Merging against upstream master

.github/CONTRIBUTING.md

@@ -14,14 +14,22 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
 
 * Format the commits in the following way:
 
-  `(pkg-name | service-name): (from -> to | init at version | refactor | etc)`
+  ```
+  (pkg-name | service-name): (from -> to | init at version | refactor | etc)
+  
+  (Motivation for change. Additional information.)
+  ```
 
   Examples:
 
   * nginx: init at 2.0.1
   * firefox: 3.0 -> 3.1.1
   * hydra service: add bazBaz option
+  
+    Dual baz behavior is needed to do foo.
   * nginx service: refactor config generation
+    
+    The old config generation system used impure shell scripts and could break in specific circumstances (see #1234).
 
 * `meta.description` should:
   * Be capitalized
@@ -30,6 +38,12 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
 
 See the nixpkgs manual for more details on how to [Submit changes to nixpkgs](https://nixos.org/nixpkgs/manual/#chap-submitting-changes).
 
+## Writing good commit messages
+
+In addition to writing properly formatted commit messages, it's important to include relevant information so other developers can later understand *why* a change was made. While this information usually can be found by digging code, mailing list archives, pull request discussions or upstream changes, it may require a lot of work.
+
+For package version upgrades and such a one-line commit message is usually sufficient.
+
 ## Reviewing contributions
 
 See the nixpkgs manual for more details on how to [Review contributions](https://nixos.org/nixpkgs/manual/#sec-reviewing-contributions).

doc/coding-conventions.xml

@@ -623,7 +623,7 @@ evaluate correctly.</para>
     from bad to good:
     <itemizedlist>
       <listitem>
-        <para>Uses <literal>git://</literal> which won't be proxied.
+        <para>Bad: Uses <literal>git://</literal> which won't be proxied.
 <programlisting>
 src = fetchgit {
   url = "git://github.com/NixOS/nix.git";
@@ -634,7 +634,7 @@ src = fetchgit {
         </para>
       </listitem>
       <listitem>
-        <para>This is ok, but an archive fetch will still be faster.
+        <para>Better: This is ok, but an archive fetch will still be faster.
 <programlisting>
 src = fetchgit {
   url = "https://github.com/NixOS/nix.git";
@@ -645,7 +645,7 @@ src = fetchgit {
         </para>
       </listitem>
       <listitem>
-        <para>Fetches a snapshot archive and you get the rev you want.
+        <para>Best: Fetches a snapshot archive and you get the rev you want.
 <programlisting>
 src = fetchFromGitHub {
   owner = "NixOS";

doc/configuration.xml

@@ -2,12 +2,12 @@
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xml:id="chap-packageconfig">
 
-<title><filename>~/.nixpkgs/config.nix</filename>: global configuration</title>
+<title>Global configuration</title>
 
 <para>Nix packages can be configured to allow or deny certain options.</para>
 
 <para>To apply the configuration edit
-<filename>~/.nixpkgs/config.nix</filename> and set it like
+<filename>~/.config/nixpkgs/config.nix</filename> and set it like
 
 <programlisting>
 {
@@ -89,7 +89,7 @@ packages via <literal>packageOverrides</literal></title>
 
 <para>You can define a function called
 <varname>packageOverrides</varname> in your local
-<filename>~/.nixpkgs/config.nix</filename> to overide nix packages.  It
+<filename>~/.config/nixpkgs/config.nix</filename> to overide nix packages.  It
 must be a function that takes pkgs as an argument and return modified
 set of packages.
 

doc/cross-compilation.xml

@@ -25,7 +25,7 @@
 <!--============================================================-->
 
 <section xml:id="sec-cross-packaging">
-  <title>Packing in a cross-friendly manner</title>
+  <title>Packaging in a cross-friendly manner</title>
 
   <section>
     <title>Platform parameters</title>
@@ -105,14 +105,15 @@
       This is the most important guiding principle behind cross-compilation with Nixpkgs, and will be called the <wordasword>sliding window principle</wordasword>.
       In this manner, given the 3 platforms for one package, we can determine the three platforms for all its transitive dependencies.
     </para>
+    <para>
+      Some examples will probably make this clearer.
+      If a package is being built with a <literal>(build, host, target)</literal> platform triple of <literal>(foo, bar, bar)</literal>, then its build-time dependencies would have a triple of <literal>(foo, foo, bar)</literal>, and <emphasis>those packages'</emphasis> build-time dependencies would have triple of <literal>(foo, foo, foo)</literal>.
+      In other words, it should take two "rounds" of following build-time dependency edges before one reaches a fixed point where, by the sliding window principle, the platform triple no longer changes.
+      Indeed, this happens with cross compilation, where only rounds of native dependencies starting with the second necessarily coincide with native packages.
+    </para>
     <note><para>
       The depending package's target platform is unconstrained by the sliding window principle, which makes sense in that one can in principle build cross compilers targeting arbitrary platforms.
     </para></note>
-    <warning><para>
-      From the above, one would surmise that if a package is being built with a <literal>(build, host, target)</literal> platform triple of <literal>(foo, bar, bar)</literal>, then its build-time dependencies would have a triple of <literal>(foo, foo, bar)</literal>, and <emphasis>those packages'</emphasis> build-time dependencies would have triple of <literal>(foo, foo, foo)</literal>.
-      In other words, it should take two "rounds" of following build-time dependency edges before one reaches a fixed point where, by the sliding window principle, the platform triple no longer changes.
-      Unfortunately, at the moment, we do <emphasis>not</emphasis> implement this correctly, and after only one round of following build-time dependencies is the fixed point reached, with target incorrectly kept different than the others.
-    </para></warning>
     <para>
       How does this work in practice? Nixpkgs is now structured so that build-time dependencies are taken from from <varname>buildPackages</varname>, whereas run-time dependencies are taken from the top level attribute set.
       For example, <varname>buildPackages.gcc</varname> should be used at build time, while <varname>gcc</varname> should be used at run time.
@@ -131,9 +132,23 @@
 
 <section xml:id="sec-cross-usage">
   <title>Cross-building packages</title>
+  <note><para>
+    More information needs to moved from the old wiki, especially <link xlink:href="https://nixos.org/wiki/CrossCompiling" />, for this section.
+  </para></note>
   <para>
-    To be written.
+    Many sources (manual, wiki, etc) probably mention passing <varname>system</varname>, <varname>platform</varname>, and, optionally, <varname>crossSystem</varname> to nixpkgs:
-    This is basically unchanged so see the old wiki for now.
+    <literal>import &lt;nixpkgs&gt; { system = ..; platform = ..; crossSystem = ..; }</literal>.
+    <varname>system</varname> and <varname>platform</varname> together determine the system on which packages are built, and <varname>crossSystem</varname> specifies the platform on which packages are ultimately intended to run, if it is different.
+    This still works, but with more recent changes, one can alternatively pass <varname>localSystem</varname>, containing <varname>system</varname> and <varname>platform</varname>, for symmetry.
+  </para>
+  <para>
+    One would think that <varname>localSystem</varname> and <varname>crossSystem</varname> overlap horribly with the three <varname>*Platforms</varname> (<varname>buildPlatform</varname>, <varname>hostPlatform,</varname> and <varname>targetPlatform</varname>; see <varname>stage.nix</varname> or the manual).
+    Actually, those identifiers are purposefully not used here to draw a subtle but important distinction:
+    While the granularity of having 3 platforms is necessary to properly *build* packages, it is overkill for specifying the user's *intent* when making a build plan or package set.
+    A simple "build vs deploy" dichotomy is adequate: the sliding window principle described in the previous section shows how to interpolate between the these two "end points" to get the 3 platform triple for each bootstrapping stage.
+    That means for any package a given package set, even those not bound on the top level but only reachable via dependencies or <varname>buildPackages</varname>, the three platforms will be defined as one of <varname>localSystem</varname> or <varname>crossSystem</varname>, with the former replacing the latter as one traverses build-time dependencies.
+    A last simple difference then is <varname>crossSystem</varname> should be null when one doesn't want to cross-compile, while the <varname>*Platform</varname>s are always non-null.
+    <varname>localSystem</varname> is always non-null.
   </para>
 </section>
 

doc/default.nix

@@ -68,6 +68,10 @@ pkgs.stdenv.mkDerivation {
       inputFile = ../pkgs/development/r-modules/README.md;
       outputFile = "languages-frameworks/r.xml";
     }
+  + toDocbook {
+      inputFile = ./languages-frameworks/vim.md;
+      outputFile = "./languages-frameworks/vim.xml";
+    }
   + ''
     echo ${lib.nixpkgsVersion} > .version
 

doc/functions.xml

@@ -119,7 +119,7 @@
       evaluation-per-function application incurs a performance penalty,
       which can become a problem if many overrides are used.
       It is only intended for ad-hoc customisation, such as in
-      <filename>~/.nixpkgs/config.nix</filename>.
+      <filename>~/.config/nixpkgs/config.nix</filename>.
     </para>
     </warning>
 

doc/languages-frameworks/haskell.md

@@ -195,7 +195,7 @@ its normal core packages:
         mtl-2.2.1
 
 This function allows users to define their own development environment by means
-of an override. After adding the following snippet to `~/.nixpkgs/config.nix`,
+of an override. After adding the following snippet to `~/.config/nixpkgs/config.nix`,
 
     {
       packageOverrides = super: let self = super.pkgs; in
@@ -522,7 +522,7 @@ file with `cabal2nix`:
     $ cd ~/src/foo && cabal2nix . >default.nix
     $ cd ~/src/bar && cabal2nix . >default.nix
 
-Then edit your `~/.nixpkgs/config.nix` file to register those builds in the
+Then edit your `~/.config/nixpkgs/config.nix` file to register those builds in the
 default Haskell package set:
 
       {
@@ -554,7 +554,7 @@ Every Haskell package set takes a function called `overrides` that you can use
 to manipulate the package as much as you please. One useful application of this
 feature is to replace the default `mkDerivation` function with one that enables
 library profiling for all packages. To accomplish that, add configure the
-following snippet in your `~/.nixpkgs/config.nix` file:
+following snippet in your `~/.config/nixpkgs/config.nix` file:
 
     {
       packageOverrides = super: let self = super.pkgs; in
@@ -583,7 +583,7 @@ The first step is to generate Nix build instructions with `cabal2nix`:
 
     $ cabal2nix cabal://ghc-events-0.4.3.0 >~/.nixpkgs/ghc-events-0.4.3.0.nix
 
-Then add the override in `~/.nixpkgs/config.nix`:
+Then add the override in `~/.config/nixpkgs/config.nix`:
 
     {
       packageOverrides = super: let self = super.pkgs; in
@@ -793,6 +793,64 @@ It's important to realize, however, that most system libraries in Nix are built
 as shared libraries only, i.e. there is just no static library available that
 Cabal could link!
 
+### Building GHC with integer-simple
+
+By default GHC implements the Integer type using the
+[GNU Multiple Precision Arithmetic (GMP) library](https://gmplib.org/).
+The implementation can be found in the
+[integer-gmp](http://hackage.haskell.org/package/integer-gmp) package.
+
+A potential problem with this is that GMP is licensed under the
+[​GNU Lesser General Public License (LGPL)](http://www.gnu.org/copyleft/lesser.html),
+a kind of "copyleft" license. According to the terms of the LGPL, paragraph 5,
+you may distribute a program that is designed to be compiled and dynamically
+linked with the library under the terms of your choice (i.e., commercially) but
+if your program incorporates portions of the library, if it is linked
+statically, then your program is a "derivative"--a "work based on the
+library"--and according to paragraph 2, section c, you "must cause the whole of
+the work to be licensed" under the terms of the LGPL (including for free).
+
+The LGPL licensing for GMP is a problem for the overall licensing of binary
+programs compiled with GHC because most distributions (and builds) of GHC use
+static libraries. (Dynamic libraries are currently distributed only for OS X.)
+The LGPL licensing situation may be worse: even though
+​[The Glasgow Haskell Compiler License](https://www.haskell.org/ghc/license)
+is essentially a "free software" license (BSD3), according to
+paragraph 2 of the LGPL, GHC must be distributed under the terms of the LGPL!
+
+To work around these problems GHC can be build with a slower but LGPL-free
+alternative implemention for Integer called
+[integer-simple](http://hackage.haskell.org/package/integer-simple).
+
+To get a GHC compiler build with `integer-simple` instead of `integer-gmp` use
+the attribute: `pkgs.haskell.compiler.integer-simple."${ghcVersion}"`.
+For example:
+
+    $ nix-build -E '(import <nixpkgs> {}).pkgs.haskell.compiler.integer-simple.ghc802'
+    ...
+    $ result/bin/ghc-pkg list | grep integer
+        integer-simple-0.1.1.1
+
+The following command displays the complete list of GHC compilers build with `integer-simple`:
+
+    $ nix-env -f "<nixpkgs>" -qaP -A haskell.compiler.integer-simple
+    haskell.compiler.integer-simple.ghc7102  ghc-7.10.2
+    haskell.compiler.integer-simple.ghc7103  ghc-7.10.3
+    haskell.compiler.integer-simple.ghc722   ghc-7.2.2
+    haskell.compiler.integer-simple.ghc742   ghc-7.4.2
+    haskell.compiler.integer-simple.ghc763   ghc-7.6.3
+    haskell.compiler.integer-simple.ghc783   ghc-7.8.3
+    haskell.compiler.integer-simple.ghc784   ghc-7.8.4
+    haskell.compiler.integer-simple.ghc801   ghc-8.0.1
+    haskell.compiler.integer-simple.ghc802   ghc-8.0.2
+    haskell.compiler.integer-simple.ghcHEAD  ghc-8.1.20170106
+
+To get a package set supporting `integer-simple` use the attribute:
+`pkgs.haskell.packages.integer-simple."${ghcVersion}"`. For example
+use the following to get the `scientific` package build with `integer-simple`:
+
+    $ nix-build -A pkgs.haskell.packages.integer-simple.ghc802.scientific
+
 
 ## Other resources
 

doc/languages-frameworks/index.xml

@@ -28,6 +28,7 @@ such as Perl or Haskell.  These are described in this chapter.</para>
 <xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md  -->
 <xi:include href="ruby.xml" />
 <xi:include href="texlive.xml" />
+<xi:include href="vim.xml" />
 
 
 </chapter>

doc/languages-frameworks/python.md

@@ -781,7 +781,7 @@ If you get the following error:
     could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
     Permission denied
 
-This is a [known bug](https://bitbucket.org/pypa/setuptools/issue/130/install_data-doesnt-respect-prefix) in setuptools.
+This is a [known bug](https://github.com/pypa/setuptools/issues/130) in setuptools.
 Setuptools `install_data` does not respect `--prefix`. An example of such package using the feature is `pkgs/tools/X11/xpra/default.nix`.
 As workaround install it as an extra `preInstall` step:
 

doc/languages-frameworks/vim.md

@@ -0,0 +1,102 @@
+---
+title: User's Guide for Vim in Nixpkgs
+author: Marc Weber
+date: 2016-06-25
+---
+# User's Guide to Vim Plugins/Addons/Bundles/Scripts in Nixpkgs
+
+You'll get a vim(-your-suffix) in PATH also loading the plugins you want.
+Loading can be deferred; see examples.
+
+VAM (=vim-addon-manager) and Pathogen plugin managers are supported.
+Vundle, NeoBundle could be your turn.
+
+## dependencies by Vim plugins
+
+VAM introduced .json files supporting dependencies without versioning
+assuming that "using latest version" is ok most of the time.
+
+## HOWTO
+
+First create a vim-scripts file having one plugin name per line. Example:
+
+    "tlib"
+    {'name': 'vim-addon-sql'}
+    {'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
+
+Such vim-scripts file can be read by VAM as well like this:
+
+    call vam#Scripts(expand('~/.vim-scripts'), {})
+
+Create a default.nix file:
+
+    { nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
+    nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
+
+Create a generate.vim file:
+
+    ActivateAddons vim-addon-vim2nix
+    let vim_scripts = "vim-scripts"
+    call nix#ExportPluginsForNix({
+    \  'path_to_nixpkgs': eval('{"'.substitute(substitute(substitute($NIX_PATH, ':', ',', 'g'), '=',':', 'g'), '\([:,]\)', '"\1"',"g").'"}')["nixpkgs"],
+    \  'cache_file': '/tmp/vim2nix-cache',
+    \  'try_catch': 0,
+    \  'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
+    \ })
+
+Then run
+
+    nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
+
+You should get a Vim buffer with the nix derivations (output1) and vam.pluginDictionaries (output2).
+You can add your vim to your system's configuration file like this and start it by "vim-my":
+
+    my-vim =
+     let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
+          copy paste output1 here
+     }; in vim_configurable.customize {
+       name = "vim-my";
+
+       vimrcConfig.vam.knownPlugins = plugins; # optional
+       vimrcConfig.vam.pluginDictionaries = [
+          copy paste output2 here
+       ];
+
+       # Pathogen would be
+       # vimrcConfig.pathogen.knownPlugins = plugins; # plugins
+       # vimrcConfig.pathogen.pluginNames = ["tlib"];
+     };
+
+
+Sample output1:
+
+    "reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
+      name = "reload";
+      src = fetchgit {
+        url = "git://github.com/xolox/vim-reload";
+        rev = "0a601a668727f5b675cb1ddc19f6861f3f7ab9e1";
+        sha256 = "0vb832l9yxj919f5hfg6qj6bn9ni57gnjd3bj7zpq7d4iv2s4wdh";
+      };
+      dependencies = ["nim-misc"];
+
+    };
+    [...]
+
+Sample output2:
+
+    [
+      ''vim-addon-manager''
+      ''tlib''
+      { "name" = ''vim-addon-sql''; }
+      { "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
+    ]
+
+
+## Important repositories
+
+- [vim-pi](https://bitbucket.org/vimcommunity/vim-pi) is a plugin repository
+  from VAM plugin manager meant to be used by others as well used by
+
+- [vim2nix](http://github.com/MarcWeber/vim-addon-vim2nix) which generates the
+  .nix code
+

doc/overlays.xml

@@ -28,8 +28,8 @@ first one present is considered, and all the rest are ignored:
 
   <listitem>
 
-    <para>In the directory pointed by the environment variable
+    <para>In the directory pointed to by the Nix search path entry
-    <varname>NIXPKGS_OVERLAYS</varname>.</para>
+    <literal>&lt;nixpkgs-overlays></literal>.</para>
   </listitem>
 
   <listitem>

doc/package-notes.xml

@@ -278,7 +278,7 @@ packageOverrides = pkgs: {
 </screen>
 
     to your Nixpkgs configuration
-    (<filename>~/.nixpkgs/config.nix</filename>) and install it by
+    (<filename>~/.config/nixpkgs/config.nix</filename>) and install it by
     running <command>nix-env -f '&lt;nixpkgs&gt;' -iA
     myEclipse</command> and afterward run Eclipse as usual. It is
     possible to find out which plugins are available for installation

doc/stdenv.xml

@@ -1111,6 +1111,34 @@ functions.</para>
 <variablelist>
 
 
+  <varlistentry xml:id='fun-makeWrapper'>
+    <term><function>makeWrapper</function>
+    <replaceable>executable</replaceable>
+    <replaceable>wrapperfile</replaceable>
+    <replaceable>args</replaceable></term>
+    <listitem><para>Constructs a wrapper for a program with various
+    possible arguments. For example:
+
+<programlisting>
+# adds `FOOBAR=baz` to `$out/bin/foo`’s environment
+makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz
+
+# prefixes the binary paths of `hello` and `git`
+# Be advised that paths often should be patched in directly
+# (via string replacements or in `configurePhase`).
+makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello git ]}
+</programlisting>
+
+    There’s many more kinds of arguments, they are documented in
+    <literal>nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh</literal>.</para>
+
+    <para><literal>wrapProgram</literal> is a convenience function you probably
+    want to use most of the time.</para>
+
+    </listitem>
+  </varlistentry>
+  
+
   <varlistentry xml:id='fun-substitute'>
     <term><function>substitute</function>
     <replaceable>infile</replaceable>
@@ -1268,6 +1296,22 @@ someVar=$(stripHash $name)
 
     </para></listitem>
   </varlistentry>
+  
+
+  <varlistentry xml:id='fun-wrapProgram'>
+    <term><function>wrapProgram</function>
+    <replaceable>executable</replaceable>
+    <replaceable>makeWrapperArgs</replaceable></term>
+    <listitem><para>Convenience function for <literal>makeWrapper</literal>
+    that automatically creates a sane wrapper file
+
+    It takes all the same arguments as <literal>makeWrapper</literal>,
+    except for <literal>--argv0</literal>.</para>
+
+    <para>It cannot be applied multiple times, since it will overwrite the wrapper
+    file.</para>
+    </listitem>
+  </varlistentry>
 
 
 </variablelist>

lib/customisation.nix

@@ -15,10 +15,10 @@ rec {
      the original derivation attributes.
 
