Merge remote-tracking branch 'upstream/master'

lib/maintainers.nix

@@ -136,6 +136,7 @@
   dancek = "Hannu Hartikainen <hannu.hartikainen@gmail.com>";
   danielfullmer = "Daniel Fullmer <danielrf12@gmail.com>";
   dasuxullebt = "Christoph-Simon Senjak <christoph.senjak@googlemail.com>";
+  david50407 = "David Kuo <me@davy.tw>";
   davidak = "David Kleuker <post@davidak.de>";
   davidrusu = "David Rusu <davidrusu.me@gmail.com>";
   davorb = "Davor Babic <davor@davor.se>";
@@ -287,6 +288,7 @@
   joelmo = "Joel Moberg <joel.moberg@gmail.com>";
   joelteon = "Joel Taylor <me@joelt.io>";
   johbo = "Johannes Bornhold <johannes@bornhold.name>";
+  johnmh = "John M. Harris, Jr. <johnmh@openblox.org>";
   johnramsden = "John Ramsden <johnramsden@riseup.net>";
   joko = "Ioannis Koutras <ioannis.koutras@gmail.com>";
   jonafato = "Jon Banafato <jon@jonafato.com>";
@@ -373,6 +375,7 @@
   meditans = "Carlo Nucera <meditans@gmail.com>";
   meisternu = "Matt Miemiec <meister@krutt.org>";
   metabar = "Celine Mercier <softs@metabarcoding.org>";
+  mgdelacroix = "Miguel de la Cruz <mgdelacroix@gmail.com>";
   mguentner = "Maximilian Güntner <code@klandest.in>";
   mic92 = "Jörg Thalheim <joerg@thalheim.io>";
   michaelpj = "Michael Peyton Jones <michaelpj@gmail.com>";
@@ -382,7 +385,6 @@
   mikefaille = "Michaël Faille <michael@faille.io>";
   miltador = "Vasiliy Solovey <miltador@yandex.ua>";
   mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
-  mingchuan = "Ming Chuan <ming@culpring.com>";
   mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";
   mirrexagon = "Andrew Abbott <mirrexagon@mirrexagon.com>";
   mjanczyk = "Marcin Janczyk <m@dragonvr.pl>";
@@ -456,6 +458,7 @@
   periklis = "theopompos@gmail.com";
   pesterhazy = "Paulus Esterhazy <pesterhazy@gmail.com>";
   peterhoeg = "Peter Hoeg <peter@hoeg.com>";
+  peterromfeldhk = "Peter Romfeld <peter.romfeld.hk@gmail.com>";
   peti = "Peter Simons <simons@cryp.to>";
   philandstuff = "Philip Potter <philip.g.potter@gmail.com>";
   phile314 = "Philipp Hausmann <nix@314.ch>";
@@ -548,8 +551,10 @@
   shell = "Shell Turner <cam.turn@gmail.com>";
   shlevy = "Shea Levy <shea@shealevy.com>";
   siddharthist = "Langston Barrett <langston.barrett@gmail.com>";
+  sifmelcara = "Ming Chuan <ming@culpring.com>";
   sigma = "Yann Hodique <yann.hodique@gmail.com>";
   simonvandel = "Simon Vandel Sillesen <simon.vandel@gmail.com>";
+  sivteck = "Sivaram Balakrishnan <sivaram1992@gmail.com>";
   sjagoe = "Simon Jagoe <simon@simonjagoe.com>";
   sjmackenzie = "Stewart Mackenzie <setori88@gmail.com>";
   sjourdois = "Stéphane ‘kwisatz’ Jourdois <sjourdois@gmail.com>";
@@ -571,10 +576,12 @@
   sternenseemann = "Lukas Epple <post@lukasepple.de>";
   stesie = "Stefan Siegl <stesie@brokenpipe.de>";
   steveej = "Stefan Junker <mail@stefanjunker.de>";
+  stumoss = "Stuart Moss <samoss@gmail.com>";
   SuprDewd = "Bjarki Ágúst Guðmundsson <suprdewd@gmail.com>";
   swarren83 = "Shawn Warren <shawn.w.warren@gmail.com>";
   swflint = "Samuel W. Flint <swflint@flintfam.org>";
   swistak35 = "Rafał Łasocha <me@swistak35.com>";
+  symphorien = "Guillaume Girol <symphorien_nixpkgs@xlumurb.eu>";
   szczyp = "Szczyp <qb@szczyp.com>";
   sztupi = "Attila Sztupak <attila.sztupak@gmail.com>";
   taeer = "Taeer Bar-Yam <taeer@necsi.edu>";
@@ -584,6 +591,7 @@
   taku0 = "Takuo Yonezawa <mxxouy6x3m_github@tatapa.org>";
   tari = "Peter Marheine <peter@taricorp.net>";
   tavyc = "Octavian Cerna <octavian.cerna@gmail.com>";
+  TealG = "Teal Gaure <~@Teal.Gr>";
   teh = "Tom Hunger <tehunger@gmail.com>";
   telotortium = "Robert Irelan <rirelan@gmail.com>";
   teto = "Matthieu Coudron <mcoudron@hotmail.com>";

maintainers/scripts/gnome.sh

@@ -6,7 +6,7 @@ GNOME_FTP=ftp.gnome.org/pub/GNOME/sources
 
 # projects that don't follow the GNOME major versioning, or that we don't want to
 # programmatically update
-NO_GNOME_MAJOR="ghex gtkhtml gdm"
+NO_GNOME_MAJOR="ghex gtkhtml gdm gucharmap"
 
 usage() {
   echo "Usage: $0 <show project>|<update project>|<update-all> [major.minor]" >&2

nixos/doc/manual/release-notes/rl-1709.xml

@@ -6,13 +6,22 @@
 
 <title>Release 17.09 (“Hummingbird”, 2017/09/??)</title>
 
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-highlights">
+
+<title>Highlights</title>
+
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
 
 <itemizedlist>
   <listitem>
     <para>
-      The GNOME version is now 3.24.
+      The GNOME version is now 3.24. KDE Plasma was upgraded to 5.10,
+      KDE Applications to 17.08.1 and KDE Frameworks to 5.37.
     </para>
   </listitem>
   <listitem>
@@ -47,22 +56,23 @@ has the following highlights: </para>
   </listitem>
   <listitem>
     <para>
-      The handling of SSL in the nginx module has been cleaned up, renaming
-      the misnomed <literal>enableSSL</literal> to <literal>onlySSL</literal>
-      which reflects its original intention. This is not to be used with the
-      already existing <literal>forceSSL</literal> which creates a second
-      non-SSL virtual host redirecting to the SSL virtual host. This by
-      chance had worked earlier due to specific implementation details. In
-      case you had specified both please remove the <literal>enableSSL</literal>
-      option to keep the previous behaviour.
+      The handling of SSL in the <literal>services.nginx</literal> module has
+      been cleaned up, renaming the misnamed <literal>enableSSL</literal> to
+      <literal>onlySSL</literal> which reflects its original intention. This
+      is not to be used with the already existing <literal>forceSSL</literal>
+      which creates a second non-SSL virtual host redirecting to the SSL
+      virtual host. This by chance had worked earlier due to specific
+      implementation details. In case you had specified both please remove
+      the <literal>enableSSL</literal> option to keep the previous behaviour.
     </para>
     <para>
       Another <literal>addSSL</literal> option has been introduced to configure
-      both a non-SSL virtual host and an SSL virtual host.
+      both a non-SSL virtual host and an SSL virtual host with the same
+      configuration.
     </para>
     <para>
-      Options to configure <literal>resolver</literal>s and
-      <literal>upstream</literal>s have been introduced. See their information
+      Options to configure <literal>resolver</literal> options and
+      <literal>upstream</literal> blocks have been introduced. See their information
       for further details.
     </para>
     <para>
@@ -74,19 +84,185 @@ has the following highlights: </para>
   </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-new-services">
+
+<title>New Services</title>
+
 <para>The following new services were added since the last release:</para>
 
 <itemizedlist>
-  <listitem>
-    <para></para>
-  </listitem>
+  <listitem><para><literal>config/fonts/fontconfig-penultimate.nix</literal></para></listitem>
+  <listitem><para><literal>config/fonts/fontconfig-ultimate.nix</literal></para></listitem>
+  <listitem><para><literal>config/terminfo.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/sensor/iio.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/nitrokey.nix</literal></para></listitem>
+  <listitem><para><literal>hardware/raid/hpsa.nix</literal></para></listitem>
+  <listitem><para><literal>programs/browserpass.nix</literal></para></listitem>
+  <listitem><para><literal>programs/gnupg.nix</literal></para></listitem>
+  <listitem><para><literal>programs/qt5ct.nix</literal></para></listitem>
+  <listitem><para><literal>programs/slock.nix</literal></para></listitem>
+  <listitem><para><literal>programs/thefuck.nix</literal></para></listitem>
+  <listitem><para><literal>security/auditd.nix</literal></para></listitem>
+  <listitem><para><literal>security/lock-kernel-modules.nix</literal></para></listitem>
+  <listitem><para><literal>service-managers/docker.nix</literal></para></listitem>
+  <listitem><para><literal>service-managers/trivial.nix</literal></para></listitem>
+  <listitem><para><literal>services/admin/salt/master.nix</literal></para></listitem>
+  <listitem><para><literal>services/admin/salt/minion.nix</literal></para></listitem>
+  <listitem><para><literal>services/audio/slimserver.nix</literal></para></listitem>
+  <listitem><para><literal>services/cluster/kubernetes/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/cluster/kubernetes/dns.nix</literal></para></listitem>
+  <listitem><para><literal>services/cluster/kubernetes/dashboard.nix</literal></para></listitem>
+  <listitem><para><literal>services/continuous-integration/hail.nix</literal></para></listitem>
+  <listitem><para><literal>services/databases/clickhouse.nix</literal></para></listitem>
+  <listitem><para><literal>services/databases/postage.nix</literal></para></listitem>
+  <listitem><para><literal>services/desktops/gnome3/gnome-disks.nix</literal></para></listitem>
+  <listitem><para><literal>services/desktops/gnome3/gpaste.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/SystemdJournal2Gelf.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/heartbeat.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/journalwatch.nix</literal></para></listitem>
+  <listitem><para><literal>services/logging/syslogd.nix</literal></para></listitem>
+  <listitem><para><literal>services/mail/mailhog.nix</literal></para></listitem>
+  <listitem><para><literal>services/mail/nullmailer.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/airsonic.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/autorandr.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/exhibitor.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/fstrim.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/gollum.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/irkerd.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/jackett.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/radarr.nix</literal></para></listitem>
+  <listitem><para><literal>services/misc/snapper.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/osquery.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/collectd-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/monitoring/prometheus/fritzbox-exporter.nix</literal></para></listitem>
+  <listitem><para><literal>services/network-filesystems/kbfs.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/dnscache.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/fireqos.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/iwd.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/keepalived/default.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/keybase.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/lldpd.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/matterbridge.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/squid.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/tinydns.nix</literal></para></listitem>
+  <listitem><para><literal>services/networking/xrdp.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/shibboleth-sp.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/sks.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/sshguard.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/torify.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/usbguard.nix</literal></para></listitem>
+  <listitem><para><literal>services/security/vault.nix</literal></para></listitem>
+  <listitem><para><literal>services/system/earlyoom.nix</literal></para></listitem>
+  <listitem><para><literal>services/system/saslauthd.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/nexus.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/pgpkeyserver-lite.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-apps/piwik.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-servers/lighttpd/collectd.nix</literal></para></listitem>
+  <listitem><para><literal>services/web-servers/minio.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/display-managers/xpra.nix</literal></para></listitem>
+  <listitem><para><literal>services/x11/xautolock.nix</literal></para></listitem>
+  <listitem><para><literal>tasks/filesystems/bcachefs.nix</literal></para></listitem>
+  <listitem><para><literal>tasks/powertop.nix</literal></para></listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-incompatibilities">
+
+<title>Backward Incompatibilities</title>
 
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 
 <itemizedlist>
+  <listitem>
+    <para>
+        <emphasis role="strong">
+            In an Qemu-based virtualization environment, the network interface
+            names changed from i.e. <literal>enp0s3</literal> to
+            <literal>ens3</literal>.
+        </emphasis>
+    </para>
+    <para>
+        This is due to a kernel configuration change. The new naming
+        is consistent with those of other Linux distributions with
+        systemd. See
+        <link xlink:href="https://github.com/NixOS/nixpkgs/issues/29197">#29197</link>
+        for more information.
+    </para>
+    <para>
+        A machine is affected if the <literal>virt-what</literal> tool
+        either returns <literal>qemu</literal> or
+        <literal>kvm</literal> <emphasis>and</emphasis> has
+        interface names used in any part of its NixOS configuration,
+        in particular if a static network configuration with
+        <literal>networking.interfaces</literal> is used.
+    </para>
+    <para>
+        Before rebooting affected machines, please ensure:
+        <itemizedlist>
+          <listitem>
+            <para>
+              Change the interface names in your NixOS configuration.
+              The first interface will be called <literal>ens3</literal>,
+              the second one <literal>ens8</literal> and starting from there
+              incremented by 1.
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              After changing the interface names, rebuild your system with
+              <literal>nixos-rebuild boot</literal> to activate the new
+              configuration after a reboot. If you switch to the new
+              configuration right away you might lose network connectivity!
+              If using <literal>nixops</literal>, deploy with
+              <literal>nixops deploy --force-reboot</literal>.
+            </para>
+          </listitem>
+        </itemizedlist>
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+      The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
+      For <literal>stateVersion = "17.03"</literal> or lower the old behavior is preserved.
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para>
+          The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
+        </para>
+      </listitem>
+      <listitem>
+        <para>
+          Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
+        </para>
+      </listitem>
+    </itemizedlist>
+  </listitem>
   <listitem>
     <para>
       The <literal>aiccu</literal> package was removed. This is due to SixXS
@@ -115,7 +291,7 @@ following incompatible changes:</para>
   </listitem>
   <listitem>
     <para>
-      The ipfs package now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
+      The <literal>ipfs</literal> service now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
 <programlisting>
 dataDir=&lt;valueOfDataDir&gt;
 mv /var/lib/ipfs/.ipfs/* $dataDir
@@ -123,32 +299,11 @@ rmdir /var/lib/ipfs/.ipfs
 </programlisting>
     </para>
   </listitem>
-  <listitem>
-    <para>
-      The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
-      For <literal>stateVersion = "17.03</literal> or lower the old behavior is preserved.
-    </para>
-    <para>
-      The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
-    </para>
-    <para>
-      The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
-    </para>
-    <para>
-      The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
-    </para>
-    <para>
-      The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
-    </para>
-    <para>
-            Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <link xlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filename xlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
-    </para>
-  </listitem>
   <listitem>
     <para>
       The <literal>caddy</literal> service was previously using an extra
-      <literal>.caddy</literal> in the data directory specified with the
-      <literal>dataDir</literal> option. The contents of the
+      <literal>.caddy</literal> directory in the data directory specified
+      with the <literal>dataDir</literal> option. The contents of the
       <literal>.caddy</literal> directory are now expected to be in the
       <literal>dataDir</literal>.
     </para>
@@ -226,15 +381,6 @@ rmdir /var/lib/ipfs/.ipfs
       upstream's announcement</link> for more information.
       No complete replacement for grsecurity/PaX is available presently.
     </para>
-  </listitem>
-    <listitem>
-    <para>
-      The <literal>gnupg</literal> package used to suffix its programs
-      with <literal>2</literal>, like <command>gpg2</command> and
-      <command>gpgv2</command>. This suffix has since been dropped,
-      and the programs are now simply <command>gpg</command>,
-      <command>gpgv</command>, etc.
-    </para>
   </listitem>
   <listitem>
     <para>
@@ -273,22 +419,6 @@ FLUSH PRIVILEGES;
 </programlisting>
     </para>
   </listitem>
-  <listitem>
-    <para>
-      <literal>sha256</literal> argument value of
-      <literal>dockerTools.pullImage</literal> expression must be
-      updated since the mechanism to download the image has been
-      changed. Skopeo is now used to pull the image instead of the
-      Docker daemon.
-    </para>
-  </listitem>
-  <listitem>
-    <para>
-      Templated systemd services e.g <literal>container@name</literal> are
-      now handled currectly when switching to a new configuration, resulting
-      in them being reloaded.
-    </para>
-  </listitem>
 
   <listitem>
     <para>
@@ -330,6 +460,14 @@ FLUSH PRIVILEGES;
     </para>
   </listitem>
 
+  <listitem>
+    <para>
+      Templated systemd services e.g <literal>container@name</literal> are
+      now handled currectly when switching to a new configuration, resulting
+      in them being reloaded.
+    </para>
+  </listitem>
+
   <listitem>
     <para>Steam: the <literal>newStdcpp</literal> parameter
     was removed and should not be needed anymore.</para>
@@ -344,7 +482,14 @@ FLUSH PRIVILEGES;
   </listitem>
 </itemizedlist>
 
-<para>Other notable improvements:</para>
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-17.09-notable-changes">
+
+<title>Other Notable Changes</title>
 
 <itemizedlist>
 
@@ -389,7 +534,7 @@ FLUSH PRIVILEGES;
       Nixpkgs overlays may now be specified with a file as well as a directory. The
       value of <literal>&lt;nixpkgs-overlays></literal> may be a file, and
       <filename>~/.config/nixpkgs/overlays.nix</filename> can be used instead of the
-      <filename>~/.config/nixpkgs/overalys</filename> directory.
+      <filename>~/.config/nixpkgs/overlays</filename> directory.
     </para>
     <para>
       See the overlays chapter of the Nixpkgs manual for more details.
@@ -418,22 +563,33 @@ FLUSH PRIVILEGES;
       which makes it possible to remove the install medium after booting.
       This allows tethering from your phone after booting from it.
     </para>
+  </listitem>
+  <listitem>
     <para>
       <literal>services.gitlab-runner.configOptions</literal> has been added
       to specify the configuration of gitlab-runners declaratively.
     </para>
+  </listitem>
+  <listitem>
     <para>
       <literal>services.jenkins.plugins</literal> has been added
       to install plugins easily, this can be generated with jenkinsPlugins2nix.
     </para>
+  </listitem>
+  <listitem>
     <para>
       <literal>services.postfix.config</literal> has been added
       to specify the main.cf with NixOS options. Additionally other options
       have been added to the postfix module and has been improved further.
     </para>
+  </listitem>
+  <listitem>
     <para>
-        The GitLab package and module have been updated to the latest 9.5 release.
+      The GitLab package and module have been updated to the latest 10.0
+      release.
     </para>
+  </listitem>
+  <listitem>
     <para>
       The <literal>systemd-boot</literal> boot loader now lists the NixOS
       version, kernel version and build date of all bootable generations.
@@ -452,3 +608,4 @@ FLUSH PRIVILEGES;
 </itemizedlist>
 
 </section>
+</section>

nixos/doc/manual/release-notes/rl-1803.xml

@@ -6,6 +6,14 @@
 
 <title>Release 18.03 (“Impala”, 2018/03/??)</title>
 
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-highlights">
+
+<title>Highlights</title>
+
 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
 
@@ -16,6 +24,15 @@ has the following highlights: </para>
   </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-new-services">
+
+<title>New Services</title>
+
 <para>The following new services were added since the last release:</para>
 
 <itemizedlist>
@@ -24,6 +41,15 @@ has the following highlights: </para>
   </listitem>
 </itemizedlist>
 
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-incompatibilities">
+
+<title>Backward Incompatibilities</title>
+
 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
 
@@ -33,7 +59,14 @@ following incompatible changes:</para>
   </listitem>
 </itemizedlist>
 
-<para>Other notable improvements:</para>
+</section>
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-release-18.03-notable-changes">
+
+<title>Other Notable Changes</title>
 
 <itemizedlist>
   <listitem>
@@ -43,3 +76,4 @@ following incompatible changes:</para>
 </itemizedlist>
 
 </section>
+</section>

nixos/maintainers/scripts/ec2/create-amis.sh

@@ -17,7 +17,7 @@ mkdir -p $stateDir
 rm -f ec2-amis.nix
 
 types="hvm"
-stores="ebs s3"
+stores="ebs"
 regions="eu-west-1 eu-west-2 eu-central-1 us-east-1 us-east-2 us-west-1 us-west-2 ca-central-1 ap-southeast-1 ap-southeast-2 ap-northeast-1 ap-northeast-2 sa-east-1 ap-south-1"
 
 for type in $types; do

nixos/modules/config/krb5.nix

@@ -1,206 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  cfg = config.krb5;
-
-in
-
-{
-  ###### interface
-
-  options = {
-
-    krb5 = {
-
-      enable = mkOption {
-        default = false;
-        description = "Whether to enable Kerberos V.";
-      };
-
-      defaultRealm = mkOption {
-        default = "ATENA.MIT.EDU";
-        description = "Default realm.";
-      };
-
-      domainRealm = mkOption {
-        default = "atena.mit.edu";
-        description = "Default domain realm.";
-      };
-
-      kdc = mkOption {
-        default = "kerberos.mit.edu";
-        description = "Key Distribution Center";
-      };
-
-      kerberosAdminServer = mkOption {
-        default = "kerberos.mit.edu";
-        description = "Kerberos Admin Server.";
-      };
-
-    };
-
-  };
-
-  ###### implementation
-
-  config = mkIf config.krb5.enable {
-
-    environment.systemPackages = [ pkgs.krb5Full ];
-
-    environment.etc."krb5.conf".text =
-      ''
-        [libdefaults]
-            default_realm = ${cfg.defaultRealm}
-            encrypt = true
-
-        # The following krb5.conf variables are only for MIT Kerberos.
-            krb4_config = /etc/krb.conf
-            krb4_realms = /etc/krb.realms
-            kdc_timesync = 1
-            ccache_type = 4
-            forwardable = true
-            proxiable = true
-
-        # The following encryption type specification will be used by MIT Kerberos
-        # if uncommented.  In general, the defaults in the MIT Kerberos code are
-        # correct and overriding these specifications only serves to disable new
-        # encryption types as they are added, creating interoperability problems.
-
-        #   default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-        #   default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-        #   permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
-
-        # The following libdefaults parameters are only for Heimdal Kerberos.
-            v4_instance_resolve = false
-            v4_name_convert = {
-                host = {
-                    rcmd = host
-                    ftp = ftp
-                }
-                plain = {
-                    something = something-else
-                }
-            }
-            fcc-mit-ticketflags = true
-
-        [realms]
-            ${cfg.defaultRealm} = {
-                kdc = ${cfg.kdc}
-                admin_server = ${cfg.kerberosAdminServer}
-                #kpasswd_server = ${cfg.kerberosAdminServer}
-            }
-            ATHENA.MIT.EDU = {
-                kdc = kerberos.mit.edu:88
-                kdc = kerberos-1.mit.edu:88
-                kdc = kerberos-2.mit.edu:88
-                admin_server = kerberos.mit.edu
-                default_domain = mit.edu
-            }
-            MEDIA-LAB.MIT.EDU = {
-                kdc = kerberos.media.mit.edu
-                admin_server = kerberos.media.mit.edu
-            }
-            ZONE.MIT.EDU = {
-                kdc = casio.mit.edu
-                kdc = seiko.mit.edu
-                admin_server = casio.mit.edu
-            }
-            MOOF.MIT.EDU = {
-                kdc = three-headed-dogcow.mit.edu:88
-                kdc = three-headed-dogcow-1.mit.edu:88
-                admin_server = three-headed-dogcow.mit.edu
-            }
-            CSAIL.MIT.EDU = {
-                kdc = kerberos-1.csail.mit.edu
-                kdc = kerberos-2.csail.mit.edu
-                admin_server = kerberos.csail.mit.edu
-                default_domain = csail.mit.edu
-                krb524_server = krb524.csail.mit.edu
-            }
-            IHTFP.ORG = {
-                kdc = kerberos.ihtfp.org
-                admin_server = kerberos.ihtfp.org
-            }
-            GNU.ORG = {
-                kdc = kerberos.gnu.org
-                kdc = kerberos-2.gnu.org
-                kdc = kerberos-3.gnu.org
-                admin_server = kerberos.gnu.org
-            }
-            1TS.ORG = {
-                kdc = kerberos.1ts.org
-                admin_server = kerberos.1ts.org
-            }
-            GRATUITOUS.ORG = {
-                kdc = kerberos.gratuitous.org
-                admin_server = kerberos.gratuitous.org
-            }
-            DOOMCOM.ORG = {
-                kdc = kerberos.doomcom.org
-                admin_server = kerberos.doomcom.org
-            }
-            ANDREW.CMU.EDU = {
-                kdc = vice28.fs.andrew.cmu.edu
-                kdc = vice2.fs.andrew.cmu.edu
-                kdc = vice11.fs.andrew.cmu.edu
-                kdc = vice12.fs.andrew.cmu.edu
-                admin_server = vice28.fs.andrew.cmu.edu
-                default_domain = andrew.cmu.edu
-            }
-            CS.CMU.EDU = {
-                kdc = kerberos.cs.cmu.edu
-                kdc = kerberos-2.srv.cs.cmu.edu
-                admin_server = kerberos.cs.cmu.edu
-            }
-            DEMENTIA.ORG = {
-                kdc = kerberos.dementia.org
-                kdc = kerberos2.dementia.org
-                admin_server = kerberos.dementia.org
-            }
-            stanford.edu = {
-                kdc = krb5auth1.stanford.edu
-                kdc = krb5auth2.stanford.edu
-                kdc = krb5auth3.stanford.edu
-                admin_server = krb5-admin.stanford.edu
-                default_domain = stanford.edu
-            }
-
-        [domain_realm]
-            .${cfg.domainRealm} = ${cfg.defaultRealm}
-            ${cfg.domainRealm} = ${cfg.defaultRealm}
-            .mit.edu = ATHENA.MIT.EDU
-            mit.edu = ATHENA.MIT.EDU
-            .exchange.mit.edu = EXCHANGE.MIT.EDU
-            exchange.mit.edu = EXCHANGE.MIT.EDU
-            .media.mit.edu = MEDIA-LAB.MIT.EDU
-            media.mit.edu = MEDIA-LAB.MIT.EDU
-            .csail.mit.edu = CSAIL.MIT.EDU
-            csail.mit.edu = CSAIL.MIT.EDU
-            .whoi.edu = ATHENA.MIT.EDU
-            whoi.edu = ATHENA.MIT.EDU
-            .stanford.edu = stanford.edu
-
-        [logging]
-            kdc = SYSLOG:INFO:DAEMON
-            admin_server = SYSLOG:INFO:DAEMON
-            default = SYSLOG:INFO:DAEMON
-            krb4_convert = true
-            krb4_get_tickets = false
-
-        [appdefaults]
-            pam = {
-                debug = false
-                ticket_lifetime = 36000
-                renew_lifetime = 36000
-                max_timeout = 30
-                timeout_shift = 2
-                initial_timeout = 1
-            }
-      '';
-
-  };
-
-}

