rtl8723bs: version bump

2026-06-06 21:33:45 +00:00 · 2016-06-02 20:09:27 +02:00
5458 changed files with 1036807 additions and 242198 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -4,8 +4,8 @@
 ###### Things done

 - [ ] Tested using sandboxing
-  ([nix.useChroot](http://nixos.org/nixos/manual/options.html#opt-nix.useChroot) on NixOS,
-    or option `build-use-chroot` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
+  ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS,
+    or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
    on non-NixOS)
 - Built on platform(s)
   - [ ] NixOS
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,20 +1,12 @@
-language: nix
 matrix:
    include:
        - os: linux
-          sudo: false
-          script:
-              - ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball
-              - ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
-        - os: linux
+          language: generic
          sudo: required
          dist: trusty
-          before_script:
-              - sudo mount -o remount,exec,size=2G,mode=755 /run/user
-          script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
        - os: osx
+          language: generic
          osx_image: xcode7.3
-          script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
-env:
-    global:
-        - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f
+before_install: ./maintainers/scripts/travis-nox-review-pr.sh nix
+install: ./maintainers/scripts/travis-nox-review-pr.sh nox
+script: ./maintainers/scripts/travis-nox-review-pr.sh build
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 [<img src="http://nixos.org/logo/nixos-hires.png" width="500px" alt="logo" />](https://nixos.org/nixos)

 [![Build Status](https://travis-ci.org/NixOS/nixpkgs.svg?branch=master)](https://travis-ci.org/NixOS/nixpkgs)
-[![Code Triagers Badge](https://www.codetriage.com/nixos/nixpkgs/badges/users.svg)](https://www.codetriage.com/nixos/nixpkgs)
 [![Issue Stats](http://www.issuestats.com/github/nixos/nixpkgs/badge/pr?style=flat)](http://www.issuestats.com/github/nixos/nixpkgs)
 [![Issue Stats](http://www.issuestats.com/github/nixos/nixpkgs/badge/issue?style=flat)](http://www.issuestats.com/github/nixos/nixpkgs)

@@ -15,12 +14,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```

 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-16.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:

 ```
 % git remote update channels
-% git rebase channels/nixos-16.09
+% git rebase channels/nixos-16.03
 ```

 For pull-requests, please rebase onto nixpkgs `master`.
@@ -32,11 +31,11 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language)
 * [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
-* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
+* [Nix Wiki](https://nixos.org/wiki/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
+* [Continuous package builds for 16.03 release](https://hydra.nixos.org/jobset/nixos/release-16.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
+* [Tests for 16.03 release](https://hydra.nixos.org/job/nixos/release-16.03/tested#tabs-constituents)

 Communication:

--- a/default.nix
+++ b/default.nix
@@ -6,4 +6,4 @@ if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.

 else

-  import ./pkgs/top-level/impure.nix
+  import ./pkgs/top-level
--- a/doc/coding-conventions.xml
+++ b/doc/coding-conventions.xml
@@ -251,13 +251,16 @@ bound to the variable name <varname>e2fsprogs</varname> in

  <listitem><para>The version part of the <literal>name</literal>
  attribute <emphasis>must</emphasis> start with a digit (following a
-  dash) — e.g., <literal>"hello-0.3.1rc2"</literal>.</para></listitem>
+  dash) — e.g., <literal>"hello-0.3-pre-r3910"</literal> instead of
+  <literal>"hello-svn-r3910"</literal>, as the latter would be seen as
+  a package named <literal>hello-svn</literal> by
+  <command>nix-env</command>.</para></listitem>

-  <listitem><para>If a package is not a release but a commit from a repository, then
+  <listitem><para>If package is fetched from git's commit then
  the version part of the name <emphasis>must</emphasis> be the date of that 
  (fetched) commit. The date must be in <literal>"YYYY-MM-DD"</literal> format.
-  Also append <literal>"unstable"</literal> to the name - e.g.,
-  <literal>"pkgname-unstable-2014-09-23"</literal>.</para></listitem>
+  Also add <literal>"git"</literal> to the name - e.g.,
+  <literal>"pkgname-git-2014-09-23"</literal>.</para></listitem>

  <listitem><para>Dashes in the package name should be preserved
  in new variable names, rather than converted to underscores
@@ -659,22 +662,4 @@ src = fetchFromGitHub {
    </itemizedlist>
  </para>
 </section>
-
-<section xml:id="sec-patches"><title>Patches</title>
-  <para>Only patches that are unique to <literal>nixpkgs</literal> should be 
-    included in <literal>nixpkgs</literal> source.</para>
-  <para>Patches available online should be retrieved using 
-    <literal>fetchpatch</literal>.</para>
-  <para>
-<programlisting>
-patches = [
-  (fetchpatch {
-    name = "fix-check-for-using-shared-freetype-lib.patch";
-    url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=8f5d285";
-    sha256 = "1f0k043rng7f0rfl9hhb89qzvvksqmkrikmm38p61yfx51l325xr";
-  })
-];
-</programlisting>
-  </para>
-</section>
 </chapter>
--- a/doc/default.nix
+++ b/doc/default.nix
@@ -1,14 +1,14 @@
+with import ./.. { };
+with lib;
 let
-  pkgs = import ./.. { };
-  lib = pkgs.lib;
-  sources = lib.sourceFilesBySuffices ./. [".xml"];
+  sources = sourceFilesBySuffices ./. [".xml"];
  sources-langs = ./languages-frameworks;
 in
-pkgs.stdenv.mkDerivation {
+stdenv.mkDerivation {
  name = "nixpkgs-manual";


-  buildInputs = with pkgs; [ pandoc libxml2 libxslt zip ];
+  buildInputs = [ pandoc libxml2 libxslt ];

  xsltFlags = ''
    --param section.autolabel 1
@@ -26,7 +26,7 @@ pkgs.stdenv.mkDerivation {
      extraHeader = ''xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" '';
    in ''
      {
-        pandoc '${inputFile}' -w docbook ${lib.optionalString useChapters "--chapters"} \
+        pandoc '${inputFile}' -w docbook ${optionalString useChapters "--chapters"} \
          --smart \
          | sed -e 's|<ulink url=|<link xlink:href=|' \
              -e 's|</ulink>|</link>|' \
@@ -57,43 +57,33 @@ pkgs.stdenv.mkDerivation {
      outputFile = "./languages-frameworks/haskell.xml";
    }
  + toDocbook {
-      inputFile = ../pkgs/development/idris-modules/README.md;
+      inputFile = ./../pkgs/development/idris-modules/README.md;
      outputFile = "languages-frameworks/idris.xml";
    }
  + toDocbook {
-      inputFile = ../pkgs/development/r-modules/README.md;
+      inputFile = ./../pkgs/development/r-modules/README.md;
      outputFile = "languages-frameworks/r.xml";
    }
  + ''
-    echo ${lib.nixpkgsVersion} > .version
+    echo ${nixpkgsVersion} > .version

    # validate against relaxng schema
    xmllint --nonet --xinclude --noxincludenode manual.xml --output manual-full.xml
-    ${pkgs.jing}/bin/jing ${pkgs.docbook5}/xml/rng/docbook/docbook.rng manual-full.xml
+    ${jing}/bin/jing ${docbook5}/xml/rng/docbook/docbook.rng manual-full.xml

    dst=$out/share/doc/nixpkgs
    mkdir -p $dst
    xsltproc $xsltFlags --nonet --xinclude \
      --output $dst/manual.html \
-      ${pkgs.docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
+      ${docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
      ./manual.xml

    cp ${./style.css} $dst/style.css

    mkdir -p $dst/images/callouts
-    cp "${pkgs.docbook5_xsl}/xml/xsl/docbook/images/callouts/"*.gif $dst/images/callouts/
+    cp "${docbook5_xsl}/xml/xsl/docbook/images/callouts/"*.gif $dst/images/callouts/

    mkdir -p $out/nix-support
    echo "doc manual $dst manual.html" >> $out/nix-support/hydra-build-products
-
-    xsltproc $xsltFlags --nonet --xinclude \
-      --output $dst/epub/ \
-      ${pkgs.docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl \
-      ./manual.xml
-
-    cp -r $dst/images $dst/epub/OEBPS
-    echo "application/epub+zip" > mimetype
-    zip -0Xq  "$dst/Nixpkgs Contributors Guide - NixOS community.epub" mimetype
-    zip -Xr9D "$dst/Nixpkgs Contributors Guide - NixOS community.epub" $dst/epub/*
  '';
 }
--- a/doc/functions.xml
+++ b/doc/functions.xml
@@ -89,27 +89,27 @@ in ...</programlisting>
  <title>&lt;pkg&gt;.overrideDerivation</title>

  <warning>
-    <para>Do not use this function in Nixpkgs as it evaluates a Derivation
-    before modifying it, which breaks package abstraction and removes
-    error-checking of function arguments. In addition, this
-    evaluation-per-function application incurs a performance penalty,
-    which can become a problem if many overrides are used.
-    It is only intended for ad-hoc customisation, such as in
-    <filename>~/.nixpkgs/config.nix</filename>.
+    <para>Do not use this function in Nixpkgs. Because it breaks
+    package abstraction and doesn’t provide error checking for
+    function arguments, it is only intended for ad-hoc customisation
+    (such as in <filename>~/.nixpkgs/config.nix</filename>).
+   </para>
+
+   <para>
+    Additionally, <varname>overrideDerivation</varname> forces an evaluation
+    of the Derivation which can be quite a performance penalty if there are many
+    overrides used.
   </para>
  </warning>

  <para>
-    The function <varname>overrideDerivation</varname> creates a new derivation
-    based on an existing one by overriding the original's attributes with
-    the attribute set produced by the specified function.
-    This function is available on all
-    derivations defined using the <varname>makeOverridable</varname> function.
-    Most standard derivation-producing functions, such as
-    <varname>stdenv.mkDerivation</varname>, are defined using this
-    function, which means most packages in the nixpkgs expression,
-    <varname>pkgs</varname>, have this function.
+    The function <varname>overrideDerivation</varname> is usually available for all the
+    derivations in the nixpkgs expression (<varname>pkgs</varname>).
  </para> 
+  <para>
+    It is used to create a new derivation by overriding the attributes of
+    the original derivation according to the given function.
+  </para>

  <para>
    Example usage:
@@ -125,9 +125,9 @@ in ...</programlisting>
  </para>

  <para>
-    In the above example, the <varname>name</varname>, <varname>src</varname>,
-    and <varname>patches</varname> of the derivation will be overridden, while
-    all other attributes will be retained from the original derivation.
+    In the above example, the name, src and patches of the derivation
+    will be overridden, while all other attributes will be retained from the
+    original derivation.
  </para>

  <para>
@@ -135,20 +135,6 @@ in ...</programlisting>
    the original derivation.
  </para>

-  <note>
-    <para>
-      A package's attributes are evaluated *before* being modified by
-      the <varname>overrideDerivation</varname> function.
-      For example, the <varname>name</varname> attribute reference
-      in <varname>url = "mirror://gnu/hello/${name}.tar.gz";</varname>
-      is filled-in *before* the <varname>overrideDerivation</varname> function
-      modifies the attribute set. This means that overriding the
-      <varname>name</varname> attribute, in this example, *will not* change the
-      value of the <varname>url</varname> attribute. Instead, we need to override
-      both the <varname>name</varname> *and* <varname>url</varname> attributes.
-    </para>
-  </note>
-
 </section>

 <section xml:id="sec-lib-makeOverridable">
@@ -185,18 +171,42 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>


 <section xml:id="sec-fhs-environments">
-  <title>buildFHSUserEnv</title>
+  <title>buildFHSChrootEnv/buildFHSUserEnv</title>

  <para>
-    <function>buildFHSUserEnv</function> provides a way to build and run
-    FHS-compatible lightweight sandboxes. It creates an isolated root with
-    bound <filename>/nix/store</filename>, so its footprint in terms of disk
+    <function>buildFHSChrootEnv</function> and
+    <function>buildFHSUserEnv</function> provide a way to build and run
+    FHS-compatible lightweight sandboxes. They get their own isolated root with
+    binded <filename>/nix/store</filename>, so their footprint in terms of disk
    space needed is quite small. This allows one to run software which is hard or
    unfeasible to patch for NixOS -- 3rd-party source trees with FHS assumptions,
    games distributed as tarballs, software with integrity checking and/or external
-    self-updated binaries. It uses Linux namespaces feature to create
+    self-updated binaries.
+  </para>
+
+  <para>
+    <function>buildFHSChrootEnv</function> allows to create persistent
+    environments, which can be constructed, deconstructed and entered by
+    multiple users at once. A downside is that it requires
+    <literal>root</literal> access for both those who create and destroy and
+    those who enter it. It can be useful to create environments for daemons that
+    one can enter and observe.
+  </para>
+
+  <para>
+    <function>buildFHSUserEnv</function> uses Linux namespaces feature to create
    temporary lightweight environments which are destroyed after all child
-    processes exit, without root user rights requirement. Accepted arguments are:
+    processes exit. It does not require root access, and can be useful to create
+    sandboxes and wrap applications.
+  </para>
+
+  <para>
+    Those functions both rely on <function>buildFHSEnv</function>, which creates
+    an actual directory structure given a list of necessary packages and extra
+    build commands.
+    <function>buildFHSChrootEnv</function> and <function>buildFHSUserEnv</function>
+    both accept those arguments which are passed to
+    <function>buildFHSEnv</function>:
  </para>

  <variablelist>
@@ -210,16 +220,14 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
    <term><literal>targetPkgs</literal></term>

    <listitem><para>Packages to be installed for the main host's architecture
-    (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also
-    installed.</para></listitem>
+    (i.e. x86_64 on x86_64 installations).</para></listitem>
    </varlistentry>

    <varlistentry>
    <term><literal>multiPkgs</literal></term>

    <listitem><para>Packages to be installed for all architectures supported by
-    a host (i.e. i686 and x86_64 on x86_64 installations). Only libraries are
-    installed by default.</para></listitem>
+    a host (i.e. i686 and x86_64 on x86_64 installations).</para></listitem>
    </varlistentry>

    <varlistentry>
@@ -232,33 +240,29 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
    <varlistentry>
    <term><literal>extraBuildCommandsMulti</literal></term>

-    <listitem><para>Like <literal>extraBuildCommands</literal>, but
+    <listitem><para>Like <literal>extraBuildCommandsMulti</literal>, but
    executed only on multilib architectures.</para></listitem>
    </varlistentry>
-
-    <varlistentry>
-    <term><literal>extraOutputsToInstall</literal></term>
-
-    <listitem><para>Additional derivation outputs to be linked for both
-    target and multi-architecture packages.</para></listitem>
-    </varlistentry>
-
-    <varlistentry>
-    <term><literal>extraInstallCommands</literal></term>
-
-    <listitem><para>Additional commands to be executed for finalizing the
-    derivation with runner script.</para></listitem>
-    </varlistentry>
-
-    <varlistentry>
-    <term><literal>runScript</literal></term>
-
-    <listitem><para>A command that would be executed inside the sandbox and
-    passed all the command line arguments. It defaults to
-    <literal>bash</literal>.</para></listitem>
-    </varlistentry>
  </variablelist>

+  <para>
+    Additionally, <function>buildFHSUserEnv</function> accepts
+    <literal>runScript</literal> parameter, which is a command that would be
+    executed inside the sandbox and passed all the command line arguments. It
+    default to <literal>bash</literal>.
+  </para>
+  <para>
+    It also uses <literal>CHROOTENV_EXTRA_BINDS</literal> environment variable
+    for binding extra directories in the sandbox to outside places. The format of
+    the variable is <literal>/mnt=test-mnt:/data</literal>, where
+    <literal>/mnt</literal> would be mounted as <literal>/test-mnt</literal>
+    and <literal>/data</literal> would be mounted as <literal>/data</literal>.
+    <literal>extraBindMounts</literal> array argument to
+    <function>buildFHSUserEnv</function> function is prepended to this variable.
+    Latter entries take priority if defined several times -- i.e. in case of
+    <literal>/data=data1:/data=data2</literal> the actual bind path would be
+    <literal>/data2</literal>.
+  </para>
  <para>
    One can create a simple environment using a <literal>shell.nix</literal>
    like that:
--- a/doc/languages-frameworks/go.xml
+++ b/doc/languages-frameworks/go.xml
@@ -5,29 +5,27 @@
 <title>Go</title>

 <para>The function <varname>buildGoPackage</varname> builds
-standard Go programs.
+standard Go packages.
 </para>

 <example xml:id='ex-buildGoPackage'><title>buildGoPackage</title>
 <programlisting>
-deis = buildGoPackage rec {
-  name = "deis-${version}";
-  version = "1.13.0";
-  
-  goPackagePath = "github.com/deis/deis"; <co xml:id='ex-buildGoPackage-1' />
-  subPackages = [ "client" ]; <co xml:id='ex-buildGoPackage-2' />
-
+net = buildGoPackage rec {
+  name = "go.net-${rev}";
+  goPackagePath = "golang.org/x/net"; <co xml:id='ex-buildGoPackage-1' />
+  subPackages = [ "ipv4" "ipv6" ]; <co xml:id='ex-buildGoPackage-2' />
+  rev = "e0403b4e005";
  src = fetchFromGitHub {
-    owner = "deis";
-    repo = "deis";
-    rev = "v${version}";
-    sha256 = "1qv9lxqx7m18029lj8cw3k7jngvxs4iciwrypdy0gd2nnghc68sw";
+    inherit rev;
+    owner = "golang";
+    repo = "net";
+    sha256 = "1g7cjzw4g4301a3yqpbk8n1d4s97sfby2aysl275x04g0zh8jxqp";
  };
-
-  goDeps = ./deps.nix; <co xml:id='ex-buildGoPackage-3' />
-
-  buildFlags = "--tags release"; <co xml:id='ex-buildGoPackage-4' />
-}
+  goPackageAliases = [ "code.google.com/p/go.net" ]; <co xml:id='ex-buildGoPackage-3' />
+  propagatedBuildInputs = [ goPackages.text ]; <co xml:id='ex-buildGoPackage-4' />
+  buildFlags = "--tags release"; <co xml:id='ex-buildGoPackage-5' />
+  disabled = isGo13;<co xml:id='ex-buildGoPackage-6' />
+};
 </programlisting>
 </example>

@@ -49,80 +47,50 @@ the following arguments are of special significance to the function:
      packages will be built.
    </para>
    <para>
-      In this example only <literal>github.com/deis/deis/client</literal> will be built.
+      In this example only <literal>code.google.com/p/go.net/ipv4</literal> and
+      <literal>code.google.com/p/go.net/ipv6</literal> will be built.
    </para>
  </callout>

  <callout arearefs='ex-buildGoPackage-3'>
    <para>
-      <varname>goDeps</varname> is where the Go dependencies of a Go program are listed
-      as a list of package source identified by Go import path.
-      It could be imported as a separate <varname>deps.nix</varname> file for
-      readability. The dependency data structure is described below.
+      <varname>goPackageAliases</varname> is a list of alternative import paths
+      that are valid for this library.
+      Packages that depend on this library will automatically rename
+      import paths that match any of the aliases to <literal>goPackagePath</literal>.
+    </para>
+    <para>
+      In this example imports will be renamed from
+      <literal>code.google.com/p/go.net</literal> to
+      <literal>golang.org/x/net</literal> in every package that depend on the
+      <literal>go.net</literal> library.
    </para>
  </callout>

  <callout arearefs='ex-buildGoPackage-4'>
+    <para>
+      <varname>propagatedBuildInputs</varname> is where the dependencies of a Go library are
+      listed. Only libraries should list <varname>propagatedBuildInputs</varname>. If a standalone
+      program is being built instead, use <varname>buildInputs</varname>. If a library's tests require
+      additional dependencies that are not propagated, they should be listed in <varname>buildInputs</varname>.
+    </para>
+  </callout>
+
+  <callout arearefs='ex-buildGoPackage-5'>
    <para>
      <varname>buildFlags</varname> is a list of flags passed to the go build command.
    </para>
  </callout>

-</calloutlist>
-
-</para>
-
-<para>The <varname>goDeps</varname> attribute can be imported from a separate
-  <varname>nix</varname> file that defines which Go libraries are needed and should
-  be included in <varname>GOPATH</varname> for <varname>buildPhase</varname>.
-</para>
-
-<example xml:id='ex-goDeps'><title>deps.nix</title>
-<programlisting>
-[ <co xml:id='ex-goDeps-1' />
-  {
-    goPackagePath = "gopkg.in/yaml.v2"; <co xml:id='ex-goDeps-2' />
-    fetch = {
-      type = "git"; <co xml:id='ex-goDeps-3' />
-      url = "https://gopkg.in/yaml.v2";
-      rev = "a83829b6f1293c91addabc89d0571c246397bbf4";
-      sha256 = "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh";
-    };
-  }
-  {
-    goPackagePath = "github.com/docopt/docopt-go";
-    fetch = {
-      type = "git";
-      url = "https://github.com/docopt/docopt-go";
-      rev = "784ddc588536785e7299f7272f39101f7faccc3f";
-      sha256 = "0wwz48jl9fvl1iknvn9dqr4gfy1qs03gxaikrxxp9gry6773v3sj";
-    };
-  }
-]
-</programlisting>
-</example>
-
-<para>
-
-<calloutlist>
-
-  <callout arearefs='ex-goDeps-1'>
+  <callout arearefs='ex-buildGoPackage-6'>
    <para>
-      <varname>goDeps</varname> is a list of Go dependencies.
+      If <varname>disabled</varname> is <literal>true</literal>,
+      nix will refuse to build this package.
    </para>
-  </callout>
-
-  <callout arearefs='ex-goDeps-2'>
    <para>
-      <varname>goPackagePath</varname> specifies Go package import path.
-    </para>
-  </callout>
-
-  <callout arearefs='ex-goDeps-3'>
-    <para>
-      <varname>fetch type</varname> that needs to be used to get package source. If <varname>git</varname>
-      is used there should be <varname>url</varname>, <varname>rev</varname> and <varname>sha256</varname>
-      defined next to it.
+      In this example the package will not be built for go 1.3. The <literal>isGo13</literal>
+      is an utility function that returns <literal>true</literal> if go used to build the
+      package has version 1.3.x.
    </para>
  </callout>

@@ -131,21 +99,12 @@ the following arguments are of special significance to the function:
 </para>

 <para>
-  <varname>buildGoPackage</varname> produces <xref linkend='chap-multiple-output' xrefstyle="select: title" />
-  where <varname>bin</varname> includes program binaries. You can test build a Go binary as follows:
+Reusable Go libraries may be found in the <varname>goPackages</varname> set. You can test
+build a Go package as follows:

-  <screen>
-    $ nix-build -A deis.bin
-  </screen>
-
-  or build all outputs with:
-
-  <screen>
-    $ nix-build -A deis.all
-  </screen>
-
-  <varname>bin</varname> output will be installed by default with <varname>nix-env -i</varname>
-  or <varname>systemPackages</varname>.
+<screen>
+$ nix-build -A goPackages.net
+</screen>

 </para>

@@ -160,7 +119,6 @@ done
 </screen>
 </para>

-<para>To extract dependency information from a Go package in automated way use <link xlink:href="https://github.com/kamilchm/go2nix">go2nix</link>.
-  It can produce complete derivation and <varname>goDeps</varname> file for Go programs.</para>
+  <para>To extract dependency information from a Go package in automated way use <link xlink:href="https://github.com/kamilchm/go2nix">go2nix</link>.</para>
 </section>

--- a/doc/languages-frameworks/haskell.md
+++ b/doc/languages-frameworks/haskell.md
@@ -378,23 +378,6 @@ special options turned on:
 	  buildInputs = [ R zeromq zlib ];
    }

-You can select a particular GHC version to compile with by setting the
-`ghc` attribute as an argument to `buildStackProject`. Better yet, let
-Stack choose what GHC version it wants based on the snapshot specified
-in `stack.yaml` (only works with Stack >= 1.1.3):
-
-    {nixpkgs ? import <nixpkgs> { }, ghc ? nixpkgs.ghc}
-
-    with nixpkgs;
-
-    let R = pkgs.R.override { enableStrictBarrier = true; };
-    in
-    haskell.lib.buildStackProject {
-      name = "HaskellR";
-      buildInputs = [ R zeromq zlib ];
-      inherit ghc;
-    }
-
 [stack-nix-doc]: http://docs.haskellstack.org/en/stable/nix_integration.html

 ### How to create ad hoc environments for `nix-shell`
@@ -653,7 +636,7 @@ then you have to download and re-install `foo` and all its dependents from
 scratch:

    # nix-store -q --referrers /nix/store/*-haskell-text-1.2.0.4 \
-      | xargs -L 1 nix-store --repair-path
+      | xargs -L 1 nix-store --repair-path --option binary-caches http://hydra.nixos.org

 If you're using additional Hydra servers other than `hydra.nixos.org`, then it
 might be necessary to purge the local caches that store data from those
@@ -740,7 +723,7 @@ to the `stack.yaml` like the following:
      enable: true
 	  packages: [ zlib ]

-Stack's Nix support knows to add `${zlib.out}/lib` and `${zlib.dev}/include` as an
+Stack's Nix support knows to add `${zlib}/lib` and `${zlib}/include` as an
 `--extra-lib-dirs` and `extra-include-dirs`, respectively. Alternatively, you
 can achieve the same effect by hand. First of all, run

--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@@ -291,8 +291,8 @@ pyfftw = buildPythonPackage rec {
  # Tests cannot import pyfftw. pyfftw works fine though.
  doCheck = false;

-  LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
-  CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
+  LDFLAGS="-L${pkgs.fftw}/lib -L${pkgs.fftwFloat}/lib -L${pkgs.fftwLongDouble}/lib"
+  CFLAGS="-I${pkgs.fftw}/include -I${pkgs.fftwFloat}/include -I${pkgs.fftwLongDouble}/include"
  '';

  meta = {
@@ -481,7 +481,7 @@ and the aliases
 #### `buildPythonPackage` function

 The `buildPythonPackage` function is implemented in
-`pkgs/development/interpreters/python/build-python-package.nix`
+`pkgs/development/python-modules/generic/default.nix`

 and can be used as:

@@ -503,12 +503,9 @@ and can be used as:

 The `buildPythonPackage` mainly does four things:

-* In the `buildPhase`, it calls `${python.interpreter} setup.py bdist_wheel` to
-  build a wheel binary zipfile.
+* In the `buildPhase`, it calls `${python.interpreter} setup.py bdist_wheel` to build a wheel binary zipfile.
 * In the `installPhase`, it installs the wheel file using `pip install *.whl`.
-* In the `postFixup` phase, the `wrapPythonPrograms` bash function is called to
-  wrap all programs in the `$out/bin/*` directory to include `$PATH`
-  environment variable and add dependent libraries to script's `sys.path`.
+* In the `postFixup` phase, the `wrapPythonPrograms` bash function is called to wrap all programs in the `$out/bin/*` directory to include `$PYTHONPATH` and `$PATH` environment variables.
 * In the `installCheck` phase, `${python.interpreter} setup.py test` is ran.

