Merge remote-tracking branch 'upstream/master' into HEAD

2024-12-26 04:43:09 +03:00 · 2017-09-02 23:29:04 +02:00 · 2017-09-02 23:29:04 +02:00 · 0156db2da5
commit 0156db2da5
parent 891a1662aa d784b83005
4456 changed files with 84812 additions and 61072 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1,23 @@
 # CODEOWNERS file
 #
 # This file is used to describe who owns what in this repository. This file does not
 # replace `meta.maintainers` but is instead used for other things than derivations
 # and modules, like documentation, package sets, and other assets.
 #
 # For documentation on this file, see https://help.github.com/articles/about-codeowners/
 # Mentioned users will get code review requests.
 # Python-related code and docs
 pkgs/top-level/python-packages.nix	@FRidh
 pkgs/development/interpreters/python/*	@FRidh
 pkgs/development/python-modules/*	@FRidh
 doc/languages-frameworks/python.md	@FRidh
 # Boostraping and core infra
 pkgs/stdenv/	@Ericson2314
 pkgs/build-support/cc-wrapper/	@Ericson2314
 # Darwin-related
 pkgs/stdenv/darwin/*	@copumpkin @LnL7
 pkgs/os-specific/darwin/*	@LnL7
 pkgs/os-specific/darwin/apple-source-releases/*	@copumpkin
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@ -15,7 +15,7 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
 * Format the commits in the following way:
  ```
-  (pkg-name | service-name): (from -> to | init at version | refactor | etc)
+  (pkg-name | nixos/<module>): (from -> to | init at version | refactor | etc)
  (Motivation for change. Additional information.)
  ```
@ -23,11 +23,11 @@ under the terms of [COPYING](../COPYING), which is an MIT-like license.
  Examples:
  * nginx: init at 2.0.1
-  * firefox: 3.0 -> 3.1.1
+  * firefox: 54.0.1 -> 55.0
-  * hydra service: add bazBaz option
+  * nixos/hydra: add bazBaz option
    Dual baz behavior is needed to do foo.
-  * nginx service: refactor config generation
+  * nixos/nginx: refactor config generation
    The old config generation system used impure shell scripts and could break in specific circumstances (see #1234).
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -3,6 +3,8 @@
 ###### Things done
 <!-- Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers. -->
 - [ ] Tested using sandboxing
  ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS,
    or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file)
--- a/.mention-bot
+++ b/.mention-bot
@ -1,14 +0,0 @@
 {
  "userBlacklist": [
    "civodul",
    "jhasse",
    "shlevy",
    "bbenoist"
  ],
  "alwaysNotifyForPaths": [
    { "name": "FRidh", "files": ["pkgs/top-level/python-packages.nix", "pkgs/development/interpreters/python/*", "pkgs/development/python-modules/*" ] },
    { "name": "LnL7", "files": ["pkgs/stdenv/darwin/*", "pkgs/os-specific/darwin/*"] },
    { "name": "copumpkin", "files": ["pkgs/stdenv/darwin/*", "pkgs/os-specific/darwin/apple-source-releases/*"] }
  ],
  "fileBlacklist": ["pkgs/top-level/all-packages.nix"]
 }
--- a/.travis.yml
+++ b/.travis.yml
@ -12,15 +12,21 @@ matrix:
          script:
              - ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball nixpkgs-unstable
              - ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
          env:
            - BUILD_TYPE="Test Nixpkgs evaluation & NixOS manual build"
        - os: linux
          sudo: required
          dist: trusty
          before_script:
              - sudo mount -o remount,exec,size=2G,mode=755 /run/user
          script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
          env:
            - BUILD_TYPE="Build affected packages (Linux)"
        - os: osx
          osx_image: xcode7.3
          script: ./maintainers/scripts/travis-nox-review-pr.sh nox pr
          env:
            - BUILD_TYPE="Build affected packages (macOS)"
 env:
    global:
        - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f
--- a/.version
+++ b/.version
@ -1 +1 @@
-17.09
+18.03
--- a/README.md
+++ b/README.md
@ -38,5 +38,5 @@ For pull-requests, please rebase onto nixpkgs `master`.
 Communication:
-* [Mailing list](http://lists.science.uu.nl/mailman/listinfo/nix-dev)
+* [Mailing list](https://groups.google.com/forum/#!forum/nix-devel)
 * [IRC - #nixos on freenode.net](irc://irc.freenode.net/#nixos)
--- a/doc/coding-conventions.xml
+++ b/doc/coding-conventions.xml
@ -254,7 +254,7 @@ bound to the variable name <varname>e2fsprogs</varname> in
  dash) — e.g., <literal>"hello-0.3.1rc2"</literal>.</para></listitem>
  <listitem><para>If a package is not a release but a commit from a repository, then
-  the version part of the name <emphasis>must</emphasis> be the date of that 
+  the version part of the name <emphasis>must</emphasis> be the date of that
  (fetched) commit. The date must be in <literal>"YYYY-MM-DD"</literal> format.
  Also append <literal>"unstable"</literal> to the name - e.g.,
  <literal>"pkgname-unstable-2014-09-23"</literal>.</para></listitem>
@ -365,7 +365,7 @@ splitting up an existing category.</para>
  <varlistentry>
    <term>If it’s a (set of) <emphasis>tool(s)</emphasis>:</term>
    <listitem>
-      <para>(A tool is a relatively small program, especially one intented
+      <para>(A tool is a relatively small program, especially one intended
      to be used non-interactively.)</para>
      <variablelist>
        <varlistentry>
@ -456,7 +456,7 @@ splitting up an existing category.</para>
  <varlistentry>
    <term>If it’s a <emphasis>window manager</emphasis>:</term>
    <listitem>
-      <para><filename>applications/window-managers</filename> (e.g. <filename>awesome</filename>, <filename>compiz</filename>, <filename>stumpwm</filename>)</para>
+      <para><filename>applications/window-managers</filename> (e.g. <filename>awesome</filename>, <filename>stumpwm</filename>)</para>
    </listitem>
  </varlistentry>
  <varlistentry>
@ -608,7 +608,7 @@ evaluate correctly.</para>
 </section>
 <section xml:id="sec-sources"><title>Fetching Sources</title>
  <para>There are multiple ways to fetch a package source in nixpkgs. The
-    general guidline is that you should package sources with a high degree of
+    general guideline is that you should package sources with a high degree of
    availability. Right now there is only one fetcher which has mirroring
    support and that is <literal>fetchurl</literal>. Note that you should also
    prefer protocols which have a corresponding proxy environment variable.
@ -661,9 +661,9 @@ src = fetchFromGitHub {
 </section>
 <section xml:id="sec-patches"><title>Patches</title>
-  <para>Only patches that are unique to <literal>nixpkgs</literal> should be 
+  <para>Only patches that are unique to <literal>nixpkgs</literal> should be
    included in <literal>nixpkgs</literal> source.</para>
-  <para>Patches available online should be retrieved using 
+  <para>Patches available online should be retrieved using
    <literal>fetchpatch</literal>.</para>
  <para>
 <programlisting>
--- a/doc/configuration.xml
+++ b/doc/configuration.xml
@ -243,5 +243,218 @@ set of packages.
 </section>
 <section xml:id="sec-declarative-package-management">
  <title>Declarative Package Management</title>
  <section xml:id="sec-building-environment">
    <title>Build an environment</title>
    <para>
      Using <literal>packageOverrides</literal>, it is possible to manage
      packages declaratively. This means that we can list all of our desired
      packages within a declarative Nix expression. For example, to have
      <literal>aspell</literal>, <literal>bc</literal>,
      <literal>ffmpeg</literal>, <literal>coreutils</literal>,
      <literal>gdb</literal>, <literal>nixUnstable</literal>,
      <literal>emscripten</literal>, <literal>jq</literal>,
      <literal>nox</literal>, and <literal>silver-searcher</literal>, we could
      use the following in <filename>~/.config/nixpkgs/config.nix</filename>:
    </para>
    <screen>
 {
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ];
    };
  };
 }
    </screen>
    <para>
      To install it into our environment, you can just run <literal>nix-env -iA
      nixpkgs.myPackages</literal>. If you want to load the packages to be built
      from a working copy of <literal>nixpkgs</literal> you just run
      <literal>nix-env -f. -iA myPackages</literal>. To explore what's been
      installed, just look through <filename>~/.nix-profile/</filename>. You can
      see that a lot of stuff has been installed. Some of this stuff is useful
      some of it isn't. Let's tell Nixpkgs to only link the stuff that we want:
    </para>
    <screen>
 {
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [ aspell bc coreutils gdb ffmpeg nixUnstable emscripten jq nox silver-searcher ];
      pathsToLink = [ "/share" "/bin" ];
    };
  };
 }
    </screen>
    <para>
      <literal>pathsToLink</literal> tells Nixpkgs to only link the paths listed
      which gets rid of the extra stuff in the profile.
      <filename>/bin</filename> and <filename>/share</filename> are good
      defaults for a user environment, getting rid of the clutter. If you are
      running on Nix on MacOS, you may want to add another path as well,
      <filename>/Applications</filename>, that makes GUI apps available.
    </para>
  </section>
  <section xml:id="sec-getting-documentation">
    <title>Getting documentation</title>
    <para>
      After building that new environment, look through
      <filename>~/.nix-profile</filename> to make sure everything is there that
      we wanted. Discerning readers will note that some files are missing. Look
      inside <filename>~/.nix-profile/share/man/man1/</filename> to verify this.
      There are no man pages for any of the Nix tools! This is because some
      packages like Nix have multiple outputs for things like documentation (see
      section 4). Let's make Nix install those as well.
    </para>
    <screen>
 {
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [ aspell bc coreutils ffmpeg nixUnstable emscripten jq nox silver-searcher ];
      pathsToLink = [ "/share/man" "/share/doc" /bin" ];
      extraOutputsToInstall = [ "man" "doc" ];
    };
  };
 }
    </screen>
    <para>
      This provides us with some useful documentation for using our packages.
      However, if we actually want those manpages to be detected by man, we need
      to set up our environment. This can also be managed within Nix
      expressions.
    </para>
    <screen>
 {
  packageOverrides = pkgs: with pkgs; rec {
    myProfile = writeText "my-profile" ''
 export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
 export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
    '';
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        (runCommand "profile" {} ''
 mkdir -p $out/etc/profile.d
 cp ${myProfile} $out/etc/profile.d/my-profile.sh
        '')
        aspell
        bc
        coreutils
        ffmpeg
        man
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
      pathsToLink = [ "/share/man" "/share/doc" /bin" "/etc" ];
      extraOutputsToInstall = [ "man" "doc" ];
    };
  };
 }
    </screen>
    <para>
      For this to work fully, you must also have this script sourced when you
      are logged in. Try adding something like this to your
      <filename>~/.profile</filename> file:
    </para>
    <screen>
 #!/bin/sh
 if [ -d $HOME/.nix-profile/etc/profile.d ]; then
  for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
 fi
    </screen>
    <para>
      Now just run <literal>source $HOME/.profile</literal> and you can starting
      loading man pages from your environent.
    </para>
  </section>
  <section xml:id="sec-gnu-info-setup">
    <title>GNU info setup</title>
    <para>
      Configuring GNU info is a little bit trickier than man pages. To work
      correctly, info needs a database to be generated. This can be done with
      some small modifications to our environment scripts.
    </para>
    <screen>
 {
  packageOverrides = pkgs: with pkgs; rec {
    myProfile = writeText "my-profile" ''
 export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
 export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
 export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
    '';
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        (runCommand "profile" {} ''
 mkdir -p $out/etc/profile.d
 cp ${myProfile} $out/etc/profile.d/my-profile.sh
        '')
        aspell
        bc
        coreutils
        ffmpeg
        man
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
        texinfoInteractive
      ];
      pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
      extraOutputsToInstall = [ "man" "doc" "info" ];
      postBuild = ''
          if [ -x $out/bin/install-info -a -w $out/share/info ]; then
            shopt -s nullglob
            for i in $out/share/info/*.info $out/share/info/*.info.gz; do
                $out/bin/install-info $i $out/share/info/dir
            done
          fi
      '';
    };
  };
 }
    </screen>
    <para>
      <literal>postBuild</literal> tells Nixpkgs to run a command after building
      the environment. In this case, <literal>install-info</literal> adds the
      installed info pages to <literal>dir</literal> which is GNU info's default
      root node. Note that <literal>texinfoInteractive</literal> is added to the
      environment to give the <literal>install-info</literal> command.
    </para>
  </section>
 </section>
 </chapter>
--- a/doc/cross-compilation.xml
+++ b/doc/cross-compilation.xml
@ -37,8 +37,9 @@
    </para>
    <para>
      In Nixpkgs, these three platforms are defined as attribute sets under the names <literal>buildPlatform</literal>, <literal>hostPlatform</literal>, and <literal>targetPlatform</literal>.
-      All three are always defined at the top level, so one can get at them just like a dependency in a function that is imported with <literal>callPackage</literal>:
+      All three are always defined as attributes in the standard environment, and at the top level. That means one can get at them just like a dependency in a function that is imported with <literal>callPackage</literal>:
-      <programlisting>{ stdenv, buildPlatform, hostPlatform, fooDep, barDep, .. }: ...</programlisting>
+      <programlisting>{ stdenv, buildPlatform, hostPlatform, fooDep, barDep, .. }: ...buildPlatform...</programlisting>, or just off <varname>stdenv</varname>:
      <programlisting>{ stdenv, fooDep, barDep, .. }: ...stdenv.buildPlatform...</programlisting>.
    </para>
    <variablelist>
      <varlistentry>
--- a/doc/functions.xml
+++ b/doc/functions.xml
@ -358,8 +358,8 @@
 <para>
  <varname>pkgs.dockerTools</varname> is a set of functions for creating and
  manipulating Docker images according to the
-  <link xlink:href="https://github.com/docker/docker/blob/master/image/spec/v1.md#docker-image-specification-v100">
+  <link xlink:href="https://github.com/moby/moby/blob/master/image/spec/v1.2.md#docker-image-specification-v120">
-  Docker Image Specification v1.0.0
+  Docker Image Specification v1.2.0
  </link>. Docker itself is not used to perform any of the operations done by these
  functions.
 </para>
@ -493,8 +493,8 @@
    <varname>config</varname> is used to specify the configuration of the
    containers that will be started off the built image in Docker.
    The available options are listed in the
-    <link xlink:href="https://github.com/docker/docker/blob/master/image/spec/v1.md#container-runconfig-field-descriptions">
+    <link xlink:href="https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions">
-      Docker Image Specification v1.0.0
+      Docker Image Specification v1.2.0
    </link>.
    </para>
  </callout>
--- a/doc/languages-frameworks/haskell.md
+++ b/doc/languages-frameworks/haskell.md
@ -698,33 +698,6 @@ rm /nix/var/nix/manifests/*
 rm /nix/var/nix/channel-cache/*
 ```
 ### How to use the Haste Haskell-to-Javascript transpiler
 Open a shell with `haste-compiler` and `haste-cabal-install` (you don't actually need
 `node`, but it can be useful to test stuff):
 ```shell
 nix-shell \
  -p "haskellPackages.ghcWithPackages (self: with self; [haste-cabal-install haste-compiler])" \
  -p nodejs
 ```
 You may not need the following step but if `haste-boot` fails to compile all the
 packages it needs, this might do the trick
 ```shell
 haste-cabal update
 ```
 `haste-boot` builds a set of core libraries so that they can be used from Javascript
 transpiled programs:
 ```shell
 haste-boot
 ```
 Transpile and run a "Hello world" program:
 ```
 $ echo 'module Main where main = putStrLn "Hello world"' > hello-world.hs
 $ hastec --onexec hello-world.hs
 $ node hello-world.js
 Hello world
 ```
 ### Builds on Darwin fail with `math.h` not found
 Users of GHC on Darwin have occasionally reported that builds fail, because the
@ -854,7 +827,7 @@ the work to be licensed" under the terms of the LGPL (including for free).
 The LGPL licensing for GMP is a problem for the overall licensing of binary
 programs compiled with GHC because most distributions (and builds) of GHC use
-static libraries. (Dynamic libraries are currently distributed only for OS X.)
+static libraries. (Dynamic libraries are currently distributed only for macOS.)
 The LGPL licensing situation may be worse: even though
 [The Glasgow Haskell Compiler License](https://www.haskell.org/ghc/license)
 is essentially a "free software" license (BSD3), according to
@ -894,6 +867,62 @@ use the following to get the `scientific` package build with `integer-simple`:
 nix-build -A haskell.packages.integer-simple.ghc802.scientific
 ```
 ### Quality assurance
 The `haskell.lib` library includes a number of functions for checking for
 various imperfections in Haskell packages. It's useful to apply these functions
 to your own Haskell packages and integrate that in a Continuous Integration
 server like [hydra](https://nixos.org/hydra/) to assure your packages maintain a
 minimum level of quality. This section discusses some of these functions.
 #### buildStrictly
 Applying `haskell.lib.buildStrictly` to a Haskell package enables the `-Wall`
 and `-Werror` GHC options to turn all warnings into build failures. Additionally
 the source of your package is gotten from first invoking `cabal sdist` to ensure
 all needed files are listed in the Cabal file.
 #### checkUnusedPackages
 Applying `haskell.lib.checkUnusedPackages` to a Haskell package invokes
 the [packunused](http://hackage.haskell.org/package/packunused) tool on the
 package. `packunused` complains when it finds packages listed as build-depends
 in the Cabal file which are redundant. For example:
 ```
 $ nix-build -E 'let pkgs = import <nixpkgs> {}; in pkgs.haskell.lib.checkUnusedPackages {} pkgs.haskellPackages.scientific'
 these derivations will be built:
  /nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv
 ...
 detected package components
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 - library
 - testsuite(s): test-scientific
 - benchmark(s): bench-scientific*
 (component names suffixed with '*' are not configured to be built)
 library
 ~~~~~~~
 The following package dependencies seem redundant:
 - ghc-prim-0.5.0.0
 testsuite(test-scientific)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 no redundant packages dependencies found
 builder for ‘/nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv’ failed with exit code 1
 error: build of ‘/nix/store/3lc51cxj2j57y3zfpq5i69qbzjpvyci1-scientific-0.3.5.1.drv’ failed
 ```
 As you can see, `packunused` finds out that although the testsuite component has
 no redundant dependencies the library component of `scientific-0.3.5.1` depends
 on `ghc-prim` which is unused in the library.
 ## Other resources
  - The Youtube video [Nix Loves Haskell](https://www.youtube.com/watch?v=BsBhi_r-OeE)
@ -912,14 +941,14 @@ nix-build -A haskell.packages.integer-simple.ghc802.scientific
  - The *Journey into the Haskell NG infrastructure* series of postings
    describe the new Haskell infrastructure in great detail:
-      - [Part 1](http://lists.science.uu.nl/pipermail/nix-dev/2015-January/015591.html)
+      - [Part 1](https://nixos.org/nix-dev/2015-January/015591.html)
        explains the differences between the old and the new code and gives
        instructions how to migrate to the new setup.
-      - [Part 2](http://lists.science.uu.nl/pipermail/nix-dev/2015-January/015608.html)
+      - [Part 2](https://nixos.org/nix-dev/2015-January/015608.html)
        looks in-depth at how to tweak and configure your setup by means of
        overrides.
-      - [Part 3](http://lists.science.uu.nl/pipermail/nix-dev/2015-April/016912.html)
+      - [Part 3](https://nixos.org/nix-dev/2015-April/016912.html)
        describes the infrastructure that keeps the Haskell package set in Nixpkgs
        up-to-date.
--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@ -2,115 +2,204 @@
 ## User Guide
 Several versions of Python are available on Nix as well as a high amount of
 packages. The default interpreter is CPython 2.7.
 ### Using Python
 #### Overview
 Several versions of the Python interpreter are available on Nix, as well as a
 high amount of packages. The attribute `python` refers to the default
 interpreter, which is currently CPython 2.7. It is also possible to refer to
 specific versions, e.g. `python35` refers to CPython 3.5, and `pypy` refers to
 the default PyPy interpreter.
 Python is used a lot, and in different ways. This affects also how it is
 packaged. In the case of Python on Nix, an important distinction is made between
 whether the package is considered primarily an application, or whether it should
 be used as a library, i.e., of primary interest are the modules in
 `site-packages` that should be importable.
 In the Nixpkgs tree Python applications can be found throughout, depending on
 what they do, and are called from the main package set. Python libraries,
 however, are in separate sets, with one set per interpreter version.
 The interpreters have several common attributes. One of these attributes is
 `pkgs`, which is a package set of Python libraries for this specific
 interpreter. E.g., the `toolz` package corresponding to the default interpreter
 is `python.pkgs.toolz`, and the CPython 3.5 version is `python35.pkgs.toolz`.
 The main package set contains aliases to these package sets, e.g.
 `pythonPackages` refers to `python.pkgs` and `python35Packages` to
 `python35.pkgs`.
 #### Installing Python and packages
-It is important to make a distinction between Python packages that are
+The Nix and NixOS manuals explain how packages are generally installed. In the
-used as libraries, and applications that are written in Python.
+case of Python and Nix, it is important to make a distinction between whether the
 package is considered an application or a library.
-Applications on Nix are installed typically into your user
+Applications on Nix are typically installed into your user
 profile imperatively using `nix-env -i`, and on NixOS declaratively by adding the
 package name to `environment.systemPackages` in `/etc/nixos/configuration.nix`.
 Dependencies such as libraries are automatically installed and should not be
 installed explicitly.
 The same goes for Python applications and libraries. Python applications can be
-installed in your profile, but Python libraries you would like to use to develop
+installed in your profile. But Python libraries you would like to use for
-cannot. If you do install libraries in your profile, then you will end up with
+development cannot be installed, at least not individually, because they won't
-import errors.
+be able to find each other resulting in import errors. Instead, it is possible
 to create an environment with `python.buildEnv` or `python.withPackages` where
 the interpreter and other executables are able to find each other and all of the
 modules.
-#### Python environments using `nix-shell`
+In the following examples we create an environment with Python 3.5, `numpy` and
 `toolz`. As you may imagine, there is one limitation here, and that's that
 you can install only one environment at a time. You will notice the complaints
 about collisions when you try to install a second environment.
-The recommended method for creating Python environments for development is with
+##### Environment defined in separate `.nix` file
 `nix-shell`. Executing
-```sh
+Create a file, e.g. `build.nix`, with the following expression
-$ nix-shell -p python35Packages.numpy python35Packages.toolz
+```nix
 with import <nixpkgs> {};
 python35.withPackages (ps: with ps; [ numpy toolz ])
 ```
 and install it in your profile with
 ```shell
 nix-env -if build.nix
 ```
 Now you can use the Python interpreter, as well as the extra packages (`numpy`,
 `toolz`) that you added to the environment.
 ##### Environment defined in `~/.config/nixpkgs/config.nix`
 If you prefer to, you could also add the environment as a package override to the Nixpkgs set, e.g.
 using `config.nix`,
 ```nix
 { # ...
  packageOverrides = pkgs: with pkgs; {
    myEnv = python35.withPackages (ps: with ps; [ numpy toolz ]);
  };
 }
 ```
 and install it in your profile with
 ```shell
 nix-env -iA nixpkgs.myEnv
 ```
 The environment is is installed by referring to the attribute, and considering
 the `nixpkgs` channel was used.
 ##### Environment defined in `/etc/nixos/configuration.nix`
 For the sake of completeness, here's another example how to install the environment system-wide.
 ```nix
 { # ...
  environment.systemPackages = with pkgs; [
    (python35.withPackages(ps: with ps; [ numpy toolz ]))
  ];
 }
 ```
-opens a Nix shell which has available the requested packages and dependencies.
+#### Temporary Python environment with `nix-shell`
 Now you can launch the Python interpreter (which is itself a dependency)
 The examples in the previous section showed how to install a Python environment
 into a profile. For development you may need to use multiple environments.
 `nix-shell` gives the possibility to temporarily load another environment, akin
 to `virtualenv`.
 There are two methods for loading a shell with Python packages. The first and recommended method
 is to create an environment with `python.buildEnv` or `python.withPackages` and load that. E.g.
 ```sh
 $ nix-shell -p 'python35.withPackages(ps: with ps; [ numpy toolz ])'
 ```
 opens a shell from which you can launch the interpreter
 ```sh
 [nix-shell:~] python3
 ```
 The other method, which is not recommended, does not create an environment and requires you to list the packages directly,
-If the packages were not available yet in the Nix store, Nix would download or
+```sh
-build them automatically. A convenient option with `nix-shell` is the `--run`
+$ nix-shell -p python35.pkgs.numpy python35.pkgs.toolz
-option, with which you can execute a command in the `nix-shell`. Let's say we
+```
-want the above environment and directly run the Python interpreter
+Again, it is possible to launch the interpreter from the shell.
 The Python interpreter has the attribute `pkgs` which contains all Python libraries for that specific interpreter.
