Merge staging-next into staging

.github/CODEOWNERS

@@ -139,3 +139,14 @@
 
 # Bazel
 /pkgs/development/tools/build-managers/bazel @mboes @Profpatsch
+
+# NixOS modules for e-mail and dns services
+/nixos/modules/services/mail/mailman.nix    @peti
+/nixos/modules/services/mail/postfix.nix    @peti
+/nixos/modules/services/networking/bind.nix @peti
+/nixos/modules/services/mail/rspamd.nix     @peti
+
+# Emacs
+/pkgs/applications/editors/emacs-modes @adisbladis
+/pkgs/applications/editors/emacs       @adisbladis
+/pkgs/top-level/emacs-packages.nix     @adisbladis

doc/languages-frameworks/crystal.section.md

@@ -0,0 +1,71 @@
+# Crystal
+
+## Building a Crystal package
+
+This section uses [Mint](https://github.com/mint-lang/mint) as an example for how to build a Crystal package.
+
+If the Crystal project has any dependencies, the first step is to get a `shards.nix` file encoding those. Get a copy of the project and go to its root directory such that its `shard.lock` file is in the current directory, then run `crystal2nix` in it
+```bash
+$ git clone https://github.com/mint-lang/mint
+$ cd mint
+$ git checkout 0.5.0
+$ nix-shell -p crystal2nix --run crystal2nix
+```
+
+This should have generated a `shards.nix` file.
+
+Next create a Nix file for your derivation and use `pkgs.crystal.buildCrystalPackage` as follows:
+```nix
+with import <nixpkgs> {};
+crystal.buildCrystalPackage rec {
+  pname = "mint";
+  version = "0.5.0";
+
+  src = fetchFromGitHub {
+    owner = "mint-lang";
+    repo = "mint";
+    rev = version;
+    sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
+  };
+
+  # Insert the path to your shards.nix file here
+  shardsFile = ./shards.nix;
+
+  ...
+}
+```
+
+This won't build anything yet, because we haven't told it what files build. We can specify a mapping from binary names to source files with the `crystalBinaries` attribute. The project's compilation instructions should show this. For Mint, the binary is called "mint", which is compiled from the source file `src/mint.cr`, so we'll specify this as follows:
+
+```nix
+  crystalBinaries.mint.src = "src/mint.cr";
+
+  # ...
+```
+
+Additionally you can override the default `crystal build` options (which are currently `--release --progress --no-debug --verbose`) with
+
+```nix
+  crystalBinaries.mint.options = [ "--release" "--verbose" ];
+```
+
+Depending on the project, you might need additional steps to get it to compile successfully. In Mint's case, we need to link against openssl, so in the end the Nix file looks as follows:
+
+```nix
+with import <nixpkgs> {};
+crystal.buildCrystalPackage rec {
+  version = "0.5.0";
+  pname = "mint";
+  src = fetchFromGitHub {
+    owner = "mint-lang";
+    repo = "mint";
+    rev = version;
+    sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
+  };
+
+  shardsFile = ./shards.nix;
+  crystalBinaries.mint.src = "src/mint.cr";
+
+  buildInputs = [ openssl_1_0_2 ];
+}
+```

doc/languages-frameworks/index.xml

@@ -32,4 +32,5 @@
  <xi:include href="titanium.section.xml" />
  <xi:include href="vim.section.xml" />
  <xi:include href="emscripten.section.xml" />
+ <xi:include href="crystal.section.xml" />
 </chapter>

doc/package-specific-user-notes.xml

@@ -6,7 +6,7 @@
          answer some of the frequently asked questions
          related to Nixpkgs use.
 
-  Some useful information related to package use 
+  Some useful information related to package use
   can be found in <link linkend="chap-package-notes">package-specific development notes</link>.
 
  </para>
@@ -196,7 +196,7 @@ overrides = self: super: rec {
   haskell-mode = self.melpaPackages.haskell-mode;
   ...
 };
-((emacsPackagesNgGen emacs).overrideScope' overrides).emacsWithPackages (p: with p; [
+((emacsPackagesGen emacs).overrideScope' overrides).emacsWithPackages (p: with p; [
   # here both these package will use haskell-mode of our own choice
   ghc-mod
   dante

lib/modules.nix

@@ -323,16 +323,14 @@ rec {
         else
           mergeDefinitions loc opt.type defs';
 
-      # Check whether the option is defined, and apply the ‘apply’
+
-      # function to the merged value.  This allows options to yield a
+      # The value with a check that it is defined
-      # value computed from the definitions.
+      valueDefined = if res.isDefined then res.mergedValue else
-      value =
+        throw "The option `${showOption loc}' is used but not defined.";
-        if !res.isDefined then
+
-          throw "The option `${showOption loc}' is used but not defined."
+      # Apply the 'apply' function to the merged value. This allows options to
-        else if opt ? apply then
+      # yield a value computed from the definitions
-          opt.apply res.mergedValue
+      value = if opt ? apply then opt.apply valueDefined else valueDefined;
-        else
-          res.mergedValue;
 
     in opt //
       { value = builtins.addErrorContext "while evaluating the option `${showOption loc}':" value;

maintainers/maintainer-list.nix

@@ -478,7 +478,7 @@
     name = "Stanislas Lange";
   };
   ankhers = {
-    email = "justin.k.wood@gmail.com";
+    email = "me@ankhers.dev";
     github = "ankhers";
     githubId = 750786;
     name = "Justin Wood";
@@ -5340,10 +5340,16 @@
     name = "Richard Lupton";
   };
   rnhmjoj = {
-    email = "micheleguerinirocco@me.com";
+    email = "rnhmjoj@inventati.org";
     github = "rnhmjoj";
     githubId = 2817565;
     name = "Michele Guerini Rocco";
+    keys =
+    [
+      { longkeyid   = "ed25519/0xBFBAF4C975F76450";
+        fingerprint = "92B2 904F D293 C94D C4C9  3E6B BFBA F4C9 75F7 6450";
+      }
+    ];
   };
   rob = {
     email = "rob.vermaas@gmail.com";
@@ -5686,6 +5692,12 @@
     githubId = 918365;
     name = "Stefan Frijters";
   };
+  sgo = {
+    email = "stig@stig.io";
+    github = "stigtsp";
+    githubId = 75371;
+    name = "Stig Palmquist";
+  };
   sgraf = {
     email = "sgraf1337@gmail.com";
     github = "sgraf812";
@@ -6655,6 +6667,16 @@
     githubId = 5837359;
     name = "Adrian Pistol";
   };
+  vika_nezrimaya = {
+    email = "vika@fireburn.ru";
+    github = "kisik21";
+    githubId = 7953163;
+    name = "Vika Shleina";
+    keys = [{
+      longkeyid = "rsa4096/0x5402B9B5497BACDB";
+      fingerprint = "A03C D09C 36CF D9F6 1ADF  AF11 5402 B9B5 497B ACDB";
+    }];
+  };
   vinymeuh = {
     email = "vinymeuh@gmail.com";
     github = "vinymeuh";

maintainers/scripts/luarocks-packages.csv

@@ -18,6 +18,7 @@ http,,,,,vcunat
 inspect,,,,,
 ldoc,,,,,
 lgi,,,,,
+ljsyscall,,,,lua5_1,lblasc
 lpeg,,,,,vyp
 lpeg_patterns,,,,,
 lpeglabel,,,,,

nixos/doc/manual/configuration/profiles/clone-config.xml

@@ -11,4 +11,11 @@
   creating the image in the first place. As a result it allows users to edit
   and rebuild the live-system.
  </para>
+
+ <para>
+  On images where the installation media also becomes an installation target,
+  copying over <literal>configuration.nix</literal> should be disabled by
+  setting <literal>installer.cloneConfig</literal> to <literal>false</literal>.
+  This is already done in <literal>sd-image.nix</literal>.
+ </para>
 </section>

nixos/doc/manual/configuration/profiles/installation-device.xml

@@ -6,33 +6,31 @@
  <title>Installation Device</title>
 
  <para>
-  Provides a basic configuration for installation devices like CDs. This means
+  Provides a basic configuration for installation devices like CDs.
-  enabling hardware scans, using the <link linkend="sec-profile-clone-config">
+  This enables redistributable firmware, includes the
-  Clone Config profile</link> to guarantee
+  <link linkend="sec-profile-clone-config">Clone Config profile</link>
-  <filename>/etc/nixos/configuration.nix</filename> exists (for
+  and a copy of the Nixpkgs channel, so <command>nixos-install</command>
-  <command>nixos-rebuild</command> to work), a copy of the Nixpkgs channel
+  works out of the box.
-  snapshot used to create the install media.
  </para>
-
  <para>
-  Additionally, documentation for <link linkend="opt-documentation.enable">
+  Documentation for <link linkend="opt-documentation.enable">Nixpkgs</link>
-  Nixpkgs</link> and <link linkend="opt-documentation.nixos.enable">NixOS
+  and <link linkend="opt-documentation.nixos.enable">NixOS</link> are
-  </link> are forcefully enabled (to override the
+  forcefully enabled (to override the
   <link linkend="sec-profile-minimal">Minimal profile</link> preference); the
-  NixOS manual is shown automatically on TTY 8, sudo and udisks are disabled.
+  NixOS manual is shown automatically on TTY 8, udisks is disabled.
-  Autologin is enabled as root.
+  Autologin is enabled as <literal>nixos</literal> user, while passwordless
+  login as both <literal>root</literal> and <literal>nixos</literal> is possible.
+  Passwordless <command>sudo</command> is enabled too.
+  <link linkend="opt-networking.wireless.enable">wpa_supplicant</link> is
+  enabled, but configured to not autostart.
+ </para>
+ <para>
+  It is explained how to login, start the ssh server, and if available,
+  how to start the display manager.
  </para>
 
