disnix: 0.7.1 -> 0.7.2

(cherry picked from commit 94f0a6793b)

.github/CONTRIBUTING.md

@@ -28,5 +28,8 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
   * Not start with the package name
   * Not have a dot at the end
 
-See the nixpkgs manual for more details on how to [Submit changes to nixpkgs](http://hydra.nixos.org/job/nixpkgs/trunk/manual/latest/download-by-type/doc/manual#chap-submitting-changes).
+See the nixpkgs manual for more details on how to [Submit changes to nixpkgs](https://nixos.org/nixpkgs/manual/#chap-submitting-changes).
 
+## Reviewing contributions
+
+See the nixpkgs manual for more details on how to [Review contributions](https://nixos.org/nixpkgs/manual/#sec-reviewing-contributions).

.travis.yml

@@ -18,3 +18,8 @@ matrix:
 env:
     global:
         - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f
+
+notifications:
+    email:
+        on_success: never
+        on_failure: change

doc/coding-conventions.xml

@@ -623,7 +623,7 @@ evaluate correctly.</para>
     from bad to good:
     <itemizedlist>
       <listitem>
-        <para>Uses <literal>git://</literal> which won't be proxied.
+        <para>Bad: Uses <literal>git://</literal> which won't be proxied.
 <programlisting>
 src = fetchgit {
   url = "git://github.com/NixOS/nix.git";
@@ -634,7 +634,7 @@ src = fetchgit {
         </para>
       </listitem>
       <listitem>
-        <para>This is ok, but an archive fetch will still be faster.
+        <para>Better: This is ok, but an archive fetch will still be faster.
 <programlisting>
 src = fetchgit {
   url = "https://github.com/NixOS/nix.git";
@@ -645,7 +645,7 @@ src = fetchgit {
         </para>
       </listitem>
       <listitem>
-        <para>Fetches a snapshot archive and you get the rev you want.
+        <para>Best: Fetches a snapshot archive and you get the rev you want.
 <programlisting>
 src = fetchFromGitHub {
   owner = "NixOS";

doc/languages-frameworks/haskell.md

@@ -633,7 +633,7 @@ Now the builds succeeds.
 Of course, in the concrete example of `ghc-events` this whole exercise is not
 an ideal solution, because `ghc-events` can analyze the output emitted by any
 version of GHC later than 6.12 regardless of the compiler version that was used
-to build the `ghc-events' executable, so strictly speaking there's no reason to
+to build the `ghc-events` executable, so strictly speaking there's no reason to
 prefer one built with GHC 7.8.x in the first place. However, for users who
 cannot use GHC 7.10.x at all for some reason, the approach of downgrading to an
 older version might be useful.

doc/languages-frameworks/python.md

@@ -669,9 +669,8 @@ when you try to install a second environment.
 Create a file, e.g. `build.nix`, with the following expression
 ```nix
 with import <nixpkgs> {};
-with python35Packages;
 
-python.withPackages (ps: with ps; [ numpy ipython ])
+pkgs.python35.withPackages (ps: with ps; [ numpy ipython ])
 ```
 and install it in your profile with
 ```
@@ -683,14 +682,15 @@ Now you can use the Python interpreter, as well as the extra packages that you a
 
 If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
 ```
-  packageOverrides = pkgs: with pkgs; with python35Packages; {
-    myEnv = python.withPackages (ps: with ps; [ numpy ipython ]);
+  packageOverrides = pkgs: with pkgs; {
+    myEnv = python35.withPackages (ps: with ps; [ numpy ipython ]);
   };
 ```
 and install it in your profile with
 ```
-nix-env -iA nixos.blogEnv
+nix-env -iA nixpkgs.myEnv
 ```
+We're installing using the attribute path and assume the channels is named `nixpkgs`.
 Note that I'm using the attribute path here.
 
 #### Environment defined in `/etc/nixos/configuration.nix`
@@ -699,7 +699,7 @@ For the sake of completeness, here's another example how to install the environm
 
 ```nix
 environment.systemPackages = with pkgs; [
-  (python35Packages.python.withPackages (ps: callPackage ../packages/common-python-packages.nix { pythonPackages = ps; }))
+  (python35.withPackages(ps: with ps; [ numpy ipython ]))
 ];
 ```
 

doc/manual.xml

@@ -20,6 +20,7 @@
   <xi:include href="package-notes.xml" />
   <xi:include href="coding-conventions.xml" />
   <xi:include href="submitting-changes.xml" />
+  <xi:include href="reviewing-contributions.xml" />
   <xi:include href="contributing.xml" />
 
 </book>

doc/reviewing-contributions.xml

@@ -0,0 +1,393 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+        xmlns:xlink="http://www.w3.org/1999/xlink"
+        xmlns:xi="http://www.w3.org/2001/XInclude"
+        version="5.0"
+        xml:id="sec-reviewing-contributions">
+
+<title>Reviewing contributions</title>
+
+<warning>
+  <para>The following section is a draft and reviewing policy is still being 
+    discussed.</para>
+</warning>
+
+<para>The nixpkgs projects receives a fairly high number of contributions via 
+  GitHub pull-requests. Reviewing and approving these is an important task and a 
+  way to contribute to the project.</para>
+
+<para>The high change rate of nixpkgs make any pull request that is open for 
+  long enough subject to conflicts that will require extra work from the 
+  submitter or the merger. Reviewing pull requests in a timely manner and being 
+  responsive to the comments is the key to avoid these. Github provides sort 
+  filters that can be used to see the <link 
+    xlink:href="https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-desc">most 
+    recently</link> and the <link 
+    xlink:href="https://github.com/NixOS/nixpkgs/pulls?q=is%3Apr+is%3Aopen+sort%3Aupdated-asc">least 
+    recently</link> updated pull-requests.</para>
+
+<para>When reviewing a pull request, please always be nice and polite. 
+  Controversial changes can lead to controversial opinions, but it is important 
+  to respect every community members and their work.</para>
+
+<para>GitHub provides reactions, they are a simple and quick way to provide 
+  feedback to pull-requests or any comments. The thumb-down reaction should be 
+  used with care and if possible accompanied with some explanations so the 
+  submitter has directions to improve his contribution.</para>
+
+<para>Pull-requests reviews should include a list of what has been reviewed in a 
+  comment, so other reviewers and mergers can know the state of the 
+  review.</para>
+
+<para>All the review template samples provided in this section are generic and 
+  meant as examples. Their usage is optional and the reviewer is free to adapt 
+  them to his liking.</para>
+
+<section><title>Package updates</title>
+
+<para>A package update is the most trivial and common type of pull-request. 
+  These pull-requests mainly consist in updating the version part of the package 
+  name and the source hash.</para>
+<para>It can happen that non trivial updates include patches or more complex 
+  changes.</para>
+
+<para>Reviewing process:</para>
+
+<itemizedlist>
+  <listitem><para>Add labels to the pull-request. (Requires commit 
+      rights)</para>
+    <itemizedlist>
+      <listitem><para><literal>8.has: package (update)</literal> and any topic 
+          label that fit the updated package.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the package versioning is fitting the 
+      guidelines.</para></listitem>
+  <listitem><para>Ensure that the commit text is fitting the 
+      guidelines.</para></listitem>
+  <listitem><para>Ensure that the package maintainers are notified.</para>
+    <itemizedlist>
+      <listitem><para>mention-bot usually notify GitHub users based on the 
+          submitted changes, but it can happen that it misses some of the 
+          package maintainers.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the meta field contains correct 
+      information.</para>
+    <itemizedlist>
+      <listitem><para>License can change with version updates, so it should be 
+          checked to be fitting upstream license.</para></listitem>
+      <listitem><para>If the package has no maintainer, a maintainer must be 
+          set. This can be the update submitter or a community member that 
+          accepts to take maintainership of the package.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the code contains no typos.</para></listitem>
+  <listitem><para>Building the package locally.</para>
+    <itemizedlist>
+      <listitem><para>Pull-requests are often targeted to the master or staging 
+          branch so building the pull-request locally as it is submitted can 
+          trigger a large amount of source builds.</para>
+        <para>It is possible to rebase the changes on nixos-unstable or 
+          nixpkgs-unstable for easier review by running the following commands 
+          from a nixpkgs clone.
+<screen>
+$ git remote add channels https://github.com/NixOS/nixpkgs-channels.git <co 
+  xml:id='reviewing-rebase-1' />
+$ git fetch channels nixos-unstable <co xml:id='reviewing-rebase-2' />
+$ git fetch origin pull/PRNUMBER/head <co xml:id='reviewing-rebase-3' />
+$ git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD <co 
+  xml:id='reviewing-rebase-4' />
+</screen>
+        <calloutlist>
+          <callout arearefs='reviewing-rebase-1'>
+            <para>This should be done only once to be able to fetch channel 
+              branches from the nixpkgs-channels repository.</para>
+          </callout>
+          <callout arearefs='reviewing-rebase-2'>
+            <para>Fetching the nixos-unstable branch.</para>
+          </callout>
+          <callout arearefs='reviewing-rebase-3'>
+            <para>Fetching the pull-request changes, <varname>PRNUMBER</varname> 
+              is the number at the end of the pull-request title and 
+              <varname>BASEBRANCH</varname> the base branch of the 
+              pull-request.</para>
+          </callout>
+          <callout arearefs='reviewing-rebase-3'>
+            <para>Rebasing the pull-request changes to the nixos-unstable 
+              branch.</para>
+          </callout>
+        </calloutlist>
+        </para>
+      </listitem>
+      <listitem>
+        <para>The <link xlink:href="https://github.com/madjar/nox">nox</link> 
+          tool can be used to review a pull-request content in a single command. 
+          It doesn't rebase on a channel branch so it might trigger multiple 
+          source builds. <varname>PRNUMBER</varname> should be replaced by the 
+          number at the end of the pull-request title.</para>
+<screen>
+$ nix-shell -p nox --run "nox-review -k pr PRNUMBER"
+</screen>
+      </listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Running every binary.</para></listitem>
+</itemizedlist>
+
+<example><title>Sample template for a package update review</title>
+<screen>
+##### Reviewed points
+
+- [ ] package name fits guidelines
+- [ ] package version fits guidelines
+- [ ] package build on ARCHITECTURE
+- [ ] executables tested on ARCHITECTURE
+- [ ] all depending packages build
+
+##### Possible improvements
+
+##### Comments
+
+</screen></example>
+</section>
+
+<section><title>New packages</title>
+
+<para>New packages are a common type of pull-requests. These pull requests 
+  consists in adding a new nix-expression for a package.</para>
+
+<para>Reviewing process:</para>
+
+<itemizedlist>
+  <listitem><para>Add labels to the pull-request. (Requires commit 
+      rights)</para>
+    <itemizedlist>
+      <listitem><para><literal>8.has: package (new)</literal> and any topic 
+          label that fit the new package.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the package versioning is fitting the 
+      guidelines.</para></listitem>
+  <listitem><para>Ensure that the commit name is fitting the 
+      guidelines.</para></listitem>
+  <listitem><para>Ensure that the meta field contains correct 
+      information.</para>
+    <itemizedlist>
+      <listitem><para>License must be checked to be fitting upstream 
+          license.</para></listitem>
+      <listitem><para>Platforms should be set or the package will not get binary 
+          substitutes.</para></listitem>
+      <listitem><para>A maintainer must be set, this can be the package 
+          submitter or a community member that accepts to take maintainership of 
+          the package.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the code contains no typos.</para></listitem>
+  <listitem><para>Ensure the package source.</para>
+    <itemizedlist>
+      <listitem><para>Mirrors urls should be used when 
+          available.</para></listitem>
+      <listitem><para>The most appropriate function should be used (e.g. 
+          packages from GitHub should use 
+          <literal>fetchFromGitHub</literal>).</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Building the package locally.</para></listitem>
+  <listitem><para>Running every binary.</para></listitem>
+</itemizedlist>
+
+<example><title>Sample template for a new package review</title>
+<screen>
+##### Reviewed points
+
+- [ ] package path fits guidelines
+- [ ] package name fits guidelines
+- [ ] package version fits guidelines
+- [ ] package build on ARCHITECTURE
+- [ ] executables tested on ARCHITECTURE
+- [ ] `meta.description` is set and fits guidelines
+- [ ] `meta.license` fits upstream license
+- [ ] `meta.platforms` is set
+- [ ] `meta.maintainers` is set
+- [ ] build time only dependencies are declared in `nativeBuildInputs`
+- [ ] source is fetched using the appropriate function
+- [ ] phases are respected
+- [ ] patches that are remotely available are fetched with `fetchpatch`
+
+##### Possible improvements
+
+##### Comments
+
+</screen></example>
+</section>
+
+<section><title>Module updates</title>
+
+<para>Module updates are submissions changing modules in some ways. These often 
+  contains changes to the options or introduce new options.</para>
+
+<para>Reviewing process</para>
+
+<itemizedlist>
+  <listitem><para>Add labels to the pull-request. (Requires commit 
+      rights)</para>
+    <itemizedlist>
+      <listitem><para><literal>8.has: module (update)</literal> and any topic 
+          label that fit the module.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the module maintainers are notified.</para>
+    <itemizedlist>
+      <listitem><para>Mention-bot notify GitHub users based on the submitted 
+          changes, but it can happen that it miss some of the package 
+          maintainers.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the module tests, if any, are 
+      succeeding.</para></listitem>
+  <listitem><para>Ensure that the introduced options are correct.</para>
+    <itemizedlist>
+      <listitem><para>Type should be appropriate (string related types differs 
+          in their merging capabilities, <literal>optionSet</literal> and 
+          <literal>string</literal> types are deprecated).</para></listitem>
+      <listitem><para>Description, default and example should be 
+          provided.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that option changes are backward compatible.</para>
+    <itemizedlist>
+      <listitem><para><literal>mkRenamedOptionModule</literal> and 
+          <literal>mkAliasOptionModule</literal> functions provide way to make 
+          option changes backward compatible.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that removed options are declared with 
+      <literal>mkRemovedOptionModule</literal></para></listitem>
+  <listitem><para>Ensure that changes that are not backward compatible are 
+      mentioned in release notes.</para></listitem>
+  <listitem><para>Ensure that documentations affected by the change is 
+      updated.</para></listitem>
+</itemizedlist>
+
+<example><title>Sample template for a module update review</title>
+<screen>
+##### Reviewed points
+
+- [ ] changes are backward compatible
+- [ ] removed options are declared with `mkRemovedOptionModule`
+- [ ] changes that are not backward compatible are documented in release notes
+- [ ] module tests succeed on ARCHITECTURE
+- [ ] options types are appropriate
+- [ ] options description is set
+- [ ] options example is provided
+- [ ] documentation affected by the changes is updated
+
+##### Possible improvements
+
+##### Comments
+
+</screen></example>
+</section>
+
+<section><title>New modules</title>
+
+<para>New modules submissions introduce a new module to NixOS.</para>
+
+<itemizedlist>
+  <listitem><para>Add labels to the pull-request. (Requires commit 
+      rights)</para>
+    <itemizedlist>
+      <listitem><para><literal>8.has: module (new)</literal> and any topic label 
+          that fit the module.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the module tests, if any, are 
+      succeeding.</para></listitem>
+  <listitem><para>Ensure that the introduced options are correct.</para>
+    <itemizedlist>
+      <listitem><para>Type should be appropriate (string related types differs 
+          in their merging capabilities, <literal>optionSet</literal> and 
+          <literal>string</literal> types are deprecated).</para></listitem>
+      <listitem><para>Description, default and example should be 
+          provided.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that module <literal>meta</literal> field is 
+      present</para>
+    <itemizedlist>
+      <listitem><para>Maintainers should be declared in 
+          <literal>meta.maintainers</literal>.</para></listitem>
+      <listitem><para>Module documentation should be declared with 
+          <literal>meta.doc</literal>.</para></listitem>
+    </itemizedlist>
+  </listitem>
+  <listitem><para>Ensure that the module respect other modules 
+      functionality.</para>
+    <itemizedlist>
+      <listitem><para>For example, enabling a module should not open firewall 
+          ports by default.</para></listitem>
+    </itemizedlist>
+  </listitem>
+</itemizedlist>
+
+<example><title>Sample template for a new module review</title>
+<screen>
+##### Reviewed points
+
+- [ ] module path fits the guidelines
+- [ ] module tests succeed on ARCHITECTURE
+- [ ] options have appropriate types
+- [ ] options have default
+- [ ] options have example
+- [ ] options have descriptions
+- [ ] No unneeded package is added to system.environmentPackages
+- [ ] meta.maintainers is set
+- [ ] module documentation is declared in meta.doc
+
+##### Possible improvements
+
+##### Comments
+
+</screen></example>
+</section>
+
+<section><title>Other submissions</title>
+
+<para>Other type of submissions requires different reviewing steps.</para>
+
+<para>If you consider having enough knowledge and experience in a topic and 
+  would like to be a long-term reviewer for related submissions, please contact 
+  the current reviewers for that topic. They will give you information about the 
+  reviewing process.
