33 files changed, 188 insertions, 76 deletions

diff --git a/nixos/modules/services/continuous-integration/jenkins/default.nix b/nixos/modules/services/continuous-integration/jenkins/default.nix
index cfb1cd773c7f..6fd39e68b1d9 100644
--- a/nixos/modules/services/continuous-integration/jenkins/default.nix
+++ b/nixos/modules/services/continuous-integration/jenkins/default.nix
@@ -161,11 +161,11 @@ in {
       '';
 
       postStart = ''
-        until ${pkgs.curl}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} ; do
+        until ${pkgs.curl.bin}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix} ; do
           sleep 10
         done
         while true ; do
-          index=`${pkgs.curl}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}`
+          index=`${pkgs.curl.bin}/bin/curl -s -L ${cfg.listenAddress}:${toString cfg.port}${cfg.prefix}`
           if [[ !("$index" =~ 'Please wait while Jenkins is restarting' ||
                   "$index" =~ 'Please wait while Jenkins is getting ready to work') ]]; then
             exit 0
diff --git a/nixos/modules/services/databases/openldap.nix b/nixos/modules/services/databases/openldap.nix
index 6fd901a00559..9e86559dda04 100644
--- a/nixos/modules/services/databases/openldap.nix
+++ b/nixos/modules/services/databases/openldap.nix
@@ -87,7 +87,7 @@ in
         mkdir -p ${cfg.dataDir}
         chown -R ${cfg.user}:${cfg.group} ${cfg.dataDir}
       '';
-      serviceConfig.ExecStart = "${openldap}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -f ${configFile}";
+      serviceConfig.ExecStart = "${openldap.out}/libexec/slapd -u ${cfg.user} -g ${cfg.group} -d 0 -f ${configFile}";
     };
 
     users.extraUsers.openldap =
diff --git a/nixos/modules/services/desktops/gnome3/gvfs.nix b/nixos/modules/services/desktops/gnome3/gvfs.nix
index c4f41a6125c7..a07cdadbb12b 100644
--- a/nixos/modules/services/desktops/gnome3/gvfs.nix
+++ b/nixos/modules/services/desktops/gnome3/gvfs.nix
@@ -37,7 +37,7 @@ in
 
     services.dbus.packages = [ gnome3.gvfs ];
 
-    services.udev.packages = [ pkgs.libmtp ];
+    services.udev.packages = [ pkgs.libmtp.bin ];
 
   };
 
diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix
index e267aeee030c..8e883ed7775f 100644
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -72,7 +72,7 @@ let
       run_progs=$(grep -v '^[[:space:]]*#' $out/* | grep 'RUN+="[^/$]' |
         sed -e 's/.*RUN+="\([^ "]*\)[ "].*/\1/' | uniq)
       for i in $import_progs $run_progs; do
-        if [[ ! -x ${pkgs.udev}/lib/udev/$i && ! $i =~ socket:.* ]]; then
+        if [[ ! -x ${udev}/lib/udev/$i && ! $i =~ socket:.* ]]; then
           echo "FAIL"
           echo "$i is called in udev rules but not installed by udev"
           exit 1
diff --git a/nixos/modules/services/hardware/upower.nix b/nixos/modules/services/hardware/upower.nix
index 739d76fbf1f5..2198842a4511 100644
--- a/nixos/modules/services/hardware/upower.nix
+++ b/nixos/modules/services/hardware/upower.nix
@@ -51,7 +51,7 @@ in
 
     systemd.services.upower =
       { description = "Power Management Daemon";
-        path = [ pkgs.glib ]; # needed for gdbus
+        path = [ pkgs.glib.out ]; # needed for gdbus
         serviceConfig =
           { Type = "dbus";
             BusName = "org.freedesktop.UPower";
diff --git a/nixos/modules/services/misc/docker-registry.nix b/nixos/modules/services/misc/docker-registry.nix
index 0a0e160a7cc3..add339f9bdfe 100644
--- a/nixos/modules/services/misc/docker-registry.nix
+++ b/nixos/modules/services/misc/docker-registry.nix
@@ -65,7 +65,7 @@ in {
       };
 
       postStart = ''
-        until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/'; do
+        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/'; do
           sleep 1;
         done
       '';
diff --git a/nixos/modules/services/misc/nix-daemon.nix b/nixos/modules/services/misc/nix-daemon.nix
index e079a5d80d4c..911f79e5756a 100644
--- a/nixos/modules/services/misc/nix-daemon.nix
+++ b/nixos/modules/services/misc/nix-daemon.nix
@@ -358,7 +358,7 @@ in
     systemd.sockets.nix-daemon.wantedBy = [ "sockets.target" ];
 
