Merge branch 'staging' into audit-static

.editorconfig

@@ -47,27 +47,17 @@ indent_style = space
 insert_final_newline = unset
 trim_trailing_whitespace = unset
 
-[*.{key,ovpn}]
+[*.{asc,key,ovpn}]
 insert_final_newline = unset
 end_of_line = unset
+trim_trailing_whitespace = unset
 
 [*.lock]
 indent_size = unset
 
-[deps.nix]
-insert_final_newline = unset
-[pkgs/tools/networking/dd-agent/*-deps.nix]
-insert_final_newline = unset
-
 [eggs.nix]
 trim_trailing_whitespace = unset
 
-[gemset.nix]
-insert_final_newline = unset
-
-[node-{composition,packages,packages-generated}.nix]
-insert_final_newline = unset
-
 [nixos/modules/services/networking/ircd-hybrid/*.{conf,in}]
 trim_trailing_whitespace = unset
 
@@ -92,15 +82,6 @@ insert_final_newline = unset
 indent_style = unset
 trim_trailing_whitespace = unset
 
-[pkgs/development/mobile/androidenv/generated/{addons,packages}.nix]
-trim_trailing_whitespace = unset
-
-[pkgs/development/node-packages/composition.nix]
-insert_final_newline = unset
-
-[pkgs/development/{perl-modules,ocaml-modules,tools/ocaml}/**]
-indent_style = unset
-
 [pkgs/servers/dict/wordnet_structures.py]
 trim_trailing_whitespace = unset
 

.github/CODEOWNERS

@@ -26,17 +26,18 @@
 /lib/asserts.nix            @edolstra @nbp @Profpatsch
 
 # Nixpkgs Internals
-/default.nix                          @nbp
+/default.nix                                     @nbp
-/pkgs/top-level/default.nix           @nbp @Ericson2314
+/pkgs/top-level/default.nix                      @nbp @Ericson2314
-/pkgs/top-level/impure.nix            @nbp @Ericson2314
+/pkgs/top-level/impure.nix                       @nbp @Ericson2314
-/pkgs/top-level/stage.nix             @nbp @Ericson2314 @matthewbauer
+/pkgs/top-level/stage.nix                        @nbp @Ericson2314 @matthewbauer
-/pkgs/top-level/splice.nix            @Ericson2314 @matthewbauer
+/pkgs/top-level/splice.nix                       @Ericson2314 @matthewbauer
-/pkgs/top-level/release-cross.nix     @Ericson2314 @matthewbauer
+/pkgs/top-level/release-cross.nix                @Ericson2314 @matthewbauer
-/pkgs/stdenv/generic                  @Ericson2314 @matthewbauer
+/pkgs/stdenv/generic                             @Ericson2314 @matthewbauer
-/pkgs/stdenv/cross                    @Ericson2314 @matthewbauer
+/pkgs/stdenv/cross                               @Ericson2314 @matthewbauer
-/pkgs/build-support/cc-wrapper        @Ericson2314 @orivej
+/pkgs/build-support/cc-wrapper                   @Ericson2314 @orivej
-/pkgs/build-support/bintools-wrapper  @Ericson2314 @orivej
+/pkgs/build-support/bintools-wrapper             @Ericson2314 @orivej
-/pkgs/build-support/setup-hooks       @Ericson2314
+/pkgs/build-support/setup-hooks                  @Ericson2314
+/pkgs/build-support/setup-hooks/auto-patchelf.sh @aszlig
 
 # Nixpkgs build-support
 /pkgs/build-support/writers @lassulus @Profpatsch
@@ -157,8 +158,8 @@
 /nixos/modules/services/networking/ntp @thoughtpolice
 
 # Dhall
-/pkgs/development/dhall-modules      @Gabriel439 @Profpatsch
+/pkgs/development/dhall-modules      @Gabriel439 @Profpatsch @ehmry
-/pkgs/development/interpreters/dhall @Gabriel439 @Profpatsch
+/pkgs/development/interpreters/dhall @Gabriel439 @Profpatsch @ehmry
 
 # Idris
 /pkgs/development/idris-modules @Infinisil

.github/CONTRIBUTING.md

@@ -57,6 +57,7 @@ Follow these steps to backport a change into a release branch in compliance with
 3. Create a branch for your change, e.g. `git checkout -b backport`.
 4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
 5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-20.09`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[20.09]`.
+6. When the backport pull request is merged and you have the necessary privileges you can also replace the label `9.needs: port to stable` with `8.has: port to stable` on the original pull request. This way maintainers can keep track of missing backports easier.
 
 ## Reviewing contributions
 

doc/builders/packages/emacs.section.md

@@ -2,12 +2,12 @@
 
 ## Configuring Emacs {#sec-emacs-config}
 
-The Emacs package comes with some extra helpers to make it easier to configure. `emacsWithPackages` allows you to manage packages from ELPA. This means that you will not have to install that packages from within Emacs. For instance, if you wanted to use `company` `counsel`, `flycheck`, `ivy`, `magit`, `projectile`, and `use-package` you could use this as a `~/.config/nixpkgs/config.nix` override:
+The Emacs package comes with some extra helpers to make it easier to configure. `emacs.pkgs.withPackages` allows you to manage packages from ELPA. This means that you will not have to install that packages from within Emacs. For instance, if you wanted to use `company` `counsel`, `flycheck`, `ivy`, `magit`, `projectile`, and `use-package` you could use this as a `~/.config/nixpkgs/config.nix` override:
 
 ```nix
 {
   packageOverrides = pkgs: with pkgs; {
-    myEmacs = emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [
+    myEmacs = emacs.pkgs.withPackages (epkgs: (with epkgs.melpaStablePackages; [
       company
       counsel
       flycheck
@@ -84,7 +84,7 @@ You can install it like any other packages via `nix-env -iA myEmacs`. However, t
         (projectile-global-mode))
     '';
 
-    myEmacs = emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [
+    myEmacs = emacs.pkgs.withPackages (epkgs: (with epkgs.melpaStablePackages; [
       (runCommand "default.el" {} ''
          mkdir -p $out/share/emacs/site-lisp
          cp ${myEmacsConfig} $out/share/emacs/site-lisp/default.el
@@ -103,14 +103,14 @@ You can install it like any other packages via `nix-env -iA myEmacs`. However, t
 
 This provides a fairly full Emacs start file. It will load in addition to the user's presonal config. You can always disable it by passing `-q` to the Emacs command.
 
-Sometimes `emacsWithPackages` is not enough, as this package set has some priorities imposed on packages (with the lowest priority assigned to Melpa Unstable, and the highest for packages manually defined in `pkgs/top-level/emacs-packages.nix`). But you can't control this priorities when some package is installed as a dependency. You can override it on per-package-basis, providing all the required dependencies manually - but it's tedious and there is always a possibility that an unwanted dependency will sneak in through some other package. To completely override such a package you can use `overrideScope'`.
+Sometimes `emacs.pkgs.withPackages` is not enough, as this package set has some priorities imposed on packages (with the lowest priority assigned to Melpa Unstable, and the highest for packages manually defined in `pkgs/top-level/emacs-packages.nix`). But you can't control this priorities when some package is installed as a dependency. You can override it on per-package-basis, providing all the required dependencies manually - but it's tedious and there is always a possibility that an unwanted dependency will sneak in through some other package. To completely override such a package you can use `overrideScope'`.
 
 ```nix
 overrides = self: super: rec {
   haskell-mode = self.melpaPackages.haskell-mode;
   ...
 };
-((emacsPackagesGen emacs).overrideScope' overrides).emacsWithPackages
+((emacsPackagesFor emacs).overrideScope' overrides).emacs.pkgs.withPackages
   (p: with p; [
     # here both these package will use haskell-mode of our own choice
     ghc-mod

doc/contributing/coding-conventions.xml

@@ -178,6 +178,12 @@ args.stdenv.mkDerivation (args // {
 </programlisting>
     </para>
    </listitem>
+   <listitem>
+    <para>
+     Arguments should be listed in the order they are used, with the
+     exception of <varname>lib</varname>, which always goes first.
+    </para>
+   </listitem>
    <listitem>
     <para>
      Prefer using the top-level <varname>lib</varname> over its alias

doc/languages-frameworks/coq.section.md

@@ -42,8 +42,8 @@ It also takes other standard `mkDerivation` attributes, they are added as such,
 Here is a simple package example. It is a pure Coq library, thus it depends on Coq. It builds on the Mathematical Components library, thus it also takes some `mathcomp` derivations as `extraBuildInputs`.
 
 ```nix
-{ coq, mkCoqDerivation, mathcomp, mathcomp-finmap, mathcomp-bigenough,
+{ lib, mkCoqDerivation, version ? null
-  lib, version ? null }:
+, coq, mathcomp, mathcomp-finmap, mathcomp-bigenough }:
 with lib; mkCoqDerivation {
   /* namePrefix leads to e.g. `name = coq8.11-mathcomp1.11-multinomials-1.5.2` */
   namePrefix = [ "coq" "mathcomp" ];

doc/languages-frameworks/emscripten.section.md

@@ -60,7 +60,7 @@ See the `zlib` example:
       stdenv = pkgs.emscriptenStdenv;
     }).overrideDerivation
     (old: rec {
-      buildInputs = old.buildInputs ++ [ pkgconfig ];
+      buildInputs = old.buildInputs ++ [ pkg-config ];
       # we need to reset this setting!
       NIX_CFLAGS_COMPILE="";
       configurePhase = ''
@@ -117,8 +117,8 @@ This `xmlmirror` example features a emscriptenPackage which is defined completel
     xmlmirror = pkgs.buildEmscriptenPackage rec {
       name = "xmlmirror";
 
-      buildInputs = [ pkgconfig autoconf automake libtool gnumake libxml2 nodejs openjdk json_c ];
+      buildInputs = [ pkg-config autoconf automake libtool gnumake libxml2 nodejs openjdk json_c ];
-      nativeBuildInputs = [ pkgconfig zlib ];
+      nativeBuildInputs = [ pkg-config zlib ];
 
       src = pkgs.fetchgit {
         url = "https://gitlab.com/odfplugfest/xmlmirror.git";

doc/languages-frameworks/idris.section.md

@@ -69,11 +69,11 @@ prelude
 As an example of how a Nix expression for an Idris package can be created, here is the one for `idrisPackages.yaml`:
 
 ```nix
-{ build-idris-package
+{ lib
+, build-idris-package
 , fetchFromGitHub
 , contrib
 , lightyear
-, lib
 }:
 build-idris-package  {
   name = "yaml";
@@ -94,11 +94,11 @@ build-idris-package  {
     sha256 = "1g4pi0swmg214kndj85hj50ccmckni7piprsxfdzdfhg87s0avw7";
   };
 
-  meta = {
+  meta = with lib; {
     description = "Idris YAML lib";
     homepage = "https://github.com/Heather/Idris.Yaml";
-    license = lib.licenses.mit;
+    license = licenses.mit;
-    maintainers = [ lib.maintainers.brainrape ];
+    maintainers = [ maintainers.brainrape ];
   };
 }
 ```

doc/languages-frameworks/maven.section.md

@@ -116,7 +116,7 @@ The first step will be to build the Maven project as a fixed-output derivation i
 > Traditionally the Maven repository is at `~/.m2/repository`. We will override this to be the `$out` directory.
 
 ```nix
-{ stdenv, lib, maven }:
+{ lib, stdenv, maven }:
 stdenv.mkDerivation {
   name = "maven-repository";
   buildInputs = [ maven ];
@@ -168,7 +168,7 @@ If your package uses _SNAPSHOT_ dependencies or _version ranges_; there is a str
 Regardless of which strategy is chosen above, the step to build the derivation is the same.
 
 ```nix
-{ stdenv, lib, maven, callPackage }:
+{ stdenv, maven, callPackage }:
 # pick a repository derivation, here we will use buildMaven
 let repository = callPackage ./build-maven-repository.nix { };
 in stdenv.mkDerivation rec {
@@ -222,7 +222,7 @@ We will read the Maven repository and flatten it to a single list. This list wil
 We make sure to provide this classpath to the `makeWrapper`.
 
 ```nix
-{ stdenv, lib, maven, callPackage, makeWrapper, jre }:
+{ stdenv, maven, callPackage, makeWrapper, jre }:
 let
   repository = callPackage ./build-maven-repository.nix { };
 in stdenv.mkDerivation rec {
@@ -298,7 +298,7 @@ Main-Class: Main
 We will modify the derivation above to add a symlink to our repository so that it's accessible to our JAR during the `installPhase`.
 
 ```nix
-{ stdenv, lib, maven, callPackage, makeWrapper, jre }:
+{ stdenv, maven, callPackage, makeWrapper, jre }:
 # pick a repository derivation, here we will use buildMaven
 let repository = callPackage ./build-maven-repository.nix { };
 in stdenv.mkDerivation rec {

doc/languages-frameworks/ocaml.section.md

@@ -32,11 +32,11 @@ buildDunePackage rec {
   propagatedBuildInputs = [ bigstringaf result ];
   doCheck = true;
 
-  meta = {
+  meta = with lib; {
     homepage = "https://github.com/inhabitedtype/angstrom";
     description = "OCaml parser combinators built for speed and memory efficiency";
-    license = lib.licenses.bsd3;
+    license = licenses.bsd3;
-    maintainers = with lib.maintainers; [ sternenseemann ];
+    maintainers = with maintainers; [ sternenseemann ];
   };
 }
 ```

doc/languages-frameworks/perl.section.md

@@ -110,7 +110,7 @@ ClassC3Componentised = buildPerlPackage rec {
 On Darwin, if a script has too many `-Idir` flags in its first line (its “shebang line”), it will not run. This can be worked around by calling the `shortenPerlShebang` function from the `postInstall` phase:
 
 ```nix
-{ stdenv, lib, buildPerlPackage, fetchurl, shortenPerlShebang }:
+{ lib, stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:
 
 ImageExifTool = buildPerlPackage {
   pname = "Image-ExifTool";

doc/languages-frameworks/python.section.md

@@ -610,6 +610,10 @@ Using the example above, the analagous pytestCheckHook usage would be:
     "download"
     "update"
   ];
+
+  disabledTestFiles = [
+    "tests/test_failing.py"
+  ];
 ```
 
 This is expecially useful when tests need to be conditionallydisabled,

doc/languages-frameworks/qt.section.md

@@ -8,7 +8,7 @@ There are primarily two problems which the Qt infrastructure is designed to addr
 
 ```{=docbook}
 <programlisting>
-{ mkDerivation, lib, qtbase }: <co xml:id='qt-default-nix-co-1' />
+{ mkDerivation, qtbase }: <co xml:id='qt-default-nix-co-1' />
 
 mkDerivation { <co xml:id='qt-default-nix-co-2' />
   pname = "myapp";
@@ -92,32 +92,43 @@ mkDerivation {
 }
 ```
 ## Adding a library to Nixpkgs
-   Add a Qt library to all-packages.nix by adding it to the collection inside `mkLibsForQt5`. This ensures that the library is built with every available version of Qt as needed.
+Qt libraries are added to `qt5-packages.nix` and are made available for every Qt
-
+version supported.
-### Example Adding a Qt library to all-packages.nix {#qt-library-all-packages-nix}
+### Example adding a Qt library {#qt-library-all-packages-nix}
 
+The following represents the contents of `qt5-packages.nix`.
 ```
 {
   # ...
 
-  mkLibsForQt5 = self: with self; {
+  mylib = callPackage ../path/to/mylib {};
-    # ...
-
-    mylib = callPackage ../path/to/mylib {};
-  };
 
   # ...
 }
 ```
 ## Adding an application to Nixpkgs
-Add a Qt application to *all-packages.nix* using `libsForQt5.callPackage` instead of the usual `callPackage`. The former ensures that all dependencies are built with the same version of Qt.
+Applications that use Qt are also added to `qt5-packages.nix`. An alias is added
+in the top-level `all-packages.nix` pointing to the package with the desired Qt5 version.
 
-### Example Adding a QT application to all-packages.nix {#qt-application-all-packages-nix}
+### Example adding a Qt application {#qt-application-all-packages-nix}
-```nix
+
+The following represents the contents of `qt5-packages.nix`.
+```
 {
   # ...
 
