Merge branch 'master' of github.com:nixos/nixpkgs into pleasant-ruby

Conflicts:
	pkgs/applications/version-management/git-and-tools/default.nix
	pkgs/applications/version-management/git-and-tools/hub/default.nix
	pkgs/tools/audio/mpdcron/default.nix

README.md

@@ -1,10 +1,18 @@
 Nixpkgs is a collection of packages for [Nix](https://nixos.org/nix/) package
-manager. Nixpkgs also includes [NixOS](https://nixos.org/nixos/) linux distribution source code.
+manager.
+
+[NixOS](https://nixos.org/nixos/) linux distribution source code is located inside `nixos/` folder.
 
 * [NixOS installation instructions](https://nixos.org/nixos/manual/#ch-installation)
+* [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language)
 * [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
-* [Continuous build](https://hydra.nixos.org/jobset/nixos/trunk-combined)
+* [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Tests](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
+* [Continuous package builds for 14.12 release](https://hydra.nixos.org/jobset/nixos/release-14.12)
+* [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
+* [Tests for 14.12 release](https://hydra.nixos.org/job/nixos/release-14.12/tested#tabs-constituents)
+
+Communication:
+
 * [Mailing list](https://lists.science.uu.nl/mailman/listinfo/nix-dev)
 * [IRC - #nixos on freenode.net](irc://irc.freenode.net/#nixos)

default.nix

@@ -1,6 +1,6 @@
-if ! builtins ? nixVersion || builtins.compareVersions "1.7" builtins.nixVersion == 1 then
+if ! builtins ? nixVersion || builtins.compareVersions "1.8" builtins.nixVersion == 1 then
 
-  abort "This version of Nixpkgs requires Nix >= 1.7, please upgrade!"
+  abort "This version of Nixpkgs requires Nix >= 1.8, please upgrade!"
 
 else
 

doc/stdenv.xml

@@ -718,7 +718,7 @@ the Nix store under <envar>out</envar>.  The default
 install</command>.</para>
 
 <variablelist>
-  <title>Variables controlling the check phase</title>
+  <title>Variables controlling the install phase</title>
 
   <varlistentry>
     <term><varname>makeFlags</varname> /
@@ -797,7 +797,7 @@ following:
 </para>
 
 <variablelist>
-  <title>Variables controlling the check phase</title>
+  <title>Variables controlling the fixup phase</title>
 
   <varlistentry>
     <term><varname>dontStrip</varname></term>

lib/attrsets.nix

@@ -1,7 +1,7 @@
 # Operations on attribute sets.
 
 with {
-  inherit (builtins) head tail;
+  inherit (builtins) head tail length;
   inherit (import ./trivial.nix) or;
   inherit (import ./default.nix) fold;
   inherit (import ./strings.nix) concatStringsSep;

lib/customisation.nix

@@ -65,6 +65,13 @@ rec {
           overrideDerivation = fdrv:
             makeOverridable (args: overrideDerivation (f args) fdrv) origArgs;
         })
+      else if builtins.isFunction ff then
+        { override = newArgs:
+            makeOverridable f (origArgs // (if builtins.isFunction newArgs then newArgs origArgs else newArgs));
+          __functor = self: ff;
+          deepOverride = throw "deepOverride not yet supported for functors";
+          overrideDerivation = throw "overrideDerivation not yet supported for functors";
+        }
       else ff;
 
   deepOverrider = newArgs: name: x: if builtins.isAttrs x then (

lib/maintainers.nix

@@ -43,6 +43,7 @@
   chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
   christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
   coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
+  cocreature = "Moritz Kiefer <moritz.kiefer@purelyfunctional.org>";
   codyopel = "Cody Opel <codyopel@gmail.com>";
   copumpkin = "Dan Peebles <pumpkingod@gmail.com>";
   coroa = "Jonas Hörsch <jonas@chaoflow.net>";
@@ -74,6 +75,7 @@
   garbas = "Rok Garbas <rok@garbas.si>";
   gavin = "Gavin Rogers <gavin@praxeology.co.uk>";
   goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
+  gridaphobe = "Eric Seidel <eric@seidel.io>";
   guibert = "David Guibert <david.guibert@gmail.com>";
   henrytill = "Henry Till <henrytill@gmail.com>";
   hinton = "Tom Hinton <t@larkery.com>";
@@ -81,6 +83,7 @@
   ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
   iElectric = "Domen Kozar <domen@dev.si>";
   iyzsong = "Song Wenwu <iyzsong@gmail.com>";
+  j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
   jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
   jcumming = "Jack Cummings <jack@mudshark.org>";
   jgeerds = "Jascha Geerds <jg@ekby.de>";
@@ -106,6 +109,7 @@
   manveru = "Michael Fellinger <m.fellinger@gmail.com>";
   marcweber = "Marc Weber <marco-oweber@gmx.de>";
   matejc = "Matej Cotman <cotman.matej@gmail.com>";
+  matthiasbeyer = "Matthias Beyer <mail@beyermatthias.de>";
   meditans = "Carlo Nucera <meditans@gmail.com>";
   meisternu = "Matt Miemiec <meister@krutt.org>";
   michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";

lib/modules.nix

@@ -356,6 +356,31 @@ rec {
   mkBefore = mkOrder 500;
   mkAfter = mkOrder 1500;
 
+  # Convenient property used to transfer all definitions and their
+  # properties from one option to another. This property is useful for
+  # renaming options, and also for including properties from another module
+  # system, including sub-modules.
+  #
+  #   { config, options, ... }:
+  #
+  #   {
+  #     # 'bar' might not always be defined in the current module-set.
+  #     config.foo.enable = mkAliasDefinitions (options.bar.enable or {});
+  #
+  #     # 'barbaz' has to be defined in the current module-set.
+  #     config.foobar.paths = mkAliasDefinitions options.barbaz.paths;
+  #   }
+  #
+  # Note, this is different than taking the value of the option and using it
+  # as a definition, as the new definition will not keep the mkOverride /
+  # mkDefault properties of the previous option.
+  #
+  mkAliasDefinitions = mkAliasAndWrapDefinitions id;
+  mkAliasAndWrapDefinitions = wrap: option:
+    mkMerge
+      (optional (isOption option && option.isDefined)
+        (wrap (mkMerge option.definitions)));
+
 
   /* Compatibility. */
   fixMergeModules = modules: args: evalModules { inherit modules args; check = false; };

lib/options.nix

@@ -96,6 +96,7 @@ rec {
           declarations = filter (x: x != unknownModule) opt.declarations;
           internal = opt.internal or false;
           visible = opt.visible or true;
+          type = opt.type.name or null;
         }
         // (if opt ? example then { example = scrubOptionValue opt.example; } else {})
         // (if opt ? default then { default = scrubOptionValue opt.default; } else {})

maintainers/scripts/travis-nox-review-pr.sh

@@ -28,12 +28,13 @@ elif [[ $1 == build ]]; then
     source $HOME/.nix-profile/etc/profile.d/nix.sh
 
     if [[ $TRAVIS_PULL_REQUEST == false ]]; then
-        echo "===> Not a pull request, checking evaluation"
+        echo "=== Not a pull request"
-        nix-build pkgs/top-level/release.nix -A tarball
     else
         echo "=== Checking PR"
         nox-review pr ${TRAVIS_PULL_REQUEST}
     fi
+    echo "=== Checking tarball creation"
+    nix-build pkgs/top-level/release.nix -A tarball
 else
     echo "$0: Unknown option $1" >&2
     false

maintainers/scripts/vanity-manual-equalities.txt

@@ -4,3 +4,4 @@ Pjotr Prins	pjotr.public05@thebird.nl
 Wouter den Breejen	wbreejen
 MarcWeber	marcweber
 Ricardo Correia	Ricardo M. Correia
+ertesx@gmx.de	ertes

maintainers/scripts/vanity.sh

@@ -47,11 +47,11 @@ fetchGithubName () {
 
 # For RDF
 normalize_name () {
-	sed -e 's/%/%25/g; s/ /%20/g; s/'\''/%27/g; s/"/%22/g; s/`/%60/g'
+	sed -e 's/%/%25/g; s/ /%20/g; s/'\''/%27/g; s/"/%22/g; s/`/%60/g; s/\^/%5e/g; '
 }
 
 denormalize_name () {
-	sed -e 's/%20/ /g; s/%27/'\''/g; s/%22/"/g; s/%60/`/g; s/%25/%/g;';
+	sed -e 's/%20/ /g; s/%27/'\''/g; s/%22/"/g; s/%60/`/g; s/%5e/^/g; s/%25/%/g;';
 }
 
 n3="$(mktemp --suffix .n3)"

nixos/doc/manual/administration/control-groups.xml

@@ -58,12 +58,10 @@ controls memory allocation limits; by default, all processes are in
 the top-level cgroup, so any service or session can exhaust all
 available memory.  Per-cgroup memory limits can be specified in
 <filename>configuration.nix</filename>; for instance, to limit
-<literal>httpd.service</literal> to 512 MiB of RAM (excluding swap)
+<literal>httpd.service</literal> to 512 MiB of RAM (excluding swap):
-and 640 MiB of RAM (including swap):
 
 <programlisting>
 systemd.services.httpd.serviceConfig.MemoryLimit = "512M";
-systemd.services.httpd.serviceConfig.ControlGroupAttribute = [ "memory.memsw.limit_in_bytes 640M" ];
 </programlisting>
 
 </para>

nixos/doc/manual/configuration/summary.xml

@@ -60,7 +60,7 @@ manual</link> for the rest.</para>
         <entry>A nested set, equivalent to <literal>{ foo = { bar = 1; }; }</literal></entry>
       </row>
       <row>
-        <entry><literal>rec { x = "bla"; y = x + "bar"; }</literal></entry>
+        <entry><literal>rec { x = "foo"; y = x + "bar"; }</literal></entry>
         <entry>A recursive set, equivalent to <literal>{ x = "foo"; y = "foobar"; }</literal></entry>
       </row>
       <row>

nixos/doc/manual/default.nix

@@ -20,7 +20,8 @@ let
     declarations = map (fn: stripPrefix fn) opt.declarations;
   }
   // optionalAttrs (opt ? example) { example = substFunction opt.example; }
-  // optionalAttrs (opt ? default) { default = substFunction opt.default; });
+  // optionalAttrs (opt ? default) { default = substFunction opt.default; }
+  // optionalAttrs (opt ? type) { type = substFunction opt.type; });
 
   prefix = toString ../../..;
 

nixos/doc/manual/installation/obtaining.xml

@@ -8,7 +8,7 @@
 
 <para>NixOS ISO images can be downloaded from the <link
 xlink:href="http://nixos.org/nixos/download.html">NixOS
-homepage</link>.  There are a number of installation options.  If
+download page</link>.  There are a number of installation options.  If
 you happen to have an optical drive and a spare CD, burning the
 image to CD and booting from that is probably the easiest option.
 Most people will need to prepare a USB stick to boot from.
@@ -27,7 +27,7 @@ running NixOS system through several other means:
     <para>Using virtual appliances in Open Virtualization Format (OVF)
     that can be imported into VirtualBox.  These are available from
     the <link xlink:href="http://nixos.org/nixos/download.html">NixOS
-    homepage</link>.</para>
+    download page</link>.</para>
   </listitem>
   <listitem>
     <para>Using AMIs for Amazon’s EC2.  To find one for your region

nixos/doc/manual/installation/upgrading.xml

@@ -14,8 +14,8 @@ been built.  These channels are:
 
 <itemizedlist>
   <listitem>
-    <para>Stable channels, such as <literal
+    <para><emphasis>Stable channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.04">nixos-14.04</literal>.
+    xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
     These only get conservative bug fixes and package upgrades.  For
     instance, a channel update may cause the Linux kernel on your
     system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
@@ -23,14 +23,28 @@ been built.  These channels are:
     3.11.<replaceable>x</replaceable> (a major change that has the
     potential to break things).  Stable channels are generally
     maintained until the next stable branch is created.</para>
+    <para></para>
   </listitem>
   <listitem>
-    <para>The unstable channel, <literal
+    <para>The <emphasis>unstable channel</emphasis>, <literal
     xlink:href="https://nixos.org/channels/nixos-unstable">nixos-unstable</literal>.
     This corresponds to NixOS’s main development branch, and may thus
     see radical changes between channel updates.  It’s not recommended
     for production systems.</para>
   </listitem>
+  <listitem>
+    <para><emphasis>Small channels</emphasis>, such as <literal
+    xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
+    or <literal
+    xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
+    are identical to the stable and unstable channels described above,
+    except that they contain fewer binary packages. This means they
+    get updated faster than the regular channels (for instance, when a
+    critical security patch is committed to NixOS’s source tree), but
+    may require more packages to be built from source than
+    usual. They’re mostly intended for server environments and as such
+    contain few GUI applications.</para>
+  </listitem>
 </itemizedlist>
 
 To see what channels are available, go to <link
@@ -41,8 +55,8 @@ appliances.)</para>
 
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 14.04 ISO, you will be subscribed to
+instance, if you installed from a 14.12 ISO, you will be subscribed to
-the <literal>nixos-14.04</literal> channel.  To see which NixOS
+the <literal>nixos-14.12</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 
 <screen>
@@ -57,13 +71,19 @@ $ nix-channel --add https://nixos.org/channels/<replaceable>channel-name</replac
 </screen>
 
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 14.04 stable channel:
+end.)  For instance, to use the NixOS 14.12 stable channel:
 
 <screen>
-$ nix-channel --add https://nixos.org/channels/nixos-14.04 nixos
+$ nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
 </screen>
 
-But if you want to live on the bleeding edge:
+If you have a server, you may want to use the “small” channel instead:
+
+<screen>
+$ nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+</screen>
+
+And if you want to live on the bleeding edge:
 
 <screen>
 $ nix-channel --add https://nixos.org/channels/nixos-unstable nixos

nixos/doc/manual/man-nixos-install.xml

@@ -11,12 +11,29 @@
 
 <refnamediv>
   <refname><command>nixos-install</command></refname>
-  <refpurpose>install NixOS</refpurpose>
+  <refpurpose>install bootloader and NixOS</refpurpose>
 </refnamediv>
 
 <refsynopsisdiv>
   <cmdsynopsis>
     <command>nixos-install</command>
+    <arg>
+      <arg choice='plain'><option>-I</option></arg>
+      <replaceable>path</replaceable>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--root</option></arg>
+      <replaceable>root</replaceable>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--show-trace</option></arg>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--chroot</option></arg>
+    </arg>
+    <arg>
+      <arg choice='plain'><option>--help</option></arg>
+    </arg>
   </cmdsynopsis>
 </refsynopsisdiv>
 