  <para>
-  A message is shown to the user to start a display manager if needed, ssh with
+  Several settings are tweaked so that the installer has a better chance of
-  <xref linkend="opt-services.openssh.permitRootLogin"/> are enabled (but
+  succeeding under low-memory environments.
-  doesn't autostart). WPA Supplicant is also enabled without autostart.
- </para>
-
- <para>
-  Finally, vim is installed, root is set to not have a password, the kernel is
-  made more silent for remote public IP installs, and several settings are
-  tweaked so that the installer has a better chance of succeeding under
-  low-memory environments.
  </para>
 </section>

nixos/doc/manual/release-notes/rl-1909.xml

@@ -48,6 +48,15 @@
      To gain root privileges use <literal>sudo -i</literal> without a password.
     </para>
    </listitem>
+   <listitem>
+    <para>
+      We've updated to Xfce 4.14, which brings a new module <option>services.xserver.desktopManager.xfce4-14</option>.
+      If you'd like to upgrade, please switch from the <option>services.xserver.desktopManager.xfce</option> module as it
+      will be deprecated in a future release. They're incompatibilities with the current Xfce module; it doesn't support
+      <option>thunarPlugins</option> and it isn't recommended to use <option>services.xserver.desktopManager.xfce</option>
+      and <option>services.xserver.desktopManager.xfce4-14</option> simultaneously or to downgrade from Xfce 4.14 after upgrading.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
@@ -291,6 +300,55 @@
        configuration while being better type-checked and mergeable.
      </para>
    </listitem>
+   <listitem>
+    <para>
+     No service depends on <literal>keys.target</literal> anymore which is a systemd
+     target that indicates if all <link xlink:href="https://nixos.org/nixops/manual/#idm140737322342384">NixOps keys</link> were successfully uploaded.
+     Instead, <literal>&lt;key-name&gt;-key.service</literal> should be used to define
+     a dependency of a key in a service. The full issue behind the <literal>keys.target</literal>
+     dependency is described at <link xlink:href="https://github.com/NixOS/nixpkgs/issues/67265">NixOS/nixpkgs#67265</link>.
+    </para>
+    <para>
+     The following services are affected by this:
+     <itemizedlist>
+      <listitem><para><link linkend="opt-services.dovecot2.enable"><literal>services.dovecot2</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.nsd.enable"><literal>services.nsd</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.softether.enable"><literal>services.softether</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.strongswan.enable"><literal>services.strongswan</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.strongswan-swanctl.enable"><literal>services.strongswan-swanctl</literal></link></para></listitem>
+      <listitem><para><link linkend="opt-services.httpd.enable"><literal>services.httpd</literal></link></para></listitem>
+     </itemizedlist>
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       The <option>security.acme.directory</option> option has been replaced by a read-only <option>security.acme.certs.&lt;cert&gt;.directory</option> option for each certificate you define. This will be
+       a subdirectory of <literal>/var/lib/acme</literal>. You can use this read-only option to figure out where the certificates are stored for a specific certificate. For example,
+       the <option>services.nginx.virtualhosts.&lt;name&gt;.enableACME</option>  option will use this directory option to find the certs for the virtual host.
+     </para>
+     <para>
+       <option>security.acme.preDelay</option> and <option>security.acme.activationDelay</option> options have been removed. To execute a service before certificates
+       are provisioned or renewed add a <literal>RequiredBy=acme-${cert}.service</literal> to any service.
+     </para>
+     <para>
+       Furthermore, the acme module will not automatically add a dependency on <literal>lighttpd.service</literal> anymore. If you are using certficates provided by letsencrypt
+       for lighttpd, then you should depend on the certificate service <literal>acme-${cert}.service></literal> manually.
+     </para>
+     <para>
+       For nginx, the dependencies are still automatically managed when <option>services.nginx.virtualhosts.&lt;name&gt;.enableACME</option> is enabled just like before. What changed is that nginx now directly depends on the specific certificates that it needs,
+       instead of depending on the catch-all <literal>acme-certificates.target</literal>. This target unit was also removed from the codebase.
+       This will mean nginx will no longer depend on certificates it isn't explicitly managing and fixes a bug with certificate renewal
+       ordering racing with nginx restarting which could lead to nginx getting in a broken state as described at
+        <link xlink:href="https://github.com/NixOS/nixpkgs/issues/60180">NixOS/nixpkgs#60180</link>.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       The old deprecated <literal>emacs</literal> package sets have been dropped.
+       What used to be called <literal>emacsPackagesNg</literal> is now simply called <literal>emacsPackages</literal>.
+     </para>
+   </listitem>
+
   </itemizedlist>
  </section>
 
@@ -527,6 +585,12 @@
       features.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     We no longer enable custom font rendering settings with <option>fonts.fontconfig.penultimate.enable</option> by default.
+     The defaults from fontconfig are sufficient.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 </section>

nixos/modules/config/fonts/fontconfig-penultimate.nix

@@ -269,7 +269,7 @@ in
         penultimate = {
           enable = mkOption {
             type = types.bool;
-            default = true;
+            default = false;
             description = ''
               Enable fontconfig-penultimate settings to supplement the
               NixOS defaults by providing per-font rendering defaults and

nixos/modules/installer/cd-dvd/sd-image.nix

@@ -194,5 +194,9 @@ in
         rm -f /nix-path-registration
       fi
     '';
+
+    # the installation media is also the installation target,
+    # so we don't want to provide the installation configuration.nix.
+    installer.cloneConfig = false;
   };
 }

nixos/modules/misc/ids.nix

@@ -340,7 +340,7 @@
       cockroachdb = 313;
       zoneminder = 314;
       paperless = 315;
-      mailman = 316;
+      #mailman = 316;  # removed 2019-08-30
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -641,7 +641,7 @@
       cockroachdb = 313;
       zoneminder = 314;
       paperless = 315;
-      mailman = 316;
+      #mailman = 316;  # removed 2019-08-30
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/module-list.nix

@@ -376,6 +376,7 @@
   ./services/mail/mail.nix
   ./services/mail/mailcatcher.nix
   ./services/mail/mailhog.nix
+  ./services/mail/mailman.nix
   ./services/mail/mlmmj.nix
   ./services/mail/offlineimap.nix
   ./services/mail/opendkim.nix
@@ -770,6 +771,7 @@
   ./services/system/uptimed.nix
   ./services/torrent/deluge.nix
   ./services/torrent/flexget.nix
+  ./services/torrent/magnetico.nix
   ./services/torrent/opentracker.nix
   ./services/torrent/peerflix.nix
   ./services/torrent/transmission.nix

nixos/modules/profiles/installation-device.nix

@@ -55,13 +55,16 @@ with lib;
     services.mingetty.autologinUser = "nixos";
 
     # Some more help text.
-    services.mingetty.helpLine =
+    services.mingetty.helpLine = ''
-      ''
+      The "nixos" and "root" accounts have empty passwords.
 
-        The "nixos" and "root" account have empty passwords.  ${
+      Type `sudo systemctl start sshd` to start the SSH daemon.
-          optionalString config.services.xserver.enable
+      You then must set a password for either "root" or "nixos"
-            "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
+      with `passwd` to be able to login.
-      '';
+    '' + optionalString config.services.xserver.enable ''
+      Type `sudo systemctl start display-manager' to
+      start the graphical user interface.
+    '';
 
     # Allow sshd to be started manually through "systemctl start sshd".
     services.openssh = {

nixos/modules/programs/bash/bash.nix

@@ -98,7 +98,7 @@ in
           if [ "$TERM" != "dumb" -o -n "$INSIDE_EMACS" ]; then
             PROMPT_COLOR="1;31m"
             let $UID && PROMPT_COLOR="1;32m"
-            if [ -n "$INSIDE_EMACS" ]; then
+            if [ -n "$INSIDE_EMACS" -o "$TERM" == "eterm" -o "$TERM" == "eterm-color" ]; then
               # Emacs term mode doesn't support xterm title escape sequence (\e]0;)
               PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
             else

nixos/modules/programs/zsh/zsh.nix

@@ -214,7 +214,6 @@ in
         # Need to disable features to support TRAMP
         if [ "$TERM" = dumb ]; then
             unsetopt zle prompt_cr prompt_subst
-            unfunction precmd preexec
             unset RPS1 RPROMPT
             PS1='$ '
             PROMPT='$ '

nixos/modules/rename.nix

@@ -256,6 +256,11 @@ with lib;
 
     # binfmt
     (mkRenamedOptionModule [ "boot" "binfmtMiscRegistrations" ] [ "boot" "binfmt" "registrations" ])
+    
+    # ACME
+    (mkRemovedOptionModule [ "security" "acme" "directory"] "ACME Directory is now hardcoded to /var/lib/acme and its permisisons are managed by systemd. See https://github.com/NixOS/nixpkgs/issues/53852 for more info.")
+    (mkRemovedOptionModule [ "security" "acme" "preDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
+    (mkRemovedOptionModule [ "security" "acme" "activationDelay"] "This option has been removed. If you want to make sure that something executes before certificates are provisioned, add a RequiredBy=acme-\${cert}.service to the service you want to execute before the cert renewal")
 
     # KSM
     (mkRenamedOptionModule [ "hardware" "enableKSM" ] [ "hardware" "ksm" "enable" ])

nixos/modules/security/acme.nix

@@ -80,25 +80,11 @@ let
         '';
       };
 
