Revert "liferea: 1.10.18 -> 1.12-rc2"

This reverts commit 73d9d2d577.

It was pushed here accidentially, I've meant 17.03.

README.md

@@ -14,12 +14,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-15.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-16.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 
 ```
 % git remote update channels
-% git rebase channels/nixos-15.09
+% git rebase channels/nixos-16.03
 ```
 
 For pull-requests, please rebase onto nixpkgs `master`.
@@ -33,9 +33,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 15.09 release](https://hydra.nixos.org/jobset/nixos/release-15.09)
+* [Continuous package builds for 16.03 release](https://hydra.nixos.org/jobset/nixos/release-16.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 15.09 release](https://hydra.nixos.org/job/nixos/release-15.09/tested#tabs-constituents)
+* [Tests for 16.03 release](https://hydra.nixos.org/job/nixos/release-16.03/tested#tabs-constituents)
 
 Communication:
 

doc/default.nix

@@ -27,6 +27,7 @@ stdenv.mkDerivation {
     in ''
       {
         pandoc '${inputFile}' -w docbook ${optionalString useChapters "--chapters"} \
+          --smart \
           | sed -e 's|<ulink url=|<link xlink:href=|' \
               -e 's|</ulink>|</link>|' \
               -e 's|<sect. id=|<section xml:id=|' \

doc/haskell-users-guide.md

@@ -636,7 +636,7 @@ then you have to download and re-install `foo` and all its dependents from
 scratch:
 
     # nix-store -q --referrers /nix/store/*-haskell-text-1.2.0.4 \
-      | xargs -L 1 nix-store --repair-path --option binary-caches http://hydra.nixos.org
+      | xargs -L 1 nix-store --repair-path
 
 If you're using additional Hydra servers other than `hydra.nixos.org`, then it
 might be necessary to purge the local caches that store data from those

doc/introduction.md

@@ -6,13 +6,14 @@ date: 2015-11-25
 
 # Introduction
 
-The Nix Packages collection (Nixpkgs) is a set of over 30,000 packages for the
-[Nix package manager](http://nixos.org/nix/), released under a [permissive MIT/X11 license](https://github.com/NixOS/nixpkgs/blob/master/COPYING).
-Packages are available for several architectures, and can be used with the Nix package manager
-on most GNU/Linux distributions as well as NixOS.
+The Nix Packages collection (Nixpkgs) is a set of thousands of packages for the
+[Nix package manager](http://nixos.org/nix/), released under a
+[permissive MIT/X11 license](https://github.com/NixOS/nixpkgs/blob/master/COPYING).
+Packages are available for several platforms, and can be used with the Nix
+package manager on most GNU/Linux distributions as well as NixOS.
 
-This manual describes how to write packages for the Nix Packages collection
-(Nixpkgs). Thus it’s for packagers and developers who want to add packages to
+This manual primarily describes how to write packages for the Nix Packages collection
+(Nixpkgs). Thus it’s mainly for packagers and developers who want to add packages to
 Nixpkgs. If you like to learn more about the Nix package manager and the Nix
 expression language, then you are kindly referred to the [Nix manual](http://nixos.org/nix/manual/).
 
@@ -20,29 +21,33 @@ expression language, then you are kindly referred to the [Nix manual](http://nix
 
 Nix expressions describe how to build packages from source and are collected in
 the [nixpkgs repository](https://github.com/NixOS/nixpkgs). Also included in the
-collection are Nix expressions for [NixOS modules](http://nixos.org/nixos/manual/index.html#sec-writing-modules). With
-these expressions the Nix package manager can build binary packages.
+collection are Nix expressions for
+[NixOS modules](http://nixos.org/nixos/manual/index.html#sec-writing-modules).
+With these expressions the Nix package manager can build binary packages.
 
 Packages, including the Nix packages collection, are distributed through
 [channels](http://nixos.org/nix/manual/#sec-channels). The collection is
 distributed for users of Nix on non-NixOS distributions through the channel
 `nixpkgs`. Users of NixOS generally use one of the `nixos-*` channels, e.g.
-`nixos-15.09`, which includes all packages and modules for the stable NixOS
-15.09. The channels of the stable NixOS releases are generally only given
+`nixos-16.03`, which includes all packages and modules for the stable NixOS
+16.03. The purpose of stable NixOS releases are generally only given
 security updates. More up to date packages and modules are available via the
 `nixos-unstable` channel.
 
 Both `nixos-unstable` and `nixpkgs` follow the `master` branch of the Nixpkgs
-repository, although both do lag the `master` branch by generally [a couple of days](http://howoldis.herokuapp.com/). Updates to a channel are distributed as
-soon as all tests for that channel pass, e.g. [this table](http://hydra.nixos.org/job/nixpkgs/trunk/unstable#tabs-constituents)
+repository, although both do lag the `master` branch by generally
+[a couple of days](http://howoldis.herokuapp.com/). Updates to a channel are
+distributed as soon as all tests for that channel pass, e.g.
+[this table](http://hydra.nixos.org/job/nixpkgs/trunk/unstable#tabs-constituents)
 shows the status of tests for the `nixpkgs` channel.
 
 The tests are conducted by a cluster called [Hydra](http://nixos.org/hydra/),
-which also builds binary packages from the Nix expressions in Nixpkgs. As soon
-as a channel is updated, the binaries are made available via a [binary cache](https://cache.nixos.org). Until the channel updates, binaries that have
-already been built, are available via [Hydra's binary cache](https://hydra.nixos.org).
+which also builds binary packages from the Nix expressions in Nixpkgs for
+`x86_64-linux`, `i686-linux` and `x86_64-darwin`.
+The binaries are made available via a [binary cache](https://cache.nixos.org).
 
 The current Nix expressions of the channels are available in the
 [`nixpkgs-channels`](https://github.com/NixOS/nixpkgs-channels) repository,
 which has branches corresponding to the available channels. There is also the
-Nixpkgs Monitor which keeps track of updates and security vulnerabilities.
+[Nixpkgs Monitor](http://monitor.nixos.org) which keeps track of updates
+and security vulnerabilities.

lib/lists.nix

@@ -67,7 +67,7 @@ rec {
   # == [1 2 3 4 5]' and `flatten 1 == [1]'.
   flatten = x:
     if isList x
-    then foldl' (x: y: x ++ (flatten y)) [] x
+    then concatMap (y: flatten y) x
     else [x];
 
 
@@ -139,12 +139,12 @@ rec {
 
   # Partition the elements of a list in two lists, `right' and
   # `wrong', depending on the evaluation of a predicate.
-  partition = pred:
+  partition = builtins.partition or (pred:
     fold (h: t:
       if pred h
       then { right = [h] ++ t.right; wrong = t.wrong; }
       else { right = t.right; wrong = [h] ++ t.wrong; }
-    ) { right = []; wrong = []; };
+    ) { right = []; wrong = []; });
 
 
   zipListsWith =

lib/maintainers.nix

@@ -10,6 +10,7 @@
   aaronschif = "Aaron Schif <aaronschif@gmail.com>";
   abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
   abbradar = "Nikolay Amiantov <ab@fmap.me>";
+  abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
   adev = "Adrien Devresse <adev@adev.name>";
   aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>";
   aflatter = "Alexander Flatter <flatter@fastmail.fm>";
@@ -32,6 +33,7 @@
   ardumont = "Antoine R. Dumont <eniotna.t@gmail.com>";
   aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
   arobyn = "Alexei Robyn <shados@shados.net>";
+  artuuge = "Artur E. Ruuge <artuuge@gmail.com>";
   asppsa = "Alastair Pharo <asppsa@gmail.com>";
   astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
   aszlig = "aszlig <aszlig@redmoonstudios.org>";
@@ -136,6 +138,7 @@
   globin = "Robin Gloster <mail@glob.in>";
   goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
   Gonzih = "Max Gonzih <gonzih@gmail.com>";
+  grahamc = "Graham Christensen <graham@grahamc.com>";
   gridaphobe = "Eric Seidel <eric@seidel.io>";
   guibert = "David Guibert <david.guibert@gmail.com>";
   havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
@@ -163,7 +166,9 @@
   joamaki = "Jussi Maki <joamaki@gmail.com>";
   joelmo = "Joel Moberg <joel.moberg@gmail.com>";
   joelteon = "Joel Taylor <me@joelt.io>";
+  joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
   jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
+  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
   jwiegley = "John Wiegley <johnw@newartisans.com>";
   jwilberding = "Jordan Wilberding <jwilberding@afiniate.com>";
   jzellner = "Jeff Zellner <jeffz@eml.cc>";
@@ -249,6 +254,7 @@
   palo = "Ingolf Wanger <palipalo9@googlemail.com>";
   pashev = "Igor Pashev <pashev.igor@gmail.com>";
   pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
+  peterhoeg = "Peter Hoeg <peter@hoeg.com>";
   philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
   phile314 = "Philipp Hausmann <nix@314.ch>";
   Phlogistique = "Noé Rubinstein <noe.rubinstein@gmail.com>";
@@ -264,12 +270,15 @@
   pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
   prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
   profpatsch = "Profpatsch <mail@profpatsch.de>";
+  proglodyte = "Proglodyte <proglodyte23@gmail.com>";
+  pshendry = "Paul Hendry <paul@pshendry.com>";
   psibi = "Sibi <sibi@psibi.in>";
   pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
   puffnfresh = "Brian McKenna <brian@brianmckenna.org>";
   pxc = "Patrick Callahan <patrick.callahan@latitudeengineering.com>";
   qknight = "Joachim Schiele <js@lastlog.de>";
   ragge = "Ragnar Dahlen <r.dahlen@gmail.com>";
+  ralith = "Benjamin Saunders <ben.e.saunders@gmail.com>";
   raskin = "Michael Raskin <7c6f434c@mail.ru>";
   redbaron = "Maxim Ivanov <ivanov.maxim@gmail.com>";
   refnil = "Martin Lavoie <broemartino@gmail.com>";
@@ -278,7 +287,7 @@
   rick68 = "Wei-Ming Yang <rick68@gmail.com>";
   rickynils = "Rickard Nilsson <rickynils@gmail.com>";
   rnhmjoj = "Michele Guerini Rocco <micheleguerinirocco@me.com>";
-  rob = "Rob Vermaas <rob.vermaas@gmail.com>";
+  rbvermaa = "Rob Vermaas <rob.vermaas@gmail.com>";
   robberer = "Longrin Wischnewski <robberer@freakmail.de>";
   robbinch = "Robbin C. <robbinch33@gmail.com>";
   robgssp = "Rob Glossop <robgssp@gmail.com>";
@@ -295,6 +304,7 @@
   schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
   schristo = "Scott Christopher <schristopher@konputa.com>";
   sepi = "Raffael Mancini <raffael@mancini.lu>";
+  sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
   sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
   shell = "Shell Turner <cam.turn@gmail.com>";
   shlevy = "Shea Levy <shea@shealevy.com>";
@@ -347,6 +357,7 @@
   vlstill = "Vladimír Štill <xstill@fi.muni.cz>";
   vmandela = "Venkateswara Rao Mandela <venkat.mandela@gmail.com>";
   vozz = "Oliver Hunt <oliver.huntuk@gmail.com>";
+  vrthra = "Rahul Gopinath <rahul@gopinath.org>";
   wedens = "wedens <kirill.wedens@gmail.com>";
   willtim = "Tim Philip Williams <tim.williams.public@gmail.com>";
   winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";

lib/trivial.nix

@@ -69,7 +69,7 @@ rec {
     + (if pathExists suffixFile then readFile suffixFile else "pre-git");
 
   # Whether we're being called by nix-shell.
-  inNixShell = builtins.getEnv "IN_NIX_SHELL" == "1";
+  inNixShell = builtins.getEnv "IN_NIX_SHELL" != "";
 
   # Return minimum/maximum of two numbers.
   min = x: y: if x < y then x else y;

lib/types.nix

@@ -114,13 +114,17 @@ rec {
       name = "list of ${elemType.name}s";
       check = isList;
       merge = loc: defs:
-        map (x: x.value) (filter (x: x ? value) (concatLists (imap (n: def: imap (m: def':
-            (mergeDefinitions
-              (loc ++ ["[definition ${toString n}-entry ${toString m}]"])
-              elemType
-              [{ inherit (def) file; value = def'; }]
-            ).optionalValue
-          ) def.value) defs)));
+        map (x: x.value) (filter (x: x ? value) (concatLists (imap (n: def:
+          if isList def.value then
+            imap (m: def':
+              (mergeDefinitions
+                (loc ++ ["[definition ${toString n}-entry ${toString m}]"])
+                elemType
+                [{ inherit (def) file; value = def'; }]
+              ).optionalValue
+            ) def.value
+          else
+            throw "The option value `${showOption loc}' in `${def.file}' is not a list.") defs)));
       getSubOptions = prefix: elemType.getSubOptions (prefix ++ ["*"]);
       getSubModules = elemType.getSubModules;
       substSubModules = m: listOf (elemType.substSubModules m);

maintainers/scripts/copy-tarballs.pl

@@ -5,7 +5,7 @@
 # content-addressed cache used by fetchurl as a fallback for when
 # upstream tarballs disappear or change. Usage:
 #
-# 1) To upload a single file:
+# 1) To upload one or more files:
 #
 #    $ copy-tarballs.pl --file /path/to/tarball.tar.gz
 #
@@ -22,9 +22,38 @@ use JSON;
 use Net::Amazon::S3;
 use Nix::Store;
 
+isValidPath("/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-foo"); # FIXME: forces Nix::Store initialisation
+
+sub usage {
+    die "Syntax: $0 [--dry-run] [--exclude REGEXP] [--expr EXPR | --file FILES...]\n";
+}
+
+my $dryRun = 0;
+my $expr;
+my @fileNames;
+my $exclude;
+
+while (@ARGV) {
+    my $flag = shift @ARGV;
+
+    if ($flag eq "--expr") {
+        $expr = shift @ARGV or die "--expr requires an argument";
+    } elsif ($flag eq "--file") {
+        @fileNames = @ARGV;
+        last;
+    } elsif ($flag eq "--dry-run") {
+        $dryRun = 1;
+    } elsif ($flag eq "--exclude") {
+        $exclude = shift @ARGV or die "--exclude requires an argument";
+    } else {
+        usage();
+    }
+}
+
+
 # S3 setup.
-my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die;
-my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die;
+my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die "AWS_ACCESS_KEY_ID not set\n";
+my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die "AWS_SECRET_ACCESS_KEY not set\n";
 
 my $s3 = Net::Amazon::S3->new(
     { aws_access_key_id     => $aws_access_key_id,
@@ -34,12 +63,15 @@ my $s3 = Net::Amazon::S3->new(
 
 my $bucket = $s3->bucket("nixpkgs-tarballs") or die;
 
-my $cacheFile = "/tmp/copy-tarballs-cache";
+my $doWrite = 0;
+my $cacheFile = ($ENV{"HOME"} or die "\$HOME is not set") . "/.cache/nix/copy-tarballs";
 my %cache;
 $cache{$_} = 1 foreach read_file($cacheFile, err_mode => 'quiet', chomp => 1);
+$doWrite = 1;
 
 END() {
-    write_file($cacheFile, map { "$_\n" } keys %cache);
+    File::Path::mkpath(dirname($cacheFile), 0, 0755);
+    write_file($cacheFile, map { "$_\n" } keys %cache) if $doWrite;
 }
 
 sub alreadyMirrored {
@@ -84,11 +116,9 @@ sub uploadFile {
     $cache{$mainKey} = 1;
 }
 
-my $op = shift @ARGV;
-
-if ($op eq "--file") {
+if (scalar @fileNames) {
     my $res = 0;
-    foreach my $fn (@ARGV) {
+    foreach my $fn (@fileNames) {
         eval {
             if (alreadyMirrored("sha512", hashFile("sha512", 0, $fn))) {
                 print STDERR "$fn is already mirrored\n";
@@ -97,17 +127,16 @@ if ($op eq "--file") {
             }
         };
         if ($@) {
-            warn "$@\n";
+            warn "$@";
             $res = 1;
         }
     }
     exit $res;
 }
 
-elsif ($op eq "--expr") {
+elsif (defined $expr) {
 
     # Evaluate find-tarballs.nix.
-    my $expr = $ARGV[0] // die "$0: --expr requires a Nix expression\n";
     my $pid = open(JSON, "-|", "nix-instantiate", "--eval", "--json", "--strict",
                    "<nixpkgs/maintainers/scripts/find-tarballs.nix>",
                    "--arg", "expr", $expr);
@@ -123,10 +152,11 @@ elsif ($op eq "--expr") {
     # Check every fetchurl call discovered by find-tarballs.nix.
     my $mirrored = 0;
     my $have = 0;
-    foreach my $fetch (@{$fetches}) {
+    foreach my $fetch (sort { $a->{url} cmp $b->{url} } @{$fetches}) {
         my $url = $fetch->{url};
         my $algo = $fetch->{type};
         my $hash = $fetch->{hash};
+        my $name = $fetch->{name};
 
         if (defined $ENV{DEBUG}) {
             print "$url $algo $hash\n";
@@ -138,26 +168,44 @@ elsif ($op eq "--expr") {
             next;
         }
 
+        next if defined $exclude && $url =~ /$exclude/;
+
         if (alreadyMirrored($algo, $hash)) {
             $have++;
             next;
         }
 
-        print STDERR "mirroring $url...\n";
+        my $storePath = makeFixedOutputPath(0, $algo, $hash, $name);
 
-        next if $ENV{DRY_RUN};
+        print STDERR "mirroring $url ($storePath)...\n";
 
-        # Download the file using nix-prefetch-url.
-        $ENV{QUIET} = 1;
-        $ENV{PRINT_PATH} = 1;
-        my $fh;
-        my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
-        waitpid($pid, 0) or die;
-        if ($? != 0) {
-            print STDERR "failed to fetch $url: $?\n";
+        if ($dryRun) {
+            $mirrored++;
             next;
         }
-        <$fh>; my $storePath = <$fh>; chomp $storePath;
+
+        # Substitute the output.
+        if (!isValidPath($storePath)) {
+            system("nix-store", "-r", $storePath);
+        }
+
+        # Otherwise download the file using nix-prefetch-url.
+        if (!isValidPath($storePath)) {
+            $ENV{QUIET} = 1;
+            $ENV{PRINT_PATH} = 1;
+            my $fh;
+            my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
+            waitpid($pid, 0) or die;
+            if ($? != 0) {
+                print STDERR "failed to fetch $url: $?\n";
+                next;
+            }
+            <$fh>; my $storePath2 = <$fh>; chomp $storePath2;
+            if ($storePath ne $storePath2) {
+                warn "strange: $storePath != $storePath2\n";
+                next;
+            }
+        }
 
         uploadFile($storePath, $url);
         $mirrored++;
@@ -167,5 +215,5 @@ elsif ($op eq "--expr") {
 }
 
 else {
-    die "Syntax: $0 --file FILENAMES... | --expr EXPR\n";
+    usage();
 }

maintainers/scripts/find-tarballs.nix

@@ -14,12 +14,12 @@ let
     operator = const [ ];
   });
 
-  urls = map (drv: { url = head drv.urls; hash = drv.outputHash; type = drv.outputHashAlgo; }) fetchurlDependencies;
+  urls = map (drv: { url = head (drv.urls or [ drv.url ]); hash = drv.outputHash; type = drv.outputHashAlgo; name = drv.name; }) fetchurlDependencies;
 
   fetchurlDependencies =
     filter
       (drv: drv.outputHash or "" != "" && drv.outputHashMode or "flat" == "flat"
-          && drv.postFetch or "" == "" && drv ? urls)
+          && drv.postFetch or "" == "" && (drv ? url || drv ? urls))
       dependencies;
 
   dependencies = map (x: x.value) (genericClosure {

nixos/doc/manual/installation/installing-usb.xml

@@ -7,10 +7,18 @@
 <title>Booting from a USB Drive</title>
 
 <para>For systems without CD drive, the NixOS live CD can be booted from
-a USB stick. For non-UEFI installations,
-<link xlink:href="http://unetbootin.sourceforge.net/">unetbootin</link>
-will work. For UEFI installations, you should mount the ISO, copy its contents
-verbatim to your drive, then either:
+a USB stick. You can use the <command>dd</command> utility to write the image:
+<command>dd if=<replaceable>path-to-image</replaceable>
+of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
+correct drive; you can use the <command>lsblk</command> command to get a list of
+block devices.</para>
+
+<para>The <command>dd</command> utility will write the image verbatim to the drive,
+making it the recommended option for both UEFI and non-UEFI installations. For
+non-UEFI installations, you can alternatively use
+<link xlink:href="http://unetbootin.sourceforge.net/">unetbootin</link>. If you
+cannot use <command>dd</command> for a UEFI installation, you can also mount the
+ISO, copy its contents verbatim to your drive, then either:
 
 <itemizedlist>
   <listitem>

nixos/doc/manual/installation/installing.xml

@@ -157,10 +157,6 @@ $ nano /mnt/etc/nixos/configuration.nix
     <command>nixos-generate-config</command> will figure out the
     required modules.</para></note>
 
-    <para>Examples of real-world NixOS configuration files can be
-    found at <link
-    xlink:href="https://nixos.org/repos/nix/configurations/trunk/"/>.</para>
-
   </listitem>
 
   <listitem><para>Do the installation:

nixos/doc/manual/release-notes/rl-1603.xml

@@ -4,7 +4,7 @@
          version="5.0"
          xml:id="sec-release-16.03">
 
-<title>Release 16.03 (“Emu”, 2016/03/??)</title>
+<title>Release 16.03 (“Emu”, 2016/03/31)</title>
 
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights:</para>
@@ -33,6 +33,10 @@ has the following highlights:</para>
     <para>Glibc 2.23 (was 2.21).</para>
   </listitem>
 
+  <listitem>
+    <para>Binutils 2.26 (was 2.23.1). See #909</para>
+  </listitem>
+
   <listitem>
     <para>Improved support for ensuring <link
     xlink:href="https://reproducible-builds.org/">bitwise reproducible
@@ -52,6 +56,11 @@ has the following highlights:</para>
     <para>Perl 5.22.</para>
   </listitem>
 
+  <listitem>
+    <para>KDE Plasma 5.5.5 (was 5.3.2) and Applications 15.12.3 (was
+    15.04.3), based on KDE Frameworks 5.19 (was 5.12).</para>
+  </listitem>
+
 </itemizedlist>
 
 <para>The following new services were added since the last release:
@@ -161,7 +170,7 @@ following incompatible changes:</para>
 
 <programlisting><![CDATA[
 {
-  imports = [ <nixos/modules/services/misc/gitit.nix> ];
+  imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
 }
 ]]></programlisting>
 