     systemd.services.nix-daemon =
-      { path = [ nix pkgs.openssl pkgs.utillinux config.programs.ssh.package ]
+      { path = [ nix pkgs.openssl.bin pkgs.utillinux config.programs.ssh.package ]
           ++ optionals cfg.distributedBuilds [ pkgs.gzip ];
 
         environment = cfg.envVars
diff --git a/nixos/modules/services/misc/subsonic.nix b/nixos/modules/services/misc/subsonic.nix
index 020d53a481de..c1ebe418f727 100644
--- a/nixos/modules/services/misc/subsonic.nix
+++ b/nixos/modules/services/misc/subsonic.nix
@@ -97,7 +97,7 @@ in
 
       transcoders = mkOption {
         type = types.listOf types.path;
-        default = [ "${pkgs.ffmpeg}/bin/ffmpeg" ];
+        default = [ "${pkgs.ffmpeg.bin}/bin/ffmpeg" ];
         description = ''
           List of paths to transcoder executables that should be accessible
           from Subsonic. Symlinks will be created to each executable inside
diff --git a/nixos/modules/services/misc/svnserve.nix b/nixos/modules/services/misc/svnserve.nix
index 37dd133e137d..c74befac749d 100644
--- a/nixos/modules/services/misc/svnserve.nix
+++ b/nixos/modules/services/misc/svnserve.nix
@@ -38,7 +38,7 @@ in
       after = [ "network-interfaces.target" ];
       wantedBy = [ "multi-user.target" ];
       preStart = "mkdir -p ${cfg.svnBaseDir}";
-      script = "${pkgs.subversion}/bin/svnserve -r ${cfg.svnBaseDir} -d --foreground --pid-file=/var/run/svnserve.pid";
+      script = "${pkgs.subversion.out}/bin/svnserve -r ${cfg.svnBaseDir} -d --foreground --pid-file=/var/run/svnserve.pid";
     };
   };
 }
diff --git a/nixos/modules/services/monitoring/cadvisor.nix b/nixos/modules/services/monitoring/cadvisor.nix
index 425e0ee9230f..a67df158be47 100644
--- a/nixos/modules/services/monitoring/cadvisor.nix
+++ b/nixos/modules/services/monitoring/cadvisor.nix
@@ -71,7 +71,7 @@ in {
       after = [ "network.target" "docker.service" "influxdb.service" ];
 
       postStart = mkBefore ''
-        until ${pkgs.curl}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
+        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null 'http://${cfg.listenAddress}:${toString cfg.port}/containers/'; do
           sleep 1;
         done
       '';
diff --git a/nixos/modules/services/monitoring/graphite.nix b/nixos/modules/services/monitoring/graphite.nix
index 7104a5796f76..e50728aff8f8 100644
--- a/nixos/modules/services/monitoring/graphite.nix
+++ b/nixos/modules/services/monitoring/graphite.nix
@@ -509,7 +509,7 @@ in {
               };
             in "${aenv}/${pkgs.python.sitePackages}";
           GRAPHITE_API_CONFIG = graphiteApiConfig;
-          LD_LIBRARY_PATH = "${pkgs.cairo}/lib";
+          LD_LIBRARY_PATH = "${pkgs.cairo.out}/lib";
         };
         serviceConfig = {
           ExecStart = ''
diff --git a/nixos/modules/services/network-filesystems/tahoe.nix b/nixos/modules/services/network-filesystems/tahoe.nix
index ab441339a560..d4b6c05e9432 100644
--- a/nixos/modules/services/network-filesystems/tahoe.nix
+++ b/nixos/modules/services/network-filesystems/tahoe.nix
@@ -26,6 +26,15 @@ in
               The port on which the introducer will listen.
             '';
           };
+          tub.location = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            description = ''
+              The external location that the introducer should listen on.
+
+              If specified, the port should be included.
+            '';
+          };
           package = mkOption {
             default = pkgs.tahoelafs;
             defaultText = "pkgs.tahoelafs";
@@ -60,6 +69,18 @@ in
               system to listen on a different port.
             '';
           };
+          tub.location = mkOption {
+            default = null;
+            type = types.nullOr types.str;
+            description = ''
+              The external location that the node should listen on.
+
+              This is the setting to tweak if there are multiple interfaces
+              and you want to alter which interface Tahoe is advertising.
+
+              If specified, the port should be included.
+            '';
+          };
           web.port = mkOption {
             default = 3456;
             type = types.int;
@@ -144,6 +165,8 @@ in
                 [node]
                 nickname = ${settings.nickname}
                 tub.port = ${toString settings.tub.port}
+                ${optionalString (settings.tub.location != null)
+                  "tub.location = ${settings.tub.location}"}
               '';
             });
           # Actually require Tahoe, so that we will have it installed.
@@ -209,6 +232,8 @@ in
                 [node]
                 nickname = ${settings.nickname}
                 tub.port = ${toString settings.tub.port}
+                ${optionalString (settings.tub.location != null)
+                  "tub.location = ${settings.tub.location}"}
                 # This is a Twisted endpoint. Twisted Web doesn't work on
                 # non-TCP. ~ C.
                 web.port = tcp:${toString settings.web.port}
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 886bfc30468e..61305f5a755e 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -151,7 +151,7 @@ in
         /etc/group r,
         ${config.environment.etc."nsswitch.conf".source} r,
 