 ##### Load environment from `.nix` expression
 As explained in the Nix manual, `nix-shell` can also load an
 expression from a `.nix` file. Say we want to have Python 3.5, `numpy`
 and `toolz`, like before, in an environment. Consider a `shell.nix` file
 with
 ```nix
 with import <nixpkgs> {};
 python35.withPackages (ps: [ps.numpy ps.toolz])
 ```
 Executing `nix-shell` gives you again a Nix shell from which you can run Python.
 What's happening here?
 1. We begin with importing the Nix Packages collections. `import <nixpkgs>` imports the `<nixpkgs>` function, `{}` calls it and the `with` statement brings all attributes of `nixpkgs` in the local scope. These attributes form the main package set.
 2. Then we create a Python 3.5 environment with the `withPackages` function.
 3. The `withPackages` function expects us to provide a function as an argument that takes the set of all python packages and returns a list of packages to include in the environment. Here, we select the packages `numpy` and `toolz` from the package set.
 ##### Execute command with `--run`
 A convenient option with `nix-shell` is the `--run`
 option, with which you can execute a command in the `nix-shell`. We can
 e.g. directly open a Python shell
 ```sh
 $ nix-shell -p python35Packages.numpy python35Packages.toolz --run "python3"
 ```
-
+or run a script
 This way you can use the `--run` option also to directly run a script
 ```sh
 $ nix-shell -p python35Packages.numpy python35Packages.toolz --run "python3 myscript.py"
 ```
-In fact, for this specific use case there is a more convenient method. You can
+##### `nix-shell` as shebang
 In fact, for the second use case, there is a more convenient method. You can
 add a [shebang](https://en.wikipedia.org/wiki/Shebang_(Unix)) to your script
-specifying which dependencies Nix shell needs. With the following shebang, you
+specifying which dependencies `nix-shell` needs. With the following shebang, you
-can use `nix-shell myscript.py` and it will make available all dependencies and
+can just execute `./myscript.py`, and it will make available all dependencies and
 run the script in the `python3` shell.
 ```py
 #! /usr/bin/env nix-shell
-#! nix-shell -i python3 -p python3Packages.numpy
+#! nix-shell -i 'python3.withPackages(ps: [ps.numpy])'
 import numpy
 print(numpy.__version__)
 ```
 Likely you do not want to type your dependencies each and every time. What you
 can do is write a simple Nix expression which sets up an environment for you,
 requiring you only to type `nix-shell`. Say we want to have Python 3.5, `numpy`
 and `toolz`, like before, in an environment. With a `shell.nix` file
 containing
 ```nix
 with import <nixpkgs> {};
 (pkgs.python35.withPackages (ps: [ps.numpy ps.toolz])).env
 ```
 executing `nix-shell` gives you again a Nix shell from which you can run Python.
 What's happening here?
 1. We begin with importing the Nix Packages collections. `import <nixpkgs>` import the `<nixpkgs>` function, `{}` calls it and the `with` statement brings all attributes of `nixpkgs` in the local scope. Therefore we can now use `pkgs`.
 2. Then we create a Python 3.5 environment with the `withPackages` function.
 3. The `withPackages` function expects us to provide a function as an argument that takes the set of all python packages and returns a list of packages to include in the environment. Here, we select the packages `numpy` and `toolz` from the package set.
 4. And finally, for in interactive use we return the environment by using the `env` attribute.
 ### Developing with Python
 Now that you know how to get a working Python environment with Nix, it is time
 to go forward and start actually developing with Python. We will first have a
 look at how Python packages are packaged on Nix. Then, we will look at how you
 can use development mode with your code.
-Now that you know how to get a working Python environment on Nix, it is time to go forward and start actually developing with Python.
+#### Packaging a library
 We will first have a look at how Python packages are packaged on Nix. Then, we will look how you can use development mode with your code.
-#### Python packaging on Nix
+With Nix all packages are built by functions. The main function in Nix for
-
+building Python libraries is `buildPythonPackage`. Let's see how we can build the
-On Nix all packages are built by functions. The main function in Nix for building Python packages is [`buildPythonPackage`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/interpreters/python/build-python-package.nix).
+`toolz` package.
 Let's see how we would build the `toolz` package. According to [`python-packages.nix`](https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/python-packages.nix) `toolz` is build using
 ```nix
 { # ...
  toolz = buildPythonPackage rec {
-    name = "toolz-${version}";
+    pname = "toolz";
    version = "0.7.4";
    name = "${pname}-${version}";
-    src = pkgs.fetchurl {
+    src = fetchPypi {
-      url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
+      inherit pname version;
      sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
    };
    doCheck = false;
    meta = {
      homepage = "http://github.com/pytoolz/toolz/";
      description = "List processing tools and functional utilities";
@ -122,63 +211,37 @@ Let's see how we would build the `toolz` package. According to [`python-packages
 ```
 What happens here? The function `buildPythonPackage` is called and as argument
-it accepts a set. In this case the set is a recursive set ([`rec`](http://nixos.org/nix/manual/#sec-constructs)).
+it accepts a set. In this case the set is a recursive set, `rec`. One of the
-One of the arguments is the name of the package, which consists of a basename
+arguments is the name of the package, which consists of a basename (generally
-(generally following the name on PyPi) and a version. Another argument, `src`
+following the name on PyPi) and a version. Another argument, `src` specifies the
-specifies the source, which in this case is fetched from an url. `fetchurl` not
+source, which in this case is fetched from PyPI using the helper function
-only downloads the target file, but also validates its hash. Furthermore, we
+`fetchPypi`. The argument `doCheck` is used to set whether tests should be run
-specify some (optional) [meta information](http://nixos.org/nixpkgs/manual/#chap-meta).
+when building the package. Furthermore, we specify some (optional) meta
-
+information. The output of the function is a derivation.
 The output of the function is a derivation, which is an attribute with the name
 `toolz` of the set `pythonPackages`. Actually, sets are created for all interpreter versions,
 so e.g. `python27Packages`, `python35Packages` and `pypyPackages`.
 An expression for `toolz` can be found in the Nixpkgs repository. As explained
 in the introduction of this Python section, a derivation of `toolz` is available
 for each interpreter version, e.g. `python35.pkgs.toolz` refers to the `toolz`
 derivation corresponding to the CPython 3.5 interpreter.
 The above example works when you're directly working on
 `pkgs/top-level/python-packages.nix` in the Nixpkgs repository. Often though,
-you will want to test a Nix expression outside of the Nixpkgs tree. If you
+you will want to test a Nix expression outside of the Nixpkgs tree.
 create a `shell.nix` file with the following contents
-```nix
+The following expression creates a derivation for the `toolz` package,
-with import <nixpkgs> {};
+and adds it along with a `numpy` package to a Python environment.
 pkgs.python35Packages.buildPythonPackage rec {
  name = "toolz-${version}";
  version = "0.8.0";
  src = pkgs.fetchurl {
    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
    sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
  };
  doCheck = false;
  meta = {
    homepage = "http://github.com/pytoolz/toolz/";
    description = "List processing tools and functional utilities";
    license = licenses.bsd3;
    maintainers = with maintainers; [ fridh ];
  };
 }
 ```
 and then execute `nix-shell` will result in an environment in which you can use
 Python 3.5 and the `toolz` package. As you can see we had to explicitly mention
 for which Python version we want to build a package.
 The above example considered only a single package. Generally you will want to use multiple packages.
 If we create a `shell.nix` file with the following contents
 ```nix
 with import <nixpkgs> {};
 ( let
-    toolz = pkgs.python35Packages.buildPythonPackage rec {
+    my_toolz = python35.pkgs.buildPythonPackage rec {
-      name = "toolz-${version}";
+      pname = "toolz";
-      version = "0.8.0";
+      version = "0.7.4";
      name = "${pname}-${version}";
-      src = pkgs.fetchurl {
+      src = python35.pkgs.fetchPypi {
-        url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
+        inherit pname version;
-        sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
+        sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
      };
      doCheck = false;
@ -189,24 +252,24 @@ with import <nixpkgs> {};
      };
    };
-  in pkgs.python35.withPackages (ps: [ps.numpy toolz])
+  in python35.withPackages (ps: [ps.numpy my_toolz])
 ).env
 ```
 Executing `nix-shell` will result in an environment in which you can use
 Python 3.5 and the `toolz` package. As you can see we had to explicitly mention
 for which Python version we want to build a package.
-and again execute `nix-shell`, then we get a Python 3.5 environment with our
+So, what did we do here? Well, we took the Nix expression that we used earlier
-locally defined package as well as `numpy` which is build according to the
+to build a Python environment, and said that we wanted to include our own
-definition in Nixpkgs. What did we do here? Well, we took the Nix expression
+version of `toolz`, named `my_toolz`. To introduce our own package in the scope
-that we used earlier to build a Python environment, and said that we wanted to
+of `withPackages` we used a `let` expression. You can see that we used
-include our own version of `toolz`. To introduce our own package in the scope of
+`ps.numpy` to select numpy from the nixpkgs package set (`ps`). We did not take
-`withPackages` we used a
+`toolz` from the Nixpkgs package set this time, but instead took our own version
-[`let`](http://nixos.org/nix/manual/#sec-constructs) expression.
+that we introduced with the `let` expression.
 You can see that we used `ps.numpy` to select numpy from the nixpkgs package set (`ps`).
 But we do not take `toolz` from the nixpkgs package set this time.
 Instead, `toolz` will resolve to our local definition that we introduced with `let`.
-### Handling dependencies
+#### Handling dependencies
-Our example, `toolz`, doesn't have any dependencies on other Python
+Our example, `toolz`, does not have any dependencies on other Python
 packages or system libraries. According to the manual,  `buildPythonPackage`
 uses the arguments `buildInputs` and `propagatedBuildInputs` to specify dependencies. If something is
 exclusively a build-time dependency, then the dependency should be included as a
@ -340,7 +403,7 @@ other packages we like to have in the environment, all specified with `propagate
 Indeed, we can just add any package we like to have in our environment to `propagatedBuildInputs`.
 ```nix
-with import <nixpkgs>;
+with import <nixpkgs> {};
 with pkgs.python35Packages;
 buildPythonPackage rec {
@ -423,7 +486,7 @@ and in this case the `python35` interpreter is automatically used.
 ### Interpreters
 Versions 2.7, 3.3, 3.4, 3.5 and 3.6 of the CPython interpreter are available as
-respectively `python27`, `python33`, `python34`, `python35` and `python36`. The PyPy interpreter
+respectively `python27`, `python34`, `python35` and `python36`. The PyPy interpreter
 is available as `pypy`. The aliases `python2` and `python3` correspond to respectively `python27` and
 `python35`. The default interpreter, `python`, maps to `python2`.
 The Nix expressions for the interpreters can be found in
@ -469,7 +532,6 @@ sets are
 * `pkgs.python26Packages`
 * `pkgs.python27Packages`
 * `pkgs.python33Packages`
 * `pkgs.python34Packages`
 * `pkgs.python35Packages`
 * `pkgs.python36Packages`
@ -528,7 +590,7 @@ By default tests are run because `doCheck = true`. Test dependencies, like
 e.g. the test runner, should be added to `buildInputs`.
 By default `meta.platforms` is set to the same value
-as the interpreter unless overriden otherwise.
+as the interpreter unless overridden otherwise.
 ##### `buildPythonPackage` parameters
@ -546,6 +608,35 @@ All parameters from `mkDerivation` function are still supported.
 * `catchConflicts` If `true`, abort package build if a package name appears more than once in dependency tree. Default is `true`.
 * `checkInputs` Dependencies needed for running the `checkPhase`. These are added to `buildInputs` when `doCheck = true`.
 ##### Overriding Python packages
 The `buildPythonPackage` function has a `overridePythonAttrs` method that
 can be used to override the package. In the following example we create an
 environment where we have the `blaze` package using an older version of `pandas`.
 We override first the Python interpreter and pass
 `packageOverrides` which contains the overrides for packages in the package set.
 ```nix
 with import <nixpkgs> {};
 (let
  python = let
    packageOverrides = self: super: {
      pandas = super.pandas.overridePythonAttrs(old: rec {
        version = "0.19.1";
        name = "pandas-${version}";
        src =  super.fetchPypi {
          pname = "pandas";
          inherit version;
          sha256 = "08blshqj9zj1wyjhhw3kl2vas75vhhicvv72flvf1z3jvapgw295";
        };
      });
    };
  in pkgs.python3.override {inherit packageOverrides;};
 in python.withPackages(ps: [ps.blaze])).env
 ```
 #### `buildPythonApplication` function
 The `buildPythonApplication` function is practically the same as `buildPythonPackage`.
@ -622,7 +713,7 @@ attribute. The `shell.nix` file from the previous section can thus be also writt
 ```nix
 with import <nixpkgs> {};
-(python33.withPackages (ps: [ps.numpy ps.requests])).env
+(python36.withPackages (ps: [ps.numpy ps.requests])).env
 ```
 In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
@ -683,65 +774,23 @@ The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
 Both are also exported in `nix-shell`.
 ### Automatic tests
 It is recommended to test packages as part of the build process.
 Source distributions (`sdist`) often include test files, but not always.
 By default the command `python setup.py test` is run as part of the
 `checkPhase`, but often it is necessary to pass a custom `checkPhase`. An
 example of such a situation is when `py.test` is used.
 #### Common issues
 - Non-working tests can often be deselected. In the case of `py.test`: `py.test -k 'not function_name and not other_function'`.
 - Unicode issues can typically be fixed by including `glibcLocales` in `buildInputs` and exporting `LC_ALL=en_US.utf-8`.
 - Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
 ## FAQ
 ### How can I install a working Python environment?
 As explained in the user's guide installing individual Python packages
 imperatively with `nix-env -i` or declaratively in `environment.systemPackages`
 is not supported. However, it is possible to install a Python environment with packages (`python.buildEnv`).
 In the following examples we create an environment with Python 3.5, `numpy` and `ipython`.
 As you might imagine there is one limitation here, and that's you can install
 only one environment at a time. You will notice the complaints about collisions
 when you try to install a second environment.
 #### Environment defined in separate `.nix` file
 Create a file, e.g. `build.nix`, with the following expression
 ```nix
 with import <nixpkgs> {};
 pkgs.python35.withPackages (ps: with ps; [ numpy ipython ])
 ```
 and install it in your profile with
 ```shell
 nix-env -if build.nix
 ```
 Now you can use the Python interpreter, as well as the extra packages that you added to the environment.
 #### Environment defined in `~/.config/nixpkgs/config.nix`
 If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
 ```nix
 { # ...
  packageOverrides = pkgs: with pkgs; {
    myEnv = python35.withPackages (ps: with ps; [ numpy ipython ]);
  };
 }
 ```
 and install it in your profile with
 ```shell
 nix-env -iA nixpkgs.myEnv
 ```
 We're installing using the attribute path and assume the channels is named `nixpkgs`.
 Note that I'm using the attribute path here.
 #### Environment defined in `/etc/nixos/configuration.nix`
 For the sake of completeness, here's another example how to install the environment system-wide.
 ```nix
 { # ...
  environment.systemPackages = with pkgs; [
    (python35.withPackages(ps: with ps; [ numpy ipython ]))
  ];
 }
 ```
 ### How to solve circular dependencies?
 Consider the packages `A` and `B` that depend on each other. When packaging `B`,
@ -755,17 +804,17 @@ In the following example we rename the `pandas` package and build it.
 ```nix
 with import <nixpkgs> {};
-let
+(let
  python = let
    packageOverrides = self: super: {
-      pandas = super.pandas.override {name="foo";};
+      pandas = super.pandas.overridePythonAttrs(old: {name="foo";});
    };
  in pkgs.python35.override {inherit packageOverrides;};
-in python.pkgs.pandas
+in python.withPackages(ps: [ps.pandas])).env
 ```
-Using `nix-build` on this expression will build the package `pandas`
+Using `nix-build` on this expression will build an environment that contains the
-but with the new name `foo`.
+package `pandas` but with the new name `foo`.
 All packages in the package set will use the renamed package.
 A typical use case is to switch to another version of a certain package.
@ -951,8 +1000,9 @@ rec {
 Following rules are desired to be respected:
-* Python libraries are supposed to be called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
+* Python libraries are called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
 * Python applications live outside of `python-packages.nix` and are packaged with `buildPythonApplication`.
 * Make sure libraries build for all Python interpreters.
 * By default we enable tests. Make sure the tests are found and, in the case of libraries, are passing for all interpreters. If certain tests fail they can be disabled individually. Try to avoid disabling the tests altogether. In any case, when you disable tests, leave a comment explaining why.
-* Commit names of Python libraries should include `pythonPackages`, for example `pythonPackages.numpy: 1.11 -> 1.12`.
+* Commit names of Python libraries should reflect that they are Python libraries, so write for example `pythonPackages.numpy: 1.11 -> 1.12`.
--- a/doc/languages-frameworks/ruby.xml
+++ b/doc/languages-frameworks/ruby.xml
@ -4,10 +4,14 @@
 <title>Ruby</title>
-  <para>There currently is support to bundle applications that are packaged as Ruby gems. The utility "bundix" allows you to write a <filename>Gemfile</filename>, let bundler create a <filename>Gemfile.lock</filename>, and then convert
+<para>There currently is support to bundle applications that are packaged as
-  this into a nix expression that contains all Gem dependencies automatically.</para>
+Ruby gems. The utility "bundix" allows you to write a
 <filename>Gemfile</filename>, let bundler create a
 <filename>Gemfile.lock</filename>, and then convert this into a nix
 expression that contains all Gem dependencies automatically.
 </para>
-  <para>For example, to package sensu, we did:</para>
+<para>For example, to package sensu, we did:</para>
 <screen>
 <![CDATA[$ cd pkgs/servers/monitoring
@ -16,7 +20,7 @@ $ cd sensu
 $ cat > Gemfile
 source 'https://rubygems.org'
 gem 'sensu'
-$ $(nix-build '<nixpkgs>' -A bundix)/bin/bundix --magic
+$ $(nix-build '<nixpkgs>' -A bundix --no-out-link)/bin/bundix --magic
 $ cat > default.nix
 { lib, bundlerEnv, ruby }:
@ -38,15 +42,61 @@ bundlerEnv rec {
 }]]>
 </screen>
-<para>Please check in the <filename>Gemfile</filename>, <filename>Gemfile.lock</filename> and the <filename>gemset.nix</filename> so future updates can be run easily.
+<para>Please check in the <filename>Gemfile</filename>,
 <filename>Gemfile.lock</filename> and the
 <filename>gemset.nix</filename> so future updates can be run easily.
 </para>
-<para>Resulting derivations also have two helpful items, <literal>env</literal> and <literal>wrapper</literal>. The first one allows one to quickly drop into
+<para>For tools written in Ruby - i.e. where the desire is to install
-<command>nix-shell</command> with the specified environment present. E.g. <command>nix-shell -A sensu.env</command> would give you an environment with Ruby preset
+a package and then execute e.g. <command>rake</command> at the command
-so it has all the libraries necessary for <literal>sensu</literal> in its paths. The second one can be used to make derivations from custom Ruby scripts which have
+line, there is an alternative builder called <literal>bundlerApp</literal>.
-<filename>Gemfile</filename>s with their dependencies specified. It is a derivation with <command>ruby</command> wrapped so it can find all the needed dependencies.
+Set up the <filename>gemset.nix</filename> the same way, and then, for
-For example, to make a derivation <literal>my-script</literal> for a <filename>my-script.rb</filename> (which should be placed in <filename>bin</filename>) you should
+example:
-run <command>bundix</command> as specified above and then use <literal>bundlerEnv</literal> like this:</para>
+</para>
 <screen>
 <![CDATA[{ lib, bundlerApp }:
 bundlerApp {
  pname = "corundum";
  gemdir = ./.;
  exes = [ "corundum-skel" ];
  meta = with lib; {
    description = "Tool and libraries for maintaining Ruby gems.";
    homepage    = https://github.com/nyarly/corundum;
    license     = licenses.mit;
    maintainers = [ maintainers.nyarly ];
    platforms   = platforms.unix;
  };
 }]]>
 </screen>
 <para>The chief advantage of <literal>bundlerApp</literal> over
 <literal>bundlerEnv</literal> is the executables introduced in the
 environment are precisely those selected in the <literal>exes</literal>
 list, as opposed to <literal>bundlerEnv</literal> which adds all the
 executables made available by gems in the gemset, which can mean e.g.
 <command>rspec</command> or <command>rake</command> in unpredictable
 versions available from various packages.
 </para>
 <para>Resulting derivations for both builders also have two helpful
 attributes, <literal>env</literal> and <literal>wrappedRuby</literal>.
 The first one allows one to quickly drop into
 <command>nix-shell</command> with the specified environment present.
 E.g. <command>nix-shell -A sensu.env</command> would give you an
 environment with Ruby preset so it has all the libraries necessary
 for <literal>sensu</literal> in its paths. The second one can be
 used to make derivations from custom Ruby scripts which have
 <filename>Gemfile</filename>s with their dependencies specified. It is
 a derivation with <command>ruby</command> wrapped so it can find all
 the needed dependencies. For example, to make a derivation
 <literal>my-script</literal> for a <filename>my-script.rb</filename>
 (which should be placed in <filename>bin</filename>) you should run
 <command>bundix</command> as specified above and then use
 <literal>bundlerEnv</literal> like this:
 </para>
 <programlisting>
 <![CDATA[let env = bundlerEnv {
@ -60,13 +110,9 @@ run <command>bundix</command> as specified above and then use <literal>bundlerEn
 in stdenv.mkDerivation {
  name = "my-script";
-
+  buildInputs = [ env.wrappedRuby ];
  buildInputs = [ env.wrapper ];
  script = ./my-script.rb;
  buildCommand = ''
    mkdir -p $out/bin
    install -D -m755 $script $out/bin/my-script
    patchShebangs $out/bin/my-script
  '';
@ -74,4 +120,3 @@ in stdenv.mkDerivation {
 </programlisting>
 </section>
--- a/doc/languages-frameworks/rust.md
+++ b/doc/languages-frameworks/rust.md
@ -17,7 +17,7 @@ into the `environment.systemPackages` or bring them into scope with
 `nix-shell -p rustStable.rustc -p rustStable.cargo`.
 There are also `rustBeta` and `rustNightly` package sets available.
-These are not updated very regulary. For daily builds use either rustup from
+These are not updated very regularly. For daily builds use either rustup from
 nixpkgs or use the [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
 ## Packaging Rust applications
--- a/doc/multiple-output.xml
+++ b/doc/multiple-output.xml
@ -73,7 +73,7 @@
      <varlistentry><term><varname>
        $outputMan</varname></term><listitem><para>
-        is for man pages (except for section 3). They go to <varname>man</varname> or <varname>doc</varname> or <varname>$outputBin</varname> by default.
+        is for man pages (except for section 3). They go to <varname>man</varname> or <varname>$outputBin</varname> by default.
      </para></listitem></varlistentry>
      <varlistentry><term><varname>
@ -83,7 +83,7 @@
      <varlistentry><term><varname>
        $outputInfo</varname></term><listitem><para>
-        is for info pages. They go to <varname>info</varname> or <varname>doc</varname> or <varname>$outputMan</varname> by default.
+        is for info pages. They go to <varname>info</varname> or <varname>$outputBin</varname> by default.
