Merge branch 'master' of github.com:NixOS/nixpkgs

2017-04-07 20:44:40 +02:00 · 2017-04-07 20:44:40 +02:00 · be6e9dce32
commit be6e9dce32
parent d486006e06 a5ee494046
1262 changed files with 36462 additions and 20613 deletions
--- a/.mention-bot
+++ b/.mention-bot
@ -2,7 +2,8 @@
  "userBlacklist": [
    "civodul",
    "jhasse",
-    "shlevy"
+    "shlevy",
    "bbenoist"
  ],
  "alwaysNotifyForPaths": [
    { "name": "FRidh", "files": ["pkgs/top-level/python-packages.nix", "pkgs/development/interpreters/python/*", "pkgs/development/python-modules/*" ] },
--- a/.travis.yml
+++ b/.travis.yml
@ -1,8 +1,14 @@
 language: nix
 sudo: true
 # 'sudo: false' == containers that start fast, but only get 4G ram;
 # 'sudo: true'  == VMs that start slow, but with 8G
 # ..as per:  https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
 # Nixpkgs PR tests OOM with 4G: https://github.com/NixOS/nixpkgs/issues/24200
 matrix:
    include:
        - os: linux
-          sudo: false
+          sudo: required
          script:
              - ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball nixpkgs-unstable
              - ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
--- a/README.md
+++ b/README.md
@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 ```
 % git remote update channels
-% git rebase channels/nixos-16.09
+% git rebase channels/nixos-17.03
 ```
 For pull-requests, please rebase onto nixpkgs `master`.
@ -32,9 +32,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
+* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
+* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
 Communication:
--- a/default.nix
+++ b/default.nix
@ -2,7 +2,17 @@ let requiredVersion = import ./lib/minver.nix; in
 if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.nixVersion == 1 then
-  abort "This version of Nixpkgs requires Nix >= ${requiredVersion}, please upgrade! See https://nixos.org/wiki/How_to_update_when_Nix_is_too_old_to_evaluate_Nixpkgs"
+  abort ''
    This version of Nixpkgs requires Nix >= ${requiredVersion}, please upgrade:
    - If you are running NixOS, use `nixos-rebuild' to upgrade your system.
    - If you installed Nix using the install script (https://nixos.org/nix/install),
      it is safe to upgrade by running it again:
          curl https://nixos.org/nix/install | sh
  ''
 else
--- a/doc/default.nix
+++ b/doc/default.nix
@ -68,6 +68,10 @@ pkgs.stdenv.mkDerivation {
      inputFile = ../pkgs/development/r-modules/README.md;
      outputFile = "languages-frameworks/r.xml";
    }
  + toDocbook {
      inputFile = ./languages-frameworks/rust.md;
      outputFile = "./languages-frameworks/rust.xml";
    }
  + toDocbook {
      inputFile = ./languages-frameworks/vim.md;
      outputFile = "./languages-frameworks/vim.xml";
--- a/doc/functions.xml
+++ b/doc/functions.xml
@ -529,7 +529,7 @@
  <note>
  <para>
  If you see errors similar to <literal>getProtocolByName: does not exist (no such protocol name: tcp)</literal>
-  you may need to add <literal>pkgs.iana_etc</literal> to <varname>contents</varname>.
+  you may need to add <literal>pkgs.iana-etc</literal> to <varname>contents</varname>.
  </para>
  </note>
--- a/doc/languages-frameworks/index.xml
+++ b/doc/languages-frameworks/index.xml
@ -27,6 +27,7 @@ such as Perl or Haskell.  These are described in this chapter.</para>
 <xi:include href="qt.xml" />
 <xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md  -->
 <xi:include href="ruby.xml" />
 <xi:include href="rust.xml" />
 <xi:include href="texlive.xml" />
 <xi:include href="vim.xml" />
--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@ -3,7 +3,7 @@
 ## User Guide
 Several versions of Python are available on Nix as well as a high amount of
-packages. The default interpreter is CPython 3.5.
+packages. The default interpreter is CPython 2.7.
 ### Using Python
@ -131,7 +131,7 @@ specify some (optional) [meta information](http://nixos.org/nixpkgs/manual/#chap
 The output of the function is a derivation, which is an attribute with the name
 `toolz` of the set `pythonPackages`. Actually, sets are created for all interpreter versions,
-so `python27Packages`, `python34Packages`, `python35Packages` and `pypyPackages`.
+so e.g. `python27Packages`, `python35Packages` and `pypyPackages`.
 The above example works when you're directly working on
 `pkgs/top-level/python-packages.nix` in the Nixpkgs repository. Often though,
@ -422,8 +422,8 @@ and in this case the `python35` interpreter is automatically used.
 ### Interpreters
-Versions 2.6, 2.7, 3.3, 3.4 and 3.5 of the CPython interpreter are available as respectively
+Versions 2.7, 3.3, 3.4, 3.5 and 3.6 of the CPython interpreter are available as
-`python26`, `python27`, `python33`, `python34` and `python35`. The PyPy interpreter
+respectively `python27`, `python33`, `python34`, `python35` and `python36`. The PyPy interpreter
 is available as `pypy`. The aliases `python2` and `python3` correspond to respectively `python27` and
 `python35`. The default interpreter, `python`, maps to `python2`.
 The Nix expressions for the interpreters can be found in
@ -472,6 +472,7 @@ sets are
 * `pkgs.python33Packages`
 * `pkgs.python34Packages`
 * `pkgs.python35Packages`
 * `pkgs.python36Packages`
 * `pkgs.pypyPackages`
 and the aliases
@ -674,8 +675,8 @@ deterministic bytecode. This has security implications and is relevant for
 those using Python in a `nix-shell`.
 When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1.
-The `buildPythonPackage` function sets `DETERMINISTIC_BUILD` as well as
+The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
-[PYTHONHASHSEED](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
+[PYTHONHASHSEED=0](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
 Both are also exported in `nix-shell`.
@ -897,6 +898,27 @@ is executed it will attempt to download the python modules listed in
 requirements.txt. However these will be cached locally within the `virtualenv`
 folder and not downloaded again.
 ### How to override a Python package from `configuration.nix`?
 If you need to change a package's attribute(s) from `configuration.nix` you could do:
 ```nix
  nixpkgs.config.packageOverrides = superP: {
    pythonPackages = superP.pythonPackages.override {
      overrides = self: super: {
        bepasty-server = super.bepasty-server.overrideAttrs ( oldAttrs: {
          src = pkgs.fetchgit {
            url = "https://github.com/bepasty/bepasty-server";
            sha256 = "9ziqshmsf0rjvdhhca55sm0x8jz76fsf2q4rwh4m6lpcf8wr0nps";
            rev = "e2516e8cf4f2afb5185337073607eb9e84a61d2d";
          };
        });
      };
    };
  };
 ```
 If you are using the `bepasty-server` package somewhere, for example in `systemPackages` or indirectly from `services.bepasty`, then a `nixos-rebuild switch` will rebuild the system but with the `bepasty-server` package using a different `src` attribute. This way one can modify `python` based software/libraries easily. Using `self` and `super` one can also alter dependencies (`buildInputs`) between the old state (`self`) and new state (`super`). 
 ## Contributing
--- a/doc/languages-frameworks/rust.md
+++ b/doc/languages-frameworks/rust.md
@ -0,0 +1,91 @@
 ---
 title: Rust
 author: Matthias Beyer
 date: 2017-03-05
 ---
 # User's Guide to the Rust Infrastructure
 To install the rust compiler and cargo put
 ```
 rustStable.rustc
 rustStable.cargo
 ```
 into the `environment.systemPackages` or bring them into scope with
 `nix-shell -p rustStable.rustc -p rustStable.cargo`.
 There are also `rustBeta` and `rustNightly` package sets available.
 These are not updated very regulary. For daily builds see
 [Using the Rust nightlies overlay](#using-the-rust-nightlies-overlay)
 ## Packaging Rust applications
 Rust applications are packaged by using the `buildRustPackage` helper from `rustPlatform`:
 ```
 with rustPlatform;
 buildRustPackage rec {
  name = "ripgrep-${version}";
  version = "0.4.0";
  src = fetchFromGitHub {
    owner = "BurntSushi";
    repo = "ripgrep";
    rev = "${version}";
    sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj";
  };
  depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
  meta = with stdenv.lib; {
    description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep";
    homepage = https://github.com/BurntSushi/ripgrep;
    license = with licenses; [ unlicense ];
    maintainers = [ maintainers.tailhook ];
    platforms = platforms.all;
  };
 }
 ```
 `buildRustPackage` requires a `depsSha256` attribute which is computed over
 all crate sources of this package. Currently it is obtained by inserting a
 fake checksum into the expression and building the package once. The correct
 checksum can be then take from the failed build.
 To install crates with nix there is also an experimental project called
 [nixcrates](https://github.com/fractalide/nixcrates).
 ## Using the Rust nightlies overlay
 Mozilla provides an overlay for nixpkgs to bring a nightly version of Rust into scope.
 This overlay can _also_ be used to install recent unstable or stable versions
 of Rust, if desired.
 To use this overlay, clone
 [nixpkgs-mozilla](https://github.com/mozilla/nixpkgs-mozilla),
 and create a symbolic link to the file
 [rust-overlay.nix](https://github.com/mozilla/nixpkgs-mozilla/blob/master/rust-overlay.nix)
 in the `~/.config/nixpkgs/overlays` directory.
    $ git clone https://github.com/mozilla/nixpkgs-mozilla.git
    $ mkdir -p ~/.config/nixpkgs/overlays
    $ ln -s $(pwd)/nixpkgs-mozilla/rust-overlay.nix ~/.config/nixpkgs/overlays/rust-overlay.nix
 The latest version can be installed with the following command:
    $ nix-env -Ai nixos.rustChannels.stable.rust
 Or using the attribute with nix-shell:
    $ nix-shell -p nixos.rustChannels.stable.rust
 To install the beta or nightly channel, "stable" should be substituted by
 "nightly" or "beta", or
 use the function provided by this overlay to pull a version based on a
 build date.
 The overlay automatically updates itself as it uses the same source as
 [rustup](https://www.rustup.rs/).
--- a/doc/overlays.xml
+++ b/doc/overlays.xml
@ -34,7 +34,7 @@ first one present is considered, and all the rest are ignored:
  <listitem>
-    <para>In the directory <filename>~/.nixpkgs/overlays/</filename>.</para>
+    <para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
  </listitem>
 </orderedlist>
@ -50,7 +50,7 @@ the same recipe. In the case where overlays are loaded from a directory, they ar
 alphabetical order.</para>
 <para>To install an overlay using the last option, you can clone the overlay's repository and add
-a symbolic link to it in <filename>~/.nixpkgs/overlays/</filename> directory.</para>
+a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
 </section>
--- a/lib/attrsets.nix
+++ b/lib/attrsets.nix
@ -1,12 +1,12 @@
 # Operations on attribute sets.
-with {
+let
  inherit (builtins) head tail length;
  inherit (import ./trivial.nix) or;
  inherit (import ./default.nix) fold;
  inherit (import ./strings.nix) concatStringsSep;
  inherit (import ./lists.nix) concatMap concatLists all deepSeqList;
-};
+in
 rec {
  inherit (builtins) attrNames listToAttrs hasAttr isAttrs getAttr;
--- a/lib/lists.nix
+++ b/lib/lists.nix
@ -16,17 +16,22 @@ rec {
  */
  singleton = x: [x];
-  /* "Fold" a binary function `op' between successive elements of
+  /* “right fold” a binary function `op' between successive elements of
-     `list' with `nul' as the starting value, i.e., `fold op nul [x_1
+     `list' with `nul' as the starting value, i.e.,
-     x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))'.  (This is
+     `foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))'.
-     Haskell's foldr).
+     Type:
       foldr :: (a -> b -> b) -> b -> [a] -> b
     Example:
-       concat = fold (a: b: a + b) "z"
+       concat = foldr (a: b: a + b) "z"
       concat [ "a" "b" "c" ]
       => "abcz"
       # different types
       strange = foldr (int: str: toString (int + 1) + str) "a"
       strange [ 1 2 3 4 ]
       => "2345a"
  */
-  fold = op: nul: list:
+  foldr = op: nul: list:
    let
      len = length list;
      fold' = n:
@ -35,13 +40,25 @@ rec {
        else op (elemAt list n) (fold' (n + 1));
    in fold' 0;
-  /* Left fold: `fold op nul [x_1 x_2 ... x_n] == op (... (op (op nul
+  /* `fold' is an alias of `foldr' for historic reasons */
-     x_1) x_2) ... x_n)'.
+  # FIXME(Profpatsch): deprecate?
  fold = foldr;
  /* “left fold”, like `foldr', but from the left:
     `foldl op nul [x_1 x_2 ... x_n] == op (... (op (op nul x_1) x_2) ... x_n)`.
     Type:
       foldl :: (b -> a -> b) -> b -> [a] -> b
     Example:
       lconcat = foldl (a: b: a + b) "z"
       lconcat [ "a" "b" "c" ]
       => "zabc"
       # different types
       lstrange = foldl (str: int: str + toString (int + 1)) ""
       strange [ 1 2 3 4 ]
       => "a2345"
  */
  foldl = op: nul: list:
    let
@ -52,7 +69,7 @@ rec {
        else op (foldl' (n - 1)) (elemAt list n);
    in foldl' (length list - 1);
-  /* Strict version of foldl.
+  /* Strict version of `foldl'.
     The difference is that evaluation is forced upon access. Usually used
     with small whole results (in contract with lazily-generated list or large
@ -140,7 +157,7 @@ rec {
       any isString [ 1 { } ]
       => false
  */
-  any = builtins.any or (pred: fold (x: y: if pred x then true else y) false);
+  any = builtins.any or (pred: foldr (x: y: if pred x then true else y) false);
  /* Return true iff function `pred' returns true for all elements of
     `list'.
@ -151,7 +168,7 @@ rec {
       all (x: x < 3) [ 1 2 3 ]
       => false
  */
-  all = builtins.all or (pred: fold (x: y: if pred x then y else false) true);
+  all = builtins.all or (pred: foldr (x: y: if pred x then y else false) true);
  /* Count how many times function `pred' returns true for the elements
     of `list'.