nixos/modules/config/krb5/default.nix

@@ -0,0 +1,367 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.krb5;
+
+  # This is to provide support for old configuration options (as much as is
+  # reasonable). This can be removed after 18.03 was released.
+  defaultConfig = {
+    libdefaults = optionalAttrs (cfg.defaultRealm != null)
+      { default_realm = cfg.defaultRealm; };
+
+    realms = optionalAttrs (lib.all (value: value != null) [
+      cfg.defaultRealm cfg.kdc cfg.kerberosAdminServer
+    ]) {
+      "${cfg.defaultRealm}" = {
+        kdc = cfg.kdc;
+        admin_server = cfg.kerberosAdminServer;
+      };
+    };
+
+    domain_realm = optionalAttrs (lib.all (value: value != null) [
+      cfg.domainRealm cfg.defaultRealm
+    ]) {
+      ".${cfg.domainRealm}" = cfg.defaultRealm;
+      "${cfg.domainRealm}" = cfg.defaultRealm;
+    };
+  };
+
+  mergedConfig = (recursiveUpdate defaultConfig {
+    inherit (config.krb5)
+      kerberos libdefaults realms domain_realm capaths appdefaults plugins
+      extraConfig config;
+  });
+
+  filterEmbeddedMetadata = value: if isAttrs value then
+    (filterAttrs
+      (attrName: attrValue: attrName != "_module" && attrValue != null)
+        value)
+    else value;
+
+  mkIndent = depth: concatStrings (builtins.genList (_:  " ") (2 * depth));
+
+  mkRelation = name: value: "${name} = ${mkVal { inherit value; }}";
+
+  mkVal = { value, depth ? 0 }:
+    if (value == true) then "true"
+    else if (value == false) then "false"
+    else if (isInt value) then (toString value)
+    else if (isList value) then
+      concatMapStringsSep " " mkVal { inherit value depth; }
+    else if (isAttrs value) then
+      (concatStringsSep "\n${mkIndent (depth + 1)}"
+        ([ "{" ] ++ (mapAttrsToList
+          (attrName: attrValue: let
+            mappedAttrValue = mkVal {
+              value = attrValue;
+              depth = depth + 1;
+            };
+          in "${attrName} = ${mappedAttrValue}")
+        value))) + "\n${mkIndent depth}}"
+    else value;
+
+  mkMappedAttrsOrString = value: concatMapStringsSep "\n"
+    (line: if builtins.stringLength line > 0
+      then "${mkIndent 1}${line}"
+      else line)
+    (splitString "\n"
+      (if isAttrs value then
+        concatStringsSep "\n"
+            (mapAttrsToList mkRelation value)
+        else value));
+
+in {
+
+  ###### interface
+
+  options = {
+    krb5 = {
+      enable = mkEnableOption "Whether to enable Kerberos V.";
+
+      kerberos = mkOption {
+        type = types.package;
+        default = pkgs.krb5Full;
+        defaultText = "pkgs.krb5Full";
+        example = literalExample "pkgs.heimdalFull";
+        description = ''
+          The Kerberos implementation that will be present in
+          <literal>environment.systemPackages</literal> after enabling this
+          service.
+        '';
+      };
+
+      libdefaults = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        apply = attrs: filterEmbeddedMetadata attrs;
+        example = literalExample ''
+          {
+            default_realm = "ATHENA.MIT.EDU";
+          };
+        '';
+        description = ''
+          Settings used by the Kerberos V5 library.
+        '';
+      };
+
+      realms = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "ATHENA.MIT.EDU" = {
+              admin_server = "athena.mit.edu";
+              kdc = "athena.mit.edu";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = "Realm-specific contact information and settings.";
+      };
+
+      domain_realm = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "example.com" = "EXAMPLE.COM";
+            ".example.com" = "EXAMPLE.COM";
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Map of server hostnames to Kerberos realms.
+        '';
+      };
+
+      capaths = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            "ATHENA.MIT.EDU" = {
+              "EXAMPLE.COM" = ".";
+            };
+            "EXAMPLE.COM" = {
+              "ATHENA.MIT.EDU" = ".";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Authentication paths for non-hierarchical cross-realm authentication.
+        '';
+      };
+
+      appdefaults = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            pam = {
+              debug = false;
+              ticket_lifetime = 36000;
+              renew_lifetime = 36000;
+              max_timeout = 30;
+              timeout_shift = 2;
+              initial_timeout = 1;
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Settings used by some Kerberos V5 applications.
+        '';
+      };
+
+      plugins = mkOption {
+        type = with types; either attrs lines;
+        default = {};
+        example = literalExample ''
+          {
+            ccselect = {
+              disable = "k5identity";
+            };
+          };
+        '';
+        apply = attrs: filterEmbeddedMetadata attrs;
+        description = ''
+          Controls plugin module registration.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = with types; nullOr lines;
+        default = null;
+        example = ''
+          [logging]
+            kdc          = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default      = SYSLOG:NOTICE
+        '';
+        description = ''
+          These lines go to the end of <literal>krb5.conf</literal> verbatim.
+          <literal>krb5.conf</literal> may include any of the relations that are
+          valid for <literal>kdc.conf</literal> (see <literal>man
+          kdc.conf</literal>), but it is not a recommended practice.
+        '';
+      };
+
+      config = mkOption {
+        type = with types; nullOr lines;
+        default = null;
+        example = ''
+          [libdefaults]
+            default_realm = EXAMPLE.COM
+
+          [realms]
+            EXAMPLE.COM = {
+              admin_server = kerberos.example.com
+              kdc = kerberos.example.com
+              default_principal_flags = +preauth
+            }
+
+          [domain_realm]
+            example.com  = EXAMPLE.COM
+            .example.com = EXAMPLE.COM
+
+          [logging]
+            kdc          = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default      = SYSLOG:NOTICE
+        '';
+        description = ''
+          Verbatim <literal>krb5.conf</literal> configuration.  Note that this
+          is mutually exclusive with configuration via
+          <literal>libdefaults</literal>, <literal>realms</literal>,
+          <literal>domain_realm</literal>, <literal>capaths</literal>,
+          <literal>appdefaults</literal>, <literal>plugins</literal> and
+          <literal>extraConfig</literal> configuration options.  Consult
+          <literal>man krb5.conf</literal> for documentation.
+        '';
+      };
+
+      defaultRealm = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "ATHENA.MIT.EDU";
+        description = ''
+          DEPRECATED, please use
+          <literal>krb5.libdefaults.default_realm</literal>.
+        '';
+      };
+
+      domainRealm = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "athena.mit.edu";
+        description = ''
+          DEPRECATED, please create a map of server hostnames to Kerberos realms
+          in <literal>krb5.domain_realm</literal>.
+        '';
+      };
+
+      kdc = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "kerberos.mit.edu";
+        description = ''
+          DEPRECATED, please pass a <literal>kdc</literal> attribute to a realm
+          in <literal>krb5.realms</literal>.
+        '';
+      };
+
+      kerberosAdminServer = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "kerberos.mit.edu";
+        description = ''
+          DEPRECATED, please pass an <literal>admin_server</literal> attribute
+          to a realm in <literal>krb5.realms</literal>.
+        '';
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [ cfg.kerberos ];
+
+    environment.etc."krb5.conf".text = if isString cfg.config
+      then cfg.config
+      else (''
+        [libdefaults]
+        ${mkMappedAttrsOrString mergedConfig.libdefaults}
+
+        [realms]
+        ${mkMappedAttrsOrString mergedConfig.realms}
+
+        [domain_realm]
+        ${mkMappedAttrsOrString mergedConfig.domain_realm}
+
+        [capaths]
+        ${mkMappedAttrsOrString mergedConfig.capaths}
+
+        [appdefaults]
+        ${mkMappedAttrsOrString mergedConfig.appdefaults}
+
+        [plugins]
+        ${mkMappedAttrsOrString mergedConfig.plugins}
+      '' + optionalString (mergedConfig.extraConfig != null)
+          ("\n" + mergedConfig.extraConfig));
+
+    warnings = flatten [
+      (optional (cfg.defaultRealm != null) ''
+        The option krb5.defaultRealm is deprecated, please use
+        krb5.libdefaults.default_realm.
+      '')
+      (optional (cfg.domainRealm != null) ''
+        The option krb5.domainRealm is deprecated, please use krb5.domain_realm.
+      '')
+      (optional (cfg.kdc != null) ''
+        The option krb5.kdc is deprecated, please pass a kdc attribute to a
+        realm in krb5.realms.
+      '')
+      (optional (cfg.kerberosAdminServer != null) ''
+        The option krb5.kerberosAdminServer is deprecated, please pass an
+        admin_server attribute to a realm in krb5.realms.
+      '')
+    ];
+
+    assertions = [
+      { assertion = !((builtins.any (value: value != null) [
+            cfg.defaultRealm cfg.domainRealm cfg.kdc cfg.kerberosAdminServer
+          ]) && ((builtins.any (value: value != {}) [
+              cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
+              cfg.appdefaults cfg.plugins
+            ]) || (builtins.any (value: value != null) [
+              cfg.config cfg.extraConfig
+            ])));
+        message = ''
+          Configuration of krb5.conf by deprecated options is mutually exclusive
+          with configuration by section.  Please migrate your config using the
+          attributes suggested in the warnings.
+        '';
+      }
+      { assertion = !(cfg.config != null
+          && ((builtins.any (value: value != {}) [
+              cfg.libdefaults cfg.realms cfg.domain_realm cfg.capaths
+              cfg.appdefaults cfg.plugins
+            ]) || (builtins.any (value: value != null) [
+              cfg.extraConfig cfg.defaultRealm cfg.domainRealm cfg.kdc
+              cfg.kerberosAdminServer
+            ])));
+        message = ''
+          Configuration of krb5.conf using krb.config is mutually exclusive with
+          configuration by section.  If you want to mix the two, you can pass
+          lines to any configuration section or lines to krb5.extraConfig.
+        '';
+      }
+    ];
+  };
+}

nixos/modules/hardware/video/nvidia.nix

@@ -42,7 +42,7 @@ in
   config = mkIf enabled {
     assertions = [
       {
-        assertion = services.xserver.displayManager.gdm.wayland;
+        assertion = config.services.xserver.displayManager.gdm.wayland;
         message = "NVidia drivers don't support wayland";
       }
     ];

nixos/modules/module-list.nix

@@ -9,7 +9,7 @@
   ./config/fonts/ghostscript.nix
   ./config/gnu.nix
   ./config/i18n.nix
-  ./config/krb5.nix
+  ./config/krb5/default.nix
   ./config/ldap.nix
   ./config/networking.nix
   ./config/no-x-libs.nix
@@ -73,6 +73,7 @@
   ./programs/adb.nix
   ./programs/atop.nix
   ./programs/bash/bash.nix
+  ./programs/bcc.nix
   ./programs/blcr.nix
   ./programs/browserpass.nix
   ./programs/cdemu.nix
@@ -102,6 +103,7 @@
   ./programs/spacefm.nix
   ./programs/ssh.nix
   ./programs/ssmtp.nix
+  ./programs/sysdig.nix
   ./programs/thefuck.nix
   ./programs/tmux.nix
   ./programs/venus.nix
@@ -267,6 +269,7 @@
   ./services/mail/offlineimap.nix
   ./services/mail/opendkim.nix
   ./services/mail/opensmtpd.nix
+  ./services/mail/pfix-srsd.nix
   ./services/mail/postfix.nix
   ./services/mail/postsrsd.nix
   ./services/mail/postgrey.nix
@@ -619,6 +622,7 @@
   ./services/web-servers/phpfpm/default.nix
   ./services/web-servers/shellinabox.nix
   ./services/web-servers/tomcat.nix
+  ./services/web-servers/traefik.nix
   ./services/web-servers/uwsgi.nix
   ./services/web-servers/varnish/default.nix
   ./services/web-servers/winstone.nix

nixos/modules/programs/bcc.nix

@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+{
+  options.programs.bcc.enable = lib.mkEnableOption "bcc";
+
+  config = lib.mkIf config.programs.bcc.enable {
+    environment.systemPackages = [ config.boot.kernelPackages.bcc ];
+    boot.extraModulePackages = [ config.boot.kernelPackages.bcc ];
+  };
+}

nixos/modules/programs/sysdig.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.programs.sysdig;
+in {
+  options.programs.sysdig.enable = mkEnableOption "sysdig";
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.sysdig ];
+    boot.extraModulePackages = [ config.boot.kernelPackages.sysdig ];
+  };
+}

nixos/modules/security/pam_usb.nix

@@ -22,7 +22,7 @@ in
         description = ''
           Enable USB login for all login systems that support it.  For
           more information, visit <link
-          xlink:href="http://pamusb.org/doc/quickstart#setting_up" />.
+          xlink:href="https://github.com/aluzzardi/pam_usb/wiki/Getting-Started#setting-up-devices-and-users" />.
         '';
       };
 

nixos/modules/services/cluster/kubernetes/dashboard.nix

@@ -11,7 +11,7 @@ let
   image = pkgs.dockerTools.pullImage {
     imageName = name;
     imageTag = version;
-    sha256 = "0b5v7xa3s91yi9yfsw2b8wijiprnicbb02f5kqa579h4yndb3gfz";
+    sha256 = "1sf54d96nkgic9hir9c6p14gw24ns1k5d5a0r1sg414kjrvic0b4";
   };
 in {
   options.services.kubernetes.addons.dashboard = {

nixos/modules/services/cluster/kubernetes/dns.nix

@@ -8,19 +8,19 @@ let
   k8s-dns-kube-dns = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-kube-dns-amd64";
     imageTag = version;
-    sha256 = "0g64jc2076ng28xl4w3w9svf7hc6s9h8rq9mhvvwpfy2p6lgj6gy";
+    sha256 = "0q97xfqrigrfjl2a9cxl5in619py0zv44gch09jm8gqjkxl80imp";
   };
 
   k8s-dns-dnsmasq-nanny = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64";
     imageTag = version;
-    sha256 = "0sdpsbj1vismihy7ass1cn96nwmav6sf3r5h6i4k2dxha0y0jsh5";
+    sha256 = "051w5ca4qb88mwva4hbnh9xzlsvv7k1mbk3wz50lmig2mqrqqx6c";
   };
 
   k8s-dns-sidecar = pkgs.dockerTools.pullImage {
     imageName = "gcr.io/google_containers/k8s-dns-sidecar-amd64";
     imageTag = version;
-    sha256 = "01zpi189hpy2z62awl38fap908s8rrhc3v5gb6m90y2pycl4ad6q";
+    sha256 = "1z0d129bcm8i2cqq36x5jhnrv9hirj8c6kjrmdav8vgf7py78vsm";
   };
 
   cfg = config.services.kubernetes.addons.dns;

nixos/modules/services/mail/nullmailer.nix

@@ -35,6 +35,18 @@ with lib;
         description = "Whether to set the system sendmail to nullmailer's.";
       };
 
+      remotesFile = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = ''
+          Path to the <code>remotes</code> control file. This file contains a
+          list of remote servers to which to send each message.
+
+          See <code>man 8 nullmailer-send</code> for syntax and available
+          options.
+        '';
+      };
+
       config = {
         adminaddr = mkOption {
           type = types.nullOr types.str;
@@ -142,7 +154,16 @@ with lib;
           type = types.nullOr types.str;
           default = null;
           description = ''
-            If set, content will override the envelope sender on all messages.
+            A list of remote servers to which to send each message. Each line
+            contains a remote host name or address followed by an optional
+            protocol string, separated by white space.
+
+            See <code>man 8 nullmailer-send</code> for syntax and available
+            options.
+
+            WARNING: This is stored world-readable in the nix store. If you need
+            to specify any secret credentials here, consider using the
+            <code>remotesFile</code> option instead.
           '';
         };
 
@@ -164,13 +185,19 @@ with lib;
     cfg = config.services.nullmailer;
   in mkIf cfg.enable {
 
+    assertions = [
+      { assertion = cfg.config.remotes == null || cfg.remotesFile == null;
+        message = "Only one of `remotesFile` or `config.remotes` may be used at a time.";
+      }
+    ];
+
     environment = {
       systemPackages = [ pkgs.nullmailer ];
       etc = let
-        getval  = attr: builtins.getAttr attr cfg.config;
-        attrs   = builtins.attrNames cfg.config;
-        attrs'  = builtins.filter (attr: ! isNull (getval attr)) attrs;
-      in foldl' (as: attr: as // { "nullmailer/${attr}".text = getval attr; }) {} attrs';
+        validAttrs = filterAttrs (name: value: value != null) cfg.config;
+      in
+        (foldl' (as: name: as // { "nullmailer/${name}".text = validAttrs.${name}; }) {} (attrNames validAttrs))
+          // optionalAttrs (cfg.remotesFile != null) { "nullmailer/remotes".source = cfg.remotesFile; };
     };
 
     users = {
@@ -192,7 +219,7 @@ with lib;
 
       preStart = ''
         mkdir -p /var/spool/nullmailer/{queue,tmp}
-        rm -f var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
+        rm -f /var/spool/nullmailer/trigger && mkfifo -m 660 /var/spool/nullmailer/trigger
         chown ${cfg.user} /var/spool/nullmailer/*
       '';
 

nixos/modules/services/mail/pfix-srsd.nix

@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+
+  ###### interface
+
+  options = {
+
+    services.pfix-srsd = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to run the postfix sender rewriting scheme daemon.";
+      };
+
+      domain = mkOption {
+        description = "The domain for which to enable srs";
+        type = types.str;
+        example = "example.com";
+      };
+
+      secretsFile = mkOption {
+        description = ''
+          The secret data used to encode the SRS address.
+          to generate, use a command like:
+          <literal>for n in $(seq 5); do dd if=/dev/urandom count=1 bs=1024 status=none | sha256sum | sed 's/  -$//' | sed 's/^/          /'; done</literal>
+        '';
+        type = types.path;
+        default = "/var/lib/pfix-srsd/secrets";
+      };
+    };
+  };
+
+  ###### implementation
+
+  config = mkIf config.services.pfix-srsd.enable {
+    environment = {
+      systemPackages = [ pkgs.pfixtools ];
+    };
+
+    systemd.services."pfix-srsd" = {
+      description = "Postfix sender rewriting scheme daemon";
+      before = [ "postfix.service" ];
+      #note that we use requires rather than wants because postfix
+      #is unable to process (almost) all mail without srsd
+      requiredBy = [ "postfix.service" ];
+      serviceConfig = {
+        Type = "forking";
+        PIDFile = "/var/run/pfix-srsd.pid";
+        ExecStart = "${pkgs.pfixtools}/bin/pfix-srsd -p /var/run/pfix-srsd.pid -I ${config.services.pfix-srsd.domain} ${config.services.pfix-srsd.secretsFile}";
+      };
+    };
+  };
+}

nixos/modules/services/mail/postfix.nix

@@ -79,6 +79,12 @@ let
   // optionalAttrs haveTransport { transport_maps = "hash:/etc/postfix/transport"; }
   // optionalAttrs haveVirtual { virtual_alias_maps = "${cfg.virtualMapType}:/etc/postfix/virtual"; }
   // optionalAttrs (cfg.dnsBlacklists != []) { smtpd_client_restrictions = clientRestrictions; }
+  // optionalAttrs cfg.useSrs {
+    sender_canonical_maps = "tcp:127.0.0.1:10001";
+    sender_canonical_classes = "envelope_sender";
+    recipient_canonical_maps = "tcp:127.0.0.1:10002";
+    recipient_canonical_classes= "envelope_recipient";
+  }
   // optionalAttrs cfg.enableHeaderChecks { header_checks = "regexp:/etc/postfix/header_checks"; }
   // optionalAttrs (cfg.sslCert != "") {
     smtp_tls_CAfile = cfg.sslCACert;
@@ -626,6 +632,12 @@ in
         description = "Maps to be compiled and placed into /var/lib/postfix/conf.";
       };
 
+      useSrs = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Whether to enable sender rewriting scheme";
+      };
+
     };
 
   };
@@ -646,6 +658,8 @@ in
         systemPackages = [ pkgs.postfix ];
       };
 
+      services.pfix-srsd.enable = config.services.postfix.useSrs;
+
       services.mail.sendmailSetuidWrapper = mkIf config.services.postfix.setSendmail {
         program = "sendmail";
         source = "${pkgs.postfix}/bin/sendmail";

nixos/modules/services/misc/gitlab.nix

@@ -414,7 +414,7 @@ in {
           Make sure the secret is an RSA private key in PEM format. You can
           generate one with
 
-          openssl genrsa 2048openssl genpkey -algorithm RSA -out - -pkeyopt rsa_keygen_bits:2048
+          openssl genrsa 2048
         '';
       };
 
