Merge remote-tracking branch 'nixos/master'

2017-04-09 15:36:03 -07:00 · 2017-04-09 15:36:03 -07:00 · ed77e113c5
commit ed77e113c5
parent 7f6e8a1cd5 b64163a90d
3032 changed files with 91595 additions and 49262 deletions
--- a/.mention-bot
+++ b/.mention-bot
@ -2,7 +2,8 @@
  "userBlacklist": [
    "civodul",
    "jhasse",
-    "shlevy"
+    "shlevy",
    "bbenoist"
  ],
  "alwaysNotifyForPaths": [
    { "name": "FRidh", "files": ["pkgs/top-level/python-packages.nix", "pkgs/development/interpreters/python/*", "pkgs/development/python-modules/*" ] },
--- a/.travis.yml
+++ b/.travis.yml
@ -1,8 +1,14 @@
 language: nix
 sudo: true
 # 'sudo: false' == containers that start fast, but only get 4G ram;
 # 'sudo: true'  == VMs that start slow, but with 8G
 # ..as per:  https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments
 # Nixpkgs PR tests OOM with 4G: https://github.com/NixOS/nixpkgs/issues/24200
 matrix:
    include:
        - os: linux
-          sudo: false
+          sudo: required
          script:
              - ./maintainers/scripts/travis-nox-review-pr.sh nixpkgs-verify nixpkgs-manual nixpkgs-tarball nixpkgs-unstable
              - ./maintainers/scripts/travis-nox-review-pr.sh nixos-options nixos-manual
@ -18,3 +24,8 @@ matrix:
 env:
    global:
        - GITHUB_TOKEN=5edaaf1017f691ed34e7f80878f8f5fbd071603f
 notifications:
    email:
        on_success: never
        on_failure: change
--- a/.version
+++ b/.version
@ -1 +1 @@
-17.03
+17.09
--- a/README.md
+++ b/README.md
@ -13,12 +13,12 @@ build daemon as so-called channels. To get channel information via git, add
 ```
 For stability and maximum binary package support, it is recommended to maintain
-custom changes on top of one of the channels, e.g. `nixos-16.09` for the latest
+custom changes on top of one of the channels, e.g. `nixos-17.03` for the latest
 release and `nixos-unstable` for the latest successful build of master:
 ```
 % git remote update channels
-% git rebase channels/nixos-16.09
+% git rebase channels/nixos-17.03
 ```
 For pull-requests, please rebase onto nixpkgs `master`.
@ -32,9 +32,9 @@ For pull-requests, please rebase onto nixpkgs `master`.
 * [Manual (NixOS)](https://nixos.org/nixos/manual/)
 * [Nix Wiki](https://nixos.org/wiki/) (deprecated, see milestone ["Move the Wiki!"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aissue+milestone%3A%22Move+the+wiki%21%22))
 * [Continuous package builds for unstable/master](https://hydra.nixos.org/jobset/nixos/trunk-combined)
-* [Continuous package builds for 16.09 release](https://hydra.nixos.org/jobset/nixos/release-16.09)
+* [Continuous package builds for 17.03 release](https://hydra.nixos.org/jobset/nixos/release-17.03)
 * [Tests for unstable/master](https://hydra.nixos.org/job/nixos/trunk-combined/tested#tabs-constituents)
-* [Tests for 16.09 release](https://hydra.nixos.org/job/nixos/release-16.09/tested#tabs-constituents)
+* [Tests for 17.03 release](https://hydra.nixos.org/job/nixos/release-17.03/tested#tabs-constituents)
 Communication:
--- a/default.nix
+++ b/default.nix
@ -2,7 +2,17 @@ let requiredVersion = import ./lib/minver.nix; in
 if ! builtins ? nixVersion || builtins.compareVersions requiredVersion builtins.nixVersion == 1 then
-  abort "This version of Nixpkgs requires Nix >= ${requiredVersion}, please upgrade! See https://nixos.org/wiki/How_to_update_when_Nix_is_too_old_to_evaluate_Nixpkgs"
+  abort ''
    This version of Nixpkgs requires Nix >= ${requiredVersion}, please upgrade:
    - If you are running NixOS, use `nixos-rebuild' to upgrade your system.
    - If you installed Nix using the install script (https://nixos.org/nix/install),
      it is safe to upgrade by running it again:
          curl https://nixos.org/nix/install | sh
  ''
 else
--- a/doc/configuration.xml
+++ b/doc/configuration.xml
@ -4,83 +4,221 @@
 <title>Global configuration</title>
-<para>Nix packages can be configured to allow or deny certain options.</para>
+<para>Nix comes with certain defaults about what packages can and
 cannot be installed, based on a package's metadata. By default, Nix
 will prevent installation if any of the following criteria are
 true:</para>
-<para>To apply the configuration edit
+<itemizedlist>
-<filename>~/.config/nixpkgs/config.nix</filename> and set it like
+  <listitem><para>The package is thought to be broken, and has had
  its <literal>meta.broken</literal> set to
  <literal>true</literal>.</para></listitem>
  <listitem><para>The package's <literal>meta.license</literal> is set
  to a license which is considered to be unfree.</para></listitem>
  <listitem><para>The package has known security vulnerabilities but
  has not or can not be updated for some reason, and a list of issues
  has been entered in to the package's
  <literal>meta.knownVulnerabilities</literal>.</para></listitem>
 </itemizedlist>
 <para>Note that all this is checked during evaluation already,
 and the check includes any package that is evaluated.
 In particular, all build-time dependencies are checked.
 <literal>nix-env -qa</literal> will (attempt to) hide any packages
 that would be refused.
 </para>
 <para>Each of these criteria can be altered in the nixpkgs
 configuration.</para>
 <para>The nixpkgs configuration for a NixOS system is set in the
 <literal>configuration.nix</literal>, as in the following example:
 <programlisting>
 {
  nixpkgs.config = {
    allowUnfree = true;
  };
 }
 </programlisting>
 However, this does not allow unfree software for individual users.
 Their configurations are managed separately.</para>
 <para>A user's of nixpkgs configuration is stored in a user-specific
 configuration file located at
 <filename>~/.config/nixpkgs/config.nix</filename>. For example:
 <programlisting>
 {
  allowUnfree = true;
 }
 </programlisting>
 </para>
-and will allow the Nix package manager to install unfree licensed packages.</para>
+<section xml:id="sec-allow-broken">
  <title>Installing broken packages</title>
 <para>The configuration as listed also applies to NixOS under
 <option>nixpkgs.config</option> set.</para>
-<itemizedlist>
+  <para>There are two ways to try compiling a package which has been
  marked as broken.</para>
-  <listitem>
+  <itemizedlist>
-    <para>Allow installing of packages that are distributed under
+    <listitem><para>
-    unfree license by setting <programlisting>allowUnfree =
+      For allowing the build of a broken package once, you can use an
-    true;</programlisting> or deny them by setting it to
+      environment variable for a single invocation of the nix tools:
    <literal>false</literal>.</para>
-    <para>Same can be achieved by setting the environment variable:
+      <programlisting>$ export NIXPKGS_ALLOW_BROKEN=1</programlisting>
    </para></listitem>
    <listitem><para>
      For permanently allowing broken packages to be built, you may
      add <literal>allowBroken = true;</literal> to your user's
      configuration file, like this:
 <programlisting>
-$ export NIXPKGS_ALLOW_UNFREE=1
+{
  allowBroken = true;
 }
 </programlisting>
    </para></listitem>
  </itemizedlist>
 </section>
-    </para>
+<section xml:id="sec-allow-unfree">
-  </listitem>
+  <title>Installing unfree packages</title>
-  <listitem>
+  <para>There are several ways to tweak how Nix handles a package
-    <para>Whenever unfree packages are not allowed, single packages
+  which has been marked as unfree.</para>
-    can still be allowed by a predicate function that accepts package
+
-    as an argument and should return a boolean:
+  <itemizedlist>
    <listitem><para>
      To temporarily allow all unfree packages, you can use an
      environment variable for a single invocation of the nix tools:
      <programlisting>$ export NIXPKGS_ALLOW_UNFREE=1</programlisting>
    </para></listitem>
    <listitem><para>
      It is possible to permanently allow individual unfree packages,
      while still blocking unfree packages by default using the
      <literal>allowUnfreePredicate</literal> configuration
      option in the user configuration file.</para>
      <para>This option is a function which accepts a package as a
      parameter, and returns a boolean. The following example
      configuration accepts a package and always returns false:
 <programlisting>
 {
  allowUnfreePredicate = (pkg: false);
 }
 </programlisting>
      </para>
      <para>A more useful example, the following configuration allows
      only allows flash player and visual studio code:
 <programlisting>
-allowUnfreePredicate = (pkg: ...);
+{
  allowUnfreePredicate = (pkg: elem (builtins.parseDrvName pkg.name).name [ "flashplayer" "vscode" ]);
 }
 </programlisting>
    </para></listitem>
-    Example to allow flash player and visual studio code only:
+    <listitem>
      <para>It is also possible to whitelist and blacklist licenses
      that are specifically acceptable or not acceptable, using
      <literal>whitelistedLicenses</literal> and
      <literal>blacklistedLicenses</literal>, respectively.
      </para>
      <para>The following example configuration whitelists the
      licenses <literal>amd</literal> and <literal>wtfpl</literal>:
 <programlisting>
-allowUnfreePredicate = with builtins; (pkg: elem (parseDrvName pkg.name).name [ "flashplayer" "vscode" ]);
+{
  whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
 }
 </programlisting>
      </para>
-    </para>
+      <para>The following example configuration blacklists the
-  </listitem>
+      <literal>gpl3</literal> and <literal>agpl3</literal> licenses:
  <listitem>
    <para>Whenever unfree packages are not allowed, packages can still
    be whitelisted by their license:
 <programlisting>
-whitelistedLicenses = with stdenv.lib.licenses; [ amd wtfpl ];
+{
  blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ];
 }
 </programlisting>
-    </para>
+      </para>
-  </listitem>
+    </listitem>
  </itemizedlist>
-  <listitem>
+  <para>A complete list of licenses can be found in the file
-    <para>In addition to whitelisting licenses which are denied by the
+  <filename>lib/licenses.nix</filename> of the nixpkgs tree.</para>
-    <literal>allowUnfree</literal> setting, you can also explicitely
+</section>
-    deny installation of packages which have a certain license:
+
 <section xml:id="sec-allow-insecure">
  <title>
    Installing insecure packages
  </title>
  <para>There are several ways to tweak how Nix handles a package
  which has been marked as insecure.</para>
  <itemizedlist>
    <listitem><para>
      To temporarily allow all insecure packages, you can use an
      environment variable for a single invocation of the nix tools:
      <programlisting>$ export NIXPKGS_ALLOW_INSECURE=1</programlisting>
    </para></listitem>
    <listitem><para>
      It is possible to permanently allow individual insecure
      packages, while still blocking other insecure packages by
      default using the <literal>permittedInsecurePackages</literal>
      configuration option in the user configuration file.</para>
      <para>The following example configuration permits the
      installation of the hypothetically insecure package
      <literal>hello</literal>, version <literal>1.2.3</literal>:
 <programlisting>
 {
  permittedInsecurePackages = [
    "hello-1.2.3"
  ];
 }
 </programlisting>
      </para>
    </listitem>
    <listitem><para>
      It is also possible to create a custom policy around which
      insecure packages to allow and deny, by overriding the
      <literal>allowInsecurePredicate</literal> configuration
      option.</para>
      <para>The <literal>allowInsecurePredicate</literal> option is a
      function which accepts a package and returns a boolean, much
      like <literal>allowUnfreePredicate</literal>.</para>
      <para>The following configuration example only allows insecure
      packages with very short names:
 <programlisting>
-blacklistedLicenses = with stdenv.lib.licenses; [ agpl3 gpl3 ];
+{
  allowInsecurePredicate = (pkg: (builtins.stringLength (builtins.parseDrvName pkg.name).name) &lt;= 5);
 }
 </programlisting>
-    </para>
+      </para>
  </listitem>
 </itemizedlist>
 <para>A complete list of licenses can be found in the file
 <filename>lib/licenses.nix</filename> of the nix package tree.</para>
      <para>Note that <literal>permittedInsecurePackages</literal> is
      only checked if <literal>allowInsecurePredicate</literal> is not
      specified.
    </para></listitem>
  </itemizedlist>
 </section>
 <!--============================================================-->
--- a/doc/default.nix
+++ b/doc/default.nix
@ -68,6 +68,10 @@ pkgs.stdenv.mkDerivation {
      inputFile = ../pkgs/development/r-modules/README.md;
      outputFile = "languages-frameworks/r.xml";
    }
  + toDocbook {
      inputFile = ./languages-frameworks/rust.md;
      outputFile = "./languages-frameworks/rust.xml";
    }
  + toDocbook {
      inputFile = ./languages-frameworks/vim.md;
      outputFile = "./languages-frameworks/vim.xml";
--- a/doc/functions.xml
+++ b/doc/functions.xml
@ -133,7 +133,7 @@
      <varname>stdenv.mkDerivation</varname>, are defined using this
      function, which means most packages in the nixpkgs expression,
      <varname>pkgs</varname>, have this function.
-    </para> 
+    </para>
    <para>
      Example usage:
@ -228,7 +228,7 @@
    ] name)</code> from the <literal>INI</literal> generator. It gets the name
    of a section and returns a sanitized name. The default
    <literal>mkSectionName</literal> escapes <literal>[</literal> and
-    <literal>]</literal> with a backslash. 
+    <literal>]</literal> with a backslash.
  </para>
  <note><para>Nix store paths can be converted to strings by enclosing a
@ -524,6 +524,22 @@
  using its <varname>buildArgs</varname> attribute.
  </para>
  <note>
  <para>
  If you see errors similar to <literal>getProtocolByName: does not exist (no such protocol name: tcp)</literal>
  you may need to add <literal>pkgs.iana-etc</literal> to <varname>contents</varname>.
  </para>
  </note>
  <note>
  <para>
  If you see errors similar to <literal>Error_Protocol ("certificate has unknown CA",True,UnknownCa)</literal>
  you may need to add <literal>pkgs.cacert</literal> to <varname>contents</varname>.
  </para>
  </note>
 </section>
 <section xml:id="ssec-pkgs-dockerTools-fetchFromRegistry">
--- a/doc/languages-frameworks/haskell.md
+++ b/doc/languages-frameworks/haskell.md
@ -823,10 +823,10 @@ alternative implemention for Integer called
 [integer-simple](http://hackage.haskell.org/package/integer-simple).
 To get a GHC compiler build with `integer-simple` instead of `integer-gmp` use
-the attribute: `pkgs.haskell.compiler.integer-simple."${ghcVersion}"`.
+the attribute: `haskell.compiler.integer-simple."${ghcVersion}"`.
 For example:
-    $ nix-build -E '(import <nixpkgs> {}).pkgs.haskell.compiler.integer-simple.ghc802'
+    $ nix-build -E '(import <nixpkgs> {}).haskell.compiler.integer-simple.ghc802'
    ...
    $ result/bin/ghc-pkg list | grep integer
        integer-simple-0.1.1.1
@ -838,7 +838,6 @@ The following command displays the complete list of GHC compilers build with `in
    haskell.compiler.integer-simple.ghc7103  ghc-7.10.3
    haskell.compiler.integer-simple.ghc722   ghc-7.2.2
    haskell.compiler.integer-simple.ghc742   ghc-7.4.2
    haskell.compiler.integer-simple.ghc763   ghc-7.6.3
    haskell.compiler.integer-simple.ghc783   ghc-7.8.3
    haskell.compiler.integer-simple.ghc784   ghc-7.8.4
    haskell.compiler.integer-simple.ghc801   ghc-8.0.1
@ -846,10 +845,10 @@ The following command displays the complete list of GHC compilers build with `in
    haskell.compiler.integer-simple.ghcHEAD  ghc-8.1.20170106
 To get a package set supporting `integer-simple` use the attribute:
-`pkgs.haskell.packages.integer-simple."${ghcVersion}"`. For example
+`haskell.packages.integer-simple."${ghcVersion}"`. For example
 use the following to get the `scientific` package build with `integer-simple`:
-    $ nix-build -A pkgs.haskell.packages.integer-simple.ghc802.scientific
+    $ nix-build -A haskell.packages.integer-simple.ghc802.scientific
 ## Other resources
--- a/doc/languages-frameworks/index.xml
+++ b/doc/languages-frameworks/index.xml
@ -27,6 +27,7 @@ such as Perl or Haskell.  These are described in this chapter.</para>
 <xi:include href="qt.xml" />
 <xi:include href="r.xml" /> <!-- generated from ../../pkgs/development/r-modules/README.md  -->
 <xi:include href="ruby.xml" />
 <xi:include href="rust.xml" />
 <xi:include href="texlive.xml" />
 <xi:include href="vim.xml" />
--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@ -3,7 +3,7 @@
 ## User Guide
 Several versions of Python are available on Nix as well as a high amount of
-packages. The default interpreter is CPython 3.5.
+packages. The default interpreter is CPython 2.7.
 ### Using Python
@ -74,7 +74,6 @@ can do is write a simple Nix expression which sets up an environment for you,
 requiring you only to type `nix-shell`. Say we want to have Python 3.5, `numpy`
 and `toolz`, like before, in an environment. With a `shell.nix` file
 containing
 ```nix
 with import <nixpkgs> {};
@ -101,22 +100,25 @@ On Nix all packages are built by functions. The main function in Nix for buildin
 Let's see how we would build the `toolz` package. According to [`python-packages.nix`](https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/python-packages.nix) `toolz` is build using
 ```nix
-toolz = buildPythonPackage rec{
+{ # ...
  name = "toolz-${version}";
  version = "0.7.4";
-  src = pkgs.fetchurl{
+  toolz = buildPythonPackage rec {
-    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
+    name = "toolz-${version}";
-    sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
+    version = "0.7.4";
  };
-  meta = {
+    src = pkgs.fetchurl {
-    homepage = "http://github.com/pytoolz/toolz/";
+      url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
-    description = "List processing tools and functional utilities";
+      sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
-    license = licenses.bsd3;
+    };
-    maintainers = with maintainers; [ fridh ];
+
    meta = {
      homepage = "http://github.com/pytoolz/toolz/";
      description = "List processing tools and functional utilities";
      license = licenses.bsd3;
      maintainers = with maintainers; [ fridh ];
    };
  };
-};
+}
 ```
 What happens here? The function `buildPythonPackage` is called and as argument
@ -129,7 +131,7 @@ specify some (optional) [meta information](http://nixos.org/nixpkgs/manual/#chap
 The output of the function is a derivation, which is an attribute with the name
 `toolz` of the set `pythonPackages`. Actually, sets are created for all interpreter versions,
-so `python27Packages`, `python34Packages`, `python35Packages` and `pypyPackages`.
+so e.g. `python27Packages`, `python35Packages` and `pypyPackages`.
 The above example works when you're directly working on
 `pkgs/top-level/python-packages.nix` in the Nixpkgs repository. Often though,
@ -143,7 +145,7 @@ pkgs.python35Packages.buildPythonPackage rec {
  name = "toolz-${version}";
  version = "0.8.0";
-  src = pkgs.fetchurl{
+  src = pkgs.fetchurl {
    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
    sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
  };
@ -174,7 +176,7 @@ with import <nixpkgs> {};
      name = "toolz-${version}";
      version = "0.8.0";
-      src = pkgs.fetchurl{
+      src = pkgs.fetchurl {
        url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
        sha256 = "e8451af61face57b7c5d09e71c0d27b8005f001ead56e9fdf470417e5cc6d479";
      };
@ -215,25 +217,28 @@ The following example shows which arguments are given to `buildPythonPackage` in
 order to build [`datashape`](https://github.com/blaze/datashape).
 ```nix
-datashape = buildPythonPackage rec {
+{ # ...
  name = "datashape-${version}";
  version = "0.4.7";
-  src = pkgs.fetchurl {
+  datashape = buildPythonPackage rec {
-    url = "mirror://pypi/D/DataShape/${name}.tar.gz";
+    name = "datashape-${version}";
-    sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
+    version = "0.4.7";
    src = pkgs.fetchurl {
      url = "mirror://pypi/D/DataShape/${name}.tar.gz";
      sha256 = "14b2ef766d4c9652ab813182e866f493475e65e558bed0822e38bf07bba1a278";
    };
    buildInputs = with self; [ pytest ];
    propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
    meta = {
      homepage = https://github.com/ContinuumIO/datashape;
      description = "A data description language";
      license = licenses.bsd2;
      maintainers = with maintainers; [ fridh ];
    };
  };
-
+}
  buildInputs = with self; [ pytest ];
  propagatedBuildInputs = with self; [ numpy multipledispatch dateutil ];
  meta = {
    homepage = https://github.com/ContinuumIO/datashape;
    description = "A data description language";
    license = licenses.bsd2;
    maintainers = with maintainers; [ fridh ];
  };
 };
 ```
 We can see several runtime dependencies, `numpy`, `multipledispatch`, and
@ -247,23 +252,26 @@ Python bindings to `libxml2` and `libxslt`. These libraries are only required
 when building the bindings and are therefore added as `buildInputs`.
 ```nix
-lxml = buildPythonPackage rec {
+{ # ...
  name = "lxml-3.4.4";
-  src = pkgs.fetchurl {
+  lxml = buildPythonPackage rec {
-    url = "mirror://pypi/l/lxml/${name}.tar.gz";
+    name = "lxml-3.4.4";
-    sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
+
    src = pkgs.fetchurl {
      url = "mirror://pypi/l/lxml/${name}.tar.gz";
      sha256 = "16a0fa97hym9ysdk3rmqz32xdjqmy4w34ld3rm3jf5viqjx65lxk";
    };
    buildInputs = with self; [ pkgs.libxml2 pkgs.libxslt ];
    meta = {
      description = "Pythonic binding for the libxml2 and libxslt libraries";
      homepage = http://lxml.de;
      license = licenses.bsd3;
      maintainers = with maintainers; [ sjourdois ];
    };
  };
-
+}
  buildInputs = with self; [ pkgs.libxml2 pkgs.libxslt ];
  meta = {
    description = "Pythonic binding for the libxml2 and libxslt libraries";
    homepage = http://lxml.de;
    license = licenses.bsd3;
    maintainers = with maintainers; [ sjourdois ];
  };
 };
 ```
 In this example `lxml` and Nix are able to work out exactly where the relevant
@ -277,33 +285,37 @@ find each of them in a different folder, and therefore we have to set `LDFLAGS`
 and `CFLAGS`.
 ```nix
-pyfftw = buildPythonPackage rec {
+{ # ...
  name = "pyfftw-${version}";
  version = "0.9.2";
-  src = pkgs.fetchurl {
+  pyfftw = buildPythonPackage rec {
-    url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
+    name = "pyfftw-${version}";
-    sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
+    version = "0.9.2";
    src = pkgs.fetchurl {
      url = "mirror://pypi/p/pyFFTW/pyFFTW-${version}.tar.gz";
      sha256 = "f6bbb6afa93085409ab24885a1a3cdb8909f095a142f4d49e346f2bd1b789074";
    };
    buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];
    propagatedBuildInputs = with self; [ numpy scipy ];
    # Tests cannot import pyfftw. pyfftw works fine though.
    doCheck = false;
    preConfigure = ''
      export LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
      export CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
    '';
    meta = {
      description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
      homepage = http://hgomersall.github.com/pyFFTW/;
      license = with licenses; [ bsd2 bsd3 ];
      maintainer = with maintainers; [ fridh ];
    };
  };
-
+}
  buildInputs = [ pkgs.fftw pkgs.fftwFloat pkgs.fftwLongDouble];
  propagatedBuildInputs = with self; [ numpy scipy ];
  # Tests cannot import pyfftw. pyfftw works fine though.
  doCheck = false;
  LDFLAGS="-L${pkgs.fftw.dev}/lib -L${pkgs.fftwFloat.out}/lib -L${pkgs.fftwLongDouble.out}/lib"
  CFLAGS="-I${pkgs.fftw.dev}/include -I${pkgs.fftwFloat.dev}/include -I${pkgs.fftwLongDouble.dev}/include"
  '';
  meta = {
    description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
    homepage = http://hgomersall.github.com/pyFFTW/;
    license = with licenses; [ bsd2 bsd3 ];
    maintainer = with maintainers; [ fridh ];
  };
 };
 ```
 Note also the line `doCheck = false;`, we explicitly disabled running the test-suite.
@ -316,10 +328,7 @@ That way, you can run updated code without having to reinstall after each and ev
 Development mode is also available. Let's see how you can use it.
 In the previous Nix expression the source was fetched from an url. We can also refer to a local source instead using
-
+`src = ./path/to/source/tree;`
 ```nix
 src = ./path/to/source/tree;
 ```
 If we create a `shell.nix` file which calls `buildPythonPackage`, and if `src`
 is a local source, and if the local source has a `setup.py`, then development
@ -338,7 +347,7 @@ buildPythonPackage rec {
  name = "mypackage";
  src = ./path/to/package/source;
  propagatedBuildInputs = [ pytest numpy pkgs.libsndfile ];
-};
+}
 ```
 It is important to note that due to how development mode is implemented on Nix it is not possible to have multiple packages simultaneously in development mode.
@ -371,7 +380,7 @@ buildPythonPackage rec {
  name = "toolz-${version}";
  version = "0.7.4";
-  src = pkgs.fetchurl{
+  src = pkgs.fetchurl {
    url = "mirror://pypi/t/toolz/toolz-${version}.tar.gz";
    sha256 = "43c2c9e5e7a16b6c88ba3088a9bfc82f7db8e13378be7c78d6c14a5f8ed05afd";
  };
@ -382,7 +391,7 @@ buildPythonPackage rec {
    license = licenses.bsd3;
    maintainers = with maintainers; [ fridh ];
  };
-};
+}
 ```
 It takes two arguments, `pkgs` and `buildPythonPackage`.
@ -392,7 +401,10 @@ We now call this function using `callPackage` in the definition of our environme
 with import <nixpkgs> {};
 ( let
-    toolz = pkgs.callPackage ~/path/to/toolz/release.nix { pkgs=pkgs; buildPythonPackage=pkgs.python35Packages.buildPythonPackage; };
+    toolz = pkgs.callPackage /path/to/toolz/release.nix {
      pkgs = pkgs;
      buildPythonPackage = pkgs.python35Packages.buildPythonPackage;
    };
  in pkgs.python35.withPackages (ps: [ ps.numpy toolz ])
 ).env
 ```
@ -410,8 +422,8 @@ and in this case the `python35` interpreter is automatically used.
 ### Interpreters
-Versions 2.6, 2.7, 3.3, 3.4 and 3.5 of the CPython interpreter are available as respectively
+Versions 2.7, 3.3, 3.4, 3.5 and 3.6 of the CPython interpreter are available as
-`python26`, `python27`, `python33`, `python34` and `python35`. The PyPy interpreter
+respectively `python27`, `python33`, `python34`, `python35` and `python36`. The PyPy interpreter
 is available as `pypy`. The aliases `python2` and `python3` correspond to respectively `python27` and
 `python35`. The default interpreter, `python`, maps to `python2`.
