Merge branch 'master' into staging

.github/CODEOWNERS

@@ -122,6 +122,14 @@
 /nixos/modules/services/databases/postgresql.nix @thoughtpolice
 /nixos/tests/postgresql.nix @thoughtpolice
 
+# Hardened profile & related modules
+/nixos/modules/profiles/hardened.nix @joachifm
+/nixos/modules/security/hidepid.nix @joachifm
+/nixos/modules/security/lock-kernel-modules.nix @joachifm
+/nixos/modules/security/misc.nix @joachifm
+/nixos/tests/hardened.nix @joachifm
+/pkgs/os-specific/linux/kernel/hardened-config.nix @joachifm
+
 # Dhall
 /pkgs/development/dhall-modules      @Gabriel439 @Profpatsch
 /pkgs/development/interpreters/dhall @Gabriel439 @Profpatsch

maintainers/maintainer-list.nix

@@ -4031,6 +4031,11 @@
     github = "renatoGarcia";
     name = "Renato Garcia";
   };
+  rencire = {
+    email = "546296+rencire@users.noreply.github.com";
+    github = "rencire";
+    name = "Eric Ren";
+  };
   renzo = {
     email = "renzocarbonara@gmail.com";
     github = "k0001";
@@ -4823,6 +4828,15 @@
     github = "the-kenny";
     name = "Moritz Ulrich";
   };
+  thesola10 = {
+    email = "thesola10@bobile.fr";
+    github = "thesola10";
+    keys = [{
+      longkeyid = "rsa4096/0x89245619BEBB95BA";
+      fingerprint = "1D05 13A6 1AC4 0D8D C6D6  5F2C 8924 5619 BEBB 95BA";
+    }];
+    name = "Karim Vergnes";
+  };
   theuni = {
     email = "ct@flyingcircus.io";
     github = "ctheune";

nixos/modules/services/amqp/rabbitmq.nix

@@ -179,11 +179,11 @@ in {
       } //  optionalAttrs (cfg.config != "") { RABBITMQ_ADVANCED_CONFIG_FILE = advanced_config_file; };
 
       serviceConfig = {
-        PermissionsStartOnly = true; # preStart must be run as root
         ExecStart = "${cfg.package}/sbin/rabbitmq-server";
         ExecStop = "${cfg.package}/sbin/rabbitmqctl shutdown";
         User = "rabbitmq";
         Group = "rabbitmq";
+        LogsDirectory = "rabbitmq";
         WorkingDirectory = cfg.dataDir;
         Type = "notify";
         NotifyAccess = "all";
@@ -197,11 +197,8 @@ in {
       preStart = ''
         ${optionalString (cfg.cookie != "") ''
             echo -n ${cfg.cookie} > ${cfg.dataDir}/.erlang.cookie
-            chown rabbitmq:rabbitmq ${cfg.dataDir}/.erlang.cookie
             chmod 600 ${cfg.dataDir}/.erlang.cookie
         ''}
-        mkdir -p /var/log/rabbitmq
-        chown rabbitmq:rabbitmq /var/log/rabbitmq
       '';
     };
 

nixos/modules/services/audio/liquidsoap.nix

@@ -14,15 +14,10 @@ let
         description = "${name} liquidsoap stream";
         wantedBy = [ "multi-user.target" ];
         path = [ pkgs.wget ];
-        preStart =
-          ''
-            mkdir -p /var/log/liquidsoap
-            chown liquidsoap -R /var/log/liquidsoap
-          '';
         serviceConfig = {
-          PermissionsStartOnly="true";
           ExecStart = "${pkgs.liquidsoap}/bin/liquidsoap ${stream}";
           User = "liquidsoap";
+          LogsDirectory = "liquidsoap";
         };
       };
     };

nixos/modules/services/audio/mpd.nix

@@ -158,18 +158,18 @@ in {
       };
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.playlistDirectory}' - ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.mpd = {
       after = [ "network.target" "sound.target" ];
       description = "Music Player Daemon";
       wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
 
-      preStart = ''
-        mkdir -p "${cfg.dataDir}" && chown -R ${cfg.user}:${cfg.group} "${cfg.dataDir}"
-        mkdir -p "${cfg.playlistDirectory}" && chown -R ${cfg.user}:${cfg.group} "${cfg.playlistDirectory}"
-      '';
       serviceConfig = {
         User = "${cfg.user}";
-        PermissionsStartOnly = true;
         ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}";
         Type = "notify";
         LimitRTPRIO = 50;

nixos/modules/services/backup/mysql-backup.nix

@@ -117,14 +117,12 @@ in
         enable = true;
         serviceConfig = {
           User = cfg.user;
-          PermissionsStartOnly = true;
         };
-        preStart = ''
-          mkdir -m 0700 -p ${cfg.location}
-          chown -R ${cfg.user} ${cfg.location}
-        '';
         script = backupScript;
       };
+      tmpfiles.rules = [
+        "d ${cfg.location} 0700 ${cfg.user} - - -"
+      ];
     };
   };
 

nixos/modules/services/backup/postgresql-backup.nix

@@ -14,11 +14,6 @@ let
 
       requires = [ "postgresql.service" ];
 
-      preStart = ''
-        mkdir -m 0700 -p ${cfg.location}
-        chown postgres ${cfg.location}
-      '';
-
       script = ''
         umask 0077 # ensure backup is only readable by postgres user
 
@@ -32,7 +27,6 @@ let
 
       serviceConfig = {
         Type = "oneshot";
-        PermissionsStartOnly = "true";
         User = "postgres";
       };
 
@@ -107,6 +101,11 @@ in {
         message = "config.services.postgresqlBackup.backupAll cannot be used together with config.services.postgresqlBackup.databases";
       }];
     }
+    (mkIf cfg.enable {
+      systemd.tmpfiles.rules = [
+        "d '${cfg.location}' 0700 postgres - - -"
+      ];
+    })
     (mkIf (cfg.enable && cfg.backupAll) {
       systemd.services.postgresqlBackup =
         postgresqlBackupService "all" "${config.services.postgresql.package}/bin/pg_dumpall";

nixos/modules/services/databases/clickhouse.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.services.clickhouse;
-  confDir = "/etc/clickhouse-server";
-  stateDir = "/var/lib/clickhouse";
 in
 with lib;
 {
@@ -43,20 +41,13 @@ with lib;
 
       after = [ "network.target" ];
 
-      preStart = ''
-        mkdir -p ${stateDir}
-        chown clickhouse:clickhouse ${confDir} ${stateDir}
-      '';
-
-      script = ''
-        cd "${confDir}"
-        exec ${pkgs.clickhouse}/bin/clickhouse-server
-      '';
-
       serviceConfig = {
         User = "clickhouse";
         Group = "clickhouse";
-        PermissionsStartOnly = true;
+        ConfigurationDirectory = "clickhouse-server";
+        StateDirectory = "clickhouse";
+        LogsDirectory = "clickhouse";
+        ExecStart = "${pkgs.clickhouse}/bin/clickhouse-server --config-file=${pkgs.clickhouse}/etc/clickhouse-server/config.xml";
       };
     };
 

nixos/modules/services/databases/couchdb.nix

@@ -158,27 +158,21 @@ in {
     services.couchdb.configFile = mkDefault
       (if useVersion2 then "/var/lib/couchdb/local.ini" else "/var/lib/couchdb/couchdb.ini");
 
+    systemd.tmpfiles.rules = [
+      "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -"
+      "d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.databaseDir}' -  ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.viewIndexDir}' -  ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.couchdb = {
       description = "CouchDB Server";
       wantedBy = [ "multi-user.target" ];
 
       preStart =
         ''
-        mkdir -p `dirname ${cfg.uriFile}`;
-        mkdir -p `dirname ${cfg.logFile}`;
-        mkdir -p ${cfg.databaseDir};
-        mkdir -p ${cfg.viewIndexDir};
         touch ${cfg.configFile}
         touch -a ${cfg.logFile}
-
-        if [ "$(id -u)" = 0 ]; then
-          chown ${cfg.user}:${cfg.group} `dirname ${cfg.uriFile}`;
-          (test -f ${cfg.uriFile} && chown ${cfg.user}:${cfg.group} ${cfg.uriFile}) || true
-          chown ${cfg.user}:${cfg.group} ${cfg.databaseDir}
-          chown ${cfg.user}:${cfg.group} ${cfg.viewIndexDir}
-          chown ${cfg.user}:${cfg.group} ${cfg.configFile}
-          chown ${cfg.user}:${cfg.group} ${cfg.logFile}
-        fi
         '';
 
       environment = mkIf useVersion2 {
@@ -191,7 +185,6 @@ in {
       };
 
       serviceConfig = {
-        PermissionsStartOnly = true;
         User = cfg.user;
         Group = cfg.group;
         ExecStart = executable;

nixos/modules/services/databases/influxdb.nix

@@ -157,20 +157,19 @@ in
 
   config = mkIf config.services.influxdb.enable {
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.influxdb = {
       description = "InfluxDB Server";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
       serviceConfig = {
         ExecStart = ''${cfg.package}/bin/influxd -config "${configFile}"'';
-        User = "${cfg.user}";
+        User = cfg.user;
-        Group = "${cfg.group}";
+        Group = cfg.group;
-        PermissionsStartOnly = true;
       };
-      preStart = ''
-        mkdir -m 0770 -p ${cfg.dataDir}
-        if [ "$(id -u)" = 0 ]; then chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}; fi
-      '';
       postStart =
         let
           scheme = if configOptions.http.https-enabled then "-k https" else "http";

nixos/modules/services/databases/memcached.nix

@@ -78,11 +78,6 @@ in
       after = [ "network.target" ];
 
       serviceConfig = {
-        PermissionsStartOnly = true;
-        ExecStartPre = optionals cfg.enableUnixSocket [
-          "${pkgs.coreutils}/bin/install -d -o ${cfg.user} /run/memcached/"
-          "${pkgs.coreutils}/bin/chown -R ${cfg.user} /run/memcached/"
-        ];
         ExecStart =
         let
           networking = if cfg.enableUnixSocket
@@ -91,12 +86,13 @@ in
         in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
 
         User = cfg.user;
+        RuntimeDirectory = "memcached";
       };
     };
   };
   imports = [
     (mkRemovedOptionModule ["services" "memcached" "socket"] ''
-      This option was replaced by a fixed unix socket path at /run/memcached/memcached.sock enabled using services.memached.enableUnixSocket.
+      This option was replaced by a fixed unix socket path at /run/memcached/memcached.sock enabled using services.memcached.enableUnixSocket.
     '')
   ];
 

nixos/modules/services/databases/stanchion.nix

@@ -98,7 +98,7 @@ in
         type = types.path;
         default = "/var/log/stanchion";
         description = ''
-          Log directory for Stanchino.
+          Log directory for Stanchion.
         '';
       };
 
@@ -152,6 +152,11 @@ in
 
     users.groups.stanchion.gid = config.ids.gids.stanchion;
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.logDir}' - stanchion stanchion --"
+      "d '${cfg.dataDir}' 0700 stanchion stanchion --"
+    ];
+
     systemd.services.stanchion = {
       description = "Stanchion Server";
 
@@ -168,25 +173,12 @@ in
       environment.STANCHION_LOG_DIR = "${cfg.logDir}";
       environment.STANCHION_ETC_DIR = "/etc/stanchion";
 
-      preStart = ''
-        if ! test -e ${cfg.logDir}; then
-          mkdir -m 0755 -p ${cfg.logDir}
-          chown -R stanchion:stanchion ${cfg.logDir}
-        fi
-
-        if ! test -e ${cfg.dataDir}; then
-          mkdir -m 0700 -p ${cfg.dataDir}
-          chown -R stanchion:stanchion ${cfg.dataDir}
-        fi
-      '';
-
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/stanchion console";
         ExecStop = "${cfg.package}/bin/stanchion stop";
         StandardInput = "tty";
         User = "stanchion";
         Group = "stanchion";
-        PermissionsStartOnly = true;
         # Give Stanchion a decent amount of time to clean up.
         TimeoutStopSec = 120;
         LimitNOFILE = 65536;

nixos/modules/services/mail/nullmailer.nix

@@ -212,6 +212,10 @@ with lib;
       };
     };
 
+    systemd.tmpfiles.rules = [
+      "d /var/spool/nullmailer - ${cfg.user} - - -"
+    ];
+
     systemd.services.nullmailer = {
       description = "nullmailer";
       wantedBy = [ "multi-user.target" ];
@@ -220,13 +224,11 @@ with lib;
       preStart = ''
         mkdir -p /var/spool/nullmailer/{queue,tmp}
         rm -f /var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
-        chown ${cfg.user} /var/spool/nullmailer/*
       '';
 
       serviceConfig = {
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly=true;
         ExecStart = "${pkgs.nullmailer}/bin/nullmailer-send";
         Restart = "always";
       };

nixos/modules/services/mail/rss2email.nix

@@ -94,6 +94,10 @@ in {
 
     services.rss2email.config.to = cfg.to;
 
+    systemd.tmpfiles.rules = [
+      "d /var/rss2email 0700 rss2email rss2email - -"
+    ];
+
     systemd.services.rss2email = let
       conf = pkgs.writeText "rss2email.cfg" (lib.generators.toINI {} ({
           DEFAULT = cfg.config;
@@ -105,22 +109,16 @@ in {
     in
     {
       preStart = ''
-        mkdir -p /var/rss2email
-        chmod 700 /var/rss2email
-
         cp ${conf} /var/rss2email/conf.cfg
         if [ ! -f /var/rss2email/db.json ]; then
           echo '{"version":2,"feeds":[]}' > /var/rss2email/db.json
         fi
-
-        chown -R rss2email:rss2email /var/rss2email
       '';
       path = [ pkgs.system-sendmail ];
       serviceConfig = {
         ExecStart =
           "${pkgs.rss2email}/bin/r2e -c /var/rss2email/conf.cfg -d /var/rss2email/db.json run";
         User = "rss2email";
-        PermissionsStartOnly = "true";
       };
     };
 

nixos/modules/services/misc/etcd.nix

@@ -142,6 +142,10 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 etcd - - -"
+    ];
+
     systemd.services.etcd = {
       description = "etcd key-value store";
       wantedBy = [ "multi-user.target" ];
@@ -176,14 +180,8 @@ in {
         Type = "notify";
         ExecStart = "${pkgs.etcd.bin}/bin/etcd";
         User = "etcd";
-        PermissionsStartOnly = true;
         LimitNOFILE = 40000;
       };
-
-      preStart = ''
-        mkdir -m 0700 -p ${cfg.dataDir}
-        if [ "$(id -u)" = 0 ]; then chown etcd ${cfg.dataDir}; fi
-      '';
     };
 
     environment.systemPackages = [ pkgs.etcdctl ];

nixos/modules/services/misc/jackett.nix

@@ -38,24 +38,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.jackett = {
       description = "Jackett";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        test -d ${cfg.dataDir} || {
-          echo "Creating jackett data directory in ${cfg.dataDir}"
-          mkdir -p ${cfg.dataDir}
-        }
-        chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
-        chmod 0700 ${cfg.dataDir}
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.jackett}/bin/Jackett --NoUpdates --DataFolder '${cfg.dataDir}'";
         Restart = "on-failure";
       };

nixos/modules/services/misc/lidarr.nix

@@ -17,20 +17,15 @@ in
       description = "Lidarr";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        [ ! -d /var/lib/lidarr ] && mkdir -p /var/lib/lidarr
-        chown -R lidarr:lidarr /var/lib/lidarr
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = "lidarr";
         Group = "lidarr";
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.lidarr}/bin/Lidarr";
         Restart = "on-failure";
 
