Merge remote-tracking branch 'upstream/master' into consistent-bazel-ref

2020-04-01 16:16:30 -04:00 · 2020-04-01 16:16:30 -04:00 · 6bf6ec8a96
commit 6bf6ec8a96
parent 6f94f8fd3f 094f7ddd5a
3594 changed files with 114013 additions and 71489 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -31,6 +31,9 @@
 /pkgs/build-support/bintools-wrapper  @Ericson2314 @orivej
 /pkgs/build-support/setup-hooks       @Ericson2314
 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus @Profpatsch
 # NixOS Internals
 /nixos/default.nix          @nbp @infinisil
 /nixos/lib/from-env.nix     @nbp @infinisil
@ -63,11 +66,11 @@
 /doc/languages-frameworks/python.section.md     @FRidh
 # Haskell
-/pkgs/development/compilers/ghc                       @basvandijk @cdepillabout
+/pkgs/development/compilers/ghc                       @cdepillabout
-/pkgs/development/haskell-modules                     @basvandijk @cdepillabout @infinisil
+/pkgs/development/haskell-modules		      @cdepillabout @infinisil
-/pkgs/development/haskell-modules/default.nix         @basvandijk @cdepillabout
+/pkgs/development/haskell-modules/default.nix	      @cdepillabout
-/pkgs/development/haskell-modules/generic-builder.nix @basvandijk @cdepillabout
+/pkgs/development/haskell-modules/generic-builder.nix @cdepillabout
-/pkgs/development/haskell-modules/hoogle.nix          @basvandijk @cdepillabout
+/pkgs/development/haskell-modules/hoogle.nix	      @cdepillabout
 # Perl
 /pkgs/development/interpreters/perl @volth
@ -79,8 +82,8 @@
 /pkgs/development/r-modules         @peti
 # Ruby
-/pkgs/development/interpreters/ruby @alyssais @zimbatm
+/pkgs/development/interpreters/ruby @alyssais
-/pkgs/development/ruby-modules      @alyssais @zimbatm
+/pkgs/development/ruby-modules      @alyssais
 # Rust
 /pkgs/development/compilers/rust @Mic92 @LnL7
--- a/.gitignore
+++ b/.gitignore
@ -11,6 +11,7 @@ result-*
 .version-suffix
 .DS_Store
 .mypy_cache
 /pkgs/development/libraries/qt-5/*/tmp/
 /pkgs/desktops/kde-5/*/tmp/
--- a/.version
+++ b/.version
@ -1 +1 @@
-20.03
+20.09
--- a/README.md
+++ b/README.md
@ -24,6 +24,7 @@
 * [IRC - #nixos on freenode.net](irc://irc.freenode.net/#nixos)
 * [NixOS Weekly](https://weekly.nixos.org/)
 * [Community-maintained wiki](https://nixos.wiki/)
 * [Community-maintained list of ways to get in touch](https://nixos.wiki/wiki/Get_In_Touch#Chat) (Discord, Matrix, Telegram, other IRC channels, etc.)
 # Other Project Repositories
--- a/doc/Makefile
+++ b/doc/Makefile
@ -87,7 +87,7 @@ functions/library/generated: doc-support/result
 	ln -rfs ./doc-support/result/function-docs functions/library/generated
 %.section.xml: %.section.md
-	pandoc $^ -w docbook+smart \
+	pandoc $^ -w docbook \
 		-f markdown+smart \
 	  | sed -e 's|<ulink url=|<link xlink:href=|' \
 	      -e 's|</ulink>|</link>|' \
@ -98,7 +98,7 @@ functions/library/generated: doc-support/result
 	| cat  > $@
 %.chapter.xml: %.chapter.md
-	pandoc $^ -w docbook+smart \
+	pandoc $^ -w docbook \
 		--top-level-division=chapter \
 		-f markdown+smart \
 	  | sed -e 's|<ulink url=|<link xlink:href=|' \
--- a/doc/builders/images/ocitools.xml
+++ b/doc/builders/images/ocitools.xml
@ -25,7 +25,7 @@
 buildContainer {
  args = [ (with pkgs; writeScript "run.sh" ''
    #!${bash}/bin/bash
-    ${coreutils}/bin/exec ${bash}/bin/bash
+    exec ${bash}/bin/bash
  '').outPath ]; <co xml:id='ex-ociTools-buildContainer-1' />
  mounts = {
--- a/doc/contributing/quick-start.xml
+++ b/doc/contributing/quick-start.xml
@ -69,8 +69,7 @@
      <listitem>
       <para>
        JDiskReport, a Java utility: <link
-          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/misc/jdiskreport/default.nix"><filename>pkgs/tools/misc/jdiskreport/default.nix</filename></link> (and the <link
+          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/misc/jdiskreport/default.nix"><filename>pkgs/tools/misc/jdiskreport/default.nix</filename></link>. Nixpkgs doesn’t have a decent <varname>stdenv</varname> for Java yet so this is pretty ad-hoc.
          xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/misc/jdiskreport/builder.sh">builder</link>). Nixpkgs doesn’t have a decent <varname>stdenv</varname> for Java yet so this is pretty ad-hoc.
       </para>
      </listitem>
      <listitem>
--- a/doc/functions/library/attrsets.xml
+++ b/doc/functions/library/attrsets.xml
@ -1667,4 +1667,48 @@ recursiveUpdate
 ]]></programlisting>
  </example>
 </section>
 <section xml:id="function-library-lib.attrsets.recurseIntoAttrs">
  <title><function>lib.attrsets.recurseIntoAttrs</function></title>
  <subtitle><literal>recurseIntoAttrs :: AttrSet -> AttrSet</literal>
  </subtitle>
  <xi:include href="./locations.xml" xpointer="lib.attrsets.recurseIntoAttrs" />
  <para>
   Make various Nix tools consider the contents of the resulting
   attribute set when looking for what to build, find, etc.
  </para>
  <para>
   This function only affects a single attribute set; it does not apply itself recursively for nested attribute sets.
  </para>
  <variablelist>
   <varlistentry>
    <term>
     <varname>attrs</varname>
    </term>
    <listitem>
     <para>
      An attribute set to scan for derivations.
     </para>
    </listitem>
   </varlistentry>
  </variablelist>
  <example xml:id="function-library-lib.attrsets.recurseIntoAttrs-example">
   <title>Making Nix look inside an attribute set</title>
 <programlisting><![CDATA[
 { pkgs ? import <nixpkgs> {} }:
 {
  myTools = pkgs.lib.recurseIntoAttrs {
    inherit (pkgs) hello figlet;
  };
 }
 ]]></programlisting>
  </example>
 </section>
 </section>
--- a/doc/languages-frameworks/android.section.md
+++ b/doc/languages-frameworks/android.section.md
@ -235,5 +235,5 @@ package manager uses. To update the expressions run the `generate.sh` script
 that is stored in the `pkgs/development/mobile/androidenv/` sub directory:
 ```bash
-sh ./generate.sh
+./generate.sh
 ```
--- a/doc/languages-frameworks/crystal.section.md
+++ b/doc/languages-frameworks/crystal.section.md
@ -66,6 +66,6 @@ crystal.buildCrystalPackage rec {
  shardsFile = ./shards.nix;
  crystalBinaries.mint.src = "src/mint.cr";
-  buildInputs = [ openssl_1_0_2 ];
+  buildInputs = [ openssl ];
 }
 ```
--- a/doc/languages-frameworks/gnome.xml
+++ b/doc/languages-frameworks/gnome.xml
@ -233,7 +233,7 @@ mkDerivation {
    </term>
    <listitem>
     <para>
-      You can rely on applications depending on the library set the necessary environment variables but that it often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
+      You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:
      <itemizedlist>
       <listitem xml:id="ssec-gnome-common-issues-unwrappable-package-gnome-shell-ext">
        <para>
--- a/doc/languages-frameworks/go.xml
+++ b/doc/languages-frameworks/go.xml
@ -42,7 +42,7 @@ pet = buildGoModule rec {
  meta = with lib; {
    description = "Simple command-line snippet manager, written in Go";
-    homepage = https://github.com/knqyf263/pet;
+    homepage = "https://github.com/knqyf263/pet";
    license = licenses.mit;
    maintainers = with maintainers; [ kalbasit ];
    platforms = platforms.linux ++ platforms.darwin;
--- a/doc/languages-frameworks/haskell.section.md
+++ b/doc/languages-frameworks/haskell.section.md
@ -84,18 +84,18 @@ nix-env -qaP -A nixos.haskellPackages
 nix-env -iA nixos.haskellPackages.cabal-install
 ```
-Our current default compiler is GHC 8.6.x and the `haskellPackages` set
+Our current default compiler is GHC 8.8.x and the `haskellPackages` set
 contains packages built with that particular version. Nixpkgs contains the last
 three major releases of GHC and there is a whole family of package sets
 available that defines Hackage packages built with each of those compilers,
 too:
 ```shell
-nix-env -f "<nixpkgs>" -qaP -A haskell.packages.ghc844
+nix-env -f "<nixpkgs>" -qaP -A haskell.packages.ghc865
-nix-env -f "<nixpkgs>" -qaP -A haskell.packages.ghc882
+nix-env -f "<nixpkgs>" -qaP -A haskell.packages.ghc8101
 ```
 The name `haskellPackages` is really just a synonym for
-`haskell.packages.ghc865`, because we prefer that package set internally and
+`haskell.packages.ghc882`, because we prefer that package set internally and
 recommend it to our users as their default choice, but ultimately you are free
 to compile your Haskell packages with any GHC version you please. The following
 command displays the complete list of available compilers:
@ -112,8 +112,10 @@ haskell.compiler.ghc865                  ghc-8.6.5
 haskell.compiler.integer-simple.ghc865   ghc-8.6.5
 haskell.compiler.ghc881                  ghc-8.8.1
 haskell.compiler.integer-simple.ghc881   ghc-8.8.1
-haskell.compiler.ghc882                  ghc-8.8.1.20191211
+haskell.compiler.ghc882                  ghc-8.8.2
-haskell.compiler.integer-simple.ghc882   ghc-8.8.1.20191211
+haskell.compiler.integer-simple.ghc882   ghc-8.8.2
 haskell.compiler.ghc883                  ghc-8.8.3
 haskell.compiler.integer-simple.ghc883   ghc-8.8.3
 haskell.compiler.ghcjs                   ghcjs-8.6.0.1
 ```
@ -367,7 +369,7 @@ automatically select the right version of GHC and other build tools to build,
 test and execute apps in an existing project downloaded from somewhere on the
 Internet. Pass the `--nix` flag to any `stack` command to do so, e.g.
 ```shell
-git clone --recursive https://github.com/yesodweb/wai
+git clone --recurse-submodules https://github.com/yesodweb/wai.git
 cd wai
 stack --nix build
 ```
--- a/doc/languages-frameworks/idris.section.md
+++ b/doc/languages-frameworks/idris.section.md
@ -96,7 +96,7 @@ build-idris-package  {
  meta = {
    description = "Idris YAML lib";
-    homepage = https://github.com/Heather/Idris.Yaml;
+    homepage = "https://github.com/Heather/Idris.Yaml";
    license = lib.licenses.mit;
    maintainers = [ lib.maintainers.brainrape ];
  };
--- a/doc/languages-frameworks/ocaml.xml
+++ b/doc/languages-frameworks/ocaml.xml
@ -36,7 +36,7 @@ buildDunePackage rec {
  doCheck = true;
  meta = {
-    homepage = https://github.com/inhabitedtype/angstrom;
+    homepage = "https://github.com/inhabitedtype/angstrom";
    description = "OCaml parser combinators built for speed and memory efficiency";
    license = stdenv.lib.licenses.bsd3;
    maintainers = with stdenv.lib.maintainers; [ sternenseemann ];
@ -63,7 +63,7 @@ buildDunePackage rec {
  };
  meta = with stdenv.lib; {
-    homepage = https://github.com/flowtype/ocaml-wtf8;
+    homepage = "https://github.com/flowtype/ocaml-wtf8";
    description = "WTF-8 is a superset of UTF-8 that allows unpaired surrogates.";
    license = licenses.mit;
    maintainers = [ maintainers.eqyiel ];
--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@ -72,8 +72,9 @@ Now you can use the Python interpreter, as well as the extra packages (`numpy`,
 ##### Environment defined in `~/.config/nixpkgs/config.nix`
-If you prefer to, you could also add the environment as a package override to the Nixpkgs set, e.g.
+If you prefer you could also add the environment as a package override to the
-using `config.nix`,
+Nixpkgs set, e.g. using `config.nix`,
 ```nix
 { # ...
@ -83,15 +84,18 @@ using `config.nix`,
 }
 ```
 and install it in your profile with
 ```shell
 nix-env -iA nixpkgs.myEnv
 ```
 The environment is is installed by referring to the attribute, and considering
 the `nixpkgs` channel was used.
 ##### Environment defined in `/etc/nixos/configuration.nix`
-For the sake of completeness, here's another example how to install the environment system-wide.
+For the sake of completeness, here's another example how to install the
 environment system-wide.
 ```nix
 { # ...
@ -109,40 +113,56 @@ into a profile. For development you may need to use multiple environments.
 `nix-shell` gives the possibility to temporarily load another environment, akin
 to `virtualenv`.
-There are two methods for loading a shell with Python packages. The first and recommended method
+There are two methods for loading a shell with Python packages. The first and
-is to create an environment with `python.buildEnv` or `python.withPackages` and load that. E.g.
+recommended method is to create an environment with `python.buildEnv` or
 `python.withPackages` and load that. E.g.
 ```sh
 $ nix-shell -p 'python35.withPackages(ps: with ps; [ numpy toolz ])'
 ```
 opens a shell from which you can launch the interpreter
 ```sh
 [nix-shell:~] python3
 ```
-The other method, which is not recommended, does not create an environment and requires you to list the packages directly,
+
 The other method, which is not recommended, does not create an environment and
 requires you to list the packages directly,
 ```sh
 $ nix-shell -p python35.pkgs.numpy python35.pkgs.toolz
 ```
-Again, it is possible to launch the interpreter from the shell.
+
-The Python interpreter has the attribute `pkgs` which contains all Python libraries for that specific interpreter.
+Again, it is possible to launch the interpreter from the shell. The Python
 interpreter has the attribute `pkgs` which contains all Python libraries for
 that specific interpreter.
 ##### Load environment from `.nix` expression
 As explained in the Nix manual, `nix-shell` can also load an
 expression from a `.nix` file. Say we want to have Python 3.5, `numpy`
 and `toolz`, like before, in an environment. Consider a `shell.nix` file
 with
 ```nix
 with import <nixpkgs> {};
 (python35.withPackages (ps: [ps.numpy ps.toolz])).env
 ```
 Executing `nix-shell` gives you again a Nix shell from which you can run Python.
 What's happening here?
-1. We begin with importing the Nix Packages collections. `import <nixpkgs>` imports the `<nixpkgs>` function, `{}` calls it and the `with` statement brings all attributes of `nixpkgs` in the local scope. These attributes form the main package set.
+1. We begin with importing the Nix Packages collections. `import <nixpkgs>`
   imports the `<nixpkgs>` function, `{}` calls it and the `with` statement
   brings all attributes of `nixpkgs` in the local scope. These attributes form
   the main package set.
 2. Then we create a Python 3.5 environment with the `withPackages` function.
-3. The `withPackages` function expects us to provide a function as an argument that takes the set of all python packages and returns a list of packages to include in the environment. Here, we select the packages `numpy` and `toolz` from the package set.
+3. The `withPackages` function expects us to provide a function as an argument
   that takes the set of all python packages and returns a list of packages to
   include in the environment. Here, we select the packages `numpy` and `toolz`
   from the package set.
 To combine this with `mkShell` you can:
@ -166,20 +186,23 @@ in mkShell {
 A convenient option with `nix-shell` is the `--run`
 option, with which you can execute a command in the `nix-shell`. We can
 e.g. directly open a Python shell
 ```sh
 $ nix-shell -p python35Packages.numpy python35Packages.toolz --run "python3"
 ```
 or run a script
 ```sh
 $ nix-shell -p python35Packages.numpy python35Packages.toolz --run "python3 myscript.py"
 ```
 ##### `nix-shell` as shebang
-In fact, for the second use case, there is a more convenient method. You can
+In fact, for the second use case, there is a more convenient method. You can add
-add a [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) to your script
+a [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) to your script
 specifying which dependencies `nix-shell` needs. With the following shebang, you
-can just execute `./myscript.py`, and it will make available all dependencies and
+can just execute `./myscript.py`, and it will make available all dependencies
-run the script in the `python3` shell.
+and run the script in the `python3` shell.
 ```py
 #! /usr/bin/env nix-shell
@ -218,7 +241,7 @@ buildPythonPackage rec {
  doCheck = false;
  meta = with lib; {
-    homepage = https://github.com/pytoolz/toolz;
+    homepage = "https://github.com/pytoolz/toolz";
    description = "List processing tools and functional utilities";
    license = licenses.bsd3;
    maintainers = with maintainers; [ fridh ];
@ -270,6 +293,7 @@ with import <nixpkgs> {};
  in python35.withPackages (ps: [ps.numpy my_toolz])
 ).env
 ```
 Executing `nix-shell` will result in an environment in which you can use
 Python 3.5 and the `toolz` package. As you can see we had to explicitly mention
 for which Python version we want to build a package.
@ -311,7 +335,7 @@ buildPythonPackage rec {
  propagatedBuildInputs = [ numpy multipledispatch dateutil ];
  meta = with lib; {
-    homepage = https://github.com/ContinuumIO/datashape;
+    homepage = "https://github.com/ContinuumIO/datashape";
    description = "A data description language";
    license = licenses.bsd2;
    maintainers = with maintainers; [ fridh ];
@ -345,7 +369,7 @@ buildPythonPackage rec {
  meta = with lib; {
    description = "Pythonic binding for the libxml2 and libxslt libraries";
-    homepage = https://lxml.de;
+    homepage = "https://lxml.de";
    license = licenses.bsd3;
    maintainers = with maintainers; [ sjourdois ];
  };
@ -355,12 +379,12 @@ buildPythonPackage rec {
 In this example `lxml` and Nix are able to work out exactly where the relevant
 files of the dependencies are. This is not always the case.
-The example below shows bindings to The Fastest Fourier Transform in the West, commonly known as
+The example below shows bindings to The Fastest Fourier Transform in the West,
-FFTW. On Nix we have separate packages of FFTW for the different types of floats
+commonly known as FFTW. On Nix we have separate packages of FFTW for the
-(`"single"`, `"double"`, `"long-double"`). The bindings need all three types,
+different types of floats (`"single"`, `"double"`, `"long-double"`). The
-and therefore we add all three as `buildInputs`. The bindings don't expect to
+bindings need all three types, and therefore we add all three as `buildInputs`.
-find each of them in a different folder, and therefore we have to set `LDFLAGS`
+The bindings don't expect to find each of them in a different folder, and
-and `CFLAGS`.
+therefore we have to set `LDFLAGS` and `CFLAGS`.
 ```nix
 { lib, pkgs, buildPythonPackage, fetchPypi, numpy, scipy }:
@ -404,17 +428,18 @@ instead of installing the package this command creates a special link to the pro
 That way, you can run updated code without having to reinstall after each and every change you make.
 Development mode is also available. Let's see how you can use it.
-In the previous Nix expression the source was fetched from an url. We can also refer to a local source instead using
+In the previous Nix expression the source was fetched from an url. We can also
-`src = ./path/to/source/tree;`
+refer to a local source instead using `src = ./path/to/source/tree;`
 If we create a `shell.nix` file which calls `buildPythonPackage`, and if `src`
 is a local source, and if the local source has a `setup.py`, then development
 mode is activated.
-In the following example we create a simple environment that
+In the following example we create a simple environment that has a Python 3.5
-has a Python 3.5 version of our package in it, as well as its dependencies and
+version of our package in it, as well as its dependencies and other packages we
-other packages we like to have in the environment, all specified with `propagatedBuildInputs`.
+like to have in the environment, all specified with `propagatedBuildInputs`.
-Indeed, we can just add any package we like to have in our environment to `propagatedBuildInputs`.
+Indeed, we can just add any package we like to have in our environment to
 `propagatedBuildInputs`.
 ```nix
 with import <nixpkgs> {};
@ -427,7 +452,8 @@ buildPythonPackage rec {
 }
 ```
-It is important to note that due to how development mode is implemented on Nix it is not possible to have multiple packages simultaneously in development mode.
+It is important to note that due to how development mode is implemented on Nix
 it is not possible to have multiple packages simultaneously in development mode.
 ### Organising your packages
@ -497,13 +523,13 @@ and in this case the `python35` interpreter is automatically used.
 ### Interpreters
 Versions 2.7, 3.5, 3.6, 3.7 and 3.8 of the CPython interpreter are available as
-respectively `python27`, `python35`, `python36`, `python37` and `python38`. The aliases
+respectively `python27`, `python35`, `python36`, `python37` and `python38`. The
-`python2` and `python3` correspond to respectively `python27` and
+aliases `python2` and `python3` correspond to respectively `python27` and
 `python37`. The default interpreter, `python`, maps to `python2`. The PyPy
 interpreters compatible with Python 2.7 and 3 are available as `pypy27` and
-`pypy3`, with aliases `pypy2` mapping to `pypy27` and `pypy` mapping to
+`pypy3`, with aliases `pypy2` mapping to `pypy27` and `pypy` mapping to `pypy2`.
-`pypy2`. The Nix expressions for the interpreters can be
+The Nix expressions for the interpreters can be found in
-found in `pkgs/development/interpreters/python`.
+`pkgs/development/interpreters/python`.
 All packages depending on any Python interpreter get appended
 `out/{python.sitePackages}` to `$PYTHONPATH` if such directory
@ -532,9 +558,10 @@ Python libraries and applications that use `setuptools` or
 `buildPythonApplication` functions. These two functions also support installing a `wheel`.
 All Python packages reside in `pkgs/top-level/python-packages.nix` and all
-applications elsewhere. In case a package is used as both a library and an application,
+applications elsewhere. In case a package is used as both a library and an
-then the package should be in `pkgs/top-level/python-packages.nix` since only those packages are made
+application, then the package should be in `pkgs/top-level/python-packages.nix`
-available for all interpreter versions. The preferred location for library expressions is in
+since only those packages are made available for all interpreter versions. The
 preferred location for library expressions is in
 `pkgs/development/python-modules`. It is important that these packages are
 called from `pkgs/top-level/python-packages.nix` and not elsewhere, to guarantee
 the right version of the package is built.