      `overrideDerivation' allows certain "ad-hoc" customisation
-     scenarios (e.g. in ~/.nixpkgs/config.nix).  For instance, if you
+     scenarios (e.g. in ~/.config/nixpkgs/config.nix).  For instance,
-     want to "patch" the derivation returned by a package function in
+     if you want to "patch" the derivation returned by a package
-     Nixpkgs to build another version than what the function itself
+     function in Nixpkgs to build another version than what the
-     provides, you can do something like this:
+     function itself provides, you can do something like this:
 
        mySed = overrideDerivation pkgs.gnused (oldAttrs: {
          name = "sed-4.2.2-pre";

lib/licenses.nix

@@ -379,6 +379,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
     fullName = "Mozilla Public License 2.0";
   };
 
+  mspl = spdx {
+    spdxId = "MS-PL";
+    fullName = "Microsoft Public License";
+  };
+
   msrla = {
     fullName  = "Microsoft Research License Agreement";
     url       = "http://research.microsoft.com/en-us/projects/pex/msr-la.txt";

lib/maintainers.nix

@@ -81,11 +81,13 @@
   c0dehero = "CodeHero <codehero@nerdpol.ch>";
   calrama = "Moritz Maxeiner <moritz@ucworks.org>";
   campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
+  canndrew = "Andrew Cann <shum@canndrew.org>";
   carlsverre = "Carl Sverre <accounts@carlsverre.com>";
   cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
   cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
   chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
   chattered = "Phil Scott <me@philscotted.com>";
+  changlinli = "Changlin Li <mail@changlinli.com>";
   choochootrain = "Hurshal Patel <hurshal@imap.cc>";
   chris-martin = "Chris Martin <ch.martin@gmail.com>";
   chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
@@ -111,6 +113,7 @@
   cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
   DamienCassou = "Damien Cassou <damien@cassou.me>";
   danbst = "Danylo Hlynskyi <abcz2.uprola@gmail.com>";
+  dancek = "Hannu Hartikainen <hannu.hartikainen@gmail.com>";
   danielfullmer = "Daniel Fullmer <danielrf12@gmail.com>";
   dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
   davidak = "David Kleuker <post@davidak.de>";
@@ -138,6 +141,7 @@
   dtzWill = "Will Dietz <nix@wdtz.org>";
   e-user = "Alexander Kahl <nixos@sodosopa.io>";
   ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
+  edanaher = "Evan Danaher <nixos@edanaher.net>";
   ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
   eduarrrd = "Eduard Bachmakov <e.bachmakov@gmail.com>";
   edwtjo = "Edward Tjörnhammar <ed@cflags.cc>";
@@ -296,6 +300,7 @@
   mdaiter = "Matthew S. Daiter <mdaiter8121@gmail.com>";
   meditans = "Carlo Nucera <meditans@gmail.com>";
   meisternu = "Matt Miemiec <meister@krutt.org>";
+  metabar = "Celine Mercier <softs@metabarcoding.org>";
   mguentner = "Maximilian Güntner <code@klandest.in>";
   mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
   michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
@@ -331,6 +336,7 @@
   Nate-Devv = "Nathan Moore <natedevv@gmail.com>";
   nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
   nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
+  ndowens = "Nathan Owens <ndowens04@gmail.com>";
   nequissimus = "Tim Steinbach <tim@nequissimus.com>";
   nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
   nhooyr = "Anmol Sethi <anmol@aubble.com>";
@@ -351,12 +357,14 @@
   olejorgenb = "Ole Jørgen Brønner <olejorgenb@yahoo.no>";
   orbekk = "KJ Ørbekk <kjetil.orbekk@gmail.com>";
   orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
+  orivej = "Orivej Desh <orivej@gmx.fr>";
   osener = "Ozan Sener <ozan@ozansener.com>";
   otwieracz = "Slawomir Gonet <slawek@otwiera.cz>";
   oxij = "Jan Malakhovski <oxij@oxij.org>";
   paholg = "Paho Lurie-Gregg <paho@paholg.com>";
   pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
   palo = "Ingolf Wanger <palipalo9@googlemail.com>";
+  paperdigits = "Mica Semrick <mica@silentumbrella.com>";
   pashev = "Igor Pashev <pashev.igor@gmail.com>";
   pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
   periklis = "theopompos@gmail.com";
@@ -414,6 +422,7 @@
   roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
   roconnor = "Russell O'Connor <roconnor@theorem.ca>";
   romildo = "José Romildo Malaquias <malaquias@gmail.com>";
+  rongcuid = "Rongcui Dong <rongcuid@outlook.com>";
   ronny = "Ronny Pfannschmidt <nixos@ronnypfannschmidt.de>";
   rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
   rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
@@ -456,6 +465,7 @@
   SShrike = "Severen Redwood <severen@shrike.me>";
   stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
   sternenseemann = "Lukas Epple <post@lukasepple.de>";
+  stesie = "Stefan Siegl <stesie@brokenpipe.de>";
   steveej = "Stefan Junker <mail@stefanjunker.de>";
   swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
   swistak35 = "Rafał Łasocha <me@swistak35.com>";
@@ -480,7 +490,7 @@
   travisbhartwell = "Travis B. Hartwell <nafai@travishartwell.net>";
   trino = "Hubert Mühlhans <muehlhans.hubert@ekodia.de>";
   tstrobel = "Thomas Strobel <4ZKTUB6TEP74PYJOPWIR013S2AV29YUBW5F9ZH2F4D5UMJUJ6S@hash.domains>";
-  ttuegel = "Thomas Tuegel <ttuegel@gmail.com>";
+  ttuegel = "Thomas Tuegel <ttuegel@mailbox.org>";
   tv = "Tomislav Viljetić <tv@shackspace.de>";
   tvestelind = "Tomas Vestelind <tomas.vestelind@fripost.org>";
   tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
@@ -495,6 +505,7 @@
   vcunat = "Vladimír Čunát <vcunat@gmail.com>";
   vdemeester = "Vincent Demeester <vincent@sbr.pm>";
   veprbl = "Dmitry Kalinkin <veprbl@gmail.com>";
+  vifino = "Adrian Pistol <vifino@tty.sh>";
   viric = "Lluís Batlle i Rossell <viric@viric.name>";
   vizanto = "Danny Wilson <danny@prime.vc>";
   vklquevs = "vklquevs <vklquevs@gmail.com>";
@@ -514,8 +525,10 @@
   womfoo = "Kranium Gikos Mendoza <kranium@gikos.net>";
   wscott = "Wayne Scott <wsc9tt@gmail.com>";
   wyvie = "Elijah Rum <elijahrum@gmail.com>";
+  xwvvvvwx = "David Terry <davidterry@posteo.de>";
   yarr = "Dmitry V. <savraz@gmail.com>";
   yochai = "Yochai <yochai@titat.info>";
+  yorickvp = "Yorick van Pelt <yorickvanpelt@gmail.com>";
   yurrriq = "Eric Bailey <eric@ericb.me>";
   z77z = "Marco Maggesi <maggesi@math.unifi.it>";
   zagy = "Christian Zagrodnick <cz@flyingcircus.io>";

lib/modules.nix

@@ -326,7 +326,7 @@ rec {
     # Type-check the remaining definitions, and merge them.
     mergedValue = foldl' (res: def:
       if type.check def.value then res
-      else throw "The option value `${showOption loc}' in `${def.file}' is not a ${type.name}.")
+      else throw "The option value `${showOption loc}' in `${def.file}' is not a ${type.description}.")
       (type.merge loc defsFinal) defsFinal;
 
     isDefined = defsFinal != [];

lib/tests/modules.sh

@@ -115,6 +115,11 @@ set -- config.enable ./declare-enable.nix ./define-enable.nix ./define-loaOfSub-
 checkConfigError 'The option .* defined in .* does not exist.' "$@"
 checkConfigOutput "true" "$@" ./define-module-check.nix
 
+# Check coerced value.
+checkConfigOutput "\"42\"" config.value ./declare-coerced-value.nix
+checkConfigOutput "\"24\"" config.value ./declare-coerced-value.nix ./define-value-string.nix
+checkConfigError 'The option value .* in .* is not a string or integer.' config.value ./declare-coerced-value.nix ./define-value-list.nix
+
 cat <<EOF
 ====== module tests ======
 $pass Pass

lib/tests/modules/declare-coerced-value.nix

@@ -0,0 +1,10 @@
+{ lib, ... }:
+
+{
+  options = {
+    value = lib.mkOption {
+      default = 42;
+      type = lib.types.coercedTo lib.types.int builtins.toString lib.types.str;
+    };
+  };
+}

lib/tests/modules/define-value-list.nix

@@ -0,0 +1,3 @@
+{
+  value = [];
+}

lib/tests/modules/define-value-string.nix

@@ -0,0 +1,3 @@
+{
+  value = "24";
+}

lib/trivial.nix

@@ -102,25 +102,7 @@ rec {
   min = x: y: if x < y then x else y;
   max = x: y: if x > y then x else y;
 
-  /* Reads a JSON file. It is useful to import pure data into other nix
+  /* Reads a JSON file. */
-     expressions.
-
-     Example:
-
-       mkDerivation {
-         src = fetchgit (importJSON ./repo.json)
-         #...
-       }
-
-       where repo.json contains:
-
-       {
-         "url": "git://some-domain/some/repo",
-         "rev": "265de7283488964f44f0257a8b4a055ad8af984d",
-         "sha256": "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"
-       }
-
-  */
   importJSON = path:
     builtins.fromJSON (builtins.readFile path);
 

lib/types.nix

@@ -352,6 +352,28 @@ rec {
       functor = (defaultFunctor name) // { wrapped = [ t1 t2 ]; };
     };
 
+    coercedTo = coercedType: coerceFunc: finalType:
+      assert coercedType.getSubModules == null;
+      mkOptionType rec {
+        name = "coercedTo";
+        description = "${finalType.description} or ${coercedType.description}";
+        check = x: finalType.check x || coercedType.check x;
+        merge = loc: defs:
+          let
+            coerceVal = val:
+              if finalType.check val then val
+              else let
+                coerced = coerceFunc val;
+              in assert finalType.check coerced; coerced;
+
+          in finalType.merge loc (map (def: def // { value = coerceVal def.value; }) defs);
+        getSubOptions = finalType.getSubOptions;
+        getSubModules = finalType.getSubModules;
+        substSubModules = m: coercedTo coercedType coerceFunc (finalType.substSubModules m);
+        typeMerge = t1: t2: null;
+        functor = (defaultFunctor name) // { wrapped = finalType; };
+      };
+
     # Obsolete alternative to configOf.  It takes its option
     # declarations from the ‘options’ attribute of containing option
     # declaration.

nixos/doc/manual/configuration/configuration.xml

@@ -21,6 +21,7 @@ effect after you run <command>nixos-rebuild</command>.</para>
 <xi:include href="user-mgmt.xml" />
 <xi:include href="file-systems.xml" />
 <xi:include href="x-windows.xml" />
+<xi:include href="xfce.xml" />
 <xi:include href="networking.xml" />
 <xi:include href="linux-kernel.xml" />
 

nixos/doc/manual/configuration/ipv6-config.xml

@@ -22,5 +22,25 @@ boot.kernel.sysctl."net.ipv6.conf.eth0.disable_ipv6" = true;
 </programlisting>
 </para>
 
+<para>As with IPv4 networking interfaces are automatically configured via
+DHCPv6. You can configure an interface manually:
+
+<programlisting>
+networking.interfaces.eth0.ip6 = [ { address = "fe00:aa:bb:cc::2"; prefixLength = 64; } ];
+</programlisting>
+</para>
+
+<para>For configuring a gateway, optionally with explicitly specified interface:
+
+<programlisting>
+networking.defaultGateway6 = {
+  address = "fe00::1";
+  interface = "enp0s3";
+}
+</programlisting>
+</para>
+
+<para>See <xref linkend='sec-ipv4' /> for similar examples and additional information.
+</para>
 
 </section>

nixos/doc/manual/configuration/luks-file-systems.xml

@@ -37,6 +37,10 @@ boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-
 fileSystems."/".device = "/dev/mapper/crypted";
 </programlisting>
 
+Should grub be used as bootloader, and <filename>/boot</filename> is located
+on an encrypted partition, it is necessary to add the following grub option:
+<programlisting>boot.loader.grub.enableCryptodisk = true;</programlisting>
+
 </para>
 
 </section>

nixos/doc/manual/configuration/modularity.xml

@@ -36,9 +36,8 @@ latter might look like this:
 { config, pkgs, ... }:
 
 { services.xserver.enable = true;
-  services.xserver.displayManager.kdm.enable = true;
+  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.kde4.enable = true;
+  services.xserver.desktopManager.kde5.enable = true;
-  environment.systemPackages = [ pkgs.kde4.kscreensaver ];
 }
 </programlisting>
 

nixos/doc/manual/configuration/user-mgmt.xml

@@ -36,7 +36,10 @@ to set a password, which is retained across invocations of
 and /etc/group will be congruent to your NixOS configuration. For instance,
 if you remove a user from users.extraUsers and run nixos-rebuild, the user
 account will cease to exist. Also, imperative commands for managing users
-and groups, such as useradd, are no longer available.</para>
+and groups, such as useradd, are no longer available. Passwords may still be
+assigned by setting the user's <literal>hashedPassword</literal> option. A
+hashed password can be generated using <command>mkpasswd -m sha-512</command>
+after installing the <literal>mkpasswd</literal> package.</para>
 
 <para>A user ID (uid) is assigned automatically.  You can also specify
 a uid manually by adding

nixos/doc/manual/configuration/x-windows.xml

@@ -25,7 +25,7 @@ Otherwise, you can only log into a plain undecorated
 <command>xterm</command> window.  Thus you should pick one or more of
 the following lines:
 <programlisting>
-services.xserver.desktopManager.kde4.enable = true;
+services.xserver.desktopManager.kde5.enable = true;
 services.xserver.desktopManager.xfce.enable = true;
 services.xserver.windowManager.xmonad.enable = true;
 services.xserver.windowManager.twm.enable = true;
@@ -35,9 +35,9 @@ services.xserver.windowManager.icewm.enable = true;
 
 <para>NixOS’s default <emphasis>display manager</emphasis> (the
 program that provides a graphical login prompt and manages the X
-server) is SLiM.  You can select KDE’s <command>kdm</command> instead:
+server) is SLiM.  You can select KDE’s <command>sddm</command> instead:
 <programlisting>
-services.xserver.displayManager.kdm.enable = true;
+services.xserver.displayManager.sddm.enable = true;
 </programlisting>
 </para>
 

nixos/doc/manual/configuration/xfce.xml

@@ -0,0 +1,105 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-xfce">
+
+    <title>Xfce Desktop Environment</title>
+
+    <para>
+        To enable the Xfce Desktop Environment, set
+        <programlisting>
+            services.xserver.desktopManager = {
+                xfce.enable = true;
+                default = "xfce";
+            };
+        </programlisting>
+    </para>
+
+    <para>
+        Optionally, <emphasis>compton</emphasis>
+        can be enabled for nice graphical effects, some example settings:
+        <programlisting>
+            services.compton = {
+              enable          = true;
+              fade            = true;
+              inactiveOpacity = "0.9";
+              shadow          = true;
+              fadeDelta       = 4;
+            };
+        </programlisting>
+    </para>
+
+    <para>
+        Some Xfce programs are not installed automatically.
+        To install them manually (system wide), put them into your
+        <literal>environment.systemPackages</literal>.
+	</para>
+
+    <para>
+		NixOS’s default <emphasis>display manager</emphasis>is SLiM.
+		(DM is the program that provides a graphical login prompt
+		 and manages the X server.)
+	   	You can, for example, select KDE’s
+        <command>sddm</command> instead:
+        <programlisting>
+            services.xserver.displayManager.sddm.enable = true;
+        </programlisting>
+    </para>
+
+    <simplesect>
+        <title>Thunar Volume Support</title>
+
+        <para>
+            To enable
+            <emphasis>Thunar</emphasis>
+            volume support, put
+            <programlisting>
+                services.xserver.desktopManager.xfce.enable = true;
+            </programlisting>
+            into your <emphasis>configuration.nix</emphasis>.
+        </para>
+
+    </simplesect>
+
+    <simplesect>
+        <title>Polkit Authentication Agent</title>
+
+        <para>
+            There is no authentication agent automatically installed alongside
+            Xfce. To allow mounting of local (non-removable) filesystems, you
+            will need to install one.
+
+            Installing <emphasis>polkit_gnome</emphasis>, a rebuild, logout and
+            login did the trick.
+        </para>
+
+    </simplesect>
+
+    <simplesect>
+        <title>Troubleshooting</title>
+
+        <para>
+            Even after enabling udisks2, volume management might not work.
+            Thunar and/or the desktop takes time to show up.
+
+            Thunar will spit out this kind of message on start
+            (look at journalctl --user -b).
+
+            <programlisting>
+                Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
+            </programlisting>
+
+            This is caused by some needed GNOME services not running.
+            This is all fixed by enabling "Launch GNOME services on startup" in
+            the Advanced tab of the Session and Startup settings panel.
+            Alternatively, you can run this command to do the same thing.
+            <programlisting>
+                $ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
+            </programlisting>
+            A log-out and re-log will be needed for this to take effect.
+        </para>
+
+    </simplesect>
+
+</chapter>

nixos/doc/manual/development/option-declarations.xml

@@ -65,22 +65,22 @@ options = {
 
 </para>
 
-<section xml:id="sec-option-declarations-eot"><title>Extensible Option 
+<section xml:id="sec-option-declarations-eot"><title>Extensible Option
     Types</title>
 
-  <para>Extensible option types is a feature that allow to extend certain types 
+  <para>Extensible option types is a feature that allow to extend certain types
     declaration through multiple module files.
-    This feature only work with a restricted set of types, namely 
+    This feature only work with a restricted set of types, namely
     <literal>enum</literal> and <literal>submodules</literal> and any composed
     forms of them.</para>
 
-  <para>Extensible option types can be used for <literal>enum</literal> options 
+  <para>Extensible option types can be used for <literal>enum</literal> options
-    that affects multiple modules, or as an alternative to related 
+    that affects multiple modules, or as an alternative to related
     <literal>enable</literal> options.</para>
 
   <para>As an example, we will take the case of display managers. There is a
     central display manager module for generic display manager options and a
-    module file per display manager backend (slim, kdm, gdm ...).
+    module file per display manager backend (slim, sddm, gdm ...).
   </para>
 
   <para>There are two approach to this module structure:
@@ -96,7 +96,7 @@ options = {
   </para>
 
   <para>Both approachs have problems.</para>
-    
+
   <para>Making backends independent can quickly become hard to manage. For
     display managers, there can be only one enabled at a time, but the type
     system can not enforce this restriction as there is no relation between
@@ -108,18 +108,18 @@ options = {
     central module will require to change the central module option every time
     a new backend is added or removed.</para>
 
-  <para>By using extensible option types, it is possible to create a placeholder 
+  <para>By using extensible option types, it is possible to create a placeholder
-    option in the central module (<xref linkend='ex-option-declaration-eot-service' 
+    option in the central module (<xref linkend='ex-option-declaration-eot-service'
-      />), and to extend it in each backend module (<xref 
+      />), and to extend it in each backend module (<xref
-      linkend='ex-option-declaration-eot-backend-slim' />, <xref 
+      linkend='ex-option-declaration-eot-backend-slim' />, <xref
-      linkend='ex-option-declaration-eot-backend-kdm' />).</para>
+      linkend='ex-option-declaration-eot-backend-sddm' />).</para>
- 
+
   <para>As a result, <literal>displayManager.enable</literal> option values can
   be added without changing the main service module file and the type system
   automatically enforce that there can only be a single display manager
   enabled.</para>
 
-<example xml:id='ex-option-declaration-eot-service'><title>Extensible type 
+<example xml:id='ex-option-declaration-eot-service'><title>Extensible type
     placeholder in the service module</title>
 <screen>
 services.xserver.displayManager.enable = mkOption {
@@ -127,29 +127,29 @@ services.xserver.displayManager.enable = mkOption {
   type = with types; nullOr (enum [ ]);
 };</screen></example>
 
-<example xml:id='ex-option-declaration-eot-backend-slim'><title>Extending 
+<example xml:id='ex-option-declaration-eot-backend-slim'><title>Extending
-    <literal>services.xserver.displayManager.enable</literal> in the 
+    <literal>services.xserver.displayManager.enable</literal> in the
     <literal>slim</literal> module</title>
 <screen>
 services.xserver.displayManager.enable = mkOption {
   type = with types; nullOr (enum [ "slim" ]);
 };</screen></example>
 
