Merge remote-tracking branch 'upstream/master' into openssl-1.1

2019-08-21 14:25:13 +02:00 · 2019-08-21 14:25:13 +02:00 · f4fc845e5b
commit f4fc845e5b
parent 9135412b63 609d408970
1739 changed files with 138825 additions and 193125 deletions
--- a/doc/functions/dockertools.xml
+++ b/doc/functions/dockertools.xml
@ -312,7 +312,23 @@ hello        latest   de2bf4786de6   About a minute ago   25.2MB
      Maximum number of layers to create.
     </para>
     <para>
-      <emphasis>Default:</emphasis> <literal>24</literal>
+      <emphasis>Default:</emphasis> <literal>100</literal>
     </para>
     <para>
      <emphasis>Maximum:</emphasis> <literal>125</literal>
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>
     <varname>extraCommands</varname> <emphasis>optional</emphasis>
    </term>
    <listitem>
     <para>
       Shell commands to run while building the final layer, without access
       to most of the layer contents. Changes to this layer are "on top"
       of all the other layers, so can create additional directories
       and files.
     </para>
    </listitem>
   </varlistentry>
--- a/doc/languages-frameworks/android.section.md
+++ b/doc/languages-frameworks/android.section.md
@ -185,10 +185,9 @@ with import <nixpkgs> {};
 androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
-  platformVersion = "24";
+  platformVersion = "28";
-  abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
+  abiVersion = "x86_64"; # armeabi-v7a, mips, x86
-  systemImageType = "default";
+  systemImageType = "google_apis_playstore";
  useGoogleAPIs = false;
 }
 ```
@ -201,7 +200,7 @@ with import <nixpkgs> {};
 androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
  platformVersion = "24";
-  abiVersion = "armeabi-v7a"; # mips, x86 or x86_64
+  abiVersion = "armeabi-v7a"; # mips, x86, x86_64
  systemImageType = "default";
  useGoogleAPIs = false;
  app = ./MyApp.apk;
--- a/doc/languages-frameworks/idris.section.md
+++ b/doc/languages-frameworks/idris.section.md
@ -124,3 +124,21 @@ in another file (say `default.nix`) to be able to build it with
 ```
 $ nix-build -A yaml
 ```
 ## Passing options to `idris` commands
 The `build-idris-package` function provides also optional input values to set additional options for the used `idris` commands.
 Specifically, you can set `idrisBuildOptions`, `idrisTestOptions`, `idrisInstallOptions` and `idrisDocOptions` to provide additional options to the `idris` command respectively when building, testing, installing and generating docs for your package.
 For example you could set
 ```
 build-idris-package {
  idrisBuildOptions = [ "--log" "1" "--verbose" ]
  ...
 }
 ```
 to require verbose output during `idris` build phase.
--- a/doc/languages-frameworks/perl.xml
+++ b/doc/languages-frameworks/perl.xml
@ -75,7 +75,8 @@ foo = import ../path/to/foo.nix {
     It adds the contents of the <envar>PERL5LIB</envar> environment variable
     to <literal>#! .../bin/perl</literal> line of Perl scripts as
     <literal>-I<replaceable>dir</replaceable></literal> flags. This ensures
-     that a script can find its dependencies.
+     that a script can find its dependencies. (This can cause this shebang line
     to become too long for Darwin to handle; see the note below.)
    </para>
   </listitem>
   <listitem>
@ -137,6 +138,36 @@ ClassC3Componentised = buildPerlPackage rec {
 </programlisting>
 </para>
 <para>
  On Darwin, if a script has too many
  <literal>-I<replaceable>dir</replaceable></literal> flags in its first line
  (its “shebang line”), it will not run. This can be worked around by calling
  the <literal>shortenPerlShebang</literal> function from the
  <literal>postInstall</literal> phase:
 <programlisting>
 { stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:
 ImageExifTool = buildPerlPackage {
  pname = "Image-ExifTool";
  version = "11.50";
  src = fetchurl {
    url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
    sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
  };
  buildInputs = stdenv.lib.optional stdenv.isDarwin shortenPerlShebang;
  postInstall = stdenv.lib.optional stdenv.isDarwin ''
    shortenPerlShebang $out/bin/exiftool
  '';
 };
 </programlisting>
 This will remove the <literal>-I</literal> flags from the shebang line,
 rewrite them in the <literal>use lib</literal> form, and put them on the next
 line instead. This function can be given any number of Perl scripts as
 arguments; it will modify them in-place.
 </para>
 <section xml:id="ssec-generation-from-CPAN">
  <title>Generation from CPAN</title>
--- a/doc/languages-frameworks/qt.xml
+++ b/doc/languages-frameworks/qt.xml
@ -113,6 +113,15 @@ mkDerivation {
 </programlisting>
 </para>
 <note>
  <para>
    <literal>wrapQtAppsHook</literal> ignores files that are non-ELF executables.
    This means that scripts won't be automatically wrapped so you'll need to manually
    wrap them as previously mentioned. An example of when you'd always need to do this
    is with Python applications that use PyQT.
  </para>
 </note>
 <para>
  Libraries are built with every available version of Qt. Use the <literal>meta.broken</literal>
  attribute to disable the package for unsupported Qt versions:
--- a/doc/languages-frameworks/vim.section.md
+++ b/doc/languages-frameworks/vim.section.md
@ -21,7 +21,7 @@ At the moment we support three different methods for managing plugins:
 Adding custom .vimrc lines can be done using the following code:
-```
+```nix
 vim_configurable.customize {
  # `name` specifies the name of the executable and package
  name = "vim-with-plugins";
@ -32,11 +32,11 @@ vim_configurable.customize {
 }
 ```
-This configuration is used when vim is invoked with the command specified as name, in this case `vim-with-plugins`.
+This configuration is used when Vim is invoked with the command specified as name, in this case `vim-with-plugins`.
 For Neovim the `configure` argument can be overridden to achieve the same:
-```
+```nix
 neovim.override {
  configure = {
    customRC = ''
@ -46,10 +46,10 @@ neovim.override {
 }
 ```
-If you want to use `neovim-qt` as a graphical editor, you can configure it by overriding neovim in an overlay
+If you want to use `neovim-qt` as a graphical editor, you can configure it by overriding Neovim in an overlay
-or passing it an overridden neovimn:
+or passing it an overridden Neovimn:
-```
+```nix
 neovim-qt.override {
  neovim = neovim.override {
    configure = {
@ -63,16 +63,16 @@ neovim-qt.override {
 ## Managing plugins with Vim packages
-To store you plugins in Vim packages (the native vim plugin manager, see `:help packages`) the following example can be used:
+To store you plugins in Vim packages (the native Vim plugin manager, see `:help packages`) the following example can be used:
-```
+```nix
 vim_configurable.customize {
  vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
    # loaded on launch
    start = [ youcompleteme fugitive ];
    # manually loadable by calling `:packadd $plugin-name`
-    # however, if a vim plugin has a dependency that is not explicitly listed in
+    # however, if a Vim plugin has a dependency that is not explicitly listed in
-	# opt that dependency will always be added to start to avoid confusion.
+    # opt that dependency will always be added to start to avoid confusion.
    opt = [ phpCompletion elm-vim ];
    # To automatically load a plugin when opening a filetype, add vimrc lines like:
    # autocmd FileType php :packadd phpCompletion
@ -83,7 +83,7 @@ vim_configurable.customize {
 `myVimPackage` is an arbitrary name for the generated package. You can choose any name you like.
 For Neovim the syntax is:
-```
+```nix
 neovim.override {
  configure = {
    customRC = ''
@ -92,7 +92,7 @@ neovim.override {
    packages.myVimPackage = with pkgs.vimPlugins; {
      # see examples below how to use custom packages
      start = [ ];
-      # If a vim plugin has a dependency that is not explicitly listed in
+      # If a Vim plugin has a dependency that is not explicitly listed in
      # opt that dependency will always be added to start to avoid confusion.
      opt = [ ];
    };
@ -102,7 +102,7 @@ neovim.override {
 The resulting package can be added to `packageOverrides` in `~/.nixpkgs/config.nix` to make it installable:
-```
+```nix
 {
  packageOverrides = pkgs: with pkgs; {
    myVim = vim_configurable.customize {
@ -126,7 +126,7 @@ After that you can install your special grafted `myVim` or `myNeovim` packages.
 To use [vim-plug](https://github.com/junegunn/vim-plug) to manage your Vim
 plugins the following example can be used:
-```
+```nix
 vim_configurable.customize {
  vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
    # loaded on launch
@ -137,7 +137,7 @@ vim_configurable.customize {
 For Neovim the syntax is:
-```
+```nix
 neovim.override {
  configure = {
    customRC = ''
@ -161,89 +161,112 @@ assuming that "using latest version" is ok most of the time.
 First create a vim-scripts file having one plugin name per line. Example:
-    "tlib"
+```
-    {'name': 'vim-addon-sql'}
+"tlib"
-    {'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
+{'name': 'vim-addon-sql'}
 {'filetype_regex': '\%(vim)$', 'names': ['reload', 'vim-dev-plugin']}
 ```
 Such vim-scripts file can be read by VAM as well like this:
-    call vam#Scripts(expand('~/.vim-scripts'), {})
+```vim
 call vam#Scripts(expand('~/.vim-scripts'), {})
 ```
 Create a default.nix file:
-    { nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
+```nix
-    nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
+{ nixpkgs ? import <nixpkgs> {}, compiler ? "ghc7102" }:
 nixpkgs.vim_configurable.customize { name = "vim"; vimrcConfig.vam.pluginDictionaries = [ "vim-addon-vim2nix" ]; }
 ```
 Create a generate.vim file:
-    ActivateAddons vim-addon-vim2nix
+```vim
-    let vim_scripts = "vim-scripts"
+ActivateAddons vim-addon-vim2nix
-    call nix#ExportPluginsForNix({
+let vim_scripts = "vim-scripts"
-    \  'path_to_nixpkgs': eval('{"'.substitute(substitute(substitute($NIX_PATH, ':', ',', 'g'), '=',':', 'g'), '\([:,]\)', '"\1"',"g").'"}')["nixpkgs"],
+call nix#ExportPluginsForNix({
-    \  'cache_file': '/tmp/vim2nix-cache',
+\  'path_to_nixpkgs': eval('{"'.substitute(substitute(substitute($NIX_PATH, ':', ',', 'g'), '=',':', 'g'), '\([:,]\)', '"\1"',"g").'"}')["nixpkgs"],
-    \  'try_catch': 0,
+\  'cache_file': '/tmp/vim2nix-cache',
-    \  'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
+\  'try_catch': 0,
-    \ })
+\  'plugin_dictionaries': ["vim-addon-manager"]+map(readfile(vim_scripts), 'eval(v:val)')
 \ })
 ```
 Then run
-    nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
+```bash
 nix-shell -p vimUtils.vim_with_vim2nix --command "vim -c 'source generate.vim'"
 ```
 You should get a Vim buffer with the nix derivations (output1) and vam.pluginDictionaries (output2).
-You can add your vim to your system's configuration file like this and start it by "vim-my":
+You can add your Vim to your system's configuration file like this and start it by "vim-my":
-    my-vim =
+```
-     let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
+my-vim =
-          copy paste output1 here
+  let plugins = let inherit (vimUtils) buildVimPluginFrom2Nix; in {
-     }; in vim_configurable.customize {
+    copy paste output1 here
-       name = "vim-my";
+  }; in vim_configurable.customize {
    name = "vim-my";
-       vimrcConfig.vam.knownPlugins = plugins; # optional
+    vimrcConfig.vam.knownPlugins = plugins; # optional
-       vimrcConfig.vam.pluginDictionaries = [
+    vimrcConfig.vam.pluginDictionaries = [
-          copy paste output2 here
+       copy paste output2 here
-       ];
+    ];
       # Pathogen would be
       # vimrcConfig.pathogen.knownPlugins = plugins; # plugins
       # vimrcConfig.pathogen.pluginNames = ["tlib"];
     };
    # Pathogen would be
    # vimrcConfig.pathogen.knownPlugins = plugins; # plugins
    # vimrcConfig.pathogen.pluginNames = ["tlib"];
  };
 ```
 Sample output1:
-    "reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
+```
-      name = "reload";
+"reload" = buildVimPluginFrom2Nix { # created by nix#NixDerivation
-      src = fetchgit {
+  name = "reload";
-        url = "git://github.com/xolox/vim-reload";
+  src = fetchgit {
-        rev = "0a601a668727f5b675cb1ddc19f6861f3f7ab9e1";
+    url = "git://github.com/xolox/vim-reload";
-        sha256 = "0vb832l9yxj919f5hfg6qj6bn9ni57gnjd3bj7zpq7d4iv2s4wdh";
+    rev = "0a601a668727f5b675cb1ddc19f6861f3f7ab9e1";
-      };
+    sha256 = "0vb832l9yxj919f5hfg6qj6bn9ni57gnjd3bj7zpq7d4iv2s4wdh";
-      dependencies = ["nim-misc"];
+  };
  dependencies = ["nim-misc"];
-    };
+};
-    [...]
+[...]
 ```
 Sample output2:
-    [
+```nix
-      ''vim-addon-manager''
+[
-      ''tlib''
+  ''vim-addon-manager''
-      { "name" = ''vim-addon-sql''; }
+  ''tlib''
-      { "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
+  { "name" = ''vim-addon-sql''; }
-    ]
+  { "filetype_regex" = ''\%(vim)$$''; "names" = [ ''reload'' ''vim-dev-plugin'' ]; }
-
+]
 ```
 ## Adding new plugins to nixpkgs
-In `pkgs/misc/vim-plugins/vim-plugin-names` we store the plugin names
+Nix expressions for Vim plugins are stored in [pkgs/misc/vim-plugins](/pkgs/misc/vim-plugins). For the vast majority of plugins, Nix expressions are automatically generated by running [`./update.py`](/pkgs/misc/vim-plugins/update.py). This creates a [generated.nix](/pkgs/misc/vim-plugins/generated.nix) file based on the plugins listed in [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names). Plugins are listed in alphabetical order in `vim-plugin-names` using the format `[github username]/[repository]`. For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
-for all vim plugins we automatically generate plugins for.
+
-The format of this file `github username/github repository`:
+Some plugins require overrides in order to function properly. Overrides are placed in [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix). Overrides are most often required when a plugin requires some dependencies, or extra steps are required during the build process. For example `deoplete-fish` requires both `deoplete-nvim` and `vim-fish`, and so the following override was added:
-For example https://github.com/scrooloose/nerdtree becomes `scrooloose/nerdtree`.
+
-After adding your plugin to this file run the `./update.py` in the same folder.
+```
-This will updated a file called `generated.nix` and make your plugin accessible in the
+deoplete-fish = super.deoplete-fish.overrideAttrs(old: {
-`vimPlugins` attribute set (`vimPlugins.nerdtree` in our example).
+  dependencies = with super; [ deoplete-nvim vim-fish ];
-If additional steps to the build process of the plugin are required, add an
+});
-override to the `pkgs/misc/vim-plugins/default.nix` in the same directory.
+```
 Sometimes plugins require an override that must be changed when the plugin is updated. This can cause issues when Vim plugins are auto-updated but the associated override isn't updated. For these plugins, the override should be written so that it specifies all information required to install the plugin, and running `./update.py` doesn't change the derivation for the plugin. Manually updating the override is required to update these types of plugins. An example of such a plugin is `LanguageClient-neovim`.
 To add a new plugin:
  1. run `./update.py` and create a commit named "vimPlugins: Update",
  2. add the new plugin to [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names) and add overrides if required to [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix),
  3. run `./update.py` again and create a commit named "vimPlugins.[name]: init at [version]" (where `name` and `version` can be found in [generated.nix](/pkgs/misc/vim-plugins/generated.nix)), and
  4. create a pull request.
