Merge branch 'master' of github.com:nixos/nixpkgs into ryghcjs

Conflicts: pkgs/development/libraries/haskell/ghcjs-dom/default.nix pkgs/top-level/haskell-packages.nix
2014-12-27 14:35:01 -05:00 · 2014-12-27 14:35:01 -05:00 · a188373640
commit a188373640
parent 571af5b988 5eba046b5d
1188 changed files with 22802 additions and 11008 deletions
--- a/.version
+++ b/.version
@ -1 +1 @@
-14.11
+15.05
--- a/README.md
+++ b/README.md
@ -1,10 +1,10 @@
-Nixpkgs is a collection of packages for [Nix](http://nixos.org/nix/) package
+Nixpkgs is a collection of packages for [Nix](https://nixos.org/nix/) package
-manager. Nixpkgs also includes [NixOS](http://nixos.org/nixos/) linux distribution source code.
+manager. Nixpkgs also includes [NixOS](https://nixos.org/nixos/) linux distribution source code.
-* [NixOS installation instructions](http://nixos.org/nixos/manual/#ch-installation)
+* [NixOS installation instructions](https://nixos.org/nixos/manual/#ch-installation)
-* [Manual (How to write packages for Nix)](http://nixos.org/nixpkgs/manual/)
+* [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
-* [Manual (NixOS)](http://nixos.org/nixos/manual/)
+* [Manual (NixOS)](https://nixos.org/nixos/manual/)
-* [Continuous build](http://hydra.nixos.org/jobset/nixos/trunk-combined)
+* [Continuous build](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Tests](http://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
+* [Tests](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Mailing list](http://lists.science.uu.nl/mailman/listinfo/nix-dev)
+* [Mailing list](https://lists.science.uu.nl/mailman/listinfo/nix-dev)
 * [IRC - #nixos on freenode.net](irc://irc.freenode.net/#nixos)
--- a/doc/language-support.xml
+++ b/doc/language-support.xml
@ -502,7 +502,7 @@ exist in community to help save time. No tool is preferred at the moment.
 <section xml:id="python-development"><title>Development</title>
  <para>
-    To develop Python packages <function>bulidPythonPackage</function> has
+    To develop Python packages <function>buildPythonPackage</function> has
    additional logic inside <varname>shellPhase</varname> to run
    <command>${python.interpreter} setup.py develop</command> for the package.
  </para>
--- a/doc/old/cross.txt
+++ b/doc/old/cross.txt
@ -184,10 +184,10 @@ if test "$noSysDirs" = "1"; then
    if test "$noSysDirs" = "1"; then
        # Figure out what extra flags to pass to the gcc compilers
        # being generated to make sure that they use our glibc.
-        if test -e $NIX_GCC/nix-support/orig-glibc; then
+        if test -e $NIX_CC/nix-support/orig-glibc; then
-            glibc=$(cat $NIX_GCC/nix-support/orig-glibc)
+            glibc=$(cat $NIX_CC/nix-support/orig-glibc)
            # Ugh.  Copied from gcc-wrapper/builder.sh.  We can't just
-            # source in $NIX_GCC/nix-support/add-flags, since that
+            # source in $NIX_CC/nix-support/add-flags, since that
            # would cause *this* GCC to be linked against the
            # *previous* GCC.  Need some more modularity there.
            extraCFlags="-B$glibc/lib -isystem $glibc/include"
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -135,7 +135,7 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
  };
  gpl1 = spdx {
-    shortName = "GPL-1.0";
+    spdxId = "GPL-1.0";
    fullName = "GNU General Public License v1.0 only";
  };
@ -255,6 +255,11 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
    fullName = "LaTeX Project Public License v1.2";
  };
  lppl13c = spdx {
    spdxId = "LPPL-1.3c";
    fullName = "LaTeX Project Public License v1.3c";
  };
  lpl-102 = spdx {
    spdxId = "LPL-1.02";
    fullName = "Lucent Public License v1.02";
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -26,6 +26,7 @@
  aycanirican = "Aycan iRiCAN <iricanaycan@gmail.com>";
  balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
  bbenoist = "Baptist BENOIST <return_0@live.com>";
  bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
  bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
  berdario = "Dario Bertini <berdario@gmail.com>";
  bergey = "Daniel Bergey <bergey@teallabs.org>";
@ -50,6 +51,7 @@
  davidrusu = "David Rusu <davidrusu.me@gmail.com>";
  dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
  devhell = "devhell <\"^\"@regexmail.net>";
  dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
  doublec = "Chris Double <chris.double@double.co.nz>";
  ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
@ -90,6 +92,7 @@
  jzellner = "Jeff Zellner <jeffz@eml.cc>";
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  koral = "Koral <koral@mailoo.org>";
  kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
  kragniz = "Louis Taylor <kragniz@gmail.com>";
  ktosiek = "Tomasz Kontusz <tomasz.kontusz@gmail.com>";
  lethalman = "Luca Bruno <lucabru@src.gnome.org>";
@ -102,12 +105,14 @@
  manveru = "Michael Fellinger <m.fellinger@gmail.com>";
  marcweber = "Marc Weber <marco-oweber@gmx.de>";
  matejc = "Matej Cotman <cotman.matej@gmail.com>";
  meditans = "Carlo Nucera <meditans@gmail.com>";
  meisternu = "Matt Miemiec <meister@krutt.org>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  modulistic = "Pablo Costa <modulistic@gmail.com>";
  mornfall = "Petr Ročkai <me@mornfall.net>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
  mtreskin = "Max Treskin <zerthurd@gmail.com>";
  muflax = "Stefan Dorn <mail@muflax.com>";
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
@ -124,6 +129,7 @@
  piotr = "Piotr Pietraszkiewicz <ppietrasa@gmail.com>";
  pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
  plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
  prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
  pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
  puffnfresh = "Brian McKenna <brian@brianmckenna.org>";
  qknight = "Joachim Schiele <js@lastlog.de>";
@ -175,6 +181,7 @@
  wjlroe = "William Roe <willroe@gmail.com>";
  wkennington = "William A. Kennington III <william@wkennington.com>";
  wmertens = "Wout Mertens <Wout.Mertens@gmail.com>";
  wscott = "Wayne Scott <wsc9tt@gmail.com>";
  wyvie = "Elijah Rum <elijahrum@gmail.com>";
  yarr = "Dmitry V. <savraz@gmail.com>";
  z77z = "Marco Maggesi <maggesi@math.unifi.it>";
--- a/lib/options.nix
+++ b/lib/options.nix
@ -31,6 +31,23 @@ rec {
    type = lib.types.bool;
  };
  # This option accept anything, but it does not produce any result.  This
  # is useful for sharing a module across different module sets without
  # having to implement similar features as long as the value of the options
  # are not expected.
  mkSinkUndeclaredOptions = attrs: mkOption ({
    internal = true;
    visible = false;
    default = false;
    description = "Sink for option definitions.";
    type = mkOptionType {
      name = "sink";
      check = x: true;
      merge = loc: defs: false;
    };
    apply = x: throw "Option value is not readable because the option is not declared.";
  } // attrs);
  mergeDefaultOption = loc: defs:
    let list = getValues defs; in
    if length list == 1 then head list
--- a/maintainers/docker/Dockerfile
+++ b/maintainers/docker/Dockerfile
@ -1,7 +1,7 @@
 FROM busybox
 RUN dir=`mktemp -d` && trap 'rm -rf "$dir"' EXIT && \
-    wget -O- http://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2  | bzcat | tar x -C $dir && \
+    wget -O- https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2  | bzcat | tar x -C $dir && \
    mkdir -m 0755 /nix && USER=root sh $dir/*/install && \
    echo ". /root/.nix-profile/etc/profile.d/nix.sh" >> /etc/profile
--- a/maintainers/scripts/nix-generate-from-cpan.nix
+++ b/maintainers/scripts/nix-generate-from-cpan.nix
@ -3,7 +3,7 @@
 stdenv.mkDerivation {
  name = "nix-generate-from-cpan-1";
-  buildInputs = [ makeWrapper perl perlPackages.YAMLLibYAML perlPackages.JSON ];
+  buildInputs = [ makeWrapper perl perlPackages.YAMLLibYAML perlPackages.JSON perlPackages.CPANPLUS ];
  unpackPhase = "true";
  buildPhase = "true";
--- a/maintainers/scripts/nix-generate-from-cpan.pl
+++ b/maintainers/scripts/nix-generate-from-cpan.pl
@ -100,7 +100,7 @@ sub get_deps {
    foreach my $n (keys %{$deps}) {
        next if $n eq "perl";
        # Hacky way to figure out if this module is part of Perl.
-        if ($n !~ /^JSON/ && $n !~ /^YAML/) {
+        if ($n !~ /^JSON/ && $n !~ /^YAML/ && $n !~ /^Module::Pluggable/) {
            eval "use $n;";
            if (!$@) {
                print STDERR "skipping Perl-builtin module $n\n";
--- a/maintainers/scripts/patchelf-hints.sh
+++ b/maintainers/scripts/patchelf-hints.sh
@ -62,7 +62,7 @@ for bin in $(find $binaryDist -executable -type f) :; do
        )
        if test "$names" = "glibc"; then names="stdenv.glibc"; fi
-        if echo $names | grep -c "gcc" &> /dev/null; then names="stdenv.gcc.gcc"; fi
+        if echo $names | grep -c "gcc" &> /dev/null; then names="stdenv.cc.gcc"; fi
        if test $lib != $libPath; then
            interpreter="--interpreter \${$names}/lib/$lib"
--- a/maintainers/scripts/update-channel-branches.sh
+++ b/maintainers/scripts/update-channel-branches.sh
@ -0,0 +1,111 @@
 #!/bin/sh
 : ${NIXOS_CHANNELS:=https://nixos.org/channels/}
 : ${CHANNELS_NAMESPACE:=refs/heads/channels/}
 # List all channels which are currently in the repository which we would
 # have to remove if they are not found again.
 deadChannels=$(git for-each-ref --format="%(refname)" $CHANNELS_NAMESPACE)
 function updateRef() {
    local channelName=$1
    local newRev=$2
    # if the inputs are not valid, then we do not update any branch.
    test -z "$newRev" -o -z "$channelName" && return;
    # Update the local refs/heads/channels/* branches to be in-sync with the
    # channel references.
    local branch=$CHANNELS_NAMESPACE$channelName
    oldRev=$(git rev-parse --short $branch 2>/dev/null || true)
    if test "$oldRev" != "$newRev"; then
        if git update-ref $branch $newRev 2>/dev/null; then
            if test -z "$oldRev"; then
                echo " * [new branch]      $newRev           -> ${branch#refs/heads/}"
            else
                echo "                     $oldRev..$newRev  -> ${branch#refs/heads/}"
            fi
        else
            if test -z "$oldRev"; then
                echo " * [missing rev]     $newRev           -> ${branch#refs/heads/}"
            else
                echo "   [missing rev]     $oldRev..$newRev  -> ${branch#refs/heads/}"
            fi
        fi
    fi
    # Filter out the current channel from the list of dead channels.
    deadChannels=$(grep -v $CHANNELS_NAMESPACE$channelName <<EOF
 $deadChannels
 EOF
 )
 }
 # Find the name of all channels which are listed in the directory.
 echo "Fetching channels from $NIXOS_CHANNELS:"
 for channelName in : $(curl -s $NIXOS_CHANNELS | sed -n '/folder/ { s,.*href=",,; s,/".*,,; p }'); do
    test "$channelName" = : && continue;
    # Do not follow redirections, such that we can extract the
    # short-changeset from the name of the directory where we are
    # redirected to.
    sha1=$(curl -sI $NIXOS_CHANNELS$channelName | sed -n '/Location/ { s,.*\.\([a-f0-9]*\)[ \r]*$,\1,; p; }')
    updateRef "remotes/$channelName" "$sha1"
 done
 echo "Fetching channels from nixos-version:"
 if currentSystem=$(nixos-version 2>/dev/null); then
    # If the system is entirely build from a custom nixpkgs version,
    # then the version is not annotated in git version. This sed
    # expression is basically matching that the expressions end with
    # ".<sha1> (Name)" to extract the sha1.
    sha1=$(echo $currentSystem | sed -n 's,^.*\.\([a-f0-9]*\) *(.*)$,\1,; T skip; p; :skip;')
    updateRef current-system "$sha1"
 fi
 echo "Fetching channels from ~/.nix-defexpr:"
 for revFile in : $(find -L ~/.nix-defexpr/ -maxdepth 4 -name svn-revision); do
    test "$revFile" = : && continue;
    # Deconstruct a path such as, into:
    #
    #   /home/luke/.nix-defexpr/channels_root/nixos/nixpkgs/svn-revision
    #     channelName = root/nixos
    #
    #   /home/luke/.nix-defexpr/channels/nixpkgs/svn-revision
    #     channelName = nixpkgs
    #
    user=${revFile#*.nix-defexpr/channels}
    repo=${user#*/}
    repo=${repo%%/*}
    user=${user%%/*}
    user=${user#_}
    test -z "$user" && user=$USER
    channelName="$user${user:+/}$repo"
    sha1=$(cat $revFile | sed -n 's,^.*\.\([a-f0-9]*\)$,\1,; T skip; p; :skip;')
    updateRef "$channelName" "$sha1"
 done
 # Suggest to remove channel branches which are no longer found by this
 # script. This is to handle the cases where a local/remote channel
 # disappear. We should not attempt to remove manually any branches, as they
 # might be user branches.
 if test -n "$deadChannels"; then
    echo "
 Some old channel branches are still in your repository, if you
 want to remove them, run the following command(s):
 "
    while read branch; do
        echo "    git update-ref -d $branch"
    done <<EOF
 $deadChannels
 EOF
    echo
 fi
--- a/nixos/doc/manual/administration/network-problems.xml
+++ b/nixos/doc/manual/administration/network-problems.xml
@ -12,9 +12,9 @@ pre-built binary.  That is, whenever a command like
 <command>nixos-rebuild</command> needs a path in the Nix store, Nix
 will try to download that path from the Internet rather than build it
 from source.  The default binary cache is
-<uri>http://cache.nixos.org/</uri>.  If this cache is unreachable, Nix
+<uri>https://cache.nixos.org/</uri>.  If this cache is unreachable,
-operations may take a long time due to HTTP connection timeouts.  You
+Nix operations may take a long time due to HTTP connection timeouts.
-can disable the use of the binary cache by adding <option>--option
+You can disable the use of the binary cache by adding <option>--option
 use-binary-caches false</option>, e.g.
 <screen>
--- a/nixos/doc/manual/development/sources.xml
+++ b/nixos/doc/manual/development/sources.xml
@ -40,20 +40,22 @@ rebuild everything from source. So you may want to create a local
 branch based on your current NixOS version:
 <screen>
-$ nixos-version
+$ <replaceable>/my/sources</replaceable>/nixpkgs/maintainers/scripts/update-channel-branches.sh
-14.04.273.ea1952b (Baboon)
+Fetching channels from https://nixos.org/channels:
-
+ * [new branch]      cbe467e           -> channels/remotes/nixos-unstable
-$ git checkout -b local ea1952b
+Fetching channels from nixos-version:
 * [new branch]      9ff4738           -> channels/current-system
 Fetching channels from ~/.nix-defexpr:
 * [new branch]      0d4acad           -> channels/root/nixos
 $ git checkout -b local channels/current-system
 </screen>
 Or, to base your local branch on the latest version available in the
 NixOS channel:
 <screen>
-$ curl -sI http://nixos.org/channels/nixos-unstable/ | grep Location
+$ <replaceable>/my/sources</replaceable>/nixpkgs/maintainers/scripts/update-channel-branches.sh
-Location: http://releases.nixos.org/nixos/unstable/nixos-14.10pre43986.acaf4a6/
+$ git checkout -b local channels/remotes/nixos-unstable
 $ git checkout -b local acaf4a6
 </screen>
 You can then use <command>git rebase</command> to sync your local
--- a/nixos/doc/manual/installation/obtaining.xml
+++ b/nixos/doc/manual/installation/obtaining.xml
@ -8,9 +8,14 @@
 <para>NixOS ISO images can be downloaded from the <link
 xlink:href="http://nixos.org/nixos/download.html">NixOS
-homepage</link>.  These can be burned onto a CD.  It is also possible
+homepage</link>.  There are a number of installation options.  If
-to copy them onto a USB stick and install NixOS from there.  For
+you happen to have an optical drive and a spare CD, burning the
-details, see the <link
+image to CD and booting from that is probably the easiest option.
 Most people will need to prepare a USB stick to boot from.
 Unetbootin is recommended and the process is described in brief below.
 Note that systems which use UEFI require some additional manual steps.
 If you run into difficulty a number of alternative methods are presented
 in the <link
 xlink:href="https://nixos.org/wiki/Installing_NixOS_from_a_USB_stick">NixOS
 Wiki</link>.</para>
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@ -15,7 +15,7 @@ been built.  These channels are:
 <itemizedlist>
  <listitem>
    <para>Stable channels, such as <literal
-    xlink:href="http://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
+    xlink:href="https://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
    These only get conservative bug fixes and package upgrades.  For
    instance, a channel update may cause the Linux kernel on your
    system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
@ -26,7 +26,7 @@ been built.  These channels are:
  </listitem>
  <listitem>
    <para>The unstable channel, <literal
-    xlink:href="http://nixos.org/channels/nixos-unstable">nixos-unstable</literal>.
+    xlink:href="https://nixos.org/channels/nixos-unstable">nixos-unstable</literal>.
    This corresponds to NixOS’s main development branch, and may thus
    see radical changes between channel updates.  It’s not recommended
    for production systems.</para>
@ -34,7 +34,7 @@ been built.  These channels are:
 </itemizedlist>
 To see what channels are available, go to <link
-xlink:href="http://nixos.org/channels"/>.  (Note that the URIs of the
+xlink:href="https://nixos.org/channels"/>.  (Note that the URIs of the
 various channels redirect to a directory that contains the channel’s
 latest version and includes ISO images and VirtualBox
 appliances.)</para>
@ -53,20 +53,20 @@ nixos https://nixos.org/channels/nixos-unstable
 To switch to a different NixOS channel, do
 <screen>
-$ nix-channel --add http://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
+$ nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replaceable> nixos
 </screen>
 (Be sure to include the <literal>nixos</literal> parameter at the
 end.)  For instance, to use the NixOS 14.04 stable channel:
 <screen>
-$ nix-channel --add http://nixos.org/channels/nixos-14.04 nixos
+$ nix-channel --add https://nixos.org/channels/nixos-14.04 nixos
 </screen>
 But if you want to live on the bleeding edge:
 <screen>
-$ nix-channel --add http://nixos.org/channels/nixos-unstable nixos
+$ nix-channel --add https://nixos.org/channels/nixos-unstable nixos
 </screen>
 </para>
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@ -10,7 +10,7 @@
 <para>This section lists the release notes for each stable version of NixOS.</para>
 </partintro>
-<xi:include href="rl-1411.xml" />
+<xi:include href="rl-1412.xml" />
 <xi:include href="rl-1404.xml" />
 <xi:include href="rl-1310.xml" />
--- a/nixos/doc/manual/release-notes/rl-1411.xml
+++ b/nixos/doc/manual/release-notes/rl-1411.xml
@ -1,37 +0,0 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
        xmlns:xlink="http://www.w3.org/1999/xlink"
        xmlns:xi="http://www.w3.org/2001/XInclude"
        version="5.0"
        xml:id="sec-release-14.11">
 <title>Release 14.11 (“Caterpillar”, 2014/11/??)</title>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:
 <itemizedlist>
  <listitem><para>The default version of Apache httpd is now 2.4. If
  you use the <option>extraConfig</option> option to pass literal
  Apache configuration text, you may need to update it — see <link
  xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
  documentation</link> for details. If you wish to continue to use
  httpd 2.2, add the following line to your NixOS configuration:
 <programlisting>
 services.httpd.package = pkgs.apacheHttpd_2_2;
 </programlisting>
  </para></listitem>
  <listitem><para>The host side of a container virtual Ethernet pair
  is now called <literal>ve-<replaceable>container-name</replaceable></literal>
  rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
  <listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
 </itemizedlist>
 </para>
 </chapter>
--- a/nixos/doc/manual/release-notes/rl-1412.xml
+++ b/nixos/doc/manual/release-notes/rl-1412.xml
@ -0,0 +1,167 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
        xmlns:xlink="http://www.w3.org/1999/xlink"
        xmlns:xi="http://www.w3.org/2001/XInclude"
        version="5.0"
        xml:id="sec-release-14.12">
 <title>Release 14.12 (“Caterpillar”, 2014/12/??)</title>
 <para>In addition to numerous new and upgraded packages, this release has the following highlights:
 <itemizedlist>
 <listitem><para>Systemd has been updated to version 217, which has numerous
 <link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements
 .</link></para></listitem>
 <listitem><para><link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165">
 Nix has been updated to 1.8.</link></para></listitem>
 <listitem><para>NixOS is now based on Glibc 2.20.</para></listitem>
 <listitem><para>KDE has been updated to 4.14.</para></listitem>
 <listitem><para>The default Linux kernel has been updated to 3.14.</para></listitem>
 <listitem><para><option>users.mutableUsers</option> set to <literal>true</literal> now respect any changes
 made after initial creation of a user or a group.