      </para></listitem></varlistentry>
    </variablelist>
--- a/doc/overlays.xml
+++ b/doc/overlays.xml
@ -8,59 +8,88 @@
 overlays. Overlays are used to add layers in the fix-point used by Nixpkgs
 to compose the set of all packages.</para>
 <para>Nixpkgs can be configured with a list of overlays, which are
 applied in order. This means that the order of the overlays can be significant
 if multiple layers override the same package.</para>
 <!--============================================================-->
 <section xml:id="sec-overlays-install">
-<title>Installing Overlays</title>
+<title>Installing overlays</title>
-<para>The set of overlays is looked for in the following places. The
+<para>The list of overlays is determined as follows.</para>
-first one present is considered, and all the rest are ignored:
+
 <para>If the <varname>overlays</varname> argument is not provided explicitly, we look for overlays in a path. The path
 is determined as follows:
 <orderedlist>
  <listitem>
    <para>First, if an <varname>overlays</varname> argument to the nixpkgs function itself is given,
    then that is used.</para>
-    <para>As an argument of the imported attribute set. When importing Nixpkgs,
+    <para>This can be passed explicitly when importing nipxkgs, for example 
-    the <varname>overlays</varname> attribute argument can be set to a list of
+    <literal>import &lt;nixpkgs> { overlays = [ overlay1 overlay2 ]; }</literal>.</para>
    functions, which is described in <xref linkend="sec-overlays-layout"/>.</para>
  </listitem>
  <listitem>
    <para>Otherwise, if the Nix path entry <literal>&lt;nixpkgs-overlays></literal> exists, we look for overlays
    at that path, as described below.</para>
-    <para>In the directory pointed to by the Nix search path entry
+    <para>See the section on <literal>NIX_PATH</literal> in the Nix manual for more details on how to 
-    <literal>&lt;nixpkgs-overlays></literal>.</para>
+    set a value for <literal>&lt;nixpkgs-overlays>.</literal></para>
  </listitem>
  <listitem>
-
+    <para>If one of <filename>~/.config/nixpkgs/overlays.nix</filename> and
-    <para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
+    <filename>~/.config/nixpkgs/overlays/</filename> exists, then we look for overlays at that path, as
    described below. It is an error if both exist.</para>
  </listitem>
 </orderedlist>
 </para>
-<para>For the second and third options, the directory should contain Nix expressions defining the
+<para>If we are looking for overlays at a path, then there are two cases:
-overlays. Each overlay can be a file, a directory containing a
+<itemizedlist>
-<filename>default.nix</filename>, or a symlink to one of those. The expressions should follow
+  <listitem>
-the syntax described in <xref linkend="sec-overlays-layout"/>.</para>
+    <para>If the path is a file, then the file is imported as a Nix expression and used as the list of
    overlays.</para>
  </listitem>
-<para>The order of the overlay layers can influence the recipe of packages if multiple layers override
+  <listitem>
-the same recipe. In the case where overlays are loaded from a directory, they are loaded in
+    <para>If the path is a directory, then we take the content of the directory, order it
-alphabetical order.</para>
+    lexicographically, and attempt to interpret each as an overlay by:
    <itemizedlist>
      <listitem>
        <para>Importing the file, if it is a <literal>.nix</literal> file.</para>
      </listitem>
      <listitem>
        <para>Importing a top-level <filename>default.nix</filename> file, if it is a directory.</para>
      </listitem>
    </itemizedlist>
    </para>
  </listitem>
 </itemizedlist>
 </para>
-<para>To install an overlay using the last option, you can clone the overlay's repository and add
+<para>On a NixOS system the value of the <literal>nixpkgs.overlays</literal> option, if present, 
-a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
+is passed to the system Nixpkgs directly as an argument. Note that this does not affect the overlays for
 non-NixOS operations (e.g. <literal>nix-env</literal>), which are looked up independently.</para>
 <para>The <filename>overlays.nix</filename> option therefore provides a convenient way to use the same
 overlays for a NixOS system configuration and user configuration: the same file can be used
 as <filename>overlays.nix</filename> and imported as the value of <literal>nixpkgs.overlays</literal>.</para>
 </section>
 <!--============================================================-->
-<section xml:id="sec-overlays-layout">
+<section xml:id="sec-overlays-definition">
-<title>Overlays Layout</title>
+<title>Defining overlays</title>
-<para>Overlays are expressed as Nix functions which accept 2 arguments and return a set of
+<para>Overlays are Nix functions which accept two arguments, 
-packages.</para>
+conventionally called <varname>self</varname> and <varname>super</varname>, 
 and return a set of packages. For example, the following is a valid overlay.</para>
 <programlisting>
 self: super:
@ -75,25 +104,31 @@ self: super:
 }
 </programlisting>
-<para>The first argument, usually named <varname>self</varname>, corresponds to the final package
+<para>The first argument (<varname>self</varname>) corresponds to the final package
 set. You should use this set for the dependencies of all packages specified in your
 overlay. For example, all the dependencies of <varname>rr</varname> in the example above come
 from <varname>self</varname>, as well as the overridden dependencies used in the
 <varname>boost</varname> override.</para>
-<para>The second argument, usually named <varname>super</varname>,
+<para>The second argument (<varname>super</varname>)
 corresponds to the result of the evaluation of the previous stages of
 Nixpkgs. It does not contain any of the packages added by the current
-overlay nor any of the following overlays. This set should be used either
+overlay, nor any of the following overlays. This set should be used either
 to refer to packages you wish to override, or to access functions defined
 in Nixpkgs. For example, the original recipe of <varname>boost</varname>
 in the above example, comes from <varname>super</varname>, as well as the
 <varname>callPackage</varname> function.</para>
 <para>The value returned by this function should be a set similar to
-<filename>pkgs/top-level/all-packages.nix</filename>, which contains
+<filename>pkgs/top-level/all-packages.nix</filename>, containing
 overridden and/or new packages.</para>
 <para>Overlays are similar to other methods for customizing Nixpkgs, in particular
 the <literal>packageOverrides</literal> attribute described in <xref linkend="sec-modify-via-packageOverrides"/>.
 Indeed, <literal>packageOverrides</literal> acts as an overlay with only the 
 <varname>super</varname> argument. It is therefore appropriate for basic use, 
 but overlays are more powerful and easier to distribute.</para>
 </section>
 </chapter>
--- a/doc/package-notes.xml
+++ b/doc/package-notes.xml
@ -366,15 +366,33 @@ it. Place the resulting <filename>package.nix</filename> file into
 </section>
-<section xml:id="sec-autojump">
+<section xml:id="sec-shell-helpers">
-<title>Autojump</title>
+<title>Interactive shell helpers</title>
 <para>
-  autojump needs the shell integration to be useful but unlike other systems,
+  Some packages provide the shell integration to be more useful. But
-  nix doesn't have a standard share directory location. This is why a
+  unlike other systems, nix doesn't have a standard share directory
-  <command>autojump-share</command> script is shipped that prints the location
+  location. This is why a bunch <command>PACKAGE-share</command>
-  of the shared folder. This can then be used in the .bashrc like this:
+  scripts are shipped that print the location of the corresponding
  shared folder.
  Current list of such packages is as following:
  <itemizedlist>
    <listitem>
      <para>
        <literal>autojump</literal>: <command>autojump-share</command>
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>fzf</literal>: <command>fzf-share</command>
      </para>
    </listitem>
  </itemizedlist>
  E.g. <literal>autojump</literal> can then used in the .bashrc like this:
 <screen>
  source "$(autojump-share)/autojump.bash"
 </screen>
--- a/doc/quick-start.xml
+++ b/doc/quick-start.xml
@ -212,7 +212,7 @@ $ nix-env -f . -iA libfoo</screen>
  <listitem>
    <para>Optionally commit the new package and open a pull request, or send a patch to
-    <literal>nix-dev@cs.uu.nl</literal>.</para>
+    <literal>https://groups.google.com/forum/#!forum/nix-devel</literal>.</para>
  </listitem>
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@ -1,3 +1,4 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xml:id="chap-stdenv">
@ -1153,7 +1154,7 @@ makeWrapper $out/bin/foo $wrapperfile --prefix PATH : ${lib.makeBinPath [ hello
    </listitem>
  </varlistentry>
-  
+
  <varlistentry xml:id='fun-substitute'>
    <term><function>substitute</function>
@ -1312,7 +1313,7 @@ someVar=$(stripHash $name)
    </para></listitem>
  </varlistentry>
-  
+
  <varlistentry xml:id='fun-wrapProgram'>
    <term><function>wrapProgram</function>
@ -1342,12 +1343,34 @@ someVar=$(stripHash $name)
 <variablelist>
  <varlistentry>
-    <term>GCC wrapper</term>
+    <term>CC Wrapper</term>
-    <listitem><para>Adds the <filename>include</filename> subdirectory
+    <listitem>
-    of each build input to the <envar>NIX_CFLAGS_COMPILE</envar>
+      <para>
-    environment variable, and the <filename>lib</filename> and
+        CC Wrapper wraps a C toolchain for a bunch of miscellaneous purposes.
-    <filename>lib64</filename> subdirectories to
+        Specifically, a C compiler (GCC or Clang), Binutils (or the CCTools + binutils mashup when targetting Darwin), and a C standard library (glibc or Darwin's libSystem) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by CC Wrapper.
-    <envar>NIX_LDFLAGS</envar>.</para></listitem>
+        Packages typically depend on only CC Wrapper, instead of those 3 inputs directly.
      </para>
      <para>
        Dependency finding is undoubtedly the main task of CC wrapper.
        It is currently accomplished by collecting directories of host-platform dependencies (i.e. <varname>buildInputs</varname> and <varname>nativeBuildInputs</varname>) in environment variables.
        CC wrapper's setup hook causes any <filename>include</filename> subdirectory of such a dependency to be added to <envar>NIX_CFLAGS_COMPILE</envar>, and any <filename>lib</filename> and <filename>lib64</filename> subdirectories to <envar>NIX_LDFLAGS</envar>.
        The setup hook itself contains some lengthy comments describing the exact convoluted mechanism by which this is accomplished.
      </para>
      <para>
        A final task of the setup hook is defining a number of standard environment variables to tell build systems which executables full-fill which purpose.
        They are defined to just be the base name of the tools, under the assumption that CC Wrapper's binaries will be on the path.
        Firstly, this helps poorly-written packages, e.g. ones that look for just <command>gcc</command> when <envar>CC</envar> isn't defined yet <command>clang</command> is to be used.
        Secondly, this helps packages not get confused when cross-compiling, in which case multiple CC wrappers may be simultaneous in use (targeting different platforms).
        <envar>BUILD_</envar>- and <envar>TARGET_</envar>-prefixed versions of the normal environment variable are defined for the additional CC Wrappers, properly disambiguating them.
      </para>
      <para>
        A problem with this final task is that CC Wrapper is honest and defines <envar>LD</envar> as <command>ld</command>.
        Most packages, however, firstly use the C compiler for linking, secondly use <envar>LD</envar> anyways, defining it as the C compiler, and thirdly, only so define <envar>LD</envar> when it is undefined as a fallback.
        This triple-threat means CC Wrapper will break those packages, as LD is already defined as the actually linker which the package won't override yet doesn't want to use.
        The workaround is to define, just for the problematic package, <envar>LD</envar> as the C compiler.
        A good way to do this would be <command>preConfigure = "LD=$CC"</command>.
      </para>
    </listitem>
  </varlistentry>
  <varlistentry>
--- a/doc/submitting-changes.xml
+++ b/doc/submitting-changes.xml
@ -78,7 +78,7 @@ Additional information.
 <listitem>
 <para>
-<command>firefox: 3.0 -> 3.1.1</command>
+<command>firefox: 54.0.1 -> 55.0</command>
 </para>
 </listitem>
@ -223,6 +223,133 @@ Additional information.
 </itemizedlist>
 </section>
 <section>
  <title>Pull Request Template</title>
  <para>
    The pull request template helps determine what steps have been made for a
    contribution so far, and will help guide maintainers on the status of a
    change. The motivation section of the PR should include any extra details
    the title does not address and link any existing issues related to the pull
    request.
  </para>
  <para>When a PR is created, it will be pre-populated with some checkboxes detailed below:
  </para>
  <section>
    <title>Tested using sandboxing</title>
    <para>
      When sandbox builds are enabled, Nix will setup an isolated environment
      for each build process. It is used to remove further hidden dependencies
      set by the build environment to improve reproducibility. This includes
      access to the network during the build outside of
      <function>fetch*</function> functions and files outside the Nix store.
      Depending on the operating system access to other resources are blocked
      as well (ex. inter process communication is isolated on Linux); see <link
      xlink:href="https://nixos.org/nix/manual/#description-45">build-use-sandbox</link>
      in Nix manual for details.
    </para>
    <para>
      Sandboxing is not enabled by default in Nix due to a small performance
      hit on each build.  In pull requests for <link
        xlink:href="https://github.com/NixOS/nixpkgs/">nixpkgs</link> people
      are asked to test builds with sandboxing enabled (see <literal>Tested
        using sandboxing</literal> in the pull request template) because
      in<link
        xlink:href="https://nixos.org/hydra/">https://nixos.org/hydra/</link>
      sandboxing is also used.
    </para>
    <para>
      Depending if you use NixOS or other platforms you can use one of the
      following methods to enable sandboxing <emphasis role="bold">before</emphasis> building the package:
      <itemizedlist>
        <listitem>
          <para>
            <emphasis role="bold">Globally enable sandboxing on NixOS</emphasis>:
            add the following to 
            <filename>configuration.nix</filename>
            <screen>nix.useSandbox = true;</screen>
          </para>
        </listitem>
        <listitem>
          <para>
            <emphasis role="bold">Globally enable sandboxing on non-NixOS platforms</emphasis>:
            add the following to: <filename>/etc/nix/nix.conf</filename>
            <screen>build-use-sandbox = true</screen>
          </para>
        </listitem>
      </itemizedlist>
    </para>
  </section>
  <section>
    <title>Built on platform(s)</title>
    <para>
      Many Nix packages are designed to run on multiple
      platforms. As such, it's important to let the maintainer know which
      platforms your changes have been tested on. It's not always practical to
      test a change on all platforms, and is not required for a pull request to
      be merged. Only check the systems you tested the build on in this
      section.
    </para>
  </section>
  <section>
    <title>Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)</title>
    <para>
      Packages with automated tests are much more likely to be merged in a
      timely fashion because it doesn't require as much manual testing by the
      maintainer to verify the functionality of the package. If there are
      existing tests for the package, they should be run to verify your changes
      do not break the tests. Tests only apply to packages with NixOS modules
      defined and can only be run on Linux. For more details on writing and
      running tests, see the <link
        xlink:href="https://nixos.org/nixos/manual/index.html#sec-nixos-tests">section
        in the NixOS manual</link>.
    </para>
  </section>
  <section>
    <title>Tested compilation of all pkgs that depend on this change using <command>nox-review</command></title>
    <para>
      If you are updating a package's version, you can use nox to make sure all
      packages that depend on the updated package still compile correctly. This
      can be done using the nox utility. The <command>nox-review</command>
      utility can look for and build all dependencies either based on
      uncommited changes with the <literal>wip</literal> option or specifying a
      github pull request number.
    </para>
    <para>
      review uncommitted changes:
      <screen>nix-shell -p nox --run nox-review wip</screen>
    </para>
    <para>
      review changes from pull request number 12345:
      <screen>nix-shell -p nox --run nox-review pr 12345</screen>
    </para>
  </section>
  <section>
    <title>Tested execution of all binary files (usually in <filename>./result/bin/</filename>)</title>
    <para>
      It's important to test any executables generated by a build when you
      change or create a package in nixpkgs. This can be done by looking in
      <filename>./result/bin</filename> and running any files in there, or at a
      minimum, the main executable for the package. For example, if you make a change
      to <package>texlive</package>, you probably would only check the binaries
      associated with the change you made rather than testing all of them.
    </para>
  </section>
  <section>
    <title>Meets nixpkgs contribution standards</title>
    <para>
      The last checkbox is fits <link
        xlink:href="https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md">CONTRIBUTING.md</link>.
      The contributing document has detailed information on standards the Nix
      community has for commit messages, reviews, licensing of contributions
      you make to the project, etc... Everyone should read and understand the
      standards the community has for contributing before submitting a pull
      request.
    </para>
  </section>
 </section>
 <section>
 <title>Hotfixing pull requests</title>
--- a/lib/deprecated.nix
+++ b/lib/deprecated.nix
@ -309,48 +309,6 @@ rec {
  mergeAttrsByFuncDefaults = foldl mergeAttrByFunc { inherit mergeAttrBy; };
  mergeAttrsByFuncDefaultsClean = list: removeAttrs (mergeAttrsByFuncDefaults list) ["mergeAttrBy"];
  # merge attrs based on version key into mkDerivation args, see mergeAttrBy to learn about smart merge defaults
  #
  # This function is best explained by an example:
  #
  #     {version ? "2.x"}:
  #
  #     mkDerivation (mergeAttrsByVersion "package-name" version
  #       { # version specific settings
  #         "git" = { src = ..; preConfigre = "autogen.sh"; buildInputs = [automake autoconf libtool];  };
  #         "2.x" = { src = ..; };
  #       }
  #       {  // shared settings
  #          buildInputs = [ common build inputs ];
  #          meta = { .. }
  #       }
  #     )
  #
  # Please note that e.g. Eelco Dolstra usually prefers having one file for
  # each version. On the other hand there are valuable additional design goals
  #  - readability
  #  - do it once only
  #  - try to avoid duplication
  #
  # Marc Weber and Michael Raskin sometimes prefer keeping older
  # versions around for testing and regression tests - as long as its cheap to
  # do so.
  #
  # Very often it just happens that the "shared" code is the bigger part.
  # Then using this function might be appropriate.
  #
  # Be aware that its easy to cause recompilations in all versions when using
  # this function - also if derivations get too complex splitting into multiple
  # files is the way to go.
  #
  # See misc.nix -> versionedDerivation
  # discussion: nixpkgs: pull/310
  mergeAttrsByVersion = name: version: attrsByVersion: base:
    mergeAttrsByFuncDefaultsClean [ { name = "${name}-${version}"; }
                                    base
                                    (maybeAttr version (throw "bad version ${version} for ${name}") attrsByVersion)
                                  ];
  # sane defaults (same name as attr name so that inherit can be used)
  mergeAttrBy = # { buildInputs = concatList; [...]; passthru = mergeAttr; [..]; }
    listToAttrs (map (n: nameValuePair n lib.concat)
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@ -546,12 +546,12 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
    fullName = "zlib License";
  };
-  zpt20 = spdx { # FIXME: why zpt* instead of zpl*
+  zpl20 = spdx {
    spdxId = "ZPL-2.0";
    fullName = "Zope Public License 2.0";
  };
-  zpt21 = spdx {
+  zpl21 = spdx {
    spdxId = "ZPL-2.1";
    fullName = "Zope Public License 2.1";
  };
--- a/lib/lists.nix
+++ b/lib/lists.nix
@ -477,4 +477,12 @@ rec {
  */
  subtractLists = e: filter (x: !(elem x e));
  /* Test if two lists have no common element.
     It should be slightly more efficient than (intersectLists a b == [])
  */
  mutuallyExclusive = a: b:
    (builtins.length a) == 0 ||
    (!(builtins.elem (builtins.head a) b) &&
     mutuallyExclusive (builtins.tail a) b);
 }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -33,6 +33,7 @@
  algorith = "Dries Van Daele <dries_van_daele@telenet.be>";
  alibabzo = "Alistair Bill <alistair.bill@gmail.com>";
  all = "Nix Committers <nix-commits@lists.science.uu.nl>";
  alunduil = "Alex Brandt <alunduil@alunduil.com>";
  ambrop72 = "Ambroz Bizjak <ambrop7@gmail.com>";
  amiddelk = "Arie Middelkoop <amiddelk@gmail.com>";
  amiloradovsky = "Andrew Miloradovsky <miloradovsky@gmail.com>";
@ -43,6 +44,7 @@
  andrewrk = "Andrew Kelley <superjoe30@gmail.com>";
  andsild = "Anders Sildnes <andsild@gmail.com>";
  aneeshusa = "Aneesh Agrawal <aneeshusa@gmail.com>";
  ankhers = "Justin Wood <justin.k.wood@gmail.com>";
  antono = "Antono Vasiljev <self@antono.info>";
  apeschar = "Albert Peschar <albert@peschar.net>";
  apeyroux = "Alexandre Peyroux <alex@px.io>";
@ -62,6 +64,7 @@
  bachp = "Pascal Bach <pascal.bach@nextrem.ch>";
  badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
  balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
  barrucadu = "Michael Walker <mike@barrucadu.co.uk>";
  basvandijk = "Bas van Dijk <v.dijk.bas@gmail.com>";
  Baughn = "Svein Ove Aas <sveina@gmail.com>";
  bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
@ -73,6 +76,7 @@
  berdario = "Dario Bertini <berdario@gmail.com>";
  bergey = "Daniel Bergey <bergey@teallabs.org>";
  bhipple = "Benjamin Hipple <bhipple@protonmail.com>";
  binarin = "Alexey Lebedeff <binarin@binarin.ru>";
  bjg = "Brian Gough <bjg@gnu.org>";
  bjornfor = "Bjørn Forsman <bjorn.forsman@gmail.com>";
  bluescreen303 = "Mathijs Kwik <mathijs@bluescreen303.nl>";
@ -86,11 +90,14 @@
  bstrik = "Berno Strik <dutchman55@gmx.com>";
  bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
  c0dehero = "CodeHero <codehero@nerdpol.ch>";
  calbrecht = "Christian Albrecht <christian.albrecht@mayflower.de>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  calvertvl = "Victor Calvert <calvertvl@gmail.com>";
  campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
  canndrew = "Andrew Cann <shum@canndrew.org>";
  carlsverre = "Carl Sverre <accounts@carlsverre.com>";
  casey = "Casey Rodarmor <casey@rodarmor.net>";
  caugner = "Claas Augner <nixos@caugner.de>";
  cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  changlinli = "Changlin Li <mail@changlinli.com>";
@ -106,6 +113,7 @@
  cleverca22 = "Michael Bishop <cleverca22@gmail.com>";
  cmcdragonkai = "Roger Qiu <roger.qiu@matrix.ai>";
  cmfwyp = "cmfwyp <cmfwyp@riseup.net>";
  cobbal = "Andrew Cobb <andrew.cobb@gmail.com>";
  coconnor = "Corey O'Connor <coreyoconnor@gmail.com>";
  codsl = "codsl <codsl@riseup.net>";
  codyopel = "Cody Opel <codyopel@gmail.com>";
@ -133,12 +141,14 @@
  dbrock = "Daniel Brockman <daniel@brockman.se>";
  deepfire = "Kosyrev Serge <_deepfire@feelingofgreen.ru>";
  demin-dmitriy = "Dmitriy Demin <demindf@gmail.com>";
  derchris = "Christian Gerbrandt <derchris@me.com>";
  DerGuteMoritz = "Moritz Heidkamp <moritz@twoticketsplease.de>";
  dermetfan = "Robin Stumm <serverkorken@gmail.com>";