@@ -275,7 +284,7 @@ fileSystems."/example" = {
 
   <listitem>
     <para><literal>services.xserver.vaapiDrivers</literal> has been removed. Use
-    <literal>services.hardware.opengl.extraPackages{,32}</literal> instead. You can
+    <literal>hardware.opengl.extraPackages{,32}</literal> instead. You can
     also specify VDPAU drivers there.</para>
   </listitem>
 
@@ -344,7 +353,7 @@ $TTL 1800
     <para>
     <literal>service.syncthing.dataDir</literal> options now has to point
     to exact folder where syncthing is writing to. Example configuration should
-    loook something like:
+    look something like:
     </para>
     <programlisting>
 services.syncthing = {

nixos/lib/test-driver/Machine.pm

@@ -382,9 +382,17 @@ sub waitForUnit {
             my $state = $info->{ActiveState};
             die "unit ‘$unit’ reached state ‘$state’\n" if $state eq "failed";
             if ($state eq "inactive") {
+                # If there are no pending jobs, then assume this unit
+                # will never reach active state.
                 my ($status, $jobs) = $self->execute("systemctl list-jobs --full 2>&1");
-                die "unit ‘$unit’ is inactive and there are no pending jobs\n"
-                    if $jobs =~ /No jobs/; # FIXME: fragile
+                if ($jobs =~ /No jobs/) {  # FIXME: fragile
+                    # Handle the case where the unit may have started
+                    # between the previous getUnitInfo() and
+                    # list-jobs.
+                    my $info2 = $self->getUnitInfo($unit);
+                    die "unit ‘$unit’ is inactive and there are no pending jobs\n"
+                        if $info2->{ActiveState} eq $state;
+                }
             }
             return 1 if $state eq "active";
         };
@@ -543,7 +551,7 @@ sub waitForX {
         retry sub {
             my ($status, $out) = $self->execute("journalctl -b SYSLOG_IDENTIFIER=systemd | grep 'session opened'");
             return 0 if $status != 0;
-            ($status, $out) = $self->execute("xwininfo -root > /dev/null 2>&1");
+            ($status, $out) = $self->execute("[ -e /tmp/.X11-unix/X0 ]");
             return 1 if $status == 0;
         }
     });

nixos/maintainers/scripts/ec2/create-amis.sh

@@ -8,14 +8,18 @@ echo "keeping state in $stateDir"
 mkdir -p $stateDir
 
 version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
-echo "NixOS version is $version"
+major=${version:0:5}
+echo "NixOS version is $version ($major)"
 
 rm -f ec2-amis.nix
 
+types="hvm pv"
+stores="ebs s3"
+regions="eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
 
-for type in hvm pv; do
+for type in $types; do
     link=$stateDir/$type
-    imageFile=$link/nixos.img
+    imageFile=$link/nixos.qcow2
     system=x86_64-linux
     arch=x86_64
 
@@ -30,7 +34,7 @@ for type in hvm pv; do
             --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }"
     fi
 
-    for store in ebs s3; do
+    for store in $stores; do
 
         bucket=nixos-amis
         bucketDir="$version-$type-$store"
@@ -38,7 +42,7 @@ for type in hvm pv; do
         prevAmi=
         prevRegion=
 
-        for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do
+        for region in $regions; do
 
             name=nixos-$version-$arch-$type-$store
             description="NixOS $system $version ($type-$store)"
@@ -50,10 +54,11 @@ for type in hvm pv; do
                 echo "doing $name in $region..."
 
                 if [ -n "$prevAmi" ]; then
-                    ami=$(ec2-copy-image \
+                    ami=$(aws ec2 copy-image \
                         --region "$region" \
-                        --source-region "$prevRegion" --source-ami-id "$prevAmi" \
-                        --name "$name" --description "$description" | cut -f 2)
+                        --source-region "$prevRegion" --source-image-id "$prevAmi" \
+                        --name "$name" --description "$description" | json -q .ImageId)
+                    if [ "$ami" = null ]; then break; fi
                 else
 
                     if [ $store = s3 ]; then
@@ -61,12 +66,19 @@ for type in hvm pv; do
                         # Bundle the image.
                         imageDir=$stateDir/$type-bundled
 
+                        # Convert the image to raw format.
+                        rawFile=$stateDir/$type.raw
+                        if ! [ -e $rawFile ]; then
+                            qemu-img convert -f qcow2 -O raw $imageFile $rawFile.tmp
+                            mv $rawFile.tmp $rawFile
+                        fi
+
                         if ! [ -d $imageDir ]; then
                             rm -rf $imageDir.tmp
                             mkdir -p $imageDir.tmp
                             ec2-bundle-image \
                                 -d $imageDir.tmp \
-                                -i $imageFile --arch $arch \
+                                -i $rawFile --arch $arch \
                                 --user "$AWS_ACCOUNT" -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY"
                             mv $imageDir.tmp $imageDir
                         fi
@@ -75,14 +87,14 @@ for type in hvm pv; do
                         if ! [ -e $imageDir/uploaded ]; then
                             echo "uploading bundle to S3..."
                             ec2-upload-bundle \
-                                -m $imageDir/nixos.img.manifest.xml \
+                                -m $imageDir/$type.raw.manifest.xml \
                                 -b "$bucket/$bucketDir" \
-                                -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \
+                                -a "$AWS_ACCESS_KEY_ID" -s "$AWS_SECRET_ACCESS_KEY" \
                                 --location EU
                             touch $imageDir/uploaded
                         fi
 
-                        extraFlags="$bucket/$bucketDir/nixos.img.manifest.xml"
+                        extraFlags="--image-location $bucket/$bucketDir/$type.raw.manifest.xml"
 
                     else
 
@@ -90,10 +102,15 @@ for type in hvm pv; do
                         # to upload a huge raw image.
                         vhdFile=$stateDir/$type.vhd
                         if ! [ -e $vhdFile ]; then
-                            qemu-img convert -O vpc $imageFile $vhdFile.tmp
+                            qemu-img convert -f qcow2 -O vpc $imageFile $vhdFile.tmp
                             mv $vhdFile.tmp $vhdFile
                         fi
 
+                        vhdFileLogicalBytes="$(qemu-img info "$vhdFile" | grep ^virtual\ size: | cut -f 2 -d \(  | cut -f 1 -d \ )"
+                        vhdFileLogicalGigaBytes=$(((vhdFileLogicalBytes-1)/1024/1024/1024+1)) # Round to the next GB
+
+                        echo "Disk size is $vhdFileLogicalBytes bytes. Will be registered as $vhdFileLogicalGigaBytes GB."
+
                         taskId=$(cat $stateDir/$region.$type.task-id 2> /dev/null || true)
                         volId=$(cat $stateDir/$region.$type.vol-id 2> /dev/null || true)
                         snapId=$(cat $stateDir/$region.$type.snap-id 2> /dev/null || true)
@@ -102,7 +119,8 @@ for type in hvm pv; do
                         if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then
                             echo "importing $vhdFile..."
                             taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \
-                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \
+                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" \
                                 --region "$region" -z "${region}a" \
                                 --bucket "$bucket" --prefix "$bucketDir/" \
                                 | tee /dev/stderr \
@@ -112,15 +130,16 @@ for type in hvm pv; do
 
                         if [ -z "$snapId" -a -z "$volId" ]; then
                             ec2-resume-import  $vhdFile -t "$taskId" --region "$region" \
-                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY"
+                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY"
                         fi
 
                         # Wait for the volume creation to finish.
                         if [ -z "$snapId" -a -z "$volId" ]; then
                             echo "waiting for import to finish..."
                             while true; do
-                                volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d')
-                                if [ -n "$volId" ]; then break; fi
+                                volId=$(aws ec2 describe-conversion-tasks --conversion-task-ids "$taskId" --region "$region" | jq -r .ConversionTasks[0].ImportVolume.Volume.Id)
+                                if [ "$volId" != null ]; then break; fi
                                 sleep 10
                             done
 
@@ -130,22 +149,24 @@ for type in hvm pv; do
                         # Delete the import task.
                         if [ -n "$volId" -a -n "$taskId" ]; then
                             echo "removing import task..."
-                            ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true
+                            ec2-delete-disk-image -t "$taskId" --region "$region" \
+                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" || true
                             rm -f $stateDir/$region.$type.task-id
                         fi
 
                         # Create a snapshot.
                         if [ -z "$snapId" ]; then
                             echo "creating snapshot..."
-                            snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2)
+                            snapId=$(aws ec2 create-snapshot --volume-id "$volId" --region "$region" --description "$description" | jq -r .SnapshotId)
+                            if [ "$snapId" = null ]; then exit 1; fi
                             echo -n "$snapId" > $stateDir/$region.$type.snap-id
-                            ec2-create-tags "$snapId" -t "Name=$description" --region "$region"
                         fi
 
                         # Wait for the snapshot to finish.
                         echo "waiting for snapshot to finish..."
                         while true; do
-                            status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4)
+                            status=$(aws ec2 describe-snapshots --snapshot-ids "$snapId" --region "$region" | jq -r .Snapshots[0].State)
                             if [ "$status" = completed ]; then break; fi
                             sleep 10
                         done
@@ -153,35 +174,50 @@ for type in hvm pv; do
                         # Delete the volume.
                         if [ -n "$volId" ]; then
                             echo "deleting volume..."
-                            ec2-delete-volume "$volId" --region "$region" || true
+                            aws ec2 delete-volume --volume-id "$volId" --region "$region" || true
                             rm -f $stateDir/$region.$type.vol-id
                         fi
 
-                        extraFlags="-b /dev/sda1=$snapId:20:true:gp2"
+                        blockDeviceMappings="DeviceName=/dev/sda1,Ebs={SnapshotId=$snapId,VolumeSize=$vhdFileLogicalGigaBytes,DeleteOnTermination=true,VolumeType=gp2}"
+                        extraFlags=""
 
                         if [ $type = pv ]; then
-                            extraFlags+=" --root-device-name=/dev/sda1"
+                            extraFlags+=" --root-device-name /dev/sda1"
+                        else
+                            extraFlags+=" --root-device-name /dev/sda1"
+                            extraFlags+=" --sriov-net-support simple"
+                            extraFlags+=" --ena-support"
                         fi
 
-                        extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3"
+                        blockDeviceMappings+=" DeviceName=/dev/sdb,VirtualName=ephemeral0"
+                        blockDeviceMappings+=" DeviceName=/dev/sdc,VirtualName=ephemeral1"
+                        blockDeviceMappings+=" DeviceName=/dev/sdd,VirtualName=ephemeral2"
+                        blockDeviceMappings+=" DeviceName=/dev/sde,VirtualName=ephemeral3"
+                    fi
+
+                    if [ $type = hvm ]; then
+                        extraFlags+=" --sriov-net-support simple"
+                        extraFlags+=" --ena-support"
                     fi
 
                     # Register the AMI.
                     if [ $type = pv ]; then
-                        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
-                        [ -n "$kernel" ]
+                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
+                        if [ "$kernel" = null ]; then break; fi
                         echo "using PV-GRUB kernel $kernel"
                         extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
                     else
                         extraFlags+=" --virtualization-type hvm"
                     fi
 
-                    ami=$(ec2-register \
-                        -n "$name" \
-                        -d "$description" \
+                    ami=$(aws ec2 register-image \
+                        --name "$name" \
+                        --description "$description" \
                         --region "$region" \
                         --architecture "$arch" \
-                        $extraFlags | cut -f 2)
+                        --block-device-mappings $blockDeviceMappings \
+                        $extraFlags | jq -r .ImageId)
+                    if [ "$ami" = null ]; then break; fi
                 fi
 
                 echo -n "$ami" > $amiFile
@@ -191,25 +227,47 @@ for type in hvm pv; do
                 ami=$(cat $amiFile)
             fi
 
-            if [ -z "$NO_WAIT" -o -z "$prevAmi" ]; then
-                echo "waiting for AMI..."
-                while true; do
-                    status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5)
-                    if [ "$status" = available ]; then break; fi
-                    sleep 10
-                done
-
-                ec2-modify-image-attribute \
-                    --region "$region" "$ami" -l -a all
-            fi
-
             echo "region = $region, type = $type, store = $store, ami = $ami"
+
             if [ -z "$prevAmi" ]; then
                 prevAmi="$ami"
                 prevRegion="$region"
             fi
-
-            echo "  \"15.09\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
+        done
+
+    done
+
+done
+
+for type in $types; do
+    link=$stateDir/$type
+    system=x86_64-linux
+    arch=x86_64
+
+    for store in $stores; do
+
+        for region in $regions; do
+
+            name=nixos-$version-$arch-$type-$store
+            amiFile=$stateDir/$region.$type.$store.ami-id
+            ami=$(cat $amiFile)
+
+            echo "region = $region, type = $type, store = $store, ami = $ami"
+
+            echo -n "waiting for AMI..."
+            while true; do
+                status=$(aws ec2 describe-images --image-ids "$ami" --region "$region" | jq -r .Images[0].State)
+                if [ "$status" = available ]; then break; fi
+                sleep 10
+                echo -n '.'
+            done
+            echo
+
+            # Make the image public.
+            aws ec2 modify-image-attribute \
+                --image-id "$ami" --region "$region" --launch-permission 'Add={Group=all}'
+
+            echo "  \"$major\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
         done
 
     done

nixos/modules/config/krb5.nix

@@ -173,6 +173,8 @@ in
             ${cfg.domainRealm} = ${cfg.defaultRealm}
             .mit.edu = ATHENA.MIT.EDU
             mit.edu = ATHENA.MIT.EDU
+            .exchange.mit.edu = EXCHANGE.MIT.EDU
+            exchange.mit.edu = EXCHANGE.MIT.EDU
             .media.mit.edu = MEDIA-LAB.MIT.EDU
             media.mit.edu = MEDIA-LAB.MIT.EDU
             .csail.mit.edu = CSAIL.MIT.EDU

nixos/modules/config/ldap.nix

@@ -192,7 +192,7 @@ in
     system.activationScripts = mkIf insertLdapPassword {
       ldap = stringAfter [ "etc" "groups" "users" ] ''
         if test -f "${cfg.bind.password}" ; then
-          echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig} - > /etc/ldap.conf.bindpw
+          echo "bindpw "$(cat ${cfg.bind.password})"" | cat ${ldapConfig.source} - > /etc/ldap.conf.bindpw
           mv -fT /etc/ldap.conf.bindpw /etc/ldap.conf
           chmod 600 /etc/ldap.conf
         fi

nixos/modules/config/swap.nix

@@ -30,8 +30,7 @@ let
         description = ''
           If this option is set, ‘device’ is interpreted as the
           path of a swapfile that will be created automatically
-          with the indicated size (in megabytes) if it doesn't
-          exist.
+          with the indicated size (in megabytes).
         '';
       };
 
@@ -132,9 +131,13 @@ in
             script =
               ''
                 ${optionalString (sw.size != null) ''
-                  if [ ! -e "${sw.device}" ]; then
+                  currentSize=$(( $(stat -c "%s" "${sw.device}" 2>/dev/null || echo 0) / 1024 / 1024 ))
+                  if [ "${toString sw.size}" != "$currentSize" ]; then
                     fallocate -l ${toString sw.size}M "${sw.device}" ||
                       dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
+                    if [ "${toString sw.size}" -lt "$currentSize" ]; then
+                      truncate --size "${toString sw.size}M" "${sw.device}"
+                    fi
                     chmod 0600 ${sw.device}
                     ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
                   fi

nixos/modules/config/update-users-groups.pl

@@ -103,7 +103,7 @@ foreach my $g (@{$spec->{groups}}) {
     if (defined $existing) {
         $g->{gid} = $existing->{gid} if !defined $g->{gid};
         if ($g->{gid} != $existing->{gid}) {
-            warn "warning: not applying GID change of group ‘$name’\n";
+            warn "warning: not applying GID change of group ‘$name’ ($existing->{gid} -> $g->{gid})\n";
             $g->{gid} = $existing->{gid};
         }
         $g->{password} = $existing->{password}; # do we want this?
@@ -163,7 +163,7 @@ foreach my $u (@{$spec->{users}}) {
     if (defined $existing) {
         $u->{uid} = $existing->{uid} if !defined $u->{uid};
         if ($u->{uid} != $existing->{uid}) {
-            warn "warning: not applying UID change of user ‘$name’\n";
+            warn "warning: not applying UID change of user ‘$name’ ($existing->{uid} -> $u->{uid})\n";
             $u->{uid} = $existing->{uid};
         }
     } else {

nixos/modules/hardware/video/webcam/facetimehd.nix

@@ -31,13 +31,13 @@ in
 
     # unload module during suspend/hibernate as it crashes the whole system
     powerManagement.powerDownCommands = ''
-      ${pkgs.module_init_tools}/bin/rmmod -f facetimehd
+      ${pkgs.kmod}/bin/lsmod | ${pkgs.gnugrep}/bin/grep -q "^facetimehd" && ${pkgs.kmod}/bin/rmmod -f -v facetimehd
     '';
 
     # and load it back on resume
     powerManagement.resumeCommands = ''
       export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
-      ${pkgs.module_init_tools}/bin/modprobe -v facetimehd
+      ${pkgs.kmod}/bin/modprobe -v facetimehd
     '';
 
   };

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -1,5 +1,6 @@
 #! @perl@
 
+use strict;
 use Cwd 'abs_path';
 use File::Spec;
 use File::Path;
@@ -69,6 +70,7 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
 my @attrs = ();
 my @kernelModules = ();
 my @initrdKernelModules = ();
+my @initrdAvailableKernelModules = ();
 my @modulePackages = ();
 my @imports;
 
@@ -165,7 +167,7 @@ sub pciCheck {
         ) )
     {
         # we need e.g. brcmfmac43602-pcie.bin
-        push @imports, "<nixos/modules/hardware/network/broadcom-43xx.nix>";
+        push @imports, "<nixpkgs/nixos/modules/hardware/network/broadcom-43xx.nix>";
     }
 
     # Can't rely on $module here, since the module may not be loaded
@@ -379,7 +381,7 @@ EOF
     # Is this a btrfs filesystem?
     if ($fsType eq "btrfs") {
         my ($status, @id_info) = runCommand("btrfs subvol show $rootDir$mountPoint");
-        if ($status != 0 || join("", @msg) =~ /ERROR:/) {
+        if ($status != 0 || join("", @id_info) =~ /ERROR:/) {
             die "Failed to retrieve subvolume info for $mountPoint\n";
         }
         my @ids = join("", @id_info) =~ m/Subvolume ID:[ \t\n]*([^ \t\n]*)/;
@@ -440,7 +442,7 @@ sub toNixList {
 sub multiLineList {
     my $indent = shift;
     return " [ ]" if !@_;
-    $res = "\n${indent}[ ";
+    my $res = "\n${indent}[ ";
     my $first = 1;
     foreach my $s (@_) {
         $res .= "$indent  " if !$first;
@@ -474,7 +476,7 @@ my $hwConfig = <<EOF;
   boot.kernelModules = [$kernelModules ];
   boot.extraModulePackages = [$modulePackages ];
 $fsAndSwap
-  nix.maxJobs = $cpus;
+  nix.maxJobs = lib.mkDefault $cpus;
 ${\join "", (map { "  $_\n" } (uniq @attrs))}}
 EOF
 
@@ -494,7 +496,7 @@ if ($showHardwareConfig) {
     if ($force || ! -e $fn) {
         print STDERR "writing $fn...\n";
 
-        my $bootloaderConfig = "";
+        my $bootLoaderConfig = "";
         if (-e "/sys/firmware/efi/efivars") {
             $bootLoaderConfig = <<EOF;
   # Use the gummiboot efi boot loader.
@@ -568,7 +570,7 @@ $bootLoaderConfig
   # };
 
   # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "@nixosRelease@";
+  system.stateVersion = "${\(qw(@nixosRelease@))}";
 
 }
 EOF

nixos/modules/installer/tools/nixos-install.sh

@@ -91,12 +91,10 @@ ln -s /run $mountPoint/var/run
 rm -f $mountPoint/etc/{resolv.conf,hosts}
 cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
 
-if [ -e "$SSL_CERT_FILE" ]; then
-    cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
-    export SSL_CERT_FILE=/tmp/ca-cert.crt
-    # For Nix 1.7
-    export CURL_CA_BUNDLE=/tmp/ca-cert.crt
-fi
+cp -Lf "@cacert@" "$mountPoint/tmp/ca-cert.crt"
+export SSL_CERT_FILE=/tmp/ca-cert.crt
+# For Nix 1.7
+export CURL_CA_BUNDLE=/tmp/ca-cert.crt
 
 if [ -n "$runChroot" ]; then
     if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then

nixos/modules/installer/tools/tools.nix

@@ -23,6 +23,7 @@ let
 
     inherit (pkgs) perl pathsFromGraph;
     nix = config.nix.package;
+    cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 
     nixClosure = pkgs.runCommand "closure"
       { exportReferencesGraph = ["refs" config.nix.package]; }

nixos/modules/misc/ids.nix

@@ -354,7 +354,7 @@
       quassel = 89;
       amule = 90;
       minidlna = 91;
-      #elasticsearch = 92; # unused
+      elasticsearch = 92;
       #tcpcryptd = 93; # unused
       connman = 94;
       firebird = 95;

nixos/modules/misc/locate.nix

@@ -88,7 +88,7 @@ in {
         serviceConfig.PrivateNetwork = "yes";
         serviceConfig.NoNewPrivileges = "yes";
         serviceConfig.ReadOnlyDirectories = "/";
-        serviceConfig.ReadWriteDirectories = cfg.output;
+        serviceConfig.ReadWriteDirectories = dirOf cfg.output;
       };
 
     systemd.timers.update-locatedb = mkIf cfg.enable

nixos/modules/module-list.nix

@@ -208,6 +208,7 @@
   ./services/misc/confd.nix
   ./services/misc/devmon.nix
   ./services/misc/dictd.nix
+  ./services/misc/dysnomia.nix
   ./services/misc/disnix.nix
   ./services/misc/docker-registry.nix
   ./services/misc/etcd.nix
@@ -436,6 +437,7 @@
   ./services/web-servers/varnish/default.nix
   ./services/web-servers/winstone.nix
   ./services/web-servers/zope2.nix
+  ./services/x11/colord.nix
   ./services/x11/unclutter.nix
   ./services/x11/desktop-managers/default.nix
   ./services/x11/display-managers/auto.nix

nixos/modules/programs/ssh.nix

@@ -189,6 +189,7 @@ in
 
         # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
         PubkeyAcceptedKeyTypes +ssh-dss
+        HostKeyAlgorithms +ssh-dss
 
