Merge remote-tracking branch 'upstream/master' into hardened-stdenv

2016-06-10 09:27:04 +00:00 · 2016-06-10 09:27:04 +00:00 · 8031cba2ab
commit 8031cba2ab
parent 2a5e64b69c 656c48f141
1116 changed files with 79612 additions and 24052 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -1,7 +1,14 @@
-language: python
+matrix:
-python: "3.4"
+    allow_failures:
        - os: osx
    include:
        - os: linux
          language: generic
          sudo: required
          dist: trusty
        - os: osx
          language: generic
          osx_image: xcode7.3
 before_install: ./maintainers/scripts/travis-nox-review-pr.sh nix
 install: ./maintainers/scripts/travis-nox-review-pr.sh nox
 script: ./maintainers/scripts/travis-nox-review-pr.sh build
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -11,6 +11,7 @@
  abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
  abbradar = "Nikolay Amiantov <ab@fmap.me>";
  aboseley = "Adam Boseley <adam.boseley@gmail.com>";
  abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
  adev = "Adrien Devresse <adev@adev.name>";
  Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
  adnelson = "Allen Nelson <ithinkican@gmail.com>";
@ -74,6 +75,8 @@
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  chattered = "Phil Scott <me@philscotted.com>";
  choochootrain = "Hurshal Patel <hurshal@imap.cc>";
  chris-martin = "Chris Martin <ch.martin@gmail.com>";
  chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
  christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
  cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
  cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
@ -238,6 +241,7 @@
  meisternu = "Matt Miemiec <meister@krutt.org>";
  michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
  mingchuan = "Ming Chuan <ming@culpring.com>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
  mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
--- a/lib/modules.nix
+++ b/lib/modules.nix
@ -554,12 +554,10 @@ rec {
          apply = x: use (toOf config);
        });
        config = {
        /*
          warnings =
            let opt = getAttrFromPath from options; in
            optional (warn && opt.isDefined)
              "The option `${showOption from}' defined in ${showFiles opt.files} has been renamed to `${showOption to}'.";
              */
        } // setAttrByPath to (mkAliasDefinitions (getAttrFromPath from options));
      };
--- a/lib/sources.nix
+++ b/lib/sources.nix
@ -4,6 +4,11 @@ let lib = import ./default.nix; in
 rec {
  # Returns the type of a path: regular (for file), symlink, or directory
  pathType = p: with builtins; getAttr (baseNameOf p) (readDir (dirOf p));
  # Returns true if the path exists and is a directory, false otherwise
  pathIsDirectory = p: if builtins.pathExists p then (pathType p) == "directory" else false;
  # Bring in a path as a source, filtering out all Subversion and CVS
  # directories, as well as backup files (*~).
@ -29,6 +34,7 @@ rec {
      in type == "directory" || lib.any (ext: lib.hasSuffix ext base) exts;
    in builtins.filterSource filter path;
  # Get the commit id of a git repo
  # Example: commitIdFromGitRepo <nixpkgs/.git>
  commitIdFromGitRepo =
--- a/maintainers/scripts/travis-nox-review-pr.sh
+++ b/maintainers/scripts/travis-nox-review-pr.sh
@ -13,28 +13,36 @@ if [[ $1 == nix ]]; then
    sudo mkdir /etc/nix
    sudo sh -c 'echo "build-max-jobs = 4" > /etc/nix/nix.conf'
    # Nix builds in /tmp and we need exec support
    sudo mount
    sudo mount -o remount,exec /run
    # Verify evaluation
    echo "=== Verifying that nixpkgs evaluates..."
    nix-env -f. -qa --json >/dev/null
 elif [[ $1 == nox ]]; then
    source $HOME/.nix-profile/etc/profile.d/nix.sh
    echo "=== Installing nox..."
-    git clone -q https://github.com/madjar/nox
+    nix-build -A nox '<nixpkgs>' --show-trace
    pip --quiet install -e nox
 elif [[ $1 == build ]]; then
    source $HOME/.nix-profile/etc/profile.d/nix.sh
    if [[ $TRAVIS_OS_NAME == "osx" ]]; then
        echo "Skipping NixOS things on darwin"
    else
        echo "=== Checking NixOS options"
-    nix-build nixos/release.nix -A options
+        nix-build nixos/release.nix -A options --show-trace
        echo "=== Checking tarball creation"
-    nix-build pkgs/top-level/release.nix -A tarball
+        nix-build pkgs/top-level/release.nix -A tarball --show-trace
    fi
    if [[ $TRAVIS_PULL_REQUEST == false ]]; then
        echo "=== Not a pull request"
    else
        echo "=== Checking PR"
-        if ! nox-review pr ${TRAVIS_PULL_REQUEST}; then
+        if ! nix-shell -p nox --run "nox-review pr ${TRAVIS_PULL_REQUEST}"; then
            if sudo dmesg | egrep 'Out of memory|Killed process' > /tmp/oom-log; then
                echo "=== The build failed due to running out of memory:"
                cat /tmp/oom-log
--- a/nixos/doc/manual/administration/cleaning-store.xml
+++ b/nixos/doc/manual/administration/cleaning-store.xml
@ -21,7 +21,7 @@ Alternatively, you can use a systemd unit that does the same in the
 background:
 <screen>
-$ systemctl start nix-gc.service
+# systemctl start nix-gc.service
 </screen>
 You can tell NixOS in <filename>configuration.nix</filename> to run
--- a/nixos/doc/manual/administration/container-networking.xml
+++ b/nixos/doc/manual/administration/container-networking.xml
@ -13,7 +13,7 @@ create</literal>, it gets it own private IPv4 address in the range
 address as follows:
 <screen>
-$ nixos-container show-ip foo
+# nixos-container show-ip foo
 10.233.4.2
 $ ping -c1 10.233.4.2
--- a/nixos/doc/manual/administration/imperative-containers.xml
+++ b/nixos/doc/manual/administration/imperative-containers.xml
@ -11,7 +11,7 @@
 identifier <literal>foo</literal> as follows:
 <screen>
-$ nixos-container create foo
+# nixos-container create foo
 </screen>
 This creates the container’s root directory in
@ -25,7 +25,7 @@ line. For instance, to create a container that has
 <literal>root</literal>:
 <screen>
-$ nixos-container create foo --config 'services.openssh.enable = true; \
+# nixos-container create foo --config 'services.openssh.enable = true; \
  users.extraUsers.root.openssh.authorizedKeys.keys = ["ssh-dss AAAAB3N…"];'
 </screen>
@ -35,7 +35,7 @@ $ nixos-container create foo --config 'services.openssh.enable = true; \
 run:
 <screen>
-$ nixos-container start foo
+# nixos-container start foo
 </screen>
 This command will return as soon as the container has booted and has
@ -46,7 +46,7 @@ Thus, if something went wrong, you can get status info using
 <command>systemctl</command>:
 <screen>
-$ systemctl status container@foo
+# systemctl status container@foo
 </screen>
 </para>
@ -55,7 +55,7 @@ $ systemctl status container@foo
 root using the <command>root-login</command> operation:
 <screen>
-$ nixos-container root-login foo
+# nixos-container root-login foo
 [root@foo:~]#
 </screen>
@ -65,7 +65,7 @@ authentication).  You can also get a regular login prompt using the
 the host:
 <screen>
-$ nixos-container login foo
+# nixos-container login foo
 foo login: alice
 Password: ***
 </screen>
@ -74,7 +74,7 @@ With <command>nixos-container run</command>, you can execute arbitrary
 commands in the container:
 <screen>
-$ nixos-container run foo -- uname -a
+# nixos-container run foo -- uname -a
 Linux foo 3.4.82 #1-NixOS SMP Thu Mar 20 14:44:05 UTC 2014 x86_64 GNU/Linux
 </screen>
@ -86,17 +86,17 @@ container. First, on the host, you can edit
 and run
 <screen>
-$ nixos-container update foo
+# nixos-container update foo
 </screen>
 This will build and activate the new configuration. You can also
 specify a new configuration on the command line:
 <screen>
-$ nixos-container update foo --config 'services.httpd.enable = true; \
+# nixos-container update foo --config 'services.httpd.enable = true; \
  services.httpd.adminAddr = "foo@example.org";'
-$ curl http://$(nixos-container show-ip foo)/
+# curl http://$(nixos-container show-ip foo)/
 &lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">…
 </screen>
@ -116,7 +116,7 @@ start</literal>, respectively, or by using
 destroy a container, including its file system, do
 <screen>
-$ nixos-container destroy foo
+# nixos-container destroy foo
 </screen>
 </para>
--- a/nixos/doc/manual/administration/maintenance-mode.xml
+++ b/nixos/doc/manual/administration/maintenance-mode.xml
@ -9,7 +9,7 @@
 <para>You can enter rescue mode by running:
 <screen>
-$ systemctl rescue</screen>
+# systemctl rescue</screen>
 This will eventually give you a single-user root shell.  Systemd will
 stop (almost) all system services.  To get out of maintenance mode,
--- a/nixos/doc/manual/administration/network-problems.xml
+++ b/nixos/doc/manual/administration/network-problems.xml
@ -18,14 +18,14 @@ You can disable the use of the binary cache by adding <option>--option
 use-binary-caches false</option>, e.g.
 <screen>
-$ nixos-rebuild switch --option use-binary-caches false
+# nixos-rebuild switch --option use-binary-caches false
 </screen>
 If you have an alternative binary cache at your disposal, you can use
 it instead:
 <screen>
-$ nixos-rebuild switch --option binary-caches http://my-cache.example.org/
+# nixos-rebuild switch --option binary-caches http://my-cache.example.org/
 </screen>
 </para>
--- a/nixos/doc/manual/administration/rebooting.xml
+++ b/nixos/doc/manual/administration/rebooting.xml
@ -10,7 +10,7 @@
 doing:
 <screen>
-$ shutdown
+# shutdown
 </screen>
 This is equivalent to running <command>systemctl
@ -19,7 +19,7 @@ poweroff</command>.</para>
 <para>To reboot the system, run
 <screen>
-$ reboot
+# reboot
 </screen>
 which is equivalent to <command>systemctl reboot</command>.
@ -28,7 +28,7 @@ Alternatively, you can quickly reboot the system using
 the new kernel into memory:
 <screen>
-$ systemctl kexec
+# systemctl kexec
 </screen>
 </para>
--- a/nixos/doc/manual/administration/rollback.xml
+++ b/nixos/doc/manual/administration/rollback.xml
@ -19,7 +19,7 @@ fails to boot.  After the system has booted, you can make the selected
 configuration the default for subsequent boots:
 <screen>
-$ /run/current-system/bin/switch-to-configuration boot</screen>
+# /run/current-system/bin/switch-to-configuration boot</screen>
 </para>
@ -27,12 +27,12 @@ $ /run/current-system/bin/switch-to-configuration boot</screen>
 system:
 <screen>
-$ nixos-rebuild switch --rollback</screen>
+# nixos-rebuild switch --rollback</screen>
 This is equivalent to running:
 <screen>
-$ /nix/var/nix/profiles/system-<replaceable>N</replaceable>-link/bin/switch-to-configuration switch</screen>
+# /nix/var/nix/profiles/system-<replaceable>N</replaceable>-link/bin/switch-to-configuration switch</screen>
 where <replaceable>N</replaceable> is the number of the NixOS system
 configuration.  To get a list of the available configurations, do:
--- a/nixos/doc/manual/administration/service-mgmt.xml
+++ b/nixos/doc/manual/administration/service-mgmt.xml
@ -66,9 +66,9 @@ messages from the service.
 <para>Units can be stopped, started or restarted:
 <screen>
-$ systemctl stop postgresql.service
+# systemctl stop postgresql.service
-$ systemctl start postgresql.service
+# systemctl start postgresql.service
-$ systemctl restart postgresql.service
+# systemctl restart postgresql.service
 </screen>
 These operations are synchronous: they wait until the service has
--- a/nixos/doc/manual/administration/store-corruption.xml
+++ b/nixos/doc/manual/administration/store-corruption.xml
@ -18,7 +18,7 @@ you may be able to fix it automatically.</para>
 system configuration, you can fix it by doing
 <screen>
-$ nixos-rebuild switch --repair
+# nixos-rebuild switch --repair
 </screen>
 This will cause Nix to check every path in the closure, and if its
@ -28,7 +28,7 @@ the path is rebuilt or redownloaded.</para>
 <para>You can also scan the entire Nix store for corrupt paths:
 <screen>
-$ nix-store --verify --check-contents --repair
+# nix-store --verify --check-contents --repair
 </screen>
 Any corrupt paths will be redownloaded if they’re available in a
--- a/nixos/doc/manual/administration/user-sessions.xml
+++ b/nixos/doc/manual/administration/user-sessions.xml
@ -45,7 +45,7 @@ track of this, you can terminate a session in a way that ensures that
 all the session’s processes are gone:
 <screen>
-$ loginctl terminate-session c3
+# loginctl terminate-session c3
 </screen>
 </para>
--- a/nixos/doc/manual/configuration/adding-custom-packages.xml
+++ b/nixos/doc/manual/configuration/adding-custom-packages.xml
@ -31,7 +31,7 @@ and you run <command>nixos-rebuild</command>, specifying your own
 Nixpkgs tree:
 <screen>
-$ nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs</screen>
+# nixos-rebuild switch -I nixpkgs=/path/to/my/nixpkgs</screen>
 </para>
--- a/nixos/doc/manual/configuration/linux-kernel.xml
+++ b/nixos/doc/manual/configuration/linux-kernel.xml
@ -82,7 +82,7 @@ $ nix-shell '<nixpkgs>' -A linuxPackages.kernel
 $ unpackPhase
 $ cd linux-*
 $ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules
-$ sudo insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko
+# insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko
 ]]></screen>
 </section>
--- a/nixos/doc/manual/configuration/luks-file-systems.xml
+++ b/nixos/doc/manual/configuration/luks-file-systems.xml
@ -12,7 +12,7 @@ here is how you create an encrypted Ext4 file system on the device
 <filename>/dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d</filename>:
 <screen>
-$ cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
+# cryptsetup luksFormat /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d
 WARNING!