@ -562,6 +589,7 @@ The `buildPythonPackage` function is implemented in
 using setup hooks.
 The following is an example:
 ```nix
 { lib, buildPythonPackage, fetchPypi, hypothesis, setuptools_scm, attrs, py, setuptools, six, pluggy }:
@ -608,38 +636,67 @@ as the interpreter unless overridden otherwise.
 ##### `buildPythonPackage` parameters
-All parameters from `stdenv.mkDerivation` function are still supported. The following are specific to `buildPythonPackage`:
+All parameters from `stdenv.mkDerivation` function are still supported. The
 following are specific to `buildPythonPackage`:
-* `catchConflicts ? true`: If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.
+* `catchConflicts ? true`: If `true`, abort package build if a package name
-* `disabled` ? false: If `true`, package is not built for the particular Python interpreter version.
+  appears more than once in dependency tree. Default is `true`.
 * `disabled` ? false: If `true`, package is not built for the particular Python
  interpreter version.
 * `dontWrapPythonPrograms ? false`: Skip wrapping of python programs.
-* `permitUserSite ? false`: Skip setting the `PYTHONNOUSERSITE` environment variable in wrapped programs.
+* `permitUserSite ? false`: Skip setting the `PYTHONNOUSERSITE` environment
-* `installFlags ? []`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"]`.
+  variable in wrapped programs.
-* `format ? "setuptools"`: Format of the source. Valid options are `"setuptools"`, `"pyproject"`, `"flit"`, `"wheel"`, and `"other"`. `"setuptools"` is for when the source has a `setup.py` and `setuptools` is used to build a wheel, `flit`, in case `flit` should be used to build a wheel, and `wheel` in case a wheel is provided. Use `other` when a custom `buildPhase` and/or `installPhase` is needed.
+* `installFlags ? []`: A list of strings. Arguments to be passed to `pip
-* `makeWrapperArgs ? []`: A list of strings. Arguments to be passed to `makeWrapper`, which wraps generated binaries. By default, the arguments to `makeWrapper` set `PATH` and `PYTHONPATH` environment variables before calling the binary. Additional arguments here can allow a developer to set environment variables which will be available when the binary is run. For example, `makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"]`.
+  install`. To pass options to `python setup.py install`, use
-* `namePrefix`: Prepends text to `${name}` parameter. In case of libraries, this defaults to `"python3.5-"` for Python 3.5, etc., and in case of applications to `""`.
+  `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"]`.
-* `pythonPath ? []`: List of packages to be added into `$PYTHONPATH`. Packages in `pythonPath` are not propagated (contrary to `propagatedBuildInputs`).
+* `format ? "setuptools"`: Format of the source. Valid options are
  `"setuptools"`, `"pyproject"`, `"flit"`, `"wheel"`, and `"other"`.
  `"setuptools"` is for when the source has a `setup.py` and `setuptools` is
  used to build a wheel, `flit`, in case `flit` should be used to build a wheel,
  and `wheel` in case a wheel is provided. Use `other` when a custom
  `buildPhase` and/or `installPhase` is needed.
 * `makeWrapperArgs ? []`: A list of strings. Arguments to be passed to
  `makeWrapper`, which wraps generated binaries. By default, the arguments to
  `makeWrapper` set `PATH` and `PYTHONPATH` environment variables before calling
  the binary. Additional arguments here can allow a developer to set environment
  variables which will be available when the binary is run. For example,
  `makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"]`.
 * `namePrefix`: Prepends text to `${name}` parameter. In case of libraries, this
  defaults to `"python3.5-"` for Python 3.5, etc., and in case of applications
  to `""`.
 * `pythonPath ? []`: List of packages to be added into `$PYTHONPATH`. Packages
  in `pythonPath` are not propagated (contrary to `propagatedBuildInputs`).
 * `preShellHook`: Hook to execute commands before `shellHook`.
 * `postShellHook`: Hook to execute commands after `shellHook`.
-* `removeBinByteCode ? true`: Remove bytecode from `/bin`. Bytecode is only created when the filenames end with `.py`.
+* `removeBinByteCode ? true`: Remove bytecode from `/bin`. Bytecode is only
  created when the filenames end with `.py`.
 * `setupPyGlobalFlags ? []`: List of flags passed to `setup.py` command.
 * `setupPyBuildFlags ? []`: List of flags passed to `setup.py build_ext` command.
-The `stdenv.mkDerivation` function accepts various parameters for describing build inputs (see "Specifying dependencies"). The following are of special
+The `stdenv.mkDerivation` function accepts various parameters for describing
-interest for Python packages, either because these are primarily used, or because their behaviour is different:
+build inputs (see "Specifying dependencies"). The following are of special
 interest for Python packages, either because these are primarily used, or
 because their behaviour is different:
-* `nativeBuildInputs ? []`: Build-time only dependencies. Typically executables as well as the items listed in `setup_requires`.
+* `nativeBuildInputs ? []`: Build-time only dependencies. Typically executables
-* `buildInputs ? []`: Build and/or run-time dependencies that need to be be compiled for the host machine. Typically non-Python libraries which are being linked.
+  as well as the items listed in `setup_requires`.
-* `checkInputs ? []`: Dependencies needed for running the `checkPhase`. These are added to `nativeBuildInputs` when `doCheck = true`. Items listed in `tests_require` go here.
+* `buildInputs ? []`: Build and/or run-time dependencies that need to be be
-* `propagatedBuildInputs ? []`: Aside from propagating dependencies, `buildPythonPackage` also injects code into and wraps executables with the paths included in this list. Items listed in `install_requires` go here.
+  compiled for the host machine. Typically non-Python libraries which are being
  linked.
 * `checkInputs ? []`: Dependencies needed for running the `checkPhase`. These
  are added to `nativeBuildInputs` when `doCheck = true`. Items listed in
  `tests_require` go here.
 * `propagatedBuildInputs ? []`: Aside from propagating dependencies,
  `buildPythonPackage` also injects code into and wraps executables with the
  paths included in this list. Items listed in `install_requires` go here.
 ##### Overriding Python packages
-The `buildPythonPackage` function has a `overridePythonAttrs` method that
+The `buildPythonPackage` function has a `overridePythonAttrs` method that can be
-can be used to override the package. In the following example we create an
+used to override the package. In the following example we create an environment
-environment where we have the `blaze` package using an older version of `pandas`.
+where we have the `blaze` package using an older version of `pandas`. We
-We override first the Python interpreter and pass
+override first the Python interpreter and pass `packageOverrides` which contains
-`packageOverrides` which contains the overrides for packages in the package set.
+the overrides for packages in the package set.
 ```nix
 with import <nixpkgs> {};
@ -725,15 +782,18 @@ youtube-dl = with pythonPackages; toPythonApplication youtube-dl;
 #### `toPythonModule` function
 In some cases, such as bindings, a package is created using
-`stdenv.mkDerivation` and added as attribute in `all-packages.nix`.
+`stdenv.mkDerivation` and added as attribute in `all-packages.nix`. The Python
-The Python bindings should be made available from `python-packages.nix`.
+bindings should be made available from `python-packages.nix`. The
-The `toPythonModule` function takes a derivation and makes certain Python-specific modifications.
+`toPythonModule` function takes a derivation and makes certain Python-specific
 modifications.
 ```nix
 opencv = toPythonModule (pkgs.opencv.override {
  enablePython = true;
  pythonPackages = self;
 });
 ```
 Do pay attention to passing in the right Python version!
 #### `python.buildEnv` function
@ -741,6 +801,7 @@ Do pay attention to passing in the right Python version!
 Python environments can be created using the low-level `pkgs.buildEnv` function.
 This example shows how to create an environment that has the Pyramid Web Framework.
 Saving the following as `default.nix`
 ```nix
 with import <nixpkgs> {};
@ -751,6 +812,7 @@ python.buildEnv.override {
 ```
 and running `nix-build` will create
 ```
 /nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env
 ```
@ -760,6 +822,7 @@ with wrapped binaries in `bin/`.
 You can also use the `env` attribute to create local environments with needed
 packages installed. This is somewhat comparable to `virtualenv`. For example,
 running `nix-shell` with the following `shell.nix`
 ```nix
 with import <nixpkgs> {};
@ -777,7 +840,8 @@ specified packages in its path.
 * `extraLibs`: List of packages installed inside the environment.
 * `postBuild`: Shell command executed after the build of environment.
 * `ignoreCollisions`: Ignore file collisions inside the environment (default is `false`).
-* `permitUserSite`: Skip setting the `PYTHONNOUSERSITE` environment variable in wrapped binaries in the environment.
+* `permitUserSite`: Skip setting the `PYTHONNOUSERSITE` environment variable in
  wrapped binaries in the environment.
 #### `python.withPackages` function
@ -785,15 +849,17 @@ The `python.withPackages` function provides a simpler interface to the `python.b
 It takes a function as an argument that is passed the set of python packages and returns the list
 of the packages to be included in the environment. Using the `withPackages` function, the previous
 example for the Pyramid Web Framework environment can be written like this:
 ```nix
 with import <nixpkgs> {};
 python.withPackages (ps: [ps.pyramid])
 ```
-`withPackages` passes the correct package set for the specific interpreter version as an
+`withPackages` passes the correct package set for the specific interpreter
-argument to the function. In the above example, `ps` equals `pythonPackages`.
+version as an argument to the function. In the above example, `ps` equals
-But you can also easily switch to using python3:
+`pythonPackages`. But you can also easily switch to using python3:
 ```nix
 with import <nixpkgs> {};
@ -802,30 +868,35 @@ python3.withPackages (ps: [ps.pyramid])
 Now, `ps` is set to `python3Packages`, matching the version of the interpreter.
-As `python.withPackages` simply uses `python.buildEnv` under the hood, it also supports the `env`
+As `python.withPackages` simply uses `python.buildEnv` under the hood, it also
-attribute. The `shell.nix` file from the previous section can thus be also written like this:
+supports the `env` attribute. The `shell.nix` file from the previous section can
 thus be also written like this:
 ```nix
 with import <nixpkgs> {};
 (python36.withPackages (ps: [ps.numpy ps.requests])).env
 ```
-In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
+In contrast to `python.buildEnv`, `python.withPackages` does not support the
-such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
+more advanced options such as `ignoreCollisions = true` or `postBuild`. If you
 need them, you have to use `python.buildEnv`.
-Python 2 namespace packages may provide `__init__.py` that collide. In that case `python.buildEnv`
+Python 2 namespace packages may provide `__init__.py` that collide. In that case
-should be used with `ignoreCollisions = true`.
+`python.buildEnv` should be used with `ignoreCollisions = true`.
 #### Setup hooks
-The following are setup hooks specifically for Python packages. Most of these are
+The following are setup hooks specifically for Python packages. Most of these
-used in `buildPythonPackage`.
+are used in `buildPythonPackage`.
- `eggUnpackhook` to move an egg to the correct folder so it can be installed with the `eggInstallHook`
+- `eggUnpackhook` to move an egg to the correct folder so it can be installed
  with the `eggInstallHook`
 - `eggBuildHook` to skip building for eggs.
 - `eggInstallHook` to install eggs.
 - `flitBuildHook` to build a wheel using `flit`.
- `pipBuildHook` to build a wheel using `pip` and PEP 517. Note a build system (e.g. `setuptools` or `flit`) should still be added as `nativeBuildInput`.
+- `pipBuildHook` to build a wheel using `pip` and PEP 517. Note a build system
  (e.g. `setuptools` or `flit`) should still be added as `nativeBuildInput`.
 - `pipInstallHook` to install wheels.
 - `pytestCheckHook` to run tests with `pytest`.
 - `pythonCatchConflictsHook` to check whether a Python package is not already existing.
@ -833,8 +904,10 @@ used in `buildPythonPackage`.
 - `pythonRemoveBinBytecode` to remove bytecode from the `/bin` folder.
 - `setuptoolsBuildHook` to build a wheel using `setuptools`.
 - `setuptoolsCheckHook` to run tests with `python setup.py test`.
- `venvShellHook` to source a Python 3 `venv` at the `venvDir` location. A `venv` is created if it does not yet exist.
+- `venvShellHook` to source a Python 3 `venv` at the `venvDir` location. A
- `wheelUnpackHook` to move a wheel to the correct folder so it can be installed with the `pipInstallHook`.
+  `venv` is created if it does not yet exist.
 - `wheelUnpackHook` to move a wheel to the correct folder so it can be installed
  with the `pipInstallHook`.
 ### Development mode
@ -856,11 +929,11 @@ pythonPackages.buildPythonPackage {
 }
 ```
-Running `nix-shell` with no arguments should give you
+Running `nix-shell` with no arguments should give you the environment in which
-the environment in which the package would be built with
+the package would be built with `nix-build`.
 `nix-build`.
 Shortcut to setup environments with C headers/libraries and python packages:
 ```shell
 nix-shell -p pythonPackages.pyramid zlib libjpeg git
 ```
@ -872,19 +945,22 @@ Note: There is a boolean value `lib.inNixShell` set to `true` if nix-shell is in
 Packages inside nixpkgs are written by hand. However many tools exist in
 community to help save time. No tool is preferred at the moment.
- [pypi2nix](https://github.com/nix-community/pypi2nix): Generate Nix expressions for your Python project. Note that [sharing derivations from pypi2nix with nixpkgs is possible but not encouraged](https://github.com/nix-community/pypi2nix/issues/222#issuecomment-443497376).
+- [pypi2nix](https://github.com/nix-community/pypi2nix): Generate Nix
  expressions for your Python project. Note that [sharing derivations from
  pypi2nix with nixpkgs is possible but not
  encouraged](https://github.com/nix-community/pypi2nix/issues/222#issuecomment-443497376).
 - [python2nix](https://github.com/proger/python2nix) by Vladimir Kirillov.
 ### Deterministic builds
-The Python interpreters are now built deterministically.
+The Python interpreters are now built deterministically. Minor modifications had
-Minor modifications had to be made to the interpreters in order to generate
+to be made to the interpreters in order to generate deterministic bytecode. This
-deterministic bytecode. This has security implications and is relevant for
+has security implications and is relevant for those using Python in a
-those using Python in a `nix-shell`.
+`nix-shell`.
-When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1.
+When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will
-The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
+have timestamp 1. The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1`
-[PYTHONHASHSEED=0](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
+and [PYTHONHASHSEED=0](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
 Both are also exported in `nix-shell`.
@ -899,9 +975,10 @@ example of such a situation is when `py.test` is used.
 #### Common issues
- Non-working tests can often be deselected. By default `buildPythonPackage` runs `python setup.py test`.
+* Non-working tests can often be deselected. By default `buildPythonPackage`
-  Most python modules follows the standard test protocol where the pytest runner can be used instead.
+  runs `python setup.py test`. Most python modules follows the standard test
-  `py.test` supports a `-k` parameter to ignore test methods or classes:
+  protocol where the pytest runner can be used instead. `py.test` supports a
  `-k` parameter to ignore test methods or classes:
  ```nix
  buildPythonPackage {
@ -913,7 +990,8 @@ example of such a situation is when `py.test` is used.
    '';
  }
  ```
- Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
+* Tests that attempt to access `$HOME` can be fixed by using the following
  work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
 ## FAQ
@ -925,8 +1003,9 @@ should also be done when packaging `A`.
 ### How to override a Python package?
-We can override the interpreter and pass `packageOverrides`.
+We can override the interpreter and pass `packageOverrides`. In the following
-In the following example we rename the `pandas` package and build it.
+example we rename the `pandas` package and build it.
 ```nix
 with import <nixpkgs> {};
@ -939,14 +1018,16 @@ with import <nixpkgs> {};
 in python.withPackages(ps: [ps.pandas])).env
 ```
 Using `nix-build` on this expression will build an environment that contains the
 package `pandas` but with the new name `foo`.
-All packages in the package set will use the renamed package.
+All packages in the package set will use the renamed package. A typical use case
-A typical use case is to switch to another version of a certain package.
+is to switch to another version of a certain package. For example, in the
-For example, in the Nixpkgs repository we have multiple versions of `django` and `scipy`.
+Nixpkgs repository we have multiple versions of `django` and `scipy`. In the
-In the following example we use a different version of `scipy` and create an environment that uses it.
+following example we use a different version of `scipy` and create an
-All packages in the Python package set will now use the updated `scipy` version.
+environment that uses it. All packages in the Python package set will now use
 the updated `scipy` version.
 ```nix
 with import <nixpkgs> {};
@ -958,10 +1039,13 @@ with import <nixpkgs> {};
  in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
 ).env
 ```
 The requested package `blaze` depends on `pandas` which itself depends on `scipy`.
-If you want the whole of Nixpkgs to use your modifications, then you can use `overlays`
+If you want the whole of Nixpkgs to use your modifications, then you can use
-as explained in this manual. In the following example we build a `inkscape` using a different version of `numpy`.
+`overlays` as explained in this manual. In the following example we build a
 `inkscape` using a different version of `numpy`.
 ```nix
 let
  pkgs = import <nixpkgs> {};
@ -982,19 +1066,28 @@ Executing `python setup.py bdist_wheel` in a `nix-shell `fails with
 ValueError: ZIP does not support timestamps before 1980
 ```
-This is because files from the Nix store (which have a timestamp of the UNIX epoch of January 1, 1970) are included in the .ZIP, but .ZIP archives follow the DOS convention of counting timestamps from 1980.
+This is because files from the Nix store (which have a timestamp of the UNIX
 epoch of January 1, 1970) are included in the .ZIP, but .ZIP archives follow the
 DOS convention of counting timestamps from 1980.
-The command `bdist_wheel` reads the `SOURCE_DATE_EPOCH` environment variable, which `nix-shell` sets to 1. Unsetting this variable or giving it a value corresponding to 1980 or later enables building wheels.
+The command `bdist_wheel` reads the `SOURCE_DATE_EPOCH` environment variable,
 which `nix-shell` sets to 1. Unsetting this variable or giving it a value
 corresponding to 1980 or later enables building wheels.
 Use 1980 as timestamp:
 ```shell
 nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"
 ```
 or the current time:
 ```shell
 nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
 ```
 or unset `SOURCE_DATE_EPOCH`:
 ```shell
 nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
 ```
@ -1002,13 +1095,18 @@ nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
 ### `install_data` / `data_files` problems
 If you get the following error:
 ```
 could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
 Permission denied
 ```
-This is a [known bug](https://github.com/pypa/setuptools/issues/130) in `setuptools`.
+
-Setuptools `install_data` does not respect `--prefix`. An example of such package using the feature is `pkgs/tools/X11/xpra/default.nix`.
+This is a [known bug](https://github.com/pypa/setuptools/issues/130) in
 `setuptools`. Setuptools `install_data` does not respect `--prefix`. An example
 of such package using the feature is `pkgs/tools/X11/xpra/default.nix`.
 As workaround install it as an extra `preInstall` step:
 ```shell
 ${python.interpreter} setup.py install_data --install-dir=$out --root=$out
 sed -i '/ = data\_files/d' setup.py
@ -1031,13 +1129,16 @@ function.
 ### How to consume python modules using pip in a virtual environment like I am used to on other Operating Systems?
-While this approach is not very idiomatic from Nix perspective, it can still be useful when dealing with pre-existing
+While this approach is not very idiomatic from Nix perspective, it can still be
-projects or in situations where it's not feasible or desired to write derivations for all required dependencies.
+useful when dealing with pre-existing projects or in situations where it's not
 feasible or desired to write derivations for all required dependencies.
-This is an example of a `default.nix` for a `nix-shell`, which allows to consume a virtual environment created by `venv`,
+This is an example of a `default.nix` for a `nix-shell`, which allows to consume
-and install python modules through `pip` the traditional way.
+a virtual environment created by `venv`, and install python modules through
 `pip` the traditional way.
-Create this `default.nix` file, together with a `requirements.txt` and simply execute `nix-shell`.
+Create this `default.nix` file, together with a `requirements.txt` and simply
 execute `nix-shell`.
 ```nix
 with import <nixpkgs> { };
@ -1082,8 +1183,9 @@ in pkgs.mkShell rec {
 }
 ```
-In case the supplied venvShellHook is insufficient, or when python 2 support is needed,
+In case the supplied venvShellHook is insufficient, or when python 2 support is
-you can define your own shell hook and adapt to your needs like in the following example:
+needed, you can define your own shell hook and adapt to your needs like in the
 following example:
 ```nix
 with import <nixpkgs> { };
@ -1152,11 +1254,11 @@ If you need to change a package's attribute(s) from `configuration.nix` you coul
 ```
 `pythonPackages.zerobin` is now globally overridden. All packages and also the
-`zerobin` NixOS service use the new definition.
+`zerobin` NixOS service use the new definition. Note that `python-super` refers
-Note that `python-super` refers to the old package set and `python-self`
+to the old package set and `python-self` to the new, overridden version.
 to the new, overridden version.
-To modify only a Python package set instead of a whole Python derivation, use this snippet:
+To modify only a Python package set instead of a whole Python derivation, use
 this snippet:
 ```nix
  myPythonPackages = pythonPackages.override {
@ -1188,11 +1290,12 @@ self: super: {
 ### How to use Intel's MKL with numpy and scipy?
-A `site.cfg` is created that configures BLAS based on the `blas` parameter
+A `site.cfg` is created that configures BLAS based on the `blas` parameter of
-of the `numpy` derivation. By passing in `mkl`, `numpy` and packages depending
+the `numpy` derivation. By passing in `mkl`, `numpy` and packages depending on
-on `numpy` will be built with `mkl`.
+`numpy` will be built with `mkl`.
 The following is an overlay that configures `numpy` to use `mkl`:
 ```nix
 self: super: {
  python37 = super.python37.override {
@ -1228,10 +1331,21 @@ In a `setup.py` or `setup.cfg` it is common to declare dependencies:
 Following rules are desired to be respected:
-* Python libraries are called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
+* Python libraries are called from `python-packages.nix` and packaged with
-* Python applications live outside of `python-packages.nix` and are packaged with `buildPythonApplication`.
+  `buildPythonPackage`. The expression of a library should be in
  `pkgs/development/python-modules/<name>/default.nix`. Libraries in
  `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid
  merge conflicts.
 * Python applications live outside of `python-packages.nix` and are packaged
  with `buildPythonApplication`.
 * Make sure libraries build for all Python interpreters.