@@ -567,6 +567,7 @@ in {
         mkdir -p ${cfg.statePath}/log
         mkdir -p ${cfg.statePath}/tmp/pids
         mkdir -p ${cfg.statePath}/tmp/sockets
+        mkdir -p ${cfg.statePath}/shell
 
         rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks
         mkdir -p ${cfg.statePath}/config
@@ -635,6 +636,13 @@ in {
         chown -R ${cfg.user}:${cfg.group} ${cfg.statePath}
         chmod -R ug+rwX,o-rwx+X ${cfg.statePath}
         chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}
+        chmod -R ug+rwX,o-rwx ${cfg.statePath}/repositories
+        chmod -R ug-s ${cfg.statePath}/repositories
+        find ${cfg.statePath}/repositories -type d -print0 | xargs -0 chmod g+s
+        chmod 700 ${cfg.statePath}/uploads
+        chown -R git ${cfg.statePath}/uploads
+        find ${cfg.statePath}/uploads -type f -exec chmod 0644 {} \;
+        find ${cfg.statePath}/uploads -type d -not -path ${cfg.statePath}/uploads -exec chmod 0700 {} \;
       '';
 
       serviceConfig = {

nixos/modules/services/misc/gitlab.xml

@@ -66,6 +66,35 @@ services.gitlab = {
     db = "uPgq1gtwwHiatiuE0YHqbGa5lEIXH7fMsvuTNgdzJi8P0Dg12gibTzBQbq5LT7PNzcc3BP9P1snHVnduqtGF43PgrQtU7XL93ts6gqe9CBNhjtaqUwutQUDkygP5NrV6";
     secret = "devzJ0Tz0POiDBlrpWmcsjjrLaltyiAdS8TtgT9YNBOoUcDsfppiY3IXZjMVtKgXrFImIennFGOpPN8IkP8ATXpRgDD5rxVnKuTTwYQaci2NtaV1XxOQGjdIE50VGsR3";
     otp = "e1GATJVuS2sUh7jxiPzZPre4qtzGGaS22FR50Xs1TerRVdgI3CBVUi5XYtQ38W4xFeS4mDqi5cQjExE838iViSzCdcG19XSL6qNsfokQP9JugwiftmhmCadtsnHErBMI";
+    jws = ''
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIEpAIBAAKCAQEArrtx4oHKwXoqUbMNqnHgAklnnuDon3XG5LJB35yPsXKv/8GK
+      ke92wkI+s1Xkvsp8tg9BIY/7c6YK4SR07EWL+dB5qwctsWR2Q8z+/BKmTx9D99pm
+      hnsjuNIXTF7BXrx3RX6BxZpH5Vzzh9nCwWKT/JCFqtwH7afNGGL7aMf+hdaiUg/Q
+      SD05yRObioiO4iXDolsJOhrnbZvlzVHl1ZYxFJv0H6/Snc0BBA9Fl/3uj6ANpbjP
+      eXF1SnJCqT87bj46r5NdVauzaRxAsIfqHroHK4UZ98X5LjGQFGvSqTvyjPBS4I1i
+      s7VJU28ObuutHxIxSlH0ibn4HZqWmKWlTS652wIDAQABAoIBAGtPcUTTw2sJlR3x
+      4k2wfAvLexkHNbZhBdKEa5JiO5mWPuLKwUiZEY2CU7Gd6csG3oqNWcm7/IjtC7dz
+      xV8p4yp8T4yq7vQIJ93B80NqTLtBD2QTvG2RCMJEPMzJUObWxkVmyVpLQyZo7KOd
+      KE/OM+aj94OUeEYLjRkSCScz1Gvq/qFG/nAy7KPCmN9JDHuhX26WHo2Rr1OnPNT/
+      7diph0bB9F3b8gjjNTqXDrpdAqVOgR/PsjEBz6DMY+bdyMIn87q2yfmMexxRofN6
+      LulpzSaa6Yup8N8H6PzVO6KAkQuf1aQRj0sMwGk1IZEnj6I0KbuHIZkw21Nc6sf2
+      ESFySDECgYEA1PnCNn5tmLnwe62Ttmrzl20zIS3Me1gUVJ1NTfr6+ai0I9iMYU21
+      5czuAjJPm9JKQF2vY8UAaCj2ZoObtHa/anb3xsCd8NXoM3iJq5JDoXI1ldz3Y+ad
+      U/bZUg1DLRvAniTuXmw9iOTwTwPxlDIGq5k+wG2Xmi1lk7zH8ezr9BMCgYEA0gfk
+      EhgcmPH8Z5cU3YYwOdt6HSJOM0OyN4k/5gnkv+HYVoJTj02gkrJmLr+mi1ugKj46
+      7huYO9TVnrKP21tmbaSv1dp5hS3letVRIxSloEtVGXmmdvJvBRzDWos+G+KcvADi
+      fFCz6w8v9NmO40CB7y/3SxTmSiSxDQeoi9LhDBkCgYEAsPgMWm25sfOnkY2NNUIv
+      wT8bAlHlHQT2d8zx5H9NttBpR3P0ShJhuF8N0sNthSQ7ULrIN5YGHYcUH+DyLAWU
+      TuomP3/kfa+xL7vUYb269tdJEYs4AkoppxBySoz8qenqpz422D0G8M6TpIS5Y5Qi
+      GMrQ6uLl21YnlpiCaFOfSQMCgYEAmZxj1kgEQmhZrnn1LL/D7czz1vMMNrpAUhXz
+      wg9iWmSXkU3oR1sDIceQrIhHCo2M6thwyU0tXjUft93pEQocM/zLDaGoVxtmRxxV
+      J08mg8IVD3jFoyFUyWxsBIDqgAKRl38eJsXvkO+ep3mm49Z+Ma3nM+apN3j2dQ0w
+      3HLzXaECgYBFLMEAboVFwi5+MZjGvqtpg2PVTisfuJy2eYnPwHs+AXUgi/xRNFjI
+      YHEa7UBPb5TEPSzWImQpETi2P5ywcUYL1EbN/nqPWmjFnat8wVmJtV4sUpJhubF4
+      Vqm9LxIWc1uQ1q1HDCejRIxIN3aSH+wgRS3Kcj8kCTIoXd1aERb04g==
+      -----END RSA PRIVATE KEY-----
+    '';
   };
   extraConfig = {
     gitlab = {

nixos/modules/services/misc/gogs.nix

@@ -25,6 +25,7 @@ let
     HTTP_ADDR = ${cfg.httpAddress}
     HTTP_PORT = ${toString cfg.httpPort}
     ROOT_URL = ${cfg.rootUrl}
+    STATIC_ROOT_PATH = ${cfg.staticRootPath}
 
     [session]
     COOKIE_NAME = session
@@ -175,6 +176,13 @@ in
         '';
       };
 
+      staticRootPath = mkOption {
+        type = types.str;
+        default = "${pkgs.gogs.data}";
+        example = "/var/lib/gogs/data";
+        description = "Upper level of template and static files path.";
+      };
+
       extraConfig = mkOption {
         type = types.str;
         default = "";
@@ -195,6 +203,8 @@ in
         runConfig = "${cfg.stateDir}/custom/conf/app.ini";
         secretKey = "${cfg.stateDir}/custom/conf/secret_key";
       in ''
+        mkdir -p ${cfg.stateDir}
+
         # copy custom configuration and generate a random secret key if needed
         ${optionalString (cfg.useWizard == false) ''
           mkdir -p ${cfg.stateDir}/custom/conf
@@ -240,7 +250,7 @@ in
       };
     };
 
-    users = {
+    users = mkIf (cfg.user == "gogs") {
       extraUsers.gogs = {
         description = "Go Git Service";
         uid = config.ids.uids.gogs;

nixos/modules/services/network-filesystems/glusterfs.nix

@@ -41,6 +41,57 @@ in
         default = "INFO";
       };
 
+      useRpcbind = mkOption {
+        type = types.bool;
+        description = ''
+          Enable use of rpcbind. This is required for Gluster's NFS functionality.
+
+          You may want to turn it off to reduce the attack surface for DDoS reflection attacks.
+
+          See https://davelozier.com/glusterfs-and-rpcbind-portmap-ddos-reflection-attacks/
+          and https://bugzilla.redhat.com/show_bug.cgi?id=1426842 for details.
+        '';
+        default = true;
+      };
+
+      enableGlustereventsd = mkOption {
+        type = types.bool;
+        description = "Whether to enable the GlusterFS Events Daemon";
+        default = true;
+      };
+
+      killMode = mkOption {
+        type = types.enum ["control-group" "process" "mixed" "none"];
+        description = ''
+          The systemd KillMode to use for glusterd.
+
+          glusterd spawns other daemons like gsyncd.
+          If you want these to stop when glusterd is stopped (e.g. to ensure
+          that NixOS config changes are reflected even for these sub-daemons),
+          set this to 'control-group'.
+          If however you want running volume processes (glusterfsd) and thus
+          gluster mounts not be interrupted when glusterd is restarted
+          (for example, when you want to restart them manually at a later time),
+          set this to 'process'.
+        '';
+        default = "control-group";
+      };
+
+      stopKillTimeout = mkOption {
+        type = types.str;
+        description = ''
+          The systemd TimeoutStopSec to use.
+
+          After this time after having been asked to shut down, glusterd
+          (and depending on the killMode setting also its child processes)
+          are killed by systemd.
+
+          The default is set low because GlusterFS (as of 3.10) is known to
+          not tell its children (like gsyncd) to terminate at all.
+        '';
+        default = "5s";
+      };
+
       extraFlags = mkOption {
         type = types.listOf types.str;
         description = "Extra flags passed to the GlusterFS daemon";
@@ -89,7 +140,7 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.glusterfs ];
 
-    services.rpcbind.enable = true;
+    services.rpcbind.enable = cfg.useRpcbind;
 
     environment.etc = mkIf (cfg.tlsSettings != null) {
       "ssl/glusterfs.pem".source = cfg.tlsSettings.tlsPem;
@@ -104,9 +155,8 @@ in
 
       wantedBy = [ "multi-user.target" ];
 
-      requires = [ "rpcbind.service" ];
-      after = [ "rpcbind.service" "network.target" "local-fs.target" ];
-      before = [ "network-online.target" ];
+      requires = lib.optional cfg.useRpcbind "rpcbind.service";
+      after = [ "network.target" "local-fs.target" ] ++ lib.optional cfg.useRpcbind "rpcbind.service";
 
       preStart = ''
         install -m 0755 -d /var/log/glusterfs
@@ -130,11 +180,12 @@ in
         PIDFile="/run/glusterd.pid";
         LimitNOFILE=65536;
         ExecStart="${glusterfs}/sbin/glusterd -p /run/glusterd.pid --log-level=${cfg.logLevel} ${toString cfg.extraFlags}";
-        KillMode="process";
+        KillMode=cfg.killMode;
+        TimeoutStopSec=cfg.stopKillTimeout;
       };
     };
 
-    systemd.services.glustereventsd = {
+    systemd.services.glustereventsd = mkIf cfg.enableGlustereventsd {
       inherit restartTriggers;
 
       description = "Gluster Events Notifier";
@@ -143,6 +194,10 @@ in
 
       after = [ "syslog.target" "network.target" ];
 
+      preStart = ''
+        install -m 0755 -d /var/log/glusterfs
+      '';
+
       serviceConfig = {
         Type="simple";
         Environment="PYTHONPATH=${glusterfs}/usr/lib/python2.7/site-packages";

nixos/modules/services/network-filesystems/ipfs.nix

@@ -7,7 +7,7 @@ let
 
   ipfsFlags = toString ([
     (optionalString  cfg.autoMount                   "--mount")
-    (optionalString  cfg.autoMigrate                 "--migrate")
+    #(optionalString  cfg.autoMigrate                 "--migrate")
     (optionalString  cfg.enableGC                    "--enable-gc")
     (optionalString (cfg.serviceFdlimit != null)     "--manage-fdlimit=false")
     (optionalString (cfg.defaultMode == "offline")   "--offline")
@@ -36,6 +36,7 @@ let
 
   baseService = recursiveUpdate commonEnv {
     wants = [ "ipfs-init.service" ];
+    # NB: migration must be performed prior to pre-start, else we get the failure message!
     preStart = ''
       ipfs repo fsck # workaround for BUG #4212 (https://github.com/ipfs/go-ipfs/issues/4214)
       ipfs --local config Addresses.API ${cfg.apiAddress}
@@ -97,11 +98,17 @@ in {
         description = "systemd service that is enabled by default";
       };
 
+      /*
       autoMigrate = mkOption {
         type = types.bool;
         default = false;
-        description = "Whether IPFS should try to migrate the file system automatically";
+        description = ''
+          Whether IPFS should try to migrate the file system automatically.
+
+          The daemon will need to be able to download a binary from https://ipfs.io to perform the migration.
+        '';
       };
+      */
 
       autoMount = mkOption {
         type = types.bool;

nixos/modules/services/networking/tinc.nix

@@ -163,6 +163,12 @@ in
         wantedBy = [ "multi-user.target" ];
         after = [ "network.target" ];
         path = [ data.package ];
+        restartTriggers =
+          let
+            drvlist = [ config.environment.etc."tinc/${network}/tinc.conf".source ]
+                        ++ mapAttrsToList (host: _: config.environment.etc."tinc/${network}/hosts/${host}".source) data.hosts;
+          in # drvlist might be too long to be used directly
+            [ (builtins.hashString "sha256" (concatMapStrings (d: d.outPath) drvlist)) ];
         serviceConfig = {
           Type = "simple";
           Restart = "always";

nixos/modules/services/web-servers/traefik.nix

@@ -0,0 +1,115 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.traefik;
+  configFile =
+    if cfg.configFile == null then
+      pkgs.runCommand "config.toml" {
+        buildInputs = [ pkgs.remarshal ];
+      } ''
+        remarshal -if json -of toml \
+          < ${pkgs.writeText "config.json" (builtins.toJSON cfg.configOptions)} \
+          > $out
+      ''
+    else cfg.configFile;
+
+in {
+  options.services.traefik = {
+    enable = mkEnableOption "Traefik web server";
+
+    configFile = mkOption {
+      default = null;
+      example = literalExample "/path/to/config.toml";
+      type = types.nullOr types.path;
+      description = ''
+        Path to verbatim traefik.toml to use.
+        (Using that option has precedence over <literal>configOptions</literal>)
+      '';
+    };
+
+    configOptions = mkOption {
+      description = ''
+        Config for Traefik.
+      '';
+      type = types.attrs;
+      default = {
+        defaultEntryPoints = ["http"];
+        entryPoints.http.address = ":80";
+      };
+      example = {
+        defaultEntrypoints = [ "http" ];
+        web.address = ":8080";
+        entryPoints.http.address = ":80";
+
+        file = {};
+        frontends = {
+          frontend1 = {
+            backend = "backend1";
+            routes.test_1.rule = "Host:localhost";
+          };
+        };
+        backends.backend1 = {
+          servers.server1.url = "http://localhost:8000";
+        };
+      };
+    };
+
+    dataDir = mkOption {
+      default = "/var/lib/traefik";
+      type = types.path;
+      description = ''
+      Location for any persistent data traefik creates, ie. acme
+      '';
+    };
+
+    package = mkOption {
+      default = pkgs.traefik;
+      defaultText = "pkgs.traefik";
+      type = types.package;
+      description = "Traefik package to use.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.traefik = {
+      description = "Traefik web server";
+      after = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        PermissionsStartOnly = true;
+        ExecStart = ''${cfg.package.bin}/bin/traefik --configfile=${configFile}'';
+        ExecStartPre = [
+          ''${pkgs.coreutils}/bin/mkdir -p "${cfg.dataDir}"''
+          ''${pkgs.coreutils}/bin/chmod 700 "${cfg.dataDir}"''
+          ''${pkgs.coreutils}/bin/chown -R traefik:traefik "${cfg.dataDir}"''
+        ];
+        Type = "simple";
+        User = "traefik";
+        Group = "traefik";
+        Restart = "on-failure";
+        StartLimitInterval = 86400;
+        StartLimitBurst = 5;
+        AmbientCapabilities = "cap_net_bind_service";
+        CapabilityBoundingSet = "cap_net_bind_service";
+        NoNewPrivileges = true;
+        LimitNPROC = 64;
+        LimitNOFILE = 1048576;
+        PrivateTmp = true;
+        PrivateDevices = true;
+        ProtectHome = true;
+        ProtectSystem = "full";
+        ReadWriteDirectories = cfg.dataDir;
+      };
+    };
+
+    users.extraUsers.traefik = {
+      group = "traefik";
+      home = cfg.dataDir;
+      createHome = true;
+    };
+
+    users.extraGroups.traefik = {};
+  };
+}

nixos/modules/tasks/encrypted-devices.nix

@@ -57,7 +57,7 @@ in
 
   config = mkIf anyEncrypted {
     assertions = map (dev: {
-      assertion = dev.label != null;
+      assertion = dev.encrypted.label != null;
       message = ''
         The filesystem for ${dev.mountPoint} has encrypted.enable set to true, but no encrypted.label set
       '';

nixos/modules/tasks/network-interfaces-scripted.nix

@@ -122,24 +122,32 @@ let
 
                 # Set the default gateway.
                 ${optionalString (cfg.defaultGateway != null && cfg.defaultGateway.address != "") ''
-                  # FIXME: get rid of "|| true" (necessary to make it idempotent).
-                  ip route add default ${optionalString (cfg.defaultGateway.metric != null)
+                  ${optionalString (cfg.defaultGateway.interface != null) ''
+                    ip route replace ${cfg.defaultGateway.address} dev ${cfg.defaultGateway.interface} ${optionalString (cfg.defaultGateway.metric != null)
+                      "metric ${toString cfg.defaultGateway.metric}"
+                    } proto static
+                  ''}
+                  ip route replace default ${optionalString (cfg.defaultGateway.metric != null)
                       "metric ${toString cfg.defaultGateway.metric}"
                     } via "${cfg.defaultGateway.address}" ${
                     optionalString (cfg.defaultGatewayWindowSize != null)
                       "window ${toString cfg.defaultGatewayWindowSize}"} ${
                     optionalString (cfg.defaultGateway.interface != null)
-                      "dev ${cfg.defaultGateway.interface}"} proto static || true
+                      "dev ${cfg.defaultGateway.interface}"} proto static
                 ''}
                 ${optionalString (cfg.defaultGateway6 != null && cfg.defaultGateway6.address != "") ''
-                  # FIXME: get rid of "|| true" (necessary to make it idempotent).
-                  ip -6 route add ::/0 ${optionalString (cfg.defaultGateway6.metric != null)
+                  ${optionalString (cfg.defaultGateway6.interface != null) ''
+                    ip -6 route replace ${cfg.defaultGateway6.address} dev ${cfg.defaultGateway6.interface} ${optionalString (cfg.defaultGateway6.metric != null)
+                      "metric ${toString cfg.defaultGateway6.metric}"
+                    } proto static
+                  ''}
+                  ip -6 route replace default ${optionalString (cfg.defaultGateway6.metric != null)
                       "metric ${toString cfg.defaultGateway6.metric}"
                     } via "${cfg.defaultGateway6.address}" ${
                     optionalString (cfg.defaultGatewayWindowSize != null)
                       "window ${toString cfg.defaultGatewayWindowSize}"} ${
                     optionalString (cfg.defaultGateway6.interface != null)
-                      "dev ${cfg.defaultGateway6.interface}"} proto static || true
+                      "dev ${cfg.defaultGateway6.interface}"} proto static
                 ''}
               '';
           };

nixos/modules/virtualisation/ec2-amis.nix

@@ -223,5 +223,21 @@ let self = {
   "17.03".us-west-2.hvm-ebs = "ami-a93daac9";
   "17.03".us-west-2.hvm-s3 = "ami-5139ae31";
 
-  latest = self."17.03";
+  # 17.09.1483.d0f0657ca0
+  "17.09".eu-west-1.hvm-ebs = "ami-cf33e7b6";
+  "17.09".eu-west-2.hvm-ebs = "ami-7d061419";
+  "17.09".eu-central-1.hvm-ebs = "ami-7548fa1a";
+  "17.09".us-east-1.hvm-ebs = "ami-6f669d15";
+  "17.09".us-east-2.hvm-ebs = "ami-cbe1ccae";
+  "17.09".us-west-1.hvm-ebs = "ami-9d95a5fd";
+  "17.09".us-west-2.hvm-ebs = "ami-d3956fab";
+  "17.09".ca-central-1.hvm-ebs = "ami-ee4ef78a";
+  "17.09".ap-southeast-1.hvm-ebs = "ami-1dfc807e";
+  "17.09".ap-southeast-2.hvm-ebs = "ami-dcb350be";
+  "17.09".ap-northeast-1.hvm-ebs = "ami-00ec3d66";
+  "17.09".ap-northeast-2.hvm-ebs = "ami-1107dd7f";
+  "17.09".sa-east-1.hvm-ebs = "ami-0377086f";
+  "17.09".ap-south-1.hvm-ebs = "ami-4a064625";
+
+  latest = self."17.09";
 }; in self

nixos/modules/virtualisation/grow-partition.nix

@@ -24,7 +24,12 @@ with lib;
       copy_bin_and_libs ${pkgs.gnused}/bin/sed
       copy_bin_and_libs ${pkgs.utillinux}/sbin/sfdisk
       copy_bin_and_libs ${pkgs.utillinux}/sbin/lsblk
-      cp -v ${pkgs.cloud-utils}/bin/.growpart-wrapped $out/bin/growpart
+
+      substitute "${pkgs.cloud-utils}/bin/.growpart-wrapped" "$out/bin/growpart" \
+        --replace "${pkgs.bash}/bin/sh" "/bin/sh" \
+        --replace "awk" "gawk" \
+        --replace "sed" "gnused"
+
       ln -s sed $out/bin/gnused
     '';
 

nixos/release.nix

@@ -278,6 +278,7 @@ in rec {
   tests.login = callTest tests/login.nix {};
   #tests.logstash = callTest tests/logstash.nix {};
   tests.mathics = callTest tests/mathics.nix {};
+  tests.mesos = callTest tests/mesos.nix {};
   tests.misc = callTest tests/misc.nix {};
   tests.mongodb = callTest tests/mongodb.nix {};
   tests.mumble = callTest tests/mumble.nix {};
@@ -302,7 +303,7 @@ in rec {
   #tests.panamax = hydraJob (import tests/panamax.nix { system = "x86_64-linux"; });
   tests.peerflix = callTest tests/peerflix.nix {};
   tests.postgresql = callSubTests tests/postgresql.nix {};
-  tests.pgjwt = callTest tests/pgjwt.nix {};
+  #tests.pgjwt = callTest tests/pgjwt.nix {};
   tests.printing = callTest tests/printing.nix {};
   tests.proxy = callTest tests/proxy.nix {};
   tests.pumpio = callTest tests/pump.io.nix {};

nixos/tests/gnome3-gdm.nix

@@ -21,7 +21,7 @@ import ./make-test.nix ({ pkgs, ...} : {
       };
       services.xserver.desktopManager.gnome3.enable = true;
 
