Release Notes 17.03: add some visual structure

qt-gstreamer: fix build and do not mark wrong pkgs as broken
(cherry picked from commit f9a1060199)
2026-06-06 05:13:37 +00:00 · 2017-03-30 18:32:09 +02:00 · 2017-03-30 18:32:09 +02:00 · 2017-03-30 18:32:08 +02:00 · 2017-03-30 18:32:08 +02:00 · 2017-03-30 18:08:02 +02:00
971 changed files with 19460 additions and 15974 deletions
--- a/.mention-bot
+++ b/.mention-bot
@@ -2,7 +2,8 @@
  "userBlacklist": [
    "civodul",
    "jhasse",
-    "shlevy"
+    "shlevy",
    "bbenoist"
  ],
  "alwaysNotifyForPaths": [
    { "name": "FRidh", "files": ["pkgs/top-level/python-packages.nix", "pkgs/development/interpreters/python/*", "pkgs/development/python-modules/*" ] },
--- a/.travis.yml
+++ b/.travis.yml
@@ -18,3 +18,8 @@ matrix:
 env:
    global:
        - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f
 notifications:
    email:
        on_success: never
        on_failure: change
--- a/README.md
+++ b/README.md
@@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 ```
 % git remote update channels
-% git rebase channels/nixos-16.09
+% git rebase channels/nixos-17.03
 ```
 For pull-requests, please rebase onto nixpkgs `master`.
@@ -32,9 +32,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
+* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
+* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
 Communication:
--- a/doc/default.nix
+++ b/doc/default.nix
@@ -68,6 +68,10 @@ pkgs.stdenv.mkDerivation {
      inputFile = ../pkgs/development/r-modules/README.md;
      outputFile = "languages-frameworks/r.xml";
    }
  + toDocbook {
      inputFile = ./languages-frameworks/rust.md;
      outputFile = "./languages-frameworks/rust.xml";
    }
  + toDocbook {
      inputFile = ./languages-frameworks/vim.md;
      outputFile = "./languages-frameworks/vim.xml";
--- a/doc/languages-frameworks/index.xml
+++ b/doc/languages-frameworks/index.xml
@@ -27,6 +27,7 @@ such as Perl or Haskell.  These are described in this chapter.</para>
 <xi:include href="qt.xml" />
 <xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md  -->
 <xi:include href="ruby.xml" />
 <xi:include href="rust.xml" />
 <xi:include href="texlive.xml" />
 <xi:include href="vim.xml" />
--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@@ -3,7 +3,7 @@
 ## User Guide
 Several versions of Python are available on Nix as well as a high amount of
-packages. The default interpreter is CPython 3.5.
+packages. The default interpreter is CPython 2.7.
 ### Using Python
@@ -74,7 +74,6 @@ can do is write a simple Nix expression which sets up an environment for you,
 requiring you only to type `nix-shell`. Say we want to have Python 3.5, `numpy`
 and `toolz`, like before, in an environment. With a `shell.nix` file
 containing
 ```nix
 with import <nixpkgs> {};
@@ -101,22 +100,25 @@ On Nix all packages are built by functions. The main function in Nix for buildin
 Let's see how we would build the `toolz` package. According to [`python-packages.nix`](https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/python-packages.nix) `toolz` is build using
 ```nix
-toolz = buildPythonPackage rec{
+{ # ...
  name = "toolz-${version}";
  version = "0.7.4";
-  src = pkgs.fetchurl{
+  toolz = buildPythonPackage rec {
-    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
+    name = "toolz-${version}";
-    sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
+    version = "0.7.4";
  };
-  meta = {
+    src = pkgs.fetchurl {
-    homepage = "http://github.com/pytoolz/toolz/";
+      url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
-    description = "List processing tools and functional utilities";
+      sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
-    license = licenses.bsd3;
+    };
-    maintainers = with maintainers; [ fridh ];
+
    meta = {
      homepage = "http://github.com/pytoolz/toolz/";
      description = "List processing tools and functional utilities";
      license = licenses.bsd3;
      maintainers = with maintainers; [ fridh ];
    };
  };
-};
+}
 ```
 What happens here? The function `buildPythonPackage` is called and as argument
@@ -129,7 +131,7 @@ specify some (optional) [meta information](http://nixos.org/nixpkgs/manual/#chap
 The output of the function is a derivation, which is an attribute with the name
 `toolz` of the set `pythonPackages`. Actually, sets are created for all interpreter versions,
-so `python27Packages`, `python34Packages`, `python35Packages` and `pypyPackages`.
+so e.g. `python27Packages`, `python35Packages` and `pypyPackages`.
 The above example works when you're directly working on
 `pkgs/top-level/python-packages.nix` in the Nixpkgs repository. Often though,
@@ -143,7 +145,7 @@ pkgs.python35Packages.buildPythonPackage rec {
  name = "toolz-${version}";
  version = "0.8.0";
-  src = pkgs.fetchurl{
+  src = pkgs.fetchurl {
    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
    sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
  };
@@ -174,7 +176,7 @@ with import <nixpkgs> {};
      name = "toolz-${version}";
      version = "0.8.0";
-      src = pkgs.fetchurl{
+      src = pkgs.fetchurl {
        url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
        sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
      };
@@ -215,25 +217,28 @@ The following example shows which arguments are given to `buildPythonPackage` in
 order to build [`datashape`](https://github.com/blaze/datashape).
 ```nix
-datashape = buildPythonPackage rec {
+{ # ...
  name = "datashape-${version}";
  version = "0.4.7";
-  src = pkgs.fetchurl {
+  datashape = buildPythonPackage rec {
-    url = "mirror://pypi/D/DataShape/${name}.tar.gz";
+    name = "datashape-${version}";
-    sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
+    version = "0.4.7";
    src = pkgs.fetchurl {
      url = "mirror://pypi/D/DataShape/${name}.tar.gz";
      sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
    };
    buildInputs = with self; [ pytest ];
    propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
    meta = {
      homepage = https://github.com/ContinuumIO/datashape;
      description = "A data description language";
      license = licenses.bsd2;
      maintainers = with maintainers; [ fridh ];
    };
  };
-
+}
  buildInputs = with self; [ pytest ];
  propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
  meta = {
    homepage = https://github.com/ContinuumIO/datashape;
    description = "A data description language";
    license = licenses.bsd2;
    maintainers = with maintainers; [ fridh ];
  };
 };
 ```
 We can see several runtime dependencies, `numpy`, `multipledispatch`, and
@@ -247,23 +252,26 @@ Python bindings to `libxml2` and `libxslt`. These libraries are only required
 when building the bindings and are therefore added as `buildInputs`.
 ```nix
-lxml = buildPythonPackage rec {
+{ # ...
  name = "lxml-3.4.4";
-  src = pkgs.fetchurl {
+  lxml = buildPythonPackage rec {
-    url = "mirror://pypi/l/lxml/${name}.tar.gz";
+    name = "lxml-3.4.4";
-    sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
+
    src = pkgs.fetchurl {
      url = "mirror://pypi/l/lxml/${name}.tar.gz";
      sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
    };
    buildInputs = with self; [ pkgs.libxml2 pkgs.libxslt ];
    meta = {
      description = "Pythonic binding for the libxml2 and libxslt libraries";
      homepage = http://lxml.de;
      license = licenses.bsd3;
      maintainers = with maintainers; [ sjourdois ];
    };
  };
-
+}
  buildInputs = with self; [ pkgs.libxml2 pkgs.libxslt ];
  meta = {
    description = "Pythonic binding for the libxml2 and libxslt libraries";
    homepage = http://lxml.de;
    license = licenses.bsd3;
    maintainers = with maintainers; [ sjourdois ];
  };
 };
 ```
 In this example `lxml` and Nix are able to work out exactly where the relevant
@@ -277,33 +285,37 @@ find each of them in a different folder, and therefore we have to set `LDFLAGS`
 and `CFLAGS`.
 ```nix
-pyfftw = buildPythonPackage rec {
+{ # ...
  name = "pyfftw-${version}";
  version = "0.9.2";
-  src = pkgs.fetchurl {
+  pyfftw = buildPythonPackage rec {
-    url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
+    name = "pyfftw-${version}";
-    sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
+    version = "0.9.2";
    src = pkgs.fetchurl {
      url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
      sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
    };
    buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];
    propagatedBuildInputs = with self; [ numpy scipy ];
    # Tests cannot import pyfftw. pyfftw works fine though.
    doCheck = false;
    preConfigure = ''
      export LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
      export CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
    '';
    meta = {
      description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
      homepage = http://hgomersall.github.com/pyFFTW/;
      license = with licenses; [ bsd2 bsd3 ];
      maintainer = with maintainers; [ fridh ];
    };
  };
-
+}
  buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];
  propagatedBuildInputs = with self; [ numpy scipy ];
  # Tests cannot import pyfftw. pyfftw works fine though.
  doCheck = false;
  LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
  CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
  '';
  meta = {
    description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
    homepage = http://hgomersall.github.com/pyFFTW/;
    license = with licenses; [ bsd2 bsd3 ];
    maintainer = with maintainers; [ fridh ];
  };
 };
 ```
 Note also the line `doCheck = false;`, we explicitly disabled running the test-suite.
@@ -316,10 +328,7 @@ That way, you can run updated code without having to reinstall after each and ev
 Development mode is also available. Let's see how you can use it.
 In the previous Nix expression the source was fetched from an url. We can also refer to a local source instead using
-
+`src = ./path/to/source/tree;`
 ```nix
 src = ./path/to/source/tree;
 ```
 If we create a `shell.nix` file which calls `buildPythonPackage`, and if `src`
 is a local source, and if the local source has a `setup.py`, then development
@@ -338,7 +347,7 @@ buildPythonPackage rec {
  name = "mypackage";
  src = ./path/to/package/source;
  propagatedBuildInputs = [ pytest numpy pkgs.libsndfile ];
-};
+}
 ```
 It is important to note that due to how development mode is implemented on Nix it is not possible to have multiple packages simultaneously in development mode.
@@ -371,7 +380,7 @@ buildPythonPackage rec {
  name = "toolz-${version}";
  version = "0.7.4";
-  src = pkgs.fetchurl{
+  src = pkgs.fetchurl {
    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
    sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
  };
@@ -382,7 +391,7 @@ buildPythonPackage rec {
    license = licenses.bsd3;
    maintainers = with maintainers; [ fridh ];
  };
-};
+}
 ```
 It takes two arguments, `pkgs` and `buildPythonPackage`.
@@ -392,7 +401,10 @@ We now call this function using `callPackage` in the definition of our environme
 with import <nixpkgs> {};
 ( let
-    toolz = pkgs.callPackage ~/path/to/toolz/release.nix { pkgs=pkgs; buildPythonPackage=pkgs.python35Packages.buildPythonPackage; };
+    toolz = pkgs.callPackage /path/to/toolz/release.nix {
      pkgs = pkgs;
      buildPythonPackage = pkgs.python35Packages.buildPythonPackage;
    };
  in pkgs.python35.withPackages (ps: [ ps.numpy toolz ])
 ).env
 ```
@@ -410,8 +422,8 @@ and in this case the `python35` interpreter is automatically used.
 ### Interpreters
-Versions 2.6, 2.7, 3.3, 3.4 and 3.5 of the CPython interpreter are available as respectively
+Versions 2.7, 3.3, 3.4, 3.5 and 3.6 of the CPython interpreter are available as
-`python26`, `python27`, `python33`, `python34` and `python35`. The PyPy interpreter
+respectively `python27`, `python33`, `python34`, `python35` and `python36`. The PyPy interpreter
 is available as `pypy`. The aliases `python2` and `python3` correspond to respectively `python27` and
 `python35`. The default interpreter, `python`, maps to `python2`.
 The Nix expressions for the interpreters can be found in
@@ -460,6 +472,7 @@ sets are
 * `pkgs.python33Packages`
 * `pkgs.python34Packages`
 * `pkgs.python35Packages`
 * `pkgs.python36Packages`
 * `pkgs.pypyPackages`
 and the aliases
@@ -474,22 +487,27 @@ The `buildPythonPackage` function is implemented in
 `pkgs/development/interpreters/python/build-python-package.nix`
 The following is an example:
 ```nix
 { # ...
-    twisted = buildPythonPackage {
+  twisted = buildPythonPackage {
-      name = "twisted-8.1.0";
+    name = "twisted-8.1.0";
-      src = pkgs.fetchurl {
+    src = pkgs.fetchurl {
-        url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
+      url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
-        sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
+      sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
-      };
+    };
-      propagatedBuildInputs = [ self.ZopeInterface ];
+    propagatedBuildInputs = [ self.ZopeInterface ];
-      meta = {
+    meta = {
-        homepage = http://twistedmatrix.com/;
+      homepage = http://twistedmatrix.com/;
-        description = "Twisted, an event-driven networking engine written in Python";
+      description = "Twisted, an event-driven networking engine written in Python";
-        license = stdenv.lib.licenses.mit; };
+      license = stdenv.lib.licenses.mit;
-      };
+    };
  };
 }
 ```
 The `buildPythonPackage` mainly does four things:
@@ -539,29 +557,32 @@ Because with an application we're not interested in multiple version the prefix
 Python environments can be created using the low-level `pkgs.buildEnv` function.
 This example shows how to create an environment that has the Pyramid Web Framework.
 Saving the following as `default.nix`
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+python.buildEnv.override {
-
+  extraLibs = [ pkgs.pythonPackages.pyramid ];
-    python.buildEnv.override {
+  ignoreCollisions = true;
-      extraLibs = [ pkgs.pythonPackages.pyramid ];
+}
-      ignoreCollisions = true;
+```
    }
 and running `nix-build` will create
-
+```
-    /nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env
+/nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env
 ```
 with wrapped binaries in `bin/`.
 You can also use the `env` attribute to create local environments with needed
 packages installed. This is somewhat comparable to `virtualenv`. For example,
 running `nix-shell` with the following `shell.nix`
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+(python3.buildEnv.override {
-
+  extraLibs = with python3Packages; [ numpy requests2 ];
-    (python3.buildEnv.override {
+}).env
-      extraLibs = with python3Packages; [ numpy requests2 ];
+```
    }).env
 will drop you into a shell where Python will have the
 specified packages in its path.
@@ -576,30 +597,33 @@ specified packages in its path.
 #### python.withPackages function
 The `python.withPackages` function provides a simpler interface to the `python.buildEnv` functionality.
-It takes a function as an argument that is passed the set of python packages and returns the list 
+It takes a function as an argument that is passed the set of python packages and returns the list
 of the packages to be included in the environment. Using the `withPackages` function, the previous
 example for the Pyramid Web Framework environment can be written like this:
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+python.withPackages (ps: [ps.pyramid])
 ```
-    python.withPackages (ps: [ps.pyramid])
+`withPackages` passes the correct package set for the specific interpreter version as an
 `withPackages` passes the correct package set for the specific interpreter version as an 
 argument to the function. In the above example, `ps` equals `pythonPackages`.
 But you can also easily switch to using python3:
-    
+```nix
-    with import <nixpkgs> {};
+with import <nixpkgs> {};
-    python3.withPackages (ps: [ps.pyramid])
+python3.withPackages (ps: [ps.pyramid])
 ```
 Now, `ps` is set to `python3Packages`, matching the version of the interpreter.
 As `python.withPackages` simply uses `python.buildEnv` under the hood, it also supports the `env`
 attribute. The `shell.nix` file from the previous section can thus be also written like this:
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+(python33.withPackages (ps: [ps.numpy ps.requests2])).env
-
+```
    (python33.withPackages (ps: [ps.numpy ps.requests2])).env
 In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
 such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
@@ -613,22 +637,24 @@ install -e . --prefix $TMPDIR/`for the package.