-<example xml:id='ex-option-declaration-eot-backend-kdm'><title>Extending 
+<example xml:id='ex-option-declaration-eot-backend-sddm'><title>Extending
-    <literal>services.foo.backend</literal> in the <literal>kdm</literal> 
+    <literal>services.foo.backend</literal> in the <literal>sddm</literal>
     module</title>
 <screen>
 services.xserver.displayManager.enable = mkOption {
-  type = with types; nullOr (enum [ "kdm" ]);
+  type = with types; nullOr (enum [ "sddm" ]);
 };</screen></example>
 
-<para>The placeholder declaration is a standard <literal>mkOption</literal> 
+<para>The placeholder declaration is a standard <literal>mkOption</literal>
-  declaration, but it is important that extensible option declarations only use 
+  declaration, but it is important that extensible option declarations only use
   the <literal>type</literal> argument.</para>
 
-<para>Extensible option types work with any of the composed variants of 
+<para>Extensible option types work with any of the composed variants of
-  <literal>enum</literal> such as 
+  <literal>enum</literal> such as
-  <literal>with types; nullOr (enum [ "foo" "bar" ])</literal> 
+  <literal>with types; nullOr (enum [ "foo" "bar" ])</literal>
   or <literal>with types; listOf (enum [ "foo" "bar" ])</literal>.</para>
 
 </section>

nixos/doc/manual/release-notes/rl-1703.xml

@@ -17,12 +17,21 @@ has the following highlights: </para>
   </listitem>
 
   <listitem>
-
     <para>Setting capabilities on programs is now supported with a
     <literal>setcap-wrapper</literal> functionality. This
     functionality and the <literal>setuid-wrapper</literal> are merged
     into a single "wrappers" module.</para>
   </listitem>
+
+  <listitem>
+    <para>X.org server uses branch 1.19.  Due to ABI incompatibilities,
+      <literal>ati_unfree</literal> keeps forcing 1.17
+      and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
+  </listitem>
+
+  <listitem>
+    <para>PHP now defaults to PHP 7.1</para>
+  </listitem>
 </itemizedlist>
 
 <para>The following new services were added since the last release:</para>
@@ -54,6 +63,7 @@ following incompatible changes:</para>
       for what those parameters represent.
     </para>
   </listitem>
+
   <listitem>
     <para>
       <literal>ansible</literal> now defaults to ansible version 2 as version 1
@@ -62,6 +72,7 @@ following incompatible changes:</para>
       vulnerability</link> unpatched by upstream.
     </para>
   </listitem>
+
   <listitem>
     <para>
       <literal>gnome</literal> alias has been removed along with
@@ -103,6 +114,15 @@ following incompatible changes:</para>
     </para>
   </listitem>
 
+  <listitem>
+    <para>
+      Two lone top-level dict dbs moved into <literal>dictdDBs</literal>. This
+      affects: <literal>dictdWordnet</literal> which is now at
+      <literal>dictdDBs.wordnet</literal> and <literal>dictdWiktionary</literal>
+      which is now at <literal>dictdDBs.wiktionary</literal>
+    </para>
+  </listitem>
+
   <listitem>
     <para>
       Parsoid service now uses YAML configuration format.
@@ -124,7 +144,36 @@ following incompatible changes:</para>
   </listitem>
 
   <listitem>
+    <para>
+      <literal>service.nylon</literal> is now declared using named instances.
+      As an example:
 
+<programlisting>
+  services.nylon = {
+    enable = true;
+    acceptInterface = "br0";
+    bindInterface = "tun1";
+    port = 5912;
+  };
+</programlisting>
+
+      should be replaced with:
+
+<programlisting>
+  services.nylon.myvpn = {
+    enable = true;
+    acceptInterface = "br0";
+    bindInterface = "tun1";
+    port = 5912;
+  };
+</programlisting>
+
+      this enables you to declare a SOCKS proxy for each uplink.
+
+    </para>
+  </listitem>
+
+  <listitem>
     <para><literal>overridePackages</literal> function no longer exists.
     It is replaced by <link
     xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
@@ -161,18 +210,39 @@ following incompatible changes:</para>
     </para>
   </listitem>
 
+  <listitem>
+    <para>
+      <literal>local_recipient_maps</literal> is not set to empty value by
+      Postfix service. It's an insecure default as stated by Postfix
+      documentation. Those who want to retain this setting need to set it via
+      <literal>services.postfix.extraConfig</literal>.
+    </para>
+  </listitem>
+
 </itemizedlist>
 
 
 <para>Other notable improvements:</para>
 
 <itemizedlist>
+
   <listitem>
     <para>Module type system have a new extensible option types feature that
       allow to extend certain types, such as enum, through multiple option
       declarations of the same option across multiple modules.
     </para>
   </listitem>
+
+  <listitem>
+    <para>
+      <literal>jre</literal> now defaults to GTK+ UI by default. This
+      improves visual consistency and makes Java follow system font style,
+      improving the situation on HighDPI displays. This has a cost of increased
+      closure size; for server and other headless workloads it's recommended to
+      use <literal>jre_headless</literal>.
+    </para>
+  </listitem>
+
 </itemizedlist>
 
 

nixos/lib/test-driver/Machine.pm

@@ -508,7 +508,7 @@ sub screenshot {
 sub getTTYText {
     my ($self, $tty) = @_;
 
-    my ($status, $out) = $self->execute("fold -w 80 /dev/vcs${tty}");
+    my ($status, $out) = $self->execute("fold -w\$(stty -F /dev/tty${tty} size | awk '{print \$2}') /dev/vcs${tty}");
     return $out;
 }
 

nixos/modules/hardware/opengl.nix

@@ -133,13 +133,10 @@ in
       '';
 
     environment.sessionVariables.LD_LIBRARY_PATH =
-      [ "/run/opengl-driver/lib" "/run/opengl-driver-32/lib" ];
+      [ "/run/opengl-driver/lib" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/lib";
 
-    environment.extraInit = ''
+    environment.variables.XDG_DATA_DIRS =
-      export XDG_DATA_DIRS=$XDG_DATA_DIRS:/run/opengl-driver/share
+      [ "/run/opengl-driver/share" ] ++ optional cfg.driSupport32Bit "/run/opengl-driver-32/share";
-    '' + optionalString cfg.driSupport32Bit ''
-      export XDG_DATA_DIRS=$XDG_DATA_DIRS:/run/opengl-driver-32/share
-    '';
 
     hardware.opengl.package = mkDefault (makePackage pkgs);
     hardware.opengl.package32 = mkDefault (makePackage pkgs_i686);

nixos/modules/hardware/video/amdgpu-pro.nix

@@ -21,6 +21,8 @@ in
 
   config = mkIf enabled {
 
+    nixpkgs.config.xorg.abiCompat = "1.18";
+
     services.xserver.drivers = singleton
       { name = "amdgpu"; modules = [ package ]; libPath = [ package ]; };
 
@@ -44,9 +46,6 @@ in
       "amd/amdrc".source = package + "/etc/amd/amdrc";
       "amd/amdapfxx.blb".source = package + "/etc/amd/amdapfxx.blb";
       "gbm/gbm.conf".source = package + "/etc/gbm/gbm.conf";
-      "OpenCL/vendors/amdocl64.icd".source = package + "/etc/OpenCL/vendors/amdocl64.icd";
-    } // optionalAttrs opengl.driSupport32Bit {
-      "OpenCL/vendors/amdocl32.icd".source = package32 + "/etc/OpenCL/vendors/amdocl32.icd";
     };
 
   };

nixos/modules/hardware/video/ati.nix

@@ -18,7 +18,7 @@ in
 
   config = mkIf enabled {
 
-    nixpkgs.config.xorg.fglrxCompat = true;
+    nixpkgs.config.xorg.abiCompat = "1.17";
 
     services.xserver.drivers = singleton
       { name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; };

nixos/modules/hardware/video/bumblebee.nix

@@ -76,8 +76,8 @@ in
 
   config = mkIf cfg.enable {
     boot.blacklistedKernelModules = [ "nvidia-drm" "nvidia" "nouveau" ];
-    boot.kernelModules = optional useBbswitch [ "bbswitch" ];
+    boot.kernelModules = optional useBbswitch "bbswitch";
-    boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11;
+    boot.extraModulePackages = optional useBbswitch kernel.bbswitch ++ optional useNvidia kernel.nvidia_x11.bin;
 
     environment.systemPackages = [ bumblebee primus ];
 

nixos/modules/hardware/video/nvidia.nix

@@ -27,6 +27,13 @@ let
   nvidia_x11 = nvidiaForKernel config.boot.kernelPackages;
   nvidia_libs32 = (nvidiaForKernel pkgs_i686.linuxPackages).override { libsOnly = true; kernel = null; };
 
+  nvidiaPackage = nvidia: pkgs:
+    if !nvidia.useGLVND then nvidia
+    else pkgs.buildEnv {
+      name = "nvidia-libs";
+      paths = [ pkgs.libglvnd nvidia.out ];
+    };
+
   enabled = nvidia_x11 != null;
 in
 
@@ -35,19 +42,19 @@ in
   config = mkIf enabled {
 
     services.xserver.drivers = singleton
-      { name = "nvidia"; modules = [ nvidia_x11 ]; libPath = [ nvidia_x11 ]; };
+      { name = "nvidia"; modules = [ nvidia_x11.bin ]; libPath = [ nvidia_x11 ]; };
 
     services.xserver.screenSection =
       ''
         Option "RandRRotation" "on"
       '';
 
-    hardware.opengl.package = nvidia_x11;
+    hardware.opengl.package = nvidiaPackage nvidia_x11 pkgs;
-    hardware.opengl.package32 = nvidia_libs32;
+    hardware.opengl.package32 = nvidiaPackage nvidia_libs32 pkgs_i686;
 
-    environment.systemPackages = [ nvidia_x11 ];
+    environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings nvidia_x11.persistenced ];
 
-    boot.extraModulePackages = [ nvidia_x11 ];
+    boot.extraModulePackages = [ nvidia_x11.bin ];
 
     # nvidia-uvm is required by CUDA applications.
     boot.kernelModules = [ "nvidia-uvm" ];
@@ -62,8 +69,6 @@ in
 
     services.acpid.enable = true;
 
-    environment.etc."OpenCL/vendors/nvidia.icd".source = "${nvidia_x11}/lib/vendors/nvidia.icd";
-
   };
 
 }

nixos/modules/installer/cd-dvd/sd-image-aarch64.nix

@@ -52,9 +52,7 @@ in
         enable_uart=1
       '';
       in ''
-        for f in bootcode.bin fixup.dat start.elf; do
+        (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
-          cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
-        done
         cp ${patchedUboot}/u-boot.bin boot/u-boot-rpi3.bin
         cp ${configTxt} boot/config.txt
         ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot

nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix

@@ -44,9 +44,7 @@ in
         enable_uart=1
       '';
       in ''
-        for f in bootcode.bin fixup.dat start.elf; do
+        (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
-          cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
-        done
         cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin
         cp ${pkgs.ubootRaspberryPi3_32bit}/u-boot.bin boot/u-boot-rpi3.bin
         cp ${configTxt} boot/config.txt

nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix

@@ -34,9 +34,7 @@ in
 
   sdImage = {
     populateBootCommands = ''
-      for f in bootcode.bin fixup.dat start.elf; do
+      (cd ${pkgs.raspberrypifw}/share/raspberrypi/boot && cp bootcode.bin fixup*.dat start*.elf $NIX_BUILD_TOP/boot/)
-        cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
-      done
       cp ${pkgs.ubootRaspberryPi}/u-boot.bin boot/u-boot-rpi.bin
       echo 'kernel u-boot-rpi.bin' > boot/config.txt
       ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -208,9 +208,6 @@ foreach my $path (glob "/sys/bus/pci/devices/*") {
     pciCheck $path;
 }
 
-push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
-
-
 # Idem for USB devices.
 
 sub usbCheck {
@@ -277,6 +274,12 @@ if ($virt eq "qemu" || $virt eq "kvm" || $virt eq "bochs") {
     push @imports, "<nixpkgs/nixos/modules/profiles/qemu-guest.nix>";
 }
 
+# Also for Hyper-V.
+if ($virt eq "microsoft") {
+    push @initrdAvailableKernelModules, "hv_storvsc";
+    $videoDriver = "fbdev";
+}
+
 
 # Pull in NixOS configuration for containers.
 if ($virt eq "systemd-nspawn") {
@@ -307,6 +310,7 @@ sub findStableDevPath {
     return $dev;
 }
 
+push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDriver;
 
 # Generate the swapDevices option from the currently activated swap
 # devices.
@@ -588,6 +592,12 @@ $bootLoaderConfig
   # Enable the OpenSSH daemon.
   # services.openssh.enable = true;
 
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
   # Enable CUPS to print documents.
   # services.printing.enable = true;
 
@@ -597,8 +607,8 @@ $bootLoaderConfig
   # services.xserver.xkbOptions = "eurosign:e";
 
   # Enable the KDE Desktop Environment.
-  # services.xserver.displayManager.kdm.enable = true;
+  # services.xserver.displayManager.sddm.enable = true;
-  # services.xserver.desktopManager.kde4.enable = true;
+  # services.xserver.desktopManager.kde5.enable = true;
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
   # users.extraUsers.guest = {

nixos/modules/misc/ids.nix

@@ -64,7 +64,7 @@
       cups = 36;
       foldingathome = 37;
       sabnzbd = 38;
-      kdm = 39;
+      #kdm = 39; # dropped in 17.03
       ghostone = 40;
       git = 41;
       fourstore = 42;
@@ -206,7 +206,7 @@
       ripple-data-api = 186;
       mediatomb = 187;
       rdnssd = 188;
-      ihaskell = 189;
+      # ihaskell = 189; # unused
       i2p = 190;
       lambdabot = 191;
       asterisk = 192;
@@ -286,6 +286,7 @@
       gogs = 268;
       pdns-recursor = 269;
       kresd = 270;
+      rpc = 271;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -332,7 +333,7 @@
       #cups = 36; # unused
       #foldingathome = 37; # unused
       #sabnzd = 38; # unused
-      #kdm = 39; # unused
+      #kdm = 39; # unused, even before 17.03
       ghostone = 40;
       git = 41;
       fourstore = 42;
@@ -469,7 +470,7 @@
       #ripple-data-api = 186; #unused
       mediatomb = 187;
       #rdnssd = 188; # unused
-      ihaskell = 189;
+      # ihaskell = 189; # unused
       i2p = 190;
       lambdabot = 191;
       asterisk = 192;
@@ -541,6 +542,7 @@
       couchpotato = 267;
       gogs = 268;
       kresd = 270;
+      #rpc = 271; # unused
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/misc/nixpkgs.nix

@@ -45,9 +45,8 @@ let
 in
 
 {
-  options = {
+  options.nixpkgs = {
-
+    config = mkOption {
-    nixpkgs.config = mkOption {
       default = {};
       example = literalExample
         ''
@@ -61,7 +60,7 @@ in
       '';
     };
 
-    nixpkgs.overlays = mkOption {
+    overlays = mkOption {
       default = [];
       example = literalExample
         ''
@@ -85,7 +84,7 @@ in
       '';
     };
 
-    nixpkgs.system = mkOption {
+    system = mkOption {
       type = types.str;
       example = "i686-linux";
       description = ''
@@ -95,14 +94,9 @@ in
         multi-platform deployment, or when building virtual machines.
       '';
     };
-
   };
 
   config = {
-    _module.args.pkgs = import ../../.. {
+    _module.args.pkgs = import ../../.. config.nixpkgs;
-      system = config.nixpkgs.system;
-
-      inherit (config.nixpkgs) config;
-    };
   };
 }

nixos/modules/module-list.nix

@@ -141,6 +141,7 @@
   ./services/computing/torque/mom.nix
   ./services/computing/slurm/slurm.nix
   ./services/continuous-integration/buildbot/master.nix
+  ./services/continuous-integration/buildbot/worker.nix
   ./services/continuous-integration/buildkite-agent.nix
   ./services/continuous-integration/hydra/default.nix
   ./services/continuous-integration/gitlab-runner.nix
@@ -197,6 +198,7 @@
   ./services/hardware/bluetooth.nix
   ./services/hardware/brltty.nix
   ./services/hardware/freefall.nix
+  ./services/hardware/illum.nix
   ./services/hardware/irqbalance.nix
   ./services/hardware/nvidia-optimus.nix
   ./services/hardware/pcscd.nix
@@ -205,6 +207,7 @@
   ./services/hardware/tcsd.nix
   ./services/hardware/tlp.nix
   ./services/hardware/thinkfan.nix
+  ./services/hardware/trezord.nix
   ./services/hardware/udev.nix
   ./services/hardware/udisks2.nix
   ./services/hardware/upower.nix
@@ -256,12 +259,13 @@
   ./services/misc/felix.nix
   ./services/misc/folding-at-home.nix
   ./services/misc/gammu-smsd.nix
+  ./services/misc/geoip-updater.nix
   #./services/misc/gitit.nix
   ./services/misc/gitlab.nix
   ./services/misc/gitolite.nix
   ./services/misc/gogs.nix
   ./services/misc/gpsd.nix
-  ./services/misc/ihaskell.nix
+  #./services/misc/ihaskell.nix
   ./services/misc/leaps.nix
   ./services/misc/mantisbt.nix
   ./services/misc/mathics.nix
@@ -290,6 +294,7 @@
   ./services/misc/siproxd.nix
   ./services/misc/sonarr.nix
   ./services/misc/spice-vdagentd.nix
+  ./services/misc/ssm-agent.nix
   ./services/misc/sssd.nix
   ./services/misc/subsonic.nix
   ./services/misc/sundtek.nix
@@ -339,6 +344,7 @@
   ./services/monitoring/zabbix-server.nix
   ./services/network-filesystems/cachefilesd.nix
   ./services/network-filesystems/drbd.nix
+  ./services/network-filesystems/glusterfs.nix
   ./services/network-filesystems/ipfs.nix
   ./services/network-filesystems/netatalk.nix
   ./services/network-filesystems/nfsd.nix
@@ -442,6 +448,7 @@
   ./services/networking/radicale.nix
   ./services/networking/radvd.nix
   ./services/networking/rdnssd.nix
+  ./services/networking/redsocks.nix
   ./services/networking/rpcbind.nix
   ./services/networking/sabnzbd.nix
   ./services/networking/searx.nix
@@ -498,7 +505,8 @@
   ./services/security/frandom.nix
   ./services/security/haka.nix
   ./services/security/haveged.nix
-  ./services/security/hologram.nix
+  ./services/security/hologram-server.nix
+  ./services/security/hologram-agent.nix
   ./services/security/munge.nix
   ./services/security/oauth2_proxy.nix
   ./services/security/physlock.nix
@@ -553,7 +561,6 @@
   ./services/x11/display-managers/auto.nix
   ./services/x11/display-managers/default.nix
   ./services/x11/display-managers/gdm.nix
-  ./services/x11/display-managers/kdm.nix
   ./services/x11/display-managers/lightdm.nix
   ./services/x11/display-managers/sddm.nix
   ./services/x11/display-managers/slim.nix
@@ -639,6 +646,7 @@
   ./virtualisation/container-config.nix
   ./virtualisation/containers.nix
   ./virtualisation/docker.nix
+  ./virtualisation/ecs-agent.nix
   ./virtualisation/libvirtd.nix
   ./virtualisation/lxc.nix
   ./virtualisation/lxcfs.nix

nixos/modules/profiles/all-hardware.nix

@@ -42,6 +42,9 @@
       # Virtio (QEMU, KVM etc.) support.
       "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console"
 
+      # Hyper-V support.
+      "hv_storvsc"
+
       # Keyboards
       "usbhid" "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
     ];

nixos/modules/profiles/graphical.nix

@@ -6,8 +6,8 @@
 {
   services.xserver = {
     enable = true;
-    displayManager.kdm.enable = true;
+    displayManager.sddm.enable = true;
-    desktopManager.kde4.enable = true;
+    desktopManager.kde5.enable = true;
     synaptics.enable = true; # for touchpad support on many laptops
   };
 

nixos/modules/rename.nix

@@ -171,6 +171,10 @@ with lib;
     (mkRenamedOptionModule [ "services" "locate" "period" ] [ "services" "locate" "interval" ])
     (mkRemovedOptionModule [ "services" "locate" "includeStore" ] "Use services.locate.prunePaths" )
 
+    # nfs
+    (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ])
+    (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ])
+
     # Options that are obsolete and have no replacement.
     (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
     (mkRemovedOptionModule [ "programs" "bash" "enable" ] "")

nixos/modules/security/grsecurity.xml

@@ -7,21 +7,20 @@
   <title>Grsecurity/PaX</title>
 
   <para>
-    Grsecurity/PaX is a set of patches against the Linux kernel that make it
+    Grsecurity/PaX is a set of patches against the Linux kernel that
-    harder to exploit bugs.  The patchset includes protections such as
+    implements an extensive suite of
-    enforcement of non-executable memory, address space layout randomization,
-    and chroot jail hardening.  These and other
     <link xlink:href="https://grsecurity.net/features.php">features</link>
-    render entire classes of exploits inert without additional efforts on the
+    designed to increase the difficulty of exploiting kernel and
-    part of the adversary.
+    application bugs.
   </para>
 
   <para>
     The NixOS grsecurity/PaX module is designed with casual users in mind and is
-    intended to be compatible with normal desktop usage, without unnecessarily
+    intended to be compatible with normal desktop usage, without
-    compromising security.  The following sections describe the configuration
+    <emphasis>unnecessarily</emphasis> compromising security.  The
-    and administration of a grsecurity/PaX enabled NixOS system.  For
+    following sections describe the configuration and administration of
-    more comprehensive coverage, please refer to the
+    a grsecurity/PaX enabled NixOS system.  For more comprehensive
+    coverage, please refer to the
     <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
     and the
     <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
@@ -35,7 +34,7 @@
     and each configuration requires quite a bit of testing to ensure that the
     resulting packages work as advertised.  Defining additional package sets
     would likely result in a large number of functionally broken packages, to
-    nobody's benefit.</para></note>.
+    nobody's benefit.</para></note>
   </para>
 
   <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
@@ -126,10 +125,10 @@
     The NixOS kernel is built using upstream's recommended settings for a
     desktop deployment that generally favours security over performance.  This
     section details deviations from upstream's recommendations that may
-    compromise operational security.
+    compromise security.
 