  DerTim1 = "Tim Digel <tim.digel@active-group.de>";
  desiderius = "Didier J. Devroye <didier@devroye.name>";
  devhell = "devhell <\"^\"@regexmail.net>";
  dezgeg = "Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>";
  dfordivam = "Divam <dfordivam+nixpkgs@gmail.com>";
  dfoxfranke = "Daniel Fox Franke <dfoxfranke@gmail.com>";
  dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
  dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
@ -155,6 +165,7 @@
  drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
  dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
  dtzWill = "Will Dietz <nix@wdtz.org>";
  dywedir = "Vladyslav M. <dywedir@protonmail.ch>";
  e-user = "Alexander Kahl <nixos@sodosopa.io>";
  ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
  edanaher = "Evan Danaher <nixos@edanaher.net>";
@ -169,6 +180,7 @@
  ekleog = "Leo Gaspard <leo@gaspard.io>";
  elasticdog = "Aaron Bull Schaefer <aaron@elasticdog.com>";
  eleanor = "Dejan Lukan <dejan@proteansec.com>";
  elijahcaine = "Elijah Caine <elijahcainemv@gmail.com>";
  elitak = "Eric Litak <elitak@gmail.com>";
  ellis = "Ellis Whitehead <nixos@ellisw.net>";
  eperuffo = "Emanuele Peruffo <info@emanueleperuffo.com>";
@ -205,10 +217,12 @@
  garrison = "Jim Garrison <jim@garrison.cc>";
  gavin = "Gavin Rogers <gavin@praxeology.co.uk>";
  gebner = "Gabriel Ebner <gebner@gebner.org>";
  geistesk = "Alvar Penning <post@0x21.biz>";
  georgewhewell = "George Whewell <georgerw@gmail.com>";
  gilligan = "Tobias Pflug <tobias.pflug@gmail.com>";
  giogadi = "Luis G. Torres <lgtorres42@gmail.com>";
  gleber = "Gleb Peregud <gleber.p@gmail.com>";
  glenns = "Glenn Searby <glenn.searby@gmail.com>";
  globin = "Robin Gloster <mail@glob.in>";
  gnidorah = "Alex Ivanov <yourbestfriend@opmbx.org>";
  goibhniu = "Cillian de Róiste <cillian.deroiste@gmail.com>";
@ -216,6 +230,7 @@
  goodrone = "Andrew Trachenko <goodrone@gmail.com>";
  gpyh = "Yacine Hmito <yacine.hmito@gmail.com>";
  grahamc = "Graham Christensen <graham@grahamc.com>";
  grburst = "Julius Elias <grburst@openmailbox.org>";
  gridaphobe = "Eric Seidel <eric@seidel.io>";
  guibert = "David Guibert <david.guibert@gmail.com>";
  guillaumekoenig = "Guillaume Koenig <guillaume.edward.koenig@gmail.com>";
@ -224,8 +239,10 @@
  havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
  hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
  hce = "Hans-Christian Esperer <hc@hcesperer.org>";
  hectorj = "Hector Jusforgues <hector.jusforgues+nixos@gmail.com>";
  heel = "Sergii Paryzhskyi <parizhskiy@gmail.com>";
  henrytill = "Henry Till <henrytill@gmail.com>";
  hhm = "hhm <heehooman+nixpkgs@gmail.com>";
  hinton = "Tom Hinton <t@larkery.com>";
  hodapp = "Chris Hodapp <hodapp87@gmail.com>";
  hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
@ -234,14 +251,14 @@
  ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
  igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
  ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
-  infinisil = "Silvan Mosberger <infinisil@icloud.com";
+  infinisil = "Silvan Mosberger <infinisil@icloud.com>";
  ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
  j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
  jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
  jammerful = "jammerful <jammerful@gmail.com>";
  jansol = "Jan Solanti <jan.solanti@paivola.fi>";
  javaguirre = "Javier Aguirre <contacto@javaguirre.net>";
-  jb55 = "William Casarin <bill@casarin.me>";
+  jb55 = "William Casarin <jb55@jb55.com>";
  jbedo = "Justin Bedő <cu@cua0.org>";
  jcumming = "Jack Cummings <jack@mudshark.org>";
  jdagilliland = "Jason Gilliland <jdagilliland@gmail.com>";
@ -262,6 +279,7 @@
  joelmo = "Joel Moberg <joel.moberg@gmail.com>";
  joelteon = "Joel Taylor <me@joelt.io>";
  johbo = "Johannes Bornhold <johannes@bornhold.name>";
  johnramsden = "John Ramsden <johnramsden@riseup.net>";
  joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
  jonafato = "Jon Banafato <jon@jonafato.com>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
@ -281,8 +299,10 @@
  khumba = "Bryan Gardiner <bog@khumba.net>";
  KibaFox = "Kiba Fox <kiba.fox@foxypossibilities.com>";
  kierdavis = "Kier Davis <kierdavis@gmail.com>";
  kiloreux = "Kiloreux Emperex <kiloreux@gmail.com>";
  kkallio = "Karn Kallio <tierpluspluslists@gmail.com>";
  knedlsepp = "Josef Kemetmüller <josef.kemetmueller@gmail.com>";
  konimex = "Muhammad Herdiansyah <herdiansyah@openmailbox.org>";
  koral = "Koral <koral@mailoo.org>";
  kovirobi = "Kovacsics Robert <kovirobi@gmail.com>";
  kragniz = "Louis Taylor <louis@kragniz.eu>";
@ -303,6 +323,7 @@
  lihop = "Leroy Hopson <nixos@leroy.geek.nz>";
  linquize = "Linquize <linquize@yahoo.com.hk>";
  linus = "Linus Arver <linusarver@gmail.com>";
  lluchs = "Lukas Werling <lukas.werling@gmail.com>";
  lnl7 = "Daiderd Jordan <daiderd@gmail.com>";
  loskutov = "Ignat Loskutov <ignat.loskutov@gmail.com>";
  lovek323 = "Jason O'Conal <jason@oconal.id.au>";
@ -314,6 +335,7 @@
  luispedro = "Luis Pedro Coelho <luis@luispedro.org>";
  lukego = "Luke Gorrie <luke@snabb.co>";
  lw = "Sergey Sofeychuk <lw@fmap.me>";
  lyt = "Tim Liou <wheatdoge@gmail.com>";
  m3tti = "Mathaeus Sander <mathaeus.peter.sander@gmail.com>";
  ma27 = "Maximilian Bosch <maximilian@mbosch.me>";
  madjar = "Georges Dubus <georges.dubus@compiletoi.net>";
@ -365,6 +387,7 @@
  MostAwesomeDude = "Corbin Simpson <cds@corbinsimpson.com>";
  mounium = "Katona László <muoniurn@gmail.com>";
  MP2E = "Cray Elliott <MP2E@archlinux.us>";
  mpcsh = "Mark Cohen <m@mpc.sh>";
  mpscholten = "Marc Scholten <marc@mpscholten.de>";
  mpsyco = "Francis St-Amour <fr.st-amour@gmail.com>";
  msackman = "Matthew Sackman <matthew@wellquite.org>";
@ -379,11 +402,12 @@
  nand0p = "Fernando Jose Pando <nando@hex7.com>";
  Nate-Devv = "Nathan Moore <natedevv@gmail.com>";
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
-  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
+  nckx = "Tobias Geerinckx-Rice <github@tobias.gr>";
  ndowens = "Nathan Owens <ndowens04@gmail.com>";
  neeasade = "Nathan Isom <nathanisom27@gmail.com>";
  nequissimus = "Tim Steinbach <tim@nequissimus.com>";
  nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
  nh2 = "Niklas Hambüchen <mail@nh2.me>";
  nhooyr = "Anmol Sethi <anmol@aubble.com>";
  nickhu = "Nick Hu <me@nickhu.co.uk>";
  nicknovitski = "Nick Novitski <nixpkgs@nicknovitski.com>";
@ -395,6 +419,7 @@
  np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
  nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
  nthorne = "Niklas Thörne <notrupertthorne@gmail.com>";
  nyarly = "Judson Lester <nyarly@gmail.com>";
  obadz = "obadz <obadz-nixos@obadz.com>";
  ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
  odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
@ -403,6 +428,7 @@
  okasu = "Okasu <oka.sux@gmail.com>";
  olcai = "Erik Timan <dev@timan.info>";
  olejorgenb = "Ole Jørgen Brønner <olejorgenb@yahoo.no>";
  olynch = "Owen Lynch <owen@olynch.me>";
  orbekk = "KJ Ørbekk <kjetil.orbekk@gmail.com>";
  orbitz = "Malcolm Matalka <mmatalka@gmail.com>";
  orivej = "Orivej Desh <orivej@gmx.fr>";
@ -488,6 +514,7 @@
  ryanartecona = "Ryan Artecona <ryanartecona@gmail.com>";
  ryansydnor = "Ryan Sydnor <ryan.t.sydnor@gmail.com>";
  ryantm = "Ryan Mulligan <ryan@ryantm.com>";
  rybern = "Ryan Bernstein <ryan.bernstein@columbia.edu>";
  rycee = "Robert Helgesson <robert@rycee.net>";
  ryneeverett = "Ryne Everett <ryneeverett@gmail.com>";
  rzetterberg = "Richard Zetterberg <richard.zetterberg@gmail.com>";
@ -495,10 +522,12 @@
  samuelrivas = "Samuel Rivas <samuelrivas@gmail.com>";
  sander = "Sander van der Burg <s.vanderburg@tudelft.nl>";
  sargon = "Daniel Ehlers <danielehlers@mindeye.net>";
  sauyon = "Sauyon Lee <s@uyon.co>";
  schmitthenner = "Fabian Schmitthenner <development@schmitthenner.eu>";
  schneefux = "schneefux <schneefux+nixos_pkg@schneefux.xyz>";
  schristo = "Scott Christopher <schristopher@konputa.com>";
  scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
  sdll = "Sasha Illarionov <sasha.delly@gmail.com>";
  sepi = "Raffael Mancini <raffael@mancini.lu>";
  seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
  shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
@ -519,6 +548,7 @@
  smironov = "Sergey Mironov <grrwlf@gmail.com>";
  snyh = "Xia Bin <snyh@snyh.org>";
  solson = "Scott Olson <scott@solson.me>";
  sorpaas = "Wei Tang <hi@that.world>";
  spacefrogg = "Michael Raitza <spacefrogg-nixos@meterriblecrew.net>";
  spencerjanssen = "Spencer Janssen <spencerjanssen@gmail.com>";
  spinus = "Tomasz Czyż <tomasz.czyz@gmail.com>";
@ -552,9 +582,11 @@
  thoughtpolice = "Austin Seipp <aseipp@pobox.com>";
  timbertson = "Tim Cuthbertson <tim@gfxmonk.net>";
  titanous = "Jonathan Rudenberg <jonathan@titanous.com>";
  tnias = "Philipp Bartsch <phil@grmr.de>";
  tohl = "Tomas Hlavaty <tom@logand.com>";
  tokudan = "Daniel Frank <git@danielfrank.net>";
  tomberek = "Thomas Bereknyei <tomberek@gmail.com>";
  tomsmeets = "Tom Smeets <tom@tsmeets.nl>";
  travisbhartwell = "Travis B. Hartwell <nafai@travishartwell.net>";
  trevorj = "Trevor Joynson <nix@trevor.joynson.io>";
  trino = "Hubert Mühlhans <muehlhans.hubert@ekodia.de>";
@ -563,12 +595,15 @@
  tv = "Tomislav Viljetić <tv@shackspace.de>";
  tvestelind = "Tomas Vestelind <tomas.vestelind@fripost.org>";
  tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
  tweber = "Thorsten Weber <tw+nixpkgs@360vier.de>";
  twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
  uralbash = "Svintsov Dmitry <root@uralbash.ru>";
  utdemir = "Utku Demir <me@utdemir.com>";
  #urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
  uwap = "uwap <me@uwap.name>";
  vaibhavsagar = "Vaibhav Sagar <vaibhavsagar@gmail.com>";
  vandenoever = "Jos van den Oever <jos@vandenoever.info>";
  vanschelven = "Klaas van Schelven <klaas@vanschelven.com>";
  vanzef = "Ivan Solyankin <vanzef@gmail.com>";
  vbgl = "Vincent Laporte <Vincent.Laporte@gmail.com>";
  vbmithr = "Vincent Bernardoff <vb@luminar.eu.org>";
@ -576,6 +611,7 @@
  vdemeester = "Vincent Demeester <vincent@sbr.pm>";
  veprbl = "Dmitry Kalinkin <veprbl@gmail.com>";
  vifino = "Adrian Pistol <vifino@tty.sh>";
  vinymeuh = "VinyMeuh <vinymeuh@gmail.com>";
  viric = "Lluís Batlle i Rossell <viric@viric.name>";
  vizanto = "Danny Wilson <danny@prime.vc>";
  vklquevs = "vklquevs <vklquevs@gmail.com>";
@ -587,7 +623,9 @@
  volth = "Jaroslavas Pocepko <jaroslavas@volth.com>";
  vozz = "Oliver Hunt <oliver.huntuk@gmail.com>";
  vrthra = "Rahul Gopinath <rahul@gopinath.org>";
  vyp = "vyp <elisp.vim@gmail.com>";
  wedens = "wedens <kirill.wedens@gmail.com>";
  willibutz = "Willi Butz <willibutz@posteo.de>";
  willtim = "Tim Philip Williams <tim.williams.public@gmail.com>";
  winden = "Antonio Vargas Gonzalez <windenntw@gmail.com>";
  wizeman = "Ricardo M. Correia <rcorreia@wizy.org>";
@ -612,6 +650,7 @@
  zauberpony = "Elmar Athmer <elmar@athmer.org>";
  zef = "Zef Hemel <zef@zef.me>";
  zimbatm = "zimbatm <zimbatm@zimbatm.com>";
  Zimmi48 = "Théo Zimmermann <theo.zimmermann@univ-paris-diderot.fr>";
  zohl = "Al Zohali <zohl@fmap.me>";
  zoomulator = "Kim Simmons <zoomulator@gmail.com>";
  zraexy = "David Mell <zraexy@gmail.com>";
--- a/lib/minver.nix
+++ b/lib/minver.nix
@ -1,2 +1,2 @@
 # Expose the minimum required version for evaluating Nixpkgs
-"1.10"
+"1.11"
--- a/lib/sources.nix
+++ b/lib/sources.nix
@ -17,6 +17,8 @@ rec {
    (type == "directory" && (baseName == ".git" || baseName == ".svn" || baseName == "CVS" || baseName == ".hg")) ||
    # Filter out backup files.
    lib.hasSuffix "~" baseName ||
    builtins.match "^.*\.sw[a-z]$" baseName != null ||
    # Filter out generates files.
    lib.hasSuffix ".o" baseName ||
    lib.hasSuffix ".so" baseName ||
--- a/lib/systems/doubles.nix
+++ b/lib/systems/doubles.nix
@ -26,7 +26,7 @@ in rec {
  allBut = platforms: lists.filter (x: !(builtins.elem x platforms)) all;
  none = [];
-  arm     = filterDoubles predicates.isArm32;
+  arm     = filterDoubles predicates.isArm;
  i686    = filterDoubles predicates.isi686;
  mips    = filterDoubles predicates.isMips;
  x86_64  = filterDoubles predicates.isx86_64;
--- a/lib/systems/inspect.nix
+++ b/lib/systems/inspect.nix
@ -8,8 +8,10 @@ rec {
    "64bit"      = { cpu = { bits = 64; }; };
    i686         = { cpu = cpuTypes.i686; };
    x86_64       = { cpu = cpuTypes.x86_64; };
    PowerPC      = { cpu = cpuTypes.powerpc; };
    x86          = { cpu = { family = "x86"; }; };
    Arm          = { cpu = { family = "arm"; }; };
    Aarch64      = { cpu = { family = "aarch64"; }; };
    Mips         = { cpu = { family = "mips"; }; };
    BigEndian    = { cpu = { significantByte = significantBytes.bigEndian; }; };
    LittleEndian = { cpu = { significantByte = significantBytes.littleEndian; }; };
@ -27,9 +29,6 @@ rec {
    Windows      = { kernel = kernels.windows; };
    Cygwin       = { kernel = kernels.windows; abi = abis.cygnus; };
    MinGW        = { kernel = kernels.windows; abi = abis.gnu; };
    Arm32        = recursiveUpdate Arm patterns."32bit";
    Arm64        = recursiveUpdate Arm patterns."64bit";
  };
  matchAnyAttrs = patterns:
--- a/lib/systems/parse.nix
+++ b/lib/systems/parse.nix
@ -40,11 +40,11 @@ rec {
    armv6l   = { bits = 32; significantByte = littleEndian; family = "arm"; };
    armv7a   = { bits = 32; significantByte = littleEndian; family = "arm"; };
    armv7l   = { bits = 32; significantByte = littleEndian; family = "arm"; };
-    aarch64  = { bits = 64; significantByte = littleEndian; family = "arm"; };
+    aarch64  = { bits = 64; significantByte = littleEndian; family = "aarch64"; };
    i686     = { bits = 32; significantByte = littleEndian; family = "x86"; };
    x86_64   = { bits = 64; significantByte = littleEndian; family = "x86"; };
    mips64el = { bits = 32; significantByte = littleEndian; family = "mips"; };
-    powerpc  = { bits = 32; significantByte = bigEndian;    family = "powerpc"; };
+    powerpc  = { bits = 32; significantByte = bigEndian;    family = "power"; };
  };
  isVendor = isType "vendor";
--- a/lib/systems/platforms.nix
+++ b/lib/systems/platforms.nix
@ -543,6 +543,10 @@ rec {
      # Cavium ThunderX stuff.
      PCI_HOST_THUNDER_ECAM y
      # The default (=y) forces us to have the XHCI firmware available in initrd,
      # which our initrd builder can't currently do easily.
      USB_XHCI_TEGRA m
    '';
    uboot = null;
    kernelTarget = "Image";
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@ -70,6 +70,16 @@ rec {
  min = x: y: if x < y then x else y;
  max = x: y: if x > y then x else y;
  /* Integer modulus
     Example:
       mod 11 10
       => 1
       mod 1 10
       => 1
  */
  mod = base: int: base - (int * (builtins.div base int));
  /* Reads a JSON file. */
  importJSON = path:
    builtins.fromJSON (builtins.readFile path);
--- a/maintainers/scripts/gnome.sh
+++ b/maintainers/scripts/gnome.sh
@ -2,11 +2,11 @@
 set -o pipefail
-GNOME_FTP="ftp.gnome.org/pub/GNOME/sources"
+GNOME_FTP=ftp.gnome.org/pub/GNOME/sources
 # projects that don't follow the GNOME major versioning, or that we don't want to
 # programmatically update
-NO_GNOME_MAJOR="gtkhtml gdm"
+NO_GNOME_MAJOR="ghex gtkhtml gdm"
 usage() {
  echo "Usage: $0 gnome_dir <show project>|<update project>|<update-all> [major.minor]" >&2
@ -18,10 +18,10 @@ if [ "$#" -lt 2 ]; then
  usage
 fi
-GNOME_TOP="$1"
+GNOME_TOP=$1
 shift
-action="$1"
+action=$1
 # curl -l ftp://... doesn't work from my office in HSE, and I don't want to have
 # any conversations with sysadmin. Somehow lftp works.
@ -36,18 +36,18 @@ else
 fi
 find_project() {
-  exec find "$GNOME_TOP" -mindepth 2 -maxdepth 2 -type d $@
+  exec find "$GNOME_TOP" -mindepth 2 -maxdepth 2 -type d "$@"
 }
 show_project() {
-  local project="$1"
+  local project=$1
-  local majorVersion="$2"
+  local majorVersion=$2
-  local version=""
+  local version=
  if [ -z "$majorVersion" ]; then
    echo "Looking for available versions..." >&2
-    local available_baseversions=( `ls_ftp ftp://${GNOME_FTP}/${project} | grep '[0-9]\.[0-9]' | sort -t. -k1,1n -k 2,2n` )
+    local available_baseversions=$(ls_ftp ftp://${GNOME_FTP}/${project} | grep '[0-9]\.[0-9]' | sort -t. -k1,1n -k 2,2n)
-    if [ "$?" -ne "0" ]; then
+    if [ "$?" -ne 0 ]; then
      echo "Project $project not found" >&2
      return 1
    fi
@ -59,11 +59,11 @@ show_project() {
  if echo "$majorVersion" | grep -q "[0-9]\+\.[0-9]\+\.[0-9]\+"; then
    # not a major version
-    version="$majorVersion"
+    version=$majorVersion
    majorVersion=$(echo "$majorVersion" | cut -d '.' -f 1,2)
  fi
-  local FTPDIR="${GNOME_FTP}/${project}/${majorVersion}"
+  local FTPDIR=${GNOME_FTP}/${project}/${majorVersion}
  #version=`curl -l ${FTPDIR}/ 2>/dev/null | grep LATEST-IS | sed -e s/LATEST-IS-//`
  # gnome's LATEST-IS is broken. Do not trust it.
@ -92,7 +92,7 @@ show_project() {
  		esac
  	done
  	echo "Found versions ${!versions[@]}" >&2
-  	version=`echo ${!versions[@]} | sed -e 's/ /\n/g' | sort -t. -k1,1n -k 2,2n -k 3,3n | tail -n1`
+  	version=$(echo ${!versions[@]} | sed -e 's/ /\n/g' | sort -t. -k1,1n -k 2,2n -k 3,3n | tail -n1)
        if [ -z "$version" ]; then
          echo "No version available for major $majorVersion" >&2
          return 1
@ -103,7 +103,7 @@ show_project() {
  local name=${project}-${version}
  echo "Fetching .sha256 file" >&2
-  local sha256out=$(curl -s -f http://${FTPDIR}/${name}.sha256sum)
+  local sha256out=$(curl -s -f http://"${FTPDIR}"/"${name}".sha256sum)
  if [ "$?" -ne "0" ]; then
  	echo "Version not found" >&2
@ -136,8 +136,8 @@ fetchurl: {
 }
 update_project() {
-  local project="$1"
+  local project=$1
-  local majorVersion="$2"
+  local majorVersion=$2
  # find project in nixpkgs tree
  projectPath=$(find_project -name "$project" -print)
@ -150,14 +150,14 @@ update_project() {
  if [ "$?" -eq "0" ]; then
    echo "Updating $projectPath/src.nix" >&2
-    echo -e "$src" > "$projectPath/src.nix"
+    echo -e "$src" > "$projectPath"/src.nix
  fi
  return 0
 }
-if [ "$action" == "update-all" ]; then
+if [ "$action" = "update-all" ]; then
-  majorVersion="$2"
+  majorVersion=$2
  if [ -z "$majorVersion" ]; then
    echo "No major version specified" >&2
    usage
@ -170,23 +170,23 @@ if [ "$action" == "update-all" ]; then
      echo "Skipping $project"
    else
      echo "= Updating $project to $majorVersion" >&2
-      update_project $project $majorVersion
+      update_project "$project" "$majorVersion"
      echo >&2
    fi
  done
 else
-  project="$2"
+  project=$2
-  majorVersion="$3"
+  majorVersion=$3
  if [ -z "$project" ]; then
    echo "No project specified, exiting" >&2
    usage
  fi
-  if [ "$action" == "show" ]; then
+  if [ "$action" = show ]; then
-    show_project $project $majorVersion
+    show_project "$project" "$majorVersion"
-  elif [ "$action" == "update" ]; then
+  elif [ "$action" = update ]; then
-    update_project $project $majorVersion
+    update_project "$project" "$majorVersion"
  else
    echo "Unknown action $action" >&2
    usage
--- a/maintainers/scripts/hydra-eval-failures.py
+++ b/maintainers/scripts/hydra-eval-failures.py
@ -31,18 +31,21 @@ EVAL_FILE = {
 def get_maintainers(attr_name):
-    nixname = attr_name.split('.')
+    try:
-    meta_json = subprocess.check_output([
+        nixname = attr_name.split('.')
-        'nix-instantiate',
+        meta_json = subprocess.check_output([
-        '--eval',
+            'nix-instantiate',
-        '--strict',
+            '--eval',
-        '-A',
+            '--strict',
-        '.'.join(nixname[1:]) + '.meta',
+            '-A',
-        EVAL_FILE[nixname[0]],
+            '.'.join(nixname[1:]) + '.meta',
-        '--json'])
+            EVAL_FILE[nixname[0]],
-    meta = json.loads(meta_json)
+            '--json'])
-    if meta.get('maintainers'):
+        meta = json.loads(meta_json)
-        return [MAINTAINERS[name] for name in meta['maintainers'] if MAINTAINERS.get(name)]
+        if meta.get('maintainers'):
            return [MAINTAINERS[name] for name in meta['maintainers'] if MAINTAINERS.get(name)]
    except:
       return []
@click.command()
--- a/maintainers/scripts/travis-nox-review-pr.sh
+++ b/maintainers/scripts/travis-nox-review-pr.sh
@ -53,8 +53,8 @@ while test -n "$1"; do
        nox)
            echo "=== Fetching Nox from binary cache"
-            # build nox silently so it's not in the log
+            # build nox (+ a basic nix-shell env) silently so it's not in the log
-            nix-build "<nixpkgs>" -A nox -A stdenv
+            nix-shell -p nox stdenv --command true
            ;;
        pr)
--- a/maintainers/scripts/update-python-libraries
+++ b/maintainers/scripts/update-python-libraries
@ -91,6 +91,7 @@ def _get_latest_version_pypi(package, extension):
        if release['filename'].endswith(extension):
            # TODO: In case of wheel we need to do further checks!
            sha256 = release['digests']['sha256']
            break
    else:
        sha256 = None
    return version, sha256
--- a/nixos/doc/manual/development/releases.xml
+++ b/nixos/doc/manual/development/releases.xml
@ -10,7 +10,7 @@
  <title>Release process</title>
  <para>
-    Going through an example of releasing NixOS 15.09:
+    Going through an example of releasing NixOS 17.09:
  </para>
  <section xml:id="one-month-before-the-beta">
@ -18,13 +18,13 @@
    <itemizedlist spacing="compact">
      <listitem>
        <para>
-          Send an email to nix-dev mailinglist as a warning about upcoming beta "feature freeze" in a month.
+          Send an email to the nix-devel mailinglist as a warning about upcoming beta "feature freeze" in a month.
        </para>
      </listitem>
      <listitem>
        <para>
          Discuss with Eelco Dolstra and the community (via IRC, ML) about what will reach the deadline.
-          Any issue or Pull Request targeting the release should have assigned milestone.
+          Any issue or Pull Request targeting the release should be included in the release milestone.
        </para>
      </listitem>
    </itemizedlist>
@ -32,64 +32,6 @@
  <section xml:id="at-beta-release-time">
    <title>At beta release time</title>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Rename <literal>rl-unstable.xml</literal> -&gt;
          <literal>rl-1509.xml</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>git tag -a -m &quot;Release 15.09-beta&quot; 15.09-beta &amp;&amp; git push --tags</literal>
        </para>
      </listitem>
      <listitem>
        <para>
          From the master branch run <literal>git checkout -B release-15.09</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
            Make sure channel is created at http://nixos.org/channels/.
          </link>
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches">
            Lock the branch on github (so developers can’t force push)
          </link>
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">bump
          <literal>system.defaultChannel</literal> attribute in
          <literal>nixos/modules/misc/version.nix</literal></link>
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">update
          <literal>versionSuffix</literal> in
          <literal>nixos/release.nix</literal></link>, use
          <literal>git log --format=%an|wc -l</literal> to get commit
          count
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>echo -n &quot;16.03&quot; &gt; .version</literal> in
          master.
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842">pick
          a new name for unstable branch.</link>
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/13559">Create
@ -99,26 +41,81 @@
      </listitem>
      <listitem>
        <para>
-          Use https://lwn.net/Vulnerabilities/ and 
+          <literal>git tag -a -s -m &quot;Release 17.09-beta&quot; 17.09-beta &amp;&amp; git push --tags</literal>
          <link xlink:href="https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&amp;q=vulnerabilities&amp;type=Issues">triage vulnerabilities in an issue</link>.
        </para>
      </listitem>
      <listitem>
        <para>
-          Create two Hydra jobsets: release-15.09 and release-15.09-small with <literal>stableBranch</literal> set to false
+          From the master branch run <literal>git checkout -B release-17.09</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixos-org-configurations/pull/18">
            Make sure a channel is created at http://nixos.org/channels/.
          </link>
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/settings/branches">
            Let a GitHub nixpkgs admin lock the branch on github for you.