 Warning: `shellPhase` is executed only if `setup.py` exists.
 Given a `default.nix`:
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+buildPythonPackage { name = "myproject";
-    buildPythonPackage { name = "myproject";
+buildInputs = with pkgs.pythonPackages; [ pyramid ];
-    buildInputs = with pkgs.pythonPackages; [ pyramid ];
+src = ./.; }
-
+```
    src = ./.; }
 Running `nix-shell` with no arguments should give you
 the environment in which the package would be built with
 `nix-build`.
 Shortcut to setup environments with C headers/libraries and python packages:
-
+```shell
-    $ nix-shell -p pythonPackages.pyramid zlib libjpeg git
+nix-shell -p pythonPackages.pyramid zlib libjpeg git
 ```
 Note: There is a boolean value `lib.inNixShell` set to `true` if nix-shell is invoked.
@@ -641,6 +667,19 @@ community to help save time. No tool is preferred at the moment.
 - [pypi2nix](https://github.com/garbas/pypi2nix) by Rok Garbas
 - [pypi2nix](https://github.com/offlinehacker/pypi2nix) by Jaka Hudoklin
 ### Deterministic builds
 Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
 Minor modifications had to be made to the interpreters in order to generate
 deterministic bytecode. This has security implications and is relevant for
 those using Python in a `nix-shell`.
 When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1.
 The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
 [PYTHONHASHSEED=0](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
 Both are also exported in `nix-shell`.
 ## FAQ
 ### How can I install a working Python environment?
@@ -663,7 +702,7 @@ with import <nixpkgs> {};
 pkgs.python35.withPackages (ps: with ps; [ numpy ipython ])
 ```
 and install it in your profile with
-```
+```shell
 nix-env -if build.nix
 ```
 Now you can use the Python interpreter, as well as the extra packages that you added to the environment.
@@ -671,15 +710,19 @@ Now you can use the Python interpreter, as well as the extra packages that you a
 #### Environment defined in `~/.nixpkgs/config.nix`
 If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
-```
+```nix
 { # ...
  packageOverrides = pkgs: with pkgs; {
    myEnv = python35.withPackages (ps: with ps; [ numpy ipython ]);
  };
 }
 ```
 and install it in your profile with
-```
+```shell
 nix-env -iA nixpkgs.myEnv
 ```
 We're installing using the attribute path and assume the channels is named `nixpkgs`.
 Note that I'm using the attribute path here.
@@ -688,9 +731,12 @@ Note that I'm using the attribute path here.
 For the sake of completeness, here's another example how to install the environment system-wide.
 ```nix
-environment.systemPackages = with pkgs; [
+{ # ...
-  (python35.withPackages(ps: with ps; [ numpy ipython ]))
+
-];
+  environment.systemPackages = with pkgs; [
    (python35.withPackages(ps: with ps; [ numpy ipython ]))
  ];
 }
 ```
 ### How to solve circular dependencies?
@@ -727,19 +773,18 @@ All packages in the Python package set will now use the updated `scipy` version.
 ```nix
 with import <nixpkgs> {};
-(
+( let
-let
+    packageOverrides = self: super: {
-  packageOverrides = self: super: {
+      scipy = super.scipy_0_17;
-    scipy = super.scipy_0_17;
+    };
-  };
+  in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
 in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
 ).env
 ```
 The requested package `blaze` depends on `pandas` which itself depends on `scipy`.
 If you want the whole of Nixpkgs to use your modifications, then you can use `overlays`
 as explained in this manual. In the following example we build a `inkscape` using a different version of `numpy`.
-```
+```nix
 let
  pkgs = import <nixpkgs> {};
  newpkgs = import pkgs.path { overlays = [ (pkgsself: pkgssuper: {
@@ -762,32 +807,32 @@ This is because files are included that depend on items in the Nix store which h
 The command `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`, and `nix-shell` sets this to 1. By setting it to a value corresponding to 1980 or later, or by unsetting it, it is possible to build wheels.
 Use 1980 as timestamp:
-```
+```shell
 nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"
 ```
 or the current time:
-```
+```shell
 nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
 ```
 or unset:
-```
+```shell
 nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
 ```
 ### `install_data` / `data_files` problems
 If you get the following error:
-
+```
-    could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
+could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
-    Permission denied
+Permission denied
-
+```
-This is a [known bug](https://github.com/pypa/setuptools/issues/130) in setuptools.
+This is a [known bug](https://github.com/pypa/setuptools/issues/130) in `setuptools`.
 Setuptools `install_data` does not respect `--prefix`. An example of such package using the feature is `pkgs/tools/X11/xpra/default.nix`.
 As workaround install it as an extra `preInstall` step:
-
+```shell
-    ${python.interpreter} setup.py install_data --install-dir=$out --root=$out
+${python.interpreter} setup.py install_data --install-dir=$out --root=$out
-    sed -i '/ = data\_files/d' setup.py
+sed -i '/ = data\_files/d' setup.py
-
+```
 ###  Rationale of non-existent global site-packages
@@ -811,11 +856,11 @@ and install python modules through `pip` the traditional way.
 Create this `default.nix` file, together with a `requirements.txt` and simply execute `nix-shell`.
-```
+```nix
 with import <nixpkgs> {};
 with pkgs.python27Packages;
-stdenv.mkDerivation { 
+stdenv.mkDerivation {
  name = "impurePythonEnv";
  buildInputs = [
    # these packages are required for virtualenv and pip to work:
@@ -823,10 +868,10 @@ stdenv.mkDerivation {
    python27Full
    python27Packages.virtualenv
    python27Packages.pip
-    # the following packages are related to the dependencies of your python 
+    # the following packages are related to the dependencies of your python
-    # project. 
+    # project.
-    # In this particular example the python modules listed in the 
+    # In this particular example the python modules listed in the
-    # requirements.tx require the following packages to be installed locally 
+    # requirements.tx require the following packages to be installed locally
    # in order to compile any binary extensions they may require.
    #
    taglib
@@ -841,7 +886,7 @@ stdenv.mkDerivation {
  shellHook = ''
  # set SOURCE_DATE_EPOCH so that we can use python wheels
  SOURCE_DATE_EPOCH=$(date +%s)
-  virtualenv --no-setuptools venv 
+  virtualenv --no-setuptools venv
  export PATH=$PWD/venv/bin:$PATH
  pip install -r requirements.txt
  '';
@@ -849,10 +894,31 @@ stdenv.mkDerivation {
 ```
 Note that the `pip install` is an imperative action. So every time `nix-shell`
-is executed it will attempt to download the python modules listed in 
+is executed it will attempt to download the python modules listed in
 requirements.txt. However these will be cached locally within the `virtualenv`
 folder and not downloaded again.
 ### How to override a Python package from `configuration.nix`?
 If you need to change a package's attribute(s) from `configuration.nix` you could do:
 ```nix
  nixpkgs.config.packageOverrides = superP: {
    pythonPackages = superP.pythonPackages.override {
      overrides = self: super: {
        bepasty-server = super.bepasty-server.overrideAttrs ( oldAttrs: {
          src = pkgs.fetchgit {
            url = "https://github.com/bepasty/bepasty-server";
            sha256 = "9ziqshmsf0rjvdhhca55sm0x8jz76fsf2q4rwh4m6lpcf8wr0nps";
            rev = "e2516e8cf4f2afb5185337073607eb9e84a61d2d";
          };
        });
      };
    };
  };
 ```
 If you are using the `bepasty-server` package somewhere, for example in `systemPackages` or indirectly from `services.bepasty`, then a `nixos-rebuild switch` will rebuild the system but with the `bepasty-server` package using a different `src` attribute. This way one can modify `python` based software/libraries easily. Using `self` and `super` one can also alter dependencies (`buildInputs`) between the old state (`self`) and new state (`super`). 
 ## Contributing
--- a/doc/languages-frameworks/rust.md
+++ b/doc/languages-frameworks/rust.md
@@ -0,0 +1,91 @@
 ---
 title: Rust
 author: Matthias Beyer
 date: 2017-03-05
 ---
 # User's Guide to the Rust Infrastructure
 To install the rust compiler and cargo put
 ```
 rustStable.rustc
 rustStable.cargo
 ```
 into the `environment.systemPackages` or bring them into scope with
 `nix-shell -p rustStable.rustc -p rustStable.cargo`.
 There are also `rustBeta` and `rustNightly` package sets available.
 These are not updated very regulary. For daily builds see
 [Using the Rust nightlies overlay](#using-the-rust-nightlies-overlay)
 ## Packaging Rust applications
 Rust applications are packaged by using the `buildRustPackage` helper from `rustPlatform`:
 ```
 with rustPlatform;
 buildRustPackage rec {
  name = "ripgrep-${version}";
  version = "0.4.0";
  src = fetchFromGitHub {
    owner = "BurntSushi";
    repo = "ripgrep";
    rev = "${version}";
    sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj";
  };
  depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
  meta = with stdenv.lib; {
    description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep";
    homepage = https://github.com/BurntSushi/ripgrep;
    license = with licenses; [ unlicense ];
    maintainers = [ maintainers.tailhook ];
    platforms = platforms.all;
  };
 }
 ```
 `buildRustPackage` requires a `depsSha256` attribute which is computed over
 all crate sources of this package. Currently it is obtained by inserting a
 fake checksum into the expression and building the package once. The correct
 checksum can be then take from the failed build.
 To install crates with nix there is also an experimental project called
 [nixcrates](https://github.com/fractalide/nixcrates).
 ## Using the Rust nightlies overlay
 Mozilla provides an overlay for nixpkgs to bring a nightly version of Rust into scope.
 This overlay can _also_ be used to install recent unstable or stable versions
 of Rust, if desired.
 To use this overlay, clone
 [nixpkgs-mozilla](https://github.com/mozilla/nixpkgs-mozilla),
 and create a symbolic link to the file
 [rust-overlay.nix](https://github.com/mozilla/nixpkgs-mozilla/blob/master/rust-overlay.nix)
 in the `~/.config/nixpkgs/overlays` directory.
    $ git clone https://github.com/mozilla/nixpkgs-mozilla.git
    $ mkdir -p ~/.config/nixpkgs/overlays
    $ ln -s $(pwd)/nixpkgs-mozilla/rust-overlay.nix ~/.config/nixpkgs/overlays/rust-overlay.nix
 The latest version can be installed with the following command:
    $ nix-env -Ai nixos.rustChannels.stable.rust
 Or using the attribute with nix-shell:
    $ nix-shell -p nixos.rustChannels.stable.rust
 To install the beta or nightly channel, "stable" should be substituted by
 "nightly" or "beta", or
 use the function provided by this overlay to pull a version based on a
 build date.
 The overlay automatically updates itself as it uses the same source as
 [rustup](https://www.rustup.rs/).
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -34,6 +34,9 @@ let
  sandbox = import ./sandbox.nix;
  fetchers = import ./fetchers.nix;
  # Eval-time filesystem handling
  filesystem = import ./filesystem.nix;
 in
  { inherit trivial
            attrsets lists strings stringsWithDeps
@@ -41,7 +44,7 @@ in
            modules options types
            licenses platforms systems
            debug generators misc
-            sandbox fetchers;
+            sandbox fetchers filesystem;
  }
  # !!! don't include everything at top-level; perhaps only the most
  # commonly used functions.
--- a/lib/filesystem.nix
+++ b/lib/filesystem.nix
@@ -0,0 +1,26 @@
 { # locateDominatingFile :  RegExp
  #                      -> Path
  #                      -> Nullable { path : Path;
  #                                    matches : [ MatchResults ];
  #                                  }
  # Find the first directory containing a file matching 'pattern'
  # upward from a given 'file'.
  # Returns 'null' if no directories contain a file matching 'pattern'.
  locateDominatingFile = pattern: file:
    let go = path:
          let files = builtins.attrNames (builtins.readDir path);
              matches = builtins.filter (match: match != null)
                          (map (builtins.match pattern) files);
          in
            if builtins.length matches != 0
              then { inherit path matches; }
              else if path == /.
                then null
                else go (dirOf path);
        parent = dirOf file;
        isDir =
          let base = baseNameOf file;
              type = (builtins.readDir parent).${base} or null;
          in file == /. || type == "directory";
    in go (if isDir then file else parent);
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -59,7 +59,6 @@
  badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
  balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
  Baughn = "Svein Ove Aas <sveina@gmail.com>";
  bbenoist = "Baptist BENOIST <return_0@live.com>";
  bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
  bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
  bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
@@ -352,6 +351,7 @@
  notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
  np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
  nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
  xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
  obadz = "obadz <obadz-nixos@obadz.com>";
  ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
  odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
@@ -503,7 +503,7 @@
  tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
  twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
  uralbash = "Svintsov Dmitry <root@uralbash.ru>";
-  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
+  #urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
  uwap = "uwap <me@uwap.name>";
  vandenoever = "Jos van den Oever <jos@vandenoever.info>";
  vanzef = "Ivan Solyankin <vanzef@gmail.com>";
@@ -532,6 +532,7 @@
  womfoo = "Kranium Gikos Mendoza <kranium@gikos.net>";
  wscott = "Wayne Scott <wsc9tt@gmail.com>";
  wyvie = "Elijah Rum <elijahrum@gmail.com>";
  xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
  xwvvvvwx = "David Terry <davidterry@posteo.de>";
  yarr = "Dmitry V. <savraz@gmail.com>";
  yochai = "Yochai <yochai@titat.info>";
--- a/maintainers/scripts/hydra-eval-failures.py
+++ b/maintainers/scripts/hydra-eval-failures.py
@@ -5,6 +5,7 @@
 import subprocess
 import json
 import sys
 import click
 import requests
@@ -47,8 +48,8 @@ def get_maintainers(attr_name):
@click.command()
@click.option(
    '--jobset',
-    default="nixos/release-16.09",
+    default="nixos/release-17.03",
-    help='Hydra project like nixos/release-16.09')
+    help='Hydra project like nixos/release-17.03')
 def cli(jobset):
    """
    Given a Hydra project, inspect latest evaluation
@@ -75,12 +76,16 @@ def cli(jobset):
        a = pq(tr)('a')[1]
        print "- [ ] [{}]({})".format(a.text, a.get('href'))
        sys.stdout.flush()
        maintainers = get_maintainers(a.text)
        if maintainers:
            print "  - maintainers: {}".format(", ".join(map(lambda u: '@' + u, maintainers)))
        # TODO: print last three persons that touched this file
        # TODO: pinpoint the diff that broke this build, or maybe it's transient or maybe it never worked?
        sys.stdout.flush()
 if __name__ == "__main__":
    try:
--- a/nixos/default.nix
+++ b/nixos/default.nix
@@ -37,7 +37,4 @@ in
  vm = vmConfig.system.build.vm;
  vmWithBootLoader = vmWithBootLoaderConfig.system.build.vm;
  # The following are used by nixos-rebuild.
  nixFallback = pkgs.nixUnstable.out;
 }
--- a/nixos/doc/manual/configuration/modularity.xml
+++ b/nixos/doc/manual/configuration/modularity.xml
@@ -37,7 +37,7 @@ latter might look like this:
 { services.xserver.enable = true;
  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.kde5.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
 }
 </programlisting>
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@@ -25,7 +25,7 @@ Otherwise, you can only log into a plain undecorated
 <command>xterm</command> window.  Thus you should pick one or more of
 the following lines:
 <programlisting>
-services.xserver.desktopManager.kde5.enable = true;
+services.xserver.desktopManager.plasma5.enable = true;
 services.xserver.desktopManager.xfce.enable = true;
 services.xserver.desktopManager.gnome3.enable = true;
 services.xserver.windowManager.xmonad.enable = true;
--- a/nixos/doc/manual/configuration/xfce.xml
+++ b/nixos/doc/manual/configuration/xfce.xml
@@ -9,10 +9,10 @@
    <para>
        To enable the Xfce Desktop Environment, set
        <programlisting>
-            services.xserver.desktopManager = {
+services.xserver.desktopManager = {
-                xfce.enable = true;
+    xfce.enable = true;
-                default = "xfce";
+    default = "xfce";
-            };
+};
        </programlisting>
    </para>
@@ -20,13 +20,13 @@
        Optionally, <emphasis>compton</emphasis>
        can be enabled for nice graphical effects, some example settings:
        <programlisting>
-            services.compton = {
+services.compton = {
-              enable          = true;
+  enable          = true;
-              fade            = true;
+  fade            = true;
-              inactiveOpacity = "0.9";
+  inactiveOpacity = "0.9";
-              shadow          = true;
+  shadow          = true;
-              fadeDelta       = 4;
+  fadeDelta       = 4;
-            };
+};
        </programlisting>
    </para>
@@ -34,16 +34,16 @@
        Some Xfce programs are not installed automatically.