-        StateDirectory = "/var/lib/lidarr/";
+        StateDirectory = "lidarr";
         StateDirectoryMode = "0770";
       };
     };

nixos/modules/services/misc/mesos-master.nix

@@ -95,6 +95,9 @@ in {
 
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.workDir}' 0700 - - - -"
+    ];
     systemd.services.mesos-master = {
       description = "Mesos Master";
       wantedBy = [ "multi-user.target" ];
@@ -114,11 +117,7 @@ in {
             ${toString cfg.extraCmdLineOptions}
         '';
         Restart = "on-failure";
-        PermissionsStartOnly = true;
       };
-      preStart = ''
-        mkdir -m 0700 -p ${cfg.workDir}
-      '';
     };
   };
 

nixos/modules/services/misc/mesos-slave.nix

@@ -184,6 +184,9 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.workDir}' 0701 - - - -"
+    ];
     systemd.services.mesos-slave = {
       description = "Mesos Slave";
       wantedBy = [ "multi-user.target" ];
@@ -210,11 +213,7 @@ in {
             --executor_environment_variables=${lib.escapeShellArg (builtins.toJSON cfg.executorEnvironmentVariables)} \
             ${toString cfg.extraCmdLineOptions}
         '';
-        PermissionsStartOnly = true;
       };
-      preStart = ''
-        mkdir -m 0701 -p ${cfg.workDir}
-      '';
     };
   };
 

nixos/modules/services/misc/radarr.nix

@@ -38,24 +38,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.radarr = {
       description = "Radarr";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        test -d ${cfg.dataDir} || {
-          echo "Creating radarr data directory in ${cfg.dataDir}"
-          mkdir -p ${cfg.dataDir}
-        }
-        chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
-        chmod 0700 ${cfg.dataDir}
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.radarr}/bin/Radarr -nobrowser -data='${cfg.dataDir}'";
         Restart = "on-failure";
       };

nixos/modules/services/misc/sonarr.nix

@@ -39,24 +39,19 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.sonarr = {
       description = "Sonarr";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        test -d ${cfg.dataDir} || {
-          echo "Creating sonarr data directory in ${cfg.dataDir}"
-          mkdir -p ${cfg.dataDir}
-        }
-        chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
-        chmod 0700 ${cfg.dataDir}
-      '';
 
       serviceConfig = {
         Type = "simple";
         User = cfg.user;
         Group = cfg.group;
-        PermissionsStartOnly = "true";
         ExecStart = "${pkgs.sonarr}/bin/NzbDrone -nobrowser -data='${cfg.dataDir}'";
         Restart = "on-failure";
       };

nixos/modules/services/misc/zookeeper.nix

@@ -119,6 +119,10 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = [cfg.package];
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 zookeeper - - -"
+    ];
+
     systemd.services.zookeeper = {
       description = "Zookeeper Daemon";
       wantedBy = [ "multi-user.target" ];
@@ -135,11 +139,8 @@ in {
             ${configDir}/zoo.cfg
         '';
         User = "zookeeper";
-        PermissionsStartOnly = true;
       };
       preStart = ''
-        mkdir -m 0700 -p ${cfg.dataDir}
-        if [ "$(id -u)" = 0 ]; then chown zookeeper ${cfg.dataDir}; fi
         echo "${toString cfg.id}" > ${cfg.dataDir}/myid
       '';
     };

nixos/modules/services/monitoring/collectd.nix

@@ -79,6 +79,10 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' - ${cfg.user} - - -"
+    ];
+
     systemd.services.collectd = {
       description = "Collectd Monitoring Agent";
       after = [ "network.target" ];
@@ -87,16 +91,9 @@ in {
       serviceConfig = {
         ExecStart = "${cfg.package}/sbin/collectd -C ${conf} -f";
         User = cfg.user;
-        PermissionsStartOnly = true;
         Restart = "on-failure";
         RestartSec = 3;
       };
-
-      preStart = ''
-        mkdir -p "${cfg.dataDir}"
-        chmod 755 "${cfg.dataDir}"
-        chown -R ${cfg.user} "${cfg.dataDir}"
-      '';
     };
 
     users.users = optional (cfg.user == "collectd") {

nixos/modules/services/monitoring/prometheus/default.nix

@@ -22,9 +22,6 @@ let
   workingDir  = stateDirBase + stateDir;
   workingDir2 = stateDirBase + cfg2.stateDir;
 
-  # Get a submodule without any embedded metadata:
-  _filter = x: filterAttrs (k: v: k != "_module") x;
-
   # a wrapper that verifies that the configuration is valid
   promtoolCheck = what: name: file: pkgs.runCommand "${name}-${what}-checked"
     { buildInputs = [ cfg.package ]; } ''
@@ -50,11 +47,11 @@ let
 
   # This becomes the main config file for Prometheus 1
   promConfig = {
-    global = cfg.globalConfig;
+    global = filterValidPrometheus cfg.globalConfig;
     rule_files = map (promtoolCheck "check-rules" "rules") (cfg.ruleFiles ++ [
       (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg.rules))
     ]);
-    scrape_configs = filterEmpty cfg.scrapeConfigs;
+    scrape_configs = filterValidPrometheus cfg.scrapeConfigs;
   };
 
   generatedPrometheusYml = writePrettyJSON "prometheus.yml" promConfig;
@@ -77,11 +74,11 @@ let
 
   # This becomes the main config file for Prometheus 2
   promConfig2 = {
-    global = cfg2.globalConfig;
+    global = filterValidPrometheus cfg2.globalConfig;
     rule_files = map (prom2toolCheck "check rules" "rules") (cfg2.ruleFiles ++ [
       (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg2.rules))
     ]);
-    scrape_configs = filterEmpty cfg2.scrapeConfigs;
+    scrape_configs = filterValidPrometheus cfg2.scrapeConfigs;
     alerting = optionalAttrs (cfg2.alertmanagerURL != []) {
       alertmanagers = [{
         static_configs = [{
@@ -108,7 +105,7 @@ let
   ] ++
   optional (cfg2.webExternalUrl != null) "--web.external-url=${cfg2.webExternalUrl}";
 
-  filterEmpty = filterAttrsListRecursive (_n: v: !(v == null || v == [] || v == {}));
+  filterValidPrometheus = filterAttrsListRecursive (n: v: !(n == "_module" || v == null));
   filterAttrsListRecursive = pred: x:
     if isAttrs x then
       listToAttrs (
@@ -123,41 +120,37 @@ let
       map (filterAttrsListRecursive pred) x
     else x;
 
+  mkDefOpt = type : defaultStr : description : mkOpt type (description + ''
+
+    Defaults to <literal>${defaultStr}</literal> in prometheus
+    when set to <literal>null</literal>.
+  '');
+
+  mkOpt = type : description : mkOption {
+    type = types.nullOr type;
+    default = null;
+    inherit description;
+  };
+
   promTypes.globalConfig = types.submodule {
     options = {
-      scrape_interval = mkOption {
+      scrape_interval = mkDefOpt types.str "1m" ''
-        type = types.str;
-        default = "1m";
-        description = ''
         How frequently to scrape targets by default.
       '';
-      };
 
-      scrape_timeout = mkOption {
+      scrape_timeout = mkDefOpt types.str "10s" ''
-        type = types.str;
-        default = "10s";
-        description = ''
         How long until a scrape request times out.
       '';
-      };
 
-      evaluation_interval = mkOption {
+      evaluation_interval = mkDefOpt types.str "1m" ''
-        type = types.str;
-        default = "1m";
-        description = ''
         How frequently to evaluate rules by default.
       '';
-      };
 
-      external_labels = mkOption {
+      external_labels = mkOpt (types.attrsOf types.str) ''
-        type = types.attrsOf types.str;
-        description = ''
         The labels to add to any time series or alerts when
         communicating with external systems (federation, remote
         storage, Alertmanager).
       '';
-        default = {};
-      };
     };
   };
 
@@ -169,33 +162,21 @@ let
           The job name assigned to scraped metrics by default.
         '';
       };
-      scrape_interval = mkOption {
+      scrape_interval = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         How frequently to scrape targets from this job. Defaults to the
         globally configured default.
       '';
-      };
+
-      scrape_timeout = mkOption {
+      scrape_timeout = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         Per-target timeout when scraping this job. Defaults to the
         globally configured default.
       '';
-      };
+
-      metrics_path = mkOption {
+      metrics_path = mkDefOpt types.str "/metrics" ''
-        type = types.str;
-        default = "/metrics";
-        description = ''
         The HTTP resource path on which to fetch metrics from targets.
       '';
-      };
+
-      honor_labels = mkOption {
+      honor_labels = mkDefOpt types.bool "false" ''
-        type = types.bool;
-        default = false;
-        description = ''
         Controls how Prometheus handles conflicts between labels
         that are already present in scraped data and labels that
         Prometheus would attach server-side ("job" and "instance"
@@ -214,23 +195,27 @@ let
         federation, where all labels specified in the target should
         be preserved.
       '';
-      };
+
-      scheme = mkOption {
+      honor_timestamps = mkDefOpt types.bool "true" ''
-        type = types.enum ["http" "https"];
+        honor_timestamps controls whether Prometheus respects the timestamps present
-        default = "http";
+        in scraped data.
-        description = ''
+
+        If honor_timestamps is set to <literal>true</literal>, the timestamps of the metrics exposed
+        by the target will be used.
+
+        If honor_timestamps is set to <literal>false</literal>, the timestamps of the metrics exposed
+        by the target will be ignored.
+      '';
+
+      scheme = mkDefOpt (types.enum ["http" "https"]) "http" ''
         The URL scheme with which to fetch metrics from targets.
       '';
-      };
+
-      params = mkOption {
+      params = mkOpt (types.attrsOf (types.listOf types.str)) ''
-        type = types.attrsOf (types.listOf types.str);
-        default = {};
-        description = ''
         Optional HTTP URL parameters.
       '';
-      };
+
-      basic_auth = mkOption {
+      basic_auth = mkOpt (types.submodule {
-        type = types.nullOr (types.submodule {
         options = {
           username = mkOption {
             type = types.str;
@@ -245,69 +230,59 @@ let
             '';
           };
         };
-        });
+      }) ''
-        default = null;
-        apply = x: mapNullable _filter x;
-        description = ''
         Optional http login credentials for metrics scraping.
       '';
-      };
+
-      tls_config = mkOption {
+      bearer_token = mkOpt types.str ''
-        type = types.nullOr promTypes.tls_config;
+        Sets the `Authorization` header on every scrape request with
-        default = null;
+        the configured bearer token. It is mutually exclusive with
-        apply = x: mapNullable _filter x;
+        <option>bearer_token_file</option>.
-        description = ''
+      '';
+
+      bearer_token_file = mkOpt types.str ''
+        Sets the `Authorization` header on every scrape request with
+        the bearer token read from the configured file. It is mutually
+        exclusive with <option>bearer_token</option>.
+      '';
+
+      tls_config = mkOpt promTypes.tls_config ''
         Configures the scrape request's TLS settings.
       '';
-      };
+
-      dns_sd_configs = mkOption {
+      proxy_url = mkOpt types.str ''
-        type = types.listOf promTypes.dns_sd_config;
+        Optional proxy URL.
-        default = [];
-        apply = x: map _filter x;
-        description = ''
-          List of DNS service discovery configurations.
       '';
-      };
+
-      consul_sd_configs = mkOption {
+      ec2_sd_configs = mkOpt (types.listOf promTypes.ec2_sd_config) ''
-        type = types.listOf promTypes.consul_sd_config;
-        default = [];
-        apply = x: map _filter x;
-        description = ''
-          List of Consul service discovery configurations.
-        '';
-      };
-      file_sd_configs = mkOption {
-        type = types.listOf promTypes.file_sd_config;
-        default = [];
-        apply = x: map _filter x;
-        description = ''
-          List of file service discovery configurations.
-        '';
-      };
-      static_configs = mkOption {
-        type = types.listOf promTypes.static_config;
-        default = [];
-        apply = x: map _filter x;
-        description = ''
-          List of labeled target groups for this job.
-        '';
-      };
-      ec2_sd_configs = mkOption {
-        type = types.listOf promTypes.ec2_sd_config;
-        default = [];
-        apply = x: map _filter x;
-        description = ''
         List of EC2 service discovery configurations.
       '';
-      };
+
-      relabel_configs = mkOption {
+      dns_sd_configs = mkOpt (types.listOf promTypes.dns_sd_config) ''
-        type = types.listOf promTypes.relabel_config;
+        List of DNS service discovery configurations.
-        default = [];
+      '';
-        apply = x: map _filter x;
+
-        description = ''
+      consul_sd_configs = mkOpt (types.listOf promTypes.consul_sd_config) ''
+        List of Consul service discovery configurations.
+      '';
+
+      file_sd_configs = mkOpt (types.listOf promTypes.file_sd_config) ''
+        List of file service discovery configurations.
+      '';
+
+      static_configs = mkOpt (types.listOf promTypes.static_config) ''
+        List of labeled target groups for this job.
+      '';
+
+      relabel_configs = mkOpt (types.listOf promTypes.relabel_config) ''
         List of relabel configurations.
       '';
-      };
+
+      sample_limit = mkDefOpt types.int "0" ''
+        Per-scrape limit on number of scraped samples that will be accepted.
+        If more than this number of samples are present after metric relabelling
+        the entire scrape will be treated as failed. 0 means no limit.
+      '';
     };
   };
 