-      virtualisation.memorySize = 512;
+      virtualisation.memorySize = 1024;
     };
 
   testScript =

nixos/tests/krb5/default.nix

@@ -0,0 +1,5 @@
+{ system ? builtins.currentSystem }:
+{
+  example-config = import ./example-config.nix { inherit system; };
+  deprecated-config = import ./deprecated-config.nix { inherit system; };
+}

nixos/tests/krb5/deprecated-config.nix

@@ -0,0 +1,48 @@
+# Verifies that the configuration suggested in deprecated example values
+# will result in the expected output.
+
+import ../make-test.nix ({ pkgs, ...} : {
+  name = "krb5-with-deprecated-config";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ eqyiel ];
+  };
+
+  machine =
+    { config, pkgs, ... }: {
+      krb5 = {
+        enable = true;
+        defaultRealm = "ATHENA.MIT.EDU";
+        domainRealm = "athena.mit.edu";
+        kdc = "kerberos.mit.edu";
+        kerberosAdminServer = "kerberos.mit.edu";
+      };
+    };
+
+  testScript =
+    let snapshot = pkgs.writeText "krb5-with-deprecated-config.conf" ''
+      [libdefaults]
+        default_realm = ATHENA.MIT.EDU
+
+      [realms]
+        ATHENA.MIT.EDU = {
+          admin_server = kerberos.mit.edu
+          kdc = kerberos.mit.edu
+        }
+
+      [domain_realm]
+        .athena.mit.edu = ATHENA.MIT.EDU
+        athena.mit.edu = ATHENA.MIT.EDU
+
+      [capaths]
+
+
+      [appdefaults]
+
+
+      [plugins]
+
+    '';
+  in ''
+    $machine->succeed("diff /etc/krb5.conf ${snapshot}");
+  '';
+})

nixos/tests/krb5/example-config.nix

@@ -0,0 +1,106 @@
+# Verifies that the configuration suggested in (non-deprecated) example values
+# will result in the expected output.
+
+import ../make-test.nix ({ pkgs, ...} : {
+  name = "krb5-with-example-config";
+  meta = with pkgs.stdenv.lib.maintainers; {
+    maintainers = [ eqyiel ];
+  };
+
+  machine =
+    { config, pkgs, ... }: {
+      krb5 = {
+        enable = true;
+        kerberos = pkgs.krb5Full;
+        libdefaults = {
+          default_realm = "ATHENA.MIT.EDU";
+        };
+        realms = {
+          "ATHENA.MIT.EDU" = {
+            admin_server = "athena.mit.edu";
+            kdc = "athena.mit.edu";
+          };
+        };
+        domain_realm = {
+          "example.com" = "EXAMPLE.COM";
+          ".example.com" = "EXAMPLE.COM";
+        };
+        capaths = {
+          "ATHENA.MIT.EDU" = {
+            "EXAMPLE.COM" = ".";
+          };
+          "EXAMPLE.COM" = {
+            "ATHENA.MIT.EDU" = ".";
+          };
+        };
+        appdefaults = {
+          pam = {
+            debug = false;
+            ticket_lifetime = 36000;
+            renew_lifetime = 36000;
+            max_timeout = 30;
+            timeout_shift = 2;
+            initial_timeout = 1;
+          };
+        };
+        plugins = {
+          ccselect = {
+            disable = "k5identity";
+          };
+        };
+        extraConfig = ''
+          [logging]
+            kdc          = SYSLOG:NOTICE
+            admin_server = SYSLOG:NOTICE
+            default      = SYSLOG:NOTICE
+        '';
+      };
+    };
+
+  testScript =
+    let snapshot = pkgs.writeText "krb5-with-example-config.conf" ''
+      [libdefaults]
+        default_realm = ATHENA.MIT.EDU
+
+      [realms]
+        ATHENA.MIT.EDU = {
+          admin_server = athena.mit.edu
+          kdc = athena.mit.edu
+        }
+
+      [domain_realm]
+        .example.com = EXAMPLE.COM
+        example.com = EXAMPLE.COM
+
+      [capaths]
+        ATHENA.MIT.EDU = {
+          EXAMPLE.COM = .
+        }
+        EXAMPLE.COM = {
+          ATHENA.MIT.EDU = .
+        }
+
+      [appdefaults]
+        pam = {
+          debug = false
+          initial_timeout = 1
+          max_timeout = 30
+          renew_lifetime = 36000
+          ticket_lifetime = 36000
+          timeout_shift = 2
+        }
+
+      [plugins]
+        ccselect = {
+          disable = k5identity
+        }
+
+      [logging]
+        kdc          = SYSLOG:NOTICE
+        admin_server = SYSLOG:NOTICE
+        default      = SYSLOG:NOTICE
+    '';
+  in ''
+    $machine->succeed("diff /etc/krb5.conf ${snapshot}");
+  '';
+})

nixos/tests/pgjwt.nix

@@ -1,42 +1,37 @@
-import ./make-test.nix ({ pkgs, ...} : 
+import ./make-test.nix ({ pkgs, lib, ...}:
 let
-  test = pkgs.writeText "test.sql" ''
-    CREATE EXTENSION pgcrypto;
-    CREATE EXTENSION pgjwt;
-    select sign('{"sub":"1234567890","name":"John Doe","admin":true}', 'secret');
-    select * from verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ', 'secret');
+  test = with pkgs; runCommand "patch-test" {
+    nativeBuildInputs = [ pgjwt ];
+  }
+  ''
+    sed -e '12 i CREATE EXTENSION pgcrypto;\nCREATE EXTENSION pgtap;\nSET search_path TO tap,public;' ${pgjwt.src}/test.sql > $out;
   '';
 in
-{
+with pkgs; {
   name = "pgjwt";
-  meta = with pkgs.stdenv.lib.maintainers; {
-    maintainers = [ spinus ];
+  meta = with lib.maintainers; {
+    maintainers = [ spinus willibutz ];
   };
 
   nodes = {
-    master =
-      { pkgs, config, ... }:
-
-      {
-        services.postgresql = let mypg = pkgs.postgresql95; in {
-            enable = true;
-            package = mypg;
-            extraPlugins =[pkgs.pgjwt];
-            initialScript =  pkgs.writeText "postgresql-init.sql"
-          ''
-          CREATE ROLE postgres WITH superuser login createdb;
-          '';
-          };
+    master = { pkgs, config, ... }:
+    {
+      services.postgresql = {
+        enable = true;
+        extraPlugins = [ pgjwt pgtap ];
       };
+    };
   };
 
-  testScript = ''
+  testScript = { nodes, ... }:
+  let
+    sqlSU = "${nodes.master.config.services.postgresql.superUser}";
+    pgProve = "${pkgs.perlPackages.TAPParserSourceHandlerpgTAP}";
+  in
+  ''
     startAll;
     $master->waitForUnit("postgresql");
-    $master->succeed("timeout 10 bash -c 'while ! psql postgres -c \"SELECT 1;\";do sleep 1;done;'");
-    $master->succeed("cat ${test} | psql postgres");
-    # I can't make original test working :[
-    # $master->succeed("${pkgs.perlPackages.TAPParserSourceHandlerpgTAP}/bin/pg_prove -d postgres ${pkgs.pgjwt.src}/test.sql");
-
+    $master->copyFileFromHost("${test}","/tmp/test.sql");
+    $master->succeed("${pkgs.sudo}/bin/sudo -u ${sqlSU} PGOPTIONS=--search_path=tap,public ${pgProve}/bin/pg_prove -d postgres -v -f /tmp/test.sql");
   '';
 })

pkgs/applications/altcoins/dapp.nix

@@ -1,15 +1,15 @@
 { lib, stdenv, fetchFromGitHub, makeWrapper
-, seth, git, solc, shellcheck, nodejs, hsevm }:
+, seth, git, solc, shellcheck, nodejs, hevm }:
 
 stdenv.mkDerivation rec {
   name = "dapp";
-  version = "0.5.3";
+  version = "0.5.7";
 
   src = fetchFromGitHub {
     owner = "dapphub";
     repo = "dapp";
     rev = "v${version}";
-    sha256 = "13b2krd02py8jnzjis44lay5i31d95z0myrsy5afzw7fa25giird";
+    sha256 = "128f35hczarihb263as391wr9zbyc1q1p49qbxh30via23r1brb0";
   };
 
   nativeBuildInputs = [makeWrapper shellcheck];
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
   checkPhase = "make test";
   makeFlags = ["prefix=$(out)"];
   postInstall = let path = lib.makeBinPath [
-    nodejs solc git seth hsevm
+    nodejs solc git seth hevm
   ]; in ''
     wrapProgram "$out/bin/dapp" --prefix PATH : "${path}"
   '';

pkgs/applications/altcoins/default.nix

@@ -1,4 +1,4 @@
-{ callPackage, boost155, boost162, boost163, openssl_1_1_0, haskellPackages }:
+{ callPackage, boost155, boost162, boost163, openssl_1_1_0, haskellPackages, darwin }:
 
 rec {
 
@@ -26,7 +26,10 @@ rec {
   dogecoind = callPackage ./dogecoin.nix { withGui = false; };
 
   freicoin = callPackage ./freicoin.nix { boost = boost155; };
-  go-ethereum = callPackage ./go-ethereum.nix { };
+  go-ethereum = callPackage ./go-ethereum.nix {
+    inherit (darwin) libobjc;
+    inherit (darwin.apple_sdk.frameworks) IOKit;
+  };
   go-ethereum-classic = callPackage ./go-ethereum-classic { };
 
   hivemind = callPackage ./hivemind.nix { withGui = true; };
@@ -46,7 +49,7 @@ rec {
   seth = callPackage ./seth.nix { };
   dapp = callPackage ./dapp.nix { };
 
-  hsevm = (haskellPackages.callPackage ./hsevm.nix {});
+  hevm = (haskellPackages.callPackage ./hevm.nix {});
 
   primecoin  = callPackage ./primecoin.nix { withGui = true; };
   primecoind = callPackage ./primecoin.nix { withGui = false; };

pkgs/applications/altcoins/go-ethereum.nix

@@ -1,10 +1,14 @@
-{ stdenv, lib, buildGoPackage, fetchFromGitHub }:
+{ stdenv, lib, buildGoPackage, fetchFromGitHub, libobjc, IOKit }:
 
 buildGoPackage rec {
   name = "go-ethereum-${version}";
-  version = "1.7.0";
+  version = "1.7.1";
   goPackagePath = "github.com/ethereum/go-ethereum";
 
+  # Fix for usb-related segmentation faults on darwin
+  propagatedBuildInputs =
+    stdenv.lib.optionals stdenv.isDarwin [ libobjc IOKit ];
+
   # Fixes Cgo related build failures (see https://github.com/NixOS/nixpkgs/issues/25959 )
   hardeningDisable = [ "fortify" ];
 
@@ -12,7 +16,7 @@ buildGoPackage rec {
     owner = "ethereum";
     repo = "go-ethereum";
     rev = "v${version}";
-    sha256 = "0ybjaiyrfb320rab6a5r9iiqvkrcd8b2qvixzx0kjmc4a7l1q5zh";
+    sha256 = "1rhqnqp2d951d4084z7dc07q0my4wd5401968a0nqj030a9vgng2";
   };
 
   # Fix cyclic referencing on Darwin

pkgs/applications/altcoins/hevm.nix

@@ -1,24 +1,28 @@
-{ mkDerivation, abstract-par, aeson, ansi-wl-pprint, base
+{ mkDerivation, abstract-par, aeson, ansi-wl-pprint, async, base
 , base16-bytestring, base64-bytestring, binary, brick, bytestring
 , cereal, containers, cryptonite, data-dword, deepseq, directory
-, filepath, ghci-pretty, here, HUnit, lens, lens-aeson, memory
-, monad-par, mtl, optparse-generic, process, QuickCheck
-, quickcheck-text, readline, rosezipper, scientific, stdenv, tasty, tasty-hunit
-, tasty-quickcheck, temporary, text, text-format
-, unordered-containers, vector, vty
+, filepath, ghci-pretty, here, HUnit, lens
+, lens-aeson, memory, monad-par, mtl, optparse-generic, process
+, QuickCheck, quickcheck-text, readline, rosezipper, scientific
+, stdenv, tasty, tasty-hunit, tasty-quickcheck, temporary, text
+, text-format, time, unordered-containers, vector, vty
+
+, restless-git
+
 , fetchFromGitHub, lib, makeWrapper
 , ncurses, zlib, bzip2, solc, coreutils
+, bash
 }:
 
 lib.overrideDerivation (mkDerivation rec {
-  pname = "hsevm";
-  version = "0.6.4";
+  pname = "hevm";
+  version = "0.8.5";
 
   src = fetchFromGitHub {
     owner = "dapphub";
-    repo = "hsevm";
+    repo = "hevm";
     rev = "v${version}";
-    sha256 = "01b67k9cam4gvsi07q3vx527m1w6p6xll64k1nl27bc8ik6jh8l9";
+    sha256 = "1a27bh0azf2hdg5hp6s9azv2rhzy7vrlq1kmg688g9nfwwwhgkp0";
   };
 
   isLibrary = false;
@@ -26,8 +30,9 @@ lib.overrideDerivation (mkDerivation rec {
   enableSharedExecutables = false;
 
   postInstall = ''
-    rm -rf $out/{lib,share}
-    wrapProgram $out/bin/hsevm --add-flags '+RTS -N$((`${coreutils}/bin/nproc` - 1)) -RTS'
+    wrapProgram $out/bin/hevm \
+       --add-flags '+RTS -N$((`${coreutils}/bin/nproc` - 1)) -RTS' \
+       --suffix PATH : "${lib.makeBinPath [bash coreutils]}"
   '';
 
   extraLibraries = [
@@ -36,17 +41,17 @@ lib.overrideDerivation (mkDerivation rec {
     cryptonite data-dword deepseq directory filepath ghci-pretty lens
     lens-aeson memory monad-par mtl optparse-generic process QuickCheck
     quickcheck-text readline rosezipper scientific temporary text text-format
-    unordered-containers vector vty
+    unordered-containers vector vty restless-git
   ];
   executableHaskellDepends = [
-    readline zlib bzip2
+    async readline zlib bzip2
   ];
   testHaskellDepends = [
     base binary bytestring ghci-pretty here HUnit lens mtl QuickCheck
     tasty tasty-hunit tasty-quickcheck text vector
   ];
 
-  homepage = https://github.com/dapphub/hsevm;
+  homepage = https://github.com/dapphub/hevm;
   description = "Ethereum virtual machine evaluator";
   license = stdenv.lib.licenses.agpl3;
   maintainers = [stdenv.lib.maintainers.dbrock];

pkgs/applications/altcoins/zcash/default.nix

@@ -9,13 +9,13 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
 
   name = "zcash" + (toString (optional (!withGui) "d")) + "-" + version;
-  version = "1.0.11";
+  version = "1.0.12";
 
   src = fetchFromGitHub {
     owner = "zcash";
     repo  = "zcash";
     rev = "v${version}";
-    sha256 = "09474jdhsg30maqrwfxigbw3llqi8axhh82lz3a23ii2gj68ni55";
+    sha256 = "19bxhdnkvgncgl9x6nbaf5nwgrdfw99icvdbi9adfh646pd5z64s";
   };
 
   enableParallelBuilding = true;

pkgs/applications/audio/axoloti/default.nix

@@ -0,0 +1,101 @@
+{ stdenv, fetchFromGitHub, fetchurl, makeWrapper, unzip
+, gnumake, gcc-arm-embedded, dfu-util-axoloti, jdk, ant, libfaketime }:
+
+stdenv.mkDerivation rec {
+  version = "1.0.12-1";
+  name = "axoloti-${version}";
+
+  src = fetchFromGitHub {
+    owner = "axoloti";
+    repo = "axoloti";
+    rev = "${version}";
+    sha256 = "13njmv8zac0kaaxgkv4y4zfjcclafn9cw0m8lj2k4926wnwjmf50";
+  };
+
+  chibi_version = "2.6.9";
+  chibi_name = "ChibiOS_${chibi_version}";
+
+  chibios = fetchurl {
+    url = "mirror://sourceforge/project/chibios/ChibiOS_RT%20stable/Version%20${chibi_version}/${chibi_name}.zip";
+    sha256 = "0lb5s8pkj80mqhsy47mmq0lqk34s2a2m3xagzihalvabwd0frhlj";
+  };
+
+  buildInputs = [ makeWrapper unzip gcc-arm-embedded dfu-util-axoloti jdk ant libfaketime ];
+
+  patchPhase = ''
+    unzip ${chibios}
+    mv ${chibi_name} chibios
+    (cd chibios/ext; unzip -q -o fatfs-0.9-patched.zip)
+
+    # Remove source of non-determinism in ChibiOS
+    substituteInPlace "chibios/os/various/shell.c" \
+      --replace "#ifdef __DATE__" "#if 0"
+
+    # Hardcode full path to compiler tools
+    for f in "firmware/Makefile.patch" \
+             "firmware/Makefile" \
+             "firmware/flasher/Makefile" \
+             "firmware/mounter/Makefile"; do
+      substituteInPlace "$f" \
+        --replace "arm-none-eabi-" "${gcc-arm-embedded}/bin/arm-none-eabi-"
+    done
+
+    # Hardcode path to "make"
+    for f in "firmware/compile_firmware_linux.sh" \
+             "firmware/compile_patch_linux.sh"; do
+      substituteInPlace "$f" \
+        --replace "make" "${gnumake}/bin/make"
+    done
+
+    # Hardcode dfu-util path
+    substituteInPlace "platform_linux/upload_fw_dfu.sh" \
+      --replace "/bin/dfu-util" ""
+    substituteInPlace "platform_linux/upload_fw_dfu.sh" \
+      --replace "./dfu-util" "${dfu-util-axoloti}/bin/dfu-util"
+
+    # Fix build version
+    substituteInPlace "build.xml" \
+      --replace "(git missing)" "${version}"
+
+    # Remove build time
+    substituteInPlace "build.xml" \
+      --replace "<tstamp>" ""
+    substituteInPlace "build.xml" \
+      --replace \
+        '<format property="build.time" pattern="dd/MM/yyyy HH:mm:ss z"/>' \
+        '<property name="build.time" value=""/>'
+    substituteInPlace "build.xml" \
+      --replace "</tstamp>" ""
+    substituteInPlace "build.xml" \
+      --replace \
+       '{line.separator}</echo>' \
+       '{line.separator}</echo> <touch file="src/main/java/axoloti/Version.java" millis="0" />'
+  '';
+
+  buildPhase = ''
+    find . -exec touch -d '1970-01-01 00:00' {} \;
+    (cd platform_linux; sh compile_firmware.sh)
+    faketime "1970-01-01 00:00:00" ant -Dbuild.runtime=true
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin $out/share/axoloti
+
+    cp -r doc firmware chibios platform_linux CMSIS *.txt $out/share/axoloti/
+    install -vD dist/Axoloti.jar $out/share/axoloti/
+
+    makeWrapper ${jdk}/bin/java $out/bin/axoloti --add-flags "-Daxoloti_release=$out/share/axoloti -Daxoloti_runtime=$out/share/axoloti -jar $out/share/axoloti/Axoloti.jar"
+  '';
+
+  meta = with stdenv.lib; {
+    homepage = http://www.axoloti.com;
+    description = ''
+      Sketching embedded digital audio algorithms.
+
+      To fix permissions of the Axoloti USB device node, add a similar udev rule to <literal>services.udev.extraRules</literal>:
+      <literal>SUBSYSTEM=="usb", ATTR{idVendor}=="16c0", ATTR{idProduct}=="0442", OWNER="someuser", GROUP="somegroup"</literal>
+    '';
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ TealG ];
+  };
+}

pkgs/applications/audio/axoloti/dfu-util.nix

@@ -0,0 +1,31 @@
+{ stdenv, fetchurl, pkgconfig, libusb1-axoloti }:
+
+stdenv.mkDerivation rec {
+  name="dfu-util-${version}";
+  version = "0.8";
+
+  nativeBuildInputs = [ pkgconfig ];
+  buildInputs = [ libusb1-axoloti ];
+
+  src = fetchurl {
+    url = "http://dfu-util.sourceforge.net/releases/${name}.tar.gz";
+    sha256 = "0n7h08avlzin04j93m6hkq9id6hxjiiix7ff9gc2n89aw6dxxjsm";
+  };
+
+  meta = with stdenv.lib; {
+    description = "Device firmware update (DFU) USB programmer";
+    longDescription = ''
+      dfu-util is a program that implements the host (PC) side of the USB
+      DFU 1.0 and 1.1 (Universal Serial Bus Device Firmware Upgrade) protocol.
+
+      DFU is intended to download and upload firmware to devices connected over
+      USB. It ranges from small devices like micro-controller boards up to mobile
+      phones. With dfu-util you are able to download firmware to your device or
+      upload firmware from it.
+    '';
+    homepage = http://dfu-util.gnumonks.org/;
+    license = licenses.gpl2Plus;
+    platforms = platforms.unix;
+    maintainers = [ ];
+  };
+}

pkgs/applications/audio/axoloti/libusb1.nix

@@ -0,0 +1,38 @@
+{ stdenv, fetchurl, pkgconfig, systemd ? null, libobjc, IOKit, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  name = "libusb-1.0.19";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/libusb/${name}.tar.bz2";
+    sha256 = "0h38p9rxfpg9vkrbyb120i1diq57qcln82h5fr7hvy82c20jql3c";
+  };
+
+  outputs = [ "out" "dev" ]; # get rid of propagating systemd closure
+
+  buildInputs = [ pkgconfig ];
+  propagatedBuildInputs =
+    stdenv.lib.optional stdenv.isLinux systemd ++
+    stdenv.lib.optionals stdenv.isDarwin [ libobjc IOKit ];
+
+  patches = [
+    (fetchpatch {
+      name = "libusb.stdfu.patch";
+      url = "https://raw.githubusercontent.com/axoloti/axoloti/1.0.12/platform_linux/src/libusb.stdfu.patch";
+      sha256 = "194j7j61i4q6x0ihm9ms8dxd4vliw20n2rj6cm9h17qzdl9xr33d";
+    })
+  ];
+
+  NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isLinux "-lgcc_s";
+
+  preFixup = stdenv.lib.optionalString stdenv.isLinux ''
+    sed 's,-ludev,-L${systemd.lib}/lib -ludev,' -i $out/lib/libusb-1.0.la
+  '';
+
+  meta = {
+    homepage = http://www.libusb.info;
+    description = "User-space USB library";
+    platforms = stdenv.lib.platforms.unix;
+    maintainers = [ ];
+  };
+}

pkgs/applications/audio/gnaural/default.nix

@@ -13,5 +13,6 @@ stdenv.mkDerivation rec {
       license = licenses.gpl2;
       maintainers = [ maintainers.ehmry ];
       platforms = platforms.linux;
+      broken = true;
     };
 }

pkgs/applications/audio/mopidy-iris/default.nix

@@ -2,12 +2,12 @@
 
 pythonPackages.buildPythonApplication rec {
   name = "mopidy-iris-${version}";
-  version = "3.4.1";
+  version = "3.4.9";
 
   src = pythonPackages.fetchPypi {
     inherit version;
     pname = "Mopidy-Iris";
-    sha256 = "04fjj2n5v53ykxnjgna1y8bvk7g3x0yiqisvzrdva693lfz9cbgx";
+    sha256 = "0acr8ss5d0jgcy1qsjb12h0n6kr6qdp9zrbbk9vv3m3s6kcm8vgb";
   };
 
   propagatedBuildInputs = [
@@ -16,6 +16,7 @@ pythonPackages.buildPythonApplication rec {
     pythonPackages.configobj
     pythonPackages.pylast
     pythonPackages.spotipy
+    pythonPackages.raven
   ];
 
   meta = with stdenv.lib; {

pkgs/applications/audio/mpc/default.nix

@@ -17,11 +17,6 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  preConfigure = ''
-    export LIBMPDCLIENT_LIBS=${mpd_clientlib}/lib/libmpdclient.${if stdenv.isDarwin then mpd_clientlib.majorVersion + ".dylib" else "so." + mpd_clientlib.majorVersion + ".0." + mpd_clientlib.minorVersion}
-    export LIBMPDCLIENT_CFLAGS=${mpd_clientlib}
-  '';
-
   meta = with stdenv.lib; {
     description = "A minimalist command line interface to MPD";
     homepage = http://www.musicpd.org/clients/mpc/;

pkgs/applications/audio/mpg123/default.nix

@@ -4,11 +4,11 @@
 }:
 
 stdenv.mkDerivation rec {
-  name = "mpg123-1.25.4";
+  name = "mpg123-1.25.7";
 
   src = fetchurl {
     url = "mirror://sourceforge/mpg123/${name}.tar.bz2";
-    sha256 = "1rxknrnl3ji5hi5rbckpzhbl1k5r8i53kcys4xdgg0xbi8765dfd";
+    sha256 = "1ws40fglyyk51jvmz8gfapjkw1g51pkch1rffdsbh4b1yay5xc9i";
   };
 
   buildInputs = stdenv.lib.optional (!stdenv.isDarwin) alsaLib;

pkgs/applications/audio/ncmpc/default.nix

@@ -1,36 +1,35 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, glib, ncurses, mpd_clientlib, libintlOrEmpty }:
+{ stdenv, fetchFromGitHub, meson, ninja, pkgconfig, glib, ncurses
+, mpd_clientlib, gettext }:
 