-      activationDelay = mkOption {
+      directory = mkOption {
-        type = types.nullOr types.str;
+        type = types.str;
-        default = null;
+        readOnly = true;
-        description = ''
+        default = "/var/lib/acme/${name}";
-          Systemd time span expression to delay copying new certificates to main
+        description = "Directory where certificate and other state is stored.";
-          state directory. See <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>7</manvolnum></citerefentry>.
-        '';
-      };
-
-      preDelay = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Commands to run after certificates are re-issued but before they are
-          activated. Typically the new certificate is published to DNS.
-
-          Executed in the same directory with the new certificate.
-        '';
       };
 
       extraDomains = mkOption {
@@ -126,13 +112,6 @@ in
 
   options = {
     security.acme = {
-      directory = mkOption {
-        default = "/var/lib/acme";
-        type = types.str;
-        description = ''
-          Directory where certs and other state will be stored by default.
-        '';
-      };
 
       validMin = mkOption {
         type = types.int;
@@ -181,7 +160,11 @@ in
         default = { };
         type = with types; attrsOf (submodule certOpts);
         description = ''
-          Attribute set of certificates to get signed and renewed.
+          Attribute set of certificates to get signed and renewed. Creates
+          <literal>acme-''${cert}.{service,timer}</literal> systemd units for
+          each certificate defined here. Other services can add dependencies
+          to those units if they rely on the certificates being present,
+          or trigger restarts of the service if certificates get renewed.
         '';
         example = literalExample ''
           {
@@ -209,8 +192,7 @@ in
           servicesLists = mapAttrsToList certToServices cfg.certs;
           certToServices = cert: data:
               let
-                cpath = lpath + optionalString (data.activationDelay != null) ".staging";
+                lpath = "acme/${cert}";
-                lpath = "${cfg.directory}/${cert}";
                 rights = if data.allowKeysForGroup then "750" else "700";
                 cmdline = [ "-v" "-d" data.domain "--default_root" data.webroot "--valid_min" cfg.validMin ]
                           ++ optionals (data.email != null) [ "--email" data.email ]
@@ -224,79 +206,27 @@ in
                   serviceConfig = {
                     Type = "oneshot";
                     SuccessExitStatus = [ "0" "1" ];
-                    PermissionsStartOnly = true;
                     User = data.user;
                     Group = data.group;
                     PrivateTmp = true;
+                    StateDirectory = lpath;
+                    StateDirectoryMode = rights;
+                    WorkingDirectory = "/var/lib/${lpath}";
+                    ExecStart = "${pkgs.simp_le}/bin/simp_le ${escapeShellArgs cmdline}";
+                    ExecStopPost =
+                      let
+                        script = pkgs.writeScript "acme-post-stop" ''
+                          #!${pkgs.runtimeShell} -e
+                          ${data.postRun}
+                        '';
+                      in
+                        "+${script}";
                   };
-                  path = with pkgs; [ simp_le systemd ];
-                  preStart = ''
-                    mkdir -p '${cfg.directory}'
-                    chown 'root:root' '${cfg.directory}'
-                    chmod 755 '${cfg.directory}'
-                    if [ ! -d '${cpath}' ]; then
-                      mkdir '${cpath}'
-                    fi
-                    chmod ${rights} '${cpath}'
-                    chown -R '${data.user}:${data.group}' '${cpath}'
-                    mkdir -p '${data.webroot}/.well-known/acme-challenge'
-                    chown -R '${data.user}:${data.group}' '${data.webroot}/.well-known/acme-challenge'
-                  '';
-                  script = ''
-                    cd '${cpath}'
-                    set +e
-                    simp_le ${escapeShellArgs cmdline}
-                    EXITCODE=$?
-                    set -e
-                    echo "$EXITCODE" > /tmp/lastExitCode
-                    exit "$EXITCODE"
-                  '';
-                  postStop = ''
-                    cd '${cpath}'
 
-                    if [ -e /tmp/lastExitCode ] && [ "$(cat /tmp/lastExitCode)" = "0" ]; then
-                      ${if data.activationDelay != null then ''
-
-                      ${data.preDelay}
-
-                      if [ -d '${lpath}' ]; then
-                        systemd-run --no-block --on-active='${data.activationDelay}' --unit acme-setlive-${cert}.service
-                      else
-                        systemctl --wait start acme-setlive-${cert}.service
-                      fi
-                      '' else data.postRun}
-
-                      # noop ensuring that the "if" block is non-empty even if
-                      # activationDelay == null and postRun == ""
-                      true
-                    fi
-                  '';
-
-                  before = [ "acme-certificates.target" ];
-                  wantedBy = [ "acme-certificates.target" ];
-                };
-                delayService = {
-                  description = "Set certificate for ${cert} live";
-                  path = with pkgs; [ rsync ];
-                  serviceConfig = {
-                    Type = "oneshot";
-                  };
-                  script = ''
-                    rsync -a --delete-after '${cpath}/' '${lpath}'
-                  '';
-                  postStop = data.postRun;
                 };
                 selfsignedService = {
                   description = "Create preliminary self-signed certificate for ${cert}";
                   path = [ pkgs.openssl ];
-                  preStart = ''
-                      if [ ! -d '${cpath}' ]
-                      then
-                        mkdir -p '${cpath}'
-                        chmod ${rights} '${cpath}'
-                        chown '${data.user}:${data.group}' '${cpath}'
-                      fi
-                  '';
                   script =
                     ''
                       workdir="$(mktemp -d)"
@@ -318,50 +248,41 @@ in
                         -out $workdir/server.crt
 
                       # Copy key to destination
-                      cp $workdir/server.key ${cpath}/key.pem
+                      cp $workdir/server.key /var/lib/${lpath}/key.pem
 
                       # Create fullchain.pem (same format as "simp_le ... -f fullchain.pem" creates)
-                      cat $workdir/{server.crt,ca.crt} > "${cpath}/fullchain.pem"
+                      cat $workdir/{server.crt,ca.crt} > "/var/lib/${lpath}/fullchain.pem"
 
                       # Create full.pem for e.g. lighttpd
-                      cat $workdir/{server.key,server.crt,ca.crt} > "${cpath}/full.pem"
+                      cat $workdir/{server.key,server.crt,ca.crt} > "/var/lib/${lpath}/full.pem"
 
                       # Give key acme permissions
-                      chown '${data.user}:${data.group}' "${cpath}/"{key,fullchain,full}.pem
+                      chown '${data.user}:${data.group}' "/var/lib/${lpath}/"{key,fullchain,full}.pem
-                      chmod ${rights} "${cpath}/"{key,fullchain,full}.pem
+                      chmod ${rights} "/var/lib/${lpath}/"{key,fullchain,full}.pem
                     '';
                   serviceConfig = {
                     Type = "oneshot";
-                    PermissionsStartOnly = true;
                     PrivateTmp = true;
+                    StateDirectory = lpath;
                     User = data.user;
                     Group = data.group;
                   };
                   unitConfig = {
                     # Do not create self-signed key when key already exists
-                    ConditionPathExists = "!${cpath}/key.pem";
+                    ConditionPathExists = "!/var/lib/${lpath}/key.pem";
                   };
-                  before = [
-                    "acme-selfsigned-certificates.target"
-                  ];
-                  wantedBy = [
-                    "acme-selfsigned-certificates.target"
-                  ];
                 };
               in (
                 [ { name = "acme-${cert}"; value = acmeService; } ]
                 ++ optional cfg.preliminarySelfsigned { name = "acme-selfsigned-${cert}"; value = selfsignedService; }
-                ++ optional (data.activationDelay != null) { name = "acme-setlive-${cert}"; value = delayService; }
               );
           servicesAttr = listToAttrs services;
-          injectServiceDep = {
-            after = [ "acme-selfsigned-certificates.target" ];
-            wants = [ "acme-selfsigned-certificates.target" "acme-certificates.target" ];
-          };
         in
-          servicesAttr //
+          servicesAttr;
-          (if config.services.nginx.enable then { nginx = injectServiceDep; } else {}) //
+
-          (if config.services.lighttpd.enable then { lighttpd = injectServiceDep; } else {});
+      systemd.tmpfiles.rules =
+        flip mapAttrsToList cfg.certs
+        (cert: data: "d ${data.webroot}/.well-known/acme-challenge - ${data.user} ${data.group}");
 
       systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
         ("acme-${cert}")

nixos/modules/security/acme.xml

@@ -59,10 +59,8 @@ http {
   <para>
    The private key <filename>key.pem</filename> and certificate
    <filename>fullchain.pem</filename> will be put into
-   <filename>/var/lib/acme/foo.example.com</filename>. The target directory can
+   <filename>/var/lib/acme/foo.example.com</filename>.
-   be configured with the option <xref linkend="opt-security.acme.directory"/>.
   </para>
-
   <para>
    Refer to <xref linkend="ch-options" /> for all available configuration
    options for the <link linkend="opt-security.acme.certs">security.acme</link>

nixos/modules/services/continuous-integration/gitlab-runner.nix

@@ -111,7 +111,10 @@ in
   config = mkIf cfg.enable {
     systemd.services.gitlab-runner = {
       path = cfg.packages;
-      environment = config.networking.proxy.envVars;
+      environment = config.networking.proxy.envVars // {
+        # Gitlab runner will not start if the HOME variable is not set
+        HOME = cfg.workDir;
+      };
       description = "Gitlab Runner";
       after = [ "network.target" ]
         ++ optional hasDocker "docker.service";

nixos/modules/services/databases/redis.nix

@@ -224,26 +224,17 @@ in
 
     environment.systemPackages = [ cfg.package ];
 
-    systemd.services.redis_init =
-      { description = "Redis Server Initialisation";
-
-        wantedBy = [ "redis.service" ];
-        before = [ "redis.service" ];
-
-        serviceConfig.Type = "oneshot";
-
-        script = ''
-          install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
-          chown -R ${cfg.user} ${cfg.dbpath}
-        '';
-      };
-
     systemd.services.redis =
       { description = "Redis Server";
 
