README: update for 19.03

atlassian-jira: 8.0.1 -> 8.1.0
(cherry picked from commit e683811972)
2026-06-11 07:43:43 +00:00 · 2019-04-08 22:08:49 +02:00 · 2019-04-08 20:58:29 +02:00 · 2019-04-08 20:58:29 +02:00 · 2019-04-08 20:58:29 +02:00 · 2019-04-08 13:01:40 -04:00
1531 changed files with 43367 additions and 24302 deletions
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-Copyright (c) 2003-2018 Eelco Dolstra and the Nixpkgs/NixOS contributors
+Copyright (c) 2003-2019 Eelco Dolstra and the Nixpkgs/NixOS contributors

 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
--- a/README.md
+++ b/README.md
@@ -12,12 +12,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```

 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-18.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-19.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:

 ```
 % git remote update channels
-% git rebase channels/nixos-18.09
+% git rebase channels/nixos-19.03
 ```

 For pull requests, please rebase onto nixpkgs `master`.
@@ -31,9 +31,9 @@ For pull requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Community maintained wiki](https://nixos.wiki/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 18.09 release](https://hydra.nixos.org/jobset/nixos/release-18.09)
+* [Continuous package builds for 19.03 release](https://hydra.nixos.org/jobset/nixos/release-19.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 18.09 release](https://hydra.nixos.org/job/nixos/release-18.09/tested#tabs-constituents)
+* [Tests for 19.03 release](https://hydra.nixos.org/job/nixos/release-19.03/tested#tabs-constituents)

 Communication:

--- a/doc/functions/dockertools.xml
+++ b/doc/functions/dockertools.xml
@@ -47,7 +47,7 @@ buildImage {

  contents = pkgs.redis; <co xml:id='ex-dockerTools-buildImage-6' />
  runAsRoot = '' <co xml:id='ex-dockerTools-buildImage-runAsRoot' />
-    #!${stdenv.shell}
+    #!${pkgs.runtimeShell}
    mkdir -p /data
  '';

@@ -544,7 +544,7 @@ buildImage {
  name = "shadow-basic";

  runAsRoot = ''
-    #!${stdenv.shell}
+    #!${pkgs.runtimeShell}
    ${shadowSetup}
    groupadd -r redis
    useradd -r -g redis redis
--- a/doc/languages-frameworks/go.xml
+++ b/doc/languages-frameworks/go.xml
@@ -3,12 +3,91 @@
         xml:id="sec-language-go">
 <title>Go</title>

- <para>
-  The function <varname>buildGoPackage</varname> builds standard Go programs.
- </para>
+ <section xml:id="ssec-go-modules">
+  <title>Go modules</title>

- <example xml:id='ex-buildGoPackage'>
-  <title>buildGoPackage</title>
+  <para>
+   The function <varname> buildGoModule </varname> builds Go programs managed
+   with Go modules. It builds a
+   <link xlink:href="https://github.com/golang/go/wiki/Modules">Go
+   modules</link> through a two phase build:
+   <itemizedlist>
+    <listitem>
+     <para>
+      An intermediate fetcher derivation. This derivation will be used to fetch
+      all of the dependencies of the Go module.
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      A final derivation will use the output of the intermediate derivation to
+      build the binaries and produce the final output.
+     </para>
+    </listitem>
+   </itemizedlist>
+  </para>
+
+  <example xml:id='ex-buildGoModule'>
+   <title>buildGoModule</title>
+<programlisting>
+pet = buildGoModule rec {
+  name = "pet-${version}";
+  version = "0.3.4";
+
+  src = fetchFromGitHub {
+    owner = "knqyf263";
+    repo = "pet";
+    rev = "v${version}";
+    sha256 = "0m2fzpqxk7hrbxsgqplkg7h2p7gv6s1miymv3gvw0cz039skag0s";
+  };
+
+  modSha256 = "1879j77k96684wi554rkjxydrj8g3hpp0kvxz03sd8dmwr3lh83j"; <co xml:id='ex-buildGoModule-1' />
+
+  subPackages = [ "." ]; <co xml:id='ex-buildGoModule-2' />
+
+  meta = with lib; {
+    description = "Simple command-line snippet manager, written in Go";
+    homepage = https://github.com/knqyf263/pet;
+    license = licenses.mit;
+    maintainers = with maintainers; [ kalbasit ];
+    platforms = platforms.linux ++ platforms.darwin;
+  };
+}
+</programlisting>
+  </example>
+
+  <para>
+   <xref linkend='ex-buildGoModule'/> is an example expression using
+   buildGoModule, the following arguments are of special significance to the
+   function:
+   <calloutlist>
+    <callout arearefs='ex-buildGoModule-1'>
+     <para>
+      <varname>modSha256</varname> is the hash of the output of the
+      intermediate fetcher derivation.
+     </para>
+    </callout>
+    <callout arearefs='ex-buildGoModule-2'>
+     <para>
+      <varname>subPackages</varname> limits the builder from building child
+      packages that have not been listed. If <varname>subPackages</varname> is
+      not specified, all child packages will be built.
+     </para>
+    </callout>
+   </calloutlist>
+  </para>
+ </section>
+
+ <section xml:id="ssec-go-legacy">
+  <title>Go legacy</title>
+
+  <para>
+   The function <varname> buildGoPackage </varname> builds legacy Go programs,
+   not supporting Go modules.
+  </para>
+
+  <example xml:id='ex-buildGoPackage'>
+   <title>buildGoPackage</title>
 <programlisting>
 deis = buildGoPackage rec {
  name = "deis-${version}";
@@ -29,56 +108,56 @@ deis = buildGoPackage rec {
  buildFlags = "--tags release"; <co xml:id='ex-buildGoPackage-4' />
 }
 </programlisting>
- </example>
+  </example>

- <para>
-  <xref linkend='ex-buildGoPackage'/> is an example expression using
-  buildGoPackage, the following arguments are of special significance to the
-  function:
-  <calloutlist>
-   <callout arearefs='ex-buildGoPackage-1'>
-    <para>
-     <varname>goPackagePath</varname> specifies the package's canonical Go
-     import path.
-    </para>
-   </callout>
-   <callout arearefs='ex-buildGoPackage-2'>
-    <para>
-     <varname>subPackages</varname> limits the builder from building child
-     packages that have not been listed. If <varname>subPackages</varname> is
-     not specified, all child packages will be built.
-    </para>
-    <para>
-     In this example only <literal>github.com/deis/deis/client</literal> will
-     be built.
-    </para>
-   </callout>
-   <callout arearefs='ex-buildGoPackage-3'>
-    <para>
-     <varname>goDeps</varname> is where the Go dependencies of a Go program are
-     listed as a list of package source identified by Go import path. It could
-     be imported as a separate <varname>deps.nix</varname> file for
-     readability. The dependency data structure is described below.
-    </para>
-   </callout>
-   <callout arearefs='ex-buildGoPackage-4'>
-    <para>
-     <varname>buildFlags</varname> is a list of flags passed to the go build
-     command.
-    </para>
-   </callout>
-  </calloutlist>
- </para>
+  <para>
+   <xref linkend='ex-buildGoPackage'/> is an example expression using
+   buildGoPackage, the following arguments are of special significance to the
+   function:
+   <calloutlist>
+    <callout arearefs='ex-buildGoPackage-1'>
+     <para>
+      <varname>goPackagePath</varname> specifies the package's canonical Go
+      import path.
+     </para>
+    </callout>
+    <callout arearefs='ex-buildGoPackage-2'>
+     <para>
+      <varname>subPackages</varname> limits the builder from building child
+      packages that have not been listed. If <varname>subPackages</varname> is
+      not specified, all child packages will be built.
+     </para>
+     <para>
+      In this example only <literal>github.com/deis/deis/client</literal> will
+      be built.
+     </para>
+    </callout>
+    <callout arearefs='ex-buildGoPackage-3'>
+     <para>
+      <varname>goDeps</varname> is where the Go dependencies of a Go program
+      are listed as a list of package source identified by Go import path. It
+      could be imported as a separate <varname>deps.nix</varname> file for
+      readability. The dependency data structure is described below.
+     </para>
+    </callout>
+    <callout arearefs='ex-buildGoPackage-4'>
+     <para>
+      <varname>buildFlags</varname> is a list of flags passed to the go build
+      command.
+     </para>
+    </callout>
+   </calloutlist>
+  </para>

- <para>
-  The <varname>goDeps</varname> attribute can be imported from a separate
-  <varname>nix</varname> file that defines which Go libraries are needed and
-  should be included in <varname>GOPATH</varname> for
-  <varname>buildPhase</varname>.
- </para>
+  <para>
+   The <varname>goDeps</varname> attribute can be imported from a separate
+   <varname>nix</varname> file that defines which Go libraries are needed and
+   should be included in <varname>GOPATH</varname> for
+   <varname>buildPhase</varname>.
+  </para>

- <example xml:id='ex-goDeps'>
-  <title>deps.nix</title>
+  <example xml:id='ex-goDeps'>
+   <title>deps.nix</title>
 <programlisting>
 [ <co xml:id='ex-goDeps-1' />
  {
@@ -101,60 +180,62 @@ deis = buildGoPackage rec {
  }
 ]
 </programlisting>
- </example>
+  </example>

- <para>
-  <calloutlist>
-   <callout arearefs='ex-goDeps-1'>
-    <para>
-     <varname>goDeps</varname> is a list of Go dependencies.
-    </para>
-   </callout>
-   <callout arearefs='ex-goDeps-2'>
-    <para>
-     <varname>goPackagePath</varname> specifies Go package import path.
-    </para>
-   </callout>
-   <callout arearefs='ex-goDeps-3'>
-    <para>
-     <varname>fetch type</varname> that needs to be used to get package source.
-     If <varname>git</varname> is used there should be <varname>url</varname>,
-     <varname>rev</varname> and <varname>sha256</varname> defined next to it.
-    </para>
-   </callout>
-  </calloutlist>
- </para>
+  <para>
+   <calloutlist>
+    <callout arearefs='ex-goDeps-1'>
+     <para>
+      <varname>goDeps</varname> is a list of Go dependencies.
+     </para>
+    </callout>
+    <callout arearefs='ex-goDeps-2'>
+     <para>
+      <varname>goPackagePath</varname> specifies Go package import path.
+     </para>
+    </callout>
+    <callout arearefs='ex-goDeps-3'>
+     <para>
+      <varname>fetch type</varname> that needs to be used to get package
+      source. If <varname>git</varname> is used there should be
+      <varname>url</varname>, <varname>rev</varname> and
+      <varname>sha256</varname> defined next to it.
+     </para>
+    </callout>
+   </calloutlist>
+  </para>

- <para>
-  To extract dependency information from a Go package in automated way use
-  <link xlink:href="https://github.com/kamilchm/go2nix">go2nix</link>. It can
-  produce complete derivation and <varname>goDeps</varname> file for Go
-  programs.
- </para>
+  <para>
+   To extract dependency information from a Go package in automated way use
+   <link xlink:href="https://github.com/kamilchm/go2nix">go2nix</link>. It can
+   produce complete derivation and <varname>goDeps</varname> file for Go
+   programs.
+  </para>

- <para>
-  <varname>buildGoPackage</varname> produces
-  <xref linkend='chap-multiple-output' xrefstyle="select: title" /> where
-  <varname>bin</varname> includes program binaries. You can test build a Go
-  binary as follows:
+  <para>
+   <varname>buildGoPackage</varname> produces
+   <xref linkend='chap-multiple-output' xrefstyle="select: title" /> where
+   <varname>bin</varname> includes program binaries. You can test build a Go
+   binary as follows:
 <screen>
    $ nix-build -A deis.bin
  </screen>
-  or build all outputs with:
+   or build all outputs with:
 <screen>
    $ nix-build -A deis.all
  </screen>
-  <varname>bin</varname> output will be installed by default with
-  <varname>nix-env -i</varname> or <varname>systemPackages</varname>.
- </para>
+   <varname>bin</varname> output will be installed by default with
+   <varname>nix-env -i</varname> or <varname>systemPackages</varname>.
+  </para>

- <para>
-  You may use Go packages installed into the active Nix profiles by adding the
-  following to your ~/.bashrc:
+  <para>
+   You may use Go packages installed into the active Nix profiles by adding the
+   following to your ~/.bashrc:
 <screen>
 for p in $NIX_PROFILES; do
    GOPATH="$p/share/go:$GOPATH"
 done
 </screen>
- </para>
+  </para>
+ </section>
 </section>
--- a/doc/languages-frameworks/python.section.md
+++ b/doc/languages-frameworks/python.section.md
@@ -188,25 +188,24 @@ building Python libraries is `buildPythonPackage`. Let's see how we can build th
 ```nix
 { lib, buildPythonPackage, fetchPypi }:

-  toolz = buildPythonPackage rec {
-    pname = "toolz";
-    version = "0.7.4";
+buildPythonPackage rec {
+  pname = "toolz";
+  version = "0.7.4";

-    src = fetchPypi {
-      inherit pname version;
-      sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
-    };
-
-    doCheck = false;
-
-    meta = with lib; {
-      homepage = https://github.com/pytoolz/toolz;
-      description = "List processing tools and functional utilities";
-      license = licenses.bsd3;
-      maintainers = with maintainers; [ fridh ];
-    };
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
  };
-}
+
+  doCheck = false;
+
+  meta = with lib; {
+    homepage = https://github.com/pytoolz/toolz;
+    description = "List processing tools and functional utilities";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ fridh ];
+  };
+};
 ```

 What happens here? The function `buildPythonPackage` is called and as argument
@@ -279,32 +278,31 @@ The following example shows which arguments are given to `buildPythonPackage` in
 order to build [`datashape`](https://github.com/blaze/datashape).

 ```nix
-{ # ...
+{ lib, buildPythonPackage, fetchPypi, numpy, multipledispatch, dateutil, pytest }:

-  datashape = buildPythonPackage rec {
-    pname = "datashape";
-    version = "0.4.7";
+buildPythonPackage rec {
+  pname = "datashape";
+  version = "0.4.7";

-    src = fetchPypi {
-      inherit pname version;
-      sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
-    };
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
+  };

-    checkInputs = with self; [ pytest ];
-    propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
+  checkInputs = [ pytest ];
+  propagatedBuildInputs = [ numpy multipledispatch dateutil ];

-    meta = with lib; {
-      homepage = https://github.com/ContinuumIO/datashape;
-      description = "A data description language";
-      license = licenses.bsd2;
-      maintainers = with maintainers; [ fridh ];
-    };
+  meta = with lib; {
+    homepage = https://github.com/ContinuumIO/datashape;
+    description = "A data description language";
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ fridh ];
  };
 }
 ```

 We can see several runtime dependencies, `numpy`, `multipledispatch`, and
-`dateutil`. Furthermore, we have one `buildInput`, i.e. `pytest`. `pytest` is a
+`dateutil`. Furthermore, we have one `checkInputs`, i.e. `pytest`. `pytest` is a
 test runner and is only used during the `checkPhase` and is therefore not added
 to `propagatedBuildInputs`.

@@ -314,25 +312,24 @@ Python bindings to `libxml2` and `libxslt`. These libraries are only required
 when building the bindings and are therefore added as `buildInputs`.

 ```nix
-{ # ...
+{ lib, pkgs, buildPythonPackage, fetchPypi }:

-  lxml = buildPythonPackage rec {
-    pname = "lxml";
-    version = "3.4.4";
+buildPythonPackage rec {
+  pname = "lxml";
+  version = "3.4.4";

-    src = fetchPypi {
-      inherit pname version;
-      sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
-    };
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
+  };

-    buildInputs = with self; [ pkgs.libxml2 pkgs.libxslt ];
+  buildInputs = [ pkgs.libxml2 pkgs.libxslt ];

-    meta = with lib; {
-      description = "Pythonic binding for the libxml2 and libxslt libraries";
-      homepage = https://lxml.de;
-      license = licenses.bsd3;
-      maintainers = with maintainers; [ sjourdois ];
-    };
+  meta = with lib; {
+    description = "Pythonic binding for the libxml2 and libxslt libraries";
+    homepage = https://lxml.de;
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ sjourdois ];
  };
 }
 ```
@@ -348,35 +345,34 @@ find each of them in a different folder, and therefore we have to set `LDFLAGS`
 and `CFLAGS`.

 ```nix
-{ # ...
+{ lib, pkgs, buildPythonPackage, fetchPypi, numpy, scipy }:

-  pyfftw = buildPythonPackage rec {
-    pname = "pyFFTW";
-    version = "0.9.2";
+buildPythonPackage rec {
+  pname = "pyFFTW";
+  version = "0.9.2";

-    src = fetchPypi {
-      inherit pname version;
-      sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
-    };
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
+  };

-    buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];
+  buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];

-    propagatedBuildInputs = with self; [ numpy scipy ];
+  propagatedBuildInputs = [ numpy scipy ];

-    # Tests cannot import pyfftw. pyfftw works fine though.
-    doCheck = false;
+  # Tests cannot import pyfftw. pyfftw works fine though.
+  doCheck = false;

-    preConfigure = ''
-      export LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
-      export CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
-    '';
+  preConfigure = ''
+    export LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
+    export CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
+  '';

-    meta = with lib; {
-      description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
-      homepage = http://hgomersall.github.com/pyFFTW;
-      license = with licenses; [ bsd2 bsd3 ];
-      maintainers = with maintainers; [ fridh ];
-    };
+  meta = with lib; {
+    description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
+    homepage = http://hgomersall.github.com/pyFFTW;
+    license = with licenses; [ bsd2 bsd3 ];
+    maintainers = with maintainers; [ fridh ];
  };
 }
 ```
@@ -404,7 +400,7 @@ Indeed, we can just add any package we like to have in our environment to `propa

 ```nix
 with import <nixpkgs> {};
-with pkgs.python35Packages;
+with python35Packages;

 buildPythonPackage rec {
  name = "mypackage";
@@ -437,7 +433,7 @@ Let's split the package definition from the environment definition.
 We first create a function that builds `toolz` in `~/path/to/toolz/release.nix`

 ```nix
-{ lib, pkgs, buildPythonPackage }:
+{ lib, buildPythonPackage }:

 buildPythonPackage rec {
  pname = "toolz";
@@ -457,18 +453,17 @@ buildPythonPackage rec {
 }
 ```

-It takes two arguments, `pkgs` and `buildPythonPackage`.
+It takes an argument `buildPythonPackage`.
 We now call this function using `callPackage` in the definition of our environment

 ```nix
 with import <nixpkgs> {};

 ( let
-    toolz = pkgs.callPackage /path/to/toolz/release.nix {
-      pkgs = pkgs;
-      buildPythonPackage = pkgs.python35Packages.buildPythonPackage;
+    toolz = callPackage /path/to/toolz/release.nix {
+      buildPythonPackage = python35Packages.buildPythonPackage;
    };
-  in pkgs.python35.withPackages (ps: [ ps.numpy toolz ])
+  in python35.withPackages (ps: [ ps.numpy toolz ])
 ).env
 ```

@@ -566,7 +561,7 @@ buildPythonPackage rec {
  '';

  checkInputs = [ hypothesis ];
-  buildInputs = [ setuptools_scm ];
+  nativeBuildInputs = [ setuptools_scm ];
  propagatedBuildInputs = [ attrs py setuptools six pluggy ];

  meta = with lib; {
@@ -586,11 +581,6 @@ The `buildPythonPackage` mainly does four things:
  environment variable and add dependent libraries to script's `sys.path`.
 * In the `installCheck` phase, `${python.interpreter} setup.py test` is ran.

-As in Perl, dependencies on other Python packages can be specified in the
-`buildInputs` and `propagatedBuildInputs` attributes.  If something is
-exclusively a build-time dependency, use `buildInputs`; if it is (also) a runtime
-dependency, use `propagatedBuildInputs`.
-
 By default tests are run because `doCheck = true`. Test dependencies, like
 e.g. the test runner, should be added to `checkInputs`.

@@ -602,11 +592,10 @@ as the interpreter unless overridden otherwise.
 All parameters from `stdenv.mkDerivation` function are still supported. The following are specific to `buildPythonPackage`:

 * `catchConflicts ? true`: If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.
-* `checkInputs ? []`: Dependencies needed for running the `checkPhase`. These are added to `buildInputs` when `doCheck = true`.
 * `disabled` ? false: If `true`, package is not build for the particular Python interpreter version.
 * `dontWrapPythonPrograms ? false`: Skip wrapping of python programs.
-* `installFlags ? []`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"].
-* `format ? "setuptools"`: Format of the source. Valid options are `"setuptools"`, `"flit"`, `"wheel"`, and `"other"`. `"setuptools"` is for when the source has a `setup.py` and `setuptools` is used to build a wheel, `flit`, in case `flit` should be used to build a wheel, and `wheel` in case a wheel is provided. Use `other` when a custom `buildPhase` and/or `installPhase` is needed.
+* `installFlags ? []`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"]`.
+* `format ? "setuptools"`: Format of the source. Valid options are `"setuptools"`, `"pyproject"`, `"flit"`, `"wheel"`, and `"other"`. `"setuptools"` is for when the source has a `setup.py` and `setuptools` is used to build a wheel, `flit`, in case `flit` should be used to build a wheel, and `wheel` in case a wheel is provided. Use `other` when a custom `buildPhase` and/or `installPhase` is needed.
 * `makeWrapperArgs ? []`: A list of strings. Arguments to be passed to `makeWrapper`, which wraps generated binaries. By default, the arguments to `makeWrapper` set `PATH` and `PYTHONPATH` environment variables before calling the binary. Additional arguments here can allow a developer to set environment variables which will be available when the binary is run. For example, `makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"]`.
 * `namePrefix`: Prepends text to `${name}` parameter. In case of libraries, this defaults to `"python3.5-"` for Python 3.5, etc., and in case of applications to `""`.
 * `pythonPath ? []`: List of packages to be added into `$PYTHONPATH`. Packages in `pythonPath` are not propagated (contrary to `propagatedBuildInputs`).
@@ -615,6 +604,14 @@ All parameters from `stdenv.mkDerivation` function are still supported. The foll
 * `removeBinByteCode ? true`: Remove bytecode from `/bin`. Bytecode is only created when the filenames end with `.py`.
 * `setupPyBuildFlags ? []`: List of flags passed to `setup.py build_ext` command.

+The `stdenv.mkDerivation` function accepts various parameters for describing build inputs (see "Specifying dependencies"). The following are of special
+interest for Python packages, either because these are primarily used, or because their behaviour is different:
+
+* `nativeBuildInputs ? []`: Build-time only dependencies. Typically executables as well as the items listed in `setup_requires`.
+* `buildInputs ? []`: Build and/or run-time dependencies that need to be be compiled for the host machine. Typically non-Python libraries which are being linked.
+* `checkInputs ? []`: Dependencies needed for running the `checkPhase`. These are added to `nativeBuildInputs` when `doCheck = true`. Items listed in `tests_require` go here.
+* `propagatedBuildInputs ? []`: Aside from propagating dependencies, `buildPythonPackage` also injects code into and wraps executables with the paths included in this list. Items listed in `install_requires` go here.
+
 ##### Overriding Python packages

 The `buildPythonPackage` function has a `overridePythonAttrs` method that
@@ -727,7 +724,7 @@ Saving the following as `default.nix`
 with import <nixpkgs> {};

 python.buildEnv.override {
-  extraLibs = [ pkgs.pythonPackages.pyramid ];
+  extraLibs = [ pythonPackages.pyramid ];
  ignoreCollisions = true;
 }
 ```
@@ -809,11 +806,12 @@ Given a `default.nix`:
 ```nix
 with import <nixpkgs> {};

-buildPythonPackage { name = "myproject";
+pythonPackages.buildPythonPackage {
+  name = "myproject";
+  buildInputs = with pythonPackages; [ pyramid ];

-buildInputs = with pkgs.pythonPackages; [ pyramid ];
-
-src = ./.; }
+  src = ./.;
+}
 ```

 Running `nix-shell` with no arguments should give you
@@ -874,7 +872,6 @@ example of such a situation is when `py.test` is used.
    '';
  }
  ```
- Unicode issues can typically be fixed by including `glibcLocales` in `buildInputs` and exporting `LC_ALL=en_US.utf-8`.
 - Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`

 ## FAQ
@@ -1000,10 +997,13 @@ Create this `default.nix` file, together with a `requirements.txt` and simply ex

 ```nix
 with import <nixpkgs> {};
-with pkgs.python27Packages;
+with python27Packages;

