50 files changed, 333 insertions, 175 deletions

diff --git a/lib/licenses.nix b/lib/licenses.nix
index 1c953a2ba844..79124855f7fa 100644
--- a/lib/licenses.nix
+++ b/lib/licenses.nix
@@ -231,6 +231,12 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
     fullName = "Eiffel Forum License v2.0";
   };
 
+  elastic = {
+    fullName = "ELASTIC LICENSE";
+    url = https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt;
+    free = false;
+  };
+
   epl10 = spdx {
     spdxId = "EPL-1.0";
     fullName = "Eclipse Public License 1.0";
diff --git a/nixos/doc/manual/development/releases.xml b/nixos/doc/manual/development/releases.xml
index 863110a1c7ca..d4e5ff3f4312 100755
--- a/nixos/doc/manual/development/releases.xml
+++ b/nixos/doc/manual/development/releases.xml
@@ -70,7 +70,7 @@
     <listitem>
      <para>
       <link xlink:href="https://github.com/NixOS/nixpkgs/compare/bdf161ed8d21...6b63c4616790">
-      Bump the <literal>system.nixos.defaultChannel</literal> attribute in
+      Bump the <literal>system.defaultChannel</literal> attribute in
       <literal>nixos/modules/misc/version.nix</literal> </link>
      </para>
     </listitem>
diff --git a/nixos/doc/manual/release-notes/rl-1509.xml b/nixos/doc/manual/release-notes/rl-1509.xml
index 2465f370cf13..4eb2f9aa0a95 100644
--- a/nixos/doc/manual/release-notes/rl-1509.xml
+++ b/nixos/doc/manual/release-notes/rl-1509.xml
@@ -433,9 +433,9 @@ system.autoUpgrade.enable = true;
      default. If you have existing systems with such host keys and want to
      continue to use them, please set
 <programlisting>
-system.nixos.stateVersion = "14.12";
+system.stateVersion = "14.12";
 </programlisting>
-     The new option <option>system.nixos.stateVersion</option> ensures that
+     The new option <option>system.stateVersion</option> ensures that
      certain configuration changes that could break existing systems (such as
      the <command>sshd</command> host key setting) will maintain compatibility
      with the specified NixOS release. NixOps sets the state version of
diff --git a/nixos/modules/installer/cd-dvd/installation-cd-base.nix b/nixos/modules/installer/cd-dvd/installation-cd-base.nix
index 298b8d88bb59..36024ce9f45e 100644
--- a/nixos/modules/installer/cd-dvd/installation-cd-base.nix
+++ b/nixos/modules/installer/cd-dvd/installation-cd-base.nix
@@ -32,5 +32,5 @@ with lib;
   # Allow the user to log in as root without a password.
   users.users.root.initialHashedPassword = "";
 
-  system.nixos.stateVersion = mkDefault "18.03";
+  system.stateVersion = mkDefault "18.03";
 }
diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl
index 165566912401..cbe145d5a330 100644
--- a/nixos/modules/installer/tools/nixos-generate-config.pl
+++ b/nixos/modules/installer/tools/nixos-generate-config.pl
@@ -628,7 +628,7 @@ $bootLoaderConfig
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.nixos.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
+  system.stateVersion = "${\(qw(@release@))}"; # Did you read the comment?
 
 }
 EOF
diff --git a/nixos/modules/installer/virtualbox-demo.nix b/nixos/modules/installer/virtualbox-demo.nix
index f823c0d83bb6..8ca3592f3800 100644
--- a/nixos/modules/installer/virtualbox-demo.nix
+++ b/nixos/modules/installer/virtualbox-demo.nix
@@ -21,5 +21,5 @@ with lib;
   services.xserver.videoDrivers = mkOverride 40 [ "virtualbox" "vmware" "cirrus" "vesa" "modesetting" ];
 
   powerManagement.enable = false;
-  system.nixos.stateVersion = mkDefault "18.03";
+  system.stateVersion = mkDefault "18.03";
 }
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index 33d8a7861693..3be12e4a6375 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -12,29 +12,29 @@ in
 
 {
 
-  options.system.nixos = {
+  options.system = {
 
-    version = mkOption {
+    nixos.version = mkOption {
       internal = true;
       type = types.str;
       description = "The full NixOS version (e.g. <literal>16.03.1160.f2d4ee1</literal>).";
     };
 
-    release = mkOption {
+    nixos.release = mkOption {
       readOnly = true;
       type = types.str;
       default = trivial.release;
       description = "The NixOS release (e.g. <literal>16.03</literal>).";
     };
 
-    versionSuffix = mkOption {
+    nixos.versionSuffix = mkOption {
       internal = true;
       type = types.str;
       default = trivial.versionSuffix;
       description = "The NixOS version suffix (e.g. <literal>1160.f2d4ee1</literal>).";
     };
 
-    revision = mkOption {
+    nixos.revision = mkOption {
       internal = true;
       type = types.str;
       default = if pathIsDirectory gitRepo then commitIdFromGitRepo gitRepo
@@ -43,7 +43,7 @@ in
       description = "The Git revision from which this NixOS configuration was built.";
     };
 
-    codeName = mkOption {
+    nixos.codeName = mkOption {
       readOnly = true;
       type = types.str;
       description = "The NixOS release code name (e.g. <literal>Emu</literal>).";
@@ -76,8 +76,8 @@ in
 
   config = {
 
-    warnings = lib.optional (options.system.nixos.stateVersion.highestPrio > 1000)
-      "You don't have `system.nixos.stateVersion` explicitly set. Expect things to break.";
+    warnings = lib.optional (options.system.stateVersion.highestPrio > 1000)
+      "You don't have `system.stateVersion` explicitly set. Expect things to break.";
 
     system.nixos = {
       # These defaults are set here rather than up there so that
diff --git a/nixos/modules/programs/shell.nix b/nixos/modules/programs/shell.nix
index 3b5212c9e76b..944a8bdf16fc 100644
--- a/nixos/modules/programs/shell.nix
+++ b/nixos/modules/programs/shell.nix
@@ -34,7 +34,7 @@ with lib;
 
           # Subscribe the root user to the NixOS channel by default.
           if [ "$USER" = root -a ! -e "$HOME/.nix-channels" ]; then
-              echo "${config.system.nixos.defaultChannel} nixos" > "$HOME/.nix-channels"
+              echo "${config.system.defaultChannel} nixos" > "$HOME/.nix-channels"
           fi
 
           # Create the per-user garbage collector roots directory.
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 5242444a60b8..40f66ccb26b2 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -4,6 +4,11 @@ with lib;
 
 {
   imports = [
+    # !!! These were renamed the other way, but got reverted later.
+    # !!! Drop these before 18.09 is released.
+    (mkRenamedOptionModule [ "system" "nixos" "stateVersion" ] [ "system" "stateVersion" ])
+    (mkRenamedOptionModule [ "system" "nixos" "defaultChannel" ] [ "system" "defaultChannel" ])
+
     (mkRenamedOptionModule [ "dysnomia" ] [ "services" "dysnomia" ])
     (mkRenamedOptionModule [ "environment" "x11Packages" ] [ "environment" "systemPackages" ])
     (mkRenamedOptionModule [ "environment" "enableBashCompletion" ] [ "programs" "bash" "enableCompletion" ])
@@ -222,8 +227,6 @@ with lib;
     (mkRenamedOptionModule [ "system" "nixosVersionSuffix" ] [ "system" "nixos" "versionSuffix" ])
     (mkRenamedOptionModule [ "system" "nixosRevision" ] [ "system" "nixos" "revision" ])
     (mkRenamedOptionModule [ "system" "nixosLabel" ] [ "system" "nixos" "label" ])
-    (mkRenamedOptionModule [ "system" "stateVersion" ] [ "system" "nixos" "stateVersion" ])
-    (mkRenamedOptionModule [ "system" "defaultChannel" ] [ "system" "nixos" "defaultChannel" ])
 