        To install them manually (system wide), put them into your
        <literal>environment.systemPackages</literal>.
-	</para>
+    </para>
    <para>
-		NixOS’s default <emphasis>display manager</emphasis>is SLiM.
+        NixOS’s default <emphasis>display manager</emphasis> is SLiM.
-		(DM is the program that provides a graphical login prompt
+        (DM is the program that provides a graphical login prompt
-		 and manages the X server.)
+         and manages the X server.)
-	   	You can, for example, select KDE’s
+        You can, for example, select KDE’s
        <command>sddm</command> instead:
        <programlisting>
-            services.xserver.displayManager.sddm.enable = true;
+services.xserver.displayManager.sddm.enable = true;
        </programlisting>
    </para>
@@ -55,7 +55,7 @@
            <emphasis>Thunar</emphasis>
            volume support, put
            <programlisting>
-                services.xserver.desktopManager.xfce.enable = true;
+services.xserver.desktopManager.xfce.enable = true;
            </programlisting>
            into your <emphasis>configuration.nix</emphasis>.
        </para>
@@ -84,10 +84,10 @@
            Thunar and/or the desktop takes time to show up.
            Thunar will spit out this kind of message on start
-            (look at journalctl --user -b).
+            (look at <command>journalctl --user -b</command>).
            <programlisting>
-                Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
+Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
            </programlisting>
            This is caused by some needed GNOME services not running.
@@ -95,7 +95,7 @@
            the Advanced tab of the Session and Startup settings panel.
            Alternatively, you can run this command to do the same thing.
            <programlisting>
-                $ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
+$ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
            </programlisting>
            A log-out and re-log will be needed for this to take effect.
        </para>
--- a/nixos/doc/manual/development/sources.xml
+++ b/nixos/doc/manual/development/sources.xml
@@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
 <literal>channels</literal> refers to a read-only repository that
 tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
 for more information about channels). Thus, the Git branch
-<literal>channels/nixos-14.12</literal> will contain the latest built
+<literal>channels/nixos-17.03</literal> will contain the latest built
-and tested version available in the <literal>nixos-14.12</literal>
+and tested version available in the <literal>nixos-17.03</literal>
 channel.</para>
 <para>It’s often inconvenient to develop directly on the master
@@ -39,9 +39,9 @@ branch based on your current NixOS version:
 <screen>
 $ nixos-version
-14.04.273.ea1952b (Baboon)
+17.09pre104379.6e0b727 (Hummingbird)
-$ git checkout -b local ea1952b
+$ git checkout -b local e3938c8
 </screen>
 Or, to base your local branch on the latest version available in a
@@ -49,17 +49,17 @@ NixOS channel:
 <screen>
 $ git remote update channels
-$ git checkout -b local channels/nixos-14.12
+$ git checkout -b local channels/nixos-17.03
 </screen>
-(Replace <literal>nixos-14.12</literal> with the name of the channel
+(Replace <literal>nixos-17.03</literal> with the name of the channel
 you want to use.) You can use <command>git merge</command> or
 <command>git rebase</command> to keep your local branch in sync with
 the channel, e.g.
 <screen>
 $ git remote update channels
-$ git merge channels/nixos-14.12
+$ git merge channels/nixos-17.03
 </screen>
 You can use <command>git cherry-pick</command> to copy commits from
--- a/nixos/doc/manual/installation/installing-usb.xml
+++ b/nixos/doc/manual/installation/installing-usb.xml
@@ -11,7 +11,9 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
 <command>dd if=<replaceable>path-to-image</replaceable>
 of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
 correct drive; you can use the <command>lsblk</command> command to get a list of
-block devices.</para>
+block devices. If you're on OS X you can run <command>diskutil list</command>
 to see the list of devices; the device you'll use for the USB must be ejected
 before writing the image.</para>
 <para>The <command>dd</command> utility will write the image verbatim to the drive,
 making it the recommended option for both UEFI and non-UEFI installations. For
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@@ -15,12 +15,12 @@ been built.  These channels are:
 <itemizedlist>
  <listitem>
    <para><emphasis>Stable channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
+    xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
    These only get conservative bug fixes and package upgrades.  For
    instance, a channel update may cause the Linux kernel on your
-    system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
+    system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
-    not from 3.4.<replaceable>x</replaceable> to
+    not from 4.9.<replaceable>x</replaceable> to
-    3.11.<replaceable>x</replaceable> (a major change that has the
+    4.11.<replaceable>x</replaceable> (a major change that has the
    potential to break things).  Stable channels are generally
    maintained until the next stable branch is created.</para>
    <para></para>
@@ -34,7 +34,7 @@ been built.  These channels are:
  </listitem>
  <listitem>
    <para><emphasis>Small channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
    or <literal
    xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
    are identical to the stable and unstable channels described above,
@@ -55,8 +55,8 @@ appliances.)</para>
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 14.12 ISO, you will be subscribed to
+instance, if you installed from a 17.03 ISO, you will be subscribed to
-the <literal>nixos-14.12</literal> channel.  To see which NixOS
+the <literal>nixos-17.03</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 <screen>
@@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
 </screen>
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 14.12 stable channel:
+end.)  For instance, to use the NixOS 17.03 stable channel:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
 </screen>
 If you have a server, you may want to use the “small” channel instead:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
 </screen>
 And if you want to live on the bleeding edge:
@@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.)  You can also
 specify a channel explicitly, e.g.
 <programlisting>
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
 </programlisting>
 </para>
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -4,7 +4,15 @@
         version="5.0"
         xml:id="sec-release-17.03">
-<title>Release 17.03 (“XXX”, 2017/03/??)</title>
+<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-highlights">
 <title>Highlights</title>
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@@ -16,19 +24,40 @@ has the following highlights: </para>
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
    232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
  </listitem>
  <listitem>
    <para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
  </listitem>
  <listitem>
    <para>The setuid wrapper functionality now supports setting
    capabilities.</para>
  </listitem>
  <listitem>
-    <para>X.org server uses branch 1.19.  Due to ABI incompatibilities,
+    <para>X.org server uses branch 1.19. Due to ABI incompatibilities,
      <literal>ati_unfree</literal> keeps forcing 1.17
      and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
  </listitem>
  <listitem>
-    <para>PHP now defaults to PHP 7.1</para>
+    <para>
      Cross compilation has been rewritten. See the nixpkgs manual for
      details. The most obvious breaking change is that in derivations there is no
      <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
  <listitem>
    <para>The <literal>overridePackages</literal> function has been rewritten
    to be replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
    overlays</link></para>
  </listitem>
  <listitem>
@@ -38,16 +67,123 @@ has the following highlights: </para>
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>PHP now defaults to PHP 7.1</para>
  </listitem>
  <listitem>
    <para>
      The user handling now keeps track of deallocated UIDs/GIDs. When a user
      or group is revived, this allows it to be allocated the UID/GID it had before.
      A consequence is that UIDs and GIDs are no longer reused.
    </para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-new-services">
 <title>New Services</title>
 <para>The following new services were added since the last release:</para>
 <itemizedlist>
-  <listitem>
+  <listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
-    <para></para>
+  <listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
-  </listitem>
+  <listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
  <listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
  <listitem><para><literal>programs/adb.nix</literal></para></listitem>
  <listitem><para><literal>programs/chromium.nix</literal></para></listitem>
  <listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
  <listitem><para><literal>programs/java.nix</literal></para></listitem>
  <listitem><para><literal>programs/mtr.nix</literal></para></listitem>
  <listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
  <listitem><para><literal>programs/vim.nix</literal></para></listitem>
  <listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
  <listitem><para><literal>security/dhparams.nix</literal></para></listitem>
  <listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
  <listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
  <listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
  <listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
  <listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
  <listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-incompatibilities">
 <title>Backward Incompatibilities</title>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
@@ -55,10 +191,8 @@ following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
-      Cross compilation has been rewritten. See the nixpkgs manual for
+      Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> 
-      details. The most obvious breaking change is that derivations absent a
+      and are now cross by default, not native.
      <literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
@@ -95,15 +229,6 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The Yama LSM is now enabled by default in the kernel,
      which prevents ptracing non-child processes.
      This means you will not be able to attach gdb to an existing process,
      but will need to start that process from gdb (so it is a child).
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>stripHash</literal> bash function in <literal>stdenv</literal>
@@ -183,7 +308,7 @@ following incompatible changes:</para>
    <para><literal>overridePackages</literal> function no longer exists.
    It is replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
-    overlays</link>.  For example, the following code:
+    overlays</link>. For example, the following code:
 <programlisting>
  let
@@ -237,10 +362,60 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The socket handling of the <literal>services.rmilter</literal> module
      has been fixed and refactored. As rmilter doesn't support binding to
      more than one socket, the options <literal>bindUnixSockets</literal>
      and <literal>bindInetSockets</literal> have been replaced by
      <literal>services.rmilter.bindSocket.*</literal>. The default is still
      a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to
      the options documentation for more information.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>fetch*</literal> functions no longer support md5,
      please use sha256 instead.
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy module interface has been streamlined around the
      <option>extraArgs</option> option. Where possible, legacy option
      declarations are mapped to <option>extraArgs</option> but will emit
      warnings. The <option>resolverList</option> has been outright
      removed: to use an unlisted resolver, use the
      <option>customResolver</option> option.
    </para>
  </listitem>
  <listitem>
    <para>
      torbrowser now stores local state under
      <filename>~/.local/share/tor-browser</filename> by default. Any
      browser profile data from the old location,
      <filename>~/.torbrowser4</filename>, must be migrated manually.
    </para>
  </listitem>
  <listitem>
    <para>
      The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
    </para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-notable-changes">
-<para>Other notable improvements:</para>
+<title>Other Notable Changes</title>
 <itemizedlist>
@@ -261,7 +436,79 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>Python 2.6 interpreter and package set have been removed.</para>
  </listitem>
  <listitem>
    <para>
      The Python 2.7 interpreter does not use modules anymore. Instead, all
      CPython interpreters now include the whole standard library except for `tkinter`,
      which is available in the Python package set.
    </para>
  </listitem>
  <listitem>
    <para>
      Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
      Minor modifications had to be made to the interpreters in order to generate
      deterministic bytecode. This has security implications and is relevant for
      those using Python in a <literal>nix-shell</literal>. See the Nixpkgs manual
      for details.
    </para>
  </listitem>
  <listitem>
    <para>
      The Python package sets now use a fixed-point combinator and the sets are
      available as attributes of the interpreters.
    </para>
  </listitem>
  <listitem>
    <para>
      The Python function <literal>buildPythonPackage</literal> has been improved and can be
      used to build from Setuptools source, Flit source, and precompiled Wheels.
    </para>
  </listitem>
  <listitem>
    <para>
      When adding new or updating current Python libraries, the expressions should be put
      in separate files in <literal>pkgs/development/python-modules</literal> and
      called from <literal>python-packages.nix</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy service supports synchronizing the list of public
      resolvers without working DNS resolution. This fixes issues caused by the
      resolver list becoming outdated. It also improves the viability of
      DNSCrypt only configurations.
    </para>
  </listitem>
  <listitem>
    <para>
      Containers using bridged networking no longer lose their connection after
      changes to the host networking.
    </para>
  </listitem>
  <listitem>
    <para>
      ZFS supports pool auto scrubbing.
    </para>
  </listitem>
  <listitem>
    <para>
      The bind DNS utilities (e.g. dig) have been split into their own output and
      are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
      necessary to pull in all of <literal>bind</literal> to use them.
    </para>
  </listitem>
 </itemizedlist>
-
+</section>
 </section>
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@@ -108,16 +108,16 @@ rec {
          mkdir -p $out/bin
          echo "$testScript" > $out/test-script
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
-          vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
+          vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
          wrapProgram $out/bin/nixos-test-driver \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --run "testScript=\"\$(cat $out/test-script)\"" \
            --set testScript '$testScript' \
            --set VLANS '${toString vlans}'
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
          wrapProgram $out/bin/nixos-run-vms \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --set tests 'startAll; joinAll;' \
            --set VLANS '${toString vlans}' \
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@@ -274,6 +274,8 @@ in {
          RestartSec = "500ms";
        };
      };
      environment.variables.PULSE_COOKIE = "${stateDir}/.config/pulse/cookie";
    })
  ];
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -64,5 +64,9 @@ in
    # Removed under grsecurity.
    boot.kernel.sysctl."kernel.kptr_restrict" =
      if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1;
    # Disable YAMA by default to allow easy debugging.
    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
  };
 }
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@@ -6,6 +6,21 @@ use JSON;
 make_path("/var/lib/nixos", { mode => 0755 });
 # Keep track of deleted uids and gids.
 my $uidMapFile = "/var/lib/nixos/uid-map";
 my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
 my $gidMapFile = "/var/lib/nixos/gid-map";
 my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
 sub updateFile {
    my ($path, $contents, $perms) = @_;
    write_file("$path.tmp", { binmode => ':utf8', perms => $perms // 0644 }, $contents);
    rename("$path.tmp", $path) or die;
 }
 sub hashPassword {
    my ($password) = @_;
    my $salt = "";
@@ -18,10 +33,10 @@ sub hashPassword {
 # Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
 # /etc/login.defs.
 sub allocId {
-    my ($used, $idMin, $idMax, $up, $getid) = @_;
+    my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
    my $id = $up ? $idMin : $idMax;
    while ($id >= $idMin && $id <= $idMax) {
-        if (!$used->{$id} && !defined &$getid($id)) {
+        if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
            $used->{$id} = 1;
            return $id;
        }
@@ -31,23 +46,36 @@ sub allocId {
    die "$0: out of free UIDs or GIDs\n";
 }
-my (%gidsUsed, %uidsUsed);
+my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
 sub allocGid {
-    return allocId(\%gidsUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
+    my ($name) = @_;
    my $prevGid = $gidMap->{$name};
    if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
        print STDERR "reviving group '$name' with GID $prevGid\n";
        $gidsUsed{$prevGid} = 1;
        return $prevGid;
    }
    return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
 }
 sub allocUid {
-    my ($isSystemUser) = @_;
+    my ($name, $isSystemUser) = @_;
    my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
-    return allocId(\%uidsUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
+    my $prevUid = $uidMap->{$name};
    if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
        print STDERR "reviving user '$name' with UID $prevUid\n";
        $uidsUsed{$prevUid} = 1;
        return $prevUid;
    }
    return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
 }
 # Read the declared users/groups.
 my $spec = decode_json(read_file($ARGV[0]));
-# Don't allocate UIDs/GIDs that are already in use.