+The main reviewers for a topic can be hard to find as there is no list, but 
+checking past pull-requests to see who reviewed or git-blaming the code to see 
+who committed to that topic can give some hints.</para>
+
+<para>Container system, boot system and library changes are some examples of the 
+  pull requests fitting this category.</para>
+
+</section>
+
+<section><title>Merging pull-requests</title>
+
+<para>It is possible for community members that have enough knowledge and 
+  experience on a special topic to contribute by merging pull requests.</para>
+
+<para>TODO: add the procedure to request merging rights.</para>
+
+<!--
+The following paragraph about how to deal with unactive contributors is just a
+proposition and should be modified to what the community agrees to be the right
+policy.
+
+<para>Please note that contributors with commit rights unactive for more than 
+  three months will have their commit rights revoked.</para>
+-->
+
+<para>In a case a contributor leaves definitively the Nix community, he should 
+  create an issue or notify the mailing list with references of packages and 
+  modules he maintains so the maintainership can be taken over by other 
+  contributors.</para>
+
+</section>
+</chapter>

doc/stdenv.xml

@@ -1367,8 +1367,15 @@ These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
 <varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
 </para>
 
-<para>The following flags are enabled by default and might require disabling
-if the program to package is incompatible.
+<para>
+Both parameters take a list of flags as strings. The special
+<varname>"all"</varname> flag can be passed to <varname>hardeningDisable</varname>
+to turn off all hardening. These flags can also be used as environment variables
+for testing or development purposes.
+</para>
+
+<para>The following flags are enabled by default and might require disabling with
+<varname>hardeningDisable</varname> if the program to package is incompatible.
 </para>
 
 <variablelist>
@@ -1529,7 +1536,8 @@ intel_drv.so: undefined symbol: vgaHWFreeHWRec
 </variablelist>
 
 <para>The following flags are disabled by default and should be enabled
-for packages that take untrusted input, like network services.
+with <varname>hardeningEnable</varname> for packages that take untrusted
+input like network services.
 </para>
 
 <variablelist>

lib/maintainers.nix

@@ -89,6 +89,7 @@
   codyopel = "Cody Opel <codyopel@gmail.com>";
   colemickens = "Cole Mickens <cole.mickens@gmail.com>";
   copumpkin = "Dan Peebles <pumpkingod@gmail.com>";
+  corngood = "David McFarland <corngood@gmail.com>";
   coroa = "Jonas Hörsch <jonas@chaoflow.net>";
   couchemar = "Andrey Pavlov <couchemar@yandex.ru>";
   cransom = "Casey Ransom <cransom@hubns.net>";
@@ -278,6 +279,7 @@
   nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
   Nate-Devv = "Nathan Moore <natedevv@gmail.com>";
   nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
+  ndowens = "Nathan Owens <ndowens04@gmail.com>";
   nequissimus = "Tim Steinbach <tim@nequissimus.com>";
   nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
   nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
@@ -348,6 +350,8 @@
   roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
   roconnor = "Russell O'Connor <roconnor@theorem.ca>";
   romildo = "José Romildo Malaquias <malaquias@gmail.com>";
+  rongcuid = "Rongcui Dong <rongcuid@outlook.com>";
+  ronny = "Ronny Pfannschmidt <nixos@ronnypfannschmidt.de>";
   rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
   rushmorem = "Rushmore Mushambi <rushmore@webenchanter.com>";
   rvl = "Rodney Lorrimar <dev+nix@rodney.id.au>";
@@ -438,6 +442,7 @@
   wscott = "Wayne Scott <wsc9tt@gmail.com>";
   wyvie = "Elijah Rum <elijahrum@gmail.com>";
   yarr = "Dmitry V. <savraz@gmail.com>";
+  yorickvP = "Yorick van Pelt <yorickvanpelt@gmail.com>";
   yurrriq = "Eric Bailey <eric@ericb.me>";
   z77z = "Marco Maggesi <maggesi@math.unifi.it>";
   zagy = "Christian Zagrodnick <cz@flyingcircus.io>";

nixos/doc/manual/configuration/luks-file-systems.xml

@@ -37,6 +37,10 @@ boot.initrd.luks.devices.crypted.device = "/dev/disk/by-uuid/3f6b0024-3a44-4fde-
 fileSystems."/".device = "/dev/mapper/crypted";
 </programlisting>
 
+Should grub be used as bootloader, and <filename>/boot</filename> is located
+on an encrypted partition, it is necessary to add the following grub option:
+<programlisting>boot.loader.grub.enableCryptodisk = true;</programlisting>
+
 </para>
 
 </section>

nixos/doc/manual/development/development.xml

@@ -17,5 +17,6 @@ NixOS.</para>
 <xi:include href="building-nixos.xml" />
 <xi:include href="nixos-tests.xml" />
 <xi:include href="testing-installer.xml" />
+<xi:include href="releases.xml" />
 
 </part>

nixos/doc/manual/development/releases.xml

@@ -0,0 +1,241 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+        xmlns:xlink="http://www.w3.org/1999/xlink"
+        xmlns:xi="http://www.w3.org/2001/XInclude"
+        version="5.0"
+        xml:id="ch-releases">
+
+<title>Releases</title>
+
+<section xml:id="release-process">
+  <title>Release process</title>
+
+  <para>
+    Going through an example of releasing NixOS 15.09:
+  </para>
+
+  <section xml:id="one-month-before-the-beta">
+    <title>One month before the beta</title>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          Send an email to nix-dev mailinglist as a warning about upcoming beta "feature freeze" in a month.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Discuss with Eelco Dolstra and the community (via IRC, ML) about what will reach the deadline.
+          Any issue or Pull Request targeting the release should have assigned milestone.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="at-beta-release-time">
+    <title>At beta release time</title>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          Rename <literal>rl-unstable.xml</literal> -&gt;
+          <literal>rl-1509.xml</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>git tag -a -m &quot;Release 15.09-beta&quot; 15.09-beta &amp;&amp; git push --tags</literal>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          From the master branch run <literal>git checkout -B release-15.09</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
+            Make sure channel is created at http://nixos.org/channels/.
+          </link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches">
+            Lock the branch on github (so developers can’t force push)
+          </link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">bump
+          <literal>system.defaultChannel</literal> attribute in
+          <literal>nixos/modules/misc/version.nix</literal></link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">update
+          <literal>versionSuffix</literal> in
+          <literal>nixos/release.nix</literal></link>, use
+          <literal>git log --format=%an|wc -l</literal> to get commit
+          count
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <literal>echo -n &quot;16.03&quot; &gt; .version</literal> in
+          master.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842">pick
+          a new name for unstable branch.</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/13559">Create
+            an issue for tracking Zero Hydra Failures progress. ZHF is an effort
+            to get build failures down to zero.</link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Use https://lwn.net/Vulnerabilities/ and 
+          <link xlink:href="https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&amp;q=vulnerabilities&amp;type=Issues">triage vulnerabilities in an issue</link>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Create two Hydra jobsets: release-15.09 and release-15.09-small with <literal>stableBranch</literal> set to false
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Edit changelog at
+          <literal>nixos/doc/manual/release-notes/rl-1509.xml</literal>
+          (double check desktop versions are noted)
+        </para>
+        <itemizedlist spacing="compact">
+          <listitem>
+            <para>
+              Get all new NixOS modules
+              <literal>git diff release-14.12..release-15.09 nixos/modules/module-list.nix|grep ^+</literal>
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              Note systemd, kernel, glibc and Nix upgrades.
+            </para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="before-the-final-release">
+    <title>Before the final release</title>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          Release Nix (currently only Eelco Dolstra can do that).
+          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/53710c752a85f00658882531bc90a23a3d1287e4">
+            Make sure fallback is updated.
+          </link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/40fd9ae3ac8048758abdcfc7d28a78b5f22fe97e">
+            Update README.md with new stable NixOS version information.
+          </link>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Change <literal>stableBranch</literal> to true and wait for channel to update.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+  <section xml:id="at-final-release-time">
+    <title>At final release time</title>
+    <itemizedlist spacing="compact">
+      <listitem>
+        <para>
+          <literal>git tag -s -a -m &quot;Release 15.09&quot; 15.09</literal>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Update http://nixos.org/nixos/download.html and http://nixos.org/nixos/manual in https://github.com/NixOS/nixos-org-configurations
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Get number of commits for the release:
+          <literal>git log release-14.04..release-14.12 --format=%an|wc -l</literal>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Commits by contributor:
+          <literal>git log release-14.04..release-14.12 --format=%an|sort|uniq -c|sort -rn</literal>
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Send an email to nix-dev to announce the release with above information. Best to check how previous email was formulated
+          to see what needs to be included.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</section>
+
+<section xml:id="release-schedule">
+  <title>Release schedule</title>
+
+  <informaltable>
+    <tgroup cols="2">
+      <colspec align="left" />
+      <colspec align="left" />
+      <thead>
+        <row>
+          <entry>
+            Date
+          </entry>
+          <entry>
+            Event
+          </entry>
+        </row>
+      </thead>
+      <tbody>
+        <row>
+          <entry>
+            2016-07-25
+          </entry>
+          <entry>
+            Send email to nix-dev about upcoming branch-off
+          </entry>
+        </row>
+        <row>
+          <entry>
+            2016-09-01
+          </entry>
+          <entry>
+            <literal>release-16.09</literal> branch and corresponding jobsets are created,
+            change freeze
+          </entry>
+        </row>
+        <row>
+          <entry>
+            2016-09-30
+          </entry>
+          <entry>
+            NixOS 16.09 released
+          </entry>
+        </row>
+      </tbody>
+    </tgroup>
+  </informaltable>
+</section>
+
+</chapter>

nixos/doc/manual/installation/changing-config.xml

@@ -7,7 +7,7 @@
 
 <para>The file <filename>/etc/nixos/configuration.nix</filename>
 contains the current configuration of your machine.  Whenever you’ve
-changed something to that file, you should do
+<link linkend="ch-configuration">changed something</link> in that file, you should do
 
 <screen>
 # nixos-rebuild switch</screen>

nixos/lib/build-vms.nix

@@ -9,6 +9,8 @@ rec {
 
   inherit pkgs;
 
+  qemu = pkgs.qemu_test;
+
 
   # Build a virtual network from an attribute set `{ machine1 =
   # config1; ... machineN = configN; }', where `machineX' is the
@@ -27,6 +29,7 @@ rec {
         [ ../modules/virtualisation/qemu-vm.nix
           ../modules/testing/test-instrumentation.nix # !!! should only get added for automated test runs
           { key = "no-manual"; services.nixosManual.enable = false; }
+          { key = "qemu"; system.build.qemu = qemu; }
         ] ++ optional minimal ../modules/testing/minimal-kernel.nix;
       extraArgs = { inherit nodes; };
     };

nixos/lib/make-squashfs.nix

@@ -25,6 +25,6 @@ stdenv.mkDerivation {
 
       # Generate the squashfs image.
       mksquashfs nix-path-registration $storePaths $out \
-        -keep-as-directory -all-root
+        -keep-as-directory -all-root -b 1048576 -comp xz -Xdict-size 100%
     '';
 }

nixos/lib/test-driver/Machine.pm

@@ -504,6 +504,31 @@ sub screenshot {
     }, { image => $name } );
 }
 
+# Get the text of TTY<n>
+sub getTTYText {
+    my ($self, $tty) = @_;
+
+    my ($status, $out) = $self->execute("fold -w 80 /dev/vcs${tty}");
+    return $out;
+}
+
+# Wait until TTY<n>'s text matches a particular regular expression
+sub waitUntilTTYMatches {
+    my ($self, $tty, $regexp) = @_;
+
+    $self->nest("waiting for $regexp to appear on tty $tty", sub {
+        retry sub {
+            return 1 if $self->getTTYText($tty) =~ /$regexp/;
+        }
+    });
+}
+
+# Debugging: Dump the contents of the TTY<n>
+sub dumpTTYContents {
+    my ($self, $tty) = @_;
+
+    $self->execute("fold -w 80 /dev/vcs${tty} | systemd-cat");
+}
 
 # Take a screenshot and return the result as text using optical character
 # recognition.

nixos/lib/test-driver/test-driver.pl

@@ -8,6 +8,7 @@ use IO::Pty;
 use Logger;
 use Cwd;
 use POSIX qw(_exit dup2);
+use Time::HiRes qw(clock_gettime CLOCK_MONOTONIC);
 
 $SIG{PIPE} = 'IGNORE'; # because Unix domain sockets may die unexpectedly
 
@@ -179,7 +180,12 @@ END {
     $log->close();
 }
 
+my $now1 = clock_gettime(CLOCK_MONOTONIC);
 
 runTests;
 
+my $now2 = clock_gettime(CLOCK_MONOTONIC);
+
+printf STDERR "test script finished in %.2fs\n", $now2 - $now1;
+
 exit ($nrSucceeded < $nrTests ? 1 : 0);

nixos/lib/testing.nix

@@ -29,7 +29,7 @@ rec {
         cp ${./test-driver/Logger.pm} $libDir/Logger.pm
 
         wrapProgram $out/bin/nixos-test-driver \
-          --prefix PATH : "${lib.makeBinPath [ qemu_kvm vde2 netpbm coreutils ]}" \
+          --prefix PATH : "${lib.makeBinPath [ qemu vde2 netpbm coreutils ]}" \
           --prefix PERL5LIB : "${with perlPackages; lib.makePerlPath [ TermReadLineGnu XMLWriter IOTty FileSlurp ]}:$out/lib/perl5/site_perl"
       '';
   };

nixos/maintainers/scripts/ec2/create-amis.sh

@@ -15,7 +15,7 @@ rm -f ec2-amis.nix
 
 types="hvm pv"
 stores="ebs s3"
-regions="eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
+regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
 
 for type in $types; do
     link=$stateDir/$type

nixos/modules/config/nsswitch.nix

@@ -56,7 +56,7 @@ in
     # configured IP addresses, or ::1 and 127.0.0.2 as
     # fallbacks. Systemd also provides nss-mymachines to return IP
     # addresses of local containers.
-    system.nssModules = [ config.systemd.package ];
+    system.nssModules = [ config.systemd.package.out ];
 
   };
 }

nixos/modules/config/timezone.nix

@@ -37,14 +37,15 @@ in
 
     environment.sessionVariables.TZDIR = "/etc/zoneinfo";
 
+    # This way services are restarted when tzdata changes.
     systemd.globalEnvironment.TZDIR = tzdir;
 
     environment.etc.localtime =
-      { source = "${tzdir}/${config.time.timeZone}";
+      { source = "/etc/zoneinfo/${config.time.timeZone}";
         mode = "direct-symlink";
       };
 
-    environment.etc.zoneinfo.source = "${pkgs.tzdata}/share/zoneinfo";
+    environment.etc.zoneinfo.source = tzdir;
 
   };
 

nixos/modules/config/update-users-groups.pl

@@ -177,7 +177,7 @@ foreach my $u (@{$spec->{users}}) {
     }
 
     # Create a home directory.
-    if ($u->{createHome} && ! -e $u->{home}) {
+    if ($u->{createHome}) {
         make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
         chown $u->{uid}, $u->{gid}, $u->{home};
     }

nixos/modules/hardware/video/amdgpu-pro.nix

@@ -0,0 +1,56 @@
+# This module provides the proprietary AMDGPU-PRO drivers.
