/manual/man-nixos-install.xml
+++ b/nixos/doc/manual/man-nixos-install.xml
@ -42,6 +42,9 @@ the following steps:
  and generates a GRUB configuration file that boots into the NixOS
  configuration just installed.</para></listitem>
  <listitem><para>It prompts you for a password for the root
  account.</para></listitem>
 </itemizedlist>
 </para>
--- a/nixos/doc/manual/manual.xml
+++ b/nixos/doc/manual/manual.xml
@ -60,7 +60,7 @@
  <xi:include href="release-notes.xml" />
  <appendix xml:id="ch-options">
-    <title>List of options</title>
+    <title>Configuration options</title>
    <xi:include href="options-db.xml" />
  </appendix>
--- a/nixos/doc/manual/options-to-docbook.xsl
+++ b/nixos/doc/manual/options-to-docbook.xsl
@ -18,13 +18,12 @@
      <variablelist>
        <xsl:for-each select="attrs">
          <xsl:variable name="id" select="concat('opt-', str:replace(str:replace(str:replace(str:replace(attr[@name = 'name']/string/@value, '*', '_'), '&lt;', '_'), '>', '_'), '?', '_'))" />
          <varlistentry>
-            <term xml:id="{generate-id(attr[@name = 'name']/string/@value)}" xlink:href="#{generate-id(attr[@name = 'name']/string/@value)}">
+            <term xlink:href="#{$id}">
              <xsl:attribute name="xml:id"><xsl:value-of select="$id"/></xsl:attribute>
              <option>
-                 <xsl:for-each select="attr[@name = 'name']/string">
+                <xsl:value-of select="attr[@name = 'name']/string/@value" />
                   <xsl:value-of select="@value" />
                   <xsl:if test="position() != last()">.</xsl:if>
                 </xsl:for-each>
              </option>
             </term>
--- a/nixos/doc/manual/release-notes.xml
+++ b/nixos/doc/manual/release-notes.xml
@ -1,16 +1,40 @@
 <appendix xmlns="http://docbook.org/ns/docbook"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xml:id="ch-release-notes">
 <title>Release notes</title>
 <!--==================================================================-->
-<section xml:id="sec-release-14.02">
+<section xml:id="sec-release-14.10">
-<title>Release 14.04 (“Baboon”, 2014/04/??)</title>
+<title>Release 14.10 (“Caterpillar”, 2014/10/??)</title>
-<para>This is the second stable release branch of NixOS.  The main
+<para>When upgrading from a previous release, please be aware of the
-enhancements are the following:
+following incompatible changes:
 <itemizedlist>
  <listitem><para>The host side of a container virtual Ethernet pair
  is now called <literal>ve-<replaceable>container-name</replaceable></literal>
  rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
 </itemizedlist>
 </para>
 </section>
 <!--==================================================================-->
 <section xml:id="sec-release-14.04">
 <title>Release 14.04 (“Baboon”, 2014/04/30)</title>
 <para>This is the second stable release branch of NixOS.  In addition
 to numerous new and upgraded packages and modules, this release has
 the following highlights:
 <itemizedlist>
@ -18,9 +42,65 @@ enhancements are the following:
  <xref linkend="sec-uefi-installation"/> for
  details.</para></listitem>
  <listitem><para>Systemd has been updated to version 212, which has
  <link xlink:href="http://cgit.freedesktop.org/systemd/systemd/plain/NEWS?id=v212">numerous
  improvements</link>. NixOS now automatically starts systemd user
  instances when you log in. You can define global user units through
  the <option>systemd.unit.*</option> options.</para></listitem>
  <listitem><para>NixOS is now based on Glibc 2.19 and GCC
  4.8.</para></listitem>
  <listitem><para>The default Linux kernel has been updated to
  3.12.</para></listitem>
  <listitem><para>KDE has been updated to 4.12.</para></listitem>
  <listitem><para>GNOME 3.10 experimental support has been added.</para></listitem>
  <listitem><para>Nix has been updated to 1.7 (<link
  xlink:href="http://nixos.org/nix/manual/#ssec-relnotes-1.7">details</link>).</para></listitem>
  <listitem><para>NixOS now supports fully declarative management of
  users and groups. If you set <option>users.mutableUsers</option> to
  <literal>false</literal>, then the contents of
  <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
  will be <link
  xlink:href="https://www.usenix.org/legacy/event/lisa02/tech/full_papers/traugott/traugott_html/">congruent</link>
  to your NixOS configuration. For instance, if you remove a user from
  <option>users.extraUsers</option> and run
  <command>nixos-rebuild</command>, the user account will cease to
  exist. Also, imperative commands for managing users and groups, such
  as <command>useradd</command>, are no longer available. If
  <option>users.mutableUsers</option> is <literal>true</literal> (the
  default), then behaviour is unchanged from NixOS
  13.10.</para></listitem>
  <listitem><para>NixOS now has basic container support, meaning you
  can easily run a NixOS instance as a container in a NixOS host
  system. These containers are suitable for testing and
  experimentation but not production use, since they’re not fully
  isolated from the host. See <xref linkend="ch-containers"/> for
  details.</para></listitem>
  <listitem><para>Systemd units provided by packages can now be
  overridden from the NixOS configuration. For instance, if a package
  <literal>foo</literal> provides systemd units, you can say:
 <programlisting>
 systemd.packages = [ pkgs.foo ];
 </programlisting>
  to enable those units. You can then set or override unit options in
  the usual way, e.g.
 <programlisting>
 systemd.services.foo.wantedBy = [ "multi-user.target" ];
 systemd.services.foo.serviceConfig.MemoryLimit = "512M";
 </programlisting>
  </para></listitem>
 </itemizedlist>
 </para>
@ -47,6 +127,18 @@ error: package ‘nvidia-x11-331.49-3.12.17’ in ‘…/nvidia-x11/default.nix:
  </para></listitem>
  <listitem><para>The Adobe Flash player is no longer enabled by
  default in the Firefox and Chromium wrappers. To enable it, you must
  set:
 <programlisting>
 nixpkgs.config.allowUnfree = true;
 nixpkgs.config.firefox.enableAdobeFlash = true; # for Firefox
 nixpkgs.config.chromium.enableAdobeFlash = true; # for Chromium
 </programlisting>
  </para></listitem>
  <listitem><para>The firewall is now enabled by default. If you don’t
  want this, you need to disable it explicitly:
@ -65,6 +157,28 @@ networking.firewall.enable = false;
  sets a default for the option
  <option>services.mysql.package</option>.</para></listitem>
  <listitem><para>Package variants are now differentiated by suffixing
  the name, rather than the version. For instance,
  <filename>sqlite-3.8.4.3-interactive</filename> is now called
  <filename>sqlite-interactive-3.8.4.3</filename>. This ensures that
  <literal>nix-env -i sqlite</literal> is unambiguous, and that
  <literal>nix-env -u</literal> won’t “upgrade”
  <literal>sqlite</literal> to <literal>sqlite-interactive</literal>
  or vice versa. Notably, this change affects the Firefox wrapper
  (which provides plugins), as it is now called
  <literal>firefox-wrapper</literal>. So when using
  <command>nix-env</command>, you should do <literal>nix-env -e
  firefox; nix-env -i firefox-wrapper</literal> if you want to keep
  using the wrapper. This change does not affect declarative package
  management, since attribute names like
  <literal>pkgs.firefoxWrapper</literal> were already
  unambiguous.</para></listitem>
  <listitem><para>The symlink <filename>/etc/ca-bundle.crt</filename>
  is gone. Programs should instead use the environment variable
  <envar>OPENSSL_X509_CERT_FILE</envar> (which points to
  <filename>/etc/ssl/certs/ca-bundle.crt</filename>).</para></listitem>
 </itemizedlist>
 </para>
--- a/nixos/doc/manual/running.xml
+++ b/nixos/doc/manual/running.xml
@ -11,7 +11,7 @@ service manager.</para>
 <!--===============================================================-->
-<section><title>Service management</title>
+<section xml:id="sec-systemctl"><title>Service management</title>
 <para>In NixOS, all system services are started and monitored using
 the systemd program.  Systemd is the “init” process of the system
@ -92,7 +92,7 @@ necessary).</para>
 <!--===============================================================-->
-<section><title>Rebooting and shutting down</title>
+<section xml:id="sec-rebooting"><title>Rebooting and shutting down</title>
 <para>The system can be shut down (and automatically powered off) by
 doing:
@ -134,7 +134,7 @@ authentication.</para>
 <!--===============================================================-->
-<section><title>User sessions</title>
+<section xml:id="sec-user-sessions"><title>User sessions</title>
 <para>Systemd keeps track of all users who are logged into the system
 (e.g. on a virtual console or remotely via SSH).  The command
@ -185,7 +185,7 @@ $ loginctl terminate-session c3
 <!--===============================================================-->
-<section><title>Control groups</title>
+<section xml:id="sec-cgroups"><title>Control groups</title>
 <para>To keep track of the processes in a running system, systemd uses
 <emphasis>control groups</emphasis> (cgroups).  A control group is a
@ -258,7 +258,7 @@ usage.</para>
 <!--===============================================================-->
-<section><title>Logging</title>
+<section xml:id="sec-logging"><title>Logging</title>
 <para>System-wide logging is provided by systemd’s
 <emphasis>journal</emphasis>, which subsumes traditional logging
@ -308,7 +308,7 @@ groups.  All users have a private journal that can be read using
 <!--===============================================================-->
-<section><title>Cleaning up the Nix store</title>
+<section xml:id="sec-nix-gc"><title>Cleaning up the Nix store</title>
 <para>Nix has a purely functional model, meaning that packages are
 never upgraded in place.  Instead new versions of packages end up in a
--- a/nixos/doc/manual/troubleshooting.xml
+++ b/nixos/doc/manual/troubleshooting.xml
@ -1,12 +1,13 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink">
+         xmlns:xlink="http://www.w3.org/1999/xlink"
         xml:id="ch-troubleshooting">
 <title>Troubleshooting</title>
 <!--===============================================================-->
-<section><title>Boot problems</title>
+<section xml:id="sec-boot-problems"><title>Boot problems</title>
 <para>If NixOS fails to boot, there are a number of kernel command
 line parameters that may help you to identify or fix the issue.  You
@ -69,7 +70,7 @@ unless something is very wrong.)</para>
 <!--===============================================================-->
-<section><title>Maintenance mode</title>
+<section xml:id="sec-maintenance-mode"><title>Maintenance mode</title>
 <para>You can enter rescue mode by running:
@ -85,7 +86,7 @@ just exit from the rescue shell.</para>
 <!--===============================================================-->
-<section><title>Rolling back configuration changes</title>
+<section xml:id="sec-rollback"><title>Rolling back configuration changes</title>
 <para>After running <command>nixos-rebuild</command> to switch to a
 new configuration, you may find that the new configuration doesn’t
@ -131,7 +132,7 @@ lrwxrwxrwx 1 root root 78 Aug 12 13:54 /nix/var/nix/profiles/system-268-link ->
 <!--===============================================================-->
-<section><title>Nix store corruption</title>
+<section xml:id="sec-nix-store-corruption"><title>Nix store corruption</title>
 <para>After a system crash, it’s possible for files in the Nix store
 to become corrupted.  (For instance, the Ext4 file system has the
@ -166,7 +167,7 @@ binary cache; otherwise, they cannot be repaired.</para>
 <!--===============================================================-->
-<section><title>Nix network issues</title>
+<section xml:id="sec-nix-network-issues"><title>Nix network issues</title>
 <para>Nix uses a so-called <emphasis>binary cache</emphasis> to
 optimise building a package from source into downloading it as a
--- a/nixos/lib/eval-config.nix
+++ b/nixos/lib/eval-config.nix
@ -58,7 +58,7 @@ rec {
          inherit system extraArgs modules prefix;
