rtl8723bs: version bump

2026-06-07 13:53:42 +00:00 · 2016-06-02 20:09:27 +02:00
4972 changed files with 981410 additions and 132937 deletions
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -4,8 +4,8 @@
 ###### Things done

 - [ ] Tested using sandboxing
-  ([nix.useChroot](http://nixos.org/nixos/manual/options.html#opt-nix.useChroot) on NixOS,
-    or option `build-use-chroot` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
+  ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS,
+    or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
    on non-NixOS)
 - Built on platform(s)
   - [ ] NixOS
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,22 +1,12 @@
-language: nix
 matrix:
    include:
        - os: linux
-          sudo: false
-          script:
-              - ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball
-              - ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
-        - os: linux
+          language: generic
          sudo: required
          dist: trusty
-          before_script:
-              - sudo mount -o remount,exec,size=2G,mode=755 /run/user
-          script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
        - os: osx
+          language: generic
          osx_image: xcode7.3
-          script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
-git:
-    depth: 1
-env:
-    global:
-        - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f
+before_install: ./maintainers/scripts/travis-nox-review-pr.sh nix
+install: ./maintainers/scripts/travis-nox-review-pr.sh nox
+script: ./maintainers/scripts/travis-nox-review-pr.sh build
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 [<img src="http://nixos.org/logo/nixos-hires.png" width="500px" alt="logo" />](https://nixos.org/nixos)

 [![Build Status](https://travis-ci.org/NixOS/nixpkgs.svg?branch=master)](https://travis-ci.org/NixOS/nixpkgs)
-[![Code Triagers Badge](https://www.codetriage.com/nixos/nixpkgs/badges/users.svg)](https://www.codetriage.com/nixos/nixpkgs)
 [![Issue Stats](http://www.issuestats.com/github/nixos/nixpkgs/badge/pr?style=flat)](http://www.issuestats.com/github/nixos/nixpkgs)
 [![Issue Stats](http://www.issuestats.com/github/nixos/nixpkgs/badge/issue?style=flat)](http://www.issuestats.com/github/nixos/nixpkgs)

@@ -32,7 +31,7 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Documentation (Nix Expression Language chapter)](https://nixos.org/nix/manual/#ch-expression-language)
 * [Manual (How to write packages for Nix)](https://nixos.org/nixpkgs/manual/)
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
-* [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
+* [Nix Wiki](https://nixos.org/wiki/)
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
 * [Continuous package builds for 16.03 release](https://hydra.nixos.org/jobset/nixos/release-16.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
--- a/default.nix
+++ b/default.nix
@@ -6,4 +6,4 @@ if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.

 else

-  import ./pkgs/top-level/impure.nix
+  import ./pkgs/top-level
--- a/doc/coding-conventions.xml
+++ b/doc/coding-conventions.xml
@@ -251,13 +251,16 @@ bound to the variable name <varname>e2fsprogs</varname> in

  <listitem><para>The version part of the <literal>name</literal>
  attribute <emphasis>must</emphasis> start with a digit (following a
-  dash) — e.g., <literal>"hello-0.3.1rc2"</literal>.</para></listitem>
+  dash) — e.g., <literal>"hello-0.3-pre-r3910"</literal> instead of
+  <literal>"hello-svn-r3910"</literal>, as the latter would be seen as
+  a package named <literal>hello-svn</literal> by
+  <command>nix-env</command>.</para></listitem>

-  <listitem><para>If a package is not a release but a commit from a repository, then
+  <listitem><para>If package is fetched from git's commit then
  the version part of the name <emphasis>must</emphasis> be the date of that 
  (fetched) commit. The date must be in <literal>"YYYY-MM-DD"</literal> format.
-  Also append <literal>"unstable"</literal> to the name - e.g.,
-  <literal>"pkgname-unstable-2014-09-23"</literal>.</para></listitem>
+  Also add <literal>"git"</literal> to the name - e.g.,
+  <literal>"pkgname-git-2014-09-23"</literal>.</para></listitem>

  <listitem><para>Dashes in the package name should be preserved
  in new variable names, rather than converted to underscores
@@ -659,22 +662,4 @@ src = fetchFromGitHub {
    </itemizedlist>
  </para>
 </section>
-
-<section xml:id="sec-patches"><title>Patches</title>
-  <para>Only patches that are unique to <literal>nixpkgs</literal> should be 
-    included in <literal>nixpkgs</literal> source.</para>
-  <para>Patches available online should be retrieved using 
-    <literal>fetchpatch</literal>.</para>
-  <para>
-<programlisting>
-patches = [
-  (fetchpatch {
-    name = "fix-check-for-using-shared-freetype-lib.patch";
-    url = "http://git.ghostscript.com/?p=ghostpdl.git;a=patch;h=8f5d285";
-    sha256 = "1f0k043rng7f0rfl9hhb89qzvvksqmkrikmm38p61yfx51l325xr";
-  })
-];
-</programlisting>
-  </para>
-</section>
 </chapter>
--- a/doc/default.nix
+++ b/doc/default.nix
@@ -1,14 +1,14 @@
+with import ./.. { };
+with lib;
 let
-  pkgs = import ./.. { };
-  lib = pkgs.lib;
-  sources = lib.sourceFilesBySuffices ./. [".xml"];
+  sources = sourceFilesBySuffices ./. [".xml"];
  sources-langs = ./languages-frameworks;
 in
-pkgs.stdenv.mkDerivation {
+stdenv.mkDerivation {
  name = "nixpkgs-manual";


-  buildInputs = with pkgs; [ pandoc libxml2 libxslt zip ];
+  buildInputs = [ pandoc libxml2 libxslt ];

  xsltFlags = ''
    --param section.autolabel 1
@@ -26,7 +26,7 @@ pkgs.stdenv.mkDerivation {
      extraHeader = ''xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" '';
    in ''
      {
-        pandoc '${inputFile}' -w docbook ${lib.optionalString useChapters "--chapters"} \
+        pandoc '${inputFile}' -w docbook ${optionalString useChapters "--chapters"} \
          --smart \
          | sed -e 's|<ulink url=|<link xlink:href=|' \
              -e 's|</ulink>|</link>|' \
@@ -57,43 +57,33 @@ pkgs.stdenv.mkDerivation {
      outputFile = "./languages-frameworks/haskell.xml";
    }
  + toDocbook {
-      inputFile = ../pkgs/development/idris-modules/README.md;
+      inputFile = ./../pkgs/development/idris-modules/README.md;
      outputFile = "languages-frameworks/idris.xml";
    }
  + toDocbook {
-      inputFile = ../pkgs/development/r-modules/README.md;
+      inputFile = ./../pkgs/development/r-modules/README.md;
      outputFile = "languages-frameworks/r.xml";
    }
  + ''
-    echo ${lib.nixpkgsVersion} > .version
+    echo ${nixpkgsVersion} > .version

    # validate against relaxng schema
    xmllint --nonet --xinclude --noxincludenode manual.xml --output manual-full.xml
-    ${pkgs.jing}/bin/jing ${pkgs.docbook5}/xml/rng/docbook/docbook.rng manual-full.xml
+    ${jing}/bin/jing ${docbook5}/xml/rng/docbook/docbook.rng manual-full.xml

    dst=$out/share/doc/nixpkgs
    mkdir -p $dst
    xsltproc $xsltFlags --nonet --xinclude \
      --output $dst/manual.html \
-      ${pkgs.docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
+      ${docbook5_xsl}/xml/xsl/docbook/xhtml/docbook.xsl \
      ./manual.xml

    cp ${./style.css} $dst/style.css

    mkdir -p $dst/images/callouts
-    cp "${pkgs.docbook5_xsl}/xml/xsl/docbook/images/callouts/"*.gif $dst/images/callouts/
+    cp "${docbook5_xsl}/xml/xsl/docbook/images/callouts/"*.gif $dst/images/callouts/

    mkdir -p $out/nix-support
    echo "doc manual $dst manual.html" >> $out/nix-support/hydra-build-products
-
-    xsltproc $xsltFlags --nonet --xinclude \
-      --output $dst/epub/ \
-      ${pkgs.docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl \
-      ./manual.xml
-
-    cp -r $dst/images $dst/epub/OEBPS
-    echo "application/epub+zip" > mimetype
-    zip -0Xq  "$dst/Nixpkgs Contributors Guide - NixOS community.epub" mimetype
-    zip -Xr9D "$dst/Nixpkgs Contributors Guide - NixOS community.epub" $dst/epub/*
  '';
 }
--- a/doc/functions.xml
+++ b/doc/functions.xml
@@ -89,27 +89,27 @@ in ...</programlisting>
  <title>&lt;pkg&gt;.overrideDerivation</title>

  <warning>
-    <para>Do not use this function in Nixpkgs as it evaluates a Derivation
-    before modifying it, which breaks package abstraction and removes
-    error-checking of function arguments. In addition, this
-    evaluation-per-function application incurs a performance penalty,
-    which can become a problem if many overrides are used.
-    It is only intended for ad-hoc customisation, such as in
-    <filename>~/.nixpkgs/config.nix</filename>.
+    <para>Do not use this function in Nixpkgs. Because it breaks
+    package abstraction and doesn’t provide error checking for
+    function arguments, it is only intended for ad-hoc customisation
+    (such as in <filename>~/.nixpkgs/config.nix</filename>).
+   </para>
+
+   <para>
+    Additionally, <varname>overrideDerivation</varname> forces an evaluation
+    of the Derivation which can be quite a performance penalty if there are many
+    overrides used.
   </para>
  </warning>

  <para>
-    The function <varname>overrideDerivation</varname> creates a new derivation
-    based on an existing one by overriding the original's attributes with
-    the attribute set produced by the specified function.
-    This function is available on all
-    derivations defined using the <varname>makeOverridable</varname> function.
-    Most standard derivation-producing functions, such as
-    <varname>stdenv.mkDerivation</varname>, are defined using this
-    function, which means most packages in the nixpkgs expression,
-    <varname>pkgs</varname>, have this function.
+    The function <varname>overrideDerivation</varname> is usually available for all the
+    derivations in the nixpkgs expression (<varname>pkgs</varname>).
  </para> 
+  <para>
+    It is used to create a new derivation by overriding the attributes of
+    the original derivation according to the given function.
+  </para>

  <para>
    Example usage:
@@ -125,9 +125,9 @@ in ...</programlisting>
  </para>

  <para>
-    In the above example, the <varname>name</varname>, <varname>src</varname>,
-    and <varname>patches</varname> of the derivation will be overridden, while
-    all other attributes will be retained from the original derivation.
+    In the above example, the name, src and patches of the derivation
+    will be overridden, while all other attributes will be retained from the
+    original derivation.
  </para>

  <para>
@@ -135,20 +135,6 @@ in ...</programlisting>
    the original derivation.
  </para>

-  <note>
-    <para>
-      A package's attributes are evaluated *before* being modified by
-      the <varname>overrideDerivation</varname> function.
-      For example, the <varname>name</varname> attribute reference
-      in <varname>url = "mirror://gnu/hello/${name}.tar.gz";</varname>
-      is filled-in *before* the <varname>overrideDerivation</varname> function
-      modifies the attribute set. This means that overriding the
-      <varname>name</varname> attribute, in this example, *will not* change the
-      value of the <varname>url</varname> attribute. Instead, we need to override
-      both the <varname>name</varname> *and* <varname>url</varname> attributes.
-    </para>
-  </note>
-
 </section>

 <section xml:id="sec-lib-makeOverridable">
@@ -185,18 +171,42 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>


 <section xml:id="sec-fhs-environments">
-  <title>buildFHSUserEnv</title>
+  <title>buildFHSChrootEnv/buildFHSUserEnv</title>

  <para>
-    <function>buildFHSUserEnv</function> provides a way to build and run
-    FHS-compatible lightweight sandboxes. It creates an isolated root with
-    bound <filename>/nix/store</filename>, so its footprint in terms of disk
+    <function>buildFHSChrootEnv</function> and
+    <function>buildFHSUserEnv</function> provide a way to build and run
+    FHS-compatible lightweight sandboxes. They get their own isolated root with
+    binded <filename>/nix/store</filename>, so their footprint in terms of disk
    space needed is quite small. This allows one to run software which is hard or
    unfeasible to patch for NixOS -- 3rd-party source trees with FHS assumptions,
    games distributed as tarballs, software with integrity checking and/or external
-    self-updated binaries. It uses Linux namespaces feature to create
+    self-updated binaries.
+  </para>
+
+  <para>
+    <function>buildFHSChrootEnv</function> allows to create persistent
+    environments, which can be constructed, deconstructed and entered by
+    multiple users at once. A downside is that it requires
+    <literal>root</literal> access for both those who create and destroy and
+    those who enter it. It can be useful to create environments for daemons that
+    one can enter and observe.
+  </para>
+
+  <para>
+    <function>buildFHSUserEnv</function> uses Linux namespaces feature to create
    temporary lightweight environments which are destroyed after all child
-    processes exit, without root user rights requirement. Accepted arguments are:
+    processes exit. It does not require root access, and can be useful to create
+    sandboxes and wrap applications.
+  </para>
+
+  <para>
+    Those functions both rely on <function>buildFHSEnv</function>, which creates
+    an actual directory structure given a list of necessary packages and extra
+    build commands.
+    <function>buildFHSChrootEnv</function> and <function>buildFHSUserEnv</function>
+    both accept those arguments which are passed to
+    <function>buildFHSEnv</function>:
  </para>

  <variablelist>
@@ -210,16 +220,14 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
    <term><literal>targetPkgs</literal></term>

    <listitem><para>Packages to be installed for the main host's architecture
-    (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also
-    installed.</para></listitem>
+    (i.e. x86_64 on x86_64 installations).</para></listitem>
    </varlistentry>

    <varlistentry>
    <term><literal>multiPkgs</literal></term>

    <listitem><para>Packages to be installed for all architectures supported by
-    a host (i.e. i686 and x86_64 on x86_64 installations). Only libraries are
-    installed by default.</para></listitem>
+    a host (i.e. i686 and x86_64 on x86_64 installations).</para></listitem>
    </varlistentry>

    <varlistentry>
@@ -232,33 +240,29 @@ c = lib.makeOverridable f { a = 1; b = 2; }</programlisting>
    <varlistentry>
    <term><literal>extraBuildCommandsMulti</literal></term>

-    <listitem><para>Like <literal>extraBuildCommands</literal>, but
+    <listitem><para>Like <literal>extraBuildCommandsMulti</literal>, but
    executed only on multilib architectures.</para></listitem>
    </varlistentry>
-
-    <varlistentry>
-    <term><literal>extraOutputsToInstall</literal></term>
-
-    <listitem><para>Additional derivation outputs to be linked for both
-    target and multi-architecture packages.</para></listitem>
-    </varlistentry>
-
-    <varlistentry>
-    <term><literal>extraInstallCommands</literal></term>
-
-    <listitem><para>Additional commands to be executed for finalizing the
-    derivation with runner script.</para></listitem>
-    </varlistentry>
-
-    <varlistentry>
-    <term><literal>runScript</literal></term>
-
-    <listitem><para>A command that would be executed inside the sandbox and
-    passed all the command line arguments. It defaults to
-    <literal>bash</literal>.</para></listitem>
-    </varlistentry>
  </variablelist>

+  <para>
+    Additionally, <function>buildFHSUserEnv</function> accepts
+    <literal>runScript</literal> parameter, which is a command that would be
+    executed inside the sandbox and passed all the command line arguments. It
+    default to <literal>bash</literal>.
+  </para>
+  <para>
+    It also uses <literal>CHROOTENV_EXTRA_BINDS</literal> environment variable
+    for binding extra directories in the sandbox to outside places. The format of
+    the variable is <literal>/mnt=test-mnt:/data</literal>, where
+    <literal>/mnt</literal> would be mounted as <literal>/test-mnt</literal>
+    and <literal>/data</literal> would be mounted as <literal>/data</literal>.
+    <literal>extraBindMounts</literal> array argument to
+    <function>buildFHSUserEnv</function> function is prepended to this variable.
+    Latter entries take priority if defined several times -- i.e. in case of
+    <literal>/data=data1:/data=data2</literal> the actual bind path would be
+    <literal>/data2</literal>.
+  </para>
  <para>
    One can create a simple environment using a <literal>shell.nix</literal>
    like that:
--- a/doc/languages-frameworks/go.xml
+++ b/doc/languages-frameworks/go.xml
@@ -5,29 +5,27 @@
 <title>Go</title>

 <para>The function <varname>buildGoPackage</varname> builds
-standard Go programs.
+standard Go packages.
 </para>

 <example xml:id='ex-buildGoPackage'><title>buildGoPackage</title>
 <programlisting>
-deis = buildGoPackage rec {
-  name = "deis-${version}";
-  version = "1.13.0";
-  
-  goPackagePath = "github.com/deis/deis"; <co xml:id='ex-buildGoPackage-1' />
-  subPackages = [ "client" ]; <co xml:id='ex-buildGoPackage-2' />
-
+net = buildGoPackage rec {
+  name = "go.net-${rev}";
+  goPackagePath = "golang.org/x/net"; <co xml:id='ex-buildGoPackage-1' />
+  subPackages = [ "ipv4" "ipv6" ]; <co xml:id='ex-buildGoPackage-2' />
+  rev = "e0403b4e005";
  src = fetchFromGitHub {
-    owner = "deis";
-    repo = "deis";
-    rev = "v${version}";
-    sha256 = "1qv9lxqx7m18029lj8cw3k7jngvxs4iciwrypdy0gd2nnghc68sw";
+    inherit rev;
+    owner = "golang";
+    repo = "net";
+    sha256 = "1g7cjzw4g4301a3yqpbk8n1d4s97sfby2aysl275x04g0zh8jxqp";
  };
-
-  goDeps = ./deps.json; <co xml:id='ex-buildGoPackage-3' />
-
-  buildFlags = "--tags release"; <co xml:id='ex-buildGoPackage-4' />
-}
+  goPackageAliases = [ "code.google.com/p/go.net" ]; <co xml:id='ex-buildGoPackage-3' />
+  propagatedBuildInputs = [ goPackages.text ]; <co xml:id='ex-buildGoPackage-4' />
+  buildFlags = "--tags release"; <co xml:id='ex-buildGoPackage-5' />
+  disabled = isGo13;<co xml:id='ex-buildGoPackage-6' />
+};
 </programlisting>
 </example>

@@ -49,69 +47,50 @@ the following arguments are of special significance to the function:
      packages will be built.
    </para>
    <para>
-      In this example only <literal>github.com/deis/deis/client</literal> will be built.
+      In this example only <literal>code.google.com/p/go.net/ipv4</literal> and
+      <literal>code.google.com/p/go.net/ipv6</literal> will be built.
    </para>
  </callout>

  <callout arearefs='ex-buildGoPackage-3'>
    <para>
-      <varname>goDeps</varname> is where the Go dependencies of a Go program are listed
-      in a JSON format described below.
+      <varname>goPackageAliases</varname> is a list of alternative import paths
+      that are valid for this library.
+      Packages that depend on this library will automatically rename
+      import paths that match any of the aliases to <literal>goPackagePath</literal>.
+    </para>
+    <para>
+      In this example imports will be renamed from
+      <literal>code.google.com/p/go.net</literal> to
+      <literal>golang.org/x/net</literal> in every package that depend on the
+      <literal>go.net</literal> library.
    </para>
  </callout>

  <callout arearefs='ex-buildGoPackage-4'>
+    <para>
+      <varname>propagatedBuildInputs</varname> is where the dependencies of a Go library are
+      listed. Only libraries should list <varname>propagatedBuildInputs</varname>. If a standalone
+      program is being built instead, use <varname>buildInputs</varname>. If a library's tests require
+      additional dependencies that are not propagated, they should be listed in <varname>buildInputs</varname>.
+    </para>
+  </callout>
+
+  <callout arearefs='ex-buildGoPackage-5'>
    <para>
      <varname>buildFlags</varname> is a list of flags passed to the go build command.
    </para>
  </callout>

-</calloutlist>
-
-</para>
-
-<para>The <varname>goDeps</varname> attribute should point to a JSON file that defines which Go libraries
-  are needed and should be included in <varname>GOPATH</varname> for <varname>buildPhase</varname>.
-
-</para>
-
-<example xml:id='ex-goDeps'><title>deps.json</title>
-<programlisting>
-[ <co xml:id='ex-goDeps-1' />
-    {
-        "goPackagePath": "gopkg.in/yaml.v2", <co xml:id='ex-goDeps-2' />
-        "fetch": {
-          "type": "git", <co xml:id='ex-goDeps-3' />
-          "url": "https://gopkg.in/yaml.v2",
-          "rev": "a83829b6f1293c91addabc89d0571c246397bbf4",
-          "sha256": "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh"
-        }
-    }
-]
-</programlisting>
-</example>
-
-<para>
-
-<calloutlist>
-
-  <callout arearefs='ex-goDeps-1'>
+  <callout arearefs='ex-buildGoPackage-6'>
    <para>
-      <varname>goDeps</varname> is a list of Go dependencies.
+      If <varname>disabled</varname> is <literal>true</literal>,
+      nix will refuse to build this package.
    </para>
-  </callout>
-
-  <callout arearefs='ex-goDeps-2'>
    <para>
-      <varname>goPackagePath</varname> specifies Go package import path.
-    </para>
-  </callout>
-
-  <callout arearefs='ex-goDeps-3'>
-    <para>
-      <varname>fetch type</varname> that needs to be used to get package source. If <varname>git</varname>
-      is used there should be <varname>url</varname>, <varname>rev</varname> and <varname>sha256</varname>
-      defined next to it.
+      In this example the package will not be built for go 1.3. The <literal>isGo13</literal>
+      is an utility function that returns <literal>true</literal> if go used to build the
+      package has version 1.3.x.
    </para>
  </callout>

@@ -120,21 +99,12 @@ the following arguments are of special significance to the function:
 </para>

 <para>
-  <varname>buildGoPackage</varname> produces <xref linkend='chap-multiple-output' xrefstyle="select: title" />
-  where <varname>bin</varname> includes program binaries. You can test build a Go binary as follows:
+Reusable Go libraries may be found in the <varname>goPackages</varname> set. You can test
+build a Go package as follows:

-  <screen>
-    $ nix-build -A deis.bin
-  </screen>
-
-  or build all outputs with:
-
-  <screen>
-    $ nix-build -A deis.all
-  </screen>
-
-  <varname>bin</varname> output will be installed by default with <varname>nix-env -i</varname>
-  or <varname>systemPackages</varname>.
+<screen>
+$ nix-build -A goPackages.net
+</screen>

 </para>

@@ -149,7 +119,6 @@ done
 </screen>
 </para>

-<para>To extract dependency information from a Go package in automated way use <link xlink:href="https://github.com/kamilchm/go2nix">go2nix</link>.
-  It can produce complete derivation and <varname>goDeps</varname> file for Go programs.</para>
+  <para>To extract dependency information from a Go package in automated way use <link xlink:href="https://github.com/kamilchm/go2nix">go2nix</link>.</para>
 </section>

--- a/doc/languages-frameworks/haskell.md
+++ b/doc/languages-frameworks/haskell.md
@@ -378,23 +378,6 @@ special options turned on:
 	  buildInputs = [ R zeromq zlib ];
    }

-You can select a particular GHC version to compile with by setting the
-`ghc` attribute as an argument to `buildStackProject`. Better yet, let
-Stack choose what GHC version it wants based on the snapshot specified
-in `stack.yaml` (only works with Stack >= 1.1.3):
-
-    {nixpkgs ? import <nixpkgs> { }, ghc ? nixpkgs.ghc}
-
-    with nixpkgs;
-
-    let R = pkgs.R.override { enableStrictBarrier = true; };
-    in
-    haskell.lib.buildStackProject {
-      name = "HaskellR";
-      buildInputs = [ R zeromq zlib ];
-      inherit ghc;
-    }
-
 [stack-nix-doc]: http://docs.haskellstack.org/en/stable/nix_integration.html

 ### How to create ad hoc environments for `nix-shell`
@@ -653,7 +636,7 @@ then you have to download and re-install `foo` and all its dependents from
 scratch:

    # nix-store -q --referrers /nix/store/*-haskell-text-1.2.0.4 \
-      | xargs -L 1 nix-store --repair-path
+      | xargs -L 1 nix-store --repair-path --option binary-caches http://hydra.nixos.org

 If you're using additional Hydra servers other than `hydra.nixos.org`, then it
 might be necessary to purge the local caches that store data from those
@@ -740,7 +723,7 @@ to the `stack.yaml` like the following:
      enable: true
 	  packages: [ zlib ]

-Stack's Nix support knows to add `${zlib.out}/lib` and `${zlib.dev}/include` as an
+Stack's Nix support knows to add `${zlib}/lib` and `${zlib}/include` as an
 `--extra-lib-dirs` and `extra-include-dirs`, respectively. Alternatively, you
 can achieve the same effect by hand. First of all, run

--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@@ -291,8 +291,8 @@ pyfftw = buildPythonPackage rec {
  # Tests cannot import pyfftw. pyfftw works fine though.
  doCheck = false;

-  LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
-  CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
+  LDFLAGS="-L${pkgs.fftw}/lib -L${pkgs.fftwFloat}/lib -L${pkgs.fftwLongDouble}/lib"
+  CFLAGS="-I${pkgs.fftw}/include -I${pkgs.fftwFloat}/include -I${pkgs.fftwLongDouble}/include"
  '';

  meta = {
@@ -503,12 +503,9 @@ and can be used as:

 The `buildPythonPackage` mainly does four things:

-* In the `buildPhase`, it calls `${python.interpreter} setup.py bdist_wheel` to
-  build a wheel binary zipfile.
+* In the `buildPhase`, it calls `${python.interpreter} setup.py bdist_wheel` to build a wheel binary zipfile.
 * In the `installPhase`, it installs the wheel file using `pip install *.whl`.
-* In the `postFixup` phase, the `wrapPythonPrograms` bash function is called to
-  wrap all programs in the `$out/bin/*` directory to include `$PATH`
-  environment variable and add dependent libraries to script's `sys.path`.
+* In the `postFixup` phase, the `wrapPythonPrograms` bash function is called to wrap all programs in the `$out/bin/*` directory to include `$PYTHONPATH` and `$PATH` environment variables.
 * In the `installCheck` phase, `${python.interpreter} setup.py test` is ran.

 As in Perl, dependencies on other Python packages can be specified in the
@@ -535,7 +532,6 @@ All parameters from `mkDerivation` function are still supported.
 * `makeWrapperArgs`: A list of strings. Arguments to be passed to `makeWrapper`, which wraps generated binaries. By default, the arguments to `makeWrapper` set `PATH` and `PYTHONPATH` environment variables before calling the binary. Additional arguments here can allow a developer to set environment variables which will be available when the binary is run. For example, `makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"]`.
 * `installFlags`: A list of strings. Arguments to be passed to `pip install`. To pass options to `python setup.py install`, use `--install-option`. E.g., `installFlags=["--install-option='--cpp_implementation'"].
 * `format`: Format of the source. Options are `setup` for when the source has a `setup.py` and `setuptools` is used to build a wheel, and `wheel` in case the source is already a binary wheel. The default value is `setup`.
-* `catchConflicts` If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.

 #### `buildPythonApplication` function

@@ -569,7 +565,7 @@ running `nix-shell` with the following `shell.nix`
    with import <nixpkgs> {};

    (python3.buildEnv.override {
-      extraLibs = with python3Packages; [ numpy requests2 ];
+      extraLibs = with python3Packages; [ numpy requests ];
    }).env

 will drop you into a shell where Python will have the
@@ -608,7 +604,7 @@ attribute. The `shell.nix` file from the previous section can thus be also writt

    with import <nixpkgs> {};

-    (python33.withPackages (ps: [ps.numpy ps.requests2])).env
+    (python33.withPackages (ps: [ps.numpy ps.requests])).env

 In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
 such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
@@ -632,7 +628,7 @@ Given a `default.nix`:
    src = ./.; }

 Running `nix-shell` with no arguments should give you
-the environment in which the package would be built with
+the environment in which the package would be build with
 `nix-build`.

 Shortcut to setup environments with C headers/libraries and python packages:
@@ -652,56 +648,6 @@ community to help save time. No tool is preferred at the moment.

 ## FAQ

-### How can I install a working Python environment?
-
-As explained in the user's guide installing individual Python packages
-imperatively with `nix-env -i` or declaratively in `environment.systemPackages`
-is not supported. However, it is possible to install a Python environment with packages (`python.buildEnv`).
-
-In the following examples we create an environment with Python 3.5, `numpy` and `ipython`.
-As you might imagine there is one limitation here, and that's you can install
-only one environment at a time. You will notice the complaints about collisions
-when you try to install a second environment.
-
-#### Environment defined in separate `.nix` file
-
-Create a file, e.g. `build.nix`, with the following expression
-```nix
-with import <nixpkgs> {};
-with python35Packages;
-
-python.withPackages (ps: with ps; [ numpy ipython ])
-```
-and install it in your profile with
-```
-nix-env -if build.nix
-```
-Now you can use the Python interpreter, as well as the extra packages that you added to the environment.
-
-#### Environment defined in `~/.nixpkgs/config.nix`
-
-If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
-```
-  packageOverrides = pkgs: with pkgs; with python35Packages; {
-    myEnv = python.withPackages (ps: with ps; [ numpy ipython ]);
-  };
-```
-and install it in your profile with
-```
-nix-env -iA nixos.blogEnv
-```
-Note that I'm using the attribute path here.
-
-#### Environment defined in `/etc/nixos/configuration.nix`
-
-For the sake of completeness, here's another example how to install the environment system-wide.
-
-```nix
-environment.systemPackages = with pkgs; [
-  (python35Packages.python.withPackages (ps: callPackage ../packages/common-python-packages.nix { pythonPackages = ps; }))
-];
-```
-
 ### How to solve circular dependencies?