     # Users
     (mkAliasOptionModule [ "users" "extraUsers" ] [ "users" "users" ])
diff --git a/nixos/modules/services/databases/mysql.nix b/nixos/modules/services/databases/mysql.nix
index 3eb7879e2d9f..0dde9ee6e2e5 100644
--- a/nixos/modules/services/databases/mysql.nix
+++ b/nixos/modules/services/databases/mysql.nix
@@ -218,7 +218,7 @@ in
   config = mkIf config.services.mysql.enable {
 
     services.mysql.dataDir =
-      mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then "/var/lib/mysql"
+      mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/mysql"
                  else "/var/mysql");
 
     users.users.mysql = {
diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix
index e33bee9db6e9..f59fb1c81772 100644
--- a/nixos/modules/services/databases/postgresql.nix
+++ b/nixos/modules/services/databases/postgresql.nix
@@ -146,7 +146,7 @@ in
       };
       superUser = mkOption {
         type = types.str;
-        default= if versionAtLeast config.system.nixos.stateVersion "17.09" then "postgres" else "root";
+        default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
         internal = true;
         description = ''
           NixOS traditionally used 'root' as superuser, most other distros use 'postgres'.
@@ -165,14 +165,14 @@ in
 
     services.postgresql.package =
       # Note: when changing the default, make it conditional on
-      # ‘system.nixos.stateVersion’ to maintain compatibility with existing
+      # ‘system.stateVersion’ to maintain compatibility with existing
       # systems!
-      mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then pkgs.postgresql96
-            else if versionAtLeast config.system.nixos.stateVersion "16.03" then pkgs.postgresql95
+      mkDefault (if versionAtLeast config.system.stateVersion "17.09" then pkgs.postgresql96
+            else if versionAtLeast config.system.stateVersion "16.03" then pkgs.postgresql95
             else pkgs.postgresql94);
 
     services.postgresql.dataDir =
-      mkDefault (if versionAtLeast config.system.nixos.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
+      mkDefault (if versionAtLeast config.system.stateVersion "17.09" then "/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}"
                  else "/var/db/postgresql");
 
     services.postgresql.authentication = mkAfter
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index 3e3de9114708..18e13f6ac030 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -342,7 +342,7 @@ in {
       };
       database_type = mkOption {
         type = types.enum [ "sqlite3" "psycopg2" ];
-        default = if versionAtLeast config.system.nixos.stateVersion "18.03"
+        default = if versionAtLeast config.system.stateVersion "18.03"
           then "psycopg2"
           else "sqlite3";
         description = ''
diff --git a/nixos/modules/services/network-filesystems/ipfs.nix b/nixos/modules/services/network-filesystems/ipfs.nix
index 21b664e5b2f9..412d57b27b82 100644
--- a/nixos/modules/services/network-filesystems/ipfs.nix
+++ b/nixos/modules/services/network-filesystems/ipfs.nix
@@ -14,7 +14,7 @@ let
     (optionalString (cfg.defaultMode == "norouting") "--routing=none")
   ] ++ cfg.extraFlags);
 
-  defaultDataDir = if versionAtLeast config.system.nixos.stateVersion "17.09" then
+  defaultDataDir = if versionAtLeast config.system.stateVersion "17.09" then
     "/var/lib/ipfs" else
     "/var/lib/ipfs/.ipfs";
 
diff --git a/nixos/modules/services/networking/radicale.nix b/nixos/modules/services/networking/radicale.nix
index 2afab5ee3b3e..d6fabbcd4700 100644
--- a/nixos/modules/services/networking/radicale.nix
+++ b/nixos/modules/services/networking/radicale.nix
@@ -9,7 +9,7 @@ let
   confFile = pkgs.writeText "radicale.conf" cfg.config;
 
   # This enables us to default to version 2 while still not breaking configurations of people with version 1
-  defaultPackage = if versionAtLeast config.system.nixos.stateVersion "17.09" then {
+  defaultPackage = if versionAtLeast config.system.stateVersion "17.09" then {
     pkg = pkgs.radicale2;
     text = "pkgs.radicale2";
   } else {
@@ -35,7 +35,7 @@ in
       defaultText = defaultPackage.text;
       description = ''
         Radicale package to use. This defaults to version 1.x if
-        <literal>system.nixos.stateVersion &lt; 17.09</literal> and version 2.x
+        <literal>system.stateVersion &lt; 17.09</literal> and version 2.x
         otherwise.
       '';
     };
diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix
index d61f588205af..b0831dcd1ca8 100644
--- a/nixos/modules/services/search/elasticsearch.nix
+++ b/nixos/modules/services/search/elasticsearch.nix
@@ -25,18 +25,17 @@ let
     ${cfg.extraConf}
   '';
 
-  configDir = pkgs.buildEnv {
-    name = "elasticsearch-config";
-    paths = [
-      (pkgs.writeTextDir "elasticsearch.yml" esConfig)
-      (if es5 then (pkgs.writeTextDir "log4j2.properties" cfg.logging)
-              else (pkgs.writeTextDir "logging.yml" cfg.logging))
-    ];
-    postBuild = concatStringsSep "\n" (concatLists [
-      # Elasticsearch 5.x won't start when the scripts directory does not exist
-      (optional es5 "${pkgs.coreutils}/bin/mkdir -p $out/scripts")
-      (optional es6 "ln -s ${cfg.package}/config/jvm.options $out/jvm.options")
-    ]);
+  configDir = cfg.dataDir + "/config";
+
+  elasticsearchYml = pkgs.writeTextFile {
+    name = "elasticsearch.yml";
+    text = esConfig;
+  };
+
+  loggingConfigFilename = if es5 then "log4j2.properties" else "logging.yml";
+  loggingConfigFile = pkgs.writeTextFile {
+    name = loggingConfigFilename;
+    text = cfg.logging;
   };
 
   esPlugins = pkgs.buildEnv {
@@ -193,7 +192,24 @@ in {
         ln -sfT ${esPlugins}/plugins ${cfg.dataDir}/plugins
         ln -sfT ${cfg.package}/lib ${cfg.dataDir}/lib
         ln -sfT ${cfg.package}/modules ${cfg.dataDir}/modules
-        if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi
+
+        # elasticsearch needs to create the elasticsearch.keystore in the config directory
+        # so this directory needs to be writable.
+        mkdir -m 0700 -p ${configDir}
+
+        # Note that we copy config files from the nix store instead of symbolically linking them
+        # because otherwise X-Pack Security will raise the following exception:
+        # java.security.AccessControlException:
+        # access denied ("java.io.FilePermission" "/var/lib/elasticsearch/config/elasticsearch.yml" "read")
+
+        cp ${elasticsearchYml} ${configDir}/elasticsearch.yml
+        # Make sure the logging configuration for old elasticsearch versions is removed:
+        rm -f ${if es5 then "${configDir}/logging.yml" else "${configDir}/log4j2.properties"}
+        cp ${loggingConfigFile} ${configDir}/${loggingConfigFilename}
+        ${optionalString es5 "mkdir -p ${configDir}/scripts"}
+        ${optionalString es6 "cp ${cfg.package}/config/jvm.options ${configDir}/jvm.options"}
+
+        if [ "$(id -u)" = 0 ]; then chown -R elasticsearch:elasticsearch ${cfg.dataDir}; fi
       '';
     };
 
diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
index 4237cfdd9198..d0b936cb019f 100644
--- a/nixos/modules/services/web-servers/caddy.nix
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -66,7 +66,7 @@ in {
       description = "Caddy web server";
       after = [ "network-online.target" ];
       wantedBy = [ "multi-user.target" ];
-      environment = mkIf (versionAtLeast config.system.nixos.stateVersion "17.09")
+      environment = mkIf (versionAtLeast config.system.stateVersion "17.09")
         { CADDYPATH = cfg.dataDir; };
       serviceConfig = {
         ExecStart = ''
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index 114e0ca39fa2..d94e21d681f3 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -127,7 +127,7 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
     services.xserver.displayManager.job.logToJournal = true;
 