         ${cfg.extraConfig}
       '';

nixos/modules/security/acme.nix

@@ -152,7 +152,7 @@ in
         in nameValuePair
         ("acme-${cert}")
         ({
-          description = "ACME cert renewal for ${cert} using simp_le";
+          description = "Renew ACME Certificate for ${cert}";
           after = [ "network.target" ];
           serviceConfig = {
             Type = "oneshot";
@@ -192,7 +192,7 @@ in
       systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
         ("acme-${cert}")
         ({
-          description = "timer for ACME cert renewal of ${cert}";
+          description = "Renew ACME Certificate for ${cert}";
           wantedBy = [ "timers.target" ];
           timerConfig = {
             OnCalendar = cfg.renewInterval;

nixos/modules/security/grsecurity.nix

@@ -126,6 +126,19 @@ in
           '';
         };
 
+        denyChrootCaps = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Whether to lower capabilities of all processes within a chroot,
+            preventing commands that require <literal>CAP_SYS_ADMIN</literal>.
+
+            This protection is disabled by default because it breaks
+            <literal>nixos-rebuild</literal>. Whenever possible, it is
+            highly recommended to enable this protection.
+          '';
+        };
+
         denyUSB = mkOption {
           type = types.bool;
           default = false;
@@ -234,7 +247,8 @@ in
 
     systemd.services.grsec-lock = mkIf cfg.config.sysctl {
       description     = "grsecurity sysctl-lock Service";
-      requires        = [ "systemd-sysctl.service" ];
+      wants           = [ "systemd-sysctl.service" ];
+      after           = [ "systemd-sysctl.service" ];
       wantedBy        = [ "multi-user.target" ];
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = "yes";

nixos/modules/security/setuid-wrappers.nix

@@ -96,7 +96,7 @@ in
           }:
 
           ''
-            if ! source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}; then
+            if ! source=${if source != "" then source else "$(readlink -f $(PATH=$SETUID_PATH type -tP ${program}))"}; then
                 # If we can't find the program, fall back to the
                 # system profile.
                 source=/nix/var/nix/profiles/default/bin/${program}

nixos/modules/services/audio/mopidy.nix

@@ -47,6 +47,7 @@ in {
       };
 
       configuration = mkOption {
+        default = "";
         type = types.lines;
         description = ''
           The configuration that Mopidy should use.

nixos/modules/services/continuous-integration/jenkins/default.nix

@@ -92,12 +92,11 @@ in {
         type = with types; attrsOf str;
         description = ''
           Additional environment variables to be passed to the jenkins process.
-          As a base environment, jenkins receives NIX_PATH from
-          <option>environment.sessionVariables</option>, NIX_REMOTE is set to
-          "daemon" and JENKINS_HOME is set to the value of
-          <option>services.jenkins.home</option>.
-          This option has precedence and can be used to override those
-          mentioned variables.
+          As a base environment, jenkins receives NIX_PATH, SSL_CERT_FILE and
+          GIT_SSL_CAINFO from <option>environment.sessionVariables</option>,
+          NIX_REMOTE is set to "daemon" and JENKINS_HOME is set to
+          the value of <option>services.jenkins.home</option>. This option has
+          precedence and can be used to override those mentioned variables.
         '';
       };
 
@@ -137,7 +136,11 @@ in {
       environment =
         let
           selectedSessionVars =
-            lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
+            lib.filterAttrs (n: v: builtins.elem n
+                [ "NIX_PATH"
+                  "SSL_CERT_FILE"
+                  "GIT_SSL_CAINFO"
+                ])
               config.environment.sessionVariables;
         in
           selectedSessionVars //
@@ -161,16 +164,8 @@ in {
       '';
 
       postStart = ''
-        until ${pkgs.curl}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} ; do
-          sleep 10
-        done
-        while true ; do
-          index=`${pkgs.curl}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}`
-          if [[ !("$index" =~ 'Please wait while Jenkins is restarting' ||
-                  "$index" =~ 'Please wait while Jenkins is getting ready to work') ]]; then
-            exit 0
-          fi
-          sleep 30
+        until ${pkgs.curl}/bin/curl -s -L --fail --head http://${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} >/dev/null; do
+            sleep 2
         done
       '';
 

nixos/modules/services/mail/dspam.nix

@@ -104,6 +104,7 @@ in {
       systemd.services.dspam = {
         description = "dspam spam filtering daemon";
         wantedBy = [ "multi-user.target" ];
+        after = [ "postgresql.service" ];
         restartTriggers = [ cfgfile ];
 
         serviceConfig = {
@@ -114,7 +115,7 @@ in {
           RuntimeDirectoryMode = optional (cfg.domainSocket == defaultSock) "0750";
           PermissionsStartOnly = true;
           # DSPAM segfaults on just about every error
-          Restart = "on-failure";
+          Restart = "on-abort";
           RestartSec = "1s";
         };
 

nixos/modules/services/misc/disnix.nix

@@ -36,49 +36,32 @@ in
         default = false;
         description = "Whether to enable the DisnixWebService interface running on Apache Tomcat";
       };
-
-      publishInfrastructure = {
-        enable = mkOption {
-          default = false;
-          description = "Whether to publish capabilities/properties of this machine in as attributes in the infrastructure option";
-        };
-
-        enableAuthentication = mkOption {
-          default = false;
-          description = "Whether to publish authentication credentials through the infrastructure attribute (not recommended in combination with Avahi)";
-        };
-      };
-
-      infrastructure = mkOption {
-        default = {};
-        description = "List of name value pairs containing properties for the infrastructure model";
-      };
-
-      publishAvahi = mkOption {
-        default = false;
-        description = "Whether to publish capabilities/properties as a Disnix service through Avahi";
+      
+      package = mkOption {
+        type = types.path;
+        description = "The Disnix package";
+        default = pkgs.disnix;
       };
 
     };
 
   };
 
-
   ###### implementation
 
   config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.disnix pkgs.dysnomia ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService;
+    dysnomia.enable = true;
+    
+    environment.systemPackages = [ pkgs.disnix ] ++ optional cfg.useWebServiceInterface pkgs.DisnixWebService;
 
     services.dbus.enable = true;
     services.dbus.packages = [ pkgs.disnix ];
 
-    services.avahi.enable = cfg.publishAvahi;
-
     services.tomcat.enable = cfg.useWebServiceInterface;
     services.tomcat.extraGroups = [ "disnix" ];
     services.tomcat.javaOpts = "${optionalString cfg.useWebServiceInterface "-Djava.library.path=${pkgs.libmatthew_java}/lib/jni"} ";
     services.tomcat.sharedLibs = optional cfg.useWebServiceInterface "${pkgs.DisnixWebService}/share/java/DisnixConnection.jar"
-                                 ++ optional cfg.useWebServiceInterface "${pkgs.dbus_java}/share/java/dbus.jar";
+      ++ optional cfg.useWebServiceInterface "${pkgs.dbus_java}/share/java/dbus.jar";
     services.tomcat.webapps = optional cfg.useWebServiceInterface pkgs.DisnixWebService;
 
     users.extraGroups = singleton
@@ -86,38 +69,6 @@ in
         gid = config.ids.gids.disnix;
       };
 
-    services.disnix.infrastructure =
-      optionalAttrs (cfg.publishInfrastructure.enable)
-      ( { hostname = config.networking.hostName;
-          #targetHost = config.deployment.targetHost;
-          system = if config.nixpkgs.system == "" then builtins.currentSystem else config.nixpkgs.system;
-
-          supportedTypes = (import "${pkgs.stdenv.mkDerivation {
-            name = "supportedtypes";
-            buildCommand = ''
-              ( echo -n "[ "
-                cd ${dysnomia}/libexec/dysnomia
-                for i in *
-                do
-                    echo -n "\"$i\" "
-                done
-                echo -n " ]") > $out
-            '';
-          }}");
-        }
-        #// optionalAttrs (cfg.useWebServiceInterface) { targetEPR = "http://${config.deployment.targetHost}:8080/DisnixWebService/services/DisnixWebService"; }
-        // optionalAttrs (config.services.httpd.enable) { documentRoot = config.services.httpd.documentRoot; }
-        // optionalAttrs (config.services.mysql.enable) { mysqlPort = config.services.mysql.port; }
-        // optionalAttrs (config.services.tomcat.enable) { tomcatPort = 8080; }
-        // optionalAttrs (config.services.svnserve.enable) { svnBaseDir = config.services.svnserve.svnBaseDir; }
-        // optionalAttrs (config.services.ejabberd.enable) { ejabberdUser = config.services.ejabberd.user; }
-        // optionalAttrs (cfg.publishInfrastructure.enableAuthentication) (
-          optionalAttrs (config.services.mysql.enable) { mysqlUsername = "root"; mysqlPassword = readFile config.services.mysql.rootPassword; })
-        )
-    ;
-
-    services.disnix.publishInfrastructure.enable = cfg.publishAvahi;
-
     systemd.services = {
       disnix = {
         description = "Disnix server";
@@ -133,46 +84,17 @@ in
 
         restartIfChanged = false;
 
-        path = [ pkgs.nix pkgs.disnix dysnomia "/run/current-system/sw" ];
+        path = [ config.nix.package cfg.package config.dysnomia.package "/run/current-system/sw" ];
 
         environment = {
           HOME = "/root";
-        };
-
-        preStart = ''
-          mkdir -p /etc/systemd-mutable/system
-          if [ ! -f /etc/systemd-mutable/system/dysnomia.target ]
-          then
-              ( echo "[Unit]"
-                echo "Description=Services that are activated and deactivated by Dysnomia"
-                echo "After=final.target"
-              ) > /etc/systemd-mutable/system/dysnomia.target
-          fi
-        '';
-
-        script = "disnix-service";
+        }
+        // (if config.environment.variables ? DYSNOMIA_CONTAINERS_PATH then { inherit (config.environment.variables) DYSNOMIA_CONTAINERS_PATH; } else {})
+        // (if config.environment.variables ? DYSNOMIA_MODULES_PATH then { inherit (config.environment.variables) DYSNOMIA_MODULES_PATH; } else {});
+        
+        serviceConfig.ExecStart = "${cfg.package}/bin/disnix-service";
       };
-    } // optionalAttrs cfg.publishAvahi {
-      disnixAvahi = {
-        description = "Disnix Avahi publisher";
-        wants = [ "avahi-daemon.service" ];
-        wantedBy = [ "multi-user.target" ];
 
-        script = ''
-          ${pkgs.avahi}/bin/avahi-publish-service disnix-${config.networking.hostName} _disnix._tcp 22 \
-            "mem=$(grep 'MemTotal:' /proc/meminfo | sed -e 's/kB//' -e 's/MemTotal://' -e 's/ //g')" \
-            ${concatMapStrings (infrastructureAttrName:
-              let infrastructureAttrValue = getAttr infrastructureAttrName (cfg.infrastructure);
-              in
-              if isInt infrastructureAttrValue then
-              ''${infrastructureAttrName}=${toString infrastructureAttrValue} \
-              ''
-              else
-              ''${infrastructureAttrName}=\"${infrastructureAttrValue}\" \
-              ''
-              ) (attrNames (cfg.infrastructure))}
-        '';
-      };
     };
   };
 }

nixos/modules/services/misc/dysnomia.nix

@@ -0,0 +1,217 @@
+{pkgs, lib, config, ...}:
+
+with lib;
+
+let
+  cfg = config.dysnomia;
+  
+  printProperties = properties:
+    concatMapStrings (propertyName:
+      let
+        property = properties."${propertyName}";
+      in
+      if isList property then "${propertyName}=(${lib.concatMapStrings (elem: "\"${toString elem}\" ") (properties."${propertyName}")})\n"
+      else "${propertyName}=\"${toString property}\"\n"
+    ) (builtins.attrNames properties);
+  
+  properties = pkgs.stdenv.mkDerivation {
+    name = "dysnomia-properties";
+    buildCommand = ''
+      cat > $out << "EOF"
+      ${printProperties cfg.properties}
+      EOF
+    '';
+  };
+  
+  containersDir = pkgs.stdenv.mkDerivation {
+    name = "dysnomia-containers";
+    buildCommand = ''
+      mkdir -p $out
+      cd $out
+      
+      ${concatMapStrings (containerName:
+        let
+          containerProperties = cfg.containers."${containerName}";
+        in
+        ''
+          cat > ${containerName} <<EOF
+          ${printProperties containerProperties}
+          type=${containerName}
+          EOF
+        ''
+      ) (builtins.attrNames cfg.containers)}
+    '';
+  };
+  
+  linkMutableComponents = {containerName}:
+    ''
+      mkdir ${containerName}
+      
+      ${concatMapStrings (componentName:
+        let
+          component = cfg.components."${containerName}"."${componentName}";
+        in
+        "ln -s ${component} ${containerName}/${componentName}\n"
+      ) (builtins.attrNames (cfg.components."${containerName}" or {}))}
+    '';
+  
+  componentsDir = pkgs.stdenv.mkDerivation {
+    name = "dysnomia-components";
+    buildCommand = ''
+      mkdir -p $out
+      cd $out
+      
+      ${concatMapStrings (containerName:
+        let
+          components = cfg.components."${containerName}";
+        in
+        linkMutableComponents { inherit containerName; }
+      ) (builtins.attrNames cfg.components)}
+    '';
+  };
+in
+{
+  options = {
+    dysnomia = {
+      
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable Dysnomia";
+      };
+      
+      enableAuthentication = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to publish privacy-sensitive authentication credentials";
+      };
+      
+      package = mkOption {
+        type = types.path;
+        description = "The Dysnomia package";
+      };
+      
+      properties = mkOption {
+        description = "An attribute set in which each attribute represents a machine property. Optionally, these values can be shell substitutions.";
+        default = {};
+      };
+      
+      containers = mkOption {
+        description = "An attribute set in which each key represents a container and each value an attribute set providing its configuration properties";
+        default = {};
+      };
+      
+      components = mkOption {
+        description = "An atttribute set in which each key represents a container and each value an attribute set in which each key represents a component and each value a derivation constructing its initial state";
+        default = {};
+      };
+      
+      extraContainerProperties = mkOption {
+        description = "An attribute set providing additional container settings in addition to the default properties";
+        default = {};
+      };
+      
+      extraContainerPaths = mkOption {
+        description = "A list of paths containing additional container configurations that are added to the search folders";
+        default = [];
+      };
+      
+      extraModulePaths = mkOption {
+        description = "A list of paths containing additional modules that are added to the search folders";
+        default = [];
+      };
+    };
+  };
+  
+  config = mkIf cfg.enable {
+  
+    environment.etc = {
+      "dysnomia/containers" = {
+        source = containersDir;
+      };
+      "dysnomia/components" = {
+        source = componentsDir;
+      };
+      "dysnomia/properties" = {
+        source = properties;
+      };
+    };
+    
+    environment.variables = {
+      DYSNOMIA_STATEDIR = "/var/state/dysnomia-nixos";
+      DYSNOMIA_CONTAINERS_PATH = "${lib.concatMapStrings (containerPath: "${containerPath}:") cfg.extraContainerPaths}/etc/dysnomia/containers";
+      DYSNOMIA_MODULES_PATH = "${lib.concatMapStrings (modulePath: "${modulePath}:") cfg.extraModulePaths}/etc/dysnomia/modules";
+    };
+    
+    environment.systemPackages = [ cfg.package ];
+    
+    dysnomia.package = pkgs.dysnomia.override (origArgs: {
+      enableApacheWebApplication = config.services.httpd.enable;
+      enableAxis2WebService = config.services.tomcat.axis2.enable;
+      enableEjabberdDump = config.services.ejabberd.enable;
+      enableMySQLDatabase = config.services.mysql.enable;
+      enablePostgreSQLDatabase = config.services.postgresql.enable;
+      enableSubversionRepository = config.services.svnserve.enable;
+      enableTomcatWebApplication = config.services.tomcat.enable;
+      enableMongoDatabase = config.services.mongodb.enable;
+    });
+    
+    dysnomia.properties = {
+      hostname = config.networking.hostName;
+      system = if config.nixpkgs.system == "" then builtins.currentSystem else config.nixpkgs.system;
+
+      supportedTypes = (import "${pkgs.stdenv.mkDerivation {
+        name = "supportedtypes";
+        buildCommand = ''
+          ( echo -n "[ "
+            cd ${cfg.package}/libexec/dysnomia
+            for i in *
+            do
+                echo -n "\"$i\" "
+            done
+            echo -n " ]") > $out
+        '';
+      }}");
+    };
+    
+    dysnomia.containers = lib.recursiveUpdate ({
+      process = {};
+      wrapper = {};
+    }
+    // lib.optionalAttrs (config.services.httpd.enable) { apache-webapplication = {
+      documentRoot = config.services.httpd.documentRoot;
+    }; }
+    // lib.optionalAttrs (config.services.tomcat.axis2.enable) { axis2-webservice = {}; }
+    // lib.optionalAttrs (config.services.ejabberd.enable) { ejabberd-dump = {
+      ejabberdUser = config.services.ejabberd.user;
+    }; }
+    // lib.optionalAttrs (config.services.mysql.enable) { mysql-database = {
+        mysqlPort = config.services.mysql.port;
+      } // lib.optionalAttrs cfg.enableAuthentication {
+        mysqlUsername = "root";
+        mysqlPassword = builtins.readFile (config.services.mysql.rootPassword);
+      };
+    }
+    // lib.optionalAttrs (config.services.postgresql.enable && cfg.enableAuthentication) { postgresql-database = {
+      postgresqlUsername = "root";
+    }; }
+    // lib.optionalAttrs (config.services.tomcat.enable) { tomcat-webapplication = {
+      tomcatPort = 8080;
+    }; }
+    // lib.optionalAttrs (config.services.mongodb.enable) { mongo-database = {}; }
+    // lib.optionalAttrs (config.services.svnserve.enable) { subversion-repository = {
+      svnBaseDir = config.services.svnserve.svnBaseDir;
+    }; }) cfg.extraContainerProperties;
+
+    system.activationScripts.dysnomia = ''
+      mkdir -p /etc/systemd-mutable/system
+      if [ ! -f /etc/systemd-mutable/system/dysnomia.target ]
+      then
+          ( echo "[Unit]"
+            echo "Description=Services that are activated and deactivated by Dysnomia"
+            echo "After=final.target"
+          ) > /etc/systemd-mutable/system/dysnomia.target
+      fi
+    '';
+  };
+}