 ========
@ -22,10 +22,10 @@ Are you sure? (Type uppercase yes): YES
 Enter LUKS passphrase: ***
 Verify passphrase: ***
-$ cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
+# cryptsetup luksOpen /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d crypted
 Enter passphrase for /dev/disk/by-uuid/3f6b0024-3a44-4fde-a43a-767b872abe5d: ***
-$ mkfs.ext4 /dev/mapper/crypted
+# mkfs.ext4 /dev/mapper/crypted
 </screen>
 To ensure that this file system is automatically mounted at boot time
--- a/nixos/doc/manual/configuration/user-mgmt.xml
+++ b/nixos/doc/manual/configuration/user-mgmt.xml
@ -63,14 +63,14 @@ commands such as <command>useradd</command>,
 account named <literal>alice</literal>:
 <screen>
-$ useradd -m alice</screen>
+# useradd -m alice</screen>
 To make all nix tools available to this new user use `su - USER` which 
 opens a login shell (==shell that loads the profile) for given user. 
 This will create the ~/.nix-defexpr symlink. So run:
 <screen>
-$ su - alice -c "true"</screen>
+# su - alice -c "true"</screen>
 The flag <option>-m</option> causes the creation of a home directory
@ -79,7 +79,7 @@ have an initial password and therefore cannot log in.  A password can
 be set using the <command>passwd</command> utility:
 <screen>
-$ passwd alice
+# passwd alice
 Enter new UNIX password: ***
 Retype new UNIX password: ***
 </screen>
@ -87,7 +87,7 @@ Retype new UNIX password: ***
 A user can be deleted using <command>userdel</command>:
 <screen>
-$ userdel -r alice</screen>
+# userdel -r alice</screen>
 The flag <option>-r</option> deletes the user’s home directory.
 Accounts can be modified using <command>usermod</command>.  Unix
--- a/nixos/doc/manual/configuration/wireless.xml
+++ b/nixos/doc/manual/configuration/wireless.xml
@ -41,13 +41,13 @@ If you are using WPA2 the <command>wpa_passphrase</command> tool might be useful
 to generate the <literal>wpa_supplicant.conf</literal>.
 <screen>
-$ wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf</screen>
+# wpa_passphrase ESSID PSK > /etc/wpa_supplicant.conf</screen>
 After you have edited the <literal>wpa_supplicant.conf</literal>,
 you need to restart the wpa_supplicant service.
 <screen>
-$ systemctl restart wpa_supplicant.service</screen>
+# systemctl restart wpa_supplicant.service</screen>
 </para>
 </section>
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@ -48,7 +48,7 @@ services.xserver.autorun = false;
 </programlisting>
 The X server can then be started manually:
 <screen>
-$ systemctl start display-manager.service
+# systemctl start display-manager.service
 </screen>
 </para>
@ -115,5 +115,14 @@ services.xserver.synaptics.twoFingerScroll = true;
 </simplesect>
 <simplesect><title>GTK/Qt themes</title>
 <para>GTK themes can be installed either to user profile or system-wide (via
 <literal>system.environmentPackages</literal>). To make Qt 5 applications look similar
 to GTK2 ones, you can install <literal>qt5.qtbase.gtk</literal> package into your
 system environment. It should work for all Qt 5 library versions.
 </para>
 </simplesect>
 </chapter>
--- a/nixos/doc/manual/development/building-nixos.xml
+++ b/nixos/doc/manual/development/building-nixos.xml
@ -25,7 +25,7 @@ $ nix-build -A config.system.build.isoImage -I nixos-config=modules/installer/cd
 suggested by the following command:
 <screen>
-$ mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
+# mount -o loop -t iso9660 ./result/iso/cd.iso /mnt/iso</screen>
 </para>
--- a/nixos/doc/manual/development/building-parts.xml
+++ b/nixos/doc/manual/development/building-parts.xml
@ -94,8 +94,8 @@ $ nix-build -A 'config.systemd.units."httpd.service".unit'
 <screen>
 $ cp $(nix-build -A 'config.systemd.units."httpd.service".unit')/httpd.service \
    /run/systemd/system/tmp-httpd.service
-$ systemctl daemon-reload
+# systemctl daemon-reload
-$ systemctl start tmp-httpd.service
+# systemctl start tmp-httpd.service
 </screen>
      Note that the unit must not have the same name as any unit in
--- a/nixos/doc/manual/development/sources.xml
+++ b/nixos/doc/manual/development/sources.xml
@ -70,7 +70,7 @@ sources, you need to tell <command>nixos-rebuild</command> about them
 using the <option>-I</option> flag:
 <screen>
-$ nixos-rebuild switch -I nixpkgs=<replaceable>/my/sources</replaceable>/nixpkgs
+# nixos-rebuild switch -I nixpkgs=<replaceable>/my/sources</replaceable>/nixpkgs
 </screen>
 </para>
--- a/nixos/doc/manual/development/testing-installer.xml
+++ b/nixos/doc/manual/development/testing-installer.xml
@ -12,14 +12,14 @@ properly:
 <screen>
 $ nix-build -A config.system.build.nixos-install
-$ mount -t tmpfs none /mnt
+# mount -t tmpfs none /mnt
-$ ./result/bin/nixos-install</screen>
+# ./result/bin/nixos-install</screen>
 To start a login shell in the new NixOS installation in
 <filename>/mnt</filename>:
 <screen>
-$ ./result/bin/nixos-install --chroot
+# ./result/bin/nixos-install --chroot
 </screen>
 </para>
--- a/nixos/doc/manual/installation/changing-config.xml
+++ b/nixos/doc/manual/installation/changing-config.xml
@ -10,7 +10,7 @@ contains the current configuration of your machine.  Whenever you’ve
 changed something to that file, you should do
 <screen>
-$ nixos-rebuild switch</screen>
+# nixos-rebuild switch</screen>
 to build the new configuration, make it the default configuration for
 booting, and try to realise the configuration in the running system
@ -23,7 +23,7 @@ either run them from a root shell or by prefixing them with
 <para>You can also do
 <screen>
-$ nixos-rebuild test</screen>
+# nixos-rebuild test</screen>
 to build the configuration and switch the running system to it, but
 without making it the boot default.  So if (say) the configuration
@ -33,7 +33,7 @@ configuration.</para>
 <para>There is also
 <screen>
-$ nixos-rebuild boot</screen>
+# nixos-rebuild boot</screen>
 to build the configuration and make it the boot default, but not
 switch to it now (so it will only take effect after the next
@ -44,7 +44,7 @@ of the GRUB 2 boot screen by giving it a different <emphasis>profile
 name</emphasis>, e.g.
 <screen>
-$ nixos-rebuild switch -p test </screen>
+# nixos-rebuild switch -p test </screen>
 which causes the new configuration (and previous ones created using
 <literal>-p test</literal>) to show up in the GRUB submenu “NixOS -
--- a/nixos/doc/manual/installation/installing-uefi.xml
+++ b/nixos/doc/manual/installation/installing-uefi.xml
@ -26,7 +26,7 @@ changes:
    <literal>vfat</literal> filesystem.</para>
  </listitem>
  <listitem>
-    <para>You must set <option>boot.loader.gummiboot.enable</option> to
+    <para>You must set <option>boot.loader.systemd-boot.enable</option> to
    <literal>true</literal>. <command>nixos-generate-config</command>
    should do this automatically for new configurations when booted in
    UEFI mode.</para>
@ -38,7 +38,7 @@ changes:
  </listitem>
  <listitem>
    <para>You may want to look at the options starting with
-    <option>boot.loader.efi</option> and <option>boot.loader.gummiboot</option>
+    <option>boot.loader.efi</option> and <option>boot.loader.systemd-boot</option>
    as well.</para>
  </listitem>
 </itemizedlist>
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@ -54,7 +54,7 @@
    changes.  For example:
 <screen>
-$ mkfs.ext4 -L nixos /dev/sda1</screen>
+# mkfs.ext4 -L nixos /dev/sda1</screen>
    </para></listitem>
@ -66,10 +66,10 @@ $ mkfs.ext4 -L nixos /dev/sda1</screen>
    <listitem><para>For creating LVM volumes, the LVM commands, e.g.,
 <screen>
-$ pvcreate /dev/sda1 /dev/sdb1
+# pvcreate /dev/sda1 /dev/sdb1
-$ vgcreate MyVolGroup /dev/sda1 /dev/sdb1
+# vgcreate MyVolGroup /dev/sda1 /dev/sdb1
-$ lvcreate --size 2G --name bigdisk MyVolGroup
+# lvcreate --size 2G --name bigdisk MyVolGroup
-$ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
+# lvcreate --size 1G --name smalldisk MyVolGroup</screen>
    </para></listitem>
@ -84,7 +84,7 @@ $ lvcreate --size 1G --name smalldisk MyVolGroup</screen>
  be installed on <filename>/mnt</filename>, e.g.
 <screen>
-$ mount /dev/disk/by-label/nixos /mnt
+# mount /dev/disk/by-label/nixos /mnt
 </screen>
  </para></listitem>
@ -113,14 +113,14 @@ $ mount /dev/disk/by-label/nixos /mnt
    generate an initial configuration file for you:
 <screen>
-$ nixos-generate-config --root /mnt</screen>
+# nixos-generate-config --root /mnt</screen>
    You should then edit
    <filename>/mnt/etc/nixos/configuration.nix</filename> to suit your
    needs:
 <screen>
-$ nano /mnt/etc/nixos/configuration.nix
+# nano /mnt/etc/nixos/configuration.nix
 </screen>
    If you’re using the graphical ISO image, other editors may be
@ -162,7 +162,7 @@ $ nano /mnt/etc/nixos/configuration.nix
  <listitem><para>Do the installation:
 <screen>
-$ nixos-install</screen>
+# nixos-install</screen>
    Cross fingers.  If this fails due to a temporary problem (such as
    a network issue while downloading binaries from the NixOS binary
@ -186,7 +186,7 @@ Retype new UNIX password: ***
  <listitem><para>If everything went well:
 <screen>
-$ reboot</screen>
+# reboot</screen>
  </para></listitem>
@ -235,15 +235,15 @@ drive (here <filename>/dev/sda</filename>).  <xref linkend="ex-config"
 <example xml:id='ex-install-sequence'><title>Commands for Installing NixOS on <filename>/dev/sda</filename></title>
 <screen>
-$ fdisk /dev/sda # <lineannotation>(or whatever device you want to install on)</lineannotation>
+# fdisk /dev/sda # <lineannotation>(or whatever device you want to install on)</lineannotation>
-$ mkfs.ext4 -L nixos /dev/sda1
+# mkfs.ext4 -L nixos /dev/sda1
-$ mkswap -L swap /dev/sda2
+# mkswap -L swap /dev/sda2
-$ swapon /dev/sda2
+# swapon /dev/sda2
-$ mount /dev/disk/by-label/nixos /mnt
+# mount /dev/disk/by-label/nixos /mnt
-$ nixos-generate-config --root /mnt
+# nixos-generate-config --root /mnt
-$ nano /mnt/etc/nixos/configuration.nix
+# nano /mnt/etc/nixos/configuration.nix
-$ nixos-install
+# nixos-install
-$ reboot</screen>
+# reboot</screen>
 </example>
 <example xml:id='ex-config'><title>NixOS Configuration</title>
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@ -60,33 +60,33 @@ the <literal>nixos-14.12</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 <screen>
-$ nix-channel --list | grep nixos
+# nix-channel --list | grep nixos
 nixos https://nixos.org/channels/nixos-unstable
 </screen>
 To switch to a different NixOS channel, do
 <screen>
-$ nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
+# nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
 </screen>
 (Be sure to include the <literal>nixos</literal> parameter at the
 end.)  For instance, to use the NixOS 14.12 stable channel:
 <screen>
-$ nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
+# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
 </screen>
 If you have a server, you may want to use the “small” channel instead:
 <screen>
-$ nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
 </screen>
 And if you want to live on the bleeding edge:
 <screen>
-$ nix-channel --add https://nixos.org/channels/nixos-unstable nixos
+# nix-channel --add https://nixos.org/channels/nixos-unstable nixos
 </screen>
 </para>
@ -95,7 +95,7 @@ $ nix-channel --add https://nixos.org/channels/nixos-unstable nixos
 channel by running
 <screen>
-$ nixos-rebuild switch --upgrade
+# nixos-rebuild switch --upgrade
 </screen>
 which is equivalent to the more verbose <literal>nix-channel --update
--- a/nixos/doc/manual/manual.xml
+++ b/nixos/doc/manual/manual.xml
@ -26,6 +26,9 @@
    xlink:href="https://github.com/NixOS/nixpkgs/issues">NixOS’ GitHub
    issue tracker</link>.</para>
    <note><para>Commands prefixed with <literal>#</literal> have to be run as
    root, either requiring to login as root user or temporarily switching
    to it using <literal>sudo</literal> for example.</para></note>
  </preface>
  <xi:include href="installation/installation.xml" />
--- a/nixos/doc/manual/options-to-docbook.xsl
+++ b/nixos/doc/manual/options-to-docbook.xsl
@ -11,6 +11,7 @@
  <xsl:output method='xml' encoding="UTF-8" />
  <xsl:param name="revision" />
  <xsl:param name="program" />
  <xsl:template match="/expr/list">
@ -188,7 +189,7 @@
                </xsl:otherwise>
              </xsl:choose>
            </xsl:when>
-            <xsl:when test="$revision != 'local' and contains(@value, 'nixops') and contains(@value, '/nix/')">
+            <xsl:when test="$revision != 'local' and $program = 'nixops' and contains(@value, '/nix/')">
              <xsl:attribute name="xlink:href">https://github.com/NixOS/nixops/blob/<xsl:value-of select="$revision"/>/nix/<xsl:value-of select="substring-after(@value, '/nix/')"/></xsl:attribute>
            </xsl:when>
            <xsl:otherwise>
--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@ -16,6 +16,10 @@ has the following highlights: </para>
    See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
  </listitem>
  <listitem>
    <para>Xorg-server-1.18.*. If you choose <literal>"ati_unfree"</literal> driver,
    1.17.* is still used due to ABI incompatibility.</para>
  </listitem>
 </itemizedlist>
 <para>The following new services were added since the last release:</para>
--- a/nixos/modules/hardware/video/ati.nix
+++ b/nixos/modules/hardware/video/ati.nix
@ -18,6 +18,8 @@ in
  config = mkIf enabled {
    nixpkgs.config.xorg.fglrxCompat = true;
    services.xserver.drivers = singleton
      { name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; };
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -64,7 +64,7 @@ let
  # The EFI boot image.
  efiDir = pkgs.runCommand "efi-directory" {} ''
    mkdir -p $out/EFI/boot
-    cp -v ${pkgs.gummiboot}/lib/gummiboot/gummiboot${targetArch}.efi $out/EFI/boot/boot${targetArch}.efi
+    cp -v ${pkgs.systemd}/lib/systemd/boot/efi/systemd-boot${targetArch}.efi $out/EFI/boot/boot${targetArch}.efi
    mkdir -p $out/loader/entries
    echo "title NixOS Live CD" > $out/loader/entries/nixos-livecd.conf
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -518,8 +518,8 @@ if ($showHardwareConfig) {
        my $bootLoaderConfig = "";
        if (-e "/sys/firmware/efi/efivars") {
            $bootLoaderConfig = <<EOF;
-  # Use the gummiboot efi boot loader.