          # For efficiency, leave out most NixOS modules; they don't
          # define nixpkgs.config, so it's pointless to evaluate them.
-          baseModules = [ ../modules/misc/nixpkgs.nix ];
+          baseModules = [ ../modules/misc/nixpkgs.nix ../modules/config/no-x-libs.nix ];
          pkgs = import ./nixpkgs.nix { system = system_; config = {}; };
          check = false;
        }).config.nixpkgs;
--- a/nixos/lib/test-driver/Machine.pm
+++ b/nixos/lib/test-driver/Machine.pm
@ -495,7 +495,7 @@ sub waitForX {
    my ($self, $regexp) = @_;
    $self->nest("waiting for the X11 server", sub {
        retry sub {
-            my ($status, $out) = $self->execute("journalctl -bu systemd-logind | grep Linked");
+            my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'session opened'");
            return 0 if $status != 0;
            ($status, $out) = $self->execute("xwininfo -root > /dev/null 2>&1");
            return 1 if $status == 0;
--- a/nixos/lib/test-driver/test-driver.pl
+++ b/nixos/lib/test-driver/test-driver.pl
@ -52,12 +52,12 @@ sub createMachine {
    my ($args) = @_;
    my $vm = Machine->new({%{$args}, log => $log, redirectSerial => ($ENV{USE_SERIAL} // "0") ne "1"});
    $vms{$vm->name} = $vm;
    $context .= "my \$" . $vm->name . " = \$vms{'" . $vm->name . "'}; ";
    return $vm;
 }
 foreach my $vmScript (@ARGV) {
    my $vm = createMachine({startCommand => $vmScript});
    $context .= "my \$" . $vm->name . " = \$vms{'" . $vm->name . "'}; ";
 }
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -67,57 +67,55 @@ rec {
    };
-  makeTest = testFun: complete (call testFun);
+  makeTest =
-  makeTests = testsFun: lib.mapAttrs (name: complete) (call testsFun);
+    { testScript, makeCoverageReport ? false, ... } @ t:
-  apply = makeTest; # compatibility
+    let
  call = f: f { inherit pkgs system; };
-  complete = { testScript, ... } @ t: t // rec {
+      nodes = buildVirtualNetwork (
        t.nodes or (if t ? machine then { machine = t.machine; } else { }));
-    nodes = buildVirtualNetwork (
+      testScript' =
-      t.nodes or (if t ? machine then { machine = t.machine; } else { }));
+        # Call the test script with the computed nodes.
        if builtins.isFunction testScript
        then testScript { inherit nodes; }
        else testScript;
-    testScript =
+      vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes);
      # Call the test script with the computed nodes.
      if builtins.isFunction t.testScript
      then t.testScript { inherit nodes; }
      else t.testScript;
-    vlans = map (m: m.config.virtualisation.vlans) (lib.attrValues nodes);
+      vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
-    vms = map (m: m.config.system.build.vm) (lib.attrValues nodes);
+      # Generate onvenience wrappers for running the test driver
      # interactively with the specified network, and for starting the
      # VMs from the command line.
      driver = runCommand "nixos-test-driver"
        { buildInputs = [ makeWrapper];
          testScript = testScript';
          preferLocalBuild = true;
        }
        ''
          mkdir -p $out/bin
          echo "$testScript" > $out/test-script
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
          vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
          wrapProgram $out/bin/nixos-test-driver \
            --add-flags "$vms" \
            --run "testScript=\"\$(cat $out/test-script)\"" \
            --set testScript '"$testScript"' \
            --set VLANS '"${toString vlans}"'
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
          wrapProgram $out/bin/nixos-run-vms \
            --add-flags "$vms" \
            --set tests '"startAll; joinAll;"' \
            --set VLANS '"${toString vlans}"' \
            ${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
        ''; # "
-    # Generate onvenience wrappers for running the test driver
+      test = runTests driver;
    # interactively with the specified network, and for starting the
    # VMs from the command line.
    driver = runCommand "nixos-test-driver"
      { buildInputs = [ makeWrapper];
        inherit testScript;
        preferLocalBuild = true;
      }
      ''
        mkdir -p $out/bin
        echo "$testScript" > $out/test-script
        ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
        vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
        wrapProgram $out/bin/nixos-test-driver \
          --add-flags "$vms" \
          --run "testScript=\"\$(cat $out/test-script)\"" \
          --set testScript '"$testScript"' \
          --set VLANS '"${toString vlans}"'
        ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
        wrapProgram $out/bin/nixos-run-vms \
          --add-flags "$vms" \
          --set tests '"startAll; joinAll;"' \
          --set VLANS '"${toString vlans}"' \
          ${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
      ''; # "
-    test = runTests driver;
+      report = releaseTools.gcovReport { coverageRuns = [ test ]; };
-    report = releaseTools.gcovReport { coverageRuns = [ test ]; };
+    in (if makeCoverageReport then report else test) // { inherit driver test; };
  };
  runInMachine =
@ -147,7 +145,7 @@ rec {
        exit $?
      '';
-      testscript = ''
+      testScript = ''
        startAll;
        $client->waitForUnit("multi-user.target");
        ${preBuild}
@ -160,7 +158,7 @@ rec {
        ${coreutils}/bin/mkdir $out
        ${coreutils}/bin/mkdir -p vm-state-client/xchg
        export > vm-state-client/xchg/saved-env
-        export tests='${testscript}'
+        export tests='${testScript}'
        ${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
      ''; # */
@ -198,6 +196,6 @@ rec {
      } // args);
-  simpleTest = as: (makeTest ({ ... }: as)).test;
+  simpleTest = as: (makeTest as).test;
 }
--- a/nixos/maintainers/scripts/ec2/amazon-base-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-base-config.nix
@ -0,0 +1,5 @@
 { modulesPath, ...}:
 {
  imports = [ "${modulesPath}/virtualisation/amazon-config.nix" ];
  services.journald.rateLimitBurst = 0;
 }
--- a/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-hvm-config.nix
@ -0,0 +1,5 @@
 { config, pkgs, ...}:
 {
  imports = [ ./amazon-base-config.nix ];
  ec2.hvm = true;
 }
--- a/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
@ -0,0 +1,33 @@
 { config, pkgs, lib, ...}:
 let
  cloudUtils = pkgs.fetchurl {
    url = "https://launchpad.net/cloud-utils/trunk/0.27/+download/cloud-utils-0.27.tar.gz";
    sha256 = "16shlmg36lidp614km41y6qk3xccil02f5n3r4wf6d1zr5n4v8vd";
  };
  growpart = pkgs.stdenv.mkDerivation {
    name = "growpart";
    src = cloudUtils;
    buildPhase = ''
      cp bin/growpart $out
      sed -i 's|awk|gawk|' $out
      sed -i 's|sed|gnused|' $out
    '';
    dontInstall = true;
    dontPatchShebangs = true;
  };
 in
 {
  imports = [ ./amazon-base-config.nix ];
  ec2.hvm = true;
  boot.loader.grub.device = lib.mkOverride 0 "nodev";
  boot.initrd.extraUtilsCommands = ''
    cp -v ${pkgs.gawk}/bin/gawk $out/bin/gawk
    cp -v ${pkgs.gnused}/bin/sed $out/bin/gnused
    cp -v ${pkgs.utillinux}/sbin/sfdisk $out/bin/sfdisk
    cp -v ${growpart} $out/bin/growpart
  '';
  boot.initrd.postDeviceCommands = ''
    [ -e /dev/xvda ] && [ -e /dev/xvda1 ] && TMPDIR=/run sh $(type -P growpart) /dev/xvda 1
  '';
 }
--- a/nixos/maintainers/scripts/ec2/create-ebs-amis.py
+++ b/nixos/maintainers/scripts/ec2/create-ebs-amis.py
@ -8,15 +8,17 @@ import nixops.util
 from nixops import deployment
 from boto.ec2.blockdevicemapping import BlockDeviceMapping, BlockDeviceType
 import boto.ec2
 from nixops.statefile import StateFile, get_default_state_file
 parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI')
 parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in')
 parser.add_argument('--channel', dest='channel', default="13.10", help='Channel to use')
 parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use')
 parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image')
 parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob")
 args = parser.parse_args()
-instance_type = "m3.xlarge" if args.hvm else "m1.small"
+instance_type = "m3.medium" if args.hvm else "m1.small"
 ebs_size = 8 if args.hvm else 20
@ -37,11 +39,11 @@ f.write('''{{
 '''.format(args.region, ebs_size))
 f.close()
-db = deployment.open_database(deployment.get_default_state_file())
+db = StateFile(get_default_state_file())
 try:
-    depl = deployment.open_deployment(db, "ebs-creator")
+    depl = db.open_deployment("ebs-creator")
 except Exception:
-    depl = deployment.create_deployment(db)
+    depl = db.create_deployment()
    depl.name = "ebs-creator"
 depl.auto_response = "y"
 depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")]
@ -50,7 +52,6 @@ depl.deploy(allow_reboot=True)
 m = depl.machines['machine']
 # Do the installation.
 device="/dev/xvdg"
 if args.hvm:
@ -64,24 +65,27 @@ m.run_command("mkdir -p /mnt")
 m.run_command("mount {0} /mnt".format(device))
 m.run_command("touch /mnt/.ebs")
 m.run_command("mkdir -p /mnt/etc/nixos")
-m.run_command("nix-channel --add http://nixos.org/channels/nixos-unstable")
+
 m.run_command("nix-channel --add http://nixos.org/channels/nixos-{} nixos".format(args.channel))
 m.run_command("nix-channel --update")
-m.run_command("nixos-rebuild switch")
+
-version = m.run_command("nixos-version", capture_stdout=True).split(' ')[0]
+version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip()
 print >> sys.stderr, "NixOS version is {0}".format(version)
 m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
 m.run_command("nixos-install")
 if args.hvm:
    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/amazon-base-config.nix")
    m.upload_file("./amazon-hvm-config.nix", "/mnt/etc/nixos/configuration.nix")
    m.upload_file("./amazon-hvm-install-config.nix", "/mnt/etc/nixos/amazon-hvm-install-config.nix")
    m.run_command("NIXOS_CONFIG=/etc/nixos/amazon-hvm-install-config.nix nixos-install")
    m.run_command('nix-env -iA nixos.pkgs.grub')
    m.run_command('cp /nix/store/*-grub-0.97*/lib/grub/i386-pc/* /mnt/boot/grub')
    m.run_command('sed -i "s|hd0|hd0,0|" /mnt/boot/grub/menu.lst')
    m.run_command('echo "(hd1) /dev/xvdg" > device.map')
    m.run_command('echo -e "root (hd1,0)\nsetup (hd1)" | grub --device-map=device.map --batch')
-
+else:
    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
    m.run_command("nixos-install")
 m.run_command("umount /mnt")
 if args.hvm:
    ami_name = "nixos-{0}-x86_64-ebs-hvm".format(version)
    description = "NixOS {0} (x86_64; EBS root; hvm)".format(version)
--- a/nixos/maintainers/scripts/ec2/ebs-creator.nix
+++ b/nixos/maintainers/scripts/ec2/ebs-creator.nix
@ -4,10 +4,11 @@
  machine =
    { config, pkgs, resources, ... }:
    { deployment.targetEnv = "ec2";
-      deployment.ec2.instanceType = "m1.large";
+      deployment.ec2.instanceType = "c3.large";
      deployment.ec2.securityGroups = [ "admin" ];
      deployment.ec2.ebsBoot = false;
      deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
      deployment.ec2.zone = "us-east-1e";
      environment.systemPackages = [ pkgs.parted ];
    };
 }
--- a/nixos/maintainers/scripts/gce/create-gce.sh
+++ b/nixos/maintainers/scripts/gce/create-gce.sh
@ -0,0 +1,14 @@
 #! /bin/sh -e
 export NIX_PATH=nixpkgs=../../../..
