python-cryptography: FIX missing pytz dependency

.travis.yml

@@ -15,6 +15,8 @@ matrix:
         - os: osx
           osx_image: xcode7.3
           script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
+git:
+    depth: 1
 env:
     global:
         - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f

README.md

@@ -15,12 +15,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-16.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 
 ```
 % git remote update channels
-% git rebase channels/nixos-16.09
+% git rebase channels/nixos-16.03
 ```
 
 For pull-requests, please rebase onto nixpkgs `master`.
@@ -34,9 +34,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
+* [Continuous package builds for 16.03 release](https://hydra.nixos.org/jobset/nixos/release-16.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
+* [Tests for 16.03 release](https://hydra.nixos.org/job/nixos/release-16.03/tested#tabs-constituents)
 
 Communication:
 

doc/languages-frameworks/go.xml

@@ -24,7 +24,7 @@ deis = buildGoPackage rec {
     sha256 = "1qv9lxqx7m18029lj8cw3k7jngvxs4iciwrypdy0gd2nnghc68sw";
   };
 
-  goDeps = ./deps.nix; <co xml:id='ex-buildGoPackage-3' />
+  goDeps = ./deps.json; <co xml:id='ex-buildGoPackage-3' />
 
   buildFlags = "--tags release"; <co xml:id='ex-buildGoPackage-4' />
 }
@@ -56,9 +56,7 @@ the following arguments are of special significance to the function:
   <callout arearefs='ex-buildGoPackage-3'>
     <para>
       <varname>goDeps</varname> is where the Go dependencies of a Go program are listed
-      as a list of package source identified by Go import path.
-      It could be imported as a separate <varname>deps.nix</varname> file for
-      readability. The dependency data structure is described below.
+      in a JSON format described below.
     </para>
   </callout>
 
@@ -72,32 +70,23 @@ the following arguments are of special significance to the function:
 
 </para>
 
-<para>The <varname>goDeps</varname> attribute can be imported from a separate
-  <varname>nix</varname> file that defines which Go libraries are needed and should
-  be included in <varname>GOPATH</varname> for <varname>buildPhase</varname>.
+<para>The <varname>goDeps</varname> attribute should point to a JSON file that defines which Go libraries
+  are needed and should be included in <varname>GOPATH</varname> for <varname>buildPhase</varname>.
+
 </para>
 
-<example xml:id='ex-goDeps'><title>deps.nix</title>
+<example xml:id='ex-goDeps'><title>deps.json</title>
 <programlisting>
 [ <co xml:id='ex-goDeps-1' />
-  {
-    goPackagePath = "gopkg.in/yaml.v2"; <co xml:id='ex-goDeps-2' />
-    fetch = {
-      type = "git"; <co xml:id='ex-goDeps-3' />
-      url = "https://gopkg.in/yaml.v2";
-      rev = "a83829b6f1293c91addabc89d0571c246397bbf4";
-      sha256 = "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh";
-    };
-  }
-  {
-    goPackagePath = "github.com/docopt/docopt-go";
-    fetch = {
-      type = "git";
-      url = "https://github.com/docopt/docopt-go";
-      rev = "784ddc588536785e7299f7272f39101f7faccc3f";
-      sha256 = "0wwz48jl9fvl1iknvn9dqr4gfy1qs03gxaikrxxp9gry6773v3sj";
-    };
-  }
+    {
+        "goPackagePath": "gopkg.in/yaml.v2", <co xml:id='ex-goDeps-2' />
+        "fetch": {
+          "type": "git", <co xml:id='ex-goDeps-3' />
+          "url": "https://gopkg.in/yaml.v2",
+          "rev": "a83829b6f1293c91addabc89d0571c246397bbf4",
+          "sha256": "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh"
+        }
+    }
 ]
 </programlisting>
 </example>

doc/languages-frameworks/python.md

@@ -481,7 +481,7 @@ and the aliases
 #### `buildPythonPackage` function
 
 The `buildPythonPackage` function is implemented in
-`pkgs/development/interpreters/python/build-python-package.nix`
+`pkgs/development/python-modules/generic/default.nix`
 
 and can be used as:
 
@@ -536,7 +536,6 @@ All parameters from `mkDerivation` function are still supported.
 * `installFlags`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"].
 * `format`: Format of the source. Options are `setup` for when the source has a `setup.py` and `setuptools` is used to build a wheel, and `wheel` in case the source is already a binary wheel. The default value is `setup`.
 * `catchConflicts` If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.
-* `checkInputs` Dependencies needed for running the `checkPhase`. These are added to `buildInputs` when `doCheck = true`.
 
 #### `buildPythonApplication` function
 
@@ -716,8 +715,8 @@ Python attribute sets are created for each interpreter version. We will therefor
 In the following example we change the name of the package `pandas` to `foo`.
 ```
 newpkgs = pkgs.overridePackages(self: super: rec {
-  python35Packages = (super.python35Packages.override { self = python35Packages;})
-    // { pandas = super.python35Packages.pandas.override  {name = "foo";};
+  python35Packages = super.python35Packages.override {
+    self = python35Packages // { pandas = python35Packages.pandas.override{name="foo";};};
   };
 });
 ```
@@ -728,8 +727,8 @@ with import <nixpkgs> {};
 (let
 
 newpkgs = pkgs.overridePackages(self: super: rec {
-  python35Packages = (super.python35Packages.override { self = python35Packages;})
-    // { pandas = super.python35Packages.pandas.override  {name = "foo";};
+  python35Packages = super.python35Packages.override {
+    self = python35Packages // { pandas = python35Packages.pandas.override{name="foo";};};
   };
 });
 in newpkgs.python35.withPackages (ps: [ps.blaze])
@@ -744,7 +743,7 @@ with import <nixpkgs> {};
 