-        ${pkgs.glibc}/lib/*.so mr,
+        ${pkgs.glibc.out}/lib/*.so mr,
         ${pkgs.tzdata}/share/zoneinfo/** r,
 
         network inet stream,
@@ -159,12 +159,12 @@ in
         network inet dgram,
         network inet6 dgram,
 
-        ${pkgs.gcc.cc}/lib/libssp.so.* mr,
-        ${pkgs.libsodium}/lib/libsodium.so.* mr,
+        ${pkgs.gcc.cc.lib}/lib/libssp.so.* mr,
+        ${pkgs.libsodium.out}/lib/libsodium.so.* mr,
         ${pkgs.systemd}/lib/libsystemd.so.* mr,
-        ${pkgs.xz}/lib/liblzma.so.* mr,
-        ${pkgs.libgcrypt}/lib/libgcrypt.so.* mr,
-        ${pkgs.libgpgerror}/lib/libgpg-error.so.* mr,
+        ${pkgs.xz.out}/lib/liblzma.so.* mr,
+        ${pkgs.libgcrypt.out}/lib/libgcrypt.so.* mr,
+        ${pkgs.libgpgerror.out}/lib/libgpg-error.so.* mr,
         ${pkgs.libcap}/lib/libcap.so.* mr,
         ${pkgs.lz4}/lib/liblz4.so.* mr,
         ${pkgs.attr}/lib/libattr.so.* mr,
diff --git a/nixos/modules/services/networking/i2pd.nix b/nixos/modules/services/networking/i2pd.nix
index 15ec9be80121..0cbf57314c4b 100644
--- a/nixos/modules/services/networking/i2pd.nix
+++ b/nixos/modules/services/networking/i2pd.nix
@@ -8,7 +8,7 @@ let
 
   homeDir = "/var/lib/i2pd";
 
-  extip = "EXTIP=\$(${pkgs.curl}/bin/curl -sf \"http://jsonip.com\" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')";
+  extip = "EXTIP=\$(${pkgs.curl.bin}/bin/curl -sf \"http://jsonip.com\" | ${pkgs.gawk}/bin/awk -F'\"' '{print $4}')";
 
   toYesNo = b: if b then "yes" else "no";
 
diff --git a/nixos/modules/services/networking/nix-serve.nix b/nixos/modules/services/networking/nix-serve.nix
index 880a1d361dfe..8f6881441cf7 100644
--- a/nixos/modules/services/networking/nix-serve.nix
+++ b/nixos/modules/services/networking/nix-serve.nix
@@ -50,7 +50,7 @@ in
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
-      path = [ config.nix.package pkgs.bzip2 ];
+      path = [ config.nix.package pkgs.bzip2.bin ];
       environment.NIX_REMOTE = "daemon";
       environment.NIX_SECRET_KEY_FILE = cfg.secretKeyFile;
 
diff --git a/nixos/modules/services/networking/shout.nix b/nixos/modules/services/networking/shout.nix
index f069fe7bec96..3664c2857739 100644
--- a/nixos/modules/services/networking/shout.nix
+++ b/nixos/modules/services/networking/shout.nix
@@ -6,6 +6,21 @@ let
   cfg = config.services.shout;
   shoutHome = "/var/lib/shout";
 