@ -219,7 +236,7 @@ rec {
       => { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }
  */
  partition = builtins.partition or (pred:
-    fold (h: t:
+    foldr (h: t:
      if pred h
      then { right = [h] ++ t.right; wrong = t.wrong; }
      else { right = t.right; wrong = [h] ++ t.wrong; }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -14,6 +14,7 @@
  aboseley = "Adam Boseley <adam.boseley@gmail.com>";
  abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
  acowley = "Anthony Cowley <acowley@gmail.com>";
  adelbertc = "Adelbert Chang <adelbertc@gmail.com>";
  adev = "Adrien Devresse <adev@adev.name>";
  Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
  adnelson = "Allen Nelson <ithinkican@gmail.com>";
@ -24,6 +25,7 @@
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
  afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>";
  aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
  ahmedtd = "Taahir Ahmed <ahmed.taahir@gmail.com>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
  akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
  akc = "Anders Claesson <akc@akc.is>";
@ -59,7 +61,6 @@
  badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
  balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
  Baughn = "Svein Ove Aas <sveina@gmail.com>";
  bbenoist = "Baptist BENOIST <return_0@live.com>";
  bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
  bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
  bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
@ -82,6 +83,7 @@
  bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
  c0dehero = "CodeHero <codehero@nerdpol.ch>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  calvertvl = "Victor Calvert <calvertvl@gmail.com>";
  campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
  canndrew = "Andrew Cann <shum@canndrew.org>";
  carlsverre = "Carl Sverre <accounts@carlsverre.com>";
@ -134,6 +136,7 @@
  dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
  dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
  dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
  DmitryTsygankov = "Dmitry Tsygankov <dmitry.tsygankov@gmail.com>";
  dmjio = "David Johnson <djohnson.m@gmail.com>";
  dochang = "Desmond O. Chang <dochang@gmail.com>";
  domenkozar = "Domen Kozar <domen@dev.si>";
@ -141,6 +144,7 @@
  dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
  drets = "Dmytro Rets <dmitryrets@gmail.com>";
  drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
  dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
  dtzWill = "Will Dietz <nix@wdtz.org>";
  e-user = "Alexander Kahl <nixos@sodosopa.io>";
  ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
@ -180,6 +184,7 @@
  ftrvxmtrx = "Siarhei Zirukin <ftrvxmtrx@gmail.com>";
  funfunctor = "Edward O'Callaghan <eocallaghan@alterapraxis.com>";
  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
  fuzzy-id = "Thomas Bach <hacking+nixos@babibo.de>";
  fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
  gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
  garbas = "Rok Garbas <rok@garbas.si>";
@ -215,6 +220,7 @@
  ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
  j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
  jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
  jansol = "Jan Solanti <jan.solanti@paivola.fi>";
  javaguirre = "Javier Aguirre <contacto@javaguirre.net>";
  jb55 = "William Casarin <bill@casarin.me>";
  jbedo = "Justin Bedő <cu@cua0.org>";
@ -237,6 +243,7 @@
  jonafato = "Jon Banafato <jon@jonafato.com>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
  jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
  jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
  juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
  jwiegley = "John Wiegley <johnw@newartisans.com>";
@ -314,6 +321,7 @@
  michalrus = "Michal Rus <m@michalrus.com>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  mikefaille = "Michaël Faille <michael@faille.io>";
  miltador = "Vasiliy Solovey <miltador@yandex.ua>";
  mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
  mingchuan = "Ming Chuan <ming@culpring.com>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
@ -344,6 +352,7 @@
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
  ndowens = "Nathan Owens <ndowens04@gmail.com>";
  neeasade = "Nathan Isom <nathanisom27@gmail.com>";
  nequissimus = "Tim Steinbach <tim@nequissimus.com>";
  nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
  nhooyr = "Anmol Sethi <anmol@aubble.com>";
@ -378,6 +387,7 @@
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
  patternspandemic = "Brad Christensen <patternspandemic@live.com>";
  pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
  pbogdan = "Piotr Bogdan <ppbogdan@gmail.com>";
  periklis = "theopompos@gmail.com";
  pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
  peterhoeg = "Peter Hoeg <peter@hoeg.com>";
@ -394,6 +404,7 @@
  pjones = "Peter Jones <pjones@devalot.com>";
  pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
  plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
  plumps = "Maksim Bronsky <maks.bronsky@web.de";
  pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  polyrod = "Maurizio Di Pietro <dc1mdp@gmail.com>";
@ -455,6 +466,8 @@
  scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
  sepi = "Raffael Mancini <raffael@mancini.lu>";
  seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
  shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
  shawndellysse = "Shawn Dellysse <sdellysse@gmail.com>";
  sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
  sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
  shell = "Shell Turner <cam.turn@gmail.com>";
@ -488,6 +501,7 @@
  tailhook = "Paul Colomiets <paul@colomiets.name>";
  takikawa = "Asumu Takikawa <asumu@igalia.com>";
  taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
  taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
  tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
  teh = "Tom Hunger <tehunger@gmail.com>";
  telotortium = "Robert Irelan <rirelan@gmail.com>";
@ -510,7 +524,8 @@
  tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
  twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
  uralbash = "Svintsov Dmitry <root@uralbash.ru>";
-  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
+  utdemir = "Utku Demir <me@utdemir.com>";
  #urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
  uwap = "uwap <me@uwap.name>";
  vandenoever = "Jos van den Oever <jos@vandenoever.info>";
  vanzef = "Ivan Solyankin <vanzef@gmail.com>";
@ -540,6 +555,7 @@
  wscott = "Wayne Scott <wsc9tt@gmail.com>";
  wyvie = "Elijah Rum <elijahrum@gmail.com>";
  xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
  xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
  xwvvvvwx = "David Terry <davidterry@posteo.de>";
  yarr = "Dmitry V. <savraz@gmail.com>";
  yochai = "Yochai <yochai@titat.info>";
--- a/lib/strings.nix
+++ b/lib/strings.nix
@ -476,10 +476,8 @@ rec {
  readPathsFromFile = rootPath: file:
    let
      root = toString rootPath;
-      lines =
+      lines = lib.splitString "\n" (builtins.readFile file);
-        builtins.map (lib.removeSuffix "\n")
+      removeComments = lib.filter (line: line != "" && !(lib.hasPrefix "#" line));
        (lib.splitString "\n" (builtins.readFile file));
      removeComments = lib.filter (line: !(lib.hasPrefix "#" line));
      relativePaths = removeComments lines;
      absolutePaths = builtins.map (path: builtins.toPath (root + "/" + path)) relativePaths;
    in
--- a/lib/tests.nix
+++ b/lib/tests.nix
@ -1,3 +1,6 @@
 # to run these tests:
 # nix-instantiate --eval --strict nixpkgs/lib/tests.nix
 # if the resulting list is empty, all tests passed
 let inherit (builtins) add; in
 with import ./default.nix;
@ -45,10 +48,34 @@ runTests {
    expected = ["b" "c"];
  };
-  testFold = {
+  testFold =
-    expr = fold (builtins.add) 0 (range 0 100);
+    let
-    expected = 5050;
+      f = op: fold: fold op 0 (range 0 100);
-  };
+      # fold with associative operator
      assoc = f builtins.add;
      # fold with non-associative operator
      nonAssoc = f builtins.sub;
    in {
      expr = {
        assocRight = assoc foldr;
        # right fold with assoc operator is same as left fold
        assocRightIsLeft = assoc foldr == assoc foldl;
        nonAssocRight = nonAssoc foldr;
        nonAssocLeft = nonAssoc foldl;
        # with non-assoc operator the fold results are not the same
        nonAssocRightIsNotLeft = nonAssoc foldl != nonAssoc foldr;
        # fold is an alias for foldr
        foldIsRight = nonAssoc fold == nonAssoc foldr;
      };
      expected = {
        assocRight = 5050;
        assocRightIsLeft = true;
        nonAssocRight = 50;
        nonAssocLeft = (-5050);
        nonAssocRightIsNotLeft = true;
        foldIsRight = true;
      };
    };
  testTake = testAllTrue [
    ([] == (take 0 [  1 2 3 ]))
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@ -1,17 +1,44 @@
 rec {
-  # Identity function.
+  /* The identity function
     For when you need a function that does “nothing”.
     Type: id :: a -> a
  */
  id = x: x;
-  # Constant function.
+  /* The constant function
     Ignores the second argument.
     Or: Construct a function that always returns a static value.
     Type: const :: a -> b -> a
     Example:
       let f = const 5; in f 10
       => 5
  */
  const = x: y: x;
-  # Named versions corresponding to some builtin operators.
+
  ## Named versions corresponding to some builtin operators.
  /* Concat two strings */
  concat = x: y: x ++ y;
  /* boolean “or” */
  or = x: y: x || y;
  /* boolean “and” */
  and = x: y: x && y;
  /* Merge two attribute sets shallowly, right side trumps left
     Example:
       mergeAttrs { a = 1; b = 2; } // { b = 3; c = 4; }
       => { a = 1; b = 3; c = 4; }
  */
  mergeAttrs = x: y: x // y;
  # Compute the fixed point of the given function `f`, which is usually an
  # attribute set that expects its final, non-recursive representation as an
  # argument:
--- a/lib/types.nix
+++ b/lib/types.nix
@ -6,7 +6,7 @@ with import ./attrsets.nix;
 with import ./options.nix;
 with import ./trivial.nix;
 with import ./strings.nix;
-with {inherit (import ./modules.nix) mergeDefinitions filterOverrides; };
+let inherit (import ./modules.nix) mergeDefinitions filterOverrides; in
 rec {
--- a/maintainers/scripts/hydra-eval-failures.py
+++ b/maintainers/scripts/hydra-eval-failures.py
@ -48,8 +48,8 @@ def get_maintainers(attr_name):
@click.command()
@click.option(
    '--jobset',
-    default="nixos/release-16.09",
+    default="nixos/release-17.03",
-    help='Hydra project like nixos/release-16.09')
+    help='Hydra project like nixos/release-17.03')
 def cli(jobset):
    """
    Given a Hydra project, inspect latest evaluation
--- a/maintainers/scripts/nix-diff.sh
+++ b/maintainers/scripts/nix-diff.sh
@ -0,0 +1,277 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash -p coreutils gnugrep gnused
 ################################################################################
 # nix-diff.sh                                                                  #
 ################################################################################
 # This script "diffs" Nix profile generations.                                 #
 #                                                                              #
 # Example:                                                                     #
 ################################################################################
 # > nix-diff.sh 90 92                                                          #
 # + gnumake-4.2.1                                                              #
 # + gnumake-4.2.1-doc                                                          #
 # - htmldoc-1.8.29                                                             #
 ################################################################################
 # The example shows that as of generation 92 and since generation 90,          #
 # gnumake-4.2.1 and gnumake-4.2.1-doc have been installed, while               #
 # htmldoc-1.8.29 has been removed.                                             #
 #                                                                              #
 # The example above shows the default, minimal output mode of this script.     #
 # For more features, run `nix-diff.sh -h` for usage instructions.              #
 ################################################################################
 usage() {
    cat <<EOF
 usage: nix-diff.sh [-h | [-p profile | -s] [-q] [-l] [range]]
 -h:         print this message before exiting
 -q:         list the derivations installed in the parent generation
 -l:         diff every available intermediate generation between parent and
            child
 -p profile: specify the Nix profile to use
            * defaults to ~/.nix-profile
 -s:         use the system profile
            * equivalent to: -p /nix/var/nix/profiles/system
 profile:    * should be something like /nix/var/nix/profiles/default, not a
              generation link like /nix/var/nix/profiles/default-2-link
 range:      the range of generations to diff
            * the following patterns are allowed, where A, B, and N are positive
              integers, and G is the currently active generation:
                A..B => diffs from generation A to generation B
                ~N   => diffs from the Nth newest generation (older than G) to G
                A    => diffs from generation A to G
            * defaults to ~1
 EOF
 }
 usage_tip() {
    echo 'run `nix-diff.sh -h` for usage instructions' >&2
    exit 1
 }
 while getopts :hqlp:s opt; do
    case $opt in
        h)
            usage
            exit
            ;;
        q)
            opt_query=1
            ;;
        l)
            opt_log=1
            ;;
        p)
            opt_profile=$OPTARG
            ;;
        s)
            opt_profile=/nix/var/nix/profiles/system
            ;;
        \?)
            echo "error: invalid option -$OPTARG" >&2
            usage_tip
            ;;
    esac
 done
 shift $((OPTIND-1))
 if [ -n "$opt_profile" ]; then
    if ! [ -L "$opt_profile" ]; then
        echo "error: expecting \`$opt_profile\` to be a symbolic link" >&2
        usage_tip
    fi
 else
    opt_profile=$(readlink ~/.nix-profile)
    if (( $? != 0 )); then
        echo 'error: unable to dereference `~/.nix-profile`' >&2
        echo 'specify the profile manually with the `-p` flag' >&2
        usage_tip
    fi
 fi
 list_gens() {
    nix-env -p "$opt_profile" --list-generations \
        | sed -r 's:^\s*::' \
        | cut -d' ' -f1
 }
 current_gen() {
    nix-env -p "$opt_profile" --list-generations \
        | grep -E '\(current\)\s*$' \
        | sed -r 's:^\s*::' \
        | cut -d' ' -f1
 }
 neg_gen() {
    local i=0 from=$1 n=$2 tmp
    for gen in $(list_gens | sort -rn); do
        if ((gen < from)); then
            tmp=$gen
            ((i++))
            ((i == n)) && break
        fi
    done
    if ((i < n)); then
        echo -n "error: there aren't $n generation(s) older than" >&2
        echo " generation $from" >&2
        return 1
    fi
    echo $tmp
 }
 match() {
    argv=("$@")
    for i in $(seq $(($#-1))); do
        if grep -E "^${argv[$i]}\$" <(echo "$1") >/dev/null; then
            echo $i
            return
        fi
    done
    echo 0
 }
 case $(match "$1" '' '[0-9]+' '[0-9]+\.\.[0-9]+' '~[0-9]+') in
    1)
        diffTo=$(current_gen)
        diffFrom=$(neg_gen $diffTo 1)
        (($? == 1)) && usage_tip
        ;;
    2)
        diffFrom=$1
        diffTo=$(current_gen)
        ;;
    3)
        diffFrom=${1%%.*}
        diffTo=${1##*.}
        ;;
    4)
        diffTo=$(current_gen)
        diffFrom=$(neg_gen $diffTo ${1#*~})
        (($? == 1)) && usage_tip
        ;;
    0)
        echo 'error: invalid invocation' >&2
        usage_tip
        ;;
 esac
 dirA="${opt_profile}-${diffFrom}-link"
 dirB="${opt_profile}-${diffTo}-link"
 declare -a temp_files
 temp_length() {
    echo -n ${#temp_files[@]}
 }
 temp_make() {
    temp_files[$(temp_length)]=$(mktemp)
 }
 temp_clean() {
    rm -f ${temp_files[@]}
 }
 temp_name() {
    echo -n "${temp_files[$(($(temp_length)-1))]}"
 }
 trap 'temp_clean' EXIT
 temp_make
 versA=$(temp_name)
 refs=$(nix-store -q --references "$dirA")
 (( $? != 0 )) && exit 1
 echo "$refs" \
    | grep -v env-manifest.nix \
    | sort \
          > "$versA"
 print_tag() {
    local gen=$1
    nix-env -p "$opt_profile" --list-generations \
        | grep -E "^\s*${gen}" \
        | sed -r 's:^\s*::' \
        | sed -r 's:\s*$::'
 }
 if [ -n "$opt_query" ]; then
    print_tag $diffFrom
    cat "$versA" \
        | sed -r 's:^[^-]+-(.*)$:    \1:'
    print_line=1
 fi
 if [ -n "$opt_log" ]; then
    gens=$(for gen in $(list_gens); do
               ((diffFrom < gen && gen < diffTo)) && echo $gen
           done)
    # Force the $diffTo generation to be included in this list, instead of using
    # `gen <= diffTo` in the preceding loop, so we encounter an error upon the
    # event of its nonexistence.
    gens=$(echo "$gens"
           echo $diffTo)
 else
    gens=$diffTo
 fi
 temp_make
 add=$(temp_name)
 temp_make
 rem=$(temp_name)
 temp_make
 out=$(temp_name)
 for gen in $gens; do
    [ -n "$print_line" ] && echo
    temp_make
    versB=$(temp_name)
    dirB="${opt_profile}-${gen}-link"
    refs=$(nix-store -q --references "$dirB")
    (( $? != 0 )) && exit 1
    echo "$refs" \
        | grep -v env-manifest.nix \
        | sort \
              > "$versB"
    in=$(comm -3 -1 "$versA" "$versB")
    sed -r 's:^[^-]*-(.*)$:\1+:' <(echo "$in") \
        | sort -f \
               > "$add"
    un=$(comm -3 -2 "$versA" "$versB")
    sed -r 's:^[^-]*-(.*)$:\1-:' <(echo "$un") \
        | sort -f \
               > "$rem"
    cat "$rem" "$add" \
        | sort -f \
        | sed -r 's:(.*)-$:- \1:' \
        | sed -r 's:(.*)\+$:\+ \1:' \
        | grep -v '^$' \
              > "$out"
    if [ -n "$opt_query" -o -n "$opt_log" ]; then
        lines=$(wc -l "$out" | cut -d' ' -f1)
        tag=$(print_tag "$gen")
        (( $? != 0 )) && exit 1
        if [ $lines -eq 0 ]; then
            echo "$tag   (no change)"
        else
            echo "$tag"
        fi
        cat "$out" \
            | sed 's:^:    :'
        print_line=1
    else
        echo "diffing from generation $diffFrom to $diffTo"
        cat "$out"
    fi
    versA=$versB
 done
 exit 0
--- a/nixos/doc/manual/development/sources.xml
+++ b/nixos/doc/manual/development/sources.xml
@ -8,7 +8,7 @@
 <para>By default, NixOS’s <command>nixos-rebuild</command> command
 uses the NixOS and Nixpkgs sources provided by the
-<literal>nixos-unstable</literal> channel (kept in
+<literal>nixos</literal> channel (kept in
 <filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>).
 To modify NixOS, however, you should check out the latest sources from
 Git.  This is as follows:
@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
 <literal>channels</literal> refers to a read-only repository that
 tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
 for more information about channels). Thus, the Git branch
-<literal>channels/nixos-14.12</literal> will contain the latest built
+<literal>channels/nixos-17.03</literal> will contain the latest built
-and tested version available in the <literal>nixos-14.12</literal>
+and tested version available in the <literal>nixos-17.03</literal>
 channel.</para>
 <para>It’s often inconvenient to develop directly on the master
@ -39,9 +39,9 @@ branch based on your current NixOS version:
 <screen>
 $ nixos-version
-14.04.273.ea1952b (Baboon)
+17.09pre104379.6e0b727 (Hummingbird)
-$ git checkout -b local ea1952b
+$ git checkout -b local 6e0b727
 </screen>
 Or, to base your local branch on the latest version available in a
@ -49,17 +49,17 @@ NixOS channel:
 <screen>
 $ git remote update channels
-$ git checkout -b local channels/nixos-14.12
+$ git checkout -b local channels/nixos-17.03
 </screen>
-(Replace <literal>nixos-14.12</literal> with the name of the channel
+(Replace <literal>nixos-17.03</literal> with the name of the channel
 you want to use.) You can use <command>git merge</command> or
 <command>git rebase</command> to keep your local branch in sync with
 the channel, e.g.