 The Nix expressions for the interpreters can be found in
@ -460,6 +472,7 @@ sets are
 * `pkgs.python33Packages`
 * `pkgs.python34Packages`
 * `pkgs.python35Packages`
 * `pkgs.python36Packages`
 * `pkgs.pypyPackages`
 and the aliases
@ -474,22 +487,27 @@ The `buildPythonPackage` function is implemented in
 `pkgs/development/interpreters/python/build-python-package.nix`
 The following is an example:
 ```nix
 { # ...
-    twisted = buildPythonPackage {
+  twisted = buildPythonPackage {
-      name = "twisted-8.1.0";
+    name = "twisted-8.1.0";
-      src = pkgs.fetchurl {
+    src = pkgs.fetchurl {
-        url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
+      url = http://tmrc.mit.edu/mirror/twisted/Twisted/8.1/Twisted-8.1.0.tar.bz2;
-        sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
+      sha256 = "0q25zbr4xzknaghha72mq57kh53qw1bf8csgp63pm9sfi72qhirl";
-      };
+    };
-      propagatedBuildInputs = [ self.ZopeInterface ];
+    propagatedBuildInputs = [ self.ZopeInterface ];
-      meta = {
+    meta = {
-        homepage = http://twistedmatrix.com/;
+      homepage = http://twistedmatrix.com/;
-        description = "Twisted, an event-driven networking engine written in Python";
+      description = "Twisted, an event-driven networking engine written in Python";
-        license = stdenv.lib.licenses.mit; };
+      license = stdenv.lib.licenses.mit;
-      };
+    };
  };
 }
 ```
 The `buildPythonPackage` mainly does four things:
@ -539,29 +557,32 @@ Because with an application we're not interested in multiple version the prefix
 Python environments can be created using the low-level `pkgs.buildEnv` function.
 This example shows how to create an environment that has the Pyramid Web Framework.
 Saving the following as `default.nix`
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+python.buildEnv.override {
-
+  extraLibs = [ pkgs.pythonPackages.pyramid ];
-    python.buildEnv.override {
+  ignoreCollisions = true;
-      extraLibs = [ pkgs.pythonPackages.pyramid ];
+}
-      ignoreCollisions = true;
+```
    }
 and running `nix-build` will create
-
+```
-    /nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env
+/nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env
 ```
 with wrapped binaries in `bin/`.
 You can also use the `env` attribute to create local environments with needed
 packages installed. This is somewhat comparable to `virtualenv`. For example,
 running `nix-shell` with the following `shell.nix`
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+(python3.buildEnv.override {
-
+  extraLibs = with python3Packages; [ numpy requests2 ];
-    (python3.buildEnv.override {
+}).env
-      extraLibs = with python3Packages; [ numpy requests2 ];
+```
    }).env
 will drop you into a shell where Python will have the
 specified packages in its path.
@ -576,30 +597,33 @@ specified packages in its path.
 #### python.withPackages function
 The `python.withPackages` function provides a simpler interface to the `python.buildEnv` functionality.
-It takes a function as an argument that is passed the set of python packages and returns the list 
+It takes a function as an argument that is passed the set of python packages and returns the list
 of the packages to be included in the environment. Using the `withPackages` function, the previous
 example for the Pyramid Web Framework environment can be written like this:
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+python.withPackages (ps: [ps.pyramid])
 ```
-    python.withPackages (ps: [ps.pyramid])
+`withPackages` passes the correct package set for the specific interpreter version as an
 `withPackages` passes the correct package set for the specific interpreter version as an 
 argument to the function. In the above example, `ps` equals `pythonPackages`.
 But you can also easily switch to using python3:
-    
+```nix
-    with import <nixpkgs> {};
+with import <nixpkgs> {};
-    python3.withPackages (ps: [ps.pyramid])
+python3.withPackages (ps: [ps.pyramid])
 ```
 Now, `ps` is set to `python3Packages`, matching the version of the interpreter.
 As `python.withPackages` simply uses `python.buildEnv` under the hood, it also supports the `env`
 attribute. The `shell.nix` file from the previous section can thus be also written like this:
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+(python33.withPackages (ps: [ps.numpy ps.requests2])).env
-
+```
    (python33.withPackages (ps: [ps.numpy ps.requests2])).env
 In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
 such as `ignoreCollisions = true` or `postBuild`. If you need them, you have to use `python.buildEnv`.
@ -613,22 +637,24 @@ install -e . --prefix $TMPDIR/`for the package.
 Warning: `shellPhase` is executed only if `setup.py` exists.
 Given a `default.nix`:
 ```nix
 with import <nixpkgs> {};
-    with import <nixpkgs> {};
+buildPythonPackage { name = "myproject";
-    buildPythonPackage { name = "myproject";
+buildInputs = with pkgs.pythonPackages; [ pyramid ];
-    buildInputs = with pkgs.pythonPackages; [ pyramid ];
+src = ./.; }
-
+```
    src = ./.; }
 Running `nix-shell` with no arguments should give you
 the environment in which the package would be built with
 `nix-build`.
 Shortcut to setup environments with C headers/libraries and python packages:
-
+```shell
-    $ nix-shell -p pythonPackages.pyramid zlib libjpeg git
+nix-shell -p pythonPackages.pyramid zlib libjpeg git
 ```
 Note: There is a boolean value `lib.inNixShell` set to `true` if nix-shell is invoked.
@ -641,6 +667,19 @@ community to help save time. No tool is preferred at the moment.
 - [pypi2nix](https://github.com/garbas/pypi2nix) by Rok Garbas
 - [pypi2nix](https://github.com/offlinehacker/pypi2nix) by Jaka Hudoklin
 ### Deterministic builds
 Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
 Minor modifications had to be made to the interpreters in order to generate
 deterministic bytecode. This has security implications and is relevant for
 those using Python in a `nix-shell`.
 When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1.
 The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
 [PYTHONHASHSEED=0](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
 Both are also exported in `nix-shell`.
 ## FAQ
 ### How can I install a working Python environment?
@ -663,7 +702,7 @@ with import <nixpkgs> {};
 pkgs.python35.withPackages (ps: with ps; [ numpy ipython ])
 ```
 and install it in your profile with
-```
+```shell
 nix-env -if build.nix
 ```
 Now you can use the Python interpreter, as well as the extra packages that you added to the environment.
@ -671,15 +710,19 @@ Now you can use the Python interpreter, as well as the extra packages that you a
 #### Environment defined in `~/.nixpkgs/config.nix`
 If you prefer to, you could also add the environment as a package override to the Nixpkgs set.
-```
+```nix
 { # ...
  packageOverrides = pkgs: with pkgs; {
    myEnv = python35.withPackages (ps: with ps; [ numpy ipython ]);
  };
 }
 ```
 and install it in your profile with
-```
+```shell
 nix-env -iA nixpkgs.myEnv
 ```
 We're installing using the attribute path and assume the channels is named `nixpkgs`.
 Note that I'm using the attribute path here.
@ -688,9 +731,12 @@ Note that I'm using the attribute path here.
 For the sake of completeness, here's another example how to install the environment system-wide.
 ```nix
-environment.systemPackages = with pkgs; [
+{ # ...
-  (python35.withPackages(ps: with ps; [ numpy ipython ]))
+
-];
+  environment.systemPackages = with pkgs; [
    (python35.withPackages(ps: with ps; [ numpy ipython ]))
  ];
 }
 ```
 ### How to solve circular dependencies?
@ -727,19 +773,18 @@ All packages in the Python package set will now use the updated `scipy` version.
 ```nix
 with import <nixpkgs> {};
-(
+( let
-let
+    packageOverrides = self: super: {
-  packageOverrides = self: super: {
+      scipy = super.scipy_0_17;
-    scipy = super.scipy_0_17;
+    };
-  };
+  in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
 in (pkgs.python35.override {inherit packageOverrides;}).withPackages (ps: [ps.blaze])
 ).env
 ```
 The requested package `blaze` depends on `pandas` which itself depends on `scipy`.
 If you want the whole of Nixpkgs to use your modifications, then you can use `overlays`
 as explained in this manual. In the following example we build a `inkscape` using a different version of `numpy`.
-```
+```nix
 let
  pkgs = import <nixpkgs> {};
  newpkgs = import pkgs.path { overlays = [ (pkgsself: pkgssuper: {
@ -762,32 +807,32 @@ This is because files are included that depend on items in the Nix store which h
 The command `bdist_wheel` takes into account `SOURCE_DATE_EPOCH`, and `nix-shell` sets this to 1. By setting it to a value corresponding to 1980 or later, or by unsetting it, it is possible to build wheels.
 Use 1980 as timestamp:
-```
+```shell
 nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"
 ```
 or the current time:
-```
+```shell
 nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"
 ```
 or unset:
-```
+```shell
 nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"
 ```
 ### `install_data` / `data_files` problems
 If you get the following error:
-
+```
-    could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
+could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
-    Permission denied
+Permission denied
-
+```
-This is a [known bug](https://github.com/pypa/setuptools/issues/130) in setuptools.
+This is a [known bug](https://github.com/pypa/setuptools/issues/130) in `setuptools`.
 Setuptools `install_data` does not respect `--prefix`. An example of such package using the feature is `pkgs/tools/X11/xpra/default.nix`.
 As workaround install it as an extra `preInstall` step:
-
+```shell
-    ${python.interpreter} setup.py install_data --install-dir=$out --root=$out
+${python.interpreter} setup.py install_data --install-dir=$out --root=$out
-    sed -i '/ = data\_files/d' setup.py
+sed -i '/ = data\_files/d' setup.py
-
+```
 ###  Rationale of non-existent global site-packages
@ -811,11 +856,11 @@ and install python modules through `pip` the traditional way.
 Create this `default.nix` file, together with a `requirements.txt` and simply execute `nix-shell`.
-```
+```nix
 with import <nixpkgs> {};
 with pkgs.python27Packages;
-stdenv.mkDerivation { 
+stdenv.mkDerivation {
  name = "impurePythonEnv";
  buildInputs = [
    # these packages are required for virtualenv and pip to work:
@ -823,10 +868,10 @@ stdenv.mkDerivation {
    python27Full
    python27Packages.virtualenv
    python27Packages.pip
-    # the following packages are related to the dependencies of your python 
+    # the following packages are related to the dependencies of your python
-    # project. 
+    # project.
-    # In this particular example the python modules listed in the 
+    # In this particular example the python modules listed in the
-    # requirements.tx require the following packages to be installed locally 
+    # requirements.tx require the following packages to be installed locally
    # in order to compile any binary extensions they may require.
    #
    taglib
@ -841,7 +886,7 @@ stdenv.mkDerivation {
  shellHook = ''
  # set SOURCE_DATE_EPOCH so that we can use python wheels
  SOURCE_DATE_EPOCH=$(date +%s)
-  virtualenv --no-setuptools venv 
+  virtualenv --no-setuptools venv
  export PATH=$PWD/venv/bin:$PATH
  pip install -r requirements.txt
  '';
@ -849,10 +894,31 @@ stdenv.mkDerivation {
 ```
 Note that the `pip install` is an imperative action. So every time `nix-shell`
-is executed it will attempt to download the python modules listed in 
+is executed it will attempt to download the python modules listed in
 requirements.txt. However these will be cached locally within the `virtualenv`
 folder and not downloaded again.
 ### How to override a Python package from `configuration.nix`?
 If you need to change a package's attribute(s) from `configuration.nix` you could do:
 ```nix
  nixpkgs.config.packageOverrides = superP: {
    pythonPackages = superP.pythonPackages.override {
      overrides = self: super: {
        bepasty-server = super.bepasty-server.overrideAttrs ( oldAttrs: {
          src = pkgs.fetchgit {
            url = "https://github.com/bepasty/bepasty-server";
            sha256 = "9ziqshmsf0rjvdhhca55sm0x8jz76fsf2q4rwh4m6lpcf8wr0nps";
            rev = "e2516e8cf4f2afb5185337073607eb9e84a61d2d";
          };
        });
      };
    };
  };
 ```
 If you are using the `bepasty-server` package somewhere, for example in `systemPackages` or indirectly from `services.bepasty`, then a `nixos-rebuild switch` will rebuild the system but with the `bepasty-server` package using a different `src` attribute. This way one can modify `python` based software/libraries easily. Using `self` and `super` one can also alter dependencies (`buildInputs`) between the old state (`self`) and new state (`super`). 
 ## Contributing
@ -860,7 +926,8 @@ folder and not downloaded again.
 Following rules are desired to be respected:
-* Make sure package builds for all python interpreters. Use `disabled` argument to `buildPythonPackage` to set unsupported interpreters.
+* Python libraries are supposed to be called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
-* If tests need to be disabled for a package, make sure you leave a comment about reasoning.
+* Python applications live outside of `python-packages.nix` and are packaged with `buildPythonApplication`.
-* Packages in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
+* Make sure libraries build for all Python interpreters.
-* Python libraries are supposed to be in `python-packages.nix` and packaged with `buildPythonPackage`. Python applications live outside of `python-packages.nix` and are packaged with `buildPythonApplication`.
+* By default we enable tests. Make sure the tests are found and, in the case of libraries, are passing for all interpreters. If certain tests fail they can be disabled individually. Try to avoid disabling the tests altogether. In any case, when you disable tests, leave a comment explaining why.
 * Commit names of Python libraries should include `pythonPackages`, for example `pythonPackages.numpy: 1.11 -> 1.12`.
--- a/doc/languages-frameworks/qt.xml
+++ b/doc/languages-frameworks/qt.xml
@ -2,67 +2,31 @@
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xml:id="sec-language-qt">
-<title>Qt</title>
+<title>Qt and KDE</title>
-<para>The information in this section applies to Qt 5.5 and later.</para>
+<para>Qt is a comprehensive desktop and mobile application development toolkit for C++. Legacy support is available for Qt 3 and Qt 4, but all current development uses Qt 5. The Qt 5 packages in Nixpkgs are updated frequently to take advantage of new features, but older versions are typically retained to support packages that may not be compatible with the latest version. When packaging applications and libraries for Nixpkgs, it is important to ensure that compatible versions of Qt 5 are used throughout; this consideration motivates the tools described below.</para>
 <para>Qt is an application development toolkit for C++. Although it is
 not a distinct programming language, there are special considerations
 for packaging Qt-based programs and libraries. A small set of tools
 and conventions has grown out of these considerations.</para>
 <section xml:id="ssec-qt-libraries"><title>Libraries</title>
-<para>Packages that provide libraries should be listed in
+<para>Libraries that depend on Qt 5 should be built with each available version to avoid linking a dependent package against incompatible versions of Qt 5. (Although Qt 5 maintains backward ABI compatibility, linking against multiple versions at once is generally not possible; at best it will lead to runtime faults.) Packages that provide libraries should be added to the top-level function <varname>mkLibsForQt5</varname>, which is used to build a set of libraries for every Qt 5 version. The <varname>callPackage</varname> provided in this scope will ensure that only one Qt version will be used throughout the dependency tree. Dependencies should be imported unqualified, i.e. <literal>qtbase</literal> not <literal>qt5.qtbase</literal>, so that <varname>callPackage</varname> can do its work. <emphasis>Do not</emphasis> import a package set such as <literal>qt5</literal> or <literal>libsForQt5</literal> into your package; although it may work fine in the moment, it could well break at the next Qt update.</para>
-<varname>qt5LibsFun</varname> so that the library is built with each
+
-Qt version. A set of packages is provided for each version of Qt; for
+<para>If a library does not support a particular version of Qt 5, it is best to mark it as broken by setting its <literal>meta.broken</literal> attribute. A package may be marked broken for certain versions by testing the <literal>qtbase.version</literal> attribute, which will always give the current Qt 5 version.</para>
 example, <varname>qt5Libs</varname> always provides libraries built
 with the latest version, <varname>qt55Libs</varname> provides
 libraries built with Qt 5.5, and so on. To avoid version conflicts, no
 top-level attributes are created for these packages.</para>
 </section>
-<section xml:id="ssec-qt-programs"><title>Programs</title>
+<section xml:id="ssec-qt-applications"><title>Applications</title>
-<para>Application packages do not need to be built with every Qt
+<para>Applications generally do not need to be built with every Qt version because they do not provide any libraries for dependent packages to link against. The primary consideration is merely ensuring that the application itself and its dependencies are linked against only one version of Qt. To call your application expression, use <literal>libsForQt5.callPackage</literal> instead of <literal>callPackage</literal>. Dependencies should be imported unqualified, i.e. <literal>qtbase</literal> not <literal>qt5.qtbase</literal>. <emphasis>Do not</emphasis> import a package set such as <literal>qt5</literal> or <literal>libsForQt5</literal> into your package; although it may work fine in the moment, it could well break at the next Qt update.</para>
 version. To ensure consistency between the package's dependencies,
 call the package with <literal>qt5Libs.callPackage</literal> instead
 of the usual <literal>callPackage</literal>. An older version may be
 selected in case of incompatibility. For example, to build with Qt
 5.5, call the package with
 <literal>qt55Libs.callPackage</literal>.</para>
-<para>Several environment variables must be set at runtime for Qt
+<para>It is generally best to build an application package against the <varname>libsForQt5</varname> library set. In case a package does not build with the latest Qt version, it is possible to pick a set pinned to a particular version, e.g. <varname>libsForQt55</varname> for Qt 5.5, if that is the latest version the package supports.</para>
 applications to function correctly, including:</para>
-<itemizedlist>
+<para>Qt-based applications require that several paths be set at runtime. This is accomplished by wrapping the provided executables in a package with <literal>wrapQtProgram</literal> or <literal>makeQtWrapper</literal> during the <literal>postFixup</literal> phase. To use the wrapper generators, add <literal>makeQtWrapper</literal> to <literal>nativeBuildInputs</literal>. The wrapper generators support the same options as <literal>wrapProgram</literal> and <literal>makeWrapper</literal> respectively. It is usually only necessary to generate wrappers for programs intended to be invoked by the user.</para>
  <listitem><para><envar>QT_PLUGIN_PATH</envar></para></listitem>
  <listitem><para><envar>QML_IMPORT_PATH</envar></para></listitem>
  <listitem><para><envar>QML2_IMPORT_PATH</envar></para></listitem>
  <listitem><para><envar>XDG_DATA_DIRS</envar></para></listitem>
 </itemizedlist>
 <para>To ensure that these are set correctly, the program must be wrapped by
 invoking <literal>wrapQtProgram <replaceable>program</replaceable></literal>
 during installation (for example, during
 <literal>fixupPhase</literal>). <literal>wrapQtProgram</literal>
 accepts the same options as <literal>makeWrapper</literal>.
 </para>
 </section>
 <section xml:id="ssec-qt-kde"><title>KDE</title>
-<para>Many of the considerations above also apply to KDE packages,
+<para>The KDE Frameworks are a set of libraries for Qt 5 which form the basis of the Plasma desktop environment and the KDE Applications suite. Packaging a Frameworks-based library does not require any steps beyond those described above for general Qt-based libraries. Frameworks-based applications should not use <literal>makeQtWrapper</literal>; instead, use <literal>kdeWrapper</literal> to create the necessary wrappers: <literal>kdeWrapper { unwrapped = <replaceable>expr</replaceable>; targets = <replaceable>exes</replaceable>; }</literal>, where <replaceable>expr</replaceable> is the un-wrapped package expression and <replaceable>exes</replaceable> is a list of strings giving the relative paths to programs in the package which should be wrapped.</para>
 especially the need to set the correct environment variables at
 runtime. To ensure that this is done, invoke <literal>wrapKDEProgram
 <replaceable>program</replaceable></literal> during
 installation. <literal>wrapKDEProgram</literal> also generates a
 <literal>ksycoca</literal> database so that required data and services
 can be found. Like its Qt counterpart,
 <literal>wrapKDEProgram</literal> accepts the same options as
 <literal>makeWrapper</literal>.</para>
 </section>
--- a/doc/languages-frameworks/rust.md
+++ b/doc/languages-frameworks/rust.md
@ -0,0 +1,91 @@
 ---
 title: Rust
 author: Matthias Beyer
 date: 2017-03-05
 ---
 # User's Guide to the Rust Infrastructure
 To install the rust compiler and cargo put
 ```
 rustStable.rustc
 rustStable.cargo
 ```
 into the `environment.systemPackages` or bring them into scope with
 `nix-shell -p rustStable.rustc -p rustStable.cargo`.
 There are also `rustBeta` and `rustNightly` package sets available.
 These are not updated very regulary. For daily builds see
 [Using the Rust nightlies overlay](#using-the-rust-nightlies-overlay)
 ## Packaging Rust applications
 Rust applications are packaged by using the `buildRustPackage` helper from `rustPlatform`:
 ```
 with rustPlatform;
 buildRustPackage rec {
  name = "ripgrep-${version}";
  version = "0.4.0";
  src = fetchFromGitHub {
    owner = "BurntSushi";
    repo = "ripgrep";
    rev = "${version}";
    sha256 = "0y5d1n6hkw85jb3rblcxqas2fp82h3nghssa4xqrhqnz25l799pj";
  };
  depsSha256 = "0q68qyl2h6i0qsz82z840myxlnjay8p1w5z7hfyr8fqp7wgwa9cx";
  meta = with stdenv.lib; {
    description = "A utility that combines the usability of The Silver Searcher with the raw speed of grep";
    homepage = https://github.com/BurntSushi/ripgrep;
    license = with licenses; [ unlicense ];
    maintainers = [ maintainers.tailhook ];
    platforms = platforms.all;
  };
 }
 ```
 `buildRustPackage` requires a `depsSha256` attribute which is computed over
 all crate sources of this package. Currently it is obtained by inserting a
 fake checksum into the expression and building the package once. The correct
 checksum can be then take from the failed build.
 To install crates with nix there is also an experimental project called
 [nixcrates](https://github.com/fractalide/nixcrates).
 ## Using the Rust nightlies overlay
 Mozilla provides an overlay for nixpkgs to bring a nightly version of Rust into scope.
 This overlay can _also_ be used to install recent unstable or stable versions
 of Rust, if desired.
 To use this overlay, clone
 [nixpkgs-mozilla](https://github.com/mozilla/nixpkgs-mozilla),
 and create a symbolic link to the file
 [rust-overlay.nix](https://github.com/mozilla/nixpkgs-mozilla/blob/master/rust-overlay.nix)
 in the `~/.config/nixpkgs/overlays` directory.
    $ git clone https://github.com/mozilla/nixpkgs-mozilla.git
    $ mkdir -p ~/.config/nixpkgs/overlays
    $ ln -s $(pwd)/nixpkgs-mozilla/rust-overlay.nix ~/.config/nixpkgs/overlays/rust-overlay.nix
 The latest version can be installed with the following command:
    $ nix-env -Ai nixos.rustChannels.stable.rust
 Or using the attribute with nix-shell:
    $ nix-shell -p nixos.rustChannels.stable.rust
 To install the beta or nightly channel, "stable" should be substituted by
 "nightly" or "beta", or
 use the function provided by this overlay to pull a version based on a
 build date.
 The overlay automatically updates itself as it uses the same source as
 [rustup](https://www.rustup.rs/).