nixos/modules/services/misc/matrix-synapse.nix

@@ -5,17 +5,31 @@ with lib;
 let
   cfg = config.services.matrix-synapse;
   logConfigFile = pkgs.writeText "log_config.yaml" cfg.logConfig;
+  mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${if r.compress then "true" else "false"}}'';
+  mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${if l.tls then "true" else "false"}, x_forwarded: ${if l.x_forwarded then "true" else "false"}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
   configFile = pkgs.writeText "homeserver.yaml" ''
 tls_certificate_path: "${cfg.tls_certificate_path}"
+${optionalString (cfg.tls_private_key_path != null) ''
 tls_private_key_path: "${cfg.tls_private_key_path}"
+''}
 tls_dh_params_path: "${cfg.tls_dh_params_path}"
 no_tls: ${if cfg.no_tls then "true" else "false"}
+${optionalString (cfg.bind_port != null) ''
 bind_port: ${toString cfg.bind_port}
+''}
+${optionalString (cfg.unsecure_port != null) ''
 unsecure_port: ${toString cfg.unsecure_port}
+''}
+${optionalString (cfg.bind_host != null) ''
 bind_host: "${cfg.bind_host}"
+''}
 server_name: "${cfg.server_name}"
 pid_file: "/var/run/matrix-synapse.pid"
 web_client: ${if cfg.web_client then "true" else "false"}
+${optionalString (cfg.public_baseurl != null) ''
+public_baseurl: "${cfg.public_baseurl}"
+''}
+listeners: [${concatStringsSep "," (map mkListener cfg.listeners)}]
 database: {
   name: "${cfg.database_type}",
   args: {
@@ -24,21 +38,41 @@ database: {
     )}
   }
 }
+event_cache_size: "${cfg.event_cache_size}"
+verbose: ${cfg.verbose}
 log_file: "/var/log/matrix-synapse/homeserver.log"
 log_config: "${logConfigFile}"
+rc_messages_per_second: ${cfg.rc_messages_per_second}
+rc_message_burst_count: ${cfg.rc_message_burst_count}
+federation_rc_window_size: ${cfg.federation_rc_window_size}
+federation_rc_sleep_limit: ${cfg.federation_rc_sleep_limit}
+federation_rc_sleep_delay: ${cfg.federation_rc_sleep_delay}
+federation_rc_reject_limit: ${cfg.federation_rc_reject_limit}
+federation_rc_concurrent: ${cfg.federation_rc_concurrent}
 media_store_path: "/var/lib/matrix-synapse/media"
+uploads_path: "/var/lib/matrix-synapse/uploads"
+max_upload_size: "${cfg.max_upload_size}"
+max_image_pixels: "${cfg.max_image_pixels}"
+dynamic_thumbnails: ${if cfg.dynamic_thumbnails then "true" else "false"}
+url_preview_enabled: False
 recaptcha_private_key: "${cfg.recaptcha_private_key}"
 recaptcha_public_key: "${cfg.recaptcha_public_key}"
 enable_registration_captcha: ${if cfg.enable_registration_captcha then "true" else "false"}
-turn_uris: ${if (length cfg.turn_uris) == 0 then "[]" else ("\n" + (concatStringsSep "\n" (map (s: "- " + s) cfg.turn_uris)))}
+turn_uris: ${builtins.toJSON cfg.turn_uris}
 turn_shared_secret: "${cfg.turn_shared_secret}"
 enable_registration: ${if cfg.enable_registration then "true" else "false"}
-${optionalString (cfg.registration_shared_secret != "") ''
+${optionalString (cfg.registration_shared_secret != null) ''
 registration_shared_secret: "${cfg.registration_shared_secret}"
 ''}
+recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
+turn_user_lifetime: "${cfg.turn_user_lifetime}"
+user_creation_max_duration: ${cfg.user_creation_max_duration}
+bcrypt_rounds: ${cfg.bcrypt_rounds}
+allow_guest_access: {if cfg.allow_guest_access then "true" else "false"}
 enable_metrics: ${if cfg.enable_metrics then "true" else "false"}
 report_stats: ${if cfg.report_stats then "true" else "false"}
 signing_key_path: "/var/lib/matrix-synapse/homeserver.signing.key"
+key_refresh_interval: "${cfg.key_refresh_interval}"
 perspectives:
   servers: {
     ${concatStringsSep "},\n" (mapAttrsToList (n: v: ''
@@ -52,6 +86,8 @@ perspectives:
     '') cfg.servers)}
     }
   }
+app_service_config_files: ${builtins.toJSON cfg.app_service_config_files}
+
 ${cfg.extraConfig}
 '';
 in {
@@ -73,53 +109,65 @@ in {
           Don't bind to the https port
         '';
       };
-      tls_certificate_path = mkOption {
-        type = types.path;
-        default = "/var/lib/matrix-synapse/homeserver.tls.crt";
-        description = ''
-          PEM encoded X509 certificate for TLS
-        '';
-      };
-      tls_private_key_path = mkOption {
-        type = types.path;
-        default = "/var/lib/matrix-synapse/homeserver.tls.key";
-        description = ''
-          PEM encoded private key for TLS
-        '';
-      };
-      tls_dh_params_path = mkOption {
-        type = types.path;
-        default = "/var/lib/matrix-synapse/homeserver.tls.dh";
-        description = ''
-          PEM dh parameters for ephemeral keys
-        '';
-      };
       bind_port = mkOption {
-        type = types.int;
-        default = 8448;
+        type = types.nullOr types.int;
+        default = null;
+        example = 8448;
         description = ''
+          DEPRECATED: Use listeners instead.
           The port to listen for HTTPS requests on.
           For when matrix traffic is sent directly to synapse.
         '';
       };
       unsecure_port = mkOption {
-        type = types.int;
-        default = 8008;
+        type = types.nullOr types.int;
+        default = null;
+        example = 8008;
         description = ''
+          DEPRECATED: Use listeners instead.
           The port to listen for HTTP requests on.
           For when matrix traffic passes through loadbalancer that unwraps TLS.
         '';
       };
       bind_host = mkOption {
-        type = types.str;
-        default = "";
+        type = types.nullOr types.str;
+        default = null;
         description = ''
+          DEPRECATED: Use listeners instead.
           Local interface to listen on.
           The empty string will cause synapse to listen on all interfaces.
         '';
       };
+      tls_certificate_path = mkOption {
+        type = types.str;
+        default = "/var/lib/matrix-synapse/homeserver.tls.crt";
+        description = ''
+          PEM encoded X509 certificate for TLS.
+          You can replace the self-signed certificate that synapse
+          autogenerates on launch with your own SSL certificate + key pair
+          if you like.  Any required intermediary certificates can be
+          appended after the primary certificate in hierarchical order.
+        '';
+      };
+      tls_private_key_path = mkOption {
+        type = types.nullOr types.str;
+        default = "/var/lib/matrix-synapse/homeserver.tls.key";
+        example = null;
+        description = ''
+          PEM encoded private key for TLS. Specify null if synapse is not
+          speaking TLS directly.
+        '';
+      };
+      tls_dh_params_path = mkOption {
+        type = types.str;
+        default = "/var/lib/matrix-synapse/homeserver.tls.dh";
+        description = ''
+          PEM dh parameters for ephemeral keys
+        '';
+      };
       server_name = mkOption {
         type = types.str;
+        example = "example.com";
         description = ''
           The domain name of the server, with optional explicit port.
           This is used by remote servers to connect to this server,
@@ -134,6 +182,145 @@ in {
           Whether to serve a web client from the HTTP/HTTPS root resource.
         '';
       };
+      public_baseurl = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "https://example.com:8448/";
+        description = ''
+          The public-facing base URL for the client API (not including _matrix/...)
+        '';
+      };
+      listeners = mkOption {
+        type = types.listOf (types.submodule {
+          options = {
+            port = mkOption {
+              type = types.int;
+              example = 8448;
+              description = ''
+                The port to listen for HTTP(S) requests on.
+              '';
+            };
+            bind_address = mkOption {
+              type = types.str;
+              default = "";
+              example = "203.0.113.42";
+              description = ''
+                Local interface to listen on.
+                The empty string will cause synapse to listen on all interfaces.
+              '';
+            };
+            type = mkOption {
+              type = types.str;
+              default = "http";
+              description = ''
+                Type of listener.
+              '';
+            };
+            tls = mkOption {
+              type = types.bool;
+              default = true;
+              description = ''
+                Whether to listen for HTTPS connections rather than HTTP.
+              '';
+            };
+            x_forwarded = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                Use the X-Forwarded-For (XFF) header as the client IP and not the
+                actual client IP.
+              '';
+            };
+            resources = mkOption {
+              type = types.listOf (types.submodule {
+                options = {
+                  names = mkOption {
+                    type = types.listOf types.str;
+                    description = ''
+                      List of resources to host on this listener.
+                    '';
+                    example = ["client" "webclient" "federation"];
+                  };
+                  compress = mkOption {
+                    type = types.bool;
+                    description = ''
+                      Should synapse compress HTTP responses to clients that support it?
+                      This should be disabled if running synapse behind a load balancer
+                      that can do automatic compression.
+                    '';
+                  };
+                };
+              });
+              description = ''
+                List of HTTP resources to serve on this listener.
+              '';
+            };
+          };
+        });
+        default = [{
+          port = 8448;
+          bind_address = "";
+          type = "http";
+          tls = true;
+          x_forwarded = false;
+          resources = [
+            { names = ["client" "webclient"]; compress = true; }
+            { names = ["federation"]; compress = false; }
+          ];
+        }];
+        description = ''
+          List of ports that Synapse should listen on, their purpose and their configuration.
+        '';
+      };
+      verbose = mkOption {
+        type = types.str;
+        default = "0";
+        description = "Logging verbosity level.";
+      };
+      rc_messages_per_second = mkOption {
+        type = types.str;
+        default = "0.2";
+        description = "Number of messages a client can send per second";
+      };
+      rc_message_burst_count = mkOption {
+        type = types.str;
+        default = "10.0";
+        description = "Number of message a client can send before being throttled";
+      };
+      federation_rc_window_size = mkOption {
+        type = types.str;
+        default = "1000";
+        description = "The federation window size in milliseconds";
+      };
+      federation_rc_sleep_limit = mkOption {
+        type = types.str;
+        default = "10";
+        description = ''
+          The number of federation requests from a single server in a window
+          before the server will delay processing the request.
+        '';
+      };
+      federation_rc_sleep_delay = mkOption {
+        type = types.str;
+        default = "500";
+        description = ''
+          The duration in milliseconds to delay processing events from
+          remote servers by if they go over the sleep limit.
+        '';
+      };
+      federation_rc_reject_limit = mkOption {
+        type = types.str;
+        default = "50";
+        description = ''
+          The maximum number of concurrent federation requests allowed
+          from a single server
+        '';
+      };
+      federation_rc_concurrent = mkOption {
+        type = types.str;
+        default = "3";
+        description = "The number of federation requests to concurrently process from a single server";
+      };
       database_type = mkOption {
         type = types.enum [ "sqlite3" "psycopg2" ];
         default = "sqlite3";
@@ -150,6 +337,11 @@ in {
           Arguments to pass to the engine.
         '';
       };
+      event_cache_size = mkOption {
+        type = types.str;
+        default = "10K";
+        description = "Number of events to cache in memory.";
+      };
       recaptcha_private_key = mkOption {
         type = types.str;
         default = "";
@@ -187,6 +379,11 @@ in {
           The shared secret used to compute passwords for the TURN server
         '';
       };
+      turn_user_lifetime = mkOption {
+        type = types.str;
+        default = "1h";
+        description = "How long generated TURN credentials last";
+      };
       enable_registration = mkOption {
         type = types.bool;
         default = false;
@@ -195,8 +392,8 @@ in {
         '';
       };
       registration_shared_secret = mkOption {
-        type = types.str;
-        default = "";
+        type = types.nullOr types.str;
+        default = null;
         description = ''
           If set, allows registration by anyone who also has the shared
           secret, even if registration is otherwise disabled.
@@ -216,7 +413,7 @@ in {
         '';
       };
       servers = mkOption {
-        type = types.attrs;
+        type = types.attrsOf (types.attrsOf types.str);
         default = {
           "matrix.org" = {
             "ed25519:auto" = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
@@ -226,6 +423,69 @@ in {
           The trusted servers to download signing keys from.
         '';
       };
+      max_upload_size = mkOption {
+        type = types.str;
+        default = "10M";
+        description = "The largest allowed upload size in bytes";
+      };
+      max_image_pixels = mkOption {
+        type = types.str;
+        default = "32M";
+        description = "Maximum number of pixels that will be thumbnailed";
+      };
+      dynamic_thumbnails = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to generate new thumbnails on the fly to precisely match
+          the resolution requested by the client. If true then whenever
+          a new resolution is requested by the client the server will
+          generate a new thumbnail. If false the server will pick a thumbnail
+          from a precalculated list.
+        '';
+      };
+      user_creation_max_duration = mkOption {
+        type = types.str;
+        default = "1209600000";
+        description = ''
+          Sets the expiry for the short term user creation in
+          milliseconds. The default value is two weeks.
+        '';
+      };
+      bcrypt_rounds = mkOption {
+        type = types.str;
+        default = "12";
+        description = ''
+          Set the number of bcrypt rounds used to generate password hash.
+          Larger numbers increase the work factor needed to generate the hash.
+        '';
+      };
+      allow_guest_access = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Allows users to register as guests without a password/email/etc, and
+          participate in rooms hosted on this server which have been made
+          accessible to anonymous users.
+        '';
+      };
+      key_refresh_interval = mkOption {
+        type = types.str;
+        default = "1d";
+        description = ''
+          How long key response published by this server is valid for.
+          Used to set the valid_until_ts in /key/v2 APIs.
+          Determines how quickly servers will query to check which keys
+          are still valid.
+        '';
+      };
+      app_service_config_files = mkOption {
+        type = types.listOf types.path;
+        default = [ ];
+        description = ''
+          A list of application service config file to use
+        '';
+      };
       extraConfig = mkOption {
         type = types.lines;
         default = "";
@@ -265,7 +525,7 @@ in {
         mkdir -p /var/lib/matrix-synapse
         chmod 700 /var/lib/matrix-synapse
         chown -R matrix-synapse:matrix-synapse /var/lib/matrix-synapse
-        ${cfg.package}/bin/homeserver --config-path ${configFile} --generate-keys
+        ${cfg.package}/bin/homeserver --config-path ${configFile} --keys-directory /var/lib/matrix-synapse/ --generate-keys
       '';
       serviceConfig = {
         Type = "simple";

nixos/modules/services/misc/nix-daemon.nix

@@ -257,13 +257,11 @@ in
         type = types.bool;
         default = true;
         description = ''
-          If enabled, Nix will only download binaries from binary
-          caches if they are cryptographically signed with any of the
-          keys listed in
-          <option>nix.binaryCachePublicKeys</option>. If disabled (the
-          default), signatures are neither required nor checked, so
-          it's strongly recommended that you use only trustworthy
-          caches and https to prevent man-in-the-middle attacks.
+          If enabled (the default), Nix will only download binaries from binary caches if
+          they are cryptographically signed with any of the keys listed in
+          <option>nix.binaryCachePublicKeys</option>. If disabled, signatures are neither
+          required nor checked, so it's strongly recommended that you use only
+          trustworthy caches and https to prevent man-in-the-middle attacks.
         '';
       };
 

nixos/modules/services/monitoring/dd-agent.nix

@@ -72,6 +72,7 @@ let
   postgresqlConfig = pkgs.writeText "postgres.yaml" cfg.postgresqlConfig;
   nginxConfig = pkgs.writeText "nginx.yaml" cfg.nginxConfig;
   mongoConfig = pkgs.writeText "mongo.yaml" cfg.mongoConfig;
+  jmxConfig = pkgs.writeText "jmx.yaml" cfg.jmxConfig;
   
   etcfiles =
     [ { source = ddConf;
@@ -94,6 +95,10 @@ let
     (optional (cfg.mongoConfig != null)
       { source = mongoConfig;
         target = "dd-agent/conf.d/mongo.yaml";
+      }) ++
+    (optional (cfg.jmxConfig != null)
+      { source = jmxConfig;
+        target = "dd-agent/conf.d/jmx.yaml";
       });
 
 in {
@@ -141,6 +146,13 @@ in {
       default = null;
       type = types.uniq (types.nullOr types.string);
     };
+
+    jmxConfig = mkOption {
+      description = "JMX integration configuration";
+      default = null;
+      type = types.uniq (types.nullOr types.string);
+    };
+
   };
 
   config = mkIf cfg.enable {
@@ -167,7 +179,7 @@ in {
         Restart = "always";
         RestartSec = 2;
       };
-      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
+      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig ];
     };
 
     systemd.services.dogstatsd = {
@@ -183,7 +195,21 @@ in {
         Restart = "always";
         RestartSec = 2;
       };
-      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig ];
+      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig ];
+    };
+
+    systemd.services.dd-jmxfetch = lib.mkIf (cfg.jmxConfig != null) {
+      description = "Datadog JMX Fetcher";
+      path = [ pkgs."dd-agent" pkgs.python pkgs.sysstat pkgs.procps pkgs.jdk ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.dd-agent}/bin/dd-jmxfetch";
+        User = "datadog";
+        Group = "datadog";
+        Restart = "always";
+        RestartSec = 2;
+      };
+      restartTriggers = [ pkgs.dd-agent ddConf diskConfig networkConfig postgresqlConfig nginxConfig mongoConfig jmxConfig ];
     };
 
     environment.etc = etcfiles;

nixos/modules/services/monitoring/graphite.nix

@@ -51,7 +51,13 @@ let
   '';
 
   carbonEnv = {
-    PYTHONPATH = "${pkgs.python27Packages.carbon}/lib/python2.7/site-packages";
+    PYTHONPATH = let
+      cenv = pkgs.python.buildEnv.override {
+        extraLibs = [ pkgs.python27Packages.carbon ];
+      };
+      cenvPack =  "${cenv}/${pkgs.python.sitePackages}";
+    # opt/graphite/lib contains twisted.plugins.carbon-cache
+    in "${cenvPack}/opt/graphite/lib:${cenvPack}";
     GRAPHITE_ROOT = dataDir;
     GRAPHITE_CONF_DIR = configDir;
     GRAPHITE_STORAGE_DIR = dataDir;
@@ -445,10 +451,21 @@ in {
         after = [ "network-interfaces.target" ];
         path = [ pkgs.perl ];
         environment = {
-          PYTHONPATH = "${pkgs.python27Packages.graphite_web}/lib/python2.7/site-packages";
+          PYTHONPATH = let
+              penv = pkgs.python.buildEnv.override {
+                extraLibs = [
+                  pkgs.python27Packages.graphite_web
+                  pkgs.python27Packages.pysqlite
+                ];
+              };
+              penvPack = "${penv}/${pkgs.python.sitePackages}";
+              # opt/graphite/webapp contains graphite/settings.py
+              # explicitly adding pycairo in path because it cannot be imported via buildEnv
+            in "${penvPack}/opt/graphite/webapp:${penvPack}:${pkgs.pycairo}/${pkgs.python.sitePackages}";
           DJANGO_SETTINGS_MODULE = "graphite.settings";
           GRAPHITE_CONF_DIR = configDir;
           GRAPHITE_STORAGE_DIR = dataDir;
+          LD_LIBRARY_PATH = "${pkgs.cairo}/lib";
         };
         serviceConfig = {
           ExecStart = ''
@@ -486,9 +503,11 @@ in {
         wantedBy = [ "multi-user.target" ];
         after = [ "network-interfaces.target" ];
         environment = {
-          PYTHONPATH =
-            "${cfg.api.package}/lib/python2.7/site-packages:" +
-            concatMapStringsSep ":" (f: f + "/lib/python2.7/site-packages") cfg.api.finders;
+          PYTHONPATH = let
+              aenv = pkgs.python.buildEnv.override {
+                extraLibs = [ cfg.api.package pkgs.cairo ] ++ cfg.api.finders;
+              };
+            in "${aenv}/${pkgs.python.sitePackages}";
           GRAPHITE_API_CONFIG = graphiteApiConfig;
           LD_LIBRARY_PATH = "${pkgs.cairo}/lib";
         };

nixos/modules/services/network-filesystems/nfsd.nix

@@ -126,7 +126,7 @@ in
       { description = "NFSv3 Mount Daemon";
 
         requires = [ "rpcbind.service" ];
-        after = [ "rpcbind.service" ];
+        after = [ "rpcbind.service" "local-fs.target" ];
 
         path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
 

nixos/modules/services/network-filesystems/openafs-client/default.nix

@@ -80,7 +80,7 @@ in
       preStart = ''
         mkdir -p -m 0755 /afs
         mkdir -m 0700 -p ${cfg.cacheDirectory}
-        ${pkgs.module_init_tools}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true
+        ${pkgs.kmod}/sbin/insmod ${openafsPkgs}/lib/openafs/libafs-*.ko || true
         ${openafsPkgs}/sbin/afsd -confdir ${afsConfig} -cachedir ${cfg.cacheDirectory} ${if cfg.sparse then "-dynroot-sparse" else "-dynroot"} -fakestat -afsdb
         ${openafsPkgs}/bin/fs setcrypt ${if cfg.crypt then "on" else "off"}
       '';
@@ -92,7 +92,7 @@ in
       preStop = ''
         ${pkgs.utillinux}/bin/umount /afs
         ${openafsPkgs}/sbin/afsd -shutdown
-        ${pkgs.module_init_tools}/sbin/rmmod libafs
+        ${pkgs.kmod}/sbin/rmmod libafs
       '';
     };
   };

nixos/modules/services/networking/ddclient.nix

@@ -7,22 +7,8 @@ let
 
   stateDir = "/var/spool/ddclient";
   ddclientUser = "ddclient";
-  ddclientFlags = "-foreground -verbose -noquiet -file ${ddclientCfg}";
+  ddclientFlags = "-foreground -verbose -noquiet -file /etc/ddclient.conf";
   ddclientPIDFile = "${stateDir}/ddclient.pid";
-  ddclientCfg = pkgs.writeText "ddclient.conf" ''
-    daemon=600
-    cache=${stateDir}/ddclient.cache
-    pid=${ddclientPIDFile}
-    use=${config.services.ddclient.use}
-    login=${config.services.ddclient.username}
-    password=${config.services.ddclient.password}
-    protocol=${config.services.ddclient.protocol}
-    server=${config.services.ddclient.server}
-    ssl=${if config.services.ddclient.ssl then "yes" else "no"}
-    wildcard=YES
-    ${config.services.ddclient.domain}
-    ${config.services.ddclient.extraConfig}
-  '';
 
 in
 
@@ -62,7 +48,7 @@ in
         default = "";
         type = str;
         description = ''
-          Password.
+          Password. WARNING: The password becomes world readable in the Nix store.
         '';
       };
 
@@ -122,10 +108,30 @@ in
       home = stateDir;
     };
 
+    environment.etc."ddclient.conf" = {
+      uid = config.ids.uids.ddclient;
+      mode = "0600";
+      text = ''
+        daemon=600
+        cache=${stateDir}/ddclient.cache
+        pid=${ddclientPIDFile}
+        use=${config.services.ddclient.use}
+        login=${config.services.ddclient.username}
+        password=${config.services.ddclient.password}
+        protocol=${config.services.ddclient.protocol}
+        server=${config.services.ddclient.server}
+        ssl=${if config.services.ddclient.ssl then "yes" else "no"}
+        wildcard=YES
+        ${config.services.ddclient.domain}
+        ${config.services.ddclient.extraConfig}
+      '';
+    };
+
     systemd.services.ddclient = {
       description = "Dynamic DNS Client";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
+      restartTriggers = [ config.environment.etc."ddclient.conf".source ];
 
       serviceConfig = {
         # Uncomment this if too many problems occur:

nixos/modules/services/networking/shairport-sync.nix

@@ -52,6 +52,8 @@ in
   config = mkIf config.services.shairport-sync.enable {
 
     services.avahi.enable = true;
+    services.avahi.publish.enable = true;
+    services.avahi.publish.userServices = true;
 
     users.extraUsers = singleton
       { name = cfg.user;

nixos/modules/services/networking/unbound.nix

@@ -106,8 +106,10 @@ in
       preStart = ''
         mkdir -m 0755 -p ${stateDir}/dev/
         cp ${confFile} ${stateDir}/unbound.conf
+        ${optionalString cfg.enableRootTrustAnchor ''
         ${pkgs.unbound}/bin/unbound-anchor -a ${rootTrustAnchorFile}
         chown unbound ${stateDir} ${rootTrustAnchorFile}
+        ''}
         touch ${stateDir}/dev/random
         ${pkgs.utillinux}/bin/mount --bind -n /dev/random ${stateDir}/dev/random
       '';

nixos/modules/services/search/elasticsearch.nix

@@ -156,11 +156,14 @@ in {
 
     environment.systemPackages = [ cfg.package ];
 
-    users.extraUsers = singleton {
-      name = "elasticsearch";
-      uid = config.ids.uids.elasticsearch;
-      description = "Elasticsearch daemon user";
-      home = cfg.dataDir;
+    users = {
+      groups.elasticsearch.gid = config.ids.gids.elasticsearch;
+      users.elasticsearch = {
+        uid = config.ids.uids.elasticsearch;
+        description = "Elasticsearch daemon user";
+        home = cfg.dataDir;
+        group = "elasticsearch";
+      };
     };
   };
 }

nixos/modules/services/security/fail2ban.nix

@@ -101,7 +101,7 @@ in
         after = [ "network.target" ];
 
         restartTriggers = [ fail2banConf jailConf ];
-        path = [ pkgs.fail2ban pkgs.iptables ];
+        path = [ pkgs.fail2ban pkgs.iptables pkgs.iproute ];
 
         preStart =
           ''

nixos/modules/services/system/kerberos.nix

@@ -4,7 +4,7 @@ let
 
   inherit (lib) mkOption mkIf singleton;
 
-  inherit (pkgs) heimdal;
+  inherit (pkgs) heimdalFull;
 
   stateDir = "/var/heimdal";
 in
@@ -33,7 +33,7 @@ in
 
   config = mkIf config.services.kerberos_server.enable {
 
-    environment.systemPackages = [ heimdal ];
+    environment.systemPackages = [ heimdalFull ];
 
     services.xinetd.enable = true;
     services.xinetd.services = lib.singleton
@@ -42,7 +42,7 @@ in
         protocol = "tcp";
         user = "root";
         server = "${pkgs.tcp_wrappers}/sbin/tcpd";
-        serverArgs = "${pkgs.heimdal}/sbin/kadmind";
+        serverArgs = "${pkgs.heimdalFull}/sbin/kadmind";
       };
 
     systemd.services.kdc = {
@@ -51,13 +51,13 @@ in
       preStart = ''
         mkdir -m 0755 -p ${stateDir}
       '';
-      script = "${heimdal}/sbin/kdc";
+      script = "${heimdalFull}/sbin/kdc";
     };
 
     systemd.services.kpasswdd = {
       description = "Kerberos Domain Controller daemon";
       wantedBy = [ "multi-user.target" ];
-      script = "${heimdal}/sbin/kpasswdd";
+      script = "${heimdalFull}/sbin/kpasswdd";
     };
   };
 

nixos/modules/services/web-servers/apache-httpd/default.nix

@@ -685,6 +685,7 @@ in
 
         serviceConfig.ExecStart = "@${httpd}/bin/httpd httpd -f ${httpdConf}";
         serviceConfig.ExecStop = "${httpd}/bin/httpd -f ${httpdConf} -k graceful-stop";
+        serviceConfig.ExecReload = "${httpd}/bin/httpd -f ${httpdConf} -k graceful";
         serviceConfig.Type = "forking";
         serviceConfig.PIDFile = "${mainCfg.stateDir}/httpd.pid";
         serviceConfig.Restart = "always";

nixos/modules/services/web-servers/apache-httpd/trac.nix

@@ -5,14 +5,19 @@ with lib;
 let
 
   # Build a Subversion instance with Apache modules and Swig/Python bindings.
-  subversion = pkgs.subversion.override (origArgs: {
+  subversion = pkgs.subversion.override {
     bdbSupport = true;
     httpServer = true;
     pythonBindings = true;
-  });
+    apacheHttpd = httpd;
+  };
 
   pythonLib = p: "${p}/";
 