-* By default we enable tests. Make sure the tests are found and, in the case of libraries, are passing for all interpreters. If certain tests fail they can be disabled individually. Try to avoid disabling the tests altogether. In any case, when you disable tests, leave a comment explaining why.
+* By default we enable tests. Make sure the tests are found and, in the case of
-* Commit names of Python libraries should reflect that they are Python libraries, so write for example `pythonPackages.numpy: 1.11 -> 1.12`.
+  libraries, are passing for all interpreters. If certain tests fail they can be
-* Attribute names in `python-packages.nix` should be normalized according to [PEP 0503](https://www.python.org/dev/peps/pep-0503/#normalized-names).
+  disabled individually. Try to avoid disabling the tests altogether. In any
-  This means that characters should be converted to lowercase and `.` and `_` should be replaced by a single `-` (foo-bar-baz instead of Foo__Bar.baz )
+  case, when you disable tests, leave a comment explaining why.
 * Commit names of Python libraries should reflect that they are Python
  libraries, so write for example `pythonPackages.numpy: 1.11 -> 1.12`.
 * Attribute names in `python-packages.nix` should be normalized according to
  [PEP 0503](https://www.python.org/dev/peps/pep-0503/#normalized-names). This
  means that characters should be converted to lowercase and `.` and `_` should
  be replaced by a single `-` (foo-bar-baz instead of Foo__Bar.baz )
--- a/doc/languages-frameworks/rust.section.md
+++ b/doc/languages-frameworks/rust.section.md
@ -37,11 +37,10 @@ rustPlatform.buildRustPackage rec {
  };
  cargoSha256 = "17ldqr3asrdcsh4l29m3b5r37r5d0b3npq1lrgjmxb6vlx6a36qh";
  verifyCargoDeps = true;
  meta = with stdenv.lib; {
    description = "A fast line-oriented regex search tool, similar to ag and ack";
-    homepage = https://github.com/BurntSushi/ripgrep;
+    homepage = "https://github.com/BurntSushi/ripgrep";
    license = licenses.unlicense;
    maintainers = [ maintainers.tailhook ];
    platforms = platforms.all;
@ -54,17 +53,16 @@ all crate sources of this package. Currently it is obtained by inserting a
 fake checksum into the expression and building the package once. The correct
 checksum can be then take from the failed build.
-When the `Cargo.lock`, provided by upstream, is not in sync with the
+Per the instructions in the [Cargo Book](https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html)
-`Cargo.toml`, it is possible to use `cargoPatches` to update it. All patches
+best practices guide, Rust applications should always commit the `Cargo.lock`
-added in `cargoPatches` will also be prepended to the patches in `patches` at
+file in git to ensure a reproducible build. However, a few packages do not, and
-build-time.
+Nix depends on this file, so if it missing you can use `cargoPatches` to apply
 it in the `patchPhase`. Consider sending a PR upstream with a note to the
 maintainer describing why it's important to include in the application.
-When `verifyCargoDeps` is set to `true`, the build will also verify that the
+The fetcher will verify that the `Cargo.lock` file is in sync with the `src`
-`cargoSha256` is not out of date by comparing the `Cargo.lock` file in both the
+attribute, and fail the build if not. It will also will compress the vendor
-`cargoDeps` and `src`. Note that this option changes the value of `cargoSha256`
+directory into a tar.gz archive.
 since it also copies the `Cargo.lock` in it. To avoid breaking
 backward-compatibility this option is not enabled by default but hopefully will
 be in the future.
 ### Building a crate for a different target
--- a/doc/languages-frameworks/vim.section.md
+++ b/doc/languages-frameworks/vim.section.md
@ -261,12 +261,7 @@ deoplete-fish = super.deoplete-fish.overrideAttrs(old: {
 Sometimes plugins require an override that must be changed when the plugin is updated. This can cause issues when Vim plugins are auto-updated but the associated override isn't updated. For these plugins, the override should be written so that it specifies all information required to install the plugin, and running `./update.py` doesn't change the derivation for the plugin. Manually updating the override is required to update these types of plugins. An example of such a plugin is `LanguageClient-neovim`.
-To add a new plugin:
+To add a new plugin, run `./update.py --add "[owner]/[name]"`. **NOTE**: This script automatically commits to your git repository. Be sure to check out a fresh branch before running.
  1. run `./update.py` and create a commit named "vimPlugins: Update",
  2. add the new plugin to [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names) and add overrides if required to [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix),
  3. run `./update.py` again and create a commit named "vimPlugins.[name]: init at [version]" (where `name` and `version` can be found in [generated.nix](/pkgs/misc/vim-plugins/generated.nix)), and
  4. create a pull request.
 ## Important repositories
--- a/doc/stdenv/meta.xml
+++ b/doc/stdenv/meta.xml
@ -11,7 +11,7 @@ meta = with stdenv.lib; {
    GNU Hello is a program that prints "Hello, world!" when you run it.
    It is fully customizable.
  '';
-  homepage = https://www.gnu.org/software/hello/manual/;
+  homepage = "https://www.gnu.org/software/hello/manual/";
  license = licenses.gpl3Plus;
  maintainers = [ maintainers.eelco ];
  platforms = platforms.all;
--- a/lib/attrsets.nix
+++ b/lib/attrsets.nix
@ -473,6 +473,20 @@ rec {
  /* Pick the outputs of packages to place in buildInputs */
  chooseDevOutputs = drvs: builtins.map getDev drvs;
  /* Make various Nix tools consider the contents of the resulting
     attribute set when looking for what to build, find, etc.
     This function only affects a single attribute set; it does not
     apply itself recursively for nested attribute sets.
   */
  recurseIntoAttrs =
    attrs: attrs // { recurseForDerivations = true; };
  /* Undo the effect of recurseIntoAttrs.
   */
  dontRecurseIntoAttrs =
    attrs: attrs // { recurseForDerivations = false; };
  /*** deprecated stuff ***/
  zipWithNames = zipAttrsWithNames;
--- a/lib/customisation.nix
+++ b/lib/customisation.nix
@ -131,7 +131,12 @@ rec {
      origArgs = auto // args;
      pkgs = f origArgs;
      mkAttrOverridable = name: _: makeOverridable (newArgs: (f newArgs).${name}) origArgs;
-    in lib.mapAttrs mkAttrOverridable pkgs;
+    in
      if lib.isDerivation pkgs then throw
        ("function `callPackages` was called on a *single* derivation "
          + ''"${pkgs.name or "<unknown-name>"}";''
          + " did you mean to use `callPackage` instead?")
      else lib.mapAttrs mkAttrOverridable pkgs;
  /* Add attributes to each output of a derivation without changing
--- a/lib/default.nix
+++ b/lib/default.nix
@ -24,6 +24,7 @@ let
    # packaging
    customisation = callLibs ./customisation.nix;
    maintainers = import ../maintainers/maintainer-list.nix;
    teams = callLibs ../maintainers/team-list.nix;
    meta = callLibs ./meta.nix;
    sources = callLibs ./sources.nix;
    versions = callLibs ./versions.nix;
@ -55,6 +56,9 @@ let
    # back-compat aliases
    platforms = systems.doubles;
    # linux kernel configuration
    kernel = callLibs ./kernel.nix;
    inherit (builtins) add addErrorContext attrNames concatLists
      deepSeq elem elemAt filter genericClosure genList getAttr
      hasAttr head isAttrs isBool isInt isList isString length
@ -73,7 +77,8 @@ let
      genAttrs isDerivation toDerivation optionalAttrs
      zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil
      recursiveUpdate matchAttrs overrideExisting getOutput getBin
-      getLib getDev chooseDevOutputs zipWithNames zip;
+      getLib getDev chooseDevOutputs zipWithNames zip
      recurseIntoAttrs dontRecurseIntoAttrs;
    inherit (lists) singleton forEach foldr fold foldl foldl' imap0 imap1
      concatMap flatten remove findSingle findFirst any all count
      optional optionals toList range partition zipListsWith zipLists
--- a/lib/generators.nix
+++ b/lib/generators.nix
@ -76,10 +76,14 @@ rec {
   * mkKeyValue is the same as in toINI.
   */
  toKeyValue = {
-    mkKeyValue ? mkKeyValueDefault {} "="
+    mkKeyValue ? mkKeyValueDefault {} "=",
-  }: attrs:
+    listsAsDuplicateKeys ? false
-    let mkLine = k: v: mkKeyValue k v + "\n";
+  }:
-    in libStr.concatStrings (libAttr.mapAttrsToList mkLine attrs);
+  let mkLine = k: v: mkKeyValue k v + "\n";
      mkLines = if listsAsDuplicateKeys
        then k: v: map (mkLine k) (if lib.isList v then v else [v])
        else k: v: [ (mkLine k v) ];
  in attrs: libStr.concatStrings (lib.concatLists (libAttr.mapAttrsToList mkLines attrs));
  /* Generate an INI-style config file from an
@ -106,7 +110,9 @@ rec {
    # apply transformations (e.g. escapes) to section names
    mkSectionName ? (name: libStr.escape [ "[" "]" ] name),
    # format a setting line from key and value
-    mkKeyValue    ? mkKeyValueDefault {} "="
+    mkKeyValue    ? mkKeyValueDefault {} "=",
    # allow lists as values for duplicate keys
    listsAsDuplicateKeys ? false
  }: attrsOfAttrs:
    let
        # map function to string for each key val
@ -115,11 +121,64 @@ rec {
            (libAttr.mapAttrsToList mapFn attrs);
        mkSection = sectName: sectValues: ''
          [${mkSectionName sectName}]
-        '' + toKeyValue { inherit mkKeyValue; } sectValues;
+        '' + toKeyValue { inherit mkKeyValue listsAsDuplicateKeys; } sectValues;
    in
      # map input to ini sections
      mapAttrsToStringsSep "\n" mkSection attrsOfAttrs;
  /* Generate a git-config file from an attrset.
   *
   * It has two major differences from the regular INI format:
   *
   * 1. values are indented with tabs
   * 2. sections can have sub-sections
   *
   * generators.toGitINI {
   *   url."ssh://git@github.com/".insteadOf = "https://github.com";
   *   user.name = "edolstra";
   * }
   *
   *> [url "ssh://git@github.com/"]
   *>   insteadOf = https://github.com/
   *>
   *> [user]
   *>   name = edolstra
   */
  toGitINI = attrs:
    with builtins;
    let
      mkSectionName = name:
        let
          containsQuote = libStr.hasInfix ''"'' name;
          sections = libStr.splitString "." name;
          section = head sections;
          subsections = tail sections;
          subsection = concatStringsSep "." subsections;
        in if containsQuote || subsections == [ ] then
          name
        else
          ''${section} "${subsection}"'';
      # generation for multiple ini values
      mkKeyValue = k: v:
        let mkKeyValue = mkKeyValueDefault { } " = " k;
        in concatStringsSep "\n" (map (kv: "\t" + mkKeyValue kv) (lib.toList v));
      # converts { a.b.c = 5; } to { "a.b".c = 5; } for toINI
      gitFlattenAttrs = let
        recurse = path: value:
          if isAttrs value then
            lib.mapAttrsToList (name: value: recurse ([ name ] ++ path) value) value
          else if length path > 1 then {
            ${concatStringsSep "." (lib.reverseList (tail path))}.${head path} = value;
          } else {
            ${head path} = value;
          };
      in attrs: lib.foldl lib.recursiveUpdate { } (lib.flatten (recurse [ ] attrs));
      toINI_ = toINI { inherit mkKeyValue mkSectionName; };
    in
      toINI_ (gitFlattenAttrs attrs);
  /* Generates JSON from an arbitrary (non-function) value.
    * For more information see the documentation of the builtin.
--- a/lib/kernel.nix
+++ b/lib/kernel.nix
@ -1,12 +1,7 @@
-{ lib, version }:
+{ lib }:
 with lib;
 {
  # Common patterns/legacy
  whenAtLeast = ver: mkIf (versionAtLeast version ver);
  whenOlder   = ver: mkIf (versionOlder version ver);
  # range is (inclusive, exclusive)
  whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
  # Keeping these around in case we decide to change this horrible implementation :)
@ -18,4 +13,14 @@ with lib;
  module   = { tristate    = "m"; };
  freeform = x: { freeform = x; };
  /*
    Common patterns/legacy used in common-config/hardened-config.nix
   */
  whenHelpers = version: {
    whenAtLeast = ver: mkIf (versionAtLeast version ver);
    whenOlder   = ver: mkIf (versionOlder version ver);
    # range is (inclusive, exclusive)
    whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
  };
 }
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -649,6 +649,13 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
    url = http://metadata.ftp-master.debian.org/changelogs/main/d/debianutils/debianutils_4.8.1_copyright;
  };
  sspl = {
    shortName = "SSPL";
    fullName = "Server Side Public License";
    url = https://www.mongodb.com/licensing/server-side-public-license;
    free = false;
  };
  tcltk = spdx {
    spdxId = "TCL";
    fullName = "TCL/TK License";
@ -675,6 +682,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) {
    # channel and NixOS images.
  };
  unicode-dfs-2016 = spdx {
    spdxId = "Unicode-DFS-2016";
    fullName = "Unicode License Agreement - Data Files and Software (2016)";
  };
  unlicense = spdx {
    spdxId = "Unlicense";
    fullName = "The Unlicense";
--- a/lib/modules.nix
+++ b/lib/modules.nix
@ -93,7 +93,11 @@ rec {
            res set._definedNames
        else
          res;
-      result = { inherit options config; };
+      result = {
        inherit options;
        config = removeAttrs config [ "_module" ];
        inherit (config) _module;
      };
    in result;
  # collectModules :: (modulesPath: String) -> (modules: [ Module ]) -> (args: Attrs) -> [ Module ]
@ -389,7 +393,7 @@ rec {
      let
        # Process mkMerge and mkIf properties.
        defs' = concatMap (m:
-          map (value: { inherit (m) file; inherit value; }) (dischargeProperties m.value)
+          map (value: { inherit (m) file; inherit value; }) (builtins.addErrorContext "while evaluating definitions from `${m.file}':" (dischargeProperties m.value))
        ) defs;
        # Process mkOverride properties.
@ -410,10 +414,9 @@ rec {
    # Type-check the remaining definitions, and merge them. Or throw if no definitions.
    mergedValue =
      if isDefined then
-        foldl' (res: def:
+        if all (def: type.check def.value) defsFinal then type.merge loc defsFinal
-          if type.check def.value then res
+        else let firstInvalid = findFirst (def: ! type.check def.value) null defsFinal;
-          else throw "The option value `${showOption loc}' in `${def.file}' is not of type `${type.description}'."
+        in throw "The option value `${showOption loc}' in `${firstInvalid.file}' is not of type `${type.description}'."
        ) (type.merge loc defsFinal) defsFinal
      else
        # (nixos-option detects this specific error message and gives it special
        # handling.  If changed here, please change it there too.)
--- a/lib/options.nix
+++ b/lib/options.nix
@ -159,7 +159,7 @@ rec {
          let ss = opt.type.getSubOptions opt.loc;
          in if ss != {} then optionAttrSetToDocList' opt.loc ss else [];
      in
-        [ docOption ] ++ subOptions) (collect isOption options);
+        [ docOption ] ++ optionals docOption.visible subOptions) (collect isOption options);
  /* This function recursively removes all derivation attributes from
--- a/lib/sources.nix
+++ b/lib/sources.nix
@ -63,17 +63,14 @@ rec {
  #             https://nixos.org/nix/manual/#builtin-filterSource
  #
  #   name:     Optional name to use as part of the store path.
-  #             This defaults `src.name` or otherwise `baseNameOf src`.
+  #             This defaults to `src.name` or otherwise `"source"`.
  #             We recommend setting `name` whenever `src` is syntactically `./.`.
  #             Otherwise, you depend on `./.`'s name in the parent directory,
  #             which can cause inconsistent names, defeating caching.
  #
  cleanSourceWith = { filter ? _path: _type: true, src, name ? null }:
    let
      isFiltered = src ? _isLibCleanSourceWith;
      origSrc = if isFiltered then src.origSrc else src;
      filter' = if isFiltered then name: type: filter name type && src.filter name type else filter;
-      name' = if name != null then name else if isFiltered then src.name else baseNameOf src;
+      name' = if name != null then name else if isFiltered then src.name else "source";
    in {
      inherit origSrc;
      filter = filter';
--- a/lib/systems/default.nix
+++ b/lib/systems/default.nix
@ -65,6 +65,7 @@ rec {
          freebsd = "FreeBSD";
          openbsd = "OpenBSD";
          wasi = "Wasi";
          genode = "Genode";
        }.${final.parsed.kernel.name} or null;
         # uname -p
--- a/lib/systems/doubles.nix
+++ b/lib/systems/doubles.nix
@ -35,6 +35,8 @@ let
    "vc4-none"
    "js-ghcjs"
    "aarch64-genode" "x86_64-genode"
  ];
  allParsed = map parse.mkSystemFromString all;
@ -68,6 +70,7 @@ in {
  unix    = filterDoubles predicates.isUnix;
  wasi    = filterDoubles predicates.isWasi;
  windows = filterDoubles predicates.isWindows;
  genode  = filterDoubles predicates.isGenode;
  embedded = filterDoubles predicates.isNone;
--- a/lib/systems/inspect.nix
+++ b/lib/systems/inspect.nix
@ -47,6 +47,7 @@ rec {
    isMinGW        = { kernel = kernels.windows; abi = abis.gnu; };
    isWasi         = { kernel = kernels.wasi; };
    isGhcjs        = { kernel = kernels.ghcjs; };
    isGenode       = { kernel = kernels.genode; };
    isNone         = { kernel = kernels.none; };
    isAndroid      = [ { abi = abis.android; } { abi = abis.androideabi; } ];
--- a/lib/systems/parse.nix
+++ b/lib/systems/parse.nix
@ -279,6 +279,7 @@ rec {
    wasi    = { execFormat = wasm;    families = { }; };
    windows = { execFormat = pe;      families = { }; };
    ghcjs   = { execFormat = unknown; families = { }; };
    genode  = { execFormat = elf;     families = { }; };
  } // { # aliases
    # 'darwin' is the kernel for all of them. We choose macOS by default.
    darwin = kernels.macos;
@ -395,6 +396,8 @@ rec {
        then { cpu = elemAt l 0; vendor = "unknown"; kernel = elemAt l 1; abi = elemAt l 2; }
      else if (elemAt l 2 == "ghcjs")
        then { cpu = elemAt l 0; vendor = "unknown"; kernel = elemAt l 2; }
      else if hasPrefix "genode" (elemAt l 2)
        then { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; }
      else throw "Target specification with 3 components is ambiguous";
    "4" =    { cpu = elemAt l 0; vendor = elemAt l 1; kernel = elemAt l 2; abi = elemAt l 3; };
  }.${toString (length l)}
--- a/lib/tests/misc.nix
+++ b/lib/tests/misc.nix
@ -348,6 +348,18 @@ runTests {
    '';
  };
  testToINIDuplicateKeys = {
    expr = generators.toINI { listsAsDuplicateKeys = true; } { foo.bar = true; baz.qux = [ 1 false ]; };
    expected = ''
      [baz]
      qux=1
      qux=false
      [foo]
      bar=true
    '';
  };
  testToINIDefaultEscapes = {
    expr = generators.toINI {} {
      "no [ and ] allowed unescaped" = {
--- a/lib/tests/modules.sh
+++ b/lib/tests/modules.sh
@ -185,6 +185,14 @@ checkConfigError 'The option .* defined in .* does not exist' config.enable ./di
 # Check that imports can depend on derivations
 checkConfigOutput "true" config.enable ./import-from-store.nix
 # Check that configs can be conditional on option existence
 checkConfigOutput true config.enable ./define-option-dependently.nix ./declare-enable.nix ./declare-int-positive-value.nix
 checkConfigOutput 360 config.value ./define-option-dependently.nix ./declare-enable.nix ./declare-int-positive-value.nix
 checkConfigOutput 7 config.value ./define-option-dependently.nix ./declare-int-positive-value.nix
 checkConfigOutput true config.set.enable ./define-option-dependently-nested.nix ./declare-enable-nested.nix ./declare-int-positive-value-nested.nix
 checkConfigOutput 360 config.set.value ./define-option-dependently-nested.nix ./declare-enable-nested.nix ./declare-int-positive-value-nested.nix
 checkConfigOutput 7 config.set.value ./define-option-dependently-nested.nix ./declare-int-positive-value-nested.nix
 # Check attrsOf and lazyAttrsOf. Only lazyAttrsOf should be lazy, and only
 # attrsOf should work with conditional definitions
 # In addition, lazyAttrsOf should honor an options emptyValue
@ -194,6 +202,11 @@ checkConfigOutput "true" config.conditionalWorks ./declare-attrsOf.nix ./attrsOf
 checkConfigOutput "false" config.conditionalWorks ./declare-lazyAttrsOf.nix ./attrsOf-conditional-check.nix
 checkConfigOutput "empty" config.value.foo ./declare-lazyAttrsOf.nix ./attrsOf-conditional-check.nix
 # Even with multiple assignments, a type error should be thrown if any of them aren't valid
 checkConfigError 'The option value .* in .* is not of type .*' \
  config.value ./declare-int-unsigned-value.nix ./define-value-list.nix ./define-value-int-positive.nix
 cat <<EOF
 ====== module tests ======
 $pass Pass
--- a/lib/tests/modules/declare-enable-nested.nix
+++ b/lib/tests/modules/declare-enable-nested.nix
@ -0,0 +1,14 @@
 { lib, ... }:
 {
  options.set = {
    enable = lib.mkOption {
      default = false;
      example = true;
      type = lib.types.bool;
      description = ''
        Some descriptive text
      '';
    };
  };
 }
--- a/lib/tests/modules/declare-int-positive-value-nested.nix
+++ b/lib/tests/modules/declare-int-positive-value-nested.nix
@ -0,0 +1,9 @@
 { lib, ... }:
 {
  options.set = {
    value = lib.mkOption {
      type = lib.types.ints.positive;
    };
  };
 }
--- a/lib/tests/modules/define-option-dependently-nested.nix
+++ b/lib/tests/modules/define-option-dependently-nested.nix
@ -0,0 +1,16 @@
 { lib, options, ... }:
 # Some modules may be distributed separately and need to adapt to other modules
 # that are distributed and versioned separately.
 {
  # Always defined, but the value depends on the presence of an option.
  config.set = {
    value = if options ? set.enable then 360 else 7;
  }
  # Only define if possible.
  // lib.optionalAttrs (options ? set.enable) {
    enable = true;
  };
 }
--- a/lib/tests/modules/define-option-dependently.nix
+++ b/lib/tests/modules/define-option-dependently.nix
@ -0,0 +1,16 @@
 { lib, options, ... }:
 # Some modules may be distributed separately and need to adapt to other modules
 # that are distributed and versioned separately.
 {
  # Always defined, but the value depends on the presence of an option.
  config = {
    value = if options ? enable then 360 else 7;
  } 
  # Only define if possible.
  // lib.optionalAttrs (options ? enable) {
    enable = true;
  };
 }
--- a/lib/tests/systems.nix
+++ b/lib/tests/systems.nix
@ -12,16 +12,17 @@ let
    expected = lib.sort lib.lessThan y;
  };
 in with lib.systems.doubles; lib.runTests {
-  testall = mseteq all (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ wasi ++ windows ++ embedded ++ js);
+  testall = mseteq all (linux ++ darwin ++ freebsd ++ openbsd ++ netbsd ++ illumos ++ wasi ++ windows ++ embedded ++ js ++ genode);
  testarm = mseteq arm [ "armv5tel-linux" "armv6l-linux" "armv6l-none" "armv7a-linux" "armv7l-linux" "arm-none" "armv7a-darwin" ];
  testi686 = mseteq i686 [ "i686-linux" "i686-freebsd" "i686-netbsd" "i686-openbsd" "i686-cygwin" "i686-windows" "i686-none" "i686-darwin" ];
  testmips = mseteq mips [ "mipsel-linux" ];
-  testx86_64 = mseteq x86_64 [ "x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin" "x86_64-solaris" "x86_64-windows" "x86_64-none" ];
+  testx86_64 = mseteq x86_64 [ "x86_64-linux" "x86_64-darwin" "x86_64-freebsd" "x86_64-genode" "x86_64-openbsd" "x86_64-netbsd" "x86_64-cygwin" "x86_64-solaris" "x86_64-windows" "x86_64-none" ];
  testcygwin = mseteq cygwin [ "i686-cygwin" "x86_64-cygwin" ];
  testdarwin = mseteq darwin [ "x86_64-darwin" "i686-darwin" "aarch64-darwin" "armv7a-darwin" ];
  testfreebsd = mseteq freebsd [ "i686-freebsd" "x86_64-freebsd" ];
  testgenode = mseteq genode [ "aarch64-genode" "x86_64-genode" ];
  testgnu = mseteq gnu (linux /* ++ kfreebsd ++ ... */);
  testillumos = mseteq illumos [ "x86_64-solaris" ];
  testlinux = mseteq linux [ "aarch64-linux" "armv5tel-linux" "armv6l-linux" "armv7a-linux" "armv7l-linux" "i686-linux" "mipsel-linux" "riscv32-linux" "riscv64-linux" "x86_64-linux" "powerpc64le-linux" ];
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@ -171,7 +171,7 @@ rec {
     On each release the first letter is bumped and a new animal is chosen
     starting with that new letter.