@@ -337,68 +312,43 @@ let
           The AWS Region.
         '';
       };
-      endpoint = mkOption {
+      endpoint = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         Custom endpoint to be used.
       '';
-      };
+
-      access_key = mkOption {
+      access_key = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         The AWS API key id. If blank, the environment variable
         <literal>AWS_ACCESS_KEY_ID</literal> is used.
       '';
-      };
+
-      secret_key = mkOption {
+      secret_key = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         The AWS API key secret. If blank, the environment variable
          <literal>AWS_SECRET_ACCESS_KEY</literal> is used.
       '';
-      };
+
-      profile = mkOption {
+      profile = mkOpt  types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         Named AWS profile used to connect to the API.
       '';
-      };
+
-      role_arn = mkOption {
+      role_arn = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         AWS Role ARN, an alternative to using AWS API keys.
       '';
-      };
+
-      refresh_interval = mkOption {
+      refresh_interval = mkDefOpt types.str "60s" ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         Refresh interval to re-read the instance list.
       '';
-      };
+
-      port = mkOption {
+      port = mkDefOpt types.int "80" ''
-        type = types.int;
-        default = 80;
-        description = ''
         The port to scrape metrics from. If using the public IP
         address, this must instead be specified in the relabeling
         rule.
       '';
-      };
+
-      filters = mkOption {
+      filters = mkOpt (types.listOf promTypes.filter) ''
-        type = types.nullOr (types.listOf promTypes.filter);
-        default = null;
-        description = ''
         Filters can be used optionally to filter the instance list by other criteria.
       '';
     };
   };
-  };
 
   promTypes.filter = types.submodule {
     options = {
@@ -409,6 +359,7 @@ let
           for the available filters.
         '';
       };
+
       value = mkOption {
         type = types.listOf types.str;
         default = [];
@@ -427,56 +378,63 @@ let
           A list of DNS SRV record names to be queried.
         '';
       };
-      refresh_interval = mkOption {
+
-        type = types.str;
+      refresh_interval = mkDefOpt types.str "30s" ''
-        default = "30s";
-        description = ''
         The time after which the provided names are refreshed.
       '';
     };
   };
-  };
 
   promTypes.consul_sd_config = types.submodule {
     options = {
-      server = mkOption {
+      server = mkDefOpt types.str "localhost:8500" ''
-        type = types.str;
+        Consul server to query.
-        description = "Consul server to query.";
+      '';
-      };
-      token = mkOption {
-        type = types.nullOr types.str;
-        description = "Consul token";
-      };
-      datacenter = mkOption {
-        type = types.nullOr types.str;
-        description = "Consul datacenter";
-      };
-      scheme = mkOption {
-        type = types.nullOr types.str;
-        description = "Consul scheme";
-      };
-      username = mkOption {
-        type = types.nullOr types.str;
-        description = "Consul username";
-      };
-      password = mkOption {
-        type = types.nullOr types.str;
-        description = "Consul password";
-      };
 
-      services = mkOption {
+      token = mkOpt types.str "Consul token";
-        type = types.listOf types.str;
+
-        description = ''
+      datacenter = mkOpt types.str "Consul datacenter";
+
+      scheme = mkDefOpt types.str "http" "Consul scheme";
+
+      username = mkOpt types.str "Consul username";
+
+      password = mkOpt types.str "Consul password";
+
+      tls_config = mkOpt promTypes.tls_config ''
+        Configures the Consul request's TLS settings.
+      '';
+
+      services = mkOpt (types.listOf types.str) ''
         A list of services for which targets are retrieved.
       '';
-      };
+
-      tag_separator = mkOption {
+      tags = mkOpt (types.listOf types.str) ''
-        type = types.str;
+        An optional list of tags used to filter nodes for a given
-        default = ",";
+        service. Services must contain all tags in the list.
-        description = ''
+      '';
+
+      node_meta = mkOpt (types.attrsOf types.str) ''
+        Node metadata used to filter nodes for a given service.
+      '';
+
+      tag_separator = mkDefOpt types.str "," ''
         The string by which Consul tags are joined into the tag label.
       '';
-      };
+
+      allow_stale = mkOpt types.bool ''
+        Allow stale Consul results
+        (see <link xlink:href="https://www.consul.io/api/index.html#consistency-modes"/>).
+
+        Will reduce load on Consul.
+      '';
+
+      refresh_interval = mkDefOpt types.str "30s" ''
+        The time after which the provided names are refreshed.
+
+        On large setup it might be a good idea to increase this value
+        because the catalog will change all the time.
+      '';
     };
   };
 
@@ -488,110 +446,76 @@ let
           Patterns for files from which target groups are extracted. Refer
           to the Prometheus documentation for permitted filename patterns
           and formats.
-
         '';
       };
-      refresh_interval = mkOption {
+
-        type = types.str;
+      refresh_interval = mkDefOpt types.str "5m" ''
-        default = "30s";
-        description = ''
         Refresh interval to re-read the files.
       '';
     };
   };
-  };
 
   promTypes.relabel_config = types.submodule {
     options = {
-      source_labels = mkOption {
+      source_labels = mkOpt (types.listOf types.str) ''
-        type = with types; nullOr (listOf str);
-        default = null;
-        description = ''
         The source labels select values from existing labels. Their content
         is concatenated using the configured separator and matched against
         the configured regular expression.
       '';
-      };
+
-      separator = mkOption {
+      separator = mkDefOpt types.str ";" ''
-        type = types.str;
-        default = ";";
-        description = ''
         Separator placed between concatenated source label values.
       '';
-      };
+
-      target_label = mkOption {
+      target_label = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         Label to which the resulting value is written in a replace action.
         It is mandatory for replace actions.
       '';
-      };
+
-      regex = mkOption {
+      regex = mkDefOpt types.str "(.*)" ''
-        type = types.str;
-        default = "(.*)";
-        description = ''
         Regular expression against which the extracted value is matched.
       '';
-      };
+
-      replacement = mkOption {
+      modulus = mkOpt types.int ''
-        type = types.str;
+        Modulus to take of the hash of the source label values.
-        default = "$1";
+      '';
-        description = ''
+
+      replacement = mkDefOpt types.str "$1" ''
         Replacement value against which a regex replace is performed if the
         regular expression matches.
       '';
-      };
+
-      action = mkOption {
+      action = mkDefOpt (types.enum ["replace" "keep" "drop"]) "replace" ''
-        type = types.enum ["replace" "keep" "drop"];
-        default = "replace";
-        description = ''
         Action to perform based on regex matching.
       '';
-      };
+
     };
   };
 
   promTypes.tls_config = types.submodule {
     options = {
-      ca_file = mkOption {
+      ca_file = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         CA certificate to validate API server certificate with.
       '';
-      };
+
-      cert_file = mkOption {
+      cert_file = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         Certificate file for client cert authentication to the server.
       '';
-      };
+
-      key_file = mkOption {
+      key_file = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         Key file for client cert authentication to the server.
       '';
-      };
+
-      server_name = mkOption {
+      server_name = mkOpt types.str ''
-        type = types.nullOr types.str;
-        default = null;
-        description = ''
         ServerName extension to indicate the name of the server.
         http://tools.ietf.org/html/rfc4366#section-3.1
       '';
-      };
+
-      insecure_skip_verify = mkOption {
+      insecure_skip_verify = mkOpt types.bool ''
-        type = types.bool;
-        default = false;
-        description = ''
         Disable validation of the server certificate.
       '';
     };
   };
-  };
 
 in {
   options = {
@@ -662,7 +586,6 @@ in {
       globalConfig = mkOption {
         type = promTypes.globalConfig;
         default = {};
-        apply = _filter;
         description = ''
           Parameters that are valid in all  configuration contexts. They
           also serve as defaults for other configuration sections
@@ -688,7 +611,6 @@ in {
       scrapeConfigs = mkOption {
         type = types.listOf promTypes.scrape_config;
         default = [];
-        apply = x: map _filter x;
         description = ''
           A list of scrape configurations.
         '';
@@ -786,7 +708,6 @@ in {
       globalConfig = mkOption {
         type = promTypes.globalConfig;
         default = {};
-        apply = _filter;
         description = ''
           Parameters that are valid in all  configuration contexts. They
           also serve as defaults for other configuration sections
@@ -812,7 +733,6 @@ in {
       scrapeConfigs = mkOption {
         type = types.listOf promTypes.scrape_config;
         default = [];
-        apply = x: map _filter x;
         description = ''
           A list of scrape configurations.
         '';

nixos/modules/services/network-filesystems/ipfs.nix

@@ -226,18 +226,19 @@ in {
       ipfs.gid = config.ids.gids.ipfs;
     };
 
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' - ${cfg.user} ${cfg.group} - -"
+    ] ++ optionals cfg.autoMount [
+      "d '${cfg.ipfsMountDir}' - ${cfg.user} ${cfg.group} - -"
+      "d '${cfg.ipnsMountDir}' - ${cfg.user} ${cfg.group} - -"
+    ];
+
     systemd.services.ipfs-init = recursiveUpdate commonEnv {
       description = "IPFS Initializer";
 
       after = [ "local-fs.target" ];
       before = [ "ipfs.service" "ipfs-offline.service" "ipfs-norouting.service" ];
 
-      preStart = ''
-        install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.dataDir}
-      '' + optionalString cfg.autoMount ''
-        install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipfsMountDir}
-        install -m 0755 -o ${cfg.user} -g ${cfg.group} -d ${cfg.ipnsMountDir}
-      '';
       script = ''
         if [[ ! -f ${cfg.dataDir}/config ]]; then
           ipfs init ${optionalString cfg.emptyRepo "-e"} \
@@ -253,7 +254,6 @@ in {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        PermissionsStartOnly = true;
       };
     };
 

nixos/modules/services/networking/mxisd.nix

@@ -116,7 +116,6 @@ in {
         Group = "mxisd";
         ExecStart = "${cfg.package}/bin/mxisd --spring.config.location=${cfg.dataDir}/ --spring.profiles.active=systemd --java.security.egd=file:/dev/./urandom";
         WorkingDirectory = cfg.dataDir;
-        PermissionsStartOnly = true;
         SuccessExitStatus = 143;
         Restart = "on-failure";
       };

nixos/modules/services/networking/smokeping.nix

@@ -285,12 +285,12 @@ in
       uid = config.ids.uids.smokeping;
       description = "smokeping daemon user";
       home = smokepingHome;
+      createHome = true;
     };
     systemd.services.smokeping = {
       wantedBy = [ "multi-user.target"];
       serviceConfig = {
         User = cfg.user;
-        PermissionsStartOnly = true;
         Restart = "on-failure";
       };
       preStart = ''
@@ -300,7 +300,6 @@ in
         cp ${cgiHome} ${smokepingHome}/smokeping.fcgi
         ${cfg.package}/bin/smokeping --check --config=${configPath}
         ${cfg.package}/bin/smokeping --static --config=${configPath}
-        chown -R ${cfg.user} ${smokepingHome}
       '';
       script = ''${cfg.package}/bin/smokeping --config=${configPath} --nodaemon'';
     };

nixos/modules/services/networking/syncthing.nix

@@ -151,7 +151,6 @@ in {
           RestartForceExitStatus="3 4";
           User = cfg.user;
           Group = cfg.group;
-          PermissionsStartOnly = true;
           ExecStart = ''
             ${cfg.package}/bin/syncthing \
               -no-browser \

nixos/modules/services/security/munge.nix

@@ -49,21 +49,16 @@ in
 
       path = [ pkgs.munge pkgs.coreutils ];
 
-      preStart = ''
-        chmod 0400 ${cfg.password}
-        mkdir -p /var/lib/munge -m 0711
-        chown -R munge:munge /var/lib/munge
-        mkdir -p /run/munge -m 0755
-        chown -R munge:munge /run/munge
-      '';
-
       serviceConfig = {
+        ExecStartPre = "+${pkgs.coreutils}/bin/chmod 0400 ${cfg.password}";
         ExecStart = "${pkgs.munge}/bin/munged --syslog --key-file ${cfg.password}";
         PIDFile = "/run/munge/munged.pid";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        PermissionsStartOnly = "true";
         User = "munge";
         Group = "munge";
+        StateDirectory = "munge";
+        StateDirectoryMode = "0711";
+        RuntimeDirectory = "munge";
       };
 
     };

nixos/modules/services/security/vault.nix

@@ -119,6 +119,10 @@ in
     };
     users.groups.vault.gid = config.ids.gids.vault;
 
+    systemd.tmpfiles.rules = optional (cfg.storagePath != null) [
+      "d '${cfg.storagePath}' 0700 vault vault - -"
+    ];
+
     systemd.services.vault = {
       description = "Vault server daemon";
 
@@ -128,14 +132,9 @@ in
 
       restartIfChanged = false; # do not restart on "nixos-rebuild switch". It would seal the storage and disrupt the clients.
 
-      preStart = optionalString (cfg.storagePath != null) ''
-        install -d -m0700 -o vault -g vault "${cfg.storagePath}"
-      '';
-
       serviceConfig = {
         User = "vault";
         Group = "vault";
-        PermissionsStartOnly = true;
         ExecStart = "${cfg.package}/bin/vault server -config ${configFile}";
         PrivateDevices = true;
         PrivateTmp = true;

nixos/modules/services/torrent/peerflix.nix

@@ -39,6 +39,10 @@ in {
   ###### implementation
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.stateDir}' - peerflix - - -"
+    ];
+
     systemd.services.peerflix = {
       description = "Peerflix Daemon";
       wantedBy = [ "multi-user.target" ];
@@ -47,13 +51,11 @@ in {
 
       preStart = ''
         mkdir -p "${cfg.stateDir}"/{torrents,.config/peerflix-server}
-        if [ "$(id -u)" = 0 ]; then chown -R peerflix "${cfg.stateDir}"; fi
         ln -fs "${configFile}" "${cfg.stateDir}/.config/peerflix-server/config.json"
       '';
 
       serviceConfig = {
         ExecStart = "${pkgs.nodePackages.peerflix-server}/bin/peerflix-server";
-        PermissionsStartOnly = true;
         User = "peerflix";
       };
     };

nixos/modules/services/web-apps/codimd.nix

@@ -899,10 +899,6 @@ in
       description = "CodiMD Service";
       wantedBy = [ "multi-user.target" ];
       after = [ "networking.target" ];
-      preStart = ''
-        mkdir -p ${cfg.workDir}
-        chown -R codimd: ${cfg.workDir}
-      '';
       serviceConfig = {
         WorkingDirectory = cfg.workDir;
         ExecStart = "${pkgs.codimd}/bin/codimd";
@@ -912,7 +908,6 @@ in
         ];
         Restart = "always";
         User = "codimd";
-        PermissionsStartOnly = true;
         PrivateTmp = true;
       };
     };

nixos/modules/services/web-apps/nexus.nix

@@ -83,6 +83,8 @@ in
     users.users."${cfg.user}" = {
       isSystemUser = true;
       group = cfg.group;
+      home = cfg.home;
+      createHome = true;
     };
 
     users.groups."${cfg.group}" = {};
@@ -104,8 +106,6 @@ in
       preStart = ''
         mkdir -p ${cfg.home}/nexus3/etc
 