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
 
+        preStart = ''
+          install -d -m0700 -o ${cfg.user} ${cfg.dbpath}
+          chown -R ${cfg.user} ${cfg.dbpath}
+        '';
+
         serviceConfig = {
           ExecStart = "${cfg.package}/bin/redis-server ${redisConfig}";
           User = cfg.user;

nixos/modules/services/desktops/gnome3/gnome-user-share.nix

@@ -12,14 +12,7 @@ with lib;
 
     services.gnome3.gnome-user-share = {
 
-      enable = mkOption {
+      enable = mkEnableOption "GNOME User Share, a user-level file sharing service for GNOME";
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to enable GNOME User Share, a service that exports the
-          contents of the Public folder in your home directory on the local network.
-        '';
-      };
 
     };
 
@@ -30,12 +23,13 @@ with lib;
 
   config = mkIf config.services.gnome3.gnome-user-share.enable {
 
-    environment.systemPackages = [ pkgs.gnome3.gnome-user-share ];
+    environment.systemPackages = [
+      pkgs.gnome3.gnome-user-share
+    ];
 
-    services.xserver.displayManager.sessionCommands = with pkgs.gnome3; ''
+    systemd.packages = [
-      # Don't let gnome-control-center depend upon gnome-user-share
+      pkgs.gnome3.gnome-user-share
-      export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome-user-share}/share/gsettings-schemas/${gnome-user-share.name}
+    ];
-    '';
 
   };
 

nixos/modules/services/editors/emacs.xml

@@ -9,6 +9,7 @@
       Damien Cassou @DamienCassou
       Thomas Tuegel @ttuegel
       Rodney Lorrimar @rvl
+      Adam Hoese @adisbladis
   -->
  <para>
   <link xlink:href="https://www.gnu.org/software/emacs/">Emacs</link> is an
@@ -130,15 +131,6 @@
     Emacs packages through nixpkgs.
    </para>
 
-   <note>
-    <para>
-     This documentation describes the new Emacs packages framework in NixOS
-     16.03 (<varname>emacsPackagesNg</varname>) which should not be confused
-     with the previous and deprecated framework
-     (<varname>emacs24Packages</varname>).
-    </para>
-   </note>
-
    <para>
     The first step to declare the list of packages you want in your Emacs
     installation is to create a dedicated derivation. This can be done in a
@@ -164,7 +156,7 @@ $ ./result/bin/emacs
 
 let
   myEmacs = pkgs.emacs; <co xml:id="ex-emacsNix-2" />
-  emacsWithPackages = (pkgs.emacsPackagesNgGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
+  emacsWithPackages = (pkgs.emacsPackagesGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
 in
   emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ <co xml:id="ex-emacsNix-4" />
     magit          # ; Integrate git &lt;C-x g&gt;
@@ -262,10 +254,10 @@ in
     <example xml:id="module-services-emacs-querying-packages">
      <title>Querying Emacs packages</title>
 <programlisting><![CDATA[
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.elpaPackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.elpaPackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaPackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaPackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.melpaStablePackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaStablePackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackagesNg.orgPackages
+nix-env -f "<nixpkgs>" -qaP -A emacsPackages.orgPackages
 ]]></programlisting>
     </example>
    </para>

nixos/modules/services/hardware/fwupd.nix

@@ -8,8 +8,8 @@ let
   cfg = config.services.fwupd;
   originalEtc =
     let
-      mkEtcFile = n: nameValuePair n { source = "${pkgs.fwupd}/etc/${n}"; };
+      mkEtcFile = n: nameValuePair n { source = "${cfg.package}/etc/${n}"; };
-    in listToAttrs (map mkEtcFile pkgs.fwupd.filesInstalledToEtc);
+    in listToAttrs (map mkEtcFile cfg.package.filesInstalledToEtc);
   extraTrustedKeys =
     let
       mkName = p: "pki/fwupd/${baseNameOf (toString p)}";
@@ -24,7 +24,7 @@ let
     "fwupd/remotes.d/fwupd-tests.conf" = {
       source = pkgs.runCommand "fwupd-tests-enabled.conf" {} ''
         sed "s,^Enabled=false,Enabled=true," \
-        "${pkgs.fwupd.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
+        "${cfg.package.installedTests}/etc/fwupd/remotes.d/fwupd-tests.conf" > "$out"
       '';
     };
   } else {};
@@ -77,13 +77,21 @@ in {
           <link xlink:href="https://github.com/hughsie/fwupd/blob/master/data/installed-tests/README.md">installed tests</link>.
         '';
       };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.fwupd;
+        description = ''
+          Which fwupd package to use.
+        '';
+      };
     };
   };
 
 
   ###### implementation
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.fwupd ];
+    environment.systemPackages = [ cfg.package ];
 
     environment.etc = {
       "fwupd/daemon.conf" = {
@@ -102,11 +110,11 @@ in {
 
     } // originalEtc // extraTrustedKeys // testRemote;
 
-    services.dbus.packages = [ pkgs.fwupd ];
+    services.dbus.packages = [ cfg.package ];
 
-    services.udev.packages = [ pkgs.fwupd ];
+    services.udev.packages = [ cfg.package ];
 
-    systemd.packages = [ pkgs.fwupd ];
+    systemd.packages = [ cfg.package ];
 
     systemd.tmpfiles.rules = [
       "d /var/lib/fwupd 0755 root root -"

nixos/modules/services/mail/dovecot.nix

@@ -344,8 +344,7 @@ in
     systemd.services.dovecot2 = {
       description = "Dovecot IMAP/POP3 server";
 
-      after = [ "keys.target" "network.target" ];
+      after = [ "network.target" ];
-      wants = [ "keys.target" ];
       wantedBy = [ "multi-user.target" ];
       restartTriggers = [ cfg.configFile ];
 

nixos/modules/services/mail/mailman.nix

@@ -0,0 +1,114 @@
+{ config, pkgs, lib, ... }:          # mailman.nix
+
+with lib;
+
+let
+
+  cfg = config.services.mailman;
+
+  pythonEnv = pkgs.python3.withPackages (ps: [ps.mailman]);
+
+  mailmanExe = with pkgs; stdenv.mkDerivation {
+    name = "mailman-" + python3Packages.mailman.version;
+    unpackPhase = ":";
+    installPhase = ''
+      mkdir -p $out/bin
+      sed >"$out/bin/mailman" <"${pythonEnv}/bin/mailman" \
+        -e "2 iexport MAILMAN_CONFIG_FILE=/etc/mailman.cfg"
+      chmod +x $out/bin/mailman
+    '';
+  };
+
+  mailmanCfg = ''
+    [mailman]
+    site_owner: ${cfg.siteOwner}
+    layout: fhs
+
+    [paths.fhs]
+    bin_dir: ${pkgs.python3Packages.mailman}/bin
+    var_dir: /var/lib/mailman
+    queue_dir: $var_dir/queue
+    log_dir: $var_dir/log
+    lock_dir: $var_dir/lock
+    etc_dir: /etc
+    ext_dir: $etc_dir/mailman.d
+    pid_file: /run/mailman/master.pid
+  '';
+
+in {
+
+  ###### interface
+
+  options = {
+
+    services.mailman = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable Mailman on this host. Requires an active Postfix installation.";
+      };
+
+      siteOwner = mkOption {
+        type = types.str;
+        default = "postmaster";
+        description = ''
+          Certain messages that must be delivered to a human, but which can't
+          be delivered to a list owner (e.g. a bounce from a list owner), will
+          be sent to this address. It should point to a human.
+        '';
+      };
+
+
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    assertions = [
+      { assertion = cfg.enable -> config.services.postfix.enable;
+        message = "Mailman requires Postfix";
+      }
+      { assertion = config.services.postfix.recipientDelimiter == "+";
+        message = "Postfix's recipientDelimiter must be set to '+'.";
+      }
+    ];
+
+    users.users.mailman = { description = "GNU Mailman"; isSystemUser = true; };
+
+    environment = {
+      systemPackages = [ mailmanExe ];
+      etc."mailman.cfg".text = mailmanCfg;
+    };
+
+    services.postfix = {
+      relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
+      config = {
+        transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+        local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
+        # Mailman uses recipient delimiters, so we don't need special handling.
+        owner_request_special = "no";
+      };
+    };
+
+    systemd.services.mailman = {
+      description = "GNU Mailman Master Process";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${mailmanExe}/bin/mailman start";
+        ExecStop = "${mailmanExe}/bin/mailman stop";
+        User = "mailman";
+        Type = "forking";
+        StateDirectory = "mailman";
+        StateDirectoryMode = "0700";
+        RuntimeDirectory = "mailman";
+        PIDFile = "/run/mailman/master.pid";
+      };
+    };
+
+  };
+
+}

nixos/modules/services/misc/nix-daemon.nix

@@ -8,7 +8,9 @@ let
 
   nix = cfg.package.out;
 
-  isNix20 = versionAtLeast (getVersion nix) "2.0pre";
+  nixVersion = getVersion nix;
+
+  isNix20 = versionAtLeast nixVersion "2.0pre";
 
   makeNixBuildUser = nr:
     { name = "nixbld${toString nr}";
@@ -61,6 +63,9 @@ let
           builders =
         ''}
         system-features = ${toString cfg.systemFeatures}
+        ${optionalString (versionAtLeast nixVersion "2.3pre") ''
+          sandbox-fallback = false
+        ''}
         $extraOptions
         END
       '' + optionalString cfg.checkConfig (

nixos/modules/services/monitoring/netdata.nix

@@ -156,6 +156,8 @@ in {
       };
     };
 