+  defaultConfig = pkgs.runCommand "config.js" {} ''
+    EDITOR=true ${pkgs.shout}/bin/shout config --home $PWD
+    mv config.js $out
+  '';
+
+  finalConfigFile = if (cfg.configFile != null) then cfg.configFile else ''
+    var _ = require('${pkgs.shout}/lib/node_modules/shout/node_modules/lodash')
+
+    module.exports = _.merge(
+      {},
+      require('${defaultConfig}'),
+      ${builtins.toJSON cfg.config}
+    )
+  '';
+
 in {
   options.services.shout = {
     enable = mkEnableOption "Shout web IRC client";
@@ -35,8 +50,31 @@ in {
       type = types.nullOr types.lines;
       default = null;
       description = ''
-        Contents of Shout's <filename>config.js</filename> file. If left empty,
-        Shout will generate from its defaults at first startup.
+        Contents of Shout's <filename>config.js</filename> file.
+
+        Used for backward compatibility, recommended way is now to use
+        the <literal>config</literal> option.
+
+        Documentation: http://shout-irc.com/docs/server/configuration.html
+      '';
+    };
+
+    config = mkOption {
+      default = {};
+      type = types.attrs;
+      example = {
+        displayNetwork = false;
+        defaults = {
+          name = "Your Network";
+          host = "localhost";
+          port = 6697;
+        };
+      };
+      description = ''
+        Shout <filename>config.js</filename> contents as attribute set (will be
+        converted to JSON to generate the configuration file).
+
+        The options defined here will be merged to the default configuration file.
 
         Documentation: http://shout-irc.com/docs/server/configuration.html
       '';
@@ -57,11 +95,7 @@ in {
       wantedBy = [ "multi-user.target" ];
       wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
-      preStart = if isNull cfg.configFile then ""
-                 else ''
-                   ln -sf ${pkgs.writeText "config.js" cfg.configFile} \
-                          ${shoutHome}/config.js
-                 '';
+      preStart = "ln -sf ${pkgs.writeText "config.js" finalConfigFile} ${shoutHome}/config.js";
       script = concatStringsSep " " [
         "${pkgs.shout}/bin/shout"
         (if cfg.private then "--private" else "--public")
diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix
index 9e122dc7beac..29166be2399b 100644
--- a/nixos/modules/services/printing/cupsd.nix
+++ b/nixos/modules/services/printing/cupsd.nix
@@ -14,21 +14,21 @@ let
   additionalBackends = pkgs.runCommand "additional-cups-backends" { }
     ''
       mkdir -p $out
-      if [ ! -e ${cups}/lib/cups/backend/smb ]; then
+      if [ ! -e ${cups.out}/lib/cups/backend/smb ]; then
         mkdir -p $out/lib/cups/backend
         ln -sv ${pkgs.samba}/bin/smbspool $out/lib/cups/backend/smb
       fi
 
       # Provide support for printing via HTTPS.
-      if [ ! -e ${cups}/lib/cups/backend/https ]; then
+      if [ ! -e ${cups.out}/lib/cups/backend/https ]; then
         mkdir -p $out/lib/cups/backend
-        ln -sv ${cups}/lib/cups/backend/ipp $out/lib/cups/backend/https
+        ln -sv ${cups.out}/lib/cups/backend/ipp $out/lib/cups/backend/https
       fi
     '';
 
   # Here we can enable additional backends, filters, etc. that are not
   # part of CUPS itself, e.g. the SMB backend is part of Samba.  Since
-  # we can't update ${cups}/lib/cups itself, we create a symlink tree
+  # we can't update ${cups.out}/lib/cups itself, we create a symlink tree
   # here and add the additional programs.  The ServerBin directive in
   # cupsd.conf tells cupsd to use this tree.
   bindir = pkgs.buildEnv {
diff --git a/nixos/modules/services/search/elasticsearch.nix b/nixos/modules/services/search/elasticsearch.nix
index 31332489a784..c51a42b8e9c1 100644
--- a/nixos/modules/services/search/elasticsearch.nix
+++ b/nixos/modules/services/search/elasticsearch.nix
@@ -148,7 +148,7 @@ in {
         if [ "$(id -u)" = 0 ]; then chown -R elasticsearch ${cfg.dataDir}; fi
       '';
       postStart = mkBefore ''
-        until ${pkgs.curl}/bin/curl -s -o /dev/null ${cfg.listenAddress}:${toString cfg.port}; do
+        until ${pkgs.curl.bin}/bin/curl -s -o /dev/null ${cfg.listenAddress}:${toString cfg.port}; do
           sleep 1
         done
       '';
diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index ba34eb25169c..327993443048 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -121,7 +121,7 @@ in
 