-stdenv.mkDerivation rec {
+let
+  rpath = stdenv.lib.makeLibraryPath [
+    glib ncurses mpd_clientlib
+  ];
+in stdenv.mkDerivation rec {
   name = "ncmpc-${version}";
-  version = "0.27";
+  version = "0.28";
 
   src = fetchFromGitHub {
     owner  = "MusicPlayerDaemon";
     repo   = "ncmpc";
     rev    = "v${version}";
-    sha256 = "0sfal3wadqvy6yas4xzhw35awdylikci8kbdcmgm4l2afpmc1lrr";
+    sha256 = "1z0bdkqsdb3f5k2lsws3qzav4r30fzk8fhxj9l0p738flcka6k4n";
   };
 
   buildInputs = [ glib ncurses mpd_clientlib ];
-    # ++ libintlOrEmpty;
-  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  nativeBuildInputs = [ meson ninja pkgconfig gettext ];
 
-  NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isDarwin "-lintl";
-
-  # without this, po/Makefile.in.in is not being created
-  preAutoreconf = ''
-    ./autogen.sh
+  postFixup = ''
+    for elf in "$out"/bin/*; do
+      patchelf --set-rpath '${rpath}':"$out/lib" "$elf"
+    done
   '';
 
-  configureFlags = [
-    "--enable-colors"
-    "--enable-lyrics-screen"
-  ];
-
   meta = with stdenv.lib; {
     description = "Curses-based interface for MPD (music player daemon)";
     homepage    = http://www.musicpd.org/clients/ncmpc/;
     license     = licenses.gpl2Plus;
     platforms   = platforms.all;
+    maintainers = with maintainers; [ fpletz ];
   };
 }

pkgs/applications/audio/rosegarden/default.nix

@@ -1,23 +1,35 @@
-{ stdenv, fetchurl, cmake, qt4, pkgconfig, ladspaPlugins, ladspaH,
-  dssi, liblo, liblrdf, fftwSinglePrec, libsndfile,
-  libsamplerate, perl, makedepend, libjack2,
-  withLirc ? false, lirc ? null } :
+{ stdenv, fetchurl, cmake, makedepend, perl, pkgconfig, qttools
+, dssi, fftwSinglePrec, ladspaH, ladspaPlugins, libjack2
+, liblo, liblrdf, libsamplerate, libsndfile, lirc ? null, qtbase }:
 
 stdenv.mkDerivation (rec {
   version = "17.04";
   name = "rosegarden-${version}";
 
   src = fetchurl {
-    url  = "mirror://sourceforge/rosegarden/${name}.tar.bz2";
+    url = "mirror://sourceforge/rosegarden/${name}.tar.bz2";
     sha256 = "1khfcj22asdhjh0jvhkqsz200wgmigkhsrcz09ffia5hqm0n32lq";
   };
 
-  QTDIR = qt4;
+  patchPhase = ''
+    substituteInPlace src/CMakeLists.txt --replace svnheader svnversion
+  '';
+
+  nativeBuildInputs = [ cmake makedepend perl pkgconfig qttools ];
 
   buildInputs = [
-    cmake qt4 pkgconfig ladspaPlugins ladspaH dssi liblo liblrdf fftwSinglePrec
-    libsndfile libsamplerate perl makedepend libjack2
-  ] ++ stdenv.lib.optional withLirc [ lirc ];
+    dssi
+    fftwSinglePrec
+    ladspaH
+    ladspaPlugins
+    libjack2
+    liblo
+    liblrdf
+    libsamplerate
+    libsndfile
+    lirc
+    qtbase
+  ];
 
   enableParallelBuilding = true;
 
@@ -25,11 +37,15 @@ stdenv.mkDerivation (rec {
     homepage = http://www.rosegardenmusic.com/;
     description = "Music composition and editing environment";
     longDescription = ''
-      Rosegarden is a music composition and editing environment based around a MIDI sequencer that features a rich understanding of music notation and includes basic support for digital audio.
-      Rosegarden is an easy-to-learn, attractive application that runs on Linux, ideal for composers, musicians, music students, and small studio or home recording environments.
-      '';
+      Rosegarden is a music composition and editing environment based around
+      a MIDI sequencer that features a rich understanding of music notation
+      and includes basic support for digital audio.
 
-    maintainers = [ maintainers.lebastr ];
+      Rosegarden is an easy-to-learn, attractive application that runs on Linux,
+      ideal for composers, musicians, music students, and small studio or home
+      recording environments.
+    '';
+    maintainers = with maintainers; [ lebastr ];
     license = licenses.lgpl2Plus;
     platforms = platforms.linux;
   };

pkgs/applications/audio/spotify/default.nix

@@ -9,7 +9,7 @@ let
   # Latest version number can be found at:
   # http://repository-origin.spotify.com/pool/non-free/s/spotify-client/
   # Be careful not to pick the testing version.
-  version = "1.0.49.125.g72ee7853-111";
+  version = "1.0.64.407.g9bd02c2d-26";
 
   deps = [
     alsaLib
@@ -54,7 +54,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://repository-origin.spotify.com/pool/non-free/s/spotify-client/spotify-client_${version}_amd64.deb";
-    sha256 = "0l008x06d257vcw6gq3q90hvv93cq6mxpj11by1np6bzzg61qv8x";
+    sha256 = "0zc8vclf1wx60yllc1jgzhqyv5lkwz95qmmy5f79zkj6vrdak5wc";
   };
 
   buildInputs = [ dpkg makeWrapper ];

pkgs/applications/audio/streamripper/default.nix

@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     homepage = http://streamripper.sourceforge.net/;
     description = "Application that lets you record streaming mp3 to your hard drive";
     license = licenses.gpl2;
-    platforms = platforms.unix;
+    platforms = platforms.linux;
     maintainers = with maintainers; [ the-kenny ];
   };
 }

pkgs/applications/editors/android-studio/packages.nix

@@ -27,9 +27,9 @@ in rec {
 
   preview = mkStudio rec {
     pname = "android-studio-preview";
-    version = "3.0.0.14"; # "Android Studio 3.0 Beta 6"
-    build = "171.4333198";
-    sha256Hash = "071a3j0bnsspvhvhh10h9ygay3bi66glriiy8gl8vrwx1dnv55zk";
+    version = "3.0.0.15"; # "Android Studio 3.0 Beta 7"
+    build = "171.4365657";
+    sha256Hash = "0am3rq0ag982ik95mpcxvx2zlv0h4l6747b29mlsbqih66868db6";
 
     meta = stable.meta // {
       description = "The Official IDE for Android (preview version)";

pkgs/applications/editors/aseprite/default.nix

@@ -11,7 +11,7 @@
 
 stdenv.mkDerivation rec {
   name = "aseprite-${version}";
-  version = if unfree then "1.2-beta12" else "1.1.7";
+  version = if unfree then "1.2.2" else "1.1.7";
 
   src = fetchFromGitHub {
     owner = "aseprite";
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
     rev = "v${version}";
     fetchSubmodules = true;
     sha256 = if unfree
-      then "1zgsr03d4vwdj2qyiwfwfqsbqngp85n13i3xwbkfkbja036c5yhc"
+      then "1ldi7zikl1g6rq3g9lkypx5wqzza5j0054j1r8bh7lyvb0szicig"
       else "0gd49lns2bpzbkwax5jf9x1xmg1j8ij997kcxr2596cwiswnw4di";
   };
 
@@ -30,6 +30,10 @@ stdenv.mkDerivation rec {
     libX11 libXext libXcursor libXxf86vm
   ] ++ lib.optionals unfree [ cmark ];
 
+  postPatch = ''
+    sed -i src/config.h -e "s-\\(#define VERSION\\) .*-\\1 \"$version\"-"
+  '';
+
   cmakeFlags = [
     "-DENABLE_UPDATER=OFF"
     "-DUSE_SHARED_CURL=ON"

pkgs/applications/editors/atom/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "atom-${version}";
-  version = "1.20.0";
+  version = "1.20.1";
 
   src = fetchurl {
     url = "https://github.com/atom/atom/releases/download/v${version}/atom-amd64.deb";
-    sha256 = "1jzpa44ny78djdxc8d2w4jz1m68xmi8bzq87q3wmdffa4g9z4aa0";
+    sha256 = "0mr82m3yv18ljai3r4ncr65bqhjwxyf1si77iza4ijk5zv1llp7i";
     name = "${name}.deb";
   };
 

pkgs/applications/editors/eclipse/plugins.nix

@@ -447,6 +447,28 @@ rec {
     };
   };
 
+  vrapper = buildEclipseUpdateSite rec {
+    name = "vrapper-${version}";
+    version = "0.72.0";
+    owner = "vrapper";
+    repo = "vrapper";
+    date = "20170311";
+
+    src = fetchzip {
+      stripRoot = false;
+      url = "https://github.com/${owner}/${repo}/releases/download/${version}/vrapper_${version}_${date}.zip";
+      sha256 = "0nyirf6km97q211cxfy01kidxac20m8ba3kk9xj73ykrhsk3cxjp";
+    };
+
+    meta = with stdenv.lib; {
+      homepage = "https://github.com/vrapper/vrapper";
+      description = "A wrapper to provide a Vim-like input scheme for moving around and editing text";
+      license = licenses.gpl3;
+      platforms = platforms.all;
+      maintainers = [ maintainers.stumoss ];
+    };
+  };
+
   yedit = buildEclipsePlugin rec {
     name = "yedit-${version}";
     version = "1.0.20.201509041456";

pkgs/applications/editors/emacs-modes/melpa-generated.nix

@@ -10171,6 +10171,27 @@
           license = lib.licenses.free;
         };
       }) {};
+    company-lean = callPackage ({ company, dash, dash-functional, emacs, f, fetchFromGitHub, fetchurl, lean-mode, lib, melpaBuild, s }:
+    melpaBuild {
+        pname = "company-lean";
+        version = "20170920.708";
+        src = fetchFromGitHub {
+          owner = "leanprover";
+          repo = "lean-mode";
+          rev = "fa75bf97442a42e76e77fcf1b3c64e58f4f4169a";
+          sha256 = "1qyg0yjfmpnj8y3bbip3mvlhmh0ccm0j0p3crmb3az84fycvrsnr";
+        };
+        recipeFile = fetchurl {
+          url = "https://raw.githubusercontent.com/milkypostman/melpa/42f4d6438c8aeb94ebc1782f2f5e2abd17f0ffde/recipes/company-lean";
+          sha256 = "1hqkn7w5dyznf7i3r3132q8x31r74q188jsm5kdrjqgbwak2p91a";
+          name = "company-lean";
+        };
+        packageRequires = [ company dash dash-functional emacs f lean-mode s ];
+        meta = {
+          homepage = "https://melpa.org/#/company-lean";
+          license = lib.licenses.free;
+        };
+      }) {};
     company-lua = callPackage ({ company, f, fetchFromGitHub, fetchurl, lib, lua-mode, melpaBuild, s }:
     melpaBuild {
         pname = "company-lua";
@@ -32722,6 +32743,27 @@
           license = lib.licenses.free;
         };
       }) {};
+    helm-lean = callPackage ({ dash, emacs, fetchFromGitHub, fetchurl, helm, lean-mode, lib, melpaBuild }:
+    melpaBuild {
+        pname = "helm-lean";
+        version = "20170919.934";
+        src = fetchFromGitHub {
+          owner = "leanprover";
+          repo = "lean-mode";
+          rev = "fa75bf97442a42e76e77fcf1b3c64e58f4f4169a";
+          sha256 = "1qyg0yjfmpnj8y3bbip3mvlhmh0ccm0j0p3crmb3az84fycvrsnr";
+        };
+        recipeFile = fetchurl {
+          url = "https://raw.githubusercontent.com/milkypostman/melpa/42f4d6438c8aeb94ebc1782f2f5e2abd17f0ffde/recipes/helm-lean";
+          sha256 = "0j5ax14lhlyd9mpqk1jwh7nfp090kj71r045v2qjfaw2fa23b7si";
+          name = "helm-lean";
+        };
+        packageRequires = [ dash emacs helm lean-mode ];
+        meta = {
+          homepage = "https://melpa.org/#/helm-lean";
+          license = lib.licenses.free;
+        };
+      }) {};
     helm-lobsters = callPackage ({ cl-lib ? null, fetchFromGitHub, fetchurl, helm, lib, melpaBuild }:
     melpaBuild {
         pname = "helm-lobsters";
@@ -41631,6 +41673,27 @@
           license = lib.licenses.free;
         };
       }) {};
+    lean-mode = callPackage ({ dash, dash-functional, emacs, f, fetchFromGitHub, fetchurl, flycheck, lib, melpaBuild, s }:
+    melpaBuild {
+        pname = "lean-mode";
+        version = "20170920.755";
+        src = fetchFromGitHub {
+          owner = "leanprover";
+          repo = "lean-mode";
+          rev = "fa75bf97442a42e76e77fcf1b3c64e58f4f4169a";
+          sha256 = "1qyg0yjfmpnj8y3bbip3mvlhmh0ccm0j0p3crmb3az84fycvrsnr";
+        };
+        recipeFile = fetchurl {
+          url = "https://raw.githubusercontent.com/milkypostman/melpa/42f4d6438c8aeb94ebc1782f2f5e2abd17f0ffde/recipes/lean-mode";
+          sha256 = "0rdraxsirkrzbinjwg4qam15iy3qiixqgwsckngzw8d9a4s9l6sj";
+          name = "lean-mode";
+        };
+        packageRequires = [ dash dash-functional emacs f flycheck s ];
+        meta = {
+          homepage = "https://melpa.org/#/lean-mode";
+          license = lib.licenses.free;
+        };
+      }) {};
     leanote = callPackage ({ async, cl-lib ? null, emacs, fetchFromGitHub, fetchurl, let-alist, lib, melpaBuild, pcache, request, s }:
     melpaBuild {
         pname = "leanote";

pkgs/applications/editors/focuswriter/default.nix

@@ -1,25 +1,27 @@
-{ stdenv, fetchurl, qt4, qmake4Hook, pkgconfig, hunspell }:
+{ stdenv, fetchurl, pkgconfig, qmake, qttools, hunspell, qtbase, qtmultimedia }:
 
 stdenv.mkDerivation rec {
   name = "focuswriter-${version}";
-  version = "1.5.3";
+  version = "1.6.7";
 
   src = fetchurl {
-    url = http://gottcode.org/focuswriter/focuswriter-1.5.3-src.tar.bz2;
-    sha256 = "1i58jxbiy95ijf81g8c3gwxhcg3irzssna3wv7vhrd57g4lcfj0w";
+    url = "https://gottcode.org/focuswriter/focuswriter-${version}-src.tar.bz2";
+    sha256 = "10rqzinr6yd6ca06rklg34kdc08a3xgygfzmprsfg7gdsybfay5z";
   };
 
-  buildInputs = [ qt4 qmake4Hook pkgconfig hunspell ];
-  
-  qmakeFlags = [ "PREFIX=/" ];
+  nativeBuildInputs = [ pkgconfig qmake qttools ];
+  buildInputs = [ hunspell qtbase qtmultimedia ];
 
+  enableParallelBuilding = true;
+
+  qmakeFlags = [ "PREFIX=/" ];
   installFlags = [ "INSTALL_ROOT=$(out)" ];
 
-  meta = {
+  meta = with stdenv.lib; {
     description = "Simple, distraction-free writing environment";
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = [ stdenv.lib.maintainers.madjar ];
-    platforms = stdenv.lib.platforms.all;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ madjar ];
+    platforms = platforms.all;
     homepage = https://gottcode.org/focuswriter/;
   };
 }

pkgs/applications/gis/grass/default.nix

@@ -71,5 +71,6 @@ stdenv.mkDerivation {
     description = "GIS software suite used for geospatial data management and analysis, image processing, graphics and maps production, spatial modeling, and visualization";
     license = stdenv.lib.licenses.gpl2Plus;
     platforms = stdenv.lib.platforms.all;
+    broken = true;
   };
 }

pkgs/applications/graphics/gcolor3/default.nix

@@ -0,0 +1,31 @@
+{ stdenv, fetchFromGitHub, gnome3, libtool, intltool, pkgconfig, gtk3, hicolor_icon_theme, wrapGAppsHook } :
+
+let
+  version = "2.2";
+in stdenv.mkDerivation {
+  name = "gcolor3-${version}";
+
+  src = fetchFromGitHub {
+    owner = "hjdskes";
+    repo = "gcolor3";
+    rev = "v${version}";
+    sha256 = "1rbahsi33pfggpj5cigy6wy5333g3rpm8v2q0b35c6m7pwhmf2gr";
+  };
+
+  nativeBuildInputs = [ gnome3.gnome_common libtool intltool pkgconfig hicolor_icon_theme wrapGAppsHook ];
+
+  buildInputs = [ gtk3 ];
+
+  configureScript = "./autogen.sh";
+
+  # clang-4.0: error: argument unused during compilation: '-pthread'
+  NIX_CFLAGS_COMPILE = stdenv.lib.optional stdenv.cc.isClang "-Wno-error=unused-command-line-argument";
+
+  meta = {
+    description = "A simple color chooser written in GTK3";
+    homepage = https://hjdskes.github.io/projects/gcolor3/;
+    license = stdenv.lib.licenses.gpl2;
+    maintainers = with stdenv.lib.maintainers; [ jtojnar ];
+    platforms = stdenv.lib.platforms.unix;
+  };
+}

pkgs/applications/graphics/kgraphviewer/default.nix

@@ -1,24 +1,38 @@
-{ stdenv, fetchurl, automoc4, cmake, gettext, perl, pkgconfig
-, kdelibs4, boost, graphviz
+{ stdenv, mkDerivation, fetchurl, cmake, extra-cmake-modules, pkgconfig, wrapGAppsHook
+, kconfig, kcrash, kinit, kdoctools, kiconthemes, kio, kparts, kwidgetsaddons
+, qtbase, qtsvg
+, boost, graphviz
 }:
 
-stdenv.mkDerivation rec {
+mkDerivation rec {
   name = "kgraphviewer-${version}";
-  version = "2.2.0";
+  version = "2.4.2";
 
   src = fetchurl {
-    url = "mirror://kde/stable/kgraphviewer/${version}/src/${name}.tar.xz";
-    sha256 = "1vs5x539mx26xqdljwzkh2bj7s3ydw4cb1wm9nlhgs18siw4gjl5";
+    url = "mirror://kde/stable/kgraphviewer/${version}/${name}.tar.xz";
+    sha256 = "1jc5zfgy4narwgn7rscfwz7l5pjy0jghal6yb3kd4sfadi78nhs9";
   };
 
-  buildInputs = [ kdelibs4 boost graphviz ];
-  nativeBuildInputs = [ automoc4 cmake gettext perl pkgconfig ];
+  buildInputs = [
+    qtbase qtsvg
+    boost graphviz
+  ];
+
+  nativeBuildInputs = [
+    cmake extra-cmake-modules pkgconfig wrapGAppsHook
+    kdoctools
+  ];
+
+  propagatedBuildInputs = [
+    kconfig kinit kio kparts kwidgetsaddons
+  ];
+
+  enableParallelBuilding = true;
 
   meta = with stdenv.lib; {
     description = "A Graphviz dot graph viewer for KDE";
-    license = licenses.gpl2;
-    platforms = platforms.linux;
-    maintainers = [ maintainers.lethalman ];
+    license     = licenses.gpl2;
+    maintainers = with maintainers; [ lethalman ];
+    platforms   = platforms.linux;
   };
 }
-

pkgs/applications/graphics/meshlab/default.nix

@@ -46,6 +46,6 @@ stdenv.mkDerivation rec {
     license = stdenv.lib.licenses.gpl2Plus;
     maintainers = with stdenv.lib.maintainers; [viric];
     platforms = with stdenv.lib.platforms; linux;
-    broken = stdenv.isLinux && stdenv.isi686;
+    broken = true;
   };
 }

pkgs/applications/graphics/sane/backends/brscan4/default.nix

@@ -10,17 +10,17 @@ let
   udevRules = callPackage ./udev_rules_type1.nix {};
 
 in stdenv.mkDerivation rec {
-  name = "brscan4-0.4.4-2";
+  name = "brscan4-0.4.4-4";
   src = 
     if stdenv.system == "i686-linux" then
       fetchurl {
         url = "http://download.brother.com/welcome/dlf006646/${name}.i386.deb";
-        sha256 = "1rd6qmg49lvack8rg9kkqs3vxfvvqf2x45h93pkrhk8a4aj5c8ll";
+        sha256 = "13mhjbzf9nvpdzrc2s98684r7likg76zxs1wlz2h8w59fsqgx4k2";
       }
     else if stdenv.system == "x86_64-linux" then
       fetchurl {
         url = "http://download.brother.com/welcome/dlf006645/${name}.amd64.deb";
-        sha256 = "1r3cq1k2a2bghibkckmk00x7y59ic31gv7jcsw7380szf1j3la59";
+        sha256 = "0xy5px96y1saq9l80vwvfn6anr2q42qlxdhm6ci2a0diwib5q9fd";
       }
     else throw "${name} is not supported on ${stdenv.system} (only i686-linux and x86_64 linux are supported)";
 

pkgs/applications/graphics/synfigstudio/default.nix

@@ -42,6 +42,8 @@ let
       ETL boost cairo gettext glibmm mlt-qt5 libsigcxx libxmlxx pango
       pkgconfig autoreconfHook
     ];
+
+    meta.broken = true;
   };
 in
 stdenv.mkDerivation rec {

pkgs/applications/graphics/xzgv/default.nix

@@ -1,22 +1,23 @@
-{ stdenv, fetchurl, gtk2, pkgconfig, texinfo }:
+{ stdenv, fetchurl, gtk2, libexif, pkgconfig, texinfo }:
 
 stdenv.mkDerivation rec {
   name = "xzgv-${version}";
-  version = "0.9.1";
+  version = "0.9.2";
   src = fetchurl {
     url = "mirror://sourceforge/xzgv/xzgv-${version}.tar.gz";
-    sha256 = "1rh432wnvzs434knzbda0fslhfx0gngryrrnqkfm6gwd2g5mxcph";
+    sha256 = "17l1xr9v07ggwga3vn0z1i4lnwjrr20rr8z1kjbw71aaijxl18i5";
   };
-  buildInputs = [ gtk2 pkgconfig texinfo ];
-  patches = [ ./fix-linker-paths.patch ];
+  nativeBuildInputs = [ pkgconfig texinfo ];
+  buildInputs = [ gtk2 libexif ];
   postPatch = ''
     substituteInPlace config.mk \
       --replace /usr/local $out
-    substituteInPlace config.mk \
-      --replace "CFLAGS=-O2 -Wall" "CFLAGS=-Wall"
     substituteInPlace Makefile \
       --replace "all: src man" "all: src man info"
   '';
+  preInstall = ''
+    mkdir -p $out/share/{app-install/desktop,applications,info,pixmaps}
+  '';
   meta = with stdenv.lib; {
     homepage = http://sourceforge.net/projects/xzgv/;
     description = "Picture viewer for X with a thumbnail-based selector";