+    systemd.enableCgroupAccounting = true;
+
     security.wrappers."apps.plugin" = {
       source = "${pkgs.netdata}/libexec/netdata/plugins.d/apps.plugin.org";
       capabilities = "cap_dac_read_search,cap_sys_ptrace+ep";

nixos/modules/services/networking/nsd.nix

@@ -916,9 +916,8 @@ in
     systemd.services.nsd = {
       description = "NSD authoritative only domain name service";
 
-      after = [ "keys.target" "network.target" ];
+      after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      wants = [ "keys.target" ];
 
       serviceConfig = {
         ExecStart = "${nsdPkg}/sbin/nsd -d -c ${nsdEnv}/nsd.conf";

nixos/modules/services/networking/softether.nix

@@ -70,8 +70,6 @@ in
 
       systemd.services.softether-init = {
         description = "SoftEther VPN services initial task";
-        after = [ "keys.target" ];
-        wants = [ "keys.target" ];
         wantedBy = [ "network.target" ];
         serviceConfig = {
           Type = "oneshot";

nixos/modules/services/networking/strongswan-swanctl/module.nix

@@ -62,9 +62,8 @@ in  {
     systemd.services.strongswan-swanctl = {
       description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
       wantedBy = [ "multi-user.target" ];
-      after    = [ "network-online.target" "keys.target" ];
+      after    = [ "network-online.target" ];
-      wants    = [ "keys.target" ];
+      path     = with pkgs; [ kmod iproute iptables utillinux ];
-      path = with pkgs; [ kmod iproute iptables utillinux ];
       environment = {
         STRONGSWAN_CONF = pkgs.writeTextFile {
           name = "strongswan.conf";

nixos/modules/services/networking/strongswan.nix

@@ -151,8 +151,7 @@ in
       description = "strongSwan IPSec Service";
       wantedBy = [ "multi-user.target" ];
       path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
-      wants = [ "keys.target" ];
+      after = [ "network-online.target" ];
-      after = [ "network-online.target" "keys.target" ];
       environment = {
         STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
       };

nixos/modules/services/security/vault.nix

@@ -70,7 +70,7 @@ in
       };
 
       storageBackend = mkOption {
-        type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" ];
+        type = types.enum [ "inmem" "file" "consul" "zookeeper" "s3" "azure" "dynamodb" "etcd" "mssql" "mysql" "postgresql" "swift" "gcs" "raft" ];
         default = "inmem";
         description = "The name of the type of storage backend";
       };

nixos/modules/services/torrent/magnetico.nix

@@ -0,0 +1,214 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.magnetico;
+
+  dataDir = "/var/lib/magnetico";
+
+  credFile = with cfg.web;
+    if credentialsFile != null
+      then credentialsFile
+      else pkgs.writeText "magnetico-credentials"
+        (concatStrings (mapAttrsToList
+          (user: hash: "${user}:${hash}\n")
+          cfg.web.credentials));
+
+  # default options in magneticod/main.go
+  dbURI = concatStrings
+    [ "sqlite3://${dataDir}/database.sqlite3"
+      "?_journal_mode=WAL"
+      "&_busy_timeout=3000"
+      "&_foreign_keys=true"
+    ];
+
+  crawlerArgs = with cfg.crawler; escapeShellArgs
+    ([ "--database=${dbURI}"
+       "--indexer-addr=${address}:${toString port}"
+       "--indexer-max-neighbors=${toString maxNeighbors}"
+       "--leech-max-n=${toString maxLeeches}"
+     ] ++ extraOptions);
+
+  webArgs = with cfg.web; escapeShellArgs
+    ([ "--database=${dbURI}"
+       (if (cfg.web.credentialsFile != null || cfg.web.credentials != { })
+         then "--credentials=${toString credFile}"
+         else "--no-auth")
+     ] ++ extraOptions);
+
+in {
+
+  ###### interface
+
+  options.services.magnetico = {
+    enable = mkEnableOption "Magnetico, Bittorrent DHT crawler";
+
+    crawler.address = mkOption {
+      type = types.str;
+      default = "0.0.0.0";
+      example = "1.2.3.4";
+      description = ''
+        Address to be used for indexing DHT nodes.
+      '';
+    };
+
+    crawler.port = mkOption {
+      type = types.port;
+      default = 0;
+      description = ''
+        Port to be used for indexing DHT nodes.
+        This port should be added to
+        <option>networking.firewall.allowedTCPPorts</option>.
+      '';
+    };
+
+    crawler.maxNeighbors = mkOption {
+      type = types.ints.positive;
+      default = 1000;
+      description = ''
+        Maximum number of simultaneous neighbors of an indexer.
+        Be careful changing this number: high values can very
+        easily cause your network to be congested or even crash
+        your router.
+      '';
+    };
+
+    crawler.maxLeeches = mkOption {
+      type = types.ints.positive;
+      default = 200;
+      description = ''
+        Maximum number of simultaneous leeches.
+      '';
+    };
+
+    crawler.extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+        Extra command line arguments to pass to magneticod.
+      '';
+    };
+
+    web.address = mkOption {
+      type = types.str;
+      default = "localhost";
+      example = "1.2.3.4";
+      description = ''
+        Address the web interface will listen to.
+      '';
+    };
+
+    web.port = mkOption {
+      type = types.port;
+      default = 8080;
+      description = ''
+        Port the web interface will listen to.
+      '';
+    };
+
+    web.credentials = mkOption {
+      type = types.attrsOf types.str;
+      default = {};
+      example = lib.literalExample ''
+        {
+          myuser = "$2y$12$YE01LZ8jrbQbx6c0s2hdZO71dSjn2p/O9XsYJpz.5968yCysUgiaG";
+        }
+      '';
+      description = ''
+        The credentials to access the web interface, in case authentication is
+        enabled, in the format <literal>username:hash</literal>. If unset no
+        authentication will be required.
+
+        Usernames must start with a lowercase ([a-z]) ASCII character, might
+        contain non-consecutive underscores except at the end, and consists of
+        small-case a-z characters and digits 0-9.  The
+        <command>htpasswd</command> tool from the <package>apacheHttpd
+        </package> package may be used to generate the hash: <command>htpasswd
+        -bnBC 12 username password</command>
+
+        <warning>
+        <para>
+          The hashes will be stored world-readable in the nix store.
+          Consider using the <literal>credentialsFile</literal> option if you
+          don't want this.
+        </para>
+        </warning>
+      '';
+    };
+
+    web.credentialsFile = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = ''
+        The path to the file holding the credentials to access the web
+        interface. If unset no authentication will be required.
+
+        The file must constain user names and password hashes in the format
+        <literal>username:hash </literal>, one for each line.  Usernames must
+        start with a lowecase ([a-z]) ASCII character, might contain
+        non-consecutive underscores except at the end, and consists of
+        small-case a-z characters and digits 0-9.
+        The <command>htpasswd</command> tool from the <package>apacheHttpd
+        </package> package may be used to generate the hash:
+        <command>htpasswd -bnBC 12 username password</command>
+      '';
+    };
+
+    web.extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+        Extra command line arguments to pass to magneticow.
+      '';
+    };
+
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    users.users.magnetico = {
+      description = "Magnetico daemons user";
+    };
+
+    systemd.services.magneticod = {
+      description = "Magnetico DHT crawler";
+      wantedBy = [ "multi-user.target" ];
+      after    = [ "network-online.target" ];
+
+      serviceConfig = {
+        User      = "magnetico";
+        Restart   = "on-failure";
+        ExecStart = "${pkgs.magnetico}/bin/magneticod ${crawlerArgs}";
+      };
+    };
+
+    systemd.services.magneticow = {
+      description = "Magnetico web interface";
+      wantedBy = [ "multi-user.target" ];
+      after    = [ "network-online.target" "magneticod.service"];
+
+      serviceConfig = {
+        User           = "magnetico";
+        StateDirectory = "magnetico";
+        Restart        = "on-failure";
+        ExecStart      = "${pkgs.magnetico}/bin/magneticow ${webArgs}";
+      };
+    };
+
+    assertions =
+    [
+      {
+        assertion = cfg.web.credentialsFile != null || cfg.web.credentials != { };
+        message = ''
+          The options services.magnetico.web.credentialsFile and
+          services.magnetico.web.credentials are mutually exclusives.
+        '';
+      }
+    ];
+
+  };
+
+}

nixos/modules/services/web-servers/apache-httpd/default.nix

@@ -670,8 +670,7 @@ in
       { description = "Apache HTTPD";
 
         wantedBy = [ "multi-user.target" ];
-        wants = [ "keys.target" ];
+        after = [ "network.target" "fs.target" ];
-        after = [ "network.target" "fs.target" "keys.target" ];
 
         path =
           [ httpd pkgs.coreutils pkgs.gnugrep ]

nixos/modules/services/web-servers/nginx/default.nix

@@ -4,23 +4,25 @@ with lib;
 
 let
   cfg = config.services.nginx;
+  certs = config.security.acme.certs;
+  vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
+  acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
   virtualHosts = mapAttrs (vhostName: vhostConfig:
     let
       serverName = if vhostConfig.serverName != null
         then vhostConfig.serverName
         else vhostName;
-      acmeDirectory = config.security.acme.directory;
     in
     vhostConfig // {
       inherit serverName;
     } // (optionalAttrs vhostConfig.enableACME {
-      sslCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
+      sslCertificate = "${certs.${serverName}.directory}/fullchain.pem";
-      sslCertificateKey = "${acmeDirectory}/${serverName}/key.pem";
+      sslCertificateKey = "${certs.${serverName}.directory}/key.pem";
-      sslTrustedCertificate = "${acmeDirectory}/${serverName}/fullchain.pem";
+      sslTrustedCertificate = "${certs.${serverName}.directory}/full.pem";
     }) // (optionalAttrs (vhostConfig.useACMEHost != null) {
-      sslCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
+      sslCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
-      sslCertificateKey = "${acmeDirectory}/${vhostConfig.useACMEHost}/key.pem";
+      sslCertificateKey = "${certs.${vhostConfig.useACMEHost}.directory}/key.pem";
-      sslTrustedCertificate = "${acmeDirectory}/${vhostConfig.useACMEHost}/fullchain.pem";
+      sslTrustedCertificate = "${certs.${vhostConfig.useACMEHost}.directory}/fullchain.pem";
     })
   ) cfg.virtualHosts;
   enableIPv6 = config.networking.enableIPv6;
@@ -646,8 +648,9 @@ in
 