 Consider the packages `A` and `B` that depend on each other. When packaging `B`,
@@ -751,23 +697,6 @@ in newpkgs.python35.withPackages (ps: [ps.blaze])
 ```
 The requested package `blaze` depends upon `pandas` which itself depends on `scipy`.

-### `python setup.py bdist_wheel` cannot create .whl
-
-Executing `python setup.py bdist_wheel` fails with
-```
-ValueError: ZIP does not support timestamps before 1980
-```
-This is because files are included that depend on items in the Nix store which have a timestamp of, that is, it corresponds to January the 1st, 1970 at 00:00:00. And as the error informs you, ZIP does not support that.
-Fortunately `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`. On Nix this value is set to 1. By setting it to a value correspond to 1980 or later it is possible to build wheels.
-
-Use 1980 as timestamp:
-```
-SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel
-```
-or the current time:
-```
-SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel
-```

 ### `install_data` / `data_files` problems

--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -1196,24 +1196,10 @@ echo @foo@
    <term><function>stripHash</function>
    <replaceable>path</replaceable></term>
    <listitem><para>Strips the directory and hash part of a store
-    path, storing the name part in the environment variable
-    <literal>strippedName</literal>. For example:
-    
-<programlisting>
-stripHash "/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
-# prints coreutils-8.24
-echo $strippedName
-</programlisting>
-
-    If you wish to store the result in another variable, then the
-    following idiom may be useful:
-    
-<programlisting>
-name="/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
-someVar=$(stripHash $name; echo $strippedName)
-</programlisting>
-
-    </para></listitem>
+    path, and prints (on standard output) only the name part.  For
+    instance, <literal>stripHash
+    /nix/store/68afga4khv0w...-coreutils-6.12</literal> print
+    <literal>coreutils-6.12</literal>.</para></listitem>
  </varlistentry>

  
@@ -1319,25 +1305,6 @@ someVar=$(stripHash $name; echo $strippedName)
    <envar>GST_PLUGIN_SYSTEM_PATH</envar> environment variable.</para></listitem>
  </varlistentry>

-  <varlistentry>
-    <term>paxctl</term>
-    <listitem><para>Defines the <varname>paxmark</varname> helper for
-    setting per-executable PaX flags on Linux (where it is available by
-    default; on all other platforms, <varname>paxmark</varname> is a no-op).
-    For example, to disable secure memory protections on the executable
-    <replaceable>foo</replaceable>:
-    <programlisting>
-      postFixup = ''
-        paxmark m $out/bin/<replaceable>foo</replaceable>
-      '';
-    </programlisting>
-    The <literal>m</literal> flag is the most common flag and is typically
-    required for applications that employ JIT compilation or otherwise need to
-    execute code generated at run-time.  Disabling PaX protections should be
-    considered a last resort: if possible, problematic features should be
-    disabled or patched to work with PaX.</para></listitem>
-  </varlistentry>
-
 </variablelist>

 </para>
@@ -1360,209 +1327,6 @@ in the default system locations.</para>

 </section>

-<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
-
-<para>There are flags available to harden packages at compile or link-time.
-These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
-<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
-</para>
-
-<para>The following flags are enabled by default and might require disabling
-if the program to package is incompatible.
-</para>
-
-<variablelist>
-
-  <varlistentry>
-    <term><varname>format</varname></term>
-    <listitem><para>Adds the <option>-Wformat -Wformat-security
-    -Werror=format-security</option> compiler options. At present,
-    this warns about calls to <varname>printf</varname> and
-    <varname>scanf</varname> functions where the format string is
-    not a string literal and there are no format arguments, as in
-    <literal>printf(foo);</literal>. This may be a security hole
-    if the format string came from untrusted input and contains
-    <literal>%n</literal>.</para>
-
-    <para>This needs to be turned off or fixed for errors similar to:</para>
-
-    <programlisting>
-/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
-         printf(help_message);
-                            ^
-cc1plus: some warnings being treated as errors
-    </programlisting></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>stackprotector</varname></term>
-    <listitem>
-    <para>Adds the <option>-fstack-protector-strong
-    --param ssp-buffer-size=4</option>
-    compiler options. This adds safety checks against stack overwrites
-    rendering many potential code injection attacks into aborting situations.
-    In the best case this turns code injection vulnerabilities into denial
-    of service or into non-issues (depending on the application).</para>
-
-    <para>This needs to be turned off or fixed for errors similar to:</para>
-
-    <programlisting>
-bin/blib.a(bios_console.o): In function `bios_handle_cup':
-/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
-    </programlisting></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>fortify</varname></term>
-    <listitem>
-    <para>Adds the <option>-O2 -D_FORTIFY_SOURCE=2</option> compiler
-    options. During code generation the compiler knows a great deal of
-    information about buffer sizes (where possible), and attempts to replace
-    insecure unlimited length buffer function calls with length-limited ones.
-    This is especially useful for old, crufty code. Additionally, format
-    strings in writable memory that contain '%n' are blocked. If an application
-    depends on such a format string, it will need to be worked around.
-    </para>
-
-    <para>Addtionally, some warnings are enabled which might trigger build
-    failures if compiler warnings are treated as errors in the package build.
-    In this case, set <option>NIX_CFLAGS_COMPILE</option> to
-    <option>-Wno-error=warning-type</option>.</para>
-
-    <para>This needs to be turned off or fixed for errors similar to:</para>
-
-    <programlisting>
-malloc.c:404:15: error: return type is an incomplete type
-malloc.c:410:19: error: storage size of 'ms' isn't known
-    </programlisting>
-    <programlisting>
-strdup.h:22:1: error: expected identifier or '(' before '__extension__'
-    </programlisting>
-    <programlisting>
-strsep.c:65:23: error: register name not specified for 'delim'
-    </programlisting>
-    <programlisting>
-installwatch.c:3751:5: error: conflicting types for '__open_2'
-    </programlisting>
-    <programlisting>
-fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
-    </programlisting>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>pic</varname></term>
-    <listitem>
-    <para>Adds the <option>-fPIC</option> compiler options. This options adds
-    support for position independant code in shared libraries and thus making
-    ASLR possible.</para>
-    <para>Most notably, the Linux kernel, kernel modules and other code
-    not running in an operating system environment like boot loaders won't
-    build with PIC enabled. The compiler will is most cases complain that
-    PIC is not supported for a specific build.
-    </para>
-
-    <para>This needs to be turned off or fixed for assembler errors similar to:</para>
-
-    <programlisting>
-ccbLfRgg.s: Assembler messages:
-ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
-    </programlisting>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>strictoverflow</varname></term>
-    <listitem>
-    <para>Signed integer overflow is undefined behaviour according to the C
-    standard. If it happens, it is an error in the program as it should check
-    for overflow before it can happen, not afterwards. GCC provides built-in
-    functions to perform arithmetic with overflow checking, which are correct
-    and faster than any custom implementation. As a workaround, the option
-    <option>-fno-strict-overflow</option> makes gcc behave as if signed
-    integer overflows were defined.
-    </para>
-
-    <para>This flag should not trigger any build or runtime errors.</para>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>relro</varname></term>
-    <listitem>
-    <para>Adds the <option>-z relro</option> linker option. During program
-    load, several ELF memory sections need to be written to by the linker,
-    but can be turned read-only before turning over control to the program.
-    This prevents some GOT (and .dtors) overwrite attacks, but at least the
-    part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
-    </para>
-
-    <para>This flag can break dynamic shared object loading. For instance, the
-    module systems of Xorg and OpenCV are incompatible with this flag. In almost
-    all cases the <varname>bindnow</varname> flag must also be disabled and
-    incompatible programs typically fail with similar errors at runtime.</para>
-    </listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><varname>bindnow</varname></term>
-    <listitem>
-    <para>Adds the <option>-z bindnow</option> linker option. During program
-    load, all dynamic symbols are resolved, allowing for the complete GOT to
-    be marked read-only (due to <varname>relro</varname>). This prevents GOT
-    overwrite attacks. For very large applications, this can incur some
-    performance loss during initial load while symbols are resolved, but this
-    shouldn't be an issue for daemons.
-    </para>
-
-    <para>This flag can break dynamic shared object loading. For instance, the
-    module systems of Xorg and PHP are incompatible with this flag. Programs
-    incompatible with this flag often fail at runtime due to missing symbols,
-    like:</para>
-
-    <programlisting>
-intel_drv.so: undefined symbol: vgaHWFreeHWRec
-    </programlisting>
-    </listitem>
-  </varlistentry>
-
-</variablelist>
-
-<para>The following flags are disabled by default and should be enabled
-for packages that take untrusted input, like network services.
-</para>
-
-<variablelist>
-
-  <varlistentry>
-    <term><varname>pie</varname></term>
-    <listitem>
-    <para>Adds the <option>-fPIE</option> compiler and <option>-pie</option>
-    linker options. Position Independent Executables are needed to take
-    advantage of Address Space Layout Randomization, supported by modern
-    kernel versions. While ASLR can already be enforced for data areas in
-    the stack and heap (brk and mmap), the code areas must be compiled as
-    position-independent. Shared libraries already do this with the
-    <varname>pic</varname> flag, so they gain ASLR automatically, but binary
-    .text regions need to be build with <varname>pie</varname> to gain ASLR.
-    When this happens, ROP attacks are much harder since there are no static
-    locations to bounce off of during a memory corruption attack.
-    </para>
-    </listitem>
-  </varlistentry>
-
-</variablelist>
-
-<para>For more in-depth information on these hardening flags and hardening in
-general, refer to the
-<link xlink:href="https://wiki.debian.org/Hardening">Debian Wiki</link>,
-<link xlink:href="https://wiki.ubuntu.com/Security/Features">Ubuntu Wiki</link>,
-<link xlink:href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Wiki</link>,
-and the <link xlink:href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">
-Arch Wiki</link>.
-</para>
-
-</section>

 </chapter>

--- a/lib/attrsets.nix
+++ b/lib/attrsets.nix
@@ -457,6 +457,7 @@ rec {

  /*** deprecated stuff ***/

+  deepSeqAttrs = throw "removed 2016-02-29 because unused and broken";
  zipWithNames = zipAttrsWithNames;
  zip = builtins.trace
    "lib.zip is deprecated, use lib.zipAttrsWith instead" zipAttrsWith;
--- a/lib/debug.nix
+++ b/lib/debug.nix
@@ -19,10 +19,6 @@ rec {
  traceXMLVal = x: trace (builtins.toXML x) x;
  traceXMLValMarked = str: x: trace (str + builtins.toXML x) x;

-  # strict trace functions (traced structure is fully evaluated and printed)
-  traceSeq = x: y: trace (builtins.deepSeq x x) y;
-  traceValSeq = v: traceVal (builtins.deepSeq v v);
-
  # this can help debug your code as well - designed to not produce thousands of lines
  traceShowVal = x : trace (showVal x) x;
  traceShowValMarked = str: x: trace (str + showVal x) x;
@@ -73,9 +69,27 @@ rec {
  # usage: { testX = allTrue [ true ]; }
  testAllTrue = expr : { inherit expr; expected = map (x: true) expr; };

-  strict = v:
-    trace "Warning: strict is deprecated and will be removed in the next release"
-      (builtins.seq v v);
+  # evaluate everything once so that errors will occur earlier
+  # hacky: traverse attrs by adding a dummy
+  # ignores functions (should this behavior change?) See strictf
+  #
+  # Note: This should be a primop! Something like seq of haskell would be nice to
+  # have as well. It's used fore debugging only anyway
+  strict = x :
+    let
+        traverse = x :
+          if isString x then true
+          else if isAttrs x then
+            if x ? outPath then true
+            else all id (mapAttrsFlatten (n: traverse) x)
+          else if isList x then
+            all id (map traverse x)
+          else if isBool x then true
+          else if isFunction x then true
+          else if isInt x then true
+          else if x == null then true
+          else true; # a (store) path?
+    in if traverse x then x else throw "else never reached";

  # example: (traceCallXml "myfun" id 3) will output something like
  # calling myfun arg 1: 3 result: 3
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@@ -188,24 +188,13 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {

  fdl13 = spdx {
    spdxId = "GFDL-1.3";
-    fullName = "GNU Free Documentation License v1.3";
+    fullName = "GNU Free Documentation License v1.2";
  };

  free = {
    fullName = "Unspecified free software license";
  };

-  g4sl = {
-    fullName = "Geant4 Software License";
-    url = https://geant4.web.cern.ch/geant4/license/LICENSE.html;
-  };
-
-  geogebra = {
-    fullName = "GeoGebra Non-Commercial License Agreement";
-    url = https://www.geogebra.org/license;
-    free = false;
-  };
-
  gpl1 = spdx {
    spdxId = "GPL-1.0";
    fullName = "GNU General Public License v1.0 only";
--- a/lib/lists.nix
+++ b/lib/lists.nix
@@ -68,7 +68,18 @@ rec {
       imap (i: v: "${v}-${toString i}") ["a" "b"]
       => [ "a-1" "b-2" ]
  */
-  imap = f: list: genList (n: f (n + 1) (elemAt list n)) (length list);
+  imap =
+    if builtins ? genList then
+      f: list: genList (n: f (n + 1) (elemAt list n)) (length list)
+    else
+      f: list:
+      let
+        len = length list;
+        imap' = n:
+          if n == len
+            then []
+            else [ (f (n + 1) (elemAt list n)) ] ++ imap' (n + 1);
+      in imap' 0;

  /* Map and concatenate the result.

@@ -89,7 +100,7 @@ rec {
  */
  flatten = x:
    if isList x
-    then concatMap (y: flatten y) x
+    then foldl' (x: y: x ++ (flatten y)) [] x
    else [x];

  /* Remove elements equal to 'e' from a list.  Useful for buildInputs.
@@ -205,11 +216,17 @@ rec {
       range 3 2
       => [ ]
  */
-  range = first: last:
-    if first > last then
-      []
+  range =
+    if builtins ? genList then
+      first: last:
+        if first > last
+        then []
+        else genList (n: first + n) (last - first + 1)
    else
-      genList (n: first + n) (last - first + 1);
+      first: last:
+        if last < first
+        then []
+        else [first] ++ range (first + 1) last;

  /* Splits the elements of a list in two lists, `right' and
     `wrong', depending on the evaluation of a predicate.
@@ -218,12 +235,12 @@ rec {
       partition (x: x > 2) [ 5 1 2 3 4 ]
       => { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }
  */
-  partition = builtins.partition or (pred:
+  partition = pred:
    fold (h: t:
      if pred h
      then { right = [h] ++ t.right; wrong = t.wrong; }
      else { right = t.right; wrong = [h] ++ t.wrong; }
-    ) { right = []; wrong = []; });
+    ) { right = []; wrong = []; };

  /* Merges two lists of the same size together. If the sizes aren't the same
     the merging stops at the shortest. How both lists are merged is defined
@@ -233,9 +250,19 @@ rec {
       zipListsWith (a: b: a + b) ["h" "l"] ["e" "o"]
       => ["he" "lo"]
  */
-  zipListsWith = f: fst: snd:
-    genList
-      (n: f (elemAt fst n) (elemAt snd n)) (min (length fst) (length snd));
+  zipListsWith =
+    if builtins ? genList then
+      f: fst: snd: genList (n: f (elemAt fst n) (elemAt snd n)) (min (length fst) (length snd))
+    else
+      f: fst: snd:
+      let
+        len = min (length fst) (length snd);
+        zipListsWith' = n:
+          if n != len then
+            [ (f (elemAt fst n) (elemAt snd n)) ]
+            ++ zipListsWith' (n + 1)
+          else [];
+      in zipListsWith' 0;

  /* Merges two lists of the same size together. If the sizes aren't the same
     the merging stops at the shortest.
@@ -253,88 +280,11 @@ rec {
       reverseList [ "b" "o" "j" ]
       => [ "j" "o" "b" ]
  */
-  reverseList = xs:
-    let l = length xs; in genList (n: elemAt xs (l - n - 1)) l;
-
-  /* Depth-First Search (DFS) for lists `list != []`.
-
-     `before a b == true` means that `b` depends on `a` (there's an
-     edge from `b` to `a`).
-
-     Examples:
-
-         listDfs true hasPrefix [ "/home/user" "other" "/" "/home" ]
-           == { minimal = "/";                  # minimal element
-                visited = [ "/home/user" ];     # seen elements (in reverse order)
-                rest    = [ "/home" "other" ];  # everything else
-              }
-
-         listDfs true hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
-           == { cycle   = "/";                  # cycle encountered at this element
-                loops   = [ "/" ];              # and continues to these elements
-                visited = [ "/" "/home/user" ]; # elements leading to the cycle (in reverse order)
-                rest    = [ "/home" "other" ];  # everything else
-
-   */
-
-  listDfs = stopOnCycles: before: list:
-    let
-      dfs' = us: visited: rest:
-        let
-          c = filter (x: before x us) visited;
-          b = partition (x: before x us) rest;
-        in if stopOnCycles && (length c > 0)
-           then { cycle = us; loops = c; inherit visited rest; }
-           else if length b.right == 0
-                then # nothing is before us
-                     { minimal = us; inherit visited rest; }
-                else # grab the first one before us and continue
-                     dfs' (head b.right)
-                          ([ us ] ++ visited)
-                          (tail b.right ++ b.wrong);
-    in dfs' (head list) [] (tail list);
-
-  /* Sort a list based on a partial ordering using DFS. This
-     implementation is O(N^2), if your ordering is linear, use `sort`
-     instead.
-
-     `before a b == true` means that `b` should be after `a`
-     in the result.
-
-     Examples:
-
-         toposort hasPrefix [ "/home/user" "other" "/" "/home" ]
-           == { result = [ "/" "/home" "/home/user" "other" ]; }
-
-         toposort hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
-           == { cycle = [ "/home/user" "/" "/" ]; # path leading to a cycle
-                loops = [ "/" ]; }                # loops back to these elements
-
-         toposort hasPrefix [ "other" "/home/user" "/home" "/" ]
-           == { result = [ "other" "/" "/home" "/home/user" ]; }
-
-         toposort (a: b: a < b) [ 3 2 1 ] == { result = [ 1 2 3 ]; }
-
-   */
-
-  toposort = before: list:
-    let
-      dfsthis = listDfs true before list;
-      toporest = toposort before (dfsthis.visited ++ dfsthis.rest);
-    in
-      if length list < 2
-      then # finish
-           { result =  list; }
-      else if dfsthis ? "cycle"
-           then # there's a cycle, starting from the current vertex, return it
-                { cycle = reverseList ([ dfsthis.cycle ] ++ dfsthis.visited);
-                  inherit (dfsthis) loops; }
-           else if toporest ? "cycle"
-                then # there's a cycle somewhere else in the graph, return it
-                     toporest
-                # Slow, but short. Can be made a bit faster with an explicit stack.
-                else # there are no cycles
-                     { result = [ dfsthis.minimal ] ++ toporest.result; };
+  reverseList =
+    if builtins ? genList then
+      xs: let l = length xs; in genList (n: elemAt xs (l - n - 1)) l
+    else
+      fold (e: acc: acc ++ [ e ]) [];

  /* Sort a list based on a comparator function which compares two
     elements and returns true if the first argument is strictly below
@@ -370,7 +320,19 @@ rec {
       take 2 [ ]
       => [ ]
  */
-  take = count: sublist 0 count;
+  take =
+    if builtins ? genList then
+      count: sublist 0 count
+    else
+      count: list:
+        let
+          len = length list;
+          take' = n:
+            if n == len || n == count
+              then []
+            else
+              [ (elemAt list n) ] ++ take' (n + 1);
+        in take' 0;

  /* Remove the first (at most) N elements of a list.

@@ -380,7 +342,19 @@ rec {
       drop 2 [ ]
       => [ ]
  */
-  drop = count: list: sublist count (length list) list;
+  drop =
+    if builtins ? genList then
+      count: list: sublist count (length list) list
+    else
+      count: list:
+        let
+          len = length list;
+          drop' = n:
+            if n == -1 || n < count
+              then []
+            else
+              drop' (n - 1) ++ [ (elemAt list n) ];
+        in drop' (len - 1);

  /* Return a list consisting of at most ‘count’ elements of ‘list’,
     starting at index ‘start’.
@@ -454,4 +428,8 @@ rec {
  */
  subtractLists = e: filter (x: !(elem x e));

+  /*** deprecated stuff ***/
+
+  deepSeqList = throw "removed 2016-02-29 because unused and broken";
+
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -11,11 +11,9 @@
  abaldeau = "Andreas Baldeau <andreas@baldeau.net>";
  abbradar = "Nikolay Amiantov <ab@fmap.me>";
  aboseley = "Adam Boseley <adam.boseley@gmail.com>";
-  abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
  adev = "Adrien Devresse <adev@adev.name>";
  Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
  adnelson = "Allen Nelson <ithinkican@gmail.com>";
-  adolfogc = "Adolfo E. García Castro <adolfo.garcia.cr@gmail.com>";
  aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>";
  aflatter = "Alexander Flatter <flatter@fastmail.fm>";
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
@@ -39,7 +37,6 @@
  aristid = "Aristid Breitkreuz <aristidb@gmail.com>";
  arobyn = "Alexei Robyn <shados@shados.net>";
  artuuge = "Artur E. Ruuge <artuuge@gmail.com>";
-  ashalkhakov = "Artyom Shalkhakov <artyom.shalkhakov@gmail.com>";
  asppsa = "Alastair Pharo <asppsa@gmail.com>";
  astsmtl = "Alexander Tsamutali <astsmtl@yandex.ru>";
  aszlig = "aszlig <aszlig@redmoonstudios.org>";
@@ -72,16 +69,12 @@
  c0dehero = "CodeHero <codehero@nerdpol.ch>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
-  carlsverre = "Carl Sverre <accounts@carlsverre.com>";
  cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  chattered = "Phil Scott <me@philscotted.com>";
  choochootrain = "Hurshal Patel <hurshal@imap.cc>";
-  chris-martin = "Chris Martin <ch.martin@gmail.com>";
-  chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
  christopherpoole = "Christopher Mark Poole <mail@christopherpoole.net>";
-  cko = "Christine Koppelt <christine.koppelt@gmail.com>";
  cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
  cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
@@ -100,7 +93,6 @@
  davidak = "David Kleuker <post@davidak.de>";
  davidrusu = "David Rusu <davidrusu.me@gmail.com>";
  dbohdan = "Danyil Bohdan <danyil.bohdan@gmail.com>";
-  dbrock = "Daniel Brockman <daniel@brockman.se>";
  deepfire = "Kosyrev Serge <_deepfire@feelingofgreen.ru>";
  demin-dmitriy = "Dmitriy Demin <demindf@gmail.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
@@ -112,7 +104,6 @@
  dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
  dochang = "Desmond O. Chang <dochang@gmail.com>";
  doublec = "Chris Double <chris.double@double.co.nz>";
-  drets = "Dmytro Rets <dmitryrets@gmail.com>";
  drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
  ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
  ederoyd46 = "Matthew Brown <matt@ederoyd.co.uk>";
@@ -129,7 +120,7 @@
  ericbmerritt = "Eric Merritt <eric@afiniate.com>";
  ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
  erikryb = "Erik Rybakken <erik.rybakken@math.ntnu.no>";
-  ertes = "Ertugrul Söylemez <esz@posteo.de>";
+  ertes = "Ertugrul Söylemez <ertesx@gmx.de>";
  exi = "Reno Reckling <nixos@reckling.org>";
  exlevan = "Alexey Levan <exlevan@gmail.com>";
  expipiplus1 = "Joe Hermaszewski <nix@monoid.al>";
@@ -137,7 +128,6 @@
  falsifian = "James Cook <james.cook@utoronto.ca>";
  flosse = "Markus Kohlhase <mail@markus-kohlhase.de>";
  fluffynukeit = "Daniel Austin <dan@fluffynukeit.com>";
-  fmthoma = "Franz Thoma <f.m.thoma@googlemail.com>";
  forkk = "Andrew Okin <forkk@forkk.net>";
  fornever = "Friedrich von Never <friedrich@fornever.me>";
  fpletz = "Franz Pletz <fpletz@fnordicwalking.de>";
@@ -166,7 +156,6 @@
  guibert = "David Guibert <david.guibert@gmail.com>";
  havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
  hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
-  hce = "Hans-Christian Esperer <hc@hcesperer.org>";
  henrytill = "Henry Till <henrytill@gmail.com>";
  hiberno = "Christian Lask <hiberno@hiberno.net>";
  hinton = "Tom Hinton <t@larkery.com>";
@@ -190,7 +179,6 @@
  joamaki = "Jussi Maki <joamaki@gmail.com>";
  joelmo = "Joel Moberg <joel.moberg@gmail.com>";
  joelteon = "Joel Taylor <me@joelt.io>";
-  joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
  juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
@@ -237,23 +225,19 @@
  markus1189 = "Markus Hauck <markus1189@gmail.com>";
  markWot = "Markus Wotringer <markus@wotringer.de>";
  martijnvermaat = "Martijn Vermaat <martijn@vermaat.name>";
-  martingms = "Martin Gammelsæter <martin@mg.am>";
  matejc = "Matej Cotman <cotman.matej@gmail.com>";
  mathnerd314 = "Mathnerd314 <mathnerd314.gph+hs@gmail.com>";
  matthiasbeyer = "Matthias Beyer <mail@beyermatthias.de>";
  maurer = "Matthew Maurer <matthew.r.maurer+nix@gmail.com>";
-  mbakke = "Marius Bakke <mbakke@fastmail.com>";
+  mbakke = "Marius Bakke <ymse@tuta.io>";
  matthewbauer = "Matthew Bauer <mjbauer95@gmail.com>";
  mbe = "Brandon Edens <brandonedens@gmail.com>";
  mboes = "Mathieu Boespflug <mboes@tweag.net>";
  mcmtroffaes = "Matthias C. M. Troffaes <matthias.troffaes@gmail.com>";
  meditans = "Carlo Nucera <meditans@gmail.com>";
  meisternu = "Matt Miemiec <meister@krutt.org>";
-  mic92 = "Jörg Thalheim <joerg@higgsboson.tk>";
  michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
-  michalrus = "Michal Rus <m@michalrus.com>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
-  mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
  mingchuan = "Ming Chuan <ming@culpring.com>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
  mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
@@ -263,9 +247,7 @@
  moretea = "Maarten Hoogendoorn <maarten@moretea.nl>";
  mornfall = "Petr Ročkai <me@mornfall.net>";
  MostAwesomeDude = "Corbin Simpson <cds@corbinsimpson.com>";
-  mounium = "Katona László <muoniurn@gmail.com>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
-  mpscholten = "Marc Scholten <marc@mpscholten.de>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
  mschristiansen = "Mikkel Christiansen <mikkel@rheosystems.com>";
  msteen = "Matthijs Steen <emailmatthijs@gmail.com>";
@@ -273,9 +255,7 @@
  mudri = "James Wood <lamudri@gmail.com>";
  muflax = "Stefan Dorn <mail@muflax.com>";
  myrl = "Myrl Hex <myrl.0xf@gmail.com>";
-  nand0p = "Fernando Jose Pando <nando@hex7.com>";
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
-  Nate-Devv = "Nathan Moore <natedevv@gmail.com>";
  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
  nequissimus = "Tim Steinbach <tim@nequissimus.com>";
  nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
@@ -289,7 +269,6 @@
  odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
  offline = "Jaka Hudoklin <jakahudoklin@gmail.com>";
  olcai = "Erik Timan <dev@timan.info>";
-  olejorgenb = "Ole Jørgen Brønner <olejorgenb@yahoo.no>";
  orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
  osener = "Ozan Sener <ozan@ozansener.com>";
  otwieracz = "Slawomir Gonet <slawek@otwiera.cz>";
@@ -299,7 +278,6 @@
  pakhfn = "Fedor Pakhomov <pakhfn@gmail.com>";
  palo = "Ingolf Wanger <palipalo9@googlemail.com>";
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
-  pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
  pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
  peterhoeg = "Peter Hoeg <peter@hoeg.com>";
  peti = "Peter Simons <simons@cryp.to>";
@@ -318,7 +296,6 @@
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  prikhi = "Pavan Rikhi <pavan.rikhi@gmail.com>";
  profpatsch = "Profpatsch <mail@profpatsch.de>";
-  proglodyte = "Proglodyte <proglodyte23@gmail.com>";
  pshendry = "Paul Hendry <paul@pshendry.com>";
  psibi = "Sibi <sibi@psibi.in>";
  pSub = "Pascal Wittmann <mail@pascal-wittmann.de>";
@@ -326,8 +303,6 @@
  pxc = "Patrick Callahan <patrick.callahan@latitudeengineering.com>";
  qknight = "Joachim Schiele <js@lastlog.de>";
  ragge = "Ragnar Dahlen <r.dahlen@gmail.com>";
-  ralith = "Benjamin Saunders <ben.e.saunders@gmail.com>";
-  ramkromberg = "Ram Kromberg <ramkromberg@mail.com>";
  rardiol = "Ricardo Ardissone <ricardo.ardissone@gmail.com>";
  rasendubi = "Alexey Shmalko <rasen.dubi@gmail.com>";
  raskin = "Michael Raskin <7c6f434c@mail.ru>";
@@ -344,7 +319,6 @@
  robberer = "Longrin Wischnewski <robberer@freakmail.de>";
  robbinch = "Robbin C. <robbinch33@gmail.com>";
  robgssp = "Rob Glossop <robgssp@gmail.com>";
-  roblabla = "Robin Lambertz <robinlambertz+dev@gmail.com>";
  roconnor = "Russell O'Connor <roconnor@theorem.ca>";
  romildo = "José Romildo Malaquias <malaquias@gmail.com>";
  rszibele = "Richard Szibele <richard_szibele@hotmail.com>";
@@ -353,10 +327,8 @@
  rvlander = "Gaëtan André <rvlander@gaetanandre.eu>";
  ryanartecona = "Ryan Artecona <ryanartecona@gmail.com>";
  ryantm = "Ryan Mulligan <ryan@ryantm.com>";