-  myapp = libsForQt5.callPackage ../path/to/myapp/ {};
+  myapp = callPackage ../path/to/myapp {};
+
+  # ...
+}
+```
+
+The following represents the contents of `all-packages.nix`.
+```
+{
+  # ...
+
+  myapp = libsForQt5.myapp;
 
   # ...
 }

doc/languages-frameworks/r.section.md

@@ -32,14 +32,12 @@ However, if you'd like to add a file to your project source to make the
 environment available for other contributors, you can create a `default.nix`
 file like so:
 ```nix
-let
+with import <nixpkgs> {};
-  pkgs = import <nixpkgs> {};
+{
-  stdenv = pkgs.stdenv;
-in with pkgs; {
   myProject = stdenv.mkDerivation {
     name = "myProject";
     version = "1";
-    src = if pkgs.lib.inNixShell then null else nix;
+    src = if lib.inNixShell then null else nix;
 
     buildInputs = with rPackages; [
       R

doc/languages-frameworks/ruby.section.md

@@ -232,7 +232,7 @@ If you want to package a specific version, you can use the standard Gemfile synt
 Now you can also also make a `default.nix` that looks like this:
 
 ```nix
-{ lib, bundlerApp }:
+{ bundlerApp }:
 
 bundlerApp {
   pname = "mdl";

doc/languages-frameworks/rust.section.md

@@ -19,6 +19,8 @@ or use Mozilla's [Rust nightlies overlay](#using-the-rust-nightlies-overlay).
 Rust applications are packaged by using the `buildRustPackage` helper from `rustPlatform`:
 
 ```
+{ lib, rustPlatform }:
+
 rustPlatform.buildRustPackage rec {
   pname = "ripgrep";
   version = "12.1.1";
@@ -226,8 +228,6 @@ source code in a reproducible way. If it is missing or out-of-date one can use
 the `cargoPatches` attribute to update or add it.
 
 ```
-{ lib, rustPlatform, fetchFromGitHub }:
-
 rustPlatform.buildRustPackage rec {
   (...)
   cargoPatches = [
@@ -263,7 +263,7 @@ Now, the file produced by the call to `carnix`, called `hello.nix`, looks like:
 
 ```
 # Generated by carnix 0.6.5: carnix -o hello.nix --src ./. Cargo.lock --standalone
-{ lib, stdenv, buildRustCrate, fetchgit }:
+{ stdenv, buildRustCrate, fetchgit }:
 let kernel = stdenv.buildPlatform.parsed.kernel.name;
     # ... (content skipped)
 in
@@ -292,7 +292,7 @@ following nix file:
 
 ```
 # Generated by carnix 0.6.5: carnix -o hello.nix --src ./. Cargo.lock --standalone
-{ lib, stdenv, buildRustCrate, fetchgit }:
+{ stdenv, buildRustCrate, fetchgit }:
 let kernel = stdenv.buildPlatform.parsed.kernel.name;
     # ... (content skipped)
 in
@@ -480,7 +480,7 @@ stdenv.mkDerivation {
     rustc cargo
 
     # Example Build-time Additional Dependencies
-    pkgconfig
+    pkg-config
   ];
   buildInputs = [
     # Example Run-time Additional Dependencies
@@ -522,7 +522,7 @@ stdenv.mkDerivation {
     latest.rustChannels.nightly.rust
 
     # Add some extra dependencies from `pkgs`
-    pkgconfig openssl
+    pkg-config openssl
   ];
 
   # Set Environment Variables
@@ -567,12 +567,13 @@ in the `~/.config/nixpkgs/overlays` directory.
 Add the following to your `configuration.nix`, `home-configuration.nix`, `shell.nix`, or similar:
 
 ```
-  nixpkgs = {
+{ pkgs ? import <nixpkgs> {
     overlays = [
       (import (builtins.fetchTarball https://github.com/mozilla/nixpkgs-mozilla/archive/master.tar.gz))
       # Further overlays go here
     ];
   };
+};
 ```
 
 Note that this will fetch the latest overlay version when rebuilding your system.

doc/shell.nix

@@ -1,5 +1,3 @@
-{ pkgs ? import ../. {} }:
+{ pkgs ? import ../. { } }:
-(import ./default.nix {}).overrideAttrs (x: {
+(import ./default.nix { }).overrideAttrs
-  buildInputs = x.buildInputs ++ [ pkgs.xmloscopy pkgs.ruby ];
+(x: { buildInputs = (x.buildInputs or [ ]) ++ [ pkgs.xmloscopy pkgs.ruby ]; })
-
-})

lib/modules.nix

@@ -895,7 +895,7 @@ rec {
       fromOpt = getAttrFromPath from options;
       toOf = attrByPath to
         (abort "Renaming error: option `${showOption to}' does not exist.");
-      toType = let opt = attrByPath to {} options; in opt.type or null;
+      toType = let opt = attrByPath to {} options; in opt.type or (types.submodule {});
     in
     {
       options = setAttrByPath from (mkOption {

lib/systems/platforms.nix

@@ -47,7 +47,6 @@ rec {
       arch = "armv5te";
     };
 
-    kernelMajor = "2.6";
     kernelBaseConfig = "multi_v5_defconfig";
     kernelArch = "arm";
     kernelAutoModules = false;
@@ -70,7 +69,6 @@ rec {
 
   sheevaplug = {
     name = "sheevaplug";
-    kernelMajor = "2.6";
     kernelBaseConfig = "multi_v5_defconfig";
     kernelArch = "arm";
     kernelAutoModules = false;
@@ -182,7 +180,6 @@ rec {
 
   raspberrypi = {
     name = "raspberrypi";
-    kernelMajor = "2.6";
     kernelBaseConfig = "bcm2835_defconfig";
     kernelDTB = true;
     kernelArch = "arm";
@@ -241,7 +238,6 @@ rec {
 
   utilite = {
     name = "utilite";
-    kernelMajor = "2.6";
     kernelBaseConfig = "multi_v7_defconfig";
     kernelArch = "arm";
     kernelAutoModules = false;
@@ -294,7 +290,6 @@ rec {
 
   armv7l-hf-multiplatform = {
     name = "armv7l-hf-multiplatform";
-    kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
     kernelBaseConfig = "multi_v7_defconfig";
     kernelArch = "arm";
     kernelDTB = true;
@@ -342,7 +337,6 @@ rec {
 
   aarch64-multiplatform = {
     name = "aarch64-multiplatform";
-    kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc.
     kernelBaseConfig = "defconfig";
     kernelArch = "arm64";
     kernelDTB = true;
@@ -381,7 +375,6 @@ rec {
 
   ben_nanonote = {
     name = "ben_nanonote";
-    kernelMajor = "2.6";
     kernelArch = "mips";
     gcc = {
       arch = "mips32";
@@ -391,7 +384,6 @@ rec {
 
   fuloong2f_n32 = {
     name = "fuloong2f_n32";
-    kernelMajor = "2.6";
     kernelBaseConfig = "lemote2f_defconfig";
     kernelArch = "mips";
     kernelAutoModules = false;

maintainers/maintainer-list.nix

@@ -610,6 +610,16 @@
     githubId = 11699655;
     name = "Stanislas Lange";
   };
+  anhdle14 = {
+    name = "Le Anh Duc";
+    email = "anhdle14@icloud.com";
+    github = "anhdle14";
+    githubId = 9645992;
+    keys = [{
+      longkeyid = "rsa4096/0x0299AFF9ECBB5169";
+      fingerprint = "AA4B 8EC3 F971 D350 482E  4E20 0299 AFF9 ECBB 5169";
+    }];
+  };
   ankhers = {
     email = "me@ankhers.dev";
     github = "ankhers";
@@ -960,6 +970,12 @@
     email = "sivaraman.balaji@gmail.com";
     name = "Balaji Sivaraman";
   };
+  baloo = {
+    email = "nixpkgs@superbaloo.net";
+    github = "baloo";
+    githubId = 59060;
+    name = "Arthur Gautier";
+  };
   balsoft = {
     email = "balsoft75@gmail.com";
     github = "balsoft";
@@ -1567,6 +1583,12 @@
     githubId = 33503784;
     name = "Yucheng Zhang";
   };
+  cheriimoya = {
+    email = "github@hausch.xyz";
+    github = "cheriimoya";
+    githubId = 28303440;
+    name = "Max Hausch";
+  };
   chessai = {
     email = "chessai1996@gmail.com";
     github = "chessai";
@@ -1683,16 +1705,6 @@
     githubId = 46303707;
     name = "Christian Lütke-Stetzkamp";
   };
-  kampka = {
-    email = "christian@kampka.net";
-    github = "kampka";
-    githubId = 422412;
-    name = "Christian Kampka";
-    keys = [{
-      longkeyid = "ed25519/0x1CBE9645DD68E915";
-      fingerprint = "F7FA 0BD0 8775 337C F6AB  4A14 1CBE 9645 DD68 E915";
-    }];
-  };
   ckauhaus = {
     email = "kc@flyingcircus.io";
     github = "ckauhaus";
@@ -2021,6 +2033,12 @@
     githubId = 23366017;
     name = "Dan Haraj";
   };
+  danielbarter = {
+    email = "danielbarter@gmail.com";
+    github = "danielbarter";
+    githubId = 8081722;
+    name = "Daniel Barter";
+  };
   danieldk = {
     email = "me@danieldk.eu";
     github = "danieldk";
@@ -3771,6 +3789,12 @@
     githubId = 7481521;
     name = "Balázs Lengyel";
   };
+  ilian = {
+    email = "ilian@tuta.io";
+    github = "ilian";
+    githubId = 25505957;
+    name = "Ilian";
+  };
   ilikeavocadoes = {
     email = "ilikeavocadoes@hush.com";
     github = "ilikeavocadoes";
@@ -3863,6 +3887,12 @@
     githubId = 4458;
     name = "Ivan Kozik";
   };
+  ivan-babrou = {
+    email = "nixpkgs@ivan.computer";
+    name = "Ivan Babrou";
+    github = "bobrik";
+    githubId = 89186;
+  };
   ivan-timokhin = {
     email = "nixpkgs@ivan.timokhin.name";
     name = "Ivan Timokhin";
@@ -4666,6 +4696,12 @@
     githubId = 494012;
     name = "Kevin Cox";
   };
+  kevingriffin = {
+    email = "me@kevin.jp";
+    github = "kevingriffin";
+    githubId = 209729;
+    name = "Kevin Griffin";
+  };
   kfollesdal = {
     email = "kfollesdal@gmail.com";
     github = "kfollesdal";
@@ -4793,6 +4829,12 @@
     github = "kmein";
     githubId = 10352507;
   };
+  kmicklas = {
+    email = "maintainer@kmicklas.com";
+    name = "Ken Micklas";
+    github = "kmicklas";
+    githubId = 929096;
+  };
   knairda = {
     email = "adrian@kummerlaender.eu";
     name = "Adrian Kummerlaender";
@@ -4936,6 +4978,10 @@
     github = "kyleondy";
     githubId = 1640900;
     name = "Kyle Ondy";
+    keys = [{
+      longkeyid = "rsa4096/0xDB0E3C33491F91C9";
+      fingerprint = "3C79 9D26 057B 64E6 D907  B0AC DB0E 3C33 491F 91C9";
+    }];
   };
   kylesferrazza = {
     name = "Kyle Sferrazza";
@@ -4949,6 +4995,16 @@
       fingerprint = "5A9A 1C9B 2369 8049 3B48  CF5B 81A1 5409 4816 2372";
     }];
   };
+  l-as = {
+    email = "las@protonmail.ch";
+    github = "L-as";
+    githubId = 22075344;
+    keys = [{
+      longkeyid = "rsa2048/0xAC458A7D1087D025";
+      fingerprint = "A093 EA17 F450 D4D1 60A0  1194 AC45 8A7D 1087 D025";
+    }];
+    name = "Las Safin";
+  };
   laikq = {
     email = "gwen@quasebarth.de";
     github = "laikq";
@@ -5088,12 +5144,24 @@
     githubId = 42153076;
     name = "Alexey Nikashkin";
   };
+  lesuisse = {
+    email = "thomas@gerbet.me";
+    github = "LeSuisse";
+    githubId = 737767;
+    name = "Thomas Gerbet";
+  };
   lethalman = {
     email = "lucabru@src.gnome.org";
     github = "lethalman";
     githubId = 480920;
     name = "Luca Bruno";
   };
+  leungbk = {
+    email = "leungbk@mailfence.com";
+    github = "leungbk";
+    githubId = 29217594;
+    name = "Brian Leung";
+  };
   lewo = {
     email = "lewo@abesis.fr";
     github = "nlewo";
@@ -5576,6 +5644,12 @@
       fingerprint = "B573 5118 0375 A872 FBBF  7770 B629 036B E399 EEE9";
     }];
   };
+  mausch = {
+    email = "mauricioscheffer@gmail.com";
+    github = "mausch";
+    githubId = 95194;
+    name = "Mauricio Scheffer";
+  };
   matejc = {
     email = "cotman.matej@gmail.com";
     github = "matejc";
@@ -6553,12 +6627,6 @@
     github = "NobbZ";
     githubId = 58951;
   };
-  nocent = {
-    email = "nocent@protonmail.ch";
-    github = "nocent";
-    githubId = 25505957;
-    name = "nocent";
-  };
   nocoolnametom = {
     email = "nocoolnametom@gmail.com";
     github = "nocoolnametom";
@@ -7085,6 +7153,16 @@
       fingerprint = "A3A3 65AE 16ED A7A0 C29C  88F1 9712 452E 8BE3 372E";
     }];
   };
+  pinpox = {
+    email = "mail@pablo.tools";
+    github = "pinpox";
+    githubId = 1719781;
+    name = "Pablo Ovelleiro Corral";
+    keys = [{
+      longkeyid = "sa4096/0x823A6154426408D3";
+      fingerprint = "D03B 218C AE77 1F77 D7F9  20D9 823A 6154 4264 08D3";
+    }];
+  };
   piotr = {
     email = "ppietrasa@gmail.com";
     name = "Piotr Pietraszkiewicz";
@@ -7131,6 +7209,12 @@
     githubId = 13000278;
     name = "Maksim Bronsky";
   };
+  PlushBeaver = {
+    name = "Dmitry Kozlyuk";
+    email = "dmitry.kozliuk+nixpkgs@gmail.com";
+    github = "PlushBeaver";
+    githubId = 8988269;
+  };
   pmahoney = {
     email = "pat@polycrystal.org";
     github = "pmahoney";
@@ -8653,6 +8737,12 @@
     githubId = 1315818;
     name = "Felix Bühler";
   };
+  stupremee = {
+      email = "jutus.k@protonmail.com";
+      github = "Stupremee";
+      githubId = 39732259;
+      name = "Justus K";
+  };
   suhr = {
     email = "suhr@i2pmail.org";
     github = "suhr";
@@ -8665,6 +8755,12 @@
     githubId = 2666479;
     name = "Y Nguyen";
   };
+  superherointj = {
+    name = "Sérgio G.";
+    email = "5861043+superherointj@users.noreply.github.com";
+    github = "superherointj";
+    githubId = 5861043;
+  };
   SuperSandro2000 = {
     email = "sandro.jaeckel@gmail.com";
     github = "SuperSandro2000";
@@ -8689,6 +8785,12 @@
     githubId = 1040871;
     name = "Mathis Antony";
   };
+  svend = {
+    email = "svend@svends.net";
+    github = "svend";
+    githubId = 306190;
+    name = "Svend Sorensen";
+  };
   svrana = {
     email = "shaw@vranix.com";
     github = "svrana";
@@ -8915,6 +9017,12 @@
     githubId = 649832;
     name = "Teo Klestrup Röijezon";
   };
+  terin = {
+    email = "terinjokes@gmail.com";
+    github = "terinjokes";
+    githubId = 273509;
+    name = "Terin Stock";
+  };
   terlar = {
     email = "terlar@gmail.com";
     github = "terlar";
@@ -9027,6 +9135,12 @@
     githubId = 844343;
     name = "Thiago K. Okada";
   };
+  thibautmarty = {
+    email = "github@thibautmarty.fr";
+    github = "ThibautMarty";
+    githubId = 3268082;
+    name = "Thibaut Marty";
+  };
   thmzlt = {
     email = "git@thomazleite.com";
     github = "thmzlt";
@@ -9287,6 +9401,12 @@
     githubId = 303489;
     name = "Manuel Bärenz";
   };
+  tu-maurice = {
+    email = "valentin.gehrke+nixpkgs@zom.bi";
+    github = "tu-maurice";
+    githubId = 16151097;
+    name = "Valentin Gehrke";
+  };
   tv = {
     email = "tv@krebsco.de";
     github = "4z3";
@@ -9626,6 +9746,10 @@
     email = "oliver.huntuk@gmail.com";
     name = "Oliver Hunt";
   };
+  vq = {
+    email = "vq@erq.se";
+    name = "Daniel Nilsson";
+  };
   vrthra = {
     email = "rahul@gopinath.org";
     github = "vrthra";

maintainers/scripts/nix-generate-from-cpan.nix

@@ -1,4 +1,4 @@
-{ stdenv, makeWrapper, perl, perlPackages }:
+{ stdenv, lib, makeWrapper, perl, perlPackages }:
 
 stdenv.mkDerivation {
   name = "nix-generate-from-cpan-3";
@@ -18,8 +18,8 @@ stdenv.mkDerivation {
     '';
 
   meta = {
-    maintainers = with stdenv.lib.maintainers; [ eelco rycee ];
+    maintainers = with lib.maintainers; [ eelco rycee ];
     description = "Utility to generate a Nix expression for a Perl package from CPAN";
-    platforms = stdenv.lib.platforms.unix;
+    platforms = lib.platforms.unix;
   };
 }

maintainers/scripts/nixpkgs-lint.nix

@@ -1,4 +1,4 @@
-{ stdenv, makeWrapper, perl, perlPackages }:
+{ stdenv, lib, makeWrapper, perl, perlPackages }:
 
 stdenv.mkDerivation {
   name = "nixpkgs-lint-1";
@@ -15,9 +15,9 @@ stdenv.mkDerivation {
       wrapProgram $out/bin/nixpkgs-lint --set PERL5LIB $PERL5LIB
     '';
 