 </para></listitem>
 </itemizedlist></para>
 <para>Following new services were added since the last release:
 <itemizedlist>
 <listitem><para>parallels-guest</para></listitem>
 <listitem><para>docker</para></listitem>
 <listitem><para>lxc</para></listitem>
 <listitem><para>openvswitch</para></listitem>
 <listitem><para>fluxbox</para></listitem>
 <listitem><para>bspwm</para></listitem>
 <listitem><para>gdm</para></listitem>
 <listitem><para>fcgiwrap</para></listitem>
 <listitem><para>peerflix</para></listitem>
 <listitem><para>fail2ban</para></listitem>
 <listitem><para>chronos</para></listitem>
 <listitem><para>znc</para></listitem>
 <listitem><para>unifi</para></listitem>
 <listitem><para>teamspeak3</para></listitem>
 <listitem><para>strongswan</para></listitem>
 <listitem><para>seeks</para></listitem>
 <listitem><para>radicale</para></listitem>
 <listitem><para>prosody</para></listitem>
 <listitem><para>polipo</para></listitem>
 <listitem><para>openntpd</para></listitem>
 <listitem><para>nsd</para></listitem>
 <listitem><para>mailpile</para></listitem>
 <listitem><para>i2pd</para></listitem>
 <listitem><para>dnscrypt-proxy</para></listitem>
 <listitem><para>consul</para></listitem>
 <listitem><para>atftpd</para></listitem>
 <listitem><para>scollector</para></listitem>
 <listitem><para>collectd</para></listitem>
 <listitem><para>bosun</para></listitem>
 <listitem><para>riemann</para></listitem>
 <listitem><para>zookeeper</para></listitem>
 <listitem><para>uhub</para></listitem>
 <listitem><para>siproxd</para></listitem>
 <listitem><para>redmine</para></listitem>
 <listitem><para>phd</para></listitem>
 <listitem><para>mesos</para></listitem>
 <listitem><para>gitlab</para></listitem>
 <listitem><para>gitolite</para></listitem>
 <listitem><para>etcd</para></listitem>
 <listitem><para>docker-registry</para></listitem>
 <listitem><para>cpuminer-cryptonight</para></listitem>
 <listitem><para>thermald</para></listitem>
 <listitem><para>mlmmj</para></listitem>
 <listitem><para>tcsd</para></listitem>
 <listitem><para>gnome3.seahorse</para></listitem>
 <listitem><para>gnome3.gvfs</para></listitem>
 <listitem><para>gnome3.gnome-online-miners</para></listitem>
 <listitem><para>gnome3.gnome-documents</para></listitem>
 <listitem><para>geoclue2</para></listitem>
 <listitem><para>opentsdb</para></listitem>
 <listitem><para>neo4j</para></listitem>
 <listitem><para>monetdb</para></listitem>
 <listitem><para>influxdb</para></listitem>
 <listitem><para>hbase</para></listitem>
 <listitem><para>torque/mrom</para></listitem>
 <listitem><para>torque/server</para></listitem>
 <listitem><para>kubernetes</para></listitem>
 <listitem><para>fleet</para></listitem>
 <listitem><para>crashplan</para></listitem>
 <listitem><para>mopidy</para></listitem>
 <listitem><para>liquidsoap</para></listitem>
 </itemizedlist>
 </para>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:
 <itemizedlist>
 <listitem><para>The default version of Apache httpd is now 2.4. If
 you use the <option>extraConfig</option> option to pass literal
 Apache configuration text, you may need to update it — see <link
 xlink:href="http://httpd.apache.org/docs/2.4/upgrading.html">Apache’s
 documentation</link> for details. If you wish to continue to use
 httpd 2.2, add the following line to your NixOS configuration:
 rogramlisting>
 rvices.httpd.package = pkgs.apacheHttpd_2_2;
 programlisting>
 </para></listitem>
 <listitem><para>PHP 5.3 has been removed because it is no longer
 supported by the PHP project. A <link
 xlink:href="http://php.net/migration54">migration guide</link> is
 available.</para></listitem>
 <listitem><para>The host side of a container virtual Ethernet pair
 is now called <literal>ve-<replaceable>container-name</replaceable></literal>
 rather than <literal>c-<replaceable>container-name</replaceable></literal>.</para></listitem>
 <listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
 <listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users may be required to run
 <command>rm -rf /tmp.vbox*</command>. <literal>imports = [ &lt;nixpkgs/nixos/modules/programs/virtualbox.nix&gt; ]</literal>
 is no longer necessary, use <literal>services.virtualboxHost.enable = true</literal> instead.
 </para>
 <para>Also, hardening mode is now enabled by default, which means that unless you want to use
 USB support, you no longer need to be a member of the <literal>vboxusers</literal> group.
 </para></listitem>
 <listitem><para>Chromium has been updated to 39.0.2171.65. <option>enablePepperPDF</option> is now enabled by default.
 <literal>chromium*Wrapper</literal> packages no longer exist, because upstream removed NSAPI support.
 <literal>chromium-stable</literal> has been renamed to <literal>chromium</literal>.
 </para></listitem>
 <listitem><para>Python packaging documentation is now part of nixpkgs manual. To override
 the python packages available to a custom python you now use <literal>pkgs.pythonFull.buildEnv.override</literal>
 instead of <literal>pkgs.pythonFull.override</literal>.
 </para></listitem>
 <listitem><para><literal>boot.resumeDevice = "8:6"</literal> is no longer supported. Most users will
 want to leave it undefined, which takes the swap partitions automatically. There is an evaluation
 assertion to ensure that the string starts with a slash.
 </para></listitem>
 <listitem><para>The system-wide default timezone for NixOS installations
 changed from <literal>CET</literal> to <literal>UTC</literal>. To choose
 a different timezone for your system, configure
 <literal>time.timeZone</literal> in
 <literal>configuration.nix</literal>. A fairly complete list of possible
 values for that setting is available at <link
 xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</para></listitem>
 <listitem><para>GNU screen has been updated to 4.2.1, which breaks
 the ability to connect to sessions created by older versions of
 screen.</para></listitem>
 </itemizedlist>
 </para>
 </chapter>
--- a/nixos/lib/eval-config.nix
+++ b/nixos/lib/eval-config.nix
@ -11,15 +11,16 @@
 , prefix ? []
 }:
-let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system; in
+let extraArgs_ = extraArgs; pkgs_ = pkgs; system_ = system;
-
+    extraModules = let e = builtins.getEnv "NIXOS_EXTRA_MODULE_PATH";
-rec {
+                   in if e == "" then [] else [(import (builtins.toPath e))];
 in rec {
  # Merge the option definitions in all modules, forming the full
  # system configuration.
  inherit (pkgs.lib.evalModules {
    inherit prefix;
-    modules = modules ++ baseModules;
+    modules = modules ++ extraModules ++ baseModules;
    args = extraArgs;
    check = check && options.environment.checkConfigurationOptions.value;
  }) config options;
--- a/nixos/lib/make-system-tarball.nix
+++ b/nixos/lib/make-system-tarball.nix
@ -16,6 +16,9 @@
  # symlink to `object' that will be added to the tarball.
  storeContents ? []
  # Extra commands to be executed before archiving files
 , extraCommands ? ""
  # Extra tar arguments
 , extraArgs ? ""
 }:
@ -25,7 +28,7 @@ stdenv.mkDerivation {
  builder = ./make-system-tarball.sh;
  buildInputs = [perl xz];
-  inherit fileName pathsFromGraph extraArgs;
+  inherit fileName pathsFromGraph extraArgs extraCommands;
  # !!! should use XML.
  sources = map (x: x.source) contents;
--- a/nixos/lib/make-system-tarball.sh
+++ b/nixos/lib/make-system-tarball.sh
@ -48,6 +48,8 @@ for ((n = 0; n < ${#objects[*]}; n++)); do
    fi
 done
 $extraCommands
 mkdir -p $out/tarball
 tar cvJf $out/tarball/$fileName.tar.xz * $extraArgs
--- a/nixos/maintainers/scripts/ec2/create-ebs-amis.py
+++ b/nixos/maintainers/scripts/ec2/create-ebs-amis.py
@ -75,7 +75,7 @@ m.run_command("mount {0} /mnt".format(device))
 m.run_command("touch /mnt/.ebs")
 m.run_command("mkdir -p /mnt/etc/nixos")
-m.run_command("nix-channel --add http://nixos.org/channels/nixos-{} nixos".format(args.channel))
+m.run_command("nix-channel --add https://nixos.org/channels/nixos-{} nixos".format(args.channel))
 m.run_command("nix-channel --update")
 version = m.run_command("nix-instantiate --eval-only -A lib.nixpkgsVersion '<nixpkgs>'", capture_stdout=True).split(' ')[0].replace('"','').strip()
--- a/nixos/modules/config/fonts/fontconfig-ultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix
@ -0,0 +1,193 @@
 { config, pkgs, ... }:
 with pkgs.lib;
 let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
 in
 {
  options = {
    fonts = {
      fontconfig = {
        ultimate = {
          enable = mkOption {
            type = types.bool;
            default = true;
            description = ''
              Enable fontconfig-ultimate settings (formerly known as
              Infinality). Besides the customizable settings in this NixOS
              module, fontconfig-ultimate also provides many font-specific
              rendering tweaks.
            '';
          };
          allowBitmaps = mkOption {
            type = types.bool;
            default = true;
            description = ''
              Allow bitmap fonts. Set to <literal>false</literal> to ban all
              bitmap fonts.
            '';
          };
          allowType1 = mkOption {
            type = types.bool;
            default = false;
            description = ''
              Allow Type-1 fonts. Default is <literal>false</literal> because of
              poor rendering.
            '';
          };
          useEmbeddedBitmaps = mkOption {
            type = types.bool;
            default = false;
            description = ''Use embedded bitmaps in fonts like Calibri.'';
          };
          forceAutohint = mkOption {
            type = types.bool;
            default = false;
            description = ''
              Force use of the TrueType Autohinter. Useful for debugging or
              free-software purists.
            '';
          };
          renderMonoTTFAsBitmap = mkOption {
            type = types.bool;
            default = false;
            description = ''Render some monospace TTF fonts as bitmaps.'';
          };
          substitutions = mkOption {
            type = types.str // {
              check = flip elem ["none" "free" "combi" "ms"];
            };
            default = "free";
            description = ''
              Font substitutions to replace common Type 1 fonts with nicer
              TrueType fonts. <literal>free</literal> uses free fonts,
              <literal>ms</literal> uses Microsoft fonts,
              <literal>combi</literal> uses a combination, and
              <literal>none</literal> disables the substitutions.
            '';
          };
          rendering = mkOption {
            type = types.attrs;
            default = pkgs.fontconfig-ultimate.rendering.ultimate;
            description = ''
              FreeType rendering settings presets. The default is
              <literal>pkgs.fontconfig-ultimate.rendering.ultimate</literal>.
              The other available styles are:
              <literal>ultimate-lighter</literal>,
              <literal>ultimate-darker</literal>,
              <literal>ultimate-lightest</literal>,
              <literal>ultimate-darkest</literal>,
              <literal>default</literal> (the original Infinality default),
              <literal>osx</literal>,
              <literal>ipad</literal>,
              <literal>ubuntu</literal>,
              <literal>linux</literal>,
              <literal>winxplight</literal>,
              <literal>win7light</literal>,
              <literal>winxp</literal>,
              <literal>win7</literal>,
              <literal>vanilla</literal>,
              <literal>classic</literal>,
              <literal>nudge</literal>,
              <literal>push</literal>,
              <literal>shove</literal>,
              <literal>sharpened</literal>,
              <literal>infinality</literal>. Any of the presets may be
              customized by editing the attributes. To disable, set this option
              to the empty attribute set <literal>{}</literal>.
            '';
          };
        };
      };
    };
  };
  config =
    let ultimate = config.fonts.fontconfig.ultimate;
        fontconfigUltimateConf = ''
          <?xml version="1.0"?>
          <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
          <fontconfig>
            ${optionalString (!ultimate.allowBitmaps) ''
            <!-- Reject bitmap fonts -->
            <selectfont>
              <rejectfont>
                <pattern>
                  <patelt name="scalable"><bool>false</bool></patelt>
                </pattern>
              </rejectfont>
            </selectfont>
            ''}
            ${optionalString ultimate.allowType1 ''
            <!-- Reject Type 1 fonts -->
            <selectfont>
              <rejectfont>
                <pattern>
                  <patelt name="fontformat">
                    <string>Type 1</string>
                  </patelt>
                </pattern>
              </rejectfont>
            </selectfont>
            ''}
            <!-- Use embedded bitmaps in fonts like Calibri? -->
            <match target="font">
              <edit name="embeddedbitmap" mode="assign">
                ${fcBool ultimate.useEmbeddedBitmaps}
              </edit>
            </match>
            <!-- Force autohint always -->
            <match target="font">
              <edit name="force_autohint" mode="assign">
                ${fcBool ultimate.forceAutohint}
              </edit>
            </match>
            <!-- Render some monospace TTF fonts as bitmaps -->
            <match target="pattern">
              <edit name="bitmap_monospace" mode="assign">
                ${fcBool ultimate.renderMonoTTFAsBitmap}
              </edit>
            </match>
            ${optionalString (ultimate.substitutions != "none") ''
            <!-- Type 1 font substitutions -->
            <include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/presets/${ultimate.substitutions}</include>
            ''}
            <include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/conf.d</include>
          </fontconfig>
        '';
    in mkIf (config.fonts.fontconfig.enable && ultimate.enable) {
      environment.etc."fonts/conf.d/52-fontconfig-ultimate.conf" = {
        text = fontconfigUltimateConf;
      };
      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/52-fontconfig-ultimate.conf" = {
        text = fontconfigUltimateConf;
      };
      environment.variables = ultimate.rendering;
    };
 }
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@ -8,7 +8,8 @@ with lib;
    fonts = {
-      enableFontConfig = mkOption { # !!! should be enableFontconfig
+      fontconfig = {
        enable = mkOption {
          type = types.bool;
          default = true;
          description = ''
@ -20,12 +21,197 @@ with lib;
          '';
        };
        antialias = mkOption {
          type = types.bool;
          default = true;
          description = "Enable font antialiasing.";
        };
        dpi = mkOption {
          type = types.int;
          default = 0;
          description = ''
            Force DPI setting. Setting to <literal>0</literal> disables DPI
            forcing; the DPI detected for the display will be used.
          '';
        };
        defaultFonts = {
          monospace = mkOption {
            type = types.listOf types.str;
            default = ["DejaVu Sans Mono"];
            description = ''
              System-wide default monospace font(s). Multiple fonts may be
              listed in case multiple languages must be supported.
            '';
          };
          sansSerif = mkOption {
            type = types.listOf types.str;
            default = ["DejaVu Sans"];
            description = ''
              System-wide default sans serif font(s). Multiple fonts may be
              listed in case multiple languages must be supported.
            '';
          };
          serif = mkOption {
            type = types.listOf types.str;
            default = ["DejaVu Serif"];
            description = ''
              System-wide default serif font(s). Multiple fonts may be listed
              in case multiple languages must be supported.
            '';
          };
        };
        hinting = {
          enable = mkOption {
            type = types.bool;
            default = true;
            description = "Enable TrueType hinting.";
          };
          autohint = mkOption {
            type = types.bool;
            default = true;
            description = ''
              Enable the autohinter, which provides hinting for otherwise
              un-hinted fonts. The results are usually lower quality than
              correctly-hinted fonts.
            '';
          };
          style = mkOption {
            type = types.str // {
              check = flip elem ["none" "slight" "medium" "full"];
            };
            default = "full";
            description = ''
              TrueType hinting style, one of <literal>none</literal>,
              <literal>slight</literal>, <literal>medium</literal>, or
              <literal>full</literal>.
            '';
          };
        };
        includeUserConf = mkOption {
          type = types.bool;
          default = true;
          description = ''
            Include the user configuration from
            <filename>~/.config/fontconfig/fonts.conf</filename> or
            <filename>~/.config/fontconfig/conf.d</filename>.
          '';
        };
        subpixel = {
          rgba = mkOption {
            type = types.string // {
              check = flip elem ["rgb" "bgr" "vrgb" "vbgr" "none"];
            };
            default = "rgb";
            description = ''
              Subpixel order, one of <literal>none</literal>,
              <literal>rgb</literal>, <literal>bgr</literal>,
              <literal>vrgb</literal>, or <literal>vbgr</literal>.
            '';
          };
          lcdfilter = mkOption {
            type = types.str // {
              check = flip elem ["none" "default" "light" "legacy"];
            };
            default = "default";
            description = ''
              FreeType LCD filter, one of <literal>none</literal>,
              <literal>default</literal>, <literal>light</literal>, or
              <literal>legacy</literal>.
            '';
          };
        };
      };
-  config = mkIf config.fonts.enableFontConfig {
+    };
  };
  config =
    let fontconfig = config.fonts.fontconfig;
        fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
        nixosConf = ''
          <?xml version='1.0'?>
          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
          <fontconfig>
            <!-- Default rendering settings -->
            <match target="font">
              <edit mode="assign" name="hinting">
                ${fcBool fontconfig.hinting.enable}
              </edit>
              <edit mode="assign" name="autohint">
                ${fcBool fontconfig.hinting.autohint}
              </edit>
              <edit mode="assign" name="hintstyle">
                <const>hint${fontconfig.hinting.style}</const>
              </edit>
              <edit mode="assign" name="antialias">
                ${fcBool fontconfig.antialias}
              </edit>
              <edit mode="assign" name="rgba">
                <const>${fontconfig.subpixel.rgba}</const>
              </edit>
              <edit mode="assign" name="lcdfilter">
                <const>lcd${fontconfig.subpixel.lcdfilter}</const>
              </edit>
            </match>
            <!-- Default fonts -->
            ${optionalString (fontconfig.defaultFonts.sansSerif != []) ''
            <alias>
              <family>sans-serif</family>
              <prefer>
                ${concatStringsSep "\n"
                  (map (font: "<family>${font}</family>")
                    fontconfig.defaultFonts.sansSerif)}
              </prefer>
            </alias>
            ''}
            ${optionalString (fontconfig.defaultFonts.serif != []) ''
            <alias>
              <family>serif</family>
              <prefer>
                ${concatStringsSep "\n"
                  (map (font: "<family>${font}</family>")
                    fontconfig.defaultFonts.serif)}
              </prefer>
            </alias>
            ''}
            ${optionalString (fontconfig.defaultFonts.monospace != []) ''
            <alias>
              <family>monospace</family>
              <prefer>
                ${concatStringsSep "\n"
                  (map (font: "<family>${font}</family>")
                    fontconfig.defaultFonts.monospace)}
              </prefer>
            </alias>
            ''}
            ${optionalString (fontconfig.dpi != 0) ''
            <match target="pattern">
              <edit name="dpi" mode="assign">
                <double>${fontconfig.dpi}</double>
              </edit>
            </match>
            ''}
          </fontconfig>
        '';
    in mkIf fontconfig.enable {
      # Fontconfig 2.10 backward compatibility
@ -33,45 +219,37 @@ with lib;
      environment.etc."fonts/fonts.conf".source =
        pkgs.makeFontsConf { fontconfig = pkgs.fontconfig_210; fontDirectories = config.fonts.fonts; };
-    environment.etc."fonts/conf.d/00-nixos.conf".text =
+      environment.etc."fonts/conf.d/98-nixos.conf".text = nixosConf;
      ''
        <?xml version='1.0'?>
        <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
        <fontconfig>
          <!-- Set the default hinting style to "slight". -->
          <match target="font">
            <edit mode="assign" name="hintstyle">
              <const>hintslight</const>
            </edit>
          </match>
        </fontconfig>
      '';
      # Versioned fontconfig > 2.10. Take shared fonts.conf from fontconfig.
      # Otherwise specify only font directories.
      environment.etc."fonts/${pkgs.fontconfig.configVersion}/fonts.conf".source =
        "${pkgs.fontconfig}/etc/fonts/fonts.conf";
      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
        ''
          <?xml version='1.0'?>
          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
          <fontconfig>
          <!-- Set the default hinting style to "slight". -->
          <match target="font">
            <edit mode="assign" name="hintstyle">
              <const>hintslight</const>
            </edit>
          </match>
            <!-- Font directories -->
            ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
          </fontconfig>
        '';
      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/98-nixos.conf".text = nixosConf;
      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/99-user.conf" = {
        enable = fontconfig.includeUserConf;
        text = ''
          <?xml version="1.0"?>
          <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
          <fontconfig>
            <include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
            <include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
          </fontconfig>
        '';
      };
      environment.systemPackages = [ pkgs.fontconfig ];
    };
--- a/nixos/modules/config/fonts/fonts.nix
+++ b/nixos/modules/config/fonts/fonts.nix
@ -25,7 +25,7 @@ with lib;
      [ pkgs.xorg.fontbhttf
        pkgs.xorg.fontbhlucidatypewriter100dpi
        pkgs.xorg.fontbhlucidatypewriter75dpi
-        pkgs.ttf_bitstream_vera
+        pkgs.dejavu_fonts
        pkgs.freefont_ttf
        pkgs.liberation_ttf
        pkgs.xorg.fontbh100dpi
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -140,7 +140,7 @@ in
            '' + optionalString config.services.nscd.enable ''
              # Invalidate the nscd cache whenever resolv.conf is
              # regenerated.
-              libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service'
+              libc_restart='${pkgs.systemd}/bin/systemctl try-restart --no-block nscd.service 2> /dev/null'
            '' + optionalString cfg.dnsSingleRequest ''
              # only send one DNS request at a time
              resolv_conf_options='single-request'
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@ -24,7 +24,7 @@ with lib;
    programs.ssh.setXAuthLocation = false;
    security.pam.services.su.forwardXAuth = lib.mkForce false;
-    fonts.enableFontConfig = false;
+    fonts.fontconfig.enable = false;
    nixpkgs.config.packageOverrides = pkgs:
      { dbus = pkgs.dbus.override { useX11 = false; }; };
--- a/nixos/modules/config/timezone.nix
+++ b/nixos/modules/config/timezone.nix
@ -14,10 +14,14 @@ in
    time = {
      timeZone = mkOption {
-        default = "CET";
+        default = "UTC";
        type = types.str;
        example = "America/New_York";
-        description = "The time zone used when displaying times and dates.";
+        description = ''
          The time zone used when displaying times and dates. See <link
          xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>
          for a comprehensive list of possible values for this setting.