+  # Use the systemd-boot EFI boot loader.
-  boot.loader.gummiboot.enable = true;
+  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
 EOF
        } elsif ($virt ne "systemd-nspawn") {
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@ -104,8 +104,8 @@ in
      # changing them would not rebuild the manual
      nixosLabel   = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion);
      nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix));
-      nixosRevision      = mkIf (pathExists gitRepo) (mkDefault            gitCommitId);
+      nixosRevision      = mkIf (pathIsDirectory gitRepo) (mkDefault            gitCommitId);
-      nixosVersionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId));
+      nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
      # Note: code names must only increase in alphabetical order.
      nixosCodeName = "Flounder";
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -79,6 +79,7 @@
  ./programs/ssh.nix
  ./programs/ssmtp.nix
  ./programs/tmux.nix
  ./programs/unity3d.nix
  ./programs/venus.nix
  ./programs/wvdial.nix
  ./programs/xfs_quota.nix
@ -127,6 +128,7 @@
  ./services/continuous-integration/jenkins/default.nix
  ./services/continuous-integration/jenkins/slave.nix
  ./services/continuous-integration/jenkins/job-builder.nix
  ./services/continuous-integration/hydra/default.nix
  ./services/databases/4store-endpoint.nix
  ./services/databases/4store.nix
  ./services/databases/couchdb.nix
@ -428,6 +430,7 @@
  ./services/security/haveged.nix
  ./services/security/hologram.nix
  ./services/security/munge.nix
  ./services/security/oauth2_proxy.nix
  ./services/security/physlock.nix
  ./services/security/torify.nix
  ./services/security/tor.nix
@ -503,10 +506,10 @@
  ./system/boot/loader/grub/grub.nix
  ./system/boot/loader/grub/ipxe.nix
  ./system/boot/loader/grub/memtest.nix
  ./system/boot/loader/gummiboot/gummiboot.nix
  ./system/boot/loader/init-script/init-script.nix
  ./system/boot/loader/loader.nix
  ./system/boot/loader/raspberrypi/raspberrypi.nix
  ./system/boot/loader/systemd-boot/systemd-boot.nix
  ./system/boot/luksroot.nix
  ./system/boot/modprobe.nix
  ./system/boot/networkd.nix
--- a/nixos/modules/programs/unity3d.nix
+++ b/nixos/modules/programs/unity3d.nix
@ -0,0 +1,25 @@
 { config, lib, pkgs, ... }:
 with lib;
 let cfg = config.programs.unity3d;
 in {
  options = {
    programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
  };
  config = mkIf cfg.enable {
    security.setuidOwners = [{
      program = "unity-chrome-sandbox";
      source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
      owner = "root";
      #group = "root";
      setuid = true;
      #setgid = true;
    }];
    environment.systemPackages = [ pkgs.unity3d ];
  };
 }
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -114,6 +114,19 @@ in
        '';
      };
      preliminarySelfsigned = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Whether a preliminary self-signed certificate should be generated before
          doing ACME requests. This can be useful when certificates are required in
          a webserver, but ACME needs the webserver to make its requests.
          With preliminary self-signed certificate the webserver can be started and
          can later reload the correct ACME certificates.
        '';
      };
      certs = mkOption {
        default = { };
        type = types.loaOf types.optionSet;
@ -140,7 +153,10 @@ in
  config = mkMerge [
    (mkIf (cfg.certs != { }) {
-      systemd.services = flip mapAttrs' cfg.certs (cert: data:
+      systemd.services = let
          services = concatLists servicesLists;
          servicesLists = mapAttrsToList certToServices cfg.certs;
          certToServices = cert: data:
              let
                cpath = "${cfg.directory}/${cert}";
                rights = if data.allowKeysForGroup then "750" else "700";
@ -148,10 +164,7 @@ in
                          ++ optionals (data.email != null) [ "--email" data.email ]
                          ++ concatMap (p: [ "-f" p ]) data.plugins
                          ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
-
+                acmeService = {
        in nameValuePair
        ("acme-${cert}")
        ({
                  description = "Renew ACME Certificate for ${cert}";
                  after = [ "network.target" ];
                  serviceConfig = {
@ -186,8 +199,80 @@ in
                      ${data.postRun}
                    fi
                  '';
-        })
+
                  before = [ "acme-certificates.target" ];
                  wantedBy = [ "acme-certificates.target" ];
                };
                selfsignedService = {
                  description = "Create preliminary self-signed certificate for ${cert}";
                  preStart = ''
                      if [ ! -d '${cpath}' ]
                      then
                        mkdir -p '${cpath}'
                        chmod ${rights} '${cpath}'
                        chown '${data.user}:${data.group}' '${cpath}'
                      fi
                  '';
                  script = 
                    ''
                      # Create self-signed key
                      workdir="/run/acme-selfsigned-${cert}"
                      ${pkgs.openssl.bin}/bin/openssl genrsa -des3 -passout pass:x -out $workdir/server.pass.key 2048
                      ${pkgs.openssl.bin}/bin/openssl rsa -passin pass:x -in $workdir/server.pass.key -out $workdir/server.key
                      ${pkgs.openssl.bin}/bin/openssl req -new -key $workdir/server.key -out $workdir/server.csr \
                        -subj "/C=UK/ST=Warwickshire/L=Leamington/O=OrgName/OU=IT Department/CN=example.com"
                      ${pkgs.openssl.bin}/bin/openssl x509 -req -days 1 -in $workdir/server.csr -signkey $workdir/server.key -out $workdir/server.crt
                      # Move key to destination
                      mv $workdir/server.key ${cpath}/key.pem
                      mv $workdir/server.crt ${cpath}/fullchain.pem
                      # Clean up working directory
                      rm $workdir/server.csr
                      rm $workdir/server.pass.key
                      # Give key acme permissions
                      chmod ${rights} '${cpath}/key.pem'
                      chown '${data.user}:${data.group}' '${cpath}/key.pem'
                      chmod ${rights} '${cpath}/fullchain.pem'
                      chown '${data.user}:${data.group}' '${cpath}/fullchain.pem'
                    '';
                  serviceConfig = {
                    Type = "oneshot";
                    RuntimeDirectory = "acme-selfsigned-${cert}";
                    PermissionsStartOnly = true;
                    User = data.user;
                    Group = data.group;
                  };
                  unitConfig = {
                    # Do not create self-signed key when key already exists
                    ConditionPathExists = "!${cpath}/key.pem";
                  };
                  before = [
                    "acme-selfsigned-certificates.target"
                  ];
                  wantedBy = [
                    "acme-selfsigned-certificates.target"
                  ];
                };
              in (
                [ { name = "acme-${cert}"; value = acmeService; } ]
                ++
                (if cfg.preliminarySelfsigned
                  then [ { name = "acme-selfsigned-${cert}"; value = selfsignedService; } ]
                  else []
                )
              );
          servicesAttr = listToAttrs services;
          nginxAttr = {
            nginx = {
              after = [ "acme-selfsigned-certificates.target" ];
              wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
            };
          };
        in
          servicesAttr //
          (if config.services.nginx.enable then nginxAttr else {});
      systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
        ("acme-${cert}")
@ -200,6 +285,9 @@ in
          };
        })
      );
      systemd.targets."acme-selfsigned-certificates" = mkIf cfg.preliminarySelfsigned {};
      systemd.targets."acme-certificates" = {};
    })
    { meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@ -66,4 +66,32 @@ options for the <literal>security.acme</literal> module.</para>
 </section>
 <section><title>Using ACME certificates in Nginx</title>
 <para>In practice ACME is mostly used for retrieval and renewal of
  certificates that will be used in a webserver like Nginx. A configuration for
  Nginx that uses the certificates from ACME for
  <literal>foo.example.com</literal> will look similar to:
 </para>
 <programlisting>
 services.nginx.httpConfig = ''
  server {
    server_name foo.example.com;
    listen 443 ssl;
    ssl_certificate     ${config.security.acme.directory}/foo.example.com/fullchain.pem;
    ssl_certificate_key ${config.security.acme.directory}/foo.example.com/key.pem;
    root /var/www/foo.example.com/;
  }
 '';
 </programlisting>
 <para>Now Nginx will try to use the certificates that will be retrieved by ACME.
  ACME needs Nginx (or any other webserver) to function and Nginx needs
  the certificates to actually start. For this reason the ACME module
  automatically generates self-signed certificates that will be used by Nginx to
  start. After that Nginx is used by ACME to retrieve the actual ACME
  certificates. <literal>security.acme.preliminarySelfsigned</literal> can be
  used to control whether to generate the self-signed certificates.
 </para>
 </section>
 </chapter>
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@ -0,0 +1,418 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.hydra;
  baseDir = "/var/lib/hydra";
  hydraConf = pkgs.writeScript "hydra.conf" cfg.extraConfig;
  hydraEnv =
    { HYDRA_DBI = cfg.dbi;
      HYDRA_CONFIG = "${baseDir}/hydra.conf";
      HYDRA_DATA = "${baseDir}";
    };
  env =
    { NIX_REMOTE = "daemon";
      SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt"; # Remove in 16.03
      PGPASSFILE = "${baseDir}/pgpass";
      NIX_REMOTE_SYSTEMS = concatStringsSep ":" cfg.buildMachinesFiles;
    } // optionalAttrs (cfg.smtpHost != null) {
      EMAIL_SENDER_TRANSPORT = "SMTP";
      EMAIL_SENDER_TRANSPORT_host = cfg.smtpHost;
    } // hydraEnv // cfg.extraEnv;
  serverEnv = env //
    { HYDRA_TRACKER = cfg.tracker;
      COLUMNS = "80";
      PGPASSFILE = "${baseDir}/pgpass-www"; # grrr
    } // (optionalAttrs cfg.debugServer { DBIC_TRACE = "1"; });
  localDB = "dbi:Pg:dbname=hydra;user=hydra;";
  haveLocalDB = cfg.dbi == localDB;
 in
 {
  ###### interface
  options = {
    services.hydra = rec {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to run Hydra services.
        '';
      };
      dbi = mkOption {
        type = types.str;
        default = localDB;
        example = "dbi:Pg:dbname=hydra;host=postgres.example.org;user=foo;";
        description = ''
          The DBI string for Hydra database connection.
        '';
      };
      package = mkOption {
        type = types.path;
        default = pkgs.hydra;
        defaultText = "pkgs.hydra";
        description = "The Hydra package.";
      };
      hydraURL = mkOption {
        type = types.str;
        description = ''
          The base URL for the Hydra webserver instance. Used for links in emails.
        '';
      };
      listenHost = mkOption {
        type = types.str;
        default = "*";
        example = "localhost";
        description = ''
          The hostname or address to listen on or <literal>*</literal> to listen
          on all interfaces.
        '';
      };
      port = mkOption {
        type = types.int;
        default = 3000;
        description = ''
          TCP port the web server should listen to.
        '';
      };
      minimumDiskFree = mkOption {
        type = types.int;
        default = 0;
        description = ''
          Threshold of minimum disk space (GiB) to determine if the queue runner should run or not.
        '';
      };
      minimumDiskFreeEvaluator = mkOption {
        type = types.int;
        default = 0;
        description = ''
          Threshold of minimum disk space (GiB) to determine if the evaluator should run or not.
        '';
      };
      notificationSender = mkOption {
        type = types.str;
        description = ''
          Sender email address used for email notifications.
        '';
      };
      smtpHost = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = ["localhost"];
        description = ''
          Hostname of the SMTP server to use to send email.
        '';
      };
      tracker = mkOption {
        type = types.str;
        default = "";
        description = ''
          Piece of HTML that is included on all pages.
        '';
      };
      logo = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = ''
          Path to a file containing the logo of your Hydra instance.
        '';
      };
      debugServer = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to run the server in debug mode.";
      };
      extraConfig = mkOption {
        type = types.lines;
        description = "Extra lines for the Hydra configuration.";
      };
      extraEnv = mkOption {
        type = types.attrsOf types.str;
        default = {};
        description = "Extra environment variables for Hydra.";
      };
      gcRootsDir = mkOption {
        type = types.path;
        default = "/nix/var/nix/gcroots/hydra";
        description = "Directory that holds Hydra garbage collector roots.";
      };
      buildMachinesFiles = mkOption {
        type = types.listOf types.path;
        default = [];
        example = [ "/etc/nix/machines" "/var/lib/hydra/provisioner/machines" ];
        description = "List of files containing build machines.";
      };
      useSubstitutes = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to use binary caches for downloading store paths. Note that
          binary substitutions trigger (a potentially large number of) additional
          HTTP requests that slow down the queue monitor thread significantly.
