Merge branch 'master' of https://github.com/NixOS/nixpkgs into update

Conflicts: pkgs/development/libraries/haskell/text-binary/default.nix pkgs/top-level/haskell-defaults.nix pkgs/top-level/haskell-packages.nix
2014-12-05 07:54:48 +01:00 · 2014-12-05 07:54:48 +01:00 · 6fa969839a
commit 6fa969839a
parent 21566e7c56 e51ece3a65
3039 changed files with 70306 additions and 43067 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,3 +1,5 @@
 language: python
 python: "3.4"
-script: ./maintainers/scripts/travis-nox-review-pr.sh
+before_install: ./maintainers/scripts/travis-nox-review-pr.sh nix
 install: ./maintainers/scripts/travis-nox-review-pr.sh nox
 script: ./maintainers/scripts/travis-nox-review-pr.sh build
--- a/.version
+++ b/.version
@ -1 +1 @@
-14.10
+14.11
--- a/doc/contributing.xml
+++ b/doc/contributing.xml
@ -10,9 +10,7 @@
  <listitem><para><command>$ git clone git://github.com/NixOS/nixpkgs.git</command></para></listitem>
-  <listitem><para><command>$ cd nixpkgs/pkgs/top-level</command></para></listitem>
+  <listitem><para><command>$ nix-build -A manual nixpkgs/pkgs/top-level/release.nix</command></para></listitem>
  <listitem><para><command>$ nix-build -A tarball release.nix</command></para></listitem>
  <listitem><para>Inside the built derivation you shall see <literal>manual/index.html</literal> file.</para></listitem>
--- a/doc/language-support.xml
+++ b/doc/language-support.xml
@ -108,7 +108,7 @@ a <varname>preConfigure</varname> hook to generate a configuration
 file used by <filename>Makefile.PL</filename>:
 <programlisting>
-{buildPerlPackage, fetchurl, db}:
+{ buildPerlPackage, fetchurl, db }:
 buildPerlPackage rec {
  name = "BerkeleyDB-0.36";
@ -191,45 +191,424 @@ you need it.</para>
 </section>
-<section><title>Python</title>
+<section xml:id="python"><title>Python</title>
 <para>
  Currently supported interpreters are <varname>python26</varname>, <varname>python27</varname>,
  <varname>python32</varname>, <varname>python33</varname>, <varname>python34</varname>
  and <varname>pypy</varname>.
 </para>
 <para>
  <varname>python</varname> is an alias of <varname>python27</varname> and <varname>python3</varname> is an alias of <varname>python34</varname>.
 </para>
 <para>
  <varname>python26</varname> and <varname>python27</varname> do not include modules that require
  external dependencies (to reduce dependency bloat). Following modules need to be added as
  <varname>buildInput</varname> explicitly:
 </para>
 <itemizedlist>
  <listitem><para><varname>python.modules.bsddb</varname></para></listitem>
  <listitem><para><varname>python.modules.curses</varname></para></listitem>
  <listitem><para><varname>python.modules.curses_panel</varname></para></listitem>
  <listitem><para><varname>python.modules.crypt</varname></para></listitem>
  <listitem><para><varname>python.modules.gdbm</varname></para></listitem>
  <listitem><para><varname>python.modules.sqlite3</varname></para></listitem>
  <listitem><para><varname>python.modules.tkinter</varname></para></listitem>
  <listitem><para><varname>python.modules.readline</varname></para></listitem>
 </itemizedlist>
 <para>For convenience <varname>python27Full</varname> and <varname>python26Full</varname>
 are provided with all modules included.</para>
 <para>
  Python packages that
-  use <link xlink:href="http://pypi.python.org/pypi/setuptools/"><literal>setuptools</literal></link>,
+  use <link xlink:href="http://pypi.python.org/pypi/setuptools/"><literal>setuptools</literal></link> or <literal>distutils</literal>,
-  which many Python packages do nowadays, can be built very simply using
+  can be built using the <varname>buildPythonPackage</varname> function as documented below.
  the <varname>buildPythonPackage</varname> function.  This function is
  implemented
  in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/python-modules/generic/default.nix"><filename>pkgs/development/python-modules/generic/default.nix</filename></link>
  and works similarly to <varname>buildPerlPackage</varname>. (See
  <xref linkend="ssec-language-perl"/> for details.)
 </para>
 <para>
-  Python packages that use <varname>buildPythonPackage</varname> are
+ All packages depending on any Python interpreter get appended <varname>$out/${python.libPrefix}/site-packages</varname>
-  defined
+ to <literal>$PYTHONPATH</literal> if such directory exists.
  in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/python-packages.nix"><filename>pkgs/top-level/python-packages.nix</filename></link>.
  Most of them are simple.  For example:
  <programlisting>
 twisted = buildPythonPackage {
  name = "twisted-8.1.0";
  src = fetchurl {
    url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
    sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
  };
  propagatedBuildInputs = [ pkgs.ZopeInterface ];
  meta = {
    homepage = http://twistedmatrix.com/;
    description = "Twisted, an event-driven networking engine written in Python";
    license = "MIT";
  };
 };
  </programlisting>
 </para>
 <variablelist>
  <title>
     Useful attributes on interpreters packages:
  </title>
  <varlistentry>
    <term><varname>libPrefix</varname></term>
    <listitem><para>
        Name of the folder in <literal>${python}/lib/</literal> for corresponding interpreter.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>interpreter</varname></term>
    <listitem><para>
        Alias for <literal>${python}/bin/${executable}.</literal>
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>buildEnv</varname></term>
    <listitem><para>
        Function to build python interpreter environments with extra packages bundled together.
        See <xref linkend="python-build-env" /> for usage and documentation.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>sitePackages</varname></term>
    <listitem><para>
      Alias for <literal>lib/${libPrefix}/site-packages</literal>.
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>executable</varname></term>
    <listitem><para>
      Name of the interpreter executable, ie <literal>python3.4</literal>.
    </para></listitem>
  </varlistentry>
 </variablelist>
 <section xml:id="build-python-package"><title><varname>buildPythonPackage</varname> function</title>
  <para>
  The function is implemented in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/python-modules/generic/default.nix">
  <filename>pkgs/development/python-modules/generic/default.nix</filename></link>.
  Example usage:
    <programlisting language="nix">
      twisted = buildPythonPackage {
        name = "twisted-8.1.0";
        src = pkgs.fetchurl {
          url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
          sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
        };
        propagatedBuildInputs = [ self.ZopeInterface ];
        meta = {
          homepage = http://twistedmatrix.com/;
          description = "Twisted, an event-driven networking engine written in Python";
          license = stdenv.lib.licenses.mit;
        };
      };
    </programlisting>
  Most of Python packages that use <varname>buildPythonPackage</varname> are defined
  in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/python-packages.nix"><filename>pkgs/top-level/python-packages.nix</filename></link>
  and generated for each python interpreter separately into attribute sets <varname>python26Packages</varname>,
  <varname>python27Packages</varname>, <varname>python32Packages</varname>, <varname>python33Packages</varname>,
  <varname>python34Packages</varname> and <varname>pypyPackages</varname>.
  </para>
  <para>
    <function>buildPythonPackage</function> mainly does four things:
    <orderedlist>
      <listitem><para>
        In the <varname>configurePhase</varname>, it patches
        <literal>setup.py</literal> to always include setuptools before
        distutils for monkeypatching machinery to take place.
      </para></listitem>
      <listitem><para>
        In the <varname>buildPhase</varname>, it calls 
        <literal>${python.interpreter} setup.py build ...</literal>
      </para></listitem>
      <listitem><para>
        In the <varname>installPhase</varname>, it calls 
        <literal>${python.interpreter} setup.py install ...</literal>
      </para></listitem>
      <listitem><para>
        In the <varname>postFixup</varname> phase, <literal>wrapPythonPrograms</literal>
        bash function is called to wrap all programs in <filename>$out/bin/*</filename>
        directory to include <literal>$PYTHONPATH</literal> and <literal>$PATH</literal>
        environment variables.
      </para></listitem>
    </orderedlist>
  </para>
  <para>By default <varname>doCheck = true</varname> is set and tests are run with 
  <literal>${python.interpreter} setup.py test</literal> command in <varname>checkPhase</varname>.</para>
  <para><varname>propagatedBuildInputs</varname> packages are propagated to user environment.</para>
  <para>
    By default <varname>meta.platforms</varname> is set to the same value
    as the interpreter unless overriden otherwise.
  </para>
  <variablelist>
    <title>
      <varname>buildPythonPackage</varname> parameters
      (all parameters from <varname>mkDerivation</varname> function are still supported)
    </title>
    <varlistentry>
      <term><varname>namePrefix</varname></term>
      <listitem><para>
        Prepended text to <varname>${name}</varname> parameter.
        Defaults to <literal>"python3.3-"</literal> for Python 3.3, etc. Set it to
        <literal>""</literal>
        if you're packaging an application or a command line tool.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>disabled</varname></term>
      <listitem><para>
        If <varname>true</varname>, package is not build for
        particular python interpreter version. Grep around
        <filename>pkgs/top-level/python-packages.nix</filename>
        for examples.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>setupPyInstallFlags</varname></term>
      <listitem><para>
        List of flags passed to <command>setup.py install</command> command.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>setupPyBuildFlags</varname></term>
      <listitem><para>
        List of flags passed to <command>setup.py build</command> command.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>pythonPath</varname></term>
      <listitem><para>
        List of packages to be added into <literal>$PYTHONPATH</literal>.
        Packages in <varname>pythonPath</varname> are not propagated into user environment
        (contrary to <varname>propagatedBuildInputs</varname>).
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>preShellHook</varname></term>
      <listitem><para>
        Hook to execute commands before <varname>shellHook</varname>.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>postShellHook</varname></term>
      <listitem><para>
        Hook to execute commands after <varname>shellHook</varname>.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>distutilsExtraCfg</varname></term>
      <listitem><para>
        Extra lines passed to <varname>[easy_install]</varname> section of
        <filename>distutils.cfg</filename> (acts as global setup.cfg
        configuration).
      </para></listitem>
    </varlistentry>
  </variablelist>
 </section>
 <section xml:id="python-build-env"><title><function>python.buildEnv</function> function</title>
  <para>
    Create Python environments using low-level <function>pkgs.buildEnv</function> function. Example <filename>default.nix</filename>:
    <programlisting language="nix">
    <![CDATA[
      with import <nixpkgs> {};
      python.buildEnv.override {
        extraLibs = [ pkgs.pythonPackages.pyramid ];
        ignoreCollisions = true;
      }
    ]]>
    </programlisting>
    Running <command>nix-build</command> will create
    <filename>/nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env</filename>
    with wrapped binaries in <filename>bin/</filename>.
  </para>
  <variablelist>
    <title>
      <function>python.buildEnv</function> arguments
    </title>
    <varlistentry>
      <term><varname>extraLibs</varname></term>
      <listitem><para>
        List of packages installed inside the environment.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>postBuild</varname></term>
      <listitem><para>
        Shell command executed after the build of environment.
      </para></listitem>
    </varlistentry>
    <varlistentry>
      <term><varname>ignoreCollisions</varname></term>
      <listitem><para>
         Ignore file collisions inside the environment (default is <varname>false</varname>).
      </para></listitem>
    </varlistentry>
  </variablelist>
 </section>
 <section xml:id="python-tools"><title>Tools</title>
 <para>Packages inside nixpkgs are written by hand. However many tools
 exist in community to help save time. No tool is preferred at the moment.
 </para>
 <itemizedlist>
  <listitem><para>
    <link xlink:href="https://github.com/proger/python2nix">python2nix</link>
    by Vladimir Kirillov
  </para></listitem>
  <listitem><para>
    <link xlink:href="https://github.com/garbas/pypi2nix">pypi2nix</link>
    by Rok Garbas
  </para></listitem>
  <listitem><para>
    <link xlink:href="https://github.com/offlinehacker/pypi2nix">pypi2nix</link>
    by Jaka Hudoklin
  </para></listitem>
 </itemizedlist>
 </section>
 <section xml:id="python-development"><title>Development</title>
  <para>
    To develop Python packages <function>bulidPythonPackage</function> has
    additional logic inside <varname>shellPhase</varname> to run
    <command>${python.interpreter} setup.py develop</command> for the package.
  </para>
  <para>
    Given a <filename>default.nix</filename>:
    <programlisting language="nix">
    <![CDATA[
      with import <nixpkgs> {};
      buildPythonPackage {
        name = "myproject";
        buildInputs = with pkgs.pythonPackages; [ pyramid ];
        src = ./.;
      }
    ]]>
    </programlisting>
    Running <command>nix-shell</command> with no arguments should give you
    the environment in which the package would be build with
    <command>nix-build</command>.
  </para>
  <para>
    Shortcut to setup environments with C headers/libraries and python packages:
    <programlisting language="bash">$ nix-shell -p pythonPackages.pyramid zlib libjpeg git</programlisting>
  </para>
  <note><para>
    There is a boolean value <varname>lib.inNixShell</varname> set to
    <varname>true</varname> if nix-shell is invoked.
  </para></note>
 </section>
 <section xml:id="python-faq"><title>FAQ</title>
 <variablelist>
  <varlistentry>
    <term>How to solve circular dependencies?</term>
    <listitem><para>
      If you have packages <varname>A</varname> and <varname>B</varname> that
      depend on each other, when packaging <varname>B</varname> override package
      <varname>A</varname> not to depend on <varname>B</varname> as input
      (and also the other way around).
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>install_data / data_files</varname> problems resulting into <literal>error: could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc': Permission denied</literal></term>
    <listitem><para>
      <link xlink:href="https://bitbucket.org/pypa/setuptools/issue/130/install_data-doesnt-respect-prefix">
      Known bug in setuptools <varname>install_data</varname> does not respect --prefix</link>. Example of
      such package using the feature is <filename>pkgs/tools/X11/xpra/default.nix</filename>. As workaround
      install it as an extra <varname>preInstall</varname> step:
      <programlisting>${python.interpreter} setup.py install_data --install-dir=$out --root=$out
 sed -i '/ = data_files/d' setup.py</programlisting>
    </para></listitem>
  </varlistentry>
  <varlistentry>
    <term>Rationale of non-existent global site-packages</term>
    <listitem><para>
      There is no need to have global site-packages in Nix. Each package has isolated
      dependency tree and installing any python package will only populate <varname>$PATH</varname>
      inside user environment. See <xref linkend="python-build-env" /> to create self-contained
      interpreter with a set of packages.
    </para></listitem>
  </varlistentry>
 </variablelist>
 </section>
 <section xml:id="python-contrib"><title>Contributing guidelines</title>
 <para>
  Following rules are desired to be respected:
 </para>
 <itemizedlist>
  <listitem><para>
    Make sure package builds for all python interpreters. Use <varname>disabled</varname> argument to
    <function>buildPythonPackage</function> to set unsupported interpreters.
  </para></listitem>
  <listitem><para>
    If tests need to be disabled for a package, make sure you leave a comment about reasoning.
  </para></listitem>
  <listitem><para>
    Packages in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/python-packages.nix"><filename>pkgs/top-level/python-packages.nix</filename></link>
    are sorted quasi-alphabetically to avoid merge conflicts.
  </para></listitem>
 </itemizedlist>
 </section>
 </section>
--- a/doc/meta.xml
+++ b/doc/meta.xml
@ -116,6 +116,13 @@ hello-2.3  A program that produces a familiar, friendly greeting
    <listitem><para>Package version.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>branch</varname></term>
    <listitem><para>Release branch. Used to specify that a package is not
    going to receive updates that are not in this branch; for example, Linux
    kernel 3.0 is supposed to be updated to 3.0.X, not 3.1.</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>homepage</varname></term>
    <listitem><para>The package’s homepage.  Example:
--- a/doc/quote-literals.xsl
+++ b/doc/quote-literals.xsl
@ -1,44 +0,0 @@
 <?xml version="1.0"?>
 <xsl:stylesheet
  version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:str="http://exslt.org/strings"
  extension-element-prefixes="str">
  <xsl:output method="xml"/>
  <xsl:template match="function|command|literal|varname|filename|option|quote">`<xsl:apply-templates/>'</xsl:template>
  <xsl:template match="token"><xsl:text>    </xsl:text><xsl:apply-templates /><xsl:text>
 </xsl:text></xsl:template>
  <xsl:template match="screen|programlisting">
    <screen><xsl:apply-templates select="str:split(., '&#xA;')" /></screen>
  </xsl:template>
  <xsl:template match="section[following::section]">
    <section>
      <xsl:apply-templates />
      <screen><xsl:text>
      </xsl:text></screen>        
    </section>
  </xsl:template>
  <xsl:template match="*">
    <xsl:element name="{name(.)}" namespace="{namespace-uri(.)}">
      <xsl:copy-of select="namespace::*" />
      <xsl:for-each select="@*">
 	<xsl:attribute name="{name(.)}" namespace="{namespace-uri(.)}">
 	  <xsl:value-of select="."/>
 	</xsl:attribute>
      </xsl:for-each>
      <xsl:apply-templates/>
    </xsl:element>
  </xsl:template>
  <xsl:template match="text()">
    <xsl:value-of select="translate(., '‘’“”—', concat(&quot;`'&quot;, '&quot;&quot;-'))" />
  </xsl:template>
 </xsl:stylesheet>
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@ -150,8 +150,8 @@ genericBuild
  <listitem><para>GNU <command>tar</command>.</para></listitem>
-  <listitem><para><command>gzip</command> and
+  <listitem><para><command>gzip</command>, <command>bzip2</command>
-  <command>bzip2</command>.</para></listitem>
+  and <command>xz</command>.</para></listitem>
  <listitem><para>GNU Make.  It has been patched to provide
  <quote>nested</quote> output that can be fed into the
@ -341,9 +341,11 @@ It supports the following files by default:
    <term>Tar files</term>
    <listitem><para>These can optionally be compressed using
    <command>gzip</command> (<filename>.tar.gz</filename>,
-    <filename>.tgz</filename> or <filename>.tar.Z</filename>) or
+    <filename>.tgz</filename> or <filename>.tar.Z</filename>),
    <command>bzip2</command> (<filename>.tar.bz2</filename> or
-    <filename>.tbz2</filename>).</para></listitem>
+    <filename>.tbz2</filename>) or <command>xz</command>
    (<filename>.tar.xz</filename> or
    <filename>.tar.lzma</filename>).</para></listitem>
  </varlistentry>
  <varlistentry>
@ -445,9 +447,10 @@ Additional file types can be supported by setting the
    <listitem><para>The list of patches.  They must be in the format
    accepted by the <command>patch</command> command, and may
    optionally be compressed using <command>gzip</command>
-    (<filename>.gz</filename>) or <command>bzip2</command>
+    (<filename>.gz</filename>), <command>bzip2</command>
-    (<filename>.bz2</filename>).</para></listitem>
+    (<filename>.bz2</filename>) or <command>xz</command>
-  </varlistentry>  
+    (<filename>.xz</filename>).</para></listitem>
  </varlistentry>
  <varlistentry>
    <term><varname>patchFlags</varname></term>
@ -1117,12 +1120,9 @@ echo @foo@
  <varlistentry>
    <term>Python</term>
    <listitem><para>Adds the
-    <filename>lib/python2.5/site-packages</filename> subdirectory of
+    <filename>lib/${python.libPrefix}/site-packages</filename> subdirectory of
    each build input to the <envar>PYTHONPATH</envar> environment
-    variable.</para>
+    variable.</para></listitem>
    <note><para>This should be generalised: the Python version
    shouldn’t be hard-coded.</para></note></listitem>
  </varlistentry>
  <varlistentry>
--- a/lib/customisation.nix
+++ b/lib/customisation.nix
@ -62,6 +62,8 @@ rec {
            makeOverridable f (origArgs // (if builtins.isFunction newArgs then newArgs origArgs else newArgs));
          deepOverride = newArgs:
            makeOverridable f (lib.overrideExisting (lib.mapAttrs (deepOverrider newArgs) origArgs) newArgs);
          overrideDerivation = fdrv:
            makeOverridable (args: overrideDerivation (f args) fdrv) origArgs;
        })
      else ff;
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -1,303 +1,405 @@
 let
  lib = import ./default.nix;
  spdx = lic: lic // {
-      url = "http://spdx.org/licenses/${lic.shortName}";
+    url = "http://spdx.org/licenses/${lic.spdxId}";
-    };
+  };
 in
-rec {
+lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  /* License identifiers from spdx.org where possible.
   * If you cannot find your license here, then look for a similar license or
   * add it to this list. The URL mentioned above is a good source for inspiration.