 stdenv.mkDerivation {
  name = "impurePythonEnv";
+
+  src = null;
+
  buildInputs = [
    # these packages are required for virtualenv and pip to work:
    #
@@ -1023,14 +1023,15 @@ stdenv.mkDerivation {
    libxslt
    libzip
    stdenv
-    zlib ];
-  src = null;
+    zlib
+  ];
+
  shellHook = ''
-  # set SOURCE_DATE_EPOCH so that we can use python wheels
-  SOURCE_DATE_EPOCH=$(date +%s)
-  virtualenv --no-setuptools venv
-  export PATH=$PWD/venv/bin:$PATH
-  pip install -r requirements.txt
+    # set SOURCE_DATE_EPOCH so that we can use python wheels
+    SOURCE_DATE_EPOCH=$(date +%s)
+    virtualenv --no-setuptools venv
+    export PATH=$PWD/venv/bin:$PATH
+    pip install -r requirements.txt
  '';
 }
 ```
@@ -1123,6 +1124,14 @@ LLVM implementation. To use that one instead, Intel recommends users set it with
 Note that `mkl` is only available on `x86_64-{linux,darwin}` platforms;
 moreover, Hydra is not building and distributing pre-compiled binaries using it.

+### What inputs do `setup_requires`, `install_requires` and `tests_require` map to?
+
+In a `setup.py` or `setup.cfg` it is common to declare dependencies:
+
+* `setup_requires` corresponds to `nativeBuildInputs`
+* `install_requires` corresponds to `propagatedBuildInputs`
+* `tests_require` corresponds to `checkInputs`
+
 ## Contributing

 ### Contributing guidelines
--- a/doc/package-notes.xml
+++ b/doc/package-notes.xml
@@ -882,6 +882,33 @@ citrix_receiver.override {
    On NixOS it can be installed using the following expression:
 <programlisting>{ pkgs, ... }: {
  fonts.fonts = with pkgs; [ noto-fonts-emoji ];
+}</programlisting>
+   </para>
+  </section>
+ </section>
+ <section xml:id="dlib">
+  <title>DLib</title>
+
+  <para>
+    <link xlink:href="http://dlib.net/">DLib</link> is a modern, C++-based toolkit which
+    provides several machine learning algorithms.
+  </para>
+
+  <section xml:id="compiling-without-avx-support">
+   <title>Compiling without AVX support</title>
+
+   <para>
+     Especially older CPUs don't support
+     <link xlink:href="https://en.wikipedia.org/wiki/Advanced_Vector_Extensions">AVX</link>
+     (<abbrev>Advanced Vector Extensions</abbrev>) instructions that are used by DLib to
+     optimize their algorithms.
+   </para>
+
+   <para>
+    On the affected hardware errors like <literal>Illegal instruction</literal> will occur.
+    In those cases AVX support needs to be disabled:
+<programlisting>self: super: {
+  dlib = super.dlib.override { avxSupport = false; };
 }</programlisting>
   </para>
  </section>
--- a/lib/modules.nix
+++ b/lib/modules.nix
@@ -476,8 +476,22 @@ rec {
     optionSet to options of type submodule.  FIXME: remove
     eventually. */
  fixupOptionType = loc: opt:
-    if opt.type.getSubModules or null == null
-      then opt // { type = opt.type or types.unspecified; }
+    let
+      options = opt.options or
+        (throw "Option `${showOption loc'}' has type optionSet but has no option attribute, in ${showFiles opt.declarations}.");
+      f = tp:
+        let optionSetIn = type: (tp.name == type) && (tp.functor.wrapped.name == "optionSet");
+        in
+        if tp.name == "option set" || tp.name == "submodule" then
+          throw "The option ${showOption loc} uses submodules without a wrapping type, in ${showFiles opt.declarations}."
+        else if optionSetIn "attrsOf" then types.attrsOf (types.submodule options)
+        else if optionSetIn "loaOf"   then types.loaOf   (types.submodule options)
+        else if optionSetIn "listOf"  then types.listOf  (types.submodule options)
+        else if optionSetIn "nullOr"  then types.nullOr  (types.submodule options)
+        else tp;
+    in
+      if opt.type.getSubModules or null == null
+      then opt // { type = f (opt.type or types.unspecified); }
      else opt // { type = opt.type.substSubModules opt.options; options = []; };


--- a/lib/options.nix
+++ b/lib/options.nix
@@ -48,6 +48,8 @@ rec {
    visible ? null,
    # Whether the option can be set only once
    readOnly ? null,
+    # Deprecated, used by types.optionSet.
+    options ? null
    } @ attrs:
    attrs // { _type = "option"; };

--- a/lib/types.nix
+++ b/lib/types.nix
@@ -469,8 +469,10 @@ rec {
    # Obsolete alternative to configOf.  It takes its option
    # declarations from the ‘options’ attribute of containing option
    # declaration.
-    optionSet = builtins.throw "types.optionSet is deprecated; use types.submodule instead" "optionSet";
-
+    optionSet = mkOptionType {
+      name = builtins.trace "types.optionSet is deprecated; use types.submodule instead" "optionSet";
+      description = "option set";
+    };
    # Augment the given type with an additional type check function.
    addCheck = elemType: check: elemType // { check = x: elemType.check x && check x; };

--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -1628,6 +1628,10 @@
    email = "fpletz@fnordicwalking.de";
    github = "fpletz";
    name = "Franz Pletz";
+    keys = [{
+      longkeyid = "rsa4096/0x846FDED7792617B4";
+      fingerprint = "8A39 615D CE78 AF08 2E23  F303 846F DED7 7926 17B4";
+    }];
  };
  fps = {
    email = "mista.tapas@gmx.net";
@@ -2449,6 +2453,11 @@
    github = "kisonecat";
    name = "Jim Fowler";
  };
+  kjuvi = {
+    email = "quentin.vaucher@pm.me";
+    github = "kjuvi";
+    name = "Quentin Vaucher";
+  };
  kkallio = {
    email = "tierpluspluslists@gmail.com";
    name = "Karn Kallio";
--- a/maintainers/scripts/fetch-kde-qt.sh
+++ b/maintainers/scripts/fetch-kde-qt.sh
@@ -14,12 +14,13 @@ fi

 tmp=$(mktemp -d)
 pushd $tmp >/dev/null
-wget -nH -r -c --no-parent "${WGET_ARGS[@]}" >/dev/null
+wget -nH -r -c --no-parent "${WGET_ARGS[@]}" -A '*.tar.xz.sha256' -A '*.mirrorlist' >/dev/null
+find -type f -name '*.mirrorlist' -delete

 csv=$(mktemp)
 find . -type f | while read src; do
    # Sanitize file name
-    filename=$(basename "$src" | tr '@' '_')
+    filename=$(gawk '{ print $2 }' "$src" | tr '@' '_')
    nameVersion="${filename%.tar.*}"
    name=$(echo "$nameVersion" | sed -e 's,-[[:digit:]].*,,' | sed -e 's,-opensource-src$,,' | sed -e 's,-everywhere-src$,,')
    version=$(echo "$nameVersion" | sed -e 's,^\([[:alpha:]][[:alnum:]]*-\)\+,,')
@@ -38,8 +39,8 @@ gawk -F , "{ print \$1 }" $csv | sort | uniq | while read name; do
    latestVersion=$(echo "$versions" | sort -rV | head -n 1)
    src=$(gawk -F , "/^$name,$latestVersion,/ { print \$3 }" $csv)
    filename=$(gawk -F , "/^$name,$latestVersion,/ { print \$4 }" $csv)
-    url="${src:2}"
-    sha256=$(nix-hash --type sha256 --base32 --flat "$src")
+    url="$(dirname "${src:2}")/$filename"
+    sha256=$(gawk '{ print $1 }' "$src")
    cat >>"$SRCS" <<EOF
  $name = {
    version = "$latestVersion";
--- a/maintainers/scripts/luarocks-packages.csv
+++ b/maintainers/scripts/luarocks-packages.csv
@@ -1,7 +1,6 @@
 ansicolors,
 argparse,
 basexx,
-cqueues
 dkjson
 fifo
 inspect
--- a/nixos/doc/manual/configuration/config-file.xml
+++ b/nixos/doc/manual/configuration/config-file.xml
@@ -200,8 +200,9 @@ swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
 <xref linkend="opt-services.postgresql.package"/> = pkgs.postgresql_10;
 </programlisting>
      The latter option definition changes the default PostgreSQL package used
-      by NixOS’s PostgreSQL service to 10.x. For more information on packages,
-      including how to add new ones, see <xref linkend="sec-custom-packages"/>.
+      by NixOS’s PostgreSQL service to 10.x. For more information on
+      packages, including how to add new ones, see
+      <xref linkend="sec-custom-packages"/>.
     </para>
    </listitem>
   </varlistentry>
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@@ -21,6 +21,7 @@
 <xi:include href="xfce.xml" />
 <xi:include href="networking.xml" />
 <xi:include href="linux-kernel.xml" />
+ <xi:include href="matrix.xml" />
 <xi:include href="../generated/modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
 <xi:include href="profiles.xml" />
 <xi:include href="kubernetes.xml" />
--- a/nixos/doc/manual/configuration/kubernetes.xml
+++ b/nixos/doc/manual/configuration/kubernetes.xml
@@ -4,15 +4,13 @@
         version="5.0"
         xml:id="sec-kubernetes">
 <title>Kubernetes</title>
-
 <para>
-   The NixOS Kubernetes module is a collective term for a handful of
-   individual submodules implementing the Kubernetes cluster components.
+  The NixOS Kubernetes module is a collective term for a handful of individual
+  submodules implementing the Kubernetes cluster components.
 </para>
-
 <para>
-   There are generally two ways of enabling Kubernetes on NixOS.
-   One way is to enable and configure cluster components appropriately by hand:
+  There are generally two ways of enabling Kubernetes on NixOS. One way is to
+  enable and configure cluster components appropriately by hand:
 <programlisting>
 services.kubernetes = {
  apiserver.enable = true;
@@ -33,95 +31,82 @@ services.kubernetes = {
 <programlisting>
 <xref linkend="opt-services.kubernetes.roles"/> = [ "node" ];
 </programlisting>
-  Assigning both the master and node roles is usable if you want a single
-  node Kubernetes cluster for dev or testing purposes:
+  Assigning both the master and node roles is usable if you want a single node
+  Kubernetes cluster for dev or testing purposes:
 <programlisting>
 <xref linkend="opt-services.kubernetes.roles"/> = [ "master" "node" ];
 </programlisting>
  Note: Assigning either role will also default both
  <xref linkend="opt-services.kubernetes.flannel.enable"/> and
-  <xref linkend="opt-services.kubernetes.easyCerts"/> to true.
-  This sets up flannel as CNI and activates automatic PKI bootstrapping.
+  <xref linkend="opt-services.kubernetes.easyCerts"/> to true. This sets up
+  flannel as CNI and activates automatic PKI bootstrapping.
 </para>
-
 <para>
-   As of kubernetes 1.10.X it has been deprecated to open
-   non-tls-enabled ports on kubernetes components. Thus, from NixOS 19.03 all
-   plain HTTP ports have been disabled by default.
-   While opening insecure ports is still possible, it is recommended not to
-   bind these to other interfaces than loopback.
-
-   To re-enable the insecure port on the apiserver, see options:
-   <xref linkend="opt-services.kubernetes.apiserver.insecurePort"/>
-   and
-   <xref linkend="opt-services.kubernetes.apiserver.insecureBindAddress"/>
+  As of kubernetes 1.10.X it has been deprecated to open non-tls-enabled ports
+  on kubernetes components. Thus, from NixOS 19.03 all plain HTTP ports have
+  been disabled by default. While opening insecure ports is still possible, it
+  is recommended not to bind these to other interfaces than loopback. To
+  re-enable the insecure port on the apiserver, see options:
+  <xref linkend="opt-services.kubernetes.apiserver.insecurePort"/> and
+  <xref linkend="opt-services.kubernetes.apiserver.insecureBindAddress"/>
 </para>
-
 <note>
  <para>
   As of NixOS 19.03, it is mandatory to configure:
-   <xref linkend="opt-services.kubernetes.masterAddress"/>.
-   The masterAddress must be resolveable and routeable by all cluster nodes.
-   In single node clusters, this can be set to <literal>localhost</literal>.
+   <xref linkend="opt-services.kubernetes.masterAddress"/>. The masterAddress
+   must be resolveable and routeable by all cluster nodes. In single node
+   clusters, this can be set to <literal>localhost</literal>.
  </para>
 </note>
-
 <para>
-   Role-based access control (RBAC) authorization mode is enabled by default.
-   This means that anonymous requests to the apiserver secure port will
-   expectedly cause a permission denied error. All cluster components must
-   therefore be configured with x509 certificates for two-way tls communication.
-   The x509 certificate subject section determines the roles and permissions
-   granted by the apiserver to perform clusterwide or namespaced operations.
-   See also:
-   <link
+  Role-based access control (RBAC) authorization mode is enabled by default.
+  This means that anonymous requests to the apiserver secure port will
+  expectedly cause a permission denied error. All cluster components must
+  therefore be configured with x509 certificates for two-way tls communication.
+  The x509 certificate subject section determines the roles and permissions
+  granted by the apiserver to perform clusterwide or namespaced operations. See
+  also:
+  <link
     xlink:href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">
-     Using RBAC Authorization</link>.
+  Using RBAC Authorization</link>.
 </para>
-
-  <para>
-   The NixOS kubernetes module provides an option for automatic certificate
-   bootstrapping and configuration,
-    <xref linkend="opt-services.kubernetes.easyCerts"/>.
-   The PKI bootstrapping process involves setting up a certificate authority
-   (CA) daemon (cfssl) on the kubernetes master node. cfssl generates a CA-cert
-   for the cluster, and uses the CA-cert for signing subordinate certs issued to
-   each of the cluster components. Subsequently, the certmgr daemon monitors
-   active certificates and renews them when needed. For single node Kubernetes
-   clusters, setting <xref linkend="opt-services.kubernetes.easyCerts"/> = true
-   is sufficient and no further action is required. For joining extra node
-   machines to an existing cluster on the other hand, establishing initial trust
-   is mandatory.
- </para>
-
 <para>
-   To add new nodes to the cluster:
-   On any (non-master) cluster node where
-   <xref linkend="opt-services.kubernetes.easyCerts"/> is enabled, the helper
-   script <literal>nixos-kubernetes-node-join</literal> is available on PATH.
-   Given a token on stdin, it will copy the token to the kubernetes
-   secrets directory and restart the certmgr service. As requested
-   certificates are issued, the script will restart kubernetes cluster
-   components as needed for them to pick up new keypairs.
+  The NixOS kubernetes module provides an option for automatic certificate
+  bootstrapping and configuration,
+  <xref linkend="opt-services.kubernetes.easyCerts"/>. The PKI bootstrapping
+  process involves setting up a certificate authority (CA) daemon (cfssl) on
+  the kubernetes master node. cfssl generates a CA-cert for the cluster, and
+  uses the CA-cert for signing subordinate certs issued to each of the cluster
+  components. Subsequently, the certmgr daemon monitors active certificates and
+  renews them when needed. For single node Kubernetes clusters, setting
+  <xref linkend="opt-services.kubernetes.easyCerts"/> = true is sufficient and
+  no further action is required. For joining extra node machines to an existing
+  cluster on the other hand, establishing initial trust is mandatory.
+ </para>
+ <para>
+  To add new nodes to the cluster: On any (non-master) cluster node where
+  <xref linkend="opt-services.kubernetes.easyCerts"/> is enabled, the helper
+  script <literal>nixos-kubernetes-node-join</literal> is available on PATH.
+  Given a token on stdin, it will copy the token to the kubernetes secrets
+  directory and restart the certmgr service. As requested certificates are
+  issued, the script will restart kubernetes cluster components as needed for
+  them to pick up new keypairs.
 </para>
-
 <note>
  <para>
   Multi-master (HA) clusters are not supported by the easyCerts module.
  </para>
 </note>
-
 <para>
-   In order to interact with an RBAC-enabled cluster as an administrator, one
-   needs to have cluster-admin privileges. By default, when easyCerts is
-   enabled, a cluster-admin kubeconfig file is generated and linked into
-   <literal>/etc/kubernetes/cluster-admin.kubeconfig</literal> as determined by
-   <xref linkend="opt-services.kubernetes.pki.etcClusterAdminKubeconfig"/>.
-   <literal>export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig</literal>
-   will make kubectl use this kubeconfig to access and authenticate the cluster.
-   The cluster-admin kubeconfig references an auto-generated keypair owned by
-   root. Thus, only root on the kubernetes master may obtain cluster-admin
-   rights by means of this file.
+  In order to interact with an RBAC-enabled cluster as an administrator, one
+  needs to have cluster-admin privileges. By default, when easyCerts is
+  enabled, a cluster-admin kubeconfig file is generated and linked into
+  <literal>/etc/kubernetes/cluster-admin.kubeconfig</literal> as determined by
+  <xref linkend="opt-services.kubernetes.pki.etcClusterAdminKubeconfig"/>.
+  <literal>export KUBECONFIG=/etc/kubernetes/cluster-admin.kubeconfig</literal>
+  will make kubectl use this kubeconfig to access and authenticate the cluster.
+  The cluster-admin kubeconfig references an auto-generated keypair owned by
+  root. Thus, only root on the kubernetes master may obtain cluster-admin
+  rights by means of this file.
 </para>
-
 </chapter>
--- a/nixos/doc/manual/configuration/matrix.xml
+++ b/nixos/doc/manual/configuration/matrix.xml
@@ -0,0 +1,203 @@
+<chapter xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="module-services-matrix">
+ <title>Matrix</title>
+ <para>
+  <link xlink:href="https://matrix.org/">Matrix</link> is an open standard for
+  interoperable, decentralised, real-time communication over IP. It can be used
+  to power Instant Messaging, VoIP/WebRTC signalling, Internet of Things
+  communication - or anywhere you need a standard HTTP API for publishing and
+  subscribing to data whilst tracking the conversation history.
+ </para>
+ <para>
+  This chapter will show you how to set up your own, self-hosted Matrix
+  homeserver using the Synapse reference homeserver, and how to serve your own
+  copy of the Riot web client. See the
+  <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try
+  Matrix Now!</link> overview page for links to Riot Apps for Android and iOS,
+  desktop clients, as well as bridges to other networks and other projects
+  around Matrix.
+ </para>
+ <section xml:id="module-services-matrix-synapse">
+  <title>Synapse Homeserver</title>
+
+  <para>
+   <link xlink:href="https://github.com/matrix-org/synapse">Synapse</link> is
+   the reference homeserver implementation of Matrix from the core development
+   team at matrix.org. The following configuration example will set up a
+   synapse server for the <literal>example.org</literal> domain, served from
+   the host <literal>myhostname.example.org</literal>. For more information,
+   please refer to the
+   <link xlink:href="https://github.com/matrix-org/synapse#synapse-installation">
+   installation instructions of Synapse </link>.
+<programlisting>
+    let
+      fqdn =
+        let
+          join = hostName: domain: hostName + optionalString (domain != null) ".${domain}";
+        in join config.networking.hostName config.networking.domain;
+    in {
+      networking = {
+        hostName = "myhostname";
+        domain = "example.org";
+      };
+      networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+      services.nginx = {
+        enable = true;
+        # only recommendedProxySettings and recommendedGzipSettings are strictly required,
+        # but the rest make sense as well
+        recommendedTlsSettings = true;
+        recommendedOptimisation = true;
+        recommendedGzipSettings = true;
+        recommendedProxySettings = true;
+
+        virtualHosts = {
+          # This host section can be placed on a different host than the rest,
+          # i.e. to delegate from the host being accessible as ${config.networking.domain}
+          # to another host actually running the Matrix homeserver.
+          "${config.networking.domain}" = {
+            locations."= /.well-known/matrix/server".extraConfig =
+              let
+                # use 443 instead of the default 8448 port to unite
+                # the client-server and server-server port for simplicity
+                server = { "m.server" = "${fqdn}:443"; };
+              in ''
+                add_header Content-Type application/json;
+                return 200 '${builtins.toJSON server}';
+              '';
+            locations."= /.well-known/matrix/client".extraConfig =
+              let
+                client = {
+                  "m.homeserver" =  { "base_url" = "https://${fqdn}"; };
+                  "m.identity_server" =  { "base_url" = "https://vector.im"; };
+                };
+              # ACAO required to allow riot-web on any URL to request this json file
+              in ''
+                add_header Content-Type application/json;
+                add_header Access-Control-Allow-Origin *;
+                return 200 '${builtins.toJSON client}';
+              '';
+          };
+
+          # Reverse proxy for Matrix client-server and server-server communication
+          ${fqdn} = {
+            enableACME = true;
+            forceSSL = true;
+
+            # Or do a redirect instead of the 404, or whatever is appropriate for you.
+            # But do not put a Matrix Web client here! See the Riot Web section below.
+            locations."/".extraConfig = ''
+              return 404;
+            '';
+
+            # forward all Matrix API calls to the synapse Matrix homeserver
+            locations."/_matrix" = {
+              proxyPass = "http://[::1]:8008";
+            };
+          };
+        };
+      };
+      services.matrix-synapse = {
+        enable = true;
+        server_name = config.networking.domain;
+        listeners = [
+          {
+            port = 8008;
+            bind_address = "::1";
+            type = "http";
+            tls = false;
+            x_forwarded = true;
+            resources = [
+              { names = [ "client" "federation" ]; compress = false; }
+            ];
+          }
+        ];
+      };
+    };
+   </programlisting>
+  </para>
+
+  <para>
+   If the <code>A</code> and <code>AAAA</code> DNS records on
+   <literal>example.org</literal> do not point on the same host as the records
+   for <code>myhostname.example.org</code>, you can easily move the
+   <code>/.well-known</code> virtualHost section of the code to the host that
+   is serving <literal>example.org</literal>, while the rest stays on
+   <literal>myhostname.example.org</literal> with no other changes required.
+   This pattern also allows to seamlessly move the homeserver from
+   <literal>myhostname.example.org</literal> to
+   <literal>myotherhost.example.org</literal> by only changing the
+   <code>/.well-known</code> redirection target.
+  </para>
+
+  <para>
+   If you want to run a server with public registration by anybody, you can
+   then enable <option>services.matrix-synapse.enable_registration =
+   true;</option>. Otherwise, or you can generate a registration secret with
+   <command>pwgen -s 64 1</command> and set it with
+   <option>services.matrix-synapse.registration_shared_secret</option>. To
+   create a new user or admin, run the following after you have set the secret
+   and have rebuilt NixOS:
+<programlisting>
+    $ nix run nixpkgs.matrix-synapse
+    $ register_new_matrix_user -k &lt;your-registration-shared-secret&gt; http://localhost:8008
+    New user localpart: &lt;your-username&gt;
+    Password:
+    Confirm password:
+    Make admin [no]:
+    Success!
+   </programlisting>
+   In the example, this would create a user with the Matrix Identifier
+   <literal>@your-username:example.org</literal>. Note that the registration
+   secret ends up in the nix store and therefore is world-readable by any user
+   on your machine, so it makes sense to only temporarily activate the
+   <option>registration_shared_secret</option> option until a better solution
+   for NixOS is in place.
+  </para>
+ </section>
+ <section xml:id="module-services-matrix-riot-web">
+  <title>Riot Web Client</title>
+
+  <para>
+   <link xlink:href="https://github.com/vector-im/riot-web/">Riot Web</link> is
+   the reference web client for Matrix and developed by the core team at
+   matrix.org. The following snippet can be optionally added to the code before
+   to complete the synapse installation with a web client served at
+   <code>https://riot.myhostname.example.org</code> and
+   <code>https://riot.example.org</code>. Alternatively, you can use the hosted
+   copy at <link xlink:href="https://riot.im/app">https://riot.im/app</link>,
+   or use other web clients or native client applications. Due to the
+   <literal>/.well-known</literal> urls set up done above, many clients should
+   fill in the required connection details automatically when you enter your
+   Matrix Identifier. See
+   <link xlink:href="https://matrix.org/docs/projects/try-matrix-now.html">Try
+   Matrix Now!</link> for a list of existing clients and their supported
+   featureset.
+<programlisting>
+     services.nginx.virtualHosts."riot.${fqdn}" = {
+       enableACME = true;
+       forceSSL = true;
+       serverAliases = [
+        "riot.${config.networking.domain}"
+       ];
+
+       root = pkgs.riot-web;
+     };
+   </programlisting>
+  </para>
+
+  <para>
+   Note that the Riot developers do not recommend running Riot and your Matrix
+   homeserver on the same fully-qualified domain name for security reasons. In
+   the example, this means that you should not reuse the
+   <literal>myhostname.example.org</literal> virtualHost to also serve Riot,
+   but instead serve it on a different subdomain, like
+   <literal>riot.example.org</literal> in the example. See the
+   <link xlink:href="https://github.com/vector-im/riot-web#important-security-note">Riot
+   Important Security Notes</link> for more information on this subject.
+  </para>
+ </section>
+</chapter>
--- a/nixos/doc/manual/configuration/modularity.xml
+++ b/nixos/doc/manual/configuration/modularity.xml
@@ -112,9 +112,8 @@ true
 $ nixos-option <xref linkend="opt-boot.kernelModules"/>
 [ "tun" "ipv6" "loop" <replaceable>...</replaceable> ]
 </screen>
-  Interactive exploration of the configuration is possible using
-  <command>nix repl</command>, a read-eval-print loop for Nix expressions.
-  A typical use:
+  Interactive exploration of the configuration is possible using <command>nix
+  repl</command>, a read-eval-print loop for Nix expressions. A typical use:
 <screen>
 $ nix repl '&lt;nixpkgs/nixos>'

@@ -127,11 +126,10 @@ nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHo
 </para>

 <para>
-   While abstracting your configuration, you may find it useful to generate
-   modules using code, instead of writing files. The example
-   below would have the same effect as importing a file which sets those
-   options.
-   <screen>
+  While abstracting your configuration, you may find it useful to generate
+  modules using code, instead of writing files. The example below would have
+  the same effect as importing a file which sets those options.
+<screen>
     { config, pkgs, ... }:

     let netConfig = { hostName }: {
@@ -143,5 +141,5 @@ nix-repl> map (x: x.hostName) config.<xref linkend="opt-services.httpd.virtualHo

    { imports = [ (netConfig "nixos.localdomain") ]; }
  </screen>
-</para>
+ </para>
 </section>
--- a/nixos/doc/manual/configuration/profiles.xml
+++ b/nixos/doc/manual/configuration/profiles.xml
@@ -12,14 +12,14 @@
  That is to say, expected usage is to add them to the imports list of your
  <filename>/etc/configuration.nix</filename> as such:
 </para>
- <programlisting>
+<programlisting>
  imports = [
   &lt;nixpkgs/nixos/modules/profiles/profile-name.nix&gt;
  ];
 </programlisting>
 <para>
-  Even if some of these profiles seem only useful in the context of
-  install media, many are actually intended to be used in real installs.
+  Even if some of these profiles seem only useful in the context of install
+  media, many are actually intended to be used in real installs.
 </para>
 <para>
  What follows is a brief explanation on the purpose and use-case for each
--- a/nixos/doc/manual/configuration/profiles/all-hardware.xml
+++ b/nixos/doc/manual/configuration/profiles/all-hardware.xml
@@ -1,15 +1,16 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-all-hardware">
 <title>All Hardware</title>
+
 <para>
-  Enables all hardware supported by NixOS: i.e., all firmware is
-  included, and all devices from which one may boot are enabled in the initrd.
-  Its primary use is in the NixOS installation CDs.
+  Enables all hardware supported by NixOS: i.e., all firmware is included, and
+  all devices from which one may boot are enabled in the initrd. Its primary
+  use is in the NixOS installation CDs.
 </para>
+
 <para>
  The enabled kernel modules include support for SATA and PATA, SCSI
  (partially), USB, Firewire (untested), Virtio (QEMU, KVM, etc.), VMware, and
--- a/nixos/doc/manual/configuration/profiles/base.xml
+++ b/nixos/doc/manual/configuration/profiles/base.xml
@@ -1,15 +1,15 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-base">
 <title>Base</title>
+
 <para>
-  Defines the software packages included in the "minimal"
-  installation CD. It installs several utilities useful in a simple recovery or
-  install media, such as a text-mode web browser, and tools for manipulating
-  block devices, networking, hardware diagnostics, and filesystems (with their
-  respective kernel modules).
+  Defines the software packages included in the "minimal" installation CD. It
+  installs several utilities useful in a simple recovery or install media, such
+  as a text-mode web browser, and tools for manipulating block devices,
+  networking, hardware diagnostics, and filesystems (with their respective
+  kernel modules).
 </para>
 </section>
--- a/nixos/doc/manual/configuration/profiles/clone-config.xml
+++ b/nixos/doc/manual/configuration/profiles/clone-config.xml
@@ -1,14 +1,14 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-clone-config">
 <title>Clone Config</title>
+
 <para>
-  This profile is used in installer images.
-  It provides an editable configuration.nix that imports all the modules that
-  were also used when creating the image in the first place.
-  As a result it allows users to edit and rebuild the live-system.
+  This profile is used in installer images. It provides an editable
+  configuration.nix that imports all the modules that were also used when
+  creating the image in the first place. As a result it allows users to edit
+  and rebuild the live-system.
 </para>
 </section>
--- a/nixos/doc/manual/configuration/profiles/demo.xml
+++ b/nixos/doc/manual/configuration/profiles/demo.xml
@@ -1,13 +1,15 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-demo">
 <title>Demo</title>
+
 <para>
-  This profile just enables a <systemitem class="username">demo</systemitem> user, with password <literal>demo</literal>, uid <literal>1000</literal>, <systemitem class="groupname">wheel</systemitem>
-  group and <link linkend="opt-services.xserver.displayManager.sddm.autoLogin">
-   autologin in the SDDM display manager</link>.
+  This profile just enables a <systemitem class="username">demo</systemitem>
+  user, with password <literal>demo</literal>, uid <literal>1000</literal>,
+  <systemitem class="groupname">wheel</systemitem> group and
+  <link linkend="opt-services.xserver.displayManager.sddm.autoLogin"> autologin
+  in the SDDM display manager</link>.
 </para>
 </section>
--- a/nixos/doc/manual/configuration/profiles/docker-container.xml
+++ b/nixos/doc/manual/configuration/profiles/docker-container.xml
@@ -1,15 +1,16 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-docker-container">
 <title>Docker Container</title>
+
 <para>
  This is the profile from which the Docker images are generated. It prepares a
-  working system by importing the <link linkend="sec-profile-minimal">Minimal</link> and
-  <link linkend="sec-profile-clone-config">Clone Config</link> profiles, and setting appropriate
-  configuration options that are useful inside a container context, like
-  <xref linkend="opt-boot.isContainer"/>.
+  working system by importing the
+  <link linkend="sec-profile-minimal">Minimal</link> and
+  <link linkend="sec-profile-clone-config">Clone Config</link> profiles, and
+  setting appropriate configuration options that are useful inside a container
+  context, like <xref linkend="opt-boot.isContainer"/>.
 </para>
 </section>
--- a/nixos/doc/manual/configuration/profiles/graphical.xml
+++ b/nixos/doc/manual/configuration/profiles/graphical.xml
@@ -1,20 +1,21 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-graphical">
 <title>Graphical</title>
+
 <para>
  Defines a NixOS configuration with the Plasma 5 desktop. It's used by the
  graphical installation CD.
 </para>
+
 <para>
  It sets <xref linkend="opt-services.xserver.enable"/>,
  <xref linkend="opt-services.xserver.displayManager.sddm.enable"/>,