-  meta = {
+  meta = with lib; {
-    maintainers = [ stdenv.lib.maintainers.eelco ];
+    maintainers = [ maintainers.eelco ];
     description = "A utility for Nixpkgs contributors to check Nixpkgs for common errors";
-    platforms = stdenv.lib.platforms.unix;
+    platforms = platforms.unix;
   };
 }

nixos/doc/manual/configuration/linux-kernel.xml

@@ -87,7 +87,7 @@ nixpkgs.config.packageOverrides = pkgs:
    You can edit the config with this snippet (by default <command>make
    menuconfig</command> won't work out of the box on nixos):
 <screen><![CDATA[
-      nix-shell -E 'with import <nixpkgs> {}; kernelToOverride.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkgconfig ncurses ];})'
+      nix-shell -E 'with import <nixpkgs> {}; kernelToOverride.overrideAttrs (o: {nativeBuildInputs=o.nativeBuildInputs ++ [ pkg-config ncurses ];})'
   ]]></screen>
    or you can let nixpkgs generate the configuration. Nixpkgs generates it via
    answering the interactive kernel utility <command>make config</command>. The

nixos/doc/manual/configuration/x-windows.xml

@@ -186,7 +186,7 @@
    The driver has many options (see <xref linkend="ch-options"/>). For
    instance, the following disables tap-to-click behavior:
 <programlisting>
-<xref linkend="opt-services.xserver.libinput.tapping"/> = false;
+<xref linkend="opt-services.xserver.libinput.touchpad.tapping"/> = false;
 </programlisting>
    Note: the use of <literal>services.xserver.synaptics</literal> is deprecated
    since NixOS 17.09.

nixos/doc/manual/release-notes/rl-2003.xml

@@ -43,6 +43,15 @@
      Linux kernel is updated to branch 5.4 by default (from 4.19).
     </para>
    </listitem>
+   <listitem>
+    <para>
+     Grub is updated to 2.04, adding support for booting from F2FS filesystems and
+     Btrfs volumes using zstd compression. Note that some users have been unable
+to boot after upgrading to 2.04 - for more information, please see <link
+xlink:href="https://github.com/NixOS/nixpkgs/issues/61718#issuecomment-617618503">this
+     discussion</link>.
+    </para>
+   </listitem>
    <listitem>
     <para>
      Postgresql for NixOS service now defaults to v11.

nixos/doc/manual/release-notes/rl-2103.xml

@@ -256,6 +256,22 @@
      which is the new stable release.  OpenAFS 1.6 was removed.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     MariaDB has been updated to 10.5.
+     Before you upgrade, it would be best to take a backup of your database and read
+     <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-104-to-mariadb-105/#incompatible-changes-between-104-and-105">
+     Incompatible Changes Between 10.4 and 10.5</link>.
+     After the upgrade you will need to run <literal>mysql_upgrade</literal>.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The TokuDB storage engine dropped in <package>mariadb</package> 10.5 and removed in <package>mariadb</package> 10.6.
+     It is recommended to switch to RocksDB. See also <link xlink:href="https://mariadb.com/kb/en/tokudb/">TokuDB</link> and
+     <link xlink:href="https://jira.mariadb.org/browse/MDEV-19780">MDEV-19780: Remove the TokuDB storage engine</link>.
+    </para>
+   </listitem>
    <listitem>
     <para>
       The <literal>openldap</literal> module now has support for OLC-style
@@ -414,6 +430,17 @@ http://some.json-exporter.host:7979/probe?target=https://example.com/some/json/e
       dynamically allocated uid.
     </para>
    </listitem>
+   <listitem>
+     <para>
+      The libinput module has been updated with the ability to configure mouse and touchpad settings separately.
+      The options in <literal>services.xserver.libinput</literal> have been renamed to <literal>services.xserver.libinput.touchpad</literal>,
+      while there is a new <literal>services.xserver.libinput.mouse</literal> for mouse related configuration.
+     </para>
+     <para>
+      Since touchpad options no longer apply to all devices, you may want to replicate your touchpad configuration in
+      mouse section.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/config/gnu.nix

@@ -1,11 +1,9 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 {
   options = {
-    gnu = mkOption {
+    gnu = lib.mkOption {
-      type = types.bool;
+      type = lib.types.bool;
       default = false;
       description = ''
         When enabled, GNU software is chosen by default whenever a there is
@@ -15,7 +13,7 @@ with lib;
     };
   };
 
-  config = mkIf config.gnu {
+  config = lib.mkIf config.gnu {
 
     environment.systemPackages = with pkgs;
       # TODO: Adjust `requiredPackages' from `system-path.nix'.
@@ -26,7 +24,7 @@ with lib;
         nano zile
         texinfo # for the stand-alone Info reader
       ]
-      ++ stdenv.lib.optional (!stdenv.isAarch32) grub2;
+      ++ lib.optional (!stdenv.isAarch32) grub2;
 
 
     # GNU GRUB, where available.

nixos/modules/config/networking.nix

@@ -58,6 +58,7 @@ in
         "2.nixos.pool.ntp.org"
         "3.nixos.pool.ntp.org"
       ];
+      type = types.listOf types.str;
       description = ''
         The set of NTP servers from which to synchronise.
       '';

nixos/modules/config/xdg/portal.nix

@@ -62,7 +62,7 @@ with lib;
       services.dbus.packages  = packages;
       systemd.packages = packages;
 
-      environment.variables = {
+      environment.sessionVariables = {
         GTK_USE_PORTAL = mkIf cfg.gtkUsePortal "1";
         XDG_DESKTOP_PORTAL_DIR = "${joinedPortals}/share/xdg-desktop-portal/portals";
       };

nixos/modules/hardware/nitrokey.nix

@@ -19,23 +19,9 @@ in
         nitrokey-app package, depending on your device and needs.
       '';
     };
-
-    group = mkOption {
-      type = types.str;
-      default = "nitrokey";
-      example = "wheel";
-      description = ''
-        Grant access to Nitrokey devices to users in this group.
-      '';
-    };
   };
 
   config = mkIf cfg.enable {
-    services.udev.packages = [
+    services.udev.packages = [ pkgs.nitrokey-udev-rules ];
-      (pkgs.nitrokey-udev-rules.override (attrs:
-        { inherit (cfg) group; }
-      ))
-    ];
-    users.groups.${cfg.group} = {};
   };
 }

nixos/modules/i18n/input-method/ibus.nix

@@ -48,7 +48,7 @@ in
       panel = mkOption {
         type = with types; nullOr path;
         default = null;
-        example = literalExample "''${pkgs.plasma5.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
+        example = literalExample "''${pkgs.plasma5Packages.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
         description = "Replace the IBus panel with another panel.";
       };
     };

nixos/modules/installer/cd-dvd/iso-image.nix

@@ -425,7 +425,12 @@ in
     };
 
     isoImage.squashfsCompression = mkOption {
-      default = "xz -Xdict-size 100%";
+      default = with pkgs.stdenv.targetPlatform; "xz -Xdict-size 100% "
+                + lib.optionalString (isx86_32 || isx86_64) "-Xbcj x86"
+                # Untested but should also reduce size for these platforms
+                + lib.optionalString (isAarch32 || isAarch64) "-Xbcj arm"
+                + lib.optionalString (isPowerPC) "-Xbcj powerpc"
+                + lib.optionalString (isSparc) "-Xbcj sparc";
       description = ''
         Compression settings to use for the squashfs nix store.
       '';

nixos/modules/installer/tools/nixos-option/default.nix

@@ -1,11 +1,11 @@
-{lib, stdenv, boost, cmake, pkgconfig, nix, ... }:
+{lib, stdenv, boost, cmake, pkg-config, nix, ... }:
 stdenv.mkDerivation rec {
   name = "nixos-option";
   src = ./.;
-  nativeBuildInputs = [ cmake pkgconfig ];
+  nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [ boost nix ];
-  meta = {
+  meta = with lib; {
-    license = stdenv.lib.licenses.lgpl2Plus;
+    license = licenses.lgpl2Plus;
-    maintainers = with lib.maintainers; [ chkno ];
+    maintainers = with maintainers; [ chkno ];
   };
 }

nixos/modules/installer/tools/tools.nix

@@ -28,17 +28,7 @@ let
     ];
   };
 
-  nixos-rebuild =
+  nixos-rebuild = pkgs.nixos-rebuild.override { nix = config.nix.package.out; };
-    let fallback = import ./nix-fallback-paths.nix; in
-    makeProg {
-      name = "nixos-rebuild";
-      src = ./nixos-rebuild.sh;
-      inherit (pkgs) runtimeShell;
-      nix = config.nix.package.out;
-      nix_x86_64_linux = fallback.x86_64-linux;
-      nix_i686_linux = fallback.i686-linux;
-      path = makeBinPath [ pkgs.jq ];
-    };
 
   nixos-generate-config = makeProg {
     name = "nixos-generate-config";

nixos/modules/misc/crashdump.nix

@@ -26,6 +26,7 @@ in
         };
         reservedMemory = mkOption {
           default = "128M";
+          type = types.str;
           description = ''
             The amount of memory reserved for the crashdump kernel.
             If you choose a too high value, dmesg will mention

nixos/modules/module-list.nix

@@ -633,6 +633,7 @@
   ./services/networking/dnsdist.nix
   ./services/networking/dnsmasq.nix
   ./services/networking/ncdns.nix
+  ./services/networking/nomad.nix
   ./services/networking/ejabberd.nix
   ./services/networking/epmd.nix
   ./services/networking/ergo.nix
@@ -900,6 +901,7 @@
   ./services/web-apps/selfoss.nix
   ./services/web-apps/shiori.nix
   ./services/web-apps/virtlyst.nix
+  ./services/web-apps/whitebophir.nix
   ./services/web-apps/wordpress.nix
   ./services/web-apps/youtrack.nix
   ./services/web-apps/zabbix.nix
@@ -955,6 +957,7 @@
   ./services/x11/urxvtd.nix
   ./services/x11/window-managers/awesome.nix
   ./services/x11/window-managers/default.nix
+  ./services/x11/window-managers/clfswm.nix
   ./services/x11/window-managers/fluxbox.nix
   ./services/x11/window-managers/icewm.nix
   ./services/x11/window-managers/bspwm.nix

nixos/modules/profiles/all-hardware.nix

@@ -3,8 +3,10 @@
 # enabled in the initrd.  Its primary use is in the NixOS installation
 # CDs.
 
-{ ... }:
+{ pkgs, lib,... }:
-
+let
+  platform = pkgs.stdenv.hostPlatform;
+in
 {
 
   # The initrd has to contain any module that might be necessary for
@@ -42,7 +44,10 @@
       "virtio_net" "virtio_pci" "virtio_blk" "virtio_scsi" "virtio_balloon" "virtio_console"
 
       # VMware support.
-      "mptspi" "vmw_balloon" "vmwgfx" "vmw_vmci" "vmw_vsock_vmci_transport" "vmxnet3" "vsock"
+      "mptspi" "vmxnet3" "vsock"
+    ] ++ lib.optional platform.isx86 "vmw_balloon"
+    ++ lib.optionals (!platform.isAarch64) [ # not sure where else they're missing
+      "vmw_vmci" "vmwgfx" "vmw_vsock_vmci_transport"
 
       # Hyper-V support.
       "hv_storvsc"

nixos/modules/programs/fish.nix

@@ -13,6 +13,27 @@ let
       (filterAttrs (k: v: v != null) cfg.shellAliases)
   );
 
+  envShellInit = pkgs.writeText "shellInit" cfge.shellInit;
+
+  envLoginShellInit = pkgs.writeText "loginShellInit" cfge.loginShellInit;
+
+  envInteractiveShellInit = pkgs.writeText "interactiveShellInit" cfge.interactiveShellInit;
+
+  sourceEnv = file:
+  if cfg.useBabelfish then
+    "source /etc/fish/${file}.fish"
+  else
+    ''
+      set fish_function_path ${pkgs.fishPlugins.foreign-env}/share/fish-foreign-env/functions $fish_function_path
+      fenv source /etc/fish/foreign-env/${file} > /dev/null
+      set -e fish_function_path[1]
+    '';
+
+  babelfishTranslate = path: name:
+    pkgs.runCommand "${name}.fish" {
+      nativeBuildInputs = [ pkgs.babelfish ];
+    } "${pkgs.babelfish}/bin/babelfish < ${path} > $out;";
+
 in
 
 {
@@ -29,6 +50,15 @@ in
         type = types.bool;
       };
 
+      useBabelfish = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled, the configured environment will be translated to native fish using <link xlink:href="https://github.com/bouk/babelfish">babelfish</link>.
+          Otherwise, <link xlink:href="https://github.com/oh-my-fish/plugin-foreign-env">foreign-env</link> will be used.
+        '';
+      };
+
       vendor.config.enable = mkOption {
         type = types.bool;
         default = true;
@@ -105,72 +135,152 @@ in
     # Required for man completions
     documentation.man.generateCaches = lib.mkDefault true;
 
-    environment.etc."fish/foreign-env/shellInit".text = cfge.shellInit;
+    environment = mkMerge [
-    environment.etc."fish/foreign-env/loginShellInit".text = cfge.loginShellInit;
+      (mkIf cfg.useBabelfish
-    environment.etc."fish/foreign-env/interactiveShellInit".text = cfge.interactiveShellInit;
+      {
+        etc."fish/setEnvironment.fish".source = babelfishTranslate config.system.build.setEnvironment "setEnvironment";
+        etc."fish/shellInit.fish".source = babelfishTranslate envShellInit "shellInit";
+        etc."fish/loginShellInit.fish".source = babelfishTranslate envLoginShellInit "loginShellInit";
+        etc."fish/interactiveShellInit.fish".source = babelfishTranslate envInteractiveShellInit "interactiveShellInit";
+     })
 
-    environment.etc."fish/nixos-env-preinit.fish".text = ''
+      (mkIf (!cfg.useBabelfish)
-      # This happens before $__fish_datadir/config.fish sets fish_function_path, so it is currently
+      {
-      # unset. We set it and then completely erase it, leaving its configuration to $__fish_datadir/config.fish
+        etc."fish/foreign-env/shellInit".source = envShellInit;
-      set fish_function_path ${pkgs.fishPlugins.foreign-env}/share/fish/vendor_functions.d $__fish_datadir/functions
+        etc."fish/foreign-env/loginShellInit".source = envLoginShellInit;
+        etc."fish/foreign-env/interactiveShellInit".source = envInteractiveShellInit;
+      })
 