-  ryansydnor = "Ryan Sydnor <ryan.t.sydnor@gmail.com>";
  rycee = "Robert Helgesson <robert@rycee.net>";
  ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
-  s1lvester = "Markus Silvester <s1lvester@bockhacker.me>";
  samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
  schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
@@ -368,7 +340,6 @@
  sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
  shell = "Shell Turner <cam.turn@gmail.com>";
  shlevy = "Shea Levy <shea@shealevy.com>";
-  siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
  simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
  sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
  sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
@@ -377,16 +348,13 @@
  skrzyp = "Jakub Skrzypnik <jot.skrzyp@gmail.com>";
  sleexyz = "Sean Lee <freshdried@gmail.com>";
  smironov = "Sergey Mironov <ierton@gmail.com>";
-  solson = "Scott Olson <scott@solson.me>";
  spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
  spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
  spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
  sprock = "Roger Mason <rmason@mun.ca>";
  spwhitt = "Spencer Whitt <sw@swhitt.me>";
-  SShrike = "Severen Redwood <severen@shrike.me>";
  stephenmw = "Stephen Weinberg <stephen@q5comm.com>";
  steveej = "Stefan Junker <mail@stefanjunker.de>";
-  swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
  swistak35 = "Rafał Łasocha <me@swistak35.com>";
  szczyp = "Szczyp <qb@szczyp.com>";
  sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
@@ -437,12 +405,10 @@
  wscott = "Wayne Scott <wsc9tt@gmail.com>";
  wyvie = "Elijah Rum <elijahrum@gmail.com>";
  yarr = "Dmitry V. <savraz@gmail.com>";
-  yurrriq = "Eric Bailey <eric@ericb.me>";
  z77z = "Marco Maggesi <maggesi@math.unifi.it>";
  zagy = "Christian Zagrodnick <cz@flyingcircus.io>";
  zef = "Zef Hemel <zef@zef.me>";
  zimbatm = "zimbatm <zimbatm@zimbatm.com>";
  zohl = "Al Zohali <zohl@fmap.me>";
  zoomulator = "Kim Simmons <zoomulator@gmail.com>";
-  amiloradovsky = "Andrew Miloradovsky <miloradovsky@gmail.com>";
 }
--- a/lib/modules.nix
+++ b/lib/modules.nix
@@ -105,12 +105,8 @@ rec {
  /* Massage a module into canonical form, that is, a set consisting
     of ‘options’, ‘config’ and ‘imports’ attributes. */
  unifyModuleSyntax = file: key: m:
-    let metaSet = if m ? meta 
-      then { meta = m.meta; }
-      else {};
-    in
    if m ? config || m ? options then
-      let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file" "meta"]; in
+      let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file"]; in
      if badAttrs != {} then
        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by assignments to the top-level attributes `config' or `options'."
      else
@@ -118,14 +114,14 @@ rec {
          key = toString m.key or key;
          imports = m.imports or [];
          options = m.options or {};
-          config = mkMerge [ (m.config or {}) metaSet ];
+          config = m.config or {};
        }
    else
      { file = m._file or file;
        key = toString m.key or key;
        imports = m.require or [] ++ m.imports or [];
        options = {};
-        config = mkMerge [ (removeAttrs m ["key" "_file" "require" "imports"]) metaSet ];
+        config = removeAttrs m ["key" "_file" "require" "imports"];
      };

  applyIfFunction = key: f: args@{ config, options, lib, ... }: if isFunction f then
@@ -507,25 +503,19 @@ rec {
  /* Return a module that causes a warning to be shown if the
     specified option is defined. For example,

-       mkRemovedOptionModule [ "boot" "loader" "grub" "bootDevice" ] "<replacement instructions>"
+       mkRemovedOptionModule [ "boot" "loader" "grub" "bootDevice" ]

     causes a warning if the user defines boot.loader.grub.bootDevice.
-
-     replacementInstructions is a string that provides instructions on
-     how to achieve the same functionality without the removed option,
-     or alternatively a reasoning why the functionality is not needed.
-     replacementInstructions SHOULD be provided!
  */
-  mkRemovedOptionModule = optionName: replacementInstructions:
+  mkRemovedOptionModule = optionName:
    { options, ... }:
    { options = setAttrByPath optionName (mkOption {
        visible = false;
      });
      config.warnings =
        let opt = getAttrFromPath optionName options; in
-        optional opt.isDefined ''
-            The option definition `${showOption optionName}' in ${showFiles opt.files} no longer has any effect; please remove it.
-            ${replacementInstructions}'';
+        optional opt.isDefined
+          "The option definition `${showOption optionName}' in ${showFiles opt.files} no longer has any effect; please remove it.";
    };

  /* Return a module that causes a warning to be shown if the
--- a/lib/sources.nix
+++ b/lib/sources.nix
@@ -4,11 +4,6 @@ let lib = import ./default.nix; in

 rec {

-  # Returns the type of a path: regular (for file), symlink, or directory
-  pathType = p: with builtins; getAttr (baseNameOf p) (readDir (dirOf p));
-
-  # Returns true if the path exists and is a directory, false otherwise
-  pathIsDirectory = p: if builtins.pathExists p then (pathType p) == "directory" else false;

  # Bring in a path as a source, filtering out all Subversion and CVS
  # directories, as well as backup files (*~).
@@ -20,9 +15,7 @@ rec {
      lib.hasSuffix "~" baseName ||
      # Filter out generates files.
      lib.hasSuffix ".o" baseName ||
-      lib.hasSuffix ".so" baseName ||
-      # Filter out nix-build result symlinks
-      (type == "symlink" && lib.hasPrefix "result" baseName)
+      lib.hasSuffix ".so" baseName
    );
    in src: builtins.filterSource filter src;

@@ -36,7 +29,6 @@ rec {
      in type == "directory" || lib.any (ext: lib.hasSuffix ext base) exts;
    in builtins.filterSource filter path;

-
  # Get the commit id of a git repo
  # Example: commitIdFromGitRepo <nixpkgs/.git>
  commitIdFromGitRepo =
@@ -46,22 +38,21 @@ rec {
            packedRefsName = toString path + "/packed-refs";
        in if lib.pathExists fileName
           then
-             let fileContent = lib.fileContents fileName;
+             let fileContent = readFile fileName;
                 # Sometimes git stores the commitId directly in the file but
                 # sometimes it stores something like: «ref: refs/heads/branch-name»
-                 matchRef    = match "^ref: (.*)$" fileContent;
+                 matchRef    = match "^ref: (.*)\n$" fileContent;
             in if   isNull matchRef
-                then fileContent
+                then lib.removeSuffix "\n" fileContent
                else readCommitFromFile path (lib.head matchRef)
           # Sometimes, the file isn't there at all and has been packed away in the
           # packed-refs file, so we have to grep through it:
           else if lib.pathExists packedRefsName
           then
-             let fileContent = readFile packedRefsName;
-                 matchRef    = match (".*\n([^\n ]*) " + file + "\n.*") fileContent;
-             in if   isNull matchRef
-                then throw ("Could not find " + file + " in " + packedRefsName)
-                else lib.head matchRef
+             let packedRefs  = lib.splitString "\n" (readFile packedRefsName);
+                 matchRule   = match ("^(.*) " + file + "$");
+                 matchedRefs = lib.flatten (lib.filter (m: ! (isNull m)) (map matchRule packedRefs));
+             in lib.head matchedRefs
           else throw ("Not a .git directory: " + path);
    in lib.flip readCommitFromFile "HEAD";
 }
--- a/lib/strings.nix
+++ b/lib/strings.nix
@@ -16,7 +16,11 @@ rec {
       concatStrings ["foo" "bar"]
       => "foobar"
  */
-  concatStrings = builtins.concatStringsSep "";
+  concatStrings =
+    if builtins ? concatStringsSep then
+      builtins.concatStringsSep ""
+    else
+      lib.foldl' (x: y: x + y) "";

  /* Map a function over a list and concatenate the resulting strings.

@@ -156,12 +160,12 @@ rec {
       hasSuffix "foo" "barfoo"
       => true
  */
-  hasSuffix = suffix: content:
+  hasSuffix = suff: str:
    let
-      lenContent = stringLength content;
-      lenSuffix = stringLength suffix;
-    in lenContent >= lenSuffix &&
-       substring (lenContent - lenSuffix) lenContent content == suffix;
+      lenStr = stringLength str;
+      lenSuff = stringLength suff;
+    in lenStr >= lenSuff &&
+       substring (lenStr - lenSuff) lenStr str == suff;

  /* Convert a string to a list of characters (i.e. singleton strings).
     This allows you to, e.g., map a function over each character.  However,
@@ -203,21 +207,13 @@ rec {
  */
  escape = list: replaceChars list (map (c: "\\${c}") list);

-  /* Quote string to be used safely within the Bourne shell.
+  /* Escape all characters that have special meaning in the Bourne shell.

     Example:
-       escapeShellArg "esc'ape\nme"
-       => "'esc'\\''ape\nme'"
+       escapeShellArg "so([<>])me"
+       => "so\\(\\[\\<\\>\\]\\)me"
  */
-  escapeShellArg = arg: "'${replaceStrings ["'"] ["'\\''"] (toString arg)}'";
-
-  /* Quote all arguments to be safely passed to the Bourne shell.
-
-     Example:
-       escapeShellArgs ["one" "two three" "four'five"]
-       => "'one' 'two three' 'four'\\''five'"
-  */
-  escapeShellArgs = concatMapStringsSep " " escapeShellArg;
+  escapeShellArg = lib.escape (stringToCharacters "\\ ';$`()|<>\t*[]");

  /* Obsolete - use replaceStrings instead. */
  replaceChars = builtins.replaceStrings or (
@@ -248,7 +244,7 @@ rec {
  /* Converts an ASCII string to upper-case.

     Example:
-       toUpper "home"
+       toLower "home"
       => "HOME"
  */
  toUpper = replaceChars lowerChars upperChars;
@@ -372,12 +368,7 @@ rec {
       getVersion pkgs.youtube-dl
       => "2016.01.01"
  */
-  getVersion = x:
-   let
-     parse = drv: (builtins.parseDrvName drv).version;
-   in if isString x
-      then parse x
-      else x.version or (parse x.name);
+  getVersion = x: (builtins.parseDrvName (x.name or x)).version;

  /* Extract name with version from URL. Ask for separator which is
     supposed to start extension.
@@ -484,14 +475,4 @@ rec {
      absolutePaths = builtins.map (path: builtins.toPath (root + "/" + path)) relativePaths;
    in
      absolutePaths;
-
-  /* Read the contents of a file removing the trailing \n
-
-     Example:
-       $ echo "1.0" > ./version
-
-       fileContents ./version
-       => "1.0"
-  */
-  fileContents = file: removeSuffix "\n" (builtins.readFile file);
 }
--- a/lib/tests/release.nix
+++ b/lib/tests/release.nix
@@ -1,6 +1,6 @@
 { nixpkgs }:

-with import ../.. { };
+with import ./../.. { };
 with lib;

 stdenv.mkDerivation {
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@@ -62,16 +62,14 @@ rec {
    isInt add sub lessThan
    seq deepSeq genericClosure;

-  inherit (import ./strings.nix) fileContents;
-
  # Return the Nixpkgs version number.
  nixpkgsVersion =
    let suffixFile = ../.version-suffix; in
-    fileContents ../.version
-    + (if pathExists suffixFile then fileContents suffixFile else "pre-git");
+    readFile ../.version
+    + (if pathExists suffixFile then readFile suffixFile else "pre-git");

  # Whether we're being called by nix-shell.
-  inNixShell = builtins.getEnv "IN_NIX_SHELL" != "";
+  inNixShell = builtins.getEnv "IN_NIX_SHELL" == "1";

  # Return minimum/maximum of two numbers.
  min = x: y: if x < y then x else y;
@@ -98,19 +96,4 @@ rec {
  */
  importJSON = path:
    builtins.fromJSON (builtins.readFile path);
-
-  /* See https://github.com/NixOS/nix/issues/749. Eventually we'd like these
-     to expand to Nix builtins that carry metadata so that Nix can filter out
-     the INFO messages without parsing the message string.
-
-     Usage:
-     {
-       foo = lib.warn "foo is deprecated" oldFoo;
-     }
-
-     TODO: figure out a clever way to integrate location information from
-     something like __unsafeGetAttrPos.
-  */
-  warn = msg: builtins.trace "WARNING: ${msg}";
-  info = msg: builtins.trace "INFO: ${msg}";
 }
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -100,10 +100,6 @@ rec {
        in if isDerivation res then res else toDerivation res;
    };

-    shellPackage = package // {
-      check = x: (package.check x) && (hasAttr "shellPath" x);
-    };
-
    path = mkOptionType {
      name = "path";
      # Hacky: there is no ‘isPath’ primop.
--- a/maintainers/scripts/fetch-kde-qt.sh
+++ b/maintainers/scripts/fetch-kde-qt.sh
@@ -1,58 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p coreutils findutils gnused nix wget
-
-SRCS=
-if [ -d "$1" ]; then
-    SRCS="$(pwd)/$1/srcs.nix"
-    . "$1/fetch.sh"
-else
-    SRCS="$(pwd)/$(dirname $1)/srcs.nix"
-    . "$1"
-fi
-
-tmp=$(mktemp -d)
-pushd $tmp >/dev/null
-wget -nH -r -c --no-parent "${WGET_ARGS[@]}" >/dev/null
-
-csv=$(mktemp)
-find . -type f | while read src; do
-    # Sanitize file name
-    filename=$(basename "$src" | tr '@' '_')
-    nameVersion="${filename%.tar.*}"
-    name=$(echo "$nameVersion" | sed -e 's,-[[:digit:]].*,,' | sed -e 's,-opensource-src$,,')
-    version=$(echo "$nameVersion" | sed -e 's,^\([[:alpha:]][[:alnum:]]*-\)\+,,')
-    echo "$name,$version,$src,$filename" >>$csv
-done
-
-cat >"$SRCS" <<EOF
-# DO NOT EDIT! This file is generated automatically by fetch-kde-qt.sh
-{ fetchurl, mirror }:
-
-{
-EOF
-
-gawk -F , "{ print \$1 }" $csv | sort | uniq | while read name; do
-    versions=$(gawk -F , "/^$name,/ { print \$2 }" $csv)
-    latestVersion=$(echo "$versions" | sort -rV | head -n 1)
-    src=$(gawk -F , "/^$name,$latestVersion,/ { print \$3 }" $csv)
-    filename=$(gawk -F , "/^$name,$latestVersion,/ { print \$4 }" $csv)
-    url="${src:2}"
-    sha256=$(nix-hash --type sha256 --base32 --flat "$src")
-    cat >>"$SRCS" <<EOF
-  $name = {
-    version = "$latestVersion";
-    src = fetchurl {
-      url = "\${mirror}/$url";
-      sha256 = "$sha256";
-      name = "$filename";
-    };
-  };
-EOF
-done
-
-echo "}" >>"$SRCS"
-
-popd >/dev/null
-rm -fr $tmp >/dev/null
-
-rm -f $csv >/dev/null
--- a/maintainers/scripts/nix-generate-from-cpan.pl
+++ b/maintainers/scripts/nix-generate-from-cpan.pl
@@ -395,21 +395,16 @@ my $meta = read_meta($pkg_path);

 DEBUG( "metadata: ", encode_json( $meta->as_struct ) ) if defined $meta;

-my @runtime_deps = sort( uniq( get_deps( $cb, $meta, "runtime" ) ) );
-INFO("runtime deps: @runtime_deps");
-
 my @build_deps = sort( uniq(
        get_deps( $cb, $meta, "configure" ),
        get_deps( $cb, $meta, "build" ),
        get_deps( $cb, $meta, "test" )
 ) );
-
-# Filter out runtime dependencies since those are already handled.
-my %in_runtime_deps = map { $_ => 1 } @runtime_deps;
-@build_deps = grep { not $in_runtime_deps{$_} } @build_deps;
-
 INFO("build deps: @build_deps");

+my @runtime_deps = sort( uniq( get_deps( $cb, $meta, "runtime" ) ) );
+INFO("runtime deps: @runtime_deps");
+
 my $homepage = $meta ? $meta->resources->{homepage} : undef;
 INFO("homepage: $homepage") if defined $homepage;

--- a/maintainers/scripts/nixpkgs-lint.nix
+++ b/maintainers/scripts/nixpkgs-lint.nix
@@ -18,6 +18,5 @@ stdenv.mkDerivation {
  meta = {
    maintainers = [ stdenv.lib.maintainers.eelco ];
    description = "A utility for Nixpkgs contributors to check Nixpkgs for common errors";
-    platforms = stdenv.lib.platforms.unix;
  };
 }
--- a/maintainers/scripts/travis-nox-review-pr.sh
+++ b/maintainers/scripts/travis-nox-review-pr.sh
@@ -1,76 +1,53 @@
 #! /usr/bin/env bash
 set -e

-while test -n "$1"; do
+export NIX_CURL_FLAGS=-sS

-    # tell Travis to use folding
-    echo -en "travis_fold:start:$1\r"
+if [[ $1 == nix ]]; then
+    echo "=== Installing Nix..."
+    # Install Nix
+    bash <(curl -sS https://nixos.org/nix/install)
+    source $HOME/.nix-profile/etc/profile.d/nix.sh

-    case $1 in
+    # Make sure we can use hydra's binary cache
+    sudo mkdir /etc/nix
+    sudo sh -c 'echo "build-max-jobs = 4" > /etc/nix/nix.conf'

-        nixpkgs-verify)
-            echo "=== Verifying that nixpkgs evaluates..."
+    # Verify evaluation
+    echo "=== Verifying that nixpkgs evaluates..."
+    nix-env -f. -qa --json >/dev/null
+elif [[ $1 == nox ]]; then
+    source $HOME/.nix-profile/etc/profile.d/nix.sh
+    echo "=== Installing nox..."
+    nix-build -A nox '<nixpkgs>' --show-trace
+elif [[ $1 == build ]]; then
+    source $HOME/.nix-profile/etc/profile.d/nix.sh

-            nix-env --file $TRAVIS_BUILD_DIR --query --available --json > /dev/null
-            ;;
+    if [[ $TRAVIS_OS_NAME == "osx" ]]; then
+        echo "Skipping NixOS things on darwin"
+    else
+        echo "=== Checking NixOS options"
+        nix-build nixos/release.nix -A options --show-trace

-        nixos-options)
-            echo "=== Checking NixOS options"
+        echo "=== Checking tarball creation"
+        nix-build pkgs/top-level/release.nix -A tarball --show-trace
+    fi

-            nix-build $TRAVIS_BUILD_DIR/nixos/release.nix --attr options --show-trace
-            ;;
+    if [[ $TRAVIS_PULL_REQUEST == false ]]; then
+        echo "=== Not a pull request"
+    else
+        echo "=== Checking PR"

-        nixos-manual)
-            echo "=== Checking NixOS manuals"
-
-            nix-build $TRAVIS_BUILD_DIR/nixos/release.nix --attr manual --show-trace
-            ;;
-
-        nixpkgs-manual)
-            echo "=== Checking nixpkgs manuals"
-
-            nix-build $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr manual --show-trace
-            ;;
-
-        nixpkgs-tarball)
-            echo "=== Checking nixpkgs tarball creation"
-
-            nix-build $TRAVIS_BUILD_DIR/pkgs/top-level/release.nix --attr tarball --show-trace
-            ;;
-
-        nixpkgs-lint)
-            echo "=== Checking nixpkgs lint"
-
-            nix-shell --packages nixpkgs-lint --run "nixpkgs-lint -f $TRAVIS_BUILD_DIR"
-            ;;
-
-        nox)
-            echo "=== Fetching Nox from binary cache"
-
-            # build nox silently so it's not in the log
-            nix-build "<nixpkgs>" -A nox -A stdenv
-            ;;
-
-        pr)
-            if [ "$TRAVIS_PULL_REQUEST" == "false" ]; then
-                echo "=== No pull request found"
-            else
-                echo "=== Building pull request #$TRAVIS_PULL_REQUEST"
-
-                token=""
-                if [ -n "$GITHUB_TOKEN" ]; then
-                    token="--token $GITHUB_TOKEN"
-                fi
-
-                nix-shell --packages nox --run "nox-review pr --slug $TRAVIS_REPO_SLUG $token $TRAVIS_PULL_REQUEST"
+        if ! nix-shell -p nox --run "nox-review pr ${TRAVIS_PULL_REQUEST}"; then
+            if sudo dmesg | egrep 'Out of memory|Killed process' > /tmp/oom-log; then
+                echo "=== The build failed due to running out of memory:"
+                cat /tmp/oom-log
+                echo "=== Please disregard the result of this Travis build."
            fi
-            ;;
-
-        *)
-            echo "Skipping unknown option $1"
-            ;;
-    esac
-
-    echo -en "travis_fold:end:$1\r"
-    shift
-done
+            exit 1
+        fi
+    fi
+else
+    echo "$0: Unknown option $1" >&2
+    false
+fi
--- a/nixos/doc/manual/administration/imperative-containers.xml
+++ b/nixos/doc/manual/administration/imperative-containers.xml
@@ -7,11 +7,7 @@
 <title>Imperative Container Management</title>

 <para>We’ll cover imperative container management using
-<command>nixos-container</command> first.
-Be aware that container management is currently only possible
-as <literal>root</literal>.</para>
-
-<para>You create a container with
+<command>nixos-container</command> first. You create a container with
 identifier <literal>foo</literal> as follows:

 <screen>
--- a/nixos/doc/manual/configuration/configuration.xml
+++ b/nixos/doc/manual/configuration/configuration.xml
@@ -24,9 +24,13 @@ effect after you run <command>nixos-rebuild</command>.</para>
 <xi:include href="networking.xml" />
 <xi:include href="linux-kernel.xml" />

-<xi:include href="modules.xml" xpointer="xpointer(//section[@id='modules']/*)" />
+<!-- FIXME: auto-include NixOS module docs -->
+<xi:include href="postgresql.xml" />
+<xi:include href="gitlab.xml" />
+<xi:include href="taskserver.xml" />
+<xi:include href="acme.xml" />
+<xi:include href="input-methods.xml" />

 <!-- Apache; libvirtd virtualisation -->

 </part>
-
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@@ -115,14 +115,5 @@ services.xserver.synaptics.twoFingerScroll = true;

 </simplesect>

-<simplesect><title>GTK/Qt themes</title>
-
-<para>GTK themes can be installed either to user profile or system-wide (via
-<literal>system.environmentPackages</literal>). To make Qt 5 applications look similar
-to GTK2 ones, you can install <literal>qt5.qtbase.gtk</literal> package into your
-system environment. It should work for all Qt 5 library versions.
-</para>
-
-</simplesect>

 </chapter>
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@@ -1,27 +1,27 @@
-{ pkgs, options, config, version, revision, extraSources ? [] }:
+{ pkgs, options, version, revision, extraSources ? [] }:

 with pkgs;
+with pkgs.lib;

 let
-  lib = pkgs.lib;

  # Remove invisible and internal options.
-  optionsList = lib.filter (opt: opt.visible && !opt.internal) (lib.optionAttrSetToDocList options);
+  optionsList = filter (opt: opt.visible && !opt.internal) (optionAttrSetToDocList options);

  # Replace functions by the string <function>
  substFunction = x:
-    if builtins.isAttrs x then lib.mapAttrs (name: substFunction) x
+    if builtins.isAttrs x then mapAttrs (name: substFunction) x
    else if builtins.isList x then map substFunction x
    else if builtins.isFunction x then "<function>"
    else x;

  # Clean up declaration sites to not refer to the NixOS source tree.
-  optionsList' = lib.flip map optionsList (opt: opt // {
+  optionsList' = flip map optionsList (opt: opt // {
    declarations = map stripAnyPrefixes opt.declarations;
  }
-  // lib.optionalAttrs (opt ? example) { example = substFunction opt.example; }
-  // lib.optionalAttrs (opt ? default) { default = substFunction opt.default; }
-  // lib.optionalAttrs (opt ? type) { type = substFunction opt.type; });
+  // optionalAttrs (opt ? example) { example = substFunction opt.example; }
+  // optionalAttrs (opt ? default) { default = substFunction opt.default; }
+  // optionalAttrs (opt ? type) { type = substFunction opt.type; });

  # We need to strip references to /nix/store/* from options,
  # including any `extraSources` if some modules came from elsewhere,
@@ -30,7 +30,7 @@ let
  # E.g. if some `options` came from modules in ${pkgs.customModules}/nix,
  # you'd need to include `extraSources = [ pkgs.customModules ]`
  prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
-  stripAnyPrefixes = lib.flip (lib.fold lib.removePrefix) prefixesToStrip;
+  stripAnyPrefixes = flip (fold removePrefix) prefixesToStrip;

  # Convert the list of options into an XML file.
  optionsXML = builtins.toFile "options.xml" (builtins.toXML optionsList');
@@ -49,21 +49,17 @@ let
      -o $out ${./options-to-docbook.xsl} $optionsXML
  '';

-  sources = lib.sourceFilesBySuffices ./. [".xml"];
-
-  modulesDoc = builtins.toFile "modules.xml" ''
-    <section xmlns:xi="http://www.w3.org/2001/XInclude" id="modules">
-    ${(lib.concatMapStrings (path: ''
-      <xi:include href="${path}" />
-    '') (lib.catAttrs "value" config.meta.doc))}
-    </section>
-  '';
+  sources = sourceFilesBySuffices ./. [".xml"];

  copySources =
    ''
      cp -prd $sources/* . # */
      chmod -R u+w .
-      ln -s ${modulesDoc} configuration/modules.xml
+      cp ${../../modules/services/databases/postgresql.xml} configuration/postgresql.xml
+      cp ${../../modules/services/misc/gitlab.xml} configuration/gitlab.xml
+      cp ${../../modules/services/misc/taskserver/doc.xml} configuration/taskserver.xml
+      cp ${../../modules/security/acme.xml} configuration/acme.xml
+      cp ${../../modules/i18n/input-method/default.xml} configuration/input-methods.xml
      ln -s ${optionsDocBook} options-db.xml
      echo "${version}" > version
    '';
@@ -126,7 +122,7 @@ let
      <targetset>
        <targetsetinfo>
            Allows for cross-referencing olinks between the manpages
-            and manual.
+            and the HTML/PDF manuals.
        </targetsetinfo>

        <document targetdoc="manual">&manualtargets;</document>
@@ -147,7 +143,7 @@ in rec {
      mkdir -p $dst

      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON
-        (builtins.listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
+        (listToAttrs (map (o: { name = o.name; value = removeAttrs o ["name" "visible" "internal"]; }) optionsList'))))
      } $dst/options.json

      mkdir -p $out/nix-support
@@ -197,42 +193,25 @@ in rec {
    allowedReferences = ["out"];
  };

-
-  manualEpub = stdenv.mkDerivation {
-    name = "nixos-manual-epub";
+  manualPDF = stdenv.mkDerivation {
+    name = "nixos-manual-pdf";

    inherit sources;

-    buildInputs = [ libxml2 libxslt zip ];
+    buildInputs = [ libxml2 libxslt dblatex dblatex.tex ];

    buildCommand = ''
      ${copySources}

-      # Check the validity of the manual sources.
-      xmllint --noout --nonet --xinclude --noxincludenode \
-        --relaxng ${docbook5}/xml/rng/docbook/docbook.rng \
-        manual.xml
-
-      # Generate the epub manual.
      dst=$out/share/doc/nixos
-
-      xsltproc \
-        ${manualXsltprocOptions} \
-        --stringparam target.database.document "${olinkDB}/olinkdb.xml" \
-        --nonet --xinclude --output $dst/epub/ \
-        ${docbook5_xsl}/xml/xsl/docbook/epub/docbook.xsl ./manual.xml
-
-      mkdir -p $dst/epub/OEBPS/images/callouts
-      cp -r ${docbook5_xsl}/xml/xsl/docbook/images/callouts/*.gif $dst/epub/OEBPS/images/callouts
-      echo "application/epub+zip" > mimetype
-      manual="$dst/nixos-manual.epub"
-      zip -0Xq "$manual" mimetype
-      cd $dst/epub && zip -Xr9D "$manual" *
-
-      rm -rf $dst/epub
+      mkdir -p $dst
+      xmllint --xinclude manual.xml | dblatex -o $dst/manual.pdf - \
+        -P target.database.document="${olinkDB}/olinkdb.xml" \
+        -P doc.collab.show=0 \
+        -P latex.output.revhistory=0

      mkdir -p $out/nix-support
-      echo "doc-epub manual $manual" >> $out/nix-support/hydra-build-products
+      echo "doc-pdf manual $dst/manual.pdf" >> $out/nix-support/hydra-build-products
    '';
  };

--- a/nixos/doc/manual/development/meta-attributes.xml
+++ b/nixos/doc/manual/development/meta-attributes.xml
@@ -1,62 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-        xmlns:xlink="http://www.w3.org/1999/xlink"
-        xmlns:xi="http://www.w3.org/2001/XInclude"
-        version="5.0"
-        xml:id="sec-meta-attributes">
-
-<title>Meta Attributes</title>
-
-<para>Like Nix packages, NixOS modules can declare meta-attributes to provide
-  extra information. Module meta attributes are defined in the
-  <filename
-    xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/meta.nix">meta.nix</filename>
-  special module.</para>
-
-<para><literal>meta</literal> is a top level attribute like
-  <literal>options</literal> and <literal>config</literal>. Available
-  meta-attributes are <literal>maintainers</literal> and
-  <literal>doc</literal>.</para>
-
-<para>Each of the meta-attributes must be defined at most once per module
-  file.</para>
-
-<programlisting>
-{ config, lib, pkgs, ... }:
-{
-  options = {
-    ...
-  };
-
-  config = {
-    ...
-  };
-
-  meta = {
-    maintainers = with lib.maintainers; [ ericsagnes ]; <co
-      xml:id='modules-meta-1' />
-    doc = ./default.xml; <co xml:id='modules-meta-2' />
-  };
-}
-</programlisting>
-
-<calloutlist>
- <callout arearefs='modules-meta-1'>
-  <para>
-    <varname>maintainers</varname> contains a list of the module maintainers.
-  </para>
- </callout>
-
- <callout arearefs='modules-meta-2'>
-  <para>
-    <varname>doc</varname> points to a valid DocBook file containing the module
-    documentation. Its contents is automatically added to <xref
-      linkend="ch-configuration"/>.
-    Changes to a module documentation have to be checked to not break
-    building the NixOS manual:
-  </para>
-  <programlisting>$ nix-build nixos/release.nix -A manual</programlisting>
- </callout>
-
-</calloutlist>
-
-</section>
--- a/nixos/doc/manual/development/writing-modules.xml
+++ b/nixos/doc/manual/development/writing-modules.xml
@@ -177,6 +177,5 @@ in {

 <xi:include href="option-declarations.xml" />
 <xi:include href="option-def.xml" />
-<xi:include href="meta-attributes.xml" />

 </chapter>
--- a/nixos/doc/manual/installation/installing-virtualbox-guest.xml
+++ b/nixos/doc/manual/installation/installing-virtualbox-guest.xml
@@ -1,89 +0,0 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-instaling-virtualbox-guest">
-
-<title>Installing in a Virtualbox guest</title>
-<para>
-  Installing NixOS into a Virtualbox guest is convenient for users who want to
-  try NixOS without installing it on bare metal. If you want to use a pre-made
-  Virtualbox appliance, it is available at <link
-  xlink:href="https://nixos.org/nixos/download.html">the downloads page</link>.
-  If you want to set up a Virtualbox guest manually, follow these instructions:
-</para>
-
-<orderedlist>
-
-  <listitem><para>Add a New Machine in Virtualbox with OS Type "Linux / Other
-  Linux"</para></listitem>
-
-  <listitem><para>Base Memory Size: 768 MB or higher.</para></listitem>
-
-  <listitem><para>New Hard Disk of 8 GB or higher.</para></listitem>
-
-  <listitem><para>Mount the CD-ROM with the NixOS ISO (by clicking on
-  CD/DVD-ROM)</para></listitem>
-
-  <listitem><para>Click on Settings / System / Processor and enable
-  PAE/NX</para></listitem>
-
-  <listitem><para>Click on Settings / System / Acceleration and enable
-  "VT-x/AMD-V" acceleration</para></listitem>
-
-  <listitem><para>Save the settings, start the virtual machine, and continue
-  installation like normal</para></listitem>
-
-</orderedlist>
-
-<para>
-  There are a few modifications you should make in configuration.nix. Enable
-  the virtualbox guest service in the main block:
-</para>
-
-<programlisting>
-virtualisation.virtualbox.guest.enable = true;
-</programlisting>
-
-<para>
-  Enable booting:
-</para>
-
-<programlisting>
-boot.loader.grub.device = "/dev/sda";
-</programlisting>
-
-<para>
-  Also remove the fsck that runs at startup. It will always fail to run,
-  stopping your boot until you press <literal>*</literal>.
-</para>
-
-<programlisting>
-boot.initrd.checkJournalingFS = false;