 ## Important repositories
@ -252,4 +275,3 @@ override to the `pkgs/misc/vim-plugins/default.nix` in the same directory.
 - [vim2nix](https://github.com/MarcWeber/vim-addon-vim2nix) which generates the
  .nix code
--- a/doc/quick-start.xml
+++ b/doc/quick-start.xml
@ -210,8 +210,12 @@
   </listitem>
   <listitem>
    <para>
-     Optionally commit the new package and open a pull request, or send a patch
+     Optionally commit the new package and open a pull request <link
-     to <literal>https://groups.google.com/forum/#!forum/nix-devel</literal>.
+     xlink:href="https://github.com/NixOS/nixpkgs/pulls">to nixpkgs</link>, or
     use <link
     xlink:href="https://discourse.nixos.org/t/about-the-patches-category/477">
     the Patches category</link> on Discourse for sending a patch without a
     GitHub account.
    </para>
   </listitem>
  </orderedlist>
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@ -1599,6 +1599,16 @@ installTargets = "install-bin install-doc";</programlisting>
   <variablelist>
    <title>Variables controlling the fixup phase</title>
    <varlistentry>
     <term>
      <varname>dontFixup</varname>
     </term>
     <listitem>
      <para>
        Set to true to skip the fixup phase.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term>
      <varname>dontStrip</varname>
--- a/lib/default.nix
+++ b/lib/default.nix
@ -71,7 +71,7 @@ let
      zipAttrsWithNames zipAttrsWith zipAttrs recursiveUpdateUntil
      recursiveUpdate matchAttrs overrideExisting getOutput getBin
      getLib getDev chooseDevOutputs zipWithNames zip;
-    inherit (lists) singleton foldr fold foldl foldl' imap0 imap1
+    inherit (lists) singleton forEach foldr fold foldl foldl' imap0 imap1
      concatMap flatten remove findSingle findFirst any all count
      optional optionals toList range partition zipListsWith zipLists
      reverseList listDfs toposort sort naturalSort compareLists take
--- a/lib/lists.nix
+++ b/lib/lists.nix
@ -21,6 +21,19 @@ rec {
  */
  singleton = x: [x];
  /*  Apply the function to each element in the list. Same as `map`, but arguments
      flipped.
      Type: forEach :: [a] -> (a -> b) -> [b]
      Example:
        forEach [ 1 2 ] (x:
          toString x
        )
        => [ "1" "2" ]
  */
  forEach = xs: f: map f xs;
  /* “right fold” a binary function `op` between successive elements of
     `list` with `nul' as the starting value, i.e.,
     `foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.
--- a/lib/tests/modules.sh
+++ b/lib/tests/modules.sh
@ -71,6 +71,15 @@ checkConfigError 'The option value .* in .* is not of type.*positive integer.*'
 checkConfigOutput "42" config.value ./declare-int-between-value.nix ./define-value-int-positive.nix
 checkConfigError 'The option value .* in .* is not of type.*between.*-21 and 43.*inclusive.*' config.value ./declare-int-between-value.nix ./define-value-int-negative.nix
 # Check either types
 # types.either
 checkConfigOutput "42" config.value ./declare-either.nix ./define-value-int-positive.nix
 checkConfigOutput "\"24\"" config.value ./declare-either.nix ./define-value-string.nix
 # types.oneOf
 checkConfigOutput "42" config.value ./declare-oneOf.nix ./define-value-int-positive.nix
 checkConfigOutput "[ ]" config.value ./declare-oneOf.nix ./define-value-list.nix
 checkConfigOutput "\"24\"" config.value ./declare-oneOf.nix ./define-value-string.nix
 # Check mkForce without submodules.
 set -- config.enable ./declare-enable.nix ./define-enable.nix
 checkConfigOutput "true" "$@"
--- a/lib/tests/modules/declare-either.nix
+++ b/lib/tests/modules/declare-either.nix
@ -0,0 +1,5 @@
 { lib, ... }: {
  options.value = lib.mkOption {
    type = lib.types.either lib.types.int lib.types.str;
  };
 }
--- a/lib/tests/modules/declare-oneOf.nix
+++ b/lib/tests/modules/declare-oneOf.nix
@ -0,0 +1,9 @@
 { lib, ... }: {
  options.value = lib.mkOption {
    type = lib.types.oneOf [
      lib.types.int
      (lib.types.listOf lib.types.int)
      lib.types.str
    ];
  };
 }
--- a/lib/types.nix
+++ b/lib/types.nix
@ -443,6 +443,13 @@ rec {
      functor = (defaultFunctor name) // { wrapped = [ t1 t2 ]; };
    };
    # Any of the types in the given list
    oneOf = ts:
      let
        head' = if ts == [] then throw "types.oneOf needs to get at least one type in its argument" else head ts;
        tail' = tail ts;
      in foldl' either head' tail';
    # Either value of type `finalType` or `coercedType`, the latter is
    # converted to `finalType` using `coerceFunc`.
    coercedTo = coercedType: coerceFunc: finalType:
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@ -5,55 +5,6 @@ with pkgs;
 let
  lib = pkgs.lib;
  # Remove invisible and internal options.
  optionsListVisible = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
  # Replace functions by the string <function>
  substFunction = x:
    if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
    else if builtins.isList x then map substFunction x
    else if lib.isFunction x then "<function>"
    else x;
  # Generate DocBook documentation for a list of packages. This is
  # what `relatedPackages` option of `mkOption` from
  # ../../../lib/options.nix influences.
  #
  # Each element of `relatedPackages` can be either
  # - a string:  that will be interpreted as an attribute name from `pkgs`,
  # - a list:    that will be interpreted as an attribute path from `pkgs`,
  # - an attrset: that can specify `name`, `path`, `package`, `comment`
  #   (either of `name`, `path` is required, the rest are optional).
  genRelatedPackages = packages:
    let
      unpack = p: if lib.isString p then { name = p; }
                  else if lib.isList p then { path = p; }
                  else p;
      describe = args:
        let
          title = args.title or null;
          name = args.name or (lib.concatStringsSep "." args.path);
          path = args.path or [ args.name ];
          package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs);
        in "<listitem>"
        + "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>"
        + lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>"
        + ": ${package.meta.description or "???"}.</para>"
        + lib.optionalString (args ? comment) "\n<para>${args.comment}</para>"
        # Lots of `longDescription's break DocBook, so we just wrap them into <programlisting>
        + lib.optionalString (package.meta ? longDescription) "\n<programlisting>${package.meta.longDescription}</programlisting>"
        + "</listitem>";
    in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>";
  optionsListDesc = lib.flip map optionsListVisible (opt: opt // {
    # Clean up declaration sites to not refer to the NixOS source tree.
    declarations = map stripAnyPrefixes opt.declarations;
  }
  // lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
  // lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
  // lib.optionalAttrs (opt ? type) { type = substFunction opt.type; }
  // lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; });
  # We need to strip references to /nix/store/* from options,
  # including any `extraSources` if some modules came from elsewhere,
  # or else the build will fail.
@ -63,37 +14,13 @@ let
  prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) prefixesToStrip;
-  # Custom "less" that pushes up all the things ending in ".enable*"
+  optionsDoc = buildPackages.nixosOptionsDoc {
-  # and ".package*"
+    inherit options revision;
-  optionLess = a: b:
+    transformOptions = opt: opt // {
-    let
+      # Clean up declaration sites to not refer to the NixOS source tree.
-      ise = lib.hasPrefix "enable";
+      declarations = map stripAnyPrefixes opt.declarations;
-      isp = lib.hasPrefix "package";
+    };
-      cmp = lib.splitByAndCompare ise lib.compare
+  };
                                 (lib.splitByAndCompare isp lib.compare lib.compare);
    in lib.compareLists cmp a.loc b.loc < 0;
  # Customly sort option list for the man page.
  optionsList = lib.sort optionLess optionsListDesc;
  # Convert the list of options into an XML file.
  optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
  optionsDocBook = runCommand "options-db.xml" {} ''
    optionsXML=${optionsXML}
    if grep /nixpkgs/nixos/modules $optionsXML; then
      echo "The manual appears to depend on the location of Nixpkgs, which is bad"
      echo "since this prevents sharing via the NixOS channel.  This is typically"
      echo "caused by an option default that refers to a relative path (see above"
      echo "for hints about the offending path)."
      exit 1
    fi
    ${buildPackages.libxslt.bin}/bin/xsltproc \
      --stringparam revision '${revision}' \
      -o intermediate.xml ${./options-to-docbook.xsl} $optionsXML
    ${buildPackages.libxslt.bin}/bin/xsltproc \
      -o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml
  '';
  sources = lib.sourceFilesBySuffices ./. [".xml"];
@ -108,7 +35,7 @@ let
  generatedSources = runCommand "generated-docbook" {} ''
    mkdir $out
    ln -s ${modulesDoc} $out/modules.xml
-    ln -s ${optionsDocBook} $out/options-db.xml
+    ln -s ${optionsDoc.optionsDocBook} $out/options-db.xml
    printf "%s" "${version}" > $out/version
  '';
@ -234,22 +161,7 @@ let
 in rec {
  inherit generatedSources;
-  # The NixOS options in JSON format.
+  inherit (optionsDoc) optionsJSON optionsXML optionsDocBook;
  optionsJSON = runCommand "options-json"
    { meta.description = "List of NixOS options in JSON format";
    }
    ''
      # Export list of options in different format.
      dst=$out/share/doc/nixos
      mkdir -p $dst
      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
        (builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList))))
      } $dst/options.json
      mkdir -p $out/nix-support
      echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
    ''; # */
  # Generate the NixOS manual.
  manualHTML = runCommand "nixos-manual-html"
--- a/nixos/doc/manual/development/option-types.xml
+++ b/nixos/doc/manual/development/option-types.xml
@ -346,6 +346,18 @@
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>
     <varname>types.oneOf</varname> [ <replaceable>t1</replaceable> <replaceable>t2</replaceable> ... ]
    </term>
    <listitem>
     <para>
      Type <replaceable>t1</replaceable> or type <replaceable>t2</replaceable> and so forth,
      e.g. <literal>with types; oneOf [ int str bool ]</literal>. Multiple definitions
      cannot be merged.
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>
     <varname>types.coercedTo</varname> <replaceable>from</replaceable> <replaceable>f</replaceable> <replaceable>to</replaceable>
--- a/nixos/doc/manual/development/releases.xml
+++ b/nixos/doc/manual/development/releases.xml
@ -98,6 +98,16 @@
      <literal>stableBranch</literal> set to false.
     </para>
    </listitem>
    <listitem>
     <para>
      Remove attributes that we know we will not be able to support,
      especially if there is a stable alternative. E.g. Check that our
      Linux kernels'
      <link xlink:href="https://www.kernel.org/category/releases.html">
      projected end-of-life</link> are after our release projected
      end-of-life
     </para>
    </listitem>
    <listitem>
     <para>
      Edit changelog at
--- a/nixos/doc/manual/installation/changing-config.xml
+++ b/nixos/doc/manual/installation/changing-config.xml
@ -14,6 +14,13 @@
  to build the new configuration, make it the default configuration for
  booting, and try to realise the configuration in the running system (e.g., by
  restarting system services).
  <warning>
   <para>
    This command doesn't start/stop <link linkend="opt-systemd.user.services">user
    services</link> automatically. <command>nixos-rebuild</command> only runs a
    <literal>daemon-reload</literal> for each user with running user services.
   </para>
  </warning>
 </para>
 <warning>
  <para>
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@ -29,13 +29,14 @@
  </para>
  <para>
-   You are logged-in automatically as <literal>root</literal>. (The
+   You are logged-in automatically as <literal>nixos</literal>.
-   <literal>root</literal> user account has an empty password.)
+   The <literal>nixos</literal> user account has an empty password so you
   can use <command>sudo</command> without a password.
  </para>
  <para>
   If you downloaded the graphical ISO image, you can run <command>systemctl
-   start display-manager</command> to start KDE. If you want to continue on the
+   start display-manager</command> to start the desktop environment. If you want to continue on the
   terminal, you can use <command>loadkeys</command> to switch to your
   preferred keyboard layout. (We even provide neo2 via <command>loadkeys de
   neo</command>!)
@ -65,9 +66,9 @@
   <para>
    If you would like to continue the installation from a different machine you
-    need to activate the SSH daemon via <literal>systemctl start
+    need to activate the SSH daemon via <command>systemctl start
-    sshd</literal>. In order to be able to login you also need to set a
+    sshd</command>. You then must set a password for either <literal>root</literal> or
-    password for <literal>root</literal> using <literal>passwd</literal>.
+    <literal>nixos</literal> with <command>passwd></command> to be able to login.
   </para>
  </section>
 </section>
@ -334,7 +335,7 @@
     If you’re using the graphical ISO image, other editors may be available
     (such as <command>vim</command>). If you have network access, you can also
     install other editors — for instance, you can install Emacs by running
-     <literal>nix-env -i emacs</literal>.
+     <literal>nix-env -f '&lt;nixpkgs&gt;' -iA emacs</literal>.
    </para>
    <variablelist>
     <varlistentry>
@ -466,10 +467,10 @@ Retype new UNIX password: ***</screen>
    <para>
     You may also want to install some software. For instance,
 <screen>
-<prompt>$ </prompt>nix-env -qa \*</screen>
+<prompt>$ </prompt>nix-env -qaP \*</screen>
     shows what packages are available, and
 <screen>
-<prompt>$ </prompt>nix-env -i w3m</screen>
+<prompt>$ </prompt>nix-env -f '&lt;nixpkgs&gt;' -iA w3m</screen>
     install the <literal>w3m</literal> browser.
    </para>
   </listitem>
--- a/nixos/doc/manual/man-nixos-enter.xml
+++ b/nixos/doc/manual/man-nixos-enter.xml
@ -34,6 +34,12 @@
    </arg>
     <replaceable>shell-command</replaceable>
   </arg>
   <arg>
    <arg choice='plain'>
     <option>--silent</option>
    </arg>
   </arg>
   <arg>
    <arg choice='plain'>
@ -100,6 +106,16 @@
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>
     <option>--silent</option>
    </term>
    <listitem>
     <para>
       Suppresses all output from the activation script of the target system.
     </para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>
     <option>--</option>
--- a/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixos/doc/manual/man-nixos-rebuild.xml
@ -90,6 +90,35 @@
   <arg>
    <option>--show-trace</option>
   </arg>
   <arg>
    <option>-I</option>
    <replaceable>path</replaceable>
   </arg>
   <arg>
    <group choice='req'>
     <arg choice='plain'><option>--verbose</option></arg>
     <arg choice='plain'><option>-v</option></arg>
    </group>
   </arg>
   <arg>
    <group choice='req'>
     <arg choice='plain'><option>--max-jobs</option></arg>
     <arg choice='plain'><option>-j</option></arg>
    </group>
    <replaceable>number</replaceable>
   </arg>
   <arg>
    <group choice='req'>
     <arg choice='plain'><option>--keep-failed</option></arg>
     <arg choice='plain'><option>-K</option></arg>
    </group>
   </arg>
   <arg>
    <group choice='req'>
     <arg choice='plain'><option>--keep-going</option></arg>
     <arg choice='plain'><option>-k</option></arg>
    </group>
   </arg>
  </cmdsynopsis>
 </refsynopsisdiv>
 <refsection>
@ -101,7 +130,8 @@
   NixOS module, you must run <command>nixos-rebuild</command> to make the
   changes take effect. It builds the new system in
   <filename>/nix/store</filename>, runs its activation script, and stop and
-   (re)starts any system services if needed.