  */
-  codeName = "Markhor";
+  codeName = "Nightingale";
  /* Returns the current nixpkgs version suffix as string. */
  versionSuffix =
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -1,5 +1,5 @@
 /* List of NixOS maintainers.
-
+    ```nix
    handle = {
      # Required
      name = "Your name";
@ -13,32 +13,33 @@
        fingerprint = "AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333";
      }];
    };
    ```
-  where
+    where
-  - `handle` is the handle you are going to use in nixpkgs expressions,
+    - `handle` is the handle you are going to use in nixpkgs expressions,
-  - `name` is your, preferably real, name,
+    - `name` is your, preferably real, name,
-  - `email` is your maintainer email address, and
+    - `email` is your maintainer email address, and
-  - `github` is your GitHub handle (as it appears in the URL of your profile page, `https://github.com/<userhandle>`),
+    - `github` is your GitHub handle (as it appears in the URL of your profile page, `https://github.com/<userhandle>`),
-  - `githubId` is your GitHub user ID, which can be found at `https://api.github.com/users/<userhandle>`,
+    - `githubId` is your GitHub user ID, which can be found at `https://api.github.com/users/<userhandle>`,
-  - `keys` is a list of your PGP/GPG key IDs and fingerprints.
+    - `keys` is a list of your PGP/GPG key IDs and fingerprints.
-  `handle == github` is strongly preferred whenever `github` is an acceptable attribute name and is short and convenient.
+    `handle == github` is strongly preferred whenever `github` is an acceptable attribute name and is short and convenient.
-  Add PGP/GPG keys only if you actually use them to sign commits and/or mail.
+    Add PGP/GPG keys only if you actually use them to sign commits and/or mail.
-  To get the required PGP/GPG values for a key run
+    To get the required PGP/GPG values for a key run
-  ```shell
+    ```shell
-  gpg --keyid-format 0xlong --fingerprint <email> | head -n 2
+    gpg --keyid-format 0xlong --fingerprint <email> | head -n 2
-  ```
+    ```
-  !!! Note that PGP/GPG values stored here are for informational purposes only, don't use this file as a source of truth.
+    !!! Note that PGP/GPG values stored here are for informational purposes only, don't use this file as a source of truth.
-  More fields may be added in the future.
+    More fields may be added in the future.
-  Please keep the list alphabetically sorted.
+    Please keep the list alphabetically sorted.
-  See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data.
+    See `./scripts/check-maintainer-github-handles.sh` for an example on how to work with this data.
-  */
+*/
 {
  "0x4A6F" = {
    email = "0x4A6F@shackspace.de";
@ -301,6 +302,12 @@
    githubId = 786394;
    name = "Alexander Krupenkin ";
  };
  albakham = {
    email = "dev@geber.ga";
    github = "albakham";
    githubId = 43479487;
    name = "Titouan Biteau";
  };
  alexarice = {
    email = "alexrice999@hotmail.co.uk";
    github = "alexarice";
@ -357,6 +364,22 @@
    githubId = 5892756;
    name = "Alec Snyder";
  };
  AluisioASG = {
    name = "Aluísio Augusto Silva Gonçalves";
    email = "aluisio@aasg.name";
    github = "AluisioASG";
    githubId = 1904165;
    keys = [{
      longkeyid = "rsa4096/0x9FAA63E097506D9D";
      fingerprint = "7FDB 17B3 C29B 5BA6 E5A9  8BB2 9FAA 63E0 9750 6D9D";
    }];
  };
  almac = {
    email = "alma.cemerlic@gmail.com";
    github = "a1mac";
    githubId = 60479013;
    name = "Alma Cemerlic";
  };
  alunduil = {
    email = "alunduil@gmail.com";
    github = "alunduil";
@ -395,10 +418,15 @@
    githubId = 20530052;
    name = "Andrew Miloradovsky";
  };
-  aminb = {
+  notbandali = {
    email = "amin@aminb.org";
    github = "aminb";
    name = "Amin Bandali";
    email = "bandali@gnu.org";
    github = "notbandali";
    githubId = 1254858;
    keys = [{
      longkeyid = "rsa4096/0xA21A020248816103";
      fingerprint = "BE62 7373 8E61 6D6D 1B3A  08E8 A21A 0202 4881 6103";
    }];
  };
  aminechikhaoui = {
    email = "amine.chikhaoui91@gmail.com";
@ -628,6 +656,12 @@
    githubId = 10285250;
    name = "Artur E. Ruuge";
  };
  asbachb = {
    email = "asbachb-nixpkgs-5c2a@impl.it";
    github = "asbachb";
    githubId = 1482768;
    name = "Benjamin Asbach";
  };
  ashalkhakov = {
    email = "artyom.shalkhakov@gmail.com";
    github = "ashalkhakov";
@ -694,6 +728,12 @@
    githubId = 55833;
    name = "Troels Henriksen";
  };
  atkinschang = {
    email = "atkinschang+nixpkgs@gmail.com";
    github = "AtkinsChang";
    githubId = 5193600;
    name = "Atkins Chang";
  };
  atnnn = {
    email = "etienne@atnnn.com";
    github = "atnnn";
@ -1069,6 +1109,18 @@
    githubId = 7716744;
    name = "Berno Strik";
  };
  brettlyons = {
    email = "blyons@fastmail.com";
    github = "brettlyons";
    githubId = 3043718;
    name = "Brett Lyons";
  };
  btlvr = {
    email = "btlvr@protonmail.com";
    github = "btlvr";
    githubId = 32319131;
    name = "Brett L";
  };
  buffet = {
    email = "niclas@countingsort.com";
    github = "buffet";
@ -1222,6 +1274,20 @@
    githubId = 5949913;
    name = "Carlos Fernandez Sanz";
  };
  cge = {
    email = "cevans@evanslabs.org";
    github = "cgevans";
    githubId = 2054509;
    name = "Constantine Evans";
    keys = [
      { longkeyid = "rsa4096/0xB67DB1D20A93A9F9";
        fingerprint = "32B1 6EE7 DBA5 16DE 526E  4C5A B67D B1D2 0A93 A9F9";
      }
      { longkeyid = "rsa4096/0x1A1D58B86AE2AABD";
        fingerprint = "669C 1D24 5A87 DB34 6BE4  3216 1A1D 58B8 6AE2 AABD";
      }
    ];
  };
  chaduffy = {
    email = "charles@dyfis.net";
    github = "charles-dyfis-net";
@ -1340,6 +1406,12 @@
    githubId = 25088352;
    name = "Christian Kögler";
  };
  clkamp = {
    email = "c@lkamp.de";
    github = "clkamp";
    githubId = 46303707;
    name = "Christian Lütke-Stetzkamp";
  };
  kampka = {
    email = "christian@kampka.net";
    github = "kampka";
@ -1427,6 +1499,16 @@
    githubId = 5684605;
    name = "Cole Scott";
  };
  cole-h = {
    name = "Cole Helbling";
    email = "cole.e.helbling@outlook.com";
    github = "cole-h";
    githubId = 28582702;
    keys = [{
      longkeyid = "rsa4096/0xB37E0F2371016A4C";
      fingerprint = "68B8 0D57 B2E5 4AC3 EC1F  49B0 B37E 0F23 7101 6A4C";
    }];
  };
  copumpkin = {
    email = "pumpkingod@gmail.com";
    github = "copumpkin";
@ -1528,10 +1610,12 @@
    githubId = 2217136;
    name = "Ștefan D. Mihăilă";
    keys = [
-      { longkeyid = "rsa4096/6E68A39BF16A3ECB";
+      {
        longkeyid = "rsa4096/6E68A39BF16A3ECB";
        fingerprint = "CBC9 C7CC 51F0 4A61 3901 C723 6E68 A39B F16A 3ECB";
      }
-      { longkeyid = "rsa4096/6220AD7846220A52";
+      {
        longkeyid = "rsa4096/6220AD7846220A52";
        fingerprint = "7EAB 1447 5BBA 7DDE 7092 7276 6220 AD78 4622 0A52";
      }
    ];
@ -1748,7 +1832,7 @@
    name = "Didier J. Devroye";
  };
  devhell = {
-    email = "\"^\"@regexmail.net";
+    email = ''"^"@regexmail.net'';
    github = "devhell";
    githubId = 896182;
    name = "devhell";
@ -1872,6 +1956,12 @@
    githubId = 126339;
    name = "Domen Kozar";
  };
  dominikh = {
    email = "dominik@honnef.co";
    github = "dominikh";
    githubId = 39825;
    name = "Dominik Honnef";
  };
  doronbehar = {
    email = "me@doronbehar.com";
    github = "doronbehar";
@ -1914,7 +2004,7 @@
  drewrisinger = {
    email = "drisinger+nixpkgs@gmail.com";
    github = "drewrisinger";
-    gitHubId = 10198051;
+    githubId = 10198051;
    name = "Drew Risinger";
  };
  dsferruzza = {
@ -2087,7 +2177,7 @@
  };
  ehmry = {
    email = "ehmry@posteo.net";
-    github= "ehmry";
+    github = "ehmry";
    githubId = 537775;
    name = "Emery Hemingway";
  };
@ -2175,10 +2265,10 @@
    name = "Jack Kelly";
  };
  enorris = {
-      name = "Eric Norris";
+    name = "Eric Norris";
-      email = "erictnorris@gmail.com";
+    email = "erictnorris@gmail.com";
-      github = "ericnorris";
+    github = "ericnorris";
-      githubId = 1906605;
+    githubId = 1906605;
  };
  Enteee = {
    email = "nix@duckpond.ch";
@ -2235,6 +2325,7 @@
  ericdallo = {
    email = "ercdll1337@gmail.com";
    github = "ericdallo";
    githubId = 7820865;
    name = "Eric Dallo";
  };
  ericsagnes = {
@ -2578,7 +2669,7 @@
    email = "ftrvxmtrx@gmail.com";
    github = "ftrvxmtrx";
    githubId = 248148;
-    name = "Siarhei Zirukin";
+    name = "Sigrid Solveig Haflínudóttir";
  };
  fuerbringer = {
    email = "severin@fuerbringer.info";
@ -2700,6 +2791,12 @@
    githubId = 3217744;
    name = "Peter Ferenczy";
  };
  gila = {
    email = "jeffry.molanus@gmail.com";
    github = "gila";
    githubId = 15957973;
    name = "Jeffry Molanus";
  };
  gilligan = {
    email = "tobias.pflug@gmail.com";
    github = "gilligan";
@ -2773,9 +2870,14 @@
    name = "Graham Christensen";
  };
  grburst = {
-    email = "grburst@openmailbox.org";
+    email = "GRBurst@protonmail.com";
-    github = "grburst";
+    github = "GRBurst";
-    name = "Julius Elias";
+    githubId = 4647221;
    name = "GRBurst";
    keys = [{
      longkeyid = "rsa4096/0x797F623868CD00C2";
      fingerprint = "7FC7 98AB 390E 1646 ED4D  8F1F 797F 6238 68CD 00C2";
    }];
  };
  greydot = {
    email = "lanablack@amok.cc";
@ -2841,7 +2943,7 @@
    github = "hansjoergschurr";
    githubId = 9850776;
    name = "Hans-Jörg Schurr";
-    };
+  };
  HaoZeke = {
    email = "r95g10@gmail.com";
    github = "haozeke";
@ -2980,6 +3082,12 @@
    githubId = 12491746;
    name = "Masato Yonekawa";
  };
  i077 = {
    email = "nixpkgs@imranhossa.in";
    github = "i077";
    githubId = 2789926;
    name = "Imran Hossain";
  };
  iand675 = {
    email = "ian@iankduncan.com";
    github = "iand675";
@ -3040,6 +3148,12 @@
    githubId = 4401220;
    name = "Michael Eden";
  };
  illiusdope = {
    email = "mat@marini.ca";
    github = "illiusdope";
    githubId = 61913481;
    name = "Mat Marini";
  };
  ilya-fedin = {
    email = "fedin-ilja2010@ya.ru";
    github = "ilya-fedin";
@ -3275,6 +3389,12 @@
    githubId = 1198065;
    name = "Jeffrey David Johnson";
  };
  jefflabonte = {
    email = "grimsleepless@protonmail.com";
    github = "jefflabonte";
    githubId = 9425955;
    name = "Jean-François Labonté";
  };
  jensbin = {
    email = "jensbin+git@pm.me";
    github = "jensbin";
@ -3528,6 +3648,12 @@
    github = "jorsn";
    githubId = 4646725;
  };
  joshuafern = {
    name = "Joshua Fern";
    email = "joshuafern@protonmail.com";
    github = "JoshuaFern";
    githubId = 4300747;
  };
  jpas = {
    name = "Jarrod Pas";
    email = "jarrod@jarrodpas.com";
@ -3636,6 +3762,16 @@
    githubId = 66669;
    name = "Jeff Zellner";
  };
  kaction = {
    name  = "Dmitry Bogatov";
    email = "KAction@disroot.org";
    github = "kaction";
    githubId = 44864956;
    key = [{
      longkeyid = "ed25519/0x749FD4DFA2E94236";
      fingerprint = "3F87 0A7C A7B4 3731 2F13  6083 749F D4DF A2E9 4236";
    }];
  };
  kaiha = {
    email = "kai.harries@gmail.com";
    github = "kaiha";
@ -3669,6 +3805,12 @@
    github = "kampfschlaefer";
    name = "Arnold Krille";
  };
  karantan = {
    name = "Gasper Vozel";
    email = "karantan@gmail.com";
    github = "karantan";
    githubId = 7062631;
  };
  karolchmist = {
    email = "info+nix@chmist.com";
    name = "karolchmist";
@ -3837,6 +3979,11 @@
    githubId = 13721712;
    name = "Konrad Langenberg";
  };
  kolbycrouch = {
    email = "kjc.devel@gmail.com";
    github = "kolbycrouch";
    name = "Kolby Crouch";
  };
  konimex = {
    email = "herdiansyah@netc.eu";
    github = "konimex";
@ -4055,6 +4202,12 @@
    github = "leonardoce";
    name = "Leonardo Cecchi";
  };
  leshainc = {
    email = "leshainc@fomalhaut.me";
    github = "LeshaInc";
    githubId = 42153076;
    name = "Alexey Nikashkin";
  };
  lethalman = {
    email = "lucabru@src.gnome.org";
    github = "lethalman";
@ -4067,6 +4220,16 @@
    githubId = 3425311;
    name = "Antoine Eiche";
  };
  lexuge = {
    name = "Harry Ying";
    email = "lexugeyky@outlook.com";
    github = "LEXUGE";
    githubId = 13804737;
    keys = [{
      longkeyid = "rsa4096/0xAE53B4C2E58EDD45";
      fingerprint = "7FE2 113A A08B 695A C8B8  DDE6 AE53 B4C2 E58E DD45";
    }];
  };
  lheckemann = {
    email = "git@sphalerite.org";
    github = "lheckemann";
@ -4150,10 +4313,10 @@
    }];
  };
  luis = {
-      email = "luis.nixos@gmail.com";
+    email = "luis.nixos@gmail.com";
-      github = "Luis-Hebendanz";
+    github = "Luis-Hebendanz";
-      githubId = 22085373;
+    githubId = 22085373;
-      name = "Luis Hebendanz";
+    name = "Luis Hebendanz";
  };
  lionello = {
    email = "lio@lunesu.com";
@ -4241,6 +4404,12 @@
    github = "ltavard";
    name = "Laure Tavard";
  };
  luc65r = {
    email = "lucas@ransan.tk";
    github = "luc65r";
    githubId = 59375051;
    name = "Lucas Ransan";
  };
  lucus16 = {
    email = "lars.jellema@gmail.com";
    github = "Lucus16";
@ -4259,6 +4428,16 @@
    githubId = 1784379;
    name = "Kyohei Kadota";
  };
  Luflosi = {
    name = "Luflosi";
    email = "luflosi@luflosi.de";
    github = "Luflosi";
    githubId = 15217907;
    keys = [{
      longkeyid = "rsa4096/0x6F987CCF224D20B9";
      fingerprint = "66D1 3048 2B5F 2069 81A6  6B83 6F98 7CCF 224D 20B9";
    }];
  };
  luispedro = {
    email = "luis@luispedro.org";
    github = "luispedro";
@ -4386,12 +4565,12 @@
    githubId = 50230945;
    name = "Marcus Boyd";
  };
-	marenz = {
+  marenz = {
-		email = "marenz@arkom.men";
+    email = "marenz@arkom.men";
-		github = "marenz2569";
+    github = "marenz2569";
-		githubId = 12773269;
+    githubId = 12773269;
-		name = "Markus Schmidl";
+    name = "Markus Schmidl";
-	};
+  };
  markus1189 = {
    email = "markus1189@gmail.com";
    github = "markus1189";
@ -4460,6 +4639,12 @@
    githubId = 1711539;
    name = "matklad";
  };
  matt-snider = {
    email = "matt.snider@protonmail.com";
    github = "matt-snider";
    githubId = 11810057;
    name = "Matt Snider";
  };
  matthewbauer = {
    email = "mjbauer95@gmail.com";
    github = "matthewbauer";
@ -4494,6 +4679,12 @@
    githubId = 1269099;
    name = "Marius Bakke";
  };
  mbaillie = {
    email = "martin@baillie.email";
    github = "martinbaillie";
    githubId = 613740;
    name = "Martin Baillie";
  };
  mbbx6spp = {
    email = "me@susanpotter.net";
    github = "mbbx6spp";
@ -4635,7 +4826,7 @@
    githubId = 668926;
    name = "Maximilian Güntner";
  };
-   mhaselsteiner = {
+  mhaselsteiner = {
    email = "magdalena.haselsteiner@gmx.at";
    github = "mhaselsteiner";
    githubId = 20536514;
@ -4698,12 +4889,24 @@
    githubId = 3958340;
    name = "Eshin Kunishima";
  };
  mikesperber = {
    email = "sperber@deinprogramm.de";
    github = "mikesperber";
    githubId = 1387206;
    name = "Mike Sperber";
  };
  mildlyincompetent = {
    email = "nix@kch.dev";
    github = "mildlyincompetent";
    githubId = 19479662;
    name = "Kajetan Champlewski";
  };
  millerjason = {
    email = "mailings-github@millerjason.com";
    github = "millerjason";
    githubId = 7610974;
    name = "Jason Miller";
  };
  miltador = {
    email = "miltador@yandex.ua";
    name = "Vasiliy Solovey";
@ -4717,7 +4920,12 @@
  minijackson = {
    email = "minijackson@riseup.net";
    github = "minijackson";
    githubId = 1200507;
    name = "Rémi Nicole";
    keys = [{
      longkeyid = "rsa2048/0xFEA888C9F5D64F62";
      fingerprint = "3196 83D3 9A1B 4DE1 3DC2  51FD FEA8 88C9 F5D6 4F62";
    }];
  };
  mirdhyn = {
    email = "mirdhyn@gmail.com";
@ -4800,11 +5008,11 @@
  mmilata = {
    email = "martin@martinmilata.cz";
    github = "mmilata";
-    gitHubId = 85857;
+    githubId = 85857;
    name = "Martin Milata";
  };
  mmlb = {
-    email = "me.mmlb@mmlb.me";
+    email = "manny@peekaboo.mmlb.icu";
    github = "mmlb";
    name = "Manuel Mendez";
  };
@ -4877,6 +5085,12 @@
    githubId = 118035;
    name = "Corbin Simpson";
  };
  mothsart = {
    email = "jerem.ferry@gmail.com";
    github = "mothsart";
    githubId = 10601196;
    name = "Jérémie Ferry";
  };
  mounium = {
    email = "muoniurn@gmail.com";
    github = "mounium";
@ -5414,6 +5628,12 @@
    githubId = 11016164;
    name = "Fedor Pakhomov";
  };
  paluh = {
    email = "paluho@gmail.com";
    github = "paluh";
    githubId = 190249;
    name = "Tomasz Rybarczyk";
  };
  pamplemousse = {
    email = "xav.maso@gmail.com";
    github = "Pamplemousse";
@ -5687,11 +5907,10 @@
    github = "pradyuman";
    githubId = 9904569;
    name = "Pradyuman Vig";
-    keys = [
+    keys = [{
-      { longkeyid = "rsa4096/4F74D5361C4CA31E";
+      longkeyid = "rsa4096/4F74D5361C4CA31E";
-        fingerprint = "240B 57DE 4271 2480 7CE3  EAC8 4F74 D536 1C4C A31E";
+      fingerprint = "240B 57DE 4271 2480 7CE3  EAC8 4F74 D536 1C4C A31E";
-      }
+    }];
    ];
  };
  prikhi = {
    email = "pavan.rikhi@gmail.com";
@ -5705,10 +5924,12 @@
    githubId = 7537109;
    name = "Michael Weiss";
    keys = [
-      { longkeyid = "ed25519/0x130826A6C2A389FD"; # Git only
+      {
        longkeyid = "ed25519/0x130826A6C2A389FD"; # Git only
        fingerprint = "86A7 4A55 07D0 58D1 322E  37FD 1308 26A6 C2A3 89FD";
      }
-      { longkeyid = "rsa3072/0xBCA9943DD1DF4C04"; # Email, etc.