 <screen>
 $ git remote update channels
-$ git merge channels/nixos-14.12
+$ git merge channels/nixos-17.03
 </screen>
 You can use <command>git cherry-pick</command> to copy commits from
@ -87,7 +87,11 @@ $ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
 You may want to delete the symlink
 <filename>~/.nix-defexpr/channels_root</filename> to prevent root’s
-NixOS channel from clashing with your own tree.</para>
+NixOS channel from clashing with your own tree (this may break the
 command-not-found utility though). If you want to go back to the default
 state, you may just remove the <filename>~/.nix-defexpr</filename>
 directory completely, log out and log in again and it should have been
 recreated with a link to the root channels.</para>
 <!-- FIXME: not sure what this means.
 <para>You should not pass the base directory
--- a/nixos/doc/manual/installation/installing-uefi.xml
+++ b/nixos/doc/manual/installation/installing-uefi.xml
@ -26,7 +26,8 @@ changes:
    <literal>vfat</literal> filesystem.</para>
  </listitem>
  <listitem>
-    <para>You must set <option>boot.loader.systemd-boot.enable</option> to
+    <para>Instead of <option>boot.loader.grub.device</option>,
    you must set <option>boot.loader.systemd-boot.enable</option> to
    <literal>true</literal>. <command>nixos-generate-config</command>
    should do this automatically for new configurations when booted in
    UEFI mode.</para>
--- a/nixos/doc/manual/installation/installing-usb.xml
+++ b/nixos/doc/manual/installation/installing-usb.xml
@ -11,7 +11,9 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
 <command>dd if=<replaceable>path-to-image</replaceable>
 of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
 correct drive; you can use the <command>lsblk</command> command to get a list of
-block devices.</para>
+block devices. If you're on OS X you can run <command>diskutil list</command>
 to see the list of devices; the device you'll use for the USB must be ejected
 before writing the image.</para>
 <para>The <command>dd</command> utility will write the image verbatim to the drive,
 making it the recommended option for both UEFI and non-UEFI installations. For
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@ -15,12 +15,12 @@ been built.  These channels are:
 <itemizedlist>
  <listitem>
    <para><emphasis>Stable channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
+    xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
    These only get conservative bug fixes and package upgrades.  For
    instance, a channel update may cause the Linux kernel on your
-    system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
+    system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
-    not from 3.4.<replaceable>x</replaceable> to
+    not from 4.9.<replaceable>x</replaceable> to
-    3.11.<replaceable>x</replaceable> (a major change that has the
+    4.11.<replaceable>x</replaceable> (a major change that has the
    potential to break things).  Stable channels are generally
    maintained until the next stable branch is created.</para>
    <para></para>
@ -34,7 +34,7 @@ been built.  These channels are:
  </listitem>
  <listitem>
    <para><emphasis>Small channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
    or <literal
    xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
    are identical to the stable and unstable channels described above,
@ -55,8 +55,8 @@ appliances.)</para>
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 14.12 ISO, you will be subscribed to
+instance, if you installed from a 17.03 ISO, you will be subscribed to
-the <literal>nixos-14.12</literal> channel.  To see which NixOS
+the <literal>nixos-17.03</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 <screen>
@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
 </screen>
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 14.12 stable channel:
+end.)  For instance, to use the NixOS 17.03 stable channel:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
 </screen>
 If you have a server, you may want to use the “small” channel instead:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
 </screen>
 And if you want to live on the bleeding edge:
@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.)  You can also
 specify a channel explicitly, e.g.
 <programlisting>
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
 </programlisting>
 </para>
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@ -4,7 +4,15 @@
         version="5.0"
         xml:id="sec-release-17.03">
-<title>Release 17.03 (“XXX”, 2017/03/??)</title>
+<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-highlights">
 <title>Highlights</title>
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@ -16,19 +24,40 @@ has the following highlights: </para>
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
    232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
  </listitem>
  <listitem>
    <para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
  </listitem>
  <listitem>
    <para>The setuid wrapper functionality now supports setting
    capabilities.</para>
  </listitem>
  <listitem>
-    <para>X.org server uses branch 1.19.  Due to ABI incompatibilities,
+    <para>X.org server uses branch 1.19. Due to ABI incompatibilities,
      <literal>ati_unfree</literal> keeps forcing 1.17
      and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
  </listitem>
  <listitem>
-    <para>PHP now defaults to PHP 7.1</para>
+    <para>
      Cross compilation has been rewritten. See the nixpkgs manual for
      details. The most obvious breaking change is that in derivations there is no
      <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
  <listitem>
    <para>The <literal>overridePackages</literal> function has been rewritten
    to be replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
    overlays</link></para>
  </listitem>
  <listitem>
@ -38,16 +67,115 @@ has the following highlights: </para>
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>PHP now defaults to PHP 7.1</para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-new-services">
 <title>New Services</title>
 <para>The following new services were added since the last release:</para>
 <itemizedlist>
-  <listitem>
+  <listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
-    <para></para>
+  <listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
-  </listitem>
+  <listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
  <listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
  <listitem><para><literal>programs/adb.nix</literal></para></listitem>
  <listitem><para><literal>programs/chromium.nix</literal></para></listitem>
  <listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
  <listitem><para><literal>programs/java.nix</literal></para></listitem>
  <listitem><para><literal>programs/mtr.nix</literal></para></listitem>
  <listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
  <listitem><para><literal>programs/vim.nix</literal></para></listitem>
  <listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
  <listitem><para><literal>security/dhparams.nix</literal></para></listitem>
  <listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
  <listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
  <listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
  <listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
  <listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
  <listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-incompatibilities">
 <title>Backward Incompatibilities</title>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
@ -55,10 +183,8 @@ following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
-      Cross compilation has been rewritten. See the nixpkgs manual for
+      Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> 
-      details. The most obvious breaking change is that derivations absent a
+      and are now cross by default, not native.
      <literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
@ -95,15 +221,6 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The Yama LSM is now enabled by default in the kernel,
      which prevents ptracing non-child processes.
      This means you will not be able to attach gdb to an existing process,
      but will need to start that process from gdb (so it is a child).
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>stripHash</literal> bash function in <literal>stdenv</literal>
@ -183,7 +300,7 @@ following incompatible changes:</para>
    <para><literal>overridePackages</literal> function no longer exists.
    It is replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
-    overlays</link>.  For example, the following code:
+    overlays</link>. For example, the following code:
 <programlisting>
  let
@ -228,7 +345,7 @@ following incompatible changes:</para>
  <listitem>
    <para>
    Iputils no longer provide ping6 and traceroute6. The functionality of
-    these tools have been integrated into ping and traceroute respectively. To
+    these tools has been integrated into ping and traceroute respectively. To
    enforce an address family the new flags <literal>-4</literal> and
    <literal>-6</literal> have been added. One notable incompatibility is that
    specifying an interface (for link-local IPv6 for instance) is no longer done
@ -237,10 +354,60 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The socket handling of the <literal>services.rmilter</literal> module
      has been fixed and refactored. As rmilter doesn't support binding to
      more than one socket, the options <literal>bindUnixSockets</literal>
      and <literal>bindInetSockets</literal> have been replaced by
      <literal>services.rmilter.bindSocket.*</literal>. The default is still
      a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to
      the options documentation for more information.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>fetch*</literal> functions no longer support md5,
      please use sha256 instead.
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy module interface has been streamlined around the
      <option>extraArgs</option> option. Where possible, legacy option
      declarations are mapped to <option>extraArgs</option> but will emit
      warnings. The <option>resolverList</option> has been outright
      removed: to use an unlisted resolver, use the
      <option>customResolver</option> option.
    </para>
  </listitem>
  <listitem>
    <para>
      torbrowser now stores local state under
      <filename>~/.local/share/tor-browser</filename> by default. Any
      browser profile data from the old location,
      <filename>~/.torbrowser4</filename>, must be migrated manually.
    </para>
  </listitem>
  <listitem>
    <para>
      The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
    </para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-notable-changes">
-<para>Other notable improvements:</para>
+<title>Other Notable Changes</title>
 <itemizedlist>
@ -261,6 +428,18 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>Python 2.6 interpreter and package set have been removed.</para>
  </listitem>
  <listitem>
    <para>
      The Python 2.7 interpreter does not use modules anymore. Instead, all
      CPython interpreters now include the whole standard library except for `tkinter`,
      which is available in the Python package set.
    </para>
  </listitem>
  <listitem>
    <para>
      Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
@ -271,7 +450,65 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The Python package sets now use a fixed-point combinator and the sets are
      available as attributes of the interpreters.
    </para>
  </listitem>
  <listitem>
    <para>
      The Python function <literal>buildPythonPackage</literal> has been improved and can be
      used to build from Setuptools source, Flit source, and precompiled Wheels.
    </para>
  </listitem>
  <listitem>
    <para>
      When adding new or updating current Python libraries, the expressions should be put
      in separate files in <literal>pkgs/development/python-modules</literal> and
      called from <literal>python-packages.nix</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy service supports synchronizing the list of public
      resolvers without working DNS resolution. This fixes issues caused by the
      resolver list becoming outdated. It also improves the viability of
      DNSCrypt only configurations.
    </para>
  </listitem>
  <listitem>
    <para>
      Containers using bridged networking no longer lose their connection after
      changes to the host networking.
    </para>
  </listitem>
  <listitem>
    <para>
      ZFS supports pool auto scrubbing.
    </para>
  </listitem>
  <listitem>
    <para>
      The bind DNS utilities (e.g. dig) have been split into their own output and
      are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
      necessary to pull in all of <literal>bind</literal> to use them.
    </para>
  </listitem>
  <listitem>
    <para>
      Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
      <filename>~/.config/nixpkgs</filename>. The former is still valid for
      <filename>config.nix</filename> for backwards compatibility.
    </para>
  </listitem>
 </itemizedlist>
-
+</section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@ -11,7 +11,11 @@ has the following highlights: </para>
 <itemizedlist>
  <listitem>
-    <para></para>
+    <para>
      The user handling now keeps track of deallocated UIDs/GIDs. When a user
      or group is revived, this allows it to be allocated the UID/GID it had before.
      A consequence is that UIDs and GIDs are no longer reused.
    </para>
  </listitem>
 </itemizedlist>
@ -49,6 +53,18 @@ following incompatible changes:</para>
      rest of the system on a stable release.
    </para>
  </listitem>
  <listitem>
    <para>
      Updated to FreeType 2.7.1, including a new TrueType engine.
      The new engine replaces the Infinality engine which was the default in
      NixOS. The default font rendering settings are now provided by
      fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults
      are less invasive and provide rendering that is more consistent with
      other systems and hopefully with each font designer's intent. Some
      system-wide configuration has been removed from the Fontconfig NixOS
      module where user Fontconfig settings are available.
    </para>
  </listitem>
 </itemizedlist>
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -108,16 +108,16 @@ rec {
          mkdir -p $out/bin
          echo "$testScript" > $out/test-script
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
-          vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
+          vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
          wrapProgram $out/bin/nixos-test-driver \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --run "testScript=\"\$(cat $out/test-script)\"" \
            --set testScript '$testScript' \
            --set VLANS '${toString vlans}'
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
          wrapProgram $out/bin/nixos-run-vms \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --set tests 'startAll; joinAll;' \
            --set VLANS '${toString vlans}' \
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@ -3,21 +3,20 @@
 # To start with do: nix-shell -p awscli --run "aws configure"
-
+set -e
 set -o pipefail
 #set -x
 stateDir=${TMPDIR:-/tmp}/ec2-image
 echo "keeping state in $stateDir"
 mkdir -p $stateDir
 version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
 major=${version:0:5}
 echo "NixOS version is $version ($major)"
 stateDir=/var/tmp/ec2-image-$version
 echo "keeping state in $stateDir"
 mkdir -p $stateDir
 rm -f ec2-amis.nix
-types="hvm pv"
+types="hvm"
 stores="ebs s3"
 regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
@ -206,7 +205,7 @@ for type in $types; do
                    # Register the AMI.
                    if [ $type = pv ]; then
-                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
+                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.05-$arch.gz" | jq -r .Images[0].ImageId)
                        if [ "$kernel" = null ]; then break; fi
                        echo "using PV-GRUB kernel $kernel"
                        extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
--- a/nixos/modules/config/fonts/fontconfig-penultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-penultimate.nix
@ -0,0 +1,270 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.fonts.fontconfig;
  fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
  # back-supported fontconfig version and package
  # version is used for font cache generation
  supportVersion = "210";
  supportPkg     = pkgs."fontconfig_${supportVersion}";
  # latest fontconfig version and package
  # version is used for configuration folder name, /etc/fonts/VERSION/
  # note: format differs from supportVersion and can not be used with makeCacheConf
  latestVersion  = pkgs.fontconfig.configVersion;
  latestPkg      = pkgs.fontconfig;
  # supported version fonts.conf
  supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
  # configuration file to read fontconfig cache
  # version dependent
  # priority 0
  cacheConfSupport = makeCacheConf { version = supportVersion; };
  cacheConfLatest  = makeCacheConf {};
  # generate the font cache setting file for a fontconfig version
  # use latest when no version is passed
  makeCacheConf = { version ? null }:
    let
      fcPackage = if builtins.isNull version
                  then "fontconfig"
                  else "fontconfig_${version}";
      makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
      cache     = makeCache pkgs."${fcPackage}";
      cache32   = makeCache pkgs.pkgsi686Linux."${fcPackage}";
    in
    pkgs.writeText "fc-00-nixos-cache.conf" ''
      <?xml version='1.0'?>
      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
      <fontconfig>
        <!-- Font directories -->
        ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
        <!-- Pre-generated font caches -->
        <cachedir>${cache}</cachedir>
        ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
          <cachedir>${cache32}</cachedir>
        ''}
      </fontconfig>
    '';
  # The configuration to be included in /etc/font/
  penultimateConf = pkgs.runCommand "font-penultimate-conf" {} ''
    support_folder=$out/etc/fonts/conf.d
    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
    mkdir -p $support_folder
    mkdir -p $latest_folder
    ln -s ${supportFontsConf} $support_folder/../fonts.conf
    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
          $latest_folder/../fonts.conf
    # fontconfig-penultimate various configuration files
    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
          $support_folder
    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
          $latest_folder
    ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
    rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
    ln -s ${antialiasConf} $support_folder/10-antialias.conf
    ln -s ${antialiasConf} $latest_folder/10-antialias.conf
    rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
    ln -s ${hintingConf} $support_folder/10-hinting.conf
    ln -s ${hintingConf} $latest_folder/10-hinting.conf
    ${optionalString cfg.useEmbeddedBitmaps ''
    rm $support_folder/10-no-embedded-bitmaps.conf
    rm $latest_folder/10-no-embedded-bitmaps.conf
    ''}
    rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
    ln -s ${subpixelConf} $support_folder/10-subpixel.conf
    ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
    ${optionalString (cfg.dpi != 0) ''
    ln -s ${dpiConf} $support_folder/11-dpi.conf
    ln -s ${dpiConf} $latest_folder/11-dpi.conf
    ''}
    ${optionalString (!cfg.includeUserConf) ''
    rm $support_folder/50-user.conf
    rm $latest_folder/50-user.conf
    ''}
    # 51-local.conf
    rm $latest_folder/51-local.conf
    substitute \
      ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
      $latest_folder/51-local.conf \
      --replace local.conf /etc/fonts/${latestVersion}/local.conf
    ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
    ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
    ${optionalString cfg.allowBitmaps ''
    rm $support_folder/53-no-bitmaps.conf
    rm $latest_folder/53-no-bitmaps.conf
    ''}
    ${optionalString (!cfg.allowType1) ''
    ln -s ${rejectType1} $support_folder/53-no-type1.conf
    ln -s ${rejectType1} $latest_folder/53-no-type1.conf
    ''}
  '';
  hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="hinting">
          ${fcBool cfg.hinting.enable}
        </edit>
        <edit mode="append" name="autohint">
          ${fcBool cfg.hinting.autohint}
        </edit>
        <edit mode="append" name="hintstyle">
          <const>hintslight</const>
        </edit>
      </match>
    </fontconfig>
  '';
  antialiasConf = pkgs.writeText "fc-10-antialias.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="antialias">
          ${fcBool cfg.antialias}
        </edit>
      </match>
    </fontconfig>
  '';
  subpixelConf = pkgs.writeText "fc-10-subpixel.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="rgba">
          <const>${cfg.subpixel.rgba}</const>
        </edit>
        <edit mode="append" name="lcdfilter">
          <const>lcd${cfg.subpixel.lcdfilter}</const>
        </edit>
      </match>
    </fontconfig>
  '';
  dpiConf = pkgs.writeText "fc-11-dpi.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <match target="pattern">
        <edit name="dpi" mode="assign">
          <double>${toString cfg.dpi}</double>
        </edit>
      </match>
    </fontconfig>
  '';
  defaultFontsConf =
    let genDefault = fonts: name:
      optionalString (fonts != []) ''
        <alias>
          <family>${name}</family>
          <prefer>
          ${concatStringsSep ""
          (map (font: ''
            <family>${font}</family>
          '') fonts)}
          </prefer>
        </alias>
      '';
    in
    pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default fonts -->
      ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
      ${genDefault cfg.defaultFonts.serif     "serif"}
      ${genDefault cfg.defaultFonts.monospace "monospace"}
    </fontconfig>
  '';
  rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
    <?xml version="1.0"?>
    <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
    <fontconfig>
    <!-- Reject Type 1 fonts -->
    <selectfont>
      <rejectfont>
        <pattern>
          <patelt name="fontformat"><string>Type 1</string></patelt>
        </pattern>
      </rejectfont>
    </selectfont>
    </fontconfig>
  '';
 in
 {
  options = {
    fonts = {
      fontconfig = {
        penultimate = {
          enable = mkOption {
            type = types.bool;
            default = true;
            description = ''
              Enable fontconfig-penultimate settings to supplement the
              NixOS defaults by providing per-font rendering defaults and
              metric aliases.