          Also, this Hydra instance will serve those downloaded store paths to
          its users with its own signature attached as if it had built them
          itself, so don't enable this feature unless your active binary caches
          are absolute trustworthy.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    users.extraGroups.hydra = { };
    users.extraUsers.hydra =
      { description = "Hydra";
        group = "hydra";
        createHome = true;
        home = baseDir;
        useDefaultShell = true;
      };
    users.extraUsers.hydra-queue-runner =
      { description = "Hydra queue runner";
        group = "hydra";
        useDefaultShell = true;
        home = "${baseDir}/queue-runner"; # really only to keep SSH happy
      };
    users.extraUsers.hydra-www =
      { description = "Hydra web server";
        group = "hydra";
        useDefaultShell = true;
      };
    nix.trustedUsers = [ "hydra-queue-runner" ];
    services.hydra.extraConfig =
      ''
        using_frontend_proxy 1
        base_uri ${cfg.hydraURL}
        notification_sender ${cfg.notificationSender}
        max_servers 25
        ${optionalString (cfg.logo != null) ''
          hydra_logo ${cfg.logo}
        ''}
        gc_roots_dir ${cfg.gcRootsDir}
      '';
    environment.systemPackages = [ cfg.package ];
    environment.variables = hydraEnv;
    nix.extraOptions = ''
      gc-keep-outputs = true
      gc-keep-derivations = true
      # The default (`true') slows Nix down a lot since the build farm
      # has so many GC roots.
      gc-check-reachability = false
    '';
    systemd.services.hydra-init =
      { wantedBy = [ "multi-user.target" ];
        requires = optional haveLocalDB "postgresql.service";
        after = optional haveLocalDB "postgresql.service";
        environment = env;
        preStart = ''
          mkdir -p ${baseDir}
          chown hydra.hydra ${baseDir}
          chmod 0750 ${baseDir}
          ln -sf ${hydraConf} ${baseDir}/hydra.conf
          mkdir -m 0700 -p ${baseDir}/www
          chown hydra-www.hydra ${baseDir}/www
          mkdir -m 0700 -p ${baseDir}/queue-runner
          mkdir -m 0750 -p ${baseDir}/build-logs
          chown hydra-queue-runner.hydra ${baseDir}/queue-runner ${baseDir}/build-logs
          ${optionalString haveLocalDB ''
            if ! [ -e ${baseDir}/.db-created ]; then
              ${config.services.postgresql.package}/bin/createuser hydra
              ${config.services.postgresql.package}/bin/createdb -O hydra hydra
              touch ${baseDir}/.db-created
            fi
          ''}
          if [ ! -e ${cfg.gcRootsDir} ]; then
            # Move legacy roots directory.
            if [ -e /nix/var/nix/gcroots/per-user/hydra/hydra-roots ]; then
              mv /nix/var/nix/gcroots/per-user/hydra/hydra-roots ${cfg.gcRootsDir}
            fi
            mkdir -p ${cfg.gcRootsDir}
          fi
          # Move legacy hydra-www roots.
          if [ -e /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots ]; then
            find /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots/ -type f \
              | xargs -r mv -f -t ${cfg.gcRootsDir}/
            rmdir /nix/var/nix/gcroots/per-user/hydra-www/hydra-roots
          fi
          chown hydra.hydra ${cfg.gcRootsDir}
          chmod 2775 ${cfg.gcRootsDir}
        '';
        serviceConfig.ExecStart = "${cfg.package}/bin/hydra-init";
        serviceConfig.PermissionsStartOnly = true;
        serviceConfig.User = "hydra";
        serviceConfig.Type = "oneshot";
        serviceConfig.RemainAfterExit = true;
      };
    systemd.services.hydra-server =
      { wantedBy = [ "multi-user.target" ];
        requires = [ "hydra-init.service" ];
        after = [ "hydra-init.service" ];
        environment = serverEnv;
        serviceConfig =
          { ExecStart =
              "@${cfg.package}/bin/hydra-server hydra-server -f -h '${cfg.listenHost}' "
              + "-p ${toString cfg.port} --max_spare_servers 5 --max_servers 25 "
              + "--max_requests 100 ${optionalString cfg.debugServer "-d"}";
            User = "hydra-www";
            PermissionsStartOnly = true;
            Restart = "always";
          };
      };
    systemd.services.hydra-queue-runner =
      { wantedBy = [ "multi-user.target" ];
        requires = [ "hydra-init.service" ];
        after = [ "hydra-init.service" "network.target" ];
        path = [ cfg.package pkgs.nettools pkgs.openssh pkgs.bzip2 config.nix.package ];
        environment = env // {
          PGPASSFILE = "${baseDir}/pgpass-queue-runner"; # grrr
          IN_SYSTEMD = "1"; # to get log severity levels
        };
        serviceConfig =
          { ExecStart = "@${cfg.package}/bin/hydra-queue-runner hydra-queue-runner -v --option build-use-substitutes ${if cfg.useSubstitutes then "true" else "false"}";
            ExecStopPost = "${cfg.package}/bin/hydra-queue-runner --unlock";
            User = "hydra-queue-runner";
            Restart = "always";
            # Ensure we can get core dumps.
            LimitCORE = "infinity";
            WorkingDirectory = "${baseDir}/queue-runner";
          };
      };
    systemd.services.hydra-evaluator =
      { wantedBy = [ "multi-user.target" ];
        requires = [ "hydra-init.service" ];
        after = [ "hydra-init.service" "network.target" ];
        path = [ pkgs.nettools ];
        environment = env;
        serviceConfig =
          { ExecStart = "@${cfg.package}/bin/hydra-evaluator hydra-evaluator";
            User = "hydra";
            Restart = "always";
            WorkingDirectory = baseDir;
          };
      };
    systemd.services.hydra-update-gc-roots =
      { requires = [ "hydra-init.service" ];
        after = [ "hydra-init.service" ];
        environment = env;
        serviceConfig =
          { ExecStart = "@${cfg.package}/bin/hydra-update-gc-roots hydra-update-gc-roots";
            User = "hydra";
          };
        startAt = "2,14:15";
      };
    systemd.services.hydra-send-stats =
      { wantedBy = [ "multi-user.target" ];
        after = [ "hydra-init.service" ];
        environment = env;
        serviceConfig =
          { ExecStart = "@${cfg.package}/bin/hydra-send-stats hydra-send-stats";
            User = "hydra";
          };
      };
    # If there is less than a certain amount of free disk space, stop
    # the queue/evaluator to prevent builds from failing or aborting.
    systemd.services.hydra-check-space =
      { script =
          ''
            if [ $(($(stat -f -c '%a' /nix/store) * $(stat -f -c '%S' /nix/store))) -lt $((${toString cfg.minimumDiskFree} * 1024**3)) ]; then
                echo "stopping Hydra queue runner due to lack of free space..."
                systemctl stop hydra-queue-runner
            fi
            if [ $(($(stat -f -c '%a' /nix/store) * $(stat -f -c '%S' /nix/store))) -lt $((${toString cfg.minimumDiskFreeEvaluator} * 1024**3)) ]; then
                echo "stopping Hydra evaluator due to lack of free space..."
                systemctl stop hydra-evaluator
            fi
          '';
        startAt = "*:0/5";
      };
    # Periodically compress build logs. The queue runner compresses
    # logs automatically after a step finishes, but this doesn't work
    # if the queue runner is stopped prematurely.
    systemd.services.hydra-compress-logs =
      { path = [ pkgs.bzip2 ];
        script =
          ''
            find /var/lib/hydra/build-logs -type f -name "*.drv" -mtime +3 -size +0c | xargs -r bzip2 -v -f
          '';
        startAt = "Sun 01:45";
      };
    services.postgresql.enable = mkIf haveLocalDB true;
    services.postgresql.identMap = optionalString haveLocalDB
      ''
        hydra-users hydra hydra
        hydra-users hydra-queue-runner hydra
        hydra-users hydra-www hydra
        hydra-users root hydra
      '';
    services.postgresql.authentication = optionalString haveLocalDB
      ''
        local hydra all ident map=hydra-users
      '';
  };
 }
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@ -52,11 +52,12 @@ in
        description = "
          sldapd.conf configuration
        ";
-        example = ''
+        example = literalExample ''
-            include ''${pkgs.openldap}/etc/openldap/schema/core.schema
+            '''
-            include ''${pkgs.openldap}/etc/openldap/schema/cosine.schema
+            include ${pkgs.openldap.out}/etc/openldap/schema/core.schema
-            include ''${pkgs.openldap}/etc/openldap/schema/inetorgperson.schema
+            include ${pkgs.openldap.out}/etc/openldap/schema/cosine.schema
-            include ''${pkgs.openldap}/etc/openldap/schema/nis.schema
+            include ${pkgs.openldap.out}/etc/openldap/schema/inetorgperson.schema
            include ${pkgs.openldap.out}/etc/openldap/schema/nis.schema
            database bdb 
            suffix dc=example,dc=org 
@ -64,6 +65,7 @@ in
            # NOTE: change after first start
            rootpw secret
            directory /var/db/openldap
            '''
          '';
      };
    };
--- a/nixos/modules/services/hardware/pcscd.nix
+++ b/nixos/modules/services/hardware/pcscd.nix
@ -1,28 +1,50 @@
 { config, lib, pkgs, ... }:
 let
  cfgFile = pkgs.writeText "reader.conf" "";
 in
 with lib;
-{
+let
  cfgFile = pkgs.writeText "reader.conf" config.services.pcscd.readerConfig;
  pluginEnv = pkgs.buildEnv {
    name = "pcscd-plugins";
    paths = map (p: "${p}/pcsc/drivers") config.services.pcscd.plugins;
  };
 in {
  ###### interface
  options = {
    services.pcscd = {
      enable = mkEnableOption "PCSC-Lite daemon";
-      enable = mkOption {
+      plugins = mkOption {
-        default = false;
+        type = types.listOf types.package;
-        description = "Whether to enable the PCSC-Lite daemon.";
+        default = [ pkgs.ccid ];
        defaultText = "[ pkgs.ccid ]";
        example = literalExample "[ pkgs.pcsc-cyberjack ]";
        description = "Plugin packages to be used for PCSC-Lite.";
      };
-    };
+      readerConfig = mkOption {
        type = types.lines;
        default = "";
        example = ''
          FRIENDLYNAME      "Some serial reader"
          DEVICENAME        /dev/ttyS0
          LIBPATH           /path/to/serial_reader.so
          CHANNELID         1
        '';
        description = ''
          Configuration for devices that aren't hotpluggable.
          See <citerefentry><refentrytitle>reader.conf</refentrytitle>
          <manvolnum>5</manvolnum></citerefentry> for valid options.
        '';
      };
    };
  };
  ###### implementation
@ -37,18 +59,11 @@ with lib;
    systemd.services.pcscd = {
      description = "PCSC-Lite daemon";
-      preStart = ''
+      environment.PCSCLITE_HP_DROPDIR = pluginEnv;
          mkdir -p /var/lib/pcsc
          rm -Rf /var/lib/pcsc/drivers
          ln -s ${pkgs.ccid}/pcsc/drivers /var/lib/pcsc/
      '';
      serviceConfig = {
-        Type = "forking";
+        ExecStart = "${pkgs.pcsclite}/sbin/pcscd -f -x -c ${cfgFile}";
-        ExecStart = "${pkgs.pcsclite}/sbin/pcscd --auto-exit -c ${cfgFile}";
+        ExecReload = "${pkgs.pcsclite}/sbin/pcscd -H";
        ExecReload = "${pkgs.pcsclite}/sbin/pcscd --hotplug";
      };
    };
  };
 }
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@ -89,8 +89,8 @@ in
        '';
        example = literalExample "${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
        default = pkgs.fetchurl {
-          url = "https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv";
+          url = https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv;
-          sha256 = "0lac20qhcgjxxiiz8jzcn3hkqj4ywl58hahp5n2i6vf9akfyqp7c";
+          sha256 = "171zvdqcqqvcw3zr7wl9h1wmdmk6m3h55xr4gq2z1j7a0x0ba2in";
        };
        defaultText = "pkgs.fetchurl { url = ...; sha256 = ...; }";
      };
--- a/nixos/modules/services/networking/openvpn.nix
+++ b/nixos/modules/services/networking/openvpn.nix
@ -29,21 +29,27 @@ let
        done
        ${cfg.up}
        ${optionalString cfg.updateResolvConf
           "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
      '';
      downScript = ''
        #! /bin/sh
        export PATH=${path}
        ${optionalString cfg.updateResolvConf
           "${pkgs.update-resolv-conf}/libexec/openvpn/update-resolv-conf"}
        ${cfg.down}
      '';
      configFile = pkgs.writeText "openvpn-config-${name}"
        ''
          errors-to-stderr
-          ${optionalString (cfg.up != "" || cfg.down != "") "script-security 2"}
+          ${optionalString (cfg.up != "" || cfg.down != "" || cfg.updateResolvConf) "script-security 2"}
          ${cfg.config}
-          ${optionalString (cfg.up != "") "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
+          ${optionalString (cfg.up != "" || cfg.updateResolvConf)
-          ${optionalString (cfg.down != "") "down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
+              "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
          ${optionalString (cfg.down != "" || cfg.updateResolvConf)
              "down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
        '';
    in {
@ -145,6 +151,16 @@ in
          description = "Whether this OpenVPN instance should be started automatically.";
        };
        updateResolvConf = mkOption {
          default = false;
          type = types.bool;
          description = ''
            Use the script from the update-resolv-conf package to automatically
            update resolv.conf with the DNS information provided by openvpn. The
            script will be run after the "up" commands and before the "down" commands.