     security.setuidOwners = singleton
       { program = "dbus-daemon-launch-helper";
-        source = "${pkgs.dbus_daemon}/libexec/dbus-daemon-launch-helper";
+        source = "${pkgs.dbus_daemon.lib}/libexec/dbus-daemon-launch-helper";
         owner = "root";
         group = "messagebus";
         setuid = true;
diff --git a/nixos/modules/services/system/nscd.nix b/nixos/modules/services/system/nscd.nix
index 3c0d2043ed5d..d98ef8a306d5 100644
--- a/nixos/modules/services/system/nscd.nix
+++ b/nixos/modules/services/system/nscd.nix
@@ -64,14 +64,14 @@ in
         restartTriggers = [ config.environment.etc.hosts.source config.environment.etc."nsswitch.conf".source ];
 
         serviceConfig =
-          { ExecStart = "@${pkgs.glibc}/sbin/nscd nscd -f ${cfgFile}";
+          { ExecStart = "@${pkgs.glibc.bin}/sbin/nscd nscd -f ${cfgFile}";
             Type = "forking";
             PIDFile = "/run/nscd/nscd.pid";
             Restart = "always";
             ExecReload =
-              [ "${pkgs.glibc}/sbin/nscd --invalidate passwd"
-                "${pkgs.glibc}/sbin/nscd --invalidate group"
-                "${pkgs.glibc}/sbin/nscd --invalidate hosts"
+              [ "${pkgs.glibc.bin}/sbin/nscd --invalidate passwd"
+                "${pkgs.glibc.bin}/sbin/nscd --invalidate group"
+                "${pkgs.glibc.bin}/sbin/nscd --invalidate hosts"
               ];
           };
 
@@ -79,7 +79,7 @@ in
         # its pid. So wait until it's ready.
         postStart =
           ''
-            while ! ${pkgs.glibc}/sbin/nscd -g -f ${cfgFile} > /dev/null; do
+            while ! ${pkgs.glibc.bin}/sbin/nscd -g -f ${cfgFile} > /dev/null; do
               sleep 0.2
             done
           '';
diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
index 7718a721763c..c2220cb0cff7 100644
--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -113,21 +113,21 @@ in
           #include <abstractions/base>
           #include <abstractions/nameservice>
 
-          ${pkgs.glibc}/lib/*.so                    mr,
-          ${pkgs.libevent}/lib/libevent*.so*        mr,
-          ${pkgs.curl}/lib/libcurl*.so*             mr,
-          ${pkgs.openssl}/lib/libssl*.so*           mr,
-          ${pkgs.openssl}/lib/libcrypto*.so*        mr,
-          ${pkgs.zlib}/lib/libz*.so*                mr,
-          ${pkgs.libssh2}/lib/libssh2*.so*          mr,
+          ${pkgs.glibc.out}/lib/*.so                    mr,
+          ${pkgs.libevent.out}/lib/libevent*.so*        mr,
+          ${pkgs.curl.out}/lib/libcurl*.so*             mr,
+          ${pkgs.openssl.out}/lib/libssl*.so*           mr,
+          ${pkgs.openssl.out}/lib/libcrypto*.so*        mr,
+          ${pkgs.zlib.out}/lib/libz*.so*                mr,
+          ${pkgs.libssh2.out}/lib/libssh2*.so*          mr,
           ${pkgs.systemd}/lib/libsystemd*.so*       mr,
-          ${pkgs.xz}/lib/liblzma*.so*               mr,
-          ${pkgs.libgcrypt}/lib/libgcrypt*.so*      mr,
-          ${pkgs.libgpgerror}/lib/libgpg-error*.so* mr,
-          ${pkgs.libnghttp2}/lib/libnghttp2*.so*    mr,
-          ${pkgs.c-ares}/lib/libcares*.so*          mr,
-          ${pkgs.libcap}/lib/libcap*.so*            mr,
-          ${pkgs.attr}/lib/libattr*.so*             mr,
+          ${pkgs.xz.out}/lib/liblzma*.so*               mr,
+          ${pkgs.libgcrypt.out}/lib/libgcrypt*.so*      mr,
+          ${pkgs.libgpgerror.out}/lib/libgpg-error*.so* mr,
+          ${pkgs.libnghttp2.out}/lib/libnghttp2*.so*    mr,
+          ${pkgs.c-ares.out}/lib/libcares*.so*          mr,
+          ${pkgs.libcap.out}/lib/libcap*.so*            mr,
+          ${pkgs.attr.out}/lib/libattr*.so*             mr,
           ${pkgs.lz4}/lib/liblz4*.so*               mr,
 