 export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
 export TIMESTAMP=$(date +%Y%m%d%H%M)
 nix-build '<nixpkgs/nixos>' \
   -A config.system.build.googleComputeImage --argstr system x86_64-linux -o gce --option extra-binary-caches http://hydra.nixos.org -j 10
 img=$(echo gce/*.tar.gz)
 if ! gsutil ls gs://nixos/$(basename $img); then
  gsutil cp $img gs://nixos/$(basename $img)
 fi
 gcutil addimage $(basename $img .raw.tar.gz | sed 's|\.|-|' | sed 's|_|-|') gs://nixos/$(basename $img)
--- a/nixos/modules/config/fonts/corefonts.nix
+++ b/nixos/modules/config/fonts/corefonts.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
@ -25,7 +25,7 @@ with pkgs.lib;
  config = mkIf config.fonts.enableCoreFonts {
-    fonts.extraFonts = [ pkgs.corefonts ];
+    fonts.fonts = [ pkgs.corefonts ];
  };
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
--- a/nixos/modules/config/fonts/fontdir.nix
+++ b/nixos/modules/config/fonts/fontdir.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/config/fonts/fonts.nix
+++ b/nixos/modules/config/fonts/fonts.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
@ -10,40 +10,37 @@ with pkgs.lib;
      # TODO: find another name for it.
      fonts = mkOption {
-        default = [
+        type = types.listOf types.path;
          # - the user's .fonts directory
          "~/.fonts"
          # - the user's current profile
          "~/.nix-profile/lib/X11/fonts"
          "~/.nix-profile/share/fonts"
          # - the default profile
          "/nix/var/nix/profiles/default/lib/X11/fonts"
          "/nix/var/nix/profiles/default/share/fonts"
        ];
        description = "List of primary font paths.";
        apply = list: list ++ [
          # - a few statically built locations
          pkgs.xorg.fontbhttf
          pkgs.xorg.fontbhlucidatypewriter100dpi
          pkgs.xorg.fontbhlucidatypewriter75dpi
          pkgs.ttf_bitstream_vera
          pkgs.freefont_ttf
          pkgs.liberation_ttf
          pkgs.xorg.fontbh100dpi
          pkgs.xorg.fontmiscmisc
          pkgs.xorg.fontcursormisc
        ]
        ++ config.fonts.extraFonts;
      };
      extraFonts = mkOption {
        default = [];
        example = [ pkgs.dejavu_fonts ];
-        description = "List of packages with additional fonts.";
+        description = "List of primary font paths.";
        apply = list: list ++
          [ # - the user's current profile
            "~/.nix-profile/lib/X11/fonts"
            "~/.nix-profile/share/fonts"
            # - the default profile
            "/nix/var/nix/profiles/default/lib/X11/fonts"
            "/nix/var/nix/profiles/default/share/fonts"
          ];
      };
    };
  };
  config = {
    fonts.fonts =
      [ pkgs.xorg.fontbhttf
        pkgs.xorg.fontbhlucidatypewriter100dpi
        pkgs.xorg.fontbhlucidatypewriter75dpi
        pkgs.ttf_bitstream_vera
        pkgs.freefont_ttf
        pkgs.liberation_ttf
        pkgs.xorg.fontbh100dpi
        pkgs.xorg.fontmiscmisc
        pkgs.xorg.fontcursormisc
      ];
  };
 }
--- a/nixos/modules/config/fonts/ghostscript.nix
+++ b/nixos/modules/config/fonts/ghostscript.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
@ -25,7 +25,7 @@ with pkgs.lib;
  config = mkIf config.fonts.enableGhostscriptFonts {
-    fonts.extraFonts = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ];
+    fonts.fonts = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ];
  };
--- a/nixos/modules/config/gnu.nix
+++ b/nixos/modules/config/gnu.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
  options = {
@ -36,7 +36,7 @@ with pkgs.lib;
    # GNU lsh.
    services.openssh.enable = false;
    services.lshd.enable = true;
-    services.xserver.startOpenSSHAgent = false;
+    programs.ssh.startAgent = false;
    services.xserver.startGnuPGAgent = true;
    # TODO: GNU dico.
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -76,7 +76,12 @@ in
    environment.systemPackages = [ glibcLocales ];
-    environment.variables.LANG = config.i18n.defaultLocale;
+    environment.variables =
      { LANG = config.i18n.defaultLocale;
        LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
      };
    systemd.globalEnvironment.LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive";
    # ‘/etc/locale.conf’ is used by systemd.
    environment.etc = singleton
--- a/nixos/modules/config/krb5.nix
+++ b/nixos/modules/config/krb5.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 with pkgs;
 let
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -1,8 +1,8 @@
 # /etc files related to networking, such as /etc/services.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@ -1,6 +1,9 @@
-{ config, pkgs, ... }:
+# This module gets rid of all dependencies on X11 client libraries
 # (including fontconfig).
-with pkgs.lib;
+{ config, lib, pkgs, ... }:
 with lib;
 {
  options = {
@ -8,18 +11,22 @@ with pkgs.lib;
      type = types.bool;
      default = false;
      description = ''
-        Switch off the options in the default configuration that require X libraries.
+        Switch off the options in the default configuration that
-        Currently this includes: ssh X11 forwarding, dbus, fonts.enableCoreFonts,
+        require X11 libraries. This includes client-side font
-        fonts.enableFontConfig
+        configuration and SSH forwarding of X11 authentication
        in. Thus, you probably do not want to enable this option if
        you want to run X11 programs on this machine via SSH.
      '';
    };
  };
  config = mkIf config.environment.noXlibs {
    programs.ssh.setXAuthLocation = false;
-    fonts = {
+    security.pam.services.su.forwardXAuth = lib.mkForce false;
-      enableCoreFonts = false;
+
-      enableFontConfig = false;
+    fonts.enableFontConfig = false;
-    };
+
    nixpkgs.config.packageOverrides = pkgs:
      { dbus = pkgs.dbus.override { useX11 = false; }; };
  };
 }
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@ -1,8 +1,8 @@
 # Configuration for the Name Service Switch (/etc/nsswitch.conf).
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/config/power-management.nix
+++ b/nixos/modules/config/power-management.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -65,11 +65,7 @@ in
  config = mkIf cfg.enable {
-    boot.kernelModules =
+    # FIXME: Implement powersave governor for sandy bridge or later Intel CPUs
      [ "acpi_cpufreq" "powernow-k8" "cpufreq_performance" "cpufreq_powersave" "cpufreq_ondemand"
        "cpufreq_conservative"
      ];
    powerManagement.cpuFreqGovernor = mkDefault "ondemand";
    powerManagement.scsiLinkPolicy = mkDefault "min_power";
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -1,24 +1,26 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 with pkgs;
 let
  cfg = config.hardware.pulseaudio;
  systemWide = cfg.enable && cfg.systemWide;
  nonSystemWide = cfg.enable && !cfg.systemWide;
  uid = config.ids.uids.pulseaudio;
  gid = config.ids.gids.pulseaudio;
-  pulseRuntimePath = "/var/run/pulse";
+  stateDir = "/run/pulse";
  # Create pulse/client.conf even if PulseAudio is disabled so
  # that we can disable the autospawn feature in programs that
  # are built with PulseAudio support (like KDE).
  clientConf = writeText "client.conf" ''
-    autospawn=${if (cfg.enable && !cfg.systemWide) then "yes" else "no"}
+    autospawn=${if nonSystemWide then "yes" else "no"}
-    ${optionalString (cfg.enable && !cfg.systemWide)
+    ${optionalString nonSystemWide "daemon-binary=${cfg.package}/bin/pulseaudio"}
      "daemon-binary=${cfg.package}/bin/pulseaudio"}
  '';
  # Write an /etc/asound.conf that causes all ALSA applications to
@ -68,7 +70,7 @@ in {
      configFile = mkOption {
        type = types.uniq types.path;
-        default = "${pulseaudio}/etc/pulse/default.pa";
+        default = "${cfg.package}/etc/pulse/default.pa";
        description = ''
          The path to the configuration the PulseAudio server
          should use. By default, the "default.pa" configuration
@ -86,6 +88,17 @@ in {
          default PulseAudio in Nixpkgs.
        '';
      };
      daemon = {
        logLevel = mkOption {
          type = types.str;
          default = "notice";
          description = ''
            The log level that the system-wide pulseaudio daemon should use,
            if activated.
          '';
        };
      };
    };
  };
@ -111,21 +124,20 @@ in {
      security.rtkit.enable = true;
    })
-    (mkIf (cfg.enable && !cfg.systemWide) {
+    (mkIf nonSystemWide {
      environment.etc = singleton {
        target = "pulse/default.pa";
        source = cfg.configFile;
      };
    })
-    (mkIf (cfg.enable && cfg.systemWide) {
+    (mkIf systemWide {
      users.extraUsers.pulse = {
        # For some reason, PulseAudio wants UID == GID.
        uid = assert uid == gid; uid;
        group = "pulse";
        extraGroups = [ "audio" ];
        description = "PulseAudio system service user";
        home = pulseRuntimePath;
      };
      users.extraGroups.pulse.gid = gid;
@ -134,15 +146,15 @@ in {
        description = "PulseAudio System-Wide Server";
        wantedBy = [ "sound.target" ];
        before = [ "sound.target" ];
-        path = [ cfg.package ];
+        environment.PULSE_RUNTIME_PATH = stateDir;
        environment.PULSE_RUNTIME_PATH = pulseRuntimePath;
        preStart = ''
-          mkdir -p --mode 755 ${pulseRuntimePath}
+          mkdir -p --mode 755 ${stateDir}
-          chown -R pulse:pulse ${pulseRuntimePath}
+          chown -R pulse:pulse ${stateDir}
        '';
        script = ''
          exec pulseaudio --system -n --file="${cfg.configFile}"
        '';
        serviceConfig = {
          ExecStart = "${cfg.package}/bin/pulseaudio -D --log-level=${cfg.daemon.logLevel} --system --use-pid-file -n --file=${cfg.configFile}";
          PIDFile = "${stateDir}/pid";
        };
      };
    })
  ];
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@ -1,9 +1,9 @@
 # This module defines a global environment configuration and
 # a common configuration for all shells.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@ -1,6 +1,6 @@
-{ config, pkgs, utils, ... }:
+{ config, lib, pkgs, utils, ... }:
-with pkgs.lib;
+with lib;
 with utils;
 {
@ -106,6 +106,7 @@ with utils;
                if [ ! -e "${sw.device}" ]; then
                  fallocate -l ${toString sw.size}M "${sw.device}" ||
                    dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
                  chmod 0600 ${sw.device}
                  mkswap ${sw.device}
                fi
              '';
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -45,19 +45,8 @@ in
      ) config.boot.kernel.sysctl);
    systemd.services.systemd-sysctl =
-      { description = "Apply Kernel Variables";
+      { wantedBy = [ "multi-user.target" ];
        before = [ "sysinit.target" "shutdown.target" ];
        wantedBy = [ "sysinit.target" "multi-user.target" ];
        restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
        unitConfig = {
          DefaultDependencies = false; # needed to prevent a cycle
          ConditionPathIsReadWrite = "/proc/sys/"; # prevent systemd-sysctl in containers
        };
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          ExecStart = "${config.systemd.package}/lib/systemd/systemd-sysctl";
        };
      };
    # Enable hardlink and symlink restrictions.  See
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@ -1,9 +1,9 @@
 # This module defines the packages that appear in
 # /run/current-system/sw.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -135,6 +135,10 @@ in
          if [ -x $out/bin/glib-compile-schemas -a -w $out/share/glib-2.0/schemas ]; then
              $out/bin/glib-compile-schemas $out/share/glib-2.0/schemas
          fi
          if [ -x $out/bin/update-desktop-database -a -w $out/share/applications ]; then
              $out/bin/update-desktop-database $out/share/applications
          fi
        '';
    };
--- a/nixos/modules/config/timezone.nix
+++ b/nixos/modules/config/timezone.nix
@ -1,6 +1,12 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
  tzdir = "${pkgs.tzdata}/share/zoneinfo";
 in
 {
  options = {
@ -26,8 +32,10 @@ with pkgs.lib;
    environment.variables.TZDIR = "/etc/zoneinfo";
    systemd.globalEnvironment.TZDIR = tzdir;
    environment.etc.localtime =
-      { source = "${pkgs.tzdata}/share/zoneinfo/${config.time.timeZone}";
+      { source = "${tzdir}/${config.time.timeZone}";
        mode = "direct-symlink";
      };
--- a/nixos/modules/config/unix-odbc-drivers.nix
+++ b/nixos/modules/config/unix-odbc-drivers.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 # unixODBC drivers (this solution is not perfect.. Because the user has to
 # ask the admin to add a driver.. but it's simple and works
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -1,6 +1,6 @@
-{pkgs, config, ...}:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -55,13 +55,27 @@ let
        type = with types; nullOr int;
        default = null;
        description = ''
-          The account UID. If the <literal>mutableUsers</literal> option
+          The account UID. If the <option>mutableUsers</option> option
          is false, the UID cannot be null. Otherwise, the UID might be
          null, in which case a free UID is picked on activation (by the
          useradd command).