+      {
        longkeyid = "rsa3072/0xBCA9943DD1DF4C04"; # Email, etc.
        fingerprint = "AF85 991C C950 49A2 4205  1933 BCA9 943D D1DF 4C04";
      }
    ];
@ -5793,6 +6014,12 @@
    githubId = 37715;
    name = "Brian McKenna";
  };
  puzzlewolf = {
    email = "nixos@nora.pink";
    github = "puzzlewolf";
    githubId = 23097564;
    name = "Nora Widdecke";
  };
  pxc = {
    email = "patrick.callahan@latitudeengineering.com";
    name = "Patrick Callahan";
@ -5803,6 +6030,12 @@
    githubId = 4579165;
    name = "Danny Bautista";
  };
  peelz = {
    email = "peelz.dev+nixpkgs@gmail.com";
    github = "louistakepillz";
    githubId = 920910;
    name = "peelz";
  };
  q3k = {
    email = "q3k@q3k.org";
    github = "q3k";
@ -5831,6 +6064,11 @@
      fingerprint = "7573 56D7 79BB B888 773E  415E 736C CDF9 EF51 BD97";
    }];
  };
  raboof = {
    email = "arnout@bzzt.net";
    github = "raboof";
    name = "Arnout Engelen";
  };
  rafaelgg = {
    email = "rafael.garcia.gallego@gmail.com";
    github = "rafaelgg";
@ -6025,6 +6263,20 @@
    githubId = 807447;
    name = "Robert Scott";
  };
  risson = {
    name = "Marc Schmitt";
    email = "marc.schmitt@risson.space";
    github = "rissson";
    githubId = 18313093;
    keys = [
      { longkeyid = "rsa4096/0xF6FD87B15C263EC9";
        fingerprint = "8A0E 6A7C 08AB B9DE 67DE  2A13 F6FD 87B1 5C26 3EC9";
      }
      { longkeyid = "ed25519/0xBBB7A6801DF1E03F";
        fingerprint = "C0A7 A9BB 115B C857 4D75  EA99 BBB7 A680 1DF1 E03F";
      }
    ];
  };
  rittelle = {
    email = "rittelle@posteo.de";
    github = "rittelle";
@ -6043,6 +6295,12 @@
    githubId = 2507744;
    name = "Roland Koebler";
  };
  rkrzr = {
    email = "ops+nixpkgs@channable.com";
    github = "rkrzr";
    githubId = 82817;
    name = "Robert Kreuzer";
  };
  rlupton20 = {
    email = "richard.lupton@gmail.com";
    github = "rlupton20";
@ -6054,12 +6312,10 @@
    github = "rnhmjoj";
    githubId = 2817565;
    name = "Michele Guerini Rocco";
-    keys =
+    keys = [{
-    [
+      longkeyid = "ed25519/0xBFBAF4C975F76450";
-      { longkeyid   = "ed25519/0xBFBAF4C975F76450";
+      fingerprint = "92B2 904F D293 C94D C4C9  3E6B BFBA F4C9 75F7 6450";
-        fingerprint = "92B2 904F D293 C94D C4C9  3E6B BFBA F4C9 75F7 6450";
+    }];
      }
    ];
  };
  rob = {
    email = "rob.vermaas@gmail.com";
@ -6241,6 +6497,12 @@
    githubId = 766350;
    name = "Richard Zetterberg";
  };
  samdoshi = {
    email = "sam@metal-fish.co.uk";
    github = "samdoshi";
    githubId = 112490;
    name = "Sam Doshi";
  };
  samdroid-apps = {
    email = "sam@sam.today";
    github = "samdroid-apps";
@ -6258,10 +6520,10 @@
    }];
  };
  samrose = {
-   email = "samuel.rose@gmail.com";
+    email = "samuel.rose@gmail.com";
-   github = "samrose";
+    github = "samrose";
-   githubId = 115821;
+    githubId = 115821;
-   name = "Sam Rose";
+    name = "Sam Rose";
  };
  samueldr = {
    email = "samuel@dionne-riel.com";
@ -6573,6 +6835,12 @@
    githubId = 848812;
    name = "Stephan Jau";
  };
  sjfloat = {
    email = "steve+nixpkgs@jonescape.com";
    github = "sjfloat";
    githubId = 216167;
    name = "Steve Jones";
  };
  sjmackenzie = {
    email = "setori88@gmail.com";
    github = "sjmackenzie";
@ -6592,6 +6860,12 @@
    email = "jot.skrzyp@gmail.com";
    name = "Jakub Skrzypnik";
  };
  skykanin = {
    email = "skykanin@users.noreply.github.com";
    github = "skykanin";
    githubId = 3789764;
    name = "skykanin";
  };
  sleexyz = {
    email = "freshdried@gmail.com";
    github = "sleexyz";
@ -6734,6 +7008,12 @@
    githubId = 4061736;
    name = "Severen Redwood";
  };
  sstef = {
    email = "stephane@nix.frozenid.net";
    github = "fkstef";
    githubId = 8668915;
    name = "Stephane Schitter";
  };
  steell = {
    email = "steve@steellworks.com";
    github = "Steell";
@ -7056,6 +7336,12 @@
    githubId = 378734;
    name = "TG ⊗ Θ";
  };
  th0rgal = {
    email = "thomas.marchand@tuta.io";
    github = "Th0rgal";
    githubId = 41830259;
    name = "Thomas Marchand";
  };
  thall = {
    email = "niclas.thall@gmail.com";
    github = "thall";
@ -7097,6 +7383,12 @@
    githubId = 8547242;
    name = "Stefan Rohrbacher";
  };
  "thelegy" = {
    email = "mail+nixos@0jb.de";
    github = "thelegy";
    githubId = 3105057;
    name = "Jan Beinke";
  };
  thesola10 = {
    email = "thesola10@bobile.fr";
    github = "thesola10";
@ -7119,6 +7411,12 @@
    githubId = 844343;
    name = "Thiago K. Okada";
  };
  thmzlt = {
    email = "git@thomazleite.com";
    github = "thmzlt";
    githubId = 7709;
    name = "Thomaz Leite";
  };
  ThomasMader = {
    email = "thomas.mader@gmail.com";
    github = "ThomasMader";
@ -7194,10 +7492,10 @@
    github = "tkerber";
    githubId = 5722198;
    name = "Thomas Kerber";
-    keys = [ {
+    keys = [{
      longkeyid = "rsa4096/0x8489B911F9ED617B";
      fingerprint = "556A 403F B0A2 D423 F656  3424 8489 B911 F9ED 617B";
-    } ];
+    }];
  };
  tmplt = {
    email = "tmplt@dragons.rocks";
@ -7428,6 +7726,12 @@
    github = "valeriangalliat";
    name = "Valérian Galliat";
  };
  valodim = {
    email = "look@my.amazin.horse";
    github = "valodim";
    githubId = 27813;
    name = "Vincent Breitmoser";
  };
  vandenoever = {
    email = "jos@vandenoever.info";
    github = "vandenoever";
@ -7471,7 +7775,8 @@
  };
  vcunat = {
    name = "Vladimír Čunát";
-    email = "v@cunat.cz"; # vcunat@gmail.com predominated in commits before 2019/03
+    # vcunat@gmail.com predominated in commits before 2019/03
    email = "v@cunat.cz";
    github = "vcunat";
    githubId = 1785925;
    keys = [{
@ -7686,7 +7991,7 @@
    email = "worldofpeace@protonmail.ch";
    github = "worldofpeace";
    githubId = 28888242;
-    name = "Worldofpeace";
+    name = "worldofpeace";
  };
  wscott = {
    email = "wsc9tt@gmail.com";
@ -8040,4 +8345,21 @@
    githubId = 3674056;
    name = "Asad Saeeduddin";
  };
  ngerstle = {
    name  = "Nicholas Gerstle";
    email = "ngerstle@gmail.com";
    github = "ngerstle";
  };
  xavierzwirtz = {
    email = "me@xavierzwirtz.com";
    github = "xavierzwirtz";
    githubId = 474343;
    name = "Xavier Zwirtz";
  };
  ymeister = {
    name = "Yuri Meister";
    email = "47071325+ymeister@users.noreply.github.com";
    github = "ymeister";
    githubId = 47071325;
  };
 }
--- a/maintainers/scripts/luarocks-packages.csv
+++ b/maintainers/scripts/luarocks-packages.csv
@ -6,8 +6,10 @@ basexx,,,,,
 binaryheap,,,,,vcunat
 bit32,,,,lua5_1,lblasc
 busted,,,,,
 cassowary,,,,,marsam
 cjson,lua-cjson,,,,
 compat53,,,,,vcunat
 cosmo,,,,,marsam
 coxpcall,,,1.17.0-1,,
 cqueues,,,,,vcunat
 cyrussasl,,,,,vcunat
--- a/maintainers/scripts/nix-generate-from-cpan.pl
+++ b/maintainers/scripts/nix-generate-from-cpan.pl
@ -6,6 +6,7 @@ use warnings;
 use CPAN::Meta();
 use CPANPLUS::Backend();
 use Module::CoreList;
 use Getopt::Long::Descriptive qw( describe_options );
 use JSON::PP qw( encode_json );
 use Log::Log4perl qw(:easy);
@ -164,7 +165,7 @@ Readonly::Hash my %LICENSE_MAP => (
    # License not provided in metadata.
    unknown => {
-        licenses => [qw( unknown )],
+        licenses => [],
        amb      => 1
    }
 );
@ -278,14 +279,8 @@ sub get_deps {
    foreach my $n ( $deps->required_modules ) {
        next if $n eq "perl";
-        # Figure out whether the module is a core module by attempting
+        my @core = Module::CoreList->find_modules(qr/^$n$/);
-        # to `use` the module in a pure Perl interpreter and checking
+        next if (@core);
        # whether it succeeded. Note, $^X is a magic variable holding
        # the path to the running Perl interpreter.
        if ( system("env -i $^X -M$n -e1 >/dev/null 2>&1") == 0 ) {
            DEBUG("skipping Perl-builtin module $n");
            next;
        }
        my $pkg = module_to_pkg( $cb, $n );
--- a/maintainers/scripts/update.nix
+++ b/maintainers/scripts/update.nix
@ -2,6 +2,7 @@
 , maintainer ? null
 , path ? null
 , max-workers ? null
 , include-overlays ? false
 , keep-going ? null
 }:
@ -20,9 +21,7 @@ let
      in
        [x] ++ nubOn f xs;
-  pkgs = import ./../../default.nix {
+  pkgs = import ./../../default.nix (if include-overlays then { } else { overlays = []; });
    overlays = [];
  };
  packagesWith = cond: return: set:
    nubOn (pkg: pkg.updateScript)
--- a/maintainers/team-list.nix
+++ b/maintainers/team-list.nix
@ -0,0 +1,33 @@
 /* List of maintainer teams.
    name = {
      # Required
      members = [ maintainer1 maintainer2 ];
      scope = "Maintain foo packages.";
    };
  where
  - `members` is the list of maintainers belonging to the group,
  - `scope` describes the scope of the group.
  More fields may be added in the future.
  Please keep the list alphabetically sorted.
  */
 { lib }:
 with lib.maintainers; {
  freedesktop = {
    members = [ jtojnar worldofpeace ];
    scope = "Maintain Freedesktop.org packages for graphical desktop.";
  };
  gnome = {
    members = [
      hedning
      jtojnar
      worldofpeace
    ];
    scope = "Maintain GNOME desktop environment and platform.";
  };
 }
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@ -21,7 +21,6 @@
 <xi:include href="xfce.xml" />
 <xi:include href="networking.xml" />
 <xi:include href="linux-kernel.xml" />
 <xi:include href="matrix.xml" />
 <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
 <xi:include href="profiles.xml" />
 <xi:include href="kubernetes.xml" />
--- a/nixos/doc/manual/configuration/modularity.xml
+++ b/nixos/doc/manual/configuration/modularity.xml
@ -36,6 +36,7 @@
 { <xref linkend="opt-services.xserver.enable"/> = true;
  <xref linkend="opt-services.xserver.displayManager.sddm.enable"/> = true;
  <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> = true;
  <xref linkend="opt-environment.systemPackages"/> = [ pkgs.vim ];
 }
 </programlisting>
  Note that both <filename>configuration.nix</filename> and
--- a/nixos/doc/manual/configuration/xfce.xml
+++ b/nixos/doc/manual/configuration/xfce.xml
@ -9,7 +9,6 @@
 <programlisting>
 <xref linkend="opt-services.xserver.desktopManager.xfce.enable" /> = true;
 <xref linkend="opt-services.xserver.displayManager.defaultSession" /> = "xfce";
 };
 </programlisting>
 </para>
 <para>
--- a/nixos/doc/manual/development/releases.xml
+++ b/nixos/doc/manual/development/releases.xml
@ -71,8 +71,9 @@
     <para>
      <link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">
      Update <literal>versionSuffix</literal> in
-      <literal>nixos/release.nix</literal></link>, use <literal>git log
+      <literal>nixos/release.nix</literal></link>, use
-      --format=%an|wc -l</literal> to get the commit count
+      <literal>git rev-list --count 17.09-beta</literal>
      to get the commit count.
     </para>
    </listitem>
    <listitem>
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@ -24,8 +24,7 @@
  </para>
  <para>
-   The NixOS manual is available on virtual console 8 (press Alt+F8 to access)
+   The NixOS manual is available by running <command>nixos-help</command>.
   or by running <command>nixos-help</command>.
  </para>
  <para>
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@ -8,6 +8,7 @@
  This section lists the release notes for each stable version of NixOS and
  current unstable revision.
 </para>
 <xi:include href="rl-2009.xml" />
 <xi:include href="rl-2003.xml" />
 <xi:include href="rl-1909.xml" />
 <xi:include href="rl-1903.xml" />
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@ -154,7 +154,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
   </listitem>
   <listitem>
    <para>
-     The <literal>99-main.network</literal> file was removed. Maching all
+     The <literal>99-main.network</literal> file was removed. Matching all
     network interfaces caused many breakages, see
     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link>
       and <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>.
@ -196,10 +196,10 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
   </listitem>
   <listitem>
    <para>
-     There is now only one Xfce package-set and module. This means attributes, <literal>xfce4-14</literal>
+     There is now only one Xfce package-set and module. This means that attributes <literal>xfce4-14</literal>
-     <literal>xfce4-12</literal>, and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
+     and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
-     packages. And in future NixOS releases will be the latest released version of Xfce available at the
+     packages. And in the future NixOS releases will be the latest released version of Xfce available at the
-     time during the releases development (if viable).
+     time of the release's development (if viable).
    </para>
   </listitem>
   <listitem>
@ -235,7 +235,7 @@ services.xserver.displayManager.defaultSession = "xfce+icewm";
   <listitem>
    <para>
      The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
-      This has led to drastically reduced closed sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
+      This has led to drastically reduced closure sizes for some rust crates since development dependencies are now in the <literal>lib</literal> output.
    </para>
    </listitem>
   <listitem>
@ -625,6 +625,138 @@ auth required pam_succeed_if.so uid >= 1000 quiet
     to a fairly old snapshot  from the <package>gcc7</package>-branch.
    </para>
   </listitem>
   <listitem>
    <para>
     The <citerefentry><refentrytitle>nixos-build-vms</refentrytitle><manvolnum>8</manvolnum>
     </citerefentry>-script now uses the python test-driver.
    </para>
   </listitem>
   <listitem>
    <para>
     The <package>riot-web</package> package now accepts configuration overrides as an attribute set instead of a string.
     A formerly used JSON configuration can be converted to an attribute set with <literal>builtins.fromJSON</literal>.
    </para>
    <para>
     The new default configuration also disables automatic guest account registration and analytics to improve privacy.
     The previous behavior can be restored by setting <literal>config.riot-web.conf = { disable_guests = false; piwik = true; }</literal>.
    </para>
   </listitem>
   <listitem>
     <para>
       Stand-alone usage of <literal>Upower</literal> now requires
       <option>services.upower.enable</option> instead of just installing into
       <xref linkend="opt-environment.systemPackages"/>.
     </para>
   </listitem>
   <listitem>
    <para>
     <package>nextcloud</package> has been updated to <literal>v18.0.2</literal>. This means
     that users from NixOS 19.09 can't upgrade directly since you can only move one version
      forward and 19.09 uses <literal>v16.0.8</literal>.
    </para>
    <para>
     To provide a safe upgrade-path and to circumvent similar issues in the future, the following
     measures were taken:
     <itemizedlist>
      <listitem>
       <para>
        The <package>pkgs.nextcloud</package>-attribute has been removed and replaced with
        versioned attributes (currently <package>pkgs.nextcloud17</package> and
        <package>pkgs.nextcloud18</package>). With this change major-releases can be backported
        without breaking stuff and to make upgrade-paths easier.
       </para>
      </listitem>
      <listitem>
       <para>
        Existing setups will be detected using
        <link linkend="opt-system.stateVersion">system.stateVersion</link>: by default,
        <package>nextcloud17</package> will be used, but will raise a warning which notes
        that after that deploy it's recommended to update to the latest stable version
        (<package>nextcloud18</package>) by declaring the newly introduced setting
        <link linkend="opt-services.nextcloud.package">services.nextcloud.package</link>.
       </para>
      </listitem>
      <listitem>
       <para>
        Users with an overlay (e.g. to use <package>nextcloud</package> at version
        <literal>v18</literal> on <literal>19.09</literal>) will get an evaluation error
        by default. This is done to ensure that our
        <link linkend="opt-services.nextcloud.package">package</link>-option doesn't select an
        older version by accident. It's recommended to use <package>pkgs.nextcloud18</package>
        or to set <link linkend="opt-services.nextcloud.package">package</link> to
        <package>pkgs.nextcloud</package> explicitly.
       </para>
      </listitem>
     </itemizedlist>
    </para>
    <warning>
     <para>
      Please note that if you're comming from <literal>19.03</literal> or older, you have
      to manually upgrade to <literal>19.09</literal> first to upgrade your server
      to Nextcloud v16.
     </para>
    </warning>
   </listitem>
   <listitem>
    <para>
     <package>Hydra</package> has gained a massive performance improvement due to
     <link xlink:href="https://github.com/NixOS/hydra/pull/710">some database schema
     changes</link> by adding several IDs and better indexing. However, it's necessary
     to upgrade Hydra in multiple steps:
     <itemizedlist>
      <listitem>
       <para>
        At first, an older version of Hydra needs to be deployed which adds those
        (nullable) columns. When having set <link linkend="opt-system.stateVersion">stateVersion
        </link> to a value older than <literal>20.03</literal>, this package will be selected
        by default from the module when upgrading. Otherwise, the package can be deployed using
        the following config:
 <programlisting>{ pkgs, ... }: {
  <link linkend="opt-services.hydra.package">services.hydra.package</link> = pkgs.hydra-migration;
 }</programlisting>
       </para>
      </listitem>
      <listitem>
       <para>
        Automatically fill the newly added ID columns on the server by running the following
        command:
 <screen>
 <prompt>$ </prompt>hydra-backfill-ids
 </screen>
        <warning>
         <para>Please note that this process can take a while depending on your database-size!</para>
        </warning>
       </para>
      </listitem>
      <listitem>
       <para>
        Deploy a newer version of Hydra to activate the DB optimizations. You can choose from
        either <package>hydra-unstable</package> (latest <literal>master</literal> compiled
        against <package>nixUnstable</package>) and <package>hydra-flakes</package> (latest
        version with flake-support).
        <warning>
         <para>
          If your <link linkend="opt-system.stateVersion">stateVersion</link> is set to
          <literal>20.03</literal> or greater, <package>hydra-unstable</package> will be used
          automatically! This will break your setup if you didn't run the migration.
         </para>
        </warning>
        Please note that Hydra is currently not available with <package>nixStable</package>
        as this doesn't compile anymore.
       </para>
      </listitem>
     </itemizedlist>
     <warning>
      <para>
       <package>pkgs.hydra</package> has been removed to ensure a graceful database-migration
       using the dedicated package-attributes. If you still have <package>pkgs.hydra</package>
       defined in e.g. an overlay, an assertion error will be thrown. To circumvent this,
       you need to set <xref linkend="opt-services.hydra.package" /> to <package>pkgs.hydra</package>
       explicitly and make sure you know what you're doing!
      </para>
     </warning>
    </para>
   </listitem>
  </itemizedlist>
 </section>
@ -687,6 +819,86 @@ auth required pam_succeed_if.so uid >= 1000 quiet
    via <option>boot.initrd.luks.fido2Support</option>.
    </para>
   </listitem>
   <listitem>
    <para>
     Predicatbly named network-interfaces get renamed in stage-1. This means that it's possible
     to use the proper interface name for e.g. dropbear-setups.