-</programlisting>
-
-<para>
-  Shared folders can be given a name and a path in the host system in the
-  VirtualBox settings (Machine / Settings / Shared Folders, then click on the
-  "Add" icon). Add the following to the
-  <literal>/etc/nixos/configuration.nix</literal> to auto-mount them:
-</para>
-
-<programlisting>
-{ config, pkgs, ...} :
-{
-  ...
-
-  fileSystems."/virtualboxshare" = {
-    fsType = "vboxsf";
-    device = "nameofthesharedfolder";
-    options = [ "rw" ];
-  };
-}
-</programlisting>
-
-<para>
-  The folder will be available directly under the root directory.
-</para>
-
-</section>
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@@ -22,7 +22,7 @@
  (with empty password).</para></listitem>

  <listitem><para>If you downloaded the graphical ISO image, you can
-  run <command>systemctl start display-manager</command> to start KDE. If you
+  run <command>start display-manager</command> to start KDE. If you
  want to continue on the terminal, you can use
  <command>loadkeys</command> to switch to your preferred keyboard layout.
  (We even provide neo2 via <command>loadkeys de neo</command>!)</para></listitem>
@@ -271,6 +271,5 @@ drive (here <filename>/dev/sda</filename>).  <xref linkend="ex-config"
 <xi:include href="installing-uefi.xml" />
 <xi:include href="installing-usb.xml" />
 <xi:include href="installing-pxe.xml" />
-<xi:include href="installing-virtualbox-guest.xml" />

 </chapter>
--- a/nixos/doc/manual/man-nixos-install.xml
+++ b/nixos/doc/manual/man-nixos-install.xml
@@ -25,19 +25,6 @@
      <arg choice='plain'><option>--root</option></arg>
      <replaceable>root</replaceable>
    </arg>
-    <arg>
-      <arg choice='plain'><option>--closure</option></arg>
-      <replaceable>closure</replaceable>
-    </arg>
-    <arg>
-      <arg choice='plain'><option>--no-channel-copy</option></arg>
-    </arg>
-    <arg>
-      <arg choice='plain'><option>--no-root-passwd</option></arg>
-    </arg>
-    <arg>
-      <arg choice='plain'><option>--no-bootloader</option></arg>
-    </arg>
    <arg>
      <group choice='req'>
        <arg choice='plain'><option>--max-jobs</option></arg>
@@ -84,13 +71,12 @@ the following steps:
  <filename>/mnt/etc/nixos/configuration.nix</filename>.</para></listitem>

  <listitem><para>It installs the GRUB boot loader on the device
-  specified in the option <option>boot.loader.grub.device</option>
-  (unless <option>--no-bootloader</option> is specified),
+  specified in the option <option>boot.loader.grub.device</option>,
  and generates a GRUB configuration file that boots into the NixOS
  configuration just installed.</para></listitem>

-  <listitem><para>It prompts you for a password for the root account
-  (unless <option>--no-root-passwd</option> is specified).</para></listitem>
+  <listitem><para>It prompts you for a password for the root
+  account.</para></listitem>

 </itemizedlist>

@@ -117,19 +103,6 @@ it.</para>
    </listitem>
  </varlistentry>

-  <varlistentry>
-    <term><option>--closure</option></term>
-    <listitem>
-      <para>If this option is provided, <command>nixos-install</command> will install the specified closure
-      rather than attempt to build one from <filename>/mnt/etc/nixos/configuration.nix</filename>.</para>
-
-      <para>The closure must be an appropriately configured NixOS system, with boot loader and partition
-      configuration that fits the target host. Such a closure is typically obtained with a command such as
-      <command>nix-build -I nixos-config=./configuration.nix '&lt;nixos&gt;' -A system --no-out-link</command>
-      </para>
-    </listitem>
-  </varlistentry>
-
  <varlistentry>
    <term><option>-I</option></term>
    <listitem>
--- a/nixos/doc/manual/man-nixos-rebuild.xml
+++ b/nixos/doc/manual/man-nixos-rebuild.xml
@@ -29,7 +29,7 @@
    </group>
    <sbr />
    <arg><option>--upgrade</option></arg>
-    <arg><option>--install-bootloader</option></arg>
+    <arg><option>--install-grub</option></arg>
    <arg><option>--no-build-nix</option></arg>
    <arg><option>--fast</option></arg>
    <arg><option>--rollback</option></arg>
@@ -212,11 +212,12 @@ $ ./result/bin/run-*-vm
  </varlistentry>

  <varlistentry>
-    <term><option>--install-bootloader</option></term>
+    <term><option>--install-grub</option></term>
    <listitem>
-      <para>Causes the boot loader to be (re)installed on the
-      device specified by the relevant configuration options.
-      </para>
+      <para>Causes the GRUB boot loader to be (re)installed on the
+      device specified by the
+      <varname>boot.loader.grub.device</varname> configuration
+      option.</para>
    </listitem>
  </varlistentry>

--- a/nixos/doc/manual/man-nixos-version.xml
+++ b/nixos/doc/manual/man-nixos-version.xml
@@ -1,97 +0,0 @@
-<refentry xmlns="http://docbook.org/ns/docbook"
-          xmlns:xlink="http://www.w3.org/1999/xlink"
-          xmlns:xi="http://www.w3.org/2001/XInclude">
-
-<refmeta>
-  <refentrytitle><command>nixos-version</command></refentrytitle>
-  <manvolnum>8</manvolnum>
-  <refmiscinfo class="source">NixOS</refmiscinfo>
-</refmeta>
-
-<refnamediv>
-  <refname><command>nixos-version</command></refname>
-  <refpurpose>show the NixOS version</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-  <cmdsynopsis>
-    <command>nixos-version</command>
-    <arg><option>--hash</option></arg>
-    <arg><option>--revision</option></arg>
-  </cmdsynopsis>
-</refsynopsisdiv>
-
-<refsection><title>Description</title>
-
-<para>This command shows the version of the currently active NixOS
-configuration. For example:
-
-<screen>$ nixos-version
-16.03.1011.6317da4 (Emu)
-</screen>
-
-The version consists of the following elements:
-
-<variablelist>
-
-  <varlistentry>
-    <term><literal>16.03</literal></term>
-    <listitem><para>The NixOS release, indicating the year and month
-    in which it was released (e.g. March 2016).</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><literal>1011</literal></term>
-    <listitem><para>The number of commits in the Nixpkgs Git
-    repository between the start of the release branch and the commit
-    from which this version was built. This ensures that NixOS
-    versions are monotonically increasing. It is
-    <literal>git</literal> when the current NixOS configuration was
-    built from a checkout of the Nixpkgs Git repository rather than
-    from a NixOS channel.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><literal>6317da4</literal></term>
-    <listitem><para>The first 7 characters of the commit in the
-    Nixpkgs Git repository from which this version was
-    built.</para></listitem>
-  </varlistentry>
-
-  <varlistentry>
-    <term><literal>Emu</literal></term>
-    <listitem><para>The code name of the NixOS release. The first
-    letter of the code name indicates that this is the N'th stable
-    NixOS release; for example, Emu is the fifth
-    release.</para></listitem>
-  </varlistentry>
-
-</variablelist>
-
-</para>
-
-</refsection>
-
-
-<refsection><title>Options</title>
-
-<para>This command accepts the following options:</para>
-
-<variablelist>
-
-  <varlistentry>
-    <term><option>--hash</option></term>
-    <term><option>--revision</option></term>
-    <listitem>
-      <para>Show the full SHA1 hash of the Git commit from which this
-      configuration was built, e.g.
-<screen>$ nixos-version --hash
-6317da40006f6bc2480c6781999c52d88dde2acf
-</screen>
-      </para>
-    </listitem>
-  </varlistentry>
-</variablelist>
-
-</refsection>
-</refentry>
--- a/nixos/doc/manual/man-pages.xml
+++ b/nixos/doc/manual/man-pages.xml
@@ -27,6 +27,5 @@
  <xi:include href="man-nixos-install.xml" />
  <xi:include href="man-nixos-option.xml" />
  <xi:include href="man-nixos-rebuild.xml" />
-  <xi:include href="man-nixos-version.xml" />

 </reference>
--- a/nixos/doc/manual/options-to-docbook.xsl
+++ b/nixos/doc/manual/options-to-docbook.xsl
@@ -11,7 +11,6 @@
  <xsl:output method='xml' encoding="UTF-8" />

  <xsl:param name="revision" />
-  <xsl:param name="program" />


  <xsl:template match="/expr/list">
@@ -189,7 +188,7 @@
                </xsl:otherwise>
              </xsl:choose>
            </xsl:when>
-            <xsl:when test="$revision != 'local' and $program = 'nixops' and contains(@value, '/nix/')">
+            <xsl:when test="$revision != 'local' and contains(@value, 'nixops') and contains(@value, '/nix/')">
              <xsl:attribute name="xlink:href">https://github.com/NixOS/nixops/blob/<xsl:value-of select="$revision"/>/nix/<xsl:value-of select="substring-after(@value, '/nix/')"/></xsl:attribute>
            </xsl:when>
            <xsl:otherwise>
--- a/nixos/doc/manual/release-notes/rl-1603.xml
+++ b/nixos/doc/manual/release-notes/rl-1603.xml
@@ -385,41 +385,6 @@ services.syncthing = {
      the github issue</link>.
    </para>
  </listitem>
-
-  <listitem>
-    <para>
-      The <literal>services.xserver.startGnuPGAgent</literal> option has been removed.
-      GnuPG 2.1.x changed the way the gpg-agent works, and that new approach no
-      longer requires (or even supports) the "start everything as a child of the
-      agent" scheme we've implemented in NixOS for older versions.
-      To configure the gpg-agent for your X session, add the following code to
-      <filename>~/.bashrc</filename> or some file that’s sourced when your shell is started:
-    <programlisting>
-GPG_TTY=$(tty)
-export GPG_TTY
-    </programlisting>
-      If you want to use gpg-agent for SSH, too, add the following to your session
-      initialization (e.g. <literal>displayManager.sessionCommands</literal>)
-    <programlisting>
-gpg-connect-agent /bye
-unset SSH_AGENT_PID
-export SSH_AUTH_SOCK="''${HOME}/.gnupg/S.gpg-agent.ssh"
-    </programlisting>
-      and make sure that
-    <programlisting>
-enable-ssh-support
-    </programlisting>
-      is included in your <filename>~/.gnupg/gpg-agent.conf</filename>.
-      You will need to use <command>ssh-add</command> to re-add your ssh keys.
-      If gpg’s automatic transformation of the private keys to the new format fails,
-      you will need to re-import your private keyring as well:
-    <programlisting>
-gpg --import ~/.gnupg/secring.gpg
-    </programlisting>
-    The <command>gpg-agent(1)</command> man page has more details about this subject,
-    i.e. in the "EXAMPLES" section.
-    </para>
-  </listitem>
 </itemizedlist>


--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@@ -16,10 +16,6 @@ has the following highlights: </para>
    See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
  </listitem>

-  <listitem>
-    <para>Xorg-server-1.18.*. If you choose <literal>"ati_unfree"</literal> driver,
-    1.17.* is still used due to ABI incompatibility.</para>
-  </listitem>
 </itemizedlist>

 <para>The following new services were added since the last release:</para>
@@ -33,53 +29,21 @@ has the following highlights: </para>
 following incompatible changes:</para>

 <itemizedlist>
-
  <listitem>
    <para>Shell aliases for systemd sub-commands
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
    <command>start</command>, <command>stop</command>,
    <command>restart</command>, <command>status</command>.</para>
  </listitem>
-
-  <listitem>
-    <para>Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default
-    behavior of Redis 3.2</para>
-  </listitem>
-
-  <listitem>
-    <para>Gitlab's maintainence script gitlab-runner was removed and split up into the more clearer
-      gitlab-run and gitlab-rake scripts because gitlab-runner is a component of Gitlab CI.</para>
-  </listitem>
-
-  <listitem>
-    <para><literal>services.xserver.libinput.accelProfile</literal> default
-    changed from <literal>flat</literal> to <literal>adaptive</literal>,
-    as per <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
-    official documentation</link>.</para>
-  </listitem>
-
-  <listitem>
-    <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
-    because our presets were obsolete for some time. New presets are hardcoded
-    into freetype; one selects a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
-    You can customize those presets via ordinary environment variables, using
-    <literal>environment.variables</literal>.</para>
-  </listitem>
-
 </itemizedlist>


 <para>Other notable improvements:</para>

 <itemizedlist>
-
-  <listitem><para>Revamped grsecurity/PaX support.  There is now only a single
-  general-purpose distribution kernel and the configuration interface has been
-  streamlined.  Desktop users should be able to simply set
-  <programlisting>security.grsecurity.enable = true</programlisting> to get
-  a reasonably secure system without having to sacrifice too much
-  functionality.  See <xref linkend="sec-grsecurity" /> for documentation
-  </para></listitem>
+  <listitem>
+    <para>todo</para>
+  </listitem>

 </itemizedlist>

--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@@ -12,9 +12,6 @@
  # directly.
  partitioned ? true

-  # Whether to invoke switch-to-configuration boot during image creation
-, installBootLoader ? true
-
 , # The root file system type.
  fsType ? "ext4"

@@ -67,24 +64,40 @@ pkgs.vmTools.runInLinuxVM (
      mkdir /mnt
      mount $rootDisk /mnt

+      # The initrd expects these directories to exist.
+      mkdir /mnt/dev /mnt/proc /mnt/sys
+
+      mount -o bind /proc /mnt/proc
+      mount -o bind /dev /mnt/dev
+      mount -o bind /sys /mnt/sys
+
+      # Copy all paths in the closure to the filesystem.
+      storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure)
+
+      mkdir -p /mnt/nix/store
+      echo "copying everything (will take a while)..."
+      set -f
+      cp -prd $storePaths /mnt/nix/store/
+
      # Register the paths in the Nix database.
      printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \
-          ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""
+          chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db --option build-users-group ""

      # Add missing size/hash fields to the database. FIXME:
      # exportReferencesGraph should provide these directly.
-      ${config.nix.package.out}/bin/nix-store --verify --check-contents --option build-users-group ""
+      chroot /mnt ${config.nix.package.out}/bin/nix-store --verify --check-contents

-      # In case the bootloader tries to write to /dev/sda…
-      ln -s vda /dev/xvda
-      ln -s vda /dev/sda
+      # Create the system profile to allow nixos-rebuild to work.
+      chroot /mnt ${config.nix.package.out}/bin/nix-env --option build-users-group "" \
+          -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel}

-      # Install the closure onto the image
-      USER=root ${config.system.build.nixos-install}/bin/nixos-install \
-        --closure ${config.system.build.toplevel} \
-        --no-channel-copy \
-        --no-root-passwd \
-        ${optionalString (!installBootLoader) "--no-bootloader"}
+      # `nixos-rebuild' requires an /etc/NIXOS.
+      mkdir -p /mnt/etc
+      touch /mnt/etc/NIXOS
+
+      # `switch-to-configuration' requires a /bin/sh
+      mkdir -p /mnt/bin
+      ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh

      # Install a configuration.nix.
      mkdir -p /mnt/etc/nixos
@@ -92,9 +105,12 @@ pkgs.vmTools.runInLinuxVM (
        cp ${configFile} /mnt/etc/nixos/configuration.nix
      ''}

-      # Remove /etc/machine-id so that each machine cloning this image will get its own id
-      rm -f /mnt/etc/machine-id
+      # Generate the GRUB menu.
+      ln -s vda /dev/xvda
+      ln -s vda /dev/sda
+      chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot

+      umount /mnt/proc /mnt/dev /mnt/sys
      umount /mnt

      # Do a fsck to make sure resize2fs works.
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@@ -29,7 +29,7 @@ rec {
        cp ${./test-driver/Logger.pm} $libDir/Logger.pm

        wrapProgram $out/bin/nixos-test-driver \
-          --prefix PATH : "${lib.makeBinPath [ qemu_kvm vde2 netpbm coreutils ]}" \
+          --prefix PATH : "${qemu_kvm}/bin:${vde2}/bin:${netpbm}/bin:${coreutils}/bin" \
          --prefix PERL5LIB : "${with perlPackages; lib.makePerlPath [ TermReadLineGnu XMLWriter IOTty FileSlurp ]}:$out/lib/perl5/site_perl"
      '';
  };
@@ -113,14 +113,14 @@ rec {
            --add-flags "$vms" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --run "testScript=\"\$(cat $out/test-script)\"" \
-            --set testScript '$testScript' \
-            --set VLANS '${toString vlans}'
+            --set testScript '"$testScript"' \
+            --set VLANS '"${toString vlans}"'
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
          wrapProgram $out/bin/nixos-run-vms \
            --add-flags "$vms" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
-            --set tests 'startAll; joinAll;' \
-            --set VLANS '${toString vlans}' \
+            --set tests '"startAll; joinAll;"' \
+            --set VLANS '"${toString vlans}"' \
            ${lib.optionalString (builtins.length vms == 1) "--set USE_SERIAL 1"}
        ''; # "

--- a/nixos/lib/utils.nix
+++ b/nixos/lib/utils.nix
@@ -2,27 +2,10 @@ pkgs: with pkgs.lib;

 rec {

-  # Check whenever fileSystem is needed for boot
-  fsNeededForBoot = fs: fs.neededForBoot
-                     || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ];
-
-  # Check whenever `b` depends on `a` as a fileSystem
-  # FIXME: it's incorrect to simply use hasPrefix here: "/dev/a" is not a parent of "/dev/ab"
-  fsBefore = a: b: ((any (x: elem x [ "bind" "move" ]) b.options) && (a.mountPoint == b.device))
-                || (hasPrefix a.mountPoint b.mountPoint);
-
  # Escape a path according to the systemd rules, e.g. /dev/xyzzy
  # becomes dev-xyzzy.  FIXME: slow.
  escapeSystemdPath = s:
   replaceChars ["/" "-" " "] ["-" "\\x2d" "\\x20"]
    (if hasPrefix "/" s then substring 1 (stringLength s) s else s);

-  # Returns a system path for a given shell package
-  toShellPath = shell:
-    if types.shellPackage.check shell then
-      "/run/current-system/sw${shell.shellPath}"
-    else if types.package.check shell then
-      throw "${shell} is not a shell package"
-    else
-      shell;
 }
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@@ -13,11 +13,8 @@ echo "NixOS version is $version ($major)"

 rm -f ec2-amis.nix

-types="hvm pv"
-stores="ebs s3"
-regions="eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"

-for type in $types; do
+for type in hvm pv; do
    link=$stateDir/$type
    imageFile=$link/nixos.qcow2
    system=x86_64-linux
@@ -34,7 +31,7 @@ for type in $types; do
            --arg configuration "{ imports = [ <nixpkgs/nixos/maintainers/scripts/ec2/amazon-image.nix> ]; ec2.hvm = $hvmFlag; }"
    fi

-    for store in $stores; do
+    for store in ebs s3; do

        bucket=nixos-amis
        bucketDir="$version-$type-$store"
@@ -42,7 +39,7 @@ for type in $types; do
        prevAmi=
        prevRegion=

-        for region in $regions; do
+        for region in eu-west-1 eu-central-1 us-east-1 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 sa-east-1; do

            name=nixos-$version-$arch-$type-$store
            description="NixOS $system $version ($type-$store)"
@@ -54,11 +51,10 @@ for type in $types; do
                echo "doing $name in $region..."

                if [ -n "$prevAmi" ]; then
-                    ami=$(aws ec2 copy-image \
+                    ami=$(ec2-copy-image \
                        --region "$region" \
-                        --source-region "$prevRegion" --source-image-id "$prevAmi" \
-                        --name "$name" --description "$description" | json -q .ImageId)
-                    if [ "$ami" = null ]; then break; fi
+                        --source-region "$prevRegion" --source-ami-id "$prevAmi" \
+                        --name "$name" --description "$description" | cut -f 2)
                else

                    if [ $store = s3 ]; then
@@ -89,12 +85,12 @@ for type in $types; do
                            ec2-upload-bundle \
                                -m $imageDir/$type.raw.manifest.xml \
                                -b "$bucket/$bucketDir" \
-                                -a "$AWS_ACCESS_KEY_ID" -s "$AWS_SECRET_ACCESS_KEY" \
+                                -a "$EC2_ACCESS_KEY" -s "$EC2_SECRET_KEY" \
                                --location EU
                            touch $imageDir/uploaded
                        fi

-                        extraFlags="--image-location $bucket/$bucketDir/$type.raw.manifest.xml"
+                        extraFlags="$bucket/$bucketDir/$type.raw.manifest.xml"

                    else

@@ -119,8 +115,7 @@ for type in $types; do
                        if [ -z "$snapId" -a -z "$volId" -a -z "$taskId" ]; then
                            echo "importing $vhdFile..."
                            taskId=$(ec2-import-volume $vhdFile --no-upload -f vhd \
-                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" \
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" \
                                --region "$region" -z "${region}a" \
                                --bucket "$bucket" --prefix "$bucketDir/" \
                                | tee /dev/stderr \
@@ -130,16 +125,15 @@ for type in $types; do

                        if [ -z "$snapId" -a -z "$volId" ]; then
                            ec2-resume-import  $vhdFile -t "$taskId" --region "$region" \
-                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY"
+                                -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY"
                        fi

                        # Wait for the volume creation to finish.
                        if [ -z "$snapId" -a -z "$volId" ]; then
                            echo "waiting for import to finish..."
                            while true; do
-                                volId=$(aws ec2 describe-conversion-tasks --conversion-task-ids "$taskId" --region "$region" | jq -r .ConversionTasks[0].ImportVolume.Volume.Id)
-                                if [ "$volId" != null ]; then break; fi
+                                volId=$(ec2-describe-conversion-tasks "$taskId" --region "$region" | sed 's/.*VolumeId.*\(vol-[0-9a-f]\+\).*/\1/ ; t ; d')
+                                if [ -n "$volId" ]; then break; fi
                                sleep 10
                            done

@@ -149,24 +143,22 @@ for type in $types; do
                        # Delete the import task.
                        if [ -n "$volId" -a -n "$taskId" ]; then
                            echo "removing import task..."
-                            ec2-delete-disk-image -t "$taskId" --region "$region" \
-                                -O "$AWS_ACCESS_KEY_ID" -W "$AWS_SECRET_ACCESS_KEY" \
-                                -o "$AWS_ACCESS_KEY_ID" -w "$AWS_SECRET_ACCESS_KEY" || true
+                            ec2-delete-disk-image -t "$taskId" --region "$region" -o "$EC2_ACCESS_KEY" -w "$EC2_SECRET_KEY" || true
                            rm -f $stateDir/$region.$type.task-id
                        fi

                        # Create a snapshot.
                        if [ -z "$snapId" ]; then
                            echo "creating snapshot..."
-                            snapId=$(aws ec2 create-snapshot --volume-id "$volId" --region "$region" --description "$description" | jq -r .SnapshotId)
-                            if [ "$snapId" = null ]; then exit 1; fi
+                            snapId=$(ec2-create-snapshot "$volId" --region "$region" | cut -f 2)
                            echo -n "$snapId" > $stateDir/$region.$type.snap-id
+                            ec2-create-tags "$snapId" -t "Name=$description" --region "$region"
                        fi

                        # Wait for the snapshot to finish.
                        echo "waiting for snapshot to finish..."
                        while true; do
-                            status=$(aws ec2 describe-snapshots --snapshot-ids "$snapId" --region "$region" | jq -r .Snapshots[0].State)
+                            status=$(ec2-describe-snapshots "$snapId" --region "$region" | head -n1 | cut -f 4)
                            if [ "$status" = completed ]; then break; fi
                            sleep 10
                        done
@@ -174,50 +166,35 @@ for type in $types; do
                        # Delete the volume.
                        if [ -n "$volId" ]; then
                            echo "deleting volume..."
-                            aws ec2 delete-volume --volume-id "$volId" --region "$region" || true
+                            ec2-delete-volume "$volId" --region "$region" || true
                            rm -f $stateDir/$region.$type.vol-id
                        fi

-                        blockDeviceMappings="DeviceName=/dev/sda1,Ebs={SnapshotId=$snapId,VolumeSize=$vhdFileLogicalGigaBytes,DeleteOnTermination=true,VolumeType=gp2}"
-                        extraFlags=""
+                        extraFlags="-b /dev/sda1=$snapId:$vhdFileLogicalGigaBytes:true:gp2"

                        if [ $type = pv ]; then
-                            extraFlags+=" --root-device-name /dev/sda1"
-                        else
-                            extraFlags+=" --root-device-name /dev/sda1"
-                            extraFlags+=" --sriov-net-support simple"
-                            extraFlags+=" --ena-support"
+                            extraFlags+=" --root-device-name=/dev/sda1"
                        fi

-                        blockDeviceMappings+=" DeviceName=/dev/sdb,VirtualName=ephemeral0"
-                        blockDeviceMappings+=" DeviceName=/dev/sdc,VirtualName=ephemeral1"
-                        blockDeviceMappings+=" DeviceName=/dev/sdd,VirtualName=ephemeral2"
-                        blockDeviceMappings+=" DeviceName=/dev/sde,VirtualName=ephemeral3"
-                    fi
-
-                    if [ $type = hvm ]; then
-                        extraFlags+=" --sriov-net-support simple"
-                        extraFlags+=" --ena-support"
+                        extraFlags+=" -b /dev/sdb=ephemeral0 -b /dev/sdc=ephemeral1 -b /dev/sdd=ephemeral2 -b /dev/sde=ephemeral3"
                    fi

                    # Register the AMI.
                    if [ $type = pv ]; then
-                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
-                        if [ "$kernel" = null ]; then break; fi
+                        kernel=$(ec2-describe-images -o amazon --filter "manifest-location=*pv-grub-hd0_1.04-$arch*" --region "$region" | cut -f 2)
+                        [ -n "$kernel" ]
                        echo "using PV-GRUB kernel $kernel"
                        extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
                    else
                        extraFlags+=" --virtualization-type hvm"
                    fi

-                    ami=$(aws ec2 register-image \
-                        --name "$name" \
-                        --description "$description" \
+                    ami=$(ec2-register \
+                        -n "$name" \
+                        -d "$description" \
                        --region "$region" \
                        --architecture "$arch" \
-                        --block-device-mappings $blockDeviceMappings \
-                        $extraFlags | jq -r .ImageId)
-                    if [ "$ami" = null ]; then break; fi
+                        $extraFlags | cut -f 2)
                fi

                echo -n "$ami" > $amiFile
@@ -227,45 +204,23 @@ for type in $types; do
                ami=$(cat $amiFile)
            fi

-            echo "region = $region, type = $type, store = $store, ami = $ami"
+            if [ -z "$NO_WAIT" -o -z "$prevAmi" ]; then
+                echo "waiting for AMI..."
+                while true; do
+                    status=$(ec2-describe-images "$ami" --region "$region" | head -n1 | cut -f 5)
+                    if [ "$status" = available ]; then break; fi
+                    sleep 10
+                done

+                ec2-modify-image-attribute \
+                    --region "$region" "$ami" -l -a all
+            fi
+
+            echo "region = $region, type = $type, store = $store, ami = $ami"
            if [ -z "$prevAmi" ]; then
                prevAmi="$ami"
                prevRegion="$region"
            fi
-        done
-
-    done
-
-done
-
-for type in $types; do
-    link=$stateDir/$type
-    system=x86_64-linux
-    arch=x86_64
-
-    for store in $stores; do
-
-        for region in $regions; do
-
-            name=nixos-$version-$arch-$type-$store
-            amiFile=$stateDir/$region.$type.$store.ami-id
-            ami=$(cat $amiFile)
-
-            echo "region = $region, type = $type, store = $store, ami = $ami"
-
-            echo -n "waiting for AMI..."
-            while true; do
-                status=$(aws ec2 describe-images --image-ids "$ami" --region "$region" | jq -r .Images[0].State)
-                if [ "$status" = available ]; then break; fi
-                sleep 10
-                echo -n '.'
-            done
-            echo
-
-            # Make the image public.
-            aws ec2 modify-image-attribute \
-                --image-id "$ami" --region "$region" --launch-permission 'Add={Group=all}'

            echo "  \"$major\".$region.$type-$store = \"$ami\";" >> ec2-amis.nix
        done
--- a/nixos/modules/config/fonts/fontconfig-ultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix
@@ -3,95 +3,6 @@
 with lib;

 let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
-
-    cfg = config.fonts.fontconfig.ultimate;
-
-    latestVersion  = pkgs.fontconfig.configVersion;
-
-    # fontconfig ultimate main configuration file
-    # priority 52
-    fontconfigUltimateConf = pkgs.writeText "fc-52-fontconfig-ultimate.conf" ''
-      <?xml version="1.0"?>
-      <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
-      <fontconfig>
-
-        ${optionalString (!cfg.allowBitmaps) ''
-        <!-- Reject bitmap fonts -->
-        <selectfont>
-          <rejectfont>
-            <pattern>
-              <patelt name="scalable"><bool>false</bool></patelt>
-            </pattern>
-          </rejectfont>
-        </selectfont>
-        ''}
-
-        ${optionalString cfg.allowType1 ''
-        <!-- Reject Type 1 fonts -->
-        <selectfont>
-          <rejectfont>
-            <pattern>
-              <patelt name="fontformat">
-                <string>Type 1</string>