        '';
      };
      isSystemUser = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Indicates if the user is a system user or not. This option
          only has an effect if <option>mutableUsers</option> is
          <literal>true</literal> and <option>uid</option> is
          <option>null</option>, in which case it determines whether
          the user's UID is allocated in the range for system users
          (below 500) or in the range for normal users (starting at
          1000).
        '';
      };
      group = mkOption {
        type = types.str;
        default = "nogroup";
@ -360,8 +374,8 @@ in {
    security.initialRootPassword = mkOption {
      type = types.str;
-      default = "";
+      default = "!";
-      example = "!";
+      example = "";
      description = ''
        The (hashed) password for the root account set on initial
        installation. The empty string denotes that root can login
@ -369,9 +383,9 @@ in {
        as SSH, or indirectly via <command>su</command> or
        <command>sudo</command>). The string <literal>!</literal>
        prevents root from logging in using a password.
-        Note, setting this option sets
+        Note that setting this option sets
        <literal>users.extraUsers.root.hashedPassword</literal>.
-        Note, if <literal>users.mutableUsers</literal> is false
+        Also, if <literal>users.mutableUsers</literal> is false
        you cannot change the root password manually, so in that case
        the name of this option is a bit misleading, since it will define
        the root password beyond the user initialisation phase.
@ -459,17 +473,17 @@ in {
        '';
        groupadd = n: g: ''
          if [ -z "$(getent group "${g.name}")" ]; then
            echo "Adding group ${g.name}"
            ${pkgs.shadow}/sbin/groupadd "${g.name}"
          fi
        '';
        useradd = n: u: ''
          if ! id "${u.name}" &>/dev/null; then
            echo "Adding user ${u.name}"
            ${pkgs.shadow}/sbin/useradd \
              -g "${u.group}" \
              -G "${concatStringsSep "," u.extraGroups}" \
              -s "${u.shell}" \
              -d "${u.home}" \
              ${optionalString u.isSystemUser "--system"} \
              "${u.name}"
            echo "${u.name}:x" | ${pkgs.shadow}/sbin/chpasswd -e
          fi
@ -495,7 +509,7 @@ in {
        message = "uids and gids must be unique!";
      }
      { assertion = cfg.mutableUsers || (nonUidUsers == {});
-        message = "When mutableUsers is false, no uid can be null";
+        message = "When mutableUsers is false, no uid can be null: ${toString (attrNames nonUidUsers)}";
      }
      { assertion = cfg.mutableUsers || (nonGidGroups == {});
        message = "When mutableUsers is false, no gid can be null";
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
--- a/nixos/modules/hardware/cpu/amd-microcode.nix
+++ b/nixos/modules/hardware/cpu/amd-microcode.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
--- a/nixos/modules/hardware/cpu/intel-microcode.nix
+++ b/nixos/modules/hardware/cpu/intel-microcode.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
--- a/nixos/modules/hardware/network/b43.nix
+++ b/nixos/modules/hardware/network/b43.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let kernelVersion = config.boot.kernelPackages.kernel.version; in
--- a/nixos/modules/hardware/opengl.nix
+++ b/nixos/modules/hardware/opengl.nix
@ -1,14 +1,31 @@
-{ config, pkgs, pkgs_i686, ... }:
+{ config, lib, pkgs, pkgs_i686, ... }:
 with lib;
 let
  inherit (pkgs.lib) mkOption types mkIf optional optionals elem optionalString optionalAttrs;
  cfg = config.hardware.opengl;
  kernelPackages = config.boot.kernelPackages;
-in {
+
  videoDrivers = config.services.xserver.videoDrivers;
  makePackage = p: p.buildEnv {
    name = "mesa-drivers+txc-${p.mesa_drivers.version}";
    paths =
      [ p.mesa_drivers
        p.mesa_noglu # mainly for libGL
        (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
 	p.udev
      ];
  };
 in
 {
  options = {
    hardware.opengl.enable = mkOption {
-      description = "Whether this configuration requires opengl.";
+      description = "Whether this configuration requires OpenGL.";
      type = types.bool;
      default = false;
      internal = true;
@ -39,83 +56,70 @@ in {
      default = false;
      description = ''
        Make S3TC(S3 Texture Compression) via libtxc_dxtn available
-        to OpenGL drivers. It is essential for many games to work
+        to OpenGL drivers instead of the patent-free S2TC replacement.
        with FOSS GPU drivers.
        Using this library may require a patent license depending on your location.
      '';
    };
-
+    hardware.opengl.package = mkOption {
-    hardware.opengl.videoDrivers = mkOption {
+      type = types.package;
-      type = types.listOf types.str;
+      internal = true;
      # !!! We'd like "nv" here, but it segfaults the X server.
      default = [ "ati" "cirrus" "intel" "vesa" "vmware" ];
      example = [ "vesa" ];
      description = ''
-        The names of the opengl video drivers the configuration
+        The package that provides the OpenGL implementation.
        supports. They will be tried in order until one that
        supports your card is found.
      '';
    };
    hardware.opengl.package32 = mkOption {
      type = types.package;
      internal = true;
      description = ''
        The package that provides the 32-bit OpenGL implementation on
        64-bit systems.  Used when <option>driSupport32Bit</option> is
        set.
      '';
    };
  };
  config = mkIf cfg.enable {
    assertions = pkgs.lib.singleton {
      assertion = cfg.driSupport32Bit -> pkgs.stdenv.isx86_64;
-      message = "Option driSupport32Bit only makes sens on a 64-bit system.";
+      message = "Option driSupport32Bit only makes sense on a 64-bit system.";
    };
-    system.activationScripts.setup-opengl.deps = [];
+    system.activationScripts.setup-opengl =
-    system.activationScripts.setup-opengl.text = ''
+      ''
-      rm -f /run/opengl-driver{,-32}
+        ln -sfn ${cfg.package} /run/opengl-driver
-      ${optionalString (pkgs.stdenv.isi686) "ln -sf opengl-driver /run/opengl-driver-32"}
+        ${if pkgs.stdenv.isi686 then ''
-    ''
+          ln -sfn opengl-driver /run/opengl-driver-32
-      #TODO:  The OpenGL driver should depend on what's detected at runtime.
+        '' else if cfg.driSupport32Bit then ''
-     +( if elem "nvidia" cfg.videoDrivers then
+          ln -sfn ${cfg.package32} /run/opengl-driver-32
-          ''
+        '' else ''
-            ln -sf ${kernelPackages.nvidia_x11} /run/opengl-driver
+          rm -f /run/opengl-driver-32
-            ${optionalString cfg.driSupport32Bit
+        ''}
-              "ln -sf ${pkgs_i686.linuxPackages.nvidia_x11.override { libsOnly = true; kernel = null; } } /run/opengl-driver-32"}
+      '';
          ''
        else if elem "nvidiaLegacy173" cfg.videoDrivers then
          "ln -sf ${kernelPackages.nvidia_x11_legacy173} /run/opengl-driver"
        else if elem "nvidiaLegacy304" cfg.videoDrivers then
          ''
            ln -sf ${kernelPackages.nvidia_x11_legacy304} /run/opengl-driver
            ${optionalString cfg.driSupport32Bit
              "ln -sf ${pkgs_i686.linuxPackages.nvidia_x11_legacy304.override { libsOnly = true; kernel = null; } } /run/opengl-driver-32"}
          ''
        else if elem "ati_unfree" cfg.videoDrivers then
          "ln -sf ${kernelPackages.ati_drivers_x11} /run/opengl-driver"
        else
          ''
            ${optionalString cfg.driSupport "ln -sf ${pkgs.mesa_drivers} /run/opengl-driver"}
            ${optionalString cfg.driSupport32Bit
              "ln -sf ${pkgs_i686.mesa_drivers} /run/opengl-driver-32"}
          ''
      );
    environment.variables.LD_LIBRARY_PATH =
-      [ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ]
+      [ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ];
-      ++ optional cfg.s3tcSupport "${pkgs.libtxc_dxtn}/lib"
+
-      ++ optional (cfg.s3tcSupport && cfg.driSupport32Bit) "${pkgs_i686.libtxc_dxtn}/lib";
+    # FIXME: move this into card-specific modules.
    hardware.opengl.package = mkDefault
      (if elem "ati_unfree" videoDrivers then
        kernelPackages.ati_drivers_x11
      else
        makePackage pkgs);
    hardware.opengl.package32 = mkDefault (makePackage pkgs_i686);
    boot.extraModulePackages =
-      optional (elem "nvidia" cfg.videoDrivers) kernelPackages.nvidia_x11 ++
+      optional (elem "virtualbox" videoDrivers) kernelPackages.virtualboxGuestAdditions ++
-      optional (elem "nvidiaLegacy173" cfg.videoDrivers) kernelPackages.nvidia_x11_legacy173 ++
+      optional (elem "ati_unfree" videoDrivers) kernelPackages.ati_drivers_x11;
      optional (elem "nvidiaLegacy304" cfg.videoDrivers) kernelPackages.nvidia_x11_legacy304 ++
      optional (elem "virtualbox" cfg.videoDrivers) kernelPackages.virtualboxGuestAdditions ++
      optional (elem "ati_unfree" cfg.videoDrivers) kernelPackages.ati_drivers_x11;
-    boot.blacklistedKernelModules =
+    environment.etc =
-      optionals (elem "nvidia" cfg.videoDrivers) [ "nouveau" "nvidiafb" ];
+      optionalAttrs (elem "ati_unfree" videoDrivers) {
    environment.etc =  (optionalAttrs (elem "ati_unfree" cfg.videoDrivers) {
        "ati".source = "${kernelPackages.ati_drivers_x11}/etc/ati";
-      })
+      };
      // (optionalAttrs (elem "nvidia" cfg.videoDrivers) {
        "OpenCL/vendors/nvidia.icd".source = "${kernelPackages.nvidia_x11}/lib/vendors/nvidia.icd";
      });
  };
 }
--- a/nixos/modules/hardware/pcmcia.nix
+++ b/nixos/modules/hardware/pcmcia.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/hardware/video/bumblebee.nix
+++ b/nixos/modules/hardware/video/bumblebee.nix
@ -1,7 +1,7 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let kernel = config.boot.kernelPackages; in
-with pkgs.lib;
+with lib;
 {
@ -17,6 +17,12 @@ with pkgs.lib;
        Only nvidia driver is supported so far.