          '';
        };
      };
    };
--- a/nixos/modules/services/security/oauth2_proxy.nix
+++ b/nixos/modules/services/security/oauth2_proxy.nix
@ -0,0 +1,523 @@
 # NixOS module for oauth2_proxy.
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.oauth2_proxy;
  # Use like:
  #   repeatedArgs (arg: "--arg=${arg}") args
  repeatedArgs = concatMapStringsSep " ";
  # 'toString' doesn't quite do what we want for bools.
  fromBool = x: if x then "true" else "false";
  # oauth2_proxy provides many options that are only relevant if you are using
  # a certain provider. This set maps from provider name to a function that
  # takes the configuration and returns a string that can be inserted into the
  # command-line to launch oauth2_proxy.
  providerSpecificOptions = {
    azure = cfg: ''
      --azure-tenant=${cfg.azure.tenant} \
      --resource=${cfg.azure.resource} \
    '';
    github = cfg: ''
      $(optionalString (!isNull cfg.github.org) "--github-org=${cfg.github.org}") \
      $(optionalString (!isNull cfg.github.team) "--github-org=${cfg.github.team}") \
    '';
    google = cfg: ''
      --google-admin-email=${cfg.google.adminEmail} \
      --google-service-account=${cfg.google.serviceAccountJSON} \
      $(repeatedArgs (group: "--google-group=${group}") cfg.google.groups) \
    '';
  };
  authenticatedEmailsFile = pkgs.writeText "authenticated-emails" cfg.email.addresses;
  getProviderOptions = cfg: provider:
    if providerSpecificOptions ? provider then providerSpecificOptions.provider cfg else "";
  mkCommandLine = cfg: ''
    --provider='${cfg.provider}' \
    ${optionalString (!isNull cfg.email.addresses) "--authenticated-emails-file='${authenticatedEmailsFile}'"} \
    --approval-prompt='${cfg.approvalPrompt}' \
    ${optionalString (cfg.passBasicAuth && !isNull cfg.basicAuthPassword) "--basic-auth-password='${cfg.basicAuthPassword}'"} \
    --client-id='${cfg.clientID}' \
    --client-secret='${cfg.clientSecret}' \
    ${optionalString (!isNull cfg.cookie.domain) "--cookie-domain='${cfg.cookie.domain}'"} \
    --cookie-expire='${cfg.cookie.expire}' \
    --cookie-httponly=${fromBool cfg.cookie.httpOnly} \
    --cookie-name='${cfg.cookie.name}' \
    --cookie-secret='${cfg.cookie.secret}' \
    --cookie-secure=${fromBool cfg.cookie.secure} \
    ${optionalString (!isNull cfg.cookie.refresh) "--cookie-refresh='${cfg.cookie.refresh}'"} \
    ${optionalString (!isNull cfg.customTemplatesDir) "--custom-templates-dir='${cfg.customTemplatesDir}'"} \
    ${repeatedArgs (x: "--email-domain='${x}'") cfg.email.domains} \
    --http-address='${cfg.httpAddress}' \
    ${optionalString (!isNull cfg.htpasswd.file) "--htpasswd-file='${cfg.htpasswd.file}' --display-htpasswd-form=${fromBool cfg.htpasswd.displayForm}"} \
    ${optionalString (!isNull cfg.loginURL) "--login-url='${cfg.loginURL}'"} \
    --pass-access-token=${fromBool cfg.passAccessToken} \
    --pass-basic-auth=${fromBool cfg.passBasicAuth} \
    --pass-host-header=${fromBool cfg.passHostHeader} \
    --proxy-prefix='${cfg.proxyPrefix}' \
    ${optionalString (!isNull cfg.profileURL) "--profile-url='${cfg.profileURL}'"} \
    ${optionalString (!isNull cfg.redeemURL) "--redeem-url='${cfg.redeemURL}'"} \
    ${optionalString (!isNull cfg.redirectURL) "--redirect-url='${cfg.redirectURL}'"} \
    --request-logging=${fromBool cfg.requestLogging} \
    ${optionalString (!isNull cfg.scope) "--scope='${cfg.scope}'"} \
    ${repeatedArgs (x: "--skip-auth-regex='${x}'") cfg.skipAuthRegexes} \
    ${optionalString (!isNull cfg.signatureKey) "--signature-key='${cfg.signatureKey}'"} \
    --upstream='${cfg.upstream}' \
    ${optionalString (!isNull cfg.validateURL) "--validate-url='${cfg.validateURL}'"} \
    ${optionalString cfg.tls.enable "--tls-cert='${cfg.tls.certificate}' --tls-key='${cfg.tls.key}' --https-address='${cfg.tls.httpsAddress}'"} \
  '' + getProviderOptions cfg cfg.provider;
 in
 {
  options.services.oauth2_proxy = {
    enable = mkEnableOption "oauth2_proxy";
    package = mkOption {
      type = types.package;
      default = pkgs.oauth2_proxy;
      defaultText = "pkgs.oauth2_proxy";
      description = ''
        The package that provides oauth2_proxy.
      '';
    };
    ##############################################
    # PROVIDER configuration
    provider = mkOption {
      type = types.enum [
        "google"
        "github"
        "azure"
        "gitlab"
        "linkedin"
        "myusa"
      ];
      default = "google";
      description = ''
        OAuth provider.
      '';
    };
    approvalPrompt = mkOption {
      type = types.enum ["force" "auto"];
      default = "force";
      description = ''
        OAuth approval_prompt.
      '';
    };
    clientID = mkOption {
      type = types.str;
      description = ''
        The OAuth Client ID.
      '';
      example = "123456.apps.googleusercontent.com";
    };
    clientSecret = mkOption {
      type = types.str;
      description = ''
        The OAuth Client Secret.
      '';
    };
    skipAuthRegexes = mkOption {
     type = types.listOf types.str;
     default = [];
     description = ''
       Skip authentication for requests matching any of these regular
       expressions.
     '';
    };
    # XXX: Not clear whether these two options are mutually exclusive or not.
    email = {
      domains = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Authenticate emails with the specified domains. Use
          <literal>*</literal> to authenticate any email.
        '';
      };
      addresses = mkOption {
        type = types.nullOr types.lines;
        default = null;
        description = ''
          Line-separated email addresses that are allowed to authenticate.
        '';
      };
    };
    loginURL = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Authentication endpoint.
        You only need to set this if you are using a self-hosted provider (e.g.
        Github Enterprise). If you're using a publicly hosted provider
        (e.g github.com), then the default works.
      '';
      example = "https://provider.example.com/oauth/authorize";
    };
    redeemURL = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Token redemption endpoint.
        You only need to set this if you are using a self-hosted provider (e.g.
        Github Enterprise). If you're using a publicly hosted provider
        (e.g github.com), then the default works.
      '';
      example = "https://provider.example.com/oauth/token";
    };
    validateURL = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Access token validation endpoint.
        You only need to set this if you are using a self-hosted provider (e.g.
        Github Enterprise). If you're using a publicly hosted provider
        (e.g github.com), then the default works.
      '';
      example = "https://provider.example.com/user/emails";
    };
    redirectURL = mkOption {
      # XXX: jml suspects this is always necessary, but the command-line
      # doesn't require it so making it optional.
      type = types.nullOr types.str;
      default = null;
      description = ''
        The OAuth2 redirect URL.
      '';
      example = "https://internalapp.yourcompany.com/oauth2/callback";
    };
    azure = {
      tenant = mkOption {
        type = types.str;
        default = "common";
        description = ''
          Go to a tenant-specific or common (tenant-independent) endpoint.
        '';
      };
      resource = mkOption {
        type = types.str;
        description = ''
          The resource that is protected.
        '';
      };
    };
    google = {
      adminEmail = mkOption {
        type = types.str;
        description = ''
          The Google Admin to impersonate for API calls.
          Only users with access to the Admin APIs can access the Admin SDK
          Directory API, thus the service account needs to impersonate one of
          those users to access the Admin SDK Directory API.
          See <link xlink:href="https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account" />.
        '';
      };
      groups = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Restrict logins to members of these Google groups.
        '';
      };
      serviceAccountJSON = mkOption {
        type = types.path;
        description = ''
          The path to the service account JSON credentials.
        '';
      };
    };
    github = {
      org = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          Restrict logins to members of this organisation.
        '';
      };
      team = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          Restrict logins to members of this team.
        '';
      };
    };
    ####################################################
    # UPSTREAM Configuration
    upstream = mkOption {
      type = types.commas;
      description = ''
        The http url(s) of the upstream endpoint or <literal>file://</literal>
        paths for static files. Routing is based on the path.
      '';
    };
    passAccessToken = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Pass OAuth access_token to upstream via X-Forwarded-Access-Token header.
      '';
    };
    passBasicAuth = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream.
      '';
    };
    basicAuthPassword = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        The password to set when passing the HTTP Basic Auth header.
      '';
    };
    passHostHeader = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Pass the request Host Header to upstream.
      '';
    };
    signatureKey = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        GAP-Signature request signature key.
      '';
      example = "sha1:secret0";
    };
    cookie = {
      domain = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          An optional cookie domain to force cookies to.
        '';
        example = ".yourcompany.com";
      };
      expire = mkOption {
        type = types.str;
        default = "168h0m0s";
        description = ''
          Expire timeframe for cookie.
        '';
      };
      httpOnly = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Set HttpOnly cookie flag.
        '';
      };
      name = mkOption {
        type = types.str;
        default = "_oauth2_proxy";
        description = ''
          The name of the cookie that the oauth_proxy creates.
        '';
      };
      refresh = mkOption {
        # XXX: Unclear what the behavior is when this is not specified.
        type = types.nullOr types.str;
        default = null;
        description = ''
          Refresh the cookie after this duration; 0 to disable.
        '';
        example = "168h0m0s";
      };
      secret = mkOption {
        type = types.str;
        description = ''
          The seed string for secure cookies.
        '';
      };
      secure = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Set secure (HTTPS) cookie flag.
        '';
      };
    };
    ####################################################
    # OAUTH2 PROXY configuration
    httpAddress = mkOption {
      type = types.str;
      default = "127.0.0.1:4180";
      description = ''
        HTTPS listening address.  This module does not expose the port by
        default. If you want this URL to be accessible to other machines, please
        add the port to <literal>networking.firewall.allowedTCPPorts</literal>.
      '';
    };
    htpasswd = {
      file = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = ''
          Additionally authenticate against a htpasswd file. Entries must be
          created with <literal>htpasswd -s</literal> for SHA encryption.
        '';
      };
      displayForm = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Display username / password login form if an htpasswd file is provided.
        '';
      };
    };
    customTemplatesDir = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to custom HTML templates.
      '';
    };
    proxyPrefix = mkOption {
      type = types.str;
      default = "/oauth2";
      description = ''
        The url root path that this proxy should be nested under.
      '';
    };
    tls = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to serve over TLS.
        '';
      };
      certificate = mkOption {
        type = types.path;
        description = ''
          Path to certificate file.
        '';
      };
      key = mkOption {
        type = types.path;
        description = ''
          Path to private key file.
        '';
      };
      httpsAddress = mkOption {
        type = types.str;
        default = ":443";
        description = ''
          <literal>addr:port</literal> to listen on for HTTPS clients.
          Remember to add <literal>port</literal> to
          <literal>allowedTCPPorts</literal> if you want other machines to be
          able to connect to it.
        '';
      };
    };
    requestLogging = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Log requests to stdout.
      '';
    };
    ####################################################
    # UNKNOWN
    # XXX: Is this mandatory? Is it part of another group? Is it part of the provider specification?
    scope = mkOption {
      # XXX: jml suspects this is always necessary, but the command-line
      # doesn't require it so making it optional.
      type = types.nullOr types.str;
      default = null;
      description = ''
        OAuth scope specification.
      '';
    };
    profileURL = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
      	Profile access endpoint.
      '';
    };
  };
  config = mkIf cfg.enable {
    users.extraUsers.oauth2_proxy = {
      description = "OAuth2 Proxy";
    };
    systemd.services.oauth2_proxy = {
      description = "OAuth2 Proxy";
      path = [ cfg.package ];
      wantedBy = [ "multi-user.target" ];
      after = [ "network-interfaces.target" ];
      serviceConfig = {
        User = "oauth2_proxy";
        Restart = "always";
        ExecStart = "${cfg.package}/bin/oauth2_proxy ${mkCommandLine cfg}";
      };
    };
  };
 }
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@ -81,7 +81,6 @@ in {
    };  
    environment.gnome3.packageSet = mkOption {
      type = types.nullOr types.package;
      default = null;
      example = literalExample "pkgs.gnome3_18";
      description = "Which GNOME 3 package set to use.";
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@ -117,6 +117,9 @@ in
      # Install activity manager if available
      ++ lib.optional (lib.hasAttr "kactivitymanagerd" kde5) kde5.kactivitymanagerd
      # frameworkintegration was split with plasma-integration in Plasma 5.6
      ++ lib.optional (lib.hasAttr "plasma-integration" kde5) kde5.plasma-integration
      # Optional hardware support features
      ++ lib.optional config.hardware.bluetooth.enable kde5.bluedevil
      ++ lib.optional config.networking.networkmanager.enable kde5.plasma-nm
@ -167,7 +170,9 @@ in
    services.xserver.displayManager.sddm = {
      theme = "breeze";
      themes = [
        kde5.extra-cmake-modules # for the setup-hook
        kde5.plasma-workspace
        kde5.breeze-icons
        (kde5.oxygen-icons or kde5.oxygen-icons5)
      ];
    };
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@ -463,7 +463,14 @@ in
          { source = "${cfg.xkbDir}";
            target = "X11/xkb";
          }
-        ]);
+        ])
      # Needed since 1.18; see https://bugs.freedesktop.org/show_bug.cgi?id=89023#c5
      ++ (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in
        [{
          source = xorg.xf86inputevdev.out + "/share" + cfgPath;
          target = cfgPath;
        }]
      );
    environment.systemPackages =
      [ xorg.xorgserver.out
@ -479,6 +486,7 @@ in
        xorg.xauth
        pkgs.xterm
        pkgs.xdg_utils
        xorg.xf86inputevdev.out # get evdev.4 man page
      ]
      ++ optional (elem "virtualbox" cfg.videoDrivers) xorg.xrefresh;
@ -538,7 +546,7 @@ in
    services.xserver.modules =
      concatLists (catAttrs "modules" cfg.drivers) ++
      [ xorg.xorgserver.out
-        xorg.xf86inputevdev
+        xorg.xf86inputevdev.out
      ];
    services.xserver.xkbDir = mkDefault "${pkgs.xkeyboard_config}/etc/X11/xkb";
--- a/nixos/modules/system/boot/loader/efi.nix
+++ b/nixos/modules/system/boot/loader/efi.nix
@ -4,19 +4,16 @@ with lib;
 {
  options.boot.loader.efi = {
    canTouchEfiVariables = mkOption {
      default = false;
      type = types.bool;
-
+      description = "Whether the installation process is allowed to modify EFI boot variables.";
      description = "Whether or not the installation process should modify efi boot variables.";
    };
    efiSysMountPoint = mkOption {
      default = "/boot";
      type = types.str;
      description = "Where the EFI System Partition is mounted.";
    };
  };
--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@ -488,7 +488,7 @@ in
        }
        {
          assertion = if args.efiSysMountPoint == null then true else hasPrefix "/" args.efiSysMountPoint;
-          message = "Efi paths must be absolute, not ${args.efiSysMountPoint}";
+          message = "EFI paths must be absolute, not ${args.efiSysMountPoint}";
        }
      ] ++ flip map args.devices (device: {
        assertion = device == "nodev" || hasPrefix "/" device;
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@ -88,16 +88,16 @@ def remove_old_entries(gens):
        if not path in known_paths:
            os.unlink(path)
-parser = argparse.ArgumentParser(description='Update NixOS-related gummiboot files')
+parser = argparse.ArgumentParser(description='Update NixOS-related systemd-boot files')
 parser.add_argument('default_config', metavar='DEFAULT-CONFIG', help='The default NixOS config to boot')
 args = parser.parse_args()