    </para>
    <para>
     For further reference, please read <link xlink:href="https://github.com/NixOS/nixpkgs/pull/68953">#68953</link> or the corresponding <link xlink:href="https://discourse.nixos.org/t/predictable-network-interface-names-in-initrd/4055">discourse thread</link>.
    </para>
   </listitem>
   <listitem>
    <para>
     The <package>matrix-synapse</package>-package has been updated to
     <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.11.1">v1.11.1</link>.
     Due to <link xlink:href="https://github.com/matrix-org/synapse/releases/tag/v1.10.0rc1">stricter requirements</link>
     for database configuration when using <package>postgresql</package>, the automated database setup
     of the module has been removed to avoid any further edge-cases.
    </para>
    <para>
     <package>matrix-synapse</package> expects <literal>postgresql</literal>-databases to have the options
     <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> set to
     <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link> which basically
     instructs <literal>postgresql</literal> to ignore any locale-based preferences.
    </para>
    <para>
     Depending on your setup, you need to incorporate one of the following changes in your setup to
     upgrade to 20.03:
     <itemizedlist>
      <listitem><para>If you use <literal>sqlite3</literal> you don't need to do anything.</para></listitem>
      <listitem><para>If you use <literal>postgresql</literal> on a different server, you don't need
       to change anything as well since this module was never designed to configure remote databases.
      </para></listitem>
      <listitem><para>If you use <literal>postgresql</literal> and configured your synapse initially on
       <literal>19.09</literal> or older, you simply need to enable <package>postgresql</package>-support
        explicitly:
 <programlisting>{ ... }: {
  services.matrix-synapse = {
    <link linkend="opt-services.matrix-synapse.enable">enable</link> = true;
    /* and all the other config you've defined here */
  };
  <link linkend="opt-services.postgresql.enable">services.postgresql.enable</link> = true;
 }</programlisting>
      </para></listitem>
      <listitem><para>If you deploy a fresh <package>matrix-synapse</package>, you need to configure
       the database yourself (e.g. by using the
       <link linkend="opt-services.postgresql.initialScript">services.postgresql.initialScript</link>
       option). An example for this can be found in the
       <link linkend="module-services-matrix">documentation of the Matrix module</link>.
      </para></listitem>
      <listitem><para>If you initially deployed your <package>matrix-synapse</package> on
       <literal>nixos-unstable</literal> <emphasis>after</emphasis> the <literal>19.09</literal>-release,
       your database is misconfigured due to a regression in NixOS. For now, <package>matrix-synapse</package> will
       startup with a warning, but it's recommended to reconfigure the database to set the values
       <literal>LC_COLLATE</literal> and <literal>LC_CTYPE</literal> to
       <link xlink:href="https://www.postgresql.org/docs/12/locale.html"><literal>'C'</literal></link>.
      </para></listitem>
     </itemizedlist>
    </para>
  </listitem>
  <listitem>
   <para>
    The <link linkend="opt-systemd.network.links">systemd.network.links</link> option is now respected
    even when <link linkend="opt-systemd.network.enable">systemd-networkd</link> is disabled.
    This mirrors the behaviour of systemd - It's udev that parses <literal>.link</literal> files,
    not <command>systemd-networkd</command>.
   </para>
  </listitem>
  <listitem>
   <para>
    <package>mongodb</package> has been updated to version <literal>3.4.24</literal>.
    <warning>
     <para>
      Please note that <package>mongodb</package> has been relicensed under their own
      <link xlink:href="https://www.mongodb.com/licensing/server-side-public-license/faq"><literal>
      sspl</literal></link>-license. Since it's not entirely free and not OSI-approved,
      it's listed as non-free. This means that Hydra doesn't provide prebuilt
      <package>mongodb</package>-packages and needs to be built locally.
     </para>
    </warning>
   </para>
  </listitem>
  </itemizedlist>
 </section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -0,0 +1,144 @@
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.09">
 <title>Release 20.09 (“Nightingale”, 2020.09/??)</title>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.09-highlights">
  <title>Highlights</title>
  <para>
   In addition to numerous new and upgraded packages, this release has the
   following highlights:
  </para>
  <itemizedlist>
   <listitem>
    <para>
     Support is planned until the end of April 2021, handing over to 21.03.
    </para>
   </listitem>
   <listitem>
    <para>
     PHP now defaults to PHP 7.4, updated from 7.3.
    </para>
   </listitem>
   <listitem>
    <para>
     Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
     and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
     been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
     in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
     make use of these new options instead.
    </para>
   </listitem>
  </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.09-new-services">
  <title>New Services</title>
  <para>
   The following new services were added since the last release:
  </para>
  <itemizedlist>
   <listitem>
    <para />
   </listitem>
  </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.09-incompatibilities">
  <title>Backward Incompatibilities</title>
  <para>
   When upgrading from a previous release, please be aware of the following
   incompatible changes:
  </para>
  <itemizedlist>
   <listitem>
    <para>
     Grafana is now built without support for phantomjs by default. Phantomjs support has been
     <link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated in Grafana</link>
     and the <package>phantomjs</package> project is
     <link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently unmaintained</link>.
     It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instanciation:
 <programlisting>{
  services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec {
    phantomJsSupport = false;
  });
 }</programlisting>
    </para>
   </listitem>
   <listitem>
    <para>
      The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal>
      as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal>
      is 20.09 or higher. It also enables number of
      <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link>
      which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in
      <option>systemd.services.supybot.serviceConfig</option>.
    </para>
   </listitem>
   <listitem>
    <para>
      The <literal>security.duosec.skey</literal> option, which stored a secret in the
      nix store, has been replaced by a new
      <link linkend="opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link>
      option for better security.
    </para>
    <para>
      <literal>security.duosec.ikey</literal> has been renamed to
      <link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>.
    </para>
   </listitem>
   <listitem>
    <para>
     The initrd SSH support now uses OpenSSH rather than Dropbear to
     allow the use of Ed25519 keys and other OpenSSH-specific
     functionality. Host keys must now be in the OpenSSH format, and at
     least one pre-generated key must be specified.
    </para>
    <para>
     If you used the <option>boot.initrd.network.ssh.host*Key</option>
     options, you'll get an error explaining how to convert your host
     keys and migrate to the new
     <option>boot.initrd.network.ssh.hostKeys</option> option.
     Otherwise, if you don't have any host keys set, you'll need to
     generate some; see the <option>hostKeys</option> option
     documentation for instructions.
    </para>
   </listitem>
  </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.09-notable-changes">
  <title>Other Notable Changes</title>
  <itemizedlist>
   <listitem>
    <para />
   </listitem>
  </itemizedlist>
 </section>
 </section>
--- a/nixos/lib/eval-config.nix
+++ b/nixos/lib/eval-config.nix
@ -41,6 +41,12 @@ let
      # default to the argument. That way this new default could propagate all
      # they way through, but has the last priority behind everything else.
      nixpkgs.system = lib.mkDefault system;
      # Stash the value of the `system` argument. When using `nesting.children`
      # we want to have the same default value behavior (immediately above)
      # without any interference from the user's configuration.
      nixpkgs.initialSystem = system;
      _module.args.pkgs = lib.mkIf (pkgs_ != null) (lib.mkForce pkgs_);
    };
  };
@ -55,7 +61,7 @@ in rec {
    args = extraArgs;
    specialArgs =
      { modulesPath = builtins.toString ../modules; } // specialArgs;
-  }) config options;
+  }) config options _module;
  # These are the extra arguments passed to every module.  In
  # particular, Nixpkgs is passed through the "pkgs" argument.
@ -63,5 +69,5 @@ in rec {
    inherit baseModules extraModules modules;
  };
-  inherit (config._module.args) pkgs;
+  inherit (_module.args) pkgs;
 }
--- a/nixos/lib/make-options-doc/default.nix
+++ b/nixos/lib/make-options-doc/default.nix
@ -133,6 +133,7 @@ in {
  optionsJSON = pkgs.runCommand "options.json"
    { meta.description = "List of NixOS options in JSON format";
      buildInputs = [ pkgs.brotli ];
    }
    ''
      # Export list of options in different format.
@ -141,8 +142,11 @@ in {
      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
      brotli -9 < $dst/options.json > $dst/options.json.br
      mkdir -p $out/nix-support
      echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
      echo "file json-br $dst/options.json.br" >> $out/nix-support/hydra-build-products
    ''; # */
  optionsDocBook = pkgs.runCommand "options-docbook.xml" {} ''
--- a/nixos/lib/test-driver/test-driver.py
+++ b/nixos/lib/test-driver/test-driver.py
@ -6,6 +6,7 @@ from xml.sax.saxutils import XMLGenerator
 import _thread
 import atexit
 import base64
 import codecs
 import os
 import pathlib
 import ptpython.repl
@ -101,10 +102,12 @@ def make_command(args: list) -> str:
 def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]:
    global log
    log.log("starting VDE switch for network {}".format(vlan_nr))
-    vde_socket = os.path.abspath("./vde{}.ctl".format(vlan_nr))
+    vde_socket = tempfile.mkdtemp(
        prefix="nixos-test-vde-", suffix="-vde{}.ctl".format(vlan_nr)
    )
    pty_master, pty_slave = pty.openpty()
    vde_process = subprocess.Popen(
-        ["vde_switch", "-s", vde_socket, "--dirmode", "0777"],
+        ["vde_switch", "-s", vde_socket, "--dirmode", "0700"],
        bufsize=1,
        stdin=pty_slave,
        stdout=subprocess.PIPE,
@ -115,6 +118,7 @@ def create_vlan(vlan_nr: str) -> Tuple[str, str, "subprocess.Popen[bytes]", Any]
    fd.write("version\n")
    # TODO: perl version checks if this can be read from
    # an if not, dies. we could hang here forever. Fix it.
    assert vde_process.stdout is not None
    vde_process.stdout.readline()
    if not os.path.exists(os.path.join(vde_socket, "ctl")):
        raise Exception("cannot start vde_switch")
@ -139,7 +143,7 @@ def retry(fn: Callable) -> None:
 class Logger:
    def __init__(self) -> None:
        self.logfile = os.environ.get("LOGFILE", "/dev/null")
-        self.logfile_handle = open(self.logfile, "wb")
+        self.logfile_handle = codecs.open(self.logfile, "wb")
        self.xml = XMLGenerator(self.logfile_handle, encoding="utf-8")
        self.queue: "Queue[Dict[str, str]]" = Queue(1000)
@ -739,6 +743,7 @@ class Machine:
        self.shell, _ = self.shell_socket.accept()
        def process_serial_output() -> None:
            assert self.process.stdout is not None
            for _line in self.process.stdout:
                # Ignore undecodable bytes that may occur in boot menus
                line = _line.decode(errors="ignore").replace("\r", "").rstrip()
@ -911,7 +916,7 @@ def subtest(name: str) -> Iterator[None]:
 if __name__ == "__main__":
    log = Logger()
-    vlan_nrs = list(dict.fromkeys(os.environ["VLANS"].split()))
+    vlan_nrs = list(dict.fromkeys(os.environ.get("VLANS", "").split()))
    vde_sockets = [create_vlan(v) for v in vlan_nrs]
    for nr, vde_socket, _, _ in vde_sockets:
        os.environ["QEMU_VDE_SOCKET_{}".format(nr)] = vde_socket
@ -936,7 +941,7 @@ if __name__ == "__main__":
                machine.process.kill()
            for _, _, process, _ in vde_sockets:
-                process.kill()
+                process.terminate()
        log.close()
    tic = time.time()
--- a/nixos/lib/testing-python.nix
+++ b/nixos/lib/testing-python.nix
@ -175,13 +175,13 @@ in rec {
      nodeNames = builtins.attrNames nodes;
      invalidNodeNames = lib.filter
-        (node: builtins.match "^[A-z_][A-z0-9_]+$" node == null) nodeNames;
+        (node: builtins.match "^[A-z_]([A-z0-9_]+)?$" node == null) nodeNames;
    in
      if lib.length invalidNodeNames > 0 then
        throw ''
          Cannot create machines out of (${lib.concatStringsSep ", " invalidNodeNames})!
-          All machines are referenced as perl variables in the testing framework which will break the
+          All machines are referenced as python variables in the testing framework which will break the
          script when special characters are used.
          Please stick to alphanumeric chars and underscores as separation.
@ -218,12 +218,12 @@ in rec {
      '';
      testScript = ''
-        startAll;
+        start_all()
-        $client->waitForUnit("multi-user.target");
+        client.wait_for_unit("multi-user.target")
        ${preBuild}
-        $client->succeed("env -i ${bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2");
+        client.succeed("env -i ${bash}/bin/bash ${buildrunner} /tmp/xchg/saved-env >&2")
        ${postBuild}
-        $client->succeed("sync"); # flush all data before pulling the plug
+        client.succeed("sync") # flush all data before pulling the plug
      '';
      vmRunCommand = writeText "vm-run" ''
@ -263,9 +263,12 @@ in rec {
        { ... }:
        {
          inherit require;
          imports = [
            ../tests/common/auto.nix
          ];
          virtualisation.memorySize = 1024;
          services.xserver.enable = true;
-          services.xserver.displayManager.auto.enable = true;
+          test-support.displayManager.auto.enable = true;
          services.xserver.displayManager.defaultSession = "none+icewm";
          services.xserver.windowManager.icewm.enable = true;
        };
@ -274,7 +277,7 @@ in rec {
        machine = client;
        preBuild =
          ''
-            $client->waitForX;
+            client.wait_for_x()
          '';
      } // args);
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -250,9 +250,12 @@ in rec {
        { ... }:
        {
          inherit require;
          imports = [
            ../tests/common/auto.nix
          ];
          virtualisation.memorySize = 1024;
          services.xserver.enable = true;
-          services.xserver.displayManager.auto.enable = true;
+          test-support.displayManager.auto.enable = true;
          services.xserver.displayManager.defaultSession = "none+icewm";
          services.xserver.windowManager.icewm.enable = true;
        };
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@ -14,7 +14,7 @@ rec {
  # becomes dev-xyzzy.  FIXME: slow.
  escapeSystemdPath = s:
   replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"]
-    (if hasPrefix "/" s then substring 1 (stringLength s) s else s);
+   (removePrefix "/" s);
  # Returns a system path for a given shell package
  toShellPath = shell:
--- a/nixos/maintainers/scripts/azure-new/.gitignore
+++ b/nixos/maintainers/scripts/azure-new/.gitignore
@ -0,0 +1 @@
 azure
--- a/nixos/maintainers/scripts/azure-new/README.md
+++ b/nixos/maintainers/scripts/azure-new/README.md
@ -0,0 +1,42 @@
 # azure
 ## Demo
 Here's a demo of this being used: https://asciinema.org/a/euXb9dIeUybE3VkstLWLbvhmp
 ## Usage
 This is meant to be an example image that you can copy into your own
 project and modify to your own needs. Notice that the example image
 includes a built-in test user account, which by default uses your
 `~/.ssh/id_ed25519.pub` as an `authorized_key`.
 Build and upload the image
 ```shell
 $ ./upload-image.sh ./examples/basic/image.nix
 ...
 + attr=azbasic
 + nix-build ./examples/basic/image.nix --out-link azure
 /nix/store/qdpzknpskzw30vba92mb24xzll1dqsmd-azure-image
 ...
 95.5 %, 0 Done, 0 Failed, 1 Pending, 0 Skipped, 1 Total, 2-sec Throughput (Mb/s): 932.9565 
 ...
 /subscriptions/aff271ee-e9be-4441-b9bb-42f5af4cbaeb/resourceGroups/nixos-images/providers/Microsoft.Compute/images/azure-image-todo-makethisbetter
 ```
 Take the output, boot an Azure VM:
 ```
 img="/subscriptions/.../..." # use output from last command
 ./boot-vm.sh "${img}"
 ...
 => booted
 ```
 ## Future Work
 1. If the user specifies a hard-coded user, then the agent could be removed.
   Probably has security benefits; definitely has closure-size benefits.
   (It's likely the VM will need to be booted with a special flag. See:
   https://github.com/Azure/azure-cli/issues/12775 for details.)
--- a/nixos/maintainers/scripts/azure-new/boot-vm.sh
+++ b/nixos/maintainers/scripts/azure-new/boot-vm.sh
@ -0,0 +1,36 @@
 #!/usr/bin/env bash
 set -euo pipefail
 set -x
 image="${1}"
 location="westus2"
 group="nixos-test-vm"
 vm_size="Standard_D2s_v3";  os_size=42;
 # ensure group
 az group create --location "westus2" --name "${group}"
 group_id="$(az group show --name "${group}" -o tsv --query "[id]")"
 # (optional) identity
 if ! az identity show -n "${group}-identity" -g "${group}" &>/dev/stderr; then
  az identity create --name "${group}-identity" --resource-group "${group}"
 fi
 # (optional) role assignment, to the resource group, bad but not really great alternatives
 identity_id="$(az identity show --name "${group}-identity" --resource-group "${group}" -o tsv --query "[id]")"
 principal_id="$(az identity show --name "${group}-identity" --resource-group "${group}" -o tsv --query "[principalId]")"
 until az role assignment create --assignee "${principal_id}" --role "Owner" --scope "${group_id}"; do sleep 1; done
 # boot vm
 az vm create \
  --name "${group}-vm" \
  --resource-group "${group}" \
  --assign-identity "${identity_id}" \
  --size "${vm_size}" \
  --os-disk-size-gb "${os_size}" \
  --image "${image}" \
  --admin-username "${USER}" \
  --location "westus2" \
  --storage-sku "Premium_LRS" \
  --ssh-key-values "$(ssh-add -L)"
--- a/nixos/maintainers/scripts/azure-new/common.sh
+++ b/nixos/maintainers/scripts/azure-new/common.sh
@ -0,0 +1,7 @@
 export group="${AZURE_RESOURCE_GROUP:-"azure"}"
 export location="${AZURE_LOCATION:-"westus2"}"
 img_file=$(echo azure/*.vhd)
 img_name="$(basename "${img_file}")"
 img_name="${img_name%".vhd"}"
 export img_name="${img_name//[._]/-}"
--- a/nixos/maintainers/scripts/azure-new/examples/basic/image.nix
+++ b/nixos/maintainers/scripts/azure-new/examples/basic/image.nix
@ -0,0 +1,10 @@
 let
  pkgs = (import <nixpkgs> {});
  machine = import "${pkgs.path}/nixos/lib/eval-config.nix" {
    system = "x86_64-linux";
    modules = [
      ({config, ...}: { imports = [ ./system.nix ]; })
    ];
  };
 in
  machine.config.system.build.azureImage
--- a/nixos/maintainers/scripts/azure-new/examples/basic/system.nix
+++ b/nixos/maintainers/scripts/azure-new/examples/basic/system.nix
@ -0,0 +1,34 @@
 { pkgs, modulesPath, ... }:
 let username = "azurenixosuser";
 in
 {
  imports = [
    "${modulesPath}/virtualisation/azure-common.nix"
    "${modulesPath}/virtualisation/azure-image.nix"
  ];
  ## NOTE: This is just an example of how to hard-code a user.
  ## The normal Azure agent IS included and DOES provision a user based
  ## on the information passed at VM creation time.
  users.users."${username}" = {
    isNormalUser = true;
    home = "/home/${username}";
    description = "Azure NixOS Test User";
    openssh.authorizedKeys.keys = [ (builtins.readFile ~/.ssh/id_ed25519.pub) ];
  };
  nix.trustedUsers = [ username ];
  virtualisation.azureImage.diskSize = 2500;
  system.stateVersion = "20.03";
  boot.kernelPackages = pkgs.linuxPackages_latest;
  # test user doesn't have a password
  services.openssh.passwordAuthentication = false;
  security.sudo.wheelNeedsPassword = false;
  environment.systemPackages = with pkgs; [
    git file htop wget curl
  ];
 }
--- a/nixos/maintainers/scripts/azure-new/shell.nix
+++ b/nixos/maintainers/scripts/azure-new/shell.nix
@ -0,0 +1,13 @@
 with (import ../../../../default.nix {});
 stdenv.mkDerivation {
  name = "nixcfg-azure-devenv";
  nativeBuildInputs = [
    azure-cli
    bash
    cacert
    azure-storage-azcopy
  ];
  AZURE_CONFIG_DIR="/tmp/azure-cli/.azure";
 }
--- a/nixos/maintainers/scripts/azure-new/upload-image.sh
+++ b/nixos/maintainers/scripts/azure-new/upload-image.sh
@ -0,0 +1,58 @@
 #!/usr/bin/env bash
 set -euo pipefail
 set -x
 image_nix="${1:-"./examples/basic/image.nix"}"
 nix-build "${image_nix}" --out-link "azure"
 group="nixos-images"
 location="westus2"
 img_name="nixos-image"
 img_file="$(readlink -f ./azure/disk.vhd)"
 if ! az group show -n "${group}" &>/dev/null; then
  az group create --name "${group}" --location "${location}"
 fi
 # note: the disk access token song/dance is tedious
 # but allows us to upload direct to a disk image
 # thereby avoid storage accounts (and naming them) entirely!
 if ! az disk show -g "${group}" -n "${img_name}" &>/dev/null; then
  bytes="$(stat -c %s ${img_file})"
  size="30"
  az disk create \
    --resource-group "${group}" \
    --name "${img_name}" \
    --for-upload true --upload-size-bytes "${bytes}"
  timeout=$(( 60 * 60 )) # disk access token timeout
  sasurl="$(\
    az disk grant-access \
      --access-level Write \
      --resource-group "${group}" \
      --name "${img_name}" \
      --duration-in-seconds ${timeout} \
        | jq -r '.accessSas'
  )"
  azcopy copy "${img_file}" "${sasurl}" \
    --blob-type PageBlob 
  az disk revoke-access \
    --resource-group "${group}" \
    --name "${img_name}"
 fi
 if ! az image show -g "${group}" -n "${img_name}" &>/dev/null; then
  diskid="$(az disk show -g "${group}" -n "${img_name}" -o json | jq -r .id)"
  az image create \
    --resource-group "${group}" \
    --name "${img_name}" \
    --source "${diskid}" \
    --os-type "linux" >/dev/null
 fi
 imageid="$(az image show -g "${group}" -n "${img_name}" -o json | jq -r .id)"
 echo "${imageid}"
--- a/nixos/maintainers/scripts/ec2/amazon-image.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-image.nix
@ -8,10 +8,15 @@ in {
  imports = [ ../../../modules/virtualisation/amazon-image.nix ];
-  # Required to provide good EBS experience,
+  # Amazon recomments setting this to the highest possible value for a good EBS
  # experience, which prior to 4.15 was 255.
  # https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html#timeout-nvme-ebs-volumes
-  # TODO change value to 4294967295 when kernel is updated to 4.15 or later
+  config.boot.kernelParams =
-  config.boot.kernelParams = [ "nvme_core.io_timeout=255" ];
+    let timeout =
      if pkgs.lib.versionAtLeast config.boot.kernelPackages.kernel.version "4.15"
      then "4294967295"
      else  "255";
    in [ "nvme_core.io_timeout=${timeout}" ];
  options.amazonImage = {
    name = mkOption {
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@ -18,7 +18,7 @@ state_dir=$HOME/amis/ec2-images
 home_region=eu-west-1
 bucket=nixos-amis
-regions=(eu-west-1 eu-west-2 eu-west-3 eu-central-1
+regions=(eu-west-1 eu-west-2 eu-west-3 eu-central-1 eu-north-1
         us-east-1 us-east-2 us-west-1 us-west-2
         ca-central-1
         ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -35,12 +35,22 @@ in
      '';
    };
    networking.hostFiles = lib.mkOption {
      type = types.listOf types.path;
      defaultText = lib.literalExample "Hosts from `networking.hosts` and `networking.extraHosts`";
      example = lib.literalExample ''[ "''${pkgs.my-blocklist-package}/share/my-blocklist/hosts" ]'';
      description = ''
        Files that should be concatenated together to form <filename>/etc/hosts</filename>.