+# Don't allocate UIDs/GIDs that are manually assigned.
 foreach my $g (@{$spec->{groups}}) {
    $gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
 }
@@ -56,6 +84,11 @@ foreach my $u (@{$spec->{users}}) {
    $uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
 }
 # Likewise for previously used but deleted UIDs/GIDs.
 $uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
 $gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
 # Read the current /etc/group.
 sub parseGroup {
    chomp;
@@ -114,16 +147,18 @@ foreach my $g (@{$spec->{groups}}) {
            }
        }
    } else {
-        $g->{gid} = allocGid if !defined $g->{gid};
+        $g->{gid} = allocGid($name) if !defined $g->{gid};
        $g->{password} = "x";
    }
    $g->{members} = join ",", sort(keys(%members));
    $groupsOut{$name} = $g;
    $gidMap->{$name} = $g->{gid};
 }
 # Update the persistent list of declarative groups.
-write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
+updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
 # Merge in the existing /etc/group.
 foreach my $name (keys %groupsCur) {
@@ -140,8 +175,8 @@ foreach my $name (keys %groupsCur) {
 # Rewrite /etc/group. FIXME: acquire lock.
 my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
    (sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
-write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
+updateFile($gidMapFile, encode_json($gidMap));
-rename("/etc/group.tmp", "/etc/group") or die;
+updateFile("/etc/group", \@lines);
 system("nscd --invalidate group");
 # Generate a new /etc/passwd containing the declared users.
@@ -167,7 +202,7 @@ foreach my $u (@{$spec->{users}}) {
            $u->{uid} = $existing->{uid};
        }
    } else {
-        $u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
+        $u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
        if (defined $u->{initialPassword}) {
            $u->{hashedPassword} = hashPassword($u->{initialPassword});
@@ -177,7 +212,7 @@ foreach my $u (@{$spec->{users}}) {
    }
    # Create a home directory.
-    if ($u->{createHome} && ! -e $u->{home}) {
+    if ($u->{createHome}) {
        make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
        chown $u->{uid}, $u->{gid}, $u->{home};
    }
@@ -195,10 +230,12 @@ foreach my $u (@{$spec->{users}}) {
    $u->{fakePassword} = $existing->{fakePassword} // "x";
    $usersOut{$name} = $u;
    $uidMap->{$name} = $u->{uid};
 }
 # Update the persistent list of declarative users.
-write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
+updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
 # Merge in the existing /etc/passwd.
 foreach my $name (keys %usersCur) {
@@ -214,8 +251,8 @@ foreach my $name (keys %usersCur) {
 # Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
    (sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
-write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
+updateFile($uidMapFile, encode_json($uidMap));
-rename("/etc/passwd.tmp", "/etc/passwd") or die;
+updateFile("/etc/passwd", \@lines);
 system("nscd --invalidate passwd");
@@ -242,5 +279,4 @@ foreach my $u (values %usersOut) {
    push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
 }
-write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
+updateFile("/etc/shadow", \@shadowNew, 0600);
 rename("/etc/shadow.tmp", "/etc/shadow") or die;
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
@@ -18,7 +18,7 @@ with lib;
      autoLogin = true;
    };
-    desktopManager.kde5 = {
+    desktopManager.plasma5 = {
      enable = true;
      enableQt4Support = false;
    };
@@ -66,7 +66,7 @@ with lib;
  in ''
    mkdir -p /root/Desktop
    ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
-    ln -sfT ${pkgs.kdeApplications.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
+    ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
    ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
  '';
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@@ -172,7 +172,6 @@ in
    isoImage.includeSystemBuildDependencies = mkOption {
      default = false;
      example = true;
      description = ''
        Set this option to include all the needed sources etc in the
        image. It significantly increases image size. Use that when
@@ -280,7 +279,7 @@ in
        options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
      };
-    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" ];
+    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" "uas" ];
    boot.blacklistedKernelModules = [ "nouveau" ];
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@@ -48,7 +48,7 @@ let cfg = config.system.autoUpgrade; in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the update will occur.
        '';
      };
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/4ssykr786d0wp7y6m4xd4qwqs4nrry1z-nix-1.11.7";
+  x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
-  i686-linux = "/nix/store/61ggxx2072y2g877m01asy0lsn7xpn06-nix-1.11.7";
+  i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
-  x86_64-darwin = "/nix/store/pxf5ri5kdbfqkhd10sw4lpj8sn385ks5-nix-1.11.7";
+  x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
 }
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -607,7 +607,7 @@ $bootLoaderConfig
  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.sddm.enable = true;
-  # services.xserver.desktopManager.kde5.enable = true;
+  # services.xserver.desktopManager.plasma5.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.extraUsers.guest = {
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -278,24 +278,22 @@ if [ -n "$buildNix" ]; then
    echo "building Nix..." >&2
    nixDrv=
    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
-        if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then
+        if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
-            if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
+            nixStorePath="$(prebuiltNix "$(uname -m)")"
-                nixStorePath="$(prebuiltNix "$(uname -m)")"
+            if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
-                if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
+                --option extra-binary-caches https://cache.nixos.org/; then
-                    --option extra-binary-caches https://cache.nixos.org/; then
+                echo "warning: don't know how to get latest Nix" >&2
            fi
            # Older version of nix-store -r don't support --add-root.
            [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
            if [ -n "$buildHost" ]; then
                remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
                remoteNix="$remoteNixStorePath/bin"
                if ! buildHostCmd nix-store -r $remoteNixStorePath \
                  --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
                    remoteNix=
                    echo "warning: don't know how to get latest Nix" >&2
                fi
                # Older version of nix-store -r don't support --add-root.
                [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
                if [ -n "$buildHost" ]; then
                    remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
                    remoteNix="$remoteNixStorePath/bin"
                    if ! buildHostCmd nix-store -r $remoteNixStorePath \
                      --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
                        remoteNix=
                        echo "warning: don't know how to get latest Nix" >&2
                    fi
                fi
            fi
        fi
    fi
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -288,6 +288,7 @@
      kresd = 270;
      rpc = 271;
      geoip = 272;
      fcron = 273;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@@ -545,6 +546,7 @@
      kresd = 270;
      #rpc = 271; # unused
      #geoip = 272; # unused
      fcron = 273;
      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@@ -104,13 +104,13 @@ in {
    users.extraGroups = mkIf isMLocate { mlocate = {}; };
    security.wrappers = mkIf isMLocate {
-      mlocate = {
+      locate = {
        group = "mlocate";
        owner = "root";
        permissions = "u+rx,g+x,o+x";
        setgid = true;
        setuid = false;
-        program = "locate";
+        source = "${cfg.locate}/bin/locate";
      };
    };
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -78,7 +78,7 @@ in
    defaultChannel = mkOption {
      internal = true;
      type = types.str;
-      default = https://nixos.org/channels/nixos-unstable;
+      default = https://nixos.org/channels/nixos-17.03;
      description = "Default NixOS channel to which the root user is subscribed.";
    };
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -136,7 +136,6 @@
  ./services/backup/mysql-backup.nix
  ./services/backup/postgresql-backup.nix
  ./services/backup/rsnapshot.nix
  ./services/backup/sitecopy-backup.nix
  ./services/backup/tarsnap.nix
  ./services/backup/znapzend.nix
  ./services/cluster/fleet.nix
@@ -332,6 +331,7 @@
  ./services/monitoring/prometheus/nginx-exporter.nix
  ./services/monitoring/prometheus/node-exporter.nix
  ./services/monitoring/prometheus/snmp-exporter.nix
  ./services/monitoring/prometheus/unifi-exporter.nix
  ./services/monitoring/prometheus/varnish-exporter.nix
  ./services/monitoring/riemann.nix
  ./services/monitoring/riemann-dash.nix
@@ -449,7 +449,7 @@
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/prosody.nix
-  ./services/networking/quagga.nix
+  # ./services/networking/quagga.nix
  ./services/networking/quassel.nix
  ./services/networking/racoon.nix
  ./services/networking/radicale.nix
--- a/nixos/modules/profiles/graphical.nix
+++ b/nixos/modules/profiles/graphical.nix
@@ -1,5 +1,5 @@
-# This module defines a NixOS configuration that contains X11 and
+# This module defines a NixOS configuration with the Plasma 5 desktop.
-# KDE 4.  It's used by the graphical installation CD.
+# It's used by the graphical installation CD.
 { config, pkgs, ... }:
@@ -7,7 +7,7 @@
  services.xserver = {
    enable = true;
    displayManager.sddm.enable = true;
-    desktopManager.kde5.enable = true;
+    desktopManager.plasma5.enable = true;
    synaptics.enable = true; # for touchpad support on many laptops
  };
--- a/nixos/modules/programs/adb.nix
+++ b/nixos/modules/programs/adb.nix
@@ -10,7 +10,6 @@ with lib;
    programs.adb = {
      enable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Whether to configure system to use Android Debug Bridge (adb).
--- a/nixos/modules/programs/gphoto2.nix
+++ b/nixos/modules/programs/gphoto2.nix
@@ -10,7 +10,6 @@ with lib;
    programs.gphoto2 = {
      enable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Whether to configure system to use gphoto2.
--- a/nixos/modules/programs/mosh.nix
+++ b/nixos/modules/programs/mosh.nix
@@ -14,7 +14,6 @@ in
        Whether to enable mosh. Note, this will open ports in your firewall!
      '';
      default = false;
      example = true;
      type = lib.types.bool;
    };
  };
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@@ -22,7 +22,6 @@ in
      directDelivery = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Use the trivial Mail Transfer Agent (MTA)
          <command>ssmtp</command> package to allow programs to send
@@ -65,7 +64,6 @@ in
      useTLS = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether TLS should be used to connect to the default mail
          server.
@@ -75,7 +73,6 @@ in
      useSTARTTLS = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether the STARTTLS should be used to connect to the default
          mail server.  (This is needed for TLS-capable mail servers
--- a/nixos/modules/programs/tmux.nix
+++ b/nixos/modules/programs/tmux.nix
@@ -65,7 +65,6 @@ in {
      aggressiveResize = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Resize the window to the size of the smallest session for which it is the current window.
@@ -81,14 +80,12 @@ in {
      clock24 = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Use 24 hour clock.";
      };
      customPaneNavigationAndResize = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.";
      };
@@ -124,14 +121,12 @@ in {
      newSession = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Automatically spawn a session if trying to attach and none are running.";
      };
      reverseSplit = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Reverse the window split shortcuts.";
      };
--- a/nixos/modules/programs/venus.nix
+++ b/nixos/modules/programs/venus.nix
@@ -45,7 +45,7 @@ in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the Venus will collect feeds.
        '';
      };
--- a/nixos/modules/programs/vim.nix
+++ b/nixos/modules/programs/vim.nix
@@ -9,7 +9,6 @@ in {
    defaultEditor = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        When enabled, installs vim and configures vim to be the default editor
        using the EDITOR environment variable.
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -103,9 +103,6 @@ with lib;
    (mkRenamedOptionModule [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
    (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
    # DNSCrypt-proxy
    (mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ])
    (mkRenamedOptionModule [ "services" "hostapd" "extraCfg" ] [ "services" "hostapd" "extraConfig" ])
    # Enlightenment
@@ -195,5 +192,7 @@ with lib;
      "See the 16.09 release notes for more information.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
    (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
    (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
      "Set the option `services.xserver.displayManager.sddm.package' instead.")
  ];
 }
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -110,7 +110,7 @@ in
        description = ''
          Systemd calendar expression when to check for renewal. See
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>.
+          <manvolnum>7</manvolnum></citerefentry>.
        '';
      };
--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@@ -19,6 +19,12 @@ in
            Note: The name of the DH params is taken as being the name of the
            service it serves: the params will be generated before the said
            service is started.
            Warning: If you are removing all dhparams from this list, you have
            to leave security.dhparams.enable for at least one activation in
            order to have them be cleaned up. This also means if you rollback to
            a version without any dhparams the existing ones won't be cleaned
            up.
          '';
        type = with types; attrsOf int;
        default = {};
@@ -34,57 +40,68 @@ in
        type = types.str;
        default = "/var/lib/dhparams";
      };
      enable = mkOption {
        description =
          ''
            Whether to generate new DH params and clean up old DH params.
          '';
        default = false;
        type = types.bool;
      };
    };
  };
-  config.systemd.services = {
+  config = mkIf cfg.enable {
-    dhparams-init = {
+    systemd.services = {
-      description = "Cleanup old Diffie-Hellman parameters";
+      dhparams-init = {
-      wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
+        description = "Cleanup old Diffie-Hellman parameters";
-      serviceConfig.Type = "oneshot";
+        wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
-      script =
+        serviceConfig.Type = "oneshot";
-        # Create directory
+        script =
-        ''
+          # Create directory
-          if [ ! -d ${cfg.path} ]; then
+          ''
-            mkdir -p ${cfg.path}
+            if [ ! -d ${cfg.path} ]; then
-          fi
+              mkdir -p ${cfg.path}
        '' +
        # Remove old dhparams
        ''
          for file in ${cfg.path}/*; do
            if [ ! -f "$file" ]; then
              continue
            fi
-        '' + concatStrings (mapAttrsToList (name: value:
+          '' +
-        ''
+          # Remove old dhparams
-            if [ "$file" == "${cfg.path}/${name}.pem" ] && \
+          ''
-                ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
+            for file in ${cfg.path}/*; do
-              continue
+              if [ ! -f "$file" ]; then
-            fi
+                continue
-        ''
+              fi
-        ) cfg.params) +
+          '' + concatStrings (mapAttrsToList (name: value:
-        ''
+          ''
-            rm $file
+              if [ "$file" == "${cfg.path}/${name}.pem" ] && \
-          done
+                  ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
                continue
              fi
          ''
          ) cfg.params) +
          ''
              rm $file
            done
-          # TODO: Ideally this would be removing the *former* cfg.path, though this
+            # TODO: Ideally this would be removing the *former* cfg.path, though this
-          # does not seem really important
+            # does not seem really important as changes to it are quite unlikely
-          rmdir -p --ignore-fail-on-non-empty ${cfg.path}
+            rmdir --ignore-fail-on-non-empty ${cfg.path}
-        '';
+          '';
-    };
+      };
-  } //
+    } //
-    mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
+      mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
-      description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
+        description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
-      after = [ "dhparams-init.service" ];
+        after = [ "dhparams-init.service" ];
-      before = [ "${name}.service" ];
+        before = [ "${name}.service" ];
-      wantedBy = [ "multi-user.target" ];
+        wantedBy = [ "multi-user.target" ];
-      serviceConfig.Type = "oneshot";
+        serviceConfig.Type = "oneshot";
-      script =
+        script =
-        ''
+          ''
-          mkdir -p ${cfg.path}
+            mkdir -p ${cfg.path}
-          if [ ! -f ${cfg.path}/${name}.pem ]; then
+            if [ ! -f ${cfg.path}/${name}.pem ]; then
-            ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
+              ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
-          fi
+            fi
-        '';
+          '';
-    }) cfg.params;
+      }) cfg.params;
  };
 }
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -21,7 +21,6 @@ in
    enable = mkOption {
      type = types.bool;
      example = true;
      default = false;
      description = ''
        Enable grsecurity/PaX.