+
+{ config, lib, pkgs, pkgs_i686, ... }:
+
+with lib;
+
+let
+
+  drivers = config.services.xserver.videoDrivers;
+
+  enabled = elem "amdgpu-pro" drivers;
+
+  package = config.boot.kernelPackages.amdgpu-pro;
+  package32 = pkgs_i686.linuxPackages.amdgpu-pro.override { libsOnly = true; kernel = null; };
+
+  opengl = config.hardware.opengl;
+
+in
+
+{
+
+  config = mkIf enabled {
+
+    services.xserver.drivers = singleton
+      { name = "amdgpu"; modules = [ package ]; libPath = [ package ]; };
+
+    hardware.opengl.package = package;
+    hardware.opengl.package32 = package32;
+
+    boot.extraModulePackages = [ package ];
+
+    boot.blacklistedKernelModules = [ "radeon" ];
+
+    hardware.firmware = [ package ];
+
+    system.activationScripts.setup-amdgpu-pro = ''
+      mkdir -p /run/lib
+      ln -sfn ${package}/lib ${package.libCompatDir}
+    '' + optionalString opengl.driSupport32Bit ''
+      ln -sfn ${package32}/lib ${package32.libCompatDir}
+    '';
+
+    environment.etc = {
+      "amd/amdrc".source = package + "/etc/amd/amdrc";
+      "amd/amdapfxx.blb".source = package + "/etc/amd/amdapfxx.blb";
+      "gbm/gbm.conf".source = package + "/etc/gbm/gbm.conf";
+      "OpenCL/vendors/amdocl64.icd".source = package + "/etc/OpenCL/vendors/amdocl64.icd";
+      "vulkan/icd.d/amd_icd64.json".source = package + "/etc/vulkan/icd.d/amd_icd64.json";
+    } // optionalAttrs opengl.driSupport32Bit {
+      "OpenCL/vendors/amdocl32.icd".source = package32 + "/etc/OpenCL/vendors/amdocl32.icd";
+      "vulkan/icd.d/amd_icd32.json".source = package32 + "/etc/vulkan/icd.d/amd_icd32.json";
+    };
+
+  };
+
+}

nixos/modules/installer/cd-dvd/installation-cd-minimal.nix

@@ -1,11 +1,15 @@
 # This module defines a small NixOS installation CD.  It does not
 # contain any graphical stuff.
 
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 
 {
   imports =
     [ ./installation-cd-base.nix
-      ../../profiles/minimal.nix
+    ];
+
+  environment.systemPackages =
+    [
+      pkgs.vim
     ];
 }

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/i4mwf2gpvar7dqvlpp5m86llbq3ahbvb-nix-1.11.4";
-  i686-linux = "/nix/store/a3gjrbspb0q4hs3sv5g1y2nza43i8nzv-nix-1.11.4";
-  x86_64-darwin = "/nix/store/7v21yd3qpv0nclcy5cqr5njj9bril12s-nix-1.11.4";
+  x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
+  i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
+  x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
 }

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -126,9 +126,9 @@ targetHostCmd() {
 copyToTarget() {
     if ! [ "$targetHost" = "$buildHost" ]; then
         if [ -z "$targetHost" ]; then
-            NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --from "$buildHost" "$1"
+            NIX_SSHOPTS=$SSHOPTS nix-copy-closure --from "$buildHost" "$1"
         elif [ -z "$buildHost" ]; then
-            NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$targetHost" "$1"
+            NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$targetHost" "$1"
         else
             buildHostCmd nix-copy-closure --to "$targetHost" "$1"
         fi
@@ -169,7 +169,7 @@ nixBuild() {
 
         local drv="$(nix-instantiate "${instArgs[@]}" "${extraBuildFlags[@]}")"
         if [ -a "$drv" ]; then
-            NIX_SSHOPTS=$SSH_OPTS nix-copy-closure --to "$buildHost" "$drv"
+            NIX_SSHOPTS=$SSHOPTS nix-copy-closure --to "$buildHost" "$drv"
             buildHostCmd nix-store -r "$drv" "${buildArgs[@]}"
         else
             echo "nix-instantiate failed"

nixos/modules/installer/virtualbox-demo.nix

@@ -18,5 +18,5 @@ with lib;
 
   # Add some more video drivers to give X11 a shot at working in
   # VMware and QEMU.
-  services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" ];
+  services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ];
 }

nixos/modules/misc/ids.nix

@@ -273,6 +273,8 @@
       gocd-server = 252;
       terraria = 253;
       mattermost = 254;
+      hound = 259;
+      kresd = 270;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -516,6 +518,8 @@
       gocd-server = 252;
       terraria = 253;
       mattermost = 254;
+      hound = 259;
+      kresd = 270;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

nixos/modules/module-list.nix

@@ -38,6 +38,7 @@
   ./hardware/opengl.nix
   ./hardware/pcmcia.nix
   ./hardware/video/amdgpu.nix
+  ./hardware/video/amdgpu-pro.nix
   ./hardware/video/ati.nix
   ./hardware/video/bumblebee.nix
   ./hardware/video/displaylink.nix
@@ -355,6 +356,7 @@
   ./services/networking/iodine.nix
   ./services/networking/ircd-hybrid/default.nix
   ./services/networking/kippo.nix
+  ./services/networking/kresd.nix
   ./services/networking/lambdabot.nix
   ./services/networking/libreswan.nix
   ./services/networking/logmein-hamachi.nix
@@ -438,6 +440,7 @@
   ./services/scheduling/fcron.nix
   ./services/scheduling/marathon.nix
   ./services/search/elasticsearch.nix
+  ./services/search/hound.nix
   ./services/search/kibana.nix
   ./services/search/solr.nix
   ./services/security/clamav.nix

nixos/modules/profiles/base.nix

@@ -47,7 +47,7 @@
   ];
 
   # Include support for various filesystems.
-  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "zfs" "ntfs" "cifs" ];
+  boot.supportedFilesystems = [ "btrfs" "reiserfs" "vfat" "f2fs" "xfs" "ntfs" "cifs" ];
 
   # Configure host id for ZFS to work
   networking.hostId = lib.mkDefault "8425e349";

nixos/modules/programs/ssh.nix

@@ -165,7 +165,7 @@ in
   config = {
 
     programs.ssh.setXAuthLocation =
-      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11);
+      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11);
 
     assertions =
       [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;

nixos/modules/rename.nix

@@ -31,6 +31,8 @@ with lib;
     (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
     (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "")
 
+    (mkRenamedOptionModule [ "services" "clamav" "updater" "config" ] [ "services" "clamav" "updater" "extraConfig" ])
+
     # Old Grub-related options.
     (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
     (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])

nixos/modules/security/acme.nix

@@ -179,6 +179,7 @@ in
                   path = [ pkgs.simp_le ];
                   preStart = ''
                     mkdir -p '${cfg.directory}'
+                    chown '${data.user}:${data.group}' '${cfg.directory}'
                     if [ ! -d '${cpath}' ]; then
                       mkdir '${cpath}'
                     fi
@@ -283,6 +284,7 @@ in
           timerConfig = {
             OnCalendar = cfg.renewInterval;
             Unit = "acme-${cert}.service";
+            Persistent = "yes";
           };
         })
       );

nixos/modules/security/acme.xml

@@ -74,7 +74,28 @@ options for the <literal>security.acme</literal> module.</para>
 </para>
 
 <programlisting>
+security.acme.certs."foo.example.com" = {
+  webroot = config.security.acme.directory + "/acme-challenge";
+  email = "foo@example.com";
+  user = "nginx";
+  group = "nginx";
+  postRun = "systemctl restart nginx.service";
+};
 services.nginx.httpConfig = ''
+  server {
+    server_name foo.example.com;
+    listen 80;
+    listen [::]:80;
+
+    location /.well-known/acme-challenge {
+      root /var/www/challenges;
+    }
+
+    location / {
+      return 301 https://$host$request_uri;
+    }
+  }
+
   server {
     server_name foo.example.com;
     listen 443 ssl;

nixos/modules/security/audit.nix

@@ -104,7 +104,11 @@ in {
       description = "Kernel Auditing";
       wantedBy = [ "basic.target" ];
 
-      unitConfig.ConditionVirtualization = "!container";
+      unitConfig = {
+        ConditionVirtualization = "!container";
+        ConditionSecurity = [ "audit" ];
+      };
+
 
       path = [ pkgs.audit ];
 

nixos/modules/security/grsecurity.nix

@@ -67,9 +67,9 @@ in
     system.requiredKernelConfig = with config.lib.kernelConfig;
       [ (isEnabled "GRKERNSEC")
         (isEnabled "PAX")
-        (isYES "GRKERNSEC_SYSCTL")
-        (isYES "GRKERNSEC_SYSCTL_DISTRO")
-        (isNO "GRKERNSEC_NO_RBAC")
+        (isYes "GRKERNSEC_SYSCTL")
+        (isYes "GRKERNSEC_SYSCTL_DISTRO")
+        (isNo "GRKERNSEC_NO_RBAC")
       ];
 
     # Install PaX related utillities into the system profile.

nixos/modules/security/grsecurity.xml

@@ -293,7 +293,7 @@
       Overflows in boot critical code (e.g., the root filesystem module) can
       render the system unbootable.  Work around by setting
       <programlisting>
-        boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];
+        boot.kernelParams = [ "pax_size_overflow_report_only" ];
       </programlisting>
     </para></listitem>
 

nixos/modules/security/hidepid.nix

@@ -19,7 +19,9 @@ with lib;
 
   config = mkIf config.security.hideProcessInformation {
     users.groups.proc.gid = config.ids.gids.proc;
+    users.groups.proc.members = [ "polkituser" ];
 
     boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
+    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
   };
 }

nixos/modules/services/backup/tarsnap.nix

@@ -280,7 +280,11 @@ in
       (mapAttrsToList (name: cfg:
         { assertion = !(cfg.lowmem && cfg.verylowmem);
           message = "You cannot set both lowmem and verylowmem";
-        }) cfg.archives);
+        }) cfg.archives) ++ [
+          { assertion = length (unique (mapAttrsToList (name: x: x.keyfile) cfg.archives)) == length (attrNames cfg.archives);
+            message = "Using same key for different archives is not supported in NixOS";
+          }
+        ];
 
     systemd.services."tarsnap@" = {
       description = "Tarsnap archive '%i'";

nixos/modules/services/continuous-integration/hydra/default.nix

@@ -343,7 +343,7 @@ in
       { wantedBy = [ "multi-user.target" ];
         requires = [ "hydra-init.service" ];
         after = [ "hydra-init.service" "network.target" ];
-        path = [ pkgs.nettools ];
+        path = [ cfg.package pkgs.nettools ];
         environment = env;
         serviceConfig =
           { ExecStart = "@${cfg.package}/bin/hydra-evaluator hydra-evaluator";

nixos/modules/services/databases/couchdb.nix

@@ -162,7 +162,7 @@ in {
 
         if [ "$(id -u)" = 0 ]; then
           chown ${cfg.user}:${cfg.group} `dirname ${cfg.uriFile}`;
-          (-f ${cfg.uriFile} && chown ${cfg.user}:${cfg.group} ${cfg.uriFile}) || true
+          (test -f ${cfg.uriFile} && chown ${cfg.user}:${cfg.group} ${cfg.uriFile}) || true
           chown ${cfg.user}:${cfg.group} ${cfg.databaseDir}
           chown ${cfg.user}:${cfg.group} ${cfg.viewIndexDir}
           chown ${cfg.user}:${cfg.group} ${cfg.configFile}

nixos/modules/services/games/terraria.nix

@@ -64,7 +64,7 @@ in
       };
 
       worldPath = mkOption {
-        type        = types.path;
+        type        = types.nullOr types.path;
         default     = null;
         description = ''
           The path to the world file (<literal>.wld</literal>) which should be loaded.
@@ -126,8 +126,8 @@ in
         User    = "terraria";
         Type = "oneshot";
         RemainAfterExit = true;
-        ExecStart = "${pkgs.tmux.bin}/bin/tmux -S /var/lib/terraria/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}";
-        ExecStop = "${pkgs.tmux.bin}/bin/tmux -S /var/lib/terraria/terraria.sock send-keys Enter \"exit\" Enter";
+        ExecStart = "${getBin pkgs.tmux}/bin/tmux -S /var/lib/terraria/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}";
+        ExecStop = "${getBin pkgs.tmux}/bin/tmux -S /var/lib/terraria/terraria.sock send-keys Enter \"exit\" Enter";
       };
 
       postStart = ''

nixos/modules/services/mail/rmilter.nix

@@ -203,7 +203,7 @@ milter_default_action = accept
         PermissionsStartOnly = true;
         Restart = "always";
         RuntimeDirectory = "rmilter";
-        RuntimeDirectoryPermissions="0755";
+        RuntimeDirectoryMode = "0755";
       };
 
     };

nixos/modules/services/misc/gitlab.nix

@@ -425,7 +425,7 @@ in {
         TimeoutSec = "300";
         Restart = "on-failure";
         WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab";
-        ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -q post_receive -q mailers -q system_hook -q project_web_hook -q gitlab_shell -q common -q default -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
+        ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\"";
       };
     };
 
@@ -477,6 +477,7 @@ in {
         mkdir -p ${cfg.statePath}/repositories
         mkdir -p ${gitlabConfig.production.shared.path}/artifacts
         mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
+        mkdir -p ${gitlabConfig.production.shared.path}/pages
         mkdir -p ${cfg.statePath}/log
         mkdir -p ${cfg.statePath}/shell
         mkdir -p ${cfg.statePath}/tmp/pids
@@ -524,8 +525,8 @@ in {
 
         if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then
           if ! test -e "${cfg.statePath}/db-created"; then
-            psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
-            ${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
+            psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
+            ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} || true
             touch "${cfg.statePath}/db-created"
           fi
         fi

nixos/modules/services/misc/matrix-synapse.nix

@@ -8,11 +8,15 @@ let
   mkResource = r: ''{names: ${builtins.toJSON r.names}, compress: ${if r.compress then "true" else "false"}}'';
   mkListener = l: ''{port: ${toString l.port}, bind_address: "${l.bind_address}", type: ${l.type}, tls: ${if l.tls then "true" else "false"}, x_forwarded: ${if l.x_forwarded then "true" else "false"}, resources: [${concatStringsSep "," (map mkResource l.resources)}]}'';
   configFile = pkgs.writeText "homeserver.yaml" ''
+${optionalString (cfg.tls_certificate_path != null) ''
 tls_certificate_path: "${cfg.tls_certificate_path}"
+''}
 ${optionalString (cfg.tls_private_key_path != null) ''
 tls_private_key_path: "${cfg.tls_private_key_path}"
 ''}
+${optionalString (cfg.tls_dh_params_path != null) ''
 tls_dh_params_path: "${cfg.tls_dh_params_path}"
+''}
 no_tls: ${if cfg.no_tls then "true" else "false"}
 ${optionalString (cfg.bind_port != null) ''
 bind_port: ${toString cfg.bind_port}
@@ -68,7 +72,7 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
 turn_user_lifetime: "${cfg.turn_user_lifetime}"
 user_creation_max_duration: ${cfg.user_creation_max_duration}
 bcrypt_rounds: ${cfg.bcrypt_rounds}
-allow_guest_access: {if cfg.allow_guest_access then "true" else "false"}
+allow_guest_access: ${if cfg.allow_guest_access then "true" else "false"}
 enable_metrics: ${if cfg.enable_metrics then "true" else "false"}
 report_stats: ${if cfg.report_stats then "true" else "false"}
 signing_key_path: "/var/lib/matrix-synapse/homeserver.signing.key"
@@ -139,8 +143,9 @@ in {
         '';
       };
       tls_certificate_path = mkOption {
-        type = types.str;
-        default = "/var/lib/matrix-synapse/homeserver.tls.crt";
+        type = types.nullOr types.str;
+        default = null;
+        example = "/var/lib/matrix-synapse/homeserver.tls.crt";
         description = ''
           PEM encoded X509 certificate for TLS.