      '';
    };
    networking.extraHosts = lib.mkOption {
      type = types.lines;
      default = "";
      example = "192.168.0.1 lanlocalhost";
      description = ''
        Additional verbatim entries to be appended to <filename>/etc/hosts</filename>.
        For adding hosts from derivation results, use <option>networking.hostFiles</option> instead.
      '';
    };
@ -159,6 +169,15 @@ in
      "::1" = [ "localhost" ];
    };
    networking.hostFiles = let
      stringHosts =
        let
          oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip} + "\n";
          allToString = set: concatMapStrings (oneToString set) (attrNames set);
        in pkgs.writeText "string-hosts" (allToString (filterAttrs (_: v: v != []) cfg.hosts));
      extraHosts = pkgs.writeText "extra-hosts" cfg.extraHosts;
    in mkBefore [ stringHosts extraHosts ];
    environment.etc =
      { # /etc/services: TCP/UDP port assignments.
        services.source = pkgs.iana-etc + "/etc/services";
@ -167,12 +186,8 @@ in
        protocols.source  = pkgs.iana-etc + "/etc/protocols";
        # /etc/hosts: Hostname-to-IP mappings.
-        hosts.text = let
+        hosts.source = pkgs.runCommandNoCC "hosts" {} ''
-          oneToString = set: ip: ip + " " + concatStringsSep " " set.${ip};
+          cat ${escapeShellArgs cfg.hostFiles} > $out
          allToString = set: concatMapStringsSep "\n" (oneToString set) (attrNames set);
        in ''
          ${allToString (filterAttrs (_: v: v != []) cfg.hosts)}
          ${cfg.extraHosts}
        '';
        # /etc/host.conf: resolver configuration file
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@ -185,6 +185,8 @@ in
          { description = "Initialisation of swap device ${sw.device}";
            wantedBy = [ "${realDevice'}.swap" ];
            before = [ "${realDevice'}.swap" ];
            # If swap is encrypted, depending on rngd resolves a possible entropy starvation during boot
            after = mkIf (config.security.rngd.enable && sw.randomEncryption.enable) [ "rngd.service" ];
            path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
            script =
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@ -116,6 +116,7 @@ in
        "/lib" # FIXME: remove and update debug-info.nix
        "/sbin"
        "/share/emacs"
        "/share/hunspell"
        "/share/nano"
        "/share/org"
        "/share/themes"
--- a/nixos/modules/hardware/brightnessctl.nix
+++ b/nixos/modules/hardware/brightnessctl.nix
@ -1,31 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.hardware.brightnessctl;
 in
 {
  options = {
    hardware.brightnessctl = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Enable brightnessctl in userspace.
          This will allow brightness control from users in the video group.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    services.udev.packages = with pkgs; [ brightnessctl ];
    environment.systemPackages = with pkgs; [ brightnessctl ];
  };
 }
--- a/nixos/modules/hardware/sensor/iio.nix
+++ b/nixos/modules/hardware/sensor/iio.nix
@ -8,7 +8,12 @@ with lib;
  options = {
    hardware.sensor.iio = {
      enable = mkOption {
-        description = "Enable this option to support IIO sensors.";
+        description = ''
          Enable this option to support IIO sensors.
          IIO sensors are used for orientation and ambient light
          sensors on some mobile devices.
        '';
        type = types.bool;
        default = false;
      };
--- a/nixos/modules/hardware/uinput.nix
+++ b/nixos/modules/hardware/uinput.nix
@ -0,0 +1,19 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.hardware.uinput;
 in {
  options.hardware.uinput = {
    enable = lib.mkEnableOption "uinput support";
  };
  config = lib.mkIf cfg.enable {
    boot.kernelModules = [ "uinput" ];
    users.groups.uinput = {};
    services.udev.extraRules = ''
      SUBSYSTEM=="misc", KERNEL=="uinput", MODE="0660", GROUP="uinput", OPTIONS+="static_node=uinput"
    '';
  };
 }
--- a/nixos/modules/hardware/video/amdgpu-pro.nix
+++ b/nixos/modules/hardware/video/amdgpu-pro.nix
@ -30,7 +30,7 @@ in
    nixpkgs.config.xorg.abiCompat = "1.19";
    services.xserver.drivers = singleton
-      { name = "amdgpu"; modules = [ package ]; };
+      { name = "amdgpu"; modules = [ package ]; display = true; };
    hardware.opengl.package = package;
    hardware.opengl.package32 = package32;
--- a/nixos/modules/hardware/video/ati.nix
+++ b/nixos/modules/hardware/video/ati.nix
@ -21,7 +21,7 @@ in
    nixpkgs.config.xorg.abiCompat = "1.17";
    services.xserver.drivers = singleton
-      { name = "fglrx"; modules = [ ati_x11 ]; };
+      { name = "fglrx"; modules = [ ati_x11 ]; display = true; };
    hardware.opengl.package = ati_x11;
    hardware.opengl.package32 = pkgs.pkgsi686Linux.linuxPackages.ati_drivers_x11.override { libsOnly = true; kernel = null; };
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@ -34,26 +34,57 @@ let
  enabled = nvidia_x11 != null;
  cfg = config.hardware.nvidia;
-  optimusCfg = cfg.optimus_prime;
+  pCfg = cfg.prime;
  syncCfg = pCfg.sync;
  offloadCfg = pCfg.offload;
  primeEnabled = syncCfg.enable || offloadCfg.enable;
 in
 {
  imports =
    [
      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "enable" ] [ "hardware" "nvidia" "prime" "sync" "enable" ])
      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "allowExternalGpu" ] [ "hardware" "nvidia" "prime" "sync" "allowExternalGpu" ])
      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "nvidiaBusId" ] [ "hardware" "nvidia" "prime" "nvidiaBusId" ])
      (mkRenamedOptionModule [ "hardware" "nvidia" "optimus_prime" "intelBusId" ] [ "hardware" "nvidia" "prime" "intelBusId" ])
    ];
  options = {
-    hardware.nvidia.modesetting.enable = lib.mkOption {
+    hardware.nvidia.modesetting.enable = mkOption {
-      type = lib.types.bool;
+      type = types.bool;
      default = false;
      description = ''
        Enable kernel modesetting when using the NVIDIA proprietary driver.
        Enabling this fixes screen tearing when using Optimus via PRIME (see
-        <option>hardware.nvidia.optimus_prime.enable</option>. This is not enabled
+        <option>hardware.nvidia.prime.sync.enable</option>. This is not enabled
        by default because it is not officially supported by NVIDIA and would not
        work with SLI.
      '';
    };
-    hardware.nvidia.optimus_prime.enable = lib.mkOption {
+    hardware.nvidia.prime.nvidiaBusId = mkOption {
-      type = lib.types.bool;
+      type = types.str;
      default = "";
      example = "PCI:1:0:0";
      description = ''
        Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
        shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
      '';
    };
    hardware.nvidia.prime.intelBusId = mkOption {
      type = types.str;
      default = "";
      example = "PCI:0:2:0";
      description = ''
        Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
        shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
      '';
    };
    hardware.nvidia.prime.sync.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable NVIDIA Optimus support using the NVIDIA proprietary driver via PRIME.
@ -66,8 +97,8 @@ in
        be the only driver there.
        If this is enabled, then the bus IDs of the NVIDIA and Intel GPUs have to be
-        specified (<option>hardware.nvidia.optimus_prime.nvidiaBusId</option> and
+        specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-        <option>hardware.nvidia.optimus_prime.intelBusId</option>).
+        <option>hardware.nvidia.prime.intelBusId</option>).
        If you enable this, you may want to also enable kernel modesetting for the
        NVIDIA driver (<option>hardware.nvidia.modesetting.enable</option>) in order
@ -79,31 +110,23 @@ in
      '';
    };
-    hardware.nvidia.optimus_prime.allowExternalGpu = lib.mkOption {
+    hardware.nvidia.prime.sync.allowExternalGpu = mkOption {
-      type = lib.types.bool;
+      type = types.bool;
      default = false;
      description = ''
        Configure X to allow external NVIDIA GPUs when using optimus.
      '';
    };
-    hardware.nvidia.optimus_prime.nvidiaBusId = lib.mkOption {
+    hardware.nvidia.prime.offload.enable = mkOption {
-      type = lib.types.str;
+      type = types.bool;
-      default = "";
+      default = false;
      example = "PCI:1:0:0";
      description = ''
-        Bus ID of the NVIDIA GPU. You can find it using lspci; for example if lspci
+        Enable render offload support using the NVIDIA proprietary driver via PRIME.
        shows the NVIDIA GPU at "01:00.0", set this option to "PCI:1:0:0".
      '';
    };
-    hardware.nvidia.optimus_prime.intelBusId = lib.mkOption {
+        If this is enabled, then the bus IDs of the NVIDIA and Intel GPUs have to be
-      type = lib.types.str;
+        specified (<option>hardware.nvidia.prime.nvidiaBusId</option> and
-      default = "";
+        <option>hardware.nvidia.prime.intelBusId</option>).
      example = "PCI:0:2:0";
      description = ''
        Bus ID of the Intel GPU. You can find it using lspci; for example if lspci
        shows the Intel GPU at "00:02.0", set this option to "PCI:0:2:0".
      '';
    };
  };
@ -116,12 +139,19 @@ in
      }
      {
-        assertion = !optimusCfg.enable ||
+        assertion = primeEnabled -> pCfg.nvidiaBusId != "" && pCfg.intelBusId != "";
          (optimusCfg.nvidiaBusId != "" && optimusCfg.intelBusId != "");
        message = ''
-          When NVIDIA Optimus via PRIME is enabled, the GPU bus IDs must configured.
+          When NVIDIA PRIME is enabled, the GPU bus IDs must configured.
        '';
      }
      {
        assertion = offloadCfg.enable -> versionAtLeast nvidia_x11.version "435.21";
        message = "NVIDIA PRIME render offload is currently only supported on versions >= 435.21.";
      }
      {
        assertion = !(syncCfg.enable && offloadCfg.enable);
        message = "Only one NVIDIA PRIME solution may be used at a time.";
      }
    ];
    # If Optimus/PRIME is enabled, we:
@ -136,36 +166,38 @@ in
    # - Configure the display manager to run specific `xrandr` commands which will
    #   configure/enable displays connected to the Intel GPU.
-    services.xserver.drivers = singleton {
+    services.xserver.useGlamor = mkDefault offloadCfg.enable;
    services.xserver.drivers = optional primeEnabled {
      name = "modesetting";
      display = offloadCfg.enable;
      deviceSection = ''
        BusID "${pCfg.intelBusId}"
        ${optionalString syncCfg.enable ''Option "AccelMethod" "none"''}
      '';
    } ++ singleton {
      name = "nvidia";
      modules = [ nvidia_x11.bin ];
-      deviceSection = optionalString optimusCfg.enable
+      display = !offloadCfg.enable;
      deviceSection = optionalString primeEnabled
        ''
-          BusID "${optimusCfg.nvidiaBusId}"
+          BusID "${pCfg.nvidiaBusId}"
-          ${optionalString optimusCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
+          ${optionalString syncCfg.allowExternalGpu "Option \"AllowExternalGpus\""}
        '';
      screenSection =
        ''
          Option "RandRRotation" "on"
-          ${optionalString optimusCfg.enable "Option \"AllowEmptyInitialConfiguration\""}
+          ${optionalString syncCfg.enable "Option \"AllowEmptyInitialConfiguration\""}
        '';
    };
-    services.xserver.extraConfig = optionalString optimusCfg.enable
+    services.xserver.serverLayoutSection = optionalString syncCfg.enable ''
-      ''
+      Inactive "Device-modesetting[0]"
-        Section "Device"
+    '' + optionalString offloadCfg.enable ''
-          Identifier "nvidia-optimus-intel"
+      Option "AllowNVIDIAGPUScreens"
-          Driver "modesetting"
+    '';
          BusID  "${optimusCfg.intelBusId}"
          Option "AccelMethod" "none"
        EndSection
      '';
    services.xserver.serverLayoutSection = optionalString optimusCfg.enable
      ''
        Inactive "nvidia-optimus-intel"
      '';
-    services.xserver.displayManager.setupCommands = optionalString optimusCfg.enable ''
+    services.xserver.displayManager.setupCommands = optionalString syncCfg.enable ''
      # Added by nvidia configuration module for Optimus/PRIME.
      ${pkgs.xorg.xrandr}/bin/xrandr --setprovideroutputsource modesetting NVIDIA-0
      ${pkgs.xorg.xrandr}/bin/xrandr --auto
@ -175,11 +207,13 @@ in
      source = "${nvidia_x11.bin}/share/nvidia/nvidia-application-profiles-rc";
    };
-    hardware.opengl.package = nvidia_x11.out;
+    hardware.opengl.package = mkIf (!offloadCfg.enable) nvidia_x11.out;
-    hardware.opengl.package32 = nvidia_libs32;
+    hardware.opengl.package32 = mkIf (!offloadCfg.enable) nvidia_libs32;
    hardware.opengl.extraPackages = optional offloadCfg.enable nvidia_x11.out;
    hardware.opengl.extraPackages32 = optional offloadCfg.enable nvidia_libs32;
    environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ]
-      ++ lib.filter (p: p != null) [ nvidia_x11.persistenced ];
+      ++ filter (p: p != null) [ nvidia_x11.persistenced ];
    systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
        "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
@ -190,10 +224,10 @@ in
    # nvidia-uvm is required by CUDA applications.
    boot.kernelModules = [ "nvidia-uvm" ] ++
-      lib.optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
+      optionals config.services.xserver.enable [ "nvidia" "nvidia_modeset" "nvidia_drm" ];
    # If requested enable modesetting via kernel parameter.
-    boot.kernelParams = optional cfg.modesetting.enable "nvidia-drm.modeset=1";
+    boot.kernelParams = optional (offloadCfg.enable || cfg.modesetting.enable) "nvidia-drm.modeset=1";
    # Create /dev/nvidia-uvm when the nvidia-uvm module is loaded.
    services.udev.extraRules =
--- a/nixos/modules/hardware/wooting.nix
+++ b/nixos/modules/hardware/wooting.nix
@ -0,0 +1,12 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  options.hardware.wooting.enable =
    mkEnableOption "Enable support for Wooting keyboards";
  config = mkIf config.hardware.wooting.enable {
    environment.systemPackages = [ pkgs.wootility ];
    services.udev.packages = [ pkgs.wooting-udev-rules ];
  };
 }
--- a/nixos/modules/i18n/input-method/ibus.nix
+++ b/nixos/modules/i18n/input-method/ibus.nix
@ -75,5 +75,9 @@ in
      QT_IM_MODULE = "ibus";
      XMODIFIERS = "@im=ibus";
    };
    xdg.portal.extraPortals = mkIf xdg.portal.enable [
      ibusPackage
    ];
  };
 }
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@ -21,7 +21,9 @@ let
      if [ ! -e $out/nixos/nixpkgs ]; then
        ln -s . $out/nixos/nixpkgs
      fi
-      echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision
+      ${optionalString (config.system.nixos.revision != null) ''
        echo -n ${config.system.nixos.revision} > $out/nixos/.git-revision
      ''}
      echo -n ${config.system.nixos.versionSuffix} > $out/nixos/.version-suffix
      echo ${config.system.nixos.versionSuffix} | sed -e s/pre// > $out/nixos/svn-revision
    '';
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
@ -44,6 +44,9 @@ with lib;
    pkgs.bvi # binary editor
    pkgs.joe
    # Include some version control tools.
    pkgs.git
    # Firefox for reading the manual.
    pkgs.firefox
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-gnome.nix
@ -1,5 +1,4 @@
-# This module defines a NixOS installation CD that contains X11 and
+# This module defines a NixOS installation CD that contains GNOME.
 # GNOME 3.
 { lib, ... }:
@ -10,10 +9,22 @@ with lib;
  services.xserver.desktopManager.gnome3.enable = true;
-  # Auto-login as root.
+  # Wayland can be problematic for some hardware like Nvidia graphics cards.
-  services.xserver.displayManager.gdm.autoLogin = {
+  services.xserver.displayManager.defaultSession = "gnome-xorg";
  services.xserver.displayManager.gdm = {
    enable = true;
-    user = "root";
+    # autoSuspend makes the machine automatically suspend after inactivity.
    # It's possible someone could/try to ssh'd into the machine and obviously
    # have issues because it's inactive.
    # See:
    # * https://github.com/NixOS/nixpkgs/pull/63790
    # * https://gitlab.gnome.org/GNOME/gnome-control-center/issues/22
    autoSuspend = false;
    autoLogin = {
      enable = true;
      user = "nixos";
    };
  };
 }
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@ -1,6 +1,6 @@
 {
-  x86_64-linux = "/nix/store/0q5qnh10m2sfrriszc1ysmggw659q6qm-nix-2.3.2";
+  x86_64-linux = "/nix/store/ddmmzn4ggz1f66lwxjy64n89864yj9w9-nix-2.3.3";
-  i686-linux = "/nix/store/i7ad7r5d8a5b3l22hg4a1im2qq05y6vd-nix-2.3.2";
+  i686-linux = "/nix/store/5axys7hsggb4282dsbps5k5p0v59yv13-nix-2.3.3";
-  aarch64-linux = "/nix/store/bv06pavfw0dbqzr8w3l7s71nx27gnxa0-nix-2.3.2";
+  aarch64-linux = "/nix/store/k80nwvi19hxwbz3c9cxgp24f1jjxwmcc-nix-2.3.3";
-  x86_64-darwin = "/nix/store/x6mnl1nij7y4v5ihlplr4k937ayr403r-nix-2.3.2";
+  x86_64-darwin = "/nix/store/lrnvapsqmf0ja6zfyx4cpxr7ahdr7f9b-nix-2.3.3";
 }
--- a/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
+++ b/nixos/modules/installer/tools/nixos-build-vms/build-vms.nix
@ -5,7 +5,7 @@
 let nodes = import networkExpr; in
-with import ../../../../lib/testing.nix {
+with import ../../../../lib/testing-python.nix {
  inherit system;
  pkgs = import ../../../../.. { inherit system config; };
 };
--- a/nixos/modules/installer/tools/nixos-enter.sh
+++ b/nixos/modules/installer/tools/nixos-enter.sh
@ -60,15 +60,15 @@ chmod 0755 "$mountPoint/dev" "$mountPoint/sys"
 mount --rbind /dev "$mountPoint/dev"
 mount --rbind /sys "$mountPoint/sys"
-# If silent, write both stdout and stderr of activation script to /dev/null
+(
-# otherwise, write both streams to stderr of this process
+    # If silent, write both stdout and stderr of activation script to /dev/null
-if [ "$silent" -eq 0 ]; then
+    # otherwise, write both streams to stderr of this process
-    PIPE_TARGET="/dev/stderr"
+    if [ "$silent" -eq 1 ]; then
-else
+        exec 2>/dev/null
-    PIPE_TARGET="/dev/null"
+    fi
 fi
-# Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings.
+    # Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings.
-LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" chroot "$mountPoint" "$system/activate" >>$PIPE_TARGET 2>&1 || true
+    LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" chroot "$mountPoint" "$system/activate" 1>&2 || true
 )
 exec chroot "$mountPoint" "${command[@]}"
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@ -42,7 +42,10 @@ let
    inherit (config.system.nixos-generate-config) configuration;
  };
-  nixos-option = pkgs.callPackage ./nixos-option { };
+  nixos-option =
    if lib.versionAtLeast (lib.getVersion pkgs.nix) "2.4pre"
    then null
    else pkgs.callPackage ./nixos-option { };
  nixos-version = makeProg {
    name = "nixos-version";
@ -184,10 +187,9 @@ in
        nixos-install
        nixos-rebuild
        nixos-generate-config
        nixos-option
        nixos-version
        nixos-enter
-      ];
+      ] ++ lib.optional (nixos-option != null) nixos-option;
    system.build = {
      inherit nixos-install nixos-generate-config nixos-option nixos-rebuild nixos-enter;
--- a/nixos/modules/misc/documentation.nix
+++ b/nixos/modules/misc/documentation.nix
@ -17,6 +17,7 @@ let
    inherit pkgs config;
    version = config.system.nixos.release;
    revision = "release-${version}";
    extraSources = cfg.nixos.extraModuleSources;
    options =
      let
        scrubbedEval = evalModules {
@ -163,6 +164,19 @@ in
        '';
      };
      nixos.extraModuleSources = mkOption {
        type = types.listOf (types.either types.path types.str);
        default = [ ];
        description = ''
          Which extra NixOS module paths the generated NixOS's documentation should strip
          from options.
        '';
        example = literalExample ''
          # e.g. with options from modules in ''${pkgs.customModules}/nix:
          [ pkgs.customModules ]
        '';
      };
    };
  };
@ -204,9 +218,7 @@ in
           ++ optionals config.services.xserver.enable [ desktopItem pkgs.nixos-icons ]);
      services.mingetty.helpLine = mkIf cfg.doc.enable (
-          "\nRun `nixos-help` "
+          "\nRun 'nixos-help' for the NixOS manual."