@@ -30,7 +29,6 @@ in
    lockTunables = mkOption {
      type = types.bool;
      example = false;
      default = true;
      description = ''
        Whether to automatically lock grsecurity tunables
@@ -43,7 +41,6 @@ in
    disableEfiRuntimeServices = mkOption {
      type = types.bool;
      example = false;
      default = true;
      description = ''
        Whether to disable access to EFI runtime services.  Enabling EFI runtime
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@@ -214,8 +214,8 @@
            GRKERNSEC_CONFIG_SERVER y
            GRKERNSEC_CONFIG_SECURITY y
          '';
-          };
+        };
-      }
+      };
    </programlisting>
  </para>
@@ -312,7 +312,7 @@
      Overflows in boot critical code (e.g., the root filesystem module) can
      render the system unbootable.  Work around by setting
      <programlisting>
-        boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];
+        boot.kernelParams = [ "pax_size_overflow_report_only" ];
      </programlisting>
    </para></listitem>
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -179,21 +179,31 @@ in
          # Remove the old /var/setuid-wrappers path from the system...
          #
-          # TODO: this is only necessary for ugprades 16.09 => 17.x;
+          # TODO: this is only necessary for upgrades 16.09 => 17.x;
          # this conditional removal block needs to be removed after
          # the release.
          if [ -d /var/setuid-wrappers ]; then
            rm -rf /var/setuid-wrappers
            ln -s /run/wrappers/bin /var/setuid-wrappers
          fi
          # Remove the old /run/setuid-wrappers-dir path from the
          # system as well...
          #
-          # TODO: this is only necessary for ugprades 16.09 => 17.x;
+          # TODO: this is only necessary for upgrades 16.09 => 17.x;
          # this conditional removal block needs to be removed after
          # the release.
          if [ -d /run/setuid-wrapper-dirs ]; then
            rm -rf /run/setuid-wrapper-dirs
            ln -s /run/wrappers/bin /run/setuid-wrapper-dirs
          fi
          # TODO: this is only necessary for upgrades 16.09 => 17.x;
          # this conditional removal block needs to be removed after
          # the release.
          if readlink -f /run/booted-system | grep nixos-17 > /dev/null; then
            rm -rf /run/setuid-wrapper-dirs
            rm -rf /var/setuid-wrappers
          fi
          # We want to place the tmpdirs for the wrappers to the parent dir.
--- a/nixos/modules/services/backup/rsnapshot.nix
+++ b/nixos/modules/services/backup/rsnapshot.nix
@@ -26,7 +26,6 @@ in
      enableManualRsnapshot = mkOption {
        description = "Whether to enable manual usage of the rsnapshot command with this module.";
        default = true;
        example = false;
        type = types.bool;
      };
--- a/nixos/modules/services/backup/sitecopy-backup.nix
+++ b/nixos/modules/services/backup/sitecopy-backup.nix
@@ -1,106 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  inherit (pkgs) sitecopy;
  stateDir = "/var/spool/sitecopy";
  sitecopyCron = backup : ''
    ${if backup ? period then backup.period else config.services.sitecopy.period} root ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${backup.name}.conf --update ${backup.name} >> /var/log/sitecopy.log 2>&1
  '';
 in
 {
  options = {
    services.sitecopy = {
      enable = mkOption {
        default = false;
        description = ''
          Whether to enable <command>sitecopy</command> backups of specified
          directories.
        '';
      };
      period = mkOption {
        default = "15 04 * * *";
        description = ''
          This option defines (in the format used by <command>cron</command>)
          when the <command>sitecopy</command> backups are to be run.
          The default is to update at 04:15 (at night) every day.
        '';
      };
      backups = mkOption {
        example = [
          { name = "test";
            local = "/tmp/backup";
            remote = "/staff-groups/ewi/st/strategoxt/backup/test";
            server = "webdata.tudelft.nl";
            protocol = "webdav";
            https = true ;
            symlinks = "maintain" ;
          }
        ];
        default = [];
        description = ''
           List of attribute sets describing the backups.
           Username/password are extracted from
           <filename>${stateDir}/sitecopy.secrets</filename> at activation
           time. The secrets file lines should have the following structure:
           <screen>
             server username password
           </screen>
        '';
      };
    };
  };
  config = mkIf config.services.sitecopy.enable {
    environment.systemPackages = [ sitecopy ];
    services.cron.systemCronJobs = map sitecopyCron config.services.sitecopy.backups;
    system.activationScripts.sitecopyBackup = stringAfter [ "stdio" "users" ]
      ''
        mkdir -m 0700 -p ${stateDir}
        chown root ${stateDir}
        touch ${stateDir}/sitecopy.secrets
        chown root ${stateDir}/sitecopy.secrets
        ${lib.concatStrings (map ( b: ''
            unset secrets
            unset secret
            secrets=`grep '^${b.server}' ${stateDir}/sitecopy.secrets | head -1`
            secret=($secrets)
            cat > ${stateDir}/${b.name}.conf << EOF
              site ${b.name}
              server ${b.server}
              protocol ${b.protocol}
              username ''${secret[1]}
              password ''${secret[2]}
              local ${b.local}
              remote ${b.remote}
              symlinks ${b.symlinks}
              ${if b.https then "http secure" else ""}
            EOF
            chmod 0600 ${stateDir}/${b.name}.conf
            if ! test -e ${stateDir}/${b.name} ; then
              echo " * Initializing sitecopy '${b.name}'"
              ${sitecopy}/bin/sitecopy --storepath=${stateDir} --rcfile=${stateDir}/${b.name}.conf --initialize ${b.name}
            else
              echo " * Sitecopy '${b.name}' already initialized"
            fi
          '' ) config.services.sitecopy.backups
        )}
      '';
  };
 }
--- a/nixos/modules/services/cluster/kubernetes.nix
+++ b/nixos/modules/services/cluster/kubernetes.nix
@@ -76,6 +76,7 @@ in {
      description = "Kubernetes package to use.";
      type = types.package;
      default = pkgs.kubernetes;
      defaultText = "pkgs.kubernetes";
    };
    verbose = mkOption {
--- a/nixos/modules/services/computing/boinc/client.nix
+++ b/nixos/modules/services/computing/boinc/client.nix
@@ -12,7 +12,6 @@ in
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether to enable the BOINC distributed computing client. If this
          option is set to true, the boinc_client daemon will be run as a
@@ -41,7 +40,6 @@ in
      allowRemoteGuiRpc = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          If set to true, any remote host can connect to and control this BOINC
          client (subject to password authentication). If instead set to false,
--- a/nixos/modules/services/continuous-integration/buildbot/master.nix
+++ b/nixos/modules/services/continuous-integration/buildbot/master.nix
@@ -183,16 +183,17 @@ in {
      package = mkOption {
        type = types.package;
        default = pkgs.buildbot-ui;
        defaultText = "pkgs.buildbot-ui";
        description = ''
          Package to use for buildbot.
          <literal>buildbot-full</literal> is required in order to use local workers.
        '';
-        example = pkgs.buildbot-full;
+        example = literalExample "pkgs.buildbot-full";
      };
      packages = mkOption {
        default = [ ];
-        example = [ pkgs.git ];
+        example = literalExample "[ pkgs.git ]";
        type = types.listOf types.package;
        description = "Packages to add to PATH for the buildbot process.";
      };
--- a/nixos/modules/services/continuous-integration/buildbot/worker.nix
+++ b/nixos/modules/services/continuous-integration/buildbot/worker.nix
@@ -68,13 +68,14 @@ in {
      package = mkOption {
        type = types.package;
        default = pkgs.buildbot-worker;
        defaultText = "pkgs.buildbot-worker";
        description = "Package to use for buildbot worker.";
-        example = pkgs.buildbot-worker;
+        example = literalExample "pkgs.buildbot-worker";
      };
      packages = mkOption {
        default = [ ];
-        example = [ pkgs.git ];
+        example = literalExample "[ pkgs.git ]";
        type = types.listOf types.package;
        description = "Packages to add to PATH for the buildbot process.";
      };
--- a/nixos/modules/services/databases/cassandra.nix
+++ b/nixos/modules/services/databases/cassandra.nix
@@ -310,7 +310,6 @@ in {
    autoBootstrap = mkOption {
      description = "It makes new (non-seed) nodes automatically migrate the right data to themselves.";
      default = true;
      example = true;
      type = types.bool;
    };
    streamingSocketTimoutInMS = mkOption {
--- a/nixos/modules/services/databases/neo4j.nix
+++ b/nixos/modules/services/databases/neo4j.nix
@@ -27,9 +27,7 @@ let
    ''}
    dbms.shell.enabled=true
    ${cfg.extraServerConfig}
  '';
  wrapperConfig = pkgs.writeText "neo4j-wrapper.conf" ''
    # Default JVM parameters from neo4j.conf
    dbms.jvm.additional=-XX:+UseG1GC
    dbms.jvm.additional=-XX:-OmitStackTraceInFastThrow
@@ -130,16 +128,16 @@ in {
        ExecStart = "${cfg.package}/bin/neo4j console";
        User = "neo4j";
        PermissionsStartOnly = true;
        LimitNOFILE = 40000;
      };
      preStart = ''
        mkdir -m 0700 -p ${cfg.dataDir}/{data/graph.db,conf,logs}
        ln -fs ${serverConfig} ${cfg.dataDir}/conf/neo4j.conf
        ln -fs ${wrapperConfig} ${cfg.dataDir}/conf/neo4j-wrapper.conf
        if [ "$(id -u)" = 0 ]; then chown -R neo4j ${cfg.dataDir}; fi
      '';
    };
-    environment.systemPackages = [ pkgs.neo4j ];
+    environment.systemPackages = [ cfg.package ];
    users.extraUsers = singleton {
      name = "neo4j";
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -25,7 +25,6 @@ in
        description = "
          Whether to enable the ldap server.
        ";
        example = true;
      };
      user = mkOption {
@@ -68,10 +67,10 @@ in
        ";
        example = literalExample ''
            '''
-            include ${pkgs.openldap.out}/etc/openldap/schema/core.schema
+            include ${pkgs.openldap.out}/etc/schema/core.schema
-            include ${pkgs.openldap.out}/etc/openldap/schema/cosine.schema
+            include ${pkgs.openldap.out}/etc/schema/cosine.schema
-            include ${pkgs.openldap.out}/etc/openldap/schema/inetorgperson.schema
+            include ${pkgs.openldap.out}/etc/schema/inetorgperson.schema
-            include ${pkgs.openldap.out}/etc/openldap/schema/nis.schema
+            include ${pkgs.openldap.out}/etc/schema/nis.schema
            database bdb 
            suffix dc=example,dc=org 
--- a/nixos/modules/services/editors/emacs.nix
+++ b/nixos/modules/services/editors/emacs.nix
@@ -21,7 +21,6 @@ in {
    enable = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        Whether to enable a user service for the Emacs daemon. Use <literal>emacsclient</literal> to connect to the
        daemon. If <literal>true</literal>, <varname>services.emacs.install</varname> is
@@ -32,7 +31,6 @@ in {
    install = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        Whether to install a user service for the Emacs daemon. Once
        the service is started, use emacsclient to connect to the
@@ -57,7 +55,6 @@ in {
    defaultEditor = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        When enabled, configures emacsclient to be the default editor
        using the EDITOR environment variable.
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -35,6 +35,7 @@ let
  udevRules = pkgs.runCommand "udev-rules"
    { preferLocalBuild = true;
      allowSubstitutes = false;
      packages = unique (map toString cfg.packages);
    }
    ''
      mkdir -p $out
@@ -45,7 +46,7 @@ let
      echo 'ENV{PATH}="${udevPath}/bin:${udevPath}/sbin"' > $out/00-path.rules
      # Add the udev rules from other packages.
-      for i in ${toString cfg.packages}; do
+      for i in $packages; do
        echo "Adding rules for package $i"
        for j in $i/{etc,lib}/udev/rules.d/*; do
          echo "Copying $j to $out/$(basename $j)"
@@ -132,10 +133,11 @@ let
  hwdbBin = pkgs.runCommand "hwdb.bin"
    { preferLocalBuild = true;
      allowSubstitutes = false;
      packages = unique (map toString ([udev] ++ cfg.packages));
    }
    ''
      mkdir -p etc/udev/hwdb.d
-      for i in ${toString ([udev] ++ cfg.packages)}; do
+      for i in $packages; do
        echo "Adding hwdb files for package $i"
        for j in $i/{etc,lib}/udev/hwdb.d/*; do
          ln -s $j etc/udev/hwdb.d/$(basename $j)
--- a/nixos/modules/services/logging/awstats.nix
+++ b/nixos/modules/services/logging/awstats.nix
@@ -38,7 +38,7 @@ in
        Specification of the time at which awstats will get updated.
        (in the format described by <citerefentry>
          <refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>)
+          <manvolnum>7</manvolnum></citerefentry>)
      '';
    };
--- a/nixos/modules/services/logging/fluentd.nix
+++ b/nixos/modules/services/logging/fluentd.nix
@@ -25,6 +25,7 @@ in {
      package = mkOption {
        type = types.path;
        default = pkgs.fluentd;
        defaultText = "pkgs.fluentd";
        description = "The fluentd package to use.";
      };
    };
--- a/nixos/modules/services/mail/mlmmj.nix
+++ b/nixos/modules/services/mail/mlmmj.nix
@@ -18,7 +18,7 @@ let
  footer = domain: list: "To unsubscribe send a mail to ${list}+unsubscribe@${domain}";
  createList = d: l: ''
    ${pkgs.coreutils}/bin/mkdir -p ${listCtl d l}
-    echo ${listAddress d l} > ${listCtl d l}/listadress
+    echo ${listAddress d l} > ${listCtl d l}/listaddress
    echo "${lib.concatStringsSep "\n" (customHeaders d l)}" > ${listCtl d l}/customheaders
    echo ${footer d l} > ${listCtl d l}/footer
    echo ${subjectPrefix l} > ${listCtl d l}/prefix
--- a/nixos/modules/services/mail/offlineimap.nix
+++ b/nixos/modules/services/mail/offlineimap.nix
@@ -12,7 +12,6 @@ in {
    install = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        Whether to install a user service for Offlineimap. Once
        the service is started, emails will be fetched automatically.
--- a/nixos/modules/services/misc/gitlab.nix
+++ b/nixos/modules/services/misc/gitlab.nix
@@ -481,6 +481,7 @@ in {
        mkdir -p ${cfg.statePath}/repositories
        mkdir -p ${gitlabConfig.production.shared.path}/artifacts
        mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects
        mkdir -p ${gitlabConfig.production.shared.path}/pages
        mkdir -p ${cfg.statePath}/log
        mkdir -p ${cfg.statePath}/shell
        mkdir -p ${cfg.statePath}/tmp/pids
--- a/nixos/modules/services/misc/ihaskell.nix
+++ b/nixos/modules/services/misc/ihaskell.nix
@@ -16,7 +16,6 @@ in
    services.ihaskell = {
      enable = mkOption {
        default = false;
        example = true;
        description = "Autostart an IHaskell notebook service.";
      };
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -8,6 +8,8 @@ let
  nix = cfg.package.out;
  isNix112 = versionAtLeast (getVersion nix) "1.12pre";
  makeNixBuildUser = nr:
    { name = "nixbld${toString nr}";
      description = "Nix build user ${toString nr}";
@@ -44,6 +46,7 @@ let
        binary-caches = ${toString cfg.binaryCaches}
        trusted-binary-caches = ${toString cfg.trustedBinaryCaches}
        binary-cache-public-keys = ${toString cfg.binaryCachePublicKeys}
        auto-optimise-store = ${if cfg.autoOptimiseStore then "true" else "false"}
        ${optionalString cfg.requireSignedBinaryCaches ''
          signed-binary-caches = *
        ''}
@@ -84,6 +87,18 @@ in
        '';
      };
      autoOptimiseStore = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
         If set to true, Nix automatically detects files in the store that have
         identical contents, and replaces them with hard links to a single copy.