 newpkgs = pkgs.overridePackages(self: super: rec {
   python35Packages = super.python35Packages.override {
-    self = python35Packages // { scipy = python35Packages.scipy_0_17;};
+    self = python35Packages // { scipy = python35Packages.scipy_0_16;};
   };
 });
 in newpkgs.python35.withPackages (ps: [ps.blaze])
@@ -752,41 +751,23 @@ in newpkgs.python35.withPackages (ps: [ps.blaze])
 ```
 The requested package `blaze` depends upon `pandas` which itself depends on `scipy`.
 
-A similar example but now using `django`
-```
-with import <nixpkgs> {};
-
-(let
-
-newpkgs = pkgs.overridePackages(self: super: rec {
-  python27Packages = (super.python27Packages.override {self = python27Packages;})
-    // { django = super.python27Packages.django_1_9; };
-});
-in newpkgs.python27.withPackages (ps: [ps.django_guardian ])
-).env
-```
-
 ### `python setup.py bdist_wheel` cannot create .whl
 
-Executing `python setup.py bdist_wheel` in a `nix-shell `fails with
+Executing `python setup.py bdist_wheel` fails with
 ```
 ValueError: ZIP does not support timestamps before 1980
 ```
 This is because files are included that depend on items in the Nix store which have a timestamp of, that is, it corresponds to January the 1st, 1970 at 00:00:00. And as the error informs you, ZIP does not support that.
-The command `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`, and `nix-shell` sets this to 1. By setting it to a value corresponding to 1980 or later, or by unsetting it, it is possible to build wheels.
+Fortunately `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`. On Nix this value is set to 1. By setting it to a value correspond to 1980 or later it is possible to build wheels.
 
 Use 1980 as timestamp:
 ```
-nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"
+SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel
 ```
 or the current time:
 ```
-nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
+SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel
 ```
-or unset:
-"""
-nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
-"""
 
 ### `install_data` / `data_files` problems
 

doc/multiple-output.xml

@@ -29,15 +29,15 @@
 
 <section><title>Using a split package</title>
   <para>In the Nix language the individual outputs can be reached explicitly as attributes, e.g. <varname>coreutils.info</varname>, but the typical case is just using packages as build inputs.</para>
-  <para>When a multiple-output derivation gets into a build input of another derivation, the <varname>dev</varname> output is added if it exists, otherwise the first output is added. In addition to that, <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname> are also added. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
+  <para>When a multiple-output derivation gets into a build input of another derivation, the first output is added (<varname>.dev</varname> by convention) and also <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname>. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
 </section>
 
 
 <section><title>Writing a split derivation</title>
   <para>Here you find how to write a derivation that produces multiple outputs.</para>
   <para>In nixpkgs there is a framework supporting multiple-output derivations. It tries to cover most cases by default behavior.  You can find the source separated in &lt;<filename>nixpkgs/pkgs/build-support/setup-hooks/multiple-outputs.sh</filename>&gt;; it's relatively well-readable.  The whole machinery is triggered by defining the <varname>outputs</varname> attribute to contain the list of desired output names (strings).</para>
-  <programlisting>outputs = [ "bin" "dev" "out" "doc" ];</programlisting>
-  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should contain the executable programs provided by the package as that output is used by Nix in string conversions, allowing references to binaries like <literal>${pkgs.perl}/bin/perl</literal> to always work. Typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>
+  <programlisting>outputs = [ "dev" "out" "bin" "doc" ];</programlisting>
+  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should usually be <varname>dev</varname>; typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>
 
   <note><para>There is a special handling of the <varname>debug</varname> output, described at <xref linkend="stdenv-separateDebugInfo" />.</para></note>
 
@@ -63,7 +63,7 @@
         </para></listitem></varlistentry>
       <varlistentry><term><varname>
         $outputDocdev</varname></term><listitem><para>
-        is for <emphasis>developer</emphasis> documentation.  Currently we count gtk-doc and man3 pages in there.  It goes to <varname>devdoc</varname> or is removed (!) by default.  This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.
+        is for <emphasis>developer</emphasis> documentation.  Currently we count gtk-doc and man3 pages in there.  It goes to <varname>docdev</varname> or is removed (!) by default.  This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.
         </para></listitem></varlistentry>
       <varlistentry><term><varname>
         $outputMan</varname></term><listitem><para>

doc/old/update-upstream-data.txt

@@ -0,0 +1,14 @@
+Semi-automatic source information updating using "update-upstream-data.sh" script and "src-{,info-}for-*.nix"
+
+1. Recognizing when a pre-existing package uses this mechanism.
+
+Packages using this automatical update mechanism have src-info-for-default.nix and src-for-default.nix next to default.nix. src-info-for-default.nix describes getting the freshest source from upstream web site; src-for-default.nix is a generated file with the current data about used source. Both files define a simple attrSet. 
+
+src-info-for-default.nix (for a file grabbed via http) contains at least downloadPage attribute - it is the page we need to look at to find out the latest version. It also contains baseName that is used for automatical generation of package name containing version. It can contain extra data for trickier cases.
+
+src-for-default.nix will contain advertisedUrl (raw URL chosen on the site; its change prompts regeneration of source data), url for fetchurl, hash, version retrieved from the download URL and suggested package name.
+
+2. Updating a package
+
+nixpkgs/pkgs/build-support/upstream-updater directory contains some scripts. The worker script is called update-upstream-data.sh. This script requires main expression name (e.g. default.nix). It can optionally accpet a second parameter, URL which will be used instead of getting one by parsing the downloadPage (version extraction, mirror URL creation etc. will still be run). After running the script, check src-for-default.nix (or replace default.nix with expression name, if there are seceral expressions in the directory) for new version information.
+

doc/stdenv.xml

@@ -557,8 +557,8 @@ script) if it exists.</para>
 
   <varlistentry>
     <term><varname>configureFlags</varname></term>
-    <listitem><para>A list of strings passed as additional arguments to the
-    configure script.</para></listitem>
+    <listitem><para>Additional arguments passed to the configure
+    script.</para></listitem>
   </varlistentry>
 
   <varlistentry>
@@ -658,7 +658,7 @@ nothing.</para>
 
   <varlistentry>
     <term><varname>makeFlags</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
     <command>make</command>.  These flags are also used by the default
     install and check phase.  For setting make flags specific to the
     build phase, use <varname>buildFlags</varname> (see
@@ -685,7 +685,7 @@ makeFlagsArray=(CFLAGS="-O0 -g" LDFLAGS="-lfoo -lbar")
 
   <varlistentry>
     <term><varname>buildFlags</varname> / <varname>buildFlagsArray</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
     <command>make</command>.  Like <varname>makeFlags</varname> and
     <varname>makeFlagsArray</varname>, but only used by the build
     phase.</para></listitem>
@@ -753,7 +753,7 @@ doCheck = true;</programlisting>
 
   <varlistentry>
     <term><varname>checkFlags</varname> / <varname>checkFlagsArray</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
     <command>make</command>.  Like <varname>makeFlags</varname> and
     <varname>makeFlagsArray</varname>, but only used by the check
     phase.</para></listitem>
@@ -808,7 +808,7 @@ installTargets = "install-bin install-doc";</programlisting>
 
   <varlistentry>
     <term><varname>installFlags</varname> / <varname>installFlagsArray</varname></term>
-    <listitem><para>A list of strings passed as additional flags to
+    <listitem><para>Additional flags passed to
     <command>make</command>.  Like <varname>makeFlags</varname> and
     <varname>makeFlagsArray</varname>, but only used by the install
     phase.</para></listitem>

lib/attrsets.nix

@@ -296,17 +296,12 @@ rec {
 
   /* Converts a store path to a fake derivation. */
   toDerivation = path:
-    let
-      path' = builtins.storePath path;
-      res =
-        { type = "derivation";
-          name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
-          outPath = path';
-          outputs = [ "out" ];
-          out = res;
-          outputName = "out";
-        };
-    in res;
+    let path' = builtins.storePath path; in
+    { type = "derivation";
+      name = builtins.unsafeDiscardStringContext (builtins.substring 33 (-1) (baseNameOf path'));
+      outPath = path';
+      outputs = [ "out" ];
+    };
 
 
   /* If `cond' is true, return the attribute set `as',
@@ -459,8 +454,6 @@ rec {
   getLib = getOutput "lib";
   getDev = getOutput "dev";
 
-  /* Pick the outputs of packages to place in buildInputs */
-  chooseDevOutputs = drvs: builtins.map getDev drvs;
 
   /*** deprecated stuff ***/
 

lib/maintainers.nix

@@ -97,7 +97,6 @@
   cwoac = "Oliver Matthews <oliver@codersoffortune.net>";
   DamienCassou = "Damien Cassou <damien@cassou.me>";
   dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
-  danbst = "Danylo Hlynskyi <abcz2.uprola@gmail.com>";
   davidak = "David Kleuker <post@davidak.de>";
   davidrusu = "David Rusu <davidrusu.me@gmail.com>";
   dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";

nixos/doc/manual/release-notes/rl-1509.xml

@@ -471,7 +471,7 @@ in
   <listitem> <para>
     A newly packaged TeX Live 2015 is provided in <literal>pkgs.texlive</literal>,
     split into 6500 nix packages. For basic user documentation see
-    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive/default.nix#L1"
+    <link xlink:href="https://github.com/NixOS/nixpkgs/blob/release-15.09/pkgs/tools/typesetting/tex/texlive-new/default.nix#L1"
       >the source</link>.
     Beware of <link xlink:href="https://github.com/NixOS/nixpkgs/issues/9757"
       >an issue</link> when installing a too large package set.

nixos/doc/manual/release-notes/rl-1609.xml

@@ -4,7 +4,7 @@
          version="5.0"
          xml:id="sec-release-16.09">
 
-<title>Release 16.09 (“Flounder”, 2016/09/30)</title>
+<title>Release 16.09 (“Flounder”, 2016/09/??)</title>
 
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@@ -12,137 +12,28 @@ has the following highlights: </para>
 <itemizedlist>
 
   <listitem>
-    <para>Many NixOS configurations and Nix packages now use
-    significantly less disk space, thanks to the <link
-    xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
-    work on closure size reduction</link>. For example, the closure
-    size of a minimal NixOS container went down from ~424 MiB in 16.03
-    to ~212 MiB in 16.09, while the closure size of Firefox went from
-    ~651 MiB to ~259 MiB.</para>
+    <para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
+    See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
   </listitem>
 
   <listitem>
-    <para>To improve security, packages are now <link
-    xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
-    using various hardening features</link>. See the Nixpkgs manual
-    for more information.</para>
+    <para>Xorg-server-1.18.*. If you choose <literal>"ati_unfree"</literal> driver,
+    1.17.* is still used due to ABI incompatibility.</para>
   </listitem>
-
-  <listitem>
-    <para>Support for PXE netboot.  See <xref
-    linkend="sec-booting-from-pxe" /> for documentation.</para>
-  </listitem>
-
-  <listitem>
-    <para>X.org server 1.18. If you use the
-    <literal>ati_unfree</literal> driver, 1.17 is still used due to an
-    ABI incompatibility.</para>
-  </listitem>
-
-  <listitem>
-    <para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd
-    231. The default Linux kernel remains 4.4.</para>
-  </listitem>
-
 </itemizedlist>
 
 <para>The following new services were added since the last release:</para>
 
-<itemizedlist>
-  <listitem><para><literal>hardware/video/amdgpu.nix</literal></para></listitem>
-  <listitem><para><literal>hardware/video/displaylink.nix</literal></para></listitem>
-  <listitem><para><literal>programs/info.nix</literal></para></listitem>
-  <listitem><para><literal>programs/mosh.nix</literal></para></listitem>
-  <listitem><para><literal>programs/spacefm.nix</literal></para></listitem>
-  <listitem><para><literal>programs/tmux.nix</literal></para></listitem>
-  <listitem><para><literal>programs/xonsh.nix</literal></para></listitem>
-  <listitem><para><literal>security/chromium-suid-sandbox.nix</literal></para></listitem>
-  <listitem><para><literal>security/hidepid.nix</literal></para></listitem>
-  <listitem><para><literal>services/audio/squeezelite.nix</literal></para></listitem>
-  <listitem><para><literal>services/backup/znapzend.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/buildkite-agent.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/hydra/default.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/gocd-agent/default.nix</literal></para></listitem>
-  <listitem><para><literal>services/continuous-integration/gocd-server/default.nix</literal></para></listitem>
-  <listitem><para><literal>services/development/hoogle.nix</literal></para></listitem>
-  <listitem><para><literal>services/editors/emacs.nix</literal></para></listitem>
-  <listitem><para><literal>services/games/factorio.nix</literal></para></listitem>
-  <listitem><para><literal>services/games/terraria.nix</literal></para></listitem>
-  <listitem><para><literal>services/logging/awstats.nix</literal></para></listitem>
-  <listitem><para><literal>services/logging/graylog.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/emby.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/mantisbt.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/nzbget.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/packagekit.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/sonarr.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/spice-vdagentd.nix</literal></para></listitem>
-  <listitem><para><literal>services/misc/taskserver</literal></para></listitem>
-  <listitem><para><literal>services/network-filesystems/tahoe.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/coturn.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/ferm.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/gdomap.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/libreswan.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/logmein-hamachi.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/mfi.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/mjpg-streamer.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/mosquitto.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/nntp-proxy.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/offlineimap.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/pptpd.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/sniproxy.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/smokeping.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/toxvpn.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/xl2tpd.nix</literal></para></listitem>
-  <listitem><para><literal>services/networking/zerobin.nix</literal></para></listitem>
-  <listitem><para><literal>services/security/oauth2_proxy.nix</literal></para></listitem>
-  <listitem><para><literal>services/torrent/flexget.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-apps/mattermost.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-apps/tt-rss.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-servers/caddy.nix</literal></para></listitem>
-  <listitem><para><literal>services/web-servers/lighttpd/inginious.nix</literal></para></listitem>
-  <listitem><para><literal>services/x11/compton.nix</literal></para></listitem>
-  <listitem><para><literal>services/x11/xbanish.nix</literal></para></listitem>
-  <listitem><para><literal>system/boot/loader/systemd-boot/systemd-boot.nix</literal></para></listitem>
-  <listitem><para><literal>system/boot/plymouth.nix</literal></para></listitem>
-  <listitem><para><literal>virtualisation/xe-guest-utilities.nix</literal></para></listitem>
-</itemizedlist>
+  <itemizedlist>
+    <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
+  </itemizedlist>
+
 
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 
 <itemizedlist>
 
-  <listitem>
-    <para>A large number of packages have been converted to use the multiple outputs feature
-      of Nix to greatly reduce the amount of required disk space, as
-      mentioned above. This may require changes
-      to any custom packages to make them build again; see the relevant chapter in the
-      Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
-      related to multiple-output packages
-      <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
-      late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
-    </para>
-  </listitem>
-
-  <listitem>
-    <para>Previous versions of Nixpkgs had support for all versions of the LTS
-    Haskell package set. That support has been dropped. The previously provided
-    <literal>haskell.packages.lts-x_y</literal> package sets still exist in
-    name to aviod breaking user code, but these package sets don't actually
-    contain the versions mandated by the corresponding LTS release. Instead,