+  httpd = serverInfo.serverConfig.package;
+
+  versionPre24 = versionOlder httpd.version "2.4";
+
 in
 
 {
@@ -82,7 +87,7 @@ in
         AuthName "${config.ldapAuthentication.name}"
         AuthBasicProvider "ldap"
         AuthLDAPURL "${config.ldapAuthentication.url}"
-        authzldapauthoritative Off
+        ${if versionPre24 then "authzldapauthoritative Off" else ""}
         require valid-user
       </LocationMatch>
     '' else ""}

nixos/modules/services/web-servers/uwsgi.nix

@@ -32,17 +32,27 @@ let
         self = pythonPackages;
       };
 
-      json = builtins.toJSON {
+      penv = python.buildEnv.override {
+        extraLibs = (c.pythonPackages or (self: [])) pythonPackages;
+      };
+
+      uwsgiCfg = {
         uwsgi =
           if c.type == "normal"
             then {
               inherit plugins;
             } // removeAttrs c [ "type" "pythonPackages" ]
               // optionalAttrs (python != null) {
-                pythonpath = "@PYTHONPATH@";
-                env = (c.env or {}) // {
-                  PATH = optionalString (c ? env.PATH) "${c.env.PATH}:" + "@PATH@";
-                };
+                pythonpath = "${penv}/${python.sitePackages}";
+                env =
+                  # Argh, uwsgi expects list of key-values there instead of a dictionary.
+                  let env' = c.env or [];
+                      getPath =
+                        x: if hasPrefix "PATH=" x
+                           then substring (stringLength "PATH=") (stringLength x) x
+                           else null;
+                      oldPaths = filter (x: x != null) (map getPath env');
+                  in env' ++ [ "PATH=${optionalString (oldPaths != []) "${last oldPaths}:"}${penv}/bin" ];
               }
           else if c.type == "emperor"
             then {
@@ -55,35 +65,7 @@ let
           else throw "`type` attribute in UWSGI configuration should be either 'normal' or 'emperor'";
       };
 
-    in
-      if python == null || c.type != "normal"
-      then pkgs.writeTextDir "${name}.json" json
-      else pkgs.stdenv.mkDerivation {
-        name = "uwsgi-config";
-        inherit json;
-        passAsFile = [ "json" ];
-        nativeBuildInputs = [ pythonPackages.wrapPython ];
-        pythonInputs = (c.pythonPackages or (self: [])) pythonPackages;
-
-        buildCommand = ''
-          mkdir $out
-          declare -A pythonPathsSeen=()
-          program_PYTHONPATH=
-          program_PATH=
-          if [ -n "$pythonInputs" ]; then
-            for i in $pythonInputs; do
-              _addToPythonPath $i
-            done
-          fi
-          # A hack to replace "@PYTHONPATH@" with a JSON list
-          if [ -n "$program_PYTHONPATH" ]; then
-            program_PYTHONPATH="\"''${program_PYTHONPATH//:/\",\"}\""
-          fi
-          substitute $jsonPath $out/${name}.json \
-            --replace '"@PYTHONPATH@"' "[$program_PYTHONPATH]" \
-            --subst-var-by PATH "$program_PATH"
-        '';
-      };
+    in pkgs.writeTextDir "${name}.json" (builtins.toJSON uwsgiCfg);
 
 in {
 

nixos/modules/services/x11/colord.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.colord;
+
+in {
+
+  options = {
+
+    services.colord = {
+      enable = mkEnableOption "colord, the color management daemon";
+    };
+
+  };
+
+  config = mkIf cfg.enable {
+
+    services.dbus.packages = [ pkgs.colord ];
+
+    services.udev.packages = [ pkgs.colord ];
+
+    environment.systemPackages = [ pkgs.colord ];
+
+    systemd.services.colord = {
+      description = "Manage, Install and Generate Color Profiles";
+      serviceConfig = {
+        Type = "dbus";
+        BusName = "org.freedesktop.ColorManager";
+        ExecStart = "${pkgs.colord}/libexec/colord";
+        PrivateTmp = true;
+      };
+    };
+
+  };
+
+}

nixos/modules/services/x11/desktop-managers/gnome3.nix

@@ -99,6 +99,8 @@ in {
     services.telepathy.enable = mkDefault true;
     networking.networkmanager.enable = mkDefault true;
     services.upower.enable = config.powerManagement.enable;
+    services.dbus.packages = mkIf config.services.printing.enable [ pkgs.system-config-printer ];
+    services.colord.enable = mkDefault true;
     hardware.bluetooth.enable = mkDefault true;
 
     fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];

nixos/modules/services/x11/redshift.nix

@@ -94,11 +94,9 @@ in {
   };
 
   config = mkIf cfg.enable {
-    systemd.services.redshift = {
+    systemd.user.services.redshift = {
       description = "Redshift colour temperature adjuster";
-      requires = [ "display-manager.service" ];
-      after = [ "display-manager.service" ];
-      wantedBy = [ "graphical.target" ];
+      wantedBy = [ "default.target" ];
       serviceConfig = {
         ExecStart = ''
           ${cfg.package}/bin/redshift \
@@ -107,10 +105,10 @@ in {
             -b ${toString cfg.brightness.day}:${toString cfg.brightness.night} \
             ${lib.strings.concatStringsSep " " cfg.extraOptions}
         '';
-	RestartSec = 3;
+        RestartSec = 3;
+        Restart = "always";
       };
       environment = { DISPLAY = ":0"; };
-      serviceConfig.Restart = "always";
     };
   };
 

nixos/modules/services/x11/terminal-server.nix

@@ -41,7 +41,7 @@ with lib;
       { description = "Terminal Server";
 
         path =
-          [ pkgs.xorgserver pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
+          [ pkgs.xorg.xorgserver pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
             pkgs.nettools pkgs.shadow pkgs.procps pkgs.utillinux pkgs.bash
           ];
 

nixos/modules/services/x11/xserver.nix

@@ -16,6 +16,7 @@ let
     virtualbox = { modules = [ kernelPackages.virtualboxGuestAdditions ]; driverName = "vboxvideo"; };
     ati = { modules = with pkgs.xorg; [ xf86videoati glamoregl ]; };
     intel = { modules = with pkgs.xorg; [ xf86videointel glamoregl ]; };
+    modesetting = { modules = []; };
   };
 
   fontsForXServer =
@@ -478,6 +479,7 @@ in
         xorg.xsetroot
         xorg.xinput
         xorg.xprop
+        xorg.xauth
         pkgs.xterm
         pkgs.xdg_utils
       ]
@@ -525,8 +527,7 @@ in
       };
 
     services.xserver.displayManager.xserverArgs =
-      [ "-ac"
-        "-terminate"
+      [ "-terminate"
         "-config ${configFile}"
         "-xkbdir" "${cfg.xkbDir}"
       ] ++ optional (cfg.display != null) ":${toString cfg.display}"

nixos/modules/system/activation/switch-to-configuration.pl

@@ -261,7 +261,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
 
 sub pathToUnitName {
     my ($path) = @_;
-    open my $cmd, "-|", "systemd-escape", "--suffix=mount", "-p", $path
+    open my $cmd, "-|", "@systemd@/bin/systemd-escape", "--suffix=mount", "-p", $path
         or die "Unable to escape $path!\n";
     my $escaped = join "", <$cmd>;
     chomp $escaped;

nixos/modules/system/boot/coredump.nix

@@ -50,6 +50,11 @@ with lib;
 
     (mkIf (!config.systemd.coredump.enable) {
       boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
+
+      systemd.extraConfig =
+        ''
+          DefaultLimitCORE=0:infinity
+        '';
     })
   ];
 

nixos/modules/system/boot/kernel.nix

@@ -200,8 +200,8 @@ in
         "hid_generic" "hid_lenovo"
         "hid_apple" "hid_logitech_dj" "hid_lenovo_tpkbd" "hid_roccat"
 
-        # Misc. stuff.
-        "pcips2" "atkbd"
+        # Misc. keyboard stuff.
+        "pcips2" "atkbd" "i8042"
 
         # To wait for SCSI devices to appear.
         "scsi_wait_scan"

nixos/modules/system/boot/loader/grub/install-grub.pl

@@ -501,7 +501,7 @@ sub getEfiTarget {
 my @deviceTargets = getDeviceTargets();
 my $efiTarget = getEfiTarget();
 my $prevGrubState = readGrubState();
-my @prevDeviceTargets = split/:/, $prevGrubState->devices;
+my @prevDeviceTargets = split/,/, $prevGrubState->devices;
 
 my $devicesDiffer = scalar (List::Compare->new( '-u', '-a', \@deviceTargets, \@prevDeviceTargets)->get_symmetric_difference());
 my $nameDiffer = get("fullName") ne $prevGrubState->name;
@@ -549,7 +549,7 @@ if ($requireNewInstall != 0) {
     print FILE get("fullName"), "\n" or die;
     print FILE get("fullVersion"), "\n" or die;
     print FILE $efiTarget, "\n" or die;
-    print FILE join( ":", @deviceTargets ), "\n" or die;
+    print FILE join( ",", @deviceTargets ), "\n" or die;
     print FILE $efiSysMountPoint, "\n" or die;
     close FILE or die;
 }

nixos/modules/system/boot/stage-1-init.sh

@@ -434,16 +434,23 @@ udevadm control --exit
 
 # Reset the logging file descriptors.
 # Do this just before pkill, which will kill the tee process.
-if test -n "@logCommands@"
-then
-    exec 1>&$logOutFd 2>&$logErrFd
-    eval "exec $logOutFd>&- $logErrFd>&-"
-fi
+exec 1>&$logOutFd 2>&$logErrFd
+eval "exec $logOutFd>&- $logErrFd>&-"
 
 # Kill any remaining processes, just to be sure we're not taking any
 # with us into stage 2. But keep storage daemons like unionfs-fuse.
-pkill -9 -v -f '@'
-
+#
+# Storage daemons are distinguished by an @ in front of their command line:
+# https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/
+local pidsToKill="$(pgrep -v -f '^@')"
+for pid in $pidsToKill; do
+    # Make sure we don't kill kernel processes, see #15226 and:
+    # http://stackoverflow.com/questions/12213445/identifying-kernel-threads
+    readlink "/proc/$pid/exe" &> /dev/null || continue
+    # Try to avoid killing ourselves.
+    [ $pid -eq $$ ] && continue
+    kill -9 "$pid"
+done
 
 if test -n "$debug1mounts"; then fail; fi
 

nixos/modules/system/boot/stage-1.nix

@@ -67,6 +67,10 @@ let
         copy_bin_and_libs $BIN
       done
 
+      # Copy modprobe.
+      copy_bin_and_libs ${pkgs.kmod}/bin/kmod
+      ln -sf kmod $out/bin/modprobe
+
       # Copy resize2fs if needed.
       ${optionalString (any (fs: fs.autoResize) (attrValues config.fileSystems)) ''
         # We need mke2fs in the initrd.

nixos/modules/system/boot/systemd.nix

@@ -747,7 +747,7 @@ in
         { wantedBy = [ "timers.target" ];
           timerConfig.OnCalendar = service.startAt;
         })
-        (filterAttrs (name: service: service.startAt != "") cfg.services);
+        (filterAttrs (name: service: service.enable && service.startAt != "") cfg.services);
 
     # Generate timer units for all services that have a ‘startAt’ value.
     systemd.user.timers =

nixos/modules/tasks/filesystems/zfs.nix

@@ -228,8 +228,18 @@ in
               esac
             done
             ''] ++ (map (pool: ''
-            echo "importing root ZFS pool \"${pool}\"..."
-            zpool import -d ${cfgZfs.devNodes} -N $ZFS_FORCE "${pool}"
+            echo -n "importing root ZFS pool \"${pool}\"..."
+            trial=0
+            until msg="$(zpool import -d ${cfgZfs.devNodes} -N $ZFS_FORCE '${pool}' 2>&1)"; do
+              sleep 0.25
+              echo -n .
+              trial=$(($trial + 1))
+              if [[ $trial -eq 60 ]]; then
+                break
+              fi
+            done
+            echo
+            if [[ -n "$msg" ]]; then echo "$msg"; fi
         '') rootPools));
       };
 

nixos/modules/tasks/network-interfaces.nix

@@ -391,7 +391,7 @@ in
     };
 
     networking.localCommands = mkOption {
-      type = types.str;
+      type = types.lines;
       default = "";
       example = "text=anything; echo You can put $text here.";
       description = ''

nixos/modules/testing/test-instrumentation.nix

@@ -113,6 +113,14 @@ let kernel = config.boot.kernelPackages.kernel; in
     # Make it easy to log in as root when running the test interactively.
     users.extraUsers.root.initialHashedPassword = mkOverride 150 "";
 
+    # Bump kdm's X server start timeout to account for heavily loaded
+    # VM host systems.
+    services.xserver.displayManager.kdm.extraConfig =
+      ''
+        [X-:*-Core]
+        ServerTimeout=240
+      '';
+
   };
 
 }

nixos/modules/virtualisation/amazon-image.nix

@@ -20,7 +20,12 @@ let cfg = config.ec2; in
       autoResize = true;
     };
 
+    boot.extraModulePackages =
+      [ config.boot.kernelPackages.ixgbevf
+        config.boot.kernelPackages.ena
+      ];
     boot.initrd.kernelModules = [ "xen-blkfront" "xen-netfront" ];
+    boot.initrd.availableKernelModules = [ "ixgbevf" "ena" ];
     boot.kernelParams = mkIf cfg.hvm [ "console=ttyS0" ];
 
     # Prevent the nouveau kernel module from being loaded, as it

nixos/modules/virtualisation/containers.nix

@@ -299,7 +299,7 @@ in
               fi
             ''}
 
-
+            rm -f $root/var/lib/private/host-notify
 
             # Run systemd-nspawn without startup notification (we'll
             # wait for the container systemd to signal readiness).

nixos/modules/virtualisation/ec2-amis.nix

@@ -0,0 +1,137 @@
+{
+  "14.04".ap-northeast-1.hvm-ebs = "ami-71c6f470";
+  "14.04".ap-northeast-1.pv-ebs = "ami-4dcbf84c";
+  "14.04".ap-northeast-1.pv-s3 = "ami-8fc4f68e";
+  "14.04".ap-southeast-1.hvm-ebs = "ami-da280888";
+  "14.04".ap-southeast-1.pv-ebs = "ami-7a9dbc28";
+  "14.04".ap-southeast-1.pv-s3 = "ami-c4290996";
+  "14.04".ap-southeast-2.hvm-ebs = "ami-ab523e91";
+  "14.04".ap-southeast-2.pv-ebs = "ami-6769055d";
+  "14.04".ap-southeast-2.pv-s3 = "ami-15533f2f";
+  "14.04".eu-central-1.hvm-ebs = "ami-ba0234a7";
+  "14.04".eu-west-1.hvm-ebs = "ami-96cb63e1";
+  "14.04".eu-west-1.pv-ebs = "ami-b48c25c3";
+  "14.04".eu-west-1.pv-s3 = "ami-06cd6571";
+  "14.04".sa-east-1.hvm-ebs = "ami-01b90e1c";
+  "14.04".sa-east-1.pv-ebs = "ami-69e35474";
+  "14.04".sa-east-1.pv-s3 = "ami-61b90e7c";
+  "14.04".us-east-1.hvm-ebs = "ami-58ba3a30";
+  "14.04".us-east-1.pv-ebs = "ami-9e0583f6";
+  "14.04".us-east-1.pv-s3 = "ami-9cbe3ef4";
+  "14.04".us-west-1.hvm-ebs = "ami-0bc3d74e";
+  "14.04".us-west-1.pv-ebs = "ami-8b1703ce";
+  "14.04".us-west-1.pv-s3 = "ami-27ccd862";
+  "14.04".us-west-2.hvm-ebs = "ami-3bf1bf0b";
+  "14.04".us-west-2.pv-ebs = "ami-259bd515";
+  "14.04".us-west-2.pv-s3 = "ami-07094037";
+
+  "14.12".ap-northeast-1.hvm-ebs = "ami-24435f25";
+  "14.12".ap-northeast-1.pv-ebs = "ami-b0425eb1";
+  "14.12".ap-northeast-1.pv-s3 = "ami-fed3c6ff";
+  "14.12".ap-southeast-1.hvm-ebs = "ami-6c765d3e";
+  "14.12".ap-southeast-1.pv-ebs = "ami-6a765d38";
+  "14.12".ap-southeast-1.pv-s3 = "ami-d1bf9183";
+  "14.12".ap-southeast-2.hvm-ebs = "ami-af86f395";
+  "14.12".ap-southeast-2.pv-ebs = "ami-b386f389";
+  "14.12".ap-southeast-2.pv-s3 = "ami-69c5ae53";
+  "14.12".eu-central-1.hvm-ebs = "ami-4a497a57";
+  "14.12".eu-central-1.pv-ebs = "ami-4c497a51";
+  "14.12".eu-central-1.pv-s3 = "ami-60f2c27d";
+  "14.12".eu-west-1.hvm-ebs = "ami-d126a5a6";
+  "14.12".eu-west-1.pv-ebs = "ami-0126a576";
+  "14.12".eu-west-1.pv-s3 = "ami-deda5fa9";
+  "14.12".sa-east-1.hvm-ebs = "ami-2d239e30";
+  "14.12".sa-east-1.pv-ebs = "ami-35239e28";
+  "14.12".sa-east-1.pv-s3 = "ami-81e3519c";
+  "14.12".us-east-1.hvm-ebs = "ami-0c463a64";
+  "14.12".us-east-1.pv-ebs = "ami-ac473bc4";
+  "14.12".us-east-1.pv-s3 = "ami-00e18a68";
+  "14.12".us-west-1.hvm-ebs = "ami-ca534a8f";
+  "14.12".us-west-1.pv-ebs = "ami-3e534a7b";
+  "14.12".us-west-1.pv-s3 = "ami-2905196c";
+  "14.12".us-west-2.hvm-ebs = "ami-fb9dc3cb";
+  "14.12".us-west-2.pv-ebs = "ami-899dc3b9";
+  "14.12".us-west-2.pv-s3 = "ami-cb7f2dfb";
+
+  "15.09".ap-northeast-1.hvm-ebs = "ami-58cac236";
+  "15.09".ap-northeast-1.hvm-s3 = "ami-39c8c057";
+  "15.09".ap-northeast-1.pv-ebs = "ami-5ac9c134";
+  "15.09".ap-northeast-1.pv-s3 = "ami-03cec66d";
+  "15.09".ap-southeast-1.hvm-ebs = "ami-2fc2094c";
+  "15.09".ap-southeast-1.hvm-s3 = "ami-9ec308fd";
+  "15.09".ap-southeast-1.pv-ebs = "ami-95c00bf6";
+  "15.09".ap-southeast-1.pv-s3 = "ami-bfc00bdc";
+  "15.09".ap-southeast-2.hvm-ebs = "ami-996c4cfa";
+  "15.09".ap-southeast-2.hvm-s3 = "ami-3f6e4e5c";
+  "15.09".ap-southeast-2.pv-ebs = "ami-066d4d65";
+  "15.09".ap-southeast-2.pv-s3 = "ami-cc6e4eaf";
+  "15.09".eu-central-1.hvm-ebs = "ami-3f8c6b50";
+  "15.09".eu-central-1.hvm-s3 = "ami-5b836434";
+  "15.09".eu-central-1.pv-ebs = "ami-118c6b7e";
+  "15.09".eu-central-1.pv-s3 = "ami-2c977043";
+  "15.09".eu-west-1.hvm-ebs = "ami-9cf04aef";
+  "15.09".eu-west-1.hvm-s3 = "ami-2bea5058";
+  "15.09".eu-west-1.pv-ebs = "ami-c9e852ba";
+  "15.09".eu-west-1.pv-s3 = "ami-c6f64cb5";
+  "15.09".sa-east-1.hvm-ebs = "ami-6e52df02";
+  "15.09".sa-east-1.hvm-s3 = "ami-1852df74";
+  "15.09".sa-east-1.pv-ebs = "ami-4368e52f";
+  "15.09".sa-east-1.pv-s3 = "ami-f15ad79d";
+  "15.09".us-east-1.hvm-ebs = "ami-84a6a0ee";
+  "15.09".us-east-1.hvm-s3 = "ami-06a7a16c";
+  "15.09".us-east-1.pv-ebs = "ami-a4a1a7ce";
+  "15.09".us-east-1.pv-s3 = "ami-5ba8ae31";
+  "15.09".us-west-1.hvm-ebs = "ami-22c8bb42";
+  "15.09".us-west-1.hvm-s3 = "ami-a2ccbfc2";
+  "15.09".us-west-1.pv-ebs = "ami-10cebd70";
+  "15.09".us-west-1.pv-s3 = "ami-fa30429a";
+  "15.09".us-west-2.hvm-ebs = "ami-ce57b9ae";
+  "15.09".us-west-2.hvm-s3 = "ami-2956b849";
+  "15.09".us-west-2.pv-ebs = "ami-005fb160";
+  "15.09".us-west-2.pv-s3 = "ami-cd55bbad";
+
+  "16.03".ap-northeast-1.hvm-ebs = "ami-40619d21";
+  "16.03".ap-northeast-1.hvm-s3 = "ami-ce629eaf";
+  "16.03".ap-northeast-1.pv-ebs = "ami-ef639f8e";
+  "16.03".ap-northeast-1.pv-s3 = "ami-a1609cc0";
+  "16.03".ap-northeast-2.hvm-ebs = "ami-deca00b0";
+  "16.03".ap-northeast-2.hvm-s3 = "ami-a3b77dcd";
+  "16.03".ap-northeast-2.pv-ebs = "ami-7bcb0115";
+  "16.03".ap-northeast-2.pv-s3 = "ami-a2b77dcc";
+  "16.03".ap-south-1.hvm-ebs = "ami-0dff9562";
+  "16.03".ap-south-1.hvm-s3 = "ami-13f69c7c";
+  "16.03".ap-south-1.pv-ebs = "ami-0ef39961";
+  "16.03".ap-south-1.pv-s3 = "ami-e0c8a28f";
+  "16.03".ap-southeast-1.hvm-ebs = "ami-5e964a3d";
+  "16.03".ap-southeast-1.hvm-s3 = "ami-4d964a2e";
+  "16.03".ap-southeast-1.pv-ebs = "ami-ec9b478f";
+  "16.03".ap-southeast-1.pv-s3 = "ami-999b47fa";
+  "16.03".ap-southeast-2.hvm-ebs = "ami-9f7359fc";
+  "16.03".ap-southeast-2.hvm-s3 = "ami-987359fb";
+  "16.03".ap-southeast-2.pv-ebs = "ami-a2705ac1";
+  "16.03".ap-southeast-2.pv-s3 = "ami-a3705ac0";
+  "16.03".eu-central-1.hvm-ebs = "ami-17a45178";
+  "16.03".eu-central-1.hvm-s3 = "ami-f9a55096";
+  "16.03".eu-central-1.pv-ebs = "ami-c8a550a7";
+  "16.03".eu-central-1.pv-s3 = "ami-6ea45101";
+  "16.03".eu-west-1.hvm-ebs = "ami-b5b3d5c6";
+  "16.03".eu-west-1.hvm-s3 = "ami-c986e0ba";
+  "16.03".eu-west-1.pv-ebs = "ami-b083e5c3";
+  "16.03".eu-west-1.pv-s3 = "ami-3c83e54f";
+  "16.03".sa-east-1.hvm-ebs = "ami-f6eb7f9a";
+  "16.03".sa-east-1.hvm-s3 = "ami-93e773ff";
+  "16.03".sa-east-1.pv-ebs = "ami-cbb82ca7";
+  "16.03".sa-east-1.pv-s3 = "ami-abb82cc7";
+  "16.03".us-east-1.hvm-ebs = "ami-c123a3d6";
+  "16.03".us-east-1.hvm-s3 = "ami-bc25a5ab";
+  "16.03".us-east-1.pv-ebs = "ami-bd25a5aa";
+  "16.03".us-east-1.pv-s3 = "ami-a325a5b4";
+  "16.03".us-west-1.hvm-ebs = "ami-748bcd14";
+  "16.03".us-west-1.hvm-s3 = "ami-a68dcbc6";
+  "16.03".us-west-1.pv-ebs = "ami-048acc64";
+  "16.03".us-west-1.pv-s3 = "ami-208dcb40";
+  "16.03".us-west-2.hvm-ebs = "ami-8263a0e2";
+  "16.03".us-west-2.hvm-s3 = "ami-925c9ff2";
+  "16.03".us-west-2.pv-ebs = "ami-5e61a23e";
+  "16.03".us-west-2.pv-s3 = "ami-734c8f13";
+}

nixos/modules/virtualisation/libvirtd.nix

@@ -1,5 +1,3 @@
-# Systemd services for libvirtd.
-
 { config, lib, pkgs, ... }:
 
 with lib;
@@ -16,71 +14,59 @@ let
     ${cfg.extraConfig}
   '';
 