@@ -55,6 +72,56 @@ it.</para>
 
 </refsection>
 
+<refsection><title>Options</title>
+
+<para>This command accepts the following options:</para>
+
+<variablelist>
+
+  <varlistentry>
+    <term><option>--root</option></term>
+    <listitem>
+      <para>Defaults to <filename>/mnt</filename>. If this option is given, treat the directory
+      <replaceable>root</replaceable> as the root of the NixOS installation.
+      </para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>-I</option></term>
+    <listitem>
+      <para>Add a path to the Nix expression search path. This option may be given multiple times.
+        See the NIX_PATH environment variable for information on the semantics of the Nix search path.
+        Paths added through <replaceable>-I</replaceable> take precedence over NIX_PATH.</para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>--show-trace</option></term>
+    <listitem>
+      <para>Causes Nix to print out a stack trace in case of Nix expression evaluation errors.</para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>--chroot</option></term>
+    <listitem>
+      <para>Chroot into given installation. Any additional arguments passed are going to be executed inside the chroot.
+      </para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><option>--help</option></term>
+    <listitem>
+      <para>Synonym for <command>man nixos-install</command>.</para>
+    </listitem>
+  </varlistentry>
+
+</variablelist>
+
+</refsection>
+
 
 <refsection><title>Examples</title>
 
@@ -72,6 +139,7 @@ $ mount /dev/sda1 /mnt
 $ nixos-generate-config --root /mnt
 $ # edit /mnt/etc/nixos/configuration.nix
 $ nixos-install
+$ reboot
 </screen>
 
 </para>

nixos/doc/manual/man-pages.xml

@@ -15,7 +15,7 @@
     </author>
 
     <copyright>
-      <year>2007-2013</year>
+      <year>2007-2015</year>
       <holder>Eelco Dolstra</holder>
     </copyright>
 

nixos/doc/manual/options-to-docbook.xsl

@@ -34,6 +34,14 @@
                                select="attr[@name = 'description']/string/@value" />
                </para>
 
+               <xsl:if test="attr[@name = 'type']">
+                 <para>
+                   <emphasis>Type:</emphasis>
+                   <xsl:text> </xsl:text>
+                   <xsl:apply-templates select="attr[@name = 'type']" mode="top" />
+                 </para>
+               </xsl:if>
+
                <xsl:if test="attr[@name = 'default']">
                  <para>
                    <emphasis>Default:</emphasis>

nixos/doc/manual/release-notes/rl-1412.xml

@@ -4,15 +4,14 @@
         version="5.0"
         xml:id="sec-release-14.12">
 
-<title>Release 14.12 (“Caterpillar”, 2014/12/??)</title>
+<title>Release 14.12 (“Caterpillar”, 2014/12/30)</title>
 
 <para>In addition to numerous new and upgraded packages, this release has the following highlights:
 
 <itemizedlist>
 
 <listitem><para>Systemd has been updated to version 217, which has numerous
-<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements
+<link xlink:href="http://lists.freedesktop.org/archives/systemd-devel/2014-October/024662.html">improvements.</link></para></listitem>
-.</link></para></listitem>
 
 <listitem><para><link xlink:href="http://thread.gmane.org/gmane.linux.distributions.nixos/15165">
 Nix has been updated to 1.8.</link></para></listitem>
@@ -23,76 +22,81 @@ Nix has been updated to 1.8.</link></para></listitem>
 
 <listitem><para>The default Linux kernel has been updated to 3.14.</para></listitem>
 
-<listitem><para><option>users.mutableUsers</option> set to <literal>true</literal> now respect any changes
+<listitem><para>If <option>users.mutableUsers</option> is enabled (the
-made after initial creation of a user or a group.
+default), changes made to the declaration of a user or group will be
-</para></listitem>
+correctly realised when running <command>nixos-rebuild</command>. For
+instance, removing a user specification from
+<filename>configuration.nix</filename> will cause the actual user
+account to be deleted. If <option>users.mutableUsers</option> is
+disabled, it is no longer necessary to specify UIDs or GIDs; if
+omitted, they are allocated dynamically.</para></listitem>
 
 </itemizedlist></para>
 
 <para>Following new services were added since the last release:
 
 <itemizedlist>
-<listitem><para>parallels-guest</para></listitem>
+<listitem><para><literal>atftpd</literal></para></listitem>
-<listitem><para>docker</para></listitem>
+<listitem><para><literal>bosun</literal></para></listitem>
-<listitem><para>lxc</para></listitem>
+<listitem><para><literal>bspwm</literal></para></listitem>
-<listitem><para>openvswitch</para></listitem>
+<listitem><para><literal>chronos</literal></para></listitem>
-<listitem><para>fluxbox</para></listitem>
+<listitem><para><literal>collectd</literal></para></listitem>
-<listitem><para>bspwm</para></listitem>
+<listitem><para><literal>consul</literal></para></listitem>
-<listitem><para>gdm</para></listitem>
+<listitem><para><literal>cpuminer-cryptonight</literal></para></listitem>
-<listitem><para>fcgiwrap</para></listitem>
+<listitem><para><literal>crashplan</literal></para></listitem>
-<listitem><para>peerflix</para></listitem>
+<listitem><para><literal>dnscrypt-proxy</literal></para></listitem>
-<listitem><para>fail2ban</para></listitem>
+<listitem><para><literal>docker-registry</literal></para></listitem>
-<listitem><para>chronos</para></listitem>
+<listitem><para><literal>docker</literal></para></listitem>
-<listitem><para>znc</para></listitem>
+<listitem><para><literal>etcd</literal></para></listitem>
-<listitem><para>unifi</para></listitem>
+<listitem><para><literal>fail2ban</literal></para></listitem>
-<listitem><para>teamspeak3</para></listitem>
+<listitem><para><literal>fcgiwrap</literal></para></listitem>
-<listitem><para>strongswan</para></listitem>
+<listitem><para><literal>fleet</literal></para></listitem>
-<listitem><para>seeks</para></listitem>
+<listitem><para><literal>fluxbox</literal></para></listitem>
-<listitem><para>radicale</para></listitem>
+<listitem><para><literal>gdm</literal></para></listitem>
-<listitem><para>prosody</para></listitem>
+<listitem><para><literal>geoclue2</literal></para></listitem>
-<listitem><para>polipo</para></listitem>
+<listitem><para><literal>gitlab</literal></para></listitem>
-<listitem><para>openntpd</para></listitem>
+<listitem><para><literal>gitolite</literal></para></listitem>
-<listitem><para>nsd</para></listitem>
+<listitem><para><literal>gnome3.gnome-documents</literal></para></listitem>
-<listitem><para>mailpile</para></listitem>
+<listitem><para><literal>gnome3.gnome-online-miners</literal></para></listitem>
-<listitem><para>i2pd</para></listitem>
+<listitem><para><literal>gnome3.gvfs</literal></para></listitem>
-<listitem><para>dnscrypt-proxy</para></listitem>
+<listitem><para><literal>gnome3.seahorse</literal></para></listitem>
-<listitem><para>consul</para></listitem>
+<listitem><para><literal>hbase</literal></para></listitem>
-<listitem><para>atftpd</para></listitem>
+<listitem><para><literal>i2pd</literal></para></listitem>
-<listitem><para>scollector</para></listitem>
+<listitem><para><literal>influxdb</literal></para></listitem>
-<listitem><para>collectd</para></listitem>
+<listitem><para><literal>kubernetes</literal></para></listitem>
-<listitem><para>bosun</para></listitem>
+<listitem><para><literal>liquidsoap</literal></para></listitem>
-<listitem><para>riemann</para></listitem>
+<listitem><para><literal>lxc</literal></para></listitem>
-<listitem><para>zookeeper</para></listitem>
+<listitem><para><literal>mailpile</literal></para></listitem>
-<listitem><para>uhub</para></listitem>
+<listitem><para><literal>mesos</literal></para></listitem>
-<listitem><para>siproxd</para></listitem>
+<listitem><para><literal>mlmmj</literal></para></listitem>
-<listitem><para>redmine</para></listitem>
+<listitem><para><literal>monetdb</literal></para></listitem>
-<listitem><para>phd</para></listitem>
+<listitem><para><literal>mopidy</literal></para></listitem>
-<listitem><para>mesos</para></listitem>
+<listitem><para><literal>neo4j</literal></para></listitem>
-<listitem><para>gitlab</para></listitem>
+<listitem><para><literal>nsd</literal></para></listitem>
-<listitem><para>gitolite</para></listitem>
+<listitem><para><literal>openntpd</literal></para></listitem>
-<listitem><para>etcd</para></listitem>
+<listitem><para><literal>opentsdb</literal></para></listitem>
-<listitem><para>docker-registry</para></listitem>
+<listitem><para><literal>openvswitch</literal></para></listitem>
-<listitem><para>cpuminer-cryptonight</para></listitem>
+<listitem><para><literal>parallels-guest</literal></para></listitem>
-<listitem><para>thermald</para></listitem>
+<listitem><para><literal>peerflix</literal></para></listitem>
-<listitem><para>mlmmj</para></listitem>
+<listitem><para><literal>phd</literal></para></listitem>
-<listitem><para>tcsd</para></listitem>
+<listitem><para><literal>polipo</literal></para></listitem>
-<listitem><para>gnome3.seahorse</para></listitem>
+<listitem><para><literal>prosody</literal></para></listitem>
-<listitem><para>gnome3.gvfs</para></listitem>
+<listitem><para><literal>radicale</literal></para></listitem>
-<listitem><para>gnome3.gnome-online-miners</para></listitem>
+<listitem><para><literal>redmine</literal></para></listitem>
-<listitem><para>gnome3.gnome-documents</para></listitem>
+<listitem><para><literal>riemann</literal></para></listitem>
-<listitem><para>geoclue2</para></listitem>
+<listitem><para><literal>scollector</literal></para></listitem>
-<listitem><para>opentsdb</para></listitem>
+<listitem><para><literal>seeks</literal></para></listitem>
-<listitem><para>neo4j</para></listitem>
+<listitem><para><literal>siproxd</literal></para></listitem>
-<listitem><para>monetdb</para></listitem>
+<listitem><para><literal>strongswan</literal></para></listitem>
-<listitem><para>influxdb</para></listitem>
+<listitem><para><literal>tcsd</literal></para></listitem>
-<listitem><para>hbase</para></listitem>
+<listitem><para><literal>teamspeak3</literal></para></listitem>
-<listitem><para>torque/mrom</para></listitem>
+<listitem><para><literal>thermald</literal></para></listitem>
-<listitem><para>torque/server</para></listitem>
+<listitem><para><literal>torque/mrom</literal></para></listitem>
-<listitem><para>kubernetes</para></listitem>
+<listitem><para><literal>torque/server</literal></para></listitem>
-<listitem><para>fleet</para></listitem>
+<listitem><para><literal>uhub</literal></para></listitem>
-<listitem><para>crashplan</para></listitem>
+<listitem><para><literal>unifi</literal></para></listitem>
-<listitem><para>mopidy</para></listitem>
+<listitem><para><literal>znc</literal></para></listitem>
-<listitem><para>liquidsoap</para></listitem>
+<listitem><para><literal>zookeeper</literal></para></listitem>
 </itemizedlist>
 </para>
 
@@ -125,9 +129,11 @@ rather than <literal>c-<replaceable>container-name</replaceable></literal>.</par
 
 <listitem><para>GNOME 3.10 support has been dropped. The default GNOME version is now 3.12.</para></listitem>
 
-<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users may be required to run
+<listitem><para>VirtualBox has been upgraded to 4.3.20 release. Users
-<command>rm -rf /tmp.vbox*</command>. <literal>imports = [ &lt;nixpkgs/nixos/modules/programs/virtualbox.nix&gt; ]</literal>
+may be required to run <command>rm -rf /tmp/.vbox*</command>. The line
-is no longer necessary, use <literal>services.virtualboxHost.enable = true</literal> instead.
+<literal>imports = [ &lt;nixpkgs/nixos/modules/programs/virtualbox.nix&gt; ]</literal> is
+no longer necessary, use <literal>services.virtualboxHost.enable =
+true</literal> instead.
 </para>
 <para>Also, hardening mode is now enabled by default, which means that unless you want to use
 USB support, you no longer need to be a member of the <literal>vboxusers</literal> group.
@@ -160,6 +166,10 @@ xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>.</pa
 the ability to connect to sessions created by older versions of
 screen.</para></listitem>
 
+<listitem><para>The Intel GPU driver was updated to the 3.x prerelease
+version (used by most distributions) and supports DRI3
+now.</para></listitem>
+
 </itemizedlist>
 
 </para>

nixos/maintainers/scripts/ec2/create-ebs-amis.py

@@ -12,7 +12,7 @@ from nixops.statefile import StateFile, get_default_state_file
 
 parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI')
 parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in')
-parser.add_argument('--channel', dest='channel', default="13.10", help='Channel to use')
+parser.add_argument('--channel', dest='channel', default="14.12", help='Channel to use')
 parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use')
 parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image')
 parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob")
@@ -34,13 +34,13 @@ ebs_size = 20
 # Start a NixOS machine in the given region.
 f = open("ebs-creator-config.nix", "w")
 f.write('''{{
-  resources.ec2KeyPairs.keypair.accessKeyId = "logicblox-dev";
+  resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
   resources.ec2KeyPairs.keypair.region = "{0}";
 
   machine =
     {{ pkgs, ... }}:
     {{
-      deployment.ec2.accessKeyId = "logicblox-dev";
+      deployment.ec2.accessKeyId = "lb-nixos";
       deployment.ec2.region = "{0}";
       deployment.ec2.blockDeviceMapping."/dev/xvdg".size = pkgs.lib.mkOverride 10 {1};
     }};
@@ -54,7 +54,7 @@ try:
 except Exception:
     depl = db.create_deployment()
     depl.name = "ebs-creator"
-depl.auto_response = "y"
+depl.logger.set_autoresponse("y")
 depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")]
 if not args.keep: depl.destroy_resources()
 depl.deploy(allow_reboot=True)
@@ -140,6 +140,7 @@ common_args = dict(
         )
 if not args.hvm:
     common_args['kernel_id']=aki.id
+
 ami_id = m._conn.register_image(**common_args)
 
 print >> sys.stderr, "registered AMI {0}".format(ami_id)
@@ -161,16 +162,16 @@ f.write(
     {{
       network.description = "NixOS EBS test";
 
-      resources.ec2KeyPairs.keypair.accessKeyId = "logicblox-dev";
+      resources.ec2KeyPairs.keypair.accessKeyId = "lb-nixos";
       resources.ec2KeyPairs.keypair.region = "{0}";
 
       machine = {{ config, pkgs, resources, ... }}: {{
         deployment.targetEnv = "ec2";
-        deployment.ec2.accessKeyId = "logicblox-dev";
+        deployment.ec2.accessKeyId = "lb-nixos";
         deployment.ec2.region = "{0}";
         deployment.ec2.instanceType = "{2}";
         deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-        deployment.ec2.securityGroups = [ "admin" ];
+        deployment.ec2.securityGroups = [ "public-ssh" ];
         deployment.ec2.ami = "{1}";
       }};
     }}
@@ -185,23 +186,31 @@ test_depl.deploy(create_only=True)
 test_depl.machines['machine'].run_command("nixos-version")
 
 # Log the AMI ID.
-f = open("{0}.{1}.ami-id".format(args.region, image_type), "w")
+f = open("ec2-amis.nix".format(args.region, image_type), "w")
-f.write("{0}".format(ami_id))
+f.write("{\n")
-f.close()
 
 for dest in [ 'us-east-1', 'us-west-1', 'us-west-2', 'eu-west-1', 'eu-central-1', 'ap-southeast-1', 'ap-southeast-2', 'ap-northeast-1', 'sa-east-1']:
+    copy_image = None
     if args.region != dest:
+        try:
             print >> sys.stderr, "copying image from region {0} to {1}".format(args.region, dest)
             conn = boto.ec2.connect_to_region(dest)
             copy_image = conn.copy_image(args.region, ami_id, ami_name, description=None, client_token=None)
+        except :
+            print >> sys.stderr, "FAILED!"
 