-    our package set it loosely based on the latest available LTS release, i.e.
-    LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
-    drop those old names entirely. <link
-    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020585.html">The
-    motivation for this change</link> has been discussed at length on the
-    <literal>nix-dev</literal> mailing list and in <link
-    xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github issue
-    #14897</link>. Development strategies for Haskell hackers who want to rely
-    on Nix and NixOS have been described in <link
-    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020642.html">another
-    nix-dev article</link>.</para>
-  </listitem>
-
   <listitem>
     <para>Shell aliases for systemd sub-commands
     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
@@ -156,27 +47,8 @@ following incompatible changes:</para>
   </listitem>
 
   <listitem>
-    <para>
-      <literal>/var/empty</literal> is now immutable. Activation script runs <command>chattr +i</command>
-      to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
-      the pull request</link> for what bugs this caused.
-    </para>
-  </listitem>
-
-  <listitem>
-  <para>
-     Using packages compiled with older Wayland may yield an error "undefined reference to `wl_proxy_*`".
-     Please upgrade those packages and <link xlink:href="https://github.com/NixOS/nixpkgs/issues/16779">see bug report for more details.</link>
-  </para>
-  </listitem>
-
-  <listitem>
-    <para>Gitlab's maintainance script
-    <command>gitlab-runner</command> was removed and split up into the
-    more clearer <command>gitlab-run</command> and
-    <command>gitlab-rake</command> scripts, because
-    <command>gitlab-runner</command> is a component of Gitlab
-    CI.</para>
+    <para>Gitlab's maintainence script gitlab-runner was removed and split up into the more clearer
+      gitlab-run and gitlab-rake scripts because gitlab-runner is a component of Gitlab CI.</para>
   </listitem>
 
   <listitem>
@@ -189,44 +61,11 @@ following incompatible changes:</para>
   <listitem>
     <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
     because our presets were obsolete for some time. New presets are hardcoded
-    into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
+    into freetype; one selects a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
     You can customize those presets via ordinary environment variables, using
     <literal>environment.variables</literal>.</para>
   </listitem>
 
-  <listitem>
-    <para>The <literal>audit</literal> service is no longer enabled by default.
-    Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para>
-  </listitem>
-
-  <listitem>
-    <para>
-      <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
-      kernel modules instead of the VirtualBox user space binaries.
-      If you want to reference the user space binaries, you have to use the new
-      <literal>pkgs.virtualbox</literal> instead.
-    </para>
-  </listitem>
-
-  <listitem>
-    <para><literal>goPackages</literal> was replaced with separated Go
-    applications in appropriate <literal>nixpkgs</literal>
-    categories. Each Go package uses its own dependency set. There's
-    also a new <literal>go2nix</literal> tool introduced to generate a
-    Go package definition from its Go source automatically.</para>
-  </listitem>
-
-  <listitem>
-    <para><literal>services.mongodb.extraConfig</literal> configuration format
-    was changed to YAML.</para>
-  </listitem>
-
-  <listitem>
-    <para>
-      PHP has been upgraded to 7.0
-    </para>
-  </listitem>
-
 </itemizedlist>
 
 
@@ -242,60 +81,6 @@ following incompatible changes:</para>
   functionality.  See <xref linkend="sec-grsecurity" /> for documentation
   </para></listitem>
 
-  <listitem><para>Special filesystems, like <literal>/proc</literal>,
-  <literal>/run</literal> and others, now have the same mount options
-  as recommended by systemd and are unified across different places in
-  NixOS.  Mount options are updated during <command>nixos-rebuild
-  switch</command> if possible. One benefit from this is improved
-  security — most such filesystems are now mounted with
-  <literal>noexec</literal>, <literal>nodev</literal> and/or
-  <literal>nosuid</literal> options.</para></listitem>
-
-  <listitem><para>The reverse path filter was interfering with DHCPv4 server
-  operation in the past. An exception for DHCPv4 and a new option to log
-  packets that were dropped due to the reverse path filter was added
-  (<literal>networking.firewall.logReversePathDrops</literal>) for easier
-  debugging.</para></listitem>
-
-  <listitem><para>Containers configuration within
-  <literal>containers.&lt;name&gt;.config</literal> is <link
-  xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
-  properly typed and checked</link>. In particular, partial
-  configurations are merged correctly.</para></listitem>
-
-  <listitem>
-    <para>The directory container setuid wrapper programs,
-    <filename>/var/setuid-wrappers</filename>, <link
-    xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
-    updated atomically to prevent failures if the switch to a new
-    configuration is interrupted.</link></para>
-  </listitem>
-
-  <listitem>
-    <para><literal>services.xserver.startGnuPGAgent</literal>
-      has been removed due to GnuPG 2.1.x bump. See <link
-        xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
-        how to achieve similar behavior</link>. You might need to
-      <literal>pkill gpg-agent</literal> after the upgrade
-      to prevent a stale agent being in the way.
-    </para>
-  </listitem>
-
-  <listitem><para>
-    <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
-    Declarative users could share the uid due to the bug in
-    the script handling conflict resolution.
-    </link>
-  </para></listitem>
-
-  <listitem><para>
-    Gummi boot has been replaced using systemd-boot.
-  </para></listitem>
-
-  <listitem><para>
-    Hydra package and NixOS module were added for convenience.
-  </para></listitem>
-
 </itemizedlist>
 
 

nixos/lib/test-driver/Machine.pm

@@ -566,25 +566,14 @@ sub getWindowNames {
 }
 
 
-sub hasWindow {
-    my ($self, $regexp) = @_;
-    my @names = $self->getWindowNames;
-    foreach my $n (@names) {
-        if ($n =~ /$regexp/) {
-            $self->log("match '$n' on '$regexp'");
-            return 1;
-        } else {
-            $self->log("no match '$n' on '$regexp'");
-        }
-    }
-}
-
-
 sub waitForWindow {
     my ($self, $regexp) = @_;
     $self->nest("waiting for a window to appear", sub {
         retry sub {
-            return $self->hasWindow($regexp)
+            my @names = $self->getWindowNames;
+            foreach my $n (@names) {
+                return 1 if $n =~ /$regexp/;
+            }
         }
     });
 }

nixos/lib/testing.nix

@@ -157,7 +157,9 @@ rec {
         ${coreutils}/bin/mkdir -p $TMPDIR
         cd $TMPDIR
 
-        exec $origBuilder $origArgs
+        $origBuilder $origArgs
+
+        exit $?
       '';
 
       testScript = ''
@@ -170,22 +172,9 @@ rec {
       '';
 
       vmRunCommand = writeText "vm-run" ''
-        xchg=vm-state-client/xchg
         ${coreutils}/bin/mkdir $out
-        ${coreutils}/bin/mkdir -p $xchg
-
-        for i in $passAsFile; do
-          i2=''${i}Path
-          _basename=$(${coreutils}/bin/basename ''${!i2})
-          ${coreutils}/bin/cp ''${!i2} $xchg/$_basename
-          eval $i2=/tmp/xchg/$_basename
-          ${coreutils}/bin/ls -la $xchg
-        done
-
-        unset i i2 _basename
-        export | ${gnugrep}/bin/grep -v '^xchg=' > $xchg/saved-env
-        unset xchg
-
+        ${coreutils}/bin/mkdir -p vm-state-client/xchg
+        export > vm-state-client/xchg/saved-env
         export tests='${testScript}'
         ${testDriver}/bin/nixos-test-driver ${vm.config.system.build.vm}/bin/run-*-vm
       ''; # */

nixos/modules/config/fonts/fonts.nix

@@ -11,28 +11,18 @@ with lib;
       # TODO: find another name for it.
       fonts = mkOption {
         type = types.listOf types.path;
-        default = [];
         example = literalExample "[ pkgs.dejavu_fonts ]";
         description = "List of primary font paths.";
       };
 
-      enableDefaultFonts = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable a basic set of fonts providing several font styles
-          and families and reasonable coverage of Unicode.
-        '';
-      };
-
     };
 
   };
 
   config = {
 
-    fonts.fonts = mkIf config.fonts.enableDefaultFonts
-      [
+    fonts.fonts =
+      [ pkgs.xorg.fontbhttf
         pkgs.xorg.fontbhlucidatypewriter100dpi
         pkgs.xorg.fontbhlucidatypewriter75dpi
         pkgs.dejavu_fonts

nixos/modules/config/swap.nix

@@ -54,10 +54,6 @@ let
           WARNING: Don't try to hibernate when you have at least one swap partition with
           this option enabled! We have no way to set the partition into which hibernation image
           is saved, so if your image ends up on an encrypted one you would lose it!
-
-          WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
-          when using randomEncryption as the UUIDs and labels will get erased on every boot when
-          the partition is encrypted. Best to use /dev/disk/by-partuuid/…
         '';
       };
 
@@ -76,7 +72,7 @@ let
     config = rec {
       device = mkIf options.label.isDefined
         "/dev/disk/by-label/${config.label}";
-      deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
+      deviceName = escapeSystemdPath config.device;
       realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;
     };
 
@@ -125,8 +121,6 @@ in
 
         createSwapDevice = sw:
           assert sw.device != "";
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);
           let realDevice' = escapeSystemdPath sw.realDevice;
           in nameValuePair "mkswap-${sw.deviceName}"
           { description = "Initialisation of swap device ${sw.device}";

nixos/modules/config/system-path.nix

@@ -34,10 +34,10 @@ let
       config.programs.ssh.package
       pkgs.perl
       pkgs.procps
-      pkgs.rsync # used by nixos-install anyway
       pkgs.strace
       pkgs.su
       pkgs.time
+      pkgs.texinfoInteractive
       pkgs.utillinux
       pkgs.which # 88K size
     ];
@@ -76,7 +76,7 @@ in
       extraOutputsToInstall = mkOption {
         type = types.listOf types.str;
         default = [ ];
-        example = [ "doc" "info" "devdoc" ];
+        example = [ "doc" "info" "docdev" ];
         description = "List of additional package outputs to be symlinked into <filename>/run/current-system/sw</filename>.";
       };
 
@@ -104,6 +104,7 @@ in
         "/etc/xdg"
         "/etc/gtk-2.0"
         "/etc/gtk-3.0"
+        "/info"
         "/lib" # FIXME: remove and update debug-info.nix
         "/sbin"
         "/share/applications"
@@ -111,6 +112,7 @@ in
         "/share/doc"
         "/share/emacs"
         "/share/icons"
+        "/share/info"
         "/share/menus"
         "/share/mime"
         "/share/nano"

nixos/modules/config/update-users-groups.pl

@@ -52,8 +52,8 @@ foreach my $g (@{$spec->{groups}}) {
     $gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
 }
 
-foreach my $u (@{$spec->{users}}) {
-    $uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
+foreach my $u (@{$spec->{groups}}) {
+    $uidsUsed{$u->{u}} = 1 if defined $u->{uid};
 }
 
 # Read the current /etc/group.

nixos/modules/hardware/opengl.nix

@@ -14,7 +14,7 @@ let
     name = "mesa-drivers+txc-${p.mesa_drivers.version}";
     paths =
       [ p.mesa_drivers
-        p.mesa_drivers.out # mainly for libGL
+        p.mesa_noglu # mainly for libGL
         (if cfg.s3tcSupport then p.libtxc_dxtn else p.libtxc_dxtn_s2tc)
       ];
   };

nixos/modules/hardware/video/displaylink.nix

@@ -1,61 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
-
-  enabled = elem "displaylink" config.services.xserver.videoDrivers;
-
-  displaylink = config.boot.kernelPackages.displaylink;
-
-in
-
-{
-
-  config = mkIf enabled {
-
-    boot.extraModulePackages = [ displaylink ];
-
-    boot.kernelModules = [ "evdi" ];
-
-    # Those are taken from displaylink-installer.sh and from Arch Linux AUR package.
-
-    services.udev.extraRules = ''
-      ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="17e9", ATTR{bNumInterfaces}=="*5", TAG+="uaccess"
-    '';
-
-    powerManagement.powerDownCommands = ''
-      #flush any bytes in pipe
-      while read -n 1 -t 1 SUSPEND_RESULT < /tmp/PmMessagesPort_out; do : ; done;
-
-      #suspend DisplayLinkManager
-      echo "S" > /tmp/PmMessagesPort_in
-
-      #wait until suspend of DisplayLinkManager finish
-      read -n 1 -t 10 SUSPEND_RESULT < /tmp/PmMessagesPort_out
-    '';
-
-    powerManagement.resumeCommands = ''
-      #resume DisplayLinkManager
-      echo "R" > /tmp/PmMessagesPort_in
-    '';
-
-    systemd.services.displaylink = {
-      description = "DisplayLink Manager Service";
-      after = [ "display-manager.service" ];
-      wantedBy = [ "graphical.target" ];
-
-      serviceConfig = {
-        ExecStart = "${displaylink}/bin/DisplayLinkManager";
-        Restart = "always";
-        RestartSec = 5;
-      };
-
-      preStart = ''
-        mkdir -p /var/log/displaylink
-      '';
-    };
-
-  };
-
-}

nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix

@@ -107,7 +107,4 @@ with lib;
       '';
     };
 
-  # Disable large stuff that's not very useful on the installation CD.
-  services.xserver.desktopManager.kde4.enablePIM = false;
-
 }

nixos/modules/installer/tools/nix-fallback-paths.nix

@@ -1,5 +0,0 @@
-{
-  x86_64-linux = "/nix/store/i4mwf2gpvar7dqvlpp5m86llbq3ahbvb-nix-1.11.4";
-  i686-linux = "/nix/store/a3gjrbspb0q4hs3sv5g1y2nza43i8nzv-nix-1.11.4";
-  x86_64-darwin = "/nix/store/7v21yd3qpv0nclcy5cqr5njj9bril12s-nix-1.11.4";
-}

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -527,11 +527,8 @@ EOF
   # Use the GRUB 2 boot loader.
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
-  # boot.loader.grub.efiSupport = true;
-  # boot.loader.grub.efiInstallAsRemovable = true;
-  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
   # Define on which hard drive you want to install Grub.
-  # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+  # boot.loader.grub.device = "/dev/sda";
 EOF
         }
 

nixos/modules/installer/tools/nixos-install.sh

@@ -92,13 +92,14 @@ fi
 mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home
 mkdir -m 01777 -p $mountPoint/tmp
 mkdir -m 0755 -p $mountPoint/tmp/root
-mkdir -m 0755 -p $mountPoint/var
+mkdir -m 0755 -p $mountPoint/var/setuid-wrappers
 mkdir -m 0700 -p $mountPoint/root
 mount --rbind /dev $mountPoint/dev
 mount --rbind /proc $mountPoint/proc
 mount --rbind /sys $mountPoint/sys
 mount --rbind / $mountPoint/tmp/root
 mount -t tmpfs -o "mode=0755" none $mountPoint/run
+mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
 for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
@@ -259,7 +260,7 @@ chroot $mountPoint /nix/var/nix/profiles/system/activate
 
 
 # Ask the user to set a root password.
-if [ -z "$noRootPasswd" ] && chroot $mountPoint [ -x /var/setuid-wrappers/passwd ] && [ -t 0 ]; then
+if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/setuid-wrappers/passwd ] && [ -t 0 ]; then
     echo "setting root password..."
     chroot $mountPoint /var/setuid-wrappers/passwd
 fi

nixos/modules/installer/tools/nixos-rebuild.sh

@@ -261,9 +261,9 @@ fi
 prebuiltNix() {
     machine="$1"
     if [ "$machine" = x86_64 ]; then
-        echo @nix_x86_64_linux@
+        echo /nix/store/xryr9g56h8yjddp89d6dw12anyb4ch7c-nix-1.10
     elif [[ "$machine" =~ i.86 ]]; then
-        echo @nix_i686_linux@
+        echo /nix/store/2w92k5wlpspf0q2k9mnf2z42prx3bwmv-nix-1.10
     else
         echo "$0: unsupported platform"
         exit 1

nixos/modules/installer/tools/tools.nix

@@ -32,15 +32,11 @@ let
       "cp refs $out";
   };
 
-  nixos-rebuild =
-    let fallback = import ./nix-fallback-paths.nix; in
-    makeProg {
-      name = "nixos-rebuild";
-      src = ./nixos-rebuild.sh;
-      nix = config.nix.package.out;
-      nix_x86_64_linux = fallback.x86_64-linux;
-      nix_i686_linux = fallback.i686-linux;
-    };
+  nixos-rebuild = makeProg {
+    name = "nixos-rebuild";
+    src = ./nixos-rebuild.sh;
+    nix = config.nix.package.out;
+  };
 
   nixos-generate-config = makeProg {
     name = "nixos-generate-config";

nixos/modules/misc/ids.nix

@@ -120,6 +120,7 @@
       minidlna = 91;
       elasticsearch = 92;
       tcpcryptd = 93; # tcpcryptd uses a hard-coded uid. We patch it in Nixpkgs to match this choice.
+      #connman = 94; # unused
       firebird = 95;
       #keys = 96; # unused
       haproxy = 97;
@@ -180,6 +181,7 @@
       systemd-timesync = 154;
       liquidsoap = 155;
       etcd = 156;
+      docker-registry = 157;
       hbase = 158;
       opentsdb = 159;
       scollector = 160;
@@ -375,6 +377,7 @@
       minidlna = 91;
       elasticsearch = 92;
       #tcpcryptd = 93; # unused
+      connman = 94;
       firebird = 95;
       keys = 96;
       haproxy = 97;
@@ -433,6 +436,7 @@
       systemd-timesync = 154;
       liquidsoap = 155;
       #etcd = 156; # unused
+      #docker-registry = 157; # unused
       hbase = 158;
       opentsdb = 159;
       scollector = 160;

nixos/modules/misc/version.nix

@@ -78,7 +78,7 @@ in
     defaultChannel = mkOption {
       internal = true;
       type = types.str;
-      default = https://nixos.org/channels/nixos-16.09;
+      default = https://nixos.org/channels/nixos-unstable;
       description = "Default NixOS channel to which the root user is subscribed.";
     };
 

nixos/modules/module-list.nix

@@ -40,7 +40,6 @@
   ./hardware/video/amdgpu.nix
   ./hardware/video/ati.nix
   ./hardware/video/bumblebee.nix
-  ./hardware/video/displaylink.nix
   ./hardware/video/nvidia.nix
   ./hardware/video/webcam/facetimehd.nix
   ./i18n/input-method/default.nix
@@ -67,9 +66,8 @@
   ./programs/command-not-found/command-not-found.nix
   ./programs/dconf.nix
   ./programs/environment.nix