  <xref linkend="opt-services.xserver.desktopManager.plasma5.enable"/> (
  <link linkend="opt-services.xserver.desktopManager.plasma5.enableQt4Support">
-   without Qt4 Support</link>), and
+  without Qt4 Support</link>), and
  <xref linkend="opt-services.xserver.libinput.enable"/> to true. It also
  includes glxinfo and firefox in the system packages list.
 </para>
--- a/nixos/doc/manual/configuration/profiles/hardened.xml
+++ b/nixos/doc/manual/configuration/profiles/hardened.xml
@@ -1,22 +1,24 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-hardened">
 <title>Hardened</title>
+
 <para>
  A profile with most (vanilla) hardening options enabled by default,
  potentially at the cost of features and performance.
 </para>
+
 <para>
  This includes a hardened kernel, and limiting the system information
  available to processes through the <filename>/sys</filename> and
  <filename>/proc</filename> filesystems. It also disables the User Namespaces
  feature of the kernel, which stops Nix from being able to build anything
  (this particular setting can be overriden via
-  <xref linkend="opt-security.allowUserNamespaces"/>). See the <literal
+  <xref linkend="opt-security.allowUserNamespaces"/>). See the
+  <literal
   xlink:href="https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix">
-   profile source</literal> for further detail on which settings are altered.
+  profile source</literal> for further detail on which settings are altered.
 </para>
 </section>
--- a/nixos/doc/manual/configuration/profiles/headless.xml
+++ b/nixos/doc/manual/configuration/profiles/headless.xml
@@ -1,18 +1,19 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-headless">
 <title>Headless</title>
+
 <para>
  Common configuration for headless machines (e.g., Amazon EC2 instances).
 </para>
+
 <para>
  Disables <link linkend="opt-sound.enable">sound</link>,
  <link linkend="opt-boot.vesa">vesa</link>, serial consoles,
  <link linkend="opt-systemd.enableEmergencyMode">emergency mode</link>,
-  <link linkend="opt-boot.loader.grub.splashImage">grub splash images</link> and
-  configures the kernel to reboot automatically on panic.
+  <link linkend="opt-boot.loader.grub.splashImage">grub splash images</link>
+  and configures the kernel to reboot automatically on panic.
 </para>
 </section>
--- a/nixos/doc/manual/configuration/profiles/installation-device.xml
+++ b/nixos/doc/manual/configuration/profiles/installation-device.xml
@@ -1,31 +1,34 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-installation-device">
 <title>Installation Device</title>
+
 <para>
  Provides a basic configuration for installation devices like CDs. This means
  enabling hardware scans, using the <link linkend="sec-profile-clone-config">
-   Clone Config profile</link> to guarantee
+  Clone Config profile</link> to guarantee
  <filename>/etc/nixos/configuration.nix</filename> exists (for
  <command>nixos-rebuild</command> to work), a copy of the Nixpkgs channel
  snapshot used to create the install media.
 </para>
+
 <para>
  Additionally, documentation for <link linkend="opt-documentation.enable">
-   Nixpkgs</link> and <link linkend="opt-documentation.nixos.enable">NixOS
-   </link> are forcefully enabled (to override the
-   <link linkend="sec-profile-minimal">Minimal profile</link> preference); the
-   NixOS manual is shown automatically on TTY 8, sudo and udisks are disabled.
-   Autologin is enabled as root.
+  Nixpkgs</link> and <link linkend="opt-documentation.nixos.enable">NixOS
+  </link> are forcefully enabled (to override the
+  <link linkend="sec-profile-minimal">Minimal profile</link> preference); the
+  NixOS manual is shown automatically on TTY 8, sudo and udisks are disabled.
+  Autologin is enabled as root.
 </para>
+
 <para>
-  A message is shown to the user to start a display manager if needed,
-  ssh with <xref linkend="opt-services.openssh.permitRootLogin"/> are enabled (but
+  A message is shown to the user to start a display manager if needed, ssh with
+  <xref linkend="opt-services.openssh.permitRootLogin"/> are enabled (but
  doesn't autostart). WPA Supplicant is also enabled without autostart.
 </para>
+
 <para>
  Finally, vim is installed, root is set to not have a password, the kernel is
  made more silent for remote public IP installs, and several settings are
--- a/nixos/doc/manual/configuration/profiles/minimal.xml
+++ b/nixos/doc/manual/configuration/profiles/minimal.xml
@@ -1,16 +1,16 @@
-
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-profile-minimal">
 <title>Minimal</title>
+
 <para>
  This profile defines a small NixOS configuration. It does not contain any
  graphical stuff. It's a very short file that enables
  <link linkend="opt-environment.noXlibs">noXlibs</link>, sets
-  <link linkend="opt-i18n.supportedLocales">i18n.supportedLocales</link>
-  to only support the user-selected locale,
+  <link linkend="opt-i18n.supportedLocales">i18n.supportedLocales</link> to
+  only support the user-selected locale,
  <link linkend="opt-documentation.enable">disables packages' documentation
  </link>, and <link linkend="opt-sound.enable">disables sound</link>.
 </para>
--- a/nixos/doc/manual/configuration/profiles/qemu-guest.xml
+++ b/nixos/doc/manual/configuration/profiles/qemu-guest.xml
@@ -4,10 +4,12 @@
         version="5.0"
         xml:id="sec-profile-qemu-guest">
 <title>QEMU Guest</title>
+
 <para>
  This profile contains common configuration for virtual machines running under
  QEMU (using virtio).
 </para>
+
 <para>
  It makes virtio modules available on the initrd, sets the system time from
  the hardware clock to work around a bug in qemu-kvm, and
--- a/nixos/doc/manual/configuration/wireless.xml
+++ b/nixos/doc/manual/configuration/wireless.xml
@@ -28,11 +28,9 @@
  Be aware that keys will be written to the nix store in plaintext! When no
  networks are set, it will default to using a configuration file at
  <literal>/etc/wpa_supplicant.conf</literal>. You should edit this file
-  yourself to define wireless networks, WPA keys and so on (see
-  <citerefentry>
-    <refentrytitle>wpa_supplicant.conf</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </citerefentry>).
+  yourself to define wireless networks, WPA keys and so on (see <citerefentry>
+  <refentrytitle>wpa_supplicant.conf</refentrytitle>
+  <manvolnum>5</manvolnum> </citerefentry>).
 </para>

 <para>
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@@ -35,8 +35,8 @@
 </para>
 <para>
  NixOS’s default <emphasis>display manager</emphasis> (the program that
-  provides a graphical login prompt and manages the X server) is LightDM. You can
-  select an alternative one by picking one of the following lines:
+  provides a graphical login prompt and manages the X server) is LightDM. You
+  can select an alternative one by picking one of the following lines:
 <programlisting>
 <xref linkend="opt-services.xserver.displayManager.sddm.enable"/> = true;
 <xref linkend="opt-services.xserver.displayManager.slim.enable"/> = true;
@@ -59,9 +59,16 @@
 <screen>
 # systemctl start display-manager.service
 </screen>
+ </para>
+ <para>
+  On 64-bit systems, if you want OpenGL for 32-bit programs such as in Wine,
+  you should also set the following:
+<programlisting>
+<xref linkend="opt-hardware.opengl.driSupport32Bit"/> = true;
+</programlisting>
 </para>
 <simplesect xml:id="sec-x11-graphics-cards-nvidia">
-  <title>NVIDIA Graphics Cards</title>
+  <title>Proprietary NVIDIA drivers</title>
  <para>
   NVIDIA provides a proprietary driver for its graphics cards that has better
   3D performance than the X.org drivers. It is not enabled by default because
@@ -71,6 +78,7 @@
 </programlisting>
   Or if you have an older card, you may have to use one of the legacy drivers:
 <programlisting>
+<xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy390" ];
 <xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy340" ];
 <xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy304" ];
 <xref linkend="opt-services.xserver.videoDrivers"/> = [ "nvidiaLegacy173" ];
@@ -78,16 +86,9 @@
   You may need to reboot after enabling this driver to prevent a clash with
   other kernel modules.
  </para>
-  <para>
-   On 64-bit systems, if you want full acceleration for 32-bit programs such as
-   Wine, you should also set the following:
-<programlisting>
-<xref linkend="opt-hardware.opengl.driSupport32Bit"/> = true;
-</programlisting>
-  </para>
 </simplesect>
 <simplesect xml:id="sec-x11--graphics-cards-amd">
-  <title>AMD Graphics Cards</title>
+  <title>Proprietary AMD drivers</title>
  <para>
   AMD provides a proprietary driver for its graphics cards that has better 3D
   performance than the X.org drivers. It is not enabled by default because
@@ -99,11 +100,8 @@
   other kernel modules.
  </para>
  <para>
-   On 64-bit systems, if you want full acceleration for 32-bit programs such as
-   Wine, you should also set the following:
-<programlisting>
-<xref linkend="opt-hardware.opengl.driSupport32Bit"/> = true;
-</programlisting>
+   Note: for recent AMD GPUs you most likely want to keep either the defaults
+   or <literal>"amdgpu"</literal> (both free).
  </para>
 </simplesect>
 <simplesect xml:id="sec-x11-touchpads">
--- a/nixos/doc/manual/installation/installing-virtualbox-guest.xml
+++ b/nixos/doc/manual/installation/installing-virtualbox-guest.xml
@@ -77,10 +77,10 @@
  Shared folders can be given a name and a path in the host system in the
  VirtualBox settings (Machine / Settings / Shared Folders, then click on the
  "Add" icon). Add the following to the
-  <literal>/etc/nixos/configuration.nix</literal> to auto-mount them. If you 
-   do not add <literal>"nofail"</literal>, the system will no boot properly. 
-   The same goes for disabling <literal>rngd</literal> which is normally used 
-   to get randomness but this does not work in virtual machines.
+  <literal>/etc/nixos/configuration.nix</literal> to auto-mount them. If you do
+  not add <literal>"nofail"</literal>, the system will no boot properly. The
+  same goes for disabling <literal>rngd</literal> which is normally used to get
+  randomness but this does not work in virtual machines.
 </para>

 <programlisting>
--- a/nixos/doc/manual/man-nixos-generate-config.xml
+++ b/nixos/doc/manual/man-nixos-generate-config.xml
@@ -13,18 +13,18 @@
 </refnamediv>
 <refsynopsisdiv>
  <cmdsynopsis>
-   <command>nixos-generate-config</command>
+   <command>nixos-generate-config</command> 
   <arg>
    <option>--force</option>
   </arg>
-
+    
   <arg>
    <arg choice='plain'>
     <option>--root</option>
    </arg>
     <replaceable>root</replaceable>
   </arg>
-
+    
   <arg>
    <arg choice='plain'>
     <option>--dir</option>
--- a/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixos/doc/manual/man-nixos-rebuild.xml
@@ -13,35 +13,39 @@
 </refnamediv>
 <refsynopsisdiv>
  <cmdsynopsis>
-   <command>nixos-rebuild</command><group choice='req'>
+   <command>nixos-rebuild</command><group choice='req'> 
   <arg choice='plain'>
    <option>switch</option>
   </arg>
-
+    
   <arg choice='plain'>
    <option>boot</option>
   </arg>
-
+    
   <arg choice='plain'>
    <option>test</option>
   </arg>
-
+    
   <arg choice='plain'>
    <option>build</option>
   </arg>
-
+    
   <arg choice='plain'>
    <option>dry-build</option>
   </arg>
-
+    
   <arg choice='plain'>
    <option>dry-activate</option>
   </arg>
-
+    
+   <arg choice='plain'>
+    <option>edit</option>
+   </arg>
+    
   <arg choice='plain'>
    <option>build-vm</option>
   </arg>
-
+    
   <arg choice='plain'>
    <option>build-vm-with-bootloader</option>
   </arg>
@@ -50,33 +54,33 @@
   <arg>
    <option>--upgrade</option>
   </arg>
-
+    
   <arg>
    <option>--install-bootloader</option>
   </arg>
-
+    
   <arg>
    <option>--no-build-nix</option>
   </arg>
-
+    
   <arg>
    <option>--fast</option>
   </arg>
-
+    
   <arg>
    <option>--rollback</option>
   </arg>
+    
   <arg>
-     <option>--builders</option>
-     <replaceable>builder-spec</replaceable>
+    <option>--builders</option> <replaceable>builder-spec</replaceable>
   </arg>
   <sbr />
   <arg>
-    <group choice='req'>
+    <group choice='req'> 
    <arg choice='plain'>
     <option>--profile-name</option>
    </arg>
-
+     
    <arg choice='plain'>
     <option>-p</option>
    </arg>
@@ -188,6 +192,16 @@ $ nix-build /path/to/nixpkgs/nixos -A system
      </para>
     </listitem>
    </varlistentry>
+    <varlistentry>
+     <term>
+      <option>edit</option>
+     </term>
+     <listitem>
+      <para>
+       Opens <filename>configuration.nix</filename> in the default editor.
+      </para>
+     </listitem>
+    </varlistentry>
    <varlistentry>
     <term>
      <option>build-vm</option>
@@ -320,25 +334,23 @@ $ ./result/bin/run-*-vm
    </listitem>
   </varlistentry>
   <varlistentry>
-     <term>
-       <option>--builders</option>
-       <replaceable>builder-spec</replaceable>
-     </term>
-     <listitem>
-       <para>
-         Allow ad-hoc remote builders for building the new system.
-         This requires the user executing <command>nixos-rebuild</command> (usually
-         root) to be configured as a trusted user in the Nix daemon. This can be
-         achieved by using the <literal>nix.trustedUsers</literal> NixOS option.
-         Examples values for that option are described in the
-		 <literal>Remote builds chapter</literal> in the Nix manual,
-         (i.e. <command>--builders "ssh://bigbrother x86_64-linux"</command>).
-         By specifying an empty string existing builders specified in
-         <filename>/etc/nix/machines</filename> can be ignored:
-         <command>--builders ""</command> for example when they are not
-         reachable due to network connectivity.
-       </para>
-     </listitem>
+    <term>
+     <option>--builders</option> <replaceable>builder-spec</replaceable>
+    </term>
+    <listitem>
+     <para>
+      Allow ad-hoc remote builders for building the new system. This requires
+      the user executing <command>nixos-rebuild</command> (usually root) to be
+      configured as a trusted user in the Nix daemon. This can be achieved by
+      using the <literal>nix.trustedUsers</literal> NixOS option. Examples
+      values for that option are described in the <literal>Remote builds
+      chapter</literal> in the Nix manual, (i.e. <command>--builders
+      "ssh://bigbrother x86_64-linux"</command>). By specifying an empty string
+      existing builders specified in <filename>/etc/nix/machines</filename> can
+      be ignored: <command>--builders ""</command> for example when they are
+      not reachable due to network connectivity.
+     </para>
+    </listitem>
   </varlistentry>
   <varlistentry>
    <term>
--- a/nixos/doc/manual/release-notes/rl-1809.xml
+++ b/nixos/doc/manual/release-notes/rl-1809.xml
@@ -639,7 +639,8 @@ $ nix-instantiate -E '(import &lt;nixpkgsunstable&gt; {}).gitFull'
   </listitem>
   <listitem>
    <para>
-        Groups <literal>kvm</literal> and <literal>render</literal> are introduced now, as systemd requires them.
+     Groups <literal>kvm</literal> and <literal>render</literal> are introduced
+     now, as systemd requires them.
    </para>
   </listitem>
  </itemizedlist>
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -20,25 +20,27 @@
  <itemizedlist>
   <listitem>
    <para>
-    The default Python 3 interpreter is now CPython 3.7 instead of CPython 3.6.
+     The default Python 3 interpreter is now CPython 3.7 instead of CPython
+     3.6.
    </para>
   </listitem>
   <listitem>
    <para>
-     Added the Pantheon desktop environment.
-     It can be enabled through <varname>services.xserver.desktopManager.pantheon.enable</varname>.
+     Added the Pantheon desktop environment. It can be enabled through
+     <varname>services.xserver.desktopManager.pantheon.enable</varname>.
    </para>
    <note>
     <para>
-      <varname>services.xserver.desktopManager.pantheon</varname> default enables lightdm
-      as a display manager and using Pantheon's greeter.
+      <varname>services.xserver.desktopManager.pantheon</varname> default
+      enables lightdm as a display manager and using Pantheon's greeter.
     </para>
     <para>
-      This is because of limitations with the screenlocking implementation, whereas the
-      screenlocker would be non-functional without it.
+      This is because of limitations with the screenlocking implementation,
+      whereas the screenlocker would be non-functional without it.
     </para>
     <para>
-      Because of that it is recommended to retain this precaution, however if you'd like to change this set:
+      Because of that it is recommended to retain this precaution, however if
+      you'd like to change this set:
     </para>
     <itemizedlist>
      <listitem>
@@ -52,16 +54,38 @@
       </para>
      </listitem>
     </itemizedlist>
-     <para>to <literal>false</literal> and enable your preferred display manager.</para>
+     <para>
+      to <literal>false</literal> and enable your preferred display manager.
+     </para>
    </note>
   </listitem>
+   <listitem>
+    <para>
+     A major refactoring of the Kubernetes module has been completed.
+     Refactorings primarily focus on decoupling components and enhancing
+     security. Two-way TLS and RBAC has been enabled by default for all
+     components, which slightly changes the way the module is configured. See:
+     <xref linkend="sec-kubernetes"/> for details.
+    </para>
+   </listitem>
   <listitem>
     <para>
-       A major refactoring of the Kubernetes module has been completed.
-       Refactorings primarily focus on decoupling components and enhancing
-       security. Two-way TLS and RBAC has been enabled by default for all
-       components, which slightly changes the way the module is configured.
-       See: <xref linkend="sec-kubernetes"/> for details.
+       There is now a set of <option>confinement</option> options for
+       <option>systemd.services</option>, which allows to restrict services
+       into a <citerefentry>
+        <refentrytitle>chroot</refentrytitle>
+        <manvolnum>2</manvolnum>
+      </citerefentry>ed environment that only contains the store paths from
+      the runtime closure of the service.
+     </para>
+   </listitem>
+   <listitem>
+     <para>
+       A UEFI installer image for Aarch64 is now
+       <link xlink:href="https://hydra.nixos.org/job/nixos/release-19.03/nixos.iso_minimal.aarch64-linux/latest">
+         built by Hydra</link>.
+       It should work on all devices with a UEFI implementation
+       such as upstream u-boot.
     </para>
   </listitem>
  </itemizedlist>
@@ -71,57 +95,80 @@
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
-         xml:id="sec-release-19.03-new-services">
-  <title>New Services</title>
-
+         xml:id="sec-release-19.03-new-modules">
+  <title>New Modules</title>
  <para>
-   The following new services were added since the last release:
+   The following new modules were added since the last release:
  </para>

  <itemizedlist>
   <listitem>
-    <para>
-     <literal>./programs/nm-applet.nix</literal>
-    </para>
-   </listitem>
-   <listitem>
+    <para><filename>security/google_oslogin.nix</filename></para>
    <para>
     There is a new <varname>security.googleOsLogin</varname> module for using
-     <link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS Login</link>
-     to manage SSH access to Google Compute Engine instances, which supersedes
-     the imperative and broken <literal>google-accounts-daemon</literal> used
-     in <literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
-    </para>
-   </listitem>
-   <listitem>
-    <para>
-     <literal>./services/misc/beanstalkd.nix</literal>
+     <link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS
+     Login</link> to manage SSH access to Google Compute Engine instances,
+     which supersedes the imperative and broken
+     <literal>google-accounts-daemon</literal> used in
+     <literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
    </para>
   </listitem>
+
   <listitem>
+    <para><filename>services/misc/beanstalkd.nix</filename></para>
    <para>
     There is a new <varname>services.cockroachdb</varname> module for running
-     CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well, available
-     on <literal>x86_64-linux</literal> and <literal>aarch64-linux</literal>.
+     CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well,
+     available on <literal>x86_64-linux</literal> and
+     <literal>aarch64-linux</literal>.
    </para>
   </listitem>
-  </itemizedlist>

-  <itemizedlist>
   <listitem>
    <para>
-      <literal>./security/duosec.nix</literal>
+     <filename>security/duosec.nix</filename>
    </para>
-   </listitem>
-   <listitem>
    <para>
     The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo
-     Security</link> has been enabled for use.  One can configure it using
-     the <option>security.duosec</option> options along with the
-     corresponding PAM option in
+     Security</link> has been enabled for use. One can configure it using the
+     <option>security.duosec</option> options along with the corresponding PAM
+     option in
     <option>security.pam.services.&lt;name?&gt;.duoSecurity.enable</option>.
    </para>
   </listitem>
+   <listitem><para><filename>config/appstream.nix</filename></para></listitem>
+   <listitem><para><filename>config/xdg/sounds.nix</filename></para></listitem>
+   <listitem><para><filename>hardware/acpilight.nix</filename></para></listitem>
+   <listitem><para><filename>hardware/ledger.nix</filename></para></listitem>
+   <listitem><para><filename>programs/dmrconfig.nix</filename></para></listitem>
+   <listitem><para><filename>programs/iotop.nix</filename></para></listitem>
+   <listitem><para><filename>programs/mininet.nix</filename></para></listitem>
+   <listitem><para><filename>programs/nm-applet.nix</filename></para></listitem>
+   <listitem><para><filename>programs/wavemon.nix</filename></para></listitem>
+   <listitem><para><filename>security/google_oslogin.nix</filename></para></listitem>
+   <listitem><para><filename>security/misc.nix</filename></para></listitem>
+   <listitem><para><filename>services/desktops/gnome3/rygel.nix</filename></para></listitem>
+   <listitem><para><filename>services/desktops/gsignond.nix</filename></para></listitem>
+   <listitem><para><filename>services/hardware/bolt.nix</filename></para></listitem>
+   <listitem><para><filename>services/hardware/lirc.nix</filename></para></listitem>
+   <listitem><para><filename>services/hardware/ratbagd.nix</filename></para></listitem>
+   <listitem><para><filename>services/hardware/triggerhappy.nix</filename></para></listitem>
+   <listitem><para><filename>services/hardware/vdr.nix</filename></para></listitem>
+   <listitem><para><filename>services/mail/davmail.nix</filename></para></listitem>
+   <listitem><para><filename>services/mail/roundcube.nix</filename></para></listitem>
+   <listitem><para><filename>services/mail/rss2email.nix</filename></para></listitem>
+   <listitem><para><filename>services/misc/beanstalkd.nix</filename></para></listitem>
+   <listitem><para><filename>services/misc/bees.nix</filename></para></listitem>
+   <listitem><para><filename>services/misc/headphones.nix</filename></para></listitem>
+   <listitem><para><filename>services/misc/lidarr.nix</filename></para></listitem>
+   <listitem><para><filename>services/misc/sickbeard.nix</filename></para></listitem>
+   <listitem><para><filename>services/misc/weechat.nix</filename></para></listitem>
+   <listitem><para><filename>services/misc/zoneminder.nix</filename></para></listitem>
+   <listitem><para><filename>services/monitoring/alerta.nix</filename></para></listitem>
+   <listitem><para><filename>services/monitoring/kapacitor.nix</filename></para></listitem>
+   <listitem><para><filename>services/networking/iperf3.nix</filename></para></listitem>
+   <listitem><para><filename>services/networking/knot.nix</filename></para></listitem>
+
  </itemizedlist>
 </section>

@@ -184,22 +231,37 @@
   </listitem>
   <listitem>
    <para>
-      The Syncthing state and configuration data has been moved from
-      <varname>services.syncthing.dataDir</varname> to the newly defined
-      <varname>services.syncthing.configDir</varname>, which default to
-      <literal>/var/lib/syncthing/.config/syncthing</literal>.
-      This change makes possible to share synced directories using ACLs
-      without Syncthing resetting the permission on every start.
+     The <varname>buildPythonPackage</varname> function now sets
+     <varname>strictDeps = true</varname> to help distinguish between native
+     and non-native dependencies in order to improve cross-compilation
+     compatibility. Note however that this may break user expressions.
    </para>
   </listitem>
   <listitem>
    <para>
-      The <literal>ntp</literal> module now has sane default restrictions.
-      If you're relying on the previous defaults, which permitted all queries
-      and commands from all firewall-permitted sources, you can set
-      <varname>services.ntp.restrictDefault</varname> and
-      <varname>services.ntp.restrictSource</varname> to
-      <literal>[]</literal>.
+     The <varname>buildPythonPackage</varname> function now sets <varname>LANG
+     = C.UTF-8</varname> to enable Unicode support. The
+     <varname>glibcLocales</varname> package is no longer needed as a build
+     input.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The Syncthing state and configuration data has been moved from
+     <varname>services.syncthing.dataDir</varname> to the newly defined
+     <varname>services.syncthing.configDir</varname>, which default to
+     <literal>/var/lib/syncthing/.config/syncthing</literal>. This change makes
+     possible to share synced directories using ACLs without Syncthing
+     resetting the permission on every start.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>ntp</literal> module now has sane default restrictions. If
+     you're relying on the previous defaults, which permitted all queries and
+     commands from all firewall-permitted sources, you can set
+     <varname>services.ntp.restrictDefault</varname> and
+     <varname>services.ntp.restrictSource</varname> to <literal>[]</literal>.
    </para>
   </listitem>
   <listitem>
@@ -227,17 +289,21 @@
   </listitem>
   <listitem>
    <para>
-      Options
-      <literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.userName</literal> and
-      <literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.modulePackages</literal>
-      were removed. They were never used for anything and can therefore safely be removed.
+     Options
+     <literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.userName</literal>
+     and
+     <literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.modulePackages</literal>
+     were removed. They were never used for anything and can therefore safely
+     be removed.
    </para>
   </listitem>
   <listitem>
    <para>
-     Package <literal>wasm</literal> has been renamed <literal>proglodyte-wasm</literal>. The package
-     <literal>wasm</literal> will be pointed to <literal>ocamlPackages.wasm</literal> in 19.09, so
-     make sure to update your configuration if you want to keep <literal>proglodyte-wasm</literal>
+     Package <literal>wasm</literal> has been renamed
+     <literal>proglodyte-wasm</literal>. The package <literal>wasm</literal>
+     will be pointed to <literal>ocamlPackages.wasm</literal> in 19.09, so make
+     sure to update your configuration if you want to keep
+     <literal>proglodyte-wasm</literal>
    </para>
   </listitem>
   <listitem>
@@ -259,43 +325,47 @@
   <listitem>
    <para>
     The versioned <varname>postgresql</varname> have been renamed to use
-     underscore number seperators. For example, <varname>postgresql96</varname>
+     underscore number separators. For example, <varname>postgresql96</varname>
     has been renamed to <varname>postgresql_9_6</varname>.
    </para>
   </listitem>
   <listitem>
    <para>
-     Package <literal>consul-ui</literal> and passthrough <literal>consul.ui</literal> have been removed.
-     The package <literal>consul</literal> now uses upstream releases that vendor the UI into the binary.
-     See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link>
+     Package <literal>consul-ui</literal> and passthrough
+     <literal>consul.ui</literal> have been removed. The package
+     <literal>consul</literal> now uses upstream releases that vendor the UI
+     into the binary. See
+     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link>
     for details.
    </para>
   </listitem>
   <listitem>
    <para>
-      Slurm introduces the new option
-      <literal>services.slurm.stateSaveLocation</literal>,
-      which is now set to <literal>/var/spool/slurm</literal> by default
-      (instead of <literal>/var/spool</literal>).
-      Make sure to move all files to the new directory or to set the option accordingly.
+     Slurm introduces the new option
+     <literal>services.slurm.stateSaveLocation</literal>, which is now set to
+     <literal>/var/spool/slurm</literal> by default (instead of
+     <literal>/var/spool</literal>). Make sure to move all files to the new
+     directory or to set the option accordingly.
    </para>
    <para>
-      The slurmctld now runs as user <literal>slurm</literal> instead of <literal>root</literal>.
-      If you want to keep slurmctld running as <literal>root</literal>, set
-      <literal>services.slurm.user = root</literal>.
+     The slurmctld now runs as user <literal>slurm</literal> instead of
+     <literal>root</literal>. If you want to keep slurmctld running as
+     <literal>root</literal>, set <literal>services.slurm.user =
+     root</literal>.
    </para>
    <para>
-      The options <literal>services.slurm.nodeName</literal> and
-      <literal>services.slurm.partitionName</literal> are now sets of
-      strings to correctly reflect that fact that each of these
-      options can occour more than once in the configuration.
+     The options <literal>services.slurm.nodeName</literal> and
+     <literal>services.slurm.partitionName</literal> are now sets of strings to
+     correctly reflect that fact that each of these options can occour more
+     than once in the configuration.
    </para>
   </listitem>
   <listitem>
    <para>
-      The <literal>solr</literal> package has been upgraded from 4.10.3 to 7.5.0 and has undergone
-      some major changes. The <literal>services.solr</literal> module has been updated to reflect
-      these changes. Please review http://lucene.apache.org/solr/ carefully before upgrading.
+     The <literal>solr</literal> package has been upgraded from 4.10.3 to 7.5.0
+     and has undergone some major changes. The <literal>services.solr</literal>
+     module has been updated to reflect these changes. Please review
+     http://lucene.apache.org/solr/ carefully before upgrading.
    </para>
   </listitem>
   <listitem>
@@ -307,46 +377,49 @@
   </listitem>
   <listitem>
    <para>
-     The option <literal>services.xserver.displayManager.job.logToFile</literal> which was
+     The option
+     <literal>services.xserver.displayManager.job.logToFile</literal> which was
     previously set to <literal>true</literal> when using the display managers
-     <literal>lightdm</literal>, <literal>sddm</literal> or <literal>xpra</literal> has been
-     reset to the default value (<literal>false</literal>).
+     <literal>lightdm</literal>, <literal>sddm</literal> or
+     <literal>xpra</literal> has been reset to the default value
+     (<literal>false</literal>).
    </para>
   </listitem>
   <listitem>
    <para>
     Network interface indiscriminate NixOS firewall options
-     (<literal>networking.firewall.allow*</literal>) are now preserved when also
-     setting interface specific rules such as <literal>networking.firewall.interfaces.en0.allow*</literal>.
-     These rules continue to use the pseudo device "default"
-     (<literal>networking.firewall.interfaces.default.*</literal>), and assigning
-     to this pseudo device will override the (<literal>networking.firewall.allow*</literal>)
-     options.
-   </para>
-  </listitem>
-  <listitem>
-   <para>
+     (<literal>networking.firewall.allow*</literal>) are now preserved when
+     also setting interface specific rules such as
+     <literal>networking.firewall.interfaces.en0.allow*</literal>. These rules
+     continue to use the pseudo device "default"
+     (<literal>networking.firewall.interfaces.default.*</literal>), and