-              </patelt>
-            </pattern>
-          </rejectfont>
-        </selectfont>
-        ''}
-
-        <!-- Use embedded bitmaps in fonts like Calibri? -->
-        <match target="font">
-          <edit name="embeddedbitmap" mode="assign">
-            ${fcBool cfg.useEmbeddedBitmaps}
-          </edit>
-        </match>
-
-        <!-- Force autohint always -->
-        <match target="font">
-          <edit name="force_autohint" mode="assign">
-            ${fcBool cfg.forceAutohint}
-          </edit>
-        </match>
-
-        <!-- Render some monospace TTF fonts as bitmaps -->
-        <match target="pattern">
-          <edit name="bitmap_monospace" mode="assign">
-            ${fcBool cfg.renderMonoTTFAsBitmap}
-          </edit>
-        </match>
-
-      </fontconfig>
-    '';
-
-    # The configuration to be included in /etc/font/
-    confPkg = pkgs.runCommand "font-ultimate-conf" {} ''
-      support_folder=$out/etc/fonts/conf.d
-      latest_folder=$out/etc/fonts/${latestVersion}/conf.d
-
-      mkdir -p $support_folder
-      mkdir -p $latest_folder
-
-      # 52-fontconfig-ultimate.conf
-      ln -s ${fontconfigUltimateConf} \
-            $support_folder/52-fontconfig-ultimate.conf
-      ln -s ${fontconfigUltimateConf} \
-            $latest_folder/52-fontconfig-ultimate.conf
-
-      # fontconfig ultimate substitutions
-      ${optionalString (cfg.substitutions != "none") ''
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
-            $support_folder
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
-            $latest_folder
-      ''}
-
-      # fontconfig ultimate various configuration files
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
-            $support_folder
-      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/conf.d/*.conf \
-            $latest_folder
-    '';
-
 in
 {

@@ -153,7 +64,9 @@ in
          };

          substitutions = mkOption {
-            type = types.nullOr (types.enum ["free" "combi" "ms"]);
+            type = types.str // {
+              check = flip elem ["none" "free" "combi" "ms"];
+            };
            default = "free";
            description = ''
              Font substitutions to replace common Type 1 fonts with nicer
@@ -164,12 +77,35 @@ in
            '';
          };

-          preset = mkOption {
-            type = types.enum ["ultimate1" "ultimate2" "ultimate3" "ultimate4" "ultimate5" "osx" "windowsxp"];
-            default = "ultimate3";
+          rendering = mkOption {
+            type = types.attrs;
+            default = pkgs.fontconfig-ultimate.rendering.ultimate;
            description = ''
-              FreeType rendering settings preset. Any of the presets may be
-              customized by setting environment variables.
+              FreeType rendering settings presets. The default is
+              <literal>pkgs.fontconfig-ultimate.rendering.ultimate</literal>.
+              The other available styles are:
+              <literal>ultimate-lighter</literal>,
+              <literal>ultimate-darker</literal>,
+              <literal>ultimate-lightest</literal>,
+              <literal>ultimate-darkest</literal>,
+              <literal>default</literal> (the original Infinality default),
+              <literal>osx</literal>,
+              <literal>ipad</literal>,
+              <literal>ubuntu</literal>,
+              <literal>linux</literal>,
+              <literal>winxplight</literal>,
+              <literal>win7light</literal>,
+              <literal>winxp</literal>,
+              <literal>win7</literal>,
+              <literal>vanilla</literal>,
+              <literal>classic</literal>,
+              <literal>nudge</literal>,
+              <literal>push</literal>,
+              <literal>shove</literal>,
+              <literal>sharpened</literal>,
+              <literal>infinality</literal>. Any of the presets may be
+              customized by editing the attributes. To disable, set this option
+              to the empty attribute set <literal>{}</literal>.
            '';
          };
        };
@@ -178,11 +114,80 @@ in

  };

-  config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {

-    fonts.fontconfig.confPackages = [ confPkg ];
-    environment.variables."INFINALITY_FT" = cfg.preset;
+  config =
+    let ultimate = config.fonts.fontconfig.ultimate;
+        fontconfigUltimateConf = ''
+          <?xml version="1.0"?>
+          <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+          <fontconfig>

-  };
+            ${optionalString (!ultimate.allowBitmaps) ''
+            <!-- Reject bitmap fonts -->
+            <selectfont>
+              <rejectfont>
+                <pattern>
+                  <patelt name="scalable"><bool>false</bool></patelt>
+                </pattern>
+              </rejectfont>
+            </selectfont>
+            ''}
+
+            ${optionalString ultimate.allowType1 ''
+            <!-- Reject Type 1 fonts -->
+            <selectfont>
+              <rejectfont>
+                <pattern>
+                  <patelt name="fontformat">
+                    <string>Type 1</string>
+                  </patelt>
+                </pattern>
+              </rejectfont>
+            </selectfont>
+            ''}
+
+            <!-- Use embedded bitmaps in fonts like Calibri? -->
+            <match target="font">
+              <edit name="embeddedbitmap" mode="assign">
+                ${fcBool ultimate.useEmbeddedBitmaps}
+              </edit>
+            </match>
+
+            <!-- Force autohint always -->
+            <match target="font">
+              <edit name="force_autohint" mode="assign">
+                ${fcBool ultimate.forceAutohint}
+              </edit>
+            </match>
+
+            <!-- Render some monospace TTF fonts as bitmaps -->
+            <match target="pattern">
+              <edit name="bitmap_monospace" mode="assign">
+                ${fcBool ultimate.renderMonoTTFAsBitmap}
+              </edit>
+            </match>
+
+            ${optionalString (ultimate.substitutions != "none") ''
+            <!-- Type 1 font substitutions -->
+            <include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/presets/${ultimate.substitutions}</include>
+            ''}
+
+            <include ignore_missing="yes">${pkgs.fontconfig-ultimate.confd}/etc/fonts/conf.d</include>
+
+          </fontconfig>
+        '';
+    in mkIf (config.fonts.fontconfig.enable && ultimate.enable) {
+
+      environment.etc."fonts/conf.d/52-fontconfig-ultimate.conf" = {
+        text = fontconfigUltimateConf;
+      };
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/52-fontconfig-ultimate.conf" = {
+        text = fontconfigUltimateConf;
+      };
+
+      environment.variables = ultimate.rendering;
+
+    };

 }
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@@ -1,207 +1,7 @@
-/*
-
-NixOS support 2 fontconfig versions, "support" and "latest".
-
- "latest" refers to default fontconfig package (pkgs.fontconfig).
-  configuration files are linked to /etc/fonts/VERSION/conf.d/
- "support" refers to supportPkg (pkgs."fontconfig_${supportVersion}").
-  configuration files are linked to /etc/fonts/conf.d/
-
-This module generates a package containing configuration files and link it in /etc/fonts.
-
-Fontconfig reads files in folder name / file name order, so the number prepended to the configuration file name decide the order of parsing.
-Low number means high priority.
-
-*/
-
 { config, lib, pkgs, ... }:

 with lib;

-let cfg = config.fonts.fontconfig;
-
-    fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
-
-    # back-supported fontconfig version and package
-    # version is used for font cache generation
-    supportVersion = "210";
-    supportPkg     = pkgs."fontconfig_${supportVersion}";
-
-    # latest fontconfig version and package
-    # version is used for configuration folder name, /etc/fonts/VERSION/
-    # note: format differs from supportVersion and can not be used with makeCacheConf
-    latestVersion  = pkgs.fontconfig.configVersion;
-    latestPkg      = pkgs.fontconfig;
-
-    # supported version fonts.conf
-    supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
-
-    # configuration file to read fontconfig cache
-    # version dependent
-    # priority 0
-    cacheConfSupport = makeCacheConf { version = supportVersion; };
-    cacheConfLatest  = makeCacheConf {};
-    
-    # generate the font cache setting file for a fontconfig version
-    # use latest when no version is passed
-    makeCacheConf = { version ? null }:
-      let 
-        fcPackage = if builtins.isNull version
-                    then "fontconfig"
-                    else "fontconfig_${version}";
-        makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
-        cache     = makeCache pkgs."${fcPackage}";
-        cache32   = makeCache pkgs.pkgsi686Linux."${fcPackage}";
-      in
-      pkgs.writeText "fc-00-nixos-cache.conf" ''
-        <?xml version='1.0'?>
-        <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-        <fontconfig>
-          <!-- Font directories -->
-          ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
-          <!-- Pre-generated font caches -->
-          <cachedir>${cache}</cachedir>
-          ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
-            <cachedir>${cache32}</cachedir>
-          ''}
-        </fontconfig>
-      '';
-
-    # rendering settings configuration file
-    # priority 10
-    renderConf = pkgs.writeText "fc-10-nixos-rendering.conf" ''
-      <?xml version='1.0'?>
-      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-      <fontconfig>
-
-        <!-- Default rendering settings -->
-        <match target="font">
-          <edit mode="assign" name="hinting">
-            ${fcBool cfg.hinting.enable}
-          </edit>
-          <edit mode="assign" name="autohint">
-            ${fcBool cfg.hinting.autohint}
-          </edit>
-          <edit mode="assign" name="hintstyle">
-            <const>hint${cfg.hinting.style}</const>
-          </edit>
-          <edit mode="assign" name="antialias">
-            ${fcBool cfg.antialias}
-          </edit>
-          <edit mode="assign" name="rgba">
-            <const>${cfg.subpixel.rgba}</const>
-          </edit>
-          <edit mode="assign" name="lcdfilter">
-            <const>lcd${cfg.subpixel.lcdfilter}</const>
-          </edit>
-        </match>
-
-        ${optionalString (cfg.dpi != 0) ''
-        <match target="pattern">
-          <edit name="dpi" mode="assign">
-            <double>${toString cfg.dpi}</double>
-          </edit>
-        </match>
-        ''}
-
-      </fontconfig>
-    '';
-
-    # local configuration file
-    # priority 51
-    localConf = pkgs.writeText "fc-local.conf" cfg.localConf;
-
-    # default fonts configuration file
-    # priority 52
-    defaultFontsConf = 
-      let genDefault = fonts: name:
-        optionalString (fonts != []) ''
-          <alias>
-            <family>${name}</family>
-            <prefer>
-            ${concatStringsSep ""
-            (map (font: ''
-              <family>${font}</family>
-            '') fonts)}
-            </prefer>
-          </alias>
-        '';
-      in
-      pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
-      <?xml version='1.0'?>
-      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
-      <fontconfig>
-
-        <!-- Default fonts -->
-        ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
-
-        ${genDefault cfg.defaultFonts.serif     "serif"}
-
-        ${genDefault cfg.defaultFonts.monospace "monospace"}
-
-      </fontconfig>
-    '';
-
-    # fontconfig configuration package 
-    confPkg = pkgs.runCommand "fontconfig-conf" {} ''
-      support_folder=$out/etc/fonts
-      latest_folder=$out/etc/fonts/${latestVersion}
-
-      mkdir -p $support_folder/conf.d
-      mkdir -p $latest_folder/conf.d
-
-      # fonts.conf
-      ln -s ${supportFontsConf} $support_folder/fonts.conf
-      ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
-            $latest_folder/fonts.conf
-
-      # fontconfig default config files
-      ln -s ${supportPkg.out}/etc/fonts/conf.d/*.conf \
-            $support_folder/conf.d/
-      ln -s ${latestPkg.out}/etc/fonts/conf.d/*.conf \
-            $latest_folder/conf.d/
-
-      # update latest 51-local.conf path to look at the latest local.conf
-      rm    $latest_folder/conf.d/51-local.conf
-
-      substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
-                 $latest_folder/conf.d/51-local.conf \
-                 --replace local.conf /etc/fonts/${latestVersion}/local.conf 
-
-      # 00-nixos-cache.conf
-      ln -s ${cacheConfSupport} \
-            $support_folder/conf.d/00-nixos-cache.conf
-      ln -s ${cacheConfLatest}  $latest_folder/conf.d/00-nixos-cache.conf
-
-      # 10-nixos-rendering.conf
-      ln -s ${renderConf}       $support_folder/conf.d/10-nixos-rendering.conf
-      ln -s ${renderConf}       $latest_folder/conf.d/10-nixos-rendering.conf
-
-      # 50-user.conf
-      ${optionalString (! cfg.includeUserConf) ''
-      rm    $support_folder/conf.d/50-user.conf
-      rm    $latest_folder/conf.d/50-user.conf
-      ''}
-
-      # local.conf (indirect priority 51)
-      ${optionalString (cfg.localConf != "") ''
-      ln -s ${localConf}        $support_folder/local.conf
-      ln -s ${localConf}        $latest_folder/local.conf
-      ''}
-
-      # 52-nixos-default-fonts.conf
-      ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf
-      ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf
-    '';
-
-    # Package with configuration files
-    # this merge all the packages in the fonts.fontconfig.confPackages list
-    fontconfigEtc = pkgs.buildEnv {
-      name  = "fontconfig-etc";
-      paths = cfg.confPackages;
-      ignoreCollisions = true;
-    };
-in
 {

  options = {
@@ -221,15 +21,6 @@ in
          '';
        };

-        confPackages = mkOption {
-          internal = true;
-          type     = with types; listOf path;
-          default  = [ ];
-          description = ''
-            Fontconfig configuration packages.
-          '';
-        };
-
        antialias = mkOption {
          type = types.bool;
          default = true;
@@ -245,15 +36,6 @@ in
          '';
        };

-        localConf = mkOption {
-          type = types.lines;
-          default = "";
-          description = ''
-            System-wide customization file contents, has higher priority than 
-            <literal>defaultFonts</literal> settings.
-          '';
-        };
-
        defaultFonts = {
          monospace = mkOption {
            type = types.listOf types.str;
@@ -360,11 +142,136 @@ in
    };

  };
-  config = mkIf cfg.enable {
-    fonts.fontconfig.confPackages = [ confPkg ];

-    environment.systemPackages    = [ pkgs.fontconfig ];
-    environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
-  };
+  config =
+    let fontconfig = config.fonts.fontconfig;
+        fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
+        renderConf = ''
+          <?xml version='1.0'?>
+          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+          <fontconfig>
+
+            <!-- Default rendering settings -->
+            <match target="font">
+              <edit mode="assign" name="hinting">
+                ${fcBool fontconfig.hinting.enable}
+              </edit>
+              <edit mode="assign" name="autohint">
+                ${fcBool fontconfig.hinting.autohint}
+              </edit>
+              <edit mode="assign" name="hintstyle">
+                <const>hint${fontconfig.hinting.style}</const>
+              </edit>
+              <edit mode="assign" name="antialias">
+                ${fcBool fontconfig.antialias}
+              </edit>
+              <edit mode="assign" name="rgba">
+                <const>${fontconfig.subpixel.rgba}</const>
+              </edit>
+              <edit mode="assign" name="lcdfilter">
+                <const>lcd${fontconfig.subpixel.lcdfilter}</const>
+              </edit>
+            </match>
+
+            ${optionalString (fontconfig.dpi != 0) ''
+            <match target="pattern">
+              <edit name="dpi" mode="assign">
+                <double>${toString fontconfig.dpi}</double>
+              </edit>
+            </match>
+            ''}
+
+          </fontconfig>
+        '';
+        genericAliasConf = ''
+          <?xml version='1.0'?>
+          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+          <fontconfig>
+
+            <!-- Default fonts -->
+            ${optionalString (fontconfig.defaultFonts.sansSerif != []) ''
+            <alias>
+              <family>sans-serif</family>
+              <prefer>
+                ${concatStringsSep "\n"
+                  (map (font: "<family>${font}</family>")
+                    fontconfig.defaultFonts.sansSerif)}
+              </prefer>
+            </alias>
+            ''}
+            ${optionalString (fontconfig.defaultFonts.serif != []) ''
+            <alias>
+              <family>serif</family>
+              <prefer>
+                ${concatStringsSep "\n"
+                  (map (font: "<family>${font}</family>")
+                    fontconfig.defaultFonts.serif)}
+              </prefer>
+            </alias>
+            ''}
+            ${optionalString (fontconfig.defaultFonts.monospace != []) ''
+            <alias>
+              <family>monospace</family>
+              <prefer>
+                ${concatStringsSep "\n"
+                  (map (font: "<family>${font}</family>")
+                    fontconfig.defaultFonts.monospace)}
+              </prefer>
+            </alias>
+            ''}
+
+          </fontconfig>
+        '';
+    in mkIf fontconfig.enable {
+
+      # Fontconfig 2.10 backward compatibility
+
+      # Bring in the default (upstream) fontconfig configuration, only for fontconfig 2.10
+      environment.etc."fonts/fonts.conf".source =
+        pkgs.makeFontsConf { fontconfig = pkgs.fontconfig_210; fontDirectories = config.fonts.fonts; };
+
+      environment.etc."fonts/conf.d/10-nixos-rendering.conf".text = renderConf;
+      environment.etc."fonts/conf.d/60-nixos-generic-alias.conf".text = genericAliasConf;
+
+      # Versioned fontconfig > 2.10. Take shared fonts.conf from fontconfig.
+      # Otherwise specify only font directories.
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/fonts.conf".source =
+        "${pkgs.fontconfig.out}/etc/fonts/fonts.conf";
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/00-nixos.conf".text =
+        let
+          cache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
+        in ''
+          <?xml version='1.0'?>
+          <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
+          <fontconfig>
+            <!-- Font directories -->
+            ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
+            <!-- Pre-generated font caches -->
+            <cachedir>${cache pkgs.fontconfig}</cachedir>
+            ${optionalString (pkgs.stdenv.isx86_64 && config.fonts.fontconfig.cache32Bit) ''
+              <cachedir>${cache pkgs.pkgsi686Linux.fontconfig}</cachedir>
+            ''}
+          </fontconfig>
+        '';
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/10-nixos-rendering.conf".text = renderConf;
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/60-nixos-generic-alias.conf".text = genericAliasConf;
+
+      environment.etc."fonts/${pkgs.fontconfig.configVersion}/conf.d/99-user.conf" = {
+        enable = fontconfig.includeUserConf;
+        text = ''
+          <?xml version="1.0"?>
+          <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+          <fontconfig>
+            <include ignore_missing="yes" prefix="xdg">fontconfig/conf.d</include>
+            <include ignore_missing="yes" prefix="xdg">fontconfig/fonts.conf</include>
+          </fontconfig>
+        '';
+      };
+
+      environment.systemPackages = [ pkgs.fontconfig ];
+
+    };

 }
--- a/nixos/modules/config/gnu.nix
+++ b/nixos/modules/config/gnu.nix
@@ -37,7 +37,6 @@ with lib;
    services.openssh.enable = false;
    services.lshd.enable = true;
    programs.ssh.startAgent = false;
-    services.xserver.startGnuPGAgent = true;

    # TODO: GNU dico.
    # TODO: GNU Inetutils' inetd.
--- a/nixos/modules/config/i18n.nix
+++ b/nixos/modules/config/i18n.nix
@@ -41,15 +41,6 @@ in
        '';
      };

-      consolePackages = mkOption {
-        type = types.listOf types.package;
-        default = with pkgs.kbdKeymaps; [ dvp neo ];
-        description = ''
-	  List of additional packages that provide console fonts, keymaps and
-          other resources.
-        '';
-      };
-
      consoleFont = mkOption {
        type = types.str;
        default = "Lat2-Terminus16";
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@@ -62,18 +62,6 @@ in
        description = "Whether to enable authentication against an LDAP server.";
      };

-      loginPam = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to include authentication against LDAP in login PAM";
-      };
-
-      nsswitch = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to include lookup against LDAP in NSS";
-      };
-
      server = mkOption {
        example = "ldap://ldap.example.org/";
        description = "The URL of the LDAP server.";
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@@ -8,7 +8,7 @@ let

  inherit (config.services.avahi) nssmdns;
  inherit (config.services.samba) nsswins;
-  ldap = (config.users.ldap.enable && config.users.ldap.nsswitch);
+  ldap = config.users.ldap.enable;

 in

--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@@ -9,36 +9,11 @@ let

  systemWide = cfg.enable && cfg.systemWide;
  nonSystemWide = cfg.enable && !cfg.systemWide;
-  hasZeroconf = let z = cfg.zeroconf; in z.publish.enable || z.discovery.enable;
-
-  overriddenPackage = cfg.package.override
-    (optionalAttrs hasZeroconf { zeroconfSupport = true; });
-  binary = "${getBin overriddenPackage}/bin/pulseaudio";
-  binaryNoDaemon = "${binary} --daemonize=no";

  # Forces 32bit pulseaudio and alsaPlugins to be built/supported for apps
  # using 32bit alsa on 64bit linux.
  enable32BitAlsaPlugins = cfg.support32Bit && stdenv.isx86_64 && (pkgs_i686.alsaLib != null && pkgs_i686.libpulseaudio != null);

-
-  myConfigFile =
-    let
-      addModuleIf = cond: mod: optionalString cond "load-module ${mod}";
-      allAnon = optional cfg.tcp.anonymousClients.allowAll "auth-anonymous=1";
-      ipAnon =  let a = cfg.tcp.anonymousClients.allowedIpRanges;
-                in optional (a != []) ''auth-ip-acl=${concatStringsSep ";" a}'';
-    in writeTextFile {
-      name = "default.pa";
-        text = ''
-        .include ${cfg.configFile}
-        ${addModuleIf cfg.zeroconf.publish.enable "module-zeroconf-publish"}
-        ${addModuleIf cfg.zeroconf.discovery.enable "module-zeroconf-discover"}
-        ${addModuleIf cfg.tcp.enable (concatStringsSep " "
-           ([ "module-native-protocol-tcp" ] ++ allAnon ++ ipAnon))}
-        ${cfg.extraConfig}
-      '';
-    };
-
  ids = config.ids;

  uid = ids.uids.pulseaudio;
@@ -51,8 +26,7 @@ let
  # are built with PulseAudio support (like KDE).
  clientConf = writeText "client.conf" ''
    autospawn=${if nonSystemWide then "yes" else "no"}
-    ${optionalString nonSystemWide "daemon-binary=${binary}"}
-    ${cfg.extraClientConf}
+    ${optionalString nonSystemWide "daemon-binary=${cfg.package.out}/bin/pulseaudio"}
  '';

  # Write an /etc/asound.conf that causes all ALSA applications to
@@ -69,7 +43,7 @@ let
      hint.description "Default Audio Device (via PulseAudio)"
    }
    ctl_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;
+      libs.native = ${alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;
      ${lib.optionalString enable32BitAlsaPlugins
     "libs.32Bit = ${pkgs_i686.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so ;"}
    }
@@ -114,31 +88,14 @@ in {
      };

      configFile = mkOption {
-        type = types.nullOr types.path;
+        type = types.path;
        description = ''
-          The path to the default configuration options the PulseAudio server
+          The path to the configuration the PulseAudio server
          should use. By default, the "default.pa" configuration
          from the PulseAudio distribution is used.
        '';
      };

-      extraConfig = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Literal string to append to <literal>configFile</literal>
-          and the config file generated by the pulseaudio module.
-        '';
-      };
-
-      extraClientConf = mkOption {
-        type = types.lines;
-        default = "";
-        description = ''
-          Extra configuration appended to pulse/client.conf file.
-        '';
-      };
-
      package = mkOption {
        type = types.package;
        default = pulseaudioLight;
@@ -161,31 +118,6 @@ in {
          '';
        };
      };
-
-      zeroconf = {
-        discovery.enable =
-          mkEnableOption "discovery of pulseaudio sinks in the local network";
-        publish.enable =
-          mkEnableOption "publishing the pulseaudio sink in the local network";
-      };
-
-      # TODO: enable by default?
-      tcp = {
-        enable = mkEnableOption "tcp streaming support";
-
-        anonymousClients = {
-          allowAll = mkEnableOption "all anonymous clients to stream to the server";
-          allowedIpRanges = mkOption {
-            type = types.listOf types.str;
-            default = [];
-            example = literalExample ''[ "127.0.0.1" "192.168.1.0/24" ]'';
-            description = ''
-              A list of IP subnets that are allowed to stream to the server.
-            '';
-          };
-        };
-      };
-
    };

  };
@@ -198,11 +130,11 @@ in {
        source = clientConf;
      };

-      hardware.pulseaudio.configFile = mkDefault "${getBin overriddenPackage}/etc/pulse/default.pa";
+      hardware.pulseaudio.configFile = mkDefault "${getBin cfg.package}/etc/pulse/default.pa";
    }

    (mkIf cfg.enable {
-      environment.systemPackages = [ overriddenPackage ];
+      environment.systemPackages = [ cfg.package ];

      environment.etc = singleton {
        target = "asound.conf";
@@ -211,21 +143,12 @@ in {

      # Allow PulseAudio to get realtime priority using rtkit.
      security.rtkit.enable = true;
-
-    })
-
-    (mkIf hasZeroconf {
-      services.avahi.enable = true;
-    })
-    (mkIf cfg.zeroconf.publish.enable {
-      services.avahi.publish.enable = true;
-      services.avahi.publish.userServices = true;
    })

    (mkIf nonSystemWide {
      environment.etc = singleton {
        target = "pulse/default.pa";
-        source = myConfigFile;
+        source = cfg.configFile;
      };

      systemd.user = {
@@ -235,12 +158,9 @@ in {
          wantedBy = [ "default.target" ];
          serviceConfig = {
            Type = "notify";
-            ExecStart = binaryNoDaemon;
+            ExecStart = "${getBin cfg.package}/bin/pulseaudio --daemonize=no";
            Restart = "on-failure";
-            RestartSec = "500ms";
          };
-          environment = { DISPLAY = ":${toString config.services.xserver.display}"; };
-          restartIfChanged = true;
        };

        sockets.pulseaudio = {
@@ -275,9 +195,8 @@ in {
        environment.PULSE_RUNTIME_PATH = stateDir;
        serviceConfig = {
          Type = "notify";
-          ExecStart = "${binaryNoDaemon} --log-level=${cfg.daemon.logLevel} --system -n --file=${myConfigFile}";
+          ExecStart = "${getBin cfg.package}/bin/pulseaudio --daemonize=no --log-level=${cfg.daemon.logLevel} --system -n --file=${cfg.configFile}";
          Restart = "on-failure";
-          RestartSec = "500ms";
        };
      };
    })
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@@ -1,7 +1,7 @@
 # This module defines a global environment configuration and
 # a common configuration for all shells.

-{ config, lib, utils, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

@@ -135,13 +135,13 @@ in

    environment.shells = mkOption {
      default = [];
-      example = literalExample "[ pkgs.bashInteractive pkgs.zsh ]";
+      example = [ "/run/current-system/sw/bin/zsh" ];
      description = ''
        A list of permissible login shells for user accounts.
        No need to mention <literal>/bin/sh</literal>
        here, it is placed into this list implicitly.
      '';
-      type = types.listOf (types.either types.shellPackage types.path);
+      type = types.listOf types.path;
    };

  };
@@ -158,7 +158,7 @@ in

    environment.etc."shells".text =
      ''
-        ${concatStringsSep "\n" (map utils.toShellPath cfg.shells)}
+        ${concatStringsSep "\n" cfg.shells}
        /bin/sh
      '';

--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@@ -30,7 +30,8 @@ let
        description = ''
          If this option is set, ‘device’ is interpreted as the
          path of a swapfile that will be created automatically
-          with the indicated size (in megabytes).
+          with the indicated size (in megabytes) if it doesn't
+          exist.
        '';
      };

@@ -131,13 +132,9 @@ in
            script =
              ''
                ${optionalString (sw.size != null) ''
-                  currentSize=$(( $(stat -c "%s" "${sw.device}" 2>/dev/null || echo 0) / 1024 / 1024 ))
-                  if [ "${toString sw.size}" != "$currentSize" ]; then
+                  if [ ! -e "${sw.device}" ]; then
                    fallocate -l ${toString sw.size}M "${sw.device}" ||
                      dd if=/dev/zero of="${sw.device}" bs=1M count=${toString sw.size}
-                    if [ "${toString sw.size}" -lt "$currentSize" ]; then
-                      truncate --size "${toString sw.size}M" "${sw.device}"
-                    fi
                    chmod 0600 ${sw.device}
                    ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
                  fi
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@@ -34,6 +34,7 @@ let
      config.programs.ssh.package
      pkgs.perl
      pkgs.procps
+      pkgs.rsync
      pkgs.strace
      pkgs.su
      pkgs.time
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -103,7 +103,7 @@ foreach my $g (@{$spec->{groups}}) {
    if (defined $existing) {
        $g->{gid} = $existing->{gid} if !defined $g->{gid};
        if ($g->{gid} != $existing->{gid}) {
-            warn "warning: not applying GID change of group ‘$name’ ($existing->{gid} -> $g->{gid})\n";