            '';
          };
        };
      };
    };
  };
  config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
    fonts.fontconfig.confPackages = [ penultimateConf ];
  };
 }
--- a/nixos/modules/config/fonts/fontconfig-ultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix
@ -43,7 +43,7 @@ in
        ultimate = {
          enable = mkOption {
            type = types.bool;
-            default = true;
+            default = false;
            description = ''
              Enable fontconfig-ultimate settings (formerly known as
              Infinality). Besides the customizable settings in this NixOS
@ -63,15 +63,6 @@ in
              <literal>none</literal> disables the substitutions.
            '';
          };
          preset = mkOption {
            type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"];
            default = "ultimate3";
            description = ''
              FreeType rendering settings preset. Any of the presets may be
              customized by setting environment variables.
            '';
          };
        };
      };
    };
@ -81,7 +72,6 @@ in
  config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
    fonts.fontconfig.confPackages = [ confPkg ];
    environment.variables."INFINALITY_FT" = cfg.preset;
  };
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@ -75,23 +75,23 @@ let cfg = config.fonts.fontconfig;
      <fontconfig>
        <!-- Default rendering settings -->
-        <match target="font">
+        <match target="pattern">
-          <edit mode="assign" name="hinting">
+          <edit mode="append" name="hinting">
            ${fcBool cfg.hinting.enable}
          </edit>
-          <edit mode="assign" name="autohint">
+          <edit mode="append" name="autohint">
            ${fcBool cfg.hinting.autohint}
          </edit>
-          <edit mode="assign" name="hintstyle">
+          <edit mode="append" name="hintstyle">
-            <const>hint${cfg.hinting.style}</const>
+            <const>hintslight</const>
          </edit>
-          <edit mode="assign" name="antialias">
+          <edit mode="append" name="antialias">
            ${fcBool cfg.antialias}
          </edit>
-          <edit mode="assign" name="rgba">
+          <edit mode="append" name="rgba">
            <const>${cfg.subpixel.rgba}</const>
          </edit>
-          <edit mode="assign" name="lcdfilter">
+          <edit mode="append" name="lcdfilter">
            <const>lcd${cfg.subpixel.lcdfilter}</const>
          </edit>
        </match>
@ -104,13 +104,6 @@ let cfg = config.fonts.fontconfig;
        </match>
        ''}
        <!-- Force autohint always -->
        <match target="font">
          <edit name="force_autohint" mode="assign">
            ${fcBool cfg.forceAutohint}
          </edit>
        </match>
      </fontconfig>
    '';
@ -174,13 +167,6 @@ let cfg = config.fonts.fontconfig;
        </edit>
      </match>
      <!-- Render some monospace TTF fonts as bitmaps -->
      <match target="pattern">
        <edit name="bitmap_monospace" mode="assign">
          ${fcBool cfg.renderMonoTTFAsBitmap}
        </edit>
      </match>
      </fontconfig>
    '';
@ -304,7 +290,11 @@ in
        antialias = mkOption {
          type = types.bool;
          default = true;
-          description = "Enable font antialiasing.";
+          description = ''
            Enable font antialiasing. At high resolution (> 200 DPI),
            antialiasing has no visible effect; users of such displays may want
            to disable this option.
          '';
        };
        dpi = mkOption {
@ -320,7 +310,7 @@ in
          type = types.lines;
          default = "";
          description = ''
-            System-wide customization file contents, has higher priority than 
+            System-wide customization file contents, has higher priority than
            <literal>defaultFonts</literal> settings.
          '';
        };
@ -358,26 +348,21 @@ in
          enable = mkOption {
            type = types.bool;
            default = true;
-            description = "Enable TrueType hinting.";
+            description = ''
              Enable font hinting. Hinting aligns glyphs to pixel boundaries to
              improve rendering sharpness at low resolution. At high resolution
              (> 200 dpi) hinting will do nothing (at best); users of such
              displays may want to disable this option.
            '';
          };
          autohint = mkOption {
            type = types.bool;
-            default = true;
+            default = false;
            description = ''
-              Enable the autohinter, which provides hinting for otherwise
+              Enable the autohinter in place of the default interpreter.
-              un-hinted fonts. The results are usually lower quality than
+              The results are usually lower quality than correctly-hinted
-              correctly-hinted fonts.
+              fonts, but better than unhinted fonts.
            '';
          };
          style = mkOption {
            type = types.enum ["none" "slight" "medium" "full"];
            default = "full";
            description = ''
              TrueType hinting style, one of <literal>none</literal>,
              <literal>slight</literal>, <literal>medium</literal>, or
              <literal>full</literal>.
            '';
          };
        };
@ -398,7 +383,15 @@ in
            default = "rgb";
            type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
            description = ''
-              Subpixel order.
+              Subpixel order. The overwhelming majority of displays are
              <literal>rgb</literal> in their normal orientation. Select
              <literal>vrgb</literal> for mounting such a display 90 degrees
              clockwise from its normal orientation or <literal>vbgr</literal>
              for mounting 90 degrees counter-clockwise. Select
              <literal>bgr</literal> in the unlikely event of mounting 180
              degrees from the normal orientation. Reverse these directions in
              the improbable event that the display's native subpixel order is
              <literal>bgr</literal>.
            '';
          };
@ -406,7 +399,9 @@ in
            default = "default";
            type = types.enum ["none" "default" "light" "legacy"];
            description = ''
-              FreeType LCD filter.
+              FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering
              has no visible effect; users of such displays may want to select
              <literal>none</literal>.
            '';
          };
@ -444,31 +439,19 @@ in
          description = ''Use embedded bitmaps in fonts like Calibri.'';
        };
        forceAutohint = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Force use of the TrueType Autohinter. Useful for debugging or
            free-software purists.
          '';
        };
        renderMonoTTFAsBitmap = mkOption {
          type = types.bool;
          default = false;
          description = ''Render some monospace TTF fonts as bitmaps.'';
        };
      };
    };
  };
-  config = mkIf cfg.enable {
+  config = mkMerge [
-    fonts.fontconfig.confPackages = [ confPkg ];
+    (mkIf cfg.enable {
-
+      environment.systemPackages    = [ pkgs.fontconfig ];
-    environment.systemPackages    = [ pkgs.fontconfig ];
+      environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
-    environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
+    })
-  };
+    (mkIf (cfg.enable && !cfg.penultimate.enable) {
      fonts.fontconfig.confPackages = [ confPkg ];
    })
  ];
 }
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -178,10 +178,10 @@ in
    environment.etc =
      { # /etc/services: TCP/UDP port assignments.
-        "services".source = pkgs.iana_etc + "/etc/services";
+        "services".source = pkgs.iana-etc + "/etc/services";
        # /etc/protocols: IP protocol numbers.
-        "protocols".source  = pkgs.iana_etc + "/etc/protocols";
+        "protocols".source  = pkgs.iana-etc + "/etc/protocols";
        # /etc/rpc: RPC program numbers.
        "rpc".source = pkgs.glibc.out + "/etc/rpc";
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@ -64,5 +64,9 @@ in
    # Removed under grsecurity.
    boot.kernel.sysctl."kernel.kptr_restrict" =
      if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1;
    # Disable YAMA by default to allow easy debugging.
    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
  };
 }
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@ -6,6 +6,21 @@ use JSON;
 make_path("/var/lib/nixos", { mode => 0755 });
 # Keep track of deleted uids and gids.
 my $uidMapFile = "/var/lib/nixos/uid-map";
 my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
 my $gidMapFile = "/var/lib/nixos/gid-map";
 my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
 sub updateFile {
    my ($path, $contents, $perms) = @_;
    write_file("$path.tmp", { binmode => ':utf8', perms => $perms // 0644 }, $contents);
    rename("$path.tmp", $path) or die;
 }
 sub hashPassword {
    my ($password) = @_;
    my $salt = "";
@ -18,10 +33,10 @@ sub hashPassword {
 # Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
 # /etc/login.defs.
 sub allocId {
-    my ($used, $idMin, $idMax, $up, $getid) = @_;
+    my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
    my $id = $up ? $idMin : $idMax;
    while ($id >= $idMin && $id <= $idMax) {
-        if (!$used->{$id} && !defined &$getid($id)) {
+        if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
            $used->{$id} = 1;
            return $id;
        }
@ -31,23 +46,36 @@ sub allocId {
    die "$0: out of free UIDs or GIDs\n";
 }
-my (%gidsUsed, %uidsUsed);
+my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
 sub allocGid {
-    return allocId(\%gidsUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
+    my ($name) = @_;
    my $prevGid = $gidMap->{$name};
    if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
        print STDERR "reviving group '$name' with GID $prevGid\n";
        $gidsUsed{$prevGid} = 1;
        return $prevGid;
    }
    return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
 }
 sub allocUid {
-    my ($isSystemUser) = @_;
+    my ($name, $isSystemUser) = @_;
    my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
-    return allocId(\%uidsUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
+    my $prevUid = $uidMap->{$name};
    if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
        print STDERR "reviving user '$name' with UID $prevUid\n";
        $uidsUsed{$prevUid} = 1;
        return $prevUid;
    }
    return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
 }
 # Read the declared users/groups.
 my $spec = decode_json(read_file($ARGV[0]));
-# Don't allocate UIDs/GIDs that are already in use.
+# Don't allocate UIDs/GIDs that are manually assigned.
 foreach my $g (@{$spec->{groups}}) {
    $gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
 }
@ -56,6 +84,11 @@ foreach my $u (@{$spec->{users}}) {
    $uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
 }
 # Likewise for previously used but deleted UIDs/GIDs.
 $uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
 $gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
 # Read the current /etc/group.
 sub parseGroup {
    chomp;
@ -114,16 +147,18 @@ foreach my $g (@{$spec->{groups}}) {
            }
        }
    } else {
-        $g->{gid} = allocGid if !defined $g->{gid};
+        $g->{gid} = allocGid($name) if !defined $g->{gid};
        $g->{password} = "x";
    }
    $g->{members} = join ",", sort(keys(%members));
    $groupsOut{$name} = $g;
    $gidMap->{$name} = $g->{gid};
 }
 # Update the persistent list of declarative groups.
-write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
+updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
 # Merge in the existing /etc/group.
 foreach my $name (keys %groupsCur) {
@ -140,8 +175,8 @@ foreach my $name (keys %groupsCur) {
 # Rewrite /etc/group. FIXME: acquire lock.
 my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
    (sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
-write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
+updateFile($gidMapFile, encode_json($gidMap));
-rename("/etc/group.tmp", "/etc/group") or die;
+updateFile("/etc/group", \@lines);
 system("nscd --invalidate group");
 # Generate a new /etc/passwd containing the declared users.
@ -167,7 +202,7 @@ foreach my $u (@{$spec->{users}}) {
            $u->{uid} = $existing->{uid};
        }
    } else {
-        $u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
+        $u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
        if (defined $u->{initialPassword}) {
            $u->{hashedPassword} = hashPassword($u->{initialPassword});
@ -195,10 +230,12 @@ foreach my $u (@{$spec->{users}}) {
    $u->{fakePassword} = $existing->{fakePassword} // "x";
    $usersOut{$name} = $u;
    $uidMap->{$name} = $u->{uid};
 }
 # Update the persistent list of declarative users.
-write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
+updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
 # Merge in the existing /etc/passwd.
 foreach my $name (keys %usersCur) {
@ -214,8 +251,8 @@ foreach my $name (keys %usersCur) {
 # Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
    (sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
-write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
+updateFile($uidMapFile, encode_json($uidMap));
-rename("/etc/passwd.tmp", "/etc/passwd") or die;
+updateFile("/etc/passwd", \@lines);
 system("nscd --invalidate passwd");
@ -242,5 +279,4 @@ foreach my $u (values %usersOut) {
    push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
 }
-write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
+updateFile("/etc/shadow", \@shadowNew, 0600);
 rename("/etc/shadow.tmp", "/etc/shadow") or die;
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@ -26,6 +26,7 @@ with lib;
      firmwareLinuxNonfree
      intel2200BGFirmware
      rtl8723bs-firmware
      rtl8192su-firmware
    ];
  };
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@ -6,6 +6,16 @@
 with lib;
 let
  # Do not include these things:
  #   - The '.git' directory
  #   - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
  #   - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
  filterFn = path: type: let basename = baseNameOf (toString path); in
    if type == "directory" then basename != ".git"
    else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
    else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
  nixpkgs = builtins.filterSource filterFn pkgs.path;
  # We need a copy of the Nix expressions for Nixpkgs and NixOS on the
  # CD.  These are installed into the "nixos" channel of the root
@ -15,12 +25,11 @@ let
    { }
    ''
      mkdir -p $out
-      cp -prd ${pkgs.path} $out/nixos
+      cp -prd ${nixpkgs} $out/nixos
      chmod -R u+w $out/nixos
      if [ ! -e $out/nixos/nixpkgs ]; then
        ln -s . $out/nixos/nixpkgs
      fi
      rm -rf $out/nixos/.git
      echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
    '';
--- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
@ -28,7 +28,7 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
+  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
  # FIXME: this probably should be in installation-device.nix
  users.extraUsers.root.initialHashedPassword = "";
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@ -48,7 +48,7 @@ let cfg = config.system.autoUpgrade; in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the update will occur.