      '';
    };
    hardware.bumblebee.group = mkOption {
      default = "wheel";
      example = "video";
      type = types.uniq types.str;
      description = ''Group for bumblebee socket'';
    };
  };
  config = mkIf config.hardware.bumblebee.enable {
@ -29,13 +35,15 @@ with pkgs.lib;
    systemd.services.bumblebeed = {
      description = "Bumblebee Hybrid Graphics Switcher";
      wantedBy = [ "display-manager.service" ];
-      script = "bumblebeed --use-syslog";
+      script = "bumblebeed --use-syslog -g ${config.hardware.bumblebee.group}";
      path = [ kernel.bbswitch pkgs.bumblebee ];
      serviceConfig = {
        Restart = "always";
        RestartSec = 60;
        CPUSchedulingPolicy = "idle";
      };
      environment.LD_LIBRARY_PATH="/run/opengl-driver/lib/";
      environment.MODULE_DIR="/run/current-system/kernel-modules/lib/modules/";
    };
  };
 }
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@ -0,0 +1,54 @@
 # This module provides the proprietary NVIDIA X11 / OpenGL drivers.
 { config, lib, pkgs, pkgs_i686, ... }:
 with lib;
 let
  drivers = config.services.xserver.videoDrivers;
  # FIXME: should introduce an option like
  # ‘hardware.video.nvidia.package’ for overriding the default NVIDIA
  # driver.
  enabled = elem "nvidia" drivers || elem "nvidiaLegacy173" drivers || elem "nvidiaLegacy304" drivers;
  nvidia_x11 =
    if elem "nvidia" drivers then
      config.boot.kernelPackages.nvidia_x11
    else if elem "nvidiaLegacy173" drivers then
      config.boot.kernelPackages.nvidia_x11_legacy173
    else if elem "nvidiaLegacy304" drivers then
      config.boot.kernelPackages.nvidia_x11_legacy304
    else throw "impossible";
 in
 {
  config = mkIf enabled {
    services.xserver.drivers = singleton
      { name = "nvidia"; modules = [ nvidia_x11 ]; libPath = [ nvidia_x11 ]; };
    services.xserver.screenSection =
      ''
        Option "RandRRotation" "on"
      '';
    hardware.opengl.package = nvidia_x11;
    hardware.opengl.package32 = pkgs_i686.linuxPackages.nvidia_x11.override { libsOnly = true; kernel = null; };
    environment.systemPackages = [ nvidia_x11 ];
    boot.extraModulePackages = [ nvidia_x11 ];
    boot.blacklistedKernelModules = [ "nouveau" "nvidiafb" ];
    services.acpid.enable = true;
    environment.etc."OpenCL/vendors/nvidia.icd".source = "${nvidia_x11}/lib/vendors/nvidia.icd";
  };
 }
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@ -1,9 +1,9 @@
 # Provide an initial copy of the NixOS channel so that the user
 # doesn't need to run "nix-channel --update" first.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix
@ -1,9 +1,9 @@
 # This module contains the basic configuration for building a NixOS
 # installation CD.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
  imports =
@ -39,6 +39,9 @@ with pkgs.lib;
  # Add Memtest86+ to the CD.
  boot.loader.grub.memtest86.enable = true;
-  # Get a console as soon as the initrd loads fbcon on EFI boot
+  # Get a console as soon as the initrd loads fbcon on EFI boot.
  boot.initrd.kernelModules = [ "fbcon" ];
  # Allow the user to log in as root without a password.
  security.initialRootPassword = "";
 }
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix
@ -1,9 +1,9 @@
 # This module defines a NixOS installation CD that contains X11 and
 # KDE 4.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
  imports = [ ./installation-cd-base.nix ../../profiles/graphical.nix ];
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -2,9 +2,9 @@
 # configuration.  The derivation for the ISO image will be placed in
 # config.system.build.isoImage.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -67,7 +67,7 @@ let
        ${config.boot.kernelPackages.kernel}/bzImage ::boot/bzImage
      mcopy -v -i "$out" \
        ${config.system.build.initialRamdisk}/initrd ::boot/initrd
-    '';
+    ''; # */
  targetArch = if pkgs.stdenv.isi686 then
    "ia32"
@ -177,39 +177,45 @@ in
    # recognise that.
    boot.kernelParams = [ "root=LABEL=${config.isoImage.volumeID}" ];
-    # Note that /dev/root is a symlink to the actual root device
+    fileSystems."/" =
-    # specified on the kernel command line, created in the stage 1 init
+      { fsType = "tmpfs";
-    # script.
+        device = "none";
-    fileSystems."/".device = "/dev/root";
+        options = "mode=0755";
      };
-    fileSystems."/nix/store" =
+    # Note that /dev/root is a symlink to the actual root device
    # specified on the kernel command line, created in the stage 1
    # init script.
    fileSystems."/iso" =
      { device = "/dev/root";
        neededForBoot = true;
        noCheck = true;
      };
    fileSystems."/nix/.ro-store" =
      { fsType = "squashfs";
-        device = "/nix-store.squashfs";
+        device = "/iso/nix-store.squashfs";
        options = "loop";
        neededForBoot = true;
      };
    fileSystems."/nix/.rw-store" =
      { fsType = "tmpfs";
        device = "none";
        options = "mode=0755";
        neededForBoot = true;
      };
    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" ];
    boot.initrd.kernelModules = [ "loop" ];
-    # In stage 1, mount a tmpfs on top of / (the ISO image) and
+    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
-    # /nix/store (the squashfs image) to make this a live CD.
+    # image) to make this a live CD.
    boot.initrd.postMountCommands =
      ''
-        mkdir -p /unionfs-chroot/ro-root
+        mkdir -p $targetRoot/nix/store
-        mount --rbind $targetRoot /unionfs-chroot/ro-root
+        unionfs -o allow_other,cow,nonempty,chroot=$targetRoot,max_files=32768 /nix/.rw-store=RW:/nix/.ro-store=RO $targetRoot/nix/store
        mkdir /unionfs-chroot/rw-root
        mount -t tmpfs -o "mode=755" none /unionfs-chroot/rw-root
        mkdir /mnt-root-union
        unionfs -o allow_other,cow,chroot=/unionfs-chroot,max_files=32768 /rw-root=RW:/ro-root=RO /mnt-root-union
        oldTargetRoot=$targetRoot
        targetRoot=/mnt-root-union
        mkdir /unionfs-chroot/rw-store
        mount -t tmpfs -o "mode=755" none /unionfs-chroot/rw-store
        mkdir -p $oldTargetRoot/nix/store
        unionfs -o allow_other,cow,nonempty,chroot=/unionfs-chroot,max_files=32768 /rw-store=RW:/ro-root/nix/store=RO /mnt-root-union/nix/store
      '';
    # Closures to be copied to the Nix store on the CD, namely the init
@ -253,10 +259,6 @@ in
        { source = config.system.build.squashfsStore;
          target = "/nix-store.squashfs";
        }
        { # Quick hack: need a mount point for the store.
          source = pkgs.runCommand "empty" {} "mkdir -p $out";
          target = "/nix/store";
        }
      ] ++ optionals config.isoImage.makeEfiBootable [
        { source = efiImg;
          target = "/boot/efi.img";
--- a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/installer/cd-dvd/system-tarball-pc.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-pc.nix
@ -1,9 +1,9 @@
 # This module contains the basic configuration for building a NixOS
 # tarball, that can directly boot, maybe using PXE or unpacking on a fs.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-sheevaplug.nix
@ -1,9 +1,9 @@
 # This module contains the basic configuration for building a NixOS
 # tarball for the sheevaplug.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -138,7 +138,8 @@ in
  };
  # Setting vesa, we don't get the nvidia driver, which can't work in arm.
-  hardware.opengl.videoDrivers = [ "vesa" ];
+  services.xserver.videoDrivers = [ "vesa" ];
  services.nixosManual.enable = false;
  # Include the firmware for various wireless cards.
--- a/nixos/modules/installer/cd-dvd/system-tarball.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball.nix
@ -2,9 +2,9 @@
 # configuration.  The derivation for the ISO image will be placed in
 # config.system.build.tarball.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/installer/scan/detected.nix
+++ b/nixos/modules/installer/scan/detected.nix
@ -1,8 +1,8 @@
 # List all devices which are detected by nixos-hardware-scan.
 # Common devices are enabled by default.
-{config, pkgs, ...}:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
  config = mkDefault {
--- a/nixos/modules/installer/scan/not-detected.nix
+++ b/nixos/modules/installer/scan/not-detected.nix
@ -1,8 +1,8 @@
 # List all devices which are _not_ detected by nixos-hardware-scan.
 # Common devices are enabled by default.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
  hardware.enableAllFirmware = true;
--- a/nixos/modules/installer/tools/get-version-suffix
+++ b/nixos/modules/installer/tools/get-version-suffix
@ -17,6 +17,6 @@ getVersion() {
 if nixpkgs=$(nix-instantiate --find-file nixpkgs "$@"); then
    getVersion $nixpkgs
    if [ -n "$rev" ]; then
-        echo "pre-$rev"
+        echo ".git.$rev"
    fi
 fi
--- a/nixos/modules/installer/tools/nixos-checkout.nix
+++ b/nixos/modules/installer/tools/nixos-checkout.nix
@ -1,9 +1,9 @@
 # This module generates the nixos-checkout script, which replaces the
 # Nixpkgs source trees in /etc/nixos/nixpkgs with a Git checkout.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -1,9 +1,11 @@
 #! @perl@
 use Cwd 'abs_path';
 use File::Spec;
 use File::Path;
 use File::Basename;
 use File::Slurp;
 use File::stat;
 sub uniq {
@ -130,13 +132,14 @@ sub pciCheck {
    # broadcom STA driver (wl.ko)
    # list taken from http://www.broadcom.com/docs/linux_sta/README.txt
    # FIXME: still needed?
    if ($vendor eq "0x14e4" &&
        ($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" ||
         $device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" ||
         $device eq "0x4329" || $device eq "0x432a" || $device eq "0x432b" ||
         $device eq "0x432c" || $device eq "0x432d" || $device eq "0x4353" ||
-         $device eq "0x4357" || $device eq "0x4358" || $device eq "0x4359" ) )
+         $device eq "0x4357" || $device eq "0x4358" || $device eq "0x4359" ||
         $device eq "0x4331" || $device eq "0x43a0" || $device eq "0x43b1"
        ) )
     {
        push @modulePackages, "config.boot.kernelPackages.broadcom_sta";
        push @kernelModules, "wl";