        '';
      };
      hardwareClockInLocalTime = mkOption {
--- a/nixos/modules/hardware/opengl.nix
+++ b/nixos/modules/hardware/opengl.nix
@ -16,7 +16,6 @@ let
      [ p.mesa_drivers
        p.mesa_noglu # mainly for libGL
        (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
        p.udev
      ];
  };
--- a/nixos/modules/installer/cd-dvd/system-tarball-pc-readme.txt
+++ b/nixos/modules/installer/cd-dvd/system-tarball-pc-readme.txt
@ -80,7 +80,7 @@ had booted this nixos. Run:
 *  `grep local-cmds run/current-system/init`
 Then you can proceed normally subscribing to a nixos channel:
-  nix-channel --add http://nixos.org/channels/nixos-unstable
+  nix-channel --add https://nixos.org/channels/nixos-unstable
  nix-channel --update
 Testing:
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -476,14 +476,6 @@ EOF
 EOF
        }
        # Generate a random 32-bit value to use as the host id
        open my $rnd, "<", "/dev/urandom" or die $!;
        read $rnd, $hostIdBin, 4;
        close $rnd;
        # Convert the 32-bit value to a hex string
        my $hostIdHex = unpack("H*", $hostIdBin);
        write_file($fn, <<EOF);
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
@ -499,8 +491,7 @@ EOF
 $bootLoaderConfig
  # networking.hostName = "nixos"; # Define your hostname.
-  networking.hostId = "$hostIdHex";
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.wireless.enable = true;  # Enables wireless.
  # Select internationalisation properties.
  # i18n = {
@ -509,6 +500,9 @@ $bootLoaderConfig
  #   defaultLocale = "en_US.UTF-8";
  # };
  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";
  # List packages installed in system profile. To search by name, run:
  # \$ nix-env -qaP | grep wget
  # environment.systemPackages = with pkgs; [
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@ -30,8 +30,7 @@ while [ "$#" -gt 0 ]; do
    case "$i" in
        -I)
            given_path="$1"; shift 1
-            absolute_path=$(readlink -m $given_path)
+            extraBuildFlags+=("$i" "$given_path")
            extraBuildFlags+=("$i" "/mnt$absolute_path")
            ;;
        --root)
            mountPoint="$1"; shift 1
@ -89,6 +88,12 @@ ln -s /run $mountPoint/var/run
 rm -f $mountPoint/etc/{resolv.conf,hosts}
 cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
 if [ -e "$SSL_CERT_FILE" ]; then
    cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
    export SSL_CERT_FILE=/tmp/ca-cert.crt
    # For Nix 1.7
    export CURL_CA_BUNDLE=/tmp/ca-cert.crt
 fi
 if [ -n "$runChroot" ]; then
    if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
@ -244,7 +249,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 # Ask the user to set a root password.
-if [ -t 0 ] ; then
+if [ "$(chroot $mountPoint nix-instantiate --eval '<nixos>' -A config.users.mutableUsers)" = true ] && [ -t 0 ] ; then
    echo "setting root password..."
    chroot $mountPoint /var/setuid-wrappers/passwd
 fi
--- a/nixos/modules/installer/tools/nixos-option.sh
+++ b/nixos/modules/installer/tools/nixos-option.sh
@ -13,6 +13,7 @@ usage () {
 xml=false
 verbose=false
 nixPath=""
 option=""
@ -26,6 +27,7 @@ for arg; do
        while test "$sarg" != "-"; do
          case $sarg in
            --*) longarg=$arg; sarg="--";;
            -I) argfun="include_nixpath";;
            -*) usage;;
          esac
          # remove the first letter option
@ -53,6 +55,9 @@ for arg; do
        var=$(echo $argfun | sed 's,^set_,,')
        eval $var=$arg
        ;;
      include_nixpath)
        nixPath="-I $arg $nixPath"
        ;;
    esac
    argfun=""
  fi
@ -69,18 +74,114 @@ fi
 #############################
 evalNix(){
-  nix-instantiate - --eval-only "$@"
+  result=$(nix-instantiate ${nixPath:+$nixPath} - --eval-only "$@" 2>&1)
  if test $? -eq 0; then
      cat <<EOF
 $result
 EOF
      return 0;
  else
      sed -n '
  /^error/ { s/, at (string):[0-9]*:[0-9]*//; p; };
  /^warning: Nix search path/ { p; };
 ' <<EOF
 $result
 EOF
      return 1;
  fi
 }
 header="let
  nixos = import <nixpkgs/nixos> {};
  nixpkgs = import <nixpkgs> {};
 in with nixpkgs.lib;
 "
 # This function is used for converting the option definition path given by
 # the user into accessors for reaching the definition and the declaration
 # corresponding to this option.
 generateAccessors(){
  if result=$(evalNix --strict --show-trace <<EOF
 $header
 let
  path = "${option:+$option}";
  pathList = splitString "." path;
  walkOptions = attrsNames: result:
    if attrsNames == [] then
      result
    else
      let name = head attrsNames; rest = tail attrsNames; in
      if isOption result.options then
        walkOptions rest {
          options = result.options.type.getSubOptions "";
          opt = ''(\${result.opt}.type.getSubOptions "")'';
          cfg = ''\${result.cfg}."\${name}"'';
        }
      else
        walkOptions rest {
          options = result.options.\${name};
          opt = ''\${result.opt}."\${name}"'';
          cfg = ''\${result.cfg}."\${name}"'';
        }
    ;
  walkResult = (if path == "" then x: x else walkOptions pathList) {
    options = nixos.options;
    opt = ''nixos.options'';
    cfg = ''nixos.config'';
  };
 in
  ''let option = \${walkResult.opt}; config = \${walkResult.cfg}; in''
 EOF
 )
  then
      echo $result
  else
      # In case of error we want to ignore the error message roduced by the
      # script above, as it is iterating over each attribute, which does not
      # produce a nice error message.  The following code is a fallback
      # solution which is cause a nicer error message in the next
      # evaluation.
      echo "\"let option = nixos.options${option:+.$option}; config = nixos.config${option:+.$option}; in\""
  fi
 }
 header="$header
 $(eval echo $(generateAccessors))
 "
 evalAttr(){
  local prefix="$1"
  local strict="$2"
  local suffix="$3"
-  echo "(import <nixos> {}).$prefix${option:+.$option}${suffix:+.$suffix}" | evalNix ${strict:+--strict}
+
  # If strict is set, then set it to "true".
  test -n "$strict" && strict=true
  evalNix ${strict:+--strict} <<EOF
 $header
 let
  value = $prefix${suffix:+.$suffix};
  strict = ${strict:-false};
  cleanOutput = x: with nixpkgs.lib;
    if isDerivation x then x.outPath
    else if isFunction x then "<CODE>"
    else if strict then
      if isAttrs x then mapAttrs (n: cleanOutput) x
      else if isList x then map cleanOutput x
      else x
    else x;
 in
  cleanOutput value
 EOF
 }
 evalOpt(){
-  evalAttr "options" "" "$@"
+  evalAttr "option" "" "$@"
 }
 evalCfg(){
@ -90,8 +191,11 @@ evalCfg(){
 findSources(){
  local suffix=$1
-  echo "(import <nixos> {}).options${option:+.$option}.$suffix" |
+  evalNix --strict <<EOF
-    evalNix --strict
+$header
 option.$suffix
 EOF
 }
 # Given a result from nix-instantiate, recover the list of attributes it
@ -121,13 +225,12 @@ nixMap() {
 # the output of nixos-option with other tools such as nixos-gui.
 if $xml; then
  evalNix --xml --no-location <<EOF
 $header
 let
  reach = attrs: attrs${option:+.$option};
  nixos = import <nixos> {};
  nixpkgs = import <nixpkgs> {};
  sources = builtins.map (f: f.source);
-  opt = reach nixos.options;
+  opt = option;
-  cfg = reach nixos.config;
+  cfg = config;
 in
 with nixpkgs.lib;
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@ -156,7 +156,7 @@ if [ -n "$buildNix" ]; then
                    exit 1
                fi
                if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
-                    --option extra-binary-caches http://cache.nixos.org/; then
+                    --option extra-binary-caches https://cache.nixos.org/; then
                    echo "warning: don't know how to get latest Nix" >&2
                fi
                # Older version of nix-store -r don't support --add-root.
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -172,6 +172,8 @@
      kubernetes = 162;
      peerflix = 163;
      chronos = 164;
      gitlab = 165;
      tox-bootstrapd = 166;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -212,6 +214,7 @@
      privoxy = 32;
      disnix = 33;
      osgi = 34;
      tor = 35;
      ghostOne = 40;
      git = 41;
      fourstore = 42;
@ -306,6 +309,8 @@
      scollector = 156;
      bosun = 157;
      kubernetes = 158;
      fleet = 159;
      gitlab = 160;
      # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@ -53,7 +53,7 @@ with lib;
      mkDefault (if pathExists fn then readFile fn else "master");
    # Note: code names must only increase in alphabetical order.
-    system.nixosCodeName = "Caterpillar";
+    system.nixosCodeName = "Dingo";
    # Generate /etc/os-release.  See
    # http://0pointer.de/public/systemd-man/os-release.html for the
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1,6 +1,7 @@
 [
  ./config/fonts/corefonts.nix
  ./config/fonts/fontconfig.nix
  ./config/fonts/fontconfig-ultimate.nix
  ./config/fonts/fontdir.nix
  ./config/fonts/fonts.nix
  ./config/fonts/ghostscript.nix
@ -101,6 +102,8 @@
  ./services/backup/rsnapshot.nix
  ./services/backup/sitecopy-backup.nix
  ./services/backup/tarsnap.nix
  ./services/cluster/fleet.nix
  ./services/cluster/kubernetes.nix
  ./services/computing/torque/server.nix
  ./services/computing/torque/mom.nix
  ./services/continuous-integration/jenkins/default.nix
@ -134,6 +137,7 @@
  ./services/desktops/gnome3/seahorse.nix
  ./services/desktops/gnome3/sushi.nix
  ./services/desktops/gnome3/tracker.nix
  ./services/desktops/profile-sync-daemon.nix
  ./services/desktops/telepathy.nix
  ./services/games/ghost-one.nix
  ./services/games/minecraft-server.nix
@ -173,6 +177,7 @@
  ./services/misc/etcd.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/gitlab.nix
  ./services/misc/gitolite.nix
  ./services/misc/gpsd.nix
  ./services/misc/mesos-master.nix
@ -281,6 +286,7 @@
  ./services/networking/tcpcrypt.nix
  ./services/networking/teamspeak3.nix
  ./services/networking/tftpd.nix
  ./services/networking/tox-bootstrapd.nix
  ./services/networking/unbound.nix
  ./services/networking/unifi.nix
  ./services/networking/vsftpd.nix
@ -305,6 +311,7 @@
  ./services/security/torify.nix
  ./services/security/tor.nix
  ./services/security/torsocks.nix
  ./services/system/cloud-init.nix
  ./services/system/dbus.nix
  ./services/system/kerberos.nix
  ./services/system/nscd.nix
@ -400,7 +407,6 @@
  ./virtualisation/container-config.nix
  ./virtualisation/containers.nix
  ./virtualisation/docker.nix
  ./virtualisation/kubernetes.nix
  ./virtualisation/libvirtd.nix
  ./virtualisation/lxc.nix
  #./virtualisation/nova.nix
--- a/nixos/modules/profiles/container.nix
+++ b/nixos/modules/profiles/container.nix
@ -0,0 +1,56 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
 pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
 in {
  # Docker image config.
  imports = [
    ../installer/cd-dvd/channel.nix
    ./minimal.nix
    ./clone-config.nix
  ];
  # Create the tarball
  system.build.tarball = import ../../lib/make-system-tarball.nix {
    inherit (pkgs) stdenv perl xz pathsFromGraph;
    contents = [];
    extraArgs = "--owner=0";
    # Add init script to image
    storeContents = [
      { object = config.system.build.toplevel + "/init";
        symlink = "/init";
      }
    ] ++ (pkgs2storeContents [ pkgs.stdenv ]);
    # Some container managers like lxc need these
    extraCommands = "mkdir -p proc sys dev";
  };
  boot.isContainer = true;
  boot.postBootCommands =
    ''
      # After booting, register the contents of the Nix store in the Nix
      # database.
      if [ -f /nix-path-registration ]; then
        ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
        rm /nix-path-registration
      fi
      # nixos-rebuild also requires a "system" profile
      ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
    '';
  # Disable some features that are not useful in a container.
  sound.enable = mkDefault false;
  services.udisks2.enable = mkDefault false;
  # Install new init script
  system.activationScripts.installInitScript = ''
    ln -fs $systemConfig/init /init
  '';
 }
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -61,7 +61,8 @@ in
      agentTimeout = mkOption {
        type = types.nullOr types.string;
-        default = "1h";
+        default = null;
        example = "1h";
        description = ''
          How long to keep the private keys in memory. Use null to keep them forever.
        '';
--- a/nixos/modules/programs/virtualbox-host.nix
+++ b/nixos/modules/programs/virtualbox-host.nix
@ -3,34 +3,74 @@
 with lib;
 let
-  virtualbox = config.boot.kernelPackages.virtualbox;
+  cfg = config.services.virtualboxHost;
  virtualbox = config.boot.kernelPackages.virtualbox.override {
    inherit (cfg) enableHardening;
  };
 in
 {
-  options = {
+  options.services.virtualboxHost = {
-    services.virtualboxHost.enable = mkEnableOption "VirtualBox Host support";
+    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable host-side support for VirtualBox.
        <note><para>
          In order to pass USB devices from the host to the guests, the user
          needs to be in the <literal>vboxusers</literal> group.
        </para></note>
      '';
    };
-  config = mkIf config.services.virtualboxHost.enable {
+    addNetworkInterface = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Automatically set up a vboxnet0 host-only network interface.
      '';
    };
    enableHardening = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Enable hardened VirtualBox, which ensures that only the binaries in the
        system path get access to the devices exposed by the kernel modules
        instead of all users in the vboxusers group.
        <important><para>
          Disabling this can put your system's security at risk, as local users
          in the vboxusers group can tamper with the VirtualBox device files.
        </para></important>
      '';
    };
  };
  config = mkIf cfg.enable (mkMerge [{
    boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    boot.extraModulePackages = [ virtualbox ];
    environment.systemPackages = [ virtualbox ];
    security.setuidOwners = let
-      mkVboxStub = program: {
+      mkSuid = program: {
        inherit program;
        source = "${virtualbox}/libexec/virtualbox/${program}";
        owner = "root";
        group = "vboxusers";
        setuid = true;
      };
-    in map mkVboxStub [
+    in mkIf cfg.enableHardening (map mkSuid [
      "VBoxBFE"
      "VBoxBalloonCtrl"
      "VBoxHeadless"
-      "VBoxManage"
+      "VBoxNetAdpCtl"
      "VBoxNetDHCP"
      "VBoxNetNAT"
      "VBoxSDL"
      "VBoxVolInfo"
      "VirtualBox"
-    ];
+    ]);
    users.extraGroups.vboxusers.gid = config.ids.gids.vboxusers;
@ -46,7 +86,7 @@ in
      '';
    # Since we lack the right setuid binaries, set up a host-only network by default.
-
+  } (mkIf cfg.addNetworkInterface {
    systemd.services."vboxnet0" =
      { description = "VirtualBox vboxnet0 Interface";
        requires = [ "dev-vboxnetctl.device" ];
@ -55,10 +95,13 @@ in
        path = [ virtualbox ];
        serviceConfig.RemainAfterExit = true;
        serviceConfig.Type = "oneshot";
        serviceConfig.PrivateTmp = true;
        environment.VBOX_USER_HOME = "/tmp";
        script =
          ''
            if ! [ -e /sys/class/net/vboxnet0 ]; then
              VBoxManage hostonlyif create
              cat /tmp/VBoxSVC.log >&2
            fi
          '';
        postStop =
@ -68,5 +111,5 @@ in
      };
    networking.interfaces.vboxnet0.ip4 = [ { address = "192.168.56.1"; prefixLength = 24; } ];
-  };
+  })]);
 }
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -74,6 +74,7 @@ in zipModules ([]
 ++ obsolete [ "environment" "x11Packages" ] [ "environment" "systemPackages" ]
 ++ obsolete [ "environment" "enableBashCompletion" ] [ "programs" "bash" "enableCompletion" ]
 ++ obsolete [ "environment" "nix" ] [ "nix" "package" ]
 ++ obsolete [ "fonts" "enableFontConfig" ] [ "fonts" "fontconfig" "enable" ]
 ++ obsolete [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]
 ++ obsolete [ "security" "extraSetuidPrograms" ] [ "security" "setuidPrograms" ]
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@ -64,7 +64,7 @@ in
    security.sudo.configFile =
      ''
        # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
-        # and security.sudo.extraConfig instead.
+        # or ‘security.sudo.extraConfig’ instead.
        # Environment variables to keep for root and %wheel.
        Defaults:root,%wheel env_keep+=TERMINFO_DIRS
@ -93,8 +93,7 @@ in
          { src = pkgs.writeText "sudoers-in" cfg.configFile; }
          # Make sure that the sudoers file is syntactically valid.
          # (currently disabled - NIXOS-66)
-          "${pkgs.sudo}/sbin/visudo -f $src -c &&
+          "${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
 	      cp $src $out";
        target = "sudoers";
        mode = "0440";
      };
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@ -15,7 +15,6 @@ let
    state_file          "${cfg.dataDir}/state"
    sticker_file        "${cfg.dataDir}/sticker.sql"
    log_file            "syslog"
    user                "mpd"
    ${if cfg.network.host != "any" then
   "bind_to_address     ${cfg.network.host}" else ""}
    ${if cfg.network.port != 6600 then
@ -99,6 +98,9 @@ in {
      path = [ pkgs.mpd ];
      preStart = "mkdir -p ${cfg.dataDir} && chown -R mpd:mpd  ${cfg.dataDir}";
      script = "exec mpd --no-daemon ${mpdConf}";
      serviceConfig = {
        User = "mpd";
      };
    };
    users.extraUsers.mpd = {
--- a/nixos/modules/services/cluster/fleet.nix
+++ b/nixos/modules/services/cluster/fleet.nix
@ -0,0 +1,150 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.fleet;
 in {
  ##### Interface
  options.services.fleet = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Whether to enable fleet service.