--- a/doc/overlays.xml
+++ b/doc/overlays.xml
@ -34,7 +34,7 @@ first one present is considered, and all the rest are ignored:
  <listitem>
-    <para>In the directory <filename>~/.nixpkgs/overlays/</filename>.</para>
+    <para>In the directory <filename>~/.config/nixpkgs/overlays/</filename>.</para>
  </listitem>
 </orderedlist>
@ -50,7 +50,7 @@ the same recipe. In the case where overlays are loaded from a directory, they ar
 alphabetical order.</para>
 <para>To install an overlay using the last option, you can clone the overlay's repository and add
-a symbolic link to it in <filename>~/.nixpkgs/overlays/</filename> directory.</para>
+a symbolic link to it in <filename>~/.config/nixpkgs/overlays/</filename> directory.</para>
 </section>
--- a/lib/attrsets.nix
+++ b/lib/attrsets.nix
@ -1,12 +1,12 @@
 # Operations on attribute sets.
-with {
+let
  inherit (builtins) head tail length;
  inherit (import ./trivial.nix) or;
  inherit (import ./default.nix) fold;
  inherit (import ./strings.nix) concatStringsSep;
  inherit (import ./lists.nix) concatMap concatLists all deepSeqList;
-};
+in
 rec {
  inherit (builtins) attrNames listToAttrs hasAttr isAttrs getAttr;
--- a/lib/composable-derivation.nix
+++ b/lib/composable-derivation.nix
@ -1,4 +1,4 @@
-{lib, pkgs} :
+{lib, pkgs}:
 let inherit (lib) nv nvs; in
 {
@ -19,7 +19,7 @@ let inherit (lib) nv nvs; in
  # * vim_configurable
  #
  # A minimal example illustrating most features would look like this:
-  # let base = composableDerivation { (fixed : let inherit (fixed.fixed) name in {
+  # let base = composableDerivation { (fixed: let inherit (fixed.fixed) name in {
  #    src = fetchurl {
  #    }
  #    buildInputs = [A];
@ -79,7 +79,7 @@ let inherit (lib) nv nvs; in
        # consider adding addtional elements by derivation.merge { removeAttrs = ["elem"]; };
        removeAttrs ? ["cfg" "flags"]
-      }: (lib.defaultOverridableDelayableArgs ( a: mkDerivation a) 
+      }: (lib.defaultOverridableDelayableArgs ( a: mkDerivation a)
         {
           inherit applyPreTidy removeAttrs;
         }).merge;
--- a/lib/customisation.nix
+++ b/lib/customisation.nix
@ -177,9 +177,10 @@ rec {
    let self = f self // {
          newScope = scope: newScope (self // scope);
          callPackage = self.newScope {};
-          override = g: makeScope newScope (self_:
+          override = g:
-            let super = f self_;
+            makeScope newScope
-            in super // g super self_);
+            (self_: let super = f self_; in super // g super self_);
          packages = f;
        };
    in self;
--- a/lib/debug.nix
+++ b/lib/debug.nix
@ -24,10 +24,10 @@ rec {
  traceValSeq = v: traceVal (builtins.deepSeq v v);
  # this can help debug your code as well - designed to not produce thousands of lines
-  traceShowVal = x : trace (showVal x) x;
+  traceShowVal = x: trace (showVal x) x;
  traceShowValMarked = str: x: trace (str + showVal x) x;
-  attrNamesToStr = a : lib.concatStringsSep "; " (map (x : "${x}=") (attrNames a));
+  attrNamesToStr = a: lib.concatStringsSep "; " (map (x: "${x}=") (attrNames a));
-  showVal = x :
+  showVal = x:
      if isAttrs x then
          if x ? outPath then "x is a derivation, name ${if x ? name then x.name else "<no name>"}, { ${attrNamesToStr x} }"
          else "x is attr set { ${attrNamesToStr x} }"
@ -43,9 +43,9 @@ rec {
  # trace the arguments passed to function and its result
  # maybe rewrite these functions in a traceCallXml like style. Then one function is enough
-  traceCall  = n : f : a : let t = n2 : x : traceShowValMarked "${n} ${n2}:" x; in t "result" (f (t "arg 1" a));
+  traceCall  = n: f: a: let t = n2: x: traceShowValMarked "${n} ${n2}:" x; in t "result" (f (t "arg 1" a));
-  traceCall2 = n : f : a : b : let t = n2 : x : traceShowValMarked "${n} ${n2}:" x; in t "result" (f (t "arg 1" a) (t "arg 2" b));
+  traceCall2 = n: f: a: b: let t = n2: x: traceShowValMarked "${n} ${n2}:" x; in t "result" (f (t "arg 1" a) (t "arg 2" b));
-  traceCall3 = n : f : a : b : c : let t = n2 : x : traceShowValMarked "${n} ${n2}:" x; in t "result" (f (t "arg 1" a) (t "arg 2" b) (t "arg 3" c));
+  traceCall3 = n: f: a: b: c: let t = n2: x: traceShowValMarked "${n} ${n2}:" x; in t "result" (f (t "arg 1" a) (t "arg 2" b) (t "arg 3" c));
  # FIXME: rename this?
  traceValIfNot = c: x:
@ -71,7 +71,7 @@ rec {
  # create a test assuming that list elements are true
  # usage: { testX = allTrue [ true ]; }
-  testAllTrue = expr : { inherit expr; expected = map (x: true) expr; };
+  testAllTrue = expr: { inherit expr; expected = map (x: true) expr; };
  strict = v:
    trace "Warning: strict is deprecated and will be removed in the next release"
--- a/lib/default.nix
+++ b/lib/default.nix
@ -34,6 +34,9 @@ let
  sandbox = import ./sandbox.nix;
  fetchers = import ./fetchers.nix;
  # Eval-time filesystem handling
  filesystem = import ./filesystem.nix;
 in
  { inherit trivial
            attrsets lists strings stringsWithDeps
@ -41,7 +44,7 @@ in
            modules options types
            licenses platforms systems
            debug generators misc
-            sandbox fetchers;
+            sandbox fetchers filesystem;
  }
  # !!! don't include everything at top-level; perhaps only the most
  # commonly used functions.
--- a/lib/deprecated.nix
+++ b/lib/deprecated.nix
@ -16,23 +16,23 @@ rec {
  defaultMergeArg = x : y: if builtins.isAttrs y then
    y
-  else 
+  else
    (y x);
  defaultMerge = x: y: x // (defaultMergeArg x y);
-  foldArgs = merger: f: init: x: 
+  foldArgs = merger: f: init: x:
-    let arg=(merger init (defaultMergeArg init x));
+    let arg = (merger init (defaultMergeArg init x));
-      # now add the function with composed args already applied to the final attrs
+        # now add the function with composed args already applied to the final attrs
-        base = (setAttrMerge "passthru" {} (f arg) 
+        base = (setAttrMerge "passthru" {} (f arg)
-                        ( z : z // rec { 
+                        ( z: z // rec {
-                          function = foldArgs merger f arg; 
+                            function = foldArgs merger f arg;
-			  args = (lib.attrByPath ["passthru" "args"] {} z) // x;
+                            args = (lib.attrByPath ["passthru" "args"] {} z) // x;
                          } ));
-	withStdOverrides = base // {
+        withStdOverrides = base // {
-	   override = base.passthru.function;
+          override = base.passthru.function;
-	   } ;
+        };
        in
-	withStdOverrides;
+          withStdOverrides;
-    
+
  # predecessors: proposed replacement for applyAndFun (which has a bug cause it merges twice)
  # the naming "overridableDelayableArgs" tries to express that you can
@ -49,35 +49,35 @@ rec {
  #
  # examples: see test cases "res" below;
  overridableDelayableArgs =
-          f :        # the function applied to the arguments
+          f:        # the function applied to the arguments
-          initial :  # you pass attrs, the functions below are passing a function taking the fix argument
+          initial:  # you pass attrs, the functions below are passing a function taking the fix argument
    let
        takeFixed = if isFunction initial then initial else (fixed : initial); # transform initial to an expression always taking the fixed argument
-        tidy = args : 
+        tidy = args:
            let # apply all functions given in "applyPreTidy" in sequence
-                applyPreTidyFun = fold ( n : a : x : n ( a x ) ) lib.id (maybeAttr "applyPreTidy" [] args);
+                applyPreTidyFun = fold ( n: a: x: n ( a x ) ) lib.id (maybeAttr "applyPreTidy" [] args);
            in removeAttrs (applyPreTidyFun args) ( ["applyPreTidy"] ++ (maybeAttr  "removeAttrs" [] args) ); # tidy up args before applying them
-        fun = n : x :
+        fun = n: x:
-             let newArgs = fixed :
+            let newArgs = fixed:
-                     let args = takeFixed fixed; 
+                    let args = takeFixed fixed;
-                         mergeFun = args.${n};
+                        mergeFun = args.${n};
-                     in if isAttrs x then (mergeFun args x)
+                    in if isAttrs x then (mergeFun args x)
-                        else assert isFunction x;
+                       else assert isFunction x;
-                             mergeFun args (x ( args // { inherit fixed; }));
+                            mergeFun args (x ( args // { inherit fixed; }));
-             in overridableDelayableArgs f newArgs;
+            in overridableDelayableArgs f newArgs;
    in
    (f (tidy (lib.fix takeFixed))) // {
      merge   = fun "mergeFun";
      replace = fun "keepFun";
    };
-  defaultOverridableDelayableArgs = f : 
+  defaultOverridableDelayableArgs = f:
      let defaults = {
            mergeFun = mergeAttrByFunc; # default merge function. merge strategie (concatenate lists, strings) is given by mergeAttrBy
-            keepFun = a : b : { inherit (a) removeAttrs mergeFun keepFun mergeAttrBy; } // b; # even when using replace preserve these values
+            keepFun = a: b: { inherit (a) removeAttrs mergeFun keepFun mergeAttrBy; } // b; # even when using replace preserve these values
            applyPreTidy = []; # list of functions applied to args before args are tidied up (usage case : prepareDerivationArgs)
            mergeAttrBy = mergeAttrBy // {
-              applyPreTidy = a : b : a ++ b;
+              applyPreTidy = a: b: a ++ b;
-              removeAttrs = a : b: a ++ b;
+              removeAttrs = a: b: a ++ b;
            };
            removeAttrs = ["mergeFun" "keepFun" "mergeAttrBy" "removeAttrs" "fixed" ]; # before applying the arguments to the function make sure these names are gone
          };
@ -86,7 +86,7 @@ rec {
  # rec { # an example of how composedArgsAndFun can be used
-  #  a  = composedArgsAndFun (x : x) { a = ["2"]; meta = { d = "bar";}; };
+  #  a  = composedArgsAndFun (x: x) { a = ["2"]; meta = { d = "bar";}; };
  #  # meta.d will be lost ! It's your task to preserve it (eg using a merge function)
  #  b  = a.passthru.function { a = [ "3" ]; meta = { d2 = "bar2";}; };
  #  # instead of passing/ overriding values you can use a merge function:
@ -119,7 +119,7 @@ rec {
    else if val == true || val == false then false
    else null;
-    
+
  # Return true only if there is an attribute and it is true.
  checkFlag = attrSet: name:
        if name == "true" then true else
@ -134,29 +134,29 @@ rec {
  ( attrByPath [name] (if checkFlag attrSet name then true else
        if argList == [] then null else
        let x = builtins.head argList; in
-                if (head x) == name then 
+                if (head x) == name then
                        (head (tail x))
-                else (getValue attrSet 
+                else (getValue attrSet
                        (tail argList) name)) attrSet );
-                        
+
  # Input : attrSet, [[name default] ...], [ [flagname reqs..] ... ]
  # Output : are reqs satisfied? It's asserted.
-  checkReqs = attrSet : argList : condList :
+  checkReqs = attrSet: argList: condList:
  (
-    fold lib.and true 
+    fold lib.and true
-      (map (x: let name = (head x) ; in
+      (map (x: let name = (head x); in
-        
+
-        ((checkFlag attrSet name) -> 
+        ((checkFlag attrSet name) ->
        (fold lib.and true
        (map (y: let val=(getValue attrSet argList y); in
-                (val!=null) && (val!=false)) 
+                (val!=null) && (val!=false))
-        (tail x))))) condList)) ;
+        (tail x))))) condList));
-        
+
  # This function has O(n^2) performance.
-  uniqList = {inputList, acc ? []} :
+  uniqList = { inputList, acc ? [] }:
-    let go = xs : acc :
+    let go = xs: acc:
             if xs == []
             then []
             else let x = head xs;
@ -164,26 +164,26 @@ rec {
                  in y ++ go (tail xs) (y ++ acc);
    in go inputList acc;
-  uniqListExt = {inputList, outputList ? [],
+  uniqListExt = { inputList,
-    getter ? (x : x), compare ? (x: y: x==y)}:
+                  outputList ? [],
                  getter ? (x: x),
                  compare ? (x: y: x==y) }:
        if inputList == [] then outputList else
-        let x=head inputList; 
+        let x = head inputList;
-        isX = y: (compare (getter y) (getter x));
+            isX = y: (compare (getter y) (getter x));
-        newOutputList = outputList ++
+            newOutputList = outputList ++
-         (if any isX outputList then [] else [x]);
+                (if any isX outputList then [] else [x]);
-        in uniqListExt {outputList=newOutputList; 
+        in uniqListExt { outputList = newOutputList;
-                inputList = (tail inputList);
+                         inputList = (tail inputList);
-                inherit getter compare;
+                         inherit getter compare;
-                };
+                       };
  condConcat = name: list: checker:
        if list == [] then name else
-        if checker (head list) then 
+        if checker (head list) then
-                condConcat 
+                condConcat
-                        (name + (head (tail list))) 
+                        (name + (head (tail list)))
-                        (tail (tail list)) 
+                        (tail (tail list))
                        checker
        else condConcat
                name (tail (tail list)) checker;
@ -202,12 +202,12 @@ rec {
    in
      work startSet [] [];
-  innerModifySumArgs = f: x: a: b: if b == null then (f a b) // x else 
+  innerModifySumArgs = f: x: a: b: if b == null then (f a b) // x else
        innerModifySumArgs f x (a // b);
  modifySumArgs = f: x: innerModifySumArgs f x {};
-  innerClosePropagation = acc : xs :
+  innerClosePropagation = acc: xs:
    if xs == []
    then acc
    else let y  = head xs;
@ -227,31 +227,31 @@ rec {
  closePropagation = list: (uniqList {inputList = (innerClosePropagation [] list);});
  # calls a function (f attr value ) for each record item. returns a list
-  mapAttrsFlatten = f : r : map (attr: f attr r.${attr}) (attrNames r);
+  mapAttrsFlatten = f: r: map (attr: f attr r.${attr}) (attrNames r);
  # attribute set containing one attribute
-  nvs = name : value : listToAttrs [ (nameValuePair name value) ];
+  nvs = name: value: listToAttrs [ (nameValuePair name value) ];
  # adds / replaces an attribute of an attribute set
-  setAttr = set : name : v : set // (nvs name v);
+  setAttr = set: name: v: set // (nvs name v);
  # setAttrMerge (similar to mergeAttrsWithFunc but only merges the values of a particular name)
-  # setAttrMerge "a" [] { a = [2];} (x : x ++ [3]) -> { a = [2 3]; } 
+  # setAttrMerge "a" [] { a = [2];} (x: x ++ [3]) -> { a = [2 3]; }
-  # setAttrMerge "a" [] {         } (x : x ++ [3]) -> { a = [  3]; }
+  # setAttrMerge "a" [] {         } (x: x ++ [3]) -> { a = [  3]; }
-  setAttrMerge = name : default : attrs : f :
+  setAttrMerge = name: default: attrs: f:
    setAttr attrs name (f (maybeAttr name default attrs));
-  # Using f = a : b = b the result is similar to //
+  # Using f = a: b = b the result is similar to //
  # merge attributes with custom function handling the case that the attribute
  # exists in both sets
-  mergeAttrsWithFunc = f : set1 : set2 :
+  mergeAttrsWithFunc = f: set1: set2:
-    fold (n: set : if set ? ${n}
+    fold (n: set: if set ? ${n}
                        then setAttr set n (f set.${n} set2.${n})
                        else set )
           (set2 // set1) (attrNames set2);
  # merging two attribute set concatenating the values of same attribute names
  # eg { a = 7; } {  a = [ 2 3 ]; } becomes { a = [ 7 2 3 ]; }
-  mergeAttrsConcatenateValues = mergeAttrsWithFunc ( a : b : (toList a) ++ (toList b) );
+  mergeAttrsConcatenateValues = mergeAttrsWithFunc ( a: b: (toList a) ++ (toList b) );
  # merges attributes using //, if a name exisits in both attributes
  # an error will be triggered unless its listed in mergeLists
@ -262,10 +262,10 @@ rec {
  # ! deprecated, use mergeAttrByFunc instead
  mergeAttrsNoOverride = { mergeLists ? ["buildInputs" "propagatedBuildInputs"],
                           overrideSnd ? [ "buildPhase" ]
-                         } : attrs1 : attrs2 :
+                         }: attrs1: attrs2:
-    fold (n: set : 
+    fold (n: set:
        setAttr set n ( if set ? ${n}
-            then # merge 
+            then # merge
              if elem n mergeLists # attribute contains list, merge them by concatenating
                then attrs2.${n} ++ attrs1.${n}
              else if elem n overrideSnd
@ -286,14 +286,14 @@ rec {
  # { mergeAttrsBy = [...]; buildInputs = [ a b c d ]; }
  # is used by prepareDerivationArgs, defaultOverridableDelayableArgs and can be used when composing using
  # foldArgs, composedArgsAndFun or applyAndFun. Example: composableDerivation in all-packages.nix
-  mergeAttrByFunc = x : y :
+  mergeAttrByFunc = x: y:
    let
-          mergeAttrBy2 = { mergeAttrBy=lib.mergeAttrs; }
+          mergeAttrBy2 = { mergeAttrBy = lib.mergeAttrs; }
                      // (maybeAttr "mergeAttrBy" {} x)
                      // (maybeAttr "mergeAttrBy" {} y); in
    fold lib.mergeAttrs {} [
      x y
-      (mapAttrs ( a : v : # merge special names using given functions
+      (mapAttrs ( a: v: # merge special names using given functions
          if x ? ${a}
             then if y ? ${a}
               then v x.${a} y.${a} # both have attr, use merge func
@ -313,9 +313,9 @@ rec {
  #
  # This function is best explained by an example:
  #
-  #     {version ? "2.x"} :
+  #     {version ? "2.x"}:
  #
-  #     mkDerivation (mergeAttrsByVersion "package-name" version 
+  #     mkDerivation (mergeAttrsByVersion "package-name" version
  #       { # version specific settings
  #         "git" = { src = ..; preConfigre = "autogen.sh"; buildInputs = [automake autoconf libtool];  };
  #         "2.x" = { src = ..; };
@ -346,21 +346,24 @@ rec {
  # See misc.nix -> versionedDerivation
  # discussion: nixpkgs: pull/310
  mergeAttrsByVersion = name: version: attrsByVersion: base:
-    mergeAttrsByFuncDefaultsClean [ { name = "${name}-${version}"; } base (maybeAttr version (throw "bad version ${version} for ${name}") attrsByVersion)];
+    mergeAttrsByFuncDefaultsClean [ { name = "${name}-${version}"; }
                                    base
                                    (maybeAttr version (throw "bad version ${version} for ${name}") attrsByVersion)
                                  ];
  # sane defaults (same name as attr name so that inherit can be used)
  mergeAttrBy = # { buildInputs = concatList; [...]; passthru = mergeAttr; [..]; }
-    listToAttrs (map (n : nameValuePair n lib.concat)
+    listToAttrs (map (n: nameValuePair n lib.concat)
      [ "nativeBuildInputs" "buildInputs" "propagatedBuildInputs" "configureFlags" "prePhases" "postAll" "patches" ])
-    // listToAttrs (map (n : nameValuePair n lib.mergeAttrs) [ "passthru" "meta" "cfg" "flags" ])
+    // listToAttrs (map (n: nameValuePair n lib.mergeAttrs) [ "passthru" "meta" "cfg" "flags" ])
-    // listToAttrs (map (n : nameValuePair n (a: b: "${a}\n${b}") ) [ "preConfigure" "postInstall" ])
+    // listToAttrs (map (n: nameValuePair n (a: b: "${a}\n${b}") ) [ "preConfigure" "postInstall" ])
  ;
  # prepareDerivationArgs tries to make writing configurable derivations easier
  # example:
  #  prepareDerivationArgs {
  #    mergeAttrBy = {
-  #       myScript = x : y : x ++ "\n" ++ y;
+  #       myScript = x: y: x ++ "\n" ++ y;
  #    };
  #    cfg = {
  #      readlineSupport = true;
@ -392,10 +395,10 @@ rec {
  # TODO use args.mergeFun here as well?
  prepareDerivationArgs = args:
    let args2 = { cfg = {}; flags = {}; } // args;
-        flagName = name : "${name}Support";
+        flagName = name: "${name}Support";
-        cfgWithDefaults = (listToAttrs (map (n : nameValuePair (flagName n) false) (attrNames args2.flags)))
+        cfgWithDefaults = (listToAttrs (map (n: nameValuePair (flagName n) false) (attrNames args2.flags)))
                          // args2.cfg;
-        opts = attrValues (mapAttrs (a : v :
+        opts = attrValues (mapAttrs (a: v:
                let v2 = if v ? set || v ? unset then v else { set = v; };
                    n = if cfgWithDefaults.${flagName a} then "set" else "unset";
                    attr = maybeAttr n {} v2; in
--- a/lib/filesystem.nix
+++ b/lib/filesystem.nix
@ -0,0 +1,26 @@
 { # locateDominatingFile :  RegExp
  #                      -> Path
  #                      -> Nullable { path : Path;
  #                                    matches : [ MatchResults ];
  #                                  }
  # Find the first directory containing a file matching 'pattern'
  # upward from a given 'file'.
  # Returns 'null' if no directories contain a file matching 'pattern'.
  locateDominatingFile = pattern: file:
    let go = path:
          let files = builtins.attrNames (builtins.readDir path);
              matches = builtins.filter (match: match != null)
                          (map (builtins.match pattern) files);
          in
            if builtins.length matches != 0
              then { inherit path matches; }
              else if path == /.
                then null
                else go (dirOf path);
        parent = dirOf file;
        isDir =
          let base = baseNameOf file;
              type = (builtins.readDir parent).${base} or null;
          in file == /. || type == "directory";
    in go (if isDir then file else parent);
 }
--- a/lib/lists.nix
+++ b/lib/lists.nix
@ -16,17 +16,22 @@ rec {
  */
  singleton = x: [x];
-  /* "Fold" a binary function `op' between successive elements of
+  /* “right fold” a binary function `op' between successive elements of
-     `list' with `nul' as the starting value, i.e., `fold op nul [x_1
+     `list' with `nul' as the starting value, i.e.,
-     x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))'.  (This is
+     `foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))'.
-     Haskell's foldr).
+     Type:
       foldr :: (a -> b -> b) -> b -> [a] -> b
     Example:
-       concat = fold (a: b: a + b) "z"
+       concat = foldr (a: b: a + b) "z"
       concat [ "a" "b" "c" ]
       => "abcz"
       # different types
       strange = foldr (int: str: toString (int + 1) + str) "a"
       strange [ 1 2 3 4 ]
       => "2345a"
  */
-  fold = op: nul: list:
+  foldr = op: nul: list:
    let
      len = length list;
      fold' = n:
@ -35,13 +40,25 @@ rec {
        else op (elemAt list n) (fold' (n + 1));
    in fold' 0;
-  /* Left fold: `fold op nul [x_1 x_2 ... x_n] == op (... (op (op nul
+  /* `fold' is an alias of `foldr' for historic reasons */
-     x_1) x_2) ... x_n)'.
+  # FIXME(Profpatsch): deprecate?
  fold = foldr;
  /* “left fold”, like `foldr', but from the left:
     `foldl op nul [x_1 x_2 ... x_n] == op (... (op (op nul x_1) x_2) ... x_n)`.
     Type:
       foldl :: (b -> a -> b) -> b -> [a] -> b
     Example:
       lconcat = foldl (a: b: a + b) "z"
       lconcat [ "a" "b" "c" ]
       => "zabc"
       # different types
       lstrange = foldl (str: int: str + toString (int + 1)) ""
       strange [ 1 2 3 4 ]
       => "a2345"
  */
  foldl = op: nul: list:
    let
@ -52,7 +69,7 @@ rec {
        else op (foldl' (n - 1)) (elemAt list n);
    in foldl' (length list - 1);
-  /* Strict version of foldl.
+  /* Strict version of `foldl'.
     The difference is that evaluation is forced upon access. Usually used
     with small whole results (in contract with lazily-generated list or large
@ -140,7 +157,7 @@ rec {
       any isString [ 1 { } ]
       => false
  */
-  any = builtins.any or (pred: fold (x: y: if pred x then true else y) false);
+  any = builtins.any or (pred: foldr (x: y: if pred x then true else y) false);
  /* Return true iff function `pred' returns true for all elements of
     `list'.
@ -151,7 +168,7 @@ rec {
       all (x: x < 3) [ 1 2 3 ]
       => false
  */
-  all = builtins.all or (pred: fold (x: y: if pred x then y else false) true);
+  all = builtins.all or (pred: foldr (x: y: if pred x then y else false) true);
  /* Count how many times function `pred' returns true for the elements
     of `list'.