@ -158,14 +161,14 @@ sub pciCheck {
    # Assume that all NVIDIA cards are supported by the NVIDIA driver.
    # There may be exceptions (e.g. old cards).
    # FIXME: do we want to enable an unfree driver here?
-    $videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/;
+    #$videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/;
 }
 foreach my $path (glob "/sys/bus/pci/devices/*") {
    pciCheck $path;
 }
-push @attrs, "hardware.opengl.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
+push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
 # Idem for USB devices.
@ -218,22 +221,41 @@ foreach my $path (glob "/sys/class/block/*") {
 }
-my $dmi = `@dmidecode@/sbin/dmidecode`;
+my $virt = `systemd-detect-virt`;
 chomp $virt;
 # Check if we're a VirtualBox guest.  If so, enable the guest
 # additions.
-if ($dmi =~ /Manufacturer: innotek/) {
+if ($virt eq "oracle") {
    push @attrs, "services.virtualbox.enable = true;"
 }
 # Likewise for QEMU.
-if ($dmi =~ /Manufacturer: Bochs/) {
+if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") {
    push @imports, "<nixpkgs/nixos/modules/profiles/qemu-guest.nix>";
 }
 # For a device name like /dev/sda1, find a more stable path like
 # /dev/disk/by-uuid/X or /dev/disk/by-label/Y.
 sub findStableDevPath {
    my ($dev) = @_;
    return $dev if substr($dev, 0, 1) ne "/";
    return $dev unless -e $dev;
    my $st = stat($dev) or return $dev;
    foreach my $dev2 (glob("/dev/disk/by-uuid/*"), glob("/dev/mapper/*"), glob("/dev/disk/by-label/*")) {
        my $st2 = stat($dev2) or next;
        return $dev2 if $st->rdev == $st2->rdev;
    }
    return $dev;
 }
 # Generate the swapDevices option from the currently activated swap
 # devices.
 my @swaps = read_file("/proc/swaps");
@ -241,7 +263,9 @@ shift @swaps;
 my @swapDevices;
 foreach my $swap (@swaps) {
    $swap =~ /^(\S+)\s/;
-    push @swapDevices, "{ device = \"$1\"; }";
+    next unless -e $1;
    my $dev = findStableDevPath $1;
    push @swapDevices, "{ device = \"$dev\"; }";
 }
@ -267,6 +291,7 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
    # Skip special filesystems.
    next if in($mountPoint, "/proc") || in($mountPoint, "/dev") || in($mountPoint, "/sys") || in($mountPoint, "/run") || $mountPoint eq "/var/lib/nfs/rpc_pipefs";
    next if $mountPoint eq "/var/setuid-wrappers";
    # Skip the optional fields.
    my $n = 6; $n++ while $fields[$n] ne "-"; $n++;
@ -280,9 +305,11 @@ foreach my $fs (read_file("/proc/self/mountinfo")) {
    # Maybe this is a bind-mount of a filesystem we saw earlier?
    if (defined $fsByDev{$fields[2]}) {
        my $path = $fields[3]; $path = "" if $path eq "/";
        my $base = $fsByDev{$fields[2]};
        $base = "" if $base eq "/";
        $fileSystems .= <<EOF;
  fileSystems.\"$mountPoint\" =
-    { device = \"$fsByDev{$fields[2]}$path\";
+    { device = \"$base$path\";
      fsType = \"none\";
      options = \"bind\";
    };
@ -313,7 +340,7 @@ EOF
    # Emit the filesystem.
    $fileSystems .= <<EOF;
  fileSystems.\"$mountPoint\" =
-    { device = \"$device\";
+    { device = \"${\(findStableDevPath $device)}\";
      fsType = \"$fsType\";
 EOF
@ -342,7 +369,7 @@ sub toNixExpr {
 sub multiLineList {
    my $indent = shift;
-    return "[ ]" if !@_;
+    return " [ ]" if !@_;
    $res = "\n${indent}[ ";
    my $first = 1;
    foreach my $s (@_) {
@ -401,7 +428,6 @@ if ($showHardwareConfig) {
        if (-e "/sys/firmware/efi/efivars") {
            $bootLoaderConfig = <<EOF;
  # Use the gummiboot efi boot loader.
  boot.loader.grub.enable = false;
  boot.loader.gummiboot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
 EOF
@ -439,6 +465,12 @@ $bootLoaderConfig
  #   defaultLocale = "en_US.UTF-8";
  # };
  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  # environment.systemPackages = with pkgs; [
  #   wget
  # ];
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
@ -455,6 +487,17 @@ $bootLoaderConfig
  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.kdm.enable = true;
  # services.xserver.desktopManager.kde4.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.extraUsers.guest = {
  #   name = "guest";
  #   group = "users";
  #   uid = 1000;
  #   createHome = true;
  #   home = "/home/guest";
  #   shell = "/run/current-system/sw/bin/bash";
  # };
 }
 EOF
    } else {
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@ -1,15 +1,26 @@
 #! @shell@
 # - [mount target device] <- currently disabled
 # - make Nix store etc.
 # - copy closure of Nix to target device
 # - register validity
 # - with a chroot to the target device:
 #   * nix-env -p /nix/var/nix/profiles/system -i <nix-expr for the configuration>
-#   * run the activation script of the configuration (also installs Grub)
+#   * install the boot loader
 # Re-exec ourselves in a private mount namespace so that our bind
 # mounts get cleaned up automatically.
 if [ "$(id -u)" = 0 ]; then
    if [ -z "$NIXOS_INSTALL_REEXEC" ]; then
        export NIXOS_INSTALL_REEXEC=1
        exec unshare --mount --uts -- "$0" "$@"
    else
        mount --make-rprivate /
    fi
 fi
 # Parse the command line for the -I flag
 extraBuildFlags=()
 chrootCommand=(/run/current-system/sw/bin/bash)
 while [ "$#" -gt 0 ]; do
    i="$1"; shift 1
@ -19,6 +30,14 @@ while [ "$#" -gt 0 ]; do
            absolute_path=$(readlink -m $given_path)
            extraBuildFlags+=("$i" "/mnt$absolute_path")
            ;;
        --show-trace)
            extraBuildFlags+=("$i")
            ;;
        --chroot)
            runChroot=1
            chrootCommand=("$@")
            break
            ;;
        --help)
            exec man nixos-install
            exit 1
@ -37,10 +56,6 @@ if test -z "$mountPoint"; then
    mountPoint=/mnt
 fi
 if test -z "$NIXOS_CONFIG"; then
    NIXOS_CONFIG=/etc/nixos/configuration.nix
 fi
 if ! test -e "$mountPoint"; then
    echo "mount point $mountPoint doesn't exist"
    exit 1
@ -51,53 +66,45 @@ if ! grep -F -q " $mountPoint " /proc/mounts; then
    exit 1
 fi
 # Mount some stuff in the target root directory.
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
 mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 mount --rbind / $mountPoint/tmp/root
 mount -t tmpfs -o "mode=0755" none $mountPoint/run
 mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
 rm -f $mountPoint/etc/{resolv.conf,hosts}
 cp -f /etc/resolv.conf /etc/hosts $mountPoint/etc/
 if [ -n "$runChroot" ]; then
    if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
        echo "$0: installation not finished; cannot chroot into installation directory"
        exit 1
    fi
    ln -s /nix/var/nix/profiles/system $mountPoint/run/current-system
    exec chroot $mountPoint "${chrootCommand[@]}"
 fi
 # Get the path of the NixOS configuration file.
 if test -z "$NIXOS_CONFIG"; then
    NIXOS_CONFIG=/etc/nixos/configuration.nix
 fi
 if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
    echo "configuration file $mountPoint/$NIXOS_CONFIG doesn't exist"
    exit 1
 fi
 # Mount some stuff in the target root directory.  We bind-mount /etc
 # into the chroot because we need networking and the nixbld user
 # accounts in /etc/passwd.  But we do need the target's /etc/nixos.
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/mnt $mountPoint/mnt2 $mountPoint/mnt-nixpkgs $mountPoint/etc /etc/nixos
 mount --make-private / # systemd makes / shared, which is annoying
 mount --bind / $mountPoint/mnt
 mount --bind /nix $mountPoint/mnt/nix
 mount --bind /nix/store $mountPoint/mnt/nix/store
 mount --bind /dev $mountPoint/dev
 mount --bind /dev/shm $mountPoint/dev/shm
 mount --bind /proc $mountPoint/proc
 mount --bind /sys $mountPoint/sys
 mount --bind /sys/firmware/efi/efivars $mountPoint/sys/firmware/efi/efivars &>/dev/null || true
 mount --bind $mountPoint/etc/nixos $mountPoint/mnt2
 mount --bind /etc $mountPoint/etc
 mount --bind $mountPoint/mnt2 $mountPoint/etc/nixos
 cleanup() {
    set +e
    mountpoint -q $mountPoint/etc/nixos && umount $mountPoint/etc/nixos
    mountpoint -q $mountPoint/etc && umount $mountPoint/etc
    umount $mountPoint/mnt2
    umount $mountPoint/mnt-nixpkgs
    umount $mountPoint/sys/firmware/efi/efivars &>/dev/null || true
    umount $mountPoint/sys
    umount $mountPoint/proc
    umount $mountPoint/dev/shm
    umount $mountPoint/dev
    umount $mountPoint/mnt/nix/store
    umount $mountPoint/mnt/nix
    umount $mountPoint/mnt
    rmdir $mountPoint/mnt $mountPoint/mnt2 $mountPoint/mnt-nixpkgs
 }
 trap "cleanup" EXIT
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/var
 # Create the necessary Nix directories on the target device, if they
 # don't already exist.
 mkdir -m 0755 -p \
@ -110,25 +117,11 @@ mkdir -m 0755 -p \
    $mountPoint/nix/var/log/nix/drvs
 mkdir -m 1775 -p $mountPoint/nix/store
-build_users_group=$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"build-users-group"};')
+chown root:nixbld $mountPoint/nix/store
 if test -n "$build_users_group"; then
    chown root:"$build_users_group" $mountPoint/nix/store
 else
    chown root $mountPoint/nix/store
 fi
-# Get the store paths to copy from the references graph.
+# There is no daemon in the chroot.
-storePaths=$(@perl@/bin/perl @pathsFromGraph@ @nixClosure@)
+unset NIX_REMOTE
 # Copy Nix to the Nix store on the target device.
 echo "copying Nix to $mountPoint...."
 for i in $storePaths; do
    echo "  $i"
    chattr -R -i $mountPoint/$i 2> /dev/null || true # clear immutable bit
    rsync -a $i $mountPoint/nix/store/
 done
 # We don't have locale-archive in the chroot, so clear $LANG.
@ -137,28 +130,36 @@ export LC_ALL=
 export LC_TIME=
 # There is no daemon in the chroot
 unset NIX_REMOTE
 # Create a temporary Nix config file that causes the nixbld users to
 # be used.
-if test -n "$build_users_group"; then
+echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf # FIXME: remove in Nix 1.8
    echo "build-users-group = $build_users_group" > $mountPoint/tmp/nix.conf
 fi
 binary_caches=$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')
 if test -n "$binary_caches"; then
    echo "binary-caches = $binary_caches" >> $mountPoint/tmp/nix.conf
 fi
 export NIX_CONF_DIR=/tmp
 touch $mountPoint/etc/passwd $mountPoint/etc/group
 mount --bind -o ro /etc/passwd $mountPoint/etc/passwd
 mount --bind -o ro /etc/group $mountPoint/etc/group
-# Register the paths in the Nix closure as valid.  This is necessary
+
-# to prevent them from being deleted the first time we install
+# Copy Nix to the Nix store on the target device, unless it's already there.
-# something.  (I.e., Nix will see that, e.g., the glibc path is not
+if ! NIX_DB_DIR=$mountPoint/nix/var/nix/db nix-store --check-validity @nix@ 2> /dev/null; then
-# valid, delete it to get it out of the way, but as a result nothing
+    echo "copying Nix to $mountPoint...."