+   (re)starts any system services if needed. Please note that user services need
   to be started manually as they aren't detected by the activation script at the moment.
  </para>
  <para>
   This command has one required argument, which specifies the desired
--- a/nixos/doc/manual/man-pages.xml
+++ b/nixos/doc/manual/man-pages.xml
@ -6,7 +6,7 @@
  <author><personname><firstname>Eelco</firstname><surname>Dolstra</surname></personname>
   <contrib>Author</contrib>
  </author>
-  <copyright><year>2007-2018</year><holder>Eelco Dolstra</holder>
+  <copyright><year>2007-2019</year><holder>Eelco Dolstra</holder>
  </copyright>
 </info>
 <xi:include href="man-configuration.xml" />
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@ -33,6 +33,21 @@
     PHP 7.1 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 19.09 release.
    </para>
   </listitem>
   <listitem>
     <para>
       The binfmt module is now easier to use. Additional systems can
       be added through <option>boot.binfmt.emulatedSystems</option>.
       For instance, <literal>boot.binfmt.emulatedSystems = [
       "wasm32-wasi" "x86_64-windows" "aarch64-linux" ];</literal> will
       set up binfmt interpreters for each of those listed systems.
     </para>
   </listitem>
   <listitem>
     <para>
     The installer now uses a less privileged <literal>nixos</literal> user whereas before we logged in as root.
     To gain root privileges use <literal>sudo -i</literal> without a password.
    </para>
   </listitem>
  </itemizedlist>
 </section>
@ -47,6 +62,13 @@
   The following new services were added since the last release:
  </para>
  <itemizedlist>
   <listitem>
    <para>
     <literal>./programs/dwm-status.nix</literal>
    </para>
   </listitem>
  </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
@ -225,6 +247,38 @@
       Nodejs 8 is scheduled EOL under the lifetime of 19.09 and has been dropped.
     </para>
   </listitem>
   <listitem>
     <para>
       By default, prometheus exporters are now run with <literal>DynamicUser</literal> enabled.
       Exporters that need a real user, now run under a seperate user and group which follow the pattern <literal>&lt;exporter-name&gt;-exporter</literal>, instead of the previous default <literal>nobody</literal> and <literal>nogroup</literal>.
       Only some exporters are affected by the latter, namely the exporters <literal>dovecot</literal>, <literal>node</literal>, <literal>postfix</literal> and <literal>varnish</literal>.
     </para>
   </listitem>
   <listitem>
     <para>
       The <literal>ibus-qt</literal> package is not installed by default anymore when <xref linkend="opt-i18n.inputMethod.enabled" /> is set to <literal>ibus</literal>.
       If IBus support in Qt 4.x applications is required, add the <literal>ibus-qt</literal> package to your <xref linkend="opt-environment.systemPackages" /> manually.
     </para>
   </listitem>
   <listitem>
     <para>
       The CUPS Printing service now uses socket-based activation by
       default, only starting when needed. The previous behavior can
       be restored by setting
       <option>services.cups.startWhenNeeded</option> to
       <literal>false</literal>.
     </para>
   </listitem>
   <listitem>
     <para>
       The <option>services.systemhealth</option> module has been removed from nixpkgs due to lack of maintainer.
     </para>
   </listitem>
   <listitem>
     <para>
       The <option>services.mantisbt</option> module has been removed from nixpkgs due to lack of maintainer.
     </para>
   </listitem>
  </itemizedlist>
 </section>
@ -386,6 +440,67 @@
     installer after creating <literal>/var/lib/nextcloud</literal>.
    </para>
   </listitem>
   <listitem>
    <para>
     There exists now <literal>lib.forEach</literal>, which is like <literal>map</literal>, but with
     arguments flipped. When mapping function body spans many lines (or has nested
     <literal>map</literal>s), it is often hard to follow which list is modified.
    </para>
    <para>
     Previous solution to this problem was either to use <literal>lib.flip map</literal>
     idiom or extract that anonymous mapping function to a named one. Both can still be used
     but <literal>lib.forEach</literal> is preferred over <literal>lib.flip map</literal>.
    </para>
    <para>
      The <literal>/etc/sysctl.d/nixos.conf</literal> file containing all the options set via
      <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link> was moved to
      <literal>/etc/sysctl.d/60-nixos.conf</literal>, as
      <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
      recommends prefixing all filenames in <literal>/etc/sysctl.d</literal> with a
      two-digit number and a dash to simplify the ordering of the files.
    </para>
   </listitem>
   <listitem>
    <para>
      We now install the sysctl snippets shipped with systemd.
    <itemizedlist>
     <para>This enables:</para>
     <listitem>
      <para>Loose reverse path filtering</para>
     </listitem>
     <listitem>
      <para>Source route filtering</para>
     </listitem>
     <listitem>
      <para>
       <literal>fq_codel</literal> as a packet scheduler (this helps to fight bufferbloat)
      </para>
     </listitem>
    </itemizedlist>
     This also configures the kernel to pass coredumps to <literal>systemd-coredump</literal>.
     These sysctl snippets can be found in <literal>/etc/sysctl.d/50-*.conf</literal>,
     and overridden via <link linkend="opt-boot.kernel.sysctl">boot.kernel.sysctl</link>
     (which will place the parameters in <literal>/etc/sysctl.d/60-nixos.conf</literal>).
     </para>
   </listitem>
   <listitem>
    <para>
      Coredumps are now acquired by <literal>systemd-coredump</literal> by default.
      <literal>systemd-coredump</literal> behaviour can still be modified via
      <option>systemd.coredump.extraConfig</option>.
      To stick to the old behaviour (having the kernel dump to a file called <literal>core</literal>
      in the working directory), without piping it through <literal>systemd-coredump</literal>, set
      <option>boot.kernel.sysctl."kernel.core_pattern"</option> to <literal>"core"</literal>.
    </para>
   </listitem>
  <listitem>
   <para>
    <literal>systemd.packages</literal> option now also supports generators and
    shutdown scripts. Old <literal>systemd.generator-packages</literal> option has
    been removed.
   </para>
  </listitem>
  </itemizedlist>
 </section>
 </section>
--- a/nixos/lib/build-vms.nix
+++ b/nixos/lib/build-vms.nix
@ -54,11 +54,11 @@ rec {
      machinesNumbered = zipLists machines (range 1 254);
-      nodes_ = flip map machinesNumbered (m: nameValuePair m.fst
+      nodes_ = forEach machinesNumbered (m: nameValuePair m.fst
        [ ( { config, nodes, ... }:
            let
              interfacesNumbered = zipLists config.virtualisation.vlans (range 1 255);
-              interfaces = flip map interfacesNumbered ({ fst, snd }:
+              interfaces = forEach interfacesNumbered ({ fst, snd }:
                nameValuePair "eth${toString snd}" { ipv4.addresses =
                  [ { address = "192.168.${toString fst}.${toString m.snd}";
                      prefixLength = 24;
@ -67,7 +67,7 @@ rec {
            in
            { key = "ip-address";
              config =
-                { networking.hostName = m.fst;
+                { networking.hostName = mkDefault m.fst;
                  networking.interfaces = listToAttrs interfaces;
@ -88,7 +88,7 @@ rec {
                         "${config.networking.hostName}\n"));
                  virtualisation.qemu.options =
-                    flip map interfacesNumbered
+                    forEach interfacesNumbered
                      ({ fst, snd }: qemuNICFlags snd fst m.snd);
                };
            }
--- a/nixos/lib/make-options-doc/default.nix
+++ b/nixos/lib/make-options-doc/default.nix
@ -0,0 +1,164 @@
 /* Generate JSON, XML and DocBook documentation for given NixOS options.
   Minimal example:
    { pkgs,  }:
    let
      eval = import (pkgs.path + "/nixos/lib/eval-config.nix") {
        baseModules = [
          ../module.nix
        ];
        modules = [];
      };
    in pkgs.nixosOptionsDoc {
      options = eval.options;
    }
 */
 { pkgs
 , lib
 , options
 , transformOptions ? lib.id  # function for additional tranformations of the options
 , revision ? "" # Specify revision for the options
 }:
 let
  # Replace functions by the string <function>
  substFunction = x:
    if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
    else if builtins.isList x then map substFunction x
    else if lib.isFunction x then "<function>"
    else x;
  optionsListDesc = lib.flip map optionsListVisible
   (opt: transformOptions opt
    // lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
    // lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
    // lib.optionalAttrs (opt ? type) { type = substFunction opt.type; }
    // lib.optionalAttrs (opt ? relatedPackages && opt.relatedPackages != []) { relatedPackages = genRelatedPackages opt.relatedPackages; }
   );
  # Generate DocBook documentation for a list of packages. This is
  # what `relatedPackages` option of `mkOption` from
  # ../../../lib/options.nix influences.
  #
  # Each element of `relatedPackages` can be either
  # - a string:  that will be interpreted as an attribute name from `pkgs`,
  # - a list:    that will be interpreted as an attribute path from `pkgs`,
  # - an attrset: that can specify `name`, `path`, `package`, `comment`
  #   (either of `name`, `path` is required, the rest are optional).
  genRelatedPackages = packages:
    let
      unpack = p: if lib.isString p then { name = p; }
                  else if lib.isList p then { path = p; }
                  else p;
      describe = args:
        let
          title = args.title or null;
          name = args.name or (lib.concatStringsSep "." args.path);
          path = args.path or [ args.name ];
          package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}'") pkgs);
        in "<listitem>"
        + "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>"
        + lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>"
        + ": ${package.meta.description or "???"}.</para>"
        + lib.optionalString (args ? comment) "\n<para>${args.comment}</para>"
        # Lots of `longDescription's break DocBook, so we just wrap them into <programlisting>
        + lib.optionalString (package.meta ? longDescription) "\n<programlisting>${package.meta.longDescription}</programlisting>"
        + "</listitem>";
    in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>";
  # Custom "less" that pushes up all the things ending in ".enable*"
  # and ".package*"
  optionLess = a: b:
    let
      ise = lib.hasPrefix "enable";
      isp = lib.hasPrefix "package";
      cmp = lib.splitByAndCompare ise lib.compare
                                 (lib.splitByAndCompare isp lib.compare lib.compare);
    in lib.compareLists cmp a.loc b.loc < 0;
  # Remove invisible and internal options.
  optionsListVisible = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
  # Customly sort option list for the man page.
  optionsList = lib.sort optionLess optionsListDesc;
  # Convert the list of options into an XML file.
  optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList);
  optionsNix = builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList);
  # TODO: declarations: link to github
  singleAsciiDoc = name: value: ''
    == ${name}
    ${value.description}
    [discrete]
    === details
    Type:: ${value.type}
    ${ if lib.hasAttr "default" value
       then ''
        Default::
        +
        ----
        ${builtins.toJSON value.default}
        ----
      ''
      else "No Default:: {blank}"
    }
    ${ if value.readOnly
       then "Read Only:: {blank}"
      else ""
    }
    ${ if lib.hasAttr "example" value
       then ''
        Example::
        +
        ----
        ${builtins.toJSON value.example}
        ----
      ''
      else "No Example:: {blank}"
    }
  '';
 in rec {
  inherit optionsNix;
  optionsAsciiDoc = lib.concatStringsSep "\n" (lib.mapAttrsToList singleAsciiDoc optionsNix);
  optionsJSON = pkgs.runCommand "options.json"
    { meta.description = "List of NixOS options in JSON format";
    }
    ''
      # Export list of options in different format.
      dst=$out/share/doc/nixos
      mkdir -p $dst
      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
      mkdir -p $out/nix-support
      echo "file json $dst/options.json" >> $out/nix-support/hydra-build-products
    ''; # */
  optionsDocBook = pkgs.runCommand "options-docbook.xml" {} ''
    optionsXML=${optionsXML}
    if grep /nixpkgs/nixos/modules $optionsXML; then
      echo "The manual appears to depend on the location of Nixpkgs, which is bad"
      echo "since this prevents sharing via the NixOS channel.  This is typically"
      echo "caused by an option default that refers to a relative path (see above"
      echo "for hints about the offending path)."
      exit 1
    fi
    ${pkgs.libxslt.bin}/bin/xsltproc \
      --stringparam revision '${revision}' \
      -o intermediate.xml ${./options-to-docbook.xsl} $optionsXML
    ${pkgs.libxslt.bin}/bin/xsltproc \
      -o "$out" ${./postprocess-option-descriptions.xsl} intermediate.xml
  '';
 }
--- a/nixos/lib/make-options-doc/options-to-docbook.xsl
+++ b/nixos/lib/make-options-doc/options-to-docbook.xsl
--- a/nixos/lib/make-options-doc/postprocess-option-descriptions.xsl
+++ b/nixos/lib/make-options-doc/postprocess-option-descriptions.xsl
--- a/nixos/maintainers/option-usages.nix
+++ b/nixos/maintainers/option-usages.nix
@ -102,7 +102,7 @@ let
      # builtins multiply by 4 the memory usage and the time used to compute
      # each options.
      tryCollectOptions = moduleResult:
-        flip map (excludeOptions (collect isOption moduleResult)) (opt:
+        forEach (excludeOptions (collect isOption moduleResult)) (opt:
          { name = showOption opt.loc; } // builtins.tryEval (strict opt.value));
     in
       keepNames (
--- a/nixos/modules/config/timezone.nix
+++ b/nixos/modules/config/timezone.nix
@ -9,6 +9,8 @@ let
  timezone = types.nullOr (types.addCheck types.str nospace)
    // { description = "null or string without spaces"; };
  lcfg = config.location;
 in
 {
@ -37,12 +39,45 @@ in
      };
    };
    location = {
      latitude = mkOption {
        type = types.float;
        description = ''
          Your current latitude, between
          <literal>-90.0</literal> and <literal>90.0</literal>. Must be provided
          along with longitude.
        '';
      };
      longitude = mkOption {
        type = types.float;
        description = ''
          Your current longitude, between
          between <literal>-180.0</literal> and <literal>180.0</literal>. Must be
          provided along with latitude.
        '';
      };
      provider = mkOption {
        type = types.enum [ "manual" "geoclue2" ];
        default = "manual";
        description = ''
          The location provider to use for determining your location. If set to
          <literal>manual</literal> you must also provide latitude/longitude.