   */
  afl21 = spdx {
    spdxId = "AFL-2.1";
    fullName = "Academic Free License";
  };
  agpl3 = spdx {
-    shortName = "AGPL-3.0";
+    spdxId = "AGPL-3.0";
    fullName = "GNU Affero General Public License v3.0";
  };
  agpl3Plus = {
    shortName = "AGPL-3.0+";
    fullName = "GNU Affero General Public License v3.0 or later";
    inherit (agpl3) url;
  };
  amazonsl = {
    fullName = "Amazon Software License";
    url = http://aws.amazon.com/asl/;
    free = false;
  };
  amd = {
    shortName = "amd";
    fullName = "AMD License Agreement";
    url = http://developer.amd.com/amd-license-agreement/;
  };
  apsl20 = spdx {
-    shortName = "APSL-2.0";
+    spdxId = "APSL-2.0";
    fullName = "Apple Public Source License 2.0";
  };
  artistic1 = spdx {
    spdxId = "Artistic-1.0";
    fullName = "Artistic License 1.0";
  };
  artistic2 = spdx {
-    shortName = "Artistic-2.0";
+    spdxId = "Artistic-2.0";
    fullName = "Artistic License 2.0";
  };
  asl20 = spdx {
-    shortName = "Apache-2.0";
+    spdxId = "Apache-2.0";
    fullName = "Apache License 2.0";
  };
  boost = spdx {
-    shortName = "BSL-1.0";
+    spdxId = "BSL-1.0";
    fullName = "Boost Software License 1.0";
  };
  bsd2 = spdx {
-    shortName = "BSD-2-Clause";
+    spdxId = "BSD-2-Clause";
    fullName = ''BSD 2-clause "Simplified" License'';
  };
  bsd3 = spdx {
-    shortName = "BSD-3-Clause";
+    spdxId = "BSD-3-Clause";
    fullName = ''BSD 3-clause "New" or "Revised" License'';
  };
  bsdOriginal = spdx {
-    shortName = "BSD-4-Clause";
+    spdxId = "BSD-4-Clause";
    fullName = ''BSD 4-clause "Original" or "Old" License'';
  };
  cc0 = spdx {
-    shortName = "CC0-1.0";
+    spdxId = "CC0-1.0";
-    fullName = ''Creative Commons Zero v1.0 Universal'';
+    fullName = "Creative Commons Zero v1.0 Universal";
  };
  cc-by-30 = spdx {
-    shortName = "CC-BY-3.0";
+    spdxId = "CC-BY-3.0";
    fullName = "Creative Commons Attribution 3.0";
  };
  cc-by-sa-30 = spdx {
    spdxId = "CC-BY-SA-3.0";
    fullName = "Creative Commons Attribution Share Alike 3.0";
  };
  cc-by-40 = spdx {
-    shortName = "CC-BY-4.0";
+    spdxId = "CC-BY-4.0";
    fullName = "Creative Commons Attribution 4.0";
  };
  cddl = spdx {
-    shortName = "CDDL-1.0";
+    spdxId = "CDDL-1.0";
    fullName = "Common Development and Distribution License 1.0";
  };
  cecill20 = spdx {
    spdxId = "CECILL-2.0";
    fullName = "CeCILL Free Software License Agreement v2.0";
  };
  cecill-b = spdx {
-    shortName = "CECILL-B";
+    spdxId = "CECILL-B";
    fullName  = "CeCILL-B Free Software License Agreement";
  };
  cecill-c = spdx {
-    shortName = "CECILL-C";
+    spdxId = "CECILL-C";
    fullName  = "CeCILL-C Free Software License Agreement";
  };
  cpl10 = spdx {
-    shortName = "CPL-1.0";
+    spdxId = "CPL-1.0";
    fullName = "Common Public License 1.0";
  };
  epl10 = spdx {
-    shortName = "EPL-1.0";
+    spdxId = "EPL-1.0";
    fullName = "Eclipse Public License 1.0";
  };
-  free = "free";
+  free = {
    fullName = "Unspecified free software license";
  };
  gpl1 = spdx {
    shortName = "GPL-1.0";
    fullName = "GNU General Public License v1.0 only";
  };
  gpl1Plus = spdx {
    spdxId = "GPL-1.0+";
    fullName = "GNU General Public License v1.0 or later";
  };
  gpl2 = spdx {
-    shortName = "GPL-2.0";
+    spdxId = "GPL-2.0";
    fullName = "GNU General Public License v2.0 only";
  };
  gpl2ClasspathPlus = {
    fullName = "GNU General Public License v2.0 or later (with Classpath exception)";
    url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
  };
  gpl2Oss = {
    shortName = "GPL-2.0-with-OSS";
    fullName = "GNU General Public License version 2 only (with OSI approved licenses linking exception)";
    url = http://www.mysql.com/about/legal/licensing/foss-exception;
  };
  gpl2Plus = spdx {
-    shortName = "GPL-2.0+";
+    spdxId = "GPL-2.0+";
    fullName = "GNU General Public License v2.0 or later";
  };
  gpl3 = spdx {
-    shortName = "GPL-3.0";
+    spdxId = "GPL-3.0";
    fullName = "GNU General Public License v3.0 only";
  };
  gpl3Plus = spdx {
-    shortName = "GPL-3.0+";
+    spdxId = "GPL-3.0+";
    fullName = "GNU General Public License v3.0 or later";
  };
  gpl3ClasspathPlus = {
    shortName = "GPL-3.0+-with-classpath-exception";
    fullName = "GNU General Public License v3.0 or later (with Classpath exception)";
    url = https://fedoraproject.org/wiki/Licensing/GPL_Classpath_Exception;
  };
  # Intel's license, seems free
  iasl = {
    fullName = "iASL";
    url = http://www.calculate-linux.org/packages/licenses/iASL;
  };
  inria = {
    shortName = "INRIA-NCLA";
    fullName  = "INRIA Non-Commercial License Agreement";
    url       = "http://compcert.inria.fr/doc/LICENSE";
  };
  ipa = spdx {
-    shortName = "IPA";
+    spdxId = "IPA";
    fullName = "IPA Font License";
  };
  ipl10 = spdx {
-    shortName = "IPL-1.0";
+    spdxId = "IPL-1.0";
    fullName = "IBM Public License v1.0";
  };
  isc = spdx {
-    shortName = "ISC";
+    spdxId = "ISC";
    fullName = "ISC License";
  };
  lgpl2 = spdx {
-    shortName = "LGPL-2.0";
+    spdxId = "LGPL-2.0";
    fullName = "GNU Library General Public License v2 only";
  };
  lgpl2Plus = spdx {
-    shortName = "LGPL-2.0+";
+    spdxId = "LGPL-2.0+";
    fullName = "GNU Library General Public License v2 or later";
  };
  lgpl21 = spdx {
-    shortName = "LGPL-2.1";
+    spdxId = "LGPL-2.1";
    fullName = "GNU Library General Public License v2.1 only";
  };
  lgpl21Plus = spdx {
-    shortName = "LGPL-2.1+";
+    spdxId = "LGPL-2.1+";
    fullName = "GNU Library General Public License v2.1 or later";
  };
  lgpl3 = spdx {
-    shortName = "LGPL-3.0";
+    spdxId = "LGPL-3.0";
    fullName = "GNU Lesser General Public License v3.0 only";
  };
  lgpl3Plus = spdx {
-    shortName = "LGPL-3.0+";
+    spdxId = "LGPL-3.0+";
    fullName = "GNU Lesser General Public License v3.0 or later";
  };
  libpng = spdx {
-    shortName = "Libpng";
+    spdxId = "Libpng";
    fullName = "libpng License";
  };
-  libtiff = {
+  libtiff = spdx {
-    shortName = "libtiff";
+    spdxId = "libtiff";
-    fullName = "libtiff license";
+    fullName = "libtiff License";
    url = https://fedoraproject.org/wiki/Licensing/libtiff;
  };
  llgpl21 = {
    shortName = "LLGPL-2.1";
    fullName = "Lisp LGPL; GNU Lesser General Public License version 2.1 with Franz Inc. preamble for clarification of LGPL terms in context of Lisp";
    url = http://opensource.franz.com/preamble.html;
  };
  lppl12 = spdx {
    spdxId = "LPPL-1.2";
    fullName = "LaTeX Project Public License v1.2";
  };
  lpl-102 = spdx {
-    shortName = "LPL-1.02";
+    spdxId = "LPL-1.02";
    fullName = "Lucent Public License v1.02";
  };
  # spdx.org does not (yet) differentiate between the X11 and Expat versions
  # for details see http://en.wikipedia.org/wiki/MIT_License#Various_versions
  mit = spdx {
-    shortName = "MIT";
+    spdxId = "MIT";
    fullName = "MIT License";
  };
  mpl11 = spdx {
-    shortName = "MPL-1.1";
+    spdxId = "MPL-1.1";
    fullName = "Mozilla Public License 1.1";
  };
  mpl20 = spdx {
-    shortName = "MPL-2.0";
+    spdxId = "MPL-2.0";
    fullName = "Mozilla Public License 2.0";
  };
  msrla = {
    shortName = "MSR-LA";
    fullName  = "Microsoft Research License Agreement";
    url       = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";
  };
  ncsa = spdx {
-    shortName = "NCSA";
+    spdxId = "NCSA";
    fullName  = "University of Illinois/NCSA Open Source License";
  };
  ofl = spdx {
-    shortName = "OFL-1.1";
+    spdxId = "OFL-1.1";
    fullName = "SIL Open Font License 1.1";
  };
  openssl = spdx {
-    shortName = "OpenSSL";
+    spdxId = "OpenSSL";
    fullName = "OpenSSL License";
  };
  php301 = spdx {
    spdxId = "PHP-3.01";
    fullName = "PHP License v3.01";
  };
  postgresql = spdx {
-    shortName = "PostgreSQL";
+    spdxId = "PostgreSQL";
    fullName = "PostgreSQL License";
  };
  psfl = spdx {
-    shortName = "Python-2.0";
+    spdxId = "Python-2.0";
    fullName = "Python Software Foundation License version 2";
    #url = http://docs.python.org/license.html;
  };
  publicDomain = {
-    shortName = "Public Domain";
+    fullName = "Public Domain";
-    fullname = "Public Domain";
+  };
  qpl = spdx {
    spdxId = "QPL-1.0";
    fullName = "Q Public License 1.0";
  };
  qwt = {
    fullName = "Qwt License, Version 1.0";
    url = http://qwt.sourceforge.net/qwtlicense.html;
  };
  ruby = spdx {
    spdxId = "Ruby";
    fullName = "Ruby License";
  };
  sgi-b-20 = spdx {
    spdxId = "SGI-B-2.0";
    fullName = "SGI Free Software License B v2.0";
  };
  sleepycat = spdx {
-    shortName = "Sleepycat";
+    spdxId = "Sleepycat";
-    fullName  = "Sleepycat License";
+    fullName = "Sleepycat License";
  };
-  tcltk = {
+  tcltk = spdx {
-    shortName = "Tcl/Tk";
+    spdxId = "TCL";
-    fullName = "Tcl/Tk license";
+    fullName = "TCL/TK License";
    url = http://www.tcl.tk/software/tcltk/license.html;
  };
-  unfree = "unfree";
+  unfree = {
    fullName = "Unfree";
    free = false;
  };
-  unfreeRedistributable = "unfree-redistributable";
+  unfreeRedistributable = {
    fullName = "Unfree redistributable";
    free = false;
  };
-  unfreeRedistributableFirmware = "unfree-redistributable-firmware";
+  unfreeRedistributableFirmware = {
    fullName = "Unfree redistributable firmware";
    # Note: we currently consider these "free" for inclusion in the
    # channel and NixOS images.
  };
  unlicense = spdx {
    spdxId = "Unlicense";
    fullName = "The Unlicense";
  };
  vsl10 = spdx {
    spdxId = "VSL-1.0";
    fullName = "Vovida Software License v1.0";
  };
  w3c = spdx {
    spdxId = "W3C";
    fullName = "W3C Software Notice and License";
  };
  wadalab = {
    shortName = "wadalab";
    fullName = "Wadalab Font License";
    url = https://fedoraproject.org/wiki/Licensing:Wadalab?rd=Licensing/Wadalab;
  };
  wtfpl = spdx {
    spdxId = "WTFPL";
    fullName = "Do What The F*ck You Want To Public License";
  };
  zlib = spdx {
-    shortName = "Zlib";
+    spdxId = "Zlib";
    fullName = "zlib License";
  };
  zpt20 = spdx { # FIXME: why zpt* instead of zpl*
-    shortName = "ZPL-2.0";
+    spdxId = "ZPL-2.0";
    fullName = "Zope Public License 2.0";
  };
  zpt21 = spdx {
-    shortName = "ZPL-2.1";
+    spdxId = "ZPL-2.1";
    fullName = "Zope Public License 2.1";
  };
--- a/lib/lists.nix
+++ b/lib/lists.nix
@ -223,4 +223,14 @@ rec {
  crossLists = f: foldl (fs: args: concatMap (f: map f args) fs) [f];
  # Remove duplicate elements from the list
  unique = list:
    if list == [] then
      []
    else
      let
        x = head list;
        xs = unique (drop 1 list);
      in [x] ++ remove x xs;
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -5,12 +5,13 @@
     alphabetically sorted.  */
  _1126 = "Christian Lask <mail@elfsechsundzwanzig.de>";
  abbradar = "Nikolay Amiantov <ab@fmap.me>";
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
  aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
  akc = "Anders Claesson <akc@akc.is>";
  algorith = "Dries Van Daele <dries_van_daele@telenet.be>";
  all = "Nix Committers <nix-commits@lists.science.uu.nl>";
  abbradar = "Nikolay Amiantov <ab@fmap.me>";
  amiddelk = "Arie Middelkoop <amiddelk@gmail.com>";
  amorsillo = "Andrew Morsillo <andrew.morsillo@gmail.com>";
  AndersonTorres = "Anderson Torres <torres.anderson.85@gmail.com>";
@ -18,10 +19,12 @@
  antono = "Antono Vasiljev <self@antono.info>";
  aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
  arobyn = "Alexei Robyn <shados@shados.net>";
  asppsa = "Alastair Pharo <asppsa@gmail.com>";
  astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
  aszlig = "aszlig <aszlig@redmoonstudios.org>";
  auntie = "Jonathan Glines <auntieNeo@gmail.com>";
  aycanirican = "Aycan iRiCAN <iricanaycan@gmail.com>";
  balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
  bbenoist = "Baptist BENOIST <return_0@live.com>";
  bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
  berdario = "Dario Bertini <berdario@gmail.com>";
@ -37,42 +40,57 @@
  cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
  codyopel = "Cody Opel <codyopel@gmail.com>";
  copumpkin = "Dan Peebles <pumpkingod@gmail.com>";
  coroa = "Jonas Hörsch <jonas@chaoflow.net>";
  cstrahan = "Charles Strahan <charles.c.strahan@gmail.com>";
  DamienCassou = "Damien Cassou <damien.cassou@gmail.com>";
-  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
+  davidrusu = "David Rusu <davidrusu.me@gmail.com>";
  dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
  dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
  doublec = "Chris Double <chris.double@double.co.nz>";
  ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
  edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
  eelco = "Eelco Dolstra <eelco.dolstra@logicblox.com>";
  eikek = "Eike Kettner <eike.kettner@posteo.de>";
  ellis = "Ellis Whitehead <nixos@ellisw.net>";
  emery = "Emery Hemingway <emery@vfemail.net>";
  ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
  exlevan = "Alexey Levan <exlevan@gmail.com>";
  falsifian = "James Cook <james.cook@utoronto.ca>";
  flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
  fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>";
  fpletz = "Franz Pletz <fpletz@fnordicwalking.de>";
  ftrvxmtrx = "Siarhei Zirukin <ftrvxmtrx@gmail.com>";
  funfunctor = "Edward O'Callaghan <eocallaghan@alterapraxis.com>";
  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
  gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
  garbas = "Rok Garbas <rok@garbas.si>";
  gavin = "Gavin Rogers <gavin@praxeology.co.uk>";
  goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
  guibert = "David Guibert <david.guibert@gmail.com>";
  henrytill = "Henry Till <henrytill@gmail.com>";
  hinton = "Tom Hinton <t@larkery.com>";
  hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
  ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
  iElectric = "Domen Kozar <domen@dev.si>";
  iyzsong = "Song Wenwu <iyzsong@gmail.com>";
  jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
  jcumming = "Jack Cummings <jack@mudshark.org>";
  jgeerds = "Jascha Geerds <jg@ekby.de>";
  jirkamarsik = "Jirka Marsik <jiri.marsik89@gmail.com>";
  joachifm = "Joachim Fasting <joachifm@fastmail.fm>";
  joamaki = "Jussi Maki <joamaki@gmail.com>";
  joelteon = "Joel Taylor <me@joelt.io>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
  jwiegley = "John Wiegley <johnw@newartisans.com>";
  jzellner = "Jeff Zellner <jeffz@eml.cc>";
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  koral = "Koral <koral@mailoo.org>";
  kragniz = "Louis Taylor <kragniz@gmail.com>";
  ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
  lethalman = "Luca Bruno <lucabru@src.gnome.org>";
  lhvwb = "Nathaniel Baxter <nathaniel.baxter@gmail.com>";
@ -80,6 +98,7 @@
  lovek323 = "Jason O'Conal <jason@oconal.id.au>";
  ludo = "Ludovic Courtès <ludo@gnu.org>";
  madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
  magnetophon = "Bart Brouns <bart@magnetophon.nl>";
  manveru = "Michael Fellinger <m.fellinger@gmail.com>";
  marcweber = "Marc Weber <marco-oweber@gmx.de>";
  matejc = "Matej Cotman <cotman.matej@gmail.com>";
@ -89,19 +108,24 @@
  mornfall = "Petr Ročkai <me@mornfall.net>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
  muflax = "Stefan Dorn <mail@muflax.com>";
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
  notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
  nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
  ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
  offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
  olcai = "Erik Timan <dev@timan.info>";
  orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
  page = "Carles Pagès <page@cubata.homelinux.net>";
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
  phreedom = "Evgeny Egorochkin <phreedom@yandex.ru>";
  pierron = "Nicolas B. Pierron <nixos@nbp.name>";
  piotr = "Piotr Pietraszkiewicz <ppietrasa@gmail.com>";
  pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
  plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
  pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
  puffnfresh = "Brian McKenna <brian@brianmckenna.org>";
  qknight = "Joachim Schiele <js@lastlog.de>";
  raskin = "Michael Raskin <7c6f434c@mail.ru>";
  redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
@ -116,20 +140,27 @@
  rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
  rycee = "Robert Helgesson <robert@rycee.net>";
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
  schristo = "Scott Christopher <schristopher@konputa.com>";
  sepi = "Raffael Mancini <raffael@mancini.lu>";
  shell = "Shell Turner <cam.turn@gmail.com>";
  shlevy = "Shea Levy <shea@shealevy.com>";
  simons = "Peter Simons <simons@cryp.to>";
  sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
  skeidel = "Sven Keidel <svenkeidel@gmail.com>";
  smironov = "Sergey Mironov <ierton@gmail.com>";
  sprock = "Roger Mason <rmason@mun.ca>";
  spwhitt = "Spencer Whitt <sw@swhitt.me>";
  sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
  tailhook = "Paul Colomiets <paul@colomiets.name>";
  thammers = "Tobias Hammerschmidt <jawr@gmx.de>";
  the-kenny = "Moritz Ulrich <moritz@tarn-vedra.de>";
  thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
  titanous = "Jonathan Rudenberg <jonathan@titanous.com>";
  tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
  tstrobel = "Thomas Strobel <ts468@cam.ac.uk>";
  ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
  tv = "Tomislav Viljetić <tv@shackspace.de>";
  twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
  vandenoever = "Jos van den Oever <jos@vandenoever.info>";
  vbgl = "Vincent Laporte <Vincent.Laporte@gmail.com>";
@ -138,6 +169,7 @@
  viric = "Lluís Batlle i Rossell <viric@viric.name>";
  vizanto = "Danny Wilson <danny@prime.vc>";
  vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
  vozz = "Oliver Hunt <oliver.huntuk@gmail.com>";
  winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";
  wizeman = "Ricardo M. Correia <rcorreia@wizy.org>";
  wjlroe = "William Roe <willroe@gmail.com>";
@ -149,4 +181,5 @@
  zef = "Zef Hemel <zef@zef.me>";
  zimbatm = "zimbatm <zimbatm@zimbatm.com>";
  zoomulator = "Kim Simmons <zoomulator@gmail.com>";
  Gonzih = "Max Gonzih <gonzih@gmail.com>";
 }
--- a/lib/modules.nix
+++ b/lib/modules.nix
@ -58,7 +58,7 @@ rec {
    if m ? config || m ? options then
      let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file"]; in
      if badAttrs != {} then
-        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'."
+        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by assignments to the top-level attributes `config' or `options'."
      else
        { file = m._file or file;
          key = toString m.key or key;
--- a/maintainers/docker/.dockerignore
+++ b/maintainers/docker/.dockerignore
@ -0,0 +1,14 @@
 *~
 ,*
 .*.swp
 .*.swo
 result
 result-*
 /doc/NEWS.html
 /doc/NEWS.txt
 /doc/manual.html
 /doc/manual.pdf
 .version-suffix
 .DS_Store
 .git
--- a/maintainers/docker/Dockerfile
+++ b/maintainers/docker/Dockerfile
@ -0,0 +1,12 @@
 FROM busybox
 RUN dir=`mktemp -d` && trap 'rm -rf "$dir"' EXIT && \
    wget -O- http://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2  | bzcat | tar x -C $dir && \
    mkdir -m 0755 /nix && USER=root sh $dir/*/install && \
    echo ". /root/.nix-profile/etc/profile.d/nix.sh" >> /etc/profile
 ADD . /root/nix/nixpkgs
 ONBUILD ENV NIX_PATH nixpkgs=/root/nix/nixpkgs:nixos=/root/nix/nixpkgs/nixos
 ONBUILD ENV PATH /root/.nix-profile/bin:/root/.nix-profile/sbin:/bin:/sbin:/usr/bin:/usr/sbin
 ONBUILD ENV ENV /etc/profile
 ENV ENV /etc/profile
--- a/maintainers/scripts/travis-nox-review-pr.sh
+++ b/maintainers/scripts/travis-nox-review-pr.sh
@ -1,29 +1,40 @@
 #! /usr/bin/env bash
 set -e
-# Install Nix
+export NIX_CURL_FLAGS=-sS
 bash <(curl https://nixos.org/nix/install)
 source $HOME/.nix-profile/etc/profile.d/nix.sh
-# Make sure we can use hydra's binary cache
+if [[ $1 == nix ]]; then
-sudo mkdir /etc/nix
+    echo "=== Installing Nix..."
-sudo tee /etc/nix/nix.conf <<EOF
+    # Install Nix
    bash <(curl -sS https://nixos.org/nix/install)
    source $HOME/.nix-profile/etc/profile.d/nix.sh
    # Make sure we can use hydra's binary cache
    sudo mkdir /etc/nix
    sudo tee /etc/nix/nix.conf <<EOF >/dev/null
 binary-caches = http://cache.nixos.org http://hydra.nixos.org
 trusted-binary-caches = http://hydra.nixos.org
 build-max-jobs = 4
 EOF
-if [ "${TRAVIS_PULL_REQUEST}" = "false" ]; then
+    # Verify evaluation
-    echo "Not a pull request, checking evaluation"
+    echo "=== Verifying that nixpkgs evaluates..."
-    nix-build pkgs/top-level/release.nix -A tarball
+    nix-env -f. -qa --json >/dev/null
-    exit 0
+elif [[ $1 == nox ]]; then
    echo "=== Installing nox..."
    git clone -q https://github.com/madjar/nox
    pip --quiet install -e nox
 elif [[ $1 == build ]]; then
    source $HOME/.nix-profile/etc/profile.d/nix.sh
    if [[ $TRAVIS_PULL_REQUEST == false ]]; then
        echo "===> Not a pull request, checking evaluation"
        nix-build pkgs/top-level/release.nix -A tarball
    else
        echo "=== Checking PR"
        nox-review pr ${TRAVIS_PULL_REQUEST}
    fi
 else
    echo "$0: Unknown option $1" >&2
    false
 fi
 echo "Installing nox"
 git clone https://github.com/madjar/nox
 pip --quiet install -e nox
 echo "Reviewing PR"
 # The current HEAD is the PR merged into origin/master, so we compare
 # against origin/master
 nox-review wip --against origin/master
--- a/maintainers/scripts/vanity-manual-equalities.txt
+++ b/maintainers/scripts/vanity-manual-equalities.txt
@ -1,3 +1,6 @@
 viric	viriketo@gmail.com
 Pjotr Prins	pjotr.public01@thebird.nl
 Pjotr Prins	pjotr.public05@thebird.nl
 Wouter den Breejen	wbreejen
 MarcWeber	marcweber
 Ricardo Correia	Ricardo M. Correia
--- a/maintainers/scripts/vanity.sh
+++ b/maintainers/scripts/vanity.sh
@ -3,25 +3,55 @@
 export LANG=C LC_ALL=C LC_COLLATE=C
 # Load git log
-git_data="$(git log | grep 'Author:' | 
+raw_git_log="$(git log)"
-  sed -e 's/^ *Author://; s/\\//g; s/^ *//; s/ *$//; 
+git_data="$(echo "$raw_git_log" | grep 'Author:' |
  sed -e 's/^ *Author://; s/\\//g; s/^ *//; s/ *$//;
  s/ @ .*//; s/ *[<]/\t/; s/[>]//')"
 # Name - nick - email correspondence from log and from maintainer list
 # Also there are a few manual entries
-maintainers="$(cat "$(dirname "$0")/../../lib/maintainers.nix" | 
+maintainers="$(cat "$(dirname "$0")/../../lib/maintainers.nix" |
  grep '=' | sed -re 's/\\"/''/g;
  s/ *([^ =]*) *= *" *(.*[^ ]) *[<](.*)[>] *".*/\1\t\2\t\3/')"
-git_lines="$( ( echo "$git_data"; 
+git_lines="$( ( echo "$git_data";
-  cat vanity-manual-equalities.txt) | sort |uniq)"
+    cat "$(dirname "$0")/vanity-manual-equalities.txt") | sort |uniq)"
 emails="$(
    ( echo "$maintainers" | cut -f 3; echo "$git_data" | cut -f 2 ) |
    sort | uniq | grep -E ".+@.+[.].+"
    )"
 fetchGithubName () {
    commitid="$(
        echo "$raw_git_log" | grep -B3 "Author: .*[<]$1[>]" | head -n 3 |
            grep '^commit ' | tail -n 1 | sed -e 's/^commit //'
    )"
    userid="$(
        curl https://github.com/NixOS/nixpkgs/commit/"$commitid" 2>/dev/null |
        grep authored -B10 | grep 'href="/' |
        sed -re 's@.* href="/@@; s@".*@@' |
 	grep -v "/commit/"
    )";
    echo "$userid"
 }
 [ -n "$NIXPKGS_GITHUB_NAME_CACHE" ] && {
    echo "$emails" | while read email; do
        line="$(grep "$email	" "$NIXPKGS_GITHUB_NAME_CACHE")"
 	[ -z "$line" ] && {
            echo "$email	$(fetchGithubName "$email")" >> \
                "$NIXPKGS_GITHUB_NAME_CACHE"
        }
    done
 }
 # For RDF
 normalize_name () {
-	sed -e 's/ /_/g; s/'\''/*/g; s/"/**/g;'
+	sed -e 's/%/%25/g; s/ /%20/g; s/'\''/%27/g; s/"/%22/g; s/`/%60/g'
 }
 denormalize_name () {
-	sed -e 's/_/ /g; s/[*][*]/"/g; s/[*]/'\''/g;'
+	sed -e 's/%20/ /g; s/%27/'\''/g; s/%22/"/g; s/%60/`/g; s/%25/%/g;';
 }
 n3="$(mktemp --suffix .n3)"
@ -37,6 +67,9 @@ echo "$maintainers" | sed -re 's@(.*)\t(.*)\t(.*)@<my://name/\3>	<my://can-be>	<
 echo "$git_lines" | grep ' ' | cut -f 1 | sed -e 's@.*@<my://name/&>	<my://is-name>	<my://0>.@'
 echo "$git_lines" | grep -v ' ' | cut -f 1 | sed -e 's@.*@<my://name/&>	<my://is-name>	<my://1>.@'
 echo "$maintainers" | cut -f 2 | sed -e 's@.*@<my://name/&>	<my://is-name>	<my://0>.@'
 [ -n "$NIXPKGS_GITHUB_NAME_CACHE" ] && cat "$NIXPKGS_GITHUB_NAME_CACHE" |
    grep -v "	$" |
    sed -re 's@(.*)\t(.*)@<my://name/\1>	<my://at-github>	<my://github/\2>.@'
 ) | normalize_name | grep -E '<my://[-a-z]+>' | sort | uniq > "$n3"
 # Get transitive closure
@ -47,19 +80,43 @@ name_list="$(
 	  ?x <my://can-be>+ ?y.
 	  ?x <my://is-name> ?g.
        }
-	" | tail -n +2 | 
+	" | tail -n +2 |
-	sed -re 's@<my://name/@@g; s@<my://@@g; s@>@@g;' | 
+	sed -re 's@<my://name/@@g; s@<my://@@g; s@>@@g;' |
 	sort -k 2,3 -t '	'
 )"
 github_name_list="$(
 	"$sparql" --results=TSV --data="$n3" "
 	select ?x ?y where {
 	  ?x (<my://can-be>+ / <my://at-github>) ?y.