        + optionalString config.services.nixosManual.showManual "or press <Alt-F${toString config.services.nixosManual.ttyNumber}> "
        + "for the NixOS manual."
      );
    })
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -133,7 +133,7 @@ in
      tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
      firebird = 95;
      #keys = 96; # unused
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
      mongodb = 98;
      openldap = 99;
      #users = 100; # unused
@ -448,7 +448,7 @@ in
      #tcpcryptd = 93; # unused
      firebird = 95;
      keys = 96;
-      #haproxy = 97; # DynamicUser as of 2019-11-08
+      #haproxy = 97; # dynamically allocated as of 2020-03-11
      #mongodb = 98; # unused
      openldap = 99;
      munin = 102;
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@ -216,6 +216,14 @@ in
        Ignored when <code>nixpkgs.pkgs</code> is set.
      '';
    };
    initialSystem = mkOption {
      type = types.str;
      internal = true;
      description = ''
        Preserved value of <literal>system</literal> passed to <literal>eval-config.nix</literal>.
      '';
    };
  };
  config = {
@ -228,8 +236,8 @@ in
        let
          nixosExpectedSystem =
            if config.nixpkgs.crossSystem != null
-            then config.nixpkgs.crossSystem.system
+            then config.nixpkgs.crossSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.crossSystem.config))
-            else config.nixpkgs.localSystem.system;
+            else config.nixpkgs.localSystem.system or (lib.systems.parse.doubleFromSystem (lib.systems.parse.mkSystemFromString config.nixpkgs.localSystem.config));
          nixosOption =
            if config.nixpkgs.crossSystem != null
            then "nixpkgs.crossSystem"
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@ -4,10 +4,6 @@ with lib;
 let
  cfg = config.system.nixos;
  gitRepo      = "${toString pkgs.path}/.git";
  gitRepoValid = lib.pathIsGitRepo gitRepo;
  gitCommitId  = lib.substring 0 7 (commitIdFromGitRepo gitRepo);
 in
 {
@ -98,8 +94,6 @@ in
      # These defaults are set here rather than up there so that
      # changing them would not rebuild the manual
      version = mkDefault (cfg.release + cfg.versionSuffix);
      revision      = mkIf gitRepoValid (mkDefault            gitCommitId);
      versionSuffix = mkIf gitRepoValid (mkDefault (".git." + gitCommitId));
    };
    # Generate /etc/os-release.  See
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -41,7 +41,6 @@
  ./hardware/acpilight.nix
  ./hardware/all-firmware.nix
  ./hardware/bladeRF.nix
  ./hardware/brightnessctl.nix
  ./hardware/brillo.nix
  ./hardware/ckb-next.nix
  ./hardware/cpu/amd-microcode.nix
@ -65,6 +64,8 @@
  ./hardware/tuxedo-keyboard.nix
  ./hardware/usb-wwan.nix
  ./hardware/onlykey.nix
  ./hardware/wooting.nix
  ./hardware/uinput.nix
  ./hardware/video/amdgpu.nix
  ./hardware/video/amdgpu-pro.nix
  ./hardware/video/ati.nix
@ -201,6 +202,7 @@
  ./security/wrappers/default.nix
  ./security/sudo.nix
  ./security/systemd-confinement.nix
  ./security/tpm2.nix
  ./services/admin/oxidized.nix
  ./services/admin/salt/master.nix
  ./services/admin/salt/minion.nix
@ -248,9 +250,10 @@
  ./services/cluster/kubernetes/proxy.nix
  ./services/cluster/kubernetes/scheduler.nix
  ./services/computing/boinc/client.nix
-  ./services/computing/torque/server.nix
+  ./services/computing/foldingathome/client.nix
  ./services/computing/torque/mom.nix
  ./services/computing/slurm/slurm.nix
  ./services/computing/torque/mom.nix
  ./services/computing/torque/server.nix
  ./services/continuous-integration/buildbot/master.nix
  ./services/continuous-integration/buildbot/worker.nix
  ./services/continuous-integration/buildkite-agents.nix
@ -292,12 +295,12 @@
  ./services/desktops/deepin/deepin.nix
  ./services/desktops/dleyna-renderer.nix
  ./services/desktops/dleyna-server.nix
  ./services/desktops/pantheon/contractor.nix
  ./services/desktops/pantheon/files.nix
  ./services/desktops/flatpak.nix
  ./services/desktops/geoclue2.nix
  ./services/desktops/gsignond.nix
  ./services/desktops/gvfs.nix
  ./services/desktops/malcontent.nix
  ./services/desktops/pipewire.nix
  ./services/desktops/gnome3/at-spi2-core.nix
  ./services/desktops/gnome3/chrome-gnome-shell.nix
@ -365,6 +368,7 @@
  ./services/hardware/thermald.nix
  ./services/hardware/undervolt.nix
  ./services/hardware/vdr.nix
  ./services/hardware/xow.nix
  ./services/logging/SystemdJournal2Gelf.nix
  ./services/logging/awstats.nix
  ./services/logging/fluentd.nix
@ -406,6 +410,7 @@
  ./services/mail/sympa.nix
  ./services/mail/nullmailer.nix
  ./services/misc/airsonic.nix
  ./services/misc/ankisyncd.nix
  ./services/misc/apache-kafka.nix
  ./services/misc/autofs.nix
  ./services/misc/autorandr.nix
@ -431,7 +436,6 @@
  ./services/misc/ethminer.nix
  ./services/misc/exhibitor.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/freeswitch.nix
  ./services/misc/fstrim.nix
  ./services/misc/gammu-smsd.nix
@ -466,7 +470,6 @@
  ./services/misc/nix-daemon.nix
  ./services/misc/nix-gc.nix
  ./services/misc/nix-optimise.nix
  ./services/misc/nixos-manual.nix
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/novacomd.nix
  ./services/misc/nzbget.nix
@ -482,7 +485,6 @@
  ./services/misc/redmine.nix
  ./services/misc/rippled.nix
  ./services/misc/ripple-data-api.nix
  ./services/misc/rogue.nix
  ./services/misc/serviio.nix
  ./services/misc/safeeyes.nix
  ./services/misc/sickbeard.nix
@ -641,6 +643,7 @@
  ./services/networking/lldpd.nix
  ./services/networking/logmein-hamachi.nix
  ./services/networking/mailpile.nix
  ./services/networking/magic-wormhole-mailbox-server.nix
  ./services/networking/matterbridge.nix
  ./services/networking/mjpg-streamer.nix
  ./services/networking/minidlna.nix
@ -651,6 +654,7 @@
  ./services/networking/miredo.nix
  ./services/networking/mstpd.nix
  ./services/networking/mtprotoproxy.nix
  ./services/networking/mullvad-vpn.nix
  ./services/networking/murmur.nix
  ./services/networking/mxisd.nix
  ./services/networking/namecoind.nix
@ -661,6 +665,7 @@
  ./services/networking/ngircd.nix
  ./services/networking/nghttpx/default.nix
  ./services/networking/nix-serve.nix
  ./services/networking/nix-store-gcs-proxy.nix
  ./services/networking/nixops-dns.nix
  ./services/networking/nntp-proxy.nix
  ./services/networking/nsd.nix
@ -688,6 +693,7 @@
  ./services/networking/prosody.nix
  ./services/networking/quagga.nix
  ./services/networking/quassel.nix
  ./services/networking/quorum.nix
  ./services/networking/quicktun.nix
  ./services/networking/racoon.nix
  ./services/networking/radicale.nix
@ -707,6 +713,7 @@
  ./services/networking/shorewall6.nix
  ./services/networking/shout.nix
  ./services/networking/sniproxy.nix
  ./services/networking/smartdns.nix
  ./services/networking/smokeping.nix
  ./services/networking/softether.nix
  ./services/networking/spacecookie.nix
@ -724,6 +731,7 @@
  ./services/networking/syncthing.nix
  ./services/networking/syncthing-relay.nix
  ./services/networking/syncplay.nix
  ./services/networking/tailscale.nix
  ./services/networking/tcpcrypt.nix
  ./services/networking/teamspeak3.nix
  ./services/networking/tedicross.nix
@ -808,6 +816,7 @@
  ./services/ttys/agetty.nix
  ./services/ttys/gpm.nix
  ./services/ttys/kmscon.nix
  ./services/wayland/cage.nix
  ./services/web-apps/atlassian/confluence.nix
  ./services/web-apps/atlassian/crowd.nix
  ./services/web-apps/atlassian/jira.nix
@ -816,11 +825,13 @@
  ./services/web-apps/documize.nix
  ./services/web-apps/dokuwiki.nix
  ./services/web-apps/frab.nix
  ./services/web-apps/gerrit.nix
  ./services/web-apps/gotify-server.nix
  ./services/web-apps/grocy.nix
  ./services/web-apps/icingaweb2/icingaweb2.nix
  ./services/web-apps/icingaweb2/module-monitoring.nix
  ./services/web-apps/ihatemoney
  ./services/web-apps/jirafeau.nix
  ./services/web-apps/limesurvey.nix
  ./services/web-apps/mattermost.nix
  ./services/web-apps/mediawiki.nix
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@ -26,10 +26,6 @@ with lib;
    # Show the manual.
    documentation.nixos.enable = mkForce true;
    services.nixosManual.showManual = true;
    # Let the user play Rogue on TTY 8 during the installation.
    #services.rogue.enable = true;
    # Use less privileged nixos user
    users.users.nixos = {
--- a/nixos/modules/programs/firejail.nix
+++ b/nixos/modules/programs/firejail.nix
@ -5,28 +5,34 @@ with lib;
 let
  cfg = config.programs.firejail;
-  wrappedBins = pkgs.stdenv.mkDerivation {
+  wrappedBins = pkgs.runCommand "firejail-wrapped-binaries"
-    name = "firejail-wrapped-binaries";
+    { preferLocalBuild = true;
-    nativeBuildInputs = with pkgs; [ makeWrapper ];
+      allowSubstitutes = false;
-    buildCommand = ''
+    }
    ''
      mkdir -p $out/bin
      ${lib.concatStringsSep "\n" (lib.mapAttrsToList (command: binary: ''
-      cat <<_EOF >$out/bin/${command}
+        cat <<_EOF >$out/bin/${command}
-      #!${pkgs.stdenv.shell} -e
+        #! ${pkgs.runtimeShell} -e
-      /run/wrappers/bin/firejail ${binary} "\$@"
+        exec /run/wrappers/bin/firejail ${binary} "\$@"
-      _EOF
+        _EOF
-      chmod 0755 $out/bin/${command}
+        chmod 0755 $out/bin/${command}
      '') cfg.wrappedBinaries)}
    '';
  };
 in {
  options.programs.firejail = {
    enable = mkEnableOption "firejail";
    wrappedBinaries = mkOption {
-      type = types.attrs;
+      type = types.attrsOf types.path;
      default = {};
      example = literalExample ''
        {
          firefox = "''${lib.getBin pkgs.firefox}/bin/firefox";
          mpv = "''${lib.getBin pkgs.mpv}/bin/mpv";
        }
      '';
      description = ''
        Wrap the binaries in firejail and place them in the global path.
        </para>
@ -41,7 +47,7 @@ in {
  config = mkIf cfg.enable {
    security.wrappers.firejail.source = "${lib.getBin pkgs.firejail}/bin/firejail";
-    environment.systemPackages = [ wrappedBins ];
+    environment.systemPackages = [ pkgs.firejail ] ++ [ wrappedBins ];
  };
  meta.maintainers = with maintainers; [ peterhoeg ];
--- a/nixos/modules/programs/fish_completion-generator.patch
+++ b/nixos/modules/programs/fish_completion-generator.patch
@ -1,11 +1,13 @@
 --- a/create_manpage_completions.py
 +++ b/create_manpage_completions.py
-@@ -776,8 +776,6 @@ def parse_manpage_at_path(manpage_path, output_directory):
+@@ -844,10 +844,6 @@ def parse_manpage_at_path(manpage_path, output_directory):
-
+ 
             built_command_output.insert(0, "# " + CMDNAME)
-
+ 
 -            # Output the magic word Autogenerated so we can tell if we can overwrite this
-            built_command_output.insert(1, "# Autogenerated from man page " + manpage_path)
+-            built_command_output.insert(
 -                1, "# Autogenerated from man page " + manpage_path
 -            )
             # built_command_output.insert(2, "# using " + parser.__class__.__name__) # XXX MISATTRIBUTES THE CULPABILE PARSER! Was really using Type2 but reporting TypeDeroffManParser
-
+ 
             for line in built_command_output:
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@ -14,8 +14,16 @@ in
 {
  imports = [
-    (mkRenamedOptionModule [ "networking" "defaultMailServer" ] [ "services" "ssmtp" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "directDelivery" ] [ "services" "ssmtp" "enable" ])
-    (mkRenamedOptionModule [ "services" "ssmtp" "directDelivery" ] [ "services" "ssmtp" "enable" ])
+    (mkRenamedOptionModule [ "networking" "defaultMailServer" "hostName" ] [ "services" "ssmtp" "hostName" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "domain" ] [ "services" "ssmtp" "domain" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "root" ] [ "services" "ssmtp" "root" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "useTLS" ] [ "services" "ssmtp" "useTLS" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "useSTARTTLS" ] [ "services" "ssmtp" "useSTARTTLS" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "authUser" ] [ "services" "ssmtp" "authUser" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPass" ] [ "services" "ssmtp" "authPass" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "authPassFile" ] [ "services" "ssmtp" "authPassFile" ])
    (mkRenamedOptionModule [ "networking" "defaultMailServer" "setSendmail" ] [ "services" "ssmtp" "setSendmail" ])
  ];
  options = {
--- a/nixos/modules/programs/sway.nix
+++ b/nixos/modules/programs/sway.nix
@ -88,10 +88,10 @@ in {
      default = with pkgs; [
        swaylock swayidle
        xwayland alacritty dmenu
-        rxvt_unicode # For backward compatibility (old default terminal)
+        rxvt-unicode # For backward compatibility (old default terminal)
      ];
      defaultText = literalExample ''
-        with pkgs; [ swaylock swayidle xwayland rxvt_unicode dmenu ];
+        with pkgs; [ swaylock swayidle xwayland rxvt-unicode dmenu ];
      '';
      example = literalExample ''
        with pkgs; [
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@ -162,9 +162,8 @@ in
        # This file is read for all shells.
        # Only execute this file once per shell.
        # But don't clobber the environment of interactive non-login children!
        if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi
-        export __ETC_ZSHENV_SOURCED=1
+        __ETC_ZSHENV_SOURCED=1
        if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]; then
            . ${config.system.build.setEnvironment}
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -21,12 +21,12 @@ with lib;
    (mkRemovedOptionModule [ "services" "firefox" "syncserver" "group" ] "")
    (mkRemovedOptionModule [ "services" "winstone" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "networking" "vpnc" ] "Use environment.etc.\"vpnc/service.conf\" instead.")
-    (mkRemovedOptionModule [ "environment.blcr.enable" ] "The BLCR module has been removed")
+    (mkRemovedOptionModule [ "environment" "blcr" "enable" ] "The BLCR module has been removed")
-    (mkRemovedOptionModule [ "services.beegfsEnable" ] "The BeeGFS module has been removed")
+    (mkRemovedOptionModule [ "services" "beegfsEnable" ] "The BeeGFS module has been removed")
-    (mkRemovedOptionModule [ "services.beegfs" ] "The BeeGFS module has been removed")
+    (mkRemovedOptionModule [ "services" "beegfs" ] "The BeeGFS module has been removed")
-    (mkRemovedOptionModule [ "services.osquery" ] "The osquery module has been removed")
+    (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
-    (mkRemovedOptionModule [ "services.fourStore" ] "The fourStore module has been removed")
+    (mkRemovedOptionModule [ "services" "fourStore" ] "The fourStore module has been removed")
-    (mkRemovedOptionModule [ "services.fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
+    (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
    (mkRemovedOptionModule [ "programs" "way-cooler" ] ("way-cooler is abandoned by its author: " +
      "https://way-cooler.org/blog/2020/01/09/way-cooler-post-mortem.html"))
    (mkRemovedOptionModule [ "services" "xserver" "multitouch" ] ''
@ -42,6 +42,12 @@ with lib;
      instead, or any other display manager in NixOS as they all support auto-login.
    '')
    (mkRemovedOptionModule [ "services" "dnscrypt-proxy" ] "Use services.dnscrypt-proxy2 instead")
    (mkRemovedOptionModule ["hardware" "brightnessctl" ] ''
      The brightnessctl module was removed because newer versions of
      brightnessctl don't require the udev rules anymore (they can use the
      systemd-logind API). Instead of using the module you can now
      simply add the brightnessctl package to environment.systemPackages.
    '')
    # Do NOT add any option renames here, see top of the file
  ];
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -136,6 +136,27 @@ let
          challenge to ensure the DNS entries required are available.
        '';
      };
      ocspMustStaple = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Turns on the OCSP Must-Staple TLS extension.
          Make sure you know what you're doing! See:
          <itemizedlist>
            <listitem><para><link xlink:href="https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/" /></para></listitem>
            <listitem><para><link xlink:href="https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html" /></para></listitem>
          </itemizedlist>
        '';
      };
      extraLegoRenewFlags = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Additional flags to pass to lego renew.
        '';
      };
    };
  };
@ -174,7 +195,7 @@ in
      renewInterval = mkOption {
        type = types.str;
-        default = "weekly";
+        default = "daily";
        description = ''
          Systemd calendar expression when to check for renewal. See
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
@ -281,19 +302,23 @@ in
                lpath = "acme/${cert}";
                apath = "/var/lib/${lpath}";
                spath = "/var/lib/acme/.lego";
-                rights = if data.allowKeysForGroup then "750" else "700";
+                fileMode = if data.allowKeysForGroup then "640" else "600";
                globalOpts = [ "-d" data.domain "--email" data.email "--path" "." "--key-type" data.keyType ]
                          ++ optionals (cfg.acceptTerms) [ "--accept-tos" ]
                          ++ optionals (data.dnsProvider != null && !data.dnsPropagationCheck) [ "--dns.disable-cp" ]
                          ++ concatLists (mapAttrsToList (name: root: [ "-d" name ]) data.extraDomains)
                          ++ (if data.dnsProvider != null then [ "--dns" data.dnsProvider ] else [ "--http" "--http.webroot" data.webroot ])
                          ++ optionals (cfg.server != null || data.server != null) ["--server" (if data.server == null then cfg.server else data.server)];
-                runOpts = escapeShellArgs (globalOpts ++ [ "run" ]);
+                certOpts = optionals data.ocspMustStaple [ "--must-staple" ];
-                renewOpts = escapeShellArgs (globalOpts ++ [ "renew" "--days" (toString cfg.validMinDays) ]);
+                runOpts = escapeShellArgs (globalOpts ++ [ "run" ] ++ certOpts);
                renewOpts = escapeShellArgs (globalOpts ++
                  [ "renew" "--days" (toString cfg.validMinDays) ] ++
                  certOpts ++ data.extraLegoRenewFlags);
                acmeService = {
                  description = "Renew ACME Certificate for ${cert}";
                  after = [ "network.target" "network-online.target" ];
                  wants = [ "network-online.target" ];
                  wantedBy = mkIf (!config.boot.isContainer) [ "multi-user.target" ];
                  serviceConfig = {
                    Type = "oneshot";
                    # With RemainAfterExit the service is considered active even
@ -306,7 +331,7 @@ in
                    Group = data.group;
                    PrivateTmp = true;
                    StateDirectory = "acme/.lego ${lpath}";
-                    StateDirectoryMode = rights;
+                    StateDirectoryMode = if data.allowKeysForGroup then "750" else "700";
                    WorkingDirectory = spath;
                    # Only try loading the credentialsFile if the dns challenge is enabled
                    EnvironmentFile = if data.dnsProvider != null then data.credentialsFile else null;
@ -325,14 +350,15 @@ in
                          KEY=${spath}/certificates/${keyName}.key
                          if [ -e $KEY -a $KEY -nt key.pem ]; then
                            cp -p ${spath}/certificates/${keyName}.key key.pem
-                            cp -p ${spath}/certificates/${keyName}.crt cert.pem
+                            cp -p ${spath}/certificates/${keyName}.crt fullchain.pem
                            cp -p ${spath}/certificates/${keyName}.issuer.crt chain.pem
-                            cat cert.pem chain.pem > fullchain.pem
+                            ln -sf fullchain.pem cert.pem
-                            cat key.pem cert.pem chain.pem > full.pem
+                            cat key.pem fullchain.pem > full.pem
                            chmod ${rights} *.pem
                            chown '${data.user}:${data.group}' *.pem
                          fi
                          chmod ${fileMode} *.pem
                          chown '${data.user}:${data.group}' *.pem
                          ${data.postRun}
                        '';
                      in
@ -374,7 +400,7 @@ in
                      # Give key acme permissions
                      chown '${data.user}:${data.group}' "${apath}/"{key,fullchain,full}.pem
-                      chmod ${rights} "${apath}/"{key,fullchain,full}.pem
+                      chmod ${fileMode} "${apath}/"{key,fullchain,full}.pem
                    '';
                  serviceConfig = {
                    Type = "oneshot";
@ -399,7 +425,17 @@ in
      systemd.tmpfiles.rules =
        map (data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}") (filter (data: data.webroot != null) (attrValues cfg.certs));
-      systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
+      systemd.timers = let
        # Allow systemd to pick a convenient time within the day
        # to run the check.
        # This allows the coalescing of multiple timer jobs.
        # We divide by the number of certificates so that if you
        # have many certificates, the renewals are distributed over
        # the course of the day to avoid rate limits.
        numCerts = length (attrNames cfg.certs);
        _24hSecs = 60 * 60 * 24;
        AccuracySec = "${toString (_24hSecs / numCerts)}s";
      in flip mapAttrs' cfg.certs (cert: data: nameValuePair
        ("acme-${cert}")
        ({
          description = "Renew ACME Certificate for ${cert}";
@ -408,8 +444,9 @@ in
            OnCalendar = cfg.renewInterval;
            Unit = "acme-${cert}.service";
            Persistent = "yes";
-            AccuracySec = "5m";
+            inherit AccuracySec;
-            RandomizedDelaySec = "1h";
+            # Skew randomly within the day, per https://letsencrypt.org/docs/integration-guide/.
            RandomizedDelaySec = "24h";
          };
        })
      );
--- a/Show More
+++ b/Show More