         This saves disk space. If set to false (the default), you can still run
         nix-store --optimise to get rid of duplicate files.
        '';
      };
      buildCores = mkOption {
        type = types.int;
        default = 1;
@@ -162,22 +177,23 @@ in
      buildMachines = mkOption {
        type = types.listOf types.attrs;
        default = [];
-        example = [
+        example = literalExample ''
-          { hostName = "voila.labs.cs.uu.nl";
+          [ { hostName = "voila.labs.cs.uu.nl";
-            sshUser = "nix";
+              sshUser = "nix";
-            sshKey = "/root/.ssh/id_buildfarm";
+              sshKey = "/root/.ssh/id_buildfarm";
-            system = "powerpc-darwin";
+              system = "powerpc-darwin";
-            maxJobs = 1;
+              maxJobs = 1;
-          }
+            }
-          { hostName = "linux64.example.org";
+            { hostName = "linux64.example.org";
-            sshUser = "buildfarm";
+              sshUser = "buildfarm";
-            sshKey = "/root/.ssh/id_buildfarm";
+              sshKey = "/root/.ssh/id_buildfarm";
-            system = "x86_64-linux";
+              system = "x86_64-linux";
-            maxJobs = 2;
+              maxJobs = 2;
-            supportedFeatures = [ "kvm" ];
+              supportedFeatures = [ "kvm" ];
-            mandatoryFeatures = [ "perf" ];
+              mandatoryFeatures = [ "perf" ];
-          }
+            }
-        ];
+          ]
        '';
        description = ''
          This option lists the machines to be used if distributed
          builds are enabled (see
@@ -380,7 +396,9 @@ in
    nix.envVars =
      { NIX_CONF_DIR = "/etc/nix";
      }
      // optionalAttrs (!isNix112) {
        # Enable the copy-from-other-stores substituter, which allows
        # builds to be sped up by copying build results from remote
        # Nix stores.  To do this, mount the remote file system on a
@@ -389,9 +407,11 @@ in
      }
      // optionalAttrs cfg.distributedBuilds {
-        NIX_BUILD_HOOK = "${nix}/libexec/nix/build-remote.pl";
+        NIX_BUILD_HOOK =
-        NIX_REMOTE_SYSTEMS = "/etc/nix/machines";
+          if isNix112 then
-        NIX_CURRENT_LOAD = "/run/nix/current-load";
+            "${nix}/libexec/nix/build-remote"
          else
            "${nix}/libexec/nix/build-remote.pl";
      };
    # Set up the environment variables for running Nix.
--- a/nixos/modules/services/misc/nix-gc.nix
+++ b/nixos/modules/services/misc/nix-gc.nix
@@ -26,7 +26,7 @@ in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the garbage collector will run.
        '';
      };
--- a/nixos/modules/services/misc/nix-optimise.nix
+++ b/nixos/modules/services/misc/nix-optimise.nix
@@ -26,7 +26,7 @@ in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the optimiser will run.
        '';
      };
--- a/nixos/modules/services/misc/nixos-manual.nix
+++ b/nixos/modules/services/misc/nixos-manual.nix
@@ -41,7 +41,7 @@ let
  entry = "${manual.manual}/share/doc/nixos/index.html";
-  help = pkgs.writeScriptBin "nixos-help"
+  helpScript = pkgs.writeScriptBin "nixos-help"
    ''
      #! ${pkgs.stdenv.shell} -e
      browser="$BROWSER"
@@ -58,6 +58,15 @@ let
      exec "$browser" ${entry}
    '';
  desktopItem = pkgs.makeDesktopItem {
    name = "nixos-manual";
    desktopName = "NixOS Manual";
    genericName = "View NixOS documentation in a web browser";
    # TODO: find a better icon (Nix logo + help overlay?)
    icon = "system-help";
    exec = "${helpScript}/bin/nixos-help";
    categories = "System";
  };
 in
 {
@@ -105,7 +114,8 @@ in
    system.build.manual = manual;
    environment.systemPackages =
-      [ manual.manual help ]
+      [ manual.manual helpScript ]
      ++ optional config.services.xserver.enable desktopItem
      ++ optional config.programs.man.enable manual.manpages;
    boot.extraTTYs = mkIf cfg.showManual ["tty${toString cfg.ttyNumber}"];
--- a/nixos/modules/services/misc/octoprint.nix
+++ b/nixos/modules/services/misc/octoprint.nix
@@ -117,7 +117,7 @@ in
      '';
      serviceConfig = {
-        ExecStart = "${pkgs.octoprint}/bin/octoprint -b ${cfg.stateDir}";
+        ExecStart = "${pkgs.octoprint}/bin/octoprint serve -b ${cfg.stateDir}";
        User = cfg.user;
        Group = cfg.group;
        PermissionsStartOnly = true;
--- a/nixos/modules/services/misc/ssm-agent.nix
+++ b/nixos/modules/services/misc/ssm-agent.nix
@@ -23,6 +23,7 @@ in {
      type = types.path;
      description = "The SSM agent package to use";
      default = pkgs.ssm-agent;
      defaultText = "pkgs.ssm-agent";
    };
  };
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@@ -148,7 +148,6 @@ in {
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether to enable the Taskwarrior server.
--- a/nixos/modules/services/monitoring/arbtt.nix
+++ b/nixos/modules/services/monitoring/arbtt.nix
@@ -10,7 +10,6 @@ in {
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Enable the arbtt statistics capture service.
        '';
--- a/nixos/modules/services/monitoring/das_watchdog.nix
+++ b/nixos/modules/services/monitoring/das_watchdog.nix
@@ -25,7 +25,7 @@ in {
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "root";
-        Type = "oneshot";
+        Type = "simple";
        ExecStart = "${das_watchdog}/bin/das_watchdog";
        RemainAfterExit = true;
      };
--- a/nixos/modules/services/monitoring/munin.nix
+++ b/nixos/modules/services/monitoring/munin.nix
@@ -193,14 +193,26 @@ in
  }) (mkIf cronCfg.enable {
-    services.cron.systemCronJobs = [
+    systemd.timers.munin-cron = {
-      "*/5 * * * * munin ${pkgs.munin}/bin/munin-cron --config ${muninConf}"
+      description = "batch Munin master programs";
-    ];
+      wantedBy = [ "timers.target" ];
      timerConfig.OnCalendar = "*:0/5";
    };
    systemd.services.munin-cron = {
      description = "batch Munin master programs";
      unitConfig.Documentation = "man:munin-cron(8)";
      serviceConfig = {
        Type = "oneshot";
        User = "munin";
        ExecStart = "${pkgs.munin}/bin/munin-cron --config ${muninConf}";
      };
    };
    system.activationScripts.munin-cron = stringAfter [ "users" "groups" ] ''
      mkdir -p /var/{run,log,www,lib}/munin
      chown -R munin:munin /var/{run,log,www,lib}/munin
    '';
  })];
 }
--- a/nixos/modules/services/monitoring/prometheus/unifi-exporter.nix
+++ b/nixos/modules/services/monitoring/prometheus/unifi-exporter.nix
@@ -0,0 +1,104 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.prometheus.unifiExporter;
 in {
  options = {
    services.prometheus.unifiExporter = {
      enable = mkEnableOption "prometheus unifi exporter";
      port = mkOption {
        type = types.int;
        default = 9130;
        description = ''
          Port to listen on.
        '';
      };
      unifiAddress = mkOption {
        type = types.str;
        example = "https://10.0.0.1:8443";
        description = ''
          URL of the UniFi Controller API.
        '';
      };
      unifiInsecure = mkOption {
        type = types.bool;
        default = false;
        description = ''
          If enabled skip the verification of the TLS certificate of the UniFi Controller API.
          Use with caution.
        '';
      };
      unifiUsername = mkOption {
        type = types.str;
        example = "ReadOnlyUser";
        description = ''
          username for authentication against UniFi Controller API.
        '';
      };
      unifiPassword = mkOption {
        type = types.str;
        description = ''
          Password for authentication against UniFi Controller API.
        '';
      };
      unifiTimeout = mkOption {
        type = types.str;
        default = "5s";
        example = "2m";
        description = ''
          Timeout including unit for UniFi Controller API requests.
        '';
      };
      extraFlags = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Extra commandline options when launching the unifi exporter.
        '';
      };
      openFirewall = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Open port in firewall for incoming connections.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = optional cfg.openFirewall cfg.port;
    systemd.services.prometheus-unifi-exporter = {
      description = "Prometheus exporter for UniFi Controller metrics";
      unitConfig.Documentation = "https://github.com/mdlayher/unifi_exporter";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User = "nobody";
        Restart = "always";
        PrivateTmp = true;
        WorkingDirectory = /tmp;
        ExecStart = ''
          ${pkgs.prometheus-unifi-exporter}/bin/unifi_exporter \
            -telemetry.addr :${toString cfg.port} \
            -unifi.addr ${cfg.unifiAddress} \
            -unifi.username ${cfg.unifiUsername} \
            -unifi.password ${cfg.unifiPassword} \
            -unifi.timeout ${cfg.unifiTimeout} \
            ${optionalString cfg.unifiInsecure "-unifi.insecure" } \
            ${concatStringsSep " \\\n  " cfg.extraFlags}
        '';
      };
    };
  };
 }
--- a/nixos/modules/services/network-filesystems/openafs-client/default.nix
+++ b/nixos/modules/services/network-filesystems/openafs-client/default.nix
@@ -76,6 +76,7 @@ in
      description = "AFS client";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = { RemainAfterExit = true; };
      preStart = ''
        mkdir -p -m 0755 /afs
--- a/nixos/modules/services/networking/aiccu.nix
+++ b/nixos/modules/services/networking/aiccu.nix
@@ -35,7 +35,6 @@ in {
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = "Enable aiccu IPv6 over IPv4 SiXXs tunnel";
      };
@@ -88,21 +87,18 @@ in {
      verbose = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = "Be verbose?";
      };
      automatic = mkOption {
        type = types.bool;
        default = true;
        example = false;
        description = "Automatic Login and Tunnel activation";
      };
      requireTLS = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          When set to true, if TLS is not supported on the server
          the TIC transaction will fail.
@@ -124,7 +120,6 @@ in {
      defaultRoute = mkOption {
        type = types.bool;
        default = true;
        example = false;
        description = "Add a default route";
      };
@@ -138,7 +133,6 @@ in {
      makeHeartBeats = mkOption {
        type = types.bool;
        default = true;
        example = false;
        description = ''
          In general you don't want to turn this off
          Of course only applies to AYIYA and heartbeat tunnels not to static ones
@@ -148,21 +142,18 @@ in {
      noConfigure = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = "Don't configure anything";
      };
      behindNAT = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = "Notify the user that a NAT-kind network is detected";
      };
      localIPv4Override = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Overrides the IPv4 parameter received from TIC
          This allows one to configure a NAT into "DMZ" mode and then
--- a/nixos/modules/services/networking/btsync.nix
+++ b/nixos/modules/services/networking/btsync.nix
@@ -208,7 +208,6 @@ in
      storagePath = mkOption {
        type = types.path;
        default = "/var/lib/btsync/";
        example = "/var/lib/btsync/";
        description = ''
          Where BitTorrent Sync will store it's database files (containing
          things like username info and licenses). Generally, you should not
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -2,12 +2,9 @@
 with lib;
 let
  apparmorEnabled = config.security.apparmor.enable;
  dnscrypt-proxy = pkgs.dnscrypt-proxy;
  cfg = config.services.dnscrypt-proxy;
  stateDirectory = "/var/lib/dnscrypt-proxy";
-  localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
+  stateDirectory = "/var/lib/dnscrypt-proxy";
  # The minisign public key used to sign the upstream resolver list.
  # This is somewhat more flexible than preloading the key as an
@@ -17,31 +14,33 @@ let
    sha256 = "18lnp8qr6ghfc2sd46nn1rhcpr324fqlvgsp4zaigw396cd7vnnh";
  };
-  # Internal flag indicating whether the upstream resolver list is used
+  # Internal flag indicating whether the upstream resolver list is used.
-  useUpstreamResolverList = cfg.resolverList == null && cfg.customResolver == null;
+  useUpstreamResolverList = cfg.customResolver == null;
-  resolverList =
+  # The final local address.
-    if (cfg.resolverList != null)
+  localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
      then cfg.resolverList
      else "${stateDirectory}/dnscrypt-resolvers.csv";
-  resolverArgs = if (cfg.customResolver != null)
+  # The final resolvers list path.
-    then
+  resolverList = "${stateDirectory}/dnscrypt-resolvers.csv";
-      [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}"
+
-        "--provider-name=${cfg.customResolver.name}"
+  # Build daemon command line
-        "--provider-key=${cfg.customResolver.key}"
+
-      ]
+  resolverArgs =
-    else
+    if (cfg.customResolver == null)
-      [ "--resolvers-list=${resolverList}"
+      then
-        "--resolver-name=${cfg.resolverName}"
+        [ "-L ${resolverList}"
-      ];
+          "-R ${cfg.resolverName}"
        ]
      else with cfg.customResolver;
        [ "-N ${name}"
          "-k ${key}"
          "-r ${address}:${toString port}"
        ];
  # The final command line arguments passed to the daemon
  daemonArgs =
-    [ "--local-address=${localAddress}" ]
+       [ "-a ${localAddress}" ]
-    ++ optional cfg.tcpOnly "--tcp-only"
+    ++ resolverArgs
-    ++ optional cfg.ephemeralKeys "-E"
+    ++ cfg.extraArgs;
    ++ resolverArgs;
 in
 {
@@ -51,6 +50,9 @@ in
  };
  options = {
    # Before adding another option, consider whether it could
    # equally well be passed via extraArgs.
    services.dnscrypt-proxy = {
      enable = mkOption {
        default = false;
@@ -83,19 +85,11 @@ in
        default = "dnscrypt.eu-nl";
        type = types.nullOr types.str;
        description = ''
-          The name of the upstream DNSCrypt resolver to use, taken from
+          The name of the DNSCrypt resolver to use, taken from
-          <filename>${resolverList}</filename>.  The default resolver is
+          <filename>${resolverList}</filename>.  The default
-          located in Holland, supports DNS security extensions, and
+          resolver is located in Holland, supports DNS security
-          <emphasis>claims</emphasis> to not keep logs.
+          extensions, and <emphasis>claims</emphasis> to not
-        '';
+          keep logs.
      };
      resolverList = mkOption {
        default = null;
        type = types.nullOr types.path;
        description = ''
          List of DNSCrypt resolvers.  The default is to use the list of
          public resolvers provided by upstream.
        '';
      };
@@ -121,7 +115,7 @@ in
          name = mkOption {
            type = types.str;
            description = "Fully qualified domain name";
-            example = "2.dnscrypt-cert.opendns.com";
+            example = "2.dnscrypt-cert.example.com";
          };
          key = mkOption {
@@ -132,39 +126,72 @@ in
        }; }));
      };
-      tcpOnly = mkOption {
+      extraArgs = mkOption {
-        default = false;
+        default = [];
-        type = types.bool;
+        type = types.listOf types.str;
        description = ''
-          Force sending encrypted DNS queries to the upstream resolver over
+          Additional command-line arguments passed verbatim to the daemon.