@ -219,7 +236,7 @@ rec {
       => { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }
  */
  partition = builtins.partition or (pred:
-    fold (h: t:
+    foldr (h: t:
      if pred h
      then { right = [h] ++ t.right; wrong = t.wrong; }
      else { right = t.right; wrong = [h] ++ t.wrong; }
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@ -14,6 +14,7 @@
  aboseley = "Adam Boseley <adam.boseley@gmail.com>";
  abuibrahim = "Ruslan Babayev <ruslan@babayev.com>";
  acowley = "Anthony Cowley <acowley@gmail.com>";
  adelbertc = "Adelbert Chang <adelbertc@gmail.com>";
  adev = "Adrien Devresse <adev@adev.name>";
  Adjective-Object = "Maxwell Huang-Hobbs <mhuan13@gmail.com>";
  adnelson = "Allen Nelson <ithinkican@gmail.com>";
@ -24,6 +25,7 @@
  aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>";
  afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>";
  aherrmann = "Andreas Herrmann <andreash87@gmx.ch>";
  ahmedtd = "Taahir Ahmed <ahmed.taahir@gmail.com>";
  ak = "Alexander Kjeldaas <ak@formalprivacy.com>";
  akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";
  akc = "Anders Claesson <akc@akc.is>";
@ -58,8 +60,8 @@
  bachp = "Pascal Bach <pascal.bach@nextrem.ch>";
  badi = "Badi' Abdul-Wahid <abdulwahidc@gmail.com>";
  balajisivaraman = "Balaji Sivaraman<sivaraman.balaji@gmail.com>";
  basvandijk = "Bas van Dijk <v.dijk.bas@gmail.com>";
  Baughn = "Svein Ove Aas <sveina@gmail.com>";
  bbenoist = "Baptist BENOIST <return_0@live.com>";
  bcarrell = "Brandon Carrell <brandoncarrell@gmail.com>";
  bcdarwin = "Ben Darwin <bcdarwin@gmail.com>";
  bdimcheff = "Brandon Dimcheff <brandon@dimcheff.com>";
@ -71,6 +73,7 @@
  bjg = "Brian Gough <bjg@gnu.org>";
  bjornfor = "Bjørn Forsman <bjorn.forsman@gmail.com>";
  bluescreen303 = "Mathijs Kwik <mathijs@bluescreen303.nl>";
  bobakker = "Bo Bakker <bobakk3r@gmail.com>";
  bobvanderlinden = "Bob van der Linden <bobvanderlinden@gmail.com>";
  bodil = "Bodil Stokke <nix@bodil.org>";
  boothead = "Ben Ford <ben@perurbis.com>";
@ -81,14 +84,15 @@
  bzizou = "Bruno Bzeznik <Bruno@bzizou.net>";
  c0dehero = "CodeHero <codehero@nerdpol.ch>";
  calrama = "Moritz Maxeiner <moritz@ucworks.org>";
  calvertvl = "Victor Calvert <calvertvl@gmail.com>";
  campadrenalin = "Philip Horger <campadrenalin@gmail.com>";
  canndrew = "Andrew Cann <shum@canndrew.org>";
  carlsverre = "Carl Sverre <accounts@carlsverre.com>";
  cdepillabout = "Dennis Gosnell <cdep.illabout@gmail.com>";
  cfouche = "Chaddaï Fouché <chaddai.fouche@gmail.com>";
  changlinli = "Changlin Li <mail@changlinli.com>";
  chaoflow = "Florian Friesdorf <flo@chaoflow.net>";
  chattered = "Phil Scott <me@philscotted.com>";
  changlinli = "Changlin Li <mail@changlinli.com>";
  choochootrain = "Hurshal Patel <hurshal@imap.cc>";
  chris-martin = "Chris Martin <ch.martin@gmail.com>";
  chrisjefferson = "Christopher Jefferson <chris@bubblescope.net>";
@ -102,6 +106,7 @@
  codsl = "codsl <codsl@riseup.net>";
  codyopel = "Cody Opel <codyopel@gmail.com>";
  colemickens = "Cole Mickens <cole.mickens@gmail.com>";
  colescott = "Cole Scott <colescottsf@gmail.com>";
  copumpkin = "Dan Peebles <pumpkingod@gmail.com>";
  corngood = "David McFarland <corngood@gmail.com>";
  coroa = "Jonas Hörsch <jonas@chaoflow.net>";
@ -133,12 +138,15 @@
  dgonyeo = "Derek Gonyeo <derek@gonyeo.com>";
  dipinhora = "Dipin Hora <dipinhora+github@gmail.com>";
  dmalikov = "Dmitry Malikov <malikov.d.y@gmail.com>";
  DmitryTsygankov = "Dmitry Tsygankov <dmitry.tsygankov@gmail.com>";
  dmjio = "David Johnson <djohnson.m@gmail.com>";
  dochang = "Desmond O. Chang <dochang@gmail.com>";
  domenkozar = "Domen Kozar <domen@dev.si>";
  doublec = "Chris Double <chris.double@double.co.nz>";
  dpaetzel = "David Pätzel <david.a.paetzel@gmail.com>";
  drets = "Dmytro Rets <dmitryrets@gmail.com>";
  drewkett = "Andrew Burkett <burkett.andrew@gmail.com>";
  dsferruzza = "David Sferruzza <david.sferruzza@gmail.com>";
  dtzWill = "Will Dietz <nix@wdtz.org>";
  e-user = "Alexander Kahl <nixos@sodosopa.io>";
  ebzzry = "Rommel Martinez <ebzzry@gmail.com>";
@ -154,6 +162,7 @@
  eleanor = "Dejan Lukan <dejan@proteansec.com>";
  elitak = "Eric Litak <elitak@gmail.com>";
  ellis = "Ellis Whitehead <nixos@ellisw.net>";
  eperuffo = "Emanuele Peruffo <info@emanueleperuffo.com>";
  epitrochoid = "Mabry Cervin <mpcervin@uncg.edu>";
  ericbmerritt = "Eric Merritt <eric@afiniate.com>";
  ericsagnes = "Eric Sagnes <eric.sagnes@gmail.com>";
@ -178,6 +187,7 @@
  ftrvxmtrx = "Siarhei Zirukin <ftrvxmtrx@gmail.com>";
  funfunctor = "Edward O'Callaghan <eocallaghan@alterapraxis.com>";
  fuuzetsu = "Mateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>";
  fuzzy-id = "Thomas Bach <hacking+nixos@babibo.de>";
  fxfactorial = "Edgar Aroutiounian <edgar.factorial@gmail.com>";
  gal_bolle = "Florent Becker <florent.becker@ens-lyon.org>";
  garbas = "Rok Garbas <rok@garbas.si>";
@ -202,6 +212,7 @@
  havvy = "Ryan Scheel <ryan.havvy@gmail.com>";
  hbunke = "Hendrik Bunke <bunke.hendrik@gmail.com>";
  hce = "Hans-Christian Esperer <hc@hcesperer.org>";
  heel = "Sergii Paryzhskyi <parizhskiy@gmail.com>";
  henrytill = "Henry Till <henrytill@gmail.com>";
  hinton = "Tom Hinton <t@larkery.com>";
  hrdinka = "Christoph Hrdinka <c.nix@hrdinka.at>";
@ -209,9 +220,11 @@
  ianwookim = "Ian-Woo Kim <ianwookim@gmail.com>";
  igsha = "Igor Sharonov <igor.sharonov@gmail.com>";
  ikervagyok = "Balázs Lengyel <ikervagyok@gmail.com>";
  infinisil = "Silvan Mosberger <infinisil@icloud.com";
  ivan-tkatchev = "Ivan Tkatchev <tkatchev@gmail.com>";
  j-keck = "Jürgen Keck <jhyphenkeck@gmail.com>";
  jagajaga = "Arseniy Seroka <ars.seroka@gmail.com>";
  jansol = "Jan Solanti <jan.solanti@paivola.fi>";
  javaguirre = "Javier Aguirre <contacto@javaguirre.net>";
  jb55 = "William Casarin <bill@casarin.me>";
  jbedo = "Justin Bedő <cu@cua0.org>";
@ -223,6 +236,7 @@
  jgeerds = "Jascha Geerds <jascha@jgeerds.name>";
  jgertm = "Tim Jaeger <jger.tm@gmail.com>";
  jgillich = "Jakob Gillich <jakob@gillich.me>";
  jhhuh = "Ji-Haeng Huh <jhhuh.note@gmail.com>";
  jirkamarsik = "Jirka Marsik <jiri.marsik89@gmail.com>";
  joachifm = "Joachim Fasting <joachifm@fastmail.fm>";
  joamaki = "Jussi Maki <joamaki@gmail.com>";
@ -233,6 +247,7 @@
  jonafato = "Jon Banafato <jon@jonafato.com>";
  jpbernardy = "Jean-Philippe Bernardy <jeanphilippe.bernardy@gmail.com>";
  jpierre03 = "Jean-Pierre PRUNARET <nix@prunetwork.fr>";
  jpotier = "Martin Potier <jpo.contributes.to.nixos@marvid.fr>";
  jraygauthier = "Raymond Gauthier <jraygauthier@gmail.com>";
  juliendehos = "Julien Dehos <dehos@lisic.univ-littoral.fr>";
  jwiegley = "John Wiegley <johnw@newartisans.com>";
@ -310,6 +325,7 @@
  michalrus = "Michal Rus <m@michalrus.com>";
  michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
  mikefaille = "Michaël Faille <michael@faille.io>";
  miltador = "Vasiliy Solovey <miltador@yandex.ua>";
  mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
  mingchuan = "Ming Chuan <ming@culpring.com>";
  mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
@ -340,9 +356,11 @@
  nathan-gs = "Nathan Bijnens <nathan@nathan.gs>";
  nckx = "Tobias Geerinckx-Rice <tobias.geerinckx.rice@gmail.com>";
  ndowens = "Nathan Owens <ndowens04@gmail.com>";
  neeasade = "Nathan Isom <nathanisom27@gmail.com>";
  nequissimus = "Tim Steinbach <tim@nequissimus.com>";
  nfjinjing = "Jinjing Wang <nfjinjing@gmail.com>";
  nhooyr = "Anmol Sethi <anmol@aubble.com>";
  nickhu = "Nick Hu <me@nickhu.co.uk>";
  nicknovitski = "Nick Novitski <nixpkgs@nicknovitski.com>";
  nico202 = "Nicolò Balzarotti <anothersms@gmail.com>";
  NikolaMandic = "Ratko Mladic <nikola@mandic.email>";
@ -351,6 +369,7 @@
  notthemessiah = "Brian Cohen <brian.cohen.88@gmail.com>";
  np = "Nicolas Pouillard <np.nix@nicolaspouillard.fr>";
  nslqqq = "Nikita Mikhailov <nslqqq@gmail.com>";
  nthorne = "Niklas Thörne <notrupertthorne@gmail.com>";
  obadz = "obadz <obadz-nixos@obadz.com>";
  ocharles = "Oliver Charles <ollie@ocharles.org.uk>";
  odi = "Oliver Dunkl <oliver.dunkl@gmail.com>";
@ -370,7 +389,9 @@
  palo = "Ingolf Wanger <palipalo9@googlemail.com>";
  paperdigits = "Mica Semrick <mica@silentumbrella.com>";
  pashev = "Igor Pashev <pashev.igor@gmail.com>";
  patternspandemic = "Brad Christensen <patternspandemic@live.com>";
  pawelpacana = "Paweł Pacana <pawel.pacana@gmail.com>";
  pbogdan = "Piotr Bogdan <ppbogdan@gmail.com>";
  periklis = "theopompos@gmail.com";
  pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
  peterhoeg = "Peter Hoeg <peter@hoeg.com>";
@ -380,12 +401,14 @@
  Phlogistique = "Noé Rubinstein <noe.rubinstein@gmail.com>";
  phreedom = "Evgeny Egorochkin <phreedom@yandex.ru>";
  phunehehe = "Hoang Xuan Phu <phunehehe@gmail.com>";
  pierrer = "Pierre Radermecker <pierrer@pi3r.be>";
  pierron = "Nicolas B. Pierron <nixos@nbp.name>";
  piotr = "Piotr Pietraszkiewicz <ppietrasa@gmail.com>";
  pjbarnoy = "Perry Barnoy <pjbarnoy@gmail.com>";
  pjones = "Peter Jones <pjones@devalot.com>";
  pkmx = "Chih-Mao Chen <pkmx.tw@gmail.com>";
  plcplc = "Philip Lykke Carlsen <plcplc@gmail.com>";
  plumps = "Maksim Bronsky <maks.bronsky@web.de";
  pmahoney = "Patrick Mahoney <pat@polycrystal.org>";
  pmiddend = "Philipp Middendorf <pmidden@secure.mailbox.org>";
  polyrod = "Maurizio Di Pietro <dc1mdp@gmail.com>";
@ -447,6 +470,8 @@
  scolobb = "Sergiu Ivanov <sivanov@colimite.fr>";
  sepi = "Raffael Mancini <raffael@mancini.lu>";
  seppeljordan = "Sebastian Jordan <sebastian.jordan.mail@googlemail.com>";
  shanemikel = "Shane Pearlman <shanemikel1@gmail.com>";
  shawndellysse = "Shawn Dellysse <sdellysse@gmail.com>";
  sheenobu = "Sheena Artrip <sheena.artrip@gmail.com>";
  sheganinans = "Aistis Raulinaitis <sheganinans@gmail.com>";
  shell = "Shell Turner <cam.turn@gmail.com>";
@ -478,7 +503,9 @@
  sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
  taeer = "Taeer Bar-Yam <taeer@necsi.edu>";
  tailhook = "Paul Colomiets <paul@colomiets.name>";
  takikawa = "Asumu Takikawa <asumu@igalia.com>";
  taktoa = "Remy Goldschmidt <taktoa@gmail.com>";
  taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
  tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
  teh = "Tom Hunger <tehunger@gmail.com>";
  telotortium = "Robert Irelan <rirelan@gmail.com>";
@ -501,7 +528,8 @@
  tvorog = "Marsel Zaripov <marszaripov@gmail.com>";
  twey = "James ‘Twey’ Kay <twey@twey.co.uk>";
  uralbash = "Svintsov Dmitry <root@uralbash.ru>";
-  urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>";
+  utdemir = "Utku Demir <me@utdemir.com>";
  #urkud = "Yury G. Kudryashov <urkud+nix@ya.ru>"; inactive since 2012
  uwap = "uwap <me@uwap.name>";
  vandenoever = "Jos van den Oever <jos@vandenoever.info>";
  vanzef = "Ivan Solyankin <vanzef@gmail.com>";
@ -530,6 +558,8 @@
  womfoo = "Kranium Gikos Mendoza <kranium@gikos.net>";
  wscott = "Wayne Scott <wsc9tt@gmail.com>";
  wyvie = "Elijah Rum <elijahrum@gmail.com>";
  xnwdd = "Guillermo NWDD <nwdd+nixos@no.team>";
  xvapx = "Marti Serra <marti.serra.coscollano@gmail.com>";
  xwvvvvwx = "David Terry <davidterry@posteo.de>";
  yarr = "Dmitry V. <savraz@gmail.com>";
  yochai = "Yochai <yochai@titat.info>";
--- a/lib/modules.nix
+++ b/lib/modules.nix
@ -20,7 +20,8 @@ rec {
                , prefix ? []
                , # This should only be used for special arguments that need to be evaluated
                  # when resolving module structure (like in imports). For everything else,
-                  # there's _module.args.
+                  # there's _module.args. If specialArgs.modulesPath is defined it will be
                  # used as the base path for disabledModules.
                  specialArgs ? {}
                , # This would be remove in the future, Prefer _module.args option instead.
                  args ? {}
@ -58,10 +59,7 @@ rec {
      closed = closeModules (modules ++ [ internalModule ]) ({ inherit config options; lib = import ./.; } // specialArgs);
-      # Note: the list of modules is reversed to maintain backward
+      options = mergeModules prefix (reverseList (filterModules (specialArgs.modulesPath or "") closed));
      # compatibility with the old module system.  Not sure if this is
      # the most sensible policy.
      options = mergeModules prefix (reverseList closed);
      # Traverse options and extract the option values into the final
      # config set.  At the same time, check whether all option
@ -87,6 +85,16 @@ rec {
      result = { inherit options config; };
    in result;
 # Filter disabled modules. Modules can be disabled allowing
 # their implementation to be replaced.
 filterModules = modulesPath: modules:
   let
     moduleKey = m: if isString m then toString modulesPath + "/" + m else toString m;
     disabledKeys = map moduleKey (concatMap (m: m.disabledModules) modules);
   in
     filter (m: !(elem m.key disabledKeys)) modules;
  /* Close a set of modules under the ‘imports’ relation. */
  closeModules = modules: args:
    let
@ -106,17 +114,18 @@ rec {
  /* Massage a module into canonical form, that is, a set consisting
     of ‘options’, ‘config’ and ‘imports’ attributes. */
  unifyModuleSyntax = file: key: m:
-    let metaSet = if m ? meta 
+    let metaSet = if m ? meta
      then { meta = m.meta; }
      else {};
    in
    if m ? config || m ? options then
-      let badAttrs = removeAttrs m ["imports" "options" "config" "key" "_file" "meta"]; in
+      let badAttrs = removeAttrs m ["_file" "key" "disabledModules" "imports" "options" "config" "meta"]; in
      if badAttrs != {} then
        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by assignments to the top-level attributes `config' or `options'."
      else
        { file = m._file or file;
          key = toString m.key or key;
          disabledModules = m.disabledModules or [];
          imports = m.imports or [];
          options = m.options or {};
          config = mkMerge [ (m.config or {}) metaSet ];
@ -124,9 +133,10 @@ rec {
    else
      { file = m._file or file;
        key = toString m.key or key;
        disabledModules = m.disabledModules or [];
        imports = m.require or [] ++ m.imports or [];
        options = {};
-        config = mkMerge [ (removeAttrs m ["key" "_file" "require" "imports"]) metaSet ];
+        config = mkMerge [ (removeAttrs m ["_file" "key" "disabledModules" "require" "imports"]) metaSet ];
      };
  applyIfFunction = key: f: args@{ config, options, lib, ... }: if isFunction f then
@ -585,7 +595,7 @@ rec {
       functionality
     This show a warning if any a.b.c or d.e.f is set, and set the value of
-     x.y.z to the result of the merge function 
+     x.y.z to the result of the merge function
  */
  mkMergedOptionModule = from: to: mergeFn:
    { config, options, ... }:
@ -601,12 +611,12 @@ rec {
          let val = getAttrFromPath f config;
              opt = getAttrFromPath f options;
          in
-          optionalString 
+          optionalString
            (val != "_mkMergedOptionModule")
            "The option `${showOption f}' defined in ${showFiles opt.files} has been changed to `${showOption to}' that has a different type. Please read `${showOption to}' documentation and update your configuration accordingly."
        ) from);
      } // setAttrByPath to (mkMerge
-             (optional 
+             (optional
               (any (f: (getAttrFromPath f config) != "_mkMergedOptionModule") from)
               (mergeFn config)));
    };
--- a/lib/strings.nix
+++ b/lib/strings.nix
@ -291,7 +291,7 @@ rec {
      recurse = index: startAt:
        let cutUntil = i: [(substring startAt (i - startAt) s)]; in
-        if index < lastSearch then
+        if index <= lastSearch then
          if startWithSep index then
            let restartAt = index + sepLen; in
            cutUntil index ++ recurse restartAt restartAt
@ -476,10 +476,8 @@ rec {
  readPathsFromFile = rootPath: file:
    let
      root = toString rootPath;
-      lines =
+      lines = lib.splitString "\n" (builtins.readFile file);
-        builtins.map (lib.removeSuffix "\n")
+      removeComments = lib.filter (line: line != "" && !(lib.hasPrefix "#" line));
        (lib.splitString "\n" (builtins.readFile file));
      removeComments = lib.filter (line: !(lib.hasPrefix "#" line));
      relativePaths = removeComments lines;
      absolutePaths = builtins.map (path: builtins.toPath (root + "/" + path)) relativePaths;
    in
--- a/lib/tests.nix
+++ b/lib/tests.nix
@ -1,3 +1,6 @@
 # to run these tests:
 # nix-instantiate --eval --strict nixpkgs/lib/tests.nix
 # if the resulting list is empty, all tests passed
 let inherit (builtins) add; in
 with import ./default.nix;
@ -45,10 +48,34 @@ runTests {
    expected = ["b" "c"];
  };
-  testFold = {
+  testFold =
-    expr = fold (builtins.add) 0 (range 0 100);
+    let
-    expected = 5050;
+      f = op: fold: fold op 0 (range 0 100);
-  };
+      # fold with associative operator
      assoc = f builtins.add;
      # fold with non-associative operator
      nonAssoc = f builtins.sub;
    in {
      expr = {
        assocRight = assoc foldr;
        # right fold with assoc operator is same as left fold
        assocRightIsLeft = assoc foldr == assoc foldl;
        nonAssocRight = nonAssoc foldr;
        nonAssocLeft = nonAssoc foldl;
        # with non-assoc operator the fold results are not the same
        nonAssocRightIsNotLeft = nonAssoc foldl != nonAssoc foldr;
        # fold is an alias for foldr
        foldIsRight = nonAssoc fold == nonAssoc foldr;
      };
      expected = {
        assocRight = 5050;
        assocRightIsLeft = true;
        nonAssocRight = 50;
        nonAssocLeft = (-5050);
        nonAssocRightIsNotLeft = true;
        foldIsRight = true;
      };
    };
  testTake = testAllTrue [
    ([] == (take 0 [  1 2 3 ]))
@ -80,7 +107,7 @@ runTests {
                     y = x.merge {};
                in (y.merge) { a = 10; };
-          resRem7 = res6.replace (a : removeAttrs a ["a"]);
+          resRem7 = res6.replace (a: removeAttrs a ["a"]);
          resReplace6 = let x = defaultOverridableDelayableArgs id { a = 7; mergeAttrBy = { a = add; }; };
                            x2 = x.merge { a = 20; }; # now we have 27
@ -88,10 +115,10 @@ runTests {
          # fixed tests (delayed args): (when using them add some comments, please)
          resFixed1 =
-                let x = defaultOverridableDelayableArgs id ( x : { a = 7; c = x.fixed.b; });
+                let x = defaultOverridableDelayableArgs id ( x: { a = 7; c = x.fixed.b; });
-                    y = x.merge (x : { name = "name-${builtins.toString x.fixed.c}"; });
+                    y = x.merge (x: { name = "name-${builtins.toString x.fixed.c}"; });
                in (y.merge) { b = 10; };
-          strip = attrs : removeAttrs attrs ["merge" "replace"];
+          strip = attrs: removeAttrs attrs ["merge" "replace"];
      in all id
        [ ((strip res1) == { })
          ((strip res2) == { a = 7; })
@ -220,4 +247,34 @@ runTests {
      expected = builtins.toJSON val;
  };
  testSplitStringsSimple = {
    expr = strings.splitString "." "a.b.c.d";
    expected = [ "a" "b" "c" "d" ];
  };
  testSplitStringsEmpty = {
    expr = strings.splitString "." "a..b";
    expected = [ "a" "" "b" ];
  };
  testSplitStringsOne = {
    expr = strings.splitString ":" "a.b";
    expected = [ "a.b" ];
  };
  testSplitStringsNone = {
    expr = strings.splitString "." "";
    expected = [ "" ];
  };
  testSplitStringsFirstEmpty = {
    expr = strings.splitString "/" "/a/b/c";
    expected = [ "" "a" "b" "c" ];
  };
  testSplitStringsLastEmpty = {
    expr = strings.splitString ":" "2001:db8:0:0042::8a2e:370:";
    expected = [ "2001" "db8" "0" "0042" "" "8a2e" "370" "" ];
  };
 }
--- a/lib/tests/modules.sh
+++ b/lib/tests/modules.sh
@ -99,6 +99,14 @@ checkConfigOutput 'true' "$@" ./define-enable.nix ./define-loaOfSub-if-foo-enabl
 checkConfigOutput 'true' "$@" ./define-enable.nix ./define-loaOfSub-foo-if-enable.nix
 checkConfigOutput 'true' "$@" ./define-enable.nix ./define-loaOfSub-foo-enable-if.nix
 # Check disabledModules with config definitions and option declarations.
 set -- config.enable ./define-enable.nix ./declare-enable.nix
 checkConfigOutput "true" "$@"
 checkConfigOutput "false" "$@" ./disable-define-enable.nix
 checkConfigError "The option .*enable.* defined in .* does not exist" "$@" ./disable-declare-enable.nix
 checkConfigError "attribute .*enable.* in selection path .*config.enable.* not found" "$@" ./disable-define-enable.nix ./disable-declare-enable.nix
 checkConfigError "attribute .*enable.* in selection path .*config.enable.* not found" "$@" ./disable-enable-modules.nix
 # Check _module.args.
 set -- config.enable ./declare-enable.nix ./define-enable-with-custom-arg.nix
 checkConfigError 'while evaluating the module argument .*custom.* in .*define-enable-with-custom-arg.nix.*:' "$@"
--- a/lib/tests/modules/default.nix
+++ b/lib/tests/modules/default.nix
@ -1,7 +1,8 @@
-{ lib ? import <nixpkgs/lib>, modules ? [] }:
+{ lib ? import ../.., modules ? [] }:
 {
  inherit (lib.evalModules {
    inherit modules;
    specialArgs.modulesPath = ./.;
  }) config options;
 }
--- a/lib/tests/modules/disable-declare-enable.nix
+++ b/lib/tests/modules/disable-declare-enable.nix
@ -0,0 +1,5 @@
 { lib, ... }:
 {
  disabledModules = [ ./declare-enable.nix ];
 }
--- a/lib/tests/modules/disable-define-enable.nix
+++ b/lib/tests/modules/disable-define-enable.nix
@ -0,0 +1,5 @@
 { lib, ... }:
 {
  disabledModules = [ ./define-enable.nix ];
 }
--- a/lib/tests/modules/disable-enable-modules.nix
+++ b/lib/tests/modules/disable-enable-modules.nix
@ -0,0 +1,5 @@
 { lib, ... }:
 {
  disabledModules = [ "define-enable.nix" "declare-enable.nix" ];
 }
--- a/lib/trivial.nix
+++ b/lib/trivial.nix
@ -1,17 +1,44 @@
 rec {
-  # Identity function.
+  /* The identity function
     For when you need a function that does “nothing”.
     Type: id :: a -> a
  */
  id = x: x;
-  # Constant function.
+  /* The constant function
     Ignores the second argument.
     Or: Construct a function that always returns a static value.
     Type: const :: a -> b -> a
     Example:
       let f = const 5; in f 10
       => 5
  */
  const = x: y: x;
-  # Named versions corresponding to some builtin operators.
+
  ## Named versions corresponding to some builtin operators.
  /* Concat two strings */
  concat = x: y: x ++ y;
  /* boolean “or” */
  or = x: y: x || y;
  /* boolean “and” */
  and = x: y: x && y;
  /* Merge two attribute sets shallowly, right side trumps left
     Example:
       mergeAttrs { a = 1; b = 2; } // { b = 3; c = 4; }
       => { a = 1; b = 3; c = 4; }
  */
  mergeAttrs = x: y: x // y;
  # Compute the fixed point of the given function `f`, which is usually an
  # attribute set that expects its final, non-recursive representation as an
  # argument:
--- a/lib/types.nix
+++ b/lib/types.nix
@ -6,7 +6,7 @@ with import ./attrsets.nix;
 with import ./options.nix;
 with import ./trivial.nix;
 with import ./strings.nix;
-with {inherit (import ./modules.nix) mergeDefinitions filterOverrides; };
+let inherit (import ./modules.nix) mergeDefinitions filterOverrides; in
 rec {
@ -81,7 +81,7 @@ rec {
      #   name: name of the type
      #   type: type function.
      #   wrapped: the type wrapped in case of compound types.
-      #   payload: values of the type, two payloads of the same type must be 
+      #   payload: values of the type, two payloads of the same type must be
      #            combinable with the binOp binary operation.
      #   binOp: binary operation that merge two payloads of the same type.
      functor ? defaultFunctor name
--- a/maintainers/docker/.dockerignore
+++ b/maintainers/docker/.dockerignore
@ -1,14 +0,0 @@
 *~
 ,*
 .*.swp
 .*.swo
 result
 result-*
 /doc/NEWS.html
 /doc/NEWS.txt
 /doc/manual.html
 /doc/manual.pdf
 .version-suffix
 .DS_Store
 .git
--- a/maintainers/docker/Dockerfile
+++ b/maintainers/docker/Dockerfile
@ -1,12 +0,0 @@
 FROM busybox
 RUN dir=`mktemp -d` && trap 'rm -rf "$dir"' EXIT && \
    wget -O- https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2  | bzcat | tar x -C $dir && \
    mkdir -m 0755 /nix && USER=root sh $dir/*/install && \
    echo ". /root/.nix-profile/etc/profile.d/nix.sh" >> /etc/profile
 ADD . /root/nix/nixpkgs
 ONBUILD ENV NIX_PATH nixpkgs=/root/nix/nixpkgs:nixos=/root/nix/nixpkgs/nixos
 ONBUILD ENV PATH /root/.nix-profile/bin:/root/.nix-profile/sbin:/bin:/sbin:/usr/bin:/usr/sbin
 ONBUILD ENV ENV /etc/profile
 ENV ENV /etc/profile
--- a/maintainers/scripts/hydra-eval-failures.py
+++ b/maintainers/scripts/hydra-eval-failures.py
@ -5,6 +5,7 @@
 import subprocess
 import json
 import sys
 import click
 import requests
@ -47,8 +48,8 @@ def get_maintainers(attr_name):
@click.command()
@click.option(
    '--jobset',
-    default="nixos/release-16.09",
+    default="nixos/release-17.03",
-    help='Hydra project like nixos/release-16.09')
+    help='Hydra project like nixos/release-17.03')
 def cli(jobset):
    """
    Given a Hydra project, inspect latest evaluation
@ -73,14 +74,18 @@ def cli(jobset):
    # TODO: dependency failed without propagated builds
    for tr in d('img[alt="Failed"]').parents('tr'):
        a = pq(tr)('a')[1]
-        print "- [ ] [{}]({})".format(a.text, a.get('href'))
+        print("- [ ] [{}]({})".format(a.text, a.get('href')))
        sys.stdout.flush()
        maintainers = get_maintainers(a.text)
        if maintainers:
-            print "  - maintainers: {}".format(", ".join(map(lambda u: '@' + u, maintainers)))
+            print("  - maintainers: {}".format(", ".join(map(lambda u: '@' + u, maintainers))))
        # TODO: print last three persons that touched this file
        # TODO: pinpoint the diff that broke this build, or maybe it's transient or maybe it never worked?
        sys.stdout.flush()
 if __name__ == "__main__":
    try:
--- a/maintainers/scripts/nix-diff.sh
+++ b/maintainers/scripts/nix-diff.sh
@ -0,0 +1,277 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash -p coreutils gnugrep gnused
 ################################################################################
 # nix-diff.sh                                                                  #
 ################################################################################
 # This script "diffs" Nix profile generations.                                 #
 #                                                                              #
 # Example:                                                                     #
 ################################################################################
 # > nix-diff.sh 90 92                                                          #
 # + gnumake-4.2.1                                                              #
 # + gnumake-4.2.1-doc                                                          #
 # - htmldoc-1.8.29                                                             #
 ################################################################################
 # The example shows that as of generation 92 and since generation 90,          #
 # gnumake-4.2.1 and gnumake-4.2.1-doc have been installed, while               #
 # htmldoc-1.8.29 has been removed.                                             #
 #                                                                              #
 # The example above shows the default, minimal output mode of this script.     #
 # For more features, run `nix-diff.sh -h` for usage instructions.              #
 ################################################################################
 usage() {
    cat <<EOF
 usage: nix-diff.sh [-h | [-p profile | -s] [-q] [-l] [range]]
 -h:         print this message before exiting
 -q:         list the derivations installed in the parent generation
 -l:         diff every available intermediate generation between parent and
            child
 -p profile: specify the Nix profile to use
            * defaults to ~/.nix-profile
 -s:         use the system profile
            * equivalent to: -p /nix/var/nix/profiles/system
 profile:    * should be something like /nix/var/nix/profiles/default, not a
              generation link like /nix/var/nix/profiles/default-2-link
 range:      the range of generations to diff
            * the following patterns are allowed, where A, B, and N are positive
              integers, and G is the currently active generation:
                A..B => diffs from generation A to generation B
                ~N   => diffs from the Nth newest generation (older than G) to G
                A    => diffs from generation A to G
            * defaults to ~1
 EOF
 }
 usage_tip() {
    echo 'run `nix-diff.sh -h` for usage instructions' >&2
    exit 1
 }
 while getopts :hqlp:s opt; do
    case $opt in
        h)
            usage
            exit
            ;;
        q)
            opt_query=1
            ;;
        l)
            opt_log=1
            ;;
        p)
            opt_profile=$OPTARG
            ;;
        s)
            opt_profile=/nix/var/nix/profiles/system
            ;;
        \?)