-        chown -R ${cfg.user}:${cfg.group} ${cfg.home}
-
         if [ ! -f ${cfg.home}/nexus3/etc/nexus.properties ]; then
           echo "# Jetty section" > ${cfg.home}/nexus3/etc/nexus.properties
           echo "application-port=${toString cfg.listenPort}" >> ${cfg.home}/nexus3/etc/nexus.properties
@@ -124,7 +124,6 @@ in
         User = cfg.user;
         Group = cfg.group;
         PrivateTmp = true;
-        PermissionsStartOnly = true;
         LimitNOFILE = 102642;
       };
     };

nixos/modules/services/web-servers/minio.nix

@@ -72,19 +72,16 @@ in
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.configDir}' - minio minio - -"
+      "d '${cfg.dataDir}' - minio minio - -"
+    ];
+
     systemd.services.minio = {
       description = "Minio Object Storage";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      preStart = ''
-        # Make sure directories exist with correct owner
-        mkdir -p ${cfg.configDir}
-        chown -R minio:minio ${cfg.configDir}
-        mkdir -p ${cfg.dataDir}
-        chown minio:minio ${cfg.dataDir}
-      '';
       serviceConfig = {
-        PermissionsStartOnly = true;
         ExecStart = "${cfg.package}/bin/minio server --json --address ${cfg.listenAddress} --config-dir=${cfg.configDir} ${cfg.dataDir}";
         Type = "simple";
         User = "minio";

nixos/modules/services/web-servers/traefik.nix

@@ -84,18 +84,16 @@ in {
   };
 
   config = mkIf cfg.enable {
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 traefik traefik - -"
+    ];
+
     systemd.services.traefik = {
       description = "Traefik web server";
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
-        PermissionsStartOnly = true;
         ExecStart = ''${cfg.package.bin}/bin/traefik --configfile=${configFile}'';
-        ExecStartPre = [
-          ''${pkgs.coreutils}/bin/mkdir -p "${cfg.dataDir}"''
-          ''${pkgs.coreutils}/bin/chmod 700 "${cfg.dataDir}"''
-          ''${pkgs.coreutils}/bin/chown -R traefik:traefik "${cfg.dataDir}"''
-        ];
         Type = "simple";
         User = "traefik";
         Group = cfg.group;

nixos/modules/services/x11/desktop-managers/maxx.nix

@@ -13,6 +13,12 @@ in {
   config = mkIf (xcfg.enable && cfg.enable) {
     environment.systemPackages = [ pkgs.maxx ];
 
+    # there is hardcoded path in binaries
+    system.activationScripts.setup-maxx = ''
+      mkdir -p /opt
+      ln -sfn ${pkgs.maxx}/opt/MaXX /opt
+    '';
+
     services.xserver.desktopManager.session = [
     { name = "MaXX";
       start = ''

nixos/modules/system/boot/stage-1-init.sh

@@ -555,7 +555,7 @@ echo /sbin/modprobe > /proc/sys/kernel/modprobe
 # Start stage 2.  `switch_root' deletes all files in the ramfs on the
 # current root.  Note that $stage2Init might be an absolute symlink,
 # in which case "-e" won't work because we're not in the chroot yet.
-if ! test -e "$targetRoot/$stage2Init" -o ! -L "$targetRoot/$stage2Init"; then
+if [ ! -e "$targetRoot/$stage2Init" ] && [ ! -L "$targetRoot/$stage2Init" ] ; then
     echo "stage 2 init script ($targetRoot/$stage2Init) not found"
     fail
 fi

nixos/modules/system/boot/stage-1.nix

@@ -32,7 +32,7 @@ let
   fileSystems = filter utils.fsNeededForBoot config.system.build.fileSystems;
 
   # A utility for enumerating the shared-library dependencies of a program
-  findLibs = pkgs.writeShellScriptBin "find-libs" ''
+  findLibs = pkgs.buildPackages.writeShellScriptBin "find-libs" ''
     set -euo pipefail
 
     declare -A seen

nixos/modules/virtualisation/ec2-amis.nix

@@ -274,5 +274,22 @@ let self = {
   "18.09".sa-east-1.hvm-ebs = "ami-0e4a8a47fd6db6112";
   "18.09".ap-south-1.hvm-ebs = "ami-0880a678d3f555313";
 
-  latest = self."18.09";
+  # 19.03.172286.8ea36d73256
+  "19.03".eu-west-1.hvm-ebs = "ami-0fe40176548ff0940";
+  "19.03".eu-west-2.hvm-ebs = "ami-03a40fd3a02fe95ba";
+  "19.03".eu-west-3.hvm-ebs = "ami-0436f9da0f20a638e";
+  "19.03".eu-central-1.hvm-ebs = "ami-0022b8ea9efde5de4";
+  "19.03".us-east-1.hvm-ebs = "ami-0efc58fb70ae9a217";
+  "19.03".us-east-2.hvm-ebs = "ami-0abf711b1b34da1af";
+  "19.03".us-west-1.hvm-ebs = "ami-07d126e8838c40ec5";
+  "19.03".us-west-2.hvm-ebs = "ami-03f8a737546e47fb0";
+  "19.03".ca-central-1.hvm-ebs = "ami-03f9fd0ef2e035ede";
+  "19.03".ap-southeast-1.hvm-ebs = "ami-0cff66114c652c262";
+  "19.03".ap-southeast-2.hvm-ebs = "ami-054c73a7f8d773ea9";
+  "19.03".ap-northeast-1.hvm-ebs = "ami-00db62688900456a4";
+  "19.03".ap-northeast-2.hvm-ebs = "ami-0485cdd1a5fdd2117";
+  "19.03".sa-east-1.hvm-ebs = "ami-0c6a43c6e0ad1f4e2";
+  "19.03".ap-south-1.hvm-ebs = "ami-0303deb1b5890f878";
+
+  latest = self."19.03";
 }; in self

nixos/modules/virtualisation/virtualbox-image.nix

@@ -100,6 +100,11 @@ in {
     boot.growPartition = true;
     boot.loader.grub.device = "/dev/sda";
 
+    swap.swapDevices = {
+      device = "/var/swap";
+      size = 2048;
+    };
+
     virtualisation.virtualbox.guest.enable = true;
 
   };

nixos/tests/nginx.nix

@@ -1,6 +1,8 @@
 # verifies:
 #   1. nginx generates config file with shared http context definitions above
 #      generated virtual hosts config.
+#   2. whether the ETag header is properly generated whenever we're serving
+#      files in Nix store paths
 
 import ./make-test.nix ({ pkgs, ... }: {
   name = "nginx";
@@ -8,10 +10,9 @@ import ./make-test.nix ({ pkgs, ...} : {
     maintainers = [ mbbx6spp ];
   };
 
-  nodes = {
+  nodes = let
-    webserver =
+    commonConfig = { pkgs, ... }: {
-      { ... }:
+      services.nginx.enable = true;
-      { services.nginx.enable = true;
       services.nginx.commonHttpConfig = ''
         log_format ceeformat '@cee: {"status":"$status",'
           '"request_time":$request_time,'
@@ -31,13 +32,54 @@ import ./make-test.nix ({ pkgs, ...} : {
           location /favicon.ico { allow all; access_log off; log_not_found off; }
         '';
       };
+      services.nginx.virtualHosts.localhost = {
+        root = pkgs.runCommand "testdir" {} ''
+          mkdir "$out"
+          echo hello world > "$out/index.html"
+        '';
+      };
+    };
+  in {
+    webserver = commonConfig;
+
+    newwebserver = { pkgs, lib, ... }: {
+      imports = [ commonConfig ];
+      services.nginx.virtualHosts.localhost = {
+        root = lib.mkForce (pkgs.runCommand "testdir2" {} ''
+          mkdir "$out"
+          echo hello world > "$out/index.html"
+        '');
+      };
     };
   };
 
-  testScript = ''
+  testScript = { nodes, ... }: let
-    startAll;
+    newServerSystem = nodes.newwebserver.config.system.build.toplevel;
+    switch = "${newServerSystem}/bin/switch-to-configuration test";
+  in ''
+    my $url = 'http://localhost/index.html';
+
+    sub checkEtag {
+      my $etag = $webserver->succeed(
+        'curl -v '.$url.' 2>&1 | sed -n -e "s/^< [Ee][Tt][Aa][Gg]: *//p"'
+      );
+      $etag =~ s/\r?\n$//;
+      my $httpCode = $webserver->succeed(
+        'curl -w "%{http_code}" -X HEAD -H \'If-None-Match: '.$etag.'\' '.$url
+      );
+      chomp $httpCode;
+      die "HTTP code is not 304" unless $httpCode == 304;
+      return $etag;
+    }
 
     $webserver->waitForUnit("nginx");
     $webserver->waitForOpenPort("80");
+
+    subtest "check ETag if serving Nix store paths", sub {
+      my $oldEtag = checkEtag;
+      $webserver->succeed('${switch}');
+      my $newEtag = checkEtag;
+      die "Old ETag $oldEtag is the same as $newEtag" if $oldEtag eq $newEtag;
+    };
   '';
 })

pkgs/applications/altcoins/go-ethereum.nix

@@ -1,8 +1,9 @@
-{ stdenv, buildGoPackage, fetchFromGitHub, libobjc, IOKit }:
+{ stdenv, buildGoPackage, fetchFromGitHub, libobjc, IOKit, fetchpatch }:
 
 buildGoPackage rec {
-  name = "go-ethereum-${version}";
+  pname = "go-ethereum";
-  version = "1.8.26";
+  version = "1.8.27";
+
   goPackagePath = "github.com/ethereum/go-ethereum";
 
   # Fix for usb-related segmentation faults on darwin
@@ -12,11 +13,22 @@ buildGoPackage rec {
   # Fixes Cgo related build failures (see https://github.com/NixOS/nixpkgs/issues/25959 )
   hardeningDisable = [ "fortify" ];
 
+  # Apply ethereum/go-ethereum#19183 to fix the aarch64 build failure.
+  #
+  # TODO Remove this patch when upstream (https://github.com/ethereum/go-ethereum)
+  # fix this problem in the future release.
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/ethereum/go-ethereum/commit/39bd2609.patch";
+      sha256 = "1a362hzvcjk505hicv25kziy3c6s5an4j7rk4jibcxwgvygb3mz5";
+    })
+ ];
+
   src = fetchFromGitHub {
     owner = "ethereum";
-    repo = "go-ethereum";
+    repo = pname;
     rev = "v${version}";
-    sha256 = "0i7shrwix5j8l5i0ap5pzhninwyk2kvm1pax27pnnjlpam8577i4";
+    sha256 = "1640y7lqy7bvjjgx6wp0cnbw632ls5fj4ixclr819lfz4p5dfhx1";
   };
 
   meta = with stdenv.lib; {

pkgs/applications/audio/audio-recorder/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl
-, pkgconfig, intltool, gnome3
+, pkgconfig, intltool
 , glib, dbus, gtk3, libappindicator-gtk3, gst_all_1
 , librsvg, wrapGAppsHook
 , pulseaudioSupport ? true, libpulseaudio ? null }:
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
   };
 
   # https://bugs.launchpad.net/audio-recorder/+bug/1784622
-  NIX_CFLAGS_COMPILE = "-I${gnome3.glib.dev}/include/gio-unix-2.0";
+  NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/gio-unix-2.0";
 
   nativeBuildInputs = [ pkgconfig intltool wrapGAppsHook ];
 

pkgs/applications/editors/android-studio/common.nix

@@ -39,12 +39,11 @@
 
 let
   drvName = "android-studio-${channel}-${version}";
-  archiveFormat = if builtins.elem channel [ "dev" "canary" ] then "tar.gz" else "zip";
   androidStudio = stdenv.mkDerivation {
     name = drvName;
 
     src = fetchurl {
-      url = "https://dl.google.com/dl/android/studio/ide-zips/${version}/android-studio-ide-${build}-linux.${archiveFormat}";
+      url = "https://dl.google.com/dl/android/studio/ide-zips/${version}/android-studio-ide-${build}-linux.tar.gz";
       sha256 = sha256Hash;
     };
 

pkgs/applications/editors/android-studio/default.nix

@@ -8,19 +8,15 @@ let
     inherit (gnome2) GConf gnome_vfs;
   };
   stableVersion = {
-    version = "3.3.2.0"; # "Android Studio 3.3.2"
+    version = "3.4.0.18"; # "Android Studio 3.4.0"
-    build = "182.5314842";
+    build = "183.5452501";
-    sha256Hash = "0smh3d3v8n0isxg7fkls20622gp52f58i2b6wa4a0g8wnvmd6mw2";
+    sha256Hash = "0i8wz9v6nxzr27a07cv2330i84v94pcl13gjwvpglp55hyzd8axd";
-  };
-  betaVersion = {
-    version = "3.4.0.17"; # "Android Studio 3.4 RC 3"
-    build = "183.5400832";
-    sha256Hash = "1v4apc73jdhavhzj8j46mzh15rw08w1hd9y9ykarj3b5q7i2vyq1";
   };
+  betaVersion = stableVersion;
   latestVersion = { # canary & dev
-    version = "3.5.0.10"; # "Android Studio 3.5 Canary 11"
+    version = "3.5.0.11"; # "Android Studio 3.5 Canary 12"
-    build = "191.5455988";
+    build = "191.5471097";
-    sha256Hash = "1g24a8fwnrfzdf093wdmqly3mzjddk5ndgi51qj98amn7kclsdpf";
+    sha256Hash = "1dz9iy8f12fzqp8wv9c5v01d33djy97aha8rxxp18vi6myak42ca";
   };
 in rec {
   # Attributes are named by their corresponding release channels

pkgs/applications/editors/atom/default.nix

@@ -3,14 +3,14 @@
 let
   versions = {
     atom = {
-      version = "1.34.0";
+      version = "1.36.0";
-      sha256 = "16hrjymrc43izg7frcrk7cwjwwrclcxzcwb5iw2llzjc6iadzlkb";
+      sha256 = "1ljg39h5xjigk2njvxyinb1gd3sbja21v47c7va6vl9hjr5xb3fr";
     };
 
     atom-beta = {
-      version = "1.35.0";
+      version = "1.37.0";
       beta = 0;
-      sha256 = "0gm5k573dq1hhnyw3719f5k1c6rsz872mhzg8q53n89y0g2r5xmw";
+      sha256 = "0aq8r5vfgq7r31qajjgcg4n5a57a2m8fvq6fzy9vq5gawkvmaxxx";
     };
   };
 

pkgs/applications/editors/manuskript/default.nix

@@ -2,13 +2,13 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "manuskript";
-  version = "0.8.0";
+  version = "0.9.0";
 
   src = fetchFromGitHub {
     repo = pname;
     owner = "olivierkes";
     rev = version;
-    sha256 = "0vqz02p3m9n4hk2jplnklr9s6niqdm5iykab6nblqdm4plb04c34";
+    sha256 = "13y1s0kba1ib6g977n7h920kyr7abdw03kpal512m7iwa9g2kdw8";
   };
 
   propagatedBuildInputs = [

pkgs/applications/editors/vscode/default.nix

@@ -110,8 +110,8 @@ in
         cp $out/lib/vscode/resources/app/resources/linux/code.png $out/share/pixmaps/code.png
 