         # Log the AMI ID.
-        f = open("{0}.{1}.ami-id".format(dest, image_type), "w")
+        if copy_image != None:
-        f.write("{0}".format(copy_image.image_id))
+            f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,dest,"hvm" if args.hvm else "ebs",copy_image.image_id))
+    else:
+        f.write('  "{0}"."{1}".{2} = "{3}";\n'.format(args.channel,args.region,"hvm" if args.hvm else "ebs",ami_id))
+
+
+f.write("}\n")
 f.close()
 
-
 if not args.keep:
+    test_depl.logger.set_autoresponse("y")
     test_depl.destroy_resources()
     test_depl.delete()
 

nixos/maintainers/scripts/ec2/create-s3-amis.sh

@@ -31,17 +31,22 @@ buildAndUploadFor() {
             -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" --location "$s3location" \
             --url http://s3.amazonaws.com
 
-        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.03-$arch*" --region "$region" | cut -f 2)
+        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
         echo "using PV-GRUB kernel $kernel"
 
-        ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" \
+        ami=$(ec2-register "$bucket/nixos.img.manifest.xml" -n "$name" -d "NixOS $system r$revision" -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY" \
             --region "$region" --kernel "$kernel" | cut -f 2)
 
         echo "AMI ID is $ami"
 
-        echo $ami >> $region.s3.ami-id
+        echo "  \"14.12\".\"$region\".s3 = \"$ami\";" >> ec2-amis.nix
 
-        ec2-modify-image-attribute --region "$region" "$ami" -l -a all
+        ec2-modify-image-attribute --region "$region" "$ami" -l -a all -O "$EC2_ACCESS_KEY" -W "$EC2_SECRET_KEY"
+
+        for cp_region in us-east-1 us-west-1 us-west-2 eu-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
+          new_ami=$(aws ec2 copy-image --source-image-id $ami --source-region $region --region $cp_region --name "$name" | json ImageId)
+          echo "  \"14.12\".\"$cp_region\".s3 = \"$new_ami\";" >> ec2-amis.nix  
+        done
     done
 }
 

nixos/maintainers/scripts/ec2/ebs-creator.nix

@@ -5,10 +5,9 @@
     { config, pkgs, resources, ... }:
     { deployment.targetEnv = "ec2";
       deployment.ec2.instanceType = "c3.large";
-      deployment.ec2.securityGroups = [ "admin" ];
+      deployment.ec2.securityGroups = [ "public-ssh" ];
       deployment.ec2.ebsBoot = false;
       deployment.ec2.keyPair = resources.ec2KeyPairs.keypair.name;
-      deployment.ec2.zone = "us-east-1e";
       environment.systemPackages = [ pkgs.parted ];
     };
 }

nixos/maintainers/scripts/gce/create-gce.sh

@@ -1,6 +1,6 @@
 #! /bin/sh -e
 
-BUCKET_NAME=${BUCKET_NAME:-nixos}
+BUCKET_NAME=${BUCKET_NAME:-nixos-images}
 export NIX_PATH=nixpkgs=../../../..
 export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
 export TIMESTAMP=$(date +%Y%m%d%H%M)

nixos/modules/config/users-groups.nix

@@ -25,6 +25,11 @@ let
     options.
   '';
 
+  hashedPasswordDescription = ''
+    To generate hashed password install <literal>mkpassword</literal>
+    package and run <literal>mkpasswd -m sha-512</literal>.
+  '';
+
   userOpts = { name, config, ... }: {
 
     options = {
@@ -165,6 +170,7 @@ let
         description = ''
           Specifies the hashed password for the user.
           ${passwordDescription}
+          ${hashedPasswordDescription}
         '';
       };
 
@@ -202,6 +208,8 @@ let
           password can be changed subsequently using the
           <command>passwd</command> command. Otherwise, it's
           equivalent to setting the <option>password</option> option.
+
+          ${hashedPasswordDescription}
         '';
       };
 
@@ -366,21 +374,24 @@ in {
       type = types.bool;
       default = true;
       description = ''
-        If true, you are free to add new users and groups to the system
+        If set to <literal>true</literal>, you are free to add new users and groups to the system
         with the ordinary <literal>useradd</literal> and
         <literal>groupadd</literal> commands. On system activation, the
         existing contents of the <literal>/etc/passwd</literal> and
         <literal>/etc/group</literal> files will be merged with the
         contents generated from the <literal>users.extraUsers</literal> and
-        <literal>users.extraGroups</literal> options. If
+        <literal>users.extraGroups</literal> options.
-        <literal>mutableUsers</literal> is false, the contents of the user and
+        The initial password for a user will be set
-        group files will simply be replaced on system activation. This also
-        holds for the user passwords; if this option is false, all changed
-        passwords will be reset according to the
-        <literal>users.extraUsers</literal> configuration on activation. If
-        this option is true, the initial password for a user will be set
         according to <literal>users.extraUsers</literal>, but existing passwords
         will not be changed.
+
+        <warning><para>
+        If set to <literal>false</literal>, the contents of the user and
+        group files will simply be replaced on system activation. This also
+        holds for the user passwords; all changed
+        passwords will be reset according to the
+        <literal>users.extraUsers</literal> configuration on activation.
+        </para></warning>
       '';
     };
 

nixos/modules/hardware/video/bumblebee.nix

@@ -1,7 +1,13 @@
 { config, lib, pkgs, ... }:
 
-let kernel = config.boot.kernelPackages; in
 with lib;
+let
+  kernel = config.boot.kernelPackages;
+  bumblebee = if config.hardware.bumblebee.connectDisplay
+              then pkgs.bumblebee_display
+              else pkgs.bumblebee;
+
+in
 
 {
 
@@ -23,6 +29,17 @@ with lib;
       type = types.uniq types.str;
       description = ''Group for bumblebee socket'';
     };
+    hardware.bumblebee.connectDisplay = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Set to true if you intend to connect your discrete card to a
+        monitor. This option will set up your Nvidia card for EDID
+        discovery and to turn on the monitor signal.
+
+        Only nvidia driver is supported so far.
+      '';
+    };
   };
 
   config = mkIf config.hardware.bumblebee.enable {
@@ -30,13 +47,13 @@ with lib;
     boot.kernelModules = [ "bbswitch" ];
     boot.extraModulePackages = [ kernel.bbswitch kernel.nvidia_x11 ];
 
-    environment.systemPackages = [ pkgs.bumblebee pkgs.primus ];
+    environment.systemPackages = [ bumblebee pkgs.primus ];
 
     systemd.services.bumblebeed = {
       description = "Bumblebee Hybrid Graphics Switcher";
       wantedBy = [ "display-manager.service" ];
       script = "bumblebeed --use-syslog -g ${config.hardware.bumblebee.group}";
-      path = [ kernel.bbswitch pkgs.bumblebee ];
+      path = [ kernel.bbswitch bumblebee ];
       serviceConfig = {
         Restart = "always";
         RestartSec = 60;

nixos/modules/installer/tools/nixos-install.sh

@@ -77,6 +77,7 @@ mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/et
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
 mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
+mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys

nixos/modules/misc/ids.nix

@@ -174,6 +174,8 @@
       chronos = 164;
       gitlab = 165;
       tox-bootstrapd = 166;
+      cadvisor = 167;
+      nylon = 168;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -273,6 +275,7 @@
       jenkins = 109;
       systemd-journal-gateway = 110;
       notbit = 111;
+      btsync = 113;
       monetdb = 115;
       foundationdb = 118;
       newrelic = 119;
@@ -306,13 +309,16 @@
       systemd-resolve = 153;
       systemd-timesync = 154;
       liquidsoap = 155;
-      scollector = 156;
-      bosun = 157;
-      kubernetes = 158;
       fleet = 159;
-      gitlab = 160;
+      scollector = 160;
+      bosun = 161;
+      kubernetes = 162;
+      gitlab = 165;
+      nylon = 166;
 
-      # When adding a gid, make sure it doesn't match an existing uid. And don't use gids above 399!
+      # When adding a gid, make sure it doesn't match an existing
+      # uid. Users and groups with the same name should have equal
+      # uids and gids. Also, don't use gids above 399!
 
       users = 100;
       nixbld = 30000;

nixos/modules/module-list.nix

@@ -54,8 +54,8 @@
   ./misc/version.nix
   ./programs/atop.nix
   ./programs/bash/bash.nix
-  ./programs/bash/command-not-found.nix
   ./programs/blcr.nix
+  ./programs/command-not-found/command-not-found.nix
   ./programs/dconf.nix
   ./programs/environment.nix
   ./programs/info.nix
@@ -197,6 +197,7 @@
   ./services/misc/zookeeper.nix
   ./services/monitoring/apcupsd.nix
   ./services/monitoring/bosun.nix
+  ./services/monitoring/cadvisor.nix
   ./services/monitoring/collectd.nix
   ./services/monitoring/dd-agent.nix
   ./services/monitoring/graphite.nix
@@ -237,6 +238,7 @@
   ./services/networking/dnscrypt-proxy.nix
   ./services/networking/dnsmasq.nix
   ./services/networking/ejabberd.nix
+  ./services/networking/firefox/sync-server.nix
   ./services/networking/firewall.nix
   ./services/networking/flashpolicyd.nix
   ./services/networking/freenet.nix
@@ -253,6 +255,7 @@
   ./services/networking/kippo.nix
   ./services/networking/mailpile.nix
   ./services/networking/minidlna.nix
+  ./services/networking/mstpd.nix
   ./services/networking/murmur.nix
   ./services/networking/nat.nix
   ./services/networking/networkmanager.nix
@@ -261,6 +264,7 @@
   ./services/networking/nsd.nix
   ./services/networking/ntopng.nix
   ./services/networking/ntpd.nix
+  ./services/networking/nylon.nix
   ./services/networking/oidentd.nix
   ./services/networking/openfire.nix
   ./services/networking/openntpd.nix
@@ -305,6 +309,7 @@
   ./services/search/solr.nix
   ./services/security/clamav.nix
   ./services/security/fail2ban.nix
+  ./services/security/fprintd.nix
   ./services/security/fprot.nix
   ./services/security/frandom.nix
   ./services/security/haveged.nix

nixos/modules/profiles/base.nix

@@ -10,6 +10,8 @@
     pkgs.w3m # needed for the manual anyway
     pkgs.testdisk # useful for repairing boot problems
     pkgs.mssys # for writing Microsoft boot sectors / MBRs
+    pkgs.efibootmgr
+    pkgs.efivar
     pkgs.parted
     pkgs.gptfdisk
     pkgs.ddrescue

nixos/modules/programs/command-not-found/command-not-found.nix

@@ -44,6 +44,26 @@ in
       }
     '';
 
+  programs.zsh.interactiveShellInit =
+    ''
+      # This function is called whenever a command is not found.
+      command_not_found_handler() {
+        local p=/run/current-system/sw/bin/command-not-found
+        if [ -x $p -a -f /nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite ]; then
+          # Run the helper program.
+          $p "$1"
+
+          # Retry the command if we just installed it.
+          if [ $? = 126 ]; then
+            "$@"
+          fi
+	else
+          # Indicate than there was an error so ZSH falls back to its default handler
+	  return 127
+        fi
+      }
+    '';
+
   environment.systemPackages = [ commandNotFound ];
 
   # TODO: tab completion for uninstalled commands! :-)

nixos/modules/programs/zsh/zsh.nix

@@ -100,7 +100,7 @@ in
         export HISTSIZE=2000
         export HISTFILE=$HOME/.zsh_history
 
-        setopt HIST_IGNORE_DUPS SHARE_HISTORY
+        setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK
       '';
 
     };

nixos/modules/rename.nix

@@ -55,8 +55,8 @@ let
             apply = x: use (toOf config);
             inherit visible;
           });
-        }
+
-        { config = setTo (mkMerge (if (fromOf options).isDefined then [ (define (mkMerge (fromOf options).definitions)) ] else []));
+          config = setTo (mkAliasAndWrapDefinitions define (fromOf options));
         }
       ];
 

nixos/modules/security/duosec.nix

@@ -110,7 +110,7 @@ in
         default = false;
         description = ''
           Print the contents of <literal>/etc/motd</literal> to screen
-          after a succesful login.
+          after a successful login.
         '';
       };
 
@@ -145,7 +145,7 @@ in
 
           When $DUO_PASSCODE is non-empty, it will override
           autopush. The SSH client will need SendEnv DUO_PASSCODE in
-          its configuration, and the SSH server will similarily need
+          its configuration, and the SSH server will similarly need
           AcceptEnv DUO_PASSCODE.
         '';
       };

nixos/modules/security/grsecurity.nix

@@ -38,7 +38,7 @@ in
         type = types.bool;
         default = false;
         description = ''
-          Enable the testing grsecurity patch, based on Linux 3.17.
+          Enable the testing grsecurity patch, based on Linux 3.18.
         '';
       };
 