            echo "error: invalid option -$OPTARG" >&2
            usage_tip
            ;;
    esac
 done
 shift $((OPTIND-1))
 if [ -n "$opt_profile" ]; then
    if ! [ -L "$opt_profile" ]; then
        echo "error: expecting \`$opt_profile\` to be a symbolic link" >&2
        usage_tip
    fi
 else
    opt_profile=$(readlink ~/.nix-profile)
    if (( $? != 0 )); then
        echo 'error: unable to dereference `~/.nix-profile`' >&2
        echo 'specify the profile manually with the `-p` flag' >&2
        usage_tip
    fi
 fi
 list_gens() {
    nix-env -p "$opt_profile" --list-generations \
        | sed -r 's:^\s*::' \
        | cut -d' ' -f1
 }
 current_gen() {
    nix-env -p "$opt_profile" --list-generations \
        | grep -E '\(current\)\s*$' \
        | sed -r 's:^\s*::' \
        | cut -d' ' -f1
 }
 neg_gen() {
    local i=0 from=$1 n=$2 tmp
    for gen in $(list_gens | sort -rn); do
        if ((gen < from)); then
            tmp=$gen
            ((i++))
            ((i == n)) && break
        fi
    done
    if ((i < n)); then
        echo -n "error: there aren't $n generation(s) older than" >&2
        echo " generation $from" >&2
        return 1
    fi
    echo $tmp
 }
 match() {
    argv=("$@")
    for i in $(seq $(($#-1))); do
        if grep -E "^${argv[$i]}\$" <(echo "$1") >/dev/null; then
            echo $i
            return
        fi
    done
    echo 0
 }
 case $(match "$1" '' '[0-9]+' '[0-9]+\.\.[0-9]+' '~[0-9]+') in
    1)
        diffTo=$(current_gen)
        diffFrom=$(neg_gen $diffTo 1)
        (($? == 1)) && usage_tip
        ;;
    2)
        diffFrom=$1
        diffTo=$(current_gen)
        ;;
    3)
        diffFrom=${1%%.*}
        diffTo=${1##*.}
        ;;
    4)
        diffTo=$(current_gen)
        diffFrom=$(neg_gen $diffTo ${1#*~})
        (($? == 1)) && usage_tip
        ;;
    0)
        echo 'error: invalid invocation' >&2
        usage_tip
        ;;
 esac
 dirA="${opt_profile}-${diffFrom}-link"
 dirB="${opt_profile}-${diffTo}-link"
 declare -a temp_files
 temp_length() {
    echo -n ${#temp_files[@]}
 }
 temp_make() {
    temp_files[$(temp_length)]=$(mktemp)
 }
 temp_clean() {
    rm -f ${temp_files[@]}
 }
 temp_name() {
    echo -n "${temp_files[$(($(temp_length)-1))]}"
 }
 trap 'temp_clean' EXIT
 temp_make
 versA=$(temp_name)
 refs=$(nix-store -q --references "$dirA")
 (( $? != 0 )) && exit 1
 echo "$refs" \
    | grep -v env-manifest.nix \
    | sort \
          > "$versA"
 print_tag() {
    local gen=$1
    nix-env -p "$opt_profile" --list-generations \
        | grep -E "^\s*${gen}" \
        | sed -r 's:^\s*::' \
        | sed -r 's:\s*$::'
 }
 if [ -n "$opt_query" ]; then
    print_tag $diffFrom
    cat "$versA" \
        | sed -r 's:^[^-]+-(.*)$:    \1:'
    print_line=1
 fi
 if [ -n "$opt_log" ]; then
    gens=$(for gen in $(list_gens); do
               ((diffFrom < gen && gen < diffTo)) && echo $gen
           done)
    # Force the $diffTo generation to be included in this list, instead of using
    # `gen <= diffTo` in the preceding loop, so we encounter an error upon the
    # event of its nonexistence.
    gens=$(echo "$gens"
           echo $diffTo)
 else
    gens=$diffTo
 fi
 temp_make
 add=$(temp_name)
 temp_make
 rem=$(temp_name)
 temp_make
 out=$(temp_name)
 for gen in $gens; do
    [ -n "$print_line" ] && echo
    temp_make
    versB=$(temp_name)
    dirB="${opt_profile}-${gen}-link"
    refs=$(nix-store -q --references "$dirB")
    (( $? != 0 )) && exit 1
    echo "$refs" \
        | grep -v env-manifest.nix \
        | sort \
              > "$versB"
    in=$(comm -3 -1 "$versA" "$versB")
    sed -r 's:^[^-]*-(.*)$:\1+:' <(echo "$in") \
        | sort -f \
               > "$add"
    un=$(comm -3 -2 "$versA" "$versB")
    sed -r 's:^[^-]*-(.*)$:\1-:' <(echo "$un") \
        | sort -f \
               > "$rem"
    cat "$rem" "$add" \
        | sort -f \
        | sed -r 's:(.*)-$:- \1:' \
        | sed -r 's:(.*)\+$:\+ \1:' \
        | grep -v '^$' \
              > "$out"
    if [ -n "$opt_query" -o -n "$opt_log" ]; then
        lines=$(wc -l "$out" | cut -d' ' -f1)
        tag=$(print_tag "$gen")
        (( $? != 0 )) && exit 1
        if [ $lines -eq 0 ]; then
            echo "$tag   (no change)"
        else
            echo "$tag"
        fi
        cat "$out" \
            | sed 's:^:    :'
        print_line=1
    else
        echo "diffing from generation $diffFrom to $diffTo"
        cat "$out"
    fi
    versA=$versB
 done
 exit 0
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -37,7 +37,4 @@ in
  vm = vmConfig.system.build.vm;
  vmWithBootLoader = vmWithBootLoaderConfig.system.build.vm;
  # The following are used by nixos-rebuild.
  nixFallback = pkgs.nixUnstable.out;
 }
--- a/nixos/doc/manual/configuration/modularity.xml
+++ b/nixos/doc/manual/configuration/modularity.xml
@ -37,7 +37,7 @@ latter might look like this:
 { services.xserver.enable = true;
  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.desktopManager.kde5.enable = true;
+  services.xserver.desktopManager.plasma5.enable = true;
 }
 </programlisting>
--- a/nixos/doc/manual/configuration/network-manager.xml
+++ b/nixos/doc/manual/configuration/network-manager.xml
@ -27,7 +27,11 @@ users.extraUsers.youruser.extraGroups = [ "networkmanager" ];
 <para>NetworkManager is controlled using either <command>nmcli</command> or
 <command>nmtui</command> (curses-based terminal user interface). See their
 manual pages for details on their usage. Some desktop environments (GNOME, KDE)
-have their own configuration tools for NetworkManager.</para>
+have their own configuration tools for NetworkManager. On XFCE, there is no
 configuration tool for NetworkManager by default: by adding
 <code>networkmanagerapplet</code> to the list of system packages, the graphical
 applet will be installed and will launch automatically when XFCE is starting
 (and will show in the status tray).</para>
 <note><para><code>networking.networkmanager</code> and
 <code>networking.wireless</code> (WPA Supplicant) cannot be enabled at the same
--- a/nixos/doc/manual/configuration/x-windows.xml
+++ b/nixos/doc/manual/configuration/x-windows.xml
@ -25,19 +25,23 @@ Otherwise, you can only log into a plain undecorated
 <command>xterm</command> window.  Thus you should pick one or more of
 the following lines:
 <programlisting>
-services.xserver.desktopManager.kde5.enable = true;
+services.xserver.desktopManager.plasma5.enable = true;
 services.xserver.desktopManager.xfce.enable = true;
 services.xserver.desktopManager.gnome3.enable = true;
 services.xserver.windowManager.xmonad.enable = true;
 services.xserver.windowManager.twm.enable = true;
 services.xserver.windowManager.icewm.enable = true;
 services.xserver.windowManager.i3.enable = true;
 </programlisting>
 </para>
 <para>NixOS’s default <emphasis>display manager</emphasis> (the
 program that provides a graphical login prompt and manages the X
-server) is SLiM.  You can select KDE’s <command>sddm</command> instead:
+server) is SLiM. You can select an alternative one by picking one
 of the following lines:
 <programlisting>
 services.xserver.displayManager.sddm.enable = true;
 services.xserver.displayManager.lightdm.enable = true;
 </programlisting>
 </para>
--- a/nixos/doc/manual/configuration/xfce.xml
+++ b/nixos/doc/manual/configuration/xfce.xml
@ -9,10 +9,10 @@
    <para>
        To enable the Xfce Desktop Environment, set
        <programlisting>
-            services.xserver.desktopManager = {
+services.xserver.desktopManager = {
-                xfce.enable = true;
+    xfce.enable = true;
-                default = "xfce";
+    default = "xfce";
-            };
+};
        </programlisting>
    </para>
@ -20,13 +20,13 @@
        Optionally, <emphasis>compton</emphasis>
        can be enabled for nice graphical effects, some example settings:
        <programlisting>
-            services.compton = {
+services.compton = {
-              enable          = true;
+  enable          = true;
-              fade            = true;
+  fade            = true;
-              inactiveOpacity = "0.9";
+  inactiveOpacity = "0.9";
-              shadow          = true;
+  shadow          = true;
-              fadeDelta       = 4;
+  fadeDelta       = 4;
-            };
+};
        </programlisting>
    </para>
@ -34,16 +34,16 @@
        Some Xfce programs are not installed automatically.
        To install them manually (system wide), put them into your
        <literal>environment.systemPackages</literal>.
-	</para>
+    </para>
    <para>
-		NixOS’s default <emphasis>display manager</emphasis>is SLiM.
+        NixOS’s default <emphasis>display manager</emphasis> is SLiM.
-		(DM is the program that provides a graphical login prompt
+        (DM is the program that provides a graphical login prompt
-		 and manages the X server.)
+         and manages the X server.)
-	   	You can, for example, select KDE’s
+        You can, for example, select KDE’s
        <command>sddm</command> instead:
        <programlisting>
-            services.xserver.displayManager.sddm.enable = true;
+services.xserver.displayManager.sddm.enable = true;
        </programlisting>
    </para>
@ -55,7 +55,7 @@
            <emphasis>Thunar</emphasis>
            volume support, put
            <programlisting>
-                services.xserver.desktopManager.xfce.enable = true;
+services.xserver.desktopManager.xfce.enable = true;
            </programlisting>
            into your <emphasis>configuration.nix</emphasis>.
        </para>
@ -84,10 +84,10 @@
            Thunar and/or the desktop takes time to show up.
            Thunar will spit out this kind of message on start
-            (look at journalctl --user -b).
+            (look at <command>journalctl --user -b</command>).
            <programlisting>
-                Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
+Thunar:2410): GVFS-RemoteVolumeMonitor-WARNING **: remote volume monitor with dbus name org.gtk.Private.UDisks2VolumeMonitor is not supported
            </programlisting>
            This is caused by some needed GNOME services not running.
@ -95,7 +95,7 @@
            the Advanced tab of the Session and Startup settings panel.
            Alternatively, you can run this command to do the same thing.
            <programlisting>
-                $ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
+$ xfconf-query -c xfce4-session -p /compat/LaunchGNOME -s true
            </programlisting>
            A log-out and re-log will be needed for this to take effect.
        </para>
--- a/nixos/doc/manual/development/replace-modules.xml
+++ b/nixos/doc/manual/development/replace-modules.xml
@ -0,0 +1,75 @@
 <section xmlns="http://docbook.org/ns/docbook"
        xmlns:xlink="http://www.w3.org/1999/xlink"
        xmlns:xi="http://www.w3.org/2001/XInclude"
        version="5.0"
        xml:id="sec-replace-modules">
 <title>Replace Modules</title>
 <para>Modules that are imported can also be disabled.  The option
  declarations and config implementation of a disabled module will be
  ignored, allowing another to take it's place.  This can be used to
  import a set of modules from another channel while keeping the rest
  of the system on a stable release.</para>
 <para><literal>disabledModules</literal> is a top level attribute like
  <literal>imports</literal>, <literal>options</literal> and
  <literal>config</literal>.  It contains a list of modules that will
  be disabled. This can either be the full path to the module or a
  string with the filename relative to the modules path
  (eg. &lt;nixpkgs/nixos/modules&gt; for nixos).
  </para>
 <para>This example will replace the existing postgresql module with
  the version defined in the nixos-unstable channel while keeping the
  rest of the modules and packages from the original nixos channel.
  This only overrides the module definition, this won't use postgresql
  from nixos-unstable unless explicitly configured to do so.</para>
 <programlisting>
 { config, lib, pkgs, ... }:
 {
  disabledModules = [ "services/databases/postgresql.nix" ];
  imports =
    [ # Use postgresql service from nixos-unstable channel.
      # sudo nix-channel --add http://nixos.org/channels/nixos-unstable nixos-unstable
      &lt;nixos-unstable/nixos/modules/services/databases/postgresql.nix&gt;
    ];
  services.postgresql.enable = true;
 }
 </programlisting>
 <para>This example shows how to define a custom module as a
  replacement for an existing module. Importing this module will
  disable the original module without having to know it's
  implementation details.</para>
 <programlisting>
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.programs.man;
 in
 {
  disabledModules = [ "services/programs/man.nix" ];
  options = {
    programs.man.enable = mkOption {
      type = types.bool;
      default = true;
      description = "Whether to enable manual pages.";
    };
  };
  config = mkIf cfg.enabled {
    warnings = [ "disabled manpages for production deployments." ];
  };
 }
 </programlisting>
 </section>
--- a/nixos/doc/manual/development/sources.xml
+++ b/nixos/doc/manual/development/sources.xml
@ -8,7 +8,7 @@
 <para>By default, NixOS’s <command>nixos-rebuild</command> command
 uses the NixOS and Nixpkgs sources provided by the
-<literal>nixos-unstable</literal> channel (kept in
+<literal>nixos</literal> channel (kept in
 <filename>/nix/var/nix/profiles/per-user/root/channels/nixos</filename>).
 To modify NixOS, however, you should check out the latest sources from
 Git.  This is as follows:
@ -27,8 +27,8 @@ a subdirectory of the Nixpkgs repository.) The remote
 <literal>channels</literal> refers to a read-only repository that
 tracks the Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/>
 for more information about channels). Thus, the Git branch
-<literal>channels/nixos-14.12</literal> will contain the latest built
+<literal>channels/nixos-17.03</literal> will contain the latest built
-and tested version available in the <literal>nixos-14.12</literal>
+and tested version available in the <literal>nixos-17.03</literal>
 channel.</para>
 <para>It’s often inconvenient to develop directly on the master
@ -39,9 +39,9 @@ branch based on your current NixOS version:
 <screen>
 $ nixos-version
-14.04.273.ea1952b (Baboon)
+17.09pre104379.6e0b727 (Hummingbird)
-$ git checkout -b local ea1952b
+$ git checkout -b local 6e0b727
 </screen>
 Or, to base your local branch on the latest version available in a
@ -49,17 +49,17 @@ NixOS channel:
 <screen>
 $ git remote update channels
-$ git checkout -b local channels/nixos-14.12
+$ git checkout -b local channels/nixos-17.03
 </screen>
-(Replace <literal>nixos-14.12</literal> with the name of the channel
+(Replace <literal>nixos-17.03</literal> with the name of the channel
 you want to use.) You can use <command>git merge</command> or
 <command>git rebase</command> to keep your local branch in sync with
 the channel, e.g.
 <screen>
 $ git remote update channels
-$ git merge channels/nixos-14.12
+$ git merge channels/nixos-17.03
 </screen>
 You can use <command>git cherry-pick</command> to copy commits from
@ -87,7 +87,11 @@ $ ln -s <replaceable>/my/sources</replaceable>/nixpkgs ~/.nix-defexpr/nixpkgs
 You may want to delete the symlink
 <filename>~/.nix-defexpr/channels_root</filename> to prevent root’s
-NixOS channel from clashing with your own tree.</para>
+NixOS channel from clashing with your own tree (this may break the
 command-not-found utility though). If you want to go back to the default
 state, you may just remove the <filename>~/.nix-defexpr</filename>
 directory completely, log out and log in again and it should have been
 recreated with a link to the root channels.</para>
 <!-- FIXME: not sure what this means.
 <para>You should not pass the base directory
--- a/nixos/doc/manual/development/writing-modules.xml
+++ b/nixos/doc/manual/development/writing-modules.xml
@ -179,5 +179,6 @@ in {
 <xi:include href="option-types.xml" />
 <xi:include href="option-def.xml" />
 <xi:include href="meta-attributes.xml" />
 <xi:include href="replace-modules.xml" />
 </chapter>
--- a/nixos/doc/manual/installation/changing-config.xml
+++ b/nixos/doc/manual/installation/changing-config.xml
@ -7,7 +7,7 @@
 <para>The file <filename>/etc/nixos/configuration.nix</filename>
 contains the current configuration of your machine.  Whenever you’ve
-changed something to that file, you should do
+<link linkend="ch-configuration">changed something</link> in that file, you should do
 <screen>
 # nixos-rebuild switch</screen>
--- a/nixos/doc/manual/installation/installing-uefi.xml
+++ b/nixos/doc/manual/installation/installing-uefi.xml
@ -26,7 +26,8 @@ changes:
    <literal>vfat</literal> filesystem.</para>
  </listitem>
  <listitem>
-    <para>You must set <option>boot.loader.systemd-boot.enable</option> to
+    <para>Instead of <option>boot.loader.grub.device</option>,
    you must set <option>boot.loader.systemd-boot.enable</option> to
    <literal>true</literal>. <command>nixos-generate-config</command>
    should do this automatically for new configurations when booted in
    UEFI mode.</para>
--- a/nixos/doc/manual/installation/installing-usb.xml
+++ b/nixos/doc/manual/installation/installing-usb.xml
@ -11,7 +11,9 @@ a USB stick. You can use the <command>dd</command> utility to write the image:
 <command>dd if=<replaceable>path-to-image</replaceable>
 of=<replaceable>/dev/sdb</replaceable></command>. Be careful about specifying the
 correct drive; you can use the <command>lsblk</command> command to get a list of
-block devices.</para>
+block devices. If you're on OS X you can run <command>diskutil list</command>
 to see the list of devices; the device you'll use for the USB must be ejected
 before writing the image.</para>
 <para>The <command>dd</command> utility will write the image verbatim to the drive,
 making it the recommended option for both UEFI and non-UEFI installations. For
--- a/nixos/doc/manual/installation/upgrading.xml
+++ b/nixos/doc/manual/installation/upgrading.xml
@ -15,12 +15,12 @@ been built.  These channels are:
 <itemizedlist>
  <listitem>
    <para><emphasis>Stable channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12">nixos-14.12</literal>.
+    xlink:href="https://nixos.org/channels/nixos-17.03">nixos-17.03</literal>.
    These only get conservative bug fixes and package upgrades.  For
    instance, a channel update may cause the Linux kernel on your
-    system to be upgraded from 3.4.66 to 3.4.67 (a minor bug fix), but
+    system to be upgraded from 4.9.16 to 4.9.17 (a minor bug fix), but
-    not from 3.4.<replaceable>x</replaceable> to
+    not from 4.9.<replaceable>x</replaceable> to
-    3.11.<replaceable>x</replaceable> (a major change that has the
+    4.11.<replaceable>x</replaceable> (a major change that has the
    potential to break things).  Stable channels are generally
    maintained until the next stable branch is created.</para>
    <para></para>
@ -34,7 +34,7 @@ been built.  These channels are:
  </listitem>
  <listitem>
    <para><emphasis>Small channels</emphasis>, such as <literal
-    xlink:href="https://nixos.org/channels/nixos-14.12-small">nixos-14.12-small</literal>
+    xlink:href="https://nixos.org/channels/nixos-17.03-small">nixos-17.03-small</literal>
    or <literal
    xlink:href="https://nixos.org/channels/nixos-unstable-small">nixos-unstable-small</literal>. These
    are identical to the stable and unstable channels described above,
@ -55,8 +55,8 @@ appliances.)</para>
 <para>When you first install NixOS, you’re automatically subscribed to
 the NixOS channel that corresponds to your installation source.   For
-instance, if you installed from a 14.12 ISO, you will be subscribed to
+instance, if you installed from a 17.03 ISO, you will be subscribed to
-the <literal>nixos-14.12</literal> channel.  To see which NixOS
+the <literal>nixos-17.03</literal> channel.  To see which NixOS
 channel you’re subscribed to, run the following as root:
 <screen>
@ -71,16 +71,16 @@ To switch to a different NixOS channel, do
 </screen>
 (Be sure to include the <literal>nixos</literal> parameter at the
-end.)  For instance, to use the NixOS 14.12 stable channel:
+end.)  For instance, to use the NixOS 17.03 stable channel:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12 nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
 </screen>
 If you have a server, you may want to use the “small” channel instead:
 <screen>
-# nix-channel --add https://nixos.org/channels/nixos-14.12-small nixos
+# nix-channel --add https://nixos.org/channels/nixos-17.03-small nixos
 </screen>
 And if you want to live on the bleeding edge:
@ -130,7 +130,7 @@ runs, see <command>systemctl list-timers</command>.)  You can also
 specify a channel explicitly, e.g.
 <programlisting>
-system.autoUpgrade.channel = https://nixos.org/channels/nixos-15.09;
+system.autoUpgrade.channel = https://nixos.org/channels/nixos-17.03;
 </programlisting>
 </para>
--- a/nixos/doc/manual/release-notes/release-notes.xml
+++ b/nixos/doc/manual/release-notes/release-notes.xml
@ -9,6 +9,7 @@
 <para>This section lists the release notes for each stable version of NixOS
 and current unstable revision.</para>
 <xi:include href="rl-1709.xml" />
 <xi:include href="rl-1703.xml" />
 <xi:include href="rl-1609.xml" />
 <xi:include href="rl-1603.xml" />
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@ -4,7 +4,15 @@
         version="5.0"
         xml:id="sec-release-17.03">
-<title>Release 17.03 (“XXX”, 2017/03/??)</title>
+<title>Release 17.03 (“Gorilla”, 2017/03/31)</title>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-highlights">
 <title>Highlights</title>
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@ -16,30 +24,158 @@ has the following highlights: </para>
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>This release is based on Glibc 2.25, GCC 5.4.0 and systemd
    232. The default Linux kernel is 4.9 and Nix is at 1.11.8.</para>
  </listitem>
  <listitem>
    <para>The default desktop environment now is KDE's Plasma 5. KDE 4 has been removed</para>
  </listitem>
  <listitem>
    <para>The setuid wrapper functionality now supports setting
    capabilities.</para>
  </listitem>
  <listitem>
-    <para>X.org server uses branch 1.19.  Due to ABI incompatibilities,
+    <para>X.org server uses branch 1.19. Due to ABI incompatibilities,
      <literal>ati_unfree</literal> keeps forcing 1.17
      and <literal>amdgpu-pro</literal> starts forcing 1.18.</para>
  </listitem>
  <listitem>
    <para>
      Cross compilation has been rewritten. See the nixpkgs manual for
      details. The most obvious breaking change is that in derivations there is no
      <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
  <listitem>
    <para>The <literal>overridePackages</literal> function has been rewritten
    to be replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
    overlays</link></para>
  </listitem>
  <listitem>
    <para>Packages in nixpkgs can be marked as insecure through listed
    vulnerabilities. See the <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs
    manual</link> for more information.</para>
  </listitem>
  <listitem>
    <para>PHP now defaults to PHP 7.1</para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-new-services">
 <title>New Services</title>
 <para>The following new services were added since the last release:</para>
 <itemizedlist>
-  <listitem>
+  <listitem><para><literal>hardware/ckb.nix</literal></para></listitem>
-    <para></para>
+  <listitem><para><literal>hardware/mcelog.nix</literal></para></listitem>
-  </listitem>
+  <listitem><para><literal>hardware/usb-wwan.nix</literal></para></listitem>
  <listitem><para><literal>hardware/video/capture/mwprocapture.nix</literal></para></listitem>
  <listitem><para><literal>programs/adb.nix</literal></para></listitem>
  <listitem><para><literal>programs/chromium.nix</literal></para></listitem>
  <listitem><para><literal>programs/gphoto2.nix</literal></para></listitem>
  <listitem><para><literal>programs/java.nix</literal></para></listitem>
  <listitem><para><literal>programs/mtr.nix</literal></para></listitem>
  <listitem><para><literal>programs/oblogout.nix</literal></para></listitem>
  <listitem><para><literal>programs/vim.nix</literal></para></listitem>
  <listitem><para><literal>programs/wireshark.nix</literal></para></listitem>
  <listitem><para><literal>security/dhparams.nix</literal></para></listitem>
  <listitem><para><literal>services/audio/ympd.nix</literal></para></listitem>
  <listitem><para><literal>services/computing/boinc/client.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/master.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/buildbot/worker.nix</literal></para></listitem>
  <listitem><para><literal>services/continuous-integration/gitlab-runner.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/riak-cs.nix</literal></para></listitem>
  <listitem><para><literal>services/databases/stanchion.nix</literal></para></listitem>
  <listitem><para><literal>services/desktops/gnome3/gnome-terminal-server.nix</literal></para></listitem>
  <listitem><para><literal>services/editors/infinoted.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/illum.nix</literal></para></listitem>
  <listitem><para><literal>services/hardware/trezord.nix</literal></para></listitem>
  <listitem><para><literal>services/logging/journalbeat.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/offlineimap.nix</literal></para></listitem>
  <listitem><para><literal>services/mail/postgrey.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/couchpotato.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/docker-registry.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/errbot.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/geoip-updater.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/gogs.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/leaps.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/nix-optimise.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/ssm-agent.nix</literal></para></listitem>
  <listitem><para><literal>services/misc/sssd.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/arbtt.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/netdata.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/default.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/alertmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/blackbox-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/json-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/nginx-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/node-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/snmp-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/unifi-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/prometheus/varnish-exporter.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/sysstat.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/telegraf.nix</literal></para></listitem>
  <listitem><para><literal>services/monitoring/vnstat.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/cachefilesd.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/glusterfs.nix</literal></para></listitem>
  <listitem><para><literal>services/network-filesystems/ipfs.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dante.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/dnscrypt-wrapper.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/fakeroute.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/flannel.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/htpdate.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/miredo.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/nftables.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/powerdns.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/pdns-recursor.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/quagga.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/redsocks.nix</literal></para></listitem>
  <listitem><para><literal>services/networking/wireguard.nix</literal></para></listitem>
  <listitem><para><literal>services/system/cgmanager.nix</literal></para></listitem>
  <listitem><para><literal>services/torrent/opentracker.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/confluence.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/crowd.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/atlassian/jira.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/frab.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/nixbot.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/selfoss.nix</literal></para></listitem>
  <listitem><para><literal>services/web-apps/quassel-webserver.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/unclutter-xfixes.nix</literal></para></listitem>
  <listitem><para><literal>services/x11/urxvtd.nix</literal></para></listitem>
  <listitem><para><literal>system/boot/systemd-nspawn.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/ecs-agent.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/lxcfs.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/keystone.nix</literal></para></listitem>
  <listitem><para><literal>virtualisation/openstack/glance.nix</literal></para></listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-incompatibilities">
 <title>Backward Incompatibilities</title>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
@ -47,10 +183,8 @@ following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
-      Cross compilation has been rewritten. See the nixpkgs manual for
+      Derivations have no <literal>.nativeDrv</literal> nor <literal>.crossDrv</literal> 
-      details. The most obvious breaking change is that derivations absent a
+      and are now cross by default, not native.