            (so developers can’t force push)
          </link>
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">
            Bump the <literal>system.defaultChannel</literal> attribute in
            <literal>nixos/modules/misc/version.nix</literal>
          </link>
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/d6b08acd1ccac0d9d502c4b635e00b04d3387f06">
            Update <literal>versionSuffix</literal> in
          <literal>nixos/release.nix</literal></link>, use
          <literal>git log --format=%an|wc -l</literal> to get the commit
          count
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>echo -n &quot;18.03&quot; &gt; .version</literal> on
          master.
        </para>
      </listitem>
      <listitem>
        <para>
          <link xlink:href="https://github.com/NixOS/nixpkgs/commit/b8a4095003e27659092892a4708bb3698231a842">
            Pick a new name for the unstable branch.
          </link>
        </para>
      </listitem>
      <listitem>
        <para>
          Create a new release notes file for the upcoming release + 1, in this
          case <literal>rl-1803.xml</literal>.
        </para>
      </listitem>
      <listitem>
        <para>
          Create two Hydra jobsets: release-17.09 and release-17.09-small with <literal>stableBranch</literal> set to false.
        </para>
      </listitem>
      <listitem>
        <para>
          Edit changelog at
-          <literal>nixos/doc/manual/release-notes/rl-1509.xml</literal>
+          <literal>nixos/doc/manual/release-notes/rl-1709.xml</literal>
          (double check desktop versions are noted)
        </para>
        <itemizedlist spacing="compact">
          <listitem>
            <para>
              Get all new NixOS modules
-              <literal>git diff release-14.12..release-15.09 nixos/modules/module-list.nix|grep ^+</literal>
+              <literal>git diff release-17.03..release-17.09 nixos/modules/module-list.nix|grep ^+</literal>
            </para>
          </listitem>
          <listitem>
@ -130,9 +127,25 @@
      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="during-beta">
    <title>During Beta</title>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Monitor the master branch for bugfixes and minor updates
          and cherry-pick them to the release branch.
        </para>
      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="before-the-final-release">
    <title>Before the final release</title>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Re-check that the release notes are complete.
        </para>
      </listitem>
      <listitem>
        <para>
          Release Nix (currently only Eelco Dolstra can do that).
--- a/nixos/doc/manual/installation/installing-usb.xml
+++ b/nixos/doc/manual/installation/installing-usb.xml
@ -11,7 +11,7 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
 <command>dd if=<replaceable>path-to-image</replaceable>
 of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
 correct drive; you can use the <command>lsblk</command> command to get a list of
-block devices. If you're on OS X you can run <command>diskutil list</command>
+block devices. If you're on macOS you can run <command>diskutil list</command>
 to see the list of devices; the device you'll use for the USB must be ejected
 before writing the image.</para>
--- a/nixos/doc/manual/man-nixos-option.xml
+++ b/nixos/doc/manual/man-nixos-option.xml
@ -17,11 +17,16 @@
 <refsynopsisdiv>
  <cmdsynopsis>
    <command>nixos-option</command>
-    <arg choice='plain'><replaceable>option.name</replaceable></arg>
+    <arg>
      <option>-I</option>
      <replaceable>path</replaceable>
    </arg>
    <arg><option>--verbose</option></arg>
    <arg><option>--xml</option></arg>
    <arg choice="plain"><replaceable>option.name</replaceable></arg>
  </cmdsynopsis>
 </refsynopsisdiv>
 <refsection><title>Description</title>
 <para>This command evaluates the configuration specified in
@ -33,6 +38,45 @@ attributes contained in the attribute set.</para>
 </refsection>
 <refsection><title>Options</title>
 <para>This command accepts the following options:</para>
 <variablelist>
  <varlistentry>
    <term><option>-I</option> <replaceable>path</replaceable></term>
    <listitem>
      <para>
        This option is passed to the underlying
        <command>nix-instantiate</command> invocation.
      </para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><option>--verbose</option></term>
    <listitem>
      <para>
        This option enables verbose mode, which currently is just
        the Bash <command>set</command> <option>-x</option> debug mode.
      </para>
    </listitem>
  </varlistentry>
  <varlistentry>
    <term><option>--xml</option></term>
    <listitem>
      <para>
        This option causes the output to be rendered as XML.
      </para>
    </listitem>
  </varlistentry>
 </variablelist>
 </refsection>
 <refsection><title>Environment</title>
 <variablelist>
--- a/nixos/doc/manual/manual.xml
+++ b/nixos/doc/manual/manual.xml
@ -18,7 +18,7 @@
    <para>If you encounter problems, please report them on the
    <literal
-    xlink:href="http://lists.science.uu.nl/mailman/listinfo/nix-dev">nix-dev@lists.science.uu.nl</literal>
+    xlink:href="https://groups.google.com/forum/#!forum/nix-devel">nix-devel</literal>
    mailing list or on the <link
    xlink:href="irc://irc.freenode.net/#nixos">
    <literal>#nixos</literal> channel on Freenode</link>.  Bugs should
--- a/nixos/doc/manual/release-notes/rl-1509.xml
+++ b/nixos/doc/manual/release-notes/rl-1509.xml
@ -28,7 +28,7 @@ has the following highlights:</para>
    since version 0.0 as well as the most recent <link
    xlink:href="http://www.stackage.org/">Stackage Nightly</link>
    snapshot. The announcement <link
-    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2015-September/018138.html">&quot;Full
+    xlink:href="https://nixos.org/nix-dev/2015-September/018138.html">&quot;Full
    Stackage Support in Nixpkgs&quot;</link> gives additional
    details.</para>
  </listitem>
--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@ -78,13 +78,13 @@ following incompatible changes:</para>
    our package set it loosely based on the latest available LTS release, i.e.
    LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
    drop those old names entirely. <link
-    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020585.html">The
+    xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
    motivation for this change</link> has been discussed at length on the
    <literal>nix-dev</literal> mailing list and in <link
    xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github issue
    #14897</link>. Development strategies for Haskell hackers who want to rely
    on Nix and NixOS have been described in <link
-    xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020642.html">another
+    xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
    nix-dev article</link>.</para>
  </listitem>
@ -176,7 +176,7 @@ following incompatible changes:</para>
  streamlined.  Desktop users should be able to simply set
  <programlisting>security.grsecurity.enable = true</programlisting> to get
  a reasonably secure system without having to sacrifice too much
-  functionality.  See <xref linkend="sec-grsecurity" /> for documentation
+  functionality.
  </para></listitem>
  <listitem><para>Special filesystems, like <literal>/proc</literal>,
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@ -10,6 +10,11 @@
 has the following highlights: </para>
 <itemizedlist>
  <listitem>
    <para>
      The GNOME version is now 3.24.
    </para>
  </listitem>
  <listitem>
    <para>
      The user handling now keeps track of deallocated UIDs/GIDs. When a user
@ -85,6 +90,10 @@ rmdir /var/lib/ipfs/.ipfs
    </para>
  </listitem>
  <listitem>
    <para>
      The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
      For <literal>stateVersion = "17.03</literal> or lower the old behavior is preserved.
    </para>
    <para>
      The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
    </para>
@ -94,6 +103,12 @@ rmdir /var/lib/ipfs/.ipfs
    <para>
      The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
    </para>
    <para>
      The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
    </para>
    <para>
      Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher.
    </para>
  </listitem>
  <listitem>
    <para>
@ -113,9 +128,73 @@ rmdir /var/lib/ipfs/.ipfs
      also serve as a SSH agent if <literal>enableSSHSupport</literal> is set.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>services.tinc.networks.&lt;name&gt;.listenAddress</literal>
      option had a misleading name that did not correspond to its behavior. It
      now correctly defines the ip to listen for incoming connections on. To
      keep the previous behaviour, use
      <literal>services.tinc.networks.&lt;name&gt;.bindToAddress</literal>
      instead. Refer to the description of the options for more details.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>tlsdate</literal> package and module were removed. This is due to the project
      being dead and not building with openssl 1.1.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>wvdial</literal> package and module were removed. This is due to the project
      being dead and not building with openssl 1.1.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>cc-wrapper</literal>'s setup-hook now exports a number of
      environment variables corresponding to binutils binaries,
      (e.g. <envar>LD</envar>, <envar>STRIP</envar>, <envar>RANLIB</envar>,
      etc). This is done to prevent packages' build systems guessing, which is
      harder to predict, especially when cross-compiling. However, some packages
      have broken due to this—their build systems either not supporting, or
      claiming to support without adequate testing, taking such environment
      variables as parameters.
    </para>
  </listitem>
  <listitem>
    <para>
      <literal>services.firefox.syncserver</literal> now runs by default as a
      non-root user. To accomodate this change, the default sqlite database
      location has also been changed. Migration should work automatically.
      Refer to the description of the options for more details.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>compiz</literal> window manager and package was
      removed. The system support had been broken for several years.
    </para>
  </listitem>
  <listitem>
    <para>
      Touchpad support should now be enabled through
      <literal>libinput</literal> as <literal>synaptics</literal> is
      now deprecated. See the option
      <literal>services.xserver.libinput.enable</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      grsecurity/PaX support has been dropped, following upstream's
      decision to cease free support.  See
      <link xlink:href="https://grsecurity.net/passing_the_baton.php">
      upstream's announcement</link> for more information.
      No complete replacement for grsecurity/PaX is available presently.
    </para>
  </listitem>
 </itemizedlist>
 <para>Other notable improvements:</para>
 <itemizedlist>
@ -141,6 +220,32 @@ rmdir /var/lib/ipfs/.ipfs
      module where user Fontconfig settings are available.
    </para>
  </listitem>
  <listitem>
    <para>
      ZFS/SPL have been updated to 0.7.0, <literal>zfsUnstable, splUnstable</literal>
      have therefore been removed.
    </para>
  </listitem>
  <listitem>
    <para>
      The <option>time.timeZone</option> option now allows the value
      <literal>null</literal> in addition to timezone strings. This value
      allows changing the timezone of a system imperatively using
      <command>timedatectl set-timezone</command>. The default timezone
      is still UTC.
    </para>
  </listitem>
  <listitem>
    <para>
      Nixpkgs overlays may now be specified with a file as well as a directory. The
      value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
      <filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the
      <filename>~/.config/nixpkgs/overalys</filename> directory.
    </para>
    <para>
      See the overlays chapter of the Nixpkgs manual for more details.
    </para>
  </listitem>
 </itemizedlist>
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@ -0,0 +1,46 @@
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-18.03">
 <title>Release 18.03 (“Impala”, 2018/03/??)</title>
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
 <itemizedlist>
  <listitem>
    <para>
    </para>
  </listitem>
 </itemizedlist>
 <para>The following new services were added since the last release:</para>
 <itemizedlist>
  <listitem>
    <para></para>
  </listitem>
 </itemizedlist>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
    </para>
  </listitem>
 </itemizedlist>
 <para>Other notable improvements:</para>
 <itemizedlist>
  <listitem>
    <para>
    </para>
  </listitem>
 </itemizedlist>
 </section>
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@ -39,19 +39,13 @@
 with lib;
 let
-  # Copied from https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/installer/cd-dvd/channel.nix
+  extensions = {
-  # TODO: factor out more cleanly
+    qcow2 = "qcow2";
    vpc   = "vhd";
    raw   = "img";
  };
-  # Do not include these things:
+  nixpkgs = lib.cleanSource pkgs.path;
  #   - The '.git' directory
  #   - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
  #   - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
  filterFn = path: type: let basename = baseNameOf (toString path); in
    if type == "directory" then basename != ".git"
    else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
    else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
  nixpkgs = builtins.filterSource filterFn pkgs.path;
  channelSources = pkgs.runCommand "nixos-${config.system.nixosVersion}" {} ''
    mkdir -p $out
@ -142,8 +136,8 @@ in pkgs.vmTools.runInLinuxVM (
          mv $diskImage $out/nixos.img
          diskImage=$out/nixos.img
        '' else ''
-          ${pkgs.qemu}/bin/qemu-img convert -f raw -O qcow2 $diskImage $out/nixos.qcow2
+          ${pkgs.qemu}/bin/qemu-img convert -f raw -O ${format} $diskImage $out/nixos.${extensions.${format}}
-          diskImage=$out/nixos.qcow2
+          diskImage=$out/nixos.${extensions.${format}}
        ''}
        ${postVM}
      '';
--- a/nixos/lib/make-ext4-fs.nix
+++ b/nixos/lib/make-ext4-fs.nix
@ -33,7 +33,7 @@ pkgs.stdenv.mkDerivation {
      echo "Creating an EXT4 image of $bytes bytes (numInodes=$numInodes, numDataBlocks=$numDataBlocks)"
      truncate -s $bytes $out
-      faketime "1970-01-01 00:00:00" mkfs.ext4 -L ${volumeLabel} -U 44444444-4444-4444-8888-888888888888 $out
+      faketime -f "1970-01-01 00:00:01" mkfs.ext4 -L ${volumeLabel} -U 44444444-4444-4444-8888-888888888888 $out
      # Populate the image contents by piping a bunch of commands to the `debugfs` tool from e2fsprogs.
      # For example, to copy /nix/store/abcd...efg-coreutils-8.23/bin/sleep:
@ -76,7 +76,7 @@ pkgs.stdenv.mkDerivation {
          echo sif $file gid 30000 # chgrp to nixbld
        done
-      ) | faketime "1970-01-01 00:00:00" debugfs -w $out -f /dev/stdin > errorlog 2>&1
+      ) | faketime -f "1970-01-01 00:00:01" debugfs -w $out -f /dev/stdin > errorlog 2>&1
      # The debugfs tool doesn't terminate on error nor exit with a non-zero status. Check manually.
      if egrep -q 'Could not allocate|File not found' errorlog; then
--- a/nixos/maintainers/scripts/ec2/amazon-image.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-image.nix
@ -22,15 +22,26 @@ in {
        generated image. Glob patterns work.
      '';
    };
    sizeMB = mkOption {
      type = types.int;
      default = if config.ec2.hvm then 2048 else 8192;
      description = "The size in MB of the image";
    };
    format = mkOption {
      type = types.enum [ "raw" "qcow2" "vpc" ];
      default = "qcow2";
      description = "The image format to output";
    };
  };
  config.system.build.amazonImage = import ../../../lib/make-disk-image.nix {
    inherit lib config;
-    inherit (cfg) contents;
+    inherit (cfg) contents format;
    pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
    partitioned = config.ec2.hvm;
-    diskSize = if config.ec2.hvm then 2048 else 8192;
+    diskSize = cfg.sizeMB;
    format = "qcow2";
    configFile = pkgs.writeText "configuration.nix"
      ''
        {
@ -41,5 +52,4 @@ in {
        }
      '';
  };
 }
--- a/nixos/modules/config/ldap.nix
+++ b/nixos/modules/config/ldap.nix
@ -19,7 +19,6 @@ let
      bind_policy ${config.users.ldap.bind.policy}
      ${optionalString config.users.ldap.useTLS ''
        ssl start_tls
        tls_checkpeer no
      ''}
      ${optionalString (config.users.ldap.bind.distinguishedName != "") ''
        binddn ${config.users.ldap.bind.distinguishedName}
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -20,12 +20,26 @@ in
  options = {
    networking.hosts = lib.mkOption {
      type = types.attrsOf ( types.listOf types.str );
      default = {};
      example = literalExample ''
        {
          "127.0.0.1" = [ "foo.bar.baz" ];
          "192.168.0.2" = [ "fileserver.local" "nameserver.local" ];
        };
      '';
      description = ''
        Locally defined maps of hostnames to IP addresses.
      '';
    };
    networking.extraHosts = lib.mkOption {
      type = types.lines;
      default = "";
      example = "192.168.0.1 lanlocalhost";
      description = ''
-        Additional entries to be appended to <filename>/etc/hosts</filename>.
+        Additional verbatim entries to be appended to <filename>/etc/hosts</filename>.
      '';
    };
@ -188,11 +202,22 @@ in
        # /etc/hosts: Hostname-to-IP mappings.
        "hosts".text =
          let oneToString = set : ip : ip + " " + concatStringsSep " " ( getAttr ip set );
              allToString = set : concatMapStringsSep "\n" ( oneToString set ) ( attrNames set );
              userLocalHosts = optionalString
                ( builtins.hasAttr "127.0.0.1" cfg.hosts )
                ( concatStringsSep " " ( remove "localhost" cfg.hosts."127.0.0.1" ));
              userLocalHosts6 = optionalString
                ( builtins.hasAttr "::1" cfg.hosts )
                ( concatStringsSep " " ( remove "localhost" cfg.hosts."::1" ));
              otherHosts = allToString ( removeAttrs cfg.hosts [ "127.0.0.1" "::1" ]);
          in
          ''
-            127.0.0.1 localhost
+            127.0.0.1 ${userLocalHosts} localhost
            ${optionalString cfg.enableIPv6 ''
-              ::1 localhost
+              ::1 ${userLocalHosts6} localhost
            ''}
            ${otherHosts}
            ${cfg.extraHosts}
          '';
@ -223,7 +248,9 @@ in
            '';
      } // optionalAttrs config.services.resolved.enable {
-        "resolv.conf".source = "/run/systemd/resolve/resolv.conf";
+        # symlink the static version of resolv.conf as recommended by upstream:
        # https://www.freedesktop.org/software/systemd/man/systemd-resolved.html#/etc/resolv.conf
        "resolv.conf".source = "${pkgs.systemd}/lib/systemd/resolv.conf";
      } // optionalAttrs (config.services.resolved.enable && dnsmasqResolve) {
        "dnsmasq-resolv.conf".source = "/run/systemd/resolve/resolv.conf";
      };
--- a/nixos/modules/config/no-x-libs.nix
+++ b/nixos/modules/config/no-x-libs.nix
@ -26,7 +26,16 @@ with lib;
    fonts.fontconfig.enable = false;
-    nixpkgs.config.packageOverrides = pkgs:
+    nixpkgs.config.packageOverrides = pkgs: {
-      { dbus = pkgs.dbus.override { x11Support = false; }; };
+      dbus = pkgs.dbus.override { x11Support = false; };
      networkmanager_fortisslvpn = pkgs.networkmanager_fortisslvpn.override { withGnome = false; };
      networkmanager_l2tp = pkgs.networkmanager_l2tp.override { withGnome = false; };
      networkmanager_openconnect = pkgs.networkmanager_openconnect.override { withGnome = false; };
      networkmanager_openvpn = pkgs.networkmanager_openvpn.override { withGnome = false; };
      networkmanager_pptp = pkgs.networkmanager_pptp.override { withGnome = false; };
      networkmanager_vpnc = pkgs.networkmanager_vpnc.override { withGnome = false; };
      networkmanager_iodine = pkgs.networkmanager_iodine.override { withGnome = false; };
      pinentry = pkgs.pinentry.override { gtk2 = null; qt4 = null; };
    };
  };
 }
--- a/nixos/modules/config/nsswitch.nix
+++ b/nixos/modules/config/nsswitch.nix
@ -28,7 +28,8 @@ let
  passwdArray = [ "files" ]
    ++ optional sssd "sss"
    ++ optionals ldap [ "ldap" ]
-    ++ optionals mymachines [ "mymachines" ];
+    ++ optionals mymachines [ "mymachines" ]
    ++ [ "systemd" ];
  shadowArray = [ "files" ]
    ++ optional sssd "sss"
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -6,6 +6,7 @@ with lib;
 let
  cfg = config.hardware.pulseaudio;
  alsaCfg = config.sound;
  systemWide = cfg.enable && cfg.systemWide;
  nonSystemWide = cfg.enable && !cfg.systemWide;
@ -76,6 +77,7 @@ let
    ctl.!default {
      type pulse
    }
    ${alsaCfg.extraConfig}
  '');
 in {
@ -222,7 +224,7 @@ in {
      # Allow PulseAudio to get realtime priority using rtkit.
      security.rtkit.enable = true;
-      systemd.packages = [ cfg.package ];
+      systemd.packages = [ overriddenPackage ];
    })
    (mkIf hasZeroconf {
--- a/nixos/modules/config/swap.nix
+++ b/nixos/modules/config/swap.nix
@ -5,6 +5,52 @@ with lib;
 let
  randomEncryptionCoerce = enable: { inherit enable; };
  randomEncryptionOpts = { ... }: {
    options = {
      enable = mkOption {
        default = false;
        type = types.bool;
        description = ''
          Encrypt swap device with a random key. This way you won't have a persistent swap device.
          WARNING: Don't try to hibernate when you have at least one swap partition with
          this option enabled! We have no way to set the partition into which hibernation image
          is saved, so if your image ends up on an encrypted one you would lose it!
          WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
          when using randomEncryption as the UUIDs and labels will get erased on every boot when
          the partition is encrypted. Best to use /dev/disk/by-partuuid/…
        '';
      };
      cipher = mkOption {
        default = "aes-xts-plain64";
        example = "serpent-xts-plain64";
        type = types.str;
        description = ''
          Use specified cipher for randomEncryption.
          Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
        '';
      };
      source = mkOption {
        default = "/dev/urandom";
        example = "/dev/random";
        type = types.str;
        description = ''
          Define the source of randomness to obtain a random key for encryption.
        '';
      };
    };
  };
  swapCfg = {config, options, ...}: {
    options = {
@ -47,10 +93,17 @@ let
      randomEncryption = mkOption {
        default = false;
-        type = types.bool;
+        example = {
          enable = true;
          cipher = "serpent-xts-plain64";
          source = "/dev/random";
        };
        type = types.coercedTo types.bool randomEncryptionCoerce (types.submodule randomEncryptionOpts);
        description = ''
          Encrypt swap device with a random key. This way you won't have a persistent swap device.
          HINT: run "cryptsetup benchmark" to test cipher performance on your machine.
          WARNING: Don't try to hibernate when you have at least one swap partition with
          this option enabled! We have no way to set the partition into which hibernation image
          is saved, so if your image ends up on an encrypted one you would lose it!
@ -77,7 +130,7 @@ let
      device = mkIf options.label.isDefined
        "/dev/disk/by-label/${config.label}";
      deviceName = lib.replaceChars ["\\"] [""] (escapeSystemdPath config.device);
-      realDevice = if config.randomEncryption then "/dev/mapper/${deviceName}" else config.device;
+      realDevice = if config.randomEncryption.enable then "/dev/mapper/${deviceName}" else config.device;
    };
  };
@ -125,14 +178,14 @@ in
        createSwapDevice = sw:
          assert sw.device != "";
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);
+          assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-uuid"  sw.device);
-          assert !(sw.randomEncryption && lib.hasPrefix "/dev/disk/by-label" sw.device);
+          assert !(sw.randomEncryption.enable && lib.hasPrefix "/dev/disk/by-label" sw.device);
          let realDevice' = escapeSystemdPath sw.realDevice;
          in nameValuePair "mkswap-${sw.deviceName}"
          { description = "Initialisation of swap device ${sw.device}";
            wantedBy = [ "${realDevice'}.swap" ];
            before = [ "${realDevice'}.swap" ];
-            path = [ pkgs.utillinux ] ++ optional sw.randomEncryption pkgs.cryptsetup;
+            path = [ pkgs.utillinux ] ++ optional sw.randomEncryption.enable pkgs.cryptsetup;
            script =
              ''
@ -145,13 +198,11 @@ in
                      truncate --size "${toString sw.size}M" "${sw.device}"
                    fi
                    chmod 0600 ${sw.device}
-                    ${optionalString (!sw.randomEncryption) "mkswap ${sw.realDevice}"}
+                    ${optionalString (!sw.randomEncryption.enable) "mkswap ${sw.realDevice}"}
                  fi
                ''}
-                ${optionalString sw.randomEncryption ''
+                ${optionalString sw.randomEncryption.enable ''
-                  echo "secretkey" | cryptsetup luksFormat --batch-mode ${sw.device}
+                  cryptsetup plainOpen -c ${sw.randomEncryption.cipher} -d ${sw.randomEncryption.source} ${sw.device} ${sw.deviceName}
                  echo "secretkey" | cryptsetup luksOpen ${sw.device} ${sw.deviceName}
                  cryptsetup luksErase --batch-mode ${sw.device}
                  mkswap ${sw.realDevice}
                ''}
              '';
@ -159,12 +210,12 @@ in
            unitConfig.RequiresMountsFor = [ "${dirOf sw.device}" ];
            unitConfig.DefaultDependencies = false; # needed to prevent a cycle
            serviceConfig.Type = "oneshot";
-            serviceConfig.RemainAfterExit = sw.randomEncryption;
+            serviceConfig.RemainAfterExit = sw.randomEncryption.enable;
-            serviceConfig.ExecStop = optionalString sw.randomEncryption "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
+            serviceConfig.ExecStop = optionalString sw.randomEncryption.enable "${pkgs.cryptsetup}/bin/cryptsetup luksClose ${sw.deviceName}";
            restartIfChanged = false;
          };
-      in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption) config.swapDevices));
+      in listToAttrs (map createSwapDevice (filter (sw: sw.size != null || sw.randomEncryption.enable) config.swapDevices));
  };
--- a/nixos/modules/config/system-path.nix
+++ b/nixos/modules/config/system-path.nix
@ -118,6 +118,9 @@ in
        "/share/themes"
        "/share/vim-plugins"
        "/share/vulkan"
        "/share/kservices5"
        "/share/kservicetypes5"
        "/share/kxmlgui5"
      ];
    system.path = pkgs.buildEnv {
--- a/nixos/modules/config/timezone.nix
+++ b/nixos/modules/config/timezone.nix
@ -14,13 +14,16 @@ in
    time = {
      timeZone = mkOption {
-        default = "UTC";
+        default = null;
-        type = types.str;
+        type = types.nullOr types.str;
        example = "America/New_York";
        description = ''
          The time zone used when displaying times and dates. See <link
          xlink:href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"/>
          for a comprehensive list of possible values for this setting.