     # set default stateVersion to avoid warnings during eval
-    system.nixos.stateVersion = mkDefault "18.03";
+    system.stateVersion = mkDefault "18.03";
   };
 
 }
diff --git a/nixos/modules/virtualisation/amazon-options.nix b/nixos/modules/virtualisation/amazon-options.nix
index 1a45c3093b78..15de8638bbab 100644
--- a/nixos/modules/virtualisation/amazon-options.nix
+++ b/nixos/modules/virtualisation/amazon-options.nix
@@ -3,7 +3,7 @@
   options = {
     ec2 = {
       hvm = lib.mkOption {
-        default = lib.versionAtLeast config.system.nixos.stateVersion "17.03";
+        default = lib.versionAtLeast config.system.stateVersion "17.03";
         internal = true;
         description = ''
           Whether the EC2 instance is a HVM instance.
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index 31f5f6fe7807..b91165ce3b82 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
@@ -607,7 +607,7 @@ in
                   { services.postgresql.enable = true;
                     services.postgresql.package = pkgs.postgresql96;
 
-                    system.nixos.stateVersion = "17.03";
+                    system.stateVersion = "17.03";
                   };
               };
           }
diff --git a/nixos/release.nix b/nixos/release.nix
index dfa4ee9e1278..09b0edcf9bd6 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -198,7 +198,7 @@ in rec {
         modules = singleton ({ ... }:
           { fileSystems."/".device  = mkDefault "/dev/sda1";
             boot.loader.grub.device = mkDefault "/dev/sda";
-            system.nixos.stateVersion = mkDefault "18.03";
+            system.stateVersion = mkDefault "18.03";
           });
       }).config.system.build.toplevel;
       preferLocalBuild = true;
diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix
index 42bff6a9a3f9..93b00b5b9772 100644
--- a/nixos/tests/containers-imperative.nix
+++ b/nixos/tests/containers-imperative.nix
@@ -18,7 +18,7 @@ import ./make-test.nix ({ pkgs, ...} : {
           inherit (config.nixpkgs.localSystem) system;
           modules = lib.singleton {
             containers.foo.config = {
-              system.nixos.stateVersion = "18.03";
+              system.stateVersion = "18.03";
             };
           };
         };
diff --git a/nixos/tests/containers-ipv4.nix b/nixos/tests/containers-ipv4.nix
index c4d954592ef0..4affe3d9d56d 100644
--- a/nixos/tests/containers-ipv4.nix
+++ b/nixos/tests/containers-ipv4.nix
@@ -21,7 +21,7 @@ import ./make-test.nix ({ pkgs, ...} : {
               services.httpd.adminAddr = "foo@example.org";
               networking.firewall.allowedTCPPorts = [ 80 ];
               networking.firewall.allowPing = true;
-              system.nixos.stateVersion = "18.03";
+              system.stateVersion = "18.03";
             };
         };
 
diff --git a/nixos/tests/elk.nix b/nixos/tests/elk.nix
index 8dba7a905fa6..4c5c441ca265 100644
--- a/nixos/tests/elk.nix
+++ b/nixos/tests/elk.nix
@@ -1,4 +1,4 @@
-{ system ? builtins.currentSystem }:
+{ system ? builtins.currentSystem, enableUnfree ? false }:
 with import ../lib/testing.nix { inherit system; };
 with pkgs.lib;
 let
@@ -99,9 +99,16 @@ in mapAttrs mkElkTest {
     logstash      = pkgs.logstash5;
     kibana        = pkgs.kibana5;
   };
-  "ELK-6" = {
-    elasticsearch = pkgs.elasticsearch6;
-    logstash      = pkgs.logstash6;
-    kibana        = pkgs.kibana6;
-  };
+  "ELK-6" =
+    if enableUnfree
+    then {
+      elasticsearch = pkgs.elasticsearch6;
+      logstash      = pkgs.logstash6;
+      kibana        = pkgs.kibana6;
+    }
+    else {
+      elasticsearch = pkgs.elasticsearch6-oss;
+      logstash      = pkgs.logstash6-oss;
+      kibana        = pkgs.kibana6-oss;
+    };
 }
diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix
index 0a9c2d394a7a..bf22fc9291af 100644
--- a/nixos/tests/radicale.nix
+++ b/nixos/tests/radicale.nix
@@ -43,7 +43,7 @@ in
             });
           })
         ];
-        system.nixos.stateVersion = "17.03";
+        system.stateVersion = "17.03";
       };
       radicale1_export = lib.recursiveUpdate radicale1 {
         services.radicale.extraArgs = [
@@ -54,7 +54,7 @@ in
         services.radicale.extraArgs = [ "--verify-storage" ];
       };
       radicale2 = lib.recursiveUpdate (common args) {
-        system.nixos.stateVersion = "17.09";
+        system.stateVersion = "17.09";
       };
     };
 
diff --git a/pkgs/applications/misc/st/default.nix b/pkgs/applications/misc/st/default.nix
index 3562a4f9b168..5ed8b81eabb5 100644
--- a/pkgs/applications/misc/st/default.nix
+++ b/pkgs/applications/misc/st/default.nix
@@ -3,8 +3,7 @@
 
 with stdenv.lib;
 
-let patches' = if patches == null then [] else patches;
-in stdenv.mkDerivation rec {
+stdenv.mkDerivation rec {
   name = "st-0.8.1";
 
   src = fetchurl {
@@ -12,7 +11,7 @@ in stdenv.mkDerivation rec {
     sha256 = "09k94v3n20gg32xy7y68p96x9dq5msl80gknf9gbvlyjp3i0zyy4";
   };
 
-  patches = patches';
+  inherit patches;
 
   configFile = optionalString (conf!=null) (writeText "config.def.h" conf);
   preBuild = optionalString (conf!=null) "cp ${configFile} config.def.h";
diff --git a/pkgs/development/compilers/llvm/4/default.nix b/pkgs/development/compilers/llvm/4/default.nix
index 75037f6a07db..9651dbb72f4d 100644
--- a/pkgs/development/compilers/llvm/4/default.nix
+++ b/pkgs/development/compilers/llvm/4/default.nix
@@ -1,5 +1,5 @@
-{ lowPrio, newScope, stdenv, cmake, libstdcxxHook
-, libxml2, python2, isl, fetchurl, overrideCC, wrapCCWith
+{ lowPrio, newScope, pkgs, stdenv, cmake, libstdcxxHook
+, libxml2, python, isl, fetchurl, overrideCC, wrapCCWith
 , buildLlvmTools # tools, but from the previous stage, for cross
 , targetLlvmLibraries # libraries, but from the next stage, for cross
 }:
@@ -16,25 +16,28 @@ let
   compiler-rt_src = fetch "compiler-rt" "0h5lpv1z554szi4r4blbskhwrkd78ir50v3ng8xvk1s86fa7gj53";
   clang-tools-extra_src = fetch "clang-tools-extra" "1dhmp7ccfpr42bmvk3kp37ngjpf3a9m5d4kkpsn7d00hzi7fdl9m";
 
-  # Add man output without introducing extra dependencies.
-  overrideManOutput = drv:
-    let drv-manpages = drv.override { enableManpages = true; }; in
-    drv // { man = drv-manpages.out; /*outputs = drv.outputs ++ ["man"];*/ };
-
   tools = stdenv.lib.makeExtensible (tools: let
-    callPackage = newScope (tools // { inherit stdenv cmake libxml2 python2 isl release_version version fetch; });
+    callPackage = newScope (tools // { inherit stdenv cmake libxml2 python isl release_version version fetch; });
   in {
 