        }
 	" | tail -n +2 |
 	sed -re 's@<my://(name|github)/@@g; s@<my://@@g; s@>@@g;'
 )"
 # Take first spelling option for every person
 name_list_canonical="$(echo "$name_list" | cut -f 1,2 | uniq -f1)"
-cleaner_script="$(echo "$name_list_canonical" | denormalize_name | 
+cleaner_script="$(echo "$name_list_canonical" | denormalize_name |
  sed -re 's/(.*)\t(.*)/s#^\2$#\1#g/g')"
 # Add github usernames
 if [ -n "$NIXPKGS_GITHUB_NAME_CACHE" ]; then
    github_adder_script="$(echo "$github_name_list" |
        grep -E "$(echo "$name_list_canonical" | cut -f 2 |
 	    tr '\n' '|' )" |
 	sort | uniq |
        sed -re 's/(.*)\t(.*)/s| \1$| \1\t\2|g;/' |
 	denormalize_name
 	)"
 else
    github_adder_script=''
 fi
 echo "$name_list" | denormalize_name
 echo
-echo "$git_data" | cut -f 1 | sed -re "$cleaner_script" | sort | uniq -c | sort -k1n
+echo "$git_data" | cut -f 1 |
    sed -e "$cleaner_script" |
    sort | uniq -c | sort -k1n | sed -re "$github_adder_script" |
    sed -re 's/^ *([0-9]+) /\1\t/'
--- a/nixos/doc/manual/configuration/linux-kernel.xml
+++ b/nixos/doc/manual/configuration/linux-kernel.xml
@ -56,7 +56,7 @@ root file system), you can use
 boot.initrd.extraKernelModules = [ "cifs" ];
 </programlisting>
 This causes the specified modules and their dependencies to be added
-to the initial ramdark.</para>
+to the initial ramdisk.</para>
 <para>Kernel runtime parameters can be set through
 <option>boot.kernel.sysctl</option>, e.g.
--- a/nixos/doc/manual/configuration/network-manager.xml
+++ b/nixos/doc/manual/configuration/network-manager.xml
@ -13,7 +13,7 @@ use NetworkManager. You can enable NetworkManager by setting:
 services.networkmanager.enable = true;
 </programlisting>
-Some desktop managers (e.g., GNOME) enable NetworkManager
+some desktop managers (e.g., GNOME) enable NetworkManager
 automatically for you.</para>
 <para>All users that should have permission to change network settings
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@ -30,34 +30,13 @@ let
    else
      fn;
-  # Convert the list of options into an XML file and a JSON file.  The builtin
+  # Convert the list of options into an XML file.  The builtin
-  # unsafeDiscardStringContext is used to prevent the realisation of the store
+  # unsafeDiscardStringContext is used to prevent the realisation of
-  # paths which are used in options definitions.
+  # the store paths which are used in options definitions.
  optionsXML = builtins.toFile "options.xml" (builtins.unsafeDiscardStringContext (builtins.toXML optionsList'));
  optionsJSON = builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsList'));
  # Tools-friendly version of the list of NixOS options.
  options' = stdenv.mkDerivation {
    name = "options";
    buildCommand = ''
      # Export list of options in different format.
      dst=$out/share/doc/nixos
      mkdir -p $dst
      cp ${optionsJSON} $dst/options.json
      cp ${optionsXML} $dst/options.xml
      mkdir -p $out/nix-support
      echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
      echo "file xml $dst/options.xml" >> $out/nix-support/hydra-build-products
    ''; # */
    meta.description = "List of NixOS options in various formats.";
  };
  optionsDocBook = runCommand "options-db.xml" {} ''
-    optionsXML=${options'}/share/doc/nixos/options.xml
+    optionsXML=${optionsXML}
    if grep /nixpkgs/nixos/modules $optionsXML; then
      echo "The manual appears to depend on the location of Nixpkgs, which is bad"
      echo "since this prevents sharing via the NixOS channel.  This is typically"
@ -83,8 +62,25 @@ let
 in rec {
-  # Tools-friendly version of the list of NixOS options.
+  # The NixOS options in JSON format.
-  options = options';
+  optionsJSON = stdenv.mkDerivation {
    name = "options-json";
    buildCommand = ''
      # Export list of options in different format.
      dst=$out/share/doc/nixos
      mkdir -p $dst
      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
        (listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
      } $dst/options.json
      mkdir -p $out/nix-support
      echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
    ''; # */
    meta.description = "List of NixOS options in JSON format";
  };
  # Generate the NixOS manual.
  manual = stdenv.mkDerivation {
--- a/nixos/doc/manual/development/running-nixos-tests.xml
+++ b/nixos/doc/manual/development/running-nixos-tests.xml
@ -39,24 +39,13 @@ $ firefox result/log.html
 </para>
-<para>It is also possible to run the test environment interactively,
+<title>Running Tests interactively</title>
 allowing you to experiment with the VMs.  For example:
-<screen>
+<para>The test itself can be run interactively.  This is
 $ nix-build login.nix -A driver
 $ ./result/bin/nixos-run-vms
 </screen>
 The script <command>nixos-run-vms</command> starts the virtual
 machines defined by test.  The root file system of the VMs is created
 on the fly and kept across VM restarts in
 <filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>.</para>
 <para>Finally, the test itself can be run interactively.  This is
 particularly useful when developing or debugging a test:
 <screen>
-$ nix-build tests/ -A nfs.driver
+$ nix-build nixos/tests/login.nix -A driver
 $ ./result/bin/nixos-test-driver
 starting VDE switch for network 1
 &gt;
@ -66,6 +55,7 @@ You can then take any Perl statement, e.g.
 <screen>
 &gt; startAll
 &gt; testScript
 &gt; $machine->succeed("touch /tmp/foo")
 </screen>
@ -74,4 +64,16 @@ script and drops you back into the test driver command line upon its
 completion.  This allows you to inspect the state of the VMs after the
 test (e.g. to debug the test script).</para>
-</section>
+<para>To just start and experiment with the VMs, run:
 <screen>
 $ nix-build nixos/tests/login.nix -A driver
 $ ./result/bin/nixos-run-vms
 </screen>
 The script <command>nixos-run-vms</command> starts the virtual
 machines defined by test.  The root file system of the VMs is created
 on the fly and kept across VM restarts in
 <filename>./</filename><varname>hostname</varname><filename>.qcow2</filename>.</para>
 </section>
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@ -11,14 +11,9 @@
  <listitem><para>Boot from the CD.</para></listitem>
  <listitem><para>The CD contains a basic NixOS installation.  (It
-  also contains Memtest86+, useful if you want to test new hardware.)
+  also contains Memtest86+, useful if you want to test new hardware).
  When it’s finished booting, it should have detected most of your
-  hardware and brought up networking (check
+  hardware.</para></listitem>
  <command>ifconfig</command>).  Networking is necessary for the
  installer, since it will download lots of stuff (such as source
  tarballs or Nixpkgs channel binaries).  It’s best if you have a DHCP
  server on your network.  Otherwise configure networking manually
  using <command>ifconfig</command>.</para></listitem>
  <listitem><para>The NixOS manual is available on virtual console 8
  (press Alt+F8 to access).</para></listitem>
@ -29,6 +24,16 @@
  <listitem><para>If you downloaded the graphical ISO image, you can
  run <command>start display-manager</command> to start KDE.</para></listitem>
  <listitem><para>The boot process should have brought up networking (check
  <command>ip a</command>).  Networking is necessary for the
  installer, since it will download lots of stuff (such as source
  tarballs or Nixpkgs channel binaries).  It’s best if you have a DHCP
  server on your network. Otherwise configure networking manually
  using <command>ifconfig</command>.</para>
  <para>To manually configure the network on the graphical installer,
  first disable network-manager with
  <command>systemctl stop network-manager</command>.</para></listitem>
  <listitem><para>The NixOS installer doesn’t do any partitioning or
  formatting yet, so you need to that yourself.  Use the following
  commands:
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@ -63,7 +63,7 @@ end.)  For instance, to use the NixOS 14.04 stable channel:
 $ nix-channel --add http://nixos.org/channels/nixos-14.04 nixos
 </screen>
-But it you want to live on the bleeding edge:
+But if you want to live on the bleeding edge:
 <screen>
 $ nix-channel --add http://nixos.org/channels/nixos-unstable nixos
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@ -10,7 +10,7 @@
 <para>This section lists the release notes for each stable version of NixOS.</para>
 </partintro>
-<xi:include href="rl-1410.xml" />
+<xi:include href="rl-1411.xml" />
 <xi:include href="rl-1404.xml" />
 <xi:include href="rl-1310.xml" />
--- a/nixos/doc/manual/release-notes/rl-1410.xml
+++ b/nixos/doc/manual/release-notes/rl-1410.xml
@ -1,22 +0,0 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
        xmlns:xlink="http://www.w3.org/1999/xlink"
        xmlns:xi="http://www.w3.org/2001/XInclude"
        version="5.0"
        xml:id="sec-release-14.10">
 <title>Release 14.10 (“Caterpillar”, 2014/10/??)</title>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:
 <itemizedlist>
  <listitem><para>The host side of a container virtual Ethernet pair
  is now called <literal>ve-<replaceable>container-name</replaceable></literal>
  rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
 </itemizedlist>
 </para>
 </chapter>
--- a/nixos/doc/manual/release-notes/rl-1411.xml
+++ b/nixos/doc/manual/release-notes/rl-1411.xml
@ -0,0 +1,37 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
        xmlns:xlink="http://www.w3.org/1999/xlink"
        xmlns:xi="http://www.w3.org/2001/XInclude"
        version="5.0"
        xml:id="sec-release-14.11">
 <title>Release 14.11 (“Caterpillar”, 2014/11/??)</title>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:
 <itemizedlist>
  <listitem><para>The default version of Apache httpd is now 2.4. If
  you use the <option>extraConfig</option> option to pass literal
  Apache configuration text, you may need to update it — see <link
  xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
  documentation</link> for details. If you wish to continue to use
  httpd 2.2, add the following line to your NixOS configuration:
 <programlisting>
 services.httpd.package = pkgs.apacheHttpd_2_2;
 </programlisting>
  </para></listitem>
  <listitem><para>The host side of a container virtual Ethernet pair
  is now called <literal>ve-<replaceable>container-name</replaceable></literal>
  rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
  <listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
 </itemizedlist>
 </para>
 </chapter>
--- a/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-hvm-install-config.nix
@ -19,7 +19,8 @@ in
 {
  imports = [ ./amazon-base-config.nix ];
  ec2.hvm = true;
-  boot.loader.grub.device = lib.mkOverride 0 "nodev";
+  boot.loader.grub.device = lib.mkOverride 0 "/dev/xvdg";
  boot.kernelParams = [ "console=ttyS0" ];
  boot.initrd.extraUtilsCommands = ''
    cp -v ${pkgs.gawk}/bin/gawk $out/bin/gawk
--- a/nixos/maintainers/scripts/ec2/create-ebs-amis.py
+++ b/nixos/maintainers/scripts/ec2/create-ebs-amis.py
@ -19,8 +19,17 @@ parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair
 args = parser.parse_args()
 instance_type = "m3.medium" if args.hvm else "m1.small"
 ebs_size = 8 if args.hvm else 20
 if args.hvm:
    virtualization_type = "hvm"
    root_block = "/dev/sda1"
    image_type = 'hvm'
 else:
    virtualization_type = "paravirtual"
    root_block = "/dev/sda"
    image_type = 'ebs'
 ebs_size = 20
 # Start a NixOS machine in the given region.
 f = open("ebs-creator-config.nix", "w")
@ -76,10 +85,6 @@ if args.hvm:
    m.upload_file("./amazon-hvm-config.nix", "/mnt/etc/nixos/configuration.nix")
    m.upload_file("./amazon-hvm-install-config.nix", "/mnt/etc/nixos/amazon-hvm-install-config.nix")
    m.run_command("NIXOS_CONFIG=/etc/nixos/amazon-hvm-install-config.nix nixos-install")
    m.run_command('nix-env -iA nixos.pkgs.grub')
    m.run_command('cp /nix/store/*-grub-0.97*/lib/grub/i386-pc/* /mnt/boot/grub')
    m.run_command('echo "(hd1) /dev/xvdg" > device.map')
    m.run_command('echo -e "root (hd1,0)\nsetup (hd1)" | grub --device-map=device.map --batch')
 else:
    m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
    m.run_command("nixos-install")
@ -87,7 +92,7 @@ else:
 m.run_command("umount /mnt")
 if args.hvm:
-    ami_name = "nixos-{0}-x86_64-ebs-hvm".format(version)
+    ami_name = "nixos-{0}-x86_64-hvm".format(version)
    description = "NixOS {0} (x86_64; EBS root; hvm)".format(version)
 else:
    ami_name = "nixos-{0}-x86_64-ebs".format(version)
@ -102,58 +107,40 @@ def check():
 m.connect()
 volume = m._conn.get_all_volumes([], filters={'attachment.instance-id': m.resource_id, 'attachment.device': "/dev/sdg"})[0]
 if args.hvm:
    instance = m._conn.run_instances( image_id="ami-5f491f36"
                                    , instance_type=instance_type
                                    , key_name=args.key_name
                                    , placement=m.zone
                                    , security_groups=["eelco-test"]).instances[0]
    nixops.util.check_wait(lambda: instance.update() == 'running', max_tries=120)
    instance.stop()
    nixops.util.check_wait(lambda: instance.update() == 'stopped', max_tries=120)
    old_root_volume = m._conn.get_all_volumes([], filters={'attachment.instance-id': instance.id, 'attachment.device': "/dev/sda1"})[0]
    old_root_volume.detach()
    volume.detach()
    nixops.util.check_wait(lambda: volume.update() == 'available', max_tries=120)
    nixops.util.check_wait(lambda: old_root_volume.update() == 'available', max_tries=120)
    volume.attach(instance.id, '/dev/sda1')
    nixops.util.check_wait(lambda: volume.update() == 'in-use', max_tries=120)
-    ami_id = m._conn.create_image(instance.id, ami_name, description)
+# Create a snapshot.
-    time.sleep(5)
+snapshot = volume.create_snapshot(description=description)
-    image = m._conn.get_all_images([ami_id])[0]
+print >> sys.stderr, "created snapshot {0}".format(snapshot.id)
    nixops.util.check_wait(lambda: image.update() == 'available', max_tries=120)
    instance.terminate()
-else:
+nixops.util.check_wait(check, max_tries=120)
    # Create a snapshot.
    snapshot = volume.create_snapshot(description=description)
    print >> sys.stderr, "created snapshot {0}".format(snapshot.id)
-    nixops.util.check_wait(check, max_tries=120)
+m._conn.create_tags([snapshot.id], {'Name': ami_name})
-    m._conn.create_tags([snapshot.id], {'Name': ami_name})
+if not args.keep: depl.destroy_resources()
-    if not args.keep: depl.destroy_resources()
+# Register the image.
 aki = m._conn.get_all_images(filters={'manifest-location': 'ec2*pv-grub-hd0_1.03-x86_64*'})[0]
 print >> sys.stderr, "using kernel image {0} - {1}".format(aki.id, aki.location)
-     # Register the image.
+block_map = BlockDeviceMapping()
-    aki = m._conn.get_all_images(filters={'manifest-location': '*pv-grub-hd0_1.03-x86_64*'})[0]
+block_map[root_block] = BlockDeviceType(snapshot_id=snapshot.id, delete_on_termination=True, size=ebs_size, volume_type="gp2")
-    print >> sys.stderr, "using kernel image {0} - {1}".format(aki.id, aki.location)
+block_map['/dev/sdb'] = BlockDeviceType(ephemeral_name="ephemeral0")
 block_map['/dev/sdc'] = BlockDeviceType(ephemeral_name="ephemeral1")
 block_map['/dev/sdd'] = BlockDeviceType(ephemeral_name="ephemeral2")
 block_map['/dev/sde'] = BlockDeviceType(ephemeral_name="ephemeral3")
-    block_map = BlockDeviceMapping()
+common_args = dict(
    block_map['/dev/sda'] = BlockDeviceType(snapshot_id=snapshot.id, delete_on_termination=True)
    block_map['/dev/sdb'] = BlockDeviceType(ephemeral_name="ephemeral0")
    block_map['/dev/sdc'] = BlockDeviceType(ephemeral_name="ephemeral1")
    block_map['/dev/sdd'] = BlockDeviceType(ephemeral_name="ephemeral2")
    block_map['/dev/sde'] = BlockDeviceType(ephemeral_name="ephemeral3")
    ami_id = m._conn.register_image(
        name=ami_name,
        description=description,
        architecture="x86_64",
-        root_device_name="/dev/sda",
+        root_device_name=root_block,
-        kernel_id=aki.id,
+        block_device_map=block_map,
-        block_device_map=block_map)
+        virtualization_type=virtualization_type,
        delete_root_volume_on_termination=True
        )
 if not args.hvm:
    common_args['kernel_id']=aki.id
 ami_id = m._conn.register_image(**common_args)
 print >> sys.stderr, "registered AMI {0}".format(ami_id)
@ -197,17 +184,12 @@ test_depl.nix_exprs = [os.path.abspath("./ebs-test.nix")]
 test_depl.deploy(create_only=True)
 test_depl.machines['machine'].run_command("nixos-version")
 if args.hvm:
    image_type = 'hvm'
 else:
    image_type = 'ebs'
 # Log the AMI ID.
 f = open("{0}.{1}.ami-id".format(args.region, image_type), "w")
 f.write("{0}".format(ami_id))
 f.close()
-for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']:
+for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']:
    if args.region != dest:
        print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest)
        conn = boto.ec2.connect_to_region(dest)
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@ -27,9 +27,11 @@ with lib;
  config = mkIf config.fonts.enableFontConfig {
-    # Bring in the default (upstream) fontconfig configuration.
+    # Fontconfig 2.10 backward compatibility
    # Bring in the default (upstream) fontconfig configuration, only for fontconfig 2.10
    environment.etc."fonts/fonts.conf".source =
-      pkgs.makeFontsConf { fontDirectories = config.fonts.fonts; };
+      pkgs.makeFontsConf { fontconfig = pkgs.fontconfig_210; fontDirectories = config.fonts.fonts; };
    environment.etc."fonts/conf.d/00-nixos.conf".text =
      ''
@ -47,6 +49,29 @@ with lib;
        </fontconfig>
      '';
    # Versioned fontconfig > 2.10. Take shared fonts.conf from fontconfig.
    # Otherwise specify only font directories.
    environment.etc."fonts/${pkgs.fontconfig.configVersion}/fonts.conf".source =
      "${pkgs.fontconfig}/etc/fonts/fonts.conf";
    environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
      ''
        <?xml version='1.0'?>
        <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
        <fontconfig>
          <!-- Set the default hinting style to "slight". -->
          <match target="font">
            <edit mode="assign" name="hintstyle">
              <const>hintslight</const>
            </edit>
          </match>
          <!-- Font directories -->
          ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
        </fontconfig>
      '';
    environment.systemPackages = [ pkgs.fontconfig ];
  };
--- a/nixos/modules/config/fonts/fonts.nix
+++ b/nixos/modules/config/fonts/fonts.nix
@ -13,14 +13,6 @@ with lib;
        type = types.listOf types.path;
        example = literalExample "[ pkgs.dejavu_fonts ]";
        description = "List of primary font paths.";
        apply = list: list ++
          [ # - the user's current profile
            "~/.nix-profile/lib/X11/fonts"
            "~/.nix-profile/share/fonts"
            # - the default profile
            "/nix/var/nix/profiles/default/lib/X11/fonts"
            "/nix/var/nix/profiles/default/share/fonts"
          ];
      };
    };
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -39,6 +39,73 @@ in
      '';
    };
    networking.proxy = {
      default = lib.mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          This option specifies the default value for httpProxy, httpsProxy, ftpProxy and rsyncProxy.
        '';
        example = "http://127.0.0.1:3128";
      };
      httpProxy = lib.mkOption {
        type = types.nullOr types.str;
        default = cfg.proxy.default;
        description = ''
          This option specifies the http_proxy environment variable.
        '';
        example = "http://127.0.0.1:3128";
      };
      httpsProxy = lib.mkOption {
        type = types.nullOr types.str;
        default = cfg.proxy.default;
        description = ''
          This option specifies the https_proxy environment variable.
        '';
        example = "http://127.0.0.1:3128";
      };
      ftpProxy = lib.mkOption {
        type = types.nullOr types.str;
        default = cfg.proxy.default;
        description = ''
          This option specifies the ftp_proxy environment variable.
        '';
        example = "http://127.0.0.1:3128";
      };
      rsyncProxy = lib.mkOption {
        type = types.nullOr types.str;
        default = cfg.proxy.default;
        description = ''
          This option specifies the rsync_proxy environment variable.
        '';
        example = "http://127.0.0.1:3128";
      };
      noProxy = lib.mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          This option specifies the no_proxy environment variable.
          If a default proxy is used and noProxy is null,
          then noProxy will be set to 127.0.0.1,localhost.
        '';
        example = "127.0.0.1,localhost,.localdomain";
      };
      envVars = lib.mkOption {
        type = types.attrs;
        internal = true;
        default = {};
        description = ''
          Environment variables used for the network proxy.
        '';
      };
    };
  };
  config = {
@ -84,13 +151,59 @@ in
              dnsmasq_conf=/etc/dnsmasq-conf.conf
              dnsmasq_resolv=/etc/dnsmasq-resolv.conf
            '';
-      };
+
      } // (optionalAttrs config.services.resolved.enable (
        if dnsmasqResolve then {
          "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
        } else {
          "resolv.conf".source = "/run/systemd/resolve/resolv.conf";
        }
      ));
      networking.proxy.envVars =
        optionalAttrs (cfg.proxy.default != null) {
          # other options already fallback to proxy.default
          no_proxy = "127.0.0.1,localhost";
        } // optionalAttrs (cfg.proxy.httpProxy != null) {
          http_proxy  = cfg.proxy.httpProxy;
        } // optionalAttrs (cfg.proxy.httpsProxy != null) {
          https_proxy = cfg.proxy.httpsProxy;
        } // optionalAttrs (cfg.proxy.rsyncProxy != null) {
          rsync_proxy = cfg.proxy.rsyncProxy;
        } // optionalAttrs (cfg.proxy.ftpProxy != null) {
          ftp_proxy   = cfg.proxy.ftpProxy;
        } // optionalAttrs (cfg.proxy.noProxy != null) {
          no_proxy    = cfg.proxy.noProxy;
        };
    # Install the proxy environment variables
    environment.sessionVariables = cfg.proxy.envVars;
    # The ‘ip-up’ target is started when we have IP connectivity.  So
    # services that depend on IP connectivity (like ntpd) should be
    # pulled in by this target.
    systemd.targets.ip-up.description = "Services Requiring IP Connectivity";
    # This is needed when /etc/resolv.conf is being overriden by networkd
    # and other configurations. If the file is destroyed by an environment
    # activation then it must be rebuilt so that applications which interface
    # with /etc/resolv.conf directly don't break.
    system.activationScripts.resolvconf = stringAfter [ "etc" "tmpfs" "var" ]
      ''
        # Systemd resolved controls its own resolv.conf
        rm -f /run/resolvconf/interfaces/systemd
        ${optionalString config.services.resolved.enable ''
          rm -rf /run/resolvconf/interfaces
          mkdir -p /run/resolvconf/interfaces
          ln -s /run/systemd/resolve/resolv.conf /run/resolvconf/interfaces/systemd
        ''}
        # Make sure resolv.conf is up to date if not managed by systemd
        ${optionalString (!config.services.resolved.enable) ''
          ${pkgs.openresolv}/bin/resolvconf -u
        ''}
      '';
  };
-}
+  }
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@ -35,29 +35,27 @@ in
  config = {
-    environment.etc =
+    # Name Service Switch configuration file.  Required by the C
-      [ # Name Service Switch configuration file.  Required by the C library.
+    # library.  !!! Factor out the mdns stuff.  The avahi module
-        # !!! Factor out the mdns stuff.  The avahi module should define
+    # should define an option used by this module.
-        # an option used by this module.
+    environment.etc."nsswitch.conf".text =
-        { source = pkgs.writeText "nsswitch.conf"
+      ''
-            ''
+        passwd:    files ldap
-              passwd:    files ldap
+        group:     files ldap
-              group:     files ldap
+        shadow:    files ldap
-              shadow:    files ldap
+        hosts:     files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} ${optionalString nsswins "wins"} myhostname mymachines
-              hosts:     files ${optionalString nssmdns "mdns_minimal [NOTFOUND=return]"} dns ${optionalString nssmdns "mdns"} ${optionalString nsswins "wins"} myhostname
+        networks:  files dns
-              networks:  files dns
+        ethers:    files
-              ethers:    files
+        services:  files
-              services:  files
+        protocols: files
-              protocols: files
+      '';
            '';
          target = "nsswitch.conf";
        }
      ];
-    # Use nss-myhostname to ensure that our hostname always resolves to
+    # Systemd provides nss-myhostname to ensure that our hostname
-    # a valid IP address.  It returns all locally configured IP
+    # always resolves to a valid IP address.  It returns all locally
-    # addresses, or ::1 and 127.0.0.2 as fallbacks.