           You can replace the self-signed certificate that synapse
@@ -151,16 +156,17 @@ in {
       };
       tls_private_key_path = mkOption {
         type = types.nullOr types.str;
-        default = "/var/lib/matrix-synapse/homeserver.tls.key";
-        example = null;
+        default = null;
+        example = "/var/lib/matrix-synapse/homeserver.tls.key";
         description = ''
           PEM encoded private key for TLS. Specify null if synapse is not
           speaking TLS directly.
         '';
       };
       tls_dh_params_path = mkOption {
-        type = types.str;
-        default = "/var/lib/matrix-synapse/homeserver.tls.dh";
+        type = types.nullOr types.str;
+        default = null;
+        example = "/var/lib/matrix-synapse/homeserver.tls.dh";
         description = ''
           PEM dh parameters for ephemeral keys
         '';
@@ -522,12 +528,10 @@ in {
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       preStart = ''
-        if ! test -e /var/lib/matrix-synapse; then
-          mkdir -p /var/lib/matrix-synapse
-          chmod 700 /var/lib/matrix-synapse
-          chown -R matrix-synapse:matrix-synapse /var/lib/matrix-synapse
-          ${cfg.package}/bin/homeserver --config-path ${configFile} --keys-directory /var/lib/matrix-synapse/ --generate-keys
-        fi
+        ${cfg.package}/bin/homeserver \
+          --config-path ${configFile} \
+          --keys-directory /var/lib/matrix-synapse \
+          --generate-keys
       '';
       serviceConfig = {
         Type = "simple";
@@ -535,7 +539,7 @@ in {
         Group = "matrix-synapse";
         WorkingDirectory = "/var/lib/matrix-synapse";
         PermissionsStartOnly = true;
-        ExecStart = "${cfg.package}/bin/homeserver --config-path ${configFile}";
+        ExecStart = "${cfg.package}/bin/homeserver --config-path ${configFile} --keys-directory /var/lib/matrix-synapse";
       };
     };
   };

nixos/modules/services/monitoring/collectd.nix

@@ -9,7 +9,7 @@ let
     BaseDir "${cfg.dataDir}"
     PIDFile "${cfg.pidFile}"
     AutoLoadPlugin ${if cfg.autoLoadPlugin then "true" else "false"}
-    Hostname ${config.networking.hostName}
+    Hostname "${config.networking.hostName}"
 
     LoadPlugin syslog
     <Plugin "syslog">

nixos/modules/services/monitoring/grafana.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ options, config, lib, pkgs, ... }:
 
 with lib;
 
@@ -232,9 +232,10 @@ in {
   };
 
   config = mkIf cfg.enable {
-    warnings = [
-      "Grafana passwords will be stored as plaintext in the Nix store!"
-    ];
+    warnings = optional (
+      cfg.database.password != options.services.grafana.database.password.default ||
+      cfg.security.adminPassword != options.services.grafana.security.adminPassword.default
+    ) "Grafana passwords will be stored as plaintext in the Nix store!";
 
     environment.systemPackages = [ cfg.package ];
 

nixos/modules/services/monitoring/munin.nix

@@ -76,6 +76,7 @@ let
       # wrapped plugins by makeWrapper being with dots
       ignore_file ^\.
 
+      allow ^::1$
       allow ^127\.0\.0\.1$
 
       ${nodeCfg.extraConfig}
@@ -191,14 +192,26 @@ in
 
   }) (mkIf cronCfg.enable {
 
-    services.cron.systemCronJobs = [
-      "*/5 * * * * munin ${pkgs.munin}/bin/munin-cron --config ${muninConf}"
-    ];
+    systemd.timers.munin-cron = {
+      description = "batch Munin master programs";
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "*:0/5";
+    };
+
+    systemd.services.munin-cron = {
+      description = "batch Munin master programs";
+      unitConfig.Documentation = "man:munin-cron(8)";
+
+      serviceConfig = {
+        Type = "oneshot";
+        User = "munin";
+        ExecStart = "${pkgs.munin}/bin/munin-cron --config ${muninConf}";
+      };
+    };
 
     system.activationScripts.munin-cron = stringAfter [ "users" "groups" ] ''
       mkdir -p /var/{run,log,www,lib}/munin
       chown -R munin:munin /var/{run,log,www,lib}/munin
     '';
-
   })];
 }

nixos/modules/services/monitoring/riemann-tools.nix

@@ -50,6 +50,7 @@ in {
 
     systemd.services.riemann-health = {
       wantedBy = [ "multi-user.target" ];
+      path = [ procps ];
       serviceConfig = {
         User = "riemanntools";
         ExecStart = "${healthLauncher}/bin/riemann-health";

nixos/modules/services/networking/kippo.nix

@@ -54,7 +54,7 @@ rec {
   };
   config = mkIf cfg.enable {
     environment.systemPackages = with pkgs.pythonPackages; [
-      python twisted_11 pycrypto pyasn1 ];
+      python pkgs.kippo.twisted pycrypto pyasn1 ];
 
     environment.etc."kippo.cfg".text = ''
         # Automatically generated by NixOS.
@@ -84,7 +84,7 @@ rec {
       description = "Kippo Web Server";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
-      environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.pythonPackages.twisted_11}/lib/python2.7/site-packages/:.";
+      environment.PYTHONPATH = "${pkgs.kippo}/src/:${pkgs.pythonPackages.pycrypto}/lib/python2.7/site-packages/:${pkgs.pythonPackages.pyasn1}/lib/python2.7/site-packages/:${pkgs.pythonPackages.python}/lib/python2.7/site-packages/:${pkgs.kippo.twisted}/lib/python2.7/site-packages/:.";
       preStart = ''
         if [ ! -d ${cfg.varPath}/ ] ; then
             mkdir -p ${cfg.logPath}/tty
@@ -107,7 +107,7 @@ rec {
         fi
       '';
 
-      serviceConfig.ExecStart = "${pkgs.pythonPackages.twisted_11}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
+      serviceConfig.ExecStart = "${pkgs.kippo.twisted}/bin/twistd -y ${pkgs.kippo}/src/kippo.tac --syslog --rundir=${cfg.varPath}/ --pidfile=${cfg.pidPath}/kippo.pid --prefix=kippo -n";
       serviceConfig.PermissionsStartOnly = true;
       serviceConfig.User = "kippo"; 
       serviceConfig.Group = "kippo"; 

nixos/modules/services/networking/kresd.nix

@@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.kresd;
+  package = pkgs.knot-resolver;
+
+  configFile = pkgs.writeText "kresd.conf" cfg.extraConfig;
+in
+
+{
+  meta.maintainers = [ maintainers.vcunat /* upstream developer */ ];
+
+  ###### interface
+  options.services.kresd = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable knot-resolver domain name server.
+        DNSSEC validation is turned on by default.
+        You can run <literal>sudo nc -U /run/kresd/control</literal>
+        and give commands interactively to kresd.
+      '';
+    };
+    extraConfig = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Extra lines to be added verbatim to the generated configuration file.
+      '';
+    };
+    cacheDir = mkOption {
+      type = types.path;
+      default = "/var/cache/kresd";
+      description = ''
+        Directory for caches.  They are intended to survive reboots.
+      '';
+    };
+    interfaces = mkOption {
+      type = with types; listOf str;
+      default = [ "::1" "127.0.0.1" ];
+      description = ''
+        What addresses the server should listen on.
+      '';
+    };
+    # TODO: perhaps options for more common stuff like cache size or forwarding
+  };
+
+  ###### implementation
+  config = mkIf cfg.enable {
+    environment.etc."kresd.conf".source = configFile; # not required
+
+    users.extraUsers = singleton
+      { name = "kresd";
+        uid = config.ids.uids.kresd;
+        group = "kresd";
+        description = "Knot-resolver daemon user";
+      };
+    users.extraGroups = singleton
+      { name = "kresd";
+        gid = config.ids.gids.kresd;
+      };
+
+    systemd.sockets.kresd = rec {
+      wantedBy = [ "sockets.target" ];
+      before = wantedBy;
+      listenStreams = map
+        # Syntax depends on being IPv6 or IPv4.
+        (iface: if elem ":" (stringToCharacters iface) then "[${iface}]:53" else "${iface}:53")
+        cfg.interfaces;
+      socketConfig.ListenDatagram = listenStreams;
+    };
+
+    systemd.sockets.kresd-control = rec {
+      wantedBy = [ "sockets.target" ];
+      before = wantedBy;
+      partOf = [ "kresd.socket" ];
+      listenStreams = [ "/run/kresd/control" ];
+      socketConfig = {
+        FileDescriptorName = "control";
+        Service = "kresd.service";
+        SocketMode = "0660"; # only root user/group may connect
+      };
+    };
+
+    # Create the cacheDir; tmpfiles don't work on nixos-rebuild switch.
+    systemd.services.kresd-cachedir = {
+      serviceConfig.Type = "oneshot";
+      script = ''
+        if [ ! -d '${cfg.cacheDir}' ]; then
+          mkdir -p '${cfg.cacheDir}'
+          chown kresd:kresd '${cfg.cacheDir}'
+        fi
+      '';
+    };
+
+    systemd.services.kresd = {
+      description = "Knot-resolver daemon";
+
+      serviceConfig = {
+        User = "kresd";
+        Type = "notify";
+        WorkingDirectory = cfg.cacheDir;
+      };
+
+      script = ''
+        exec '${package}/bin/kresd' --config '${configFile}' \
+          -k '${cfg.cacheDir}/root.key'
+      '';
+
+      after = [ "kresd-cachedir.service" ];
+      requires = [ "kresd.socket" "kresd-cachedir.service" ];
+      wantedBy = [ "sockets.target" ];
+    };
+  };
+}

nixos/modules/services/networking/ssh/sshd.nix

@@ -227,8 +227,6 @@ in
 
   config = mkIf cfg.enable {
 
-    programs.ssh.setXAuthLocation = mkForce cfg.forwardX11;
-
     users.extraUsers.sshd =
       { isSystemUser = true;
         description = "SSH privilege separation user";
@@ -273,8 +271,7 @@ in
                 StandardInput = "socket";
               } else {
                 Restart = "always";
-                Type = "forking";
-                PIDFile = "/run/sshd.pid";
+                Type = "simple";
               });
           };
       in
@@ -309,8 +306,6 @@ in
 
     services.openssh.extraConfig = mkOrder 0
       ''
-        PidFile /run/sshd.pid
-
         Protocol 2
 
         UsePAM yes

nixos/modules/services/networking/vsftpd.nix

@@ -100,6 +100,10 @@ let
         seccomp_sandbox=NO
       ''}
       anon_umask=${cfg.anonymousUmask}
+      ${optionalString cfg.anonymousUser ''
+        anon_root=${cfg.anonymousUserHome}
+      ''}
+      ${cfg.extraConfig}
     '';
 
 in
@@ -163,6 +167,13 @@ in
         description = "Anonymous write umask.";
       };
 
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        example = "ftpd_banner=Hello";
+        description = "Extra configuration to add at the bottom of the generated configuration file.";
+      };
+
     } // (listToAttrs (catAttrs "nixosOption" optionDescription));
 
   };

nixos/modules/services/search/hound.nix

@@ -0,0 +1,123 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.hound;
+in {
+  options = {
+    services.hound = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable the hound code search daemon.
+        '';
+      };
+
+      user = mkOption {
+        default = "hound";
+        type = types.str;
+        description = ''
+          User the hound daemon should execute under.
+        '';
+      };
+
+      group = mkOption {
+        default = "hound";
+        type = types.str;
+        description = ''
+          Group the hound daemon should execute under.
+        '';
+      };
+
+      extraGroups = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+        example = [ "dialout" ];
+        description = ''
+          List of extra groups that the "hound" user should be a part of.
+        '';
+      };
+
+      home = mkOption {
+        default = "/var/lib/hound";
+        type = types.path;
+        description = ''
+          The path to use as hound's $HOME. If the default user
+          "hound" is configured then this is the home of the "hound"
+          user.
+        '';
+      };
+
+      package = mkOption {
+        default = pkgs.hound;
+        description = ''
+          Package for running hound.
+        '';
+      };
+
+      config = mkOption {
+        type = types.str;
+        description = ''
+          The full configuration of the Hound daemon. Note the dbpath
+          should be an absolute path to a writable location on disk.