-    llvm = overrideManOutput (callPackage ./llvm.nix {
+    llvm = callPackage ./llvm.nix {
       inherit compiler-rt_src;
-    });
-    clang-unwrapped = overrideManOutput (callPackage ./clang {
+    };
+    clang-unwrapped = callPackage ./clang {
       inherit clang-tools-extra_src;
+    };
+
+    llvm-manpages = lowPrio (tools.llvm.override {
+      enableManpages = true;
+      python = pkgs.python;  # don't use python-boot
+    });
+
+    clang-manpages = lowPrio (tools.clang-unwrapped.override {
+      enableManpages = true;
+      python = pkgs.python;  # don't use python-boot
     });
 
     libclang = tools.clang-unwrapped.lib;
-    llvm-manpages = lowPrio tools.llvm.man;
-    clang-manpages = lowPrio tools.clang-unwrapped.man;
 
     clang = if stdenv.cc.isGNU then tools.libstdcxxClang else tools.libcxxClang;
 
@@ -54,7 +57,7 @@ let
   });
 
   libraries = stdenv.lib.makeExtensible (libraries: let
-    callPackage = newScope (libraries // buildLlvmTools // { inherit stdenv cmake libxml2 python2 isl release_version version fetch; });
+    callPackage = newScope (libraries // buildLlvmTools // { inherit stdenv cmake libxml2 python isl release_version version fetch; });
   in {
 
     stdenv = overrideCC stdenv buildLlvmTools.clang;
diff --git a/pkgs/development/compilers/llvm/4/llvm.nix b/pkgs/development/compilers/llvm/4/llvm.nix
index 514c3a006e38..e474f9a73fe8 100644
--- a/pkgs/development/compilers/llvm/4/llvm.nix
+++ b/pkgs/development/compilers/llvm/4/llvm.nix
@@ -13,7 +13,7 @@
 , compiler-rt_src
 , debugVersion ? false
 , enableManpages ? false
-, enableSharedLibraries ? true
+, enableSharedLibraries ? !enableManpages
 }:
 
 let
diff --git a/pkgs/development/compilers/llvm/5/default.nix b/pkgs/development/compilers/llvm/5/default.nix
index 00b0083108b5..38d2b0d461d4 100644
--- a/pkgs/development/compilers/llvm/5/default.nix
+++ b/pkgs/development/compilers/llvm/5/default.nix
@@ -1,5 +1,5 @@
-{ lowPrio, newScope, stdenv, cmake, libstdcxxHook
-, libxml2, python2, isl, fetchurl, overrideCC, wrapCCWith
+{ lowPrio, newScope, pkgs, stdenv, cmake, libstdcxxHook
+, libxml2, python, isl, fetchurl, overrideCC, wrapCCWith
 , buildLlvmTools # tools, but from the previous stage, for cross
 , targetLlvmLibraries # libraries, but from the next stage, for cross
 }:
@@ -15,13 +15,8 @@ let
 
   clang-tools-extra_src = fetch "clang-tools-extra" "018b3fiwah8f8br5i26qmzh6sjvzchpn358sn8v079m49f2jldm3";
 
-  # Add man output without introducing extra dependencies.
-  overrideManOutput = drv:
-    let drv-manpages = drv.override { enableManpages = true; }; in
-    drv // { man = drv-manpages.out; /*outputs = drv.outputs ++ ["man"];*/ };
-
   tools = stdenv.lib.makeExtensible (tools: let
-    callPackage = newScope (tools // { inherit stdenv cmake libxml2 python2 isl release_version version fetch; });
+    callPackage = newScope (tools // { inherit stdenv cmake libxml2 python isl release_version version fetch; });
     mkExtraBuildCommands = cc: ''
       rsrc="$out/resource-root"
       mkdir "$rsrc"
@@ -33,15 +28,23 @@ let
     '';
   in {
 
-    llvm = overrideManOutput (callPackage ./llvm.nix { });
+    llvm = callPackage ./llvm.nix { };
 
-    clang-unwrapped = overrideManOutput (callPackage ./clang {
+    clang-unwrapped = callPackage ./clang {
       inherit clang-tools-extra_src;
+    };
+
+    llvm-manpages = lowPrio (tools.llvm.override {
+      enableManpages = true;
+      python = pkgs.python;  # don't use python-boot
+    });
+
+    clang-manpages = lowPrio (tools.clang-unwrapped.override {
+      enableManpages = true;
+      python = pkgs.python;  # don't use python-boot
     });
 
     libclang = tools.clang-unwrapped.lib;
-    llvm-manpages = lowPrio tools.llvm.man;
-    clang-manpages = lowPrio tools.clang-unwrapped.man;
 
     clang = if stdenv.cc.isGNU then tools.libstdcxxClang else tools.libcxxClang;
 
@@ -70,7 +73,7 @@ let
   });
 
   libraries = stdenv.lib.makeExtensible (libraries: let
-    callPackage = newScope (libraries // buildLlvmTools // { inherit stdenv cmake libxml2 python2 isl release_version version fetch; });
+    callPackage = newScope (libraries // buildLlvmTools // { inherit stdenv cmake libxml2 python isl release_version version fetch; });
   in {
 
     compiler-rt = callPackage ./compiler-rt.nix {};
diff --git a/pkgs/development/compilers/llvm/5/llvm.nix b/pkgs/development/compilers/llvm/5/llvm.nix
index 68eebc33c6b9..4b24e6dad726 100644
--- a/pkgs/development/compilers/llvm/5/llvm.nix
+++ b/pkgs/development/compilers/llvm/5/llvm.nix
@@ -12,7 +12,7 @@
 , libcxxabi
 , debugVersion ? false
 , enableManpages ? false
-, enableSharedLibraries ? true
+, enableSharedLibraries ? !enableManpages
 }:
 
 let
diff --git a/pkgs/development/compilers/llvm/6/default.nix b/pkgs/development/compilers/llvm/6/default.nix
index 141daa88dcff..831e4b65344c 100644
--- a/pkgs/development/compilers/llvm/6/default.nix
+++ b/pkgs/development/compilers/llvm/6/default.nix
@@ -1,5 +1,5 @@
-{ lowPrio, newScope, stdenv, cmake, libstdcxxHook
-, libxml2, python2, isl, fetchurl, overrideCC, wrapCCWith
+{ lowPrio, newScope, pkgs, stdenv, cmake, libstdcxxHook
+, libxml2, python, isl, fetchurl, overrideCC, wrapCCWith
 , buildLlvmTools # tools, but from the previous stage, for cross
 , targetLlvmLibraries # libraries, but from the next stage, for cross
 }:
@@ -15,13 +15,8 @@ let
 
   clang-tools-extra_src = fetch "clang-tools-extra" "1w8ml7fyn4vyxmy59n2qm4r1k1kgwgwkaldp6m45fdv4g0kkfbhd";
 
-  # Add man output without introducing extra dependencies.
-  overrideManOutput = drv:
-    let drv-manpages = drv.override { enableManpages = true; }; in
-    drv // { man = drv-manpages.out; /*outputs = drv.outputs ++ ["man"];*/ };
-
   tools = stdenv.lib.makeExtensible (tools: let
-    callPackage = newScope (tools // { inherit stdenv cmake libxml2 python2 isl release_version version fetch; });
+    callPackage = newScope (tools // { inherit stdenv cmake libxml2 python isl release_version version fetch; });
     mkExtraBuildCommands = cc: ''
       rsrc="$out/resource-root"
       mkdir "$rsrc"
@@ -33,15 +28,23 @@ let
     '';
   in {
 
-    llvm = overrideManOutput (callPackage ./llvm.nix { });
+    llvm = callPackage ./llvm.nix { };
 
-    clang-unwrapped = overrideManOutput (callPackage ./clang {
+    clang-unwrapped = callPackage ./clang {
       inherit clang-tools-extra_src;
+    };
+
+    llvm-manpages = lowPrio (tools.llvm.override {
+      enableManpages = true;
+      python = pkgs.python;  # don't use python-boot
+    });
+
+    clang-manpages = lowPrio (tools.clang-unwrapped.override {
+      enableManpages = true;
+      python = pkgs.python;  # don't use python-boot
     });
 
     libclang = tools.clang-unwrapped.lib;
-    llvm-manpages = lowPrio tools.llvm.man;
-    clang-manpages = lowPrio tools.clang-unwrapped.man;
 
     clang = if stdenv.cc.isGNU then tools.libstdcxxClang else tools.libcxxClang;
 