     <warning><para>There may be additional problems not covered here!</para>
-    </warning>.
+    </warning>
   </para>
 
   <itemizedlist>
@@ -159,8 +158,8 @@
     <listitem><para>
       The NixOS module conditionally weakens <command>chroot</command>
       restrictions to accommodate NixOS lightweight containers and sandboxed Nix
-      builds.  This is problematic if the deployment also runs a privileged
+      builds.  This can be problematic if the deployment also runs privileged
-      network facing process that <emphasis>relies</emphasis> on
+      network facing processes that <emphasis>rely</emphasis> on
       <command>chroot</command> for isolation.
     </para></listitem>
 
@@ -221,15 +220,18 @@
   </para>
 
   <para>
-    The wikibook provides an exhaustive listing of
+    The grsecurity/PaX wikibook provides an exhaustive listing of
     <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
   </para>
 
   <para>
     The NixOS module makes several assumptions about the kernel and so
     may be incompatible with your customised kernel. Currently, the only way
-    to work around incompatibilities is to eschew the NixOS module.
+    to work around these incompatibilities is to eschew the NixOS
+    module.
+  </para>
 
+  <para>
     If not using the NixOS module, a custom grsecurity package set can
     be specified inline instead, as in
     <programlisting>
@@ -290,7 +292,7 @@
 
     <listitem><para>User initiated autoloading of modules (e.g., when
     using fuse or loop devices) is disallowed; either load requisite modules
-    as root or add them to<option>boot.kernelModules</option>.</para></listitem>
+    as root or add them to <option>boot.kernelModules</option>.</para></listitem>
 
     <listitem><para>Virtualization: KVM is the preferred virtualization
     solution. Xen, Virtualbox, and VMWare are

nixos/modules/security/pam.nix

@@ -253,6 +253,8 @@ let
               "auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
           ${optionalString cfg.usbAuth
               "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
+          ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
+              "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
         '' +
           # Modules in this block require having the password set in PAM_AUTHTOK.
           # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
@@ -271,8 +273,6 @@ let
               "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
           ${optionalString cfg.otpwAuth
               "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
-          ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
-              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
           ${optionalString use_ldap
               "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
           ${optionalString config.services.sssd.enable

nixos/modules/services/cluster/kubernetes.nix

@@ -775,7 +775,7 @@ in {
             --bind-address=${cfg.proxy.address} \
             ${optionalString cfg.verbose "--v=6"} \
             ${optionalString cfg.verbose "--log-flush-frequency=1s"} \
-            ${cfg.controllerManager.extraOpts}
+            ${cfg.proxy.extraOpts}
           '';
           WorkingDirectory = cfg.dataDir;
         };

nixos/modules/services/continuous-integration/buildbot/master.nix

@@ -7,7 +7,7 @@ with lib;
 let
   cfg = config.services.buildbot-master;
   escapeStr = s: escape ["'"] s;
-  masterCfg = pkgs.writeText "master.cfg" ''
+  masterCfg = if cfg.masterCfg == null then pkgs.writeText "master.cfg" ''
     from buildbot.plugins import *
     factory = util.BuildFactory()
     c = BuildmasterConfig = dict(
@@ -27,9 +27,8 @@ let
       factory.addStep(step)
 
     ${cfg.extraConfig}
-  '';
+  ''
-
+  else pkgs.writeText "master.cfg" cfg.masterCfg;
-  configFile = if cfg.masterCfg == null then masterCfg else cfg.masterCfg;
 
 in {
   options = {
@@ -67,15 +66,13 @@ in {
       };
 
       masterCfg = mkOption {
-        type = with types; nullOr path;
+        type = types.str;
         description = ''
-          Optionally pass path to raw master.cfg file.
+          Optionally pass raw master.cfg file as string.
           Other options in this configuration will be ignored.
         '';
         default = null;
-        example = literalExample ''
+        example = "BuildmasterConfig = c = {}";
-          pkgs.writeText "master.cfg" "BuildmasterConfig = c = {}"
-        '';
       };
 
       schedulers = mkOption {
@@ -99,9 +96,9 @@ in {
         type = types.listOf types.str;
         description = "List of Workers.";
         default = [
-          "worker.Worker('default-worker', 'password')"
+          "worker.Worker('example-worker', 'pass')"
         ];
-        example = [ "worker.LocalWorker('default-worker')" ];
+        example = [ "worker.LocalWorker('example-worker')" ];
       };
 
       status = mkOption {
@@ -209,7 +206,7 @@ in {
 
     users.extraUsers = optional (cfg.user == "buildbot") {
       name = "buildbot";
-      description = "buildbot user";
+      description = "Buildbot User.";
       isNormalUser = true;
       createHome = true;
       home = cfg.home;
@@ -219,7 +216,7 @@ in {
     };
 
     systemd.services.buildbot-master = {
-      description = "Buildbot Continuous Integration Server";
+      description = "Buildbot Continuous Integration Server.";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       path = cfg.packages;
@@ -233,9 +230,8 @@ in {
       };
 
       preStart = ''
-        mkdir -vp ${cfg.buildbotDir}
+        ${pkgs.coreutils}/bin/mkdir -vp ${cfg.buildbotDir}
-        chown -c ${cfg.user}:${cfg.group} ${cfg.buildbotDir}
+        ${pkgs.coreutils}/bin/ln -sfv ${masterCfg} ${cfg.buildbotDir}/master.cfg
-        ln -sf ${configFile} ${cfg.buildbotDir}/master.cfg
         ${cfg.package}/bin/buildbot create-master ${cfg.buildbotDir}
       '';
 
@@ -247,4 +243,6 @@ in {
     };
   };
 
+  meta.maintainers = with lib.maintainers; [ nand0p Mic92 ];
+
 }

nixos/modules/services/continuous-integration/buildbot/worker.nix

@@ -0,0 +1,128 @@
+# NixOS module for Buildbot Worker.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.buildbot-worker;
+
+in {
+  options = {
+    services.buildbot-worker = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the Buildbot Worker.";
+      };
+
+      user = mkOption {
+        default = "bbworker";
+        type = types.str;
+        description = "User the buildbot Worker should execute under.";
+      };
+
+      group = mkOption {
+        default = "bbworker";
+        type = types.str;
+        description = "Primary group of buildbot Worker user.";
+      };
+
+      extraGroups = mkOption {
+        type = types.listOf types.str;
+        default = [ "nixbld" ];
+        description = "List of extra groups that the Buildbot Worker user should be a part of.";
+      };
+
+      home = mkOption {
+        default = "/home/bbworker";
+        type = types.path;
+        description = "Buildbot home directory.";
+      };
+
+      buildbotDir = mkOption {
+        default = "${cfg.home}/worker";
+        type = types.path;
+        description = "Specifies the Buildbot directory.";
+      };
+
+      workerUser = mkOption {
+        default = "example-worker";
+        type = types.str;
+        description = "Specifies the Buildbot Worker user.";
+      };
+
+      workerPass = mkOption {
+        default = "pass";
+        type = types.str;
+        description = "Specifies the Buildbot Worker password.";
+      };
+
+      masterUrl = mkOption {
+        default = "localhost:9989";
+        type = types.str;
+        description = "Specifies the Buildbot Worker connection string.";
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.buildbot-worker;
+        description = "Package to use for buildbot worker.";
+        example = pkgs.buildbot-worker;
+      };
+
+      packages = mkOption {
+        default = [ ];
+        example = [ pkgs.git ];
+        type = types.listOf types.package;
+        description = "Packages to add to PATH for the buildbot process.";
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.extraGroups = optional (cfg.group == "bbworker") {
+      name = "bbworker";
+    };
+
+    users.extraUsers = optional (cfg.user == "bbworker") {
+      name = "bbworker";
+      description = "Buildbot Worker User.";
+      isNormalUser = true;
+      createHome = true;
+      home = cfg.home;
+      group = cfg.group;
+      extraGroups = cfg.extraGroups;
+      useDefaultShell = true;
+    };
+
+    systemd.services.buildbot-worker = {
+      description = "Buildbot Worker.";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "buildbot-master.service" ];
+      path = cfg.packages;
+
+      preStart = ''
+        # NOTE: ensure master has time to start in case running on localhost
+        ${pkgs.coreutils}/bin/sleep 4
+        ${pkgs.coreutils}/bin/mkdir -vp ${cfg.buildbotDir}
+        ${cfg.package}/bin/buildbot-worker create-worker ${cfg.buildbotDir} ${cfg.masterUrl} ${cfg.workerUser} ${cfg.workerPass}
+      '';
+
+      serviceConfig = {
+        Type = "forking";
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.home;
+        ExecStart = "${cfg.package}/bin/buildbot-worker start ${cfg.buildbotDir}";
+      };
+
+    };
+  };
+
+  meta.maintainers = with lib.maintainers; [ nand0p ];
+
+}

nixos/modules/services/editors/emacs.xml

@@ -316,10 +316,10 @@ https://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides
       <para>
         If you are not on NixOS or want to install this particular
         Emacs only for yourself, you can do so by adding it to your
-        <filename>~/.nixpkgs/config.nix</filename>
+        <filename>~/.config/nixpkgs/config.nix</filename>
         (see <link xlink:href="http://nixos.org/nixpkgs/manual/#sec-modify-via-packageOverrides">Nixpkgs manual</link>):
         <example>
-          <title>Custom Emacs in <filename>~/.nixpkgs/system.nix</filename></title>
+          <title>Custom Emacs in <filename>~/.config/nixpkgs/config.nix</filename></title>
           <programlisting><![CDATA[
 {
   packageOverrides = super: let self = super.pkgs; in {

nixos/modules/services/hardware/bluetooth.nix

@@ -2,41 +2,7 @@
 
 with lib;
 let
-    bluez-bluetooth = if config.services.xserver.desktopManager.kde4.enable then pkgs.bluez else pkgs.bluez5;
+  bluez-bluetooth = pkgs.bluez;
-
-    configBluez = {
-        description = "Bluetooth Service";
-        serviceConfig = {
-          Type = "dbus";
-          BusName = "org.bluez";
-          ExecStart = "${getBin bluez-bluetooth}/bin/bluetoothd -n";
-        };
-        wantedBy = [ "bluetooth.target" ];
-    };
-
-    configBluez5 =  {
-        description = "Bluetooth Service";
-        serviceConfig = {
-          Type = "dbus";
-          BusName = "org.bluez";
-          ExecStart = "${getBin bluez-bluetooth}/bin/bluetoothd -n";
-          NotifyAccess="main";
-          CapabilityBoundingSet="CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
-          LimitNPROC=1;
-        };
-        wantedBy = [ "bluetooth.target" ];
-    };
-
-    obexConfig = {
-        description = "Bluetooth OBEX service";
-        serviceConfig = {
-          Type = "dbus";
-          BusName = "org.bluez.obex";
-          ExecStart = "${getBin bluez-bluetooth}/bin/obexd";
-        };
-    };
-
-    bluezConfig = if config.services.xserver.desktopManager.kde4.enable then configBluez else configBluez5;
 in
 
 {
@@ -54,14 +20,25 @@ in
   };
 
   ###### implementation
-  
+
   config = mkIf config.hardware.bluetooth.enable {
 
     environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
+
     services.udev.packages = [ bluez-bluetooth ];
+
     services.dbus.packages = [ bluez-bluetooth ];
-    systemd.services."dbus-org.bluez" = bluezConfig;
+
-    systemd.services."dbus-org.bluez.obex" = obexConfig;
+    systemd.packages = [ bluez-bluetooth ];
+
+    systemd.services.bluetooth = {
+      wantedBy = [ "bluetooth.target" ];
+      aliases = [ "dbus-org.bluez.service" ];
+    };
+
+    systemd.user.services.obex = {
+      aliases = [ "dbus-org.bluez.obex.service" ];
+    };
 
   };
 

nixos/modules/services/hardware/illum.nix

@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.illum;
+in {
+
+  options = {
+
+    services.illum = {
+
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Enable illum, a daemon for controlling screen brightness with brightness buttons.
+        '';
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.illum = {
+      description = "Backlight Adjustment Service";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig.ExecStart = "${pkgs.illum}/bin/illum-d";
+    };
+
+  };
+
+}

nixos/modules/services/hardware/sane.nix

@@ -51,7 +51,7 @@ in
         Enable support for SANE scanners.
 
         <note><para>
-          Users in the "scanner" group will gain access to the scanner.
+          Users in the "scanner" group will gain access to the scanner, or the "lp" group if it's also a printer.
         </para></note>
       '';
     };

nixos/modules/services/hardware/trezord.nix

@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.trezord;
+in {
+  
+  ### interface
+
+  options = {
+    services.trezord = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable Trezor bridge daemon, for use with Trezor hardware bitcoin wallets.
+        '';
+      };
+    };
+  };
+  
+  ### implementation
+
+  config = mkIf cfg.enable {
+    services.udev.packages = lib.singleton (pkgs.writeTextFile {
+      name = "trezord-udev-rules";
+      destination = "/etc/udev/rules.d/51-trezor.rules";
+      text = ''
+        SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666", GROUP="dialout", SYMLINK+="trezor%n"
+        KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001",  MODE="0666", GROUP="dialout"
+      '';
+    });
+
+    systemd.services.trezord = {
+      description = "TREZOR Bridge";
+      after = [ "systemd-udev-settle.service" "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [];
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${pkgs.trezord}/bin/trezord -f";
+        User = "trezord";
+      };
+    };
+
+    users.users.trezord = {
+      group = "trezord";
+      description = "Trezor bridge daemon user";
+    };
+
+    users.groups.trezord = {};
+  };
+}
+

nixos/modules/services/mail/postfix.nix

@@ -79,8 +79,6 @@ let
       relay_domains = ${concatStringsSep ", " cfg.relayDomains}
     ''
     + ''
-      local_recipient_maps =
-
       relayhost = ${if cfg.lookupMX || cfg.relayHost == "" then
           cfg.relayHost
         else

nixos/modules/services/misc/geoip-updater.nix

@@ -0,0 +1,300 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.geoip-updater;
+
+  dbBaseUrl = "https://geolite.maxmind.com/download/geoip/database";
+
+  randomizedTimerDelaySec = "3600";
+
+  # Use writeScriptBin instead of writeScript, so that argv[0] (logged to the
+  # journal) doesn't include the long nix store path hash. (Prefixing the
+  # ExecStart= command with '@' doesn't work because we start a shell (new
+  # process) that creates a new argv[0].)
+  geoip-updater = pkgs.writeScriptBin "geoip-updater" ''
+    #!${pkgs.stdenv.shell}
+    skipExisting=0
+    debug()
+    {
+        echo "<7>$@"
+    }
+    info()
+    {
+        echo "<6>$@"
+    }
+    error()
+    {
+        echo "<3>$@"
+    }
+    die()
+    {
+        error "$@"
+        exit 1
+    }
+    waitNetworkOnline()
+    {
+        ret=1
+        for i in $(seq 6); do
+            curl_out=$("${pkgs.curl.bin}/bin/curl" \
+                --silent --fail --show-error --max-time 60 "${dbBaseUrl}" 2>&1)
+            if [ $? -eq 0 ]; then
+                debug "Server is reachable (try $i)"
+                ret=0
+                break
+            else
+                debug "Server is unreachable (try $i): $curl_out"
+                sleep 10
+            fi
+        done
+        return $ret
+    }
+    dbFnameTmp()
+    {
+        dburl=$1
+        echo "${cfg.databaseDir}/.$(basename "$dburl")"
+    }
+    dbFnameTmpDecompressed()
+    {
+        dburl=$1
+        echo "${cfg.databaseDir}/.$(basename "$dburl")" | sed 's/\.\(gz\|xz\)$//'
+    }
+    dbFname()
+    {
+        dburl=$1
+        echo "${cfg.databaseDir}/$(basename "$dburl")" | sed 's/\.\(gz\|xz\)$//'
+    }
+    downloadDb()
+    {
+        dburl=$1
+        curl_out=$("${pkgs.curl.bin}/bin/curl" \
+            --silent --fail --show-error --max-time 900 -L -o "$(dbFnameTmp "$dburl")" "$dburl" 2>&1)
+        if [ $? -ne 0 ]; then
+            error "Failed to download $dburl: $curl_out"
+            return 1
+        fi
+    }
+    decompressDb()
+    {
+        fn=$(dbFnameTmp "$1")
+        ret=0
+        case "$fn" in
+            *.gz)
+                cmd_out=$("${pkgs.gzip}/bin/gzip" --decompress --force "$fn" 2>&1)
+                ;;
+            *.xz)
+                cmd_out=$("${pkgs.xz.bin}/bin/xz" --decompress --force "$fn" 2>&1)
+                ;;
+            *)
+                cmd_out=$(echo "File \"$fn\" is neither a .gz nor .xz file")
+                false
+                ;;
+        esac
+        if [ $? -ne 0 ]; then
+            error "$cmd_out"
+            ret=1
+        fi
+    }
+    atomicRename()
+    {
+        dburl=$1
+        mv "$(dbFnameTmpDecompressed "$dburl")" "$(dbFname "$dburl")"
+    }
+    removeIfNotInConfig()
+    {
+        # Arg 1 is the full path of an installed DB.
+        # If the corresponding database is not specified in the NixOS config we
+        # remove it.
+        db=$1
+        for cdb in ${lib.concatStringsSep " " cfg.databases}; do
+            confDb=$(echo "$cdb" | sed 's/\.\(gz\|xz\)$//')
+            if [ "$(basename "$db")" = "$(basename "$confDb")" ]; then
+                return 0
+            fi
+        done
+        rm "$db"
+        if [ $? -eq 0 ]; then
+            debug "Removed $(basename "$db") (not listed in services.geoip-updater.databases)"
+        else
+            error "Failed to remove $db"
+        fi
+    }
+    removeUnspecifiedDbs()
+    {
+        for f in "${cfg.databaseDir}/"*; do
+            test -f "$f" || continue
+            case "$f" in
+                *.dat|*.mmdb|*.csv)
+                    removeIfNotInConfig "$f"
+                    ;;
+                *)
+                    debug "Not removing \"$f\" (unknown file extension)"
+                    ;;
+            esac
+        done
+    }
+    downloadAndInstall()
+    {
+        dburl=$1
+        if [ "$skipExisting" -eq 1 -a -f "$(dbFname "$dburl")" ]; then
+            debug "Skipping existing file: $(dbFname "$dburl")"
+            return 0
+        fi
+        downloadDb "$dburl" || return 1
+        decompressDb "$dburl" || return 1
+        atomicRename "$dburl" || return 1
+        info "Updated $(basename "$(dbFname "$dburl")")"
+    }
+    for arg in "$@"; do
+        case "$arg" in
+            --skip-existing)
+                skipExisting=1
+                info "Option --skip-existing is set: not updating existing databases"
+                ;;
+            *)
+                error "Unknown argument: $arg";;
+        esac
+    done
+    waitNetworkOnline || die "Network is down (${dbBaseUrl} is unreachable)"
+    test -d "${cfg.databaseDir}" || die "Database directory (${cfg.databaseDir}) doesn't exist"
+    debug "Starting update of GeoIP databases in ${cfg.databaseDir}"
+    all_ret=0
+    for db in ${lib.concatStringsSep " \\\n        " cfg.databases}; do
+        downloadAndInstall "${dbBaseUrl}/$db" || all_ret=1
+    done
+    removeUnspecifiedDbs || all_ret=1
+    if [ $all_ret -eq 0 ]; then
+        info "Completed GeoIP database update in ${cfg.databaseDir}"
+    else
+        error "Completed GeoIP database update in ${cfg.databaseDir}, with error(s)"
+    fi
+    # Hack to work around systemd journal race:
+    # https://github.com/systemd/systemd/issues/2913
+    sleep 2
+    exit $all_ret
+  '';
+
+in
+
+{
+  options = {
+    services.geoip-updater = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Whether to enable periodic downloading of GeoIP databases from
+          maxmind.com. You might want to enable this if you, for instance, use
+          ntopng or Wireshark.
+        '';
+      };
+
+      interval = mkOption {
+        type = types.str;
+        default = "weekly";
+        description = ''
+          Update the GeoIP databases at this time / interval.
+          The format is described in
+          <citerefentry><refentrytitle>systemd.time</refentrytitle>
+          <manvolnum>7</manvolnum></citerefentry>.
+          To prevent load spikes on maxmind.com, the timer interval is
+          randomized by an additional delay of ${randomizedTimerDelaySec}
+          seconds. Setting a shorter interval than this is not recommended.
+        '';
+      };
+
+      databaseDir = mkOption {
+        type = types.path;
+        default = "/var/lib/geoip-databases";
+        description = ''
+          Directory that will contain GeoIP databases.
+        '';
+      };
+
+      databases = mkOption {
+        type = types.listOf types.str;
+        default = [
+          "GeoLiteCountry/GeoIP.dat.gz"
+          "GeoIPv6.dat.gz"
+          "GeoLiteCity.dat.xz"
+          "GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz"
+          "asnum/GeoIPASNum.dat.gz"
+          "asnum/GeoIPASNumv6.dat.gz"
+          "GeoLite2-Country.mmdb.gz"
+          "GeoLite2-City.mmdb.gz"
+        ];
+        description = ''
+          Which GeoIP databases to update. The full URL is ${dbBaseUrl}/ +
+          <literal>the_database</literal>.
+        '';
+      };
+
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    assertions = [
+      { assertion = (builtins.filter
+          (x: builtins.match ".*\.(gz|xz)$" x == null) cfg.databases) == [];
+        message = ''
+          services.geoip-updater.databases supports only .gz and .xz databases.
+
+          Current value:
+          ${toString cfg.databases}
+
+          Offending element(s):
+          ${toString (builtins.filter (x: builtins.match ".*\.(gz|xz)$" x == null) cfg.databases)};
+        '';
+      }
+    ];
+
+    systemd.timers.geoip-updater =
+      { description = "GeoIP Updater Timer";
+        partOf = [ "geoip-updater.service" ];
+        wantedBy = [ "timers.target" ];
+        timerConfig.OnCalendar = cfg.interval;
+        timerConfig.Persistent = "true";
+        timerConfig.RandomizedDelaySec = randomizedTimerDelaySec;
+      };
+
+    systemd.services.geoip-updater = {
+      description = "GeoIP Updater";
+      after = [ "network-online.target" "nss-lookup.target" ];
+      wants = [ "network-online.target" ];
+      preStart = ''
+        mkdir -p "${cfg.databaseDir}"
+        chmod 755 "${cfg.databaseDir}"
+        chown nobody:root "${cfg.databaseDir}"
+      '';
+      serviceConfig = {
+        ExecStart = "${geoip-updater}/bin/geoip-updater";
+        User = "nobody";
+        PermissionsStartOnly = true;
+      };
+    };
+
+    systemd.services.geoip-updater-setup = {
+      description = "GeoIP Updater Setup";
+      after = [ "network-online.target" "nss-lookup.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      conflicts = [ "geoip-updater.service" ];
+      preStart = ''
+        mkdir -p "${cfg.databaseDir}"
+        chmod 755 "${cfg.databaseDir}"
+        chown nobody:root "${cfg.databaseDir}"
+      '';
+      serviceConfig = {
+        ExecStart = "${geoip-updater}/bin/geoip-updater --skip-existing";
+        User = "nobody";
+        PermissionsStartOnly = true;
+        # So it won't be (needlessly) restarted:
+        RemainAfterExit = true;
+      };
+    };
+
+  };
+}