 As in Perl, dependencies on other Python packages can be specified in the
@@ -535,8 +532,6 @@ All parameters from `mkDerivation` function are still supported.
 * `makeWrapperArgs`: A list of strings. Arguments to be passed to `makeWrapper`, which wraps generated binaries. By default, the arguments to `makeWrapper` set `PATH` and `PYTHONPATH` environment variables before calling the binary. Additional arguments here can allow a developer to set environment variables which will be available when the binary is run. For example, `makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"]`.
 * `installFlags`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"].
 * `format`: Format of the source. Options are `setup` for when the source has a `setup.py` and `setuptools` is used to build a wheel, and `wheel` in case the source is already a binary wheel. The default value is `setup`.
-* `catchConflicts` If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.
-* `checkInputs` Dependencies needed for running the `checkPhase`. These are added to `buildInputs` when `doCheck = true`.

 #### `buildPythonApplication` function

@@ -570,7 +565,7 @@ running `nix-shell` with the following `shell.nix`
    with import <nixpkgs> {};

    (python3.buildEnv.override {
-      extraLibs = with python3Packages; [ numpy requests2 ];
+      extraLibs = with python3Packages; [ numpy requests ];
    }).env

 will drop you into a shell where Python will have the
@@ -609,7 +604,7 @@ attribute. The `shell.nix` file from the previous section can thus be also writt

    with import <nixpkgs> {};

-    (python33.withPackages (ps: [ps.numpy ps.requests2])).env
+    (python33.withPackages (ps: [ps.numpy ps.requests])).env

 In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
 such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
@@ -633,7 +628,7 @@ Given a `default.nix`:
    src = ./.; }

 Running `nix-shell` with no arguments should give you
-the environment in which the package would be built with
+the environment in which the package would be build with
 `nix-build`.

 Shortcut to setup environments with C headers/libraries and python packages:
@@ -653,56 +648,6 @@ community to help save time. No tool is preferred at the moment.

 ## FAQ

-### How can I install a working Python environment?
-
-As explained in the user's guide installing individual Python packages
-imperatively with `nix-env -i` or declaratively in `environment.systemPackages`
-is not supported. However, it is possible to install a Python environment with packages (`python.buildEnv`).
-
-In the following examples we create an environment with Python 3.5, `numpy` and `ipython`.
-As you might imagine there is one limitation here, and that's you can install
-only one environment at a time. You will notice the complaints about collisions
-when you try to install a second environment.
-
-#### Environment defined in separate `.nix` file
-
-Create a file, e.g. `build.nix`, with the following expression
-```nix
-with import <nixpkgs> {};
-with python35Packages;
-
-python.withPackages (ps: with ps; [ numpy ipython ])
-```
-and install it in your profile with
-```
-nix-env -if build.nix
-```
-Now you can use the Python interpreter, as well as the extra packages that you added to the environment.
-
-#### Environment defined in `~/.nixpkgs/config.nix`
-
-If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
-```
-  packageOverrides = pkgs: with pkgs; with python35Packages; {
-    myEnv = python.withPackages (ps: with ps; [ numpy ipython ]);
-  };
-```
-and install it in your profile with
-```
-nix-env -iA nixos.blogEnv
-```
-Note that I'm using the attribute path here.
-
-#### Environment defined in `/etc/nixos/configuration.nix`
-
-For the sake of completeness, here's another example how to install the environment system-wide.
-
-```nix
-environment.systemPackages = with pkgs; [
-  (python35Packages.python.withPackages (ps: callPackage ../packages/common-python-packages.nix { pythonPackages = ps; }))
-];
-```
-
 ### How to solve circular dependencies?

 Consider the packages `A` and `B` that depend on each other. When packaging `B`,
@@ -716,8 +661,8 @@ Python attribute sets are created for each interpreter version. We will therefor
 In the following example we change the name of the package `pandas` to `foo`.
 ```
 newpkgs = pkgs.overridePackages(self: super: rec {
-  python35Packages = (super.python35Packages.override { self = python35Packages;})
-    // { pandas = super.python35Packages.pandas.override  {name = "foo";};
+  python35Packages = super.python35Packages.override {
+    self = python35Packages // { pandas = python35Packages.pandas.override{name="foo";};};
  };
 });
 ```
@@ -728,8 +673,8 @@ with import <nixpkgs> {};
 (let

 newpkgs = pkgs.overridePackages(self: super: rec {
-  python35Packages = (super.python35Packages.override { self = python35Packages;})
-    // { pandas = super.python35Packages.pandas.override  {name = "foo";};
+  python35Packages = super.python35Packages.override {
+    self = python35Packages // { pandas = python35Packages.pandas.override{name="foo";};};
  };
 });
 in newpkgs.python35.withPackages (ps: [ps.blaze])
@@ -744,7 +689,7 @@ with import <nixpkgs> {};