+        '';
+        example = ''
+          {
+             "max-concurrent-indexers" : 2,
+             "dbpath" : "''${services.hound.home}/data",
+             "repos" : {
+                "nixpkgs": {
+                   "url" : "https://www.github.com/NixOS/nixpkgs.git"
+                }
+             }
+          }
+        '';
+      };
+
+      listen = mkOption {
+        type = types.str;
+        default = "0.0.0.0:6080";
+        example = "127.0.0.1:6080 or just :6080";
+        description = ''
+          Listen on this IP:port / :port
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.extraGroups = optional (cfg.group == "hound") {
+      name = "hound";
+      gid = config.ids.gids.hound;
+    };
+
+    users.extraUsers = optional (cfg.user == "hound") {
+      name = "hound";
+      description = "hound code search";
+      createHome = true;
+      home = cfg.home;
+      group = cfg.group;
+      extraGroups = cfg.extraGroups;
+      uid = config.ids.uids.hound;
+    };
+
+    systemd.services.hound = {
+      description = "Hound Code Search";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      serviceConfig = {
+        User = cfg.user;
+        Group = cfg.group;
+        WorkingDirectory = cfg.home;
+        ExecStartPre = "${pkgs.git}/bin/git config --global --replace-all http.sslCAinfo /etc/ssl/certs/ca-certificates.crt";
+        ExecStart = "${cfg.package}/bin/houndd" +
+                    " -addr ${cfg.listen}" +
+                    " -conf ${pkgs.writeText "hound.json" cfg.config}";
+
+      };
+      path = [ pkgs.git pkgs.mercurial pkgs.openssh ];
+    };
+  };
+
+}

nixos/modules/services/security/clamav.nix

@@ -3,26 +3,37 @@ with lib;
 let
   clamavUser = "clamav";
   stateDir = "/var/lib/clamav";
-  runDir = "/var/run/clamav";
-  logDir = "/var/log/clamav";
+  runDir = "/run/clamav";
   clamavGroup = clamavUser;
   cfg = config.services.clamav;
+  pkg = pkgs.clamav;
+
   clamdConfigFile = pkgs.writeText "clamd.conf" ''
     DatabaseDirectory ${stateDir}
     LocalSocket ${runDir}/clamd.ctl
-    LogFile ${logDir}/clamav.log
     PidFile ${runDir}/clamd.pid
+    TemporaryDirectory /tmp
     User clamav
+    Foreground yes
 
     ${cfg.daemon.extraConfig}
   '';
-  pkg = pkgs.clamav.override { freshclamConf = cfg.updater.config; };
+
+  freshclamConfigFile = pkgs.writeText "freshclam.conf" ''
+    DatabaseDirectory ${stateDir}
+    Foreground yes
+    Checks ${toString cfg.updater.frequency}
+
+    ${cfg.updater.extraConfig}
+
+    DatabaseMirror database.clamav.net
+  '';
 in
 {
   options = {
     services.clamav = {
       daemon = {
-        enable = mkEnableOption "clamd daemon";
+        enable = mkEnableOption "ClamAV clamd daemon";
 
         extraConfig = mkOption {
           type = types.lines;
@@ -34,16 +45,27 @@ in
         };
       };
       updater = {
-        enable = mkEnableOption "freshclam updater";
+        enable = mkEnableOption "ClamAV freshclam updater";
 
         frequency = mkOption {
+          type = types.int;
           default = 12;
           description = ''
             Number of database checks per day.
           '';
         };
 
-        config = mkOption {
+        interval = mkOption {
+          type = types.str;
+          default = "hourly";
+          description = ''
+            How often freshclam is invoked. See systemd.time(7) for more
+            information about the format.
+          '';
+        };
+
+        extraConfig = mkOption {
+          type = types.lines;
           default = "";
           description = ''
             Extra configuration for freshclam. Contents will be added verbatim to the
@@ -59,6 +81,7 @@ in
     users.extraUsers = singleton {
       name = clamavUser;
       uid = config.ids.uids.clamav;
+      group = clamavGroup;
       description = "ClamAV daemon user";
       home = stateDir;
     };
@@ -68,50 +91,53 @@ in
       gid = config.ids.gids.clamav;
     };
 
-    services.clamav.updater.config = mkIf cfg.updater.enable ''
-      DatabaseDirectory ${stateDir}
-      Foreground yes
-      Checks ${toString cfg.updater.frequency}
-      DatabaseMirror database.clamav.net
-    '';
+    environment.etc."clamav/freshclam.conf".source = freshclamConfigFile;
+    environment.etc."clamav/clamd.conf".source = clamdConfigFile;
 
-    systemd.services.clamd = mkIf cfg.daemon.enable {
+    systemd.services.clamav-daemon = mkIf cfg.daemon.enable {
       description = "ClamAV daemon (clamd)";
-      path = [ pkg ];
-      after = [ "network.target" "freshclam.service" ];
-      requires = [ "freshclam.service" ];
+      after = mkIf cfg.updater.enable [ "clamav-freshclam.service" ];
+      requires = mkIf cfg.updater.enable [ "clamav-freshclam.service" ];
       wantedBy = [ "multi-user.target" ];
+      restartTriggers = [ clamdConfigFile ];
+
       preStart = ''
-        mkdir -m 0755 -p ${logDir}
         mkdir -m 0755 -p ${runDir}
-        chown ${clamavUser}:${clamavGroup} ${logDir}
         chown ${clamavUser}:${clamavGroup} ${runDir}
       '';
+
       serviceConfig = {
-        ExecStart = "${pkg}/bin/clamd --config-file=${clamdConfigFile}";
-        Type = "forking";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        Restart = "on-failure";
-        RestartSec = "10s";
-        StartLimitInterval = "1min";
+        ExecStart = "${pkg}/bin/clamd";
+        ExecReload = "${pkgs.coreutils}/bin/kill -USR2 $MAINPID";
+        PrivateTmp = "yes";
+        PrivateDevices = "yes";
+        PrivateNetwork = "yes";
       };
     };
 
-    systemd.services.freshclam = mkIf cfg.updater.enable {
-      description = "ClamAV updater (freshclam)";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      path = [ pkg ];
+    systemd.timers.clamav-freshclam = mkIf cfg.updater.enable {
+      description = "Timer for ClamAV virus database updater (freshclam)";
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.updater.interval;
+        Unit = "clamav-freshclam.service";
+      };
+    };
+
+    systemd.services.clamav-freshclam = mkIf cfg.updater.enable {
+      description = "ClamAV virus database updater (freshclam)";
+      restartTriggers = [ freshclamConfigFile ];
+
       preStart = ''
         mkdir -m 0755 -p ${stateDir}
         chown ${clamavUser}:${clamavGroup} ${stateDir}
       '';
+
       serviceConfig = {
-        ExecStart = "${pkg}/bin/freshclam --daemon --config-file=${pkgs.writeText "freshclam.conf" cfg.updater.config}";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        Restart = "on-failure";
-        RestartSec = "10s";
-        StartLimitInterval = "1min";
+        Type = "oneshot";
+        ExecStart = "${pkg}/bin/freshclam";
+        PrivateTmp = "yes";
+        PrivateDevices = "yes";
       };
     };
   };

nixos/modules/services/web-servers/apache-httpd/wordpress.nix

@@ -4,11 +4,6 @@
 with lib;
 
 let
-
-  # Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
-  version = "4.6.1";
-  fullversion = "${version}";
-
   # Our bare-bones wp-config.php file using the above settings
   wordpressConfig = pkgs.writeText "wp-config.php" ''
     <?php
@@ -71,12 +66,7 @@ let
   # The wordpress package itself
   wordpressRoot = pkgs.stdenv.mkDerivation rec {
     name = "wordpress";
-    src = pkgs.fetchFromGitHub {
-      owner = "WordPress";
-      repo = "WordPress";
-      rev = "${fullversion}";
-      sha256 = "0n82xgjg1ry2p73hhgpslnkdzrma5n6hxxq76s7qskkzj0qjfvpn";
-    };
+    src = config.package;
     installPhase = ''
       mkdir -p $out
       # copy all the wordpress files we downloaded
@@ -122,6 +112,14 @@ in
   enablePHP = true;
 
   options = {
+    package = mkOption {
+      type = types.path;
+      default = pkgs.wordpress;
+      description = ''
+        Path to the wordpress sources.
+        Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
+      '';
+    };
     dbHost = mkOption {
       default = "localhost";
       description = "The location of the database server.";

nixos/modules/services/web-servers/lighttpd/gitweb.nix

@@ -60,7 +60,8 @@ in
               "/gitweb/"        => "${pkgs.git}/share/gitweb/gitweb.cgi"
           )
           setenv.add-environment = (
-              "GITWEB_CONFIG" => "${gitwebConfigFile}"
+              "GITWEB_CONFIG" => "${gitwebConfigFile}",
+              "HOME" => "${cfg.projectroot}"
           )
       }
     '';

nixos/modules/services/web-servers/nginx/default.nix

@@ -135,7 +135,7 @@ let
             server_name ${serverName} ${concatStringsSep " " vhost.serverAliases};
             ${acmeLocation}
             location / {
-              return 301 https://$host${optionalString (port != 443) ":${port}"}$request_uri;
+              return 301 https://$host${optionalString (port != 443) ":${toString port}"}$request_uri;
             }
           }
         ''}

nixos/modules/services/x11/desktop-managers/gnome3.nix

@@ -124,6 +124,7 @@ in {
     services.packagekit.enable = mkDefault true;
     hardware.bluetooth.enable = mkDefault true;
     services.xserver.libinput.enable = mkDefault true; # for controlling touchpad settings via gnome control center
+    services.udev.packages = [ pkgs.gnome3.gnome_settings_daemon ];
 
     fonts.fonts = [ pkgs.dejavu_fonts pkgs.cantarell_fonts ];
 

nixos/modules/services/x11/display-managers/default.nix

@@ -82,12 +82,12 @@ let
 
       # Speed up application start by 50-150ms according to
       # http://kdemonkey.blogspot.nl/2008/04/magic-trick.html
-      rm -rf $HOME/.compose-cache
-      mkdir $HOME/.compose-cache
+      rm -rf "$HOME/.compose-cache"
+      mkdir "$HOME/.compose-cache"
 
       # Work around KDE errors when a user first logs in and
       # .local/share doesn't exist yet.
-      mkdir -p $HOME/.local/share
+      mkdir -p "$HOME/.local/share"
 
       unset _DID_SYSTEMD_CAT
 
@@ -148,7 +148,7 @@ let
       allowSubstitutes = false;
     }
     ''
-      mkdir -p $out
+      mkdir -p "$out"
       ${concatMapStrings (n: ''
         cat - > "$out/${n}.desktop" << EODESKTOP
         [Desktop Entry]

nixos/modules/services/x11/display-managers/sddm.nix

@@ -14,7 +14,7 @@ let
   xserverWrapper = pkgs.writeScript "xserver-wrapper" ''
     #!/bin/sh
     ${concatMapStrings (n: "export ${n}=\"${getAttr n xEnv}\"\n") (attrNames xEnv)}
-    exec ${dmcfg.xserverBin} ${dmcfg.xserverArgs} "$@"
+    exec systemd-cat ${dmcfg.xserverBin} ${dmcfg.xserverArgs} "$@"
   '';
 
   Xsetup = pkgs.writeScript "Xsetup" ''
@@ -27,7 +27,6 @@ let
     ${cfg.stopScript}
   '';
 
-
   cfgFile = pkgs.writeText "sddm.conf" ''
     [General]
     HaltCommand=${pkgs.systemd}/bin/systemctl poweroff
@@ -46,8 +45,8 @@ let
     HideUsers=${concatStringsSep "," dmcfg.hiddenUsers}
     HideShells=/run/current-system/sw/bin/nologin
 
-    [XDisplay]
-    MinimumVT=${toString xcfg.tty}
+    [X11]
+    MinimumVT=${toString (if xcfg.tty != null then xcfg.tty else 7)}
     ServerPath=${xserverWrapper}
     XephyrPath=${pkgs.xorg.xorgserver.out}/bin/Xephyr
     SessionCommand=${dmcfg.session.script}
@@ -100,7 +99,7 @@ in
 
       theme = mkOption {
         type = types.str;
-        default = "maui";
+        default = "";
         description = ''
           Greeter theme to use.
         '';
@@ -254,5 +253,10 @@ in
 
     users.extraGroups.sddm.gid = config.ids.gids.sddm;
 
+    services.dbus.packages = [ sddm.unwrapped ];
+
+    # To enable user switching, allow sddm to allocate TTYs/displays dynamically.
+    services.xserver.tty = null;
+    services.xserver.display = null;
   };
 }

nixos/modules/services/x11/terminal-server.nix

@@ -41,7 +41,7 @@ with lib;
       { description = "Terminal Server";
 
         path =
-          [ pkgs.xorgserver.out pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
+          [ pkgs.xorg.xorgserver.out pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
             pkgs.nettools pkgs.shadow pkgs.procps pkgs.utillinux pkgs.bash
           ];
 

nixos/modules/services/x11/xserver.nix

@@ -504,6 +504,7 @@ in
       { description = "X11 Server";
 
         after = [ "systemd-udev-settle.service" "local-fs.target" "acpid.service" "systemd-logind.service" ];
+        wants = [ "systemd-udev-settle.service" ];
 
         restartIfChanged = false;
 
@@ -529,6 +530,10 @@ in
           Restart = "always";
           RestartSec = "200ms";
           SyslogIdentifier = "display-manager";
+          # Stop restarting if the display manager stops (crashes) 2 times
+          # in one minute. Starting X typically takes 3-4s.
+          StartLimitInterval = "30s";
+          StartLimitBurst = "3";
         };
       };
 

nixos/modules/system/activation/activation-script.nix

@@ -145,6 +145,7 @@ in
         ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
         find /var/empty -mindepth 1 -delete
         chmod 0555 /var/empty
+        chown root:root /var/empty
         ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
       '';
 

nixos/modules/system/boot/stage-1-init.sh

@@ -318,6 +318,8 @@ mountFS() {
     [ "$mountPoint" == "/" ] &&
         [ -f "/mnt-root/etc/NIXOS_LUSTRATE" ] &&
         lustrateRoot "/mnt-root"
+
+    true
 }
 
 lustrateRoot () {

nixos/modules/virtualisation/amazon-image.nix

@@ -94,7 +94,6 @@ let cfg = config.ec2; in
             elif [ "$fsType" = ext3 ]; then
                 mp="/disk$diskNr"
                 diskNr=$((diskNr + 1))
-                echo "mounting $device on $mp..."
                 if mountFS "$device" "$mp" "" ext3; then
                     if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi
                 fi

nixos/modules/virtualisation/azure-image.nix

@@ -23,7 +23,7 @@ in
           postVM =
             ''
               mkdir -p $out
-              ${pkgs.vmTools.qemu-220}/bin/qemu-img convert -f raw -O vpc $diskImage $out/disk.vhd
+              ${pkgs.vmTools.qemu-220}/bin/qemu-img convert -f raw -o subformat=fixed -O vpc $diskImage $out/disk.vhd
               rm $diskImage
             '';
           diskImageBase = "nixos-image-${config.system.nixosLabel}-${pkgs.stdenv.system}.raw";

nixos/modules/virtualisation/containers.nix

@@ -129,6 +129,9 @@ let
         --setenv HOST_ADDRESS6="$HOST_ADDRESS6" \
         --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
         --setenv PATH="$PATH" \
+        ${if cfg.additionalCapabilities != null then
+          ''--capability="${concatStringsSep " " cfg.additionalCapabilities}"'' else ""
+        } \
         ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init"
     '';
 
@@ -205,6 +208,41 @@ let
       ''
   );
 
+  serviceDirectives = cfg: {
+    ExecReload = pkgs.writeScript "reload-container"
+      ''
+        #! ${pkgs.stdenv.shell} -e
+        ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \
+          bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
+      '';
+
+    SyslogIdentifier = "container %i";
+
+    EnvironmentFile = "-/etc/containers/%i.conf";
+
+    Type = "notify";
+
+    # Note that on reboot, systemd-nspawn returns 133, so this
+    # unit will be restarted. On poweroff, it returns 0, so the
+    # unit won't be restarted.
+    RestartForceExitStatus = "133";
+    SuccessExitStatus = "133";
+
+    Restart = "on-failure";
+
+    # Hack: we don't want to kill systemd-nspawn, since we call
+    # "machinectl poweroff" in preStop to shut down the
+    # container cleanly. But systemd requires sending a signal
+    # (at least if we want remaining processes to be killed
+    # after the timeout). So send an ignored signal.