nixos/modules/services/misc/gitlab.nix

@@ -528,8 +528,8 @@ in {
 
         if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
           if ! test -e "${cfg.statePath}/db-created"; then
-            psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
+            psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
-            ${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
+            ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} || true
             touch "${cfg.statePath}/db-created"
           fi
         fi

nixos/modules/services/misc/gogs.nix

@@ -208,6 +208,7 @@ in
         group = "gogs";
         home = cfg.stateDir;
         createHome = true;
+        shell = pkgs.bash;
       };
       extraGroups.gogs.gid = config.ids.gids.gogs;
     };

nixos/modules/services/misc/ihaskell.nix

@@ -20,18 +20,6 @@ in
         description = "Autostart an IHaskell notebook service.";
       };
 
-      haskellPackages = mkOption {
-        default = pkgs.haskellPackages;
-        defaultText = "pkgs.haskellPackages";
-        example = literalExample "pkgs.haskell.packages.ghc784";
-        description = ''
-          haskellPackages used to build IHaskell and other packages.
-          This can be used to change the GHC version used to build
-          IHaskell and the packages listed in
-          <varname>extraPackages</varname>.
-        '';
-      };
-
       extraPackages = mkOption {
         default = self: [];
         example = literalExample ''

nixos/modules/services/misc/ssm-agent.nix

@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  cfg = config.services.ssm-agent;
+
+  # The SSM agent doesn't pay attention to our /etc/os-release yet, and the lsb-release tool
+  # in nixpkgs doesn't seem to work properly on NixOS, so let's just fake the two fields SSM
+  # looks for. See https://github.com/aws/amazon-ssm-agent/issues/38 for upstream fix.
+  fake-lsb-release = pkgs.writeScriptBin "lsb_release" ''
+    #!${pkgs.stdenv.shell}
+
+    case "$1" in
+      -i) echo "nixos";;
+      -r) echo "${config.system.nixosVersion}";;
+    esac
+  '';
+in {
+  options.services.ssm-agent = {
+    enable = mkEnableOption "AWS SSM agent";
+
+    package = mkOption {
+      type = types.path;
+      description = "The SSM agent package to use";
+      default = pkgs.ssm-agent;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.ssm-agent = {
+      inherit (cfg.package.meta) description;
+      after    = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = [ fake-lsb-release ];
+      serviceConfig = {
+        ExecStart = "${cfg.package.bin}/bin/agent";
+        KillMode = "process";
+        Restart = "on-failure";
+        RestartSec = "15min";
+      };
+    };
+  };
+}
+

nixos/modules/services/misc/taskserver/default.nix

@@ -125,10 +125,10 @@ let
       server.key = ${cfg.dataDir}/keys/server.key
       server.crl = ${cfg.dataDir}/keys/server.crl
     '' else ''
-      ca.cert = ${cfg.pki.ca.cert}
+      ca.cert = ${cfg.pki.manual.ca.cert}
-      server.cert = ${cfg.pki.server.cert}
+      server.cert = ${cfg.pki.manual.server.cert}
-      server.key = ${cfg.pki.server.key}
+      server.key = ${cfg.pki.manual.server.key}
-      server.crl = ${cfg.pki.server.crl}
+      server.crl = ${cfg.pki.manual.server.crl}
     ''}
   '' + cfg.extraConfig);
 

nixos/modules/services/monitoring/grafana.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ options, config, lib, pkgs, ... }:
 
 with lib;
 
@@ -232,9 +232,10 @@ in {
   };
 
   config = mkIf cfg.enable {
-    warnings = [
+    warnings = optional (
-      "Grafana passwords will be stored as plaintext in the Nix store!"
+      cfg.database.password != options.services.grafana.database.password.default ||
-    ];
+      cfg.security.adminPassword != options.services.grafana.security.adminPassword.default
+    ) "Grafana passwords will be stored as plaintext in the Nix store!";
 
     environment.systemPackages = [ cfg.package ];
 

nixos/modules/services/network-filesystems/glusterfs.nix

@@ -0,0 +1,84 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  inherit (pkgs) glusterfs;
+
+  cfg = config.services.glusterfs;
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.glusterfs = {
+
+      enable = mkEnableOption "GlusterFS Daemon";
+
+      logLevel = mkOption {
+        type = types.enum ["DEBUG" "INFO" "WARNING" "ERROR" "CRITICAL" "TRACE" "NONE"];
+        description = "Log level used by the GlusterFS daemon";
+        default = "INFO";
+      };
+
+      extraFlags = mkOption {
+        type = types.listOf types.str;
+        description = "Extra flags passed to the GlusterFS daemon";
+        default = [];
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.glusterfs ];
+
+    services.rpcbind.enable = true;
+
+    systemd.services.glusterd = {
+
+      description = "GlusterFS, a clustered file-system server";
+
+      wantedBy = [ "multi-user.target" ];
+
+      requires = [ "rpcbind.service" ];
+      after = [ "rpcbind.service" "network.target" "local-fs.target" ];
+      before = [ "network-online.target" ];
+
+      preStart = ''
+        install -m 0755 -d /var/log/glusterfs
+      '';
+
+      serviceConfig = {
+        Type="forking";
+        PIDFile="/run/glusterd.pid";
+        LimitNOFILE=65536;
+        ExecStart="${glusterfs}/sbin/glusterd -p /run/glusterd.pid --log-level=${cfg.logLevel} ${toString cfg.extraFlags}";
+        KillMode="process";
+      };
+    };
+
+    systemd.services.glustereventsd = {
+
+      description = "Gluster Events Notifier";
+
+      wantedBy = [ "multi-user.target" ];
+
+      after = [ "syslog.target" "network.target" ];
+
+      serviceConfig = {
+        Type="simple";
+        Environment="PYTHONPATH=${glusterfs}/usr/lib/python2.7/site-packages";
+        PIDFile="/run/glustereventsd.pid";
+        ExecStart="${glusterfs}/sbin/glustereventsd --pid-file /run/glustereventsd.pid";
+        ExecReload="/bin/kill -SIGUSR2 $MAINPID";
+        KillMode="control-group";
+      };
+    };
+  };
+}

nixos/modules/services/network-filesystems/ipfs.nix

@@ -104,30 +104,72 @@ in
       };
     };
 
-    systemd.services.ipfs = {
+    systemd.services.ipfs-init = {
-      description = "IPFS Daemon";
+      description = "IPFS Initializer";
+
+      after = [ "local-fs.target" ];
+      before = [ "ipfs.service" "ipfs-offline.service" ];
 
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "local-fs.target" ];
       path  = [ pkgs.ipfs pkgs.su pkgs.bash ];
 
       preStart = ''
         install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}
+      '';
+
+      script =  ''
         if [[ ! -d ${cfg.dataDir}/.ipfs ]]; then
           cd ${cfg.dataDir}
-          ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c \
+          ${ipfs}/bin/ipfs init ${optionalString cfg.emptyRepo "-e"}
-             "${ipfs}/bin/ipfs init ${if cfg.emptyRepo then "-e" else ""}"
         fi
-        ${pkgs.su}/bin/su -s ${pkgs.bash}/bin/sh ${cfg.user} -c \
+        ${ipfs}/bin/ipfs --local config Addresses.API ${cfg.apiAddress}
-           "${ipfs}/bin/ipfs --local config Addresses.API ${cfg.apiAddress} && \
+        ${ipfs}/bin/ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}
-            ${ipfs}/bin/ipfs --local config Addresses.Gateway ${cfg.gatewayAddress}"
       '';
 
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        Type = "oneshot";
+        RemainAfterExit = true;
+        PermissionsStartOnly = true;
+      };
+    };
+
+    systemd.services.ipfs = {
+      description = "IPFS Daemon";
+
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "local-fs.target" "ipfs-init.service" ];
+
+      conflicts = [ "ipfs-offline.service" ];
+      wants = [ "ipfs-init.service" ];
+
+      path  = [ pkgs.ipfs ];
+
       serviceConfig = {
         ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags}";
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly = true;
+        Restart = "on-failure";
+        RestartSec = 1;
+      };
+    };
+
+    systemd.services.ipfs-offline = {
+      description = "IPFS Daemon (offline mode)";
+
+      after = [ "local-fs.target" "ipfs-init.service" ];
+
+      conflicts = [ "ipfs.service" ];
+      wants = [ "ipfs-init.service" ];
+
+      path  = [ pkgs.ipfs ];
+
+      serviceConfig = {
+        ExecStart = "${ipfs}/bin/ipfs daemon ${ipfsFlags} --offline";
+        User = cfg.user;
+        Group = cfg.group;
+        Restart = "on-failure";
+        RestartSec = 1;
       };
     };
   };

nixos/modules/services/network-filesystems/nfsd.nix

@@ -20,6 +20,7 @@ in
 
       server = {
         enable = mkOption {
+          type = types.bool;
           default = false;
           description = ''
             Whether to enable the kernel's NFS server.
@@ -27,6 +28,7 @@ in
         };
 
         exports = mkOption {
+          type = types.lines;
           default = "";
           description = ''
             Contents of the /etc/exports file.  See
@@ -36,6 +38,7 @@ in
         };
 
         hostName = mkOption {
+          type = types.nullOr types.str;
           default = null;
           description = ''
             Hostname or address on which NFS requests will be accepted.
@@ -46,6 +49,7 @@ in
         };
 
         nproc = mkOption {
+          type = types.int;
           default = 8;
           description = ''
             Number of NFS server threads.  Defaults to the recommended value of 8.
@@ -53,11 +57,13 @@ in
         };
 
         createMountPoints = mkOption {
+          type = types.bool;
           default = false;
           description = "Whether to create the mount points in the exports file at startup time.";
         };
 
         mountdPort = mkOption {
+          type = types.nullOr types.int;
           default = null;
           example = 4002;
           description = ''
@@ -66,11 +72,26 @@ in
         };
 
         lockdPort = mkOption {
-          default = 0;
+          type = types.nullOr types.int;
+          default = null;
+          example = 4001;
           description = ''
-            Fix the lockd port number. This can help setting firewall rules for NFS.
+            Use a fixed port for the NFS lock manager kernel module
+            (<literal>lockd/nlockmgr</literal>).  This is useful if the
+            NFS server is behind a firewall.
           '';
         };
+
+        statdPort = mkOption {
+          type = types.nullOr types.int;
+          default = null;
+          example = 4000;
+          description = ''
+            Use a fixed port for <command>rpc.statd</command>. This is
+            useful if the NFS server is behind a firewall.
+          '';
+        };
+
       };
 
     };
@@ -82,60 +103,47 @@ in
 
   config = mkIf cfg.enable {
 
+    services.nfs.extraConfig = ''
+      [nfsd]
+      threads=${toString cfg.nproc}
+      ${optionalString (cfg.hostName != null) "host=${cfg.hostName}"}
+
+      [mountd]
+      ${optionalString (cfg.mountdPort != null) "port=${toString cfg.mountdPort}"}
+
+      [statd]
+      ${optionalString (cfg.statdPort != null) "port=${toString cfg.statdPort}"}
+
+      [lockd]
+      ${optionalString (cfg.lockdPort != null) ''
+        port=${toString cfg.lockdPort}
+        udp-port=${toString cfg.lockdPort}
+      ''}
+    '';
+
     services.rpcbind.enable = true;
 
     boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd
 
-    environment.systemPackages = [ pkgs.nfs-utils ];
-
     environment.etc.exports.source = exports;
 
-    boot.kernelModules = [ "nfsd" ];
+    systemd.services.nfs-server =
-
+      { enable = true;
-    systemd.services.nfsd =
-      { description = "NFS Server";
-
         wantedBy = [ "multi-user.target" ];
 
-        requires = [ "rpcbind.service" "mountd.service" ];
+        preStart =
-        after = [ "rpcbind.service" "mountd.service" "idmapd.service" ];
-        before = [ "statd.service" ];
-
-        path = [ pkgs.nfs-utils ];
-
-        script =
           ''
-            # Create a state directory required by NFSv4.
             mkdir -p /var/lib/nfs/v4recovery
-
-            ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_tcpport=${builtins.toString cfg.lockdPort}
-            ${pkgs.procps}/sbin/sysctl -w fs.nfs.nlm_udpport=${builtins.toString cfg.lockdPort}
-
-            rpc.nfsd \
-              ${if cfg.hostName != null then "-H ${cfg.hostName}" else ""} \
-              ${builtins.toString cfg.nproc}
           '';
-
-        postStop = "rpc.nfsd 0";
-
-        serviceConfig.Type = "oneshot";
-        serviceConfig.RemainAfterExit = true;
       };
 
-    systemd.services.mountd =
+    systemd.services.nfs-mountd =
-      { description = "NFSv3 Mount Daemon";
+      { enable = true;
-
+        restartTriggers = [ exports ];
-        requires = [ "rpcbind.service" ];
-        after = [ "rpcbind.service" "local-fs.target" ];
-
-        path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
 
         preStart =
           ''
             mkdir -p /var/lib/nfs
-            touch /var/lib/nfs/rmtab
-
-            mountpoint -q /proc/fs/nfsd || mount -t nfsd none /proc/fs/nfsd
 
             ${optionalString cfg.createMountPoints
               ''
@@ -146,18 +154,7 @@ in
                 | xargs -d '\n' mkdir -p
               ''
             }
-
-            exportfs -rav
           '';
-
-        restartTriggers = [ exports ];
-
-        serviceConfig.Type = "forking";
-        serviceConfig.ExecStart = ''
-          @${pkgs.nfs-utils}/sbin/rpc.mountd rpc.mountd \
-              ${if cfg.mountdPort != null then "-p ${toString cfg.mountdPort}" else ""}
-        '';
-        serviceConfig.Restart = "always";
       };
 
   };

nixos/modules/services/networking/asterisk.nix

@@ -17,7 +17,7 @@ let
   allConfFiles =
     cfg.confFiles //
     builtins.listToAttrs (map (x: { name = x;
-                                    value = builtins.readFile (pkgs.asterisk + "/etc/asterisk/" + x); })
+                                    value = builtins.readFile (cfg.package + "/etc/asterisk/" + x); })
                               defaultConfFiles);
 
   asteriskEtc = pkgs.stdenv.mkDerivation
@@ -38,7 +38,7 @@ let
     asteriskConf = ''
       [directories]
       astetcdir => /etc/asterisk
-      astmoddir => ${pkgs.asterisk}/lib/asterisk/modules
+      astmoddir => ${cfg.package}/lib/asterisk/modules
       astvarlibdir => /var/lib/asterisk
       astdbdir => /var/lib/asterisk
       astkeydir => /var/lib/asterisk
@@ -47,7 +47,7 @@ let
       astspooldir => /var/spool/asterisk
       astrundir => /var/run/asterisk
       astlogdir => /var/log/asterisk
-      astsbindir => ${pkgs.asterisk}/sbin
+      astsbindir => ${cfg.package}/sbin
     '';
     extraConf = cfg.extraConfig;
 
@@ -197,11 +197,17 @@ in
           Additional command line arguments to pass to Asterisk.
         '';
       };
+      package = mkOption {
+        type = types.package;
+        default = pkgs.asterisk;
+        defaultText = "pkgs.asterisk";
+        description = "The Asterisk package to use.";
+      };
     };
   };
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.asterisk ];
+    environment.systemPackages = [ cfg.package ];
 
     environment.etc.asterisk.source = asteriskEtc;
 
@@ -234,7 +240,7 @@ in
           # TODO: Make exceptions for /var directories that likely should be updated
           if [ ! -e "$d" ]; then
             mkdir -p "$d"
-            cp --recursive ${pkgs.asterisk}/"$d"/* "$d"/
+            cp --recursive ${cfg.package}/"$d"/* "$d"/
             chown --recursive ${asteriskUser}:${asteriskGroup} "$d"
             find "$d" -type d | xargs chmod 0755
           fi
@@ -247,8 +253,8 @@ in
             # FIXME: This doesn't account for arguments with spaces
             argString = concatStringsSep " " cfg.extraArguments;
           in
-          "${pkgs.asterisk}/bin/asterisk -U ${asteriskUser} -C /etc/asterisk/asterisk.conf ${argString} -F";
+          "${cfg.package}/bin/asterisk -U ${asteriskUser} -C /etc/asterisk/asterisk.conf ${argString} -F";
-        ExecReload = ''${pkgs.asterisk}/bin/asterisk -x "core reload"
+        ExecReload = ''${cfg.package}/bin/asterisk -x "core reload"
           '';
         Type = "forking";
         PIDFile = "/var/run/asterisk/asterisk.pid";

nixos/modules/services/networking/chrony.nix

@@ -12,6 +12,25 @@ let
 
   cfg = config.services.chrony;
 