      '';
    };
    listen = mkOption {
      type = types.listOf types.str;
      default = [ "/var/run/fleet.sock" ];
      example = [ "/var/run/fleet.sock" "127.0.0.1:49153" ];
      description = ''
        Fleet listening addresses.
      '';
    };
    etcdServers = mkOption {
      type = types.listOf types.str;
      default = [ "http://127.0.0.1:4001" ];
      description = ''
        Fleet list of etcd endpoints to use.
      '';
    };
    publicIp = mkOption {
      type = types.nullOr types.str;
      default = "";
      description = ''
        Fleet IP address that should be published with the local Machine's
        state and any socket information. If not set, fleetd will attempt
        to detect the IP it should publish based on the machine's IP
        routing information.
      '';
    };
    etcdCafile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Fleet TLS ca file when SSL certificate authentication is enabled
        in etcd endpoints.
      '';
    };
    etcdKeyfile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Fleet TLS key file when SSL certificate authentication is enabled
        in etcd endpoints.
      '';
    };
    etcdCertfile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Fleet TLS cert file when SSL certificate authentication is enabled
        in etcd endpoints.
      '';
    };
    metadata = mkOption {
      type = types.attrsOf types.str;
      default = {};
      apply = attrs: concatMapStringsSep "," (n: "${n}=${attrs."${n}"}") (attrNames attrs);
      example = literalExample ''
        {
          region = "us-west";
          az = "us-west-1";
        }
      '';
      description = ''
        Key/value pairs that are published with the local to the fleet registry.
        This data can be used directly by a client of fleet to make scheduling decisions.
      '';
    };
    extraConfig = mkOption {
      type = types.attrsOf types.str;
      apply = mapAttrs' (n: v: nameValuePair ("ETCD_" + n) v);
      default = {};
      example = literalExample ''
        {
          VERBOSITY = 1;
          ETCD_REQUEST_TIMEOUT = "2.0";
          AGENT_TTL = "40s";
        }
      '';
      description = ''
        Fleet extra config. See
        <link xlink:href="https://github.com/coreos/fleet/blob/master/Documentation/deployment-and-configuration.md"/>
        for configuration options.
      '';
    };
  };
  ##### Implementation
  config = mkIf cfg.enable {
    systemd.services.fleet = {
      description = "Fleet Init System Daemon";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" "fleet.socket" "etcd.service" "docker.service" ];
      requires = [ "fleet.socket" ];
      environment = {
        FLEET_ETCD_SERVERS = concatStringsSep "," cfg.etcdServers;
        FLEET_PUBLIC_IP = cfg.publicIp;
        FLEET_ETCD_CAFILE = cfg.etcdCafile;
        FLEET_ETCD_KEYFILE = cfg.etcdKeyfile;
        FEELT_ETCD_CERTFILE = cfg.etcdCertfile;
        FLEET_METADATA = cfg.metadata;
      } // cfg.extraConfig;
      serviceConfig = {
        ExecStart = "${pkgs.fleet}/bin/fleetd";
        Group = "fleet";
      };
    };
    systemd.sockets.fleet = {
      description = "Fleet Socket for the API";
      wantedBy = [ "sockets.target" ];
      listenStreams = cfg.listen;
      socketConfig = {
        ListenStream = "/var/run/fleet.sock";
        SocketMode = "0660";
        SocketUser = "root";
        SocketGroup = "fleet";
      };
    };
    services.etcd.enable = mkDefault true;
    virtualisation.docker.enable = mkDefault true;
    environment.systemPackages = [ pkgs.fleet ];
    users.extraGroups.fleet.gid = config.ids.gids.fleet;
  };
 }
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@ -3,13 +3,13 @@
 with lib;
 let
-  cfg = config.virtualisation.kubernetes;
+  cfg = config.services.kubernetes;
 in {
  ###### interface
-  options.virtualisation.kubernetes = {
+  options.services.kubernetes = {
    package = mkOption {
      description = "Kubernetes package to use.";
      type = types.package;
@ -420,15 +420,15 @@ in {
    })
    (mkIf (any (el: el == "master") cfg.roles) {
-      virtualisation.kubernetes.apiserver.enable = mkDefault true;
+      services.kubernetes.apiserver.enable = mkDefault true;
-      virtualisation.kubernetes.scheduler.enable = mkDefault true;
+      services.kubernetes.scheduler.enable = mkDefault true;
-      virtualisation.kubernetes.controllerManager.enable = mkDefault true;
+      services.kubernetes.controllerManager.enable = mkDefault true;
    })
    (mkIf (any (el: el == "node") cfg.roles) {
      virtualisation.docker.enable = mkDefault true;
-      virtualisation.kubernetes.kubelet.enable = mkDefault true;
+      services.kubernetes.kubelet.enable = mkDefault true;
-      virtualisation.kubernetes.proxy.enable = mkDefault true;
+      services.kubernetes.proxy.enable = mkDefault true;
    })
    (mkIf (any (el: el == "node" || el == "master") cfg.roles) {
@ -442,7 +442,7 @@ in {
        cfg.kubelet.enable ||
        cfg.proxy.enable
    ) {
-      virtualisation.kubernetes.package = mkDefault pkgs.kubernetes; 
+      services.kubernetes.package = mkDefault pkgs.kubernetes;
      environment.systemPackages = [ cfg.package ];
--- a/nixos/modules/services/desktops/gnome3/gvfs.nix
+++ b/nixos/modules/services/desktops/gnome3/gvfs.nix
@ -1,6 +1,6 @@
 # gvfs backends
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
@ -37,6 +37,8 @@ in
    services.dbus.packages = [ gnome3.gvfs ];
    services.udev.packages = [ pkgs.libmtp ];
  };
 }
--- a/nixos/modules/services/desktops/profile-sync-daemon.nix
+++ b/nixos/modules/services/desktops/profile-sync-daemon.nix
@ -0,0 +1,139 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.psd;
  configFile = ''
    ${optionalString (cfg.users != [ ]) ''
      USERS="${concatStringsSep " " cfg.users}"
    ''}
    ${optionalString (cfg.browsers != [ ]) ''
      BROWSERS="${concatStringsSep " " cfg.browsers}"
    ''}
    ${optionalString (cfg.volatile != "") "VOLATILE=${cfg.volatile}"}
    ${optionalString (cfg.daemonFile != "") "DAEMON_FILE=${cfg.daemonFile}"}
  '';
 in {
  options.services.psd = with types; {
    enable = mkOption {
      type = bool;
      default = false;
      description = ''
        Whether to enable the Profile Sync daemon.
      '';
    };
    users = mkOption {
      type = listOf str;
      default = [ ];
      example = [ "demo" ];
      description = ''
        A list of users whose browser profiles should be sync'd to tmpfs.
      '';
    };
    browsers = mkOption {
      type = listOf str;
      default = [ ];
      example = [ "chromium" "firefox" ];
      description = ''
        A list of browsers to sync. Available choices are:
        chromium chromium-dev conkeror.mozdev.org epiphany firefox
        firefox-trunk google-chrome google-chrome-beta google-chrome-unstable
        heftig-aurora icecat luakit midori opera opera-developer opera-beta
        qupzilla palemoon rekonq seamonkey
        An empty list will enable all browsers.
      '';
    };
    resyncTimer = mkOption {
      type = str;
      default = "1h";
      example = "1h 30min";
      description = ''
        The amount of time to wait before syncing browser profiles back to the
        disk.
        Takes a systemd.unit time span. The time unit defaults to seconds if
        omitted.
      '';
    };
    volatile = mkOption {
      type = str;
      default = "/run/psd-profiles";
      description = ''
        The directory where browser profiles should reside(this should be
        mounted as a tmpfs). Do not include a trailing backslash.
      '';
    };
    daemonFile = mkOption {
      type = str;
      default = "/run/psd";
      description = ''
        Where the pid and backup configuration files will be stored.
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd = {
      services = {
        psd = {
          description = "Profile Sync daemon";
          wants = [ "psd-resync.service" "local-fs.target" ];
          wantedBy = [ "multi-user.target" ];
          preStart = "mkdir -p ${cfg.volatile}";
          path = with pkgs; [ glibc rsync gawk ];
          unitConfig = {
            RequiresMountsFor = [ "/home/" ];
          };
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = "yes";
            ExecStart = "${pkgs.profile-sync-daemon}/bin/profile-sync-daemon sync";
            ExecStop = "${pkgs.profile-sync-daemon}/bin/profile-sync-daemon unsync";
          };
        };
        psd-resync = {
          description = "Timed profile resync";
          after = [ "psd.service" ];
          wants = [ "psd-resync.timer" ];
          partOf = [ "psd.service" ];
          path = with pkgs; [ glibc rsync gawk ];
          serviceConfig = {
            Type = "oneshot";
            ExecStart = "${pkgs.profile-sync-daemon}/bin/profile-sync-daemon resync";
          };
        };
      };
      timers.psd-resync = {
        description = "Timer for profile sync daemon - ${cfg.resyncTimer}";
        partOf = [ "psd-resync.service" "psd.service" ];
        timerConfig = {
          OnUnitActiveSec = "${cfg.resyncTimer}";
        };
      };
    };
    environment.etc."psd.conf".text = configFile;
  };
 }
--- a/nixos/modules/services/hardware/80-net-setup-link.rules
+++ b/nixos/modules/services/hardware/80-net-setup-link.rules
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@ -88,7 +88,7 @@ let
      done
      ${optionalString config.networking.usePredictableInterfaceNames ''
-        cp ${./80-net-name-slot.rules} $out/80-net-name-slot.rules
+        cp ${./80-net-setup-link.rules} $out/80-net-setup-link.rules
      ''}
      # If auto-configuration is disabled, then remove
--- a/nixos/modules/services/misc/autofs.nix
+++ b/nixos/modules/services/misc/autofs.nix
@ -84,7 +84,7 @@ in
        startOn = "started network-interfaces";
        stopOn = "stopping network-interfaces";
-        path = [ pkgs.nfsUtils pkgs.sshfsFuse ];
+        path = [ pkgs.nfs-utils pkgs.sshfsFuse ];
        preStop =
          ''
--- a/nixos/modules/services/misc/defaultUnicornConfig.rb
+++ b/nixos/modules/services/misc/defaultUnicornConfig.rb
@ -0,0 +1,206 @@
 # The following was taken from github.com/crohr/syslogger and is BSD
 # licensed.
 require 'syslog'
 require 'logger'
 require 'thread'
 class Syslogger
  VERSION = "1.6.0"
  attr_reader :level, :ident, :options, :facility, :max_octets
  attr_accessor :formatter
  MAPPING = {
    Logger::DEBUG => Syslog::LOG_DEBUG,
    Logger::INFO => Syslog::LOG_INFO,
    Logger::WARN => Syslog::LOG_WARNING,
    Logger::ERROR => Syslog::LOG_ERR,
    Logger::FATAL => Syslog::LOG_CRIT,
    Logger::UNKNOWN => Syslog::LOG_ALERT
  }
  #
  # Initializes default options for the logger
  # <tt>ident</tt>:: the name of your program [default=$0].
  # <tt>options</tt>::  syslog options [default=<tt>Syslog::LOG_PID | Syslog::LOG_CONS</tt>].
  #                     Correct values are:
  #                       LOG_CONS    : writes the message on the console if an error occurs when sending the message;
  #                       LOG_NDELAY  : no delay before sending the message;
  #                       LOG_PERROR  : messages will also be written on STDERR;
  #                       LOG_PID     : adds the process number to the message (just after the program name)
  # <tt>facility</tt>:: the syslog facility [default=nil] Correct values include:
  #                       Syslog::LOG_DAEMON
  #                       Syslog::LOG_USER
  #                       Syslog::LOG_SYSLOG
  #                       Syslog::LOG_LOCAL2
  #                       Syslog::LOG_NEWS
  #                       etc.
  #
  # Usage:
  #   logger = Syslogger.new("my_app", Syslog::LOG_PID | Syslog::LOG_CONS, Syslog::LOG_LOCAL0)
  #   logger.level = Logger::INFO # use Logger levels
  #   logger.warn "warning message"
  #   logger.debug "debug message"
  #
  def initialize(ident = $0, options = Syslog::LOG_PID | Syslog::LOG_CONS, facility = nil)
    @ident = ident
    @options = options || (Syslog::LOG_PID | Syslog::LOG_CONS)
    @facility = facility
    @level = Logger::INFO
    @mutex = Mutex.new
    @formatter = Logger::Formatter.new
  end
  %w{debug info warn error fatal unknown}.each do |logger_method|
    # Accepting *args as message could be nil.
    #  Default params not supported in ruby 1.8.7
    define_method logger_method.to_sym do |*args, &block|
      return true if @level > Logger.const_get(logger_method.upcase)
      message = args.first || block && block.call
      add(Logger.const_get(logger_method.upcase), message)
    end
    unless logger_method == 'unknown'
      define_method "#{logger_method}?".to_sym do
        @level <= Logger.const_get(logger_method.upcase)
      end
    end
  end
  # Log a message at the Logger::INFO level. Useful for use with Rack::CommonLogger
  def write(msg)
    add(Logger::INFO, msg)
  end
  # Logs a message at the Logger::INFO level.
  def <<(msg)
    add(Logger::INFO, msg)
  end
  # Low level method to add a message.
  # +severity+::  the level of the message. One of Logger::DEBUG, Logger::INFO, Logger::WARN, Logger::ERROR, Logger::FATAL, Logger::UNKNOWN
  # +message+:: the message string.
  #             If nil, the method will call the block and use the result as the message string.
  #             If both are nil or no block is given, it will use the progname as per the behaviour of both the standard Ruby logger, and the Rails BufferedLogger.
  # +progname+:: optionally, overwrite the program name that appears in the log message.
  def add(severity, message = nil, progname = nil, &block)
    if message.nil? && block.nil? && !progname.nil?
      message, progname = progname, nil
    end
    progname ||= @ident
    @mutex.synchronize do
      Syslog.open(progname, @options, @facility) do |s|
        s.mask = Syslog::LOG_UPTO(MAPPING[@level])
        communication = clean(message || block && block.call)
        if self.max_octets
          buffer = "#{tags_text}"
          communication.bytes do |byte|
            buffer.concat(byte)
            # if the last byte we added is potentially part of an escape, we'll go ahead and add another byte
            if buffer.bytesize >= self.max_octets && !['%'.ord,'\\'.ord].include?(byte)
              s.log(MAPPING[severity],buffer)
              buffer = ""
            end
          end
          s.log(MAPPING[severity],buffer) unless buffer.empty?
        else
          s.log(MAPPING[severity],"#{tags_text}#{communication}")
        end
      end
    end
  end
  # Set the max octets of the messages written to the log
  def max_octets=(max_octets)
    @max_octets = max_octets
  end
  # Sets the minimum level for messages to be written in the log.
  # +level+:: one of <tt>Logger::DEBUG</tt>, <tt>Logger::INFO</tt>, <tt>Logger::WARN</tt>, <tt>Logger::ERROR</tt>, <tt>Logger::FATAL</tt>, <tt>Logger::UNKNOWN</tt>
  def level=(level)
    level = Logger.const_get(level.to_s.upcase) if level.is_a?(Symbol)
    unless level.is_a?(Fixnum)
      raise ArgumentError.new("Invalid logger level `#{level.inspect}`")
    end
    @level = level
  end
  # Sets the ident string passed along to Syslog
  def ident=(ident)
    @ident = ident
  end
  # Tagging code borrowed from ActiveSupport gem
  def tagged(*tags)
    new_tags = push_tags(*tags)
    yield self
  ensure
    pop_tags(new_tags.size)
  end
  def push_tags(*tags)
    tags.flatten.reject{ |i| i.respond_to?(:empty?) ? i.empty? : !i }.tap do |new_tags|
      current_tags.concat new_tags
    end
  end
  def pop_tags(size = 1)
    current_tags.pop size
  end
  def clear_tags!
    current_tags.clear
  end
  protected
  # Borrowed from SyslogLogger.
  def clean(message)
    message = message.to_s.dup
    message.strip! # remove whitespace
    message.gsub!(/\n/, '\\n') # escape newlines
    message.gsub!(/%/, '%%') # syslog(3) freaks on % (printf)
    message.gsub!(/\e\[[^m]*m/, '') # remove useless ansi color codes
    message
  end
  private
  def tags_text
    tags = current_tags
    if tags.any?
      tags.collect { |tag| "[#{tag}] " }.join
    end
  end
  def current_tags
    Thread.current[:syslogger_tagged_logging_tags] ||= []
  end
 end
 worker_processes 2
 working_directory ENV["GITLAB_PATH"]
 pid ENV["UNICORN_PATH"] + "/tmp/pids/unicorn.pid"
 listen ENV["UNICORN_PATH"] + "/tmp/sockets/gitlab.socket", :backlog => 1024
 listen "127.0.0.1:8080", :tcp_nopush => true
 timeout 60
 logger Syslogger.new
 preload_app true
 GC.respond_to?(:copy_on_write_friendly=) and
  GC.copy_on_write_friendly = true
 check_client_connection false
 after_fork do |server, worker|
  defined?(ActiveRecord::Base) and
    ActiveRecord::Base.establish_connection
 end
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -0,0 +1,295 @@
 { config, lib, pkgs, ... }:
 # TODO: support non-postgresql
 with lib;
 let
  cfg = config.services.gitlab;
  ruby = pkgs.ruby;
  rubyLibs = pkgs.rubyLibs;
  databaseYml = ''
    production:
      adapter: postgresql
      database: ${cfg.databaseName}
      host: ${cfg.databaseHost}
      password: ${cfg.databasePassword}
      username: ${cfg.databaseUsername}
      encoding: utf8
  '';
  gitlabShellYml = ''
    user: gitlab
    gitlab_url: "http://${cfg.host}:${toString cfg.port}/"
    http_settings:
      self_signed_cert: false
    repos_path: "${cfg.stateDir}/repositories"
    log_file: "${cfg.stateDir}/log/gitlab-shell.log"
    redis:
      bin: ${pkgs.redis}/bin/redis-cli
      host: 127.0.0.1
      port: 6379
      database: 0
      namespace: resque:gitlab
  '';
  unicornConfig = builtins.readFile ./defaultUnicornConfig.rb;
  gitlab-runner = pkgs.stdenv.mkDerivation rec {
    name = "gitlab-runner";
    buildInputs = [ pkgs.gitlab pkgs.rubyLibs.bundler pkgs.makeWrapper ];
    phases = "installPhase fixupPhase";
    buildPhase = "";
    installPhase = ''
      mkdir -p $out/bin
      makeWrapper ${rubyLibs.bundler}/bin/bundle $out/bin/gitlab-runner\
          --set RAKEOPT '"-f ${pkgs.gitlab}/share/gitlab/Rakefile"'\
          --set UNICORN_PATH "${cfg.stateDir}/"\
          --set GITLAB_PATH "${pkgs.gitlab}/share/gitlab/"\
          --set GITLAB_APPLICATION_LOG_PATH "${cfg.stateDir}/log/application.log"\
          --set GITLAB_SATELLITES_PATH "${cfg.stateDir}/satellites"\
          --set GITLAB_SHELL_PATH "${pkgs.gitlab-shell}"\
          --set GITLAB_REPOSITORIES_PATH "${cfg.stateDir}/repositories"\
          --set GITLAB_SHELL_HOOKS_PATH "${cfg.stateDir}/shell/hooks"\
          --set BUNDLE_GEMFILE "${pkgs.gitlab}/share/gitlab/Gemfile"\
          --set GITLAB_EMAIL_FROM "${cfg.emailFrom}"\
          --set GITLAB_SHELL_CONFIG_PATH "${cfg.stateDir}/shell/config.yml"\
          --set GITLAB_SHELL_SECRET_PATH "${cfg.stateDir}/config/gitlab_shell_secret"\
          --set GITLAB_HOST "${cfg.host}"\
          --set GITLAB_PORT "${toString cfg.port}"\
          --set GITLAB_BACKUP_PATH"${cfg.backupPath}"\
          --set RAILS_ENV "production"
    '';
  };
 in {
  options = {
    services.gitlab = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the gitlab service.