 newpkgs = pkgs.overridePackages(self: super: rec {
  python35Packages = super.python35Packages.override {
-    self = python35Packages // { scipy = python35Packages.scipy_0_17;};
+    self = python35Packages // { scipy = python35Packages.scipy_0_16;};
  };
 });
 in newpkgs.python35.withPackages (ps: [ps.blaze])
@@ -752,41 +697,6 @@ in newpkgs.python35.withPackages (ps: [ps.blaze])
 ```
 The requested package `blaze` depends upon `pandas` which itself depends on `scipy`.

-A similar example but now using `django`
-```
-with import <nixpkgs> {};
-
-(let
-
-newpkgs = pkgs.overridePackages(self: super: rec {
-  python27Packages = (super.python27Packages.override {self = python27Packages;})
-    // { django = super.python27Packages.django_1_9; };
-});
-in newpkgs.python27.withPackages (ps: [ps.django_guardian ])
-).env
-```
-
-### `python setup.py bdist_wheel` cannot create .whl
-
-Executing `python setup.py bdist_wheel` in a `nix-shell `fails with
-```
-ValueError: ZIP does not support timestamps before 1980
-```
-This is because files are included that depend on items in the Nix store which have a timestamp of, that is, it corresponds to January the 1st, 1970 at 00:00:00. And as the error informs you, ZIP does not support that.
-The command `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`, and `nix-shell` sets this to 1. By setting it to a value corresponding to 1980 or later, or by unsetting it, it is possible to build wheels.
-
-Use 1980 as timestamp:
-```
-nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"
-```
-or the current time:
-```
-nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
-```
-or unset:
-"""
-nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
-"""

 ### `install_data` / `data_files` problems

--- a/doc/multiple-output.xml
+++ b/doc/multiple-output.xml
@@ -29,15 +29,15 @@

 <section><title>Using a split package</title>
  <para>In the Nix language the individual outputs can be reached explicitly as attributes, e.g. <varname>coreutils.info</varname>, but the typical case is just using packages as build inputs.</para>
-  <para>When a multiple-output derivation gets into a build input of another derivation, the <varname>dev</varname> output is added if it exists, otherwise the first output is added. In addition to that, <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname> are also added. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
+  <para>When a multiple-output derivation gets into a build input of another derivation, the first output is added (<varname>.dev</varname> by convention) and also <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname>. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
 </section>


 <section><title>Writing a split derivation</title>
  <para>Here you find how to write a derivation that produces multiple outputs.</para>
  <para>In nixpkgs there is a framework supporting multiple-output derivations. It tries to cover most cases by default behavior.  You can find the source separated in &lt;<filename>nixpkgs/pkgs/build-support/setup-hooks/multiple-outputs.sh</filename>&gt;; it's relatively well-readable.  The whole machinery is triggered by defining the <varname>outputs</varname> attribute to contain the list of desired output names (strings).</para>
-  <programlisting>outputs = [ "bin" "dev" "out" "doc" ];</programlisting>
-  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should contain the executable programs provided by the package as that output is used by Nix in string conversions, allowing references to binaries like <literal>${pkgs.perl}/bin/perl</literal> to always work. Typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>
+  <programlisting>outputs = [ "dev" "out" "bin" "doc" ];</programlisting>
+  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should usually be <varname>dev</varname>; typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>

  <note><para>There is a special handling of the <varname>debug</varname> output, described at <xref linkend="stdenv-separateDebugInfo" />.</para></note>

@@ -63,7 +63,7 @@
        </para></listitem></varlistentry>
      <varlistentry><term><varname>
        $outputDocdev</varname></term><listitem><para>
-        is for <emphasis>developer</emphasis> documentation.  Currently we count gtk-doc and man3 pages in there.  It goes to <varname>devdoc</varname> or is removed (!) by default.  This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.
+        is for <emphasis>developer</emphasis> documentation.  Currently we count gtk-doc and man3 pages in there.  It goes to <varname>docdev</varname> or is removed (!) by default.  This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.
        </para></listitem></varlistentry>
      <varlistentry><term><varname>
        $outputMan</varname></term><listitem><para>
--- a/doc/old/update-upstream-data.txt
+++ b/doc/old/update-upstream-data.txt
@@ -0,0 +1,14 @@
+Semi-automatic source information updating using "update-upstream-data.sh" script and "src-{,info-}for-*.nix"
+
+1. Recognizing when a pre-existing package uses this mechanism.
+
+Packages using this automatical update mechanism have src-info-for-default.nix and src-for-default.nix next to default.nix. src-info-for-default.nix describes getting the freshest source from upstream web site; src-for-default.nix is a generated file with the current data about used source. Both files define a simple attrSet. 
+
+src-info-for-default.nix (for a file grabbed via http) contains at least downloadPage attribute - it is the page we need to look at to find out the latest version. It also contains baseName that is used for automatical generation of package name containing version. It can contain extra data for trickier cases.
+
+src-for-default.nix will contain advertisedUrl (raw URL chosen on the site; its change prompts regeneration of source data), url for fetchurl, hash, version retrieved from the download URL and suggested package name.
+
+2. Updating a package
+
+nixpkgs/pkgs/build-support/upstream-updater directory contains some scripts. The worker script is called update-upstream-data.sh. This script requires main expression name (e.g. default.nix). It can optionally accpet a second parameter, URL which will be used instead of getting one by parsing the downloadPage (version extraction, mirror URL creation etc. will still be run). After running the script, check src-for-default.nix (or replace default.nix with expression name, if there are seceral expressions in the directory) for new version information.
+
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -557,8 +557,8 @@ script) if it exists.</para>

  <varlistentry>
    <term><varname>configureFlags</varname></term>
-    <listitem><para>A list of strings passed as additional arguments to the
-    configure script.</para></listitem>
+    <listitem><para>Additional arguments passed to the configure
+    script.</para></listitem>
  </varlistentry>

  <varlistentry>
@@ -658,7 +658,7 @@ nothing.</para>

  <varlistentry>
    <term><varname>makeFlags</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
    <command>make</command>.  These flags are also used by the default
    install and check phase.  For setting make flags specific to the
    build phase, use <varname>buildFlags</varname> (see
@@ -685,7 +685,7 @@ makeFlagsArray=(CFLAGS="-O0 -g" LDFLAGS="-lfoo -lbar")

  <varlistentry>
    <term><varname>buildFlags</varname> / <varname>buildFlagsArray</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
    <command>make</command>.  Like <varname>makeFlags</varname> and
    <varname>makeFlagsArray</varname>, but only used by the build
    phase.</para></listitem>
@@ -753,7 +753,7 @@ doCheck = true;</programlisting>

  <varlistentry>
    <term><varname>checkFlags</varname> / <varname>checkFlagsArray</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
    <command>make</command>.  Like <varname>makeFlags</varname> and
    <varname>makeFlagsArray</varname>, but only used by the check
    phase.</para></listitem>
@@ -808,7 +808,7 @@ installTargets = "install-bin install-doc";</programlisting>

  <varlistentry>
    <term><varname>installFlags</varname> / <varname>installFlagsArray</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
    <command>make</command>.  Like <varname>makeFlags</varname> and
    <varname>makeFlagsArray</varname>, but only used by the install
    phase.</para></listitem>
@@ -1196,24 +1196,10 @@ echo @foo@
    <term><function>stripHash</function>
    <replaceable>path</replaceable></term>
    <listitem><para>Strips the directory and hash part of a store
-    path, storing the name part in the environment variable
-    <literal>strippedName</literal>. For example:
-    
-<programlisting>
-stripHash "/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
-# prints coreutils-8.24
-echo $strippedName
-</programlisting>
-
-    If you wish to store the result in another variable, then the
-    following idiom may be useful:
-    
-<programlisting>
-name="/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
-someVar=$(stripHash $name; echo $strippedName)
-</programlisting>
-
-    </para></listitem>
+    path, and prints (on standard output) only the name part.  For
+    instance, <literal>stripHash
+    /nix/store/68afga4khv0w...-coreutils-6.12</literal> print
+    <literal>coreutils-6.12</literal>.</para></listitem>
  </varlistentry>

  
@@ -1319,25 +1305,6 @@ someVar=$(stripHash $name; echo $strippedName)
    <envar>GST_PLUGIN_SYSTEM_PATH</envar> environment variable.</para></listitem>
  </varlistentry>

-  <varlistentry>
-    <term>paxctl</term>
-    <listitem><para>Defines the <varname>paxmark</varname> helper for
-    setting per-executable PaX flags on Linux (where it is available by
-    default; on all other platforms, <varname>paxmark</varname> is a no-op).
-    For example, to disable secure memory protections on the executable
-    <replaceable>foo</replaceable>:
-    <programlisting>
-      postFixup = ''
-        paxmark m $out/bin/<replaceable>foo</replaceable>
-      '';
-    </programlisting>
-    The <literal>m</literal> flag is the most common flag and is typically
-    required for applications that employ JIT compilation or otherwise need to
-    execute code generated at run-time.  Disabling PaX protections should be
-    considered a last resort: if possible, problematic features should be
-    disabled or patched to work with PaX.</para></listitem>
-  </varlistentry>
-
 </variablelist>

 </para>
@@ -1360,209 +1327,6 @@ in the default system locations.</para>

 </section>

-<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
-
-<para>There are flags available to harden packages at compile or link-time.
-These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
-<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
-</para>
-
-<para>The following flags are enabled by default and might require disabling
-if the program to package is incompatible.
-</para>
-
-<variablelist>
-
-  <varlistentry>
-    <term><varname>format</varname></term>
-    <listitem><para>Adds the <option>-Wformat -Wformat-security
-    -Werror=format-security</option> compiler options. At present,
-    this warns about calls to <varname>printf</varname> and
-    <varname>scanf</varname> functions where the format string is
-    not a string literal and there are no format arguments, as in
-    <literal>printf(foo);</literal>. This may be a security hole
-    if the format string came from untrusted input and contains
-    <literal>%n</literal>.</para>
-
-    <para>This needs to be turned off or fixed for errors similar to:</para>
-
-    <programlisting>
-/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
-         printf(help_message);
-                            ^
-cc1plus: some warnings being treated as errors
-    </programlisting></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>stackprotector</varname></term>
-    <listitem>
-    <para>Adds the <option>-fstack-protector-strong
-    --param ssp-buffer-size=4</option>
-    compiler options. This adds safety checks against stack overwrites
-    rendering many potential code injection attacks into aborting situations.
-    In the best case this turns code injection vulnerabilities into denial
-    of service or into non-issues (depending on the application).</para>
-
-    <para>This needs to be turned off or fixed for errors similar to:</para>
-
-    <programlisting>
-bin/blib.a(bios_console.o): In function `bios_handle_cup':
-/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
-    </programlisting></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>fortify</varname></term>
-    <listitem>
-    <para>Adds the <option>-O2 -D_FORTIFY_SOURCE=2</option> compiler
-    options. During code generation the compiler knows a great deal of
-    information about buffer sizes (where possible), and attempts to replace
-    insecure unlimited length buffer function calls with length-limited ones.
-    This is especially useful for old, crufty code. Additionally, format
-    strings in writable memory that contain '%n' are blocked. If an application
-    depends on such a format string, it will need to be worked around.
-    </para>
-
-    <para>Addtionally, some warnings are enabled which might trigger build
-    failures if compiler warnings are treated as errors in the package build.
-    In this case, set <option>NIX_CFLAGS_COMPILE</option> to
-    <option>-Wno-error=warning-type</option>.</para>
-
-    <para>This needs to be turned off or fixed for errors similar to:</para>
-
-    <programlisting>
-malloc.c:404:15: error: return type is an incomplete type
-malloc.c:410:19: error: storage size of 'ms' isn't known
-    </programlisting>
-    <programlisting>
-strdup.h:22:1: error: expected identifier or '(' before '__extension__'
-    </programlisting>
-    <programlisting>
-strsep.c:65:23: error: register name not specified for 'delim'
-    </programlisting>
-    <programlisting>
-installwatch.c:3751:5: error: conflicting types for '__open_2'
-    </programlisting>
-    <programlisting>
-fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
-    </programlisting>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>pic</varname></term>
-    <listitem>
-    <para>Adds the <option>-fPIC</option> compiler options. This options adds
-    support for position independant code in shared libraries and thus making
-    ASLR possible.</para>
-    <para>Most notably, the Linux kernel, kernel modules and other code
-    not running in an operating system environment like boot loaders won't
-    build with PIC enabled. The compiler will is most cases complain that
-    PIC is not supported for a specific build.
-    </para>
-
-    <para>This needs to be turned off or fixed for assembler errors similar to:</para>
-
-    <programlisting>
-ccbLfRgg.s: Assembler messages:
-ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
-    </programlisting>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>strictoverflow</varname></term>
-    <listitem>
-    <para>Signed integer overflow is undefined behaviour according to the C
-    standard. If it happens, it is an error in the program as it should check
-    for overflow before it can happen, not afterwards. GCC provides built-in
-    functions to perform arithmetic with overflow checking, which are correct
-    and faster than any custom implementation. As a workaround, the option
-    <option>-fno-strict-overflow</option> makes gcc behave as if signed
-    integer overflows were defined.
-    </para>
-
-    <para>This flag should not trigger any build or runtime errors.</para>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>relro</varname></term>
-    <listitem>
-    <para>Adds the <option>-z relro</option> linker option. During program
-    load, several ELF memory sections need to be written to by the linker,
-    but can be turned read-only before turning over control to the program.
-    This prevents some GOT (and .dtors) overwrite attacks, but at least the
-    part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
-    </para>
-
-    <para>This flag can break dynamic shared object loading. For instance, the
-    module systems of Xorg and OpenCV are incompatible with this flag. In almost
-    all cases the <varname>bindnow</varname> flag must also be disabled and
-    incompatible programs typically fail with similar errors at runtime.</para>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>bindnow</varname></term>
-    <listitem>
-    <para>Adds the <option>-z bindnow</option> linker option. During program
-    load, all dynamic symbols are resolved, allowing for the complete GOT to
-    be marked read-only (due to <varname>relro</varname>). This prevents GOT
-    overwrite attacks. For very large applications, this can incur some
-    performance loss during initial load while symbols are resolved, but this
-    shouldn't be an issue for daemons.
-    </para>
-
-    <para>This flag can break dynamic shared object loading. For instance, the
-    module systems of Xorg and PHP are incompatible with this flag. Programs
-    incompatible with this flag often fail at runtime due to missing symbols,
-    like:</para>
-
-    <programlisting>
-intel_drv.so: undefined symbol: vgaHWFreeHWRec
-    </programlisting>
-    </listitem>
-  </varlistentry>
-
-</variablelist>
-
-<para>The following flags are disabled by default and should be enabled
-for packages that take untrusted input, like network services.
-</para>
-
-<variablelist>
-
-  <varlistentry>
-    <term><varname>pie</varname></term>
-    <listitem>
-    <para>Adds the <option>-fPIE</option> compiler and <option>-pie</option>
-    linker options. Position Independent Executables are needed to take
-    advantage of Address Space Layout Randomization, supported by modern
-    kernel versions. While ASLR can already be enforced for data areas in
-    the stack and heap (brk and mmap), the code areas must be compiled as
-    position-independent. Shared libraries already do this with the
-    <varname>pic</varname> flag, so they gain ASLR automatically, but binary
-    .text regions need to be build with <varname>pie</varname> to gain ASLR.
-    When this happens, ROP attacks are much harder since there are no static
-    locations to bounce off of during a memory corruption attack.
-    </para>
-    </listitem>
-  </varlistentry>
-
-</variablelist>
-
-<para>For more in-depth information on these hardening flags and hardening in
-general, refer to the
-<link xlink:href="https://wiki.debian.org/Hardening">Debian Wiki</link>,
-<link xlink:href="https://wiki.ubuntu.com/Security/Features">Ubuntu Wiki</link>,
-<link xlink:href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Wiki</link>,
-and the <link xlink:href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">
-Arch Wiki</link>.
-</para>
-
-</section>

 </chapter>

--- a/lib/attrsets.nix
+++ b/lib/attrsets.nix
@@ -296,17 +296,12 @@ rec {

  /* Converts a store path to a fake derivation. */
  toDerivation = path:
-    let
-      path' = builtins.storePath path;
-      res =
-        { type = "derivation";
-          name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
-          outPath = path';
-          outputs = [ "out" ];
-          out = res;
-          outputName = "out";
-        };
-    in res;
+    let path' = builtins.storePath path; in
+    { type = "derivation";
+      name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
+      outPath = path';
+      outputs = [ "out" ];
+    };


  /* If `cond' is true, return the attribute set `as',
@@ -459,11 +454,10 @@ rec {
  getLib = getOutput "lib";
  getDev = getOutput "dev";

-  /* Pick the outputs of packages to place in buildInputs */
-  chooseDevOutputs = drvs: builtins.map getDev drvs;

  /*** deprecated stuff ***/

+  deepSeqAttrs = throw "removed 2016-02-29 because unused and broken";
  zipWithNames = zipAttrsWithNames;
  zip = builtins.trace
    "lib.zip is deprecated, use lib.zipAttrsWith instead" zipAttrsWith;
--- a/lib/debug.nix
+++ b/lib/debug.nix
@@ -19,10 +19,6 @@ rec {
  traceXMLVal = x: trace (builtins.toXML x) x;
  traceXMLValMarked = str: x: trace (str + builtins.toXML x) x;

-  # strict trace functions (traced structure is fully evaluated and printed)
-  traceSeq = x: y: trace (builtins.deepSeq x x) y;
-  traceValSeq = v: traceVal (builtins.deepSeq v v);
-
  # this can help debug your code as well - designed to not produce thousands of lines
  traceShowVal = x : trace (showVal x) x;
  traceShowValMarked = str: x: trace (str + showVal x) x;
@@ -73,9 +69,27 @@ rec {
  # usage: { testX = allTrue [ true ]; }
  testAllTrue = expr : { inherit expr; expected = map (x: true) expr; };

-  strict = v:
-    trace "Warning: strict is deprecated and will be removed in the next release"
-      (builtins.seq v v);
+  # evaluate everything once so that errors will occur earlier
+  # hacky: traverse attrs by adding a dummy
+  # ignores functions (should this behavior change?) See strictf
+  #
+  # Note: This should be a primop! Something like seq of haskell would be nice to
+  # have as well. It's used fore debugging only anyway
+  strict = x :
+    let
+        traverse = x :
+          if isString x then true
+          else if isAttrs x then
+            if x ? outPath then true
+            else all id (mapAttrsFlatten (n: traverse) x)
+          else if isList x then
+            all id (map traverse x)
+          else if isBool x then true
+          else if isFunction x then true
+          else if isInt x then true
+          else if x == null then true
+          else true; # a (store) path?
+    in if traverse x then x else throw "else never reached";

  # example: (traceCallXml "myfun" id 3) will output something like
  # calling myfun arg 1: 3 result: 3
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@@ -188,24 +188,13 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {

  fdl13 = spdx {
    spdxId = "GFDL-1.3";
-    fullName = "GNU Free Documentation License v1.3";
+    fullName = "GNU Free Documentation License v1.2";
  };

  free = {
    fullName = "Unspecified free software license";
  };

-  g4sl = {
-    fullName = "Geant4 Software License";
-    url = https://geant4.web.cern.ch/geant4/license/LICENSE.html;
-  };
-
-  geogebra = {
-    fullName = "GeoGebra Non-Commercial License Agreement";
-    url = https://www.geogebra.org/license;
-    free = false;
-  };
-
  gpl1 = spdx {
    spdxId = "GPL-1.0";
    fullName = "GNU General Public License v1.0 only";
--- a/lib/lists.nix
+++ b/lib/lists.nix
@@ -68,7 +68,18 @@ rec {
       imap (i: v: "${v}-${toString i}") ["a" "b"]
       => [ "a-1" "b-2" ]
  */
-  imap = f: list: genList (n: f (n + 1) (elemAt list n)) (length list);
+  imap =
+    if builtins ? genList then
+      f: list: genList (n: f (n + 1) (elemAt list n)) (length list)
+    else
+      f: list:
+      let
+        len = length list;
+        imap' = n:
+          if n == len
+            then []
+            else [ (f (n + 1) (elemAt list n)) ] ++ imap' (n + 1);
+      in imap' 0;

  /* Map and concatenate the result.

@@ -89,7 +100,7 @@ rec {
  */
  flatten = x:
    if isList x
-    then concatMap (y: flatten y) x
+    then foldl' (x: y: x ++ (flatten y)) [] x
    else [x];

  /* Remove elements equal to 'e' from a list.  Useful for buildInputs.
@@ -205,11 +216,17 @@ rec {
       range 3 2
       => [ ]
  */
-  range = first: last:
-    if first > last then
-      []
+  range =
+    if builtins ? genList then
+      first: last:
+        if first > last
+        then []
+        else genList (n: first + n) (last - first + 1)
    else
-      genList (n: first + n) (last - first + 1);
+      first: last:
+        if last < first
+        then []
+        else [first] ++ range (first + 1) last;

  /* Splits the elements of a list in two lists, `right' and
     `wrong', depending on the evaluation of a predicate.
@@ -218,12 +235,12 @@ rec {
       partition (x: x > 2) [ 5 1 2 3 4 ]
       => { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }
  */
-  partition = builtins.partition or (pred:
+  partition = pred:
    fold (h: t:
      if pred h
      then { right = [h] ++ t.right; wrong = t.wrong; }
      else { right = t.right; wrong = [h] ++ t.wrong; }
-    ) { right = []; wrong = []; });
+    ) { right = []; wrong = []; };

  /* Merges two lists of the same size together. If the sizes aren't the same
     the merging stops at the shortest. How both lists are merged is defined
@@ -233,9 +250,19 @@ rec {
       zipListsWith (a: b: a + b) ["h" "l"] ["e" "o"]
       => ["he" "lo"]
  */
-  zipListsWith = f: fst: snd:
-    genList
-      (n: f (elemAt fst n) (elemAt snd n)) (min (length fst) (length snd));
+  zipListsWith =
+    if builtins ? genList then
+      f: fst: snd: genList (n: f (elemAt fst n) (elemAt snd n)) (min (length fst) (length snd))
+    else
+      f: fst: snd:
+      let
+        len = min (length fst) (length snd);
+        zipListsWith' = n:
+          if n != len then
+            [ (f (elemAt fst n) (elemAt snd n)) ]
+            ++ zipListsWith' (n + 1)
+          else [];
+      in zipListsWith' 0;

  /* Merges two lists of the same size together. If the sizes aren't the same
     the merging stops at the shortest.
@@ -253,88 +280,11 @@ rec {
       reverseList [ "b" "o" "j" ]
       => [ "j" "o" "b" ]
  */
-  reverseList = xs:
-    let l = length xs; in genList (n: elemAt xs (l - n - 1)) l;
-
-  /* Depth-First Search (DFS) for lists `list != []`.
-
-     `before a b == true` means that `b` depends on `a` (there's an
-     edge from `b` to `a`).
-
-     Examples:
-
-         listDfs true hasPrefix [ "/home/user" "other" "/" "/home" ]
-           == { minimal = "/";                  # minimal element
-                visited = [ "/home/user" ];     # seen elements (in reverse order)
-                rest    = [ "/home" "other" ];  # everything else
-              }
-
-         listDfs true hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
-           == { cycle   = "/";                  # cycle encountered at this element
-                loops   = [ "/" ];              # and continues to these elements
-                visited = [ "/" "/home/user" ]; # elements leading to the cycle (in reverse order)
-                rest    = [ "/home" "other" ];  # everything else
-
-   */
-
-  listDfs = stopOnCycles: before: list:
-    let
-      dfs' = us: visited: rest:
-        let
-          c = filter (x: before x us) visited;
-          b = partition (x: before x us) rest;
-        in if stopOnCycles && (length c > 0)
-           then { cycle = us; loops = c; inherit visited rest; }
-           else if length b.right == 0
-                then # nothing is before us
-                     { minimal = us; inherit visited rest; }
-                else # grab the first one before us and continue
-                     dfs' (head b.right)
-                          ([ us ] ++ visited)
-                          (tail b.right ++ b.wrong);
-    in dfs' (head list) [] (tail list);
-
-  /* Sort a list based on a partial ordering using DFS. This
-     implementation is O(N^2), if your ordering is linear, use `sort`
-     instead.
-
-     `before a b == true` means that `b` should be after `a`
-     in the result.
-
-     Examples:
-
-         toposort hasPrefix [ "/home/user" "other" "/" "/home" ]
-           == { result = [ "/" "/home" "/home/user" "other" ]; }
-
-         toposort hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
-           == { cycle = [ "/home/user" "/" "/" ]; # path leading to a cycle
-                loops = [ "/" ]; }                # loops back to these elements
-
-         toposort hasPrefix [ "other" "/home/user" "/home" "/" ]
-           == { result = [ "other" "/" "/home" "/home/user" ]; }
-
-         toposort (a: b: a < b) [ 3 2 1 ] == { result = [ 1 2 3 ]; }
-
-   */
-
-  toposort = before: list:
-    let
-      dfsthis = listDfs true before list;
-      toporest = toposort before (dfsthis.visited ++ dfsthis.rest);
-    in
-      if length list < 2
-      then # finish
-           { result =  list; }
-      else if dfsthis ? "cycle"
-           then # there's a cycle, starting from the current vertex, return it
-                { cycle = reverseList ([ dfsthis.cycle ] ++ dfsthis.visited);
-                  inherit (dfsthis) loops; }
-           else if toporest ? "cycle"
-                then # there's a cycle somewhere else in the graph, return it
-                     toporest
-                # Slow, but short. Can be made a bit faster with an explicit stack.
-                else # there are no cycles
-                     { result = [ dfsthis.minimal ] ++ toporest.result; };
+  reverseList =
+    if builtins ? genList then
+      xs: let l = length xs; in genList (n: elemAt xs (l - n - 1)) l
+    else
+      fold (e: acc: acc ++ [ e ]) [];

  /* Sort a list based on a comparator function which compares two
     elements and returns true if the first argument is strictly below
@@ -370,7 +320,19 @@ rec {
       take 2 [ ]
       => [ ]
  */
-  take = count: sublist 0 count;
+  take =
+    if builtins ? genList then
+      count: sublist 0 count
+    else
+      count: list:
+        let
+          len = length list;
+          take' = n:
+            if n == len || n == count
+              then []
+            else
+              [ (elemAt list n) ] ++ take' (n + 1);
+        in take' 0;

  /* Remove the first (at most) N elements of a list.

@@ -380,7 +342,19 @@ rec {
       drop 2 [ ]
       => [ ]
  */
-  drop = count: list: sublist count (length list) list;
+  drop =
+    if builtins ? genList then
+      count: list: sublist count (length list) list
+    else
+      count: list:
+        let
+          len = length list;
+          drop' = n:
+            if n == -1 || n < count
+              then []
+            else
+              drop' (n - 1) ++ [ (elemAt list n) ];
+        in drop' (len - 1);

  /* Return a list consisting of at most ‘count’ elements of ‘list’,
     starting at index ‘start’.
@@ -454,4 +428,8 @@ rec {
  */
  subtractLists = e: filter (x: !(elem x e));

+  /*** deprecated stuff ***/
+
+  deepSeqList = throw "removed 2016-02-29 because unused and broken";
+
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -11,11 +11,9 @@
  abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
  abbradar = "Nikolay Amiantov <ab@fmap.me>";
  aboseley = "Adam Boseley <adam.boseley@gmail.com>";
-  abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
  adev = "Adrien Devresse <adev@adev.name>";
  Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
  adnelson = "Allen Nelson <ithinkican@gmail.com>";
-  adolfogc = "Adolfo E. García Castro <adolfo.garcia.cr@gmail.com>";
  aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>";
  aflatter = "Alexander Flatter <flatter@fastmail.fm>";
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
@@ -39,7 +37,6 @@
  aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
  arobyn = "Alexei Robyn <shados@shados.net>";
  artuuge = "Artur E. Ruuge <artuuge@gmail.com>";
-  ashalkhakov = "Artyom Shalkhakov <artyom.shalkhakov@gmail.com>";
  asppsa = "Alastair Pharo <asppsa@gmail.com>";
  astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
  aszlig = "aszlig <aszlig@redmoonstudios.org>";
@@ -72,16 +69,12 @@
  c0dehero = "CodeHero <codehero@nerdpol.ch>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
-  carlsverre = "Carl Sverre <accounts@carlsverre.com>";
  cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  chattered = "Phil Scott <me@philscotted.com>";
  choochootrain = "Hurshal Patel <hurshal@imap.cc>";
-  chris-martin = "Chris Martin <ch.martin@gmail.com>";
-  chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
  christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
-  cko = "Christine Koppelt <christine.koppelt@gmail.com>";
  cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
  cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
@@ -97,11 +90,9 @@
  cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
  DamienCassou = "Damien Cassou <damien@cassou.me>";
  dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
-  danbst = "Danylo Hlynskyi <abcz2.uprola@gmail.com>";
  davidak = "David Kleuker <post@davidak.de>";