         # Override the previously determined VSCODE_PATH with the one we know to be correct
-        sed -i "/ELECTRON=/iVSCODE_PATH='$out/lib/vscode'" $out/bin/code
+        sed -i "/ELECTRON=/iVSCODE_PATH='$out/lib/vscode'" $out/bin/${executableName}
-        grep -q "VSCODE_PATH='$out/lib/vscode'" $out/bin/code # check if sed succeeded
+        grep -q "VSCODE_PATH='$out/lib/vscode'" $out/bin/${executableName} # check if sed succeeded
       '';
 
     preFixup = lib.optionalString (system == "i686-linux" || system == "x86_64-linux") ''

pkgs/applications/graphics/apitrace/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "apitrace-${version}";
-  version = "7.1-363-ge3509be1";
+  version = "7.1-572-g${builtins.substring 0 8 src.rev}";
 
   src = fetchFromGitHub {
-    sha256 = "1xbz6gwl7kqjm7jjy5gxkdxzrg93vj1a3l19ara7rni6dii0q136";
+    sha256 = "11bwb0l8cr1bf9bj1s6cbmi77d5fy4qrphj9cgmcd8jpa862anp5";
-    rev = "e3509be175eda77749abffe051ed0d3eb5d14e72";
+    rev = "26966134f15d28f6b4a9a0a560017b3ba36d60bf";
     repo = "apitrace";
     owner = "apitrace";
   };

pkgs/applications/misc/crumbs/default.nix

@@ -0,0 +1,33 @@
+{ stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "crumbs";
+  version = "0.0.3";
+
+  src = fetchFromGitHub
+    { owner = "fasseg";
+      repo = "crumbs";
+      rev = version;
+      sha256 = "0jjvydn4i4n9xv8vsal2jxpa95mk2lw6myv0gx9wih242k9vy0l7";
+    };
+
+  prePatch = ''
+    sed -i 's|gfind|find|' crumbs-completion.fish
+  '';
+
+  postInstall = ''
+    mkdir -p $out/share/bash-completion/completions
+    mkdir -p $out/share/fish/vendor_completions.d
+
+    cp crumbs-completion.bash $out/share/bash-completion/completions/crumbs
+    cp crumbs-completion.fish $out/share/fish/vendor_completions.d/crumbs.fish
+  '';
+
+  meta = with stdenv.lib;
+    { description = "Bookmarks for the command line";
+      homepage    = https://github.com/fasseg/crumbs;
+      license     = licenses.wtfpl;
+      platforms   = platforms.all;
+      maintainers = with maintainers; [ thesola10 ];
+    };
+}

pkgs/applications/misc/gnome-recipes/default.nix

@@ -55,7 +55,7 @@ in stdenv.mkDerivation rec {
 
   # https://github.com/NixOS/nixpkgs/issues/36468
   # https://gitlab.gnome.org/GNOME/recipes/issues/76
-  NIX_CFLAGS_COMPILE = "-I${gnome3.glib.dev}/include/gio-unix-2.0";
+  NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/gio-unix-2.0";
 
   postPatch = ''
     chmod +x src/list_to_c.py

pkgs/applications/misc/hugo/default.nix

@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   name = "hugo-${version}";
-  version = "0.55.0";
+  version = "0.55.2";
 
   goPackagePath = "github.com/gohugoio/hugo";
 
@@ -10,7 +10,7 @@ buildGoModule rec {
     owner  = "gohugoio";
     repo   = "hugo";
     rev    = "v${version}";
-    sha256 = "063z79m9rganzjzqvy7bg6b29m877asm5haxp0d5cb5ac7cx55rj";
+    sha256 = "0v06hn9wnq9bp4pdh3pzhkp6adpba6pxk9w42p0v2mpgsjdvm5j0";
   };
 
   modSha256 = "0yrwkaaasj9ihjjfbywnzkppix1y2znagg3dkyikk21sl5n0nz23";

pkgs/applications/misc/rofi/default.nix

@@ -26,7 +26,7 @@ stdenv.mkDerivation rec {
 
   meta = with stdenv.lib; {
     description = "Window switcher, run dialog and dmenu replacement";
-    homepage = https://davedavenport.github.io/rofi;
+    homepage = https://github.com/davatorium/rofi;
     license = licenses.mit;
     maintainers = with maintainers; [ mbakke garbas ma27 ];
     platforms = with platforms; linux;

pkgs/applications/misc/rxvt_unicode/wrapper.nix

@@ -1,4 +1,4 @@
-{ symlinkJoin, rxvt_unicode, makeWrapper, plugins }:
+{ symlinkJoin, rxvt_unicode, makeWrapper, plugins, perlPackages, perlDeps ? []}:
 
 let
   rxvt_name = builtins.parseDrvName rxvt_unicode.name;
@@ -12,8 +12,10 @@ in symlinkJoin {
 
   postBuild = ''
     wrapProgram $out/bin/urxvt \
+      --set PERL5LIB : "${perlPackages.makePerlPath perlDeps}" \
       --suffix-each URXVT_PERL_LIB ':' "$out/lib/urxvt/perl"
     wrapProgram $out/bin/urxvtd \
+      --set PERL5LIB : "${perlPackages.makePerlPath perlDeps}" \
       --suffix-each URXVT_PERL_LIB ':' "$out/lib/urxvt/perl"
   '';
 

pkgs/applications/networking/instant-messengers/rambox/bare.nix

@@ -3,13 +3,13 @@
 
 stdenv.mkDerivation rec {
   name = "rambox-bare-${version}";
-  version = "0.6.3";
+  version = "0.6.6";
 
   src = fetchFromGitHub {
     owner = "ramboxapp";
     repo = "community-edition";
     rev = version;
-    sha256 = "1ghk29d0x6i3j8b1b4xxgyf961lp17qsvvhnilnkh1nhmvxpwmw5";
+    sha256 = "15cy8krzl66b6sfazhff41adq4kf2857sj4h0qvzmadv85dy301v";
   };
 
   nativeBuildInputs = [ nodejs-8_x ruby sencha ];
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     inherit src;
 
     nodejs = nodejs-8_x;
-    sha256 = "03h1kfiaflwbrvcd8v0bsymn7n2dxi3yj4pxkwcigqg4jgcf56k6";
+    sha256 = "0ifk0fzw4zhi4195jlmiq5k57bdmf912372r4bwa4z500wipikq3";
   };
 
   patches = [ ./isDev.patch ];

pkgs/applications/networking/instant-messengers/signal-desktop/default.nix

@@ -57,11 +57,11 @@ let
 
 in stdenv.mkDerivation rec {
   name = "signal-desktop-${version}";
-  version = "1.24.0";
+  version = "1.24.1";
 
   src = fetchurl {
     url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop/signal-desktop_${version}_amd64.deb";
-    sha256 = "0h5f1y29glq3l59gr54vln1jqfg5w9br3kg37wzwjjgvcac81ck9";
+    sha256 = "195rwx4xhgij5nrda1y6bhf5jyvcgb70g6ykangywhcagglqqair";
   };
 
   phases = [ "unpackPhase" "installPhase" ];

pkgs/applications/office/gnucash/default.nix

@@ -25,11 +25,11 @@ in
 
 stdenv.mkDerivation rec {
   name = "gnucash-${version}";
-  version = "3.4";
+  version = "3.5";
 
   src = fetchurl {
     url = "mirror://sourceforge/gnucash/${name}.tar.bz2";
-    sha256 = "1ms2wg4sh5gq3rpjmmnp85rh5nc9ahca1imxkvhz4d3yiwy8hm52";
+    sha256 = "0ibp7g6aknvnkwkin97kv04ipksy3l18dsz9qysjb7h2nr8hnvbp";
   };
 
   nativeBuildInputs = [ pkgconfig makeWrapper cmake gtest ];

pkgs/applications/science/biology/exonerate/default.nix

@@ -0,0 +1,25 @@
+{ stdenv, fetchurl, glib, pkgconfig }:
+
+stdenv.mkDerivation rec {
+  version = "2.4.0";
+  pname = "exonerate";
+
+  src = fetchurl {
+    url = "http://ftp.ebi.ac.uk/pub/software/vertebrategenomics/exonerate/${pname}-${version}.tar.gz";
+    sha256 = "0hj0m9xygiqsdxvbg79wq579kbrx1mdrabi2bzqz2zn9qwfjcjgq";
+  };
+
+  doCheck = true;
+
+  buildInputs = [ glib ];
+
+  nativeBuildInputs = [ pkgconfig ];
+
+  meta = with stdenv.lib; {
+    description = "Generic tool for sequence alignment";
+    homepage = https://www.ebi.ac.uk/about/vertebrate-genomics/software/exonerate;
+    license = licenses.gpl3;
+    maintainers = [ maintainers.bzizou ];
+    platforms = platforms.unix ;
+  };
+}

pkgs/applications/science/biology/prodigal/default.nix

@@ -0,0 +1,26 @@
+{ stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "prodigal";
+  version = "2.6.3";
+
+  src = fetchFromGitHub {
+    repo = "Prodigal";
+    owner = "hyattpd";
+    rev = "v${version}";
+    sha256 = "1fs1hqk83qjbjhrvhw6ni75zakx5ki1ayy3v6wwkn3xvahc9hi5s";
+  };
+
+  makeFlags = [
+    "CC=cc"
+    "INSTALLDIR=$(out)/bin"
+  ];
+  
+  meta = with stdenv.lib; {
+    description = "Fast, reliable protein-coding gene prediction for prokaryotic genomes";
+    homepage = https://github.com/hyattpd/Prodigal;
+    license = licenses.gpl3;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ luispedro ];
+  };
+}

pkgs/applications/science/math/sage/env-locations.nix

@@ -28,6 +28,7 @@ writeTextFile rec {
     export GPDOCDIR="${pari}/share/pari/doc"
     export SINGULARPATH='${singular}/share/singular'
     export SINGULAR_SO='${singular}/lib/libSingular.so'
+    export GAP_SO='${gap}/lib/libgap.so'
     export SINGULAR_EXECUTABLE='${singular}/bin/Singular'
     export MAXIMA_FAS='${maxima-ecl}/lib/maxima/${maxima-ecl.version}/binary-ecl/maxima.fas'
     export MAXIMA_PREFIX="${maxima-ecl}"

pkgs/applications/science/math/sage/patches/do-not-test-find-library.patch

@@ -0,0 +1,95 @@
+diff --git a/src/sage/env.py b/src/sage/env.py
+index 061b94f3f1..67cd091540 100644
+--- a/src/sage/env.py
++++ b/src/sage/env.py
+@@ -189,88 +189,13 @@ var('MAXIMA_FAS')
+ var('SAGE_BANNER', '')
+ var('SAGE_IMPORTALL', 'yes')
+ 
+-
+-def _get_shared_lib_filename(libname, *additional_libnames):
+-    """
+-    Return the full path to a shared library file installed in the standard
+-    location for the system within the ``LIBDIR`` prefix (or
+-    ``$SAGE_LOCAL/lib`` in the case of manual build of Sage).
+-
+-    This can also be passed more than one library name (e.g. for cases where
+-    some library may have multiple names depending on the platform) in which
+-    case the first one found is returned.
+-
+-    This supports most *NIX variants (in which ``lib<libname>.so`` is found
+-    under ``$SAGE_LOCAL/lib``), macOS (same, but with the ``.dylib``
+-    extension), and Cygwin (under ``$SAGE_LOCAL/bin/cyg<libname>.dll``,
+-    or ``$SAGE_LOCAL/bin/cyg<libname>-*.dll`` for versioned DLLs).
+-
+-    For distributions like Debian that use a multiarch layout, we also try the
+-    multiarch lib paths (i.e. ``/usr/lib/<arch>/``).
+-
+-    Returns ``None`` if the file does not exist.
+-
+-    EXAMPLES::
+-
+-        sage: import sys
+-        sage: from fnmatch import fnmatch
+-        sage: from sage.env import _get_shared_lib_filename
+-        sage: lib_filename = _get_shared_lib_filename("Singular",
+-        ....:                                         "singular-Singular")
+-        sage: if sys.platform == 'cygwin':
+-        ....:     pattern = "*/cygSingular-*.dll"
+-        ....: elif sys.platform == 'darwin':
+-        ....:     pattern = "*/libSingular.dylib"
+-        ....: else:
+-        ....:     pattern = "*/lib*Singular.so"
+-        sage: fnmatch(lib_filename, pattern)
+-        True
+-        sage: _get_shared_lib_filename("an_absurd_lib") is None
+-        True
+-    """
+-
+-    for libname in (libname,) + additional_libnames:
+-        if sys.platform == 'cygwin':
+-            bindir = sysconfig.get_config_var('BINDIR')
+-            pats = ['cyg{}.dll'.format(libname), 'cyg{}-*.dll'.format(libname)]
+-            filenames = []
+-            for pat in pats:
+-                filenames += glob.glob(os.path.join(bindir, pat))
+-
+-            # Note: This is not very robust, since if there are multi DLL
+-            # versions for the same library this just selects one more or less
+-            # at arbitrary.  However, practically speaking, on Cygwin, there
+-            # will only ever be one version
+-            if filenames:
+-                return filenames[-1]
+-        else:
+-            if sys.platform == 'darwin':
+-                ext = 'dylib'
+-            else:
+-                ext = 'so'
+-
+-            libdirs = [sysconfig.get_config_var('LIBDIR')]
+-            multilib = sysconfig.get_config_var('MULTILIB')
+-            if multilib:
+-                libdirs.insert(0, os.path.join(libdirs[0], multilib))
+-
+-            for libdir in libdirs:
+-                basename = 'lib{}.{}'.format(libname, ext)
+-                filename = os.path.join(libdir, basename)
+-                if os.path.exists(filename):
+-                    return filename
+-
+-    # Just return None if no files were found
+-    return None
+-
+-
+ # locate singular shared object
+ # On Debian it's libsingular-Singular so try that as well
+-SINGULAR_SO = _get_shared_lib_filename('Singular', 'singular-Singular')
++SINGULAR_SO = '/default'
+ var('SINGULAR_SO', SINGULAR_SO)
+ 
+ # locate libgap shared object
+-GAP_SO= _get_shared_lib_filename('gap','')
++GAP_SO= '/default'
+ var('GAP_SO', GAP_SO)
+ 
+ # post process