+    # configured IP addresses, or ::1 and 127.0.0.2 as
-    system.nssModules = [ pkgs.systemd ];
+    # fallbacks. Systemd also provides nss-mymachines to return IP
    # addresses of local containers.
    system.nssModules = [ config.systemd.package ];
  };
 }
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -12,7 +12,7 @@ let
  # Forces 32bit pulseaudio and alsaPlugins to be built/supported for apps
  # using 32bit alsa on 64bit linux.
-  enable32BitAlsaPlugins = stdenv.isx86_64 && (pkgs_i686.alsaLib != null);
+  enable32BitAlsaPlugins = stdenv.isx86_64 && (pkgs_i686.alsaLib != null && pkgs_i686.pulseaudio != null);
  ids = config.ids;
@ -126,8 +126,7 @@ in {
    (mkIf cfg.enable {
      environment.systemPackages = [
        cfg.package
-        (lib.optional enable32BitAlsaPlugins pkgs_i686.pulseaudio)
+      ] ++ lib.optionals enable32BitAlsaPlugins [ pkgs_i686.pulseaudio ];
      ];
      environment.etc = singleton {
        target = "asound.conf";
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@ -6,6 +6,15 @@ use JSON;
 make_path("/var/lib/nixos", { mode => 0755 });
 sub hashPassword {
    my ($password) = @_;
    my $salt = "";
    my @chars = ('.', '/', 0..9, 'A'..'Z', 'a'..'z');
    $salt .= $chars[rand 64] for (1..8);
    return crypt($password, '$6$' . $salt . '$');
 }
 # Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
 # /etc/login.defs.
 sub allocId {
@ -114,7 +123,7 @@ foreach my $g (@{$spec->{groups}}) {
 }
 # Update the persistent list of declarative groups.
-write_file($declGroupsFile, join(" ", sort(keys %groupsOut)));
+write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
 # Merge in the existing /etc/group.
 foreach my $name (keys %groupsCur) {
@ -131,7 +140,7 @@ foreach my $name (keys %groupsCur) {
 # Rewrite /etc/group. FIXME: acquire lock.
 my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
    (sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
-write_file("/etc/group.tmp", @lines);
+write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
 rename("/etc/group.tmp", "/etc/group") or die;
 system("nscd --invalidate group");
@ -160,6 +169,12 @@ foreach my $u (@{$spec->{users}}) {
    } else {
        $u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
        if (defined $u->{initialPassword}) {
            $u->{hashedPassword} = hashPassword($u->{initialPassword});
        } elsif (defined $u->{initialHashedPassword}) {
            $u->{hashedPassword} = $u->{initialHashedPassword};
        }
        # Create a home directory.
        if ($u->{createHome}) {
            make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
@ -174,6 +189,8 @@ foreach my $u (@{$spec->{users}}) {
        } else {
            warn "warning: password file ‘$u->{passwordFile}’ does not exist\n";
        }
    } elsif (defined $u->{password}) {
        $u->{hashedPassword} = hashPassword($u->{password});
    }
    $u->{fakePassword} = $existing->{fakePassword} // "x";
@ -181,7 +198,7 @@ foreach my $u (@{$spec->{users}}) {
 }
 # Update the persistent list of declarative users.
-write_file($declUsersFile, join(" ", sort(keys %usersOut)));
+write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
 # Merge in the existing /etc/passwd.
 foreach my $name (keys %usersCur) {
@ -197,7 +214,7 @@ foreach my $name (keys %usersCur) {
 # Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
    (sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
-write_file("/etc/passwd.tmp", @lines);
+write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
 rename("/etc/passwd.tmp", "/etc/passwd") or die;
 system("nscd --invalidate passwd");
@ -208,32 +225,22 @@ my %shadowSeen;
 foreach my $line (-f "/etc/shadow" ? read_file("/etc/shadow") : ()) {
    chomp $line;
-    my ($name, $password, @rest) = split(':', $line, -9);
+    my ($name, $hashedPassword, @rest) = split(':', $line, -9);
    my $u = $usersOut{$name};;
    next if !defined $u;
-    $password = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME
+    $hashedPassword = "!" if !$spec->{mutableUsers};
-    push @shadowNew, join(":", $name, $password, @rest) . "\n";
+    $hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword} && !$spec->{mutableUsers}; # FIXME
    push @shadowNew, join(":", $name, $hashedPassword, @rest) . "\n";
    $shadowSeen{$name} = 1;
 }
 foreach my $u (values %usersOut) {
    next if defined $shadowSeen{$u->{name}};
-    my $password = "!";
+    my $hashedPassword = "!";
-    $password = $u->{hashedPassword} if defined $u->{hashedPassword};
+    $hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword};
    # FIXME: set correct value for sp_lstchg.
-    push @shadowNew, join(":", $u->{name}, $password, "1::::::") . "\n";
+    push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
 }
-write_file("/etc/shadow.tmp", { perms => 0600 }, @shadowNew);
+write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
 rename("/etc/shadow.tmp", "/etc/shadow") or die;
 # Call chpasswd to apply password. FIXME: generate the hashes directly
 # and merge into the /etc/shadow updating above.
 foreach my $u (@{$spec->{users}}) {
    if (defined $u->{password}) {
        my $pid = open(PW, "| chpasswd") or die;
        print PW "$u->{name}:$u->{password}\n";
        close PW or die "unable to change password of user ‘$u->{name}’: $?\n";
    }
 }
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -8,19 +8,19 @@ let
  cfg = config.users;
  passwordDescription = ''
-    The options <literal>hashedPassword</literal>,
+    The options <option>hashedPassword</option>,
-    <literal>password</literal> and <literal>passwordFile</literal>
+    <option>password</option> and <option>passwordFile</option>
    controls what password is set for the user.
-    <literal>hashedPassword</literal> overrides both
+    <option>hashedPassword</option> overrides both
-    <literal>password</literal> and <literal>passwordFile</literal>.
+    <option>password</option> and <option>passwordFile</option>.
-    <literal>password</literal> overrides <literal>passwordFile</literal>.
+    <option>password</option> overrides <option>passwordFile</option>.
    If none of these three options are set, no password is assigned to
    the user, and the user will not be able to do password logins.
-    If the option <literal>users.mutableUsers</literal> is true, the
+    If the option <option>users.mutableUsers</option> is true, the
    password defined in one of the three options will only be set when
    the user is created for the first time. After that, you are free to
    change the password with the ordinary user management commands. If
-    <literal>users.mutableUsers</literal> is false, you cannot change
+    <option>users.mutableUsers</option> is false, you cannot change
    user passwords, they will always be set according to the password
    options.
  '';
@ -155,7 +155,7 @@ let
        default = false;
        description = ''
          If true, the user's shell will be set to
-          <literal>cfg.defaultUserShell</literal>.
+          <option>users.defaultUserShell</option>.
        '';
      };
@ -163,7 +163,7 @@ let
        type = with types; uniq (nullOr str);
        default = null;
        description = ''
-          Specifies the (hashed) password for the user.
+          Specifies the hashed password for the user.
          ${passwordDescription}
        '';
      };
@ -184,13 +184,44 @@ let
        type = with types; uniq (nullOr string);
        default = null;
        description = ''
-          The path to a file that contains the user's password. The password
+          The full path to a file that contains the user's password. The password
          file is read on each system activation. The file should contain
          exactly one line, which should be the password in an encrypted form
          that is suitable for the <literal>chpasswd -e</literal> command.
          ${passwordDescription}
        '';
      };
      initialHashedPassword = mkOption {
        type = with types; uniq (nullOr str);
        default = null;
        description = ''
          Specifies the initial hashed password for the user, i.e. the
          hashed password assigned if the user does not already
          exist. If <option>users.mutableUsers</option> is true, the
          password can be changed subsequently using the
          <command>passwd</command> command. Otherwise, it's
          equivalent to setting the <option>password</option> option.
        '';
      };
      initialPassword = mkOption {
        type = with types; uniq (nullOr str);
        default = null;
        description = ''
          Specifies the initial password for the user, i.e. the
          password assigned if the user does not already exist. If
          <option>users.mutableUsers</option> is true, the password
          can be changed subsequently using the
          <command>passwd</command> command. Otherwise, it's
          equivalent to setting the <option>password</option>
          option. The same caveat applies: the password specified here
          is world-readable in the Nix store, so it should only be
          used for guest accounts or passwords that will be changed
          promptly.
        '';
      };
    };
    config = mkMerge
@ -204,6 +235,14 @@ let
          useDefaultShell = mkDefault true;
          isSystemUser = mkDefault false;
        })
        # If !mutableUsers, setting ‘initialPassword’ is equivalent to
        # setting ‘password’ (and similarly for hashed passwords).
        (mkIf (!cfg.mutableUsers && config.initialPassword != null) {
          password = mkDefault config.initialPassword;
        })
        (mkIf (!cfg.mutableUsers && config.initialHashedPassword != null) {
          hashedPassword = mkDefault config.initialHashedPassword;
        })
      ];
  };
@ -306,7 +345,8 @@ let
    users = mapAttrsToList (n: u:
      { inherit (u)
          name uid group description home shell createHome isSystemUser
-          password passwordFile hashedPassword;
+          password passwordFile hashedPassword
          initialPassword initialHashedPassword;
      }) cfg.extraUsers;
    groups = mapAttrsToList (n: g:
      { inherit (g) name gid;
@ -386,24 +426,12 @@ in {
      options = [ groupOpts ];
    };
    # FIXME: obsolete - will remove.
    security.initialRootPassword = mkOption {
      type = types.str;
      default = "!";
      example = "";
-      description = ''
+      visible = false;
        The (hashed) password for the root account set on initial
        installation. The empty string denotes that root can login
        locally without a password (but not via remote services such
        as SSH, or indirectly via <command>su</command> or
        <command>sudo</command>). The string <literal>!</literal>
        prevents root from logging in using a password.
        Note that setting this option sets
        <literal>users.extraUsers.root.hashedPassword</literal>.
        Also, if <literal>users.mutableUsers</literal> is false
        you cannot change the root password manually, so in that case
        the name of this option is a bit misleading, since it will define
        the root password beyond the user initialisation phase.
      '';
    };
  };
@ -421,7 +449,7 @@ in {
        shell = mkDefault cfg.defaultUserShell;
        group = "root";
        extraGroups = [ "grsecurity" ];
-        hashedPassword = mkDefault config.security.initialRootPassword;
+        initialHashedPassword = mkDefault config.security.initialRootPassword;
      };
      nobody = {
        uid = ids.uids.nobody;
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@ -12,7 +12,8 @@ with lib;
      default = false;
      type = types.bool;
      description = ''
-        Turn on this option if you want to enable all the firmware shipped with Debian/Ubuntu.
+        Turn on this option if you want to enable all the firmware shipped with Debian/Ubuntu
        and iwlwifi.
      '';
    };
@ -22,7 +23,11 @@ with lib;
  ###### implementation
  config = mkIf config.hardware.enableAllFirmware {
-    hardware.firmware = [ "${pkgs.firmwareLinuxNonfree}/lib/firmware" ];
+    hardware.firmware = [
      "${pkgs.firmwareLinuxNonfree}/lib/firmware"
      "${pkgs.iwlegacy}/lib/firmware"
      "${pkgs.iwlwifi}/lib/firmware"
    ];
  };
 }
--- a/nixos/modules/hardware/video/bumblebee.nix
+++ b/nixos/modules/hardware/video/bumblebee.nix
@ -30,7 +30,7 @@ with lib;
    boot.kernelModules = [ "bbswitch" ];
    boot.extraModulePackages = [ kernel.bbswitch kernel.nvidia_x11 ];
-    environment.systemPackages = [ pkgs.bumblebee ];
+    environment.systemPackages = [ pkgs.bumblebee pkgs.primus ];
    systemd.services.bumblebeed = {
      description = "Bumblebee Hybrid Graphics Switcher";
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@ -11,7 +11,8 @@ let
  # FIXME: should introduce an option like
  # ‘hardware.video.nvidia.package’ for overriding the default NVIDIA
  # driver.
-  enabled = elem "nvidia" drivers || elem "nvidiaLegacy173" drivers || elem "nvidiaLegacy304" drivers;
+  enabled = elem "nvidia" drivers || elem "nvidiaLegacy173" drivers
    || elem "nvidiaLegacy304" drivers || elem "nvidiaLegacy340" drivers;
  nvidia_x11 =
    if elem "nvidia" drivers then
@ -20,6 +21,8 @@ let
      config.boot.kernelPackages.nvidia_x11_legacy173
    else if elem "nvidiaLegacy304" drivers then
      config.boot.kernelPackages.nvidia_x11_legacy304
    else if elem "nvidiaLegacy340" drivers then
      config.boot.kernelPackages.nvidia_x11_legacy340
    else throw "impossible";
 in
--- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix
@ -42,6 +42,12 @@ with lib;
  # Get a console as soon as the initrd loads fbcon on EFI boot.
  boot.initrd.kernelModules = [ "fbcon" ];
  # Add support for cow filesystems and their utilities
  boot.supportedFilesystems = [ "zfs" "btrfs" ];
  # Configure host id for ZFS to work
  networking.hostId = "8425e349";
  # Allow the user to log in as root without a password.
-  security.initialRootPassword = "";
+  users.extraUsers.root.initialHashedPassword = "";
 }
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical.nix
@ -11,6 +11,13 @@ with lib;
  # Provide wicd for easy wireless configuration.
  #networking.wicd.enable = true;
  # Include gparted for partitioning disks
  environment.systemPackages = [ pkgs.gparted ];
  # Provide networkmanager for easy wireless configuration.
  networking.networkmanager.enable = true;
  networking.wireless.enable = mkForce false;
  # KDE complains if power management is disabled (to be precise, if
  # there is no power management backend such as upower).
  powerManagement.enable = true;
@ -27,4 +34,70 @@ with lib;
      AutoLoginUser=root
      AutoLoginPass=""
    '';
  # Custom kde-workspace adding some icons on the desktop
  system.activationScripts.installerDesktop = let
    openManual = pkgs.writeScript "nixos-manual.sh" ''
      #!${pkgs.stdenv.shell}
      cd ${config.system.build.manual.manual}/share/doc/nixos/
      konqueror ./index.html
    '';
    desktopFile = pkgs.writeText "nixos-manual.desktop" ''
      [Desktop Entry]
      Version=1.0
      Type=Application
      Name=NixOS Manual
      Exec=${openManual}
      Icon=konqueror
    '';
  in ''
    mkdir -p /root/Desktop
    ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
    ln -sfT ${pkgs.kde4.konsole}/share/applications/kde4/konsole.desktop /root/Desktop/konsole.desktop
    ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
  '';
  services.xserver.desktopManager.kde4.kdeWorkspacePackage = let
    pkg = pkgs.kde4.kde_workspace;
    plasmaInit = pkgs.writeText "00-defaultLayout.js" ''
      loadTemplate("org.kde.plasma-desktop.defaultPanel")
      for (var i = 0; i < screenCount; ++i) {
      	var desktop = new Activity
        desktop.name = i18n("Desktop")
        desktop.screen = i
        desktop.wallpaperPlugin = 'image'
        desktop.wallpaperMode = 'SingleImage'
        var folderview = desktop.addWidget("folderview");
        folderview.writeConfig("url", "desktop:/");
        //Create more panels for other screens
        if (i > 0){
          var panel = new Panel
          panel.screen = i
          panel.location = 'bottom'
          panel.height = screenGeometry(i).height > 1024 ? 35 : 27
          var tasks = panel.addWidget("tasks")
          tasks.writeConfig("showOnlyCurrentScreen", true);
        }
      }
    '';
  in
    pkgs.stdenv.mkDerivation {
      inherit (pkg) name meta;
      buildCommand = ''
        mkdir -p $out
        cp -prf ${pkg}/* $out/
        chmod a+w $out/share/apps/plasma-desktop/init
        cp -f ${plasmaInit} $out/share/apps/plasma-desktop/init/00-defaultLayout.js
      '';
    };
 }
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -176,7 +176,10 @@ in
    # UUID of the USB stick.  It would be nicer to write
    # `root=/dev/disk/by-label/...' here, but UNetbootin doesn't
    # recognise that.
-    boot.kernelParams = [ "root=LABEL=${config.isoImage.volumeID}" ];
+    boot.kernelParams =
      [ "root=LABEL=${config.isoImage.volumeID}"
        "boot.shell_on_fail"
      ];
    fileSystems."/" =
      { fsType = "tmpfs";
--- a/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix
+++ b/nixos/modules/installer/cd-dvd/system-tarball-fuloong2f.nix
@ -76,7 +76,6 @@ in
      pkgs.ntfsprogs # for resizing NTFS partitions
      pkgs.btrfsProgs
      pkgs.jfsutils
      pkgs.jfsrec
      # Some compression/archiver tools.
      pkgs.unzip
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -235,7 +235,7 @@ chomp $virt;
 # Check if we're a VirtualBox guest.  If so, enable the guest
 # additions.
 if ($virt eq "oracle") {
-    push @attrs, "services.virtualbox.enable = true;"
+    push @attrs, "services.virtualboxGuest.enable = true;"
 }
@ -430,7 +430,7 @@ my $hwConfig = <<EOF;
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  imports =${\multiLineList("    ", @imports)};
@ -476,6 +476,14 @@ EOF
 EOF
        }
        # Generate a random 32-bit value to use as the host id
        open my $rnd, "<", "/dev/urandom" or die $!;
        read $rnd, $hostIdBin, 4;
        close $rnd;
        # Convert the 32-bit value to a hex string
        my $hostIdHex = unpack("H*", $hostIdBin);
        write_file($fn, <<EOF);
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
@ -491,6 +499,7 @@ EOF
 $bootLoaderConfig
  # networking.hostName = "nixos"; # Define your hostname.
  networking.hostId = "$hostIdHex";
  # networking.wireless.enable = true;  # Enables wireless.
  # Select internationalisation properties.
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@ -1,7 +1,7 @@
 # This module generates nixos-install, nixos-rebuild,
 # nixos-generate-config, etc.
-{ config, pkgs, modulesPath, lib, ... }:
+{ config, pkgs, modulesPath, ... }:
 let
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -154,6 +154,24 @@
      collectd = 144;
      consul = 145;
      mailpile = 146;
      redmine = 147;
      seeks = 148;
      prosody = 149;
      i2pd = 150;
      dnscrypt-proxy = 151;
      systemd-network = 152;
      systemd-resolve = 153;
      systemd-timesync = 154;
      liquidsoap = 155;
      etcd = 156;
      docker-registry = 157;
      hbase = 158;
      opentsdb = 159;
      scollector = 160;
      bosun = 161;
      kubernetes = 162;
      peerflix = 163;
      chronos = 164;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -273,8 +291,21 @@
      mlmmj = 135;
      riemann = 137;
      riemanndash = 138;
      hbase = 139;
      opentsdb = 140;
      uhub = 142;
      mailpile = 146;
      redmine = 147;
      seeks = 148;
      prosody = 149;
      i2pd = 150;
      systemd-network = 152;
      systemd-resolve = 153;
      systemd-timesync = 154;
      liquidsoap = 155;
      scollector = 156;
      bosun = 157;
      kubernetes = 158;
      # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -58,6 +58,7 @@
  ./programs/dconf.nix
  ./programs/environment.nix
  ./programs/info.nix
  ./programs/light.nix
  ./programs/nano.nix
  ./programs/screen.nix
  ./programs/shadow.nix
@ -66,6 +67,7 @@
  ./programs/ssmtp.nix
  ./programs/uim.nix
  ./programs/venus.nix
  ./programs/virtualbox-host.nix
  ./programs/wvdial.nix
  ./programs/freetds.nix
  ./programs/zsh/zsh.nix
@ -88,10 +90,12 @@
  ./services/audio/alsa.nix
  # Disabled as fuppes it does no longer builds.
  # ./services/audio/fuppes.nix
  ./services/audio/liquidsoap.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
  ./services/backup/almir.nix
  ./services/backup/bacula.nix
  ./services/backup/crashplan.nix
  ./services/backup/mysql-backup.nix
  ./services/backup/postgresql-backup.nix
  ./services/backup/rsnapshot.nix
@ -105,13 +109,15 @@
  ./services/databases/4store.nix
  ./services/databases/couchdb.nix
  ./services/databases/firebird.nix
  ./services/databases/hbase.nix
  ./services/databases/influxdb.nix
  ./services/databases/memcached.nix
  ./services/databases/monetdb.nix
  ./services/databases/mongodb.nix
  ./services/databases/mysql.nix
-  ./services/databases/neo4j.nix 
+  ./services/databases/neo4j.nix
  ./services/databases/openldap.nix
  ./services/databases/opentsdb.nix
  ./services/databases/postgresql.nix
  ./services/databases/redis.nix
  ./services/databases/virtuoso.nix
@ -163,6 +169,8 @@
  ./services/misc/cgminer.nix
  ./services/misc/dictd.nix
  ./services/misc/disnix.nix
  ./services/misc/docker-registry.nix
  ./services/misc/etcd.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/gitolite.nix
@ -174,6 +182,7 @@
  ./services/misc/nixos-manual.nix
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/phd.nix
  ./services/misc/redmine.nix
  ./services/misc/rippled.nix
  ./services/misc/rogue.nix
  ./services/misc/siproxd.nix
@ -182,6 +191,7 @@
  ./services/misc/uhub.nix
  ./services/misc/zookeeper.nix
  ./services/monitoring/apcupsd.nix
  ./services/monitoring/bosun.nix
  ./services/monitoring/collectd.nix
  ./services/monitoring/dd-agent.nix
  ./services/monitoring/graphite.nix
@ -190,6 +200,7 @@
  ./services/monitoring/nagios.nix
  ./services/monitoring/riemann.nix
  ./services/monitoring/riemann-dash.nix
  ./services/monitoring/scollector.nix
  ./services/monitoring/smartd.nix
  ./services/monitoring/statsd.nix
  ./services/monitoring/systemhealth.nix
@ -218,6 +229,7 @@
  ./services/networking/ddclient.nix
  ./services/networking/dhcpcd.nix
  ./services/networking/dhcpd.nix
  ./services/networking/dnscrypt-proxy.nix
  ./services/networking/dnsmasq.nix
  ./services/networking/ejabberd.nix
  ./services/networking/firewall.nix
@ -229,6 +241,7 @@
  ./services/networking/gvpe.nix
  ./services/networking/haproxy.nix
  ./services/networking/hostapd.nix
  ./services/networking/i2pd.nix
  ./services/networking/ifplugd.nix
  ./services/networking/iodined.nix
  ./services/networking/ircd-hybrid/default.nix
@ -250,6 +263,7 @@
  ./services/networking/polipo.nix
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/prosody.nix
  ./services/networking/quassel.nix
  ./services/networking/radicale.nix
  ./services/networking/radvd.nix
@ -257,9 +271,11 @@
  ./services/networking/rpcbind.nix
  ./services/networking/sabnzbd.nix
  ./services/networking/searx.nix
  ./services/networking/seeks.nix
  ./services/networking/spiped.nix
  ./services/networking/ssh/lshd.nix
  ./services/networking/ssh/sshd.nix
  ./services/networking/strongswan.nix
  ./services/networking/supybot.nix
  ./services/networking/syncthing.nix
  ./services/networking/tcpcrypt.nix
@ -276,6 +292,7 @@
  ./services/networking/znc.nix
  ./services/printing/cupsd.nix
  ./services/scheduling/atd.nix
  ./services/scheduling/chronos.nix
  ./services/scheduling/cron.nix
  ./services/scheduling/fcron.nix
  ./services/search/elasticsearch.nix
@ -293,6 +310,7 @@
  ./services/system/nscd.nix
  ./services/system/uptimed.nix
  ./services/torrent/deluge.nix
  ./services/torrent/peerflix.nix
  ./services/torrent/transmission.nix
  ./services/ttys/agetty.nix
  ./services/ttys/gpm.nix
@ -341,6 +359,7 @@
  ./system/boot/loader/efi.nix
  ./system/boot/loader/generations-dir/generations-dir.nix
  ./system/boot/loader/grub/grub.nix
  ./system/boot/loader/grub/ipxe.nix
  ./system/boot/loader/grub/memtest.nix
  ./system/boot/loader/gummiboot/gummiboot.nix
  ./system/boot/loader/init-script/init-script.nix
@ -354,6 +373,7 @@
  ./system/boot/tmp.nix
  ./system/etc/etc.nix
  ./system/upstart/upstart.nix
  ./tasks/bcache.nix
  ./tasks/cpu-freq.nix
  ./tasks/encrypted-devices.nix
  ./tasks/filesystems.nix
@ -361,6 +381,7 @@
  ./tasks/filesystems/cifs.nix
  ./tasks/filesystems/ext.nix
  ./tasks/filesystems/f2fs.nix
  ./tasks/filesystems/jfs.nix
  ./tasks/filesystems/nfs.nix
  ./tasks/filesystems/reiserfs.nix
  ./tasks/filesystems/unionfs-fuse.nix
@ -370,6 +391,8 @@
  ./tasks/kbd.nix
  ./tasks/lvm.nix
  ./tasks/network-interfaces.nix
  ./tasks/network-interfaces-systemd.nix
  ./tasks/network-interfaces-scripted.nix
  ./tasks/scsi-link-power-management.nix
  ./tasks/swraid.nix
  ./tasks/trackpoint.nix
@ -377,9 +400,12 @@
  ./virtualisation/container-config.nix
  ./virtualisation/containers.nix
  ./virtualisation/docker.nix
  ./virtualisation/kubernetes.nix
  ./virtualisation/libvirtd.nix
  ./virtualisation/lxc.nix
  #./virtualisation/nova.nix
  ./virtualisation/openvswitch.nix
  ./virtualisation/parallels-guest.nix
  ./virtualisation/virtualbox-guest.nix
  #./virtualisation/xen-dom0.nix
 ]
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@ -34,7 +34,6 @@
    pkgs.xfsprogs
    pkgs.jfsutils
    pkgs.f2fs-tools
    #pkgs.jfsrec # disabled because of Boost dependency
    # Some compression/archiver tools.
    pkgs.unzip
--- a/nixos/modules/programs/environment.nix
+++ b/nixos/modules/programs/environment.nix
@ -40,7 +40,6 @@ in
    # TODO: move most of these elsewhere
    environment.profileRelativeEnvVars =
      { PATH = [ "/bin" "/sbin" "/lib/kde4/libexec" ];
        MANPATH = [ "/man" "/share/man" ];
        INFOPATH = [ "/info" "/share/info" ];
        PKG_CONFIG_PATH = [ "/lib/pkgconfig" ];
        TERMINFO_DIRS = [ "/share/terminfo" ];
--- a/nixos/modules/programs/light.nix
+++ b/nixos/modules/programs/light.nix
@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.programs.light;
 in
 {
  options = {
    programs.light = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Whether to install Light backlight control with setuid wrapper.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.light ];
    security.setuidPrograms = [ "light" ];
  };
 }
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -59,6 +59,14 @@ in
        '';
      };
      agentTimeout = mkOption {
        type = types.nullOr types.string;
        default = "1h";
        description = ''
          How long to keep the private keys in memory. Use null to keep them forever.