+            warn "warning: not applying GID change of group ‘$name’\n";
            $g->{gid} = $existing->{gid};
        }
        $g->{password} = $existing->{password}; # do we want this?
@@ -163,7 +163,7 @@ foreach my $u (@{$spec->{users}}) {
    if (defined $existing) {
        $u->{uid} = $existing->{uid} if !defined $u->{uid};
        if ($u->{uid} != $existing->{uid}) {
-            warn "warning: not applying UID change of user ‘$name’ ($existing->{uid} -> $u->{uid})\n";
+            warn "warning: not applying UID change of user ‘$name’\n";
            $u->{uid} = $existing->{uid};
        }
    } else {
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -1,8 +1,9 @@
-{ config, lib, utils, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

 let
+
  ids = config.ids;
  cfg = config.users;

@@ -102,7 +103,7 @@ let
      };

      home = mkOption {
-        type = types.path;
+        type = types.str;
        default = "/var/empty";
        description = "The user's home directory.";
      };
@@ -117,17 +118,9 @@ let
      };

      shell = mkOption {
-        type = types.either types.shellPackage types.path;
-        default = pkgs.nologin;
-        defaultText = "pkgs.nologin";
-        example = literalExample "pkgs.bashInteractive";
-        description = ''
-          The path to the user's shell. Can use shell derivations,
-          like <literal>pkgs.bashInteractive</literal>. Don’t
-          forget to enable your shell in
-          <literal>programs</literal> if necessary,
-          like <code>programs.zsh.enable = true;</code>.
-        '';
+        type = types.str;
+        default = "/run/current-system/sw/bin/nologin";
+        description = "The path to the user's shell.";
      };

      subUidRanges = mkOption {
@@ -366,12 +359,11 @@ let

  spec = pkgs.writeText "users-groups.json" (builtins.toJSON {
    inherit (cfg) mutableUsers;
-    users = mapAttrsToList (_: u:
+    users = mapAttrsToList (n: u:
      { inherit (u)
-          name uid group description home createHome isSystemUser
+          name uid group description home shell createHome isSystemUser
          password passwordFile hashedPassword
          initialPassword initialHashedPassword;
-        shell = utils.toShellPath u.shell;
      }) cfg.users;
    groups = mapAttrsToList (n: g:
      { inherit (g) name gid;
@@ -381,12 +373,6 @@ let
      }) cfg.groups;
  });

-  systemShells =
-    let
-      shells = mapAttrsToList (_: u: u.shell) cfg.users;
-    in
-      filter types.shellPackage.check shells;
-
 in {

  ###### interface
@@ -482,6 +468,7 @@ in {
        home = "/root";
        shell = mkDefault cfg.defaultUserShell;
        group = "root";
+        extraGroups = [ "grsecurity" ];
        initialHashedPassword = mkDefault config.security.initialRootPassword;
      };
      nobody = {
@@ -491,9 +478,6 @@ in {
      };
    };

-    # Install all the user shells
-    environment.systemPackages = systemShells;
-
    users.groups = {
      root.gid = ids.gids.root;
      wheel.gid = ids.gids.wheel;
@@ -513,6 +497,7 @@ in {
      nixbld.gid = ids.gids.nixbld;
      utmp.gid = ids.gids.utmp;
      adm.gid = ids.gids.adm;
+      grsecurity.gid = ids.gids.grsecurity;
      input.gid = ids.gids.input;
    };

--- a/nixos/modules/config/zram.nix
+++ b/nixos/modules/config/zram.nix
@@ -8,7 +8,7 @@ let

  devices = map (nr: "zram${toString nr}") (range 0 (cfg.numDevices - 1));

-  modprobe = "${pkgs.kmod}/bin/modprobe";
+  modprobe = "${config.system.sbin.modprobe}/sbin/modprobe";

 in

--- a/nixos/modules/hardware/video/amdgpu.nix
+++ b/nixos/modules/hardware/video/amdgpu.nix
@@ -1,9 +0,0 @@
-{ config, lib, ... }:
-
-with lib;
-{
-  config = mkIf (elem "amdgpu" config.services.xserver.videoDrivers) {
-    boot.blacklistedKernelModules = [ "radeon" ];
-  };
-}
-
--- a/nixos/modules/hardware/video/ati.nix
+++ b/nixos/modules/hardware/video/ati.nix
@@ -18,8 +18,6 @@ in

  config = mkIf enabled {

-    nixpkgs.config.xorg.fglrxCompat = true;
-
    services.xserver.drivers = singleton
      { name = "fglrx"; modules = [ ati_x11 ]; libPath = [ "${ati_x11}/lib" ]; };

--- a/nixos/modules/hardware/video/bumblebee.nix
+++ b/nixos/modules/hardware/video/bumblebee.nix
@@ -75,6 +75,7 @@ in
      serviceConfig = {
        ExecStart = "${bumblebee}/bin/bumblebeed --use-syslog -g ${cfg.group} --driver ${cfg.driver}";
      };
+      environment.MODULE_DIR="/run/current-system/kernel-modules/lib/modules/";
    };
  };
 }
--- a/nixos/modules/hardware/video/webcam/facetimehd.nix
+++ b/nixos/modules/hardware/video/webcam/facetimehd.nix
@@ -36,6 +36,7 @@ in

    # and load it back on resume
    powerManagement.resumeCommands = ''
+      export MODULE_DIR=/run/current-system/kernel-modules/lib/modules
      ${pkgs.kmod}/bin/modprobe -v facetimehd
    '';

--- a/nixos/modules/i18n/input-method/default.nix
+++ b/nixos/modules/i18n/input-method/default.nix
@@ -62,9 +62,4 @@ in
    environment.systemPackages = [ cfg.package gtk2_cache gtk3_cache ];
  };

-  meta = {
-    maintainers = with lib.maintainers; [ ericsagnes ];
-    doc = ./default.xml;
-  };
-
 }
--- a/nixos/modules/i18n/input-method/default.xml
+++ b/nixos/modules/i18n/input-method/default.xml
@@ -88,8 +88,6 @@ i18n.inputMethod = {
      methods among Traditional Chinese Unix users.</para></listitem>
  <listitem><para>Hangul (<literal>fcitx-engines.hangul</literal>): Korean input 
      method.</para></listitem>
-  <listitem><para>Unikey (<literal>fcitx-engines.unikey</literal>): Vietnamese input 
-      method.</para></listitem>
  <listitem><para>m17n (<literal>fcitx-engines.m17n</literal>): m17n is an input 
      method that uses input methods and corresponding icons in the m17n 
      database.</para></listitem>
--- a/nixos/modules/i18n/input-method/fcitx.nix
+++ b/nixos/modules/i18n/input-method/fcitx.nix
@@ -4,7 +4,7 @@ with lib;

 let
  cfg = config.i18n.inputMethod.fcitx;
-  fcitxPackage = pkgs.fcitx.override { plugins = cfg.engines; };
+  fcitxPackage = pkgs.fcitx-with-plugins.override { plugins = cfg.engines; };
  fcitxEngine = types.package // {
    name  = "fcitx-engine";
    check = x: (lib.types.package.check x) && (attrByPath ["meta" "isFcitxEngine"] false x);
--- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
@@ -19,37 +19,18 @@ in
      "it cannot be cross compiled";
  };

-  # Needed by RPi firmware
-  nixpkgs.config.allowUnfree = true;
-
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;

  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
-  boot.consoleLogLevel = 7;
+  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=tty0"];

  # FIXME: this probably should be in installation-device.nix
  users.extraUsers.root.initialHashedPassword = "";

  sdImage = {
-    populateBootCommands = let
-      configTxt = pkgs.writeText "config.txt" ''
-        [pi2]
-        kernel=u-boot-rpi2.bin
-
-        [pi3]
-        kernel=u-boot-rpi3.bin
-        enable_uart=1
-      '';
-      in ''
-        for f in bootcode.bin fixup.dat start.elf; do
-          cp ${pkgs.raspberrypifw}/share/raspberrypi/boot/$f boot/
-        done
-        cp ${pkgs.ubootRaspberryPi2}/u-boot.bin boot/u-boot-rpi2.bin
-        cp ${pkgs.ubootRaspberryPi3}/u-boot.bin boot/u-boot-rpi3.bin
-        cp ${configTxt} boot/config.txt
+    populateBootCommands = ''
        ${extlinux-conf-builder} -t 3 -c ${config.system.build.toplevel} -d ./boot
-      '';
+    '';
  };
 }
--- a/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-raspberrypi.nix
@@ -26,7 +26,6 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;

  boot.kernelPackages = pkgs.linuxPackages_rpi;
-  boot.consoleLogLevel = 7;

  # FIXME: this probably should be in installation-device.nix
  users.extraUsers.root.initialHashedPassword = "";
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@@ -24,7 +24,6 @@ fi
 # Parse the command line for the -I flag
 extraBuildFlags=()
 chrootCommand=(/run/current-system/sw/bin/bash)
-buildUsersGroup="nixbld"

 while [ "$#" -gt 0 ]; do
    i="$1"; shift 1
@@ -41,19 +40,6 @@ while [ "$#" -gt 0 ]; do
        --root)
            mountPoint="$1"; shift 1
            ;;
-        --closure)
-            closure="$1"; shift 1
-            buildUsersGroup=""
-            ;;
-        --no-channel-copy)
-            noChannelCopy=1
-            ;;
-        --no-root-passwd)
-            noRootPasswd=1
-            ;;
-        --no-bootloader)
-            noBootLoader=1
-            ;;
        --show-trace)
            extraBuildFlags+=("$i")
            ;;
@@ -102,13 +88,15 @@ mount -t tmpfs -o "mode=0755" none $mountPoint/run
 mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
-for f in /etc/resolv.conf /etc/hosts; do rm -f $mountPoint/$f; [ -f "$f" ] && cp -Lf $f $mountPoint/etc/; done
-for f in /etc/passwd /etc/group;      do touch $mountPoint/$f; [ -f "$f" ] && mount --rbind -o ro $f $mountPoint/$f; done
+rm -f $mountPoint/etc/{resolv.conf,hosts}
+cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/

-cp -Lf "@cacert@" "$mountPoint/tmp/ca-cert.crt"
-export SSL_CERT_FILE=/tmp/ca-cert.crt
-# For Nix 1.7
-export CURL_CA_BUNDLE=/tmp/ca-cert.crt
+if [ -e "$SSL_CERT_FILE" ]; then
+    cp -Lf "$SSL_CERT_FILE" "$mountPoint/tmp/ca-cert.crt"
+    export SSL_CERT_FILE=/tmp/ca-cert.crt
+    # For Nix 1.7
+    export CURL_CA_BUNDLE=/tmp/ca-cert.crt
+fi

 if [ -n "$runChroot" ]; then
    if ! [ -L $mountPoint/nix/var/nix/profiles/system ]; then
@@ -125,7 +113,7 @@ if test -z "$NIXOS_CONFIG"; then
    NIXOS_CONFIG=/etc/nixos/configuration.nix
 fi

-if [ ! -e "$mountPoint/$NIXOS_CONFIG" ] && [ -z "$closure" ]; then
+if ! test -e "$mountPoint/$NIXOS_CONFIG"; then
    echo "configuration file $mountPoint/$NIXOS_CONFIG doesn't exist"
    exit 1
 fi
@@ -136,13 +124,14 @@ fi
 mkdir -m 0755 -p \
    $mountPoint/nix/var/nix/gcroots \
    $mountPoint/nix/var/nix/temproots \
+    $mountPoint/nix/var/nix/manifests \
    $mountPoint/nix/var/nix/userpool \
    $mountPoint/nix/var/nix/profiles \
    $mountPoint/nix/var/nix/db \
    $mountPoint/nix/var/log/nix/drvs

 mkdir -m 1775 -p $mountPoint/nix/store
-chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
+chown root:nixbld $mountPoint/nix/store


 # There is no daemon in the chroot.
@@ -155,13 +144,18 @@ export LC_ALL=
 export LC_TIME=


-# Builds will use users that are members of this group
-extraBuildFlags+=(--option "build-users-group" "$buildUsersGroup")
+# Create a temporary Nix config file that causes the nixbld users to
+# be used.
+echo "build-users-group = nixbld" > $mountPoint/tmp/nix.conf # FIXME: remove in Nix 1.8
+binary_caches=$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')
+if test -n "$binary_caches"; then
+    echo "binary-caches = $binary_caches" >> $mountPoint/tmp/nix.conf
+fi
+export NIX_CONF_DIR=/tmp

-
-# Inherit binary caches from the host
-binary_caches="$(@perl@/bin/perl -I @nix@/lib/perl5/site_perl/*/* -e 'use Nix::Config; Nix::Config::readConfig; print $Nix::Config::config{"binary-caches"};')"
-extraBuildFlags+=(--option "binary-caches" "$binary_caches")
+touch $mountPoint/etc/passwd $mountPoint/etc/group
+mount --bind -o ro /etc/passwd $mountPoint/etc/passwd
+mount --bind -o ro /etc/group $mountPoint/etc/group


 # Copy Nix to the Nix store on the target device, unless it's already there.
@@ -170,7 +164,7 @@ if ! NIX_DB_DIR=$mountPoint/nix/var/nix/db nix-store --check-validity @nix@ 2> /
    for i in $(@perl@/bin/perl @pathsFromGraph@ @nixClosure@); do
        echo "  $i"
        chattr -R -i $mountPoint/$i 2> /dev/null || true # clear immutable bit
-        @rsync@/bin/rsync -a $i $mountPoint/nix/store/
+        rsync -a $i $mountPoint/nix/store/
    done

    # Register the paths in the Nix closure as valid.  This is necessary
@@ -200,22 +194,24 @@ p=@nix@/libexec/nix/substituters
 export NIX_SUBSTITUTERS=$p/copy-from-other-stores.pl:$p/download-from-binary-cache.pl


-if [ -z "$closure" ]; then
-    # Get the absolute path to the NixOS/Nixpkgs sources.
-    nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"
+# Make manifests available in the chroot.
+rm -f $mountPoint/nix/var/nix/manifests/*
+for i in /nix/var/nix/manifests/*.nixmanifest; do
+    chroot $mountPoint @nix@/bin/nix-store -r "$(readlink -f "$i")" > /dev/null
+    cp -pd "$i" $mountPoint/nix/var/nix/manifests/
+done
+
+
+# Get the absolute path to the NixOS/Nixpkgs sources.
+nixpkgs="$(readlink -f $(nix-instantiate --find-file nixpkgs))"

-    nixEnvAction="-f <nixpkgs/nixos> --set -A system"
-else
-    nixpkgs=""
-    nixEnvAction="--set $closure"
-fi

 # Build the specified Nix expression in the target store and install
 # it into the system configuration profile.
 echo "building the system configuration..."
 NIX_PATH="nixpkgs=/tmp/root/$nixpkgs:nixos-config=$NIXOS_CONFIG" NIXOS_CONFIG= \
    chroot $mountPoint @nix@/bin/nix-env \
-    "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system $nixEnvAction
+    "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' --set -A system


 # Copy the NixOS/Nixpkgs sources to the target as the initial contents
@@ -224,7 +220,7 @@ mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles
 mkdir -m 1777 -p $mountPoint/nix/var/nix/profiles/per-user
 mkdir -m 0755 -p $mountPoint/nix/var/nix/profiles/per-user/root
 srcs=$(nix-env "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")
-if [ -z "$noChannelCopy" ] && [ -n "$srcs" ]; then
+if test -n "$srcs"; then
    echo "copying NixOS/Nixpkgs sources..."
    chroot $mountPoint @nix@/bin/nix-env \
        "${extraBuildFlags[@]}" -p /nix/var/nix/profiles/per-user/root/channels -i "$srcs" --quiet
@@ -234,7 +230,7 @@ ln -sfn /nix/var/nix/profiles/per-user/root/channels $mountPoint/root/.nix-defex


 # Get rid of the /etc bind mounts.
-for f in /etc/passwd /etc/group; do [ -f "$f" ] && umount $mountPoint/$f; done
+umount $mountPoint/etc/passwd $mountPoint/etc/group


 # Grub needs an mtab.
@@ -250,17 +246,16 @@ touch $mountPoint/etc/NIXOS
 # a menu default pointing at the kernel/initrd/etc of the new
 # configuration.
 echo "finalising the installation..."
-if [ -z "$noBootLoader" ]; then
-  NIXOS_INSTALL_BOOTLOADER=1 chroot $mountPoint \
-      /nix/var/nix/profiles/system/bin/switch-to-configuration boot
-fi
+NIXOS_INSTALL_GRUB=1 chroot $mountPoint \
+    /nix/var/nix/profiles/system/bin/switch-to-configuration boot
+

 # Run the activation script.
 chroot $mountPoint /nix/var/nix/profiles/system/activate


 # Ask the user to set a root password.
-if [ -z "$noRootPasswd" ] && [ -x $mountPoint/var/setuid-wrappers/passwd ] && [ -t 0 ]; then
+if [ "$(chroot $mountPoint /run/current-system/sw/bin/sh -l -c "nix-instantiate --eval '<nixpkgs/nixos>' -A config.users.mutableUsers")" = true ] && [ -t 0 ] ; then
    echo "setting root password..."
    chroot $mountPoint /var/setuid-wrappers/passwd
 fi
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -33,11 +33,7 @@ while [ "$#" -gt 0 ]; do
        action="$i"
        ;;
      --install-grub)
-        echo "$0: --install-grub deprecated, use --install-bootloader instead" >&2
-        export NIXOS_INSTALL_BOOTLOADER=1
-        ;;
-      --install-bootloader)
-        export NIXOS_INSTALL_BOOTLOADER=1
+        export NIXOS_INSTALL_GRUB=1
        ;;
      --no-build-nix)
        buildNix=
@@ -218,9 +214,9 @@ fi

 # Re-execute nixos-rebuild from the Nixpkgs tree.
 if [ -z "$_NIXOS_REBUILD_REEXEC" -a -n "$canRun" ]; then
-    if p=$(nix-build --no-out-link --expr 'with import <nixpkgs/nixos> {}; config.system.build.nixos-rebuild' "${extraBuildFlags[@]}"); then
+    if p=$(nix-instantiate --find-file nixpkgs/nixos/modules/installer/tools/nixos-rebuild.sh "${extraBuildFlags[@]}"); then
        export _NIXOS_REBUILD_REEXEC=1
-        exec $p/bin/nixos-rebuild "${origArgs[@]}"
+        exec $SHELL -e $p "${origArgs[@]}"
        exit 1
    fi
 fi
--- a/nixos/modules/installer/tools/nixos-version.sh
+++ b/nixos/modules/installer/tools/nixos-version.sh
@@ -1,10 +1,6 @@
 #! @shell@

 case "$1" in
-  -h|--help)
-    exec man nixos-version
-    exit 1
-    ;;
  --hash|--revision)
    echo "@nixosRevision@"
    ;;
--- a/nixos/modules/installer/tools/tools.nix
+++ b/nixos/modules/installer/tools/tools.nix
@@ -21,11 +21,8 @@ let
    name = "nixos-install";
    src = ./nixos-install.sh;

-    inherit (pkgs) perl pathsFromGraph rsync;
+    inherit (pkgs) perl pathsFromGraph;
    nix = config.nix.package.out;
-    cacert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-    root_uid = config.ids.uids.root;
-    nixbld_gid = config.ids.gids.nixbld;

    nixClosure = pkgs.runCommand "closure"
      { exportReferencesGraph = ["refs" config.nix.package.out]; }
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -147,6 +147,7 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
+      #grsecurity = 121; # unused
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
@@ -268,13 +269,6 @@
      nzbget = 245;
      mosquitto = 246;
      toxvpn = 247;
-      squeezelite = 248;
-      turnserver = 249;
-      smokeping = 250;
-      gocd-agent = 251;
-      gocd-server = 252;
-      terraria = 253;
-      mattermost = 254;

      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!

@@ -375,7 +369,7 @@
      quassel = 89;
      amule = 90;
      minidlna = 91;
-      elasticsearch = 92;
+      #elasticsearch = 92; # unused
      #tcpcryptd = 93; # unused
      connman = 94;
      firebird = 95;
@@ -402,6 +396,7 @@
      foundationdb = 118;
      newrelic = 119;
      starbound = 120;
+      grsecurity = 121;
      hydra = 122;
      spiped = 123;
      teamspeak = 124;
@@ -513,13 +508,6 @@
      nzbget = 245;
      mosquitto = 246;
      #toxvpn = 247; # unused
-      #squeezelite = 248; #unused
-      turnserver = 249;
-      smokeping = 250;
-      gocd-agent = 251;
-      gocd-server = 252;
-      terraria = 253;
-      mattermost = 254;

      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/misc/meta.nix
+++ b/nixos/modules/misc/meta.nix
@@ -39,7 +39,7 @@ in
        default = [];
        example = [ lib.maintainers.all ];
        description = ''
-          List of maintainers of each module.  This option should be defined at
+	  List of maintainers of each module.  This option should be defined at
          most once per module.
        '';
      };
@@ -49,7 +49,7 @@ in
        internal = true;
        example = "./meta.xml";
        description = ''
-          Documentation prologe for the set of options of each module.  This
+	  Documentation prologe for the set of options of each module.  This
          option should be defined at most once per module.
        '';
      };
@@ -57,5 +57,7 @@ in
    };
  };

-  meta.maintainers = singleton lib.maintainers.pierron;
+  config = {
+    meta.maintainers = singleton lib.maintainers.pierron;
+  };
 }
--- a/nixos/modules/misc/nixpkgs.nix
+++ b/nixos/modules/misc/nixpkgs.nix
@@ -21,11 +21,6 @@ let
      packageOverrides = pkgs:
        optCall lhs.packageOverrides pkgs //
        optCall (attrByPath ["packageOverrides"] ({}) rhs) pkgs;
-    } //
-    optionalAttrs (lhs ? perlPackageOverrides) {
-      perlPackageOverrides = pkgs:
-        optCall lhs.perlPackageOverrides pkgs //
-        optCall (attrByPath ["perlPackageOverrides"] ({}) rhs) pkgs;
    };

  configType = mkOptionType {
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -35,44 +35,57 @@ in
    nixosLabel = mkOption {
      type = types.str;
      description = ''
-        Label to be used in the names of generated outputs and boot
-        labels.
+        NixOS version name to be used in the names of generated
+        outputs and boot labels.
+
+        If you ever wanted to influence the labels in your GRUB menu,
+        this is option is for you.
+
+        Can be set directly or with <envar>NIXOS_LABEL</envar>
+        environment variable for <command>nixos-rebuild</command>,
+        e.g.:
+
+        <screen>
+        #!/bin/sh
+        today=`date +%Y%m%d`
+        branch=`(cd nixpkgs ; git branch 2>/dev/null | sed -n '/^\* / { s|^\* ||; p; }')`
+        revision=`(cd nixpkgs ; git rev-parse HEAD)`
+        export NIXOS_LABEL="$today.$branch-''${revision:0:7}"
+        nixos-rebuild switch</screen>
      '';
    };

    nixosVersion = mkOption {
      internal = true;
      type = types.str;
-      description = "The full NixOS version (e.g. <literal>16.03.1160.f2d4ee1</literal>).";
+      description = "NixOS version.";
    };

    nixosRelease = mkOption {
      readOnly = true;
      type = types.str;
-      default = fileContents releaseFile;
-      description = "The NixOS release (e.g. <literal>16.03</literal>).";
+      default = readFile releaseFile;
+      description = "NixOS release.";
    };

    nixosVersionSuffix = mkOption {
      internal = true;
      type = types.str;
-      default = if pathExists suffixFile then fileContents suffixFile else "pre-git";
-      description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>).";
+      default = if pathExists suffixFile then readFile suffixFile else "pre-git";
+      description = "NixOS version suffix.";
    };

    nixosRevision = mkOption {
      internal = true;
      type = types.str;
-      default = if pathIsDirectory gitRepo then commitIdFromGitRepo gitRepo
-                else if pathExists revisionFile then fileContents revisionFile
-                else "master";
-      description = "The Git revision from which this NixOS configuration was built.";
+      default = if pathExists revisionFile then readFile revisionFile else "master";
+      description = "NixOS Git revision hash.";
    };

    nixosCodeName = mkOption {
      readOnly = true;
      type = types.str;
-      description = "The NixOS release code name (e.g. <literal>Emu</literal>).";
+      description = "NixOS release code name.";
    };

    defaultChannel = mkOption {
@@ -89,10 +102,10 @@ in
    system = {
      # These defaults are set here rather than up there so that
      # changing them would not rebuild the manual
-      nixosLabel   = mkDefault cfg.nixosVersion;
-      nixosVersion = mkDefault (cfg.nixosRelease + cfg.nixosVersionSuffix);
-      nixosRevision      = mkIf (pathIsDirectory gitRepo) (mkDefault            gitCommitId);
-      nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
+      nixosLabel   = mkDefault (maybeEnv "NIXOS_LABEL" cfg.nixosVersion);
+      nixosVersion = mkDefault (maybeEnv "NIXOS_VERSION" (cfg.nixosRelease + cfg.nixosVersionSuffix));
+      nixosRevision      = mkIf (pathExists gitRepo) (mkDefault            gitCommitId);
+      nixosVersionSuffix = mkIf (pathExists gitRepo) (mkDefault (".git." + gitCommitId));

      # Note: code names must only increase in alphabetical order.
      nixosCodeName = "Flounder";
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -37,10 +37,9 @@
  ./hardware/network/rtl8192c.nix
  ./hardware/opengl.nix
  ./hardware/pcmcia.nix
-  ./hardware/video/amdgpu.nix
-  ./hardware/video/ati.nix
  ./hardware/video/bumblebee.nix
  ./hardware/video/nvidia.nix
+  ./hardware/video/ati.nix
  ./hardware/video/webcam/facetimehd.nix
  ./i18n/input-method/default.nix
  ./i18n/input-method/fcitx.nix
@@ -63,7 +62,8 @@
  ./programs/bash/bash.nix
  ./programs/blcr.nix
  ./programs/cdemu.nix
-  ./programs/command-not-found/command-not-found.nix
+  # see https://github.com/NixOS/nixos-channel-scripts/issues/4
+  #./programs/command-not-found/command-not-found.nix
  ./programs/dconf.nix
  ./programs/environment.nix
  ./programs/freetds.nix
@@ -76,14 +76,13 @@
  ./programs/screen.nix
  ./programs/shadow.nix
  ./programs/shell.nix
-  ./programs/spacefm.nix
  ./programs/ssh.nix
  ./programs/ssmtp.nix
  ./programs/tmux.nix
+  ./programs/unity3d.nix
  ./programs/venus.nix
  ./programs/wvdial.nix
  ./programs/xfs_quota.nix
-  ./programs/xonsh.nix
  ./programs/zsh/zsh.nix
  ./rename.nix
  ./security/acme.nix
@@ -91,7 +90,6 @@
  ./security/apparmor-suid.nix
  ./security/audit.nix
  ./security/ca.nix
-  ./security/chromium-suid-sandbox.nix
  ./security/duosec.nix
  ./security/grsecurity.nix
  ./security/hidepid.nix
@@ -112,7 +110,6 @@
  ./services/audio/liquidsoap.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
-  ./services/audio/squeezelite.nix
  ./services/backup/almir.nix
  ./services/backup/bacula.nix
  ./services/backup/crashplan.nix
@@ -128,13 +125,10 @@
  ./services/computing/torque/server.nix
  ./services/computing/torque/mom.nix
  ./services/computing/slurm/slurm.nix
-  ./services/continuous-integration/buildkite-agent.nix
-  ./services/continuous-integration/hydra/default.nix
-  ./services/continuous-integration/gocd-agent/default.nix
-  ./services/continuous-integration/gocd-server/default.nix
  ./services/continuous-integration/jenkins/default.nix
-  ./services/continuous-integration/jenkins/job-builder.nix
  ./services/continuous-integration/jenkins/slave.nix
+  ./services/continuous-integration/jenkins/job-builder.nix
+  ./services/continuous-integration/hydra/default.nix
  ./services/databases/4store-endpoint.nix
  ./services/databases/4store.nix
  ./services/databases/couchdb.nix
@@ -168,12 +162,10 @@
  ./services/desktops/profile-sync-daemon.nix
  ./services/desktops/telepathy.nix
  ./services/development/hoogle.nix
-  ./services/editors/emacs.nix
  ./services/games/factorio.nix
  ./services/games/ghost-one.nix
  ./services/games/minecraft-server.nix
  ./services/games/minetest-server.nix
-  ./services/games/terraria.nix
  ./services/hardware/acpid.nix
  ./services/hardware/actkbd.nix
  ./services/hardware/amd-hybrid-graphics.nix
@@ -226,7 +218,6 @@
  ./services/misc/confd.nix
  ./services/misc/devmon.nix
  ./services/misc/dictd.nix
-  ./services/misc/dysnomia.nix
  ./services/misc/disnix.nix
  ./services/misc/docker-registry.nix
  ./services/misc/emby.nix
@@ -253,7 +244,6 @@
  ./services/misc/nix-ssh-serve.nix
  ./services/misc/nzbget.nix
  ./services/misc/octoprint.nix
-  ./services/misc/packagekit.nix
  ./services/misc/parsoid.nix
  ./services/misc/phd.nix
  ./services/misc/plex.nix
@@ -263,7 +253,6 @@
  ./services/misc/ripple-data-api.nix
  ./services/misc/rogue.nix
  ./services/misc/siproxd.nix
-  ./services/misc/sonarr.nix
  ./services/misc/spice-vdagentd.nix
  ./services/misc/subsonic.nix
  ./services/misc/sundtek.nix
@@ -325,7 +314,6 @@
  ./services/networking/cntlm.nix
  ./services/networking/connman.nix
  ./services/networking/consul.nix
-  ./services/networking/coturn.nix
  ./services/networking/ddclient.nix
  ./services/networking/dhcpcd.nix
  ./services/networking/dhcpd.nix
@@ -335,14 +323,12 @@
  ./services/networking/docker-registry-server.nix
  ./services/networking/ejabberd.nix
  ./services/networking/fan.nix
-  ./services/networking/ferm.nix
  ./services/networking/firefox/sync-server.nix
  ./services/networking/firewall.nix
  ./services/networking/flashpolicyd.nix
  ./services/networking/freenet.nix
  ./services/networking/gale.nix
  ./services/networking/gateone.nix
-  ./services/networking/gdomap.nix
  ./services/networking/git-daemon.nix
  ./services/networking/gnunet.nix
  ./services/networking/gogoclient.nix
@@ -376,7 +362,6 @@
  ./services/networking/ntopng.nix
  ./services/networking/ntpd.nix
  ./services/networking/nylon.nix
-  ./services/networking/offlineimap.nix
  ./services/networking/oidentd.nix
  ./services/networking/openfire.nix
  ./services/networking/openntpd.nix
@@ -384,7 +369,6 @@
  ./services/networking/ostinato.nix
  ./services/networking/pdnsd.nix
  ./services/networking/polipo.nix
-  ./services/networking/pptpd.nix
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/prosody.nix
@@ -401,7 +385,6 @@
  ./services/networking/shairport-sync.nix
  ./services/networking/shout.nix
  ./services/networking/sniproxy.nix
-  ./services/networking/smokeping.nix
  ./services/networking/softether.nix
  ./services/networking/spiped.nix
  ./services/networking/sslh.nix
@@ -427,7 +410,6 @@
  ./services/networking/wicd.nix
  ./services/networking/wpa_supplicant.nix
  ./services/networking/xinetd.nix
-  ./services/networking/xl2tpd.nix
  ./services/networking/zerobin.nix
  ./services/networking/zerotierone.nix
  ./services/networking/znc.nix
@@ -449,7 +431,6 @@
  ./services/security/haveged.nix
  ./services/security/hologram.nix
  ./services/security/munge.nix
-  ./services/security/oauth2_proxy.nix
  ./services/security/physlock.nix
  ./services/security/torify.nix
  ./services/security/tor.nix
@@ -466,9 +447,7 @@
  ./services/ttys/agetty.nix
  ./services/ttys/gpm.nix
  ./services/ttys/kmscon.nix
-  ./services/web-apps/mattermost.nix
  ./services/web-apps/pump.io.nix
-  ./services/web-apps/tt-rss.nix
  ./services/web-servers/apache-httpd/default.nix
  ./services/web-servers/caddy.nix
  ./services/web-servers/fcgiwrap.nix
@@ -476,9 +455,8 @@
  ./services/web-servers/lighttpd/cgit.nix
  ./services/web-servers/lighttpd/default.nix
  ./services/web-servers/lighttpd/gitweb.nix
-  ./services/web-servers/lighttpd/inginious.nix
  ./services/web-servers/nginx/default.nix
-  ./services/web-servers/phpfpm/default.nix
+  ./services/web-servers/phpfpm.nix
  ./services/web-servers/shellinabox.nix
  ./services/web-servers/tomcat.nix
  ./services/web-servers/uwsgi.nix
@@ -486,7 +464,6 @@
  ./services/web-servers/winstone.nix
  ./services/web-servers/zope2.nix
  ./services/x11/colord.nix
-  ./services/x11/compton.nix
  ./services/x11/unclutter.nix
  ./services/x11/desktop-managers/default.nix
  ./services/x11/display-managers/auto.nix
@@ -513,7 +490,6 @@
  ./services/x11/window-managers/windowlab.nix
  ./services/x11/window-managers/wmii.nix
  ./services/x11/window-managers/xmonad.nix
-  ./services/x11/xbanish.nix
  ./services/x11/xfs.nix
  ./services/x11/xserver.nix
  ./system/activation/activation-script.nix
@@ -537,7 +513,6 @@
  ./system/boot/luksroot.nix
  ./system/boot/modprobe.nix
  ./system/boot/networkd.nix
-  ./system/boot/plymouth.nix
  ./system/boot/resolved.nix
  ./system/boot/shutdown.nix
  ./system/boot/stage-1.nix
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@@ -42,7 +42,7 @@ with lib;

        The "root" account has an empty password.  ${
          optionalString config.services.xserver.enable
-            "Type `systemctl start display-manager' to\nstart the graphical user interface."}
+            "Type `start display-manager' to\nstart the graphical user interface."}
      '';

    # Allow sshd to be started manually through "start sshd".
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@@ -200,7 +200,7 @@ in
    # Configuration for readline in bash.
    environment.etc."inputrc".source = ./inputrc;

-    users.defaultUserShell = mkDefault pkgs.bashInteractive;
+    users.defaultUserShell = mkDefault "/run/current-system/sw/bin/bash";