@@ -156,6 +156,24 @@ in
           '';
         };
 
+        denyUSB = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERNSEC_DENYUSB y</literal>.
+
+            This enables a sysctl with name
+            <literal>kernel.grsecurity.deny_new_usb</literal>. Setting
+            its value to <literal>1</literal> will prevent any new USB
+            devices from being recognized by the OS.  Any attempted
+            USB device insertion will be logged.
+
+            This option is intended to be used against custom USB
+            devices designed to exploit vulnerabilities in various USB
+            device drivers.
+          '';
+        };
+
         restrictProc = mkOption {
           type = types.bool;
           default = false;
@@ -227,7 +245,7 @@ in
           message   = ''
             If grsecurity is enabled, you must select either the
             stable patch (with kernel 3.14), or the testing patch (with
-            kernel 3.17) to continue.
+            kernel 3.18) to continue.
           '';
         }
         { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable);

nixos/modules/security/pam.nix

@@ -54,6 +54,15 @@ let
         '';
       };
 
+      fprintAuth = mkOption {
+        default = config.services.fprintd.enable;
+        type = types.bool;
+        description = ''
+          If set, fingerprint reader will be used (if exists and
+          your fingerprints are enrolled).
+        '';
+      };
+
       sshAgentAuth = mkOption {
         default = false;
         type = types.bool;
@@ -113,6 +122,14 @@ let
         '';
       };
 
+      requireWheel = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Whether to permit root access only to members of group wheel.
+        '';
+      };
+
       limits = mkOption {
         description = ''
           Attribute set describing resource limits.  Defaults to the
@@ -175,10 +192,14 @@ let
           # Authentication management.
           ${optionalString cfg.rootOK
               "auth sufficient pam_rootok.so"}
+          ${optionalString cfg.requireWheel
+              "auth required pam_wheel.so use_uid"}
           ${optionalString cfg.logFailures
               "auth required pam_tally.so"}
           ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
               "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
+          ${optionalString cfg.fprintAuth
+              "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
           ${optionalString cfg.usbAuth
               "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
           ${optionalString cfg.unixAuth

nixos/modules/security/rngd.nix

@@ -20,7 +20,7 @@ with lib;
       KERNEL=="random", TAG+="systemd"
       SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
       KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
-      KERNEL=="tmp0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
+      ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''}
     '';
 
     systemd.services.rngd = {
@@ -32,8 +32,6 @@ with lib;
 
       serviceConfig.ExecStart = "${pkgs.rng_tools}/sbin/rngd -f -v" +
         (if config.services.tcsd.enable then " --no-tpm=1" else "");
-
-      restartTriggers = [ pkgs.rng_tools ];
     };
   };
 }

nixos/modules/services/databases/postgresql.xml

@@ -24,11 +24,11 @@
 
 <programlisting>
 services.postgresql.enable = true;
-services.postgresql.package = pkgs.postgresql93;
+services.postgresql.package = pkgs.postgresql94;
 </programlisting>
 
 Note that you are required to specify the desired version of
-PostgreSQL (e.g. <literal>pkgs.postgresql93</literal>). Since
+PostgreSQL (e.g. <literal>pkgs.postgresql94</literal>). Since
 upgrading your PostgreSQL version requires a database dump and reload
 (see below), NixOS cannot provide a default value for
 <option>services.postgresql.package</option> such as the most recent

nixos/modules/services/mail/dovecot.nix

@@ -45,8 +45,6 @@ let
       pop3_uidl_format = %08Xv%08Xu
     '' + cfg.extraConfig;
 
-  confFile = pkgs.writeText "dovecot.conf" dovecotConf;
-
 in
 
 {
@@ -88,6 +86,12 @@ in
         description = "Additional entries to put verbatim into Dovecot's config file.";
       };
 
+      configFile = mkOption {
+        default = null;
+        description = "Config file used for the whole dovecot configuration.";
+        apply = v: if v != null then v else pkgs.writeText "dovecot.conf" dovecotConf;
+      };
+
       mailLocation = mkOption {
         default = "maildir:/var/spool/mail/%u"; /* Same as inbox, as postfix */
         example = "maildir:~/mail:INBOX=/var/spool/mail/%u";
@@ -144,10 +148,11 @@ in
         gid = config.ids.gids.dovecot2;
       };
 
-    jobs.dovecot2 =
+    systemd.services.dovecot2 =
       { description = "Dovecot IMAP/POP3 server";
 
-        startOn = "started networking";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
 
         preStart =
           ''
@@ -155,7 +160,13 @@ in
             ${pkgs.coreutils}/bin/chown -R ${cfg.user}:${cfg.group} /var/run/dovecot2
           '';
 
-        exec = "${pkgs.dovecot}/sbin/dovecot -F -c ${confFile}";
+        serviceConfig = {
+          ExecStart = "${pkgs.dovecot}/sbin/dovecot -F -c ${cfg.configFile}";
+          Restart = "on-failure";
+          RestartSec = "1s";
+          StartLimitInterval = "1min";
+        };
+
       };
 
     environment.systemPackages = [ pkgs.dovecot ];

nixos/modules/services/mail/mlmmj.nix

@@ -90,7 +90,7 @@ in
       enable = true;
       recipientDelimiter= "+";
       extraMasterConf = ''
-        mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-recieve -F -L ${spoolDir}/$nextHop
+        mlmmj unix - n n - - pipe flags=ORhu user=mlmmj argv=${pkgs.mlmmj}/bin/mlmmj-receive -F -L ${spoolDir}/$nextHop
       '';
 
       extraAliases = concatMapStrings (alias cfg.listDomain) cfg.mailLists;

nixos/modules/services/mail/postfix.nix

@@ -96,9 +96,9 @@ let
     #  -o smtpd_sasl_auth_enable=yes
     #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
     #  -o milter_macro_daemon_name=ORIGINATING
-    pickup    fifo  n       -       n       60      1       pickup
+    pickup    unix  n       -       n       60      1       pickup
     cleanup   unix  n       -       n       -       0       cleanup
-    qmgr      fifo  n       -       n       300     1       qmgr
+    qmgr      unix  n       -       n       300     1       qmgr
     tlsmgr    unix  -       -       n       1000?   1       tlsmgr
     rewrite   unix  -       -       n       -       -       trivial-rewrite
     bounce    unix  -       -       n       -       0       bounce

nixos/modules/services/misc/nix-daemon.nix

@@ -82,9 +82,10 @@ in
         description = ''
           This option defines the maximum number of concurrent tasks during
           one build. It affects, e.g., -j option for make. The default is 1.
-          Some builds may become non-deterministic with this option; use with
+          The special value 0 means that the builder should use all
-          care! Packages will only be affected if enableParallelBuilding is
+          available CPU cores in the system. Some builds may become
-          set for them.
+          non-deterministic with this option; use with care! Packages will
+          only be affected if enableParallelBuilding is set for them.
         '';
       };
 

nixos/modules/services/monitoring/cadvisor.nix

@@ -0,0 +1,106 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.cadvisor;
+
+in {
+  options = {
+    services.cadvisor = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to enable cadvisor service.";
+      };
+
+      host = mkOption {
+        default = "127.0.0.1";
+        type = types.str;
+        description = "Cadvisor listening host";
+      };
+
+      port = mkOption {
+        default = 8080;
+        type = types.int;
+        description = "Cadvisor listening port";
+      };
+
+      storageDriver = mkOption {
+        default = null;
+        type = types.nullOr types.str;
+        example = "influxdb";
+        description = "Cadvisor storage driver.";
+      };
+
+      storageDriverHost = mkOption {
+        default = "localhost:8086";
+        type = types.str;
+        description = "Cadvisor storage driver host.";
+      };
+
+      storageDriverDb = mkOption {
+        default = "root";
+        type = types.str;
+        description = "Cadvisord storage driver database name.";
+      };
+
+      storageDriverUser = mkOption {
+        default = "root";
+        type = types.str;
+        description = "Cadvisor storage driver username.";
+      };
+
+      storageDriverPassword = mkOption {
+        default = "root";
+        type = types.str;
+        description = "Cadvisor storage driver password.";
+      };
+
+      storageDriverSecure = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Cadvisor storage driver, enable secure communication.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.cadvisor = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" "docker.service" "influxdb.service" ];
+
+      postStart = mkBefore ''
+        until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.host}:${toString cfg.port}/containers/'; do
+          sleep 1;
+        done
+      '';
+
+      serviceConfig = {
+        ExecStart = ''${pkgs.cadvisor}/bin/cadvisor \
+          -logtostderr=true \
+          -listen_ip=${cfg.host} \
+          -port=${toString cfg.port} \
+          ${optionalString (cfg.storageDriver != null) ''
+            -storage_driver ${cfg.storageDriver} \
+            -storage_driver_user ${cfg.storageDriverHost} \
+            -storage_driver_db ${cfg.storageDriverDb} \
+            -storage_driver_user ${cfg.storageDriverUser} \
+            -storage_driver_password ${cfg.storageDriverPassword} \
+            ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
+          ''}
+        '';
+        User = "cadvisor";
+      };
+    };
+
+    virtualisation.docker.enable = true;
+
+    users.extraUsers = singleton {
+      name = "cadvisor";
+      uid = config.ids.uids.cadvisor;
+      description = "Cadvisor user";
+      extraGroups = [ "docker" ];
+    };
+  };
+}

nixos/modules/services/monitoring/dd-agent.nix

@@ -140,6 +140,7 @@ in {
         Restart = "always";
         RestartSec = 2;
       };
+      environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
       restartTriggers = [ pkgs.dd-agent ddConf postgresqlConfig nginxConfig ];
     };
 

nixos/modules/services/monitoring/riemann.nix

@@ -17,7 +17,7 @@ let
 
   launcher = writeScriptBin "riemann" ''
     #!/bin/sh
-    exec ${openjdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
+    exec ${jdk}/bin/java ${concatStringsSep "\n" cfg.extraJavaOpts} \
       -cp ${classpath} \
       riemann.bin ${writeText "riemann-config.clj" riemannConfig}
   '';

nixos/modules/services/monitoring/statsd.nix

@@ -53,7 +53,7 @@ in
     };
 
     mgmt_address = mkOption {
-      description = "Address to run managment TCP interface on";
+      description = "Address to run management TCP interface on";
       default = "127.0.0.1";
       type = types.str;
     };
@@ -65,7 +65,7 @@ in
     };
 
     backends = mkOption {
-      description = "List of backends statsd will use for data persistance";
+      description = "List of backends statsd will use for data persistence";
       default = ["graphite"];
       example = ["graphite" pkgs.nodePackages."statsd-influxdb-backend"];
       type = types.listOf (types.either types.str types.package);

nixos/modules/services/network-filesystems/nfsd.nix

@@ -61,7 +61,7 @@ in
           default = null;
           example = 4002;
           description = ''
-            Use fixed port for rpc.mountd, usefull if server is behind firewall.
+            Use fixed port for rpc.mountd, useful if server is behind firewall.
           '';
         };
 

nixos/modules/services/network-filesystems/samba.nix

@@ -9,7 +9,7 @@ let
   logDir = "/var/log/samba";
   privateDir = "/var/samba/private";
 
-  inherit (pkgs) samba;
+  samba = cfg.package;
 
   setupScript =
     ''
@@ -90,6 +90,14 @@ in
         ";
       };
 
+      package = mkOption {
+        default = pkgs.samba;
+        example = pkgs.samba4;
+        description = ''
+          Defines which package should be used for the samba server.
+        '';
+      };
+
       syncPasswordsByPam = mkOption {
         default = false;
         description = "

nixos/modules/services/networking/btsync.nix

@@ -88,7 +88,7 @@ in
           use <literal>systemctl start btsync@user</literal> to start
           the daemon only for user <literal>user</literal>, using the
           configuration file located at
-          <literal>$HOME/.config/btsync.conf</literal>
+          <literal>$HOME/.config/btsync.conf</literal>.
         '';
       };
 
@@ -223,6 +223,21 @@ in
           --generate-secret</literal>. Note that this secret will be
           put inside the Nix store, so it is realistically not very
           secret.
+
+          If you would like to be able to modify the contents of this
+          directories, it is recommended that you make your user a
+          member of the <literal>btsync</literal> group.
+
+          Directories in this list should be in the
+          <literal>btsync</literal> group, and that group must have
+          write access to the directory. It is also recommended that
+          <literal>chmod g+s</literal> is applied to the directory
+          so that any sub directories created will also belong to
+          the <literal>btsync</literal> group. Also,
+          <literal>setfacl -d -m group:btsync:rwx</literal> and
+          <literal>setfacl -m group:btsync:rwx</literal> should also
+          be applied so that the sub directories are writable by
+          the group.
         '';
       };
     };
@@ -246,14 +261,20 @@ in
       home            = "/var/lib/btsync";
       createHome      = true;
       uid             = config.ids.uids.btsync;
+      group           = "btsync";
     };
 