 # We deserve our own env var!
 if os.getenv("NIXOS_INSTALL_GRUB") == "1":
    if "@canTouchEfiVariables@" == "1":
-        subprocess.check_call(["@gummiboot@/bin/gummiboot", "--path=@efiSysMountPoint@", "install"])
+        subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "install"])
    else:
-        subprocess.check_call(["@gummiboot@/bin/gummiboot", "--path=@efiSysMountPoint@", "--no-variables", "install"])
+        subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "--no-variables", "install"])
 mkdir_p("@efiSysMountPoint@/efi/nixos")
 mkdir_p("@efiSysMountPoint@/loader/entries")
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@ -3,16 +3,18 @@
 with lib;
 let
-  cfg = config.boot.loader.gummiboot;
+  cfg = config.boot.loader.systemd-boot;
  efi = config.boot.loader.efi;
  gummibootBuilder = pkgs.substituteAll {
-    src = ./gummiboot-builder.py;
+    src = ./systemd-boot-builder.py;
    isExecutable = true;
-    inherit (pkgs) python gummiboot;
+    inherit (pkgs) python;
    systemd = config.systemd.package;
    nix = config.nix.package.out;
@ -21,13 +23,18 @@ let
    inherit (efi) efiSysMountPoint canTouchEfiVariables;
  };
 in {
-  options.boot.loader.gummiboot = {
+
  imports =
    [ (mkRenamedOptionModule [ "boot" "loader" "gummiboot" "enable" ] [ "boot" "loader" "systemd-boot" "enable" ])
    ];
  options.boot.loader.systemd-boot = {
    enable = mkOption {
      default = false;
      type = types.bool;
-      description = "Whether to enable the gummiboot UEFI boot manager";
+      description = "Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager";
    };
  };
@ -45,7 +52,7 @@ in {
    system = {
      build.installBootLoader = gummibootBuilder;
-      boot.loader.id = "gummiboot";
+      boot.loader.id = "systemd-boot";
      requiredKernelConfig = with config.lib.kernelConfig; [
        (isYes "EFI_STUB")
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@ -41,6 +41,8 @@ if [ ! -e /proc/1 ]; then
    mount -n -t proc proc /proc
    mkdir -m 0755 -p /dev
    mount -t devtmpfs devtmpfs /dev
    mkdir -m 0755 -p /sys
    mount -t sysfs sysfs /sys
 fi
--- a/nixos/modules/virtualisation/virtualbox-guest.nix
+++ b/nixos/modules/virtualisation/virtualbox-guest.nix
@ -77,7 +77,7 @@ in
        KERNEL=="vboxuser",  OWNER="root", GROUP="root", MODE="0666"
        # Allow systemd dependencies on vboxguest.
-        KERNEL=="vboxguest", TAG+="systemd"
+        SUBSYSTEM=="misc", KERNEL=="vboxguest", TAG+="systemd"
      '';
  };
--- a/nixos/tests/gnome3_20-gdm.nix
+++ b/nixos/tests/gnome3_20-gdm.nix
@ -0,0 +1,41 @@
 import ./make-test.nix ({ pkgs, ...} : {
  name = "gnome3-gdm";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ lethalman ];
  };
  machine =
    { config, pkgs, ... }:
    { imports = [ ./common/user-account.nix ];
      services.xserver.enable = true;
      services.xserver.displayManager.gdm = {
        enable = true;
        autoLogin = {
          enable = true;
          user = "alice";
        };
      };
      services.xserver.desktopManager.gnome3.enable = true;
      environment.gnome3.packageSet = pkgs.gnome3_20;
      virtualisation.memorySize = 512;
    };
  testScript =
    ''
      $machine->waitForX;
      $machine->sleep(15);
      # Check that logging in has given the user ownership of devices.
      $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
      $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
      $machine->succeed("xauth merge ~alice/.Xauthority");
      $machine->waitForWindow(qr/Terminal/);
      $machine->sleep(20);
      $machine->screenshot("screen");
    '';
 })
--- a/nixos/tests/gnome3_20.nix
+++ b/nixos/tests/gnome3_20.nix
@ -0,0 +1,38 @@
 import ./make-test.nix ({ pkgs, ...} : {
  name = "gnome3";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ domenkozar eelco chaoflow lethalman ];
  };
  machine =
    { config, pkgs, ... }:
    { imports = [ ./common/user-account.nix ];
      services.xserver.enable = true;
      services.xserver.displayManager.auto.enable = true;
      services.xserver.displayManager.auto.user = "alice";
      services.xserver.desktopManager.gnome3.enable = true;
      environment.gnome3.packageSet = pkgs.gnome3_20;
      virtualisation.memorySize = 512;
    };
  testScript =
    ''
      $machine->waitForX;
      $machine->sleep(15);
      # Check that logging in has given the user ownership of devices.
      $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
      $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
      $machine->succeed("xauth merge ~alice/.Xauthority");
      $machine->waitForWindow(qr/Terminal/);
      $machine->mustSucceed("timeout 900 bash -c 'journalctl -f|grep -m 1 \"GNOME Shell started\"'");
      $machine->sleep(10);
      $machine->screenshot("screen");
    '';
 })
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@ -30,8 +30,8 @@ let
          boot.loader.grub.configurationLimit = 100 + ${toString forceGrubReinstallCount};
        ''}
-        ${optionalString (bootLoader == "gummiboot") ''
+        ${optionalString (bootLoader == "systemd-boot") ''
-          boot.loader.gummiboot.enable = true;
+          boot.loader.systemd-boot.enable = true;
        ''}
        hardware.enableAllFirmware = lib.mkForce false;
@ -57,7 +57,7 @@ let
        (if system == "x86_64-linux" then "-m 768 " else "-m 512 ") +
        (optionalString (system == "x86_64-linux") "-cpu kvm64 ");
      hdFlags = ''hda => "vm-state-machine/machine.qcow2", hdaInterface => "${iface}", ''
-        + optionalString (bootLoader == "gummiboot") ''bios => "${pkgs.OVMF}/FV/OVMF.fd", '';
+        + optionalString (bootLoader == "systemd-boot") ''bios => "${pkgs.OVMF}/FV/OVMF.fd", '';
    in
    ''
      $machine->start;
@ -159,7 +159,7 @@ let
  makeInstallerTest = name:
    { createPartitions, preBootCommands ? "", extraConfig ? ""
-    , bootLoader ? "grub" # either "grub" or "gummiboot"
+    , bootLoader ? "grub" # either "grub" or "systemd-boot"
    , grubVersion ? 2, grubDevice ? "/dev/vda", grubIdentifier ? "uuid"
    , enableOCR ? false, meta ? {}
    }:
@ -195,7 +195,7 @@ let
            virtualisation.qemu.diskInterface =
              if grubVersion == 1 then "scsi" else "virtio";
-            boot.loader.gummiboot.enable = mkIf (bootLoader == "gummiboot") true;
+            boot.loader.systemd-boot.enable = mkIf (bootLoader == "systemd-boot") true;
            hardware.enableAllFirmware = mkForce false;
@ -208,7 +208,6 @@ let
                pkgs.unionfs-fuse
                pkgs.ntp
                pkgs.nixos-artwork
                pkgs.gummiboot
                pkgs.perlPackages.XMLLibXML
                pkgs.perlPackages.ListCompare
              ]
@ -250,7 +249,7 @@ in {
        '';
    };
-  # Simple GPT/UEFI configuration using Gummiboot with 3 partitions: ESP, swap & root filesystem
+  # Simple GPT/UEFI configuration using systemd-boot with 3 partitions: ESP, swap & root filesystem
  simpleUefiGummiboot = makeInstallerTest "simpleUefiGummiboot"
    { createPartitions =
        ''
@ -270,7 +269,7 @@ in {
              "mount LABEL=BOOT /mnt/boot",
          );
        '';
-        bootLoader = "gummiboot";
+        bootLoader = "systemd-boot";
    };
  # Same as the previous, but now with a separate /boot partition.
--- a/nixos/tests/sddm-kde5.nix
+++ b/nixos/tests/sddm-kde5.nix
@ -1,4 +1,6 @@
-import ./make-test.nix ({ pkgs, ...} : {
+import ./make-test.nix ({ pkgs, ...} :
 {
  name = "sddm";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ ttuegel ];
@ -6,6 +8,7 @@ import ./make-test.nix ({ pkgs, ...} : {
  machine = { lib, ... }: {
    imports = [ ./common/user-account.nix ];
    virtualisation.memorySize = 1024;
    services.xserver.enable = true;
    services.xserver.displayManager.sddm = {
      enable = true;
@ -14,18 +17,38 @@ import ./make-test.nix ({ pkgs, ...} : {
        user = "alice";
      };
    };
    services.xserver.windowManager.default = "icewm";
    services.xserver.windowManager.icewm.enable = true;
    services.xserver.desktopManager.default = "none";
    services.xserver.desktopManager.kde5.enable = true;
  };
  enableOCR = true;
-  testScript = { nodes, ... }: ''
+  testScript = { nodes, ... }:
-    startAll;
+  let xdo = "${pkgs.xdotool}/bin/xdotool"; in
-    $machine->waitForFile("/home/alice/.Xauthority");
+   ''     
    sub krunner {
      my ($win,) = @_;
      $machine->execute("${xdo} key Alt+F2 sleep 1 type $win");
      $machine->execute("${xdo} search --sync --onlyvisible --class krunner sleep 5 key Return");
    }
    $machine->waitUntilSucceeds("pgrep plasmashell");
    $machine->succeed("xauth merge ~alice/.Xauthority");    
-    $machine->waitForWindow("^IceWM ");
+    $machine->waitForWindow(qr/Desktop.*/);
    # Check that logging in has given the user ownership of devices.
    $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
    krunner("dolphin");
    $machine->waitForWindow(qr/.*Dolphin/);
    krunner("konsole");
    $machine->waitForWindow(qr/.*Konsole/);
    krunner("systemsettings5");
    $machine->waitForWindow(qr/.*Settings/);
    $machine->sleep(20);
    $machine->execute("${xdo} key Alt+F1 sleep 10");
    $machine->screenshot("screen");
  '';
 })
--- a/pkgs/applications/audio/abcde/default.nix
+++ b/pkgs/applications/audio/abcde/default.nix
@ -52,7 +52,7 @@ in
         --replace '#!/usr/bin/perl' '#!${perl}/bin/perl'
      wrapProgram "$out/bin/abcde" --prefix PATH ":" \
-        "$out/bin:${which}/bin:${libcdio}/bin:${cddiscid}/bin:${wget}/bin:${vorbis-tools}/bin:${id3v2}/bin:${eyeD3}/bin:${lame}/bin:${flac}/bin"
+        ${stdenv.lib.makeBinPath [ "$out" which libcdio cddiscid wget vorbis-tools id3v2 eyeD3 lame flac ]}
      wrapProgram "$out/bin/cddb-tool" --prefix PATH ":" \
        "${wget}/bin"
--- a/pkgs/applications/audio/ardour/ardour3.nix
+++ b/pkgs/applications/audio/ardour/ardour3.nix
@ -35,7 +35,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = git://git.ardour.org/ardour/ardour.git;
    rev = "7024232855d268633760674d34c096ce447b7240";
-    sha256 = "ede3730455c3c91b2fd612871fa7262bdacd3dff4ba77c5dfbc3c1f0de9b8a36";
+    sha256 = "0pnnx22asizin5rvf352nfv6003zarw3jd64magp10310wrfiwbq";
  };
  buildInputs = 
--- a/pkgs/applications/audio/artyFX/default.nix
+++ b/pkgs/applications/audio/artyFX/default.nix
@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/harryhaaren/openAV-ArtyFX.git";
    rev = "3a8cb9a5e4ffaf27a497a31cc9cd6f2e79622d5b";
-    sha256 = "2e3f6ab6f829c0ec177e85f4e419286616cf35fb7303445caa09d3438cac27d5";
+    sha256 = "0nsmycm64a686ysfnmdvnaazijvfj90z5wyp96kyr81nsrbcv2ij";
  };
  buildInputs = [ cairomm cmake libjack2 libpthreadstubs libXdmcp libxshmfence libsndfile lv2 ntk pkgconfig   ];
--- a/pkgs/applications/audio/distrho/default.nix
+++ b/pkgs/applications/audio/distrho/default.nix
@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/DISTRHO/DISTRHO-Ports.git";
    rev = "53458838505efef91ed069d0a7d970b6b3588eba";
-    sha256 = "0fb4dxfvvqy8lnm9c91sxwn5wbcw8grfpm52zag25vrls251aih3";
+    sha256 = "1wjzgy5yyi52fn4si2m8zrbbzqsh3p75avfx744jmxj5gpq5qa92";
  };
  patchPhase = ''
--- a/pkgs/applications/audio/faust/faust1git.nix
+++ b/pkgs/applications/audio/faust/faust1git.nix
@ -14,7 +14,7 @@ let
  src = fetchgit {
    url = "git://git.code.sf.net/p/faudiostream/code";
    rev = "931fca3e649f99ef09025d37bd6a7dc70a03e6f6";
-    sha256 = "05yam8jfdnziysvpxa5w118k5bbl103vamyqgka6vyhjjizp1nx7";
+    sha256 = "1h2qfwxqf9406v0w6kqyxlzn88zw3xmwgxg9f01n4jvd72zxll78";