-in
+in {
 
-{
   ###### interface
 
   options = {
 
-    virtualisation.libvirtd.enable =
-      mkOption {
-        type = types.bool;
-        default = false;
-        description =
-          ''
-            This option enables libvirtd, a daemon that manages
-            virtual machines. Users in the "libvirtd" group can interact with
-            the daemon (e.g. to start or stop VMs) using the
-            <command>virsh</command> command line tool, among others.
-          '';
-      };
+    virtualisation.libvirtd.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        This option enables libvirtd, a daemon that manages
+        virtual machines. Users in the "libvirtd" group can interact with
+        the daemon (e.g. to start or stop VMs) using the
+        <command>virsh</command> command line tool, among others.
+      '';
+    };
 
-    virtualisation.libvirtd.enableKVM =
-      mkOption {
-        type = types.bool;
-        default = true;
-        description =
-          ''
-            This option enables support for QEMU/KVM in libvirtd.
-          '';
-      };
+    virtualisation.libvirtd.enableKVM = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        This option enables support for QEMU/KVM in libvirtd.
+      '';
+    };
 
-    virtualisation.libvirtd.extraConfig =
-      mkOption {
-        type = types.lines;
-        default = "";
-        description =
-          ''
-            Extra contents appended to the libvirtd configuration file,
-            libvirtd.conf.
-          '';
-      };
+    virtualisation.libvirtd.extraConfig = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Extra contents appended to the libvirtd configuration file,
+        libvirtd.conf.
+      '';
+    };
 
-    virtualisation.libvirtd.extraOptions =
-      mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-        example = [ "--verbose" ];
-        description =
-          ''
-            Extra command line arguments passed to libvirtd on startup.
-          '';
-      };
-
-    virtualisation.libvirtd.onShutdown =
-      mkOption {
-        type = types.enum ["shutdown" "suspend" ];
-        default = "suspend";
-        description =
-          ''
-            When shutting down / restarting the host what method should
-            be used to gracefully halt the guests. Setting to "shutdown"
-            will cause an ACPI shutdown of each guest. "suspend" will
-            attempt to save the state of the guests ready to restore on boot.
-          '';
-      };
+    virtualisation.libvirtd.extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+      example = [ "--verbose" ];
+      description = ''
+        Extra command line arguments passed to libvirtd on startup.
+      '';
+    };
 
+    virtualisation.libvirtd.onShutdown = mkOption {
+      type = types.enum ["shutdown" "suspend" ];
+      default = "suspend";
+      description = ''
+        When shutting down / restarting the host what method should
+        be used to gracefully halt the guests. Setting to "shutdown"
+        will cause an ACPI shutdown of each guest. "suspend" will
+        attempt to save the state of the guests ready to restore on boot.
+      '';
+    };
 
   };
 
@@ -95,103 +81,87 @@ in
 
     boot.kernelModules = [ "tun" ];
 
-    systemd.services.libvirtd =
-      { description = "Libvirt Virtual Machine Management Daemon";
+    users.extraGroups.libvirtd.gid = config.ids.gids.libvirtd;
 
-        wantedBy = [ "multi-user.target" ];
-        after = [ "systemd-udev-settle.service" ]
-                ++ optional vswitch.enable "vswitchd.service";
-
-        path = [ 
-            pkgs.bridge-utils 
-            pkgs.dmidecode 
-            pkgs.dnsmasq
-            pkgs.ebtables
-          ] 
-          ++ optional cfg.enableKVM pkgs.qemu_kvm
-          ++ optional vswitch.enable vswitch.package;
-
-        preStart =
-          ''
-            mkdir -p /var/log/libvirt/qemu -m 755
-            rm -f /var/run/libvirtd.pid
-
-            mkdir -p /var/lib/libvirt
-            mkdir -p /var/lib/libvirt/dnsmasq
-
-            chmod 755 /var/lib/libvirt
-            chmod 755 /var/lib/libvirt/dnsmasq
-
-            # Copy default libvirt network config .xml files to /var/lib
-            # Files modified by the user will not be overwritten
-            for i in $(cd ${pkgs.libvirt}/var/lib && echo \
-                libvirt/qemu/networks/*.xml libvirt/qemu/networks/autostart/*.xml \
-                libvirt/nwfilter/*.xml );
-            do
-                mkdir -p /var/lib/$(dirname $i) -m 755
-                cp -npd ${pkgs.libvirt}/var/lib/$i /var/lib/$i
-            done
-
-            # libvirtd puts the full path of the emulator binary in the machine
-            # config file. But this path can unfortunately be garbage collected
-            # while still being used by the virtual machine. So update the
-            # emulator path on each startup to something valid (re-scan $PATH).
-            for file in /etc/libvirt/qemu/*.xml /etc/libvirt/lxc/*.xml; do
-                test -f "$file" || continue
-                # get (old) emulator path from config file
-                emulator=$(grep "^[[:space:]]*<emulator>" "$file" | sed 's,^[[:space:]]*<emulator>\(.*\)</emulator>.*,\1,')
-                # get a (definitely) working emulator path by re-scanning $PATH
-                new_emulator=$(PATH=${pkgs.libvirt}/libexec:$PATH command -v $(basename "$emulator"))
-                # write back
-                sed -i "s,^[[:space:]]*<emulator>.*,    <emulator>$new_emulator</emulator> <!-- WARNING: emulator dirname is auto-updated by the nixos libvirtd module -->," "$file"
-            done
-          ''; # */
-
-        serviceConfig.ExecStart = ''@${pkgs.libvirt}/sbin/libvirtd libvirtd --config "${configFile}" --daemon ${concatStringsSep " " cfg.extraOptions}'';
-        serviceConfig.Type = "forking";
-        serviceConfig.KillMode = "process"; # when stopping, leave the VMs alone
-
-        # Wait until libvirtd is ready to accept requests.
-        postStart =
-          ''
-            for ((i = 0; i < 60; i++)); do
-                if ${pkgs.libvirt}/bin/virsh list > /dev/null; then exit 0; fi
-                sleep 1
-            done
-            exit 1 # !!! seems to be ignored
-          '';
-      };
-
-    systemd.services."libvirt-guests" = {
-      description = "Libvirt Virtual Machines";
+    systemd.services.libvirtd = {
+      description = "Libvirt Virtual Machine Management Daemon";
 
       wantedBy = [ "multi-user.target" ];
-      wants = [ "libvirtd.service" ];
-      after = [ "libvirtd.service" ];
+      after = [ "systemd-udev-settle.service" ]
+              ++ optional vswitch.enable "vswitchd.service";
 
-      restartIfChanged = false;
-
-      path = with pkgs; [ gettext libvirt gawk ];
+      path = [
+          pkgs.bridge-utils
+          pkgs.dmidecode
+          pkgs.dnsmasq
+          pkgs.ebtables
+        ]
+        ++ optional cfg.enableKVM pkgs.qemu_kvm
+        ++ optional vswitch.enable vswitch.package;
 
       preStart = ''
-        mkdir -p /var/lock/subsys -m 755
-        ${pkgs.libvirt}/etc/rc.d/init.d/libvirt-guests start || true
-      '';
+        mkdir -p /var/log/libvirt/qemu -m 755
+        rm -f /var/run/libvirtd.pid
 
-      postStop = ''
-        export PATH=${pkgs.gettext}/bin:$PATH
-        export ON_SHUTDOWN=${cfg.onShutdown}
-        ${pkgs.libvirt}/etc/rc.d/init.d/libvirt-guests stop
-      '';
+        mkdir -p /var/lib/libvirt
+        mkdir -p /var/lib/libvirt/dnsmasq
+
+        chmod 755 /var/lib/libvirt
+        chmod 755 /var/lib/libvirt/dnsmasq
+
+        # Copy default libvirt network config .xml files to /var/lib
+        # Files modified by the user will not be overwritten
+        for i in $(cd ${pkgs.libvirt}/var/lib && echo \
+            libvirt/qemu/networks/*.xml libvirt/qemu/networks/autostart/*.xml \
+            libvirt/nwfilter/*.xml );
+        do
+            mkdir -p /var/lib/$(dirname $i) -m 755
+            cp -npd ${pkgs.libvirt}/var/lib/$i /var/lib/$i
+        done
+
+        # libvirtd puts the full path of the emulator binary in the machine
+        # config file. But this path can unfortunately be garbage collected
+        # while still being used by the virtual machine. So update the
+        # emulator path on each startup to something valid (re-scan $PATH).
+        for file in /etc/libvirt/qemu/*.xml /etc/libvirt/lxc/*.xml; do
+            test -f "$file" || continue
+            # get (old) emulator path from config file
+            emulator=$(grep "^[[:space:]]*<emulator>" "$file" | sed 's,^[[:space:]]*<emulator>\(.*\)</emulator>.*,\1,')
+            # get a (definitely) working emulator path by re-scanning $PATH
+            new_emulator=$(PATH=${pkgs.libvirt}/libexec:$PATH command -v $(basename "$emulator"))
+            # write back
+            sed -i "s,^[[:space:]]*<emulator>.*,    <emulator>$new_emulator</emulator> <!-- WARNING: emulator dirname is auto-updated by the nixos libvirtd module -->," "$file"
+        done
+      ''; # */
 
       serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
+        ExecStart = ''@${pkgs.libvirt}/sbin/libvirtd libvirtd --config "${configFile}" ${concatStringsSep " " cfg.extraOptions}'';
+        Type = "notify";
+        KillMode = "process"; # when stopping, leave the VMs alone
+        Restart = "on-failure";
       };
     };
 
-    users.extraGroups.libvirtd.gid = config.ids.gids.libvirtd;
+    systemd.sockets.virtlogd = {
+      description = "Virtual machine log manager socket";
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "/run/libvirt/virtlogd-sock" ];
+    };
 
+    systemd.services.virtlogd = {
+      description = "Virtual machine log manager";
+      serviceConfig.ExecStart = "@${pkgs.libvirt}/sbin/virtlogd virtlogd";
+    };
+
+    systemd.sockets.virtlockd = {
+      description = "Virtual machine lock manager socket";
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [ "/run/libvirt/virtlockd-sock" ];
+    };
+
+    systemd.services.virtlockd = {
+      description = "Virtual machine lock manager";
+      serviceConfig.ExecStart = "@${pkgs.libvirt}/sbin/virtlockd virtlockd";
+    };
   };
-
 }

nixos/modules/virtualisation/qemu-vm.nix

@@ -149,11 +149,11 @@ let
           ${pkgs.mtools}/bin/mlabel -i /dev/vda2 ::boot
 
           # Mount /boot; load necessary modules first.
-          ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko || true
-          ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko || true
-          ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko || true
-          ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko || true
-          ${pkgs.module_init_tools}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko || true
+          ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_cp437.ko.xz || true
+          ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/nls/nls_iso8859-1.ko.xz || true
+          ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/fat.ko.xz || true
+          ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/fat/vfat.ko.xz || true
+          ${pkgs.kmod}/sbin/insmod ${pkgs.linux}/lib/modules/*/kernel/fs/efivarfs/efivarfs.ko.xz || true
           mkdir /boot
           mount /dev/vda2 /boot
 

nixos/modules/virtualisation/virtualbox-guest.nix

@@ -49,7 +49,7 @@ in
         serviceConfig.ExecStart = "@${kernel.virtualboxGuestAdditions}/bin/VBoxService VBoxService --foreground";
       };
 
-    services.xserver.videoDrivers = mkOverride 50 [ "virtualbox" ];
+    services.xserver.videoDrivers = mkOverride 50 [ "virtualbox" "modesetting" ];
 
     services.xserver.config =
       ''
@@ -77,7 +77,7 @@ in
         KERNEL=="vboxuser",  OWNER="root", GROUP="root", MODE="0666"
 
         # Allow systemd dependencies on vboxguest.
-        KERNEL=="vboxguest", TAG+="systemd"
+        SUBSYSTEM=="misc", KERNEL=="vboxguest", TAG+="systemd"
       '';
   };
 

nixos/release-combined.nix

@@ -64,6 +64,11 @@ in rec {
         (all nixos.tests.installer.btrfsSubvols)
         (all nixos.tests.installer.btrfsSubvolDefault)
         (all nixos.tests.boot.biosCdrom)
+        #(all nixos.tests.boot.biosUsb) # disabled due to issue #15690
+        (all nixos.tests.boot.uefiCdrom)
+        (all nixos.tests.boot.uefiUsb)
+        (all nixos.tests.boot-stage1)
+        (all nixos.tests.ecryptfs)
         (all nixos.tests.ipv6)
         (all nixos.tests.kde4)
         #(all nixos.tests.lightdm)

nixos/release.nix

@@ -196,12 +196,14 @@ in rec {
   tests.bittorrent = callTest tests/bittorrent.nix {};
   tests.blivet = callTest tests/blivet.nix {};
   tests.boot = callSubTests tests/boot.nix {};
+  tests.boot-stage1 = callTest tests/boot-stage1.nix {};
   tests.cadvisor = hydraJob (import tests/cadvisor.nix { system = "x86_64-linux"; });
   tests.chromium = callSubTests tests/chromium.nix {};
   tests.cjdns = callTest tests/cjdns.nix {};
   tests.containers = callTest tests/containers.nix {};
   tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });
   tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; });
+  tests.ecryptfs = callTest tests/ecryptfs.nix {};
   tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; });
   tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;
   tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config;
@@ -211,7 +213,6 @@ in rec {
   #tests.gitlab = callTest tests/gitlab.nix {};
   tests.gnome3 = callTest tests/gnome3.nix {};
   tests.gnome3-gdm = callTest tests/gnome3-gdm.nix {};
-  tests.grsecurity = callTest tests/grsecurity.nix {};
   tests.i3wm = callTest tests/i3wm.nix {};
   tests.installer = callSubTests tests/installer.nix {};
   tests.influxdb = callTest tests/influxdb.nix {};

nixos/tests/bittorrent.nix

@@ -25,7 +25,7 @@ in
 {
   name = "bittorrent";
   meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ iElectric eelco chaoflow rob wkennington ];
+    maintainers = [ iElectric eelco chaoflow rbvermaa wkennington ];
   };
 
   nodes =

nixos/tests/boot-stage1.nix

@@ -0,0 +1,155 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "boot-stage1";
+
+  machine = { config, pkgs, lib, ... }: {
+    boot.extraModulePackages = let
+      compileKernelModule = name: source: pkgs.runCommand name rec {
+        inherit source;
+        kdev = config.boot.kernelPackages.kernel.dev;
+        kver = config.boot.kernelPackages.kernel.modDirVersion;
+        ksrc = "${kdev}/lib/modules/${kver}/build";
+      } ''
+        echo "obj-m += $name.o" > Makefile
+        echo "$source" > "$name.c"
+        make -C "$ksrc" M=$(pwd) modules
+        install -vD "$name.ko" "$out/lib/modules/$kver/$name.ko"
+      '';
+
+      # This spawns a kthread which just waits until it gets a signal and
+      # terminates if that is the case. We want to make sure that nothing during
+      # the boot process kills any kthread by accident, like what happened in
+      # issue #15226.
+      kcanary = compileKernelModule "kcanary" ''
+        #include <linux/init.h>
+        #include <linux/module.h>
+        #include <linux/kernel.h>
+        #include <linux/kthread.h>
+        #include <linux/sched.h>
+
+        struct task_struct *canaryTask;
+
+        static int kcanary(void *nothing)
+        {
+          allow_signal(SIGINT);
+          allow_signal(SIGTERM);
+          allow_signal(SIGKILL);
+          while (!kthread_should_stop()) {
+            set_current_state(TASK_INTERRUPTIBLE);
+            schedule_timeout_interruptible(msecs_to_jiffies(100));
+            if (signal_pending(current)) break;
+          }
+          return 0;
+        }
+
+        static int kcanaryInit(void)
+        {
+          kthread_run(&kcanary, NULL, "kcanary");
+          return 0;
+        }
+
+        static void kcanaryExit(void)
+        {
+          kthread_stop(canaryTask);
+        }
+
+        module_init(kcanaryInit);
+        module_exit(kcanaryExit);
+      '';
+
+    in lib.singleton kcanary;
+
+    boot.initrd.kernelModules = [ "kcanary" ];
+
+    boot.initrd.extraUtilsCommands = let
+      compile = name: source: pkgs.runCommand name { inherit source; } ''
+        mkdir -p "$out/bin"
+        echo "$source" | gcc -Wall -o "$out/bin/$name" -xc -
+      '';
+
+      daemonize = name: source: compile name ''
+        #include <stdio.h>
+        #include <unistd.h>
+
+        void runSource(void) {
+        ${source}
+        }
+
+        int main(void) {
+          if (fork() > 0) return 0;
+          setsid();
+          runSource();
+          return 1;
+        }
+      '';
+
+      mkCmdlineCanary = { name, cmdline ? "", source ? "" }: (daemonize name ''
+        char *argv[] = {"${cmdline}", NULL};
+        execvp("${name}-child", argv);
+      '') // {
+        child = compile "${name}-child" ''
+          #include <stdio.h>
+          #include <unistd.h>
+
+          int main(void) {
+            ${source}
+            while (1) sleep(1);
+            return 1;
+          }
+        '';
+      };
+
+      copyCanaries = with lib; concatMapStrings (canary: ''
+        ${optionalString (canary ? child) ''
+          copy_bin_and_libs "${canary.child}/bin/${canary.child.name}"
+        ''}
+        copy_bin_and_libs "${canary}/bin/${canary.name}"
+      '');
+
+    in copyCanaries [
+      # Simple canary process which just sleeps forever and should be killed by
+      # stage 2.
+      (daemonize "canary1" "while (1) sleep(1);")
+
+      # We want this canary process to try mimicking a kthread using a cmdline
+      # with a zero length so we can make sure that the process is properly
+      # killed in stage 1.
+      (mkCmdlineCanary {
+        name = "canary2";
+        source = ''
+          FILE *f;
+          f = fopen("/run/canary2.pid", "w");
+          fprintf(f, "%d\n", getpid());
+          fclose(f);
+        '';
+      })
+
+      # This canary process mimicks a storage daemon, which we do NOT want to be
+      # killed before going into stage 2. For more on root storage daemons, see:
+      # https://www.freedesktop.org/wiki/Software/systemd/RootStorageDaemons/
+      (mkCmdlineCanary {
+        name = "canary3";
+        cmdline = "@canary3";
+      })
+    ];
+
+    boot.initrd.postMountCommands = ''
+      canary1
+      canary2
+      canary3
+      # Make sure the pidfile of canary 2 is created so that we still can get
+      # its former pid after the killing spree starts next within stage 1.
+      while [ ! -s /run/canary2.pid ]; do sleep 0.1; done
+    '';
+  };
+
+  testScript = ''
+    $machine->waitForUnit("multi-user.target");
+    $machine->succeed('test -s /run/canary2.pid');
+    $machine->fail('pgrep -a canary1');
+    $machine->fail('kill -0 $(< /run/canary2.pid)');
+    $machine->succeed('pgrep -a -f \'^@canary3$\''');
+    $machine->succeed('pgrep -a -f \'^kcanary$\''');
+  '';
+
+  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ aszlig ];
+})

nixos/tests/common/user-account.nix

@@ -1,9 +1,14 @@
 { lib, ... }:
 