      <literal>.nativeDrv</literal> or <literal>.crossDrv</literal> are now
      cross by default, not native.
    </para>
  </listitem>
@ -87,15 +221,6 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      The Yama LSM is now enabled by default in the kernel,
      which prevents ptracing non-child processes.
      This means you will not be able to attach gdb to an existing process,
      but will need to start that process from gdb (so it is a child).
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>stripHash</literal> bash function in <literal>stdenv</literal>
@ -175,7 +300,7 @@ following incompatible changes:</para>
    <para><literal>overridePackages</literal> function no longer exists.
    It is replaced by <link
    xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
-    overlays</link>.  For example, the following code:
+    overlays</link>. For example, the following code:
 <programlisting>
  let
@ -217,10 +342,72 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
    Iputils no longer provide ping6 and traceroute6. The functionality of
    these tools has been integrated into ping and traceroute respectively. To
    enforce an address family the new flags <literal>-4</literal> and
    <literal>-6</literal> have been added. One notable incompatibility is that
    specifying an interface (for link-local IPv6 for instance) is no longer done
    with the <literal>-I</literal> flag, but by encoding the interface into the
    address (<literal>ping fe80::1%eth0</literal>).
    </para>
  </listitem>
  <listitem>
    <para>
      The socket handling of the <literal>services.rmilter</literal> module
      has been fixed and refactored. As rmilter doesn't support binding to
      more than one socket, the options <literal>bindUnixSockets</literal>
      and <literal>bindInetSockets</literal> have been replaced by
      <literal>services.rmilter.bindSocket.*</literal>. The default is still
      a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to
      the options documentation for more information.
    </para>
  </listitem>
  <listitem>
    <para>
      The <literal>fetch*</literal> functions no longer support md5,
      please use sha256 instead.
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy module interface has been streamlined around the
      <option>extraArgs</option> option. Where possible, legacy option
      declarations are mapped to <option>extraArgs</option> but will emit
      warnings. The <option>resolverList</option> has been outright
      removed: to use an unlisted resolver, use the
      <option>customResolver</option> option.
    </para>
  </listitem>
  <listitem>
    <para>
      torbrowser now stores local state under
      <filename>~/.local/share/tor-browser</filename> by default. Any
      browser profile data from the old location,
      <filename>~/.torbrowser4</filename>, must be migrated manually.
    </para>
  </listitem>
  <listitem>
    <para>
      The ihaskell, monetdb, offlineimap and sitecopy services have been removed.
    </para>
  </listitem>
 </itemizedlist>
 </section>
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.03-notable-changes">
-<para>Other notable improvements:</para>
+<title>Other Notable Changes</title>
 <itemizedlist>
@ -241,7 +428,87 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>Python 2.6 interpreter and package set have been removed.</para>
  </listitem>
  <listitem>
    <para>
      The Python 2.7 interpreter does not use modules anymore. Instead, all
      CPython interpreters now include the whole standard library except for `tkinter`,
      which is available in the Python package set.
    </para>
  </listitem>
  <listitem>
    <para>
      Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
      Minor modifications had to be made to the interpreters in order to generate
      deterministic bytecode. This has security implications and is relevant for
      those using Python in a <literal>nix-shell</literal>. See the Nixpkgs manual
      for details.
    </para>
  </listitem>
  <listitem>
    <para>
      The Python package sets now use a fixed-point combinator and the sets are
      available as attributes of the interpreters.
    </para>
  </listitem>
  <listitem>
    <para>
      The Python function <literal>buildPythonPackage</literal> has been improved and can be
      used to build from Setuptools source, Flit source, and precompiled Wheels.
    </para>
  </listitem>
  <listitem>
    <para>
      When adding new or updating current Python libraries, the expressions should be put
      in separate files in <literal>pkgs/development/python-modules</literal> and
      called from <literal>python-packages.nix</literal>.
    </para>
  </listitem>
  <listitem>
    <para>
      The dnscrypt-proxy service supports synchronizing the list of public
      resolvers without working DNS resolution. This fixes issues caused by the
      resolver list becoming outdated. It also improves the viability of
      DNSCrypt only configurations.
    </para>
  </listitem>
  <listitem>
    <para>
      Containers using bridged networking no longer lose their connection after
      changes to the host networking.
    </para>
  </listitem>
  <listitem>
    <para>
      ZFS supports pool auto scrubbing.
    </para>
  </listitem>
  <listitem>
    <para>
      The bind DNS utilities (e.g. dig) have been split into their own output and
      are now also available in <literal>pkgs.dnsutils</literal> and it is no longer
      necessary to pull in all of <literal>bind</literal> to use them.
    </para>
  </listitem>
  <listitem>
    <para>
      Per-user configuration was moved from <filename>~/.nixpkgs</filename> to
      <filename>~/.config/nixpkgs</filename>. The former is still valid for
      <filename>config.nix</filename> for backwards compatibility.
    </para>
  </listitem>
 </itemizedlist>
-
+</section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-1709.xml
+++ b/nixos/doc/manual/release-notes/rl-1709.xml
@ -0,0 +1,71 @@
 <section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-17.09">
 <title>Release 17.09 (“Hummingbird”, 2017/09/??)</title>
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
 <itemizedlist>
  <listitem>
    <para>
      The user handling now keeps track of deallocated UIDs/GIDs. When a user
      or group is revived, this allows it to be allocated the UID/GID it had before.
      A consequence is that UIDs and GIDs are no longer reused.
    </para>
  </listitem>
 </itemizedlist>
 <para>The following new services were added since the last release:</para>
 <itemizedlist>
  <listitem>
    <para></para>
  </listitem>
 </itemizedlist>
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 <itemizedlist>
  <listitem>
    <para>
    </para>
  </listitem>
 </itemizedlist>
 <para>Other notable improvements:</para>
 <itemizedlist>
  <listitem>
    <para>
      Modules can now be disabled by using <link
      xlink:href="https://nixos.org/nixpkgs/manual/#sec-replace-modules">
      disabledModules</link>, allowing another to take it's place.  This can be
      used to import a set of modules from another channel while keeping the
      rest of the system on a stable release.
    </para>
  </listitem>
  <listitem>
    <para>
      Updated to FreeType 2.7.1, including a new TrueType engine.
      The new engine replaces the Infinality engine which was the default in
      NixOS. The default font rendering settings are now provided by
      fontconfig-penultimate, replacing fontconfig-ultimate; the new defaults
      are less invasive and provide rendering that is more consistent with
      other systems and hopefully with each font designer's intent. Some
      system-wide configuration has been removed from the Fontconfig NixOS
      module where user Fontconfig settings are available.
    </para>
  </listitem>
 </itemizedlist>
 </section>
--- a/nixos/lib/make-disk-image.nix
+++ b/nixos/lib/make-disk-image.nix
@ -7,6 +7,12 @@
 , # The size of the disk, in megabytes.
  diskSize
  # The files and directories to be placed in the target file system.
  # This is a list of attribute sets {source, target} where `source'
  # is the file system object (regular file or directory) to be
  # grafted in the file system at path `target'.
 , contents ? []
 , # Whether the disk should be partitioned (with a single partition
  # containing the root filesystem) or contain the root filesystem
  # directly.
@ -45,7 +51,14 @@ pkgs.vmTools.runInLinuxVM (
          ${pkgs.vmTools.qemu}/bin/qemu-img create -f ${format} $diskImage "${toString diskSize}M"
          mv closure xchg/
        '';
-      buildInputs = [ pkgs.utillinux pkgs.perl pkgs.e2fsprogs pkgs.parted ];
+      buildInputs = with pkgs; [ utillinux perl e2fsprogs parted rsync ];
      # I'm preserving the line below because I'm going to search for it across nixpkgs to consolidate
      # image building logic. The comment right below this now appears in 4 different places in nixpkgs :)
      # !!! should use XML.
      sources = map (x: x.source) contents;
      targets = map (x: x.target) contents;
      exportReferencesGraph =
        [ "closure" config.system.build.toplevel ];
      inherit postVM;
@ -98,11 +111,45 @@ pkgs.vmTools.runInLinuxVM (
      # Remove /etc/machine-id so that each machine cloning this image will get its own id
      rm -f /mnt/etc/machine-id
      # Copy arbitrary other files into the image
      # Semi-shamelessly copied from make-etc.sh. I (@copumpkin) shall factor this stuff out as part of
      # https://github.com/NixOS/nixpkgs/issues/23052.
      set -f
      sources_=($sources)
      targets_=($targets)
      set +f
      for ((i = 0; i < ''${#targets_[@]}; i++)); do
        source="''${sources_[$i]}"
        target="''${targets_[$i]}"
        if [[ "$source" =~ '*' ]]; then
          # If the source name contains '*', perform globbing.
          mkdir -p /mnt/$target
          for fn in $source; do
            rsync -a --no-o --no-g "$fn" /mnt/$target/
          done
        else
          mkdir -p /mnt/$(dirname $target)
          if ! [ -e /mnt/$target ]; then
            rsync -a --no-o --no-g $source /mnt/$target
          else
            echo "duplicate entry $target -> $source"
            exit 1
          fi
        fi
      done
      umount /mnt
-      # Make sure resize2fs works
+      # Make sure resize2fs works. Note that resize2fs has stricter criteria for resizing than a normal
      # mount, so the `-c 0` and `-i 0` don't affect it. Setting it to `now` doesn't produce deterministic
      # output, of course, but we can fix that when/if we start making images deterministic.
      ${optionalString (fsType == "ext4") ''
-        tune2fs -c 0 -i 0 $rootDisk
+        tune2fs -T now -c 0 -i 0 $rootDisk
      ''}
    ''
 )
--- a/nixos/lib/testing.nix
+++ b/nixos/lib/testing.nix
@ -108,16 +108,16 @@ rec {
          mkdir -p $out/bin
          echo "$testScript" > $out/test-script
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/
-          vms="$(for i in ${toString vms}; do echo $i/bin/run-*-vm; done)"
+          vms=($(for i in ${toString vms}; do echo $i/bin/run-*-vm; done))
          wrapProgram $out/bin/nixos-test-driver \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --run "testScript=\"\$(cat $out/test-script)\"" \
            --set testScript '$testScript' \
            --set VLANS '${toString vlans}'
          ln -s ${testDriver}/bin/nixos-test-driver $out/bin/nixos-run-vms
          wrapProgram $out/bin/nixos-run-vms \
-            --add-flags "$vms" \
+            --add-flags "''${vms[*]}" \
            ${lib.optionalString enableOCR "--prefix PATH : '${ocrProg}/bin'"} \
            --set tests 'startAll; joinAll;' \
            --set VLANS '${toString vlans}' \
--- a/nixos/maintainers/scripts/ec2/amazon-image.nix
+++ b/nixos/maintainers/scripts/ec2/amazon-image.nix
@ -2,15 +2,34 @@
 with lib;
-{
+let
  cfg = config.amazonImage;
 in {
  imports =
    [ ../../../modules/installer/cd-dvd/channel.nix
      ../../../modules/virtualisation/amazon-image.nix
    ];
-  system.build.amazonImage = import ../../../lib/make-disk-image.nix {
+  options.amazonImage = {
    contents = mkOption {
      example = literalExample ''
        [ { source = pkgs.memtest86 + "/memtest.bin";
            target = "boot/memtest.bin";
          }
        ]
      '';
      default = [];
      description = ''
        This option lists files to be copied to fixed locations in the
        generated image. Glob patterns work.
      '';
    };
  };
  config.system.build.amazonImage = import ../../../lib/make-disk-image.nix {
    inherit lib config;
    inherit (cfg) contents;
    pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
    partitioned = config.ec2.hvm;
    diskSize = if config.ec2.hvm then 2048 else 8192;
--- a/nixos/maintainers/scripts/ec2/create-amis.sh
+++ b/nixos/maintainers/scripts/ec2/create-amis.sh
@ -3,23 +3,22 @@
 # To start with do: nix-shell -p awscli --run "aws configure"
-
+set -e
 set -o pipefail
 #set -x
 stateDir=${TMPDIR:-/tmp}/ec2-image
 echo "keeping state in $stateDir"
 mkdir -p $stateDir
 version=$(nix-instantiate --eval --strict '<nixpkgs>' -A lib.nixpkgsVersion | sed s/'"'//g)
 major=${version:0:5}
 echo "NixOS version is $version ($major)"
 stateDir=/var/tmp/ec2-image-$version
 echo "keeping state in $stateDir"
 mkdir -p $stateDir
 rm -f ec2-amis.nix
-types="hvm pv"
+types="hvm"
 stores="ebs s3"
-regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
+regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
 for type in $types; do
    link=$stateDir/$type
@ -206,7 +205,7 @@ for type in $types; do
                    # Register the AMI.
                    if [ $type = pv ]; then
-                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.04-$arch.gz" | jq -r .Images[0].ImageId)
+                        kernel=$(aws ec2 describe-images --owner amazon --filters "Name=name,Values=pv-grub-hd0_1.05-$arch.gz" | jq -r .Images[0].ImageId)
                        if [ "$kernel" = null ]; then break; fi
                        echo "using PV-GRUB kernel $kernel"
                        extraFlags+=" --virtualization-type paravirtual --kernel $kernel"
--- a/nixos/maintainers/scripts/openstack/nova-image.nix
+++ b/nixos/maintainers/scripts/openstack/nova-image.nix
@ -0,0 +1,24 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  imports =
    [ ../../../modules/installer/cd-dvd/channel.nix
      ../../../modules/virtualisation/nova-config.nix
    ];
  system.build.novaImage = import ../../../lib/make-disk-image.nix {
    inherit lib config;
    pkgs = import ../../../.. { inherit (pkgs) system; }; # ensure we use the regular qemu-kvm package
    diskSize = 8192;
    format = "qcow2";
    configFile = pkgs.writeText "configuration.nix"
      ''
        {
          imports = [ <nixpkgs/nixos/modules/virtualisation/nova-config.nix> ];
        }
      '';
  };
 }
--- a/nixos/modules/config/fonts/fontconfig-penultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-penultimate.nix
@ -0,0 +1,270 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.fonts.fontconfig;
  fcBool = x: "<bool>" + (if x then "true" else "false") + "</bool>";
  # back-supported fontconfig version and package
  # version is used for font cache generation
  supportVersion = "210";
  supportPkg     = pkgs."fontconfig_${supportVersion}";
  # latest fontconfig version and package
  # version is used for configuration folder name, /etc/fonts/VERSION/
  # note: format differs from supportVersion and can not be used with makeCacheConf
  latestVersion  = pkgs.fontconfig.configVersion;
  latestPkg      = pkgs.fontconfig;
  # supported version fonts.conf
  supportFontsConf = pkgs.makeFontsConf { fontconfig = supportPkg; fontDirectories = config.fonts.fonts; };
  # configuration file to read fontconfig cache
  # version dependent
  # priority 0
  cacheConfSupport = makeCacheConf { version = supportVersion; };
  cacheConfLatest  = makeCacheConf {};
  # generate the font cache setting file for a fontconfig version
  # use latest when no version is passed
  makeCacheConf = { version ? null }:
    let
      fcPackage = if builtins.isNull version
                  then "fontconfig"
                  else "fontconfig_${version}";
      makeCache = fontconfig: pkgs.makeFontsCache { inherit fontconfig; fontDirectories = config.fonts.fonts; };
      cache     = makeCache pkgs."${fcPackage}";
      cache32   = makeCache pkgs.pkgsi686Linux."${fcPackage}";
    in
    pkgs.writeText "fc-00-nixos-cache.conf" ''
      <?xml version='1.0'?>
      <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
      <fontconfig>
        <!-- Font directories -->
        ${concatStringsSep "\n" (map (font: "<dir>${font}</dir>") config.fonts.fonts)}
        <!-- Pre-generated font caches -->
        <cachedir>${cache}</cachedir>
        ${optionalString (pkgs.stdenv.isx86_64 && cfg.cache32Bit) ''
          <cachedir>${cache32}</cachedir>
        ''}
      </fontconfig>
    '';
  # The configuration to be included in /etc/font/
  penultimateConf = pkgs.runCommand "font-penultimate-conf" {} ''
    support_folder=$out/etc/fonts/conf.d
    latest_folder=$out/etc/fonts/${latestVersion}/conf.d
    mkdir -p $support_folder
    mkdir -p $latest_folder
    ln -s ${supportFontsConf} $support_folder/../fonts.conf
    ln -s ${latestPkg.out}/etc/fonts/fonts.conf \
          $latest_folder/../fonts.conf
    # fontconfig-penultimate various configuration files
    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
          $support_folder
    ln -s ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/*.conf \
          $latest_folder
    ln -s ${cacheConfSupport} $support_folder/00-nixos-cache.conf
    ln -s ${cacheConfLatest}  $latest_folder/00-nixos-cache.conf
    rm $support_folder/10-antialias.conf $latest_folder/10-antialias.conf
    ln -s ${antialiasConf} $support_folder/10-antialias.conf
    ln -s ${antialiasConf} $latest_folder/10-antialias.conf
    rm $support_folder/10-hinting.conf $latest_folder/10-hinting.conf
    ln -s ${hintingConf} $support_folder/10-hinting.conf
    ln -s ${hintingConf} $latest_folder/10-hinting.conf
    ${optionalString cfg.useEmbeddedBitmaps ''
    rm $support_folder/10-no-embedded-bitmaps.conf
    rm $latest_folder/10-no-embedded-bitmaps.conf
    ''}
    rm $support_folder/10-subpixel.conf $latest_folder/10-subpixel.conf
    ln -s ${subpixelConf} $support_folder/10-subpixel.conf
    ln -s ${subpixelConf} $latest_folder/10-subpixel.conf
    ${optionalString (cfg.dpi != 0) ''
    ln -s ${dpiConf} $support_folder/11-dpi.conf
    ln -s ${dpiConf} $latest_folder/11-dpi.conf
    ''}
    ${optionalString (!cfg.includeUserConf) ''
    rm $support_folder/50-user.conf
    rm $latest_folder/50-user.conf
    ''}
    # 51-local.conf
    rm $latest_folder/51-local.conf
    substitute \
      ${pkgs.fontconfig-penultimate}/etc/fonts/conf.d/51-local.conf \
      $latest_folder/51-local.conf \
      --replace local.conf /etc/fonts/${latestVersion}/local.conf
    ln -s ${defaultFontsConf} $support_folder/52-default-fonts.conf
    ln -s ${defaultFontsConf} $latest_folder/52-default-fonts.conf
    ${optionalString cfg.allowBitmaps ''
    rm $support_folder/53-no-bitmaps.conf
    rm $latest_folder/53-no-bitmaps.conf
    ''}
    ${optionalString (!cfg.allowType1) ''
    ln -s ${rejectType1} $support_folder/53-no-type1.conf
    ln -s ${rejectType1} $latest_folder/53-no-type1.conf
    ''}
  '';
  hintingConf = pkgs.writeText "fc-10-hinting.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="hinting">
          ${fcBool cfg.hinting.enable}
        </edit>
        <edit mode="append" name="autohint">
          ${fcBool cfg.hinting.autohint}
        </edit>
        <edit mode="append" name="hintstyle">
          <const>hintslight</const>
        </edit>
      </match>
    </fontconfig>
  '';
  antialiasConf = pkgs.writeText "fc-10-antialias.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="antialias">
          ${fcBool cfg.antialias}
        </edit>
      </match>
    </fontconfig>
  '';
  subpixelConf = pkgs.writeText "fc-10-subpixel.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default rendering settings -->
      <match target="pattern">
        <edit mode="append" name="rgba">
          <const>${cfg.subpixel.rgba}</const>
        </edit>
        <edit mode="append" name="lcdfilter">
          <const>lcd${cfg.subpixel.lcdfilter}</const>
        </edit>
      </match>
    </fontconfig>
  '';
  dpiConf = pkgs.writeText "fc-11-dpi.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <match target="pattern">
        <edit name="dpi" mode="assign">
          <double>${toString cfg.dpi}</double>
        </edit>
      </match>
    </fontconfig>
  '';
  defaultFontsConf =
    let genDefault = fonts: name:
      optionalString (fonts != []) ''
        <alias>
          <family>${name}</family>
          <prefer>
          ${concatStringsSep ""
          (map (font: ''
            <family>${font}</family>
          '') fonts)}
          </prefer>
        </alias>
      '';
    in
    pkgs.writeText "fc-52-nixos-default-fonts.conf" ''
    <?xml version='1.0'?>
    <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
    <fontconfig>
      <!-- Default fonts -->
      ${genDefault cfg.defaultFonts.sansSerif "sans-serif"}
      ${genDefault cfg.defaultFonts.serif     "serif"}
      ${genDefault cfg.defaultFonts.monospace "monospace"}
    </fontconfig>
  '';
  rejectType1 = pkgs.writeText "fc-53-no-type1.conf" ''
    <?xml version="1.0"?>
    <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
    <fontconfig>
    <!-- Reject Type 1 fonts -->
    <selectfont>
      <rejectfont>
        <pattern>
          <patelt name="fontformat"><string>Type 1</string></patelt>
        </pattern>
      </rejectfont>
    </selectfont>
    </fontconfig>
  '';
 in
 {
  options = {
    fonts = {
      fontconfig = {
        penultimate = {
          enable = mkOption {
            type = types.bool;
            default = true;
            description = ''
              Enable fontconfig-penultimate settings to supplement the
              NixOS defaults by providing per-font rendering defaults and
              metric aliases.
            '';
          };
        };
      };
    };
  };
  config = mkIf (config.fonts.fontconfig.enable && cfg.enable) {
    fonts.fontconfig.confPackages = [ penultimateConf ];
  };
 }
--- a/nixos/modules/config/fonts/fontconfig-ultimate.nix
+++ b/nixos/modules/config/fonts/fontconfig-ultimate.nix
@ -8,61 +8,6 @@ let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
    latestVersion  = pkgs.fontconfig.configVersion;
    # fontconfig ultimate main configuration file
    # priority 52
    fontconfigUltimateConf = pkgs.writeText "fc-52-fontconfig-ultimate.conf" ''
      <?xml version="1.0"?>
      <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
      <fontconfig>
        ${optionalString (!cfg.allowBitmaps) ''
        <!-- Reject bitmap fonts -->
        <selectfont>
          <rejectfont>
            <pattern>
              <patelt name="scalable"><bool>false</bool></patelt>
            </pattern>
          </rejectfont>
        </selectfont>
        ''}
        ${optionalString cfg.allowType1 ''
        <!-- Reject Type 1 fonts -->
        <selectfont>
          <rejectfont>
            <pattern>
              <patelt name="fontformat">
                <string>Type 1</string>
              </patelt>
            </pattern>
          </rejectfont>
        </selectfont>
        ''}
        <!-- Use embedded bitmaps in fonts like Calibri? -->
        <match target="font">
          <edit name="embeddedbitmap" mode="assign">
            ${fcBool cfg.useEmbeddedBitmaps}
          </edit>
        </match>
        <!-- Force autohint always -->
        <match target="font">
          <edit name="force_autohint" mode="assign">
            ${fcBool cfg.forceAutohint}
          </edit>
        </match>
        <!-- Render some monospace TTF fonts as bitmaps -->
        <match target="pattern">
          <edit name="bitmap_monospace" mode="assign">
            ${fcBool cfg.renderMonoTTFAsBitmap}
          </edit>
        </match>
      </fontconfig>
    '';
    # The configuration to be included in /etc/font/
    confPkg = pkgs.runCommand "font-ultimate-conf" {} ''
      support_folder=$out/etc/fonts/conf.d
@ -71,12 +16,6 @@ let fcBool = x: if x then "<bool>true</bool>" else "<bool>false</bool>";
      mkdir -p $support_folder
      mkdir -p $latest_folder
      # 52-fontconfig-ultimate.conf
      ln -s ${fontconfigUltimateConf} \
            $support_folder/52-fontconfig-ultimate.conf
      ln -s ${fontconfigUltimateConf} \
            $latest_folder/52-fontconfig-ultimate.conf
      # fontconfig ultimate substitutions
      ${optionalString (cfg.substitutions != "none") ''
      ln -s ${pkgs.fontconfig-ultimate}/etc/fonts/presets/${cfg.substitutions}/*.conf \
@ -104,7 +43,7 @@ in
        ultimate = {
          enable = mkOption {
            type = types.bool;
-            default = true;
+            default = false;
            description = ''
              Enable fontconfig-ultimate settings (formerly known as
              Infinality). Besides the customizable settings in this NixOS
@ -113,45 +52,6 @@ in
            '';
          };
          allowBitmaps = mkOption {
            type = types.bool;
            default = true;
            description = ''
              Allow bitmap fonts. Set to <literal>false</literal> to ban all
              bitmap fonts.
            '';
          };
          allowType1 = mkOption {
            type = types.bool;
            default = false;
            description = ''
              Allow Type-1 fonts. Default is <literal>false</literal> because of
              poor rendering.