+    KillMode = "mixed";
+    KillSignal = "WINCH";
+
+    DevicePolicy = "closed";
+    DeviceAllow = map (d: "${d.node} ${d.modifier}") cfg.allowedDevices;
+  };
+
+
   system = config.nixpkgs.system;
 
   bindMountOpts = { name, config, ... }: {
@@ -235,6 +273,27 @@ let
 
   };
 
+  allowedDeviceOpts = { name, config, ... }: {
+    options = {
+      node = mkOption {
+        example = "/dev/net/tun";
+        type = types.str;
+        description = "Path to device node";
+      };
+      modifier = mkOption {
+        example = "rw";
+        type = types.str;
+        description = ''
+          Device node access modifier. Takes a combination
+          <literal>r</literal> (read), <literal>w</literal> (write), and
+          <literal>m</literal> (mknod). See the
+          <literal>systemd.resource-control(5)</literal> man page for more
+          information.'';
+      };
+    };
+  };
+
+
   mkBindFlag = d:
                let flagPrefix = if d.isReadOnly then " --bind-ro=" else " --bind=";
                    mountstr = if d.hostPath != null then "${d.hostPath}:${d.mountPoint}" else "${d.mountPoint}";
@@ -302,6 +361,8 @@ let
   dummyConfig =
     {
       extraVeths = {};
+      additionalCapabilities = [];
+      allowedDevices = [];
       hostAddress = null;
       hostAddress6 = null;
       localAddress = null;
@@ -368,6 +429,26 @@ in
               '';
             };
 
+            additionalCapabilities = mkOption {
+              type = types.listOf types.str;
+              default = [];
+              example = [ "CAP_NET_ADMIN" "CAP_MKNOD" ];
+              description = ''
+                Grant additional capabilities to the container.  See the
+                capabilities(7) and systemd-nspawn(1) man pages for more
+                information.
+              '';
+            };
+            enableTun = mkOption {
+              type = types.bool;
+              default = false;
+              description = ''
+                Allows the container to create and setup tunnel interfaces
+                by granting the <literal>NET_ADMIN</literal> capability and
+                enabling access to <literal>/dev/net/tun</literal>.
+              '';
+            };
+
             privateNetwork = mkOption {
               type = types.bool;
               default = false;
@@ -422,6 +503,16 @@ in
                 '';
             };
 
+            allowedDevices = mkOption {
+              type = types.listOf types.optionSet;
+              options = [ allowedDeviceOpts ];
+              default = [];
+              example = [ { node = "/dev/net/tun"; modifier = "rw"; } ];
+              description = ''
+                A list of device nodes to which the containers has access to.
+              '';
+            };
+
           } // networkOptions;
 
           config = mkMerge
@@ -488,59 +579,39 @@ in
 
       restartIfChanged = false;
 
-      serviceConfig = {
-        ExecReload = pkgs.writeScript "reload-container"
-          ''
-            #! ${pkgs.stdenv.shell} -e
-            ${pkgs.nixos-container}/bin/nixos-container run "$INSTANCE" -- \
-              bash --login -c "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/bin/switch-to-configuration test"
-          '';
-
-        SyslogIdentifier = "container %i";
-
-        EnvironmentFile = "-/etc/containers/%i.conf";
-
-        Type = "notify";
-
-        # Note that on reboot, systemd-nspawn returns 133, so this
-        # unit will be restarted. On poweroff, it returns 0, so the
-        # unit won't be restarted.
-        RestartForceExitStatus = "133";
-        SuccessExitStatus = "133";
-
-        Restart = "on-failure";
-
-        # Hack: we don't want to kill systemd-nspawn, since we call
-        # "machinectl poweroff" in preStop to shut down the
-        # container cleanly. But systemd requires sending a signal
-        # (at least if we want remaining processes to be killed
-        # after the timeout). So send an ignored signal.
-        KillMode = "mixed";
-        KillSignal = "WINCH";
-
-        DevicePolicy = "closed";
-      };
+      serviceConfig = serviceDirectives dummyConfig;
     };
   in {
     systemd.services = listToAttrs (filter (x: x.value != null) (
       # The generic container template used by imperative containers
       [{ name = "container@"; value = unit; }]
       # declarative containers
-      ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (
-        unit // {
-          preStart = preStartScript cfg;
-          script = startScript cfg;
-          postStart = postStartScript cfg;
-        } // (
-        if cfg.autoStart then
-          {
-            wantedBy = [ "multi-user.target" ];
-            wants = [ "network.target" ];
-            after = [ "network.target" ];
-            restartTriggers = [ cfg.path ];
-            reloadIfChanged = true;
-          }
-        else {})
+      ++ (mapAttrsToList (name: cfg: nameValuePair "container@${name}" (let
+          config = cfg // (
+          if cfg.enableTun then
+            {
+              allowedDevices = cfg.allowedDevices
+                ++ [ { node = "/dev/net/tun"; modifier = "rw"; } ];
+              additionalCapabilities = cfg.additionalCapabilities
+                ++ [ "CAP_NET_ADMIN" ];
+            }
+          else {});
+        in
+          unit // {
+            preStart = preStartScript config;
+            script = startScript config;
+            postStart = postStartScript config;
+            serviceConfig = serviceDirectives config;
+          } // (
+          if config.autoStart then
+            {
+              wantedBy = [ "multi-user.target" ];
+              wants = [ "network.target" ];
+              after = [ "network.target" ];
+              restartTriggers = [ config.path ];
+              reloadIfChanged = true;
+            }
+          else {})
       )) config.containers)
     ));
 

nixos/modules/virtualisation/ec2-amis.nix

@@ -1,4 +1,4 @@
-{
+let self = {
   "14.04".ap-northeast-1.hvm-ebs = "ami-71c6f470";
   "14.04".ap-northeast-1.pv-ebs = "ami-4dcbf84c";
   "14.04".ap-northeast-1.pv-s3 = "ami-8fc4f68e";
@@ -134,4 +134,64 @@
   "16.03".us-west-2.hvm-s3 = "ami-925c9ff2";
   "16.03".us-west-2.pv-ebs = "ami-5e61a23e";
   "16.03".us-west-2.pv-s3 = "ami-734c8f13";
-}
+
+  # 16.09.1508.3909827
+  "16.09".ap-northeast-1.hvm-ebs = "ami-68453b0f";
+  "16.09".ap-northeast-1.hvm-s3 = "ami-f9bec09e";
+  "16.09".ap-northeast-1.pv-ebs = "ami-254a3442";
+  "16.09".ap-northeast-1.pv-s3 = "ami-ef473988";
+  "16.09".ap-northeast-2.hvm-ebs = "ami-18ae7f76";
+  "16.09".ap-northeast-2.hvm-s3 = "ami-9eac7df0";
+  "16.09".ap-northeast-2.pv-ebs = "ami-57aa7b39";
+  "16.09".ap-northeast-2.pv-s3 = "ami-5cae7f32";
+  "16.09".ap-south-1.hvm-ebs = "ami-b3f98fdc";
+  "16.09".ap-south-1.hvm-s3 = "ami-98e690f7";
+  "16.09".ap-south-1.pv-ebs = "ami-aef98fc1";
+  "16.09".ap-south-1.pv-s3 = "ami-caf88ea5";
+  "16.09".ap-southeast-1.hvm-ebs = "ami-80fb51e3";
+  "16.09".ap-southeast-1.hvm-s3 = "ami-2df3594e";
+  "16.09".ap-southeast-1.pv-ebs = "ami-37f05a54";
+  "16.09".ap-southeast-1.pv-s3 = "ami-27f35944";
+  "16.09".ap-southeast-2.hvm-ebs = "ami-57ece834";
+  "16.09".ap-southeast-2.hvm-s3 = "ami-87f4f0e4";
+  "16.09".ap-southeast-2.pv-ebs = "ami-d8ede9bb";
+  "16.09".ap-southeast-2.pv-s3 = "ami-a6ebefc5";
+  "16.09".ca-central-1.hvm-ebs = "ami-9f863bfb";
+  "16.09".ca-central-1.hvm-s3 = "ami-ea85388e";
+  "16.09".ca-central-1.pv-ebs = "ami-ce8a37aa";
+  "16.09".ca-central-1.pv-s3 = "ami-448a3720";
+  "16.09".eu-central-1.hvm-ebs = "ami-1b884774";
+  "16.09".eu-central-1.hvm-s3 = "ami-b08c43df";
+  "16.09".eu-central-1.pv-ebs = "ami-888946e7";
+  "16.09".eu-central-1.pv-s3 = "ami-06874869";
+  "16.09".eu-west-1.hvm-ebs = "ami-1ed3e76d";
+  "16.09".eu-west-1.hvm-s3 = "ami-73d1e500";
+  "16.09".eu-west-1.pv-ebs = "ami-44c0f437";
+  "16.09".eu-west-1.pv-s3 = "ami-f3d8ec80";
+  "16.09".eu-west-2.hvm-ebs = "ami-2c9c9648";
+  "16.09".eu-west-2.hvm-s3 = "ami-6b9e940f";
+  "16.09".eu-west-2.pv-ebs = "ami-f1999395";
+  "16.09".eu-west-2.pv-s3 = "ami-bb9f95df";
+  "16.09".sa-east-1.hvm-ebs = "ami-a11882cd";
+  "16.09".sa-east-1.hvm-s3 = "ami-7726bc1b";
+  "16.09".sa-east-1.pv-ebs = "ami-9725bffb";
+  "16.09".sa-east-1.pv-s3 = "ami-b027bddc";
+  "16.09".us-east-1.hvm-ebs = "ami-854ca593";
+  "16.09".us-east-1.hvm-s3 = "ami-2241a834";
+  "16.09".us-east-1.pv-ebs = "ami-a441a8b2";
+  "16.09".us-east-1.pv-s3 = "ami-e841a8fe";
+  "16.09".us-east-2.hvm-ebs = "ami-3f41645a";
+  "16.09".us-east-2.hvm-s3 = "ami-804065e5";
+  "16.09".us-east-2.pv-ebs = "ami-f1466394";
+  "16.09".us-east-2.pv-s3 = "ami-05426760";
+  "16.09".us-west-1.hvm-ebs = "ami-c2efbca2";
+  "16.09".us-west-1.hvm-s3 = "ami-d71042b7";
+  "16.09".us-west-1.pv-ebs = "ami-04e8bb64";
+  "16.09".us-west-1.pv-s3 = "ami-31e9ba51";
+  "16.09".us-west-2.hvm-ebs = "ami-6449f504";
+  "16.09".us-west-2.hvm-s3 = "ami-344af654";
+  "16.09".us-west-2.pv-ebs = "ami-6d4af60d";
+  "16.09".us-west-2.pv-s3 = "ami-de48f4be";
+
+  latest = self."16.09";
+}; in self

nixos/modules/virtualisation/google-compute-image.nix

@@ -23,7 +23,7 @@ in
 
           postVM =
             ''
-              PATH=$PATH:${stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
+              PATH=$PATH:${pkgs.stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
               pushd $out
               mv $diskImageBase disk.raw
               tar -Szcf $diskImageBase.tar.gz disk.raw

nixos/modules/virtualisation/libvirtd.nix

@@ -123,7 +123,7 @@ in {
         # config file. But this path can unfortunately be garbage collected
         # while still being used by the virtual machine. So update the
         # emulator path on each startup to something valid (re-scan $PATH).
-        for file in /etc/libvirt/qemu/*.xml /etc/libvirt/lxc/*.xml; do
+        for file in /var/lib/libvirt/qemu/*.xml /var/lib/libvirt/lxc/*.xml; do
             test -f "$file" || continue
             # get (old) emulator path from config file
             emulator=$(grep "^[[:space:]]*<emulator>" "$file" | sed 's,^[[:space:]]*<emulator>\(.*\)</emulator>.*,\1,')

nixos/modules/virtualisation/qemu-vm.nix

@@ -13,6 +13,8 @@ with lib;
 
 let
 
+  qemu = config.system.build.qemu or pkgs.qemu_test;
+
   vmName =
     if config.networking.hostName == ""
     then "noname"
@@ -32,7 +34,7 @@ let
       NIX_DISK_IMAGE=$(readlink -f ''${NIX_DISK_IMAGE:-${config.virtualisation.diskImage}})
 
       if ! test -e "$NIX_DISK_IMAGE"; then
-          ${pkgs.qemu_kvm}/bin/qemu-img create -f qcow2 "$NIX_DISK_IMAGE" \
+          ${qemu}/bin/qemu-img create -f qcow2 "$NIX_DISK_IMAGE" \
             ${toString config.virtualisation.diskSize}M || exit 1
       fi
 
@@ -47,7 +49,7 @@ let
       ${if cfg.useBootLoader then ''
         # Create a writable copy/snapshot of the boot disk.
         # A writable boot disk can be booted from automatically.
-        ${pkgs.qemu_kvm}/bin/qemu-img create -f qcow2 -b ${bootDisk}/disk.img $TMPDIR/disk.img || exit 1
+        ${qemu}/bin/qemu-img create -f qcow2 -b ${bootDisk}/disk.img $TMPDIR/disk.img || exit 1
 
         ${if cfg.useEFIBoot then ''
           # VM needs a writable flash BIOS.
@@ -63,14 +65,14 @@ let
       extraDisks=""
       ${flip concatMapStrings cfg.emptyDiskImages (size: ''
         if ! test -e "empty$idx.qcow2"; then
-            ${pkgs.qemu_kvm}/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "${toString size}M"
+            ${qemu}/bin/qemu-img create -f qcow2 "empty$idx.qcow2" "${toString size}M"
         fi
         extraDisks="$extraDisks -drive index=$idx,file=$(pwd)/empty$idx.qcow2,if=${cfg.qemu.diskInterface},werror=report"
         idx=$((idx + 1))
       '')}
 