-# will work anymore.)
+    for i in $(@perl@/bin/perl @pathsFromGraph@ @nixClosure@); do
-chroot $mountPoint @nix@/bin/nix-store --register-validity < @nixClosure@
+        echo "  $i"
        chattr -R -i $mountPoint/$i 2> /dev/null || true # clear immutable bit
        rsync -a $i $mountPoint/nix/store/
    done
    # Register the paths in the Nix closure as valid.  This is necessary
    # to prevent them from being deleted the first time we install
    # something.  (I.e., Nix will see that, e.g., the glibc path is not
    # valid, delete it to get it out of the way, but as a result nothing
    # will work anymore.)
    chroot $mountPoint @nix@/bin/nix-store --register-validity < @nixClosure@
 fi
 # Create the required /bin/sh symlink; otherwise lots of things
@ -168,15 +169,9 @@ mkdir -m 0755 -p $mountPoint/bin
 ln -sf @shell@ $mountPoint/bin/sh
 if test -n "$NIXOS_PREPARE_CHROOT_ONLY"; then
    echo "User requested only to prepare chroot. Exiting."
    exit 0
 fi
 # Make the build below copy paths from the CD if possible.  Note that
-# /mnt in the chroot is the root of the CD.
+# /tmp/root in the chroot is the root of the CD.
-export NIX_OTHER_STORES=/mnt/nix:$NIX_OTHER_STORES
+export NIX_OTHER_STORES=/tmp/root/nix:$NIX_OTHER_STORES
 p=@nix@/libexec/nix/substituters
 export NIX_SUBSTITUTERS=$p/copy-from-other-stores.pl:$p/download-from-binary-cache.pl
@ -191,15 +186,15 @@ done
 # Get the absolute path to the NixOS/Nixpkgs sources.
-mount --bind $(readlink -f $(nix-instantiate --find-file nixpkgs)) $mountPoint/mnt-nixpkgs
+nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"
 # Build the specified Nix expression in the target store and install
 # it into the system configuration profile.
 echo "building the system configuration..."
-NIX_PATH="nixpkgs=/mnt-nixpkgs:nixos=/mnt-nixpkgs/nixos:nixos-config=$NIXOS_CONFIG" NIXOS_CONFIG= \
+NIX_PATH="nixpkgs=/tmp/root/$nixpkgs:nixos-config=$NIXOS_CONFIG" NIXOS_CONFIG= \
    chroot $mountPoint @nix@/bin/nix-env \
-    "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system -f '<nixos>' --set -A system --show-trace
+    "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' --set -A system
 # Copy the NixOS/Nixpkgs sources to the target as the initial contents
@ -217,10 +212,8 @@ mkdir -m 0700 -p $mountPoint/root/.nix-defexpr
 ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defexpr/channels
-# We're done building/downloading, so we don't need the /etc bind
+# Get rid of the /etc bind mounts.
-# mount anymore.  In fact, below we want to modify the target's /etc.
+umount $mountPoint/etc/passwd $mountPoint/etc/group
 umount $mountPoint/etc/nixos
 umount $mountPoint/etc
 # Grub needs an mtab.
@ -238,3 +231,17 @@ touch $mountPoint/etc/NIXOS
 echo "finalising the installation..."
 NIXOS_INSTALL_GRUB=1 chroot $mountPoint \
    /nix/var/nix/profiles/system/bin/switch-to-configuration boot
 # Run the activation script.
 chroot $mountPoint /nix/var/nix/profiles/system/activate
 # Ask the user to set a root password.
 if [ -t 0 ] ; then
    echo "setting root password..."
    chroot $mountPoint passwd
 fi
 echo "installation finished!"
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@ -1,4 +1,8 @@
-#! @shell@ -e
+#! @shell@
 if [ -x "@shell@" ]; then export SHELL="@shell@"; fi;
 set -e
 showSyntax() {
    exec man nixos-rebuild
@ -7,6 +11,7 @@ showSyntax() {
 # Parse the command line.
 origArgs=("$@")
 extraBuildFlags=()
 action=
 buildNix=1
@ -76,8 +81,30 @@ done
 if [ -z "$action" ]; then showSyntax; fi
-if [ -n "$rollback" ]; then
+# Only run shell scripts from the Nixpkgs tree if the action is
-    buildNix=
+# "switch", "boot", or "test". With other actions (such as "build"),
 # the user may reasonably expect that no code from the Nixpkgs tree is
 # executed, so it's safe to run nixos-rebuild against a potentially
 # untrusted tree.
 canRun=
 if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then
    canRun=1
 fi
 # If ‘--upgrade’ is given, run ‘nix-channel --update nixos’.
 if [ -n "$upgrade" -a -z "$_NIXOS_REBUILD_REEXEC" ]; then
    nix-channel --update nixos
 fi
 # Re-execute nixos-rebuild from the Nixpkgs tree.
 if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
    if p=$(nix-instantiate --find-file nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh "${extraBuildFlags[@]}"); then
        export _NIXOS_REBUILD_REEXEC=1
        exec $SHELL -e $p "${origArgs[@]}"
        exit 1
    fi
 fi
@ -98,20 +125,33 @@ if [ -z "$repair" ] && systemctl show nix-daemon.socket nix-daemon.service | gre
 fi
-# If ‘--upgrade’ is given, run ‘nix-channel --update nixos’.
+# First build Nix, since NixOS may require a newer version than the
-if [ -n "$upgrade" ]; then
+# current one.
-    nix-channel --update nixos
+if [ -n "$rollback" -o "$action" = dry-run ]; then
    buildNix=
 fi
-
+if [ -n "$buildNix" ]; then
 # First build Nix, since NixOS may require a newer version than the
 # current one.  Of course, the same goes for Nixpkgs, but Nixpkgs is
 # more conservative.
 if [ "$action" != dry-run -a -n "$buildNix" ]; then
    echo "building Nix..." >&2
    if ! nix-build '<nixpkgs/nixos>' -A config.nix.package -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
        if ! nix-build '<nixpkgs/nixos>' -A nixFallback -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
-            nix-build '<nixpkgs>' -A nixUnstable -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null
+            if ! nix-build '<nixpkgs>' -A nix -o $tmpDir/nix "${extraBuildFlags[@]}" > /dev/null; then
                machine="$(uname -m)"
                if [ "$machine" = x86_64 ]; then
                    nixStorePath=/nix/store/d34q3q2zj9nriq4ifhn3dnnngqvinjb3-nix-1.7
                elif [[ "$machine" =~ i.86 ]]; then
                    nixStorePath=/nix/store/qlah0darpcn6sf3lr2226rl04l1gn4xz-nix-1.7
                else
                    echo "$0: unsupported platform"
                    exit 1
                fi
                if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
                    --option extra-binary-caches http://cache.nixos.org/; then
                    echo "warning: don't know how to get latest Nix" >&2
                fi
                # Older version of nix-store -r don't support --add-root.
                [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
            fi
        fi
    fi
    PATH=$tmpDir/nix/bin:$PATH
@ -120,10 +160,12 @@ fi
 # Update the version suffix if we're building from Git (so that
 # nixos-version shows something useful).
-if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
+if [ -n "$canRun" ]; then
-    suffix=$(@shell@ $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true)
+    if nixpkgs=$(nix-instantiate --find-file nixpkgs "${extraBuildFlags[@]}"); then
-    if [ -n "$suffix" ]; then
+        suffix=$($SHELL $nixpkgs/nixos/modules/installer/tools/get-version-suffix "${extraBuildFlags[@]}" || true)
-        echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
+        if [ -n "$suffix" ]; then
            echo -n "$suffix" > "$nixpkgs/.version-suffix" || true
        fi
    fi
 fi
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@ -38,7 +38,6 @@ let
    name = "nixos-generate-config";
    src = ./nixos-generate-config.pl;
    perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl";
    inherit (pkgs) dmidecode;
  };
  nixos-option = makeProg {
@ -80,9 +79,9 @@ in
  /*
  options = {
-    installer.enableGraphicalTools = pkgs.lib.mkOption {
+    installer.enableGraphicalTools = mkOption {
      default = false;
-      type = with pkgs.lib.types; bool;
+      type = types.bool;
      example = true;
      description = ''
        Enable the installation of graphical tools.
--- a/nixos/modules/installer/virtualbox-demo.nix
+++ b/nixos/modules/installer/virtualbox-demo.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
  imports =
@ -15,5 +15,5 @@ with pkgs.lib;
  # Add some more video drivers to give X11 a shot at working in
  # VMware and QEMU.
-  hardware.opengl.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" ];
+  services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" ];
 }
--- a/nixos/modules/misc/assertions.nix
+++ b/nixos/modules/misc/assertions.nix
@ -1,14 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
  failed = map (x: x.message) (filter (x: !x.assertion) config.assertions);
  showWarnings = res: fold (w: x: builtins.trace "[1;31mwarning: ${w}[0m" x) res config.warnings;
 in
 {
@ -38,15 +30,5 @@ in
    };
  };
-
+  # impl of assertions is in <nixos/modules/system/activation/top-level.nix>
  config = {
    # This option is evaluated always. Thus the assertions are checked
    # as well. Hacky!
    environment.systemPackages = showWarnings (
      if [] == failed then []
      else throw "\nFailed assertions:\n${concatStringsSep "\n" (map (x: "- ${x}") failed)}");
  };
 }
--- a/nixos/modules/misc/check-config.nix
+++ b/nixos/modules/misc/check-config.nix
@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ lib, ... }:
-with pkgs.lib;
+with lib;
 {
  options = {
--- a/nixos/modules/misc/crashdump.nix
+++ b/nixos/modules/misc/crashdump.nix
@ -1,6 +1,6 @@
-{pkgs, config, ...}:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
  crashdump = config.boot.crashDump;
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -52,13 +52,13 @@
      osgi = 34;
      tor = 35;
      cups = 36;
-      foldingAtHome = 37;
+      foldingathome = 37;
      sabnzbd = 38;
      kdm = 39;
-      ghostOne = 40;
+      ghostone = 40;
      git = 41;
-      fourStore = 42;
+      fourstore = 42;
-      fourStoreEndpoint = 43;
+      fourstorehttp = 43;
      virtuoso = 44;
      rtkit = 45;
      dovecot2 = 46;
@ -84,7 +84,7 @@
      postgres = 71;
      smbguest = 74;
      varnish = 75;
-      dd-agent = 76;
+      datadog = 76;
      lighttpd = 77;
      lightdm = 78;
      freenet = 79;
@ -129,8 +129,12 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
      influxdb = 125;
-      # When adding a uid, make sure it doesn't match an existing gid.
+      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
      nixbld = 30000; # start of range of uids
      nobody = 65534;
@ -171,8 +175,8 @@
      osgi = 34;
      ghostOne = 40;
      git = 41;
-      fourStore = 42;
+      fourstore = 42;
-      fourStoreEndpoint = 43;
+      fourstorehttpd = 43;
      virtuoso = 44;
      dovecot2 = 46;
      prayer = 49;
@ -199,7 +203,7 @@
      vboxsf = 73;
      smbguest = 74;
      varnish = 75;
-      dd-agent = 76;
+      datadog = 76;
      lighttpd = 77;
      lightdm = 78;
      freenet = 79;
@ -232,8 +236,12 @@
      newrelic = 119;
      starbound = 120;
      grsecurity = 121;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
      influxdb = 125;
-      # When adding a gid, make sure it doesn't match an existing uid.
+      # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
      users = 100;
      nixbld = 30000;
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
  isConfig = x:
@ -62,8 +62,7 @@ in
      type = types.str;
      description = ''
        Specifies the Nix platform type for which NixOS should be built.