          If null, the timezone will default to UTC and can be set imperatively
          using timedatectl.
        '';
      };
@ -40,13 +43,14 @@ in
    # This way services are restarted when tzdata changes.
    systemd.globalEnvironment.TZDIR = tzdir;
-    environment.etc.localtime =
+    systemd.services.systemd-timedated.environment = lib.optionalAttrs (config.time.timeZone != null) { NIXOS_STATIC_TIMEZONE = "1"; };
-      { source = "/etc/zoneinfo/${config.time.timeZone}";
+
-        mode = "direct-symlink";
+    environment.etc = {
      zoneinfo.source = tzdir;
    } // lib.optionalAttrs (config.time.timeZone != null) {
        localtime.source = "/etc/zoneinfo/${config.time.timeZone}";
        localtime.mode = "direct-symlink";
      };
    environment.etc.zoneinfo.source = tzdir;
  };
 }
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -527,7 +527,7 @@ in {
      input.gid = ids.gids.input;
    };
-    system.activationScripts.users = stringAfter [ "etc" ]
+    system.activationScripts.users = stringAfter [ "stdio" ]
      ''
        ${pkgs.perl}/bin/perl -w \
          -I${pkgs.perlPackages.FileSlurp}/lib/perl5/site_perl \
--- a/nixos/modules/hardware/mcelog.nix
+++ b/nixos/modules/hardware/mcelog.nix
@ -3,7 +3,7 @@
 with lib;
 {
-  meta.maintainers = [ maintainers.grahamc ];
+  meta.maintainers = with maintainers; [ grahamc ];
  options = {
    hardware.mcelog = {
@ -19,19 +19,17 @@ with lib;
  };
  config = mkIf config.hardware.mcelog.enable {
-    systemd.services.mcelog = {
+    systemd = {
-      description = "Machine Check Exception Logging Daemon";
+      packages = [ pkgs.mcelog ];
      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
+      services.mcelog = {
-        ExecStart = "${pkgs.mcelog}/bin/mcelog --daemon --foreground";
+        wantedBy = [ "multi-user.target" ];
-        SuccessExitStatus = [ 0 15 ];
+        serviceConfig = {
-
+          ProtectHome = true;
-        ProtectHome = true;
+          PrivateNetwork = true;
-        PrivateNetwork = true;
+          PrivateTmp = true;
-        PrivateTmp = true;
+        };
      };
    };
  };
 }
--- a/nixos/modules/hardware/raid/hpsa.nix
+++ b/nixos/modules/hardware/raid/hpsa.nix
@ -0,0 +1,61 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  hpssacli = pkgs.stdenv.mkDerivation rec {
    name = "hpssacli-${version}";
    version = "2.40-13.0";
    src = pkgs.fetchurl {
      url = "http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/${name}_amd64.deb";
      sha256 = "11w7fwk93lmfw0yya4jpjwdmgjimqxx6412sqa166g1pz4jil4sw";
    };
    nativeBuildInputs = [ pkgs.dpkg ];
    unpackPhase = "dpkg -x $src ./";
    installPhase = ''
      mkdir -p $out/bin $out/share/doc $out/share/man
      mv opt/hp/hpssacli/bld/{hpssascripting,hprmstr,hpssacli} $out/bin/
      mv opt/hp/hpssacli/bld/*.{license,txt}                   $out/share/doc/
      mv usr/man                                               $out/share/
      for file in $out/bin/*; do
        chmod +w $file
        patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
                 --set-rpath ${lib.makeLibraryPath [ pkgs.stdenv.cc.cc ]} \
                 $file
      done
    '';
    dontStrip = true;
    meta = with lib; {
      description = "HP Smart Array CLI";
      homepage = http://downloads.linux.hpe.com/SDR/downloads/MCP/Ubuntu/pool/non-free/;
      license = licenses.unfreeRedistributable;
      platforms = [ "x86_64-linux" ];
      maintainers = with maintainers; [ volth ];
    };
  };
 in {
  ###### interface
  options = {
    hardware.raid.HPSmartArray = {
      enable = mkEnableOption "HP Smart Array kernel modules and CLI utility";
    };
  };
  ###### implementation
  config = mkIf config.hardware.raid.HPSmartArray.enable {
    boot.initrd.kernelModules = [ "sg" ]; /* hpssacli wants it */
    boot.initrd.availableKernelModules = [ "hpsa" ];
    environment.systemPackages = [ hpssacli ];
  };
 }
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@ -6,16 +6,7 @@
 with lib;
 let
-  # Do not include these things:
+  nixpkgs = lib.cleanSource pkgs.path;
  #   - The '.git' directory
  #   - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
  #   - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
  filterFn = path: type: let basename = baseNameOf (toString path); in
    if type == "directory" then basename != ".git"
    else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
    else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
  nixpkgs = builtins.filterSource filterFn pkgs.path;
  # We need a copy of the Nix expressions for Nixpkgs and NixOS on the
  # CD.  These are installed into the "nixos" channel of the root
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@ -76,7 +76,7 @@ let cfg = config.system.autoUpgrade; in
      environment = config.nix.envVars //
        { inherit (config.environment.sessionVariables) NIX_PATH;
          HOME = "/root";
-        };
+        } // config.networking.proxy.envVars;
      path = [ pkgs.gnutar pkgs.xz.bin config.nix.package.out ];
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/crqd5wmrqipl4n1fcm5kkc1zg4sj80js-nix-1.11.11";
+  x86_64-linux = "/nix/store/xrqssm90gsrnqdn79rpfcs6dwx8597d2-nix-1.11.14";
-  i686-linux = "/nix/store/wsjn14xp5ja509d4dxb1c78zhirw0b5x-nix-1.11.11";
+  i686-linux = "/nix/store/3vjphivqs2iy6m9yb3bd80nd3518510k-nix-1.11.14";
-  x86_64-darwin = "/nix/store/zqkqnhk85g2shxlpb04y72h1i3db3gpl-nix-1.11.11";
+  x86_64-darwin = "/nix/store/4j9jacx8mjd4jlj53wvymyhxq7dqyj5d-nix-1.11.14";
 }
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -605,6 +605,9 @@ $bootLoaderConfig
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";
  # Enable touchpad support.
  # services.xserver.libinput.enable = true;
  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.sddm.enable = true;
  # services.xserver.desktopManager.plasma5.enable = true;
@ -615,8 +618,11 @@ $bootLoaderConfig
  #   uid = 1000;
  # };
-  # The NixOS release to be compatible with for stateful data such as databases.
+  # This value determines the NixOS release with which your system is to be
-  system.stateVersion = "${\(qw(@nixosRelease@))}";
+  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "${\(qw(@nixosRelease@))}"; # Did you read the comment?
 }
 EOF
--- a/nixos/modules/installer/tools/nixos-install.sh
+++ b/nixos/modules/installer/tools/nixos-install.sh
@ -140,7 +140,7 @@ channel_closure="$tmpdir/channel.closure"
 nix-store --export $channel_root > $channel_closure
 # Populate the target root directory with the basics
-@prepare_root@/bin/nixos-prepare-root $mountPoint $channel_root $system_root @nixClosure@ $system_closure $channel_closure
+@prepare_root@/bin/nixos-prepare-root "$mountPoint" "$channel_root" "$system_root" @nixClosure@ "$system_closure" "$channel_closure"
 # nixos-prepare-root doesn't currently do anything with file ownership, so we set it up here instead
 chown @root_uid@:@nixbld_gid@ $mountPoint/nix/store
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@ -250,7 +250,7 @@ trap cleanup EXIT
 # If --repair is given, don't try to use the Nix daemon, because the
 # flag can only be used directly.
 if [ -z "$repair" ] && systemctl show nix-daemon.socket nix-daemon.service | grep -q ActiveState=active; then
-    export NIX_REMOTE=${NIX_REMOTE:-daemon}
+    export NIX_REMOTE=${NIX_REMOTE-daemon}
 fi
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -139,6 +139,7 @@
      btsync = 113;
      minecraft = 114;
      #monetdb = 115; # unused (not packaged), removed 2016-09-19
      vault = 115;
      rippled = 116;
      murmur = 117;
      foundationdb = 118;
@ -213,7 +214,7 @@
      plex = 193;
      grafana = 196;
      skydns = 197;
-      ripple-rest = 198;
+      # ripple-rest = 198; # unused, removed 2017-08-12
      nix-serve = 199;
      tvheadend = 200;
      uwsgi = 201;
@ -334,7 +335,7 @@
      dialout = 27;
      #polkituser = 28; # currently unused, polkitd doesn't need a group
      utmp = 29;
-      #ddclient = 30; # unused
+      ddclient = 30;
      davfs2 = 31;
      disnix = 33;
      osgi = 34;
@ -415,6 +416,7 @@
      btsync = 113;
      #minecraft = 114; # unused
      #monetdb = 115; # unused (not packaged), removed 2016-09-19
      vault = 115;
      #ripped = 116; # unused
      #murmur = 117; # unused
      foundationdb = 118;
@ -487,7 +489,7 @@
      sabnzbd = 194;
      #grafana = 196; #unused
      #skydns = 197; #unused
-      #ripple-rest = 198; #unused
+      # ripple-rest = 198; # unused, removed 2017-08-12
      #nix-serve = 199; #unused
      #tvheadend = 200; #unused
      uwsgi = 201;
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@ -95,7 +95,7 @@ in
      nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
      # Note: code names must only increase in alphabetical order.
-      nixosCodeName = "Hummingbird";
+      nixosCodeName = "Impala";
    };
    # Generate /etc/os-release.  See
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -43,6 +43,7 @@
  ./hardware/nitrokey.nix
  ./hardware/opengl.nix
  ./hardware/pcmcia.nix
  ./hardware/raid/hpsa.nix
  ./hardware/usb-wwan.nix
  ./hardware/video/amdgpu.nix
  ./hardware/video/amdgpu-pro.nix
@ -105,7 +106,6 @@
  ./programs/venus.nix
  ./programs/vim.nix
  ./programs/wireshark.nix
  ./programs/wvdial.nix
  ./programs/xfs_quota.nix
  ./programs/xonsh.nix
  ./programs/zsh/oh-my-zsh.nix
@ -116,11 +116,11 @@
  ./security/apparmor.nix
  ./security/apparmor-suid.nix
  ./security/audit.nix
  ./security/auditd.nix
  ./security/ca.nix
  ./security/chromium-suid-sandbox.nix
  ./security/dhparams.nix
  ./security/duosec.nix
  ./security/grsecurity.nix
  ./security/hidepid.nix
  ./security/lock-kernel-modules.nix
  ./security/oath.nix
@ -165,6 +165,7 @@
  ./services/continuous-integration/buildbot/master.nix
  ./services/continuous-integration/buildbot/worker.nix
  ./services/continuous-integration/buildkite-agent.nix
  ./services/continuous-integration/hail.nix
  ./services/continuous-integration/hydra/default.nix
  ./services/continuous-integration/gitlab-runner.nix
  ./services/continuous-integration/gocd-agent/default.nix
@ -185,6 +186,7 @@
  ./services/databases/neo4j.nix
  ./services/databases/openldap.nix
  ./services/databases/opentsdb.nix
  ./services/databases/postage.nix
  ./services/databases/postgresql.nix
  ./services/databases/redis.nix
  ./services/databases/riak.nix
@ -223,6 +225,7 @@
  ./services/hardware/brltty.nix
  ./services/hardware/freefall.nix
  ./services/hardware/illum.nix
  ./services/hardware/interception-tools.nix
  ./services/hardware/irqbalance.nix
  ./services/hardware/nvidia-optimus.nix
  ./services/hardware/pcscd.nix
@ -242,6 +245,7 @@
  ./services/logging/graylog.nix
  ./services/logging/heartbeat.nix
  ./services/logging/journalbeat.nix
  ./services/logging/journalwatch.nix
  ./services/logging/klogd.nix
  ./services/logging/logcheck.nix
  ./services/logging/logrotate.nix
@ -266,6 +270,7 @@
  ./services/mail/rspamd.nix
  ./services/mail/rmilter.nix
  ./services/mail/nullmailer.nix
  ./services/misc/airsonic.nix
  ./services/misc/apache-kafka.nix
  ./services/misc/autofs.nix
  ./services/misc/autorandr.nix
@ -285,6 +290,7 @@
  ./services/misc/emby.nix
  ./services/misc/errbot.nix
  ./services/misc/etcd.nix
  ./services/misc/exhibitor.nix
  ./services/misc/felix.nix
  ./services/misc/folding-at-home.nix
  ./services/misc/fstrim.nix
@ -321,10 +327,10 @@
  ./services/misc/radarr.nix
  ./services/misc/redmine.nix
  ./services/misc/rippled.nix
  ./services/misc/ripple-rest.nix
  ./services/misc/ripple-data-api.nix
  ./services/misc/rogue.nix
  ./services/misc/siproxd.nix
  ./services/misc/snapper.nix
  ./services/misc/sonarr.nix
  ./services/misc/spice-vdagentd.nix
  ./services/misc/ssm-agent.nix
@ -352,6 +358,7 @@
  ./services/monitoring/munin.nix
  ./services/monitoring/nagios.nix
  ./services/monitoring/netdata.nix
  ./services/monitoring/osquery.nix
  ./services/monitoring/prometheus/default.nix
  ./services/monitoring/prometheus/alertmanager.nix
  ./services/monitoring/prometheus/blackbox-exporter.nix
@ -512,7 +519,6 @@
  ./services/networking/teamspeak3.nix
  ./services/networking/tinc.nix
  ./services/networking/tftpd.nix
  ./services/networking/tlsdated.nix
  ./services/networking/tox-bootstrapd.nix
  ./services/networking/toxvpn.nix
  ./services/networking/tvheadend.nix
@ -544,7 +550,6 @@
  ./services/security/fail2ban.nix
  ./services/security/fprintd.nix
  ./services/security/fprot.nix
  ./services/security/frandom.nix
  ./services/security/haka.nix
  ./services/security/haveged.nix
  ./services/security/hologram-server.nix
@ -553,16 +558,20 @@
  ./services/security/oauth2_proxy.nix
  ./services/security/physlock.nix
  ./services/security/shibboleth-sp.nix
  ./services/security/sks.nix
  ./services/security/sshguard.nix
  ./services/security/tor.nix
  ./services/security/torify.nix
  ./services/security/torsocks.nix
  ./services/security/usbguard.nix
  ./services/security/vault.nix
  ./services/system/cgmanager.nix
  ./services/system/cloud-init.nix
  ./services/system/dbus.nix
  ./services/system/earlyoom.nix
  ./services/system/kerberos.nix
  ./services/system/nscd.nix
  ./services/system/saslauthd.nix
  ./services/system/uptimed.nix
  ./services/torrent/deluge.nix
  ./services/torrent/flexget.nix
@ -578,6 +587,7 @@
  ./services/web-apps/frab.nix
  ./services/web-apps/mattermost.nix
  ./services/web-apps/nixbot.nix
  ./services/web-apps/pgpkeyserver-lite.nix
  ./services/web-apps/piwik.nix
  ./services/web-apps/pump.io.nix
  ./services/web-apps/tt-rss.nix
@ -620,7 +630,6 @@
  ./services/x11/redshift.nix
  ./services/x11/urxvtd.nix
  ./services/x11/window-managers/awesome.nix
  #./services/x11/window-managers/compiz.nix
  ./services/x11/window-managers/default.nix
  ./services/x11/window-managers/fluxbox.nix
  ./services/x11/window-managers/icewm.nix
@ -670,6 +679,7 @@
  ./tasks/cpu-freq.nix
  ./tasks/encrypted-devices.nix
  ./tasks/filesystems.nix
  ./tasks/filesystems/bcachefs.nix
  ./tasks/filesystems/btrfs.nix
  ./tasks/filesystems/cifs.nix
  ./tasks/filesystems/exfat.nix
--- a/nixos/modules/profiles/all-hardware.nix
+++ b/nixos/modules/profiles/all-hardware.nix
@ -41,6 +41,9 @@
      # Virtio (QEMU, KVM etc.) support.
      "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console"
      # VMware support.
      "mptspi" "vmw_balloon" "vmwgfx" "vmw_vmci" "vmw_vsock_vmci_transport" "vmxnet3" "vsock"
      # Hyper-V support.
      "hv_storvsc"
--- a/nixos/modules/profiles/graphical.nix
+++ b/nixos/modules/profiles/graphical.nix
@ -8,7 +8,7 @@
    enable = true;
    displayManager.sddm.enable = true;
    desktopManager.plasma5.enable = true;
-    synaptics.enable = true; # for touchpad support on many laptops
+    libinput.enable = true; # for touchpad support on many laptops
  };
  environment.systemPackages = [ pkgs.glxinfo ];
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -59,4 +59,10 @@ with lib;
  # the feature at runtime.  Attempting to create a user namespace
  # with unshare will then fail with "no space left on device".
  boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
  # Raise ASLR entropy for 64bit & 32bit, respectively.
  #
  # Note: mmap_rnd_compat_bits may not exist on 64bit.
  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
 }
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@ -28,7 +28,7 @@ with lib;
    services.nixosManual.showManual = true;
    # Let the user play Rogue on TTY 8 during the installation.
-    services.rogue.enable = true;
+    #services.rogue.enable = true;
    # Disable some other stuff we don't need.
    security.sudo.enable = false;
--- a/nixos/modules/programs/gnupg.nix
+++ b/nixos/modules/programs/gnupg.nix
@ -55,79 +55,24 @@ in
  };
  config = mkIf cfg.agent.enable {
    systemd.user.services.gpg-agent = {
      serviceConfig = {
        ExecStart = [
          ""
          ("${pkgs.gnupg}/bin/gpg-agent --supervised "
            + optionalString cfg.agent.enableSSHSupport "--enable-ssh-support")
        ];
        ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload gpg-agent";
      };
    };
    systemd.user.sockets.gpg-agent = {
      wantedBy = [ "sockets.target" ];
      listenStreams = [ "%t/gnupg/S.gpg-agent" ];
      socketConfig = {
        FileDescriptorName = "std";
        SocketMode = "0600";
        DirectoryMode = "0700";
      };
    };
    systemd.user.sockets.gpg-agent-ssh = mkIf cfg.agent.enableSSHSupport {
      wantedBy = [ "sockets.target" ];
      listenStreams = [ "%t/gnupg/S.gpg-agent.ssh" ];
      socketConfig = {
        FileDescriptorName = "ssh";
        Service = "gpg-agent.service";
        SocketMode = "0600";
        DirectoryMode = "0700";
      };
    };
    systemd.user.sockets.gpg-agent-extra = mkIf cfg.agent.enableExtraSocket {
      wantedBy = [ "sockets.target" ];
      listenStreams = [ "%t/gnupg/S.gpg-agent.extra" ];
      socketConfig = {
        FileDescriptorName = "extra";
        Service = "gpg-agent.service";
        SocketMode = "0600";
        DirectoryMode = "0700";
      };
    };
    systemd.user.sockets.gpg-agent-browser = mkIf cfg.agent.enableBrowserSocket {
      wantedBy = [ "sockets.target" ];
      listenStreams = [ "%t/gnupg/S.gpg-agent.browser" ];
      socketConfig = {
        FileDescriptorName = "browser";
        Service = "gpg-agent.service";
        SocketMode = "0600";
        DirectoryMode = "0700";
      };
    };
-    systemd.user.services.dirmngr = {
+    systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
      requires = [ "dirmngr.socket" ];
      after = [ "dirmngr.socket" ];
      unitConfig = {
        RefuseManualStart = "true";
      };
      serviceConfig = {
        ExecStart = "${pkgs.gnupg}/bin/dirmngr --supervised";
        ExecReload = "${pkgs.gnupg}/bin/gpgconf --reload dirmngr";
      };
    };
    systemd.user.sockets.dirmngr = {
      wantedBy = [ "sockets.target" ];
      listenStreams = [ "%t/gnupg/S.dirmngr" ];
      socketConfig = {
        SocketMode = "0600";
        DirectoryMode = "0700";
      };
    };
    systemd.packages = [ pkgs.gnupg ];
@ -147,7 +92,7 @@ in
    '');
    assertions = [
-      { assertion = cfg.agent.enableSSHSupport && !config.programs.ssh.startAgent;
+      { assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
        message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
      }
    ];
--- a/nixos/modules/programs/nylas-mail.nix
+++ b/nixos/modules/programs/nylas-mail.nix
@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.nylas-mail;
  defaultUser = "nylas-mail";
 in {
  ###### interface
  options = {
    services.nylas-mail = {
      enable = mkEnableOption ''
        nylas-mail - Open-source mail client built on the modern web with Electron, React, and Flux
      '';
      gnome3-keyring = mkOption {
        type = types.bool;
        default = true;
        description = "Enable gnome3 keyring for nylas-mail.";
      };
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.nylas-mail-bin ];
    services.gnome3.gnome-keyring = mkIf cfg.gnome3-keyring {
      enable = true;
    };
  };
 }
--- a/nixos/modules/programs/oblogout.nix
+++ b/nixos/modules/programs/oblogout.nix
@ -27,6 +27,7 @@ in
        type = types.int;
        default = 70;
        description = ''
          Opacity percentage of Cairo rendered backgrounds.
        '';
      };
@ -34,6 +35,7 @@ in
        type = types.str;
        default = "black";
        description = ''
          Colour name or hex code (#ffffff) of the background color.
        '';
      };
@ -41,6 +43,9 @@ in
        type = types.str;
        default = "simplistic";
        description = ''
          Icon theme for the buttons, must be in the themes folder of
          the package, or in
          <filename>~/.themes/&lt;name&gt;/oblogout/</filename>.
        '';
      };
@ -48,6 +53,7 @@ in
        type = types.str;
        default =  "cancel, logout, restart, shutdown, suspend, hibernate";
        description = ''
          List and order of buttons to show.
        '';
      };
@ -55,6 +61,7 @@ in
        type = types.str;
        default =  "Escape";
        description = ''
          Cancel logout/shutdown shortcut.
        '';
      };
@ -62,6 +69,7 @@ in
        type = types.str;
        default = "S";
        description = ''
          Shutdown shortcut.
        '';
      };
@ -69,6 +77,7 @@ in
        type = types.str;
        default = "R";
        description = ''
          Restart shortcut.
        '';
      };
@ -76,6 +85,7 @@ in
        type = types.str;
        default = "U";
        description = ''
          Suspend shortcut.
        '';
      };
@ -83,6 +93,7 @@ in
        type = types.str;
        default = "L";
        description = ''
          Logout shortcut.
        '';
      };
@ -90,6 +101,7 @@ in
        type = types.str;
        default = "K";
        description = ''
          Lock session shortcut.
        '';
      };
@ -97,6 +109,7 @@ in
        type = types.str;
        default =  "H";
        description = ''
          Hibernate shortcut.
        '';
      };
@ -104,6 +117,7 @@ in
        type = types.str;
        default = "openbox --exit";
        description = ''
          Command to logout.
        '';
      };
@ -111,6 +125,7 @@ in
        type = types.str;
        default = "";
        description = ''
          Command to lock screen.
        '';
      };
@ -118,6 +133,7 @@ in
        type = types.str;
        default = "";
        description = ''
          Command to switch user.
        '';
      };
    };
--- a/nixos/modules/programs/qt5ct.nix
+++ b/nixos/modules/programs/qt5ct.nix
@ -26,6 +26,6 @@ with lib;
  ###### implementation
  config = mkIf config.programs.qt5ct.enable {
    environment.variables.QT_QPA_PLATFORMTHEME = "qt5ct";
-    environment.systemPackages = [ pkgs.qt5ct ];
+    environment.systemPackages = with pkgs; [ qt5ct libsForQt5.qtstyleplugins ];
  };
 }
--- a/nixos/modules/programs/thefuck.nix
+++ b/nixos/modules/programs/thefuck.nix
@ -3,7 +3,12 @@
 with lib;
 let
-  cfg = config.programs.thefuck;
+  prg = config.programs;
  cfg = prg.thefuck;
  initScript = ''
    eval $(${pkgs.thefuck}/bin/thefuck --alias ${cfg.alias})
  '';
 in
  {
    options = {
@ -24,8 +29,11 @@ in
    config = mkIf cfg.enable {
      environment.systemPackages = with pkgs; [ thefuck ];
-      environment.shellInit = ''
+      environment.shellInit = initScript;
-        eval $(${pkgs.thefuck}/bin/thefuck --alias ${cfg.alias})
+
      programs.zsh.shellInit = mkIf prg.zsh.enable initScript;
      programs.fish.shellInit = mkIf prg.fish.enable ''
        ${pkgs.thefuck}/bin/thefuck --alias | source
      '';
    };
  }
--- a/nixos/modules/programs/wvdial.nix
+++ b/nixos/modules/programs/wvdial.nix
@ -1,71 +0,0 @@
 # Global configuration for wvdial.
 { config, lib, pkgs, ... }:
 with lib;
 let
  configFile = ''
    [Dialer Defaults]
    PPPD PATH = ${pkgs.ppp}/sbin/pppd
    ${config.environment.wvdial.dialerDefaults}
  '';
  cfg = config.environment.wvdial;
 in
 {
  ###### interface
  options = {
    environment.wvdial = {
      dialerDefaults = mkOption {
        default = "";
        type = types.str;
        example = ''Init1 = AT+CGDCONT=1,"IP","internet.t-mobile"'';
        description = ''
          Contents of the "Dialer Defaults" section of
          <filename>/etc/wvdial.conf</filename>.