-  ./programs/fish.nix
   ./programs/freetds.nix
-  ./programs/info.nix
+  ./programs/fish.nix
   ./programs/kbdlight.nix
   ./programs/light.nix
   ./programs/man.nix
@@ -230,6 +228,7 @@
   ./services/misc/dictd.nix
   ./services/misc/dysnomia.nix
   ./services/misc/disnix.nix
+  ./services/misc/docker-registry.nix
   ./services/misc/emby.nix
   ./services/misc/etcd.nix
   ./services/misc/felix.nix
@@ -333,6 +332,7 @@
   ./services/networking/dnschain.nix
   ./services/networking/dnscrypt-proxy.nix
   ./services/networking/dnsmasq.nix
+  ./services/networking/docker-registry-server.nix
   ./services/networking/ejabberd.nix
   ./services/networking/fan.nix
   ./services/networking/ferm.nix

nixos/modules/profiles/minimal.nix

@@ -11,7 +11,4 @@ with lib;
   # This isn't perfect, but let's expect the user specifies an UTF-8 defaultLocale
   i18n.supportedLocales = [ (config.i18n.defaultLocale + "/UTF-8") ];
   services.nixosManual.enable = mkDefault false;
-
-  programs.man.enable = mkDefault false;
-  programs.info.enable = mkDefault false;
 }

nixos/modules/programs/info.nix

@@ -1,30 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  options = {
-
-    programs.info.enable = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        Whether to enable info pages and the <command>info</command> command.
-      '';
-    };
-
-  };
-
-
-  config = mkIf config.programs.info.enable {
-
-    environment.systemPackages = [ pkgs.texinfoInteractive ];
-
-    environment.pathsToLink = [ "/info" "/share/info" ];
-
-    environment.extraOutputsToInstall = [ "info" ];
-
-  };
-
-}

nixos/modules/programs/shadow.nix

@@ -99,6 +99,7 @@ in
         groupdel = { rootOK = true; };
         login = { startSession = true; allowNullPassword = true; showMotd = true; updateWtmp = true; };
         chpasswd = { rootOK = true; };
+        chgpasswd = { rootOK = true; };
       };
 
     security.setuidPrograms = [ "su" "chfn" ]

nixos/modules/programs/ssh.nix

@@ -56,6 +56,7 @@ in
 
       setXAuthLocation = mkOption {
         type = types.bool;
+        default = config.services.xserver.enable;
         description = ''
           Whether to set the path to <command>xauth</command> for X11-forwarded connections.
           This causes a dependency on X11 packages.
@@ -164,9 +165,6 @@ in
 
   config = {
 
-    programs.ssh.setXAuthLocation =
-      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11);
-
     assertions =
       [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
           message = "cannot enable X11 forwarding without setting XAuth location";

nixos/modules/programs/zsh/zsh.nix

@@ -99,9 +99,9 @@ in
 
       interactiveShellInit = ''
         # history defaults
-        SAVEHIST=2000
-        HISTSIZE=2000
-        HISTFILE=$HOME/.zsh_history
+        export SAVEHIST=2000
+        export HISTSIZE=2000
+        export HISTFILE=$HOME/.zsh_history
 
         setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK
 

nixos/modules/rename.nix

@@ -140,9 +140,6 @@ with lib;
     # fontconfig-ultimate
     (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
 
-    # murmur
-    (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
-
     # Options that are obsolete and have no replacement.
     (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
     (mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
@@ -154,7 +151,7 @@ with lib;
     (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "")
     (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "")
     (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]
-      "See the 16.09 release notes for more information.")
+      "See the 16.03 release notes for more information.")
     (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
     (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
   ];

nixos/modules/security/acme.nix

@@ -166,8 +166,7 @@ in
                           ++ concatLists (mapAttrsToList (name: root: [ "-d" (if root == null then name else "${name}:${root}")]) data.extraDomains);
                 acmeService = {
                   description = "Renew ACME Certificate for ${cert}";
-                  after = [ "network.target" "network-online.target" ];
-                  wants = [ "network-online.target" ];
+                  after = [ "network.target" ];
                   serviceConfig = {
                     Type = "oneshot";
                     SuccessExitStatus = [ "0" "1" ];

nixos/modules/security/audit.nix

@@ -4,7 +4,6 @@ with lib;
 
 let
   cfg = config.security.audit;
-  enabled = cfg.enable == "lock" || cfg.enable;
 
   failureModes = {
     silent = 0;
@@ -12,13 +11,6 @@ let
     panic  = 2;
   };
 
-  disableScript = pkgs.writeScript "audit-disable" ''
-    #!${pkgs.stdenv.shell} -eu
-    # Explicitly disable everything, as otherwise journald might start it.
-    auditctl -D
-    auditctl -e 0 -a task,never
-  '';
-
   # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
   # put in the store like this. At the same time, it doesn't feel like a huge deal and working
   # around that is a pain so I'm leaving it like this for now.
@@ -55,7 +47,7 @@ in {
     security.audit = {
       enable = mkOption {
         type        = types.enum [ false true "lock" ];
-        default     = false;
+        default     = true; # The kernel seems to enable it by default with no rules anyway
         description = ''
           Whether to enable the Linux audit system. The special `lock' value can be used to
           enable auditing and prevent disabling it until a restart. Be careful about locking
@@ -99,7 +91,7 @@ in {
     };
   };
 
-  config = {
+  config = mkIf (cfg.enable == "lock" || cfg.enable) {
     systemd.services.audit = {
       description = "Kernel Auditing";
       wantedBy = [ "basic.target" ];
@@ -111,8 +103,8 @@ in {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        ExecStart = "@${if enabled then startScript else disableScript} audit-start";
-        ExecStop  = "@${stopScript} audit-stop";
+        ExecStart = "@${startScript} audit-start";
+        ExecStop  = "@${stopScript}  audit-stop";
       };
     };
   };

nixos/modules/security/hidepid.nix

@@ -20,6 +20,23 @@ with lib;
   config = mkIf config.security.hideProcessInformation {
     users.groups.proc.gid = config.ids.gids.proc;
 
-    boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
+    systemd.services.hidepid = {
+      wantedBy = [ "local-fs.target" ];
+      after = [ "systemd-remount-fs.service" ];
+      before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ];
+      wants = [ "local-fs-pre.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc'';
+        ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc'';
+      };
+
+      unitConfig = {
+        DefaultDependencies = false;
+        Conflicts = "shutdown.target";
+      };
+    };
   };
 }

nixos/modules/security/pam.nix

@@ -105,16 +105,6 @@ let
         '';
       };
 
-      setEnvironment = mkOption {
-        type = types.bool;
-        default = true;
-        description = ''
-          Whether the service should set the environment variables
-          listed in <option>environment.sessionVariables</option>
-          using <literal>pam_env.so</literal>.
-        '';
-      };
-
       setLoginUid = mkOption {
         type = types.bool;
         description = ''
@@ -294,9 +284,7 @@ let
               "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
 
           # Session management.
-          ${optionalString cfg.setEnvironment ''
-            session required pam_env.so envfile=${config.system.build.pamEnvironment}
-          ''}
+          session required pam_env.so envfile=${config.system.build.pamEnvironment}
           session required pam_unix.so
           ${optionalString cfg.setLoginUid
               "session ${
@@ -489,13 +477,6 @@ in
         vlock = {};
         xlock = {};
         xscreensaver = {};
-
-        runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
-
-        /* FIXME: should runuser -l start a systemd session? Currently
-           it complains "Cannot create session: Already running in a
-           session". */
-        runuser-l = { rootOK = true; unixAuth = false; };
       };
 
   };

nixos/modules/security/rngd.nix

@@ -18,7 +18,7 @@ with lib;
   config = mkIf config.security.rngd.enable {
     services.udev.extraRules = ''
       KERNEL=="random", TAG+="systemd"
-      SUBSYSTEM=="cpu", ENV{MODALIAS}=="cpu:type:x86,*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
+      SUBSYSTEM=="cpu", ENV{MODALIAS}=="x86cpu:*feature:*009E*", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
       KERNEL=="hw_random", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"
       ${if config.services.tcsd.enable then "" else ''KERNEL=="tpm0", TAG+="systemd", ENV{SYSTEMD_WANTS}+="rngd.service"''}
     '';

nixos/modules/security/setuid-wrappers.nix

@@ -12,7 +12,7 @@ let
     installPhase = ''
       mkdir -p $out/bin
       cp ${./setuid-wrapper.c} setuid-wrapper.c
-      gcc -Wall -O2 -DWRAPPER_DIR=\"/run/setuid-wrapper-dirs\" \
+      gcc -Wall -O2 -DWRAPPER_DIR=\"${wrapperDir}\" \
           setuid-wrapper.c -o $out/bin/setuid-wrapper
     '';
   };
@@ -102,11 +102,11 @@ in
                 source=/nix/var/nix/profiles/default/bin/${program}
             fi
 
-            cp ${setuidWrapper}/bin/setuid-wrapper $wrapperDir/${program}
-            echo -n "$source" > $wrapperDir/${program}.real
-            chmod 0000 $wrapperDir/${program} # to prevent races
-            chown ${owner}.${group} $wrapperDir/${program}
-            chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
+            cp ${setuidWrapper}/bin/setuid-wrapper ${wrapperDir}/${program}
+            echo -n "$source" > ${wrapperDir}/${program}.real
+            chmod 0000 ${wrapperDir}/${program} # to prevent races
+            chown ${owner}.${group} ${wrapperDir}/${program}
+            chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${wrapperDir}/${program}
           '';
 
       in stringAfter [ "users" ]
@@ -115,30 +115,9 @@ in
           # programs to be wrapped.
           SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin
 
-          mkdir -p /run/setuid-wrapper-dirs
-          wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
-          chmod a+rx $wrapperDir
+          rm -f ${wrapperDir}/* # */
 
           ${concatMapStrings makeSetuidWrapper setuidPrograms}
-
-          if [ -L ${wrapperDir} ]; then
-            # Atomically replace the symlink
-            # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
-            old=$(readlink ${wrapperDir})
-            ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
-            mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
-            rm --force --recursive $old
-          elif [ -d ${wrapperDir} ]; then
-            # Compatibility with old state, just remove the folder and symlink
-            rm -f ${wrapperDir}/*
-            # if it happens to be a tmpfs
-            ${pkgs.utillinux}/bin/umount ${wrapperDir} || true
-            rm -d ${wrapperDir}
-            ln -d --symbolic $wrapperDir ${wrapperDir}
-          else
-            # For initial setup
-            ln --symbolic $wrapperDir ${wrapperDir}
-          fi
         '';
 
   };

nixos/modules/services/databases/influxdb.nix

@@ -66,16 +66,16 @@ let
       enabled = false;
     }];
 
-    collectd = [{
+    collectd = {
       enabled = false;
       typesdb = "${pkgs.collectd}/share/collectd/types.db";
       database = "collectd_db";
       port = 25826;
-    }];
+    };
 
-    opentsdb = [{
+    opentsdb = {
       enabled = false;
-    }];
+    };
 
     continuous_queries = {
       enabled = true;
@@ -171,11 +171,6 @@ in
         mkdir -m 0770 -p ${cfg.dataDir}
         if [ "$(id -u)" = 0 ]; then chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}; fi
       '';
-      postStart = mkBefore ''
-        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://127.0.0.1${toString configOptions.http.bind-address}'/ping; do
-          sleep 1;
-        done
-      '';
     };
 
     users.extraUsers = optional (cfg.user == "influxdb") {

nixos/modules/services/databases/mongodb.nix

@@ -12,11 +12,13 @@ let
 
   mongoCnf = pkgs.writeText "mongodb.conf"
   ''
-    net.bindIp: ${cfg.bind_ip}
-    ${optionalString cfg.quiet "systemLog.quiet: true"}
-    systemLog.destination: syslog
-    storage.dbPath: ${cfg.dbpath}
-    ${optionalString (cfg.replSetName != "") "replication.replSetName: ${cfg.replSetName}"}
+    bind_ip = ${cfg.bind_ip}
+    ${optionalString cfg.quiet "quiet = true"}
+    dbpath = ${cfg.dbpath}
+    syslog = true
+    fork = true
+    pidfilepath = ${cfg.pidFile}
+    ${optionalString (cfg.replSetName != "") "replSet = ${cfg.replSetName}"}
     ${cfg.extraConfig}
   '';
 
@@ -82,9 +84,9 @@ in
       extraConfig = mkOption {
         default = "";
         example = ''
-          storage.journal.enabled: false
+          nojournal = true
         '';
-        description = "MongoDB extra configuration in YAML format";
+        description = "MongoDB extra configuration";
       };
     };
 
@@ -110,7 +112,7 @@ in
         after = [ "network.target" ];
 
         serviceConfig = {
-          ExecStart = "${mongodb}/bin/mongod --quiet --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
+          ExecStart = "${mongodb}/bin/mongod --quiet --config ${mongoCnf}";
           User = cfg.user;
           PIDFile = cfg.pidFile;
           Type = "forking";

nixos/modules/services/databases/postgresql.nix

@@ -11,14 +11,12 @@ let
     if cfg.extraPlugins == [] then pg
     else pkgs.buildEnv {
       name = "postgresql-and-plugins-${(builtins.parseDrvName pg.name).version}";
-      paths = [ pg pg.lib ] ++ cfg.extraPlugins;
-      buildInputs = [ pkgs.makeWrapper ];
+      paths = [ pg ] ++ cfg.extraPlugins;
       postBuild =
         ''
           mkdir -p $out/bin
           rm $out/bin/{pg_config,postgres,pg_ctl}
           cp --target-directory=$out/bin ${pg}/bin/{postgres,pg_config,pg_ctl}
-          wrapProgram $out/bin/postgres --set NIX_PGLIBDIR $out/lib
         '';
     };
 

nixos/modules/services/misc/docker-registry.nix

@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.dockerRegistry;
+
+in {
+  ###### interface
+
+  options.services.dockerRegistry = {
+    enable = mkOption {
+      description = "Whether to enable docker registry server.";
+      default = false;
+      type = types.bool;
+    };
+
+    listenAddress = mkOption {
+      description = "Docker registry host or ip to bind to.";
+      default = "127.0.0.1";
+      type = types.str;
+    };
+
+    port = mkOption {
+      description = "Docker registry port to bind to.";
+      default = 5000;
+      type = types.int;
+    };
+
+    storagePath = mkOption {
+      type = types.path;
+      default = "/var/lib/docker-registry";
+      description = "Docker registry storage path.";
+    };
+
+    extraConfig = mkOption {
+      description = ''
+        Docker extra registry configuration. See
+        <link xlink:href="https://github.com/docker/docker-registry/blob/master/config/config_sample.yml"/>
+      '';
+      default = {};
+      type = types.attrsOf types.str;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.docker-registry = {
+      description = "Docker Container Registry";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+
+      environment = {
+        REGISTRY_HOST = cfg.listenAddress;
+        REGISTRY_PORT = toString cfg.port;
+        GUNICORN_OPTS = "[--preload]"; # see https://github.com/docker/docker-registry#sqlalchemy
+        STORAGE_PATH = cfg.storagePath;
+      } // cfg.extraConfig;
+
+      serviceConfig = {
+        ExecStart = "${pkgs.pythonPackages.docker_registry}/bin/docker-registry";
+        User = "docker-registry";
+        Group = "docker";
+        PermissionsStartOnly = true;
+        WorkingDirectory = cfg.storagePath;
+      };
+
+      postStart = ''
+        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/'; do
+          sleep 1;
+        done
+      '';
+    };
+
+    users.extraGroups.docker.gid = mkDefault config.ids.gids.docker;
+    users.extraUsers.docker-registry = {
+      createHome = true;
+      home = cfg.storagePath;
+      uid = config.ids.uids.docker-registry;
+    };
+  };
+}

nixos/modules/services/misc/gitit.nix

@@ -663,7 +663,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       path = with pkgs; [ curl ]
-             ++ optional cfg.pdfExport texlive.combined.scheme-basic
+             ++ optional cfg.pdfExport texLiveFull
 	     ++ optional (cfg.repositoryType == "darcs") darcs
 	     ++ optional (cfg.repositoryType == "mercurial") mercurial
 	     ++ optional (cfg.repositoryType == "git") git;

nixos/modules/services/misc/gitlab.nix

@@ -449,15 +449,13 @@ in {
         Group = cfg.group;
         TimeoutSec = "300";
         Restart = "on-failure";
-        WorkingDirectory = gitlabEnv.HOME;
         ExecStart =
           "${cfg.packages.gitlab-workhorse}/bin/gitlab-workhorse "
           + "-listenUmask 0 "
           + "-listenNetwork unix "
           + "-listenAddr /run/gitlab/gitlab-workhorse.socket "
           + "-authSocket ${gitlabSocket} "
-          + "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public "
-          + "-secretPath ${cfg.packages.gitlab}/share/gitlab/.gitlab_workhorse_secret";
+          + "-documentRoot ${cfg.packages.gitlab}/share/gitlab/public";
       };
     };
 
@@ -527,23 +525,17 @@ in {
             psql postgres -c "CREATE ROLE gitlab WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'"
             ${config.services.postgresql.package}/bin/createdb --owner gitlab gitlab || true
             touch "${cfg.statePath}/db-created"
+
+            # The gitlab:setup task is horribly broken somehow, these two tasks will do the same for setting up the initial database
+            ${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production
+            ${gitlab-rake}/bin/gitlab-rake db:seed_fu RAILS_ENV=production \