           @{PROC}/sys/kernel/random/uuid   r,
diff --git a/nixos/modules/services/web-servers/apache-httpd/default.nix b/nixos/modules/services/web-servers/apache-httpd/default.nix
index fdbd61c85e65..7953729c00cd 100644
--- a/nixos/modules/services/web-servers/apache-httpd/default.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/default.nix
@@ -6,13 +6,13 @@ let
 
   mainCfg = config.services.httpd;
 
-  httpd = mainCfg.package;
+  httpd = mainCfg.package.out;
 
   version24 = !versionOlder httpd.version "2.4";
 
   httpdConf = mainCfg.configFile;
 
-  php = pkgs.php.override { apacheHttpd = httpd; };
+  php = pkgs.php.override { apacheHttpd = httpd.dev; /* otherwise it only gets .out */ };
 
   getPort = cfg: if cfg.port != 0 then cfg.port else if cfg.enableSSL then 443 else 80;
 
diff --git a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
index a9ec20ae8471..94e85f1f4289 100644
--- a/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/owncloud.nix
@@ -333,7 +333,7 @@ let
 
       'version' => '${config.package.version}',
 
-      'openssl' => '${pkgs.openssl}/bin/openssl'
+      'openssl' => '${pkgs.openssl.bin}/bin/openssl'
 
       );
 
diff --git a/nixos/modules/services/web-servers/apache-httpd/phabricator.nix b/nixos/modules/services/web-servers/apache-httpd/phabricator.nix
index e4e3aac8d411..efd4a7b5f0fb 100644
--- a/nixos/modules/services/web-servers/apache-httpd/phabricator.nix
+++ b/nixos/modules/services/web-servers/apache-httpd/phabricator.nix
@@ -39,7 +39,7 @@ in {
       "${pkgs.diffutils}"
       ] ++
       (if config.mercurial then ["${pkgs.mercurial}"] else []) ++
-      (if config.subversion then ["${pkgs.subversion}"] else []) ++
+      (if config.subversion then ["${pkgs.subversion.out}"] else []) ++
       (if config.git then ["${pkgs.git}"] else []);
 
   startupScript = pkgs.writeScript "activatePhabricator" ''
diff --git a/nixos/modules/services/web-servers/caddy.nix b/nixos/modules/services/web-servers/caddy.nix
new file mode 100644
index 000000000000..0d2612aaa66b
--- /dev/null
+++ b/nixos/modules/services/web-servers/caddy.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.caddy;
+  configFile = pkgs.writeText "Caddyfile" cfg.config;
+in
+{
+  options.services.caddy = {
+    enable = mkEnableOption "Caddy web server";
+
+    config = mkOption {
+      description = "Verbatim Caddyfile to use";
+    };
+
+    email = mkOption {
+      default = "";
+      type = types.string;
+      description = "Email address (for Let's Encrypt certificate)";
+    };
+
+    dataDir = mkOption {
+      default = "/var/lib/caddy";
+      type = types.path;
+      description = "The data directory, for storing certificates.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.caddy = {
+      description = "Caddy web server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.caddy}/bin/caddy -conf=${configFile} -email=${cfg.email}";
+	Type = "simple";
+	User = "caddy";
+	Group = "caddy";
+	AmbientCapabilities = "cap_net_bind_service";
+      };
+    };
+
+    users.extraUsers.caddy = {
+      group = "caddy";
+      uid = config.ids.uids.caddy;
+      home = cfg.dataDir;
+      createHome = true;
+    };
+
+    users.extraGroups.caddy.gid = config.ids.uids.caddy;
+  };
+}
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index be7700424bc6..b112fc2422a7 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -166,7 +166,7 @@ in {
       };
 