pkgs/applications/graphics/xzgv/fix-linker-paths.patch

@@ -1,25 +0,0 @@
-taken from http://sourceforge.net/p/xzgv/code/53/tree//trunk/xzgv/src/Makefile?diff=514dada434309d2ec11f5eff:52
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -9,8 +9,10 @@
- # This gets definitions for CC, CFLAGS, BINDIR etc.
- include ../config.mk
- 
--CFLAGS+=`pkg-config --cflags gtk+-2.0` `pkg-config --cflags gdk-pixbuf-2.0`
--LDFLAGS+=`pkg-config --libs gtk+-2.0` `pkg-config --libs gdk-pixbuf-2.0`
-+CFLAGS+=`pkg-config --cflags gtk+-2.0` `pkg-config --cflags gdk-pixbuf-2.0` \
-+	`pkg-config --cflags x11`
-+LDFLAGS+=`pkg-config --libs gtk+-2.0` `pkg-config --libs gdk-pixbuf-2.0` \
-+	`pkg-config --libs x11` -lm
- 
- all: xzgv
- 
-@@ -23,7 +25,7 @@
- 	backend.o
- 
- xzgv: $(OBJS)
--	$(CC) $(LDFLAGS) -o xzgv $(OBJS)
-+	$(CC) -o xzgv $(OBJS) $(LDFLAGS)
- 
- installdirs:
- 	/bin/sh ../mkinstalldirs $(BINDIR)

pkgs/applications/misc/electron-cash/default.nix

@@ -0,0 +1,66 @@
+{ stdenv, fetchFromGitHub, python2Packages }:
+
+python2Packages.buildPythonApplication rec {
+  version = "2.9.3";
+  name = "electron-cash-${version}";
+
+  src = fetchFromGitHub {
+    owner = "fyookball";
+    repo = "electrum";
+    rev = version;
+    sha256 = "1r39b5ag5fipzgr84pzb53cfm8a4dy53257608754dwr1gfpma3v";
+  };
+
+  propagatedBuildInputs = with python2Packages; [
+    dns
+    ecdsa
+    jsonrpclib
+    pbkdf2
+    pyaes
+    pycrypto
+    pyqt4
+    pysocks
+    qrcode
+    requests
+    tlslite
+
+    # plugins
+    keepkey
+    trezor
+  ];
+
+  preBuild = ''
+    sed -i 's,usr_share = .*,usr_share = "'$out'/share",g' setup.py
+    pyrcc4 icons.qrc -o gui/qt/icons_rc.py
+    # Recording the creation timestamps introduces indeterminism to the build
+    sed -i '/Created: .*/d' gui/qt/icons_rc.py
+  '';
+
+  postInstall = ''
+    # Despite setting usr_share above, these files are installed under
+    # $out/nix ...
+    mv $out/lib/python2.7/site-packages/nix/store"/"*/share $out
+    rm -rf $out/lib/python2.7/site-packages/nix
+
+    substituteInPlace $out/share/applications/electron.desktop \
+      --replace "Exec=electrum %u" "Exec=$out/bin/electrum %u"
+  '';
+
+  doInstallCheck = true;
+  installCheckPhase = ''
+    $out/bin/electrum help >/dev/null
+  '';
+
+  meta = with stdenv.lib; {
+    description = "A lightweight Bitcoin wallet";
+    longDescription = ''
+      An easy-to-use Bitcoin client featuring wallets generated from
+      mnemonic seeds (in addition to other, more advanced, wallet options)
+      and the ability to perform transactions without downloading a copy
+      of the blockchain.
+    '';
+    homepage = https://www.electroncash.org/;
+    maintainers = with maintainers; [ lassulus ];
+    license = licenses.mit;
+  };
+}

pkgs/applications/misc/far2l/default.nix

@@ -1,29 +1,34 @@
 { stdenv, fetchFromGitHub, makeWrapper, cmake, pkgconfig, wxGTK30, glib, pcre, m4, bash,
-  xdg_utils, gvfs, zip, unzip, gzip, bzip2, gnutar, p7zip, xz, imagemagick }:
+  xdg_utils, gvfs, zip, unzip, gzip, bzip2, gnutar, p7zip, xz, imagemagick, darwin }:
 
+with stdenv.lib;
 stdenv.mkDerivation rec {
-  rev = "de5554dbc0ec69329b75777d4a3b2f01851fc5ed";
-  build = "unstable-2017-07-13.git${builtins.substring 0 7 rev}";
+  rev = "1ecd3a37c7b866a4599c547ea332541de2a2af26";
+  build = "unstable-2017-09-30.git${builtins.substring 0 7 rev}";
   name = "far2l-2.1.${build}";
 
   src = fetchFromGitHub {
     owner = "elfmz";
     repo = "far2l";
     rev = rev;
-    sha256 = "07l8w9p6zxm9qgh9wlci584lgv8gd4aw742jaqh9acgkxy9caih8";
+    sha256 = "0mavg9z1n81b1hbkj320m36r8lpw28j07rl1d2hpg69y768yyq05";
   };
 
   nativeBuildInputs = [ cmake pkgconfig m4 makeWrapper imagemagick ];
 
-  buildInputs = [ wxGTK30 glib pcre ];
+  buildInputs = [ wxGTK30 glib pcre ]
+    ++ optional stdenv.isDarwin darwin.apple_sdk.frameworks.Cocoa;
 
   patches = [ ./add-nix-syntax-highlighting.patch ];
 
-  postPatch = ''
-    echo 'echo ${build}' > far2l/bootstrap/scripts/vbuild.sh
-
-    substituteInPlace far2l/bootstrap/open.sh              \
+  postPatch = optionalString stdenv.isLinux ''
+    substituteInPlace far2l/bootstrap/open.sh \
       --replace 'gvfs-trash'  '${gvfs}/bin/gvfs-trash'
+  '' + optionalString stdenv.isDarwin ''
+    substituteInPlace far2l/CMakeLists.txt \
+      --replace "-framework System" -lSystem
+  '' + ''
+    echo 'echo ${build}' > far2l/bootstrap/scripts/vbuild.sh
     substituteInPlace far2l/bootstrap/open.sh              \
       --replace 'xdg-open'    '${xdg_utils}/bin/xdg-open'
     substituteInPlace far2l/vtcompletor.cpp                \
@@ -62,7 +67,7 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  meta = with stdenv.lib; {
+  meta = {
     description = "An orthodox file manager";
     homepage = https://github.com/elfmz/far2l;
     license = licenses.gpl2;

pkgs/applications/misc/googler/default.nix

@@ -0,0 +1,25 @@
+{stdenv, fetchFromGitHub, python}:
+
+stdenv.mkDerivation rec {
+  version = "3.3";
+  name = "googler-${version}";
+
+  src = fetchFromGitHub {
+    owner = "jarun";
+    repo = "googler";
+    rev = "v${version}";
+    sha256 = "0gkzgcf0qss7fskgswryk835vivlv1f99ym1pbxy3vv9wcwx6a43";
+  };
+
+  propagatedBuildInputs = [ python ];
+
+  makeFlags = "PREFIX=$(out)";
+
+  meta = with stdenv.lib; {
+    homepage = https://github.com/jarun/googler;
+    description = "Google Search, Google Site Search, Google News from the terminal";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ koral ];
+    platforms = platforms.unix;
+  };
+}

pkgs/applications/misc/gqrx/default.nix

@@ -8,13 +8,13 @@ assert pulseaudioSupport -> libpulseaudio != null;
 
 stdenv.mkDerivation rec {
   name = "gqrx-${version}";
-  version = "2.7";
+  version = "2.8";
 
   src = fetchFromGitHub {
     owner = "csete";
     repo = "gqrx";
     rev = "v${version}";
-    sha256 = "1dslb8l8ggj6vf9257c2bj0z8z1wy9c6sr2zksp5jdgf8m4j71im";
+    sha256 = "0niy4c05886mhbfmix93j2bnj4kzdh9bvrmymawl6z28glyz5d3c";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/applications/misc/hamster-time-tracker/default.nix

@@ -31,6 +31,10 @@ pythonPackages.buildPythonApplication rec {
     python waf build
   '';
 
+  postFixup = ''
+    wrapPythonProgramsIn $out/lib/hamster-time-tracker "$out $pythonPath"
+  '';
+
   installPhase = ''
     python waf install
   '';

pkgs/applications/misc/hugo/default.nix

@@ -2,7 +2,7 @@
 
 buildGoPackage rec {
   name = "hugo-${version}";
-  version = "0.27.1";
+  version = "0.29";
 
   goPackagePath = "github.com/gohugoio/hugo";
 
@@ -10,7 +10,7 @@ buildGoPackage rec {
     owner = "gohugoio";
     repo = "hugo";
     rev = "v${version}";
-    sha256 = "0vxzjwm9dsan314cz0gnj4spssg4w8y6ywsak8n9c6w0l45xf07p";
+    sha256 = "1vklws05534ig9rj55cqnxpqfsvns64kfdg6zjyrcpz7l0z07a33";
   };
 
   goDeps = ./deps.nix;

pkgs/applications/misc/hugo/deps.nix

@@ -26,6 +26,15 @@
       sha256 = "13r896yy71i6jj1cwv2pjp53wjfxkg7bh884fggv6y79ly0qr63j";
     };
   }
+  {
+    goPackagePath = "github.com/alecthomas/chroma";
+    fetch = {
+      type = "git";
+      url = "https://github.com/alecthomas/chroma";
+      rev = "b0295f66bdb7c61d54906003d7649185794e21b4";
+      sha256 = "1hnvv13nphbzr9xm21fys7lgm0kd6qlbk58vc8fi802lxzsfmdis";
+    };
+  }
   {
     goPackagePath = "github.com/bep/gitmap";
     fetch = {
@@ -40,8 +49,8 @@
     fetch = {
       type = "git";
       url = "https://github.com/chaseadamsio/goorgeous";
-      rev = "677defd0e024333503d8c946dd4ba3f32ad3e5d2";
-      sha256 = "1mcncs3qdb62m9xwhkxy743ddvgsjfbmbl2djnhqmz1va05njna1";
+      rev = "098da33fde5f9220736531b3cb26a2dec86a8367";
+      sha256 = "1cwag5vzgrzy22rvcp12whzgqbgrmdmaxar0fl4nwqxdhy90s67k";
     };
   }
   {
@@ -53,6 +62,15 @@
       sha256 = "1a87v4cnd5y5whcdkjcqjpg1s5pxqhrspdxrsk2af49zsw9fsj9f";
     };
   }
+  {
+    goPackagePath = "github.com/danwakefield/fnmatch";
+    fetch = {
+      type = "git";
+      url = "https://github.com/danwakefield/fnmatch";
+      rev = "cbb64ac3d964b81592e64f957ad53df015803288";
+      sha256 = "0cbf511ppsa6hf59mdl7nbyn2b2n71y0bpkzbmfkdqjhanqh1lqz";
+    };
+  }
   {
     goPackagePath = "github.com/dchest/cssmin";
     fetch = {
@@ -62,6 +80,15 @@
       sha256 = "09sdijfx5d05z4cd5k6lhl7k3kbpdf2amzlngv15h5v0fff9qw4s";
     };
   }
+  {
+    goPackagePath = "github.com/dlclark/regexp2";
+    fetch = {
+      type = "git";
+      url = "https://github.com/dlclark/regexp2";
+      rev = "487489b64fb796de2e55f4e8a4ad1e145f80e957";
+      sha256 = "144s81ndviwhyy20ipxvvfvap8phv5p762glxrz6aqxprkxfarj5";
+    };
+  }
   {
     goPackagePath = "github.com/eknkc/amber";
     fetch = {
@@ -206,15 +233,6 @@
       sha256 = "0fxjgmwn9927wckl2xx8byv64cxgc0yxdwpfzval5n3wm5l5ij1i";
     };
   }
-  {
-    goPackagePath = "github.com/pelletier/go-buffruneio";
-    fetch = {
-      type = "git";
-      url = "https://github.com/pelletier/go-buffruneio";
-      rev = "c37440a7cf42ac63b919c752ca73a85067e05992";
-      sha256 = "0l83p1gg6g5mmhmxjisrhfimhbm71lwn1r2w7d6siwwqm9q08sd2";
-    };
-  }
   {
     goPackagePath = "github.com/pelletier/go-toml";
     fetch = {

pkgs/applications/misc/josm/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "josm-${version}";
-  version = "12712";
+  version = "12914";
 
   src = fetchurl {
     url = "https://josm.openstreetmap.de/download/josm-snapshot-${version}.jar";
-    sha256 = "0lpz4yzkvjpn5g36nibrkh773jnlkiqj6lghsx69i86h0xfb7gqf";
+    sha256 = "104yih9xfgkpcqg8sqgwkpij2l6pwm12jx6kif45j11sg7hxlh8x";
   };
 
   buildInputs = [ jre8 makeWrapper ];

pkgs/applications/misc/merkaartor/default.nix

@@ -1,25 +1,27 @@
-{ stdenv, fetchFromGitHub, qt4, qmake4Hook, boost, proj, gdal, sqlite, pkgconfig }:
+{ stdenv, fetchFromGitHub, qmake, pkgconfig, boost, gdal, proj
+, qtbase, qtsvg, qtwebkit }:
 
 stdenv.mkDerivation rec {
   name = "merkaartor-${version}";
-  version = "0.18.2";
+  version = "0.18.3";
 
   src = fetchFromGitHub {
     owner = "openstreetmap";
     repo = "merkaartor";
     rev = version;
-    sha256 = "1a8kzrc9w0b2a2zgw9dbbi15jy9ynv6nf2sg3k4dbh7f1s2ajx9l";
+    sha256 = "0ls3q8m1hxiwyrypy6qca8wczhl4969ncl0sszfdwfv70rzxjk88";
   };
 
-  buildInputs = [ qt4 boost proj gdal sqlite ];
+  nativeBuildInputs = [ qmake pkgconfig ];
 
-  nativeBuildInputs = [ qmake4Hook pkgconfig ];
+  buildInputs = [ boost gdal proj qtbase qtsvg qtwebkit ];
 
-  meta = {
-    description = "An openstreetmap editor";
-    homepage = http://merkaartor.org/;
-    license = stdenv.lib.licenses.gpl2Plus;
-    maintainers = with stdenv.lib.maintainers; [viric];
-    inherit (qt4.meta) platforms;
+  enableParallelBuilding = true;
+
+  meta = with stdenv.lib; {
+    description = "OpenStreetMap editor";
+    homepage = http://merkaartor.be/;
+    license = licenses.gpl2Plus;
+    maintainers = with maintainers; [ viric ];
   };
 }

pkgs/applications/misc/octoprint/default.nix

@@ -91,6 +91,8 @@ in pythonPackages.buildPythonApplication rec {
       -e 's,psutil>=[^"]*,psutil,g' \
       -e 's,requests>=[^"]*,requests,g' \
       -e 's,future>=[^"]*,future,g' \
+      -e 's,pyserial>=[^"]*,pyserial,g' \
+      -e 's,semantic_version>=[^"]*,semantic_version,g' \
       setup.py
   '';
 

pkgs/applications/misc/octoprint/m33-fio-one-library.patch

@@ -1,18 +1,18 @@
-From 0defcf6ec155899c414f66524b7df629f59327f0 Mon Sep 17 00:00:00 2001
+From 314bcebfcd1759981ce12255be29d8ae68cd400b Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Wed, 23 Nov 2016 00:40:48 +0300
 Subject: [PATCH] Build and use one version of preprocessor library
 
 ---
- octoprint_m33fio/__init__.py   | 67 ++----------------------------------------
- shared library source/Makefile | 62 +++-----------------------------------
- 2 files changed, 6 insertions(+), 123 deletions(-)
+ octoprint_m33fio/__init__.py   | 73 ++----------------------------------------
+ shared library source/Makefile | 62 +++--------------------------------
+ 2 files changed, 6 insertions(+), 129 deletions(-)
 
 diff --git a/octoprint_m33fio/__init__.py b/octoprint_m33fio/__init__.py
-index 4b43c59..d1259e4 100755
+index 054870a..4d5ecc1 100755
 --- a/octoprint_m33fio/__init__.py
 +++ b/octoprint_m33fio/__init__.py
-@@ -1062,71 +1062,8 @@ class M33FioPlugin(
+@@ -1189,78 +1189,9 @@ class M33FioPlugin(
  		# Check if using shared library or checking if it is usable
  		if self._settings.get_boolean(["UseSharedLibrary"]) or isUsable :
  	
@@ -54,7 +54,9 @@ index 4b43c59..d1259e4 100755
 -
 -			# Otherwise check if running on Windows and using an i386 or x86-64 device
 -			elif platform.uname()[0].startswith("Windows") and (platform.uname()[4].endswith("86") or platform.uname()[4].endswith("64")) :
--
++			# Set shared library
++			self.sharedLibrary = ctypes.cdll.LoadLibrary(self._basefolder.replace('\\', '/') + "/static/libraries/libpreprocessor.so")
+ 
 -				# Check if Python is running as 32-bit
 -				if platform.architecture()[0].startswith("32") :
 -	
@@ -81,11 +83,16 @@ index 4b43c59..d1259e4 100755
 -	
 -					# Set shared library
 -					self.sharedLibrary = ctypes.cdll.LoadLibrary(self._basefolder.replace("\\", "/") + "/static/libraries/preprocessor_x86-64.dylib")
-+			# Set shared library
-+			self.sharedLibrary = ctypes.cdll.LoadLibrary(self._basefolder.replace('\\', '/') + "/static/libraries/libpreprocessor.so")
- 
+-			
+-			# Otherwise check if running FreeBSD
+-			elif platform.uname()[0].startswith("FreeBSD") :
+-			
+-				# TODO: Compile FreeBSD shared library pre-processors
+-				pass
+-			
  			# Check if shared library was set
  			if self.sharedLibrary :
+ 
 diff --git a/shared library source/Makefile b/shared library source/Makefile
 index 792b4f4..4c74f5c 100755
 --- a/shared library source/Makefile	
@@ -164,5 +171,5 @@ index 792b4f4..4c74f5c 100755
  clean:
  	rm -f ../octoprint_m33fio/static/libraries/$(PROG)
 -- 
-2.11.0
+2.14.1
 

pkgs/applications/misc/octoprint/plugins.nix

@@ -12,13 +12,13 @@ let
 
     m33-fio = buildPlugin rec {
       name = "M33-Fio-${version}";
-      version = "1.20";
+      version = "1.21";
 
       src = fetchFromGitHub {
         owner = "donovan6000";
         repo = "M33-Fio";
         rev = "V${version}";
-        sha256 = "1ng7lzlkqsjcr1w7wgzwsqkkvcvpajcj2cwqlffh95916sw8n767";
+        sha256 = "1la3611kkqn8yiwjn6cizc45ri8pnk6ckld1na4nk6mqk88jvjq7";
       };
 
       patches = [

pkgs/applications/misc/pcmanx-gtk2/default.nix

@@ -17,7 +17,7 @@ stdenv.mkDerivation {
     homepage = http://pcman.ptt.cc;
     license = licenses.gpl2;
     description = "Telnet BBS browser with GTK+ interface";
-    maintainers = [ maintainers.mingchuan ];
+    maintainers = [ maintainers.sifmelcara ];
     platforms = platforms.linux;
   };
 }

pkgs/applications/misc/pytrainer/default.nix

@@ -1,38 +1,45 @@
-{ stdenv, fetchurl, pythonPackages, sqlite, gpsbabel }:
+{ stdenv, fetchFromGitHub, perl, python2Packages, sqlite, gpsbabel
+, withWebKit ? false }:
 
 let
 
   # Pytrainer needs a matplotlib with GTK backend. Also ensure we are
   # using the pygtk with glade support as needed by pytrainer.
-  matplotlibGtk = pythonPackages.matplotlib.override {
+  matplotlibGtk = python2Packages.matplotlib.override {
     enableGtk2 = true;
-    pygtk = pythonPackages.pyGtkGlade;
+    pygtk = python2Packages.pyGtkGlade;
   };
 
 in
 
-pythonPackages.buildPythonApplication rec {
+python2Packages.buildPythonApplication rec {
   name = "pytrainer-${version}";
-  version = "1.10.0";
+  version = "1.11.0";
 
-  src = fetchurl {
-    url = "https://github.com/pytrainer/pytrainer/archive/v${version}.tar.gz";
-    sha256 = "0l42p630qhymgrcvxgry8chrpzcp6nr3d1vd7vhifh2npfq9l09y";
+  src = fetchFromGitHub {
+    owner = "pytrainer";
+    repo = "pytrainer";
+    rev = "v${version}";
+    sha256 = "1x4f1ydjql0aisvxs5kyi9lx35b4q3768dx42fyzq1nxdwzaqyvy";
   };
 
   namePrefix = "";
 
-  # The existing use of pywebkitgtk shows raw HTML text instead of
-  # map. This patch solves the problems by showing the file from a
-  # string, which allows setting an explicit MIME type.
-  patches = [ ./pytrainer-webkit.patch ];
+  patches = [
+    # The test fails in the UTC timezone and C locale.
+    ./fix-test-tz.patch
 
-  propagatedBuildInputs = with pythonPackages; [
-    dateutil lxml matplotlibGtk pyGtkGlade pywebkitgtk
-    sqlalchemy_migrate
+    # The existing use of pywebkitgtk shows raw HTML text instead of
+    # map. This patch solves the problems by showing the file from a
+    # string, which allows setting an explicit MIME type.
+    ./pytrainer-webkit.patch
   ];
 
-  buildInputs = [ gpsbabel sqlite ];
+  propagatedBuildInputs = with python2Packages; [
+    dateutil lxml matplotlibGtk pyGtkGlade sqlalchemy_migrate
+  ] ++ stdenv.lib.optional withWebKit [ pywebkitgtk ];
+
+  buildInputs = [ perl gpsbabel sqlite ];
 