        '';
      };
      satelliteDir = mkOption {
        type = types.str;
        default = "/var/gitlab/git-satellites";
        description = "Gitlab directory to store checked out git trees requires for operation.";
      };
      stateDir = mkOption {
        type = types.str;
        default = "/var/gitlab/state";
        description = "Gitlab state directory, logs are stored here.";
      };
      backupPath = mkOption {
        type = types.str;
        default = cfg.stateDir + "/backup";
        description = "Gitlab path for backups.";
      };
      databaseHost = mkOption {
        type = types.str;
        default = "127.0.0.1";
        description = "Gitlab database hostname.";
      };
      databasePassword = mkOption {
        type = types.str;
        default = "";
        description = "Gitlab database user password.";
      };
      databaseName = mkOption {
        type = types.str;
        default = "gitlab";
        description = "Gitlab database name.";
      };
      databaseUsername = mkOption {
        type = types.str;
        default = "gitlab";
        description = "Gitlab database user.";
      };
      emailFrom = mkOption {
        type = types.str;
        default = "example@example.org";
        description = "The source address for emails sent by gitlab.";
      };
      host = mkOption {
        type = types.str;
        default = config.networking.hostName;
        description = "Gitlab host name. Used e.g. for copy-paste URLs.";
      };
      port = mkOption {
        type = types.int;
        default = 8080;
        description = "Gitlab server listening port.";
      };
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ gitlab-runner pkgs.gitlab-shell ];
    assertions = [
      { assertion = cfg.databasePassword != "";
        message = "databasePassword must be set";
      }
    ];
    # Redis is required for the sidekiq queue runner.
    services.redis.enable = mkDefault true;
    # We use postgres as the main data store.
    services.postgresql.enable = mkDefault true;
    services.postgresql.package = mkDefault pkgs.postgresql;
    # Use postfix to send out mails.
    services.postfix.enable = mkDefault true;
    users.extraUsers = [
      { name = "gitlab";
        group = "gitlab";
        home = "${cfg.stateDir}/home";
        shell = "${pkgs.bash}/bin/bash";
        uid = config.ids.uids.gitlab;
      } ];
    users.extraGroups = [
      { name = "gitlab";
        gid = config.ids.gids.gitlab;
      } ];
    systemd.services.gitlab-sidekiq = {
      after = [ "network.target" "redis.service" ];
      wantedBy = [ "multi-user.target" ];
      environment.HOME = "${cfg.stateDir}/home";
      environment.UNICORN_PATH = "${cfg.stateDir}/";
      environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
      environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
      environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
      environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
      environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
      environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
      environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
      environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
      environment.GITLAB_SHELL_CONFIG_PATH = "${cfg.stateDir}/shell/config.yml";
      environment.GITLAB_SHELL_SECRET_PATH = "${cfg.stateDir}/config/gitlab_shell_secret";
      environment.GITLAB_HOST = "${cfg.host}";
      environment.GITLAB_PORT = "${toString cfg.port}";
      environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
      environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
      environment.RAILS_ENV = "production";
      path = with pkgs; [
        config.services.postgresql.package
        gitAndTools.git
        ruby
        openssh
        nodejs
      ];
      serviceConfig = {
        Type = "simple";
        User = "gitlab";
        Group = "gitlab";
        TimeoutSec = "300";
        WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
        ExecStart="${rubyLibs.bundler}/bin/bundle exec \"sidekiq -q post_receive -q mailer -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.stateDir}/tmp/sidekiq.pid\"";
      };
    };
    systemd.services.gitlab = {
      after = [ "network.target" "postgresql.service" "redis.service" ];
      wantedBy = [ "multi-user.target" ];
      environment.HOME = "${cfg.stateDir}/home";
      environment.UNICORN_PATH = "${cfg.stateDir}/";
      environment.GITLAB_PATH = "${pkgs.gitlab}/share/gitlab/";
      environment.GITLAB_APPLICATION_LOG_PATH = "${cfg.stateDir}/log/application.log";
      environment.GITLAB_SATELLITES_PATH = "${cfg.stateDir}/satellites";
      environment.GITLAB_SHELL_PATH = "${pkgs.gitlab-shell}";
      environment.GITLAB_REPOSITORIES_PATH = "${cfg.stateDir}/repositories";
      environment.GITLAB_SHELL_HOOKS_PATH = "${cfg.stateDir}/shell/hooks";
      environment.BUNDLE_GEMFILE = "${pkgs.gitlab}/share/gitlab/Gemfile";
      environment.GITLAB_EMAIL_FROM = "${cfg.emailFrom}";
      environment.GITLAB_HOST = "${cfg.host}";
      environment.GITLAB_PORT = "${toString cfg.port}";
      environment.GITLAB_DATABASE_HOST = "${cfg.databaseHost}";
      environment.GITLAB_DATABASE_PASSWORD = "${cfg.databasePassword}";
      environment.RAILS_ENV = "production";
      path = with pkgs; [
        config.services.postgresql.package
        gitAndTools.git
        ruby
        openssh
        nodejs
      ];
      preStart = ''
        # TODO: use env vars
        mkdir -p ${cfg.stateDir}
        mkdir -p ${cfg.stateDir}/log
        mkdir -p ${cfg.stateDir}/satellites
        mkdir -p ${cfg.stateDir}/repositories
        mkdir -p ${cfg.stateDir}/shell/hooks
        mkdir -p ${cfg.stateDir}/tmp/pids
        mkdir -p ${cfg.stateDir}/tmp/sockets
        rm -rf ${cfg.stateDir}/config
        mkdir -p ${cfg.stateDir}/config
        # TODO: What exactly is gitlab-shell doing with the secret?
        head -c 20 /dev/urandom > ${cfg.stateDir}/config/gitlab_shell_secret
        mkdir -p ${cfg.stateDir}/home/.ssh
        touch ${cfg.stateDir}/home/.ssh/authorized_keys
        cp -rf ${pkgs.gitlab}/share/gitlab/config ${cfg.stateDir}/
        cp ${pkgs.gitlab}/share/gitlab/VERSION ${cfg.stateDir}/VERSION
        ln -fs ${pkgs.writeText "database.yml" databaseYml} ${cfg.stateDir}/config/database.yml
        ln -fs ${pkgs.writeText "unicorn.rb" unicornConfig} ${cfg.stateDir}/config/unicorn.rb
        chown -R gitlab:gitlab ${cfg.stateDir}/
        chmod -R 755 ${cfg.stateDir}/
        if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
          if ! test -e "${cfg.stateDir}/db-created"; then
            psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
            ${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
            touch "${cfg.stateDir}/db-created"
            # force=yes disables the manual-interaction yes/no prompt
            # which breaks without an stdin.
            force=yes ${rubyLibs.bundler}/bin/bundle exec rake -f ${pkgs.gitlab}/share/gitlab/Rakefile gitlab:setup RAILS_ENV=production
          fi
        fi
      # Install the shell required to push repositories
      ln -fs ${pkgs.writeText "config.yml" gitlabShellYml} ${cfg.stateDir}/shell/config.yml
      export GITLAB_SHELL_CONFIG_PATH=""${cfg.stateDir}/shell/config.yml
      ${pkgs.gitlab-shell}/bin/install
      # Change permissions in the last step because some of the
      # intermediary scripts like to create directories as root.
      chown -R gitlab:gitlab ${cfg.stateDir}/
      chmod -R 755 ${cfg.stateDir}/
      '';
      serviceConfig = {
        PermissionsStartOnly = true; # preStart must be run as root
        Type = "simple";
        User = "gitlab";
        Group = "gitlab";
        TimeoutSec = "300";
        WorkingDirectory = "${pkgs.gitlab}/share/gitlab";
        ExecStart="${rubyLibs.bundler}/bin/bundle exec \"unicorn -c ${cfg.stateDir}/config/unicorn.rb -E production\"";
      };
    };
  };
 }
--- a/nixos/modules/services/misc/mesos-slave.nix
+++ b/nixos/modules/services/misc/mesos-slave.nix
@ -5,6 +5,13 @@ with lib;
 let
  cfg = config.services.mesos.slave;
  mkAttributes =
    attrs: concatStringsSep ";" (mapAttrsToList
                                   (k: v: "${k}:${v}")
                                   (filterAttrs (k: v: v != null) attrs));
  attribsArg = optionalString (cfg.attributes != {})
                              "--attributes=${mkAttributes cfg.attributes}";
 in {
  options.services.mesos = {
@ -62,6 +69,19 @@ in {
        type = types.str;
      };
      attributes = mkOption {
        description = ''
          Machine attributes for the slave instance.
          Use caution when changing this; you may need to manually reset slave
          metadata before the slave can re-register.
        '';
        default = {};
        type = types.attrsOf types.str;
        example = { rack = "aa";
                    host = "aabc123";
                    os = "nixos"; };
      };
    };
  };
@ -79,6 +99,7 @@ in {
            --port=${toString cfg.port} \
            --master=${cfg.master} \
            ${optionalString cfg.withHadoop "--hadoop-home=${pkgs.hadoop}"} \
            ${attribsArg} \
            --work_dir=${cfg.workDir} \
            --logging_level=${cfg.logLevel} \
            --docker=${pkgs.docker}/libexec/docker/docker \
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -225,7 +225,7 @@ in
      binaryCaches = mkOption {
        type = types.listOf types.str;
-        default = [ http://cache.nixos.org/ ];
+        default = [ https://cache.nixos.org/ ];
        description = ''
          List of binary cache URLs used to obtain pre-built binaries
          of Nix packages.
--- a/nixos/modules/services/misc/synergy.nix
+++ b/nixos/modules/services/misc/synergy.nix
@ -81,27 +81,26 @@ in
  ###### implementation
-  config = {
+  config = mkMerge [
-
+    (mkIf cfgC.enable {
      systemd.services."synergy-client" = {
      enable = cfgC.enable;
        after = [ "network.target" ];
        description = "Synergy client";
        wantedBy = optional cfgC.autoStart "multi-user.target";
        path = [ pkgs.synergy ];
        serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergyc -f ${optionalString (cfgC.screenName != "") "-n ${cfgC.screenName}"} ${cfgC.serverAddress}'';
      };
-
+    })
    (mkIf cfgS.enable {
      systemd.services."synergy-server" = {
      enable = cfgS.enable;
        after = [ "network.target" ];
        description = "Synergy server";
        wantedBy = optional cfgS.autoStart "multi-user.target";
        path = [ pkgs.synergy ];
        serviceConfig.ExecStart = ''${pkgs.synergy}/bin/synergys -c ${cfgS.configFile} -f ${optionalString (cfgS.address != "") "-a ${cfgS.address}"} ${optionalString (cfgS.screenName != "") "-n ${cfgS.screenName}" }'';
      };
-
+    })
-  };
+  ];
 }
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@ -34,7 +34,7 @@ let
        cap=$(sed -nr 's/.*#%#\s+capabilities\s*=\s*(.+)/\1/p' $file)
        wrapProgram $file \
-          --set PATH "/run/current-system/sw/bin:/run/current-system/sw/sbin" \
+          --set PATH "/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" \
          --set MUNIN_LIBDIR "${pkgs.munin}/lib" \
          --set MUNIN_PLUGSTATE "/var/run/munin"
@ -194,7 +194,7 @@ in
        mkdir -p /etc/munin/plugins
        rm -rf /etc/munin/plugins/*
-        PATH="/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
+        PATH="/var/setuid-wrappers:/run/current-system/sw/bin:/run/current-system/sw/sbin" ${pkgs.munin}/sbin/munin-node-configure --shell --families contrib,auto,manual --config ${nodeConf} --libdir=${muninPlugins} --servicedir=/etc/munin/plugins 2>/dev/null | ${pkgs.bash}/bin/bash
      '';
      serviceConfig = {
        ExecStart = "${pkgs.munin}/sbin/munin-node --config ${nodeConf} --servicedir /etc/munin/plugins/";
--- a/nixos/modules/services/network-filesystems/nfsd.nix
+++ b/nixos/modules/services/network-filesystems/nfsd.nix
@ -86,7 +86,7 @@ in
    boot.supportedFilesystems = [ "nfs" ]; # needed for statd and idmapd
-    environment.systemPackages = [ pkgs.nfsUtils ];
+    environment.systemPackages = [ pkgs.nfs-utils ];
    environment.etc = singleton
      { source = exports;
@ -104,7 +104,7 @@ in
        after = [ "rpcbind.service" "mountd.service" "idmapd.service" ];
        before = [ "statd.service" ];
-        path = [ pkgs.nfsUtils ];
+        path = [ pkgs.nfs-utils ];
        script =
          ''
@ -131,7 +131,7 @@ in
        requires = [ "rpcbind.service" ];
        after = [ "rpcbind.service" ];
-        path = [ pkgs.nfsUtils pkgs.sysvtools pkgs.utillinux ];
+        path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
        preStart =
          ''
@ -157,7 +157,7 @@ in
        serviceConfig.Type = "forking";
        serviceConfig.ExecStart = ''
-          @${pkgs.nfsUtils}/sbin/rpc.mountd rpc.mountd \
+          @${pkgs.nfs-utils}/sbin/rpc.mountd rpc.mountd \
              ${if cfg.mountdPort != null then "-p ${toString cfg.mountdPort}" else ""}
        '';
        serviceConfig.Restart = "always";
--- a/nixos/modules/services/network-filesystems/rsyncd.nix
+++ b/nixos/modules/services/network-filesystems/rsyncd.nix
@ -6,27 +6,28 @@ let
  cfg = config.services.rsyncd;
-  motdFile = pkgs.writeText "rsyncd-motd" cfg.motd;
+  motdFile = builtins.toFile "rsyncd-motd" cfg.motd;
-  rsyncdCfg = ""
+  moduleConfig = name:
-    + optionalString (cfg.motd != "") "motd file = ${motdFile}\n"
+    let module = getAttr name cfg.modules; in
-    + optionalString (cfg.address != "") "address = ${cfg.address}\n"
+    "[${name}]\n " + (toString (
-    + optionalString (cfg.port != 873) "port = ${toString cfg.port}\n"
+       map
-    + cfg.extraConfig
+         (key: "${key} = ${toString (getAttr key module)}\n")
-    + "\n"
+         (attrNames module)
-    + flip concatMapStrings cfg.modules (m: "[${m.name}]\n\tpath = ${m.path}\n"
+    ));
      + optionalString (m.comment != "") "\tcomment = ${m.comment}\n"
      + m.extraConfig
      + "\n"
    );
  rsyncdCfgFile = pkgs.writeText "rsyncd.conf" rsyncdCfg;
  cfgFile = builtins.toFile "rsyncd.conf"
    ''
    ${optionalString (cfg.motd != "") "motd file = ${motdFile}"}
    ${optionalString (cfg.address != "") "address = ${cfg.address}"}
    ${optionalString (cfg.port != 873) "port = ${toString cfg.port}"}
    ${cfg.extraConfig}
    ${toString (map moduleConfig (attrNames cfg.modules))}
    '';
 in
 {
  options = {
    services.rsyncd = {
      enable = mkOption {
@ -63,56 +64,26 @@ in
        default = "";
        description = ''
            Lines of configuration to add to rsyncd globally.
-	  See <literal>man rsyncd.conf</literal> for more options.
+            See <command>man rsyncd.conf</command> for options.
          '';
      };
      modules = mkOption {
-        default = [ ];
+        default = {};
 	example = [ 
 	  { name = "ftp"; 
 	    path = "/home/ftp"; 
 	    comment = "ftp export area";
 	    extraConfig = ''
 	      secrets file = /etc/rsyncd.secrets
 	    '';
 	  }
 	];
 	description = "The list of file paths to export.";
 	type = types.listOf types.optionSet;
 	options = {
 	  name = mkOption {
 	    example = "ftp";
 	    type = types.string;
 	    description = "Name of export module.";
 	  };
 	  comment = mkOption {
 	    default = "";
        description = ''
-	      Description string that is displayed next to the module name
+            A set describing exported directories.
-	      when clients obtain a list of available modules.
+            See <command>man rsyncd.conf</command> for options.
          '';
        type = types.attrsOf (types.attrsOf types.str);
        example =
          { srv =
             { path = "/srv";
               "read only" = "yes";
               comment = "Public rsync share.";
             };
          };
      };
 	  path = mkOption {
 	    example = "/home/ftp";
 	    type = types.string;
 	    description = "Directory to make available in this module.";
   	  };
          extraConfig = mkOption {
            type = types.lines;
 	    default = "";
            description = ''
 	      Lines of configuration to add to this module.
 	      See <literal>man rsyncd.conf</literal> for more options.
 	    '';
          };
 	};
      };
    };
  };
@ -120,20 +91,16 @@ in
  config = mkIf cfg.enable {
-    environment.etc = singleton
+    environment.etc = singleton {
-    { source = rsyncdCfgFile;
+      source = cfgFile;
      target = "rsyncd.conf";
    };
    systemd.services.rsyncd = {
      description = "Rsync daemon";
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.rsync ];
      serviceConfig.ExecStart = "${pkgs.rsync}/bin/rsync --daemon --no-detach";
    };
    networking.firewall.allowedTCPPorts = [ cfg.port ];
  };
 }
--- a/nixos/modules/services/network-filesystems/samba.nix
+++ b/nixos/modules/services/network-filesystems/samba.nix
@ -27,6 +27,14 @@ let
      mkdir -p ${privateDir}
    '';
  shareConfig = name:
    let share = getAttr name cfg.shares; in
    "[${name}]\n " + (toString (
       map
         (key: "${key} = ${toString (getAttr key share)}\n")
         (attrNames share)
    ));
  configFile = pkgs.writeText "smb.conf"
    (if cfg.configText != null then cfg.configText else
    ''
@ -36,6 +44,8 @@ let
      ${optionalString cfg.syncPasswordsByPam "pam password change = true"}
      ${cfg.extraConfig}
      ${toString (map shareConfig (attrNames cfg.shares))}
    '');
  # This may include nss_ldap, needed for samba if it has to use ldap.
@ -159,6 +169,23 @@ in
        '';
      };
      shares = mkOption {
        default = {};
        description =
          ''
          A set describing shared resources.
          See <command>man smb.conf</command> for options.
          '';
        type = types.attrsOf (types.attrsOf types.str);
        example =
          { srv =
             { path = "/srv";
               "read only" = "yes";
                comment = "Public samba share.";
             };
          };
      };
    };
  };
--- a/nixos/modules/services/networking/consul.nix
+++ b/nixos/modules/services/networking/consul.nix
@ -8,7 +8,6 @@ let
  configOptions = {
    data_dir = dataDir;
    rejoin_after_leave = true;
  }
  // (if cfg.webUi then { ui_dir = "${pkgs.consul.ui}"; } else { })
  // cfg.extraConfig;
@ -41,6 +40,35 @@ in
        '';
      };
      leaveOnStop = mkOption {
        type = types.bool;
        default = false;
        description = ''
          If enabled, causes a leave action to be sent when closing consul.
          This allows a clean termination of the node, but permanently removes
          it from the cluster. You probably don't want this option unless you
          are running a node which going offline in a permanent / semi-permanent
          fashion.
        '';
      };
      joinNodes = mkOption {
        type = types.listOf types.str;
        default = [ ];
        description = ''
          A list of addresses of nodes which should be joined at startup if the
          current node is in a left state.
        '';
      };
      joinRetries = mkOption {
        type = types.int;
        default = 10;
        description = ''
          The number of times to retry connecting to the join nodes.
        '';
      };
      interface = {
        advertise = mkOption {
@ -119,13 +147,15 @@ in
      serviceConfig = {
        ExecStart = "@${pkgs.consul}/bin/consul consul agent"
          + concatMapStrings (n: " -config-file ${n}") configFiles;
        ExecStop = "${pkgs.consul}/bin/consul leave";
        ExecReload = "${pkgs.consul}/bin/consul reload";
        PermissionsStartOnly = true;
        User = if cfg.dropPrivileges then "consul" else null;
-      };
+        TimeoutStartSec = "${toString (20 + (3 * cfg.joinRetries))}s";
      } // (optionalAttrs (cfg.leaveOnStop) {
        ExecStop = "${pkgs.consul}/bin/consul leave";
      });
-      path = with pkgs; [ iproute gnugrep gawk ];
+      path = with pkgs; [ iproute gnugrep gawk consul ];
      preStart = ''
        mkdir -m 0700 -p ${dataDir}
        chown -R consul ${dataDir}
@ -160,6 +190,18 @@ in
        echo "    \"\": \"\"" >> /etc/consul-addrs.json
        echo "}" >> /etc/consul-addrs.json
      '';
      postStart = ''
        # Issues joins to nodes which we statically connect to
        ${flip concatMapStrings cfg.joinNodes (addr: ''
          for i in {0..${toString cfg.joinRetries}}; do
            # Try to join the other nodes ${toString cfg.joinRetries} times before failing
            consul join "${addr}" && break
            sleep 1
          done &
        '')}
        wait
        exit 0
      '';
    };
  };
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -194,7 +194,7 @@ in {
    };
    powerManagement.resumeCommands = ''
-      Systemctl restart network-manager
+      ${config.systemd.package}/bin/systemctl restart network-manager
    '';
    security.polkit.extraConfig = polkitConf;
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@ -118,7 +118,7 @@ in
    systemd.services.strongswan = {
      description = "strongSwan IPSec Service";
      wantedBy = [ "multi-user.target" ];
-      path = with pkgs; [ kmod ]; # XXX Linux
+      path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
      wants = [ "keys.target" ];
      after = [ "network.target" "keys.target" ];
      environment = {
--- a/nixos/modules/services/networking/tcpcrypt.nix
+++ b/nixos/modules/services/networking/tcpcrypt.nix
@ -44,6 +44,8 @@ in
      path = [ pkgs.iptables pkgs.tcpcrypt pkgs.procps ];
      preStart = ''
        mkdir -p /var/run/tcpcryptd
        chown tcpcryptd /var/run/tcpcryptd
        sysctl -n net.ipv4.tcp_ecn >/run/pre-tcpcrypt-ecn-state
        sysctl -w net.ipv4.tcp_ecn=0
--- a/nixos/modules/services/networking/tox-bootstrapd.nix
+++ b/nixos/modules/services/networking/tox-bootstrapd.nix
@ -0,0 +1,80 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  home = "/var/lib/tox-bootstrapd";
  PIDFile = "${home}/pid";
  pkg = pkgs.libtoxcore;
  cfg = config.services.toxBootstrapd;
  cfgFile = builtins.toFile "tox-bootstrapd.conf"
    ''
      port = ${toString cfg.port}
      keys_file_path = "${home}/keys"
      pid_file_path = "${PIDFile}"
      ${cfg.extraConfig}
    '';
 in
 {
  options =
    { services.toxBootstrapd =
        { enable = mkOption {
            type = types.bool;
            default = false;
            description =
              ''
                Whether to enable the Tox DHT boostrap daemon.