        '';
      };
    };
  };
  config = {
    environment.sessionVariables.TZDIR = "/etc/zoneinfo";
    services.geoclue2.enable = mkIf (lcfg.provider == "geoclue2") true;
    # This way services are restarted when tzdata changes.
    systemd.globalEnvironment.TZDIR = tzdir;
--- a/nixos/modules/config/qt5.nix
+++ b/nixos/modules/config/qt5.nix
@ -0,0 +1,102 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.qt5;
  isQGnome = cfg.platformTheme == "gnome" && cfg.style == "adwaita";
  isQtStyle = cfg.platformTheme == "gtk2" && cfg.style != "adwaita";
  packages = if isQGnome then [ pkgs.qgnomeplatform pkgs.adwaita-qt ]
    else if isQtStyle then [ pkgs.qtstyleplugins ]
    else throw "`qt5.platformTheme` ${cfg.platformTheme} and `qt5.style` ${cfg.style} are not compatible.";
 in
 {
  options = {
    qt5 = {
      enable = mkEnableOption "Qt5 theming configuration";
      platformTheme = mkOption {
        type = types.enum [
          "gtk2"
          "gnome"
        ];
        example = "gnome";
        relatedPackages = [
          "qgnomeplatform"
          ["libsForQt5" "qtstyleplugins"]
        ];
        description = ''
          Selects the platform theme to use for Qt5 applications.</para>
          <para>The options are
          <variablelist>
            <varlistentry>
              <term><literal>gtk</literal></term>
              <listitem><para>Use GTK theme with
                <link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
              </para></listitem>
            </varlistentry>
            <varlistentry>
              <term><literal>gnome</literal></term>
              <listitem><para>Use GNOME theme with
                <link xlink:href="https://github.com/FedoraQt/QGnomePlatform">qgnomeplatform</link>
              </para></listitem>
            </varlistentry>
          </variablelist>
        '';
      };
      style = mkOption {
        type = types.enum [
          "adwaita"
          "cleanlooks"
          "gtk2"
          "motif"
          "plastique"
        ];
        example = "adwaita";
        relatedPackages = [
          "adwaita-qt"
          ["libsForQt5" "qtstyleplugins"]
        ];
        description = ''
          Selects the style to use for Qt5 applications.</para>
          <para>The options are
          <variablelist>
            <varlistentry>
              <term><literal>adwaita</literal></term>
              <listitem><para>Use Adwaita Qt style with
                <link xlink:href="https://github.com/FedoraQt/adwaita-qt">adwaita</link>
              </para></listitem>
            </varlistentry>
            <varlistentry>
              <term><literal>cleanlooks</literal></term>
              <term><literal>gtk2</literal></term>
              <term><literal>motif</literal></term>
              <term><literal>plastique</literal></term>
              <listitem><para>Use styles from
                <link xlink:href="https://github.com/qt/qtstyleplugins">qtstyleplugins</link>
              </para></listitem>
            </varlistentry>
          </variablelist>
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    environment.variables.QT_QPA_PLATFORMTHEME = cfg.platformTheme;
    environment.variables.QT_STYLE_OVERRIDE = cfg.style;
    environment.systemPackages = packages;
  };
 }
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@ -42,22 +42,16 @@ in
  config = {
-    environment.etc."sysctl.d/nixos.conf".text =
+    environment.etc."sysctl.d/60-nixos.conf".text =
      concatStrings (mapAttrsToList (n: v:
        optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
      ) config.boot.kernel.sysctl);
    systemd.services.systemd-sysctl =
      { wantedBy = [ "multi-user.target" ];
-        restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
+        restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
      };
    # Enable hardlink and symlink restrictions.  See
    # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
    # for details.
    boot.kernel.sysctl."fs.protected_hardlinks" = true;
    boot.kernel.sysctl."fs.protected_symlinks" = true;
    # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
    # users as these make it easier to exploit kernel vulnerabilities.
    boot.kernel.sysctl."kernel.kptr_restrict" = 1;
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -564,7 +564,10 @@ in {
      };
    }) (filterAttrs (_: u: u.packages != []) cfg.users));
-    environment.profiles = [ "/etc/profiles/per-user/$USER" ];
+    environment.profiles = [
      "$HOME/.nix-profile"
      "/etc/profiles/per-user/$USER"
    ];
    assertions = [
      { assertion = !cfg.enforceIdUniqueness || (uidsAreUnique && gidsAreUnique);
--- a/nixos/modules/hardware/device-tree.nix
+++ b/nixos/modules/hardware/device-tree.nix
@ -0,0 +1,56 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.hardware.deviceTree;
 in {
  options = {
      hardware.deviceTree = {
        enable = mkOption {
          default = pkgs.stdenv.hostPlatform.platform.kernelDTB or false;
          type = types.bool;
          description = ''
            Build device tree files. These are used to describe the
            non-discoverable hardware of a system.
          '';
        };
        base = mkOption {
          default = "${config.boot.kernelPackages.kernel}/dtbs";
          defaultText = "\${config.boot.kernelPackages.kernel}/dtbs";
          example = literalExample "pkgs.deviceTree_rpi";
          type = types.path;
          description = ''
            The package containing the base device-tree (.dtb) to boot. Contains
            device trees bundled with the Linux kernel by default.
          '';
        };
        overlays = mkOption {
          default = [];
          example = literalExample
            "[\"\${pkgs.deviceTree_rpi.overlays}/w1-gpio.dtbo\"]";
          type = types.listOf types.path;
          description = ''
            A path containing device tree overlays (.dtbo) to be applied to all
            base device-trees.
          '';
        };
        package = mkOption {
          default = null;
          type = types.nullOr types.path;
          internal = true;
          description = ''
            A path containing the result of applying `overlays` to `base`.
          '';
        };
      };
  };
  config = mkIf (cfg.enable) {
    hardware.deviceTree.package = if (cfg.overlays != [])
      then pkgs.deviceTree.applyOverlays cfg.base cfg.overlays else cfg.base;
  };
 }
--- a/nixos/modules/i18n/input-method/ibus.nix
+++ b/nixos/modules/i18n/input-method/ibus.nix
@ -55,7 +55,7 @@ in
    # Without dconf enabled it is impossible to use IBus
    environment.systemPackages = with pkgs; [
-      ibus-qt gnome3.dconf ibusAutostart
+      gnome3.dconf ibusAutostart
    ];
    environment.variables = {
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-base.nix
@ -8,16 +8,30 @@ with lib;
 {
  imports = [ ./installation-cd-base.nix ];
  # Whitelist wheel users to do anything
  # This is useful for things like pkexec
  #
  # WARNING: this is dangerous for systems
  # outside the installation-cd and shouldn't
  # be used anywhere else.
  security.polkit.extraConfig = ''
    polkit.addRule(function(action, subject) {
      if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
      }
    });
  '';
  services.xserver = {
    enable = true;
    # Don't start the X server by default.
    autorun = mkForce false;
-    # Automatically login as root.
+    # Automatically login as nixos.
    displayManager.slim = {
      enable = true;
-      defaultUser = "root";
+      defaultUser = "nixos";
      autoLogin = true;
    };
@ -33,7 +47,6 @@ with lib;
  # Enable sound in graphical iso's.
  hardware.pulseaudio.enable = true;
  hardware.pulseaudio.systemWide = true; # Needed since we run plasma as root.
  environment.systemPackages = [
    # Include gparted for partitioning disks.
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
@ -1,5 +1,5 @@
 # This module defines a NixOS installation CD that contains X11 and
-# Plasma5.
+# Plasma 5.
 { config, lib, pkgs, ... }:
@ -30,15 +30,20 @@ with lib;
      Version=1.0
      Type=Application
      Name=NixOS Manual
-      Exec=firefox ${config.system.build.manual.manualHTMLIndex}
+      Exec=firefox ${config.system.build.manual.manual}/share/doc/nixos/index.html
      Icon=text-html
    '';
    homeDir = "/home/nixos/";
    desktopDir = homeDir + "Desktop/";
  in ''
-    mkdir -p /root/Desktop
+    mkdir -p ${desktopDir}
-    ln -sfT ${manualDesktopFile} /root/Desktop/nixos-manual.desktop
+    chown nixos ${homeDir} ${desktopDir}
-    ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
+
-    ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
+    ln -sfT ${manualDesktopFile} ${desktopDir + "nixos-manual.desktop"}
    ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop ${desktopDir + "gparted.desktop"}
    ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop ${desktopDir + "org.kde.konsole.desktop"}
  '';
 }
--- a/nixos/modules/installer/cd-dvd/sd-image.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image.nix
@ -73,8 +73,8 @@ in
    firmwareSize = mkOption {
      type = types.int;
-      # As of 2019-05-31 the Raspberry pi firmware + u-bot takes ~13MiB
+      # As of 2019-08-18 the Raspberry pi firmware + u-boot takes ~18MiB
-      default = 20;
+      default = 30;
      description = ''
        Size of the /boot/firmware partition, in megabytes.
      '';
--- a/nixos/modules/installer/tools/nixos-enter.sh
+++ b/nixos/modules/installer/tools/nixos-enter.sh
@ -16,7 +16,8 @@ fi
 mountPoint=/mnt
 system=/nix/var/nix/profiles/system
-command=($system/sw/bin/bash "--login")
+command=("$system/sw/bin/bash" "--login")
 silent=0
 while [ "$#" -gt 0 ]; do
    i="$1"; shift 1
@ -32,9 +33,12 @@ while [ "$#" -gt 0 ]; do
            exit 1
            ;;
        --command|-c)
-            command=($system/sw/bin/bash "-c" "$1")
+            command=("$system/sw/bin/bash" "-c" "$1")
            shift 1
            ;;
        --silent)
            silent=1
            ;;
        --)
            command=("$@")
            break
@ -51,11 +55,20 @@ if [[ ! -e $mountPoint/etc/NIXOS ]]; then
    exit 126
 fi
-mkdir -m 0755 -p "$mountPoint/dev" "$mountPoint/sys"
+mkdir -p "$mountPoint/dev" "$mountPoint/sys"
 chmod 0755 "$mountPoint/dev" "$mountPoint/sys"
 mount --rbind /dev "$mountPoint/dev"
 mount --rbind /sys "$mountPoint/sys"
 # If silent, write both stdout and stderr of activation script to /dev/null
 # otherwise, write both streams to stderr of this process
 if [ "$silent" -eq 0 ]; then
    PIPE_TARGET="/dev/stderr"
 else
    PIPE_TARGET="/dev/null"
 fi
 # Run the activation script. Set $LOCALE_ARCHIVE to supress some Perl locale warnings.
-LOCALE_ARCHIVE=$system/sw/lib/locale/locale-archive chroot "$mountPoint" "$system/activate" >&2 || true
+LOCALE_ARCHIVE="$system/sw/lib/locale/locale-archive" chroot "$mountPoint" "$system/activate" >>$PIPE_TARGET 2>&1 || true
 exec chroot "$mountPoint" "${command[@]}"
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -607,90 +607,7 @@ EOF
        }
        write_file($fn, <<EOF);
-# Edit this configuration file to define what should be installed on
+@configuration@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];
 $bootLoaderConfig
  # networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password\@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "Lat2-Terminus16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };
  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";
  # List packages installed in system profile. To search, run:
  # \$ nix search wget
  # environment.systemPackages = with pkgs; [
  #   wget vim
  # ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable sound.
  # sound.enable = true;
  # hardware.pulseaudio.enable = true;
  # Enable the X11 windowing system.
  # services.xserver.enable = true;
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";
  # Enable touchpad support.
  # services.xserver.libinput.enable = true;
  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.sddm.enable = true;
  # services.xserver.desktopManager.plasma5.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.users.jane = {
  #   isNormalUser = true;
  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  # };
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
 }
 EOF
    } else {
        print STDERR "warning: not overwriting existing $fn\n";
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@ -38,7 +38,7 @@ let
    src = ./nixos-generate-config.pl;
    path = lib.optionals (lib.elem "btrfs" config.boot.supportedFilesystems) [ pkgs.btrfs-progs ];
    perl = "${pkgs.perl}/bin/perl -I${pkgs.perlPackages.FileSlurp}/${pkgs.perl.libPrefix}";
-    inherit (config.system.nixos) release;
+    inherit (config.system.nixos-generate-config) configuration;
  };
  nixos-option = makeProg {
@ -61,8 +61,111 @@ in
 {
  options.system.nixos-generate-config.configuration = mkOption {
    internal = true;
    type = types.str;
    description = ''
      The NixOS module that <literal>nixos-generate-config</literal>
      saves to <literal>/etc/nixos/configuration.nix</literal>.
      This is an internal option. No backward compatibility is guaranteed.
      Use at your own risk!
      Note that this string gets spliced into a Perl script. The perl
      variable <literal>$bootLoaderConfig</literal> can be used to
      splice in the boot loader configuration.
    '';
  };
  config = {
    system.nixos-generate-config.configuration = mkDefault ''
      # Edit this configuration file to define what should be installed on
      # your system.  Help is available in the configuration.nix(5) man page
      # and in the NixOS manual (accessible by running ‘nixos-help’).
      { config, pkgs, ... }:
      {
        imports =
          [ # Include the results of the hardware scan.
            ./hardware-configuration.nix
          ];
      $bootLoaderConfig
        # networking.hostName = "nixos"; # Define your hostname.
        # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
        # Configure network proxy if necessary
        # networking.proxy.default = "http://user:password\@proxy:port/";
        # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
        # Select internationalisation properties.
        # i18n = {
        #   consoleFont = "Lat2-Terminus16";
        #   consoleKeyMap = "us";
        #   defaultLocale = "en_US.UTF-8";
        # };
        # Set your time zone.
        # time.timeZone = "Europe/Amsterdam";
        # List packages installed in system profile. To search, run:
        # \$ nix search wget
        # environment.systemPackages = with pkgs; [
        #   wget vim
        # ];
        # Some programs need SUID wrappers, can be configured further or are
        # started in user sessions.
        # programs.mtr.enable = true;
        # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
        # List services that you want to enable:
        # Enable the OpenSSH daemon.
        # services.openssh.enable = true;
        # Open ports in the firewall.
        # networking.firewall.allowedTCPPorts = [ ... ];
        # networking.firewall.allowedUDPPorts = [ ... ];
        # Or disable the firewall altogether.
        # networking.firewall.enable = false;
        # Enable CUPS to print documents.
        # services.printing.enable = true;
        # Enable sound.
        # sound.enable = true;
        # hardware.pulseaudio.enable = true;
        # Enable the X11 windowing system.
        # services.xserver.enable = true;
        # services.xserver.layout = "us";
        # services.xserver.xkbOptions = "eurosign:e";
        # Enable touchpad support.
        # services.xserver.libinput.enable = true;
        # Enable the KDE Desktop Environment.
        # services.xserver.displayManager.sddm.enable = true;
        # services.xserver.desktopManager.plasma5.enable = true;
        # Define a user account. Don't forget to set a password with ‘passwd’.
        # users.users.jane = {
        #   isNormalUser = true;
        #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
        # };
        # This value determines the NixOS release with which your system is to be
        # compatible, in order to avoid breaking some software such as database
        # servers. You should change this only after NixOS release notes say you
        # should.
        system.stateVersion = "${config.system.nixos.release}"; # Did you read the comment?