-{ users.extraUsers = lib.singleton
+{ users.extraUsers.alice =
     { isNormalUser = true;
-      name = "alice";
       description = "Alice Foobar";
       password = "foobar";
     };
+
+  users.extraUsers.bob =
+    { isNormalUser = true;
+      description = "Bob Foobar";
+      password = "foobar";
+    };
 }

nixos/tests/ecryptfs.nix

@@ -0,0 +1,81 @@
+import ./make-test.nix ({ pkgs, ... }:
+{
+  name = "ecryptfs";
+
+  machine = { config, pkgs, ... }: {
+    imports = [ ./common/user-account.nix ];
+    boot.kernelModules = [ "ecryptfs" ];
+    security.pam.enableEcryptfs = true;
+    environment.systemPackages = with pkgs; [ keyutils ];
+  };
+
+  testScript = ''
+    $machine->waitForUnit("default.target");
+
+    # Set alice up with a password and a home
+    $machine->succeed("(echo foobar; echo foobar) | passwd alice");
+    $machine->succeed("chown -R alice.users ~alice");
+
+    # Migrate alice's home
+    my $out = $machine->succeed("echo foobar | ecryptfs-migrate-home -u alice");
+    $machine->log("ecryptfs-migrate-home said: $out");
+
+    # Log alice in (ecryptfs passwhrase is wrapped during first login)
+    $machine->sleep(2); # urgh: wait for username prompt
+    $machine->sendChars("alice\n");
+    $machine->sleep(1);
+    $machine->sendChars("foobar\n");
+    $machine->sleep(2);
+    $machine->sendChars("logout\n");
+    $machine->sleep(2);
+
+    # Why do I need to do this??
+    $machine->succeed("su alice -c ecryptfs-umount-private");
+    $machine->sleep(1);
+    $machine->fail("mount | grep ecryptfs"); # check that encrypted home is not mounted
+
+    # Show contents of the user keyring
+    my $out = $machine->succeed("su - alice -c 'keyctl list \@u'");
+    $machine->log("keyctl unlink said: " . $out);
+
+    # Log alice again
+    $machine->sendChars("alice\n");
+    $machine->sleep(1);
+    $machine->sendChars("foobar\n");
+    $machine->sleep(2);
+
+    # Create some files in encrypted home
+    $machine->succeed("su alice -c 'touch ~alice/a'");
+    $machine->succeed("su alice -c 'echo c > ~alice/b'");
+
+    # Logout
+    $machine->sendChars("logout\n");
+    $machine->sleep(2);
+
+    # Why do I need to do this??
+    $machine->succeed("su alice -c ecryptfs-umount-private");
+    $machine->sleep(1);
+
+    # Check that the filesystem is not accessible
+    $machine->fail("mount | grep ecryptfs");
+    $machine->succeed("su alice -c 'test \! -f ~alice/a'");
+    $machine->succeed("su alice -c 'test \! -f ~alice/b'");
+
+    # Log alice once more
+    $machine->sendChars("alice\n");
+    $machine->sleep(1);
+    $machine->sendChars("foobar\n");
+    $machine->sleep(2);
+
+    # Check that the files are there
+    $machine->sleep(1);
+    $machine->succeed("su alice -c 'test -f ~alice/a'");
+    $machine->succeed("su alice -c 'test -f ~alice/b'");
+    $machine->succeed(qq%test "\$(cat ~alice/b)" = "c"%);
+
+    # Catch https://github.com/NixOS/nixpkgs/issues/16766
+    $machine->succeed("su alice -c 'ls -lh ~alice/'");
+
+    $machine->sendChars("logout\n");
+  '';
+})

nixos/tests/gnome3-gdm.nix

@@ -32,6 +32,7 @@ import ./make-test.nix ({ pkgs, ...} : {
       $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
 
       $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
+      $machine->succeed("xauth merge ~alice/.Xauthority");
       $machine->waitForWindow(qr/Terminal/);
       $machine->sleep(20);
       $machine->screenshot("screen");

nixos/tests/gnome3.nix

@@ -27,6 +27,7 @@ import ./make-test.nix ({ pkgs, ...} : {
       $machine->succeed("getfacl /dev/snd/timer | grep -q alice");
 
       $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
+      $machine->succeed("xauth merge ~alice/.Xauthority");
       $machine->waitForWindow(qr/Terminal/);
       $machine->mustSucceed("timeout 900 bash -c 'journalctl -f|grep -m 1 \"GNOME Shell started\"'");
       $machine->sleep(10);

nixos/tests/i3wm.nix

@@ -13,6 +13,8 @@ import ./make-test.nix ({ pkgs, ...} : {
 
   testScript = { nodes, ... }: ''
     $machine->waitForX;
+    $machine->waitForFile("/home/alice/.Xauthority");
+    $machine->succeed("xauth merge ~alice/.Xauthority");
     $machine->waitForWindow(qr/first configuration/);
     $machine->sleep(1);
     $machine->screenshot("started");

nixos/tests/installer.nix

@@ -5,9 +5,11 @@ with import ../lib/qemu-flags.nix;
 with pkgs.lib;
 
 let
+  # increase timeout due to IO on build machines
+  udevsettleCmd = "udevadm settle --timeout=600";
 
   # The configuration to install.
-  makeConfig = { grubVersion, grubDevice, grubIdentifier
+  makeConfig = { bootLoader, grubVersion, grubDevice, grubIdentifier
                , extraConfig, forceGrubReinstallCount ? 0
                }:
     pkgs.writeText "configuration.nix" ''
@@ -18,15 +20,21 @@ let
             <nixpkgs/nixos/modules/testing/test-instrumentation.nix>
           ];
 
-        boot.loader.grub.version = ${toString grubVersion};
-        ${optionalString (grubVersion == 1) ''
-          boot.loader.grub.splashImage = null;
-        ''}
-        boot.loader.grub.device = "${grubDevice}";
-        boot.loader.grub.extraConfig = "serial; terminal_output.serial";
-        boot.loader.grub.fsIdentifier = "${grubIdentifier}";
+        ${optionalString (bootLoader == "grub") ''
+          boot.loader.grub.version = ${toString grubVersion};
+          ${optionalString (grubVersion == 1) ''
+            boot.loader.grub.splashImage = null;
+          ''}
+          boot.loader.grub.device = "${grubDevice}";
+          boot.loader.grub.extraConfig = "serial; terminal_output.serial";
+          boot.loader.grub.fsIdentifier = "${grubIdentifier}";
 
-        boot.loader.grub.configurationLimit = 100 + ${toString forceGrubReinstallCount};
+          boot.loader.grub.configurationLimit = 100 + ${toString forceGrubReinstallCount};
+        ''}
+
+        ${optionalString (bootLoader == "gummiboot") ''
+          boot.loader.gummiboot.enable = true;
+        ''}
 
         hardware.enableAllFirmware = lib.mkForce false;
 
@@ -42,7 +50,7 @@ let
   # disk, and then reboot from the hard disk.  It's parameterized with
   # a test script fragment `createPartitions', which must create
   # partitions and filesystems.
-  testScriptFun = { createPartitions, grubVersion, grubDevice
+  testScriptFun = { bootLoader, createPartitions, grubVersion, grubDevice
                   , grubIdentifier, preBootCommands, extraConfig
                   }:
     let
@@ -50,7 +58,8 @@ let
       qemuFlags =
         (if system == "x86_64-linux" then "-m 768 " else "-m 512 ") +
         (optionalString (system == "x86_64-linux") "-cpu kvm64 ");
-      hdFlags = ''hda => "vm-state-machine/machine.qcow2", hdaInterface => "${iface}", '';
+      hdFlags = ''hda => "vm-state-machine/machine.qcow2", hdaInterface => "${iface}", ''
+        + optionalString (bootLoader == "gummiboot") ''bios => "${pkgs.OVMF}/FV/OVMF.fd", '';
     in
     ''
       $machine->start;
@@ -62,7 +71,7 @@ let
       $machine->waitForUnit("nixos-manual");
 
       # Wait for hard disks to appear in /dev
-      $machine->succeed("udevadm settle");
+      $machine->succeed("${udevsettleCmd}");
 
       # Partition the disk.
       ${createPartitions}
@@ -73,7 +82,7 @@ let
       $machine->succeed("cat /mnt/etc/nixos/hardware-configuration.nix >&2");
 
       $machine->copyFileFromHost(
-          "${ makeConfig { inherit grubVersion grubDevice grubIdentifier extraConfig; } }",
+          "${ makeConfig { inherit bootLoader grubVersion grubDevice grubIdentifier extraConfig; } }",
           "/mnt/etc/nixos/configuration.nix");
 
       # Perform the installation.
@@ -97,7 +106,11 @@ let
       # Did /boot get mounted?
       $machine->waitForUnit("local-fs.target");
 
-      $machine->succeed("test -e /boot/grub");
+      ${if bootLoader == "grub" then
+          ''$machine->succeed("test -e /boot/grub");''
+        else
+          ''$machine->succeed("test -e /boot/loader/loader.conf");''
+      }
 
       # Check whether /root has correct permissions.
       $machine->succeed("stat -c '%a' /root") =~ /700/ or die;
@@ -114,7 +127,7 @@ let
 
       # We need to a writable nix-store on next boot.
       $machine->copyFileFromHost(
-          "${ makeConfig { inherit grubVersion grubDevice grubIdentifier extraConfig; forceGrubReinstallCount = 1; } }",
+          "${ makeConfig { inherit bootLoader grubVersion grubDevice grubIdentifier extraConfig; forceGrubReinstallCount = 1; } }",
           "/etc/nixos/configuration.nix");
 
       # Check whether nixos-rebuild works.
@@ -132,7 +145,7 @@ let
       ${preBootCommands}
       $machine->waitForUnit("multi-user.target");
       $machine->copyFileFromHost(
-          "${ makeConfig { inherit grubVersion grubDevice grubIdentifier extraConfig; forceGrubReinstallCount = 2; } }",
+          "${ makeConfig { inherit bootLoader grubVersion grubDevice grubIdentifier extraConfig; forceGrubReinstallCount = 2; } }",
           "/etc/nixos/configuration.nix");
       $machine->succeed("nixos-rebuild boot >&2");
       $machine->shutdown;
@@ -148,8 +161,9 @@ let
 
   makeInstallerTest = name:
     { createPartitions, preBootCommands ? "", extraConfig ? ""
-    , grubVersion ? 2, grubDevice ? "/dev/vda"
-    , grubIdentifier ? "uuid", enableOCR ? false, meta ? {}
+    , bootLoader ? "grub" # either "grub" or "gummiboot"
+    , grubVersion ? 2, grubDevice ? "/dev/vda", grubIdentifier ? "uuid"
+    , enableOCR ? false, meta ? {}
     }:
     makeTest {
       inherit enableOCR;
@@ -183,6 +197,8 @@ let
             virtualisation.qemu.diskInterface =
               if grubVersion == 1 then "scsi" else "virtio";
 
+            boot.loader.gummiboot.enable = mkIf (bootLoader == "gummiboot") true;
+
             hardware.enableAllFirmware = mkForce false;
 
             # The test cannot access the network, so any packages we
@@ -198,8 +214,8 @@ let
                 pkgs.perlPackages.XMLLibXML
                 pkgs.perlPackages.ListCompare
               ]
-              ++ optional (grubVersion == 1) pkgs.grub
-              ++ optionals (grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ];
+              ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub
+              ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ];
 
             nix.binaryCaches = mkForce [ ];
           };
@@ -207,8 +223,8 @@ let
       };
 
       testScript = testScriptFun {
-        inherit createPartitions preBootCommands grubVersion
-                grubDevice grubIdentifier extraConfig;
+        inherit bootLoader createPartitions preBootCommands
+                grubVersion grubDevice grubIdentifier extraConfig;
       };
     };
 
@@ -227,7 +243,7 @@ in {
               "parted /dev/vda mklabel msdos",
               "parted /dev/vda -- mkpart primary linux-swap 1M 1024M",
               "parted /dev/vda -- mkpart primary ext2 1024M -1s",
-              "udevadm settle",
+              "${udevsettleCmd}",
               "mkswap /dev/vda1 -L swap",
               "swapon -L swap",
               "mkfs.ext3 -L nixos /dev/vda2",
@@ -236,6 +252,29 @@ in {
         '';
     };
 
+  # Simple GPT/UEFI configuration using Gummiboot with 3 partitions: ESP, swap & root filesystem
+  simpleUefiGummiboot = makeInstallerTest "simpleUefiGummiboot"
+    { createPartitions =
+        ''
+          $machine->succeed(
+              "parted /dev/vda mklabel gpt",
+              "parted -s /dev/vda -- mkpart ESP fat32 1M 50MiB", # /boot
+              "parted -s /dev/vda -- set 1 boot on",
+              "parted -s /dev/vda -- mkpart primary linux-swap 50MiB 1024MiB",
+              "parted -s /dev/vda -- mkpart primary ext2 1024MiB -1MiB", # /
+              "udevadm settle",
+              "mkswap /dev/vda2 -L swap",
+              "swapon -L swap",
+              "mkfs.ext3 -L nixos /dev/vda3",
+              "mount LABEL=nixos /mnt",
+              "mkfs.vfat -n BOOT /dev/vda1",
+              "mkdir -p /mnt/boot",
+              "mount LABEL=BOOT /mnt/boot",
+          );
+        '';
+        bootLoader = "gummiboot";
+    };
+
   # Same as the previous, but now with a separate /boot partition.
   separateBoot = makeInstallerTest "separateBoot"
     { createPartitions =
@@ -245,7 +284,7 @@ in {
               "parted /dev/vda -- mkpart primary ext2 1M 50MB", # /boot
               "parted /dev/vda -- mkpart primary linux-swap 50MB 1024M",
               "parted /dev/vda -- mkpart primary ext2 1024M -1s", # /
-              "udevadm settle",
+              "${udevsettleCmd}",
               "mkswap /dev/vda2 -L swap",
               "swapon -L swap",
               "mkfs.ext3 -L nixos /dev/vda3",
@@ -266,7 +305,7 @@ in {
               "parted /dev/vda -- mkpart primary ext2 1M 50MB", # /boot
               "parted /dev/vda -- mkpart primary linux-swap 50MB 1024M",
               "parted /dev/vda -- mkpart primary ext2 1024M -1s", # /
-              "udevadm settle",
+              "${udevsettleCmd}",
               "mkswap /dev/vda2 -L swap",
               "swapon -L swap",
               "mkfs.ext3 -L nixos /dev/vda3",
@@ -289,7 +328,7 @@ in {
               "parted /dev/vda -- set 1 lvm on",
               "parted /dev/vda -- mkpart primary 2048M -1s", # PV2
               "parted /dev/vda -- set 2 lvm on",
-              "udevadm settle",
+              "${udevsettleCmd}",
               "pvcreate /dev/vda1 /dev/vda2",
               "vgcreate MyVolGroup /dev/vda1 /dev/vda2",
               "lvcreate --size 1G --name swap MyVolGroup",
@@ -310,7 +349,7 @@ in {
           "parted /dev/vda -- mkpart primary ext2 1M 50MB", # /boot
           "parted /dev/vda -- mkpart primary linux-swap 50M 1024M",
           "parted /dev/vda -- mkpart primary 1024M -1s", # LUKS
-          "udevadm settle",
+          "${udevsettleCmd}",
           "mkswap /dev/vda2 -L swap",
           "swapon -L swap",
           "modprobe dm_mod dm_crypt",
@@ -352,12 +391,12 @@ in {
               . " mkpart logical 1603M 3103M" # md0 (root), second device
               . " mkpart logical 3104M 3360M" # md1 (swap), first device
               . " mkpart logical 3361M 3617M", # md1 (swap), second device
-              "udevadm settle",
+              "${udevsettleCmd}",
               "ls -l /dev/vda* >&2",
               "cat /proc/partitions >&2",
               "mdadm --create --force /dev/md0 --metadata 1.2 --level=raid1 --raid-devices=2 /dev/vda5 /dev/vda6",
               "mdadm --create --force /dev/md1 --metadata 1.2 --level=raid1 --raid-devices=2 /dev/vda7 /dev/vda8",
-              "udevadm settle",
+              "${udevsettleCmd}",
               "mkswap -f /dev/md1 -L swap",
               "swapon -L swap",
               "mkfs.ext3 -L nixos /dev/md0",
@@ -365,11 +404,13 @@ in {
               "mkfs.ext3 -L boot /dev/vda1",
               "mkdir /mnt/boot",
               "mount LABEL=boot /mnt/boot",
-              "udevadm settle",
-              "mdadm -W /dev/md0", # wait for sync to finish; booting off an unsynced device tends to fail
-              "mdadm -W /dev/md1",
+              "${udevsettleCmd}",
           );
         '';
+      preBootCommands = ''
+        $machine->start;
+        $machine->fail("dmesg | grep 'immediate safe mode'");
+      '';
     };
 
   # Test a basic install using GRUB 1.
@@ -380,7 +421,7 @@ in {
               "parted /dev/sda mklabel msdos",
               "parted /dev/sda -- mkpart primary linux-swap 1M 1024M",
               "parted /dev/sda -- mkpart primary ext2 1024M -1s",
-              "udevadm settle",
+              "${udevsettleCmd}",
               "mkswap /dev/sda1 -L swap",
               "swapon -L swap",
               "mkfs.ext3 -L nixos /dev/sda2",

nixos/tests/kde4.nix

@@ -41,11 +41,13 @@ import ./make-test.nix ({ pkgs, ... }: {
           pkgs.kde4.kdenetwork
           pkgs.kde4.kdetoys
           pkgs.kde4.kdewebdev
+          pkgs.xorg.xmessage
         ];
     };
 
-  testScript = '' 
+  testScript = ''
       $machine->waitUntilSucceeds("pgrep plasma-desktop");
+      $machine->succeed("xauth merge ~alice/.Xauthority");
       $machine->waitForWindow(qr/plasma-desktop/);
 
       # Check that logging in has given the user ownership of devices.
@@ -62,7 +64,7 @@ import ./make-test.nix ({ pkgs, ... }: {
 
       $machine->sleep(10);
 
-      $machine->screenshot("screen"); 
+      $machine->screenshot("screen");
     '';
 
 })

nixos/tests/lightdm.nix

@@ -22,6 +22,8 @@ import ./make-test.nix ({ pkgs, ...} : {
     $machine->waitForText(qr/${user.description}/);
     $machine->screenshot("lightdm");
     $machine->sendChars("${user.password}\n");
+    $machine->waitForFile("/home/alice/.Xauthority");
+    $machine->succeed("xauth merge ~alice/.Xauthority");
     $machine->waitForWindow("^IceWM ");
   '';
 })

nixos/tests/nat.nix

@@ -10,7 +10,7 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
   {
     name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
   meta = with pkgs.stdenv.lib.maintainers; {
-      maintainers = [ eelco chaoflow rob wkennington ];
+      maintainers = [ eelco chaoflow rbvermaa wkennington ];
     };
 
     nodes =

nixos/tests/sddm-kde5.nix

@@ -24,6 +24,8 @@ import ./make-test.nix ({ pkgs, ...} : {
 
   testScript = { nodes, ... }: ''
     startAll;
+    $machine->waitForFile("/home/alice/.Xauthority");
+    $machine->succeed("xauth merge ~alice/.Xauthority");
     $machine->waitForWindow("^IceWM ");
   '';
 })

nixos/tests/sddm.nix

@@ -23,6 +23,8 @@ import ./make-test.nix ({ pkgs, ...} : {
 
   testScript = { nodes, ... }: ''
     startAll;
+    $machine->waitForFile("/home/alice/.Xauthority");
+    $machine->succeed("xauth merge ~alice/.Xauthority");
     $machine->waitForWindow("^IceWM ");
   '';
 })

nixos/tests/xfce.nix

@@ -15,11 +15,15 @@ import ./make-test.nix ({ pkgs, ...} : {
       services.xserver.displayManager.auto.user = "alice";
 
       services.xserver.desktopManager.xfce.enable = true;
+
+      environment.systemPackages = [ pkgs.xorg.xmessage ];
     };
 
   testScript =
     ''
       $machine->waitForX;
+      $machine->waitForFile("/home/alice/.Xauthority");
+      $machine->succeed("xauth merge ~alice/.Xauthority");
       $machine->waitForWindow(qr/xfce4-panel/);
       $machine->sleep(10);
 
@@ -30,5 +34,9 @@ import ./make-test.nix ({ pkgs, ...} : {
       $machine->waitForWindow(qr/Terminal/);
       $machine->sleep(10);
       $machine->screenshot("screen");
+
+      # Ensure that the X server does proper access control.
+      $machine->mustFail("su - bob -c 'DISPLAY=:0.0 xmessage Foo'");
+      $machine->mustFail("su - bob -c 'DISPLAY=:0 xmessage Foo'");
     '';
 })

pkgs/applications/audio/audacity/default.nix

@@ -1,15 +1,15 @@
-{ stdenv, fetchurl, wxGTK, pkgconfig, gettext, gtk, glib, zlib, perl, intltool,
+{ stdenv, fetchurl, wxGTK30, pkgconfig, gettext, gtk, glib, zlib, perl, intltool,
   libogg, libvorbis, libmad, alsaLib, libsndfile, soxr, flac, lame, fetchpatch,
   expat, libid3tag, ffmpeg, soundtouch /*, portaudio - given up fighting their portaudio.patch */
   }:
 
 stdenv.mkDerivation rec {
-  version = "2.1.1";
+  version = "2.1.2";
   name = "audacity-${version}";
 
   src = fetchurl {
     url = "https://github.com/audacity/audacity/archive/Audacity-${version}.tar.gz";
-    sha256 = "15c5ff7ac1c0b19b08f4bdcb0f4988743da2f9ed3fab41d6f07600e67cb9ddb6";
+    sha256 = "1ggr6g0mk36rqj7ahsg8b0b1r9kphwajzvxgn43md263rm87n04h";
   };
   patches = [(fetchpatch {
     name = "new-ffmpeg.patch";
@@ -25,11 +25,11 @@ stdenv.mkDerivation rec {
     rm -r lib-src-rm/
   '';
 
-  configureFlags = "--with-libsamplerate";
+  configureFlags = [ "--with-libsamplerate" ];
 
   buildInputs = [
-    pkgconfig gettext wxGTK gtk expat alsaLib
-    libsndfile soxr libid3tag
+    pkgconfig gettext wxGTK30 expat alsaLib
+    libsndfile soxr libid3tag gtk
     ffmpeg libmad lame libvorbis flac soundtouch
   ]; #ToDo: detach sbsms
 

pkgs/applications/audio/paprefs/default.nix

@@ -1,5 +1,5 @@
 { fetchurl, stdenv, pkgconfig, libpulseaudio, gtkmm, libglademm
-, dbus_glib, gconfmm, intltool }:
+, dbus_glib, GConf, gconfmm, intltool }:
 
 stdenv.mkDerivation rec {
   name = "paprefs-0.9.10";
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkgconfig intltool ];
 