        '';
      };
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/4ssykr786d0wp7y6m4xd4qwqs4nrry1z-nix-1.11.7";
+  x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
-  i686-linux = "/nix/store/61ggxx2072y2g877m01asy0lsn7xpn06-nix-1.11.7";
+  i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
-  x86_64-darwin = "/nix/store/pxf5ri5kdbfqkhd10sw4lpj8sn385ks5-nix-1.11.7";
+  x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
 }
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1,8 +1,9 @@
 [
  ./config/debug-info.nix
  ./config/fonts/corefonts.nix
  ./config/fonts/fontconfig-ultimate.nix
  ./config/fonts/fontconfig.nix
  ./config/fonts/fontconfig-penultimate.nix
  ./config/fonts/fontconfig-ultimate.nix
  ./config/fonts/fontdir.nix
  ./config/fonts/fonts.nix
  ./config/fonts/ghostscript.nix
@ -137,7 +138,6 @@
  ./services/backup/mysql-backup.nix
  ./services/backup/postgresql-backup.nix
  ./services/backup/rsnapshot.nix
  ./services/backup/sitecopy-backup.nix
  ./services/backup/tarsnap.nix
  ./services/backup/znapzend.nix
  ./services/cluster/fleet.nix
@ -274,6 +274,7 @@
  ./services/misc/gpsd.nix
  #./services/misc/ihaskell.nix
  ./services/misc/irkerd.nix
  ./services/misc/jackett.nix
  ./services/misc/leaps.nix
  ./services/misc/mantisbt.nix
  ./services/misc/mathics.nix
@ -294,6 +295,7 @@
  ./services/misc/parsoid.nix
  ./services/misc/phd.nix
  ./services/misc/plex.nix
  ./services/misc/radarr.nix
  ./services/misc/redmine.nix
  ./services/misc/rippled.nix
  ./services/misc/ripple-rest.nix
@ -453,7 +455,7 @@
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/prosody.nix
-  ./services/networking/quagga.nix
+  # ./services/networking/quagga.nix
  ./services/networking/quassel.nix
  ./services/networking/racoon.nix
  ./services/networking/radicale.nix
@ -527,6 +529,7 @@
  ./services/system/cgmanager.nix
  ./services/system/cloud-init.nix
  ./services/system/dbus.nix
  ./services/system/earlyoom.nix
  ./services/system/kerberos.nix
  ./services/system/nscd.nix
  ./services/system/uptimed.nix
--- a/nixos/modules/programs/venus.nix
+++ b/nixos/modules/programs/venus.nix
@ -45,7 +45,7 @@ in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the Venus will collect feeds.
        '';
      };
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -35,6 +35,9 @@ with lib;
    (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
    (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
    (mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead")
    (mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead")
    # Old Grub-related options.
    (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
    (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
@ -138,9 +141,6 @@ with lib;
    # Unity3D
    (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
    # fontconfig-ultimate
    (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
    # murmur
    (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
@ -199,5 +199,10 @@ with lib;
      "See the 16.09 release notes for more information.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
    (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
    (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
      "Set the option `services.xserver.displayManager.sddm.package' instead.")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
  ];
 }
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -110,7 +110,7 @@ in
        description = ''
          Systemd calendar expression when to check for renewal. See
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>.
+          <manvolnum>7</manvolnum></citerefentry>.
        '';
      };
@ -178,7 +178,7 @@ in
                  path = [ pkgs.simp_le ];
                  preStart = ''
                    mkdir -p '${cfg.directory}'
-                    chown '${data.user}:${data.group}' '${cfg.directory}'
+                    chown -R '${data.user}:${data.group}' '${cfg.directory}'
                    if [ ! -d '${cpath}' ]; then
                      mkdir '${cpath}'
                    fi
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@ -64,7 +64,7 @@ in
    systemd.packages = [ pkgs.polkit.out ];
    systemd.services.polkit.restartTriggers = [ config.system.path ];
-    systemd.services.polkit.unitConfig.X-StopIfChanged = false;
+    systemd.services.polkit.stopIfChanged = false;
    # The polkit daemon reads action/rule files
    environment.pathsToLink = [ "/share/polkit-1" ];
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@ -179,21 +179,31 @@ in
          # Remove the old /var/setuid-wrappers path from the system...
          #
-          # TODO: this is only necessary for ugprades 16.09 => 17.x;
+          # TODO: this is only necessary for upgrades 16.09 => 17.x;
          # this conditional removal block needs to be removed after
          # the release.
          if [ -d /var/setuid-wrappers ]; then
            rm -rf /var/setuid-wrappers
            ln -s /run/wrappers/bin /var/setuid-wrappers
          fi
          # Remove the old /run/setuid-wrappers-dir path from the
          # system as well...
          #
-          # TODO: this is only necessary for ugprades 16.09 => 17.x;
+          # TODO: this is only necessary for upgrades 16.09 => 17.x;
          # this conditional removal block needs to be removed after
          # the release.
          if [ -d /run/setuid-wrapper-dirs ]; then
            rm -rf /run/setuid-wrapper-dirs
            ln -s /run/wrappers/bin /run/setuid-wrapper-dirs
          fi
          # TODO: this is only necessary for upgrades 16.09 => 17.x;
          # this conditional removal block needs to be removed after
          # the release.
          if readlink -f /run/booted-system | grep nixos-17 > /dev/null; then
            rm -rf /run/setuid-wrapper-dirs
            rm -rf /var/setuid-wrappers
          fi
          # We want to place the tmpdirs for the wrappers to the parent dir.
--- a/nixos/modules/services/backup/sitecopy-backup.nix
+++ b/nixos/modules/services/backup/sitecopy-backup.nix
@ -1,106 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  inherit (pkgs) sitecopy;
  stateDir = "/var/spool/sitecopy";
  sitecopyCron = backup : ''
    ${if backup ? period then backup.period else config.services.sitecopy.period} root ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${backup.name}.conf --update ${backup.name} >> /var/log/sitecopy.log 2>&1
  '';
 in
 {
  options = {
    services.sitecopy = {
      enable = mkOption {
        default = false;
        description = ''
          Whether to enable <command>sitecopy</command> backups of specified
          directories.
        '';
      };
      period = mkOption {
        default = "15 04 * * *";
        description = ''
          This option defines (in the format used by <command>cron</command>)
          when the <command>sitecopy</command> backups are to be run.
          The default is to update at 04:15 (at night) every day.
        '';
      };
      backups = mkOption {
        example = [
          { name = "test";
            local = "/tmp/backup";
            remote = "/staff-groups/ewi/st/strategoxt/backup/test";
            server = "webdata.tudelft.nl";
            protocol = "webdav";
            https = true ;
            symlinks = "maintain" ;
          }
        ];
        default = [];
        description = ''
           List of attribute sets describing the backups.
           Username/password are extracted from
           <filename>${stateDir}/sitecopy.secrets</filename> at activation
           time. The secrets file lines should have the following structure:
           <screen>
             server username password
           </screen>
        '';
      };
    };
  };
  config = mkIf config.services.sitecopy.enable {
    environment.systemPackages = [ sitecopy ];
    services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
    system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "users" ]
      ''
        mkdir -m 0700 -p ${stateDir}
        chown root ${stateDir}
        touch ${stateDir}/sitecopy.secrets
        chown root ${stateDir}/sitecopy.secrets
        ${lib.concatStrings (map ( b: ''
            unset secrets
            unset secret
            secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
            secret=($secrets)
            cat > ${stateDir}/${b.name}.conf << EOF
              site ${b.name}
              server ${b.server}
              protocol ${b.protocol}
              username ''${secret[1]}
              password ''${secret[2]}
              local ${b.local}
              remote ${b.remote}
              symlinks ${b.symlinks}
              ${if b.https then "http secure" else ""}
            EOF
            chmod 0600 ${stateDir}/${b.name}.conf
            if ! test -e ${stateDir}/${b.name} ; then
              echo " * Initializing sitecopy '${b.name}'"
              ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${b.name}.conf --initialize ${b.name}
            else
              echo " * Sitecopy '${b.name}' already initialized"
            fi
          '' ) config.services.sitecopy.backups
        )}
      '';
  };
 }
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@ -20,6 +20,14 @@ in
      description = "The working directory used";
    };
    package = mkOption {
      description = "Gitlab Runner package to use";
      default = pkgs.gitlab-runner;
      defaultText = "pkgs.gitlab-runner";
      type = types.package;
      example = literalExample "pkgs.gitlab-runner_1_11";
    };
  };
  config = mkIf cfg.enable {
@ -29,7 +37,7 @@ in
      requires = [ "docker.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
-        ExecStart = ''${pkgs.gitlab-runner.bin}/bin/gitlab-runner run \
+        ExecStart = ''${cfg.package.bin}/bin/gitlab-runner run \
          --working-directory ${cfg.workDir} \
          --config ${configFile} \
          --service gitlab-runner \
@ -38,6 +46,9 @@ in
      };
    };
    # Make the gitlab-runner command availabe so users can query the runner
    environment.systemPackages = [ cfg.package ];
    users.extraUsers.gitlab-runner = {
      group = "gitlab-runner";
      extraGroups = [ "docker" ];
--- a/nixos/modules/services/databases/neo4j.nix
+++ b/nixos/modules/services/databases/neo4j.nix
@ -27,9 +27,7 @@ let
    ''}
    dbms.shell.enabled=true
    ${cfg.extraServerConfig}
  '';
  wrapperConfig = pkgs.writeText "neo4j-wrapper.conf" ''
    # Default JVM parameters from neo4j.conf
    dbms.jvm.additional=-XX:+UseG1GC
    dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
@ -135,12 +133,11 @@ in {
      preStart = ''
        mkdir -m 0700 -p ${cfg.dataDir}/{data/graph.db,conf,logs}
        ln -fs ${serverConfig} ${cfg.dataDir}/conf/neo4j.conf
        ln -fs ${wrapperConfig} ${cfg.dataDir}/conf/neo4j-wrapper.conf
        if [ "$(id -u)" = 0 ]; then chown -R neo4j ${cfg.dataDir}; fi
      '';
    };
-    environment.systemPackages = [ pkgs.neo4j ];
+    environment.systemPackages = [ cfg.package ];
    users.extraUsers = singleton {
      name = "neo4j";
--- a/nixos/modules/services/editors/emacs.xml
+++ b/nixos/modules/services/editors/emacs.xml
@ -79,10 +79,11 @@
            </listitem>
          </varlistentry>
          <varlistentry>
-            <term><varname>emacs24Macport</varname></term>
+            <term><varname>emacsMacport</varname></term>
            <term><varname>emacs25Macport</varname></term>
            <listitem>
              <para>
-                Emacs 24 with the "Mac port" patches, providing a more
+                Emacs 25 with the "Mac port" patches, providing a more
                native look and feel under OS X.
              </para>
            </listitem>
--- a/nixos/modules/services/hardware/bluetooth.nix
+++ b/nixos/modules/services/hardware/bluetooth.nix
@ -14,12 +14,26 @@ in
  options = {
-    hardware.bluetooth.enable = mkEnableOption "support for Bluetooth.";
+    hardware.bluetooth = {
      enable = mkEnableOption "support for Bluetooth.";
-    hardware.bluetooth.powerOnBoot = mkOption {
+      powerOnBoot = mkOption {
-      type    = types.bool;
+        type    = types.bool;
-      default = true;
+        default = true;
-      description = "Whether to power up the default Bluetooth controller on boot.";
+        description = "Whether to power up the default Bluetooth controller on boot.";
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        example = ''
          [General]
          ControllerMode = bredr
        '';
        description = ''
          Set additional configuration for system-wide bluetooth (/etc/bluetooth/main.conf).
        '';
      };
    };
  };
@ -30,6 +44,11 @@ in
    environment.systemPackages = [ bluez-bluetooth pkgs.openobex pkgs.obexftp ];
    environment.etc = singleton {
      source = pkgs.writeText "main.conf" cfg.extraConfig;
      target = "bluetooth/main.conf";
    };
    services.udev.packages = [ bluez-bluetooth ];
    services.dbus.packages = [ bluez-bluetooth ];
    systemd.packages       = [ bluez-bluetooth ];
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@ -35,6 +35,7 @@ let
  udevRules = pkgs.runCommand "udev-rules"
    { preferLocalBuild = true;
      allowSubstitutes = false;
      packages = unique (map toString cfg.packages);
    }
    ''
      mkdir -p $out
@ -45,7 +46,7 @@ let
      echo 'ENV{PATH}="${udevPath}/bin:${udevPath}/sbin"' > $out/00-path.rules
      # Add the udev rules from other packages.
-      for i in ${toString cfg.packages}; do
+      for i in $packages; do
        echo "Adding rules for package $i"
        for j in $i/{etc,lib}/udev/rules.d/*; do
          echo "Copying $j to $out/$(basename $j)"
@ -132,10 +133,11 @@ let
  hwdbBin = pkgs.runCommand "hwdb.bin"
    { preferLocalBuild = true;
      allowSubstitutes = false;
      packages = unique (map toString ([udev] ++ cfg.packages));
    }
    ''
      mkdir -p etc/udev/hwdb.d
-      for i in ${toString ([udev] ++ cfg.packages)}; do
+      for i in $packages; do
        echo "Adding hwdb files for package $i"
        for j in $i/{etc,lib}/udev/hwdb.d/*; do
          ln -s $j etc/udev/hwdb.d/$(basename $j)
--- a/nixos/modules/services/logging/awstats.nix
+++ b/nixos/modules/services/logging/awstats.nix
@ -38,7 +38,7 @@ in
        Specification of the time at which awstats will get updated.
        (in the format described by <citerefentry>
          <refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>)
+          <manvolnum>7</manvolnum></citerefentry>)
      '';
    };
--- a/nixos/modules/services/mail/rmilter.nix
+++ b/nixos/modules/services/mail/rmilter.nix
@ -5,35 +5,38 @@ with lib;
 let
  rspamdCfg = config.services.rspamd;
  postfixCfg = config.services.postfix;
  cfg = config.services.rmilter;
-  inetSockets = map (sock: let s = stringSplit ":" sock; in "inet:${last s}:${head s}") cfg.bindInetSockets;
+  inetSocket = addr: port: "inet:[${toString port}@${addr}]";
-  unixSockets = map (sock: "unix:${sock}") cfg.bindUnixSockets;
+  unixSocket = sock: "unix:${sock}";
-  allSockets = unixSockets ++ inetSockets;
+  systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path
    else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}";
  rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path
    else inetSocket cfg.bindSocket.address cfg.bindSocket.port;
  rmilterConf = ''
-pidfile = /run/rmilter/rmilter.pid;
+    pidfile = /run/rmilter/rmilter.pid;
-bind_socket = ${if cfg.socketActivation then "fd:3" else concatStringsSep ", " allSockets};
+    bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket};
-tempdir = /tmp;
+    tempdir = /tmp;
  '' + (with cfg.rspamd; if enable then ''
-spamd {
+    spamd {
-        servers = ${concatStringsSep ", " servers};
+      servers = ${concatStringsSep ", " servers};
-        connect_timeout = 1s;
+      connect_timeout = 1s;
-        results_timeout = 20s;
+      results_timeout = 20s;
-        error_time = 10;
+      error_time = 10;
-        dead_time = 300;
+      dead_time = 300;
-        maxerrors = 10;
+      maxerrors = 10;
-        reject_message = "${rejectMessage}";
+      reject_message = "${rejectMessage}";
-        ${optionalString (length whitelist != 0)  "whitelist = ${concatStringsSep ", " whitelist};"}
+      ${optionalString (length whitelist != 0)  "whitelist = ${concatStringsSep ", " whitelist};"}
-        # rspamd_metric - metric for using with rspamd
+      # rspamd_metric - metric for using with rspamd
-        # Default: "default"
+      # Default: "default"
-        rspamd_metric = "default";
+      rspamd_metric = "default";
-        ${extraConfig}
+      ${extraConfig}
-};
+    };
-    '' else "") + cfg.extraConfig;
+  '' else "") + cfg.extraConfig;
  rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;
@ -48,11 +51,13 @@ in
    services.rmilter = {
      enable = mkOption {
        type = types.bool;
        default = cfg.rspamd.enable;
        description = "Whether to run the rmilter daemon.";
      };
      debug = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to run the rmilter daemon in debug mode.";
      };
@ -73,25 +78,37 @@ in
        '';
       };
-      bindUnixSockets =  mkOption {
+      bindSocket.type = mkOption {
-        type = types.listOf types.str;
+        type = types.enum [ "unix" "inet" ];
-        default = ["/run/rmilter/rmilter.sock"];
+        default = "unix";
        description = ''
-          Unix domain sockets to listen for MTA requests.
+          What kind of socket rmilter should listen on. Either "unix"
-        '';
+          for an Unix domain socket or "inet" for a TCP socket.
        example = ''
            [ "/run/rmilter.sock"]
        '';
      };
-      bindInetSockets = mkOption {
+      bindSocket.path = mkOption {
-        type = types.listOf types.str;
+       type = types.str;
-        default = [];
+       default = "/run/rmilter/rmilter.sock";
-        description = ''
+       description = ''
-          Inet addresses to listen (in format accepted by systemd.socket)
+          Path to Unix domain socket to listen on.
        '';
-        example = ''
+      };
-            ["127.0.0.1:11990"]
+
      bindSocket.address = mkOption {
        type = types.str;
        default = "::1";
        example = "0.0.0.0";
        description = ''
          Inet address to listen on.
        '';
      };
      bindSocket.port = mkOption {
        type = types.int;
        default = 11990;
        description = ''
          Inet port to listen on.
        '';
      };
@ -100,14 +117,16 @@ in
        default = true;
        description = ''
          Enable systemd socket activation for rmilter.