        '';
      };
      pppDefaults = mkOption {
        default = ''
          noipdefault
          usepeerdns
          defaultroute
          persist
          noauth
        '';
        type = types.str;
        description = "Default ppp settings for wvdial.";
      };
    };
  };
  ###### implementation
  config = mkIf (cfg.dialerDefaults != "") {
    environment = {
      etc =
      [
        { source = pkgs.writeText "wvdial.conf" configFile;
          target = "wvdial.conf";
        }
        { source = pkgs.writeText "wvdial" cfg.pppDefaults;
          target = "ppp/peers/wvdial";
        }
      ];
    };
  };
 }
--- a/nixos/modules/programs/zsh/oh-my-zsh.nix
+++ b/nixos/modules/programs/zsh/oh-my-zsh.nix
@ -15,6 +15,16 @@ in
          '';
        };
        package = mkOption {
          default = pkgs.oh-my-zsh;
          defaultText = "pkgs.oh-my-zsh";
          description = ''
            Package to install for `oh-my-zsh` usage.
          '';
          type = types.package;
        };
        plugins = mkOption {
          default = [];
          type = types.listOf(types.str);
@ -42,11 +52,15 @@ in
    };
    config = mkIf cfg.enable {
      environment.systemPackages = with pkgs; [ oh-my-zsh ];
-      programs.zsh.interactiveShellInit = with pkgs; with builtins; ''
+      # Prevent zsh from overwriting oh-my-zsh's prompt
      programs.zsh.promptInit = mkDefault "";
      environment.systemPackages = [ cfg.package ];
      programs.zsh.interactiveShellInit = with builtins; ''
        # oh-my-zsh configuration generated by NixOS
-        export ZSH=${oh-my-zsh}/share/oh-my-zsh
+        export ZSH=${cfg.package}/share/oh-my-zsh
        ${optionalString (length(cfg.plugins) > 0)
          "plugins=(${concatStringsSep " " cfg.plugins})"
--- a/nixos/modules/programs/zsh/zsh.nix
+++ b/nixos/modules/programs/zsh/zsh.nix
@ -97,45 +97,6 @@ in
  config = mkIf cfg.enable {
    programs.zsh = {
      shellInit = ''
        . ${config.system.build.setEnvironment}
        ${cfge.shellInit}
      '';
      loginShellInit = cfge.loginShellInit;
      interactiveShellInit = ''
        # history defaults
        SAVEHIST=2000
        HISTSIZE=2000
        HISTFILE=$HOME/.zsh_history
        setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK
        # Tell zsh how to find installed completions
        for p in ''${(z)NIX_PROFILES}; do
          fpath+=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions)
        done
        ${if cfg.enableCompletion then "autoload -U compinit && compinit" else ""}
        ${optionalString (cfg.enableAutosuggestions)
          "source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh"
        }
        ${zshAliases}
        ${cfg.promptInit}
        ${cfge.interactiveShellInit}
        HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
      '';
    };
    environment.etc."zshenv".text =
      ''
        # /etc/zshenv: DO NOT EDIT -- this file has been generated automatically.
@ -146,6 +107,10 @@ in
        if [ -n "$__ETC_ZSHENV_SOURCED" ]; then return; fi
        export __ETC_ZSHENV_SOURCED=1
        . ${config.system.build.setEnvironment}
        ${cfge.shellInit}
        ${cfg.shellInit}
        # Read system-wide modifications.
@ -163,6 +128,8 @@ in
        if [ -n "$__ETC_ZPROFILE_SOURCED" ]; then return; fi
        __ETC_ZPROFILE_SOURCED=1
        ${cfge.loginShellInit}
        ${cfg.loginShellInit}
        # Read system-wide modifications.
@ -182,8 +149,34 @@ in
        . /etc/zinputrc
        # history defaults
        SAVEHIST=2000
        HISTSIZE=2000
        HISTFILE=$HOME/.zsh_history
        setopt HIST_IGNORE_DUPS SHARE_HISTORY HIST_FCNTL_LOCK
        HELPDIR="${pkgs.zsh}/share/zsh/$ZSH_VERSION/help"
        # Tell zsh how to find installed completions
        for p in ''${(z)NIX_PROFILES}; do
          fpath+=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions)
        done
        ${optionalString cfg.enableCompletion "autoload -U compinit && compinit"}
        ${optionalString (cfg.enableAutosuggestions)
          "source ${pkgs.zsh-autosuggestions}/share/zsh-autosuggestions/zsh-autosuggestions.zsh"
        }
        ${cfge.interactiveShellInit}
        ${cfg.interactiveShellInit}
        ${zshAliases}
        ${cfg.promptInit}
        # Read system-wide modifications.
        if test -f /etc/zshrc.local; then
          . /etc/zshrc.local
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 with lib;
@ -14,17 +14,23 @@ with lib;
    (mkRenamedOptionModule [ "networking" "enableRT73Firmware" ] [ "networking" "enableRalinkFirmware" ])
    (mkRenamedOptionModule [ "services" "cadvisor" "host" ] [ "services" "cadvisor" "listenAddress" ])
    (mkChangedOptionModule [ "services" "printing" "gutenprint" ] [ "services" "printing" "drivers" ]
      (config:
        let enabled = getAttrFromPath [ "services" "printing" "gutenprint" ] config;
        in if enabled then [ pkgs.gutenprint ] else [ ]))
    (mkRenamedOptionModule [ "services" "elasticsearch" "host" ] [ "services" "elasticsearch" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "graphite" "api" "host" ] [ "services" "graphite" "api" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "graphite" "web" "host" ] [ "services" "graphite" "web" "listenAddress" ])
-    (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ])
+    (mkRenamedOptionModule [ "services" "i2pd" "extIp" ] [ "services" "i2pd" "address" ])
    (mkRenamedOptionModule [ "services" "kibana" "host" ] [ "services" "kibana" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "logstash" "address" ] [ "services" "logstash" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "mpd" "network" "host" ] [ "services" "mpd" "network" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "neo4j" "host" ] [ "services" "neo4j" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "shout" "host" ] [ "services" "shout" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "sslh" "host" ] [ "services" "sslh" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "statsd" "host" ] [ "services" "statsd" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "subsonic" "host" ] [ "services" "subsonic" "listenAddress" ])
    (mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
    (mkRenamedOptionModule [ "jobs" ] [ "systemd" "services" ])
    (mkRenamedOptionModule [ "services" "gitlab" "stateDir" ] [ "services" "gitlab" "statePath" ])
@ -118,26 +124,6 @@ with lib;
    (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
    (mkRemovedOptionModule [ "services" "iodined" "client" ] "")
    # Grsecurity
    (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
    (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
    # Unity3D
    (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
@ -195,6 +181,8 @@ with lib;
    (mkRemovedOptionModule [ "services" "openvpn" "enable" ] "")
    (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "")
    (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "")
    (mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.")
    (mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.")
    (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]
      "See the 16.09 release notes for more information.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
@ -204,6 +192,7 @@ with lib;
      "Set the option `services.xserver.displayManager.sddm.package' instead.")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
    (mkRemovedOptionModule [ "boot" "zfs" "enableUnstable" ] "0.7.0 is now the default")
    # ZSH
    (mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
--- a/nixos/modules/security/auditd.nix
+++ b/nixos/modules/security/auditd.nix
@ -0,0 +1,27 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  options.security.auditd.enable = mkEnableOption "the Linux Audit daemon";
  config = mkIf config.security.auditd.enable {
    systemd.services.auditd = {
      description = "Linux Audit daemon";
      wantedBy = [ "basic.target" ];
      unitConfig = {
        ConditionVirtualization = "!container";
        ConditionSecurity = [ "audit" ];
        DefaultDependencies = false;
      };
      path = [ pkgs.audit ];
      serviceConfig = {
        ExecStartPre="${pkgs.coreutils}/bin/mkdir -p /var/log/audit";
        ExecStart = "${pkgs.audit}/bin/auditd -l -n -s nochange";
      };
    };
  };
 }
--- a/nixos/modules/security/chromium-suid-sandbox.nix
+++ b/nixos/modules/security/chromium-suid-sandbox.nix
@ -19,9 +19,6 @@ in
      Also, if the URL chrome://sandbox tells you that "You are not adequately
      sandboxed!", turning this on might resolve the issue.
      Finally, if you have <option>security.grsecurity</option> enabled and you
      use Chromium, you probably need this.
    '';
  };
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -1,169 +0,0 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.security.grsecurity;
  grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
  # Ascertain whether NixOS container support is required
  containerSupportRequired =
    config.boot.enableContainers && config.containers != {};
 in
 {
  meta = {
    maintainers = with maintainers; [ ];
    doc = ./grsecurity.xml;
  };
  options.security.grsecurity = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable grsecurity/PaX.
      '';
    };
    lockTunables = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to automatically lock grsecurity tunables
        (<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>).  Disable
        this to allow runtime configuration of grsecurity features.  Activate
        the <literal>grsec-lock</literal> service unit to prevent further
        configuration until the next reboot.
      '';
    };
    disableEfiRuntimeServices = mkOption {
      type = types.bool;
      default = true;
      description = ''
        Whether to disable access to EFI runtime services.  Enabling EFI runtime
        services creates a venue for code injection attacks on the kernel and
        should be disabled if at all possible.  Changing this option enters into
        effect upon reboot.
      '';
    };
  };
  config = mkIf cfg.enable {
    boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
    boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
      ++ optional cfg.disableEfiRuntimeServices "noefi";
    nixpkgs.config.grsecurity = true;
    # Install PaX related utillities into the system profile.
    environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
    # Install rules for the grsec device node
    services.udev.packages = [ pkgs.gradm ];
    # This service unit is responsible for locking the grsecurity tunables.  The
    # unit is always defined, but only activated on bootup if lockTunables is
    # toggled.  When lockTunables is toggled, failure to activate the unit will
    # enter emergency mode.  The intent is to make it difficult to silently
    # enter multi-user mode without having locked the tunables.  Some effort is
    # made to ensure that starting the unit is an idempotent operation.
    systemd.services.grsec-lock = {
      description = "Lock grsecurity tunables";
      wantedBy = optional cfg.lockTunables "multi-user.target";
      wants = [ "local-fs.target" "systemd-sysctl.service" ];
      after = [ "local-fs.target" "systemd-sysctl.service" ];
      conflicts = [ "shutdown.target" ];
      restartIfChanged = false;
      script = ''
        if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
          echo -n 1 > ${grsecLockPath}
        fi
      '';
      unitConfig = {
        ConditionPathIsReadWrite = grsecLockPath;
        DefaultDependencies = false;
      } // optionalAttrs cfg.lockTunables {
        OnFailure = "emergency.target";
      };
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
      };
    };
    # Configure system tunables
    boot.kernel.sysctl = {
      # Read-only under grsecurity
      "kernel.kptr_restrict" = mkForce null;
      # All grsec tunables default to off, those not enabled below are
      # *disabled*.  We use mkDefault to allow expert users to override
      # our choices, but use mkForce where tunables would outright
      # conflict with other settings.
      # Enable all chroot restrictions by default (overwritten as
      # necessary below)
      "kernel.grsecurity.chroot_caps" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
      "kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
      "kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
      "kernel.grsecurity.chroot_findtask" = mkDefault 1;
      "kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
      # Enable various grsec protections
      "kernel.grsecurity.consistent_setxid" = mkDefault 1;
      "kernel.grsecurity.deter_bruteforce" = mkDefault 1;
      "kernel.grsecurity.fifo_restrictions" = mkDefault 1;
      "kernel.grsecurity.harden_ipc" = mkDefault 1;
      "kernel.grsecurity.harden_ptrace" = mkDefault 1;
      "kernel.grsecurity.harden_tty" = mkDefault 1;
      "kernel.grsecurity.ip_blackhole" = mkDefault 1;
      "kernel.grsecurity.linking_restrictions" = mkDefault 1;
      "kernel.grsecurity.ptrace_readexec" = mkDefault 1;
      # Enable auditing
      "kernel.grsecurity.audit_ptrace" = mkDefault 1;
      "kernel.grsecurity.forkfail_logging" = mkDefault 1;
      "kernel.grsecurity.rwxmap_logging" = mkDefault 1;
      "kernel.grsecurity.signal_logging" = mkDefault 1;
      "kernel.grsecurity.timechange_logging" = mkDefault 1;
    } // optionalAttrs config.nix.useSandbox {
      # chroot(2) restrictions that conflict with sandboxed Nix builds
      "kernel.grsecurity.chroot_caps" = mkForce 0;
      "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
      "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
      "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
    } // optionalAttrs containerSupportRequired {
      # chroot(2) restrictions that conflict with NixOS lightweight containers
      "kernel.grsecurity.chroot_caps" = mkForce 0;
      "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
      "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
      "kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
      # Disable privileged IO by default, unless X is enabled
    } // optionalAttrs (!config.services.xserver.enable) {
      "kernel.grsecurity.disable_priv_io" = mkDefault 1;
    };
  };
 }
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@ -1,385 +0,0 @@
 <chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-grsecurity">
  <title>Grsecurity/PaX</title>
  <para>
    Grsecurity/PaX is a set of patches against the Linux kernel that
    implements an extensive suite of
    <link xlink:href="https://grsecurity.net/features.php">features</link>
    designed to increase the difficulty of exploiting kernel and
    application bugs.
  </para>
  <para>
    The NixOS grsecurity/PaX module is designed with casual users in mind and is
    intended to be compatible with normal desktop usage, without
    <emphasis>unnecessarily</emphasis> compromising security.  The
    following sections describe the configuration and administration of
    a grsecurity/PaX enabled NixOS system.  For more comprehensive
    coverage, please refer to the
    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link>
    and the
    <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch
    Linux wiki page on grsecurity</link>.
    <warning><para>Upstream has ceased free support for grsecurity/PaX.  See
    <link xlink:href="https://grsecurity.net/passing_the_baton.php">
    the announcement</link> for more information.  Consequently, NixOS
    support for grsecurity/PaX also must cease.  Enabling this module will
    result in a build error.</para></warning>
    <note><para>We standardise on a desktop oriented configuration primarily due
    to lack of resources.  The grsecurity/PaX configuration state space is huge
    and each configuration requires quite a bit of testing to ensure that the
    resulting packages work as advertised.  Defining additional package sets
    would likely result in a large number of functionally broken packages, to
    nobody's benefit.</para></note>
  </para>
  <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title>
  <para>
    To make use of grsecurity/PaX on NixOS, add the following to your
    <filename>configuration.nix</filename>:
    <programlisting>
      security.grsecurity.enable = true;
    </programlisting>
    followed by
    <programlisting>
      # nixos-rebuild boot
      # reboot
    </programlisting>
    <note><para>
      Enabling the grsecurity module overrides
      <option>boot.kernelPackages</option>, to reduce the risk of
      misconfiguration.  <xref linkend="sec-grsec-custom-kernel" />
      describes how to use a custom kernel package set.
    </para></note>
    For most users, further configuration should be unnecessary.  All users
    are encouraged to look over <xref linkend="sec-grsec-security" /> before
    using the system, however.  If you experience problems, please refer to
    <xref linkend="sec-grsec-issues" />.
  </para>
  <para>
    Once booted into the new system, you can optionally use
    <command>paxtest</command> to exercise various PaX features:
    <screen><![CDATA[
    # nix-shell -p paxtest --command 'paxtest blackhat'
    Executable anonymous mapping             : Killed
    Executable bss                           : Killed
    # ... remaining output truncated for brevity
    ]]></screen>
  </para>
  </sect1>
  <sect1 xml:id="sec-grsec-declarative-tuning"><title>Declarative tuning</title>
  <para>
    The default configuration mode is strictly declarative.  Some features
    simply cannot be changed at all after boot, while others are locked once the
    system is up and running.  Moreover, changes to the configuration enter
    into effect only upon booting into the new system.
  </para>
  <para>
    The NixOS module exposes a limited number of options for tuning the behavior
    of grsecurity/PaX.  These are options thought to be of particular interest
    to most users.  For experts, further tuning is possible via
    <option>boot.kernelParams</option> (see
    <xref linkend="sec-grsec-kernel-params" />) and
    <option>boot.kernel.sysctl."kernel.grsecurity.*"</option> (the wikibook
    contains an <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options">
    exhaustive listing of grsecurity sysctl tunables</link>).
  </para>
  </sect1>
  <sect1 xml:id="sec-grsec-manual-tuning"><title>Manual tuning</title>
  <para>
    To permit manual tuning of grsecurity runtime parameters, set:
    <programlisting>
      security.grsecurity.lockTunables = false;
    </programlisting>
    Once booted into this system, grsecurity features that have a corresponding
    sysctl tunable can be changed without rebooting, either by switching into
    a new system profile or via the <command>sysctl</command> utility.
  </para>
  <para>
    To lock all grsecurity tunables until the next boot, do:
    <screen>
      # systemctl start grsec-lock
    </screen>
  </para>
  </sect1>
  <sect1 xml:id="sec-grsec-security"><title>Security considerations</title>
  <para>
    The NixOS kernel is built using upstream's recommended settings for a
    desktop deployment that generally favours security over performance.  This
    section details deviations from upstream's recommendations that may
    compromise security.
    <warning><para>There may be additional problems not covered here!</para>
    </warning>
  </para>
  <itemizedlist>
    <listitem><para>
      The following hardening features are disabled in the NixOS kernel:
      <itemizedlist>
        <listitem><para>Kernel symbol hiding: rendered useless by redistributing
        kernel objects.</para></listitem>
        <listitem><para>Randomization of kernel structures: rendered useless by
        redistributing kernel objects.</para></listitem>
        <listitem><para>TCP simultaneous OPEN connection is permitted: breaking
        strict TCP conformance is inappropriate for a general purpose kernel.
        The trade-off is that an attacker may be able to deny outgoing
        connections if they are able to guess the source port allocated by your
        OS for that connection <emphasis>and</emphasis> also manage to initiate
        a TCP simultaneous OPEN on that port before the connection is actually
        established.</para></listitem>
        <listitem><para>Trusted path execution: a desirable feature, but
        requires some more work to operate smoothly on NixOS.</para></listitem>
      </itemizedlist>
    </para></listitem>
    <listitem><para>
      The NixOS module conditionally weakens <command>chroot</command>
      restrictions to accommodate NixOS lightweight containers and sandboxed Nix
      builds.  This can be problematic if the deployment also runs privileged
      network facing processes that <emphasis>rely</emphasis> on
      <command>chroot</command> for isolation.
    </para></listitem>
    <listitem><para>
      The NixOS kernel is patched to allow usermode helpers from anywhere in the
      Nix store.  A usermode helper is an executable called by the kernel in
      certain circumstances, e.g., <command>modprobe</command>.  Vanilla
      grsecurity only allows usermode helpers from paths typically owned by the
      super user.  The NixOS kernel allows an attacker to inject malicious code
      into the Nix store which could then be executed by the kernel as a
      usermode helper.
    </para></listitem>
    <listitem><para>
      The following features are disabled because they overlap with
      vanilla kernel mechanisms:
      <itemizedlist>
        <listitem><para><filename class="directory">/proc</filename> hardening:
        use <option>security.hideProcessInformation</option> instead.  This
        trades weaker protection for greater compatibility.
        </para></listitem>
        <listitem><para><command>dmesg</command> restrictions:
        use <option>boot.kernel.sysctl."kernel.dmesg_restrict"</option> instead
        </para></listitem>
      </itemizedlist>
    </para></listitem>
  </itemizedlist>
  </sect1>
  <sect1 xml:id="sec-grsec-custom-kernel"><title>Using a custom grsecurity/PaX kernel</title>
  <para>
    The NixOS kernel is likely to be either too permissive or too restrictive
    for many deployment scenarios.  In addition to producing a kernel more
    suitable for a particular deployment, a custom kernel may improve security
    by depriving an attacker the ability to study the kernel object code, adding
    yet more guesswork to successfully carry out certain exploits.
  </para>
  <para>
    To build a custom kernel using upstream's recommended settings for server
    deployments, while still using the NixOS module:
    <programlisting>
      nixpkgs.config.packageOverrides = super: {
        linux_grsec_nixos = super.linux_grsec_nixos.override {
          extraConfig = ''
            GRKERNSEC_CONFIG_AUTO y
            GRKERNSEC_CONFIG_SERVER y
            GRKERNSEC_CONFIG_SECURITY y
          '';
        };
      };
    </programlisting>
  </para>
  <para>
    The grsecurity/PaX wikibook provides an exhaustive listing of
    <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>.
  </para>
  <para>
    The NixOS module makes several assumptions about the kernel and so
    may be incompatible with your customised kernel. Currently, the only way
    to work around these incompatibilities is to eschew the NixOS
    module.
  </para>
  <para>
    If not using the NixOS module, a custom grsecurity package set can
    be specified inline instead, as in
    <programlisting>
      boot.kernelPackages =
        let
          kernel = pkgs.linux_grsec_nixos.override {
            extraConfig = /* as above */;
          };
          self = pkgs.linuxPackagesFor kernel self;
        in self;
    </programlisting>
  </para>
  </sect1>
  <sect1 xml:id="sec-grsec-pax-flags"><title>Per-executable PaX flags</title>
  <para>
    Manual tuning of per-file PaX flags for executables in the Nix store is
    impossible on a properly configured system.  If a package in Nixpkgs fails
    due to PaX, that is a bug in the package recipe and should be reported to
    the maintainer (including relevant <command>dmesg</command> output).
  </para>
  <para>
    For executables installed outside of the Nix store, PaX flags can be set
    using the <command>paxctl</command> utility:
    <programlisting>
      paxctl -czem <replaceable>foo</replaceable>
    </programlisting>
    <warning>
      <para><command>paxctl</command> overwrites files in-place.</para>
    </warning>
    Equivalently, on file systems that support extended attributes:
    <programlisting>
      setfattr -n user.pax.flags -v em <replaceable>foo</replaceable>
    </programlisting>
    <!-- TODO: PaX flags via RBAC policy -->
  </para>
  </sect1>
  <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title>
  <itemizedlist>
    <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>:
    consequently, unprivileged namespaces are unsupported. Applications that
    rely on namespaces for sandboxing must use a privileged helper. For chromium
    there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem>
    <listitem><para>Access to EFI runtime services is disabled by default:
    this plugs a potential code injection attack vector; use
    <option>security.grsecurity.disableEfiRuntimeServices</option> to override
    this behavior.</para></listitem>
    <listitem><para>User initiated autoloading of modules (e.g., when
    using fuse or loop devices) is disallowed; either load requisite modules
    as root or add them to <option>boot.kernelModules</option>.</para></listitem>
    <listitem><para>Virtualization: KVM is the preferred virtualization
    solution. Xen, Virtualbox, and VMWare are
    <emphasis>unsupported</emphasis> and most likely require a custom kernel.
    </para></listitem>
    <listitem><para>
      Attaching <command>gdb</command> to a running process is disallowed by
      default: unprivileged users can only ptrace processes that are children of
      the ptracing process.  To relax this restriction, set
      <programlisting>
        boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;
      </programlisting>
    </para></listitem>
    <listitem><para>
      Overflows in boot critical code (e.g., the root filesystem module) can
      render the system unbootable.  Work around by setting
      <programlisting>
        boot.kernelParams = [ "pax_size_overflow_report_only" ];
      </programlisting>
    </para></listitem>
    <listitem><para>
      The <citerefentry><refentrytitle>modify_ldt
      </refentrytitle><manvolnum>2</manvolnum></citerefentry> syscall is disabled
      by default.  This restriction can interfere with programs designed to run
      legacy 16-bit or segmented 32-bit code.  To support applications that rely
      on this syscall, set
      <programlisting>
        boot.kernel.sysctl."kernel.modify_ldt" = 1;
      </programlisting>
    </para></listitem>
    <listitem><para>
      The gitlab service (<xref linkend="module-services-gitlab" />)
      requires a variant of the <literal>ruby</literal> interpreter
      built without `mprotect()` hardening, as in
      <programlisting>
        services.gitlab.packages.gitlab = pkgs.gitlab.override {
          ruby = pkgs.ruby.overrideAttrs (attrs: {
            postFixup = "paxmark m $out/bin/ruby";
          });
        };
      </programlisting>
    </para></listitem>
  </itemizedlist>
  </sect1>
  <sect1 xml:id="sec-grsec-kernel-params"><title>Grsecurity/PaX kernel parameters</title>
  <para>
    The NixOS kernel supports the following kernel command line parameters:
    <itemizedlist>
      <listitem><para>
        <literal>pax_nouderef</literal>: disable UDEREF (separate kernel and
        user address spaces).