+              GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}";
           fi
         fi
 
-        # enable required pg_trgm extension for gitlab
-        psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm"
         # Always do the db migrations just to be sure the database is up-to-date
         ${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production
 
-        # The gitlab:setup task is horribly broken somehow, the db:migrate
-        # task above and the db:seed_fu below will do the same for setting
-        # up the initial database
-        if ! test -e "${cfg.statePath}/db-seeded"; then
-          ${gitlab-rake}/bin/gitlab-rake db:seed_fu RAILS_ENV=production \
-            GITLAB_ROOT_PASSWORD="${cfg.initialRootPassword}" GITLAB_ROOT_EMAIL="${cfg.initialRootEmail}"
-          touch "${cfg.statePath}/db-seeded"
-        fi
-
         # Change permissions in the last step because some of the
         # intermediary scripts like to create directories as root.
         chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}

nixos/modules/services/monitoring/cadvisor.nix

@@ -90,7 +90,6 @@ in {
             ${optionalString cfg.storageDriverSecure "-storage_driver_secure"}
           ''}
         '';
-        TimeoutStartSec=300;
       };
     };
 

nixos/modules/services/network-filesystems/samba.nix

@@ -56,7 +56,6 @@ let
       serviceConfig = {
         ExecStart = "${samba}/sbin/${appName} ${args}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        Type = "notify";
       };
 
       restartTriggers = [ configFile ];
@@ -168,12 +167,12 @@ in
         type = types.attrsOf (types.attrsOf types.unspecified);
         example =
           { public =
-            { path = "/srv/public";
-              "read only" = true;
-              browseable = "yes";
-              "guest ok" = "yes";
-              comment = "Public samba share.";
-            };
+             { path = "/srv/public";
+               "read only" = true;
+               browseable = "yes";
+               "guest ok" = "yes";
+                comment = "Public samba share.";
+             };
           };
       };
 

nixos/modules/services/networking/avahi-daemon.nix

@@ -75,8 +75,7 @@ in
       };
 
       browseDomains = mkOption {
-        default = [ ];
-        example = [ "0pointer.de" "zeroconf.org" ];
+        default = [ "0pointer.de" "zeroconf.org" ];
         description = ''
           List of non-local DNS domains to be browsed.
         '';

nixos/modules/services/networking/docker-registry-server.nix

@@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.nodeDockerRegistry;
+
+in {
+  options.services.nodeDockerRegistry = {
+    enable = mkEnableOption "docker registry service";
+
+    port = mkOption {
+      description = "Docker registry listening port.";
+      default = 8080;
+      type = types.int;
+    };
+
+    users = mkOption {
+      description = "Docker registry list of users.";
+      default = [];
+      options = [{
+        user = mkOption {
+          description = "Docker registry user username.";
+          type = types.str;
+        };
+
+        pass = mkOption {
+          description = "Docker registry user password.";
+          type = types.str;
+        };
+      }];
+      type = types.listOf types.optionSet;
+    };
+
+    onTag = mkOption {
+      description = "Docker registry hook triggered when an image is tagged.";
+      default = "";
+      type = types.str;
+    };
+
+    onImage = mkOption {
+      description = "Docker registry hook triggered when an image metadata is uploaded.";
+      default = "";
+      type = types.str;
+    };
+
+    onLayer = mkOption {
+      description = "Docker registry hook triggered when an when an image layer is uploaded.";
+      default = "";
+      type = types.str;
+    };
+
+    onVerify = mkOption {
+      description = "Docker registry hook triggered when an image layer+metadata has been verified.";
+      default = "";
+      type = types.str;
+    };
+
+    onIndex = mkOption {
+      description = "Docker registry hook triggered when an when an image file system data has been indexed.";
+      default = "";
+      type = types.str;
+    };
+
+    dataDir = mkOption {
+      description = "Docker registry data directory";
+      default = "/var/lib/docker-registry";
+      type = types.path;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.docker-registry-server = {
+      description = "Docker Registry Service.";
+      wantedBy = ["multi-user.target"];
+      after = ["network.target"];
+      script = ''
+        ${pkgs.nodePackages.docker-registry-server}/bin/docker-registry-server \
+          --dir ${cfg.dataDir} \
+          --port ${toString cfg.port} \
+          ${concatMapStringsSep " " (u: "--user ${u.user}:${u.pass}") cfg.users} \
+          ${optionalString (cfg.onTag != "") "--on-tag '${cfg.onTag}'"} \
+          ${optionalString (cfg.onImage != "") "--on-image '${cfg.onImage}'"} \
+          ${optionalString (cfg.onVerify != "") "--on-verify '${cfg.onVerify}'"} \
+          ${optionalString (cfg.onIndex != "") "--on-index '${cfg.onIndex}'"}
+      '';
+
+      serviceConfig.User = "docker-registry";
+    };
+
+    users.extraUsers.docker-registry = {
+      uid = config.ids.uids.docker-registry;
+      description = "Docker registry user";
+      createHome = true;
+      home = cfg.dataDir;
+    };
+  };
+}

nixos/modules/services/networking/firewall.nix

@@ -490,8 +490,7 @@ in
 
     systemd.services.firewall = {
       description = "Firewall";
-      wantedBy = [ "multi-user.target" "sysinit.target" ];
-      wants = [ "network-pre.target" ];
+      wantedBy = [ "network-pre.target" ];
       before = [ "network-pre.target" ];
       after = [ "systemd-modules-load.service" ];
 

nixos/modules/services/networking/mjpg-streamer.nix

@@ -59,12 +59,8 @@ in {
       description = "mjpg-streamer webcam streamer";
       wantedBy = [ "multi-user.target" ];
 
-      serviceConfig = {
-        User = cfg.user;
-        Group = cfg.group;
-        Restart = "on-failure";
-        RestartSec = 1;
-      };
+      serviceConfig.User = cfg.user;
+      serviceConfig.Group = cfg.group;
 
       script = ''
         IPLUGIN="${cfg.inputPlugin}"

nixos/modules/services/networking/murmur.nix

@@ -15,7 +15,7 @@ let
     logfile=/var/log/murmur/murmurd.log
     pidfile=${cfg.pidfile}
 
-    welcometext="${cfg.welcometext}"
+    welcome="${cfg.welcome}"
     port=${toString cfg.port}
 
     ${if cfg.hostName == "" then "" else "host="+cfg.hostName}
@@ -84,7 +84,7 @@ in
         description = "Path to PID file for Murmur daemon.";
       };
 
-      welcometext = mkOption {
+      welcome = mkOption {
         type = types.str;
         default = "";
         description = "Welcome message for connected clients.";

nixos/modules/services/networking/ssh/sshd.nix

@@ -85,7 +85,7 @@ in
 
       forwardX11 = mkOption {
         type = types.bool;
-        default = false;
+        default = cfgc.setXAuthLocation;
         description = ''
           Whether to allow X11 connections to be forwarded.
         '';
@@ -227,8 +227,6 @@ in
 
   config = mkIf cfg.enable {
 
-    programs.ssh.setXAuthLocation = mkForce cfg.forwardX11;
-
     users.extraUsers.sshd =
       { isSystemUser = true;
         description = "SSH privilege separation user";

nixos/modules/services/networking/supplicant.nix

@@ -34,7 +34,7 @@ let
       '';
     in
       { description = "Supplicant ${iface}${optionalString (iface=="WLAN"||iface=="LAN") " %I"}";
-        wantedBy = [ "network.target" ] ++ deps;
+        wantedBy = [ "network.target" ];
         bindsTo = deps;
         after = deps;
         before = [ "network.target" ];

nixos/modules/services/networking/unbound.nix

@@ -43,10 +43,14 @@ in
   options = {
     services.unbound = {
 
-      enable = mkEnableOption "Unbound domain name server";
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to enable the Unbound domain name server.";
+      };
 
       allowedAccess = mkOption {
-        default = [ "127.0.0.0/24" ];
+        default = ["127.0.0.0/24"];
         type = types.listOf types.str;
         description = "What networks are allowed to use unbound as a resolver.";
       };
@@ -93,7 +97,7 @@ in
     };
 
     systemd.services.unbound = {
-      description = "Unbound recursive Domain Name Server";
+      description="Unbound recursive Domain Name Server";
       after = [ "network.target" ];
       before = [ "nss-lookup.target" ];
       wants = [" nss-lookup.target" ];

nixos/modules/services/networking/zerotierone.nix

@@ -7,19 +7,11 @@ let
 in
 {
   options.services.zerotierone.enable = mkEnableOption "ZeroTierOne";
-  options.services.zerotierone.package = mkOption {
-    default = pkgs.zerotierone;
-    defaultText = "pkgs.zerotierone";
-    type = types.package;
-    description = ''
-      ZeroTier One package to use.
-    '';
-  };
-
+  
   config = mkIf cfg.enable {
     systemd.services.zerotierone = {
       description = "ZeroTierOne";
-      path = [ cfg.package ];
+      path = [ pkgs.zerotierone ];
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
       preStart =
@@ -29,7 +21,7 @@ in
         chown -R root:root /var/lib/zerotier-one
         '';
       serviceConfig = {
-        ExecStart = "${cfg.package}/bin/zerotier-one";
+        ExecStart = "${pkgs.zerotierone}/bin/zerotier-one";
         Restart = "always";
         KillMode = "process";
       };
@@ -38,6 +30,6 @@ in
     # ZeroTier does not issue DHCP leases, but some strangers might...
     networking.dhcpcd.denyInterfaces = [ "zt0" ];
 
-    environment.systemPackages = [ cfg.package ];
+    environment.systemPackages = [ pkgs.zerotierone ];
   };
 }

nixos/modules/services/system/dbus.nix

@@ -8,7 +8,7 @@ let
 
   cfg = config.services.dbus;
 
-  homeDir = "/run/dbus";
+  homeDir = "/var/run/dbus";
 
   systemExtraxml = concatStrings (flip concatMap cfg.packages (d: [
     "<servicedir>${d}/share/dbus-1/system-services</servicedir>"
@@ -20,8 +20,6 @@ let
     "<includedir>${d}/etc/dbus-1/session.d</includedir>"
   ]));
 
-  daemonArgs = "--address=systemd: --nofork --nopidfile --systemd-activation";
-
   configDir = pkgs.stdenv.mkDerivation {
     name = "dbus-conf";
 
@@ -31,14 +29,6 @@ let
     buildCommand = ''
       mkdir -p $out
 
-      cp ${pkgs.dbus.out}/share/dbus-1/{system,session}.conf $out
-
-      # avoid circular includes
-      sed -ri 's@(<include ignore_missing="yes">/etc/dbus-1/(system|session)\.conf</include>)@<!-- \1 -->@g' $out/{system,session}.conf
-
-      # include by full path
-      sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
-
       sed '${./dbus-system-local.conf.in}' \
         -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
         -e 's,@extra@,${systemExtraxml},' \
@@ -85,21 +75,16 @@ in
         '';
       };
 
-      socketActivated = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Make the user instance socket activated.
-        '';
-      };
     };
+
   };
 
+
   ###### implementation
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus ];
+    environment.systemPackages = [ pkgs.dbus.daemon pkgs.dbus_tools ];
 
     environment.etc = singleton
       { source = configDir;
@@ -119,7 +104,7 @@ in
 
     security.setuidOwners = singleton
       { program = "dbus-daemon-launch-helper";
-        source = "${pkgs.dbus.daemon}/libexec/dbus-daemon-launch-helper";
+        source = "${pkgs.dbus_daemon.out}/libexec/dbus-daemon-launch-helper";
         owner = "root";
         group = "messagebus";
         setuid = true;
@@ -132,29 +117,13 @@ in
       config.system.path
     ];
 
-    systemd.services.dbus = {
-      # Don't restart dbus-daemon. Bad things tend to happen if we do.
-      reloadIfChanged = true;
-      restartTriggers = [ configDir ];
-      serviceConfig.ExecStart = [
-        ""
-        "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=${configDir}/system.conf ${daemonArgs}"
-      ];
-    };
+    # Don't restart dbus-daemon. Bad things tend to happen if we do.
+    systemd.services.dbus.reloadIfChanged = true;
 
-    systemd.user = {
-      services.dbus = {
-        # Don't restart dbus-daemon. Bad things tend to happen if we do.
-        reloadIfChanged = true;
-        restartTriggers = [ configDir ];
-        serviceConfig.ExecStart = [
-          ""
-          "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=${configDir}/session.conf ${daemonArgs}"
-        ];
-      };
-      sockets.dbus.wantedBy = mkIf cfg.socketActivated [ "sockets.target" ];
-    };
+    systemd.services.dbus.restartTriggers = [ configDir ];
 
     environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ];
+
   };
+
 }

nixos/modules/services/web-servers/apache-httpd/mediawiki.nix

@@ -83,11 +83,11 @@ let
 
   # Unpack Mediawiki and put the config file in its root directory.
   mediawikiRoot = pkgs.stdenv.mkDerivation rec {
-    name= "mediawiki-1.27.1";
+    name= "mediawiki-1.23.13";
 
     src = pkgs.fetchurl {
-      url = "http://download.wikimedia.org/mediawiki/1.27/${name}.tar.gz";
-      sha256 = "0sm3ymz93qragbwhzzbwq7f127mbj29inv0afg2z6p32jb1pd9h8";
+      url = "http://download.wikimedia.org/mediawiki/1.23/${name}.tar.gz";
+      sha256 = "168wpf53n4ksj2g5q5r0hxapx6238dvsfng5ff9ixk6axsn0j5d0";
     };
 
     skins = config.skins;

nixos/modules/services/web-servers/apache-httpd/moodle.nix

@@ -63,10 +63,6 @@ let
         cp -r * $out
         cp ${moodleConfig} $out/config.php
       '';
-    # Marked as broken due to needing an update for security issues.
-    # See: https://github.com/NixOS/nixpkgs/issues/18856
-    meta.broken = true;
-
   };
 
 in

nixos/modules/services/web-servers/apache-httpd/wordpress.nix

@@ -5,8 +5,7 @@ with lib;
 
 let
 
-  # Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
-  version = "4.6.1";
+  version = "4.3.1";
   fullversion = "${version}";
 
   # Our bare-bones wp-config.php file using the above settings
@@ -75,7 +74,7 @@ let
       owner = "WordPress";
       repo = "WordPress";
       rev = "${fullversion}";
-      sha256 = "0n82xgjg1ry2p73hhgpslnkdzrma5n6hxxq76s7qskkzj0qjfvpn";
+      sha256 = "1rk10vcv4z9p04hfzc0wkbilrgx7m9ssyr6c3w6vw3vl1bcgqxza";
     };
     installPhase = ''
       mkdir -p $out
@@ -99,7 +98,7 @@ let
       # symlink additional plugin(s)
       ${concatMapStrings (plugin: "ln -s ${plugin} $out/wp-content/plugins/${plugin.name}\n") (config.plugins) }
 
-      # symlink additional translation(s)
+      # symlink additional translation(s) 
       mkdir -p $out/wp-content/languages
       ${concatMapStrings (language: "ln -s ${language}/*.mo ${language}/*.po $out/wp-content/languages/\n") (selectedLanguages) }
     '';
@@ -124,7 +123,7 @@ in
   options = {
     dbHost = mkOption {
       default = "localhost";
-      description = "The location of the database server.";
+      description = "The location of the database server.";  
       example = "localhost";
     };
     dbName = mkOption {
@@ -254,7 +253,7 @@ in
       done
       ${pkgs.mysql}/bin/mysql -e 'CREATE DATABASE ${config.dbName};'
       ${pkgs.mysql}/bin/mysql -e 'GRANT ALL ON ${config.dbName}.* TO ${config.dbUser}@localhost IDENTIFIED BY "${config.dbPassword}";'
-    else
+    else 
       echo "Good, no need to do anything database related."
     fi
   '';

nixos/modules/services/web-servers/nginx/default.nix

@@ -114,18 +114,17 @@ let
         port = if vhost.port != null then vhost.port else (if ssl then 443 else 80);
         listenString = toString port + optionalString ssl " ssl http2"
           + optionalString vhost.default " default";
-        acmeLocation = optionalString vhost.enableACME (''
+        acmeLocation = optionalString vhost.enableACME ''
           location /.well-known/acme-challenge {
-            ${optionalString (vhost.acmeFallbackHost != null) "try_files $uri @acme-fallback;"}
+            try_files $uri @acme-fallback;
             root ${vhost.acmeRoot};
             auth_basic off;
           }
-        '' + (optionalString (vhost.acmeFallbackHost != null) ''
           location @acme-fallback {
             auth_basic off;
             proxy_pass http://${vhost.acmeFallbackHost};
           }
-        ''));
+        '';
       in ''
         ${optionalString vhost.forceSSL ''
           server {

nixos/modules/services/web-servers/nginx/vhost-options.nix

@@ -39,8 +39,8 @@ with lib;
     };
 
     acmeFallbackHost = mkOption {
-      type = types.nullOr types.str;
-      default = null;
+      type = types.str;
+      default = "0.0.0.0";
       description = ''
         Host which to proxy requests to if acme challenge is not found. Useful
         if you want multiple hosts to be able to verify the same domain name.

nixos/modules/services/web-servers/tomcat.nix

@@ -10,10 +10,6 @@ in
 
 {
 
-  meta = {
-    maintainers = with maintainers; [ danbst ];
-  };
-
   ###### interface
 
   options = {
@@ -78,8 +74,8 @@ in
 
       webapps = mkOption {
         type = types.listOf types.package;
-        default = [ tomcat.webapps ];
-        defaultText = "[ tomcat.webapps ]";
+        default = [ tomcat ];
+        defaultText = "[ tomcat ]";
         description = "List containing WAR files or directories with WAR files which are web applications to be deployed on Tomcat";
       };
 

nixos/modules/services/x11/desktop-managers/kde4.nix

@@ -14,7 +14,7 @@ let
   # files), segfault sometimes and consume significant resources.
   # They can be re-enabled in the KDE System Settings under "Desktop
   # Search".
-  disableNepomuk = pkgs.writeTextFile
+  nepomukConfig = pkgs.writeTextFile
     { name = "nepomuk-config";
       destination = "/share/config/nepomukserverrc";
       text =
@@ -70,18 +70,6 @@ in
         type = types.package;
         description = "Custom kde-workspace, used for NixOS rebranding.";
       };
-
-      enablePIM = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to enable PIM support. Note that enabling this pulls in Akonadi and MariaDB as dependencies.";
-      };
-
-      enableNepomuk = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Whether to enable Nepomuk (deprecated).";