+    users.extraGroups = [
+      { name = "btsync";
+      }];
+
     systemd.services.btsync = with pkgs; {
       description = "Bittorrent Sync Service";
       wantedBy    = [ "multi-user.target" ];
       after       = [ "network.target" ];
       serviceConfig = {
         Restart   = "on-abort";
+        UMask     = "0002";
         User      = "btsync";
         ExecStart =
           "${bittorrentSync}/bin/btsync --nodaemon --config ${configFile}";

nixos/modules/services/networking/firefox/sync-server.nix

@@ -0,0 +1,142 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.firefox.syncserver;
+  syncServerIni = pkgs.writeText "syncserver.ini" ''
+    [DEFAULT]
+    overrides = ${cfg.privateConfig}
+
+    [server:main]
+    use = egg:Paste#http
+    host = ${cfg.listen.address}
+    port = ${toString cfg.listen.port}
+
+    [app:main]
+    use = egg:syncserver
+
+    [syncserver]
+    public_url = ${cfg.publicUrl}
+    ${optionalString (cfg.sqlUri != "") "sqluri = ${cfg.sqlUri}"}
+    allow_new_users = ${if cfg.allowNewUsers then "true" else "false"}
+
+    [browserid]
+    backend = tokenserver.verifiers.LocalVerifier
+    audiences = ${removeSuffix "/" cfg.publicUrl}
+  '';
+in
+
+{
+  options = {
+    services.firefox.syncserver = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        example = true;
+        description = ''
+          Whether to enable a Firefox Sync Server, this give the opportunity to
+          Firefox users to store all synchronized data on their own server. To use this
+          server, Firefox users should visit the <option>about:config</option>, and
+          replicate the following change
+
+          <screen>
+          services.sync.tokenServerURI: http://localhost:5000/token/1.0/sync/1.5
+          </screen>
+
+          where <option>http://localhost:5000/</option> corresponds to the
+          public url of the server.
+        '';
+      };
+
+      listen.address = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+        example = "0.0.0.0";
+        description = ''
+          Address on which the sync server listen to.
+        '';
+      };
+
+      listen.port = mkOption {
+        type = types.int;
+        default = 5000;
+        description = ''
+          Port on which the sync server listen to.
+        '';
+      };
+
+      publicUrl = mkOption {
+        type = types.str;
+        default = "http://localhost:5000/";
+        example = "http://sync.example.com/";
+        description = ''
+          Public URL with which firefox users can use to access the sync server.
+        '';
+      };
+
+      allowNewUsers = mkOption {
+        type = types.bool;
+        default = true;
+        example = false;
+        description = ''
+          Whether to allow new-user signups on the server. Only request by
+          existing accounts will be honored.
+        '';
+      };
+
+      sqlUri = mkOption {
+        type = types.str;
+        default = "sqlite:////var/db/firefox-sync-server.db";
+        example = "postgresql://scott:tiger@localhost/test";
+        description = ''
+          The location of the database. This URL is composed of
+          <option>dialect[+driver]://user:password@host/dbname[?key=value..]</option>,
+          where <option>dialect</option> is a database name such as
+          <option>mysql</option>, <option>oracle</option>, <option>postgresql</option>,
+          etc., and <option>driver</option> the name of a DBAPI, such as
+          <option>psycopg2</option>, <option>pyodbc</option>, <option>cx_oracle</option>,
+          etc. The <link
+          xlink:href="http://docs.sqlalchemy.org/en/rel_0_9/core/engines.html#database-urls">
+          SQLAlchemy documentation</link> provides more examples and describe the syntax of
+          the expected URL.
+        '';
+      };
+
+      privateConfig = mkOption {
+        type = types.str;
+        default = "/etc/firefox/syncserver-secret.ini";
+        description = ''
+          The private config file is used to extend the generated config with confidential
+          information, such as the <option>syncserver.sqlUri</option> setting if it contains a
+          password, and the <option>syncserver.secret</option> setting is used by the server to
+          generate cryptographically-signed authentication tokens.
+
+          If this file does not exists, then it is created with a generated
+          <option>syncserver.secret</option> settings.
+       '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+
+    systemd.services.syncserver = {
+      after = [ "network.target" ];
+      description = "Firefox Sync Server";
+      wantedBy = [ "multi-user.target" ];
+      path = [ pkgs.pythonPackages.pasteScript pkgs.coreutils ];
+      environment.PYTHONPATH = "${pkgs.pythonPackages.syncserver}/lib/${pkgs.pythonPackages.python.libPrefix}/site-packages";
+      preStart = ''
+        if ! test -e ${cfg.privateConfig}; then
+          umask u=rwx,g=x,o=x
+          mkdir -p $(dirname ${cfg.privateConfig})
+          echo  > ${cfg.privateConfig} '[syncserver]'
+          echo >> ${cfg.privateConfig} "secret = $(head -c 20 /dev/urandom | sha1sum | tr -d ' -')"
+        fi
+      '';
+      serviceConfig.ExecStart = "paster serve ${syncServerIni}";
+    };
+
+  };
+}

nixos/modules/services/networking/firewall.nix

@@ -356,7 +356,7 @@ in
         ''
           If pings are allowed, this allows setting rate limits
           on them. If non-null, this option should be in the form
-          of flags like "-limit 1/minute -limit-burst 5"
+          of flags like "--limit 1/minute --limit-burst 5"
         '';
     };
 

nixos/modules/services/networking/i2pd.nix

@@ -142,7 +142,7 @@ in
           type = types.int;
           default = 80;
           description = ''
-            Port to forward incoming trafic to. 80 by default.
+            Port to forward incoming traffic to. 80 by default.
           '';
         };
         keyFile = mkOption {

nixos/modules/services/networking/mstpd.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.mstpd;
+in
+with lib;
+{
+  options.services.mstpd = {
+    
+    enable = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Whether to enable the multiple spanning tree protocol daemon.
+      '';
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.mstpd ];
+
+    systemd.services.mstpd = {
+      description = "Multiple Spanning Tree Protocol Daemon";
+      wantedBy = [ "network.target" ];
+      unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+      serviceConfig = {
+        Type = "forking";
+        ExecStart = "@${pkgs.mstpd}/bin/mstpd mstpd";
+        PIDFile = "/run/mstpd.pid";
+      };
+    };
+  };
+}

nixos/modules/services/networking/nylon.nix

@@ -0,0 +1,139 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.nylon;
+
+  homeDir = "/var/lib/nylon";
+
+  configFile = pkgs.writeText "nylon.conf" ''
+    [General]
+    No-Simultaneous-Conn=${toString cfg.nrConnections}
+    Log=${if cfg.logging then "1" else "0"}
+    Verbose=${if cfg.verbosity then "1" else "0"}
+
+    [Server]
+    Binding-Interface=${cfg.acceptInterface}
+    Connecting-Interface=${cfg.bindInterface}
+    Port=${toString cfg.port}
+    Allow-IP=${concatStringsSep " " cfg.allowedIPRanges}
+    Deny-IP=${concatStringsSep " " cfg.deniedIPRanges}
+  '';
+
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.nylon = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enables nylon as a running service upon activation.
+        '';
+      };
+
+      nrConnections = mkOption {
+        type = types.int;
+        default = 10;
+        description = ''
+          The number of allowed simultaneous connections to the daemon, default 10.
+        '';
+      };
+
+      logging = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable logging, default is no logging.
+        '';
+      };
+
+      verbosity = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable verbose output, default is to not be verbose.
+        '';
+      };
+
+      acceptInterface = mkOption {
+        type = types.string;
+        default = "lo";
+        description = ''
+          Tell nylon which interface to listen for client requests on, default is "lo".
+        '';
+      };
+
+      bindInterface = mkOption {
+        type = types.string;
+        default = "enp3s0f0";
+        description = ''
+          Tell nylon which interface to use as an uplink, default is "enp3s0f0".
+        '';
+      };
+
+      port = mkOption {
+        type = types.int;
+        default = 1080;
+        description = ''
+          What port to listen for client requests, default is 1080.
+        '';
+      };
+
+      allowedIPRanges = mkOption {
+        type = with types; listOf string;
+        default = [ "192.168.0.0/16" "127.0.0.1/8" "172.16.0.1/12" "10.0.0.0/8" ];
+        description = ''
+           Allowed client IP ranges are evaluated first, defaults to ARIN IPv4 private ranges:
+             [ "192.168.0.0/16" "127.0.0.0/8" "172.16.0.0/12" "10.0.0.0/8" ]
+        '';
+      };
+
+      deniedIPRanges = mkOption {
+        type = with types; listOf string;
+        default = [ "0.0.0.0/0" ];
+        description = ''
+          Denied client IP ranges, these gets evaluated after the allowed IP ranges, defaults to all IPv4 addresses:
+            [ "0.0.0.0/0" ]
+          To block all other access than the allowed.
+        '';
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    users.extraUsers.nylon= {
+      group = "nylon";
+      description = "Nylon SOCKS Proxy";
+      home = homeDir;
+      createHome = true;
+      uid = config.ids.uids.nylon;
+    };
+
+    users.extraGroups.nylon.gid = config.ids.gids.nylon;
+
+    systemd.services.nylon = {
+      description = "Nylon, a lightweight SOCKS proxy server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig =
+      {
+        User = "nylon";
+        Group = "nylon";
+        WorkingDirectory = homeDir;
+        ExecStart = "${pkgs.nylon}/bin/nylon -f -c ${configFile}";
+      };
+    };
+  };
+}

nixos/modules/services/networking/ssh/sshd.nix

@@ -17,13 +17,11 @@ let
 
   knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
 
-  knownHostsFile = pkgs.runCommand "ssh_known_hosts" {} ''
+  knownHostsText = flip (concatMapStringsSep "\n") knownHosts
-    touch "$out"
+    (h:
-    ${flip concatMapStrings knownHosts (h: ''
+      concatStringsSep "," h.hostNames + " "
-      pubkeyfile=${builtins.toFile "host.pub" (if h.publicKey == null then readFile h.publicKeyFile else h.publicKey)}
+      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
-      ${pkgs.gnused}/bin/sed 's/^/${concatStringsSep "," h.hostNames} /' $pubkeyfile >> "$out"
+    );
-    '')}
-  '';
 
   userOptions = {
 
@@ -301,7 +299,7 @@ in
       { source = "${cfgc.package}/etc/ssh/moduli";
         target = "ssh/moduli";
       }
-      { source = knownHostsFile;
+      { text = knownHostsText;
         target = "ssh/ssh_known_hosts";
       }
     ];

nixos/modules/services/networking/tox-bootstrapd.nix

@@ -24,7 +24,7 @@ in
             default = false;
             description =
               ''
-                Whether to enable the Tox DHT boostrap daemon.
+                Whether to enable the Tox DHT bootstrap daemon.
               '';
           };
 
@@ -45,7 +45,7 @@ in
             default = "";
             description =
               ''
-                Configuration for boostrap daemon.
+                Configuration for bootstrap daemon.
                 See <link xlink:href="https://github.com/irungentoo/toxcore/blob/master/other/bootstrap_daemon/tox-bootstrapd.conf"/>
                 and <link xlink:href="http://wiki.tox.im/Nodes"/>.
              '';

nixos/modules/services/networking/unifi.nix

@@ -3,7 +3,7 @@ with lib;
 let
   cfg = config.services.unifi;
   stateDir = "/var/lib/unifi";
-  cmd = "@${pkgs.icedtea7_jre}/bin/java java -jar ${stateDir}/lib/ace.jar";
+  cmd = "@${pkgs.jre}/bin/java java -jar ${stateDir}/lib/ace.jar";
   mountPoints = [
     {
       what = "${pkgs.unifi}/dl";

nixos/modules/services/printing/cupsd.nix

@@ -4,7 +4,7 @@ with lib;
 
 let
 
-  inherit (pkgs) cups;
+  inherit (pkgs) cups cups_filters;
 
   cfg = config.services.printing;
 
@@ -123,6 +123,19 @@ in
         '';
       };
 
+      browsedConf = mkOption {
+        type = types.lines;
+        default = "";
+        example =
+          ''
+            BrowsePoll cups.example.com
+          '';
+        description = ''
+          The contents of the configuration. file of the CUPS Browsed daemon
+          (<filename>cups-browsed.conf</filename>)
+        '';
+      };
+
       drivers = mkOption {
         type = types.listOf types.path;
         example = literalExample "[ pkgs.splix ]";
@@ -161,6 +174,7 @@ in
     environment.etc."cups/client.conf".text = cfg.clientConf;
     environment.etc."cups/cups-files.conf".text = cfg.cupsFilesConf;
     environment.etc."cups/cupsd.conf".text = cfg.cupsdConf;
+    environment.etc."cups/cups-browsed.conf".text = cfg.browsedConf;
 
     services.dbus.packages = [ cups ];
 
@@ -195,6 +209,22 @@ in
           ];
       };
 
+    systemd.services.cups-browsed =
+      { description = "Make remote CUPS printers available locally";
+
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "cups.service" "avahi-daemon.service" ];
+        after = [ "cups.service" "avahi-daemon.service" ];
+
+        path = [ cups ];
+
+        serviceConfig.ExecStart = "${cups_filters}/bin/cups-browsed";
+
+        restartTriggers =
+          [ config.environment.etc."cups/cups-browsed.conf".source
+          ];
+      };
+
     services.printing.drivers =
       [ cups pkgs.ghostscript pkgs.cups_filters additionalBackends
         pkgs.perl pkgs.coreutils pkgs.gnused pkgs.bc pkgs.gawk pkgs.gnugrep

nixos/modules/services/search/solr.nix

@@ -22,7 +22,7 @@ let
       cp common/lib/*.jar $out/lib/
       ln -s ${pkgs.ant}/lib/ant/lib/ant.jar $out/lib/
       ln -s ${cfg.solrPackage}/lib/ext/* $out/lib/
-      ln -s ${pkgs.openjdk}/lib/openjdk/lib/tools.jar $out/lib/
+      ln -s ${pkgs.jdk.home}/lib/tools.jar $out/lib/
     '' + optionalString (cfg.extraJars != []) ''
       for f in ${concatStringsSep " " cfg.extraJars}; do
          cp $f $out/lib
@@ -44,7 +44,7 @@ in {
 
       javaPackage = mkOption {
         type = types.package;
-        default = pkgs.openjre;
+        default = pkgs.jre;
         description = ''
           Which Java derivation to use for running solr.
         '';

nixos/modules/services/security/fprintd.nix

@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.fprintd;
+
+in
+
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.fprintd = {
+
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable fprintd daemon and PAM module for fingerprint readers handling.
+        '';
+      };
+
+    };
+    
+  };
+  
+  
+  ###### implementation
+  
+  config = mkIf cfg.enable {
+
+    services.dbus.packages = [ pkgs.fprintd ];
+
+    environment.systemPackages = [ pkgs.fprintd ];
+
+    systemd.services.fprintd = {
+      description = "Fingerprint Authentication Daemon";
+
+      serviceConfig = {
+        Type = "dbus";
+        BusName = "net.reactivated.Fprint";
+        ExecStart = "${pkgs.fprintd}/libexec/fprintd";
+      };
+    };
+
+  };
+  
+}

nixos/modules/services/web-servers/winstone.nix

@@ -30,7 +30,7 @@ let
 
       javaPackage = mkOption {
         type = types.package;
-        default = pkgs.openjre;
+        default = pkgs.jre;
         description = ''
           Which Java derivation to use for running Winstone.
         '';

nixos/modules/services/web-servers/zope2.nix

@@ -24,7 +24,7 @@ let
       http_address = mkOption {
         default = "localhost:8080";
         type = types.string;
-        description = "Give a port and adress for the HTTP server.";
+        description = "Give a port and address for the HTTP server.";
       };
 
       user = mkOption {

nixos/modules/services/x11/desktop-managers/e19.nix

@@ -7,6 +7,11 @@ let
   xcfg = config.services.xserver;
   cfg = xcfg.desktopManager.e19;
   e19_enlightenment = pkgs.e19.enlightenment.override { set_freqset_setuid = true; };
+  GST_PLUGIN_PATH = lib.makeSearchPath "lib/gstreamer-1.0" [
+    pkgs.gst_all_1.gst-plugins-base
+    pkgs.gst_all_1.gst-plugins-good
+    pkgs.gst_all_1.gst-plugins-bad
+    pkgs.gst_all_1.gst-libav ];
 
 in
 
@@ -45,6 +50,8 @@ in
         export GTK_PATH=${config.system.path}/lib/gtk-3.0:${config.system.path}/lib/gtk-2.0
         export XDG_MENU_PREFIX=enlightenment
 