+     assigning to this pseudo device will override the
+     (<literal>networking.firewall.allow*</literal>) options.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
     The <literal>nscd</literal> service now disables all caching of
     <literal>passwd</literal> and <literal>group</literal> databases by
     default. This was interferring with the correct functioning of the
     <literal>libnss_systemd.so</literal> module which is used by
     <literal>systemd</literal> to manage uids and usernames in the presence of
-     <literal>DynamicUser=</literal> in systemd services.  This was already the
+     <literal>DynamicUser=</literal> in systemd services. This was already the
     default behaviour in presence of <literal>services.sssd.enable =
-       true</literal> because nscd caching would interfere with
-     <literal>sssd</literal> in unpredictable ways as well.  Because we're
-     using nscd not for caching, but for convincing glibc to find NSS modules
-     in the nix store instead of an absolute path, we have decided to disable
-     caching globally now, as it's usually not the behaviour the user wants and
-     can lead to surprising behaviour.  Furthermore, negative caching of host
+     true</literal> because nscd caching would interfere with
+     <literal>sssd</literal> in unpredictable ways as well. Because we're using
+     nscd not for caching, but for convincing glibc to find NSS modules in the
+     nix store instead of an absolute path, we have decided to disable caching
+     globally now, as it's usually not the behaviour the user wants and can
+     lead to surprising behaviour. Furthermore, negative caching of host
     lookups is also disabled now by default. This should fix the issue of dns
     lookups failing in the presence of an unreliable network.
-   </para>
-   <para>
-     If the old behaviour is desired, this can be restored by setting
-     the <literal>services.nscd.config</literal> option
-     with the desired caching parameters.
-     <programlisting>
+    </para>
+    <para>
+     If the old behaviour is desired, this can be restored by setting the
+     <literal>services.nscd.config</literal> option with the desired caching
+     parameters.
+<programlisting>
     services.nscd.config =
     ''
     server-user             nscd
@@ -379,92 +452,125 @@
     shared                  hosts           yes
     '';
     </programlisting>
-     See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
+     See
+     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
     for details.
-   </para>
-  </listitem>
-  <listitem>
-   <para>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
     GitLab Shell previously used the nix store paths for the
     <literal>gitlab-shell</literal> command in its
     <literal>authorized_keys</literal> file, which might stop working after
     garbage collection. To circumvent that, we regenerated that file on each
-     startup.  As <literal>gitlab-shell</literal> has now been changed to use
+     startup. As <literal>gitlab-shell</literal> has now been changed to use
     <literal>/var/run/current-system/sw/bin/gitlab-shell</literal>, this is
     not necessary anymore, but there might be leftover lines with a nix store
     path. Regenerate the <literal>authorized_keys</literal> file via
     <command>sudo -u git -H gitlab-rake gitlab:shell:setup</command> in that
     case.
-   </para>
-  </listitem>
-  <listitem>
-   <para>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
     The <literal>pam_unix</literal> account module is now loaded with its
     control field set to <literal>required</literal> instead of
     <literal>sufficient</literal>, so that later PAM account modules that
-     might do more extensive checks are being executed.
-     Previously, the whole account module verification was exited prematurely
-     in case a nss module provided the account name to
-     <literal>pam_unix</literal>.
-     The LDAP and SSSD NixOS modules already add their NSS modules when
-     enabled. In case your setup breaks due to some later PAM account module
-     previosuly shadowed, or failing NSS lookups, please file a bug. You can
-     get back the old behaviour by manually setting
-     <literal><![CDATA[security.pam.services.<name?>.text]]></literal>.
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-     The <literal>pam_unix</literal> password module is now loaded with its
-     control field set to <literal>sufficient</literal> instead of
-     <literal>required</literal>, so that password managed only
-     by later PAM password modules are being executed.
-     Previously, for example, changing an LDAP account's password through PAM
-     was not possible: the whole password module verification
-     was exited prematurely by <literal>pam_unix</literal>,
-     preventing <literal>pam_ldap</literal> to manage the password as it should.
-   </para>
-  </listitem>
-   <listitem>
-    <para>
-     <literal>fish</literal> has been upgraded to 3.0.
-     It comes with a number of improvements and backwards incompatible changes.
-     See the <literal>fish</literal> <link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release notes</link> for more information.
+     might do more extensive checks are being executed. Previously, the whole
+     account module verification was exited prematurely in case a nss module
+     provided the account name to <literal>pam_unix</literal>. The LDAP and
+     SSSD NixOS modules already add their NSS modules when enabled. In case
+     your setup breaks due to some later PAM account module previously
+     shadowed, or failing NSS lookups, please file a bug. You can get back the
+     old behaviour by manually setting <literal>
+<![CDATA[security.pam.services.<name?>.text]]>
+     </literal>.
    </para>
   </listitem>
-  <listitem>
+   <listitem>
    <para>
-      The ibus-table input method has had a change in config format, which
-      causes all previous settings to be lost. See
-      <link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this commit message</link>
-      for details.
+     The <literal>pam_unix</literal> password module is now loaded with its
+     control field set to <literal>sufficient</literal> instead of
+     <literal>required</literal>, so that password managed only by later PAM
+     password modules are being executed. Previously, for example, changing an
+     LDAP account's password through PAM was not possible: the whole password
+     module verification was exited prematurely by <literal>pam_unix</literal>,
+     preventing <literal>pam_ldap</literal> to manage the password as it
+     should.
    </para>
-  </listitem>
-  <listitem>
-   <para>
-    Support for NixOS module system type <literal>types.optionSet</literal> and
-    <literal>lib.mkOption</literal> argument <literal>options</literal> is removed.
-    Use <literal>types.submodule</literal> instead.
-    (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
-   </para>
-  </listitem>
-  <listitem>
-   <para>
-    <literal>matrix-synapse</literal> has been updated to version 0.99. It will
-    <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no longer generate a self-signed certificate on first launch</link>
-    and will be <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the last version to accept self-signed certificates</link>.
-    As such, it is now recommended to use a proper certificate verified by a
-    root CA (for example Let's Encrypt).
-   </para>
-  </listitem>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>fish</literal> has been upgraded to 3.0. It comes with a number
+     of improvements and backwards incompatible changes. See the
+     <literal>fish</literal>
+     <link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release
+     notes</link> for more information.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The ibus-table input method has had a change in config format, which
+     causes all previous settings to be lost. See
+     <link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this
+     commit message</link> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     NixOS module system type <literal>types.optionSet</literal> and
+     <literal>lib.mkOption</literal> argument <literal>options</literal> are
+     deprecated. Use <literal>types.submodule</literal> instead.
+     (<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <literal>matrix-synapse</literal> has been updated to version 0.99. It
+     will <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no
+     longer generate a self-signed certificate on first launch</link> and will
+     be
+     <link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the
+     last version to accept self-signed certificates</link>. As such, it is now
+     recommended to use a proper certificate verified by a root CA (for example
+     Let's Encrypt). The new <link linkend="module-services-matrix">manual
+     chapter on Matrix</link> contains a working example of using nginx as a
+     reverse proxy in front of <literal>matrix-synapse</literal>, using Let's
+     Encrypt certificates.
+    </para>
+   </listitem>
   <listitem>
    <para>
     <literal>mailutils</literal> now works by default when
     <literal>sendmail</literal> is not in a setuid wrapper. As a consequence,
-     the <literal>sendmailPath</literal> argument, having lost its main use, has
-     been removed.
+     the <literal>sendmailPath</literal> argument, having lost its main use,
+     has been removed.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     <literal>graylog</literal> has been upgraded from version 2.* to 3.*. Some
+     setups making use of extraConfig (especially those exposing Graylog via
+     reverse proxies) need to be updated as upstream removed/replaced some
+     settings. See
+     <link xlink:href="http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html#simplified-http-interface-configuration">Upgrading
+     Graylog</link> for details.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+      The option <literal>users.ldap.bind.password</literal> was renamed to <literal>users.ldap.bind.passwordFile</literal>,
+      and needs to be readable by the <literal>nslcd</literal> user.
+      Same applies to the new <literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
+    </para>
+   </listitem>
+   <listitem>
+     <para>
+       <literal>nodejs-6_x</literal> is end-of-life.
+       <literal>nodejs-6_x</literal>, <literal>nodejs-slim-6_x</literal> and
+       <literal>nodePackages_6_x</literal> are removed.
+     </para>
+   </listitem>
  </itemizedlist>
 </section>

@@ -479,198 +585,235 @@
   <listitem>
    <para>
     The <option>services.matomo</option> module gained the option
-     <option>services.matomo.package</option> which determines the used
-     Matomo version.
+     <option>services.matomo.package</option> which determines the used Matomo
+     version.
    </para>
    <para>
-     The Matomo module now also comes with the systemd service <literal>matomo-archive-processing.service</literal>
-     and a timer that automatically triggers archive processing every hour.
-     This means that you can safely
+     The Matomo module now also comes with the systemd service
+     <literal>matomo-archive-processing.service</literal> and a timer that
+     automatically triggers archive processing every hour. This means that you
+     can safely
     <link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
-      disable browser triggers for Matomo archiving
-     </link> at <literal>Administration > System > General Settings</literal>.
+     disable browser triggers for Matomo archiving </link> at
+     <literal>Administration > System > General Settings</literal>.
    </para>
    <para>
     Additionally, you can enable to
     <link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
-      delete old visitor logs
-     </link> at <literal>Administration > System > Privacy</literal>,
-     but make sure that you run <literal>systemctl start matomo-archive-processing.service</literal>
-     at least once without errors if you have already collected data before,
-     so that the reports get archived before the source data gets deleted.
+     delete old visitor logs </link> at <literal>Administration > System >
+     Privacy</literal>, but make sure that you run <literal>systemctl start
+     matomo-archive-processing.service</literal> at least once without errors
+     if you have already collected data before, so that the reports get
+     archived before the source data gets deleted.
    </para>
   </listitem>
   <listitem>
    <para>
-     <literal>composableDerivation</literal> along with supporting library functions
-     has been removed.
+     <literal>composableDerivation</literal> along with supporting library
+     functions has been removed.
    </para>
   </listitem>
   <listitem>
    <para>
-     The deprecated <literal>truecrypt</literal> package has been removed
-     and <literal>truecrypt</literal> attribute is now an alias for
+     The deprecated <literal>truecrypt</literal> package has been removed and
+     <literal>truecrypt</literal> attribute is now an alias for
     <literal>veracrypt</literal>. VeraCrypt is backward-compatible with
-     TrueCrypt volumes. Note that <literal>cryptsetup</literal> also
-     supports loading TrueCrypt volumes.
+     TrueCrypt volumes. Note that <literal>cryptsetup</literal> also supports
+     loading TrueCrypt volumes.
    </para>
   </listitem>
   <listitem>
    <para>
-      The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS.
-      This change is made in accordance with Kubernetes making CoreDNS the official default
-      starting from
-      <link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes v1.11</link>.
-      Please beware that upgrading DNS-addon on existing clusters might induce
-      minor downtime while the DNS-addon terminates and re-initializes.
-      Also note that the DNS-service now runs with 2 pod replicas by default.
-      The desired number of replicas can be configured using:
-      <option>services.kubernetes.addons.dns.replicas</option>.
-    </para>
-   </listitem>
-   <listitem>
-     <para>
-       The quassel-webserver package and module was removed from nixpkgs due to the lack
-       of maintainers.
-     </para>
-   </listitem>
-   <listitem>
-     <para>
-       The astah-community package was removed from nixpkgs due to it being discontinued and the downloads not being available anymore.
-     </para>
-   </listitem>
-   <listitem>
-     <para>
-       The httpd service now saves log files with a .log file extension by default for
-       easier integration with the logrotate service.
-     </para>
-   </listitem>
-   <listitem>
-     <para>
-       The owncloud server packages and httpd subservice module were removed
-       from nixpkgs due to the lack of maintainers.
-     </para>
-   </listitem>
-   <listitem>
-     <para>
-       It is possible now to uze ZRAM devices as general purpose ephemeral block devices,
-       not only as swap. Using more than 1 device as ZRAM swap is no longer recommended,
-       but is still possible by setting <literal>zramSwap.swapDevices</literal> explicitly.
-     </para>
-     <para>
-      Default algorithm for ZRAM swap was changed to <literal>zstd</literal>.
-     </para>
-     <para>
-      Changes to ZRAM algorithm are applied during <literal>nixos-rebuild switch</literal>,
-      so make sure you have enough swap space on disk to survive ZRAM device rebuild. Alternatively,
-      use <literal>nixos-rebuild boot; reboot</literal>.
-     </para>
-   </listitem>
-   <listitem>
-    <para>
-     Symlinks in <filename>/etc</filename> (except <filename>/etc/static</filename>)
-     are now relative instead of absolute. This makes possible to examine
-     NixOS container's <filename>/etc</filename> directory from host system
-     (previously it pointed to host <filename>/etc</filename> when viewed from host,
-     and to container <filename>/etc</filename> when viewed from container chroot).
-    </para>
-    <para>
-     This also makes <filename>/etc/os-release</filename> adhere to
-     <link xlink:href="https://www.freedesktop.org/software/systemd/man/os-release.html">the standard</link>
-     for NixOS containers.
+     The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This
+     change is made in accordance with Kubernetes making CoreDNS the official
+     default starting from
+     <link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes
+     v1.11</link>. Please beware that upgrading DNS-addon on existing clusters
+     might induce minor downtime while the DNS-addon terminates and
+     re-initializes. Also note that the DNS-service now runs with 2 pod
+     replicas by default. The desired number of replicas can be configured
+     using: <option>services.kubernetes.addons.dns.replicas</option>.
    </para>
   </listitem>
   <listitem>
    <para>
-      Flat volumes are now disabled by default in <literal>hardware.pulseaudio</literal>.
-      This has been done to prevent applications, which are unaware of this feature, setting
-      their volumes to 100% on startup causing harm to your audio hardware and potentially your ears.
+     The quassel-webserver package and module was removed from nixpkgs due to
+     the lack of maintainers.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The manual gained a <link linkend="module-services-matrix"> new chapter on
+     self-hosting <literal>matrix-synapse</literal> and
+     <literal>riot-web</literal> </link>, the most prevalent server and client
+     implementations for the
+     <link xlink:href="https://matrix.org/">Matrix</link> federated
+     communication network.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The astah-community package was removed from nixpkgs due to it being
+     discontinued and the downloads not being available anymore.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The httpd service now saves log files with a .log file extension by
+     default for easier integration with the logrotate service.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The owncloud server packages and httpd subservice module were removed from
+     nixpkgs due to the lack of maintainers.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     It is possible now to uze ZRAM devices as general purpose ephemeral block
+     devices, not only as swap. Using more than 1 device as ZRAM swap is no
+     longer recommended, but is still possible by setting
+     <literal>zramSwap.swapDevices</literal> explicitly.
+    </para>
+    <para>
+     ZRAM algorithm can be changed now.
+    </para>
+    <para>
+     Changes to ZRAM algorithm are applied during <literal>nixos-rebuild
+     switch</literal>, so make sure you have enough swap space on disk to
+     survive ZRAM device rebuild. Alternatively, use <literal>nixos-rebuild
+     boot; reboot</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Flat volumes are now disabled by default in
+     <literal>hardware.pulseaudio</literal>. This has been done to prevent
+     applications, which are unaware of this feature, setting their volumes to
+     100% on startup causing harm to your audio hardware and potentially your
+     ears.
    </para>
    <note>
     <para>
-      With this change application specific volumes are relative to the master volume which can be
-      adjusted independently, whereas before they were absolute; meaning that in effect, it scaled the
-      device-volume with the volume of the loudest application.
+      With this change application specific volumes are relative to the master
+      volume which can be adjusted independently, whereas before they were
+      absolute; meaning that in effect, it scaled the device-volume with the
+      volume of the loudest application.
     </para>
    </note>
   </listitem>
   <listitem>
    <para>
-     The <link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link> module
-     now supports <link linkend="opt-services.ndppd.enable">all config options</link> provided by the current
-     upstream version as service options. Additionally the <literal>ndppd</literal> package doesn't contain
-     the systemd unit configuration from upstream anymore, the unit is completely configured by the NixOS module now.
+     The
+     <link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link>
+     module now supports <link linkend="opt-services.ndppd.enable">all config
+     options</link> provided by the current upstream version as service
+     options. Additionally the <literal>ndppd</literal> package doesn't contain
+     the systemd unit configuration from upstream anymore, the unit is
+     completely configured by the NixOS module now.
    </para>
   </listitem>
   <listitem>
    <para>
-     New installs of NixOS will default to the Redmine 4.x series unless otherwise specified in
-     <literal>services.redmine.package</literal> while existing installs of NixOS will default to
-     the Redmine 3.x series.
+     New installs of NixOS will default to the Redmine 4.x series unless
+     otherwise specified in <literal>services.redmine.package</literal> while
+     existing installs of NixOS will default to the Redmine 3.x series.
    </para>
   </listitem>
   <listitem>
    <para>
-     The <link linkend="opt-services.grafana.enable">Grafana module</link> now supports declarative
-     <link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource and dashboard</link>
-     provisioning.
+     The <link linkend="opt-services.grafana.enable">Grafana module</link> now
+     supports declarative
+     <link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource
+     and dashboard</link> provisioning.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The use of insecure ports on kubernetes has been deprecated. Thus options:
+     <varname>services.kubernetes.apiserver.port</varname> and
+     <varname>services.kubernetes.controllerManager.port</varname> has been
+     renamed to <varname>.insecurePort</varname>, and default of both options
+     has changed to 0 (disabled).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The default value of
+     <varname>services.kubernetes.apiserver.bindAddress</varname> has changed
+     from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from
+     outside the master node itself. If the apiserver insecurePort is enabled,
+     it is strongly recommended to only bind on the loopback interface. See:
+     <varname>services.kubernetes.apiserver.insecurebindAddress</varname>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The option
+     <varname>services.kubernetes.apiserver.allowPrivileged</varname> and
+     <varname>services.kubernetes.kubelet.allowPrivileged</varname> now
+     defaults to false. Disallowing privileged containers on the cluster.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The kubernetes module no longer adds the kubernetes package to
+     <varname>environment.systemPackages</varname> implicitly.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <literal>intel</literal> driver has been removed from the default list
+     of <link linkend="opt-services.xserver.videoDrivers">X.org video
+     drivers</link>. The <literal>modesetting</literal> driver should take over
+     automatically, it is better maintained upstream and has less problems with
+     advanced X11 features. This can lead to a change in the output names used
+     by <command>xrandr</command>. Some performance regressions on some GPU
+     models might happen. Some OpenCL and VA-API applications might also break
+     (Beignet seems to provide OpenCL support with
+     <literal>modesetting</literal> driver, too). Kernel mode setting API does
+     not support backlight control, so <command>xbacklight</command> tool will
+     not work; backlight level can be controlled directly via
+     <filename>/sys/</filename> or with <command>brightnessctl</command> or
+     <command>light</command>. Users
+     who need this functionality more than multi-output XRandR are advised to
+     add <literal>intel</literal> to <varname>videoDrivers</varname> and report
+     an issue (or provide additional details in an existing one).
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Openmpi has been updated to version 4.0.0, which removes some deprecated
+     MPI-1 symbols. This may break some older applications that still rely on
+     those symbols. An upgrade guide can be found
+     <link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by
+     default. You can set the protocols used by the nginx service using
+     <xref linkend="opt-services.nginx.sslProtocols"/>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     A new subcommand <command>nixos-rebuild edit</command> was added.
    </para>
   </listitem>
   <listitem>
     <para>
-       The use of insecure ports on kubernetes has been deprecated.
-       Thus options:
-       <varname>services.kubernetes.apiserver.port</varname> and
-       <varname>services.kubernetes.controllerManager.port</varname>
-       has been renamed to <varname>.insecurePort</varname>,
-       and default of both options has changed to 0 (disabled).
+       <function>stdenv.mkDerivation</function> may now be passed
+       <varname>pname</varname> and <varname>version</varname> attributes
+       instead of <varname>name</varname>, and will now automatically
+       construct the package name by joining them with a dash.
     </para>
-    </listitem>
-    <listitem>
-      <para>
-        Note that the default value of
-        <varname>services.kubernetes.apiserver.bindAddress</varname>
-        has changed from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be
-        accessible from outside the master node itself.
-        If the apiserver insecurePort is enabled,
-        it is strongly recommended to only bind on the loopback interface. See:
-        <varname>services.kubernetes.apiserver.insecurebindAddress</varname>.
-      </para>
-    </listitem>
-    <listitem>
-      <para>
-        The option <varname>services.kubernetes.apiserver.allowPrivileged</varname>
-        and <varname>services.kubernetes.kubelet.allowPrivileged</varname> now
-        defaults to false. Disallowing privileged containers on the cluster.
-      </para>
-    </listitem>
-    <listitem>
-      <para>
-        The kubernetes module does no longer add the kubernetes package to
-        <varname>environment.systemPackages</varname> implicitly.
-      </para>
-    </listitem>
-    <listitem>
-      <para>
-        The <literal>intel</literal> driver has been removed from the default list of
-        <link linkend="opt-services.xserver.videoDrivers">X.org video drivers</link>.
-        The <literal>modesetting</literal> driver should take over automatically,
-        it is better maintained upstream and has less problems with advanced X11 features.
-        This can lead to a change in the output names used by <literal>xrandr</literal>.
-        Some performance regressions on some GPU models might happen.
-        Some OpenCL and VA-API applications might also break
-        (Beignet seems to provide OpenCL support with
-        <literal>modesetting</literal> driver, too).
-        Users who need this functionality more than multi-output XRandR are advised
-        to add `intel` to `videoDrivers` and report an issue (or provide additional
-        details in an existing one)
-      </para>
   </listitem>
   <listitem>
     <para>
-       Openmpi has been updated to version 4.0.0, which removes some deprecated MPI-1 symbols.
-       This may break some older applications that still rely on those symbols.
-       An upgrade guide can be found <link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
+       The Sway tiling Wayland compositor has been updated to version 1.0, and the
+       corresponding NixOS module has been refined to fix some bugs.
     </para>
   </listitem>
  </itemizedlist>
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -27,25 +27,29 @@ let
    '';
  };

-  nslcdConfig = {
-    target = "nslcd.conf";
-    source = writeText "nslcd.conf" ''
-      uid nslcd
-      gid nslcd
-      uri ${cfg.server}
-      base ${cfg.base}
-      timelimit ${toString cfg.timeLimit}
-      bind_timelimit ${toString cfg.bind.timeLimit}
-      ${optionalString (cfg.bind.distinguishedName != "")
-        "binddn ${cfg.bind.distinguishedName}" }
-      ${optionalString (cfg.daemon.rootpwmoddn != "")
-        "rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
-      ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
-    '';
-  };
+  nslcdConfig = writeText "nslcd.conf" ''
+    uid nslcd
+    gid nslcd
+    uri ${cfg.server}
+    base ${cfg.base}
+    timelimit ${toString cfg.timeLimit}
+    bind_timelimit ${toString cfg.bind.timeLimit}
+    ${optionalString (cfg.bind.distinguishedName != "")
+      "binddn ${cfg.bind.distinguishedName}" }
+    ${optionalString (cfg.daemon.rootpwmoddn != "")
+      "rootpwmoddn ${cfg.daemon.rootpwmoddn}" }
+    ${optionalString (cfg.daemon.extraConfig != "") cfg.daemon.extraConfig }
+  '';

-  insertLdapPassword = !config.users.ldap.daemon.enable &&
-    config.users.ldap.bind.distinguishedName != "";
+  # nslcd normally reads configuration from /etc/nslcd.conf.
+  # this file might contain secrets. We append those at runtime,
+  # so redirect its location to something more temporary.
+  nslcdWrapped = runCommandNoCC "nslcd-wrapped" { nativeBuildInputs = [ makeWrapper ]; } ''
+    mkdir -p $out/bin
+    makeWrapper ${nss_pam_ldapd}/sbin/nslcd $out/bin/nslcd \
+      --set LD_PRELOAD    "${pkgs.libredirect}/lib/libredirect.so" \
+      --set NIX_REDIRECTS "/etc/nslcd.conf=/run/nslcd/nslcd.conf"
+  '';

 in

@@ -139,13 +143,13 @@ in
          '';
        };

-        rootpwmodpw = mkOption {
+        rootpwmodpwFile = mkOption {
          default = "";
          example = "/run/keys/nslcd.rootpwmodpw";
          type = types.str;
          description = ''
-            The path to a file containing the credentials with which
-            to bind to the LDAP server if the root user tries to change a user's password
+            The path to a file containing the credentials with which to bind to
+            the LDAP server if the root user tries to change a user's password.
          '';
        };
      };
@@ -161,7 +165,7 @@ in
          '';
        };

-        password = mkOption {
+        passwordFile = mkOption {
          default = "/etc/ldap/bind.password";
          type = types.str;
          description = ''
@@ -220,14 +224,14 @@ in

  config = mkIf cfg.enable {

-    environment.etc = if cfg.daemon.enable then [nslcdConfig] else [ldapConfig];
+    environment.etc = optional (!cfg.daemon.enable) ldapConfig;

-    system.activationScripts = mkIf insertLdapPassword {
+    system.activationScripts = mkIf (!cfg.daemon.enable) {
      ldap = stringAfter [ "etc" "groups" "users" ] ''
-        if test -f "${cfg.bind.password}" ; then
+        if test -f "${cfg.bind.passwordFile}" ; then
          umask 0077
          conf="$(mktemp)"
-          printf 'bindpw %s\n' "$(cat ${cfg.bind.password})" |
+          printf 'bindpw %s\n' "$(cat ${cfg.bind.passwordFile})" |
          cat ${ldapConfig.source} - >"$conf"
          mv -fT "$conf" /etc/ldap.conf
        fi
@@ -251,7 +255,6 @@ in
    };

    systemd.services = mkIf cfg.daemon.enable {
-
      nslcd = {
        wantedBy = [ "multi-user.target" ];

@@ -259,32 +262,32 @@ in
          umask 0077
          conf="$(mktemp)"
          {
-            cat ${nslcdConfig.source}
-            test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.password}' ||
-            printf 'bindpw %s\n' "$(cat '${cfg.bind.password}')"
-            test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpw}' ||
-            printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpw}')"
+            cat ${nslcdConfig}
+            test -z '${cfg.bind.distinguishedName}' -o ! -f '${cfg.bind.passwordFile}' ||
+            printf 'bindpw %s\n' "$(cat '${cfg.bind.passwordFile}')"
+            test -z '${cfg.daemon.rootpwmoddn}' -o ! -f '${cfg.daemon.rootpwmodpwFile}' ||
+            printf 'rootpwmodpw %s\n' "$(cat '${cfg.daemon.rootpwmodpwFile}')"
          } >"$conf"
-          mv -fT "$conf" /etc/nslcd.conf
+          mv -fT "$conf" /run/nslcd/nslcd.conf
        '';
-
-        # NOTE: because one cannot pass a custom config path to `nslcd`
-        # (which is only able to use `/etc/nslcd.conf`)