-      };
     };
   };
 
@@ -150,6 +138,7 @@ in
 
           pkgs.kde4.kde_wallpapers # contains kdm's default background
           pkgs.kde4.oxygen_icons
+          pkgs.virtuoso # to enable Nepomuk to find Virtuoso
 
           # Starts KDE's Polkit authentication agent.
           pkgs.kde4.polkit_kde_agent
@@ -160,26 +149,20 @@ in
           xorg.xmessage # so that startkde can show error messages
           xorg.xset # used by startkde, non-essential
           xorg.xauth # used by kdesu
-        ]
-      ++ optionals cfg.enablePIM
-        [ pkgs.kde4.kdepim_runtime
+          pkgs.shared_desktop_ontologies # used by nepomuk
+          pkgs.strigi # used by nepomuk
           pkgs.kde4.akonadi
           pkgs.mysql # used by akonadi
+          pkgs.kde4.kdepim_runtime
         ]
-      ++ (if cfg.enableNepomuk then
-        [ pkgs.shared_desktop_ontologies # used by nepomuk
-          pkgs.strigi # used by nepomuk
-          pkgs.virtuoso # to enable Nepomuk to find Virtuoso
-        ] else
-        [ disableNepomuk ])
-      ++ optional config.hardware.pulseaudio.enable pkgs.kde4.kmix  # Perhaps this should always be enabled
-      ++ optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
-      ++ optional config.networking.networkmanager.enable pkgs.kde4.plasma-nm
-      ++ phononBackendPackages;
+      ++ lib.optional config.hardware.pulseaudio.enable pkgs.kde4.kmix  # Perhaps this should always be enabled
+      ++ lib.optional config.hardware.bluetooth.enable pkgs.kde4.bluedevil
+      ++ lib.optional config.networking.networkmanager.enable pkgs.kde4.plasma-nm
+      ++ [ nepomukConfig ] ++ phononBackendPackages;
 
     environment.pathsToLink = [ "/share" ];
 
-    environment.profileRelativeEnvVars = mkIf (elem "gstreamer" cfg.phononBackends) {
+    environment.profileRelativeEnvVars = mkIf (lib.elem "gstreamer" cfg.phononBackends) {
       GST_PLUGIN_SYSTEM_PATH = [ "/lib/gstreamer-0.10" ];
     };
 

nixos/modules/services/x11/desktop-managers/xfce.nix

@@ -69,7 +69,7 @@ in
     services.xserver.updateDbusEnvironment = true;
 
     environment.systemPackages =
-      [ pkgs.gtk.out # To get GTK+'s themes and gtk-update-icon-cache
+      [ pkgs.gtk # To get GTK+'s themes.
         pkgs.hicolor_icon_theme
         pkgs.tango-icon-theme
         pkgs.shared_mime_info
@@ -100,7 +100,6 @@ in
         pkgs.xfce.tumbler       # found via dbus
       ]
       ++ optional config.powerManagement.enable pkgs.xfce.xfce4_power_manager
-      ++ optional config.networking.networkmanager.enable pkgs.networkmanagerapplet
       ++ optionals (!cfg.noDesktop)
          [ pkgs.xfce.xfce4panel
            pkgs.xfce.xfdesktop

nixos/modules/services/x11/display-managers/default.nix

@@ -134,8 +134,13 @@ let
         (*) echo "$0: Desktop manager '$desktopManager' not found.";;
       esac
 
-      ${optionalString cfg.updateDbusEnvironment ''
-        ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all
+      # FIXME: gdbus should not be in glib.dev!
+      ${optionalString (cfg.startDbusSession && cfg.updateDbusEnvironment) ''
+        ${pkgs.glib.dev}/bin/gdbus call --session \
+          --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus \
+          --method org.freedesktop.DBus.UpdateActivationEnvironment \
+          "{$(env | ${pkgs.gnused}/bin/sed "s/'/\\\\'/g; s/\([^=]*\)=\(.*\)/'\1':'\2'/" \
+                  | ${pkgs.coreutils}/bin/paste -sd,)}"
       ''}
 
       test -n "$waitPID" && wait "$waitPID"

nixos/modules/services/x11/xserver.nix

@@ -654,8 +654,6 @@ in
         ${xrandrMonitorSections}
       '';
 
-    fonts.enableDefaultFonts = mkDefault true;
-
   };
 
 }

nixos/modules/system/activation/activation-script.nix

@@ -12,13 +12,11 @@ let
     '';
   });
 
-  path = with pkgs; map getBin
-    [ coreutils
-      gnugrep
-      findutils
-      glibc # needed for getent
-      shadow
-      nettools # needed for hostname
+  path = map getBin
+    [ pkgs.coreutils pkgs.gnugrep pkgs.findutils
+      pkgs.glibc # needed for getent
+      pkgs.shadow
+      pkgs.nettools # needed for hostname
     ];
 
 in
@@ -139,13 +137,8 @@ in
 
         mkdir -m 1777 -p /var/tmp
 
-        # Empty, immutable home directory of many system accounts.
-        mkdir -p /var/empty
-        # Make sure it's really empty
-        ${pkgs.e2fsprogs}/bin/chattr -f -i /var/empty || true
-        find /var/empty -mindepth 1 -delete
-        chmod 0555 /var/empty
-        ${pkgs.e2fsprogs}/bin/chattr -f +i /var/empty || true
+        # Empty, read-only home directory of many system accounts.
+        mkdir -m 0555 -p /var/empty
       '';
 
     system.activationScripts.usrbinenv = if config.environment.usrbinenv != null
@@ -161,15 +154,9 @@ in
 
     system.activationScripts.tmpfs =
       ''
-        specialMount() {
-          local device="$1"
-          local mountPoint="$2"
-          local options="$3"
-          local fsType="$4"
-
-          ${pkgs.utillinux}/bin/mount -t "$fsType" -o "remount,$options" "$device" "$mountPoint"
-        }
-        source ${config.system.build.earlyMountScript}
+        ${pkgs.utillinux}/bin/mount -o "remount,size=${config.boot.devSize}" none /dev
+        ${pkgs.utillinux}/bin/mount -o "remount,size=${config.boot.devShmSize}" none /dev/shm
+        ${pkgs.utillinux}/bin/mount -o "remount,size=${config.boot.runSize}" none /run
       '';
 
   };

nixos/modules/system/activation/switch-to-configuration.pl

@@ -213,30 +213,33 @@ while (my ($unit, $state) = each %{$activePrev}) {
                 elsif (!boolIsTrue($unitInfo->{'X-RestartIfChanged'} // "yes") || boolIsTrue($unitInfo->{'RefuseManualStop'} // "no") ) {
                     $unitsToSkip{$unit} = 1;
                 } else {
+                    # If this unit is socket-activated, then stop the
+                    # socket unit(s) as well, and restart the
+                    # socket(s) instead of the service.
+                    my $socketActivated = 0;
+                    if ($unit =~ /\.service$/) {
+                        my @sockets = split / /, ($unitInfo->{Sockets} // "");
+                        if (scalar @sockets == 0) {
+                            @sockets = ("$baseName.socket");
+                        }
+                        foreach my $socket (@sockets) {
+                            if (defined $activePrev->{$socket}) {
+                                $unitsToStop{$unit} = 1;
+                                $unitsToStart{$unit} = 1;
+                                recordUnit($startListFile, $socket);
+                                $socketActivated = 1;
+                            }
+                        }
+                    }
+
                     if (!boolIsTrue($unitInfo->{'X-StopIfChanged'} // "yes")) {
+
                         # This unit should be restarted instead of
                         # stopped and started.
                         $unitsToRestart{$unit} = 1;
                         recordUnit($restartListFile, $unit);
+
                     } else {
-                        # If this unit is socket-activated, then stop the
-                        # socket unit(s) as well, and restart the
-                        # socket(s) instead of the service.
-                        my $socketActivated = 0;
-                        if ($unit =~ /\.service$/) {
-                            my @sockets = split / /, ($unitInfo->{Sockets} // "");
-                            if (scalar @sockets == 0) {
-                                @sockets = ("$baseName.socket");
-                            }
-                            foreach my $socket (@sockets) {
-                                if (defined $activePrev->{$socket}) {
-                                    $unitsToStop{$socket} = 1;
-                                    $unitsToStart{$socket} = 1;
-                                    recordUnit($startListFile, $socket);
-                                    $socketActivated = 1;
-                                }
-                            }
-                        }
 
                         # If the unit is not socket-activated, record
                         # that this unit needs to be started below.
@@ -248,6 +251,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
                         }
 
                         $unitsToStop{$unit} = 1;
+
                     }
                 }
             }

nixos/modules/system/activation/top-level.nix

@@ -98,7 +98,7 @@ let
   # `switch-to-configuration' that activates the configuration and
   # makes it bootable.
   baseSystem = showWarnings (
-    if [] == failed then pkgs.stdenvNoCC.mkDerivation {
+    if [] == failed then pkgs.stdenv.mkDerivation {
       name = let hn = config.networking.hostName;
                  nn = if (hn != "") then hn else "unnamed";
           in "nixos-system-${nn}-${config.system.nixosLabel}";

nixos/modules/system/boot/kernel.nix

@@ -203,12 +203,6 @@ in
         # Misc. stuff.
         "pcips2" "atkbd"
 
-        # Temporary fix for https://github.com/NixOS/nixpkgs/issues/18451
-        # Remove as soon as upstream gets fixed - marking it:
-        # TODO
-        # FIXME
-        "i8042"
-
         # To wait for SCSI devices to appear.
         "scsi_wait_scan"
 

nixos/modules/system/boot/loader/grub/grub.nix

@@ -55,7 +55,7 @@ let
       inherit (cfg)
         version extraConfig extraPerEntryConfig extraEntries
         extraEntriesBeforeNixOS extraPrepareConfig configurationLimit copyKernels
-        default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios;
+        default fsIdentifier efiSupport gfxmodeEfi gfxmodeBios;
       path = (makeBinPath ([
         pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
         pkgs.utillinux ] ++ (if cfg.efiSupport && (cfg.version == 2) then [pkgs.efibootmgr ] else [])
@@ -357,44 +357,6 @@ in
         '';
       };
 
-      efiInstallAsRemovable = mkOption {
-        default = false;
-        example = true;
-        type = types.bool;
-        description = ''
-          Whether to invoke <literal>grub-install</literal> with
-          <literal>--removable</literal>.</para>
-
-          <para>Unless you turn this on, GRUB will install itself somewhere in
-          <literal>boot.loader.efi.efiSysMountPoint</literal> (exactly where
-          depends on other config variables). If you've set
-          <literal>boot.loader.efi.canTouchEfiVariables</literal> *AND* you
-          are currently booted in UEFI mode, then GRUB will use
-          <literal>efibootmgr</literal> to modify the boot order in the
-          EFI variables of your firmware to include this location. If you are
-          *not* booted in UEFI mode at the time GRUB is being installed, the
-          NVRAM will not be modified, and your system will not find GRUB at
-          boot time. However, GRUB will still return success so you may miss
-          the warning that gets printed ("<literal>efibootmgr: EFI variables
-          are not supported on this system.</literal>").</para>
-
-          <para>If you turn this feature on, GRUB will install itself in a
-          special location within <literal>efiSysMountPoint</literal> (namely
-          <literal>EFI/boot/boot$arch.efi</literal>) which the firmwares
-          are hardcoded to try first, regardless of NVRAM EFI variables.</para>
-
-          <para>To summarize, turn this on if:
-          <itemizedlist>
-            <listitem><para>You are installing NixOS and want it to boot in UEFI mode,
-            but you are currently booted in legacy mode</para></listitem>
-            <listitem><para>You want to make a drive that will boot regardless of
-            the NVRAM state of the computer (like a USB "removable" drive)</para></listitem>
-            <listitem><para>You simply dislike the idea of depending on NVRAM
-            state to make your drive bootable</para></listitem>
-          </itemizedlist>
-        '';
-      };
-
       enableCryptodisk = mkOption {
         default = false;
         type = types.bool;
@@ -463,20 +425,13 @@ in
         { path = "/boot"; inherit (cfg) devices; inherit (efi) efiSysMountPoint; }
       ];
 
-      system.build.installBootLoader =
-        let
-          install-grub-pl = pkgs.substituteAll {
-            src = ./install-grub.pl;
-            inherit (pkgs) utillinux;
-            btrfsprogs = pkgs.btrfs-progs;
-          };
-        in pkgs.writeScript "install-grub.sh" (''
+      system.build.installBootLoader = pkgs.writeScript "install-grub.sh" (''
         #!${pkgs.stdenv.shell}
         set -e
         export PERL5LIB=${makePerlPath (with pkgs.perlPackages; [ FileSlurp XMLLibXML XMLSAX ListCompare ])}
         ${optionalString cfg.enableCryptodisk "export GRUB_ENABLE_CRYPTODISK=y"}
       '' + flip concatMapStrings cfg.mirroredBoots (args: ''
-        ${pkgs.perl}/bin/perl ${install-grub-pl} ${grubConfig args} $@
+        ${pkgs.perl}/bin/perl ${./install-grub.pl} ${grubConfig args} $@
       ''));
 
       system.build.grub = grub;
@@ -522,14 +477,6 @@ in
           assertion = !cfg.trustedBoot.enable || cfg.trustedBoot.systemHasTPM == "YES_TPM_is_activated";
           message = "Trusted GRUB can break the system! Confirm that the system has an activated TPM by setting 'systemHasTPM'.";
         }
-        {
-          assertion = cfg.efiInstallAsRemovable -> cfg.efiSupport;
-          message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn on boot.loader.grub.efiSupport";
-        }
-        {
-          assertion = cfg.efiInstallAsRemovable -> !config.boot.loader.efi.canTouchEfiVariables;
-          message = "If you wish to to use boot.loader.grub.efiInstallAsRemovable, then turn off boot.loader.efi.canTouchEfiVariables";
-        }
       ] ++ flip concatMap cfg.mirroredBoots (args: [
         {
           assertion = args.devices != [ ];

nixos/modules/system/boot/loader/grub/install-grub.pl

@@ -12,10 +12,8 @@ require List::Compare;
 use POSIX;
 use Cwd;
 
-# system.build.toplevel path
 my $defaultConfig = $ARGV[1] or die;
 
-# Grub config XML generated by grubConfig function in grub.nix
 my $dom = XML::LibXML->load_xml(location => $ARGV[0]);
 
 sub get { my ($name) = @_; return $dom->findvalue("/expr/attrs/attr[\@name = '$name']/*/\@value"); }
@@ -60,7 +58,6 @@ my $grubTargetEfi = get("grubTargetEfi");
 my $bootPath = get("bootPath");
 my $storePath = get("storePath");
 my $canTouchEfiVariables = get("canTouchEfiVariables");
-my $efiInstallAsRemovable = get("efiInstallAsRemovable");
 my $efiSysMountPoint = get("efiSysMountPoint");
 my $gfxmodeEfi = get("gfxmodeEfi");
 my $gfxmodeBios = get("gfxmodeBios");
@@ -100,8 +97,6 @@ sub PathInMount {
     }
     return 1;
 }
-
-# Figure out what filesystem is used for the directory with init/initrd/kernel files
 sub GetFs {
     my ($dir) = @_;
     my $bestFs = Fs->new(device => "", type => "", mount => "");
@@ -141,10 +136,7 @@ my $driveid = 1;
 sub GrubFs {
     my ($dir) = @_;
     my $fs = GetFs($dir);
-    my $path = substr($dir, length($fs->mount));
-    if (substr($path, 0, 1) ne "/") {
-      $path = "/$path";
-    }
+    my $path = "/" . substr($dir, length($fs->mount));
     my $search = "";
 
     if ($grubVersion > 1) {
@@ -177,7 +169,7 @@ sub GrubFs {
                 $search = $types{$fsIdentifier} . ' ';
 
                 # Based on the type pull in the identifier from the system
-                my ($status, @devInfo) = runCommand("@utillinux@/bin/blkid -o export @{[$fs->device]}");
+                my ($status, @devInfo) = runCommand("blkid -o export @{[$fs->device]}");
                 if ($status != 0) {
                     die "Failed to get blkid info for @{[$fs->mount]} on @{[$fs->device]}";
                 }
@@ -190,7 +182,7 @@ sub GrubFs {
 
             # BTRFS is a special case in that we need to fix the referrenced path based on subvolumes
             if ($fs->type eq 'btrfs') {
-                my ($status, @id_info) = runCommand("@btrfsprogs@/bin/btrfs subvol show @{[$fs->mount]}");
+                my ($status, @id_info) = runCommand("btrfs subvol show @{[$fs->mount]}");
                 if ($status != 0) {
                     die "Failed to retrieve subvolume info for @{[$fs->mount]}\n";
                 }
@@ -198,7 +190,7 @@ sub GrubFs {
                 if ($#ids > 0) {
                     die "Btrfs subvol name for @{[$fs->device]} listed multiple times in mount\n"
                 } elsif ($#ids == 0) {
-                    my ($status, @path_info) = runCommand("@btrfsprogs@/bin/btrfs subvol list @{[$fs->mount]}");
+                    my ($status, @path_info) = runCommand("btrfs subvol list @{[$fs->mount]}");
                     if ($status != 0) {
                         die "Failed to find @{[$fs->mount]} subvolume id from btrfs\n";
                     }
@@ -545,15 +537,13 @@ if (($requireNewInstall != 0) && ($efiTarget eq "no" || $efiTarget eq "both")) {
 # install EFI GRUB
 if (($requireNewInstall != 0) && ($efiTarget eq "only" || $efiTarget eq "both")) {
     print STDERR "installing the GRUB $grubVersion EFI boot loader into $efiSysMountPoint...\n";
-    my @command = ("$grubEfi/sbin/grub-install", "--recheck", "--target=$grubTargetEfi", "--boot-directory=$bootPath", "--efi-directory=$efiSysMountPoint");
     if ($canTouchEfiVariables eq "true") {
-        push @command, "--bootloader-id=$bootloaderId";
+        system("$grubEfi/sbin/grub-install", "--recheck", "--target=$grubTargetEfi", "--boot-directory=$bootPath", "--efi-directory=$efiSysMountPoint", "--bootloader-id=$bootloaderId") == 0
+                or die "$0: installation of GRUB EFI into $efiSysMountPoint failed\n";
     } else {
-        push @command, "--no-nvram";
-        push @command, "--removable" if $efiInstallAsRemovable eq "true";
+        system("$grubEfi/sbin/grub-install", "--recheck", "--target=$grubTargetEfi", "--boot-directory=$bootPath", "--efi-directory=$efiSysMountPoint", "--no-nvram") == 0
+                or die "$0: installation of GRUB EFI into $efiSysMountPoint failed\n";
     }
-
-    (system @command) == 0 or die "$0: installation of GRUB EFI into $efiSysMountPoint failed\n";