+        export GST_PLUGIN_PATH="${GST_PLUGIN_PATH}"
+
         # make available for D-BUS user services
         #export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}:${config.system.path}/share:${pkgs.e19.efl}/share
 

nixos/modules/system/activation/switch-to-configuration.pl

@@ -323,7 +323,7 @@ system("@systemd@/bin/systemctl", "daemon-reload") == 0 or $res = 3;
 
 # Signal dbus to reload its configuration before starting other units.
 # Other units may rely on newly installed policy files under /etc/dbus-1
-system("@systemd@/bin/systemctl", "reload", "dbus.service");
+system("@systemd@/bin/systemctl", "reload-or-restart", "dbus.service");
 
 # Restart changed services (those that have to be restarted rather
 # than stopped and started).

nixos/modules/system/boot/loader/gummiboot/gummiboot-builder.py

@@ -63,7 +63,8 @@ def get_generations(profile):
         "@nix@/bin/nix-env",
         "--list-generations",
         "-p",
-        "/nix/var/nix/profiles/%s" % (profile)
+        "/nix/var/nix/profiles/%s" % (profile),
+        "--option", "build-users-group", ""
         ])
     gen_lines = gen_list.split('\n')
     gen_lines.pop()

nixos/modules/system/boot/stage-2-init.sh

@@ -91,6 +91,7 @@ mkdir -m 01777 -p /tmp
 mkdir -m 0755 -p /var /var/log /var/lib /var/db
 mkdir -m 0755 -p /nix/var
 mkdir -m 0700 -p /root
+chmod 0700 /root
 mkdir -m 0755 -p /bin # for the /bin/sh symlink
 mkdir -m 0755 -p /home
 mkdir -m 0755 -p /etc/nixos

nixos/modules/system/boot/systemd-unit-options.nix

@@ -58,7 +58,7 @@ let
       "simple" "forking" "oneshot" "dbus" "notify" "idle"
     ])
     (assertValueOneOf "Restart" [
-      "no" "on-success" "on-failure" "on-abort" "always"
+      "no" "on-success" "on-failure" "on-abnormal" "on-abort" "always"
     ])
   ];
 

nixos/modules/system/boot/systemd.nix

@@ -695,21 +695,21 @@ in
       default = {};
       type = types.attrsOf types.optionSet;
       options = [ linkOptions ];
-      description = "Definiton of systemd network links.";
+      description = "Definition of systemd network links.";
     };
 
     systemd.network.netdevs = mkOption {
       default = {};
       type = types.attrsOf types.optionSet;
       options = [ netdevOptions ];
-      description = "Definiton of systemd network devices.";
+      description = "Definition of systemd network devices.";
     };
 
     systemd.network.networks = mkOption {
       default = {};
       type = types.attrsOf types.optionSet;
       options = [ networkOptions networkConfig ];
-      description = "Definiton of systemd networks.";
+      description = "Definition of systemd networks.";
     };
 
     systemd.network.units = mkOption {
@@ -858,6 +858,13 @@ in
       description = "Definition of systemd per-user service units.";
     };
 
+    systemd.user.timers = mkOption {
+      default = {};
+      type = types.attrsOf types.optionSet;
+      options = [ timerOptions unitConfig ];
+      description = "Definition of systemd per-user timer units.";
+    };
+
     systemd.user.sockets = mkOption {
       default = {};
       type = types.attrsOf types.optionSet;
@@ -979,7 +986,8 @@ in
 
     systemd.user.units =
          mapAttrs' (n: v: nameValuePair "${n}.service" (serviceToUnit n v)) cfg.user.services
-      // mapAttrs' (n: v: nameValuePair "${n}.socket" (socketToUnit n v)) cfg.user.sockets;
+      // mapAttrs' (n: v: nameValuePair "${n}.socket"  (socketToUnit  n v)) cfg.user.sockets
+      // mapAttrs' (n: v: nameValuePair "${n}.timer"   (timerToUnit   n v)) cfg.user.timers;
 
     system.requiredKernelConfig = map config.lib.kernelConfig.isEnabled
       [ "DEVTMPFS" "CGROUPS" "INOTIFY_USER" "SIGNALFD" "TIMERFD" "EPOLL" "NET"

nixos/modules/system/etc/setup-etc.pl

@@ -12,8 +12,8 @@ sub atomicSymlink {
     my ($source, $target) = @_;
     my $tmp = "$target.tmp";
     unlink $tmp;
-    symlink $source, $tmp or return 1;
+    symlink $source, $tmp or return 0;
-    rename $tmp, $target or return 1;
+    rename $tmp, $target or return 0;
     return 1;
 }
 

nixos/modules/tasks/filesystems/nfs.nix

@@ -38,7 +38,7 @@ in
         default = null;
         example = 4000;
         description = ''
-          Use fixed port for rpc.statd, usefull if NFS server is behind firewall.
+          Use fixed port for rpc.statd, useful if NFS server is behind firewall.
         '';
       };
       lockdPort = mkOption {
@@ -46,7 +46,7 @@ in
         example = 4001;
         description = ''
           Use fixed port for NFS lock manager kernel module (lockd/nlockmgr),
-          usefull if NFS server is behind firewall.
+          useful if NFS server is behind firewall.
         '';
       };
     };

nixos/modules/tasks/network-interfaces-scripted.nix

@@ -185,8 +185,9 @@ in
           in
           { description = "Bridge Interface ${n}";
             wantedBy = [ "network.target" (subsystemDevice n) ];
-            bindsTo = deps;
+            bindsTo = deps ++ optional v.rstp "mstpd.service";
-            after = [ "network-pre.target" ] ++ deps
+            partOf = optional v.rstp "mstpd.service";
+            after = [ "network-pre.target" "mstpd.service" ] ++ deps
               ++ concatMap (i: [ "network-addresses-${i}.service" "network-link-${i}.service" ]) v.interfaces;
             before = [ "network-interfaces.target" (subsystemDevice n) ];
             serviceConfig.Type = "oneshot";
@@ -206,6 +207,11 @@ in
                 ip link set "${i}" up
               '')}
 
+              # Enable stp on the interface
+              ${optionalString v.rstp ''
+                echo 2 >/sys/class/net/${n}/bridge/stp_state
+              ''}
+
               ip link set "${n}" up
             '';
             postStop = ''

nixos/modules/tasks/network-interfaces.nix

@@ -16,6 +16,35 @@ let
 
   slaveIfs = map (i: cfg.interfaces.${i}) (filter (i: cfg.interfaces ? ${i}) slaves);
 
+  rstpBridges = flip filterAttrs cfg.bridges (_: { rstp, ... }: rstp);
+
+  needsMstpd = rstpBridges != { };
+
+  bridgeStp = optional needsMstpd (pkgs.writeTextFile {
+    name = "bridge-stp";
+    executable = true;
+    destination = "/bin/bridge-stp";
+    text = ''
+      #!${pkgs.stdenv.shell} -e
+      export PATH="${pkgs.mstpd}/bin"
+
+      BRIDGES=(${concatStringsSep " " (attrNames rstpBridges)})
+      for BRIDGE in $BRIDGES; do
+        if [ "$BRIDGE" = "$1" ]; then
+          if [ "$2" = "start" ]; then
+            mstpctl addbridge "$BRIDGE"
+            exit 0
+          elif [ "$2" = "stop" ]; then
+            mstpctl delbridge "$BRIDGE"
+            exit 0
+          fi
+          exit 1
+        fi
+      done
+      exit 1
+    '';
+  });
+
   # We must escape interfaces due to the systemd interpretation
   subsystemDevice = interface:
     "sys-subsystem-net-devices-${escapeSystemdPath interface}.device";
@@ -368,6 +397,13 @@ in
             "The physical network interfaces connected by the bridge.";
         };
 
+        rstp = mkOption {
+          example = true;
+          default = false;
+          type = types.bool;
+          description = "Whether the bridge interface should enable rstp.";
+        };
+
       };
 
     };
@@ -676,7 +712,7 @@ in
         pkgs.iw
         pkgs.rfkill
         pkgs.openresolv
-      ];
+      ] ++ bridgeStp;
 
     systemd.targets."network-interfaces" =
       { description = "All Network Interfaces";
@@ -724,6 +760,9 @@ in
             ip link set "${i.name}" mtu "${toString i.mtu}"
           '';
       })));
+
+    services.mstpd = mkIf needsMstpd { enable = true; };
+
   };
 
 }

nixos/modules/testing/test-instrumentation.nix

@@ -38,6 +38,11 @@ let kernel = config.boot.kernelPackages.kernel; in
     systemd.services."serial-getty@ttyS0".enable = false;
     systemd.services."serial-getty@hvc0".enable = false;
 
+    # Don't use a pager when executing backdoor actions. Because we
+    # use a tty, commands like systemctl or nix-store get confused
+    # into thinking they're running interactively.
+    environment.variables.PAGER = "";
+
     boot.initrd.postDeviceCommands =
       ''
         # Using acpi_pm as a clock source causes the guest clock to

nixos/modules/virtualisation/containers.nix

@@ -111,6 +111,13 @@ in
               '';
             };
 
+            autoStart = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                Wether the container is automatically started at boot-time.
+              '';
+            };
           };
 
           config = mkMerge
@@ -187,7 +194,7 @@ in
         script =
           ''
             mkdir -p -m 0755 "$root/etc" "$root/var/lib"
-            mkdir -p -m 0700 "$root/var/lib/private"
+            mkdir -p -m 0700 "$root/var/lib/private" "$root/root"
             if ! [ -e "$root/etc/os-release" ]; then
               touch "$root/etc/os-release"
             fi
@@ -305,6 +312,9 @@ in
                 LOCAL_ADDRESS=${cfg.localAddress}
               ''}
             ''}
+           ${optionalString cfg.autoStart ''
+             AUTO_START=1
+           ''}
           '';
       }) config.containers;
 

nixos/modules/virtualisation/ec2-data.nix

@@ -44,7 +44,7 @@ with lib;
             # into the image (a Nova feature).
             if ! [ -e /root/.ssh/authorized_keys ]; then
                 echo "obtaining SSH key..."
-                mkdir -p /root/.ssh
+                mkdir -m 0700 -p /root/.ssh
                 $wget http://169.254.169.254/1.0/meta-data/public-keys/0/openssh-key > /root/key.pub
                 if [ $? -eq 0 -a -e /root/key.pub ]; then
                     if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then

nixos/modules/virtualisation/google-compute-image.nix

@@ -63,11 +63,12 @@ in
 
           # Register the paths in the Nix database.
           printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-              chroot /mnt ${config.nix.package}/bin/nix-store --load-db
+              chroot /mnt ${config.nix.package}/bin/nix-store --load-db --option build-users-group ""
 
           # Create the system profile to allow nixos-rebuild to work.
           chroot /mnt ${config.nix.package}/bin/nix-env \
-              -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}
+              -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} \
+              --option build-users-group ""
 
           # `nixos-rebuild' requires an /etc/NIXOS.
           mkdir -p /mnt/etc
@@ -119,6 +120,8 @@ in
     169.254.169.254 metadata.google.internal metadata
   '';
 
+  services.ntp.servers = [ "metadata.google.internal" ];
+
   networking.usePredictableInterfaceNames = false;
 
   systemd.services.fetch-ssh-keys =
@@ -129,15 +132,15 @@ in
       after = [ "network-online.target" ];
       wants = [ "network-online.target" ];
 
-      path  = [ pkgs.wget ];
+      script = let wget = "${pkgs.wget}/bin/wget --retry-connrefused -t 6 --waitretry=10"; in
-      script =
         ''
-          wget="wget --retry-connrefused -t 6 --waitretry=10"
+          # When dealing with cryptographic keys, we want to keep things private.
+          umask 077
           # Don't download the SSH key if it has already been downloaded
           if ! [ -e /root/.ssh/authorized_keys ]; then
                 echo "obtaining SSH key..."
-                mkdir -p /root/.ssh
+                mkdir -m 0700 -p /root/.ssh
-                $wget -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys
+                ${wget} -O /root/authorized-keys-metadata http://metadata/0.1/meta-data/authorized-keys
                 if [ $? -eq 0 -a -e /root/authorized-keys-metadata ]; then
                     cat /root/authorized-keys-metadata | cut -d: -f2- > /root/key.pub
                     if ! grep -q -f /root/key.pub /root/.ssh/authorized_keys; then
@@ -145,24 +148,30 @@ in
                         echo "new key added to authorized_keys"
                     fi
                     chmod 600 /root/.ssh/authorized_keys
+                fi
                 rm -f /root/key.pub /root/authorized-keys-metadata
           fi
-          fi
 
-          echo "obtaining SSH private host key..."
+          countKeys=0
-          $wget -O /root/ssh_host_ecdsa_key  http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key
+          ${flip concatMapStrings config.services.openssh.hostKeys (k :
-          if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key ]; then
+            let kName = baseNameOf k.path; in ''
-              mv -f /root/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key
+              echo "trying to obtain SSH private host key ${kName}"
-              echo "downloaded ssh_host_ecdsa_key"
+              ${wget} -O /root/${kName} http://metadata/0.1/meta-data/attributes/${kName} && :
-              chmod 600 /etc/ssh/ssh_host_ecdsa_key
+              if [ $? -eq 0 -a -e /root/${kName} ]; then
+                  countKeys=$((countKeys+1))
+                  mv -f /root/${kName} ${k.path}
+                  echo "downloaded ${k.path}"
+                  chmod 600 ${k.path}
+                  ${config.programs.ssh.package}/bin/ssh-keygen -y -f ${k.path} > ${k.path}.pub
+                  chmod 644 ${k.path}.pub
               fi
+              rm -f /root/${kName}
+            ''
+          )}
 
-          echo "obtaining SSH public host key..."
+          if [[ $countKeys -le 0 ]]; then
-          $wget -O /root/ssh_host_ecdsa_key.pub http://metadata/0.1/meta-data/attributes/ssh_host_ecdsa_key_pub
+             echo "failed to obtain any SSH private host keys."
-          if [ $? -eq 0 -a -e /root/ssh_host_ecdsa_key.pub ]; then
+             false
-              mv -f /root/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
-              echo "downloaded ssh_host_ecdsa_key.pub"
-              chmod 644 /etc/ssh/ssh_host_ecdsa_key.pub
           fi
         '';
       serviceConfig.Type = "oneshot";

nixos/modules/virtualisation/qemu-vm.nix

@@ -266,7 +266,7 @@ in
             Networking-related command-line options that should be passed to qemu.
             The default is to use userspace networking (slirp).
 