@@ -70,7 +73,7 @@ let
   });
 
   libraries = stdenv.lib.makeExtensible (libraries: let
-    callPackage = newScope (libraries // buildLlvmTools // { inherit stdenv cmake libxml2 python2 isl release_version version fetch; });
+    callPackage = newScope (libraries // buildLlvmTools // { inherit stdenv cmake libxml2 python isl release_version version fetch; });
   in {
 
     compiler-rt = callPackage ./compiler-rt.nix {};
diff --git a/pkgs/development/coq-modules/category-theory/default.nix b/pkgs/development/coq-modules/category-theory/default.nix
index 766a10c9579d..a5e4dd921165 100644
--- a/pkgs/development/coq-modules/category-theory/default.nix
+++ b/pkgs/development/coq-modules/category-theory/default.nix
@@ -3,15 +3,15 @@
 let param =
   {
     "8.6" = {
-      version = "20171214";
-      rev = "babf9c013506da1dbd67171e4a3ae87fdb7e9d00";
-      sha256 = "16fsf4cggx9s9fkijnpi4g614nmdb2yx7inzqqn070f8p959qcrd";
+      version = "20180709";
+      rev = "3b9ba7b26a64d49a55e8b6ccea570a7f32c11ead";
+      sha256 = "0f2nr8dgn1ab7hr7jrdmr1zla9g9h8216q4yf4wnff9qkln8sbbs";
     };
 
     "8.7" = {
-      version = "20171214";
-      rev = "babf9c013506da1dbd67171e4a3ae87fdb7e9d00";
-      sha256 = "16fsf4cggx9s9fkijnpi4g614nmdb2yx7inzqqn070f8p959qcrd";
+      version = "20180709";
+      rev = "3b9ba7b26a64d49a55e8b6ccea570a7f32c11ead";
+      sha256 = "0f2nr8dgn1ab7hr7jrdmr1zla9g9h8216q4yf4wnff9qkln8sbbs";
     };
 
   }."${coq.coq-version}"
@@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
   };
 
   buildInputs = [ coq.ocaml coq.camlp5 coq.findlib ];
-  propagatedBuildInputs = [ coq ssreflect ];
+  propagatedBuildInputs = [ coq ssreflect equations ];
 
   enableParallelBuilding = false;
 
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 1ec0adafef8f..3c8f94860b40 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -249,14 +249,6 @@ self: super: {
   # doJailbreak: Can be removed once https://github.com/haskell-nix/hnix/pull/329 is in (5.2 probably)
   #   This is due to hnix currently having an upper bound of <0.5 on deriving-compat, works just fine with our current version 0.5.1 though
   hnix = dontCheck (doJailbreak (overrideCabal super.hnix (old: {
-    patches = old.patches or [] ++ [
-      # should land in hnix-5.2
-      (pkgs.fetchpatch {
-        url = "https://github.com/haskell-nix/hnix/commit/9cfe060a9dbe9e7c64867956a0523eed9661803a.patch";
-        sha256 = "0ci4n7nw2pzqw0gkmkp4szzvxjyb143a4znjm39jmb0s397a68sh";
-        name = "disable-hpack-test-by-default.patch";
-      })
-    ];
     testHaskellDepends = old.testHaskellDepends or [] ++ [ pkgs.nix ];
   })));
 
diff --git a/pkgs/development/interpreters/python/cpython/2.7/boot.nix b/pkgs/development/interpreters/python/cpython/2.7/boot.nix
index 66f358e4b95b..7d6f2541d3d1 100644
--- a/pkgs/development/interpreters/python/cpython/2.7/boot.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/boot.nix
@@ -75,6 +75,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  passthru.pkgs = builtins.throw "python-boot does not support packages, this package is only intended for bootstrapping." {};
+
   meta = {
     homepage = http://python.org;
     description = "A high-level dynamically-typed programming language";
diff --git a/pkgs/development/libraries/skalibs/default.nix b/pkgs/development/libraries/skalibs/default.nix
index 6fe88fd7cea8..b3f5e12b0ecd 100644
--- a/pkgs/development/libraries/skalibs/default.nix
+++ b/pkgs/development/libraries/skalibs/default.nix
@@ -2,7 +2,7 @@
 
 let
 
-  version = "2.6.0.1";
+  version = "2.6.4.0";
 
 in stdenv.mkDerivation rec {
 
@@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
   src = fetchgit {
     url = "git://git.skarnet.org/skalibs";
     rev = "refs/tags/v${version}";
-    sha256 = "0skdv3wff1i78hb0y771apw0cak5rzxbwbh6l922snfm01z9k1ws";
+    sha256 = "13icrwxxb7k3cj37dl07h0apk6lwyrg1qrwjwh4l82i8f32bnjz2";
   };
 
   outputs = [ "lib" "dev" "doc" "out" ];
diff --git a/pkgs/development/tools/build-managers/bazel/default.nix b/pkgs/development/tools/build-managers/bazel/default.nix
index b59a93d37324..56b64cd061b5 100644
--- a/pkgs/development/tools/build-managers/bazel/default.nix
+++ b/pkgs/development/tools/build-managers/bazel/default.nix
@@ -26,7 +26,7 @@ let
 in
 stdenv.mkDerivation rec {
 
-  version = "0.15.1";
+  version = "0.15.2";
 
   meta = with stdenv.lib; {
     homepage = "https://github.com/bazelbuild/bazel/";
@@ -40,7 +40,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://github.com/bazelbuild/bazel/releases/download/${version}/bazel-${version}-dist.zip";
-    sha256 = "0v7wdwbxy4bcx488lm1glf4iv3wfdwbkg8fh6kmmmfn1lhgkaay6";
+    sha256 = "1w83zi6d9npi1jmiy022v92xp1cwdvn2qqgghlnl2v9sprryqlxz";
   };
 
   sourceRoot = ".";
@@ -128,10 +128,10 @@ stdenv.mkDerivation rec {
   buildPhase = ''
     export TMPDIR=/tmp/.bazel-$UID
     ./compile.sh
-    ./output/bazel --output_user_root=$TMPDIR/.bazel build //scripts:bash_completion \
-      --spawn_strategy=standalone \
-      --genrule_strategy=standalone
-    cp bazel-bin/scripts/bazel-complete.bash output/
+    scripts/generate_bash_completion.sh \
+        --bazel=./output/bazel \
+        --output=output/bazel-complete.bash \
+        --prepend=scripts/bazel-complete-template.bash
   '';
 