  };
  meta = with stdenv.lib; {
--- a/pkgs/applications/audio/i-score/default.nix
+++ b/pkgs/applications/audio/i-score/default.nix
@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/OSSIA/i-score.git";
    rev = "ede2453b139346ae46702b5e2643c5488f8c89fb";
-    sha256 = "04li771nj0k8gym7vg6rnawjkp2f6d5m5mby26h0k6ksf7hg7h70";
+    sha256 = "0mk0zsqhx9z7ry1amjki89h6yp5ysi1qgy2j3kzhrm5sfazvf0x3";
    leaveDotGit = true;
    deepClone = true;
  };
--- a/pkgs/applications/audio/ladspa-plugins/git.nix
+++ b/pkgs/applications/audio/ladspa-plugins/git.nix
@ -7,7 +7,7 @@ stdenv.mkDerivation {
  src = fetchgit {
    url = https://github.com/swh/ladspa.git;
    rev = "4b8437e8037cace3d5bf8ce6d1d1da0182aba686";
-    sha256 = "7d9aa13a064903b330bd52e35c1f810f1c8a253ea5eb4e5a3a69a051af03150e";
+    sha256 = "1rmqm4780dhp0pj2scl3k7m8hpp1x6w6ln4wwg954zb9570rqaxx";
  };
  buildInputs = [ autoreconfHook fftw ladspaH libxml2 pkgconfig perl perlPackages.XMLParser ];
--- a/pkgs/applications/audio/lastwatch/default.nix
+++ b/pkgs/applications/audio/lastwatch/default.nix
@ -8,7 +8,7 @@ pythonPackages.buildPythonApplication rec {
  src = fetchgit {
    url = "git://github.com/aszlig/LastWatch.git";
    rev = "refs/tags/v${version}";
-    sha256 = "c43f0fd87e9f3daafc7e8676daf2e89c8e21fbabc278eb1455e28d2997587a92";
+    sha256 = "0nlng3595j5jvnikk8i5hb915zak5zsmfn2306cc4gfcns9xzjwp";
  };
  pythonPath = [
--- a/pkgs/applications/audio/morituri/default.nix
+++ b/pkgs/applications/audio/morituri/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
    url = "https://github.com/thomasvs/morituri.git";
    fetchSubmodules = true;
    rev = "135b2f7bf27721177e3aeb1d26403f1b29116599";
-    sha256 = "1ccxq1spny6xgd7nqwn13n9nqa00ay0nhflg3vbdkvbirh8fgxwq";
+    sha256 = "1sl5y5j3gdbynf2v0gf9dwd2hzawj8lm8ywadid7qm34yn8lx12k";
  };
  pythonPath = [
--- a/pkgs/applications/audio/plugin-torture/default.nix
+++ b/pkgs/applications/audio/plugin-torture/default.nix
@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/cth103/plugin-torture";
    rev = "9ee06016982bdfbaa215cd0468cc6ada6367462a";
-    sha256 = "bfe9213fd2c1451d7acc1381d63301c4e6ff69ce86d31a886ece5159ba850706";
+    sha256 = "0ynzfs3z95lbw4l1w276as2a37zxp0cw6pi3lbikr0qk0r7j5j10";
  };
  buildInputs = [ boost ladspaH lilv lv2 pkgconfig serd sord sratom ];
--- a/pkgs/applications/audio/swh-lv2/default.nix
+++ b/pkgs/applications/audio/swh-lv2/default.nix
@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/swh/lv2.git";
    rev = "978d5d8f549fd22048157a6d044af0faeaacbd7f";
-    sha256 = "3a9c042785b856623339aedafa5bc019b41beb8034d8594c7bbd6c9c26368065";
+    sha256 = "10jj8sp67caxvmzjxwyzapc34jpry5nrkkp49kyyvyk5dgkpbsjw";
  };
  patchPhase = ''
--- a/pkgs/applications/audio/zam-plugins/default.nix
+++ b/pkgs/applications/audio/zam-plugins/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    url = "https://github.com/zamaudio/zam-plugins.git";
    deepClone = true;
    rev = "91fe56931a3e57b80f18c740d2dde6b44f962aee";
-    sha256 = "1s0s028h3z3pfd4qvi63fsg6bv33bvz0p5fbmbmhypzqjlx6mlkb";
+    sha256 = "1ldrqh6nk0m1axb553wjp1gfznw8b6b3k0v0z1jdwy425sl6g07d";
  };
  buildInputs = [ boost libX11 mesa liblo libjack2 ladspaH lv2 pkgconfig rubberband libsndfile ];
--- a/pkgs/applications/backup/crashplan/default.nix
+++ b/pkgs/applications/backup/crashplan/default.nix
@ -1,15 +1,15 @@
 { stdenv, fetchurl, makeWrapper, jre, cpio, gawk, gnugrep, gnused, procps, swt, gtk2, glib, libXtst }:
 let
-  version = "4.6.0";
+  version = "4.7.0";
-  rev = "3"; #tracks unversioned changes that occur on download.code42.com from time to time
+  rev = "1"; #tracks unversioned changes that occur on download.code42.com from time to time
 in stdenv.mkDerivation rec {
  name = "crashplan-${version}-r${rev}";
  crashPlanArchive = fetchurl {
    url = "https://download.code42.com/installs/linux/install/CrashPlan/CrashPlan_${version}_Linux.tgz";
-    sha256 = "0crrx8gy132xcpjfah08qhsl8g2arx14p5mpypcihl9j6mldi6mz";
+    sha256 = "1r50fyswvqjxsdslbyibbxwz2fs8iim15hxr0k05jrzmkhjm4g5v";
  };
  srcs = [ crashPlanArchive ];
--- a/pkgs/applications/display-managers/sddm/default.nix
+++ b/pkgs/applications/display-managers/sddm/default.nix
@ -68,14 +68,19 @@ in
 stdenv.mkDerivation {
  name = "sddm-${version}";
  phases = "installPhase";
  nativeBuildInputs = [ lndir makeQtWrapper ];
  buildInputs = [ unwrapped ] ++ themes;
  themes = map (pkg: pkg.out or pkg) themes;
  inherit unwrapped;
  unpackPhase = "true";
  configurePhase = "runHook preConfigure; runHook postConfigure";
  buildPhase = "runHook preBuild; runHook postBuild";
  installPhase = ''
    runHook preInstall
    makeQtWrapper "$unwrapped/bin/sddm" "$out/bin/sddm"
    mkdir -p "$out/share/sddm"
@ -85,6 +90,8 @@ stdenv.mkDerivation {
            lndir -silent "$sddmDir" "$out/share/sddm"
        fi
    done
    runHook postInstall
  '';
  inherit (unwrapped) meta;
--- a/pkgs/applications/editors/atom/default.nix
+++ b/pkgs/applications/editors/atom/default.nix
@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
    patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
      --set-rpath "${atomEnv.libPath}" \
      $out/share/atom/resources/app/apm/bin/node
    patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
      $out/share/atom/resources/app.asar.unpacked/node_modules/symbols-view/vendor/ctags-linux
  '';
  meta = with stdenv.lib; {
--- a/pkgs/applications/editors/emacs-24/at-fdcwd.patch
+++ b/pkgs/applications/editors/emacs-24/at-fdcwd.patch
@ -1,12 +1,14 @@
 diff --git a/lib/careadlinkat.h b/lib/careadlinkat.h
-index 5cdb813..7a272e8 100644
+index 84ede3e..8e8f42e 100644
 --- a/lib/careadlinkat.h
 +++ b/lib/careadlinkat.h
-@@ -23,6 +23,8 @@
+@@ -23,6 +23,10 @@
 #include <fcntl.h>
 #include <unistd.h>
 +#ifndef AT_FDCWD
 +#define AT_FDCWD -2
 +#endif
 +
 struct allocator;
--- a/pkgs/applications/editors/emacs-25/at-fdcwd.patch
+++ b/pkgs/applications/editors/emacs-25/at-fdcwd.patch
@ -1,12 +1,14 @@
 diff --git a/lib/careadlinkat.h b/lib/careadlinkat.h
-index 5cdb813..7a272e8 100644
+index 84ede3e..8e8f42e 100644
 --- a/lib/careadlinkat.h
 +++ b/lib/careadlinkat.h
-@@ -23,6 +23,8 @@
+@@ -23,6 +23,10 @@
 #include <fcntl.h>
 #include <unistd.h>
 +#ifndef AT_FDCWD
 +#define AT_FDCWD -2
 +#endif
 +
 struct allocator;
--- a/pkgs/applications/editors/emacs-modes/cask/default.nix
+++ b/pkgs/applications/editors/emacs-modes/cask/default.nix
@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/cask/cask.git";
    rev = "717b64a9ba7640ec366e8573da0c01f9c4d57b0c";
-    sha256 = "0j18rzgpibisfcci6kcgjs8nlkfi1dw33dxp6ab6zaiarydwgcs5";
+    sha256 = "0bq24hac1z77g1bybwlk991dcc3pss2gjpwq0a6vvrqg5hw02lsf";
  };
  buildInputs = [ emacs python ];
--- a/pkgs/applications/editors/emacs-modes/emacs-clang-complete-async/default.nix
+++ b/pkgs/applications/editors/emacs-modes/emacs-clang-complete-async/default.nix
@ -5,7 +5,7 @@ clangStdenv.mkDerivation {
  src = fetchgit {
    url = "git://github.com/Golevka/emacs-clang-complete-async.git";
    rev = "f01488971ec8b5752780d130fb84de0c16a46f31";
-    sha256 = "1c8zqi6axbsb951azz9iqx3j52j30nd9ypv396hvids3g02cirrf";
+    sha256 = "01smjinrvx0w5z847a43fh2hyr6rrq1kaglfakbr6dcr313w89x9";
  };
  buildInputs = [ llvmPackages.llvm ];
--- a/pkgs/applications/editors/emacs-modes/gh/default.nix
+++ b/pkgs/applications/editors/emacs-modes/gh/default.nix
@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/sigma/gh.el.git";
    rev = "ef03b63d063ec22f03af449aa955c98dfad7f80e";
-    sha256 = "efa231e0091e8c7785385149dc97b2d8dc24aba65f4b0974b8ed7f62b7596ad3";
+    sha256 = "1pciq16vl5l4kvj08q4ib1jzk2bb2y1makcsyaw8k9jblqviw756";
  };
  buildInputs = [ emacs ];
--- a/pkgs/applications/editors/emacs-modes/js2/default.nix
+++ b/pkgs/applications/editors/emacs-modes/js2/default.nix
@ -6,7 +6,7 @@ stdenv.mkDerivation {
  src = fetchgit {
    url = "git://github.com/mooz/js2-mode.git";
    rev = "3abcd90ddc2f446ddf0fb874dd79ba870c26ad2d";
-    sha256 = "c0aaab4eeb8d60cfd5c382c3e30d4725e5ec492720d573e663ea69ee43aa73a8";
+    sha256 = "0sh9ax2w0ydhjjn4vnwbgy3926p7ad6h6nmsnm0a3zlldj9a4vwn";
  };
  buildInputs = [ emacs ];
--- a/pkgs/applications/editors/emacs-modes/melpa-generated.nix
+++ b/pkgs/applications/editors/emacs-modes/melpa-generated.nix
--- a/pkgs/applications/editors/emacs-modes/melpa-packages.nix
+++ b/pkgs/applications/editors/emacs-modes/melpa-packages.nix
@ -37,7 +37,7 @@ self:
    overrides = {
      ac-php = super.ac-php.override {
-        inherit (self.melpaPackages) company popup;
+        inherit (self.melpaPackages) popup;
      };
      # upstream issue: mismatched filename
--- a/pkgs/applications/editors/emacs-modes/melpa-stable-generated.nix
+++ b/pkgs/applications/editors/emacs-modes/melpa-stable-generated.nix
--- a/pkgs/applications/editors/emacs-modes/proofgeneral/HEAD.nix
+++ b/pkgs/applications/editors/emacs-modes/proofgeneral/HEAD.nix
@ -6,7 +6,7 @@ stdenv.mkDerivation (rec {
  src = fetchgit {
    url = "https://github.com/ProofGeneral/PG.git";
    rev = "16991280fb09743ae7320aef77f6a166afb907d7";
-    sha256 = "08zhfl6xbl4q7lrl7wdp72xr155k06778by0d60g28mfx59b7sqc";
+    sha256 = "1yakjxfz6a09m7lrxff04sj1717gpmhq2bsibd5f9lkp6z0w2i0q";
  };
  buildInputs = [ emacs texinfo perl which ] ++ stdenv.lib.optional enableDoc texLive;
--- a/pkgs/applications/editors/leo-editor/default.nix
+++ b/pkgs/applications/editors/leo-editor/default.nix
@ -8,7 +8,7 @@ pythonPackages.buildPythonApplication rec {
  src = fetchgit {
    url = "https://github.com/leo-editor/leo-editor";
    rev = "refs/tags/Leo-${version}-final";
-    sha256 = "3cc5259609890bbde9cfee71f4f60b959b3f5b740f7d403c99ea2d9796b4758e";
+    sha256 = "0km5mvzfpfbxxhcjr4if24qhgk2c7dsvmfinz0zrbfriip848vcp";
  };
  propagatedBuildInputs = with pythonPackages; [ pyqt4 sqlite3 ];
--- a/pkgs/applications/editors/neovim/default.nix
+++ b/pkgs/applications/editors/neovim/default.nix
@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, cmake, gettext, glib, libmsgpack, libtermkey
-, libtool, libuv, lpeg, lua, luajit, luaMessagePack, luabitop, man, ncurses
+, libtool, libuv, lua, luajit, luaPackages, man, ncurses, perl, pkgconfig
-, perl, pkgconfig, unibilium, makeWrapper, vimUtils, xsel
+, unibilium, makeWrapper, vimUtils, xsel
 , withPython ? true, pythonPackages, extraPythonPackages ? []
 , withPython3 ? true, python3Packages, extraPython3Packages ? []
@ -21,10 +21,10 @@ let
    version = "2015-11-06";
    src = fetchFromGitHub {
      sha256 = "090pyf1n5asaw1m2l9bsbdv3zd753aq1plb0w0drbc2k43ds7k3g";
      rev = "a9c7c6fd20fa35e0ad3e0e98901ca12dfca9c25c";
      repo = "libvterm";
      owner = "neovim";
      repo = "libvterm";
      rev = "a9c7c6fd20fa35e0ad3e0e98901ca12dfca9c25c";
      sha256 = "090pyf1n5asaw1m2l9bsbdv3zd753aq1plb0w0drbc2k43ds7k3g";
    };
    buildInputs = [ perl ];
@ -39,7 +39,7 @@ let
      description = "VT220/xterm/ECMA-48 terminal emulator library";
      homepage = http://www.leonerd.org.uk/code/libvterm/;
      license = licenses.mit;
-      maintainers = with maintainers; [ nckx ];
+      maintainers = with maintainers; [ nckx garbas ];
      platforms = platforms.unix;
    };
  };
@ -60,13 +60,13 @@ let
  neovim = stdenv.mkDerivation rec {
    name = "neovim-${version}";
-    version = "0.1.3";
+    version = "0.1.4";
    src = fetchFromGitHub {
      sha256 = "1bkyfxsgb7894848nphsi6shr8bvi9z6ch0zvh2df7vkkzji8chr";
      rev = "v${version}";
      repo = "neovim";