-        # changes in `nslcdConfig` won't change `serviceConfig`,
-        # and thus won't restart `nslcd`.
-        # Therefore `restartTriggers` is used on `/etc/nslcd.conf`.
-        restartTriggers = [ nslcdConfig.source ];
+        restartTriggers = [ "/run/nslcd/nslcd.conf" ];

        serviceConfig = {
-          ExecStart = "${nss_pam_ldapd}/sbin/nslcd";
+          ExecStart = "${nslcdWrapped}/bin/nslcd";
          Type = "forking";
-          PIDFile = "/run/nslcd/nslcd.pid";
          Restart = "always";
+          User = "nslcd";
+          Group = "nslcd";
          RuntimeDirectory = [ "nslcd" ];
+          PIDFile = "/run/nslcd/nslcd.pid";
        };
      };

    };

  };
+
+  imports =
+    [ (mkRenamedOptionModule [ "users" "ldap" "bind" "password"] [ "users" "ldap" "bind" "passwordFile"])
+    ];
 }
--- a/nixos/modules/config/zram.nix
+++ b/nixos/modules/config/zram.nix
@@ -91,13 +91,13 @@ in
      };

      algorithm = mkOption {
-        default = "zstd";
-        example = "lzo";
+        default = "lzo";
+        example = "lz4";
        type = with types; either (enum [ "lzo" "lz4" "zstd" ]) str;
        description = ''
          Compression algorithm. <literal>lzo</literal> has good compression,
          but is slow. <literal>lz4</literal> has bad compression, but is fast.
-          <literal>zstd</literal> is both good compression and fast.
+          <literal>zstd</literal> is both good compression and fast, but requires newer kernel.
          You can check what other algorithms are supported by your zram device with
          <programlisting>cat /sys/class/block/zram*/comp_algorithm</programlisting>
        '';
--- a/nixos/modules/hardware/video/nvidia.nix
+++ b/nixos/modules/hardware/video/nvidia.nix
@@ -172,6 +172,11 @@ in
    environment.systemPackages = [ nvidia_x11.bin nvidia_x11.settings ]
      ++ lib.filter (p: p != null) [ nvidia_x11.persistenced ];

+    systemd.tmpfiles.rules = optional config.virtualisation.docker.enableNvidia
+        "L+ /run/nvidia-docker/bin - - - - ${nvidia_x11.bin}/origBin"
+      ++ optional (nvidia_x11.persistenced != null && config.virtualisation.docker.enableNvidia)
+        "L+ /run/nvidia-docker/extras/bin/nvidia-persistenced - - - - ${nvidia_x11.persistenced}/origBin/nvidia-persistenced";
+
    boot.extraModulePackages = [ nvidia_x11.bin ];

    # nvidia-uvm is required by CUDA applications.
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -88,7 +88,7 @@ let
  #     result in incorrect boot entries.

  baseIsolinuxCfg = ''
-    SERIAL 0 38400
+    SERIAL 0 115200
    TIMEOUT ${builtins.toString syslinuxTimeout}
    UI vesamenu.c32
    MENU TITLE NixOS
@@ -165,6 +165,8 @@ let
    else
      "# No refind for ${targetArch}"
  ;
+  
+  grubPkgs = if config.boot.loader.grub.forcei686 then pkgs.pkgsi686Linux else pkgs; 

  grubMenuCfg = ''
    #
@@ -241,7 +243,7 @@ let
    # Modules that may or may not be available per-platform.
    echo "Adding additional modules:"
    for mod in efi_uga; do
-      if [ -f ${pkgs.grub2_efi}/lib/grub/${pkgs.grub2_efi.grubTarget}/$mod.mod ]; then
+      if [ -f ${grubPkgs.grub2_efi}/lib/grub/${grubPkgs.grub2_efi.grubTarget}/$mod.mod ]; then
        echo " - $mod"
        MODULES+=" $mod"
      fi
@@ -249,9 +251,9 @@ let

    # Make our own efi program, we can't rely on "grub-install" since it seems to
    # probe for devices, even with --skip-fs-probe.
-    ${pkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${pkgs.grub2_efi.grubTarget} \
+    ${grubPkgs.grub2_efi}/bin/grub-mkimage -o $out/EFI/boot/boot${targetArch}.efi -p /EFI/boot -O ${grubPkgs.grub2_efi.grubTarget} \
      $MODULES
-    cp ${pkgs.grub2_efi}/share/grub/unicode.pf2 $out/EFI/boot/
+    cp ${grubPkgs.grub2_efi}/share/grub/unicode.pf2 $out/EFI/boot/

    cat <<EOF > $out/EFI/boot/grub.cfg

@@ -362,7 +364,7 @@ let

  # Name used by UEFI for architectures.
  targetArch =
-    if pkgs.stdenv.isi686 then
+    if pkgs.stdenv.isi686 || config.boot.loader.grub.forcei686 then
      "ia32"
    else if pkgs.stdenv.isx86_64 then
      "x64"
@@ -506,7 +508,7 @@ in
    # here and it causes a cyclic dependency.
    boot.loader.grub.enable = false;

-    environment.systemPackages = [ pkgs.grub2 pkgs.grub2_efi ]
+    environment.systemPackages =  [ grubPkgs.grub2 grubPkgs.grub2_efi ]
      ++ optional canx86BiosBoot pkgs.syslinux
    ;

--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -138,7 +138,18 @@ fi
 # Ask the user to set a root password, but only if the passwd command
 # exists (i.e. when mutable user accounts are enabled).
 if [[ -z $noRootPasswd ]] && [ -t 0 ]; then
-    nixos-enter --root "$mountPoint" -c '[[ -e /nix/var/nix/profiles/system/sw/bin/passwd ]] && echo "setting root password..." && /nix/var/nix/profiles/system/sw/bin/passwd'
+    if nixos-enter --root "$mountPoint" -c 'test -e /nix/var/nix/profiles/system/sw/bin/passwd'; then
+        set +e
+        nixos-enter --root "$mountPoint" -c 'echo "setting root password..." && /nix/var/nix/profiles/system/sw/bin/passwd'
+        exit_code=$?
+        set -e
+
+        if [[ $exit_code != 0 ]]; then
+            echo "Setting a root password failed with the above printed error."
+            echo "You can set the root password manually by executing \`nixos-enter --root ${mountPoint@Q}\` and then running \`passwd\` in the shell of the new system."
+            exit $exit_code
+        fi
+    fi
 fi

 echo "installation finished!"
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -267,6 +267,14 @@ if [ -n "$rollback" -o "$action" = dry-build ]; then
    buildNix=
 fi

+nixSystem() {
+    machine="$(uname -m)"
+    if [[ "$machine" =~ i.86 ]]; then
+        machine=i686
+    fi
+    echo $machine-linux
+}
+
 prebuiltNix() {
    machine="$1"
    if [ "$machine" = x86_64 ]; then
@@ -286,7 +294,9 @@ if [ -n "$buildNix" ]; then
    nixDrv=
    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
        if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
-            nixStorePath="$(prebuiltNix "$(uname -m)")"
+            if ! nixStorePath="$(nix-instantiate --eval '<nixpkgs/nixos/modules/installer/tools/nix-fallback-paths.nix>' -A $(nixSystem) | sed -e 's/^"//' -e 's/"$//')"; then
+                nixStorePath="$(prebuiltNix "$(uname -m)")"
+            fi
            if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
                --option extra-binary-caches https://cache.nixos.org/; then
                echo "warning: don't know how to get latest Nix" >&2
--- a/nixos/modules/installer/virtualbox-demo.nix
+++ b/nixos/modules/installer/virtualbox-demo.nix
@@ -57,7 +57,5 @@ with lib;

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;
-
-  system.stateVersion = mkDefault "18.03";
  '';
 }
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -129,7 +129,6 @@
  ./programs/sysdig.nix
  ./programs/systemtap.nix
  ./programs/sway.nix
-  ./programs/sway-beta.nix
  ./programs/thefuck.nix
  ./programs/tmux.nix
  ./programs/udevil.nix
@@ -171,6 +170,7 @@
  ./security/rtkit.nix
  ./security/wrappers/default.nix
  ./security/sudo.nix
+  ./security/systemd-confinement.nix
  ./services/admin/oxidized.nix
  ./services/admin/salt/master.nix
  ./services/admin/salt/minion.nix
@@ -337,6 +337,7 @@
  ./services/logging/syslog-ng.nix
  ./services/logging/syslogd.nix
  ./services/mail/clamsmtp.nix
+  ./services/mail/davmail.nix
  ./services/mail/dkimproxy-out.nix
  ./services/mail/dovecot.nix
  ./services/mail/dspam.nix
@@ -573,6 +574,7 @@
  ./services/networking/keepalived/default.nix
  ./services/networking/keybase.nix
  ./services/networking/kippo.nix
+  ./services/networking/knot.nix
  ./services/networking/kresd.nix
  ./services/networking/lambdabot.nix
  ./services/networking/libreswan.nix
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@@ -102,7 +102,7 @@ in
              # Emacs term mode doesn't support xterm title escape sequence (\e]0;)
              PS1="\n\[\033[$PROMPT_COLOR\][\u@\h:\w]\\$\[\033[0m\] "
            else
-              PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
+              PS1="\n\[\033[$PROMPT_COLOR\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\\$\[\033[0m\] "
            fi
            if test "$TERM" = "xterm"; then
              PS1="\[\033]2;\h:\u:\w\007\]$PS1"
--- a/nixos/modules/programs/browserpass.nix
+++ b/nixos/modules/programs/browserpass.nix
@@ -4,15 +4,34 @@ with lib;

 {

-  ###### interface
-  options = {
-    programs.browserpass.enable = mkEnableOption "the NativeMessaging configuration for Chromium, Chrome, and Vivaldi.";
-  };
+  options.programs.browserpass.enable = mkEnableOption "Browserpass native messaging host";

-  ###### implementation
  config = mkIf config.programs.browserpass.enable {
-    environment.systemPackages = [ pkgs.browserpass ];
-    environment.etc = {
+    environment.etc = let
+      appId = "com.github.browserpass.native.json";
+      source = part: "${pkgs.browserpass}/lib/browserpass/${part}/${appId}";
+    in {
+      # chromium
+      "chromium/native-messaging-hosts/${appId}".source = source "hosts/chromium";
+      "chromium/policies/managed/${appId}".source = source "policies/chromium";
+
+      # chrome
+      "opt/chrome/native-messaging-hosts/${appId}".source = source "hosts/chromium";
+      "opt/chrome/policies/managed/${appId}".source = source "policies/chromium";
+
+      # vivaldi
+      "opt/vivaldi/native-messaging-hosts/${appId}".source = source "hosts/chromium";
+      "opt/vivaldi/policies/managed/${appId}".source = source "policies/chromium";
+
+      # brave
+      "opt/brave/native-messaging-hosts/${appId}".source = source "hosts/chromium";
+      "opt/brave/policies/managed/${appId}".source = source "policies/chromium";
+    }
+    # As with the v2 backwards compatibility in the pkgs.browserpass
+    # declaration, this part can be removed once the browser extension
+    # auto-updates to v3 (planned 2019-04-13, see
+    # https://github.com/browserpass/browserpass-native/issues/31)
+    // {
      "chromium/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json";
      "chromium/policies/managed/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-policy.json";
      "opt/chrome/native-messaging-hosts/com.dannyvankooten.browserpass.json".source = "${pkgs.browserpass}/etc/chrome-host.json";
--- a/nixos/modules/programs/fish.nix
+++ b/nixos/modules/programs/fish.nix
@@ -169,43 +169,6 @@ in
      end
    '';

-    programs.fish.interactiveShellInit = ''
-      # add completions generated by NixOS to $fish_complete_path
-      begin
-        # joins with null byte to acommodate all characters in paths, then respectively gets all paths before / after the first one including "generated_completions",
-        # splits by null byte, and then removes all empty lines produced by using 'string'
-        set -l prev (string join0 $fish_complete_path | string match --regex "^.*?(?=\x00[^\x00]*generated_completions.*)" | string split0 | string match -er ".")
-        set -l post (string join0 $fish_complete_path | string match --regex "[^\x00]*generated_completions.*" | string split0 | string match -er ".")
-        set fish_complete_path $prev "/etc/fish/generated_completions" $post
-      end
-    '';
-
-    environment.etc."fish/generated_completions".source =
-      let
-        generateCompletions = package: pkgs.runCommand
-          "${package.name}-fish-completions"
-          (
-            {
-              src = package;
-              nativeBuildInputs = [ pkgs.python3 ];
-              buildInputs = [ pkgs.fish ];
-              preferLocalBuild = true;
-              allowSubstitutes = false;
-            }
-            // optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }
-          )
-          ''
-            mkdir -p $out
-            if [ -d $src/share/man ]; then
-              find $src/share/man -type f | xargs python ${pkgs.fish}/share/fish/tools/create_manpage_completions.py --directory $out >/dev/null
-            fi
-          '';
-      in
-        pkgs.buildEnv {
-          name = "system-fish-completions";
-          paths = map generateCompletions config.environment.systemPackages;
-        };
-
    # include programs that bring their own completions
    environment.pathsToLink = []
      ++ optional cfg.vendor.config.enable "/share/fish/vendor_conf.d"
--- a/nixos/modules/programs/sway-beta.nix
+++ b/nixos/modules/programs/sway-beta.nix
@@ -1,91 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
-  cfg = config.programs.sway-beta;
-  swayPackage = cfg.package;
-
-  swayWrapped = pkgs.writeShellScriptBin "sway" ''
-    set -o errexit
-
-    if [ ! "$_SWAY_WRAPPER_ALREADY_EXECUTED" ]; then
-      export _SWAY_WRAPPER_ALREADY_EXECUTED=1
-      ${cfg.extraSessionCommands}
-    fi
-
-    if [ "$DBUS_SESSION_BUS_ADDRESS" ]; then
-      export DBUS_SESSION_BUS_ADDRESS
-      exec ${swayPackage}/bin/sway "$@"
-    else
-      exec ${pkgs.dbus}/bin/dbus-run-session ${swayPackage}/bin/sway "$@"
-    fi
-  '';
-  swayJoined = pkgs.symlinkJoin {
-    name = "sway-joined";
-    paths = [ swayWrapped swayPackage ];
-  };
-in {
-  options.programs.sway-beta = {
-    enable = mkEnableOption ''
-      Sway, the i3-compatible tiling Wayland compositor. This module will be removed after the final release of Sway 1.0
-    '';
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.sway-beta;
-      defaultText = "pkgs.sway-beta";
-      description = ''
-        The package to be used for `sway`.
-      '';
-    };
-
-    extraSessionCommands = mkOption {
-      type = types.lines;
-      default = "";
-      example = ''
-        export SDL_VIDEODRIVER=wayland
-        # needs qt5.qtwayland in systemPackages
-        export QT_QPA_PLATFORM=wayland
-        export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
-        # Fix for some Java AWT applications (e.g. Android Studio),
-        # use this if they aren't displayed properly:
-        export _JAVA_AWT_WM_NONREPARENTING=1
-      '';
-      description = ''
-        Shell commands executed just before Sway is started.
-      '';
-    };
-
-    extraPackages = mkOption {
-      type = with types; listOf package;
-      default = with pkgs; [
-        swaylock swayidle
-        xwayland rxvt_unicode dmenu
-      ];
-      defaultText = literalExample ''
-        with pkgs; [ swaylock swayidle xwayland rxvt_unicode dmenu ];
-      '';
-      example = literalExample ''
-        with pkgs; [
-          xwayland
-          i3status i3status-rust
-          termite rofi light
-        ]
-      '';
-      description = ''
-        Extra packages to be installed system wide.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ swayJoined ] ++ cfg.extraPackages;
-    security.pam.services.swaylock = {};
-    hardware.opengl.enable = mkDefault true;
-    fonts.enableDefaultFonts = mkDefault true;
-    programs.dconf.enable = mkDefault true;
-  };
-
-  meta.maintainers = with lib.maintainers; [ gnidorah primeos colemickens ];
-}
--- a/nixos/modules/programs/sway.nix
+++ b/nixos/modules/programs/sway.nix
@@ -16,9 +16,9 @@ let

    if [ "$DBUS_SESSION_BUS_ADDRESS" ]; then
      export DBUS_SESSION_BUS_ADDRESS
-      exec sway-setcap "$@"
+      exec ${swayPackage}/bin/sway "$@"
    else
-      exec ${pkgs.dbus}/bin/dbus-run-session sway-setcap "$@"
+      exec ${pkgs.dbus}/bin/dbus-run-session ${swayPackage}/bin/sway "$@"
    fi
  '';
  swayJoined = pkgs.symlinkJoin {
@@ -28,22 +28,24 @@ let
 in {
  options.programs.sway = {
    enable = mkEnableOption ''
-      the tiling Wayland compositor Sway. After adding yourself to the "sway"
-      group you can manually launch Sway by executing "sway" from a terminal.
-      If you call "sway" with any parameters the extraSessionCommands won't be
-      executed and Sway won't be launched with dbus-launch'';
+      Sway, the i3-compatible tiling Wayland compositor. You can manually launch
+      Sway by executing "exec sway" on a TTY. Copy /etc/sway/config to
+      ~/.config/sway/config to modify the default configuration. See
+      https://github.com/swaywm/sway/wiki and "man 5 sway" for more information.
+      Please have a look at the "extraSessionCommands" example for running
+      programs natively under Wayland'';

    extraSessionCommands = mkOption {
      type = types.lines;
      default = "";
      example = ''
-        # Define a keymap (US QWERTY is the default)
-        export XKB_DEFAULT_LAYOUT=de,us
-        export XKB_DEFAULT_VARIANT=nodeadkeys
-        export XKB_DEFAULT_OPTIONS=grp:alt_shift_toggle,caps:escape
-        # Change the Keyboard repeat delay and rate
-        export WLC_REPEAT_DELAY=660
-        export WLC_REPEAT_RATE=25
+        export SDL_VIDEODRIVER=wayland
+        # needs qt5.qtwayland in systemPackages
+        export QT_QPA_PLATFORM=wayland
+        export QT_WAYLAND_DISABLE_WINDOWDECORATION="1"
+        # Fix for some Java AWT applications (e.g. Android Studio),
+        # use this if they aren't displayed properly:
+        export _JAVA_AWT_WM_NONREPARENTING=1
      '';
      description = ''
        Shell commands executed just before Sway is started.
@@ -53,14 +55,17 @@ in {
    extraPackages = mkOption {
      type = with types; listOf package;
      default = with pkgs; [
-        i3status xwayland rxvt_unicode dmenu
+        swaylock swayidle
+        xwayland rxvt_unicode dmenu
      ];
      defaultText = literalExample ''
-        with pkgs; [ i3status xwayland rxvt_unicode dmenu ];
+        with pkgs; [ swaylock swayidle xwayland rxvt_unicode dmenu ];
      '';
      example = literalExample ''
        with pkgs; [
-          i3lock light termite
+          xwayland
+          i3status i3status-rust
+          termite rofi light
        ]
      '';
      description = ''
@@ -70,23 +75,19 @@ in {
  };

  config = mkIf cfg.enable {
-    environment.systemPackages = [ swayJoined ] ++ cfg.extraPackages;
-    security.wrappers.sway = {
-      program = "sway-setcap";
-      source = "${swayPackage}/bin/sway";
-      capabilities = "cap_sys_ptrace,cap_sys_tty_config=eip";
-      owner = "root";
-      group = "sway";
-      permissions = "u+rx,g+rx";
+    environment = {
+      systemPackages = [ swayJoined ] ++ cfg.extraPackages;
+      etc = {
+        "sway/config".source = "${swayPackage}/etc/sway/config";
+        #"sway/security.d".source = "${swayPackage}/etc/sway/security.d/";
+        #"sway/config.d".source = "${swayPackage}/etc/sway/config.d/";
+      };
    };
-
-    users.groups.sway = {};
    security.pam.services.swaylock = {};
-
    hardware.opengl.enable = mkDefault true;
    fonts.enableDefaultFonts = mkDefault true;
    programs.dconf.enable = mkDefault true;
  };

-  meta.maintainers = with lib.maintainers; [ gnidorah primeos ];
+  meta.maintainers = with lib.maintainers; [ gnidorah primeos colemickens ];
 }
--- a/nixos/modules/programs/zsh/oh-my-zsh.xml
+++ b/nixos/modules/programs/zsh/oh-my-zsh.xml
@@ -87,9 +87,9 @@

  <para>
   <emphasis>Please keep in mind that this is not compatible with
-   <literal>programs.zsh.ohMyZsh.custom</literal> as it requires an immutable store
-   path while <literal>custom</literal> shall remain mutable! An evaluation
-   failure will be thrown if both <literal>custom</literal> and
+   <literal>programs.zsh.ohMyZsh.custom</literal> as it requires an immutable
+   store path while <literal>custom</literal> shall remain mutable! An
+   evaluation failure will be thrown if both <literal>custom</literal> and
   <literal>customPkgs</literal> are set.</emphasis>
  </para>
 </section>
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -4,11 +4,6 @@ with lib;

 {
  imports = [
-    # !!! These were renamed the other way, but got reverted later.
-    # !!! Drop these before 18.09 is released.
-    (mkRenamedOptionModule [ "system" "nixos" "stateVersion" ] [ "system" "stateVersion" ])
-    (mkRenamedOptionModule [ "system" "nixos" "defaultChannel" ] [ "system" "defaultChannel" ])
-
    (mkRenamedOptionModule [ "environment" "x11Packages" ] [ "environment" "systemPackages" ])
    (mkRenamedOptionModule [ "environment" "enableBashCompletion" ] [ "programs" "bash" "enableCompletion" ])
    (mkRenamedOptionModule [ "environment" "nix" ] [ "nix" "package" ])
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -76,7 +76,7 @@ in
      };

      failmode = mkOption {
-        type = types.enum [ "safe" "enum" ];
+        type = types.enum [ "safe" "secure" ];
        default = "safe";
        description = ''
          On service or configuration errors that prevent Duo
--- a/nixos/modules/security/systemd-confinement.nix
+++ b/nixos/modules/security/systemd-confinement.nix
@@ -0,0 +1,199 @@
+{ config, pkgs, lib, ... }:
+
+let
+  toplevelConfig = config;
+  inherit (lib) types;
+  inherit (import ../system/boot/systemd-lib.nix {
+    inherit config pkgs lib;
+  }) mkPathSafeName;
+in {
+  options.systemd.services = lib.mkOption {
+    type = types.attrsOf (types.submodule ({ name, config, ... }: {
+      options.confinement.enable = lib.mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If set, all the required runtime store paths for this service are
+          bind-mounted into a <literal>tmpfs</literal>-based <citerefentry>
+            <refentrytitle>chroot</refentrytitle>
+            <manvolnum>2</manvolnum>
+          </citerefentry>.
+        '';
+      };
+
+      options.confinement.fullUnit = lib.mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to include the full closure of the systemd unit file into the
+          chroot, instead of just the dependencies for the executables.
+
+          <warning><para>While it may be tempting to just enable this option to
+          make things work quickly, please be aware that this might add paths
+          to the closure of the chroot that you didn't anticipate. It's better
+          to use <option>confinement.packages</option> to <emphasis
+          role="strong">explicitly</emphasis> add additional store paths to the
+          chroot.</para></warning>
+        '';
+      };
+
+      options.confinement.packages = lib.mkOption {
+        type = types.listOf (types.either types.str types.package);
+        default = [];
+        description = let
+          mkScOption = optName: "<option>serviceConfig.${optName}</option>";
+        in ''
+          Additional packages or strings with context to add to the closure of
+          the chroot. By default, this includes all the packages from the
+          ${lib.concatMapStringsSep ", " mkScOption [
+            "ExecReload" "ExecStartPost" "ExecStartPre" "ExecStop"
+            "ExecStopPost"
+          ]} and ${mkScOption "ExecStart"} options. If you want to have all the
+          dependencies of this systemd unit, you can use
+          <option>confinement.fullUnit</option>.
+
+          <note><para>The store paths listed in <option>path</option> are
+          <emphasis role="strong">not</emphasis> included in the closure as
+          well as paths from other options except those listed
+          above.</para></note>
+        '';
+      };
+
+      options.confinement.binSh = lib.mkOption {
+        type = types.nullOr types.path;
+        default = toplevelConfig.environment.binsh;
+        defaultText = "config.environment.binsh";
+        example = lib.literalExample "\${pkgs.dash}/bin/dash";
+        description = ''
+          The program to make available as <filename>/bin/sh</filename> inside
+          the chroot. If this is set to <literal>null</literal>, no
+          <filename>/bin/sh</filename> is provided at all.
+
+          This is useful for some applications, which for example use the
+          <citerefentry>
+            <refentrytitle>system</refentrytitle>
+            <manvolnum>3</manvolnum>
+          </citerefentry> library function to execute commands.
+        '';
+      };
+
+      options.confinement.mode = lib.mkOption {
+        type = types.enum [ "full-apivfs" "chroot-only" ];
+        default = "full-apivfs";
+        description = ''
+          The value <literal>full-apivfs</literal> (the default) sets up
+          private <filename class="directory">/dev</filename>, <filename
+          class="directory">/proc</filename>, <filename
+          class="directory">/sys</filename> and <filename
+          class="directory">/tmp</filename> file systems in a separate user
+          name space.
+
+          If this is set to <literal>chroot-only</literal>, only the file
+          system name space is set up along with the call to <citerefentry>
+            <refentrytitle>chroot</refentrytitle>
+            <manvolnum>2</manvolnum>
+          </citerefentry>.
+
+          <note><para>This doesn't cover network namespaces and is solely for
+          file system level isolation.</para></note>
+        '';
+      };
+
+      config = let
+        rootName = "${mkPathSafeName name}-chroot";
+        inherit (config.confinement) binSh fullUnit;
+        wantsAPIVFS = lib.mkDefault (config.confinement.mode == "full-apivfs");
+      in lib.mkIf config.confinement.enable {
+        serviceConfig = {
+          RootDirectory = pkgs.runCommand rootName {} "mkdir \"$out\"";
+          TemporaryFileSystem = "/";
+          PrivateMounts = lib.mkDefault true;
+
+          # https://github.com/NixOS/nixpkgs/issues/14645 is a future attempt
+          # to change some of these to default to true.
+          #
+          # If we run in chroot-only mode, having something like PrivateDevices
+          # set to true by default will mount /dev within the chroot, whereas
+          # with "chroot-only" it's expected that there are no /dev, /proc and
+          # /sys file systems available.
+          #
+          # However, if this suddenly becomes true, the attack surface will
+          # increase, so let's explicitly set these options to true/false
+          # depending on the mode.
+          MountAPIVFS = wantsAPIVFS;
+          PrivateDevices = wantsAPIVFS;
+          PrivateTmp = wantsAPIVFS;
+          PrivateUsers = wantsAPIVFS;
+          ProtectControlGroups = wantsAPIVFS;
+          ProtectKernelModules = wantsAPIVFS;
+          ProtectKernelTunables = wantsAPIVFS;
+        };
+        confinement.packages = let
+          execOpts = [
+            "ExecReload" "ExecStart" "ExecStartPost" "ExecStartPre" "ExecStop"
+            "ExecStopPost"
+          ];
+          execPkgs = lib.concatMap (opt: let
+            isSet = config.serviceConfig ? ${opt};
+          in lib.optional isSet config.serviceConfig.${opt}) execOpts;
+          unitAttrs = toplevelConfig.systemd.units."${name}.service";
+          allPkgs = lib.singleton (builtins.toJSON unitAttrs);
+          unitPkgs = if fullUnit then allPkgs else execPkgs;
+        in unitPkgs ++ lib.optional (binSh != null) binSh;
+      };
+    }));
+  };
+
+  config.assertions = lib.concatLists (lib.mapAttrsToList (name: cfg: let
+    whatOpt = optName: "The 'serviceConfig' option '${optName}' for"
+                    + " service '${name}' is enabled in conjunction with"
+                    + " 'confinement.enable'";
+  in lib.optionals cfg.confinement.enable [
+    { assertion = !cfg.serviceConfig.RootDirectoryStartOnly or false;
+      message = "${whatOpt "RootDirectoryStartOnly"}, but right now systemd"
+              + " doesn't support restricting bind-mounts to 'ExecStart'."
+              + " Please either define a separate service or find a way to run"
+              + " commands other than ExecStart within the chroot.";
+    }
+    { assertion = !cfg.serviceConfig.DynamicUser or false;
+      message = "${whatOpt "DynamicUser"}. Please create a dedicated user via"
+              + " the 'users.users' option instead as this combination is"
+              + " currently not supported.";
+    }
+  ]) config.systemd.services);
+
+  config.systemd.packages = lib.concatLists (lib.mapAttrsToList (name: cfg: let
+    rootPaths = let
+      contents = lib.concatStringsSep "\n" cfg.confinement.packages;
+    in pkgs.writeText "${mkPathSafeName name}-string-contexts.txt" contents;
+
+    chrootPaths = pkgs.runCommand "${mkPathSafeName name}-chroot-paths" {
+      closureInfo = pkgs.closureInfo { inherit rootPaths; };
+      serviceName = "${name}.service";
+      excludedPath = rootPaths;
+    } ''
+      mkdir -p "$out/lib/systemd/system"
+      serviceFile="$out/lib/systemd/system/$serviceName"
+
+      echo '[Service]' > "$serviceFile"
+
+      # /bin/sh is special here, because the option value could contain a
+      # symlink and we need to properly resolve it.
+      ${lib.optionalString (cfg.confinement.binSh != null) ''
+        binsh=${lib.escapeShellArg cfg.confinement.binSh}
+        realprog="$(readlink -e "$binsh")"
+        echo "BindReadOnlyPaths=$realprog:/bin/sh" >> "$serviceFile"
+      ''}
+
+      while read storePath; do
+        if [ -L "$storePath" ]; then
+          # Currently, systemd can't cope with symlinks in Bind(ReadOnly)Paths,
+          # so let's just bind-mount the target to that location.
+          echo "BindReadOnlyPaths=$(readlink -e "$storePath"):$storePath"
+        elif [ "$storePath" != "$excludedPath" ]; then
+          echo "BindReadOnlyPaths=$storePath"
+        fi
+      done < "$closureInfo/store-paths" >> "$serviceFile"
+    '';
+  in lib.optional cfg.confinement.enable chrootPaths) config.systemd.services);
+}
--- a/nixos/modules/services/cluster/kubernetes/addons/dns.nix
+++ b/nixos/modules/services/cluster/kubernetes/addons/dns.nix
@@ -38,6 +38,18 @@ in {
      type = types.int;
    };

+    reconcileMode = mkOption {
+      description = ''
+        Controls the addon manager reconciliation mode for the DNS addon.
+
+        Setting reconcile mode to EnsureExists makes it possible to tailor DNS behavior by editing the coredns ConfigMap.
+
+        See: <link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/addon-manager/README.md"/>.
+      '';
+      default = "Reconcile";
+      type = types.enum [ "Reconcile" "EnsureExists" ];
+    };
+
    coredns = mkOption {
      description = "Docker image to seed for the CoreDNS container.";
      type = types.attrs;
@@ -131,7 +143,7 @@ in {
        kind = "ConfigMap";
        metadata = {
          labels = {
-            "addonmanager.kubernetes.io/mode" = "Reconcile";
+            "addonmanager.kubernetes.io/mode" = cfg.reconcileMode;
            "k8s-app" = "kube-dns";
            "kubernetes.io/cluster-service" = "true";
          };
@@ -162,7 +174,7 @@ in {
        kind = "Deployment";
        metadata = {
          labels = {
-            "addonmanager.kubernetes.io/mode" = "Reconcile";
+            "addonmanager.kubernetes.io/mode" = cfg.reconcileMode;
            "k8s-app" = "kube-dns";
            "kubernetes.io/cluster-service" = "true";
            "kubernetes.io/name" = "CoreDNS";
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -350,7 +350,7 @@ in
          listenPeerUrls = mkDefault ["https://0.0.0.0:2380"];
          advertiseClientUrls = mkDefault ["https://${top.masterAddress}:2379"];
          initialCluster = mkDefault ["${top.masterAddress}=https://${top.masterAddress}:2380"];
-          name = top.masterAddress;
+          name = mkDefault top.masterAddress;
          initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"];
        };

--- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix
+++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix
@@ -131,7 +131,7 @@ in
          ${optionalString (cfg.tlsCertFile!=null)
            "--tls-cert-file=${cfg.tlsCertFile}"} \
          ${optionalString (cfg.tlsKeyFile!=null)
-            "--tls-key-file=${cfg.tlsKeyFile}"} \
+            "--tls-private-key-file=${cfg.tlsKeyFile}"} \
          ${optionalString (elem "RBAC" top.apiserver.authorizationMode)
            "--use-service-account-credentials"} \
          ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
--- a/nixos/modules/services/cluster/kubernetes/default.nix
+++ b/nixos/modules/services/cluster/kubernetes/default.nix
@@ -10,7 +10,7 @@ let
    kind = "Config";
    clusters = [{
      name = "local";
-      cluster.certificate-authority = cfg.caFile;
+      cluster.certificate-authority = conf.caFile or cfg.caFile;
      cluster.server = conf.server;
    }];
    users = [{
--- a/nixos/modules/services/mail/davmail.nix
+++ b/nixos/modules/services/mail/davmail.nix
@@ -0,0 +1,91 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.services.davmail;
+
+  configType = with types;
+    either (either (attrsOf configType) str) (either int bool) // {
+      description = "davmail config type (str, int, bool or attribute set thereof)";
+    };
+
+  toStr = val: if isBool val then boolToString val else toString val;
+