              '';
          };
          port = mkOption {
            type = types.int;
            default = 33445;
            description = "Listening port (UDP).";
          };
          keysFile = mkOption {
            type = types.str;
            default = "${home}/keys";
            description = "Node key file.";
          };
          extraConfig = mkOption {
            type = types.lines;
            default = "";
            description =
              ''
                Configuration for boostrap daemon.
                See <link xlink:href="https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf"/>
                and <link xlink:href="http://wiki.tox.im/Nodes"/>.
             '';
          };
      };
    };
  config = mkIf config.services.toxBootstrapd.enable {
    users.extraUsers = singleton
      { name = "tox-bootstrapd";
        uid = config.ids.uids.tox-bootstrapd;
        description = "Tox bootstrap daemon user";
        inherit home;
        createHome = true;
      };
    systemd.services.tox-bootstrapd = {
      description = "Tox DHT bootstrap daemon";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig =
        { ExecStart = "${pkg}/bin/tox-bootstrapd ${cfgFile}";
          Type = "forking";
          inherit PIDFile;
          User = "tox-bootstrapd";
        };
    };
  };
 }
--- a/nixos/modules/services/networking/unifi.nix
+++ b/nixos/modules/services/networking/unifi.nix
@ -48,6 +48,7 @@ in
    systemd.mounts = map ({ what, where }: {
        bindsTo = [ "unifi.service" ];
        partOf = [ "unifi.service" ];
        unitConfig.RequiresMountsFor = stateDir;
        options = "bind";
        what = what;
        where = where;
@ -59,6 +60,7 @@ in
      after = [ "network.target" ] ++ systemdMountPoints;
      partOf = systemdMountPoints;
      bindsTo = systemdMountPoints;
      unitConfig.RequiresMountsFor = stateDir;
      preStart = ''
        # Ensure privacy of state
--- a/nixos/modules/services/printing/cupsd.nix
+++ b/nixos/modules/services/printing/cupsd.nix
@ -11,20 +11,16 @@ let
  additionalBackends = pkgs.runCommand "additional-cups-backends" { }
    ''
      mkdir -p $out
-      if [ ! -e ${pkgs.cups}/lib/cups/backend/smb ]; then
+      if [ ! -e ${cups}/lib/cups/backend/smb ]; then
        mkdir -p $out/lib/cups/backend
        ln -sv ${pkgs.samba}/bin/smbspool $out/lib/cups/backend/smb
      fi
      # Provide support for printing via HTTPS.
-      if [ ! -e ${pkgs.cups}/lib/cups/backend/https ]; then
+      if [ ! -e ${cups}/lib/cups/backend/https ]; then
        mkdir -p $out/lib/cups/backend
-        ln -sv ${pkgs.cups}/lib/cups/backend/ipp $out/lib/cups/backend/https
+        ln -sv ${cups}/lib/cups/backend/ipp $out/lib/cups/backend/https
      fi
      # Import filter configuration from Ghostscript.
      mkdir -p $out/share/cups/mime/
      ln -v -s "${pkgs.ghostscript}/etc/cups/"* $out/share/cups/mime/
    '';
  # Here we can enable additional backends, filters, etc. that are not
@ -90,6 +86,15 @@ in
        '';
      };
      cupsFilesConf = mkOption {
        type = types.lines;
        default = "";
        description = ''
          The contents of the configuration file of the CUPS daemon
          (<filename>cups-files.conf</filename>).
        '';
      };
      extraConf = mkOption {
        type = types.lines;
        default = "";
@ -153,13 +158,9 @@ in
    environment.systemPackages = [ cups ];
-    environment.variables.CUPS_SERVERROOT = "/etc/cups";
+    environment.etc."cups/client.conf".text = cfg.clientConf;
-
+    environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf;
-    environment.etc = [
+    environment.etc."cups/cupsd.conf".text = cfg.cupsdConf;
      { source = pkgs.writeText "client.conf" cfg.clientConf;
        target = "cups/client.conf";
      }
    ];
    services.dbus.packages = [ cups ];
@ -186,35 +187,26 @@ in
          '';
        serviceConfig.Type = "forking";
-        serviceConfig.ExecStart = "@${cups}/sbin/cupsd cupsd -c ${pkgs.writeText "cupsd.conf" cfg.cupsdConf}";
+        serviceConfig.ExecStart = "@${cups}/sbin/cupsd cupsd";
        restartTriggers =
          [ config.environment.etc."cups/cups-files.conf".source
            config.environment.etc."cups/cupsd.conf".source
          ];
      };
    services.printing.drivers =
-      [ pkgs.cups pkgs.ghostscript pkgs.cups_filters additionalBackends
+      [ cups pkgs.ghostscript pkgs.cups_filters additionalBackends
        pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep
      ];
-    services.printing.cupsdConf =
+    services.printing.cupsFilesConf =
      ''
        LogLevel info
        SystemGroup root wheel
        ${concatMapStrings (addr: ''
          Listen ${addr}
        '') cfg.listenAddresses}
        Listen /var/run/cups/cups.sock
        # Note: we can't use ${cups}/etc/cups as the ServerRoot, since
        # CUPS will write in the ServerRoot when e.g. adding new printers
        # through the web interface.
        ServerRoot /etc/cups
        ServerBin ${bindir}/lib/cups
        DataDir ${bindir}/share/cups
        SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin:${bindir}/sbin
        AccessLog syslog
        ErrorLog syslog
        PageLog syslog
@ -227,6 +219,18 @@ in
        # these programs to run as `lp' as well.
        User cups
        Group lp
      '';
    services.printing.cupsdConf =
      ''
        LogLevel info
        ${concatMapStrings (addr: ''
          Listen ${addr}
        '') cfg.listenAddresses}
        Listen /var/run/cups/cups.sock
        SetEnv PATH ${bindir}/lib/cups/filter:${bindir}/bin:${bindir}/sbin
        Browsing On
        BrowseOrder allow,deny
@ -272,6 +276,7 @@ in
            Order deny,allow
          </Limit>
        </Policy>
        ${cfg.extraConf}
      '';
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@ -97,12 +97,10 @@ in
    environment.systemPackages = [ cronNixosPkg ];
-    jobs.cron =
+    systemd.services.cron =
      { description = "Cron Daemon";
-        startOn = "startup";
+        wantedBy = [ "multi-user.target" ];
        path = [ cronNixosPkg ];
        preStart =
          ''
@ -119,7 +117,8 @@ in
            fi
          '';
-        exec = "cron -n";
+        restartTriggers = [ config.environment.etc.localtime.source ];
        serviceConfig.ExecStart = "${cronNixosPkg}/bin/cron -n";
      };
  };
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@ -3,120 +3,146 @@
 with lib;
 let
  inherit (pkgs) tor privoxy;
  stateDir = "/var/lib/tor";
  privoxyDir = stateDir+"/privoxy";
  cfg = config.services.tor;
  torDirectory = "/var/lib/tor";
-  torUser = "tor";
+  opt    = name: value: optionalString (value != null) "${name} ${value}";
  optint = name: value: optionalString (value != 0)    "${name} ${toString value}";
-  opt = name: value: if value != "" then "${name} ${value}" else "";
+  torRc = ''
-  optint = name: value: if value != 0 then "${name} ${toString value}" else "";
+    User tor
    DataDirectory ${torDirectory}
    ${optint "ControlPort" cfg.controlPort}
  ''
  # Client connection config
  + optionalString cfg.client.enable  ''
    SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
    SOCKSPort ${cfg.client.socksListenAddressFaster}
    ${opt "SocksPolicy" cfg.client.socksPolicy}
  ''
  # Relay config
  + optionalString cfg.relay.enable ''
    ORPort ${cfg.relay.portSpec}
    ${opt "Nickname" cfg.relay.nickname}
    ${opt "ContactInfo" cfg.relay.contactInfo}
    ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
    ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
    ${opt "AccountingMax" cfg.relay.accountingMax}
    ${opt "AccountingStart" cfg.relay.accountingStart}
    ${if cfg.relay.isExit then
        opt "ExitPolicy" cfg.relay.exitPolicy
      else
        "ExitPolicy reject *:*"}
    ${optionalString cfg.relay.isBridge ''
      BridgeRelay 1
      ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
    ''}
  ''
  + cfg.extraConfig;
  torRcFile = pkgs.writeText "torrc" torRc;
 in
 {
  ###### interface
  options = {
    services.tor = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the Tor daemon. By default, the daemon is run without
          relay, exit, bridge or client connectivity.
        '';
      };
-      config = mkOption {
+      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Extra configuration. Contents will be added verbatim to the
-          configuration file.
+          configuration file at the end.
        '';
      };
      controlPort = mkOption {
        type = types.int;
        default = 0;
        example = 9051;
        description = ''
          If set, Tor will accept connections on the specified port
          and allow them to control the tor process.
        '';
      };
      client = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = ''
-            Whether to enable Tor daemon to route application connections.
+            Whether to enable Tor daemon to route application
-            You might want to disable this if you plan running a dedicated Tor relay.
+            connections.  You might want to disable this if you plan
            running a dedicated Tor relay.
          '';
        };
        socksListenAddress = mkOption {
          type = types.str;
          default = "127.0.0.1:9050";
          example = "192.168.0.1:9100";
          description = ''
-            Bind to this address to listen for connections from Socks-speaking
+            Bind to this address to listen for connections from
-            applications.
+            Socks-speaking applications. Provides strong circuit
            isolation, separate circuit per IP address.
          '';
        };
        socksListenAddressFaster = mkOption {
          type = types.str;
          default = "127.0.0.1:9063";
          example = "192.168.0.1:9101";
          description = ''
-            Same as socksListenAddress but uses weaker circuit isolation to provide
+            Bind to this address to listen for connections from
-            performance suitable for a web browser.
+            Socks-speaking applications. Same as socksListenAddress
            but uses weaker circuit isolation to provide performance
            suitable for a web browser.
           '';
         };
        socksPolicy = mkOption {
-          default = "";
+          type = types.nullOr types.str;
          default = null;
          example = "accept 192.168.0.0/16, reject *";
          description = ''
-            Entry policies to allow/deny SOCKS requests based on IP address.
+            Entry policies to allow/deny SOCKS requests based on IP
-            First entry that matches wins. If no SocksPolicy is set, we accept
+            address.  First entry that matches wins. If no SocksPolicy
-            all (and only) requests from SocksListenAddress.
+            is set, we accept all (and only) requests from
            SocksListenAddress.
          '';
        };
-        privoxy = {
+        privoxy.enable = mkOption {
          enable = mkOption {
          default = true;
          description = ''
-              Whether to enable a special instance of privoxy dedicated to Tor.
+            Whether to enable and configure the system Privoxy to use Tor's
            faster port, suitable for HTTP.
            To have anonymity, protocols need to be scrubbed of identifying
-              information.
+            information, and this can be accomplished for HTTP by Privoxy.
-              Most people using Tor want to anonymize their web traffic, so by
+
-              default we enable an special instance of privoxy specifically for
+            Privoxy can also be useful for KDE torification. A good setup would be:
-              Tor.
+            setting SOCKS proxy to the default Tor port, providing maximum
-              However, if you are only going to use Tor only for other kinds of
+            circuit isolation where possible; and setting HTTP proxy to Privoxy
-              traffic then you can disable this option.
+            to route HTTP traffic over faster, but less isolated port.
          '';
        };
          listenAddress = mkOption {
            default = "127.0.0.1:8118";
            description = ''
              Address that Tor's instance of privoxy is listening to.
              *This does not configure the standard NixOS instance of privoxy.*
              This is for Tor connections only!
              See services.privoxy.listenAddress to configure the standard NixOS
              instace of privoxy.
            '';
          };
          config = mkOption {
            default = "";
            description = ''
              Extra configuration for Tor's instance of privoxy. Contents will be
              added verbatim to the configuration file.
              *This does not configure the standard NixOS instance of privoxy.*
              This is for Tor connections only!
              See services.privoxy.extraConfig to configure the standard NixOS
              instace of privoxy.
            '';
          };
        };
      };
      relay = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Whether to enable relaying TOR traffic for others.
@ -126,16 +152,19 @@ in
        };
        isBridge = mkOption {
          type = types.bool;
          default = false;
          description = ''
-            Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
+            Bridge relays (or "bridges") are Tor relays that aren't
-            main directory. Since there is no complete public list of them, even if an
+            listed in the main directory. Since there is no complete
-            ISP is filtering connections to all the known Tor relays, they probably
+            public list of them, even if an ISP is filtering
            connections to all the known Tor relays, they probably
            won't be able to block all the bridges.
            A bridge relay can't be an exit relay.
-            You need to set relay.enable to true for this option to take effect.
+            You need to set relay.enable to true for this option to
            take effect.
            The bridge is set up with an obfuscated transport proxy.
@ -144,25 +173,72 @@ in
        };
        isExit = mkOption {
          type = types.bool;
          default = false;
          description = ''
-            An exit relay allows Tor users to access regular Internet services.
+            An exit relay allows Tor users to access regular Internet
            services.
-            Unlike running a non-exit relay, running an exit relay may expose
+            Unlike running a non-exit relay, running an exit relay may
-            you to abuse complaints. See https://www.torproject.org/faq.html.en#ExitPolicies for more info.
+            expose you to abuse complaints. See
            https://www.torproject.org/faq.html.en#ExitPolicies for
            more info.
-            You can specify which services Tor users may access via your exit relay using exitPolicy option.
+            You can specify which services Tor users may access via
            your exit relay using exitPolicy option.
          '';
        };
        nickname = mkOption {
          type = types.str;
          default = "anonymous";
          description = ''
            A unique handle for your TOR relay.
          '';
        };
        contactInfo = mkOption {
          type = types.nullOr types.str;
          default = null;
          example = "admin@relay.com";
          description = ''
            Contact information for the relay owner (e.g. a mail
            address and GPG key ID).
          '';
        };
        accountingMax = mkOption {
          type = types.nullOr types.str;
          default = null;
          example = "450 GBytes";
          description = ''
            Specify maximum bandwidth allowed during an accounting
            period. This allows you to limit overall tor bandwidth
            over some time period. See the
            <literal>AccountingMax</literal> option by looking at the
            tor manual (<literal>man tor</literal>) for more.
            Note this limit applies individually to upload and
            download; if you specify <literal>"500 GBytes"</literal>
            here, then you may transfer up to 1 TBytes of overall
            bandwidth (500 GB upload, 500 GB download).
          '';
        };
        accountingStart = mkOption {
          type = types.nullOr types.str;
          default = null;
          example = "month 1 1:00";
          description = ''
            Specify length of an accounting period. This allows you to
            limit overall tor bandwidth over some time period. See the
            <literal>AccountingStart</literal> option by looking at
            the tor manual (<literal>man tor</literal>) for more.
          '';
        };
        bandwidthRate = mkOption {
          type = types.int;
          default = 0;
          example = 100;
          description = ''
@ -172,6 +248,7 @@ in
        };
        bandwidthBurst = mkOption {
          type = types.int;
          default = cfg.relay.bandwidthRate;
          example = 200;
          description = ''
@ -181,143 +258,110 @@ in
          '';
        };
-        port = mkOption {
+        portSpec = mkOption {
-          default = 9001;
+          type    = types.str;
          example = "143";
          description = ''
-            What port to advertise for Tor connections.
+            What port to advertise for Tor connections. This corresponds
-          '';
+            to the <literal>ORPort</literal> section in the Tor manual; see
-        };
+            <literal>man tor</literal> for more details.
-        listenAddress = mkOption {
+            At a minimum, you should just specify the port for the
-          default = "";
+            relay to listen on; a common one like 143, 22, 80, or 443
-          example = "0.0.0.0:9090";
+            to help Tor users who may have very restrictive port-based
-          description = ''
+            firewalls.
            Set this if you need to listen on a port other than the one advertised
            in relayPort (e.g. to advertise 443 but bind to 9090). You'll need to do
            ipchains or other port forwsarding yourself to make this work.
          '';
        };
        exitPolicy = mkOption {
-          default = "";
+          type    = types.nullOr types.str;
          default = null;
          example = "accept *:6660-6667,reject *:*";
          description = ''
-            A comma-separated list of exit policies. They're considered first
+            A comma-separated list of exit policies. They're
-            to last, and the first match wins. If you want to _replace_
+            considered first to last, and the first match wins. If you
-            the default exit policy, end this with either a reject *:* or an
+            want to _replace_ the default exit policy, end this with
-            accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+            either a reject *:* or an accept *:*. Otherwise, you're
-            default exit policy. Leave commented to just use the default, which is
+            _augmenting_ (prepending to) the default exit
-            available in the man page or at https://www.torproject.org/documentation.html
+            policy. Leave commented to just use the default, which is
            available in the man page or at
            https://www.torproject.org/documentation.html
            Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
            for issues you might encounter if you use the default exit policy.
-            If certain IPs and ports are blocked externally, e.g. by your firewall,
+            If certain IPs and ports are blocked externally, e.g. by
-            you should update your exit policy to reflect this -- otherwise Tor
+            your firewall, you should update your exit policy to
-            users will be told that those destinations are down.
+            reflect this -- otherwise Tor users will be told that
            those destinations are down.