      }
    '';
    environment.systemPackages =
      [ nixos-build-vms
        nixos-install
--- a/nixos/modules/misc/crashdump.nix
+++ b/nixos/modules/misc/crashdump.nix
@ -58,7 +58,6 @@ in
       "crashkernel=${crashdump.reservedMemory}"
       "nmi_watchdog=panic"
       "softlockup_panic=1"
       "idle=poll"
      ];
      kernelPatches = [ {
        name = "crashdump-config";
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@ -19,7 +19,7 @@ let
      lhs = optCall lhs_ { inherit pkgs; };
      rhs = optCall rhs_ { inherit pkgs; };
    in
-    lhs // rhs //
+    recursiveUpdate lhs rhs //
    optionalAttrs (lhs ? packageOverrides) {
      packageOverrides = pkgs:
        optCall lhs.packageOverrides pkgs //
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -20,12 +20,14 @@
  ./config/iproute2.nix
  ./config/krb5/default.nix
  ./config/ldap.nix
  ./config/locale.nix
  ./config/malloc.nix
  ./config/networking.nix
  ./config/no-x-libs.nix
  ./config/nsswitch.nix
  ./config/power-management.nix
  ./config/pulseaudio.nix
  ./config/qt5.nix
  ./config/resolvconf.nix
  ./config/shells-environment.nix
  ./config/swap.nix
@ -33,7 +35,6 @@
  ./config/system-environment.nix
  ./config/system-path.nix
  ./config/terminfo.nix
  ./config/timezone.nix
  ./config/unix-odbc-drivers.nix
  ./config/users-groups.nix
  ./config/vpnc.nix
@ -46,6 +47,7 @@
  ./hardware/cpu/amd-microcode.nix
  ./hardware/cpu/intel-microcode.nix
  ./hardware/digitalbitbox.nix
  ./hardware/device-tree.nix
  ./hardware/sensor/iio.nix
  ./hardware/ksm.nix
  ./hardware/ledger.nix
@ -106,9 +108,15 @@
  ./programs/digitalbitbox/default.nix
  ./programs/dmrconfig.nix
  ./programs/environment.nix
  ./programs/evince.nix
  ./programs/file-roller.nix
  ./programs/firejail.nix
  ./programs/fish.nix
  ./programs/freetds.nix
  ./programs/fuse.nix
  ./programs/gnome-disks.nix
  ./programs/gnome-documents.nix
  ./programs/gpaste.nix
  ./programs/gnupg.nix
  ./programs/gphoto2.nix
  ./programs/iftop.nix
@ -209,6 +217,7 @@
  ./services/backup/duplicity.nix
  ./services/backup/mysql-backup.nix
  ./services/backup/postgresql-backup.nix
  ./services/backup/postgresql-wal-receiver.nix
  ./services/backup/restic.nix
  ./services/backup/restic-rest-server.nix
  ./services/backup/rsnapshot.nix
@ -277,15 +286,12 @@
  ./services/desktops/flatpak.nix
  ./services/desktops/geoclue2.nix
  ./services/desktops/gsignond.nix
  ./services/desktops/gvfs.nix
  ./services/desktops/pipewire.nix
  ./services/desktops/gnome3/at-spi2-core.nix
  ./services/desktops/gnome3/chrome-gnome-shell.nix
  ./services/desktops/gnome3/evince.nix
  ./services/desktops/gnome3/evolution-data-server.nix
  ./services/desktops/gnome3/file-roller.nix
  ./services/desktops/gnome3/glib-networking.nix
  ./services/desktops/gnome3/gnome-disks.nix
  ./services/desktops/gnome3/gnome-documents.nix
  ./services/desktops/gnome3/gnome-keyring.nix
  ./services/desktops/gnome3/gnome-online-accounts.nix
  ./services/desktops/gnome3/gnome-remote-desktop.nix
@ -293,8 +299,6 @@
  ./services/desktops/gnome3/gnome-settings-daemon.nix
  ./services/desktops/gnome3/gnome-terminal-server.nix
  ./services/desktops/gnome3/gnome-user-share.nix
  ./services/desktops/gnome3/gpaste.nix
  ./services/desktops/gnome3/gvfs.nix
  ./services/desktops/gnome3/rygel.nix
  ./services/desktops/gnome3/seahorse.nix
  ./services/desktops/gnome3/sushi.nix
@ -402,6 +406,7 @@
  ./services/misc/couchpotato.nix
  ./services/misc/devmon.nix
  ./services/misc/dictd.nix
  ./services/misc/dwm-status.nix
  ./services/misc/dysnomia.nix
  ./services/misc/disnix.nix
  ./services/misc/docker-registry.nix
@ -432,13 +437,13 @@
  ./services/misc/logkeys.nix
  ./services/misc/leaps.nix
  ./services/misc/lidarr.nix
  ./services/misc/mantisbt.nix
  ./services/misc/mathics.nix
  ./services/misc/matrix-synapse.nix
  ./services/misc/mbpfan.nix
  ./services/misc/mediatomb.nix
  ./services/misc/mesos-master.nix
  ./services/misc/mesos-slave.nix
  ./services/misc/metabase.nix
  ./services/misc/mwlib.nix
  ./services/misc/nix-daemon.nix
  ./services/misc/nix-gc.nix
@ -516,7 +521,6 @@
  ./services/monitoring/scollector.nix
  ./services/monitoring/smartd.nix
  ./services/monitoring/sysstat.nix
  ./services/monitoring/systemhealth.nix
  ./services/monitoring/teamviewer.nix
  ./services/monitoring/telegraf.nix
  ./services/monitoring/thanos.nix
@ -818,6 +822,7 @@
  ./services/web-servers/varnish/default.nix
  ./services/web-servers/zope2.nix
  ./services/x11/extra-layouts.nix
  ./services/x11/clight.nix
  ./services/x11/colord.nix
  ./services/x11/compton.nix
  ./services/x11/unclutter.nix
@ -857,7 +862,6 @@
  ./system/activation/activation-script.nix
  ./system/activation/top-level.nix
  ./system/boot/binfmt.nix
  ./system/boot/coredump.nix
  ./system/boot/emergency-mode.nix
  ./system/boot/grow-partition.nix
  ./system/boot/initrd-network.nix
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -14,8 +14,6 @@ with lib;
  nix.allowedUsers = mkDefault [ "@users" ];
  environment.memoryAllocator.provider = mkDefault "graphene-hardened";
  security.hideProcessInformation = mkDefault true;
  security.lockKernelModules = mkDefault true;
@ -44,6 +42,9 @@ with lib;
    # Disable legacy virtual syscalls
    "vsyscall=none"
    # Enable page allocator randomization
    "page_alloc.shuffle=1"
  ];
  boot.blacklistedKernelModules = [
@ -92,23 +93,17 @@ with lib;
  # Disable ftrace debugging
  boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
-  # Enable reverse path filtering (that is, do not attempt to route packets
+  # Enable strict reverse path filtering (that is, do not attempt to route
-  # that "obviously" do not belong to the iface's network; dropped packets are
+  # packets that "obviously" do not belong to the iface's network; dropped
-  # logged as martians).
+  # packets are logged as martians).
  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
-  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
  # Ignore broadcast ICMP (mitigate SMURF)
  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
  # Ignore route information from sender
  boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
  boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
  boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
  # setting is applied to interfaces added after the sysctls are set)
  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
@ -121,4 +116,7 @@ with lib;
  # Ignore outgoing ICMP redirects (this is ipv4 only)
  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
  # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
  boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
 }
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@ -32,19 +32,35 @@ with lib;
    #services.rogue.enable = true;
    # Disable some other stuff we don't need.
    security.sudo.enable = mkDefault false;
    services.udisks2.enable = mkDefault false;
    # Use less privileged nixos user
    users.users.nixos = {
      isNormalUser = true;
      extraGroups = [ "wheel" "networkmanager" "video" ];
      # Allow the graphical user to login without password
      initialHashedPassword = "";
    };
    # Allow the user to log in as root without a password.
    users.users.root.initialHashedPassword = "";
    # Allow passwordless sudo from nixos user
    security.sudo = {
      enable = mkDefault true;
      wheelNeedsPassword = mkForce false;
    };
    # Automatically log in at the virtual consoles.
-    services.mingetty.autologinUser = "root";
+    services.mingetty.autologinUser = "nixos";
    # Some more help text.
    services.mingetty.helpLine =
      ''
-        The "root" account has an empty password.  ${
+        The "nixos" and "root" account have empty passwords.  ${
          optionalString config.services.xserver.enable
-            "Type `systemctl start display-manager' to\nstart the graphical user interface."}
+            "Type `sudo systemctl start display-manager' to\nstart the graphical user interface."}
      '';
    # Allow sshd to be started manually through "systemctl start sshd".
@ -86,8 +102,5 @@ with lib;
    # because we have the firewall enabled. This makes installs from the
    # console less cumbersome if the machine has a public IP.
    networking.firewall.logRefusedConnections = mkDefault false;
    # Allow the user to log in as root without a password.
    users.users.root.initialHashedPassword = "";
  };
 }
--- a/nixos/modules/programs/dconf.nix
+++ b/nixos/modules/programs/dconf.nix
@ -34,11 +34,11 @@ in
    services.dbus.packages = [ pkgs.gnome3.dconf ];
-    environment.variables.GIO_EXTRA_MODULES = optional cfg.enable
+    # For dconf executable
-      "${pkgs.gnome3.dconf.lib}/lib/gio/modules";
+    environment.systemPackages = [ pkgs.gnome3.dconf ];
-    # https://github.com/NixOS/nixpkgs/pull/31891
+
-    #environment.variables.XDG_DATA_DIRS = optional cfg.enable
+    # Needed for unwrapped applications
-    #  "$(echo ${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/gsettings-desktop-schemas-*)";
+    environment.variables.GIO_EXTRA_MODULES = mkIf cfg.enable [ "${pkgs.gnome3.dconf.lib}/lib/gio/modules" ];
  };
 }
--- a/nixos/modules/programs/environment.nix
+++ b/nixos/modules/programs/environment.nix
@ -23,9 +23,8 @@ in
        XCURSOR_PATH = [ "$HOME/.icons" ];
      };
-    environment.profiles =
+    environment.profiles = mkAfter
-      [ "$HOME/.nix-profile"
+      [ "/nix/var/nix/profiles/default"
        "/nix/var/nix/profiles/default"
        "/run/current-system/sw"
      ];
--- a/nixos/modules/services/desktops/gnome3/evince.nix
+++ b/nixos/modules/services/desktops/gnome3/evince.nix
@ -6,14 +6,21 @@ with lib;
 {
  # Added 2019-08-09
  imports = [
    (mkRenamedOptionModule
      [ "services" "gnome3" "evince" "enable" ]
      [ "programs" "evince" "enable" ])
  ];
  ###### interface
  options = {
-    services.gnome3.evince = {
+    programs.evince = {
      enable = mkEnableOption
-        "systemd and dbus services for Evince, the GNOME document viewer";
+        "Evince, the GNOME document viewer";
    };
@ -22,7 +29,7 @@ with lib;
  ###### implementation
-  config = mkIf config.services.gnome3.evince.enable {
+  config = mkIf config.programs.evince.enable {
    environment.systemPackages = [ pkgs.evince ];
--- a/nixos/modules/services/desktops/gnome3/file-roller.nix
+++ b/nixos/modules/services/desktops/gnome3/file-roller.nix
@ -6,11 +6,18 @@ with lib;
 {
  # Added 2019-08-09
  imports = [
    (mkRenamedOptionModule
      [ "services" "gnome3" "file-roller" "enable" ]
      [ "programs" "file-roller" "enable" ])
  ];
  ###### interface
  options = {
-    services.gnome3.file-roller = {
+    programs.file-roller = {
      enable = mkEnableOption "File Roller, an archive manager for GNOME";
@ -21,7 +28,7 @@ with lib;
  ###### implementation
-  config = mkIf config.services.gnome3.file-roller.enable {
+  config = mkIf config.programs.file-roller.enable {
    environment.systemPackages = [ pkgs.gnome3.file-roller ];
--- a/nixos/modules/programs/fuse.nix
+++ b/nixos/modules/programs/fuse.nix
@ -0,0 +1,37 @@
 { config, lib, ... }:
 with lib;
 let
  cfg = config.programs.fuse;
 in {
  meta.maintainers = with maintainers; [ primeos ];
  options.programs.fuse = {
    mountMax = mkOption {
      # In the C code it's an "int" (i.e. signed and at least 16 bit), but
      # negative numbers obviously make no sense:
      type = types.ints.between 0 32767; # 2^15 - 1
      default = 1000;
      description = ''
        Set the maximum number of FUSE mounts allowed to non-root users.
      '';
    };
    userAllowOther = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Allow non-root users to specify the allow_other or allow_root mount
        options, see mount.fuse3(8).
      '';
    };
  };
  config =  {
    environment.etc."fuse.conf".text = ''
      ${optionalString (!cfg.userAllowOther) "#"}user_allow_other
      mount_max = ${toString cfg.mountMax}
    '';
  };
 }
--- a/nixos/modules/services/desktops/gnome3/gnome-disks.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-disks.nix
@ -1,4 +1,4 @@
-# GNOME Disks daemon.
+# GNOME Disks.
 { config, pkgs, lib, ... }:
@ -6,17 +6,24 @@ with lib;
 {
  # Added 2019-08-09
  imports = [
    (mkRenamedOptionModule
      [ "services" "gnome3" "gnome-disks" "enable" ]
      [ "programs" "gnome-disks" "enable" ])
  ];
  ###### interface
  options = {
-    services.gnome3.gnome-disks = {
+    programs.gnome-disks = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
-          Whether to enable GNOME Disks daemon, a service designed to
+          Whether to enable GNOME Disks daemon, a program designed to
          be a UDisks2 graphical front-end.
        '';
      };
@ -28,7 +35,7 @@ with lib;
  ###### implementation
-  config = mkIf config.services.gnome3.gnome-disks.enable {
+  config = mkIf config.programs.gnome-disks.enable {
    environment.systemPackages = [ pkgs.gnome3.gnome-disk-utility ];
--- a/nixos/modules/services/desktops/gnome3/gnome-documents.nix
+++ b/nixos/modules/services/desktops/gnome3/gnome-documents.nix
@ -1,4 +1,4 @@
-# GNOME Documents daemon.
+# GNOME Documents.
 { config, pkgs, lib, ... }:
@ -6,17 +6,24 @@ with lib;
 {
  # Added 2019-08-09
  imports = [
    (mkRenamedOptionModule
      [ "services" "gnome3" "gnome-documents" "enable" ]
      [ "programs" "gnome-documents" "enable" ])
  ];
  ###### interface
  options = {
-    services.gnome3.gnome-documents = {
+    programs.gnome-documents = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
-          Whether to enable GNOME Documents services, a document
+          Whether to enable GNOME Documents, a document
          manager application for GNOME.
        '';
      };
@ -28,7 +35,7 @@ with lib;
  ###### implementation
-  config = mkIf config.services.gnome3.gnome-documents.enable {
+  config = mkIf config.programs.gnome-documents.enable {
    environment.systemPackages = [ pkgs.gnome3.gnome-documents ];
--- a/nixos/modules/services/desktops/gnome3/gpaste.nix
+++ b/nixos/modules/services/desktops/gnome3/gpaste.nix
@ -1,12 +1,20 @@
-# GPaste daemon.
+# GPaste.
 { config, lib, pkgs, ... }:
 with lib;
 {
  # Added 2019-08-09
  imports = [
    (mkRenamedOptionModule
      [ "services" "gnome3" "gpaste" "enable" ]
      [ "programs" "gpaste" "enable" ])
  ];
  ###### interface
  options = {
-    services.gnome3.gpaste = {
+     programs.gpaste = {
      enable = mkOption {
        type = types.bool;
        default = false;
@ -18,10 +26,9 @@ with lib;
  };
  ###### implementation
-  config = mkIf config.services.gnome3.gpaste.enable {
+  config = mkIf config.programs.gpaste.enable {
    environment.systemPackages = [ pkgs.gnome3.gpaste ];
    services.dbus.packages = [ pkgs.gnome3.gpaste ];
    services.xserver.desktopManager.gnome3.sessionPath = [ pkgs.gnome3.gpaste ];
    systemd.packages = [ pkgs.gnome3.gpaste ];
  };
 }
--- a/nixos/modules/programs/nylas-mail.nix
+++ b/nixos/modules/programs/nylas-mail.nix
@ -1,36 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.nylas-mail;
 in {
  ###### interface
  options = {
    services.nylas-mail = {
      enable = mkEnableOption ''
        nylas-mail - Open-source mail client built on the modern web with Electron, React, and Flux
      '';
      gnome3-keyring = mkOption {
        type = types.bool;
        default = true;
        description = "Enable gnome3 keyring for nylas-mail.";
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.nylas-mail-bin ];
    services.gnome3.gnome-keyring = mkIf cfg.gnome3-keyring {
      enable = true;
    };
  };
 }
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@ -70,7 +70,7 @@ in
      promptInit = mkOption {
        default = ''
          if [ "$TERM" != dumb ]; then
-              autoload -U promptinit && promptinit && prompt walters
+              autoload -U promptinit && promptinit && prompt walters && setopt prompt_sp
          fi
        '';
        description = ''
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -51,6 +51,10 @@ with lib;
    (mkRemovedOptionModule [ "services" "misc" "nzbget" "openFirewall" ] "The port used by nzbget is managed through the web interface so you should adjust your firewall rules accordingly.")
    (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "user" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a user setting.")