pkgs/applications/science/math/sage/patches/do-not-test-package-manifests.patch

@@ -0,0 +1,26 @@
+diff --git a/src/sage/misc/package.py b/src/sage/misc/package.py
+index 3bca15d53b..7cf04ff8d1 100644
+--- a/src/sage/misc/package.py
++++ b/src/sage/misc/package.py
+@@ -478,16 +478,16 @@ def package_manifest(package):
+ 
+     EXAMPLES::
+ 
+-        sage: from sage.misc.package import package_manifest
+-        sage: sagetex_manifest = package_manifest('sagetex')
+-        sage: sagetex_manifest['package_name'] == 'sagetex'
++        sage: from sage.misc.package import package_manifest # optional - buildsystem
++        sage: sagetex_manifest = package_manifest('sagetex') # optional - buildsystem
++        sage: sagetex_manifest['package_name'] == 'sagetex' # optional - buildsystem
+         True
+-        sage: 'files' in sagetex_manifest
++        sage: 'files' in sagetex_manifest # optional - buildsystem
+         True
+ 
+     Test a nonexistent package::
+ 
+-        sage: package_manifest('dummy-package')
++        sage: package_manifest('dummy-package') # optional - buildsystem
+         Traceback (most recent call last):
+         ...
+         KeyError: 'dummy-package'

pkgs/applications/science/math/sage/patches/giac-1.5.0.patch

@@ -1,14 +0,0 @@
---- a/src/sage/interfaces/giac.py	2018-12-08 22:11:56.285500644 +0100
-+++ b/src/sage/interfaces/giac.py	2018-12-08 22:11:56.285500644 +0100
-@@ -617,10 +617,7 @@
-             '4\n3'
-             sage: s='g(x):={\nx+1;\nx+2;\n}'
-             sage: giac(s)
--            (x)->{
--            x+1;
--            x+2;
--            }
-+            (x)->[x+1,x+2]
-             sage: giac.g(5)
-             7
-         """

pkgs/applications/science/math/sage/patches/ignore-pip-deprecation.patch

@@ -1,22 +0,0 @@
-diff --git a/src/sage/misc/package.py b/src/sage/misc/package.py
-index 689e5a23b9..4e16fe3a8d 100644
---- a/src/sage/misc/package.py
-+++ b/src/sage/misc/package.py
-@@ -142,9 +142,14 @@ def pip_installed_packages():
-         sage: d['beautifulsoup']   # optional - beautifulsoup
-         u'...'
-     """
--    proc = subprocess.Popen(["pip", "list", "--no-index", "--format", "json"], stdout=subprocess.PIPE)
--    stdout = proc.communicate()[0].decode()
--    return {package['name'].lower():package['version'] for package in json.loads(stdout)}
-+    with open(os.devnull, 'w')  as devnull:
-+        proc = subprocess.Popen(
-+            ["pip", "list", "--no-index", "--format", "json"],
-+            stdout=subprocess.PIPE,
-+            stderr=devnull,
-+        )
-+        stdout = proc.communicate()[0].decode()
-+        return {package['name'].lower():package['version'] for package in json.loads(stdout)}
- 
- def list_packages(*pkg_types, **opts):
-     r"""

pkgs/applications/science/math/sage/patches/revert-sphinx-always-fork.patch

@@ -1,71 +0,0 @@
-commit f1c59929c3c180ac283334c2b3c901ac8c82f6b1
-Author: Timo Kaufmann <timokau@zoho.com>
-Date:   Sat Oct 20 20:07:41 2018 +0200
-
-    Revert "Something related to the sphinxbuild seems to be leaking memory"
-    
-    This reverts commit 7d85dc796c58c3de57401bc22d3587b94e205091.
-
-diff --git a/src/sage_setup/docbuild/__init__.py b/src/sage_setup/docbuild/__init__.py
-index 0b24b1a60b..084c3f89d7 100644
---- a/src/sage_setup/docbuild/__init__.py
-+++ b/src/sage_setup/docbuild/__init__.py
-@@ -265,29 +265,35 @@ class DocBuilder(object):
-     # import the customized builder for object.inv files
-     inventory = builder_helper('inventory')
- 
--def build_many(target, args):
--    # Pool() uses an actual fork() to run each new instance. This is important
--    # for performance reasons, i.e., don't use a forkserver when it becomes
--    # available with Python 3: Here, sage is already initialized which is quite
--    # costly, with a forkserver we would have to reinitialize it for every
--    # document we build. At the same time, don't serialize this by taking the
--    # pool (and thus the call to fork()) out completely: The call to Sphinx
--    # leaks memory, so we need to build each document in its own process to
--    # control the RAM usage.
--    from multiprocessing import Pool
--    pool = Pool(NUM_THREADS, maxtasksperchild=1)
--    # map_async handles KeyboardInterrupt correctly. Plain map and
--    # apply_async does not, so don't use it.
--    x = pool.map_async(target, args, 1)
--    try:
--        ret = x.get(99999)
--        pool.close()
--        pool.join()
--    except Exception:
--        pool.terminate()
--        if ABORT_ON_ERROR:
--            raise
--    return ret
-+if NUM_THREADS > 1:
-+    def build_many(target, args):
-+        from multiprocessing import Pool
-+        pool = Pool(NUM_THREADS, maxtasksperchild=1)
-+        # map_async handles KeyboardInterrupt correctly. Plain map and
-+        # apply_async does not, so don't use it.
-+        x = pool.map_async(target, args, 1)
-+        try:
-+            ret = x.get(99999)
-+            pool.close()
-+            pool.join()
-+        except Exception:
-+            pool.terminate()
-+            if ABORT_ON_ERROR:
-+                raise
-+        return ret
-+else:
-+    def build_many(target, args):
-+        results = []
-+
-+        for arg in args:
-+            try:
-+                results.append(target(arg))
-+            except Exception:
-+                if ABORT_ON_ERROR:
-+                    raise
-+
-+        return results
-+
- 
- ##########################################
- #      Parallel Building Ref Manual      #

pkgs/applications/science/math/sage/sage-src.nix

@@ -10,14 +10,14 @@
 # all get the same sources with the same patches applied.
 
 stdenv.mkDerivation rec {
-  version = "8.6";
+  version = "8.7";
-  name = "sage-src-${version}";
+  pname = "sage-src";
 
   src = fetchFromGitHub {
     owner = "sagemath";
     repo = "sage";
     rev = version;
-    sha256 = "1vs3pbgbqpg0qnwr018bqsdmm7crgjp310cx8zwh7za3mv1cw5j3";
+    sha256 = "05vvrd6syh0hlmrk6kzjrwd0hpmvxp8vr8p3mkjb0jh5p2kjdd27";
   };
 
   # Patches needed because of particularities of nix or the way this is packaged.
@@ -37,12 +37,6 @@ stdenv.mkDerivation rec {
     # https://github.com/python/cpython/pull/7476
     ./patches/python-5755-hotpatch.patch
 
-    # Revert the commit that made the sphinx build fork even in the single thread
-    # case. For some yet unknown reason, that breaks the docbuild on nix and archlinux.
-    # See https://groups.google.com/forum/#!msg/sage-packaging/VU4h8IWGFLA/mrmCMocYBwAJ.
-    # https://trac.sagemath.org/ticket/26608
-    ./patches/revert-sphinx-always-fork.patch
-
     # Make sure py2/py3 tests are only run when their expected context (all "sage"
     # tests) are also run. That is necessary to test dochtml individually. See
     # https://trac.sagemath.org/ticket/26110 for an upstream discussion.
@@ -59,6 +53,21 @@ stdenv.mkDerivation rec {
       sha256 = "07p9i0fwjgapmfvmi436yn6v60p8pvmxqjc93wsssqgh5kd8qw3n";
       stripLen = 1;
     })
+
+    # Part of the build system. Should become unnecessary with sage 8.8.
+    # Upstream discussion here: https://trac.sagemath.org/ticket/27124#comment:33
+    ./patches/do-not-test-package-manifests.patch
+
+    # Not necessary since library location is set explicitly
+    # https://trac.sagemath.org/ticket/27660#ticket
+    ./patches/do-not-test-find-library.patch
+
+    # https://trac.sagemath.org/ticket/27697#ticket
+    (fetchpatch {
+      name = "pplpy-doc-location-configurable.patch";
+      url = "https://git.sagemath.org/sage.git/patch/?h=c4d966e7cb0c7b87c55d52dc6f46518433a2a0a2";
+      sha256 = "0pqbbsx8mriwny422s9mp3z5d095cnam32sm62q4mxk8g8jb9vm9";
+    })
   ];
 
   # Since sage unfortunately does not release bugfix releases, packagers must
@@ -72,12 +81,6 @@ stdenv.mkDerivation rec {
       url = "https://git.sagemath.org/sage.git/patch?id2=10407524b18659e14e184114b61c043fb816f3c2&id=c9b0cc9d0b8748ab85e568f8f57f316c5e8cbe54";
       sha256 = "0wgp7yvn9sm1ynlhcr4l0hzmvr2n28llg4xc01p6k1zz4im64c17";
     })
-    # https://trac.sagemath.org/ticket/27224
-    (fetchpatch {
-      name = "sig_on_in_matrix_misc.patch";
-      url = "https://git.sagemath.org/sage.git/patch?id=85d25bf2eb73f7d3c6de4ee6222b0c399be43b07";
-      sha256 = "1ciwhh57pnb9b4i8m3vb07wfsibsay5sg0jp5giq1pzc5zc79a4p";
-    })
   ];
 
   # Patches needed because of package updates. We could just pin the versions of
@@ -110,52 +113,12 @@ stdenv.mkDerivation rec {
       stripLen = 1;
     })
 
-    # https://trac.sagemath.org/ticket/26315
-    ./patches/giac-1.5.0.patch
-
-    # https://trac.sagemath.org/ticket/26442
-    (fetchSageDiff {
-      name = "cypari2-2.0.3.patch";
-      base = "8.6.rc1";
-      rev = "cd62d45bcef93fb4f7ed62609a46135e6de07051";
-      sha256 = "08l2b9w0rn1zrha6188j72f7737xs126gkgmydjd31baa6367np2";
-    })
-
-    # https://trac.sagemath.org/ticket/26949
-    (fetchpatch {
-      name = "sphinx-1.8.3-dependency.patch";
-      url = "https://git.sagemath.org/sage.git/patch?id=d305eda0fedc73fdbe0447b5d6d2b520b8d112c4";
-      sha256 = "1x3q5j8lq35vlj893gj5gq9fhzs60szm9r9rx6ri79yiy9apabph";
-    })
     # https://trac.sagemath.org/ticket/26451
-    (fetchpatch {
+    (fetchSageDiff {
-      name = "sphinx-1.8.3.patch";
+      name = "sphinx-1.8.patch";
-      url = "https://git.sagemath.org/sage.git/patch?id2=0cb494282d7b4cea50aba7f4d100e7932a4c00b1&id=62b989d5ee1d9646db85ea56053cd22e9ffde5ab";
+      base = "8.7";
-      sha256 = "1n5c61mvhalcr2wbp66wzsynwwk59aakvx3xqa5zw9nlkx3rd0h1";
+      rev = "737afd8f314bd1e16feaec562bb4b5efa2effa8b";
-    })
+      sha256 = "0n56ss88ds662bp49j23z5c2i6hsn3jynxw13wv76hyl0h7l1hjh";
-
-    # https://trac.sagemath.org/ticket/27061
-    (fetchpatch {
-      name = "numpy-1.16-inline-fortran.patch";
-      url = "https://git.sagemath.org/sage.git/patch?id=a05b6b038e1571ab15464e98f76d1927c0c3fd12";
-      sha256 = "05yq97pq84xi60wb1p9skrad5h5x770gq98ll4frr7hvvmlwsf58";
-    })
-
-    # https://trac.sagemath.org/ticket/27405
-    ./patches/ignore-pip-deprecation.patch
-
-    # https://trac.sagemath.org/ticket/27360
-    (fetchpatch {
-      name = "eclib-20190226.patch";
-      url = "https://git.sagemath.org/sage.git/patch/?id=f570e3a7fc2965764b84c04ce301a88ded2c42df";
-      sha256 = "0l5c4giixkn15v2a06sfzq5mkxila6l67zkjbacirwprrlpcnmmp";
-    })
-
-    # https://trac.sagemath.org/ticket/27420
-    (fetchpatch {
-      name = "cypari-2.1.patch";
-      url = "https://git.sagemath.org/sage.git/patch/?id=e351bf2f2914e683d5e2028597c45ae8d1b7f855";
-      sha256 = "00faa7fl0vaqcqbw0bidkhl78qa8l34d3a07zirbcl0vm74bdn1p";
     })
 
     # https://trac.sagemath.org/ticket/27653
@@ -177,6 +140,12 @@ stdenv.mkDerivation rec {
     echo '#!${runtimeShell}
     python "$@"' > build/bin/sage-python23
 
+    # Make sure sage can at least be imported without setting any environment
+    # variables. It won't be close to feature complete though.
+    sed -i \
+      "s|var('SAGE_LOCAL',.*|var('SAGE_LOCAL', '$out/src')|" \
+      src/sage/env.py
+
     # Do not use sage-env-config (generated by ./configure).
     # Instead variables are set manually.
     echo '# do nothing' >  src/bin/sage-env-config

pkgs/applications/science/math/sage/sagedoc.nix

@@ -52,6 +52,9 @@ stdenv.mkDerivation rec {
     export HOME="$TMPDIR/sage_home"
     mkdir -p "$HOME"
 
+    # needed to link them in the sage docs using intersphinx
+    export PPLPY_DOCS=${python.pkgs.pplpy.doc}/share/doc/pplpy
+
     ${sage-with-env}/bin/sage -python -m sage_setup.docbuild \
       --mathjax \
       --no-pdf-links \

pkgs/applications/science/math/sage/sagelib.nix

@@ -47,6 +47,8 @@
 , jupyter_core
 , libhomfly
 , libbraiding
+, gmpy2
+, pplpy
 }:
 