        '';
      };
      package = mkOption {
        default = pkgs.openssh;
        description = ''
@ -99,7 +107,10 @@ in
        wantedBy = [ "default.target" ];
        serviceConfig =
          { ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
-            ExecStart = "${cfg.package}/bin/ssh-agent -a %t/ssh-agent";
+            ExecStart =
                "${cfg.package}/bin/ssh-agent " +
                optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") +
                "-a %t/ssh-agent";
            StandardOutput = "null";
            Type = "forking";
            Restart = "on-failure";
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@ -20,6 +20,7 @@ in
    networking.defaultMailServer = {
      directDelivery = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
@ -35,6 +36,7 @@ in
      };
      hostName = mkOption {
        type = types.str;
        example = "mail.example.org";
        description = ''
          The host name of the default mail server to use to deliver
@ -42,7 +44,17 @@ in
        '';
      };
      root = mkOption {
        type = types.str;
        default = "";
        example = "root@example.org";
        description = ''
          The e-mail to which mail for users with UID &lt; 1000 is forwarded.
        '';
      };
      domain = mkOption {
        type = types.str;
        default = "";
        example = "example.org";
        description = ''
@ -51,6 +63,7 @@ in
      };
      useTLS = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
@ -60,6 +73,7 @@ in
      };
      useSTARTTLS = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
@ -70,6 +84,7 @@ in
      };
      authUser = mkOption {
        type = types.str;
        default = "";
        example = "foo@example.org";
        description = ''
@ -78,6 +93,7 @@ in
      };
      authPass = mkOption {
        type = types.str;
        default = "";
        example = "correctHorseBatteryStaple";
        description = ''
@ -96,6 +112,7 @@ in
      ''
        MailHub=${cfg.hostName}
        FromLineOverride=YES
        ${if cfg.root != "" then "root=${cfg.root}" else ""}
        ${if cfg.domain != "" then "rewriteDomain=${cfg.domain}" else ""}
        UseTLS=${if cfg.useTLS then "YES" else "NO"}
        UseSTARTTLS=${if cfg.useSTARTTLS then "YES" else "NO"}
--- a/nixos/modules/programs/virtualbox-host.nix
+++ b/nixos/modules/programs/virtualbox-host.nix
@ -0,0 +1,72 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  virtualbox = config.boot.kernelPackages.virtualbox;
 in
 {
  options = {
    services.virtualboxHost.enable = mkEnableOption "VirtualBox Host support";
  };
  config = mkIf config.services.virtualboxHost.enable {
    boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    boot.extraModulePackages = [ virtualbox ];
    environment.systemPackages = [ virtualbox ];
    security.setuidOwners = let
      mkVboxStub = program: {
        inherit program;
        owner = "root";
        group = "vboxusers";
        setuid = true;
      };
    in map mkVboxStub [
      "VBoxBFE"
      "VBoxBalloonCtrl"
      "VBoxHeadless"
      "VBoxManage"
      "VBoxSDL"
      "VirtualBox"
    ];
    users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
    services.udev.extraRules =
      ''
        KERNEL=="vboxdrv",    OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        KERNEL=="vboxdrvu",   OWNER="root", GROUP="root",      MODE="0666", TAG+="systemd"
        KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
        SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
        SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
        SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
      '';
    # Since we lack the right setuid binaries, set up a host-only network by default.
    systemd.services."vboxnet0" =
      { description = "VirtualBox vboxnet0 Interface";
        requires = [ "dev-vboxnetctl.device" ];
        after = [ "dev-vboxnetctl.device" ];
        wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
        path = [ virtualbox ];
        serviceConfig.RemainAfterExit = true;
        serviceConfig.Type = "oneshot";
        script =
          ''
            if ! [ -e /sys/class/net/vboxnet0 ]; then
              VBoxManage hostonlyif create
            fi
          '';
        postStop =
          ''
            VBoxManage hostonlyif remove vboxnet0
          '';
      };
    networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
  };
 }
--- a/nixos/modules/programs/virtualbox.nix
+++ b/nixos/modules/programs/virtualbox.nix
@ -1,48 +1,8 @@
-{ config, lib, pkgs, ... }:
+let
-
+  msg = "Importing <nixpkgs/nixos/modules/programs/virtualbox.nix> is "
-with lib;
+      + "deprecated, please use `services.virtualboxHost.enable = true' "
-
+      + "instead.";
-let virtualbox = config.boot.kernelPackages.virtualbox; in
+in {
-
+  config.warnings = [ msg ];
-{
+  config.services.virtualboxHost.enable = true;
  boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
  boot.extraModulePackages = [ virtualbox ];
  environment.systemPackages = [ virtualbox ];
  users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
  services.udev.extraRules =
    ''
      KERNEL=="vboxdrv",    OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
      KERNEL=="vboxdrvu",   OWNER="root", GROUP="root",      MODE="0666", TAG+="systemd"
      KERNEL=="vboxnetctl", OWNER="root", GROUP="vboxusers", MODE="0660", TAG+="systemd"
      SUBSYSTEM=="usb_device", ACTION=="add", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
      SUBSYSTEM=="usb", ACTION=="add", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh $major $minor $attr{bDeviceClass}"
      SUBSYSTEM=="usb_device", ACTION=="remove", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
      SUBSYSTEM=="usb", ACTION=="remove", ENV{DEVTYPE}=="usb_device", RUN+="${virtualbox}/libexec/virtualbox/VBoxCreateUSBNode.sh --remove $major $minor"
    '';
  # Since we lack the right setuid binaries, set up a host-only network by default.
  systemd.services."vboxnet0" =
    { description = "VirtualBox vboxnet0 Interface";
      requires = [ "dev-vboxnetctl.device" ];
      after = [ "dev-vboxnetctl.device" ];
      wantedBy = [ "network.target" "sys-subsystem-net-devices-vboxnet0.device" ];
      path = [ virtualbox ];
      serviceConfig.RemainAfterExit = true;
      serviceConfig.Type = "oneshot";
      script =
        ''
          if ! [ -e /sys/class/net/vboxnet0 ]; then
            VBoxManage hostonlyif create
          fi
        '';
      postStop =
        ''
          VBoxManage hostonlyif remove vboxnet0
        '';
    };
  networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
 }
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -107,6 +107,12 @@ in zipModules ([]
 ++ obsolete [ "services" "xserver" "startOpenSSHAgent" ] [ "programs" "ssh" "startAgent" ]
 ++ obsolete [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "xbmc" ]
 # VirtualBox
 ++ obsolete [ "services" "virtualbox" "enable" ] [ "services" "virtualboxGuest" "enable" ]
 # proxy
 ++ obsolete [ "nix" "proxy" ] [ "networking" "proxy" "default" ]
 # KDE
 ++ deprecated [ "kde" "extraPackages" ] [ "environment" "kdePackages" ]
 # ++ obsolete [ "environment" "kdePackages" ] [ "environment" "systemPackages" ] # !!! doesn't work!
@ -130,5 +136,7 @@ in zipModules ([]
 ++ obsolete' [ "boot" "initrd" "luks" "enable" ]
 ++ obsolete' [ "programs" "bash" "enable" ]
 ++ obsolete' [ "services" "samba" "defaultShare" ]
 ++ obsolete' [ "services" "syslog-ng" "serviceName" ]
 ++ obsolete' [ "services" "syslog-ng" "listenToJournal" ]
 )
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@ -16,6 +16,7 @@ with lib;
      { SSL_CERT_FILE          = "/etc/ssl/certs/ca-bundle.crt";
        # FIXME: unneeded - remove eventually.
        OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
        # FIXME: unneeded - remove eventually.
        GIT_SSL_CAINFO         = "/etc/ssl/certs/ca-bundle.crt";
      };
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -30,7 +30,7 @@ in
        type = types.bool;
        default = false;
        description = ''
-          Enable the stable grsecurity patch, based on Linux 3.2.
+          Enable the stable grsecurity patch, based on Linux 3.14.
        '';
      };
@ -38,7 +38,7 @@ in
        type = types.bool;
        default = false;
        description = ''
-          Enable the testing grsecurity patch, based on Linux 3.13.
+          Enable the testing grsecurity patch, based on Linux 3.17.
        '';
      };
@ -226,8 +226,8 @@ in
      [ { assertion = cfg.stable || cfg.testing;
          message   = ''
            If grsecurity is enabled, you must select either the
-            stable patch (with kernel 3.2), or the testing patch (with
+            stable patch (with kernel 3.14), or the testing patch (with
-            kernel 3.13) to continue.
+            kernel 3.17) to continue.
          '';
        }
        { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable);
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@ -46,6 +46,14 @@ in
          <filename>sudoers</filename> file.
        '';
    };
    security.sudo.extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        Extra configuration text appended to <filename>sudoers</filename>.
      '';
    };
  };
@ -55,7 +63,8 @@ in
    security.sudo.configFile =
      ''
-        # Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead.
+        # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
        # and security.sudo.extraConfig instead.
        # Environment variables to keep for root and %wheel.
        Defaults:root,%wheel env_keep+=TERMINFO_DIRS
@ -69,6 +78,7 @@ in
        # Users in the "wheel" group can do anything.
        %wheel      ALL=(ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL
        ${cfg.extraConfig}
      '';
    security.setuidPrograms = [ "sudo" "sudoedit" ];
--- a/nixos/modules/services/audio/liquidsoap.nix
+++ b/nixos/modules/services/audio/liquidsoap.nix
@ -0,0 +1,74 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  streams = builtins.attrNames config.services.liquidsoap.streams;
  streamService =
    name:
    let stream = builtins.getAttr name config.services.liquidsoap.streams; in
    { inherit name;
      value = {
        after = [ "network-online.target" "sound.target" ];
        description = "${name} liquidsoap stream";
        wantedBy = [ "multi-user.target" ];
        path = [ pkgs.wget ];
        preStart =
          ''
            mkdir -p /var/log/liquidsoap
            chown liquidsoap -R /var/log/liquidsoap
          '';
        serviceConfig = {
          PermissionsStartOnly="true";
          ExecStart = "${pkgs.liquidsoap}/bin/liquidsoap ${stream}";
          User = "liquidsoap";
        };
      };
    };
 in
 {
  ##### interface
  options = {
    services.liquidsoap.streams = mkOption {
      description =
        ''
          Set of Liquidsoap streams to start,
          one systemd service per stream.
        '';
      default = {};
      example = {
        myStream1 = literalExample "\"/etc/liquidsoap/myStream1.liq\"";
        myStream2 = literalExample "./myStream2.liq";
        myStream3 = literalExample "\"out(playlist(\"/srv/music/\"))\"";
      };
      type = types.attrsOf (types.either types.path types.str);
    };
  };
  ##### implementation
  config = mkIf (builtins.length streams != 0) {
    users.extraUsers.liquidsoap = {
      uid = config.ids.uids.liquidsoap;
      group = "liquidsoap";
      extraGroups = [ "audio" ];
      description = "Liquidsoap streaming user";
      home = "/var/lib/liquidsoap";
      createHome = true;
    };
    users.extraGroups.liquidsoap.gid = config.ids.gids.liquidsoap;
    systemd.services = builtins.listToAttrs ( map streamService streams );
  };
 }
--- a/nixos/modules/services/backup/almir.nix
+++ b/nixos/modules/services/backup/almir.nix
@ -109,6 +109,7 @@ in {
      };
      sqlalchemy_engine_url = mkOption {
        default = "postgresql:///bacula";
        example = ''
          postgresql://bacula:bacula@localhost:5432/bacula
          mysql+mysqlconnector://<user>:<password>@<hostname>/<database>'
--- a/nixos/modules/services/backup/crashplan.nix
+++ b/nixos/modules/services/backup/crashplan.nix
@ -0,0 +1,63 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.crashplan;
  crashplan = pkgs.crashplan;
  varDir = "/var/lib/crashplan";
 in
 with lib;
 {
  options = {
    services.crashplan = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Starts crashplan background service.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ crashplan ];
    systemd.services.crashplan = {
      description = "CrashPlan Backup Engine";
      wantedBy = [ "multi-user.target" ];
      after    = [ "network.target" ];
      preStart = ''
        ensureDir() {
          dir=$1
          mode=$2
          if ! test -e $dir; then
            ${pkgs.coreutils}/bin/mkdir -m $mode -p $dir
          elif [ "$(${pkgs.coreutils}/bin/stat -c %a $dir)" != "$mode" ]; then
            ${pkgs.coreutils}/bin/chmod $mode $dir
          fi
        }
        ensureDir ${crashplan.vardir} 755
        ensureDir ${crashplan.vardir}/conf 700
        ensureDir ${crashplan.manifestdir} 700
        ensureDir ${crashplan.vardir}/cache 700
        ensureDir ${crashplan.vardir}/backupArchives 700
        ensureDir ${crashplan.vardir}/log 777
      '';
      serviceConfig = {
        Type = "forking";
        EnvironmentFile = "${crashplan}/bin/run.conf";
        ExecStart = "${crashplan}/bin/CrashPlanEngine start";
        ExecStop = "${crashplan}/bin/CrashPlanEngine stop";
        PIDFile = "${crashplan.vardir}/CrashPlanEngine.pid";
        WorkingDirectory = crashplan;
      };
    };
  };
 }
--- a/nixos/modules/services/backup/rsnapshot.nix
+++ b/nixos/modules/services/backup/rsnapshot.nix
@ -39,11 +39,20 @@ in
          as retain options.
        '';
      };
      package = mkOption {
        type = types.package;
        default = pkgs.rsnapshot;
        example = literalExample "pkgs.rsnapshotGit";
        description = ''
          RSnapshot package to use.
        '';
      };
    };
  };
  config = mkIf cfg.enable (let
-    myRsnapshot = pkgs.rsnapshot.override { configFile = rsnapshotCfg; };
+    myRsnapshot = cfg.package.override { configFile = rsnapshotCfg; };
    rsnapshotCfg = with pkgs; writeText "gen-rsnapshot.conf" (''
        config_version	1.2
        cmd_cp	${coreutils}/bin/cp
--- a/nixos/modules/services/databases/4store-endpoint.nix
+++ b/nixos/modules/services/databases/4store-endpoint.nix
@ -56,14 +56,13 @@ with lib;
      { name = endpointUser;
        uid = config.ids.uids.fourstorehttp;
        description = "4Store SPARQL endpoint user";
 #        home = stateDir;
      };
    services.avahi.enable = true;
    jobs.fourStoreEndpoint = {
      name = "4store-endpoint";
-      startOn = "filesystem";
+      startOn = "ip-up";
      exec = ''
        ${run} '${pkgs.rdf4store}/bin/4s-httpd -D ${cfg.options} ${if cfg.listenAddress!=null then "-H ${cfg.listenAddress}" else "" } -p ${toString cfg.port} ${cfg.database}'
--- a/nixos/modules/services/databases/4store.nix
+++ b/nixos/modules/services/databases/4store.nix
@ -54,7 +54,7 @@ with lib;
    jobs.fourStore = {
      name = "4store";
-      startOn = "filesystem";
+      startOn = "ip-up";
      preStart = ''
        mkdir -p ${stateDir}/
--- a/nixos/modules/services/databases/hbase.nix
+++ b/nixos/modules/services/databases/hbase.nix
@ -0,0 +1,133 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.hbase;
  configFile = pkgs.writeText "hbase-site.xml" ''
    <configuration>
      <property>
        <name>hbase.rootdir</name>
        <value>file://${cfg.dataDir}/hbase</value>
      </property>
      <property>
        <name>hbase.zookeeper.property.dataDir</name>
        <value>${cfg.dataDir}/zookeeper</value>
      </property>
    </configuration>
  '';
  configDir = pkgs.runCommand "hbase-config-dir" {} ''
    mkdir -p $out
    cp ${cfg.package}/conf/* $out/
    rm $out/hbase-site.xml
    ln -s ${configFile} $out/hbase-site.xml
  '' ;
 in {
  ###### interface
  options = {
    services.hbase = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to run HBase.
        '';
      };
      package = mkOption {
        type = types.package;
        default = pkgs.hbase;
        example = literalExample "pkgs.hbase";
        description = ''
          HBase package to use.
        '';
      };
      user = mkOption {
        type = types.string;
        default = "hbase";
        description = ''
          User account under which HBase runs.
        '';
      };
      group = mkOption {
        type = types.string;
        default = "hbase";
        description = ''
          Group account under which HBase runs.
        '';
      };
      dataDir = mkOption {
        type = types.path;
        default = "/var/lib/hbase";
        description = ''
          Specifies location of HBase database files. This location should be
          writable and readable for the user the HBase service runs as
          (hbase by default).
        '';
      };
      logDir = mkOption {
        type = types.path;
        default = "/var/log/hbase";
        description = ''
          Specifies the location of HBase log files.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf config.services.hbase.enable {
    systemd.services.hbase = {
      description = "HBase Server";
      wantedBy = [ "multi-user.target" ];
      environment = {
        JAVA_HOME = "${pkgs.jre}";
        HBASE_LOG_DIR = cfg.logDir;
      };
      preStart =
        ''
        mkdir -p ${cfg.dataDir};
        mkdir -p ${cfg.logDir};
        if [ "$(id -u)" = 0 ]; then
          chown ${cfg.user}:${cfg.group} ${cfg.dataDir}
          chown ${cfg.user}:${cfg.group} ${cfg.logDir}
        fi
        '';
      serviceConfig = {
        PermissionsStartOnly = true;
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${cfg.package}/bin/hbase --config ${configDir} master start";
      };
    };
    users.extraUsers.hbase = {
      description = "HBase Server user";
      group = "hbase";
      uid = config.ids.uids.hbase;
    };
    users.extraGroups.hbase.gid = config.ids.gids.hbase;
  };
 }
--- a/nixos/modules/services/databases/neo4j.nix
+++ b/nixos/modules/services/databases/neo4j.nix
@ -19,7 +19,7 @@ let
    org.neo4j.server.webadmin.rrdb.location=${cfg.dataDir}/data/rrd
    org.neo4j.server.webadmin.data.uri=/db/data/
    org.neo4j.server.webadmin.management.uri=/db/manage/
-    org.neo4j.server.db.tuning.properties=${pkgs.neo4j}/share/neo4j/conf/neo4j.properties
+    org.neo4j.server.db.tuning.properties=${cfg.package}/share/neo4j/conf/neo4j.properties
    org.neo4j.server.manage.console_engines=shell
    ${cfg.extraServerConfig}
  '';
@ -46,6 +46,12 @@ in {
      type = types.uniq types.bool;
    };
    package = mkOption {
      description = "Neo4j package to use.";
      default = pkgs.neo4j;
      type = types.package;
    };
    host = mkOption {
      description = "Neo4j listen address.";
      default = "127.0.0.1";
@ -119,7 +125,7 @@ in {
      after = [ "network-interfaces.target" ];
      environment = { NEO4J_INSTANCE = cfg.dataDir; };
      serviceConfig = {
-        ExecStart = "${pkgs.neo4j}/bin/neo4j console";
+        ExecStart = "${cfg.package}/bin/neo4j console";
        User = "neo4j";
        PermissionsStartOnly = true;
      };
--- a/nixos/modules/services/databases/opentsdb.nix
+++ b/nixos/modules/services/databases/opentsdb.nix
@ -0,0 +1,100 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.opentsdb;
  configFile = pkgs.writeText "opentsdb.conf" ''
    tsd.core.auto_create_metrics = true
    tsd.http.request.enable_chunked  = true
  '';
 in {
  ###### interface
  options = {
    services.opentsdb = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to run OpenTSDB.
        '';
      };
      package = mkOption {
        type = types.package;
        default = pkgs.opentsdb;
        example = literalExample "pkgs.opentsdb";
        description = ''
          OpenTSDB package to use.
        '';
      };
      user = mkOption {
        type = types.string;
        default = "opentsdb";
        description = ''
          User account under which OpenTSDB runs.
        '';
      };
      group = mkOption {
        type = types.string;
        default = "opentsdb";
        description = ''
          Group account under which OpenTSDB runs.
        '';
      };
      port = mkOption {
        type = types.int;
        default = 4242;
        description = ''
          Which port OpenTSDB listens on.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf config.services.opentsdb.enable {
    systemd.services.opentsdb = {
      description = "OpenTSDB Server";
      wantedBy = [ "multi-user.target" ];
      requires = [ "hbase.service" ];
      environment.JAVA_HOME = "${pkgs.jre}";
      path = [ pkgs.gnuplot ];
      preStart =
        ''
        COMPRESSION=NONE HBASE_HOME=${config.services.hbase.package} ${cfg.package}/share/opentsdb/tools/create_table.sh
        '';
      serviceConfig = {
        PermissionsStartOnly = true;
        User = cfg.user;
        Group = cfg.group;
        ExecStart = "${cfg.package}/bin/tsdb tsd --staticroot=${cfg.package}/share/opentsdb/static --cachedir=/tmp/opentsdb --port=${toString cfg.port} --config=${configFile}";
      };
    };
    users.extraUsers.opentsdb = {
      description = "OpenTSDB Server user";
      group = "opentsdb";
      uid = config.ids.uids.opentsdb;
    };
    users.extraGroups.opentsdb.gid = config.ids.gids.opentsdb;
  };
 }
--- a/nixos/modules/services/databases/virtuoso.nix
+++ b/nixos/modules/services/databases/virtuoso.nix
@ -63,7 +63,7 @@ with lib;
    jobs.virtuoso = {
      name = "virtuoso";
-      startOn = "filesystem";
+      startOn = "ip-up";
      preStart = ''
 	mkdir -p ${stateDir}
--- a/nixos/modules/services/hardware/thermald.nix
+++ b/nixos/modules/services/hardware/thermald.nix
@ -19,6 +19,8 @@ in {
  ###### implementation
  config = mkIf cfg.enable {
    services.dbus.packages = [ pkgs.thermald ];
    systemd.services.thermald = {
      description = "Thermal Daemon Service";
      wantedBy = [ "multi-user.target" ];
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@ -31,6 +31,7 @@ let
    buildCommand = ''
      mkdir -p $out
      shopt -s nullglob
      set +o pipefail
      # Set a reasonable $PATH for programs called by udev rules.
      echo 'ENV{PATH}="${udevPath}/bin:${udevPath}/sbin"' > $out/00-path.rules
@ -168,7 +169,6 @@ in
    hardware.firmware = mkOption {
      type = types.listOf types.path;
      default = [];
      example = [ "/root/my-firmware" ];
      description = ''
        List of directories containing firmware files.  Such files
        will be loaded automatically if the kernel asks for them
@ -177,10 +177,10 @@ in
        firmware file with the same name, the first path in the list
        takes precedence.  Note that you must rebuild your system if
        you add files to any of these directories.  For quick testing,
-        put firmware files in /root/test-firmware and add that
+        put firmware files in <filename>/root/test-firmware</filename>
-        directory to the list.
+        and add that directory to the list.  Note that you can also
-        Note that you can also add firmware packages to this
+        add firmware packages to this list as these are directories in
-        list as these are directories in the nix store.
+        the nix store.
      '';
      apply = list: pkgs.buildEnv {
        name = "firmware";
@ -244,6 +244,11 @@ in
          echo "regenerating udev hardware database..."