    environment.pathsToLink = optionals cfg.enableCompletion [
      "/etc/bash_completion.d"
--- a/nixos/modules/programs/bash/inputrc
+++ b/nixos/modules/programs/bash/inputrc
@@ -6,7 +6,6 @@ set meta-flag on
 set input-meta on
 set convert-meta off
 set output-meta on
-set colored-stats on

 #set mark-symlinked-directories on

--- a/nixos/modules/programs/shadow.nix
+++ b/nixos/modules/programs/shadow.nix
@@ -1,6 +1,6 @@
 # Configuration for the pwdutils suite of tools: passwd, useradd, etc.

-{ config, lib, utils, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

@@ -43,13 +43,13 @@ in
    users.defaultUserShell = lib.mkOption {
      description = ''
        This option defines the default shell assigned to user
-        accounts. This can be either a full system path or a shell package.
-
-        This must not be a store path, since the path is
+        accounts.  This must not be a store path, since the path is
        used outside the store (in particular in /etc/passwd).
+        Rather, it should be the path of a symlink that points to the
+        actual shell in the Nix store.
      '';
-      example = literalExample "pkgs.zsh";
-      type = types.either types.path types.shellPackage;
+      example = "/run/current-system/sw/bin/zsh";
+      type = types.path;
    };

  };
@@ -60,9 +60,7 @@ in
  config = {

    environment.systemPackages =
-      lib.optional config.users.mutableUsers pkgs.shadow ++
-      lib.optional (types.shellPackage.check config.users.defaultUserShell)
-        config.users.defaultUserShell;
+      lib.optional config.users.mutableUsers pkgs.shadow;

    environment.etc =
      [ { # /etc/login.defs: global configuration for pwdutils.  You
@@ -76,7 +74,7 @@ in
            ''
              GROUP=100
              HOME=/home
-              SHELL=${utils.toShellPath config.users.defaultUserShell}
+              SHELL=${config.users.defaultUserShell}
            '';
          target = "default/useradd";
        }
@@ -103,9 +101,10 @@ in
      };

    security.setuidPrograms = [ "su" "chfn" ]
-      ++ [ "newuidmap" "newgidmap" ] # new in shadow 4.2.x
      ++ lib.optionals config.users.mutableUsers
-      [ "passwd" "sg" "newgrp" ];
+      [ "passwd" "sg" "newgrp"
+        "newuidmap" "newgidmap" # new in shadow 4.2.x
+      ];

  };

--- a/nixos/modules/programs/spacefm.nix
+++ b/nixos/modules/programs/spacefm.nix
@@ -1,55 +0,0 @@
-# Global configuration for spacefm.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let cfg = config.programs.spacefm;
-
-in
-{
-  ###### interface
-
-  options = {
-
-    programs.spacefm = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to install SpaceFM and create <filename>/etc/spacefm/spacefm.conf</filename>.
-        '';
-      };
-
-      settings = mkOption {
-        type = types.attrs;
-        default = {
-          tmp_dir = "/tmp";
-          terminal_su = "${pkgs.sudo}/bin/sudo";
-          graphical_su = "${pkgs.gksu}/bin/gksu";
-        };
-        example = literalExample ''{
-          tmp_dir = "/tmp";
-          terminal_su = "''${pkgs.sudo}/bin/sudo";
-          graphical_su = "''${pkgs.gksu}/bin/gksu";
-        }'';
-        description = ''
-          The system-wide spacefm configuration.
-          Parameters to be written to <filename>/etc/spacefm/spacefm.conf</filename>.
-          Refer to the <link xlink:href="https://ignorantguru.github.io/spacefm/spacefm-manual-en.html#programfiles-etc">relevant entry</link> in the SpaceFM manual.
-        '';
-      };
-
-    };
-  };
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.spaceFM ];
-
-    environment.etc."spacefm/spacefm.conf".text =
-      concatStrings (mapAttrsToList (n: v: "${n}=${toString v}\n") cfg.settings);
-  };
-}
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@@ -100,12 +100,6 @@ in
          Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
        '';
      };
-      
-      setSendmail = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Whether to set the system sendmail to ssmtp's.";
-      };

    };

@@ -128,13 +122,6 @@ in
      '';

    environment.systemPackages = [pkgs.ssmtp];
-    
-    services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail {
-      program = "sendmail";
-      source = "${pkgs.ssmtp}/bin/sendmail";
-      setuid = false;
-      setgid = false;
-    };

  };

--- a/nixos/modules/programs/tmux.nix
+++ b/nixos/modules/programs/tmux.nix
@@ -27,7 +27,7 @@ let
    set -g status-keys ${cfg.keyMode}
    set -g mode-keys   ${cfg.keyMode}

-    ${if cfg.keyMode == "vi" && cfg.customPaneNavigationAndResize then ''
+    ${if cfg.keyMode == "vi" then ''
    bind h select-pane -L
    bind j select-pane -D
    bind k select-pane -U
@@ -86,13 +86,6 @@ in {
        description = "Use 24 hour clock.";
      };

-      customPaneNavigationAndResize = mkOption {
-        default = false;
-        example = true;
-        type = types.bool;
-        description = "Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.";
-      };
-
      escapeTime = mkOption {
        default = 500;
        example = 0;
--- a/nixos/modules/programs/unity3d.nix
+++ b/nixos/modules/programs/unity3d.nix
@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let cfg = config.programs.unity3d;
+in {
+
+  options = {
+    programs.unity3d.enable = mkEnableOption "Unity3D, a game development tool";
+  };
+
+  config = mkIf cfg.enable {
+    security.setuidOwners = [{
+      program = "unity-chrome-sandbox";
+      source = "${pkgs.unity3d.sandbox}/bin/unity-chrome-sandbox";
+      owner = "root";
+      #group = "root";
+      setuid = true;
+      #setgid = true;
+    }];
+
+    environment.systemPackages = [ pkgs.unity3d ];
+  };
+
+}
--- a/nixos/modules/programs/xonsh.nix
+++ b/nixos/modules/programs/xonsh.nix
@@ -1,62 +0,0 @@
-# This module defines global configuration for the xonsh.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  cfge = config.environment;
-
-  cfg = config.programs.xonsh;
-
-in
-
-{
-
-  options = {
-
-    programs.xonsh = {
-
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to configure xnosh as an interactive shell.
-        '';
-        type = types.bool;
-      };
-
-      package = mkOption {
-        type = types.package;
-        example = literalExample "pkgs.xonsh.override { configFile = \"/path/to/xonshrc\"; }";
-        description = ''
-          xonsh package to use.
-        '';
-      };
-
-      config = mkOption {
-        default = "";
-        description = "Control file to customize your shell behavior.";
-        type = types.lines;
-      };
-
-    };
-
-  };
-
-  config = mkIf cfg.enable {
-
-    environment.etc."xonshrc".text = cfg.config;
-
-    environment.systemPackages = [ pkgs.xonsh ];
-
-    environment.shells =
-      [ "/run/current-system/sw/bin/xonsh"
-        "/var/run/current-system/sw/bin/xonsh"
-        "${pkgs.xonsh}/bin/xonsh"
-      ];
-
-  };
-
-}
-
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@@ -116,8 +116,6 @@ in
        done

        ${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""}
-
-        HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
      '';

    };
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -29,7 +29,7 @@ with lib;
    (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])

    (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
-    (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ] "")
+    (mkRemovedOptionModule [ "services" "gitlab" "satelliteDir" ])

    # Old Grub-related options.
    (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
@@ -112,47 +112,21 @@ with lib;
    (mkRenamedOptionModule [ "services" "iodined" "domain" ] [ "services" "iodine" "server" "domain" ])
    (mkRenamedOptionModule [ "services" "iodined" "ip" ] [ "services" "iodine" "server" "ip" ])
    (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
-    (mkRemovedOptionModule [ "services" "iodined" "client" ] "")
-
-    # Grsecurity
-    (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
-    (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
-
-    # Unity3D
-    (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
-
-    # fontconfig-ultimate
-    (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
+    (mkRemovedOptionModule [ "services" "iodined" "client" ])

    # Options that are obsolete and have no replacement.
-    (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
-    (mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
-    (mkRemovedOptionModule [ "services" "samba" "defaultShare" ] "")
-    (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ] "")
-    (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ] "")
-    (mkRemovedOptionModule [ "ec2" "metadata" ] "")
-    (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "")
-    (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "")
-    (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "")
-    (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]
-      "See the 16.03 release notes for more information.")
-    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
-    (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
+    (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ])
+    (mkRemovedOptionModule [ "programs" "bash" "enable" ])
+    (mkRemovedOptionModule [ "services" "samba" "defaultShare" ])
+    (mkRemovedOptionModule [ "services" "syslog-ng" "serviceName" ])
+    (mkRemovedOptionModule [ "services" "syslog-ng" "listenToJournal" ])
+    (mkRemovedOptionModule [ "ec2" "metadata" ])
+    (mkRemovedOptionModule [ "services" "openvpn" "enable" ])
+    (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
+    (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
+    (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
+    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ])
+    (mkRemovedOptionModule [ "services" "dovecot2" "package" ])
+
  ];
 }
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -187,7 +187,7 @@ in
                  script = ''
                    cd '${cpath}'
                    set +e
-                    simp_le ${escapeShellArgs cmdline}
+                    simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
                    EXITCODE=$?
                    set -e
                    echo "$EXITCODE" > /tmp/lastExitCode
@@ -290,10 +290,9 @@ in
      systemd.targets."acme-certificates" = {};
    })

+    { meta.maintainers = with lib.maintainers; [ abbradar fpletz globin ];
+      meta.doc = ./acme.xml;
+    }
  ];

-  meta = {
-    maintainers = with lib.maintainers; [ abbradar fpletz globin ];
-    doc = ./acme.xml;
-  };
 }
--- a/nixos/modules/security/chromium-suid-sandbox.nix
+++ b/nixos/modules/security/chromium-suid-sandbox.nix
@@ -1,32 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg     = config.security.chromiumSuidSandbox;
-  sandbox = pkgs.chromium.sandbox;
-in
-{
-  options.security.chromiumSuidSandbox.enable = mkOption {
-    type = types.bool;
-    default = false;
-    description = ''
-      Whether to install the Chromium SUID sandbox which is an executable that
-      Chromium may use in order to achieve sandboxing.
-
-      If you get the error "The SUID sandbox helper binary was found, but is not
-      configured correctly.", turning this on might help.
-
-      Also, if the URL chrome://sandbox tells you that "You are not adequately
-      sandboxed!", turning this on might resolve the issue.
-
-      Finally, if you have <option>security.grsecurity</option> enabled and you
-      use Chromium, you probably need this.
-    '';
-  };
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ sandbox ];
-    security.setuidPrograms    = [ sandbox.passthru.sandboxExecutableName ];
-  };
-}
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -1,143 +1,312 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

 let
  cfg = config.security.grsecurity;
-  grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";

-  # Ascertain whether ZFS is required for booting the system; grsecurity is
-  # currently incompatible with ZFS, rendering the system unbootable.
-  zfsNeededForBoot = filter
-    (fs: (fs.neededForBoot
-          || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
-          && fs.fsType == "zfs")
-    config.system.build.fileSystems != [];
-
-  # Ascertain whether NixOS container support is required
-  containerSupportRequired =
-    config.boot.enableContainers && config.containers != {};
+  customGrsecPkg =
+    (import ../../../pkgs/build-support/grsecurity {
+      grsecOptions = cfg;
+      inherit pkgs lib;
+    }).grsecPackage;
 in
-
 {
-  meta = {
-    maintainers = with maintainers; [ joachifm ];
-    doc = ./grsecurity.xml;
-  };
+  options = {
+    security.grsecurity = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable grsecurity support. This enables advanced exploit
+          hardening for the Linux kernel, and adds support for
+          administrative Role-Based Acess Control (RBAC) via
+          <literal>gradm</literal>. It also includes traditional
+          utilities for PaX.
+        '';
+      };

-  options.security.grsecurity = {
+      kernelPatch = mkOption {
+        type = types.attrs;
+        example = lib.literalExample "pkgs.kernelPatches.grsecurity_4_1";
+        description = ''
+          Grsecurity patch to use.
+        '';
+      };

-    enable = mkEnableOption "grsecurity/PaX";
+      config = {
+        mode = mkOption {
+          type = types.enum [ "auto" "custom" ];
+          default = "auto";
+          description = ''
+            grsecurity configuration mode. This specifies whether
+            grsecurity is auto-configured or otherwise completely
+            manually configured.
+          '';
+        };

-    lockTunables = mkOption {
-      type = types.bool;
-      example = false;
-      default = true;
-      description = ''
-        Whether to automatically lock grsecurity tunables
-        (<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>).  Disable
-        this to allow runtime configuration of grsecurity features.  Activate
-        the <literal>grsec-lock</literal> service unit to prevent further
-        configuration until the next reboot.
-      '';
+        priority = mkOption {
+          type = types.enum [ "security" "performance" ];
+          default = "security";
+          description = ''
+            grsecurity configuration priority. This specifies whether
+            the kernel configuration should emphasize speed or
+            security.
+          '';
+        };
+
+        system = mkOption {
+          type = types.enum [ "desktop" "server" ];
+          default = "desktop";
+          description = ''
+            grsecurity system configuration.
+          '';
+        };
+
+        virtualisationConfig = mkOption {
+          type = types.nullOr (types.enum [ "host" "guest" ]);
+          default = null;
+          description = ''
+            grsecurity virtualisation configuration. This specifies
+            the virtualisation role of the machine - that is, whether
+            it will be a virtual machine guest, a virtual machine
+            host, or neither.
+          '';
+        };
+
+        hardwareVirtualisation = mkOption {
+          type = types.nullOr types.bool;
+          default = null;
+          example = true;
+          description = ''
+            grsecurity hardware virtualisation configuration. Set to
+            <literal>true</literal> if your machine supports hardware
+            accelerated virtualisation.
+          '';
+        };
+
+        virtualisationSoftware = mkOption {
+          type = types.nullOr (types.enum [ "kvm" "xen" "vmware" "virtualbox" ]);
+          default = null;
+          description = ''
+            Configure grsecurity for use with this virtualisation software.
+          '';
+        };
+
+        sysctl = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERN_SYSCTL y</literal>. If
+            enabled then grsecurity can be controlled using sysctl
+            (and turned off). You are advised to *never* enable this,
+            but if you do, make sure to always set the sysctl
+            <literal>kernel.grsecurity.grsec_lock</literal> to
+            non-zero as soon as all sysctl options are set. *THIS IS
+            EXTREMELY IMPORTANT*!
+          '';
+        };
+
+        denyChrootChmod = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERN_CHROOT_CHMOD
+            y</literal>. If enabled, this denies processes inside a
+            chroot from setting the suid or sgid bits using
+            <literal>chmod</literal> or <literal>fchmod</literal>.
+
+            By default this protection is disabled - it makes it
+            impossible to use Nix to build software on your system,
+            which is what most users want.
+
+            If you are using NixOps to deploy your software to a
+            remote machine, you're encouraged to enable this as you
+            won't need to compile code.
+          '';
+        };
+
+        denyChrootCaps = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Whether to lower capabilities of all processes within a chroot,
+            preventing commands that require <literal>CAP_SYS_ADMIN</literal>.
+
+            This protection is disabled by default because it breaks
+            <literal>nixos-rebuild</literal>. Whenever possible, it is
+            highly recommended to enable this protection.
+          '';
+        };
+
+        denyUSB = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERNSEC_DENYUSB y</literal>.
+
+            This enables a sysctl with name
+            <literal>kernel.grsecurity.deny_new_usb</literal>. Setting
+            its value to <literal>1</literal> will prevent any new USB
+            devices from being recognized by the OS.  Any attempted
+            USB device insertion will be logged.
+
+            This option is intended to be used against custom USB
+            devices designed to exploit vulnerabilities in various USB
+            device drivers.
+          '';
+        };
+
+        restrictProc = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERN_PROC_USER
+            y</literal>. This restricts non-root users to only viewing
+            their own processes and restricts network-related
+            information, kernel symbols, and module information.
+          '';
+        };
+
+        restrictProcWithGroup = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            If true, then set <literal>GRKERN_PROC_USERGROUP
+            y</literal>. This is similar to
+            <literal>restrictProc</literal> except it allows a special
+            group (specified by <literal>unrestrictProcGid</literal>)
+            to still access otherwise classified information in
+            <literal>/proc</literal>.
+          '';
+        };
+
+        unrestrictProcGid = mkOption {
+          type = types.int;
+          default = config.ids.gids.grsecurity;
+          description = ''
+            If set, specifies a GID which is exempt from
+            <literal>/proc</literal> restrictions (set by
+            <literal>GRKERN_PROC_USERGROUP</literal>). By default,
+            this is set to the GID for <literal>grsecurity</literal>,
+            a predefined NixOS group, which the
+            <literal>root</literal> account is a member of. You may
+            conveniently add other users to this group if you need
+            access to <literal>/proc</literal>
+          '';
+        };
+
+        disableRBAC = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERN_NO_RBAC
+            y</literal>. This disables the
+            <literal>/dev/grsec</literal> device, which in turn
+            disables the RBAC system (and <literal>gradm</literal>).
+          '';
+        };
+
+        disableSimultConnect = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Disable TCP simultaneous connect.  The TCP simultaneous connect
+            feature allows two clients to connect without either of them
+            entering the listening state.  This feature of the TCP specification
+            is claimed to enable an attacker to deny the target access to a given
+            server by guessing the source port the target would use to make the
+            connection.
+
+            This option is OFF by default because TCP simultaneous connect has
+            some legitimate uses.  Enable this option if you know what this TCP
+            feature is for and know that you do not need it.
+          '';
+        };
+
+        verboseVersion = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Use verbose version in kernel localversion.";
+        };
+
+        kernelExtraConfig = mkOption {
+          type = types.str;
+          default = "";
+          description = "Extra kernel configuration parameters.";
+        };
+      };
    };
-
-    disableEfiRuntimeServices = mkOption {
-      type = types.bool;
-      example = false;
-      default = true;
-      description = ''
-        Whether to disable access to EFI runtime services.  Enabling EFI runtime
-        services creates a venue for code injection attacks on the kernel and
-        should be disabled if at all possible.  Changing this option enters into
-        effect upon reboot.
-      '';
-    };
-
  };

  config = mkIf cfg.enable {
-
-    # Allow the user to select a different package set, subject to the stated
-    # required kernel config
-    boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
-
-    boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
-
-    system.requiredKernelConfig = with config.lib.kernelConfig;
-      [ (isEnabled "GRKERNSEC")
-        (isEnabled "PAX")
-        (isYES "GRKERNSEC_SYSCTL")
-        (isYES "GRKERNSEC_SYSCTL_DISTRO")
-        (isNO "GRKERNSEC_NO_RBAC")
+    assertions =
+      [
+        { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
+                      (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
+          message   = "You cannot enable both restrictProc and restrictProcWithGroup";
+        }
+        { assertion = config.boot.kernelPackages.kernel.features ? grsecurity
+                   && config.boot.kernelPackages.kernel.features.grsecurity;
+          message = "grsecurity enabled, but kernel doesn't have grsec support";
+        }
+        { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
+              cfg.config.hardwareVirtualisation != null;
+          message   = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
+        }
+        { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
+              cfg.config.virtualisationSoftware != null;
+         message   = "grsecurity configured for virtualisation but no virtualisation software specified";
+        }
      ];

-    # Install PaX related utillities into the system profile.
-    environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
-
-    # Install rules for the grsec device node
-    services.udev.packages = [ pkgs.gradm ];
-
-    # This service unit is responsible for locking the grsecurity tunables.  The
-    # unit is always defined, but only activated on bootup if lockTunables is
-    # toggled.  When lockTunables is toggled, failure to activate the unit will
-    # enter emergency mode.  The intent is to make it difficult to silently
-    # enter multi-user mode without having locked the tunables.  Some effort is
-    # made to ensure that starting the unit is an idempotent operation.
-    systemd.services.grsec-lock = {
-      description = "Lock grsecurity tunables";
-
-      wantedBy = optional cfg.lockTunables "multi-user.target";
-
-      wants = [ "local-fs.target" "systemd-sysctl.service" ];
-      after = [ "local-fs.target" "systemd-sysctl.service" ];
-      conflicts = [ "shutdown.target" ];
-
-      restartIfChanged = false;
+    security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest;

+    systemd.services.grsec-lock = mkIf cfg.config.sysctl {
+      description     = "grsecurity sysctl-lock Service";
+      wants           = [ "systemd-sysctl.service" ];
+      after           = [ "systemd-sysctl.service" ];
+      wantedBy        = [ "multi-user.target" ];
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = "yes";
+      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel/grsecurity/grsec_lock";
      script = ''
-        if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
-          echo -n 1 > ${grsecLockPath}
+        locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
+        if [ "$locked" == "0" ]; then
+            echo 1 > /proc/sys/kernel/grsecurity/grsec_lock
+            echo grsecurity sysctl lock - enabled
+        else
+            echo grsecurity sysctl lock already enabled - doing nothing
        fi
      '';
-
-      unitConfig = {
-        ConditionPathIsReadWrite = grsecLockPath;
-        DefaultDependencies = false;
-      } // optionalAttrs cfg.lockTunables {
-        OnFailure = "emergency.target";
-      };
-
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
    };

-    # Configure system tunables
-    boot.kernel.sysctl = {
-      # Read-only under grsecurity
-      "kernel.kptr_restrict" = mkForce null;
-    } // optionalAttrs config.nix.useSandbox {
-      # chroot(2) restrictions that conflict with sandboxed Nix builds
-      "kernel.grsecurity.chroot_caps" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
-    } // optionalAttrs containerSupportRequired {
-      # chroot(2) restrictions that conflict with NixOS lightweight containers
-      "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
-      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
-      "kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
-      "kernel.grsecurity.chroot_caps" = mkForce 0;
-    };
+#   systemd.services.grsec-learn = {
+#     description     = "grsecurity learning Service";
+#     wantedBy        = [ "local-fs.target" ];
+#     serviceConfig   = {
+#       Type = "oneshot";
+#       RemainAfterExit = "yes";
+#       ExecStart = "${pkgs.gradm}/sbin/gradm -VFL /etc/grsec/learning.logs";
+#       ExecStop  = "${pkgs.gradm}/sbin/gradm -D";
+#     };
+#   };

-    assertions = [
-      { assertion = !zfsNeededForBoot;
-        message = "grsecurity is currently incompatible with ZFS";
-      }
-    ];
+    system.activationScripts = lib.optionalAttrs (!cfg.config.disableRBAC) { grsec = ''
+      mkdir -p /etc/grsec
+      if [ ! -f /etc/grsec/learn_config ]; then
+        cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
+      fi
+      if [ ! -f /etc/grsec/policy ]; then
+        cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
+      fi
+      chmod -R 0600 /etc/grsec
+    ''; };

+    # Enable AppArmor, gradm udev rules, and utilities
+    security.apparmor.enable   = true;
+    boot.kernelPackages        = customGrsecPkg;
+    services.udev.packages     = lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
+    environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
  };
 }
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@@ -1,345 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-grsecurity">
-
-  <title>Grsecurity/PaX</title>
-
-  <para>
-    Grsecurity/PaX is a set of patches against the Linux kernel that make it
-    harder to exploit bugs.  The patchset includes protections such as
-    enforcement of non-executable memory, address space layout randomization,
-    and chroot jail hardening.  These and other
-    <link xlink:href="https://grsecurity.net/features.php">features</link>
-    render entire classes of exploits inert without additional efforts on the
-    part of the adversary.
-  </para>
-
-  <para>
-    The NixOS grsecurity/PaX module is designed with casual users in mind and is
-    intended to be compatible with normal desktop usage, without unnecessarily
-    compromising security.  The following sections describe the configuration
-    and administration of a grsecurity/PaX enabled NixOS system.  For
-    more comprehensive coverage, please refer to the
-    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
-    and the
-    <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
-    Linux wiki page on grsecurity</link>.
-
-    <note><para>grsecurity/PaX is only available for the latest linux -stable
-    kernel; patches against older kernels are available from upstream only for
-    a fee.</para></note>
-    <note><para>We standardise on a desktop oriented configuration primarily due
-    to lack of resources.  The grsecurity/PaX configuration state space is huge
-    and each configuration requires quite a bit of testing to ensure that the
-    resulting packages work as advertised.  Defining additional package sets
-    would likely result in a large number of functionally broken packages, to
-    nobody's benefit.</para></note>.
-  </para>
-
-  <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
-
-  <para>
-    To make use of grsecurity/PaX on NixOS, add the following to your
-    <filename>configuration.nix</filename>:
-    <programlisting>
-      security.grsecurity.enable = true;
-    </programlisting>
-    followed by
-    <programlisting>
-      # nixos-rebuild boot
-      # reboot
-    </programlisting>
-    For most users, further configuration should be unnecessary.  All users
-    are encouraged to look over <xref linkend="sec-grsec-security" /> before
-    using the system, however.  If you experience problems, please refer to
-    <xref linkend="sec-grsec-issues" />.
-  </para>
-
-  <para>
-    Once booted into the new system, you can optionally use
-    <command>paxtest</command> to exercise various PaX features:
-    <screen><![CDATA[
-    # nix-shell -p paxtest --command 'paxtest blackhat'
-    Executable anonymous mapping             : Killed
-    Executable bss                           : Killed
-    # ... remaining output truncated for brevity
-    ]]></screen>
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-declarative-tuning"><title>Declarative tuning</title>
-
-  <para>
-    The default configuration mode is strictly declarative.  Some features
-    simply cannot be changed at all after boot, while others are locked once the
-    system is up and running.  Moreover, changes to the configuration enter
-    into effect only upon booting into the new system.
-  </para>
-
-  <para>
-    The NixOS module exposes a limited number of options for tuning the behavior
-    of grsecurity/PaX.  These are options thought to be of particular interest
-    to most users.  For experts, further tuning is possible via