-        If unset, it defaults to the platform type of your host system
+        If unset, it defaults to the platform type of your host system.
        (<literal>${builtins.currentSystem}</literal>).
        Specifying this option is useful when doing distributed
        multi-platform deployment, or when building virtual machines.
      '';
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
@ -53,7 +53,7 @@ with pkgs.lib;
      mkDefault (if pathExists fn then readFile fn else "master");
    # Note: code names must only increase in alphabetical order.
-    system.nixosCodeName = "Baboon";
+    system.nixosCodeName = "Caterpillar";
    # Generate /etc/os-release.  See
    # http://0pointer.de/public/systemd-man/os-release.html for the
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -32,6 +32,7 @@
  ./hardware/opengl.nix
  ./hardware/pcmcia.nix
  ./hardware/video/bumblebee.nix
  ./hardware/video/nvidia.nix
  ./installer/tools/nixos-checkout.nix
  ./installer/tools/tools.nix
  ./misc/assertions.nix
@ -97,10 +98,20 @@
  ./services/databases/postgresql.nix
  ./services/databases/virtuoso.nix
  ./services/databases/monetdb.nix
  ./services/databases/influxdb.nix
  ./services/desktops/accountservice.nix
  ./services/desktops/geoclue2.nix
  ./services/desktops/gnome3/at-spi2-core.nix
  ./services/desktops/gnome3/evolution-data-server.nix
  ./services/desktops/gnome3/gnome-documents.nix
  ./services/desktops/gnome3/gnome-keyring.nix
  ./services/desktops/gnome3/gnome-online-accounts.nix
  ./services/desktops/gnome3/gnome-online-miners.nix
  ./services/desktops/gnome3/gnome-user-share.nix
  ./services/desktops/gnome3/gvfs.nix
  ./services/desktops/gnome3/seahorse.nix
  ./services/desktops/gnome3/sushi.nix
  ./services/desktops/gnome3/tracker.nix
  ./services/desktops/telepathy.nix
  ./services/games/ghost-one.nix
  ./services/games/minecraft-server.nix
@ -112,7 +123,6 @@
  ./services/hardware/pommed.nix
  ./services/hardware/sane.nix
  ./services/hardware/udev.nix
  ./services/hardware/udisks.nix
  ./services/hardware/udisks2.nix
  ./services/hardware/upower.nix
  ./services/hardware/thinkfan.nix
@ -128,7 +138,7 @@
  ./services/mail/opensmtpd.nix
  ./services/mail/postfix.nix
  ./services/mail/spamassassin.nix
-  ./services/misc/autofs.nix
+  #./services/misc/autofs.nix
  ./services/misc/cgminer.nix
  ./services/misc/dictd.nix
  ./services/misc/disnix.nix
@ -159,6 +169,7 @@
  ./services/network-filesystems/drbd.nix
  ./services/network-filesystems/nfsd.nix
  ./services/network-filesystems/openafs-client/default.nix
  ./services/network-filesystems/rsyncd.nix
  ./services/network-filesystems/samba.nix
  ./services/networking/amuled.nix
  ./services/networking/avahi-daemon.nix
@ -207,10 +218,12 @@
  ./services/networking/rpcbind.nix
  ./services/networking/sabnzbd.nix
  ./services/networking/searx.nix
  ./services/networking/spiped.nix
  ./services/networking/supybot.nix
  ./services/networking/syncthing.nix
  ./services/networking/ssh/lshd.nix
  ./services/networking/ssh/sshd.nix
  ./services/networking/teamspeak3.nix
  ./services/networking/tftpd.nix
  ./services/networking/unbound.nix
  ./services/networking/vsftpd.nix
@ -242,6 +255,7 @@
  ./services/ttys/agetty.nix
  ./services/ttys/kmscon.nix
  ./services/web-servers/apache-httpd/default.nix
  ./services/web-servers/fcgiwrap.nix
  ./services/web-servers/jboss/default.nix
  ./services/web-servers/lighttpd/default.nix
  ./services/web-servers/lighttpd/cgit.nix
@ -296,17 +310,20 @@
  ./tasks/filesystems.nix
  ./tasks/filesystems/btrfs.nix
  ./tasks/filesystems/ext.nix
  ./tasks/filesystems/f2fs.nix
  ./tasks/filesystems/nfs.nix
  ./tasks/filesystems/reiserfs.nix
  ./tasks/filesystems/unionfs-fuse.nix
  ./tasks/filesystems/vfat.nix
  ./tasks/filesystems/xfs.nix
  ./tasks/filesystems/zfs.nix
  ./tasks/encrypted-devices.nix
  ./tasks/kbd.nix
  ./tasks/lvm.nix
  ./tasks/network-interfaces.nix
  ./tasks/scsi-link-power-management.nix
  ./tasks/swraid.nix
  ./tasks/trackpoint.nix
  ./testing/service-runner.nix
  ./virtualisation/container-config.nix
  ./virtualisation/containers.nix
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -34,6 +34,7 @@
    pkgs.dosfstools
    pkgs.xfsprogs
    pkgs.jfsutils
    pkgs.f2fs-tools
    #pkgs.jfsrec # disabled because of Boost dependency
    # Some compression/archiver tools.
@ -50,6 +51,6 @@
  ];
  # Include support for various filesystems.
-  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" ];
+  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" ];
 }
--- a/nixos/modules/profiles/clone-config.nix
+++ b/nixos/modules/profiles/clone-config.nix
@ -1,6 +1,6 @@
-{ config, pkgs, modules, ... }:
+{ config, lib, pkgs, modules, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/profiles/headless.nix
+++ b/nixos/modules/profiles/headless.nix
@ -1,9 +1,9 @@
 # Common configuration for headless machines (e.g., Amazon EC2
 # instances).
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 {
  sound.enable = false;
@ -12,6 +12,8 @@ with pkgs.lib;
  # Don't start a tty on the serial consoles.
  systemd.services."serial-getty@ttyS0".enable = false;
  systemd.services."serial-getty@hvc0".enable = false;
  systemd.services."getty@tty1".enable = false;
  systemd.services."autovt@".enable = false;
  # Since we can't manually respond to a panic, just reboot.
  boot.kernelParams = [ "panic=1" "boot.panic_on_fail" ];
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@ -1,7 +1,7 @@
 # Provide a basic configuration for installation devices like CDs.
-{ config, pkgs, modules, ... }:
+{ config, lib, ... }:
-with pkgs.lib;
+with lib;
 {
  imports =
@ -45,7 +45,7 @@ with pkgs.lib;
    # Enable wpa_supplicant, but don't start it by default.
    networking.wireless.enable = true;
-    jobs.wpa_supplicant.startOn = pkgs.lib.mkOverride 50 "";
+    jobs.wpa_supplicant.startOn = mkOverride 50 "";
    # Tell the Nix evaluator to garbage collect more aggressively.
    # This is desirable in memory-constrained environments that don't
--- a/nixos/modules/profiles/minimal.nix
+++ b/nixos/modules/profiles/minimal.nix
@ -1,11 +1,8 @@
 # This module defines a small NixOS configuration.  It does not
 # contain any graphical stuff.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
-  # Don't include X libraries.
+  environment.noXlibs = true;
  programs.ssh.setXAuthLocation = false;
  fonts.enableFontConfig = false;
  fonts.enableCoreFonts = false;
 }
--- a/nixos/modules/profiles/qemu-guest.nix
+++ b/nixos/modules/profiles/qemu-guest.nix
@ -5,7 +5,7 @@
 {
  boot.initrd.availableKernelModules = [ "virtio_net" "virtio_pci" "virtio_blk" "9p" "9pnet_virtio" ];
-  boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" ];
+  boot.initrd.kernelModules = [ "virtio_balloon" "virtio_console" "virtio_rng" ];
  boot.initrd.postDeviceCommands =
    ''
--- a/nixos/modules/programs/atop.nix
+++ b/nixos/modules/programs/atop.nix
@ -1,8 +1,8 @@
 # Global configuration for atop.
-{config, pkgs, ...}:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let cfg = config.programs.atop;
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@ -1,9 +1,9 @@
 # This module defines global configuration for the Bash shell, in
 # particular /etc/bashrc and /etc/profile.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -40,6 +40,7 @@ in
    programs.bash = {
      /*
      enable = mkOption {
        default = true;
        description = ''
@ -52,6 +53,7 @@ in
        '';
        type = types.bool;
      };
      */
      shellAliases = mkOption {
        default = config.environment.shellAliases // { which = "type -P"; };
@ -114,7 +116,7 @@ in
  };
-  config = mkIf cfg.enable {
+  config = /* mkIf cfg.enable */ {
    programs.bash = {
--- a/nixos/modules/programs/bash/command-not-found.nix
+++ b/nixos/modules/programs/bash/command-not-found.nix
@ -3,9 +3,9 @@
 # SQLite database that maps program names to Nix package names (e.g.,
 # "pdflatex" is mapped to "tetex").
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/programs/environment.nix
+++ b/nixos/modules/programs/environment.nix
@ -2,9 +2,9 @@
 # Most of the stuff here should probably be moved elsewhere sometime.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -17,8 +17,7 @@ in
  config = {
    environment.variables =
-      { LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
+      { LOCATE_PATH = "/var/cache/locatedb";
        LOCATE_PATH = "/var/cache/locatedb";
        NIXPKGS_CONFIG = "/etc/nix/nixpkgs-config.nix";
        NIX_PATH =
          [ "/nix/var/nix/profiles/per-user/root/channels/nixos"
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@ -1,8 +1,8 @@
 # Configuration for the pwdutils suite of tools: passwd, useradd, etc.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
@ -10,12 +10,12 @@ let
    ''
      DEFAULT_HOME yes
-      SYS_UID_MIN  100
+      SYS_UID_MIN  400
      SYS_UID_MAX  499
      UID_MIN      1000
      UID_MAX      29999
-      SYS_GID_MIN  100
+      SYS_GID_MIN  400
      SYS_GID_MAX  499
      GID_MIN      1000
      GID_MAX      29999
--- a/nixos/modules/programs/shell.nix
+++ b/nixos/modules/programs/shell.nix
@ -1,8 +1,8 @@
 # This module defines a standard configuration for NixOS shells.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -1,8 +1,8 @@
 # Global configuration for the SSH client.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let cfg  = config.programs.ssh;
    cfgd = config.services.openssh;
@ -47,7 +47,20 @@ in
          for help.
        '';
      };
      startAgent = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Whether to start the OpenSSH agent when you log in.  The OpenSSH agent
          remembers private keys for you so that you don't have to type in
          passphrases every time you make an SSH connection.  Use
          <command>ssh-add</command> to add a key to the agent.
        '';
      };
    };
  };
  config = {
@ -71,5 +84,28 @@ in
          target = "ssh/ssh_config";
        }
      ];
    # FIXME: this should really be socket-activated for über-awesomeness.
    systemd.user.services.ssh-agent =
      { enable = cfg.startAgent;
        description = "SSH Agent";
        wantedBy = [ "default.target" ];
        serviceConfig =
          { ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
            ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
            StandardOutput = "null";
            Type = "forking";
            Restart = "on-failure";
            SuccessExitStatus = "0 2";
          };
      };
    environment.extraInit = optionalString cfg.startAgent
      ''
        if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
          export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
        fi
      '';
  };
 }
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@ -3,9 +3,9 @@
 # directly to an SMTP server defined in its configuration file, wihout
 # queueing mail locally.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with pkgs.lib;
+with lib;
 let
--- a/Show More
+++ b/Show More