-          (disabling socket activation not recommended
+
-          when unix socket used, and follow to wrong
+          Disabling socket activation is not recommended when a Unix
-          permissions on unix domain socket.)
+          domain socket is used and could lead to incorrect
          permissions.
        '';
      };
      rspamd = {
        enable = mkOption {
          type = types.bool;
          default = rspamdCfg.enable;
          description = "Whether to use rspamd to filter mails";
        };
@ -157,13 +176,9 @@ in
          type = types.str;
          description = "Addon to postfix configuration";
          default = ''
-smtpd_milters = ${head allSockets}
+            smtpd_milters = ${rmilterSocket}
-# or for TCP socket
+            milter_protocol = 6
-# # smtpd_milters = inet:localhost:9900
+            milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 milter_protocol = 6
 milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 # skip mail without checks if milter will die
 milter_default_action = accept
          '';
        };
      };
@ -175,52 +190,60 @@ milter_default_action = accept
  ###### implementation
-  config = mkIf cfg.enable {
+  config = mkMerge [
-    users.extraUsers = singleton {
+    (mkIf cfg.enable {
      name = cfg.user;
      description = "rspamd daemon";
      uid = config.ids.uids.rmilter;
      group = cfg.group;
    };
-    users.extraGroups = singleton {
+      users.extraUsers = singleton {
-      name = cfg.group;
+        name = cfg.user;
-      gid = config.ids.gids.rmilter;
+        description = "rmilter daemon";
-    };
+        uid = config.ids.uids.rmilter;
-
+        group = cfg.group;
    systemd.services.rmilter = {
      description = "Rmilter Service";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
        User = cfg.user;
        Group = cfg.group;
        PermissionsStartOnly = true;
        Restart = "always";
        RuntimeDirectory = "rmilter";
        RuntimeDirectoryMode = "0755";
      };
-    };
+      users.extraGroups = singleton {
-
+        name = cfg.group;
-    systemd.sockets.rmilter = mkIf cfg.socketActivation {
+        gid = config.ids.gids.rmilter;
      description = "Rmilter service socket";
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        ListenStream = cfg.bindUnixSockets ++ cfg.bindInetSockets;
        SocketUser = cfg.user;
        SocketGroup = cfg.group;
        SocketMode = "0666";
      };
    };
-    services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment;
+      systemd.services.rmilter = {
-    users.users.postfix.extraGroups = [ cfg.group ];
+        description = "Rmilter Service";
  };
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
          ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
          ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
          User = cfg.user;
          Group = cfg.group;
          PermissionsStartOnly = true;
          Restart = "always";
          RuntimeDirectory = "rmilter";
          RuntimeDirectoryMode = "0750";
        };
      };
      systemd.sockets.rmilter = mkIf cfg.socketActivation {
        description = "Rmilter service socket";
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          ListenStream = systemdSocket;
          SocketUser = cfg.user;
          SocketGroup = cfg.group;
          SocketMode = "0660";
        };
      };
    })
    (mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
      users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
    })
    (mkIf (cfg.enable && cfg.postfix.enable) {
      services.postfix.extraConfig = cfg.postfix.configFragment;
      users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
    })
  ];
 }
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@ -53,8 +53,11 @@ in
      bindSocket = mkOption {
        type = types.listOf types.str;
        default = [
-          "/run/rspamd/rspamd.sock mode=0666 owner=${cfg.user}"
+          "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
        ];
        defaultText = ''[
          "/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
        ]'';
        description = ''
          List of sockets to listen, in format acceptable by rspamd
        '';
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -481,6 +481,7 @@ in {
        mkdir -p ${cfg.statePath}/repositories
        mkdir -p ${gitlabConfig.production.shared.path}/artifacts
        mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
        mkdir -p ${gitlabConfig.production.shared.path}/pages
        mkdir -p ${cfg.statePath}/log
        mkdir -p ${cfg.statePath}/shell
        mkdir -p ${cfg.statePath}/tmp/pids
--- a/nixos/modules/services/misc/jackett.nix
+++ b/nixos/modules/services/misc/jackett.nix
@ -0,0 +1,44 @@
 { config, pkgs, lib, mono, ... }:
 with lib;
 let
  cfg = config.services.jackett;
 in
 {
  options = {
    services.jackett = {
      enable = mkEnableOption "Jackett";
    };
  };
  config = mkIf cfg.enable {
    systemd.services.jackett = {
      description = "Jackett";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        test -d /var/lib/jackett/ || {
          echo "Creating jackett data directory in /var/lib/jackett/"
          mkdir -p /var/lib/jackett/
        }
        chown -R jackett /var/lib/jackett/
        chmod 0700 /var/lib/jackett/
      '';
      serviceConfig = {
        Type = "simple";
        User = "jackett";
        Group = "nogroup";
        PermissionsStartOnly = "true";
        ExecStart = "${pkgs.jackett}/bin/Jackett";
        Restart = "on-failure";
      };
    };
    users.extraUsers.jackett = {
      home = "/var/lib/jackett";
    };
  };
 }
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@ -8,7 +8,7 @@ let
  nix = cfg.package.out;
-  isNix112 = versionAtLeast (getVersion nix) "1.12pre4997";
+  isNix112 = versionAtLeast (getVersion nix) "1.12pre";
  makeNixBuildUser = nr:
    { name = "nixbld${toString nr}";
@ -46,6 +46,7 @@ let
        binary-caches = ${toString cfg.binaryCaches}
        trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
        binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
        auto-optimise-store = ${if cfg.autoOptimiseStore then "true" else "false"}
        ${optionalString cfg.requireSignedBinaryCaches ''
          signed-binary-caches = *
        ''}
@ -86,6 +87,18 @@ in
        '';
      };
      autoOptimiseStore = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
         If set to true, Nix automatically detects files in the store that have
         identical contents, and replaces them with hard links to a single copy.
         This saves disk space. If set to false (the default), you can still run
         nix-store --optimise to get rid of duplicate files.
        '';
      };
      buildCores = mkOption {
        type = types.int;
        default = 1;
--- a/nixos/modules/services/misc/nix-gc.nix
+++ b/nixos/modules/services/misc/nix-gc.nix
@ -26,7 +26,7 @@ in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the garbage collector will run.
        '';
      };
--- a/nixos/modules/services/misc/nix-optimise.nix
+++ b/nixos/modules/services/misc/nix-optimise.nix
@ -26,7 +26,7 @@ in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the optimiser will run.
        '';
      };
--- a/nixos/modules/services/misc/octoprint.nix
+++ b/nixos/modules/services/misc/octoprint.nix
@ -117,7 +117,7 @@ in
      '';
      serviceConfig = {
-        ExecStart = "${pkgs.octoprint}/bin/octoprint -b ${cfg.stateDir}";
+        ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}";
        User = cfg.user;
        Group = cfg.group;
        PermissionsStartOnly = true;
--- a/nixos/modules/services/misc/radarr.nix
+++ b/nixos/modules/services/misc/radarr.nix
@ -0,0 +1,44 @@
 { config, pkgs, lib, mono, ... }:
 with lib;
 let
  cfg = config.services.radarr;
 in
 {
  options = {
    services.radarr = {
      enable = mkEnableOption "Radarr";
    };
  };
  config = mkIf cfg.enable {
    systemd.services.radarr = {
      description = "Radarr";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      preStart = ''
        test -d /var/lib/radarr/ || {
          echo "Creating radarr data directory in /var/lib/radarr/"
          mkdir -p /var/lib/radarr/
        }
        chown -R radarr /var/lib/radarr/
        chmod 0700 /var/lib/radarr/
      '';
      serviceConfig = {
        Type = "simple";
        User = "radarr";
        Group = "nogroup";
        PermissionsStartOnly = "true";
        ExecStart = "${pkgs.radarr}/bin/Radarr";
        Restart = "on-failure";
      };
    };
    users.extraUsers.radarr = {
      home = "/var/lib/radarr";
    };
  };
 }
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@ -193,14 +193,26 @@ in
  }) (mkIf cronCfg.enable {
-    services.cron.systemCronJobs = [
+    systemd.timers.munin-cron = {
-      "*/5 * * * * munin ${pkgs.munin}/bin/munin-cron --config ${muninConf}"
+      description = "batch Munin master programs";
-    ];
+      wantedBy = [ "timers.target" ];
      timerConfig.OnCalendar = "*:0/5";
    };
    systemd.services.munin-cron = {
      description = "batch Munin master programs";
      unitConfig.Documentation = "man:munin-cron(8)";
      serviceConfig = {
        Type = "oneshot";
        User = "munin";
        ExecStart = "${pkgs.munin}/bin/munin-cron --config ${muninConf}";
      };
    };
    system.activationScripts.munin-cron = stringAfter [ "users" "groups" ] ''
      mkdir -p /var/{run,log,www,lib}/munin
      chown -R munin:munin /var/{run,log,www,lib}/munin
    '';
  })];
 }
--- a/nixos/modules/services/network-filesystems/openafs-client/default.nix
+++ b/nixos/modules/services/network-filesystems/openafs-client/default.nix
@ -76,6 +76,7 @@ in
      description = "AFS client";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = { RemainAfterExit = true; };
      preStart = ''
        mkdir -p -m 0755 /afs
--- a/nixos/modules/services/networking/avahi-daemon.nix
+++ b/nixos/modules/services/networking/avahi-daemon.nix
@ -21,6 +21,7 @@ let
    use-ipv6=${if ipv6 then "yes" else "no"}
    ${optionalString (interfaces!=null) "allow-interfaces=${concatStringsSep "," interfaces}"}
    ${optionalString (domainName!=null) "domain-name=${domainName}"}
    allow-point-to-point=${if allowPointToPoint then "yes" else "no"}
    [wide-area]
    enable-wide-area=${if wideArea then "yes" else "no"}
@ -98,6 +99,15 @@ in
        '';
      };
      allowPointToPoint = mkOption {
        default = false;
        description= ''
          Whether to use POINTTOPOINT interfaces. Might make mDNS unreliable due to usually large
          latencies with such links and opens a potential security hole by allowing mDNS access from Internet
          connections. Use with care and YMMV!
        '';
      };
      wideArea = mkOption {
        default = true;
        description = ''Whether to enable wide-area service discovery.'';
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@ -220,6 +220,8 @@ in
        ${getLib pkgs.attr}/lib/libattr.so.* mr, # */
        ${resolverList} r,
        /run/systemd/notify rw,
      }
    '');
    })
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@ -17,6 +17,17 @@ in
          This conflicts with the standard networking firewall, so make sure to
          disable it before using nftables.
          Note that if you have Docker enabled you will not be able to use
          nftables without intervention. Docker uses iptables internally to
          setup NAT for containers. This module disables the ip_tables kernel
          module, however Docker automatically loads the module. Please see [1]
          for more information.
          There are other programs that use iptables internally too, such as
          libvirt.
          [1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
        '';
    };
    networking.nftables.ruleset = mkOption {
--- a/nixos/modules/services/networking/searx.nix
+++ b/nixos/modules/services/networking/searx.nix
@ -18,17 +18,12 @@ in
    services.searx = {
-      enable = mkOption {
+      enable = mkEnableOption
-        type = types.bool;
+        "the searx server. See https://github.com/asciimoo/searx";
        default = false;
        description = "
          Whether to enable the Searx server. See https://github.com/asciimoo/searx
        ";
      };
      configFile = mkOption {
-        type = types.path;
+        type = types.nullOr types.path;
-        default = "";
+        default = null;
        description = "
          The path of the Searx server configuration file. If no file
          is specified, a default file is used (default config file has
@ -72,7 +67,7 @@ in
          User = "searx";
          ExecStart = "${cfg.package}/bin/searx-run";
        };
-      } // (optionalAttrs (configFile != "") {
+      } // (optionalAttrs (configFile != null) {
        environment.SEARX_SETTINGS_PATH = configFile;
      });
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -240,7 +240,7 @@ in
    systemd =
      let
-        sshd-service =
+        service =
          { description = "SSH Daemon";
            wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
@ -251,8 +251,20 @@ in
            environment.LD_LIBRARY_PATH = nssModulesPath;
-            wants = [ "sshd-keygen.service" ];
+            preStart =
-            after = [ "sshd-keygen.service" ];
+              ''
                # Make sure we don't write to stdout, since in case of
                # socket activation, it goes to the remote side (#19589).
                exec >&2
                mkdir -m 0755 -p /etc/ssh
                ${flip concatMapStrings cfg.hostKeys (k: ''
                  if ! [ -f "${k.path}" ]; then
                      ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N ""
                  fi
                '')}
              '';
            serviceConfig =
              { ExecStart =
@ -262,31 +274,12 @@ in
                KillMode = "process";
              } // (if cfg.startWhenNeeded then {
                StandardInput = "socket";
                StandardError = "journal";
              } else {
                Restart = "always";
                Type = "simple";
              });
          };
        sshd-keygen-service =
          { description = "SSH Host Key Generation";
            path = [ cfgc.package ];
            script =
            ''
              mkdir -m 0755 -p /etc/ssh
              ${flip concatMapStrings cfg.hostKeys (k: ''
                if ! [ -f "${k.path}" ]; then
                  ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N ""
                fi
              '')}
            '';
            serviceConfig = {
              Type = "oneshot";
              RemainAfterExit = "yes";
            };
          };
      in
      if cfg.startWhenNeeded then {
@ -298,13 +291,11 @@ in
            socketConfig.Accept = true;
          };
-        services.sshd-keygen = sshd-keygen-service;
+        services."sshd@" = service;
        services."sshd@" = sshd-service;
      } else {
-        services.sshd-keygen = sshd-keygen-service;
+        services.sshd = service;
        services.sshd = sshd-service;
      };
--- a/nixos/modules/services/networking/vsftpd.nix
+++ b/nixos/modules/services/networking/vsftpd.nix
@ -37,6 +37,9 @@ let
    (yesNoOption "anonymousUser" "anonymous_enable" false ''
      Whether to enable the anonymous FTP user.
    '')
    (yesNoOption "anonymousUserNoPassword" "no_anon_password" false ''
      Whether to disable the password for the anonymous FTP user.
    '')
    (yesNoOption "localUsers" "local_enable" false ''
      Whether to enable FTP for local users.
    '')
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@ -140,6 +140,7 @@ in
        };
        privoxy.enable = mkOption {
          type = types.bool;
          default = true;
          description = ''
            Whether to enable and configure the system Privoxy to use Tor's
--- a/nixos/modules/services/system/earlyoom.nix
+++ b/nixos/modules/services/system/earlyoom.nix
@ -0,0 +1,96 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  ecfg = config.services.earlyoom;
 in
 {
  options = {
    services.earlyoom = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable early out of memory killing.
        '';
      };
      freeMemThreshold = mkOption {
        type = types.int;
        default = 10;
        description = ''
          Minimum of availabe memory (in percent).
          If the free memory falls below this threshold and the analog is true for
          <option>services.earlyoom.freeSwapThreshold</option>
          the killing begins.
        '';
      };
      freeSwapThreshold = mkOption {
        type = types.int;
        default = 10;
        description = ''
          Minimum of availabe swap space (in percent).
          If the available swap space falls below this threshold and the analog
          is true for <option>services.earlyoom.freeMemThreshold</option>
          the killing begins.
        '';
      };
      useKernelOOMKiller= mkOption {
        type = types.bool;
        default = false;
        description = ''
          Use kernel OOM killer instead of own user-space implementation.
        '';
      };
      ignoreOOMScoreAdjust = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Ignore oom_score_adjust values of processes.
          User-space implementation only.
        '';
      };
      enableDebugInfo = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable debugging messages.
        '';
      };
    };
  };
  config = mkIf ecfg.enable {
    assertions = [
      { assertion = ecfg.freeMemThreshold > 0 && ecfg.freeMemThreshold <= 100;
        message = "Needs to be a positive percentage"; }
      { assertion = ecfg.freeSwapThreshold > 0 && ecfg.freeSwapThreshold <= 100;
        message = "Needs to be a positive percentage"; }
      { assertion = !ecfg.useKernelOOMKiller || !ecfg.ignoreOOMScoreAdjust;
        message = "Both options in conjunction do not make sense"; }
    ];
    systemd.services.earlyoom = {
      description = "Early OOM Daemon for Linux";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        StandardOutput = "null";
        StandardError = "syslog";
        ExecStart = ''
          ${pkgs.earlyoom}/bin/earlyoom \
          -m ${toString ecfg.freeMemThreshold} \
          -s ${toString ecfg.freeSwapThreshold} \
          ${optionalString ecfg.useKernelOOMKiller "-k"} \
          ${optionalString ecfg.ignoreOOMScoreAdjust "-i"} \
          ${optionalString ecfg.enableDebugInfo "-d"}
        '';
      };
    };
  };
 }
--- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@ -9,7 +9,7 @@ let
    <?php
    define('DB_NAME',     '${config.dbName}');
    define('DB_USER',     '${config.dbUser}');
-    define('DB_PASSWORD', '${config.dbPassword}');
+    define('DB_PASSWORD', file_get_contents('${config.dbPasswordFile}'));
    define('DB_HOST',     '${config.dbHost}');
    define('DB_CHARSET',  'utf8');
    $table_prefix  = '${config.tablePrefix}';
@ -137,9 +137,34 @@ in
    };
    dbPassword = mkOption {
      default = "wordpress";
-      description = "The mysql password to the respective dbUser.";
+      description = ''
        The mysql password to the respective dbUser.