   # This package contains no binaries to patch or strip.
   dontPatchELF = true;

pkgs/applications/misc/pytrainer/fix-test-tz.patch

@@ -0,0 +1,33 @@
+diff -Nurp pytrainer-v1.11.0-a/pytrainer/test/core/test_activity.py pytrainer-v1.11.0-b/pytrainer/test/core/test_activity.py
+--- pytrainer-v1.11.0-a/pytrainer/test/core/test_activity.py	1980-01-02 00:00:00.000000000 +0100
++++ pytrainer-v1.11.0-b/pytrainer/test/core/test_activity.py	2017-09-30 18:56:43.127016847 +0200
+@@ -69,7 +69,7 @@ class ActivityTest(unittest.TestCase):
+         self.assertEquals(self.activity.time, self.activity.duration)
+ 
+     def test_activity_starttime(self):
+-        self.assertEquals(self.activity.starttime, '12:58:23 PM')
++        self.assertEquals(self.activity.starttime, '12:58:23')
+ 
+     def test_activity_time_tuple(self):
+         self.assertEquals(self.activity.time_tuple, (2, 3, 46))
+diff -Nurp pytrainer-v1.11.0-a/pytrainer/test/imports/test_garmintcxv2.py pytrainer-v1.11.0-b/pytrainer/test/imports/test_garmintcxv2.py
+--- pytrainer-v1.11.0-a/pytrainer/test/imports/test_garmintcxv2.py	1980-01-02 00:00:00.000000000 +0100
++++ pytrainer-v1.11.0-b/pytrainer/test/imports/test_garmintcxv2.py	2017-09-30 18:55:45.078128980 +0200
+@@ -23,7 +23,7 @@ class GarminTCXv2Test(unittest.TestCase)
+             self.fail()
+ 
+     def test_workout_summary(self):
+-        summary = [(0, False, '2012-10-14T12:02:42', '10.12', '00:39:51', 'Running')]
++        summary = [(0, False, '2012-10-14T10:02:42', '10.12', '00:39:51', 'Running')]
+         try:
+             current_path = os.path.dirname(os.path.abspath(__file__))
+             data_path = os.path.dirname(os.path.dirname(os.path.dirname(current_path))) + "/"
+diff -Nurp pytrainer-v1.11.0-a/pytrainer/test/lib/test_date.py pytrainer-v1.11.0-b/pytrainer/test/lib/test_date.py
+--- pytrainer-v1.11.0-a/pytrainer/test/lib/test_date.py	1980-01-02 00:00:00.000000000 +0100
++++ pytrainer-v1.11.0-b/pytrainer/test/lib/test_date.py	2017-09-30 18:56:23.448720166 +0200
+@@ -45,4 +45,4 @@ class DateFunctionTest(unittest.TestCase
+     def test_getDateTime(self):
+         utctime, localtime = getDateTime('Tue Nov 24 17:29:05 UTC 2015')
+         self.assertEqual(datetime.datetime(2015, 11, 24, 17, 29, 5, tzinfo=tzutc()), utctime)
+-        self.assertEqual(datetime.datetime(2015, 11, 24, 19, 29, 5, tzinfo=tzlocal()), localtime)
++        self.assertEqual(datetime.datetime(2015, 11, 24, 17, 29, 5, tzinfo=tzlocal()), localtime)

pkgs/applications/misc/qmapshack/default.nix

@@ -0,0 +1,33 @@
+{ stdenv, fetchFromBitbucket, cmake, qtscript, qtwebkit, gdal, proj, routino, quazip }:
+
+stdenv.mkDerivation rec {
+  name = "qmapshack-${version}";
+  version = "1.9.1";
+
+  src = fetchFromBitbucket {
+    owner = "maproom";
+    repo = "qmapshack";
+    rev = "V%20${version}";
+    sha256 = "1yswdq1s9jjhwb3wfiy3kkiiaqzagw28vjqvl13jxcnmq7y763sr";
+  };
+
+  nativeBuildInputs = [ cmake ];
+
+  buildInputs = [ qtscript qtwebkit gdal proj routino quazip ];
+
+  cmakeFlags = [
+    "-DROUTINO_XML_PATH=${routino}/share/routino"
+    "-DQUAZIP_INCLUDE_DIR=${quazip}/include/quazip"
+    "-DLIBQUAZIP_LIBRARY=${quazip}/lib/libquazip.so"
+  ];
+
+  enableParallelBuilding = true;
+
+  meta = with stdenv.lib; {
+    homepage = https://bitbucket.org/maproom/qmapshack/wiki/Home;
+    description = "Plan your next outdoor trip";
+    license = licenses.gpl3;
+    maintainter = with maintainers; [ dotlambda ];
+    platforms = with platforms; linux;
+  };
+}

pkgs/applications/misc/rescuetime/default.nix

@@ -9,14 +9,14 @@ let
     } else fetchurl {
       name = "rescuetime-installer.deb";
       url = "https://www.rescuetime.com/installers/rescuetime_current_amd64.deb";
-      sha256 = "161f71kvcrilv9qxldwn8xsqs2g9c2f2g9wb5brbfc0lqbbc8n89";
+      sha256 = "1xjwaqz0gs12ndgw7c2f1nkvj0nqcl0bxhd54pwk0dwrx9pn9avz";
     };
 
 in
 
 stdenv.mkDerivation {
   # https://www.rescuetime.com/updates/linux_release_notes.html
-  name = "rescuetime-2.9.11.1285";
+  name = "rescuetime-2.9.11.1300";
   inherit src;
   buildInputs = [ dpkg makeWrapper ];
   unpackPhase = ''

pkgs/applications/misc/robo3t/default.nix

@@ -0,0 +1,77 @@
+{ stdenv, fetchurl, zlib, glib, xorg, dbus, fontconfig,
+  freetype, xkeyboard_config, makeDesktopItem, makeWrapper }:
+
+stdenv.mkDerivation rec {
+  name = "robo3t-${version}";
+  version = "1.1.1";
+
+  src = fetchurl {
+    url = "https://download.robomongo.org/1.1.1/linux/robo3t-${version}-linux-x86_64-c93c6b0.tar.gz";
+    sha256 = "140cn80vg7c8vpdjasqi4b3kyqj4n033lcm3ikz5674x3jr7r5zs";
+  };
+
+  icon = fetchurl {
+    url = "https://github.com/Studio3T/robomongo/raw/${version}/trash/install/linux/robomongo.png";
+    sha256 = "15li8536x600kkfkb3h6mw7y0f2ljkv951pc45dpiw036vldibv2";
+  };
+
+  desktopItem = makeDesktopItem {
+    name = "Robo3T";
+    exec = "robo3t";
+    icon = icon;
+    comment = "Query GUI for mongodb";
+    desktopName = "Robo3T";
+    genericName = "MongoDB management tool";
+    categories = "Development;IDE;mongodb;";
+  };
+
+  nativeBuildInputs = [makeWrapper];
+
+  ldLibraryPath = stdenv.lib.makeLibraryPath [
+    stdenv.cc.cc
+    zlib
+    glib
+    xorg.libXi
+    xorg.libxcb
+    xorg.libXrender
+    xorg.libX11
+    xorg.libSM
+    xorg.libICE
+    xorg.libXext
+    dbus
+    fontconfig
+    freetype
+  ];
+
+  installPhase = ''
+    BASEDIR=$out/lib/robo3t
+
+    mkdir -p $BASEDIR/bin
+    cp bin/* $BASEDIR/bin
+
+    mkdir -p $BASEDIR/lib
+    cp -r lib/* $BASEDIR/lib
+
+    mkdir -p $out/share/applications
+    cp $desktopItem/share/applications/* $out/share/applications
+
+    mkdir -p $out/share/icons
+    cp ${icon} $out/share/icons/robomongo.png
+
+    patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 $BASEDIR/bin/robo3t
+
+    mkdir $out/bin
+
+    makeWrapper $BASEDIR/bin/robo3t $out/bin/robo3t \
+      --suffix LD_LIBRARY_PATH : ${ldLibraryPath} \
+      --suffix QT_XKB_CONFIG_ROOT : ${xkeyboard_config}/share/X11/xkb
+  '';
+
+  meta = {
+    homepage = https://robomongo.org/;
+    description = "Query GUI for mongodb";
+    platforms = stdenv.lib.intersectLists stdenv.lib.platforms.linux stdenv.lib.platforms.x86_64;
+    license = stdenv.lib.licenses.gpl3;
+    maintainers = [ stdenv.lib.maintainers.eperuffo ];
+  };
+}

pkgs/applications/misc/tint2/default.nix

@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation rec {
   name = "tint2-${version}";
-  version = "15.1";
+  version = "15.2";
 
   src = fetchFromGitLab {
     owner = "o9000";
     repo = "tint2";
     rev = version;
-    sha256 = "16mpvknibbqy0vjgkwig7g8i6rivm14ipd7ixvqydgcj7wibn0b7";
+    sha256 = "1lfk3zcgmmlby353gs70gpi0m28nx2c20wxqgaw7268a69r5cz7a";
   };
 
   enableParallelBuilding = true;
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
     homepage = https://gitlab.com/o9000/tint2;
     description = "Simple panel/taskbar unintrusive and light (memory, cpu, aestetic)";
     license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.unix;
+    platforms = stdenv.lib.platforms.linux;
     maintainers = [ stdenv.lib.maintainers.romildo ];
   };
 }

pkgs/applications/networking/browsers/chromium/common.nix

@@ -90,6 +90,15 @@ let
     sha256 = "1vhslc4xg0d6wzlsi99zpah2xzjziglccrxn55k7qna634wyxg77";
   };
 
+  versionRange = min-version: upto-version:
+    let inherit (upstream-info) version;
+        result = versionAtLeast version min-version && versionOlder version upto-version;
+        stable-version = (import ./upstream-info.nix).stable.version;
+    in if versionAtLeast stable-version upto-version
+       then warn "chromium: stable version ${stable-version} is newer than a patchset bounded at ${upto-version}. You can safely delete it."
+            result
+       else result;
+
   base = rec {
     name = "${packageName}-${version}";
     inherit (upstream-info) version;
@@ -117,15 +126,31 @@ let
 
     patches = [
       ./patches/nix_plugin_paths_52.patch
+      # To enable ChromeCast, go to chrome://flags and set "Load Media Router Component Extension" to Enabled
+      # Fixes Chromecast: https://bugs.chromium.org/p/chromium/issues/detail?id=734325
+      ./patches/fix_network_api_crash.patch
+    ] # As major versions are added, you can trawl the gentoo and arch repos at
+      # https://gitweb.gentoo.org/repo/gentoo.git/plain/www-client/chromium/
+      # https://git.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/chromium
+      # for updated patches and hints about build flags
+      ++ optionals (versionRange "61" "62") [
       ./patches/chromium-gn-bootstrap-r14.patch
       ./patches/chromium-gcc-r1.patch
       ./patches/chromium-atk-r1.patch
       ./patches/chromium-gcc5-r1.patch
-      # To enable ChromeCast, go to chrome://flags and set "Load Media Router Component Extension" to Enabled
-      # Fixes Chromecast: https://bugs.chromium.org/p/chromium/issues/detail?id=734325
-      ./patches/fix_network_api_crash.patch
-
-    ] ++ optional enableWideVine ./patches/widevine.patch;
+    ]
+      ++ optionals (versionRange "62" "63") [
+      ./patches/chromium-gn-bootstrap-r17.patch
+      ./patches/chromium-gcc5-r2.patch
+      ./patches/chromium-glibc2.26-r1.patch
+    ]
+      ++ optionals (versionAtLeast version "63") [
+      ./patches/chromium-gn-bootstrap-r19.patch
+      ./patches/chromium-gcc5-r2.patch
+      ./patches/chromium-glibc2.26-r1.patch
+      ./patches/chromium-sysroot-r1.patch
+    ]
+      ++ optional enableWideVine ./patches/widevine.patch;
 
     postPatch = ''
       # We want to be able to specify where the sandbox is via CHROME_DEVEL_SANDBOX

pkgs/applications/networking/browsers/chromium/patches/chromium-gcc5-r2.patch

@@ -0,0 +1,36 @@
+--- a/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.h
++++ b/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.h
+@@ -63,7 +63,7 @@ class WTF_EXPORT ArrayBufferContents {
+           allocation_length_(0),
+           data_(data),
+           data_length_(0),
+-          kind_(AllocationKind::kNormal),
++          kind_(WTF::ArrayBufferContents::AllocationKind::kNormal),
+           deleter_(deleter) {}
+     DataHandle(void* allocation_base,
+                size_t allocation_length,
+@@ -94,11 +94,11 @@ class WTF_EXPORT ArrayBufferContents {
+              reinterpret_cast<uintptr_t>(allocation_base_) +
+                  allocation_length_);
+       switch (kind_) {
+-        case AllocationKind::kNormal:
++        case WTF::ArrayBufferContents::AllocationKind::kNormal:
+           DCHECK(deleter_);
+           deleter_(data_);
+           return;
+-        case AllocationKind::kReservation:
++        case WTF::ArrayBufferContents::AllocationKind::kReservation:
+           ReleaseReservedMemory(allocation_base_, allocation_length_);
+           return;
+       }
+--- a/third_party/webrtc/modules/audio_processing/aec3/aec_state.cc.orig	2017-08-15 12:45:59.433532111 +0000
++++ b/third_party/webrtc/modules/audio_processing/aec3/aec_state.cc	2017-08-15 17:52:59.691328825 +0000
+@@ -10,7 +10,7 @@
+ 
+ #include "webrtc/modules/audio_processing/aec3/aec_state.h"
+ 
+-#include <math.h>
++#include <cmath>
+ #include <numeric>
+ #include <vector>
+ 

pkgs/applications/networking/browsers/chromium/patches/chromium-glibc2.26-r1.patch

@@ -0,0 +1,220 @@
+diff --git a/breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc b/breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
+index c80724d..052ce37 100644
+--- a/breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
++++ b/breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
+@@ -36,19 +36,19 @@ namespace google_breakpad {
+ 
+ // Minidump defines register structures which are different from the raw
+ // structures which we get from the kernel. These are platform specific
+-// functions to juggle the ucontext and user structures into minidump format.
++// functions to juggle the ucontext_t and user structures into minidump format.
+ 
+ #if defined(__i386__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_ESP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_EIP];
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                                     const struct _libc_fpstate* fp) {
+   const greg_t* regs = uc->uc_mcontext.gregs;
+ 
+@@ -88,15 +88,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
+ 
+ #elif defined(__x86_64)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_RSP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[REG_RIP];
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                                     const struct _libc_fpstate* fpregs) {
+   const greg_t* regs = uc->uc_mcontext.gregs;
+ 
+@@ -145,15 +145,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
+ 
+ #elif defined(__ARM_EABI__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.arm_sp;
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.arm_pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
+   out->context_flags = MD_CONTEXT_ARM_FULL;
+ 
+   out->iregs[0] = uc->uc_mcontext.arm_r0;
+@@ -184,15 +184,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
+ 
+ #elif defined(__aarch64__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.sp;
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                                     const struct fpsimd_context* fpregs) {
+   out->context_flags = MD_CONTEXT_ARM64_FULL;
+ 
+@@ -210,15 +210,15 @@ void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
+ 
+ #elif defined(__mips__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.gregs[MD_CONTEXT_MIPS_REG_SP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+   return uc->uc_mcontext.pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
+ #if _MIPS_SIM == _ABI64
+   out->context_flags = MD_CONTEXT_MIPS64_FULL;
+ #elif _MIPS_SIM == _ABIO32
+diff --git a/breakpad/src/client/linux/dump_writer_common/ucontext_reader.h b/breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
+index b6e77b4..2de80b7 100644
+--- a/breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
++++ b/breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
+@@ -39,23 +39,23 @@
+ 
+ namespace google_breakpad {
+ 
+-// Wraps platform-dependent implementations of accessors to ucontext structs.
++// Wraps platform-dependent implementations of accessors to ucontext_t structs.
+ struct UContextReader {
+-  static uintptr_t GetStackPointer(const struct ucontext* uc);
++  static uintptr_t GetStackPointer(const ucontext_t* uc);
+ 
+-  static uintptr_t GetInstructionPointer(const struct ucontext* uc);
++  static uintptr_t GetInstructionPointer(const ucontext_t* uc);
+ 
+-  // Juggle a arch-specific ucontext into a minidump format
++  // Juggle a arch-specific ucontext_t into a minidump format
+   //   out: the minidump structure
+   //   info: the collection of register structures.
+ #if defined(__i386__) || defined(__x86_64)
+-  static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
++  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                              const struct _libc_fpstate* fp);
+ #elif defined(__aarch64__)
+-  static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
++  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+                              const struct fpsimd_context* fpregs);
+ #else
+-  static void FillCPUContext(RawContextCPU *out, const ucontext *uc);
++  static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc);
+ #endif
+ };
+ 
+diff --git a/breakpad/src/client/linux/handler/exception_handler.cc b/breakpad/src/client/linux/handler/exception_handler.cc
+index 586d84e..05936d2 100644
+--- a/breakpad/src/client/linux/handler/exception_handler.cc
++++ b/breakpad/src/client/linux/handler/exception_handler.cc
+@@ -457,9 +457,9 @@ bool ExceptionHandler::HandleSignal(int /*sig*/, siginfo_t* info, void* uc) {
+   // Fill in all the holes in the struct to make Valgrind happy.
+   memset(&g_crash_context_, 0, sizeof(g_crash_context_));
+   memcpy(&g_crash_context_.siginfo, info, sizeof(siginfo_t));
+-  memcpy(&g_crash_context_.context, uc, sizeof(struct ucontext));
++  memcpy(&g_crash_context_.context, uc, sizeof(ucontext_t));
+ #if defined(__aarch64__)
+-  struct ucontext* uc_ptr = (struct ucontext*)uc;
++  ucontext_t* uc_ptr = (ucontext_t*)uc;
+   struct fpsimd_context* fp_ptr =
+       (struct fpsimd_context*)&uc_ptr->uc_mcontext.__reserved;
+   if (fp_ptr->head.magic == FPSIMD_MAGIC) {
+@@ -468,9 +468,9 @@ bool ExceptionHandler::HandleSignal(int /*sig*/, siginfo_t* info, void* uc) {
+   }
+ #elif !defined(__ARM_EABI__) && !defined(__mips__)
+   // FP state is not part of user ABI on ARM Linux.
+-  // In case of MIPS Linux FP state is already part of struct ucontext
++  // In case of MIPS Linux FP state is already part of ucontext_t
+   // and 'float_state' is not a member of CrashContext.
+-  struct ucontext* uc_ptr = (struct ucontext*)uc;
++  ucontext_t* uc_ptr = (ucontext_t*)uc;
+   if (uc_ptr->uc_mcontext.fpregs) {
+     memcpy(&g_crash_context_.float_state, uc_ptr->uc_mcontext.fpregs,
+            sizeof(g_crash_context_.float_state));
+@@ -494,7 +494,7 @@ bool ExceptionHandler::SimulateSignalDelivery(int sig) {
+   // ExceptionHandler::HandleSignal().
+   siginfo.si_code = SI_USER;
+   siginfo.si_pid = getpid();
+-  struct ucontext context;
++  ucontext_t context;
+   getcontext(&context);
+   return HandleSignal(sig, &siginfo, &context);
+ }
+diff --git a/breakpad/src/client/linux/handler/exception_handler.h b/breakpad/src/client/linux/handler/exception_handler.h
+index daba57e..25598a2 100644
+--- a/breakpad/src/client/linux/handler/exception_handler.h
++++ b/breakpad/src/client/linux/handler/exception_handler.h
+@@ -191,11 +191,11 @@ class ExceptionHandler {
+   struct CrashContext {
+     siginfo_t siginfo;
+     pid_t tid;  // the crashing thread.
+-    struct ucontext context;
++    ucontext_t context;
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+     // #ifdef this out because FP state is not part of user ABI for Linux ARM.
+     // In case of MIPS Linux FP state is already part of struct
+-    // ucontext so 'float_state' is not required.
++    // ucontext_t so 'float_state' is not required.
+     fpstate_t float_state;
+ #endif
+   };
+diff --git a/breakpad/src/client/linux/microdump_writer/microdump_writer.cc b/breakpad/src/client/linux/microdump_writer/microdump_writer.cc
+index 3764eec..80ad5c4 100644
+--- a/breakpad/src/client/linux/microdump_writer/microdump_writer.cc
++++ b/breakpad/src/client/linux/microdump_writer/microdump_writer.cc
+@@ -593,7 +593,7 @@ class MicrodumpWriter {
+ 
+   void* Alloc(unsigned bytes) { return dumper_->allocator()->Alloc(bytes); }
+ 
+-  const struct ucontext* const ucontext_;
++  const ucontext_t* const ucontext_;
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+   const google_breakpad::fpstate_t* const float_state_;
+ #endif
+diff --git a/breakpad/src/client/linux/minidump_writer/minidump_writer.cc b/breakpad/src/client/linux/minidump_writer/minidump_writer.cc
+index d11ba6e..c716143 100644
+--- a/breakpad/src/client/linux/minidump_writer/minidump_writer.cc
++++ b/breakpad/src/client/linux/minidump_writer/minidump_writer.cc
+@@ -1323,7 +1323,7 @@ class MinidumpWriter {
+   const int fd_;  // File descriptor where the minidum should be written.
+   const char* path_;  // Path to the file where the minidum should be written.
+ 
+-  const struct ucontext* const ucontext_;  // also from the signal handler
++  const ucontext_t* const ucontext_;  // also from the signal handler
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+   const google_breakpad::fpstate_t* const float_state_;  // ditto
+ #endif

pkgs/applications/networking/browsers/chromium/patches/chromium-gn-bootstrap-r17.patch

@@ -0,0 +1,68 @@
+--- a/tools/gn/bootstrap/bootstrap.py
++++ b/tools/gn/bootstrap/bootstrap.py
+@@ -179,6 +179,7 @@ def build_gn_with_ninja_manually(tempdir, options):
+ 
+   write_buildflag_header_manually(root_gen_dir, 'base/debug/debugging_flags.h',
+       {
++          'ENABLE_LOCATION_SOURCE': 'false',
+           'ENABLE_PROFILING': 'false',
+           'CAN_UNWIND_WITH_FRAME_POINTERS': 'false'
+       })
+@@ -204,7 +205,7 @@ def build_gn_with_ninja_manually(tempdir, options):
+ 
+   write_gn_ninja(os.path.join(tempdir, 'build.ninja'),
+                  root_gen_dir, options)
+-  cmd = ['ninja', '-C', tempdir]
++  cmd = ['ninja', '-C', tempdir, '-w', 'dupbuild=err']
+   if options.verbose:
+     cmd.append('-v')
+ 
+@@ -458,6 +459,7 @@ def write_gn_ninja(path, root_gen_dir, options):
+       'base/metrics/bucket_ranges.cc',
+       'base/metrics/field_trial.cc',
+       'base/metrics/field_trial_param_associator.cc',
++      'base/metrics/field_trial_params.cc',
+       'base/metrics/histogram.cc',
+       'base/metrics/histogram_base.cc',
+       'base/metrics/histogram_functions.cc',
+@@ -507,6 +509,7 @@ def write_gn_ninja(path, root_gen_dir, options):
+       'base/task_scheduler/scheduler_lock_impl.cc',
+       'base/task_scheduler/scheduler_single_thread_task_runner_manager.cc',
+       'base/task_scheduler/scheduler_worker.cc',
++      'base/task_scheduler/scheduler_worker_pool.cc',
+       'base/task_scheduler/scheduler_worker_pool_impl.cc',
+       'base/task_scheduler/scheduler_worker_pool_params.cc',
+       'base/task_scheduler/scheduler_worker_stack.cc',
+@@ -523,6 +526,7 @@ def write_gn_ninja(path, root_gen_dir, options):
+       'base/third_party/icu/icu_utf.cc',
+       'base/third_party/nspr/prtime.cc',
+       'base/threading/post_task_and_reply_impl.cc',
++      'base/threading/scoped_blocking_call.cc',
+       'base/threading/sequence_local_storage_map.cc',
+       'base/threading/sequenced_task_runner_handle.cc',
+       'base/threading/sequenced_worker_pool.cc',
+@@ -579,7 +583,6 @@ def write_gn_ninja(path, root_gen_dir, options):
+       'base/unguessable_token.cc',
+       'base/value_iterators.cc',
+       'base/values.cc',
+-      'base/value_iterators.cc',
+       'base/vlog.cc',
+   ])
+ 
+@@ -652,7 +655,6 @@ def write_gn_ninja(path, root_gen_dir, options):
+     static_libraries['base']['sources'].extend([
+         'base/memory/shared_memory_handle_posix.cc',
+         'base/memory/shared_memory_posix.cc',
+-        'base/memory/shared_memory_tracker.cc',
+         'base/nix/xdg_util.cc',
+         'base/process/internal_linux.cc',
+         'base/process/memory_linux.cc',
+@@ -827,7 +829,7 @@ def build_gn_with_gn(temp_gn, build_dir, options):
+   cmd = [temp_gn, 'gen', build_dir, '--args=%s' % gn_gen_args]
+   check_call(cmd)
+ 
+-  cmd = ['ninja', '-C', build_dir]
++  cmd = ['ninja', '-C', build_dir, '-w', 'dupbuild=err']
+   if options.verbose:
+     cmd.append('-v')
+   cmd.append('gn')

pkgs/applications/networking/browsers/chromium/patches/chromium-gn-bootstrap-r19.patch