    (mkRemovedOptionModule [ "services" "prometheus" "alertmanager" "group" ] "The alertmanager service is now using systemd's DynamicUser mechanism which obviates a group setting.")
    (mkRemovedOptionModule [ "services" "prometheus2" "alertmanagerURL" ] ''
      Due to incompatibility, the alertmanagerURL option has been removed,
      please use 'services.prometheus2.alertmanagers' instead.
    '')
    (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
    (mkRenamedOptionModule [ "services" "vmwareGuest" ] [ "virtualisation" "vmware" "guest" ])
    (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
@ -221,6 +225,8 @@ with lib;
    (mkRemovedOptionModule [ "services" "mysql" "pidDir" ] "Don't wait for pidfiles, describe dependencies through systemd")
    (mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
    (mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
    (mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
    (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
    # ZSH
    (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
@ -257,7 +263,21 @@ with lib;
    (mkRenamedOptionModule [ "networking" "extraResolvconfConf" ] [ "networking" "resolvconf" "extraConfig" ])
    (mkRenamedOptionModule [ "networking" "resolvconfOptions" ] [ "networking" "resolvconf" "extraOptions" ])
-  ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
+    # Redshift
    (mkChangedOptionModule [ "services" "redshift" "latitude" ] [ "location" "latitude" ]
      (config:
        let value = getAttrFromPath [ "services" "redshift" "latitude" ] config;
        in if value == null then
          throw "services.redshift.latitude is set to null, you can remove this"
          else builtins.fromJSON value))
    (mkChangedOptionModule [ "services" "redshift" "longitude" ] [ "location" "longitude" ]
      (config:
        let value = getAttrFromPath [ "services" "redshift" "longitude" ] config;
        in if value == null then
          throw "services.redshift.longitude is set to null, you can remove this"
          else builtins.fromJSON value))
  ] ++ (forEach [ "blackboxExporter" "collectdExporter" "fritzboxExporter"
                   "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter"
                   "snmpExporter" "unifiExporter" "varnishExporter" ]
       (opt: mkRemovedOptionModule [ "services" "prometheus" "${opt}" ] ''
--- a/nixos/modules/services/admin/oxidized.nix
+++ b/nixos/modules/services/admin/oxidized.nix
@ -97,8 +97,8 @@ in
      preStart = ''
        mkdir -p ${cfg.dataDir}/.config/oxidized
-        cp -v ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db
+        ln -f -s ${cfg.routerDB} ${cfg.dataDir}/.config/oxidized/router.db
-        cp -v ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config
+        ln -f -s ${cfg.configFile} ${cfg.dataDir}/.config/oxidized/config
      '';
      serviceConfig = {
--- a/nixos/modules/services/audio/roon-server.nix
+++ b/nixos/modules/services/audio/roon-server.nix
@ -19,6 +19,20 @@ in {
          TCP: 9100 - 9200
        '';
      };
      user = mkOption {
        type = types.str;
        default = "roon-server";
        description = ''
          User to run the Roon Server as.
        '';
      };
      group = mkOption {
        type = types.str;
        default = "roon-server";
        description = ''
          Group to run the Roon Server as.
        '';
      };
    };
  };
@ -33,8 +47,8 @@ in {
      serviceConfig = {
        ExecStart = "${pkgs.roon-server}/opt/start.sh";
        LimitNOFILE = 8192;
-        DynamicUser = true;
+        User = cfg.user;
-        SupplementaryGroups = "audio";
+        Group = cfg.group;
        StateDirectory = name;
      };
    };
@ -45,5 +59,15 @@ in {
      ];
      allowedUDPPorts = [ 9003 ];
    };
    users.groups."${cfg.group}" = {};
    users.users."${cfg.user}" =
      if cfg.user == "roon-server" then {
        isSystemUser = true;
        description = "Roon Server user";
        groups = [ cfg.group "audio" ];
      }
      else {};
  };
 }
--- a/nixos/modules/services/backup/automysqlbackup.nix
+++ b/nixos/modules/services/backup/automysqlbackup.nix
@ -41,7 +41,7 @@ in
      };
      config = mkOption {
-        type = with types; attrsOf (either (either str (either int bool)) (listOf str));
+        type = with types; attrsOf (oneOf [ str int bool (listOf str) ]);
        default = {};
        description = ''
          automysqlbackup configuration. Refer to
--- a/nixos/modules/services/backup/postgresql-wal-receiver.nix
+++ b/nixos/modules/services/backup/postgresql-wal-receiver.nix
@ -0,0 +1,203 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  receiverSubmodule = {
    options = {
      postgresqlPackage = mkOption {
        type = types.package;
        example = literalExample "pkgs.postgresql_11";
        description = ''
          PostgreSQL package to use.
        '';
      };
      directory = mkOption {
        type = types.path;
        example = literalExample "/mnt/pg_wal/main/";
        description = ''
          Directory to write the output to.
        '';
      };
      statusInterval = mkOption {
        type = types.int;
        default = 10;
        description = ''
          Specifies the number of seconds between status packets sent back to the server.
          This allows for easier monitoring of the progress from server.
          A value of zero disables the periodic status updates completely,
          although an update will still be sent when requested by the server, to avoid timeout disconnect.
        '';
      };
      slot = mkOption {
        type = types.str;
        default = "";
        example = "some_slot_name";
        description = ''
          Require <command>pg_receivewal</command> to use an existing replication slot (see
          <link xlink:href="https://www.postgresql.org/docs/current/warm-standby.html#STREAMING-REPLICATION-SLOTS">Section 26.2.6 of the PostgreSQL manual</link>).
          When this option is used, <command>pg_receivewal</command> will report a flush position to the server,
          indicating when each segment has been synchronized to disk so that the server can remove that segment if it is not otherwise needed.
          When the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby,
          then using a replication slot will report the flush position to the server, but only when a WAL file is closed.
          Therefore, that configuration will cause transactions on the primary to wait for a long time and effectively not work satisfactorily.
          The option <option>synchronous</option> must be specified in addition to make this work correctly.
        '';
      };
      synchronous = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Flush the WAL data to disk immediately after it has been received.
          Also send a status packet back to the server immediately after flushing, regardless of <option>statusInterval</option>.
          This option should be specified if the replication client of <command>pg_receivewal</command> is configured on the server as a synchronous standby,
          to ensure that timely feedback is sent to the server.
        '';
      };
      compress = mkOption {
        type = types.ints.between 0 9;
        default = 0;
        description = ''
          Enables gzip compression of write-ahead logs, and specifies the compression level
          (<literal>0</literal> through <literal>9</literal>, <literal>0</literal> being no compression and <literal>9</literal> being best compression).
          The suffix <literal>.gz</literal> will automatically be added to all filenames.
          This option requires PostgreSQL >= 10.
        '';
      };
      connection = mkOption {
        type = types.str;
        example = "postgresql://user@somehost";
        description = ''
          Specifies parameters used to connect to the server, as a connection string.
          See <link xlink:href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">Section 34.1.1 of the PostgreSQL manual</link> for more information.
          Because <command>pg_receivewal</command> doesn't connect to any particular database in the cluster,
          database name in the connection string will be ignored.
        '';
      };
      extraArgs = mkOption {
        type = with types; listOf str;
        default = [ ];
        example = literalExample ''
          [
            "--no-sync"
          ]
        '';
        description = ''
          A list of extra arguments to pass to the <command>pg_receivewal</command> command.
        '';
      };
      environment = mkOption {
        type = with types; attrsOf str;
        default = { };
        example = literalExample ''
          {
            PGPASSFILE = "/private/passfile";
            PGSSLMODE = "require";
          }
        '';
        description = ''
          Environment variables passed to the service.
          Usable parameters are listed in <link xlink:href="https://www.postgresql.org/docs/current/libpq-envars.html">Section 34.14 of the PostgreSQL manual</link>.
        '';
      };
    };
  };
 in {
  options = {
    services.postgresqlWalReceiver = {
      receivers = mkOption {
        type = with types; attrsOf (submodule receiverSubmodule);
        default = { };
        example = literalExample ''
          {
            main = {
              postgresqlPackage = pkgs.postgresql_11;
              directory = /mnt/pg_wal/main/;
              slot = "main_wal_receiver";
              connection = "postgresql://user@somehost";
            };
          }
        '';
        description = ''
          PostgreSQL WAL receivers.
          Stream write-ahead logs from a PostgreSQL server using <command>pg_receivewal</command> (formerly <command>pg_receivexlog</command>).
          See <link xlink:href="https://www.postgresql.org/docs/current/app-pgreceivewal.html">the man page</link> for more information.
        '';
      };
    };
  };
  config = let
    receivers = config.services.postgresqlWalReceiver.receivers;
  in mkIf (receivers != { }) {
    users = {
      users.postgres = {
        uid = config.ids.uids.postgres;
        group = "postgres";
        description = "PostgreSQL server user";
      };
      groups.postgres = {
        gid = config.ids.gids.postgres;
      };
    };
    assertions = concatLists (attrsets.mapAttrsToList (name: config: [
      {
        assertion = config.compress > 0 -> versionAtLeast config.postgresqlPackage.version "10";
        message = "Invalid configuration for WAL receiver \"${name}\": compress requires PostgreSQL version >= 10.";
      }
    ]) receivers);
    systemd.tmpfiles.rules = mapAttrsToList (name: config: ''
      d ${escapeShellArg config.directory} 0750 postgres postgres - -
    '') receivers;
    systemd.services = with attrsets; mapAttrs' (name: config: nameValuePair "postgresql-wal-receiver-${name}" {
      description = "PostgreSQL WAL receiver (${name})";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "postgres";
        Group = "postgres";
        KillSignal = "SIGINT";
        Restart = "always";
        RestartSec = 30;
      };
      inherit (config) environment;
      script = let
        receiverCommand = postgresqlPackage:
         if (versionAtLeast postgresqlPackage.version "10")
           then "${postgresqlPackage}/bin/pg_receivewal"
           else "${postgresqlPackage}/bin/pg_receivexlog";
      in ''
        ${receiverCommand config.postgresqlPackage} \
          --no-password \
          --directory=${escapeShellArg config.directory} \
          --status-interval=${toString config.statusInterval} \
          --dbname=${escapeShellArg config.connection} \
          ${optionalString (config.compress > 0) "--compress=${toString config.compress}"} \
          ${optionalString (config.slot != "") "--slot=${escapeShellArg config.slot}"} \
          ${optionalString config.synchronous "--synchronous"} \
          ${concatStringsSep " " config.extraArgs}
      '';
    }) receivers;
  };
  meta.maintainers = with maintainers; [ pacien ];
 }
--- a/nixos/modules/services/backup/zfs-replication.nix
+++ b/nixos/modules/services/backup/zfs-replication.nix
@ -0,0 +1,90 @@
 { lib, pkgs, config, ... }:
 with lib;
 let
  cfg = config.services.zfs.autoReplication;
  recursive = optionalString cfg.recursive " --recursive";
  followDelete = optionalString cfg.followDelete " --follow-delete";
 in {
  options = {
    services.zfs.autoReplication = {
      enable = mkEnableOption "ZFS snapshot replication.";
      followDelete = mkOption {
        description = "Remove remote snapshots that don't have a local correspondant.";
        default = true;
        type = types.bool;
      };
      host = mkOption {
        description = "Remote host where snapshots should be sent.";
        example = "example.com";
        type = types.str;
      };
      identityFilePath = mkOption {
        description = "Path to SSH key used to login to host.";
        example = "/home/username/.ssh/id_rsa";
        type = types.path;
      };
      localFilesystem = mkOption {
        description = "Local ZFS fileystem from which snapshots should be sent.  Defaults to the attribute name.";
        example = "pool/file/path";
        type = types.str;
      };
      remoteFilesystem = mkOption {
        description = "Remote ZFS filesystem where snapshots should be sent.";
        example = "pool/file/path";
        type = types.str;
      };
      recursive = mkOption {
        description = "Recursively discover snapshots to send.";
        default = true;
        type = types.bool;
      };
      username = mkOption {
        description = "Username used by SSH to login to remote host.";
        example = "username";
        type = types.str;
      };
    };
  };
  config = lib.mkIf cfg.enable {
    environment.systemPackages = [
      pkgs.lz4
    ];
    systemd.services."zfs-replication" = {
      after = [
        "zfs-snapshot-daily.service"
        "zfs-snapshot-frequent.service"
        "zfs-snapshot-hourly.service"
        "zfs-snapshot-monthly.service"
        "zfs-snapshot-weekly.service"
      ];
      description = "ZFS Snapshot Replication";
      documentation = [
        "https://github.com/alunduil/zfs-replicate"
      ];
      restartIfChanged = false;
      serviceConfig.ExecStart = "${pkgs.zfs-replicate}/bin/zfs-replicate${recursive} -l ${escapeShellArg cfg.username} -i ${escapeShellArg cfg.identityFilePath}${followDelete} ${escapeShellArg cfg.host} ${escapeShellArg cfg.remoteFilesystem} ${escapeShellArg cfg.localFilesystem}";
      wantedBy = [
        "zfs-snapshot-daily.service"
        "zfs-snapshot-frequent.service"
        "zfs-snapshot-hourly.service"
        "zfs-snapshot-monthly.service"
        "zfs-snapshot-weekly.service"
      ];
    };
  };
  meta = {
    maintainers = with lib.maintainers; [ alunduil ];
  };
 }
--- a/nixos/modules/services/databases/couchdb.nix
+++ b/nixos/modules/services/databases/couchdb.nix
@ -160,7 +160,7 @@ in {
    systemd.tmpfiles.rules = [
      "d '${dirOf cfg.uriFile}' - ${cfg.user} ${cfg.group} - -"
-      "d '${dirOf cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
+      "f '${cfg.logFile}' - ${cfg.user} ${cfg.group} - -"
      "d '${cfg.databaseDir}' -  ${cfg.user} ${cfg.group} - -"
      "d '${cfg.viewIndexDir}' -  ${cfg.user} ${cfg.group} - -"
    ];
@ -169,11 +169,9 @@ in {
      description = "CouchDB Server";
      wantedBy = [ "multi-user.target" ];
-      preStart =
+      preStart = ''
        ''
        touch ${cfg.configFile}
-        touch -a ${cfg.logFile}
+      '';
        '';
      environment = mkIf useVersion2 {
        # we are actually specifying 4 configuration files:
--- a/nixos/modules/services/databases/memcached.nix
+++ b/nixos/modules/services/databases/memcached.nix
@ -86,7 +86,25 @@ in
        in "${memcached}/bin/memcached ${networking} -m ${toString cfg.maxMemory} -c ${toString cfg.maxConnections} ${concatStringsSep " " cfg.extraOptions}";
        User = cfg.user;
        # Filesystem access
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
        RuntimeDirectory = "memcached";
        # Caps
        CapabilityBoundingSet = "";
        NoNewPrivileges = true;