          '';
        };
-
+      };
    };
  };
-    };
+  config = mkIf cfg.enable {
  };
  ###### implementation
  config = mkIf (cfg.client.enable || cfg.relay.enable) {
    assertions = singleton
-      { assertion = cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
+      { message = "Can't be both an exit and a bridge relay at the same time";
-        message = "Can't be both an exit and a bridge relay at the same time";
+        assertion =
          cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
      };
-    users.extraUsers = singleton
+    users.extraGroups.tor.gid = config.ids.gids.tor;
-      { name = torUser;
+    users.extraUsers.tor =
      { description = "Tor Daemon User";
        createHome  = true;
        home        = torDirectory;
        group       = "tor";
        uid         = config.ids.uids.tor;
        description = "Tor daemon user";
        home = stateDir;
      };
-    jobs = {
+    systemd.services.tor =
-      tor = { name = "tor";
+      { description = "Tor Daemon";
        path = [ pkgs.tor ];
-              startOn = "started network-interfaces";
+        wantedBy = [ "multi-user.target" ];
-              stopOn = "stopping network-interfaces";
+        after    = [ "network.target" ];
        restartTriggers = [ torRcFile ];
-              preStart = ''
+        # Translated from the upstream contrib/dist/tor.service.in
-                mkdir -m 0755 -p ${stateDir}
+        serviceConfig =
-                chown ${torUser} ${stateDir}
+          { Type         = "simple";
-              '';
+            ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
-              exec = "${tor}/bin/tor -f ${pkgs.writeText "torrc" cfg.config}";
+            ExecStart    = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0";
-    }; }
+            ExecReload   = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-    // optionalAttrs (cfg.client.privoxy.enable && cfg.client.enable) {
+            KillSignal   = "SIGINT";
-      torPrivoxy = { name = "tor-privoxy";
+            TimeoutSec   = 30;
            Restart      = "on-failure";
            LimitNOFILE  = 32768;
-                     startOn = "started network-interfaces";
+            # Hardening
-                     stopOn = "stopping network-interfaces";
+            # Note: DevicePolicy is set to 'closed', although the
            # minimal permissions are really:
            #   DeviceAllow /dev/null rw
            #   DeviceAllow /dev/urandom r
            # .. but we can't specify DeviceAllow multiple times. 'closed'
            # is close enough.
            PrivateTmp              = "yes";
            DevicePolicy            = "closed";
            InaccessibleDirectories = "/home";
            ReadOnlyDirectories     = "/";
            ReadWriteDirectories    = torDirectory;
            NoNewPrivileges         = "yes";
          };
      };
-                     preStart = ''
+    environment.systemPackages = [ pkgs.tor ];
                       mkdir -m 0755 -p ${privoxyDir}
                       chown ${torUser} ${privoxyDir}
                     '';
                     exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" cfg.client.privoxy.config}";
    }; };
-      services.tor.config = ''
+    services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) {
-        DataDirectory ${stateDir}
+      enable = true;
-        User ${torUser}
+      extraConfig = ''
      ''
      + optionalString cfg.client.enable  ''
        SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
        SOCKSPort ${cfg.client.socksListenAddressFaster}
        ${opt "SocksPolicy" cfg.client.socksPolicy}
      ''
      + optionalString cfg.relay.enable ''
        ORPort ${toString cfg.relay.port}
        ${opt "ORListenAddress" cfg.relay.listenAddress }
        ${opt "Nickname" cfg.relay.nickname}
        ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
        ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
        ${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"}
        ${if cfg.relay.isBridge then ''
          BridgeRelay 1
          ServerTransportPlugin obfs2,obfs3 exec ${pkgs.pythonPackages.obfsproxy}/bin/obfsproxy managed
        '' else ""}
      '';
      services.tor.client.privoxy.config = ''
        # Generally, this file goes in /etc/privoxy/config
        #
        # Tor listens as a SOCKS4a proxy here:
        forward-socks4a / ${cfg.client.socksListenAddressFaster} .
        confdir ${privoxy}/etc
        logdir ${privoxyDir}
        # actionsfile standard  # Internal purpose, recommended
        actionsfile default.action   # Main actions file
        actionsfile user.action      # User customizations
        filterfile default.filter
        # Don't log interesting things, only startup messages, warnings and errors
        logfile logfile
        #jarfile jarfile
        #debug   0    # show each GET/POST/CONNECT request
        debug   4096 # Startup banner and warnings
        debug   8192 # Errors - *we highly recommended enabling this*
        user-manual ${privoxy}/doc/privoxy/user-manual
        listen-address  ${cfg.client.privoxy.listenAddress}
        toggle  1
        enable-remote-toggle 0
        enable-edit-actions 0
        enable-remote-http-toggle 0
        buffer-limit 4096
        # Extra config goes here
      '';
    };
-
+  };
 }
--- a/nixos/modules/services/security/torify.nix
+++ b/nixos/modules/services/security/torify.nix
@ -5,13 +5,13 @@ let
  cfg = config.services.tor;
  torify = pkgs.writeTextFile {
-    name = "torify";
+    name = "tsocks";
    text = ''
        #!${pkgs.stdenv.shell}
-        TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.torify.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@"
+        TSOCKS_CONF_FILE=${pkgs.writeText "tsocks.conf" cfg.tsocks.config} LD_PRELOAD="${pkgs.tsocks}/lib/libtsocks.so $LD_PRELOAD" "$@"
    '';
    executable = true;
-    destination = "/bin/torify";
+    destination = "/bin/tsocks";
  };
 in
@ -22,12 +22,12 @@ in
  options = {
-    services.tor.torify = {
+    services.tor.tsocks = {
      enable = mkOption {
-        default = cfg.client.enable;
+        default = cfg.enable && cfg.client.enable;
        description = ''
-          Whether to build torify scipt to relay application traffic via TOR.
+          Whether to build tsocks wrapper script to relay application traffic via TOR.
        '';
      };
@ -53,13 +53,13 @@ in
  ###### implementation
-  config = mkIf cfg.torify.enable {
+  config = mkIf cfg.tsocks.enable {
    environment.systemPackages = [ torify ];  # expose it to the users
-    services.tor.torify.config = ''
+    services.tor.tsocks.config = ''
-      server = ${toString(head (splitString ":" cfg.torify.server))}
+      server = ${toString(head (splitString ":" cfg.tsocks.server))}
-      server_port = ${toString(tail (splitString ":" cfg.torify.server))}
+      server_port = ${toString(tail (splitString ":" cfg.tsocks.server))}
      local = 127.0.0.0/255.128.0.0
      local = 127.128.0.0/255.192.0.0
--- a/nixos/modules/services/security/torsocks.nix
+++ b/nixos/modules/services/security/torsocks.nix
@ -1,85 +1,121 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.tor.torsocks;
  optionalNullStr = b: v: optionalString (b != null) v;
-  cfg = config.services.tor;
+  configFile = server: ''
    TorAddress ${toString (head (splitString ":" server))}
    TorPort    ${toString (tail (splitString ":" server))}
-  makeConfig = server: ''
+    OnionAddrRange ${cfg.onionAddrRange}
      server = ${toString(head (splitString ":" server))}
      server_port = ${toString(tail (splitString ":" server))}
-      local = 127.0.0.0/255.128.0.0
+    ${optionalNullStr cfg.socks5Username
-      local = 127.128.0.0/255.192.0.0
+        "SOCKS5Username ${cfg.socks5Username}"}
-      local = 169.254.0.0/255.255.0.0
+    ${optionalNullStr cfg.socks5Password
-      local = 172.16.0.0/255.240.0.0
+        "SOCKS5Password ${cfg.socks5Password}"}
      local = 192.168.0.0/255.255.0.0
-      ${cfg.torsocks.config}
+    AllowInbound ${if cfg.allowInbound then "1" else "0"}
  '';
-  makeTorsocks = name: server: pkgs.writeTextFile {
+
  wrapTorsocks = name: server: pkgs.writeTextFile {
    name = name;
    text = ''
        #!${pkgs.stdenv.shell}
-        TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (makeConfig server)} LD_PRELOAD="${pkgs.torsocks}/lib/torsocks/libtorsocks.so $LD_PRELOAD" "$@"
+        TORSOCKS_CONF_FILE=${pkgs.writeText "torsocks.conf" (configFile server)} ${pkgs.torsocks}/bin/torsocks "$@"
    '';
    executable = true;
    destination = "/bin/${name}";
  };
  torsocks = makeTorsocks "torsocks" cfg.torsocks.server;
  torsocksFaster = makeTorsocks "torsocks-faster" cfg.torsocks.serverFaster;
 in
 {
  ###### interface
  options = {
    services.tor.torsocks = {
      enable = mkOption {
-        default = cfg.client.enable;
+        type        = types.bool;
        default     = config.services.tor.enable && config.services.tor.client.enable;
        description = ''
-          Whether to build torsocks scipt to relay application traffic via TOR.
+          Whether to build <literal>/etc/tor/torsocks.conf</literal>
          containing the specified global torsocks configuration.
        '';
      };
      server = mkOption {
-        default = cfg.client.socksListenAddress;
+        type    = types.str;
-        example = "192.168.0.20:9050";
+        default = "127.0.0.1:9050";
        example = "192.168.0.20:1234";
        description = ''
-          IP address of TOR client to use.
+          IP/Port of the Tor SOCKS server. Currently, hostnames are
          NOT supported by torsocks.
        '';
      };
-      serverFaster = mkOption {
+      fasterServer = mkOption {
-        default = cfg.client.socksListenAddressFaster;
+        type    = types.str;
-        example = "192.168.0.20:9063";
+        default = "127.0.0.1:9063";
        example = "192.168.0.20:1234";
        description = ''
-          IP address of TOR client to use for applications like web browsers which
+          IP/Port of the Tor SOCKS server for torsocks-faster wrapper suitable for HTTP.
-	  need less circuit isolation to achive satisfactory performance.
+          Currently, hostnames are NOT supported by torsocks.
        '';
      };
-      config = mkOption {
+      onionAddrRange = mkOption {
-        default = "";
+        type    = types.str;
        default = "127.42.42.0/24";
        description = ''
-          Extra configuration. Contents will be added verbatim to torsocks
+          Tor hidden sites do not have real IP addresses. This
-          configuration file.
+          specifies what range of IP addresses will be handed to the
          application as "cookies" for .onion names.  Of course, you
          should pick a block of addresses which you aren't going to
          ever need to actually connect to. This is similar to the
          MapAddress feature of the main tor daemon.
        '';
      };
      socks5Username = mkOption {
        type    = types.nullOr types.str;
        default = null;
        example = "bob";
        description = ''
          SOCKS5 username. The <literal>TORSOCKS_USERNAME</literal>
          environment variable overrides this option if it is set.
        '';
      };
      socks5Password = mkOption {
        type    = types.nullOr types.str;
        default = null;
        example = "sekret";
        description = ''
          SOCKS5 password. The <literal>TORSOCKS_PASSWORD</literal>
          environment variable overrides this option if it is set.
        '';
      };
      allowInbound = mkOption {
        type    = types.bool;
        default = false;
        description = ''
          Set Torsocks to accept inbound connections. If set to
          <literal>true</literal>, listen() and accept() will be
          allowed to be used with non localhost address.
        '';
      };
    };
  };
-  ###### implementation
+  config = mkIf cfg.enable {
-
+    environment.systemPackages = [ pkgs.torsocks (wrapTorsocks "torsocks-faster" cfg.fasterServer) ];
  config = mkIf cfg.torsocks.enable {
    environment.systemPackages = [ torsocks torsocksFaster ];  # expose it to the users
  };
    environment.etc =
      [ { source = pkgs.writeText "torsocks.conf" (configFile cfg.server);
          target = "tor/torsocks.conf";
        }
      ];
  };
 }
--- a/nixos/modules/services/system/cloud-init.nix
+++ b/nixos/modules/services/system/cloud-init.nix
@ -0,0 +1,152 @@
 { config, lib, pkgs, ... }:
 with lib;
 let cfg = config.services.cloud-init;
    path = with pkgs; [ cloud-init nettools utillinux e2fsprogs shadow dmidecode openssh ];
    configFile = pkgs.writeText "cloud-init.cfg" ''
 users:
   - root
 disable_root: false
 preserve_hostname: false
 cloud_init_modules:
 - migrator
 - seed_random
 - bootcmd
 - write-files
 - growpart
 - resizefs
 - set_hostname
 - update_hostname
 - update_etc_hosts
 - ca-certs
 - rsyslog
 - users-groups
 cloud_config_modules:
 - emit_upstart
 - disk_setup
 - mounts
 - ssh-import-id
 - set-passwords
 - timezone
 - disable-ec2-metadata
 - runcmd
 - ssh
 cloud_final_modules:
 - rightscale_userdata
 - scripts-vendor
 - scripts-per-once
 - scripts-per-boot
 - scripts-per-instance
 - scripts-user
 - ssh-authkey-fingerprints
 - keys-to-console
 - phone-home
 - final-message
 - power-state-change
 '';
 in
 {
  options = {
    services.cloud-init = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the cloud-init service. This services reads
          configuration metadata in a cloud environment and configures
          the machine according to this metadata.
          This configuration is not completely compatible with the
          NixOS way of doing configuration, as configuration done by
          cloud-init might be overriden by a subsequent nixos-rebuild
          call. However, some parts of cloud-init fall outside of
          NixOS's responsibility, like filesystem resizing and ssh
          public key provisioning, and cloud-init is useful for that
          parts. Thus, be wary that using cloud-init in NixOS might
          come as some cost.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.cloud-init-local =
      { description = "Initial cloud-init job (pre-networking)";
        wantedBy = [ "multi-user.target" ];
        wants = [ "local-fs.target" ];
        after = [ "local-fs.target" ];
        path = path;
        serviceConfig =
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} init --local";
            RemainAfterExit = "yes";
            TimeoutSec = "0";
            StandardOutput = "journal+console";
          };
      };
    systemd.services.cloud-init =
      { description = "Initial cloud-init job (metadata service crawler)";
        wantedBy = [ "multi-user.target" ];
        wants = [ "local-fs.target" "cloud-init-local.service" "sshd.service" "sshd-keygen.service" ];
        after = [ "local-fs.target" "network.target" "cloud-init-local.service" ];
        before = [ "sshd.service" "sshd-keygen.service" ];
        requires = [ "network.target "];
        path = path;
        serviceConfig =
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} init";
            RemainAfterExit = "yes";
            TimeoutSec = "0";
            StandardOutput = "journal+console";
          };
      };
    systemd.services.cloud-config =
      { description = "Apply the settings specified in cloud-config";
        wantedBy = [ "multi-user.target" ];
        wants = [ "network.target" ];
        after = [ "network.target" "syslog.target" "cloud-config.target" ];
        path = path;
        serviceConfig =
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} modules --mode=config";
            RemainAfterExit = "yes";
            TimeoutSec = "0";
            StandardOutput = "journal+console";
          };
      };
    systemd.services.cloud-final =
      { description = "Execute cloud user/final scripts";
        wantedBy = [ "multi-user.target" ];
        wants = [ "network.target" ];
        after = [ "network.target" "syslog.target" "cloud-config.service" "rc-local.service" ];
        requires = [ "cloud-config.target" ];
        path = path;
        serviceConfig =
          { Type = "oneshot";
            ExecStart = "${pkgs.cloud-init}/bin/cloud-init -f ${configFile} modules --mode=final";
            RemainAfterExit = "yes";
            TimeoutSec = "0";
            StandardOutput = "journal+console";
          };
      };
    systemd.targets.cloud-config =
      { description = "Cloud-config availability";
        requires = [ "cloud-init-local.service" "cloud-init.service" ];
      };
  };
 }
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@ -98,9 +98,6 @@ let
      # Authorization: is the user allowed access?
      "authz_user" "authz_groupfile" "authz_host"
      # For compatibility with old configurations, the new module mod_access_compat is provided.
      (if version24 then "access_compat" else "")
      # Other modules.
      "ext_filter" "include" "log_config" "env" "mime_magic"
      "cern_meta" "expires" "headers" "usertrack" /* "unique_id" */ "setenvif"
@ -115,6 +112,8 @@ let
      "cache" "cache_disk"
      "slotmem_shm"
      "socache_shmcb"
      # For compatibility with old configurations, the new module mod_access_compat is provided.
      "access_compat"
    ]
    ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
    ++ optional enableSSL "ssl"
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -23,6 +23,7 @@ in
    services.nginx = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = "
          Enable the nginx Web Server.
        ";
@ -70,11 +71,13 @@ in
      };
      user = mkOption {
        type = types.str;
        default = "nginx";
        description = "User account under which nginx runs.";
      };
      group = mkOption {
        type = types.str;
        default = "nginx";
        description = "Group account under which nginx runs.";
      };
--- a/nixos/modules/services/x11/desktop-managers/kde4.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde4.nix
@ -152,7 +152,9 @@ in
          xorg.xauth # used by kdesu
          pkgs.shared_desktop_ontologies # used by nepomuk
          pkgs.strigi # used by nepomuk
          pkgs.kde4.akonadi
          pkgs.mysql # used by akonadi
          pkgs.kde4.kdepim_runtime
        ]
      ++ lib.optional config.hardware.pulseaudio.enable pkgs.kde4.kmix  # Perhaps this should always be enabled
      ++ lib.optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@ -23,6 +23,17 @@ let
    pathsToLink = [ "/" ];
  };
  fontconfig = config.fonts.fontconfig;
  xresourcesXft = pkgs.writeText "Xresources-Xft" ''
    ${optionalString (fontconfig.dpi != 0) ''Xft.dpi: ${fontconfig.dpi}''}
    Xft.antialias: ${if fontconfig.antialias then "1" else "0"}
    Xft.rgba: ${fontconfig.subpixel.rgba}
    Xft.lcdfilter: lcd${fontconfig.subpixel.lcdfilter}
    Xft.hinting: ${if fontconfig.hinting.enable then "1" else "0"}
    Xft.autohint: ${if fontconfig.hinting.autohint then "1" else "0"}
    Xft.hintstyle: hint${fontconfig.hinting.style}
  '';
  # file provided by services.xserver.displayManager.session.script
  xsession = wm: dm: pkgs.writeScript "xsession"
    ''
@ -79,6 +90,7 @@ let
      ''}
      # Load X defaults.
      ${xorg.xrdb}/bin/xrdb -merge ${xresourcesXft}
      if test -e ~/.Xresources; then
          ${xorg.xrdb}/bin/xrdb -merge ~/.Xresources
      elif test -e ~/.Xdefaults; then
@ -177,7 +189,7 @@ in
      xserverArgs = mkOption {
        type = types.listOf types.str;
        default = [];
-        example = [ "-ac" "-logverbose" "-nolisten tcp" ];
+        example = [ "-ac" "-logverbose" "-verbose" "-nolisten tcp" ];
        description = "List of arguments for the X server.";
        apply = toString;
      };
--- a/nixos/modules/services/x11/window-managers/awesome.nix
+++ b/nixos/modules/services/x11/window-managers/awesome.nix
@ -5,6 +5,7 @@ with lib;
 let
  cfg = config.services.xserver.windowManager.awesome;
  awesome = cfg.package;
 in
@ -14,9 +15,24 @@ in
  options = {
-    services.xserver.windowManager.awesome.enable = mkOption {
+    services.xserver.windowManager.awesome = {
-      default = false;
+
-      description = "Enable the Awesome window manager.";
+      enable = mkEnableOption "Awesome window manager";
      luaModules = mkOption {
        default = [];
        type = types.listOf types.package;
        description = "List of lua packages available for being used in the Awesome configuration.";
        example = literalExample "[ luaPackages.oocairo ]";
      };
      package = mkOption {
        default = null;
        type = types.nullOr types.package;
        description = "Package to use for running the Awesome WM.";
        apply = pkg: if pkg == null then pkgs.awesome else pkg;
      };
    };
  };
@ -30,12 +46,17 @@ in
      { name = "awesome";
        start =
          ''
-            ${pkgs.awesome}/bin/awesome &
+            ${concatMapStrings (pkg: ''
              export LUA_CPATH=$LUA_CPATH''${LUA_CPATH:+;}${pkg}/lib/lua/${awesome.lua.luaversion}/?.so
              export LUA_PATH=$LUA_PATH''${LUA_PATH:+;}${pkg}/lib/lua/${awesome.lua.luaversion}/?.lua
            '') cfg.luaModules}
            ${awesome}/bin/awesome &
            waitPID=$!
          '';
      };
-    environment.systemPackages = [ pkgs.awesome ];
+    environment.systemPackages = [ awesome ];
  };
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@ -483,8 +483,6 @@ in
    services.xserver.displayManager.xserverArgs =
      [ "-ac"
        "-logverbose"
        "-verbose"
        "-terminate"
        "-logfile" "/var/log/X.${toString cfg.display}.log"
        "-config ${configFile}"
--- a/nixos/modules/system/activation/switch-to-configuration.pl
+++ b/nixos/modules/system/activation/switch-to-configuration.pl
@ -181,7 +181,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
            } elsif ($unit =~ /\.mount$/) {
                # Reload the changed mount unit to force a remount.
                write_file($reloadListFile, { append => 1 }, "$unit\n");
-            } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/) {
+            } elsif ($unit =~ /\.socket$/ || $unit =~ /\.path$/ || $unit =~ /\.slice$/) {
                # FIXME: do something?
            } else {
                my $unitInfo = parseUnit($newUnitFile);
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@ -88,7 +88,7 @@ let
  failed = map (x: x.message) (filter (x: !x.assertion) config.assertions);
-  showWarnings = res: fold (w: x: builtins.trace "^[[1;31mwarning: ${w}^[[0m" x) res config.warnings;
+  showWarnings = res: fold (w: x: builtins.trace "[1;31mwarning: ${w}[0m" x) res config.warnings;
  # Putting it all together.  This builds a store path containing
  # symlinks to the various parts of the built configuration (the
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -203,7 +203,7 @@ in
      description = ''
        Unless enabled, encryption keys can be easily recovered by an attacker with physical
        access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port.
-        More information: http://en.wikipedia.org/wiki/DMA_attack
+        More information is available at <link xlink:href="http://en.wikipedia.org/wiki/DMA_attack"/>.
        This option blacklists FireWire drivers, but doesn't remove them. You can manually
        load the drivers if you need to use a FireWire device, but don't forget to unload them!
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@ -56,9 +56,10 @@ echo
 # Mount special file systems.
-mkdir -p /etc
+mkdir -p /etc/udev
 touch /etc/fstab # to shut up mount
 touch /etc/mtab # to shut up mke2fs
 touch /etc/udev/hwdb.bin # to shut up udev
 touch /etc/initrd-release
 mkdir -p /proc
 mount -t proc proc /proc
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@ -240,8 +240,9 @@ in
      example = "/dev/sda3";
      description = ''
        Device for manual resume attempt during boot. This should be used primarily
-        if you want to resume from file. Specify here the device where the file
+        if you want to resume from file. If left empty, the swap partitions are used.