 # This is the core sage python package. Everything else is just wrappers gluing
@@ -115,6 +117,8 @@ buildPythonPackage rec {
     cysignals
     libhomfly
     libbraiding
+    gmpy2
+    pplpy
   ];
 
   buildPhase = ''

pkgs/applications/science/programming/groove/default.nix

@@ -0,0 +1,54 @@
+{ stdenv, fetchurl, unzip, makeWrapper, makeDesktopItem, icoutils, jre }:
+
+let
+  desktopItem = makeDesktopItem {
+    name = "groove-simulator";
+    exec = "groove-simulator";
+    icon = "groove";
+    desktopName = "GROOVE Simulator";
+    comment = "GRaphs for Object-Oriented VErification";
+    categories = "Science;ComputerScience;";
+  };
+
+in stdenv.mkDerivation rec {
+  pname = "groove";
+  version = "5.7.4";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/groove/groove/${version}/${pname}-${builtins.replaceStrings ["."] ["_"] version}-bin.zip";
+    sha256 = "1cl3xzl3n8b9a7h5pvnv31bab9j9zaw07ppk8whk8h865dcq1d10";
+  };
+
+  nativeBuildInputs = [ unzip makeWrapper icoutils ];
+
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/share/groove
+    cp -r bin lib $out/share/groove/
+
+    mkdir -p $out/share/doc/groove
+    cp CHANGES README *.pdf $out/share/doc/groove/
+
+    mkdir -p $out/bin
+    for bin in Generator Imager ModelChecker PrologChecker Simulator Viewer; do
+      makeWrapper ${jre}/bin/java $out/bin/groove-''${bin,,} \
+        --add-flags "-jar $out/share/groove/bin/$bin.jar"
+    done
+
+    mkdir -p $out/share/applications
+    ln -s ${desktopItem}/share/applications/* $out/share/applications/
+
+    mkdir -p $out/share/icons/hicolor/{16x16,32x32}/apps
+    icotool -x -i 1 -o $out/share/icons/hicolor/32x32/apps/groove.png groove-green-g.ico
+    icotool -x -i 2 -o $out/share/icons/hicolor/16x16/apps/groove.png groove-green-g.ico
+  '';
+
+  meta = with stdenv.lib; {
+    description = "GRaphs for Object-Oriented VErification";
+    homepage = http://groove.cs.utwente.nl/;
+    license = licenses.asl20;
+    platforms = platforms.all;
+    maintainers = with maintainers; [ jfrankenau ];
+  };
+}

pkgs/applications/video/mkvtoolnix/default.nix

@@ -12,13 +12,13 @@ with stdenv.lib;
 
 stdenv.mkDerivation rec {
   pname = "mkvtoolnix";
-  version = "32.0.0";
+  version = "33.0.0";
 
   src = fetchFromGitLab {
     owner  = "mbunkus";
     repo   = "mkvtoolnix";
     rev    = "release-${version}";
-    sha256 = "022mmgm0a6qxybjrygisg731sg9m9d8svd0mxr77wfknwa7m09c9";
+    sha256 = "0bphwjjpcj86phcx795wdy5b0ivwh5mvbvi5288pql88x6x0jjk9";
   };
 
   nativeBuildInputs = [

pkgs/applications/window-managers/i3/easyfocus.nix

@@ -2,15 +2,15 @@
 , xorg , i3ipc-glib , glib
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation {
-  name = "i3easyfocus-${version}";
+  pname = "i3easyfocus";
-  version = "20180622";
+  version = "20190411";
 
   src = fetchFromGitHub {
     owner = "cornerman";
     repo = "i3-easyfocus";
-    rev = "3631d5af612d58c3d027f59c86b185590bd78ae1";
+    rev = "fffb468f7274f9d7c9b92867c8cb9314ec6cf81a";
-    sha256 = "1wgknmmm7iz0wxsdh29gmx4arizva9101pzhnmac30bmixf3nzhr";
+    sha256 = "1db23vzzmp0hnfss1fkd80za6d2pajx7hdwikw50pk95jq0w8wfm";
   };
 
   nativeBuildInputs = [ pkgconfig ];

pkgs/build-support/trivial-builders.nix

@@ -18,8 +18,8 @@ rec {
   * stdenv with no compiler environment. `runCommandCC`
   *
   * Examples:
-  * runCommand "name" {envVariable = true;} ''echo hello''
+  * runCommand "name" {envVariable = true;} ''echo hello > $out''
-  * runCommandNoCC "name" {envVariable = true;} ''echo hello'' # equivalent to prior
+  * runCommandNoCC "name" {envVariable = true;} ''echo hello > $out'' # equivalent to prior
   * runCommandCC "name" {} ''gcc -o myfile myfile.c; cp myfile $out'';
   */
   runCommand = runCommandNoCC;

pkgs/data/themes/materia-theme/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, gnome3, libxml2, gtk-engine-murrine, gdk_pixbuf, librsvg, bc }:
+{ stdenv, fetchFromGitHub, gnome3, glib, libxml2, gtk-engine-murrine, gdk_pixbuf, librsvg, bc }:
 
 stdenv.mkDerivation rec {
   pname = "materia-theme";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "1fpipwvwxjiriqhysqgx51rnax73hyd5jkyxhc2g3y73s5r2xq82";
   };
 
-  nativeBuildInputs = [ gnome3.glib libxml2 bc ];
+  nativeBuildInputs = [ glib libxml2 bc ];
 
   buildInputs = [ gnome3.gnome-themes-extra gdk_pixbuf librsvg ];
 

pkgs/data/themes/plata/default.nix

@@ -18,13 +18,13 @@
 
 stdenv.mkDerivation rec {
   name = "plata-theme-${version}";
-  version = "0.6.0";
+  version = "0.7.6";
 
   src = fetchFromGitLab {
     owner = "tista500";
     repo = "plata-theme";
     rev = version;
-    sha256 = "182i2wbviwpdvmkmayyqggjx6fvlpf4vsmhsyi6nlg9m4n1djxp8";
+    sha256 = "1jllsl2h3zdvlp3k2dy3h4jyccrzzymwbqz43jhnm6mxxabxzijg";
   };
 
   preferLocalBuild = true;

pkgs/desktops/enlightenment/terminology.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "terminology-${version}";
-  version = "1.3.2";
+  version = "1.4.0";
 
   src = fetchurl {
     url = "http://download.enlightenment.org/rel/apps/terminology/${name}.tar.xz";
-    sha256 = "1kclxzadmk272s9spa7n704pcb1c611ixxrq88w5zk22va0i25xm";
+    sha256 = "0q1y7fadj42n23aspx9y8hm4w4xlc316wc3415wnf75ibsx08ngd";
   };
 
   nativeBuildInputs = [

pkgs/desktops/gnome-3/apps/polari/default.nix

@@ -5,13 +5,13 @@
 
 let
   pname = "polari";
-  version = "3.32.0";
+  version = "3.32.1";
 in stdenv.mkDerivation rec {
   name = "${pname}-${version}";
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
-    sha256 = "1jq1xvk9a05x37g9w349f5q069cvg5lfbhxj88gpbnf4fyndnr70";
+    sha256 = "0z2dxj1hd798jn79y9a7lkb77lm8l7y5fsqh9g6lbr7pnmg559yk";
   };
 
   propagatedUserEnvPkgs = [ telepathy-idle telepathy-logger ];

pkgs/desktops/gnome-3/core/gnome-shell-extensions/default.nix

@@ -3,11 +3,11 @@
 
 stdenv.mkDerivation rec {
   name = "gnome-shell-extensions-${version}";
-  version = "3.32.0";
+  version = "3.32.1";
 
   src = fetchurl {
     url = "mirror://gnome/sources/gnome-shell-extensions/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
-    sha256 = "0wzrivhp6vs4754yldza38gkhkhah35rdncb3c3hxhhyv9fr3pl5";
+    sha256 = "07libf6z24n42hpdsq163w0j8xyrav0lxqrwxrvq5kbz8zxv5ch2";
   };
 
   passthru = {

pkgs/desktops/gnome-3/core/gnome-shell/default.nix

@@ -14,11 +14,11 @@ let
 
 in stdenv.mkDerivation rec {
   name = "gnome-shell-${version}";
-  version = "3.32.0";
+  version = "3.32.1";
 
   src = fetchurl {
     url = "mirror://gnome/sources/gnome-shell/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
-    sha256 = "1djkswsv3fhb3lf2w77bbl6z2kvji29cfxbwh5gqvyykwwx87y92";
+    sha256 = "1pb00af3w4wivdhcvdy59z2xlxasg90bcm5a9ck0p5lf97adwx08";
   };
 
   LANG = "en_US.UTF-8";

pkgs/desktops/gnome-3/core/gnome-software/default.nix

@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation rec {
   name = "gnome-software-${version}";
-  version = "3.32.0";
+  version = "3.32.1";
 
   src = fetchurl {
     url = "mirror://gnome/sources/gnome-software/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
-    sha256 = "19hrvkyavrfrhs19ii4ky5bpzsijiyq2vcxb5s4xk13xv8ys2151";
+    sha256 = "0xxhvyqfwlcyvlqc36rpcili00dpwy8b5c5klaqccn5qrc87rl38";
   };
 
   patches = [

pkgs/desktops/gnome-3/core/mutter/default.nix

@@ -10,12 +10,12 @@
 }:
 
 stdenv.mkDerivation rec {
-  name = "mutter-${version}";
+  pname = "mutter";
-  version = "3.32.0";
+  version = "3.32.1";
 
   src = fetchurl {
-    url = "mirror://gnome/sources/mutter/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
+    url = "mirror://gnome/sources/mutter/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "068zir5c1awmzb31gx94zjykv6c3xb1p5pch7860y3xlihha4s3n";
+    sha256 = "1q74lrb08vy0ynxbssqyxvbzf9252xgf9l6jxr9g4q0gmvpq402j";
   };
 
   mesonFlags = [

pkgs/desktops/gnome-3/core/rygel/add-option-for-installation-sysconfdir.patch

@@ -0,0 +1,38 @@
+diff --git a/meson.build b/meson.build
+index 209d4187..58580980 100644
+--- a/meson.build
++++ b/meson.build
+@@ -20,7 +20,11 @@ if not get_option('uninstalled')
+     rygel_datadir = join_paths(get_option('prefix'), get_option('datadir'), 'rygel')
+     rygel_libexecdir = join_paths(get_option('prefix'), get_option('libexecdir'),
+     'rygel')
+-    rygel_sysconfdir = join_paths(get_option('prefix'), get_option('sysconfdir'))
++    if get_option('sysconfdir_install') != ''
++        rygel_sysconfdir = join_paths(get_option('prefix'), get_option('sysconfdir_install'))
++    else
++        rygel_sysconfdir = join_paths(get_option('prefix'), get_option('sysconfdir'))
++    endif
+     rygel_plugindir = join_paths(rygel_libdir, 'rygel-2.6', 'plugins')
+     rygel_enginedir = join_paths(rygel_libdir, 'rygel-2.6', 'engines')
+     rygel_presetdir = join_paths(rygel_datadir, 'rygel', 'presets')
+@@ -55,7 +59,7 @@ conf.set_quoted('DATA_DIR', rygel_datadir)
+ conf.set_quoted('PLUGIN_DIR', rygel_plugindir)
+ conf.set_quoted('BIG_ICON_DIR', rygel_bigicondir)
+ conf.set_quoted('SMALL_ICON_DIR', rygel_smallicondir)
+-conf.set_quoted('SYS_CONFIG_DIR', rygel_sysconfdir)
++conf.set_quoted('SYS_CONFIG_DIR', get_option('sysconfdir'))
+ conf.set_quoted('LOCALEDIR', join_paths(get_option('prefix'), get_option('localedir')))
+ conf.set_quoted('MX_EXTRACT_PATH', join_paths(rygel_libexecdir, 'mx-extract'))
+ conf.set_quoted('DESKTOP_DIR', join_paths(get_option('prefix'), get_option('datadir'), 'applications'))
+diff --git a/meson_options.txt b/meson_options.txt
+index f09cac58..ff11c548 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -1,6 +1,7 @@
+ option('uninstalled', type: 'boolean', value: 'false', description: 'Run Rygel from build directory only')
+ option('api-docs', type: 'boolean', value: 'false', description: 'Build the API documentation')
+ option('systemd-user-units-dir', type : 'string', value : 'auto', description : 'Where to install the systemd user unit (use special values "auto" or "none", or pass a path')
++option('sysconfdir_install', type: 'string', value: '', description: 'sysconfdir to use during installation')
+ option('plugins', type : 'array', choices : ['external', 'gst-launch', 'lms', 'media-export', 'mpris', 'playbin', 'ruih', 'tracker'])
+ option('engines', type : 'array', choices : ['simple', 'gstreamer'])
+ option('examples', type : 'boolean', value : 'true')

pkgs/desktops/gnome-3/core/rygel/default.nix

@@ -7,7 +7,6 @@
 , gettext
 , libxml2
 , gobject-introspection
-, gtk-doc
 , wrapGAppsHook
 , python3
 , glib
@@ -32,7 +31,7 @@ stdenv.mkDerivation rec {
   version = "0.38.0";
 
   # TODO: split out lib
-  outputs = [ "out" "dev" "devdoc" ];
+  outputs = [ "out" "dev" ];
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
@@ -47,7 +46,6 @@ stdenv.mkDerivation rec {
     gettext
     libxml2
     gobject-introspection
-    gtk-doc
     wrapGAppsHook
     python3
   ];
@@ -76,12 +74,17 @@ stdenv.mkDerivation rec {
 
   mesonFlags = [
     "-Dsystemd-user-units-dir=${placeholder "out"}/lib/systemd/user"
-    "-Dapi-docs=true"
+    "-Dapi-docs=false"
     "--sysconfdir=/etc"
+    "-Dsysconfdir_install=${placeholder "out"}/etc"
   ];
 
   doCheck = true;
 
+  patches = [
+    ./add-option-for-installation-sysconfdir.patch
+  ];
+
   postPatch = ''
     patchShebangs data/xml/process-xml.py
   '';

pkgs/desktops/mate/marco/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, intltool, itstool, libxml2, libcanberra-gtk3, libgtop, gnome2, gnome3, gtk3, mate, wrapGAppsHook }:
+{ stdenv, fetchurl, pkgconfig, intltool, itstool, libxml2, libcanberra-gtk3, libgtop, libstartup_notification, gnome3, gtk3, mate, wrapGAppsHook }:
 
 stdenv.mkDerivation rec {
   name = "marco-${version}";
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
     libxml2
     libcanberra-gtk3
     libgtop
-    gnome2.startup_notification
+    libstartup_notification
     gtk3
     gnome3.zenity
   ];

pkgs/desktops/mate/mate-applets/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, intltool, itstool, gnome3, gtk3, gtksourceview3, libwnck3, libgtop, libxml2, libnotify, polkit, upower, wirelesstools, mate, hicolor-icon-theme, wrapGAppsHook }:
+{ stdenv, fetchurl, pkgconfig, intltool, itstool, gnome3, glib, gtk3, gtksourceview3, libwnck3, libgtop, libxml2, libnotify, polkit, upower, wirelesstools, mate, hicolor-icon-theme, wrapGAppsHook }:
 
 stdenv.mkDerivation rec {
   name = "mate-applets-${version}";
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 
   configureFlags = [ "--enable-suid=no" ];
 
-  NIX_CFLAGS_COMPILE = "-I${gnome3.glib.dev}/include/gio-unix-2.0";
+  NIX_CFLAGS_COMPILE = "-I${glib.dev}/include/gio-unix-2.0";
 
   meta = with stdenv.lib; {
     description = "Applets for use with the MATE panel";

pkgs/desktops/maxx/default.nix

@@ -1,43 +1,34 @@
-{ stdenv, fetchurl, makeWrapper, autoPatchelfHook
+{ stdenv, fetchurl, makeWrapper, autoPatchelfHook, gnused
-, libredirect, gcc-unwrapped, bash, gtk-engine-murrine, gtk_engines, librsvg
+, gcc, bash, gtk-engine-murrine, gtk_engines, librsvg
 