        # Misc.
        LockPersonality = true;
        RestrictRealtime = true;
        PrivateMounts = true;
        PrivateUsers = true;
        MemoryDenyWriteExecute = true;
      };
    };
  };
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -251,6 +251,10 @@ in
    environment.systemPackages = [ postgresql ];
    environment.pathsToLink = [
     "/share/postgresql"
    ];
    systemd.services.postgresql =
      { description = "PostgreSQL Server";
@ -326,13 +330,13 @@ in
            fi
          '' + optionalString (cfg.ensureDatabases != []) ''
            ${concatMapStrings (database: ''
-              $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc "CREATE DATABASE ${database}"
+              $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}"'
            '') cfg.ensureDatabases}
          '' + ''
            ${concatMapStrings (user: ''
              $PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc "CREATE USER ${user.name}"
              ${concatStringsSep "\n" (mapAttrsToList (database: permission: ''
-                $PSQL -tAc "GRANT ${permission} ON ${database} TO ${user.name}"
+                $PSQL -tAc 'GRANT ${permission} ON ${database} TO ${user.name}'
              '') user.ensurePermissions)}
            '') cfg.ensureUsers}
          '';
--- a/nixos/modules/services/desktops/flatpak.nix
+++ b/nixos/modules/services/desktops/flatpak.nix
@ -38,5 +38,16 @@ in {
      "$HOME/.local/share/flatpak/exports"
      "/var/lib/flatpak/exports"
    ];
    # It has been possible since https://github.com/flatpak/flatpak/releases/tag/1.3.2
    # to build a SELinux policy module.
    users.users.flatpak = {
      description = "Flatpak system helper";
      group = "flatpak";
      isSystemUser = true;
    };
    users.groups.flatpak = { };
  };
 }
--- a/nixos/modules/services/desktops/gnome3/gvfs.nix
+++ b/nixos/modules/services/desktops/gnome3/gvfs.nix
@ -1,43 +0,0 @@
 # gvfs backends
 { config, lib, pkgs, ... }:
 with lib;
 {
  ###### interface
  options = {
    services.gnome3.gvfs = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable gvfs backends, userspace virtual filesystem used
          by GNOME components via D-Bus.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf config.services.gnome3.gvfs.enable {
    environment.systemPackages = [ pkgs.gnome3.gvfs ];
    services.dbus.packages = [ pkgs.gnome3.gvfs ];
    systemd.packages = [ pkgs.gnome3.gvfs ];
    services.udev.packages = [ pkgs.libmtp.bin ];
  };
 }
--- a/nixos/modules/services/desktops/gvfs.nix
+++ b/nixos/modules/services/desktops/gvfs.nix
@ -0,0 +1,59 @@
 # GVfs
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.gvfs;
 in
 {
  # Added 2019-08-19
  imports = [
    (mkRenamedOptionModule
      [ "services" "gnome3" "gvfs" "enable" ]
      [ "services" "gvfs" "enable" ])
  ];
  ###### interface
  options = {
    services.gvfs = {
      enable = mkEnableOption "GVfs, a userspace virtual filesystem";
      # gvfs can be built with multiple configurations
      package = mkOption {
        type = types.package;
        default = pkgs.gnome3.gvfs;
        description = "Which GVfs package to use.";
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    environment.systemPackages = [ cfg.package ];
    services.dbus.packages = [ cfg.package ];
    systemd.packages = [ cfg.package ];
    services.udev.packages = [ pkgs.libmtp.bin ];
    # Needed for unwrapped applications
    environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];
  };
 }
--- a/nixos/modules/services/development/bloop.nix
+++ b/nixos/modules/services/development/bloop.nix
@ -9,6 +9,20 @@ let
 in {
  options.services.bloop = {
    extraOptions = mkOption {
      type = types.listOf types.str;
      default = [ ];
      example = [
        "-J-Xmx2G"
        "-J-XX:MaxInlineLevel=20"
        "-J-XX:+UseParallelGC"
      ];
      description = ''
        Specifies additional command line argument to pass to bloop
        java process.
      '';
    };
    install = mkOption {
      type = types.bool;
      default = false;
@ -25,10 +39,13 @@ in {
    systemd.user.services.bloop = {
      description = "Bloop Scala build server";
      environment = {
        PATH = mkForce "${makeBinPath [ config.programs.java.package ]}";
      };
      serviceConfig = {
-        Type      = "simple";
+        Type        = "simple";
-        ExecStart = ''${pkgs.bloop}/bin/blp-server'';
+        ExecStart   = ''${pkgs.bloop}/bin/bloop server'';
-        Restart   = "always";
+        Restart     = "always";
      };
    };
--- a/nixos/modules/services/editors/emacs.xml
+++ b/nixos/modules/services/editors/emacs.xml
@ -552,7 +552,7 @@ emacsclient --create-frame --tty  # opens a new frame on the current terminal
    <xref linkend="opt-environment.systemPackages"/>
    (<link
      linkend="sec-declarative-package-mgmt">NixOS</link>), or run
-    <literal>nix-env -i pkgs.docbook5</literal>
+    <literal>nix-env -f '&lt;nixpkgs&gt;' -iA docbook5</literal>
    (<link linkend="sec-ad-hoc-packages">Nix</link>).
   </para>
--- a/nixos/modules/services/games/minecraft-server.nix
+++ b/nixos/modules/services/games/minecraft-server.nix
@ -118,7 +118,7 @@ in {
      };
      serverProperties = mkOption {
-        type = with types; attrsOf (either bool (either int str));
+        type = with types; attrsOf (oneOf [ bool int str ]);
        default = {};
        example = literalExample ''
          {
--- a/nixos/modules/services/hardware/throttled.nix
+++ b/nixos/modules/services/hardware/throttled.nix
@ -8,6 +8,12 @@ in {
  options = {
    services.throttled = {
      enable = mkEnableOption "fix for Intel CPU throttling";
      extraConfig = mkOption {
        type = types.str;
        default = "";
        description = "Alternative configuration";
      };
    };
  };
@ -16,6 +22,9 @@ in {
    # The upstream package has this in Install, but that's not enough, see the NixOS manual
    systemd.services."lenovo_fix".wantedBy = [ "multi-user.target" ];
-    environment.etc."lenovo_fix.conf".source = "${pkgs.throttled}/etc/lenovo_fix.conf";
+    environment.etc."lenovo_fix.conf".source =
      if cfg.extraConfig != ""
      then pkgs.writeText "lenovo_fix.conf" cfg.extraConfig
      else "${pkgs.throttled}/etc/lenovo_fix.conf";
  };
 }
--- a/nixos/modules/services/hardware/trezord.nix
+++ b/nixos/modules/services/hardware/trezord.nix
@ -4,6 +4,12 @@ with lib;
 let
  cfg = config.services.trezord;
 in {
  ### docs
  meta = {
    doc = ./trezord.xml;
  };
  ### interface
--- a/nixos/modules/services/hardware/trezord.xml
+++ b/nixos/modules/services/hardware/trezord.xml
@ -0,0 +1,26 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="trezor">
 <title>Trezor</title>
 <para>
  Trezor is an open-source cryptocurrency hardware wallet and security token
  allowing secure storage of private keys.
 </para>
 <para>
  It offers advanced features such U2F two-factor authorization, SSH login
  through
  <link xlink:href="https://wiki.trezor.io/Apps:SSH_agent">Trezor SSH agent</link>,
  <link xlink:href="https://wiki.trezor.io/GPG">GPG</link> and a
  <link xlink:href="https://wiki.trezor.io/Trezor_Password_Manager">password manager</link>.
  For more information, guides and documentation, see <link xlink:href="https://wiki.trezor.io"/>.
 </para>
 <para>
  To enable Trezor support, add the following to your <filename>configuration.nix</filename>:
 <programlisting>
 <xref linkend="opt-services.trezord.enable"/> = true;
 </programlisting>
  This will add all necessary udev rules and start Trezor Bridge.
 </para>
 </chapter>
--- a/nixos/modules/services/logging/awstats.nix
+++ b/nixos/modules/services/logging/awstats.nix
@ -4,6 +4,7 @@ with lib;
 let
  cfg = config.services.awstats;
  httpd = config.services.httpd;
  package = pkgs.awstats;
 in
@ -67,50 +68,43 @@ in
    environment.etc."awstats/awstats.conf".source = pkgs.runCommand "awstats.conf"
      { preferLocalBuild = true; }
      ( let
          cfg-httpd = config.services.httpd;
          logFormat =
-            if cfg-httpd.logFormat == "combined" then "1" else
+            if httpd.logFormat == "combined" then "1" else
-            if cfg-httpd.logFormat == "common" then "4" else
+            if httpd.logFormat == "common" then "4" else
-            throw "awstats service doesn't support Apache log format `${cfg-httpd.logFormat}`";
+            throw "awstats service doesn't support Apache log format `${httpd.logFormat}`";
        in
        ''
          sed \
            -e 's|^\(DirData\)=.*$|\1="${cfg.vardir}"|' \
            -e 's|^\(DirIcons\)=.*$|\1="icons"|' \
            -e 's|^\(CreateDirDataIfNotExists\)=.*$|\1=1|' \
-            -e 's|^\(SiteDomain\)=.*$|\1="${cfg-httpd.hostName}"|' \
+            -e 's|^\(SiteDomain\)=.*$|\1="${httpd.hostName}"|' \
-            -e 's|^\(LogFile\)=.*$|\1="${cfg-httpd.logDir}/access_log"|' \
+            -e 's|^\(LogFile\)=.*$|\1="${httpd.logDir}/access_log"|' \
            -e 's|^\(LogFormat\)=.*$|\1=${logFormat}|' \
            < '${package.out}/wwwroot/cgi-bin/awstats.model.conf' > "$out"
          echo '${cfg.extraConfig}' >> "$out"
        '');
-    # The httpd sub-service showing awstats.
+    systemd.tmpfiles.rules = optionals cfg.service.enable [
-    services.httpd.enable = mkIf cfg.service.enable true;
+      "d '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
-    services.httpd.extraSubservices = mkIf cfg.service.enable [ { function = { serverInfo, ... }: {
+      "Z '${cfg.vardir}' - ${httpd.user} ${httpd.group} - -"
-      extraConfig =
+    ];
        ''
          Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
          Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
          Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
          ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/"
-          <Directory "${package.out}/wwwroot">
+    # The httpd sub-service showing awstats.
-            Options None
+    services.httpd = optionalAttrs cfg.service.enable {
-            AllowOverride None
+      enable = true;
-            Order allow,deny
+      extraConfig = ''
-            Allow from all
+        Alias ${cfg.service.urlPrefix}/classes "${package.out}/wwwroot/classes/"
-          </Directory>
+        Alias ${cfg.service.urlPrefix}/css "${package.out}/wwwroot/css/"
-        '';
+        Alias ${cfg.service.urlPrefix}/icons "${package.out}/wwwroot/icon/"
-      startupScript =
+        ScriptAlias ${cfg.service.urlPrefix}/ "${package.out}/wwwroot/cgi-bin/"
-        let
+
-          inherit (serverInfo.serverConfig) user group;
+        <Directory "${package.out}/wwwroot">
-        in pkgs.writeScript "awstats_startup.sh"
+          Options None
-          ''
+          Require all granted
-            mkdir -p '${cfg.vardir}'
+        </Directory>
-            chown '${user}:${group}' '${cfg.vardir}'
+      '';
-          '';
+    };
    };}];
    systemd.services.awstats-update = mkIf (cfg.updateAt != null) {
      description = "awstats log collector";
--- a/nixos/modules/services/mail/davmail.nix
+++ b/nixos/modules/services/mail/davmail.nix
@ -7,7 +7,7 @@ let
  cfg = config.services.davmail;
  configType = with types;
-    either (either (attrsOf configType) str) (either int bool) // {
+    oneOf [ (attrsOf configType) str int bool ] // {
      description = "davmail config type (str, int, bool or attribute set thereof)";
    };
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@ -447,7 +447,7 @@ in
      };
      config = mkOption {
-        type = with types; attrsOf (either bool (either str (listOf str)));
+        type = with types; attrsOf (oneOf [ bool str (listOf str) ]);
        description = ''
          The main.cf configuration file as key value set.
        '';
--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@ -331,7 +331,7 @@ in
        };
        config = mkOption {
-          type = with types; attrsOf (either bool (either str (listOf str)));
+          type = with types; attrsOf (oneOf [ bool str (listOf str) ]);
          description = ''
            Addon to postfix configuration
          '';
--- a/nixos/modules/services/mail/rss2email.nix
+++ b/nixos/modules/services/mail/rss2email.nix
@ -30,7 +30,7 @@ in {
      };
      config = mkOption {
-        type = with types; attrsOf (either str (either int bool));
+        type = with types; attrsOf (oneOf [ str int bool ]);
        default = {};
        description = ''
          The configuration to give rss2email.
--- a/nixos/modules/services/misc/dwm-status.nix
+++ b/nixos/modules/services/misc/dwm-status.nix
@ -0,0 +1,73 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.dwm-status;
  order = concatMapStringsSep "," (feature: ''"${feature}"'') cfg.order;
  configFile = pkgs.writeText "dwm-status.toml" ''
    order = [${order}]
    ${cfg.extraConfig}
  '';
 in
 {
  ###### interface
  options = {
    services.dwm-status = {
      enable = mkEnableOption "dwm-status user service";
      package = mkOption {
        type = types.package;
        default = pkgs.dwm-status;
        defaultText = "pkgs.dwm-status";
        example = "pkgs.dwm-status.override { enableAlsaUtils = false; }";
        description = ''
          Which dwm-status package to use.
        '';
      };
      order = mkOption {
        type = types.listOf (types.enum [ "audio" "backlight" "battery" "cpu_load" "network" "time" ]);
        description = ''
          List of enabled features in order.
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = ''
          Extra config in TOML format.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    services.upower.enable = elem "battery" cfg.order;
    systemd.user.services.dwm-status = {
      description = "Highly performant and configurable DWM status service";
      wantedBy = [ "graphical-session.target" ];
      partOf = [ "graphical-session.target" ];
      serviceConfig.ExecStart = "${cfg.package}/bin/dwm-status ${configFile}";
    };
  };
 }
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@ -502,7 +502,7 @@ in {
      "d ${cfg.statePath} 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.statePath}/builds 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.statePath}/config 0750 ${cfg.user} ${cfg.group} -"
-      "d ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
+      "D ${cfg.statePath}/config/initializers 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.statePath}/db 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.statePath}/log 0750 ${cfg.user} ${cfg.group} -"
      "d ${cfg.statePath}/repositories 2770 ${cfg.user} ${cfg.group} -"
@ -659,7 +659,7 @@ in {
        fi
        # We remove potentially broken links to old gitlab-shell versions
-        rm -f ${cfg.statePath}/repositories/**/*.git/hooks
+        rm -Rf ${cfg.statePath}/repositories/**/*.git/hooks
        ${pkgs.sudo}/bin/sudo -u ${cfg.user} -H ${pkgs.git}/bin/git config --global core.autocrlf "input"
      '';
--- a/nixos/modules/services/misc/gitolite.nix
+++ b/nixos/modules/services/misc/gitolite.nix
@ -143,21 +143,37 @@ in
    users.users.${cfg.user} = {
      description     = "Gitolite user";
      home            = cfg.dataDir;
      createHome      = true;
      uid             = config.ids.uids.gitolite;
      group           = cfg.group;
      useDefaultShell = true;
    };
    users.groups."${cfg.group}".gid = config.ids.gids.gitolite;
    systemd.tmpfiles.rules = [
      "d '${cfg.dataDir}' 0750 ${cfg.user} ${cfg.group} - -"
      "d '${cfg.dataDir}'/.gitolite - ${cfg.user} ${cfg.group} - -"
      "d '${cfg.dataDir}'/.gitolite/logs - ${cfg.user} ${cfg.group} - -"
      "Z ${cfg.dataDir} 0750 ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services."gitolite-init" = {
      description = "Gitolite initialization";
      wantedBy    = [ "multi-user.target" ];
      unitConfig.RequiresMountsFor = cfg.dataDir;
-      serviceConfig.User = "${cfg.user}";
+      environment = {
-      serviceConfig.Type = "oneshot";
+        GITOLITE_RC = ".gitolite.rc";
-      serviceConfig.RemainAfterExit = true;
+        GITOLITE_RC_DEFAULT = "${rcDir}/gitolite.rc.default";
      };
      serviceConfig = {
        Type = "oneshot";
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = "~";
        RemainAfterExit = true;
      };
      path = [ pkgs.gitolite pkgs.git pkgs.perl pkgs.bash pkgs.diffutils config.programs.ssh.package ];
      script =
@ -187,11 +203,6 @@ in
          '';
      in
        ''
          cd ${cfg.dataDir}
          mkdir -p .gitolite/logs
          GITOLITE_RC=.gitolite.rc
          GITOLITE_RC_DEFAULT=${rcDir}/gitolite.rc.default
          if ( [[ ! -e "$GITOLITE_RC" ]] && [[ ! -L "$GITOLITE_RC" ]] ) ||
             ( [[ -f "$GITOLITE_RC" ]] && diff -q "$GITOLITE_RC" "$GITOLITE_RC_DEFAULT" >/dev/null ) ||
             ( [[ -L "$GITOLITE_RC" ]] && [[ "$(readlink "$GITOLITE_RC")" =~ ^/nix/store/ ]] )
--- a/nixos/modules/services/misc/mantisbt.nix
+++ b/nixos/modules/services/misc/mantisbt.nix
@ -1,68 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.mantisbt;
  freshInstall = cfg.extraConfig == "";
  # combined code+config directory
  mantisbt = let
    config_inc = pkgs.writeText "config_inc.php" ("<?php\n" + cfg.extraConfig);
    src = pkgs.fetchurl {
      url = "mirror://sourceforge/mantisbt/${name}.tar.gz";
      sha256 = "1pl6xn793p3mxc6ibpr2bhg85vkdlcf57yk7pfc399g47l8x4508";
    };
    name = "mantisbt-1.2.19";
    in
      # We have to copy every time; otherwise config won't be found.
      pkgs.runCommand name
        { preferLocalBuild = true; allowSubstitutes = false; }
        (''
          mkdir -p "$out"
          cd "$out"
          tar -xf '${src}' --strip-components=1
          ln -s '${config_inc}' config_inc.php
        ''
        + lib.optionalString (!freshInstall) "rm -r admin/"
        );
 in
 {
  options.services.mantisbt = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable the mantisbt web service.