-            If you override this option, be adviced to keep
+            If you override this option, be advised to keep
             ''${QEMU_NET_OPTS:+,$QEMU_NET_OPTS} (as seen in the default)
             to keep the default runtime behaviour.
           '';

nixos/release-small.nix

@@ -61,12 +61,12 @@ in rec {
       gettext
       git
       imagemagick
+      jdk
       linux
       mysql51
       mysql55
       nginx
       nodejs
-      openjdk
       openssh
       php
       postgresql92

nixos/release.nix

@@ -242,6 +242,7 @@ in rec {
   tests.avahi = callTest tests/avahi.nix {};
   tests.bittorrent = callTest tests/bittorrent.nix {};
   tests.blivet = callTest tests/blivet.nix {};
+  tests.cadvisor = scrubDrv (import tests/cadvisor.nix { system = "x86_64-linux"; });
   tests.chromium = callTest tests/chromium.nix {};
   tests.cjdns = callTest tests/cjdns.nix {};
   tests.containers = callTest tests/containers.nix {};

nixos/tests/cadvisor.nix

@@ -0,0 +1,30 @@
+import ./make-test.nix {
+  name = "cadvisor";
+
+  nodes = {
+    machine = { config, pkgs, ... }: {
+      services.cadvisor.enable = true;
+    };
+
+    influxdb = { config, pkgs, lib, ... }: with lib; {
+      services.cadvisor.enable = true;
+      services.cadvisor.storageDriver = "influxdb";
+      services.influxdb.enable = true;
+      systemd.services.influxdb.postStart = mkAfter ''
+        ${pkgs.curl}/bin/curl -X POST 'http://localhost:8086/db?u=root&p=root' \
+          -d '{"name": "root"}'
+      '';
+    };
+  };
+
+  testScript =
+    ''
+      startAll;
+      $machine->waitForUnit("cadvisor.service");
+      $machine->succeed("curl http://localhost:8080/containers/");
+
+      $influxdb->waitForUnit("influxdb.service");
+      $influxdb->waitForUnit("cadvisor.service");
+      $influxdb->succeed("curl http://localhost:8080/containers/");
+    '';
+}

nixos/tests/installer.nix

@@ -190,6 +190,9 @@ let
 
       $machine->succeed("test -e /boot/grub");
 
+      # Check whether /root has correct permissions.
+      $machine->succeed("stat -c '%a' /root") =~ /700/ or die;
+
       # Did the swap device get activated?
       # uncomment once https://bugs.freedesktop.org/show_bug.cgi?id=86930 is resolved
       #$machine->waitForUnit("swap.target");

pkgs/applications/audio/ardour/default.nix

@@ -6,7 +6,21 @@
 , perl, pkgconfig, python, serd, sord, sratom, suil }:
 
 let
+
+  # Ardour git repo uses a mix of annotated and lightweight tags. Annotated
+  # tags are used for MAJOR.MINOR versioning, and lightweight tags are used
+  # in-between; MAJOR.MINOR.REV where REV is the number of commits since the
+  # last annotated tag. A slightly different version string format is needed
+  # for the 'revision' info that is built into the binary; it is the format of
+  # "git describe" when _not_ on an annotated tag(!): MAJOR.MINOR-REV-HASH.
+
+  # Version to build.
   tag = "3.5.403";
+
+  # Version info that is built into the binary. Keep in sync with 'tag'. The
+  # last 8 digits is a (fake) commit id.
+  revision = "3.5-403-00000000";
+
 in
 
 stdenv.mkDerivation rec {
@@ -15,7 +29,7 @@ stdenv.mkDerivation rec {
   src = fetchgit {
     url = git://git.ardour.org/ardour/ardour.git;
     rev = "refs/tags/${tag}";
-    sha256 = "7d7c8e2c7ccccca6c8324fd874509e1b0d89f3f42cb92982c50d212797463f4c";
+    sha256 = "0k1z8sbjf88dqn12kf9cykrqj38vkr879n2g6b4adk6cghn8wz3x";
   };
 
   buildInputs = 
@@ -27,10 +41,7 @@ stdenv.mkDerivation rec {
     ];
 
   patchPhase = ''
-    # The funny revision number is from `git describe rev`
+    printf '#include "libs/ardour/ardour/revision.h"\nnamespace ARDOUR { const char* revision = \"${revision}\"; }\n' > libs/ardour/revision.cc
-    printf '#include "libs/ardour/ardour/revision.h"\nnamespace ARDOUR { const char* revision = \"${tag}-g2f6065b\"; }\n' > libs/ardour/revision.cc
-    # Note the different version number
-    sed -i '33i rev = \"3.5-380-g2f6065b\"' wscript
     sed 's|/usr/include/libintl.h|${glibc}/include/libintl.h|' -i wscript
     sed -e 's|^#!/usr/bin/perl.*$|#!${perl}/bin/perl|g' -i tools/fmt-bindings
     sed -e 's|^#!/usr/bin/env.*$|#!${perl}/bin/perl|g' -i tools/*.pl

pkgs/applications/audio/aumix/default.nix

@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
     homepage = http://www.jpj.net/~trevor/aumix.html;
     license = stdenv.lib.licenses.gpl2Plus;
 
-    maintainers = [ stdenv.lib.maintainers.ludo ];
+    maintainers = [ ];
     platforms = stdenv.lib.platforms.linux;
   };
 }

pkgs/applications/audio/faust-compiler/default.nix

@@ -1,14 +1,23 @@
-{ fetchurl, stdenv, unzip, pkgconfig, makeWrapper, libsndfile, libmicrohttpd, vim }:
+{ fetchgit, stdenv, unzip, pkgconfig, makeWrapper, libsndfile, libmicrohttpd, vim }:
 
 stdenv.mkDerivation rec {
 
-  version = "0.9.67";
+  version = "8-1-2015";
   name = "faust-compiler-${version}";
-  src = fetchurl {
+  src = fetchgit {
-    url = "http://downloads.sourceforge.net/project/faudiostream/faust-${version}.zip";
+    url = git://git.code.sf.net/p/faudiostream/code;
-    sha256 = "068vl9536zn0j4pknwfcchzi90rx5pk64wbcbd67z32w0csx8xm1";
+    rev = "4db76fdc02b6aec8d15a5af77fcd5283abe963ce";
+    sha256 = "f1ac92092ee173e4bcf6b2cb1ac385a7c390fb362a578a403b2b6edd5dc7d5d0";
   };
 
+  # this version has a bug that manifests when doing faust2jack:
+  /*version = "0.9.67";*/
+  /*name = "faust-compiler-${version}";*/
+  /*src = fetchurl {*/
+    /*url = "http://downloads.sourceforge.net/project/faudiostream/faust-${version}.zip";*/
+    /*sha256 = "068vl9536zn0j4pknwfcchzi90rx5pk64wbcbd67z32w0csx8xm1";*/
+  /*};*/
+
   buildInputs = [ unzip pkgconfig makeWrapper libsndfile libmicrohttpd vim];
 
 

pkgs/applications/audio/faust/default.nix

@@ -1,21 +1,32 @@
-{ fetchurl, stdenv, bash, alsaLib, atk, cairo, faust-compiler, fontconfig, freetype
+{ fetchgit, stdenv, bash, alsaLib, atk, cairo, faust-compiler, fontconfig, freetype
-, gcc, gdk_pixbuf, glib, gtk, makeWrapper, pango, pkgconfig, unzip
+, gcc, gdk_pixbuf, glib, gtk, jack2, makeWrapper, opencv, pango, pkgconfig, unzip
 , gtkSupport ? true
+, jackaudioSupport ? true
 }:
 
 stdenv.mkDerivation rec {
 
-  version = "0.9.67";
+  version = "8-1-2015";
   name = "faust-${version}";
-  src = fetchurl {
+  src = fetchgit {
-    url = "http://downloads.sourceforge.net/project/faudiostream/faust-${version}.zip";
+    url = git://git.code.sf.net/p/faudiostream/code;
-    sha256 = "068vl9536zn0j4pknwfcchzi90rx5pk64wbcbd67z32w0csx8xm1";
+    rev = "4db76fdc02b6aec8d15a5af77fcd5283abe963ce";
+    sha256 = "f1ac92092ee173e4bcf6b2cb1ac385a7c390fb362a578a403b2b6edd5dc7d5d0";
   };
 
+  # this version has a bug that manifests when doing faust2jack:
+  /*version = "0.9.67";*/
+  /*name = "faust-${version}";*/
+  /*src = fetchurl {*/
+    /*url = "http://downloads.sourceforge.net/project/faudiostream/faust-${version}.zip";*/
+    /*sha256 = "068vl9536zn0j4pknwfcchzi90rx5pk64wbcbd67z32w0csx8xm1";*/
+  /*};*/
+
   buildInputs = [ bash unzip faust-compiler gcc makeWrapper pkgconfig ]
     ++ stdenv.lib.optionals gtkSupport [
       alsaLib atk cairo fontconfig freetype gdk_pixbuf glib gtk pango
     ]
+    ++ stdenv.lib.optional jackaudioSupport jack2
   ;
 
   makeFlags="PREFIX=$(out)";
@@ -24,11 +35,15 @@ stdenv.mkDerivation rec {
   phases = [ "unpackPhase installPhase postInstall" ];
 
   installPhase  = ''
+    sed -i 23,24d  tools/faust2appls/faust2jack
     mkdir $out/bin
     install tools/faust2appls/faust2alsaconsole $out/bin
     install tools/faust2appls/faustpath  $out/bin
     install tools/faust2appls/faustoptflags  $out/bin
     install tools/faust2appls/faust2alsa $out/bin
+    install tools/faust2appls/faust2jack $out/bin
+
+    patchShebangs $out/bin
 
     wrapProgram $out/bin/faust2alsaconsole \
     --prefix PKG_CONFIG_PATH : ${alsaLib}/lib/pkgconfig \
@@ -41,17 +56,23 @@ stdenv.mkDerivation rec {
     --prefix PKG_CONFIG_PATH :  ${alsaLib}/lib/pkgconfig:$GTK_PKGCONFIG_PATHS \
     --set FAUSTLIB ${faust-compiler}/lib/faust \
     --set FAUSTINC ${faust-compiler}/include/ \
-    '' + stdenv.lib.optionalString (!gtkSupport) "rm $out/bin/faust2alsa"
-  ;
 
+
+    wrapProgram  $out/bin/faust2jack \
+    --prefix PKG_CONFIG_PATH :  ${jack2}/lib/pkgconfig:${opencv}/lib/pkgconfig:$GTK_PKGCONFIG_PATHS \
+    --set FAUSTLIB ${faust-compiler}/lib/faust \
+    --set FAUSTINC ${faust-compiler}/include/ \
+
+    ''
+    + stdenv.lib.optionalString (!gtkSupport) "rm $out/bin/faust2alsa"
+    + stdenv.lib.optionalString (!gtkSupport || !jackaudioSupport) "rm $out/bin/faust2jack"
+  ;
   postInstall = ''
-    find $out/bin/ -name "faust2*" -type f | xargs sed "s@/bin/bash@${bash}/bin/bash@g" -i
-    sed -i "s@/bin/bash@${bash}/bin/bash@g" $out/bin/faustpath
     sed -e "s@\$FAUST_INSTALL /usr/local /usr /opt /opt/local@${faust-compiler}@g" -i $out/bin/faustpath
     sed -i "s@/bin/bash@${bash}/bin/bash@g" $out/bin/faustoptflags
-    find $out/bin/ -name "faust2*" -type f | xargs sed "s@pkg-config@${pkgconfig}/bin/pkg-config@g" -i
+    find $out/bin/ -name "*faust2*" -type f | xargs sed "s@pkg-config@${pkgconfig}/bin/pkg-config@g" -i
-    find $out/bin/ -name "faust2*" -type f | xargs sed "s@CXX=g++@CXX=${gcc}/bin/g++@g" -i
+    find $out/bin/ -name "*faust2*" -type f | xargs sed "s@CXX=g++@CXX=${gcc}/bin/g++@g" -i
-    find $out/bin/ -name "faust2*" -type f | xargs sed "s@faust -i -a @${faust-compiler}/bin/faust -i -a ${faust-compiler}/lib/faust/@g" -i
+    find $out/bin/ -name "*faust2*" -type f | xargs sed "s@faust -i -a @${faust-compiler}/bin/faust -i -a ${faust-compiler}/lib/faust/@g" -i
   '';
 
   meta = with stdenv.lib; {

pkgs/applications/audio/fmit/default.nix

@@ -0,0 +1,28 @@
+{ stdenv, fetchurl, alsaLib, cmake, fftw, freeglut, jack2, libXmu, qt4 }:
+
+stdenv.mkDerivation rec {
+  version = "0.99.5";
+  name = "fmit-${version}";
+
+  src = fetchurl {
+    url = "http://download.gna.org/fmit/${name}-Source.tar.bz2";
+    sha256 = "1rc84gi27jmq2smhk0y0p2xyypmsz878vi053iqns21k848g1491";
+  };
+
+  # Also update longDescription when adding/removing sound libraries
+  buildInputs = [ alsaLib cmake fftw freeglut jack2 libXmu qt4 ];
+
+  enableParallelBuilding = true;
+
+  meta = with stdenv.lib; {
+    description = "Free Musical Instrument Tuner";
+    longDescription = ''
+      Software for tuning musical instruments. Uses Qt as GUI library and
+      ALSA or JACK as sound input library.
+    '';
+    homepage = http://home.gna.org/fmit/index.html;
+    license = with licenses; gpl3Plus;
+    platforms = with platforms; linux;
+    maintainers = with maintainers; [ nckx ];
+  };
+}

pkgs/applications/audio/game-music-emu/default.nix

@@ -0,0 +1,21 @@
+{ stdenv, fetchurl, cmake }:
+
+stdenv.mkDerivation rec {
+  version = "0.6.0";
+  name = "game-music-emu-${version}";
+
+  src = fetchurl {
+    url = "https://game-music-emu.googlecode.com/files/${name}.tar.bz2";
+    sha256 = "11s9l938nxbrk7qb2k1ppfgizcz00cakbxgv0gajc6hyqv882vjh";
+  };
+
+  buildInputs = [ cmake ];
+
+  meta = with stdenv.lib; {
+    homepage = https://code.google.com/p/game-music-emu/;
+    description = "A collection of video game music file emulators";
+    license = licenses.lgpl21Plus;
+    platforms = platforms.all;
+    maintainers = [ ];
+  };
+}

pkgs/applications/audio/lmms/default.nix

@@ -5,11 +5,11 @@
 
 stdenv.mkDerivation  rec {
   name = "lmms-${version}";
-  version = "1.0.3";
+  version = "1.1.0";
 
   src = fetchurl {
     url = "https://github.com/LMMS/lmms/archive/v${version}.tar.gz";
-    sha256 = "191mfld3gspnxlgwcszp9kls58kdwrplj0rfw4zqsz90zdbsjnx3";
+    sha256 = "0kck8aapw1m0jbwd20bwwgbs27z518vv09zs1pjm3v8vnkaxlx65";
   };
 
   buildInputs = [

pkgs/applications/audio/mp3gain/default.nix

@@ -14,8 +14,7 @@ stdenv.mkDerivation {
   buildFlags = [ "OSTYPE=linux" ];
 
   installPhase = ''
-    mkdir -p $out/usr/bin
+    install -vD mp3gain "$out/bin/mp3gain"
-    cp mp3gain $out/usr/bin
   '';
 
   meta = {

pkgs/applications/audio/mp3info/default.nix

@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
 
     license = stdenv.lib.licenses.gpl2Plus;
 