+  linesForAttrs = attrs: concatMap (name: let value = attrs.${name}; in
+    if isAttrs value
+      then map (line: name + "." + line) (linesForAttrs value)
+      else [ "${name}=${toStr value}" ]
+  ) (attrNames attrs);
+
+  configFile = pkgs.writeText "davmail.properties" (concatStringsSep "\n" (linesForAttrs cfg.config));
+
+in
+
+  {
+    options.services.davmail = {
+      enable = mkEnableOption "davmail, an MS Exchange gateway";
+
+      url = mkOption {
+        type = types.str;
+        description = "Outlook Web Access URL to access the exchange server, i.e. the base webmail URL.";
+        example = "https://outlook.office365.com/EWS/Exchange.asmx";
+      };
+
+      config = mkOption {
+        type = configType;
+        default = {};
+        description = ''
+          Davmail configuration. Refer to
+          <link xlink:href="http://davmail.sourceforge.net/serversetup.html"/>
+          and <link xlink:href="http://davmail.sourceforge.net/advanced.html"/>
+          for details on supported values.
+        '';
+        example = literalExample ''
+          {
+            davmail.allowRemote = true;
+            davmail.imapPort = 55555;
+            davmail.bindAddress = "10.0.1.2";
+            davmail.smtpSaveInSent = true;
+            davmail.folderSizeLimit = 10;
+            davmail.caldavAutoSchedule = false;
+            log4j.logger.rootLogger = "DEBUG";
+          }
+        '';
+      };
+    };
+
+    config = mkIf cfg.enable {
+
+      services.davmail.config.davmail = mapAttrs (name: mkDefault) {
+        server = true;
+        disableUpdateCheck = true;
+        logFilePath = "/var/log/davmail/davmail.log";
+        logFileSize = "1MB";
+        mode = "auto";
+        url = cfg.url;
+        caldavPort = 1080;
+        imapPort = 1143;
+        ldapPort = 1389;
+        popPort = 1110;
+        smtpPort = 1025;
+      };
+
+      systemd.services.davmail = {
+        description = "DavMail POP/IMAP/SMTP Exchange Gateway";
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = {
+          Type = "simple";
+          ExecStart = "${pkgs.davmail}/bin/davmail ${configFile}";
+          Restart = "on-failure";
+          DynamicUser = "yes";
+          LogsDirectory = "davmail";
+        };
+      };
+
+      environment.systemPackages = [ pkgs.davmail ];
+    };
+  }
--- a/nixos/modules/services/mail/rmilter.nix
+++ b/nixos/modules/services/mail/rmilter.nix
@@ -8,7 +8,7 @@ let
  postfixCfg = config.services.postfix;
  cfg = config.services.rmilter;

-  inetSocket = addr: port: "inet:[${toString port}@${addr}]";
+  inetSocket = addr: port: "inet:${addr}:${toString port}";
  unixSocket = sock: "unix:${sock}";

  systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path
@@ -97,7 +97,7 @@ in

      bindSocket.address = mkOption {
        type = types.str;
-        default = "::1";
+        default = "[::1]";
        example = "0.0.0.0";
        description = ''
          Inet address to listen on.
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -160,6 +160,20 @@ let
     '';
  };

+  gitlab-rails = pkgs.stdenv.mkDerivation rec {
+    name = "gitlab-rails";
+    buildInputs = [ pkgs.makeWrapper ];
+    dontBuild = true;
+    unpackPhase = ":";
+    installPhase = ''
+      mkdir -p $out/bin
+      makeWrapper ${cfg.packages.gitlab.rubyEnv}/bin/rails $out/bin/gitlab-rails \
+          ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \
+          --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package pkgs.coreutils pkgs.procps ]}:$PATH' \
+          --run 'cd ${cfg.packages.gitlab}/share/gitlab'
+     '';
+  };
+
  smtpSettings = pkgs.writeText "gitlab-smtp-settings.rb" ''
    if Rails.env.production?
      Rails.application.config.action_mailer.delivery_method = :smtp
@@ -439,7 +453,7 @@ in {

  config = mkIf cfg.enable {

-    environment.systemPackages = [ pkgs.git gitlab-rake cfg.packages.gitlab-shell ];
+    environment.systemPackages = [ pkgs.git gitlab-rake gitlab-rails cfg.packages.gitlab-shell ];

    # Redis is required for the sidekiq queue runner.
    services.redis.enable = mkDefault true;
@@ -512,9 +526,12 @@ in {
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [
        openssh
+        procps  # See https://gitlab.com/gitlab-org/gitaly/issues/1562
        gitAndTools.git
        cfg.packages.gitaly.rubyEnv
        cfg.packages.gitaly.rubyEnv.wrappedRuby
+        gzip
+        bzip2
      ];
      serviceConfig = {
        Type = "simple";
--- a/nixos/modules/services/monitoring/hdaps.nix
+++ b/nixos/modules/services/monitoring/hdaps.nix
@@ -16,6 +16,7 @@ in
  };

  config = mkIf cfg.enable {
+    boot.kernelModules = [ "hdapsd" ];
    services.udev.packages = hdapsd;
    systemd.packages = hdapsd;
  };
--- a/nixos/modules/services/networking/knot.nix
+++ b/nixos/modules/services/networking/knot.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.knot;
+
+  configFile = pkgs.writeText "knot.conf" cfg.extraConfig;
+  socketFile = "/run/knot/knot.sock";
+
+  knotConfCheck = file: pkgs.runCommand "knot-config-checked"
+    { buildInputs = [ cfg.package ]; } ''
+    ln -s ${configFile} $out
+    knotc --config=${configFile} conf-check
+  '';
+
+  knot-cli-wrappers = pkgs.stdenv.mkDerivation {
+    name = "knot-cli-wrappers";
+    buildInputs = [ pkgs.makeWrapper ];
+    buildCommand = ''
+      mkdir -p $out/bin
+      makeWrapper ${cfg.package}/bin/knotc "$out/bin/knotc" \
+        --add-flags "--config=${configFile}" \
+        --add-flags "--socket=${socketFile}"
+      makeWrapper ${cfg.package}/bin/keymgr "$out/bin/keymgr" \
+        --add-flags "--config=${configFile}"
+      for executable in kdig khost kjournalprint knsec3hash knsupdate kzonecheck
+      do
+        ln -s "${cfg.package}/bin/$executable" "$out/bin/$executable"
+      done
+      mkdir -p "$out/share"
+      ln -s '${cfg.package}/share/man' "$out/share/"
+    '';
+  };
+in {
+  options = {
+    services.knot = {
+      enable = mkEnableOption "Knot authoritative-only DNS server";
+
+      extraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          List of additional command line paramters for knotd
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Extra lines to be added verbatim to knot.conf
+        '';
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.knot-dns;
+        description = ''
+          Which Knot DNS package to use
+        '';
+      };
+    };
+  };
+
+  config = mkIf config.services.knot.enable {
+    systemd.services.knot = {
+      unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
+      description = cfg.package.meta.description;
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network.target" ];
+      after = ["network.target" ];
+
+      serviceConfig = {
+        Type = "notify";
+        ExecStart = "${cfg.package}/bin/knotd --config=${knotConfCheck configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
+        ExecReload = "${knot-cli-wrappers}/bin/knotc reload";
+        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
+        NoNewPrivileges = true;
+        DynamicUser = "yes";
+        RuntimeDirectory = "knot";
+        StateDirectory = "knot";
+        StateDirectoryMode = "0700";
+        PrivateDevices = true;
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+        SystemCallArchitectures = "native";
+        Restart = "on-abort";
+      };
+    };
+
+    environment.systemPackages = [ knot-cli-wrappers ];
+  };
+}
+
--- a/nixos/modules/services/search/elasticsearch-curator.nix
+++ b/nixos/modules/services/search/elasticsearch-curator.nix
@@ -86,7 +86,7 @@ in {
      startAt = cfg.interval;
      serviceConfig = {
        ExecStart =
-          "${pkgs.python3Packages.elasticsearch-curator}/bin/curator" +
+          "${pkgs.elasticsearch-curator}/bin/curator" +
          " --config ${curatorConfig} ${curatorAction}";
      };
    };
--- a/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
+++ b/nixos/modules/services/web-apps/icingaweb2/icingaweb2.nix
@@ -3,112 +3,18 @@
  poolName = "icingaweb2";
  phpfpmSocketName = "/var/run/phpfpm/${poolName}.sock";

-  formatBool = b: if b then "1" else "0";
-
-  configIni = let
-    config = cfg.generalConfig;
-  in ''
-    [global]
-    show_stacktraces = "${formatBool config.showStacktraces}"
-    show_application_state_messages = "${formatBool config.showApplicationStateMessages}"
-    module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}"
-    config_backend = "${config.configBackend}"
-    ${optionalString (config.configBackend == "db") ''config_resource = "${config.configResource}"''}
-
-    [logging]
-    log = "${config.log}"
-    ${optionalString (config.log != "none") ''level = "${config.logLevel}"''}
-    ${optionalString (config.log == "php" || config.log == "syslog") ''application = "${config.logApplication}"''}
-    ${optionalString (config.log == "syslog") ''facility = "${config.logFacility}"''}
-    ${optionalString (config.log == "file") ''file = "${config.logFile}"''}
-
-    [themes]
-    default = "${config.themeDefault}"
-    disabled = "${formatBool config.themeDisabled}"
-
-    [authentication]
-    ${optionalString (config.authDefaultDomain != null) ''default_domain = "${config.authDefaultDomain}"''}
-  '';
-
-  resourcesIni = concatStringsSep "\n" (mapAttrsToList (name: config: ''
-    [${name}]
-    type = "${config.type}"
-    ${optionalString (config.type == "db") ''
-      db = "${config.db}"
-      host = "${config.host}"
-      ${optionalString (config.port != null) ''port = "${toString config.port}"''}
-      username = "${config.username}"
-      password = "${config.password}"
-      dbname = "${config.dbname}"
-      ${optionalString (config.charset != null) ''charset = "${config.charset}"''}
-      use_ssl = "${formatBool config.useSSL}"
-      ${optionalString (config.sslCert != null) ''ssl_cert = "${config.sslCert}"''}
-      ${optionalString (config.sslKey != null) ''ssl_cert = "${config.sslKey}"''}
-      ${optionalString (config.sslCA != null) ''ssl_cert = "${config.sslCA}"''}
-      ${optionalString (config.sslCApath != null) ''ssl_cert = "${config.sslCApath}"''}
-      ${optionalString (config.sslCipher != null) ''ssl_cert = "${config.sslCipher}"''}
-    ''}
-    ${optionalString (config.type == "ldap") ''
-      hostname = "${config.host}"
-      ${optionalString (config.port != null) ''port = "${toString config.port}"''}
-      root_dn = "${config.rootDN}"
-      bind_dn = "${config.username}"
-      bind_pw = "${config.password}"
-      encryption = "${config.ldapEncryption}"
-      timeout = "${toString config.ldapTimeout}"
-    ''}
-    ${optionalString (config.type == "ssh") ''
-      user = "${config.username}"
-      private_key = "${config.sshPrivateKey}"
-    ''}
-
-  '') cfg.resources);
-
-  authenticationIni = concatStringsSep "\n" (mapAttrsToList (name: config: ''
-    [${name}]
-    backend = "${config.backend}"
-    ${optionalString (config.domain != null) ''domain = "${config.domain}"''}
-    ${optionalString (config.backend == "external" && config.externalStripRegex != null) ''strip_username_regexp = "${config.externalStripRegex}"''}
-    ${optionalString (config.backend != "external") ''resource = "${config.resource}"''}
-    ${optionalString (config.backend == "ldap" || config.backend == "msldap") ''
-      ${optionalString (config.ldapUserClass != null) ''user_class = "${config.ldapUserClass}"''}
-      ${optionalString (config.ldapUserNameAttr != null) ''user_name_attribute = "${config.ldapUserNameAttr}"''}
-      ${optionalString (config.ldapFilter != null) ''filter = "${config.ldapFilter}"''}
-    ''}
-  '') cfg.authentications);
-
-  groupsIni = concatStringsSep "\n" (mapAttrsToList (name: config: ''
-    [${name}]
-    backend = "${config.backend}"
-    resource = "${config.resource}"
-    ${optionalString (config.backend != "db") ''
-      ${optionalString (config.ldapUserClass != null) ''user_class = "${config.ldapUserClass}"''}
-      ${optionalString (config.ldapUserNameAttr != null) ''user_name_attribute = "${config.ldapUserNameAttr}"''}
-      ${optionalString (config.ldapGroupClass != null) ''group_class = "${config.ldapGroupClass}"''}
-      ${optionalString (config.ldapGroupNameAttr != null) ''group_name_attribute = "${config.ldapGroupNameAttr}"''}
-      ${optionalString (config.ldapGroupFilter != null) ''group_filter = "${config.ldapGroupFilter}"''}
-    ''}
-    ${optionalString (config.backend == "msldap" && config.ldapNestedSearch) ''nested_group_search = "1"''}
-  '') cfg.groupBackends);
-
-  rolesIni = let
-    optionalList = var: attribute: optionalString (builtins.length var > 0) ''${attribute} = "${concatStringsSep "," var}"'';
-  in concatStringsSep "\n" (mapAttrsToList (name: config: ''
-    [${name}]
-    ${optionalList config.users "users"}
-    ${optionalList config.groups "groups"}
-    ${optionalList config.permissions "permissions"}
-    ${optionalList config.permissions "permissions"}
-    ${concatStringsSep "\n" (mapAttrsToList (key: value: optionalList value key) config.extraAssignments)}
-  '') cfg.roles);
-
+  defaultConfig = {
+    global = {
+      module_path = "${pkgs.icingaweb2}/modules${optionalString (builtins.length config.modulePath > 0) ":${concatStringsSep ":" config.modulePath}"}";
+    };
+  };
 in {
  options.services.icingaweb2 = with types; {
    enable = mkEnableOption "the icingaweb2 web interface";

    pool = mkOption {
      type = str;
-      default = "${poolName}";
+      default = poolName;
      description = ''
         Name of existing PHP-FPM pool that is used to run Icingaweb2.
         If not specified, a pool will automatically created with default values.
@@ -143,7 +49,7 @@ in {
      default = {};
      example = literalExample ''
        {
-          "snow" = pkgs.icingaweb2Modules.theme-snow;
+          "snow" = icingaweb2Modules.theme-snow;
        }
      '';
      description = ''
@@ -153,394 +59,105 @@ in {
      '';
    };

-    generalConfig = {
-      mutable = mkOption {
-        type = bool;
-        default = false;
-        description = ''
-          Make config.ini mutable (e.g. via the web interface).
-          Not that you need to update module_path manually.
-        '';
+    generalConfig = mkOption {
+      type = nullOr attrs;
+      default = null;
+      example = {
+        general = {
+          showStacktraces = 1;
+          config_resource = "icingaweb_db";
+        };
+        logging = {
+          log = "syslog";
+          level = "CRITICAL";
+        };
      };
+      description = ''
+        config.ini contents.
+        Will automatically be converted to a .ini file.
+        If you don't set global.module_path, the module will take care of it.

-      showStacktraces = mkOption {
-        type = bool;
-        default = true;
-        description = "Enable stack traces in the Web UI";
-      };
-
-      showApplicationStateMessages = mkOption {
-        type = bool;
-        default = true;
-        description = "Enable application state messages in the Web UI";
-      };
-
-      modulePath = mkOption {
-        type = listOf str;
-        default = [];
-        description = "List of additional module search paths";
-      };
-
-      configBackend = mkOption {
-        type = enum [ "ini" "db" "none" ];
-        default = "db";
-        description = "Where to store user preferences";
-      };
-
-      configResource = mkOption {
-        type = nullOr str;
-        default = null;
-        description = "Database resource where user preferences are stored (if they are stored in a database)";
-      };
-
-      log = mkOption {
-        type = enum [ "syslog" "php" "file" "none" ];
-        default = "syslog";
-        description = "Logging target";
-      };
-
-      logLevel = mkOption {
-        type = enum [ "ERROR" "WARNING" "INFO" "DEBUG" ];
-        default = "ERROR";
-        description = "Maximum logging level to emit";
-      };
-
-      logApplication = mkOption {
-        type = str;
-        default = "icingaweb2";
-        description = "Application name to log under (syslog and php log)";
-      };
-
-      logFacility = mkOption {
-        type = enum [ "user" "local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7" ];
-        default = "user";
-        description = "Syslog facility to log to";
-      };
-
-      logFile = mkOption {
-        type = str;
-        default = "/var/log/icingaweb2/icingaweb2.log";
-        description = "File to log to";
-      };
-
-      themeDefault = mkOption {
-        type = str;
-        default = "Icinga";
-        description = "Name of the default theme";
-      };
-
-      themeDisabled = mkOption {
-        type = bool;
-        default = false;
-        description = "Disallow users to change the theme";
-      };
-
-      authDefaultDomain = mkOption {
-        type = nullOr str;
-        default = null;
-        description = "Domain for users logging in without a qualified domain";
-      };
-    };
-
-    mutableResources = mkOption {
-      type = bool;
-      default = false;
-      description = "Make resources.ini mutable (e.g. via the web interface)";
+        If the value is null, no config.ini is created and you can
+        modify it manually (e.g. via the web interface).
+        Note that you need to update module_path manually.
+      '';
    };

    resources = mkOption {
-      default = {};
-      description = "Icingaweb 2 resources to define";
-      type = attrsOf (submodule ({ name, ... }: {
-        options = {
-          name = mkOption {
-            visible = false;
-            default = name;
-            type = str;
-            description = "Name of this resource";
-          };
-
-          type = mkOption {
-            type = enum [ "db" "ldap" "ssh" ];
-            default = "db";
-            description = "Type of this resouce";
-          };
-
-          db = mkOption {
-            type = enum [ "mysql" "pgsql" ];
-            default = "mysql";
-            description = "Type of this database resource";
-          };
-
-          host = mkOption {
-            type = str;
-            description = "Host to connect to";
-          };
-
-          port = mkOption {
-            type = nullOr port;
-            default = null;
-            description = "Port to connect on";
-          };
-
-          username = mkOption {
-            type = str;
-            description = "Database or SSH user or LDAP bind DN to connect with";
-          };
-
-          password = mkOption {
-            type = str;
-            description = "Password for the database user or LDAP bind DN";
-          };
-
-          dbname = mkOption {
-            type = str;
-            description = "Name of the database to connect to";
-          };
-
-          charset = mkOption {
-            type = nullOr str;
-            default = null;
-            example = "utf8";
-            description = "Database character set to connect with";
-          };
-
-          useSSL = mkOption {
-            type = nullOr bool;
-            default = false;
-            description = "Whether to connect to the database using SSL";
-          };
-
-          sslCert = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "The file path to the SSL certificate. Only available for the mysql database.";
-          };
-
-          sslKey = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "The file path to the SSL key. Only available for the mysql database.";
-          };
-
-          sslCA = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "The file path to the SSL certificate authority. Only available for the mysql database.";
-          };
-
-          sslCApath = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "The file path to the directory that contains the trusted SSL CA certificates in PEM format. Only available for the mysql database.";
-          };
-
-          sslCipher = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "A list of one or more permissible ciphers to use for SSL encryption, in a format understood by OpenSSL. Only available for the mysql database.";
-          };
-
-          rootDN = mkOption {
-            type = str;
-            description = "Root object of the LDAP tree";
-          };
-
-          ldapEncryption = mkOption {
-            type = enum [ "none" "starttls" "ldaps" ];
-            default = "none";
-            description = "LDAP encryption to use";
-          };
-
-          ldapTimeout = mkOption {
-            type = ints.positive;
-            default = 5;
-            description = "Connection timeout for every LDAP connection";
-          };
-
-          sshPrivateKey = mkOption {
-            type = str;
-            description = "The path to the private key of the user";
-          };
+      type = nullOr attrs;
+      default = null;
+      example = {
+        icingaweb_db = {
+          type = "db";
+          db = "mysql";
+          host = "localhost";
+          username = "icingaweb2";
+          password = "icingaweb2";
+          dbname = "icingaweb2";
        };
-      }));
-    };
+      };
+      description = ''
+        resources.ini contents.
+        Will automatically be converted to a .ini file.

-    mutableAuthConfig = mkOption {
-      type = bool;
-      default = true;
-      description = "Make authentication.ini mutable (e.g. via the web interface)";
+        If the value is null, no resources.ini is created and you can
+        modify it manually (e.g. via the web interface).
+        Note that if you set passwords here, they will go into the nix store.
+      '';
    };

    authentications = mkOption {
-      default = {};
-      description = "Icingaweb 2 authentications to define";
-      type = attrsOf (submodule ({ name, ... }: {
-        options = {
-          name = mkOption {
-            visible = false;
-            default = name;
-            type = str;
-            description = "Name of this authentication";
-          };
-
-          backend = mkOption {
-            type = enum [ "external" "ldap" "msldap" "db" ];
-            default = "db";
-            description = "The type of this authentication backend";
-          };
-
-          domain = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "Domain for domain-aware authentication";
-          };
-
-          externalStripRegex = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "Regular expression to strip off specific user name parts";
-          };
-
-          resource = mkOption {
-            type = str;
-            description = "Name of the database/LDAP resource";
-          };
-
-          ldapUserClass = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP user class";
-          };
-
-          ldapUserNameAttr = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP attribute which contains the username";
-          };
-
-          ldapFilter = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP search filter";
-          };
+      type = nullOr attrs;
+      default = null;
+      example = {
+        icingaweb = {
+          backend = "db";
+          resource = "icingaweb_db";
        };
-      }));
-    };
+      };
+      description = ''
+        authentication.ini contents.
+        Will automatically be converted to a .ini file.

-    mutableGroupsConfig = mkOption {
-      type = bool;
-      default = true;
-      description = "Make groups.ini mutable (e.g. via the web interface)";
+        If the value is null, no authentication.ini is created and you can
+        modify it manually (e.g. via the web interface).
+      '';
    };

    groupBackends = mkOption {
-      default = {};
-      description = "Icingaweb 2 group backends to define";
-      type = attrsOf (submodule ({ name, ... }: {
-        options = {
-          name = mkOption {
-            visible = false;
-            default = name;
-            type = str;
-            description = "Name of this group backend";
-          };
-
-          backend = mkOption {
-            type = enum [ "ldap" "msldap" "db" ];
-            default = "db";
-            description = "The type of this group backend";
-          };
-
-          resource = mkOption {
-            type = str;
-            description = "Name of the database/LDAP resource";
-          };
-
-          ldapUserClass = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP user class";
-          };
-
-          ldapUserNameAttr = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP attribute which contains the username";
-          };
-
-          ldapGroupClass = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP group class";
-          };
-
-          ldapGroupNameAttr = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP attribute which contains the groupname";
-          };
-
-          ldapGroupFilter = mkOption {
-            type = nullOr str;
-            default = null;
-            description = "LDAP group search filter";
-          };
-
-          ldapNestedSearch = mkOption {
-            type = bool;
-            default = false;
-            description = "Enable nested group search in Active Directory based on the user";
-          };
+      type = nullOr attrs;
+      default = null;
+      example = {
+        icingaweb = {
+          backend = "db";
+          resource = "icingaweb_db";
        };
-      }));
-    };
+      };
+      description = ''
+        groups.ini contents.
+        Will automatically be converted to a .ini file.

-    mutableRolesConfig = mkOption {
-      type = bool;
-      default = true;
-      description = "Make roles.ini mutable (e.g. via the web interface)";
+        If the value is null, no groups.ini is created and you can
+        modify it manually (e.g. via the web interface).
+      '';
    };

    roles = mkOption {
-      default = {};
-      description = "Icingaweb 2 roles to define";
-      type = attrsOf (submodule ({ name, ... }: {
-        options = {
-          name = mkOption {
-            visible = false;
-            default = name;
-            type = str;
-            description = "Name of this role";
-          };
-
-          users = mkOption {
-            type = listOf str;
-            default = [];
-            description = "List of users that are assigned to the role";
-          };
-
-          groups = mkOption {
-            type = listOf str;
-            default = [];
-            description = "List of groups that are assigned to the role";
-          };
-
-          permissions = mkOption {
-            type = listOf str;
-            default = [];
-            example = [ "application/share/navigation" "config/*" ];
-            description = "The permissions to grant";
-          };
-
-          extraAssignments = mkOption {
-            type = attrsOf (listOf str);
-            default = {};
-            example = { "monitoring/blacklist/properties" = [ "sla" "customer"]; };
-            description = "Additional assignments of this role";
-          };
+      type = nullOr attrs;
+      default = null;
+      example = {
+        Administrators = {
+          users = "admin";
+          permissions = "*";
        };
-      }));
+      };
+      description = ''
+        roles.ini contents.
+        Will automatically be converted to a .ini file.
+
+        If the value is null, no roles.ini is created and you can
+        modify it manually (e.g. via the web interface).
+      '';
    };
  };

@@ -609,11 +226,11 @@ in {
      // doModule "test"
      // doModule "translation"
      # Configs
-      // optionalAttrs (!cfg.generalConfig.mutable) { "icingaweb2/config.ini".text = configIni; }
-      // optionalAttrs (!cfg.mutableResources) { "icingaweb2/resources.ini".text = resourcesIni; }
-      // optionalAttrs (!cfg.mutableAuthConfig) { "icingaweb2/authentication.ini".text = authenticationIni; }
-      // optionalAttrs (!cfg.mutableGroupsConfig) { "icingaweb2/groups.ini".text = groupsIni; }
-      // optionalAttrs (!cfg.mutableRolesConfig) { "icingaweb2/roles.ini".text = rolesIni; };
+      // optionalAttrs (cfg.generalConfig != null) { "icingaweb2/config.ini".text = generators.toINI {} (defaultConfig // cfg.generalConfig); }
+      // optionalAttrs (cfg.resources != null) { "icingaweb2/resources.ini".text = generators.toINI {} cfg.resources; }
+      // optionalAttrs (cfg.authentications != null) { "icingaweb2/authentication.ini".text = generators.toINI {} cfg.authentications; }
+      // optionalAttrs (cfg.groupBackends != null) { "icingaweb2/groups.ini".text = generators.toINI {} cfg.groupBackends; }
+      // optionalAttrs (cfg.roles != null) { "icingaweb2/roles.ini".text = generators.toINI {} cfg.roles; };

    # User and group
    users.groups.icingaweb2 = {};
--- a/nixos/modules/services/web-apps/matomo-doc.xml
+++ b/nixos/modules/services/web-apps/matomo-doc.xml
@@ -12,15 +12,15 @@
  An automatic setup is not suported by Matomo, so you need to configure Matomo
  itself in the browser-based Matomo setup.
 </para>
-
 <section xml:id="module-services-matomo-database-setup">
  <title>Database Setup</title>
+
  <para>
   You also need to configure a MariaDB or MySQL database and -user for Matomo
   yourself, and enter those credentials in your browser. You can use
   passwordless database authentication via the UNIX_SOCKET authentication
   plugin with the following SQL commands:
-   <programlisting>
+<programlisting>
        # For MariaDB
        INSTALL PLUGIN unix_socket SONAME 'auth_socket';
        CREATE DATABASE matomo;
@@ -46,30 +46,32 @@
   database is not on the same host.
  </para>
 </section>
-
 <section xml:id="module-services-matomo-archive-processing">
  <title>Archive Processing</title>
+
  <para>
-   This module comes with the systemd service <literal>matomo-archive-processing.service</literal>
-   and a timer that automatically triggers archive processing every hour.
-   This means that you can safely
+   This module comes with the systemd service
+   <literal>matomo-archive-processing.service</literal> and a timer that
+   automatically triggers archive processing every hour. This means that you
+   can safely
   <link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
-    disable browser triggers for Matomo archiving
-   </link> at <literal>Administration > System > General Settings</literal>.
+   disable browser triggers for Matomo archiving </link> at
+   <literal>Administration > System > General Settings</literal>.
  </para>
+
  <para>
   With automatic archive processing, you can now also enable to
   <link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
-    delete old visitor logs
-   </link> at <literal>Administration > System > Privacy</literal>,
-   but make sure that you run <literal>systemctl start matomo-archive-processing.service</literal>
-   at least once without errors if you have already collected data before,
-   so that the reports get archived before the source data gets deleted.
+   delete old visitor logs </link> at <literal>Administration > System >
+   Privacy</literal>, but make sure that you run <literal>systemctl start
+   matomo-archive-processing.service</literal> at least once without errors if
+   you have already collected data before, so that the reports get archived
+   before the source data gets deleted.
  </para>
 </section>
-
 <section xml:id="module-services-matomo-backups">
  <title>Backup</title>
+
  <para>
   You only need to take backups of your MySQL database and the
   <filename>/var/lib/matomo/config/config.ini.php</filename> file. Use a user
@@ -78,9 +80,9 @@
   <link xlink:href="https://matomo.org/faq/how-to-install/faq_138/" />.
  </para>
 </section>
-
 <section xml:id="module-services-matomo-issues">
  <title>Issues</title>
+
  <itemizedlist>
   <listitem>
    <para>
@@ -97,7 +99,6 @@
   </listitem>
  </itemizedlist>
 </section>
-
 <section xml:id="module-services-matomo-other-web-servers">
  <title>Using other Web Servers than nginx</title>

--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@@ -5,14 +5,18 @@ with lib;
 let
  cfg = config.services.nextcloud;

+  phpPackage = pkgs.php73;
+  phpPackages = pkgs.php73Packages;
+
  toKeyValue = generators.toKeyValue {
    mkKeyValue = generators.mkKeyValueDefault {} " = ";
  };

  phpOptionsExtensions = ''
-    ${optionalString cfg.caching.apcu "extension=${cfg.phpPackages.apcu}/lib/php/extensions/apcu.so"}
-    ${optionalString cfg.caching.redis "extension=${cfg.phpPackages.redis}/lib/php/extensions/redis.so"}
-    ${optionalString cfg.caching.memcached "extension=${cfg.phpPackages.memcached}/lib/php/extensions/memcached.so"}
+    ${optionalString cfg.caching.apcu "extension=${phpPackages.apcu}/lib/php/extensions/apcu.so"}