@@ -0,0 +1,10 @@
+--- a/tools/gn/bootstrap/bootstrap.py
++++ b/tools/gn/bootstrap/bootstrap.py
+@@ -576,7 +576,6 @@ def write_gn_ninja(path, root_gen_dir, options):
+       'base/trace_event/trace_log.cc',
+       'base/trace_event/trace_log_constants.cc',
+       'base/trace_event/tracing_agent.cc',
+-      'base/tracked_objects.cc',
+       'base/unguessable_token.cc',
+       'base/value_iterators.cc',
+       'base/values.cc',

pkgs/applications/networking/browsers/chromium/patches/chromium-sysroot-r1.patch

@@ -0,0 +1,14 @@
+--- a/chrome/installer/BUILD.gn
++++ b/chrome/installer/BUILD.gn
+@@ -3,9 +3,10 @@
+ # found in the LICENSE file.
+ 
+ import("//build/config/chrome_build.gni")
++import("//build/config/sysroot.gni")
+ 
+ declare_args() {
+-  enable_linux_installer = is_linux && !is_component_build
++  enable_linux_installer = is_linux && !is_component_build && use_sysroot
+ }
+ 
+ # Meta-target that forwards to the installer of the correct type (if any).

pkgs/applications/networking/browsers/chromium/upstream-info.nix

@@ -1,18 +1,18 @@
 # This file is autogenerated from update.sh in the same directory.
 {
   beta = {
-    sha256 = "09q7s5x22vnmvqyz0f1l6qnaryglmsp0rc63qcg5sfvgv2g17g5x";
-    sha256bin64 = "12z6z8gjxl4mx8j6db8nnlzrj03rh4qwyrvcf4hqcsv7b1armg6j";
-    version = "61.0.3163.79";
+    sha256 = "0c8qn2i7iygl3kgrdwwd8h3l5j8hg66dw99qgr618cgca1b4im68";
+    sha256bin64 = "04mfg18zpx19ha0mrlwx2aabn0vhl08n9c60hazivmw99pzlg8dn";
+    version = "62.0.3202.29";
   };
   dev = {
-    sha256 = "168i6dcdl13an3vlr2m83q8fcprgckmclkmzwj70jdkp84qx80fq";
-    sha256bin64 = "116vddp01m2ls337zj6r4h1nvybphvldlk9bs8czypx5skn29vbz";
-    version = "62.0.3202.9";
+    sha256 = "1zd7rid626fglbyrp7c6517jldhgfk3vjn357vhlhy6pgj1ydrrn";
+    sha256bin64 = "0hqb5prf0ags4bnla6skyi5vmkrazhd8n3ri4ijhbqjbb536bfpb";
+    version = "63.0.3218.0";
   };
   stable = {
-    sha256 = "09q7s5x22vnmvqyz0f1l6qnaryglmsp0rc63qcg5sfvgv2g17g5x";
-    sha256bin64 = "0a0wd06c0v061lnmb8x20gqgsg9zqafp2kq1fl3cjm0ldg9rwayw";
-    version = "61.0.3163.79";
+    sha256 = "06r89jim9cq87668ya8wwk69hh17rl04cj94nb9c28v6mj69cda1";
+    sha256bin64 = "1cm9snw29nkzq4bafqgi6fd0gqcc3jp60y6vfsrf9k4dvdard2sv";
+    version = "61.0.3163.100";
   };
 }

pkgs/applications/networking/browsers/falkon/default.nix

@@ -0,0 +1,43 @@
+{ stdenv, lib, fetchFromGitHub, cmake, extra-cmake-modules, pkgconfig, qmake
+, libpthreadstubs, libxcb, libXdmcp, qtsvg, qttools, qtwebengine, qtx11extras, kwallet, openssl }:
+
+stdenv.mkDerivation rec {
+  # Last qupvilla release is 2.1.2 so we add the .1 although it isn't actually a
+  # release but it is basically 2.1.2 with the falkon name
+  name = "falkon-${version}.1";
+  version = "2.1.2";
+
+  src = fetchFromGitHub {
+    owner  = "KDE";
+    repo   = "falkon";
+    rev    = "eecaf2e9d6b572a7f7d2e6dc324e3d79b61c31db";
+    sha256 = "01r5aw10jd0qz7xvad0cqzjbnsj7vwblh54wbq4x1m6xbkp6xcgy";
+  };
+
+  preConfigure = ''
+    export NONBLOCK_JS_DIALOGS=true
+    export KDE_INTEGRATION=true
+    export GNOME_INTEGRATION=false
+    export FALKON_PREFIX=$out
+  '';
+
+  dontUseCmakeConfigure = true;
+
+  buildInputs = [
+    libpthreadstubs libxcb libXdmcp
+    kwallet
+    qtsvg qtwebengine qtx11extras
+  ];
+
+  nativeBuildInputs = [ cmake extra-cmake-modules pkgconfig qmake qttools ];
+
+  enableParallelBuilding = true;
+
+  meta = with stdenv.lib; {
+    description = "QtWebEngine based cross-platform web browser";
+    homepage    = https://community.kde.org/Incubator/Projects/Falkon;
+    license     = licenses.gpl3;
+    maintainers = with maintainers; [ peterhoeg ];
+    platforms   = platforms.unix;
+  };
+}

pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix

@@ -98,7 +98,7 @@ let
   fteLibPath = makeLibraryPath [ stdenv.cc.cc gmp ];
 
   # Upstream source
-  version = "7.0.5";
+  version = "7.0.6";
 
   lang = "en-US";
 
@@ -108,7 +108,7 @@ let
         "https://github.com/TheTorProject/gettorbrowser/releases/download/v${version}/tor-browser-linux64-${version}_${lang}.tar.xz"
         "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz"
       ];
-      sha256 = "1ixa1pmh3fm82gwzkm7r3gbly1lrihpvk1irmpc8b8zsi2s49ghd";
+      sha256 = "11z3r0577p78ifi9lk4lrh9wb46k77wy77g5p9l8il02760bgq6m";
     };
 
     "i686-linux" = fetchurl {
@@ -116,7 +116,7 @@ let
         "https://github.com/TheTorProject/gettorbrowser/releases/download/v${version}/tor-browser-linux32-${version}_${lang}.tar.xz"
         "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux32-${version}_${lang}.tar.xz"
       ];
-      sha256 = "1kb0m4xikxcgj03h6l0ch5d53i8hxdacwm7q745a377g44q84nzb";
+      sha256 = "1r8v5w66clmm76kzpkf0f5jcxs76whb5xrl20rkirp79fybqn4hx";
     };
   };
 in

pkgs/applications/networking/browsers/tor-browser-bundle/default.nix

@@ -1,7 +1,6 @@
 { stdenv
-, lib
-, fetchurl
 , fetchgit
+, fetchurl
 , symlinkJoin
 
 , tor
@@ -14,6 +13,19 @@
 , noto-fonts
 , noto-fonts-emoji
 
+# Audio support
+, audioSupport ? mediaSupport
+, apulse
+
+# Media support (implies audio support)
+, mediaSupport ? false
+, gstreamer
+, gst-plugins-base
+, gst-plugins-good
+, gst-ffmpeg
+, gmp
+, ffmpeg
+
 # Extensions, common
 , zip
 
@@ -24,11 +36,16 @@
 , python27Packages
 , rsync
 
+# Pluggable transports
+, obfsproxy
+
 # Customization
 , extraPrefs ? ""
 , extraExtensions ? [ ]
 }:
 
+with stdenv.lib;
+
 let
   tor-browser-build_src = fetchgit {
     url = "https://git.torproject.org/builders/tor-browser-build.git";
@@ -41,15 +58,12 @@ let
       git libxml2 python27 python27Packages rsync;
   };
 
-  extensionsEnv = symlinkJoin {
-    name = "tor-browser-extensions";
-    paths = with firefoxExtensions; [
-      https-everywhere
-      noscript
-      torbutton
-      tor-launcher
-    ] ++ extraExtensions;
-  };
+  bundledExtensions = with firefoxExtensions; [
+    https-everywhere
+    noscript
+    torbutton
+    tor-launcher
+  ] ++ extraExtensions;
 
   fontsEnv = symlinkJoin {
     name = "tor-browser-fonts";
@@ -57,6 +71,21 @@ let
   };
 
   fontsDir = "${fontsEnv}/share/fonts";
+
+  gstPluginsPath = concatMapStringsSep ":" (x:
+    "${x}/lib/gstreamer-0.10") [
+      gstreamer
+      gst-plugins-base
+      gst-plugins-good
+      gst-ffmpeg
+    ];
+
+  gstLibPath = makeLibraryPath [
+    gstreamer
+    gst-plugins-base
+    gmp
+    ffmpeg
+  ];
 in
 stdenv.mkDerivation rec {
   name = "tor-browser-bundle-${version}";
@@ -68,6 +97,11 @@ stdenv.mkDerivation rec {
 
   buildPhase = ":";
 
+  # The following creates a customized firefox distribution.  For
+  # simplicity, we copy the entire base firefox runtime, to work around
+  # firefox's annoying insistence on resolving the installation directory
+  # relative to the real firefox executable.  A little tacky and
+  # inefficient but it works.
   installPhase = ''
     TBBUILD=${tor-browser-build_src}/projects/tor-browser
     TBDATA_PATH=TorBrowser-Data
@@ -95,6 +129,7 @@ stdenv.mkDerivation rec {
     lockPref("app.update.enabled", false);
     lockPref("extensions.update.autoUpdateDefault", false);
     lockPref("extensions.update.enabled", false);
+    lockPref("extensions.torbutton.updateNeeded", false);
     lockPref("extensions.torbutton.versioncheck_enabled", false);
 
     // Where to find the Nixpkgs tor executable & config
@@ -109,13 +144,19 @@ stdenv.mkDerivation rec {
     lockPref("extensions.torlauncher.control_port_use_ipc", true);
     lockPref("extensions.torlauncher.socks_port_use_ipc", true);
 
+    // Allow sandbox access to sound devices if using ALSA directly
+    ${if audioSupport then ''
+      pref("security.sandbox.content.write_path_whitelist", "/dev/snd/");
+    '' else ''
+      clearPref("security.sandbox.content.write_path_whitelist");
+    ''}
+
     // User customization
     ${extraPrefs}
     EOF
 
     # Preload extensions
-    # XXX: the fact that ln -s env browser/extensions fails, symlinkJoin seems a little redundant ...
-    ln -s -t browser/extensions ${extensionsEnv}"/"*
+    find ${toString bundledExtensions} -name '*.xpi' -exec ln -s -t browser/extensions '{}' '+'
 
     # Copy bundle data
     bundlePlatform=linux
@@ -127,28 +168,58 @@ stdenv.mkDerivation rec {
       >> $TBDATA_PATH/torrc-defaults
     cat \
       $bundleData/$bundlePlatform/Data/Browser/profile.default/preferences/extension-overrides.js \
+      $bundleData/PTConfigs/bridge_prefs.js \
       >> defaults/pref/extension-overrides.js
 
+    # Configure geoip
+    #
+    # tor-launcher insists on resolving geoip data relative to torrc-defaults
+    # (and passes them directly on the tor command-line).
+    #
+    # Write the paths into torrc-defaults anyway, otherwise they'll be
+    # captured in the runtime torrc.
+    ln -s -t $TBDATA_PATH ${tor.geoip}/share/tor/geoip{,6}
+    cat >>$TBDATA_PATH/torrc-defaults <<EOF
+    GeoIPFile $TBDATA_IN_STORE/geoip
+    GeoIPv6File $TBDATA_IN_STORE/geoip6
+    EOF
+
+    # Configure pluggable transports
+    cat >>$TBDATA_PATH/torrc-defaults <<EOF
+    ClientTransportPlugin obfs2,obfs3 exec ${obfsproxy}/bin/obfsproxy managed
+    EOF
+
     # Hard-code path to TBB fonts; xref: FONTCONFIG_FILE in the wrapper below
     sed $bundleData/$bundlePlatform/Data/fontconfig/fonts.conf \
         -e "s,<dir>fonts</dir>,<dir>${fontsDir}</dir>," \
         > $TBDATA_PATH/fonts.conf
 
     # Generate a suitable wrapper
-    wrapper_PATH=${lib.makeBinPath [ coreutils ]}
-    wrapper_XDG_DATA_DIRS=${lib.concatMapStringsSep ":" (x: "${x}/share") [
+    wrapper_PATH=${makeBinPath [ coreutils ]}
+    wrapper_XDG_DATA_DIRS=${concatMapStringsSep ":" (x: "${x}/share") [
       hicolor_icon_theme
       shared_mime_info
     ]}
 
+    ${optionalString audioSupport ''
+      # apulse uses a non-standard library path ...
+      wrapper_LD_LIBRARY_PATH=${apulse}/lib/apulse''${wrapper_LD_LIBRARY_PATH:+:$wrapper_LD_LIBRARY_PATH}
+    ''}
+
+    ${optionalString mediaSupport ''
+      wrapper_LD_LIBRARY_PATH=${gstLibPath}''${wrapper_LD_LIBRARY_PATH:+:$wrapper_LD_LIBRARY_PATH}
+    ''}
+
     mkdir -p $out/bin
     cat >$out/bin/tor-browser <<EOF
     #! ${stdenv.shell} -eu
 
+    umask 077
+
     PATH=$wrapper_PATH
 
     readonly THE_HOME=\$HOME
-    TBB_HOME=\''${TBB_HOME:-\''${XDG_DATA_HOME:-$HOME/.local/share}/tor-browser}
+    TBB_HOME=\''${TBB_HOME:-\''${XDG_DATA_HOME:-\$HOME/.local/share}/tor-browser}
     if [[ \''${TBB_HOME:0:1} != / ]] ; then
       TBB_HOME=\$PWD/\$TBB_HOME
     fi
@@ -209,9 +280,21 @@ stdenv.mkDerivation rec {
     # XDG_DATA_DIRS is set to prevent searching system directories for
     # mime and icon data.
     #
+    # PULSE_{SERVER,COOKIE} is necessary for audio playback w/pulseaudio
+    #
+    # APULSE_PLAYBACK_DEVICE is for audio playback w/o pulseaudio (no capture yet)
+    #
+    # GST_PLUGIN_SYSTEM_PATH is for HD video playback
+    #
+    # GST_REGISTRY is set to devnull to minimize disk writes
+    #
+    # TOR_* is for using an external tor instance
+    #
     # Parameters lacking a default value below are *required* (enforced by
     # -o nounset).
     exec env -i \
+      LD_LIBRARY_PATH=$wrapper_LD_LIBRARY_PATH \
+      \
       TZ=":" \
       \
       DISPLAY="\$DISPLAY" \
@@ -223,11 +306,22 @@ stdenv.mkDerivation rec {
       XDG_CONFIG_HOME="\$XDG_CONFIG_HOME" \
       XDG_DATA_HOME="\$XDG_DATA_HOME" \
       XDG_CACHE_HOME="\$XDG_CACHE_HOME" \
+      XDG_RUNTIME_DIR="\$HOME/run" \
       \
       XDG_DATA_DIRS="$wrapper_XDG_DATA_DIRS" \
       \
       FONTCONFIG_FILE="$TBDATA_IN_STORE/fonts.conf" \
       \
+      APULSE_PLAYBACK_DEVICE="\''${APULSE_PLAYBACK_DEVICE:-plug:dmix}" \
+      \
+      GST_PLUGIN_SYSTEM_PATH="${optionalString mediaSupport gstPluginsPath}" \
+      GST_REGISTRY="/dev/null" \
+      GST_REGISTRY_UPDATE="no" \
+      \
+      TOR_SKIP_LAUNCH="\''${TOR_SKIP_LAUNCH:-}" \
+      TOR_CONTROL_PORT="\''${TOR_CONTROL_PORT:-}" \
+      TOR_SOCKS_PORT="\''${TOR_SOCKS_PORT:-}" \
+      \
       $self/firefox \
         -no-remote \
         -profile "\$HOME/TorBrowser/Data/Browser/profile.default" \
@@ -239,7 +333,7 @@ stdenv.mkDerivation rec {
     bash -n $out/bin/tor-browser
 
     echo "Checking wrapper ..."
-    DISPLAY="" XAUTHORITY="" DBUS_SESSION_BUS_ADDRESS="" TBB_HOME=$TMPDIR/tbb \
+    DISPLAY="" XAUTHORITY="" DBUS_SESSION_BUS_ADDRESS="" TBB_HOME=$(mktemp -d) \
     $out/bin/tor-browser -version >/dev/null
   '';
 

pkgs/applications/networking/browsers/tor-browser-bundle/extensions.nix

@@ -16,14 +16,15 @@
 {
   https-everywhere = stdenv.mkDerivation rec {
     name = "https-everywhere-${version}";
-    version = "5.2.21";
+    version = "2017.9.12";
 
     extid = "https-everywhere-eff@eff.org";
 
     src = fetchgit {
       url = "https://git.torproject.org/https-everywhere.git";
       rev = "refs/tags/${version}";
-      sha256 = "0z9madihh4b4z4blvfmh6w1hsv8afyi0x7b243nciq9r4w55xgfa";
+      sha256 = "179429pngyksp9xkr86nf2m5q6zmg19c7ng1dhqjfb1vsncwgw66";
+      fetchSubmodules = true; # for translations, TODO: remove
     };
 
     nativeBuildInputs = [
@@ -35,10 +36,6 @@
       zip
     ];
 
-    unpackPhase = ''
-      cp -dR --no-preserve=mode "$src" src && cd src
-    '';
-
     buildPhase = ''
       $shell ./makexpi.sh ${version} --no-recurse
     '';
@@ -80,10 +77,6 @@
 
     nativeBuildInputs = [ zip ];
 
-    unpackPhase = ''
-      cp -dR --no-preserve=mode "$src" src && cd src
-    '';
-
     buildPhase = ''
       $shell ./makexpi.sh
     '';
@@ -107,10 +100,6 @@
 
     nativeBuildInputs = [ zip ];
 
-    unpackPhase = ''
-      cp -dR --no-preserve=mode "$src" src && cd src
-    '';
-
     buildPhase = ''
       make package
     '';

pkgs/applications/networking/browsers/vivaldi/chromium-gcc-r1.patch

@@ -0,0 +1,14 @@
+diff --git a/base/numerics/safe_math_shared_impl.h b/base/numerics/safe_math_shared_impl.h
+index 99f230ce7e9a..de2415d402f5 100644
+--- a/base/numerics/safe_math_shared_impl.h
++++ b/base/numerics/safe_math_shared_impl.h
+@@ -21,8 +21,7 @@
+ #if !defined(__native_client__) &&                         \
+     ((defined(__clang__) &&                                \
+       ((__clang_major__ > 3) ||                            \
+-       (__clang_major__ == 3 && __clang_minor__ >= 4))) || \
+-     (defined(__GNUC__) && __GNUC__ >= 5))
++       (__clang_major__ == 3 && __clang_minor__ >= 4))))
+ #include "base/numerics/safe_math_clang_gcc_impl.h"
+ #define BASE_HAS_OPTIMIZED_SAFE_MATH (1)
+ #else

pkgs/applications/networking/browsers/vivaldi/chromium-gcc5-r1.patch

@@ -0,0 +1,66 @@
+--- a/chrome/browser/devtools/devtools_file_system_indexer.cc
++++ b/chrome/browser/devtools/devtools_file_system_indexer.cc
+@@ -34,7 +34,6 @@ using base::TimeDelta;
+ using base::TimeTicks;
+ using content::BrowserThread;
+ using std::map;
+-using std::set;
+ using std::string;
+ using std::vector;
+ 
+@@ -191,7 +190,7 @@ vector<FilePath> Index::Search(const string& query) {
+     if (trigram != kUndefinedTrigram)
+       trigrams.push_back(trigram);
+   }
+-  set<FileId> file_ids;
++  std::set<FileId> file_ids;
+   bool first = true;
+   vector<Trigram>::const_iterator it = trigrams.begin();
+   for (; it != trigrams.end(); ++it) {
+@@ -203,7 +202,7 @@ vector<FilePath> Index::Search(const string& query) {
+       first = false;
+       continue;
+     }
+-    set<FileId> intersection = base::STLSetIntersection<set<FileId> >(
++    std::set<FileId> intersection = base::STLSetIntersection<std::set<FileId> >(
+         file_ids, index_[trigram]);
+     file_ids.swap(intersection);
+   }
+diff --git a/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.h b/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.h
+index 94bb9161ec85..e40c6387f72e 100644
+--- a/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.h
++++ b/third_party/WebKit/Source/platform/wtf/typed_arrays/ArrayBufferContents.h
+@@ -63,7 +63,7 @@ class WTF_EXPORT ArrayBufferContents {
+           allocation_length_(0),
+           data_(data),
+           data_length_(0),
+-          kind_(AllocationKind::kNormal),
++          kind_(WTF::ArrayBufferContents::AllocationKind::kNormal),
+           deleter_(deleter) {}
+     DataHandle(void* allocation_base,
+                size_t allocation_length,
+@@ -94,11 +94,11 @@ class WTF_EXPORT ArrayBufferContents {
+              reinterpret_cast<uintptr_t>(allocation_base_) +
+                  allocation_length_);
+       switch (kind_) {
+-        case AllocationKind::kNormal:
++        case WTF::ArrayBufferContents::AllocationKind::kNormal:
+           DCHECK(deleter_);
+           deleter_(data_);
+           return;
+-        case AllocationKind::kReservation:
++        case WTF::ArrayBufferContents::AllocationKind::kReservation:
+           ReleaseReservedMemory(allocation_base_, allocation_length_);
+           return;
+       }
+--- a/third_party/webrtc/modules/audio_processing/aec3/aec_state.cc.orig	2017-08-15 12:45:59.433532111 +0000
++++ b/third_party/webrtc/modules/audio_processing/aec3/aec_state.cc	2017-08-15 17:52:59.691328825 +0000
+@@ -10,7 +10,7 @@
+ 
+ #include "webrtc/modules/audio_processing/aec3/aec_state.h"
+ 
+-#include <math.h>
++#include <cmath>
+ #include <numeric>
+ #include <vector>
+ 

pkgs/applications/networking/browsers/vivaldi/chromium-gn-bootstrap-r14.patch

@@ -0,0 +1,27 @@
+commit 96c271f8ab2be7ea4199078ea65ac50c6ada4685
+Author: Pawel Hajdan, Jr <phajdan.jr@chromium.org>
+Date:   Wed Jul 26 21:51:54 2017 +0000
+
+    wip
+
+diff --git a/tools/gn/bootstrap/bootstrap.py b/tools/gn/bootstrap/bootstrap.py
+index 1390560f8e37..ff2ae57c46b0 100755
+--- a/tools/gn/bootstrap/bootstrap.py
++++ b/tools/gn/bootstrap/bootstrap.py
+@@ -449,6 +449,7 @@ def write_gn_ninja(path, root_gen_dir, options):
+       'base/metrics/histogram_base.cc',
+       'base/metrics/histogram_functions.cc',
+       'base/metrics/histogram_samples.cc',
++      'base/metrics/histogram_snapshot_manager.cc',
+       'base/metrics/metrics_hashes.cc',
+       'base/metrics/persistent_histogram_allocator.cc',
+       'base/metrics/persistent_memory_allocator.cc',
+@@ -534,7 +535,7 @@ def write_gn_ninja(path, root_gen_dir, options):
+       'base/trace_event/heap_profiler_allocation_context_tracker.cc',
+       'base/trace_event/heap_profiler_allocation_register.cc',
+       'base/trace_event/heap_profiler_event_filter.cc',
+-      'base/trace_event/heap_profiler_event_writer.cc',
++      'base/trace_event/heap_profiler_heap_dump_writer.cc',
+       'base/trace_event/heap_profiler_serialization_state.cc',
+       'base/trace_event/heap_profiler_stack_frame_deduplicator.cc',
+       'base/trace_event/heap_profiler_type_name_deduplicator.cc',