       # Start QEMU.
-      exec ${pkgs.qemu_kvm}/bin/qemu-kvm \
+      exec ${qemu}/bin/qemu-kvm \
           -name ${vmName} \
           -m ${toString config.virtualisation.memorySize} \
           ${optionalString (pkgs.stdenv.system == "x86_64-linux") "-cpu kvm64"} \
@@ -121,7 +123,7 @@ let
               mkdir $out
               diskImage=$out/disk.img
               bootFlash=$out/bios.bin
-              ${pkgs.qemu_kvm}/bin/qemu-img create -f qcow2 $diskImage "40M"
+              ${qemu}/bin/qemu-img create -f qcow2 $diskImage "40M"
               ${if cfg.useEFIBoot then ''
                 cp ${pkgs.OVMF-CSM}/FV/OVMF.fd $bootFlash
                 chmod 0644 $bootFlash
@@ -272,7 +274,7 @@ in
 
     virtualisation.writableStore =
       mkOption {
-        default = false;
+        default = true; # FIXME
         description =
           ''
             If enabled, the Nix store in the VM is made writable by

nixos/release.nix

@@ -244,6 +244,7 @@ in rec {
   tests.gnome3-gdm = callTest tests/gnome3-gdm.nix {};
   tests.grsecurity = callTest tests/grsecurity.nix {};
   tests.hibernate = callTest tests/hibernate.nix {};
+  tests.hound = callTest tests/hound.nix {};
   tests.i3wm = callTest tests/i3wm.nix {};
   tests.installer = callSubTests tests/installer.nix {};
   tests.influxdb = callTest tests/influxdb.nix {};

nixos/tests/chromium.nix

@@ -18,8 +18,9 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
 
   enableOCR = true;
 
-  machine.imports = [ ./common/x11.nix ];
+  machine.imports = [ ./common/user-account.nix ./common/x11.nix ];
   machine.virtualisation.memorySize = 2047;
+  machine.services.xserver.displayManager.auto.user = "alice";
   machine.environment.systemPackages = [ chromiumPkg ];
 
   startupHTML = pkgs.writeText "chromium-startup.html" ''
@@ -43,14 +44,20 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
       xdoScript = pkgs.writeText "${name}.xdo" text;
     in "${pkgs.xdotool}/bin/xdotool '${xdoScript}'";
   in ''
+    # Run as user alice
+    sub ru ($) {
+      my $esc = $_[0] =~ s/'/'\\${"'"}'/gr;
+      return "su - alice -c '$esc'";
+    }
+
     sub createNewWin {
       $machine->nest("creating a new Chromium window", sub {
-        $machine->execute("${xdo "new-window" ''
+        $machine->execute(ru "${xdo "new-window" ''
           search --onlyvisible --name "startup done"
           windowfocus --sync
           windowactivate --sync
         ''}");
-        $machine->execute("${xdo "new-window" ''
+        $machine->execute(ru "${xdo "new-window" ''
           key Ctrl+n
         ''}");
       });
@@ -58,16 +65,16 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
 
     sub closeWin {
       Machine::retry sub {
-        $machine->execute("${xdo "close-window" ''
+        $machine->execute(ru "${xdo "close-window" ''
           search --onlyvisible --name "new tab"
           windowfocus --sync
           windowactivate --sync
         ''}");
-        $machine->execute("${xdo "close-window" ''
+        $machine->execute(ru "${xdo "close-window" ''
           key Ctrl+w
         ''}");
         for (1..20) {
-          my ($status, $out) = $machine->execute("${xdo "wait-for-close" ''
+          my ($status, $out) = $machine->execute(ru "${xdo "wait-for-close" ''
             search --onlyvisible --name "new tab"
           ''}");
           return 1 if $status != 0;
@@ -80,7 +87,7 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
       my $ret = 0;
       $machine->nest("waiting for new Chromium window to appear", sub {
         for (1..20) {
-          my ($status, $out) = $machine->execute("${xdo "wait-for-window" ''
+          my ($status, $out) = $machine->execute(ru "${xdo "wait-for-window" ''
             search --onlyvisible --name "new tab"
             windowfocus --sync
             windowactivate --sync
@@ -113,13 +120,9 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
     $machine->waitForX;
 
     my $url = "file://${startupHTML}";
-    my $args = "--user-data-dir=/tmp/chromium-${channel}";
-    $machine->execute(
-      "ulimit -c unlimited; ".
-      "chromium $args \"$url\" & disown"
-    );
-    $machine->waitForText(qr/Type to search or enter a URL to navigate/);
-    $machine->waitUntilSucceeds("${xdo "check-startup" ''
+    $machine->execute(ru "ulimit -c unlimited; chromium \"$url\" & disown");
+    $machine->waitForText(qr/startup done/);
+    $machine->waitUntilSucceeds(ru "${xdo "check-startup" ''
       search --sync --onlyvisible --name "startup done"
       # close first start help popup
       key -delay 1000 Escape
@@ -134,13 +137,13 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
     $machine->screenshot("startup_done");
 
     testNewWin "check sandbox", sub {
-      $machine->succeed("${xdo "type-url" ''
+      $machine->succeed(ru "${xdo "type-url" ''
         search --sync --onlyvisible --name "new tab"
         windowfocus --sync
         type --delay 1000 "chrome://sandbox"
       ''}");
 
-      $machine->succeed("${xdo "submit-url" ''
+      $machine->succeed(ru "${xdo "submit-url" ''
         search --sync --onlyvisible --name "new tab"
         windowfocus --sync
         key --delay 1000 Return
@@ -148,15 +151,15 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
 
       $machine->screenshot("sandbox_info");
 
-      $machine->succeed("${xdo "submit-url" ''
+      $machine->succeed(ru "${xdo "submit-url" ''
         search --sync --onlyvisible --name "sandbox status"
         windowfocus --sync
       ''}");
-      $machine->succeed("${xdo "submit-url" ''
+      $machine->succeed(ru "${xdo "submit-url" ''
         key --delay 1000 Ctrl+a Ctrl+c
       ''}");
 
-      my $clipboard = $machine->succeed("${pkgs.xclip}/bin/xclip -o");
+      my $clipboard = $machine->succeed(ru "${pkgs.xclip}/bin/xclip -o");
       die "sandbox not working properly: $clipboard"
       unless $clipboard =~ /namespace sandbox.*yes/mi
           && $clipboard =~ /pid namespaces.*yes/mi

nixos/tests/ecryptfs.nix

@@ -21,13 +21,13 @@ import ./make-test.nix ({ pkgs, ... }:
     $machine->log("ecryptfs-migrate-home said: $out");
 
     # Log alice in (ecryptfs passwhrase is wrapped during first login)
-    $machine->sleep(2); # urgh: wait for username prompt
+    $machine->waitUntilTTYMatches(1, "login: ");
     $machine->sendChars("alice\n");
-    $machine->sleep(1);
+    $machine->waitUntilTTYMatches(1, "Password: ");
     $machine->sendChars("foobar\n");
-    $machine->sleep(2);
+    $machine->waitUntilTTYMatches(1, "alice\@machine");
     $machine->sendChars("logout\n");
-    $machine->sleep(2);
+    $machine->waitUntilTTYMatches(1, "login: ");
 
     # Why do I need to do this??
     $machine->succeed("su alice -c ecryptfs-umount-private || true");
@@ -39,10 +39,11 @@ import ./make-test.nix ({ pkgs, ... }:
     $machine->log("keyctl unlink said: " . $out);
 
     # Log alice again
+    $machine->waitUntilTTYMatches(1, "login: ");
     $machine->sendChars("alice\n");
-    $machine->sleep(1);
+    $machine->waitUntilTTYMatches(1, "Password: ");
     $machine->sendChars("foobar\n");
-    $machine->sleep(2);
+    $machine->waitUntilTTYMatches(1, "alice\@machine");
 
     # Create some files in encrypted home
     $machine->succeed("su alice -c 'touch ~alice/a'");
@@ -50,7 +51,7 @@ import ./make-test.nix ({ pkgs, ... }:
 
     # Logout
     $machine->sendChars("logout\n");
-    $machine->sleep(2);
+    $machine->waitUntilTTYMatches(1, "login: ");
 
     # Why do I need to do this??
     $machine->succeed("su alice -c ecryptfs-umount-private || true");
@@ -62,10 +63,11 @@ import ./make-test.nix ({ pkgs, ... }:
     $machine->succeed("su alice -c 'test \! -f ~alice/b'");
 
     # Log alice once more
+    $machine->waitUntilTTYMatches(1, "login: ");
     $machine->sendChars("alice\n");
-    $machine->sleep(1);
+    $machine->waitUntilTTYMatches(1, "Password: ");
     $machine->sendChars("foobar\n");
-    $machine->sleep(2);
+    $machine->waitUntilTTYMatches(1, "alice\@machine");
 
     # Check that the files are there
     $machine->sleep(1);
@@ -77,5 +79,6 @@ import ./make-test.nix ({ pkgs, ... }:
     $machine->succeed("su alice -c 'ls -lh ~alice/'");
 
     $machine->sendChars("logout\n");
+    $machine->waitUntilTTYMatches(1, "login: ");
   '';
 })

nixos/tests/emacs-daemon.nix

@@ -1,7 +1,7 @@
 import ./make-test.nix ({ pkgs, ...} : {
   name = "emacs-daemon";
   meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ DamienCassou ];
+    maintainers = [ ];
   };
 
   enableOCR = true;

nixos/tests/gnome3.nix

@@ -29,7 +29,7 @@ import ./make-test.nix ({ pkgs, ...} : {
       $machine->succeed("su - alice -c 'DISPLAY=:0.0 gnome-terminal &'");
       $machine->succeed("xauth merge ~alice/.Xauthority");
       $machine->waitForWindow(qr/Terminal/);
-      $machine->mustSucceed("timeout 900 bash -c 'journalctl -f|grep -m 1 \"GNOME Shell started\"'");
+      $machine->succeed("timeout 900 bash -c 'while read msg; do if [[ \$msg =~ \"GNOME Shell started\" ]]; then break; fi; done < <(journalctl -f)'");
       $machine->sleep(10);
       $machine->screenshot("screen");
     '';

nixos/tests/hibernate.nix

@@ -14,6 +14,8 @@ import ./make-test.nix (pkgs: {
       networking.firewall.allowedTCPPorts = [ 4444 ];
 
       systemd.services.listener.serviceConfig.ExecStart = "${pkgs.netcat}/bin/nc -l -p 4444";
+
+      virtualisation.writableStore = false; # FIXME
     };
 
     probe = { config, lib, pkgs, ...}: {

nixos/tests/hound.nix

@@ -0,0 +1,58 @@
+# Test whether `houndd` indexes nixpkgs
+import ./make-test.nix ({ pkgs, ... } : {
+  name = "hound";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ grahamc ];
+  };
+  machine = { config, pkgs, ... }: {
+    services.hound = {
+      enable = true;
+      config = ''
+        {
+          "max-concurrent-indexers": 1,
+          "dbpath": "/var/lib/hound/data",
+          "repos": {
+            "nix": {
+              "url": "file:///var/lib/hound/my-git"
+            }
+          }
+        }
+      '';
+    };
+
+    systemd.services.houndseed = {
+      description = "seed hound with a git repo";
+      requiredBy = [ "hound.service" ];
+      before = [ "hound.service" ];
+
+      serviceConfig = {
+        User = "hound";
+        Group = "hound";
+        WorkingDirectory = "/var/lib/hound";
+      };
+      path = [ pkgs.git ];
+      script = ''
+        git config --global user.email "you@example.com"
+        git config --global user.name "Your Name"
+        git init my-git --bare
+        git init my-git-clone
+        cd my-git-clone
+        echo 'hi nix!' > hello
+        git add hello
+        git commit -m "hello there :)"
+        git remote add origin /var/lib/hound/my-git
+        git push origin master
+      '';
+    };
+  };
+
+  testScript =
+    '' startAll;
+
+       $machine->waitForUnit("network.target");
+       $machine->waitForUnit("hound.service");
+       $machine->waitForOpenPort(6080);
+       $machine->succeed('curl http://127.0.0.1:6080/api/v1/search\?stats\=fosho\&repos\=\*\&rng=%3A20\&q\=hi\&files\=\&i=nope | grep "Filename" | grep "hello"');
+
+    '';
+})

nixos/tests/kde5.nix

@@ -18,6 +18,7 @@ import ./make-test.nix ({ pkgs, ...} :
       };
     };
     services.xserver.desktopManager.kde5.enable = true;
+    virtualisation.writableStore = false; # FIXME
   };
 
   enableOCR = true;

nixos/tests/login.nix

@@ -33,10 +33,11 @@ import ./make-test.nix ({ pkgs, latestKernel ? false, ... }:
 
       # Log in as alice on a virtual console.
       subtest "virtual console login", sub {
-          $machine->sleep(2); # urgh: wait for username prompt
+          $machine->waitUntilTTYMatches(2, "login: ");
           $machine->sendChars("alice\n");
+          $machine->waitUntilTTYMatches(2, "login: alice");
           $machine->waitUntilSucceeds("pgrep login");
-          $machine->sleep(2); # urgh: wait for `Password:'
+          $machine->waitUntilTTYMatches(2, "Password: ");
           $machine->sendChars("foobar\n");
           $machine->waitUntilSucceeds("pgrep -u alice bash");
           $machine->sendChars("touch done\n");

nixos/tests/munin.nix

@@ -29,6 +29,7 @@ import ./make-test.nix ({ pkgs, ...} : {
     startAll;
 
     $one->waitForUnit("munin-node.service");
+    $one->succeed('systemctl start munin-cron');
     $one->waitForFile("/var/lib/munin/one/one-uptime-uptime-g.rrd");
     $one->waitForFile("/var/www/munin/one/index.html");
   '';

nixos/tests/openssh.nix

@@ -35,6 +35,18 @@ in {
         ];
       };
 
+    server_lazy =
+      { config, pkgs, ... }:
+
+      {
+        services.openssh = { enable = true; startWhenNeeded = true; };
+        security.pam.services.sshd.limits =
+          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
+        users.extraUsers.root.openssh.authorizedKeys.keys = [
+          snakeOilPublicKey
+        ];
+      };
+
     client =
       { config, pkgs, ... }: { };
 
@@ -50,6 +62,8 @@ in {
     subtest "manual-authkey", sub {
       $server->succeed("mkdir -m 700 /root/.ssh");
       $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
+      $server_lazy->succeed("mkdir -m 700 /root/.ssh");
+      $server_lazy->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
 
       $client->succeed("mkdir -m 700 /root/.ssh");
       $client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
@@ -58,6 +72,10 @@ in {
       $client->waitForUnit("network.target");
       $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
       $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
+
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2");
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024");
+
     };
 
     subtest "configured-authkey", sub {
@@ -66,6 +84,11 @@ in {
       $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
                        " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
                        " server true");
+
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
+                       " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
+                       " server_lazy true");
+
     };
   '';
 })

nixos/tests/virtualbox.nix

@@ -11,10 +11,10 @@ let
       #!${pkgs.stdenv.shell} -xe
       export PATH="${lib.makeBinPath [ pkgs.coreutils pkgs.utillinux ]}"
 
-      mkdir -p /var/run/dbus
+      mkdir -p /run/dbus
       cat > /etc/passwd <<EOF
       root:x:0:0::/root:/bin/false
-      messagebus:x:1:1::/var/run/dbus:/bin/false
+      messagebus:x:1:1::/run/dbus:/bin/false
       EOF
       cat > /etc/group <<EOF
       root:x:0:

nixos/tests/wordpress.nix

@@ -10,14 +10,10 @@ import ./make-test.nix ({ pkgs, ... }:
     { web =
         { config, pkgs, ... }:
         {
-          services.mysql.enable = true;
-          services.mysql.package = pkgs.mysql;
-          services.mysql.initialScript = pkgs.writeText "start.sql" ''
-            CREATE DATABASE wordpress;
-	    CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'wordpress';
-            GRANT ALL on wordpress.* TO 'wordpress'@'localhost';
-          '';
-
+          services.mysql = {
+            enable = true;
+            package = pkgs.mysql;
+          };
           services.httpd = {
             enable = true;
             logPerVirtualHost = true;

pkgs/applications/audio/flac/default.nix

@@ -1,11 +1,11 @@
 { stdenv, fetchurl, libogg }:
 
 stdenv.mkDerivation rec {
-  name = "flac-1.3.1";
+  name = "flac-1.3.2";
 
   src = fetchurl {
     url = "http://downloads.xiph.org/releases/flac/${name}.tar.xz";
-    sha256 = "4773c0099dba767d963fd92143263be338c48702172e8754b9bc5103efe1c56c";
+    sha256 = "0gymm2j3276kr9nz6vmgfwsdfrq6c449n40a0mzz8h6wc7nw7kwi";
   };
 
   buildInputs = [ libogg ];

pkgs/applications/audio/game-music-emu/default.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, cmake }:
 
 stdenv.mkDerivation rec {
-  version = "0.6.0";
+  version = "0.6.1";
   name = "game-music-emu-${version}";
 
   src = fetchurl {
-    url = "https://game-music-emu.googlecode.com/files/${name}.tar.bz2";
-    sha256 = "11s9l938nxbrk7qb2k1ppfgizcz00cakbxgv0gajc6hyqv882vjh";
+    url = "https://bitbucket.org/mpyne/game-music-emu/downloads/${name}.tar.bz2";
+    sha256 = "08fk7zddpn7v93d0fa7fcypx7hvgwx9b5psj9l6m8b87k2hbw4fw";
   };
 
   buildInputs = [ cmake ];

pkgs/applications/audio/groovebasin/default.nix

@@ -62,5 +62,8 @@ in nodePackages.buildNodePackage rec {
 
       Groove Basin supports Last.fm scrobbling.