+    ${optionalString cfg.caching.redis "extension=${phpPackages.redis}/lib/php/extensions/redis.so"}
+    ${optionalString cfg.caching.memcached "extension=${phpPackages.memcached}/lib/php/extensions/memcached.so"}
+    extension=${phpPackages.imagick}/lib/php/extensions/imagick.so
    zend_extension = opcache.so
    opcache.enable = 1
  '';
@@ -28,7 +32,7 @@ let
    cd ${pkgs.nextcloud}
    exec /run/wrappers/bin/sudo -u nextcloud \
      NEXTCLOUD_CONFIG_DIR="${cfg.home}/config" \
-      ${config.services.phpfpm.phpPackage}/bin/php \
+      ${phpPackage}/bin/php \
      -c ${pkgs.writeText "php.ini" phpOptionsStr}\
      occ $*
  '';
@@ -45,6 +49,11 @@ in {
      default = "/var/lib/nextcloud";
      description = "Storage path of nextcloud.";
    };
+    logLevel = mkOption {
+      type = types.ints.between 0 4;
+      default = 2;
+      description = "Log level value between 0 (DEBUG) and 4 (FATAL).";
+    };
    https = mkOption {
      type = types.bool;
      default = false;
@@ -89,18 +98,6 @@ in {
      '';
    };

-    phpPackages = mkOption {
-      type = types.attrs;
-      default = pkgs.php71Packages;
-      defaultText = "pkgs.php71Packages";
-      description = ''
-        Overridable attribute of the PHP packages set to use.  If any caching
-        module is enabled, it will be taken from here.  Therefore it should
-        match the version of PHP given to
-        <literal>services.phpfpm.phpPackage</literal>.
-      '';
-    };
-
    phpOptions = mkOption {
      type = types.attrsOf types.str;
      default = {
@@ -218,6 +215,19 @@ in {
          <literal>services.nextcloud.hostname</literal> here.
        '';
      };
+
+      overwriteProtocol = mkOption {
+        type = types.nullOr (types.enum [ "http" "https" ]);
+        default = null;
+        example = "https";
+
+        description = ''
+          Force Nextcloud to always use HTTPS i.e. for link generation. Nextcloud
+          uses the currently used protocol by default, but when behind a reverse-proxy,
+          it may use <literal>http</literal> for everything although Nextcloud
+          may be served via HTTPS.
+        '';
+      };
    };

    caching = {
@@ -281,6 +291,8 @@ in {
              'skeletondirectory' => '${cfg.skeletonDirectory}',
              ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
              'log_type' => 'syslog',
+              'log_level' => '${builtins.toString cfg.logLevel}',
+              ${optionalString (cfg.config.overwriteProtocol != null) "'overwriteprotocol' => '${cfg.config.overwriteProtocol}',"}
            ];
          '';
          occInstallCmd = let
@@ -348,19 +360,19 @@ in {
          environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
          serviceConfig.Type = "oneshot";
          serviceConfig.User = "nextcloud";
-          serviceConfig.ExecStart = "${pkgs.php}/bin/php -f ${pkgs.nextcloud}/cron.php";
+          serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${pkgs.nextcloud}/cron.php";
        };
      };

      services.phpfpm = {
-        phpOptions = phpOptionsExtensions;
-        phpPackage = pkgs.php71;
        pools.nextcloud = let
          phpAdminValues = (toKeyValue
            (foldr (a: b: a // b) {}
              (mapAttrsToList (k: v: { "php_admin_value[${k}]" = v; })
                phpOptions)));
        in {
+          phpOptions = phpOptionsExtensions;
+          phpPackage = phpPackage;
          listen = "/run/phpfpm/nextcloud";
          extraConfig = ''
            listen.owner = nginx
@@ -401,7 +413,7 @@ in {
              };
              "/" = {
                priority = 200;
-                extraConfig = "rewrite ^ /index.php$uri;";
+                extraConfig = "rewrite ^ /index.php$request_uri;";
              };
              "~ ^/store-apps" = {
                priority = 201;
@@ -415,19 +427,19 @@ in {
                priority = 210;
                extraConfig = "return 301 $scheme://$host/remote.php/dav;";
              };
-              "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/" = {
+              "~ ^\\/(?:build|tests|config|lib|3rdparty|templates|data)\\/" = {
                priority = 300;
                extraConfig = "deny all;";
              };
-              "~ ^/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
+              "~ ^\\/(?:\\.|autotest|occ|issue|indie|db_|console)" = {
                priority = 300;
                extraConfig = "deny all;";
              };
-              "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\\.php(?:$|/)" = {
+              "~ ^\\/(?:index|remote|public|cron|core/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|ocm-provider\\/.+)\\.php(?:$|\\/)" = {
                priority = 500;
                extraConfig = ''
                  include ${config.services.nginx.package}/conf/fastcgi.conf;
-                  fastcgi_split_path_info ^(.+\.php)(/.*)$;
+                  fastcgi_split_path_info ^(.+\.php)(\\/.*)$;
                  fastcgi_param PATH_INFO $fastcgi_path_info;
                  fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
                  fastcgi_param modHeadersAvailable true;
@@ -438,22 +450,23 @@ in {
                  fastcgi_read_timeout 120s;
                '';
              };
-              "~ ^/(?:updater|ocs-provider)(?:$|/)".extraConfig = ''
+              "~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
                try_files $uri/ =404;
                index index.php;
              '';
-              "~ \\.(?:css|js|woff|svg|gif)$".extraConfig = ''
-                try_files $uri /index.php$uri$is_args$args;
+              "~ \\.(?:css|js|woff2?|svg|gif)$".extraConfig = ''
+                try_files $uri /index.php$request_uri;
                add_header Cache-Control "public, max-age=15778463";
                add_header X-Content-Type-Options nosniff;
                add_header X-XSS-Protection "1; mode=block";
                add_header X-Robots-Tag none;
                add_header X-Download-Options noopen;
                add_header X-Permitted-Cross-Domain-Policies none;
+                add_header Referrer-Policy no-referrer;
                access_log off;
              '';
              "~ \\.(?:png|html|ttf|ico|jpg|jpeg)$".extraConfig = ''
-                try_files $uri /index.php$uri$is_args$args;
+                try_files $uri /index.php$request_uri;
                access_log off;
              '';
            };
@@ -463,10 +476,12 @@ in {
              add_header X-Robots-Tag none;
              add_header X-Download-Options noopen;
              add_header X-Permitted-Cross-Domain-Policies none;
+              add_header Referrer-Policy no-referrer;
              error_page 403 /core/templates/403.php;
              error_page 404 /core/templates/404.php;
              client_max_body_size ${cfg.maxUploadSize};
              fastcgi_buffers 64 4K;
+              fastcgi_hide_header X-Powered-By;
              gzip on;
              gzip_vary on;
              gzip_comp_level 4;
--- a/nixos/modules/services/web-apps/nextcloud.xml
+++ b/nixos/modules/services/web-apps/nextcloud.xml
@@ -4,24 +4,26 @@
         version="5.0"
         xml:id="module-services-nextcloud">
 <title>Nextcloud</title>
-
 <para>
-  <link xlink:href="https://nextcloud.com/">Nextcloud</link> is an open-source, self-hostable cloud
-  platform. The server setup can be automated using
-  <link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. A desktop client is packaged
-  at <literal>pkgs.nextcloud-client</literal>.
+  <link xlink:href="https://nextcloud.com/">Nextcloud</link> is an open-source,
+  self-hostable cloud platform. The server setup can be automated using
+  <link linkend="opt-services.nextcloud.enable">services.nextcloud</link>. A
+  desktop client is packaged at <literal>pkgs.nextcloud-client</literal>.
 </para>
-
 <section xml:id="module-services-nextcloud-basic-usage">
  <title>Basic usage</title>
+
  <para>
   Nextcloud is a PHP-based application which requires an HTTP server
-   (<literal><link linkend="opt-services.nextcloud.enable">services.nextcloud</link></literal> optionally supports
-   <literal><link linkend="opt-services.nginx.enable">services.nginx</link></literal>) and a database
-   (it's recommended to use <literal><link linkend="opt-services.postgresql.enable">services.postgresql</link></literal>).
+   (<literal><link linkend="opt-services.nextcloud.enable">services.nextcloud</link></literal>
+   optionally supports
+   <literal><link linkend="opt-services.nginx.enable">services.nginx</link></literal>)
+   and a database (it's recommended to use
+   <literal><link linkend="opt-services.postgresql.enable">services.postgresql</link></literal>).
  </para>
+
  <para>
-    A very basic configuration may look like this:
+   A very basic configuration may look like this:
 <programlisting>{ pkgs, ... }:
 {
  services.nextcloud = {
@@ -55,45 +57,59 @@
  <link linkend="opt-networking.firewall.allowedTCPPorts">networking.firewall.allowedTCPPorts</link> = [ 80 443 ];
 }</programlisting>
  </para>
+
  <para>
-   The options <literal>hostName</literal> and <literal>nginx.enable</literal> are used internally to configure an
-   HTTP server using <literal><link xlink:href="https://php-fpm.org/">PHP-FPM</link></literal> and <literal>nginx</literal>.
-   The <literal>config</literal> attribute set is used for the <literal>config.php</literal> which is used
-   for the application's configuration.
-   <emphasis>Beware: this isn't entirely pure since the config is modified by the application's runtime!</emphasis>
+   The options <literal>hostName</literal> and <literal>nginx.enable</literal>
+   are used internally to configure an HTTP server using
+   <literal><link xlink:href="https://php-fpm.org/">PHP-FPM</link></literal>
+   and <literal>nginx</literal>. The <literal>config</literal> attribute set is
+   used for the <literal>config.php</literal> which is used for the
+   application's configuration. <emphasis>Beware: this isn't entirely pure
+   since the config is modified by the application's runtime!</emphasis>
  </para>
+
  <para>
-    In case the application serves multiple hosts (those are checked with
-    <literal><link xlink:href="http://php.net/manual/en/reserved.variables.server.php">$_SERVER['HTTP_HOST']</link></literal>)
-    those can be added using
-    <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>.
+   In case the application serves multiple hosts (those are checked with
+   <literal><link xlink:href="http://php.net/manual/en/reserved.variables.server.php">$_SERVER['HTTP_HOST']</link></literal>)
+   those can be added using
+   <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>.
  </para>
 </section>
-
 <section xml:id="module-services-nextcloud-pitfalls-during-upgrade">
  <title>Pitfalls</title>
+
  <para>
-   Unfortunately Nextcloud appears to be very stateful when it comes to managing its own configuration. The
-   config file lives in the home directory of the <literal>nextcloud</literal> user (by default
-   <literal>/var/lib/nextcloud/config/config.php</literal>) and is also used to track several
-   states of the application (e.g. whether installed or not).
+   Unfortunately Nextcloud appears to be very stateful when it comes to
+   managing its own configuration. The config file lives in the home directory
+   of the <literal>nextcloud</literal> user (by default
+   <literal>/var/lib/nextcloud/config/config.php</literal>) and is also used to
+   track several states of the application (e.g. whether installed or not).
  </para>
+
  <para>
-   Right now changes to the <literal>services.nextcloud.config</literal> attribute set won't take effect
-   after the first install
-   (except <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>) since the actual configuration
-   file is generated by the NextCloud installer which also sets up critical parts such as the database
-   structure.
+   Right now changes to the <literal>services.nextcloud.config</literal>
+   attribute set won't take effect after the first install (except
+   <literal><link linkend="opt-services.nextcloud.config.extraTrustedDomains">services.nextcloud.config.extraTrustedDomains</link></literal>)
+   since the actual configuration file is generated by the NextCloud installer
+   which also sets up critical parts such as the database structure.
  </para>
+
  <para>
-   <emphasis>Warning: don't delete <literal>config.php</literal>! This file tracks the application's state and a deletion can cause unwanted side-effects!</emphasis>
+   <emphasis>Warning: don't delete <literal>config.php</literal>! This file
+   tracks the application's state and a deletion can cause unwanted
+   side-effects!</emphasis>
  </para>
+
  <para>
-   <emphasis>Warning: don't rerun <literal>nextcloud-occ maintenance:install</literal>! This command tries to install the application and can cause unwanted side-effects!</emphasis>
+   <emphasis>Warning: don't rerun <literal>nextcloud-occ
+   maintenance:install</literal>! This command tries to install the application
+   and can cause unwanted side-effects!</emphasis>
  </para>
+
  <para>
-    The issues are known and reported in <link xlink:href="https://github.com/NixOS/nixpkgs/issues/49783">#49783</link>, for now it's unfortunately necessary to manually work around these issues.
+   The issues are known and reported in
+   <link xlink:href="https://github.com/NixOS/nixpkgs/issues/49783">#49783</link>,
+   for now it's unfortunately necessary to manually work around these issues.
  </para>
 </section>
-
 </chapter>
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -705,10 +705,7 @@ in

        path =
          [ httpd pkgs.coreutils pkgs.gnugrep ]
-          ++ # Needed for PHP's mail() function.  !!! Probably the
-             # ssmtp module should export the path to sendmail in
-             # some way.
-             optional config.networking.defaultMailServer.directDelivery pkgs.ssmtp
+          ++ optional enablePHP pkgs.system-sendmail # Needed for PHP's mail() function.
          ++ concatMap (svc: svc.extraServerPath) allSubservices;

        environment =
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@@ -194,11 +194,12 @@ let
            then filter (x: x.ssl) defaultListen
            else defaultListen;

-        listenString = { addr, port, ssl, ... }:
+        listenString = { addr, port, ssl, extraParameters ? [], ... }:
          "listen ${addr}:${toString port} "
          + optionalString ssl "ssl "
          + optionalString (ssl && vhost.http2) "http2 "
          + optionalString vhost.default "default_server "
+          + optionalString (extraParameters != []) (concatStringsSep " " extraParameters)
          + ";";

        redirectListen = filter (x: !x.ssl) defaultListen;
@@ -491,8 +492,8 @@ in

      sslProtocols = mkOption {
        type = types.str;
-        default = "TLSv1.2";
-        example = "TLSv1 TLSv1.1 TLSv1.2";
+        default = "TLSv1.2 TLSv1.3";
+        example = "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3";
        description = "Allowed TLS protocol versions.";
      };

--- a/nixos/modules/services/web-servers/nginx/vhost-options.nix
+++ b/nixos/modules/services/web-servers/nginx/vhost-options.nix
@@ -31,6 +31,7 @@ with lib;
        addr = mkOption { type = str;  description = "IP address.";  };
        port = mkOption { type = int;  description = "Port number."; default = 80; };
        ssl  = mkOption { type = bool; description = "Enable SSL.";  default = false; };
+        extraParameters = mkOption { type = listOf str; description = "Extra parameters of this listen directive."; default = []; example = [ "reuseport" "deferred" ]; };
      }; });
      default = [];
      example = [
--- a/nixos/modules/services/x11/desktop-managers/pantheon.nix
+++ b/nixos/modules/services/x11/desktop-managers/pantheon.nix
@@ -108,25 +108,25 @@ in
      ([ pkgs.pantheon.switchboard-plug-power ])
      (mkIf config.services.printing.enable  ([pkgs.system-config-printer]) )
    ];
-    services.pantheon.contractor.enable = true;
+    services.pantheon.contractor.enable = mkDefault true;
    services.geoclue2.enable = mkDefault true;
    # pantheon has pantheon-agent-geoclue2
    services.geoclue2.enableDemoAgent = false;
    services.gnome3.at-spi2-core.enable = true;
    services.gnome3.evolution-data-server.enable = true;
-    services.gnome3.file-roller.enable = true;
+    services.gnome3.file-roller.enable = mkDefault true;
    # TODO: gnome-keyring's xdg autostarts will still be in the environment (from elementary-session-settings) if disabled forcefully
    services.gnome3.gnome-keyring.enable = true;
    services.gnome3.gvfs.enable = true;
-    services.gnome3.rygel.enable = true;
-    services.gsignond.enable = true;
+    services.gnome3.rygel.enable = mkDefault true;
+    services.gsignond.enable = mkDefault true;
    services.gsignond.plugins = with pkgs.gsignondPlugins; [ lastfm mail oauth ];
    services.udev.packages = [ pkgs.pantheon.elementary-settings-daemon ];
    services.udisks2.enable = true;
    services.upower.enable = config.powerManagement.enable;
    services.xserver.libinput.enable = mkDefault true;
    services.xserver.updateDbusEnvironment = true;
-    services.zeitgeist.enable = true;
+    services.zeitgeist.enable = mkDefault true;

    networking.networkmanager.enable = mkDefault true;
    networking.networkmanager.basePackages =
@@ -151,19 +151,15 @@ in
      "/share"
    ];

-    environment.systemPackages = pkgs.pantheon.artwork ++ pkgs.pantheon.desktop ++ pkgs.pantheon.services ++ cfg.sessionPath
-      ++ (pkgs.gnome3.removePackagesByName pkgs.pantheon.apps config.environment.pantheon.excludePackages)
-      ++ (with pkgs.gnome3;
-      [
-        adwaita-icon-theme
-        dconf
-        epiphany
+    environment.systemPackages =
+      pkgs.pantheon.artwork ++ pkgs.pantheon.desktop ++ pkgs.pantheon.services ++ cfg.sessionPath
+      ++ (with pkgs; gnome3.removePackagesByName
+      ([
+        gnome3.geary
+        gnome3.epiphany
+        gnome3.gnome-font-viewer
        evince
-        geary
-        gnome-bluetooth
-        gnome-font-viewer
-        gnome-power-manager
-      ])
+      ] ++ pantheon.apps) config.environment.pantheon.excludePackages)
      ++ (with pkgs;
      [
        adwaita-qt
@@ -171,6 +167,8 @@ in
        glib
        glib-networking
        gnome-menus
+        gnome3.adwaita-icon-theme
+        gnome3.dconf
        gtk3.out
        hicolor-icon-theme
        lightlocker
@@ -184,7 +182,9 @@ in
    fonts.fonts = with pkgs; [
      opensans-ttf
      roboto-mono
+      pantheon.elementary-redacted-script # needed by screenshot-tool
    ];
+
    fonts.fontconfig.defaultFonts = {
      monospace = [ "Roboto Mono" ];
      sansSerif = [ "Open Sans" ];
--- a/nixos/modules/services/x11/desktop-managers/plasma5.nix
+++ b/nixos/modules/services/x11/desktop-managers/plasma5.nix
@@ -163,6 +163,8 @@ in

          libsForQt56.phonon-backend-gstreamer
          libsForQt5.phonon-backend-gstreamer
+
+          xdg-user-dirs # Update user dirs as described in https://freedesktop.org/wiki/Software/xdg-user-dirs/
        ]

        ++ lib.optionals cfg.enableQt4Support [ pkgs.phonon-backend-gstreamer ]
@@ -175,9 +177,9 @@ in
        ++ lib.optional config.services.colord.enable colord-kde
        ++ lib.optionals config.services.samba.enable [ kdenetwork-filesharing pkgs.samba ];

-      environment.pathsToLink = [ 
+      environment.pathsToLink = [
        # FIXME: modules should link subdirs of `/share` rather than relying on this
-        "/share" 
+        "/share"
      ];

      environment.etc = singleton {
@@ -224,7 +226,29 @@ in
      security.pam.services.slim.enableKwallet = true;

      # Update the start menu for each user that is currently logged in
-      system.userActivationScripts.plasmaSetup = "${pkgs.libsForQt5.kservice}/bin/kbuildsycoca5";
+      system.userActivationScripts.plasmaSetup = ''
+        # The KDE icon cache is supposed to update itself
+        # automatically, but it uses the timestamp on the icon
+        # theme directory as a trigger.  Since in Nix the
+        # timestamp is always the same, this doesn't work.  So as
+        # a workaround, nuke the icon cache on login.  This isn't
+        # perfect, since it may require logging out after
+        # installing new applications to update the cache.
+        # See http://lists-archives.org/kde-devel/26175-what-when-will-icon-cache-refresh.html
+        rm -fv $HOME/.cache/icon-cache.kcache
+
+        # xdg-desktop-settings generates this empty file but
+        # it makes kbuildsyscoca5 fail silently. To fix this
+        # remove that menu if it exists.
+        rm -fv $HOME/.config/menus/applications-merged/xdg-desktop-menu-dummy.menu
+
+        # Remove the kbuildsyscoca5 cache. It will be regenerated
+        # immediately after. This is necessary for kbuildsyscoca5 to
+        # recognize that software that has been removed.
+        rm -fv $HOME/.cache/ksycoca*
+
+        ${pkgs.libsForQt5.kservice}/bin/kbuildsycoca5
+      '';
    })
  ];

--- a/nixos/modules/services/x11/desktop-managers/xfce.nix
+++ b/nixos/modules/services/x11/desktop-managers/xfce.nix
@@ -53,7 +53,7 @@ in

      # Supplies some abstract icons such as:
      # utilities-terminal, accessories-text-editor
-      gnome3.defaultIconTheme
+      gnome3.adwaita-icon-theme

      hicolor-icon-theme
      tango-icon-theme
--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
@@ -96,8 +96,8 @@ in

        package = mkOption {
          type = types.package;
-          default = pkgs.gnome3.defaultIconTheme;
-          defaultText = "pkgs.gnome3.defaultIconTheme";
+          default = pkgs.gnome3.adwaita-icon-theme;
+          defaultText = "pkgs.gnome3.adwaita-icon-theme";
          description = ''
            The package path that contains the icon theme given in the name option.
          '';
@@ -116,8 +116,8 @@ in
      cursorTheme = {

        package = mkOption {
-          default = pkgs.gnome3.defaultIconTheme;
-          defaultText = "pkgs.gnome3.defaultIconTheme";
+          default = pkgs.gnome3.adwaita-icon-theme;
+          defaultText = "pkgs.gnome3.adwaita-icon-theme";
          description = ''
            The package path that contains the cursor theme given in the name option.
          '';
--- a/nixos/modules/services/x11/window-managers/dwm.nix
+++ b/nixos/modules/services/x11/window-managers/dwm.nix
@@ -25,7 +25,7 @@ in
      { name = "dwm";
        start =
          ''
-            ${pkgs.dwm}/bin/dwm &
+            dwm &
            waitPID=$!
          '';
      };
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -244,7 +244,7 @@ in
        default = [ "ati" "cirrus" "vesa" "vmware" "modesetting" ];
        example = [
          "ati_unfree" "amdgpu" "amdgpu-pro"
-          "nv" "nvidia" "nvidiaLegacy340" "nvidiaLegacy304"
+          "nv" "nvidia" "nvidiaLegacy390" "nvidiaLegacy340" "nvidiaLegacy304"
        ];
        # TODO(@oxij): think how to easily add the rest, like those nvidia things
        relatedPackages = concatLists
@@ -257,6 +257,11 @@ in
          The names of the video drivers the configuration
          supports. They will be tried in order until one that
          supports your card is found.
+          Don't combine those with "incompatible" OpenGL implementations,
+          e.g. free ones (mesa-based) with proprietary ones.
+
+          For unfree "nvidia*", the supported GPU lists are on
+          https://www.nvidia.com/object/unix.html
        '';
      };

--- a/nixos/modules/system/boot/loader/grub/grub.nix
+++ b/nixos/modules/system/boot/loader/grub/grub.nix
@@ -8,13 +8,17 @@ let

  efi = config.boot.loader.efi;

-  realGrub = if cfg.version == 1 then pkgs.grub
-    else if cfg.zfsSupport then pkgs.grub2.override { zfsSupport = true; }
+  grubPkgs = 
+    # Package set of targeted architecture
+    if cfg.forcei686 then pkgs.pkgsi686Linux else pkgs;
+
+  realGrub = if cfg.version == 1 then grubPkgs.grub
+    else if cfg.zfsSupport then grubPkgs.grub2.override { zfsSupport = true; }
    else if cfg.trustedBoot.enable
         then if cfg.trustedBoot.isHPLaptop
-              then pkgs.trustedGrub-for-HP
-              else pkgs.trustedGrub
-         else pkgs.grub2;
+              then grubPkgs.trustedGrub-for-HP
+              else grubPkgs.trustedGrub
+         else grubPkgs.grub2;

  grub =
    # Don't include GRUB if we're only generating a GRUB menu (e.g.,
@@ -58,14 +62,10 @@ let
        version extraConfig extraPerEntryConfig extraEntries forceInstall useOSProber
        extraEntriesBeforeNixOS extraPrepareConfig extraInitrd configurationLimit copyKernels
        default fsIdentifier efiSupport efiInstallAsRemovable gfxmodeEfi gfxmodeBios;
-      path = (makeBinPath ([
-        pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.findutils pkgs.diffutils pkgs.btrfs-progs
-        pkgs.utillinux ]
-        ++ (optional (cfg.efiSupport && (cfg.version == 2)) pkgs.efibootmgr)
-        ++ (optionals cfg.useOSProber [pkgs.busybox pkgs.os-prober])
-      )) + ":" + (makeSearchPathOutput "bin" "sbin" [
-        pkgs.mdadm pkgs.utillinux
-      ]);
+      path = with pkgs; makeBinPath (
+        [ coreutils gnused gnugrep findutils diffutils btrfs-progs utillinux mdadm ]
+        ++ optional (cfg.efiSupport && (cfg.version == 2)) efibootmgr
+        ++ optionals cfg.useOSProber [ busybox os-prober ]);
      font = if cfg.font == null then ""
        else (if lib.last (lib.splitString "." cfg.font) == "pf2"
             then cfg.font
@@ -512,6 +512,15 @@ in
        '';
      };

+      forcei686 = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Whether to force the use of a ia32 boot loader on x64 systems. Required 
+          to install and run NixOS on 64bit x86 systems with 32bit (U)EFI.
+        '';
+      };
+
      trustedBoot = {

        enable = mkOption {
--- a/nixos/modules/system/boot/systemd-lib.nix
+++ b/nixos/modules/system/boot/systemd-lib.nix
@@ -9,12 +9,11 @@ in rec {

  shellEscape = s: (replaceChars [ "\\" ] [ "\\\\" ] s);

+  mkPathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""];
+
  makeUnit = name: unit:
-    let
-      pathSafeName = lib.replaceChars ["@" ":" "\\" "[" "]"] ["-" "-" "-" "" ""] name;
-    in
    if unit.enable then
-      pkgs.runCommand "unit-${pathSafeName}"
+      pkgs.runCommand "unit-${mkPathSafeName name}"
        { preferLocalBuild = true;
          allowSubstitutes = false;
          inherit (unit) text;
@@ -24,7 +23,7 @@ in rec {
          echo -n "$text" > $out/${shellEscape name}
        ''
    else
-      pkgs.runCommand "unit-${pathSafeName}-disabled"
+      pkgs.runCommand "unit-${mkPathSafeName name}-disabled"
        { preferLocalBuild = true;
          allowSubstitutes = false;
        }
--- a/nixos/modules/system/etc/make-etc.sh
+++ b/nixos/modules/system/etc/make-etc.sh
@@ -10,11 +10,6 @@ users_=($users)
 groups_=($groups)
 set +f

-# Create relative symlinks, so that the links can be followed if
-# the NixOS installation is not mounted as filesystem root.
-# Absolute symlinks violate the os-release format
-# at https://www.freedesktop.org/software/systemd/man/os-release.html
-# and break e.g. systemd-nspawn and os-prober.
 for ((i = 0; i < ${#targets_[@]}; i++)); do
    source="${sources_[$i]}"
    target="${targets_[$i]}"
@@ -24,14 +19,14 @@ for ((i = 0; i < ${#targets_[@]}; i++)); do
        # If the source name contains '*', perform globbing.
        mkdir -p $out/etc/$target
        for fn in $source; do
-            ln -s --relative "$fn" $out/etc/$target/
+            ln -s "$fn" $out/etc/$target/
        done

    else
-
+        
        mkdir -p $out/etc/$(dirname $target)
        if ! [ -e $out/etc/$target ]; then
-            ln -s --relative $source $out/etc/$target
+            ln -s $source $out/etc/$target
        else
            echo "duplicate entry $target -> $source"
            if test "$(readlink $out/etc/$target)" != "$source"; then
@@ -39,13 +34,13 @@ for ((i = 0; i < ${#targets_[@]}; i++)); do
                exit 1
            fi
        fi
-
+        
        if test "${modes_[$i]}" != symlink; then
            echo "${modes_[$i]}"  > $out/etc/$target.mode
            echo "${users_[$i]}"  > $out/etc/$target.uid
            echo "${groups_[$i]}" > $out/etc/$target.gid
        fi
-
+        
    fi
 done

--- a/nixos/modules/system/etc/setup-etc.pl
+++ b/nixos/modules/system/etc/setup-etc.pl
@@ -4,7 +4,6 @@ use File::Copy;
 use File::Path;
 use File::Basename;
 use File::Slurp;
-use File::Spec;

 my $etc = $ARGV[0] or die;
 my $static = "/etc/static";
@@ -18,20 +17,6 @@ sub atomicSymlink {
    return 1;
 }

-# Create relative symlinks, so that the links can be followed if
-# the NixOS installation is not mounted as filesystem root.
-# Absolute symlinks violate the os-release format
-# at https://www.freedesktop.org/software/systemd/man/os-release.html
-# and break e.g. systemd-nspawn and os-prober.
-sub atomicRelativeSymlink {
-    my ($source, $target) = @_;
-    my $tmp = "$target.tmp";
-    unlink $tmp;
-    my $rel = File::Spec->abs2rel($source, dirname $target);
-    symlink $rel, $tmp or return 0;
-    rename $tmp, $target or return 0;
-    return 1;
-}

 # Atomically update /etc/static to point at the etc files of the
 # current configuration.
@@ -118,7 +103,7 @@ sub link {
    if (-e "$_.mode") {
        my $mode = read_file("$_.mode"); chomp $mode;
        if ($mode eq "direct-symlink") {
-            atomicRelativeSymlink readlink("$static/$fn"), $target or warn;
+            atomicSymlink readlink("$static/$fn"), $target or warn;
        } else {
            my $uid = read_file("$_.uid"); chomp $uid;
            my $gid = read_file("$_.gid"); chomp $gid;
@@ -132,7 +117,7 @@ sub link {
        push @copied, $fn;
        print CLEAN "$fn\n";
    } elsif (-l "$_") {
-        atomicRelativeSymlink "$static/$fn", $target or warn;
+        atomicSymlink "$static/$fn", $target or warn;
    }
 }

--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -36,8 +36,9 @@ let
        #! ${pkgs.runtimeShell} -e

        # Initialise the container side of the veth pair.
-        if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ] || [ -n "$HOST_BRIDGE" ]; then
-
+        if [ -n "$HOST_ADDRESS" ]   || [ -n "$HOST_ADDRESS6" ]  ||
+           [ -n "$LOCAL_ADDRESS" ]  || [ -n "$LOCAL_ADDRESS6" ] ||
+           [ -n "$HOST_BRIDGE" ]; then
          ip link set host0 name eth0
          ip link set dev eth0 up

@@ -88,7 +89,8 @@ let
        extraFlags+=" --private-network"
      fi

-      if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then
+      if [ -n "$HOST_ADDRESS" ]  || [ -n "$LOCAL_ADDRESS" ] ||
+         [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
        extraFlags+=" --network-veth"
      fi

@@ -159,7 +161,8 @@ let
      # Clean up existing machined registration and interfaces.
      machinectl terminate "$INSTANCE" 2> /dev/null || true

-      if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then
+      if [ -n "$HOST_ADDRESS" ]  || [ -n "$LOCAL_ADDRESS" ] ||
+         [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
        ip link del dev "ve-$INSTANCE" 2> /dev/null || true
        ip link del dev "vb-$INSTANCE" 2> /dev/null || true
      fi
@@ -208,7 +211,8 @@ let
          '';
    in
      ''
-        if [ -n "$HOST_ADDRESS" ] || [ -n "$LOCAL_ADDRESS" ]; then
+        if [ -n "$HOST_ADDRESS" ]  || [ -n "$LOCAL_ADDRESS" ] ||
+           [ -n "$HOST_ADDRESS6" ] || [ -n "$LOCAL_ADDRESS6" ]; then
          if [ -z "$HOST_BRIDGE" ]; then
            ifaceHost=ve-$INSTANCE
            ip link set dev $ifaceHost up
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -52,6 +52,15 @@ in
          '';
      };

+    enableNvidia =
+      mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable nvidia-docker wrapper, supporting NVIDIA GPUs inside docker containers.
+        '';
+      };
+
    liveRestore =
      mkOption {
        type = types.bool;
@@ -140,7 +149,8 @@ in
  ###### implementation

  config = mkIf cfg.enable (mkMerge [{
-      environment.systemPackages = [ cfg.package ];
+      environment.systemPackages = [ cfg.package ]
+        ++ optional cfg.enableNvidia pkgs.nvidia-docker;
      users.groups.docker.gid = config.ids.gids.docker;
      systemd.packages = [ cfg.package ];

@@ -157,6 +167,7 @@ in
                --log-driver=${cfg.logDriver} \
                ${optionalString (cfg.storageDriver != null) "--storage-driver=${cfg.storageDriver}"} \
                ${optionalString cfg.liveRestore "--live-restore" } \