-      # source the NixOS environment config
+      {
-      if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]
+        etc."fish/nixos-env-preinit.fish".text =
-          fenv source ${config.system.build.setEnvironment}
+        if cfg.useBabelfish
-      end
+        then ''
+          # source the NixOS environment config
+          if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]
+            source /etc/fish/setEnvironment.fish
+          end
+        ''
+        else ''
+          # This happens before $__fish_datadir/config.fish sets fish_function_path, so it is currently
+          # unset. We set it and then completely erase it, leaving its configuration to $__fish_datadir/config.fish
+          set fish_function_path ${pkgs.fishPlugins.foreign-env}/share/fish/vendor_functions.d $__fish_datadir/functions
 
-      # clear fish_function_path so that it will be correctly set when we return to $__fish_datadir/config.fish
+          # source the NixOS environment config
-      set -e fish_function_path
+          if [ -z "$__NIXOS_SET_ENVIRONMENT_DONE" ]
-    '';
+            fenv source ${config.system.build.setEnvironment}
+          end
 
-    environment.etc."fish/config.fish".text = ''
+          # clear fish_function_path so that it will be correctly set when we return to $__fish_datadir/config.fish
-      # /etc/fish/config.fish: DO NOT EDIT -- this file has been generated automatically.
+          set -e fish_function_path
+        '';
+      }
 
-      # if we haven't sourced the general config, do it
+      {
-      if not set -q __fish_nixos_general_config_sourced
+        etc."fish/config.fish".text = ''
-        set --prepend fish_function_path ${pkgs.fishPlugins.foreign-env}/share/fish/vendor_functions.d
+        # /etc/fish/config.fish: DO NOT EDIT -- this file has been generated automatically.
-        fenv source /etc/fish/foreign-env/shellInit > /dev/null
-        set -e fish_function_path[1]
 
-        ${cfg.shellInit}
+        # if we haven't sourced the general config, do it
+        if not set -q __fish_nixos_general_config_sourced
+          ${sourceEnv "shellInit"}
 
-        # and leave a note so we don't source this config section again from
+          ${cfg.shellInit}
-        # this very shell (children will source the general config anew)
-        set -g __fish_nixos_general_config_sourced 1
-      end
 
-      # if we haven't sourced the login config, do it
+          # and leave a note so we don't source this config section again from
-      status --is-login; and not set -q __fish_nixos_login_config_sourced
+          # this very shell (children will source the general config anew)
-      and begin
+          set -g __fish_nixos_general_config_sourced 1
-        set --prepend fish_function_path ${pkgs.fishPlugins.foreign-env}/share/fish/vendor_functions.d
+        end
-        fenv source /etc/fish/foreign-env/loginShellInit > /dev/null
-        set -e fish_function_path[1]
 
-        ${cfg.loginShellInit}
+        # if we haven't sourced the login config, do it
+        status --is-login; and not set -q __fish_nixos_login_config_sourced
+        and begin
+          ${sourceEnv "loginShellInit"}
 
-        # and leave a note so we don't source this config section again from
+          ${cfg.loginShellInit}
-        # this very shell (children will source the general config anew)
-        set -g __fish_nixos_login_config_sourced 1
-      end
 
-      # if we haven't sourced the interactive config, do it
+          # and leave a note so we don't source this config section again from
-      status --is-interactive; and not set -q __fish_nixos_interactive_config_sourced
+          # this very shell (children will source the general config anew)
-      and begin
+          set -g __fish_nixos_login_config_sourced 1
-        ${fishAliases}
+        end
 
-        set --prepend fish_function_path ${pkgs.fishPlugins.foreign-env}/share/fish/vendor_functions.d
+        # if we haven't sourced the interactive config, do it
-        fenv source /etc/fish/foreign-env/interactiveShellInit > /dev/null
+        status --is-interactive; and not set -q __fish_nixos_interactive_config_sourced
-        set -e fish_function_path[1]
+        and begin
+          ${fishAliases}
 
-        ${cfg.promptInit}
+          ${sourceEnv "interactiveShellInit"}
-        ${cfg.interactiveShellInit}
 
-        # and leave a note so we don't source this config section again from
+          ${cfg.promptInit}
-        # this very shell (children will source the general config anew,
+          ${cfg.interactiveShellInit}
-        # allowing configuration changes in, e.g, aliases, to propagate)
+
-        set -g __fish_nixos_interactive_config_sourced 1
+          # and leave a note so we don't source this config section again from
-      end
+          # this very shell (children will source the general config anew,
-    '';
+          # allowing configuration changes in, e.g, aliases, to propagate)
+          set -g __fish_nixos_interactive_config_sourced 1
+        end
+      '';
+      }
+
+      {
+        etc."fish/generated_completions".source =
+        let
+          patchedGenerator = pkgs.stdenv.mkDerivation {
+            name = "fish_patched-completion-generator";
+            srcs = [
+              "${pkgs.fish}/share/fish/tools/create_manpage_completions.py"
+              "${pkgs.fish}/share/fish/tools/deroff.py"
+            ];
+            unpackCmd = "cp $curSrc $(basename $curSrc)";
+            sourceRoot = ".";
+            patches = [ ./fish_completion-generator.patch ]; # to prevent collisions of identical completion files
+            dontBuild = true;
+            installPhase = ''
+              mkdir -p $out
+              cp * $out/
+            '';
+            preferLocalBuild = true;
+            allowSubstitutes = false;
+          };
+          generateCompletions = package: pkgs.runCommand
+            "${package.name}_fish-completions"
+            (
+              {
+                inherit package;
+                preferLocalBuild = true;
+                allowSubstitutes = false;
+              }
+              // optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }
+            )
+            ''
+              mkdir -p $out
+              if [ -d $package/share/man ]; then
+                find $package/share/man -type f | xargs ${pkgs.python3.interpreter} ${patchedGenerator}/create_manpage_completions.py --directory $out >/dev/null
+              fi
+            '';
+        in
+          pkgs.buildEnv {
+            name = "system_fish-completions";
+            ignoreCollisions = true;
+            paths = map generateCompletions config.environment.systemPackages;
+          };
+      }
+
+      # include programs that bring their own completions
+      {
+        pathsToLink = []
+        ++ optional cfg.vendor.config.enable "/share/fish/vendor_conf.d"
+        ++ optional cfg.vendor.completions.enable "/share/fish/vendor_completions.d"
+        ++ optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d";
+      }
+
+      { systemPackages = [ pkgs.fish ]; }
+
+      {
+        shells = [
+          "/run/current-system/sw/bin/fish"
+          "${pkgs.fish}/bin/fish"
+        ];
+      }
+    ];
 
     programs.fish.interactiveShellInit = ''
       # add completions generated by NixOS to $fish_complete_path
@@ -187,61 +297,6 @@ in
       end
     '';
 
-    environment.etc."fish/generated_completions".source =
-      let
-        patchedGenerator = pkgs.stdenv.mkDerivation {
-          name = "fish_patched-completion-generator";
-          srcs = [
-            "${pkgs.fish}/share/fish/tools/create_manpage_completions.py"
-            "${pkgs.fish}/share/fish/tools/deroff.py"
-          ];
-          unpackCmd = "cp $curSrc $(basename $curSrc)";
-          sourceRoot = ".";
-          patches = [ ./fish_completion-generator.patch ]; # to prevent collisions of identical completion files
-          dontBuild = true;
-          installPhase = ''
-            mkdir -p $out
-            cp * $out/
-          '';
-          preferLocalBuild = true;
-          allowSubstitutes = false;
-        };
-        generateCompletions = package: pkgs.runCommand
-          "${package.name}_fish-completions"
-          (
-            {
-              inherit package;
-              preferLocalBuild = true;
-              allowSubstitutes = false;
-            }
-            // optionalAttrs (package ? meta.priority) { meta.priority = package.meta.priority; }
-          )
-          ''
-            mkdir -p $out
-            if [ -d $package/share/man ]; then
-              find $package/share/man -type f | xargs ${pkgs.python3.interpreter} ${patchedGenerator}/create_manpage_completions.py --directory $out >/dev/null
-            fi
-          '';
-      in
-        pkgs.buildEnv {
-          name = "system_fish-completions";
-          ignoreCollisions = true;
-          paths = map generateCompletions config.environment.systemPackages;
-        };
-
-    # include programs that bring their own completions
-    environment.pathsToLink = []
-      ++ optional cfg.vendor.config.enable "/share/fish/vendor_conf.d"
-      ++ optional cfg.vendor.completions.enable "/share/fish/vendor_completions.d"
-      ++ optional cfg.vendor.functions.enable "/share/fish/vendor_functions.d";
-
-    environment.systemPackages = [ pkgs.fish ];
-
-    environment.shells = [
-      "/run/current-system/sw/bin/fish"
-      "${pkgs.fish}/bin/fish"
-    ];
-
   };
 
 }

nixos/modules/security/pam.nix

@@ -430,8 +430,8 @@ let
               ${optionalString cfg.pamMount
                 "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
               ${optionalString cfg.enableKwallet
-                ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
+                ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
-                 " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")}
+                 " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
               ${optionalString cfg.enableGnomeKeyring
                 "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
               ${optionalString cfg.gnupg.enable
@@ -509,8 +509,8 @@ let
           ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
               "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
           ${optionalString (cfg.enableKwallet)
-              ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
+              ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
-               " kwalletd=${pkgs.kdeFrameworks.kwallet.bin}/bin/kwalletd5")}
+               " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
           ${optionalString (cfg.enableGnomeKeyring)
               "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
           ${optionalString cfg.gnupg.enable

nixos/modules/services/amqp/activemq/default.nix

@@ -33,6 +33,7 @@ in {
       };
       configurationDir = mkOption {
         default = "${activemq}/conf";
+        type = types.str;
         description = ''
           The base directory for ActiveMQ's configuration.
           By default, this directory is searched for a file named activemq.xml,

nixos/modules/services/databases/firebird.nix

@@ -59,6 +59,7 @@ in
 
       port = mkOption {
         default = "3050";
+        type = types.port;
         description = ''
           Port Firebird uses.
         '';
@@ -66,6 +67,7 @@ in
 
       user = mkOption {
         default = "firebird";
+        type = types.str;
         description = ''
           User account under which firebird runs.
         '';
@@ -73,6 +75,7 @@ in
 
       baseDir = mkOption {
         default = "/var/db/firebird"; # ubuntu is using /var/lib/firebird/2.1/data/.. ?
+        type = types.str;
         description = ''
           Location containing data/ and system/ directories.
           data/ stores the databases, system/ stores the password database security2.fdb.

nixos/modules/services/databases/memcached.nix

@@ -17,39 +17,44 @@ in
   options = {
 
     services.memcached = {
-
       enable = mkEnableOption "Memcached";
 
       user = mkOption {
+        type = types.str;
         default = "memcached";
         description = "The user to run Memcached as";
       };
 
       listen = mkOption {
+        type = types.str;
         default = "127.0.0.1";
-        description = "The IP address to bind to";
+        description = "The IP address to bind to.";
       };
 
       port = mkOption {
+        type = types.port;
         default = 11211;
-        description = "The port to bind to";
+        description = "The port to bind to.";
       };
 
       enableUnixSocket = mkEnableOption "unix socket at /run/memcached/memcached.sock";
 
       maxMemory = mkOption {
+        type = types.ints.unsigned;
         default = 64;
         description = "The maximum amount of memory to use for storage, in megabytes.";
       };
 
       maxConnections = mkOption {
+        type = types.ints.unsigned;
         default = 1024;
-        description = "The maximum number of simultaneous connections";
+        description = "The maximum number of simultaneous connections.";
       };
 
       extraOptions = mkOption {
+        type = types.listOf types.str;
         default = [];
-        description = "A list of extra options that will be added as a suffix when running memcached";
+        description = "A list of extra options that will be added as a suffix when running memcached.";
       };
     };
 

nixos/modules/services/databases/mongodb.nix

@@ -41,16 +41,19 @@ in
       };
 
       user = mkOption {
+        type = types.str;
         default = "mongodb";
         description = "User account under which MongoDB runs";
       };
 
       bind_ip = mkOption {
+        type = types.str;
         default = "127.0.0.1";
         description = "IP to bind to";
       };
 
       quiet = mkOption {
+        type = types.bool;
         default = false;
         description = "quieter output";
       };
@@ -68,16 +71,19 @@ in
       };
 
       dbpath = mkOption {
+        type = types.str;
         default = "/var/db/mongodb";
         description = "Location where MongoDB stores its files";
       };
 
       pidFile = mkOption {
+        type = types.str;
         default = "/run/mongodb.pid";
         description = "Location of MongoDB pid file";
       };
 
       replSetName = mkOption {
+        type = types.str;
         default = "";
         description = ''
           If this instance is part of a replica set, set its name here.
@@ -86,6 +92,7 @@ in
       };
 
       extraConfig = mkOption {
+        type = types.lines;
         default = "";
         example = ''
           storage.journal.enabled: false

nixos/modules/services/databases/openldap.nix

@@ -244,7 +244,7 @@ in {
     };
   };
 
-  meta.maintainers = with lib.maintainters; [ mic92 kwohlfahrt ];
+  meta.maintainers = with lib.maintainers; [ mic92 kwohlfahrt ];
 
   config = mkIf cfg.enable {
     assertions = map (opt: {

nixos/modules/services/databases/redis.nix

@@ -122,12 +122,29 @@ in
       };
 
       slaveOf = mkOption {
-        default = null; # { ip, port }
+        type = with types; nullOr (submodule ({ ... }: {
-        description = "An attribute set with two attributes: ip and port to which this redis instance acts as a slave.";
+          options = {
+            ip = mkOption {
+              type = str;
+              description = "IP of the Redis master";
+              example = "192.168.1.100";
+            };
+
+            port = mkOption {
+              type = port;
+              description = "port of the Redis master";
+              default = 6379;
+            };
+          };
+        }));
+
+        default = null;
+        description = "IP and port to which this redis instance acts as a slave.";
         example = { ip = "192.168.1.100"; port = 6379; };
       };
 
       masterAuth = mkOption {
+        type = with types; nullOr str;
         default = null;
         description = ''If the master is password protected (using the requirePass configuration)
         it is possible to tell the slave to authenticate before starting the replication synchronization

nixos/modules/services/databases/virtuoso.nix

@@ -16,28 +16,33 @@ with lib;
       enable = mkEnableOption "Virtuoso Opensource database server";
 
       config = mkOption {
+        type = types.lines;
         default = "";
         description = "Extra options to put into Virtuoso configuration file.";
       };
 
       parameters = mkOption {
+        type = types.lines;
         default = "";
         description = "Extra options to put into [Parameters] section of Virtuoso configuration file.";
       };
 
       listenAddress = mkOption {
+        type = types.str;
         default = "1111";
         example = "myserver:1323";
         description = "ip:port or port to listen on.";
       };
 
       httpListenAddress = mkOption {
+        type = types.nullOr types.str;
         default = null;
         example = "myserver:8080";
         description = "ip:port or port for Virtuoso HTTP server to listen on.";
       };
 
       dirsAllowed = mkOption {
+        type = types.nullOr types.str; # XXX Maybe use a list in the future?
         default = null;
         example = "/www, /home/";
         description = "A list of directories Virtuoso is allowed to access";

nixos/modules/services/desktops/gnome3/evolution-data-server.nix

@@ -15,31 +15,45 @@ with lib;
   options = {
 
     services.gnome3.evolution-data-server = {
-
+      enable = mkEnableOption "Evolution Data Server, a collection of services for storing addressbooks and calendars.";
-      enable = mkOption {
+      plugins = mkOption {
-        type = types.bool;
+        type = types.listOf types.package;
-        default = false;
+        default = [ ];
-        description = ''
+        description = "Plugins for Evolution Data Server.";
-          Whether to enable Evolution Data Server, a collection of services for
+      };
-          storing addressbooks and calendars.
+    };
-        '';
+    programs.evolution = {
+      enable = mkEnableOption "Evolution, a Personal information management application that provides integrated mail, calendaring and address book functionality.";
+      plugins = mkOption {
+        type = types.listOf types.package;
+        default = [ ];
+        example = literalExample "[ pkgs.evolution-ews ]";
+        description = "Plugins for Evolution.";
       };
 