   # Build the CPP and Java examples to verify that Bazel works.
@@ -149,7 +149,7 @@ stdenv.mkDerivation rec {
     mv output/bazel $out/bin
     wrapProgram "$out/bin/bazel" --set JAVA_HOME "${jdk}"
     mkdir -p $out/share/bash-completion/completions $out/share/zsh/site-functions
-    mv output/bazel-complete.bash $out/share/bash-completion/completions/
+    mv output/bazel-complete.bash $out/share/bash-completion/completions/bazel
     cp scripts/zsh_completion/_bazel $out/share/zsh/site-functions/
   '';
 
diff --git a/pkgs/development/tools/misc/kibana/6.x.nix b/pkgs/development/tools/misc/kibana/6.x.nix
index 17620c9df6c8..1fd52f435574 100644
--- a/pkgs/development/tools/misc/kibana/6.x.nix
+++ b/pkgs/development/tools/misc/kibana/6.x.nix
@@ -1,4 +1,13 @@
-{ stdenv, makeWrapper, fetchurl, elk6Version, nodejs, coreutils, which }:
+{ elk6Version
+, enableUnfree ? true
+, stdenv
+, makeWrapper
+, fetchzip
+, fetchurl
+, nodejs
+, coreutils
+, which
+}:
 
 with stdenv.lib;
 let
@@ -6,12 +15,31 @@ let
   info = splitString "-" stdenv.system;
   arch = elemAt info 0;
   plat = elemAt info 1;
-  shas = {
-    "x86_64-linux"  = "1br9nvwa3i5sfcbnrxp2x3dxxnsbs9iavz6zwgw0jlh5ngf5vysk";
-    "x86_64-darwin" = "1w4dck02i0rrl8m18kvy2zz02cb7bb9a2pdhkd1jfy1qz4ssnhii";
+  shas =
+    if enableUnfree
+    then {
+      "x86_64-linux"  = "1kk97ggpzmblhqm6cfd2sv5940f58h323xcyg6rba1njj7lzanv0";
+      "x86_64-darwin" = "1xvwffk8d8br92h0laf4b1m76kvki6cj0pbgcvirfcj1r70vk6c3";
+    }
+    else {
+      "x86_64-linux"  = "0m81ki1v61gpwb3s6zf84azqrirlm9pdfx65g3xmvdp3d3wii5ly";
+      "x86_64-darwin" = "0zh9p6vsq1d0gh6ks7z6bh8sbhn6rm4jshjcfp3c9k7n2qa8vv9b";
+    };
+
+  # For the correct phantomjs version see:
+  # https://github.com/elastic/kibana/blob/master/x-pack/plugins/reporting/server/browsers/phantom/paths.js
+  phantomjs = rec {
+    name = "phantomjs-${version}-linux-x86_64";
+    version = "2.1.1";
+    src = fetchzip {
+      inherit name;
+      url = "https://github.com/Medium/phantomjs/releases/download/v${version}/${name}.tar.bz2";
+      sha256 = "0g2dqjzr2daz6rkd6shj6rrlw55z4167vqh7bxadl8jl6jk7zbfv";
+    };
   };
+
 in stdenv.mkDerivation rec {
-  name = "kibana-${version}";
+  name = "kibana-${optionalString (!enableUnfree) "oss-"}${version}";
   version = elk6Version;
 
   src = fetchurl {
@@ -28,12 +56,19 @@ in stdenv.mkDerivation rec {
     makeWrapper $out/libexec/kibana/bin/kibana $out/bin/kibana \
       --prefix PATH : "${stdenv.lib.makeBinPath [ nodejs coreutils which ]}"
     sed -i 's@NODE=.*@NODE=${nodejs}/bin/node@' $out/libexec/kibana/bin/kibana
+  '' +
+  # phantomjs is needed in the unfree version. When phantomjs doesn't exist in
+  # $out/libexec/kibana/data kibana will try to download and unpack it during
+  # runtime which will fail because the nix store is read-only. So we make sure
+  # it already exist in the nix store.
+  optionalString enableUnfree ''
+    ln -s ${phantomjs.src} $out/libexec/kibana/data/${phantomjs.name}
   '';
 
   meta = {
     description = "Visualize logs and time-stamped data";
     homepage = http://www.elasticsearch.org/overview/kibana;
-    license = licenses.asl20;
+    license = if enableUnfree then licenses.elastic else licenses.asl20;
     maintainers = with maintainers; [ offline rickynils basvandijk ];
     platforms = with platforms; unix;
   };
diff --git a/pkgs/misc/logging/beats/6.x.nix b/pkgs/misc/logging/beats/6.x.nix
index ce911ae40d5e..111bc449d888 100644
--- a/pkgs/misc/logging/beats/6.x.nix
+++ b/pkgs/misc/logging/beats/6.x.nix
@@ -8,7 +8,7 @@ let beat = package : extraArgs : buildGoPackage (rec {
         owner = "elastic";
         repo = "beats";
         rev = "v${version}";
-        sha256 = "194z3j9zwlbc6j97iy1m1cl0xqks3ws2bjp2xrgy8cwpi7fclaw2";
+        sha256 = "0ymg6y6v0mdhs1rs11fn33xdp3r6v85563z0f4p7s22j1kd3nd6r";
       };
 
       goPackagePath = "github.com/elastic/beats";
diff --git a/pkgs/servers/search/elasticsearch/6.x.nix b/pkgs/servers/search/elasticsearch/6.x.nix
index 06caf191587c..84872649c492 100644
--- a/pkgs/servers/search/elasticsearch/6.x.nix
+++ b/pkgs/servers/search/elasticsearch/6.x.nix
@@ -1,14 +1,26 @@
-{ stdenv, fetchurl, elk6Version, makeWrapper, jre_headless, utillinux }:
+{ elk6Version
+, enableUnfree ? true
+, stdenv
+, fetchurl
+, makeWrapper
+, jre_headless
+, utillinux
+, autoPatchelfHook
+, zlib
+}:
 
 with stdenv.lib;
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (rec {
   version = elk6Version;
-  name = "elasticsearch-${version}";
+  name = "elasticsearch-${optionalString (!enableUnfree) "oss-"}${version}";
 
   src = fetchurl {
     url = "https://artifacts.elastic.co/downloads/elasticsearch/${name}.tar.gz";
-    sha256 = "13hf00khq33yw6zv022vcrsf6vm43isx40x7ww8r1lqx3vmg3rli";
+    sha256 =
+      if enableUnfree
+      then "0960ak602pm95p2mha9cb1mrwdky8pfw3y89r2v4zpr5n730hmnh"
+      else "1i4i1ai75bf8k0zd1qf8x0bavrm8rcw13xdim443zza09w95ypk4";
   };
 
   patches = [ ./es-home-6.x.patch ];
@@ -32,10 +44,22 @@ stdenv.mkDerivation rec {
     wrapProgram $out/bin/elasticsearch-plugin --set JAVA_HOME "${jre_headless}"
   '';
 
+  passthru = { inherit enableUnfree; };
+
   meta = {
     description = "Open Source, Distributed, RESTful Search Engine";
-    license = licenses.asl20;
+    license = if enableUnfree then licenses.elastic else licenses.asl20;
     platforms = platforms.unix;
     maintainers = with maintainers; [ apeschar basvandijk ];
   };
-}
+} // optionalAttrs enableUnfree {
+  dontPatchELF = true;
+  nativeBuildInputs = [ autoPatchelfHook ];
+  runtimeDependencies = [ zlib ];
+  postFixup = ''
+    for exe in $(find $out/modules/x-pack/x-pack-ml/platform/linux-x86_64/bin -executable -type f); do
+      echo "patching $exe..."
+      patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" "$exe"
+    done
+  '';
+})
diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index a1b458986e50..cc28dc73ca87 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -2476,6 +2476,7 @@ let
     };
     nativeBuildInputs = [ pkgconfig ];
     buildInputs = [ libX11 xproto ];
+    configureFlags = [ "--with-xkb-rules-symlink=xorg" ];
     meta.platforms = stdenv.lib.platforms.unix;
   }) // {inherit libX11 xproto ;};
 
diff --git a/pkgs/stdenv/darwin/default.nix b/pkgs/stdenv/darwin/default.nix
index b7b3640a9535..22dd700b2dda 100644
--- a/pkgs/stdenv/darwin/default.nix
+++ b/pkgs/stdenv/darwin/default.nix
@@ -339,15 +339,7 @@ in rec {
 
       llvmPackages_5 = super.llvmPackages_5 // (let
         tools = super.llvmPackages_5.tools.extend (_: super: {
-          # Build man pages with final stdenv not before
-          llvm = lib.extendDerivation
-            true
-            { inherit (super.llvm) man; }
-            llvmPackages_5.llvm;
-          clang-unwrapped = lib.extendDerivation
-            true
-            { inherit (super.clang-unwrapped) man; }
-            llvmPackages_5.clang-unwrapped;
+          inherit (llvmPackages_5) llvm clang-unwrapped;
         });
         libraries = super.llvmPackages_5.libraries.extend (_: _: {
           inherit (llvmPackages_5) compiler-rt libcxx libcxxabi;
@@ -384,9 +376,8 @@ in rec {
     initialPath = import ../common-path.nix { inherit pkgs; };
     shell       = "${pkgs.bash}/bin/bash";
 