+                ${optionalString cfg.enableNvidia "--add-runtime nvidia=${pkgs.nvidia-docker}/bin/nvidia-container-runtime" } \
                ${cfg.extraOptions}
            ''];
          ExecReload=[
@@ -165,7 +176,8 @@ in
          ];
        };

-        path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);
+        path = [ pkgs.kmod ] ++ optional (cfg.storageDriver == "zfs") pkgs.zfs
+          ++ optional cfg.enableNvidia pkgs.nvidia-docker;
      };

      systemd.sockets.docker = {
@@ -179,7 +191,6 @@ in
        };
      };

-
      systemd.services.docker-prune = {
        description = "Prune docker resources";

@@ -194,7 +205,15 @@ in

        startAt = optional cfg.autoPrune.enable cfg.autoPrune.dates;
      };
+
+      assertions = [
+        { assertion = cfg.enableNvidia -> config.hardware.opengl.driSupport32Bit or false;
+          message = "Option enableNvidia requires 32bit support libraries";
+        }];
    }
+    (mkIf cfg.enableNvidia {
+      environment.etc."nvidia-container-runtime/config.toml".source = "${pkgs.nvidia-docker}/etc/config.toml";
+    })
  ]);

  imports = [
--- a/nixos/modules/virtualisation/openstack-config.nix
+++ b/nixos/modules/virtualisation/openstack-config.nix
@@ -20,6 +20,7 @@ in
  config = {
    fileSystems."/" = {
      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
      autoResize = true;
    };

--- a/nixos/modules/virtualisation/virtualbox-host.nix
+++ b/nixos/modules/virtualisation/virtualbox-host.nix
@@ -83,6 +83,8 @@ in
  };

  config = mkIf cfg.enable (mkMerge [{
+    warnings = mkIf (config.nixpkgs.config.virtualbox.enableExtensionPack or false)
+      ["'nixpkgs.virtualbox.enableExtensionPack' has no effect, please use 'virtualisation.virtualbox.host.enableExtensionPack'"];
    boot.kernelModules = [ "vboxdrv" "vboxnetadp" "vboxnetflt" ];
    boot.extraModulePackages = [ kernelModules ];
    environment.systemPackages = [ virtualbox ];
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -64,6 +64,7 @@ in rec {
        #(all nixos.tests.containers)
        (all nixos.tests.containers-imperative)
        (all nixos.tests.containers-ipv4)
+        (all nixos.tests.containers-ipv6)
        nixos.tests.chromium.x86_64-linux or []
        (all nixos.tests.firefox)
        (all nixos.tests.firewall)
--- a/nixos/release-small.nix
+++ b/nixos/release-small.nix
@@ -33,6 +33,7 @@ in rec {
      inherit (nixos'.tests)
        containers-imperative
        containers-ipv4
+        containers-ipv6
        firewall
        ipv6
        login
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -116,6 +116,7 @@ in
  kernel-latest = handleTest ./kernel-latest.nix {};
  kernel-lts = handleTest ./kernel-lts.nix {};
  keymap = handleTest ./keymap.nix {};
+  knot = handleTest ./knot.nix {};
  kubernetes.dns = handleTestOn ["x86_64-linux"] ./kubernetes/dns.nix {};
  # kubernetes.e2e should eventually replace kubernetes.rbac when it works
  #kubernetes.e2e = handleTestOn ["x86_64-linux"] ./kubernetes/e2e.nix {};
@@ -171,6 +172,7 @@ in
  osquery = handleTest ./osquery.nix {};
  osrm-backend = handleTest ./osrm-backend.nix {};
  ostree = handleTest ./ostree.nix {};
+  overlayfs = handleTest ./overlayfs.nix {};
  pam-oath-login = handleTest ./pam-oath-login.nix {};
  pam-u2f = handleTest ./pam-u2f.nix {};
  pantheon = handleTest ./pantheon.nix {};
@@ -215,6 +217,7 @@ in
  switchTest = handleTest ./switch-test.nix {};
  syncthing-relay = handleTest ./syncthing-relay.nix {};
  systemd = handleTest ./systemd.nix {};
+  systemd-confinement = handleTest ./systemd-confinement.nix {};
  taskserver = handleTest ./taskserver.nix {};
  telegraf = handleTest ./telegraf.nix {};
  tomcat = handleTest ./tomcat.nix {};
@@ -224,6 +227,7 @@ in
  upnp = handleTest ./upnp.nix {};
  vault = handleTest ./vault.nix {};
  virtualbox = handleTestOn ["x86_64-linux"] ./virtualbox.nix {};
+  wireguard = handleTest ./wireguard {};
  wordpress = handleTest ./wordpress.nix {};
  xautolock = handleTest ./xautolock.nix {};
  xdg-desktop-portal = handleTest ./xdg-desktop-portal.nix {};
--- a/nixos/tests/common/webroot/news-rss.xml
+++ b/nixos/tests/common/webroot/news-rss.xml
@@ -1,10 +1,18 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<rss xmlns:blogChannel="http://backend.userland.com/blogChannelModule" version="2.0"><channel><title>NixOS News</title><link>https://nixos.org</link><description>News for NixOS, the purely functional Linux distribution.</description><image><title>NixOS</title><url>https://nixos.org/logo/nixos-logo-only-hires.png</url><link>https://nixos.org/</link></image><item><title>
-      NixOS 18.09 released
-    </title><link>https://nixos.org/news.html</link><description>
-      <a href="https://github.com/NixOS/nixos-artwork/blob/master/releases/18.09-jellyfish/jellyfish.png">
-        <img class="inline" src="logo/nixos-logo-18.09-jellyfish-lores.png" alt="18.09 Jellyfish logo" with="100" height="87"/>
-      </a>
+<rss xmlns:blogChannel="http://backend.userland.com/blogChannelModule" version="2.0">
+ <channel>
+  <title>NixOS News</title><link>https://nixos.org</link>
+  <description>News for NixOS, the purely functional Linux distribution.</description>
+  <image>
+   <title>NixOS</title>
+   <url>https://nixos.org/logo/nixos-logo-only-hires.png</url><link>https://nixos.org/</link>
+  </image>
+  <item>
+   <title>NixOS 18.09 released</title><link>https://nixos.org/news.html</link>
+   <description>
+    <a href="https://github.com/NixOS/nixos-artwork/blob/master/releases/18.09-jellyfish/jellyfish.png">
+     <img class="inline" src="logo/nixos-logo-18.09-jellyfish-lores.png" alt="18.09 Jellyfish logo" with="100" height="87"/>
+    </a>
      NixOS 18.09 “Jellyfish” has been released, the tenth stable release branch.
      See the <a href="/nixos/manual/release-notes.html#sec-release-18.09">release notes</a>
      for details. You can get NixOS 18.09 ISOs and VirtualBox appliances
@@ -12,4 +20,8 @@
      For information on how to upgrade from older release branches
      to 18.09, check out the
      <a href="/nixos/manual/index.html#sec-upgrading">manual section on upgrading</a>.
-    </description><pubDate>Sat Oct 06 2018 00:00:00 GMT</pubDate></item></channel></rss>
+    </description>
+   <pubDate>Sat Oct 06 2018 00:00:00 GMT</pubDate>
+  </item>
+ </channel>
+</rss>
--- a/nixos/tests/gitlab.nix
+++ b/nixos/tests/gitlab.nix
@@ -1,5 +1,8 @@
 # This test runs gitlab and checks if it works

+let
+  initialRootPassword = "notproduction";
+in
 import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
  name = "gitlab";
  meta = with pkgs.stdenv.lib.maintainers; {
@@ -27,7 +30,7 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
      services.gitlab = {
        enable = true;
        databasePassword = "dbPassword";
-        initialRootPassword = "notproduction";
+        inherit initialRootPassword;
        smtp.enable = true;
        secrets = {
          secret = "secret";
@@ -69,7 +72,27 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
    };
  };

-  testScript = ''
+  testScript =
+  let
+    auth = pkgs.writeText "auth.json" (builtins.toJSON {
+      grant_type = "password";
+      username = "root";
+      password = initialRootPassword;
+    });
+
+    createProject = pkgs.writeText "create-project.json" (builtins.toJSON {
+      name = "test";
+    });
+
+    putFile = pkgs.writeText "put-file.json" (builtins.toJSON {
+      branch = "master";
+      author_email = "author@example.com";
+      author_name = "Firstname Lastname";
+      content = "some content";
+      commit_message = "create a new file";
+    });
+  in
+  ''
    $gitlab->start();
    $gitlab->waitForUnit("gitaly.service");
    $gitlab->waitForUnit("gitlab-workhorse.service");
@@ -78,6 +101,13 @@ import ./make-test.nix ({ pkgs, lib, ...} : with lib; {
    $gitlab->waitForFile("/var/gitlab/state/tmp/sockets/gitlab.socket");
    $gitlab->waitUntilSucceeds("curl -sSf http://gitlab/users/sign_in");
    $gitlab->succeed("curl -isSf http://gitlab  | grep -i location | grep -q http://gitlab/users/sign_in");
-    $gitlab->succeed("${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2")
+    $gitlab->succeed("${pkgs.sudo}/bin/sudo -u gitlab -H gitlab-rake gitlab:check 1>&2");
+    $gitlab->succeed("echo \"Authorization: Bearer \$(curl -X POST -H 'Content-Type: application/json' -d @${auth} http://gitlab/oauth/token | ${pkgs.jq}/bin/jq -r '.access_token')\" >/tmp/headers");
+    $gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${createProject} http://gitlab/api/v4/projects");
+    $gitlab->succeed("curl -X POST -H 'Content-Type: application/json' -H @/tmp/headers -d @${putFile} http://gitlab/api/v4/projects/1/repository/files/some-file.txt");
+    $gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.gz > /tmp/archive.tar.gz");
+    $gitlab->succeed("curl -H @/tmp/headers http://gitlab/api/v4/projects/1/repository/archive.tar.bz2 > /tmp/archive.tar.bz2");
+    $gitlab->succeed("test -s /tmp/archive.tar.gz");
+    $gitlab->succeed("test -s /tmp/archive.tar.bz2");
  '';
 })
--- a/nixos/tests/knot.nix
+++ b/nixos/tests/knot.nix
@@ -0,0 +1,197 @@
+import ./make-test.nix ({ pkgs, lib, ...} :
+let
+  common = {
+    networking.firewall.enable = false;
+    networking.useDHCP = false;
+  };
+  exampleZone = pkgs.writeTextDir "example.com.zone" ''
+      @ SOA ns.example.com. noc.example.com. 2019031301 86400 7200 3600000 172800
+      @       NS      ns1
+      @       NS      ns2
+      ns1     A       192.168.0.1
+      ns1     AAAA    fd00::1
+      ns2     A       192.168.0.2
+      ns2     AAAA    fd00::2
+      www     A       192.0.2.1
+      www     AAAA    2001:DB8::1
+      sub     NS      ns.example.com.
+  '';
+  delegatedZone = pkgs.writeTextDir "sub.example.com.zone" ''
+      @ SOA ns.example.com. noc.example.com. 2019031301 86400 7200 3600000 172800
+      @       NS      ns1.example.com.
+      @       NS      ns2.example.com.
+      @       A       192.0.2.2
+      @       AAAA    2001:DB8::2
+  '';
+
+  knotZonesEnv = pkgs.buildEnv {
+    name = "knot-zones";
+    paths = [ exampleZone delegatedZone ];
+  };
+in {
+  name = "knot";
+
+  nodes = {
+    master = { lib, ... }: {
+      imports = [ common ];
+      networking.interfaces.eth1 = {
+        ipv4.addresses = lib.mkForce [
+          { address = "192.168.0.1"; prefixLength = 24; }
+        ];
+        ipv6.addresses = lib.mkForce [
+          { address = "fd00::1"; prefixLength = 64; }
+        ];
+      };
+      services.knot.enable = true;
+      services.knot.extraArgs = [ "-v" ];
+      services.knot.extraConfig = ''
+        server:
+            listen: 0.0.0.0@53
+            listen: ::@53
+
+        acl:
+          - id: slave_acl
+            address: 192.168.0.2
+            action: transfer
+
+        remote:
+          - id: slave
+            address: 192.168.0.2@53
+
+        template:
+          - id: default
+            storage: ${knotZonesEnv}
+            notify: [slave]
+            acl: [slave_acl]
+            dnssec-signing: on
+            # Input-only zone files
+            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-3
+            # prevents modification of the zonefiles, since the zonefiles are immutable
+            zonefile-sync: -1
+            zonefile-load: difference
+            journal-content: changes
+            # move databases below the state directory, because they need to be writable
+            journal-db: /var/lib/knot/journal
+            kasp-db: /var/lib/knot/kasp
+            timer-db: /var/lib/knot/timer
+
+        zone:
+          - domain: example.com
+            file: example.com.zone
+
+          - domain: sub.example.com
+            file: sub.example.com.zone
+
+        log:
+          - target: syslog
+            any: info
+      '';
+    };
+
+    slave = { lib, ... }: {
+      imports = [ common ];
+      networking.interfaces.eth1 = {
+        ipv4.addresses = lib.mkForce [
+          { address = "192.168.0.2"; prefixLength = 24; }
+        ];
+        ipv6.addresses = lib.mkForce [
+          { address = "fd00::2"; prefixLength = 64; }
+        ];
+      };
+      services.knot.enable = true;
+      services.knot.extraArgs = [ "-v" ];
+      services.knot.extraConfig = ''
+        server:
+            listen: 0.0.0.0@53
+            listen: ::@53
+
+        acl:
+          - id: notify_from_master
+            address: 192.168.0.1
+            action: notify
+
+        remote:
+          - id: master
+            address: 192.168.0.1@53
+
+        template:
+          - id: default
+            master: master
+            acl: [notify_from_master]
+            # zonefileless setup
+            # https://www.knot-dns.cz/docs/2.8/html/operation.html#example-2
+            zonefile-sync: -1
+            zonefile-load: none
+            journal-content: all
+            # move databases below the state directory, because they need to be writable
+            journal-db: /var/lib/knot/journal
+            kasp-db: /var/lib/knot/kasp
+            timer-db: /var/lib/knot/timer
+
+        zone:
+          - domain: example.com
+            file: example.com.zone
+
+          - domain: sub.example.com
+            file: sub.example.com.zone
+
+        log:
+          - target: syslog
+            any: info
+      '';
+    };
+    client = { lib, nodes, ... }: {
+      imports = [ common ];
+      networking.interfaces.eth1 = {
+        ipv4.addresses = [
+          { address = "192.168.0.3"; prefixLength = 24; }
+        ];
+        ipv6.addresses = [
+          { address = "fd00::3"; prefixLength = 64; }
+        ];
+      };
+      environment.systemPackages = [ pkgs.knot-dns ];
+    };    
+  };
+
+  testScript = { nodes, ... }: let 
+    master4 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv4.addresses).address;
+    master6 = (lib.head nodes.master.config.networking.interfaces.eth1.ipv6.addresses).address;
+
+    slave4 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv4.addresses).address;
+    slave6 = (lib.head nodes.slave.config.networking.interfaces.eth1.ipv6.addresses).address;
+  in ''
+    startAll;
+
+    $client->waitForUnit("network.target");
+    $master->waitForUnit("knot.service");
+    $slave->waitForUnit("knot.service");
+
+    sub assertResponse {
+      my ($knot, $query_type, $query, $expected) = @_;
+      my $out = $client->succeed("khost -t $query_type $query $knot");
+      $client->log("$knot replies with: $out");
+      chomp $out;
+      die "DNS query for $query ($query_type) against $knot gave '$out' instead of '$expected'"
+        if ($out !~ $expected);
+    }
+
+    foreach ("${master4}", "${master6}", "${slave4}", "${slave6}") {
+      subtest $_, sub {
+        assertResponse($_, "SOA", "example.com", qr/start of authority.*?noc\.example\.com/);
+        assertResponse($_, "A", "example.com", qr/has no [^ ]+ record/);
+        assertResponse($_, "AAAA", "example.com", qr/has no [^ ]+ record/);
+
+        assertResponse($_, "A", "www.example.com", qr/address 192.0.2.1$/);
+        assertResponse($_, "AAAA", "www.example.com", qr/address 2001:db8::1$/);
+
+        assertResponse($_, "NS", "sub.example.com", qr/nameserver is ns\d\.example\.com.$/);
+        assertResponse($_, "A", "sub.example.com", qr/address 192.0.2.2$/);
+        assertResponse($_, "AAAA", "sub.example.com", qr/address 2001:db8::2$/);
+
+        assertResponse($_, "RRSIG", "www.example.com", qr/RR set signature is/);
+        assertResponse($_, "DNSKEY", "example.com", qr/DNSSEC key is/);
+      };
+    }
+  '';
+})
--- a/nixos/tests/ldap.nix
+++ b/nixos/tests/ldap.nix
@@ -28,20 +28,19 @@ let
      users.ldap.daemon = {
        enable = useDaemon;
        rootpwmoddn = "cn=admin,${dbSuffix}";
-        rootpwmodpw = "/etc/nslcd.rootpwmodpw";
+        rootpwmodpwFile = "/etc/nslcd.rootpwmodpw";
      };
-      # NOTE: password stored in clear in Nix's store, but this is a test.
-      environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
      users.ldap.loginPam = true;
      users.ldap.nsswitch = true;
      users.ldap.server = "ldap://server";
      users.ldap.base = "ou=posix,${dbSuffix}";
      users.ldap.bind = {
        distinguishedName = "cn=admin,${dbSuffix}";
-        password = "/etc/ldap/bind.password";
+        passwordFile = "/etc/ldap/bind.password";
      };
-      # NOTE: password stored in clear in Nix's store, but this is a test.
+      # NOTE: passwords stored in clear in Nix's store, but this is a test.
      environment.etc."ldap/bind.password".source = pkgs.writeText "password" dbAdminPwd;
+      environment.etc."nslcd.rootpwmodpw".source = pkgs.writeText "rootpwmodpw" dbAdminPwd;
    };
 in

--- a/nixos/tests/overlayfs.nix
+++ b/nixos/tests/overlayfs.nix
@@ -0,0 +1,57 @@
+import ./make-test.nix ({ pkgs, ... }: {
+  name = "overlayfs";
+  meta.maintainers = with pkgs.stdenv.lib.maintainers; [ bachp ];
+
+  machine = { pkgs, ... }: {
+    virtualisation.emptyDiskImages = [ 512 ];
+    networking.hostId = "deadbeef";
+    environment.systemPackages = with pkgs; [ parted ];
+  };
+
+  testScript = ''
+    $machine->succeed("ls /dev");
+
+    $machine->succeed("mkdir -p /tmp/mnt");
+
+    # Test ext4 + overlayfs
+    $machine->succeed(
+
+      "mkfs.ext4 -F -L overlay-ext4 /dev/vdb",
+      "mount -t ext4 /dev/vdb /tmp/mnt",
+
+      "mkdir -p /tmp/mnt/upper /tmp/mnt/lower /tmp/mnt/work /tmp/mnt/merged",
+
+      # Setup some existing files
+      "echo 'Replace' > /tmp/mnt/lower/replace.txt",
+      "echo 'Append' > /tmp/mnt/lower/append.txt",
+      "echo 'Overwrite' > /tmp/mnt/lower/overwrite.txt",
+
+      "mount -t overlay overlay -o lowerdir=/tmp/mnt/lower,upperdir=/tmp/mnt/upper,workdir=/tmp/mnt/work /tmp/mnt/merged",
+
+      # Test new
+      "echo 'New' > /tmp/mnt/merged/new.txt",
+      "[[ \"\$(cat /tmp/mnt/merged/new.txt)\" == \"New\" ]]",
+
+      # Test replace
+      "[[ \"\$(cat /tmp/mnt/merged/replace.txt)\" == \"Replace\" ]]",
+      "echo 'Replaced' > /tmp/mnt/merged/replace-tmp.txt",
+      "mv /tmp/mnt/merged/replace-tmp.txt /tmp/mnt/merged/replace.txt",
+      "[[ \"\$(cat /tmp/mnt/merged/replace.txt)\" == \"Replaced\" ]]",
+
+      # Overwrite
+      "[[ \"\$(cat /tmp/mnt/merged/overwrite.txt)\" == \"Overwrite\" ]]",
+      "echo 'Overwritten' > /tmp/mnt/merged/overwrite.txt",
+      "[[ \"\$(cat /tmp/mnt/merged/overwrite.txt)\" == \"Overwritten\" ]]",
+
+      # Test append
+      "[[ \"\$(cat /tmp/mnt/merged/append.txt)\" == \"Append\" ]]",
+      "echo 'ed' >> /tmp/mnt/merged/append.txt",
+      #"cat /tmp/mnt/merged/append.txt && exit 1",
+      "[[ \"\$(cat /tmp/mnt/merged/append.txt)\" == \"Append\ned\" ]]",
+
+      "umount /tmp/mnt/merged",
+      "umount /tmp/mnt",
+      "udevadm settle"
+    );
+  '';
+})
--- a/nixos/tests/predictable-interface-names.nix
+++ b/nixos/tests/predictable-interface-names.nix
@@ -20,8 +20,7 @@ in pkgs.lib.listToAttrs (pkgs.lib.crossLists (predictable: withNetworkd: {

    testScript = ''
      print $machine->succeed("ip link");
-      $machine->succeed("ip link show ${if predictable then "ens3" else "eth0"}");
-      $machine->fail("ip link show ${if predictable then "eth0" else "ens3"}");
+      $machine->${if predictable then "fail" else "succeed"}("ip link show eth0 ");
    '';
  };
 }) [[true false] [true false]])
--- a/nixos/tests/systemd-confinement.nix
+++ b/nixos/tests/systemd-confinement.nix
@@ -0,0 +1,168 @@
+import ./make-test.nix {
+  name = "systemd-confinement";
+
+  machine = { pkgs, lib, ... }: let
+    testServer = pkgs.writeScript "testserver.sh" ''
+      #!${pkgs.stdenv.shell}
+      export PATH=${lib.escapeShellArg "${pkgs.coreutils}/bin"}
+      ${lib.escapeShellArg pkgs.stdenv.shell} 2>&1
+      echo "exit-status:$?"
+    '';
+
+    testClient = pkgs.writeScriptBin "chroot-exec" ''
+      #!${pkgs.stdenv.shell} -e
+      output="$(echo "$@" | nc -NU "/run/test$(< /teststep).sock")"
+      ret="$(echo "$output" | sed -nre '$s/^exit-status:([0-9]+)$/\1/p')"
+      echo "$output" | head -n -1
+      exit "''${ret:-1}"
+    '';
+
+    mkTestStep = num: { description, config ? {}, testScript }: {
+      systemd.sockets."test${toString num}" = {
+        description = "Socket for Test Service ${toString num}";
+        wantedBy = [ "sockets.target" ];
+        socketConfig.ListenStream = "/run/test${toString num}.sock";
+        socketConfig.Accept = true;
+      };
+
+      systemd.services."test${toString num}@" = {
+        description = "Confined Test Service ${toString num}";
+        confinement = (config.confinement or {}) // { enable = true; };
+        serviceConfig = (config.serviceConfig or {}) // {
+          ExecStart = testServer;
+          StandardInput = "socket";
+        };
+      } // removeAttrs config [ "confinement" "serviceConfig" ];
+
+      __testSteps = lib.mkOrder num ''
+        subtest '${lib.escape ["\\" "'"] description}', sub {
+          $machine->succeed('echo ${toString num} > /teststep');
+          ${testScript}
+        };
+      '';
+    };
+
+  in {
+    imports = lib.imap1 mkTestStep [
+      { description = "chroot-only confinement";
+        config.confinement.mode = "chroot-only";
+        testScript = ''
+          $machine->succeed(
+            'test "$(chroot-exec ls -1 / | paste -sd,)" = bin,nix',
+            'test "$(chroot-exec id -u)" = 0',
+            'chroot-exec chown 65534 /bin',
+          );
+        '';
+      }
+      { description = "full confinement with APIVFS";
+        testScript = ''
+          $machine->fail(
+            'chroot-exec ls -l /etc',
+            'chroot-exec ls -l /run',
+            'chroot-exec chown 65534 /bin',
+          );
+          $machine->succeed(
+            'test "$(chroot-exec id -u)" = 0',
+            'chroot-exec chown 0 /bin',
+          );
+        '';
+      }
+      { description = "check existence of bind-mounted /etc";
+        config.serviceConfig.BindReadOnlyPaths = [ "/etc" ];
+        testScript = ''
+          $machine->succeed('test -n "$(chroot-exec cat /etc/passwd)"');
+        '';
+      }
+      { description = "check if User/Group really runs as non-root";
+        config.serviceConfig.User = "chroot-testuser";
+        config.serviceConfig.Group = "chroot-testgroup";
+        testScript = ''
+          $machine->succeed('chroot-exec ls -l /dev');
+          $machine->succeed('test "$(chroot-exec id -u)" != 0');
+          $machine->fail('chroot-exec touch /bin/test');
+        '';
+      }
+      (let
+        symlink = pkgs.runCommand "symlink" {
+          target = pkgs.writeText "symlink-target" "got me\n";
+        } "ln -s \"$target\" \"$out\"";
+      in {
+        description = "check if symlinks are properly bind-mounted";
+        config.confinement.packages = lib.singleton symlink;
+        testScript = ''
+          $machine->fail('chroot-exec test -e /etc');
+          $machine->succeed('chroot-exec cat ${symlink} >&2');
+          $machine->succeed('test "$(chroot-exec cat ${symlink})" = "got me"');
+        '';
+      })
+      { description = "check if StateDirectory works";
+        config.serviceConfig.User = "chroot-testuser";
+        config.serviceConfig.Group = "chroot-testgroup";
+        config.serviceConfig.StateDirectory = "testme";
+        testScript = ''
+          $machine->succeed('chroot-exec touch /tmp/canary');
+          $machine->succeed('chroot-exec "echo works > /var/lib/testme/foo"');
+          $machine->succeed('test "$(< /var/lib/testme/foo)" = works');
+          $machine->succeed('test ! -e /tmp/canary');
+        '';
+      }
+      { description = "check if /bin/sh works";
+        testScript = ''
+          $machine->succeed(
+            'chroot-exec test -e /bin/sh',
+            'test "$(chroot-exec \'/bin/sh -c "echo bar"\')" = bar',
+          );
+        '';
+      }
+      { description = "check if suppressing /bin/sh works";
+        config.confinement.binSh = null;
+        testScript = ''
+          $machine->succeed(
+            'chroot-exec test ! -e /bin/sh',
+            'test "$(chroot-exec \'/bin/sh -c "echo foo"\')" != foo',
+          );
+        '';
+      }
+      { description = "check if we can set /bin/sh to something different";
+        config.confinement.binSh = "${pkgs.hello}/bin/hello";
+        testScript = ''
+          $machine->succeed(
+            'chroot-exec test -e /bin/sh',
+            'test "$(chroot-exec /bin/sh -g foo)" = foo',
+          );
+        '';
+      }
+      { description = "check if only Exec* dependencies are included";
+        config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n";
+        testScript = ''
+          $machine->succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" != eek');
+        '';
+      }
+      { description = "check if all unit dependencies are included";
+        config.environment.FOOBAR = pkgs.writeText "foobar" "eek\n";
+        config.confinement.fullUnit = true;
+        testScript = ''
+          $machine->succeed('test "$(chroot-exec \'cat "$FOOBAR"\')" = eek');
+        '';
+      }
+    ];
+
+    options.__testSteps = lib.mkOption {
+      type = lib.types.lines;
+      description = "All of the test steps combined as a single script.";
+    };
+
+    config.environment.systemPackages = lib.singleton testClient;
+
+    config.users.groups.chroot-testgroup = {};
+    config.users.users.chroot-testuser = {
+      description = "Chroot Test User";
+      group = "chroot-testgroup";
+    };
+  };
+
+  testScript = { nodes, ... }: ''
+    $machine->waitForUnit('multi-user.target');
+    ${nodes.machine.config.__testSteps}
+  '';
+}
--- a/nixos/tests/wireguard/default.nix
+++ b/nixos/tests/wireguard/default.nix
@@ -0,0 +1,97 @@
+let
+  wg-snakeoil-keys = import ./snakeoil-keys.nix;
+in
+
+import ../make-test.nix ({ pkgs, ...} : {
+  name = "wireguard";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ ma27 ];
+  };
+
+  nodes = {
+    peer0 = { lib, ... }: {
+      boot.kernel.sysctl = {
+        "net.ipv6.conf.all.forwarding" = "1";
+        "net.ipv6.conf.default.forwarding" = "1";
+        "net.ipv4.ip_forward" = "1";
+      };
+
+      networking.useDHCP = false;
+      networking.interfaces.eth1 = {
+        ipv4.addresses = lib.singleton {
+          address = "192.168.0.1";
+          prefixLength = 24;
+        };
+        ipv6.addresses = lib.singleton {
+          address = "fd00::1";
+          prefixLength = 64;
+        };
+      };
+
+      networking.firewall.allowedUDPPorts = [ 23542 ];
+      networking.wireguard.interfaces.wg0 = {
+        ips = [ "10.23.42.1/32" "fc00::1/128" ];
+        listenPort = 23542;
+
+        inherit (wg-snakeoil-keys.peer0) privateKey;
+
+        peers = lib.singleton {
+          allowedIPs = [ "10.23.42.2/32" "fc00::2/128" ];
+
+          inherit (wg-snakeoil-keys.peer1) publicKey;
+        };
+      };
+    };
+
+    peer1 = { pkgs, lib, ... }: {
+      boot.kernel.sysctl = {
+        "net.ipv6.conf.all.forwarding" = "1";
+        "net.ipv6.conf.default.forwarding" = "1";
+        "net.ipv4.ip_forward" = "1";
+      };
+
+      networking.useDHCP = false;
+      networking.interfaces.eth1 = {
+        ipv4.addresses = lib.singleton {
+          address = "192.168.0.2";
+          prefixLength = 24;
+        };
+        ipv6.addresses = lib.singleton {
+          address = "fd00::2";
+          prefixLength = 64;
+        };
+      };
+
+      networking.wireguard.interfaces.wg0 = {
+        ips = [ "10.23.42.2/32" "fc00::2/128" ];
+        listenPort = 23542;
+        allowedIPsAsRoutes = false;
+
+        inherit (wg-snakeoil-keys.peer1) privateKey;
+
+        peers = lib.singleton {
+          allowedIPs = [ "0.0.0.0/0" "::/0" ];
+          endpoint = "192.168.0.1:23542";
+          persistentKeepalive = 25;
+
+          inherit (wg-snakeoil-keys.peer0) publicKey;
+        };
+
+        postSetup = let inherit (pkgs) iproute; in ''
+          ${iproute}/bin/ip route replace 10.23.42.1/32 dev wg0
+          ${iproute}/bin/ip route replace fc00::1/128 dev wg0
+        '';
+      };
+    };
+  };
+
+  testScript = ''
+    startAll;
+
+    $peer0->waitForUnit("wireguard-wg0.service");
+    $peer1->waitForUnit("wireguard-wg0.service");
+
+    $peer1->succeed("ping -c5 fc00::1");
+    $peer1->succeed("ping -c5 10.23.42.1")
+  '';
+})
--- a/nixos/tests/wireguard/snakeoil-keys.nix
+++ b/nixos/tests/wireguard/snakeoil-keys.nix
@@ -0,0 +1,11 @@
+{
+  peer0 = {
+    privateKey = "OPuVRS2T0/AtHDp3PXkNuLQYDiqJaBEEnYe42BSnJnQ=";
+    publicKey = "IujkG119YPr2cVQzJkSLYCdjpHIDjvr/qH1w1tdKswY=";
+  };
+
+  peer1 = {
+    privateKey = "uO8JVo/sanx2DOM0L9GUEtzKZ82RGkRnYgpaYc7iXmg=";
+    publicKey = "Ks9yRJIi/0vYgRmn14mIOQRwkcUGBujYINbMpik2SBI=";
+  };
+}
--- a/pkgs/applications/altcoins/freicoin.nix
+++ b/pkgs/applications/altcoins/freicoin.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
    sha256 = "1v1qwv4x5agjba82s1vknmdgq67y26wzdwbmwwqavv7f7y3y860h";
  };

+  enableParallelBuilding = false;
+
  qmakeFlags = ["USE_UPNP=-"];

  # I think that openssl and zlib are required, but come through other
--- a/pkgs/applications/altcoins/monero-gui/default.nix
+++ b/pkgs/applications/altcoins/monero-gui/default.nix
@@ -2,8 +2,8 @@
 , makeWrapper, makeDesktopItem
 , qtbase, qmake, qtmultimedia, qttools
 , qtgraphicaleffects, qtdeclarative
-, qtlocation, qtquickcontrols2, qtwebchannel
-, qtwebengine, qtx11extras, qtxmlpatterns
+, qtlocation, qtquickcontrols, qtquickcontrols2
+, qtwebchannel, qtwebengine, qtx11extras, qtxmlpatterns
 , monero, unbound, readline, boost, libunwind
 , libsodium, pcsclite, zeromq, cppzmq, pkgconfig
 , hidapi
@@ -11,22 +11,35 @@

 with stdenv.lib;

+let
+  qmlPath = qmlLib: "${qmlLib}/${qtbase.qtQmlPrefix}";
+
+  qml2ImportPath = concatMapStringsSep ":" qmlPath [
+    qtbase.bin qtmultimedia.bin qtgraphicaleffects
+    qtdeclarative.bin qtlocation.bin
+    qtquickcontrols qtquickcontrols2.bin
+    qtwebchannel.bin qtwebengine.bin qtxmlpatterns
+  ];
+
+in
+
 stdenv.mkDerivation rec {
  name = "monero-gui-${version}";
-  version = "0.13.0.4";
+  version = "0.14.0.0";

  src = fetchFromGitHub {
    owner  = "monero-project";
    repo   = "monero-gui";
    rev    = "v${version}";
-    sha256 = "142yj5s15bhm300dislq3x5inw1f37shnrd5vyj78jjcvry3wymw";
+    sha256 = "1l4kx2vidr7bpds43jdbwyaz0q1dy7sricpz061ff1fkappbxdh8";
  };

  nativeBuildInputs = [ qmake pkgconfig ];

  buildInputs = [
    qtbase qtmultimedia qtgraphicaleffects
-    qtdeclarative qtlocation qtquickcontrols2
+    qtdeclarative qtlocation
+    qtquickcontrols qtquickcontrols2
    qtwebchannel qtwebengine qtx11extras
    qtxmlpatterns monero unbound readline
    boost libunwind libsodium pcsclite zeromq
@@ -81,6 +94,11 @@ stdenv.mkDerivation rec {
      cp $src/images/appicons/$size.png \
         $out/share/icons/hicolor/$size/apps/monero.png
    done;
+
+    # wrap runtime dependencies
+    wrapProgram $out/bin/monero-wallet-gui \
+      --set QML2_IMPORT_PATH "${qml2ImportPath}" \
+      --set QT_PLUGIN_PATH "${qtbase.bin}/${qtbase.qtPluginPrefix}"
  '';

  meta = {
--- a/pkgs/applications/altcoins/monero-gui/move-log-file.patch
+++ b/pkgs/applications/altcoins/monero-gui/move-log-file.patch
@@ -13,15 +13,17 @@ index 79223c0..e80b317 100644
     parser.addHelpOption();
     parser.process(app);
 diff --git a/Logger.cpp b/Logger.cpp
-index 660bafc..dae24d4 100644
+index 6b1daba..c357762 100644
 --- a/Logger.cpp
 +++ b/Logger.cpp
-@@ -15,7 +15,7 @@ static const QString default_name = "monero-wallet-gui.log";
- #elif defined(Q_OS_MAC)
-     static const QString osPath = QStandardPaths::standardLocations(QStandardPaths::HomeLocation).at(0) + "/Library/Logs";
+@@ -28,8 +28,8 @@ static const QString defaultLogName = "monero-wallet-gui.log";
+     static const QString appFolder = "Library/Logs";
 #else // linux + bsd
+     //HomeLocation = "~"
 -    static const QString osPath = QStandardPaths::standardLocations(QStandardPaths::HomeLocation).at(0);
+-    static const QString appFolder = ".bitmonero";
 +    static const QString osPath = QStandardPaths::standardLocations(QStandardPaths::CacheLocation).at(0);
+    static const QString appFolder = "bitmonero";
 #endif
- 
+
 
--- a/pkgs/applications/altcoins/monero/default.nix
+++ b/pkgs/applications/altcoins/monero/default.nix
@@ -11,12 +11,12 @@ with stdenv.lib;

 stdenv.mkDerivation rec {
  name    = "monero-${version}";
-  version = "0.13.0.4";
+  version = "0.14.0.2";

  src = fetchgit {
    url    = "https://github.com/monero-project/monero.git";
    rev    = "v${version}";
-    sha256 = "1ambgakapijhsi1pd70vw8vvnlwa3nid944lqkbfq3wl25lmc70d";
+    sha256 = "1471iy6c8dfdqcmcwcp0m7fp9xl74dcm5hqlfdfi217abhawfs8k";
  };

  nativeBuildInputs = [ cmake pkgconfig git ];
--- a/Show More
+++ b/Show More