     '';
+    # groovebasin was built with nodejs 0.10 which reached end of LTS
+    # in October 216, it doesn't built with nodejs 4.x
+    broken = true;
   };
 }

pkgs/applications/audio/mpg123/default.nix

@@ -1,11 +1,11 @@
 {stdenv, fetchurl, alsaLib }:
 
 stdenv.mkDerivation rec {
-  name = "mpg123-1.22.2";
+  name = "mpg123-1.23.8";
 
   src = fetchurl {
     url = "mirror://sourceforge/mpg123/${name}.tar.bz2";
-    sha256 = "0i1phi6fdjas37y00h3j8rb0b8ngr9az6hy5ff5bl53ify3j87kd";
+    sha256 = "13ngfzk84k4ks7ymanmq8f6707yrybra5h0mk3ir6mdnxk4068yy";
   };
 
   buildInputs = stdenv.lib.optional (!stdenv.isDarwin) alsaLib;

pkgs/applications/audio/qmmp/default.nix

@@ -29,11 +29,11 @@
 # handle that.
 
 stdenv.mkDerivation rec {
-  name = "qmmp-1.1.2";
+  name = "qmmp-1.1.5";
 
   src = fetchurl {
     url = "http://qmmp.ylsoftware.com/files/${name}.tar.bz2";
-    sha256 = "023gvgchk6ybkz3miy0z08j9n5awz5cjvav7fqjdmpix4sivhn5q";
+    sha256 = "1gfx6nm9v6qrx58gxib6grfhb45mnib1n4wdsnjq16br6bs8h4lv";
   };
 
   buildInputs =

pkgs/applications/audio/spotify/default.nix

@@ -6,7 +6,9 @@ assert stdenv.system == "x86_64-linux";
 
 let
   # Please update the stable branch!
-  version = "1.0.38.171.g5e1cd7b2-22";
+  # Latest version number can be found at:
+  # http://repository-origin.spotify.com/pool/non-free/s/spotify-client/
+  version = "1.0.49.125.g72ee7853-111";
 
   deps = [
     alsaLib
@@ -51,7 +53,7 @@ stdenv.mkDerivation {
   src =
     fetchurl {
       url = "http://repository-origin.spotify.com/pool/non-free/s/spotify-client/spotify-client_${version}_amd64.deb";
-      sha256 = "0mhrbcw92g11czwcclnbwz1pk1jgap4xlya7dqsrcyb50azmv450";
+      sha256 = "0l008x06d257vcw6gq3q90hvv93cq6mxpj11by1np6bzzg61qv8x";
     };
 
   buildInputs = [ dpkg makeWrapper ];

pkgs/applications/display-managers/sddm/0002-fix-ConfigReader-QStringList-corruption.patch

@@ -1,26 +0,0 @@
-From 7a18f4cb77c567dec9ad924fcc76c50092de6ee7 Mon Sep 17 00:00:00 2001
-From: Thomas Tuegel <ttuegel@gmail.com>
-Date: Mon, 23 Nov 2015 06:57:51 -0600
-Subject: [PATCH 2/2] fix ConfigReader QStringList corruption
-
----
- src/common/ConfigReader.cpp | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/common/ConfigReader.cpp b/src/common/ConfigReader.cpp
-index 5bf5a6a..34182e6 100644
---- a/src/common/ConfigReader.cpp
-+++ b/src/common/ConfigReader.cpp
-@@ -30,7 +30,8 @@
- 
- QTextStream &operator>>(QTextStream &str, QStringList &list)  {
-     list.clear();
--    foreach(const QStringRef &s, str.readLine().splitRef(QLatin1Char(',')))
-+    QString line = str.readLine();
-+    foreach(const QStringRef &s, line.splitRef(QLatin1Char(',')))
-     {
-         QStringRef trimmed = s.trimmed();
-         if (!trimmed.isEmpty())
--- 
-2.6.3
-

pkgs/applications/display-managers/sddm/default.nix

@@ -1,11 +1,11 @@
 { stdenv, makeQtWrapper, fetchFromGitHub, fetchpatch
-, cmake, pkgconfig, libxcb, libpthreadstubs, lndir
+, cmake, extra-cmake-modules, pkgconfig, libxcb, libpthreadstubs, lndir
 , libXdmcp, libXau, qtbase, qtdeclarative, qttools, pam, systemd
 , themes
 }:
 
 let
-  version = "0.13.0";
+  version = "0.14.0";
 
   unwrapped = stdenv.mkDerivation rec {
     name = "sddm-unwrapped-${version}";
@@ -14,19 +14,18 @@ let
       owner = "sddm";
       repo = "sddm";
       rev = "v${version}";
-      sha256 = "0c3q8lpb123m9k5x3i71mm8lmyzhknw77zxh89yfl8qmn6zd61i1";
+      sha256 = "0wwid23kw0725zpw67zchalg9mmharr7sn4yzhijq7wqpsczjfxj";
     };
 
     patches = [
       ./0001-ignore-config-mtime.patch
-      ./0002-fix-ConfigReader-QStringList-corruption.patch
-      (fetchpatch {
-        url = https://github.com/benjarobin/sddm/commit/7d05362e3c7c5945ad85b0176771bc1c5a370598.patch;
-        sha256 = "17f174lsb8vm7k1vx00yiqcipyyr6hgg4rm1rclps7saapfah5sj";
+      (fetchpatch { /* Fix display of user avatars. */
+        url = https://github.com/sddm/sddm/commit/ecb903e48822bd90650bdd64fe80754e3e9664cb.patch;
+        sha256 = "0zm88944pwdad8grmv0xwnxl23xml85ryc71x2xac233jxdyx6ms";
       })
     ];
 
-    nativeBuildInputs = [ cmake pkgconfig qttools ];
+    nativeBuildInputs = [ cmake extra-cmake-modules pkgconfig qttools ];
 
     buildInputs = [
       libxcb libpthreadstubs libXdmcp libXau qtbase pam systemd

pkgs/applications/editors/brackets/default.nix

@@ -1,25 +1,25 @@
-{ stdenv, fetchurl, buildEnv, gtk, glib, gdk_pixbuf, alsaLib, nss, nspr, gconf
+{ stdenv, fetchurl, buildEnv, gtk2, glib, gdk_pixbuf, alsaLib, nss, nspr, gconf
 , cups, libgcrypt_1_5, systemd, makeWrapper, dbus }:
 let
   bracketsEnv = buildEnv {
     name = "env-brackets";
     paths = [
-      gtk glib gdk_pixbuf stdenv.cc.cc alsaLib nss nspr gconf cups libgcrypt_1_5
-      dbus systemd.lib
+      gtk2 glib gdk_pixbuf stdenv.cc.cc.lib alsaLib nss nspr gconf cups libgcrypt_1_5
+      dbus.lib systemd.lib
     ];
   };
 in
 stdenv.mkDerivation rec {
   name = "brackets-${version}";
-  version = "1.5";
+  version = "1.7";
 
   src = fetchurl {
     url = "https://github.com/adobe/brackets/releases/download/release-${version}/Brackets.Release.${version}.64-bit.deb";
-    sha256 = "1fc8wvh9wbcydd1sw20yfnwlfv7nllb6vrssr6hgn80m7i0zl3db";
+    sha256 = "0nsiy3gvp8rd71a0misf6v1kz067kxnszr5mpch9fj4jqmg6nj8m";
     name = "${name}.deb";
   };
 
-  phases = [ "installPhase" ];
+  phases = [ "installPhase" "fixupPhase" ];
 
   buildInputs = [ makeWrapper ];
 

pkgs/applications/editors/eclipse/build-eclipse.nix

@@ -1,4 +1,6 @@
-{ stdenv, makeDesktopItem, freetype, fontconfig, libX11, libXrender, zlib, jdk, glib, gtk, libXtst, webkitgtk2, makeWrapper, ... }:
+{ stdenv, makeDesktopItem, freetype, fontconfig, libX11, libXrender
+, zlib, jdk, glib, gtk, libXtst, gsettings_desktop_schemas, webkitgtk2
+, makeWrapper, ... }:
 
 { name, src ? builtins.getAttr stdenv.system sources, sources ? null, description }:
 
@@ -15,7 +17,10 @@ stdenv.mkDerivation rec {
     categories = "Application;Development;";
   };
 
-  buildInputs = [ makeWrapper ];
+  buildInputs = [
+    fontconfig freetype glib gsettings_desktop_schemas gtk jdk libX11
+    libXrender libXtst makeWrapper zlib
+  ] ++ stdenv.lib.optional (webkitgtk2 != null) webkitgtk2;
 
   buildCommand = ''
     # Unpack tarball.
@@ -37,6 +42,7 @@ stdenv.mkDerivation rec {
     makeWrapper $out/eclipse/eclipse $out/bin/eclipse \
       --prefix PATH : ${jdk}/bin \
       --prefix LD_LIBRARY_PATH : ${stdenv.lib.makeLibraryPath ([ glib gtk libXtst ] ++ stdenv.lib.optional (webkitgtk2 != null) webkitgtk2)} \
+      --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
       --add-flags "-configuration \$HOME/.eclipse/''${productId}_$productVersion/configuration"
 
     # Create desktop item.

pkgs/applications/editors/eclipse/default.nix

@@ -1,6 +1,6 @@
 { stdenv, lib, fetchurl, makeDesktopItem, makeWrapper
 , freetype, fontconfig, libX11, libXext, libXrender, zlib
-, glib, gtk, libXtst, jdk
+, glib, gtk, libXtst, jdk, gsettings_desktop_schemas
 , webkitgtk2 ? null  # for internal web browser
 , buildEnv, writeText, runCommand
 , callPackage

pkgs/applications/editors/eclipse/plugins.nix

@@ -83,16 +83,16 @@ rec {
 
   acejump = buildEclipsePlugin rec {
     name = "acejump-${version}";
-    version = "1.0.0.201501181511";
+    version = "1.0.0.201610261941";
 
     srcFeature = fetchurl {
       url = "https://tobiasmelcher.github.io/acejumpeclipse/features/acejump.feature_${version}.jar";
-      sha256 = "127xqrnns4h96g21c9zg0iblxprx3fg6fg0w5f413rf84415z884";
+      sha256 = "1szswjxp9g70ibfbv3p8dlq1bngq7nc22kp657z9i9kp8309md2d";
     };
 
     srcPlugin = fetchurl {
       url = "https://tobiasmelcher.github.io/acejumpeclipse/plugins/acejump_${version}.jar";
-      sha256 = "0mz79ca32yryidd1wijirvnmfg4j5q4g84vdspdi56z0r4xrja13";
+      sha256 = "1cn64xj2bm69vnn9db2xxh6kq148v83w5nx3183mrqb59ym3v9kf";
     };
 
     meta = with stdenv.lib; {

pkgs/applications/editors/ed/default.nix

@@ -1,7 +1,8 @@
 { fetchurl, stdenv }:
 
 stdenv.mkDerivation rec {
-  name = "ed-1.13";
+  name = "ed-${version}";
+  version = "1.14.1";
 
   src = fetchurl {
     # gnu only provides *.lz tarball, which is unfriendly for stdenv bootstrapping
@@ -9,8 +10,13 @@ stdenv.mkDerivation rec {
     # When updating, please make sure the sources pulled match those upstream by
     # Unpacking both tarballs and running `find . -type f -exec sha256sum \{\} \; | sha256sum`
     # in the resulting directory
-    url = "http://fossies.org/linux/privat/${name}.tar.bz2";
-    sha256 = "1iym2fsamxr886l3sz8lqzgf00bip5cr0aly8jp04f89kf5mvl0j";
+    urls = let file_sha512 = "84396fe4e4f0bf0b591037277ff8679a08b2883207628aaa387644ad83ca5fbdaa74a581f33310e28222d2fea32a0b8ba37e579597cc7d6145df6eb956ea75db";
+      in [
+        ("http://pkgs.fedoraproject.org/repo/extras/ed"
+          + "/${name}.tar.bz2/sha512/${file_sha512}/${name}.tar.bz2")
+        "http://fossies.org/linux/privat/${name}.tar.bz2"
+      ];
+    sha256 = "1pk6qa4sr7qc6vgm34hjx44hsh8x2bwaxhdi78jhsacnn4zwi7bw";
   };
 
   /* FIXME: Tests currently fail on Darwin:

pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix

@@ -24,12 +24,11 @@ stdenv.mkDerivation rec {
     install *.el* $out/share/emacs/site-lisp
   '';
 
-  meta = {
+  meta = with stdenv.lib; {
     description = "Precision colors for machines and people";
     homepage = http://ethanschoonover.com/solarized;
-    maintainers = "Samuel Rivas <samuelrivas@gmail.com>";
-    license = stdenv.lib.licenses.mit;
-
-    platforms = stdenv.lib.platforms.all;
+    maintainers = [ maintainers.samuelrivas ];
+    license = licenses.mit;
+    platforms = platforms.all;
   };
 }

pkgs/applications/editors/emacs-modes/elpa-generated.nix

@@ -175,10 +175,10 @@
       }) {};
     auctex = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild {
         pname = "auctex";
-        version = "11.89.4";
+        version = "11.89.5";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/auctex-11.89.4.tar";
-          sha256 = "06dxj9wflwgzy88vk47pdk6xln4f63cab7s73ynwp2bdqjs99f5b";
+          url = "https://elpa.gnu.org/packages/auctex-11.89.5.tar";
+          sha256 = "0scab76ks9wnv1wp9lrm6h9hag7p70zn950srp2p02vrzz2z5p53";
         };
         packageRequires = [];
         meta = {
@@ -618,10 +618,10 @@
       }) {};
     el-search = callPackage ({ elpaBuild, emacs, fetchurl, lib }: elpaBuild {
         pname = "el-search";
-        version = "0.2.2";
+        version = "0.2.3";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/el-search-0.2.2.tar";
-          sha256 = "07b4jk143vi3sydg03mg12gy1rs21q0qvs7p303irwz4pv8bfwqj";
+          url = "https://elpa.gnu.org/packages/el-search-0.2.3.tar";
+          sha256 = "0icxfq6hd8pfg4r5q70ylm84wgv1jiijpv0d56x7kjdh7wrdalrb";
         };
         packageRequires = [ emacs ];
         meta = {
@@ -1336,10 +1336,10 @@
       }) {};
     org = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild {
         pname = "org";
-        version = "20160829";
+        version = "20160905";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/org-20160829.tar";
-          sha256 = "1p0bxbzjzxmhsg1m4a3mlsphh7gcv6b97mfgkl22lfy0ia0g1fzv";
+          url = "https://elpa.gnu.org/packages/org-20160905.tar";
+          sha256 = "118xq8bsiwa6nfxm14ww5dmyf5r0cv69lf748cj39bcvg1qm94vn";
         };
         packageRequires = [];
         meta = {