-          TCP instead of UDP (on port 443). Use only if the UDP port is blocked.
+          See <citerefentry><refentrytitle>dnscrypt-proxy</refentrytitle>
-        '';
+          <manvolnum>8</manvolnum></citerefentry> for details.
      };
      ephemeralKeys = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Compute a new key pair for every query.  Enabling this option
          increases CPU usage, but makes it more difficult for the upstream
          resolver to track your usage of their service across IP addresses.
          The default is to re-use the public key pair for all queries, making
          tracking trivial.
        '';
        example = [ "-X libdcplugin_example_cache.so,--min-ttl=60" ];
      };
    };
  };
-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [{
    assertions = [
      { assertion = (cfg.customResolver != null) || (cfg.resolverName != null);
        message   = "please configure upstream DNSCrypt resolver";
      }
    ];
-    security.apparmor.profiles = optional apparmorEnabled (pkgs.writeText "apparmor-dnscrypt-proxy" ''
+    users.users.dnscrypt-proxy = {
-      ${dnscrypt-proxy}/bin/dnscrypt-proxy {
+      description = "dnscrypt-proxy daemon user";
      isSystemUser = true;
      group = "dnscrypt-proxy";
    };
    users.groups.dnscrypt-proxy = {};
    systemd.sockets.dnscrypt-proxy = {
      description = "dnscrypt-proxy listening socket";
      documentation = [ "man:dnscrypt-proxy(8)" ];
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        ListenStream = localAddress;
        ListenDatagram = localAddress;
      };
    };
    systemd.services.dnscrypt-proxy = {
      description = "dnscrypt-proxy daemon";
      documentation = [ "man:dnscrypt-proxy(8)" ];
      before = [ "nss-lookup.target" ];
      after = [ "network.target" ];
      requires = [ "dnscrypt-proxy.socket "];
      serviceConfig = {
        NonBlocking = "true";
        ExecStart = "${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
        User = "dnscrypt-proxy";
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
      };
    };
    }
    (mkIf config.security.apparmor.enable {
    systemd.services.dnscrypt-proxy.after = [ "apparmor.service" ];
    security.apparmor.profiles = singleton (pkgs.writeText "apparmor-dnscrypt-proxy" ''
      ${pkgs.dnscrypt-proxy}/bin/dnscrypt-proxy {
        /dev/null rw,
        /dev/urandom r,
@@ -180,6 +207,8 @@ in
        network inet dgram,
        network inet6 dgram,
        ${getLib pkgs.dnscrypt-proxy}/lib/dnscrypt-proxy/libdcplugin*.so mr,
        ${getLib pkgs.gcc.cc}/lib/libssp.so.* mr,
        ${getLib pkgs.libsodium}/lib/libsodium.so.* mr,
        ${getLib pkgs.systemd}/lib/libsystemd.so.* mr,
@@ -188,102 +217,106 @@ in
        ${getLib pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
        ${getLib pkgs.libcap}/lib/libcap.so.* mr,
        ${getLib pkgs.lz4}/lib/liblz4.so.* mr,
-        ${getLib pkgs.attr}/lib/libattr.so.* mr,
+        ${getLib pkgs.attr}/lib/libattr.so.* mr, # */
        ${resolverList} r,
        /run/systemd/notify rw,
      }
    '');
    })
-    users.users.dnscrypt-proxy = {
+    (mkIf useUpstreamResolverList {
-      description = "dnscrypt-proxy daemon user";
+    systemd.services.init-dnscrypt-proxy-statedir = {
      isSystemUser = true;
      group = "dnscrypt-proxy";
    };
    users.groups.dnscrypt-proxy = {};
    systemd.services.init-dnscrypt-proxy-statedir = optionalAttrs useUpstreamResolverList {
      description = "Initialize dnscrypt-proxy state directory";
      wantedBy = [ "dnscrypt-proxy.service" ];
      before = [ "dnscrypt-proxy.service" ];
      script = ''
        mkdir -pv ${stateDirectory}
        chown -c dnscrypt-proxy:dnscrypt-proxy ${stateDirectory}
-        cp --preserve=timestamps -uv \
+        cp -uv \
          ${pkgs.dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv \
          ${stateDirectory}
      '';
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
    };
-    systemd.services.update-dnscrypt-resolvers = optionalAttrs useUpstreamResolverList {
+    systemd.services.update-dnscrypt-resolvers = {
      description = "Update list of DNSCrypt resolvers";
      requires = [ "init-dnscrypt-proxy-statedir.service" ];
      after = [ "init-dnscrypt-proxy-statedir.service" ];
-      path = with pkgs; [ curl minisign ];
+      path = with pkgs; [ curl diffutils dnscrypt-proxy minisign ];
      script = ''
        cd ${stateDirectory}
-        curl -fSsL -o dnscrypt-resolvers.csv.tmp \
+        domain=raw.githubusercontent.com
-          https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
+        get="curl -fSs --resolve $domain:443:$(hostip -r 8.8.8.8 $domain | head -1)"
-        curl -fSsL -o dnscrypt-resolvers.csv.minisig.tmp \
+        $get -o dnscrypt-resolvers.csv.tmp \
-          https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv.minisig
+          https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv
        $get -o dnscrypt-resolvers.csv.minisig.tmp \
          https://$domain/jedisct1/dnscrypt-proxy/master/dnscrypt-resolvers.csv.minisig
        mv dnscrypt-resolvers.csv.minisig{.tmp,}
-        minisign -q -V -p ${upstreamResolverListPubKey} \
+        if ! minisign -q -V -p ${upstreamResolverListPubKey} \
-          -m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig
+          -m dnscrypt-resolvers.csv.tmp -x dnscrypt-resolvers.csv.minisig ; then
          echo "failed to verify resolver list!" >&2
          exit 1
        fi
        [[ -f dnscrypt-resolvers.csv ]] && mv dnscrypt-resolvers.csv{,.old}
        mv dnscrypt-resolvers.csv{.tmp,}
        if cmp dnscrypt-resolvers.csv{,.old} ; then
          echo "no change"
        else
          echo "resolver list updated"
        fi
      '';
      serviceConfig = {
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
-        ProtectSystem = true;
+        ProtectSystem = "strict";
        ReadWritePaths = "${dirOf stateDirectory} ${stateDirectory}";
        SystemCallFilter = "~@mount";
      };
    };
-    systemd.timers.update-dnscrypt-resolvers = optionalAttrs useUpstreamResolverList {
+    systemd.timers.update-dnscrypt-resolvers = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "5min";
        OnUnitActiveSec = "6h";
      };
      wantedBy = [ "timers.target" ];
    };
    })
    ]);
-    systemd.sockets.dnscrypt-proxy = {
+  imports = [
-      description = "dnscrypt-proxy listening socket";
+    (mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ])
      socketConfig = {
        ListenStream = localAddress;
        ListenDatagram = localAddress;
      };
      wantedBy = [ "sockets.target" ];
    };
-    systemd.services.dnscrypt-proxy = {
+    (mkChangedOptionModule
-      description = "dnscrypt-proxy daemon";
+      [ "services" "dnscrypt-proxy" "tcpOnly" ]
      [ "services" "dnscrypt-proxy" "extraArgs" ]
      (config:
        let val = getAttrFromPath [ "services" "dnscrypt-proxy" "tcpOnly" ] config; in
        optional val "-T"))
-      before = [ "nss-lookup.target" ];
+    (mkChangedOptionModule
      [ "services" "dnscrypt-proxy" "ephemeralKeys" ]
      [ "services" "dnscrypt-proxy" "extraArgs" ]
      (config:
        let val = getAttrFromPath [ "services" "dnscrypt-proxy" "ephemeralKeys" ] config; in
        optional val "-E"))
-      after = [ "network.target" ]
+    (mkRemovedOptionModule [ "services" "dnscrypt-proxy" "resolverList" ] ''
-        ++ optional apparmorEnabled "apparmor.service"
+      The current resolver listing from upstream is always used
-        ++ optional useUpstreamResolverList "init-dnscrypt-proxy-statedir.service";
+      unless a custom resolver is specified.
-
+    '')
-      requires = [ "dnscrypt-proxy.socket "]
+  ];
        ++ optional apparmorEnabled "apparmor.service"
        ++ optional useUpstreamResolverList "init-dnscrypt-proxy-statedir.service";
      serviceConfig = {
        Type = "simple";
        NonBlocking = "true";
        ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
        User = "dnscrypt-proxy";
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectHome = true;
      };
    };
  };
 }
--- a/nixos/modules/services/networking/dnscrypt-proxy.xml
+++ b/nixos/modules/services/networking/dnscrypt-proxy.xml
@@ -31,15 +31,12 @@
  </sect1>
-  <sect1><title>As a forwarder for a caching DNS client</title>
+  <sect1><title>As a forwarder for another DNS client</title>
  <para>
-    By default, DNSCrypt proxy acts as a transparent proxy for the
+    To run the DNSCrypt proxy client as a forwarder for another
-    system stub resolver. Because the client does not cache lookups, this
+    DNS client, change the default proxy listening port to a
-    setup can significantly slow down e.g., web browsing. The recommended
+    non-standard value and point the other client to it:
    configuration is to run DNSCrypt proxy as a forwarder for a caching DNS
    client. To achieve this, change the default proxy listening port to
    a non-standard value and point the caching client to it:
    <programlisting>
      services.dnscrypt-proxy.localPort = 43;
    </programlisting>
@@ -60,7 +57,6 @@
  <para>
    <programlisting>
      {
        networking.nameservers = [ "127.0.0.1" ];
        services.unbound.enable = true;
        services.unbound.forwardAddresses = [ "127.0.0.1@43" ];
      }
--- a/nixos/modules/services/networking/ferm.nix
+++ b/nixos/modules/services/networking/ferm.nix
@@ -19,7 +19,6 @@ in {
    services.ferm = {
      enable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Whether to enable Ferm Firewall.
--- a/nixos/modules/services/networking/firefox/sync-server.nix
+++ b/nixos/modules/services/networking/firefox/sync-server.nix
@@ -33,7 +33,6 @@ in
      enable = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether to enable a Firefox Sync Server, this give the opportunity to
          Firefox users to store all synchronized data on their own server. To use this
@@ -78,7 +77,6 @@ in
      allowNewUsers = mkOption {
        type = types.bool;
        default = true;
        example = false;
        description = ''
          Whether to allow new-user signups on the server. Only request by
          existing accounts will be honored.
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -147,7 +147,6 @@ in
      allowAnonymous = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Allow clients to connect without authentication.
--- a/nixos/modules/services/networking/nftables.nix
+++ b/nixos/modules/services/networking/nftables.nix
@@ -17,6 +17,17 @@ in
          This conflicts with the standard networking firewall, so make sure to
          disable it before using nftables.
          Note that if you have Docker enabled you will not be able to use
          nftables without intervention. Docker uses iptables internally to
          setup NAT for containers. This module disables the ip_tables kernel
          module, however Docker automatically loads the module. Please see [1]
          for more information.
          There are other programs that use iptables internally too, such as
          libvirt.
          [1]: https://github.com/NixOS/nixpkgs/issues/24318#issuecomment-289216273
        '';
    };
    networking.nftables.ruleset = mkOption {
--- a/nixos/modules/services/networking/quagga.nix
+++ b/nixos/modules/services/networking/quagga.nix
@@ -104,7 +104,6 @@ in
        enable = mkOption {
          type = types.bool;
          default = any isEnabled services;
          example = true;
          description = ''
            Whether to enable the Zebra routing manager.
--- a/nixos/modules/services/networking/searx.nix
+++ b/nixos/modules/services/networking/searx.nix
@@ -19,6 +19,7 @@ in
    services.searx = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = "
          Whether to enable the Searx server. See https://github.com/asciimoo/searx
@@ -26,6 +27,7 @@ in
      };
      configFile = mkOption {
        type = types.path;
        default = "";
        description = "
          The path of the Searx server configuration file. If no file
@@ -35,7 +37,9 @@ in
      };
      package = mkOption {
        type = types.package;
        default = pkgs.pythonPackages.searx;
        defaultText = "pkgs.pythonPackages.searx";
        description = "searx package to use.";
      };
--- a/nixos/modules/services/networking/znc.nix
+++ b/nixos/modules/services/networking/znc.nix
@@ -132,7 +132,6 @@ in
    services.znc = {
      enable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Enable a ZNC service for a user.
@@ -251,7 +250,6 @@ in
        useSSL = mkOption {
          default = true;
          example = true;
          type = types.bool;
          description = ''
            Indicates whether the ZNC server should use SSL when listening on the specified port. A self-signed certificate will be generated.
@@ -278,7 +276,6 @@ in
      mutable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Indicates whether to allow the contents of the `dataDir` directory to be changed
--- a/nixos/modules/services/scheduling/cron.nix
+++ b/nixos/modules/services/scheduling/cron.nix
@@ -39,7 +39,7 @@ in
      enable = mkOption {
        type = types.bool;
-        example = true;
+        default = false;
        description = "Whether to enable the Vixie cron daemon.";
      };
--- a/nixos/modules/services/scheduling/fcron.nix
+++ b/nixos/modules/services/scheduling/fcron.nix
@@ -23,7 +23,8 @@ let
  allowdeny = target: users:
    { source = pkgs.writeText "fcron.${target}" (concatStringsSep "\n" users);
      target = "fcron.${target}";
-      mode = "600"; # fcron has some security issues.. So I guess this is most safe
+      mode = "644";
      gid = config.ids.gids.fcron;
    };
 in
@@ -89,7 +90,7 @@ in
      [ (allowdeny "allow" (cfg.allow))
        (allowdeny "deny" cfg.deny)
        # see man 5 fcron.conf
-        { source = pkgs.writeText "fcon.conf" ''
+        { source = pkgs.writeText "fcron.conf" ''
            fcrontabs   =       /var/spool/fcron
            pidfile     =       /var/run/fcron.pid
            fifofile    =       /var/run/fcron.fifo
@@ -97,16 +98,40 @@ in
            fcrondeny   =       /etc/fcron.deny
            shell       =       /bin/sh
            sendmail    =       /run/wrappers/bin/sendmail
-            editor      =       /run/current-system/sw/bin/vi
+            editor      =       ${pkgs.vim}/bin/vim
          '';
          target = "fcron.conf";
-          mode = "0600"; # max allowed is 644
+          gid = config.ids.gids.fcron;
          mode = "0644";
        }
      ];
    environment.systemPackages = [ pkgs.fcron ];
    users.extraUsers.fcron = {
      uid = config.ids.uids.fcron;
      home = "/var/spool/fcron";
      group = "fcron";
    };
    users.groups.fcron.gid = config.ids.gids.fcron;
-    security.wrappers.fcrontab.source = "${pkgs.fcron.out}/bin/fcrontab";
+    security.wrappers = {
      fcrontab = {
        source = "${pkgs.fcron}/bin/fcrontab";
        owner = "fcron";
        group = "fcron";
        setgid = true;
      };
      fcrondyn = {
        source = "${pkgs.fcron}/bin/fcrondyn";
        owner = "fcron";
        group = "fcron";
        setgid = true;
      };
      fcronsighup = {
        source = "${pkgs.fcron}/bin/fcronsighup";
        group = "fcron";
      };
    };
    systemd.services.fcron = {
      description = "fcron daemon";
      after = [ "local-fs.target" ];
@@ -118,14 +143,17 @@ in
      };
      preStart = ''
-        ${pkgs.coreutils}/bin/mkdir -m 0700 -p /var/spool/fcron
+        ${pkgs.coreutils}/bin/mkdir -m 0770 -p /var/spool/fcron
        ${pkgs.coreutils}/bin/chown -R fcron:fcron /var/spool/fcron
        # load system crontab file
-        ${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab}
+        set -x
        #${pkgs.fcron}/bin/fcrontab -u systab ${pkgs.writeText "systab" cfg.systab}
      '';
-      serviceConfig.Type = "forking";
+      serviceConfig = {
-
+        Type = "forking";
-      script = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}";
+        ExecStart = "${pkgs.fcron}/sbin/fcron -m ${toString cfg.maxSerialJobs} ${queuelen}";
      };
    };
  };
 }
--- a/nixos/modules/services/security/haka.nix
+++ b/nixos/modules/services/security/haka.nix
@@ -99,7 +99,6 @@ in
      pcap = mkOption {
        default = true;
        example = false;
        type = types.bool;
        description = "Whether to enable pcap";
      };
--- a/nixos/modules/services/security/physlock.nix
+++ b/nixos/modules/services/security/physlock.nix
@@ -26,17 +26,7 @@ in
          This will switch to a new virtual terminal, turn off console
          switching and disable SysRq mechanism (when
          <option>services.physlock.disableSysRq</option> is set)
-          until the root or <option>services.physlock.user</option>
+          until the root or user password is given.
          password is given.