+  configFile = pkgs.writeText "chrony.conf" ''
+    ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
+
+    ${optionalString
+      cfg.initstepslew.enabled
+      "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
+    }
+
+    driftfile ${stateDir}/chrony.drift
+
+    keyfile ${keyFile}
+
+    ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
+
+    ${cfg.extraConfig}
+  '';
+
+  chronyFlags = "-n -m -u chrony -f ${configFile} ${toString cfg.extraFlags}";
+
 in
 
 {
@@ -58,6 +77,13 @@ in
           <literal>chrony.conf</literal>
         '';
       };
+
+      extraFlags = mkOption {
+        default = [];
+        example = [ "-s" ];
+        type = types.listOf types.str;
+        description = "Extra flags passed to the chronyd command.";
+      };
     };
 
   };
@@ -70,25 +96,6 @@ in
     # Make chronyc available in the system path
     environment.systemPackages = [ pkgs.chrony ];
 
-    environment.etc."chrony.conf".text =
-      ''
-        ${concatMapStringsSep "\n" (server: "server " + server) cfg.servers}
-
-        ${optionalString
-          cfg.initstepslew.enabled
-          "initstepslew ${toString cfg.initstepslew.threshold} ${concatStringsSep " " cfg.initstepslew.servers}"
-        }
-
-        driftfile ${stateDir}/chrony.drift
-
-        keyfile ${keyFile}
-        generatecommandkey
-
-        ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
-
-        ${cfg.extraConfig}
-      '';
-
     users.extraGroups = singleton
       { name = "chrony";
         gid = config.ids.gids.chrony;
@@ -124,7 +131,7 @@ in
           '';
 
         serviceConfig =
-          { ExecStart = "${pkgs.chrony}/bin/chronyd -n -m -u chrony";
+          { ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
           };
       };
 

nixos/modules/services/networking/cjdns.nix

@@ -258,9 +258,8 @@ in
         Restart = "always";
         StartLimitInterval = 0;
         RestartSec = 1;
-        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW";
+        CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID";
-        AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW";
+        ProtectSystem = true;
-        ProtectSystem = "full";
         MemoryDenyWriteExecute = true;
         ProtectHome = true;
         PrivateTmp = true;

nixos/modules/services/networking/dnschain.nix

@@ -3,23 +3,28 @@
 with lib;
 
 let
-  cfg = config.services;
+  cfgs = config.services;
+  cfg  = cfgs.dnschain;
 
-  dnschainConf = pkgs.writeText "dnschain.conf" ''
+  dataDir  = "/var/lib/dnschain";
+  username = "dnschain";
+
+  configFile = pkgs.writeText "dnschain.conf" ''
     [log]
-    level=info
+    level = info
 
     [dns]
-    host = 127.0.0.1
+    host = ${cfg.dns.address}
-    port = 5333
+    port = ${toString cfg.dns.port}
     oldDNSMethod = NO_OLD_DNS
-    # TODO: check what that address is acutally used for
+    externalIP = ${cfg.dns.address}
-    externalIP = 127.0.0.1
 
     [http]
-    host = 127.0.0.1
+    host = ${cfg.api.hostname}
-    port=8088
+    port = ${toString cfg.api.port}
-    tlsPort=4443
+    tlsPort = ${toString cfg.api.tlsPort}
+
+    ${cfg.extraConfig}
   '';
 
 in
@@ -32,28 +37,81 @@ in
 
     services.dnschain = {
 
-      enable = mkOption {
+      enable = mkEnableOption ''
-        type = types.bool;
+        DNSChain, a blockchain based DNS + HTTP server.
-        default = false;
+        To resolve .bit domains set <literal>services.namecoind.enable = true;</literal>
+        and an RPC username/password.
+      '';
+
+      dns.address = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
         description = ''
-          Whether to run dnschain. That implies running
+          The IP address that will be used to reach this machine.
-          namecoind as well, so make sure to configure
+          Leave this unchanged if you do not wish to directly expose the DNSChain resolver.
-          it appropriately.
+        '';
+      };
+
+      dns.port = mkOption {
+        type = types.int;
+        default = 5333;
+        description = ''
+          The port the DNSChain resolver will bind to.
+        '';
+      };
+
+      api.hostname = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = ''
+          The hostname (or IP address) the DNSChain API server will bind to.
+        '';
+      };
+
+      api.port = mkOption {
+        type = types.int;
+        default = 8080;
+        description = ''
+          The port the DNSChain API server (HTTP) will bind to.
+        '';
+      };
+
+      api.tlsPort = mkOption {
+        type = types.int;
+        default = 4433;
+        description = ''
+          The port the DNSChain API server (HTTPS) will bind to.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        example = ''
+          [log]
+          level = debug
+        '';
+        description = ''
+          Additional options that will be appended to the configuration file.
         '';
       };
 
     };
 
-    services.dnsmasq = {
+    services.dnsmasq.resolveDNSChainQueries = mkOption {
-      resolveDnschainQueries = mkOption {
+      type = types.bool;
-        type = types.bool;
+      default = false;
-        default = false;
+      description = ''
-        description = ''
+        Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
-          Resolve <literal>.bit</literal> top-level domains
+      '';
-          with dnschain and namecoind.
+    };
-        '';
-      };
 
+    services.pdns-recursor.resolveDNSChainQueries = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Resolve <literal>.bit</literal> top-level domains using DNSChain and namecoin.
+      '';
     };
 
   };
@@ -61,48 +119,47 @@ in
 
   ###### implementation
 
-  config = mkIf cfg.dnschain.enable {
+  config = mkIf cfg.enable {
 
-    services.namecoind.enable = true;
+    services.dnsmasq.servers = optionals cfgs.dnsmasq.resolveDNSChainQueries
+      [ "/.bit/127.0.0.1#${toString cfg.dns.port}"
+        "/.dns/127.0.0.1#${toString cfg.dns.port}"
+      ];
 
-    services.dnsmasq.servers = optionals cfg.dnsmasq.resolveDnschainQueries [ "/.bit/127.0.0.1#5333" ];
+    services.pdns-recursor.forwardZones = mkIf cfgs.pdns-recursor.resolveDNSChainQueries
-
+      { bit = "127.0.0.1:${toString cfg.dns.port}";
-    users.extraUsers = singleton
+        dns = "127.0.0.1:${toString cfg.dns.port}";
-      { name = "dnschain";
-        uid = config.ids.uids.dnschain;
-        extraGroups = [ "namecoin" ];
-        description = "Dnschain daemon user";
-        home = "/var/lib/dnschain";
-        createHome = true;
       };
 
-    systemd.services.dnschain = {
+    users.extraUsers = singleton {
-        description = "Dnschain Daemon";
+      name = username;
-        after = [ "namecoind.target" ];
+      description = "DNSChain daemon user";
-        wantedBy = [ "multi-user.target" ];
+      home = dataDir;
-        path = [ pkgs.openssl ];
+      createHome = true;
-        preStart = ''
+      uid = config.ids.uids.dnschain;
-          # Link configuration file into dnschain HOME directory
+      extraGroups = optional cfgs.namecoind.enable "namecoin";
-          if [ "$(${pkgs.coreutils}/bin/realpath /var/lib/dnschain/.dnschain.conf)" != "${dnschainConf}" ]; then
+    };
-              rm -rf /var/lib/dnschain/.dnschain.conf
-              ln -s ${dnschainConf} /var/lib/dnschain/.dnschain.conf
-          fi
 
-          # Create empty namecoin.conf so that dnschain is not
+    systemd.services.dnschain = {
-          # searching for /etc/namecoin/namecoin.conf
+      description = "DNSChain daemon";
-          if [ ! -e /var/lib/dnschain/.namecoin/namecoin.conf ]; then
+      after    = optional cfgs.namecoind.enable "namecoind.target";
-              mkdir -p /var/lib/dnschain/.namecoin
+      wantedBy = [ "multi-user.target" ];
-              touch /var/lib/dnschain/.namecoin/namecoin.conf
+
-          fi
+      serviceConfig = {
-        '';
+        User = "dnschain";
-        serviceConfig = {
+        Restart = "on-failure";
-          Type = "simple";
+        ExecStart = "${pkgs.dnschain}/bin/dnschain";
-          User = "dnschain";
+      };
-          EnvironmentFile = config.services.namecoind.userFile;
+
-          ExecStart = "${pkgs.dnschain}/bin/dnschain --rpcuser=\${USER} --rpcpassword=\${PASSWORD} --rpcport=8336";
+      preStart = ''
-          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        # Link configuration file into dnschain home directory
-          ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
+        configPath=${dataDir}/.dnschain/dnschain.conf
-        };
+        mkdir -p ${dataDir}/.dnschain
+        if [ "$(realpath $configPath)" != "${configFile}" ]; then
+          rm -f $configPath
+          ln -s ${configFile} $configPath
+        fi
+      '';
     };
 
   };

nixos/modules/services/networking/firewall.nix

@@ -38,9 +38,9 @@ let
 
   cfg = config.networking.firewall;
 
-  kernelPackages = config.boot.kernelPackages;
+  inherit (config.boot.kernelPackages) kernel;
 
-  kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false;
+  kernelHasRPFilter = ((kernel.config.isEnabled or (x: false)) "IP_NF_MATCH_RPFILTER") || (kernel.features.netfilterRPFilter or false);
 
   helpers =
     ''

nixos/modules/services/networking/i2pd.nix

@@ -8,7 +8,7 @@ let
 
   homeDir = "/var/lib/i2pd";
 
-  extip = "EXTIP=\$(${pkgs.curl.bin}/bin/curl -sf \"http://jsonip.com\" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')";
+  extip = "EXTIP=\$(${pkgs.curl.bin}/bin/curl -sLf \"http://jsonip.com\" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')";
 
   toYesNo = b: if b then "true" else "false";
 

nixos/modules/services/networking/libreswan.nix

@@ -102,7 +102,7 @@ in
       serviceConfig = {
         Type = "simple";
         Restart = "always";
-        EnvironmentFile = "${pkgs.libreswan}/etc/sysconfig/pluto";
+        EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";
         ExecStartPre = [
           "${libexec}/addconn --config ${configFile} --checkconfig"
           "${libexec}/_stackmanager start"

nixos/modules/services/networking/namecoind.nix

@@ -3,25 +3,35 @@
 with lib;
 
 let
-  cfg = config.services.namecoind;
+  cfg     = config.services.namecoind;
+  dataDir = "/var/lib/namecoind";
+  useSSL  = (cfg.rpc.certificate != null) && (cfg.rpc.key != null);
+  useRPC  = (cfg.rpc.user != null) && (cfg.rpc.password != null);
 
-  namecoinConf =
+  listToConf = option: list:
-  let
+    concatMapStrings (value :"${option}=${value}\n") list;
-    useSSL = (cfg.rpcCertificate != null) && (cfg.rpcKey != null);
+
-  in
+  configFile = pkgs.writeText "namecoin.conf" (''
-  pkgs.writeText "namecoin.conf" ''
     server=1
     daemon=0
-    rpcallowip=127.0.0.1
-    walletpath=${cfg.wallet}
-    gen=${if cfg.generate then "1" else "0"}
-    rpcssl=${if useSSL then "1" else "0"}
-    ${optionalString useSSL "rpcsslcertificatechainfile=${cfg.rpcCertificate}"}
-    ${optionalString useSSL "rpcsslprivatekeyfile=${cfg.rpcKey}"}
-    ${optionalString useSSL "rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH"}
     txindex=1
     txprevcache=1
-  '';
+    walletpath=${cfg.wallet}
+    gen=${if cfg.generate then "1" else "0"}
+    ${listToConf "addnode" cfg.extraNodes}
+    ${listToConf "connect" cfg.trustedNodes}
+  '' + optionalString useRPC ''
+    rpcbind=${cfg.rpc.address}
+    rpcport=${toString cfg.rpc.port}
+    rpcuser=${cfg.rpc.user}
+    rpcpassword=${cfg.rpc.password}
+    ${listToConf "rpcallowip" cfg.rpc.allowFrom}
+  '' + optionalString useSSL ''
+    rpcssl=1
+    rpcsslcertificatechainfile=${cfg.rpc.certificate}
+    rpcsslprivatekeyfile=${cfg.rpc.key}
+    rpcsslciphers=TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH
+  '');
 
 in
 
@@ -33,40 +43,17 @@ in
 
     services.namecoind = {
 
-      enable = mkOption {
+      enable = mkEnableOption "namecoind, Namecoin client.";
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to run namecoind.
-        '';
-      };
 
       wallet = mkOption {
         type = types.path;
-        example = "/etc/namecoin/wallet.dat";
+        default = "${dataDir}/wallet.dat";
         description = ''
           Wallet file. The ownership of the file has to be
           namecoin:namecoin, and the permissions must be 0640.
         '';
       };
 
-      userFile = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-        example = "/etc/namecoin/user";
-        description = ''
-          File containing the user name and user password to
-          authenticate RPC connections to namecoind.
-          The content of the file is of the form:
-          <literal>
-          USER=namecoin
-          PASSWORD=secret
-          </literal>
-          The ownership of the file has to be namecoin:namecoin,
-          and the permissions must be 0640.
-        '';
-      };
-
       generate = mkOption {
         type = types.bool;
         default = false;
@@ -75,24 +62,83 @@ in
         '';
       };
 
-      rpcCertificate = mkOption {
+      extraNodes = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = ''
+          List of additional peer IP addresses to connect to.
+        '';
+      };
+
+      trustedNodes = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        description = ''
+          List of the only peer IP addresses to connect to. If specified
+          no other connection will be made.
+        '';
+      };
+
+      rpc.user = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          User name for RPC connections.
+        '';
+      };
+
+      rpc.password = mkOption {
+        type = types.str;
+        default = null;
+        description = ''
+          Password for RPC connections.
+        '';
+      };
+
+      rpc.address = mkOption {
+        type = types.str;
+        default = "0.0.0.0";
+        description = ''
+          IP address the RPC server will bind to.
+        '';
+      };
+
+      rpc.port = mkOption {
+        type = types.int;
+        default = 8332;
+        description = ''
+          Port the RPC server will bind to.
+        '';
+      };
+
+      rpc.certificate = mkOption {
         type = types.nullOr types.path;
         default = null;
-        example = "/etc/namecoin/server.cert";
+        example = "/var/lib/namecoind/server.cert";
         description = ''
           Certificate file for securing RPC connections.
         '';
       };
 
-      rpcKey = mkOption {
+      rpc.key = mkOption {
         type = types.nullOr types.path;
         default = null;
-        example = "/etc/namecoin/server.pem";
+        example = "/var/lib/namecoind/server.pem";
         description = ''
           Key file for securing RPC connections.
         '';
       };
 
+
+      rpc.allowFrom = mkOption {
+        type = types.listOf types.str;
+        default = [ "127.0.0.1" ];
+        description = ''
+          List of IP address ranges allowed to use the RPC API.
+          Wiledcards (*) can be user to specify a range.
+        '';
+      };
+
     };
 
   };
@@ -102,47 +148,54 @@ in
 
   config = mkIf cfg.enable {
 
-    users.extraUsers = singleton
+    services.dnschain.extraConfig = ''
-      { name = "namecoin";
+      [namecoin]
-        uid = config.ids.uids.namecoin;
+      config = ${configFile}
-        description = "Namecoin daemon user";
+    '';
-        home = "/var/lib/namecoin";
-        createHome = true;
-      };
 
-    users.extraGroups = singleton
+    users.extraUsers = singleton {
-      { name = "namecoin";
+      name = "namecoin";
-        gid = config.ids.gids.namecoin;
+      uid  = config.ids.uids.namecoin;
-      };
+      description = "Namecoin daemon user";
+      home = dataDir;
+      createHome = true;
+    };
+
+    users.extraGroups = singleton {
+      name = "namecoin";
+      gid  = config.ids.gids.namecoin;
+    };
 
     systemd.services.namecoind = {
-        description = "Namecoind Daemon";
+      description = "Namecoind daemon";
-        after = [ "network.target" ];
+      after    = [ "network.target" ];
-        wantedBy = [ "multi-user.target" ];
+      wantedBy = [ "multi-user.target" ];
-        preStart = ''
+
-          if [  "$(stat --printf '%u' ${cfg.userFile})" != "${toString config.ids.uids.namecoin}" \
+      serviceConfig = {
-             -o "$(stat --printf '%g' ${cfg.userFile})" != "${toString config.ids.gids.namecoin}" \
+        User  = "namecoin";
-             -o "$(stat --printf '%a' ${cfg.userFile})" != "640" ]; then
+        Griup = "namecoin";
-             echo "ERROR: bad ownership or rights on ${cfg.userFile}" >&2
+        ExecStart  = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${configFile} -datadir=${dataDir} -printtoconsole";
-             exit 1
+        ExecStop   = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
-          fi
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-          if [  "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \
+        Nice = "10";
-             -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \
+        PrivateTmp = true;
-             -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then
+        TimeoutStopSec     = "60s";
-             echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2
+        TimeoutStartSec    = "2s";
-             exit 1
+        Restart            = "always";
-          fi
+        StartLimitInterval = "120s";
-        '';
+        StartLimitBurst    = "5";
-        serviceConfig = {
+      };
-          Type = "simple";
+
-          User = "namecoin";
+      preStart = optionalString (cfg.wallet != "${dataDir}/wallet.dat")  ''
-          EnvironmentFile = cfg.userFile;
+        # check wallet file permissions
-          ExecStart = "${pkgs.altcoins.namecoind}/bin/namecoind -conf=${namecoinConf} -rpcuser=\${USER} -rpcpassword=\${PASSWORD} -printtoconsole";
+        if [ "$(stat --printf '%u' ${cfg.wallet})" != "${toString config.ids.uids.namecoin}" \
-          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+           -o "$(stat --printf '%g' ${cfg.wallet})" != "${toString config.ids.gids.namecoin}" \
-          ExecStop = "${pkgs.coreutils}/bin/kill -KILL $MAINPID";
+           -o "$(stat --printf '%a' ${cfg.wallet})" != "640" ]; then
-          StandardOutput = "null";
+           echo "ERROR: bad ownership or rights on ${cfg.wallet}" >&2
-          Nice = "10";
+           exit 1
-        };
+        fi
+      '';
+
     };
 
   };

nixos/modules/services/networking/nylon.nix

@@ -8,7 +8,7 @@ let
 
   homeDir = "/var/lib/nylon";
 
-  configFile = pkgs.writeText "nylon.conf" ''
+  configFile = cfg: pkgs.writeText "nylon-${cfg.name}.conf" ''
     [General]
     No-Simultaneous-Conn=${toString cfg.nrConnections}
     Log=${if cfg.logging then "1" else "0"}
@@ -22,15 +22,9 @@ let
     Deny-IP=${concatStringsSep " " cfg.deniedIPRanges}
   '';
 
-in
+  nylonOpts = { name, config, ... }: {
 
-{
+    options = {
-
-  ###### interface
-
-  options = {
-
-    services.nylon = {
 
       enable = mkOption {
         type = types.bool;
@@ -40,6 +34,12 @@ in
         '';
       };
 
+      name = mkOption {
+        type = types.str;
+        default = "";
+        description = "The name of this nylon instance.";
+      };
+
       nrConnections = mkOption {
         type = types.int;
         default = 10;
@@ -107,13 +107,51 @@ in
         '';
       };
     };
+    config = { name = mkDefault name; };
+  };
+
+  mkNamedNylon = cfg: {
+    "nylon-${cfg.name}" = {
+      description = "Nylon, a lightweight SOCKS proxy server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig =
+      {
+        User = "nylon";
+        Group = "nylon";
+        WorkingDirectory = homeDir;
+        ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile cfg}";
+      };
+    };
+  };
+
+  anyNylons = collect (p: p ? enable) cfg;
+  enabledNylons = filter (p: p.enable == true) anyNylons;
+  nylonUnits = map (nylon: mkNamedNylon nylon) enabledNylons;
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.nylon = mkOption {
+      default = {};
+      description = "Collection of named nylon instances";
+      type = with types; loaOf (submodule nylonOpts);
+      internal = true;
+      options = [ nylonOpts ];
+    };
+
   };
 