     };
-
   };
 
-
   ###### implementation
 
-  config = mkIf config.services.gnome3.evolution-data-server.enable {
+  config =
+    let
+      bundle = pkgs.evolutionWithPlugins.override { inherit (config.services.gnome3.evolution-data-server) plugins; };
+    in
+    mkMerge [
+      (mkIf config.services.gnome3.evolution-data-server.enable {
+        environment.systemPackages = [ bundle ];
 
-    environment.systemPackages = [ pkgs.gnome3.evolution-data-server ];
+        services.dbus.packages = [ bundle ];
-
-    services.dbus.packages = [ pkgs.gnome3.evolution-data-server ];
-
-    systemd.packages = [ pkgs.gnome3.evolution-data-server ];
-
-  };
 
+        systemd.packages = [ bundle ];
+      })
+      (mkIf config.programs.evolution.enable {
+        services.gnome3.evolution-data-server = {
+          enable = true;
+          plugins = [ pkgs.evolution ] ++ config.programs.evolution.plugins;
+        };
+        services.gnome3.gnome-keyring.enable = true;
+      })
+    ];
 }

nixos/modules/services/editors/emacs.xml

@@ -156,7 +156,7 @@ $ ./result/bin/emacs
 
 let
   myEmacs = pkgs.emacs; <co xml:id="ex-emacsNix-2" />
-  emacsWithPackages = (pkgs.emacsPackagesGen myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
+  emacsWithPackages = (pkgs.emacsPackagesFor myEmacs).emacsWithPackages; <co xml:id="ex-emacsNix-3" />
 in
   emacsWithPackages (epkgs: (with epkgs.melpaStablePackages; [ <co xml:id="ex-emacsNix-4" />
     magit          # ; Integrate git &lt;C-x g&gt;
@@ -254,10 +254,10 @@ in
     <example xml:id="module-services-emacs-querying-packages">
      <title>Querying Emacs packages</title>
 <programlisting><![CDATA[
-nix-env -f "<nixpkgs>" -qaP -A emacsPackages.elpaPackages
+nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.elpaPackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaPackages
+nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.melpaPackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackages.melpaStablePackages
+nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.melpaStablePackages
-nix-env -f "<nixpkgs>" -qaP -A emacsPackages.orgPackages
+nix-env -f "<nixpkgs>" -qaP -A emacs.pkgs.orgPackages
 ]]></programlisting>
     </example>
    </para>

nixos/modules/services/hardware/sane_extra_backends/brscan4_etc_files.nix

@@ -19,18 +19,16 @@ nix-shell -E 'with import <nixpkgs> { }; brscan4-etc-files.override{netDevices=[
 
 */
 
-with lib;
-
 let
 
   addNetDev = nd: ''
     brsaneconfig4 -a \
     name="${nd.name}" \
     model="${nd.model}" \
-    ${if (hasAttr "nodename" nd && nd.nodename != null) then
+    ${if (lib.hasAttr "nodename" nd && nd.nodename != null) then
       ''nodename="${nd.nodename}"'' else
       ''ip="${nd.ip}"''}'';
-  addAllNetDev = xs: concatStringsSep "\n" (map addNetDev xs);
+  addAllNetDev = xs: lib.concatStringsSep "\n" (map addNetDev xs);
 in
 
 stdenv.mkDerivation {
@@ -61,11 +59,11 @@ stdenv.mkDerivation {
   dontStrip = true;
   dontPatchELF = true;
 
-  meta = {
+  meta = with lib; {
     description = "Brother brscan4 sane backend driver etc files";
     homepage = "http://www.brother.com";
-    platforms = stdenv.lib.platforms.linux;
+    platforms = platforms.linux;
-    license = stdenv.lib.licenses.unfree;
+    license = licenses.unfree;
-    maintainers = with stdenv.lib.maintainers; [ jraygauthier ];
+    maintainers = with maintainers; [ jraygauthier ];
   };
 }

nixos/modules/services/mail/postfix.nix

@@ -25,8 +25,6 @@ let
 
   clientRestrictions = concatStringsSep ", " (clientAccess ++ dnsBl);
 
-  smtpTlsSecurityLevel = if cfg.useDane then "dane" else "may";
-
   mainCf = let
     escape = replaceStrings ["$"] ["$$"];
     mkList = items: "\n  " + concatStringsSep ",\n  " items;
@@ -510,14 +508,6 @@ in
         '';
       };
 
-      useDane = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Sets smtp_tls_security_level to "dane" rather than "may". See postconf(5) for details.
-        '';
-      };
-
       sslCert = mkOption {
         type = types.str;
         default = "";
@@ -819,13 +809,13 @@ in
       // optionalAttrs cfg.enableHeaderChecks { header_checks = [ "regexp:/etc/postfix/header_checks" ]; }
       // optionalAttrs (cfg.tlsTrustedAuthorities != "") {
         smtp_tls_CAfile = cfg.tlsTrustedAuthorities;
-        smtp_tls_security_level = smtpTlsSecurityLevel;
+        smtp_tls_security_level = mkDefault "may";
       }
       // optionalAttrs (cfg.sslCert != "") {
         smtp_tls_cert_file = cfg.sslCert;
         smtp_tls_key_file = cfg.sslKey;
 
-        smtp_tls_security_level = smtpTlsSecurityLevel;
+        smtp_tls_security_level = mkDefault "may";
 
         smtpd_tls_cert_file = cfg.sslCert;
         smtpd_tls_key_file = cfg.sslKey;
@@ -969,5 +959,9 @@ in
   imports = [
    (mkRemovedOptionModule [ "services" "postfix" "sslCACert" ]
      "services.postfix.sslCACert was replaced by services.postfix.tlsTrustedAuthorities. In case you intend that your server should validate requested client certificates use services.postfix.extraConfig.")
+
+   (mkChangedOptionModule [ "services" "postfix" "useDane" ]
+     [ "services" "postfix" "config" "smtp_tls_security_level" ]
+     (config: mkIf config.services.postfix.useDane "dane"))
   ];
 }

nixos/modules/services/misc/gitea.nix

@@ -349,7 +349,7 @@ in
         {
           DOMAIN = cfg.domain;
           STATIC_ROOT_PATH = cfg.staticRootPath;
-          LFS_JWT_SECRET = "#jwtsecret#";
+          LFS_JWT_SECRET = "#lfsjwtsecret#";
           ROOT_URL = cfg.rootUrl;
         }
         (mkIf cfg.enableUnixSocket {
@@ -381,6 +381,7 @@ in
 
       security = {
         SECRET_KEY = "#secretkey#";
+        INTERNAL_TOKEN = "#internaltoken#";
         INSTALL_LOCK = true;
       };
 
@@ -396,6 +397,10 @@ in
       mailer = mkIf (cfg.mailerPasswordFile != null) {
         PASSWD = "#mailerpass#";
       };
+
+      oauth2 = {
+        JWT_SECRET = "#oauth2jwtsecret#";
+      };
     };
 
     services.postgresql = optionalAttrs (usePostgresql && cfg.database.createDatabase) {
@@ -453,12 +458,22 @@ in
       description = "gitea";
       after = [ "network.target" ] ++ lib.optional usePostgresql "postgresql.service" ++ lib.optional useMysql "mysql.service";
       wantedBy = [ "multi-user.target" ];
-      path = [ gitea pkgs.gitAndTools.git ];
+      path = [ gitea pkgs.git ];
 
+      # In older versions the secret naming for JWT was kind of confusing.
+      # The file jwt_secret hold the value for LFS_JWT_SECRET and JWT_SECRET
+      # wasn't persistant at all.
+      # To fix that, there is now the file oauth2_jwt_secret containing the
+      # values for JWT_SECRET and the file jwt_secret gets renamed to
+      # lfs_jwt_secret.
+      # We have to consider this to stay compatible with older installations.
       preStart = let
         runConfig = "${cfg.stateDir}/custom/conf/app.ini";
         secretKey = "${cfg.stateDir}/custom/conf/secret_key";
-        jwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret";
+        oauth2JwtSecret = "${cfg.stateDir}/custom/conf/oauth2_jwt_secret";
+        oldLfsJwtSecret = "${cfg.stateDir}/custom/conf/jwt_secret"; # old file for LFS_JWT_SECRET
+        lfsJwtSecret = "${cfg.stateDir}/custom/conf/lfs_jwt_secret"; # new file for LFS_JWT_SECRET
+        internalToken = "${cfg.stateDir}/custom/conf/internal_token";
       in ''
         # copy custom configuration and generate a random secret key if needed
         ${optionalString (cfg.useWizard == false) ''
@@ -468,24 +483,41 @@ in
               ${gitea}/bin/gitea generate secret SECRET_KEY > ${secretKey}
           fi
 
-          if [ ! -e ${jwtSecret} ]; then
+          # Migrate LFS_JWT_SECRET filename
-              ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${jwtSecret}
+          if [[ -e ${oldLfsJwtSecret} && ! -e ${lfsJwtSecret} ]]; then
+              mv ${oldLfsJwtSecret} ${lfsJwtSecret}
           fi
 
-          KEY="$(head -n1 ${secretKey})"
+          if [ ! -e ${oauth2JwtSecret} ]; then
+              ${gitea}/bin/gitea generate secret JWT_SECRET > ${oauth2JwtSecret}
+          fi
+
+          if [ ! -e ${lfsJwtSecret} ]; then
+              ${gitea}/bin/gitea generate secret LFS_JWT_SECRET > ${lfsJwtSecret}
+          fi
+
+          if [ ! -e ${internalToken} ]; then
+              ${gitea}/bin/gitea generate secret INTERNAL_TOKEN > ${internalToken}
+          fi
+
+          SECRETKEY="$(head -n1 ${secretKey})"
           DBPASS="$(head -n1 ${cfg.database.passwordFile})"
-          JWTSECRET="$(head -n1 ${jwtSecret})"
+          OAUTH2JWTSECRET="$(head -n1 ${oauth2JwtSecret})"
+          LFSJWTSECRET="$(head -n1 ${lfsJwtSecret})"
+          INTERNALTOKEN="$(head -n1 ${internalToken})"
           ${if (cfg.mailerPasswordFile == null) then ''
             MAILERPASSWORD="#mailerpass#"
           '' else ''
             MAILERPASSWORD="$(head -n1 ${cfg.mailerPasswordFile} || :)"
           ''}
-          sed -e "s,#secretkey#,$KEY,g" \
+          sed -e "s,#secretkey#,$SECRETKEY,g" \
               -e "s,#dbpass#,$DBPASS,g" \
-              -e "s,#jwtsecret#,$JWTSECRET,g" \
+              -e "s,#oauth2jwtsecret#,$OAUTH2JWTSECRET,g" \
+              -e "s,#lfsjwtsecret#,$LFSJWTSECRET,g" \
+              -e "s,#internaltoken#,$INTERNALTOKEN,g" \
               -e "s,#mailerpass#,$MAILERPASSWORD,g" \
               -i ${runConfig}
-          chmod 640 ${runConfig} ${secretKey} ${jwtSecret}
+          chmod 640 ${runConfig} ${secretKey} ${oauth2JwtSecret} ${lfsJwtSecret} ${internalToken}
         ''}
 
         # update all hooks' binary paths

nixos/modules/services/misc/gitlab.nix

@@ -736,7 +736,7 @@ in {
       environment = gitlabEnv;
       path = with pkgs; [
         postgresqlPackage
-        gitAndTools.git
+        git
         ruby
         openssh
         nodejs
@@ -764,7 +764,7 @@ in {
       path = with pkgs; [
         openssh
         procps  # See https://gitlab.com/gitlab-org/gitaly/issues/1562
-        gitAndTools.git
+        git
         cfg.packages.gitaly.rubyEnv
         cfg.packages.gitaly.rubyEnv.wrappedRuby
         gzip
@@ -806,7 +806,7 @@ in {
       wantedBy = [ "multi-user.target" ];
       path = with pkgs; [
         exiftool
-        gitAndTools.git
+        git
         gnutar
         gzip
         openssh
@@ -854,7 +854,7 @@ in {
       environment = gitlabEnv;
       path = with pkgs; [
         postgresqlPackage
-        gitAndTools.git
+        git
         openssh
         nodejs
         procps

nixos/modules/services/misc/gitolite.nix

@@ -227,6 +227,6 @@ in
     };
 
     environment.systemPackages = [ pkgs.gitolite pkgs.git ]
-        ++ optional cfg.enableGitAnnex pkgs.gitAndTools.git-annex;
+        ++ optional cfg.enableGitAnnex pkgs.git-annex;
   });
 }

nixos/modules/services/misc/matrix-synapse.xml

@@ -69,6 +69,9 @@ in {
       # i.e. to delegate from the host being accessible as ${config.networking.domain}
       # to another host actually running the Matrix homeserver.
       "${config.networking.domain}" = {
+        <link linkend="opt-services.nginx.virtualHosts._name_.enableACME">enableACME</link> = true;
+        <link linkend="opt-services.nginx.virtualHosts._name_.forceSSL">forceSSL</link> = true;
+
         <link linkend="opt-services.nginx.virtualHosts._name_.locations._name_.extraConfig">locations."= /.well-known/matrix/server".extraConfig</link> =
           let
             # use 443 instead of the default 8448 port to unite
@@ -203,7 +206,7 @@ Success!
     <link linkend="opt-services.nginx.virtualHosts._name_.root">root</link> = pkgs.element-web.override {
       conf = {
         default_server_config."m.homeserver" = {
-          "base_url" = "${config.networking.domain}";
+          "base_url" = "https://${fqdn}";
           "server_name" = "${fqdn}";
         };
       };

nixos/modules/services/misc/redmine.nix

@@ -230,7 +230,7 @@ in
       production = {
         scm_subversion_command = "${pkgs.subversion}/bin/svn";
         scm_mercurial_command = "${pkgs.mercurial}/bin/hg";
-        scm_git_command = "${pkgs.gitAndTools.git}/bin/git";
+        scm_git_command = "${pkgs.git}/bin/git";
         scm_cvs_command = "${pkgs.cvs}/bin/cvs";
         scm_bazaar_command = "${pkgs.breezy}/bin/bzr";
         scm_darcs_command = "${pkgs.darcs}/bin/darcs";
@@ -299,7 +299,7 @@ in
         breezy
         cvs
         darcs
-        gitAndTools.git
+        git
         mercurial
         subversion
       ];

nixos/modules/services/misc/snapper.nix

@@ -48,6 +48,8 @@ in
           subvolume = "/home";
           extraConfig = ''
             ALLOW_USERS="alice"
+            TIMELINE_CREATE=yes
+            TIMELINE_CLEANUP=yes
           '';
         };
       };

nixos/modules/services/monitoring/grafana-image-renderer.nix

@@ -122,7 +122,7 @@ in {
         timezone = config.time.timeZone;
       };
 
-      services = {
+      service = {
         logging.level = mkIf cfg.verbose (mkDefault "debug");
         metrics.enabled = mkDefault false;
       };

nixos/modules/services/monitoring/prometheus/exporters/nextcloud.nix

@@ -46,11 +46,11 @@ in
       DynamicUser = false;
       ExecStart = ''
         ${pkgs.prometheus-nextcloud-exporter}/bin/nextcloud-exporter \
-          -a ${cfg.listenAddress}:${toString cfg.port} \
+          --addr ${cfg.listenAddress}:${toString cfg.port} \
-          -u ${cfg.username} \
+          --username ${cfg.username} \
-          -t ${cfg.timeout} \
+          --timeout ${cfg.timeout} \
-          -l ${cfg.url} \
+          --server ${cfg.url} \
-          -p ${escapeShellArg "@${cfg.passwordFile}"} \
+          --password ${escapeShellArg "@${cfg.passwordFile}"} \
           ${concatStringsSep " \\\n  " cfg.extraFlags}
       '';
     };

nixos/modules/services/networking/bitlbee.nix

@@ -58,6 +58,7 @@ in
       };
 
       interface = mkOption {
+        type = types.str;
         default = "127.0.0.1";
         description = ''
           The interface the BitlBee deamon will be listening to.  If `127.0.0.1',
@@ -68,6 +69,7 @@ in
 
       portNumber = mkOption {
         default = 6667;
+        type = types.int;
         description = ''
           Number of the port BitlBee will be listening to.
         '';
@@ -142,6 +144,7 @@ in
 
       extraSettings = mkOption {
         default = "";
+        type = types.lines;
         description = ''
           Will be inserted in the Settings section of the config file.
         '';
@@ -149,6 +152,7 @@ in
 
       extraDefaults = mkOption {
         default = "";
+        type = types.lines;
         description = ''
           Will be inserted in the Default section of the config file.
         '';

nixos/modules/services/networking/dnscrypt-wrapper.nix

@@ -83,7 +83,7 @@ let
   # correctly implement key rotation of dnscrypt-wrapper ephemeral keys.
   dnscrypt-proxy1 = pkgs.callPackage
     ({ stdenv, fetchFromGitHub, autoreconfHook
-    , pkgconfig, libsodium, ldns, openssl, systemd }:
+    , pkg-config, libsodium, ldns, openssl, systemd }:
 
     stdenv.mkDerivation rec {
       pname = "dnscrypt-proxy";
@@ -98,7 +98,7 @@ let
 
       configureFlags = optional stdenv.isLinux "--with-systemd";
 