  davidrusu = "David Rusu <davidrusu.me@gmail.com>";
  dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
-  dbrock = "Daniel Brockman <daniel@brockman.se>";
  deepfire = "Kosyrev Serge <_deepfire@feelingofgreen.ru>";
  demin-dmitriy = "Dmitriy Demin <demindf@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
@@ -113,7 +104,6 @@
  dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
  dochang = "Desmond O. Chang <dochang@gmail.com>";
  doublec = "Chris Double <chris.double@double.co.nz>";
-  drets = "Dmytro Rets <dmitryrets@gmail.com>";
  drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
  ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
  ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
@@ -130,7 +120,7 @@
  ericbmerritt = "Eric Merritt <eric@afiniate.com>";
  ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
  erikryb = "Erik Rybakken <erik.rybakken@math.ntnu.no>";
-  ertes = "Ertugrul Söylemez <esz@posteo.de>";
+  ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
  exi = "Reno Reckling <nixos@reckling.org>";
  exlevan = "Alexey Levan <exlevan@gmail.com>";
  expipiplus1 = "Joe Hermaszewski <nix@monoid.al>";
@@ -138,7 +128,6 @@
  falsifian = "James Cook <james.cook@utoronto.ca>";
  flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
  fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>";
-  fmthoma = "Franz Thoma <f.m.thoma@googlemail.com>";
  forkk = "Andrew Okin <forkk@forkk.net>";
  fornever = "Friedrich von Never <friedrich@fornever.me>";
  fpletz = "Franz Pletz <fpletz@fnordicwalking.de>";
@@ -167,7 +156,6 @@
  guibert = "David Guibert <david.guibert@gmail.com>";
  havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
  hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
-  hce = "Hans-Christian Esperer <hc@hcesperer.org>";
  henrytill = "Henry Till <henrytill@gmail.com>";
  hiberno = "Christian Lask <hiberno@hiberno.net>";
  hinton = "Tom Hinton <t@larkery.com>";
@@ -191,7 +179,6 @@
  joamaki = "Jussi Maki <joamaki@gmail.com>";
  joelmo = "Joel Moberg <joel.moberg@gmail.com>";
  joelteon = "Joel Taylor <me@joelt.io>";
-  joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
  juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
@@ -238,23 +225,19 @@
  markus1189 = "Markus Hauck <markus1189@gmail.com>";
  markWot = "Markus Wotringer <markus@wotringer.de>";
  martijnvermaat = "Martijn Vermaat <martijn@vermaat.name>";
-  martingms = "Martin Gammelsæter <martin@mg.am>";
  matejc = "Matej Cotman <cotman.matej@gmail.com>";
  mathnerd314 = "Mathnerd314 <mathnerd314.gph+hs@gmail.com>";
  matthiasbeyer = "Matthias Beyer <mail@beyermatthias.de>";
  maurer = "Matthew Maurer <matthew.r.maurer+nix@gmail.com>";
-  mbakke = "Marius Bakke <mbakke@fastmail.com>";
+  mbakke = "Marius Bakke <ymse@tuta.io>";
  matthewbauer = "Matthew Bauer <mjbauer95@gmail.com>";
  mbe = "Brandon Edens <brandonedens@gmail.com>";
  mboes = "Mathieu Boespflug <mboes@tweag.net>";
  mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
  meditans = "Carlo Nucera <meditans@gmail.com>";
  meisternu = "Matt Miemiec <meister@krutt.org>";
-  mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
  michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
-  michalrus = "Michal Rus <m@michalrus.com>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
-  mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
  mingchuan = "Ming Chuan <ming@culpring.com>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
  mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
@@ -264,9 +247,7 @@
  moretea = "Maarten Hoogendoorn <maarten@moretea.nl>";
  mornfall = "Petr Ročkai <me@mornfall.net>";
  MostAwesomeDude = "Corbin Simpson <cds@corbinsimpson.com>";
-  mounium = "Katona László <muoniurn@gmail.com>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
-  mpscholten = "Marc Scholten <marc@mpscholten.de>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
  mschristiansen = "Mikkel Christiansen <mikkel@rheosystems.com>";
  msteen = "Matthijs Steen <emailmatthijs@gmail.com>";
@@ -274,9 +255,7 @@
  mudri = "James Wood <lamudri@gmail.com>";
  muflax = "Stefan Dorn <mail@muflax.com>";
  myrl = "Myrl Hex <myrl.0xf@gmail.com>";
-  nand0p = "Fernando Jose Pando <nando@hex7.com>";
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
-  Nate-Devv = "Nathan Moore <natedevv@gmail.com>";
  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
  nequissimus = "Tim Steinbach <tim@nequissimus.com>";
  nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
@@ -290,7 +269,6 @@
  odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
  offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
  olcai = "Erik Timan <dev@timan.info>";
-  olejorgenb = "Ole Jørgen Brønner <olejorgenb@yahoo.no>";
  orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
  osener = "Ozan Sener <ozan@ozansener.com>";
  otwieracz = "Slawomir Gonet <slawek@otwiera.cz>";
@@ -300,7 +278,6 @@
  pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
  palo = "Ingolf Wanger <palipalo9@googlemail.com>";
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
-  pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
  pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
  peterhoeg = "Peter Hoeg <peter@hoeg.com>";
  peti = "Peter Simons <simons@cryp.to>";
@@ -319,7 +296,6 @@
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
  profpatsch = "Profpatsch <mail@profpatsch.de>";
-  proglodyte = "Proglodyte <proglodyte23@gmail.com>";
  pshendry = "Paul Hendry <paul@pshendry.com>";
  psibi = "Sibi <sibi@psibi.in>";
  pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
@@ -327,8 +303,6 @@
  pxc = "Patrick Callahan <patrick.callahan@latitudeengineering.com>";
  qknight = "Joachim Schiele <js@lastlog.de>";
  ragge = "Ragnar Dahlen <r.dahlen@gmail.com>";
-  ralith = "Benjamin Saunders <ben.e.saunders@gmail.com>";
-  ramkromberg = "Ram Kromberg <ramkromberg@mail.com>";
  rardiol = "Ricardo Ardissone <ricardo.ardissone@gmail.com>";
  rasendubi = "Alexey Shmalko <rasen.dubi@gmail.com>";
  raskin = "Michael Raskin <7c6f434c@mail.ru>";
@@ -345,7 +319,6 @@
  robberer = "Longrin Wischnewski <robberer@freakmail.de>";
  robbinch = "Robbin C. <robbinch33@gmail.com>";
  robgssp = "Rob Glossop <robgssp@gmail.com>";
-  roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
  roconnor = "Russell O'Connor <roconnor@theorem.ca>";
  romildo = "José Romildo Malaquias <malaquias@gmail.com>";
  rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
@@ -354,10 +327,8 @@
  rvlander = "Gaëtan André <rvlander@gaetanandre.eu>";
  ryanartecona = "Ryan Artecona <ryanartecona@gmail.com>";
  ryantm = "Ryan Mulligan <ryan@ryantm.com>";
-  ryansydnor = "Ryan Sydnor <ryan.t.sydnor@gmail.com>";
  rycee = "Robert Helgesson <robert@rycee.net>";
  ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
-  s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
  samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
  schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
@@ -369,7 +340,6 @@
  sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
  shell = "Shell Turner <cam.turn@gmail.com>";
  shlevy = "Shea Levy <shea@shealevy.com>";
-  siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
  simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
  sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
  sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
@@ -378,16 +348,13 @@
  skrzyp = "Jakub Skrzypnik <jot.skrzyp@gmail.com>";
  sleexyz = "Sean Lee <freshdried@gmail.com>";
  smironov = "Sergey Mironov <ierton@gmail.com>";
-  solson = "Scott Olson <scott@solson.me>";
  spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
  spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
  spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
  sprock = "Roger Mason <rmason@mun.ca>";
  spwhitt = "Spencer Whitt <sw@swhitt.me>";
-  SShrike = "Severen Redwood <severen@shrike.me>";
  stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
  steveej = "Stefan Junker <mail@stefanjunker.de>";
-  swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
  swistak35 = "Rafał Łasocha <me@swistak35.com>";
  szczyp = "Szczyp <qb@szczyp.com>";
  sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
@@ -438,12 +405,10 @@
  wscott = "Wayne Scott <wsc9tt@gmail.com>";
  wyvie = "Elijah Rum <elijahrum@gmail.com>";
  yarr = "Dmitry V. <savraz@gmail.com>";
-  yurrriq = "Eric Bailey <eric@ericb.me>";
  z77z = "Marco Maggesi <maggesi@math.unifi.it>";
  zagy = "Christian Zagrodnick <cz@flyingcircus.io>";
  zef = "Zef Hemel <zef@zef.me>";
  zimbatm = "zimbatm <zimbatm@zimbatm.com>";
  zohl = "Al Zohali <zohl@fmap.me>";
  zoomulator = "Kim Simmons <zoomulator@gmail.com>";
-  amiloradovsky = "Andrew Miloradovsky <miloradovsky@gmail.com>";
 }
--- a/lib/modules.nix
+++ b/lib/modules.nix
@@ -105,12 +105,8 @@ rec {
  /* Massage a module into canonical form, that is, a set consisting
     of ‘options’, ‘config’ and ‘imports’ attributes. */
  unifyModuleSyntax = file: key: m:
-    let metaSet = if m ? meta 
-      then { meta = m.meta; }
-      else {};
-    in
    if m ? config || m ? options then
-      let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file" "meta"]; in
+      let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file"]; in
      if badAttrs != {} then
        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by assignments to the top-level attributes `config' or `options'."
      else
@@ -118,14 +114,14 @@ rec {
          key = toString m.key or key;
          imports = m.imports or [];
          options = m.options or {};
-          config = mkMerge [ (m.config or {}) metaSet ];
+          config = m.config or {};
        }
    else
      { file = m._file or file;
        key = toString m.key or key;
        imports = m.require or [] ++ m.imports or [];
        options = {};
-        config = mkMerge [ (removeAttrs m ["key" "_file" "require" "imports"]) metaSet ];
+        config = removeAttrs m ["key" "_file" "require" "imports"];
      };

  applyIfFunction = key: f: args@{ config, options, lib, ... }: if isFunction f then
@@ -507,25 +503,19 @@ rec {
  /* Return a module that causes a warning to be shown if the
     specified option is defined. For example,

-       mkRemovedOptionModule [ "boot" "loader" "grub" "bootDevice" ] "<replacement instructions>"
+       mkRemovedOptionModule [ "boot" "loader" "grub" "bootDevice" ]

     causes a warning if the user defines boot.loader.grub.bootDevice.
-
-     replacementInstructions is a string that provides instructions on
-     how to achieve the same functionality without the removed option,
-     or alternatively a reasoning why the functionality is not needed.
-     replacementInstructions SHOULD be provided!
  */
-  mkRemovedOptionModule = optionName: replacementInstructions:
+  mkRemovedOptionModule = optionName:
    { options, ... }:
    { options = setAttrByPath optionName (mkOption {
        visible = false;
      });
      config.warnings =
        let opt = getAttrFromPath optionName options; in
-        optional opt.isDefined ''
-            The option definition `${showOption optionName}' in ${showFiles opt.files} no longer has any effect; please remove it.
-            ${replacementInstructions}'';
+        optional opt.isDefined
+          "The option definition `${showOption optionName}' in ${showFiles opt.files} no longer has any effect; please remove it.";
    };

  /* Return a module that causes a warning to be shown if the
--- a/lib/sources.nix
+++ b/lib/sources.nix
@@ -4,11 +4,6 @@ let lib = import ./default.nix; in

 rec {

-  # Returns the type of a path: regular (for file), symlink, or directory
-  pathType = p: with builtins; getAttr (baseNameOf p) (readDir (dirOf p));
-
-  # Returns true if the path exists and is a directory, false otherwise
-  pathIsDirectory = p: if builtins.pathExists p then (pathType p) == "directory" else false;

  # Bring in a path as a source, filtering out all Subversion and CVS
  # directories, as well as backup files (*~).
@@ -20,9 +15,7 @@ rec {
      lib.hasSuffix "~" baseName ||
      # Filter out generates files.
      lib.hasSuffix ".o" baseName ||
-      lib.hasSuffix ".so" baseName ||
-      # Filter out nix-build result symlinks
-      (type == "symlink" && lib.hasPrefix "result" baseName)
+      lib.hasSuffix ".so" baseName
    );
    in src: builtins.filterSource filter src;

@@ -36,7 +29,6 @@ rec {
      in type == "directory" || lib.any (ext: lib.hasSuffix ext base) exts;
    in builtins.filterSource filter path;

-
  # Get the commit id of a git repo
  # Example: commitIdFromGitRepo <nixpkgs/.git>
  commitIdFromGitRepo =
@@ -46,22 +38,21 @@ rec {
            packedRefsName = toString path + "/packed-refs";
        in if lib.pathExists fileName
           then
-             let fileContent = lib.fileContents fileName;
+             let fileContent = readFile fileName;
                 # Sometimes git stores the commitId directly in the file but
                 # sometimes it stores something like: «ref: refs/heads/branch-name»
-                 matchRef    = match "^ref: (.*)$" fileContent;
+                 matchRef    = match "^ref: (.*)\n$" fileContent;
             in if   isNull matchRef
-                then fileContent
+                then lib.removeSuffix "\n" fileContent
                else readCommitFromFile path (lib.head matchRef)
           # Sometimes, the file isn't there at all and has been packed away in the
           # packed-refs file, so we have to grep through it:
           else if lib.pathExists packedRefsName
           then
-             let fileContent = readFile packedRefsName;
-                 matchRef    = match (".*\n([^\n ]*) " + file + "\n.*") fileContent;
-             in if   isNull matchRef
-                then throw ("Could not find " + file + " in " + packedRefsName)
-                else lib.head matchRef
+             let packedRefs  = lib.splitString "\n" (readFile packedRefsName);
+                 matchRule   = match ("^(.*) " + file + "$");
+                 matchedRefs = lib.flatten (lib.filter (m: ! (isNull m)) (map matchRule packedRefs));
+             in lib.head matchedRefs
           else throw ("Not a .git directory: " + path);
    in lib.flip readCommitFromFile "HEAD";
 }
--- a/lib/strings.nix
+++ b/lib/strings.nix
@@ -16,7 +16,11 @@ rec {
       concatStrings ["foo" "bar"]
       => "foobar"
  */
-  concatStrings = builtins.concatStringsSep "";
+  concatStrings =
+    if builtins ? concatStringsSep then
+      builtins.concatStringsSep ""
+    else
+      lib.foldl' (x: y: x + y) "";

  /* Map a function over a list and concatenate the resulting strings.

@@ -156,12 +160,12 @@ rec {
       hasSuffix "foo" "barfoo"
       => true
  */
-  hasSuffix = suffix: content:
+  hasSuffix = suff: str:
    let
-      lenContent = stringLength content;
-      lenSuffix = stringLength suffix;
-    in lenContent >= lenSuffix &&
-       substring (lenContent - lenSuffix) lenContent content == suffix;
+      lenStr = stringLength str;
+      lenSuff = stringLength suff;
+    in lenStr >= lenSuff &&
+       substring (lenStr - lenSuff) lenStr str == suff;

  /* Convert a string to a list of characters (i.e. singleton strings).
     This allows you to, e.g., map a function over each character.  However,
@@ -203,21 +207,13 @@ rec {
  */
  escape = list: replaceChars list (map (c: "\\${c}") list);

-  /* Quote string to be used safely within the Bourne shell.
+  /* Escape all characters that have special meaning in the Bourne shell.

     Example:
-       escapeShellArg "esc'ape\nme"
-       => "'esc'\\''ape\nme'"
+       escapeShellArg "so([<>])me"
+       => "so\\(\\[\\<\\>\\]\\)me"
  */
-  escapeShellArg = arg: "'${replaceStrings ["'"] ["'\\''"] (toString arg)}'";
-
-  /* Quote all arguments to be safely passed to the Bourne shell.
-
-     Example:
-       escapeShellArgs ["one" "two three" "four'five"]
-       => "'one' 'two three' 'four'\\''five'"
-  */
-  escapeShellArgs = concatMapStringsSep " " escapeShellArg;
+  escapeShellArg = lib.escape (stringToCharacters "\\ ';$`()|<>\t*[]");

  /* Obsolete - use replaceStrings instead. */
  replaceChars = builtins.replaceStrings or (
@@ -248,7 +244,7 @@ rec {
  /* Converts an ASCII string to upper-case.

     Example:
-       toUpper "home"
+       toLower "home"
       => "HOME"
  */
  toUpper = replaceChars lowerChars upperChars;
@@ -372,12 +368,7 @@ rec {
       getVersion pkgs.youtube-dl
       => "2016.01.01"
  */
-  getVersion = x:
-   let
-     parse = drv: (builtins.parseDrvName drv).version;
-   in if isString x
-      then parse x
-      else x.version or (parse x.name);
+  getVersion = x: (builtins.parseDrvName (x.name or x)).version;

  /* Extract name with version from URL. Ask for separator which is
     supposed to start extension.
@@ -484,14 +475,4 @@ rec {
      absolutePaths = builtins.map (path: builtins.toPath (root + "/" + path)) relativePaths;
    in
      absolutePaths;
-
-  /* Read the contents of a file removing the trailing \n
-
-     Example:
-       $ echo "1.0" > ./version
-
-       fileContents ./version
-       => "1.0"
-  */
-  fileContents = file: removeSuffix "\n" (builtins.readFile file);
 }
--- a/lib/tests/release.nix
+++ b/lib/tests/release.nix
@@ -1,6 +1,6 @@
 { nixpkgs }:

-with import ../.. { };
+with import ./../.. { };
 with lib;

 stdenv.mkDerivation {
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@@ -62,16 +62,14 @@ rec {
    isInt add sub lessThan
    seq deepSeq genericClosure;

-  inherit (import ./strings.nix) fileContents;
-
  # Return the Nixpkgs version number.
  nixpkgsVersion =
    let suffixFile = ../.version-suffix; in
-    fileContents ../.version
-    + (if pathExists suffixFile then fileContents suffixFile else "pre-git");
+    readFile ../.version
+    + (if pathExists suffixFile then readFile suffixFile else "pre-git");

  # Whether we're being called by nix-shell.
-  inNixShell = builtins.getEnv "IN_NIX_SHELL" != "";
+  inNixShell = builtins.getEnv "IN_NIX_SHELL" == "1";

  # Return minimum/maximum of two numbers.
  min = x: y: if x < y then x else y;
@@ -98,19 +96,4 @@ rec {
  */
  importJSON = path:
    builtins.fromJSON (builtins.readFile path);
-
-  /* See https://github.com/NixOS/nix/issues/749. Eventually we'd like these
-     to expand to Nix builtins that carry metadata so that Nix can filter out
-     the INFO messages without parsing the message string.
-
-     Usage:
-     {
-       foo = lib.warn "foo is deprecated" oldFoo;
-     }
-
-     TODO: figure out a clever way to integrate location information from
-     something like __unsafeGetAttrPos.
-  */
-  warn = msg: builtins.trace "WARNING: ${msg}";
-  info = msg: builtins.trace "INFO: ${msg}";
 }
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -100,10 +100,6 @@ rec {
        in if isDerivation res then res else toDerivation res;
    };

-    shellPackage = package // {
-      check = x: (package.check x) && (hasAttr "shellPath" x);
-    };
-
    path = mkOptionType {
      name = "path";
      # Hacky: there is no ‘isPath’ primop.
--- a/maintainers/scripts/fetch-kde-qt.sh
+++ b/maintainers/scripts/fetch-kde-qt.sh
@@ -1,58 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p coreutils findutils gnused nix wget
-
-SRCS=
-if [ -d "$1" ]; then
-    SRCS="$(pwd)/$1/srcs.nix"
-    . "$1/fetch.sh"
-else
-    SRCS="$(pwd)/$(dirname $1)/srcs.nix"
-    . "$1"
-fi
-
-tmp=$(mktemp -d)
-pushd $tmp >/dev/null
-wget -nH -r -c --no-parent "${WGET_ARGS[@]}" >/dev/null
-
-csv=$(mktemp)
-find . -type f | while read src; do
-    # Sanitize file name
-    filename=$(basename "$src" | tr '@' '_')
-    nameVersion="${filename%.tar.*}"
-    name=$(echo "$nameVersion" | sed -e 's,-[[:digit:]].*,,' | sed -e 's,-opensource-src$,,')
-    version=$(echo "$nameVersion" | sed -e 's,^\([[:alpha:]][[:alnum:]]*-\)\+,,')
-    echo "$name,$version,$src,$filename" >>$csv
-done
-
-cat >"$SRCS" <<EOF
-# DO NOT EDIT! This file is generated automatically by fetch-kde-qt.sh
-{ fetchurl, mirror }:
-
-{
-EOF
-
-gawk -F , "{ print \$1 }" $csv | sort | uniq | while read name; do
-    versions=$(gawk -F , "/^$name,/ { print \$2 }" $csv)
-    latestVersion=$(echo "$versions" | sort -rV | head -n 1)
-    src=$(gawk -F , "/^$name,$latestVersion,/ { print \$3 }" $csv)
-    filename=$(gawk -F , "/^$name,$latestVersion,/ { print \$4 }" $csv)
-    url="${src:2}"
-    sha256=$(nix-hash --type sha256 --base32 --flat "$src")
-    cat >>"$SRCS" <<EOF
-  $name = {
-    version = "$latestVersion";
-    src = fetchurl {
-      url = "\${mirror}/$url";
-      sha256 = "$sha256";
-      name = "$filename";
-    };
-  };
-EOF
-done
-
-echo "}" >>"$SRCS"
-
-popd >/dev/null
-rm -fr $tmp >/dev/null
-
-rm -f $csv >/dev/null
--- a/maintainers/scripts/nix-generate-from-cpan.pl
+++ b/maintainers/scripts/nix-generate-from-cpan.pl
@@ -395,21 +395,16 @@ my $meta = read_meta($pkg_path);

 DEBUG( "metadata: ", encode_json( $meta->as_struct ) ) if defined $meta;

-my @runtime_deps = sort( uniq( get_deps( $cb, $meta, "runtime" ) ) );
-INFO("runtime deps: @runtime_deps");
-
 my @build_deps = sort( uniq(
        get_deps( $cb, $meta, "configure" ),
        get_deps( $cb, $meta, "build" ),
        get_deps( $cb, $meta, "test" )
 ) );
-
-# Filter out runtime dependencies since those are already handled.
-my %in_runtime_deps = map { $_ => 1 } @runtime_deps;
-@build_deps = grep { not $in_runtime_deps{$_} } @build_deps;
-
 INFO("build deps: @build_deps");

+my @runtime_deps = sort( uniq( get_deps( $cb, $meta, "runtime" ) ) );
+INFO("runtime deps: @runtime_deps");
+
 my $homepage = $meta ? $meta->resources->{homepage} : undef;
 INFO("homepage: $homepage") if defined $homepage;

--- a/maintainers/scripts/nixpkgs-lint.nix
+++ b/maintainers/scripts/nixpkgs-lint.nix
@@ -18,6 +18,5 @@ stdenv.mkDerivation {
  meta = {
    maintainers = [ stdenv.lib.maintainers.eelco ];
    description = "A utility for Nixpkgs contributors to check Nixpkgs for common errors";
-    platforms = stdenv.lib.platforms.unix;
  };
 }
--- a/maintainers/scripts/travis-nox-review-pr.sh
+++ b/maintainers/scripts/travis-nox-review-pr.sh
@@ -1,76 +1,53 @@
 #! /usr/bin/env bash
 set -e

-while test -n "$1"; do
+export NIX_CURL_FLAGS=-sS

-    # tell Travis to use folding
-    echo -en "travis_fold:start:$1\r"
+if [[ $1 == nix ]]; then
+    echo "=== Installing Nix..."
+    # Install Nix
+    bash <(curl -sS https://nixos.org/nix/install)
+    source $HOME/.nix-profile/etc/profile.d/nix.sh

-    case $1 in
+    # Make sure we can use hydra's binary cache
+    sudo mkdir /etc/nix
+    sudo sh -c 'echo "build-max-jobs = 4" > /etc/nix/nix.conf'

-        nixpkgs-verify)
-            echo "=== Verifying that nixpkgs evaluates..."
+    # Verify evaluation
+    echo "=== Verifying that nixpkgs evaluates..."
+    nix-env -f. -qa --json >/dev/null
+elif [[ $1 == nox ]]; then
+    source $HOME/.nix-profile/etc/profile.d/nix.sh
+    echo "=== Installing nox..."
+    nix-build -A nox '<nixpkgs>' --show-trace
+elif [[ $1 == build ]]; then
+    source $HOME/.nix-profile/etc/profile.d/nix.sh

-            nix-env --file $TRAVIS_BUILD_DIR --query --available --json > /dev/null
-            ;;
+    if [[ $TRAVIS_OS_NAME == "osx" ]]; then
+        echo "Skipping NixOS things on darwin"
+    else
+        echo "=== Checking NixOS options"
+        nix-build nixos/release.nix -A options --show-trace

-        nixos-options)
-            echo "=== Checking NixOS options"
+        echo "=== Checking tarball creation"
+        nix-build pkgs/top-level/release.nix -A tarball --show-trace
+    fi

-            nix-build $TRAVIS_BUILD_DIR/nixos/release.nix --attr options --show-trace
-            ;;
+    if [[ $TRAVIS_PULL_REQUEST == false ]]; then
+        echo "=== Not a pull request"
+    else
+        echo "=== Checking PR"

-        nixos-manual)
-            echo "=== Checking NixOS manuals"
-
-            nix-build $TRAVIS_BUILD_DIR/nixos/release.nix --attr manual --show-trace
-            ;;
-
-        nixpkgs-manual)
-            echo "=== Checking nixpkgs manuals"
-
-            nix-build $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr manual --show-trace
-            ;;
-
-        nixpkgs-tarball)
-            echo "=== Checking nixpkgs tarball creation"
-
-            nix-build $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr tarball --show-trace
-            ;;
-
-        nixpkgs-lint)
-            echo "=== Checking nixpkgs lint"
-
-            nix-shell --packages nixpkgs-lint --run "nixpkgs-lint -f $TRAVIS_BUILD_DIR"
-            ;;
-
-        nox)
-            echo "=== Fetching Nox from binary cache"
-
-            # build nox silently so it's not in the log
-            nix-build "<nixpkgs>" -A nox -A stdenv
-            ;;
-
-        pr)
-            if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then
-                echo "=== No pull request found"
-            else
-                echo "=== Building pull request #$TRAVIS_PULL_REQUEST"
-
-                token=""
-                if [ -n "$GITHUB_TOKEN" ]; then
-                    token="--token $GITHUB_TOKEN"
-                fi
-
-                nix-shell --packages nox --run "nox-review pr --slug $TRAVIS_REPO_SLUG $token $TRAVIS_PULL_REQUEST"
+        if ! nix-shell -p nox --run "nox-review pr ${TRAVIS_PULL_REQUEST}"; then
+            if sudo dmesg | egrep 'Out of memory|Killed process' > /tmp/oom-log; then
+                echo "=== The build failed due to running out of memory:"
+                cat /tmp/oom-log
+                echo "=== Please disregard the result of this Travis build."
            fi
-            ;;
-
-        *)
-            echo "Skipping unknown option $1"
-            ;;
-    esac
-
-    echo -en "travis_fold:end:$1\r"
-    shift
-done
+            exit 1
+        fi
+    fi
+else
+    echo "$0: Unknown option $1" >&2
+    false
+fi
--- a/nixos/doc/manual/administration/imperative-containers.xml
+++ b/nixos/doc/manual/administration/imperative-containers.xml
@@ -7,11 +7,7 @@
 <title>Imperative Container Management</title>

 <para>We’ll cover imperative container management using
-<command>nixos-container</command> first.
-Be aware that container management is currently only possible
-as <literal>root</literal>.</para>
-
-<para>You create a container with
+<command>nixos-container</command> first. You create a container with
 identifier <literal>foo</literal> as follows:

 <screen>
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@@ -24,9 +24,13 @@ effect after you run <command>nixos-rebuild</command>.</para>
 <xi:include href="networking.xml" />
 <xi:include href="linux-kernel.xml" />

-<xi:include href="modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
+<!-- FIXME: auto-include NixOS module docs -->
+<xi:include href="postgresql.xml" />
+<xi:include href="gitlab.xml" />
+<xi:include href="taskserver.xml" />
+<xi:include href="acme.xml" />
+<xi:include href="input-methods.xml" />

 <!-- Apache; libvirtd virtualisation -->

 </part>
-
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@@ -115,14 +115,5 @@ services.xserver.synaptics.twoFingerScroll = true;

 </simplesect>

-<simplesect><title>GTK/Qt themes</title>
-
-<para>GTK themes can be installed either to user profile or system-wide (via
-<literal>system.environmentPackages</literal>). To make Qt 5 applications look similar
-to GTK2 ones, you can install <literal>qt5.qtbase.gtk</literal> package into your
-system environment. It should work for all Qt 5 library versions.
-</para>
-
-</simplesect>

 </chapter>
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@@ -1,27 +1,27 @@
-{ pkgs, options, config, version, revision, extraSources ? [] }:
+{ pkgs, options, version, revision, extraSources ? [] }:

 with pkgs;
+with pkgs.lib;

 let
-  lib = pkgs.lib;

  # Remove invisible and internal options.
-  optionsList = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
+  optionsList = filter (opt: opt.visible && !opt.internal) (optionAttrSetToDocList options);

  # Replace functions by the string <function>
  substFunction = x:
-    if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
+    if builtins.isAttrs x then mapAttrs (name: substFunction) x
    else if builtins.isList x then map substFunction x
    else if builtins.isFunction x then "<function>"
    else x;

  # Clean up declaration sites to not refer to the NixOS source tree.
-  optionsList' = lib.flip map optionsList (opt: opt // {
+  optionsList' = flip map optionsList (opt: opt // {
    declarations = map stripAnyPrefixes opt.declarations;
  }
-  // lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
-  // lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
-  // lib.optionalAttrs (opt ? type) { type = substFunction opt.type; });
+  // optionalAttrs (opt ? example) { example = substFunction opt.example; }
+  // optionalAttrs (opt ? default) { default = substFunction opt.default; }
+  // optionalAttrs (opt ? type) { type = substFunction opt.type; });

  # We need to strip references to /nix/store/* from options,
  # including any `extraSources` if some modules came from elsewhere,
@@ -30,7 +30,7 @@ let
  # E.g. if some `options` came from modules in ${pkgs.customModules}/nix,
  # you'd need to include `extraSources = [ pkgs.customModules ]`
  prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
-  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) prefixesToStrip;
+  stripAnyPrefixes = flip (fold removePrefix) prefixesToStrip;

  # Convert the list of options into an XML file.
  optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList');
@@ -49,21 +49,17 @@ let
      -o $out ${./options-to-docbook.xsl} $optionsXML
  '';

-  sources = lib.sourceFilesBySuffices ./. [".xml"];
-
-  modulesDoc = builtins.toFile "modules.xml" ''
-    <section xmlns:xi="http://www.w3.org/2001/XInclude" id="modules">
-    ${(lib.concatMapStrings (path: ''
-      <xi:include href="${path}" />
-    '') (lib.catAttrs "value" config.meta.doc))}
-    </section>
-  '';
+  sources = sourceFilesBySuffices ./. [".xml"];

  copySources =
    ''
      cp -prd $sources/* . # */
      chmod -R u+w .
-      ln -s ${modulesDoc} configuration/modules.xml
+      cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml
+      cp ${../../modules/services/misc/gitlab.xml} configuration/gitlab.xml
+      cp ${../../modules/services/misc/taskserver/doc.xml} configuration/taskserver.xml
+      cp ${../../modules/security/acme.xml} configuration/acme.xml
+      cp ${../../modules/i18n/input-method/default.xml} configuration/input-methods.xml
      ln -s ${optionsDocBook} options-db.xml
      echo "${version}" > version
    '';
@@ -126,7 +122,7 @@ let
      <targetset>
        <targetsetinfo>
            Allows for cross-referencing olinks between the manpages
-            and manual.
+            and the HTML/PDF manuals.
        </targetsetinfo>

        <document targetdoc="manual">&manualtargets;</document>
@@ -147,7 +143,7 @@ in rec {
      mkdir -p $dst

      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
-        (builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
+        (listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
      } $dst/options.json

      mkdir -p $out/nix-support
@@ -197,42 +193,25 @@ in rec {
    allowedReferences = ["out"];
  };

-
-  manualEpub = stdenv.mkDerivation {
-    name = "nixos-manual-epub";
+  manualPDF = stdenv.mkDerivation {
+    name = "nixos-manual-pdf";

    inherit sources;

-    buildInputs = [ libxml2 libxslt zip ];
+    buildInputs = [ libxml2 libxslt dblatex dblatex.tex ];

    buildCommand = ''
      ${copySources}

-      # Check the validity of the manual sources.
-      xmllint --noout --nonet --xinclude --noxincludenode \
-        --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
-        manual.xml
-
-      # Generate the epub manual.
      dst=$out/share/doc/nixos
-
-      xsltproc \
-        ${manualXsltprocOptions} \
-        --stringparam target.database.document "${olinkDB}/olinkdb.xml" \
-        --nonet --xinclude --output $dst/epub/ \
-        ${docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl ./manual.xml
-
-      mkdir -p $dst/epub/OEBPS/images/callouts
-      cp -r ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/epub/OEBPS/images/callouts