          ${config.systemd.package}/bin/udevadm hwdb --update && ln -sfn ${config.systemd.package} /var/lib/udev/prev-systemd
        fi
        # Allow the kernel to find our firmware.
        if [ -e /sys/module/firmware_class/parameters/path ]; then
          echo -n "${config.hardware.firmware}" > /sys/module/firmware_class/parameters/path
        fi
      '';
    systemd.services.systemd-udevd =
--- a/nixos/modules/services/logging/logrotate.nix
+++ b/nixos/modules/services/logging/logrotate.nix
@ -21,6 +21,7 @@ in
      config = mkOption {
        default = "";
        type = types.lines;
        description = ''
          The contents of the logrotate config file
        '';
--- a/nixos/modules/services/logging/logstash.nix
+++ b/nixos/modules/services/logging/logstash.nix
@ -4,6 +4,16 @@ with lib;
 let
  cfg = config.services.logstash;
  pluginPath = lib.concatStringsSep ":" cfg.plugins;
  havePluginPath = lib.length cfg.plugins > 0;
  ops = lib.optionalString;
  verbosityFlag = {
    debug = "--debug";
    info  = "--verbose";
    warn  = ""; # intentionally empty
    error = "--quiet";
    fatal = "--silent";
  }."${cfg.logLevel}";
 in
@ -20,12 +30,56 @@ in
        description = "Enable logstash.";
      };
      package = mkOption {
        type = types.package;
        default = pkgs.logstash;
        example = literalExample "pkgs.logstash";
        description = "Logstash package to use.";
      };
      plugins = mkOption {
        type = types.listOf types.path;
        default = [ ];
        example = literalExample "[ pkgs.logstash-contrib ]";
        description = "The paths to find other logstash plugins in.";
      };
      logLevel = mkOption {
        type = types.enum [ "debug" "info" "warn" "error" "fatal" ];
        default = "warn";
        description = "Logging verbosity level.";
      };
      watchdogTimeout = mkOption {
        type = types.int;
        default = 10;
        description = "Set watchdog timeout value in seconds.";
      };
      filterWorkers = mkOption {
        type = types.int;
        default = 1;
        description = "The quantity of filter workers to run.";
      };
      enableWeb = mkOption {
        type = types.bool;
        default = false;
        description = "Enable the logstash web interface.";
      };
      address = mkOption {
        type = types.str;
        default = "0.0.0.0";
        description = "Address on which to start webserver.";
      };
      port = mkOption {
        type = types.str;
        default = "9292";
        description = "Port on which to start webserver.";
      };
      inputConfig = mkOption {
        type = types.lines;
        default = ''stdin { type => "example" }'';
@ -79,19 +133,26 @@ in
      wantedBy = [ "multi-user.target" ];
      environment = { JAVA_HOME = jre; };
      serviceConfig = {
-        ExecStart = "${logstash}/bin/logstash agent -f ${writeText "logstash.conf" ''
+        ExecStart =
-          input {
+          "${cfg.package}/bin/logstash agent " +
-            ${cfg.inputConfig}
+          "-w ${toString cfg.filterWorkers} " +
-          }
+          ops havePluginPath "--pluginpath ${pluginPath} " +
          "${verbosityFlag} " +
          "--watchdog-timeout ${toString cfg.watchdogTimeout} " +
          "-f ${writeText "logstash.conf" ''
            input {
              ${cfg.inputConfig}
            }
-          filter {
+            filter {
-            ${cfg.filterConfig}
+              ${cfg.filterConfig}
-          }
+            }
-          output {
+            output {
-            ${cfg.outputConfig}
+              ${cfg.outputConfig}
-          }
+            }
-        ''} ${optionalString cfg.enableWeb "-- web"}";
+          ''} " +
          ops cfg.enableWeb "-- web -a ${cfg.address} -p ${cfg.port}";
      };
    };
  };
--- a/nixos/modules/services/logging/syslog-ng.nix
+++ b/nixos/modules/services/logging/syslog-ng.nix
@ -7,8 +7,7 @@ let
  cfg = config.services.syslog-ng;
  syslogngConfig = pkgs.writeText "syslog-ng.conf" ''
-    @version: 3.5
+    ${cfg.configHeader}
    @include "scl.conf"
    ${cfg.extraConfig}
  '';
@ -44,15 +43,6 @@ in {
          The package providing syslog-ng binaries.
        '';
      };
      serviceName = mkOption {
        type = types.str;
        default = "syslog-ng";
        description = ''
          The name of the systemd service that runs syslog-ng. Set this to
          <literal>syslog</literal> if you want journald to automatically
          forward all logs to syslog-ng.
        '';
      };
      extraModulePaths = mkOption {
        type = types.listOf types.str;
        default = [];
@ -72,16 +62,28 @@ in {
          Configuration added to the end of <literal>syslog-ng.conf</literal>.
        '';
      };
      configHeader = mkOption {
        type = types.lines;
        default = ''
          @version: 3.6
          @include "scl.conf"
        '';
        description = ''
          The very first lines of the configuration file. Should usually contain
          the syslog-ng version header.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
-    systemd.services."${cfg.serviceName}" = {
+    systemd.services.syslog-ng = {
-      wantedBy = [ "multi-user.target" ];
+      description = "syslog-ng daemon";
      preStart = "mkdir -p /{var,run}/syslog-ng";
      wantedBy = [ "multi-user.target" ];
      after = [ "multi-user.target" ]; # makes sure hostname etc is set
      serviceConfig = {
        Type = "notify";
        Sockets = "syslog.socket";
        StandardOutput = "null";
        Restart = "on-failure";
        ExecStart = "${cfg.package}/sbin/syslog-ng ${concatStringsSep " " syslogngOptions}";
--- a/nixos/modules/services/misc/docker-registry.nix
+++ b/nixos/modules/services/misc/docker-registry.nix
@ -0,0 +1,82 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.dockerRegistry;
 in {
  ###### interface
  options.services.dockerRegistry = {
    enable = mkOption {
      description = "Whether to enable docker registry server.";
      default = false;
      type = types.bool;
    };
    host = mkOption {
      description = "Docker registry host or ip to bind to.";
      default = "127.0.0.1";
      type = types.str;
    };
    port = mkOption {
      description = "Docker registry port to bind to.";
      default = 5000;
      type = types.int;
    };
    storagePath = mkOption {
      type = types.path;
      default = "/var/lib/docker/registry";
      description = "Docker registry strorage path.";
    };
    extraConfig = mkOption {
      description = ''
        Docker extra registry configuration. See
        <link xlink:href="https://github.com/docker/docker-registry/blob/master/config/config_sample.yml"/>
      '';
      default = {};
      type = types.attrsOf types.str;
    };
  };
  config = mkIf cfg.enable {
    systemd.services.docker-registry = {
      description = "Docker Container Registry";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      environment = {
        REGISTRY_HOST = cfg.host;
        REGISTRY_PORT = toString cfg.port;
        GUNICORN_OPTS = "[--preload]"; # see https://github.com/docker/docker-registry#sqlalchemy
        STORAGE_PATH = cfg.storagePath;
      } // cfg.extraConfig;
      serviceConfig = {
        ExecStart = "${pkgs.pythonPackages.docker_registry}/bin/docker-registry";
        User = "docker-registry";
        Group = "docker";
        PermissionsStartOnly = true;
      };
      preStart = ''
        mkdir -p ${cfg.storagePath}
        if [ "$(id -u)" = 0 ]; then
          chown -R docker-registry:docker ${cfg.storagePath}
        fi
      '';
      postStart = ''
        until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.host}:${toString cfg.port}/'; do
          sleep 1;
        done
      '';
    };
    users.extraGroups.docker.gid = mkDefault config.ids.gids.docker;
    users.extraUsers.docker-registry.uid = config.ids.uids.docker-registry;
  };
 }
--- a/nixos/modules/services/misc/etcd.nix
+++ b/nixos/modules/services/misc/etcd.nix
@ -0,0 +1,144 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.etcd;
 in {
  options.services.etcd = {
    enable = mkOption {
      description = "Whether to enable etcd.";
      default = false;
      type = types.uniq types.bool;
    };
    name = mkOption {
      description = "Etcd unique node name.";
      default = config.networking.hostName;
      type = types.str;
    };
    advertiseClientUrls = mkOption {
      description = "Etcd list of this member's client URLs to advertise to the rest of the cluster.";
      default = cfg.listenClientUrls;
      type = types.listOf types.str;
    };
    listenClientUrls = mkOption {
      description = "Etcd list of URLs to listen on for client traffic.";
      default = ["http://localhost:4001"];
      type = types.listOf types.str;
    };
    listenPeerUrls = mkOption {
      description = "Etcd list of URLs to listen on for peer traffic.";
      default = ["http://localhost:7001"];
      type = types.listOf types.str;
    };
    initialAdvertisePeerUrls = mkOption {
      description = "Etcd list of this member's peer URLs to advertise to rest of the cluster.";
      default = cfg.listenPeerUrls;
      type = types.listOf types.str;
    };
    initialCluster = mkOption {
      description = "Etcd initial cluster configuration for bootstrapping.";
      default = ["${cfg.name}=http://localhost:7001"];
      type = types.listOf types.str;
    };
    initialClusterState = mkOption {
      description = "Etcd initial cluster configuration for bootstrapping.";
      default = "new";
      type = types.enum ["new" "existing"];
    };
    initialClusterToken = mkOption {
      description = "Etcd initial cluster token for etcd cluster during bootstrap.";
      default = "etcd-cluster";
      type = types.str;
    };
    discovery = mkOption {
      description = "Etcd discovery url";
      default = "";
      type = types.str;
    };
    extraConf = mkOption {
      description = ''
        Etcd extra configuration. See
        <link xlink:href='https://github.com/coreos/etcd/blob/master/Documentation/configuration.md#environment-variables' />
      '';
      type = types.attrsOf types.str;
      default = {};
      example = literalExample ''
        {
          "CORS": "*",
          "NAME": "default-name",
          "MAX_RESULT_BUFFER": "1024",
          "MAX_CLUSTER_SIZE": "9",
          "MAX_RETRY_ATTEMPTS": "3"
        }
      '';
    };
    dataDir = mkOption {
      type = types.path;
      default = "/var/lib/etcd";
      description = "Etcd data directory.";
    };
  };
  config = mkIf cfg.enable {
    systemd.services.etcd = {
      description = "Etcd Daemon";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      environment = {
        ETCD_NAME = cfg.name;
        ETCD_DISCOVERY = cfg.discovery;
        ETCD_DATA_DIR = cfg.dataDir;
        ETCD_ADVERTISE_CLIENT_URLS = concatStringsSep "," cfg.advertiseClientUrls;
        ETCD_LISTEN_CLIENT_URLS = concatStringsSep "," cfg.listenClientUrls;
        ETCD_LISTEN_PEER_URLS = concatStringsSep "," cfg.listenPeerUrls;
        ETCD_INITIAL_ADVERTISE_PEER_URLS = concatStringsSep "," cfg.initialAdvertisePeerUrls;
      } // (optionalAttrs (cfg.discovery == ""){
        ETCD_INITIAL_CLUSTER = concatStringsSep "," cfg.initialCluster;
        ETCD_INITIAL_CLUSTER_STATE = cfg.initialClusterState;
        ETCD_INITIAL_CLUSTER_TOKEN = cfg.initialClusterToken;
      }) // (mapAttrs' (n: v: nameValuePair "ETCD_${n}" v) cfg.extraConf);
      serviceConfig = {
        ExecStart = "${pkgs.etcd}/bin/etcd";
        User = "etcd";
        PermissionsStartOnly = true;
      };
      preStart = ''
        mkdir -m 0700 -p ${cfg.dataDir}
        if [ "$(id -u)" = 0 ]; then chown etcd ${cfg.dataDir}; fi
      '';
      postStart = ''
        until ${pkgs.etcdctl}/bin/etcdctl set /nixos/state 'up'; do
          sleep 1;
        done
        until ${pkgs.etcdctl}/bin/etcdctl get /nixos/state | grep up; do
          sleep 1;
        done
      '';
    };
    environment.systemPackages = [ pkgs.etcdctl ];
    users.extraUsers = singleton {
      name = "etcd";
      uid = config.ids.uids.etcd;
      description = "Etcd daemon user";
      home = cfg.dataDir;
    };
  };
 }
--- a/nixos/modules/services/misc/gitolite.nix
+++ b/nixos/modules/services/misc/gitolite.nix
@ -15,14 +15,21 @@ in
        default = false;
        description = ''
          Enable gitolite management under the
-          <literal>gitolite</literal> user. The Gitolite home
+          <literal>gitolite</literal> user. After
          directory is <literal>/var/lib/gitolite</literal>. After
          switching to a configuration with Gitolite enabled, you can
          then run <literal>git clone
          gitolite@host:gitolite-admin.git</literal> to manage it further.
        '';
      };
      dataDir = mkOption {
        type = types.str;
        default = "/var/lib/gitolite";
        description = ''
          Gitolite home directory (used to store all the repositories).
        '';
      };
      adminPubkey = mkOption {
        type = types.str;
        description = ''
@ -39,13 +46,21 @@ in
          A list of custom git hooks that get copied to <literal>~/.gitolite/hooks/common</literal>.
        '';
      };
      user = mkOption {
        type = types.str;
        default = "gitolite";
        description = ''
          Gitolite user account. This is the username of the gitolite endpoint.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
-    users.extraUsers.gitolite = {
+    users.extraUsers.${cfg.user} = {
      description     = "Gitolite user";
-      home            = "/var/lib/gitolite";
+      home            = cfg.dataDir;
      createHome      = true;
      uid             = config.ids.uids.gitolite;
      useDefaultShell = true;
@ -55,13 +70,13 @@ in
      description = "Gitolite initialization";
      wantedBy    = [ "multi-user.target" ];
-      serviceConfig.User = "gitolite";
+      serviceConfig.User = "${cfg.user}";
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      path = [ pkgs.gitolite pkgs.git pkgs.perl pkgs.bash pkgs.openssh ];
      script = ''
-        cd /var/lib/gitolite
+        cd ${cfg.dataDir}
        mkdir -p .gitolite/logs
        if [ ! -d repositories ]; then
          gitolite setup -pk ${pubkeyFile}
--- a/nixos/modules/services/misc/mesos-master.nix
+++ b/nixos/modules/services/misc/mesos-master.nix
@ -4,11 +4,11 @@ with lib;
 let
  cfg = config.services.mesos.master;
-  
+
 in {
  options.services.mesos = {
-    
+
    master = {
      enable = mkOption {
        description = "Whether to enable the Mesos Master.";
@ -31,36 +31,36 @@ in {
        '';
        type = types.str;
      };
-      
+
      workDir = mkOption {
        description = "The Mesos work directory.";
        default = "/var/lib/mesos/master";
        type = types.str;
      };
-      
+
      extraCmdLineOptions = mkOption {
        description = ''
 	  Extra command line options for Mesos Master.
-	  
+
 	  See https://mesos.apache.org/documentation/latest/configuration/
 	'';
        default = [ "" ];
        type = types.listOf types.string;
        example = [ "--credentials=VALUE" ];
      };
-      
+
      quorum = mkOption {
        description = ''
          The size of the quorum of replicas when using 'replicated_log' based
          registry. It is imperative to set this value to be a majority of
          masters i.e., quorum > (number of masters)/2.
-          
+
          If 0 will fall back to --registry=in_memory.
        '';
        default = 0;
        type = types.int;
      };
-      
+
      logLevel = mkOption {
        description = ''
          The logging level used. Possible values:
@ -86,11 +86,12 @@ in {
 	  ${pkgs.mesos}/bin/mesos-master \
 	    --port=${toString cfg.port} \
 	    --zk=${cfg.zk} \
-	    ${if cfg.quorum == 0 then "--registry=in_memory" else "--registry=replicated_log --quorum=${cfg.quorum}"} \
+	    ${if cfg.quorum == 0 then "--registry=in_memory" else "--registry=replicated_log --quorum=${toString cfg.quorum}"} \
 	    --work_dir=${cfg.workDir} \
 	    --logging_level=${cfg.logLevel} \
 	    ${toString cfg.extraCmdLineOptions}
 	'';
 	Restart = "on-failure";
 	PermissionsStartOnly = true;
      };
      preStart = ''
@ -98,6 +99,6 @@ in {
      '';
    };
  };
-  
+
 }
--- a/nixos/modules/services/misc/mesos-slave.nix
+++ b/nixos/modules/services/misc/mesos-slave.nix
@ -4,7 +4,7 @@ with lib;
 let
  cfg = config.services.mesos.slave;
-  
+
 in {
  options.services.mesos = {
@ -29,30 +29,30 @@ in {
        '';
        type = types.str;
      };
-      
+
      withHadoop = mkOption {
 	description = "Add the HADOOP_HOME to the slave.";
 	default = false;
 	type = types.bool;
      };
-      
+
      workDir = mkOption {
        description = "The Mesos work directory.";
        default = "/var/lib/mesos/slave";
        type = types.str;
      };
-      
+
      extraCmdLineOptions = mkOption {
        description = ''
 	  Extra command line options for Mesos Slave.
-	  
+
 	  See https://mesos.apache.org/documentation/latest/configuration/
 	'';
        default = [ "" ];
        type = types.listOf types.string;
        example = [ "--gc_delay=3days" ];
      };
-      
+
      logLevel = mkOption {
        description = ''
          The logging level used. Possible values:
@ -72,6 +72,7 @@ in {
      description = "Mesos Slave";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      environment.MESOS_CONTAINERIZERS = "docker,mesos";
      serviceConfig = {
 	ExecStart = ''
 	  ${pkgs.mesos}/bin/mesos-slave \
@ -80,6 +81,7 @@ in {
 	    ${optionalString cfg.withHadoop "--hadoop-home=${pkgs.hadoop}"} \
 	    --work_dir=${cfg.workDir} \
 	    --logging_level=${cfg.logLevel} \
 	    --docker=${pkgs.docker}/libexec/docker/docker \
 	    ${toString cfg.extraCmdLineOptions}
 	'';
 	PermissionsStartOnly = true;
@ -89,5 +91,5 @@ in {
      '';
    };
  };
-  
+
-}
+}
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -36,6 +36,7 @@ let
        # /etc/nixos/configuration.nix.  Do not edit it!
        build-users-group = nixbld
        build-max-jobs = ${toString (cfg.maxJobs)}
        build-cores = ${toString (cfg.buildCores)}
        build-use-chroot = ${if cfg.useChroot then "true" else "false"}
        build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths)
        binary-caches = ${toString cfg.binaryCaches}
@ -74,6 +75,19 @@ in
        ";
      };
      buildCores = mkOption {
        type = types.int;
        default = 1;
        example = 64;
        description = ''
          This option defines the maximum number of concurrent tasks during
          one build. It affects, e.g., -j option for make. The default is 1.
          Some builds may become non-deterministic with this option; use with
          care! Packages will only be affected if enableParallelBuilding is
          set for them.
        '';
      };
      useChroot = mkOption {
        type = types.bool;
        default = false;
@ -179,17 +193,6 @@ in
        '';
      };
      proxy = mkOption {
        type = types.str;
        default = "";
        description = ''
          This option specifies the proxy to use for fetchurl. The real effect
          is just exporting http_proxy, https_proxy and ftp_proxy with that
          value.
        '';
        example = "http://127.0.0.1:3128";
      };
      # Environment variables for running Nix.
      envVars = mkOption {
        type = types.attrs;
@ -278,7 +281,9 @@ in
      { path = [ nix pkgs.openssl pkgs.utillinux pkgs.openssh ]
          ++ optionals cfg.distributedBuilds [ pkgs.gzip ];
-        environment = cfg.envVars // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt"; };
+        environment = cfg.envVars
          // { CURL_CA_BUNDLE = "/etc/ssl/certs/ca-bundle.crt"; }
          // config.networking.proxy.envVars;
        serviceConfig =
          { Nice = cfg.daemonNiceLevel;
@ -303,13 +308,6 @@ in
        NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl";
        NIX_REMOTE_SYSTEMS = "/etc/nix/machines";
        NIX_CURRENT_LOAD = "/run/nix/current-load";
      }
      # !!! These should not be defined here, but in some general proxy configuration module!
      // optionalAttrs (cfg.proxy != "") {
        http_proxy = cfg.proxy;
        https_proxy = cfg.proxy;
        ftp_proxy = cfg.proxy;
      };
    # Set up the environment variables for running Nix.
--- a/nixos/modules/services/misc/redmine.nix
+++ b/nixos/modules/services/misc/redmine.nix
@ -0,0 +1,222 @@
 { config, lib, pkgs, ... }:
 # TODO: support non-postgresql
 with lib;
 let
  cfg = config.services.redmine;
  ruby = pkgs.ruby;
  rubyLibs = pkgs.rubyLibs;
  databaseYml = ''
    production:
      adapter: postgresql
      database: ${cfg.databaseName}
      host: ${cfg.databaseHost}
      password: ${cfg.databasePassword}
      username: ${cfg.databaseUsername}
      encoding: utf8
  '';
  configurationYml = ''
    default:
      # Absolute path to the directory where attachments are stored.
      # The default is the 'files' directory in your Redmine instance.
      # Your Redmine instance needs to have write permission on this
      # directory.
      # Examples:
      # attachments_storage_path: /var/redmine/files
      # attachments_storage_path: D:/redmine/files
      attachments_storage_path: ${cfg.stateDir}/files
      # Absolute path to the SCM commands errors (stderr) log file.
      # The default is to log in the 'log' directory of your Redmine instance.
      # Example:
      # scm_stderr_log_file: /var/log/redmine_scm_stderr.log
      scm_stderr_log_file: ${cfg.stateDir}/redmine_scm_stderr.log
      ${cfg.extraConfig}
  '';
  unpackTheme = unpack "theme";
  unpackPlugin = unpack "plugin";
  unpack = id: (name: source:
    pkgs.stdenv.mkDerivation {
      name = "redmine-${id}-${name}";
      buildInputs = [ pkgs.unzip ];
      buildCommand = ''
        mkdir -p $out
        cd $out
        unpackFile ${source}
      '';
    });
 in {
  options = {
    services.redmine = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the redmine service.
        '';
      };
      stateDir = mkOption {
        type = types.str;
        default = "/var/redmine";
        description = "The state directory, logs and plugins are stored here";
      };
      extraConfig = mkOption {
        type = types.str;
        default = "";
        description = "Extra configuration in configuration.yml";
      };
      themes = mkOption {
        type = types.attrsOf types.path;
        default = {};
        description = "Set of themes";
      };
      plugins = mkOption {
        type = types.attrsOf types.path;
        default = {};
        description = "Set of plugins";
      };
      #databaseType = mkOption {
      #  type = types.str;
      #  default = "postgresql";
      #  description = "Type of database";
      #};
      databaseHost = mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = "Database hostname";
      };
      databasePassword = mkOption {
        type = types.str;
        default = "";
        description = "Database user password";
      };
      databaseName = mkOption {
        type = types.str;
        default = "redmine";
        description = "Database name";
      };
      databaseUsername = mkOption {
        type = types.str;
        default = "redmine";
        description = "Database user";
      };
    };
  };
  config = mkIf cfg.enable {
    assertions = [
      { assertion = cfg.databasePassword != "";
        message = "databasePassword must be set";
      }
    ];
    users.extraUsers = [
      { name = "redmine";
        group = "redmine";
        uid = config.ids.uids.redmine;
      } ];
    users.extraGroups = [
      { name = "redmine";
        gid = config.ids.gids.redmine;
      } ];
    systemd.services.redmine = {
      after = [ "network.target" "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      environment.RAILS_ENV = "production";
      environment.RAILS_ETC = "${cfg.stateDir}/config";
      environment.RAILS_LOG = "${cfg.stateDir}/log";
      environment.RAILS_VAR = "${cfg.stateDir}/var";
      environment.RAILS_CACHE = "${cfg.stateDir}/cache";
      environment.RAILS_PLUGINS = "${cfg.stateDir}/plugins";
      environment.RAILS_PUBLIC = "${cfg.stateDir}/public";
      environment.RAILS_TMP = "${cfg.stateDir}/tmp";
      environment.SCHEMA = "${cfg.stateDir}/cache/schema.db";
      environment.HOME = "${pkgs.redmine}/share/redmine";
      environment.REDMINE_LANG = "en";
      environment.GEM_HOME = "${pkgs.redmine}/share/redmine/vendor/bundle/ruby/1.9.1";
      environment.GEM_PATH = "${rubyLibs.bundler}/lib/ruby/gems/1.9";
      path = with pkgs; [
        imagemagickBig
        subversion
        mercurial
        cvs
        config.services.postgresql.package
        bazaar
        gitAndTools.git
        # once we build binaries for darc enable it
        #darcs
      ];
      preStart = ''
        # TODO: use env vars
        for i in plugins public/plugin_assets db files log config cache var/files tmp; do
          mkdir -p ${cfg.stateDir}/$i
        done
        chown -R redmine:redmine ${cfg.stateDir}
        chmod -R 755 ${cfg.stateDir}
        rm -rf ${cfg.stateDir}/public/*
        cp -R ${pkgs.redmine}/share/redmine/public/* ${cfg.stateDir}/public/
        for theme in ${concatStringsSep " " (mapAttrsToList unpackTheme cfg.themes)}; do
          ln -fs $theme/* ${cfg.stateDir}/public/themes/
        done
        rm -rf ${cfg.stateDir}/plugins/*
        for plugin in ${concatStringsSep " " (mapAttrsToList unpackPlugin cfg.plugins)}; do
          ln -fs $plugin/* ${cfg.stateDir}/plugins/''${plugin##*-redmine-plugin-}
        done
        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.stateDir}/config/database.yml
        ln -fs ${pkgs.writeText "configuration.yml" configurationYml} ${cfg.stateDir}/config/configuration.yml
        if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
          if ! test -e "${cfg.stateDir}/db-created"; then
            psql postgres -c "CREATE ROLE redmine WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
            ${config.services.postgresql.package}/bin/createdb --owner redmine redmine || true
            touch "${cfg.stateDir}/db-created"
          fi
        fi
        cd ${pkgs.redmine}/share/redmine/
        ${ruby}/bin/rake db:migrate
        ${ruby}/bin/rake redmine:plugins:migrate
        ${ruby}/bin/rake redmine:load_default_data
        ${ruby}/bin/rake generate_secret_token
      '';
      serviceConfig = {
        PermissionsStartOnly = true; # preStart must be run as root
        Type = "simple";
        User = "redmine";
        Group = "redmine";
        TimeoutSec = "300";
        WorkingDirectory = "${pkgs.redmine}/share/redmine";
        ExecStart="${ruby}/bin/ruby ${pkgs.redmine}/share/redmine/script/rails server webrick -e production -P ${cfg.stateDir}/redmine.pid";
      };
    };
  };
 }
--- a/nixos/modules/services/misc/zookeeper.nix
+++ b/nixos/modules/services/misc/zookeeper.nix
--- a/nixos/modules/services/monitoring/bosun.nix
+++ b/nixos/modules/services/monitoring/bosun.nix
@ -0,0 +1,136 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.bosun;
  configFile = pkgs.writeText "bosun.conf" ''
    tsdbHost = ${cfg.opentsdbHost}
    httpListen = ${cfg.listenAddress}
    stateFile = ${cfg.stateFile}
    checkFrequency = 5m
    ${cfg.extraConfig}
  '';
 in {
  options = {
    services.bosun = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to run bosun.
