Merge branch 'master' to resolve conflicts

Vladimír Čunát 2016-05-05 08:18:44 +02:00
commit 7a005601d4
893 changed files with 89619 additions and 32353 deletions


@ -1,6 +1,9 @@
###### Things done ###### Things done
- [ ] Tested using sandboxing (`nix-build --option build-use-chroot true` or [nix.useChroot](http://nixos.org/nixos/manual/options.html#opt-nix.useChroot) on NixOS) - [ ] Tested using sandboxing
([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS,
or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
on non-NixOS)
- Built on platform(s) - Built on platform(s)
- [ ] NixOS - [ ] NixOS
- [ ] OS X - [ ] OS X
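Review bot: The replacement checklist line names only the persistent settings (`nix.useSandbox` on NixOS, or `build-use-sandbox` in `nix.conf`) and loses the one-off form the old line gave with `nix-build --option build-use-chroot true`. Contributors who do not want to change their system configuration need a per-invocation way to test in the sandbox, so consider keeping a command-line variant with the renamed option next to the two configuration references.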

376
doc/beam-users-guide.xml Normal file

@ -0,0 +1,376 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="users-guide-to-the-erlang-infrastructure">
<title>User's Guide to the Beam Infrastructure</title>
<section xml:id="beam-introduction">
<title>Beam Languages (Erlang &amp; Elixir) on Nix</title>
<para>
In this document and related Nix expressions we use the term
<emphasis>Beam</emphasis> to describe the environment. Beam is
the name of the Erlang Virtial Machine and, as far as we know,
from a packaging perspective all languages that run on Beam are
interchangable. The things that do change, like the build
system, are transperant to the users of the package. So we make
no distinction.
</para>
</section>
<section xml:id="build-tools">
<title>Build Tools</title>
<section xml:id="build-tools-rebar3">
<title>Rebar3</title>
<para>
By default Rebar3 wants to manage it's own dependencies. In the
normal non-Nix, this is perfectly acceptable. In the Nix world it
is not. To support this we have created two versions of rebar3,
<literal>rebar3</literal> and <literal>rebar3-open</literal>. The
<literal>rebar3</literal> version has been patched to remove the
ability to download anything from it. If you are not running it a
nix-shell or a nix-build then its probably not going to work for
you. <literal>rebar3-open</literal> is the normal, un-modified
rebar3. It should work exactly as would any other version of
rebar3. Any Erlang package should rely on
<literal>rebar3</literal> and thats really what you should be
using too.
</para>
</section>
<section xml:id="build-tools-other">
<title>Mix &amp; Erlang.mk</title>
<para>
Both Mix and Erlang.mk work exactly as you would expect. There
is a bootstrap process that needs to be run for both of
them. However, that is supported by the
<literal>buildMix</literal> and <literal>buildErlangMk</literal> derivations.
</para>
</section>
</section>
<section xml:id="how-to-install-beam-packages">
<title>How to install Beam packages</title>
<para>
Beam packages are not registered in the top level simply because
they are not relevant to the vast majority of Nix users. They are
installable using the <literal>beamPackages</literal> attribute
set.
You can list the avialable packages in the
<literal>beamPackages</literal> with the following command:
</para>
<programlisting>
$ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A beamPackages
beamPackages.esqlite esqlite-0.2.1
beamPackages.goldrush goldrush-0.1.7
beamPackages.ibrowse ibrowse-4.2.2
beamPackages.jiffy jiffy-0.14.5
beamPackages.lager lager-3.0.2
beamPackages.meck meck-0.8.3
beamPackages.rebar3-pc pc-1.1.0
</programlisting>
<para>
To install any of those packages into your profile, refer to them by
their attribute path (first column):
</para>
<programlisting>
$ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA beamPackages.ibrowse
</programlisting>
<para>
The attribute path of any Beam packages corresponds to the name
of that particular package in Hex or its OTP Application/Release name.
</para>
</section>
<section xml:id="packaging-beam-applications">
<title>Packaging Beam Applications</title>
<section xml:id="packaging-erlang-applications">
<title>Erlang Applications</title>
<section xml:id="rebar3-packages">
<title>Rebar3 Packages</title>
<para>
There is a Nix functional called
<literal>buildRebar3</literal>. We use this function to make a
derivation that understands how to build the rebar3 project. For
example, the epression we use to build the <link
xlink:href="https://github.com/erlang-nix/hex2nix">hex2nix</link>
project follows.
</para>
<programlisting>
{stdenv, fetchFromGitHub, buildRebar3, ibrowse, jsx, erlware_commons }:
buildRebar3 rec {
name = "hex2nix";
version = "0.0.1";
src = fetchFromGitHub {
owner = "ericbmerritt";
repo = "hex2nix";
rev = "${version}";
sha256 = "1w7xjidz1l5yjmhlplfx7kphmnpvqm67w99hd2m7kdixwdxq0zqg";
};
beamDeps = [ ibrowse jsx erlware_commons ];
}
</programlisting>
<para>
The only visible difference between this derivation and
something like <literal>stdenv.mkDerivation</literal> is that we
have added <literal>erlangDeps</literal> to the derivation. If
you add your Beam dependencies here they will be correctly
handled by the system.
</para>
<para>
If your package needs to compile native code via Rebar's port
compilation mechenism. You should add <literal>compilePort =
true;</literal> to the derivation.
</para>
</section>
<section xml:id="erlang-mk-packages">
<title>Erlang.mk Packages</title>
<para>
Erlang.mk functions almost identically to Rebar. The only real
difference is that <literal>buildErlangMk</literal> is called
instead of <literal>buildRebar3</literal>
</para>
<programlisting>
{ buildErlangMk, fetchHex, cowlib, ranch }:
buildErlangMk {
name = "cowboy";
version = "1.0.4";
src = fetchHex {
pkg = "cowboy";
version = "1.0.4";
sha256 =
"6a0edee96885fae3a8dd0ac1f333538a42e807db638a9453064ccfdaa6b9fdac";
};
beamDeps = [ cowlib ranch ];
meta = {
description = ''Small, fast, modular HTTP server written in
Erlang.'';
license = stdenv.lib.licenses.isc;
homepage = "https://github.com/ninenines/cowboy";
};
}
</programlisting>
</section>
<section xml:id="mix-packages">
<title>Mix Packages</title>
<para>
Mix functions almost identically to Rebar. The only real
difference is that <literal>buildMix</literal> is called
instead of <literal>buildRebar3</literal>
</para>
<programlisting>
{ buildMix, fetchHex, plug, absinthe }:
buildMix {
name = "absinthe_plug";
version = "1.0.0";
src = fetchHex {
pkg = "absinthe_plug";
version = "1.0.0";
sha256 =
"08459823fe1fd4f0325a8bf0c937a4520583a5a26d73b193040ab30a1dfc0b33";
};
beamDeps = [ plug absinthe];
meta = {
description = ''A plug for Absinthe, an experimental GraphQL
toolkit'';
license = stdenv.lib.licenses.bsd3;
homepage = "https://github.com/CargoSense/absinthe_plug";
};
}
</programlisting>
</section>
</section>
</section>
<section xml:id="how-to-develop">
<title>How to develop</title>
<section xml:id="accessing-an-environment">
<title>Accessing an Environment</title>
<para>
Often, all you want to do is be able to access a valid
environment that contains a specific package and its
dependencies. we can do that with the <literal>env</literal>
part of a derivation. For example, lets say we want to access an
erlang repl with ibrowse loaded up. We could do the following.
</para>
<programlisting>
~/w/nixpkgs nix-shell -A beamPackages.ibrowse.env --run "erl"
Erlang/OTP 18 [erts-7.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]
Eshell V7.0 (abort with ^G)
1> m(ibrowse).
Module: ibrowse
MD5: 3b3e0137d0cbb28070146978a3392945
Compiled: January 10 2016, 23:34
Object file: /nix/store/g1rlf65rdgjs4abbyj4grp37ry7ywivj-ibrowse-4.2.2/lib/erlang/lib/ibrowse-4.2.2/ebin/ibrowse.beam
Compiler options: [{outdir,"/tmp/nix-build-ibrowse-4.2.2.drv-0/hex-source-ibrowse-4.2.2/_build/default/lib/ibrowse/ebin"},
debug_info,debug_info,nowarn_shadow_vars,
warn_unused_import,warn_unused_vars,warnings_as_errors,
{i,"/tmp/nix-build-ibrowse-4.2.2.drv-0/hex-source-ibrowse-4.2.2/_build/default/lib/ibrowse/include"}]
Exports:
add_config/1 send_req_direct/7
all_trace_off/0 set_dest/3
code_change/3 set_max_attempts/3
get_config_value/1 set_max_pipeline_size/3
get_config_value/2 set_max_sessions/3
get_metrics/0 show_dest_status/0
get_metrics/2 show_dest_status/1
handle_call/3 show_dest_status/2
handle_cast/2 spawn_link_worker_process/1
handle_info/2 spawn_link_worker_process/2
init/1 spawn_worker_process/1
module_info/0 spawn_worker_process/2
module_info/1 start/0
rescan_config/0 start_link/0
rescan_config/1 stop/0
send_req/3 stop_worker_process/1
send_req/4 stream_close/1
send_req/5 stream_next/1
send_req/6 terminate/2
send_req_direct/4 trace_off/0
send_req_direct/5 trace_off/2
send_req_direct/6 trace_on/0
trace_on/2
ok
2>
</programlisting>
<para>
Notice the <literal>-A beamPackages.ibrowse.env</literal>.That
is the key to this functionality.
</para>
</section>
<section xml:id="creating-a-shell">
<title>Creating a Shell</title>
<para>
Getting access to an environment often isn't enough to do real
development. Many times we need to create a
<literal>shell.nix</literal> file and do our development inside
of the environment specified by that file. This file looks a lot
like the packageing described above. The main difference is that
<literal>src</literal> points to project root and we call the
package directly.
</para>
<programlisting>
{ pkgs ? import &quot;&lt;nixpkgs&quot;&gt; {} }:
with pkgs;
let
f = { buildRebar3, ibrowse, jsx, erlware_commons }:
buildRebar3 {
name = "hex2nix";
version = "0.1.0";
src = ./.;
erlangDeps = [ ibrowse jsx erlware_commons ];
};
drv = beamPackages.callPackage f {};
in
drv
</programlisting>
<section xml:id="building-in-a-shell">
<title>Building in a shell</title>
<para>
We can leveral the support of the Derivation, regardless of
which build Derivation is called by calling the commands themselv.s
</para>
<programlisting>
# =============================================================================
# Variables
# =============================================================================
NIX_TEMPLATES := "$(CURDIR)/nix-templates"
TARGET := "$(PREFIX)"
PROJECT_NAME := thorndyke
NIXPKGS=../nixpkgs
NIX_PATH=nixpkgs=$(NIXPKGS)
NIX_SHELL=nix-shell -I "$(NIX_PATH)" --pure
# =============================================================================
# Rules
# =============================================================================
.PHONY= all test clean repl shell build test analyze configure install \
test-nix-install publish plt analyze
all: build
guard-%:
@ if [ "${${*}}" == "" ]; then \
echo "Environment variable $* not set"; \
exit 1; \
fi
clean:
rm -rf _build
rm -rf .cache
repl:
$(NIX_SHELL) --run "iex -pa './_build/prod/lib/*/ebin'"
shell:
$(NIX_SHELL)
configure:
$(NIX_SHELL) --command 'eval "$$configurePhase"'
build: configure
$(NIX_SHELL) --command 'eval "$$buildPhase"'
install:
$(NIX_SHELL) --command 'eval "$$installPhase"'
test:
$(NIX_SHELL) --command 'mix test --no-start --no-deps-check'
plt:
$(NIX_SHELL) --run "mix dialyzer.plt --no-deps-check"
analyze: build plt
$(NIX_SHELL) --run "mix dialyzer --no-compile"
</programlisting>
<para>
If you add the <literal>shell.nix</literal> as described and
user rebar as follows things should simply work. Aside from the
<literal>test</literal>, <literal>plt</literal>, and
<literal>analyze</literal> the talks work just fine for all of
the build Derivations.
</para>
</section>
</section>
</section>
<section xml:id="generating-packages-from-hex-with-hex2nix">
<title>Generating Packages from Hex with Hex2Nix</title>
<para>
Updating the Hex packages requires the use of the
<literal>hex2nix</literal> tool. Given the path to the Erlang
modules (usually
<literal>pkgs/development/erlang-modules</literal>). It will
happily dump a file called
<literal>hex-packages.nix</literal>. That file will contain all
the packages that use a recognized build system in Hex. However,
it can't know whether or not all those packages are buildable.
</para>
<para>
To make life easier for our users, it makes good sense to go
ahead and attempt to build all those packages and remove the
ones that don't build. To do that, simply run the command (in
the root of your <literal>nixpkgs</literal> repository). that follows.
</para>
<programlisting>
$ nix-build -A beamPackages
</programlisting>
<para>
That will build every package in
<literal>beamPackages</literal>. Then you can go through and
manually remove the ones that fail. Hopefully, someone will
improve <literal>hex2nix</literal> in the future to automate
that.
</para>
</section>
</chapter>
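Review bot: The Rebar3 example sets `beamDeps = [ ibrowse jsx erlware_commons ];`, but the paragraph directly after it says the derivation gained `erlangDeps`, and the `shell.nix` listing under "Creating a Shell" still passes `erlangDeps`; pick one attribute name and use it throughout, because as written readers cannot tell which one the builders actually read. In the same `shell.nix` listing the first line decodes to `import "<nixpkgs">`, with the closing quote and bracket swapped; it should be `import <nixpkgs> {}`. The cowboy and absinthe_plug examples reference `stdenv.lib.licenses` without `stdenv` in their argument sets, and the Makefile writes `.PHONY=`, which assigns a variable instead of declaring phony targets (`.PHONY:`), with `test` and `analyze` listed twice. The closing paragraph says "user rebar as follows" after a Makefile that drives `mix`, and the chapter keeps `xml:id="users-guide-to-the-erlang-infrastructure"` despite the rename to Beam. Spelling to fix while here: "Virtial", "interchangable", "transperant", "avialable", "epression", "mechenism", "packageing", "leveral", "themselv.s".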


@ -1,305 +0,0 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="users-guide-to-the-erlang-infrastructure">
<title>User's Guide to the Erlang Infrastructure</title>
<section xml:id="build-tools">
<title>Build Tools</title>
<para>
By default Rebar3 wants to manage it's own dependencies. In the
normal non-Nix, this is perfectly acceptable. In the Nix world it
is not. To support this we have created two versions of rebar3,
<literal>rebar3</literal> and <literal>rebar3-open</literal>. The
<literal>rebar3</literal> version has been patched to remove the
ability to download anything from it. If you are not running it a
nix-shell or a nix-build then its probably not going to work for
you. <literal>rebar3-open</literal> is the normal, un-modified
rebar3. It should work exactly as would any other version of
rebar3. Any Erlang package should rely on
<literal>rebar3</literal> and thats really what you should be
using too.
</para>
</section>
<section xml:id="how-to-install-erlang-packages">
<title>How to install Erlang packages</title>
<para>
Erlang packages are not registered in the top level simply because
they are not relevant to the vast majority of Nix users. They are
installable using the <literal>erlangPackages</literal> attribute set.
You can list the avialable packages in the
<literal>erlangPackages</literal> with the following command:
</para>
<programlisting>
$ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -qaP -A erlangPackages
erlangPackages.esqlite esqlite-0.2.1
erlangPackages.goldrush goldrush-0.1.7
erlangPackages.ibrowse ibrowse-4.2.2
erlangPackages.jiffy jiffy-0.14.5
erlangPackages.lager lager-3.0.2
erlangPackages.meck meck-0.8.3
erlangPackages.rebar3-pc pc-1.1.0
</programlisting>
<para>
To install any of those packages into your profile, refer to them by
their attribute path (first column):
</para>
<programlisting>
$ nix-env -f &quot;&lt;nixpkgs&gt;&quot; -iA erlangPackages.ibrowse
</programlisting>
<para>
The attribute path of any Erlang packages corresponds to the name
of that particular package in Hex or its OTP Application/Release name.
</para>
</section>
<section xml:id="packaging-erlang-applications">
<title>Packaging Erlang Applications</title>
<section xml:id="rebar3-packages">
<title>Rebar3 Packages</title>
<para>
There is a Nix functional called
<literal>buildRebar3</literal>. We use this function to make a
derivation that understands how to build the rebar3 project. For
example, the epression we use to build the <link
xlink:href="https://github.com/erlang-nix/hex2nix">hex2nix</link>
project follows.
</para>
<programlisting>
{stdenv, fetchFromGitHub, buildRebar3, ibrowse, jsx, erlware_commons }:
buildRebar3 rec {
name = "hex2nix";
version = "0.0.1";
src = fetchFromGitHub {
owner = "ericbmerritt";
repo = "hex2nix";
rev = "${version}";
sha256 = "1w7xjidz1l5yjmhlplfx7kphmnpvqm67w99hd2m7kdixwdxq0zqg";
};
erlangDeps = [ ibrowse jsx erlware_commons ];
}
</programlisting>
<para>
The only visible difference between this derivation and
something like <literal>stdenv.mkDerivation</literal> is that we
have added <literal>erlangDeps</literal> to the derivation. If
you add your Erlang dependencies here they will be correctly
handled by the system.
</para>
<para>
If your package needs to compile native code via Rebar's port
compilation mechenism. You should add <literal>compilePort =
true;</literal> to the derivation.
</para>
</section>
<section xml:id="hex-packages">
<title>Hex Packages</title>
<para>
Hex packages are based on Rebar packages. In fact, at the moment
we can only compile Hex packages that are buildable with
Rebar3. Packages that use Mix and other build systems are not
supported. That being said, we know a lot more about Hex and can
do more for you.
</para>
<programlisting>
{ buildHex }:
buildHex {
name = "esqlite";
version = "0.2.1";
sha256 = "1296fn1lz4lz4zqzn4dwc3flgkh0i6n4sydg501faabfbv8d3wkr";
compilePort = true;
}
</programlisting>
<para>
For Hex packages you need to provide the name, the version, and
the Sha 256 digest of the package and use
<literal>buildHex</literal> to build it. Obviously, the package
needs to have already been published to Hex.
</para>
</section>
</section>
<section xml:id="how-to-develop">
<title>How to develop</title>
<section xml:id="accessing-an-environment">
<title>Accessing an Environment</title>
<para>
Often, all you want to do is be able to access a valid
environment that contains a specific package and its
dependencies. we can do that with the <literal>env</literal>
part of a derivation. For example, lets say we want to access an
erlang repl with ibrowse loaded up. We could do the following.
</para>
<programlisting>
~/w/nixpkgs nix-shell -A erlangPackages.ibrowse.env --run "erl"
Erlang/OTP 18 [erts-7.0] [source] [64-bit] [smp:4:4] [async-threads:10] [hipe] [kernel-poll:false]
Eshell V7.0 (abort with ^G)
1> m(ibrowse).
Module: ibrowse
MD5: 3b3e0137d0cbb28070146978a3392945
Compiled: January 10 2016, 23:34
Object file: /nix/store/g1rlf65rdgjs4abbyj4grp37ry7ywivj-ibrowse-4.2.2/lib/erlang/lib/ibrowse-4.2.2/ebin/ibrowse.beam
Compiler options: [{outdir,"/tmp/nix-build-ibrowse-4.2.2.drv-0/hex-source-ibrowse-4.2.2/_build/default/lib/ibrowse/ebin"},
debug_info,debug_info,nowarn_shadow_vars,
warn_unused_import,warn_unused_vars,warnings_as_errors,
{i,"/tmp/nix-build-ibrowse-4.2.2.drv-0/hex-source-ibrowse-4.2.2/_build/default/lib/ibrowse/include"}]
Exports:
add_config/1 send_req_direct/7
all_trace_off/0 set_dest/3
code_change/3 set_max_attempts/3
get_config_value/1 set_max_pipeline_size/3
get_config_value/2 set_max_sessions/3
get_metrics/0 show_dest_status/0
get_metrics/2 show_dest_status/1
handle_call/3 show_dest_status/2
handle_cast/2 spawn_link_worker_process/1
handle_info/2 spawn_link_worker_process/2
init/1 spawn_worker_process/1
module_info/0 spawn_worker_process/2
module_info/1 start/0
rescan_config/0 start_link/0
rescan_config/1 stop/0
send_req/3 stop_worker_process/1
send_req/4 stream_close/1
send_req/5 stream_next/1
send_req/6 terminate/2
send_req_direct/4 trace_off/0
send_req_direct/5 trace_off/2
send_req_direct/6 trace_on/0
trace_on/2
ok
2>
</programlisting>
<para>
Notice the <literal>-A erlangPackages.ibrowse.env</literal>.That
is the key to this functionality.
</para>
</section>
<section xml:id="creating-a-shell">
<title>Creating a Shell</title>
<para>
Getting access to an environment often isn't enough to do real
development. Many times we need to create a
<literal>shell.nix</literal> file and do our development inside
of the environment specified by that file. This file looks a lot
like the packageing described above. The main difference is that
<literal>src</literal> points to project root and we call the
package directly.
</para>
<programlisting>
{ pkgs ? import &quot;&lt;nixpkgs&quot;&gt; {} }:
with pkgs;
let
f = { buildHex, ibrowse, jsx, erlware_commons }:
buildHex {
name = "hex2nix";
version = "0.1.0";
src = ./.;
erlangDeps = [ ibrowse jsx erlware_commons ];
};
drv = erlangPackages.callPackage f {};
in
drv
</programlisting>
<section xml:id="building-in-a-shell">
<title>Building in a shell</title>
<para>
Unfortunatly for us users of Nix, Rebar isn't very cooperative
with us from the standpoint of building a hermetic
environment. When building the rebar3 support we had to do some
sneaky things to get it not to go out and pull packages on its
own. Also unfortunately, you have to do some of the same things
when building a project inside of a Nix shell.
<orderedlist numeration="arabic">
<listitem>
<para>Run <literal>rebar3-nix-bootstrap</literal> every time
dependencies change</para>
</listitem>
<listitem>
<para>Set Home to the current directory.</para>
</listitem>
</orderedlist>
If you do these two things then Rebar will be happy with you. I
codify these into a makefile. Forunately, rebar3-nix-bootstrap
is idempotent and fairly quick. so you can run it as often as
you like.
</para>
<programlisting>
# =============================================================================
# Rules
# =============================================================================
.PHONY= all test clean repl shell build test analyze bootstrap
all: test
clean:
rm -rf _build
rm -rf .cache
repl:
nix-shell --run "erl"
shell:
nix-shell --run "bash"
bootstrap:
nix-shell --pure --run "rebar3-nix-bootstrap"
build: bootstrap
nix-shell --pure --run "HOME=$(CURDIR) rebar3 compile"
analyze: bootstrap
nix-shell --pure --run "HOME=$(CURDIR) rebar3 do compile,dialyzer"
test: bootstrap
nix-shell --pure --run "HOME=$(CURDIR) rebar3 do compile,dialyzer,eunit"
</programlisting>
<para>
If you add the <literal>shell.nix</literal> as described and
user rebar as follows things should simply work.
</para>
</section>
</section>
</section>
<section xml:id="generating-packages-from-hex-with-hex2nix">
<title>Generating Packages from Hex with Hex2Nix</title>
<para>
Updating the Hex packages requires the use of the
<literal>hex2nix</literal> tool. Given the path to the Erlang
modules (usually
<literal>pkgs/development/erlang-modules</literal>). It will
happily dump a file called
<literal>hex-packages.nix</literal>. That file will contain all
the packages that use a recognized build system in Hex. However,
it can't know whether or not all those packages are buildable.
</para>
<para>
To make life easier for our users, it makes good sense to go
ahead and attempt to build all those packages and remove the
ones that don't build. To do that, simply run the command (in
the root of your <literal>nixpkgs</literal> repository). that follows.
</para>
<programlisting>
$ nix-build -A erlangPackages
</programlisting>
<para>
That will build every package in
<literal>erlangPackages</literal>. Then you can go through and
manually remove the ones that fail. Hopefully, someone will
improve <literal>hex2nix</literal> in the future to automate
that.
</para>
</section>
</chapter>
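Review bot: The "Hex Packages" section on `buildHex` and the two-step `rebar3-nix-bootstrap` / `HOME` procedure under "Building in a shell" have no counterpart in the new beam-users-guide.xml, whose examples use `fetchHex` without describing it. If `buildHex` and `rebar3-nix-bootstrap` still exist, carry that text over into the new chapter; if they were removed, say so there, since the deleted `shell.nix` example called `buildHex` and users following it will otherwise have nothing to migrate from.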


@ -119,6 +119,6 @@ done
</screen> </screen>
</para> </para>
<para>To extract dependency information from a Go package in automated way use <link xlink:href="https://github.com/cstrahan/go2nix">go2nix</link>.</para> <para>To extract dependency information from a Go package in automated way use <link xlink:href="https://github.com/kamilchm/go2nix">go2nix</link>.</para>
</section> </section>
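Review bot: The link target moves from `cstrahan/go2nix` to `kamilchm/go2nix` with no accompanying text; since readers will run this tool to generate dependency pins, confirm that the new owner is the upstream that is actually packaged. While touching the sentence, "in automated way" should read "in an automated way".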


@ -108,7 +108,7 @@ toolz = buildPythonPackage rec{
version = "0.7.4"; version = "0.7.4";
src = pkgs.fetchurl{ src = pkgs.fetchurl{
url = "https://pypi.python.org/packages/source/t/toolz/toolz-${version}.tar.gz"; url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd"; sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
}; };
@ -146,7 +146,7 @@ pkgs.python35Packages.buildPythonPackage rec {
version = "0.7.4"; version = "0.7.4";
src = pkgs.fetchurl{ src = pkgs.fetchurl{
url = "https://pypi.python.org/packages/source/t/toolz/toolz-${version}.tar.gz"; url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd"; sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
}; };
@ -175,7 +175,7 @@ with import <nixpkgs> {};
version = "0.7.4"; version = "0.7.4";
src = pkgs.fetchurl{ src = pkgs.fetchurl{
url = "https://pypi.python.org/packages/source/t/toolz/toolz-${version}.tar.gz"; url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd"; sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
}; };
@ -220,7 +220,7 @@ datashape = buildPythonPackage rec {
version = "0.4.7"; version = "0.4.7";
src = pkgs.fetchurl { src = pkgs.fetchurl {
url = "https://pypi.python.org/packages/source/D/DataShape/${name}.tar.gz"; url = "mirror://pypi/D/DataShape/${name}.tar.gz";
sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278"; sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
}; };
@ -251,7 +251,7 @@ lxml = buildPythonPackage rec {
name = "lxml-3.4.4"; name = "lxml-3.4.4";
src = pkgs.fetchurl { src = pkgs.fetchurl {
url = "http://pypi.python.org/packages/source/l/lxml/${name}.tar.gz"; url = "mirror://pypi/l/lxml/${name}.tar.gz";
sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk"; sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
}; };
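Review bot: The removed URL in this hunk is plain `http://pypi.python.org/...`, while the other six hunks in this file replace `https://` URLs, so it is worth confirming that every entry behind `mirror://pypi` is HTTPS; otherwise the six examples that were on TLS could end up fetched in cleartext. The `sha256` still catches a tampered tarball either way, so this is about transport hygiene in documentation that people copy from, not integrity.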
@ -282,7 +282,7 @@ pyfftw = buildPythonPackage rec {
version = "0.9.2"; version = "0.9.2";
src = pkgs.fetchurl { src = pkgs.fetchurl {
url = "https://pypi.python.org/packages/source/p/pyFFTW/pyFFTW-${version}.tar.gz"; url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074"; sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
}; };
@ -373,7 +373,7 @@ buildPythonPackage rec {
version = "0.7.4"; version = "0.7.4";
src = pkgs.fetchurl{ src = pkgs.fetchurl{
url = "https://pypi.python.org/packages/source/t/toolz/toolz-${version}.tar.gz"; url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd"; sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
}; };


@ -21,7 +21,7 @@
<xi:include href="coding-conventions.xml" /> <xi:include href="coding-conventions.xml" />
<xi:include href="submitting-changes.xml" /> <xi:include href="submitting-changes.xml" />
<xi:include href="haskell-users-guide.xml" /> <xi:include href="haskell-users-guide.xml" />
<xi:include href="erlang-users-guide.xml" /> <xi:include href="beam-users-guide.xml" />
<xi:include href="contributing.xml" /> <xi:include href="contributing.xml" />
</book> </book>


@ -14,6 +14,7 @@
adev = "Adrien Devresse <adev@adev.name>"; adev = "Adrien Devresse <adev@adev.name>";
Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>"; Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>"; aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>";
adnelson = "Allen Nelson <ithinkican@gmail.com>";
aflatter = "Alexander Flatter <flatter@fastmail.fm>"; aflatter = "Alexander Flatter <flatter@fastmail.fm>";
aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>"; aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>"; afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>";
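Review bot: `adnelson` is inserted after `aespinosa`, which breaks the alphabetical order the surrounding entries follow; it belongs between `Adjective-Object` and `aespinosa`.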
@ -102,6 +103,7 @@
dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>"; dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
dochang = "Desmond O. Chang <dochang@gmail.com>"; dochang = "Desmond O. Chang <dochang@gmail.com>";
doublec = "Chris Double <chris.double@double.co.nz>"; doublec = "Chris Double <chris.double@double.co.nz>";
drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>"; ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>"; ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
eduarrrd = "Eduard Bachmakov <e.bachmakov@gmail.com>"; eduarrrd = "Eduard Bachmakov <e.bachmakov@gmail.com>";
@ -141,9 +143,11 @@
garrison = "Jim Garrison <jim@garrison.cc>"; garrison = "Jim Garrison <jim@garrison.cc>";
gavin = "Gavin Rogers <gavin@praxeology.co.uk>"; gavin = "Gavin Rogers <gavin@praxeology.co.uk>";
gebner = "Gabriel Ebner <gebner@gebner.org>"; gebner = "Gabriel Ebner <gebner@gebner.org>";
gilligan = "Tobias Pflug <tobias.pflug@gmail.com>";
giogadi = "Luis G. Torres <lgtorres42@gmail.com>"; giogadi = "Luis G. Torres <lgtorres42@gmail.com>";
gleber = "Gleb Peregud <gleber.p@gmail.com>"; gleber = "Gleb Peregud <gleber.p@gmail.com>";
globin = "Robin Gloster <mail@glob.in>"; globin = "Robin Gloster <mail@glob.in>";
gpyh = "Yacine Hmito <yacine.hmito@gmail.com>";
goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>"; goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
Gonzih = "Max Gonzih <gonzih@gmail.com>"; Gonzih = "Max Gonzih <gonzih@gmail.com>";
gridaphobe = "Eric Seidel <eric@seidel.io>"; gridaphobe = "Eric Seidel <eric@seidel.io>";
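Review bot: `gpyh` is inserted between `globin` and `goibhniu`, out of the list's alphabetical order; it belongs after `Gonzih` and before `gridaphobe`.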
@ -234,6 +238,7 @@
mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>"; mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
modulistic = "Pablo Costa <modulistic@gmail.com>"; modulistic = "Pablo Costa <modulistic@gmail.com>";
mog = "Matthew O'Gorman <mog-lists@rldn.net>"; mog = "Matthew O'Gorman <mog-lists@rldn.net>";
moosingin3space = "Nathan Moos <moosingin3space@gmail.com>";
moretea = "Maarten Hoogendoorn <maarten@moretea.nl>"; moretea = "Maarten Hoogendoorn <maarten@moretea.nl>";
mornfall = "Petr Ročkai <me@mornfall.net>"; mornfall = "Petr Ročkai <me@mornfall.net>";
MostAwesomeDude = "Corbin Simpson <cds@corbinsimpson.com>"; MostAwesomeDude = "Corbin Simpson <cds@corbinsimpson.com>";
@ -253,7 +258,7 @@
notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>"; notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>"; np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>"; nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
obadz = "obadz <dav-nixos@odav.org>"; obadz = "obadz <nixos@obadz.com>";
ocharles = "Oliver Charles <ollie@ocharles.org.uk>"; ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
odi = "Oliver Dunkl <oliver.dunkl@gmail.com>"; odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
offline = "Jaka Hudoklin <jakahudoklin@gmail.com>"; offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
@ -290,12 +295,14 @@
pxc = "Patrick Callahan <patrick.callahan@latitudeengineering.com>"; pxc = "Patrick Callahan <patrick.callahan@latitudeengineering.com>";
qknight = "Joachim Schiele <js@lastlog.de>"; qknight = "Joachim Schiele <js@lastlog.de>";
ragge = "Ragnar Dahlen <r.dahlen@gmail.com>"; ragge = "Ragnar Dahlen <r.dahlen@gmail.com>";
rardiol = "Ricardo Ardissone <ricardo.ardissone@gmail.com>";
rasendubi = "Alexey Shmalko <rasen.dubi@gmail.com>"; rasendubi = "Alexey Shmalko <rasen.dubi@gmail.com>";
raskin = "Michael Raskin <7c6f434c@mail.ru>"; raskin = "Michael Raskin <7c6f434c@mail.ru>";
redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>"; redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
refnil = "Martin Lavoie <broemartino@gmail.com>"; refnil = "Martin Lavoie <broemartino@gmail.com>";
relrod = "Ricky Elrod <ricky@elrod.me>"; relrod = "Ricky Elrod <ricky@elrod.me>";
renzo = "Renzo Carbonara <renzocarbonara@gmail.com>"; renzo = "Renzo Carbonara <renzocarbonara@gmail.com>";
retrry = "Tadas Barzdžius <retrry@gmail.com>";
rick68 = "Wei-Ming Yang <rick68@gmail.com>"; rick68 = "Wei-Ming Yang <rick68@gmail.com>";
rickynils = "Rickard Nilsson <rickynils@gmail.com>"; rickynils = "Rickard Nilsson <rickynils@gmail.com>";
rnhmjoj = "Michele Guerini Rocco <micheleguerinirocco@me.com>"; rnhmjoj = "Michele Guerini Rocco <micheleguerinirocco@me.com>";
@ -312,6 +319,7 @@
ryanartecona = "Ryan Artecona <ryanartecona@gmail.com>"; ryanartecona = "Ryan Artecona <ryanartecona@gmail.com>";
ryantm = "Ryan Mulligan <ryan@ryantm.com>"; ryantm = "Ryan Mulligan <ryan@ryantm.com>";
rycee = "Robert Helgesson <robert@rycee.net>"; rycee = "Robert Helgesson <robert@rycee.net>";
ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>"; samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
sander = "Sander van der Burg <s.vanderburg@tudelft.nl>"; sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>"; schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
@ -338,6 +346,7 @@
spwhitt = "Spencer Whitt <sw@swhitt.me>"; spwhitt = "Spencer Whitt <sw@swhitt.me>";
stephenmw = "Stephen Weinberg <stephen@q5comm.com>"; stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
steveej = "Stefan Junker <mail@stefanjunker.de>"; steveej = "Stefan Junker <mail@stefanjunker.de>";
swistak35 = "Rafał Łasocha <me@swistak35.com>";
szczyp = "Szczyp <qb@szczyp.com>"; szczyp = "Szczyp <qb@szczyp.com>";
sztupi = "Attila Sztupak <attila.sztupak@gmail.com>"; sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
taeer = "Taeer Bar-Yam <taeer@necsi.edu>"; taeer = "Taeer Bar-Yam <taeer@necsi.edu>";

View File

@ -1,22 +0,0 @@
#! /usr/bin/perl -w
use strict;
my %map;
open LIST1, "<$ARGV[0]" or die;
while (<LIST1>) {
/^(\S+)\s+(.*)$/;
$map{$1} = $2;
}
open LIST1, "<$ARGV[1]" or die;
while (<LIST1>) {
/^(\S+)\s+(.*)$/;
if (!defined $map{$1}) {
print STDERR "missing file: $2\n";
next;
}
print "$2\n";
print "$map{$1}\n";
}

View File

@ -106,11 +106,15 @@ networking.extraHosts =
''; '';
</programlisting> </programlisting>
The main difference is that preceding whitespace is The main difference is that it strips from each line
automatically stripped from each line, and that characters like a number of spaces equal to the minimal indentation of
the string as a whole (disregarding the indentation of
empty lines), and that characters like
<literal>"</literal> and <literal>\</literal> are not special <literal>"</literal> and <literal>\</literal> are not special
(making it more convenient for including things like shell (making it more convenient for including things like shell
code).</para> code).
See more info about this in the Nix manual <link
xlink:href="https://nixos.org/nix/manual/#ssec-values">here</link>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

View File

@ -74,6 +74,63 @@ let
</toc> </toc>
''; '';
manualXsltprocOptions = toString [
"--param section.autolabel 1"
"--param section.label.includes.component.label 1"
"--stringparam html.stylesheet style.css"
"--param xref.with.number.and.title 1"
"--param toc.section.depth 3"
"--stringparam admon.style ''"
"--stringparam callout.graphics.extension .gif"
"--stringparam current.docid manual"
"--param chunk.section.depth 0"
"--param chunk.first.sections 1"
"--param use.id.as.filename 1"
"--stringparam generate.toc 'book toc appendix toc'"
"--stringparam chunk.toc ${toc}"
];
olinkDB = stdenv.mkDerivation {
name = "manual-olinkdb";
inherit sources;
buildInputs = [ libxml2 libxslt ];
buildCommand = ''
${copySources}
xsltproc \
${manualXsltprocOptions} \
--stringparam collect.xref.targets only \
--stringparam targets.filename "$out/manual.db" \
--nonet --xinclude \
${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl \
./manual.xml
# Check the validity of the man pages sources.
xmllint --noout --nonet --xinclude --noxincludenode \
--relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
./man-pages.xml
cat > "$out/olinkdb.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE targetset SYSTEM
"file://${docbook5_xsl}/xml/xsl/docbook/common/targetdatabase.dtd" [
<!ENTITY manualtargets SYSTEM "file://$out/manual.db">
]>
<targetset>
<targetsetinfo>
Allows for cross-referencing olinks between the manpages
and the HTML/PDF manuals.
</targetsetinfo>
<document targetdoc="manual">&manualtargets;</document>
</targetset>
EOF
'';
};
in rec { in rec {
# The NixOS options in JSON format. # The NixOS options in JSON format.
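Review bot: The `xmllint --noout --nonet --xinclude --noxincludenode --relaxng ... ./man-pages.xml` step inside the new `olinkDB` buildCommand duplicates the validation that the man-pages derivation later in this file already runs. Because the HTML and PDF manuals now take `target.database.document` from `${olinkDB}`, a man-page validation error will also break those builds. Either drop the check from `olinkDB` or extend the comment above it to say why the target database needs validated man-page sources.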
@ -116,18 +173,8 @@ in rec {
dst=$out/share/doc/nixos dst=$out/share/doc/nixos
mkdir -p $dst mkdir -p $dst
xsltproc \ xsltproc \
--param section.autolabel 1 \ ${manualXsltprocOptions} \
--param section.label.includes.component.label 1 \ --stringparam target.database.document "${olinkDB}/olinkdb.xml" \
--stringparam html.stylesheet style.css \
--param xref.with.number.and.title 1 \
--param toc.section.depth 3 \
--stringparam admon.style "" \
--stringparam callout.graphics.extension .gif \
--param chunk.section.depth 0 \
--param chunk.first.sections 1 \
--param use.id.as.filename 1 \
--stringparam generate.toc "book toc appendix toc" \
--stringparam chunk.toc ${toc} \
--nonet --xinclude --output $dst/ \ --nonet --xinclude --output $dst/ \
${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl ./manual.xml ${docbook5_xsl}/xml/xsl/docbook/xhtml/chunktoc.xsl ./manual.xml
@ -159,6 +206,7 @@ in rec {
dst=$out/share/doc/nixos dst=$out/share/doc/nixos
mkdir -p $dst mkdir -p $dst
xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \ xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \
-P target.database.document="${olinkDB}/olinkdb.xml" \
-P doc.collab.show=0 \ -P doc.collab.show=0 \
-P latex.output.revhistory=0 -P latex.output.revhistory=0
@ -178,7 +226,7 @@ in rec {
buildCommand = '' buildCommand = ''
${copySources} ${copySources}
# Check the validity of the manual sources. # Check the validity of the man pages sources.
xmllint --noout --nonet --xinclude --noxincludenode \ xmllint --noout --nonet --xinclude --noxincludenode \
--relaxng ${docbook5}/xml/rng/docbook/docbook.rng \ --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
./man-pages.xml ./man-pages.xml
@ -190,6 +238,7 @@ in rec {
--param man.output.base.dir "'$out/share/man/'" \ --param man.output.base.dir "'$out/share/man/'" \
--param man.endnotes.are.numbered 0 \ --param man.endnotes.are.numbered 0 \
--param man.break.after.slash 1 \ --param man.break.after.slash 1 \
--stringparam target.database.document "${olinkDB}/olinkdb.xml" \
${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \ ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
./man-pages.xml ./man-pages.xml
''; '';

View File

@ -11,35 +11,25 @@ uses the NixOS and Nixpkgs sources provided by the
<literal>nixos-unstable</literal> channel (kept in <literal>nixos-unstable</literal> channel (kept in
<filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>). <filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>).
To modify NixOS, however, you should check out the latest sources from To modify NixOS, however, you should check out the latest sources from
Git. This is done using the following command: Git. This is as follows:
<screen> <screen>
$ nixos-checkout <replaceable>/my/sources</replaceable>
</screen>
or
<screen>
$ mkdir -p <replaceable>/my/sources</replaceable>
$ cd <replaceable>/my/sources</replaceable>
$ nix-env -i git
$ git clone git://github.com/NixOS/nixpkgs.git $ git clone git://github.com/NixOS/nixpkgs.git
$ cd nixpkgs $ cd nixpkgs
$ git remote add channels git://github.com/NixOS/nixpkgs-channels.git $ git remote add channels git://github.com/NixOS/nixpkgs-channels.git
$ git remote update channels $ git remote update channels
</screen> </screen>
This will check out the latest NixOS sources to This will check out the latest Nixpkgs sources to
<filename><replaceable>/my/sources</replaceable>/nixpkgs/nixos</filename> <filename>./nixpkgs</filename> the NixOS sources to
and the Nixpkgs sources to <filename>./nixpkgs/nixos</filename>. (The NixOS source tree lives in
<filename><replaceable>/my/sources</replaceable>/nixpkgs</filename>. a subdirectory of the Nixpkgs repository.) The remote
(The NixOS source tree lives in a subdirectory of the Nixpkgs <literal>channels</literal> refers to a read-only repository that
repository.) The remote <literal>channels</literal> refers to a tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
read-only repository that tracks the Nixpkgs/NixOS channels (see <xref for more information about channels). Thus, the Git branch
linkend="sec-upgrading"/> for more information about channels). Thus, <literal>channels/nixos-14.12</literal> will contain the latest built
the Git branch <literal>channels/nixos-14.12</literal> will contain and tested version available in the <literal>nixos-14.12</literal>
the latest built and tested version available in the channel.</para>
<literal>nixos-14.12</literal> channel.</para>
<para>Its often inconvenient to develop directly on the master <para>Its often inconvenient to develop directly on the master
branch, since if somebody has just committed (say) a change to GCC, branch, since if somebody has just committed (say) a change to GCC,
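Review bot: The clone commands kept in this screen block (`git clone git://github.com/NixOS/nixpkgs.git` and the `channels` remote) use the git:// transport, which provides neither server authentication nor encryption, so the sources a reader goes on to build NixOS from are fetched without any integrity protection in transit. Since the paragraph is being rewritten anyway, switch both URLs to their https:// equivalents. Two wording slips in the new text as well: "This is as follows" should read "This is done as follows", and "the latest Nixpkgs sources to ./nixpkgs the NixOS sources to ./nixpkgs/nixos" is missing an "and".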

View File

@ -0,0 +1,48 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-booting-from-pxe">
<title>Booting from the <quote>netboot</quote> media (PXE)</title>
<para>
Advanced users may wish to install NixOS using an existing PXE or
iPXE setup.
</para>
<para>
These instructions assume that you have an existing PXE or iPXE
infrastructure and simply want to add the NixOS installer as another
option. To build the necessary files from a recent version of
nixpkgs, you can run:
</para>
<programlisting>
nix-build -A netboot nixos/release.nix
</programlisting>
<para>
This will create a <literal>result</literal> directory containing: *
<literal>bzImage</literal> the Linux kernel *
<literal>initrd</literal> the initrd file *
<literal>netboot.ipxe</literal> an example ipxe script
demonstrating the appropriate kernel command line arguments for this
image
</para>
<para>
If youre using plain PXE, configure your boot loader to use the
<literal>bzImage</literal> and <literal>initrd</literal> files and
have it provide the same kernel command line arguments found in
<literal>netboot.ipxe</literal>.
</para>
<para>
If youre using iPXE, depending on how your HTTP/FTP/etc. server is
configured you may be able to use <literal>netboot.ipxe</literal>
unmodified, or you may need to update the paths to the files to
match your servers directory layout
</para>
<para>
In the future we may begin making these files available as build
products from hydra at which point we will update this documentation
with instructions on how to obtain them either for placing on a
dedicated TFTP server or to boot them directly over the internet.
</para>
</section>
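Review bot: The paragraph after the programlisting carries a Markdown-style bullet list inside a single <para> ("* bzImage the Linux kernel * initrd the initrd file * netboot.ipxe ..."), which DocBook will render as one run-on sentence with literal asterisks. Use an <itemizedlist> with one <listitem> per file. The iPXE paragraph also ends without a period after "directory layout".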

View File

@ -270,5 +270,6 @@ $ reboot</screen>
<xi:include href="installing-uefi.xml" /> <xi:include href="installing-uefi.xml" />
<xi:include href="installing-usb.xml" /> <xi:include href="installing-usb.xml" />
<xi:include href="installing-pxe.xml" />
</chapter> </chapter>

View File

@ -9,6 +9,7 @@
<para>This section lists the release notes for each stable version of NixOS <para>This section lists the release notes for each stable version of NixOS
and current unstable revision.</para> and current unstable revision.</para>
<xi:include href="rl-1609.xml" />
<xi:include href="rl-1603.xml" /> <xi:include href="rl-1603.xml" />
<xi:include href="rl-1509.xml" /> <xi:include href="rl-1509.xml" />
<xi:include href="rl-1412.xml" /> <xi:include href="rl-1412.xml" />

View File

@ -0,0 +1,48 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-16.09">
<title>Release 16.09 (“Flounder”, 2016/09/??)</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
<itemizedlist>
<listitem>
<para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
</itemizedlist>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>todo</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem>
<para>todo</para>
</listitem>
</itemizedlist>
</section>

View File

@ -81,14 +81,14 @@ pkgs.vmTools.runInLinuxVM (
# Register the paths in the Nix database. # Register the paths in the Nix database.
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
# Add missing size/hash fields to the database. FIXME: # Add missing size/hash fields to the database. FIXME:
# exportReferencesGraph should provide these directly. # exportReferencesGraph should provide these directly.
chroot /mnt ${config.nix.package}/bin/nix-store --verify --check-contents chroot /mnt ${config.nix.package.out}/bin/nix-store --verify --check-contents
# Create the system profile to allow nixos-rebuild to work. # Create the system profile to allow nixos-rebuild to work.
chroot /mnt ${config.nix.package}/bin/nix-env --option build-users-group "" \ chroot /mnt ${config.nix.package.out}/bin/nix-env --option build-users-group "" \
-p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
# `nixos-rebuild' requires an /etc/NIXOS. # `nixos-rebuild' requires an /etc/NIXOS.

View File

@ -134,7 +134,7 @@ in {
} }
(mkIf cfg.enable { (mkIf cfg.enable {
environment.systemPackages = [ cfg.package.out ]; environment.systemPackages = [ cfg.package ];
environment.etc = singleton { environment.etc = singleton {
target = "asound.conf"; target = "asound.conf";
@ -158,7 +158,7 @@ in {
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
serviceConfig = { serviceConfig = {
Type = "notify"; Type = "notify";
ExecStart = "${cfg.package}/bin/pulseaudio --daemonize=no"; ExecStart = "${cfg.package.out}/bin/pulseaudio --daemonize=no";
Restart = "on-failure"; Restart = "on-failure";
}; };
}; };

View File

@ -22,7 +22,11 @@ with lib;
###### implementation ###### implementation
config = mkIf config.hardware.enableAllFirmware { config = mkIf config.hardware.enableAllFirmware {
hardware.firmware = [ pkgs.firmwareLinuxNonfree pkgs.intel2200BGFirmware ]; hardware.firmware = with pkgs; [
firmwareLinuxNonfree
intel2200BGFirmware
rtl8723bs-firmware
];
}; };
} }

View File

@ -31,13 +31,13 @@ in
# unload module during suspend/hibernate as it crashes the whole system # unload module during suspend/hibernate as it crashes the whole system
powerManagement.powerDownCommands = '' powerManagement.powerDownCommands = ''
${pkgs.module_init_tools}/bin/rmmod -f facetimehd ${pkgs.kmod}/bin/lsmod | ${pkgs.gnugrep}/bin/grep -q "^facetimehd" && ${pkgs.kmod}/bin/rmmod -f -v facetimehd
''; '';
# and load it back on resume # and load it back on resume
powerManagement.resumeCommands = '' powerManagement.resumeCommands = ''
export MODULE_DIR=/run/current-system/kernel-modules/lib/modules export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
${pkgs.module_init_tools}/bin/modprobe -v facetimehd ${pkgs.kmod}/bin/modprobe -v facetimehd
''; '';
}; };
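Review bot: In `powerDownCommands`, the new guard `lsmod | grep -q "^facetimehd" && rmmod -f -v facetimehd` leaves a non-zero exit status whenever the module is not loaded, and it is the last command of the snippet, so a caller that checks the status or runs under `set -e` would treat an ordinary suspend as a failure. Wrap it in `if ...; then ...; fi` or append `|| true`. The pattern `^facetimehd` also matches any module whose name merely starts with that string; `"^facetimehd "` with a trailing space, or `grep -qw`, pins it to the exact module.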

View File

@ -34,7 +34,7 @@ in
if ! [ -e /var/lib/nixos/did-channel-init ]; then if ! [ -e /var/lib/nixos/did-channel-init ]; then
echo "unpacking the NixOS/Nixpkgs sources..." echo "unpacking the NixOS/Nixpkgs sources..."
mkdir -p /nix/var/nix/profiles/per-user/root mkdir -p /nix/var/nix/profiles/per-user/root
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \ ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/per-user/root/channels \
-i ${channelSources} --quiet --option build-use-substitutes false -i ${channelSources} --quiet --option build-use-substitutes false
mkdir -m 0700 -p /root/.nix-defexpr mkdir -m 0700 -p /root/.nix-defexpr
ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels ln -s /nix/var/nix/profiles/per-user/root/channels /root/.nix-defexpr/channels

View File

@ -364,12 +364,12 @@ in
'' ''
# After booting, register the contents of the Nix store on the # After booting, register the contents of the Nix store on the
# CD in the Nix database in the tmpfs. # CD in the Nix database in the tmpfs.
${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration ${config.nix.package.out}/bin/nix-store --load-db < /nix/store/nix-path-registration
# nixos-rebuild also requires a "system" profile and an # nixos-rebuild also requires a "system" profile and an
# /etc/NIXOS tag. # /etc/NIXOS tag.
touch /etc/NIXOS touch /etc/NIXOS
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
''; '';
# Add vfat support to the initrd to enable people to copy the # Add vfat support to the initrd to enable people to copy the

View File

@ -113,11 +113,11 @@ in
${pkgs.e2fsprogs}/bin/resize2fs $rootPart ${pkgs.e2fsprogs}/bin/resize2fs $rootPart
# Register the contents of the initial Nix store # Register the contents of the initial Nix store
${config.nix.package}/bin/nix-store --load-db < /nix-path-registration ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration
# nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag. # nixos-rebuild also requires a "system" profile and an /etc/NIXOS tag.
touch /etc/NIXOS touch /etc/NIXOS
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
# Prevents this from running on later boots. # Prevents this from running on later boots.
rm -f /nix-path-registration rm -f /nix-path-registration

View File

@ -52,8 +52,7 @@ in
# Include some utilities that are useful for installing or repairing # Include some utilities that are useful for installing or repairing
# the system. # the system.
environment.systemPackages = environment.systemPackages =
[ pkgs.subversion # for nixos-checkout [ pkgs.w3m # needed for the manual anyway
pkgs.w3m # needed for the manual anyway
pkgs.testdisk # useful for repairing boot problems pkgs.testdisk # useful for repairing boot problems
pkgs.mssys # for writing Microsoft boot sectors / MBRs pkgs.mssys # for writing Microsoft boot sectors / MBRs
pkgs.parted pkgs.parted

View File

@ -49,8 +49,7 @@ in
# Include some utilities that are useful for installing or repairing # Include some utilities that are useful for installing or repairing
# the system. # the system.
environment.systemPackages = environment.systemPackages =
[ pkgs.subversion # for nixos-checkout [ pkgs.w3m # needed for the manual anyway
pkgs.w3m # needed for the manual anyway
pkgs.ddrescue pkgs.ddrescue
pkgs.ccrypt pkgs.ccrypt
pkgs.cryptsetup # needed for dm-crypt volumes pkgs.cryptsetup # needed for dm-crypt volumes

View File

@ -78,14 +78,14 @@ in
# After booting, register the contents of the Nix store on the # After booting, register the contents of the Nix store on the
# CD in the Nix database in the tmpfs. # CD in the Nix database in the tmpfs.
if [ -f /nix-path-registration ]; then if [ -f /nix-path-registration ]; then
${config.nix.package}/bin/nix-store --load-db < /nix-path-registration && ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
rm /nix-path-registration rm /nix-path-registration
fi fi
# nixos-rebuild also requires a "system" profile and an # nixos-rebuild also requires a "system" profile and an
# /etc/NIXOS tag. # /etc/NIXOS tag.
touch /etc/NIXOS touch /etc/NIXOS
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
''; '';
}; };

View File

@ -0,0 +1,20 @@
# This module contains the basic configuration for building netboot
# images
{ config, lib, pkgs, ... }:
with lib;
{
imports =
[ ./netboot.nix
# Profiles of this basic netboot media
../../profiles/all-hardware.nix
../../profiles/base.nix
../../profiles/installation-device.nix
];
# Allow the user to log in as root without a password.
users.extraUsers.root.initialHashedPassword = "";
}
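Review bot: `users.extraUsers.root.initialHashedPassword = "";` at the end of this module gives every machine booted from the image a root account with an empty password, and unlike CD or USB media a netboot image is by design started on machines that are attached to a network. The comment should say that this is intended for installer media only, and the new PXE section of the manual added in this commit should mention it, so that operators know to set a root password or restrict network logins before the booted system is reachable by others.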

View File

@ -0,0 +1,10 @@
# This module defines a small netboot environment.
{ config, lib, ... }:
{
imports =
[ ./netboot-base.nix
../../profiles/minimal.nix
];
}

View File

@ -0,0 +1,91 @@
# This module creates netboot media containing the given NixOS
# configuration.
{ config, lib, pkgs, ... }:
with lib;
{
options = {
netboot.storeContents = mkOption {
example = literalExample "[ pkgs.stdenv ]";
description = ''
This option lists additional derivations to be included in the
Nix store in the generated netboot image.
'';
};
};
config = {
boot.loader.grub.version = 2;
# Don't build the GRUB menu builder script, since we don't need it
# here and it causes a cyclic dependency.
boot.loader.grub.enable = false;
boot.initrd.postMountCommands = ''
mkdir -p /mnt-root/nix/store
mount -t squashfs /nix-store.squashfs /mnt-root/nix/store
'';
# !!! Hack - attributes expected by other modules.
system.boot.loader.kernelFile = "bzImage";
environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi pkgs.syslinux ];
boot.consoleLogLevel = mkDefault 7;
fileSystems."/" =
{ fsType = "tmpfs";
options = [ "mode=0755" ];
};
boot.initrd.availableKernelModules = [ "squashfs" ];
boot.initrd.kernelModules = [ "loop" ];
# Closures to be copied to the Nix store, namely the init
# script and the top-level system configuration directory.
netboot.storeContents =
[ config.system.build.toplevel ];
# Create the squashfs image that contains the Nix store.
system.build.squashfsStore = import ../../../lib/make-squashfs.nix {
inherit (pkgs) stdenv squashfsTools perl pathsFromGraph;
storeContents = config.netboot.storeContents;
};
# Create the initrd
system.build.netbootRamdisk = pkgs.makeInitrd {
inherit (config.boot.initrd) compressor;
prepend = [ "${config.system.build.initialRamdisk}/initrd" ];
contents =
[ { object = config.system.build.squashfsStore;
symlink = "/nix-store.squashfs";
}
];
};
system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" "#!ipxe\nkernel bzImage init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}\ninitrd initrd\nboot";
boot.loader.timeout = 10;
boot.postBootCommands =
''
# After booting, register the contents of the Nix store
# in the Nix database in the tmpfs.
${config.nix.package}/bin/nix-store --load-db < /nix/store/nix-path-registration
# nixos-rebuild also requires a "system" profile and an
# /etc/NIXOS tag.
touch /etc/NIXOS
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
'';
};
}
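Review bot: `boot.postBootCommands` at the end of this new module calls `${config.nix.package}/bin/nix-store` and `${config.nix.package}/bin/nix-env`, while every existing image module touched by this commit is changed to `${config.nix.package.out}/bin/...`. With a multiple-output Nix package the unsuffixed form may not refer to the output that holds the binaries, so use `.out` here as well. Separately, `netboot.storeContents` is declared with `mkOption` but without a `type`, so a malformed value is only caught when make-squashfs.nix consumes it; declaring a list type (for example `types.listOf types.package`) would catch it at evaluation time.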

View File

@ -78,7 +78,7 @@ let cfg = config.system.autoUpgrade; in
HOME = "/root"; HOME = "/root";
}; };
path = [ pkgs.gnutar pkgs.xz.bin config.nix.package ]; path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ];
script = '' script = ''
${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch ${toString cfg.flags} ${config.system.build.nixos-rebuild}/bin/nixos-rebuild switch ${toString cfg.flags}

View File

@ -1,60 +0,0 @@
# This module generates the nixos-checkout script, which performs a
# checkout of the Nixpkgs Git repository.
{ config, lib, pkgs, ... }:
with lib;
let
nixosCheckout = pkgs.substituteAll {
name = "nixos-checkout";
dir = "bin";
isExecutable = true;
src = pkgs.writeScript "nixos-checkout"
''
#! ${pkgs.stdenv.shell} -e
if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
echo "Usage: `basename $0` [PREFIX]. See NixOS Manual for more info."
exit 0
fi
prefix="$1"
if [ -z "$prefix" ]; then prefix=/etc/nixos; fi
mkdir -p "$prefix"
cd "$prefix"
if [ -z "$(type -P git)" ]; then
echo "installing Git..."
nix-env -iA nixos.git
fi
# Move any old nixpkgs directories out of the way.
backupTimestamp=$(date "+%Y%m%d%H%M%S")
if [ -e nixpkgs -a ! -e nixpkgs/.git ]; then
mv nixpkgs nixpkgs-$backupTimestamp
fi
# Check out the Nixpkgs sources.
if ! [ -e nixpkgs/.git ]; then
echo "Creating repository in $prefix/nixpkgs..."
git init --quiet nixpkgs
else
echo "Updating repository in $prefix/nixpkgs..."
fi
cd nixpkgs
git remote add origin git://github.com/NixOS/nixpkgs.git || true
git remote add channels git://github.com/NixOS/nixpkgs-channels.git || true
git remote set-url origin --push git@github.com:NixOS/nixpkgs.git
git remote update
git checkout master
'';
};
in
{
environment.systemPackages = [ nixosCheckout ];
}

View File

@ -271,7 +271,7 @@ remotePATH=
if [ -n "$buildNix" ]; then if [ -n "$buildNix" ]; then
echo "building Nix..." >&2 echo "building Nix..." >&2
nixDrv= nixDrv=
if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package "${extraBuildFlags[@]}")"; then if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then
if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
nixStorePath="$(prebuiltNix "$(uname -m)")" nixStorePath="$(prebuiltNix "$(uname -m)")"

View File

@ -22,17 +22,17 @@ let
src = ./nixos-install.sh; src = ./nixos-install.sh;
inherit (pkgs) perl pathsFromGraph; inherit (pkgs) perl pathsFromGraph;
nix = config.nix.package; nix = config.nix.package.out;
nixClosure = pkgs.runCommand "closure" nixClosure = pkgs.runCommand "closure"
{ exportReferencesGraph = ["refs" config.nix.package]; } { exportReferencesGraph = ["refs" config.nix.package.out]; }
"cp refs $out"; "cp refs $out";
}; };
nixos-rebuild = makeProg { nixos-rebuild = makeProg {
name = "nixos-rebuild"; name = "nixos-rebuild";
src = ./nixos-rebuild.sh; src = ./nixos-rebuild.sh;
nix = config.nix.package; nix = config.nix.package.out;
}; };
nixos-generate-config = makeProg { nixos-generate-config = makeProg {

View File

@ -263,6 +263,8 @@
caddy = 239; caddy = 239;
taskd = 240; taskd = 240;
factorio = 241; factorio = 241;
emby = 242;
graylog = 243;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -497,6 +499,7 @@
caddy = 239; caddy = 239;
taskd = 240; taskd = 240;
factorio = 241; factorio = 241;
emby = 242;
# When adding a gid, make sure it doesn't match an existing # When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal # uid. Users and groups with the same name should have equal
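Review bot: The uid hunk above adds `graylog = 243;`, but this gid hunk adds only `emby = 242;`, so gid 243 stays unreserved and the next service to claim it would collide with the graylog uid. The comments at the end of both hunks ask for exactly the opposite ("make sure it doesn't match an existing uid" / "an existing gid"). Add `graylog = 243;` to the gid table, or leave a commented placeholder that reserves the number.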

View File

@ -47,7 +47,6 @@
./i18n/input-method/nabi.nix ./i18n/input-method/nabi.nix
./i18n/input-method/uim.nix ./i18n/input-method/uim.nix
./installer/tools/auto-upgrade.nix ./installer/tools/auto-upgrade.nix
./installer/tools/nixos-checkout.nix
./installer/tools/tools.nix ./installer/tools/tools.nix
./misc/assertions.nix ./misc/assertions.nix
./misc/crashdump.nix ./misc/crashdump.nix
@ -159,6 +158,7 @@
./services/desktops/gnome3/tracker.nix ./services/desktops/gnome3/tracker.nix
./services/desktops/profile-sync-daemon.nix ./services/desktops/profile-sync-daemon.nix
./services/desktops/telepathy.nix ./services/desktops/telepathy.nix
./services/development/hoogle.nix
./services/games/factorio.nix ./services/games/factorio.nix
./services/games/ghost-one.nix ./services/games/ghost-one.nix
./services/games/minecraft-server.nix ./services/games/minecraft-server.nix
@ -183,6 +183,7 @@
./services/hardware/thermald.nix ./services/hardware/thermald.nix
./services/logging/awstats.nix ./services/logging/awstats.nix
./services/logging/fluentd.nix ./services/logging/fluentd.nix
./services/logging/graylog.nix
./services/logging/klogd.nix ./services/logging/klogd.nix
./services/logging/logcheck.nix ./services/logging/logcheck.nix
./services/logging/logrotate.nix ./services/logging/logrotate.nix
@ -216,6 +217,7 @@
./services/misc/dictd.nix ./services/misc/dictd.nix
./services/misc/disnix.nix ./services/misc/disnix.nix
./services/misc/docker-registry.nix ./services/misc/docker-registry.nix
./services/misc/emby.nix
./services/misc/etcd.nix ./services/misc/etcd.nix
./services/misc/felix.nix ./services/misc/felix.nix
./services/misc/folding-at-home.nix ./services/misc/folding-at-home.nix
@ -337,6 +339,7 @@
./services/networking/kippo.nix ./services/networking/kippo.nix
./services/networking/lambdabot.nix ./services/networking/lambdabot.nix
./services/networking/libreswan.nix ./services/networking/libreswan.nix
./services/networking/logmein-hamachi.nix
./services/networking/mailpile.nix ./services/networking/mailpile.nix
./services/networking/mfi.nix ./services/networking/mfi.nix
./services/networking/mjpg-streamer.nix ./services/networking/mjpg-streamer.nix
@ -400,6 +403,7 @@
./services/networking/wicd.nix ./services/networking/wicd.nix
./services/networking/wpa_supplicant.nix ./services/networking/wpa_supplicant.nix
./services/networking/xinetd.nix ./services/networking/xinetd.nix
./services/networking/zerobin.nix
./services/networking/zerotierone.nix ./services/networking/zerotierone.nix
./services/networking/znc.nix ./services/networking/znc.nix
./services/printing/cupsd.nix ./services/printing/cupsd.nix

View File

@ -37,12 +37,12 @@ in {
# After booting, register the contents of the Nix store in the Nix # After booting, register the contents of the Nix store in the Nix
# database. # database.
if [ -f /nix-path-registration ]; then if [ -f /nix-path-registration ]; then
${config.nix.package}/bin/nix-store --load-db < /nix-path-registration && ${config.nix.package.out}/bin/nix-store --load-db < /nix-path-registration &&
rm /nix-path-registration rm /nix-path-registration
fi fi
# nixos-rebuild also requires a "system" profile # nixos-rebuild also requires a "system" profile
${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system ${config.nix.package.out}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
''; '';
# Install new init script # Install new init script

View File

@ -68,6 +68,10 @@ with lib;
# proxy # proxy
(mkRenamedOptionModule [ "nix" "proxy" ] [ "networking" "proxy" "default" ]) (mkRenamedOptionModule [ "nix" "proxy" ] [ "networking" "proxy" "default" ])
# sandboxing
(mkRenamedOptionModule [ "nix" "useChroot" ] [ "nix" "useSandbox" ])
(mkRenamedOptionModule [ "nix" "chrootDirs" ] [ "nix" "sandboxPaths" ])
# KDE # KDE
(mkRenamedOptionModule [ "kde" "extraPackages" ] [ "environment" "systemPackages" ]) (mkRenamedOptionModule [ "kde" "extraPackages" ] [ "environment" "systemPackages" ])
(mkRenamedOptionModule [ "environment" "kdePackages" ] [ "environment" "systemPackages" ]) (mkRenamedOptionModule [ "environment" "kdePackages" ] [ "environment" "systemPackages" ])

View File

@ -194,6 +194,23 @@ in
''; '';
}; };
disableSimultConnect = mkOption {
type = types.bool;
default = false;
description = ''
Disable TCP simultaneous connect. The TCP simultaneous connect
feature allows two clients to connect without either of them
entering the listening state. This feature of the TCP specification
is claimed to enable an attacker to deny the target access to a given
server by guessing the source port the target would use to make the
connection.
This option is OFF by default because TCP simultaneous connect has
some legitimate uses. Enable this option if you know what this TCP
feature is for and know that you do not need it.
'';
};
verboseVersion = mkOption { verboseVersion = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
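Review bot: The new `disableSimultConnect` option is declared here, but nothing in this hunk shows where it is consumed, and the description does not name the kernel setting it controls. Please confirm the option is actually wired into the generated grsecurity kernel configuration, and name that setting in the description so that users can verify it took effect on a running system. The wording "is claimed to enable an attacker" would also be stronger with a pointer to the source of the claim.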
@ -234,7 +251,8 @@ in
systemd.services.grsec-lock = mkIf cfg.config.sysctl { systemd.services.grsec-lock = mkIf cfg.config.sysctl {
description = "grsecurity sysctl-lock Service"; description = "grsecurity sysctl-lock Service";
requires = [ "systemd-sysctl.service" ]; wants = [ "systemd-sysctl.service" ];
after = [ "systemd-sysctl.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = "yes"; serviceConfig.RemainAfterExit = "yes";
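
Review bot: Downgrading `requires` to `wants` on `grsec-lock` means the lock service still starts when `systemd-sysctl.service` fails, so the sysctl lock could be applied on top of settings that were never written. The added `after = [ "systemd-sysctl.service" ];` is the part that fixes ordering, since `requires` alone did not order the units. If starting the lock after a failed sysctl run is intended, say so in a comment; otherwise keep `requires` together with the new `after`.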

View File

@ -50,11 +50,8 @@ with lib;
ensureDir ${crashplan.vardir}/log 777 ensureDir ${crashplan.vardir}/log 777
cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf
for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do
if [ -e ${crashplan.vardir}/$x ]; then rm -f ${crashplan.vardir}/$x;
true; ln -sf ${crashplan}/$x ${crashplan.vardir}/$x;
else
ln -s ${crashplan}/$x ${crashplan.vardir}/$x;
fi;
done done
''; '';
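
Review bot: In the new loop body, `rm -f ${crashplan.vardir}/$x` cannot remove an entry that is a real directory (the list includes `bin`, `lang`, `lib`, `share`), and the following `ln -sf` would then create the link inside that directory instead of replacing it. Use `ln -sfn` (or `ln -sfT`) so the destination is never dereferenced, and quote the paths so a `vardir` containing spaces does not split.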

View File

@ -161,16 +161,8 @@ in {
''; '';
postStart = '' postStart = ''
until ${pkgs.curl.bin}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} ; do until ${pkgs.curl.bin}/bin/curl -s -L --fail --head http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} >/dev/null; do
sleep 10 sleep 2
done
while true ; do
index=`${pkgs.curl.bin}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}`
if [[ !("$index" =~ 'Please wait while Jenkins is restarting' ||
"$index" =~ 'Please wait while Jenkins is getting ready to work') ]]; then
exit 0
fi
sleep 30
done done
''; '';
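
Review bot: The rewritten `until ... curl --fail --head ...; do sleep 2; done` loop in `postStart` has no upper bound, so a Jenkins instance that never answers keeps `postStart` spinning until the unit's start timeout kills it, with nothing in the journal saying why. Add a retry limit with an explicit error message. The removed body check for 'Please wait while Jenkins is getting ready to work' is now replaced by `--fail` alone, so it is worth a comment stating that readiness depends on Jenkins returning an error status while it is still starting.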

View File

@ -242,7 +242,7 @@ in
if test -e "${cfg.dataDir}/.first_startup"; then if test -e "${cfg.dataDir}/.first_startup"; then
${optionalString (cfg.initialScript != null) '' ${optionalString (cfg.initialScript != null) ''
cat "${cfg.initialScript}" | psql --port=${toString cfg.port} postgres psql -f "${cfg.initialScript}" --port=${toString cfg.port} postgres
''} ''}
rm -f "${cfg.dataDir}/.first_startup" rm -f "${cfg.dataDir}/.first_startup"
fi fi
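
Review bot: `psql -f "${cfg.initialScript}"` keeps going after a failing statement and still exits 0, and the next line removes `.first_startup` regardless, so a half-applied initial script is never retried or reported. Pass `-v ON_ERROR_STOP=1` and only remove the marker file when psql succeeds.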

View File

@ -0,0 +1,70 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.hoogle;
hoogleEnv = pkgs.buildEnv {
name = "hoogle";
paths = [ (cfg.haskellPackages.ghcWithHoogle cfg.packages) ];
};
in {
options.services.hoogle = {
enable = mkEnableOption "Haskell documentation server";
port = mkOption {
type = types.int;
default = 8080;
description = ''
Port number Hoogle will be listening to.
'';
};
packages = mkOption {
default = hp: [];
defaultText = "hp: []";
example = "hp: with hp; [ text lens ]";
description = ''
The Haskell packages to generate documentation for.
The option value is a function that takes the package set specified in
the <varname>haskellPackages</varname> option as its sole parameter and
returns a list of packages.
'';
};
haskellPackages = mkOption {
description = "Which haskell package set to use.";
default = pkgs.haskellPackages;
defaultText = "pkgs.haskellPackages";
};
};
config = mkIf cfg.enable {
systemd.services.hoogle = {
description = "Haskell documentation server";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
ExecStart = ''${hoogleEnv}/bin/hoogle server --local -p ${toString cfg.port}'';
User = "nobody";
Group = "nogroup";
PrivateTmp = true;
ProtectHome = true;
RuntimeDirectory = "hoogle";
WorkingDirectory = "%t/hoogle";
};
};
};
}
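
Review bot: The service runs as `User = "nobody"` and `Group = "nogroup"`, an identity shared with every other unit that uses it, so anything hoogle writes or any process it runs is indistinguishable from those. Give the module a dedicated system user and group. The `port` option is also typed `types.int`, which accepts negative and out-of-range values, and there is no option for the listen address, so the description should at least state which interface the server binds to.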

View File

@ -0,0 +1,116 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.sane.brscan4;
netDeviceList = attrValues cfg.netDevices;
etcFiles = pkgs.callPackage ./brscan4_etc_files.nix { netDevices = netDeviceList; };
netDeviceOpts = { name, config, ... }: {
options = {
name = mkOption {
type = types.str;
description = ''
The friendly name you give to the network device. If undefined,
the name of attribute will be used.
'';
example = literalExample "office1";
};
model = mkOption {
type = types.str;
description = ''
The model of the network device.
'';
example = literalExample "MFC-7860DW";
};
ip = mkOption {
type = with types; nullOr str;
default = null;
description = ''
The ip address of the device. If undefined, you will have to
provide a nodename.
'';
example = literalExample "192.168.1.2";
};
nodename = mkOption {
type = with types; nullOr str;
default = null;
description = ''
The node name of the device. If undefined, you will have to
provide an ip.
'';
example = literalExample "BRW0080927AFBCE";
};
};
config =
{ name = mkDefault name;
};
};
in
{
options = {
hardware.sane.brscan4.enable =
mkEnableOption "Brother's brscan4 scan backend" // {
description = ''
When enabled, will automatically register the "brscan4" sane
backend and bring configuration files to their expected location.
'';
};
hardware.sane.brscan4.netDevices = mkOption {
default = {};
example =
{ office1 = { model = "MFC-7860DW"; ip = "192.168.1.2"; };
office2 = { model = "MFC-7860DW"; nodename = "BRW0080927AFBCE"; };
};
type = types.loaOf types.optionSet;
description = ''
The list of network devices that will be registered against the brscan4
sane backend.
'';
options = [ netDeviceOpts ];
};
};
config = mkIf (config.hardware.sane.enable && cfg.enable) {
hardware.sane.extraBackends = [
pkgs.brscan4
];
environment.etc = singleton {
target = "opt/brother/scanner/brscan4";
source = "${etcFiles}/etc/opt/brother/scanner/brscan4";
};
assertions = [
{ assertion = all (x: !(null != x.ip && null != x.nodename)) netDeviceList;
message = ''
When describing a network device as part of the attribute list
`hardware.sane.brscan4.netDevices`, only one of its `ip` or `nodename`
attribute should be specified, not both!
'';
}
];
};
}
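
Review bot: The assertion `all (x: !(null != x.ip && null != x.nodename)) netDeviceList` only rejects a device with both `ip` and `nodename` set. A device with neither passes, although both option descriptions say one of them has to be provided. Assert that exactly one of the two is non-null and adjust the message to match.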

View File

@ -0,0 +1,71 @@
{ stdenv, lib, brscan4, netDevices ? [] }:
/*
Testing
-------
No net devices:
~~~
nix-shell -E 'with import <nixpkgs> { }; brscan4-etc-files'
~~~
Two net devices:
~~~
nix-shell -E 'with import <nixpkgs> { }; brscan4-etc-files.override{netDevices=[{name="a"; model="MFC-7860DW"; nodename="BRW0080927AFBCE";} {name="b"; model="MFC-7860DW"; ip="192.168.1.2";}];}'
~~~
*/
with lib;
let
addNetDev = nd: ''
brsaneconfig4 -a \
name="${nd.name}" \
model="${nd.model}" \
${if (hasAttr "nodename" nd && nd.nodename != null) then
''nodename="${nd.nodename}"'' else
''ip="${nd.ip}"''}'';
addAllNetDev = xs: concatStringsSep "\n" (map addNetDev xs);
in
stdenv.mkDerivation rec {
name = "brscan4-etc-files-0.4.3-3";
src = "${brscan4}/opt/brother/scanner/brscan4";
nativeBuildInputs = [ brscan4 ];
configurePhase = ":";
buildPhase = ''
TARGET_DIR="$out/etc/opt/brother/scanner/brscan4"
mkdir -p "$TARGET_DIR"
cp -rp "./models4" "$TARGET_DIR"
cp -rp "./Brsane4.ini" "$TARGET_DIR"
cp -rp "./brsanenetdevice4.cfg" "$TARGET_DIR"
export BRSANENETDEVICE4_CFG_FILENAME="$TARGET_DIR/brsanenetdevice4.cfg"
printf '${addAllNetDev netDevices}\n'
${addAllNetDev netDevices}
'';
installPhase = ":";
dontStrip = true;
dontPatchELF = true;
meta = {
description = "Brother brscan4 sane backend driver etc files";
homepage = http://www.brother.com;
platforms = stdenv.lib.platforms.linux;
license = stdenv.lib.licenses.unfree;
maintainers = with stdenv.lib.maintainers; [ jraygauthier ];
};
}
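
Review bot: In `buildPhase`, `printf '${addAllNetDev netDevices}\n'` places the generated commands inside a single-quoted printf format string, so a device name containing `'` ends the quoting and a `%` is treated as a format directive. `addNetDev` also interpolates `nd.name`, `nd.model`, `nd.nodename` and `nd.ip` into double-quoted shell words without escaping. Pass the values through `lib.escapeShellArg` and print with `printf '%s\n'` and the text as an argument.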

View File

@ -0,0 +1,161 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.graylog;
configBool = b: if b then "true" else "false";
confFile = pkgs.writeText "graylog.conf" ''
is_master = ${configBool cfg.isMaster}
node_id_file = ${cfg.nodeIdFile}
password_secret = ${cfg.passwordSecret}
root_username = ${cfg.rootUsername}
root_password_sha2 = ${cfg.rootPasswordSha2}
elasticsearch_cluster_name = ${cfg.elasticsearchClusterName}
elasticsearch_discovery_zen_ping_multicast_enabled = ${configBool cfg.elasticsearchDiscoveryZenPingMulticastEnabled}
elasticsearch_discovery_zen_ping_unicast_hosts = ${cfg.elasticsearchDiscoveryZenPingUnicastHosts}
message_journal_dir = ${cfg.messageJournalDir}
mongodb_uri = ${cfg.mongodbUri}
${cfg.extraConfig}
'';
in
{
###### interface
options = {
services.graylog = {
enable = mkEnableOption "Graylog";
package = mkOption {
type = types.package;
default = pkgs.graylog;
defaultText = "pkgs.graylog";
example = literalExample "pkgs.graylog";
description = "Graylog package to use.";
};
user = mkOption {
type = types.str;
default = "graylog";
example = literalExample "graylog";
description = "User account under which graylog runs";
};
isMaster = mkOption {
type = types.bool;
default = true;
description = "Whether this is the master instance of your Graylog cluster";
};
nodeIdFile = mkOption {
type = types.str;
default = "/var/lib/graylog/server/node-id";
description = "Path of the file containing the graylog node-id";
};
passwordSecret = mkOption {
type = types.str;
description = ''
You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
Generate one by using for example: pwgen -N 1 -s 96
'';
};
rootUsername = mkOption {
type = types.str;
default = "admin";
description = "Name of the default administrator user";
};
rootPasswordSha2 = mkOption {
type = types.str;
example = "e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e952";
description = ''
You MUST specify a hash password for the root user (which you only need to initially set up the
system and in case you lose connectivity to your authentication backend)
This password cannot be changed using the API or via the web interface. If you need to change it,
modify it here.
Create one by using for example: echo -n yourpassword | shasum -a 256
and use the resulting hash value as string for the option
'';
};
elasticsearchClusterName = mkOption {
type = types.str;
example = "graylog";
description = "This must be the same as for your Elasticsearch cluster";
};
elasticsearchDiscoveryZenPingMulticastEnabled = mkOption {
type = types.bool;
default = false;
description = "Whether to use elasticsearch multicast discovery";
};
elasticsearchDiscoveryZenPingUnicastHosts = mkOption {
type = types.str;
default = "127.0.0.1:9300";
description = "Tells Graylogs Elasticsearch client how to find other cluster members. See Elasticsearch documentation for details";
};
messageJournalDir = mkOption {
type = types.str;
default = "/var/lib/graylog/data/journal";
description = "The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and must not contain any other files than the ones created by Graylog itself";
};
mongodbUri = mkOption {
type = types.str;
default = "mongodb://localhost/graylog";
description = "MongoDB connection string. See http://docs.mongodb.org/manual/reference/connection-string/ for details";
};
extraConfig = mkOption {
type = types.str;
default = "";
description = "Any other configuration options you might want to add";
};
};
};
###### implementation
config = mkIf cfg.enable {
users.extraUsers = mkIf (cfg.user == "graylog") {
graylog = {
uid = config.ids.uids.graylog;
description = "Graylog server daemon user";
};
};
systemd.services.graylog = with pkgs; {
description = "Graylog Server";
wantedBy = [ "multi-user.target" ];
environment = {
JAVA_HOME = jre;
GRAYLOG_CONF = "${confFile}";
};
path = [ pkgs.openjdk8 pkgs.which pkgs.procps ];
preStart = ''
mkdir -p /var/lib/graylog -m 755
chown -R ${cfg.user} /var/lib/graylog
mkdir -p ${cfg.messageJournalDir} -m 755
chown -R ${cfg.user} ${cfg.messageJournalDir}
'';
serviceConfig = {
User="${cfg.user}";
PermissionsStartOnly=true;
ExecStart = "${cfg.package}/bin/graylogctl run";
};
};
};
}
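
Review bot: `confFile` is built with `pkgs.writeText` and interpolates `cfg.passwordSecret` and `cfg.rootPasswordSha2` (and `cfg.mongodbUri`, which can carry credentials), so the pepper and the root password hash end up in a world-readable file in the Nix store. Take these values from a file outside the store and assemble the configuration at service start, or at minimum state the exposure in the option descriptions. Separately, `environment.JAVA_HOME = jre` and `path = [ pkgs.openjdk8 ... ]` name two different Java packages; pick one.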

View File

@ -11,7 +11,10 @@ let
rm $out/logcheck.* rm $out/logcheck.*
''; '';
rulesDir = pkgs.symlinkJoin "logcheck-rules-dir" ([ defaultRules ] ++ cfg.extraRulesDirs); rulesDir = pkgs.symlinkJoin
{ name = "logcheck-rules-dir";
paths = ([ defaultRules ] ++ cfg.extraRulesDirs);
};
configFile = pkgs.writeText "logcheck.conf" cfg.config; configFile = pkgs.writeText "logcheck.conf" cfg.config;

View File

@ -63,8 +63,10 @@ let
cfg.extraConfig cfg.extraConfig
]; ];
modulesDir = pkgs.symlinkJoin "dovecot-modules" modulesDir = pkgs.symlinkJoin {
(map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules)); name = "dovecot-modules";
paths = map (pkg: "${pkg}/lib/dovecot") ([ dovecotPkg ] ++ map (module: module.override { dovecot = dovecotPkg; }) cfg.modules);
};
in in
{ {

View File

@ -7,9 +7,14 @@ let
rspamdCfg = config.services.rspamd; rspamdCfg = config.services.rspamd;
cfg = config.services.rmilter; cfg = config.services.rmilter;
inetSockets = map (sock: let s = stringSplit ":" sock; in "inet:${last s}:${head s}") cfg.bindInetSockets;
unixSockets = map (sock: "unix:${sock}") cfg.bindUnixSockets;
allSockets = unixSockets ++ inetSockets;
rmilterConf = '' rmilterConf = ''
pidfile = /run/rmilter/rmilter.pid; pidfile = /run/rmilter/rmilter.pid;
bind_socket = ${cfg.bindSocket}; bind_socket = ${if cfg.socketActivation then "fd:3" else concatStringsSep ", " allSockets};
tempdir = /tmp; tempdir = /tmp;
'' + (with cfg.rspamd; if enable then '' '' + (with cfg.rspamd; if enable then ''
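
Review bot: `inetSockets` parses each entry with `stringSplit ":" sock` and takes `head` and `last`, which assumes exactly one colon. An IPv6 listener such as `[::1]:11990`, which the `bindInetSockets` description allows by pointing at the systemd.socket format, splits into more than two parts and yields a wrong host. Either restrict the documented format to `host:port` with an assertion or split on the last colon only.
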
@ -68,14 +73,37 @@ in
''; '';
}; };
bindSocket = mkOption { bindUnixSockets = mkOption {
type = types.string; type = types.listOf types.str;
default = "unix:/run/rmilter/rmilter.sock"; default = ["/run/rmilter.sock"];
description = "Socket to listed for MTA requests"; description = ''
Unix domain sockets to listen for MTA requests.
'';
example = '' example = ''
"unix:/run/rmilter/rmilter.sock" or [ "/run/rmilter.sock"]
"inet:11990@127.0.0.1" '';
''; };
bindInetSockets = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Inet addresses to listen (in format accepted by systemd.socket)
'';
example = ''
["127.0.0.1:11990"]
'';
};
socketActivation = mkOption {
type = types.bool;
default = true;
description = ''
Enable systemd socket activation for rmilter.
(disabling socket activation not recommended
when unix socket used, and follow to wrong
permissions on unix domain socket.)
'';
}; };
rspamd = { rspamd = {
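
Review bot: The default for `bindUnixSockets` moves the socket from `/run/rmilter/rmilter.sock` to `/run/rmilter.sock`. With `socketActivation = false` the daemon runs as `cfg.user` and has to create that socket itself, which it can do in its `RuntimeDirectory` but not directly under `/run`. Keep the default inside `/run/rmilter/`. The `socketActivation` description ("and follow to wrong permissions on unix domain socket") should also be reworded so it says plainly what goes wrong when activation is disabled.
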
@ -86,7 +114,7 @@ in
servers = mkOption { servers = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = ["r:0.0.0.0:11333"]; default = ["r:/run/rspamd.sock"];
description = '' description = ''
Spamd socket definitions. Spamd socket definitions.
Is server name is prefixed with r: it is rspamd server. Is server name is prefixed with r: it is rspamd server.
@ -129,7 +157,7 @@ in
type = types.str; type = types.str;
description = "Addon to postfix configuration"; description = "Addon to postfix configuration";
default = '' default = ''
smtpd_milters = ${cfg.bindSocket} smtpd_milters = ${head allSockets}
# or for TCP socket # or for TCP socket
# # smtpd_milters = inet:localhost:9900 # # smtpd_milters = inet:localhost:9900
milter_protocol = 6 milter_protocol = 6
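
Review bot: `smtpd_milters = ${head allSockets}` fails to evaluate when both socket lists are empty, and when only `bindInetSockets` is set it emits the `inet:${last s}:${head s}` form (port first), while the commented example two lines below uses `inet:localhost:9900` (host first). Build the Postfix value separately from the rmilter `bind_socket` value and guard the empty case.
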
@ -169,21 +197,30 @@ milter_default_action = accept
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}"; ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
ExecReload = "/bin/kill -USR1 $MAINPID";
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PermissionsStartOnly = true; PermissionsStartOnly = true;
Restart = "always"; Restart = "always";
RuntimeDirectory = "rmilter";
RuntimeDirectoryPermissions="0755";
}; };
preStart = ''
${pkgs.coreutils}/bin/mkdir -p /run/rmilter
${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /run/rmilter
'';
}; };
services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment; systemd.sockets.rmilter = mkIf cfg.socketActivation {
description = "Rmilter service socket";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.bindUnixSockets ++ cfg.bindInetSockets;
SocketUser = cfg.user;
SocketGroup = cfg.group;
SocketMode = "0660";
};
};
services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment;
users.users.postfix.extraGroups = [ cfg.group ];
}; };
} }
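
Review bot: `users.users.postfix.extraGroups = [ cfg.group ];` is applied whenever this config block is active, while the line above it is guarded by `cfg.postfix.enable`. That grants the postfix account access to the `SocketMode = "0660"` socket, and references a postfix user, on hosts that never asked for the Postfix integration. Put the group membership under the same `cfg.postfix.enable` condition.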

View File

@ -6,6 +6,35 @@ let
cfg = config.services.rspamd; cfg = config.services.rspamd;
mkBindSockets = socks: concatStringsSep "\n" (map (each: " bind_socket = \"${each}\"") socks);
rspamdConf =
''
.include "$CONFDIR/common.conf"
options {
pidfile = "$RUNDIR/rspamd.pid";
.include "$CONFDIR/options.inc"
}
logging {
type = "file";
filename = "$LOGDIR/rspamd.log";
.include "$CONFDIR/logging.inc"
}
worker {
${mkBindSockets cfg.bindSocket}
.include "$CONFDIR/worker-normal.inc"
}
worker {
${mkBindSockets cfg.bindUISocket}
.include "$CONFDIR/worker-controller.inc"
}
'';
rspamdConfFile = pkgs.writeText "rspamd.conf" rspamdConf;
in in
{ {
@ -26,6 +55,32 @@ in
description = "Whether to run the rspamd daemon in debug mode."; description = "Whether to run the rspamd daemon in debug mode.";
}; };
bindSocket = mkOption {
type = types.listOf types.str;
default = [
"/run/rspamd.sock mode=0666 owner=${cfg.user}"
];
description = ''
List of sockets to listen, in format acceptable by rspamd
'';
example = ''
bindSocket = [
"/run/rspamd.sock mode=0666 owner=rspamd"
"*:11333"
];
'';
};
bindUISocket = mkOption {
type = types.listOf types.str;
default = [
"localhost:11334"
];
description = ''
List of sockets for web interface, in format acceptable by rspamd
'';
};
user = mkOption { user = mkOption {
type = types.string; type = types.string;
default = "rspamd"; default = "rspamd";
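
Review bot: The `bindSocket` default `"/run/rspamd.sock mode=0666 owner=${cfg.user}"` makes the worker socket writable by every local account. Since the rmilter change in this same commit already puts the consumer into a dedicated group, default to `mode=0660` with a group owner and let users widen it explicitly. The example's `"*:11333"` listens on all interfaces; a description sentence saying so would help.
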
@ -62,7 +117,7 @@ in
users.extraGroups = singleton { users.extraGroups = singleton {
name = cfg.group; name = cfg.group;
gid = config.ids.gids.spamd; gid = config.ids.gids.rspamd;
}; };
systemd.services.rspamd = { systemd.services.rspamd = {
@ -72,7 +127,7 @@ in
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -f"; ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c ${rspamdConfFile} -f";
RuntimeDirectory = "/var/lib/rspamd"; RuntimeDirectory = "/var/lib/rspamd";
PermissionsStartOnly = true; PermissionsStartOnly = true;
Restart = "always"; Restart = "always";

View File

@ -0,0 +1,64 @@
{ config, pkgs, lib, mono, ... }:
with lib;
let
cfg = config.services.emby;
emby = pkgs.emby;
in
{
options = {
services.emby = {
enable = mkEnableOption "Emby Media Server";
user = mkOption {
type = types.str;
default = "emby";
description = "User account under which Emby runs.";
};
group = mkOption {
type = types.str;
default = "emby";
description = "Group under which emby runs.";
};
};
};
config = mkIf cfg.enable {
systemd.services.emby = {
description = "Emby Media Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
test -d /var/lib/emby/ProgramData-Server || {
echo "Creating initial Emby data directory in /var/lib/emby/ProgramData-Server"
mkdir -p /var/lib/emby/ProgramData-Server
chown -R ${cfg.user}:${cfg.group} /var/lib/emby/ProgramData-Server
}
'';
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
PermissionsStartOnly = "true";
ExecStart = "${pkgs.mono}/bin/mono ${pkgs.emby}/bin/MediaBrowser.Server.Mono.exe";
Restart = "on-failure";
};
};
users.extraUsers = mkIf (cfg.user == "emby") {
emby = {
group = cfg.group;
uid = config.ids.uids.emby;
};
};
users.extraGroups = mkIf (cfg.group == "emby") {
emby = {
gid = config.ids.gids.emby;
};
};
};
}
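
Review bot: The module head takes a `mono` argument and the `let` block binds `emby = pkgs.emby;`, but `ExecStart` uses `pkgs.mono` and `pkgs.emby` directly, so both names are unused and should be dropped. In `preStart`, the `chown -R ${cfg.user}:${cfg.group}` only runs when `/var/lib/emby/ProgramData-Server` does not exist yet, so changing `user` or `group` later leaves the data owned by the old account; run the chown unconditionally or document the limitation.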

View File

@ -6,7 +6,7 @@ let
cfg = config.nix; cfg = config.nix;
nix = cfg.package; nix = cfg.package.out;
makeNixBuildUser = nr: makeNixBuildUser = nr:
{ name = "nixbld${toString nr}"; { name = "nixbld${toString nr}";
@ -24,8 +24,8 @@ let
nixConf = nixConf =
let let
# If we're using a chroot for builds, then provide /bin/sh in # If we're using sandbox for builds, then provide /bin/sh in
# the chroot as a bind-mount to bash. This means we also need to # the sandbox as a bind-mount to bash. This means we also need to
# include the entire closure of bash. # include the entire closure of bash.
sh = pkgs.stdenv.shell; sh = pkgs.stdenv.shell;
binshDeps = pkgs.writeReferencesToFile sh; binshDeps = pkgs.writeReferencesToFile sh;
@ -39,8 +39,8 @@ let
build-users-group = nixbld build-users-group = nixbld
build-max-jobs = ${toString (cfg.maxJobs)} build-max-jobs = ${toString (cfg.maxJobs)}
build-cores = ${toString (cfg.buildCores)} build-cores = ${toString (cfg.buildCores)}
build-use-chroot = ${if (builtins.isBool cfg.useChroot) then (if cfg.useChroot then "true" else "false") else cfg.useChroot} build-use-sandbox = ${if (builtins.isBool cfg.useSandbox) then (if cfg.useSandbox then "true" else "false") else cfg.useSandbox}
build-chroot-dirs = ${toString cfg.chrootDirs} /bin/sh=${sh} $(echo $extraPaths) build-sandbox-paths = ${toString cfg.sandboxPaths} /bin/sh=${sh} $(echo $extraPaths)
binary-caches = ${toString cfg.binaryCaches} binary-caches = ${toString cfg.binaryCaches}
trusted-binary-caches = ${toString cfg.trustedBinaryCaches} trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys} binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
@ -65,8 +65,8 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = pkgs.nix.out; default = pkgs.nix;
defaultText = "pkgs.nix.out"; defaultText = "pkgs.nix";
description = '' description = ''
This option specifies the Nix package instance to use throughout the system. This option specifies the Nix package instance to use throughout the system.
''; '';
@ -98,25 +98,25 @@ in
''; '';
}; };
useChroot = mkOption { useSandbox = mkOption {
type = types.either types.bool (types.enum ["relaxed"]); type = types.either types.bool (types.enum ["relaxed"]);
default = false; default = false;
description = " description = "
If set, Nix will perform builds in a chroot-environment that it If set, Nix will perform builds in a sandboxed environment that it
will set up automatically for each build. This prevents will set up automatically for each build. This prevents
impurities in builds by disallowing access to dependencies impurities in builds by disallowing access to dependencies
outside of the Nix store. outside of the Nix store.
"; ";
}; };
chrootDirs = mkOption { sandboxPaths = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];
example = [ "/dev" "/proc" ]; example = [ "/dev" "/proc" ];
description = description =
'' ''
Directories from the host filesystem to be included Directories from the host filesystem to be included
in the chroot. in the sandbox.
''; '';
}; };

View File

@ -52,7 +52,7 @@ in
systemd.services.nix-gc = systemd.services.nix-gc =
{ description = "Nix Garbage Collector"; { description = "Nix Garbage Collector";
script = "exec ${config.nix.package}/bin/nix-collect-garbage ${cfg.options}"; script = "exec ${config.nix.package.out}/bin/nix-collect-garbage ${cfg.options}";
startAt = optionalString cfg.automatic cfg.dates; startAt = optionalString cfg.automatic cfg.dates;
}; };

View File

@ -41,7 +41,7 @@ with lib;
PermitTTY no PermitTTY no
PermitTunnel no PermitTunnel no
X11Forwarding no X11Forwarding no
ForceCommand ${config.nix.package}/bin/nix-store --serve ForceCommand ${config.nix.package.out}/bin/nix-store --serve
Match All Match All
''; '';

View File

@ -449,7 +449,7 @@ in {
}; };
}; };
}) })
(mkIf needToCreateCA { (mkIf (cfg.enable && needToCreateCA) {
systemd.services.taskserver-ca = { systemd.services.taskserver-ca = {
wantedBy = [ "taskserver.service" ]; wantedBy = [ "taskserver.service" ];
after = [ "taskserver-init.service" ]; after = [ "taskserver-init.service" ];
@ -533,7 +533,7 @@ in {
''; '';
}; };
}) })
(mkIf (cfg.listenHost != "localhost") { (mkIf (cfg.enable && cfg.listenHost != "localhost") {
networking.firewall.allowedTCPPorts = [ cfg.listenPort ]; networking.firewall.allowedTCPPorts = [ cfg.listenPort ];
}) })
{ meta.doc = ./taskserver.xml; } { meta.doc = ./taskserver.xml; }

View File

@ -80,7 +80,7 @@ in
preStart = '' preStart = ''
mkdir -p -m 0755 /afs mkdir -p -m 0755 /afs
mkdir -m 0700 -p ${cfg.cacheDirectory} mkdir -m 0700 -p ${cfg.cacheDirectory}
${pkgs.module_init_tools}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true ${pkgs.kmod}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true
${openafsPkgs}/sbin/afsd -confdir ${afsConfig} -cachedir ${cfg.cacheDirectory} ${if cfg.sparse then "-dynroot-sparse" else "-dynroot"} -fakestat -afsdb ${openafsPkgs}/sbin/afsd -confdir ${afsConfig} -cachedir ${cfg.cacheDirectory} ${if cfg.sparse then "-dynroot-sparse" else "-dynroot"} -fakestat -afsdb
${openafsPkgs}/bin/fs setcrypt ${if cfg.crypt then "on" else "off"} ${openafsPkgs}/bin/fs setcrypt ${if cfg.crypt then "on" else "off"}
''; '';
@ -92,7 +92,7 @@ in
preStop = '' preStop = ''
${pkgs.utillinux}/bin/umount /afs ${pkgs.utillinux}/bin/umount /afs
${openafsPkgs}/sbin/afsd -shutdown ${openafsPkgs}/sbin/afsd -shutdown
${pkgs.module_init_tools}/sbin/rmmod libafs ${pkgs.kmod}/sbin/rmmod libafs
''; '';
}; };
}; };

View File

@ -1,54 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.copy-com;
in
{
options = {
services.copy-com = {
enable = mkOption {
default = false;
description = "
Enable the Copy.com client.
NOTE: before enabling the client for the first time, it must be
configured by first running CopyConsole (command line) or CopyAgent
(graphical) as the appropriate user.
";
};
user = mkOption {
description = "The user for which the Copy.com client should be run.";
};
debug = mkOption {
default = false;
description = "Output more (debugging) messages to the console.";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.postfix ];
systemd.services."copy-com-${cfg.user}" = {
description = "Copy.com client";
wants = [ "network-online.target" ];
after = [ "network-online.target" "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${pkgs.copy-com}/bin/CopyConsole ${if cfg.debug then "-consoleOutput -debugToConsole=dirwatch,path-watch,csm_path,csm -debug -console" else ""}";
User = "${cfg.user}";
};
};
};
}

View File

@ -0,0 +1,50 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.logmein-hamachi;
in
{
###### interface
options = {
services.logmein-hamachi.enable = mkOption {
type = types.bool;
default = false;
description =
''
Whether to enable LogMeIn Hamachi, a proprietary
(closed source) commercial VPN software.
'';
};
};
###### implementation
config = mkIf cfg.enable {
systemd.services.logmein-hamachi = {
description = "LogMeIn Hamachi Daemon";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "local-fs.target" ];
serviceConfig = {
Type = "forking";
ExecStart = "${pkgs.logmein-hamachi}/bin/hamachid";
};
};
environment.systemPackages = [ pkgs.logmein-hamachi ];
};
}
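
Review bot: `serviceConfig` sets `Type = "forking"` without a `PIDFile`, so systemd has to guess the main process of `hamachid`. If the daemon writes a PID file, name it here, as the fail2ban change in this commit does; if not, add a comment saying why it is omitted.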

View File

@ -10,6 +10,7 @@ let
{ what = "${pkgs.mfi}/dl"; where = "${stateDir}/dl"; } { what = "${pkgs.mfi}/dl"; where = "${stateDir}/dl"; }
{ what = "${pkgs.mfi}/lib"; where = "${stateDir}/lib"; } { what = "${pkgs.mfi}/lib"; where = "${stateDir}/lib"; }
{ what = "${pkgs.mongodb248}/bin"; where = "${stateDir}/bin"; } { what = "${pkgs.mongodb248}/bin"; where = "${stateDir}/bin"; }
{ what = "${cfg.dataDir}"; where = "${stateDir}/data"; }
]; ];
systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints; systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints;
ports = [ 6080 6880 6443 6843 ]; ports = [ 6080 6880 6443 6843 ];
@ -23,6 +24,15 @@ in
default = true; default = true;
description = "Whether to open TCP ports ${concatMapStrings (a: "${toString a} ") ports}for the services."; description = "Whether to open TCP ports ${concatMapStrings (a: "${toString a} ") ports}for the services.";
}; };
dataDir = mkOption {
type = types.str;
default = "${stateDir}/data";
description = ''
Where to store the database and other data.
This directory will be bind-mounted to ${stateDir}/data as part of the service startup.
'';
};
}; };
}; };
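
Review bot: `dataDir` defaults to `"${stateDir}/data"`, and the new `mountPoints` entry binds `cfg.dataDir` onto `${stateDir}/data`, so with the default the directory is bind-mounted onto itself. Only add the mount when `cfg.dataDir` differs from the default, or make the option `nullOr` with `null` meaning no bind mount.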

View File

@ -50,7 +50,7 @@ in
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
path = [ config.nix.package pkgs.bzip2.bin ]; path = [ config.nix.package.out pkgs.bzip2.bin ];
environment.NIX_REMOTE = "daemon"; environment.NIX_REMOTE = "daemon";
environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile; environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;

View File

@ -3,7 +3,7 @@
with lib; with lib;
let let
quassel = pkgs.quasselDaemon_qt5; quassel = pkgs.kde4.quasselDaemon;
cfg = config.services.quassel; cfg = config.services.quassel;
user = if cfg.user != null then cfg.user else "quassel"; user = if cfg.user != null then cfg.user else "quassel";
in in

View File

@ -17,6 +17,10 @@ let
what = "${pkgs.mongodb}/bin"; what = "${pkgs.mongodb}/bin";
where = "${stateDir}/bin"; where = "${stateDir}/bin";
} }
{
what = "${cfg.dataDir}";
where = "${stateDir}/data";
}
]; ];
systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints; systemdMountPoints = map (m: "${utils.escapeSystemdPath m.where}.mount") mountPoints;
in in
@ -32,6 +36,16 @@ in
''; '';
}; };
services.unifi.dataDir = mkOption {
type = types.str;
default = "${stateDir}/data";
description = ''
Where to store the database and other data.
This directory will be bind-mounted to ${stateDir}/data as part of the service startup.
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -62,7 +76,7 @@ in
bindsTo = systemdMountPoints; bindsTo = systemdMountPoints;
unitConfig.RequiresMountsFor = stateDir; unitConfig.RequiresMountsFor = stateDir;
# This a HACK to fix missing dependencies of dynamic libs extracted from jars # This a HACK to fix missing dependencies of dynamic libs extracted from jars
environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc}/lib"; environment.LD_LIBRARY_PATH = with pkgs.stdenv; "${cc.cc.lib}/lib";
preStart = '' preStart = ''
# Ensure privacy of state # Ensure privacy of state

View File

@ -0,0 +1,102 @@
{ config, pkgs, lib, nodes, ... }:
with lib;
let
cfg = config.services.zerobin;
zerobin_config = pkgs.writeText "zerobin-config.py" ''
PASTE_FILES_ROOT = "${cfg.dataDir}"
${cfg.extraConfig}
'';
in
{
options = {
services.zerobin = {
enable = mkEnableOption "0bin";
dataDir = mkOption {
type = types.str;
default = "/var/lib/zerobin";
description = ''
Path to the 0bin data directory
'';
};
user = mkOption {
type = types.str;
default = "zerobin";
description = ''
The user 0bin should run as
'';
};
group = mkOption {
type = types.str;
default = "zerobin";
description = ''
The group 0bin should run as
'';
};
listenPort = mkOption {
type = types.int;
default = 8000;
example = 1357;
description = ''
The port zerobin should listen on
'';
};
listenAddress = mkOption {
type = types.str;
default = "localhost";
example = "127.0.0.1";
description = ''
The address zerobin should listen to
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = ''
MENU = (
('Home', '/'),
)
COMPRESSED_STATIC_FILE = True
'';
description = ''
Extra configuration to be appended to the 0bin config file
(see https://0bin.readthedocs.org/en/latest/en/options.html)
'';
};
};
};
config = mkIf (cfg.enable) {
users.users."${cfg.user}" =
if cfg.user == "zerobin" then {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
}
else {};
users.groups."${cfg.group}" = {};
systemd.services.zerobin = {
enable = true;
after = [ "network-interfaces.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.pythonPackages.zerobin}/bin/zerobin ${cfg.listenAddress} ${toString cfg.listenPort} false ${cfg.user} ${cfg.group} ${zerobin_config}";
serviceConfig.PrivateTmp="yes";
serviceConfig.User = cfg.user;
serviceConfig.Group = cfg.group;
preStart = ''
mkdir -p ${cfg.dataDir}
chown ${cfg.user} ${cfg.dataDir}
'';
};
};
}
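
Review bot: in `systemd.services.zerobin`, `preStart` runs `mkdir -p ${cfg.dataDir}` and `chown ${cfg.user} ${cfg.dataDir}` while `serviceConfig.User = cfg.user` is set. With the default user the directory is already created through `home = cfg.dataDir; createHome = true;`, so the script adds nothing. With any other user `users.users."${cfg.user}"` is `{}`, and the script runs as that unprivileged user unless pre-start is given root permissions (for example `serviceConfig.PermissionsStartOnly = true`), so it cannot create a directory under `/var/lib`. Run the pre-start step as root, quote both expansions, and set the group as well (`chown ${cfg.user}:${cfg.group}`). The `user` option description should also say that a non-default account has to be declared elsewhere.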

View File

@ -145,6 +145,7 @@ in {
# Install plugins # Install plugins
ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins
ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi
''; '';
postStart = mkBefore '' postStart = mkBefore ''

View File

@ -99,34 +99,32 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
partOf = optional config.networking.firewall.enable "firewall.service";
restartTriggers = [ fail2banConf jailConf ]; restartTriggers = [ fail2banConf jailConf ];
path = [ pkgs.fail2ban pkgs.iptables ]; path = [ pkgs.fail2ban pkgs.iptables ];
preStart = preStart =
'' ''
mkdir -p /run/fail2ban -m 0755
mkdir -p /var/lib/fail2ban mkdir -p /var/lib/fail2ban
''; '';
unitConfig.Documentation = "man:fail2ban(1)";
serviceConfig = serviceConfig =
{ ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f"; { Type = "forking";
ExecStart = "${pkgs.fail2ban}/bin/fail2ban-client -x start";
ExecStop = "${pkgs.fail2ban}/bin/fail2ban-client stop";
ExecReload = "${pkgs.fail2ban}/bin/fail2ban-client reload";
PIDFile = "/run/fail2ban/fail2ban.pid";
Restart = "always";
ReadOnlyDirectories = "/"; ReadOnlyDirectories = "/";
ReadWriteDirectories = "/run /var/tmp /var/lib"; ReadWriteDirectories = "/run/fail2ban /var/tmp /var/lib";
PrivateTmp = "true";
RuntimeDirectory = "fail2ban";
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW"; CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
}; };
postStart =
''
# Wait for the server to start listening.
for ((n = 0; n < 20; n++)); do
if fail2ban-client ping; then break; fi
sleep 0.5
done
# Reload its configuration.
fail2ban-client reload
'';
}; };
# Add some reasonable default jails. The special "DEFAULT" jail # Add some reasonable default jails. The special "DEFAULT" jail
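
Review bot: `preStart` now runs `mkdir -p /run/fail2ban -m 0755` while `serviceConfig` also sets `RuntimeDirectory = "fail2ban"`, which has systemd create that directory itself, so one of the two can go. Since the write set is being narrowed from `/run` to `/run/fail2ban` anyway, `ReadWriteDirectories` could be narrowed further: it still lists all of `/var/lib` although `preStart` only creates `/var/lib/fail2ban`, and it keeps `/var/tmp` next to the new `PrivateTmp = "true"`. Please check whether `/run/fail2ban /var/lib/fail2ban` is enough.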

View File

@ -121,7 +121,7 @@ in
security.setuidOwners = singleton security.setuidOwners = singleton
{ program = "dbus-daemon-launch-helper"; { program = "dbus-daemon-launch-helper";
source = "${pkgs.dbus_daemon.lib}/libexec/dbus-daemon-launch-helper"; source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper";
owner = "root"; owner = "root";
group = "messagebus"; group = "messagebus";
setuid = true; setuid = true;

View File

@ -4,7 +4,7 @@ let
inherit (lib) mkOption mkIf singleton; inherit (lib) mkOption mkIf singleton;
inherit (pkgs) heimdal; inherit (pkgs) heimdalFull;
stateDir = "/var/heimdal"; stateDir = "/var/heimdal";
in in
@ -33,7 +33,7 @@ in
config = mkIf config.services.kerberos_server.enable { config = mkIf config.services.kerberos_server.enable {
environment.systemPackages = [ heimdal ]; environment.systemPackages = [ heimdalFull ];
services.xinetd.enable = true; services.xinetd.enable = true;
services.xinetd.services = lib.singleton services.xinetd.services = lib.singleton
@ -42,7 +42,7 @@ in
protocol = "tcp"; protocol = "tcp";
user = "root"; user = "root";
server = "${pkgs.tcp_wrappers}/sbin/tcpd"; server = "${pkgs.tcp_wrappers}/sbin/tcpd";
serverArgs = "${pkgs.heimdal}/sbin/kadmind"; serverArgs = "${pkgs.heimdalFull}/sbin/kadmind";
}; };
systemd.services.kdc = { systemd.services.kdc = {
@ -51,13 +51,13 @@ in
preStart = '' preStart = ''
mkdir -m 0755 -p ${stateDir} mkdir -m 0755 -p ${stateDir}
''; '';
script = "${heimdal}/sbin/kdc"; script = "${heimdalFull}/sbin/kdc";
}; };
systemd.services.kpasswdd = { systemd.services.kpasswdd = {
description = "Kerberos Password Changing daemon"; description = "Kerberos Password Changing daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
script = "${heimdal}/sbin/kpasswdd"; script = "${heimdalFull}/sbin/kpasswdd";
}; };
}; };

View File

@ -165,6 +165,8 @@ in {
''; '';
}; };
services.xserver.updateDbusEnvironment = true;
environment.variables.GIO_EXTRA_MODULES = [ "${gnome3.dconf}/lib/gio/modules" environment.variables.GIO_EXTRA_MODULES = [ "${gnome3.dconf}/lib/gio/modules"
"${gnome3.glib_networking.out}/lib/gio/modules" "${gnome3.glib_networking.out}/lib/gio/modules"
"${gnome3.gvfs}/lib/gio/modules" ]; "${gnome3.gvfs}/lib/gio/modules" ];

View File

@ -42,10 +42,13 @@ in
# Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes. # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes.
export GTK_DATA_PREFIX=${config.system.path} export GTK_DATA_PREFIX=${config.system.path}
exec ${pkgs.stdenv.shell} ${pkgs.xfce.xinitrc} ${pkgs.stdenv.shell} ${pkgs.xfce.xinitrc} &
waitPID=$!
''; '';
}; };
services.xserver.updateDbusEnvironment = true;
environment.systemPackages = environment.systemPackages =
[ pkgs.gtk # To get GTK+'s themes. [ pkgs.gtk # To get GTK+'s themes.
pkgs.hicolor_icon_theme pkgs.hicolor_icon_theme

View File

@ -126,6 +126,14 @@ let
(*) echo "$0: Desktop manager '$desktopManager' not found.";; (*) echo "$0: Desktop manager '$desktopManager' not found.";;
esac esac
${optionalString (cfg.startDbusSession && cfg.updateDbusEnvironment) ''
${pkgs.glib}/bin/gdbus call --session \
--dest org.freedesktop.DBus --object-path /org/freedesktop/DBus \
--method org.freedesktop.DBus.UpdateActivationEnvironment \
"{$(env | ${pkgs.gnused}/bin/sed "s/'/\\\\'/g; s/\([^=]*\)=\(.*\)/'\1':'\2'/" \
| ${pkgs.coreutils}/bin/paste -sd,)}"
''}
test -n "$waitPID" && wait "$waitPID" test -n "$waitPID" && wait "$waitPID"
exit 0 exit 0
''; '';
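
Review bot: the dictionary passed to `UpdateActivationEnvironment` is built by running `sed` over the output of `env` line by line, which only holds for single-line values. A variable whose value contains a newline produces a continuation line that `s/\([^=]*\)=\(.*\)/'\1':'\2'/` either leaves unquoted or splits at a later `=`, and the joined text is then no longer a valid dictionary. Only `'` is escaped, so a backslash inside a value is passed through as an escape character. The call also hands the whole session environment to every D-Bus-activated service, which the `updateDbusEnvironment` description should state. Consider exporting an explicit list of variables, or at least escaping backslashes and skipping lines that do not match `NAME=value`.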

View File

@ -94,11 +94,9 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.redshift = { systemd.user.services.redshift = {
description = "Redshift colour temperature adjuster"; description = "Redshift colour temperature adjuster";
requires = [ "display-manager.service" ]; wantedBy = [ "default.target" ];
after = [ "display-manager.service" ];
wantedBy = [ "graphical.target" ];
serviceConfig = { serviceConfig = {
ExecStart = '' ExecStart = ''
${cfg.package}/bin/redshift \ ${cfg.package}/bin/redshift \
@ -107,10 +105,10 @@ in {
-b ${toString cfg.brightness.day}:${toString cfg.brightness.night} \ -b ${toString cfg.brightness.day}:${toString cfg.brightness.night} \
${lib.strings.concatStringsSep " " cfg.extraOptions} ${lib.strings.concatStringsSep " " cfg.extraOptions}
''; '';
RestartSec = 3; RestartSec = 3;
Restart = "always";
}; };
environment = { DISPLAY = ":0"; }; environment = { DISPLAY = ":0"; };
serviceConfig.Restart = "always";
}; };
}; };
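
Review bot: with the unit moved to `systemd.user.services.redshift` and `wantedBy = [ "default.target" ]`, the ordering on `display-manager.service` is gone, so the unit starts with every user manager, including sessions that have no X server. Combined with `Restart = "always"` and `RestartSec = 3` it will then be restarted indefinitely. `environment = { DISPLAY = ":0"; }` is still hard-coded, which is also wrong for a user on another display. Tie the unit to the graphical session, or document both limitations in the module's `enable` description.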

View File

@ -38,6 +38,7 @@ in
start = if cfg.startThroughSession start = if cfg.startThroughSession
then cfg.sessionScript then cfg.sessionScript
else '' else ''
export _JAVA_AWT_WM_NONREPARENTING=1
SXHKD_SHELL=/bin/sh ${pkgs.sxhkd}/bin/sxhkd -f 100 & SXHKD_SHELL=/bin/sh ${pkgs.sxhkd}/bin/sxhkd -f 100 &
${pkgs.bspwm}/bin/bspwm ${pkgs.bspwm}/bin/bspwm
''; '';

View File

@ -233,6 +233,15 @@ in
''; '';
}; };
updateDbusEnvironment = mkOption {
type = types.bool;
default = false;
description = ''
Whether to update the DBus activation environment after launching the
desktop manager.
'';
};
layout = mkOption { layout = mkOption {
type = types.str; type = types.str;
default = "us"; default = "us";

View File

@ -499,7 +499,7 @@ in
} }
] ++ flip map args.devices (device: { ] ++ flip map args.devices (device: {
assertion = device == "nodev" || hasPrefix "/" device; assertion = device == "nodev" || hasPrefix "/" device;
message = "GRUB devices must be absolute paths, not ${dev} in ${args.path}"; message = "GRUB devices must be absolute paths, not ${device} in ${args.path}";
})); }));
}) })

View File

@ -14,7 +14,7 @@ let
inherit (pkgs) python gummiboot; inherit (pkgs) python gummiboot;
nix = config.nix.package; nix = config.nix.package.out;
timeout = if cfg.timeout != null then cfg.timeout else ""; timeout = if cfg.timeout != null then cfg.timeout else "";

View File

@ -36,7 +36,7 @@ in
type = types.loaOf types.optionSet; type = types.loaOf types.optionSet;
default = {}; default = {};
example = literalExample '' example = literalExample ''
{ hosts = { example-configuration-file =
{ source = "/nix/store/.../etc/dir/file.conf.example"; { source = "/nix/store/.../etc/dir/file.conf.example";
mode = "0440"; mode = "0440";
}; };

View File

@ -523,7 +523,7 @@ in
networking.bonds = mkOption { networking.bonds = mkOption {
default = { }; default = { };
example = { example = literalExample {
bond0 = { bond0 = {
interfaces = [ "eth0" "wlan0" ]; interfaces = [ "eth0" "wlan0" ];
miimon = 100; miimon = 100;
@ -598,7 +598,7 @@ in
networking.macvlans = mkOption { networking.macvlans = mkOption {
type = types.attrsOf types.optionSet; type = types.attrsOf types.optionSet;
default = { }; default = { };
example = { example = literalExample {
wan = { wan = {
interface = "enp2s0"; interface = "enp2s0";
mode = "vepa"; mode = "vepa";
@ -629,7 +629,7 @@ in
networking.sits = mkOption { networking.sits = mkOption {
type = types.attrsOf types.optionSet; type = types.attrsOf types.optionSet;
default = { }; default = { };
example = { example = literalExample {
hurricane = { hurricane = {
remote = "10.0.0.1"; remote = "10.0.0.1";
local = "10.0.0.22"; local = "10.0.0.22";
@ -688,7 +688,7 @@ in
networking.vlans = mkOption { networking.vlans = mkOption {
default = { }; default = { };
example = { example = literalExample {
vlan0 = { vlan0 = {
id = 3; id = 3;
interface = "enp3s0"; interface = "enp3s0";
@ -727,7 +727,7 @@ in
networking.wlanInterfaces = mkOption { networking.wlanInterfaces = mkOption {
default = { }; default = { };
example = { example = literalExample {
"wlan-station0" = { "wlan-station0" = {
device = "wlp6s0"; device = "wlp6s0";
}; };
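
Review bot: `example = literalExample {` hands `literalExample` an attribute set, here and in the `bonds`, `macvlans`, `sits` and `vlans` hunks above, whereas the other use in this commit (`example = literalExample ''`) gives it a string of Nix source. If the helper expects text, either keep the plain attribute set as `example = { ... };` or wrap each example in `'' ... ''`, and build the manual once to confirm the five options still render.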

View File

@ -8,7 +8,7 @@ let
echo "attempting to fetch configuration from EC2 user data..." echo "attempting to fetch configuration from EC2 user data..."
export PATH=${config.nix.package}/bin:${pkgs.systemd}/bin:${pkgs.gnugrep}/bin:${pkgs.gnused}/bin:${config.system.build.nixos-rebuild}/bin:$PATH export PATH=${pkgs.lib.makeBinPath [ config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild]}:$PATH
export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels
userData=/etc/ec2-metadata/user-data userData=/etc/ec2-metadata/user-data

View File

@ -62,10 +62,10 @@ in
echo Register the paths in the Nix database. echo Register the paths in the Nix database.
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
echo Create the system profile to allow nixos-rebuild to work. echo Create the system profile to allow nixos-rebuild to work.
chroot /mnt ${config.nix.package}/bin/nix-env \ chroot /mnt ${config.nix.package.out}/bin/nix-env \
-p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group "" -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} --option build-users-group ""
echo nixos-rebuild requires an /etc/NIXOS. echo nixos-rebuild requires an /etc/NIXOS.

View File

@ -62,10 +62,10 @@ in
# Register the paths in the Nix database. # Register the paths in the Nix database.
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
# Create the system profile to allow nixos-rebuild to work. # Create the system profile to allow nixos-rebuild to work.
chroot /mnt ${config.nix.package}/bin/nix-env \ chroot /mnt ${config.nix.package.out}/bin/nix-env \
-p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \
--option build-users-group "" --option build-users-group ""

View File

@ -28,14 +28,23 @@ let
# Initialise the container side of the veth pair. # Initialise the container side of the veth pair.
if [ "$PRIVATE_NETWORK" = 1 ]; then if [ "$PRIVATE_NETWORK" = 1 ]; then
ip link set host0 name eth0 ip link set host0 name eth0
ip link set dev eth0 up ip link set dev eth0 up
if [ -n "$LOCAL_ADDRESS" ]; then
ip addr add $LOCAL_ADDRESS dev eth0
fi
if [ -n "$LOCAL_ADDRESS6" ]; then
ip -6 addr add $LOCAL_ADDRESS6 dev eth0
fi
if [ -n "$HOST_ADDRESS" ]; then if [ -n "$HOST_ADDRESS" ]; then
ip route add $HOST_ADDRESS dev eth0 ip route add $HOST_ADDRESS dev eth0
ip route add default via $HOST_ADDRESS ip route add default via $HOST_ADDRESS
fi fi
if [ -n "$LOCAL_ADDRESS" ]; then if [ -n "$HOST_ADDRESS6" ]; then
ip addr add $LOCAL_ADDRESS dev eth0 ip -6 route add $HOST_ADDRESS6 dev eth0
ip -6 route add default via $HOST_ADDRESS6
fi fi
fi fi
@ -48,7 +57,7 @@ let
system = config.nixpkgs.system; system = config.nixpkgs.system;
bindMountOpts = { name, config, ... }: { bindMountOpts = { name, config, ... }: {
options = { options = {
mountPoint = mkOption { mountPoint = mkOption {
example = "/mnt/usb"; example = "/mnt/usb";
@ -68,13 +77,13 @@ let
description = "Determine whether the mounted path will be accessed in read-only mode."; description = "Determine whether the mounted path will be accessed in read-only mode.";
}; };
}; };
config = { config = {
mountPoint = mkDefault name; mountPoint = mkDefault name;
}; };
}; };
mkBindFlag = d: mkBindFlag = d:
let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind="; let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind=";
mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}"; mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}";
@ -142,12 +151,33 @@ in
''; '';
}; };
hostBridge = mkOption {
type = types.nullOr types.string;
default = null;
example = "br0";
description = ''
Put the host-side of the veth-pair into the named bridge.
Only one of hostAddress* or hostBridge can be given.
'';
};
hostAddress = mkOption { hostAddress = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
example = "10.231.136.1"; example = "10.231.136.1";
description = '' description = ''
The IPv4 address assigned to the host interface. The IPv4 address assigned to the host interface.
(Not used when hostBridge is set.)
'';
};
hostAddress6 = mkOption {
type = types.nullOr types.string;
default = null;
example = "fc00::1";
description = ''
The IPv6 address assigned to the host interface.
(Not used when hostBridge is set.)
''; '';
}; };
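
Review bot: the `hostBridge` description says "Only one of hostAddress* or hostBridge can be given", but nothing in this hunk enforces it, and the `postStart` change later in this file simply skips the host address setup when `HOST_BRIDGE` is set, so a conflicting configuration is accepted silently. Add an assertion that rejects `hostBridge` together with `hostAddress` or `hostAddress6`. `hostBridge` and `hostAddress6` are also declared as `types.nullOr types.string` while the neighbouring `hostAddress` uses `types.nullOr types.str`; use `types.str` for all three.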
@ -161,6 +191,16 @@ in
''; '';
}; };
localAddress6 = mkOption {
type = types.nullOr types.string;
default = null;
example = "fc00::2";
description = ''
The IPv6 address assigned to <literal>eth0</literal>
in the container.
'';
};
interfaces = mkOption { interfaces = mkOption {
type = types.listOf types.string; type = types.listOf types.string;
default = []; default = [];
@ -185,7 +225,7 @@ in
example = { "/home" = { hostPath = "/home/alice"; example = { "/home" = { hostPath = "/home/alice";
isReadOnly = false; }; isReadOnly = false; };
}; };
description = description =
'' ''
An extra list of directories that is bound to the container. An extra list of directories that is bound to the container.
@ -238,154 +278,180 @@ in
}; };
config = mkIf (config.boot.enableContainers) { config = mkIf (config.boot.enableContainers) (let
systemd.services."container@" = unit = {
{ description = "Container '%i'"; description = "Container '%i'";
unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ]; unitConfig.RequiresMountsFor = [ "/var/lib/containers/%i" ];
path = [ pkgs.iproute ]; path = [ pkgs.iproute ];
environment.INSTANCE = "%i"; environment.INSTANCE = "%i";
environment.root = "/var/lib/containers/%i"; environment.root = "/var/lib/containers/%i";
preStart = preStart =
'' ''
# Clean up existing machined registration and interfaces. # Clean up existing machined registration and interfaces.
machinectl terminate "$INSTANCE" 2> /dev/null || true machinectl terminate "$INSTANCE" 2> /dev/null || true
if [ "$PRIVATE_NETWORK" = 1 ]; then if [ "$PRIVATE_NETWORK" = 1 ]; then
ip link del dev "ve-$INSTANCE" 2> /dev/null || true ip link del dev "ve-$INSTANCE" 2> /dev/null || true
ip link del dev "vb-$INSTANCE" 2> /dev/null || true
fi
'';
script =
''
mkdir -p -m 0755 "$root/etc" "$root/var/lib"
mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
if ! [ -e "$root/etc/os-release" ]; then
touch "$root/etc/os-release"
fi
mkdir -p -m 0755 \
"/nix/var/nix/profiles/per-container/$INSTANCE" \
"/nix/var/nix/gcroots/per-container/$INSTANCE"
cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf"
if [ "$PRIVATE_NETWORK" = 1 ]; then
extraFlags+=" --network-veth"
if [ -n "$HOST_BRIDGE" ]; then
extraFlags+=" --network-bridge=$HOST_BRIDGE"
fi fi
fi
for iface in $INTERFACES; do
extraFlags+=" --network-interface=$iface"
done
if [ "$PRIVATE_NETWORK" = 1 ]; then for iface in $MACVLANS; do
ip link del dev "ve-$INSTANCE" 2> /dev/null || true extraFlags+=" --network-macvlan=$iface"
done
# If the host is 64-bit and the container is 32-bit, add a
# --personality flag.
${optionalString (config.nixpkgs.system == "x86_64-linux") ''
if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then
extraFlags+=" --personality=x86"
fi fi
''; ''}
script =
''
mkdir -p -m 0755 "$root/etc" "$root/var/lib"
mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
if ! [ -e "$root/etc/os-release" ]; then
touch "$root/etc/os-release"
fi
mkdir -p -m 0755 \
"/nix/var/nix/profiles/per-container/$INSTANCE" \
"/nix/var/nix/gcroots/per-container/$INSTANCE"
cp --remove-destination /etc/resolv.conf "$root/etc/resolv.conf"
if [ "$PRIVATE_NETWORK" = 1 ]; then
extraFlags+=" --network-veth"
fi
for iface in $INTERFACES; do
extraFlags+=" --network-interface=$iface"
done
for iface in $MACVLANS; do
extraFlags+=" --network-macvlan=$iface"
done
# If the host is 64-bit and the container is 32-bit, add a
# --personality flag.
${optionalString (config.nixpkgs.system == "x86_64-linux") ''
if [ "$(< ''${SYSTEM_PATH:-/nix/var/nix/profiles/per-container/$INSTANCE/system}/system)" = i686-linux ]; then
extraFlags+=" --personality=x86"
fi
''}
# Run systemd-nspawn without startup notification (we'll # Run systemd-nspawn without startup notification (we'll
# wait for the container systemd to signal readiness). # wait for the container systemd to signal readiness).
EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \ EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \
exec ${config.systemd.package}/bin/systemd-nspawn \ exec ${config.systemd.package}/bin/systemd-nspawn \
--keep-unit \ --keep-unit \
-M "$INSTANCE" -D "$root" $extraFlags \ -M "$INSTANCE" -D "$root" $extraFlags \
$EXTRA_NSPAWN_FLAGS \ $EXTRA_NSPAWN_FLAGS \
--bind-ro=/nix/store \ --bind-ro=/nix/store \
--bind-ro=/nix/var/nix/db \ --bind-ro=/nix/var/nix/db \
--bind-ro=/nix/var/nix/daemon-socket \ --bind-ro=/nix/var/nix/daemon-socket \
--bind=/run/systemd/notify:/var/lib/private/host-notify \ --bind=/run/systemd/notify:/var/lib/private/host-notify \
--bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \ --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
--bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \ --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
--setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \ --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
--setenv HOST_ADDRESS="$HOST_ADDRESS" \ --setenv HOST_BRIDGE="$HOST_BRIDGE" \
--setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \ --setenv HOST_ADDRESS="$HOST_ADDRESS" \
--setenv PATH="$PATH" \ --setenv LOCAL_ADDRESS="$LOCAL_ADDRESS" \
${containerInit} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init" --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \
''; --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
--setenv PATH="$PATH" \
${containerInit} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init"
'';
postStart = postStart =
'' ''
if [ "$PRIVATE_NETWORK" = 1 ]; then if [ "$PRIVATE_NETWORK" = 1 ]; then
if [ -z "$HOST_BRIDGE" ]; then
ifaceHost=ve-$INSTANCE ifaceHost=ve-$INSTANCE
ip link set dev $ifaceHost up ip link set dev $ifaceHost up
if [ -n "$HOST_ADDRESS" ]; then if [ -n "$HOST_ADDRESS" ]; then
ip addr add $HOST_ADDRESS dev $ifaceHost ip addr add $HOST_ADDRESS dev $ifaceHost
fi fi
if [ -n "$HOST_ADDRESS6" ]; then
ip -6 addr add $HOST_ADDRESS6 dev $ifaceHost
fi
if [ -n "$LOCAL_ADDRESS" ]; then if [ -n "$LOCAL_ADDRESS" ]; then
ip route add $LOCAL_ADDRESS dev $ifaceHost ip route add $LOCAL_ADDRESS dev $ifaceHost
fi fi
if [ -n "$LOCAL_ADDRESS6" ]; then
ip -6 route add $LOCAL_ADDRESS6 dev $ifaceHost
fi
fi fi
fi
# Get the leader PID so that we can signal it in # Get the leader PID so that we can signal it in
# preStop. We can't use machinectl there because D-Bus # preStop. We can't use machinectl there because D-Bus
# might be shutting down. FIXME: in systemd 219 we can # might be shutting down. FIXME: in systemd 219 we can
# just signal systemd-nspawn to do a clean shutdown. # just signal systemd-nspawn to do a clean shutdown.
machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid" machinectl show "$INSTANCE" | sed 's/Leader=\(.*\)/\1/;t;d' > "/run/containers/$INSTANCE.pid"
''; '';
preStop = preStop =
''
pid="$(cat /run/containers/$INSTANCE.pid)"
if [ -n "$pid" ]; then
kill -RTMIN+4 "$pid"
fi
rm -f "/run/containers/$INSTANCE.pid"
'';
restartIfChanged = false;
serviceConfig = {
ExecReload = pkgs.writeScript "reload-container"
'' ''
pid="$(cat /run/containers/$INSTANCE.pid)" #! ${pkgs.stdenv.shell} -e
if [ -n "$pid" ]; then ${nixos-container}/bin/nixos-container run "$INSTANCE" -- \
kill -RTMIN+4 "$pid" bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
fi
rm -f "/run/containers/$INSTANCE.pid"
''; '';
restartIfChanged = false; SyslogIdentifier = "container %i";
#reloadIfChanged = true; # FIXME
serviceConfig = { EnvironmentFile = "-/etc/containers/%i.conf";
ExecReload = pkgs.writeScript "reload-container"
''
#! ${pkgs.stdenv.shell} -e
${nixos-container}/bin/nixos-container run "$INSTANCE" -- \
bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
'';
SyslogIdentifier = "container %i"; Type = "notify";
EnvironmentFile = "-/etc/containers/%i.conf"; NotifyAccess = "all";
Type = "notify"; # Note that on reboot, systemd-nspawn returns 133, so this
# unit will be restarted. On poweroff, it returns 0, so the
# unit won't be restarted.
RestartForceExitStatus = "133";
SuccessExitStatus = "133";
NotifyAccess = "all"; Restart = "on-failure";
# Note that on reboot, systemd-nspawn returns 133, so this # Hack: we don't want to kill systemd-nspawn, since we call
# unit will be restarted. On poweroff, it returns 0, so the # "machinectl poweroff" in preStop to shut down the
# unit won't be restarted. # container cleanly. But systemd requires sending a signal
RestartForceExitStatus = "133"; # (at least if we want remaining processes to be killed
SuccessExitStatus = "133"; # after the timeout). So send an ignored signal.
KillMode = "mixed";
Restart = "on-failure"; KillSignal = "WINCH";
# Hack: we don't want to kill systemd-nspawn, since we call
# "machinectl poweroff" in preStop to shut down the
# container cleanly. But systemd requires sending a signal
# (at least if we want remaining processes to be killed
# after the timeout). So send an ignored signal.
KillMode = "mixed";
KillSignal = "WINCH";
};
}; };
};
in {
systemd.services = listToAttrs (filter (x: x.value != null) (
# The generic container template used by imperative containers
[{ name = "container@"; value = unit; }]
# declarative containers
++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (
if cfg.autoStart then
unit // {
wantedBy = [ "multi-user.target" ];
wants = [ "network.target" ];
after = [ "network.target" ];
restartTriggers = [ cfg.path ];
reloadIfChanged = true;
}
else null
)) config.containers)
));
# Generate a configuration file in /etc/containers for each # Generate a configuration file in /etc/containers for each
# container so that container@.target can get the container # container so that container@.target can get the container
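
Review bot: the declarative `container@${name}` units set `reloadIfChanged = true` with `restartTriggers = [ cfg.path ]`, and `ExecReload` only runs `switch-to-configuration test` inside the container. The host-side network setup (`--network-bridge=$HOST_BRIDGE` in `script`, the `ip addr add` and `ip -6 route add` calls in `postStart`) is not re-run on reload, so a change to `hostBridge`, `hostAddress6` or `localAddress6` is not picked up until the container is restarted. Either document that, or make those options force a restart. A short comment explaining that containers without `autoStart` map to `null` and fall back to the `container@` template would also help the next reader of the `listToAttrs (filter ...)` expression.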
@ -396,12 +462,21 @@ in
SYSTEM_PATH=${cfg.path} SYSTEM_PATH=${cfg.path}
${optionalString cfg.privateNetwork '' ${optionalString cfg.privateNetwork ''
PRIVATE_NETWORK=1 PRIVATE_NETWORK=1
${optionalString (cfg.hostBridge != null) ''
HOST_BRIDGE=${cfg.hostBridge}
''}
${optionalString (cfg.hostAddress != null) '' ${optionalString (cfg.hostAddress != null) ''
HOST_ADDRESS=${cfg.hostAddress} HOST_ADDRESS=${cfg.hostAddress}
''} ''}
${optionalString (cfg.hostAddress6 != null) ''
HOST_ADDRESS6=${cfg.hostAddress6}
''}
${optionalString (cfg.localAddress != null) '' ${optionalString (cfg.localAddress != null) ''
LOCAL_ADDRESS=${cfg.localAddress} LOCAL_ADDRESS=${cfg.localAddress}
''} ''}
${optionalString (cfg.localAddress6 != null) ''
LOCAL_ADDRESS6=${cfg.localAddress6}
''}
''} ''}
INTERFACES="${toString cfg.interfaces}" INTERFACES="${toString cfg.interfaces}"
${optionalString cfg.autoStart '' ${optionalString cfg.autoStart ''
@ -420,31 +495,5 @@ in
networking.dhcpcd.denyInterfaces = [ "ve-*" ]; networking.dhcpcd.denyInterfaces = [ "ve-*" ];
environment.systemPackages = [ nixos-container ]; environment.systemPackages = [ nixos-container ];
});
# Start containers at boot time.
systemd.services.all-containers =
{ description = "All Containers";
wantedBy = [ "multi-user.target" ];
unitConfig.ConditionDirectoryNotEmpty = "/etc/containers";
serviceConfig.Type = "oneshot";
script =
''
res=0
shopt -s nullglob
for i in /etc/containers/*.conf; do
AUTO_START=
source "$i"
if [ "$AUTO_START" = 1 ]; then
systemctl start "container@$(basename "$i" .conf).service" || res=1
fi
done
exit $res
''; # */
};
};
} }
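
Review bot: `networking.dhcpcd.denyInterfaces = [ "ve-*" ];` is left unchanged here, but the bridge mode added in this commit uses host interfaces named `vb-$INSTANCE` (see the `ip link del dev "vb-$INSTANCE"` cleanup in `preStart`), so those are not excluded from dhcpcd; add `"vb-*"`. Removing `all-containers` also changes behaviour for imperative containers: the old script started every `/etc/containers/*.conf` with `AUTO_START=1`, while the replacement only generates units for entries in `config.containers`. If that is intended, say so in the commit message or release notes.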

View File

@ -90,40 +90,40 @@
"15.09".us-west-2.pv-ebs = "ami-005fb160"; "15.09".us-west-2.pv-ebs = "ami-005fb160";
"15.09".us-west-2.pv-s3 = "ami-cd55bbad"; "15.09".us-west-2.pv-s3 = "ami-cd55bbad";
"16.03".ap-northeast-1.hvm-ebs = "ami-885040e6"; "16.03".ap-northeast-1.hvm-ebs = "ami-b6edf5d8";
"16.03".ap-northeast-1.hvm-s3 = "ami-d15a4abf"; "16.03".ap-northeast-1.hvm-s3 = "ami-b1e3fbdf";
"16.03".ap-northeast-1.pv-ebs = "ami-7f455511"; "16.03".ap-northeast-1.pv-ebs = "ami-6190880f";
"16.03".ap-northeast-1.pv-s3 = "ami-6d7d6d03"; "16.03".ap-northeast-1.pv-s3 = "ami-908d95fe";
"16.03".ap-southeast-1.hvm-ebs = "ami-478a5f24"; "16.03".ap-southeast-1.hvm-ebs = "ami-35b16656";
"16.03".ap-southeast-1.hvm-s3 = "ami-b2885dd1"; "16.03".ap-southeast-1.hvm-s3 = "ami-41be6922";
"16.03".ap-southeast-1.pv-ebs = "ami-55b46136"; "16.03".ap-southeast-1.pv-ebs = "ami-4cb96e2f";
"16.03".ap-southeast-1.pv-s3 = "ami-92b762f1"; "16.03".ap-southeast-1.pv-s3 = "ami-3bb96e58";
"16.03".ap-southeast-2.hvm-ebs = "ami-26b09345"; "16.03".ap-southeast-2.hvm-ebs = "ami-debc91bd";
"16.03".ap-southeast-2.hvm-s3 = "ami-52ac8f31"; "16.03".ap-southeast-2.hvm-s3 = "ami-55bc9136";
"16.03".ap-southeast-2.pv-ebs = "ami-1fb3907c"; "16.03".ap-southeast-2.pv-ebs = "ami-b38ba6d0";
"16.03".ap-southeast-2.pv-s3 = "ami-49b1922a"; "16.03".ap-southeast-2.pv-s3 = "ami-9e8ba6fd";
"16.03".eu-central-1.hvm-ebs = "ami-2bd63744"; "16.03".eu-central-1.hvm-ebs = "ami-7c967413";
"16.03".eu-central-1.hvm-s3 = "ami-82d435ed"; "16.03".eu-central-1.hvm-s3 = "ami-b29072dd";
"16.03".eu-central-1.pv-ebs = "ami-b729c8d8"; "16.03".eu-central-1.pv-ebs = "ami-7a947615";
"16.03".eu-central-1.pv-s3 = "ami-a12dccce"; "16.03".eu-central-1.pv-s3 = "ami-729b791d";
"16.03".eu-west-1.hvm-ebs = "ami-87c242f4"; "16.03".eu-west-1.hvm-ebs = "ami-ff27a98c";
"16.03".eu-west-1.hvm-s3 = "ami-b6c343c5"; "16.03".eu-west-1.hvm-s3 = "ami-6c21af1f";
"16.03".eu-west-1.pv-ebs = "ami-6bc94918"; "16.03".eu-west-1.pv-ebs = "ami-a33cb2d0";
"16.03".eu-west-1.pv-s3 = "ami-00cb4b73"; "16.03".eu-west-1.pv-s3 = "ami-ec38b69f";
"16.03".sa-east-1.hvm-ebs = "ami-845cd3e8"; "16.03".sa-east-1.hvm-ebs = "ami-5bef6637";
"16.03".sa-east-1.hvm-s3 = "ami-8142cded"; "16.03".sa-east-1.hvm-s3 = "ami-55f87139";
"16.03".sa-east-1.pv-ebs = "ami-1643cc7a"; "16.03".sa-east-1.pv-ebs = "ami-76e56c1a";
"16.03".sa-east-1.pv-s3 = "ami-1646c97a"; "16.03".sa-east-1.pv-s3 = "ami-e1f8718d";
"16.03".us-east-1.hvm-ebs = "ami-2cc4d046"; "16.03".us-east-1.hvm-ebs = "ami-4bfd1926";
"16.03".us-east-1.hvm-s3 = "ami-9bc9ddf1"; "16.03".us-east-1.hvm-s3 = "ami-60c5210d";
"16.03".us-east-1.pv-ebs = "ami-7df4e017"; "16.03".us-east-1.pv-ebs = "ami-c0c92dad";
"16.03".us-east-1.pv-s3 = "ami-90f2e6fa"; "16.03".us-east-1.pv-s3 = "ami-f9d63294";
"16.03".us-west-1.hvm-ebs = "ami-d8116db8"; "16.03".us-west-1.hvm-ebs = "ami-13aad473";
"16.03".us-west-1.hvm-s3 = "ami-a7166ac7"; "16.03".us-west-1.hvm-s3 = "ami-e1a8d681";
"16.03".us-west-1.pv-ebs = "ami-e90c7089"; "16.03".us-west-1.pv-ebs = "ami-c0a6d8a0";
"16.03".us-west-1.pv-s3 = "ami-5b0c703b"; "16.03".us-west-1.pv-s3 = "ami-6aa9d70a";
"16.03".us-west-2.hvm-ebs = "ami-b339ccd3"; "16.03".us-west-2.hvm-ebs = "ami-265dad46";
"16.03".us-west-2.hvm-s3 = "ami-2c3bce4c"; "16.03".us-west-2.hvm-s3 = "ami-cd40b0ad";
"16.03".us-west-2.pv-ebs = "ami-0625d066"; "16.03".us-west-2.pv-ebs = "ami-7b4aba1b";
"16.03".us-west-2.pv-s3 = "ami-7414e114"; "16.03".us-west-2.pv-s3 = "ami-0849b968";
} }

View File

@ -66,10 +66,10 @@ in
# Register the paths in the Nix database. # Register the paths in the Nix database.
printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group "" chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
# Create the system profile to allow nixos-rebuild to work. # Create the system profile to allow nixos-rebuild to work.
chroot /mnt ${config.nix.package}/bin/nix-env \ chroot /mnt ${config.nix.package.out}/bin/nix-env \
-p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \ -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \
--option build-users-group "" --option build-users-group ""

View File

@ -149,11 +149,11 @@ let
${pkgs.mtools}/bin/mlabel -i /dev/vda2 ::boot ${pkgs.mtools}/bin/mlabel -i /dev/vda2 ::boot
# Mount /boot; load necessary modules first. # Mount /boot; load necessary modules first.
${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko || true ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko.xz || true
${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko || true ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko.xz || true
${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko || true ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko.xz || true
${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko || true ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko.xz || true
${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko || true ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko.xz || true
mkdir /boot mkdir /boot
mount /dev/vda2 /boot mount /dev/vda2 /boot
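
Review bot: the five `insmod` paths now hard-code the `.ko.xz` suffix and every call still ends in `|| true`, so with a `pkgs.linux` whose modules are not xz-compressed each load fails silently and the first visible error is the later `mount /dev/vda2 /boot`. Consider matching the file with a glob such as `vfat.ko*`, or dropping `|| true` for the modules the mount depends on so the failure is reported where it happens.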
@ -403,7 +403,7 @@ in
boot.postBootCommands = boot.postBootCommands =
'' ''
if [[ "$(cat /proc/cmdline)" =~ regInfo=([^ ]*) ]]; then if [[ "$(cat /proc/cmdline)" =~ regInfo=([^ ]*) ]]; then
${config.nix.package}/bin/nix-store --load-db < ''${BASH_REMATCH[1]} ${config.nix.package.out}/bin/nix-store --load-db < ''${BASH_REMATCH[1]}
fi fi
''; '';
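Review bot: in `nix-store --load-db < ''${BASH_REMATCH[1]}` the redirect target is taken from `/proc/cmdline` and used unquoted; the `[^ ]*` match excludes spaces but not tabs or glob characters. Quote it (`< "''${BASH_REMATCH[1]}"`) so that an unusual `regInfo=` value yields a plain "no such file" error instead of an ambiguous redirect while the Nix database is being loaded at boot.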

View File

@ -48,7 +48,7 @@ in rec {
nixos.ova.x86_64-linux nixos.ova.x86_64-linux
#(all nixos.tests.containers) #(all nixos.tests.containers)
(all nixos.tests.chromium.stable) (all nixos.tests.chromium)
(all nixos.tests.firefox) (all nixos.tests.firefox)
(all nixos.tests.firewall) (all nixos.tests.firewall)
nixos.tests.gnome3.x86_64-linux # FIXME: i686-linux nixos.tests.gnome3.x86_64-linux # FIXME: i686-linux
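Review bot: the commented-out `#(all nixos.tests.containers)` entry just above the changed line names a test that this same commit removes from release.nix in favour of `containers-ipv4`, `containers-ipv6`, `containers-bridge` and `containers-imperative`. Update the comment to the new names or delete it, otherwise re-enabling it later will reference an attribute that no longer exists.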
@ -64,6 +64,9 @@ in rec {
(all nixos.tests.installer.btrfsSubvols) (all nixos.tests.installer.btrfsSubvols)
(all nixos.tests.installer.btrfsSubvolDefault) (all nixos.tests.installer.btrfsSubvolDefault)
(all nixos.tests.boot.biosCdrom) (all nixos.tests.boot.biosCdrom)
(all nixos.tests.boot.biosUsb)
(all nixos.tests.boot.uefiCdrom)
(all nixos.tests.boot.uefiUsb)
(all nixos.tests.ipv6) (all nixos.tests.ipv6)
(all nixos.tests.kde4) (all nixos.tests.kde4)
#(all nixos.tests.lightdm) #(all nixos.tests.lightdm)

View File

@ -31,7 +31,8 @@ in rec {
inherit (nixos') channel manual iso_minimal dummy; inherit (nixos') channel manual iso_minimal dummy;
tests = { tests = {
inherit (nixos'.tests) inherit (nixos'.tests)
containers containers-imperative
containers-ipv4
firewall firewall
ipv6 ipv6
login login

View File

@ -103,6 +103,19 @@ in rec {
# Build the initial ramdisk so Hydra can keep track of its size over time. # Build the initial ramdisk so Hydra can keep track of its size over time.
initialRamdisk = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.initialRamdisk); initialRamdisk = buildFromConfig ({ pkgs, ... }: { }) (config: config.system.build.initialRamdisk);
netboot.x86_64-linux = let build = (import lib/eval-config.nix {
system = "x86_64-linux";
modules = [
./modules/installer/netboot/netboot-minimal.nix
versionModule
];
}).config.system.build;
in
pkgs.symlinkJoin {name="netboot"; paths=[
build.netbootRamdisk
build.kernel
build.netbootIpxeScript
];};
iso_minimal = forAllSystems (system: makeIso { iso_minimal = forAllSystems (system: makeIso {
module = ./modules/installer/cd-dvd/installation-cd-minimal.nix; module = ./modules/installer/cd-dvd/installation-cd-minimal.nix;
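Review bot: `netboot.x86_64-linux` is hard-coded to one system while the neighbouring `iso_minimal` goes through `forAllSystems`; if x86_64 only is intended, a one-line comment like the one above `initialRamdisk` would say so. The `pkgs.symlinkJoin {name="netboot"; paths=[` line also drops the spacing around `=` and after `{` that the rest of the file uses.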
@ -197,9 +210,12 @@ in rec {
tests.blivet = callTest tests/blivet.nix {}; tests.blivet = callTest tests/blivet.nix {};
tests.boot = callSubTests tests/boot.nix {}; tests.boot = callSubTests tests/boot.nix {};
tests.cadvisor = hydraJob (import tests/cadvisor.nix { system = "x86_64-linux"; }); tests.cadvisor = hydraJob (import tests/cadvisor.nix { system = "x86_64-linux"; });
tests.chromium = callSubTests tests/chromium.nix {}; tests.chromium = (callSubTests tests/chromium.nix { system = "x86_64-linux"; }).stable;
tests.cjdns = callTest tests/cjdns.nix {}; tests.cjdns = callTest tests/cjdns.nix {};
tests.containers = callTest tests/containers.nix {}; tests.containers-ipv4 = callTest tests/containers-ipv4.nix {};
tests.containers-ipv6 = callTest tests/containers-ipv6.nix {};
tests.containers-bridge = callTest tests/containers-bridge.nix {};
tests.containers-imperative = callTest tests/containers-imperative.nix {};
tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; }); tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });
tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; }); tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; });
tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; }; tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; };

View File

@ -44,5 +44,44 @@ in {
usb => glob("${iso}/iso/*.iso"), usb => glob("${iso}/iso/*.iso"),
bios => '${pkgs.OVMF}/FV/OVMF.fd' bios => '${pkgs.OVMF}/FV/OVMF.fd'
''; '';
} netboot = let
config = (import ../lib/eval-config.nix {
inherit system;
modules =
[ ../modules/installer/netboot/netboot.nix
../modules/testing/test-instrumentation.nix
{ key = "serial"; }
];
}).config;
ipxeScriptDir = pkgs.writeTextFile {
name = "ipxeScriptDir";
text = ''
#!ipxe
dhcp
kernel bzImage init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams} console=ttyS0
initrd initrd
boot
'';
destination = "/boot.ipxe";
};
ipxeBootDir = pkgs.symlinkJoin {
name = "ipxeBootDir";
paths = [
config.system.build.netbootRamdisk
config.system.build.kernel
ipxeScriptDir
];
};
in
makeTest {
name = "boot-netboot";
nodes = { };
testScript =
''
my $machine = createMachine({ qemuFlags => '-boot order=n -net nic,model=e1000 -net user,tftp=${ipxeBootDir}/,bootfile=boot.ipxe -m 2000M' });
$machine->start;
$machine->waitForUnit("multi-user.target");
$machine->shutdown;
'';
};
}
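Review bot: the `netboot` test boots from its own hand-written `#!ipxe` script in `ipxeScriptDir` rather than from `config.system.build.netbootIpxeScript`, which is what the release.nix netboot job ships, so the shipped script is never exercised by this test. If the extra `console=ttyS0` is the reason for the copy, say so in a comment. `ipxeScriptDir` is also a misleading name for a single file written to `/boot.ipxe`, and the `-m 2000M` in `qemuFlags` deserves a note on why that much memory is needed.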

View File

@ -0,0 +1,81 @@
# Test for NixOS' container support.
let
hostIp = "192.168.0.1";
containerIp = "192.168.0.100/24";
hostIp6 = "fc00::1";
containerIp6 = "fc00::2/7";
in
import ./make-test.nix ({ pkgs, ...} : {
name = "containers-bridge";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aristid aszlig eelco chaoflow ];
};
machine =
{ config, pkgs, ... }:
{ imports = [ ../modules/installer/cd-dvd/channel.nix ];
virtualisation.writableStore = true;
virtualisation.memorySize = 768;
networking.bridges = {
br0 = {
interfaces = [];
};
};
networking.interfaces = {
br0 = {
ip4 = [{ address = hostIp; prefixLength = 24; }];
ip6 = [{ address = hostIp6; prefixLength = 7; }];
};
};
containers.webserver =
{
autoStart = true;
privateNetwork = true;
hostBridge = "br0";
localAddress = containerIp;
localAddress6 = containerIp6;
config =
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
};
};
virtualisation.pathsInNixDB = [ pkgs.stdenv ];
};
testScript =
''
$machine->waitForUnit("default.target");
$machine->succeed("nixos-container list") =~ /webserver/ or die;
# Start the webserver container.
$machine->succeed("nixos-container status webserver") =~ /up/ or die;
"${containerIp}" =~ /([^\/]+)\/([0-9+])/;
my $ip = $1;
chomp $ip;
$machine->succeed("ping -n -c 1 $ip");
$machine->succeed("curl --fail http://$ip/ > /dev/null");
"${containerIp6}" =~ /([^\/]+)\/([0-9+])/;
my $ip6 = $1;
chomp $ip6;
$machine->succeed("ping6 -n -c 1 $ip6");
$machine->succeed("curl --fail http://[$ip6]/ > /dev/null");
# Stop the container.
$machine->succeed("nixos-container stop webserver");
$machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
$machine->fail("curl --fail --connect-timeout 2 http://[$ip6]/ > /dev/null");
# Destroying a declarative container should fail.
$machine->fail("nixos-container destroy webserver");
'';
})
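Review bot: in the test script the address-splitting regex `/([^\/]+)\/([0-9+])/` uses the character class `[0-9+]`, which matches one digit or a literal `+`; `[0-9]+` was presumably intended. It works today only because `$2` is unused and the match is unanchored. Suggest `/^([^\/]+)\/([0-9]+)$/ or die;` so a malformed `containerIp` fails the test instead of leaving `$ip` undefined. The `chomp` calls on the captures are no-ops, and the comment "Start the webserver container." now sits above a `status` check, since the container uses `autoStart = true`.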

View File

@ -1,50 +1,30 @@
# Test for NixOS' container support. # Test for NixOS' container support.
import ./make-test.nix ({ pkgs, ...} : { import ./make-test.nix ({ pkgs, ...} : {
name = "containers"; name = "containers-imperative";
meta = with pkgs.stdenv.lib.maintainers; { meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aristid aszlig eelco chaoflow ]; maintainers = [ aristid aszlig eelco chaoflow ];
}; };
machine = machine =
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ imports = [ ../modules/installer/cd-dvd/channel.nix ]; { imports = [ ../modules/installer/cd-dvd/channel.nix ];
virtualisation.writableStore = true; virtualisation.writableStore = true;
virtualisation.memorySize = 768; virtualisation.memorySize = 768;
# Make sure we always have all the required dependencies for creating a
containers.webserver = # container available within the VM, because we don't have network access.
{ privateNetwork = true; virtualisation.pathsInNixDB = let
hostAddress = "10.231.136.1"; emptyContainer = import ../lib/eval-config.nix {
localAddress = "10.231.136.2"; inherit (config.nixpkgs) system;
config = modules = lib.singleton {
{ services.httpd.enable = true; containers.foo.config = {};
services.httpd.adminAddr = "foo@example.org"; };
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
};
}; };
in [ pkgs.stdenv emptyContainer.config.containers.foo.path ];
virtualisation.pathsInNixDB = [ pkgs.stdenv ];
}; };
testScript = testScript =
'' ''
$machine->succeed("nixos-container list") =~ /webserver/ or die;
# Start the webserver container.
$machine->succeed("nixos-container start webserver");
# Since "start" returns after the container has reached
# multi-user.target, we should now be able to access it.
my $ip = $machine->succeed("nixos-container show-ip webserver");
chomp $ip;
#$machine->succeed("ping -c1 $ip"); # FIXME
$machine->succeed("curl --fail http://$ip/ > /dev/null");
# Stop the container.
$machine->succeed("nixos-container stop webserver");
$machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
# Make sure we have a NixOS tree (required by nixos-container create). # Make sure we have a NixOS tree (required by nixos-container create).
$machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2"); $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2");
@ -111,9 +91,6 @@ import ./make-test.nix ({ pkgs, ...} : {
# Ensure that the container path is gone # Ensure that the container path is gone
"test ! -e /var/lib/containers/$id1" "test ! -e /var/lib/containers/$id1"
); );
# Destroying a declarative container should fail.
$machine->fail("nixos-container destroy webserver");
''; '';
}) })

View File

@ -0,0 +1,55 @@
# Test for NixOS' container support.
import ./make-test.nix ({ pkgs, ...} : {
name = "containers-ipv4";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aristid aszlig eelco chaoflow ];
};
machine =
{ config, pkgs, ... }:
{ imports = [ ../modules/installer/cd-dvd/channel.nix ];
virtualisation.writableStore = true;
virtualisation.memorySize = 768;
containers.webserver =
{ privateNetwork = true;
hostAddress = "10.231.136.1";
localAddress = "10.231.136.2";
config =
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
};
};
virtualisation.pathsInNixDB = [ pkgs.stdenv ];
};
testScript =
''
$machine->succeed("nixos-container list") =~ /webserver/ or die;
# Start the webserver container.
$machine->succeed("nixos-container start webserver");
# wait two seconds for the container to start and the network to be up
sleep 2;
# Since "start" returns after the container has reached
# multi-user.target, we should now be able to access it.
my $ip = $machine->succeed("nixos-container show-ip webserver");
chomp $ip;
$machine->succeed("ping -n -c1 $ip");
$machine->succeed("curl --fail http://$ip/ > /dev/null");
# Stop the container.
$machine->succeed("nixos-container stop webserver");
$machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
# Destroying a declarative container should fail.
$machine->fail("nixos-container destroy webserver");
'';
})
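Review bot: the added `sleep 2;` after `nixos-container start webserver` contradicts the comment right below it, which says `start` only returns once the container has reached multi-user.target. If the network really is not up yet, a fixed two-second sleep will be flaky on a loaded builder; poll instead, for example `$machine->waitUntilSucceeds("ping -n -c1 $ip");`, and correct or drop the old comment.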

View File

@ -0,0 +1,61 @@
# Test for NixOS' container support.
let
hostIp = "fc00::2";
localIp = "fc00::1";
in
import ./make-test.nix ({ pkgs, ...} : {
name = "containers-ipv6";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ aristid aszlig eelco chaoflow ];
};
machine =
{ config, pkgs, ... }:
{ imports = [ ../modules/installer/cd-dvd/channel.nix ];
virtualisation.writableStore = true;
virtualisation.memorySize = 768;
containers.webserver =
{ privateNetwork = true;
hostAddress6 = hostIp;
localAddress6 = localIp;
config =
{ services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowPing = true;
};
};
virtualisation.pathsInNixDB = [ pkgs.stdenv ];
};
testScript =
''
$machine->waitForUnit("default.target");
$machine->succeed("nixos-container list") =~ /webserver/ or die;
# Start the webserver container.
$machine->succeed("nixos-container start webserver");
# wait two seconds for the container to start and the network to be up
sleep 2;
# Since "start" returns after the container has reached
# multi-user.target, we should now be able to access it.
my $ip = "${localIp}";
chomp $ip;
$machine->succeed("ping6 -n -c 1 $ip");
$machine->succeed("curl --fail http://[$ip]/ > /dev/null");
# Stop the container.
$machine->succeed("nixos-container stop webserver");
$machine->fail("curl --fail --connect-timeout 2 http://[$ip]/ > /dev/null");
# Destroying a declarative container should fail.
$machine->fail("nixos-container destroy webserver");
'';
})
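Review bot: `chomp $ip;` after `my $ip = "${localIp}";` is a no-op, because the value is a literal interpolated from the Nix `let` block and not command output; remove it. The fixed `sleep 2;` has the same flakiness concern as in containers-ipv4 and would be better expressed as a retry on the `ping6` check.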

View File

@ -62,7 +62,7 @@ import ./make-test.nix ({pkgs, ... }: {
# Test printing various file types. # Test printing various file types.
foreach my $file ("${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf", foreach my $file ("${pkgs.groff.doc}/share/doc/*/examples/mom/penguin.pdf",
"${pkgs.groff.doc}/share/doc/*/meref.ps", "${pkgs.groff.doc}/share/doc/*/meref.ps",
"${pkgs.cups}/share/doc/cups/images/cups.png", "${pkgs.cups.out}/share/doc/cups/images/cups.png",
"${pkgs.pcre.doc}/share/doc/pcre/pcre.txt") "${pkgs.pcre.doc}/share/doc/pcre/pcre.txt")
{ {
$file =~ /([^\/]*)$/; my $fn = $1; $file =~ /([^\/]*)$/; my $fn = $1;

View File

@ -0,0 +1,68 @@
{ stdenv, fetchurl, makeWrapper, python, alsaUtils, timidity }:
stdenv.mkDerivation rec {
version = "15.12";
name = "mma-${version}";
src = fetchurl {
url = "http://www.mellowood.ca/mma/mma-bin-${version}.tar.gz";
sha256 = "0k37kcrfaxmwjb8xb1cbqinrkx3g50dbvwqbvwl3l762j4vr8jgx";
};
buildInputs = [ makeWrapper python alsaUtils timidity ];
patchPhase = ''
sed -i 's@/usr/bin/aplaymidi@/${alsaUtils}/bin/aplaymidi@g' mma-splitrec
sed -i 's@/usr/bin/aplaymidi@/${alsaUtils}/bin/aplaymidi@g' util/mma-splitrec.py
sed -i 's@/usr/bin/arecord@/${alsaUtils}/bin/arecord@g' mma-splitrec
sed -i 's@/usr/bin/arecord@/${alsaUtils}/bin/arecord@g' util/mma-splitrec.py
sed -i 's@/usr/bin/timidity@/${timidity}/bin/timidity@g' mma-splitrec
sed -i 's@/usr/bin/timidity@/${timidity}/bin/timidity@g' util/mma-splitrec.py
find . -type f | xargs sed -i 's@/usr/bin/env python@${python}/bin/python@g'
'';
installPhase = ''
mkdir -p $out/{bin,share/mma,share/man/man1,share/man/man8}
mkdir -p $out/etc
cp mma.py $out/bin/mma
cp mma-gb $out/bin/mma-gb
cp mma-libdoc $out/bin/mma-libdoc
cp mma-renum $out/bin/mma-renum
cp mma-splitrec $out/bin/mma-splitrec
cp util/mma-mnx.py $out/bin/mma-mnx
cp util/mma-rm2std.py $out/bin/mma-rm2std
cp util/mmatabs.py $out/bin/mmatabs
cp util/mup2mma.py $out/bin/mup2mma
cp util/pg2mma.py $out/bin/pg2mma
cp util/synthsplit.py $out/bin/mma-synthsplit
cp -r {docs,egs,includes,lib,MMA,text} $out/share/mma
rmdir $out/share/mma/includes/aria
cp util/README.* $out/share/mma/docs
mv $out/share/mma/docs/man/mma-libdoc.8 $out/share/man/man8
mv $out/share/mma/docs/man/mma-renum.1 $out/share/man/man1
mv $out/share/mma/docs/man/mma.1 $out/share/man/man1
mv $out/share/mma/docs/man/mma-gb.1 $out/share/man/man1
rm -rf $out/share/mma/docs/man
find $out -type f | xargs sed -i "s@/usr/share/mma@$out/share/mma@g"
'';
preFixup = ''
PYTHONPATH=$out/share/mma/:$PYTHONPATH
for f in $out/bin/*; do
wrapProgram $f \
--prefix PYTHONPATH : $PYTHONPATH
done
cd $out/share/mma/
$out/bin/mma -G
'';
meta = {
description = "Creates MIDI tracks for a soloist to perform over from a user supplied file containing chords";
homepage = http://www.mellowood.ca/mma/index.html;
license = stdenv.lib.licenses.gpl2;
maintainers = [ stdenv.lib.maintainers.magnetophon ];
platforms = stdenv.lib.platforms.linux;
};
}
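Review bot: in `patchPhase` the replacements are written as `@/${alsaUtils}/bin/aplaymidi@` (likewise for `arecord` and `timidity`); the interpolated store path is already absolute, so the patched scripts end up with a doubled leading slash. Drop the literal `/` before `${alsaUtils}` and `${timidity}`. Overriding `patchPhase` outright also means a `patches` attribute added later would be silently ignored, so `postPatch` is the safer hook. The `find . -type f | xargs sed -i` lines split on file names containing whitespace; `find ... -exec sed -i ... {} +` avoids that.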

View File

@ -3,13 +3,13 @@
, perl, DigestSHA, MusicBrainz, MusicBrainzDiscID , perl, DigestSHA, MusicBrainz, MusicBrainzDiscID
, makeWrapper }: , makeWrapper }:
let version = "2.7"; let version = "2.7.2";
in in
stdenv.mkDerivation { stdenv.mkDerivation {
name = "abcde-${version}"; name = "abcde-${version}";
src = fetchurl { src = fetchurl {
url = "http://abcde.einval.com/download/abcde-${version}.tar.gz"; url = "http://abcde.einval.com/download/abcde-${version}.tar.gz";
sha256 = "0ikpffzvacadh6vj9qlary8126j1zrd2knp9gvivmp7y1656jj01"; sha256 = "1pakpi41k8yd780mfp0snhia6mmwjwxk9lcrq6gynimch8b8hfda";
}; };
# FIXME: This package does not support `distmp3', `eject', etc. # FIXME: This package does not support `distmp3', `eject', etc.
@ -39,6 +39,8 @@ in
buildInputs = [ makeWrapper ]; buildInputs = [ makeWrapper ];
installFlags = [ "sysconfdir=$(out)/etc" ];
postInstall = '' postInstall = ''
# substituteInPlace "$out/bin/cddb-tool" \ # substituteInPlace "$out/bin/cddb-tool" \
# --replace '#!/bin/sh' '#!${bash}/bin/sh' # --replace '#!/bin/sh' '#!${bash}/bin/sh'

View File

@ -2,7 +2,7 @@
, qtscriptgenerator, gettext, curl , libxml2, mysql, taglib , qtscriptgenerator, gettext, curl , libxml2, mysql, taglib
, taglib_extras, loudmouth , kdelibs , qca2, libmtp, liblastfm, libgpod , taglib_extras, loudmouth , kdelibs , qca2, libmtp, liblastfm, libgpod
, phonon , strigi, soprano, qjson, ffmpeg, libofa, nepomuk_core ? null , phonon , strigi, soprano, qjson, ffmpeg, libofa, nepomuk_core ? null
, lz4, lzo, snappy, libaio , lz4, lzo, snappy, libaio, pcre
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
qtscriptgenerator stdenv.cc.libc gettext curl libxml2 mysql.lib qtscriptgenerator stdenv.cc.libc gettext curl libxml2 mysql.lib
taglib taglib_extras loudmouth kdelibs phonon strigi soprano qca2 taglib taglib_extras loudmouth kdelibs phonon strigi soprano qca2
libmtp liblastfm libgpod qjson ffmpeg libofa nepomuk_core libmtp liblastfm libgpod qjson ffmpeg libofa nepomuk_core
lz4 lzo snappy libaio lz4 lzo snappy libaio pcre
]; ];
# This is already fixed upstream, will be release in 2.9 # This is already fixed upstream, will be release in 2.9

View File

@ -1,15 +1,15 @@
{ stdenv, fetchurl, wxGTK, pkgconfig, gettext, gtk, glib, zlib, perl, intltool, { stdenv, fetchurl, wxGTK30, pkgconfig, gettext, gtk, glib, zlib, perl, intltool,
libogg, libvorbis, libmad, alsaLib, libsndfile, soxr, flac, lame, fetchpatch, libogg, libvorbis, libmad, alsaLib, libsndfile, soxr, flac, lame, fetchpatch,
expat, libid3tag, ffmpeg, soundtouch /*, portaudio - given up fighting their portaudio.patch */ expat, libid3tag, ffmpeg, soundtouch /*, portaudio - given up fighting their portaudio.patch */
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
version = "2.1.1"; version = "2.1.2";
name = "audacity-${version}"; name = "audacity-${version}";
src = fetchurl { src = fetchurl {
url = "https://github.com/audacity/audacity/archive/Audacity-${version}.tar.gz"; url = "https://github.com/audacity/audacity/archive/Audacity-${version}.tar.gz";
sha256 = "15c5ff7ac1c0b19b08f4bdcb0f4988743da2f9ed3fab41d6f07600e67cb9ddb6"; sha256 = "1ggr6g0mk36rqj7ahsg8b0b1r9kphwajzvxgn43md263rm87n04h";
}; };
patches = [(fetchpatch { patches = [(fetchpatch {
name = "new-ffmpeg.patch"; name = "new-ffmpeg.patch";
@ -18,12 +18,6 @@ stdenv.mkDerivation rec {
sha256 = "19fr674mw844zmkp1476yigkcnmb6zyn78av64ccdwi3p68i00rf"; sha256 = "19fr674mw844zmkp1476yigkcnmb6zyn78av64ccdwi3p68i00rf";
})]; })];
# fix with gcc-5 from http://lists.freebsd.org/pipermail/freebsd-ports-bugs/2012-December/245884.html
postPatch = ''
substituteInPlace lib-src/libnyquist/nyquist/ffts/src/fftlib.c \
--replace 'inline void' 'static inline void'
'';
preConfigure = /* we prefer system-wide libs */ '' preConfigure = /* we prefer system-wide libs */ ''
mv lib-src lib-src-rm mv lib-src lib-src-rm
mkdir lib-src mkdir lib-src
@ -31,11 +25,11 @@ stdenv.mkDerivation rec {
rm -r lib-src-rm/ rm -r lib-src-rm/
''; '';
configureFlags = "--with-libsamplerate"; configureFlags = [ "--with-libsamplerate" ];
buildInputs = [ buildInputs = [
pkgconfig gettext wxGTK gtk expat alsaLib pkgconfig gettext wxGTK30 expat alsaLib
libsndfile soxr libid3tag libsndfile soxr libid3tag gtk
ffmpeg libmad lame libvorbis flac soundtouch ffmpeg libmad lame libvorbis flac soundtouch
]; #ToDo: detach sbsms ]; #ToDo: detach sbsms

View File

@ -53,11 +53,11 @@ assert remoteSupport -> curl != null;
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "deadbeef-${version}"; name = "deadbeef-${version}";
version = "0.7.0"; version = "0.7.2";
src = fetchurl { src = fetchurl {
url = "mirror://sourceforge/project/deadbeef/${name}.tar.bz2"; url = "mirror://sourceforge/project/deadbeef/${name}.tar.bz2";
sha256 = "0s6qip1zs83pig75pnd30ayiv1dbbj7s72px9mr31f4m0v86kaqx"; sha256 = "0rwdxxn7h94vlgblbkswyvj6pm82488v8x5nrmlrcsbzjjf2pccw";
}; };
buildInputs = with stdenv.lib; [ jansson ] buildInputs = with stdenv.lib; [ jansson ]
@ -96,10 +96,10 @@ stdenv.mkDerivation rec {
meta = with stdenv.lib; { meta = with stdenv.lib; {
description = "Ultimate Music Player for GNU/Linux"; description = "Ultimate Music Player for GNU/Linux";
homepage = http://deadbeef.sourceforge.net/; homepage = "http://deadbeef.sourceforge.net/";
license = licenses.gpl2; license = licenses.gpl2;
platforms = platforms.linux; platforms = platforms.linux;
maintainers = [ maintainers.abbradar ]; maintainers = [ maintainers.abbradar ];
repositories.git = https://github.com/Alexey-Yakovenko/deadbeef; repositories.git = "https://github.com/Alexey-Yakovenko/deadbeef";
}; };
} }

View File

@ -1,22 +1,14 @@
{ stdenv, buildEnv, deadbeef, makeWrapper, plugins }: { stdenv, symlinkJoin, deadbeef, makeWrapper, plugins }:
let symlinkJoin {
drv = buildEnv { name = "deadbeef-with-plugins-${deadbeef.version}";
name = "deadbeef-with-plugins-" + (builtins.parseDrvName deadbeef.name).version;
paths = [ deadbeef ] ++ plugins; paths = [ deadbeef ] ++ plugins;
buildInputs = [ makeWrapper ];
postBuild = '' postBuild = ''
# TODO: This could be avoided if buildEnv could be forced to create all directories
if [ -L $out/bin ]; then
rm $out/bin
mkdir $out/bin
for i in ${deadbeef}/bin/*; do
ln -s $i $out/bin
done
fi
wrapProgram $out/bin/deadbeef \ wrapProgram $out/bin/deadbeef \
--set DEADBEEF_PLUGIN_DIR "$out/lib/deadbeef" --set DEADBEEF_PLUGIN_DIR "$out/lib/deadbeef"
''; '';
}; }
in stdenv.lib.overrideDerivation drv (x : { buildInputs = x.buildInputs ++ [ makeWrapper ]; })
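Review bot: `stdenv` stays in the argument list of the new expression, but nothing references it once the `stdenv.lib.overrideDerivation` wrapper is gone; drop it from `{ stdenv, symlinkJoin, deadbeef, makeWrapper, plugins }`. The name now relies on `deadbeef.version` being exposed, which holds for the `rec` derivation in the deadbeef hunk above but is worth keeping in mind for overridden `deadbeef` packages.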

View File

@ -9,10 +9,10 @@ assert portaudioSupport -> portaudio != null;
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "fmit-${version}"; name = "fmit-${version}";
version = "1.0.8"; version = "1.0.13";
src = fetchFromGitHub { src = fetchFromGitHub {
sha256 = "04s7xcgmi5g58lirr48vf203n1jwdxf981x1p6ysbax24qwhs2kd"; sha256 = "04cj70q60sqns68nvw4zfy6078x4cc2q1y2y13z3rs5n80jw27by";
rev = "v${version}"; rev = "v${version}";
repo = "fmit"; repo = "fmit";
owner = "gillesdegottex"; owner = "gillesdegottex";

View File

@ -0,0 +1,34 @@
{ stdenv, fetchurl, makeWrapper, pkgconfig, MMA, libjack2, libsmf, python, pyGtkGlade, pygtksourceview }:
stdenv.mkDerivation rec {
version = "12.02.1";
name = "linuxband-${version}";
src = fetchurl {
url = "http://linuxband.org/assets/sources/${name}.tar.gz";
sha256 = "1r71h4yg775m4gax4irrvygmrsclgn503ykmc2qwjsxa42ri4n2n";
};
buildInputs = [ makeWrapper pkgconfig MMA libjack2 libsmf python pyGtkGlade pygtksourceview ];
patchPhase = ''
sed -i 's@/usr/@${MMA}/@g' src/main/config/linuxband.rc.in
cat src/main/config/linuxband.rc.in
'';
postFixup = ''
PYTHONPATH=$pyGtkGlade/share/:pygtksourceview/share/:$PYTHONPATH
for f in $out/bin/*; do
wrapProgram $f \
--prefix PYTHONPATH : $PYTHONPATH
done
'';
meta = {
description = "A GUI front-end for MMA: Type in the chords, choose the groove and it will play an accompaniment";
homepage = http://linuxband.org/;
license = stdenv.lib.licenses.gpl2;
maintainers = [ stdenv.lib.maintainers.magnetophon ];
platforms = stdenv.lib.platforms.linux;
};
}
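Review bot: in `postFixup`, `PYTHONPATH=$pyGtkGlade/share/:pygtksourceview/share/:$PYTHONPATH` does not do what it appears to. `$pyGtkGlade` is a shell variable, not a Nix interpolation, and the derivation sets no attribute of that name, so it expands to nothing; `pygtksourceview/share/` lacks even the `$` and is a relative path. Use `${pyGtkGlade}` and `${pygtksourceview}` so the store paths are substituted, and check that `share/` is really where the Python modules live. The `cat src/main/config/linuxband.rc.in` in `patchPhase` looks like leftover debugging and can go.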

View File

@ -4,12 +4,12 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "non-${version}"; name = "non-${version}";
version = "2016-03-06"; version = "2016-04-05";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "original-male"; owner = "original-male";
repo = "non"; repo = "non";
rev = "3946d392216ee999b560d8b7cdee7c4347110e29"; rev = "16885e69fe865495dc32d869d1454ab148b0dca6";
sha256 = "02vnq2mfimgdrmv3lmz80yif4h9a1lympv0wqc5dr2l0f8amj2fp"; sha256 = "1nwzzgcdpbqh5kjvz40yy5nmzvpp8gcr9biyhhwi68s5bsg972ss";
}; };
buildInputs = [ pkgconfig python2 cairo libjpeg ntk libjack2 libsndfile buildInputs = [ pkgconfig python2 cairo libjpeg ntk libjack2 libsndfile

Some files were not shown because too many files have changed in this diff