-        resides. You should also use <varname>boot.kernelParams</varname> to specify
+        Specify here the device where the file resides.
        You should also use <varname>boot.kernelParams</varname> to specify
        <literal><replaceable>resume_offset</replaceable></literal>.
      '';
    };
@ -355,10 +356,17 @@ in
  config = mkIf (!config.boot.isContainer) {
-    assertions = singleton
+    assertions = [
      { assertion = any (fs: fs.mountPoint == "/") (attrValues config.fileSystems);
        message = "The ‘fileSystems’ option does not specify your root file system.";
-      };
+      }
      { assertion = let inherit (config.boot) resumeDevice; in
          resumeDevice == "" || builtins.substring 0 1 resumeDevice == "/";
        message = "boot.resumeDevice has to be an absolute path."
          + " Old \"x:y\" style is no longer supported.";
      }
    ];
    system.build.bootStage1 = bootStage1;
    system.build.initialRamdisk = initialRamdisk;
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@ -348,7 +348,8 @@ let
          [Service]
          ${let env = cfg.globalEnvironment // def.environment;
            in concatMapStrings (n:
-              let s = "Environment=\"${n}=${env.${n}}\"\n";
+              let s = optionalString (env."${n}" != null)
                "Environment=\"${n}=${env.${n}}\"\n";
              in if stringLength s >= 2048 then throw "The value of the environment variable ‘${n}’ in systemd service ‘${name}.service’ is too long." else s) (attrNames env)}
          ${if def.reloadIfChanged then ''
            X-ReloadIfChanged=true
--- a/nixos/modules/tasks/filesystems/nfs.nix
+++ b/nixos/modules/tasks/filesystems/nfs.nix
@ -58,7 +58,7 @@ in
    services.rpcbind.enable = true;
-    system.fsPackages = [ pkgs.nfsUtils ];
+    system.fsPackages = [ pkgs.nfs-utils ];
    boot.extraModprobeConfig = mkIf (cfg.lockdPort != null) ''
      options lockd nlm_udpport=${toString cfg.lockdPort} nlm_tcpport=${toString cfg.lockdPort}
@ -71,7 +71,7 @@ in
    systemd.services.statd =
      { description = "NFSv3 Network Status Monitor";
-        path = [ pkgs.nfsUtils pkgs.sysvtools pkgs.utillinux ];
+        path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
        wantedBy = [ "remote-fs-pre.target" ];
        before = [ "remote-fs-pre.target" ];
@ -89,7 +89,7 @@ in
        serviceConfig.Type = "forking";
        serviceConfig.ExecStart = ''
-          @${pkgs.nfsUtils}/sbin/rpc.statd rpc.statd --no-notify \
+          @${pkgs.nfs-utils}/sbin/rpc.statd rpc.statd --no-notify \
              ${if cfg.statdPort != null then "-p ${toString statdPort}" else ""}
        '';
        serviceConfig.Restart = "always";
@ -117,7 +117,7 @@ in
          '';
        serviceConfig.Type = "forking";
-        serviceConfig.ExecStart = "@${pkgs.nfsUtils}/sbin/rpc.idmapd rpc.idmapd -c ${idmapdConfFile}";
+        serviceConfig.ExecStart = "@${pkgs.nfs-utils}/sbin/rpc.idmapd rpc.idmapd -c ${idmapdConfFile}";
        serviceConfig.Restart = "always";
      };
--- a/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixos/modules/tasks/network-interfaces-scripted.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, utils, ... }:
 with lib;
 with utils;
 with lib;
 let
@ -85,6 +85,12 @@ in
                    optionalString (cfg.defaultGatewayWindowSize != null)
                      "window ${cfg.defaultGatewayWindowSize}"} || true
                ''}
                ${optionalString (cfg.defaultGateway6 != null && cfg.defaultGateway6 != "") ''
                  # FIXME: get rid of "|| true" (necessary to make it idempotent).
                  ip -6 route add ::/0 via "${cfg.defaultGateway6}" ${
                    optionalString (cfg.defaultGatewayWindowSize != null)
                      "window ${cfg.defaultGatewayWindowSize}"} || true
                ''}
              '';
          };
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, utils, ... }:
 with lib;
 with utils;
 with lib;
 let
@ -51,6 +51,8 @@ in
          DHCP = override (dhcpStr cfg.useDHCP);
        } // optionalAttrs (cfg.defaultGateway != null) {
          gateway = override [ cfg.defaultGateway ];
        } // optionalAttrs (cfg.defaultGateway6 != null) {
          gateway = override [ cfg.defaultGateway6 ];
        } // optionalAttrs (domains != [ ]) {
          domains = override domains;
        };
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@ -233,7 +233,11 @@ in
        The 32-bit host ID of the machine, formatted as 8 hexadecimal characters.
        You should try to make this ID unique among your machines. You can
-        generate a random 32-bit ID using the following command:
+        generate a random 32-bit ID using the following commands:
        <literal>cksum /etc/machine-id | while read c rest; do printf "%x" $c; done</literal>
        (this derives it from the machine-id that systemd generates) or
        <literal>head -c4 /dev/urandom | od -A none -t x4</literal>
      '';
@ -256,6 +260,15 @@ in
      '';
    };
    networking.defaultGateway6 = mkOption {
      default = null;
      example = "2001:4d0:1e04:895::1";
      type = types.nullOr types.str;
      description = ''
        The default ipv6 gateway.  It can be left empty if it is auto-detected through DHCP.
      '';
    };
    networking.defaultGatewayWindowSize = mkOption {
      default = null;
      example = 524288;
--- a/nixos/modules/virtualisation/docker-image.nix
+++ b/nixos/modules/virtualisation/docker-image.nix
@ -1,67 +1,19 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
-with lib;
+{
-
+  imports = [
-let
+    ../profiles/container.nix
- pkgs2storeContents = l : map (x: { object = x; symlink = "none"; }) l;
+  ];
 in {
  # Create the tarball
  system.build.dockerImage = import ../../lib/make-system-tarball.nix {
    inherit (pkgs) stdenv perl xz pathsFromGraph;
    contents = [];
    extraArgs = "--owner=0";
    storeContents = [
      { object = config.system.build.toplevel + "/init";
        symlink = "/bin/init";
      }
    ] ++ (pkgs2storeContents [ pkgs.stdenv ]);
  };
  boot.postBootCommands =
    ''
      # After booting, register the contents of the Nix store in the Nix
      # database.
      if [ -f /nix-path-registration ]; then
        ${config.nix.package}/bin/nix-store --load-db < /nix-path-registration &&
        rm /nix-path-registration
      fi
      # nixos-rebuild also requires a "system" profile and an
      # /etc/NIXOS tag.
      touch /etc/NIXOS
      ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
      # Set virtualisation to docker
      echo "docker" > /run/systemd/container
    '';
  # Docker image config.
  imports = [
    ../installer/cd-dvd/channel.nix
    ../profiles/minimal.nix
    ../profiles/clone-config.nix
  ];
  boot.isContainer = true;
  # Iptables do not work in Docker.
  networking.firewall.enable = false;
  services.openssh.enable = true;
  # Socket activated ssh presents problem in Docker.
  services.openssh.startWhenNeeded = false;
  # Allow the user to login as root without password.
  users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
  # Some more help text.
  services.mingetty.helpLine =
    ''
      Log in as "root" with an empty password.
    '';
 }
--- a/nixos/modules/virtualisation/lxc-container.nix
+++ b/nixos/modules/virtualisation/lxc-container.nix
@ -0,0 +1,26 @@
 { config, pkgs, lib, ... }:
 with lib;
 {
  imports = [
    ../profiles/container.nix
  ];
  # Allow the user to login as root without password.
  users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
  # Some more help text.
  services.mingetty.helpLine =
    ''
      Log in as "root" with an empty password.
    '';
  # Containers should be light-weight, so start sshd on demand.
  services.openssh.enable = mkDefault true;
  services.openssh.startWhenNeeded = mkDefault true;
  # Allow ssh connections
  networking.firewall.allowedTCPPorts = [ 22 ];
 }
--- a/nixos/modules/virtualisation/qemu-vm.nix
+++ b/nixos/modules/virtualisation/qemu-vm.nix
@ -57,8 +57,7 @@ let
          -name ${vmName} \
          -m ${toString config.virtualisation.memorySize} \
          ${optionalString (pkgs.stdenv.system == "x86_64-linux") "-cpu kvm64"} \
-          -net nic,vlan=0,model=virtio \
+          ${concatStringsSep " " config.virtualisation.qemu.networkingOptions} \
          -net user,vlan=0''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} \
          -virtfs local,path=/nix/store,security_model=none,mount_tag=store \
          -virtfs local,path=$TMPDIR/xchg,security_model=none,mount_tag=xchg \
          -virtfs local,path=''${SHARED_DIR:-$TMPDIR/xchg},security_model=none,mount_tag=shared \
@ -248,13 +247,32 @@ in
        description = "Primary IP address used in /etc/hosts.";
      };
-    virtualisation.qemu.options =
+    virtualisation.qemu = {
      options =
        mkOption {
          default = [];
          example = [ "-vga std" ];
          description = "Options passed to QEMU.";
        };
      networkingOptions =
        mkOption {
          default = [
            "-net nic,vlan=0,model=virtio"
            "-net user,vlan=0\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
          ];
          type = types.listOf types.str;
          description = ''
            Networking-related command-line options that should be passed to qemu.
            The default is to use userspace networking (slirp).
            If you override this option, be adviced to keep
            ''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} (as seen in the default)
            to keep the default runtime behaviour.
          '';
        };
    };
    virtualisation.useBootLoader =
      mkOption {
        default = false;
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@ -48,6 +48,7 @@ in rec {
        (all nixos.ova)
        #(all nixos.tests.containers)
        (all nixos.tests.chromium)
        (all nixos.tests.firefox)
        (all nixos.tests.firewall)
        (all nixos.tests.gnome3)
--- a/nixos/release.nix
+++ b/nixos/release.nix
@ -213,6 +213,12 @@ in rec {
    inherit system;
  });
  # Provide container tarball for lxc, libvirt-lxc, docker-lxc, ...
  containerTarball = forAllSystems (system: makeSystemTarball {
    module = ./modules/virtualisation/lxc-container.nix;
    inherit system;
  });
  /*
  system_tarball_fuloong2f =
    assert builtins.currentSystem == "mips64-linux";
@ -244,6 +250,8 @@ in rec {
  tests.etcd = scrubDrv (import tests/etcd.nix { system = "x86_64-linux"; });
  tests.firefox = callTest tests/firefox.nix {};
  tests.firewall = callTest tests/firewall.nix {};
  tests.fleet = scrubDrv (import tests/fleet.nix { system = "x86_64-linux"; });
  tests.gitlab = callTest tests/gitlab.nix {};
  tests.gnome3 = callTest tests/gnome3.nix {};
  tests.installer.grub1 = forAllSystems (system: scrubDrv (import tests/installer.nix { inherit system; }).grub1.test);
  tests.installer.lvm = forAllSystems (system: scrubDrv (import tests/installer.nix { inherit system; }).lvm.test);
@ -299,6 +307,7 @@ in rec {
  tests.simple = callTest tests/simple.nix {};
  tests.tomcat = callTest tests/tomcat.nix {};
  tests.udisks2 = callTest tests/udisks2.nix {};
  tests.virtualbox = callTest tests/virtualbox.nix {};
  tests.xfce = callTest tests/xfce.nix {};
--- a/nixos/tests/bittorrent.nix
+++ b/nixos/tests/bittorrent.nix
@ -81,7 +81,7 @@ in
      # Create the torrent.
      $tracker->succeed("mkdir /tmp/data");
      $tracker->succeed("cp ${file} /tmp/data/test.tar.bz2");
-      $tracker->succeed("transmission-create /tmp/data/test.tar.bz2 -t http://${(pkgs.lib.head nodes.tracker.config.networking.interfaces.eth1.ip4).address}:6969/announce -o /tmp/test.torrent");
+      $tracker->succeed("transmission-create /tmp/data/test.tar.bz2 -p -t http://${(pkgs.lib.head nodes.tracker.config.networking.interfaces.eth1.ip4).address}:6969/announce -o /tmp/test.torrent");
      $tracker->succeed("chmod 644 /tmp/test.torrent");
      # Start the tracker.  !!! use a less crappy tracker
--- a/nixos/tests/blivet.nix
+++ b/nixos/tests/blivet.nix
@ -43,11 +43,6 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec {
    TMPDIR=/tmp/xchg/bigtmp
    export TMPDIR
    mkPythonPath() {
      nix-store -qR "$@" \
        | sed -e 's|$|/lib/${pkgs.python.libPrefix}/site-packages|'
    }
    cp -Rd "${blivet.src}/tests" .
    # Skip SELinux tests
@ -73,8 +68,11 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec {
      -e 's|_STORE_FILE_PATH = .*|_STORE_FILE_PATH = tempfile.gettempdir()|' \
      tests/loopbackedtestcase.py
-    PYTHONPATH=".:$(mkPythonPath "${blivet}" "${mock}" | paste -sd :)" \
+    PYTHONPATH=".:$(< "${pkgs.stdenv.mkDerivation {
-      python "${pythonTestRunner}"
+      name = "blivet-pythonpath";
      buildInputs = [ blivet mock ];
      buildCommand = "echo \"$PYTHONPATH\" > \"$out\"";
    }}")" python "${pythonTestRunner}"
  '';
  testScript = ''
--- a/nixos/tests/containers.nix
+++ b/nixos/tests/containers.nix
@ -43,7 +43,7 @@ import ./make-test.nix {
      $machine->fail("curl --fail --connect-timeout 2 http://$ip/ > /dev/null");
      # Make sure we have a NixOS tree (required by ‘nixos-container create’).
-      $machine->succeed("nix-env -qa -A nixos.pkgs.hello >&2");
+      $machine->succeed("PAGER=cat nix-env -qa -A nixos.pkgs.hello >&2");
      # Create some containers imperatively.
      my $id1 = $machine->succeed("nixos-container create foo --ensure-unique-name");
--- a/nixos/tests/fleet.nix
+++ b/nixos/tests/fleet.nix
@ -0,0 +1,73 @@
 import ./make-test.nix rec {
  name = "simple";
  nodes = {
    node1 =
      { config, pkgs, ... }:
        {
          services = {
            etcd = {
              enable = true;
              listenPeerUrls = ["http://0.0.0.0:7001"];
              initialAdvertisePeerUrls = ["http://node1:7001"];
              initialCluster = ["node1=http://node1:7001" "node2=http://node2:7001"];
            };
         };
          services.fleet = {
            enable = true;
            metadata.name = "node1";
          };
          networking.firewall.allowedTCPPorts = [ 7001 ];
        };
    node2 =
      { config, pkgs, ... }:
        {
          services = {
            etcd = {
              enable = true;
              listenPeerUrls = ["http://0.0.0.0:7001"];
              initialAdvertisePeerUrls = ["http://node2:7001"];
              initialCluster = ["node1=http://node1:7001" "node2=http://node2:7001"];
            };
           };
          services.fleet = {
            enable = true;
            metadata.name = "node2";
          };
          networking.firewall.allowedTCPPorts = [ 7001 ];
        };
  };
  service = builtins.toFile "hello.service" ''
    [Unit]
    Description=Hello World
    [Service]
    ExecStart=/bin/sh -c "while true; do echo \"Hello, world\"; /var/run/current-system/sw/bin/sleep 1; done"
    [X-Fleet]
    MachineMetadata=name=node2
  '';
  testScript =
    ''
      startAll;
      $node1->waitForUnit("fleet.service");
      $node2->waitForUnit("fleet.service");
      $node2->waitUntilSucceeds("fleetctl list-machines | grep node1");
      $node1->waitUntilSucceeds("fleetctl list-machines | grep node2");
      $node1->succeed("cp ${service} hello.service && fleetctl submit hello.service");
      $node1->succeed("fleetctl list-unit-files | grep hello");
      $node1->succeed("fleetctl start hello.service");
      $node1->waitUntilSucceeds("fleetctl list-units | grep running");
      $node1->succeed("fleetctl stop hello.service");
      $node1->succeed("fleetctl destroy hello.service");
    '';
 }
--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@ -0,0 +1,21 @@
 # This test runs gitlab and checks if it works
 import ./make-test.nix {
  name = "gitlab";
  nodes = {
    gitlab = { config, pkgs, ... }: {
      virtualisation.memorySize = 768;
      services.gitlab.enable = true;
      services.gitlab.databasePassword = "gitlab";
      systemd.services.gitlab.serviceConfig.TimeoutStartSec = "10min";
    };
  };
  testScript = ''
    $gitlab->start();
    $gitlab->waitForUnit("gitlab.service");
    $gitlab->waitForUnit("gitlab-sidekiq.service");
    $gitlab->waitUntilSucceeds("curl http://localhost:8080/users/sign_in");
  '';
 }
--- a/nixos/tests/installer.nix
+++ b/nixos/tests/installer.nix
@ -29,6 +29,10 @@ let
                pkgs.unionfs-fuse
                pkgs.gummiboot
              ];
            # Don't use https://cache.nixos.org since the fake
            # cache.nixos.org doesn't do https.
            nix.binaryCaches = [ http://cache.nixos.org/ ];
          }
        ];
    }).config.system.build.isoImage;
@ -38,7 +42,7 @@ let
  makeConfig = { testChannel, grubVersion, grubDevice, grubIdentifier
    , readOnly ? true, forceGrubReinstallCount ? 0 }:
    pkgs.writeText "configuration.nix" ''
-      { config, pkgs, modulesPath, ... }:
+      { config, lib, pkgs, modulesPath, ... }:
      { imports =
          [ ./hardware-configuration.nix
@ -58,9 +62,9 @@ let
        ${optionalString (!readOnly) "nix.readOnlyStore = false;"}
        swapDevices = mkOverride 0 [ ];
        environment.systemPackages = [ ${optionalString testChannel "pkgs.rlwrap"} ];
        nix.binaryCaches = [ http://cache.nixos.org/ ];
      }
    '';
@ -68,7 +72,7 @@ let
  # Configuration of a web server that simulates the Nixpkgs channel
  # distribution server.
  webserver =
-    { config, pkgs, ... }:
+    { config, lib, pkgs, ... }:
    { services.httpd.enable = true;
      services.httpd.adminAddr = "foo@example.org";
@ -187,8 +191,9 @@ let
      $machine->succeed("test -e /boot/grub");
      # Did the swap device get activated?
-      $machine->waitForUnit("swap.target");
+      # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved
-      $machine->succeed("cat /proc/swaps | grep -q /dev");
+      #$machine->waitForUnit("swap.target");
      $machine->waitUntilSucceeds("cat /proc/swaps | grep -q /dev");
      # Check whether the channel works.
      $machine->succeed("nix-env -i coreutils >&2");
--- a/nixos/tests/kubernetes.nix
+++ b/nixos/tests/kubernetes.nix
@ -45,10 +45,10 @@ import ./make-test.nix rec {
  nodes = {
    master =
-      { config, pkgs, nodes, ... }:
+      { config, pkgs, lib, nodes, ... }:
        {
-          virtualisation.memorySize = 512;
+          virtualisation.memorySize = 768;
-          virtualisation.kubernetes = {
+          services.kubernetes = {
            roles = ["master" "node"];
            controllerManager.machines = ["master" "node"];
            kubelet.extraOpts = "-network_container_image=master:5000/pause";
@ -75,6 +75,7 @@ import ./make-test.nix rec {
              ipAddress = "10.10.0.1";
              prefixLength = 24;
            };
            eth2.ip4 = lib.mkOverride 0 [ ];
          };
          networking.localCommands = ''
            ip route add 10.10.0.0/16 dev cbr0
@ -89,9 +90,9 @@ import ./make-test.nix rec {
        };
    node =
-      { config, pkgs, nodes, ... }:
+      { config, pkgs, lib, nodes, ... }:
        {
-          virtualisation.kubernetes = {
+          services.kubernetes = {
            roles = ["node"];
            kubelet.extraOpts = "-network_container_image=master:5000/pause";
            verbose = true;
@ -112,6 +113,7 @@ import ./make-test.nix rec {
              ipAddress = "10.10.1.1";
              prefixLength = 24;
            };
            eth2.ip4 = lib.mkOverride 0 [ ];
          };
          networking.localCommands = ''
            ip route add 10.10.0.0/16 dev cbr0
--- a/Show More
+++ b/Show More