        '';
      };
      package = mkOption {
        type = types.package;
        example = literalExample "pkgs.bosun";
        description = ''
          bosun binary to use.
        '';
      };
      user = mkOption {
        type = types.string;
        default = "bosun";
        description = ''
          User account under which bosun runs.
        '';
      };
      group = mkOption {
        type = types.string;
        default = "bosun";
        description = ''
          Group account under which bosun runs.
        '';
      };
      opentsdbHost = mkOption {
        type = types.string;
        default = "localhost:4242";
        description = ''
          Host and port of the OpenTSDB database that stores bosun data.
        '';
      };
      listenAddress = mkOption {
        type = types.string;
        default = ":8070";
        description = ''
          The host address and port that bosun's web interface will listen on.
        '';
      };
      stateFile = mkOption {
        type = types.string;
        default = "/var/lib/bosun/bosun.state";
        description = ''
          Path to bosun's state file.
        '';
      };
      extraConfig = mkOption {
        type = types.string;
        default = "";
        description = ''
          Extra configuration options for Bosun. You should describe your
          desired templates, alerts, macros, etc through this configuration
          option.
          A detailed description of the supported syntax can be found at-spi2-atk
          http://bosun.org/configuration.html
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    services.bosun.package = mkDefault pkgs.bosun; 
    systemd.services.bosun = {
      description = "bosun metrics collector (part of Bosun)";
      wantedBy = [ "multi-user.target" ];
      preStart =
        ''
        mkdir -p `dirname ${cfg.stateFile}`;
        touch ${cfg.stateFile}
        touch ${cfg.stateFile}.tmp
        if [ "$(id -u)" = 0 ]; then
          chown ${cfg.user}:${cfg.group} ${cfg.stateFile}
          chown ${cfg.user}:${cfg.group} ${cfg.stateFile}.tmp
        fi
        '';
      serviceConfig = {
        PermissionsStartOnly = true;
        User = cfg.user;
        Group = cfg.group;
        ExecStart = ''
          ${cfg.package}/bin/bosun -c ${configFile}
        '';
      };
    };
    users.extraUsers.bosun = {
      description = "bosun user";
      group = "bosun";
      uid = config.ids.uids.bosun;
    };
    users.extraGroups.bosun.gid = config.ids.gids.bosun;
  };
 }
--- a/nixos/modules/services/monitoring/graphite.nix
+++ b/nixos/modules/services/monitoring/graphite.nix
@ -24,6 +24,8 @@ let
    GRAPHITE_URL = cfg.seyren.graphiteUrl;
  } // cfg.seyren.extraConfig;
  pagerConfig = pkgs.writeText "alarms.yaml" cfg.pager.alerts;
  configDir = pkgs.buildEnv {
    name = "graphite-config";
    paths = lists.filter (el: el != null) [
@ -83,13 +85,21 @@ in {
    api = {
      enable = mkOption {
-        description = "Whether to enable graphite api.";
+        description = ''
          Whether to enable graphite api. Graphite api is lightweight alternative
          to graphite web, with api and without dashboard. It's advised to use
          grafana as alternative dashboard and influxdb as alternative to
          graphite carbon.
          For more information visit
          <link xlink:href="http://graphite-api.readthedocs.org/en/latest/"/>
        '';
        default = false;
        type = types.uniq types.bool;
      };
      finders = mkOption {
-        description = "List of finder plugins load.";
+        description = "List of finder plugins to load.";
        default = [];
        example = [ pkgs.python27Packages.graphite_influxdb ];
        type = types.listOf types.package;
@ -296,175 +306,247 @@ in {
        example = literalExample ''
          {
            GRAPHITE_USERNAME = "user";
-            GRAPHITE_PASSWORD = "pass"; 
+            GRAPHITE_PASSWORD = "pass";
          }
        '';
      };
    };
    pager = {
      enable = mkOption {
        description = ''
          Whether to enable graphite-pager service. For more information visit
          <link xlink:href="https://github.com/seatgeek/graphite-pager"/>
        '';
        default = false;
        type = types.uniq types.bool;
      };
      redisUrl = mkOption {
        description = "Redis connection string.";
        default = "redis://localhost:${toString config.services.redis.port}/";
        type = types.str;
      };
      graphiteUrl = mkOption {
        description = "URL to your graphite service.";
        default = "http://${cfg.web.host}:${toString cfg.web.port}";
        type = types.str;
      };
      alerts = mkOption {
        description = "Alerts configuration for graphite-pager.";
        default = ''
          alerts:
            - target: constantLine(100)
              warning: 90
              critical: 200
              name: Test
        '';
        example = literalExample ''
          pushbullet_key: pushbullet_api_key
          alerts:
            - target: stats.seatgeek.app.deal_quality.venue_info_cache.hit
              warning: .5
              critical: 1
              name: Deal quality venue cache hits
        '';
        type = types.lines;
      };
    };
  };
  ###### implementation
-  config = mkIf (
+  config = mkMerge [
-    cfg.carbon.enableAggregator ||
+    (mkIf cfg.carbon.enableCache {
-    cfg.carbon.enableCache ||
+      systemd.services.carbonCache = {
-    cfg.carbon.enableRelay ||
+        description = "Graphite Data Storage Backend";
-    cfg.web.enable ||
+        wantedBy = [ "multi-user.target" ];
-    cfg.api.enable ||
+        after = [ "network-interfaces.target" ];
-    cfg.seyren.enable
+        environment = carbonEnv;
-  ) {
+        serviceConfig = {
-    systemd.services.carbonCache = {
+          ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-cache"}";
-      enable = cfg.carbon.enableCache;
+          User = "graphite";
-      description = "Graphite Data Storage Backend";
+          Group = "graphite";
-      wantedBy = [ "multi-user.target" ];
+          PermissionsStartOnly = true;
-      after = [ "network-interfaces.target" ];
+        };
-      environment = carbonEnv;
+        preStart = ''
-      serviceConfig = {
+          mkdir -p ${cfg.dataDir}/whisper
-        ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-cache"}";
+          chmod 0700 ${cfg.dataDir}/whisper
        User = "graphite";
        Group = "graphite";
        PermissionsStartOnly = true;
      };
      preStart = ''
        mkdir -p ${cfg.dataDir}/whisper
        chmod 0700 ${cfg.dataDir}/whisper
        chown -R graphite:graphite ${cfg.dataDir}
      '';
    };
    systemd.services.carbonAggregator = {
      enable = cfg.carbon.enableAggregator;
      description = "Carbon Data Aggregator";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      environment = carbonEnv;
      serviceConfig = {
        ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-aggregator"}";
        User = "graphite";
        Group = "graphite";
      };
    };
    systemd.services.carbonRelay = {
      enable = cfg.carbon.enableRelay;
      description = "Carbon Data Relay";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      environment = carbonEnv;
      serviceConfig = {
        ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-relay"}";
        User = "graphite";
        Group = "graphite";
      };
    };
    systemd.services.graphiteWeb = {
      enable = cfg.web.enable;
      description = "Graphite Web Interface";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      path = [ pkgs.perl ];
      environment = {
        PYTHONPATH = "${pkgs.python27Packages.graphite_web}/lib/python2.7/site-packages";
        DJANGO_SETTINGS_MODULE = "graphite.settings";
        GRAPHITE_CONF_DIR = configDir;
        GRAPHITE_STORAGE_DIR = dataDir;
      };
      serviceConfig = {
        ExecStart = ''
          ${pkgs.python27Packages.waitress}/bin/waitress-serve \
          --host=${cfg.web.host} --port=${toString cfg.web.port} \
          --call django.core.handlers.wsgi:WSGIHandler'';
        User = "graphite";
        Group = "graphite";
        PermissionsStartOnly = true;
      };
      preStart = ''
        if ! test -e ${dataDir}/db-created; then
          mkdir -p ${dataDir}/{whisper/,log/webapp/}
          chmod 0700 ${dataDir}/{whisper/,log/webapp/}
          # populate database
          ${pkgs.python27Packages.graphite_web}/bin/manage-graphite.py syncdb --noinput
          # create index
          ${pkgs.python27Packages.graphite_web}/bin/build-index.sh
          touch ${dataDir}/db-created
          chown -R graphite:graphite ${cfg.dataDir}
        fi
      '';
    };
    systemd.services.graphiteApi = {
      enable = cfg.api.enable;
      description = "Graphite Api Interface";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      environment = {
        PYTHONPATH =
          "${cfg.api.package}/lib/python2.7/site-packages:" +
          concatMapStringsSep ":" (f: f + "/lib/python2.7/site-packages") cfg.api.finders;
        GRAPHITE_API_CONFIG = graphiteApiConfig;
        LD_LIBRARY_PATH = "${pkgs.cairo}/lib";
      };
      serviceConfig = {
        ExecStart = ''
          ${pkgs.python27Packages.waitress}/bin/waitress-serve \
          --host=${cfg.api.host} --port=${toString cfg.api.port} \
          graphite_api.app:app 
        '';
        User = "graphite";
        Group = "graphite";
        PermissionsStartOnly = true;
      };
-      preStart = ''
+    })
        if ! test -e ${dataDir}/db-created; then
          mkdir -p ${dataDir}/cache/
          chmod 0700 ${dataDir}/cache/
-          touch ${dataDir}/db-created
+    (mkIf cfg.carbon.enableAggregator {
-
+      systemd.services.carbonAggregator = {
-          chown -R graphite:graphite ${cfg.dataDir}
+        enable = cfg.carbon.enableAggregator;
-        fi
+        description = "Carbon Data Aggregator";
-      '';
+        wantedBy = [ "multi-user.target" ];
-    };
+        after = [ "network-interfaces.target" ];
-
+        environment = carbonEnv;
-    systemd.services.seyren = {
+        serviceConfig = {
-      enable = cfg.seyren.enable;
+          ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-aggregator"}";
-      description = "Graphite Alerting Dashboard";
+          User = "graphite";
-      wantedBy = [ "multi-user.target" ];
+          Group = "graphite";
-      after = [ "network-interfaces.target" "mongodb.service" ];
+        };
      environment = seyrenConfig;
      serviceConfig = {
        ExecStart = "${pkgs.seyren}/bin/seyren -httpPort ${toString cfg.seyren.port}";
        WorkingDirectory = dataDir;
        User = "graphite";
        Group = "graphite"; 
      };
-      preStart = ''
+    })
        if ! test -e ${dataDir}/db-created; then
          mkdir -p ${dataDir}
          chown -R graphite:graphite ${dataDir}
        fi
      '';
    };
-    services.mongodb.enable = mkDefault cfg.seyren.enable;
+    (mkIf cfg.carbon.enableRelay {
      systemd.services.carbonRelay = {
        description = "Carbon Data Relay";
        wantedBy = [ "multi-user.target" ];
        after = [ "network-interfaces.target" ];
        environment = carbonEnv;
        serviceConfig = {
          ExecStart = "${pkgs.twisted}/bin/twistd ${carbonOpts "carbon-relay"}";
          User = "graphite";
          Group = "graphite";
        };
      };
    })
-    environment.systemPackages = [
+    (mkIf (cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay) {
-      pkgs.pythonPackages.carbon
+      environment.systemPackages = [
-      pkgs.python27Packages.graphite_web
+        pkgs.pythonPackages.carbon
-      pkgs.python27Packages.waitress
+      ];
-    ];
+    })
-    users.extraUsers = singleton {
+    (mkIf cfg.web.enable {
-      name = "graphite";
+      systemd.services.graphiteWeb = {
-      uid = config.ids.uids.graphite;
+        description = "Graphite Web Interface";
-      description = "Graphite daemon user";
+        wantedBy = [ "multi-user.target" ];
-      home = dataDir;
+        after = [ "network-interfaces.target" ];
-    };
+        path = [ pkgs.perl ];
-    users.extraGroups.graphite.gid = config.ids.gids.graphite;
+        environment = {
-  };
+          PYTHONPATH = "${pkgs.python27Packages.graphite_web}/lib/python2.7/site-packages";
          DJANGO_SETTINGS_MODULE = "graphite.settings";
          GRAPHITE_CONF_DIR = configDir;
          GRAPHITE_STORAGE_DIR = dataDir;
        };
        serviceConfig = {
          ExecStart = ''
            ${pkgs.python27Packages.waitress}/bin/waitress-serve \
            --host=${cfg.web.host} --port=${toString cfg.web.port} \
            --call django.core.handlers.wsgi:WSGIHandler'';
          User = "graphite";
          Group = "graphite";
          PermissionsStartOnly = true;
        };
        preStart = ''
          if ! test -e ${dataDir}/db-created; then
            mkdir -p ${dataDir}/{whisper/,log/webapp/}
            chmod 0700 ${dataDir}/{whisper/,log/webapp/}
            # populate database
            ${pkgs.python27Packages.graphite_web}/bin/manage-graphite.py syncdb --noinput
            # create index
            ${pkgs.python27Packages.graphite_web}/bin/build-index.sh
            touch ${dataDir}/db-created
            chown -R graphite:graphite ${cfg.dataDir}
          fi
        '';
      };
      environment.systemPackages = [ pkgs.python27Packages.graphite_web ];
    })
    (mkIf cfg.api.enable {
      systemd.services.graphiteApi = {
        description = "Graphite Api Interface";
        wantedBy = [ "multi-user.target" ];
        after = [ "network-interfaces.target" ];
        environment = {
          PYTHONPATH =
            "${cfg.api.package}/lib/python2.7/site-packages:" +
            concatMapStringsSep ":" (f: f + "/lib/python2.7/site-packages") cfg.api.finders;
          GRAPHITE_API_CONFIG = graphiteApiConfig;
          LD_LIBRARY_PATH = "${pkgs.cairo}/lib";
        };
        serviceConfig = {
          ExecStart = ''
            ${pkgs.python27Packages.waitress}/bin/waitress-serve \
            --host=${cfg.api.host} --port=${toString cfg.api.port} \
            graphite_api.app:app
          '';
          User = "graphite";
          Group = "graphite";
          PermissionsStartOnly = true;
        };
        preStart = ''
          if ! test -e ${dataDir}/db-created; then
            mkdir -p ${dataDir}/cache/
            chmod 0700 ${dataDir}/cache/
            touch ${dataDir}/db-created
            chown -R graphite:graphite ${cfg.dataDir}
          fi
        '';
      };
    })
    (mkIf cfg.seyren.enable {
      systemd.services.seyren = {
        description = "Graphite Alerting Dashboard";
        wantedBy = [ "multi-user.target" ];
        after = [ "network-interfaces.target" "mongodb.service" ];
        environment = seyrenConfig;
        serviceConfig = {
          ExecStart = "${pkgs.seyren}/bin/seyren -httpPort ${toString cfg.seyren.port}";
          WorkingDirectory = dataDir;
          User = "graphite";
          Group = "graphite";
        };
        preStart = ''
          if ! test -e ${dataDir}/db-created; then
            mkdir -p ${dataDir}
            chown -R graphite:graphite ${dataDir}
          fi
        '';
      };
      services.mongodb.enable = mkDefault true;
    })
    (mkIf cfg.pager.enable {
      systemd.services.graphitePager = {
        description = "Graphite Pager Alerting Daemon";
        wantedBy = [ "multi-user.target" ];
        after = [ "network-interfaces.target" "redis.service" ];
        environment = {
          REDIS_URL = cfg.pager.redisUrl;
          GRAPHITE_URL = cfg.pager.graphiteUrl;
        };
        serviceConfig = {
          ExecStart = "${pkgs.pythonPackages.graphite_pager}/bin/graphite-pager --config ${pagerConfig}";
          User = "graphite";
          Group = "graphite";
        };
      };
      services.redis.enable = mkDefault true;
      environment.systemPackages = [ pkgs.pythonPackages.graphite_pager ];
    })
    (mkIf (
      cfg.carbon.enableCache || cfg.carbon.enableAggregator || cfg.carbon.enableRelay ||
      cfg.web.enable || cfg.api.enable ||
      cfg.seyren.enable || cfg.pager.enable
     ) {
      users.extraUsers = singleton {
        name = "graphite";
        uid = config.ids.uids.graphite;
        description = "Graphite daemon user";
        home = dataDir;
      };
      users.extraGroups.graphite.gid = config.ids.gids.graphite;
    })
  ];
 }
--- a/nixos/modules/services/monitoring/riemann.nix
+++ b/nixos/modules/services/monitoring/riemann.nix
@ -11,11 +11,15 @@ let
    cfg.extraClasspathEntries ++ [ "${riemann}/share/java/riemann.jar" ]
  );
  riemannConfig = concatStringsSep "\n" (
    [cfg.config] ++ (map (f: ''(load-file "${f}")'') cfg.configFiles)
  );
  launcher = writeScriptBin "riemann" ''
    #!/bin/sh
    exec ${openjdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
      -cp ${classpath} \
-      riemann.bin ${writeText "riemann.config" cfg.config}
+      riemann.bin ${writeText "riemann-config.clj" riemannConfig}
  '';
 in {
@ -36,6 +40,16 @@ in {
          Contents of the Riemann configuration file.
        '';
      };
      configFiles = mkOption {
        type = with types; listOf path;
        default = [];
        description = ''
          Extra files containing Riemann configuration. These files will be
          loaded at runtime by Riemann (with Clojure's
          <literal>load-file</literal> function) at the end of the
          configuration.
        '';
      };
      extraClasspathEntries = mkOption {
        type = with types; listOf str;
        default = [];
--- a/nixos/modules/services/monitoring/scollector.nix
+++ b/nixos/modules/services/monitoring/scollector.nix
@ -0,0 +1,114 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.scollector;
  collectors = pkgs.runCommand "collectors" {}
    ''
    mkdir -p $out
    ${lib.concatStringsSep
        "\n"
        (lib.mapAttrsToList
          (frequency: binaries:
            "mkdir -p $out/${frequency}\n" +
            (lib.concatStringsSep
              "\n"
              (map (path: "ln -s ${path} $out/${frequency}/$(basename ${path})")
                   binaries)))
          cfg.collectors)}
    '';
 in {
  options = {
    services.scollector = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to run scollector.
        '';
      };
      package = mkOption {
        type = types.package;
        default = pkgs.scollector;
        example = literalExample "pkgs.scollector";
        description = ''
          scollector binary to use.
        '';
      };
      user = mkOption {
        type = types.string;
        default = "scollector";
        description = ''
          User account under which scollector runs.
        '';
      };
      group = mkOption {
        type = types.string;
        default = "scollector";
        description = ''
          Group account under which scollector runs.
        '';
      };
      bosunHost = mkOption {
        type = types.string;
        default = "localhost:8070";
        description = ''
          Host and port of the bosun server that will store the collected
          data.
        '';
      };
      collectors = mkOption {
        type = types.attrs;
        default = {};
        example = literalExample "{ 0 = [ \"\${postgresStats}/bin/collect-stats\" ]; }";
        description = ''
          An attribute set mapping the frequency of collection to a list of
          binaries that should be executed at that frequency. You can use "0"
          to run a binary forever.
        '';
      };
    };
  };
  config = mkIf config.services.scollector.enable {
    systemd.services.scollector = {
      description = "scollector metrics collector (part of Bosun)";
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.coreutils pkgs.iproute ];
      serviceConfig = {
        PermissionsStartOnly = true;
        User = cfg.user;
        Group = cfg.group;
        ExecStart = ''
          ${cfg.package}/bin/scollector -h=${cfg.bosunHost} -c=${collectors}
        '';
      };
    };
    users.extraUsers.scollector = {
      description = "scollector user";
      group = "scollector";
      uid = config.ids.uids.scollector;
    };
    users.extraGroups.scollector.gid = config.ids.gids.scollector;
  };
 }
--- a/nixos/modules/services/monitoring/zabbix-server.nix
+++ b/nixos/modules/services/monitoring/zabbix-server.nix
@ -32,6 +32,8 @@ let
      ${optionalString (cfg.dbPassword != "") ''
        DBPassword = ${cfg.dbPassword}
      ''}
      ${config.services.zabbixServer.extraConfig}
    '';
  useLocalPostgres = cfg.dbServer == "localhost" || cfg.dbServer == "";
@ -46,6 +48,7 @@ in
    services.zabbixServer.enable = mkOption {
      default = false;
      type = types.bool;
      description = ''
        Whether to run the Zabbix server on this machine.
      '';
@ -53,6 +56,7 @@ in
    services.zabbixServer.dbServer = mkOption {
      default = "localhost";
      type = types.str;
      description = ''
        Hostname or IP address of the database server.
        Use an empty string ("") to use peer authentication.
@ -61,9 +65,18 @@ in
    services.zabbixServer.dbPassword = mkOption {
      default = "";
      type = types.str;
      description = "Password used to connect to the database server.";
    };
    services.zabbixServer.extraConfig = mkOption {
      default = "";
      type = types.lines;
      description = ''
        Configuration that is injected verbatim into the configuration file.
      '';
    };
  };
  ###### implementation
--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@ -64,6 +64,13 @@ in
            Use fixed port for rpc.mountd, usefull if server is behind firewall.
          '';
        };
        lockdPort = mkOption {
          default = 0;
          description = ''
            Fix the lockd port number. This can help setting firewall rules for NFS.
          '';
        };
      };
    };
@ -104,6 +111,9 @@ in
            # Create a state directory required by NFSv4.
            mkdir -p /var/lib/nfs/v4recovery
            ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_tcpport=${builtins.toString cfg.lockdPort}
            ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_udpport=${builtins.toString cfg.lockdPort}
            rpc.nfsd \
              ${if cfg.hostName != null then "-H ${cfg.hostName}" else ""} \
              ${builtins.toString cfg.nproc}
--- a/nixos/modules/services/networking/chrony.nix
+++ b/nixos/modules/services/networking/chrony.nix
@ -48,9 +48,10 @@ in
      servers = mkOption {
        default = [
-          "0.pool.ntp.org"
+          "0.nixos.pool.ntp.org"
-          "1.pool.ntp.org"
+          "1.nixos.pool.ntp.org"
-          "2.pool.ntp.org"
+          "2.nixos.pool.ntp.org"
          "3.nixos.pool.ntp.org"
        ];
        description = ''
          The set of NTP servers from which to synchronise.
@ -99,8 +100,8 @@ in
    jobs.chronyd =
      { description = "chrony daemon";
-        wantedBy = [ "ip-up.target" ];
+        wantedBy = [ "multi-user.target" ];
-        partOf = [ "ip-up.target" ];
+        after = [ "network.target" ];
        path = [ chrony ];
--- a/nixos/modules/services/networking/cjdns-hosts.sh
+++ b/nixos/modules/services/networking/cjdns-hosts.sh
@ -0,0 +1,11 @@
 pubs=($pubs)
 hosts=($hosts)
 lines="''\n"
 for ((i = 0; i < ${#pubs[*]}; i++)); do
    addr=$($cjdns/bin/publictoip6 ${pubs[i]})
    lines="${lines}$addr ${hosts[i]}\n"
 done
 lines="${lines}''"
 echo -ne $lines > $out
--- a/nixos/modules/services/networking/cjdns.nix
+++ b/nixos/modules/services/networking/cjdns.nix
@ -4,8 +4,46 @@ with lib;
 let
  pkg = pkgs.cjdns;
  cfg = config.services.cjdns;
  connectToSubmodule =
  { options, ... }:
  { options =
    { password = mkOption {
      type = types.str;
      description = "Authorized password to the opposite end of the tunnel.";
      };
      publicKey = mkOption {
        type = types.str;
        description = "Public key at the opposite end of the tunnel.";
      };
      hostname = mkOption {
        default = "";
        example = "foobar.hype";
        type = types.str;
        description = "Optional hostname to add to /etc/hosts; prevents reverse lookup failures.";
      };
    };
  };
  peers = mapAttrsToList (n: v: v) (cfg.ETHInterface.connectTo // cfg.UDPInterface.connectTo);
  pubs  = toString (map (p: if p.hostname == "" then "" else p.publicKey) peers);
  hosts = toString (map (p: if p.hostname == "" then "" else p.hostname)  peers);
  cjdnsHosts =
    if hosts != "" then
      import (pkgs.stdenv.mkDerivation {
        name = "cjdns-hosts";
        builder = ./cjdns-hosts.sh;
        inherit (pkgs) cjdns;
        inherit pubs hosts;
      })
    else "";
  # would be nice to  merge 'cfg' with a //,
  # but the json nesting is wacky.
  cjdrouteConf = builtins.toJSON ( {
@ -44,7 +82,7 @@ in
      enable = mkOption {
        type = types.bool;
-	default = false;
+        default = false;
        description = ''
          Whether to enable the cjdns network encryption
          and routing engine. A file at /etc/cjdns.keys will
@ -53,84 +91,80 @@ in
        '';
      };
      confFile = mkOption {
        type = types.str;
        default = "";
        example = "/etc/cjdroute.conf";
        description = ''
          Ignore all other cjdns options and load configuration from this file.