-      nativeBuildInputs = [ autoreconfHook pkgconfig ];
+      nativeBuildInputs = [ autoreconfHook pkg-config ];
 
       # <ldns/ldns.h> depends on <openssl/ssl.h>
       buildInputs = [ libsodium openssl.dev ldns ] ++ optional stdenv.isLinux systemd;

nixos/modules/services/networking/murmur.nix

@@ -109,6 +109,13 @@ in
         description = "Host to bind to. Defaults binding on all addresses.";
       };
 
+      package = mkOption {
+        type = types.package;
+        default = pkgs.murmur;
+        defaultText = "pkgs.murmur";
+        description = "Overridable attribute of the murmur package to use.";
+      };
+
       password = mkOption {
         type = types.str;
         default = "";
@@ -299,7 +306,7 @@ in
         Type = if forking then "forking" else "simple";
         PIDFile = mkIf forking "/run/murmur/murmurd.pid";
         EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
-        ExecStart = "${pkgs.murmur}/bin/murmurd -ini /run/murmur/murmurd.ini";
+        ExecStart = "${cfg.package}/bin/murmurd -ini /run/murmur/murmurd.ini";
         Restart = "always";
         RuntimeDirectory = "murmur";
         RuntimeDirectoryMode = "0700";

nixos/modules/services/networking/nomad.nix

@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.nomad;
+  format = pkgs.formats.json { };
+in
+{
+  ##### interface
+  options = {
+    services.nomad = {
+      enable = mkEnableOption "Nomad, a distributed, highly available, datacenter-aware scheduler";
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.nomad;
+        defaultText = "pkgs.nomad";
+        description = ''
+          The package used for the Nomad agent and CLI.
+        '';
+      };
+
+      extraPackages = mkOption {
+        type = types.listOf types.package;
+        default = [ ];
+        description = ''
+          Extra packages to add to <envar>PATH</envar> for the Nomad agent process.
+        '';
+        example = literalExample ''
+          with pkgs; [ cni-plugins ]
+        '';
+      };
+
+      dropPrivileges = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether the nomad agent should be run as a non-root nomad user.
+        '';
+      };
+
+      enableDocker = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Enable Docker support. Needed for Nomad's docker driver.
+
+          Note that the docker group membership is effectively equivalent
+          to being root, see https://github.com/moby/moby/issues/9976.
+        '';
+      };
+
+      settings = mkOption {
+        type = format.type;
+        default = {
+          # Agrees with `StateDirectory = "nomad"` set below.
+          data_dir = "/var/lib/nomad";
+        };
+        description = ''
+          Configuration for Nomad. See the <link xlink:href="https://www.nomadproject.io/docs/configuration">documentation</link>
+          for supported values.
+        '';
+        example = literalExample ''
+          {
+            # A minimal config example:
+            server = {
+              enabled = true;
+              bootstrap_expect = 1; # for demo; no fault tolerance
+            };
+            client = {
+              enabled = true;
+            };
+          }
+        '';
+      };
+    };
+  };
+
+  ##### implementation
+  config = mkIf cfg.enable {
+    environment = {
+      etc."nomad.json".source = format.generate "nomad.json" cfg.settings;
+      systemPackages = [ cfg.package ];
+    };
+
+    systemd.services.nomad = {
+      description = "Nomad";
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [ "network-online.target" ];
+      restartTriggers = [ config.environment.etc."nomad.json".source ];
+
+      path = cfg.extraPackages ++ (with pkgs; [
+        # Client mode requires at least the following:
+        coreutils
+        iproute
+        iptables
+      ]);
+
+      serviceConfig = {
+        DynamicUser = cfg.dropPrivileges;
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        ExecStart = "${cfg.package}/bin/nomad agent -config=/etc/nomad.json";
+        KillMode = "process";
+        KillSignal = "SIGINT";
+        LimitNOFILE = 65536;
+        LimitNPROC = "infinity";
+        OOMScoreAdjust = -1000;
+        Restart = "on-failure";
+        RestartSec = 2;
+        # Agrees with the default `data_dir = "/var/lib/nomad"` in `settings` above.
+        StateDirectory = "nomad";
+        TasksMax = "infinity";
+        User = optionalString cfg.dropPrivileges "nomad";
+      } // (optionalAttrs cfg.enableDocker {
+        SupplementaryGroups = "docker"; # space-separated string
+      });
+      unitConfig = {
+        StartLimitIntervalSec = 10;
+        StartLimitBurst = 3;
+      };
+    };
+
+    # Docker support requires the Docker daemon to be running.
+    virtualisation.docker.enable = mkIf cfg.enableDocker true;
+  };
+}

nixos/modules/services/networking/ntp/chrony.nix

@@ -4,13 +4,14 @@ with lib;
 
 let
   cfg = config.services.chrony;
+  chronyPkg = cfg.package;
 
-  stateDir = "/var/lib/chrony";
+  stateDir = cfg.directory;
   driftFile = "${stateDir}/chrony.drift";
   keyFile = "${stateDir}/chrony.keys";
 
   configFile = pkgs.writeText "chrony.conf" ''
-    ${concatMapStringsSep "\n" (server: "server " + server + " iburst") cfg.servers}
+    ${concatMapStringsSep "\n" (server: "server " + server + " " + cfg.serverOption + optionalString (cfg.enableNTS) " nts") cfg.servers}
 
     ${optionalString
       (cfg.initstepslew.enabled && (cfg.servers != []))
@@ -19,6 +20,7 @@ let
 
     driftfile ${driftFile}
     keyfile ${keyFile}
+    ${optionalString (cfg.enableNTS) "ntsdumpdir ${stateDir}"}
 
     ${optionalString (!config.time.hardwareClockInLocalTime) "rtconutc"}
 
@@ -39,13 +41,46 @@ in
         '';
       };
 
+      package = mkOption {
+        type = types.package;
+        default = pkgs.chrony;
+        defaultText = "pkgs.chrony";
+        description = ''
+          Which chrony package to use.
+        '';
+      };
+
       servers = mkOption {
         default = config.networking.timeServers;
+        type = types.listOf types.str;
         description = ''
           The set of NTP servers from which to synchronise.
         '';
       };
 
+      serverOption = mkOption {
+        default = "iburst";
+        type = types.enum [ "iburst" "offline" ];
+        description = ''
+          Set option for server directives.
+
+          Use "iburst" to rapidly poll on startup. Recommended if your machine
+          is consistently online.
+
+          Use "offline" to prevent polling on startup. Recommended if your
+          machine boots offline or is otherwise frequently offline.
+        '';
+      };
+
+      enableNTS = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to enable Network Time Security authentication.
+          Make sure it is supported by your selected NTP server(s).
+        '';
+      };
+
       initstepslew = mkOption {
         default = {
           enabled = true;
@@ -58,6 +93,12 @@ in
         '';
       };
 
+      directory = mkOption {
+        type = types.str;
+        default = "/var/lib/chrony";
+        description = "Directory where chrony state is stored.";
+      };
+
       extraConfig = mkOption {
         type = types.lines;
         default = "";
@@ -79,7 +120,7 @@ in
   config = mkIf cfg.enable {
     meta.maintainers = with lib.maintainers; [ thoughtpolice ];
 
-    environment.systemPackages = [ pkgs.chrony ];
+    environment.systemPackages = [ chronyPkg ];
 
     users.groups.chrony.gid = config.ids.gids.chrony;
 
@@ -109,12 +150,12 @@ in
         after    = [ "network.target" ];
         conflicts = [ "ntpd.service" "systemd-timesyncd.service" ];
 
-        path = [ pkgs.chrony ];
+        path = [ chronyPkg ];
 
         unitConfig.ConditionCapability = "CAP_SYS_TIME";
         serviceConfig =
           { Type = "simple";
-            ExecStart = "${pkgs.chrony}/bin/chronyd ${chronyFlags}";
+            ExecStart = "${chronyPkg}/bin/chronyd ${chronyFlags}";
 
             ProtectHome = "yes";
             ProtectSystem = "full";

nixos/modules/services/networking/ntp/ntpd.nix

@@ -79,6 +79,7 @@ in
 
       servers = mkOption {
         default = config.networking.timeServers;
+        type = types.listOf types.str;
         description = ''
           The set of NTP servers from which to synchronise.
         '';

nixos/modules/services/networking/searx.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ options, config, lib, pkgs, ... }:
 
 with lib;
 
@@ -6,42 +6,14 @@ let
   runDir = "/run/searx";
   cfg = config.services.searx;
 
-  hasEngines =
+  generateConfig = ''
-    builtins.hasAttr "engines" cfg.settings &&
-    cfg.settings.engines != { };
-
-  # Script to merge NixOS settings with
-  # the default settings.yml bundled in searx.
-  mergeConfig = ''
     cd ${runDir}
-    # find the default settings.yml
-    default=$(find '${cfg.package}/' -name settings.yml)
 
     # write NixOS settings as JSON
-    cat <<'EOF' > settings.json
+    cat <<'EOF' > settings.yml
       ${builtins.toJSON cfg.settings}
     EOF
 
-    ${optionalString hasEngines ''
-      # extract and convert the default engines array to an object
-      ${pkgs.yq-go}/bin/yq r "$default" engines -j | \
-      ${pkgs.jq}/bin/jq 'reduce .[] as $e ({}; .[$e.name] = $e)' \
-        > engines.json
-
-      # merge and update the NixOS engines with the newly created object
-      cp settings.json temp.json
-      ${pkgs.jq}/bin/jq -s '. as [$s, $e] | $s | .engines |=
-        ($e * . | to_entries | map (.value))' \
-        temp.json engines.json > settings.json
-
-      # clean up temporary files
-      rm {engines,temp}.json
-    ''}
-
-    # merge the default and NixOS settings
-    ${pkgs.yq-go}/bin/yq m -P settings.json "$default" > settings.yml
-    rm settings.json
-
     # substitute environment variables
     env -0 | while IFS='=' read -r -d ''' n v; do
       sed "s#@$n@#$v#g" -i settings.yml
@@ -51,6 +23,12 @@ let
     chmod 400 settings.yml
   '';
 
+  settingType = with types; (oneOf
+    [ bool int float str
+      (listOf settingType)
+      (attrsOf settingType)
+    ]) // { description = "JSON value"; };
+
 in
 
 {
@@ -86,15 +64,16 @@ in
       };
 
       settings = mkOption {
-        type = types.attrs;
+        type = types.attrsOf settingType;
         default = { };
         example = literalExample ''
           { server.port = 8080;
             server.bind_address = "0.0.0.0";
             server.secret_key = "@SEARX_SECRET_KEY@";
 
-            engines.wolframalpha =
+            engines = lib.singleton
-              { shortcut = "wa";
+              { name = "wolframalpha";
+                shortcut = "wa";
                 api_key = "@WOLFRAM_API_KEY@";
                 engine = "wolframalpha_api";
               };
@@ -155,9 +134,9 @@ in
       };
 
       uwsgiConfig = mkOption {
-        type = types.attrs;
+        type = options.services.uwsgi.instance.type;
         default = { http = ":8080"; };
-        example = lib.literalExample ''
+        example = literalExample ''
           {
             disable-logging = true;
             http = ":8080";                   # serve via HTTP...
@@ -199,7 +178,7 @@ in
         RuntimeDirectoryMode = "750";
       } // optionalAttrs (cfg.environmentFile != null)
         { EnvironmentFile = builtins.toPath cfg.environmentFile; };
-      script = mergeConfig;
+      script = generateConfig;
     };
 
     systemd.services.searx = mkIf (!cfg.runInUwsgi) {
@@ -221,6 +200,11 @@ in
         after = [ "searx-init.service" ];
       };
 
+    services.searx.settings = {
+      # merge NixOS settings with defaults settings.yml
+      use_default_settings = mkDefault true;
+    };
+
     services.uwsgi = mkIf (cfg.runInUwsgi) {
       enable = true;
       plugins = [ "python3" ];
@@ -241,6 +225,6 @@ in
 
   };
 
-  meta.maintainers = with lib.maintainers; [ rnhmjoj ];
+  meta.maintainers = with maintainers; [ rnhmjoj ];
 
 }

nixos/modules/services/security/tor.nix

@@ -909,8 +909,11 @@ in
 
     networking.firewall = mkIf cfg.openFirewall {
       allowedTCPPorts =
-        concatMap (o: optional (isInt o && o > 0 || o ? "port" && isInt o.port && o.port > 0) o.port)
+        concatMap (o:
-        (flatten [
+          if isInt o && o > 0 then [o]
+          else if o ? "port" && isInt o.port && o.port > 0 then [o.port]
+          else []
+        ) (flatten [
           cfg.settings.ORPort
           cfg.settings.DirPort
         ]);

nixos/modules/services/web-apps/trilium.nix

@@ -85,7 +85,7 @@ in
 
   config = lib.mkIf cfg.enable (lib.mkMerge [
   {
-    meta.maintainers = with lib.maintainers; [ kampka ];
+    meta.maintainers = with lib.maintainers; [ ];
 
     users.groups.trilium = {};
     users.users.trilium = {

nixos/modules/services/web-apps/whitebophir.nix

@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.whitebophir;
+in {
+  options = {
+    services.whitebophir = {
+      enable = mkEnableOption "whitebophir, an online collaborative whiteboard server (persistent state will be maintained under <filename>/var/lib/whitebophir</filename>)";
+
+      package = mkOption {
+        default = pkgs.whitebophir;
+        defaultText = "pkgs.whitebophir";
+        type = types.package;
+        description = "Whitebophir package to use.";
+      };
+
+      port = mkOption {
+        type = types.port;
+        default = 5001;
+        description = "Port to bind to.";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.whitebophir = {
+      description = "Whitebophir Service";
+      wantedBy    = [ "multi-user.target" ];
+      after       = [ "network.target" ];
+      environment = {
+        PORT            = "${toString cfg.port}";
+        WBO_HISTORY_DIR = "/var/lib/whitebophir";
+      };
+
+      serviceConfig = {
+        DynamicUser    = true;
+        ExecStart      = "${cfg.package}/bin/whitebophir";
+        Restart        = "always";
+        StateDirectory = "whitebophir";
+      };
+    };
+  };
+}

nixos/modules/services/web-servers/jboss/default.nix

@@ -31,32 +31,38 @@ in
 
       tempDir = mkOption {
         default = "/tmp";
+        type = types.str;
         description = "Location where JBoss stores its temp files";
       };
 
       logDir = mkOption {
         default = "/var/log/jboss";
+        type = types.str;
         description = "Location of the logfile directory of JBoss";
       };
 
       serverDir = mkOption {
         description = "Location of the server instance files";
         default = "/var/jboss/server";
+        type = types.str;
       };
 
       deployDir = mkOption {
         description = "Location of the deployment files";
         default = "/nix/var/nix/profiles/default/server/default/deploy/";
+        type = types.str;
       };
 
       libUrl = mkOption {
         default = "file:///nix/var/nix/profiles/default/server/default/lib";
         description = "Location where the shared library JARs are stored";
+        type = types.str;
       };
 
       user = mkOption {
         default = "nobody";
         description = "User account under which jboss runs.";
+        type = types.str;
       };
 
       useJK = mkOption {

nixos/modules/services/web-servers/tomcat.nix

@@ -74,6 +74,7 @@ in
 
       extraGroups = mkOption {
         default = [];
+        type = types.listOf types.str;
         example = [ "users" ];
         description = "Defines extra groups to which the tomcat user belongs.";
       };

nixos/modules/services/x11/desktop-managers/plasma5.nix

@@ -7,8 +7,8 @@ let
   xcfg = config.services.xserver;
   cfg = xcfg.desktopManager.plasma5;
 