     environment.variables.GIO_EXTRA_MODULES = [ "${gnome3.dconf}/lib/gio/modules"
-                                                "${gnome3.glib_networking}/lib/gio/modules"
+                                                "${gnome3.glib_networking.out}/lib/gio/modules"
                                                 "${gnome3.gvfs}/lib/gio/modules" ];
     environment.systemPackages = gnome3.corePackages ++ cfg.sessionPath
       ++ (removePackagesByName gnome3.optionalPackages config.environment.gnome3.excludePackages);
diff --git a/nixos/modules/services/x11/desktop-managers/kde5.nix b/nixos/modules/services/x11/desktop-managers/kde5.nix
index 71361bae82dc..4f74d5732af5 100644
--- a/nixos/modules/services/x11/desktop-managers/kde5.nix
+++ b/nixos/modules/services/x11/desktop-managers/kde5.nix
@@ -62,13 +62,13 @@ in
           ${config.hardware.pulseaudio.package}/bin/pactl load-module module-device-manager "do_routing=1"
         ''}
 
-        exec ${kde5.plasma-workspace}/bin/startkde
+        exec startkde
       '';
     };
 
     security.setuidOwners = singleton {
       program = "kcheckpass";
-      source = "${kde5.plasma-workspace}/lib/libexec/kcheckpass";
+      source = "${kde5.plasma-workspace.out}/lib/libexec/kcheckpass";
       owner = "root";
       group = "root";
       setuid = true;
@@ -171,12 +171,12 @@ in
 
     # Enable GTK applications to load SVG icons
     environment.variables = mkIf (lib.hasAttr "breeze-icons" kde5) {
-      GDK_PIXBUF_MODULE_FILE = "${pkgs.librsvg}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache";
+      GDK_PIXBUF_MODULE_FILE = "${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache";
     };
 
     fonts.fonts = [ (kde5.oxygen-fonts or pkgs.noto-fonts) ];
 
-    programs.ssh.askPassword = "${kde5.ksshaskpass}/bin/ksshaskpass";
+    programs.ssh.askPassword = "${kde5.ksshaskpass.out}/bin/ksshaskpass";
 
     # Enable helpful DBus services.
     services.udisks2.enable = true;
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix
index 7dffdfc2b36c..be634fc259a2 100644
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@@ -45,7 +45,7 @@ let
 
       ${optionalString cfg.startDbusSession ''
         if test -z "$DBUS_SESSION_BUS_ADDRESS"; then
-          exec ${pkgs.dbus.tools}/bin/dbus-launch --exit-with-session "$0" "$sessionType"
+          exec ${pkgs.dbus.dbus-launch} --exit-with-session "$0" "$sessionType"
         fi
       ''}
 
@@ -55,11 +55,11 @@ let
       # Start PulseAudio if enabled.
       ${optionalString (config.hardware.pulseaudio.enable) ''
         ${optionalString (!config.hardware.pulseaudio.systemWide)
-          "${config.hardware.pulseaudio.package}/bin/pulseaudio --start"
+          "${config.hardware.pulseaudio.package.out}/bin/pulseaudio --start"
         }
 
         # Publish access credentials in the root window.
-        ${config.hardware.pulseaudio.package}/bin/pactl load-module module-x11-publish "display=$DISPLAY"
+        ${config.hardware.pulseaudio.package.out}/bin/pactl load-module module-x11-publish "display=$DISPLAY"
       ''}
 
       # Tell systemd about our $DISPLAY. This is needed by the
@@ -275,7 +275,7 @@ in
   };
 
   config = {
-    services.xserver.displayManager.xserverBin = "${xorg.xorgserver}/bin/X";
+    services.xserver.displayManager.xserverBin = "${xorg.xorgserver.out}/bin/X";
   };
 