            '';
          };
          useEmbeddedBitmaps = mkOption {
            type = types.bool;
            default = false;
            description = ''Use embedded bitmaps in fonts like Calibri.'';
          };
          forceAutohint = mkOption {
            type = types.bool;
            default = false;
            description = ''
              Force use of the TrueType Autohinter. Useful for debugging or
              free-software purists.
            '';
          };
          renderMonoTTFAsBitmap = mkOption {
            type = types.bool;
            default = false;
            description = ''Render some monospace TTF fonts as bitmaps.'';
          };
          substitutions = mkOption {
            type = types.nullOr (types.enum ["free" "combi" "ms"]);
            default = "free";
--- a/nixos/modules/config/fonts/fontconfig.nix
+++ b/nixos/modules/config/fonts/fontconfig.nix
@ -41,11 +41,11 @@ let cfg = config.fonts.fontconfig;
    # priority 0
    cacheConfSupport = makeCacheConf { version = supportVersion; };
    cacheConfLatest  = makeCacheConf {};
-    
+
    # generate the font cache setting file for a fontconfig version
    # use latest when no version is passed
    makeCacheConf = { version ? null }:
-      let 
+      let
        fcPackage = if builtins.isNull version
                    then "fontconfig"
                    else "fontconfig_${version}";
@ -75,23 +75,23 @@ let cfg = config.fonts.fontconfig;
      <fontconfig>
        <!-- Default rendering settings -->
-        <match target="font">
+        <match target="pattern">
-          <edit mode="assign" name="hinting">
+          <edit mode="append" name="hinting">
            ${fcBool cfg.hinting.enable}
          </edit>
-          <edit mode="assign" name="autohint">
+          <edit mode="append" name="autohint">
            ${fcBool cfg.hinting.autohint}
          </edit>
-          <edit mode="assign" name="hintstyle">
+          <edit mode="append" name="hintstyle">
-            <const>hint${cfg.hinting.style}</const>
+            <const>hintslight</const>
          </edit>
-          <edit mode="assign" name="antialias">
+          <edit mode="append" name="antialias">
            ${fcBool cfg.antialias}
          </edit>
-          <edit mode="assign" name="rgba">
+          <edit mode="append" name="rgba">
            <const>${cfg.subpixel.rgba}</const>
          </edit>
-          <edit mode="assign" name="lcdfilter">
+          <edit mode="append" name="lcdfilter">
            <const>lcd${cfg.subpixel.lcdfilter}</const>
          </edit>
        </match>
@ -113,7 +113,7 @@ let cfg = config.fonts.fontconfig;
    # default fonts configuration file
    # priority 52
-    defaultFontsConf = 
+    defaultFontsConf =
      let genDefault = fonts: name:
        optionalString (fonts != []) ''
          <alias>
@ -142,7 +142,54 @@ let cfg = config.fonts.fontconfig;
      </fontconfig>
    '';
-    # fontconfig configuration package 
+    # bitmap font options
    # priority 53
    rejectBitmaps = pkgs.writeText "fc-53-nixos-bitmaps.conf" ''
      <?xml version="1.0"?>
      <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
      <fontconfig>
      ${optionalString (!cfg.allowBitmaps) ''
      <!-- Reject bitmap fonts -->
      <selectfont>
        <rejectfont>
          <pattern>
            <patelt name="scalable"><bool>false</bool></patelt>
          </pattern>
        </rejectfont>
      </selectfont>
      ''}
      <!-- Use embedded bitmaps in fonts like Calibri? -->
      <match target="font">
        <edit name="embeddedbitmap" mode="assign">
          ${fcBool cfg.useEmbeddedBitmaps}
        </edit>
      </match>
      </fontconfig>
    '';
    # reject Type 1 fonts
    # priority 53
    rejectType1 = pkgs.writeText "fc-53-nixos-reject-type1.conf" ''
      <?xml version="1.0"?>
      <!DOCTYPE fontconfig SYSTEM "fonts.dtd">
      <fontconfig>
      <!-- Reject Type 1 fonts -->
      <selectfont>
        <rejectfont>
          <pattern>
            <patelt name="fontformat"><string>Type 1</string></patelt>
          </pattern>
        </rejectfont>
      </selectfont>
      </fontconfig>
    '';
    # fontconfig configuration package
    confPkg = pkgs.runCommand "fontconfig-conf" {} ''
      support_folder=$out/etc/fonts
      latest_folder=$out/etc/fonts/${latestVersion}
@ -166,7 +213,7 @@ let cfg = config.fonts.fontconfig;
      substitute ${latestPkg.out}/etc/fonts/conf.d/51-local.conf \
                 $latest_folder/conf.d/51-local.conf \
-                 --replace local.conf /etc/fonts/${latestVersion}/local.conf 
+                 --replace local.conf /etc/fonts/${latestVersion}/local.conf
      # 00-nixos-cache.conf
      ln -s ${cacheConfSupport} \
@ -192,6 +239,16 @@ let cfg = config.fonts.fontconfig;
      # 52-nixos-default-fonts.conf
      ln -s ${defaultFontsConf} $support_folder/conf.d/52-nixos-default-fonts.conf
      ln -s ${defaultFontsConf} $latest_folder/conf.d/52-nixos-default-fonts.conf
      # 53-nixos-bitmaps.conf
      ln -s ${rejectBitmaps} $support_folder/conf.d/53-nixos-bitmaps.conf
      ln -s ${rejectBitmaps} $latest_folder/conf.d/53-nixos-bitmaps.conf
      ${optionalString (! cfg.allowType1) ''
      # 53-nixos-reject-type1.conf
      ln -s ${rejectType1} $support_folder/conf.d/53-nixos-reject-type1.conf
      ln -s ${rejectType1} $latest_folder/conf.d/53-nixos-reject-type1.conf
      ''}
    '';
    # Package with configuration files
@ -233,7 +290,11 @@ in
        antialias = mkOption {
          type = types.bool;
          default = true;
-          description = "Enable font antialiasing.";
+          description = ''
            Enable font antialiasing. At high resolution (> 200 DPI),
            antialiasing has no visible effect; users of such displays may want
            to disable this option.
          '';
        };
        dpi = mkOption {
@ -249,7 +310,7 @@ in
          type = types.lines;
          default = "";
          description = ''
-            System-wide customization file contents, has higher priority than 
+            System-wide customization file contents, has higher priority than
            <literal>defaultFonts</literal> settings.
          '';
        };
@ -287,26 +348,21 @@ in
          enable = mkOption {
            type = types.bool;
            default = true;
-            description = "Enable TrueType hinting.";
+            description = ''
              Enable font hinting. Hinting aligns glyphs to pixel boundaries to
              improve rendering sharpness at low resolution. At high resolution
              (> 200 dpi) hinting will do nothing (at best); users of such
              displays may want to disable this option.
            '';
          };
          autohint = mkOption {
            type = types.bool;
-            default = true;
+            default = false;
            description = ''
-              Enable the autohinter, which provides hinting for otherwise
+              Enable the autohinter in place of the default interpreter.
-              un-hinted fonts. The results are usually lower quality than
+              The results are usually lower quality than correctly-hinted
-              correctly-hinted fonts.
+              fonts, but better than unhinted fonts.
            '';
          };
          style = mkOption {
            type = types.enum ["none" "slight" "medium" "full"];
            default = "full";
            description = ''
              TrueType hinting style, one of <literal>none</literal>,
              <literal>slight</literal>, <literal>medium</literal>, or
              <literal>full</literal>.
            '';
          };
        };
@ -327,7 +383,15 @@ in
            default = "rgb";
            type = types.enum ["rgb" "bgr" "vrgb" "vbgr" "none"];
            description = ''
-              Subpixel order.
+              Subpixel order. The overwhelming majority of displays are
              <literal>rgb</literal> in their normal orientation. Select
              <literal>vrgb</literal> for mounting such a display 90 degrees
              clockwise from its normal orientation or <literal>vbgr</literal>
              for mounting 90 degrees counter-clockwise. Select
              <literal>bgr</literal> in the unlikely event of mounting 180
              degrees from the normal orientation. Reverse these directions in
              the improbable event that the display's native subpixel order is
              <literal>bgr</literal>.
            '';
          };
@ -335,7 +399,9 @@ in
            default = "default";
            type = types.enum ["none" "default" "light" "legacy"];
            description = ''
-              FreeType LCD filter.
+              FreeType LCD filter. At high resolution (> 200 DPI), LCD filtering
              has no visible effect; users of such displays may want to select
              <literal>none</literal>.
            '';
          };
@ -349,16 +415,43 @@ in
          '';
        };
        allowBitmaps = mkOption {
          type = types.bool;
          default = true;
          description = ''
            Allow bitmap fonts. Set to <literal>false</literal> to ban all
            bitmap fonts.
          '';
        };
        allowType1 = mkOption {
          type = types.bool;
          default = false;
          description = ''
            Allow Type-1 fonts. Default is <literal>false</literal> because of
            poor rendering.
          '';
        };
        useEmbeddedBitmaps = mkOption {
          type = types.bool;
          default = false;
          description = ''Use embedded bitmaps in fonts like Calibri.'';
        };
      };
    };
  };
-  config = mkIf cfg.enable {
+  config = mkMerge [
-    fonts.fontconfig.confPackages = [ confPkg ];
+    (mkIf cfg.enable {
-
+      environment.systemPackages    = [ pkgs.fontconfig ];
-    environment.systemPackages    = [ pkgs.fontconfig ];
+      environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
-    environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
+    })
-  };
+    (mkIf (cfg.enable && !cfg.penultimate.enable) {
      fonts.fontconfig.confPackages = [ confPkg ];
    })
  ];
 }
--- a/nixos/modules/config/fonts/fonts.nix
+++ b/nixos/modules/config/fonts/fonts.nix
@ -37,6 +37,7 @@ with lib;
        pkgs.xorg.fontbhlucidatypewriter75dpi
        pkgs.dejavu_fonts
        pkgs.freefont_ttf
        pkgs.gyre-fonts # TrueType substitutes for standard PostScript fonts
        pkgs.liberation_ttf
        pkgs.xorg.fontbh100dpi
        pkgs.xorg.fontmiscmisc
--- a/nixos/modules/config/networking.nix
+++ b/nixos/modules/config/networking.nix
@ -178,10 +178,10 @@ in
    environment.etc =
      { # /etc/services: TCP/UDP port assignments.
-        "services".source = pkgs.iana_etc + "/etc/services";
+        "services".source = pkgs.iana-etc + "/etc/services";
        # /etc/protocols: IP protocol numbers.
-        "protocols".source  = pkgs.iana_etc + "/etc/protocols";
+        "protocols".source  = pkgs.iana-etc + "/etc/protocols";
        # /etc/rpc: RPC program numbers.
        "rpc".source = pkgs.glibc.out + "/etc/rpc";
@ -251,11 +251,6 @@ in
    # Install the proxy environment variables
    environment.sessionVariables = cfg.proxy.envVars;
    # The ‘ip-up’ target is kept for backwards compatibility.
    # New services should use systemd upstream targets:
    # See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
    systemd.targets.ip-up.description = "Services Requiring IP Connectivity (deprecated)";
    # This is needed when /etc/resolv.conf is being overriden by networkd
    # and other configurations. If the file is destroyed by an environment
    # activation then it must be rebuilt so that applications which interface
--- a/nixos/modules/config/pulseaudio.nix
+++ b/nixos/modules/config/pulseaudio.nix
@ -274,6 +274,8 @@ in {
          RestartSec = "500ms";
        };
      };
      environment.variables.PULSE_COOKIE = "${stateDir}/.config/pulse/cookie";
    })
  ];
--- a/nixos/modules/config/shells-environment.nix
+++ b/nixos/modules/config/shells-environment.nix
@ -168,9 +168,6 @@ in
         ${cfg.extraInit}
         # The setuid/setcap wrappers override other bin directories.
         export PATH="${config.security.wrapperDir}:$PATH"
         # ~/bin if it exists overrides other bin directories.
         export PATH="$HOME/bin:$PATH"
       '';
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@ -64,5 +64,9 @@ in
    # Removed under grsecurity.
    boot.kernel.sysctl."kernel.kptr_restrict" =
      if (config.boot.kernelPackages.kernel.features.grsecurity or false) then null else 1;
    # Disable YAMA by default to allow easy debugging.
    boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
  };
 }
--- a/nixos/modules/config/update-users-groups.pl
+++ b/nixos/modules/config/update-users-groups.pl
@ -6,6 +6,21 @@ use JSON;
 make_path("/var/lib/nixos", { mode => 0755 });
 # Keep track of deleted uids and gids.
 my $uidMapFile = "/var/lib/nixos/uid-map";
 my $uidMap = -e $uidMapFile ? decode_json(read_file($uidMapFile)) : {};
 my $gidMapFile = "/var/lib/nixos/gid-map";
 my $gidMap = -e $gidMapFile ? decode_json(read_file($gidMapFile)) : {};
 sub updateFile {
    my ($path, $contents, $perms) = @_;
    write_file("$path.tmp", { binmode => ':utf8', perms => $perms // 0644 }, $contents);
    rename("$path.tmp", $path) or die;
 }
 sub hashPassword {
    my ($password) = @_;
    my $salt = "";
@ -18,10 +33,10 @@ sub hashPassword {
 # Functions for allocating free GIDs/UIDs. FIXME: respect ID ranges in
 # /etc/login.defs.
 sub allocId {
-    my ($used, $idMin, $idMax, $up, $getid) = @_;
+    my ($used, $prevUsed, $idMin, $idMax, $up, $getid) = @_;
    my $id = $up ? $idMin : $idMax;
    while ($id >= $idMin && $id <= $idMax) {
-        if (!$used->{$id} && !defined &$getid($id)) {
+        if (!$used->{$id} && !$prevUsed->{$id} && !defined &$getid($id)) {
            $used->{$id} = 1;
            return $id;
        }
@ -31,23 +46,36 @@ sub allocId {
    die "$0: out of free UIDs or GIDs\n";
 }
-my (%gidsUsed, %uidsUsed);
+my (%gidsUsed, %uidsUsed, %gidsPrevUsed, %uidsPrevUsed);
 sub allocGid {
-    return allocId(\%gidsUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
+    my ($name) = @_;
    my $prevGid = $gidMap->{$name};
    if (defined $prevGid && !defined $gidsUsed{$prevGid}) {
        print STDERR "reviving group '$name' with GID $prevGid\n";
        $gidsUsed{$prevGid} = 1;
        return $prevGid;
    }
    return allocId(\%gidsUsed, \%gidsPrevUsed, 400, 499, 0, sub { my ($gid) = @_; getgrgid($gid) });
 }
 sub allocUid {
-    my ($isSystemUser) = @_;
+    my ($name, $isSystemUser) = @_;
    my ($min, $max, $up) = $isSystemUser ? (400, 499, 0) : (1000, 29999, 1);
-    return allocId(\%uidsUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
+    my $prevUid = $uidMap->{$name};
    if (defined $prevUid && $prevUid >= $min && $prevUid <= $max && !defined $uidsUsed{$prevUid}) {
        print STDERR "reviving user '$name' with UID $prevUid\n";
        $uidsUsed{$prevUid} = 1;
        return $prevUid;
    }
    return allocId(\%uidsUsed, \%uidsPrevUsed, $min, $max, $up, sub { my ($uid) = @_; getpwuid($uid) });
 }
 # Read the declared users/groups.
 my $spec = decode_json(read_file($ARGV[0]));
-# Don't allocate UIDs/GIDs that are already in use.
+# Don't allocate UIDs/GIDs that are manually assigned.
 foreach my $g (@{$spec->{groups}}) {
    $gidsUsed{$g->{gid}} = 1 if defined $g->{gid};
 }
@ -56,6 +84,11 @@ foreach my $u (@{$spec->{users}}) {
    $uidsUsed{$u->{uid}} = 1 if defined $u->{uid};
 }
 # Likewise for previously used but deleted UIDs/GIDs.
 $uidsPrevUsed{$_} = 1 foreach values %{$uidMap};
 $gidsPrevUsed{$_} = 1 foreach values %{$gidMap};
 # Read the current /etc/group.
 sub parseGroup {
    chomp;
@ -114,16 +147,18 @@ foreach my $g (@{$spec->{groups}}) {
            }
        }
    } else {
-        $g->{gid} = allocGid if !defined $g->{gid};
+        $g->{gid} = allocGid($name) if !defined $g->{gid};
        $g->{password} = "x";
    }
    $g->{members} = join ",", sort(keys(%members));
    $groupsOut{$name} = $g;
    $gidMap->{$name} = $g->{gid};
 }
 # Update the persistent list of declarative groups.
-write_file($declGroupsFile, { binmode => ':utf8' }, join(" ", sort(keys %groupsOut)));
+updateFile($declGroupsFile, join(" ", sort(keys %groupsOut)));
 # Merge in the existing /etc/group.
 foreach my $name (keys %groupsCur) {
@ -140,8 +175,8 @@ foreach my $name (keys %groupsCur) {
 # Rewrite /etc/group. FIXME: acquire lock.
 my @lines = map { join(":", $_->{name}, $_->{password}, $_->{gid}, $_->{members}) . "\n" }
    (sort { $a->{gid} <=> $b->{gid} } values(%groupsOut));
-write_file("/etc/group.tmp", { binmode => ':utf8' }, @lines);
+updateFile($gidMapFile, encode_json($gidMap));
-rename("/etc/group.tmp", "/etc/group") or die;
+updateFile("/etc/group", \@lines);
 system("nscd --invalidate group");
 # Generate a new /etc/passwd containing the declared users.
@ -167,7 +202,7 @@ foreach my $u (@{$spec->{users}}) {
            $u->{uid} = $existing->{uid};
        }
    } else {
-        $u->{uid} = allocUid($u->{isSystemUser}) if !defined $u->{uid};
+        $u->{uid} = allocUid($name, $u->{isSystemUser}) if !defined $u->{uid};
        if (defined $u->{initialPassword}) {
            $u->{hashedPassword} = hashPassword($u->{initialPassword});
@ -177,7 +212,7 @@ foreach my $u (@{$spec->{users}}) {
    }
    # Create a home directory.
-    if ($u->{createHome} && ! -e $u->{home}) {
+    if ($u->{createHome}) {
        make_path($u->{home}, { mode => 0700 }) if ! -e $u->{home};
        chown $u->{uid}, $u->{gid}, $u->{home};
    }
@ -195,10 +230,12 @@ foreach my $u (@{$spec->{users}}) {
    $u->{fakePassword} = $existing->{fakePassword} // "x";
    $usersOut{$name} = $u;
    $uidMap->{$name} = $u->{uid};
 }
 # Update the persistent list of declarative users.
-write_file($declUsersFile, { binmode => ':utf8' }, join(" ", sort(keys %usersOut)));
+updateFile($declUsersFile, join(" ", sort(keys %usersOut)));
 # Merge in the existing /etc/passwd.
 foreach my $name (keys %usersCur) {
@ -214,8 +251,8 @@ foreach my $name (keys %usersCur) {
 # Rewrite /etc/passwd. FIXME: acquire lock.
@lines = map { join(":", $_->{name}, $_->{fakePassword}, $_->{uid}, $_->{gid}, $_->{description}, $_->{home}, $_->{shell}) . "\n" }
    (sort { $a->{uid} <=> $b->{uid} } (values %usersOut));
-write_file("/etc/passwd.tmp", { binmode => ':utf8' }, @lines);
+updateFile($uidMapFile, encode_json($uidMap));
-rename("/etc/passwd.tmp", "/etc/passwd") or die;
+updateFile("/etc/passwd", \@lines);
 system("nscd --invalidate passwd");
@ -242,5 +279,4 @@ foreach my $u (values %usersOut) {
    push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::::") . "\n";
 }
-write_file("/etc/shadow.tmp", { binmode => ':utf8', perms => 0600 }, @shadowNew);
+updateFile("/etc/shadow", \@shadowNew, 0600);
 rename("/etc/shadow.tmp", "/etc/shadow") or die;
--- a/nixos/modules/hardware/all-firmware.nix
+++ b/nixos/modules/hardware/all-firmware.nix
@ -26,6 +26,7 @@ with lib;
      firmwareLinuxNonfree
      intel2200BGFirmware
      rtl8723bs-firmware
      rtl8192su-firmware
    ];
  };
--- a/nixos/modules/hardware/cpu/amd-microcode.nix
+++ b/nixos/modules/hardware/cpu/amd-microcode.nix
@ -22,7 +22,8 @@ with lib;
  ###### implementation
  config = mkIf config.hardware.cpu.amd.updateMicrocode {
-    boot.initrd.prepend = [ "${pkgs.microcodeAmd}/amd-ucode.img" ];
+    # Microcode updates must be the first item prepended in the initrd
    boot.initrd.prepend = mkOrder 1 [ "${pkgs.microcodeAmd}/amd-ucode.img" ];
  };
 }
--- a/nixos/modules/hardware/cpu/intel-microcode.nix
+++ b/nixos/modules/hardware/cpu/intel-microcode.nix
@ -22,7 +22,8 @@ with lib;
  ###### implementation
  config = mkIf config.hardware.cpu.intel.updateMicrocode {
-    boot.initrd.prepend = [ "${pkgs.microcodeIntel}/intel-ucode.img" ];
+    # Microcode updates must be the first item prepended in the initrd
    boot.initrd.prepend = mkOrder 1 [ "${pkgs.microcodeIntel}/intel-ucode.img" ];
  };
 }
--- a/nixos/modules/hardware/mcelog.nix
+++ b/nixos/modules/hardware/mcelog.nix
@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  meta.maintainers = [ maintainers.grahamc ];
  options = {
    hardware.mcelog = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable the Machine Check Exception logger.
        '';
      };
    };
  };
  config = mkIf config.hardware.mcelog.enable {
    systemd.services.mcelog = {
      description = "Machine Check Exception Logging Daemon";
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        ExecStart = "${pkgs.mcelog}/bin/mcelog --daemon --foreground";
        SuccessExitStatus = [ 0 15 ];
        ProtectHome = true;
        PrivateNetwork = true;
        PrivateTmp = true;
      };
    };
  };
 }
--- a/nixos/modules/hardware/sensor/iio.nix
+++ b/nixos/modules/hardware/sensor/iio.nix
@ -0,0 +1,30 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  ###### interface
  options = {
    hardware.sensor.iio = {
      enable = mkOption {
        description = "Enable this option to support IIO sensors.";
        type = types.bool;
        default = false;
      };
    };
  };
  ###### implementation
  config = mkIf config.hardware.sensor.iio.enable {
    boot.initrd.availableKernelModules = [ "hid-sensor-hub" ];
    environment.systemPackages = with pkgs; [ iio-sensor-proxy ];
    services.dbus.packages = with pkgs; [ iio-sensor-proxy ];
    services.udev.packages = with pkgs; [ iio-sensor-proxy ];
    systemd.packages = with pkgs; [ iio-sensor-proxy ];
  };
 }
--- a/nixos/modules/hardware/usb-wwan.nix
+++ b/nixos/modules/hardware/usb-wwan.nix
@ -0,0 +1,26 @@
 { config, lib, pkgs, ... }:
 with lib;
 {
  ###### interface
  options = {
    hardware.usbWwan = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Enable this option to support USB WWAN adapters.
        '';
      };
    };
  };
  ###### implementation
  config = mkIf config.hardware.usbWwan.enable {
    services.udev.packages = with pkgs; [ usb-modeswitch-data ];
  };
 }
--- a/nixos/modules/hardware/video/bumblebee.nix
+++ b/nixos/modules/hardware/video/bumblebee.nix
@ -13,7 +13,7 @@ let
    useDisplayDevice = cfg.connectDisplay;
  };
-  useBbswitch = cfg.pmMethod == "bbswitch";
+  useBbswitch = cfg.pmMethod == "bbswitch" || cfg.pmMethod == "auto" && useNvidia;
  primus = pkgs.primus.override {
    inherit useNvidia;
@ -65,7 +65,7 @@ in
      pmMethod = mkOption {
        default = "auto";
-        type = types.enum [ "auto" "bbswitch" "nouveau" "switcheroo" "none" ];
+        type = types.enum [ "auto" "bbswitch" "switcheroo" "none" ];
        description = ''
          Set preferred power management method for unused card.
        '';
--- a/nixos/modules/i18n/input-method/ibus.nix
+++ b/nixos/modules/i18n/input-method/ibus.nix
@ -44,7 +44,7 @@ in
      panel = mkOption {
        type = with types; nullOr path;
        default = null;
-        example = literalExample "''${pkgs.kde5.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
+        example = literalExample "''${pkgs.plasma5.plasma-desktop}/lib/libexec/kimpanel-ibus-panel";
        description = "Replace the IBus panel with another panel.";
      };
    };
--- a/nixos/modules/installer/cd-dvd/channel.nix
+++ b/nixos/modules/installer/cd-dvd/channel.nix
@ -6,6 +6,16 @@
 with lib;
 let
  # Do not include these things:
  #   - The '.git' directory
  #   - Result symlinks from nix-build ('result', 'result-2', 'result-bin', ...)
  #   - VIM/Emacs swap/backup files ('.swp', '.swo', '.foo.swp', 'foo~', ...)
  filterFn = path: type: let basename = baseNameOf (toString path); in
    if type == "directory" then basename != ".git"
    else if type == "symlink" then builtins.match "^result(|-.*)$" basename == null
    else builtins.match "^((|\..*)\.sw[a-z]|.*~)$" basename == null;
  nixpkgs = builtins.filterSource filterFn pkgs.path;
  # We need a copy of the Nix expressions for Nixpkgs and NixOS on the
  # CD.  These are installed into the "nixos" channel of the root
@ -15,12 +25,11 @@ let
    { }
    ''
      mkdir -p $out
-      cp -prd ${pkgs.path} $out/nixos
+      cp -prd ${nixpkgs} $out/nixos
      chmod -R u+w $out/nixos
      if [ ! -e $out/nixos/nixpkgs ]; then
        ln -s . $out/nixos/nixpkgs
      fi
      rm -rf $out/nixos/.git
      echo -n ${config.system.nixosVersionSuffix} > $out/nixos/.version-suffix
    '';
--- a/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-graphical-kde.nix
@ -18,7 +18,7 @@ with lib;
      autoLogin = true;
    };
-    desktopManager.kde5 = {
+    desktopManager.plasma5 = {
      enable = true;
      enableQt4Support = false;
    };
@ -66,7 +66,7 @@ with lib;
  in ''
    mkdir -p /root/Desktop
    ln -sfT ${desktopFile} /root/Desktop/nixos-manual.desktop
-    ln -sfT ${pkgs.kde5.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
+    ln -sfT ${pkgs.konsole}/share/applications/org.kde.konsole.desktop /root/Desktop/org.kde.konsole.desktop
    ln -sfT ${pkgs.gparted}/share/applications/gparted.desktop /root/Desktop/gparted.desktop
  '';
--- a/nixos/modules/installer/cd-dvd/iso-image.nix
+++ b/nixos/modules/installer/cd-dvd/iso-image.nix
@ -172,7 +172,6 @@ in
    isoImage.includeSystemBuildDependencies = mkOption {
      default = false;
      example = true;
      description = ''
        Set this option to include all the needed sources etc in the
        image. It significantly increases image size. Use that when
@ -280,7 +279,7 @@ in
        options = [ "allow_other" "cow" "nonempty" "chroot=/mnt-root" "max_files=32768" "hide_meta_files" "dirs=/nix/.rw-store=rw:/nix/.ro-store=ro" ];
      };
-    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" ];
+    boot.initrd.availableKernelModules = [ "squashfs" "iso9660" "usb-storage" "uas" ];
    boot.blacklistedKernelModules = [ "nouveau" ];
--- a/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
+++ b/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix
@ -28,7 +28,7 @@ in
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=tty0"];
+  boot.kernelParams = ["console=ttyS0,115200n8" "console=ttymxc0,115200n8" "console=ttyAMA0,115200n8" "console=ttyO0,115200n8" "console=ttySAC2,115200n8" "console=tty0"];
  # FIXME: this probably should be in installation-device.nix
  users.extraUsers.root.initialHashedPassword = "";
--- a/nixos/modules/installer/tools/auto-upgrade.nix
+++ b/nixos/modules/installer/tools/auto-upgrade.nix
@ -48,7 +48,7 @@ let cfg = config.system.autoUpgrade; in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the update will occur.