     systemd.services.nginx = {
       description = "Nginx Web Server";
-      after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
+      wants = concatLists (map (vhostConfig: ["acme-${vhostConfig.serverName}.service" "acme-selfsigned-${vhostConfig.serverName}.service"]) acmeEnabledVhosts);
+      after = [ "network.target" ] ++ map (vhostConfig: "acme-selfsigned-${vhostConfig.serverName}.service") acmeEnabledVhosts;
       stopIfChanged = false;
       preStart =
         ''
@@ -680,8 +683,6 @@ in
 
     security.acme.certs = filterAttrs (n: v: v != {}) (
       let
-        vhostsConfigs = mapAttrsToList (vhostName: vhostConfig: vhostConfig) virtualHosts;
-        acmeEnabledVhosts = filter (vhostConfig: vhostConfig.enableACME && vhostConfig.useACMEHost == null) vhostsConfigs;
         acmePairs = map (vhostConfig: { name = vhostConfig.serverName; value = {
             user = cfg.user;
             group = lib.mkDefault cfg.group;

nixos/modules/services/x11/desktop-managers/default.nix

@@ -18,7 +18,7 @@ in
   # determines the default: later modules (if enabled) are preferred.
   # E.g., if Plasma 5 is enabled, it supersedes xterm.
   imports = [
-    ./none.nix ./xterm.nix ./xfce.nix ./plasma5.nix ./lumina.nix
+    ./none.nix ./xterm.nix ./xfce.nix ./xfce4-14.nix ./plasma5.nix ./lumina.nix
     ./lxqt.nix ./enlightenment.nix ./gnome3.nix ./kodi.nix ./maxx.nix
     ./mate.nix ./pantheon.nix ./surf-display.nix
   ];

nixos/modules/services/x11/desktop-managers/xfce4-14.nix

@@ -0,0 +1,157 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.xserver.desktopManager.xfce4-14;
+in
+
+{
+  # added 2019-08-18
+  # needed to preserve some semblance of UI familarity
+  # with original XFCE module
+  imports = [
+    (mkRenamedOptionModule
+      [ "services" "xserver" "desktopManager" "xfce4-14" "extraSessionCommands" ]
+      [ "services" "xserver" "displayManager" "sessionCommands" ])
+  ];
+
+  options = {
+    services.xserver.desktopManager.xfce4-14 = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable the Xfce desktop environment.";
+      };
+
+    # TODO: support thunar plugins
+    #   thunarPlugins = mkOption {
+    #     default = [];
+    #     type = types.listOf types.package;
+    #     example = literalExample "[ pkgs.xfce4-14.thunar-archive-plugin ]";
+    #     description = ''
+    #       A list of plugin that should be installed with Thunar.
+    #     '';
+    #  };
+
+      noDesktop = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Don't install XFCE desktop components (xfdesktop, panel and notification daemon).";
+      };
+
+      enableXfwm = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable the XFWM (default) window manager.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs.xfce4-14 // pkgs; [
+      glib # for gsettings
+      gtk3.out # gtk-update-icon-cache
+
+      gnome3.adwaita-icon-theme
+      hicolor-icon-theme
+      tango-icon-theme
+      xfce4-icon-theme
+
+      desktop-file-utils
+      shared-mime-info # for update-mime-database
+
+      # For a polkit authentication agent
+      polkit_gnome
+
+      # Needed by Xfce's xinitrc script
+      xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
+
+      exo
+      garcon
+      gtk-xfce-engine
+      libxfce4ui
+      xfconf
+
+      mousepad
+      ristretto
+      xfce4-appfinder
+      xfce4-screenshooter
+      xfce4-session
+      xfce4-settings
+      xfce4-terminal
+
+      # TODO: resync patch for plugins
+      #(thunar.override { thunarPlugins = cfg.thunarPlugins; })
+      thunar
+    ] # TODO: NetworkManager doesn't belong here
+      ++ optional config.networking.networkmanager.enable networkmanagerapplet
+      ++ optional config.hardware.pulseaudio.enable xfce4-pulseaudio-plugin
+      ++ optional config.powerManagement.enable xfce4-power-manager
+      ++ optional cfg.enableXfwm xfwm4
+      ++ optionals (!cfg.noDesktop) [
+        xfce4-panel
+        xfce4-notifyd
+        xfdesktop
+      ];
+
+    environment.pathsToLink = [
+      "/share/xfce4"
+      "/lib/xfce4"
+      "/share/gtksourceview-3.0"
+      "/share/gtksourceview-4.0"
+    ];
+
+    # Use the correct gnome3 packageSet
+    networking.networkmanager.basePackages = mkIf config.networking.networkmanager.enable {
+      inherit (pkgs) networkmanager modemmanager wpa_supplicant crda;
+      inherit (pkgs.gnome3) networkmanager-openvpn networkmanager-vpnc
+      networkmanager-openconnect networkmanager-fortisslvpn
+      networkmanager-iodine networkmanager-l2tp;
+    };
+
+    services.xserver.desktopManager.session = [{
+      name = "xfce4-14";
+      bgSupport = true;
+      start = ''
+        # Set GTK_PATH so that GTK+ can find the theme engines.
+        export GTK_PATH="${config.system.path}/lib/gtk-2.0:${config.system.path}/lib/gtk-3.0"
+
+        # Set GTK_DATA_PREFIX so that GTK+ can find the Xfce themes.
+        export GTK_DATA_PREFIX=${config.system.path}
+
+        ${pkgs.runtimeShell} ${pkgs.xfce4-14.xinitrc} &
+        waitPID=$!
+      '';
+    }];
+
+    services.xserver.updateDbusEnvironment = true;
+    services.xserver.gdk-pixbuf.modulePackages = [ pkgs.librsvg ];
+
+    # Enable helpful DBus services.
+    services.udisks2.enable = true;
+    security.polkit.enable = true;
+    services.accounts-daemon.enable = true;
+    services.upower.enable = config.powerManagement.enable;
+    services.gnome3.glib-networking.enable = true;
+    services.gvfs.enable = true;
+    services.gvfs.package = pkgs.xfce.gvfs;
+    services.tumbler.enable = true;
+    services.dbus.packages =
+      optional config.services.printing.enable pkgs.system-config-printer;
+    services.xserver.libinput.enable = mkDefault true; # used in xfce4-settings-manager
+
+    # Enable default programs
+    programs.dconf.enable = true;
+
+    # Shell integration for VTE terminals
+    programs.bash.vteIntegration = mkDefault true;
+    programs.zsh.vteIntegration = mkDefault true;
+
+    # Systemd services
+    systemd.packages = with pkgs.xfce4-14; [
+      thunar
+    ] ++ optional (!cfg.noDesktop) xfce4-notifyd;
+
+  };
+}

nixos/modules/services/x11/display-managers/default.nix

@@ -109,7 +109,7 @@ let
 
       # Allow the user to setup a custom session type.
       if test -x ~/.xsession; then
-          exec ~/.xsession
+          eval exec ~/.xsession "$@"
       fi
 
       if test "$1"; then

nixos/modules/system/boot/systemd.nix

@@ -112,11 +112,13 @@ let
       # Hibernate / suspend.
       "hibernate.target"
       "suspend.target"
+      "suspend-then-hibernate.target"
       "sleep.target"
       "hybrid-sleep.target"
       "systemd-hibernate.service"
       "systemd-hybrid-sleep.service"
       "systemd-suspend.service"
+      "systemd-suspend-then-hibernate.service"
 
       # Reboot stuff.
       "reboot.target"

nixos/modules/virtualisation/containers.nix

@@ -256,6 +256,10 @@ let
     RestartForceExitStatus = "133";
     SuccessExitStatus = "133";
 
+    # Some containers take long to start
+    # especially when you automatically start many at once
+    TimeoutStartSec = cfg.timeoutStartSec;
+
     Restart = "on-failure";
 
     Slice = "machine.slice";
@@ -423,6 +427,7 @@ let
       extraVeths = {};
       additionalCapabilities = [];
       ephemeral = false;
+      timeoutStartSec = "15s";
       allowedDevices = [];
       hostAddress = null;
       hostAddress6 = null;
@@ -595,6 +600,18 @@ in
               '';
             };
 
+		    timeoutStartSec = mkOption {
+		      type = types.str;
+		      default = "1min";
+		      description = ''
+		        Time for the container to start. In case of a timeout,
+		        the container processes get killed.
+		        See <citerefentry><refentrytitle>systemd.time</refentrytitle>
+		        <manvolnum>7</manvolnum></citerefentry>
+		        for more information about the format.
+		       '';
+		    };
+
             bindMounts = mkOption {
               type = with types; loaOf (submodule bindMountOpts);
               default = {};

nixos/release-combined.nix

@@ -136,6 +136,7 @@ in rec {
         (all nixos.tests.switchTest)
         (all nixos.tests.udisks2)
         (all nixos.tests.xfce)
+        (all nixos.tests.xfce4-14)
 
         nixpkgs.tarball
         (all allSupportedNixpkgs.emacs)

nixos/tests/acme.nix

@@ -3,19 +3,49 @@ let
 in import ./make-test.nix {
   name = "acme";
 