-  inherit (pkgs) kdeApplications kdeFrameworks plasma5;
+  libsForQt5 = pkgs.plasma5Packages;
-  inherit (pkgs) qt5 libsForQt5;
+  inherit (libsForQt5) kdeApplications kdeFrameworks plasma5;
   inherit (pkgs) writeText;
 
   pulseaudio = config.hardware.pulseaudio;
@@ -198,8 +198,8 @@ in
       };
 
       security.wrappers = {
-        kcheckpass.source = "${lib.getBin plasma5.kscreenlocker}/libexec/kcheckpass";
+        kcheckpass.source = "${lib.getBin libsForQt5.kscreenlocker}/libexec/kcheckpass";
-        start_kdeinit.source = "${lib.getBin pkgs.kdeFrameworks.kinit}/libexec/kf5/start_kdeinit";
+        start_kdeinit.source = "${lib.getBin libsForQt5.kinit}/libexec/kf5/start_kdeinit";
         kwin_wayland = {
           source = "${lib.getBin plasma5.kwin}/bin/kwin_wayland";
           capabilities = "cap_sys_nice+ep";
@@ -213,7 +213,7 @@ in
       '';
 
       environment.systemPackages =
-        with qt5; with libsForQt5;
+        with libsForQt5;
         with plasma5; with kdeApplications; with kdeFrameworks;
         [
           frameworkintegration

nixos/modules/services/x11/hardware/libinput.nix

@@ -3,23 +3,18 @@
 with lib;
 
 let cfg = config.services.xserver.libinput;
+
     xorgBool = v: if v then "on" else "off";
-in {
-
-  options = {
-
-    services.xserver.libinput = {
-
-      enable = mkEnableOption "libinput";
 
+    mkConfigForDevice = deviceType: {
       dev = mkOption {
         type = types.nullOr types.str;
         default = null;
         example = "/dev/input/event0";
         description =
           ''
-            Path for touchpad device.  Set to null to apply to any
+            Path for ${deviceType} device.  Set to null to apply to any
-            auto-detected touchpad.
+            auto-detected ${deviceType}.
           '';
       };
 
@@ -185,14 +180,64 @@ in {
           Option "DragLockButtons" "L1 B1 L2 B2"
         '';
         description = ''
-          Additional options for libinput touchpad driver. See
+          Additional options for libinput ${deviceType} driver. See
           <citerefentry><refentrytitle>libinput</refentrytitle><manvolnum>4</manvolnum></citerefentry>
           for available options.";
         '';
       };
-
     };
 
+    mkX11ConfigForDevice = deviceType: matchIs: ''
+        Identifier "libinput ${deviceType} configuration"
+        MatchDriver "libinput"
+        MatchIs${matchIs} "${xorgBool true}"
+        ${optionalString (cfg.${deviceType}.dev != null) ''MatchDevicePath "${cfg.${deviceType}.dev}"''}
+        Option "AccelProfile" "${cfg.${deviceType}.accelProfile}"
+        ${optionalString (cfg.${deviceType}.accelSpeed != null) ''Option "AccelSpeed" "${cfg.${deviceType}.accelSpeed}"''}
+        ${optionalString (cfg.${deviceType}.buttonMapping != null) ''Option "ButtonMapping" "${cfg.${deviceType}.buttonMapping}"''}
+        ${optionalString (cfg.${deviceType}.calibrationMatrix != null) ''Option "CalibrationMatrix" "${cfg.${deviceType}.calibrationMatrix}"''}
+        ${optionalString (cfg.${deviceType}.clickMethod != null) ''Option "ClickMethod" "${cfg.${deviceType}.clickMethod}"''}
+        Option "LeftHanded" "${xorgBool cfg.${deviceType}.leftHanded}"
+        Option "MiddleEmulation" "${xorgBool cfg.${deviceType}.middleEmulation}"
+        Option "NaturalScrolling" "${xorgBool cfg.${deviceType}.naturalScrolling}"
+        ${optionalString (cfg.${deviceType}.scrollButton != null) ''Option "ScrollButton" "${toString cfg.${deviceType}.scrollButton}"''}
+        Option "ScrollMethod" "${cfg.${deviceType}.scrollMethod}"
+        Option "HorizontalScrolling" "${xorgBool cfg.${deviceType}.horizontalScrolling}"
+        Option "SendEventsMode" "${cfg.${deviceType}.sendEventsMode}"
+        Option "Tapping" "${xorgBool cfg.${deviceType}.tapping}"
+        Option "TappingDragLock" "${xorgBool cfg.${deviceType}.tappingDragLock}"
+        Option "DisableWhileTyping" "${xorgBool cfg.${deviceType}.disableWhileTyping}"
+        ${cfg.${deviceType}.additionalOptions}
+  '';
+in {
+
+  imports =
+    (map (option: mkRenamedOptionModule ([ "services" "xserver" "libinput" option ]) [ "services" "xserver" "libinput" "touchpad" option ]) [
+      "accelProfile"
+      "accelSpeed"
+      "buttonMapping"
+      "calibrationMatrix"
+      "clickMethod"
+      "leftHanded"
+      "middleEmulation"
+      "naturalScrolling"
+      "scrollButton"
+      "scrollMethod"
+      "horizontalScrolling"
+      "sendEventsMode"
+      "tapping"
+      "tappingDragLock"
+      "disableWhileTyping"
+      "additionalOptions"
+    ]);
+
+  options = {
+
+    services.xserver.libinput = {
+      enable = mkEnableOption "libinput";
+      mouse = mkConfigForDevice "mouse";
+      touchpad = mkConfigForDevice "touchpad";
+    };
   };
 
 
@@ -212,32 +257,10 @@ in {
 
     services.udev.packages = [ pkgs.libinput.out ];
 
-    services.xserver.config =
+    services.xserver.inputClassSections = [
-      ''
+      (mkX11ConfigForDevice "mouse" "Pointer")
-        # General libinput configuration.
+      (mkX11ConfigForDevice "touchpad" "Touchpad")
-        # See CONFIGURATION DETAILS section of man:libinput(4).
+    ];
-        Section "InputClass"
-          Identifier "libinputConfiguration"
-          MatchDriver "libinput"
-          ${optionalString (cfg.dev != null) ''MatchDevicePath "${cfg.dev}"''}
-          Option "AccelProfile" "${cfg.accelProfile}"
-          ${optionalString (cfg.accelSpeed != null) ''Option "AccelSpeed" "${cfg.accelSpeed}"''}
-          ${optionalString (cfg.buttonMapping != null) ''Option "ButtonMapping" "${cfg.buttonMapping}"''}
-          ${optionalString (cfg.calibrationMatrix != null) ''Option "CalibrationMatrix" "${cfg.calibrationMatrix}"''}
-          ${optionalString (cfg.clickMethod != null) ''Option "ClickMethod" "${cfg.clickMethod}"''}
-          Option "LeftHanded" "${xorgBool cfg.leftHanded}"
-          Option "MiddleEmulation" "${xorgBool cfg.middleEmulation}"
-          Option "NaturalScrolling" "${xorgBool cfg.naturalScrolling}"
-          ${optionalString (cfg.scrollButton != null) ''Option "ScrollButton" "${toString cfg.scrollButton}"''}
-          Option "ScrollMethod" "${cfg.scrollMethod}"
-          Option "HorizontalScrolling" "${xorgBool cfg.horizontalScrolling}"
-          Option "SendEventsMode" "${cfg.sendEventsMode}"
-          Option "Tapping" "${xorgBool cfg.tapping}"
-          Option "TappingDragLock" "${xorgBool cfg.tappingDragLock}"
-          Option "DisableWhileTyping" "${xorgBool cfg.disableWhileTyping}"
-          ${cfg.additionalOptions}
-        EndSection
-      '';
 
     assertions = [
       # already present in synaptics.nix

nixos/modules/services/x11/window-managers/clfswm.nix

@@ -15,10 +15,10 @@ in
     services.xserver.windowManager.session = singleton {
       name = "clfswm";
       start = ''
-        ${pkgs.clfswm}/bin/clfswm &
+        ${pkgs.lispPackages.clfswm}/bin/clfswm &
         waitPID=$!
       '';
     };
-    environment.systemPackages = [ pkgs.clfswm ];
+    environment.systemPackages = [ pkgs.lispPackages.clfswm ];
   };
 }

nixos/modules/services/x11/window-managers/default.nix

@@ -13,6 +13,7 @@ in
     ./berry.nix
     ./bspwm.nix
     ./cwm.nix
+    ./clfswm.nix
     ./dwm.nix
     ./evilwm.nix
     ./exwm.nix

nixos/modules/services/x11/window-managers/exwm.nix

@@ -48,7 +48,7 @@ in
         description = ''
           Extra packages available to Emacs. The value must be a
           function which receives the attrset defined in
-          <varname>emacsPackages</varname> as the sole argument.
+          <varname>emacs.pkgs</varname> as the sole argument.
         '';
       };
     };

nixos/modules/system/boot/binfmt.nix

@@ -20,8 +20,14 @@ let
                  optionalString fixBinary "F";
   in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}";
 
-  activationSnippet = name: { interpreter, ... }:
+  activationSnippet = name: { interpreter, ... }: ''
-    "ln -sf ${interpreter} /run/binfmt/${name}";
+    rm -f /run/binfmt/${name}
+    cat > /run/binfmt/${name} << 'EOF'
+    #!/usr/bin/env sh
+    exec -- ${interpreter} "$@"
+    EOF
+    chmod +x /run/binfmt/${name}
+  '';
 
   getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs;
 

nixos/modules/system/boot/plymouth.nix

@@ -9,7 +9,7 @@ let
 
   cfg = config.boot.plymouth;
 
-  nixosBreezePlymouth = pkgs.plasma5.breeze-plymouth.override {
+  nixosBreezePlymouth = pkgs.plasma5Packages.breeze-plymouth.override {
     logoFile = cfg.logo;
     logoName = "nixos";
     osName = "NixOS";

nixos/modules/system/boot/systemd.nix

@@ -263,7 +263,7 @@ let
         }
         (mkIf (config.preStart != "")
           { serviceConfig.ExecStartPre =
-              makeJobScript "${name}-pre-start" config.preStart;
+              [ (makeJobScript "${name}-pre-start" config.preStart) ];
           })
         (mkIf (config.script != "")
           { serviceConfig.ExecStart =
@@ -271,7 +271,7 @@ let
           })
         (mkIf (config.postStart != "")
           { serviceConfig.ExecStartPost =
-              makeJobScript "${name}-post-start" config.postStart;
+              [ (makeJobScript "${name}-post-start" config.postStart) ];
           })
         (mkIf (config.reload != "")
           { serviceConfig.ExecReload =

nixos/modules/system/boot/timesyncd.nix

@@ -16,6 +16,7 @@ with lib;
       };
       servers = mkOption {
         default = config.networking.timeServers;
+        type = types.listOf types.str;
         description = ''
           The set of NTP servers from which to synchronise.
         '';

nixos/modules/system/boot/tmp.nix

@@ -34,6 +34,7 @@ with lib;
       {
         what = "tmpfs";
         where = "/tmp";
+        type = "tmpfs";
         mountConfig.Options = [ "mode=1777" "strictatime" "rw" "nosuid" "nodev" "size=50%" ];
       }
     ];

nixos/modules/tasks/filesystems/zfs.nix

@@ -664,6 +664,8 @@ in
         # - There are only HDDs and we would set the system in a degraded state
         serviceConfig.ExecStart = ''${pkgs.runtimeShell} -c 'for pool in $(zpool list -H -o name); do zpool trim $pool;  done || true' '';
       };
+
+      systemd.timers.zpool-trim.timerConfig.Persistent = "yes";
     })
   ];
 }

nixos/modules/virtualisation/azure-agent.nix

@@ -146,7 +146,7 @@ in
 
     services.logrotate = {
       enable = true;
-      config = ''
+      extraConfig = ''
         /var/log/waagent.log {
             compress
             monthly

nixos/modules/virtualisation/docker.nix

@@ -155,13 +155,11 @@ in
       users.groups.docker.gid = config.ids.gids.docker;
       systemd.packages = [ cfg.package ];
 
-      # TODO: remove once docker 20.10 is released
-      systemd.enableUnifiedCgroupHierarchy = false;
-
       systemd.services.docker = {
         wantedBy = optional cfg.enableOnBoot "multi-user.target";
         environment = proxy_env;
         serviceConfig = {
+          Type = "notify";
           ExecStart = [
             ""
             ''
@@ -215,13 +213,10 @@ in
           message = "Option enableNvidia requires 32bit support libraries";
         }];
     }
-    (mkIf cfg.enableNvidia {
-      environment.etc."nvidia-container-runtime/config.toml".source = "${pkgs.nvidia-docker}/etc/config.toml";
-    })
   ]);
 
   imports = [
-    (mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed in favor of starting docker at boot")
+    (mkRemovedOptionModule ["virtualisation" "docker" "socketActivation"] "This option was removed and socket activation is now always active")
   ];
 
 }

nixos/modules/virtualisation/google-compute-image.nix

@@ -43,7 +43,7 @@ in
     system.build.googleComputeImage = import ../../lib/make-disk-image.nix {
       name = "google-compute-image";
       postVM = ''
-        PATH=$PATH:${with pkgs; stdenv.lib.makeBinPath [ gnutar gzip ]}
+        PATH=$PATH:${with pkgs; lib.makeBinPath [ gnutar gzip ]}
         pushd $out
         mv $diskImage disk.raw
         tar -Szcf nixos-image-${config.system.nixos.label}-${pkgs.stdenv.hostPlatform.system}.raw.tar.gz disk.raw

nixos/modules/virtualisation/podman.nix

@@ -2,7 +2,6 @@
 let
   cfg = config.virtualisation.podman;
   toml = pkgs.formats.toml { };
-  nvidia-docker = pkgs.nvidia-docker.override { containerRuntimePath = "${pkgs.runc}/bin/runc"; };
 
   inherit (lib) mkOption types;
 
