Merge branch 'master' into HEAD

This commit is contained in:
Nikolay Amiantov 2017-10-17 03:39:54 +03:00
commit c6c67c46bf
649 changed files with 15141 additions and 11004 deletions

3
.github/CODEOWNERS vendored

@ -50,3 +50,6 @@ pkgs/development/tools/erlang/* @gleber
# Jetbrains # Jetbrains
pkgs/applications/editors/jetbrains @edwtjo pkgs/applications/editors/jetbrains @edwtjo
# Eclipse
pkgs/applications/editors/eclipse @rycee


@ -9,7 +9,7 @@
- Built on platform(s) - Built on platform(s)
- [ ] NixOS - [ ] NixOS
- [ ] macOS - [ ] macOS
- [ ] Linux - [ ] other Linux distributions
- [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
- [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"` - [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"`
- [ ] Tested execution of all binary files (usually in `./result/bin/`) - [ ] Tested execution of all binary files (usually in `./result/bin/`)


@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
``` ```
For stability and maximum binary package support, it is recommended to maintain For stability and maximum binary package support, it is recommended to maintain
custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest custom changes on top of one of the channels, e.g. `nixos-17.09` for the latest
release and `nixos-unstable` for the latest successful build of master: release and `nixos-unstable` for the latest successful build of master:
``` ```
% git remote update channels % git remote update channels
% git rebase channels/nixos-17.03 % git rebase channels/nixos-17.09
``` ```
For pull-requests, please rebase onto nixpkgs `master`. For pull-requests, please rebase onto nixpkgs `master`.
@ -30,11 +30,11 @@ For pull-requests, please rebase onto nixpkgs `master`.
* [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language) * [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language)
* [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/) * [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
* [Manual (NixOS)](https://nixos.org/nixos/manual/) * [Manual (NixOS)](https://nixos.org/nixos/manual/)
* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22)) * [Community maintained wiki](https://nixos.wiki/)
* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined) * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03) * [Continuous package builds for 17.09 release](https://hydra.nixos.org/jobset/nixos/release-17.09)
* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents) * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents) * [Tests for 17.09 release](https://hydra.nixos.org/job/nixos/release-17.09/tested#tabs-constituents)
Communication: Communication:


@ -41,6 +41,7 @@
amorsillo = "Andrew Morsillo <andrew.morsillo@gmail.com>"; amorsillo = "Andrew Morsillo <andrew.morsillo@gmail.com>";
AndersonTorres = "Anderson Torres <torres.anderson.85@gmail.com>"; AndersonTorres = "Anderson Torres <torres.anderson.85@gmail.com>";
anderspapitto = "Anders Papitto <anderspapitto@gmail.com>"; anderspapitto = "Anders Papitto <anderspapitto@gmail.com>";
andir = "Andreas Rammhold <andreas@rammhold.de>";
andres = "Andres Loeh <ksnixos@andres-loeh.de>"; andres = "Andres Loeh <ksnixos@andres-loeh.de>";
andrewrk = "Andrew Kelley <superjoe30@gmail.com>"; andrewrk = "Andrew Kelley <superjoe30@gmail.com>";
andsild = "Anders Sildnes <andsild@gmail.com>"; andsild = "Anders Sildnes <andsild@gmail.com>";
@ -71,6 +72,7 @@
bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>"; bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
bcdarwin = "Ben Darwin <bcdarwin@gmail.com>"; bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>"; bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
bendlas = "Herwig Hochleitner <herwig@bendlas.net>";
benley = "Benjamin Staffin <benley@gmail.com>"; benley = "Benjamin Staffin <benley@gmail.com>";
bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>"; bennofs = "Benno Fünfstück <benno.fuenfstueck@gmail.com>";
benwbooth = "Ben Booth <benwbooth@gmail.com>"; benwbooth = "Ben Booth <benwbooth@gmail.com>";
@ -98,6 +100,7 @@
canndrew = "Andrew Cann <shum@canndrew.org>"; canndrew = "Andrew Cann <shum@canndrew.org>";
carlsverre = "Carl Sverre <accounts@carlsverre.com>"; carlsverre = "Carl Sverre <accounts@carlsverre.com>";
casey = "Casey Rodarmor <casey@rodarmor.net>"; casey = "Casey Rodarmor <casey@rodarmor.net>";
catern = "Spencer Baugh <sbaugh@catern.com>";
caugner = "Claas Augner <nixos@caugner.de>"; caugner = "Claas Augner <nixos@caugner.de>";
cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>"; cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>"; cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
@ -105,6 +108,7 @@
chaoflow = "Florian Friesdorf <flo@chaoflow.net>"; chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
chattered = "Phil Scott <me@philscotted.com>"; chattered = "Phil Scott <me@philscotted.com>";
choochootrain = "Hurshal Patel <hurshal@imap.cc>"; choochootrain = "Hurshal Patel <hurshal@imap.cc>";
chpatrick = "Patrick Chilton <chpatrick@gmail.com>";
chris-martin = "Chris Martin <ch.martin@gmail.com>"; chris-martin = "Chris Martin <ch.martin@gmail.com>";
chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>"; chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
chrisrosset = "Christopher Rosset <chris@rosset.org.uk>"; chrisrosset = "Christopher Rosset <chris@rosset.org.uk>";
@ -136,6 +140,7 @@
dancek = "Hannu Hartikainen <hannu.hartikainen@gmail.com>"; dancek = "Hannu Hartikainen <hannu.hartikainen@gmail.com>";
danielfullmer = "Daniel Fullmer <danielrf12@gmail.com>"; danielfullmer = "Daniel Fullmer <danielrf12@gmail.com>";
dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>"; dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
david50407 = "David Kuo <me@davy.tw>";
davidak = "David Kleuker <post@davidak.de>"; davidak = "David Kleuker <post@davidak.de>";
davidrusu = "David Rusu <davidrusu.me@gmail.com>"; davidrusu = "David Rusu <davidrusu.me@gmail.com>";
davorb = "Davor Babic <davor@davor.se>"; davorb = "Davor Babic <davor@davor.se>";
@ -163,13 +168,15 @@
dotlambda = "Robert Schütz <rschuetz17@gmail.com>"; dotlambda = "Robert Schütz <rschuetz17@gmail.com>";
doublec = "Chris Double <chris.double@double.co.nz>"; doublec = "Chris Double <chris.double@double.co.nz>";
dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>"; dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
dpflug = "David Pflug <david@pflug.email>";
drets = "Dmytro Rets <dmitryrets@gmail.com>"; drets = "Dmytro Rets <dmitryrets@gmail.com>";
drewkett = "Andrew Burkett <burkett.andrew@gmail.com>"; drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>"; dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
dtzWill = "Will Dietz <nix@wdtz.org>"; dtzWill = "Will Dietz <nix@wdtz.org>";
dupgit = "Olivier Delhomme <olivier.delhomme@free.fr>";
dywedir = "Vladyslav M. <dywedir@protonmail.ch>"; dywedir = "Vladyslav M. <dywedir@protonmail.ch>";
e-user = "Alexander Kahl <nixos@sodosopa.io>"; e-user = "Alexander Kahl <nixos@sodosopa.io>";
ebzzry = "Rommel Martinez <ebzzry@gmail.com>"; ebzzry = "Rommel Martinez <ebzzry@ebzzry.io>";
edanaher = "Evan Danaher <nixos@edanaher.net>"; edanaher = "Evan Danaher <nixos@edanaher.net>";
edef = "edef <edef@edef.eu>"; edef = "edef <edef@edef.eu>";
ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>"; ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
@ -190,6 +197,7 @@
eqyiel = "Ruben Maher <r@rkm.id.au>"; eqyiel = "Ruben Maher <r@rkm.id.au>";
ericbmerritt = "Eric Merritt <eric@afiniate.com>"; ericbmerritt = "Eric Merritt <eric@afiniate.com>";
ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>"; ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
erictapen = "Justin Humm <justin.humm@posteo.de>";
erikryb = "Erik Rybakken <erik.rybakken@math.ntnu.no>"; erikryb = "Erik Rybakken <erik.rybakken@math.ntnu.no>";
ertes = "Ertugrul Söylemez <esz@posteo.de>"; ertes = "Ertugrul Söylemez <esz@posteo.de>";
ethercrow = "Dmitry Ivanov <ethercrow@gmail.com>"; ethercrow = "Dmitry Ivanov <ethercrow@gmail.com>";
@ -201,6 +209,7 @@
falsifian = "James Cook <james.cook@utoronto.ca>"; falsifian = "James Cook <james.cook@utoronto.ca>";
fare = "Francois-Rene Rideau <fahree@gmail.com>"; fare = "Francois-Rene Rideau <fahree@gmail.com>";
fgaz = "Francesco Gazzetta <francygazz@gmail.com>"; fgaz = "Francesco Gazzetta <francygazz@gmail.com>";
flokli = "Florian Klink <flokli@flokli.de>";
florianjacob = "Florian Jacob <projects+nixos@florianjacob.de>"; florianjacob = "Florian Jacob <projects+nixos@florianjacob.de>";
flosse = "Markus Kohlhase <mail@markus-kohlhase.de>"; flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>"; fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>";
@ -384,7 +393,6 @@
mikefaille = "Michaël Faille <michael@faille.io>"; mikefaille = "Michaël Faille <michael@faille.io>";
miltador = "Vasiliy Solovey <miltador@yandex.ua>"; miltador = "Vasiliy Solovey <miltador@yandex.ua>";
mimadrid = "Miguel Madrid <mimadrid@ucm.es>"; mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
mingchuan = "Ming Chuan <ming@culpring.com>";
mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>"; mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>"; mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
mjanczyk = "Marcin Janczyk <m@dragonvr.pl>"; mjanczyk = "Marcin Janczyk <m@dragonvr.pl>";
@ -458,6 +466,7 @@
periklis = "theopompos@gmail.com"; periklis = "theopompos@gmail.com";
pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>"; pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
peterhoeg = "Peter Hoeg <peter@hoeg.com>"; peterhoeg = "Peter Hoeg <peter@hoeg.com>";
peterromfeldhk = "Peter Romfeld <peter.romfeld.hk@gmail.com>";
peti = "Peter Simons <simons@cryp.to>"; peti = "Peter Simons <simons@cryp.to>";
philandstuff = "Philip Potter <philip.g.potter@gmail.com>"; philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
phile314 = "Philipp Hausmann <nix@314.ch>"; phile314 = "Philipp Hausmann <nix@314.ch>";
@ -550,6 +559,7 @@
shell = "Shell Turner <cam.turn@gmail.com>"; shell = "Shell Turner <cam.turn@gmail.com>";
shlevy = "Shea Levy <shea@shealevy.com>"; shlevy = "Shea Levy <shea@shealevy.com>";
siddharthist = "Langston Barrett <langston.barrett@gmail.com>"; siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
sifmelcara = "Ming Chuan <ming@culpring.com>";
sigma = "Yann Hodique <yann.hodique@gmail.com>"; sigma = "Yann Hodique <yann.hodique@gmail.com>";
simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>"; simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
sivteck = "Sivaram Balakrishnan <sivaram1992@gmail.com>"; sivteck = "Sivaram Balakrishnan <sivaram1992@gmail.com>";
@ -574,6 +584,7 @@
sternenseemann = "Lukas Epple <post@lukasepple.de>"; sternenseemann = "Lukas Epple <post@lukasepple.de>";
stesie = "Stefan Siegl <stesie@brokenpipe.de>"; stesie = "Stefan Siegl <stesie@brokenpipe.de>";
steveej = "Stefan Junker <mail@stefanjunker.de>"; steveej = "Stefan Junker <mail@stefanjunker.de>";
stumoss = "Stuart Moss <samoss@gmail.com>";
SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>"; SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>";
swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>"; swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
swflint = "Samuel W. Flint <swflint@flintfam.org>"; swflint = "Samuel W. Flint <swflint@flintfam.org>";
@ -588,6 +599,7 @@
taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>"; taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
tari = "Peter Marheine <peter@taricorp.net>"; tari = "Peter Marheine <peter@taricorp.net>";
tavyc = "Octavian Cerna <octavian.cerna@gmail.com>"; tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
TealG = "Teal Gaure <~@Teal.Gr>";
teh = "Tom Hunger <tehunger@gmail.com>"; teh = "Tom Hunger <tehunger@gmail.com>";
telotortium = "Robert Irelan <rirelan@gmail.com>"; telotortium = "Robert Irelan <rirelan@gmail.com>";
teto = "Matthieu Coudron <mcoudron@hotmail.com>"; teto = "Matthieu Coudron <mcoudron@hotmail.com>";


@ -240,25 +240,6 @@ rec {
functor = (defaultFunctor name) // { wrapped = elemType; }; functor = (defaultFunctor name) // { wrapped = elemType; };
}; };
# List or element of ...
loeOf = elemType: mkOptionType rec {
name = "loeOf";
description = "element or list of ${elemType.description}s";
check = x: isList x || elemType.check x;
merge = loc: defs:
let
defs' = filterOverrides defs;
res = (head defs').value;
in
if isList res then concatLists (getValues defs')
else if lessThan 1 (length defs') then
throw "The option `${showOption loc}' is defined multiple times, in ${showFiles (getFiles defs)}."
else if !isString res then
throw "The option `${showOption loc}' does not have a string value, in ${showFiles (getFiles defs)}."
else res;
functor = (defaultFunctor name) // { wrapped = elemType; };
};
# Value of given type but with no merging (i.e. `uniq list`s are not concatenated). # Value of given type but with no merging (i.e. `uniq list`s are not concatenated).
uniq = elemType: mkOptionType rec { uniq = elemType: mkOptionType rec {
name = "uniq"; name = "uniq";


@ -49,8 +49,8 @@ def get_maintainers(attr_name):
@click.command() @click.command()
@click.option( @click.option(
'--jobset', '--jobset',
default="nixos/release-17.03", default="nixos/release-17.09",
help='Hydra project like nixos/release-17.03') help='Hydra project like nixos/release-17.09')
def cli(jobset): def cli(jobset):
""" """
Given a Hydra project, inspect latest evaluation Given a Hydra project, inspect latest evaluation


@ -31,7 +31,7 @@ ISO, copy its contents verbatim to your drive, then either:
<para>Edit <filename>loader/entries/nixos-livecd.conf</filename> on the drive <para>Edit <filename>loader/entries/nixos-livecd.conf</filename> on the drive
and change the <literal>root=</literal> field in the <literal>options</literal> and change the <literal>root=</literal> field in the <literal>options</literal>
line to point to your drive (see the documentation on <literal>root=</literal> line to point to your drive (see the documentation on <literal>root=</literal>
in <link xlink:href="https://www.kernel.org/doc/Documentation/kernel-parameters.txt"> in <link xlink:href="https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt">
the kernel documentation</link> for more details).</para> the kernel documentation</link> for more details).</para>
</listitem> </listitem>
<listitem> <listitem>


@ -71,6 +71,8 @@ following incompatible changes:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para> <para>
ZNC option <option>services.znc.mutable</option> now defaults to <literal>true</literal>.
That means that old configuration is not overwritten by default when update to the znc options are made.
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>


@ -80,7 +80,7 @@ let
truncate -s ${toString diskSize}M $diskImage truncate -s ${toString diskSize}M $diskImage
${if partitioned then '' ${if partitioned then ''
parted $diskImage -- mklabel msdos mkpart primary ext4 1M -1s parted --script $diskImage -- mklabel msdos mkpart primary ext4 1M -1s
offset=$((2048*512)) offset=$((2048*512))
'' else '' '' else ''
offset=0 offset=0


@ -149,6 +149,7 @@ rec {
{ key = "run-in-machine"; { key = "run-in-machine";
networking.hostName = "client"; networking.hostName = "client";
nix.readOnlyStore = false; nix.readOnlyStore = false;
virtualisation.writableStore = false;
} }
]; ];


@ -30,14 +30,15 @@ with lib;
}; };
config = { config = mkIf config.environment.enableDebugInfo {
# FIXME: currently disabled because /lib is already in # FIXME: currently disabled because /lib is already in
# environment.pathsToLink, and we can't have both. # environment.pathsToLink, and we can't have both.
#environment.pathsToLink = [ "/lib/debug/.build-id" ]; #environment.pathsToLink = [ "/lib/debug/.build-id" ];
environment.extraOutputsToInstall = environment.extraOutputsToInstall = [ "debug" ];
optional config.environment.enableDebugInfo "debug";
environment.variables.NIX_DEBUG_INFO_DIRS = [ "/run/current-system/sw/lib/debug" ];
}; };


@ -1,206 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.krb5;
in
{
###### interface
options = {
krb5 = {
enable = mkOption {
default = false;
description = "Whether to enable Kerberos V.";
};
defaultRealm = mkOption {
default = "ATENA.MIT.EDU";
description = "Default realm.";
};
domainRealm = mkOption {
default = "atena.mit.edu";
description = "Default domain realm.";
};
kdc = mkOption {
default = "kerberos.mit.edu";
description = "Key Distribution Center";
};
kerberosAdminServer = mkOption {
default = "kerberos.mit.edu";
description = "Kerberos Admin Server.";
};
};
};
###### implementation
config = mkIf config.krb5.enable {
environment.systemPackages = [ pkgs.krb5Full ];
environment.etc."krb5.conf".text =
''
[libdefaults]
default_realm = ${cfg.defaultRealm}
encrypt = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
${cfg.defaultRealm} = {
kdc = ${cfg.kdc}
admin_server = ${cfg.kerberosAdminServer}
#kpasswd_server = ${cfg.kerberosAdminServer}
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = vice28.fs.andrew.cmu.edu
kdc = vice2.fs.andrew.cmu.edu
kdc = vice11.fs.andrew.cmu.edu
kdc = vice12.fs.andrew.cmu.edu
admin_server = vice28.fs.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementia.org
kdc = kerberos2.dementia.org
admin_server = kerberos.dementia.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
[domain_realm]
.${cfg.domainRealm} = ${cfg.defaultRealm}
${cfg.domainRealm} = ${cfg.defaultRealm}
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.exchange.mit.edu = EXCHANGE.MIT.EDU
exchange.mit.edu = EXCHANGE.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON
krb4_convert = true
krb4_get_tickets = false
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
max_timeout = 30
timeout_shift = 2
initial_timeout = 1
}
'';
};
}


@ -0,0 +1,367 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.krb5;
# This is to provide support for old configuration options (as much as is
# reasonable). This can be removed after 18.03 was released.
defaultConfig = {
libdefaults = optionalAttrs (cfg.defaultRealm != null)
{ default_realm = cfg.defaultRealm; };
realms = optionalAttrs (lib.all (value: value != null) [
cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer
]) {
"${cfg.defaultRealm}" = {
kdc = cfg.kdc;
admin_server = cfg.kerberosAdminServer;
};
};
domain_realm = optionalAttrs (lib.all (value: value != null) [
cfg.domainRealm cfg.defaultRealm
]) {
".${cfg.domainRealm}" = cfg.defaultRealm;
"${cfg.domainRealm}" = cfg.defaultRealm;
};
};
mergedConfig = (recursiveUpdate defaultConfig {
inherit (config.krb5)
kerberos libdefaults realms domain_realm capaths appdefaults plugins
extraConfig config;
});
filterEmbeddedMetadata = value: if isAttrs value then
(filterAttrs
(attrName: attrValue: attrName != "_module" && attrValue != null)
value)
else value;
mkIndent = depth: concatStrings (builtins.genList (_: " ") (2 * depth));
mkRelation = name: value: "${name} = ${mkVal { inherit value; }}";
mkVal = { value, depth ? 0 }:
if (value == true) then "true"
else if (value == false) then "false"
else if (isInt value) then (toString value)
else if (isList value) then
concatMapStringsSep " " mkVal { inherit value depth; }
else if (isAttrs value) then
(concatStringsSep "\n${mkIndent (depth + 1)}"
([ "{" ] ++ (mapAttrsToList
(attrName: attrValue: let
mappedAttrValue = mkVal {
value = attrValue;
depth = depth + 1;
};
in "${attrName} = ${mappedAttrValue}")
value))) + "\n${mkIndent depth}}"
else value;
mkMappedAttrsOrString = value: concatMapStringsSep "\n"
(line: if builtins.stringLength line > 0
then "${mkIndent 1}${line}"
else line)
(splitString "\n"
(if isAttrs value then
concatStringsSep "\n"
(mapAttrsToList mkRelation value)
else value));
in {
###### interface
options = {
krb5 = {
enable = mkEnableOption "Whether to enable Kerberos V.";
kerberos = mkOption {
type = types.package;
default = pkgs.krb5Full;
defaultText = "pkgs.krb5Full";
example = literalExample "pkgs.heimdalFull";
description = ''
The Kerberos implementation that will be present in
<literal>environment.systemPackages</literal> after enabling this
service.
'';
};
libdefaults = mkOption {
type = with types; either attrs lines;
default = {};
apply = attrs: filterEmbeddedMetadata attrs;
example = literalExample ''
{
default_realm = "ATHENA.MIT.EDU";
};
'';
description = ''
Settings used by the Kerberos V5 library.
'';
};
realms = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = "athena.mit.edu";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = "Realm-specific contact information and settings.";
};
domain_realm = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
"example.com" = "EXAMPLE.COM";
".example.com" = "EXAMPLE.COM";
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Map of server hostnames to Kerberos realms.
'';
};
capaths = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
"ATHENA.MIT.EDU" = {
"EXAMPLE.COM" = ".";
};
"EXAMPLE.COM" = {
"ATHENA.MIT.EDU" = ".";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Authentication paths for non-hierarchical cross-realm authentication.
'';
};
appdefaults = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
pam = {
debug = false;
ticket_lifetime = 36000;
renew_lifetime = 36000;
max_timeout = 30;
timeout_shift = 2;
initial_timeout = 1;
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Settings used by some Kerberos V5 applications.
'';
};
plugins = mkOption {
type = with types; either attrs lines;
default = {};
example = literalExample ''
{
ccselect = {
disable = "k5identity";
};
};
'';
apply = attrs: filterEmbeddedMetadata attrs;
description = ''
Controls plugin module registration.
'';
};
extraConfig = mkOption {
type = with types; nullOr lines;
default = null;
example = ''
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
These lines go to the end of <literal>krb5.conf</literal> verbatim.
<literal>krb5.conf</literal> may include any of the relations that are
valid for <literal>kdc.conf</literal> (see <literal>man
kdc.conf</literal>), but it is not a recommended practice.
'';
};
config = mkOption {
type = with types; nullOr lines;
default = null;
example = ''
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
admin_server = kerberos.example.com
kdc = kerberos.example.com
default_principal_flags = +preauth
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
description = ''
Verbatim <literal>krb5.conf</literal> configuration. Note that this
is mutually exclusive with configuration via
<literal>libdefaults</literal>, <literal>realms</literal>,
<literal>domain_realm</literal>, <literal>capaths</literal>,
<literal>appdefaults</literal>, <literal>plugins</literal> and
<literal>extraConfig</literal> configuration options. Consult
<literal>man krb5.conf</literal> for documentation.
'';
};
defaultRealm = mkOption {
type = with types; nullOr str;
default = null;
example = "ATHENA.MIT.EDU";
description = ''
DEPRECATED, please use
<literal>krb5.libdefaults.default_realm</literal>.
'';
};
domainRealm = mkOption {
type = with types; nullOr str;
default = null;
example = "athena.mit.edu";
description = ''
DEPRECATED, please create a map of server hostnames to Kerberos realms
in <literal>krb5.domain_realm</literal>.
'';
};
kdc = mkOption {
type = with types; nullOr str;
default = null;
example = "kerberos.mit.edu";
description = ''
DEPRECATED, please pass a <literal>kdc</literal> attribute to a realm
in <literal>krb5.realms</literal>.
'';
};
kerberosAdminServer = mkOption {
type = with types; nullOr str;
default = null;
example = "kerberos.mit.edu";
description = ''
DEPRECATED, please pass an <literal>admin_server</literal> attribute
to a realm in <literal>krb5.realms</literal>.
'';
};
};
};
###### implementation
config = mkIf cfg.enable {
environment.systemPackages = [ cfg.kerberos ];
environment.etc."krb5.conf".text = if isString cfg.config
then cfg.config
else (''
[libdefaults]
${mkMappedAttrsOrString mergedConfig.libdefaults}
[realms]
${mkMappedAttrsOrString mergedConfig.realms}
[domain_realm]
${mkMappedAttrsOrString mergedConfig.domain_realm}
[capaths]
${mkMappedAttrsOrString mergedConfig.capaths}
[appdefaults]
${mkMappedAttrsOrString mergedConfig.appdefaults}
[plugins]
${mkMappedAttrsOrString mergedConfig.plugins}
'' + optionalString (mergedConfig.extraConfig != null)
("\n" + mergedConfig.extraConfig));
warnings = flatten [
(optional (cfg.defaultRealm != null) ''
The option krb5.defaultRealm is deprecated, please use
krb5.libdefaults.default_realm.
'')
(optional (cfg.domainRealm != null) ''
The option krb5.domainRealm is deprecated, please use krb5.domain_realm.
'')
(optional (cfg.kdc != null) ''
The option krb5.kdc is deprecated, please pass a kdc attribute to a
realm in krb5.realms.
'')
(optional (cfg.kerberosAdminServer != null) ''
The option krb5.kerberosAdminServer is deprecated, please pass an
admin_server attribute to a realm in krb5.realms.
'')
];
assertions = [
{ assertion = !((builtins.any (value: value != null) [
cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer
]) && ((builtins.any (value: value != {}) [
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
cfg.appdefaults cfg.plugins
]) || (builtins.any (value: value != null) [
cfg.config cfg.extraConfig
])));
message = ''
Configuration of krb5.conf by deprecated options is mutually exclusive
with configuration by section. Please migrate your config using the
attributes suggested in the warnings.
'';
}
{ assertion = !(cfg.config != null
&& ((builtins.any (value: value != {}) [
cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
cfg.appdefaults cfg.plugins
]) || (builtins.any (value: value != null) [
cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc
cfg.kerberosAdminServer
])));
message = ''
Configuration of krb5.conf using krb.config is mutually exclusive with
configuration by section. If you want to mix the two, you can pass
lines to any configuration section or lines to krb5.extraConfig.
'';
}
];
};
}
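Review bot: The list branch of `mkVal` passes the attribute set `{ inherit value depth; }` in the position where `concatMapStringsSep` takes the list to map over, so a list-valued setting in `libdefaults`, `realms` or the other section options looks like it will fail at evaluation instead of rendering space-separated values. Mapping over the list itself would fix it: `concatMapStringsSep " " (v: mkVal { value = v; inherit depth; }) value`. The message of the second assertion names `krb.config`, but the option it refers to is `krb5.config`. `mkEnableOption` is given a full sentence (`"Whether to enable Kerberos V."`); if the helper prepends its own "Whether to enable", the rendered description is doubled, and `"Kerberos V"` would be enough.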


@ -18,7 +18,7 @@ let
hostArray = [ "files" ] hostArray = [ "files" ]
++ optionals mymachines [ "mymachines" ] ++ optionals mymachines [ "mymachines" ]
++ optionals nssmdns [ "mdns_minimal [!UNAVAIL=return]" ] ++ optionals nssmdns [ "mdns_minimal [NOTFOUND=return]" ]
++ optionals nsswins [ "wins" ] ++ optionals nsswins [ "wins" ]
++ optionals resolved ["resolve [!UNAVAIL=return]"] ++ optionals resolved ["resolve [!UNAVAIL=return]"]
++ [ "dns" ] ++ [ "dns" ]
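Review bot: The `mdns_minimal` entry now uses `[NOTFOUND=return]` while the `resolve` entry two lines below keeps `[!UNAVAIL=return]`, and nothing in the hunk says why the two actions differ. The action decides which lookup results stop at mDNS and which fall through to `wins`, `resolve` and `dns`, so a comment above the line would help the next reader, for example `# return only when mDNS reports the name as not found; other failure statuses continue to the next source`. The `hostArray` definition continues outside the hunk.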


@ -5,6 +5,9 @@ with lib;
let let
tzdir = "${pkgs.tzdata}/share/zoneinfo"; tzdir = "${pkgs.tzdata}/share/zoneinfo";
nospace = str: filter (c: c == " ") (stringToCharacters str) == [];
timezone = types.nullOr (types.addCheck types.str nospace)
// { description = "null or string without spaces"; };
in in
@ -15,7 +18,7 @@ in
timeZone = mkOption { timeZone = mkOption {
default = null; default = null;
type = types.nullOr types.str; type = timezone;
example = "America/New_York"; example = "America/New_York";
description = '' description = ''
The time zone used when displaying times and dates. See <link The time zone used when displaying times and dates. See <link
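Review bot: `nospace` in the first hunk filters for the single character `" "` only, so a tab, a newline or an empty string still passes the new `timezone` type, although its description reads "null or string without spaces". How `timeZone` is consumed is outside the hunks shown; if it is written into a generated file or joined onto `tzdir`, the check should reject whatever would break that use, not just the space. At minimum a comment on `nospace` should state which consumer the check protects and that other whitespace is not covered.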


@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -1,30 +0,0 @@
{ config, pkgs, lib, ... }:
{
###### interface
options = {
networking.enableIntel2100BGFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Turn on this option if you want firmware for the Intel
PRO/Wireless 2100BG to be loaded automatically. This is
required if you want to use this device.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableIntel2100BGFirmware {
hardware.enableRedistributableFirmware = true;
};
}


@ -1,29 +0,0 @@
{ config, pkgs, lib, ... }:
{
###### interface
options = {
networking.enableIntel3945ABGFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
This option enables automatic loading of the firmware for the Intel
PRO/Wireless 3945ABG.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableIntel3945ABGFirmware {
hardware.enableRedistributableFirmware = true;
};
}


@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -1,3 +0,0 @@
{
hardware.enableRedistributableFirmware = true;
}


@ -1,26 +0,0 @@
{pkgs, config, lib, ...}:
{
###### interface
options = {
networking.enableRalinkFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Turn on this option if you want firmware for the RT73 NIC.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableRalinkFirmware {
hardware.enableRedistributableFirmware = true;
};
}


@ -1,26 +0,0 @@
{pkgs, config, lib, ...}:
{
###### interface
options = {
networking.enableRTL8192cFirmware = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Turn on this option if you want firmware for the RTL8192c (and related) NICs.
'';
};
};
###### implementation
config = lib.mkIf config.networking.enableRTL8192cFirmware {
hardware.enableRedistributableFirmware = true;
};
}


@ -6,8 +6,7 @@ with lib;
{ {
config = mkDefault { config = mkDefault {
# Wireless card firmware # Common firmware, i.e. for wifi cards
networking.enableIntel2200BGFirmware = true; hardware.enableRedistributableFirmware = true;
networking.enableIntel3945ABGFirmware = true;
}; };
} }


@ -398,19 +398,15 @@ EOF
# Is this a btrfs filesystem? # Is this a btrfs filesystem?
if ($fsType eq "btrfs") { if ($fsType eq "btrfs") {
my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint"); my ($status, @info) = runCommand("btrfs subvol show $rootDir$mountPoint");
if ($status != 0 || join("", @id_info) =~ /ERROR:/) { if ($status != 0 || join("", @info) =~ /ERROR:/) {
die "Failed to retrieve subvolume info for $mountPoint\n"; die "Failed to retrieve subvolume info for $mountPoint\n";
} }
my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/; my @ids = join("\n", @info) =~ m/^(?!\/\n).*Subvolume ID:[ \t\n]*([0-9]+)/s;
if ($#ids > 0) { if ($#ids > 0) {
die "Btrfs subvol name for $mountPoint listed multiple times in mount\n" die "Btrfs subvol name for $mountPoint listed multiple times in mount\n"
} elsif ($#ids == 0) { } elsif ($#ids == 0) {
my ($status, @path_info) = runCommand("btrfs subvol list $rootDir$mountPoint"); my @paths = join("", @info) =~ m/^([^\n]*)/;
if ($status != 0) {
die "Failed to find $mountPoint subvolume id from btrfs\n";
}
my @paths = join("", @path_info) =~ m/ID $ids[0] [^\n]* path ([^\n]*)/;
if ($#paths > 0) { if ($#paths > 0) {
die "Btrfs returned multiple paths for a single subvolume id, mountpoint $mountPoint\n"; die "Btrfs returned multiple paths for a single subvolume id, mountpoint $mountPoint\n";
} elsif ($#paths != 0) { } elsif ($#paths != 0) {
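Review bot: `$rootDir$mountPoint` is interpolated unquoted into the command string given to `runCommand` in the `btrfs subvol show` call, so a mount point containing whitespace or shell metacharacters would be split or interpreted if `runCommand` hands the string to a shell (its definition is outside this hunk, so that part is an assumption). This script normally runs as root, so the argument should be shell-quoted before the command string is built, or passed as a separate list element if `runCommand` supports that. The new `@paths` match `m/^([^\n]*)/` also relies on the first output line being the subvolume path, which deserves a comment such as `# 'btrfs subvol show' prints the subvolume path on its first line`. The enclosing `if` block continues past the end of the hunk.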


@ -296,6 +296,9 @@
clickhouse = 278; clickhouse = 278;
rslsync = 279; rslsync = 279;
minio = 280; minio = 280;
kanboard = 281;
pykms = 282;
kodi = 283;
# When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399! # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -561,6 +564,9 @@
clickhouse = 278; clickhouse = 278;
rslsync = 279; rslsync = 279;
minio = 280; minio = 280;
kanboard = 281;
pykms = 282;
kodi = 283;
# When adding a gid, make sure it doesn't match an existing # When adding a gid, make sure it doesn't match an existing
# uid. Users and groups with the same name should have equal # uid. Users and groups with the same name should have equal


@ -126,12 +126,15 @@ in {
++ optional (isFindutils && cfg.pruneNames != []) "findutils locate does not support pruning by directory component" ++ optional (isFindutils && cfg.pruneNames != []) "findutils locate does not support pruning by directory component"
++ optional (isFindutils && cfg.pruneBindMounts) "findutils locate does not support skipping bind mounts"; ++ optional (isFindutils && cfg.pruneBindMounts) "findutils locate does not support skipping bind mounts";
# directory creation needs to be separated from main service
# because ReadWritePaths fails when the directory doesn't already exist
systemd.tmpfiles.rules = [ "d ${dirOf cfg.output} 0755 root root -" ];
systemd.services.update-locatedb = systemd.services.update-locatedb =
{ description = "Update Locate Database"; { description = "Update Locate Database";
path = mkIf (!isMLocate) [ pkgs.su ]; path = mkIf (!isMLocate) [ pkgs.su ];
script = script =
'' ''
mkdir -m 0755 -p ${dirOf cfg.output}
exec ${cfg.locate}/bin/updatedb \ exec ${cfg.locate}/bin/updatedb \
${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \ ${optionalString (cfg.localuser != null && ! isMLocate) ''--localuser=${cfg.localuser}''} \
--output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags} --output=${toString cfg.output} ${concatStringsSep " " cfg.extraFlags}
@ -147,8 +150,13 @@ in {
serviceConfig.PrivateTmp = "yes"; serviceConfig.PrivateTmp = "yes";
serviceConfig.PrivateNetwork = "yes"; serviceConfig.PrivateNetwork = "yes";
serviceConfig.NoNewPrivileges = "yes"; serviceConfig.NoNewPrivileges = "yes";
serviceConfig.ReadOnlyDirectories = "/"; serviceConfig.ReadOnlyPaths = "/";
serviceConfig.ReadWriteDirectories = dirOf cfg.output; # Use dirOf cfg.output because mlocate creates temporary files next to
# the actual database. We could specify and create them as well,
# but that would make this quite brittle when they change something.
# NOTE: If /var/cache does not exist, this leads to the misleading error message:
# update-locatedb.service: Failed at step NAMESPACE spawning …/update-locatedb-start: No such file or directory
serviceConfig.ReadWritePaths = dirOf cfg.output;
}; };
systemd.timers.update-locatedb = systemd.timers.update-locatedb =
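Review bot: The new `systemd.tmpfiles.rules` entry applies `0755 root root` to `dirOf cfg.output`, and a `d` rule also adjusts the mode and ownership of a directory that already exists. If `output` is pointed into a shared directory, that directory's permissions would be reset on every tmpfiles run, and it would also become the unit's `ReadWritePaths`. With the default this is presumably `/var/cache`, as the comment in the second hunk suggests, which is harmless. The `output` option is outside this hunk; its description should say that the parent directory is managed by this module, for example `The parent directory is created and set to 0755 root:root; use a dedicated directory.`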


@ -9,7 +9,7 @@
./config/fonts/ghostscript.nix ./config/fonts/ghostscript.nix
./config/gnu.nix ./config/gnu.nix
./config/i18n.nix ./config/i18n.nix
./config/krb5.nix ./config/krb5/default.nix
./config/ldap.nix ./config/ldap.nix
./config/networking.nix ./config/networking.nix
./config/no-x-libs.nix ./config/no-x-libs.nix
@ -35,11 +35,6 @@
./hardware/ksm.nix ./hardware/ksm.nix
./hardware/mcelog.nix ./hardware/mcelog.nix
./hardware/network/b43.nix ./hardware/network/b43.nix
./hardware/network/intel-2100bg.nix
./hardware/network/intel-2200bg.nix
./hardware/network/intel-3945abg.nix
./hardware/network/ralink.nix
./hardware/network/rtl8192c.nix
./hardware/nitrokey.nix ./hardware/nitrokey.nix
./hardware/opengl.nix ./hardware/opengl.nix
./hardware/pcmcia.nix ./hardware/pcmcia.nix
@ -136,8 +131,6 @@
./security/rtkit.nix ./security/rtkit.nix
./security/wrappers/default.nix ./security/wrappers/default.nix
./security/sudo.nix ./security/sudo.nix
./service-managers/docker.nix
./service-managers/trivial.nix
./services/admin/salt/master.nix ./services/admin/salt/master.nix
./services/admin/salt/minion.nix ./services/admin/salt/minion.nix
./services/amqp/activemq/default.nix ./services/amqp/activemq/default.nix
@ -269,6 +262,7 @@
./services/mail/offlineimap.nix ./services/mail/offlineimap.nix
./services/mail/opendkim.nix ./services/mail/opendkim.nix
./services/mail/opensmtpd.nix ./services/mail/opensmtpd.nix
./services/mail/pfix-srsd.nix
./services/mail/postfix.nix ./services/mail/postfix.nix
./services/mail/postsrsd.nix ./services/mail/postsrsd.nix
./services/mail/postgrey.nix ./services/mail/postgrey.nix
@ -332,6 +326,7 @@
./services/misc/parsoid.nix ./services/misc/parsoid.nix
./services/misc/phd.nix ./services/misc/phd.nix
./services/misc/plex.nix ./services/misc/plex.nix
./services/misc/pykms.nix
./services/misc/radarr.nix ./services/misc/radarr.nix
./services/misc/redmine.nix ./services/misc/redmine.nix
./services/misc/rippled.nix ./services/misc/rippled.nix
@ -374,6 +369,7 @@
./services/monitoring/prometheus/collectd-exporter.nix ./services/monitoring/prometheus/collectd-exporter.nix
./services/monitoring/prometheus/fritzbox-exporter.nix ./services/monitoring/prometheus/fritzbox-exporter.nix
./services/monitoring/prometheus/json-exporter.nix ./services/monitoring/prometheus/json-exporter.nix
./services/monitoring/prometheus/minio-exporter.nix
./services/monitoring/prometheus/nginx-exporter.nix ./services/monitoring/prometheus/nginx-exporter.nix
./services/monitoring/prometheus/node-exporter.nix ./services/monitoring/prometheus/node-exporter.nix
./services/monitoring/prometheus/snmp-exporter.nix ./services/monitoring/prometheus/snmp-exporter.nix
@ -621,6 +617,7 @@
./services/web-servers/phpfpm/default.nix ./services/web-servers/phpfpm/default.nix
./services/web-servers/shellinabox.nix ./services/web-servers/shellinabox.nix
./services/web-servers/tomcat.nix ./services/web-servers/tomcat.nix
./services/web-servers/traefik.nix
./services/web-servers/uwsgi.nix ./services/web-servers/uwsgi.nix
./services/web-servers/varnish/default.nix ./services/web-servers/varnish/default.nix
./services/web-servers/winstone.nix ./services/web-servers/winstone.nix


@ -47,9 +47,6 @@
# Hyper-V support. # Hyper-V support.
"hv_storvsc" "hv_storvsc"
# Keyboards
"usbhid" "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
]; ];
# Include lots of firmware. # Include lots of firmware.


@ -25,7 +25,14 @@ in
{ {
options.programs.command-not-found = { options.programs.command-not-found = {
enable = mkEnableOption "command-not-found hook for interactive shell"; enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether interactive shells should show which Nix package (if
any) provides a missing command.
'';
};
dbPath = mkOption { dbPath = mkOption {
default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ; default = "/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite" ;


@ -5,7 +5,7 @@ with lib;
let let
cfg = config.programs.zsh.syntaxHighlighting; cfg = config.programs.zsh.syntaxHighlighting;
in in
{ {
options = { options = {
programs.zsh.syntaxHighlighting = { programs.zsh.syntaxHighlighting = {
enable = mkEnableOption "zsh-syntax-highlighting"; enable = mkEnableOption "zsh-syntax-highlighting";
@ -54,25 +54,25 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ]; environment.systemPackages = with pkgs; [ zsh-syntax-highlighting ];
programs.zsh.interactiveShellInit = with pkgs; with builtins; '' assertions = [
source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh {
assertion = length(attrNames cfg.patterns) > 0 -> elem "pattern" cfg.highlighters;
${optionalString (length(cfg.highlighters) > 0) message = ''
"ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})" When highlighting patterns, "pattern" needs to be included in the list of highlighters.
}
${let
n = attrNames cfg.patterns;
in
optionalString (length(n) > 0)
(assert(elem "pattern" cfg.highlighters); (foldl (
a: b:
''
${a}
ZSH_HIGHLIGHT_PATTERNS+=('${b}' '${attrByPath [b] "" cfg.patterns}')
''
) "") n)
}
''; '';
};
} }
];
programs.zsh.interactiveShellInit = with pkgs;
lib.concatStringsSep "\n" ([
"source ${zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
] ++ optional (length(cfg.highlighters) > 0)
"ZSH_HIGHLIGHT_HIGHLIGHTERS=(${concatStringsSep " " cfg.highlighters})"
++ optionals (length(attrNames cfg.patterns) > 0)
(mapAttrsToList (
pattern: design:
"ZSH_HIGHLIGHT_PATTERNS+=('${pattern}' '${design}')"
) cfg.patterns)
);
};
}
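Review bot: In the rewritten `interactiveShellInit`, `pattern` and `design` are placed between literal single quotes, so a pattern that itself contains a `'` ends the quoting early and the rest of the value is parsed as shell code in every interactive zsh. The values come from the system configuration, so this is a robustness issue rather than an untrusted-input one, but escaping is cheap: `"ZSH_HIGHLIGHT_PATTERNS+=(${escapeShellArg pattern} ${escapeShellArg design})"`. The `cfg.highlighters` entries are joined unquoted in the same way and could get the same treatment. The new assertion replacing the inline `assert` is a clear improvement and needs no change.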


@ -11,7 +11,11 @@ with lib;
(mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ]) (mkRenamedOptionModule [ "fonts" "extraFonts" ] [ "fonts" "fonts" ])
(mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ]) (mkRenamedOptionModule [ "networking" "enableWLAN" ] [ "networking" "wireless" "enable" ])
(mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ]) (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel3945ABGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableIntel2100BGFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRalinkFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "networking" "enableRTL8192cFirmware" ] [ "hardware" "enableRedistributableFirmware" ])
(mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ]) (mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
(mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ] (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]


@ -1,29 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.docker-containers;
containerModule = {
script = mkOption {
type = types.lines;
description = "Shell commands executed as the service's main process.";
};
};
toContainer = name: value: pkgs.dockerTools.buildImage {
inherit name;
config = {
Cmd = [ value.script ];
};
};
in {
options.docker-containers = mkOption {
default = {};
type = with types; attrsOf (types.submodule containerModule);
description = "Definition of docker containers";
};
config.system.build.toplevel-docker = lib.mapAttrs toContainer cfg;
}


@ -1,35 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.trivial-services;
serviceModule.options = {
script = mkOption {
type = types.lines;
description = "Shell commands executed as the service's main process.";
};
environment = mkOption {
default = {};
type = types.attrs; # FIXME
example = { PATH = "/foo/bar/bin"; LANG = "nl_NL.UTF-8"; };
description = "Environment variables passed to the service's processes.";
};
};
launcher = name: value: pkgs.writeScript name ''
#!${pkgs.stdenv.shell} -eu
${pkgs.writeScript "${name}-entry" value.script}
'';
in {
options.trivial-services = mkOption {
default = {};
type = with types; attrsOf (types.submodule serviceModule);
description = "Definition of trivial services";
};
config.system.build.toplevel-trivial = lib.mapAttrs launcher cfg;
}


@ -0,0 +1,56 @@
{ config, lib, pkgs, ... }:
with lib;
{
###### interface
options = {
services.pfix-srsd = {
enable = mkOption {
default = false;
type = types.bool;
description = "Whether to run the postfix sender rewriting scheme daemon.";
};
domain = mkOption {
description = "The domain for which to enable srs";
type = types.str;
example = "example.com";
};
secretsFile = mkOption {
description = ''
The secret data used to encode the SRS address.
to generate, use a command like:
<literal>for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/ -$//' | sed 's/^/ /'; done</literal>
'';
type = types.path;
default = "/var/lib/pfix-srsd/secrets";
};
};
};
###### implementation
config = mkIf config.services.pfix-srsd.enable {
environment = {
systemPackages = [ pkgs.pfixtools ];
};
systemd.services."pfix-srsd" = {
description = "Postfix sender rewriting scheme daemon";
before = [ "postfix.service" ];
#note that we use requires rather than wants because postfix
#is unable to process (almost) all mail without srsd
requiredBy = [ "postfix.service" ];
serviceConfig = {
Type = "forking";
PIDFile = "/var/run/pfix-srsd.pid";
ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /var/run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
};
};
};
}
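Review bot: `secretsFile` is typed `types.path` and its description explains how to generate the SRS secrets but not how to protect them. A Nix path literal given here would be copied into the world-readable store when it is interpolated into `ExecStart`, and the suggested `dd … | sha256sum` pipeline leaves the file mode to the umask. I would add to the description: `Pass this as a string, not a path literal, and keep the file readable only by the daemon's user (chmod 0600).` The `serviceConfig` also sets no `User=` or sandboxing options, so unless pfix-srsd drops privileges by itself (not visible here) it runs as root; that should be confirmed and noted in a comment next to `ExecStart`.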


@ -79,6 +79,12 @@ let
// optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; } // optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; }
// optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; } // optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; }
// optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; } // optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; }
// optionalAttrs cfg.useSrs {
sender_canonical_maps = "tcp:127.0.0.1:10001";
sender_canonical_classes = "envelope_sender";
recipient_canonical_maps = "tcp:127.0.0.1:10002";
recipient_canonical_classes= "envelope_recipient";
}
// optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; } // optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; }
// optionalAttrs (cfg.sslCert != "") { // optionalAttrs (cfg.sslCert != "") {
smtp_tls_CAfile = cfg.sslCACert; smtp_tls_CAfile = cfg.sslCACert;
@ -626,6 +632,12 @@ in
description = "Maps to be compiled and placed into /var/lib/postfix/conf."; description = "Maps to be compiled and placed into /var/lib/postfix/conf.";
}; };
useSrs = mkOption {
type = types.bool;
default = false;
description = "Whether to enable sender rewriting scheme";
};
}; };
}; };
@ -646,6 +658,8 @@ in
systemPackages = [ pkgs.postfix ]; systemPackages = [ pkgs.postfix ];
}; };
services.pfix-srsd.enable = config.services.postfix.useSrs;
services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail { services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
program = "sendmail"; program = "sendmail";
source = "${pkgs.postfix}/bin/sendmail"; source = "${pkgs.postfix}/bin/sendmail";
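Review bot: The `useSrs` block hard-codes `tcp:127.0.0.1:10001` and `tcp:127.0.0.1:10002`, and nothing on the page ties these to the ports pfix-srsd actually listens on. Both are unprivileged ports, so postfix will trust whichever local process answers there, and envelope rewriting depends on the pfix-srsd unit being up before postfix. A comment should say that these are pfix-srsd's default ports and that the `requiredBy`/`before` ordering in that unit is what protects them. The option description could also name its prerequisite: `Whether to enable sender rewriting scheme via pfix-srsd; requires services.pfix-srsd.domain to be set.` Separately, `services.pfix-srsd.enable = config.services.postfix.useSrs;` is a plain definition and will conflict if a user enables pfix-srsd on their own while `useSrs` is false; `mkIf config.services.postfix.useSrs true` avoids that.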


@ -414,7 +414,7 @@ in {
Make sure the secret is an RSA private key in PEM format. You can Make sure the secret is an RSA private key in PEM format. You can
generate one with generate one with
openssl genrsa 2048openssl genpkey -algorithm RSA -out - -pkeyopt rsa_keygen_bits:2048 openssl genrsa 2048
''; '';
}; };
@ -567,6 +567,7 @@ in {
mkdir -p ${cfg.statePath}/log mkdir -p ${cfg.statePath}/log
mkdir -p ${cfg.statePath}/tmp/pids mkdir -p ${cfg.statePath}/tmp/pids
mkdir -p ${cfg.statePath}/tmp/sockets mkdir -p ${cfg.statePath}/tmp/sockets
mkdir -p ${cfg.statePath}/shell
rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks
mkdir -p ${cfg.statePath}/config mkdir -p ${cfg.statePath}/config
@ -580,6 +581,7 @@ in {
mkdir -p ${cfg.statePath}/{log,uploads} mkdir -p ${cfg.statePath}/{log,uploads}
ln -sf ${cfg.statePath}/log /run/gitlab/log ln -sf ${cfg.statePath}/log /run/gitlab/log
ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads ln -sf ${cfg.statePath}/uploads /run/gitlab/uploads
ln -sf ${cfg.statePath}/tmp /run/gitlab/tmp
chown -R ${cfg.user}:${cfg.group} /run/gitlab chown -R ${cfg.user}:${cfg.group} /run/gitlab
# Prepare home directory # Prepare home directory
@ -638,10 +640,10 @@ in {
chmod -R ug+rwX,o-rwx ${cfg.statePath}/repositories chmod -R ug+rwX,o-rwx ${cfg.statePath}/repositories
chmod -R ug-s ${cfg.statePath}/repositories chmod -R ug-s ${cfg.statePath}/repositories
find ${cfg.statePath}/repositories -type d -print0 | xargs -0 chmod g+s find ${cfg.statePath}/repositories -type d -print0 | xargs -0 chmod g+s
chmod 700 ${cfg.statePath}/uploads chmod 770 ${cfg.statePath}/uploads
chown -R git ${cfg.statePath}/uploads chown -R git ${cfg.statePath}/uploads
find ${cfg.statePath}/uploads -type f -exec chmod 0644 {} \; find ${cfg.statePath}/uploads -type f -exec chmod 0644 {} \;
find ${cfg.statePath}/uploads -type d -not -path ${cfg.statePath}/uploads -exec chmod 0700 {} \; find ${cfg.statePath}/uploads -type d -not -path ${cfg.statePath}/uploads -exec chmod 0770 {} \;
''; '';
serviceConfig = { serviceConfig = {
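Review bot: The third hunk loosens the uploads directory and its subdirectories from `0700` to `0770`, but the `chown -R git ${cfg.statePath}/uploads` between those lines sets only the owner and hard-codes `git`. The group that gains write access is therefore whatever the tree already had, not necessarily `${cfg.group}`. If the intent is to give the GitLab group access, set it explicitly with `chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}/uploads`, as the `/run/gitlab` line in the second hunk already does. A one-line comment saying which process needs group write on uploads would make the wider mode reviewable. The script continues outside these hunks, so a later ownership fix-up may exist that is not visible here.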


@ -66,6 +66,35 @@ services.gitlab = {
db = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6"; db = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6";
secret = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3"; secret = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3";
otp = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI"; otp = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI";
jws = ''
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
'';
}; };
extraConfig = { extraConfig = {
gitlab = { gitlab = {


@ -25,6 +25,7 @@ let
HTTP_ADDR = ${cfg.httpAddress} HTTP_ADDR = ${cfg.httpAddress}
HTTP_PORT = ${toString cfg.httpPort} HTTP_PORT = ${toString cfg.httpPort}
ROOT_URL = ${cfg.rootUrl} ROOT_URL = ${cfg.rootUrl}
STATIC_ROOT_PATH = ${cfg.staticRootPath}
[session] [session]
COOKIE_NAME = session COOKIE_NAME = session
@ -175,6 +176,13 @@ in
''; '';
}; };
staticRootPath = mkOption {
type = types.str;
default = "${pkgs.gogs.data}";
example = "/var/lib/gogs/data";
description = "Upper level of template and static files path.";
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.str; type = types.str;
default = ""; default = "";
@ -195,6 +203,8 @@ in
runConfig = "${cfg.stateDir}/custom/conf/app.ini"; runConfig = "${cfg.stateDir}/custom/conf/app.ini";
secretKey = "${cfg.stateDir}/custom/conf/secret_key"; secretKey = "${cfg.stateDir}/custom/conf/secret_key";
in '' in ''
mkdir -p ${cfg.stateDir}
# copy custom configuration and generate a random secret key if needed # copy custom configuration and generate a random secret key if needed
${optionalString (cfg.useWizard == false) '' ${optionalString (cfg.useWizard == false) ''
mkdir -p ${cfg.stateDir}/custom/conf mkdir -p ${cfg.stateDir}/custom/conf
@ -240,7 +250,7 @@ in
}; };
}; };
users = { users = mkIf (cfg.user == "gogs") {
extraUsers.gogs = { extraUsers.gogs = {
description = "Go Git Service"; description = "Go Git Service";
uid = config.ids.uids.gogs; uid = config.ids.uids.gogs;
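Review bot: With `users = mkIf (cfg.user == "gogs")` no account is created when `user` is set to anything else, and nothing in the visible hunks asserts that the named account exists. The new `mkdir -p ${cfg.stateDir}` in the start script also sets no mode or owner, so the directory's ownership depends on who runs that script; the `chown`, if there is one, is outside the hunk. The `user` option's description is not in view and should state the new contract, for example `If set to anything other than "gogs", the account must be declared elsewhere and must own stateDir.` An `assertions` entry checking that the user is defined would turn a failed unit start into an evaluation error.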


@ -189,6 +189,7 @@ in
sshKey = "/root/.ssh/id_buildfarm"; sshKey = "/root/.ssh/id_buildfarm";
system = "x86_64-linux"; system = "x86_64-linux";
maxJobs = 2; maxJobs = 2;
speedFactor = 2;
supportedFeatures = [ "kvm" ]; supportedFeatures = [ "kvm" ];
mandatoryFeatures = [ "perf" ]; mandatoryFeatures = [ "perf" ];
} }


@ -137,7 +137,7 @@ in
User = cfg.user; User = cfg.user;
Group = cfg.group; Group = cfg.group;
PermissionsStartOnly = "true"; PermissionsStartOnly = "true";
ExecStart = "/bin/sh -c ${cfg.package}/usr/lib/plexmediaserver/Plex\\ Media\\ Server"; ExecStart = "\"${cfg.package}/usr/lib/plexmediaserver/Plex Media Server\"";
KillSignal = "SIGQUIT"; KillSignal = "SIGQUIT";
Restart = "on-failure"; Restart = "on-failure";
}; };


@ -0,0 +1,90 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.pykms;
home = "/var/lib/pykms";
services = {
serviceConfig = {
Restart = "on-failure";
RestartSec = "10s";
StartLimitInterval = "1min";
PrivateTmp = true;
ProtectSystem = "full";
ProtectHome = true;
};
};
in {
options = {
services.pykms = rec {
enable = mkOption {
type = types.bool;
default = false;
description = "Whether to enable the PyKMS service.";
};
listenAddress = mkOption {
type = types.str;
default = "0.0.0.0";
description = "The IP address on which to listen.";
};
port = mkOption {
type = types.int;
default = 1688;
description = "The port on which to listen.";
};
verbose = mkOption {
type = types.bool;
default = false;
description = "Show verbose output.";
};
openFirewallPort = mkOption {
type = types.bool;
default = false;
description = "Whether the listening port should be opened automatically.";
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewallPort [ cfg.port ];
systemd.services = {
pykms = services // {
description = "Python KMS";
wantedBy = [ "multi-user.target" ];
serviceConfig = with pkgs; {
User = "pykms";
Group = "pykms";
ExecStartPre = "${getBin pykms}/bin/create_pykms_db.sh ${home}/clients.db";
ExecStart = "${getBin pykms}/bin/server.py ${optionalString cfg.verbose "--verbose"} ${cfg.listenAddress} ${toString cfg.port}";
WorkingDirectory = home;
MemoryLimit = "64M";
};
};
};
users = {
extraUsers.pykms = {
name = "pykms";
group = "pykms";
home = home;
createHome = true;
uid = config.ids.uids.pykms;
description = "PyKMS daemon user";
};
extraGroups.pykms = {
gid = config.ids.gids.pykms;
};
};
};
}
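Review bot: The shared hardening in the `services` let-binding never reaches the unit, because `pykms = services // { … serviceConfig = …; }` uses the shallow `//` operator and the right-hand `serviceConfig` replaces the left-hand one wholesale. `PrivateTmp`, `ProtectSystem = "full"`, `ProtectHome` and the restart settings are therefore silently dropped. Merging recursively keeps both sets: `pykms = recursiveUpdate services {`. In addition, `listenAddress` defaults to `0.0.0.0`, so the description should say that the default binds all interfaces and that exposure is then limited only by the firewall and `openFirewallPort`. The `rec` on the option set is unused and can be removed.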

View File

@ -23,7 +23,7 @@ let
# proxy_password: password # proxy_password: password
# tags: mytag0, mytag1 # tags: mytag0, mytag1
${optionalString (cfg.tags != null ) "tags: ${concatStringsSep "," cfg.tags }"} ${optionalString (cfg.tags != null ) "tags: ${concatStringsSep ", " cfg.tags }"}
# collect_ec2_tags: no # collect_ec2_tags: no
# recent_point_threshold: 30 # recent_point_threshold: 30


@ -0,0 +1,117 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.prometheus.minioExporter;
in {
options = {
services.prometheus.minioExporter = {
enable = mkEnableOption "prometheus minio exporter";
port = mkOption {
type = types.int;
default = 9290;
description = ''
Port to listen on.
'';
};
listenAddress = mkOption {
type = types.nullOr types.str;
default = null;
example = "0.0.0.0";
description = ''
Address to listen on for web interface and telemetry.
'';
};
minioAddress = mkOption {
type = types.str;
example = "https://10.0.0.1:9000";
default = if config.services.minio.enable then "http://localhost:9000" else null;
description = ''
The URL of the minio server.
Use HTTPS if Minio accepts secure connections only.
By default this connects to the local minio server if enabled.
'';
};
minioAccessKey = mkOption ({
type = types.str;
example = "BKIKJAA5BMMU2RHO6IBB";
description = ''
The value of the Minio access key.
It is required in order to connect to the server.
By default this uses the one from the local minio server if enabled
and <literal>config.services.minio.accessKey</literal>.
'';
} // optionalAttrs (config.services.minio.enable && config.services.minio.accessKey != "") {
default = config.services.minio.accessKey;
});
minioAccessSecret = mkOption ({
type = types.str;
description = ''
The calue of the Minio access secret.
It is required in order to connect to the server.
By default this uses the one from the local minio server if enabled
and <literal>config.services.minio.secretKey</literal>.
'';
} // optionalAttrs (config.services.minio.enable && config.services.minio.secretKey != "") {
default = config.services.minio.secretKey;
});
minioBucketStats = mkOption {
type = types.bool;
default = false;
description = ''
Collect statistics about the buckets and files in buckets.
It requires more computation, use it carefully in case of large buckets..
'';
};
extraFlags = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra commandline options when launching the minio exporter.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open port in firewall for incoming connections.
'';
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port;
systemd.services.prometheus-minio-exporter = {
description = "Prometheus exporter for Minio server metrics";
unitConfig.Documentation = "https://github.com/joe-pll/minio-exporter";
wantedBy = [ "multi-user.target" ];
after = optional config.services.minio.enable "minio.service";
serviceConfig = {
DynamicUser = true;
Restart = "always";
PrivateTmp = true;
WorkingDirectory = /tmp;
ExecStart = ''
${pkgs.prometheus-minio-exporter}/bin/minio-exporter \
-web.listen-address ${optionalString (cfg.listenAddress != null) cfg.listenAddress}:${toString cfg.port} \
-minio.server ${cfg.minioAddress} \
-minio.access-key ${cfg.minioAccessKey} \
-minio.access-secret ${cfg.minioAccessSecret} \
${optionalString cfg.minioBucketStats "-minio.bucket-stats"} \
${concatStringsSep " \\\n " cfg.extraFlags}
'';
};
};
};
}
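Review bot: `minioAccessKey` and `minioAccessSecret` are interpolated into `ExecStart`, so the credentials end up in the generated unit file in the world-readable Nix store and in the exporter's command line, where any local user can read them. If the exporter can take its credentials from the environment or a file (not visible here), load them through `serviceConfig.EnvironmentFile` pointing at a root-only file outside the store. Otherwise both option descriptions should at least warn: `This value is stored world-readable in the Nix store; use a dedicated low-privilege Minio key.` Two smaller points: `minioAddress` is `types.str` but its default evaluates to `null` when the local minio service is disabled, which should be `types.nullOr types.str` or have no default in that case. The `minioAccessSecret` description has a typo ("calue").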

View File

@ -7,7 +7,7 @@ let
ipfsFlags = toString ([ ipfsFlags = toString ([
(optionalString cfg.autoMount "--mount") (optionalString cfg.autoMount "--mount")
(optionalString cfg.autoMigrate "--migrate") #(optionalString cfg.autoMigrate "--migrate")
(optionalString cfg.enableGC "--enable-gc") (optionalString cfg.enableGC "--enable-gc")
(optionalString (cfg.serviceFdlimit != null) "--manage-fdlimit=false") (optionalString (cfg.serviceFdlimit != null) "--manage-fdlimit=false")
(optionalString (cfg.defaultMode == "offline") "--offline") (optionalString (cfg.defaultMode == "offline") "--offline")
@ -36,6 +36,7 @@ let
baseService = recursiveUpdate commonEnv { baseService = recursiveUpdate commonEnv {
wants = [ "ipfs-init.service" ]; wants = [ "ipfs-init.service" ];
# NB: migration must be performed prior to pre-start, else we get the failure message!
preStart = '' preStart = ''
ipfs repo fsck # workaround for BUG #4212 (https://github.com/ipfs/go-ipfs/issues/4214) ipfs repo fsck # workaround for BUG #4212 (https://github.com/ipfs/go-ipfs/issues/4214)
ipfs --local config Addresses.API ${cfg.apiAddress} ipfs --local config Addresses.API ${cfg.apiAddress}
@ -97,11 +98,17 @@ in {
description = "systemd service that is enabled by default"; description = "systemd service that is enabled by default";
}; };
/*
autoMigrate = mkOption { autoMigrate = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = "Whether IPFS should try to migrate the file system automatically"; description = ''
Whether IPFS should try to migrate the file system automatically.
The daemon will need to be able to download a binary from https://ipfs.io to perform the migration.
'';
}; };
*/
autoMount = mkOption { autoMount = mkOption {
type = types.bool; type = types.bool;
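Review bot: `autoMigrate` is disabled by wrapping its declaration in `/* … */` and commenting out its flag in `ipfsFlags`, so any configuration that still sets `services.ipfs.autoMigrate` now fails evaluation with an undefined-option error and no explanation. A `mkRemovedOptionModule` entry for `[ "services" "ipfs" "autoMigrate" ]` with a short reason would give users an actionable message and let the dead block be deleted rather than left commented out. The reworded description notes that the daemon must download a binary from https://ipfs.io to migrate. If the option is reinstated, the description should also say whether that download is verified, because it would run inside the service. The `NB:` comment above `preStart` would be clearer if it said who is expected to perform the migration now.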

View File

@ -55,8 +55,11 @@ in {
Restart = "on-failure"; Restart = "on-failure";
PrivateTmp = true; PrivateTmp = true;
}; };
wantedBy = [ "default.target" ];
}; };
services.keybase.enable = true; services.keybase.enable = true;
environment.systemPackages = [ pkgs.kbfs ];
}; };
} }

View File

@ -93,7 +93,6 @@ in
preStop = '' preStop = ''
${pkgs.utillinux}/bin/umount /afs ${pkgs.utillinux}/bin/umount /afs
${openafsPkgs}/sbin/afsd -shutdown ${openafsPkgs}/sbin/afsd -shutdown
${pkgs.kmod}/sbin/rmmod libafs
''; '';
}; };
}; };

View File

@ -115,10 +115,5 @@ in {
wireless.enable = true; wireless.enable = true;
networkmanager.enable = false; networkmanager.enable = false;
}; };
powerManagement.resumeCommands = ''
systemctl restart connman
'';
}; };
} }

View File

@ -18,10 +18,13 @@ let
'') ips} '') ips}
'') cfg.domainServers)} '') cfg.domainServers)}
# djbdns contains an outdated list of root servers; # if a list of root servers was not provided in config, copy it
# if one was not provided in config, provide a current list # over. (this is also done by dnscache-conf, but we 'rm -rf
if [ ! -e servers/@ ]; then # /var/lib/dnscache/root' below & replace it wholesale with this,
awk '/^.?.ROOT-SERVERS.NET/ { print $4 }' ${pkgs.dns-root-data}/root.hints > $out/servers/@ # so we have to ensure servers/@ exists ourselves.)
if [ ! -e $out/servers/@ ]; then
# symlink does not work here, due chroot
cp ${pkgs.djbdns}/etc/dnsroots.global $out/servers/@;
fi fi
''; '';
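Review bot: The fallback for a missing `servers/@` now copies the static `dnsroots.global` shipped in `pkgs.djbdns`, which the comment on the other side of this hunk calls an outdated root-server list. Assuming the `cp` line is the new side (the rendering has lost the +/- markers), the cache starts from stale root hints whenever the configuration supplies no root list. Consider keeping only the path fix, `if [ ! -e $out/servers/@ ]; then`, around the existing `awk '/^.?.ROOT-SERVERS.NET/ { print $4 }' ${pkgs.dns-root-data}/root.hints > $out/servers/@` line. The surrounding script starts and ends outside this hunk.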


@ -95,18 +95,18 @@ let
ip46tables -N nixos-fw-log-refuse ip46tables -N nixos-fw-log-refuse
${optionalString cfg.logRefusedConnections '' ${optionalString cfg.logRefusedConnections ''
ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "rejected connection: " ip46tables -A nixos-fw-log-refuse -p tcp --syn -j LOG --log-level info --log-prefix "refused connection: "
''} ''}
${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) '' ${optionalString (cfg.logRefusedPackets && !cfg.logRefusedUnicastsOnly) ''
ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type broadcast \ ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type broadcast \
-j LOG --log-level info --log-prefix "rejected broadcast: " -j LOG --log-level info --log-prefix "refused broadcast: "
ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type multicast \ ip46tables -A nixos-fw-log-refuse -m pkttype --pkt-type multicast \
-j LOG --log-level info --log-prefix "rejected multicast: " -j LOG --log-level info --log-prefix "refused multicast: "
''} ''}
ip46tables -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse ip46tables -A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
${optionalString cfg.logRefusedPackets '' ${optionalString cfg.logRefusedPackets ''
ip46tables -A nixos-fw-log-refuse \ ip46tables -A nixos-fw-log-refuse \
-j LOG --log-level info --log-prefix "rejected packet: " -j LOG --log-level info --log-prefix "refused packet: "
''} ''}
ip46tables -A nixos-fw-log-refuse -j nixos-fw-refuse ip46tables -A nixos-fw-log-refuse -j nixos-fw-refuse
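Review bot: The LOG prefixes in `nixos-fw-log-refuse` change between `rejected ...` and `refused ...` with no accompanying note, so any journal filter, alert or log-parsing rule keyed on the previous strings (`rejected connection: `, `rejected packet: ` and the broadcast/multicast variants) stops matching after the upgrade. This deserves a release-notes entry, and a comment above the first LOG rule such as `# NB: these log prefixes are matched by external tooling; changing them is user-visible`. Which spelling is the new side is inferred from the chain name, since the rendering has lost the +/- markers.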


@ -28,11 +28,12 @@ in {
description = "Keybase service"; description = "Keybase service";
serviceConfig = { serviceConfig = {
ExecStart = '' ExecStart = ''
${pkgs.keybase}/bin/keybase service ${pkgs.keybase}/bin/keybase -d service --auto-forked
''; '';
Restart = "on-failure"; Restart = "on-failure";
PrivateTmp = true; PrivateTmp = true;
}; };
wantedBy = [ "default.target" ];
}; };
environment.systemPackages = [ pkgs.keybase ]; environment.systemPackages = [ pkgs.keybase ];
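Review bot: `ExecStart` now runs `keybase -d service --auto-forked`, and the reason for `-d` is not documented. If it enables keybase's debug mode, as the short flag suggests, every machine that enables this unit logs verbosely to the journal by default. Either drop the flag (`${pkgs.keybase}/bin/keybase service --auto-forked`) or add a comment above `ExecStart` stating why debug output is wanted in the default configuration.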


@ -3,7 +3,6 @@
with lib; with lib;
let let
pkg = pkgs.softether;
cfg = config.services.softether; cfg = config.services.softether;
in in
@ -17,6 +16,15 @@ in
enable = mkEnableOption "SoftEther VPN services"; enable = mkEnableOption "SoftEther VPN services";
package = mkOption {
type = types.package;
default = pkgs.softether;
defaultText = "pkgs.softether";
description = ''
softether derivation to use.
'';
};
vpnserver.enable = mkEnableOption "SoftEther VPN Server"; vpnserver.enable = mkEnableOption "SoftEther VPN Server";
vpnbridge.enable = mkEnableOption "SoftEther VPN Bridge"; vpnbridge.enable = mkEnableOption "SoftEther VPN Bridge";
@ -41,7 +49,7 @@ in
dataDir = mkOption { dataDir = mkOption {
type = types.string; type = types.string;
default = "${pkg.dataDir}"; default = "${cfg.package.dataDir}";
description = '' description = ''
Data directory for SoftEther VPN. Data directory for SoftEther VPN.
''; '';
@ -57,12 +65,13 @@ in
mkMerge [{ mkMerge [{
environment.systemPackages = [ environment.systemPackages = [
(pkgs.lib.overrideDerivation pkg (attrs: { (pkgs.lib.overrideDerivation cfg.package (attrs: {
dataDir = cfg.dataDir; dataDir = cfg.dataDir;
})) }))
]; ];
systemd.services."softether-init" = { systemd.services."softether-init" = {
description = "SoftEther VPN services initial task"; description = "SoftEther VPN services initial task";
wantedBy = [ "network.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = false; RemainAfterExit = false;
@ -71,11 +80,11 @@ in
for d in vpnserver vpnbridge vpnclient vpncmd; do for d in vpnserver vpnbridge vpnclient vpncmd; do
if ! test -e ${cfg.dataDir}/$d; then if ! test -e ${cfg.dataDir}/$d; then
${pkgs.coreutils}/bin/mkdir -m0700 -p ${cfg.dataDir}/$d ${pkgs.coreutils}/bin/mkdir -m0700 -p ${cfg.dataDir}/$d
install -m0600 ${pkg}${cfg.dataDir}/$d/hamcore.se2 ${cfg.dataDir}/$d/hamcore.se2 install -m0600 ${cfg.package}${cfg.dataDir}/$d/hamcore.se2 ${cfg.dataDir}/$d/hamcore.se2
fi fi
done done
rm -rf ${cfg.dataDir}/vpncmd/vpncmd rm -rf ${cfg.dataDir}/vpncmd/vpncmd
ln -s ${pkg}${cfg.dataDir}/vpncmd/vpncmd ${cfg.dataDir}/vpncmd/vpncmd ln -s ${cfg.package}${cfg.dataDir}/vpncmd/vpncmd ${cfg.dataDir}/vpncmd/vpncmd
''; '';
}; };
} }
@ -83,17 +92,17 @@ in
(mkIf (cfg.vpnserver.enable) { (mkIf (cfg.vpnserver.enable) {
systemd.services.vpnserver = { systemd.services.vpnserver = {
description = "SoftEther VPN Server"; description = "SoftEther VPN Server";
after = [ "softether-init.service" "network.target" ]; after = [ "softether-init.service" ];
wants = [ "softether-init.service" ]; requires = [ "softether-init.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "network.target" ];
serviceConfig = { serviceConfig = {
Type = "forking"; Type = "forking";
ExecStart = "${pkg}/bin/vpnserver start"; ExecStart = "${cfg.package}/bin/vpnserver start";
ExecStop = "${pkg}/bin/vpnserver stop"; ExecStop = "${cfg.package}/bin/vpnserver stop";
}; };
preStart = '' preStart = ''
rm -rf ${cfg.dataDir}/vpnserver/vpnserver rm -rf ${cfg.dataDir}/vpnserver/vpnserver
ln -s ${pkg}${cfg.dataDir}/vpnserver/vpnserver ${cfg.dataDir}/vpnserver/vpnserver ln -s ${cfg.package}${cfg.dataDir}/vpnserver/vpnserver ${cfg.dataDir}/vpnserver/vpnserver
''; '';
postStop = '' postStop = ''
rm -rf ${cfg.dataDir}/vpnserver/vpnserver rm -rf ${cfg.dataDir}/vpnserver/vpnserver
@ -104,17 +113,17 @@ in
(mkIf (cfg.vpnbridge.enable) { (mkIf (cfg.vpnbridge.enable) {
systemd.services.vpnbridge = { systemd.services.vpnbridge = {
description = "SoftEther VPN Bridge"; description = "SoftEther VPN Bridge";
after = [ "softether-init.service" "network.target" ]; after = [ "softether-init.service" ];
wants = [ "softether-init.service" ]; requires = [ "softether-init.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "network.target" ];
serviceConfig = { serviceConfig = {
Type = "forking"; Type = "forking";
ExecStart = "${pkg}/bin/vpnbridge start"; ExecStart = "${cfg.package}/bin/vpnbridge start";
ExecStop = "${pkg}/bin/vpnbridge stop"; ExecStop = "${cfg.package}/bin/vpnbridge stop";
}; };
preStart = '' preStart = ''
rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge
ln -s ${pkg}${cfg.dataDir}/vpnbridge/vpnbridge ${cfg.dataDir}/vpnbridge/vpnbridge ln -s ${cfg.package}${cfg.dataDir}/vpnbridge/vpnbridge ${cfg.dataDir}/vpnbridge/vpnbridge
''; '';
postStop = '' postStop = ''
rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge rm -rf ${cfg.dataDir}/vpnbridge/vpnbridge
@ -125,17 +134,17 @@ in
(mkIf (cfg.vpnclient.enable) { (mkIf (cfg.vpnclient.enable) {
systemd.services.vpnclient = { systemd.services.vpnclient = {
description = "SoftEther VPN Client"; description = "SoftEther VPN Client";
after = [ "softether-init.service" "network.target" ]; after = [ "softether-init.service" ];
wants = [ "softether-init.service" ]; requires = [ "softether-init.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "network.target" ];
serviceConfig = { serviceConfig = {
Type = "forking"; Type = "forking";
ExecStart = "${pkg}/bin/vpnclient start"; ExecStart = "${cfg.package}/bin/vpnclient start";
ExecStop = "${pkg}/bin/vpnclient stop"; ExecStop = "${cfg.package}/bin/vpnclient stop";
}; };
preStart = '' preStart = ''
rm -rf ${cfg.dataDir}/vpnclient/vpnclient rm -rf ${cfg.dataDir}/vpnclient/vpnclient
ln -s ${pkg}${cfg.dataDir}/vpnclient/vpnclient ${cfg.dataDir}/vpnclient/vpnclient ln -s ${cfg.package}${cfg.dataDir}/vpnclient/vpnclient ${cfg.dataDir}/vpnclient/vpnclient
''; '';
postStart = '' postStart = ''
sleep 1 sleep 1
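Review bot: The `install` and `ln -s` lines in the `softether-init` script, and the `ln -s` lines in the `vpnserver`, `vpnbridge` and `vpnclient` `preStart` hunks, interpolate `${cfg.dataDir}` unquoted into shell scripts that also run `rm -rf` on the same path. `dataDir` is declared as a free-form `types.string`, so a value containing whitespace or glob characters changes what those commands operate on. Quote every expansion, e.g. `install -m0600 "${cfg.package}${cfg.dataDir}/$d/hamcore.se2" "${cfg.dataDir}/$d/hamcore.se2"` and `rm -rf "${cfg.dataDir}/vpncmd/vpncmd"`, or declare the option as `types.path`. The unit definitions continue outside the visible hunks.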


@ -105,7 +105,7 @@ in
description = "Unbound recursive Domain Name Server"; description = "Unbound recursive Domain Name Server";
after = [ "network.target" ]; after = [ "network.target" ];
before = [ "nss-lookup.target" ]; before = [ "nss-lookup.target" ];
wants = [" nss-lookup.target" ]; wants = [ "nss-lookup.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''


@ -329,7 +329,7 @@ in
}; };
mutable = mkOption { mutable = mkOption {
default = false; default = true;
type = types.bool; type = types.bool;
description = '' description = ''
Indicates whether to allow the contents of the `dataDir` directory to be changed Indicates whether to allow the contents of the `dataDir` directory to be changed


@ -42,6 +42,8 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Not wrapping "batch" because it's a shell script (kernel drops perms
# anyway) and it's patched to invoke the "at" setuid wrapper.
security.wrappers = builtins.listToAttrs ( security.wrappers = builtins.listToAttrs (
map (program: { name = "${program}"; value = { map (program: { name = "${program}"; value = {
source = "${at}/bin/${program}"; source = "${at}/bin/${program}";
@ -49,7 +51,7 @@ in
group = "atd"; group = "atd";
setuid = true; setuid = true;
setgid = true; setgid = true;
};}) [ "at" "atq" "atrm" "batch" ]); };}) [ "at" "atq" "atrm" ]);
environment.systemPackages = [ at ]; environment.systemPackages = [ at ];


@ -137,10 +137,7 @@ in
after = [ "local-fs.target" ]; after = [ "local-fs.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
# FIXME use specific path path = [ pkgs.fcron ];
environment = {
PATH = "/run/current-system/sw/bin";
};
preStart = '' preStart = ''
install \ install \
@ -149,7 +146,7 @@ in
--group fcron \ --group fcron \
--directory /var/spool/fcron --directory /var/spool/fcron
# load system crontab file # load system crontab file
/run/wrappers/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab} /run/wrappers/bin/fcrontab -u systab - < ${pkgs.writeText "systab" cfg.systab}
''; '';
serviceConfig = { serviceConfig = {


@ -23,8 +23,6 @@ let
stats = cfg.statsAddress; stats = cfg.statsAddress;
listen = cfg.listenAddress; listen = cfg.listenAddress;
}); });
script = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";
in { in {
options = { options = {
services.hologram-server = { services.hologram-server = {
@ -96,15 +94,9 @@ in {
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
inherit script; serviceConfig = {
ExecStart = "${pkgs.hologram.bin}/bin/hologram-server --debug --conf ${cfgFile}";
}; };
docker-containers.hologram-server = {
inherit script;
};
trivial-services.hologram-server = {
inherit script;
}; };
}; };
} }


@ -184,8 +184,10 @@ in
fi fi
'' + lib.optionalString cfg.localDatabaseCreate '' '' + lib.optionalString cfg.localDatabaseCreate ''
if ! test -e "${cfg.statePath}/.db-created"; then if ! test -e "${cfg.statePath}/.db-created"; then
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
${config.services.postgresql.package}/bin/psql postgres -c \ ${config.services.postgresql.package}/bin/psql postgres -c \
"CREATE ROLE ${cfg.localDatabaseUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.localDatabasePassword}'" "CREATE ROLE ${cfg.localDatabaseUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.localDatabasePassword}'"
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
${config.services.postgresql.package}/bin/createdb \ ${config.services.postgresql.package}/bin/createdb \
--owner ${cfg.localDatabaseUser} ${cfg.localDatabaseName} --owner ${cfg.localDatabaseUser} ${cfg.localDatabaseName}
touch ${cfg.statePath}/.db-created touch ${cfg.statePath}/.db-created
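Review bot: The `CREATE ROLE` statement that now runs under `sudo -u ${config.services.postgresql.superUser}` still embeds `${cfg.localDatabasePassword}` directly in the generated script. The password is therefore written into the start script in the world-readable Nix store and appears on the `psql` command line, and a password containing `'` ends the SQL string literal early. Since these lines are being touched, consider feeding the statement to `psql` on standard input from a file kept outside the store, and state on the `localDatabasePassword` option that the value ends up in the store. The `preStart` script begins and ends outside this hunk.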


@ -15,7 +15,8 @@ let
# Some modules are always imported and should not appear in the config: # Some modules are always imported and should not appear in the config:
# disallowedModules = [ "mod_indexfile" "mod_dirlisting" "mod_staticfile" ]; # disallowedModules = [ "mod_indexfile" "mod_dirlisting" "mod_staticfile" ];
# #
# Get full module list: "ls -1 $lighttpd/lib/*.so" # For full module list, see the output of running ./configure in the lighttpd
# source.
allKnownModules = [ allKnownModules = [
"mod_rewrite" "mod_rewrite"
"mod_redirect" "mod_redirect"
@ -38,12 +39,15 @@ let
"mod_accesslog" "mod_accesslog"
# Remaining list of modules, order assumed to be unimportant. # Remaining list of modules, order assumed to be unimportant.
"mod_authn_file" "mod_authn_file"
"mod_authn_gssapi"
"mod_authn_ldap"
"mod_authn_mysql" "mod_authn_mysql"
"mod_cml" "mod_cml"
"mod_deflate" "mod_deflate"
"mod_evasive" "mod_evasive"
"mod_extforward" "mod_extforward"
"mod_flv_streaming" "mod_flv_streaming"
"mod_geoip"
"mod_magnet" "mod_magnet"
"mod_mysql_vhost" "mod_mysql_vhost"
"mod_scgi" "mod_scgi"


@ -0,0 +1,115 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.traefik;
configFile =
if cfg.configFile == null then
pkgs.runCommand "config.toml" {
buildInputs = [ pkgs.remarshal ];
} ''
remarshal -if json -of toml \
< ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
> $out
''
else cfg.configFile;
in {
options.services.traefik = {
enable = mkEnableOption "Traefik web server";
configFile = mkOption {
default = null;
example = literalExample "/path/to/config.toml";
type = types.nullOr types.path;
description = ''
Path to verbatim traefik.toml to use.
(Using that option has precedence over <literal>configOptions</literal>)
'';
};
configOptions = mkOption {
description = ''
Config for Traefik.
'';
type = types.attrs;
default = {
defaultEntryPoints = ["http"];
entryPoints.http.address = ":80";
};
example = {
defaultEntrypoints = [ "http" ];
web.address = ":8080";
entryPoints.http.address = ":80";
file = {};
frontends = {
frontend1 = {
backend = "backend1";
routes.test_1.rule = "Host:localhost";
};
};
backends.backend1 = {
servers.server1.url = "http://localhost:8000";
};
};
};
dataDir = mkOption {
default = "/var/lib/traefik";
type = types.path;
description = ''
Location for any persistent data traefik creates, ie. acme
'';
};
package = mkOption {
default = pkgs.traefik;
defaultText = "pkgs.traefik";
type = types.package;
description = "Traefik package to use.";
};
};
config = mkIf cfg.enable {
systemd.services.traefik = {
description = "Traefik web server";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
PermissionsStartOnly = true;
ExecStart = ''${cfg.package.bin}/bin/traefik --configfile=${configFile}'';
ExecStartPre = [
''${pkgs.coreutils}/bin/mkdir -p "${cfg.dataDir}"''
''${pkgs.coreutils}/bin/chmod 700 "${cfg.dataDir}"''
''${pkgs.coreutils}/bin/chown -R traefik:traefik "${cfg.dataDir}"''
];
Type = "simple";
User = "traefik";
Group = "traefik";
Restart = "on-failure";
StartLimitInterval = 86400;
StartLimitBurst = 5;
AmbientCapabilities = "cap_net_bind_service";
CapabilityBoundingSet = "cap_net_bind_service";
NoNewPrivileges = true;
LimitNPROC = 64;
LimitNOFILE = 1048576;
PrivateTmp = true;
PrivateDevices = true;
ProtectHome = true;
ProtectSystem = "full";
ReadWriteDirectories = cfg.dataDir;
};
};
users.extraUsers.traefik = {
group = "traefik";
home = cfg.dataDir;
createHome = true;
};
users.extraGroups.traefik = {};
};
}
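Review bot: `ExecStartPre` runs `chown -R traefik:traefik "${cfg.dataDir}"` on every start, and because `PermissionsStartOnly = true` applies `User=` only to `ExecStart`, that recursive ownership change runs with full privileges over a tree the unprivileged `traefik` user can write to. Creating the directory with the right owner and mode in one step is enough and avoids walking service-writable content as root: `''${pkgs.coreutils}/bin/install -d -m 0700 -o traefik -g traefik "${cfg.dataDir}"''` in place of the three `mkdir`/`chmod`/`chown` entries. Separately, the `configOptions` example spells the key `defaultEntrypoints` while the default uses `defaultEntryPoints`; one of the two should be corrected.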


@ -7,7 +7,12 @@ let
cfg = config.services.compton; cfg = config.services.compton;
configFile = pkgs.writeText "compton.conf" configFile = let
opacityRules = optionalString (length cfg.opacityRules != 0)
(concatStringsSep "\n"
(map (a: "opacity-rule = [ \"${a}\" ];") cfg.opacityRules)
);
in pkgs.writeText "compton.conf"
(optionalString cfg.fade '' (optionalString cfg.fade ''
# fading # fading
fading = true; fading = true;
@ -31,6 +36,8 @@ let
inactive-opacity = ${cfg.inactiveOpacity}; inactive-opacity = ${cfg.inactiveOpacity};
menu-opacity = ${cfg.menuOpacity}; menu-opacity = ${cfg.menuOpacity};
${opacityRules}
# other options # other options
backend = ${toJSON cfg.backend}; backend = ${toJSON cfg.backend};
vsync = ${toJSON cfg.vSync}; vsync = ${toJSON cfg.vSync};
@ -155,6 +162,14 @@ in {
''; '';
}; };
opacityRules = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Opacity rules to be handled by compton.
'';
};
backend = mkOption { backend = mkOption {
type = types.str; type = types.str;
default = "glx"; default = "glx";
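Review bot: `opacityRules` is rendered as one `opacity-rule = [ "..." ];` line per list element, so a list with two or more entries writes the same setting several times into `compton.conf`. As far as I know compton expects a single `opacity-rule` list, so the repeated lines would be rejected or override each other; this is worth confirming against compton. The rule strings are also placed between escaped quotes without any escaping of their own. Rendering the list once with the helper already used for `backend` avoids both problems: `opacity-rule = ${toJSON cfg.opacityRules};`, kept under the existing `optionalString (length cfg.opacityRules != 0)` guard.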


@ -72,6 +72,7 @@ in
]; ];
services.gnome3.gnome-keyring.enable = true; services.gnome3.gnome-keyring.enable = true;
services.upower.enable = config.powerManagement.enable;
environment.pathsToLink = [ "/share" ]; environment.pathsToLink = [ "/share" ];
}; };


@ -142,7 +142,8 @@ in
kde-gtk-config breeze-gtk kde-gtk-config breeze-gtk
phonon-backend-gstreamer libsForQt56.phonon-backend-gstreamer
libsForQt5.phonon-backend-gstreamer
] ]
++ lib.optionals cfg.enableQt4Support [ breeze-qt4 pkgs.phonon-backend-gstreamer ] ++ lib.optionals cfg.enableQt4Support [ breeze-qt4 pkgs.phonon-backend-gstreamer ]


@ -75,7 +75,8 @@ in {
default = null; default = null;
description = description =
'' ''
Enables a click method. Permitted values are none, buttonareas, clickfinger. Enables a click method. Permitted values are <literal>none</literal>,
<literal>buttonareas</literal>, <literal>clickfinger</literal>.
Not all devices support all methods, if an option is unsupported, Not all devices support all methods, if an option is unsupported,
the default click method for this device is used. the default click method for this device is used.
''; '';
@ -120,7 +121,8 @@ in {
example = "edge"; example = "edge";
description = description =
'' ''
Specify the scrolling method. Specify the scrolling method: <literal>twofinger</literal>, <literal>edge</literal>,
or <literal>none</literal>
''; '';
}; };
@ -141,7 +143,8 @@ in {
example = "disabled"; example = "disabled";
description = description =
'' ''
Sets the send events mode to disabled, enabled, or "disable when an external mouse is connected". Sets the send events mode to <literal>disabled</literal>, <literal>enabled</literal>,
or <literal>disabled-on-external-mouse</literal>
''; '';
}; };


@ -31,7 +31,17 @@ in
type = types.string; type = types.string;
description = '' description = ''
The script to use when locking the computer. The script to use when automatically locking the computer.
'';
};
nowlocker = mkOption {
default = null;
example = "i3lock -i /path/to/img";
type = types.nullOr types.string;
description = ''
The script to use when manually locking the computer with <command>xautolock -locknow</command>.
''; '';
}; };
@ -45,28 +55,82 @@ in
}; };
notifier = mkOption { notifier = mkOption {
default = "notify-send 'Locking in 10 seconds'"; default = null;
type = types.string; example = literalExample ''
"${pkgs.libnotify}/bin/notify-send \"Locking in 10 seconds\""
'';
type = types.nullOr types.string;
description = '' description = ''
Notification script to be used to warn about the pending autolock. Notification script to be used to warn about the pending autolock.
''; '';
}; };
killer = mkOption {
default = null; # default according to `man xautolock` is none
example = "systemctl suspend";
type = types.nullOr types.string;
description = ''
The script to use when nothing has happend for as long as <option>killtime</option>
'';
};
killtime = mkOption {
default = 20; # default according to `man xautolock`
type = types.int;
description = ''
Minutes xautolock waits until it executes the script specified in <option>killer</option>
(Has to be at least 10 minutes)
'';
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "-detectsleep" ];
description = ''
Additional command-line arguments to pass to
<command>xautolock</command>.
'';
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [ xautolock ]; environment.systemPackages = with pkgs; [ xautolock ];
systemd.user.services.xautolock = {
services.xserver.displayManager.sessionCommands = with builtins; with pkgs; '' description = "xautolock service";
${xautolock}/bin/xautolock \ wantedBy = [ "graphical-session.target" ];
${concatStringsSep " \\\n" ([ partOf = [ "graphical-session.target" ];
"-time ${toString(cfg.time)}" serviceConfig = with lib; {
"-locker ${cfg.locker}" ExecStart = strings.concatStringsSep " " ([
] ++ optional cfg.enableNotifier (concatStringsSep " " [ "${pkgs.xautolock}/bin/xautolock"
"-notify ${toString(cfg.notify)}" "-noclose"
"-notifier \"${cfg.notifier}\"" "-time ${toString cfg.time}"
]))} & "-locker '${cfg.locker}'"
''; ] ++ optionals cfg.enableNotifier [
"-notify ${toString cfg.notify}"
"-notifier '${cfg.notifier}'"
] ++ optionals (cfg.nowlocker != null) [
"-nowlocker '${cfg.nowlocker}'"
] ++ optionals (cfg.killer != null) [
"-killer '${cfg.killer}'"
"-killtime ${toString cfg.killtime}"
] ++ cfg.extraOptions);
Restart = "always";
};
};
assertions = [
{
assertion = cfg.enableNotifier -> cfg.notifier != null;
message = "When enabling the notifier for xautolock, you also need to specify the notify script";
}
{
assertion = cfg.killer != null -> cfg.killtime >= 10;
message = "killtime has to be at least 10 minutes according to `man xautolock`";
}
];
}; };
} }
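Review bot: The `ExecStart` line wraps `cfg.locker`, `cfg.notifier`, `cfg.nowlocker` and `cfg.killer` in single quotes without escaping, so a command that itself contains a single quote is split into the wrong arguments, and the option descriptions do not mention this restriction. Add a sentence to each description, e.g. `The value is placed inside single quotes on the xautolock command line and must not contain a single quote.`, or add a matching entry to the `assertions` list next to the two existing ones. The `killer` description also contains the typo `happend`.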


@ -193,11 +193,6 @@ in
"sd_mod" "sd_mod"
"sr_mod" "sr_mod"
# Standard IDE stuff.
"ide_cd"
"ide_disk"
"ide_generic"
# SD cards and internal eMMC drives. # SD cards and internal eMMC drives.
"mmc_block" "mmc_block"
@ -211,21 +206,11 @@ in
"xhci_hcd" "xhci_hcd"
"xhci_pci" "xhci_pci"
"usbhid" "usbhid"
"hid_generic" "hid_lenovo" "hid_generic" "hid_lenovo" "hid_apple" "hid_roccat"
"hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
# Misc. keyboard stuff. # Misc. keyboard stuff.
"pcips2" "atkbd" "i8042" "pcips2" "atkbd" "i8042"
# Temporary fix for https://github.com/NixOS/nixpkgs/issues/18451
# Remove as soon as upstream gets fixed - marking it:
# TODO
# FIXME
"i8042"
# To wait for SCSI devices to appear.
"scsi_wait_scan"
# Needed by the stage 2 init script. # Needed by the stage 2 init script.
"rtc_cmos" "rtc_cmos"
]; ];


@ -197,7 +197,7 @@ sub GrubFs {
if ($status != 0) { if ($status != 0) {
die "Failed to retrieve subvolume info for @{[$fs->mount]}\n"; die "Failed to retrieve subvolume info for @{[$fs->mount]}\n";
} }
my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/; my @ids = join("\n", @id_info) =~ m/^(?!\/\n).*Subvolume ID:[ \t\n]*([0-9]+)/s;
if ($#ids > 0) { if ($#ids > 0) {
die "Btrfs subvol name for @{[$fs->device]} listed multiple times in mount\n" die "Btrfs subvol name for @{[$fs->device]} listed multiple times in mount\n"
} elsif ($#ids == 0) { } elsif ($#ids == 0) {


@ -36,7 +36,7 @@ let
keyFile = mkOption { keyFile = mkOption {
default = null; default = null;
example = "/root/.swapkey"; example = "/mnt-root/root/.swapkey";
type = types.nullOr types.str; type = types.nullOr types.str;
description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>."; description = "File system location of keyfile. This unlocks the drive after the root has been mounted to <literal>/mnt-root</literal>.";
}; };
@ -67,7 +67,6 @@ in
luks = { luks = {
devices = devices =
map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs; map (dev: { name = dev.encrypted.label; device = dev.encrypted.blkDev; } ) keylessEncDevs;
cryptoModules = [ "aes" "sha256" "sha1" "xts" ];
forceLuksSupportInInitrd = true; forceLuksSupportInInitrd = true;
}; };
postMountCommands = postMountCommands =


@ -5,7 +5,8 @@
system.fsPackages = [ pkgs.e2fsprogs ]; system.fsPackages = [ pkgs.e2fsprogs ];
boot.initrd.availableKernelModules = [ "ext2" "ext3" "ext4" ]; # As of kernel 4.3, there is no separate ext3 driver (they're also handled by ext4.ko)
boot.initrd.availableKernelModules = [ "ext2" "ext4" ];
boot.initrd.extraUtilsCommands = boot.initrd.extraUtilsCommands =
'' ''


@ -16,6 +16,7 @@ in {
powertop = { powertop = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "Powertop tunings"; description = "Powertop tunings";
path = [ pkgs.kmod ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = "yes"; RemainAfterExit = "yes";


@ -33,9 +33,9 @@ in
} }
'' ''
# Create partition table # Create partition table
${pkgs.parted}/sbin/parted /dev/vda mklabel msdos ${pkgs.parted}/sbin/parted --script /dev/vda mklabel msdos
${pkgs.parted}/sbin/parted /dev/vda mkpart primary ext4 1 ${diskSize} ${pkgs.parted}/sbin/parted --script /dev/vda mkpart primary ext4 1 ${diskSize}
${pkgs.parted}/sbin/parted /dev/vda print ${pkgs.parted}/sbin/parted --script /dev/vda print
. /sys/class/block/vda1/uevent . /sys/class/block/vda1/uevent
mknod /dev/vda1 b $MAJOR $MINOR mknod /dev/vda1 b $MAJOR $MINOR


@ -223,5 +223,21 @@ let self = {
"17.03".us-west-2.hvm-ebs = "ami-a93daac9"; "17.03".us-west-2.hvm-ebs = "ami-a93daac9";
"17.03".us-west-2.hvm-s3 = "ami-5139ae31"; "17.03".us-west-2.hvm-s3 = "ami-5139ae31";
latest = self."17.03"; # 17.09.1483.d0f0657ca0
"17.09".eu-west-1.hvm-ebs = "ami-cf33e7b6";
"17.09".eu-west-2.hvm-ebs = "ami-7d061419";
"17.09".eu-central-1.hvm-ebs = "ami-7548fa1a";
"17.09".us-east-1.hvm-ebs = "ami-6f669d15";
"17.09".us-east-2.hvm-ebs = "ami-cbe1ccae";
"17.09".us-west-1.hvm-ebs = "ami-9d95a5fd";
"17.09".us-west-2.hvm-ebs = "ami-d3956fab";
"17.09".ca-central-1.hvm-ebs = "ami-ee4ef78a";
"17.09".ap-southeast-1.hvm-ebs = "ami-1dfc807e";
"17.09".ap-southeast-2.hvm-ebs = "ami-dcb350be";
"17.09".ap-northeast-1.hvm-ebs = "ami-00ec3d66";
"17.09".ap-northeast-2.hvm-ebs = "ami-1107dd7f";
"17.09".sa-east-1.hvm-ebs = "ami-0377086f";
"17.09".ap-south-1.hvm-ebs = "ami-4a064625";
latest = self."17.09";
}; in self }; in self


@ -24,7 +24,12 @@ with lib;
copy_bin_and_libs ${pkgs.gnused}/bin/sed copy_bin_and_libs ${pkgs.gnused}/bin/sed
copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk
copy_bin_and_libs ${pkgs.utillinux}/sbin/lsblk copy_bin_and_libs ${pkgs.utillinux}/sbin/lsblk
cp -v ${pkgs.cloud-utils}/bin/.growpart-wrapped $out/bin/growpart
substitute "${pkgs.cloud-utils}/bin/.growpart-wrapped" "$out/bin/growpart" \
--replace "${pkgs.bash}/bin/sh" "/bin/sh" \
--replace "awk" "gawk" \
--replace "sed" "gnused"
ln -s sed $out/bin/gnused ln -s sed $out/bin/gnused
''; '';
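Review bot: The `substitute` call replaces the bare substrings `awk` and `sed` everywhere in `.growpart-wrapped`, not only where they are invoked as commands, so any other token in that script containing `sed` or `awk` (a variable name, a message, a longer command name) is rewritten too. A comment above the call would make this visible to whoever updates the package, e.g. `# NB: --replace is a plain substring replacement; re-check the script for other matches when cloud-utils changes`. Whether the current script contains such matches cannot be told from this hunk, and the enclosing script starts outside it.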


@ -42,12 +42,11 @@ in rec {
name = "nixos-${nixos.channel.version}"; name = "nixos-${nixos.channel.version}";
meta = { meta = {
description = "Release-critical builds for the NixOS channel"; description = "Release-critical builds for the NixOS channel";
maintainers = [ pkgs.lib.maintainers.eelco ]; maintainers = with pkgs.lib.maintainers; [ eelco fpletz ];
}; };
constituents = constituents =
let let
all = x: map (system: x.${system}) all = x: map (system: x.${system}) supportedSystems;
(supportedSystems ++ limitedSupportedSystems);
in [ in [
nixos.channel nixos.channel
(all nixos.dummy) (all nixos.dummy)
@ -61,7 +60,7 @@ in rec {
nixos.tests.chromium nixos.tests.chromium
(all nixos.tests.firefox) (all nixos.tests.firefox)
(all nixos.tests.firewall) (all nixos.tests.firewall)
nixos.tests.gnome3.x86_64-linux # FIXME: i686-linux (all nixos.tests.gnome3)
nixos.tests.installer.zfsroot.x86_64-linux # ZFS is 64bit only nixos.tests.installer.zfsroot.x86_64-linux # ZFS is 64bit only
(all nixos.tests.installer.lvm) (all nixos.tests.installer.lvm)
(all nixos.tests.installer.luksroot) (all nixos.tests.installer.luksroot)
@ -80,9 +79,8 @@ in rec {
(all nixos.tests.boot.uefiCdrom) (all nixos.tests.boot.uefiCdrom)
(all nixos.tests.boot.uefiUsb) (all nixos.tests.boot.uefiUsb)
(all nixos.tests.boot-stage1) (all nixos.tests.boot-stage1)
nixos.tests.hibernate.x86_64-linux # i686 is flaky, see #23107 (all nixos.tests.hibernate)
nixos.tests.docker nixos.tests.docker
nixos.tests.docker-edge
(all nixos.tests.ecryptfs) (all nixos.tests.ecryptfs)
(all nixos.tests.env) (all nixos.tests.env)
(all nixos.tests.ipv6) (all nixos.tests.ipv6)
@ -93,7 +91,7 @@ in rec {
(all nixos.tests.keymap.dvp) (all nixos.tests.keymap.dvp)
(all nixos.tests.keymap.neo) (all nixos.tests.keymap.neo)
(all nixos.tests.keymap.qwertz) (all nixos.tests.keymap.qwertz)
nixos.tests.plasma5.x86_64-linux # avoid big build on i686 (all nixos.tests.plasma5)
#(all nixos.tests.lightdm) #(all nixos.tests.lightdm)
(all nixos.tests.login) (all nixos.tests.login)
(all nixos.tests.misc) (all nixos.tests.misc)


@ -214,6 +214,7 @@ in rec {
# Run the tests for each platform. You can run a test by doing # Run the tests for each platform. You can run a test by doing
# e.g. nix-build -A tests.login.x86_64-linux, or equivalently, # e.g. nix-build -A tests.login.x86_64-linux, or equivalently,
# nix-build tests/login.nix -A result. # nix-build tests/login.nix -A result.
tests.atd = callTest tests/atd.nix {};
tests.acme = callTest tests/acme.nix {}; tests.acme = callTest tests/acme.nix {};
tests.avahi = callTest tests/avahi.nix {}; tests.avahi = callTest tests/avahi.nix {};
tests.bittorrent = callTest tests/bittorrent.nix {}; tests.bittorrent = callTest tests/bittorrent.nix {};
@ -249,6 +250,7 @@ in rec {
tests.firewall = callTest tests/firewall.nix {}; tests.firewall = callTest tests/firewall.nix {};
tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; }); tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; });
#tests.gitlab = callTest tests/gitlab.nix {}; #tests.gitlab = callTest tests/gitlab.nix {};
tests.gitolite = callTest tests/gitolite.nix {};
tests.glance = callTest tests/glance.nix {}; tests.glance = callTest tests/glance.nix {};
tests.gocd-agent = callTest tests/gocd-agent.nix {}; tests.gocd-agent = callTest tests/gocd-agent.nix {};
tests.gocd-server = callTest tests/gocd-server.nix {}; tests.gocd-server = callTest tests/gocd-server.nix {};
@ -303,8 +305,10 @@ in rec {
#tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; }); #tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; });
tests.peerflix = callTest tests/peerflix.nix {}; tests.peerflix = callTest tests/peerflix.nix {};
tests.postgresql = callSubTests tests/postgresql.nix {}; tests.postgresql = callSubTests tests/postgresql.nix {};
tests.postgis = callTest tests/postgis.nix {};
#tests.pgjwt = callTest tests/pgjwt.nix {}; #tests.pgjwt = callTest tests/pgjwt.nix {};
tests.printing = callTest tests/printing.nix {}; tests.printing = callTest tests/printing.nix {};
tests.prometheus = callTest tests/prometheus.nix {};
tests.proxy = callTest tests/proxy.nix {}; tests.proxy = callTest tests/proxy.nix {};
tests.pumpio = callTest tests/pump.io.nix {}; tests.pumpio = callTest tests/pump.io.nix {};
# tests.quagga = callTest tests/quagga.nix {}; # tests.quagga = callTest tests/quagga.nix {};

36
nixos/tests/atd.nix Normal file

@ -0,0 +1,36 @@
import ./make-test.nix ({ pkgs, lib, ... }:
{
name = "atd";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ bjornfor ];
};
machine =
{ config, pkgs, ... }:
{ services.atd.enable = true;
users.extraUsers.alice = { isNormalUser = true; };
};
# "at" has a resolution of 1 minute
testScript = ''
startAll;
$machine->fail("test -f ~root/at-1");
$machine->fail("test -f ~root/batch-1");
$machine->fail("test -f ~alice/at-1");
$machine->fail("test -f ~alice/batch-1");
$machine->succeed("echo 'touch ~root/at-1' | at now+1min");
$machine->succeed("echo 'touch ~root/batch-1' | batch");
$machine->succeed("su - alice -c \"echo 'touch at-1' | at now+1min\"");
$machine->succeed("su - alice -c \"echo 'touch batch-1' | batch\"");
$machine->succeed("sleep 1.5m");
$machine->succeed("test -f ~root/at-1");
$machine->succeed("test -f ~root/batch-1");
$machine->succeed("test -f ~alice/at-1");
$machine->succeed("test -f ~alice/batch-1");
'';
})
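Review bot: The fixed `sleep 1.5m` before the final four checks makes the test slow and timing-dependent. `batch` only starts jobs once the load average is below atd's threshold, so on a busy builder `batch-1` may not exist after 90 seconds. Polling is sturdier, for example `$machine->waitUntilSucceeds("test -f ~root/at-1");` for each of the four files. The existing comment `# "at" has a resolution of 1 minute` could also say that this is why the jobs are scheduled with `now+1min`.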

139
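--- a/nixos/tests/gitolite.nix
+++ b/nixos/tests/gitolite.nix
@@ -0,0 +1,139 @@
+import ./make-test.nix ({ pkgs, ...}:
+let
+adminPrivateKey = pkgs.writeText "id_ed25519" ''
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3gAAAJBJiYxDSYmM
+QwAAAAtzc2gtZWQyNTUxOQAAACDu7qxYQAPdAU6RrhB3llk2N1v4PTwcVzcX1oX265uC3g
+AAAEDE1W6vMwSEUcF1r7Hyypm/+sCOoDmKZgPxi3WOa1mD2u7urFhAA90BTpGuEHeWWTY3
+W/g9PBxXNxfWhfbrm4LeAAAACGJmb0BtaW5pAQIDBAU=
+-----END OPENSSH PRIVATE KEY-----
+'';
+adminPublicKey = pkgs.writeText "id_ed25519.pub" ''
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7urFhAA90BTpGuEHeWWTY3W/g9PBxXNxfWhfbrm4Le root@client
+'';
+alicePrivateKey = pkgs.writeText "id_ed25519" ''
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQAAAJAwVQ5VMFUO
+VQAAAAtzc2gtZWQyNTUxOQAAACBbeWvHh/AWGWI6EIc1xlSihyXtacNQ9KeztlW/VUy8wQ
+AAAEB7lbfkkdkJoE+4TKHPdPQWBKLSx+J54Eg8DaTr+3KoSlt5a8eH8BYZYjoQhzXGVKKH
+Je1pw1D0p7O2Vb9VTLzBAAAACGJmb0BtaW5pAQIDBAU=
+-----END OPENSSH PRIVATE KEY-----
+'';
+alicePublicKey = pkgs.writeText "id_ed25519.pub" ''
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt5a8eH8BYZYjoQhzXGVKKHJe1pw1D0p7O2Vb9VTLzB alice@client
+'';
+bobPrivateKey = pkgs.writeText "id_ed25519" ''
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMAAAAJDQBmNV0AZj
+VQAAAAtzc2gtZWQyNTUxOQAAACCWTaJ1D9Xjxy6759FvQ9oXTes1lmWBciXPkEeqTikBMA
+AAAEDM1IYYFUwk/IVxauha9kuR6bbRtT3gZ6ZA0GLb9txb/pZNonUP1ePHLrvn0W9D2hdN
+6zWWZYFyJc+QR6pOKQEwAAAACGJmb0BtaW5pAQIDBAU=
+-----END OPENSSH PRIVATE KEY-----
+'';
+bobPublicKey = pkgs.writeText "id_ed25519.pub" ''
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZNonUP1ePHLrvn0W9D2hdN6zWWZYFyJc+QR6pOKQEw bob@client
+'';
+gitoliteAdminConfSnippet = ''
+repo alice-project
+RW+ = alice
+'';
+in
+{
+name = "gitolite";
+meta = with pkgs.stdenv.lib.maintainers; {
+maintainers = [ bjornfor ];
+};
+nodes = {
+server =
+{ config, pkgs, lib, ... }:
+{
+services.gitolite = {
+enable = true;
+adminPubkey = builtins.readFile adminPublicKey;
+};
+services.openssh.enable = true;
+};
+client =
+{ config, pkgs, lib, ... }:
+{
+environment.systemPackages = [ pkgs.git ];
+programs.ssh.extraConfig = ''
+Host *
+UserKnownHostsFile /dev/null
+StrictHostKeyChecking no
+# there's nobody around that can input password
+PreferredAuthentications publickey
+'';
+users.extraUsers.alice = { isNormalUser = true; };
+users.extraUsers.bob = { isNormalUser = true; };
+};
+};
+testScript = ''
+startAll;
+subtest "can setup ssh keys on system", sub {
+$client->mustSucceed("mkdir -p ~root/.ssh");
+$client->mustSucceed("cp ${adminPrivateKey} ~root/.ssh/id_ed25519");
+$client->mustSucceed("chmod 600 ~root/.ssh/id_ed25519");
+$client->mustSucceed("sudo -u alice mkdir -p ~alice/.ssh");
+$client->mustSucceed("sudo -u alice cp ${alicePrivateKey} ~alice/.ssh/id_ed25519");
+$client->mustSucceed("sudo -u alice chmod 600 ~alice/.ssh/id_ed25519");
+$client->mustSucceed("sudo -u bob mkdir -p ~bob/.ssh");
+$client->mustSucceed("sudo -u bob cp ${bobPrivateKey} ~bob/.ssh/id_ed25519");
+$client->mustSucceed("sudo -u bob chmod 600 ~bob/.ssh/id_ed25519");
+};
+subtest "gitolite server starts", sub {
+$server->waitForUnit("gitolite-init.service");
+$server->waitForUnit("sshd.service");
+$client->mustSucceed('ssh gitolite@server info');
+};
+subtest "admin can clone and configure gitolite-admin.git", sub {
+$client->mustSucceed('git clone gitolite@server:gitolite-admin.git');
+$client->mustSucceed("git config --global user.name 'System Administrator'");
+$client->mustSucceed("git config --global user.email root\@domain.example");
+$client->mustSucceed("cp ${alicePublicKey} gitolite-admin/keydir/alice.pub");
+$client->mustSucceed("cp ${bobPublicKey} gitolite-admin/keydir/bob.pub");
+$client->mustSucceed('(cd gitolite-admin && git add . && git commit -m "Add keys for alice, bob" && git push)');
+$client->mustSucceed("printf '${gitoliteAdminConfSnippet}' >> gitolite-admin/conf/gitolite.conf");
+$client->mustSucceed('(cd gitolite-admin && git add . && git commit -m "Add repo for alice" && git push)');
+};
+subtest "non-admins cannot clone gitolite-admin.git", sub {
+$client->mustFail('sudo -i -u alice git clone gitolite@server:gitolite-admin.git');
+$client->mustFail('sudo -i -u bob git clone gitolite@server:gitolite-admin.git');
+};
+subtest "non-admins can clone testing.git", sub {
+$client->mustSucceed('sudo -i -u alice git clone gitolite@server:testing.git');
+$client->mustSucceed('sudo -i -u bob git clone gitolite@server:testing.git');
+};
+subtest "alice can clone alice-project.git", sub {
+$client->mustSucceed('sudo -i -u alice git clone gitolite@server:alice-project.git');
+};
+subtest "bob cannot clone alice-project.git", sub {
+$client->mustFail('sudo -i -u bob git clone gitolite@server:alice-project.git');
+};
+'';
+})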
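Review bot: The three private keys go through `pkgs.writeText`, so they land in the world-readable Nix store as well as in this public repository, and nothing in the file says they are fixtures. I would add a comment above `adminPrivateKey` such as `# Throwaway keys for this test only; they are public and must never be authorised on a real host.` The client's `StrictHostKeyChecking no` with `UserKnownHostsFile /dev/null` deserves a similar remark, `# test VM only: host key verification is disabled`, so the block is not copied into a real configuration. Separately, `printf '${gitoliteAdminConfSnippet}'` uses the snippet as the format string; passing it as the argument to `printf '%s'` would stay correct if a `%` or backslash is ever added to it.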


@ -260,9 +260,9 @@ in {
{ createPartitions = { createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/vda mklabel msdos", "parted --script /dev/vda mklabel msdos",
"parted /dev/vda -- mkpart primary linux-swap 1M 1024M", "parted --script /dev/vda -- mkpart primary linux-swap 1M 1024M",
"parted /dev/vda -- mkpart primary ext2 1024M -1s", "parted --script /dev/vda -- mkpart primary ext2 1024M -1s",
"udevadm settle", "udevadm settle",
"mkswap /dev/vda1 -L swap", "mkswap /dev/vda1 -L swap",
"swapon -L swap", "swapon -L swap",
@ -277,11 +277,11 @@ in {
{ createPartitions = { createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/vda mklabel gpt", "parted --script /dev/vda mklabel gpt",
"parted -s /dev/vda -- mkpart ESP fat32 1M 50MiB", # /boot "parted --script /dev/vda -- mkpart ESP fat32 1M 50MiB", # /boot
"parted -s /dev/vda -- set 1 boot on", "parted --script /dev/vda -- set 1 boot on",
"parted -s /dev/vda -- mkpart primary linux-swap 50MiB 1024MiB", "parted --script /dev/vda -- mkpart primary linux-swap 50MiB 1024MiB",
"parted -s /dev/vda -- mkpart primary ext2 1024MiB -1MiB", # / "parted --script /dev/vda -- mkpart primary ext2 1024MiB -1MiB", # /
"udevadm settle", "udevadm settle",
"mkswap /dev/vda2 -L swap", "mkswap /dev/vda2 -L swap",
"swapon -L swap", "swapon -L swap",
@ -300,10 +300,10 @@ in {
{ createPartitions = { createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/vda mklabel msdos", "parted --script /dev/vda mklabel msdos",
"parted /dev/vda -- mkpart primary ext2 1M 50MB", # /boot "parted --script /dev/vda -- mkpart primary ext2 1M 50MB", # /boot
"parted /dev/vda -- mkpart primary linux-swap 50MB 1024M", "parted --script /dev/vda -- mkpart primary linux-swap 50MB 1024M",
"parted /dev/vda -- mkpart primary ext2 1024M -1s", # / "parted --script /dev/vda -- mkpart primary ext2 1024M -1s", # /
"udevadm settle", "udevadm settle",
"mkswap /dev/vda2 -L swap", "mkswap /dev/vda2 -L swap",
"swapon -L swap", "swapon -L swap",
@ -321,10 +321,10 @@ in {
{ createPartitions = { createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/vda mklabel msdos", "parted --script /dev/vda mklabel msdos",
"parted /dev/vda -- mkpart primary ext2 1M 50MB", # /boot "parted --script /dev/vda -- mkpart primary ext2 1M 50MB", # /boot
"parted /dev/vda -- mkpart primary linux-swap 50MB 1024M", "parted --script /dev/vda -- mkpart primary linux-swap 50MB 1024M",
"parted /dev/vda -- mkpart primary ext2 1024M -1s", # / "parted --script /dev/vda -- mkpart primary ext2 1024M -1s", # /
"udevadm settle", "udevadm settle",
"mkswap /dev/vda2 -L swap", "mkswap /dev/vda2 -L swap",
"swapon -L swap", "swapon -L swap",
@ -357,9 +357,9 @@ in {
createPartitions = createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/vda mklabel msdos", "parted --script /dev/vda mklabel msdos",
"parted /dev/vda -- mkpart primary linux-swap 1M 1024M", "parted --script /dev/vda -- mkpart primary linux-swap 1M 1024M",
"parted /dev/vda -- mkpart primary 1024M -1s", "parted --script /dev/vda -- mkpart primary 1024M -1s",
"udevadm settle", "udevadm settle",
"mkswap /dev/vda1 -L swap", "mkswap /dev/vda1 -L swap",
@ -380,11 +380,11 @@ in {
{ createPartitions = { createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/vda mklabel msdos", "parted --script /dev/vda mklabel msdos",
"parted /dev/vda -- mkpart primary 1M 2048M", # PV1 "parted --script /dev/vda -- mkpart primary 1M 2048M", # PV1
"parted /dev/vda -- set 1 lvm on", "parted --script /dev/vda -- set 1 lvm on",
"parted /dev/vda -- mkpart primary 2048M -1s", # PV2 "parted --script /dev/vda -- mkpart primary 2048M -1s", # PV2
"parted /dev/vda -- set 2 lvm on", "parted --script /dev/vda -- set 2 lvm on",
"udevadm settle", "udevadm settle",
"pvcreate /dev/vda1 /dev/vda2", "pvcreate /dev/vda1 /dev/vda2",
"vgcreate MyVolGroup /dev/vda1 /dev/vda2", "vgcreate MyVolGroup /dev/vda1 /dev/vda2",
@ -402,10 +402,10 @@ in {
luksroot = makeInstallerTest "luksroot" luksroot = makeInstallerTest "luksroot"
{ createPartitions = '' { createPartitions = ''
$machine->succeed( $machine->succeed(
"parted /dev/vda mklabel msdos", "parted --script /dev/vda mklabel msdos",
"parted /dev/vda -- mkpart primary ext2 1M 50MB", # /boot "parted --script /dev/vda -- mkpart primary ext2 1M 50MB", # /boot
"parted /dev/vda -- mkpart primary linux-swap 50M 1024M", "parted --script /dev/vda -- mkpart primary linux-swap 50M 1024M",
"parted /dev/vda -- mkpart primary 1024M -1s", # LUKS "parted --script /dev/vda -- mkpart primary 1024M -1s", # LUKS
"udevadm settle", "udevadm settle",
"mkswap /dev/vda2 -L swap", "mkswap /dev/vda2 -L swap",
"swapon -L swap", "swapon -L swap",
@ -434,7 +434,7 @@ in {
{ createPartitions = { createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/vda --" "parted --script /dev/vda --"
. " mklabel msdos" . " mklabel msdos"
. " mkpart primary ext2 1M 100MB" # /boot . " mkpart primary ext2 1M 100MB" # /boot
. " mkpart extended 100M -1s" . " mkpart extended 100M -1s"
@ -469,9 +469,9 @@ in {
{ createPartitions = { createPartitions =
'' ''
$machine->succeed( $machine->succeed(
"parted /dev/sda mklabel msdos", "parted --script /dev/sda mklabel msdos",
"parted /dev/sda -- mkpart primary linux-swap 1M 1024M", "parted --script /dev/sda -- mkpart primary linux-swap 1M 1024M",
"parted /dev/sda -- mkpart primary ext2 1024M -1s", "parted --script /dev/sda -- mkpart primary ext2 1024M -1s",
"udevadm settle", "udevadm settle",
"mkswap /dev/sda1 -L swap", "mkswap /dev/sda1 -L swap",
"swapon -L swap", "swapon -L swap",


@ -0,0 +1,5 @@
{ system ? builtins.currentSystem }:
{
example-config = import ./example-config.nix { inherit system; };
deprecated-config = import ./deprecated-config.nix { inherit system; };
}


@ -0,0 +1,48 @@
# Verifies that the configuration suggested in deprecated example values
# will result in the expected output.
import ../make-test.nix ({ pkgs, ...} : {
name = "krb5-with-deprecated-config";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eqyiel ];
};
machine =
{ config, pkgs, ... }: {
krb5 = {
enable = true;
defaultRealm = "ATHENA.MIT.EDU";
domainRealm = "athena.mit.edu";
kdc = "kerberos.mit.edu";
kerberosAdminServer = "kerberos.mit.edu";
};
};
testScript =
let snapshot = pkgs.writeText "krb5-with-deprecated-config.conf" ''
[libdefaults]
default_realm = ATHENA.MIT.EDU
[realms]
ATHENA.MIT.EDU = {
admin_server = kerberos.mit.edu
kdc = kerberos.mit.edu
}
[domain_realm]
.athena.mit.edu = ATHENA.MIT.EDU
athena.mit.edu = ATHENA.MIT.EDU
[capaths]
[appdefaults]
[plugins]
'';
in ''
$machine->succeed("diff /etc/krb5.conf ${snapshot}");
'';
})


@ -0,0 +1,106 @@
# Verifies that the configuration suggested in (non-deprecated) example values
# will result in the expected output.
import ../make-test.nix ({ pkgs, ...} : {
name = "krb5-with-example-config";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eqyiel ];
};
machine =
{ config, pkgs, ... }: {
krb5 = {
enable = true;
kerberos = pkgs.krb5Full;
libdefaults = {
default_realm = "ATHENA.MIT.EDU";
};
realms = {
"ATHENA.MIT.EDU" = {
admin_server = "athena.mit.edu";
kdc = "athena.mit.edu";
};
};
domain_realm = {
"example.com" = "EXAMPLE.COM";
".example.com" = "EXAMPLE.COM";
};
capaths = {
"ATHENA.MIT.EDU" = {
"EXAMPLE.COM" = ".";
};
"EXAMPLE.COM" = {
"ATHENA.MIT.EDU" = ".";
};
};
appdefaults = {
pam = {
debug = false;
ticket_lifetime = 36000;
renew_lifetime = 36000;
max_timeout = 30;
timeout_shift = 2;
initial_timeout = 1;
};
};
plugins = {
ccselect = {
disable = "k5identity";
};
};
extraConfig = ''
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
};
};
testScript =
let snapshot = pkgs.writeText "krb5-with-example-config.conf" ''
[libdefaults]
default_realm = ATHENA.MIT.EDU
[realms]
ATHENA.MIT.EDU = {
admin_server = athena.mit.edu
kdc = athena.mit.edu
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[capaths]
ATHENA.MIT.EDU = {
EXAMPLE.COM = .
}
EXAMPLE.COM = {
ATHENA.MIT.EDU = .
}
[appdefaults]
pam = {
debug = false
initial_timeout = 1
max_timeout = 30
renew_lifetime = 36000
ticket_lifetime = 36000
timeout_shift = 2
}
[plugins]
ccselect = {
disable = k5identity
}
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
'';
in ''
$machine->succeed("diff /etc/krb5.conf ${snapshot}");
'';
})


@ -12,6 +12,9 @@ import ./make-test.nix ({ pkgs, ...} : {
secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12"; secretKey = "V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12";
}; };
environment.systemPackages = [ pkgs.minio-client ]; environment.systemPackages = [ pkgs.minio-client ];
# Minio requires at least 1GiB of free disk space to run.
virtualisation.diskSize = 4 * 1024;
}; };
}; };
@ -20,7 +23,6 @@ import ./make-test.nix ({ pkgs, ...} : {
startAll; startAll;
$machine->waitForUnit("minio.service"); $machine->waitForUnit("minio.service");
$machine->waitForOpenPort(9000); $machine->waitForOpenPort(9000);
$machine->succeed("curl --fail http://localhost:9000/minio/index.html");
# Create a test bucket on the server # Create a test bucket on the server
$machine->succeed("mc config host add minio http://localhost:9000 BKIKJAA5BMMU2RHO6IBB V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12 S3v4"); $machine->succeed("mc config host add minio http://localhost:9000 BKIKJAA5BMMU2RHO6IBB V7f1CwQqAcwo80UEIJEjc5gVQUSSx5ohQ9GSrr12 S3v4");


@ -1,42 +1,37 @@
import ./make-test.nix ({ pkgs, ...} : import ./make-test.nix ({ pkgs, lib, ...}:
let let
test = pkgs.writeText "test.sql" '' test = with pkgs; runCommand "patch-test" {
CREATE EXTENSION pgcrypto; nativeBuildInputs = [ pgjwt ];
CREATE EXTENSION pgjwt; }
select sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret'); ''
select * from verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ', 'secret'); sed -e '12 i CREATE EXTENSION pgcrypto;\nCREATE EXTENSION pgtap;\nSET search_path TO tap,public;' ${pgjwt.src}/test.sql > $out;
''; '';
in in
{ with pkgs; {
name = "pgjwt"; name = "pgjwt";
meta = with pkgs.stdenv.lib.maintainers; { meta = with lib.maintainers; {
maintainers = [ spinus ]; maintainers = [ spinus willibutz ];
}; };
nodes = { nodes = {
master = master = { pkgs, config, ... }:
{ pkgs, config, ... }:
{ {
services.postgresql = let mypg = pkgs.postgresql95; in { services.postgresql = {
enable = true; enable = true;
package = mypg; extraPlugins = [ pgjwt pgtap ];
extraPlugins =[pkgs.pgjwt];
initialScript = pkgs.writeText "postgresql-init.sql"
''
CREATE ROLE postgres WITH superuser login createdb;
'';
}; };
}; };
}; };
testScript = '' testScript = { nodes, ... }:
let
sqlSU = "${nodes.master.config.services.postgresql.superUser}";
pgProve = "${pkgs.perlPackages.TAPParserSourceHandlerpgTAP}";
in
''
startAll; startAll;
$master->waitForUnit("postgresql"); $master->waitForUnit("postgresql");
$master->succeed("timeout 10 bash -c 'while ! psql postgres -c \"SELECT 1;\";do sleep 1;done;'"); $master->copyFileFromHost("${test}","/tmp/test.sql");
$master->succeed("cat ${test} | psql postgres"); $master->succeed("${pkgs.sudo}/bin/sudo -u ${sqlSU} PGOPTIONS=--search_path=tap,public ${pgProve}/bin/pg_prove -d postgres -v -f /tmp/test.sql");
# I can't make original test working :[
# $master->succeed("${pkgs.perlPackages.TAPParserSourceHandlerpgTAP}/bin/pg_prove -d postgres ${pkgs.pgjwt.src}/test.sql");
''; '';
}) })
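Review bot: The `sed -e '12 i …'` in the new `test` derivation inserts the `CREATE EXTENSION` and `SET search_path` statements at a hard-coded line of `${pgjwt.src}/test.sql`. If a pgjwt update shifts that file by even one line, the statements land in the wrong place and the failure would most likely surface as an unrelated-looking SQL error from `pg_prove`. A comment next to the `sed` would help whoever bumps the package, e.g. `# The line number 12 depends on the layout of upstream's test.sql; re-check on every pgjwt bump.` Anchoring the insert on a pattern from the upstream file instead of a line number would be sturdier, if a stable one exists.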


@ -9,14 +9,10 @@ import ./make-test.nix ({ pkgs, ...} : {
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
services.postgresql = let mypg = pkgs.postgresql95; in { services.postgresql = let mypg = pkgs.postgresql100; in {
enable = true; enable = true;
package = mypg; package = mypg;
extraPlugins = [ (pkgs.postgis.override { postgresql = mypg; }).v_2_2_1 ]; extraPlugins = [ (pkgs.postgis.override { postgresql = mypg; }).v_2_4_0 ];
initialScript = pkgs.writeText "postgresql-init.sql"
''
CREATE ROLE postgres WITH superuser login createdb;
'';
}; };
}; };
}; };


@ -5,9 +5,6 @@ import ./make-test.nix {
one = { config, pkgs, ... }: { one = { config, pkgs, ... }: {
services.prometheus = { services.prometheus = {
enable = true; enable = true;
globalConfig = {
labels = { foo = "bar"; };
};
scrapeConfigs = [{ scrapeConfigs = [{
job_name = "prometheus"; job_name = "prometheus";
static_configs = [{ static_configs = [{


@ -2,7 +2,16 @@
with import ../lib/testing.nix { inherit system; }; with import ../lib/testing.nix { inherit system; };
runInMachine { let
output = runInMachine {
drv = pkgs.hello; drv = pkgs.hello;
machine = { config, pkgs, ... }: { /* services.sshd.enable = true; */ }; machine = { config, pkgs, ... }: { /* services.sshd.enable = true; */ };
} };
in pkgs.runCommand "verify-output" { inherit output; } ''
if [ ! -e "$output/bin/hello" ]; then
echo "Derivation built using runInMachine produced incorrect output:" >&2
ls -laR "$output" >&2
exit 1
fi
"$output/bin/hello" > "$out"
''


@ -107,8 +107,8 @@ let
buildInputs = [ pkgs.utillinux pkgs.perl ]; buildInputs = [ pkgs.utillinux pkgs.perl ];
} '' } ''
${pkgs.parted}/sbin/parted /dev/vda mklabel msdos ${pkgs.parted}/sbin/parted --script /dev/vda mklabel msdos
${pkgs.parted}/sbin/parted /dev/vda -- mkpart primary ext2 1M -1s ${pkgs.parted}/sbin/parted --script /dev/vda -- mkpart primary ext2 1M -1s
. /sys/class/block/vda1/uevent . /sys/class/block/vda1/uevent
mknod /dev/vda1 b $MAJOR $MINOR mknod /dev/vda1 b $MAJOR $MINOR


@ -1,5 +1,5 @@
{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, openssl, db48, boost { stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, openssl, db48, boost
, zlib, miniupnpc, qt5, utillinux, protobuf, qrencode, libevent , zlib, miniupnpc, qtbase ? null , qttools ? null, utillinux, protobuf, qrencode, libevent
, withGui }: , withGui }:
with stdenv.lib; with stdenv.lib;
@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ pkgconfig autoreconfHook ]; nativeBuildInputs = [ pkgconfig autoreconfHook ];
buildInputs = [ openssl db48 boost zlib buildInputs = [ openssl db48 boost zlib
miniupnpc utillinux protobuf libevent ] miniupnpc utillinux protobuf libevent ]
++ optionals withGui [ qt5.qtbase qt5.qttools qrencode ]; ++ optionals withGui [ qtbase qttools qrencode ];
configureFlags = [ "--with-boost-libdir=${boost.out}/lib" ] configureFlags = [ "--with-boost-libdir=${boost.out}/lib" ]
++ optionals withGui [ "--with-gui=qt5" ]; ++ optionals withGui [ "--with-gui=qt5" ];
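Review bot: `qtbase ? null` and `qttools ? null` get defaults, but nothing ties them to `withGui`, so calling this file with `withGui = true` through plain `callPackage` would put two nulls into `buildInputs` while still passing `--with-gui=qt5`. An `assert withGui -> qtbase != null && qttools != null;` after the argument list would turn that into an immediate evaluation error rather than a late configure failure. The same applies to the identical argument change in the next file section (the one whose description reads "Classic client"). The new argument list also has a stray space in `qtbase ? null , qttools`.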


@ -1,5 +1,5 @@
{ stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, openssl, db48, boost { stdenv, fetchFromGitHub, pkgconfig, autoreconfHook, openssl, db48, boost
, zlib, miniupnpc, qt4, utillinux, protobuf, qrencode, libevent , zlib, miniupnpc, qtbase ? null, qttools ? null, utillinux, protobuf, qrencode, libevent
, withGui }: , withGui }:
with stdenv.lib; with stdenv.lib;
@ -16,13 +16,15 @@ stdenv.mkDerivation rec {
sha256 = "129gkg035gv7zmc463jl2spvdh0fl4q8v4jdaslfnp34hbwi1p07"; sha256 = "129gkg035gv7zmc463jl2spvdh0fl4q8v4jdaslfnp34hbwi1p07";
}; };
patches = [ ./fix-bitcoin-qt-build.patch ];
nativeBuildInputs = [ pkgconfig autoreconfHook ]; nativeBuildInputs = [ pkgconfig autoreconfHook ];
buildInputs = [ openssl db48 boost zlib buildInputs = [ openssl db48 boost zlib
miniupnpc utillinux protobuf libevent ] miniupnpc utillinux protobuf libevent ]
++ optionals withGui [ qt4 qrencode ]; ++ optionals withGui [ qtbase qttools qrencode ];
configureFlags = [ "--with-boost-libdir=${boost.out}/lib" ] configureFlags = [ "--with-boost-libdir=${boost.out}/lib" ]
++ optionals withGui [ "--with-gui=qt4" ]; ++ optionals withGui [ "--with-gui=qt5" ];
meta = { meta = {
description = "Peer-to-peer electronic cash system (Classic client)"; description = "Peer-to-peer electronic cash system (Classic client)";


@ -1,17 +1,17 @@
{ callPackage, boost155, boost162, boost163, openssl_1_1_0, haskellPackages }: { callPackage, boost155, boost162, boost163, openssl_1_1_0, haskellPackages, darwin, libsForQt5 }:
rec { rec {
bitcoin = callPackage ./bitcoin.nix { withGui = true; }; bitcoin = callPackage ./bitcoin.nix { withGui = true; };
bitcoind = callPackage ./bitcoin.nix { withGui = false; }; bitcoind = callPackage ./bitcoin.nix { withGui = false; };
bitcoin-abc = callPackage ./bitcoin-abc.nix { withGui = true; }; bitcoin-abc = libsForQt5.callPackage ./bitcoin-abc.nix { withGui = true; };
bitcoind-abc = callPackage ./bitcoin-abc.nix { withGui = false; }; bitcoind-abc = callPackage ./bitcoin-abc.nix { withGui = false; };
bitcoin-unlimited = callPackage ./bitcoin-unlimited.nix { withGui = true; }; bitcoin-unlimited = callPackage ./bitcoin-unlimited.nix { withGui = true; };
bitcoind-unlimited = callPackage ./bitcoin-unlimited.nix { withGui = false; }; bitcoind-unlimited = callPackage ./bitcoin-unlimited.nix { withGui = false; };
bitcoin-classic = callPackage ./bitcoin-classic.nix { withGui = true; }; bitcoin-classic = libsForQt5.callPackage ./bitcoin-classic.nix { withGui = true; };
bitcoind-classic = callPackage ./bitcoin-classic.nix { withGui = false; }; bitcoind-classic = callPackage ./bitcoin-classic.nix { withGui = false; };
bitcoin-xt = callPackage ./bitcoin-xt.nix { withGui = true; }; bitcoin-xt = callPackage ./bitcoin-xt.nix { withGui = true; };
@ -26,7 +26,10 @@ rec {
dogecoind = callPackage ./dogecoin.nix { withGui = false; }; dogecoind = callPackage ./dogecoin.nix { withGui = false; };
freicoin = callPackage ./freicoin.nix { boost = boost155; }; freicoin = callPackage ./freicoin.nix { boost = boost155; };
go-ethereum = callPackage ./go-ethereum.nix { }; go-ethereum = callPackage ./go-ethereum.nix {
inherit (darwin) libobjc;
inherit (darwin.apple_sdk.frameworks) IOKit;
};
go-ethereum-classic = callPackage ./go-ethereum-classic { }; go-ethereum-classic = callPackage ./go-ethereum-classic { };
hivemind = callPackage ./hivemind.nix { withGui = true; }; hivemind = callPackage ./hivemind.nix { withGui = true; };


@ -2,7 +2,7 @@
buildGoPackage rec { buildGoPackage rec {
name = "go-ethereum-classic-${version}"; name = "go-ethereum-classic-${version}";
version = "3.5.86"; version = "4.0.0";
goPackagePath = "github.com/ethereumproject/go-ethereum"; goPackagePath = "github.com/ethereumproject/go-ethereum";
subPackages = [ "cmd/evm" "cmd/geth" ]; subPackages = [ "cmd/evm" "cmd/geth" ];
@ -10,7 +10,7 @@ buildGoPackage rec {
src = fetchgit { src = fetchgit {
rev = "v${version}"; rev = "v${version}";
url = "https://github.com/ethereumproject/go-ethereum"; url = "https://github.com/ethereumproject/go-ethereum";
sha256 = "1k59hl3qvx4422zqlp259566fnxq5bs67jhm0v6a1zfr1k8iqzwh"; sha256 = "06f1w7s45q4zva1xjrx92xinsdrixl0m6zhx5hvdjmg3xqcbwr79";
}; };
goDeps = ./deps.nix; goDeps = ./deps.nix;


@ -1,10 +1,14 @@
{ stdenv, lib, buildGoPackage, fetchFromGitHub }: { stdenv, lib, buildGoPackage, fetchFromGitHub, libobjc, IOKit }:
buildGoPackage rec { buildGoPackage rec {
name = "go-ethereum-${version}"; name = "go-ethereum-${version}";
version = "1.7.0"; version = "1.7.2";
goPackagePath = "github.com/ethereum/go-ethereum"; goPackagePath = "github.com/ethereum/go-ethereum";
# Fix for usb-related segmentation faults on darwin
propagatedBuildInputs =
stdenv.lib.optionals stdenv.isDarwin [ libobjc IOKit ];
# Fixes Cgo related build failures (see https://github.com/NixOS/nixpkgs/issues/25959 ) # Fixes Cgo related build failures (see https://github.com/NixOS/nixpkgs/issues/25959 )
hardeningDisable = [ "fortify" ]; hardeningDisable = [ "fortify" ];
@ -12,17 +16,9 @@ buildGoPackage rec {
owner = "ethereum"; owner = "ethereum";
repo = "go-ethereum"; repo = "go-ethereum";
rev = "v${version}"; rev = "v${version}";
sha256 = "0ybjaiyrfb320rab6a5r9iiqvkrcd8b2qvixzx0kjmc4a7l1q5zh"; sha256 = "11n77zlf8qixhx26sqf33v911716msi6h0z4ng8gxhzhznrn2nrd";
}; };
# Fix cyclic referencing on Darwin
postInstall = stdenv.lib.optionalString (stdenv.isDarwin) ''
for file in $bin/bin/*; do
# Not all files are referencing $out/lib so consider this step non-critical
install_name_tool -delete_rpath $out/lib $file || true
done
'';
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = https://ethereum.github.io/go-ethereum/; homepage = https://ethereum.github.io/go-ethereum/;
description = "Official golang implementation of the Ethereum protocol"; description = "Official golang implementation of the Ethereum protocol";


@ -16,7 +16,7 @@ let
# "git describe" when _not_ on an annotated tag(!): MAJOR.MINOR-REV-HASH. # "git describe" when _not_ on an annotated tag(!): MAJOR.MINOR-REV-HASH.
# Version to build. # Version to build.
tag = "5.11"; tag = "5.12";
in in
@ -25,8 +25,8 @@ stdenv.mkDerivation rec {
src = fetchgit { src = fetchgit {
url = "git://git.ardour.org/ardour/ardour.git"; url = "git://git.ardour.org/ardour/ardour.git";
rev = "bd40b9132cbac2d2b79ba0ef480bd41d837f8f71"; rev = "ae0dcdc0c5d13483271065c360e378202d20170a";
sha256 = "0xxxjg90jzj5cj364mlhk8srkgaghxif2jj1015bra25pffk41ay"; sha256 = "0mla5lm51ryikc2rrk53max2m7a5ds6i1ai921l2h95wrha45nkr";
}; };
buildInputs = buildInputs =


@ -0,0 +1,101 @@
{ stdenv, fetchFromGitHub, fetchurl, makeWrapper, unzip
, gnumake, gcc-arm-embedded, dfu-util-axoloti, jdk, ant, libfaketime }:
stdenv.mkDerivation rec {
version = "1.0.12-1";
name = "axoloti-${version}";
src = fetchFromGitHub {
owner = "axoloti";
repo = "axoloti";
rev = "${version}";
sha256 = "13njmv8zac0kaaxgkv4y4zfjcclafn9cw0m8lj2k4926wnwjmf50";
};
chibi_version = "2.6.9";
chibi_name = "ChibiOS_${chibi_version}";
chibios = fetchurl {
url = "mirror://sourceforge/project/chibios/ChibiOS_RT%20stable/Version%20${chibi_version}/${chibi_name}.zip";
sha256 = "0lb5s8pkj80mqhsy47mmq0lqk34s2a2m3xagzihalvabwd0frhlj";
};
buildInputs = [ makeWrapper unzip gcc-arm-embedded dfu-util-axoloti jdk ant libfaketime ];
patchPhase = ''
unzip ${chibios}
mv ${chibi_name} chibios
(cd chibios/ext; unzip -q -o fatfs-0.9-patched.zip)
# Remove source of non-determinism in ChibiOS
substituteInPlace "chibios/os/various/shell.c" \
--replace "#ifdef __DATE__" "#if 0"
# Hardcode full path to compiler tools
for f in "firmware/Makefile.patch" \
"firmware/Makefile" \
"firmware/flasher/Makefile" \
"firmware/mounter/Makefile"; do
substituteInPlace "$f" \
--replace "arm-none-eabi-" "${gcc-arm-embedded}/bin/arm-none-eabi-"
done
# Hardcode path to "make"
for f in "firmware/compile_firmware_linux.sh" \
"firmware/compile_patch_linux.sh"; do
substituteInPlace "$f" \
--replace "make" "${gnumake}/bin/make"
done
# Hardcode dfu-util path
substituteInPlace "platform_linux/upload_fw_dfu.sh" \
--replace "/bin/dfu-util" ""
substituteInPlace "platform_linux/upload_fw_dfu.sh" \
--replace "./dfu-util" "${dfu-util-axoloti}/bin/dfu-util"
# Fix build version
substituteInPlace "build.xml" \
--replace "(git missing)" "${version}"
# Remove build time
substituteInPlace "build.xml" \
--replace "<tstamp>" ""
substituteInPlace "build.xml" \
--replace \
'<format property="build.time" pattern="dd/MM/yyyy HH:mm:ss z"/>' \
'<property name="build.time" value=""/>'
substituteInPlace "build.xml" \
--replace "</tstamp>" ""
substituteInPlace "build.xml" \
--replace \
'{line.separator}</echo>' \
'{line.separator}</echo> <touch file="src/main/java/axoloti/Version.java" millis="0" />'
'';
buildPhase = ''
find . -exec touch -d '1970-01-01 00:00' {} \;
(cd platform_linux; sh compile_firmware.sh)
faketime "1970-01-01 00:00:00" ant -Dbuild.runtime=true
'';
installPhase = ''
mkdir -p $out/bin $out/share/axoloti
cp -r doc firmware chibios platform_linux CMSIS *.txt $out/share/axoloti/
install -vD dist/Axoloti.jar $out/share/axoloti/
makeWrapper ${jdk}/bin/java $out/bin/axoloti --add-flags "-Daxoloti_release=$out/share/axoloti -Daxoloti_runtime=$out/share/axoloti -jar $out/share/axoloti/Axoloti.jar"
'';
meta = with stdenv.lib; {
homepage = http://www.axoloti.com;
description = ''
Sketching embedded digital audio algorithms.
To fix permissions of the Axoloti USB device node, add a similar udev rule to <literal>services.udev.extraRules</literal>:
<literal>SUBSYSTEM=="usb", ATTR{idVendor}=="16c0", ATTR{idProduct}=="0442", OWNER="someuser", GROUP="somegroup"</literal>
'';
license = licenses.gpl3;
maintainers = with maintainers; [ TealG ];
};
}
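Review bot: Overriding `patchPhase` wholesale skips the standard handling of a `patches` attribute, so a patch added later (a security fix, for instance) would be silently ignored. Starting the block with `postPatch = ''` instead keeps the default phase and runs the same substitutions. In the same block, `--replace "make" "${gnumake}/bin/make"` rewrites every occurrence of the substring in the two scripts, not only the command invocation, which deserves a narrower pattern or at least a comment. `meta.description` is also meant to be a short one-line summary; the udev hint belongs in `longDescription`.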


@ -0,0 +1,31 @@
{ stdenv, fetchurl, pkgconfig, libusb1-axoloti }:
stdenv.mkDerivation rec {
name="dfu-util-${version}";
version = "0.8";
nativeBuildInputs = [ pkgconfig ];
buildInputs = [ libusb1-axoloti ];
src = fetchurl {
url = "http://dfu-util.sourceforge.net/releases/${name}.tar.gz";
sha256 = "0n7h08avlzin04j93m6hkq9id6hxjiiix7ff9gc2n89aw6dxxjsm";
};
meta = with stdenv.lib; {
description = "Device firmware update (DFU) USB programmer";
longDescription = ''
dfu-util is a program that implements the host (PC) side of the USB
DFU 1.0 and 1.1 (Universal Serial Bus Device Firmware Upgrade) protocol.
DFU is intended to download and upload firmware to devices connected over
USB. It ranges from small devices like micro-controller boards up to mobile
phones. With dfu-util you are able to download firmware to your device or
upload firmware from it.
'';
homepage = http://dfu-util.gnumonks.org/;
license = licenses.gpl2Plus;
platforms = platforms.unix;
maintainers = [ ];
};
}


@ -0,0 +1,38 @@
{ stdenv, fetchurl, pkgconfig, systemd ? null, libobjc, IOKit, fetchpatch }:
stdenv.mkDerivation rec {
name = "libusb-1.0.19";
src = fetchurl {
url = "mirror://sourceforge/libusb/${name}.tar.bz2";
sha256 = "0h38p9rxfpg9vkrbyb120i1diq57qcln82h5fr7hvy82c20jql3c";
};
outputs = [ "out" "dev" ]; # get rid of propagating systemd closure
buildInputs = [ pkgconfig ];
propagatedBuildInputs =
stdenv.lib.optional stdenv.isLinux systemd ++
stdenv.lib.optionals stdenv.isDarwin [ libobjc IOKit ];
patches = [
(fetchpatch {
name = "libusb.stdfu.patch";
url = "https://raw.githubusercontent.com/axoloti/axoloti/1.0.12/platform_linux/src/libusb.stdfu.patch";
sha256 = "194j7j61i4q6x0ihm9ms8dxd4vliw20n2rj6cm9h17qzdl9xr33d";
})
];
NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isLinux "-lgcc_s";
preFixup = stdenv.lib.optionalString stdenv.isLinux ''
sed 's,-ludev,-L${systemd.lib}/lib -ludev,' -i $out/lib/libusb-1.0.la
'';
meta = {
homepage = http://www.libusb.info;
description = "User-space USB library";
platforms = stdenv.lib.platforms.unix;
maintainers = [ ];
};
}
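Review bot: This adds a second, frozen copy of libusb (1.0.19 plus the Axoloti `libusb.stdfu.patch`) with `maintainers = [ ];`, so it will not follow updates to the main libusb package and nobody is named to notice when a fix is needed. A comment above `name` should say why the fork exists and when it can go, e.g. `# Axoloti's firmware uploader needs libusb.stdfu.patch; drop this copy once the patch is no longer required.` (that reason is my reading of the patch name, please confirm). The same ownership gap applies to the dfu-util 0.8 copy in the previous file section. That one also fetches over plain `http://`; the pinned sha256 protects integrity, but an HTTPS or `mirror://sourceforge` URL would be preferable if one serves the same tarball.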


@ -34,20 +34,21 @@ assert withOnlineServices -> withTaglib;
assert withReplaygain -> withTaglib; assert withReplaygain -> withTaglib;
let let
version = "2.1.0"; version = "2.2.0";
pname = "cantata"; pname = "cantata";
fstat = x: fn: "-DENABLE_" + fn + "=" + (if x then "ON" else "OFF"); fstat = x: fn: "-DENABLE_" + fn + "=" + (if x then "ON" else "OFF");
fstats = x: map (fstat x); fstats = x: map (fstat x);
in
stdenv.mkDerivation rec { withUdisks = (withTaglib && withDevices);
in stdenv.mkDerivation rec {
name = "${pname}-${version}"; name = "${pname}-${version}";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "CDrummond"; owner = "CDrummond";
repo = "cantata"; repo = "cantata";
rev = "v${version}"; rev = "v${version}";
sha256 = "1mwc3cyrvg8qxjn70h4i6kdkvz85xspb3wi8wrb56jrhil409fkh"; sha256 = "1b633chgfs8rya78bzzck5zijna15d1y4nmrz4dcjp862ks5y5q6";
}; };
buildInputs = [ vlc ] buildInputs = [ vlc ]
@ -60,7 +61,7 @@ stdenv.mkDerivation rec {
++ stdenv.lib.optional withLame lame ++ stdenv.lib.optional withLame lame
++ stdenv.lib.optional withMtp libmtp ++ stdenv.lib.optional withMtp libmtp
++ stdenv.lib.optional withMusicbrainz libmusicbrainz5 ++ stdenv.lib.optional withMusicbrainz libmusicbrainz5
++ stdenv.lib.optional (withTaglib && withDevices) udisks2; ++ stdenv.lib.optional withUdisks udisks2;
nativeBuildInputs = [ cmake pkgconfig ]; nativeBuildInputs = [ cmake pkgconfig ];
@ -80,23 +81,17 @@ stdenv.mkDerivation rec {
(fstat withDevices "DEVICES_SUPPORT") (fstat withDevices "DEVICES_SUPPORT")
(fstat withHttpServer "HTTP_SERVER") (fstat withHttpServer "HTTP_SERVER")
(fstat withStreams "STREAMS") (fstat withStreams "STREAMS")
(fstat withUdisks "UDISKS2")
"-DENABLE_HTTPS_SUPPORT=ON" "-DENABLE_HTTPS_SUPPORT=ON"
"-DENABLE_UDISKS2=ON"
]; ];
# This is already fixed upstream but not released yet. Maybe in version 2.
preConfigure = ''
sed -i -e 's/STRLESS/VERSION_LESS/g' cmake/FindTaglib.cmake
'';
meta = with stdenv.lib; { meta = with stdenv.lib; {
homepage = https://github.com/cdrummond/cantata; homepage = https://github.com/cdrummond/cantata;
description = "A graphical client for MPD"; description = "A graphical client for MPD";
license = licenses.gpl3; license = licenses.gpl3;
maintainers = with maintainers; [ fuuzetsu peterhoeg ];
# Technically Cantata can run on Windows so if someone wants to # Technically Cantata can run on Windows so if someone wants to
# bother figuring that one out, be my guest. # bother figuring that one out, be my guest.
platforms = platforms.linux; platforms = platforms.linux;
maintainers = with maintainers; [ fuuzetsu ];
}; };
} }