-  nodes = {
+  nodes = rec {
     letsencrypt = ./common/letsencrypt;
 
+    acmeStandalone = { config, pkgs, ... }: {
+      imports = [ commonConfig ];
+      networking.firewall.allowedTCPPorts = [ 80 ];
+      networking.extraHosts = ''
+        ${config.networking.primaryIPAddress} standalone.com
+      '';
+      security.acme.certs."standalone.com" = {
+        webroot = "/var/lib/acme/acme-challenges";
+      };
+      systemd.targets."acme-finished-standalone.com" = {};
+      systemd.services."acme-standalone.com" = {
+        wants = [ "acme-finished-standalone.com.target" ];
+        before = [ "acme-finished-standalone.com.target" ];
+      };
+      services.nginx.enable = true;
+      services.nginx.virtualHosts."standalone.com" = {
+        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenges";
+      };
+    };
+
     webserver = { config, pkgs, ... }: {
       imports = [ commonConfig ];
       networking.firewall.allowedTCPPorts = [ 80 443 ];
 
       networking.extraHosts = ''
-        ${config.networking.primaryIPAddress} example.com
+        ${config.networking.primaryIPAddress} a.example.com
+        ${config.networking.primaryIPAddress} b.example.com
       '';
 
+      # A target remains active. Use this to probe the fact that
+      # a service fired eventhough it is not RemainAfterExit
+      systemd.targets."acme-finished-a.example.com" = {};
+      systemd.services."acme-a.example.com" = {
+        wants = [ "acme-finished-a.example.com.target" ];
+        before = [ "acme-finished-a.example.com.target" ];
+      };
+
       services.nginx.enable = true;
-      services.nginx.virtualHosts."example.com" = {
+
+      services.nginx.virtualHosts."a.example.com" = {
         enableACME = true;
         forceSSL = true;
         locations."/".root = pkgs.runCommand "docroot" {} ''
@@ -23,17 +53,63 @@ in import ./make-test.nix {
           echo hello world > "$out/index.html"
         '';
       };
+
+      nesting.clone = [
+        ({pkgs, ...}: {
+
+          networking.extraHosts = ''
+            ${config.networking.primaryIPAddress} b.example.com
+          '';
+          systemd.targets."acme-finished-b.example.com" = {};
+          systemd.services."acme-b.example.com" = {
+            wants = [ "acme-finished-b.example.com.target" ];
+            before = [ "acme-finished-b.example.com.target" ];
+          };
+          services.nginx.virtualHosts."b.example.com" = {
+            enableACME = true;
+            forceSSL = true;
+            locations."/".root = pkgs.runCommand "docroot" {} ''
+              mkdir -p "$out"
+              echo hello world > "$out/index.html"
+            '';
+          };
+        })
+      ];
     };
 
     client = commonConfig;
   };
 
-  testScript = ''
+  testScript = {nodes, ...}: 
-    $letsencrypt->waitForUnit("default.target");
+    let
-    $letsencrypt->waitForUnit("boulder.service");
+      newServerSystem = nodes.webserver2.config.system.build.toplevel;
-    $webserver->waitForUnit("default.target");
+      switchToNewServer = "${newServerSystem}/bin/switch-to-configuration test";
-    $webserver->waitForUnit("acme-certificates.target");
+    in
-    $client->waitForUnit("default.target");
+    # Note, waitForUnit does not work for oneshot services that do not have RemainAfterExit=true,
-    $client->succeed('curl https://example.com/ | grep -qF "hello world"');
+    # this is because a oneshot goes from inactive => activating => inactive, and never
-  '';
+    # reaches the active state. To work around this, we create some mock target units which
+    # get pulled in by the oneshot units. The target units linger after activation, and hence we
+    # can use them to probe that a oneshot fired. It is a bit ugly, but it is the best we can do
+    ''
+      $client->waitForUnit("default.target");
+      $letsencrypt->waitForUnit("default.target");
+      $letsencrypt->waitForUnit("boulder.service");
+
+      subtest "can request certificate with HTTPS-01 challenge", sub {
+        $acmeStandalone->waitForUnit("default.target");
+        $acmeStandalone->succeed("systemctl start acme-standalone.com.service");
+        $acmeStandalone->waitForUnit("acme-finished-standalone.com.target");
+      };
+
+      subtest "Can request certificate for nginx service", sub {
+        $webserver->waitForUnit("acme-finished-a.example.com.target");
+        $client->succeed('curl https://a.example.com/ | grep -qF "hello world"');
+      };
+
+      subtest "Can add another certificate for nginx service", sub {
+        $webserver->succeed("/run/current-system/fine-tune/child-1/bin/switch-to-configuration test");
+        $webserver->waitForUnit("acme-finished-b.example.com.target");
+        $client->succeed('curl https://b.example.com/ | grep -qF "hello world"');
+      };
+    '';
 }

nixos/tests/all-tests.nix

@@ -278,6 +278,7 @@ in
   xautolock = handleTest ./xautolock.nix {};
   xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {};
   xfce = handleTest ./xfce.nix {};
+  xfce4-14 = handleTest ./xfce4-14.nix {};
   xmonad = handleTest ./xmonad.nix {};
   xrdp = handleTest ./xrdp.nix {};
   xss-lock = handleTest ./xss-lock.nix {};

nixos/tests/magnetico.nix

@@ -0,0 +1,28 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "magnetico";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ rnhmjoj ];
+  };
+
+  machine = { ... }: {
+    imports = [ ../modules/profiles/minimal.nix ];
+
+    networking.firewall.allowedTCPPorts = [ 9000 ];
+
+    services.magnetico = {
+      enable = true;
+      crawler.port = 9000;
+      web.credentials.user = "$2y$12$P88ZF6soFthiiAeXnz64aOWDsY3Dw7Yw8fZ6GtiqFNjknD70zDmNe";
+    };
+  };
+
+  testScript =
+    ''
+      startAll;
+      $machine->waitForUnit("magneticod");
+      $machine->waitForUnit("magneticow");
+      $machine->succeed("${pkgs.curl}/bin/curl -u user:password http://localhost:8080");
+      $machine->succeed("${pkgs.curl}/bin/curl -u user:wrongpwd http://localhost:8080") =~ "Unauthorised." or die;
+      $machine->shutdown();
+    '';
+})

nixos/tests/systemd.nix

@@ -71,11 +71,13 @@ import ./make-test.nix ({ pkgs, ... }: {
 
     # Regression test for https://github.com/NixOS/nixpkgs/issues/35268
     subtest "file system with x-initrd.mount is not unmounted", sub {
+      $machine->succeed('mountpoint -q /test-x-initrd-mount');
       $machine->shutdown;
-      $machine->waitForUnit('multi-user.target');
+      system('qemu-img', 'convert', '-O', 'raw',
-      # If the file system was unmounted during the shutdown the file system
+             'vm-state-machine/empty2.qcow2', 'x-initrd-mount.raw');
-      # has a last mount time, because the file system wasn't checked.
+      my $extinfo = `${pkgs.e2fsprogs}/bin/dumpe2fs x-initrd-mount.raw`;
-      $machine->fail('dumpe2fs /dev/vdb | grep -q "^Last mount time: *n/a"');
+      die "File system was not cleanly unmounted: $extinfo"
+        unless $extinfo =~ /^Filesystem state: *clean$/m;
     };
 
     subtest "systemd-shutdown works", sub {

nixos/tests/xfce4-14.nix

@@ -0,0 +1,33 @@
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "xfce4-14";
+
+  machine =
+    { pkgs, ... }:
+
+    { imports = [ ./common/user-account.nix ];
+
+      services.xserver.enable = true;
+
+      services.xserver.displayManager.auto.enable = true;
+      services.xserver.displayManager.auto.user = "alice";
+
+      services.xserver.desktopManager.xfce4-14.enable = true;
+    };
+
+  testScript =
+    ''
+      $machine->waitForX;
+      $machine->waitForFile("/home/alice/.Xauthority");
+      $machine->succeed("xauth merge ~alice/.Xauthority");
+      $machine->waitForWindow(qr/xfce4-panel/);
+      $machine->sleep(10);
+
+      # Check that logging in has given the user ownership of devices.
+      $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
+
+      $machine->succeed("su - alice -c 'DISPLAY=:0.0 xfce4-terminal &'");
+      $machine->waitForWindow(qr/Terminal/);
+      $machine->sleep(10);
+      $machine->screenshot("screen");
+    '';
+})