-    # Hack to avoid man pages in stdenv, building bootstrap python
     cc = pkgs.llvmPackages.libcxxClang.override {
-      cc = builtins.removeAttrs pkgs.llvmPackages.clang-unwrapped [ "man" ];
+      cc = pkgs.llvmPackages.clang-unwrapped;
     };
 
     extraNativeBuildInputs = [];
diff --git a/pkgs/tools/filesystems/android-file-transfer/default.nix b/pkgs/tools/filesystems/android-file-transfer/default.nix
new file mode 100644
index 000000000000..40725defbed9
--- /dev/null
+++ b/pkgs/tools/filesystems/android-file-transfer/default.nix
@@ -0,0 +1,27 @@
+{ lib, stdenv, fetchFromGitHub, cmake, fuse, readline, pkgconfig, qtbase }:
+
+stdenv.mkDerivation rec {
+  name = "android-file-transfer-${version}";
+  version = "3.4";
+  src = fetchFromGitHub {
+    owner = "whoozle";
+    repo = "android-file-transfer-linux";
+    rev = "v${version}";
+    sha256 = "1xwl0vk57174gdjhgqkzrirwzd2agdm84q30dq9q376ixgxjrifc";
+  };
+  buildInputs = [ cmake fuse readline pkgconfig qtbase ];
+  buildPhase = ''
+    cmake .
+    make
+  '';
+  installPhase = ''
+    make install
+  '';
+  meta = with stdenv.lib; {
+    description = "Reliable MTP client with minimalistic UI";
+    homepage = http://whoozle.github.io/android-file-transfer-linux/;
+    license = licenses.lgpl21;
+    maintainers = [ maintainers.xaverdh ];
+    platforms = platforms.linux;
+  };
+}
diff --git a/pkgs/tools/misc/execline/default.nix b/pkgs/tools/misc/execline/default.nix
index 6cd9623ad1c0..0b606882a5c3 100644
--- a/pkgs/tools/misc/execline/default.nix
+++ b/pkgs/tools/misc/execline/default.nix
@@ -2,7 +2,7 @@
 
 let
 
-  version = "2.3.0.3";
+  version = "2.5.0.0";
 
 in stdenv.mkDerivation rec {
 
@@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
   src = fetchgit {
     url = "git://git.skarnet.org/execline";
     rev = "refs/tags/v${version}";
-    sha256 = "1q0izb8ajzxl36fjpy4rn63sz01055r9s33fga99jprdmkkfzz6x";
+    sha256 = "19vd8252g5bmzm4i9gybpj7i2mhsflcgfl4ns5k3g1vv7f69i1dn";
   };
 
   outputs = [ "bin" "lib" "dev" "doc" "out" ];
diff --git a/pkgs/tools/misc/fortune/default.nix b/pkgs/tools/misc/fortune/default.nix
index 5e6db9fdc209..59c0396eebea 100644
--- a/pkgs/tools/misc/fortune/default.nix
+++ b/pkgs/tools/misc/fortune/default.nix
@@ -2,24 +2,25 @@
 
 stdenv.mkDerivation {
   name = "fortune-mod-1.99.1";
-  
+
   src = fetchurl {
     url = http://ftp.de.debian.org/debian/pool/main/f/fortune-mod/fortune-mod_1.99.1.orig.tar.gz;
     sha256 = "1kpa2hgbglj5dbfasvl9wc1q3xpl91mqn3sfby46r4rwyzhswlgw";
   };
-  
+
   buildInputs = [ recode ];
-  
+
   preConfigure = ''
-    sed -i "s|/usr/|$out/|" Makefile 
+    sed -i "s|/usr/|$out/|" Makefile
   '';
 
   preBuild = ''
     makeFlagsArray=("CC=$CC" "REGEXDEFS=-DHAVE_REGEX_H -DPOSIX_REGEX" "LDFLAGS=")
   '';
-  
+
   postInstall = ''
-    ln -s $out/games/fortune $out/bin/fortune
+    mv $out/games/fortune $out/bin/fortune
+    rmdir $out/games
   '';
 
   meta = {
diff --git a/pkgs/tools/misc/logstash/6.x.nix b/pkgs/tools/misc/logstash/6.x.nix
index 6aa3fd836965..4f15ba90d39d 100644
--- a/pkgs/tools/misc/logstash/6.x.nix
+++ b/pkgs/tools/misc/logstash/6.x.nix
@@ -1,12 +1,23 @@
-{ stdenv, fetchurl, elk6Version, makeWrapper, jre  }:
+{ elk6Version
+, enableUnfree ? true
+, stdenv
+, fetchurl
+, makeWrapper
+, jre
+}:
+
+with stdenv.lib;
 
 stdenv.mkDerivation rec {
   version = elk6Version;
-  name = "logstash-${version}";
+  name = "logstash-${optionalString (!enableUnfree) "oss-"}${version}";
 
   src = fetchurl {
     url = "https://artifacts.elastic.co/downloads/logstash/${name}.tar.gz";
-    sha256 = "07j3jjg5ik4gjgvcx15qqqas9p1m3815jml82a5r1ip9l6vc4h20";
+    sha256 =
+      if enableUnfree
+      then "0yx9hpiav4d5z1b52x2h5i0iknqs9lmxy8vmz0wkb23mjiz8njdr"
+      else "1ir8pbq706mxr56k5cgc9ajn2jp603zrqj66dimx6xxf2nfamw0w";
   };
 
   dontBuild         = true;
@@ -35,7 +46,7 @@ stdenv.mkDerivation rec {
   meta = with stdenv.lib; {
     description = "Logstash is a data pipeline that helps you process logs and other event data from a variety of systems";
     homepage    = https://www.elastic.co/products/logstash;
-    license     = licenses.asl20;
+    license     = if enableUnfree then licenses.elastic else licenses.asl20;
     platforms   = platforms.unix;
     maintainers = with maintainers; [ wjlroe offline basvandijk ];
   };
diff --git a/pkgs/tools/networking/s6-dns/default.nix b/pkgs/tools/networking/s6-dns/default.nix
index c0163f066aae..db2071ab17da 100644
--- a/pkgs/tools/networking/s6-dns/default.nix
+++ b/pkgs/tools/networking/s6-dns/default.nix
@@ -2,7 +2,7 @@
 
 let
 
-  version = "2.2.0.1";
+  version = "2.3.0.0";
 
 in stdenv.mkDerivation rec {
 
@@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
   src = fetchgit {
     url = "git://git.skarnet.org/s6-dns";
     rev = "refs/tags/v${version}";
-    sha256 = "10qvkh608nsx8gqs3pj4pb8aivwpshbmjw2766grgmrb35d31brl";
+    sha256 = "1hczdg3dzi9z6f0wicm2qa2239fiax915zp66xspdz6qd23nqrxb";
   };
 
   outputs = [ "bin" "lib" "dev" "doc" "out" ];
diff --git a/pkgs/tools/networking/s6-networking/default.nix b/pkgs/tools/networking/s6-networking/default.nix
index c70e8273163a..1971bbffa406 100644
--- a/pkgs/tools/networking/s6-networking/default.nix
+++ b/pkgs/tools/networking/s6-networking/default.nix
@@ -1,10 +1,25 @@
-{ stdenv, execline, fetchgit, s6, s6-dns, skalibs }:
+{ stdenv, execline, fetchgit, s6, s6-dns, skalibs
+
+# Whether to build the TLS/SSL tools and what library to use
+# acceptable values: "libressl", false
+# TODO: add bearssl
+, sslSupport ? "libressl" , libressl
+}:
 
 let
+  inherit (stdenv) lib;
 
   version = "2.3.0.2";
 