 }
 
 

nixos/modules/system/boot/stage-1-init.sh

@@ -59,24 +59,22 @@ echo
 echo "<<< NixOS Stage 1 >>>"
 echo
 
-# Make several required directories.
-mkdir -p /etc/udev
-touch /etc/fstab # to shut up mount
-ln -s /proc/mounts /etc/mtab # to shut up mke2fs
-touch /etc/udev/hwdb.bin # to shut up udev
-touch /etc/initrd-release
 
 # Mount special file systems.
-specialMount() {
-  local device="$1"
-  local mountPoint="$2"
-  local options="$3"
-  local fsType="$4"
-
-  mkdir -m 0755 -p "$mountPoint"
-  mount -n -t "$fsType" -o "$options" "$device" "$mountPoint"
-}
-source @earlyMountScript@
+mkdir -p /etc/udev
+touch /etc/fstab # to shut up mount
+touch /etc/mtab # to shut up mke2fs
+touch /etc/udev/hwdb.bin # to shut up udev
+touch /etc/initrd-release
+mkdir -p /proc
+mount -t proc proc /proc
+mkdir -p /sys
+mount -t sysfs sysfs /sys
+mount -t devtmpfs -o "size=@devSize@" devtmpfs /dev
+mkdir -p /run
+mount -t tmpfs -o "mode=0755,size=@runSize@" tmpfs /run
+mkdir /dev/pts
+mount -t devpts devpts /dev/pts
 
 # Log the script output to /dev/kmsg or /run/log/stage-1-init.log.
 mkdir -p /tmp

nixos/modules/system/boot/stage-1.nix

@@ -190,18 +190,15 @@ let
 
     inherit udevRules extraUtils modulesClosure;
 
-    inherit (config.boot) resumeDevice;
-
-    inherit (config.system.build) earlyMountScript;
+    inherit (config.boot) resumeDevice devSize runSize;
 
     inherit (config.boot.initrd) checkJournalingFS
       preLVMCommands preDeviceCommands postDeviceCommands postMountCommands preFailCommands kernelModules;
 
     resumeDevices = map (sd: if sd ? device then sd.device else "/dev/disk/by-label/${sd.label}")
-                    (filter (sd: hasPrefix "/dev/" sd.device && !sd.randomEncryption
-                             # Don't include zram devices
-                             && !(hasPrefix "/dev/zram" sd.device)
-                            ) config.swapDevices);
+                    (filter (sd: (sd ? label || hasPrefix "/dev/" sd.device) && !sd.randomEncryption 
+                    # Don't include zram devices
+                    && !(hasPrefix "/dev/zram" sd.device)) config.swapDevices);
 
     fsInfo =
       let f = fs: [ fs.mountPoint (if fs.device != null then fs.device else "/dev/disk/by-label/${fs.label}") fs.fsType (builtins.concatStringsSep "," fs.options) ];

nixos/modules/system/boot/stage-2-init.sh

@@ -29,7 +29,7 @@ setPath "@path@"
 # Normally, stage 1 mounts the root filesystem read/writable.
 # However, in some environments, stage 2 is executed directly, and the
 # root is read-only.  So make it writable here.
-if [ -z "$container" ]; then
+if [ "$container" != systemd-nspawn ]; then
     mount -n -o remount,rw none /
 fi
 
@@ -37,16 +37,12 @@ fi
 # Likewise, stage 1 mounts /proc, /dev and /sys, so if we don't have a
 # stage 1, we need to do that here.
 if [ ! -e /proc/1 ]; then
-    specialMount() {
-        local device="$1"
-        local mountPoint="$2"
-        local options="$3"
-        local fsType="$4"
-
-        mkdir -m 0755 -p "$mountPoint"
-        mount -n -t "$fsType" -o "$options" "$device" "$mountPoint"
-    }
-    source @earlyMountScript@
+    mkdir -m 0755 -p /proc
+    mount -n -t proc proc /proc
+    mkdir -m 0755 -p /dev
+    mount -t devtmpfs devtmpfs /dev
+    mkdir -m 0755 -p /sys
+    mount -t sysfs sysfs /sys
 fi
 
 
@@ -91,6 +87,11 @@ done
 
 
 # More special file systems, initialise required directories.
+if ! mountpoint -q /dev/shm; then
+    mkdir -m 0755 /dev/shm
+    mount -t tmpfs -o "rw,nosuid,nodev,size=@devShmSize@" tmpfs /dev/shm
+fi
+mkdir -m 0755 -p /dev/pts
 [ -e /proc/bus/usb ] && mount -t usbfs usbfs /proc/bus/usb # UML doesn't have USB by default
 mkdir -m 01777 -p /tmp
 mkdir -m 0755 -p /var /var/log /var/lib /var/db
@@ -111,6 +112,14 @@ rm -f /etc/{group,passwd,shadow}.lock
 rm -rf /nix/var/nix/gcroots/tmp /nix/var/nix/temproots
 
 
+# Create a tmpfs on /run to hold runtime state for programs such as
+# udev (if stage 1 hasn't already done so).
+if ! mountpoint -q /run; then
+    rm -rf /run
+    mkdir -m 0755 -p /run
+    mount -t tmpfs -o "mode=0755,size=@runSize@" tmpfs /run
+fi
+
 # Create a ramfs on /run/keys to hold secrets that shouldn't be
 # written to disk (generally used for NixOps, harmless elsewhere).
 if ! mountpoint -q /run/keys; then
@@ -141,6 +150,13 @@ if [ -n "@useHostResolvConf@" -a -e /etc/resolv.conf ]; then
     cat /etc/resolv.conf | resolvconf -m 1000 -a host
 fi
 
+
+# Create /var/setuid-wrappers as a tmpfs.
+rm -rf /var/setuid-wrappers
+mkdir -m 0755 -p /var/setuid-wrappers
+mount -t tmpfs -o "mode=0755" tmpfs /var/setuid-wrappers
+
+
 # Log the script output to /dev/kmsg or /run/log/stage-2-init.log.
 # Only at this point are all the necessary prerequisites ready for these commands.
 exec {logOutFd}>&1 {logErrFd}>&2

nixos/modules/system/boot/stage-2.nix

@@ -20,9 +20,10 @@ let
     src = ./stage-2-init.sh;
     shellDebug = "${pkgs.bashInteractive}/bin/bash";
     isExecutable = true;
+    inherit (config.boot) devShmSize runSize;
     inherit (config.nix) readOnlyStore;
     inherit (config.networking) useHostResolvConf;
-    inherit (config.system.build) earlyMountScript;
+    ttyGid = config.ids.gids.tty;
     path =
       [ pkgs.coreutils
         pkgs.utillinux

nixos/modules/system/boot/systemd-unit-options.nix

@@ -309,7 +309,7 @@ in rec {
     };
 
     startAt = mkOption {
-      type = with types; either str (listOf str);
+      type = types.str;
       default = "";
       example = "Sun 14:00:00";
       description = ''

nixos/modules/system/boot/systemd.nix

@@ -803,8 +803,6 @@ in
     systemd.services.systemd-user-sessions.restartIfChanged = false; # Restart kills all active sessions.
     systemd.services.systemd-logind.restartTriggers = [ config.environment.etc."systemd/logind.conf".source ];
     systemd.services.systemd-logind.stopIfChanged = false;
-    systemd.services.systemd-journald.restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];
-    systemd.services.systemd-journald.stopIfChanged = false;
     systemd.targets.local-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.targets.remote-fs.unitConfig.X-StopOnReconfiguration = true;
     systemd.services.systemd-binfmt.wants = [ "proc-sys-fs-binfmt_misc.automount" ];

nixos/modules/system/etc/etc.nix

@@ -8,7 +8,7 @@ let
 
   etc' = filter (f: f.enable) (attrValues config.environment.etc);
 
-  etc = pkgs.stdenvNoCC.mkDerivation {
+  etc = pkgs.stdenv.mkDerivation {
     name = "etc";
 
     builder = ./make-etc.sh;

nixos/modules/tasks/filesystems.nix

@@ -18,9 +18,7 @@ let
 
   prioOption = prio: optionalString (prio != null) " pri=${toString prio}";
 
-  specialFSTypes = [ "proc" "sysfs" "tmpfs" "devtmpfs" "devpts" ];
-
-  coreFileSystemOpts = { name, config, ... }: {
+  fileSystemOpts = { name, config, ... }: {
 
     options = {
 
@@ -37,6 +35,13 @@ let
         description = "Location of the device.";
       };
 
+      label = mkOption {
+        default = null;
+        example = "root-partition";
+        type = types.nullOr types.str;
+        description = "Label of the device (if any).";
+      };
+
       fsType = mkOption {
         default = "auto";
         example = "ext3";
@@ -48,28 +53,12 @@ let
         default = [ "defaults" ];
         example = [ "data=journal" ];
         description = "Options used to mount the file system.";
+      } // (if versionAtLeast lib.nixpkgsVersion "16.09" then {
         type = types.listOf types.str;
-      };
-
-    };
-
-    config = {
-      mountPoint = mkDefault name;
-      device = mkIf (elem config.fsType specialFSTypes) (mkDefault config.fsType);
-    };
-
-  };
-
-  fileSystemOpts = { config, ... }: {
-
-    options = {
-
-      label = mkOption {
-        default = null;
-        example = "root-partition";
-        type = types.nullOr types.str;
-        description = "Label of the device (if any).";
-      };
+      } else {
+        type = types.either types.commas (types.listOf types.str);
+        apply = x: if isList x then x else lib.strings.splitString "," (builtins.trace "warning: passing a comma-separated string for filesystem options is deprecated; use a list of strings instead. This will become a hard error in 16.09." x);
+      });
 
       autoFormat = mkOption {
         default = false;
@@ -111,6 +100,8 @@ let
     };
 
     config = {
+      mountPoint = mkDefault name;
+      device = mkIf (config.fsType == "tmpfs") (mkDefault config.fsType);
       options = mkIf config.autoResize [ "x-nixos.autoresize" ];
 
       # -F needed to allow bare block device without partitions
@@ -119,13 +110,6 @@ let
 
   };
 
-  # Makes sequence of `specialMount device mountPoint options fsType` commands.
-  # `systemMount` should be defined in the sourcing script.
-  makeSpecialMounts = mounts:
-    pkgs.writeText "mounts.sh" (concatMapStringsSep "\n" (mount: ''
-      specialMount "${mount.device}" "${mount.mountPoint}" "${concatStringsSep "," mount.options}" "${mount.fsType}"
-    '') mounts);
-
 in
 
 {
@@ -147,7 +131,8 @@ in
           "/bigdisk".label = "bigdisk";
         }
       '';
-      type = types.loaOf (types.submodule [coreFileSystemOpts fileSystemOpts]);
+      type = types.loaOf types.optionSet;
+      options = [ fileSystemOpts ];
       description = ''
         The file systems to be mounted.  It must include an entry for
         the root directory (<literal>mountPoint = "/"</literal>).  Each
@@ -179,15 +164,6 @@ in
       description = "Names of supported filesystem types.";
     };
 
-    boot.specialFileSystems = mkOption {
-      default = {};
-      type = types.loaOf (types.submodule coreFileSystemOpts);
-      internal = true;
-      description = ''
-        Special filesystems that are mounted very early during boot.
-      '';
-    };
-
   };
 
 
@@ -205,7 +181,6 @@ in
 
     # Export for use in other modules
     system.build.fileSystems = fileSystems;
-    system.build.earlyMountScript = makeSpecialMounts (toposort fsBefore (attrValues config.boot.specialFileSystems)).result;
 
     boot.supportedFilesystems = map (fs: fs.fsType) fileSystems;
 
@@ -258,7 +233,7 @@ in
           let
             mountPoint' = "${escapeSystemdPath fs.mountPoint}.mount";
             device'  = escapeSystemdPath fs.device;
-            device'' = "${device'}.device";
+            device'' = "${device}.device";
           in nameValuePair "mkfs-${device'}"
           { description = "Initialisation of Filesystem ${fs.device}";
             wantedBy = [ mountPoint' ];
@@ -283,20 +258,6 @@ in
 
       in listToAttrs (map formatDevice (filter (fs: fs.autoFormat) fileSystems));
 
-    # Sync mount options with systemd's src/core/mount-setup.c: mount_table.
-    boot.specialFileSystems = {
-      "/proc" = { fsType = "proc"; options = [ "nosuid" "noexec" "nodev" ]; };
-      "/run" = { fsType = "tmpfs"; options = [ "nodev" "strictatime" "mode=755" "size=${config.boot.runSize}" ]; };
-      "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
-      "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
-      "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
-    } // optionalAttrs (!config.boot.isContainer) {
-      # systemd-nspawn populates /sys by itself, and remounting it causes all
-      # kinds of weird issues (most noticeably, waiting for host disk device
-      # nodes).
-      "/sys" = { fsType = "sysfs"; options = [ "nosuid" "noexec" "nodev" ]; };
-    };
-
   };
 
 }

nixos/modules/tasks/filesystems/nfs.nix

@@ -38,17 +38,15 @@ in
         default = null;
         example = 4000;
         description = ''
-          Use a fixed port for <command>rpc.statd</command>. This is
-          useful if the NFS server is behind a firewall.
+          Use fixed port for rpc.statd, useful if NFS server is behind firewall.
         '';
       };
       lockdPort = mkOption {
         default = null;
         example = 4001;
         description = ''
-          Use a fixed port for the NFS lock manager kernel module
-          (<literal>lockd/nlockmgr</literal>).  This is useful if the
-          NFS server is behind a firewall.
+          Use fixed port for NFS lock manager kernel module (lockd/nlockmgr),
+          useful if NFS server is behind firewall.
         '';
       };
     };
@@ -70,16 +68,13 @@ in
 
     boot.initrd.kernelModules = mkIf inInitrd [ "nfs" ];
 
-    # FIXME: should use upstream units from nfs-utils.
-
     systemd.services.statd =
       { description = "NFSv3 Network Status Monitor";
 
         path = [ pkgs.nfs-utils pkgs.sysvtools pkgs.utillinux ];
 
-        wants = [ "remote-fs-pre.target" ];
+        wantedBy = [ "remote-fs-pre.target" ];
         before = [ "remote-fs-pre.target" ];
-        wantedBy = [ "remote-fs.target" ];
         requires = [ "basic.target" "rpcbind.service" ];
         after = [ "basic.target" "rpcbind.service" ];
 
@@ -105,9 +100,8 @@ in
 
         path = [ pkgs.sysvtools pkgs.utillinux ];
 
-        wants = [ "remote-fs-pre.target" ];
+        wantedBy = [ "remote-fs-pre.target" ];
         before = [ "remote-fs-pre.target" ];
-        wantedBy = [ "remote-fs.target" ];
         requires = [ "rpcbind.service" ];
         after = [ "rpcbind.service" ];
 

nixos/modules/tasks/network-interfaces.nix

@@ -391,7 +391,7 @@ in
     };
 
     networking.localCommands = mkOption {
-      type = types.lines;
+      type = types.str;
       default = "";
       example = "text=anything; echo You can put $text here.";
       description = ''

nixos/modules/virtualisation/amazon-grow-partition.nix

@@ -0,0 +1,24 @@
+# This module automatically grows the root partition on Amazon EC2 HVM
+# instances. This allows an instance to be created with a bigger root
+# filesystem than provided by the AMI.
+
+{ config, lib, pkgs, ... }:
+
+{
+  config = lib.mkIf config.ec2.hvm {
+    boot.initrd.extraUtilsCommands = ''
+      copy_bin_and_libs ${pkgs.gawk}/bin/gawk
+      copy_bin_and_libs ${pkgs.gnused}/bin/sed
+      copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk
+      cp -v ${pkgs.cloud-utils}/bin/growpart $out/bin/growpart
+      ln -s sed $out/bin/gnused
+    '';
+
+    boot.initrd.postDeviceCommands = ''
+      if [ -e /dev/xvda ] && [ -e /dev/xvda1 ]; then
+        TMPDIR=/run sh $(type -P growpart) /dev/xvda 1
+        udevadm settle
+      fi
+    '';
+  };
+}

nixos/modules/virtualisation/amazon-image.nix

@@ -11,12 +11,10 @@ with lib;
 let cfg = config.ec2; in
 
 {
-  imports = [ ../profiles/headless.nix ./ec2-data.nix ./grow-partition.nix ./amazon-init.nix ];
+  imports = [ ../profiles/headless.nix ./ec2-data.nix ./amazon-grow-partition.nix ./amazon-init.nix ];
 
   config = {
 
-    virtualisation.growPartition = cfg.hvm;
-
     fileSystems."/" = {
       device = "/dev/disk/by-label/nixos";
       autoResize = true;

nixos/modules/virtualisation/brightbox-image.nix

@@ -20,7 +20,7 @@ in
 
           postVM =
             ''
-              PATH=$PATH:${lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
+              PATH=$PATH:${stdenv.lib.makeBinPath [ pkgs.gnutar pkgs.gzip ]}
               pushd $out
               ${pkgs.qemu_kvm}/bin/qemu-img convert -c -O qcow2 $diskImageBase nixos.qcow2
               rm $diskImageBase

nixos/modules/virtualisation/containers.nix

@@ -12,21 +12,21 @@ let
         ''
         echo "Bringing ${name} up"
         ip link set dev ${name} up
-        ${optionalString (cfg.localAddress != null) ''
+        ${optionalString (cfg . "localAddress" or null != null) ''
           echo "Setting ip for ${name}"
-          ip addr add ${cfg.localAddress} dev ${name}
+          ip addr add ${cfg . "localAddress"} dev ${name}
         ''}
-        ${optionalString (cfg.localAddress6 != null) ''
+        ${optionalString (cfg . "localAddress6" or null != null) ''
           echo "Setting ip6 for ${name}"
-          ip -6 addr add ${cfg.localAddress6} dev ${name}
+          ip -6 addr add ${cfg . "localAddress6"} dev ${name}
         ''}
-        ${optionalString (cfg.hostAddress != null) ''
+        ${optionalString (cfg . "hostAddress" or null != null) ''
           echo "Setting route to host for ${name}"
-          ip route add ${cfg.hostAddress} dev ${name}
+          ip route add ${cfg . "hostAddress"} dev ${name}
         ''}
-        ${optionalString (cfg.hostAddress6 != null) ''
+        ${optionalString (cfg . "hostAddress6" or null != null) ''
           echo "Setting route6 to host for ${name}"
-          ip -6 route add ${cfg.hostAddress6} dev ${name}
+          ip -6 route add ${cfg . "hostAddress6"} dev ${name}
         ''}
         ''
         );
@@ -56,7 +56,9 @@ let
             ip -6 route add default via $HOST_ADDRESS6
           fi
 
-          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
+          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg . "extraVeths" or {})}
+          ip a
+          ip r
         fi
 
         # Start the regular stage 1 script.
@@ -65,8 +67,7 @@ let
     );
 
   nspawnExtraVethArgs = (name: cfg: "--network-veth-extra=${name}");
-
-  startScript = cfg:
+  startScript = (cfg:
     ''
       mkdir -p -m 0755 "$root/etc" "$root/var/lib"
       mkdir -p -m 0700 "$root/var/lib/private" "$root/root" /run/containers
@@ -91,7 +92,11 @@ let
         fi
       fi
 
-      extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg.extraVeths)}"
+      ${if cfg . "extraVeths" or null != null then
+        ''extraFlags+=" ${concatStringsSep " " (mapAttrsToList nspawnExtraVethArgs cfg . "extraVeths" or {})}"''
+        else
+          ''# No extra veth pairs to create''
+      }
 
       for iface in $INTERFACES; do
         extraFlags+=" --network-interface=$iface"
@@ -130,9 +135,10 @@ let
         --setenv LOCAL_ADDRESS6="$LOCAL_ADDRESS6" \
         --setenv PATH="$PATH" \
         ${containerInit cfg} "''${SYSTEM_PATH:-/nix/var/nix/profiles/system}/init"
-    '';
+    ''
+    );
 
-  preStartScript = cfg:
+  preStartScript = (cfg:
     ''
       # Clean up existing machined registration and interfaces.
       machinectl terminate "$INSTANCE" 2> /dev/null || true
@@ -145,43 +151,45 @@ let
       ${concatStringsSep "\n" (