pkgs/applications/altcoins/default.nix

@@ -1,90 +0,0 @@
-{ callPackage, boost155, boost165, darwin, libsForQt5, libsForQt59, miniupnpc_2, python3, buildGo110Package }:
-
-rec {
-
-  aeon = callPackage ./aeon { };
-
-  bitcoin  = libsForQt5.callPackage ./bitcoin.nix { miniupnpc = miniupnpc_2; withGui = true; };
-  bitcoind = callPackage ./bitcoin.nix { miniupnpc = miniupnpc_2; withGui = false; };
-  clightning = callPackage ./clightning.nix { };
-
-  bitcoin-abc  = libsForQt5.callPackage ./bitcoin-abc.nix { boost = boost165; withGui = true; };
-  bitcoind-abc = callPackage ./bitcoin-abc.nix { boost = boost165; withGui = false; };
-
-  bitcoin-unlimited  = libsForQt5.callPackage ./bitcoin-unlimited.nix {
-    inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
-    withGui = true;
-  };
-  bitcoind-unlimited = callPackage ./bitcoin-unlimited.nix {
-    inherit (darwin.apple_sdk.frameworks) Foundation ApplicationServices AppKit;
-    withGui = false;
-  };
-
-  bitcoin-classic  = libsForQt5.callPackage ./bitcoin-classic.nix { boost = boost165; withGui = true; };
-  bitcoind-classic = callPackage ./bitcoin-classic.nix { boost = boost165; withGui = false; };
-
-  btc1 = callPackage ./btc1.nix {
-    inherit (darwin.apple_sdk.frameworks) AppKit;
-    boost = boost165;
-  };
-  btc1d = btc1.override { withGui = false; };
-
-  cryptop = python3.pkgs.callPackage ./cryptop { };
-
-  dashpay = callPackage ./dashpay.nix { };
-
-  dcrd = callPackage ./dcrd.nix { };
-  dcrwallet = callPackage ./dcrwallet.nix { };
-
-  dero = callPackage ./dero.nix { boost = boost165; };
-
-  dogecoin  = callPackage ./dogecoin.nix { boost = boost165; withGui = true; };
-  dogecoind = callPackage ./dogecoin.nix { boost = boost165; withGui = false; };
-
-
-  freicoin = callPackage ./freicoin.nix { boost = boost155; };
-  go-ethereum = callPackage ./go-ethereum.nix {
-    inherit (darwin) libobjc;
-    inherit (darwin.apple_sdk.frameworks) IOKit;
-  };
-  go-ethereum-classic = callPackage ./go-ethereum-classic {
-    buildGoPackage = buildGo110Package;
-  };
-
-  litecoin  = callPackage ./litecoin.nix {
-    inherit (darwin.apple_sdk.frameworks) AppKit;
-  };
-  litecoind = litecoin.override { withGui = false; };
-
-  lnd = callPackage ./lnd.nix { };
-
-  masari = callPackage ./masari.nix { boost = boost165; };
-
-  mist = callPackage ./mist.nix { };
-
-  namecoin  = callPackage ./namecoin.nix  { withGui = true; };
-  namecoind = callPackage ./namecoin.nix { withGui = false; };
-
-  pivx = libsForQt59.callPackage ./pivx.nix { withGui = true; };
-  pivxd = callPackage ./pivx.nix { withGui = false; };
-
-  ethabi = callPackage ./ethabi.nix { };
-
-  stellar-core = callPackage ./stellar-core.nix { };
-
-  sumokoin = callPackage ./sumokoin.nix { boost = boost165; };
-
-  wownero = callPackage ./wownero.nix {};
-
-  zcash = callPackage ./zcash {
-    withGui = false;
-  };
-
-  parity = callPackage ./parity { };
-  parity-beta = callPackage ./parity/beta.nix { };
-  parity-ui = callPackage ./parity-ui { };
-
-  polkadot = callPackage ./polkadot { };
-
-  particl-core = callPackage ./particl/particl-core.nix { miniupnpc = miniupnpc_2; };
-}

pkgs/applications/audio/pithos/default.nix

@@ -1,33 +1,29 @@
-{ fetchFromGitHub, stdenv, pythonPackages, gtk3, gobject-introspection, libnotify
+{ stdenv, fetchFromGitHub, meson, ninja, pkgconfig, appstream-glib
-, gst_all_1, wrapGAppsHook }:
+, wrapGAppsHook, pythonPackages, gtk3, gnome3, gobject-introspection
+, libnotify, libsecret, gst_all_1 }:
 
 pythonPackages.buildPythonApplication rec {
   pname = "pithos";
-  version = "1.1.2";
+  version = "1.4.1";
 
   src = fetchFromGitHub {
     owner = pname;
     repo  = pname;
     rev = version;
-    sha256 = "0zk9clfawsnwmgjbk7y5d526ksxd1pkh09ln6sb06v4ygaiifcxp";
+    sha256 = "0vaw0rfcdh4bsp9b8la9bs36kw0iwia54y5x060byxhff9av6nj4";
   };
 
-  # No tests in repo
+  format = "other";
-  doCheck = false;
 
   postPatch = ''
-    substituteInPlace setup.py --replace "/usr/share" "$out/share"
+    chmod +x meson_post_install.py
+    patchShebangs meson_post_install.py
   '';
 
-  postInstall = ''
+  nativeBuildInputs = [ meson ninja pkgconfig appstream-glib wrapGAppsHook ];
-    mkdir -p $out/share/applications
-    cp -v data/pithos.desktop $out/share/applications
-  '';
-
-  buildInputs = [ wrapGAppsHook ];
 
   propagatedBuildInputs =
-    [ gtk3 gobject-introspection libnotify ] ++
+    [ gtk3 gobject-introspection libnotify libsecret gnome3.adwaita-icon-theme ] ++
     (with gst_all_1; [ gstreamer gst-plugins-base gst-plugins-good gst-plugins-ugly gst-plugins-bad ]) ++
     (with pythonPackages; [ pygobject3 pylast ]);
 

pkgs/applications/blockchains/monero-gui/default.nix

@@ -1,5 +1,4 @@
-{ stdenv, fetchFromGitHub
+{ mkDerivation, lib, makeDesktopItem, fetchFromGitHub
-, wrapQtAppsHook, makeDesktopItem
 , qtbase, qmake, qtmultimedia, qttools
 , qtgraphicaleffects, qtdeclarative
 , qtlocation, qtquickcontrols, qtquickcontrols2
@@ -9,21 +8,9 @@
 , hidapi
 }:
 
-with stdenv.lib;
+with lib;
 
-let
+mkDerivation rec {
-  qmlPath = qmlLib: "${qmlLib}/${qtbase.qtQmlPrefix}";
-
-  qml2ImportPath = concatMapStringsSep ":" qmlPath [
-    qtbase.bin qtmultimedia.bin qtgraphicaleffects
-    qtdeclarative.bin qtlocation.bin
-    qtquickcontrols qtquickcontrols2.bin
-    qtwebchannel.bin qtwebengine.bin qtxmlpatterns
-  ];
-
-in
-
-stdenv.mkDerivation rec {
   pname = "monero-gui";
   version = "0.14.1.2";
 
@@ -34,7 +21,7 @@ stdenv.mkDerivation rec {
     sha256 = "1rm043r6y2mzy8pclnzbjjfxgps8pkfa2b92p66k8y8rdmgq6m1k";
   };
 
-  nativeBuildInputs = [ qmake pkgconfig wrapQtAppsHook ];
+  nativeBuildInputs = [ qmake pkgconfig ];
 
   buildInputs = [
     qtbase qtmultimedia qtgraphicaleffects
@@ -46,9 +33,7 @@ stdenv.mkDerivation rec {
     cppzmq hidapi
   ];
 
-  patches = [
+  patches = [ ./move-log-file.patch ];
-    ./move-log-file.patch
-  ];
 
   postPatch = ''
     echo '

pkgs/applications/editors/android-studio/default.nix

@@ -14,9 +14,9 @@ let
   };
   betaVersion = stableVersion;
   latestVersion = { # canary & dev
-    version = "3.6.0.7"; # "Android Studio 3.6 Canary 7"
+    version = "3.6.0.9"; # "Android Studio 3.6 Canary 9"
-    build = "192.5807797";
+    build = "192.5830636";
-    sha256Hash = "1l47miiyd8z7v0hbvda06953pp9ilyrsma83gxqx35ghnc0n7g81";
+    sha256Hash = "0c9zmxf2scsf9pygcbabzngl7cdyjgpir5pggjaj535ni0nsrr7p";
   };
 in {
   # Attributes are named by their corresponding release channels

pkgs/applications/editors/emacs-modes/auto-complete/default.nix

@@ -1,30 +0,0 @@
-{ stdenv, fetchurl, emacs }:
-
-stdenv.mkDerivation rec {
-  name = "auto-complete-1.3.1";
-
-  src = fetchurl {
-    url = "http://cx4a.org/pub/auto-complete/${name}.tar.bz2";
-    sha256 = "124qxfp0pcphwlmrasbfrci48brxnrzc38h4wcf2sn20x1mvcrlj";
-  };
-
-  buildInputs = [ emacs ];
-
-  preInstall = ''
-    install -d $out/share/emacs/site-lisp
-  '';
-
-  installFlags = "DIR=$(out)/share/emacs/site-lisp";
-
-  postInstall = ''
-    ln -s javascript-mode $out/share/emacs/site-lisp/ac-dict/js2-mode
-  '';
-
-  meta = {
-    description = "Auto-complete extension for Emacs";
-    homepage = http://cx4a.org/software/auto-complete/;
-    license = stdenv.lib.licenses.gpl3Plus;
-
-    platforms = stdenv.lib.platforms.all;
-  };
-}

pkgs/applications/editors/emacs-modes/bbdb/3.nix

@@ -1,25 +0,0 @@
-{ stdenv, fetchurl, emacs }:
-
-stdenv.mkDerivation rec {
-  name = "bbdb-3.1.2";
-
-  src = fetchurl {
-    url = "https://download.savannah.gnu.org/releases/bbdb/${name}.tar.gz";
-    sha256 = "1gs16bbpiiy01w9pyg12868r57kx1v3hnw04gmqsmpc40l1hyy05";
-  };
-
-  buildInputs = [ emacs ];
-
-  # Hack to disable documentation as there is no way to tell bbdb to
-  # NOT build pdfs. I really don't want to pull in TexLive here...
-  preConfigure = ''
-   substituteInPlace ./Makefile.in \
-     --replace "SUBDIRS = lisp doc tex" "SUBDIRS = lisp"
-  '';
-
-  meta = {
-    homepage = https://savannah.nongnu.org/projects/bbdb/;
-    description = "The Insidious Big Brother Database (BBDB), a contact management utility for Emacs, version 3";
-    license = "GPL";
-  };
-}