-      echo "application/epub+zip" > mimetype
-      manual="$dst/nixos-manual.epub"
-      zip -0Xq "$manual" mimetype
-      cd $dst/epub && zip -Xr9D "$manual" *
-
-      rm -rf $dst/epub
+      mkdir -p $dst
+      xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \
+        -P target.database.document="${olinkDB}/olinkdb.xml" \
+        -P doc.collab.show=0 \
+        -P latex.output.revhistory=0

      mkdir -p $out/nix-support
-      echo "doc-epub manual $manual" >> $out/nix-support/hydra-build-products
+      echo "doc-pdf manual $dst/manual.pdf" >> $out/nix-support/hydra-build-products
    '';
  };

--- a/nixos/doc/manual/development/meta-attributes.xml
+++ b/nixos/doc/manual/development/meta-attributes.xml
@@ -1,62 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-        xmlns:xlink="http://www.w3.org/1999/xlink"
-        xmlns:xi="http://www.w3.org/2001/XInclude"
-        version="5.0"
-        xml:id="sec-meta-attributes">
-
-<title>Meta Attributes</title>
-
-<para>Like Nix packages, NixOS modules can declare meta-attributes to provide
-  extra information. Module meta attributes are defined in the
-  <filename
-    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/meta.nix">meta.nix</filename>
-  special module.</para>
-
-<para><literal>meta</literal> is a top level attribute like
-  <literal>options</literal> and <literal>config</literal>. Available
-  meta-attributes are <literal>maintainers</literal> and
-  <literal>doc</literal>.</para>
-
-<para>Each of the meta-attributes must be defined at most once per module
-  file.</para>
-
-<programlisting>
-{ config, lib, pkgs, ... }:
-{
-  options = {
-    ...
-  };
-
-  config = {
-    ...
-  };
-
-  meta = {
-    maintainers = with lib.maintainers; [ ericsagnes ]; <co
-      xml:id='modules-meta-1' />
-    doc = ./default.xml; <co xml:id='modules-meta-2' />
-  };
-}
-</programlisting>
-
-<calloutlist>
- <callout arearefs='modules-meta-1'>
-  <para>
-    <varname>maintainers</varname> contains a list of the module maintainers.
-  </para>
- </callout>
-
- <callout arearefs='modules-meta-2'>
-  <para>
-    <varname>doc</varname> points to a valid DocBook file containing the module
-    documentation. Its contents is automatically added to <xref
-      linkend="ch-configuration"/>.
-    Changes to a module documentation have to be checked to not break
-    building the NixOS manual:
-  </para>
-  <programlisting>$ nix-build nixos/release.nix -A manual</programlisting>
- </callout>
-
-</calloutlist>
-
-</section>
--- a/nixos/doc/manual/development/writing-modules.xml
+++ b/nixos/doc/manual/development/writing-modules.xml
@@ -177,6 +177,5 @@ in {

 <xi:include href="option-declarations.xml" />
 <xi:include href="option-def.xml" />
-<xi:include href="meta-attributes.xml" />

 </chapter>
--- a/nixos/doc/manual/installation/installing-virtualbox-guest.xml
+++ b/nixos/doc/manual/installation/installing-virtualbox-guest.xml
@@ -1,89 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-instaling-virtualbox-guest">
-
-<title>Installing in a Virtualbox guest</title>
-<para>
-  Installing NixOS into a Virtualbox guest is convenient for users who want to
-  try NixOS without installing it on bare metal. If you want to use a pre-made
-  Virtualbox appliance, it is available at <link
-  xlink:href="https://nixos.org/nixos/download.html">the downloads page</link>.
-  If you want to set up a Virtualbox guest manually, follow these instructions:
-</para>
-
-<orderedlist>
-
-  <listitem><para>Add a New Machine in Virtualbox with OS Type "Linux / Other
-  Linux"</para></listitem>
-
-  <listitem><para>Base Memory Size: 768 MB or higher.</para></listitem>
-
-  <listitem><para>New Hard Disk of 8 GB or higher.</para></listitem>
-
-  <listitem><para>Mount the CD-ROM with the NixOS ISO (by clicking on
-  CD/DVD-ROM)</para></listitem>
-
-  <listitem><para>Click on Settings / System / Processor and enable
-  PAE/NX</para></listitem>
-
-  <listitem><para>Click on Settings / System / Acceleration and enable
-  "VT-x/AMD-V" acceleration</para></listitem>
-
-  <listitem><para>Save the settings, start the virtual machine, and continue
-  installation like normal</para></listitem>
-
-</orderedlist>
-
-<para>
-  There are a few modifications you should make in configuration.nix. Enable
-  the virtualbox guest service in the main block:
-</para>
-
-<programlisting>
-virtualisation.virtualbox.guest.enable = true;
-</programlisting>
-
-<para>
-  Enable booting:
-</para>
-
-<programlisting>
-boot.loader.grub.device = "/dev/sda";
-</programlisting>
-
-<para>
-  Also remove the fsck that runs at startup. It will always fail to run,
-  stopping your boot until you press <literal>*</literal>.
-</para>
-
-<programlisting>
-boot.initrd.checkJournalingFS = false;
-</programlisting>
-
-<para>
-  Shared folders can be given a name and a path in the host system in the
-  VirtualBox settings (Machine / Settings / Shared Folders, then click on the
-  "Add" icon). Add the following to the
-  <literal>/etc/nixos/configuration.nix</literal> to auto-mount them:
-</para>
-
-<programlisting>
-{ config, pkgs, ...} :
-{
-  ...
-
-  fileSystems."/virtualboxshare" = {
-    fsType = "vboxsf";
-    device = "nameofthesharedfolder";
-    options = [ "rw" ];
-  };
-}
-</programlisting>
-
-<para>
-  The folder will be available directly under the root directory.
-</para>
-
-</section>
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@@ -22,7 +22,7 @@
  (with empty password).</para></listitem>

  <listitem><para>If you downloaded the graphical ISO image, you can
-  run <command>systemctl start display-manager</command> to start KDE. If you
+  run <command>start display-manager</command> to start KDE. If you
  want to continue on the terminal, you can use
  <command>loadkeys</command> to switch to your preferred keyboard layout.
  (We even provide neo2 via <command>loadkeys de neo</command>!)</para></listitem>
@@ -271,6 +271,5 @@ drive (here <filename>/dev/sda</filename>).  <xref linkend="ex-config"
 <xi:include href="installing-uefi.xml" />
 <xi:include href="installing-usb.xml" />
 <xi:include href="installing-pxe.xml" />
-<xi:include href="installing-virtualbox-guest.xml" />

 </chapter>
--- a/nixos/doc/manual/man-nixos-install.xml
+++ b/nixos/doc/manual/man-nixos-install.xml
@@ -25,19 +25,6 @@
      <arg choice='plain'><option>--root</option></arg>
      <replaceable>root</replaceable>
    </arg>
-    <arg>
-      <arg choice='plain'><option>--closure</option></arg>
-      <replaceable>closure</replaceable>
-    </arg>
-    <arg>
-      <arg choice='plain'><option>--no-channel-copy</option></arg>
-    </arg>
-    <arg>
-      <arg choice='plain'><option>--no-root-passwd</option></arg>
-    </arg>
-    <arg>
-      <arg choice='plain'><option>--no-bootloader</option></arg>
-    </arg>
    <arg>
      <group choice='req'>
        <arg choice='plain'><option>--max-jobs</option></arg>
@@ -84,13 +71,12 @@ the following steps:
  <filename>/mnt/etc/nixos/configuration.nix</filename>.</para></listitem>

  <listitem><para>It installs the GRUB boot loader on the device
-  specified in the option <option>boot.loader.grub.device</option>
-  (unless <option>--no-bootloader</option> is specified),
+  specified in the option <option>boot.loader.grub.device</option>,
  and generates a GRUB configuration file that boots into the NixOS
  configuration just installed.</para></listitem>

-  <listitem><para>It prompts you for a password for the root account
-  (unless <option>--no-root-passwd</option> is specified).</para></listitem>
+  <listitem><para>It prompts you for a password for the root
+  account.</para></listitem>

 </itemizedlist>

@@ -117,19 +103,6 @@ it.</para>
    </listitem>
  </varlistentry>

-  <varlistentry>
-    <term><option>--closure</option></term>
-    <listitem>
-      <para>If this option is provided, <command>nixos-install</command> will install the specified closure
-      rather than attempt to build one from <filename>/mnt/etc/nixos/configuration.nix</filename>.</para>
-
-      <para>The closure must be an appropriately configured NixOS system, with boot loader and partition
-      configuration that fits the target host. Such a closure is typically obtained with a command such as
-      <command>nix-build -I nixos-config=./configuration.nix '&lt;nixos&gt;' -A system --no-out-link</command>
-      </para>
-    </listitem>
-  </varlistentry>
-
  <varlistentry>
    <term><option>-I</option></term>
    <listitem>
--- a/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixos/doc/manual/man-nixos-rebuild.xml
@@ -29,7 +29,7 @@
    </group>
    <sbr />
    <arg><option>--upgrade</option></arg>
-    <arg><option>--install-bootloader</option></arg>
+    <arg><option>--install-grub</option></arg>
    <arg><option>--no-build-nix</option></arg>
    <arg><option>--fast</option></arg>
    <arg><option>--rollback</option></arg>
@@ -212,11 +212,12 @@ $ ./result/bin/run-*-vm
  </varlistentry>

  <varlistentry>
-    <term><option>--install-bootloader</option></term>
+    <term><option>--install-grub</option></term>
    <listitem>
-      <para>Causes the boot loader to be (re)installed on the
-      device specified by the relevant configuration options.
-      </para>
+      <para>Causes the GRUB boot loader to be (re)installed on the
+      device specified by the
+      <varname>boot.loader.grub.device</varname> configuration
+      option.</para>
    </listitem>
  </varlistentry>

--- a/nixos/doc/manual/man-nixos-version.xml
+++ b/nixos/doc/manual/man-nixos-version.xml
@@ -1,97 +0,0 @@
-<refentry xmlns="http://docbook.org/ns/docbook"
-          xmlns:xlink="http://www.w3.org/1999/xlink"
-          xmlns:xi="http://www.w3.org/2001/XInclude">
-
-<refmeta>
-  <refentrytitle><command>nixos-version</command></refentrytitle>
-  <manvolnum>8</manvolnum>
-  <refmiscinfo class="source">NixOS</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-  <refname><command>nixos-version</command></refname>
-  <refpurpose>show the NixOS version</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-  <cmdsynopsis>
-    <command>nixos-version</command>
-    <arg><option>--hash</option></arg>
-    <arg><option>--revision</option></arg>
-  </cmdsynopsis>
-</refsynopsisdiv>
-
-<refsection><title>Description</title>
-
-<para>This command shows the version of the currently active NixOS
-configuration. For example:
-
-<screen>$ nixos-version
-16.03.1011.6317da4 (Emu)
-</screen>
-
-The version consists of the following elements:
-
-<variablelist>
-
-  <varlistentry>
-    <term><literal>16.03</literal></term>
-    <listitem><para>The NixOS release, indicating the year and month
-    in which it was released (e.g. March 2016).</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><literal>1011</literal></term>
-    <listitem><para>The number of commits in the Nixpkgs Git
-    repository between the start of the release branch and the commit
-    from which this version was built. This ensures that NixOS
-    versions are monotonically increasing. It is
-    <literal>git</literal> when the current NixOS configuration was
-    built from a checkout of the Nixpkgs Git repository rather than
-    from a NixOS channel.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><literal>6317da4</literal></term>
-    <listitem><para>The first 7 characters of the commit in the
-    Nixpkgs Git repository from which this version was
-    built.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><literal>Emu</literal></term>
-    <listitem><para>The code name of the NixOS release. The first
-    letter of the code name indicates that this is the N'th stable
-    NixOS release; for example, Emu is the fifth
-    release.</para></listitem>
-  </varlistentry>
-
-</variablelist>
-
-</para>
-
-</refsection>
-
-
-<refsection><title>Options</title>
-
-<para>This command accepts the following options:</para>
-
-<variablelist>
-
-  <varlistentry>
-    <term><option>--hash</option></term>
-    <term><option>--revision</option></term>
-    <listitem>
-      <para>Show the full SHA1 hash of the Git commit from which this
-      configuration was built, e.g.
-<screen>$ nixos-version --hash
-6317da40006f6bc2480c6781999c52d88dde2acf
-</screen>
-      </para>
-    </listitem>
-  </varlistentry>
-</variablelist>
-
-</refsection>
-</refentry>
--- a/nixos/doc/manual/man-pages.xml
+++ b/nixos/doc/manual/man-pages.xml
@@ -27,6 +27,5 @@
  <xi:include href="man-nixos-install.xml" />
  <xi:include href="man-nixos-option.xml" />
  <xi:include href="man-nixos-rebuild.xml" />
-  <xi:include href="man-nixos-version.xml" />

 </reference>
--- a/nixos/doc/manual/options-to-docbook.xsl
+++ b/nixos/doc/manual/options-to-docbook.xsl
@@ -11,7 +11,6 @@
  <xsl:output method='xml' encoding="UTF-8" />

  <xsl:param name="revision" />
-  <xsl:param name="program" />


  <xsl:template match="/expr/list">
@@ -189,7 +188,7 @@
                </xsl:otherwise>
              </xsl:choose>
            </xsl:when>
-            <xsl:when test="$revision != 'local' and $program = 'nixops' and contains(@value, '/nix/')">
+            <xsl:when test="$revision != 'local' and contains(@value, 'nixops') and contains(@value, '/nix/')">
              <xsl:attribute name="xlink:href">https://github.com/NixOS/nixops/blob/<xsl:value-of select="$revision"/>/nix/<xsl:value-of select="substring-after(@value, '/nix/')"/></xsl:attribute>
            </xsl:when>
            <xsl:otherwise>
--- a/nixos/doc/manual/release-notes/rl-1509.xml
+++ b/nixos/doc/manual/release-notes/rl-1509.xml
@@ -471,7 +471,7 @@ in
  <listitem> <para>
    A newly packaged TeX Live 2015 is provided in <literal>pkgs.texlive</literal>,
    split into 6500 nix packages. For basic user documentation see
-    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1"
+    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive-new/default.nix#L1"
      >the source</link>.
    Beware of <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757"
      >an issue</link> when installing a too large package set.
--- a/nixos/doc/manual/release-notes/rl-1603.xml
+++ b/nixos/doc/manual/release-notes/rl-1603.xml
@@ -385,41 +385,6 @@ services.syncthing = {
      the github issue</link>.
    </para>
  </listitem>
-
-  <listitem>
-    <para>
-      The <literal>services.xserver.startGnuPGAgent</literal> option has been removed.
-      GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
-      longer requires (or even supports) the "start everything as a child of the
-      agent" scheme we've implemented in NixOS for older versions.
-      To configure the gpg-agent for your X session, add the following code to
-      <filename>~/.bashrc</filename> or some file that’s sourced when your shell is started:
-    <programlisting>
-GPG_TTY=$(tty)
-export GPG_TTY
-    </programlisting>
-      If you want to use gpg-agent for SSH, too, add the following to your session
-      initialization (e.g. <literal>displayManager.sessionCommands</literal>)
-    <programlisting>
-gpg-connect-agent /bye
-unset SSH_AGENT_PID
-export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"
-    </programlisting>
-      and make sure that
-    <programlisting>
-enable-ssh-support
-    </programlisting>
-      is included in your <filename>~/.gnupg/gpg-agent.conf</filename>.
-      You will need to use <command>ssh-add</command> to re-add your ssh keys.
-      If gpg’s automatic transformation of the private keys to the new format fails,
-      you will need to re-import your private keyring as well:
-    <programlisting>
-gpg --import ~/.gnupg/secring.gpg
-    </programlisting>
-    The <command>gpg-agent(1)</command> man page has more details about this subject,
-    i.e. in the "EXAMPLES" section.
-    </para>
-  </listitem>
 </itemizedlist>


--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@@ -4,7 +4,7 @@
         version="5.0"
         xml:id="sec-release-16.09">

-<title>Release 16.09 (“Flounder”, 2016/09/30)</title>
+<title>Release 16.09 (“Flounder”, 2016/09/??)</title>

 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@@ -12,290 +12,39 @@ has the following highlights: </para>
 <itemizedlist>

  <listitem>
-    <para>Many NixOS configurations and Nix packages now use
-    significantly less disk space, thanks to the <link
-    xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
-    work on closure size reduction</link>. For example, the closure
-    size of a minimal NixOS container went down from ~424 MiB in 16.03
-    to ~212 MiB in 16.09, while the closure size of Firefox went from
-    ~651 MiB to ~259 MiB.</para>
-  </listitem>
-
-  <listitem>
-    <para>To improve security, packages are now <link
-    xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
-    using various hardening features</link>. See the Nixpkgs manual
-    for more information.</para>
-  </listitem>
-
-  <listitem>
-    <para>Support for PXE netboot.  See <xref
-    linkend="sec-booting-from-pxe" /> for documentation.</para>
-  </listitem>
-
-  <listitem>
-    <para>X.org server 1.18. If you use the
-    <literal>ati_unfree</literal> driver, 1.17 is still used due to an
-    ABI incompatibility.</para>
-  </listitem>
-
-  <listitem>
-    <para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd
-    231. The default Linux kernel remains 4.4.</para>
+    <para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
+    See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
  </listitem>

 </itemizedlist>

 <para>The following new services were added since the last release:</para>

-<itemizedlist>
-  <listitem><para><literal>hardware/video/amdgpu.nix</literal></para></listitem>
-  <listitem><para><literal>hardware/video/displaylink.nix</literal></para></listitem>
-  <listitem><para><literal>programs/info.nix</literal></para></listitem>
-  <listitem><para><literal>programs/mosh.nix</literal></para></listitem>
-  <listitem><para><literal>programs/spacefm.nix</literal></para></listitem>
-  <listitem><para><literal>programs/tmux.nix</literal></para></listitem>
-  <listitem><para><literal>programs/xonsh.nix</literal></para></listitem>
-  <listitem><para><literal>security/chromium-suid-sandbox.nix</literal></para></listitem>
-  <listitem><para><literal>security/hidepid.nix</literal></para></listitem>
-  <listitem><para><literal>services/audio/squeezelite.nix</literal></para></listitem>
-  <listitem><para><literal>services/backup/znapzend.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/buildkite-agent.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/hydra/default.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/gocd-agent/default.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/gocd-server/default.nix</literal></para></listitem>
-  <listitem><para><literal>services/development/hoogle.nix</literal></para></listitem>
-  <listitem><para><literal>services/editors/emacs.nix</literal></para></listitem>
-  <listitem><para><literal>services/games/factorio.nix</literal></para></listitem>
-  <listitem><para><literal>services/games/terraria.nix</literal></para></listitem>
-  <listitem><para><literal>services/logging/awstats.nix</literal></para></listitem>
-  <listitem><para><literal>services/logging/graylog.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/emby.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/mantisbt.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/nzbget.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/packagekit.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/sonarr.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/spice-vdagentd.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/taskserver</literal></para></listitem>
-  <listitem><para><literal>services/network-filesystems/tahoe.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/coturn.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/ferm.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/gdomap.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/libreswan.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/logmein-hamachi.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/mfi.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/mjpg-streamer.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/mosquitto.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/nntp-proxy.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/offlineimap.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/pptpd.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/sniproxy.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/smokeping.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/toxvpn.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/xl2tpd.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/zerobin.nix</literal></para></listitem>
-  <listitem><para><literal>services/security/oauth2_proxy.nix</literal></para></listitem>
-  <listitem><para><literal>services/torrent/flexget.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-apps/mattermost.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-apps/tt-rss.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-servers/caddy.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-servers/lighttpd/inginious.nix</literal></para></listitem>
-  <listitem><para><literal>services/x11/compton.nix</literal></para></listitem>
-  <listitem><para><literal>services/x11/xbanish.nix</literal></para></listitem>
-  <listitem><para><literal>system/boot/loader/systemd-boot/systemd-boot.nix</literal></para></listitem>
-  <listitem><para><literal>system/boot/plymouth.nix</literal></para></listitem>
-  <listitem><para><literal>virtualisation/xe-guest-utilities.nix</literal></para></listitem>
-</itemizedlist>
+  <itemizedlist>
+    <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
+  </itemizedlist>
+

 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>

 <itemizedlist>
-
-  <listitem>
-    <para>A large number of packages have been converted to use the multiple outputs feature
-      of Nix to greatly reduce the amount of required disk space, as
-      mentioned above. This may require changes
-      to any custom packages to make them build again; see the relevant chapter in the
-      Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
-      related to multiple-output packages
-      <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
-      late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
-    </para>
-  </listitem>
-
-  <listitem>
-    <para>Previous versions of Nixpkgs had support for all versions of the LTS
-    Haskell package set. That support has been dropped. The previously provided
-    <literal>haskell.packages.lts-x_y</literal> package sets still exist in
-    name to aviod breaking user code, but these package sets don't actually
-    contain the versions mandated by the corresponding LTS release. Instead,
-    our package set it loosely based on the latest available LTS release, i.e.
-    LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
-    drop those old names entirely. <link
-    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020585.html">The
-    motivation for this change</link> has been discussed at length on the
-    <literal>nix-dev</literal> mailing list and in <link
-    xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github issue
-    #14897</link>. Development strategies for Haskell hackers who want to rely
-    on Nix and NixOS have been described in <link
-    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020642.html">another
-    nix-dev article</link>.</para>
-  </listitem>
-
  <listitem>
    <para>Shell aliases for systemd sub-commands
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
    <command>start</command>, <command>stop</command>,
    <command>restart</command>, <command>status</command>.</para>
  </listitem>
-
-  <listitem>
-    <para>Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default
-    behavior of Redis 3.2</para>
-  </listitem>
-
-  <listitem>
-    <para>
-      <literal>/var/empty</literal> is now immutable. Activation script runs <command>chattr +i</command>
-      to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
-      the pull request</link> for what bugs this caused.
-    </para>
-  </listitem>
-
-  <listitem>
-  <para>
-     Using packages compiled with older Wayland may yield an error "undefined reference to `wl_proxy_*`".
-     Please upgrade those packages and <link xlink:href="https://github.com/NixOS/nixpkgs/issues/16779">see bug report for more details.</link>
-  </para>
-  </listitem>
-
-  <listitem>
-    <para>Gitlab's maintainance script
-    <command>gitlab-runner</command> was removed and split up into the
-    more clearer <command>gitlab-run</command> and
-    <command>gitlab-rake</command> scripts, because
-    <command>gitlab-runner</command> is a component of Gitlab
-    CI.</para>
-  </listitem>
-
-  <listitem>
-    <para><literal>services.xserver.libinput.accelProfile</literal> default
-    changed from <literal>flat</literal> to <literal>adaptive</literal>,
-    as per <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
-    official documentation</link>.</para>
-  </listitem>
-
-  <listitem>
-    <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
-    because our presets were obsolete for some time. New presets are hardcoded
-    into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
-    You can customize those presets via ordinary environment variables, using
-    <literal>environment.variables</literal>.</para>
-  </listitem>
-
-  <listitem>
-    <para>The <literal>audit</literal> service is no longer enabled by default.
-    Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para>
-  </listitem>
-
-  <listitem>
-    <para>
-      <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
-      kernel modules instead of the VirtualBox user space binaries.
-      If you want to reference the user space binaries, you have to use the new
-      <literal>pkgs.virtualbox</literal> instead.
-    </para>
-  </listitem>
-
-  <listitem>
-    <para><literal>goPackages</literal> was replaced with separated Go
-    applications in appropriate <literal>nixpkgs</literal>
-    categories. Each Go package uses its own dependency set. There's
-    also a new <literal>go2nix</literal> tool introduced to generate a
-    Go package definition from its Go source automatically.</para>
-  </listitem>
-
-  <listitem>
-    <para><literal>services.mongodb.extraConfig</literal> configuration format
-    was changed to YAML.</para>
-  </listitem>
-
-  <listitem>
-    <para>
-      PHP has been upgraded to 7.0
-    </para>
-  </listitem>
-
 </itemizedlist>


 <para>Other notable improvements:</para>

 <itemizedlist>
-
-  <listitem><para>Revamped grsecurity/PaX support.  There is now only a single
-  general-purpose distribution kernel and the configuration interface has been
-  streamlined.  Desktop users should be able to simply set
-  <programlisting>security.grsecurity.enable = true</programlisting> to get
-  a reasonably secure system without having to sacrifice too much
-  functionality.  See <xref linkend="sec-grsecurity" /> for documentation
-  </para></listitem>
-
-  <listitem><para>Special filesystems, like <literal>/proc</literal>,
-  <literal>/run</literal> and others, now have the same mount options
-  as recommended by systemd and are unified across different places in
-  NixOS.  Mount options are updated during <command>nixos-rebuild
-  switch</command> if possible. One benefit from this is improved
-  security — most such filesystems are now mounted with
-  <literal>noexec</literal>, <literal>nodev</literal> and/or
-  <literal>nosuid</literal> options.</para></listitem>
-
-  <listitem><para>The reverse path filter was interfering with DHCPv4 server
-  operation in the past. An exception for DHCPv4 and a new option to log
-  packets that were dropped due to the reverse path filter was added
-  (<literal>networking.firewall.logReversePathDrops</literal>) for easier
-  debugging.</para></listitem>
-
-  <listitem><para>Containers configuration within
-  <literal>containers.&lt;name&gt;.config</literal> is <link
-  xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
-  properly typed and checked</link>. In particular, partial
-  configurations are merged correctly.</para></listitem>
-
  <listitem>
-    <para>The directory container setuid wrapper programs,
-    <filename>/var/setuid-wrappers</filename>, <link
-    xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
-    updated atomically to prevent failures if the switch to a new
-    configuration is interrupted.</link></para>
+    <para>todo</para>
  </listitem>

-  <listitem>
-    <para><literal>services.xserver.startGnuPGAgent</literal>
-      has been removed due to GnuPG 2.1.x bump. See <link
-        xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
-        how to achieve similar behavior</link>. You might need to
-      <literal>pkill gpg-agent</literal> after the upgrade
-      to prevent a stale agent being in the way.
-    </para>
-  </listitem>
-
-  <listitem><para>
-    <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
-    Declarative users could share the uid due to the bug in
-    the script handling conflict resolution.
-    </link>
-  </para></listitem>
-
-  <listitem><para>
-    Gummi boot has been replaced using systemd-boot.
-  </para></listitem>
-
-  <listitem><para>
-    Hydra package and NixOS module were added for convenience.
-  </para></listitem>
-
 </itemizedlist>


--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -12,9 +12,6 @@
  # directly.
  partitioned ? true

-  # Whether to invoke switch-to-configuration boot during image creation
-, installBootLoader ? true
-
 , # The root file system type.
  fsType ? "ext4"

@@ -67,24 +64,40 @@ pkgs.vmTools.runInLinuxVM (
      mkdir /mnt
      mount $rootDisk /mnt

+      # The initrd expects these directories to exist.
+      mkdir /mnt/dev /mnt/proc /mnt/sys
+
+      mount -o bind /proc /mnt/proc
+      mount -o bind /dev /mnt/dev
+      mount -o bind /sys /mnt/sys
+
+      # Copy all paths in the closure to the filesystem.
+      storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
+
+      mkdir -p /mnt/nix/store
+      echo "copying everything (will take a while)..."
+      set -f
+      cp -prd $storePaths /mnt/nix/store/
+
      # Register the paths in the Nix database.
      printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-          ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
+          chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""

      # Add missing size/hash fields to the database. FIXME:
      # exportReferencesGraph should provide these directly.
-      ${config.nix.package.out}/bin/nix-store --verify --check-contents --option build-users-group ""
+      chroot /mnt ${config.nix.package.out}/bin/nix-store --verify --check-contents

-      # In case the bootloader tries to write to /dev/sda…
-      ln -s vda /dev/xvda
-      ln -s vda /dev/sda
+      # Create the system profile to allow nixos-rebuild to work.
+      chroot /mnt ${config.nix.package.out}/bin/nix-env --option build-users-group "" \
+          -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}

-      # Install the closure onto the image
-      USER=root ${config.system.build.nixos-install}/bin/nixos-install \
-        --closure ${config.system.build.toplevel} \
-        --no-channel-copy \
-        --no-root-passwd \
-        ${optionalString (!installBootLoader) "--no-bootloader"}
+      # `nixos-rebuild' requires an /etc/NIXOS.
+      mkdir -p /mnt/etc
+      touch /mnt/etc/NIXOS
+
+      # `switch-to-configuration' requires a /bin/sh
+      mkdir -p /mnt/bin
+      ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh

      # Install a configuration.nix.
      mkdir -p /mnt/etc/nixos
@@ -92,9 +105,12 @@ pkgs.vmTools.runInLinuxVM (
        cp ${configFile} /mnt/etc/nixos/configuration.nix
      ''}

-      # Remove /etc/machine-id so that each machine cloning this image will get its own id
-      rm -f /mnt/etc/machine-id
+      # Generate the GRUB menu.
+      ln -s vda /dev/xvda
+      ln -s vda /dev/sda
+      chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot

+      umount /mnt/proc /mnt/dev /mnt/sys
      umount /mnt

      # Do a fsck to make sure resize2fs works.
--- a/nixos/lib/test-driver/Machine.pm