         mapAttrsToList (name: cfg:
           ''ip link del dev ${name} 2> /dev/null || true ''
-        ) cfg.extraVeths
+        ) cfg . "extraVeths" or {}
       )}
-   '';
-
+   ''
+    );
   postStartScript = (cfg:
     let
-      ipcall = cfg: ipcmd: variable: attribute:
-        if cfg.${attribute} == null then
+      ipcall = (cfg: ipcmd: variable: attribute:
+        if cfg . attribute or null == null then
           ''
             if [ -n "${variable}" ]; then
               ${ipcmd} add ${variable} dev $ifaceHost
             fi
           ''
         else
-          ''${ipcmd} add ${cfg.${attribute}} dev $ifaceHost'';
-      renderExtraVeth = name: cfg:
-        if cfg.hostBridge != null then
+          ''${ipcmd} add ${cfg . attribute} dev $ifaceHost''
+        );
+      renderExtraVeth = (name: cfg:
+        if cfg . "hostBridge" or null != null then
           ''
             # Add ${name} to bridge ${cfg.hostBridge}
             ip link set dev ${name} master ${cfg.hostBridge} up
           ''
         else
           ''
-            # Set IPs and routes for ${name}
-            ${optionalString (cfg.hostAddress != null) ''
-              ip addr add ${cfg.hostAddress} dev ${name}
-            ''}
-            ${optionalString (cfg.hostAddress6 != null) ''
-              ip -6 addr add ${cfg.hostAddress6} dev ${name}
-            ''}
-            ${optionalString (cfg.localAddress != null) ''
-              ip route add ${cfg.localAddress} dev ${name}
-            ''}
-            ${optionalString (cfg.localAddress6 != null) ''
-              ip -6 route add ${cfg.localAddress6} dev ${name}
-            ''}
-          '';
+          # Set IPs and routes for ${name}
+          ${optionalString (cfg . "hostAddress" or null != null) ''
+            ip addr add ${cfg . "hostAddress"} dev ${name}
+          ''}
+          ${optionalString (cfg . "hostAddress6" or null != null) ''
+            ip -6 addr add ${cfg . "hostAddress6"} dev ${name}
+          ''}
+          ${optionalString (cfg . "localAddress" or null != null) ''
+            ip route add ${cfg . "localAddress"} dev ${name}
+          ''}
+          ${optionalString (cfg . "localAddress6" or null != null) ''
+            ip -6 route add ${cfg . "localAddress6"} dev ${name}
+          ''}
+          ''
+        );
     in
       ''
         if [ "$PRIVATE_NETWORK" = 1 ]; then
@@ -194,7 +202,7 @@ let
             ${ipcall cfg "ip route" "$LOCAL_ADDRESS" "localAddress"}
             ${ipcall cfg "ip -6 route" "$LOCAL_ADDRESS6" "localAddress6"}
           fi
-          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg.extraVeths)}
+          ${concatStringsSep "\n" (mapAttrsToList renderExtraVeth cfg . "extraVeths" or {})}
         fi
 
         # Get the leader PID so that we can signal it in
@@ -299,15 +307,6 @@ let
 
   };
 
-  dummyConfig =
-    {
-      extraVeths = {};
-      hostAddress = null;
-      hostAddress6 = null;
-      localAddress = null;
-      localAddress6 = null;
-    };
-
 in
 
 {
@@ -452,7 +451,7 @@ in
         containers.  Each container appears as a service
         <literal>container-<replaceable>name</replaceable></literal>
         on the host system, allowing it to be started and stopped via
-        <command>systemctl</command>.
+        <command>systemctl</command> .
       '';
     };
 
@@ -471,11 +470,11 @@ in
       environment.INSTANCE = "%i";
       environment.root = "/var/lib/containers/%i";
 
-      preStart = preStartScript dummyConfig;
+      preStart = preStartScript {};
 
-      script = startScript dummyConfig;
+      script = startScript {};
 
-      postStart = postStartScript dummyConfig;
+      postStart = postStartScript {};
 
       preStop =
         ''

nixos/modules/virtualisation/docker.nix

@@ -40,25 +40,13 @@ in
       };
     storageDriver =
       mkOption {
-        type = types.nullOr (types.enum ["aufs" "btrfs" "devicemapper" "overlay" "overlay2" "zfs"]);
-        default = null;
+        type = types.enum ["aufs" "btrfs" "devicemapper" "overlay" "zfs"];
+        default = "devicemapper";
         description =
           ''
-            This option determines which Docker storage driver to use. By default
-            it let's docker automatically choose preferred storage driver.
+            This option determines which Docker storage driver to use.
           '';
       };
-
-    logDriver =
-      mkOption {
-        type = types.enum ["none" "json-file" "syslog" "journald" "gelf" "fluentd" "awslogs" "splunk" "etwlogs" "gcplogs"];
-        default = "journald";
-        description =
-          ''
-            This option determines which Docker log driver to use.
-          '';
-      };
-
     extraOptions =
       mkOption {
         type = types.separatedString " ";
@@ -100,12 +88,7 @@ in
         after = [ "network.target" ] ++ (optional cfg.socketActivation "docker.socket") ;
         requires = optional cfg.socketActivation "docker.socket";
         serviceConfig = {
-          ExecStart = ''${pkgs.docker}/bin/dockerd \
-            --group=docker --log-driver=${cfg.logDriver} \
-            ${optionalString (cfg.storageDriver != null) "--storage-driver=${cfg.storageDriver}"} \
-            ${optionalString cfg.socketActivation "--host=fd://"} \
-            ${cfg.extraOptions}
-          '';
+          ExecStart = "${pkgs.docker}/bin/docker daemon --group=docker --storage-driver=${cfg.storageDriver} ${optionalString cfg.socketActivation "--host=fd://"} ${cfg.extraOptions}";
           #  I'm not sure if that limits aren't too high, but it's what
           #  goes in config bundled with docker itself
           LimitNOFILE = 1048576;

nixos/modules/virtualisation/grow-partition.nix

@@ -1,43 +0,0 @@
-# This module automatically grows the root partition on virtual machines.
-# This allows an instance to be created with a bigger root filesystem
-# than provided by the machine image.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
-  options = {
-
-    virtualisation.growPartition = mkOption {
-      type = types.bool;
-      default = true;
-    };
-
-  };
-
-  config = mkIf config.virtualisation.growPartition {
-
-    boot.initrd.extraUtilsCommands = ''
-      copy_bin_and_libs ${pkgs.gawk}/bin/gawk
-      copy_bin_and_libs ${pkgs.gnused}/bin/sed
-      copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk
-      copy_bin_and_libs ${pkgs.utillinux}/sbin/lsblk
-      cp -v ${pkgs.cloud-utils}/bin/growpart $out/bin/growpart
-      ln -s sed $out/bin/gnused
-    '';
-
-    boot.initrd.postDeviceCommands = ''
-      rootDevice="${config.fileSystems."/".device}"
-      if [ -e "$rootDevice" ]; then
-        rootDevice="$(readlink -f "$rootDevice")"
-        parentDevice="$(lsblk -npo PKNAME "$rootDevice")"
-        TMPDIR=/run sh $(type -P growpart) "$parentDevice" "''${rootDevice#$parentDevice}"
-        udevadm settle
-      fi
-    '';
-
-  };
-
-}

nixos/modules/virtualisation/virtualbox-host.nix

@@ -4,13 +4,8 @@ with lib;
 
 let
   cfg = config.virtualisation.virtualbox.host;
-
-  virtualbox = pkgs.virtualbox.override {
-    inherit (cfg) enableHardening headless;
-  };
-
-  kernelModules = config.boot.kernelPackages.virtualbox.override {
-    inherit virtualbox;
+  virtualbox = config.boot.kernelPackages.virtualbox.override {
+    inherit (cfg) enableHardening;
   };
 
 in
@@ -52,20 +47,11 @@ in
         </para></important>
       '';
     };
-
-    headless = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Use VirtualBox installation without GUI and Qt dependency. Useful to enable on servers
-        and when virtual machines are controlled only via SSH.
-      '';
-    };
   };
 
   config = mkIf cfg.enable (mkMerge [{
     boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
-    boot.extraModulePackages = [ kernelModules ];
+    boot.extraModulePackages = [ virtualbox ];
     environment.systemPackages = [ virtualbox ];
 
     security.setuidOwners = let

nixos/modules/virtualisation/virtualbox-image.nix

@@ -8,8 +8,6 @@ let
 
 in {
 
-  imports = [ ./grow-partition.nix ];
-
   options = {
     virtualbox = {
       baseImageSize = mkOption {
@@ -34,7 +32,7 @@ in {
       postVM =
         ''
           export HOME=$PWD
-          export PATH=${pkgs.virtualbox}/bin:$PATH
+          export PATH=${pkgs.linuxPackages.virtualbox}/bin:$PATH
 
           echo "creating VirtualBox pass-through disk wrapper (no copying invovled)..."
           VBoxManage internalcommands createrawvmdk -filename disk.vmdk -rawdisk $diskImage
@@ -66,10 +64,7 @@ in {
         '';
     };
 
-    fileSystems."/" = {
-      device = "/dev/disk/by-label/nixos";
-      autoResize = true;
-    };
+    fileSystems."/".device = "/dev/disk/by-label/nixos";
 
     boot.loader.grub.device = "/dev/sda";
 

nixos/release-combined.nix

@@ -73,7 +73,6 @@ in rec {
         (all nixos.tests.ipv6)
         (all nixos.tests.i3wm)
         (all nixos.tests.kde4)
-        (all nixos.tests.kde5)
         #(all nixos.tests.lightdm)
         (all nixos.tests.login)
         (all nixos.tests.misc)
@@ -89,7 +88,6 @@ in rec {
         (all nixos.tests.networking.scripted.sit)
         (all nixos.tests.networking.scripted.vlan)
         (all nixos.tests.nfs3)
-        (all nixos.tests.nfs4)
         (all nixos.tests.openssh)
         (all nixos.tests.printing)
         (all nixos.tests.proxy)

nixos/release.nix

@@ -9,7 +9,7 @@ let
 
   version = fileContents ../.version;
   versionSuffix =
-    (if stableBranch then "." else "beta") + "${toString (nixpkgs.revCount - 90538)}.${nixpkgs.shortRev}";
+    (if stableBranch then "." else "pre") + "${toString nixpkgs.revCount}.${nixpkgs.shortRev}";
 
   forAllSystems = genAttrs supportedSystems;
 
@@ -228,12 +228,12 @@ in rec {
   tests.containers-imperative = callTest tests/containers-imperative.nix {};
   tests.containers-extra_veth = callTest tests/containers-extra_veth.nix {};
   tests.docker = hydraJob (import tests/docker.nix { system = "x86_64-linux"; });
+  tests.dockerRegistry = hydraJob (import tests/docker-registry.nix { system = "x86_64-linux"; });
   tests.dnscrypt-proxy = callTest tests/dnscrypt-proxy.nix { system = "x86_64-linux"; };
   tests.ecryptfs = callTest tests/ecryptfs.nix {};
   tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; });
   tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;
   tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config;
-  tests.ferm = callTest tests/ferm.nix {};
   tests.firefox = callTest tests/firefox.nix {};
   tests.firewall = callTest tests/firewall.nix {};
   tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; });
@@ -250,7 +250,6 @@ in rec {
   tests.ipv6 = callTest tests/ipv6.nix {};
   tests.jenkins = callTest tests/jenkins.nix {};
   tests.kde4 = callTest tests/kde4.nix {};
-  tests.kde5 = callTest tests/kde5.nix {};
   tests.keymap = callSubTests tests/keymap.nix {};
   tests.initrdNetwork = callTest tests/initrd-network.nix {};
   tests.kubernetes = hydraJob (import tests/kubernetes.nix { system = "x86_64-linux"; });
@@ -260,7 +259,6 @@ in rec {
   #tests.logstash = callTest tests/logstash.nix {};
   tests.mathics = callTest tests/mathics.nix {};
   tests.misc = callTest tests/misc.nix {};
-  tests.mongodb = callTest tests/mongodb.nix {};
   tests.mumble = callTest tests/mumble.nix {};
   tests.munin = callTest tests/munin.nix {};
   tests.mysql = callTest tests/mysql.nix {};
@@ -275,7 +273,7 @@ in rec {
   tests.nfs4 = callTest tests/nfs.nix { version = 4; };
   tests.nsd = callTest tests/nsd.nix {};
   tests.openssh = callTest tests/openssh.nix {};
-  #tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; });
+  tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; });
   tests.peerflix = callTest tests/peerflix.nix {};
   tests.postgresql = callTest tests/postgresql.nix {};
   tests.printing = callTest tests/printing.nix {};
@@ -283,8 +281,8 @@ in rec {
   tests.pumpio = callTest tests/pump.io.nix {};
   tests.quake3 = callTest tests/quake3.nix {};
   tests.runInMachine = callTest tests/run-in-machine.nix {};
-  tests.samba = callTest tests/samba.nix {};
   tests.sddm = callTest tests/sddm.nix {};
+  tests.sddm-kde5 = callTest tests/sddm-kde5.nix {};
   tests.simple = callTest tests/simple.nix {};
   tests.smokeping = callTest tests/smokeping.nix {};
   tests.taskserver = callTest tests/taskserver.nix {};

nixos/tests/avahi.nix

@@ -28,8 +28,6 @@ import ./make-test.nix ({ pkgs, ... } : {
        # mDNS.
        $one->waitForUnit("network.target");
        $two->waitForUnit("network.target");
-       $one->waitForUnit("avahi-daemon.service");
-       $two->waitForUnit("avahi-daemon.service");
 
        $one->succeed("avahi-resolve-host-name one.local | tee out >&2");
        $one->succeed("test \"`cut -f1 < out`\" = one.local");

nixos/tests/blivet.nix

@@ -69,7 +69,6 @@ import ./make-test.nix ({ pkgs, ... }: with pkgs.pythonPackages; rec {
     sed -i \
       -e '1i import tempfile' \
       -e 's|_STORE_FILE_PATH = .*|_STORE_FILE_PATH = tempfile.gettempdir()|' \
-      -e 's|DEFAULT_STORE_SIZE = .*|DEFAULT_STORE_SIZE = 409600|' \
       tests/loopbackedtestcase.py
 
     PYTHONPATH=".:$(< "${pkgs.stdenv.mkDerivation {

nixos/tests/cadvisor.nix

@@ -13,6 +13,10 @@ import ./make-test.nix ({ pkgs, ... } : {
       services.cadvisor.enable = true;
       services.cadvisor.storageDriver = "influxdb";
       services.influxdb.enable = true;
+      systemd.services.influxdb.postStart = mkAfter ''
+        ${pkgs.curl.bin}/bin/curl -X POST 'http://localhost:8086/db?u=root&p=root' \
+          -d '{"name": "root"}'
+      '';
     };
   };
 
@@ -23,12 +27,6 @@ import ./make-test.nix ({ pkgs, ... } : {
       $machine->succeed("curl http://localhost:8080/containers/");
 
       $influxdb->waitForUnit("influxdb.service");
-
-      # create influxdb database
-      $influxdb->succeed(q~
-        curl -XPOST http://localhost:8086/query --data-urlencode "q=CREATE DATABASE root"
-      ~);
-
       $influxdb->waitForUnit("cadvisor.service");
       $influxdb->succeed("curl http://localhost:8080/containers/");
     '';

nixos/tests/docker-registry.nix

@@ -0,0 +1,43 @@
+# This test runs docker-registry and check if it works
+
+import ./make-test.nix ({ pkgs, ...} : {
+  name = "docker-registry";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ offline ];
+  };
+
+  nodes = {
+    registry = { config, pkgs, ... }: {
+      services.dockerRegistry.enable = true;
+      services.dockerRegistry.port = 8080;
+      services.dockerRegistry.host = "0.0.0.0";
+      networking.firewall.allowedTCPPorts = [ 8080 ];
+    };
+
+    client1 = { config, pkgs, ...}: {
+      virtualisation.docker.enable = true;
+      virtualisation.docker.extraOptions = "--insecure-registry registry:8080";
+    };
+
+    client2 = { config, pkgs, ...}: {
+      virtualisation.docker.enable = true;
+      virtualisation.docker.extraOptions = "--insecure-registry registry:8080";
+    };
+  };
+
+  testScript = ''
+    $client1->start();
+    $client1->waitForUnit("docker.service");
+    $client1->succeed("tar cv --files-from /dev/null | docker import - scratch");
+    $client1->succeed("docker tag scratch registry:8080/scratch");
+
+    $registry->start();
+    $registry->waitForUnit("docker-registry.service");
+    $client1->succeed("docker push registry:8080/scratch");
+
+    $client2->start();
+    $client2->waitForUnit("docker.service");
+    $client2->succeed("docker pull registry:8080/scratch");
+    $client2->succeed("docker images | grep scratch");
+  '';
+})

nixos/tests/docker.nix

@@ -11,6 +11,9 @@ import ./make-test.nix ({ pkgs, ...} : {
       { config, pkgs, ... }:
         {
           virtualisation.docker.enable = true;
+          # FIXME: The default "devicemapper" storageDriver fails in NixOS VM
+          # tests.
+          virtualisation.docker.storageDriver = "overlay";
         };
     };
 

nixos/tests/ferm.nix

@@ -1,72 +0,0 @@
-
-import ./make-test.nix ({ pkgs, ...} : {
-  name = "ferm";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ mic92 ];
-  };
-
-  nodes =
-    { client =
-        { config, pkgs, ... }:
-        with pkgs.lib;
-        {
-          networking = {
-            interfaces.eth1.ip6 = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
-            interfaces.eth1.ip4 = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
-          };
-      };
-      server =
-        { config, pkgs, ... }:
-        with pkgs.lib;
-        {
-          networking = {
-            interfaces.eth1.ip6 = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
-            interfaces.eth1.ip4 = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
-          };
-
-          services = {
-            ferm.enable = true;
-            ferm.config = ''
-              domain (ip ip6) table filter chain INPUT {
-                interface lo ACCEPT;
-                proto tcp dport 8080 REJECT reject-with tcp-reset;
-              }
-            '';
-            nginx.enable = true;
-            nginx.httpConfig = ''
-              server {
-                listen 80;
-                listen [::]:80;
-                listen 8080;
-                listen [::]:8080;
-
-                location /status { stub_status on; }
-              }
-            '';
-          };
-        };
-    };
-
-  testScript =
-    ''
-      startAll;
-
-      $client->waitForUnit("network.target");
-      $server->waitForUnit("ferm.service");
-      $server->waitForUnit("nginx.service");
-      $server->waitUntilSucceeds("ss -ntl | grep -q 80");
-
-      subtest "port 80 is allowed", sub {
-          $client->succeed("curl --fail -g http://192.168.1.1:80/status");
-          $client->succeed("curl --fail -g http://[fd00::1]:80/status");
-      };
-
-      subtest "port 8080 is not allowed", sub {
-          $server->succeed("curl --fail -g http://192.168.1.1:8080/status");
-          $server->succeed("curl --fail -g http://[fd00::1]:8080/status");
-
-          $client->fail("curl --fail -g http://192.168.1.1:8080/status");
-          $client->fail("curl --fail -g http://[fd00::1]:8080/status");
-      };
-    '';
-})