-    maintainers = [ stdenv.lib.maintainers.ludo ];
+    maintainers = [ ];
     platforms = stdenv.lib.platforms.unix;
   };
 }

pkgs/applications/audio/mpg321/default.nix

@@ -1,20 +1,28 @@
-{stdenv, fetchurl, libao, libmad, libid3tag, zlib}:
+{stdenv, fetchurl, libao, libmad, libid3tag, zlib, alsaLib}:
 
 stdenv.mkDerivation rec {
-  name = "mpg321-0.2.13-2";
+  name = "mpg321-${version}";
+  version = "0.3.2";
 
   src = fetchurl {
-    url = "mirror://sourceforge/mpg321/0.2.13/${name}.tar.gz";
+    url = "mirror://sourceforge/mpg321/${version}/mpg321_${version}.orig.tar.gz";
-    sha256 = "0zx9xyr97frlyrwyk2msm9h1sn2b84vqaxcy5drbzcd2n585lwlx";
+    sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
-  buildInputs = [libao libid3tag libmad zlib];
+  configureFlags = [
+    ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
+  ];
 
-  meta = {
+  buildInputs = [libao libid3tag libmad zlib]
+    ++ stdenv.lib.optional stdenv.isLinux alsaLib;
+
+  installTargets = "install install-man";
+
+  meta = with stdenv.lib; {
     description = "Command-line MP3 player";
     homepage = http://mpg321.sourceforge.net/;
-    license = stdenv.lib.licenses.gpl2;
+    license = licenses.gpl2;
-    maintainers = [ ];
+    maintainers = [ maintainers.rycee ];
-    platforms = stdenv.lib.platforms.gnu;
+    platforms = platforms.gnu;
   };
 }

pkgs/applications/audio/pianobar/default.nix

@@ -1,15 +1,15 @@
-{ fetchurl, stdenv, pkgconfig, libao, faad2, libmad, readline, json_c, libgcrypt, gnutls }:
+{ fetchurl, stdenv, pkgconfig, libao, readline, json_c, libgcrypt, gnutls, libav }:
 
 stdenv.mkDerivation rec {
-  name = "pianobar-2013.05.19";
+  name = "pianobar-2014.09.28";
 
   src = fetchurl {
     url = "http://6xq.net/projects/pianobar/${name}.tar.bz2";
-    sha256 = "cf88e82663d2b0aa4d73e761506eac4f3e7bc789b57d92377acd994d785e1046";
+    sha256 = "6bd10218ad5d68c4c761e02c729627d2581b4a6db559190e7e52dc5df177e68f";
   };
 
   buildInputs = [
-    pkgconfig libao faad2 libmad json_c libgcrypt gnutls
+    pkgconfig libao json_c libgcrypt gnutls libav
   ];
 
   makeFlags="PREFIX=$(out)";
@@ -17,10 +17,13 @@ stdenv.mkDerivation rec {
   CC = "gcc";
   CFLAGS = "-std=c99";
 
+  configurePhase = "export CC=${CC}";
+
   meta = {
     description = "A console front-end for Pandora.com";
     homepage = "http://6xq.net/projects/pianobar/";
     platforms = stdenv.lib.platforms.linux;
     license = stdenv.lib.licenses.mit; # expat version
+    maintainers = stdenv.lib.maintainers.eduarrrd;
   };
 }

pkgs/applications/audio/spotify/default.nix

@@ -1,6 +1,6 @@
 { fetchurl, stdenv, dpkg, xlibs, qt4, alsaLib, makeWrapper, openssl, freetype
 , glib, pango, cairo, atk, gdk_pixbuf, gtk, cups, nspr, nss, libpng, GConf
-, libgcrypt, chromium, sqlite, gst_plugins_base, gstreamer, udev, fontconfig
+, libgcrypt, chromium, udev, fontconfig
 , dbus, expat }:
 
 assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";
@@ -10,20 +10,6 @@ let
     then "0.9.4.183.g644e24e.428"
     else "0.9.11.27.g2b1a638.81";
 
-  qt4webkit =
-    if stdenv.system == "i686-linux" then
-      fetchurl {
-        name = "libqtwebkit4_2.3.2_i386.deb";
-        url = http://ie.archive.ubuntu.com/ubuntu/pool/main/q/qtwebkit-source/libqtwebkit4_2.3.2-0ubuntu7_i386.deb;
-        sha256 = "0q4abhczx91ma57fjss0gn8j6nkfbfsbsh6kxhykzj88dih2s8rn";
-      }
-    else
-      fetchurl {
-        name = "libqtwebkit4_2.3.2_amd64.deb";
-        url = http://ie.archive.ubuntu.com/ubuntu/pool/main/q/qtwebkit-source/libqtwebkit4_2.3.2-0ubuntu7_amd64.deb;
-        sha256 = "0sac88avfivwkfhmd6fik7ili8fdznqas6741dbspf9mfnawbwch";
-      };
-
   deps = [
     alsaLib
     atk
@@ -36,15 +22,12 @@ let
     GConf
     gdk_pixbuf
     glib
-    gst_plugins_base
-    gstreamer
     gtk
     libgcrypt
     libpng
     nss
     pango
     qt4
-    sqlite
     stdenv.cc.gcc
     xlibs.libX11
     xlibs.libXcomposite
@@ -56,7 +39,6 @@ let
     xlibs.libXrender
     xlibs.libXrender
     xlibs.libXScrnSaver
-    #xlibs.libXss
   ];
 
 in
@@ -83,37 +65,37 @@ stdenv.mkDerivation {
 
   installPhase =
     ''
-      mkdir -p $out
+      libdir=$out/lib/spotify
+      mkdir -p $libdir
       dpkg-deb -x $src $out
       mv $out/opt/spotify/* $out/
       rm -rf $out/usr $out/opt
 
       # Work around Spotify referring to a specific minor version of
       # OpenSSL.
-      mkdir $out/lib
 
-      ln -s ${nss}/lib/libnss3.so $out/lib/libnss3.so.1d
+      ln -s ${nss}/lib/libnss3.so $libdir/libnss3.so.1d
-      ln -s ${nss}/lib/libnssutil3.so $out/lib/libnssutil3.so.1d
+      ln -s ${nss}/lib/libnssutil3.so $libdir/libnssutil3.so.1d
-      ln -s ${nss}/lib/libsmime3.so $out/lib/libsmime3.so.1d
+      ln -s ${nss}/lib/libsmime3.so $libdir/libsmime3.so.1d
 
       ${if stdenv.system == "x86_64-linux" then ''
-      ln -s ${openssl}/lib/libssl.so $out/lib/libssl.so.1.0.0
+      ln -s ${openssl}/lib/libssl.so $libdir/libssl.so.1.0.0
-      ln -s ${openssl}/lib/libcrypto.so $out/lib/libcrypto.so.1.0.0
+      ln -s ${openssl}/lib/libcrypto.so $libdir/libcrypto.so.1.0.0
-      ln -s ${nspr}/lib/libnspr4.so $out/lib/libnspr4.so
+      ln -s ${nspr}/lib/libnspr4.so $libdir/libnspr4.so
-      ln -s ${nspr}/lib/libplc4.so $out/lib/libplc4.so
+      ln -s ${nspr}/lib/libplc4.so $libdir/libplc4.so
       '' else ''
-      ln -s ${openssl}/lib/libssl.so $out/lib/libssl.so.0.9.8
+      ln -s ${openssl}/lib/libssl.so $libdir/libssl.so.0.9.8
-      ln -s ${openssl}/lib/libcrypto.so $out/lib/libcrypto.so.0.9.8
+      ln -s ${openssl}/lib/libcrypto.so $libdir/libcrypto.so.0.9.8
-      ln -s ${nspr}/lib/libnspr4.so $out/lib/libnspr4.so.0d
+      ln -s ${nspr}/lib/libnspr4.so $libdir/libnspr4.so.0d
-      ln -s ${nspr}/lib/libplc4.so $out/lib/libplc4.so.0d
+      ln -s ${nspr}/lib/libplc4.so $libdir/libplc4.so.0d
       ''}
 
       # Work around Spotify trying to open libudev.so.0 (which we don't have)
-      ln -s ${udev}/lib/libudev.so.1 $out/lib/libudev.so.0
+      ln -s ${udev}/lib/libudev.so.1 $libdir/libudev.so.0
 
       mkdir -p $out/bin
 
-      rpath="$out/spotify-client/Data:$out/lib:$out/spotify-client:${stdenv.cc.gcc}/lib64"
+      rpath="$out/spotify-client/Data:$libdir:$out/spotify-client:${stdenv.cc.gcc}/lib64"
 
       ln -s $out/spotify-client/spotify $out/bin/spotify
 
@@ -125,12 +107,8 @@ stdenv.mkDerivation {
         --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
         --set-rpath $rpath $out/spotify-client/Data/SpotifyHelper
 
-      dpkg-deb -x ${qt4webkit} ./
-      mkdir -p $out/lib/
-      cp -v usr/lib/*/* $out/lib/
-
       preload=$out/libexec/spotify/libpreload.so
-      librarypath="${stdenv.lib.makeLibraryPath deps}:$out/lib"
+      librarypath="${stdenv.lib.makeLibraryPath deps}:$libdir"
       mkdir -p $out/libexec/spotify
       gcc -shared ${./preload.c} -o $preload -ldl -DOUT=\"$out\" -fPIC
 

pkgs/applications/audio/transcode/default.nix

@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   meta = with stdenv.lib; {
-    description = "Suite of command line utilities for transcoding video and audio codecs, and for converting beween different container formats";
+    description = "Suite of command line utilities for transcoding video and audio codecs, and for converting between different container formats";
     homepage = http://www.transcoding.org/;
     license = licenses.lgpl2Plus;
     platforms = platforms.linux;

pkgs/applications/audio/yoshimi/default.nix

@@ -6,11 +6,11 @@ assert stdenv ? glibc;
 
 stdenv.mkDerivation  rec {
   name = "yoshimi-${version}";
-  version = "1.3.0";
+  version = "1.3.1";
 
   src = fetchurl {
     url = "mirror://sourceforge/yoshimi/${name}.tar.bz2";
-    sha256 = "1zxblcl6ffwwzxh3d17hw1mp398b73wk5bsagdmx5gph038gdh7y";
+    sha256 = "1nj71xmjgr0pdqwv6h9kigdvljh8hggy6az9rnd7f64r13nmrphl";
   };
 
   buildInputs = [

pkgs/applications/editors/atom/default.nix

@@ -16,11 +16,11 @@ let
   };
 in stdenv.mkDerivation rec {
   name = "atom-${version}";
-  version = "0.150.0";
+  version = "0.171.0";
 
   src = fetchurl {
     url = "https://github.com/atom/atom/releases/download/v${version}/atom-amd64.deb";
-    sha256 = "1vvsxj1pwpcz0hn58k1hsrv994vm61lxkih58ix1rkj32wpvdjxn";
+    sha256 = "0syl3rljk2k8j6fy8xq59qhf13b8a4awpi5cvn1kka56y0vmhxs5";
     name = "${name}.deb";
   };
 

pkgs/applications/editors/eclipse/default.nix

@@ -1,6 +1,7 @@
 { stdenv, fetchurl, makeDesktopItem, makeWrapper
 , freetype, fontconfig, libX11, libXext, libXrender, zlib
 , glib, gtk, libXtst, jre
+, webkitgtk2 ? null  # for internal web browser
 }:
 
 assert stdenv ? glibc;
@@ -44,7 +45,7 @@ let
         
         makeWrapper $out/eclipse/eclipse $out/bin/eclipse \
           --prefix PATH : ${jre}/bin \
-          --prefix LD_LIBRARY_PATH : ${glib}/lib:${gtk}/lib:${libXtst}/lib \
+          --prefix LD_LIBRARY_PATH : ${glib}/lib:${gtk}/lib:${libXtst}/lib${stdenv.lib.optionalString (webkitgtk2 != null) ":${webkitgtk2}/lib"} \
           --add-flags "-configuration \$HOME/.eclipse/''${productId}_$productVersion/configuration"
 
         # Create desktop item.

pkgs/applications/editors/emacs-24/at-fdcwd.patch

@@ -0,0 +1,13 @@
+diff --git a/lib/careadlinkat.h b/lib/careadlinkat.h
+index 5cdb813..7a272e8 100644
+--- a/lib/careadlinkat.h
++++ b/lib/careadlinkat.h
+@@ -23,6 +23,8 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ 
++#define AT_FDCWD -2
++
+ struct allocator;
+ 
+ /* Assuming the current directory is FD, get the symbolic link value

pkgs/applications/editors/emacs-24/default.nix

@@ -18,7 +18,10 @@ stdenv.mkDerivation rec {
     sha256 = "1zflm6ac34s6v166p58ilxrxbxjm0q2wfc25f8y0mjml1lbr3qs7";
   };
 
-  patches = [ ./darwin-new-sections.patch ];
+  patches = stdenv.lib.optionals stdenv.isDarwin [
+    ./darwin-new-sections.patch
+    ./at-fdcwd.patch
+  ];
 
   buildInputs =
     [ ncurses gconf libxml2 gnutls alsaLib pkgconfig texinfo ]