+  propagatedUserEnvPkgs = [ GConf ];
+
   configureFlags = [ "--disable-lynx" ];
 
   meta = with stdenv.lib; {

pkgs/applications/audio/qmmp/default.nix

@@ -28,11 +28,11 @@
 # handle that.
 
 stdenv.mkDerivation rec {
-  name = "qmmp-0.8.4";
+  name = "qmmp-0.9.9";
 
   src = fetchurl {
     url = "http://qmmp.ylsoftware.com/files/${name}.tar.bz2";
-    sha256 = "1ld69xypyak3lzwmfvzbxsyd4fl841aaq0gmkfa7jpavbdlggydf";
+    sha256 = "1wv4kbjq50xflhrl1jjf1hm3rrw599xkd72dwm4rscm0sdvzhnc1";
   };
 
   buildInputs =

pkgs/applications/audio/spotify/default.nix

@@ -1,11 +1,12 @@
-{ fetchurl, stdenv, dpkg, xorg, alsaLib, makeWrapper, openssl_1_0_1, freetype
+{ fetchurl, stdenv, dpkg, xorg, alsaLib, makeWrapper, openssl, freetype
 , glib, pango, cairo, atk, gdk_pixbuf, gtk, cups, nspr, nss, libpng, GConf
 , libgcrypt, udev, fontconfig, dbus, expat, ffmpeg_0_10, curl, zlib, gnome }:
 
 assert stdenv.system == "x86_64-linux";
 
 let
-  version = "1.0.26.125.g64dc8bc6-14";
+  # Please update the stable branch!
+  version = "1.0.38.171.g5e1cd7b2-22";
 
   deps = [
     alsaLib
@@ -50,26 +51,33 @@ stdenv.mkDerivation {
   src =
     fetchurl {
       url = "http://repository-origin.spotify.com/pool/non-free/s/spotify-client/spotify-client_${version}_amd64.deb";
-      sha256 = "09wanpml2a6k8asfc0pd56n7fia37amgsplsan1qdh6dwdzr3rv5";
+      sha256 = "0mhrbcw92g11czwcclnbwz1pk1jgap4xlya7dqsrcyb50azmv450";
     };
 
   buildInputs = [ dpkg makeWrapper ];
 
-  unpackPhase = "true";
+  unpackPhase = ''
+    runHook preUnpack
+    dpkg-deb -x $src .
+    runHook postUnpack
+  '';
+
+  configurePhase = "runHook preConfigure; runHook postConfigure";
+  buildPhase = "runHook preBuild; runHook postBuild";
 
   installPhase =
     ''
+      runHook preInstall
+
       libdir=$out/lib/spotify
       mkdir -p $libdir
-      dpkg-deb -x $src $out
-      mv $out/usr/* $out/
-      rm -rf $out/usr
+      mv ./usr/* $out/
 
       # Work around Spotify referring to a specific minor version of
       # OpenSSL.
 
-      ln -s ${openssl_1_0_1}/lib/libssl.so $libdir/libssl.so.1.0.0
-      ln -s ${openssl_1_0_1}/lib/libcrypto.so $libdir/libcrypto.so.1.0.0
+      ln -s ${openssl}/lib/libssl.so $libdir/libssl.so.1.0.0
+      ln -s ${openssl}/lib/libcrypto.so $libdir/libcrypto.so.1.0.0
       ln -s ${nspr}/lib/libnspr4.so $libdir/libnspr4.so
       ln -s ${nspr}/lib/libplc4.so $libdir/libplc4.so
 
@@ -95,6 +103,8 @@ stdenv.mkDerivation {
         ln -s "$out/share/spotify/icons/spotify-linux-$i.png" \
           "$out/share/icons/hicolor/$ixi/apps/spotify-client.png"
       done
+
+      runHook postInstall
     '';
 
   dontStrip = true;
@@ -104,6 +114,6 @@ stdenv.mkDerivation {
     homepage = https://www.spotify.com/;
     description = "Play music from the Spotify music service";
     license = stdenv.lib.licenses.unfree;
-    maintainers = with stdenv.lib.maintainers; [ eelco ftrvxmtrx ];
+    maintainers = with stdenv.lib.maintainers; [ eelco ftrvxmtrx sheenobu ];
   };
 }

pkgs/applications/audio/svox/default.nix

@@ -0,0 +1,43 @@
+{ stdenv, fetchgit }:
+
+stdenv.mkDerivation rec {
+  name = "svox-${version}";
+  version = "2016-01-25";
+
+  src = fetchgit {
+    url = "https://android.googlesource.com/platform/external/svox";
+    rev = "dfb9937746b1828d093faf3b1494f9dc403f392d";
+    sha256 = "1gkfj5avikzmr2vv8bhf83n15jcbz4phz5j13l0qnh3gjzh4f1bk";
+  };
+
+  postPatch = ''
+    cd pico
+  '';
+
+  buildPhase = ''
+    cd lib
+    for i in *.c; do
+      $CC -O2 -fPIC -c -o ''${i%.c}.o $i
+    done
+    $CC -shared -o libttspico.so *.o
+    cd ..
+  '';
+
+  installPhase = ''
+    install -Dm755 lib/libttspico.so $out/lib/libttspico.so
+    mkdir -p $out/include
+    cp lib/*.h $out/include
+    mkdir -p $out/share/pico/lang
+    cp lang/*.bin $out/share/pico/lang
+  '';
+
+  NIX_CFLAGS_COMPILE = [ "-include stdint.h" ];
+
+  meta = with stdenv.lib; {
+    description = "Text-to-speech engine";
+    homepage = https://android.googlesource.com/platform/external/svox;
+    platforms = platforms.linux;
+    license = licenses.asl20;
+    maintainers = with maintainers; [ abbradar ];
+  };
+}

pkgs/applications/editors/emacs-25/builder.sh

@@ -5,6 +5,8 @@ source $stdenv/setup
 # *our* versions, not the ones found in the system, as it would do by default.
 # On other platforms, this appears to be unnecessary.
 preConfigure() {
+    ./autogen.sh
+
     for i in Makefile.in ./src/Makefile.in ./lib-src/Makefile.in ./leim/Makefile.in; do
         substituteInPlace $i --replace /bin/pwd pwd
     done

pkgs/applications/editors/emacs-25/default.nix

@@ -1,7 +1,7 @@
-{ stdenv, fetchgit, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d
+{ stdenv, lib, fetchurl, ncurses, xlibsWrapper, libXaw, libXpm, Xaw3d
 , pkgconfig, gettext, libXft, dbus, libpng, libjpeg, libungif
 , libtiff, librsvg, texinfo, gconf, libxml2, imagemagick, gnutls
-, alsaLib, cairo, acl, gpm, AppKit, Foundation, libobjc
+, alsaLib, cairo, acl, gpm, AppKit, CoreWLAN, Kerberos, GSS, ImageIO
 , autoconf, automake
 , withX ? !stdenv.isDarwin
 , withGTK3 ? false, gtk3 ? null
@@ -23,17 +23,16 @@ let
 in
 
 stdenv.mkDerivation rec {
-  name = "emacs-25.0.50-1b5630e";
+  name = "emacs-25.0.92";
 
   builder = ./builder.sh;
 
-  src = fetchgit {
-    url = "git://git.savannah.gnu.org/emacs.git";
-    rev = "1b5630eb47d3f4bade09708c958ab006b83b3fc0";
-    sha256 = "0n3qbri84akmy7ad1pbv89j4jn4x9pnkz0p4nbhh6m1c37cbz58l";
+  src = fetchurl {
+    url = "ftp://alpha.gnu.org/gnu/emacs/pretest/emacs-25.0.92.tar.xz";
+    sha256 = "13jnj1js2l90k4yk219r3z67fff90r6mniprsp0sgip2kaak75y2";
   };
 
-  patches = stdenv.lib.optionals stdenv.isDarwin [
+  patches = lib.optionals stdenv.isDarwin [
     ./at-fdcwd.patch
   ];
 
@@ -52,11 +51,7 @@ stdenv.mkDerivation rec {
     ++ stdenv.lib.optional (withX && withGTK3) gtk3
     ++ stdenv.lib.optional (stdenv.isDarwin && withX) cairo;
 
-  propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit Foundation libobjc
-  ];
-
-  NIX_LDFLAGS = stdenv.lib.optional stdenv.isDarwin
-    "/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation";
+  propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ];
 
   configureFlags =
     if stdenv.isDarwin
@@ -81,18 +76,16 @@ stdenv.mkDerivation rec {
     mv nextstep/Emacs.app $out/Applications
   '';
 
-  doCheck = !stdenv.isDarwin;
+  # https://github.com/NixOS/nixpkgs/issues/13573
+  doCheck = false;
 
   meta = with stdenv.lib; {
     description = "GNU Emacs 25 (pre), the extensible, customizable text editor";
     homepage    = http://www.gnu.org/software/emacs/;
     license     = licenses.gpl3Plus;
-    maintainers = with maintainers; [ chaoflow lovek323 simons the-kenny ];
+    maintainers = with maintainers; [ chaoflow lovek323 simons the-kenny jwiegley ];
     platforms   = platforms.all;
 
-    # So that Exuberant ctags is preferred
-    priority = 1;
-
     longDescription = ''
       GNU Emacs is an extensible, customizable text editor—and more.  At its
       core is an interpreter for Emacs Lisp, a dialect of the Lisp

pkgs/applications/editors/emacs-modes/proofgeneral/HEAD.nix

@@ -0,0 +1,52 @@
+{ stdenv, fetchgit, emacs, texinfo, texLive, perl, which, automake, enableDoc ? false }:
+
+stdenv.mkDerivation (rec {
+  name = "ProofGeneral-HEAD";
+
+  src = fetchgit {
+    url = "https://github.com/ProofGeneral/PG.git";
+    rev = "64ca55b1593fff8cfffab89c51d7e92c1a68dc27";
+    sha256 = "1gz13fagxf0w2zgp7qd0w328qiv97295jwq7ra8vj61pdfi8xklj";
+  };
+
+  buildInputs = [ emacs texinfo perl which ] ++ stdenv.lib.optional enableDoc texLive;
+
+  prePatch =
+    '' sed -i "Makefile" \
+           -e "s|^\(\(DEST_\)\?PREFIX\)=.*$|\1=$out|g ; \
+               s|/sbin/install-info|install-info|g"
+
+
+       sed -i "bin/proofgeneral" -e's/which/type -p/g'
+
+       # @image{ProofGeneral} fails, so remove it.
+       sed -i '94d' doc/PG-adapting.texi
+       sed -i '96d' doc/ProofGeneral.texi
+    '';
+
+  patches = [ ./pg.patch ];
+
+  preBuild = ''
+    make clean;
+  '';
+
+  installPhase =
+    if enableDoc
+    then
+    # Copy `texinfo.tex' in the right place so that `texi2pdf' works.
+    '' cp -v "${automake}/share/"automake-*/texinfo.tex doc
+       make install install-doc
+    ''
+    else "make install";
+
+  meta = {
+    description = "Proof General, an Emacs front-end for proof assistants";
+    longDescription = ''
+      Proof General is a generic front-end for proof assistants (also known as
+      interactive theorem provers), based on the customizable text editor Emacs.
+    '';
+    homepage = http://proofgeneral.inf.ed.ac.uk;
+    license = stdenv.lib.licenses.gpl2Plus;
+    platforms = stdenv.lib.platforms.unix;  # arbitrary choice
+  };
+})

pkgs/applications/editors/idea/default.nix

@@ -146,124 +146,148 @@ in
 
 {
 
-  android-studio = buildAndroidStudio rec {
+  android-studio = let buildNumber = "143.2821654"; in buildAndroidStudio rec {
     name = "android-studio-${version}";
-    version = "2.0.0.0";
-    build = "143.2443734";
+    version = "2.1.1.0";
+    build = "AI-${buildNumber}";
     description = "Android development environment based on IntelliJ IDEA";
     license = stdenv.lib.licenses.asl20;
     src = fetchurl {
       url = "https://dl.google.com/dl/android/studio/ide-zips/${version}" +
-            "/android-studio-ide-${build}-linux.zip";
-      sha256 = "0j6bi87hb5jxjwfhfya64s673vdkdslsqc6sqa4zl97sabvafk2w";
+            "/android-studio-ide-${buildNumber}-linux.zip";
+      sha256 = "1zxxzyhny7j4vzlydrhwz3g8l8zcml84mhkcf5ckx8xr50j3m101";
     };
   };
 
   clion = buildClion rec {
     name = "clion-${version}";
-    version = "1.2.4";
-    build = "143.1186";
+    version = "1.2.5";
+    build = "CL-143.2370.46";
     description  = "C/C++ IDE. New. Intelligent. Cross-platform";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/cpp/${name}.tar.gz";
-      sha256 = "0asjgfshbximjk6i57fz3d2ykby5qw5x6nhw91cpzrzszc59dmm2";
+      sha256 = "0ll1rcnnbd1if6x5rp3qw35lvp5zdzmvyg9n1lha89i34xiw36jp";
     };
   };
 
   idea14-community = buildIdea rec {
     name = "idea-community-${version}";
-    version = "14.1.6";
-    build = "IC-141.3056.4";
+    version = "14.1.7";
+    build = "IC-141.3058.30";
     description = "Integrated Development Environment (IDE) by Jetbrains, community edition";
     license = stdenv.lib.licenses.asl20;
     src = fetchurl {
       url = "https://download.jetbrains.com/idea/ideaIC-${version}.tar.gz";
-      sha256 = "157969b37sbafby1r1gva2xm3a3y0dgj7pisgxmk8k1d5rgncvil";
+      sha256 = "1i4mdjm9dd6zvxlpdgd3bqg45ir0cfc9hl55cdc0hg5qwbz683fz";
     };
   };
 
   idea-community = buildIdea rec {
     name = "idea-community-${version}";
-    version = "15.0.4";
-    build = "IC-143.2287";
+    version = "2016.2";
+    build = "IC-162.1121";
     description = "Integrated Development Environment (IDE) by Jetbrains, community edition";
     license = stdenv.lib.licenses.asl20;
     src = fetchurl {
       url = "https://download.jetbrains.com/idea/ideaIC-${version}.tar.gz";
-      sha256 = "05kah5cx7x3rlaaxkvbbm7g8jvy9hc38q4jv7j5r9rkxd38fslvn";
+      sha256 = "164x4l0q31zpc1jh3js1xx9y6afrzsshmnkx1mwhmq8qmvzc4w32";
+    };
+  };
+
+  idea14-ultimate = buildIdea rec {
+    name = "idea-ultimate-${version}";
+    version = "14.1.7";
+    build = "IU-141.3058.30";
+    description = "Integrated Development Environment (IDE) by Jetbrains, requires paid license";
+    license = stdenv.lib.licenses.unfree;
+    src = fetchurl {
+      url = "https://download.jetbrains.com/idea/ideaIU-${version}.tar.gz";
+      sha256 = "a2259249f6e7bf14ba17b0af90a18d24d9b4670af60d24f0bb51af2f62500fc2";
+    };
+  };
+
+  idea15-ultimate = buildIdea rec {
+    name = "idea-ultimate-${version}";
+    version = "15.0.6";
+    build = "IU-143.2370.31";
+    description = "Integrated Development Environment (IDE) by Jetbrains, requires paid license";
+    license = stdenv.lib.licenses.unfree;
+    src = fetchurl {
+      url = "https://download.jetbrains.com/idea/ideaIU-${version}.tar.gz";
+      sha256 = "012aap2qn0jx4x34bdv9ivrsr86vvf683srb5vpj27hc4l6rw6ll";
     };
   };
 
   idea-ultimate = buildIdea rec {
     name = "idea-ultimate-${version}";
-    version = "15.0.4";
-    build = "IU-143.2287";
+    version = "2016.2";
+    build = "IU-162.1121";
     description = "Integrated Development Environment (IDE) by Jetbrains, requires paid license";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/idea/ideaIU-${version}.tar.gz";
-      sha256 = "0416y7krrak1q5pb8axskdamy06nfxmn4hj7421j8jaz0nc50dn4";
+      sha256 = "10hiqh6ccmai2cnc5p72vqjcz9kzmmcpn0hy5v514h4mq6vs4zk4";
     };
   };
 
   ruby-mine = buildRubyMine rec {
     name = "ruby-mine-${version}";
-    version = "7.1.2";
-    build = "141.1119";
+    version = "7.1.5";
+    build = "RM-141.3058.29";
     description = "The Most Intelligent Ruby and Rails IDE";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/ruby/RubyMine-${version}.tar.gz";
-      sha256 = "1gz14lv5jhnrnshp7lkx3wgrdf0y60abs4q78yhv2x9dc6ld1gmj";
+      sha256 = "04fcxj1xlap9mxmwf051s926p2darlj5kwl4lms2gy5d8b2lhd5l";
     };
   };
 
   pycharm-community = buildPycharm rec {
     name = "pycharm-community-${version}";
-    version = "5.0.3";
-    build = "143.1559.1";
+    version = "2016.1.3";
+    build = "PC-145.971.25";
     description = "PyCharm Community Edition";
     license = stdenv.lib.licenses.asl20;
     src = fetchurl {
       url = "https://download.jetbrains.com/python/${name}.tar.gz";
-      sha256 = "1xb3qxhl8ln488v0hmjqkzpyypm7wh941c7syi4cs7plbdp6w4c2";
+      sha256 = "1ks7crrfnhzkdxban2hh2pnr986vqwmac5zybmb1ighcyamhdi4q";
     };
   };
 
   pycharm-professional = buildPycharm rec {
     name = "pycharm-professional-${version}";
-    version = "5.0.3";
-    build = "143.1559.1";
+    version = "2016.1.3";
+    build = "PY-145.971.25";
     description = "PyCharm Professional Edition";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/python/${name}.tar.gz";
-      sha256 = "1v2g9867nn3id1zfbg4zwj0c0z9d72rl9c1dz6vs2c4j0y4gy9xl";
+      sha256 = "1rn0i5qbvfjbl4v571ngmyslispibcq5ab0fb7xjl38vr1y417f2";
     };
   };
 
   phpstorm = buildPhpStorm rec {
     name = "phpstorm-${version}";
-    version = "10.0.1";
-    build = "PS-143.382";
+    version = "10.0.4";
+    build = "PS-143.2370.33";
     description = "Professional IDE for Web and PHP developers";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/webide/PhpStorm-${version}.tar.gz";
-      sha256 = "12bqil8pxzmbv8a7pxn2529ph2x7szr3wvkvgxaisydm463kpdk8";
+      sha256 = "0fi042zvjpg5pn2mnhj3bbrdkl1b9vmhpf2l6ca4nr0rhjjv7dsm";
     };
   };
 
   webstorm = buildWebStorm rec {
     name = "webstorm-${version}";
-    version = "10.0.4";
-    build = "141.1550";
+    version = "10.0.5";
+    build = "WS-141.3058.35";
     description = "Professional IDE for Web and JavaScript development";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/webstorm/WebStorm-${version}.tar.gz";
-      sha256 = "171i544ssvjnbr1vq6ncxlj38swsygacavsa427qa4s5wzyvdipj";
+      sha256 = "0a5s6f99wyql5pgjl94pf4ljdbviik3b8dbr1s6b7c6jn1gk62ic";
     };
   };
 

pkgs/applications/editors/neovim/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchFromGitHub, cmake, gettext, glib, libmsgpack, libtermkey
-, libtool, libuv, lpeg, lua, luajit, luaMessagePack, luabitop, ncurses, perl
-, pkgconfig, unibilium, makeWrapper, vimUtils
+, libtool, libuv, lpeg, lua, luajit, luaMessagePack, luabitop, man, ncurses
+, perl, pkgconfig, unibilium, makeWrapper, vimUtils
 
 , withPython ? true, pythonPackages, extraPythonPackages ? []
 , withPython3 ? true, python3Packages, extraPython3Packages ? []
@@ -96,7 +96,10 @@ let
     LUA_CPATH="${lpeg}/lib/lua/${lua.luaversion}/?.so;${luabitop}/lib/lua/5.2/?.so";
     LUA_PATH="${luaMessagePack}/share/lua/5.1/?.lua";
 
-    preConfigure = stdenv.lib.optionalString stdenv.isDarwin ''
+    preConfigure = ''
+      substituteInPlace runtime/autoload/man.vim \
+        --replace /usr/bin/man ${man}/bin/man
+    '' + stdenv.lib.optionalString stdenv.isDarwin ''
       export DYLD_LIBRARY_PATH=${jemalloc}/lib
       substituteInPlace src/nvim/CMakeLists.txt --replace "    util" ""
     '';

pkgs/applications/graphics/ImageMagick/default.nix

@@ -13,7 +13,7 @@ in
 
 stdenv.mkDerivation rec {
   name = "imagemagick-${version}";
-  version = "6.9.2-0";
+  version = "6.9.5-2";
 
   src = fetchurl {
     urls = [
@@ -21,9 +21,11 @@ stdenv.mkDerivation rec {
       # the original source above removes tarballs quickly
       "http://distfiles.macports.org/ImageMagick/ImageMagick-${version}.tar.xz"
     ];
-    sha256 = "17ir8bw1j7g7srqmsz3rx780sgnc21zfn0kwyj78iazrywldx8h7";
+    sha256 = "09h3rpr1jnzd7ipy5d16r2gi0bwg4hk5khwzv4cyhv1xzs8pk7pj";
   };
 
+  patches = [ ./imagetragick.patch ];
+
   outputs = [ "out" "doc" ];
 
   enableParallelBuilding = true;

pkgs/applications/graphics/ImageMagick/imagetragick.patch

@@ -0,0 +1,8 @@
+--- a/config/policy.xml
++++ b/config/policy.xml
+67a68,72
+>   <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+>   <policy domain="coder" rights="none" pattern="URL" />
+>   <policy domain="coder" rights="none" pattern="HTTPS" />
+>   <policy domain="coder" rights="none" pattern="MVG" />
+>   <policy domain="coder" rights="none" pattern="MSL" />

pkgs/applications/graphics/gimp/2.8.nix

@@ -4,7 +4,8 @@
 , python, pygtk, libart_lgpl, libexif, gettext, xorg, wrapPython }:
 
 stdenv.mkDerivation rec {
-  name = "gimp-2.8.16";
+  name = "gimp-${version}";
+  version = "2.8.18";
 
   # This declarations for `gimp-with-plugins` wrapper,
   # (used for determining $out/lib/gimp/${majorVersion}/ paths)
@@ -14,7 +15,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "http://download.gimp.org/pub/gimp/v2.8/${name}.tar.bz2";
-    sha256 = "1dsgazia9hmab8cw3iis7s69dvqyfj5wga7ds7w2q5mms1xqbqwm";
+    sha256 = "0halh6sl3d2j9gahyabj6h6r3yyldcy7sfb4qrfazpkqqr3j5p9r";
   };
 
   buildInputs =