-in stdenv.mkDerivation rec {
+  sslSupportEnabled = sslSupport != false;
+  sslLibs = {
+    "libressl" = libressl;
+  };
+
+in
+assert sslSupportEnabled -> sslLibs ? ${sslSupport};
+
+stdenv.mkDerivation rec {
 
   name = "s6-networking-${version}";
 
@@ -41,7 +56,12 @@ in stdenv.mkDerivation rec {
     "--with-dynlib=${s6.out}/lib"
     "--with-dynlib=${s6-dns.lib}/lib"
   ]
-  ++ (stdenv.lib.optional stdenv.isDarwin "--build=${stdenv.system}");
+  ++ (lib.optionals sslSupportEnabled [
+       "--enable-ssl=${sslSupport}"
+       "--with-include=${lib.getDev sslLibs.${sslSupport}}/include"
+       "--with-lib=${lib.getLib sslLibs.${sslSupport}}/lib"
+     ])
+  ++ (lib.optional stdenv.isDarwin "--build=${stdenv.system}");
 
   postInstall = ''
     mkdir -p $doc/share/doc/s6-networking/
@@ -51,8 +71,8 @@ in stdenv.mkDerivation rec {
   meta = {
     homepage = http://www.skarnet.org/software/s6-networking/;
     description = "A suite of small networking utilities for Unix systems";
-    platforms = stdenv.lib.platforms.all;
-    license = stdenv.lib.licenses.isc;
+    platforms = lib.platforms.all;
+    license = lib.licenses.isc;
     maintainers = with stdenv.lib.maintainers; [ pmahoney Profpatsch ];
   };
 
diff --git a/pkgs/tools/system/s6-rc/default.nix b/pkgs/tools/system/s6-rc/default.nix
index 5436c2f8c707..f6eed5671cea 100644
--- a/pkgs/tools/system/s6-rc/default.nix
+++ b/pkgs/tools/system/s6-rc/default.nix
@@ -2,7 +2,7 @@
 
 let
 
-  version = "0.3.0.0";
+  version = "0.4.0.1";
 
 in stdenv.mkDerivation rec {
 
@@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
   src = fetchgit {
     url = "git://git.skarnet.org/s6-rc";
     rev = "refs/tags/v${version}";
-    sha256 = "174a3l92nkhxrx8gq36xmb5a7krj40iz1xdiii25nxwjfiw5ynfb";
+    sha256 = "10gkkdbvkb4s2yshx425v9diwm7vvbl320a2bm0c3wz71xr94wsw";
   };
 
   outputs = [ "bin" "lib" "dev" "doc" "out" ];
diff --git a/pkgs/tools/system/s6/default.nix b/pkgs/tools/system/s6/default.nix
index 05666a7ad678..035d4280494c 100644
--- a/pkgs/tools/system/s6/default.nix
+++ b/pkgs/tools/system/s6/default.nix
@@ -2,7 +2,7 @@
 
 let
 
-  version = "2.6.1.1";
+  version = "2.7.1.1";
 
 in stdenv.mkDerivation rec {
 
@@ -11,7 +11,7 @@ in stdenv.mkDerivation rec {
   src = fetchgit {
     url = "git://git.skarnet.org/s6";
     rev = "refs/tags/v${version}";
-    sha256 = "162hng8xcwjp8pr4d78zq3f82lm9c6ldbcfll0mjsmnxdds5hrsg";
+    sha256 = "0dncw3h9wc4cgc9q8zjwicgbcqcn6722yhk8g9bvrhs7h4fkfqav";
   };
 
   # NOTE lib: cannot split lib from bin at the moment,
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 55251c904514..3663f6e9798a 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -313,6 +313,7 @@ mapAliases ({
   # added 2018-07-16
   forceSystem = system: _:
     (import self.path { localSystem = { inherit system; }; });
+  callPackage_i686 = pkgsi686Linux.callPackage;
 
   inherit (ocaml-ng) # added 2016-09-14
     ocamlPackages_3_10_0 ocamlPackages_3_11_2 ocamlPackages_3_12_1
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c9f6c16e9928..5c5a58c4f4ff 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2254,12 +2254,15 @@ with pkgs;
 
   # The latest version used by elasticsearch, logstash, kibana and the the beats from elastic.
   elk5Version = "5.6.9";
-  elk6Version = "6.2.4";
+  elk6Version = "6.3.2";
 
   elasticsearch = callPackage ../servers/search/elasticsearch { };
   elasticsearch2 = callPackage ../servers/search/elasticsearch/2.x.nix { };
   elasticsearch5 = callPackage ../servers/search/elasticsearch/5.x.nix { };
   elasticsearch6 = callPackage ../servers/search/elasticsearch/6.x.nix { };
+  elasticsearch6-oss = callPackage ../servers/search/elasticsearch/6.x.nix {
+    enableUnfree = false;
+  };
 
   elasticsearchPlugins = recurseIntoAttrs (
     callPackage ../servers/search/elasticsearch/plugins.nix { }
@@ -3364,6 +3367,9 @@ with pkgs;
   kibana  = callPackage ../development/tools/misc/kibana { };
   kibana5 = callPackage ../development/tools/misc/kibana/5.x.nix { };
   kibana6 = callPackage ../development/tools/misc/kibana/6.x.nix { };
+  kibana6-oss = callPackage ../development/tools/misc/kibana/6.x.nix {
+    enableUnfree = false;
+  };
 
   kismet = callPackage ../applications/networking/sniffers/kismet { };
 
@@ -3443,6 +3449,9 @@ with pkgs;
   logstash  = callPackage ../tools/misc/logstash { };
   logstash5 = callPackage ../tools/misc/logstash/5.x.nix { };
   logstash6 = callPackage ../tools/misc/logstash/6.x.nix { };
+  logstash6-oss = callPackage ../tools/misc/logstash/6.x.nix {
+    enableUnfree = false;
+  };
 
   logstash-contrib = callPackage ../tools/misc/logstash/contrib.nix { };
 
@@ -6213,6 +6222,7 @@ with pkgs;
   };
 
   clang = llvmPackages.clang;
+  clang-manpages = llvmPackages.clang-manpages;
 
   clang-sierraHack = clang.override {
     name = "clang-wrapper-with-reexport-hack";
@@ -6845,6 +6855,7 @@ with pkgs;
   lldb_6 = llvmPackages_6.lldb;
 
   llvm = llvmPackages.llvm;
+  llvm-manpages = llvmPackages.llvm-manpages;
 
   llvm_6  = llvmPackages_6.llvm;
   llvm_5  = llvmPackages_5.llvm;
@@ -11866,7 +11877,7 @@ with pkgs;
   sofia_sip = callPackage ../development/libraries/sofia-sip { };
 
   soil = callPackage ../development/libraries/soil { };
-  
+
   sonic = callPackage ../development/libraries/sonic { };
 
   soprano = callPackage ../development/libraries/soprano { };
@@ -18251,7 +18262,7 @@ with pkgs;
 
   st = callPackage ../applications/misc/st {
     conf = config.st.conf or null;
-    patches = config.st.patches or null;
+    patches = config.st.patches or [];
     extraLibs = config.st.extraLibs or [];
   };
 
@@ -20941,7 +20952,7 @@ with pkgs;
   spyder = pythonPackages.spyder;
 
   openspace = callPackage ../applications/science/astronomy/openspace { };
-  
+
   stellarium = libsForQt5.callPackage ../applications/science/astronomy/stellarium { };
 
   tulip = callPackage ../applications/science/misc/tulip {
@@ -21012,6 +21023,8 @@ with pkgs;
 
   ### MISC
 
+  android-file-transfer = libsForQt5.callPackage ../tools/filesystems/android-file-transfer { };
+
   antimicro = libsForQt5.callPackage ../tools/misc/antimicro { };
 
   atari800 = callPackage ../misc/emulators/atari800 { };