 , libX11, libXext, libXi, libXau, libXrender, libXft, libXmu, libSM, libXcomposite, libXfixes, libXpm
 , libXinerama, libXdamage, libICE, libXtst, libXaw, fontconfig, pango, cairo, glib, libxml2, atk, gtk2
-, gdk_pixbuf, libGL, ncurses
+, gdk_pixbuf, libGL, ncurses5
 
-, xclock, xsettingsd }:
+, dmidecode, pciutils, usbutils
+}:
 
-let
+stdenv.mkDerivation rec {
-  version = "Indy-1.1.0";
+  pname = "MaXX";
-
+  version = "2.0.1";
-  runtime_deps = [
+  codename = "Indigo";
-    xclock xsettingsd
-  ];
-in stdenv.mkDerivation {
-  name = "MaXX-${version}";
 
   srcs = [
     (fetchurl {
-      url = "http://maxxdesktop.arcadedaydream.com/Indy-Releases/Installers/MaXX-${version}-NO-ARCH.tar.gz";
+      url = "http://maxxdesktop.arcadedaydream.com/${codename}-Releases/Installers/MaXX-${codename}-${version}-x86_64.tar.gz";
-      sha256 = "1d23j08wwrrn5cp7csv70pcz9jppcn0xb1894wkp0caaliy7g31y";
+      sha256 = "17hd3j8773kmvvhyf657in6zmhnw4mbvyn4r6dfip5bdaz66pj01";
-    })
-    (fetchurl {
-      url = "http://maxxdesktop.arcadedaydream.com/Indy-Releases/Installers/MaXX-${version}-x86_64.tar.gz";
-      sha256 = "156p2lra184wyvibrihisd7cr1ivqaygsf0zfm26a12gx23b7708";
     })
   ];
 
-  nativeBuildInputs = [ makeWrapper autoPatchelfHook ];
+  nativeBuildInputs = [ makeWrapper autoPatchelfHook gnused ];
   buildInputs = [
     stdenv.cc.cc libX11 libXext libXi libXau libXrender libXft libXmu libSM libXcomposite libXfixes libXpm
     libXinerama libXdamage libICE libXtst libXaw fontconfig pango cairo glib libxml2 atk gtk2
-    gdk_pixbuf libGL ncurses
+    gdk_pixbuf libGL ncurses5
   ];
 
   buildPhase = ''
-    while IFS= read -r -d ''$'\0' i; do
+    sed -i "s/\(LD_LIBRARY_PATH=.*\)$/\1:\$LD_LIBRARY_PATH/p" etc/system.desktopenv
-      substituteInPlace "$i" --replace /opt/MaXX $out/opt/MaXX
-    done < <(find "." -type f -exec grep -Iq /opt/MaXX {} \; -and -print0)
 
     substituteInPlace bin/adminterm \
       --replace /bin/bash ${bash}/bin/bash
@@ -55,33 +46,25 @@ in stdenv.mkDerivation {
 
     wrapProgram $maxx/etc/skel/Xsession.dt \
       --prefix GTK_PATH : "${gtk-engine-murrine}/lib/gtk-2.0:${gtk_engines}/lib/gtk-2.0" \
-      --prefix GDK_PIXBUF_MODULE_FILE : "$(echo ${librsvg.out}/lib/gdk-pixbuf-2.0/*/loaders.cache)" \
+      --prefix GDK_PIXBUF_MODULE_FILE : "$(echo ${librsvg.out}/lib/gdk-pixbuf-2.0/*/loaders.cache)"
-      --prefix PATH : ${stdenv.lib.makeBinPath runtime_deps}
 
     while IFS= read -r -d ''$'\0' i; do
       if isExecutable "$i"; then
         wrapProgram "$i" \
-          --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
+          --prefix PATH : ${gcc}/bin
-          --set NIX_REDIRECTS /opt/MaXX=$maxx \
-          --prefix PATH : $maxx/sbin
       fi
     done < <(find "$maxx" -type f -print0)
 
-    cp ${gcc-unwrapped}/bin/cpp ${gcc-unwrapped}/libexec/gcc/*/*/cc1 $maxx/sbin
+    wrapProgram $maxx/bin/hinv \
-    for i in $maxx/sbin/cpp $maxx/sbin/cc1
+      --prefix PATH : ${stdenv.lib.makeBinPath [ dmidecode pciutils usbutils ]}
-    do
-      wrapProgram "$i" \
-        --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
-        --set NIX_REDIRECTS /opt/MaXX=$maxx
-    done
   '';
 
   meta = with stdenv.lib; {
     description = "A replica of IRIX Interactive Desktop";
-    homepage = http://www.maxxinteractive.com;
+    homepage = https://www.facebook.com/maxxdesktop/;
     license = {
       fullName = "The MaXX Interactive Desktop for Linux License Agreement";
-      url = http://www.maxxinteractive.com/site/?page_id=97;
+      url = http://maxxdesktop.arcadedaydream.com/Indigo-Releases/docs/license.html;
       free = false; # redistribution is only allowed to *some* hardware, etc.
     };
     maintainers = [ maintainers.gnidorah ];

pkgs/desktops/pantheon/apps/elementary-music/default.nix

@@ -7,7 +7,7 @@
 
 stdenv.mkDerivation rec {
   pname = "music";
-  version = "5.0.3";
+  version = "5.0.4";
 
   name = "elementary-${pname}-${version}";
 
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "0qbny4484kr7lihg54rbhfwah9k43iivk3rivfvn7i5w66vn5spl";
+    sha256 = "02qjsf9xnfh043xbls9mll2r1wcdvclw60x8wysv12rhbm90gwvp";
   };
 
   passthru = {

pkgs/desktops/pantheon/apps/elementary-photos/default.nix

@@ -5,7 +5,7 @@
 
 stdenv.mkDerivation rec {
   pname = "photos";
-  version = "2.6.2";
+  version = "2.6.3";
 
   name = "elementary-${pname}-${version}";
 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "166a1jb85n67z6ffm5i0xzap407rv0r511lzh0gidkap1qy6pnmi";
+    sha256 = "1s0ww5g26wj0gd1drj8gxs74gvg2c9fdj4ixpifj8jh8yafdmrvg";
   };
 
   passthru = {
@@ -67,11 +67,9 @@ stdenv.mkDerivation rec {
   ];
 
   patches = [
-    # Fix build against gexiv2 0.12
+    # https://github.com/elementary/photos/pull/505
-    (fetchpatch {
+    # Unrelated line got dropped in https://github.com/elementary/photos/pull/498
-      url = "https://github.com/elementary/photos/commit/86df00ced674abb2ee430ea24422079cfabb314c.patch";
+    ./fix-missing-line.patch
-      sha256 = "0836fzja93w36jf7ldqypsmnqn46mwsl93q41m104zn8qm0wrkmy";
-    })
   ];
 
   postPatch = ''

pkgs/desktops/pantheon/apps/elementary-photos/fix-missing-line.patch

@@ -0,0 +1,21 @@
+From 88ee69b57f94efa2779595d1544109fed6a3211c Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Tue, 16 Apr 2019 16:12:47 +0200
+Subject: [PATCH] photos/PhotoMetadata: fix issue introduced with PR #498
+
+---
+ src/photos/PhotoMetadata.vala | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/photos/PhotoMetadata.vala b/src/photos/PhotoMetadata.vala
+index f0a4a73b..34dcbb55 100644
+--- a/src/photos/PhotoMetadata.vala
++++ b/src/photos/PhotoMetadata.vala
+@@ -197,6 +197,7 @@ public class PhotoMetadata : MediaMetadata {
+ #else
+         exiv2.from_app1_segment (buffer, length);
+ #endif
++        exif = Exif.Data.new_from_data (buffer, length);
+         source_name = "<app1 segment %d bytes>".printf (length);
+     }
+ 

pkgs/desktops/pantheon/apps/switchboard-plugs/a11y/default.nix

@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     switchboard
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Universal Access Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/about/default.nix

@@ -41,7 +41,7 @@ stdenv.mkDerivation rec {
     ./remove-update-button.patch
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard About Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/applications/default.nix

@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     switchboard
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Applications Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/bluetooth/default.nix

@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
     switchboard
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Bluetooth Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/datetime/default.nix

@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
     ./clock-format.patch
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Date & Time Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/display/default.nix

@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     switchboard
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Displays Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/keyboard/default.nix

@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Keyboard Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/mouse-touchpad/default.nix

@@ -1,17 +1,25 @@
-{ stdenv, fetchFromGitHub, pantheon, fetchpatch, meson, ninja
+{ stdenv, fetchFromGitHub, pantheon, fetchpatch, meson, ninja, pkgconfig, vala
-, pkgconfig, vala, libgee, granite, gtk3, switchboard, gobject-introspection }:
+, libgee, granite, gtk3, switchboard, elementary-settings-daemon, gobject-introspection }:
 
 stdenv.mkDerivation rec {
   pname = "switchboard-plug-mouse-touchpad";
-  version = "2.1.4";
+  version = "2.2.0";
 
   src = fetchFromGitHub {
     owner = "elementary";
     repo = pname;
     rev = version;
-    sha256 = "1zh5472ab01bckrc1py5bqqsal9i9pbgx6i8ap2d4yzhc8sirjrf";
+    sha256 = "0mr25p7j5hl8zmvz5i3g30s4xbdhk6d22lw2akch3si40il9q5fv";
   };
 
+  patches = [
+    ./hardcode-settings-daemon-gsettings.patch
+  ];
+
+  postPatch = ''
+    substituteInPlace src/Views/General.vala --subst-var-by GSD_GSETTINGS ${elementary-settings-daemon}/share/gsettings-schemas/${elementary-settings-daemon.name}/glib-2.0/schemas
+  '';
+
   passthru = {
     updateScript = pantheon.updateScript {
       repoName = pname;
@@ -33,7 +41,7 @@ stdenv.mkDerivation rec {
     switchboard
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Mouse & Touchpad Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/mouse-touchpad/hardcode-settings-daemon-gsettings.patch

@@ -0,0 +1,63 @@
+diff --git a/src/Views/General.vala b/src/Views/General.vala
+index 4b19b73..dfa3d4d 100644
+--- a/src/Views/General.vala
++++ b/src/Views/General.vala
+@@ -138,32 +138,34 @@ public class MouseTouchpad.GeneralView : Gtk.Grid {
+         attach (pointer_speed_scale, 3, 8);
+         attach (pointer_speed_help, 1, 9, 3);
+ 
+-        var xsettings_schema = SettingsSchemaSource.get_default ().lookup ("org.gnome.settings-daemon.plugins.xsettings", false);
+-        if (xsettings_schema != null) {
+-            var primary_paste_switch = new Gtk.Switch ();
+-            primary_paste_switch.halign = Gtk.Align.START;
+-
+-            var primary_paste_help = new Gtk.Label (_("Middle or three-finger clicking on an input will paste any selected text"));
+-            primary_paste_help.margin_bottom = 18;
+-            primary_paste_help.wrap = true;
+-            primary_paste_help.xalign = 0;
+-            primary_paste_help.get_style_context ().add_class (Gtk.STYLE_CLASS_DIM_LABEL);
+-
+-            attach (new SettingLabel (_("Middle click paste:")), 0, 4);
+-            attach (primary_paste_switch, 1, 4);
+-            attach (primary_paste_help, 1, 5, 3);
+-
+-            var xsettings = new GLib.Settings ("org.gnome.settings-daemon.plugins.xsettings");
+-            primary_paste_switch.notify["active"].connect (() => on_primary_paste_switch_changed (primary_paste_switch, xsettings));
+-
+-            var current_value = xsettings.get_value ("overrides").lookup_value ("Gtk/EnablePrimaryPaste", VariantType.INT32);
+-            if (current_value != null) {
+-                primary_paste_switch.active = current_value.get_int32 () == 1;
+-            }
++        var primary_paste_switch = new Gtk.Switch ();
++        primary_paste_switch.halign = Gtk.Align.START;
++
++        var primary_paste_help = new Gtk.Label (_("Middle or three-finger clicking on an input will paste any selected text"));
++        primary_paste_help.margin_bottom = 18;
++        primary_paste_help.wrap = true;
++        primary_paste_help.xalign = 0;
++        primary_paste_help.get_style_context ().add_class (Gtk.STYLE_CLASS_DIM_LABEL);
++
++        attach (new SettingLabel (_("Middle click paste:")), 0, 4);
++        attach (primary_paste_switch, 1, 4);
++        attach (primary_paste_help, 1, 5, 3);
++
++        SettingsSchemaSource daemon_schema_source = new SettingsSchemaSource.from_directory ("@GSD_GSETTINGS@", null, true);
++        SettingsSchema xsettings_schema = daemon_schema_source.lookup ("org.gnome.settings-daemon.plugins.xsettings", false);
++
++        var xsettings = new GLib.Settings.full (xsettings_schema, null, null);
++        primary_paste_switch.notify["active"].connect (() => on_primary_paste_switch_changed (primary_paste_switch, xsettings));
++
++        var current_value = xsettings.get_value ("overrides").lookup_value ("Gtk/EnablePrimaryPaste", VariantType.INT32);
++        if (current_value != null) {
++            primary_paste_switch.active = current_value.get_int32 () == 1;
+         }
+ 
+-        var daemon_settings = new GLib.Settings ("org.gnome.settings-daemon.peripherals.mouse");
+-        daemon_settings.bind ("locate-pointer", reveal_pointer_switch, "active", GLib.SettingsBindFlags.DEFAULT);
++        SettingsSchema daemon_mouse_schema = daemon_schema_source.lookup ("org.gnome.settings-daemon.peripherals.mouse", false);
++
++        var daemon_mouse_settings = new GLib.Settings.full (daemon_mouse_schema, null, null);
++        daemon_mouse_settings.bind ("locate-pointer", reveal_pointer_switch, "active", GLib.SettingsBindFlags.DEFAULT);
+ 
+         var a11y_mouse_settings = new GLib.Settings ("org.gnome.desktop.a11y.mouse");
+         a11y_mouse_settings.bind ("secondary-click-enabled", hold_switch, "active", GLib.SettingsBindFlags.DEFAULT);

pkgs/desktops/pantheon/apps/switchboard-plugs/network/default.nix

@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
   ];
 
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Networking Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/notifications/default.nix

@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
     switchboard
   ];
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Notifications Plug";

pkgs/desktops/pantheon/apps/switchboard-plugs/pantheon-shell/default.nix

@@ -51,7 +51,7 @@ stdenv.mkDerivation rec {
   '';
 
 
-  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "lib/switchboard";
+  PKG_CONFIG_SWITCHBOARD_2_0_PLUGSDIR = "${placeholder ''out''}/lib/switchboard";
 
   meta = with stdenv.lib; {
     description = "Switchboard Desktop Plug";