        Warning: this password is stored in the world-readable Nix store. It's
        recommended to use the $dbPasswordFile option since that gives you control over
        the security of the password. $dbPasswordFile also takes precedence over $dbPassword.
      '';
      example = "wordpress";
    };
    dbPasswordFile = mkOption {
      type = types.str;
      default = toString (pkgs.writeTextFile {
        name = "wordpress-dbpassword";
        text = config.dbPassword;
      });
      example = "/run/keys/wordpress-dbpassword";
      description = ''
        Path to a file that contains the mysql password to the respective dbUser.
        The file should be readable by the user: config.services.httpd.user.
        $dbPasswordFile takes precedence over the $dbPassword option.
        This defaults to a file in the world-readable Nix store that contains the value
        of the $dbPassword option. It's recommended to override this with a path not in
        the Nix store. Tip: use nixops key management:
        <link xlink:href='https://nixos.org/nixops/manual/#idm140737318306400'/>
      '';
    };
    tablePrefix = mkOption {
      default = "wp_";
      description = ''
@ -251,7 +276,7 @@ in
        sleep 1
      done
      ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
-      ${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
+      ${pkgs.mysql}/bin/mysql -e "GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY \"$(cat ${config.dbPasswordFile})\";"
    else
      echo "Good, no need to do anything database related."
    fi
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -87,6 +87,8 @@ let
      server_tokens ${if cfg.serverTokens then "on" else "off"};
      ${cfg.commonHttpConfig}
      ${vhosts}
      ${optionalString cfg.statusPage ''
@ -183,6 +185,7 @@ let
      ${optionalString (config.index != null) "index ${config.index};"}
      ${optionalString (config.tryFiles != null) "try_files ${config.tryFiles};"}
      ${optionalString (config.root != null) "root ${config.root};"}
      ${optionalString (config.alias != null) "alias ${config.alias};"}
      ${config.extraConfig}
    }
  '') locations);
@ -244,11 +247,13 @@ in
      };
      package = mkOption {
-        default = pkgs.nginx;
+        default = pkgs.nginxStable;
-        defaultText = "pkgs.nginx";
+        defaultText = "pkgs.nginxStable";
        type = types.package;
        description = "
-          Nginx package to use.
+          Nginx package to use. This defaults to the stable version. Note
          that the nginx team recommends to use the mainline version which
          available in nixpkgs as <literal>nginxMainline</literal>.
        ";
      };
@ -275,6 +280,24 @@ in
        '';
      };
      commonHttpConfig = mkOption {
        type = types.lines;
        default = "";
        example = ''
          resolver 127.0.0.1 valid=5s;
          log_format myformat '$remote_addr - $remote_user [$time_local] '
                              '"$request" $status $body_bytes_sent '
                              '"$http_referer" "$http_user_agent"';
        '';
        description = ''
          With nginx you must provide common http context definitions before
          they are used, e.g. log_format, resolver, etc. inside of server
          or location contexts. Use this attribute to set these definitions
          at the appropriate location.
        '';
      };
      httpConfig = mkOption {
        type = types.lines;
        default = "";
@ -381,6 +404,13 @@ in
  config = mkIf cfg.enable {
    # TODO: test user supplied config file pases syntax test
    assertions = let hostOrAliasIsNull = l: l.root == null || l.alias == null; in [
      {
        assertion = all (host: all hostOrAliasIsNull (attrValues host.locations)) (attrValues virtualHosts);
        message = "Only one of nginx root or alias can be specified on a location.";
      }
    ];
    systemd.services.nginx = {
      description = "Nginx Web Server";
      after = [ "network.target" ];
--- a/nixos/modules/services/web-servers/nginx/location-options.nix
+++ b/nixos/modules/services/web-servers/nginx/location-options.nix
@ -45,6 +45,15 @@ with lib;
      '';
    };
    alias = mkOption {
      type = types.nullOr types.path;
      default = null;
      example = "/your/alias/directory";
      description = ''
        Alias directory for requests.
      '';
    };
    extraConfig = mkOption {
      type = types.lines;
      default = "";
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@ -147,7 +147,6 @@ in {
          cfgFile = fpmCfgFile pool poolConfig;
        in {
          Slice = "phpfpm.slice";
          PrivateTmp = true;
          PrivateDevices = true;
          ProtectSystem = "full";
          ProtectHome = true;
--- a/nixos/modules/services/x11/desktop-managers/enlightenment.nix
+++ b/nixos/modules/services/x11/desktop-managers/enlightenment.nix
@ -64,7 +64,7 @@ in
    security.wrappers.e_freqset.source = "${e.enlightenment.out}/bin/e_freqset";
    environment.etc = singleton
-      { source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
+      { source = xcfg.xkbDir;
        target = "X11/xkb";
      };
--- a/nixos/modules/services/x11/desktop-managers/lumina.nix
+++ b/nixos/modules/services/x11/desktop-managers/lumina.nix
@ -32,8 +32,8 @@ in
    environment.systemPackages = [
      pkgs.fluxbox
-      pkgs.qt5.kwindowsystem
+      pkgs.libsForQt5.kwindowsystem
-      pkgs.qt5.oxygen-icons5
+      pkgs.kdeFrameworks.oxygen-icons5
      pkgs.lumina
      pkgs.numlockx
      pkgs.qt5.qtsvg
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@ -176,7 +176,7 @@ in
      environment.pathsToLink = [ "/share" ];
      environment.etc = singleton {
-        source = "${pkgs.xkeyboard_config}/etc/X11/xkb";
+        source = xcfg.xkbDir;
        target = "X11/xkb";
      };
@ -208,11 +208,7 @@ in
      services.xserver.displayManager.sddm = {
        theme = "breeze";
-        themes = [
+        package = pkgs.sddmPlasma5;
          pkgs.extra-cmake-modules # for the setup-hook
          plasma5.plasma-workspace
          pkgs.breeze-icons
        ];
      };
      security.pam.services.kde = { allowNullPassword = true; };
@ -225,11 +221,6 @@ in
      security.pam.services.sddm.enableKwallet = true;
      security.pam.services.slim.enableKwallet = true;
      # use kimpanel as the default IBus panel
      i18n.inputMethod.ibus.panel =
        lib.mkDefault
        "${plasma5.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
    })
  ];
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@ -24,7 +24,7 @@ let
    Xft.lcdfilter: lcd${fontconfig.subpixel.lcdfilter}
    Xft.hinting: ${if fontconfig.hinting.enable then "1" else "0"}
    Xft.autohint: ${if fontconfig.hinting.autohint then "1" else "0"}
-    Xft.hintstyle: hint${fontconfig.hinting.style}
+    Xft.hintstyle: hintslight
  '';
  # file provided by services.xserver.displayManager.session.script
--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
@ -45,6 +45,7 @@ let
    theme-name = ${cfg.theme.name}
    icon-theme-name = ${cfg.iconTheme.name}
    background = ${ldmcfg.background}
    ${cfg.extraConfig}
    '';
 in
@ -103,6 +104,15 @@ in
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Extra configuration that should be put in the lightdm-gtk-greeter.conf
          configuration file.
        '';
      };
    };
  };
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@ -9,7 +9,7 @@ let
  cfg = dmcfg.sddm;
  xEnv = config.systemd.services."display-manager".environment;
-  sddm = pkgs.sddm.override { inherit (cfg) themes; };
+  sddm = cfg.package;
  xserverWrapper = pkgs.writeScript "xserver-wrapper" ''
    #!/bin/sh
@ -105,11 +105,12 @@ in
        '';
      };
-      themes = mkOption {
+      package = mkOption {
-        type = types.listOf types.package;
+        type = types.package;
-        default = [];
+        default = pkgs.sddm;
        description = ''
-          Extra packages providing themes.
+          The SDDM package to install.
          The default package can be overridden to provide extra themes.
        '';
      };
--- a/nixos/modules/services/x11/window-managers/2bwm.nix
+++ b/nixos/modules/services/x11/window-managers/2bwm.nix
@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.xserver.windowManager."2bwm";
 in
 {
  ###### interface
  options = {
    services.xserver.windowManager."2bwm".enable = mkEnableOption "2bwm";
  };
  ###### implementation
  config = mkIf cfg.enable {
    services.xserver.windowManager.session = singleton
      { name = "2bwm";
        start =
          ''
            ${pkgs."2bwm"}/bin/2bwm &
            waitPID=$!
          '';
      };
    environment.systemPackages = [ pkgs."2bwm" ];
  };
 }
--- a/nixos/modules/services/x11/window-managers/default.nix
+++ b/nixos/modules/services/x11/window-managers/default.nix
@ -8,12 +8,14 @@ in
 {
  imports = [
    ./2bwm.nix
    ./afterstep.nix
    ./bspwm.nix
    ./compiz.nix
    ./dwm.nix
    ./exwm.nix
    ./fluxbox.nix
    ./fvwm.nix
    ./herbstluftwm.nix
    ./i3.nix
    ./jwm.nix
--- a/nixos/modules/services/x11/window-managers/fvwm.nix
+++ b/nixos/modules/services/x11/window-managers/fvwm.nix
@ -0,0 +1,41 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.xserver.windowManager.fvwm;
  fvwm = pkgs.fvwm.override { gestures = cfg.gestures; };
 in
 {
  ###### interface
  options = {
    services.xserver.windowManager.fvwm = {
      enable = mkEnableOption "Fvwm window manager";
      gestures = mkOption {
        default = false;
        type = types.bool;
        description = "Whether or not to enable libstroke for gesture support";
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    services.xserver.windowManager.session = singleton
      { name = "fvwm";
        start =
          ''
            ${fvwm}/bin/fvwm &
            waitPID=$!
          '';
      };
    environment.systemPackages = [ fvwm ];
  };
 }
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@ -53,6 +53,8 @@ let
        ln -s ${config.system.build.initialRamdisk}/initrd $out/initrd
        ln -s ${config.system.build.initialRamdiskSecretAppender}/bin/append-initrd-secrets $out
        ln -s ${config.hardware.firmware}/lib/firmware $out/firmware
      ''}
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@ -44,9 +44,10 @@ in
      description = ''
        RSA SSH private key file in the Dropbear format.
-        WARNING: This key is contained insecurely in the global Nix store. Do NOT
+        WARNING: Unless your bootloader supports initrd secrets, this key is
-        use your regular SSH host private keys for this purpose or you'll expose
+        contained insecurely in the global Nix store. Do NOT use your regular
-        them to regular users!
+        SSH host private keys for this purpose or you'll expose them to
        regular users!
      '';
    };
@ -56,9 +57,10 @@ in
      description = ''
        DSS SSH private key file in the Dropbear format.
-        WARNING: This key is contained insecurely in the global Nix store. Do NOT
+        WARNING: Unless your bootloader supports initrd secrets, this key is
-        use your regular SSH host private keys for this purpose or you'll expose
+        contained insecurely in the global Nix store. Do NOT use your regular
-        them to regular users!
+        SSH host private keys for this purpose or you'll expose them to
        regular users!
      '';
    };
@ -68,9 +70,10 @@ in
      description = ''
        ECDSA SSH private key file in the Dropbear format.
-        WARNING: This key is contained insecurely in the global Nix store. Do NOT
+        WARNING: Unless your bootloader supports initrd secrets, this key is
-        use your regular SSH host private keys for this purpose or you'll expose
+        contained insecurely in the global Nix store. Do NOT use your regular
-        them to regular users!
+        SSH host private keys for this purpose or you'll expose them to
        regular users!
      '';
    };
@ -97,10 +100,6 @@ in
    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
      cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
      ${optionalString (cfg.hostRSAKey != null) "install -D ${cfg.hostRSAKey} $out/etc/dropbear/dropbear_rsa_host_key"}
      ${optionalString (cfg.hostDSSKey != null) "install -D ${cfg.hostDSSKey} $out/etc/dropbear/dropbear_dss_host_key"}
      ${optionalString (cfg.hostECDSAKey != null) "install -D ${cfg.hostECDSAKey} $out/etc/dropbear/dropbear_ecdsa_host_key"}
    '';
    boot.initrd.extraUtilsCommandsTest = ''
@ -116,9 +115,6 @@ in
      touch /var/log/lastlog
      mkdir -p /etc/dropbear
      ${optionalString (cfg.hostRSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key"}
      ${optionalString (cfg.hostDSSKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_dss_host_key /etc/dropbear/dropbear_dss_host_key"}
      ${optionalString (cfg.hostECDSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_ecdsa_host_key /etc/dropbear/dropbear_ecdsa_host_key"}
      mkdir -p /root/.ssh
      ${concatStrings (map (key: ''
@ -128,6 +124,11 @@ in
      dropbear -s -j -k -E -m -p ${toString cfg.port}
    '';
    boot.initrd.secrets =
     (optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
     (optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
     (optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
  };
 }
--- a/nixos/modules/system/boot/loader/grub/install-grub.pl
+++ b/nixos/modules/system/boot/loader/grub/install-grub.pl
@ -443,9 +443,40 @@ my $confFile = $grubVersion == 1 ? "$bootPath/grub/menu.lst" : "$bootPath/grub/g
 my $tmpFile = $confFile . ".tmp";
 writeFile($tmpFile, $conf);
 # check whether to install GRUB EFI or not
 sub getEfiTarget {
    if ($grubVersion == 1) {
        return "no"
    } elsif (($grub ne "") && ($grubEfi ne "")) {
        # EFI can only be installed when target is set;
        # A target is also required then for non-EFI grub
        if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die }
        else { return "both" }
    } elsif (($grub ne "") && ($grubEfi eq "")) {
        # TODO: It would be safer to disallow non-EFI grub installation if no taget is given.
        #       If no target is given, then grub auto-detects the target which can lead to errors.
        #       E.g. it seems as if grub would auto-detect a EFI target based on the availability
        #       of a EFI partition.
        #       However, it seems as auto-detection is currently relied on for non-x86_64 and non-i386
        #       architectures in NixOS. That would have to be fixed in the nixos modules first.
        return "no"
    } elsif (($grub eq "") && ($grubEfi ne "")) {
        # EFI can only be installed when target is set;
        if ($grubTargetEfi eq "") { die }
        else {return "only" }
    } else {
        # prevent an installation if neither grub nor grubEfi is given
        return "neither"
    }
 }
 my $efiTarget = getEfiTarget();
 # Append entries detected by os-prober
 if (get("useOSProber") eq "true") {
-    system(get("shell"), "-c", "pkgdatadir=$grub/share/grub $grub/etc/grub.d/30_os-prober >> $tmpFile");
+    my $targetpackage = ($efiTarget eq "no") ? $grub : $grubEfi;
    system(get("shell"), "-c", "pkgdatadir=$targetpackage/share/grub $targetpackage/etc/grub.d/30_os-prober >> $tmpFile");
 }
 # Atomically switch to the new config
@ -498,36 +529,7 @@ sub getDeviceTargets {
    }
    return @devices;
 }
 # check whether to install GRUB EFI or not
 sub getEfiTarget {
    if ($grubVersion == 1) {
        return "no"