@@ -100,8 +99,8 @@ in
         containersConf.extraConfig = lib.optionalString cfg.enableNvidia
           (builtins.readFile (toml.generate "podman.nvidia.containers.conf" {
             engine = {
-              conmon_env_vars = [ "PATH=${lib.makeBinPath [ nvidia-docker ]}" ];
+              conmon_env_vars = [ "PATH=${lib.makeBinPath [ pkgs.nvidia-podman ]}" ];
-              runtimes.nvidia = [ "${nvidia-docker}/bin/nvidia-container-runtime" ];
+              runtimes.nvidia = [ "${pkgs.nvidia-podman}/bin/nvidia-container-runtime" ];
             };
           }));
       };
@@ -111,14 +110,7 @@ in
           assertion = cfg.dockerCompat -> !config.virtualisation.docker.enable;
           message = "Option dockerCompat conflicts with docker";
         }
-        {
-          assertion = cfg.enableNvidia -> !config.virtualisation.docker.enableNvidia;
-          message = "Option enableNvidia conflicts with docker.enableNvidia";
-        }
       ];
     }
-    (lib.mkIf cfg.enableNvidia {
-      environment.etc."nvidia-container-runtime/config.toml".source = "${nvidia-docker}/etc/podman-config.toml";
-    })
   ]);
 }

nixos/release-combined.nix

@@ -60,7 +60,8 @@ in rec {
         (onFullSupported "nixos.tests.boot-stage1")
         (onSystems ["x86_64-linux"] "nixos.tests.boot.uefiCdrom")
         (onSystems ["x86_64-linux"] "nixos.tests.boot.uefiUsb")
-        (onSystems ["x86_64-linux"] "nixos.tests.chromium")
+        # TODO (@primeos): Fix the test failure since https://github.com/NixOS/nixpkgs/pull/110010:
+        #(onSystems ["x86_64-linux"] "nixos.tests.chromium")
         (onFullSupported "nixos.tests.containers-imperative")
         (onFullSupported "nixos.tests.containers-ip")
         (onSystems ["x86_64-linux"] "nixos.tests.docker")

nixos/tests/all-tests.nix

@@ -147,6 +147,7 @@ in
   haproxy = handleTest ./haproxy.nix {};
   hardened = handleTest ./hardened.nix {};
   hedgedoc = handleTest ./hedgedoc.nix {};
+  herbstluftwm = handleTest ./herbstluftwm.nix {};
   installed-tests = pkgs.recurseIntoAttrs (handleTest ./installed-tests {});
   oci-containers = handleTestOn ["x86_64-linux"] ./oci-containers.nix {};
   # 9pnet_virtio used to mount /nix partition doesn't support
@@ -401,6 +402,7 @@ in
   unbound = handleTest ./unbound.nix {};
   unit-php = handleTest ./web-servers/unit-php.nix {};
   upnp = handleTest ./upnp.nix {};
+  usbguard = handleTest ./usbguard.nix {};
   uwsgi = handleTest ./uwsgi.nix {};
   v2ray = handleTest ./v2ray.nix {};
   vault = handleTest ./vault.nix {};

nixos/tests/chromium.nix

@@ -1,10 +1,14 @@
 { system ? builtins.currentSystem
 , config ? {}
 , pkgs ? import ../.. { inherit system config; }
-, channelMap ? {
+, channelMap ? { # Maps "channels" to packages
-    stable = pkgs.chromium;
+    stable        = pkgs.chromium;
-    beta   = pkgs.chromiumBeta;
+    beta          = pkgs.chromiumBeta;
-    dev    = pkgs.chromiumDev;
+    dev           = pkgs.chromiumDev;
+    ungoogled     = pkgs.ungoogled-chromium;
+    chrome-stable = pkgs.google-chrome;
+    chrome-beta   = pkgs.google-chrome-beta;
+    chrome-dev    = pkgs.google-chrome-dev;
   }
 }:
 
@@ -14,7 +18,7 @@ with pkgs.lib;
 mapAttrs (channel: chromiumPkg: makeTest rec {
   name = "chromium-${channel}";
   meta = {
-    maintainers = with maintainers; [ aszlig ];
+    maintainers = with maintainers; [ aszlig primeos ];
     # https://github.com/NixOS/hydra/issues/591#issuecomment-435125621
     inherit (chromiumPkg.meta) timeout;
   };
@@ -58,9 +62,22 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
         return "su - ${user} -c " + shlex.quote(cmd)
 
 
+    def get_browser_binary():
+        """Returns the name of the browser binary."""
+        pname = "${getName chromiumPkg.name}"
+        if pname.find("chromium") != -1:
+            return "chromium"  # Same name for all channels and ungoogled-chromium
+        if pname == "google-chrome":
+            return "google-chrome-stable"
+        if pname == "google-chrome-dev":
+            return "google-chrome-unstable"
+        # For google-chrome-beta and as fallback:
+        return pname
+
+
     def create_new_win():
         with machine.nested("Creating a new Chromium window"):
-            machine.execute(
+            status, _ = machine.execute(
                 ru(
                     "${xdo "new-window" ''
                       search --onlyvisible --name "startup done"
@@ -69,18 +86,19 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
                     ''}"
                 )
             )
-            machine.execute(
+            if status == 0:
-                ru(
+                machine.execute(
-                    "${xdo "new-window" ''
+                    ru(
-                      key Ctrl+n
+                        "${xdo "new-window" ''
-                    ''}"
+                          key Ctrl+n
+                        ''}"
+                    )
                 )
-            )
 
 
     def close_win():
         def try_close(_):
-            machine.execute(
+            status, _ = machine.execute(
                 ru(
                     "${xdo "close-window" ''
                       search --onlyvisible --name "new tab"
@@ -89,15 +107,16 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
                     ''}"
                 )
             )
-            machine.execute(
+            if status == 0:
-                ru(
+                machine.execute(
-                    "${xdo "close-window" ''
+                    ru(
-                      key Ctrl+w
+                        "${xdo "close-window" ''
-                    ''}"
+                          key Ctrl+w
+                        ''}"
+                    )
                 )
-            )
             for _ in range(1, 20):
-                status, out = machine.execute(
+                status, _ = machine.execute(
                     ru(
                         "${xdo "wait-for-close" ''
                           search --onlyvisible --name "new tab"
@@ -116,7 +135,7 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
         ret = False
         with machine.nested("Waiting for new Chromium window to appear"):
             for _ in range(1, 20):
-                status, out = machine.execute(
+                status, _ = machine.execute(
                     ru(
                         "${xdo "wait-for-window" ''
                           search --onlyvisible --name "new tab"
@@ -152,7 +171,14 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
     machine.wait_for_x()
 
     url = "file://${startupHTML}"
-    machine.succeed(ru(f'ulimit -c unlimited; chromium "{url}" & disown'))
+    machine.succeed(ru(f'ulimit -c unlimited; "{get_browser_binary()}" "{url}" & disown'))
+
+    if get_browser_binary().startswith("google-chrome"):
+        # Need to click away the first window:
+        machine.wait_for_text("Make Google Chrome the default browser")
+        machine.screenshot("google_chrome_default_browser_prompt")
+        machine.send_key("ret")
+
     machine.wait_for_text("startup done")
     machine.wait_until_succeeds(
         ru(

nixos/tests/cifs-utils.nix

@@ -0,0 +1,12 @@
+import ./make-test-python.nix ({ pkgs, ... }: {
+  name = "cifs-utils";
+
+  machine = { pkgs, ... }: { environment.systemPackages = [ pkgs.cifs-utils ]; };
+
+  testScript = ''
+    machine.succeed("smbinfo -h")
+    machine.succeed("smb2-quota -h")
+    assert "${pkgs.cifs-utils.version}" in machine.succeed("cifs.upcall -v")
+    assert "${pkgs.cifs-utils.version}" in machine.succeed("mount.cifs -V")
+  '';
+})

nixos/tests/containers-tmpfs.nix

@@ -3,7 +3,7 @@
 import ./make-test-python.nix ({ pkgs, ...} : {
   name = "containers-tmpfs";
   meta = with pkgs.lib.maintainers; {
-    maintainers = [ kampka ];
+    maintainers = [ ];
   };
 
   machine =

nixos/tests/git/hub.nix

@@ -6,12 +6,12 @@ import ../make-test-python.nix ({ pkgs, ...} : {
 
   nodes.hub = { pkgs, ... }:
     {
-      environment.systemPackages = [ pkgs.gitAndTools.hub ];
+      environment.systemPackages = [ pkgs.hub ];
     };
 
   testScript =
     ''
-      assert "git version ${pkgs.git.version}\nhub version ${pkgs.gitAndTools.hub.version}\n" in hub.succeed("hub version")
+      assert "git version ${pkgs.git.version}\nhub version ${pkgs.hub.version}\n" in hub.succeed("hub version")
       assert "These GitHub commands are provided by hub" in hub.succeed("hub help")
     '';
 })

nixos/tests/herbstluftwm.nix

@@ -0,0 +1,38 @@
+import ./make-test-python.nix ({ lib, ...} : {
+  name = "herbstluftwm";
+
+  meta = {
+    maintainers = with lib.maintainers; [ thibautmarty ];
+    timeout = 30;
+  };
+
+  machine = { pkgs, lib, ... }: {
+    imports = [ ./common/x11.nix ./common/user-account.nix ];
+    test-support.displayManager.auto.user = "alice";
+    services.xserver.displayManager.defaultSession = lib.mkForce "none+herbstluftwm";
+    services.xserver.windowManager.herbstluftwm.enable = true;
+    environment.systemPackages = [ pkgs.dzen2 ]; # needed for upstream provided panel
+  };
+
+  testScript = ''
+    with subtest("ensure x starts"):
+        machine.wait_for_x()
+        machine.wait_for_file("/home/alice/.Xauthority")
+        machine.succeed("xauth merge ~alice/.Xauthority")
+
+    with subtest("ensure client is available"):
+        machine.succeed("herbstclient --version")
+
+    with subtest("ensure keybindings are set"):
+        machine.wait_until_succeeds("herbstclient list_keybinds | grep xterm")
+
+    with subtest("ensure panel starts"):
+        machine.wait_for_window("dzen title")
+
+    with subtest("ensure we can open a new terminal"):
+        machine.send_key("alt-ret")
+        machine.wait_for_window(r"alice.*?machine")
+        machine.sleep(2)
+        machine.screenshot("terminal")
+  '';
+})

nixos/tests/installer.nix

@@ -284,7 +284,9 @@ let
             extraInstallerConfig
           ];
 
+          # builds stuff in the VM, needs more juice
           virtualisation.diskSize = 8 * 1024;
+          virtualisation.cores = 8;
           virtualisation.memorySize = 1536;
 
           # Use a small /dev/vdb as the root disk for the

nixos/tests/mpd.nix

@@ -107,7 +107,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }:
         for track in tracks.splitlines():
             server.succeed(f"{mpc} add {track}")
 
-        _, added_tracks = server.execute(f"{mpc} listall")
+        _, added_tracks = server.execute(f"{mpc} playlist")
 
         # Check we succeeded adding audio tracks to the playlist
         assert len(added_tracks.splitlines()) > 0

nixos/tests/mysql/mysql.nix

@@ -98,7 +98,7 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
         }];
         services.mysql.settings = {
           mysqld = {
-            plugin-load-add = [ "ha_tokudb.so" "ha_rocksdb.so" ];
+            plugin-load-add = [ "ha_rocksdb.so" ];
           };
         };
         services.mysql.package = pkgs.mariadb;
@@ -185,19 +185,5 @@ import ./../make-test-python.nix ({ pkgs, ...} : {
     mariadb.succeed(
         "echo 'use testdb; drop table rocksdb;' | sudo -u testuser mysql -u testuser"
     )
-  '' + pkgs.lib.optionalString pkgs.stdenv.isx86_64 ''
-    # Check if TokuDB plugin works
-    mariadb.succeed(
-        "echo 'use testdb; create table tokudb (test_id INT, PRIMARY KEY (test_id)) ENGINE = TokuDB;' | sudo -u testuser mysql -u testuser"
-    )
-    mariadb.succeed(
-        "echo 'use testdb; insert into tokudb values (25);' | sudo -u testuser mysql -u testuser"
-    )
-    mariadb.succeed(
-        "echo 'use testdb; select test_id from tokudb;' | sudo -u testuser mysql -u testuser -N | grep 25"
-    )
-    mariadb.succeed(
-        "echo 'use testdb; drop table tokudb;' | sudo -u testuser mysql -u testuser"
-    )
   '';
 })

nixos/tests/opentabletdriver.nix

@@ -1,4 +1,6 @@
-import ./make-test-python.nix ( { pkgs, ... }: {
+import ./make-test-python.nix ( { pkgs, ... }: let
+  testUser = "alice";
+in {
   name = "opentabletdriver";
   meta = {
     maintainers = with pkgs.lib.maintainers; [ thiagokokada ];
@@ -10,7 +12,7 @@ import ./make-test-python.nix ( { pkgs, ... }: {
         ./common/user-account.nix
         ./common/x11.nix
       ];
-      test-support.displayManager.auto.user = "alice";
+      test-support.displayManager.auto.user = testUser;
       hardware.opentabletdriver.enable = true;
     };
 
@@ -18,10 +20,11 @@ import ./make-test-python.nix ( { pkgs, ... }: {
     ''
       machine.start()
       machine.wait_for_x()
-      machine.wait_for_unit("opentabletdriver.service", "alice")
+      machine.wait_for_unit("opentabletdriver.service", "${testUser}")
 
-      machine.succeed("cat /etc/udev/rules.d/30-opentabletdriver.rules")
+      machine.succeed("cat /etc/udev/rules.d/99-opentabletdriver.rules")
       # Will fail if service is not running
-      machine.succeed("otd detect")
+      # Needs to run as the same user that started the service
+      machine.succeed("su - ${testUser} -c 'otd detect'")
     '';
 })

nixos/tests/podman.nix

@@ -61,6 +61,20 @@ import ./make-test-python.nix (
           podman.succeed("podman stop sleeping")
           podman.succeed("podman rm sleeping")
 
+      # create systemd session for rootless
+      podman.succeed("loginctl enable-linger alice")
+
+      with subtest("Run container rootless with runc"):
+          podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
+          podman.succeed(
+              su_cmd(
+                  "podman run --runtime=runc -d --name=sleeping -v /nix/store:/nix/store -v /run/current-system/sw/bin:/bin scratchimg /bin/sleep 10"
+              )
+          )
+          podman.succeed(su_cmd("podman ps | grep sleeping"))
+          podman.succeed(su_cmd("podman stop sleeping"))
+          podman.succeed(su_cmd("podman rm sleeping"))
+
       with subtest("Run container rootless with crun"):
           podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))
           podman.succeed(
@@ -71,7 +85,6 @@ import ./make-test-python.nix (
           podman.succeed(su_cmd("podman ps | grep sleeping"))
           podman.succeed(su_cmd("podman stop sleeping"))
           podman.succeed(su_cmd("podman rm sleeping"))
-      # As of 2020-11-20, the runc backend doesn't work with cgroupsv2 yet, so we don't run that test.
 
       with subtest("Run container rootless with the default backend"):
           podman.succeed(su_cmd("tar cv --files-from /dev/null | podman import - scratchimg"))

nixos/tests/prometheus-exporters.nix

@@ -423,7 +423,7 @@ let
       exporterConfig = {
         enable = true;
         passwordFile = "/var/nextcloud-pwfile";
-        url = "http://localhost/negative-space.xml";
+        url = "http://localhost";
       };
       metricProvider = {
         systemd.services.nc-pwfile = let
@@ -441,6 +441,7 @@ let
             basicAuth.nextcloud-exporter = "snakeoilpw";
             locations."/" = {
               root = "${pkgs.prometheus-nextcloud-exporter.src}/serverinfo/testdata";
+              tryFiles = "/negative-space.xml =404";
             };
           };
         };

nixos/tests/searx.nix

@@ -2,7 +2,7 @@ import ./make-test-python.nix ({ pkgs, ...} :
 
 {
   name = "searx";
-  meta = with pkgs.stdenv.lib.maintainers; {
+  meta = with pkgs.lib.maintainers; {
     maintainers = [ rnhmjoj ];
   };
 
@@ -22,13 +22,15 @@ import ./make-test-python.nix ({ pkgs, ...} :
           bind_address = "0.0.0.0";
           secret_key = "@SEARX_SECRET_KEY@";
         };
-      settings.engines = {
+      settings.engines = [
-        wolframalpha =
+        { name = "wolframalpha";
-          { api_key = "@WOLFRAM_API_KEY@";
+          api_key = "@WOLFRAM_API_KEY@";
-            engine = "wolframalpha_api";
+          engine = "wolframalpha_api";
-          };
+        }
-        startpage.shortcut = "start";
+        { name = "startpage";
-      };
+          shortcut = "start";
+        }
+      ];
     };
 
   };
@@ -39,6 +41,9 @@ import ./make-test-python.nix ({ pkgs, ...} :
 
     services.searx = {
       enable = true;
+      # searx refuses to run if unchanged
+      settings.server.secret_key = "somesecret";
+
       runInUwsgi = true;
       uwsgiConfig = {
         # serve using the uwsgi protocol
@@ -106,4 +111,3 @@ import ./make-test-python.nix ({ pkgs, ...} :
           )
     '';
 })
-

nixos/tests/slurm.nix

@@ -109,12 +109,12 @@ in {
             ensurePermissions = { "slurm_acct_db.*" = "ALL PRIVILEGES"; };
             name = "slurm";
           }];
-          extraOptions = ''
+          settings.mysqld = {
             # recommendations from: https://slurm.schedmd.com/accounting.html#mysql-configuration
-            innodb_buffer_pool_size=1024M
+            innodb_buffer_pool_size="1024M";
-            innodb_log_file_size=64M
+            innodb_log_file_size="64M";
-            innodb_lock_wait_timeout=900
+            innodb_lock_wait_timeout=900;
-          '';
+          };
         };
       };