+++ b/nixos/lib/test-driver/Machine.pm
@@ -566,25 +566,14 @@ sub getWindowNames {
 }


-sub hasWindow {
-    my ($self, $regexp) = @_;
-    my @names = $self->getWindowNames;
-    foreach my $n (@names) {
-        if ($n =~ /$regexp/) {
-            $self->log("match '$n' on '$regexp'");
-            return 1;
-        } else {
-            $self->log("no match '$n' on '$regexp'");
-        }
-    }
-}
-
-
 sub waitForWindow {
    my ($self, $regexp) = @_;
    $self->nest("waiting for a window to appear", sub {
        retry sub {
-            return $self->hasWindow($regexp)
+            my @names = $self->getWindowNames;
+            foreach my $n (@names) {
+                return 1 if $n =~ /$regexp/;
+            }
        }
    });
 }
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@@ -29,7 +29,7 @@ rec {
        cp ${./test-driver/Logger.pm} $libDir/Logger.pm

        wrapProgram $out/bin/nixos-test-driver \
-          --prefix PATH : "${lib.makeBinPath [ qemu_kvm vde2 netpbm coreutils ]}" \
+          --prefix PATH : "${qemu_kvm}/bin:${vde2}/bin:${netpbm}/bin:${coreutils}/bin" \
          --prefix PERL5LIB : "${with perlPackages; lib.makePerlPath [ TermReadLineGnu XMLWriter IOTty FileSlurp ]}:$out/lib/perl5/site_perl"
      '';
  };
@@ -113,14 +113,14 @@ rec {
            --add-flags "$vms" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --run "testScript=\"\$(cat $out/test-script)\"" \
-            --set testScript '$testScript' \
-            --set VLANS '${toString vlans}'
+            --set testScript '"$testScript"' \
+            --set VLANS '"${toString vlans}"'
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
          wrapProgram $out/bin/nixos-run-vms \
            --add-flags "$vms" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
-            --set tests 'startAll; joinAll;' \
-            --set VLANS '${toString vlans}' \
+            --set tests '"startAll; joinAll;"' \
+            --set VLANS '"${toString vlans}"' \
            ${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
        ''; # "

@@ -157,7 +157,9 @@ rec {
        ${coreutils}/bin/mkdir -p $TMPDIR
        cd $TMPDIR

-        exec $origBuilder $origArgs
+        $origBuilder $origArgs
+
+        exit $?
      '';

      testScript = ''
@@ -170,22 +172,9 @@ rec {
      '';

      vmRunCommand = writeText "vm-run" ''
-        xchg=vm-state-client/xchg
        ${coreutils}/bin/mkdir $out
-        ${coreutils}/bin/mkdir -p $xchg
-
-        for i in $passAsFile; do
-          i2=''${i}Path
-          _basename=$(${coreutils}/bin/basename ''${!i2})
-          ${coreutils}/bin/cp ''${!i2} $xchg/$_basename
-          eval $i2=/tmp/xchg/$_basename
-          ${coreutils}/bin/ls -la $xchg
-        done
-
-        unset i i2 _basename
-        export | ${gnugrep}/bin/grep -v '^xchg=' > $xchg/saved-env
-        unset xchg
-
+        ${coreutils}/bin/mkdir -p vm-state-client/xchg
+        export > vm-state-client/xchg/saved-env
        export tests='${testScript}'
        ${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
      ''; # */
--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@@ -2,27 +2,10 @@ pkgs: with pkgs.lib;

 rec {

-  # Check whenever fileSystem is needed for boot
-  fsNeededForBoot = fs: fs.neededForBoot
-                     || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
-
-  # Check whenever `b` depends on `a` as a fileSystem
-  # FIXME: it's incorrect to simply use hasPrefix here: "/dev/a" is not a parent of "/dev/ab"
-  fsBefore = a: b: ((any (x: elem x [ "bind" "move" ]) b.options) && (a.mountPoint == b.device))
-                || (hasPrefix a.mountPoint b.mountPoint);
-
  # Escape a path according to the systemd rules, e.g. /dev/xyzzy
  # becomes dev-xyzzy.  FIXME: slow.
  escapeSystemdPath = s:
   replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"]
    (if hasPrefix "/" s then substring 1 (stringLength s) s else s);

-  # Returns a system path for a given shell package
-  toShellPath = shell:
-    if types.shellPackage.check shell then
-      "/run/current-system/sw${shell.shellPath}"
-    else if types.package.check shell then
-      throw "${shell} is not a shell package"
-    else
-      shell;
 }
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@@ -13,11 +13,8 @@ echo "NixOS version is $version ($major)"

 rm -f ec2-amis.nix

-types="hvm pv"
-stores="ebs s3"
-regions="eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"

-for type in $types; do
+for type in hvm pv; do
    link=$stateDir/$type
    imageFile=$link/nixos.qcow2
    system=x86_64-linux
@@ -34,7 +31,7 @@ for type in $types; do
            --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }"
    fi

-    for store in $stores; do
+    for store in ebs s3; do

        bucket=nixos-amis
        bucketDir="$version-$type-$store"
@@ -42,7 +39,7 @@ for type in $types; do
        prevAmi=
        prevRegion=

-        for region in $regions; do
+        for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do

            name=nixos-$version-$arch-$type-$store
            description="NixOS $system $version ($type-$store)"
@@ -54,11 +51,10 @@ for type in $types; do
                echo "doing $name in $region..."

                if [ -n "$prevAmi" ]; then
-                    ami=$(aws ec2 copy-image \
+                    ami=$(ec2-copy-image \
                        --region "$region" \
-                        --source-region "$prevRegion" --source-image-id "$prevAmi" \
-                        --name "$name" --description "$description" | json -q .ImageId)
-                    if [ "$ami" = null ]; then break; fi
+                        --source-region "$prevRegion" --source-ami-id "$prevAmi" \
+                        --name "$name" --description "$description" | cut -f 2)
                else

                    if [ $store = s3 ]; then
@@ -89,12 +85,12 @@ for type in $types; do
                            ec2-upload-bundle \
                                -m $imageDir/$type.raw.manifest.xml \
                                -b "$bucket/$bucketDir" \
-                                -a "$AWS_ACCESS_KEY_ID" -s "$AWS_SECRET_ACCESS_KEY" \
+                                -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \
                                --location EU
                            touch $imageDir/uploaded
                        fi

-                        extraFlags="--image-location $bucket/$bucketDir/$type.raw.manifest.xml"
+                        extraFlags="$bucket/$bucketDir/$type.raw.manifest.xml"

                    else

@@ -119,8 +115,7 @@ for type in $types; do
                        if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then
                            echo "importing $vhdFile..."
                            taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \
-                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \
                                --region "$region" -z "${region}a" \
                                --bucket "$bucket" --prefix "$bucketDir/" \
                                | tee /dev/stderr \
@@ -130,16 +125,15 @@ for type in $types; do

                        if [ -z "$snapId" -a -z "$volId" ]; then
                            ec2-resume-import  $vhdFile -t "$taskId" --region "$region" \
-                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY"
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY"
                        fi

                        # Wait for the volume creation to finish.
                        if [ -z "$snapId" -a -z "$volId" ]; then
                            echo "waiting for import to finish..."
                            while true; do
-                                volId=$(aws ec2 describe-conversion-tasks --conversion-task-ids "$taskId" --region "$region" | jq -r .ConversionTasks[0].ImportVolume.Volume.Id)
-                                if [ "$volId" != null ]; then break; fi
+                                volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d')
+                                if [ -n "$volId" ]; then break; fi
                                sleep 10
                            done

@@ -149,24 +143,22 @@ for type in $types; do
                        # Delete the import task.
                        if [ -n "$volId" -a -n "$taskId" ]; then
                            echo "removing import task..."
-                            ec2-delete-disk-image -t "$taskId" --region "$region" \
-                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" || true
+                            ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true
                            rm -f $stateDir/$region.$type.task-id
                        fi

                        # Create a snapshot.
                        if [ -z "$snapId" ]; then
                            echo "creating snapshot..."
-                            snapId=$(aws ec2 create-snapshot --volume-id "$volId" --region "$region" --description "$description" | jq -r .SnapshotId)
-                            if [ "$snapId" = null ]; then exit 1; fi
+                            snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2)
                            echo -n "$snapId" > $stateDir/$region.$type.snap-id
+                            ec2-create-tags "$snapId" -t "Name=$description" --region "$region"
                        fi

                        # Wait for the snapshot to finish.
                        echo "waiting for snapshot to finish..."
                        while true; do
-                            status=$(aws ec2 describe-snapshots --snapshot-ids "$snapId" --region "$region" | jq -r .Snapshots[0].State)
+                            status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4)
                            if [ "$status" = completed ]; then break; fi
                            sleep 10
                        done
@@ -174,50 +166,35 @@ for type in $types; do
                        # Delete the volume.
                        if [ -n "$volId" ]; then
                            echo "deleting volume..."
-                            aws ec2 delete-volume --volume-id "$volId" --region "$region" || true
+                            ec2-delete-volume "$volId" --region "$region" || true
                            rm -f $stateDir/$region.$type.vol-id
                        fi

-                        blockDeviceMappings="DeviceName=/dev/sda1,Ebs={SnapshotId=$snapId,VolumeSize=$vhdFileLogicalGigaBytes,DeleteOnTermination=true,VolumeType=gp2}"
-                        extraFlags=""
+                        extraFlags="-b /dev/sda1=$snapId:$vhdFileLogicalGigaBytes:true:gp2"

                        if [ $type = pv ]; then
-                            extraFlags+=" --root-device-name /dev/sda1"
-                        else
-                            extraFlags+=" --root-device-name /dev/sda1"
-                            extraFlags+=" --sriov-net-support simple"
-                            extraFlags+=" --ena-support"
+                            extraFlags+=" --root-device-name=/dev/sda1"
                        fi

-                        blockDeviceMappings+=" DeviceName=/dev/sdb,VirtualName=ephemeral0"
-                        blockDeviceMappings+=" DeviceName=/dev/sdc,VirtualName=ephemeral1"
-                        blockDeviceMappings+=" DeviceName=/dev/sdd,VirtualName=ephemeral2"
-                        blockDeviceMappings+=" DeviceName=/dev/sde,VirtualName=ephemeral3"
-                    fi
-
-                    if [ $type = hvm ]; then
-                        extraFlags+=" --sriov-net-support simple"
-                        extraFlags+=" --ena-support"
+                        extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3"
                    fi

                    # Register the AMI.
                    if [ $type = pv ]; then
-                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
-                        if [ "$kernel" = null ]; then break; fi
+                        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
+                        [ -n "$kernel" ]
                        echo "using PV-GRUB kernel $kernel"
                        extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
                    else
                        extraFlags+=" --virtualization-type hvm"
                    fi

-                    ami=$(aws ec2 register-image \
-                        --name "$name" \
-                        --description "$description" \
+                    ami=$(ec2-register \
+                        -n "$name" \
+                        -d "$description" \
                        --region "$region" \
                        --architecture "$arch" \
-                        --block-device-mappings $blockDeviceMappings \
-                        $extraFlags | jq -r .ImageId)
-                    if [ "$ami" = null ]; then break; fi
+                        $extraFlags | cut -f 2)
                fi

                echo -n "$ami" > $amiFile
@@ -227,45 +204,23 @@ for type in $types; do
                ami=$(cat $amiFile)
            fi

-            echo "region = $region, type = $type, store = $store, ami = $ami"
+            if [ -z "$NO_WAIT" -o -z "$prevAmi" ]; then
+                echo "waiting for AMI..."
+                while true; do
+                    status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5)
+                    if [ "$status" = available ]; then break; fi
+                    sleep 10
+                done

+                ec2-modify-image-attribute \
+                    --region "$region" "$ami" -l -a all
+            fi
+
+            echo "region = $region, type = $type, store = $store, ami = $ami"
            if [ -z "$prevAmi" ]; then
                prevAmi="$ami"
                prevRegion="$region"
            fi
-        done
-
-    done
-
-done
-
-for type in $types; do
-    link=$stateDir/$type
-    system=x86_64-linux
-    arch=x86_64
-
-    for store in $stores; do
-
-        for region in $regions; do
-
-            name=nixos-$version-$arch-$type-$store
-            amiFile=$stateDir/$region.$type.$store.ami-id
-            ami=$(cat $amiFile)
-
-            echo "region = $region, type = $type, store = $store, ami = $ami"
-
-            echo -n "waiting for AMI..."
-            while true; do
-                status=$(aws ec2 describe-images --image-ids "$ami" --region "$region" | jq -r .Images[0].State)
-                if [ "$status" = available ]; then break; fi
-                sleep 10
-                echo -n '.'
-            done
-            echo
-
-            # Make the image public.
-            aws ec2 modify-image-attribute \
-                --image-id "$ami" --region "$region" --launch-permission 'Add={Group=all}'

            echo "  \"$major\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
        done
--- a/nixos/modules/config/fonts/fontconfig-ultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix
@@ -3,95 +3,6 @@
 with lib;

 let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
-
-    cfg = config.fonts.fontconfig.ultimate;
-
-    latestVersion  = pkgs.fontconfig.configVersion;
-
-    # fontconfig ultimate main configuration file
-    # priority 52
-    fontconfigUltimateConf = pkgs.writeText "fc-52-fontconfig-ultimate.conf" ''
-      <?xml version="1.0"?>
-      <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
-      <fontconfig>
-
-        ${optionalString (!cfg.allowBitmaps) ''
-        <!-- Reject bitmap fonts -->
-        <selectfont>
-          <rejectfont>
-            <pattern>
-              <patelt name="scalable"><bool>false</bool></patelt>
-            </pattern>
-          </rejectfont>
-        </selectfont>
-        ''}
-
-        ${optionalString cfg.allowType1 ''
-        <!-- Reject Type 1 fonts -->
-        <selectfont>
-          <rejectfont>
-            <pattern>
-              <patelt name="fontformat">
-                <string>Type 1</string>
-              </patelt>
-            </pattern>
-          </rejectfont>
-        </selectfont>
-        ''}
-
-        <!-- Use embedded bitmaps in fonts like Calibri? -->
-        <match target="font">
-          <edit name="embeddedbitmap" mode="assign">
-            ${fcBool cfg.useEmbeddedBitmaps}
-          </edit>
-        </match>
-
-        <!-- Force autohint always -->
-        <match target="font">
-          <edit name="force_autohint" mode="assign">
-            ${fcBool cfg.forceAutohint}
-          </edit>
-        </match>
-
-        <!-- Render some monospace TTF fonts as bitmaps -->
-        <match target="pattern">
-          <edit name="bitmap_monospace" mode="assign">
-            ${fcBool cfg.renderMonoTTFAsBitmap}
-          </edit>
-        </match>
-
-      </fontconfig>
-    '';
-
-    # The configuration to be included in /etc/font/
-    confPkg = pkgs.runCommand "font-ultimate-conf" {} ''
-      support_folder=$out/etc/fonts/conf.d
-      latest_folder=$out/etc/fonts/${latestVersion}/conf.d
-
-      mkdir -p $support_folder
-      mkdir -p $latest_folder
-
-      # 52-fontconfig-ultimate.conf
-      ln -s ${fontconfigUltimateConf} \
-            $support_folder/52-fontconfig-ultimate.conf
-      ln -s ${fontconfigUltimateConf} \
-            $latest_folder/52-fontconfig-ultimate.conf
-
-      # fontconfig ultimate substitutions
-      ${optionalString (cfg.substitutions != "none") ''
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
-            $support_folder
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
-            $latest_folder
-      ''}
-
-      # fontconfig ultimate various configuration files
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
-            $support_folder
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
-            $latest_folder
-    '';
-
 in
 {

@@ -153,7 +64,9 @@ in
          };

          substitutions = mkOption {
-            type = types.nullOr (types.enum ["free" "combi" "ms"]);
+            type = types.str // {
+              check = flip elem ["none" "free" "combi" "ms"];
+            };
            default = "free";
            description = ''
              Font substitutions to replace common Type 1 fonts with nicer
@@ -164,12 +77,35 @@ in
            '';
          };

-          preset = mkOption {
-            type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"];
-            default = "ultimate3";
+          rendering = mkOption {
+            type = types.attrs;
+            default = pkgs.fontconfig-ultimate.rendering.ultimate;
            description = ''
-              FreeType rendering settings preset. Any of the presets may be
-              customized by setting environment variables.
+              FreeType rendering settings presets. The default is
+              <literal>pkgs.fontconfig-ultimate.rendering.ultimate</literal>.
+              The other available styles are:
+              <literal>ultimate-lighter</literal>,
+              <literal>ultimate-darker</literal>,
+              <literal>ultimate-lightest</literal>,
+              <literal>ultimate-darkest</literal>,
+              <literal>default</literal> (the original Infinality default),
+              <literal>osx</literal>,
+              <literal>ipad</literal>,
+              <literal>ubuntu</literal>,
+              <literal>linux</literal>,
+              <literal>winxplight</literal>,
+              <literal>win7light</literal>,
+              <literal>winxp</literal>,
+              <literal>win7</literal>,
+              <literal>vanilla</literal>,
+              <literal>classic</literal>,
+              <literal>nudge</literal>,
+              <literal>push</literal>,
+              <literal>shove</literal>,
+              <literal>sharpened</literal>,
+              <literal>infinality</literal>. Any of the presets may be
+              customized by editing the attributes. To disable, set this option
+              to the empty attribute set <literal>{}</literal>.
            '';
          };
        };
@@ -178,11 +114,80 @@ in

  };

-  config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {

-    fonts.fontconfig.confPackages = [ confPkg ];
-    environment.variables."INFINALITY_FT" = cfg.preset;
+  config =
+    let ultimate = config.fonts.fontconfig.ultimate;
+        fontconfigUltimateConf = ''
+          <?xml version="1.0"?>
+          <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+          <fontconfig>

-  };
+            ${optionalString (!ultimate.allowBitmaps) ''
+            <!-- Reject bitmap fonts -->
+            <selectfont>
+              <rejectfont>
+                <pattern>
+                  <patelt name="scalable"><bool>false</bool></patelt>
+                </pattern>
+              </rejectfont>
+            </selectfont>
+            ''}
+
+            ${optionalString ultimate.allowType1 ''
+            <!-- Reject Type 1 fonts -->
+            <selectfont>
+              <rejectfont>
+                <pattern>
+                  <patelt name="fontformat">
+                    <string>Type 1</string>
+                  </patelt>
+                </pattern>
+              </rejectfont>
+            </selectfont>
+            ''}
+
+            <!-- Use embedded bitmaps in fonts like Calibri? -->
+            <match target="font">
+              <edit name="embeddedbitmap" mode="assign">
+                ${fcBool ultimate.useEmbeddedBitmaps}
+              </edit>
+            </match>
+
+            <!-- Force autohint always -->
+            <match target="font">
+              <edit name="force_autohint" mode="assign">
+                ${fcBool ultimate.forceAutohint}
+              </edit>
+            </match>
+
+            <!-- Render some monospace TTF fonts as bitmaps -->
+            <match target="pattern">
+              <edit name="bitmap_monospace" mode="assign">
+                ${fcBool ultimate.renderMonoTTFAsBitmap}
+              </edit>
+            </match>
+
+            ${optionalString (ultimate.substitutions != "none") ''
+            <!-- Type 1 font substitutions -->
+            <include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/presets/${ultimate.substitutions}</include>
+            ''}
+
+            <include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/conf.d</include>
+
+          </fontconfig>
+        '';
+    in mkIf (config.fonts.fontconfig.enable && ultimate.enable) {
+
+      environment.etc."fonts/conf.d/52-fontconfig-ultimate.conf" = {
+        text = fontconfigUltimateConf;
+      };
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/52-fontconfig-ultimate.conf" = {
+        text = fontconfigUltimateConf;
+      };
+
+      environment.variables = ultimate.rendering;
+
+    };

 }
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@@ -1,207 +1,7 @@
-/*
-
-NixOS support 2 fontconfig versions, "support" and "latest".
-
- "latest" refers to default fontconfig package (pkgs.fontconfig).
-  configuration files are linked to /etc/fonts/VERSION/conf.d/
- "support" refers to supportPkg (pkgs."fontconfig_${supportVersion}").
-  configuration files are linked to /etc/fonts/conf.d/
-
-This module generates a package containing configuration files and link it in /etc/fonts.
-
-Fontconfig reads files in folder name / file name order, so the number prepended to the configuration file name decide the order of parsing.
-Low number means high priority.
-
-*/
-
 { config, lib, pkgs, ... }:

 with lib;

-let cfg = config.fonts.fontconfig;
-
-    fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
-
-    # back-supported fontconfig version and package
-    # version is used for font cache generation
-    supportVersion = "210";
-    supportPkg     = pkgs."fontconfig_${supportVersion}";
-
-    # latest fontconfig version and package
-    # version is used for configuration folder name, /etc/fonts/VERSION/
-    # note: format differs from supportVersion and can not be used with makeCacheConf
-    latestVersion  = pkgs.fontconfig.configVersion;
-    latestPkg      = pkgs.fontconfig;
-
-    # supported version fonts.conf
-    supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
-
-    # configuration file to read fontconfig cache
-    # version dependent
-    # priority 0
-    cacheConfSupport = makeCacheConf { version = supportVersion; };
-    cacheConfLatest  = makeCacheConf {};
-    
-    # generate the font cache setting file for a fontconfig version
-    # use latest when no version is passed
-    makeCacheConf = { version ? null }:
-      let 
-        fcPackage = if builtins.isNull version
-                    then "fontconfig"
-                    else "fontconfig_${version}";
-        makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
-        cache     = makeCache pkgs."${fcPackage}";
-        cache32   = makeCache pkgs.pkgsi686Linux."${fcPackage}";
-      in
-      pkgs.writeText "fc-00-nixos-cache.conf" ''
-        <?xml version='1.0'?>
-        <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-        <fontconfig>
-          <!-- Font directories -->
-          ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
-          <!-- Pre-generated font caches -->
-          <cachedir>${cache}</cachedir>
-          ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
-            <cachedir>${cache32}</cachedir>
-          ''}
-        </fontconfig>
-      '';
-
-    # rendering settings configuration file
-    # priority 10
-    renderConf = pkgs.writeText "fc-10-nixos-rendering.conf" ''
-      <?xml version='1.0'?>
-      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-      <fontconfig>
-
-        <!-- Default rendering settings -->
-        <match target="font">
-          <edit mode="assign" name="hinting">
-            ${fcBool cfg.hinting.enable}
-          </edit>
-          <edit mode="assign" name="autohint">
-            ${fcBool cfg.hinting.autohint}
-          </edit>
-          <edit mode="assign" name="hintstyle">
-            <const>hint${cfg.hinting.style}</const>
-          </edit>
-          <edit mode="assign" name="antialias">
-            ${fcBool cfg.antialias}
-          </edit>
-          <edit mode="assign" name="rgba">
-            <const>${cfg.subpixel.rgba}</const>
-          </edit>
-          <edit mode="assign" name="lcdfilter">
-            <const>lcd${cfg.subpixel.lcdfilter}</const>
-          </edit>
-        </match>
-
-        ${optionalString (cfg.dpi != 0) ''
-        <match target="pattern">
-          <edit name="dpi" mode="assign">
-            <double>${toString cfg.dpi}</double>
-          </edit>
-        </match>
-        ''}
-
-      </fontconfig>
-    '';
-
-    # local configuration file
-    # priority 51
-    localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
-
-    # default fonts configuration file
-    # priority 52
-    defaultFontsConf = 
-      let genDefault = fonts: name:
-        optionalString (fonts != []) ''
-          <alias>
-            <family>${name}</family>
-            <prefer>
-            ${concatStringsSep ""
-            (map (font: ''
-              <family>${font}</family>
-            '') fonts)}
-            </prefer>
-          </alias>
-        '';
-      in
-      pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
-      <?xml version='1.0'?>
-      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-      <fontconfig>
-
-        <!-- Default fonts -->
-        ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
-
-        ${genDefault cfg.defaultFonts.serif     "serif"}
-
-        ${genDefault cfg.defaultFonts.monospace "monospace"}
-
-      </fontconfig>
-    '';
-
-    # fontconfig configuration package 
-    confPkg = pkgs.runCommand "fontconfig-conf" {} ''
-      support_folder=$out/etc/fonts
-      latest_folder=$out/etc/fonts/${latestVersion}
-
-      mkdir -p $support_folder/conf.d
-      mkdir -p $latest_folder/conf.d
-
-      # fonts.conf
-      ln -s ${supportFontsConf} $support_folder/fonts.conf
-      ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
-            $latest_folder/fonts.conf
-
-      # fontconfig default config files
-      ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
-            $support_folder/conf.d/
-      ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \
-            $latest_folder/conf.d/
-
-      # update latest 51-local.conf path to look at the latest local.conf
-      rm    $latest_folder/conf.d/51-local.conf
-
-      substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
-                 $latest_folder/conf.d/51-local.conf \
-                 --replace local.conf /etc/fonts/${latestVersion}/local.conf 
-
-      # 00-nixos-cache.conf
-      ln -s ${cacheConfSupport} \
-            $support_folder/conf.d/00-nixos-cache.conf
-      ln -s ${cacheConfLatest}  $latest_folder/conf.d/00-nixos-cache.conf
-
-      # 10-nixos-rendering.conf
-      ln -s ${renderConf}       $support_folder/conf.d/10-nixos-rendering.conf
-      ln -s ${renderConf}       $latest_folder/conf.d/10-nixos-rendering.conf
-
-      # 50-user.conf
-      ${optionalString (! cfg.includeUserConf) ''
-      rm    $support_folder/conf.d/50-user.conf
-      rm    $latest_folder/conf.d/50-user.conf
-      ''}
-
-      # local.conf (indirect priority 51)
-      ${optionalString (cfg.localConf != "") ''
-      ln -s ${localConf}        $support_folder/local.conf
-      ln -s ${localConf}        $latest_folder/local.conf
-      ''}
-
-      # 52-nixos-default-fonts.conf
-      ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf
-      ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf
-    '';
-
-    # Package with configuration files
-    # this merge all the packages in the fonts.fontconfig.confPackages list
-    fontconfigEtc = pkgs.buildEnv {
-      name  = "fontconfig-etc";
-      paths = cfg.confPackages;
-      ignoreCollisions = true;
-    };
-in
 {

  options = {
@@ -221,15 +21,6 @@ in
          '';
        };

-        confPackages = mkOption {
-          internal = true;
-          type     = with types; listOf path;
-          default  = [ ];
-          description = ''
-            Fontconfig configuration packages.
-          '';
-        };
-
        antialias = mkOption {
          type = types.bool;
          default = true;
@@ -245,15 +36,6 @@ in
          '';
        };

-        localConf = mkOption {
-          type = types.lines;
-          default = "";
-          description = ''
-            System-wide customization file contents, has higher priority than 
-            <literal>defaultFonts</literal> settings.
-          '';
-        };
-
        defaultFonts = {
          monospace = mkOption {
            type = types.listOf types.str;
@@ -360,11 +142,136 @@ in
    };

  };
-  config = mkIf cfg.enable {
-    fonts.fontconfig.confPackages = [ confPkg ];

-    environment.systemPackages    = [ pkgs.fontconfig ];
-    environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
-  };
+  config =
+    let fontconfig = config.fonts.fontconfig;
+        fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
+        renderConf = ''
+          <?xml version='1.0'?>
+          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+          <fontconfig>
+
+            <!-- Default rendering settings -->
+            <match target="font">
+              <edit mode="assign" name="hinting">
+                ${fcBool fontconfig.hinting.enable}
+              </edit>
+              <edit mode="assign" name="autohint">
+                ${fcBool fontconfig.hinting.autohint}
+              </edit>
+              <edit mode="assign" name="hintstyle">
+                <const>hint${fontconfig.hinting.style}</const>
+              </edit>
+              <edit mode="assign" name="antialias">
+                ${fcBool fontconfig.antialias}
+              </edit>
+              <edit mode="assign" name="rgba">
+                <const>${fontconfig.subpixel.rgba}</const>
+              </edit>
+              <edit mode="assign" name="lcdfilter">
+                <const>lcd${fontconfig.subpixel.lcdfilter}</const>
+              </edit>
+            </match>
+
+            ${optionalString (fontconfig.dpi != 0) ''
+            <match target="pattern">