      </para></listitem>
      <listitem><para>
        <literal>pax_weakuderef</literal>: enable a faster but
        weaker variant of UDEREF on 64-bit processors with PCID support
        (check <code>grep pcid /proc/cpuinfo</code>).
      </para></listitem>
      <listitem><para>
        <literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel
        slab object sanitization. Defaults to <literal>fast</literal>
      </para></listitem>
      <listitem><para>
        <literal>pax_size_overflow_report_only</literal>: log size overflow
        violations but leave the violating task running
      </para></listitem>
      <listitem><para>
        <literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
        restrictions. The NixOS module sets this to <literal>0</literal>
        for systemd compatibility
      </para></listitem>
    </itemizedlist>
  </para>
  </sect1>
 </chapter>
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -281,7 +281,7 @@ let
                "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
              ${optionalString cfg.enableKwallet
                ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
-                 " kwalletd=${pkgs.libsForQt5.kwallet}/bin/kwalletd5")}
+                 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
            '') + ''
          ${optionalString cfg.unixAuth
              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
@ -350,7 +350,7 @@ let
              "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
          ${optionalString (cfg.enableKwallet)
              ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
-               " kwalletd=${pkgs.libsForQt5.kwallet}/bin/kwalletd5")}
+               " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
        '');
    };
--- a/nixos/modules/services/audio/alsa.nix
+++ b/nixos/modules/services/audio/alsa.nix
@ -7,6 +7,8 @@ let
  inherit (pkgs) alsaUtils;
  pulseaudioEnabled = config.hardware.pulseaudio.enable;
 in
 {
@ -80,7 +82,7 @@ in
    environment.systemPackages = [ alsaUtils ];
-    environment.etc = mkIf (config.sound.extraConfig != "")
+    environment.etc = mkIf (!pulseaudioEnabled && config.sound.extraConfig != "")
      [
        { source = pkgs.writeText "asound.conf" config.sound.extraConfig;
          target = "asound.conf";
--- a/nixos/modules/services/audio/mpd.nix
+++ b/nixos/modules/services/audio/mpd.nix
@ -10,11 +10,9 @@ let
  gid = config.ids.gids.mpd;
  cfg = config.services.mpd;
  playlistDir = "${cfg.dataDir}/playlists";
  mpdConf = pkgs.writeText "mpd.conf" ''
    music_directory     "${cfg.musicDirectory}"
-    playlist_directory  "${playlistDir}"
+    playlist_directory  "${cfg.playlistDirectory}"
    db_file             "${cfg.dbFile}"
    state_file          "${cfg.dataDir}/state"
    sticker_file        "${cfg.dataDir}/sticker.sql"
@ -44,14 +42,34 @@ in {
        '';
      };
      startWhenNeeded = mkOption {
        type = types.bool;
        default = false;
        description = ''
          If set, <command>mpd</command> is socket-activated; that
          is, instead of having it permanently running as a daemon,
          systemd will start it on the first incoming connection.
        '';
      };
      musicDirectory = mkOption {
        type = types.path;
        default = "${cfg.dataDir}/music";
        defaultText = ''''${dataDir}/music'';
        description = ''
          The directory where mpd reads music from.
        '';
      };
      playlistDirectory = mkOption {
        type = types.path;
        default = "${cfg.dataDir}/playlists";
        defaultText = ''''${dataDir}/playlists'';
        description = ''
          The directory where mpd stores playlists.
        '';
      };
      extraConfig = mkOption {
        type = types.lines;
        default = "";
@ -110,6 +128,7 @@ in {
      dbFile = mkOption {
        type = types.str;
        default = "${cfg.dataDir}/tag_cache";
        defaultText = ''''${dataDir}/tag_cache'';
        description = ''
          The path to MPD's database.
        '';
@ -123,19 +142,42 @@ in {
  config = mkIf cfg.enable {
    systemd.sockets.mpd = mkIf cfg.startWhenNeeded {
      description = "Music Player Daemon Socket";
      wantedBy = [ "sockets.target" ];
      listenStreams = [
        "${optionalString (cfg.network.listenAddress != "any") "${cfg.network.listenAddress}:"}${toString cfg.network.port}"
      ];
      socketConfig = {
        Backlog = 5;
        KeepAlive = true;
        PassCredentials = true;
      };
    };
    systemd.services.mpd = {
      after = [ "network.target" "sound.target" ];
      description = "Music Player Daemon";
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = optional (!cfg.startWhenNeeded) "multi-user.target";
      preStart = ''
        mkdir -p "${cfg.dataDir}" && chown -R ${cfg.user}:${cfg.group} "${cfg.dataDir}"
-        mkdir -p "${playlistDir}" && chown -R ${cfg.user}:${cfg.group} "${playlistDir}"
+        mkdir -p "${cfg.playlistDirectory}" && chown -R ${cfg.user}:${cfg.group} "${cfg.playlistDirectory}"
      '';
      serviceConfig = {
        User = "${cfg.user}";
        PermissionsStartOnly = true;
        ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdConf}";
        Type = "notify";
        LimitRTPRIO = 50;
        LimitRTTIME = "infinity";
        ProtectSystem = true;
        NoNewPrivileges = true;
        ProtectKernelTunables = true;
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK";
        RestrictNamespaces = true;
      };
    };
--- a/nixos/modules/services/backup/znapzend.nix
+++ b/nixos/modules/services/backup/znapzend.nix
@ -27,7 +27,13 @@ in
      noDestroy = mkOption {
        type = types.bool;
        default = false;
-        description = "Does all changes to the filesystem except destroy";
+        description = "Does all changes to the filesystem except destroy.";
      };
      autoCreation = mkOption {
        type = types.bool;
        default = false;
        description = "Automatically create the dataset on dest if it does not exists.";
      };
    };
  };
@ -44,7 +50,7 @@ in
        path = with pkgs; [ zfs mbuffer openssh ];
        serviceConfig = {
-          ExecStart = "${pkgs.znapzend}/bin/znapzend --logto=${cfg.logTo} --loglevel=${cfg.logLevel} ${optionalString cfg.noDestroy "--nodestroy"}";
+          ExecStart = "${pkgs.znapzend}/bin/znapzend --logto=${cfg.logTo} --loglevel=${cfg.logLevel} ${optionalString cfg.noDestroy "--nodestroy"} ${optionalString cfg.autoCreation "--autoCreation"}";
          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
          Restart = "on-failure";
        };
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@ -36,9 +36,9 @@ in
      package = mkOption {
        type = types.package;
-        default = pkgs.slurm-llnl;
+        default = pkgs.slurm;
-        defaultText = "pkgs.slurm-llnl";
+        defaultText = "pkgs.slurm";
-        example = literalExample "pkgs.slurm-llnl-full";
+        example = literalExample "pkgs.slurm-full";
        description = ''
          The package to use for slurm binaries.
        '';
--- a/nixos/modules/services/continuous-integration/buildbot/master.nix
+++ b/nixos/modules/services/continuous-integration/buildbot/master.nix
@ -225,11 +225,7 @@ in {
        User = cfg.user;
        Group = cfg.group;
        WorkingDirectory = cfg.home;
-        Environment = "PYTHONPATH=${cfg.package}/lib/python2.7/site-packages:${pkgs.buildbot-plugins.www}/lib/python2.7/site-packages:${pkgs.buildbot-plugins.waterfall-view}/lib/python2.7/site-packages:${pkgs.buildbot-plugins.console-view}/lib/python2.7/site-packages:${pkgs.python27Packages.future}/lib/python2.7/site-packages:${pkgs.python27Packages.dateutil}/lib/python2.7/site-packages:${pkgs.python27Packages.six}/lib/python2.7/site-packages:${pkgs.python27Packages.sqlalchemy}/lib/python2.7/site-packages:${pkgs.python27Packages.jinja2}/lib/python2.7/site-packages:${pkgs.python27Packages.markupsafe}/lib/python2.7/site-packages:${pkgs.python27Packages.sqlalchemy_migrate}/lib/python2.7/site-packages:${pkgs.python27Packages.tempita}/lib/python2.7/site-packages:${pkgs.python27Packages.decorator}/lib/python2.7/site-packages:${pkgs.python27Packages.sqlparse}/lib/python2.7/site-packages:${pkgs.python27Packages.txaio}/lib/python2.7/site-packages:${pkgs.python27Packages.autobahn}/lib/python2.7/site-packages:${pkgs.python27Packages.pyjwt}/lib/python2.7/site-packages:${pkgs.python27Packages.distro}/lib/python2.7/site-packages:${pkgs.python27Packages.pbr}/lib/python2.7/site-packages:${pkgs.python27Packages.urllib3}/lib/python2.7/site-packages";
+        ExecStart = "${cfg.package}/bin/buildbot start --nodaemon ${cfg.buildbotDir}";
        # NOTE: call twistd directly with stdout logging for systemd
        #ExecStart = "${cfg.package}/bin/buildbot start --nodaemon ${cfg.buildbotDir}";
        ExecStart = "${pkgs.python27Packages.twisted}/bin/twistd -n -l - -y ${cfg.buildbotDir}/buildbot.tac";
      };
    };
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@ -4,15 +4,82 @@ with lib;
 let
  cfg = config.services.gitlab-runner;
-  configFile = pkgs.writeText "config.toml" cfg.configText;
+  configFile =
    if (cfg.configFile == null) then
      (pkgs.runCommand "config.toml" {
        buildInputs = [ pkgs.remarshal ];
      } ''
        remarshal -if json -of toml \
          < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
          > $out
      '')
    else
      cfg.configFile;
  hasDocker = config.virtualisation.docker.enable;
 in
 {
  options.services.gitlab-runner = {
    enable = mkEnableOption "Gitlab Runner";
-    configText = mkOption {
+    configFile = mkOption {
-      description = "Verbatim config.toml to use";
+      default = null;
      description = ''
        Configuration file for gitlab-runner.
        Use this option in favor of configOptions to avoid placing CI tokens in the nix store.
        <option>configFile</option> takes precedence over <option>configOptions</option>.
        Warning: Not using <option>configFile</option> will potentially result in secrets
        leaking into the WORLD-READABLE nix store.
      '';
      type = types.nullOr types.path;
    };
    configOptions = mkOption {
      description = ''
        Configuration for gitlab-runner
        <option>configFile</option> will take precedence over this option.
        Warning: all Configuration, especially CI token, will be stored in a
        WORLD-READABLE file in the Nix Store.
        If you want to protect your CI token use <option>configFile</option> instead.
      '';
      type = types.attrs;
      example = {
        concurrent = 2;
        runners = [{
          name = "docker-nix-1.11";
          url = "https://CI/";
          token = "TOKEN";
          executor = "docker";
          builds_dir = "";
          docker = {
            host = "";
            image = "nixos/nix:1.11";
            privileged = true;
            disable_cache = true;
            cache_dir = "";
          };
        }];
      };
    };
    gracefulTermination = mkOption {
      default = false;
      type = types.bool;
      description = ''
        Finish all remaining jobs before stopping, restarting or reconfiguring.
        If not set gitlab-runner will stop immediatly without waiting for jobs to finish,
        which will lead to failed builds.
      '';
    };
    gracefulTimeout = mkOption {
      default = "infinity";
      type = types.str;
      example = "5min 20s";
      description = ''Time to wait until a graceful shutdown is turned into a forceful one.'';
    };
    workDir = mkOption {
@ -29,10 +96,21 @@ in
      example = literalExample "pkgs.gitlab-runner_1_11";
    };
    packages = mkOption {
      default = [ pkgs.bash pkgs.docker-machine ];
      defaultText = "[ pkgs.bash pkgs.docker-machine ]";
      type = types.listOf types.package;
      description = ''
        Packages to add to PATH for the gitlab-runner process.
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services.gitlab-runner = {
      path = cfg.packages;
      environment = config.networking.proxy.envVars;
      description = "Gitlab Runner";
      after = [ "network.target" ]
        ++ optional hasDocker "docker.service";
@ -45,6 +123,11 @@ in
          --service gitlab-runner \
          --user gitlab-runner \
        '';
      } //  optionalAttrs (cfg.gracefulTermination) {
        TimeoutStopSec = "${cfg.gracefulTimeout}";
        KillSignal = "SIGQUIT";
        KillMode = "process";
      };
    };
--- a/nixos/modules/services/continuous-integration/hail.nix
+++ b/nixos/modules/services/continuous-integration/hail.nix
@ -0,0 +1,61 @@
 { config, lib, pkgs, ...}:
 with lib;
 let
  cfg = config.services.hail;
 in {
  ###### interface
  options.services.hail = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enables the Hail Auto Update Service. Hail can automatically deploy artifacts
        built by a Hydra Continous Integration server. A common use case is to provide
        continous deployment for single services or a full NixOS configuration.'';
    };
    profile = mkOption {
      type = types.str;
      default = "hail-profile";
      description = "The name of the Nix profile used by Hail.";
    };
    hydraJobUri = mkOption {
      type = types.str;
      description = "The URI of the Hydra Job.";
    };
    netrc = mkOption {
      type = types.nullOr types.path;
      description = "The netrc file to use when fetching data from Hydra.";
      default = null;
    };
    package = mkOption {
      type = types.package;
      default = pkgs.haskellPackages.hail;
      defaultText = "pkgs.haskellPackages.hail";
      description = "Hail package to use.";
    };
  };
  ###### implementation
  config = mkIf cfg.enable {
    systemd.services.hail = {
      description = "Hail Auto Update Service";
      wants = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ nix ];
      environment = {
        HOME = "/var/lib/empty";
      };
      serviceConfig = {
        ExecStart = "${cfg.package}/bin/hail --profile ${cfg.profile} --job-uri ${cfg.hydraJobUri}"
          + lib.optionalString (cfg.netrc != null) " --netrc-file ${cfg.netrc}";
      };
    };
  };
 }
--- a/nixos/modules/services/continuous-integration/hydra/default.nix
+++ b/nixos/modules/services/continuous-integration/hydra/default.nix
@ -270,8 +270,8 @@ in
          ${optionalString haveLocalDB ''
            if ! [ -e ${baseDir}/.db-created ]; then
-              ${config.services.postgresql.package}/bin/createuser hydra
+              ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser hydra
-              ${config.services.postgresql.package}/bin/createdb -O hydra hydra
+              ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra
              touch ${baseDir}/.db-created
            fi
          ''}
--- a/nixos/modules/services/databases/influxdb.nix
+++ b/nixos/modules/services/databases/influxdb.nix
@ -68,9 +68,9 @@ let
    collectd = [{
      enabled = false;
-      typesdb = "${pkgs.collectd}/share/collectd/types.db";
+      typesdb = "${pkgs.collectd-data}/share/collectd/types.db";
      database = "collectd_db";
-      port = 25826;
+      bind-address = ":25826";
    }];
    opentsdb = [{
@ -149,7 +149,6 @@ in
        type = types.attrs;
      };
    };
  };
--- a/nixos/modules/services/databases/mongodb.nix
+++ b/nixos/modules/services/databases/mongodb.nix
@ -108,7 +108,7 @@ in
        after = [ "network.target" ];
        serviceConfig = {
-          ExecStart = "${mongodb}/bin/mongod --quiet --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
+          ExecStart = "${mongodb}/bin/mongod --config ${mongoCnf} --fork --pidfilepath ${cfg.pidFile}";
          User = cfg.user;
          PIDFile = cfg.pidFile;
          Type = "forking";
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@ -108,10 +108,13 @@ in
      initialDatabases = mkOption {
        default = [];
-        description = "List of database names and their initial schemas that should be used to create databases on the first startup of MySQL";
+        description = ''
          List of database names and their initial schemas that should be used to create databases on the first startup
          of MySQL. The schema attribute is optional: If not specified, an empty database is created.
        '';
        example = [
          { name = "foodatabase"; schema = literalExample "./foodatabase.sql"; }
-          { name = "bardatabase"; schema = literalExample "./bardatabase.sql"; }
+          { name = "bardatabase"; }
        ];
      };
@ -247,6 +250,8 @@ in
                    if ! test -e "${cfg.dataDir}/${database.name}"; then
                        echo "Creating initial database: ${database.name}"
                        ( echo "create database ${database.name};"
                          ${optionalString (database ? "schema") ''
                          echo "use ${database.name};"
                          if [ -f "${database.schema}" ]
@ -256,6 +261,7 @@ in
                          then
                              cat ${database.schema}/mysql-databases/*.sql
                          fi
                          ''}
                        ) | ${mysql}/bin/mysql -u root -N
                    fi
                  '') cfg.initialDatabases}
--- a/nixos/modules/services/databases/postage.nix
+++ b/nixos/modules/services/databases/postage.nix
@ -0,0 +1,205 @@
 { lib, pkgs, config, ... } :
 with lib;
 let
  cfg = config.services.postage;
  confFile = pkgs.writeTextFile {
    name = "postage.conf";
    text =  ''
      connection_file = ${postageConnectionsFile}
      allow_custom_connections = ${builtins.toJSON cfg.allowCustomConnections}
      postage_port = ${toString cfg.port}
      super_only = ${builtins.toJSON cfg.superOnly}
      ${optionalString (!isNull cfg.loginGroup) "login_group = ${cfg.loginGroup}"}
      login_timeout = ${toString cfg.loginTimeout}
      web_root = ${cfg.package}/etc/postage/web_root
      data_root = ${cfg.dataRoot}
      ${optionalString (!isNull cfg.tls) ''
      tls_cert = ${cfg.tls.cert}
      tls_key = ${cfg.tls.key}
      ''}
      log_level = ${cfg.logLevel}
    '';
  };
  postageConnectionsFile = pkgs.writeTextFile {
    name = "postage-connections.conf";
    text = concatStringsSep "\n"
      (mapAttrsToList (name : conn : "${name}: ${conn}") cfg.connections);
  };
  postage = "postage";
 in {
  options.services.postage = {
    enable = mkEnableOption "PostgreSQL Administration for the web";
    package = mkOption {
      type = types.package;
      default = pkgs.postage;
      defaultText = "pkgs.postage";
      description = ''
        The postage package to use.
      '';
    };
    connections = mkOption {
      type = types.attrsOf types.str;
      default = {};
      example = {
        "nuc-server"  = "hostaddr=192.168.0.100 port=5432 dbname=postgres";
        "mini-server" = "hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=require";
      };
      description = ''
        Postage requires at least one PostgreSQL server be defined.
        </para><para>
        Detailed information about PostgreSQL connection strings is available at:
        <link xlink:href="http://www.postgresql.org/docs/current/static/libpq-connect.html"/>
        </para><para>
        Note that you should not specify your user name or password. That
        information will be entered on the login screen. If you specify a
        username or password, it will be removed by Postage before attempting to
        connect to a database.
      '';
    };
    allowCustomConnections = mkOption {
      type = types.bool;
      default = false;
      description = ''
        This tells Postage whether or not to allow anyone to use a custom
        connection from the login screen.
      '';
    };
    port = mkOption {
      type = types.int;
      default = 8080;
      description = ''
        This tells Postage what port to listen on for browser requests.
      '';
    };
    localOnly = mkOption {
      type = types.bool;
      default = true;
      description = ''
        This tells Postage whether or not to set the listening socket to local
        addresses only.
      '';
    };
    superOnly = mkOption {
      type = types.bool;
      default = true;
      description = ''
        This tells Postage whether or not to only allow super users to
        login. The recommended value is true and will restrict users who are not
        super users from logging in to any PostgreSQL instance through
        Postage. Note that a connection will be made to PostgreSQL in order to
        test if the user is a superuser.
      '';
    };
    loginGroup = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        This tells Postage to only allow users in a certain PostgreSQL group to
        login to Postage. Note that a connection will be made to PostgreSQL in
        order to test if the user is a member of the login group.
      '';
    };
    loginTimeout = mkOption {
      type = types.int;
      default = 3600;
      description = ''
        Number of seconds of inactivity before user is automatically logged
        out.
      '';
    };
    dataRoot = mkOption {
      type = types.str;
      default = "/var/lib/postage";
      description = ''
        This tells Postage where to put the SQL file history. All tabs are saved
        to this location so that if you get disconnected from Postage you
        don't lose your work.
      '';
    };
    tls = mkOption {
      type = types.nullOr (types.submodule {
        options = {
          cert = mkOption {
            type = types.str;
            description = "TLS certificate";
          };
          key = mkOption {
            type = types.str;
            description = "TLS key";
          };
        };
      });
      default = null;
      description = ''
        These options tell Postage where the TLS Certificate and Key files
        reside. If you use these options then you'll only be able to access
        Postage through a secure TLS connection. These options are only
        necessary if you wish to connect directly to Postage using a secure TLS
        connection. As an alternative, you can set up Postage in a reverse proxy
        configuration. This allows your web server to terminate the secure
        connection and pass on the request to Postage. You can find help to set
        up this configuration in:
        <link xlink:href="https://github.com/workflowproducts/postage/blob/master/INSTALL_NGINX.md"/>
      '';
    };
    logLevel = mkOption {
      type = types.enum ["error" "warn" "notice" "info"];
      default = "error";
      description = ''
        Verbosity of logs
      '';
    };
  };
  config = mkIf cfg.enable {
    systemd.services.postage = {
      description = "postage - PostgreSQL Administration for the web";
      wants    = [ "postgresql.service" ];
      after    = [ "postgresql.service" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        User         = postage;
        Group        = postage;
        ExecStart    = "${pkgs.postage}/sbin/postage -c ${confFile}" +
                       optionalString cfg.localOnly " --local-only=true";
      };
    };
    users = {
      users."${postage}" = {
        name  = postage;
        group = postage;
        home  = cfg.dataRoot;
        createHome = true;
      };
      groups."${postage}" = {
        name = postage;
      };
    };
  };
 }
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@ -38,9 +38,6 @@ let
  pre84 = versionOlder (builtins.parseDrvName postgresql.name).version "8.4";
  # NixOS traditionally used `root` as superuser, most other distros use `postgres`. From 17.09
  # we also try to follow this standard
  superuser = (if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root");
 in
@ -151,6 +148,16 @@ in
          Contents of the <filename>recovery.conf</filename> file.
        '';
      };
      superUser = mkOption {
        type = types.str;
        default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
        internal = true;
        description = ''
          NixOS traditionally used `root` as superuser, most other distros use `postgres`.
          From 17.09 we also try to follow this standard. Internal since changing this value
          would lead to breakage while setting up databases.
        '';
        };
    };
  };
@ -215,7 +222,7 @@ in
          ''
            # Initialise the database.
            if ! test -e ${cfg.dataDir}/PG_VERSION; then
-              initdb -U ${superuser}
+              initdb -U ${cfg.superUser}
              # See postStart!
              touch "${cfg.dataDir}/.first_startup"
            fi
@ -247,14 +254,14 @@ in
        # Wait for PostgreSQL to be ready to accept connections.
        postStart =
          ''
-            while ! ${pkgs.sudo}/bin/sudo -u ${superuser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
+            while ! ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do
                if ! kill -0 "$MAINPID"; then exit 1; fi
                sleep 0.1
            done
            if test -e "${cfg.dataDir}/.first_startup"; then
              ${optionalString (cfg.initialScript != null) ''
-                ${pkgs.sudo}/bin/sudo -u ${superuser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
+                ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres
              ''}
              rm -f "${cfg.dataDir}/.first_startup"
            fi
--- a/nixos/modules/services/editors/emacs.xml
+++ b/nixos/modules/services/editors/emacs.xml
@ -24,7 +24,7 @@
  <para>
    Emacs runs within a graphical desktop environment using the X
    Window System, but works equally well on a text terminal. Under
-    <productname>OS X</productname>, a "Mac port" edition is
+    <productname>macOS</productname>, a "Mac port" edition is
    available, which uses Apple's native GUI frameworks.
  </para>
@ -84,7 +84,7 @@
            <listitem>
              <para>
                Emacs 25 with the "Mac port" patches, providing a more
-                native look and feel under OS X.
+                native look and feel under macOS.
              </para>
            </listitem>
          </varlistentry>
--- a/nixos/modules/services/games/factorio.nix
+++ b/nixos/modules/services/games/factorio.nix
@ -39,7 +39,7 @@ let
    admins = [];
  };
  serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings));
-  modDir = pkgs.factorio-mkModDirDrv cfg.mods;
+  modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods;
 in
 {
  options = {
--- a/Show More
+++ b/Show More
`@ -1,2 +1,2 @@`
	`# Expose the minimum required version for evaluating Nixpkgs`	`# Expose the minimum required version for evaluating Nixpkgs`
	`"1.10"`	`"1.11"`