   ###### implementation
 
-  config = mkIf cfg.enable {
+  config = mkIf (length(enabledNylons) > 0) {
 
-    users.extraUsers.nylon= {
+    users.extraUsers.nylon = {
       group = "nylon";
       description = "Nylon SOCKS Proxy";
       home = homeDir;
@@ -123,17 +161,7 @@ in
 
     users.extraGroups.nylon.gid = config.ids.gids.nylon;
 
-    systemd.services.nylon = {
+    systemd.services = fold (a: b: a // b) {} nylonUnits;
-      description = "Nylon, a lightweight SOCKS proxy server";
+
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig =
-      {
-        User = "nylon";
-        Group = "nylon";
-        WorkingDirectory = homeDir;
-        ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile}";
-      };
-    };
   };
 }

nixos/modules/services/networking/quassel.nix

@@ -25,12 +25,12 @@ in
 
       package = mkOption {
         type = types.package;
-        default = pkgs.kde4.quasselDaemon;
+        default = pkgs.quasselDaemon_qt5;
-        defaultText = "pkgs.kde4.quasselDaemon";
+        defaultText = "pkgs.quasselDaemon_qt5";
         description = ''
           The package of the quassel daemon.
         '';
-        example = literalExample "pkgs.quasselDaemon";
+        example = literalExample "pkgs.quasselDaemon_qt5";
       };
 
       interfaces = mkOption {

nixos/modules/services/networking/redsocks.nix

@@ -0,0 +1,270 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.redsocks;
+in
+{
+  ##### interface
+  options = {
+    services.redsocks = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable redsocks.";
+      };
+
+      log_debug = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Log connection progress.";
+      };
+
+      log_info = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Log start and end of client sessions.";
+      };
+
+      log = mkOption {
+        type = types.str;
+        default = "stderr";
+        description =
+          ''
+            Where to send logs.
+
+            Possible values are:
+              - stderr
+              - file:/path/to/file
+              - syslog:FACILITY where FACILITY is any of "daemon", "local0",
+              etc.
+          '';
+      };
+
+      chroot = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        description =
+          ''
+            Chroot under which to run redsocks. Log file is opened before
+            chroot, but if logging to syslog /etc/localtime may be required.
+          '';
+      };
+
+      redsocks = mkOption {
+        description =
+          ''
+            Local port to proxy associations to be performed.
+
+            The example shows how to configure a proxy to handle port 80 as HTTP
+            relay, and all other ports as HTTP connect.
+          '';
+        example = [
+          { port = 23456; proxy = "1.2.3.4:8080"; type = "http-relay";
+            redirectCondition = "--dport 80";
+            doNotRedirect = [ "-d 1.2.0.0/16" ];
+          }
+          { port = 23457; proxy = "1.2.3.4:8080"; type = "http-connect";
+            redirectCondition = true;
+            doNotRedirect = [ "-d 1.2.0.0/16" ];
+          }
+        ];
+        type = types.listOf (types.submodule { options = {
+          ip = mkOption {
+            type = types.str;
+            default = "127.0.0.1";
+            description =
+              ''
+                IP on which redsocks should listen. Defaults to 127.0.0.1 for
+                security reasons.
+              '';
+          };
+
+          port = mkOption {
+            type = types.int;
+            default = 12345;
+            description = "Port on which redsocks should listen.";
+          };
+
+          proxy = mkOption {
+            type = types.str;
+            description =
+              ''
+                Proxy through which redsocks should forward incoming traffic.
+                Example: "example.org:8080"
+              '';
+          };
+
+          type = mkOption {
+            type = types.enum [ "socks4" "socks5" "http-connect" "http-relay" ];
+            description = "Type of proxy.";
+          };
+
+          login = mkOption {
+            type = with types; nullOr str;
+            default = null;
+            description = "Login to send to proxy.";
+          };
+
+          password = mkOption {
+            type = with types; nullOr str;
+            default = null;
+            description =
+              ''
+                Password to send to proxy. WARNING, this will end up
+                world-readable in the store! Awaiting
+                https://github.com/NixOS/nix/issues/8 to be able to fix.
+              '';
+          };
+
+          disclose_src = mkOption {
+            type = types.enum [ "false" "X-Forwarded-For" "Forwarded_ip"
+                                "Forwarded_ipport" ];
+            default = "false";
+            description =
+              ''
+                Way to disclose client IP to the proxy.
+                  - "false": do not disclose
+                http-connect supports the following ways:
+                  - "X-Forwarded-For": add header "X-Forwarded-For: IP"
+                  - "Forwarded_ip": add header "Forwarded: for=IP" (see RFC7239)
+                  - "Forwarded_ipport": add header 'Forwarded: for="IP:port"'
+              '';
+          };
+
+          redirectInternetOnly = mkOption {
+            type = types.bool;
+            default = true;
+            description = "Exclude all non-globally-routable IPs from redsocks";
+          };
+
+          doNotRedirect = mkOption {
+            type = with types; listOf str;
+            default = [];
+            description =
+              ''
+                Iptables filters that if matched will get the packet off of
+                redsocks.
+              '';
+            example = [ "-d 1.2.3.4" ];
+          };
+
+          redirectCondition = mkOption {
+            type = with types; either bool str;
+            default = false;
+            description =
+              ''
+                Conditions to make outbound packets go through this redsocks
+                instance.
+
+                If set to false, no packet will be forwarded. If set to true,
+                all packets will be forwarded (except packets excluded by
+                redirectInternetOnly).
+
+                If set to a string, this is an iptables filter that will be
+                matched against packets before getting them into redsocks. For
+                example, setting it to "--dport 80" will only send
+                packets to port 80 to redsocks. Note "-p tcp" is always
+                implicitly added, as udp can only be proxied through redudp or
+                the like.
+              '';
+          };
+        };});
+      };
+
+      # TODO: Add support for redudp and dnstc
+    };
+  };
+
+  ##### implementation
+  config = let
+    redsocks_blocks = concatMapStrings (block:
+      let proxy = splitString ":" block.proxy; in
+      ''
+        redsocks {
+          local_ip = ${block.ip};
+          local_port = ${toString block.port};
+
+          ip = ${elemAt proxy 0};
+          port = ${elemAt proxy 1};
+          type = ${block.type};
+
+          ${optionalString (block.login != null) "login = \"${block.login}\";"}
+          ${optionalString (block.password != null) "password = \"${block.password}\";"}
+
+          disclose_src = ${block.disclose_src};
+        }
+      '') cfg.redsocks;
+    configfile = pkgs.writeText "redsocks.conf"
+      ''
+        base {
+          log_debug = ${if cfg.log_debug then "on" else "off" };
+          log_info = ${if cfg.log_info then "on" else "off" };
+          log = ${cfg.log};
+
+          daemon = off;
+          redirector = iptables;
+
+          user = redsocks;
+          group = redsocks;
+          ${optionalString (cfg.chroot != null) "chroot = ${cfg.chroot};"}
+        }
+
+        ${redsocks_blocks}
+      '';
+    internetOnly = [ # TODO: add ipv6-equivalent
+      "-d 0.0.0.0/8"
+      "-d 10.0.0.0/8"
+      "-d 127.0.0.0/8"
+      "-d 169.254.0.0/16"
+      "-d 172.16.0.0/12"
+      "-d 192.168.0.0/16"
+      "-d 224.168.0.0/4"
+      "-d 240.168.0.0/4"
+    ];
+    redCond = block:
+      optionalString (isString block.redirectCondition) block.redirectCondition;
+    iptables = concatImapStrings (idx: block:
+      let chain = "REDSOCKS${toString idx}"; doNotRedirect =
+        concatMapStringsSep "\n"
+          (f: "ip46tables -t nat -A ${chain} ${f} -j RETURN 2>/dev/null || true")
+          (block.doNotRedirect ++ (optionals block.redirectInternetOnly internetOnly));
+      in
+      optionalString (block.redirectCondition != false)
+        ''
+          ip46tables -t nat -F ${chain} 2>/dev/null || true
+          ip46tables -t nat -N ${chain} 2>/dev/null || true
+          ${doNotRedirect}
+          ip46tables -t nat -A ${chain} -p tcp -j REDIRECT --to-ports ${toString block.port}
+
+          # TODO: show errors, when it will be easily possible by a switch to
+          # iptables-restore
+          ip46tables -t nat -A OUTPUT -p tcp ${redCond block} -j ${chain} 2>/dev/null || true
+        ''
+    ) cfg.redsocks;
+  in
+    mkIf cfg.enable {
+      users.groups.redsocks = {};
+      users.users.redsocks = {
+        description = "Redsocks daemon";
+        group = "redsocks";
+        isSystemUser = true;
+      };
+
+      systemd.services.redsocks = {
+        description = "Redsocks";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+        script = "${pkgs.redsocks}/bin/redsocks -c ${configfile}";
+      };
+
+      networking.firewall.extraCommands = iptables;
+
+      networking.firewall.extraStopCommands =
+        concatImapStringsSep "\n" (idx: block:
+          let chain = "REDSOCKS${toString idx}"; in
+          optionalString (block.redirectCondition != false)
+            "ip46tables -t nat -D OUTPUT -p tcp ${redCond block} -j ${chain} 2>/dev/null || true"
+        ) cfg.redsocks;
+    };
+}

nixos/modules/services/networking/rpcbind.nix

@@ -2,35 +2,6 @@
 
 with lib;
 
-let
-
-  netconfigFile = {
-    target = "netconfig";
-    source = pkgs.writeText "netconfig" ''
-      #
-      # The network configuration file. This file is currently only used in
-      # conjunction with the TI-RPC code in the libtirpc library.
-      #
-      # Entries consist of:
-      #
-      #       <network_id> <semantics> <flags> <protofamily> <protoname> \
-      #               <device> <nametoaddr_libs>
-      #
-      # The <device> and <nametoaddr_libs> fields are always empty in this
-      # implementation.
-      #
-      udp        tpi_clts      v     inet     udp     -       -
-      tcp        tpi_cots_ord  v     inet     tcp     -       -
-      udp6       tpi_clts      v     inet6    udp     -       -
-      tcp6       tpi_cots_ord  v     inet6    tcp     -       -
-      rawip      tpi_raw       -     inet      -      -       -
-      local      tpi_cots_ord  -     loopback  -      -       -
-      unix       tpi_cots_ord  -     loopback  -      -       -
-    '';
-  };
-
-in
-
 {
 
   ###### interface
@@ -58,25 +29,18 @@ in
   ###### implementation
 
   config = mkIf config.services.rpcbind.enable {
-
     environment.systemPackages = [ pkgs.rpcbind ];
 
-    environment.etc = [ netconfigFile ];
+    systemd.packages = [ pkgs.rpcbind ];
 
-    systemd.services.rpcbind =
+    systemd.services.rpcbind = {
-      { description = "ONC RPC Directory Service";
+      wantedBy = [ "multi-user.target" ];
-
+    };
-        wantedBy = [ "multi-user.target" ];
-
-        requires = [ "basic.target" ];
-        after = [ "basic.target" ];
-
-        unitConfig.DefaultDependencies = false; # don't stop during shutdown
-
-        serviceConfig.Type = "forking";
-        serviceConfig.ExecStart = "@${pkgs.rpcbind}/bin/rpcbind rpcbind";
-      };
 
+    users.extraUsers.rpc = {
+      group = "nogroup";
+      uid = config.ids.uids.rpc;
+    };
   };
 
 }

nixos/modules/services/networking/searx.nix

@@ -34,6 +34,11 @@ in
         ";
       };
 
+      package = mkOption {
+        default = pkgs.pythonPackages.searx;
+        description = "searx package to use.";
+      };
+
     };
 
   };
@@ -61,14 +66,13 @@ in
         wantedBy = [ "multi-user.target" ];
         serviceConfig = {
           User = "searx";
-          ExecStart = "${pkgs.pythonPackages.searx}/bin/searx-run";
+          ExecStart = "${cfg.package}/bin/searx-run";
         };
       } // (optionalAttrs (configFile != "") {
         environment.SEARX_SETTINGS_PATH = configFile;
       });
-        
 
-    environment.systemPackages = [ pkgs.pythonPackages.searx ];
+    environment.systemPackages = [ cfg.package ];
 
   };
 

nixos/modules/services/networking/supplicant.nix

@@ -82,7 +82,8 @@ in
           configFile = {
   
             path = mkOption {
-              type = types.path;
+              type = types.nullOr types.path;
+              default = null;
               example = literalExample "/etc/wpa_supplicant.conf";
               description = ''
                 External <literal>wpa_supplicant.conf</literal> configuration file.

nixos/modules/services/security/hologram-agent.nix

@@ -0,0 +1,57 @@
+{pkgs, config, lib, ...}:
+
+with lib;
+
+let
+  cfg = config.services.hologram-agent;
+
+  cfgFile = pkgs.writeText "hologram-agent.json" (builtins.toJSON {
+    host = cfg.dialAddress;
+  });
+in {
+  options = {
+    services.hologram-agent = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable the Hologram agent for AWS instance credentials";
+      };
+
+      dialAddress = mkOption {
+        type        = types.str;
+        default     = "localhost:3100";
+        description = "Hologram server and port.";
+      };
+
+      httpPort = mkOption {
+        type        = types.str;
+        default     = "80";
+        description = "Port for metadata service to listen on.";
+      };
+
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.interfaces.dummy0 = {
+      ipAddress = "169.254.169.254";
+      prefixLength = 32;
+    };
+
+    systemd.services.hologram-agent = {
+      description = "Provide EC2 instance credentials to machines outside of EC2";
+      after       = [ "network.target" ];
+      wantedBy    = [ "multi-user.target" ];
+      requires    = [ "network-link-dummy0.service" "network-addresses-dummy0.service" ]; 
+      preStart = ''
+        /run/current-system/sw/bin/rm -fv /var/run/hologram.sock
+      '';
+      serviceConfig = {
+        ExecStart = "${pkgs.hologram.bin}/bin/hologram-agent -debug -conf ${cfgFile} -port ${cfg.httpPort}";
+      };
+    };
+
+  };
+
+  meta.maintainers = with lib.maintainers; [ nand0p ];
+}

nixos/modules/services/system/dbus.nix

@@ -20,8 +20,6 @@ let
     "<includedir>${d}/etc/dbus-1/session.d</includedir>"
   ]));
 
-  daemonArgs = "--address=systemd: --nofork --nopidfile --systemd-activation";
-
   configDir = pkgs.runCommand "dbus-conf"
     { preferLocalBuild = true;
       allowSubstitutes = false;
@@ -29,11 +27,6 @@ let
     ''
       mkdir -p $out
 
-      cp ${pkgs.dbus.out}/share/dbus-1/{system,session}.conf $out
-
-      # include by full path
-      sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
-
       sed '${./dbus-system-local.conf.in}' \
         -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
         -e 's,@extra@,${systemExtraxml},' \
@@ -95,6 +88,11 @@ in
 
     environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ];
 
+    environment.etc = singleton
+      { source = configDir;
+        target = "dbus-1";
+      };
+
     users.extraUsers.messagebus = {
       uid = config.ids.uids.messagebus;
       description = "D-Bus system message bus daemon user";
@@ -124,10 +122,6 @@ in
       # Don't restart dbus-daemon. Bad things tend to happen if we do.
       reloadIfChanged = true;
       restartTriggers = [ configDir ];
-      serviceConfig.ExecStart = [
-        "" # Default dbus.service has two entries, we need to override both.
-        "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=/run/current-system/dbus/system.conf ${daemonArgs}"
-      ];
     };
 
     systemd.user = {
@@ -135,18 +129,10 @@ in
         # Don't restart dbus-daemon. Bad things tend to happen if we do.
         reloadIfChanged = true;
         restartTriggers = [ configDir ];
-        serviceConfig.ExecStart = [
-          "" # Default dbus.service has two entries, we need to override both.
-          "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=/run/current-system/dbus/session.conf ${daemonArgs}"
-        ];
       };
       sockets.dbus.wantedBy = mkIf cfg.socketActivated [ "sockets.target" ];
     };
 
     environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ];
-
-    system.extraSystemBuilderCmds = ''
-      ln -s ${configDir} $out/dbus
-    '';
   };
 }

nixos/modules/services/web-servers/apache-httpd/default.nix

@@ -63,6 +63,8 @@ let
       let
         svcFunction =
           if svc ? function then svc.function
+          # instead of using serviceType="mediawiki"; you can copy mediawiki.nix to any location outside nixpkgs, modify it at will, and use serviceExpression=./mediawiki.nix;
+          else if svc ? serviceExpression then import (toString svc.serviceExpression)
           else import (toString "${toString ./.}/${if svc ? serviceType then svc.serviceType else svc.serviceName}.nix");
         config = (evalModules
           { modules = [ { options = res.options; config = svc.config or svc; } ];

nixos/modules/services/web-servers/apache-httpd/moodle.nix

@@ -1,198 +0,0 @@
-{ config, lib, pkgs, serverInfo, php, ... }:
-
-with lib;
-
-let
-
-  httpd = serverInfo.serverConfig.package;
-
-  version24 = !versionOlder httpd.version "2.4";
-
-  allGranted = if version24 then ''
-    Require all granted
-  '' else ''
-    Order allow,deny
-    Allow from all
-  '';
-
-  moodleConfig = pkgs.writeText "config.php"
-    ''
-      <?php
-      unset($CFG);
-      global $CFG;
-      $CFG = new stdClass();
-      $CFG->dbtype    = '${config.dbType}';
-      $CFG->dblibrary = 'native';
-      $CFG->dbhost    = '${config.dbHost}';
-      $CFG->dbname    = '${config.dbName}';
-      $CFG->dbuser    = '${config.dbUser}';
-      $CFG->dbpass    = '${config.dbPassword}';
-      $CFG->prefix    = '${config.dbPrefix}';
-      $CFG->dboptions = array(
-          'dbpersist' => false,
-          'dbsocket'  => false,
-          'dbport'    => "${config.dbPort}",
-      );
-      $CFG->wwwroot   = '${config.wwwRoot}';
-      $CFG->dataroot  = '${config.dataRoot}';
-      $CFG->directorypermissions = 02777;
-      $CFG->admin = 'admin';
-      ${optionalString (config.debug.noEmailEver == true) ''
-        $CFG->noemailever = true;
-      ''}
-
-      ${config.extraConfig}
-      require_once(dirname(__FILE__) . '/lib/setup.php'); // Do not edit
-    '';
-  # Unpack Moodle and put the config file in its root directory.
-  moodleRoot = pkgs.stdenv.mkDerivation rec {
-    name= "moodle-2.8.10";
-
-    src = pkgs.fetchurl {
-      url = "https://download.moodle.org/stable28/${name}.tgz";
-      sha256 = "0c3r5081ipcwc9s6shakllnrkd589y2ln5z5m1q09l4h6a7cy4z2";
-    };
-
-    buildPhase =
-      ''
-      '';
-
-    installPhase =
-      ''
-        mkdir -p $out
-        cp -r * $out
-        cp ${moodleConfig} $out/config.php
-      '';
-    # Marked as broken due to needing an update for security issues.
-    # See: https://github.com/NixOS/nixpkgs/issues/18856
-    meta.broken = true;
-
-  };
-
-in
-
-{
-
-  extraConfig =
-  ''
-    # this should be config.urlPrefix instead of /
-    Alias / ${moodleRoot}/
-    <Directory ${moodleRoot}>
-      DirectoryIndex index.php
-    </Directory>
-  '';
-
-  documentRoot = moodleRoot; # TODO: fix this, should be config.urlPrefix
-
-  enablePHP = true;
-
-  options = {
-
-    id = mkOption {
-      default = "main";
-      description = ''
-        A unique identifier necessary to keep multiple Moodle server
-        instances on the same machine apart.
-      '';
-    };
-
-    dbType = mkOption {
-      default = "postgres";
-      example = "mysql";
-      description = "Database type.";
-    };
-
-    dbName = mkOption {
-      default = "moodle";
-      description = "Name of the database that holds the Moodle data.";
-    };
-
-    dbHost = mkOption {
-      default = "localhost";
-      example = "10.0.2.2";
-      description = ''
-        The location of the database server.
-      '';
-    };
-
-    dbPort = mkOption {
-      default = ""; # use the default port
-      example = "12345";
-      description = ''
-        The port that is used to connect to the database server.
-      '';
-    };
-
-    dbUser = mkOption {
-      default = "moodle";
-      description = "The user name for accessing the database.";
-    };
-
-    dbPassword = mkOption {
-      default = "";
-      example = "password";
-      description = ''
-        The password of the database user.  Warning: this is stored in
-        cleartext in the Nix store!
-      '';
-    };
-
-    dbPrefix = mkOption {
-      default = "mdl_";
-      example = "my_other_mdl_";
-      description = ''
-        A prefix for each table, if multiple moodles should run in a single database.
-      '';
-    };
-
-    wwwRoot = mkOption {
-      type = types.string;
-      example = "http://my.machine.com/my-moodle";
-      description = ''
-        The full web address where moodle has been installed.
-      '';
-    };
-
-    dataRoot = mkOption {
-      default = "/var/lib/moodledata";
-      example = "/var/lib/moodledata";
-      description = ''
-        The data directory for moodle. Needs to be writable!
-      '';
-      type = types.path;
-      };
-
-
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      example =
-        ''
-        '';
-      description = ''
-        Any additional text to be appended to Moodle's
-        configuration file.  This is a PHP script.
-      '';
-    };
-
-    debug = {
-      noEmailEver = mkOption {
-        default = false;
-	example = "true";
-	description = ''
-	  Set this to true to prevent Moodle from ever sending any email.
-	'';
-	};
-    };
-  };
-
-  startupScript = pkgs.writeScript "moodle_startup.sh" ''
-  echo "Checking for existence of ${config.dataRoot}"
-  if [ ! -e "${config.dataRoot}" ]
-  then
-    mkdir -p "${config.dataRoot}"
-    chown ${serverInfo.serverConfig.user}.${serverInfo.serverConfig.group} "${config.dataRoot}"
-  fi
-  '';
-
-}

nixos/modules/services/web-servers/apache-httpd/wordpress.nix

@@ -6,7 +6,7 @@ with lib;
 let
 
   # Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
-  version = "4.7.1";
+  version = "4.7.2";
   fullversion = "${version}";
 