+              <edit name="dpi" mode="assign">
+                <double>${toString fontconfig.dpi}</double>
+              </edit>
+            </match>
+            ''}
+
+          </fontconfig>
+        '';
+        genericAliasConf = ''
+          <?xml version='1.0'?>
+          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+          <fontconfig>
+
+            <!-- Default fonts -->
+            ${optionalString (fontconfig.defaultFonts.sansSerif != []) ''
+            <alias>
+              <family>sans-serif</family>
+              <prefer>
+                ${concatStringsSep "\n"
+                  (map (font: "<family>${font}</family>")
+                    fontconfig.defaultFonts.sansSerif)}
+              </prefer>
+            </alias>
+            ''}
+            ${optionalString (fontconfig.defaultFonts.serif != []) ''
+            <alias>
+              <family>serif</family>
+              <prefer>
+                ${concatStringsSep "\n"
+                  (map (font: "<family>${font}</family>")
+                    fontconfig.defaultFonts.serif)}
+              </prefer>
+            </alias>
+            ''}
+            ${optionalString (fontconfig.defaultFonts.monospace != []) ''
+            <alias>
+              <family>monospace</family>
+              <prefer>
+                ${concatStringsSep "\n"
+                  (map (font: "<family>${font}</family>")
+                    fontconfig.defaultFonts.monospace)}
+              </prefer>
+            </alias>
+            ''}
+
+          </fontconfig>
+        '';
+    in mkIf fontconfig.enable {
+
+      # Fontconfig 2.10 backward compatibility
+
+      # Bring in the default (upstream) fontconfig configuration, only for fontconfig 2.10
+      environment.etc."fonts/fonts.conf".source =
+        pkgs.makeFontsConf { fontconfig = pkgs.fontconfig_210; fontDirectories = config.fonts.fonts; };
+
+      environment.etc."fonts/conf.d/10-nixos-rendering.conf".text = renderConf;
+      environment.etc."fonts/conf.d/60-nixos-generic-alias.conf".text = genericAliasConf;
+
+      # Versioned fontconfig > 2.10. Take shared fonts.conf from fontconfig.
+      # Otherwise specify only font directories.
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/fonts.conf".source =
+        "${pkgs.fontconfig.out}/etc/fonts/fonts.conf";
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
+        let
+          cache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
+        in ''
+          <?xml version='1.0'?>
+          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+          <fontconfig>
+            <!-- Font directories -->
+            ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
+            <!-- Pre-generated font caches -->
+            <cachedir>${cache pkgs.fontconfig}</cachedir>
+            ${optionalString (pkgs.stdenv.isx86_64 && config.fonts.fontconfig.cache32Bit) ''
+              <cachedir>${cache pkgs.pkgsi686Linux.fontconfig}</cachedir>
+            ''}
+          </fontconfig>
+        '';
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/10-nixos-rendering.conf".text = renderConf;
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/60-nixos-generic-alias.conf".text = genericAliasConf;
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/99-user.conf" = {
+        enable = fontconfig.includeUserConf;
+        text = ''
+          <?xml version="1.0"?>
+          <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+          <fontconfig>
+            <include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
+            <include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
+          </fontconfig>
+        '';
+      };
+
+      environment.systemPackages = [ pkgs.fontconfig ];
+
+    };

 }
--- a/nixos/modules/config/fonts/fonts.nix
+++ b/nixos/modules/config/fonts/fonts.nix
@@ -11,28 +11,18 @@ with lib;
      # TODO: find another name for it.
      fonts = mkOption {
        type = types.listOf types.path;
-        default = [];
        example = literalExample "[ pkgs.dejavu_fonts ]";
        description = "List of primary font paths.";
      };

-      enableDefaultFonts = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable a basic set of fonts providing several font styles
-          and families and reasonable coverage of Unicode.
-        '';
-      };
-
    };

  };

  config = {

-    fonts.fonts = mkIf config.fonts.enableDefaultFonts
-      [
+    fonts.fonts =
+      [ pkgs.xorg.fontbhttf
        pkgs.xorg.fontbhlucidatypewriter100dpi
        pkgs.xorg.fontbhlucidatypewriter75dpi
        pkgs.dejavu_fonts
--- a/nixos/modules/config/gnu.nix
+++ b/nixos/modules/config/gnu.nix
@@ -37,7 +37,6 @@ with lib;
    services.openssh.enable = false;
    services.lshd.enable = true;
    programs.ssh.startAgent = false;
-    services.xserver.startGnuPGAgent = true;

    # TODO: GNU dico.
    # TODO: GNU Inetutils' inetd.
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -41,15 +41,6 @@ in
        '';
      };

-      consolePackages = mkOption {
-        type = types.listOf types.package;
-        default = with pkgs.kbdKeymaps; [ dvp neo ];
-        description = ''
-	  List of additional packages that provide console fonts, keymaps and
-          other resources.
-        '';
-      };
-
      consoleFont = mkOption {
        type = types.str;
        default = "Lat2-Terminus16";
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -62,18 +62,6 @@ in
        description = "Whether to enable authentication against an LDAP server.";
      };

-      loginPam = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to include authentication against LDAP in login PAM";
-      };
-
-      nsswitch = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to include lookup against LDAP in NSS";
-      };
-
      server = mkOption {
        example = "ldap://ldap.example.org/";
        description = "The URL of the LDAP server.";
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -8,7 +8,7 @@ let

  inherit (config.services.avahi) nssmdns;
  inherit (config.services.samba) nsswins;
-  ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
+  ldap = config.users.ldap.enable;

 in

--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@@ -9,36 +9,11 @@ let

  systemWide = cfg.enable && cfg.systemWide;
  nonSystemWide = cfg.enable && !cfg.systemWide;
-  hasZeroconf = let z = cfg.zeroconf; in z.publish.enable || z.discovery.enable;
-
-  overriddenPackage = cfg.package.override
-    (optionalAttrs hasZeroconf { zeroconfSupport = true; });
-  binary = "${getBin overriddenPackage}/bin/pulseaudio";
-  binaryNoDaemon = "${binary} --daemonize=no";

  # Forces 32bit pulseaudio and alsaPlugins to be built/supported for apps
  # using 32bit alsa on 64bit linux.
  enable32BitAlsaPlugins = cfg.support32Bit && stdenv.isx86_64 && (pkgs_i686.alsaLib != null && pkgs_i686.libpulseaudio != null);

-
-  myConfigFile =
-    let
-      addModuleIf = cond: mod: optionalString cond "load-module ${mod}";
-      allAnon = optional cfg.tcp.anonymousClients.allowAll "auth-anonymous=1";
-      ipAnon =  let a = cfg.tcp.anonymousClients.allowedIpRanges;
-                in optional (a != []) ''auth-ip-acl=${concatStringsSep ";" a}'';
-    in writeTextFile {
-      name = "default.pa";
-        text = ''
-        .include ${cfg.configFile}
-        ${addModuleIf cfg.zeroconf.publish.enable "module-zeroconf-publish"}
-        ${addModuleIf cfg.zeroconf.discovery.enable "module-zeroconf-discover"}
-        ${addModuleIf cfg.tcp.enable (concatStringsSep " "
-           ([ "module-native-protocol-tcp" ] ++ allAnon ++ ipAnon))}
-        ${cfg.extraConfig}
-      '';
-    };
-
  ids = config.ids;

  uid = ids.uids.pulseaudio;
@@ -51,8 +26,7 @@ let
  # are built with PulseAudio support (like KDE).
  clientConf = writeText "client.conf" ''
    autospawn=${if nonSystemWide then "yes" else "no"}
-    ${optionalString nonSystemWide "daemon-binary=${binary}"}
-    ${cfg.extraClientConf}
+    ${optionalString nonSystemWide "daemon-binary=${cfg.package.out}/bin/pulseaudio"}
  '';

  # Write an /etc/asound.conf that causes all ALSA applications to
@@ -69,7 +43,7 @@ let
      hint.description "Default Audio Device (via PulseAudio)"
    }
    ctl_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;
+      libs.native = ${alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;
      ${lib.optionalString enable32BitAlsaPlugins
     "libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;"}
    }
@@ -114,31 +88,14 @@ in {
      };

      configFile = mkOption {
-        type = types.nullOr types.path;
+        type = types.path;
        description = ''
-          The path to the default configuration options the PulseAudio server
+          The path to the configuration the PulseAudio server
          should use. By default, the "default.pa" configuration
          from the PulseAudio distribution is used.
        '';
      };

-      extraConfig = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Literal string to append to <literal>configFile</literal>
-          and the config file generated by the pulseaudio module.
-        '';
-      };
-
-      extraClientConf = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Extra configuration appended to pulse/client.conf file.
-        '';
-      };
-
      package = mkOption {
        type = types.package;
        default = pulseaudioLight;
@@ -161,31 +118,6 @@ in {
          '';
        };
      };
-
-      zeroconf = {
-        discovery.enable =
-          mkEnableOption "discovery of pulseaudio sinks in the local network";
-        publish.enable =
-          mkEnableOption "publishing the pulseaudio sink in the local network";
-      };
-
-      # TODO: enable by default?
-      tcp = {
-        enable = mkEnableOption "tcp streaming support";
-
-        anonymousClients = {
-          allowAll = mkEnableOption "all anonymous clients to stream to the server";
-          allowedIpRanges = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            example = literalExample ''[ "127.0.0.1" "192.168.1.0/24" ]'';
-            description = ''
-              A list of IP subnets that are allowed to stream to the server.
-            '';
-          };
-        };
-      };
-
    };

  };
@@ -198,11 +130,11 @@ in {
        source = clientConf;
      };

-      hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa";
+      hardware.pulseaudio.configFile = mkDefault "${getBin cfg.package}/etc/pulse/default.pa";
    }

    (mkIf cfg.enable {
-      environment.systemPackages = [ overriddenPackage ];
+      environment.systemPackages = [ cfg.package ];

      environment.etc = singleton {
        target = "asound.conf";
@@ -211,21 +143,12 @@ in {

      # Allow PulseAudio to get realtime priority using rtkit.
      security.rtkit.enable = true;
-
-    })
-
-    (mkIf hasZeroconf {
-      services.avahi.enable = true;
-    })
-    (mkIf cfg.zeroconf.publish.enable {
-      services.avahi.publish.enable = true;
-      services.avahi.publish.userServices = true;
    })

    (mkIf nonSystemWide {
      environment.etc = singleton {
        target = "pulse/default.pa";
-        source = myConfigFile;
+        source = cfg.configFile;
      };

      systemd.user = {
@@ -235,12 +158,9 @@ in {
          wantedBy = [ "default.target" ];
          serviceConfig = {
            Type = "notify";
-            ExecStart = binaryNoDaemon;
+            ExecStart = "${getBin cfg.package}/bin/pulseaudio --daemonize=no";
            Restart = "on-failure";
-            RestartSec = "500ms";
          };
-          environment = { DISPLAY = ":${toString config.services.xserver.display}"; };
-          restartIfChanged = true;
        };

        sockets.pulseaudio = {
@@ -275,9 +195,8 @@ in {
        environment.PULSE_RUNTIME_PATH = stateDir;
        serviceConfig = {
          Type = "notify";
-          ExecStart = "${binaryNoDaemon} --log-level=${cfg.daemon.logLevel} --system -n --file=${myConfigFile}";
+          ExecStart = "${getBin cfg.package}/bin/pulseaudio --daemonize=no --log-level=${cfg.daemon.logLevel} --system -n --file=${cfg.configFile}";
          Restart = "on-failure";
-          RestartSec = "500ms";
        };
      };
    })
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -1,7 +1,7 @@
 # This module defines a global environment configuration and
 # a common configuration for all shells.

-{ config, lib, utils, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

@@ -135,13 +135,13 @@ in

    environment.shells = mkOption {
      default = [];
-      example = literalExample "[ pkgs.bashInteractive pkgs.zsh ]";
+      example = [ "/run/current-system/sw/bin/zsh" ];
      description = ''
        A list of permissible login shells for user accounts.
        No need to mention <literal>/bin/sh</literal>
        here, it is placed into this list implicitly.
      '';
-      type = types.listOf (types.either types.shellPackage types.path);
+      type = types.listOf types.path;
    };

  };
@@ -158,7 +158,7 @@ in

    environment.etc."shells".text =
      ''
-        ${concatStringsSep "\n" (map utils.toShellPath cfg.shells)}
+        ${concatStringsSep "\n" cfg.shells}
        /bin/sh
      '';

--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@@ -30,7 +30,8 @@ let
        description = ''
          If this option is set, ‘device’ is interpreted as the
          path of a swapfile that will be created automatically
-          with the indicated size (in megabytes).
+          with the indicated size (in megabytes) if it doesn't
+          exist.
        '';
      };

@@ -54,10 +55,6 @@ let
          WARNING: Don't try to hibernate when you have at least one swap partition with
          this option enabled! We have no way to set the partition into which hibernation image
          is saved, so if your image ends up on an encrypted one you would lose it!
-
-          WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
-          when using randomEncryption as the UUIDs and labels will get erased on every boot when
-          the partition is encrypted. Best to use /dev/disk/by-partuuid/…
        '';
      };

@@ -76,7 +73,7 @@ let
    config = rec {
      device = mkIf options.label.isDefined
        "/dev/disk/by-label/${config.label}";
-      deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
+      deviceName = escapeSystemdPath config.device;
      realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;
    };

@@ -125,8 +122,6 @@ in

        createSwapDevice = sw:
          assert sw.device != "";
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);
          let realDevice' = escapeSystemdPath sw.realDevice;
          in nameValuePair "mkswap-${sw.deviceName}"
          { description = "Initialisation of swap device ${sw.device}";
@@ -137,13 +132,9 @@ in
            script =
              ''
                ${optionalString (sw.size != null) ''
-                  currentSize=$(( $(stat -c "%s" "${sw.device}" 2>/dev/null || echo 0) / 1024 / 1024 ))
-                  if [ "${toString sw.size}" != "$currentSize" ]; then
+                  if [ ! -e "${sw.device}" ]; then
                    fallocate -l ${toString sw.size}M "${sw.device}" ||
                      dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
-                    if [ "${toString sw.size}" -lt "$currentSize" ]; then
-                      truncate --size "${toString sw.size}M" "${sw.device}"
-                    fi
                    chmod 0600 ${sw.device}
                    ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
                  fi
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@@ -34,10 +34,11 @@ let
      config.programs.ssh.package
      pkgs.perl
      pkgs.procps
-      pkgs.rsync # used by nixos-install anyway
+      pkgs.rsync
      pkgs.strace
      pkgs.su
      pkgs.time
+      pkgs.texinfoInteractive
      pkgs.utillinux
      pkgs.which # 88K size
    ];
@@ -76,7 +77,7 @@ in
      extraOutputsToInstall = mkOption {
        type = types.listOf types.str;
        default = [ ];
-        example = [ "doc" "info" "devdoc" ];
+        example = [ "doc" "info" "docdev" ];
        description = "List of additional package outputs to be symlinked into <filename>/run/current-system/sw</filename>.";
      };

@@ -104,6 +105,7 @@ in
        "/etc/xdg"
        "/etc/gtk-2.0"
        "/etc/gtk-3.0"
+        "/info"
        "/lib" # FIXME: remove and update debug-info.nix
        "/sbin"
        "/share/applications"
@@ -111,6 +113,7 @@ in
        "/share/doc"
        "/share/emacs"
        "/share/icons"
+        "/share/info"
        "/share/menus"
        "/share/mime"
        "/share/nano"
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -52,8 +52,8 @@ foreach my $g (@{$spec->{groups}}) {
    $gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
 }

-foreach my $u (@{$spec->{users}}) {
-    $uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
+foreach my $u (@{$spec->{groups}}) {
+    $uidsUsed{$u->{u}} = 1 if defined $u->{uid};
 }

 # Read the current /etc/group.
@@ -103,7 +103,7 @@ foreach my $g (@{$spec->{groups}}) {
    if (defined $existing) {
        $g->{gid} = $existing->{gid} if !defined $g->{gid};
        if ($g->{gid} != $existing->{gid}) {
-            warn "warning: not applying GID change of group ‘$name’ ($existing->{gid} -> $g->{gid})\n";
+            warn "warning: not applying GID change of group ‘$name’\n";
            $g->{gid} = $existing->{gid};
        }
        $g->{password} = $existing->{password}; # do we want this?
@@ -163,7 +163,7 @@ foreach my $u (@{$spec->{users}}) {
    if (defined $existing) {
        $u->{uid} = $existing->{uid} if !defined $u->{uid};
        if ($u->{uid} != $existing->{uid}) {
-            warn "warning: not applying UID change of user ‘$name’ ($existing->{uid} -> $u->{uid})\n";
+            warn "warning: not applying UID change of user ‘$name’\n";
            $u->{uid} = $existing->{uid};
        }
    } else {
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -1,8 +1,9 @@
-{ config, lib, utils, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

 let
+
  ids = config.ids;
  cfg = config.users;

@@ -102,7 +103,7 @@ let
      };

      home = mkOption {
-        type = types.path;
+        type = types.str;
        default = "/var/empty";
        description = "The user's home directory.";
      };
@@ -117,17 +118,9 @@ let
      };

      shell = mkOption {
-        type = types.either types.shellPackage types.path;
-        default = pkgs.nologin;
-        defaultText = "pkgs.nologin";
-        example = literalExample "pkgs.bashInteractive";
-        description = ''
-          The path to the user's shell. Can use shell derivations,
-          like <literal>pkgs.bashInteractive</literal>. Don’t
-          forget to enable your shell in
-          <literal>programs</literal> if necessary,
-          like <code>programs.zsh.enable = true;</code>.
-        '';
+        type = types.str;
+        default = "/run/current-system/sw/bin/nologin";
+        description = "The path to the user's shell.";
      };

      subUidRanges = mkOption {
@@ -366,12 +359,11 @@ let

  spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
    inherit (cfg) mutableUsers;
-    users = mapAttrsToList (_: u:
+    users = mapAttrsToList (n: u:
      { inherit (u)
-          name uid group description home createHome isSystemUser
+          name uid group description home shell createHome isSystemUser
          password passwordFile hashedPassword
          initialPassword initialHashedPassword;
-        shell = utils.toShellPath u.shell;
      }) cfg.users;
    groups = mapAttrsToList (n: g:
      { inherit (g) name gid;
@@ -381,12 +373,6 @@ let
      }) cfg.groups;
  });

-  systemShells =
-    let
-      shells = mapAttrsToList (_: u: u.shell) cfg.users;
-    in
-      filter types.shellPackage.check shells;
-
 in {

  ###### interface
@@ -482,6 +468,7 @@ in {
        home = "/root";
        shell = mkDefault cfg.defaultUserShell;
        group = "root";
+        extraGroups = [ "grsecurity" ];
        initialHashedPassword = mkDefault config.security.initialRootPassword;
      };
      nobody = {
@@ -491,9 +478,6 @@ in {
      };
    };

-    # Install all the user shells
-    environment.systemPackages = systemShells;
-
    users.groups = {
      root.gid = ids.gids.root;
      wheel.gid = ids.gids.wheel;
@@ -513,6 +497,7 @@ in {
      nixbld.gid = ids.gids.nixbld;
      utmp.gid = ids.gids.utmp;
      adm.gid = ids.gids.adm;
+      grsecurity.gid = ids.gids.grsecurity;
      input.gid = ids.gids.input;
    };

--- a/nixos/modules/config/zram.nix
+++ b/nixos/modules/config/zram.nix
@@ -8,7 +8,7 @@ let

  devices = map (nr: "zram${toString nr}") (range 0 (cfg.numDevices - 1));

-  modprobe = "${pkgs.kmod}/bin/modprobe";
+  modprobe = "${config.system.sbin.modprobe}/sbin/modprobe";

 in

--- a/nixos/modules/hardware/opengl.nix
+++ b/nixos/modules/hardware/opengl.nix
@@ -14,7 +14,7 @@ let
    name = "mesa-drivers+txc-${p.mesa_drivers.version}";
    paths =
      [ p.mesa_drivers
-        p.mesa_drivers.out # mainly for libGL
+        p.mesa_noglu # mainly for libGL
        (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
      ];
  };
--- a/nixos/modules/hardware/video/amdgpu.nix
+++ b/nixos/modules/hardware/video/amdgpu.nix
@@ -1,9 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-{
-  config = mkIf (elem "amdgpu" config.services.xserver.videoDrivers) {
-    boot.blacklistedKernelModules = [ "radeon" ];
-  };
-}
-
--- a/nixos/modules/hardware/video/ati.nix
+++ b/nixos/modules/hardware/video/ati.nix
@@ -18,8 +18,6 @@ in

  config = mkIf enabled {

-    nixpkgs.config.xorg.fglrxCompat = true;
-
    services.xserver.drivers = singleton
      { name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; };

--- a/nixos/modules/hardware/video/bumblebee.nix
+++ b/nixos/modules/hardware/video/bumblebee.nix
@@ -75,6 +75,7 @@ in
      serviceConfig = {
        ExecStart = "${bumblebee}/bin/bumblebeed --use-syslog -g ${cfg.group} --driver ${cfg.driver}";
      };
+      environment.MODULE_DIR="/run/current-system/kernel-modules/lib/modules/";
    };
  };
 }
--- a/nixos/modules/hardware/video/displaylink.nix
+++ b/nixos/modules/hardware/video/displaylink.nix
@@ -1,61 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
-
-  enabled = elem "displaylink" config.services.xserver.videoDrivers;
-
-  displaylink = config.boot.kernelPackages.displaylink;
-
-in
-
-{
-
-  config = mkIf enabled {
-
-    boot.extraModulePackages = [ displaylink ];
-
-    boot.kernelModules = [ "evdi" ];
-
-    # Those are taken from displaylink-installer.sh and from Arch Linux AUR package.
-
-    services.udev.extraRules = ''
-      ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="17e9", ATTR{bNumInterfaces}=="*5", TAG+="uaccess"
-    '';
-
-    powerManagement.powerDownCommands = ''
-      #flush any bytes in pipe
-      while read -n 1 -t 1 SUSPEND_RESULT < /tmp/PmMessagesPort_out; do : ; done;
-
-      #suspend DisplayLinkManager
-      echo "S" > /tmp/PmMessagesPort_in
-
-      #wait until suspend of DisplayLinkManager finish
-      read -n 1 -t 10 SUSPEND_RESULT < /tmp/PmMessagesPort_out
-    '';
-
-    powerManagement.resumeCommands = ''
-      #resume DisplayLinkManager
-      echo "R" > /tmp/PmMessagesPort_in
-    '';
-
-    systemd.services.displaylink = {
-      description = "DisplayLink Manager Service";
-      after = [ "display-manager.service" ];
-      wantedBy = [ "graphical.target" ];
-
-      serviceConfig = {
-        ExecStart = "${displaylink}/bin/DisplayLinkManager";
-        Restart = "always";
-        RestartSec = 5;
-      };
-
-      preStart = ''
-        mkdir -p /var/log/displaylink
-      '';
-    };
-
-  };
-
-}
--- a/nixos/modules/hardware/video/webcam/facetimehd.nix
+++ b/nixos/modules/hardware/video/webcam/facetimehd.nix
@@ -36,6 +36,7 @@ in

    # and load it back on resume
    powerManagement.resumeCommands = ''
+      export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
      ${pkgs.kmod}/bin/modprobe -v facetimehd
    '';

--- a/nixos/modules/i18n/input-method/default.nix
+++ b/nixos/modules/i18n/input-method/default.nix
@@ -62,9 +62,4 @@ in
    environment.systemPackages = [ cfg.package gtk2_cache gtk3_cache ];
  };

-  meta = {
-    maintainers = with lib.maintainers; [ ericsagnes ];
-    doc = ./default.xml;
-  };
-
 }
--- a/nixos/modules/i18n/input-method/default.xml
+++ b/nixos/modules/i18n/input-method/default.xml
@@ -88,8 +88,6 @@ i18n.inputMethod = {
      methods among Traditional Chinese Unix users.</para></listitem>
  <listitem><para>Hangul (<literal>fcitx-engines.hangul</literal>): Korean input 
      method.</para></listitem>
-  <listitem><para>Unikey (<literal>fcitx-engines.unikey</literal>): Vietnamese input 
-      method.</para></listitem>
  <listitem><para>m17n (<literal>fcitx-engines.m17n</literal>): m17n is an input 
      method that uses input methods and corresponding icons in the m17n 
      database.</para></listitem>
--- a/nixos/modules/i18n/input-method/fcitx.nix
+++ b/nixos/modules/i18n/input-method/fcitx.nix
@@ -4,7 +4,7 @@ with lib;

 let
  cfg = config.i18n.inputMethod.fcitx;
-  fcitxPackage = pkgs.fcitx.override { plugins = cfg.engines; };
+  fcitxPackage = pkgs.fcitx-with-plugins.override { plugins = cfg.engines; };
  fcitxEngine = types.package // {
    name  = "fcitx-engine";
    check = x: (lib.types.package.check x) && (attrByPath ["meta" "isFcitxEngine"] false x);
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
@@ -107,7 +107,4 @@ with lib;
      '';
    };

-  # Disable large stuff that's not very useful on the installation CD.
-  services.xserver.desktopManager.kde4.enablePIM = false;
-
 }
--- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
@@ -19,37 +19,18 @@ in
      "it cannot be cross compiled";
  };

-  # Needed by RPi firmware
-  nixpkgs.config.allowUnfree = true;
-
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;

  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
-  boot.consoleLogLevel = 7;
+  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];

  # FIXME: this probably should be in installation-device.nix
  users.extraUsers.root.initialHashedPassword = "";

  sdImage = {
-    populateBootCommands = let
-      configTxt = pkgs.writeText "config.txt" ''
-        [pi2]
-        kernel=u-boot-rpi2.bin
-
-        [pi3]
-        kernel=u-boot-rpi3.bin
-        enable_uart=1
-      '';
-      in ''
-        for f in bootcode.bin fixup.dat start.elf; do
-          cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
-        done
-        cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin
-        cp ${pkgs.ubootRaspberryPi3}/u-boot.bin boot/u-boot-rpi3.bin
-        cp ${configTxt} boot/config.txt
+    populateBootCommands = ''
        ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot
-      '';
+    '';
  };
 }
--- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
@@ -26,7 +26,6 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;

  boot.kernelPackages = pkgs.linuxPackages_rpi;
-  boot.consoleLogLevel = 7;

  # FIXME: this probably should be in installation-device.nix
  users.extraUsers.root.initialHashedPassword = "";
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,5 +0,0 @@
-{
-  x86_64-linux = "/nix/store/i4mwf2gpvar7dqvlpp5m86llbq3ahbvb-nix-1.11.4";
-  i686-linux = "/nix/store/a3gjrbspb0q4hs3sv5g1y2nza43i8nzv-nix-1.11.4";
-  x86_64-darwin = "/nix/store/7v21yd3qpv0nclcy5cqr5njj9bril12s-nix-1.11.4";
-}
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -527,11 +527,8 @@ EOF
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
-  # boot.loader.grub.efiSupport = true;
-  # boot.loader.grub.efiInstallAsRemovable = true;
-  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
-  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+  # boot.loader.grub.device = "/dev/sda";
 EOF
        }

--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -24,7 +24,6 @@ fi
 # Parse the command line for the -I flag
 extraBuildFlags=()
 chrootCommand=(/run/current-system/sw/bin/bash)
-buildUsersGroup="nixbld"

 while [ "$#" -gt 0 ]; do
    i="$1"; shift 1
@@ -41,19 +40,6 @@ while [ "$#" -gt 0 ]; do
        --root)
            mountPoint="$1"; shift 1
            ;;
-        --closure)
-            closure="$1"; shift 1
-            buildUsersGroup=""
-            ;;
-        --no-channel-copy)
-            noChannelCopy=1
-            ;;
-        --no-root-passwd)
-            noRootPasswd=1
-            ;;
-        --no-bootloader)
-            noBootLoader=1
-            ;;
        --show-trace)
            extraBuildFlags+=("$i")
            ;;
@@ -92,22 +78,25 @@ fi
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
-mkdir -m 0755 -p $mountPoint/var
+mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
 mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 mount --rbind / $mountPoint/tmp/root
 mount -t tmpfs -o "mode=0755" none $mountPoint/run
+mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
-for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
-for f in /etc/passwd /etc/group;      do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done
+rm -f $mountPoint/etc/{resolv.conf,hosts}
+cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/

-cp -Lf "@cacert@" "$mountPoint/tmp/ca-cert.crt"
-export SSL_CERT_FILE=/tmp/ca-cert.crt
-# For Nix 1.7
-export CURL_CA_BUNDLE=/tmp/ca-cert.crt
+if [ -e "$SSL_CERT_FILE" ]; then
+    cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
+    export SSL_CERT_FILE=/tmp/ca-cert.crt
+    # For Nix 1.7
+    export CURL_CA_BUNDLE=/tmp/ca-cert.crt
+fi

 if [ -n "$runChroot" ]; then
    if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
@@ -124,7 +113,7 @@ if test -z "$NIXOS_CONFIG"; then
    NIXOS_CONFIG=/etc/nixos/configuration.nix
 fi

-if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then
+if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
    echo "configuration file $mountPoint/$NIXOS_CONFIG doesn't exist"
    exit 1
 fi
@@ -135,13 +124,14 @@ fi
 mkdir -m 0755 -p \
    $mountPoint/nix/var/nix/gcroots \
    $mountPoint/nix/var/nix/temproots \
+    $mountPoint/nix/var/nix/manifests \
    $mountPoint/nix/var/nix/userpool \
    $mountPoint/nix/var/nix/profiles \
    $mountPoint/nix/var/nix/db \
    $mountPoint/nix/var/log/nix/drvs

 mkdir -m 1775 -p $mountPoint/nix/store
-chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
+chown root:nixbld $mountPoint/nix/store


 # There is no daemon in the chroot.
@@ -154,13 +144,18 @@ export LC_ALL=
 export LC_TIME=


-# Builds will use users that are members of this group
-extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup")
+# Create a temporary Nix config file that causes the nixbld users to
+# be used.
+echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf # FIXME: remove in Nix 1.8
+binary_caches=$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')
+if test -n "$binary_caches"; then
+    echo "binary-caches = $binary_caches" >> $mountPoint/tmp/nix.conf
+fi
+export NIX_CONF_DIR=/tmp

-
-# Inherit binary caches from the host
-binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')"
-extraBuildFlags+=(--option "binary-caches" "$binary_caches")
+touch $mountPoint/etc/passwd $mountPoint/etc/group
+mount --bind -o ro /etc/passwd $mountPoint/etc/passwd
+mount --bind -o ro /etc/group $mountPoint/etc/group


 # Copy Nix to the Nix store on the target device, unless it's already there.
@@ -169,7 +164,7 @@ if ! NIX_DB_DIR=$mountPoint/nix/var/nix/db nix-store --check-validity @nix@ 2> /
    for i in $(@perl@/bin/perl @pathsFromGraph@ @nixClosure@); do
        echo "  $i"
        chattr -R -i $mountPoint/$i 2> /dev/null || true # clear immutable bit
-        @rsync@/bin/rsync -a $i $mountPoint/nix/store/
+        rsync -a $i $mountPoint/nix/store/
    done

    # Register the paths in the Nix closure as valid.  This is necessary
@@ -199,22 +194,24 @@ p=@nix@/libexec/nix/substituters
 export NIX_SUBSTITUTERS=$p/copy-from-other-stores.pl:$p/download-from-binary-cache.pl


-if [ -z "$closure" ]; then
-    # Get the absolute path to the NixOS/Nixpkgs sources.
-    nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"
+# Make manifests available in the chroot.