        '';
      };
      authorizedPasswords = mkOption {
        type = types.listOf types.str;
-	default = [ ];
+        default = [ ];
-	example = [
+        example = [
          "snyrfgkqsc98qh1y4s5hbu0j57xw5s0"
-	  "z9md3t4p45mfrjzdjurxn4wuj0d8swv"
+          "z9md3t4p45mfrjzdjurxn4wuj0d8swv"
-	  "49275fut6tmzu354pq70sr5b95qq0vj"
+          "49275fut6tmzu354pq70sr5b95qq0vj"
        ];
-	description = ''
+        description = ''
-	  Any remote cjdns nodes that offer these passwords on 
+          Any remote cjdns nodes that offer these passwords on 
-	  connection will be allowed to route through this node.
+          connection will be allowed to route through this node.
        '';
      };
      admin = {
        bind = mkOption {
          type = types.string;
-	  default = "127.0.0.1:11234";
+          default = "127.0.0.1:11234";
-	  description = ''
+          description = ''
            Bind the administration port to this address and port.
-	  '';
+          '';
        };
      };
      UDPInterface = {
        bind = mkOption {
          type = types.string;
-	  default = "";
+          default = "";
          example = "192.168.1.32:43211";
          description = ''
-	    Address and port to bind UDP tunnels to.
+            Address and port to bind UDP tunnels to.
-	  '';
+          '';
- 	};
+         };
        connectTo = mkOption {
-          type = types.attrsOf ( types.submodule (
+          type = types.attrsOf ( types.submodule ( connectToSubmodule ) );
-	    { options, ... }:
+          default = { };
            { options = {
                # TODO make host an option, and add it to networking.extraHosts
                password = mkOption {
                  type = types.str;
                  description = "Authorized password to the opposite end of the tunnel.";
                };
                publicKey = mkOption {
                  type = types.str;
                  description = "Public key at the opposite end of the tunnel.";
                };
              };
            }
          ));
 	  default = { };
          example = {
            "192.168.1.1:27313" = {
-	      password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
+              hostname = "homer.hype";
              password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
              publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
            };
          };
          description = ''
-	    Credentials for making UDP tunnels.
+            Credentials for making UDP tunnels.
-	  '';
+          '';
-	};
+        };
      };
      ETHInterface = {
        bind = mkOption {
-	  default = "";
+        default = "";
-	  example = "eth0";
+        example = "eth0";
-	  description = ''
+        description = ''
-	    Bind to this device for native ethernet operation.
+          Bind to this device for native ethernet operation.
-	  '';
+        '';
-        };
+      };
        beacon = mkOption {
-	  type = types.int;
+          type = types.int;
          default = 2;
          description = ''
            Auto-connect to other cjdns nodes on the same network.
            Options:
-	      0: Disabled.
+              0: Disabled.
              1: Accept beacons, this will cause cjdns to accept incoming
                 beacon messages and try connecting to the sender.
              2: Accept and send beacons, this will cause cjdns to broadcast
@ -142,32 +176,20 @@ in
        };
        connectTo = mkOption {
-          type = types.attrsOf ( types.submodule (
+          type = types.attrsOf ( types.submodule ( connectToSubmodule ) );
-	    { options, ... }:
+          default = { };
            { options = {
                password = mkOption {
                  type = types.str;
                  description = "Authorized password to the opposite end of the tunnel.";
                };
                publicKey = mkOption {
                  type = types.str;
                  description = "Public key at the opposite end of the tunnel.";
                };
              };
            }
          ));
 	  default = { };
          example = {
            "01:02:03:04:05:06" = {
-	      password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
+              hostname = "homer.hype";
              password = "5kG15EfpdcKNX3f2GSQ0H1HC7yIfxoCoImnO5FHM";
              publicKey = "371zpkgs8ss387tmr81q04mp0hg1skb51hw34vk1cq644mjqhup0.k";
            };
          };
-	  description = ''
+          description = ''
-	    Credentials for connecting look similar to UDP credientials
+            Credentials for connecting look similar to UDP credientials
            except they begin with the mac address.
-	  '';
+          '';
-	};
+        };
      };
    };
@ -182,37 +204,51 @@ in
    systemd.services.cjdns = {
      description = "encrypted networking for everybody";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ "network.target" ];
-      after = [ "network-interfaces.target" ];
+      after = [ "networkSetup.service" "network-interfaces.target" ];
-      script = ''
+      preStart = if cfg.confFile != "" then "" else ''
-        source /etc/cjdns.keys
+        [ -e /etc/cjdns.keys ] && source /etc/cjdns.keys
-        echo '${cjdrouteConf}' | sed \
+
-	  -e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \
+        if [ -z "$CJDNS_PRIVATE_KEY" ]; then
-          -e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \
+            shopt -s lastpipe
-            | ${pkgs.cjdns}/bin/cjdroute
+            ${pkg}/bin/makekeys | { read private ipv6 public; }
            umask 0077
            echo "CJDNS_PRIVATE_KEY=$private" >> /etc/cjdns.keys
            echo -e "CJDNS_IPV6=$ipv6\nCJDNS_PUBLIC_KEY=$public" > /etc/cjdns.public
            chmod 600 /etc/cjdns.keys
            chmod 444 /etc/cjdns.public
        fi
        if [ -z "$CJDNS_ADMIN_PASSWORD" ]; then
            echo "CJDNS_ADMIN_PASSWORD=$(${pkgs.coreutils}/bin/head -c 96 /dev/urandom | ${pkgs.coreutils}/bin/tr -dc A-Za-z0-9)" \
                >> /etc/cjdns.keys
        fi
      '';
      script = (
        if cfg.confFile != "" then "${pkg}/bin/cjdroute < ${cfg.confFile}" else
          ''
            source /etc/cjdns.keys
            echo '${cjdrouteConf}' | sed \
                -e "s/@CJDNS_ADMIN_PASSWORD@/$CJDNS_ADMIN_PASSWORD/g" \
                -e "s/@CJDNS_PRIVATE_KEY@/$CJDNS_PRIVATE_KEY/g" \
                | ${pkg}/bin/cjdroute
         ''
      );
      serviceConfig = {
        Type = "forking";
-	Restart = "on-failure";
+        Restart = "on-failure";
      };
    };
-    system.activationScripts.cjdns = ''
+    networking.extraHosts = "${cjdnsHosts}";
      grep -q "CJDNS_PRIVATE_KEY=" /etc/cjdns.keys || \
        echo "CJDNS_PRIVATE_KEY=$(${pkgs.cjdns}/bin/makekey)" \
 	  >> /etc/cjdns.keys
      grep -q "CJDNS_ADMIN_PASSWORD=" /etc/cjdns.keys || \
        echo "CJDNS_ADMIN_PASSWORD=$(${pkgs.coreutils}/bin/head -c 96 /dev/urandom | ${pkgs.coreutils}/bin/tr -dc A-Za-z0-9)" \
 	  >> /etc/cjdns.keys
      chmod 600 /etc/cjdns.keys
    '';
    assertions = [
-      { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" );
+      { assertion = ( cfg.ETHInterface.bind != "" || cfg.UDPInterface.bind != "" || cfg.confFile == "" );
        message = "Neither cjdns.ETHInterface.bind nor cjdns.UDPInterface.bind defined.";
      }
      { assertion = config.networking.enableIPv6;
@ -222,4 +258,4 @@ in
  };
-}
+}
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@ -8,15 +8,29 @@ let
  cfg = config.networking.dhcpcd;
  interfaces = attrValues config.networking.interfaces;
  enableDHCP = config.networking.useDHCP || any (i: i.useDHCP == true) interfaces;
  # Don't start dhcpcd on explicitly configured interfaces or on
  # interfaces that are part of a bridge, bond or sit device.
  ignoredInterfaces =
-    map (i: i.name) (filter (i: i.ip4 != [ ] || i.ipAddress != null) (attrValues config.networking.interfaces))
+    map (i: i.name) (filter (i: if i.useDHCP != null then !i.useDHCP else i.ip4 != [ ] || i.ipAddress != null) interfaces)
    ++ mapAttrsToList (i: _: i) config.networking.sits
    ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bridges))
    ++ concatLists (attrValues (mapAttrs (n: v: v.interfaces) config.networking.bonds))
    ++ config.networking.dhcpcd.denyInterfaces;
  arrayAppendOrNull = a1: a2: if a1 == null && a2 == null then null
    else if a1 == null then a2 else if a2 == null then a1
      else a1 ++ a2;
  # If dhcp is disabled but explicit interfaces are enabled,
  # we need to provide dhcp just for those interfaces.
  allowInterfaces = arrayAppendOrNull cfg.allowInterfaces
    (if !config.networking.useDHCP && enableDHCP then
      map (i: i.name) (filter (i: i.useDHCP == true) interfaces) else null);
  # Config file adapted from the one that ships with dhcpcd.
  dhcpcdConf = pkgs.writeText "dhcpcd.conf"
    ''
@ -41,7 +55,7 @@ let
      denyinterfaces ${toString ignoredInterfaces} lo peth* vif* tap* tun* virbr* vnet* vboxnet* sit*
      # Use the list of allowed interfaces if specified
-      ${optionalString (cfg.allowInterfaces != null) "allowinterfaces ${toString cfg.allowInterfaces}"}
+      ${optionalString (allowInterfaces != null) "allowinterfaces ${toString allowInterfaces}"}
      ${cfg.extraConfig}
    '';
@ -132,7 +146,7 @@ in
  ###### implementation
-  config = mkIf config.networking.useDHCP {
+  config = mkIf enableDHCP {
    systemd.services.dhcpcd =
      { description = "DHCP Client";
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@ -0,0 +1,134 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  apparmorEnabled = config.security.apparmor.enable;
  dnscrypt-proxy = pkgs.dnscrypt-proxy;
  cfg = config.services.dnscrypt-proxy;
  uid = config.ids.uids.dnscrypt-proxy;
  daemonArgs =
    [ "--daemonize"
      "--user=dnscrypt-proxy"
      "--local-address=${cfg.localAddress}:${toString cfg.port}"
      (optionalString cfg.tcpOnly "--tcp-only")
      "--resolvers-list=${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv"
      "--resolver-name=${cfg.resolverName}"
    ];
 in
 {
  ##### interface
  options = {
    services.dnscrypt-proxy = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Enable dnscrypt-proxy.
          The proxy relays regular DNS queries to a DNSCrypt enabled
          upstream resolver.
          The traffic between the client and the upstream resolver is
          encrypted and authenticated, which may mitigate the risk of MITM
          attacks and third-party snooping (assuming the upstream is
          trustworthy).
        '';
      };
      localAddress = mkOption {
        default = "127.0.0.1";
        type = types.string;
        description = ''
          Listen for DNS queries on this address.
        '';
      };
      port = mkOption {
        default = 53;
        type = types.int;
        description = ''
          Listen on this port.
        '';
      };
      resolverName = mkOption {
        default = "opendns";
        type = types.string;
        description = ''
          The name of the upstream DNSCrypt resolver to use.
          See <literal>${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv</literal>
          for alternative resolvers (e.g., if you are concerned about logging
          and/or server location).
        '';
      };
      tcpOnly = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Force sending encrypted DNS queries to the upstream resolver
          over TCP instead of UDP (on port 443).
          Enabling this option may help circumvent filtering, but should
          not be used otherwise.
        '';
      };
    };
  };
  ##### implementation
  config = mkIf cfg.enable {
    ### AppArmor profile
    security.apparmor.profiles = mkIf apparmorEnabled [
      (pkgs.writeText "apparmor-dnscrypt-proxy" ''
        ${dnscrypt-proxy}/sbin/dnscrypt-proxy {
          capability ipc_lock,
          capability net_bind_service,
          capability net_admin,
          capability sys_chroot,
          capability setgid,
          capability setuid,
          /dev/null rw,
          /dev/urandom r,
          ${pkgs.glibc}/lib/*.so mr,
          ${pkgs.tzdata}/share/zoneinfo/** r,
          ${dnscrypt-proxy}/share/dnscrypt-proxy/** r,
          ${pkgs.gcc.gcc}/lib/libssp.so.* mr,
          ${pkgs.libsodium}/lib/libsodium.so.* mr,
        }
      '')
    ];
    ### User
    users.extraUsers = singleton {
      inherit uid;
      name = "dnscrypt-proxy";
      description = "dnscrypt-proxy daemon user";
    };
    ### Service definition
    systemd.services.dnscrypt-proxy = {
      description = "dnscrypt-proxy daemon";
      after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
      requires = mkIf apparmorEnabled [ "apparmor.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "forking";
        ExecStart = "${dnscrypt-proxy}/sbin/dnscrypt-proxy ${toString daemonArgs}";
      };
    };
  };
 }
--- a/nixos/modules/services/networking/dnsmasq.nix
+++ b/nixos/modules/services/networking/dnsmasq.nix
@ -82,7 +82,7 @@ in
    systemd.services.dnsmasq = {
        description = "dnsmasq daemon";
-        after = [ "network.target" ];
+        after = [ "network.target" "systemd-resolved.conf" ];
        wantedBy = [ "multi-user.target" ];
        path = [ dnsmasq ];
        preStart = ''
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -187,6 +187,12 @@ let
    # Clean up after added ruleset
    ip46tables -D INPUT -j nixos-fw 2>/dev/null || true
    ${optionalString (kernelHasRPFilter && cfg.checkReversePath) ''
      if ! ip46tables -D PREROUTING -t raw -m rpfilter --invert -j DROP; then
        echo "<2>failed to stop rpfilter support" >&2
      fi
    ''}
    ${cfg.extraStopCommands}
  '';
@ -452,8 +458,9 @@ in
    systemd.services.firewall = {
      description = "Firewall";
-      wantedBy = [ "network.target" ];
+      wantedBy = [ "network-pre.target" ];
-      after = [ "network-interfaces.target" "systemd-modules-load.service" ];
+      before = [ "network-pre.target" ];
      after = [ "systemd-modules-load.service" ];
      path = [ pkgs.iptables ];
--- a/nixos/modules/services/networking/git-daemon.nix
+++ b/nixos/modules/services/networking/git-daemon.nix
@ -3,7 +3,6 @@ with lib;
 let
  cfg = config.services.gitDaemon;
  gitUser = "git";
 in
 {
@ -14,6 +13,7 @@ in
    services.gitDaemon = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable Git daemon, which allows public hosting  of git repositories
@ -28,6 +28,7 @@ in
      };
      basePath = mkOption {
        type = types.str;
        default = "";
        example = "/srv/git/";
        description = ''
@ -38,6 +39,7 @@ in
      };
      exportAll = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Publish all directories that look like Git repositories (have the objects
@ -52,6 +54,7 @@ in
      };
      repositories = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "/srv/git" "/home/user/git/repo2" ];
        description = ''
@ -64,21 +67,36 @@ in
      };
      listenAddress = mkOption {
        type = types.str;
        default = "";
        example = "example.com";
        description = "Listen on a specific IP address or hostname.";
      };
      port = mkOption {
        type = types.int;
        default = 9418;
        description = "Port to listen on.";
      };
      options = mkOption {
        type = types.str;
        default = "";
        description = "Extra configuration options to be passed to Git daemon.";
      };
      user = mkOption {
        type = types.str;
        default = "git";
        description = "User under which Git daemon would be running.";
      };
      group = mkOption {
        type = types.str;
        default = "git";
        description = "Group under which Git daemon would be running.";
      };
    };
  };
@ -86,14 +104,14 @@ in
  config = mkIf cfg.enable {
-    users.extraUsers = singleton
+    users.extraUsers = if cfg.user != "git" then {} else singleton
-      { name = gitUser;
+      { name = "git";
        uid = config.ids.uids.git;
        description = "Git daemon user";
      };
-    users.extraGroups = singleton
+    users.extraGroups = if cfg.group != "git" then {} else singleton
-      { name = gitUser;
+      { name = "git";
        gid = config.ids.gids.git;
      };
@ -103,8 +121,8 @@ in
      exec = "${pkgs.git}/bin/git daemon --reuseaddr "
        + (optionalString (cfg.basePath != "") "--base-path=${cfg.basePath} ")
        + (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
-        + "--port=${toString cfg.port} --user=${gitUser} --group=${gitUser} ${cfg.options} "
+        + "--port=${toString cfg.port} --user=${cfg.user} --group=${cfg.group} ${cfg.options} "
-        + "--verbose " + (optionalString cfg.exportAll "--export-all")  + concatStringsSep " " cfg.repositories;
+        + "--verbose " + (optionalString cfg.exportAll "--export-all ")  + concatStringsSep " " cfg.repositories;
    };
  };
--- a/nixos/modules/services/networking/gogoclient.nix
+++ b/nixos/modules/services/networking/gogoclient.nix
@ -76,8 +76,7 @@ in
        exec ${pkgs.gogoclient}/bin/gogoc -y -f /var/lib/gogoc/gogoc.conf
      '';
    } // optionalAttrs cfg.autorun {
-      wantedBy = [ "ip-up.target" ];
+      wantedBy = [ "multi-user.target" ];
      partOf = [ "ip-up.target" ];
    };
  };
--- a/nixos/modules/services/networking/i2pd.nix
+++ b/nixos/modules/services/networking/i2pd.nix
@ -0,0 +1,198 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.i2pd;
  homeDir = "/var/lib/i2pd";
  extip = "EXTIP=$(${pkgs.curl}/bin/curl -sf "http://jsonip.com" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')";
  i2pSh = pkgs.writeScriptBin "i2pd" ''
    #!/bin/sh
    ${if isNull cfg.extIp then extip else ""}
    ${pkgs.i2pd}/bin/i2p --log=1 --daemon=0 --service=0 \
      --v6=${if cfg.enableIPv6 then "1" else "0"} \
      --unreachable=${if cfg.unreachable then "1" else "0"} \
      --host=${if isNull cfg.extIp then "$EXTIP" else cfg.extIp} \
      ${if isNull cfg.port then "" else "--port=${toString cfg.port}"} \
      --httpproxyport=${toString cfg.proxy.httpPort} \
      --socksproxyport=${toString cfg.proxy.socksPort} \
      --ircport=${toString cfg.irc.port} \
      --ircdest=${cfg.irc.dest} \
      --irckeys=${cfg.irc.keyFile} \
      --eepport=${toString cfg.eep.port} \
      ${if isNull cfg.sam.port then "" else "--samport=${toString cfg.sam.port}"} \
      --eephost=${cfg.eep.host} \
      --eepkeys=${cfg.eep.keyFile}
  '';
 in
 {
  ###### interface
  options = {
    services.i2pd = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enables I2Pd as a running service upon activation.
        '';
      };
      extIp = mkOption {
        type = with types; nullOr str;
        default = null;
        description = ''
          Your external IP.
        '';
      };
      unreachable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          If the router is declared to be unreachable and needs introduction nodes.
        '';
      };
      port = mkOption {
        type = with types; nullOr int;
        default = null;
        description = ''
          I2P listen port. If no one is given the router will pick between 9111 and 30777.
        '';
      };
      enableIPv6 = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enables IPv6 connectivity. Disabled by default.
        '';
      };
      http = {
        port = mkOption {
          type = types.int;
          default = 7070;
          description = ''
            HTTP listen port.
          '';
        };
      };
      proxy = {
        httpPort = mkOption {
          type = types.int;
          default = 4446;
          description = ''
            HTTP proxy listen port.
          '';
        };
        socksPort = mkOption {
          type = types.int;
          default = 4447;
          description = ''
            SOCKS proxy listen port.
          '';
        };
      };
      irc = {
        dest = mkOption {
          type = types.str;
          default = "irc.postman.i2p";
          description = ''
            Destination I2P tunnel endpoint address of IRC server. irc.postman.i2p by default.
          '';
        };
        port = mkOption {
          type = types.int;
          default = 6668;
          description = ''
            Local IRC tunnel endoint port to listen on. 6668 by default.
          '';
        };
        keyFile = mkOption {
          type = types.str;
          default = "privKeys.dat";
          description = ''
            File name containing destination keys. privKeys.dat by default.
          '';
        };
      };
      eep = {
        host = mkOption {
          type = types.str;
          default = "127.0.0.1";
          description = ''
            Address to forward incoming traffic to. 127.0.0.1 by default.
          '';
        };
        port = mkOption {
          type = types.int;
          default = 80;
          description = ''
            Port to forward incoming trafic to. 80 by default.
          '';
        };
        keyFile = mkOption {
          type = types.str;
          default = "privKeys.dat";
          description = ''
            File name containing destination keys. privKeys.dat by default.
          '';
        };
      };
      sam = {
        port = mkOption {
          type = with types; nullOr int;
          default = null;
          description = ''
            Local SAM tunnel endpoint. Usually 7656. SAM is disabled if not specified.
          '';
        };
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    users.extraUsers.i2pd = {
      group = "i2pd";
      description = "I2Pd User";
      home = homeDir;
      createHome = true;
      uid = config.ids.uids.i2pd;
    };
    users.extraGroups.i2pd.gid = config.ids.gids.i2pd;
    systemd.services.i2pd = {
      description = "Minimal I2P router";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig =
      {
        User = "i2pd";
        WorkingDirectory = homeDir;
        Restart = "on-abort";
        ExecStart = "${i2pSh}/bin/i2pd";
      };
    };
  };
 }
 #
--- a/nixos/modules/services/networking/minidlna.nix
+++ b/nixos/modules/services/networking/minidlna.nix
@ -79,7 +79,7 @@ in
      { description = "MiniDLNA Server";
        wantedBy = [ "multi-user.target" ];
-        after = [ "network.target" ];
+        after = [ "network.target" "local-fs.target" ];
        preStart =
          ''
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@ -157,9 +157,9 @@ in
    boot = {
      kernelModules = [ "nf_nat_ftp" ];
-      kernel.sysctl = mkOverride 99 {
+      kernel.sysctl = {
-        "net.ipv4.conf.all.forwarding" = true;
+        "net.ipv4.conf.all.forwarding" = mkOverride 99 true;
-        "net.ipv4.conf.default.forwarding" = true;
+        "net.ipv4.conf.default.forwarding" = mkOverride 99 true;
      };
    };
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -52,6 +52,7 @@ let
    #!/bin/sh
    if test "$2" = "up"; then
      ${config.systemd.package}/bin/systemctl start ip-up.target
      ${config.systemd.package}/bin/systemctl start network-online.target
    fi
  '';
@ -177,8 +178,8 @@ in {
    systemd.services."networkmanager-init" = {
      description = "NetworkManager initialisation";
      wantedBy = [ "network.target" ];
-      wants = [ "NetworkManager.service" ];
+      wants = [ "network-manager.service" ];
-      before = [ "NetworkManager.service" ];
+      before = [ "network-manager.service" ];
      script = ''
        mkdir -m 700 -p /etc/NetworkManager/system-connections
        mkdir -m 755 -p ${stateDirs}
@ -193,7 +194,7 @@ in {
    };
    powerManagement.resumeCommands = ''
-      systemctl restart NetworkManager
+      Systemctl restart network-manager
    '';
    security.polkit.extraConfig = polkitConf;
--- a/nixos/modules/services/networking/ntpd.nix
+++ b/nixos/modules/services/networking/ntpd.nix
@ -45,9 +45,10 @@ in
      servers = mkOption {
        default = [
-          "0.pool.ntp.org"
+          "0.nixos.pool.ntp.org"
-          "1.pool.ntp.org"
+          "1.nixos.pool.ntp.org"
-          "2.pool.ntp.org"
+          "2.nixos.pool.ntp.org"
          "3.nixos.pool.ntp.org"
        ];
        description = ''
          The set of NTP servers from which to synchronise.
@ -76,8 +77,7 @@ in
    jobs.ntpd =
      { description = "NTP Daemon";
-        wantedBy = [ "ip-up.target" ];
+        wantedBy = [ "multi-user.target" ];
        partOf = [ "ip-up.target" ];
        path = [ ntp ];
--- a/Show More
+++ b/Show More