Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/default.nix1
-rw-r--r--nixos/modules/config/gnu.nix1
-rw-r--r--nixos/modules/misc/ids.nix6
-rw-r--r--nixos/modules/rename.nix1
-rw-r--r--nixos/modules/services/backup/crashplan.nix8
-rw-r--r--nixos/modules/services/networking/dnscrypt-proxy.nix25
-rw-r--r--nixos/modules/services/networking/iodined.nix3
-rw-r--r--nixos/modules/services/networking/radicale.nix15
-rw-r--r--nixos/modules/services/x11/display-managers/default.nix11
-rw-r--r--nixos/modules/services/x11/window-managers/default.nix1
-rw-r--r--nixos/modules/services/x11/xserver.nix20
-rw-r--r--nixos/tests/chromium.nix15
-rw-r--r--nixos/tests/dnscrypt-proxy.nix5
-rw-r--r--nixos/tests/riak.nix2
14 files changed, 61 insertions, 53 deletions
diff --git a/nixos/doc/manual/default.nix b/nixos/doc/manual/default.nix
index 4ce6ea1c11187..746ddc071b6a2 100644
--- a/nixos/doc/manual/default.nix
+++ b/nixos/doc/manual/default.nix
@@ -187,6 +187,7 @@ in rec {
         --param man.output.in.separate.dir 1 \
         --param man.output.base.dir "'$out/share/man/'" \
         --param man.endnotes.are.numbered 0 \
+        --param man.break.after.slash 1 \
         ${docbook5_xsl}/xml/xsl/docbook/manpages/docbook.xsl \
         ./man-pages.xml
     '';
diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix
index f8c35b440d12d..ad0e35c8a63f9 100644
--- a/nixos/modules/config/gnu.nix
+++ b/nixos/modules/config/gnu.nix
@@ -37,7 +37,6 @@ with lib;
     services.openssh.enable = false;
     services.lshd.enable = true;
     programs.ssh.startAgent = false;
-    services.xserver.startGnuPGAgent = true;
 
     # TODO: GNU dico.
     # TODO: GNU Inetutils' inetd.
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix
index 919271cc4e96d..f71d1e3fe2006 100644
--- a/nixos/modules/misc/ids.nix
+++ b/nixos/modules/misc/ids.nix
@@ -176,7 +176,6 @@
       seeks = 148;
       prosody = 149;
       i2pd = 150;
-      dnscrypt-proxy = 151;
       systemd-network = 152;
       systemd-resolve = 153;
       systemd-timesync = 154;
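Review bot: Deleting `dnscrypt-proxy = 151;` here (and the matching gid line in the `@@ -411,7 +413,6 @@` hunk) leaves no record that 151 was ever assigned, so a later service could be given the same id. On machines upgraded in place, files still owned by the old numeric uid/gid would then belong to that unrelated account. I would keep a placeholder in both lists, e.g. `# dnscrypt-proxy = 151; # retired, do not reuse`. The attribute set starts and ends outside the hunk.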
@@ -255,6 +254,9 @@
       avahi-autoipd = 231;
       nntp-proxy = 232;
       mjpg-streamer = 233;
+      radicale = 234;
+      hydra-queue-runner = 235;
+      hydra-www = 236;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -411,7 +413,6 @@
       seeks = 148;
       prosody = 149;
       i2pd = 150;
-      dnscrypt-proxy = 151;
       systemd-network = 152;
       systemd-resolve = 153;
       systemd-timesync = 154;
@@ -483,6 +484,7 @@
       cfdyndns = 227;
       pdnsd = 229;
       octoprint = 230;
+      radicale = 234;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal
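Review bot: Only `radicale = 234;` is added to the gid list, while the uid hunk of this file also reserves `hydra-queue-runner = 235` and `hydra-www = 236`. Nothing visible stops a later change from assigning gid 235 or 236 to an unrelated group, which is the collision the comment on the uid side warns about. If those two accounts are not meant to have same-named groups, a placeholder such as `# 235, 236: reserved, used as uids by hydra` would keep the numbers out of circulation; otherwise add the matching gid entries. The gid list continues outside the hunk.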
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 0de6ca758c165..c6a781b6f00f2 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -111,6 +111,7 @@ with lib;
     (mkRemovedOptionModule [ "services" "openvpn" "enable" ])
     (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ])
     (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ])
+    (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ])
 
   ];
 }
diff --git a/nixos/modules/services/backup/crashplan.nix b/nixos/modules/services/backup/crashplan.nix
index 74643d1d46356..46d4c5192d9e1 100644
--- a/nixos/modules/services/backup/crashplan.nix
+++ b/nixos/modules/services/backup/crashplan.nix
@@ -48,6 +48,14 @@ with lib;
         ensureDir ${crashplan.vardir}/cache 700
         ensureDir ${crashplan.vardir}/backupArchives 700
         ensureDir ${crashplan.vardir}/log 777
+        cp -avn ${crashplan}/conf.template/* ${crashplan.vardir}/conf
+        for x in app.asar bin EULA.txt install.vars lang lib libjniwrap64.so libjniwrap.so libjtux64.so libjtux.so libmd564.so libmd5.so share skin upgrade; do
+          if [ -e $x ]; then
+            true;
+          else
+            ln -s ${crashplan}/$x ${crashplan.vardir}/$x;
+          fi;
+        done
       '';
 
       serviceConfig = {
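Review bot: The added `if [ -e $x ]` tests the bare name relative to the script's working directory, not under `${crashplan.vardir}`. Unless an earlier line outside the hunk changes directory, the check therefore says nothing about whether the link already exists. The link can be skipped because an unrelated `bin` or `lib` exists in the working directory, or `ln -s` can be re-run against an existing link and fail. `-e` is also false for a dangling symlink, so a link left pointing at an old store path is never refreshed. I would test the full path and replace stale links: `if [ ! -e ${crashplan.vardir}/$x ] || [ -L ${crashplan.vardir}/$x ]; then ln -sfn ${crashplan}/$x ${crashplan.vardir}/$x; fi`.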
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index a6b5b1deed76f..886bfc30468e8 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -5,14 +5,17 @@ let
   apparmorEnabled = config.security.apparmor.enable;
   dnscrypt-proxy = pkgs.dnscrypt-proxy;
   cfg = config.services.dnscrypt-proxy;
+
   resolverListFile = "${dnscrypt-proxy}/share/dnscrypt-proxy/dnscrypt-resolvers.csv";
   localAddress = "${cfg.localAddress}:${toString cfg.localPort}";
+
   daemonArgs =
     [ "--local-address=${localAddress}"
       (optionalString cfg.tcpOnly "--tcp-only")
       (optionalString cfg.ephemeralKeys "-E")
     ]
     ++ resolverArgs;
+
   resolverArgs = if (cfg.customResolver != null)
     then
       [ "--resolver-address=${cfg.customResolver.address}:${toString cfg.customResolver.port}"
@@ -50,7 +53,7 @@ in
           services.dnsmasq.resolveLocalQueries = true; # this is the default
         }
         </programlisting>
-     ''; };
+      ''; };
       localAddress = mkOption {
         default = "127.0.0.1";
         type = types.string;
@@ -71,13 +74,13 @@ in
         '';
       };
       resolverName = mkOption {
-        default = "cisco";
+        default = "dnscrypt.eu-nl";
         type = types.nullOr types.string;
         description = ''
           The name of the upstream DNSCrypt resolver to use. See
-          <filename>${resolverListFile}</filename> for alternative resolvers
-          (e.g., if you are concerned about logging and/or server
-          location).
+          <filename>${resolverListFile}</filename> for alternative resolvers.
+          The default resolver is located in Holland, supports DNS security
+          extensions, and claims to not keep logs.
         '';
       };
       customResolver = mkOption {
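Review bot: The new `resolverName` description should state plainly that every DNS query from the host is forwarded to the named third-party operator, since this is the default a user gets without making a choice. The no-logging statement is the operator's own claim and the text should say so in those terms, for example `All queries are sent to this operator; its no-logging policy is self-declared and not verified by NixOS.` It would also help to note that the name has to be present in `${resolverListFile}`, because a resolver dropped from that list would presumably leave the service unable to start. "Holland" would read better as "the Netherlands".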
@@ -170,11 +173,12 @@ in
       }
     ''));
 
-    users.extraUsers.dnscrypt-proxy = {
-      uid = config.ids.uids.dnscrypt-proxy;
+    users.users.dnscrypt-proxy = {
       description = "dnscrypt-proxy daemon user";
+      isSystemUser = true;
+      group = "dnscrypt-proxy";
     };
-    users.extraGroups.dnscrypt-proxy.gid = config.ids.gids.dnscrypt-proxy;
+    users.groups.dnscrypt-proxy = {};
 
     systemd.sockets.dnscrypt-proxy = {
       description = "dnscrypt-proxy listening socket";
@@ -187,16 +191,21 @@ in
 
     systemd.services.dnscrypt-proxy = {
       description = "dnscrypt-proxy daemon";
+
       after = [ "network.target" ] ++ optional apparmorEnabled "apparmor.service";
       requires = [ "dnscrypt-proxy.socket "] ++ optional apparmorEnabled "apparmor.service";
+
       serviceConfig = {
         Type = "simple";
         NonBlocking = "true";
         ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
+
         User = "dnscrypt-proxy";
         Group = "dnscrypt-proxy";
+
         PrivateTmp = true;
         PrivateDevices = true;
+        ProtectHome = true;
       };
     };
   };
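Review bot: With `ProtectHome = true` added, the unit still leaves the rest of the file system writable to the daemon and does not block privilege gain through setuid binaries. The service runs as an unprivileged user and is socket-activated, so `ProtectSystem = "full";` and `NoNewPrivileges = true;` look safe to add alongside `PrivateTmp`/`PrivateDevices`. This assumes the daemon writes nothing outside its private temp directory, which is not visible here. Separately, the context line `requires = [ "dnscrypt-proxy.socket "]` carries a trailing space inside the string; it is probably harmless once rendered into the unit file, but worth tidying to `"dnscrypt-proxy.socket"`.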
diff --git a/nixos/modules/services/networking/iodined.nix b/nixos/modules/services/networking/iodined.nix
index 6bfe62e6261ca..20d371c4e2d1f 100644
--- a/nixos/modules/services/networking/iodined.nix
+++ b/nixos/modules/services/networking/iodined.nix
@@ -64,8 +64,7 @@ in
 
     systemd.services.iodined = {
       description = "iodine, ip over dns daemon";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
+      wantedBy = [ "ip-up.target" ];
       serviceConfig.ExecStart = "${pkgs.iodine}/sbin/iodined -f -u ${iodinedUser} ${cfg.extraConfig} ${cfg.ip} ${cfg.domain}";
     };
 
diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix
index 4b77ef22ac12c..19762f4e570cf 100644
--- a/nixos/modules/services/networking/radicale.nix
+++ b/nixos/modules/services/networking/radicale.nix
@@ -35,12 +35,27 @@ in
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.pythonPackages.radicale ];
 
+    users.extraUsers = singleton
+      { name = "radicale";
+        uid = config.ids.uids.radicale;
+        description = "radicale user";
+        home = "/var/lib/radicale";
+        createHome = true;
+      };
+
+    users.extraGroups = singleton
+      { name = "radicale";
+        gid = config.ids.gids.radicale;
+      };
+
     systemd.services.radicale = {
       description = "A Simple Calendar and Contact Server";
       after = [ "network-interfaces.target" ];
       wantedBy = [ "multi-user.target" ];
       script = "${pkgs.pythonPackages.radicale}/bin/radicale -C ${confFile} -d";
       serviceConfig.Type = "forking";
+      serviceConfig.User = "radicale";
+      serviceConfig.Group = "radicale";
     };
   };
 }
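Review bot: Switching the unit to `serviceConfig.User = "radicale"` leaves any data written by earlier instances owned by whichever account ran them before, presumably root, and the hunk adds nothing to migrate it. The storage location comes from `confFile`, which is defined outside the hunk, so I can't tell whether it sits under the new `/var/lib/radicale` home. If it does not, the daemon will likely be unable to read or write existing collections after an upgrade. Consider a `preStart` that creates the storage directory and fixes its ownership, or at least a release note. It is also worth confirming what mode `createHome = true` gives that directory, since it will hold calendars and contacts.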
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 533b03aff08dc..7dffdfc2b36cf 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -49,17 +49,6 @@ let
         fi
       ''}
 
-      ${optionalString cfg.startGnuPGAgent ''
-        if test -z "$SSH_AUTH_SOCK"; then
-            # Restart this script as a child of the GnuPG agent.
-            exec "${pkgs.gnupg}/bin/gpg-agent"                         \
-              --enable-ssh-support --daemon                             \
-              --pinentry-program "${pkgs.pinentry}/bin/pinentry-gtk-2"  \
-              --write-env-file "$HOME/.gpg-agent-info"                  \
-              "$0" "$sessionType"
-        fi
-      ''}
-
       # Handle being called by kdm.
       if test "''${1:0:1}" = /; then eval exec "$1"; fi
 
diff --git a/nixos/modules/services/x11/window-managers/default.nix b/nixos/modules/services/x11/window-managers/default.nix
index 63136beac7100..fce71bbda7e22 100644
--- a/nixos/modules/services/x11/window-managers/default.nix
+++ b/nixos/modules/services/x11/window-managers/default.nix
@@ -10,7 +10,6 @@ in
   imports = [
     ./afterstep.nix
     ./bspwm.nix
-    ./clfswm.nix
     ./compiz.nix
     ./dwm.nix
     ./exwm.nix
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index abbe00cc8881e..0fcea6ce5e4f5 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -219,17 +219,6 @@ in
         '';
       };
 
-      startGnuPGAgent = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Whether to start the GnuPG agent when you log in.  The GnuPG agent
-          remembers private keys for you so that you don't have to type in
-          passphrases every time you make an SSH connection or sign/encrypt
-          data.  Use <command>ssh-add</command> to add a key to the agent.
-        '';
-      };
-
       startDbusSession = mkOption {
         type = types.bool;
         default = true;
@@ -444,14 +433,7 @@ in
       in optional (driver != null) ({ inherit name; driverName = name; } // driver));
 
     assertions =
-      [ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent);
-          message =
-            ''
-              The OpenSSH agent and GnuPG agent cannot be started both. Please
-              choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’.
-            '';
-        }
-        { assertion = config.security.polkit.enable;
+      [ { assertion = config.security.polkit.enable;
           message = "X11 requires Polkit to be enabled (‘security.polkit.enable = true’).";
         }
       ];
diff --git a/nixos/tests/chromium.nix b/nixos/tests/chromium.nix
index 974af6888b696..9a6414f81c390 100644
--- a/nixos/tests/chromium.nix
+++ b/nixos/tests/chromium.nix
@@ -1,4 +1,11 @@
-{ system ? builtins.currentSystem }:
+{ system ? builtins.currentSystem
+, pkgs ? import ../.. { inherit system; }
+, channelMap ? {
+    stable = pkgs.chromium;
+    beta   = pkgs.chromiumBeta;
+    dev    = pkgs.chromiumDev;
+  }
+}:
 
 with import ../lib/testing.nix { inherit system; };
 with pkgs.lib;
@@ -160,8 +167,4 @@ mapAttrs (channel: chromiumPkg: makeTest rec {
 
     $machine->shutdown;
   '';
-}) {
-  stable = pkgs.chromium;
-  beta   = pkgs.chromiumBeta;
-  dev    = pkgs.chromiumDev;
-}
+}) channelMap
diff --git a/nixos/tests/dnscrypt-proxy.nix b/nixos/tests/dnscrypt-proxy.nix
index 20ec3a333e778..b686e9582a7d9 100644
--- a/nixos/tests/dnscrypt-proxy.nix
+++ b/nixos/tests/dnscrypt-proxy.nix
@@ -23,10 +23,11 @@ import ./make-test.nix ({ pkgs, ... }: {
 
   testScript = ''
     $client->start;
-    $client->waitForUnit("multi-user.target");
+    $client->waitForUnit("sockets.target");
+    $client->waitForUnit("dnsmasq");
 
     # The daemon is socket activated; sending a single ping should activate it.
     $client->execute("${pkgs.iputils}/bin/ping -c1 example.com");
-    $client->succeed("systemctl is-active dnscrypt-proxy.service");
+    $client->succeed("systemctl is-active dnscrypt-proxy");
   '';
 })
diff --git a/nixos/tests/riak.nix b/nixos/tests/riak.nix
index f36d12bdb2cf4..18d028232ac24 100644
--- a/nixos/tests/riak.nix
+++ b/nixos/tests/riak.nix
@@ -7,7 +7,7 @@ import ./make-test.nix {
 
       {
         services.riak.enable = true;
-        services.riak.package = pkgs.riak2;
+        services.riak.package = pkgs.riak;
       };
   };