+rm -f $mountPoint/nix/var/nix/manifests/*
+for i in /nix/var/nix/manifests/*.nixmanifest; do
+    chroot $mountPoint @nix@/bin/nix-store -r "$(readlink -f "$i")" > /dev/null
+    cp -pd "$i" $mountPoint/nix/var/nix/manifests/
+done
+
+
+# Get the absolute path to the NixOS/Nixpkgs sources.
+nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"

-    nixEnvAction="-f <nixpkgs/nixos> --set -A system"
-else
-    nixpkgs=""
-    nixEnvAction="--set $closure"
-fi

 # Build the specified Nix expression in the target store and install
 # it into the system configuration profile.
 echo "building the system configuration..."
 NIX_PATH="nixpkgs=/tmp/root/$nixpkgs:nixos-config=$NIXOS_CONFIG" NIXOS_CONFIG= \
    chroot $mountPoint @nix@/bin/nix-env \
-    "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system $nixEnvAction
+    "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' --set -A system


 # Copy the NixOS/Nixpkgs sources to the target as the initial contents
@@ -223,7 +220,7 @@ mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
 mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
 mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
 srcs=$(nix-env "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")
-if [ -z "$noChannelCopy" ] && [ -n "$srcs" ]; then
+if test -n "$srcs"; then
    echo "copying NixOS/Nixpkgs sources..."
    chroot $mountPoint @nix@/bin/nix-env \
        "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -i "$srcs" --quiet
@@ -233,7 +230,7 @@ ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defex


 # Get rid of the /etc bind mounts.
-for f in /etc/passwd /etc/group; do [ -f "$f" ] && umount $mountPoint/$f; done
+umount $mountPoint/etc/passwd $mountPoint/etc/group


 # Grub needs an mtab.
@@ -249,17 +246,16 @@ touch $mountPoint/etc/NIXOS
 # a menu default pointing at the kernel/initrd/etc of the new
 # configuration.
 echo "finalising the installation..."
-if [ -z "$noBootLoader" ]; then
-  NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint \
-      /nix/var/nix/profiles/system/bin/switch-to-configuration boot
-fi
+NIXOS_INSTALL_GRUB=1 chroot $mountPoint \
+    /nix/var/nix/profiles/system/bin/switch-to-configuration boot
+

 # Run the activation script.
 chroot $mountPoint /nix/var/nix/profiles/system/activate


 # Ask the user to set a root password.
-if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
+if [ "$(chroot $mountPoint /run/current-system/sw/bin/sh -l -c "nix-instantiate --eval '<nixpkgs/nixos>' -A config.users.mutableUsers")" = true ] && [ -t 0 ] ; then
    echo "setting root password..."
    chroot $mountPoint /var/setuid-wrappers/passwd
 fi
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -33,11 +33,7 @@ while [ "$#" -gt 0 ]; do
        action="$i"
        ;;
      --install-grub)
-        echo "$0: --install-grub deprecated, use --install-bootloader instead" >&2
-        export NIXOS_INSTALL_BOOTLOADER=1
-        ;;
-      --install-bootloader)
-        export NIXOS_INSTALL_BOOTLOADER=1
+        export NIXOS_INSTALL_GRUB=1
        ;;
      --no-build-nix)
        buildNix=
@@ -218,9 +214,9 @@ fi

 # Re-execute nixos-rebuild from the Nixpkgs tree.
 if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
-    if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
+    if p=$(nix-instantiate --find-file nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh "${extraBuildFlags[@]}"); then
        export _NIXOS_REBUILD_REEXEC=1
-        exec $p/bin/nixos-rebuild "${origArgs[@]}"
+        exec $SHELL -e $p "${origArgs[@]}"
        exit 1
    fi
 fi
@@ -261,9 +257,9 @@ fi
 prebuiltNix() {
    machine="$1"
    if [ "$machine" = x86_64 ]; then
-        echo @nix_x86_64_linux@
+        echo /nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
    elif [[ "$machine" =~ i.86 ]]; then
-        echo @nix_i686_linux@
+        echo /nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
    else
        echo "$0: unsupported platform"
        exit 1
--- a/nixos/modules/installer/tools/nixos-version.sh
+++ b/nixos/modules/installer/tools/nixos-version.sh
@@ -1,10 +1,6 @@
 #! @shell@

 case "$1" in
-  -h|--help)
-    exec man nixos-version
-    exit 1
-    ;;
  --hash|--revision)
    echo "@nixosRevision@"
    ;;
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -21,26 +21,19 @@ let
    name = "nixos-install";
    src = ./nixos-install.sh;

-    inherit (pkgs) perl pathsFromGraph rsync;
+    inherit (pkgs) perl pathsFromGraph;
    nix = config.nix.package.out;
-    cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-    root_uid = config.ids.uids.root;
-    nixbld_gid = config.ids.gids.nixbld;

    nixClosure = pkgs.runCommand "closure"
      { exportReferencesGraph = ["refs" config.nix.package.out]; }
      "cp refs $out";
  };

-  nixos-rebuild =
-    let fallback = import ./nix-fallback-paths.nix; in
-    makeProg {
-      name = "nixos-rebuild";
-      src = ./nixos-rebuild.sh;
-      nix = config.nix.package.out;
-      nix_x86_64_linux = fallback.x86_64-linux;
-      nix_i686_linux = fallback.i686-linux;
-    };
+  nixos-rebuild = makeProg {
+    name = "nixos-rebuild";
+    src = ./nixos-rebuild.sh;
+    nix = config.nix.package.out;
+  };

  nixos-generate-config = makeProg {
    name = "nixos-generate-config";
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -120,6 +120,7 @@
      minidlna = 91;
      elasticsearch = 92;
      tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
+      #connman = 94; # unused
      firebird = 95;
      #keys = 96; # unused
      haproxy = 97;
@@ -146,6 +147,7 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
+      #grsecurity = 121; # unused
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
@@ -180,6 +182,7 @@
      systemd-timesync = 154;
      liquidsoap = 155;
      etcd = 156;
+      docker-registry = 157;
      hbase = 158;
      opentsdb = 159;
      scollector = 160;
@@ -266,13 +269,6 @@
      nzbget = 245;
      mosquitto = 246;
      toxvpn = 247;
-      squeezelite = 248;
-      turnserver = 249;
-      smokeping = 250;
-      gocd-agent = 251;
-      gocd-server = 252;
-      terraria = 253;
-      mattermost = 254;

      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!

@@ -373,8 +369,9 @@
      quassel = 89;
      amule = 90;
      minidlna = 91;
-      elasticsearch = 92;
+      #elasticsearch = 92; # unused
      #tcpcryptd = 93; # unused
+      connman = 94;
      firebird = 95;
      keys = 96;
      haproxy = 97;
@@ -399,6 +396,7 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
+      grsecurity = 121;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
@@ -433,6 +431,7 @@
      systemd-timesync = 154;
      liquidsoap = 155;
      #etcd = 156; # unused
+      #docker-registry = 157; # unused
      hbase = 158;
      opentsdb = 159;
      scollector = 160;
@@ -509,13 +508,6 @@
      nzbget = 245;
      mosquitto = 246;
      #toxvpn = 247; # unused
-      #squeezelite = 248; #unused
-      turnserver = 249;
-      smokeping = 250;
-      gocd-agent = 251;
-      gocd-server = 252;
-      terraria = 253;
-      mattermost = 254;

      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/misc/meta.nix
+++ b/nixos/modules/misc/meta.nix
@@ -39,7 +39,7 @@ in
        default = [];
        example = [ lib.maintainers.all ];
        description = ''
-          List of maintainers of each module.  This option should be defined at
+	  List of maintainers of each module.  This option should be defined at
          most once per module.
        '';
      };
@@ -49,7 +49,7 @@ in
        internal = true;
        example = "./meta.xml";
        description = ''
-          Documentation prologe for the set of options of each module.  This
+	  Documentation prologe for the set of options of each module.  This
          option should be defined at most once per module.
        '';
      };
@@ -57,5 +57,7 @@ in
    };
  };

-  meta.maintainers = singleton lib.maintainers.pierron;
+  config = {
+    meta.maintainers = singleton lib.maintainers.pierron;
+  };
 }
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@@ -21,11 +21,6 @@ let
      packageOverrides = pkgs:
        optCall lhs.packageOverrides pkgs //
        optCall (attrByPath ["packageOverrides"] ({}) rhs) pkgs;
-    } //
-    optionalAttrs (lhs ? perlPackageOverrides) {
-      perlPackageOverrides = pkgs:
-        optCall lhs.perlPackageOverrides pkgs //
-        optCall (attrByPath ["perlPackageOverrides"] ({}) rhs) pkgs;
    };

  configType = mkOptionType {
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -35,50 +35,63 @@ in
    nixosLabel = mkOption {
      type = types.str;
      description = ''
-        Label to be used in the names of generated outputs and boot
-        labels.
+        NixOS version name to be used in the names of generated
+        outputs and boot labels.
+
+        If you ever wanted to influence the labels in your GRUB menu,
+        this is option is for you.
+
+        Can be set directly or with <envar>NIXOS_LABEL</envar>
+        environment variable for <command>nixos-rebuild</command>,
+        e.g.:
+
+        <screen>
+        #!/bin/sh
+        today=`date +%Y%m%d`
+        branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')`
+        revision=`(cd nixpkgs ; git rev-parse HEAD)`
+        export NIXOS_LABEL="$today.$branch-''${revision:0:7}"
+        nixos-rebuild switch</screen>
      '';
    };

    nixosVersion = mkOption {
      internal = true;
      type = types.str;
-      description = "The full NixOS version (e.g. <literal>16.03.1160.f2d4ee1</literal>).";
+      description = "NixOS version.";
    };

    nixosRelease = mkOption {
      readOnly = true;
      type = types.str;
-      default = fileContents releaseFile;
-      description = "The NixOS release (e.g. <literal>16.03</literal>).";
+      default = readFile releaseFile;
+      description = "NixOS release.";
    };

    nixosVersionSuffix = mkOption {
      internal = true;
      type = types.str;
-      default = if pathExists suffixFile then fileContents suffixFile else "pre-git";
-      description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>).";
+      default = if pathExists suffixFile then readFile suffixFile else "pre-git";
+      description = "NixOS version suffix.";
    };

    nixosRevision = mkOption {
      internal = true;
      type = types.str;
-      default = if pathIsDirectory gitRepo then commitIdFromGitRepo gitRepo
-                else if pathExists revisionFile then fileContents revisionFile
-                else "master";
-      description = "The Git revision from which this NixOS configuration was built.";
+      default = if pathExists revisionFile then readFile revisionFile else "master";
+      description = "NixOS Git revision hash.";
    };

    nixosCodeName = mkOption {
      readOnly = true;
      type = types.str;
-      description = "The NixOS release code name (e.g. <literal>Emu</literal>).";
+      description = "NixOS release code name.";
    };

    defaultChannel = mkOption {
      internal = true;
      type = types.str;
-      default = https://nixos.org/channels/nixos-16.09;
+      default = https://nixos.org/channels/nixos-unstable;
      description = "Default NixOS channel to which the root user is subscribed.";
    };

@@ -89,10 +102,10 @@ in
    system = {
      # These defaults are set here rather than up there so that
      # changing them would not rebuild the manual
-      nixosLabel   = mkDefault cfg.nixosVersion;
-      nixosVersion = mkDefault (cfg.nixosRelease + cfg.nixosVersionSuffix);
-      nixosRevision      = mkIf (pathIsDirectory gitRepo) (mkDefault            gitCommitId);
-      nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
+      nixosLabel   = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion);
+      nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix));
+      nixosRevision      = mkIf (pathExists gitRepo) (mkDefault            gitCommitId);
+      nixosVersionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId));

      # Note: code names must only increase in alphabetical order.
      nixosCodeName = "Flounder";
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -37,11 +37,9 @@
  ./hardware/network/rtl8192c.nix
  ./hardware/opengl.nix
  ./hardware/pcmcia.nix
-  ./hardware/video/amdgpu.nix
-  ./hardware/video/ati.nix
  ./hardware/video/bumblebee.nix
-  ./hardware/video/displaylink.nix
  ./hardware/video/nvidia.nix
+  ./hardware/video/ati.nix
  ./hardware/video/webcam/facetimehd.nix
  ./i18n/input-method/default.nix
  ./i18n/input-method/fcitx.nix
@@ -64,12 +62,12 @@
  ./programs/bash/bash.nix
  ./programs/blcr.nix
  ./programs/cdemu.nix
-  ./programs/command-not-found/command-not-found.nix
+  # see https://github.com/NixOS/nixos-channel-scripts/issues/4
+  #./programs/command-not-found/command-not-found.nix
  ./programs/dconf.nix
  ./programs/environment.nix
-  ./programs/fish.nix
  ./programs/freetds.nix
-  ./programs/info.nix
+  ./programs/fish.nix
  ./programs/kbdlight.nix
  ./programs/light.nix
  ./programs/man.nix
@@ -78,14 +76,13 @@
  ./programs/screen.nix
  ./programs/shadow.nix
  ./programs/shell.nix
-  ./programs/spacefm.nix
  ./programs/ssh.nix
  ./programs/ssmtp.nix
  ./programs/tmux.nix
+  ./programs/unity3d.nix
  ./programs/venus.nix
  ./programs/wvdial.nix
  ./programs/xfs_quota.nix
-  ./programs/xonsh.nix
  ./programs/zsh/zsh.nix
  ./rename.nix
  ./security/acme.nix
@@ -93,7 +90,6 @@
  ./security/apparmor-suid.nix
  ./security/audit.nix
  ./security/ca.nix
-  ./security/chromium-suid-sandbox.nix
  ./security/duosec.nix
  ./security/grsecurity.nix
  ./security/hidepid.nix
@@ -114,7 +110,6 @@
  ./services/audio/liquidsoap.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
-  ./services/audio/squeezelite.nix
  ./services/backup/almir.nix
  ./services/backup/bacula.nix
  ./services/backup/crashplan.nix
@@ -130,13 +125,10 @@
  ./services/computing/torque/server.nix
  ./services/computing/torque/mom.nix
  ./services/computing/slurm/slurm.nix
-  ./services/continuous-integration/buildkite-agent.nix
-  ./services/continuous-integration/hydra/default.nix
-  ./services/continuous-integration/gocd-agent/default.nix
-  ./services/continuous-integration/gocd-server/default.nix
  ./services/continuous-integration/jenkins/default.nix
-  ./services/continuous-integration/jenkins/job-builder.nix
  ./services/continuous-integration/jenkins/slave.nix
+  ./services/continuous-integration/jenkins/job-builder.nix
+  ./services/continuous-integration/hydra/default.nix
  ./services/databases/4store-endpoint.nix
  ./services/databases/4store.nix
  ./services/databases/couchdb.nix
@@ -170,12 +162,10 @@
  ./services/desktops/profile-sync-daemon.nix
  ./services/desktops/telepathy.nix
  ./services/development/hoogle.nix
-  ./services/editors/emacs.nix
  ./services/games/factorio.nix
  ./services/games/ghost-one.nix
  ./services/games/minecraft-server.nix
  ./services/games/minetest-server.nix
-  ./services/games/terraria.nix
  ./services/hardware/acpid.nix
  ./services/hardware/actkbd.nix
  ./services/hardware/amd-hybrid-graphics.nix
@@ -228,8 +218,8 @@
  ./services/misc/confd.nix
  ./services/misc/devmon.nix
  ./services/misc/dictd.nix
-  ./services/misc/dysnomia.nix
  ./services/misc/disnix.nix
+  ./services/misc/docker-registry.nix
  ./services/misc/emby.nix
  ./services/misc/etcd.nix
  ./services/misc/felix.nix
@@ -254,7 +244,6 @@
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/nzbget.nix
  ./services/misc/octoprint.nix
-  ./services/misc/packagekit.nix
  ./services/misc/parsoid.nix
  ./services/misc/phd.nix
  ./services/misc/plex.nix
@@ -264,7 +253,6 @@
  ./services/misc/ripple-data-api.nix
  ./services/misc/rogue.nix
  ./services/misc/siproxd.nix
-  ./services/misc/sonarr.nix
  ./services/misc/spice-vdagentd.nix
  ./services/misc/subsonic.nix
  ./services/misc/sundtek.nix
@@ -326,23 +314,21 @@
  ./services/networking/cntlm.nix
  ./services/networking/connman.nix
  ./services/networking/consul.nix
-  ./services/networking/coturn.nix
  ./services/networking/ddclient.nix
  ./services/networking/dhcpcd.nix
  ./services/networking/dhcpd.nix
  ./services/networking/dnschain.nix
  ./services/networking/dnscrypt-proxy.nix
  ./services/networking/dnsmasq.nix
+  ./services/networking/docker-registry-server.nix
  ./services/networking/ejabberd.nix
  ./services/networking/fan.nix
-  ./services/networking/ferm.nix
  ./services/networking/firefox/sync-server.nix
  ./services/networking/firewall.nix
  ./services/networking/flashpolicyd.nix
  ./services/networking/freenet.nix
  ./services/networking/gale.nix
  ./services/networking/gateone.nix
-  ./services/networking/gdomap.nix
  ./services/networking/git-daemon.nix
  ./services/networking/gnunet.nix
  ./services/networking/gogoclient.nix
@@ -376,7 +362,6 @@
  ./services/networking/ntopng.nix
  ./services/networking/ntpd.nix
  ./services/networking/nylon.nix
-  ./services/networking/offlineimap.nix
  ./services/networking/oidentd.nix
  ./services/networking/openfire.nix
  ./services/networking/openntpd.nix
@@ -384,7 +369,6 @@
  ./services/networking/ostinato.nix
  ./services/networking/pdnsd.nix
  ./services/networking/polipo.nix
-  ./services/networking/pptpd.nix
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/prosody.nix
@@ -401,7 +385,6 @@
  ./services/networking/shairport-sync.nix
  ./services/networking/shout.nix
  ./services/networking/sniproxy.nix
-  ./services/networking/smokeping.nix
  ./services/networking/softether.nix
  ./services/networking/spiped.nix
  ./services/networking/sslh.nix
@@ -427,7 +410,6 @@
  ./services/networking/wicd.nix
  ./services/networking/wpa_supplicant.nix
  ./services/networking/xinetd.nix
-  ./services/networking/xl2tpd.nix
  ./services/networking/zerobin.nix
  ./services/networking/zerotierone.nix
  ./services/networking/znc.nix
@@ -449,7 +431,6 @@
  ./services/security/haveged.nix
  ./services/security/hologram.nix
  ./services/security/munge.nix
-  ./services/security/oauth2_proxy.nix
  ./services/security/physlock.nix
  ./services/security/torify.nix
  ./services/security/tor.nix
@@ -466,9 +447,7 @@
  ./services/ttys/agetty.nix
  ./services/ttys/gpm.nix
  ./services/ttys/kmscon.nix
-  ./services/web-apps/mattermost.nix
  ./services/web-apps/pump.io.nix
-  ./services/web-apps/tt-rss.nix
  ./services/web-servers/apache-httpd/default.nix
  ./services/web-servers/caddy.nix
  ./services/web-servers/fcgiwrap.nix
@@ -476,9 +455,8 @@
  ./services/web-servers/lighttpd/cgit.nix
  ./services/web-servers/lighttpd/default.nix
  ./services/web-servers/lighttpd/gitweb.nix
-  ./services/web-servers/lighttpd/inginious.nix
  ./services/web-servers/nginx/default.nix
-  ./services/web-servers/phpfpm/default.nix
+  ./services/web-servers/phpfpm.nix
  ./services/web-servers/shellinabox.nix
  ./services/web-servers/tomcat.nix
  ./services/web-servers/uwsgi.nix
@@ -486,7 +464,6 @@
  ./services/web-servers/winstone.nix
  ./services/web-servers/zope2.nix
  ./services/x11/colord.nix
-  ./services/x11/compton.nix
  ./services/x11/unclutter.nix
  ./services/x11/desktop-managers/default.nix
  ./services/x11/display-managers/auto.nix
@@ -513,7 +490,6 @@
  ./services/x11/window-managers/windowlab.nix
  ./services/x11/window-managers/wmii.nix
  ./services/x11/window-managers/xmonad.nix
-  ./services/x11/xbanish.nix
  ./services/x11/xfs.nix
  ./services/x11/xserver.nix
  ./system/activation/activation-script.nix
@@ -537,7 +513,6 @@
  ./system/boot/luksroot.nix
  ./system/boot/modprobe.nix
  ./system/boot/networkd.nix
-  ./system/boot/plymouth.nix
  ./system/boot/resolved.nix
  ./system/boot/shutdown.nix
  ./system/boot/stage-1.nix
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@@ -42,7 +42,7 @@ with lib;

        The "root" account has an empty password.  ${
          optionalString config.services.xserver.enable
-            "Type `systemctl start display-manager' to\nstart the graphical user interface."}
+            "Type `start display-manager' to\nstart the graphical user interface."}
      '';

    # Allow sshd to be started manually through "start sshd".
--- a/nixos/modules/profiles/minimal.nix
+++ b/nixos/modules/profiles/minimal.nix
@@ -11,7 +11,4 @@ with lib;
  # This isn't perfect, but let's expect the user specifies an UTF-8 defaultLocale
  i18n.supportedLocales = [ (config.i18n.defaultLocale + "/UTF-8") ];
  services.nixosManual.enable = mkDefault false;
-
-  programs.man.enable = mkDefault false;
-  programs.info.enable = mkDefault false;
 }
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@@ -200,7 +200,7 @@ in
    # Configuration for readline in bash.
    environment.etc."inputrc".source = ./inputrc;

-    users.defaultUserShell = mkDefault pkgs.bashInteractive;
+    users.defaultUserShell = mkDefault "/run/current-system/sw/bin/bash";

    environment.pathsToLink = optionals cfg.enableCompletion [
      "/etc/bash_completion.d"
--- a/nixos/modules/programs/bash/inputrc
+++ b/nixos/modules/programs/bash/inputrc
@@ -6,7 +6,6 @@ set meta-flag on
 set input-meta on
 set convert-meta off
 set output-meta on
-set colored-stats on

 #set mark-symlinked-directories on

--- a/nixos/modules/programs/info.nix
+++ b/nixos/modules/programs/info.nix
@@ -1,30 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  options = {
-
-    programs.info.enable = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Whether to enable info pages and the <command>info</command> command.
-      '';
-    };
-
-  };
-
-
-  config = mkIf config.programs.info.enable {
-
-    environment.systemPackages = [ pkgs.texinfoInteractive ];
-
-    environment.pathsToLink = [ "/info" "/share/info" ];
-
-    environment.extraOutputsToInstall = [ "info" ];
-
-  };
-
-}
--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -1,6 +1,6 @@
 # Configuration for the pwdutils suite of tools: passwd, useradd, etc.

-{ config, lib, utils, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

@@ -43,13 +43,13 @@ in
    users.defaultUserShell = lib.mkOption {
      description = ''
        This option defines the default shell assigned to user
-        accounts. This can be either a full system path or a shell package.
-
-        This must not be a store path, since the path is
+        accounts.  This must not be a store path, since the path is
        used outside the store (in particular in /etc/passwd).
+        Rather, it should be the path of a symlink that points to the
+        actual shell in the Nix store.
      '';
-      example = literalExample "pkgs.zsh";
-      type = types.either types.path types.shellPackage;
+      example = "/run/current-system/sw/bin/zsh";
+      type = types.path;
    };

  };
@@ -60,9 +60,7 @@ in
  config = {

    environment.systemPackages =
-      lib.optional config.users.mutableUsers pkgs.shadow ++
-      lib.optional (types.shellPackage.check config.users.defaultUserShell)
-        config.users.defaultUserShell;
+      lib.optional config.users.mutableUsers pkgs.shadow;

    environment.etc =
      [ { # /etc/login.defs: global configuration for pwdutils.  You
@@ -76,7 +74,7 @@ in
            ''
              GROUP=100
              HOME=/home
-              SHELL=${utils.toShellPath config.users.defaultUserShell}
+              SHELL=${config.users.defaultUserShell}
            '';
          target = "default/useradd";
        }
@@ -99,12 +97,14 @@ in
        groupdel = { rootOK = true; };
        login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
        chpasswd = { rootOK = true; };
+        chgpasswd = { rootOK = true; };
      };

    security.setuidPrograms = [ "su" "chfn" ]
-      ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
      ++ lib.optionals config.users.mutableUsers
-      [ "passwd" "sg" "newgrp" ];
+      [ "passwd" "sg" "newgrp"
+        "newuidmap" "newgidmap" # new in shadow 4.2.x
+      ];

  };

--- a/nixos/modules/programs/spacefm.nix
+++ b/nixos/modules/programs/spacefm.nix
@@ -1,55 +0,0 @@
-# Global configuration for spacefm.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let cfg = config.programs.spacefm;
-
-in
-{
-  ###### interface
-
-  options = {
-
-    programs.spacefm = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to install SpaceFM and create <filename>/etc/spacefm/spacefm.conf</filename>.
-        '';
-      };
-
-      settings = mkOption {
-        type = types.attrs;
-        default = {
-          tmp_dir = "/tmp";
-          terminal_su = "${pkgs.sudo}/bin/sudo";
-          graphical_su = "${pkgs.gksu}/bin/gksu";
-        };
-        example = literalExample ''{
-          tmp_dir = "/tmp";
-          terminal_su = "''${pkgs.sudo}/bin/sudo";
-          graphical_su = "''${pkgs.gksu}/bin/gksu";
-        }'';
-        description = ''
-          The system-wide spacefm configuration.
-          Parameters to be written to <filename>/etc/spacefm/spacefm.conf</filename>.
-          Refer to the <link xlink:href="https://ignorantguru.github.io/spacefm/spacefm-manual-en.html#programfiles-etc">relevant entry</link> in the SpaceFM manual.
-        '';
-      };
-
-    };
-  };
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.spaceFM ];
-
-    environment.etc."spacefm/spacefm.conf".text =
-      concatStrings (mapAttrsToList (n: v: "${n}=${toString v}\n") cfg.settings);
-  };
-}
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -56,6 +56,7 @@ in

      setXAuthLocation = mkOption {
        type = types.bool;
+        default = config.services.xserver.enable;
        description = ''
          Whether to set the path to <command>xauth</command> for X11-forwarded connections.
          This causes a dependency on X11 packages.
@@ -164,9 +165,6 @@ in

  config = {

-    programs.ssh.setXAuthLocation =
-      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11);
-
    assertions =
      [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
          message = "cannot enable X11 forwarding without setting XAuth location";
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@@ -100,12 +100,6 @@ in
          Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
        '';
      };
-      
-      setSendmail = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to set the system sendmail to ssmtp's.";
-      };

    };

@@ -128,13 +122,6 @@ in
      '';

    environment.systemPackages = [pkgs.ssmtp];
-    
-    services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail {
-      program = "sendmail";
-      source = "${pkgs.ssmtp}/bin/sendmail";
-      setuid = false;
-      setgid = false;
-    };

  };

--- a/nixos/modules/programs/tmux.nix
+++ b/nixos/modules/programs/tmux.nix
@@ -27,7 +27,7 @@ let
    set -g status-keys ${cfg.keyMode}
    set -g mode-keys   ${cfg.keyMode}

-    ${if cfg.keyMode == "vi" && cfg.customPaneNavigationAndResize then ''
+    ${if cfg.keyMode == "vi" then ''
    bind h select-pane -L
    bind j select-pane -D
    bind k select-pane -U
@@ -86,13 +86,6 @@ in {
        description = "Use 24 hour clock.";
      };

-      customPaneNavigationAndResize = mkOption {
-        default = false;
-        example = true;
-        type = types.bool;
-        description = "Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.";
-      };
-
      escapeTime = mkOption {
        default = 500;
        example = 0;
--- a/nixos/modules/programs/unity3d.nix
+++ b/nixos/modules/programs/unity3d.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.programs.unity3d;
+in {
+
+  options = {
+    programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
+  };
+
+  config = mkIf cfg.enable {
+    security.setuidOwners = [{
+      program = "unity-chrome-sandbox";
+      source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
+      owner = "root";
+      #group = "root";
+      setuid = true;
+      #setgid = true;
+    }];
+
+    environment.systemPackages = [ pkgs.unity3d ];
+  };
+
+}
--- a/nixos/modules/programs/xonsh.nix
+++ b/nixos/modules/programs/xonsh.nix
@@ -1,62 +0,0 @@
-# This module defines global configuration for the xonsh.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  cfge = config.environment;
-
-  cfg = config.programs.xonsh;
-
-in
-
-{
-
-  options = {
-
-    programs.xonsh = {
-
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to configure xnosh as an interactive shell.
-        '';
-        type = types.bool;
-      };
-
-      package = mkOption {
-        type = types.package;
-        example = literalExample "pkgs.xonsh.override { configFile = \"/path/to/xonshrc\"; }";
-        description = ''
-          xonsh package to use.
-        '';
-      };
-
-      config = mkOption {
-        default = "";
-        description = "Control file to customize your shell behavior.";
-        type = types.lines;
-      };
-
-    };
-
-  };
-
-  config = mkIf cfg.enable {
-
-    environment.etc."xonshrc".text = cfg.config;
-
-    environment.systemPackages = [ pkgs.xonsh ];
-
-    environment.shells =
-      [ "/run/current-system/sw/bin/xonsh"
-        "/var/run/current-system/sw/bin/xonsh"
-        "${pkgs.xonsh}/bin/xonsh"
-      ];
-
-  };
-
-}
-
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@@ -99,9 +99,9 @@ in

      interactiveShellInit = ''
        # history defaults
-        SAVEHIST=2000
-        HISTSIZE=2000
-        HISTFILE=$HOME/.zsh_history
+        export SAVEHIST=2000
+        export HISTSIZE=2000
+        export HISTFILE=$HOME/.zsh_history

        setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK

@@ -116,8 +116,6 @@ in
        done

        ${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""}
-
-        HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
      '';

    };
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -29,7 +29,7 @@ with lib;
    (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])

    (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
-    (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "")
+    (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ])

    # Old Grub-related options.
    (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
@@ -112,50 +112,21 @@ with lib;
    (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ])
    (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ])
    (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
-    (mkRemovedOptionModule [ "services" "iodined" "client" ] "")
-
-    # Grsecurity
-    (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
-
-    # Unity3D
-    (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
-
-    # fontconfig-ultimate
-    (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
-
-    # murmur
-    (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
+    (mkRemovedOptionModule [ "services" "iodined" "client" ])

    # Options that are obsolete and have no replacement.
-    (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
-    (mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
-    (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "")
-    (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "")
-    (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "")
-    (mkRemovedOptionModule [ "ec2" "metadata" ] "")
-    (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "")
-    (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "")
-    (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "")
-    (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]
-      "See the 16.09 release notes for more information.")
-    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
-    (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
+    (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ])
+    (mkRemovedOptionModule [ "programs" "bash" "enable" ])
+    (mkRemovedOptionModule [ "services" "samba" "defaultShare" ])
+    (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ])
+    (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ])
+    (mkRemovedOptionModule [ "ec2" "metadata" ])
+    (mkRemovedOptionModule [ "services" "openvpn" "enable" ])
+    (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
+    (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
+    (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
+    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ])
+    (mkRemovedOptionModule [ "services" "dovecot2" "package" ])
+
  ];
 }
--- a/Show More
+++ b/Show More