        '';
      };
--- a/nixos/modules/installer/tools/nix-fallback-paths.nix
+++ b/nixos/modules/installer/tools/nix-fallback-paths.nix
@ -1,5 +1,5 @@
 {
-  x86_64-linux = "/nix/store/qdkzm17csr24snk247a1s0c47ikq5sl6-nix-1.11.6";
+  x86_64-linux = "/nix/store/j6q3pb75q1sbk0xsa5x6a629ph98ycdl-nix-1.11.8";
-  i686-linux = "/nix/store/hiwp53747lxlniqy5wpbql5izjrs8z0z-nix-1.11.6";
+  i686-linux = "/nix/store/4m6ps568l988bbr1p2k3w9raq3rblppi-nix-1.11.8";
-  x86_64-darwin = "/nix/store/hca2hqcvwncf23hiqyqgwbsdy8vvl9xv-nix-1.11.6";
+  x86_64-darwin = "/nix/store/cc5q944yn3j2hrs8k0kxx9r2mk9mni8a-nix-1.11.8";
 }
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@ -607,7 +607,7 @@ $bootLoaderConfig
  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.sddm.enable = true;
-  # services.xserver.desktopManager.kde5.enable = true;
+  # services.xserver.desktopManager.plasma5.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  # users.extraUsers.guest = {
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@ -278,24 +278,22 @@ if [ -n "$buildNix" ]; then
    echo "building Nix..." >&2
    nixDrv=
    if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A config.nix.package.out "${extraBuildFlags[@]}")"; then
-        if ! nixDrv="$(nix-instantiate '<nixpkgs/nixos>' --add-root $tmpDir/nix.drv --indirect -A nixFallback "${extraBuildFlags[@]}")"; then
+        if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
-            if ! nixDrv="$(nix-instantiate '<nixpkgs>' --add-root $tmpDir/nix.drv --indirect -A nix "${extraBuildFlags[@]}")"; then
+            nixStorePath="$(prebuiltNix "$(uname -m)")"
-                nixStorePath="$(prebuiltNix "$(uname -m)")"
+            if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
-                if ! nix-store -r $nixStorePath --add-root $tmpDir/nix --indirect \
+                --option extra-binary-caches https://cache.nixos.org/; then
-                    --option extra-binary-caches https://cache.nixos.org/; then
+                echo "warning: don't know how to get latest Nix" >&2
            fi
            # Older version of nix-store -r don't support --add-root.
            [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
            if [ -n "$buildHost" ]; then
                remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
                remoteNix="$remoteNixStorePath/bin"
                if ! buildHostCmd nix-store -r $remoteNixStorePath \
                  --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
                    remoteNix=
                    echo "warning: don't know how to get latest Nix" >&2
                fi
                # Older version of nix-store -r don't support --add-root.
                [ -e $tmpDir/nix ] || ln -sf $nixStorePath $tmpDir/nix
                if [ -n "$buildHost" ]; then
                    remoteNixStorePath="$(prebuiltNix "$(buildHostCmd uname -m)")"
                    remoteNix="$remoteNixStorePath/bin"
                    if ! buildHostCmd nix-store -r $remoteNixStorePath \
                      --option extra-binary-caches https://cache.nixos.org/ >/dev/null; then
                        remoteNix=
                        echo "warning: don't know how to get latest Nix" >&2
                    fi
                fi
            fi
        fi
    fi
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@ -288,6 +288,7 @@
      kresd = 270;
      rpc = 271;
      geoip = 272;
      fcron = 273;
      # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
@ -545,6 +546,7 @@
      kresd = 270;
      #rpc = 271; # unused
      #geoip = 272; # unused
      fcron = 273;
      # When adding a gid, make sure it doesn't match an existing
      # uid. Users and groups with the same name should have equal
--- a/nixos/modules/misc/locate.nix
+++ b/nixos/modules/misc/locate.nix
@ -104,13 +104,13 @@ in {
    users.extraGroups = mkIf isMLocate { mlocate = {}; };
    security.wrappers = mkIf isMLocate {
-      mlocate = {
+      locate = {
        group = "mlocate";
        owner = "root";
        permissions = "u+rx,g+x,o+x";
        setgid = true;
        setuid = false;
-        program = "locate";
+        source = "${cfg.locate}/bin/locate";
      };
    };
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@ -95,7 +95,7 @@ in
      nixosVersionSuffix = mkIf (pathIsDirectory gitRepo) (mkDefault (".git." + gitCommitId));
      # Note: code names must only increase in alphabetical order.
-      nixosCodeName = "Gorilla";
+      nixosCodeName = "Hummingbird";
    };
    # Generate /etc/os-release.  See
@ -106,9 +106,12 @@ in
        NAME=NixOS
        ID=nixos
        VERSION="${config.system.nixosVersion} (${config.system.nixosCodeName})"
        VERSION_CODENAME=${toLower config.system.nixosCodeName}
        VERSION_ID="${config.system.nixosVersion}"
        PRETTY_NAME="NixOS ${config.system.nixosVersion} (${config.system.nixosCodeName})"
-        HOME_URL="http://nixos.org/"
+        HOME_URL="https://nixos.org/"
        SUPPORT_URL="https://nixos.org/nixos/support.html"
        BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
      '';
  };
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1,8 +1,9 @@
 [
  ./config/debug-info.nix
  ./config/fonts/corefonts.nix
  ./config/fonts/fontconfig-ultimate.nix
  ./config/fonts/fontconfig.nix
  ./config/fonts/fontconfig-penultimate.nix
  ./config/fonts/fontconfig-ultimate.nix
  ./config/fonts/fontdir.nix
  ./config/fonts/fonts.nix
  ./config/fonts/ghostscript.nix
@ -29,7 +30,9 @@
  ./hardware/ckb.nix
  ./hardware/cpu/amd-microcode.nix
  ./hardware/cpu/intel-microcode.nix
  ./hardware/sensor/iio.nix
  ./hardware/ksm.nix
  ./hardware/mcelog.nix
  ./hardware/network/b43.nix
  ./hardware/network/intel-2100bg.nix
  ./hardware/network/intel-2200bg.nix
@ -38,6 +41,7 @@
  ./hardware/network/rtl8192c.nix
  ./hardware/opengl.nix
  ./hardware/pcmcia.nix
  ./hardware/usb-wwan.nix
  ./hardware/video/amdgpu.nix
  ./hardware/video/amdgpu-pro.nix
  ./hardware/video/ati.nix
@ -93,6 +97,7 @@
  ./programs/tmux.nix
  ./programs/venus.nix
  ./programs/vim.nix
  ./programs/wireshark.nix
  ./programs/wvdial.nix
  ./programs/xfs_quota.nix
  ./programs/xonsh.nix
@ -104,6 +109,7 @@
  ./security/audit.nix
  ./security/ca.nix
  ./security/chromium-suid-sandbox.nix
  ./security/dhparams.nix
  ./security/duosec.nix
  ./security/grsecurity.nix
  ./security/hidepid.nix
@ -124,6 +130,7 @@
  ./services/audio/liquidsoap.nix
  ./services/audio/mpd.nix
  ./services/audio/mopidy.nix
  ./services/audio/slimserver.nix
  ./services/audio/squeezelite.nix
  ./services/audio/ympd.nix
  ./services/backup/almir.nix
@ -132,7 +139,6 @@
  ./services/backup/mysql-backup.nix
  ./services/backup/postgresql-backup.nix
  ./services/backup/rsnapshot.nix
  ./services/backup/sitecopy-backup.nix
  ./services/backup/tarsnap.nix
  ./services/backup/znapzend.nix
  ./services/cluster/fleet.nix
@ -242,6 +248,7 @@
  ./services/mail/rmilter.nix
  ./services/misc/apache-kafka.nix
  ./services/misc/autofs.nix
  ./services/misc/autorandr.nix
  ./services/misc/bepasty.nix
  ./services/misc/canto-daemon.nix
  ./services/misc/calibre-server.nix
@ -268,6 +275,8 @@
  ./services/misc/gogs.nix
  ./services/misc/gpsd.nix
  #./services/misc/ihaskell.nix
  ./services/misc/irkerd.nix
  ./services/misc/jackett.nix
  ./services/misc/leaps.nix
  ./services/misc/mantisbt.nix
  ./services/misc/mathics.nix
@ -288,6 +297,7 @@
  ./services/misc/parsoid.nix
  ./services/misc/phd.nix
  ./services/misc/plex.nix
  ./services/misc/radarr.nix
  ./services/misc/redmine.nix
  ./services/misc/rippled.nix
  ./services/misc/ripple-rest.nix
@ -324,10 +334,12 @@
  ./services/monitoring/prometheus/default.nix
  ./services/monitoring/prometheus/alertmanager.nix
  ./services/monitoring/prometheus/blackbox-exporter.nix
  ./services/monitoring/prometheus/fritzbox-exporter.nix
  ./services/monitoring/prometheus/json-exporter.nix
  ./services/monitoring/prometheus/nginx-exporter.nix
  ./services/monitoring/prometheus/node-exporter.nix
  ./services/monitoring/prometheus/snmp-exporter.nix
  ./services/monitoring/prometheus/unifi-exporter.nix
  ./services/monitoring/prometheus/varnish-exporter.nix
  ./services/monitoring/riemann.nix
  ./services/monitoring/riemann-dash.nix
@ -424,6 +436,7 @@
  ./services/networking/namecoind.nix
  ./services/networking/nat.nix
  ./services/networking/networkmanager.nix
  ./services/networking/nftables.nix
  ./services/networking/ngircd.nix
  ./services/networking/nix-serve.nix
  ./services/networking/nntp-proxy.nix
@ -444,7 +457,7 @@
  ./services/networking/prayer.nix
  ./services/networking/privoxy.nix
  ./services/networking/prosody.nix
-  ./services/networking/quagga.nix
+  # ./services/networking/quagga.nix
  ./services/networking/quassel.nix
  ./services/networking/racoon.nix
  ./services/networking/radicale.nix
@ -518,6 +531,7 @@
  ./services/system/cgmanager.nix
  ./services/system/cloud-init.nix
  ./services/system/dbus.nix
  ./services/system/earlyoom.nix
  ./services/system/kerberos.nix
  ./services/system/nscd.nix
  ./services/system/uptimed.nix
@ -566,6 +580,7 @@
  ./services/x11/display-managers/lightdm.nix
  ./services/x11/display-managers/sddm.nix
  ./services/x11/display-managers/slim.nix
  ./services/x11/display-managers/xpra.nix
  ./services/x11/hardware/libinput.nix
  ./services/x11/hardware/multitouch.nix
  ./services/x11/hardware/synaptics.nix
--- a/nixos/modules/profiles/graphical.nix
+++ b/nixos/modules/profiles/graphical.nix
@ -1,5 +1,5 @@
-# This module defines a NixOS configuration that contains X11 and
+# This module defines a NixOS configuration with the Plasma 5 desktop.
-# KDE 4.  It's used by the graphical installation CD.
+# It's used by the graphical installation CD.
 { config, pkgs, ... }:
@ -7,7 +7,7 @@
  services.xserver = {
    enable = true;
    displayManager.sddm.enable = true;
-    desktopManager.kde5.enable = true;
+    desktopManager.plasma5.enable = true;
    synaptics.enable = true; # for touchpad support on many laptops
  };
--- a/nixos/modules/programs/adb.nix
+++ b/nixos/modules/programs/adb.nix
@ -10,7 +10,6 @@ with lib;
    programs.adb = {
      enable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Whether to configure system to use Android Debug Bridge (adb).
--- a/nixos/modules/programs/gphoto2.nix
+++ b/nixos/modules/programs/gphoto2.nix
@ -10,7 +10,6 @@ with lib;
    programs.gphoto2 = {
      enable = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Whether to configure system to use gphoto2.
--- a/nixos/modules/programs/mosh.nix
+++ b/nixos/modules/programs/mosh.nix
@ -14,7 +14,6 @@ in
        Whether to enable mosh. Note, this will open ports in your firewall!
      '';
      default = false;
      example = true;
      type = lib.types.bool;
    };
  };
--- a/nixos/modules/programs/ssmtp.nix
+++ b/nixos/modules/programs/ssmtp.nix
@ -22,7 +22,6 @@ in
      directDelivery = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Use the trivial Mail Transfer Agent (MTA)
          <command>ssmtp</command> package to allow programs to send
@ -40,7 +39,8 @@ in
        example = "mail.example.org";
        description = ''
          The host name of the default mail server to use to deliver
-          e-mail.
+          e-mail. Can also contain a port number (ex: mail.example.org:587),
          defaults to port 25 if no port is given.
        '';
      };
@ -65,7 +65,6 @@ in
      useTLS = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether TLS should be used to connect to the default mail
          server.
@ -75,7 +74,6 @@ in
      useSTARTTLS = mkOption {
        type = types.bool;
        default = false;
        example = true;
        description = ''
          Whether the STARTTLS should be used to connect to the default
          mail server.  (This is needed for TLS-capable mail servers
@ -98,9 +96,28 @@ in
        example = "correctHorseBatteryStaple";
        description = ''
          Password used for SMTP auth. (STORED PLAIN TEXT, WORLD-READABLE IN NIX STORE)
          It's recommended to use <option>authPassFile</option>
          which takes precedence over <option>authPass</option>.
        '';
      };
-      
+
      authPassFile = mkOption {
        type = types.nullOr types.str;
        default = null;
        example = "/run/keys/ssmtp-authpass";
        description = ''
          Path to a file that contains the password used for SMTP auth. The file
          should not contain a trailing newline, if the password does not contain one.
          This file should be readable by the users that need to execute ssmtp.
          <option>authPassFile</option> takes precedence over <option>authPass</option>.
          Warning: when <option>authPass</option> is non-empty <option>authPassFile</option>
          defaults to a file in the WORLD-READABLE Nix store containing that password.
        '';
      };
      setSendmail = mkOption {
        type = types.bool;
        default = true;
@ -114,21 +131,28 @@ in
  config = mkIf cfg.directDelivery {
    networking.defaultMailServer.authPassFile = mkIf (cfg.authPass != "")
      (mkDefault (toString (pkgs.writeTextFile {
        name = "ssmtp-authpass";
        text = cfg.authPass;
      })));
    environment.etc."ssmtp/ssmtp.conf".text =
      let yesNo = yes : if yes then "YES" else "NO"; in
      ''
        MailHub=${cfg.hostName}
        FromLineOverride=YES
-        ${if cfg.root != "" then "root=${cfg.root}" else ""}
+        ${optionalString (cfg.root   != "") "root=${cfg.root}"}
-        ${if cfg.domain != "" then "rewriteDomain=${cfg.domain}" else ""}
+        ${optionalString (cfg.domain != "") "rewriteDomain=${cfg.domain}"}
-        UseTLS=${if cfg.useTLS then "YES" else "NO"}
+        UseTLS=${yesNo cfg.useTLS}
-        UseSTARTTLS=${if cfg.useSTARTTLS then "YES" else "NO"}
+        UseSTARTTLS=${yesNo cfg.useSTARTTLS}
        #Debug=YES
-        ${if cfg.authUser != "" then "AuthUser=${cfg.authUser}" else ""}
+        ${optionalString (cfg.authUser != "")       "AuthUser=${cfg.authUser}"}
-        ${if cfg.authPass != "" then "AuthPass=${cfg.authPass}" else ""}
+        ${optionalString (!isNull cfg.authPassFile) "AuthPassFile=${cfg.authPassFile}"}
      '';
    environment.systemPackages = [pkgs.ssmtp];
-    
+
    services.mail.sendmailSetuidWrapper = mkIf cfg.setSendmail {
      program = "sendmail";
      source = "${pkgs.ssmtp}/bin/sendmail";
--- a/nixos/modules/programs/tmux.nix
+++ b/nixos/modules/programs/tmux.nix
@ -65,7 +65,6 @@ in {
      aggressiveResize = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = ''
          Resize the window to the size of the smallest session for which it is the current window.
@ -81,14 +80,12 @@ in {
      clock24 = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Use 24 hour clock.";
      };
      customPaneNavigationAndResize = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Override the hjkl and HJKL bindings for pane navigation and resizing in VI mode.";
      };
@ -124,14 +121,12 @@ in {
      newSession = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Automatically spawn a session if trying to attach and none are running.";
      };
      reverseSplit = mkOption {
        default = false;
        example = true;
        type = types.bool;
        description = "Reverse the window split shortcuts.";
      };
--- a/nixos/modules/programs/venus.nix
+++ b/nixos/modules/programs/venus.nix
@ -45,7 +45,7 @@ in
        description = ''
          Specification (in the format described by
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>) of the time at
+          <manvolnum>7</manvolnum></citerefentry>) of the time at
          which the Venus will collect feeds.
        '';
      };
--- a/nixos/modules/programs/vim.nix
+++ b/nixos/modules/programs/vim.nix
@ -9,7 +9,6 @@ in {
    defaultEditor = mkOption {
      type = types.bool;
      default = false;
      example = true;
      description = ''
        When enabled, installs vim and configures vim to be the default editor
        using the EDITOR environment variable.
--- a/nixos/modules/programs/wireshark.nix
+++ b/nixos/modules/programs/wireshark.nix
@ -0,0 +1,42 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.programs.wireshark;
  wireshark = cfg.package;
 in {
  options = {
    programs.wireshark = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to add Wireshark to the global environment and configure a
          setcap wrapper for 'dumpcap' for users in the 'wireshark' group.
        '';
      };
      package = mkOption {
        type = types.package;
        default = pkgs.wireshark-cli;
        defaultText = "pkgs.wireshark-cli";
        description = ''
          Which Wireshark package to install in the global environment.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    environment.systemPackages = [ wireshark ];
    users.extraGroups.wireshark = {};
    security.wrappers.dumpcap = {
      source = "${wireshark}/bin/dumpcap";
      capabilities = "cap_net_raw+p";
      owner = "root";
      group = "wireshark";
      permissions = "u+rx,g+x";
    };
  };
 }
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -35,6 +35,9 @@ with lib;
    (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
    (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
    (mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead")
    (mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead")
    # Old Grub-related options.
    (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
    (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])
@ -103,9 +106,6 @@ with lib;
    (mkRenamedOptionModule [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
    (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "xbmc" ] [ "services" "xserver" "desktopManager" "kodi" ])
    # DNSCrypt-proxy
    (mkRenamedOptionModule [ "services" "dnscrypt-proxy" "port" ] [ "services" "dnscrypt-proxy" "localPort" ])
    (mkRenamedOptionModule [ "services" "hostapd" "extraCfg" ] [ "services" "hostapd" "extraConfig" ])
    # Enlightenment
@ -141,9 +141,6 @@ with lib;
    # Unity3D
    (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
    # fontconfig-ultimate
    (mkRenamedOptionModule [ "fonts" "fontconfig" "ultimate" "rendering" ] [ "fonts" "fontconfig" "ultimate" "preset" ])
    # murmur
    (mkRenamedOptionModule [ "services" "murmur" "welcome" ] [ "services" "murmur" "welcometext" ])
@ -178,6 +175,16 @@ with lib;
    (mkRenamedOptionModule [ "services" "nfs" "lockdPort" ] [ "services" "nfs" "server" "lockdPort" ])
    (mkRenamedOptionModule [ "services" "nfs" "statdPort" ] [ "services" "nfs" "server" "statdPort" ])
    # KDE Plasma 5
    (mkRenamedOptionModule [ "services" "xserver" "desktopManager" "kde5" ] [ "services" "xserver" "desktopManager" "plasma5" ])
    # Fontconfig
    (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "allowBitmaps" ] [ "config" "fonts" "fontconfig" "allowBitmaps" ])
    (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "allowType1" ] [ "config" "fonts" "fontconfig" "allowType1" ])
    (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "useEmbeddedBitmaps" ] [ "config" "fonts" "fontconfig" "useEmbeddedBitmaps" ])
    (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "forceAutohint" ] [ "config" "fonts" "fontconfig" "forceAutohint" ])
    (mkRenamedOptionModule [ "config" "fonts" "fontconfig" "ultimate" "renderMonoTTFAsBitmap" ] [ "config" "fonts" "fontconfig" "renderMonoTTFAsBitmap" ])
    # Options that are obsolete and have no replacement.
    (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
    (mkRemovedOptionModule [ "programs" "bash" "enable" ] "")
@ -192,5 +199,10 @@ with lib;
      "See the 16.09 release notes for more information.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
    (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "hinting" "style" ] "")
    (mkRemovedOptionModule [ "services" "xserver" "displayManager" "sddm" "themes" ]
      "Set the option `services.xserver.displayManager.sddm.package' instead.")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "forceAutohint" ] "")
    (mkRemovedOptionModule [ "fonts" "fontconfig" "renderMonoTTFAsBitmap" ] "")
  ];
 }
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@ -110,7 +110,7 @@ in
        description = ''
          Systemd calendar expression when to check for renewal. See
          <citerefentry><refentrytitle>systemd.time</refentrytitle>
-          <manvolnum>5</manvolnum></citerefentry>.
+          <manvolnum>7</manvolnum></citerefentry>.
        '';
      };
@ -178,7 +178,7 @@ in
                  path = [ pkgs.simp_le ];
                  preStart = ''
                    mkdir -p '${cfg.directory}'
-                    chown '${data.user}:${data.group}' '${cfg.directory}'
+                    chown -R '${data.user}:${data.group}' '${cfg.directory}'
                    if [ ! -d '${cpath}' ]; then
                      mkdir '${cpath}'
                    fi
--- a/nixos/modules/security/dhparams.nix
+++ b/nixos/modules/security/dhparams.nix
@ -0,0 +1,107 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.security.dhparams;
 in
 {
  options = {
    security.dhparams = {
      params = mkOption {
        description =
          ''
            Diffie-Hellman parameters to generate.
            The value is the size (in bits) of the DH params to generate. The
            generated DH params path can be found in
            <filename><replaceable>security.dhparams.path</replaceable>/<replaceable>name</replaceable>.pem</filename>.
            Note: The name of the DH params is taken as being the name of the
            service it serves: the params will be generated before the said
            service is started.
            Warning: If you are removing all dhparams from this list, you have
            to leave security.dhparams.enable for at least one activation in
            order to have them be cleaned up. This also means if you rollback to
            a version without any dhparams the existing ones won't be cleaned
            up.
          '';
        type = with types; attrsOf int;
        default = {};
        example = { nginx = 3072; };
      };
      path = mkOption {
        description =
          ''
            Path to the directory in which Diffie-Hellman parameters will be
            stored.
          '';
        type = types.str;
        default = "/var/lib/dhparams";
      };
      enable = mkOption {
        description =
          ''
            Whether to generate new DH params and clean up old DH params.
          '';
        default = false;
        type = types.bool;
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services = {
      dhparams-init = {
        description = "Cleanup old Diffie-Hellman parameters";
        wantedBy = [ "multi-user.target" ]; # Clean up even when no DH params is set
        serviceConfig.Type = "oneshot";
        script =
          # Create directory
          ''
            if [ ! -d ${cfg.path} ]; then
              mkdir -p ${cfg.path}
            fi
          '' +
          # Remove old dhparams
          ''
            for file in ${cfg.path}/*; do
              if [ ! -f "$file" ]; then
                continue
              fi
          '' + concatStrings (mapAttrsToList (name: value:
          ''
              if [ "$file" == "${cfg.path}/${name}.pem" ] && \
                  ${pkgs.openssl}/bin/openssl dhparam -in "$file" -text | head -n 1 | grep "(${toString value} bit)" > /dev/null; then
                continue
              fi
          ''
          ) cfg.params) +
          ''
              rm $file
            done
            # TODO: Ideally this would be removing the *former* cfg.path, though this
            # does not seem really important as changes to it are quite unlikely
            rmdir --ignore-fail-on-non-empty ${cfg.path}
          '';
      };
    } //
      mapAttrs' (name: value: nameValuePair "dhparams-gen-${name}" {
        description = "Generate Diffie-Hellman parameters for ${name} if they don't exist yet";
        after = [ "dhparams-init.service" ];
        before = [ "${name}.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig.Type = "oneshot";
        script =
          ''
            mkdir -p ${cfg.path}
            if [ ! -f ${cfg.path}/${name}.pem ]; then
              ${pkgs.openssl}/bin/openssl dhparam -out ${cfg.path}/${name}.pem ${toString value}
            fi
          '';
      }) cfg.params;
  };
 }
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -21,7 +21,6 @@ in
    enable = mkOption {
      type = types.bool;
      example = true;
      default = false;
      description = ''
        Enable grsecurity/PaX.
@ -30,7 +29,6 @@ in
    lockTunables = mkOption {
      type = types.bool;
      example = false;
      default = true;
      description = ''
        Whether to automatically lock grsecurity tunables
@ -43,7 +41,6 @@ in
    disableEfiRuntimeServices = mkOption {
      type = types.bool;
      example = false;
      default = true;
      description = ''
        Whether to disable access to EFI runtime services.  Enabling EFI runtime
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@ -214,8 +214,8 @@
            GRKERNSEC_CONFIG_SERVER y
            GRKERNSEC_CONFIG_SECURITY y
          '';
-          };
+        };
-      }
+      };
    </programlisting>
  </para>
@ -312,7 +312,7 @@
      Overflows in boot critical code (e.g., the root filesystem module) can
      render the system unbootable.  Work around by setting
      <programlisting>
-        boot.kernel.kernelParams = [ "pax_size_overflow_report_only" ];
+        boot.kernelParams = [ "pax_size_overflow_report_only" ];
      </programlisting>
    </para></listitem>
--- a/Show More
+++ b/Show More