    } elsif (($grub ne "") && ($grubEfi ne "")) {
        # EFI can only be installed when target is set;
        # A target is also required then for non-EFI grub
        if (($grubTarget eq "") || ($grubTargetEfi eq "")) { die }
        else { return "both" }
    } elsif (($grub ne "") && ($grubEfi eq "")) {
        # TODO: It would be safer to disallow non-EFI grub installation if no taget is given.
        #       If no target is given, then grub auto-detects the target which can lead to errors.
        #       E.g. it seems as if grub would auto-detect a EFI target based on the availability
        #       of a EFI partition.
        #       However, it seems as auto-detection is currently relied on for non-x86_64 and non-i386
        #       architectures in NixOS. That would have to be fixed in the nixos modules first.
        return "no"
    } elsif (($grub eq "") && ($grubEfi ne "")) {
        # EFI can only be installed when target is set;
        if ($grubTargetEfi eq "") { die }
        else {return "only" }
    } else {
        # prevent an installation if neither grub nor grubEfi is given
        return "neither"
    }
 }
 my @deviceTargets = getDeviceTargets();
 my $efiTarget = getEfiTarget();
 my $prevGrubState = readGrubState();
 my @prevDeviceTargets = split/,/, $prevGrubState->devices;
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@ -32,8 +32,11 @@ def write_loader_conf(generation):
            f.write("editor 0");
    os.rename("@efiSysMountPoint@/loader/loader.conf.tmp", "@efiSysMountPoint@/loader/loader.conf")
 def profile_path(generation, name):
    return os.readlink("%s/%s" % (system_dir(generation), name))
 def copy_from_profile(generation, name, dry_run=False):
-    store_file_path = os.readlink("%s/%s" % (system_dir(generation), name))
+    store_file_path = profile_path(generation, name)
    suffix = os.path.basename(store_file_path)
    store_dir = os.path.basename(os.path.dirname(store_file_path))
    efi_file_path = "/efi/nixos/%s-%s.efi" % (store_dir, suffix)
@ -44,6 +47,11 @@ def copy_from_profile(generation, name, dry_run=False):
 def write_entry(generation, machine_id):
    kernel = copy_from_profile(generation, "kernel")
    initrd = copy_from_profile(generation, "initrd")
    try:
        append_initrd_secrets = profile_path(generation, "append-initrd-secrets")
        subprocess.check_call([append_initrd_secrets, "@efiSysMountPoint@%s" % (initrd)])
    except FileNotFoundError:
        pass
    entry_file = "@efiSysMountPoint@/loader/entries/nixos-generation-%d.conf" % (generation)
    generation_dir = os.readlink(system_dir(generation))
    tmp_path = "%s.tmp" % (entry_file)
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@ -65,6 +65,8 @@ in {
    boot.loader.grub.enable = mkDefault false;
    boot.loader.supportsInitrdSecrets = true;
    system = {
      build.installBootLoader = gummibootBuilder;
--- a/nixos/modules/system/boot/luksroot.nix
+++ b/nixos/modules/system/boot/luksroot.nix
@ -6,29 +6,38 @@ let
  luks = config.boot.initrd.luks;
  openCommand = name': { name, device, header, keyFile, keyFileSize, allowDiscards, yubikey, ... }: assert name' == name; ''
-    # Wait for luksRoot to appear, e.g. if on a usb drive.
+
-    # XXX: copied and adapted from stage-1-init.sh - should be
+    # Wait for a target (e.g. device, keyFile, header, ...) to appear.
-    # available as a function.
+    wait_target() {
-    if ! test -e ${device}; then
+        local name="$1"
-        echo -n "waiting 10 seconds for device ${device} to appear..."
+        local target="$2"
-        for try in $(seq 10); do
+
-            sleep 1
+        if [ ! -e $target ]; then
-            if test -e ${device}; then break; fi
+            echo -n "Waiting 10 seconds for $name $target to appear"
-            echo -n .
+            local success=false;
-        done
+            for try in $(seq 10); do
-        echo "ok"
+                echo -n "."
-    fi
+                sleep 1
                if [ -e $target ]; then success=true break; fi
            done
            if [ $success = true ]; then
                echo " - success";
            else
                echo " - failure";
            fi
        fi
    }
    # Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
    # if on a USB drive.
    wait_target "device" ${device}
    ${optionalString (keyFile != null) ''
-    if ! test -e ${keyFile}; then
+      wait_target "key file" ${keyFile}
-        echo -n "waiting 10 seconds for key file ${keyFile} to appear..."
+    ''}
-        for try in $(seq 10); do
+
-            sleep 1
+    ${optionalString (header != null) ''
-            if test -e ${keyFile}; then break; fi
+      wait_target "header" ${header}
            echo -n .
        done
        echo "ok"
    fi
    ''}
    open_normally() {
--- a/nixos/modules/system/boot/stage-1-init.sh
+++ b/nixos/modules/system/boot/stage-1-init.sh
@ -8,6 +8,14 @@ export LD_LIBRARY_PATH=@extraUtils@/lib
 export PATH=@extraUtils@/bin
 ln -s @extraUtils@/bin /bin
 # Copy the secrets to their needed location
 if [ -d "@extraUtils@/secrets" ]; then
    for secret in $(cd "@extraUtils@/secrets"; find . -type f); do
        mkdir -p $(dirname "/$secret")
        ln -s "@extraUtils@/secrets/$secret" "$secret"
    done
 fi
 # Stop LVM complaining about fd3
 export LVM_SUPPRESS_FD_WARNINGS=true
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@ -82,6 +82,17 @@ let
        copy_bin_and_libs ${pkgs.e2fsprogs}/sbin/resize2fs
      ''}
      # Copy secrets if needed.
      ${optionalString (!config.boot.loader.supportsInitrdSecrets)
          (concatStringsSep "\n" (mapAttrsToList (dest: source:
             let source' = if source == null then dest else source; in
               ''
                  mkdir -p $(dirname "$out/secrets/${dest}")
                  cp -a ${source'} "$out/secrets/${dest}"
                ''
          ) config.boot.initrd.secrets))
       }
      ${config.boot.initrd.extraUtilsCommands}
      # Copy ld manually since it isn't detected correctly
@ -242,6 +253,52 @@ let
      ];
  };
  # Script to add secret files to the initrd at bootloader update time
  initialRamdiskSecretAppender =
    pkgs.writeScriptBin "append-initrd-secrets"
      ''
        #!${pkgs.bash}/bin/bash -e
        function usage {
          echo "USAGE: $0 INITRD_FILE" >&2
          echo "Appends this configuration's secrets to INITRD_FILE" >&2
        }
        if [ $# -ne 1 ]; then
          usage
          exit 1
        fi
        if [ "$1"x = "--helpx" ]; then
          usage
          exit 0
        fi
        ${lib.optionalString (config.boot.initrd.secrets == {})
            "exit 0"}
        export PATH=${pkgs.coreutils}/bin:${pkgs.cpio}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
        function cleanup {
          if [ -n "$tmp" -a -d "$tmp" ]; then
            rm -fR "$tmp"
          fi
        }
        trap cleanup EXIT
        tmp=$(mktemp -d initrd-secrets.XXXXXXXXXX)
        ${lib.concatStringsSep "\n" (mapAttrsToList (dest: source:
            let source' = if source == null then dest else toString source; in
              ''
                mkdir -p $(dirname "$tmp/${dest}")
                cp -a ${source'} "$tmp/${dest}"
              ''
          ) config.boot.initrd.secrets)
         }
        (cd "$tmp" && find . | cpio -H newc -o) | gzip >>"$1"
      '';
 in
 {
@ -370,6 +427,25 @@ in
      example = "xz";
    };
    boot.initrd.secrets = mkOption
      { internal = true;
        default = {};
        type = types.attrsOf (types.nullOr types.path);
        description =
          ''
            Secrets to append to the initrd. The attribute name is the
            path the secret should have inside the initrd, the value
            is the path it should be copied from (or null for the same
            path inside and out).
          '';
        example = literalExample
          ''
            { "/etc/dropbear/dropbear_rsa_host_key" =
                ./secret-dropbear-key;
            }
          '';
      };
    boot.initrd.supportedFilesystems = mkOption {
      default = [ ];
      example = [ "btrfs" ];
@ -377,6 +453,18 @@ in
      description = "Names of supported filesystem types in the initial ramdisk.";
    };
    boot.loader.supportsInitrdSecrets = mkOption
      { internal = true;
        default = false;
        type = types.bool;
        description =
          ''
            Whether the bootloader setup runs append-initrd-secrets.
            If not, any needed secrets must be copied into the initrd
            and thus added to the store.
          '';
      };
    fileSystems = mkOption {
      options.neededForBoot = mkOption {
        default = false;
@ -404,9 +492,8 @@ in
      }
    ];
-    system.build.bootStage1 = bootStage1;
+    system.build =
-    system.build.initialRamdisk = initialRamdisk;
+      { inherit bootStage1 initialRamdisk initialRamdiskSecretAppender extraUtils; };
    system.build.extraUtils = extraUtils;
    system.requiredKernelConfig = with config.lib.kernelConfig; [
      (isYes "TMPFS")
--- a/nixos/modules/system/boot/systemd-unit-options.nix
+++ b/nixos/modules/system/boot/systemd-unit-options.nix
@ -328,7 +328,7 @@ in rec {
        Automatically start this unit at the given date/time, which
        must be in the format described in
        <citerefentry><refentrytitle>systemd.time</refentrytitle>
-        <manvolnum>5</manvolnum></citerefentry>.  This is equivalent
+        <manvolnum>7</manvolnum></citerefentry>.  This is equivalent
        to adding a corresponding timer unit with
        <option>OnCalendar</option> set to the value given here.
      '';
@ -375,9 +375,9 @@ in rec {
        Each attribute in this set specifies an option in the
        <literal>[Timer]</literal> section of the unit.  See
        <citerefentry><refentrytitle>systemd.timer</refentrytitle>
-        <manvolnum>5</manvolnum></citerefentry> and
+        <manvolnum>7</manvolnum></citerefentry> and
        <citerefentry><refentrytitle>systemd.time</refentrytitle>
-        <manvolnum>5</manvolnum></citerefentry> for details.
+        <manvolnum>7</manvolnum></citerefentry> for details.
      '';
    };
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@ -829,7 +829,8 @@ in
    # Some overrides to upstream units.
    systemd.services."systemd-backlight@".restartIfChanged = false;
-    systemd.services."systemd-rfkill@".restartIfChanged = false;
+    systemd.services."systemd-fsck@".restartIfChanged = false;
    systemd.services."systemd-fsck@".path = [ config.system.path ];
    systemd.services."user@".restartIfChanged = false;
    systemd.services.systemd-journal-flush.restartIfChanged = false;
    systemd.services.systemd-random-seed.restartIfChanged = false;
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@ -221,7 +221,7 @@ in
    environment.etc.fstab.text =
      let
-        fsToSkipCheck = [ "none" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ];
+        fsToSkipCheck = [ "none" "bindfs" "btrfs" "zfs" "tmpfs" "nfs" "vboxsf" "glusterfs" ];
        skipCheck = fs: fs.noCheck || fs.device == "none" || builtins.elem fs.fsType fsToSkipCheck;
      in ''
        # This is a generated file.  Do not edit!
--- a/nixos/modules/tasks/filesystems/zfs.nix
+++ b/nixos/modules/tasks/filesystems/zfs.nix
@ -234,7 +234,7 @@ in
        description = ''
          Systemd calendar expression when to scrub ZFS pools. See
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>.
+          <manvolnum>7</manvolnum></citerefentry>.
        '';
      };
--- a/nixos/modules/tasks/network-interfaces-scripted.nix
+++ b/nixos/modules/tasks/network-interfaces-scripted.nix
@ -159,35 +159,42 @@ let
            after = [ "network-pre.target" ] ++ (deviceDependency i.name);
            serviceConfig.Type = "oneshot";
            serviceConfig.RemainAfterExit = true;
            # Restart rather than stop+start this unit to prevent the
            # network from dying during switch-to-configuration.
            stopIfChanged = false;
            path = [ pkgs.iproute ];
            script =
              ''
                # FIXME: shouldn't this be done in network-link?
                echo "bringing up interface..."
                ip link set "${i.name}" up
-                restart_network_interfaces=false
+                state="/run/nixos/network/addresses/${i.name}"
                mkdir -p $(dirname "$state")
              '' + flip concatMapStrings (ips) (ip:
                let
                  address = "${ip.address}/${toString ip.prefixLength}";
                in
                ''
-                  echo "checking ip ${address}..."
+                  echo "${address}" >> $state
                  if out=$(ip addr add "${address}" dev "${i.name}" 2>&1); then
-                    echo "added ip ${address}..."
+                    echo "added ip ${address}"
                  elif ! echo "$out" | grep "File exists" >/dev/null 2>&1; then
                    echo "failed to add ${address}"
                    exit 1
                  fi
                '');
-            preStop = flip concatMapStrings (ips) (ip:
+            preStop = ''
-                let
+              state="/run/nixos/network/addresses/${i.name}"
-                  address = "${ip.address}/${toString ip.prefixLength}";
+              while read address; do
-                in
+                echo -n "deleting $address..."
-                ''
+                ip addr del "$address" dev "${i.name}" >/dev/null 2>&1 || echo -n " Failed"
-                  echo -n "deleting ${address}..."
+                echo ""
-                  ip addr del "${address}" dev "${i.name}" >/dev/null 2>&1 || echo -n " Failed"
+              done < "$state"
-                  echo ""
+              rm -f "$state"
-                '');
+            '';
          };
        createTunDevice = i: nameValuePair "${i.name}-netdev"
@ -239,6 +246,10 @@ let
                ip link set "${i}" master "${n}"
                ip link set "${i}" up
              '')}
              # Save list of enslaved interfaces
              echo "${flip concatMapStrings v.interfaces (i: ''
                ${i}
              '')}" > /run/${n}.interfaces
              # Enable stp on the interface
              ${optionalString v.rstp ''
@ -250,7 +261,28 @@ let
            postStop = ''
              ip link set "${n}" down || true
              ip link del "${n}" || true
              rm -f /run/${n}.interfaces
            '';
            reload = ''
              # Un-enslave child interfaces (old list of interfaces)
              for interface in `cat /run/${n}.interfaces`; do
                ip link set "$interface" nomaster up
              done
              # Enslave child interfaces (new list of interfaces)
              ${flip concatMapStrings v.interfaces (i: ''
                ip link set "${i}" master "${n}"
                ip link set "${i}" up
              '')}
              # Save list of enslaved interfaces
              echo "${flip concatMapStrings v.interfaces (i: ''
                ${i}
              '')}" > /run/${n}.interfaces
              # (Un-)set stp on the bridge
              echo ${if v.rstp then "2" else "0"} > /sys/class/net/${n}/bridge/stp_state
            '';
            reloadIfChanged = true;
          });
        createVswitchDevice = n: v: nameValuePair "${n}-netdev"
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@ -59,15 +59,16 @@ in
    systemd.network =
      let
        domains = cfg.search ++ (optional (cfg.domain != null) cfg.domain);
-        genericNetwork = override: {
+        genericNetwork = override:
-          DHCP = override (dhcpStr cfg.useDHCP);
+          let gateway = optional (cfg.defaultGateway != null) cfg.defaultGateway.address
-        } // optionalAttrs (cfg.defaultGateway != null) {
+            ++ optional (cfg.defaultGateway6 != null) cfg.defaultGateway6.address;
-          gateway = override [ cfg.defaultGateway.address ];
+          in {
-        } // optionalAttrs (cfg.defaultGateway6 != null) {
+            DHCP = override (dhcpStr cfg.useDHCP);
-          gateway = override [ cfg.defaultGateway6.address ];
+          } // optionalAttrs (gateway != [ ]) {
-        } // optionalAttrs (domains != [ ]) {
+            gateway = override gateway;
-          domains = override domains;
+          } // optionalAttrs (domains != [ ]) {
-        };
+            domains = override domains;
          };
      in mkMerge [ {
        enable = true;
        networks."99-main" = genericNetwork mkDefault;
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@ -15,6 +15,12 @@ let cfg = config.ec2; in
  config = {
    assertions = [
      { assertion = cfg.hvm;
        message = "Paravirtualized EC2 instances are no longer supported.";
      }
    ];
    virtualisation.growPartition = cfg.hvm;
    fileSystems."/" = {
--- a/nixos/modules/virtualisation/amazon-options.nix
+++ b/nixos/modules/virtualisation/amazon-options.nix
@ -3,7 +3,7 @@
  options = {
    ec2 = {
      hvm = lib.mkOption {
-        default = false;
+        default = lib.versionAtLeast config.system.stateVersion "17.03";
        internal = true;
        description = ''
          Whether the EC2 instance is a HVM instance.
@ -11,6 +11,4 @@
      };
    };
  };
  config = {};
 }
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@ -126,7 +126,17 @@ in
        path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);
      };
-      systemd.sockets.docker.socketConfig.ListenStream = cfg.listenOptions;
+
      systemd.sockets.docker = {
        description = "Docker Socket for the API";
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          ListenStream = cfg.listenOptions;
          SocketMode = "0660";
          SocketUser = "root";
          SocketGroup = "docker";
        };
      };
    }
  ]);
--- a/Show More
+++ b/Show More