      owner = "neovim";
      repo = "neovim";
      rev = "v${version}";
      sha256 = "14c4gydkm2mz22i616190yif1k0i6d7h5hyxa1mf5cmcyqmp3kkp";
    };
    enableParallelBuilding = true;
@ -79,13 +79,15 @@ let
      # https://github.com/NixOS/nixpkgs/issues/14442
      lua
      luajit
      lpeg
      luaMessagePack
      luabitop
      libmsgpack
      ncurses
      neovimLibvterm
      unibilium
      luaPackages.lpeg
      luaPackages.mpack
      luaPackages.luabitop
    ] ++ optional withJemalloc jemalloc;
    nativeBuildInputs = [
@ -95,8 +97,12 @@ let
      pkgconfig
    ];
-    LUA_CPATH="${lpeg}/lib/lua/${lua.luaversion}/?.so;${luabitop}/lib/lua/5.2/?.so";
+    LUA_CPATH = "${luaPackages.lpeg}/lib/lua/${lua.luaversion}/?.so;${luaPackages.mpack}/lib/lua/${lua.luaversion}/?.so;${luaPackages.luabitop}/lib/lua/${lua.luaversion}/?.so";
-    LUA_PATH="${luaMessagePack}/share/lua/5.1/?.lua";
+
    configureFlags = [
      "-DCMAKE_BUILD_TYPE=RelWithDebInfo"
      "-DENABLE_JEMALLOC=ON"
    ];
    # triggers on buffer overflow bug while running tests
    hardeningDisable = [ "fortify" ];
@ -114,7 +120,7 @@ let
      install_name_tool -change libjemalloc.1.dylib \
                ${jemalloc}/lib/libjemalloc.1.dylib \
                $out/bin/nvim
-      sed -i -e "s|'xsel|'${xsel}/bin/xsel|" share/nvim/runtime/autoload/provider/clipboard.vim
+      sed -i -e "s|'xsel|'${xsel}/bin/xsel|" $out/share/nvim/runtime/autoload/provider/clipboard.vim
    '' + optionalString withPython ''
      ln -s ${pythonEnv}/bin/python $out/bin/nvim-python
    '' + optionalString withPyGUI ''
--- a/pkgs/applications/editors/vim/qvim.nix
+++ b/pkgs/applications/editors/vim/qvim.nix
@ -4,7 +4,7 @@ args@{ fetchgit, stdenv, ncurses, pkgconfig, gettext
 , libICE, ... }: with args;
 let tag = "20140827";
-    sha256 = "02adf2212872db3c5d133642d2c12fbfc28b506e4c0c42552e3d079756f63f65";
+    sha256 = "0ncgbcm23z25naicxqkblz0mcl1zar2qwgi37y5ar8q8884w9ml2";
 in
 let inherit (args.composableDerivation) composableDerivation edf; in
--- a/pkgs/applications/graphics/antimony/default.nix
+++ b/pkgs/applications/graphics/antimony/default.nix
@ -12,7 +12,7 @@ in
    src  = fetchgit {
      url         = "git://github.com/mkeeter/antimony.git";
      rev         = gitRev;
-      sha256      = "19ir3y5ipmfyygcn8mbxika4j3af6dfrv54dvhn6maz7dy8h30f4";
+      sha256      = "0azjdkbixz2pyk2yy7a0ya5xk60xgw3l2pd4pj4ijyqxx5jmh0sy";
    };
    patches = [ ./paths-fix.patch ];
--- a/pkgs/applications/graphics/feh/default.nix
+++ b/pkgs/applications/graphics/feh/default.nix
@ -1,18 +1,19 @@
 { stdenv, makeWrapper, fetchurl, xlibsWrapper, imlib2, libjpeg, libpng
-, libXinerama, curl, libexif }:
+, libXinerama, curl, libexif, perlPackages }:
 stdenv.mkDerivation rec {
-  name = "feh-2.15.2";
+  name = "feh-2.15.4";
  src = fetchurl {
    url = "http://feh.finalrewind.org/${name}.tar.bz2";
-    sha256 = "0bnfk50y2l5zkr292l4yyws1m7ibdmr398vxj7c0djh965frpj1q";
+    sha256 = "b8a9c29f37b1349228b19866f712b677e2a150837bc46be8c5d6348dd4850758";
  };
  outputs = [ "out" "doc" ];
  nativeBuildInputs = [ makeWrapper ];
-  buildInputs = [ xlibsWrapper imlib2 libjpeg libpng libXinerama curl libexif ];
+  buildInputs = [ xlibsWrapper imlib2 libjpeg libpng libXinerama curl libexif ]
    ++ stdenv.lib.optional doCheck [ perlPackages.TestCommand perlPackages.TestHarness ];
  preBuild = ''
    makeFlags="PREFIX=$out exif=1"
@ -23,6 +24,11 @@ stdenv.mkDerivation rec {
                               --add-flags '--theme=feh'
  '';
  checkPhase = ''
    PERL5LIB="${perlPackages.TestCommand}/lib/perl5/site_perl" make test
  '';
  doCheck = true;
  meta = {
    description = "A light-weight image viewer";
    homepage = https://derf.homelinux.org/projects/feh/;
--- a/pkgs/applications/graphics/inkscape/default.nix
+++ b/pkgs/applications/graphics/inkscape/default.nix
@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
    sha256 = "06ql3x732x2rlnanv0a8aharsnj91j5kplksg574090rks51z42d";
  };
  patches = [ ./deprecated-scopedptr.patch ];
  postPatch = ''
    patchShebangs share/extensions
  ''
--- a/pkgs/applications/graphics/inkscape/deprecated-scopedptr.patch
+++ b/pkgs/applications/graphics/inkscape/deprecated-scopedptr.patch
@ -0,0 +1,16 @@
 glibmm deprecated ScopedPtr
 ---
 diff -u src/ui/clipboard.cpp src/ui/clipboard.cpp
 --- a/src/ui/clipboard.cpp	2015-01-28 04:32:28.162676000 +0100
 +++ b/src/ui/clipboard.cpp	2016-04-03 09:13:12.360980533 +0200
@@ -1402,7 +1402,7 @@
         Glib::ustring target;
         if (atom_name) {
 -            target = Glib::ScopedPtr<char>(atom_name).get(); //This frees the gchar*.
 +            target = Glib::make_unique_ptr_gfree(atom_name).get(); //This frees the gchar*.
         }
         listTargets.push_back(target);
 Diff finished.  Sun Apr  3 09:13:51 2016
--- a/pkgs/applications/graphics/krita/default.nix
+++ b/pkgs/applications/graphics/krita/default.nix
@ -0,0 +1,45 @@
 { stdenv, lib, fetchgit, cmake, extra-cmake-modules, makeQtWrapper
 , karchive, kconfig, kwidgetsaddons, kcompletion, kcoreaddons
 , kguiaddons, ki18n, kitemmodels, kitemviews, kwindowsystem
 , kio, kcrash
 , boost, libraw, fftw, eigen, exiv2, lcms2, gsl, openexr
 , openjpeg, opencolorio, vc, poppler_qt5, curl, ilmbase
 }:
 stdenv.mkDerivation rec {
  name = "krita-${version}";
  version = "3.0";
  src = fetchgit {
    url = "http://phabricator.kde.org/diffusion/KRITA/krita.git";
    rev = "refs/tags/v${version}";
    sha256 = "0aas86667ncp8jz00c8qk7bm26g76l65cysh06wxr8kxbvqynrdn";
  };
  nativeBuildInputs = [ cmake extra-cmake-modules makeQtWrapper ];
  buildInputs = [
    karchive kconfig kwidgetsaddons kcompletion kcoreaddons kguiaddons
    ki18n kitemmodels kitemviews kwindowsystem kio kcrash
    boost libraw fftw eigen exiv2 lcms2 gsl openexr
    openjpeg opencolorio vc poppler_qt5 curl ilmbase
  ];
  NIX_CFLAGS_COMPILE = [ "-I${ilmbase}/include/OpenEXR" ];
  enableParallelBuilding = true;
  postInstall = ''
    for i in $out/bin/*; do
      wrapQtProgram "$i"
    done
  '';
  meta = with stdenv.lib; {
    description = "A free an open source painting application";
    homepage = "https://krita.org/";
    maintainers = with maintainers; [ abbradar ];
    platforms = platforms.linux;
    licenses = licenses.gpl2;
  };
 }
--- a/pkgs/applications/graphics/ktikz/default.nix
+++ b/pkgs/applications/graphics/ktikz/default.nix
@ -0,0 +1,78 @@
 { withKDE ? true
 , stdenv, fetchurl, gettext, poppler_qt4, qt4
 # Qt only (no KDE):
 , pkgconfig
 # With KDE
 , cmake, automoc4, kdelibs
 }:
 # Warning: You will also need a working pdflatex installation containing (at
 # least) auctex and pgf.
 assert withKDE -> kdelibs != null;
 let
  version = "0.10";
  qtikz = {
    name = "qtikz-${version}";
    conf = ''
      # installation prefix:
      #PREFIX = ""
      # install desktop file here (*nix only):
      DESKTOPDIR = ''$''${PREFIX}/share/applications
      # install mimetype here:
      MIMEDIR = ''$''${PREFIX}/share/mime/packages
      CONFIG -= debug
      CONFIG += release
      # qmake command:
      QMAKECOMMAND = qmake
      # lrelease command:
      LRELEASECOMMAND = lrelease
      # qcollectiongenerator command:
      #QCOLLECTIONGENERATORCOMMAND = qcollectiongenerator
      # TikZ documentation default file path:
      TIKZ_DOCUMENTATION_DEFAULT = ''$''${PREFIX}/share/doc/texmf/pgf/pgfmanual.pdf.gz
    '';
    patchPhase = ''
      echo "$conf" > conf.pri
    '';
    configurePhase = ''
      qmake PREFIX="$out" ./qtikz.pro
    '';
    buildInputs = [ gettext qt4 poppler_qt4 pkgconfig ];
  };
  ktikz = {
    name = "ktikz-${version}";
    buildInputs = [ kdelibs cmake qt4 automoc4 gettext poppler_qt4 ];
  };
  common = {
    inherit version;
    src = fetchurl {
      url = "http://www.hackenberger.at/ktikz/ktikz_${version}.tar.gz";
      md5 = "e8f0826cba2447250bcdcd389a71a2ac";
    };
    enableParallelBuilding = true;
    meta = with stdenv.lib; {
      description = "Editor for the TikZ language";
      license = licenses.gpl2;
      platforms = platforms.linux;
      maintainers = [ maintainers.layus ];
    };
  };
 in stdenv.mkDerivation (common // (if withKDE then ktikz else qtikz))
--- a/pkgs/applications/graphics/pinta/default.nix
+++ b/pkgs/applications/graphics/pinta/default.nix
@ -58,7 +58,7 @@ buildDotnetPackage rec {
  makeWrapperArgs = [
    ''--prefix MONO_GAC_PREFIX ':' "${gtksharp}"''
    ''--prefix LD_LIBRARY_PATH ':' "${gtksharp}/lib"''
-    ''--prefix LD_LIBRARY_PATH ':' "${gtksharp.gtk}/lib"''
+    ''--prefix LD_LIBRARY_PATH ':' "${gtksharp.gtk.out}/lib"''
  ];
  postInstall = ''
--- a/pkgs/applications/graphics/rapcad/default.nix
+++ b/pkgs/applications/graphics/rapcad/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
  src = fetchgit {
    url = "https://github.com/GilesBathgate/RapCAD.git";
    rev = "refs/tags/v${version}";
-    sha256 = "15c18jvgbwyrfhv7r35ih0gzx35vjlsbi984h1sckgh2z17hjq8l";
+    sha256 = "1i5h4sw7mdbpdbssmbjccwgidndrsc606zz4wy9pjsg2wzrabw7x";
  };
  buildInputs = [ qtbase qmakeHook cgal boost gmp mpfr flex bison dxflib readline mesa_glu ];
--- a/pkgs/applications/graphics/sane/backends/git.nix
+++ b/pkgs/applications/graphics/sane/backends/git.nix
@ -3,7 +3,7 @@
 callPackage ./generic.nix (args // {
  version = "2016-05-09";
  src = fetchgit {
-    sha256 = "5e3d647503d1231395a6782c6aa536b52b3d45585a87a0600ce0aca8b422cf82";
+    sha256 = "17y2l59vz2l0y5ya89390x6lim75p1mp8s5c2wzp9l4d5fy8j8dd";
    rev = "1e013654cc3af09f4731ab9ec8d8324d03a7de4a";
    url = "git://alioth.debian.org/git/sane/sane-backends.git";
  };
--- a/pkgs/applications/graphics/shutter/default.nix
+++ b/pkgs/applications/graphics/shutter/default.nix
@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
    wrapProgram $out/bin/shutter \
      --set PERL5LIB "${stdenv.lib.makePerlPath perlModules}" \
-      --prefix PATH : "${imagemagick}/bin" \
+      --prefix PATH : "${imagemagick.out}/bin" \
      --set GDK_PIXBUF_MODULE_FILE "$GDK_PIXBUF_MODULE_FILE"
  '';
--- a/pkgs/applications/graphics/solvespace/default.nix
+++ b/pkgs/applications/graphics/solvespace/default.nix
@ -5,7 +5,7 @@ stdenv.mkDerivation {
  name = "solvespace-2.0";
  src = fetchgit {
    url = "https://github.com/jwesthues/solvespace.git";
-    sha256 = "0sakxkmj2f0k27f67wy1xz2skpnwzg15yqrf7av97pgc5s8xb3da";
+    sha256 = "0m6zlx1kiqxkm6szdsnywwr6spnb7xjg6vqsq30nrr44cx37w861";
    rev = "e587d0e";
  };
--- a/pkgs/applications/misc/avrdudess/default.nix
+++ b/pkgs/applications/misc/avrdudess/default.nix
@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
    cat >> "$out/bin/avrdudess" << __EOF__
    #!${stdenv.shell}
-    export LD_LIBRARY_PATH="${gtk}/lib:${mono}/lib"
+    export LD_LIBRARY_PATH="${stdenv.lib.makeLibraryPath [gtk mono]}"
    # We need PATH from user env for xdg-open to find its tools, which
    # typically depend on the currently running desktop environment.
    export PATH="${avrgcclibc}/bin:${avrdude}/bin:${xdg_utils}/bin:\$PATH"
--- a/pkgs/applications/misc/calibre/default.nix
+++ b/pkgs/applications/misc/calibre/default.nix
@ -5,12 +5,12 @@
 }:
 stdenv.mkDerivation rec {
-  version = "2.57.1";
+  version = "2.58.0";
  name = "calibre-${version}";
  src = fetchurl {
    url = "http://download.calibre-ebook.com/${version}/${name}.tar.xz";
-    sha256 = "0bgkm2cf1icx73v7r6njkx31jdm3l7psnfwd9kjqc21p7ii70h11";
+    sha256 = "0npqvfjqj1vwa7nmnsyd4d30z40brydw275ldf1jankrp6dr9dyd";
  };
  inherit python;
--- a/Show More
+++ b/Show More