        This switches on httpd with PHP and database.
      '';
    };
    urlPrefix = mkOption {
      type = types.string;
      default = "/mantisbt";
      description = "The URL prefix under which the mantisbt service appears.";
    };
    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = ''
        The contents of config_inc.php, without leading &lt;?php.
        If left empty, the admin directory will be accessible.
      '';
    };
  };
  config = mkIf cfg.enable {
    services.mysql.enable = true;
    services.httpd.enable = true;
    services.httpd.enablePHP = true;
    # The httpd sub-service showing mantisbt.
    services.httpd.extraSubservices = [ { function = { ... }: {
      extraConfig =
        ''
          Alias ${cfg.urlPrefix} "${mantisbt}"
        '';
    };}];
  };
 }
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@ -684,7 +684,7 @@ in {
        fi
      '';
      serviceConfig = {
-        Type = "simple";
+        Type = "notify";
        User = "matrix-synapse";
        Group = "matrix-synapse";
        WorkingDirectory = cfg.dataDir;
--- a/nixos/modules/services/misc/metabase.nix
+++ b/nixos/modules/services/misc/metabase.nix
@ -0,0 +1,103 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.metabase;
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib) optional optionalAttrs types;
  dataDir = "/var/lib/metabase";
 in {
  options = {
    services.metabase = {
      enable = mkEnableOption "Metabase service";
      listen = {
        ip = mkOption {
          type = types.str;
          default = "0.0.0.0";
          description = ''
            IP address that Metabase should listen on.
          '';
        };
        port = mkOption {
          type = types.port;
          default = 3000;
          description = ''
            Listen port for Metabase.
          '';
        };
      };
      ssl = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Whether to enable SSL (https) support.
          '';
        };
        port = mkOption {
          type = types.port;
          default = 8443;
          description = ''
            Listen port over SSL (https) for Metabase.
          '';
        };
        keystore = mkOption {
          type = types.nullOr types.path;
          default = "${dataDir}/metabase.jks";
          example = "/etc/secrets/keystore.jks";
          description = ''
            <link xlink:href="https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores">Java KeyStore</link> file containing the certificates.
          '';
        };
      };
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Open ports in the firewall for Metabase.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.metabase = {
      description = "Metabase server";
      wantedBy = [ "multi-user.target" ];
      after = [ "network-online.target" ];
      environment = {
        MB_PLUGINS_DIR = "${dataDir}/plugins";
        MB_DB_FILE = "${dataDir}/metabase.db";
        MB_JETTY_HOST = cfg.listen.ip;
        MB_JETTY_PORT = toString cfg.listen.port;
      } // optionalAttrs (cfg.ssl.enable) {
        MB_JETTY_SSL = true;
        MB_JETTY_SSL_PORT = toString cfg.ssl.port;
        MB_JETTY_SSL_KEYSTORE = cfg.ssl.keystore;
      };
      serviceConfig = {
        DynamicUser = true;
        StateDirectory = baseNameOf dataDir;
        ExecStart = "${pkgs.metabase}/bin/metabase";
      };
    };
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.listen.port ] ++ optional cfg.ssl.enable cfg.ssl.port;
    };
  };
 }
--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@ -84,6 +84,16 @@ in {
        type = types.bool;
        description = "Cadvisor storage driver, enable secure communication.";
      };
      extraOptions = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Additional cadvisor options.
          See <link xlink:href='https://github.com/google/cadvisor/blob/master/docs/runtime_options.md'/> for available options.
        '';
      };
    };
  };
@ -112,6 +122,7 @@ in {
            -logtostderr=true \
            -listen_ip="${cfg.listenAddress}" \
            -port="${toString cfg.port}" \
            ${escapeShellArgs cfg.extraOptions} \
            ${optionalString (cfg.storageDriver != null) ''
              -storage_driver "${cfg.storageDriver}" \
              -storage_driver_user "${cfg.storageDriverHost}" \
--- a/nixos/modules/services/monitoring/datadog-agent.nix
+++ b/nixos/modules/services/monitoring/datadog-agent.nix
@ -42,9 +42,9 @@ let
  # Apply the configured extraIntegrations to the provided agent
  # package. See the documentation of `dd-agent/integrations-core.nix`
  # for detailed information on this.
-  datadogPkg = cfg.package.overrideAttrs(_: {
+  datadogPkg = cfg.package.override {
-    python = (pkgs.datadog-integrations-core cfg.extraIntegrations).python;
+    pythonPackages = pkgs.datadog-integrations-core cfg.extraIntegrations;
-  });
+  };
 in {
  options.services.datadog-agent = {
    enable = mkOption {
@ -60,7 +60,7 @@ in {
      defaultText = "pkgs.datadog-agent";
      description = ''
        Which DataDog v6 agent package to use. Note that the provided
-        package is expected to have an overridable `python`-attribute
+        package is expected to have an overridable `pythonPackages`-attribute
        which configures the Python environment with the Datadog
        checks.
      '';
--- a/nixos/modules/services/monitoring/grafana.nix
+++ b/nixos/modules/services/monitoring/grafana.nix
@ -503,12 +503,12 @@ in {
        message = "Cannot set both adminPassword and adminPasswordFile";
      }
      {
-        assertion = cfg.security.secretKeyFile != opt.security.secretKeyFile.default -> cfg.security.secretKeyFile == null;
+        assertion = cfg.security.secretKey != opt.security.secretKey.default -> cfg.security.secretKeyFile == null;
        message = "Cannot set both secretKey and secretKeyFile";
      }
      {
        assertion = cfg.smtp.password != opt.smtp.password.default -> cfg.smtp.passwordFile == null;
-        message = "Cannot set both password and secretKeyFile";
+        message = "Cannot set both password and passwordFile";
      }
    ];
--- a/nixos/modules/services/monitoring/loki.nix
+++ b/nixos/modules/services/monitoring/loki.nix
@ -103,7 +103,7 @@ in {
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "full";
-        DecvicePolicy = "closed";
+        DevicePolicy = "closed";
        NoNewPrivileges = true;
        WorkingDirectory = cfg.dataDir;
      };
--- a/nixos/modules/services/monitoring/prometheus/default.nix
+++ b/nixos/modules/services/monitoring/prometheus/default.nix
@ -79,12 +79,8 @@ let
      (pkgs.writeText "prometheus.rules" (concatStringsSep "\n" cfg2.rules))
    ]);
    scrape_configs = filterValidPrometheus cfg2.scrapeConfigs;
-    alerting = optionalAttrs (cfg2.alertmanagerURL != []) {
+    alerting = {
-      alertmanagers = [{
+      inherit (cfg2) alertmanagers;
        static_configs = [{
          targets = cfg2.alertmanagerURL;
        }];
      }];
    };
  };
@ -738,11 +734,23 @@ in {
        '';
      };
-      alertmanagerURL = mkOption {
+      alertmanagers = mkOption {
-        type = types.listOf types.str;
+        type = types.listOf types.attrs;
        example = literalExample ''
          [ {
            scheme = "https";
            path_prefix = "/alertmanager";
            static_configs = [ {
              targets = [
                "prometheus.domain.tld"
              ];
            } ];
          } ]
        '';
        default = [];
        description = ''
-          List of Alertmanager URLs to send notifications to.
+          A list of alertmanagers to send alerts to.
          See <link xlink:href="https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config">the official documentation</link> for more information.
        '';
      };
--- a/nixos/modules/services/monitoring/prometheus/exporters.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters.nix
@ -33,6 +33,7 @@ let
    "nginx"
    "node"
    "postfix"
    "postgres"
    "snmp"
    "surfboard"
    "tor"
@ -87,7 +88,7 @@ let
    };
    user = mkOption {
      type = types.str;
-      default = "nobody";
+      default = "${name}-exporter";
      description = ''
        User name under which the ${name} exporter shall be run.
        Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
@ -95,7 +96,7 @@ let
    };
    group = mkOption {
      type = types.str;
-      default = "nobody";
+      default = "${name}-exporter";
      description = ''
        Group under which the ${name} exporter shall be run.
        Has no effect when <option>systemd.services.prometheus-${name}-exporter.serviceConfig.DynamicUser</option> is true.
@ -126,8 +127,23 @@ let
  );
  mkExporterConf = { name, conf, serviceOpts }:
    let
      enableDynamicUser = serviceOpts.serviceConfig.DynamicUser or true;
    in
    mkIf conf.enable {
      warnings = conf.warnings or [];
      users.users = (mkIf (conf.user == "${name}-exporter" && !enableDynamicUser) {
        "${name}-exporter" = {
          description = ''
            Prometheus ${name} exporter service user
          '';
          isSystemUser = true;
          inherit (conf) group;
        };
      });
      users.groups = (mkIf (conf.group == "${name}-exporter" && !enableDynamicUser) {
        "${name}-exporter" = {};
      });
      networking.firewall.extraCommands = mkIf conf.openFirewall (concatStrings [
        "ip46tables -A nixos-fw ${conf.firewallFilter} "
        "-m comment --comment ${name}-exporter -j nixos-fw-accept"
@ -138,7 +154,8 @@ let
        serviceConfig.Restart = mkDefault "always";
        serviceConfig.PrivateTmp = mkDefault true;
        serviceConfig.WorkingDirectory = mkDefault /tmp;
-      } serviceOpts ] ++ optional (!(serviceOpts.serviceConfig.DynamicUser or false)) {
+        serviceConfig.DynamicUser = mkDefault enableDynamicUser;
      } serviceOpts ] ++ optional (!enableDynamicUser) {
        serviceConfig.User = conf.user;
        serviceConfig.Group = conf.group;
      });
--- a/nixos/modules/services/monitoring/prometheus/exporters.xml
+++ b/nixos/modules/services/monitoring/prometheus/exporters.xml
@ -159,8 +159,10 @@ in
  # `serviceOpts.script` and `serviceOpts.serviceConfig.ExecStart`
  # has to be specified here. This will be merged with the default
  # service confiuration.
  # Note that by default 'DynamicUser' is 'true'.
  serviceOpts = {
    serviceConfig = {
      DynamicUser = false;
      ExecStart = ''
        ${pkgs.prometheus-postfix-exporter}/bin/postfix_exporter \
          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--- a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix
@ -39,7 +39,6 @@ in
  };
  serviceOpts = {
    serviceConfig = {
      DynamicUser = true;
      ExecStart = ''
        ${pkgs.prometheus-bind-exporter}/bin/bind_exporter \
          -web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--- a/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/blackbox.nix
@ -4,6 +4,13 @@ with lib;
 let
  cfg = config.services.prometheus.exporters.blackbox;
  checkConfig = file: pkgs.runCommand "checked-blackbox-exporter.conf" {
    preferLocalBuild = true;
    buildInputs = [ pkgs.buildPackages.prometheus-blackbox-exporter ]; } ''
    ln -s ${file} $out
    blackbox_exporter --config.check --config.file $out
  '';
 in
 {
  port = 9115;
@ -18,11 +25,10 @@ in
  serviceOpts = {
    serviceConfig = {
      AmbientCapabilities = [ "CAP_NET_RAW" ]; # for ping probes
      DynamicUser = true;
      ExecStart = ''
        ${pkgs.prometheus-blackbox-exporter}/bin/blackbox_exporter \
          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
-          --config.file ${cfg.configFile} \
+          --config.file ${checkConfig cfg.configFile} \
          ${concatStringsSep " \\\n  " cfg.extraFlags}
      '';
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
--- a/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/collectd.nix
@ -64,7 +64,6 @@ in
    '' else "";
  in {
    serviceConfig = {
      DynamicUser = true;
      ExecStart = ''
        ${pkgs.prometheus-collectd-exporter}/bin/collectd_exporter \
          -log.format ${cfg.logFormat} \
--- a/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dnsmasq.nix
@ -26,7 +26,6 @@ in
  };
  serviceOpts = {
    serviceConfig = {
      DynamicUser = true;
      ExecStart = ''
        ${pkgs.prometheus-dnsmasq-exporter}/bin/dnsmasq_exporter \
          --listen ${cfg.listenAddress}:${toString cfg.port} \
--- a/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/dovecot.nix
@ -39,8 +39,8 @@ in
            mail_plugins = $mail_plugins old_stats
            service old-stats {
              unix_listener old-stats {
-                user = nobody
+                user = dovecot-exporter
-                group = nobody
+                group = dovecot-exporter
              }
            }
          ''';
@ -59,6 +59,7 @@ in
  };
  serviceOpts = {
    serviceConfig = {
      DynamicUser = false;
      ExecStart = ''
        ${pkgs.prometheus-dovecot-exporter}/bin/dovecot_exporter \
          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--- a/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/fritzbox.nix
@ -26,7 +26,6 @@ in
  };
  serviceOpts = {
    serviceConfig = {
      DynamicUser = true;
      ExecStart = ''
        ${pkgs.prometheus-fritzbox-exporter}/bin/exporter \
          -listen-address ${cfg.listenAddress}:${toString cfg.port} \
--- a/nixos/modules/services/monitoring/prometheus/exporters/json.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/json.nix
@ -24,7 +24,6 @@ in
  };
  serviceOpts = {
    serviceConfig = {
      DynamicUser = true;
      ExecStart = ''
        ${pkgs.prometheus-json-exporter}/bin/prometheus-json-exporter \
          --port ${toString cfg.port} \
--- a/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
+++ b/nixos/modules/services/monitoring/prometheus/exporters/mail.nix
@ -143,6 +143,7 @@ in
  };
  serviceOpts = {
    serviceConfig = {
      DynamicUser = false;
      ExecStart = ''
        ${pkgs.prometheus-mail-exporter}/bin/mailexporter \
          --web.listen-address ${cfg.listenAddress}:${toString cfg.port} \
--- a/Show More
+++ b/Show More