-    <option>boot.kernelParams</option> (see
-    <xref linkend="sec-grsec-kernel-params" />) and
-    <option>boot.kernel.sysctl."kernel.grsecurity.*"</option> (the wikibook
-    contains an <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options">
-    exhaustive listing of grsecurity sysctl tunables</link>).
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-manual-tuning"><title>Manual tuning</title>
-
-  <para>
-    To permit manual tuning of grsecurity runtime parameters, set:
-    <programlisting>
-      security.grsecurity.lockTunables = false;
-    </programlisting>
-    Once booted into this system, grsecurity features that have a corresponding
-    sysctl tunable can be changed without rebooting, either by switching into
-    a new system profile or via the <command>sysctl</command> utility.
-  </para>
-
-  <para>
-    To lock all grsecurity tunables until the next boot, do:
-    <screen>
-      # systemctl start grsec-lock
-    </screen>
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-security"><title>Security considerations</title>
-
-  <para>
-    The NixOS kernel is built using upstream's recommended settings for a
-    desktop deployment that generally favours security over performance.  This
-    section details deviations from upstream's recommendations that may
-    compromise operational security.
-
-    <warning><para>There may be additional problems not covered here!</para>
-    </warning>.
-  </para>
-
-  <itemizedlist>
-
-    <listitem><para>
-      The following hardening features are disabled in the NixOS kernel:
-      <itemizedlist>
-        <listitem><para>Kernel symbol hiding: rendered useless by redistributing
-        kernel objects.</para></listitem>
-
-        <listitem><para>Randomization of kernel structures: rendered useless by
-        redistributing kernel objects.</para></listitem>
-
-        <listitem><para>TCP simultaneous OPEN connection is permitted: breaking
-        strict TCP conformance is inappropriate for a general purpose kernel.
-        The trade-off is that an attacker may be able to deny outgoing
-        connections if they are able to guess the source port allocated by your
-        OS for that connection <emphasis>and</emphasis> also manage to initiate
-        a TCP simultaneous OPEN on that port before the connection is actually
-        established.</para></listitem>
-
-        <listitem><para><filename class="directory">/sys</filename> hardening:
-        breaks systemd.</para></listitem>
-
-        <listitem><para>Trusted path execution: a desirable feature, but
-        requires some more work to operate smoothly on NixOS.</para></listitem>
-      </itemizedlist>
-    </para></listitem>
-
-    <listitem><para>
-      The NixOS module conditionally weakens <command>chroot</command>
-      restrictions to accommodate NixOS lightweight containers and sandboxed Nix
-      builds.  This is problematic if the deployment also runs a privileged
-      network facing process that <emphasis>relies</emphasis> on
-      <command>chroot</command> for isolation.
-    </para></listitem>
-
-    <listitem><para>
-      The NixOS kernel is patched to allow usermode helpers from anywhere in the
-      Nix store.  A usermode helper is an executable called by the kernel in
-      certain circumstances, e.g., <command>modprobe</command>.  Vanilla
-      grsecurity only allows usermode helpers from paths typically owned by the
-      super user.  The NixOS kernel allows an attacker to inject malicious code
-      into the Nix store which could then be executed by the kernel as a
-      usermode helper.
-    </para></listitem>
-
-    <listitem><para>
-      The following features are disabled because they overlap with
-      vanilla kernel mechanisms:
-
-      <itemizedlist>
-        <listitem><para><filename class="directory">/proc</filename> hardening:
-        use <option>security.hideProcessInformation</option> instead.  This
-        trades weaker protection for greater compatibility.
-        </para></listitem>
-
-        <listitem><para><command>dmesg</command> restrictions:
-        use <option>boot.kernel.sysctl."kernel.dmesg_restrict"</option> instead
-        </para></listitem>
-      </itemizedlist>
-    </para></listitem>
-
-  </itemizedlist>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-custom-kernel"><title>Using a custom grsecurity/PaX kernel</title>
-
-  <para>
-    The NixOS kernel is likely to be either too permissive or too restrictive
-    for many deployment scenarios.  In addition to producing a kernel more
-    suitable for a particular deployment, a custom kernel may improve security
-    by depriving an attacker the ability to study the kernel object code, adding
-    yet more guesswork to successfully carry out certain exploits.
-  </para>
-
-  <para>
-    To use a custom kernel with upstream's recommended settings for server
-    deployments:
-    <programlisting>
-      boot.kernelPackages =
-        let
-          kernel = pkgs.linux_grsec_nixos.override {
-            extraConfig = ''
-              GRKERNSEC y
-              PAX y
-              GRKERNSEC_CONFIG_AUTO y
-              GRKERNSEC_CONFIG_SERVER y
-              GRKERNSEC_CONFIG_SECURITY y
-            '';
-          };
-          self = pkgs.linuxPackagesFor kernel self;
-        in self;
-    </programlisting>
-    The wikibook provides an exhaustive listing of
-    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
-  </para>
-
-  <para>
-    The NixOS module makes several assumptions about the kernel and so may be
-    incompatible with your customised kernel.  Most of these assumptions are
-    encoded as assertions &#x2014; mismatches should ideally result in a build
-    failure.  Currently, the only way to work around incompatibilities is to
-    eschew the NixOS module and do all configuration yourself.
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-pax-flags"><title>Per-executable PaX flags</title>
-
-  <para>
-    Manual tuning of per-file PaX flags for executables in the Nix store is
-    impossible on a properly configured system.  If a package in Nixpkgs fails
-    due to PaX, that is a bug in the package recipe and should be reported to
-    the maintainer (including relevant <command>dmesg</command> output).
-  </para>
-
-  <para>
-    For executables installed outside of the Nix store, PaX flags can be set
-    using the <command>paxctl</command> utility:
-    <programlisting>
-      paxctl -czem <replaceable>foo</replaceable>
-    </programlisting>
-
-    <warning>
-      <para><command>paxctl</command> overwrites files in-place.</para>
-    </warning>
-
-    Equivalently, on file systems that support extended attributes:
-    <programlisting>
-      setfattr -n user.pax.flags -v em <replaceable>foo</replaceable>
-    </programlisting>
-
-    <!-- TODO: PaX flags via RBAC policy -->
-  </para>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
-
-  <itemizedlist>
-    <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
-    consequently, unprivileged namespaces are unsupported. Applications that
-    rely on namespaces for sandboxing must use a privileged helper. For chromium
-    there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem>
-
-    <listitem><para>Access to EFI runtime services is disabled by default:
-    this plugs a potential code injection attack vector; use
-    <option>security.grsecurity.disableEfiRuntimeServices</option> to override
-    this behavior.</para></listitem>
-
-    <listitem><para>Virtualization: KVM is the preferred virtualization
-    solution. Xen, Virtualbox, and VMWare are
-    <emphasis>unsupported</emphasis> and most likely require a custom kernel.
-    </para></listitem>
-
-    <listitem><para>
-      Attaching <command>gdb</command> to a running process is disallowed by
-      default: unprivileged users can only ptrace processes that are children of
-      the ptracing process.  To relax this restriction, set
-      <programlisting>
-        boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;
-      </programlisting>
-    </para></listitem>
-
-    <listitem><para>
-      Overflows in boot critical code (e.g., the root filesystem module) can
-      render the system unbootable.  Work around by setting
-      <programlisting>
-        boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];
-      </programlisting>
-    </para></listitem>
-
-    <listitem><para>
-      The <citerefentry><refentrytitle>modify_ldt
-      </refentrytitle><manvolnum>2</manvolnum></citerefentry> syscall is disabled
-      by default.  This restriction can interfere with programs designed to run
-      legacy 16-bit or segmented 32-bit code.  To support applications that rely
-      on this syscall, set
-      <programlisting>
-        boot.kernel.sysctl."kernel.modify_ldt" = 1;
-      </programlisting>
-    </para></listitem>
-
-  </itemizedlist>
-
-  </sect1>
-
-  <sect1 xml:id="sec-grsec-kernel-params"><title>Grsecurity/PaX kernel parameters</title>
-
-  <para>
-    The NixOS kernel supports the following kernel command line parameters:
-    <itemizedlist>
-      <listitem><para>
-        <literal>pax_nouderef</literal>: disable UDEREF (separate kernel and
-        user address spaces).
-      </para></listitem>
-
-      <listitem><para>
-        <literal>pax_weakuderef</literal>: enable a faster but
-        weaker variant of UDEREF on 64-bit processors with PCID support
-        (check <code>grep pcid /proc/cpuinfo</code>).
-      </para></listitem>
-
-      <listitem><para>
-        <literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel
-        slab object sanitization
-      </para></listitem>
-
-      <listitem><para>
-        <literal>pax_size_overflow_report_only</literal>: log size overflow
-        violations but leave the violating task running
-      </para></listitem>
-    </itemizedlist>
-  </para>
-
-  </sect1>
-
-</chapter>
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -221,7 +221,7 @@ let
        (''
          # Account management.
          account sufficient pam_unix.so
-          ${optionalString use_ldap
+          ${optionalString config.users.ldap.enable
              "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString config.krb5.enable
              "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -261,7 +261,7 @@ let
              "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
          ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
-          ${optionalString use_ldap
+          ${optionalString config.users.ldap.enable
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
          ${optionalString config.krb5.enable ''
            auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
@@ -276,7 +276,7 @@ let
              "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
          ${optionalString cfg.pamMount
              "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
-          ${optionalString use_ldap
+          ${optionalString config.users.ldap.enable
              "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString config.krb5.enable
              "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
@@ -296,7 +296,7 @@ let
              "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
          ${optionalString config.security.pam.enableEcryptfs
              "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
-          ${optionalString use_ldap
+          ${optionalString config.users.ldap.enable
              "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
          ${optionalString config.krb5.enable
              "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -322,7 +322,6 @@ let

  inherit (pkgs) pam_krb5 pam_ccreds;

-  use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
  pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;

  # Create a limits.conf(5) file.
--- a/nixos/modules/services/audio/mopidy.nix
+++ b/nixos/modules/services/audio/mopidy.nix
@@ -47,7 +47,6 @@ in {
      };

      configuration = mkOption {
-        default = "";
        type = types.lines;
        description = ''
          The configuration that Mopidy should use.
--- a/nixos/modules/services/audio/squeezelite.nix
+++ b/nixos/modules/services/audio/squeezelite.nix
@@ -1,67 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  uid = config.ids.uids.squeezelite;
-  cfg = config.services.squeezelite;
-
-in {
-
-  ###### interface
-
-  options = {
-
-    services.squeezelite= {
-
-      enable = mkEnableOption "Squeezelite, a software Squeezebox emulator";
-
-      dataDir = mkOption {
-        default = "/var/lib/squeezelite";
-        type = types.str;
-        description = ''
-          The directory where Squeezelite stores its name file.
-        '';
-      };
-
-      extraArguments = mkOption {
-        default = "";
-        type = types.str;
-        description = ''
-          Additional command line arguments to pass to Squeezelite.
-        '';
-      };
-
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-
-    systemd.services.squeezelite= {
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" "sound.target" ];
-      description = "Software Squeezebox emulator";
-      preStart = "mkdir -p ${cfg.dataDir} && chown -R squeezelite ${cfg.dataDir}";
-      serviceConfig = {
-        ExecStart = "${pkgs.squeezelite}/bin/squeezelite -N ${cfg.dataDir}/player-name ${cfg.extraArguments}";
-        User = "squeezelite";
-        PermissionsStartOnly = true;
-      };
-    };
-
-    users.extraUsers.squeezelite= {
-      inherit uid;
-      group = "nogroup";
-      extraGroups = [ "audio" ];
-      description = "Squeezelite user";
-      home = "${cfg.dataDir}";
-    };
-
-  };
-
-}
--- a/nixos/modules/services/backup/crashplan.nix
+++ b/nixos/modules/services/backup/crashplan.nix
@@ -28,7 +28,7 @@ with lib;
      description = "CrashPlan Backup Engine";

      wantedBy = [ "multi-user.target" ];
-      after    = [ "network.target" "local-fs.target" ];
+      after    = [ "network.target" ];

      preStart = ''
        ensureDir() {
--- a/nixos/modules/services/continuous-integration/buildkite-agent.nix
+++ b/nixos/modules/services/continuous-integration/buildkite-agent.nix
@@ -1,96 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.buildkite-agent;
-  configFile = pkgs.writeText "buildkite-agent.cfg"
-    ''
-      token="${cfg.token}"
-      name="${cfg.name}"
-      meta-data="${cfg.meta-data}"
-      hooks-path="${pkgs.buildkite-agent}/share/hooks"
-      build-path="/var/lib/buildkite-agent/builds"
-      bootstrap-script="${pkgs.buildkite-agent}/share/bootstrap.sh"
-    '';
-in
-
-{
-  options = {
-    services.buildkite-agent = {
-      enable = mkEnableOption "buildkite-agent";
-
-      token = mkOption {
-        type = types.str;
-        description = ''
-          The token from your Buildkite "Agents" page.
-        '';
-      };
-
-      name = mkOption {
-        type = types.str;
-        description = ''
-          The name of the agent.
-        '';
-      };
-
-      meta-data = mkOption {
-        type = types.str;
-        default = "";
-        description = ''
-          Meta data for the agent.
-        '';
-      };
-
-      openssh =
-        { privateKey = mkOption {
-            type = types.str;
-            description = ''
-              Private agent key.
-            '';
-          };
-          publicKey = mkOption {
-            type = types.str;
-            description = ''
-              Public agent key.
-            '';
-          };
-        };
-    };
-  };
-
-  config = mkIf config.services.buildkite-agent.enable {
-    users.extraUsers.buildkite-agent =
-      { name = "buildkite-agent";
-        home = "/var/lib/buildkite-agent";
-        createHome = true;
-        description = "Buildkite agent user";
-      };
-
-    environment.systemPackages = [ pkgs.buildkite-agent ];
-
-    systemd.services.buildkite-agent =
-      { description = "Buildkite Agent";
-        wantedBy = [ "multi-user.target" ];
-        after = [ "network.target" ];
-        environment.HOME = "/var/lib/buildkite-agent";
-        preStart = ''
-            ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/lib/buildkite-agent/.ssh
-
-            echo "${cfg.openssh.privateKey}" > /var/lib/buildkite-agent/.ssh/id_rsa
-            ${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa
-
-            echo "${cfg.openssh.publicKey}" > /var/lib/buildkite-agent/.ssh/id_rsa.pub
-            ${pkgs.coreutils}/bin/chmod 600 /var/lib/buildkite-agent/.ssh/id_rsa.pub
-          '';
-
-        serviceConfig =
-          { ExecStart = "${pkgs.buildkite-agent}/bin/buildkite-agent start --config ${configFile}";
-            User = "buildkite-agent";
-            RestartSec = 5;
-            Restart = "on-failure";
-            TimeoutSec = 10;
-          };
-      };
-  };
-}
--- a/nixos/modules/services/continuous-integration/gocd-agent/default.nix
+++ b/nixos/modules/services/continuous-integration/gocd-agent/default.nix
@@ -1,205 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.gocd-agent;
-in {
-  options = {
-    services.gocd-agent = {
-      enable = mkEnableOption "gocd-agent";
-
-      user = mkOption {
-        default = "gocd-agent";
-        type = types.str;
-        description = ''
-          User the Go.CD agent should execute under.
-        '';
-      };
-
-      group = mkOption {
-        default = "gocd-agent";
-        type = types.str;
-        description = ''
-          If the default user "gocd-agent" is configured then this is the primary
-          group of that user.
-        '';
-      };
-
-      extraGroups = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-        example = [ "wheel" "docker" ];
-        description = ''
-          List of extra groups that the "gocd-agent" user should be a part of.
-        '';
-      };
-
-      packages = mkOption {
-        default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ];
-        type = types.listOf types.package;
-        description = ''
-          Packages to add to PATH for the Go.CD agent process.
-        '';
-      };
-
-      agentConfig = mkOption {
-        default = "";
-        type = types.str;
-        example = ''
-          agent.auto.register.resources=ant,java
-          agent.auto.register.environments=QA,Performance
-          agent.auto.register.hostname=Agent01
-        '';
-        description = ''
-          Agent registration configuration.
-        '';
-      };
-
-      goServer = mkOption {
-        default = "https://127.0.0.1:8154/go";
-        type = types.str;
-        description = ''
-          URL of the GoCD Server to attach the Go.CD Agent to.
-        '';
-      };
-
-      workDir = mkOption {
-        default = "/var/lib/go-agent";
-        type = types.str;
-        description = ''
-          Specifies the working directory in which the Go.CD agent java archive resides.
-        '';
-      };
-
-      initialJavaHeapSize = mkOption {
-        default = "128m";
-        type = types.str;
-        description = ''
-          Specifies the initial java heap memory size for the Go.CD agent java process.
-        '';
-      };
-
-      maxJavaHeapMemory = mkOption {
-        default = "256m";
-        type = types.str;
-        description = ''
-          Specifies the java maximum heap memory size for the Go.CD agent java process.
-        '';
-      };
-
-      startupOptions = mkOption {
-        default = [
-          "-Xms${cfg.initialJavaHeapSize}"
-          "-Xmx${cfg.maxJavaHeapMemory}"
-          "-Djava.io.tmpdir=/tmp"
-          "-Dcruise.console.publish.interval=10"
-          "-Djava.security.egd=file:/dev/./urandom"
-        ];
-        description = ''
-          Specifies startup command line arguments to pass to Go.CD agent
-          java process.  Example contains debug and gcLog arguments.
-        '';
-      };
-
-      extraOptions = mkOption {
-        default = [ ];
-        example = [
-          "-X debug"
-          "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5006"
-          "-verbose:gc"
-          "-Xloggc:go-agent-gc.log"
-          "-XX:+PrintGCTimeStamps"
-          "-XX:+PrintTenuringDistribution"
-          "-XX:+PrintGCDetails"
-          "-XX:+PrintGC"
-        ];
-        description = ''
-          Specifies additional command line arguments to pass to Go.CD agent
-          java process.  Example contains debug and gcLog arguments.
-        '';
-      };
-
-      environment = mkOption {
-        default = { };
-        type = with types; attrsOf str;
-        description = ''
-          Additional environment variables to be passed to the Go.CD agent process.
-          As a base environment, Go.CD agent receives NIX_PATH from
-          <option>environment.sessionVariables</option>, NIX_REMOTE is set to
-          "daemon".
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.extraGroups = optional (cfg.group == "gocd-agent") {
-      name = "gocd-agent";
-      gid = config.ids.gids.gocd-agent;
-    };
-
-    users.extraUsers = optional (cfg.user == "gocd-agent") {
-      name = "gocd-agent";
-      description = "gocd-agent user";
-      createHome = true;
-      home = cfg.workDir;
-      group = cfg.group;
-      extraGroups = cfg.extraGroups;
-      useDefaultShell = true;
-      uid = config.ids.uids.gocd-agent;
-    };
-
-    systemd.services.gocd-agent = {
-      description = "GoCD Agent";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      environment =
-        let
-          selectedSessionVars =
-            lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
-              config.environment.sessionVariables;
-        in
-          selectedSessionVars //
-            {
-              NIX_REMOTE = "daemon";
-              AGENT_WORK_DIR = cfg.workDir;
-              AGENT_STARTUP_ARGS = ''${concatStringsSep " "  cfg.startupOptions}'';
-              LOG_DIR = cfg.workDir;
-              LOG_FILE = "${cfg.workDir}/go-agent-start.log";
-            } //
-            cfg.environment;
-
-      path = cfg.packages;
-
-      script = ''
-        MPATH="''${PATH}";
-        source /etc/profile
-        export PATH="''${MPATH}:''${PATH}";
-
-        if ! test -f ~/.nixpkgs/config.nix; then
-          mkdir -p ~/.nixpkgs/
-          echo "{ allowUnfree = true; }" > ~/.nixpkgs/config.nix
-        fi
-
-        mkdir -p config
-        rm -f config/autoregister.properties
-        ln -s "${pkgs.writeText "autoregister.properties" cfg.agentConfig}" config/autoregister.properties
-
-        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
-        ${pkgs.jre}/bin/java ${concatStringsSep " " cfg.startupOptions} \
-                        ${concatStringsSep " " cfg.extraOptions} \
-                              -jar ${pkgs.gocd-agent}/go-agent/agent-bootstrapper.jar \
-                              -serverUrl ${cfg.goServer}
-      '';
-
-      serviceConfig = {
-        User = cfg.user;
-        WorkingDirectory = cfg.workDir;
-        RestartSec = 30;
-        Restart = "on-failure";
-      };
-    };
-  };
-}
--- a/nixos/modules/services/continuous-integration/gocd-server/default.nix
+++ b/nixos/modules/services/continuous-integration/gocd-server/default.nix
@@ -1,183 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.gocd-server;
-in {
-  options = {
-    services.gocd-server = {
-      enable = mkEnableOption "gocd-server";
-
-      user = mkOption {
-        default = "gocd-server";
-        type = types.str;
-        description = ''
-          User the Go.CD server should execute under.
-        '';
-      };
-
-      group = mkOption {
-        default = "gocd-server";
-        type = types.str;
-        description = ''
-          If the default user "gocd-server" is configured then this is the primary group of that user.
-        '';
-      };
-
-      extraGroups = mkOption {
-        default = [ ];
-        example = [ "wheel" "docker" ];
-        description = ''
-          List of extra groups that the "gocd-server" user should be a part of.
-        '';
-      };
-
-      listenAddress = mkOption {
-        default = "0.0.0.0";
-        example = "localhost";
-        type = types.str;
-        description = ''
-          Specifies the bind address on which the Go.CD server HTTP interface listens.
-        '';
-      };
-
-      port = mkOption {
-        default = 8153;
-        type = types.int;
-        description = ''
-          Specifies port number on which the Go.CD server HTTP interface listens.
-        '';
-      };
-
-      sslPort = mkOption {
-        default = 8154;
-        type = types.int;
-        description = ''
-          Specifies port number on which the Go.CD server HTTPS interface listens.
-        '';
-      };
-
-      workDir = mkOption {
-        default = "/var/lib/go-server";
-        type = types.str;
-        description = ''
-          Specifies the working directory in which the Go.CD server java archive resides.
-        '';
-      };
-
-      packages = mkOption {
-        default = [ pkgs.stdenv pkgs.jre pkgs.git config.programs.ssh.package pkgs.nix ];
-        type = types.listOf types.package;
-        description = ''
-          Packages to add to PATH for the Go.CD server's process.
-        '';
-      };
-
-      initialJavaHeapSize = mkOption {
-        default = "512m";
-        type = types.str;
-        description = ''
-          Specifies the initial java heap memory size for the Go.CD server's java process.
-        '';
-      };
-
-      maxJavaHeapMemory = mkOption {
-        default = "1024m";
-        type = types.str;
-        description = ''
-          Specifies the java maximum heap memory size for the Go.CD server's java process.
-        '';
-      };
-
-      extraOptions = mkOption {
-        default = [
-          "-Xms${cfg.initialJavaHeapSize}"
-          "-Xmx${cfg.maxJavaHeapMemory}"
-          "-Dcruise.listen.host=${cfg.listenAddress}"
-          "-Duser.language=en"
-          "-Djruby.rack.request.size.threshold.bytes=30000000"
-          "-Duser.country=US"
-          "-Dcruise.config.dir=${cfg.workDir}/conf"
-          "-Dcruise.config.file=${cfg.workDir}/conf/cruise-config.xml"
-          "-Dcruise.server.port=${toString cfg.port}"
-          "-Dcruise.server.ssl.port=${toString cfg.sslPort}"
-        ];
-        example = [ 
-          "-X debug" 
-          "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"
-          "-verbose:gc"
-          "-Xloggc:go-server-gc.log"
-          "-XX:+PrintGCTimeStamps"
-          "-XX:+PrintTenuringDistribution"
-          "-XX:+PrintGCDetails"
-          "-XX:+PrintGC"
-        ];
-        description = ''
-          Specifies additional command line arguments to pass to Go.CD server's
-          java process.  Example contains debug and gcLog arguments.
-        '';
-      };
-
-      environment = mkOption {
-        default = { };
-        type = with types; attrsOf str;
-        description = ''
-          Additional environment variables to be passed to the gocd-server process.
-          As a base environment, gocd-server receives NIX_PATH from
-          <option>environment.sessionVariables</option>, NIX_REMOTE is set to
-          "daemon".
-        '';
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users.extraGroups = optional (cfg.group == "gocd-server") {
-      name = "gocd-server";
-      gid = config.ids.gids.gocd-server;
-    };
-
-    users.extraUsers = optional (cfg.user == "gocd-server") {
-      name = "gocd-server";
-      description = "gocd-server user";
-      createHome = true;
-      home = cfg.workDir;
-      group = cfg.group;
-      extraGroups = cfg.extraGroups;
-      useDefaultShell = true;
-      uid = config.ids.uids.gocd-server;
-    };
-
-    systemd.services.gocd-server = {
-      description = "GoCD Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      environment =
-        let
-          selectedSessionVars =
-            lib.filterAttrs (n: v: builtins.elem n [ "NIX_PATH" ])
-              config.environment.sessionVariables;
-        in
-          selectedSessionVars //
-            { NIX_REMOTE = "daemon";
-            } //
-            cfg.environment;
-
-      path = cfg.packages;
-
-      script = ''
-        ${pkgs.git}/bin/git config --global --add http.sslCAinfo /etc/ssl/certs/ca-certificates.crt
-        ${pkgs.jre}/bin/java -server ${concatStringsSep " " cfg.extraOptions} \
-                              -jar ${pkgs.gocd-server}/go-server/go.jar
-      '';
-
-      serviceConfig = {
-        User = cfg.user;
-        Group = cfg.group;
-        WorkingDirectory = cfg.workDir;
-      };
-    };
-  };
-}
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@@ -166,7 +166,7 @@ in

      buildMachinesFiles = mkOption {
        type = types.listOf types.path;
-        default = [ "/etc/nix/machines" ];
+        default = [];
        example = [ "/etc/nix/machines" "/var/lib/hydra/provisioner/machines" ];
        description = "List of files containing build machines.";
      };
@@ -193,9 +193,7 @@ in

  config = mkIf cfg.enable {

-    users.extraGroups.hydra = {
-      gid = config.ids.gids.hydra;
-    };
+    users.extraGroups.hydra = { };

    users.extraUsers.hydra =
      { description = "Hydra";
@@ -203,7 +201,6 @@ in
        createHome = true;
        home = baseDir;
        useDefaultShell = true;
-        uid = config.ids.uids.hydra;
      };

    users.extraUsers.hydra-queue-runner =
@@ -211,14 +208,12 @@ in
        group = "hydra";
        useDefaultShell = true;
        home = "${baseDir}/queue-runner"; # really only to keep SSH happy
-        uid = config.ids.uids.hydra-queue-runner;
      };

    users.extraUsers.hydra-www =
      { description = "Hydra web server";
        group = "hydra";
        useDefaultShell = true;
-        uid = config.ids.uids.hydra-www;
      };

    nix.trustedUsers = [ "hydra-queue-runner" ];
--- a/nixos/modules/services/continuous-integration/jenkins/default.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/default.nix
@@ -154,7 +154,7 @@ in {
      '';

      script = ''
-        ${pkgs.jdk}/bin/java -jar ${pkgs.jenkins}/webapps/jenkins.war --httpListenAddress=${cfg.listenAddress} \
+        ${pkgs.jdk}/bin/java -jar ${pkgs.jenkins} --httpListenAddress=${cfg.listenAddress} \
                                                  --httpPort=${toString cfg.port} \
                                                  --prefix=${cfg.prefix} \
                                                  ${concatStringsSep " " cfg.extraOptions}
--- a/Show More
+++ b/Show More