        '';
      };
      user = mkOption {
        type = types.nullOr types.str;
        default = null;
        description = ''
          User whose password will be used to unlock the screen on par
          with the root password.
        '';
      };
@@ -105,7 +95,7 @@ in
              ++ cfg.lockOn.extraTargets;
      serviceConfig.Type = "forking";
      script = ''
-        ${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}${optionalString (cfg.user != null) " -u ${cfg.user}"}
+        ${pkgs.physlock}/bin/physlock -d${optionalString cfg.disableSysRq "s"}
      '';
    };
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -12,6 +12,10 @@ let
  torRc = ''
    User tor
    DataDirectory ${torDirectory}
    ${optionalString cfg.enableGeoIP ''
      GeoIPFile ${pkgs.tor.geoip}/share/tor/geoip
      GeoIPv6File ${pkgs.tor.geoip}/share/tor/geoip6
    ''}
    ${optint "ControlPort" cfg.controlPort}
  ''
@@ -58,6 +62,18 @@ in
        '';
      };
      enableGeoIP = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Whenever to configure Tor daemon to use GeoIP databases.
          Disabling this will disable by-country statistics for
          bridges and relays and some client and third-party software
          functionality.
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
@@ -124,6 +140,7 @@ in
        };
        privoxy.enable = mkOption {
          type = types.bool;
          default = true;
          description = ''
            Whether to enable and configure the system Privoxy to use Tor's
--- a/nixos/modules/services/security/torify.nix
+++ b/nixos/modules/services/security/torify.nix
@@ -19,15 +19,23 @@ in
 {
  ###### interface
-  
+
  options = {
-  
+
    services.tor.tsocks = {
      enable = mkOption {
-        default = cfg.enable && cfg.client.enable;
+        default = false;
        description = ''
-          Whether to build tsocks wrapper script to relay application traffic via TOR.
+          Whether to build tsocks wrapper script to relay application traffic via Tor.
          <important>
            <para>You shouldn't use this unless you know what you're
            doing because your installation of Tor already comes with
            its own superior (doesn't leak DNS queries)
            <literal>torsocks</literal> wrapper which does pretty much
            exactly the same thing as this.</para>
          </important>
        '';
      };
--- a/nixos/modules/services/torrent/deluge.nix
+++ b/nixos/modules/services/torrent/deluge.nix
@@ -13,7 +13,6 @@ in {
      deluge = {
        enable = mkOption {
          default = false;
          example = true;
          description = "Start the Deluge daemon";
        };
@@ -29,7 +28,6 @@ in {
      deluge.web = {
        enable = mkOption {
          default = false;
          example = true;
          description = ''
            Start Deluge Web daemon.
          '';
--- a/nixos/modules/services/ttys/kmscon.nix
+++ b/nixos/modules/services/ttys/kmscon.nix
@@ -76,7 +76,7 @@ in {
          ln -s ${config.systemd.units."kmsconvt@.service".unit}/kmsconvt@.service $out/autovt@.service
        '';
-    systemd.services.systemd-vconsole-setup.restartIfChanged = false;
+    systemd.services.systemd-vconsole-setup.enable = false;
    services.kmscon.extraConfig = mkIf cfg.hwRender ''
      drm
--- a/nixos/modules/services/web-apps/atlassian/crowd.nix
+++ b/nixos/modules/services/web-apps/atlassian/crowd.nix
@@ -88,7 +88,6 @@ in
        secure = mkOption {
          type = types.bool;
          default = true;
          example = false;
          description = "Whether the connections to the proxy should be considered secure.";
        };
      };
--- a/nixos/modules/services/web-apps/atlassian/jira.nix
+++ b/nixos/modules/services/web-apps/atlassian/jira.nix
@@ -78,7 +78,6 @@ in
        secure = mkOption {
          type = types.bool;
          default = true;
          example = false;
          description = "Whether the connections to the proxy should be considered secure.";
        };
      };
--- a/nixos/modules/services/web-apps/pump.io-configure.js
+++ b/nixos/modules/services/web-apps/pump.io-configure.js
@@ -0,0 +1,23 @@
 var fs = require('fs');
 var opts = JSON.parse(fs.readFileSync("/dev/stdin").toString());
 var config = opts.config;
 var readSecret = function(filename) {
  return fs.readFileSync(filename).toString().trim();
 };
 if (opts.secretFile) {
  config.secret = readSecret(opts.secretFile);
 }
 if (opts.dbPasswordFile) {
  config.params.dbpass = readSecret(opts.dbPasswordFile);
 }
 if (opts.smtpPasswordFile) {
  config.smtppass = readSecret(opts.smtpPasswordFile);
 }
 if (opts.spamClientSecretFile) {
  config.spamclientsecret = readSecret(opts.opts.spamClientSecretFile);
 }
 fs.writeFileSync(opts.outputFile, JSON.stringify(config));
--- a/nixos/modules/services/web-apps/pump.io.nix
+++ b/nixos/modules/services/web-apps/pump.io.nix
@@ -5,71 +5,74 @@ with lib;
 let
  cfg = config.services.pumpio;
  dataDir = "/var/lib/pump.io";
  runDir = "/run/pump.io";
  user = "pumpio";
  optionalSet = condition: value: if condition then value else {};
  configScript = ./pump.io-configure.js;
  configOptions = {
-    driver = if cfg.driver == "disk" then null else cfg.driver;
+    outputFile = "${runDir}/config.json";
-    params = ({ } //
+    config =
-    (if cfg.driver == "disk" then {
+      (optionalSet (cfg.driver != "disk") {
-      dir = dataDir;
+        driver = cfg.driver;
-     } else { }) //
+      }) //
-    (if cfg.driver == "mongodb" || cfg.driver == "redis" then {
+      {
-       host = cfg.dbHost;
+        params = (optionalSet (cfg.driver == "disk") { dir = dataDir; }) //
-       port = cfg.dbPort;
+                 (optionalSet (cfg.driver == "mongodb" || cfg.driver == "redis") {
-       dbname = cfg.dbName;
+                   host = cfg.dbHost;
-       dbuser = cfg.dbUser;
+                   port = cfg.dbPort;
-       dbpass = cfg.dbPassword;
+                   dbname = cfg.dbName;
-     } else { }) //
+                   dbuser = cfg.dbUser;
-    (if cfg.driver == "memcached" then {
+                   dbpass = cfg.dbPassword;
-       host = cfg.dbHost;
+                 }) //
-       port = cfg.dbPort;
+                 (optionalSet (cfg.driver == "memcached") {
-     } else { }) //
+                   host = cfg.dbHost;
-     cfg.driverParams);
+                   port = cfg.dbPort;
                 }) // cfg.driverParams;
        secret = cfg.secret;
-    secret = cfg.secret;
+        address = cfg.address;
        port = cfg.port;
-    address = cfg.address;
+        noweb = false;
-    port = cfg.port;
+        urlPort = cfg.urlPort;
        hostname = cfg.hostname;
        favicon = cfg.favicon;
-    noweb = false;
+        site = cfg.site;
-    urlPort = cfg.urlPort;
+        owner = cfg.owner;
-    hostname = cfg.hostname;
+        ownerURL = cfg.ownerURL;
    favicon = cfg.favicon;
-    site = cfg.site;
+        key = cfg.sslKey;
-    owner = cfg.owner;
+        cert = cfg.sslCert;
-    ownerURL = cfg.ownerURL;
+        bounce = false;
-    key = cfg.sslKey;
+        spamhost = cfg.spamHost;
-    cert = cfg.sslCert;
+        spamclientid = cfg.spamClientId;
-    bounce = false;
+        spamclientsecret = cfg.spamClientSecret;
-    spamhost = cfg.spamHost;
+        requireEmail = cfg.requireEmail;
-    spamclientid = cfg.spamClientId;
+        smtpserver = cfg.smtpHost;
-    spamclientsecret = cfg.spamClientSecret;
+        smtpport = cfg.smtpPort;
        smtpuser = cfg.smtpUser;
        smtppass = cfg.smtpPassword;
        smtpusessl = cfg.smtpUseSSL;
        smtpfrom = cfg.smtpFrom;
-    requireEmail = cfg.requireEmail;
+        nologger = false;
-    smtpserver = cfg.smtpHost;
+        enableUploads = cfg.enableUploads;
-    smtpport = cfg.smtpPort;
+        datadir = dataDir;
-    smtpuser = cfg.smtpUser;
+        debugClient = false;
-    smtppass = cfg.smtpPassword;
+        firehose = cfg.firehose;
-    smtpusessl = cfg.smtpUseSSL;
+        disableRegistration = cfg.disableRegistration;
    smtpfrom = cfg.smtpFrom;
-    nologger = false;
+        inherit (cfg) secretFile dbPasswordFile smtpPasswordFile spamClientSecretFile;
-    uploaddir =  "${dataDir}/uploads";
+      } //
-    debugClient = false;
+      (optionalSet (cfg.port < 1024) {
-    firehose = cfg.firehose;
+        serverUser = user;  # have pump.io listen then drop privileges
-    disableRegistration = cfg.disableRegistration;
+      }) // cfg.extraConfig;
-  } //
+}; in {
  (if cfg.port < 1024 then {
    serverUser = user;  # have pump.io listen then drop privileges
   } else { }) //
  cfg.extraConfig;
 in
 {
  options = {
    services.pumpio = {
@@ -77,7 +80,8 @@ in
      enable = mkEnableOption "Pump.io social streams server";
      secret = mkOption {
-        type = types.str;
+        type = types.nullOr types.str;
        default = null;
        example = "my dog has fleas";
        description = ''
          A session-generating secret, server-wide password.  Warning:
@@ -85,6 +89,16 @@ in
        '';
      };
      secretFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/run/keys/pump.io-secret";
        description = ''
          A file containing the session-generating secret,
          server-wide password.
        '';
      };
      site = mkOption {
        type = types.str;
        example = "Awesome Sauce";
@@ -125,7 +139,7 @@ in
      hostname = mkOption {
        type = types.nullOr types.str;
-        default = null;
+        default = "localhost";
        description = ''
          The hostname of the server, used for generating
          URLs. Defaults to "localhost" which doesn't do much for you.
@@ -152,6 +166,15 @@ in
        '';
      };
      enableUploads = mkOption {
        type = types.bool;
        default = true;
        description = ''
          If you want to disable file uploads, set this to false. Uploaded files will be stored
          in ${dataDir}/uploads.
        '';
      };
      sslKey = mkOption {
        type = types.path;
        example = "${dataDir}/myserver.key";
@@ -253,6 +276,15 @@ in
        '';
      };
      dbPasswordFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/run/keys/pump.io-dbpassword";
        description = ''
          A file containing the password corresponding to dbUser.
        '';
      };
      smtpHost = mkOption {
        type = types.nullOr types.str;
        default = null;
@@ -291,6 +323,17 @@ in
        '';
      };
      smtpPasswordFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/run/keys/pump.io-smtppassword";
        description = ''
          A file containing the password used to connect to SMTP
          server. Might not be necessary for some servers.
        '';
      };
      smtpUseSSL = mkOption {
        type = types.bool;
        default = false;
@@ -332,24 +375,55 @@ in
          stored in cleartext in the Nix store!
        '';
      };
      spamClientSecretFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        example = "/run/keys/pump.io-spamclientsecret";
        description = ''
          A file containing the OAuth key for the spam server.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    warnings = let warn = k: optional (cfg.${k} != null)
                 "config.services.pumpio.${k} is insecure. Use ${k}File instead.";
               in concatMap warn [ "secret" "dbPassword" "smtpPassword" "spamClientSecret" ];
    assertions = [
      { assertion = !(isNull cfg.secret && isNull cfg.secretFile);
        message = "pump.io needs a secretFile configured";
      }
    ];
    systemd.services."pump.io" =
-      { description = "pump.io social network stream server";
+      { description = "Pump.io - stream server that does most of what people really want from a social network";
        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.ExecStart = "${pkgs.pumpio}/bin/pump -c /etc/pump.io.json";
        serviceConfig.User = if cfg.port < 1024 then "root" else user;
        serviceConfig.Group = user;
      };
-      environment.etc."pump.io.json" = {
+        preStart = ''
-        mode = "0440";
+          mkdir -p ${dataDir}/uploads
-        gid = config.ids.gids.pumpio;
+          mkdir -p ${runDir}
-        text = builtins.toJSON configOptions;
+          chown pumpio:pumpio ${dataDir}/uploads ${runDir}
          chmod 770 ${dataDir}/uploads ${runDir}
          ${pkgs.nodejs}/bin/node ${configScript} <<EOF
          ${builtins.toJSON configOptions}
          EOF
          chgrp pumpio ${configOptions.outputFile}
          chmod 640 ${configOptions.outputFile}
        '';
        serviceConfig = {
          ExecStart = "${pkgs.pumpio}/bin/pump -c ${configOptions.outputFile}";
          PermissionsStartOnly = true;
          User = if cfg.port < 1024 then "root" else user;
          Group = user;
        };
        environment = { NODE_ENV = "production"; };
      };
      users.extraGroups.pumpio.gid = config.ids.gids.pumpio;
--- a/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/wordpress.nix
@@ -4,11 +4,6 @@
 with lib;
 let
  # Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
  version = "4.7.2";
  fullversion = "${version}";
  # Our bare-bones wp-config.php file using the above settings
  wordpressConfig = pkgs.writeText "wp-config.php" ''
    <?php
@@ -71,12 +66,7 @@ let
  # The wordpress package itself
  wordpressRoot = pkgs.stdenv.mkDerivation rec {
    name = "wordpress";
-    src = pkgs.fetchFromGitHub {
+    src = config.package;
      owner = "WordPress";
      repo = "WordPress";
      rev = "${fullversion}";
      sha256 = "0vph12708drf8ww0xd05hpdvbyy7n5gj9ca598lhdhy2i1j6wy32";
    };
    installPhase = ''
      mkdir -p $out
      # copy all the wordpress files we downloaded
@@ -122,6 +112,14 @@ in
  enablePHP = true;
  options = {
    package = mkOption {
      type = types.path;
      default = pkgs.wordpress;
      description = ''
        Path to the wordpress sources.
        Upgrading? We have a test! nix-build ./nixos/tests/wordpress.nix
      '';
    };
    dbHost = mkOption {
      default = "localhost";
      description = "The location of the database server.";
--- a/Show More
+++ b/Show More