   # Our bare-bones wp-config.php file using the above settings
@@ -75,7 +75,7 @@ let
       owner = "WordPress";
       repo = "WordPress";
       rev = "${fullversion}";
-      sha256 = "1wb4f4zn55d23qi0whsfpbpcd4sjvzswgmni6f5rzrmlawq9ssgr";
+      sha256 = "0vph12708drf8ww0xd05hpdvbyy7n5gj9ca598lhdhy2i1j6wy32";
     };
     installPhase = ''
       mkdir -p $out

nixos/modules/services/web-servers/caddy.nix

@@ -61,6 +61,7 @@ in
         User = "caddy";
         Group = "caddy";
         AmbientCapabilities = "cap_net_bind_service";
+        LimitNOFILE = 8192;
       };
     };
 

nixos/modules/services/web-servers/nginx/default.nix

@@ -16,7 +16,20 @@ let
   ) cfg.virtualHosts;
   enableIPv6 = config.networking.enableIPv6;
 
-  configFile = pkgs.writeText "nginx.conf" ''
+  configFile = pkgs.runCommand "nginx.conf" {
+    inherit configFileUnformatted;
+    passAsFile = [ "configFileUnformatted" ];
+    # configFileUnformatted is created locally, therefore so should this be.
+    preferLocalBuild = true;
+    allowSubstitutes = false;
+  } ''
+    cp ${configFileUnformatted} nginx.conf
+    chmod u+w nginx.conf
+    ${pkgs.nginx-config-formatter}/bin/nginxfmt nginx.conf
+    cp nginx.conf $out
+  '';
+
+  configFileUnformatted = pkgs.writeText "nginx.unformatted.conf" ''
     user ${cfg.user} ${cfg.group};
     error_log stderr;
     daemon off;
@@ -403,7 +416,7 @@ in
         acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME) vhostsConfigs;
         acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
             user = cfg.user;
-            group = cfg.group;
+            group = lib.mkDefault cfg.group;
             webroot = vhostConfig.acmeRoot;
             extraDomains = genAttrs vhostConfig.serverAliases (alias: null);
             postRun = ''

nixos/modules/services/x11/desktop-managers/default.nix

@@ -18,9 +18,8 @@ in
   # determines the default: later modules (if enabled) are preferred.
   # E.g., if KDE is enabled, it supersedes xterm.
   imports = [
-    ./none.nix ./xterm.nix ./xfce.nix ./kde4.nix ./kde5.nix
+    ./none.nix ./xterm.nix ./xfce.nix ./kde5.nix ./lumina.nix
-    ./lumina.nix ./lxqt.nix ./enlightenment.nix ./gnome3.nix
+    ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix
-    ./kodi.nix
   ];
 
   options = {

nixos/modules/services/x11/desktop-managers/enlightenment.nix

@@ -64,7 +64,10 @@ in
 
     security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
 
-    services.xserver.exportConfiguration = true;
+    environment.etc = singleton
+      { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
+        target = "X11/xkb";
+      };
 
     fonts.fonts = [ pkgs.dejavu_fonts pkgs.ubuntu_font_family ];
 

nixos/modules/services/x11/desktop-managers/gnome3.nix

@@ -78,7 +78,7 @@ in {
       };
 
       debug = mkEnableOption "gnome-session debug messages";
-    };  
+    };
 
     environment.gnome3.packageSet = mkOption {
       default = null;
@@ -86,7 +86,7 @@ in {
       description = "Which GNOME 3 package set to use.";
       apply = p: if p == null then pkgs.gnome3 else p;
     };
-    
+
     environment.gnome3.excludePackages = mkOption {
       default = [];
       example = literalExample "[ pkgs.gnome3.totem ]";
@@ -125,6 +125,9 @@ in {
     services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
     services.udev.packages = [ pkgs.gnome3.gnome_settings_daemon ];
 
+    # If gnome3 is installed, build vim for gtk3 too.
+    nixpkgs.config.vim.gui = "gtk3";
+
     fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];
 
     services.xserver.desktopManager.session = singleton

nixos/modules/services/x11/desktop-managers/kde4.nix

@@ -1,190 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  xcfg = config.services.xserver;
-  cfg = xcfg.desktopManager.kde4;
-  xorg = pkgs.xorg;
-  kde_workspace = config.services.xserver.desktopManager.kde4.kdeWorkspacePackage;
-
-  # Disable Nepomuk and Strigi by default.  As of KDE 4.7, they don't
-  # really work very well (e.g. searching files often fails to find
-  # files), segfault sometimes and consume significant resources.
-  # They can be re-enabled in the KDE System Settings under "Desktop
-  # Search".
-  disableNepomuk = pkgs.writeTextFile
-    { name = "nepomuk-config";
-      destination = "/share/config/nepomukserverrc";
-      text =
-        ''
-          [Basic Settings]
-          Start Nepomuk=false
-
-          [Service-nepomukstrigiservice]
-          autostart=false
-        '';
-    };
-
-  phononBackends = {
-    gstreamer = [
-      pkgs.phonon-backend-gstreamer
-      pkgs.gst_all.gstPluginsBase
-      pkgs.gst_all.gstPluginsGood
-      pkgs.gst_all.gstPluginsUgly
-      pkgs.gst_all.gstPluginsBad
-      pkgs.gst_all.gstFfmpeg # for mp3 playback
-      pkgs.gst_all.gstreamer # needed?
-    ];
-
-    vlc = [pkgs.phonon-backend-vlc];
-  };
-
-  phononBackendPackages = flip concatMap cfg.phononBackends
-    (name: attrByPath [name] (throw "unknown phonon backend `${name}'") phononBackends);
-
-in
-
-{
-  options = {
-
-    services.xserver.desktopManager.kde4 = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable the KDE 4 desktop environment.";
-      };
-
-      phononBackends = mkOption {
-        type = types.listOf types.str;
-        default = ["gstreamer"];
-        example = ["gstreamer" "vlc"];
-        description = "Which phonon multimedia backend kde should use";
-      };
-
-      kdeWorkspacePackage = mkOption {
-        internal = true;
-        default = pkgs.kde4.kde_workspace;
-        defaultText = "pkgs.kde4.kde_workspace";
-        type = types.package;
-        description = "Custom kde-workspace, used for NixOS rebranding.";
-      };
-
-      enablePIM = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to enable PIM support. Note that enabling this pulls in Akonadi and MariaDB as dependencies.";
-      };
-
-      enableNepomuk = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Whether to enable Nepomuk (deprecated).";
-      };
-    };
-  };
-
-
-  config = mkIf (xcfg.enable && cfg.enable) {
-
-    # If KDE 4 is enabled, make it the default desktop manager (unless
-    # overridden by the user's configuration).
-    # !!! doesn't work yet ("Multiple definitions. Only one is allowed
-    # for this option.")
-    # services.xserver.desktopManager.default = mkOverride 900 "kde4";
-
-    services.xserver.desktopManager.session = singleton
-      { name = "kde4";
-        bgSupport = true;
-        start =
-          ''
-            # The KDE icon cache is supposed to update itself
-            # automatically, but it uses the timestamp on the icon
-            # theme directory as a trigger.  Since in Nix the
-            # timestamp is always the same, this doesn't work.  So as
-            # a workaround, nuke the icon cache on login.  This isn't
-            # perfect, since it may require logging out after
-            # installing new applications to update the cache.
-            # See http://lists-archives.org/kde-devel/26175-what-when-will-icon-cache-refresh.html
-            rm -fv $HOME/.kde/cache-*/icon-cache.kcache
-
-            # Qt writes a weird ‘libraryPath’ line to
-            # ~/.config/Trolltech.conf that causes the KDE plugin
-            # paths of previous KDE invocations to be searched.
-            # Obviously using mismatching KDE libraries is potentially
-            # disastrous, so here we nuke references to the Nix store
-            # in Trolltech.conf.  A better solution would be to stop
-            # Qt from doing this wackiness in the first place.
-            if [ -e $HOME/.config/Trolltech.conf ]; then
-                sed -e '/nix\\store\|nix\/store/ d' -i $HOME/.config/Trolltech.conf
-            fi
-
-            # Load PulseAudio module for routing support.
-            # See http://colin.guthr.ie/2009/10/so-how-does-the-kde-pulseaudio-support-work-anyway/
-            ${optionalString config.hardware.pulseaudio.enable ''
-              ${getBin config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
-            ''}
-
-            # Start KDE.
-            exec ${kde_workspace}/bin/startkde
-          '';
-      };
-
-    security.wrappers.kcheckpass.source = "${kde_workspace}/lib/kde4/libexec/kcheckpass";
-
-    environment.systemPackages =
-        [ pkgs.kde4.kdelibs
-
-          pkgs.kde4.kde_baseapps # Splitted kdebase
-          kde_workspace
-          pkgs.kde4.kde_runtime
-          pkgs.kde4.konsole
-          pkgs.kde4.kate
-
-          pkgs.kde4.kde_wallpapers # contains kdm's default background
-          pkgs.kde4.oxygen_icons
-
-          # Starts KDE's Polkit authentication agent.
-          pkgs.kde4.polkit_kde_agent
-
-          # Miscellaneous runtime dependencies.
-          pkgs.kde4.qt4 # needed for qdbus
-          pkgs.shared_mime_info
-          xorg.xmessage # so that startkde can show error messages
-          xorg.xset # used by startkde, non-essential
-          xorg.xauth # used by kdesu
-        ]
-      ++ optionals cfg.enablePIM
-        [ pkgs.kde4.kdepim_runtime
-          pkgs.kde4.akonadi
-          pkgs.mysql # used by akonadi
-        ]
-      ++ (if cfg.enableNepomuk then
-        [ pkgs.shared_desktop_ontologies # used by nepomuk
-          pkgs.strigi # used by nepomuk
-          pkgs.virtuoso # to enable Nepomuk to find Virtuoso
-        ] else
-        [ disableNepomuk ])
-      ++ optional config.hardware.pulseaudio.enable pkgs.kde4.kmix  # Perhaps this should always be enabled
-      ++ optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
-      ++ optional config.networking.networkmanager.enable pkgs.kde4.plasma-nm
-      ++ phononBackendPackages;
-
-    environment.pathsToLink = [ "/share" ];
-
-    environment.profileRelativeEnvVars = mkIf (elem "gstreamer" cfg.phononBackends) {
-      GST_PLUGIN_SYSTEM_PATH = [ "/lib/gstreamer-0.10" ];
-    };
-
-    services.xserver.exportConfiguration = true;
-
-    # Enable helpful DBus services.
-    services.udisks2.enable = true;
-    services.upower.enable = config.powerManagement.enable;
-
-    security.pam.services.kde = { allowNullPassword = true; };
-
-  };
-
-}

nixos/modules/services/x11/desktop-managers/kde5.nix

@@ -50,10 +50,6 @@ in
     })
 
     (mkIf (xcfg.enable && cfg.enable) {
-
-      warnings = optional config.services.xserver.desktopManager.kde4.enable
-        "KDE 4 should not be enabled at the same time as KDE 5";
-
       services.xserver.desktopManager.session = singleton {
         name = "kde5";
         bgSupport = true;
@@ -188,7 +184,10 @@ in
 
       environment.pathsToLink = [ "/share" ];
 
-      services.xserver.exportConfiguration = true;
+      environment.etc = singleton {
+        source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
+        target = "X11/xkb";
+      };
 
       environment.variables =
         {

nixos/modules/services/x11/display-managers/default.nix

@@ -1,5 +1,5 @@
 # This module declares the options to define a *display manager*, the
-# program responsible for handling X logins (such as xdm, kdm, gdb, or
+# program responsible for handling X logins (such as xdm, gdb, or
 # SLiM).  The display manager allows the user to select a *session
 # type*.  When the user logs in, the display manager starts the
 # *session script* ("xsession" below) to launch the selected session
@@ -32,6 +32,9 @@ let
     ''
       #! ${pkgs.bash}/bin/bash
 
+      # Handle being called by SDDM.
+      if test "''${1:0:1}" = / ; then eval exec $1 $2 ; fi
+
       ${optionalString cfg.displayManager.logToJournal ''
         if [ -z "$_DID_SYSTEMD_CAT" ]; then
           _DID_SYSTEMD_CAT=1 exec ${config.systemd.package}/bin/systemd-cat -t xsession -- "$0" "$@"
@@ -55,9 +58,6 @@ let
         fi
       ''}
 
-      # Handle being called by kdm.
-      if test "''${1:0:1}" = /; then eval exec "$1"; fi
-
       # Start PulseAudio if enabled.
       ${optionalString (config.hardware.pulseaudio.enable) ''
         ${optionalString (!config.hardware.pulseaudio.systemWide)

nixos/modules/services/x11/display-managers/kdm.nix

@@ -1,158 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  dmcfg = config.services.xserver.displayManager;
-  cfg = dmcfg.kdm;
-
-  inherit (pkgs.kde4) kdebase_workspace;
-
-  defaultConfig =
-    ''
-      [Shutdown]
-      HaltCmd=${config.systemd.package}/sbin/shutdown -h now
-      RebootCmd=${config.systemd.package}/sbin/shutdown -r now
-      ${optionalString (config.system.boot.loader.id == "grub") ''
-        BootManager=${if config.boot.loader.grub.version == 2 then "Grub2" else "Grub"}
-      ''}
-
-      [X-*-Core]
-      Xrdb=${pkgs.xorg.xrdb}/bin/xrdb
-      SessionsDirs=${dmcfg.session.desktops}
-      Session=${dmcfg.session.script}
-      FailsafeClient=${pkgs.xterm}/bin/xterm
-
-      [X-:*-Core]
-      ServerCmd=${dmcfg.xserverBin} ${toString dmcfg.xserverArgs}
-      # KDM calls `rm' somewhere to clean up some temporary directory.
-      SystemPath=${pkgs.coreutils}/bin
-      # The default timeout (15) is too short in a heavily loaded boot process.
-      ServerTimeout=60
-      # Needed to prevent the X server from dying on logout and not coming back:
-      TerminateServer=true
-      ${optionalString (cfg.setupScript != "")
-      ''
-        Setup=${cfg.setupScript}
-      ''} 
-
-      [X-*-Greeter]
-      HiddenUsers=root,${concatStringsSep "," dmcfg.hiddenUsers}
-      PluginsLogin=${kdebase_workspace}/lib/kde4/kgreet_classic.so
-      ${optionalString (cfg.themeDirectory != null)
-      ''
-        UseTheme=true
-        Theme=${cfg.themeDirectory}
-      ''
-      }
-
-      ${optionalString (cfg.enableXDMCP)
-      ''
-        [Xdmcp]
-        Enable=true
-      ''}
-    '';
-
-  kdmrc = pkgs.runCommand "kdmrc"
-    { config = defaultConfig + cfg.extraConfig;
-      preferLocalBuild = true;
-    }
-    ''
-      echo "$config" > $out
-
-      # The default kdmrc would add "-nolisten tcp", and we already
-      # have that managed by nixos. Hence the grep.
-      cat ${kdebase_workspace}/share/config/kdm/kdmrc | grep -v nolisten >> $out
-    '';
-
-in
-
-{
-
-  ###### interface
-
-  options = {
-
-    services.xserver.displayManager.kdm = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable the KDE display manager.
-        '';
-      };
-
-      enableXDMCP = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable XDMCP, which allows remote logins.
-        '';
-      };
-
-      themeDirectory = mkOption {
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
-          The path to a KDM theme directory. This theme
-          will be used by the KDM greeter.
-        '';
-      };
-
-      setupScript = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          The path to a KDM setup script. This script is run as root just
-          before KDM starts. Can be used for setting up
-          monitors with xrandr, for example.
-        '';
-      };
-
-      extraConfig = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Options appended to <filename>kdmrc</filename>, the
-          configuration file of KDM.
-        '';
-      };
-
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-
-    services.xserver.displayManager.slim.enable = false;
-
-    services.xserver.displayManager.job =
-      { execCmd =
-          ''
-            mkdir -m 0755 -p /var/lib/kdm
-            chown kdm /var/lib/kdm
-            ${(optionalString (config.system.boot.loader.id == "grub" && config.system.build.grub != null) "PATH=${config.system.build.grub}/sbin:$PATH ") +
-              "KDEDIRS=/run/current-system/sw exec ${kdebase_workspace}/bin/kdm -config ${kdmrc} -nodaemon -logfile /dev/stderr"}
-          '';
-        logsXsession = true;
-      };
-
-    security.pam.services.kde = { allowNullPassword = true; startSession = true; };
-
-    users.extraUsers = singleton
-      { name = "kdm";
-        uid = config.ids.uids.kdm;
-        description = "KDM user";
-      };
-
-    environment.systemPackages =
-      [ pkgs.kde4.kde_wallpapers ]; # contains kdm's default background
-
-  };
-
-}

nixos/modules/services/x11/terminal-server.nix

@@ -16,18 +16,8 @@ with lib;
     services.xserver.enable = true;
     services.xserver.videoDrivers = [];
 
-    # Enable KDM.  Any display manager will do as long as it supports XDMCP.
+    # Enable GDM.  Any display manager will do as long as it supports XDMCP.
-    services.xserver.displayManager.kdm.enable = true;
+    services.xserver.displayManager.gdm.enable = true;
-    services.xserver.displayManager.kdm.enableXDMCP = true;
-    services.xserver.displayManager.kdm.extraConfig =
-      ''
-        [General]
-        # We're headless, so don't bother starting an X server.
-        StaticServers=
-
-        [Xdmcp]
-        Xaccess=${pkgs.writeText "Xaccess" "localhost"}
-      '';
 
     systemd.sockets.terminal-server =
       { description = "Terminal Server Socket";

nixos/modules/services/x11/xserver.nix

@@ -459,21 +459,31 @@ in
           knownVideoDrivers;
       in optional (driver != null) ({ inherit name; modules = []; driverName = name; } // driver));
 
+    nixpkgs.config.xorg = optionalAttrs (elem "vboxvideo" cfg.videoDrivers) { abiCompat = "1.18"; };
+
     assertions =
       [ { assertion = config.security.polkit.enable;
           message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’).";
         }
       ];
 
-    environment.etc = mkMerge [
+    environment.etc =
-      (mkIf cfg.exportConfiguration {
+      (optionals cfg.exportConfiguration
-        "X11/xorg.conf".source = configFile;
+        [ { source = "${configFile}";
-        "X11/xkb".source = cfg.xkbDir;
+            target = "X11/xorg.conf";
-      })
+          }
+          # -xkbdir command line option does not seems to be passed to xkbcomp.
+          { source = "${cfg.xkbDir}";
+            target = "X11/xkb";
+          }
+        ])
       # Needed since 1.18; see https://bugs.freedesktop.org/show_bug.cgi?id=89023#c5
-      (let cfgPath = "X11/xorg.conf.d/10-evdev.conf"; in
+      ++ (let cfgPath = "/X11/xorg.conf.d/10-evdev.conf"; in
-        { "${cfgPath}".source = xorg.xf86inputevdev.out + "/share" + cfgPath; })
+        [{
-    ];
+          source = xorg.xf86inputevdev.out + "/share" + cfgPath;
+          target = cfgPath;
+        }]
+      );
 
     environment.systemPackages =
       [ xorg.xorgserver.out