   imports = [
diff --git a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
index f5b6c20c5a05..543dd628ce66 100644
--- a/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm-greeters/gtk.nix
@@ -24,9 +24,9 @@ let
       # This wrapper ensures that we actually get themes
       makeWrapper ${pkgs.lightdm_gtk_greeter}/sbin/lightdm-gtk-greeter \
         $out/greeter \
-        --prefix PATH : "${pkgs.glibc}/bin" \
-        --set GDK_PIXBUF_MODULE_FILE "${pkgs.gdk_pixbuf}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache" \
-        --set GTK_PATH "${theme}:${pkgs.gtk3}" \
+        --prefix PATH : "${pkgs.glibc.bin}/bin" \
+        --set GDK_PIXBUF_MODULE_FILE "${pkgs.gdk_pixbuf.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache" \
+        --set GTK_PATH "${theme}:${pkgs.gtk3.out}" \
         --set GTK_EXE_PREFIX "${theme}" \
         --set GTK_DATA_PREFIX "${theme}" \
         --set XDG_DATA_DIRS "${theme}/share:${icons}/share" \
diff --git a/nixos/modules/services/x11/display-managers/sddm.nix b/nixos/modules/services/x11/display-managers/sddm.nix
index 4d61afe0eaeb..7a17a222bcab 100644
--- a/nixos/modules/services/x11/display-managers/sddm.nix
+++ b/nixos/modules/services/x11/display-managers/sddm.nix
@@ -48,7 +48,7 @@ let
     [XDisplay]
     MinimumVT=${toString xcfg.tty}
     ServerPath=${xserverWrapper}
-    XephyrPath=${pkgs.xorg.xorgserver}/bin/Xephyr
+    XephyrPath=${pkgs.xorg.xorgserver.out}/bin/Xephyr
     SessionCommand=${dmcfg.session.script}
     SessionDir=${dmcfg.session.desktops}
     XauthPath=${pkgs.xorg.xauth}/bin/xauth
diff --git a/nixos/modules/services/x11/terminal-server.nix b/nixos/modules/services/x11/terminal-server.nix
index 4d5dbd604159..09d0ab077515 100644
--- a/nixos/modules/services/x11/terminal-server.nix
+++ b/nixos/modules/services/x11/terminal-server.nix
@@ -41,7 +41,7 @@ with lib;
       { description = "Terminal Server";
 
         path =
-          [ pkgs.xorgserver pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
+          [ pkgs.xorgserver.out pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
             pkgs.nettools pkgs.shadow pkgs.procps pkgs.utillinux pkgs.bash
           ];
 
diff --git a/nixos/modules/services/x11/window-managers/metacity.nix b/nixos/modules/services/x11/window-managers/metacity.nix
index 3e5229be634f..2957ad91be45 100644
--- a/nixos/modules/services/x11/window-managers/metacity.nix
+++ b/nixos/modules/services/x11/window-managers/metacity.nix
@@ -20,7 +20,7 @@ in
     services.xserver.windowManager.session = singleton
       { name = "metacity";
         start = ''
-          env LD_LIBRARY_PATH=${xorg.libX11}/lib:${xorg.libXext}/lib:/usr/lib/
+          env LD_LIBRARY_PATH=${xorg.libX11.out}/lib:${xorg.libXext.out}/lib:/usr/lib/
           # !!! Hack: load the schemas for Metacity.
           GCONF_CONFIG_SOURCE=xml::~/.gconf ${gnome.GConf}/bin/gconftool-2 \
             --makefile-install-rule ${gnome.metacity}/etc/gconf/schemas/*.schemas # */
diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix
index 70df18b40209..dcf9f820f59c 100644
--- a/nixos/modules/services/x11/xserver.nix
+++ b/nixos/modules/services/x11/xserver.nix
@@ -456,7 +456,7 @@ in
         ]);
 
     environment.systemPackages =
-      [ xorg.xorgserver
+      [ xorg.xorgserver.out
         xorg.xrandr
         xorg.xrdb
         xorg.setxkbmap
@@ -466,6 +466,7 @@ in
         xorg.xsetroot
         xorg.xinput
         xorg.xprop
+        xorg.xauth
         pkgs.xterm
         pkgs.xdg_utils
       ]
@@ -493,7 +494,7 @@ in
             XKB_BINDIR = "${xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
             XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
             LD_LIBRARY_PATH = concatStringsSep ":" (
-              [ "${xorg.libX11}/lib" "${xorg.libXext}/lib" ]
+              [ "${xorg.libX11.out}/lib" "${xorg.libXext.out}/lib" ]
               ++ concatLists (catAttrs "libPath" cfg.drivers));
           } // cfg.displayManager.job.environment;
 
@@ -513,8 +514,7 @@ in
       };
 
     services.xserver.displayManager.xserverArgs =
-      [ "-ac"
-        "-terminate"
+      [ "-terminate"
         "-config ${configFile}"
         "-xkbdir" "${cfg.xkbDir}"
       ] ++ optional (cfg.display != null) ":${toString cfg.display}"
@@ -525,7 +525,7 @@ in
 
     services.xserver.modules =
       concatLists (catAttrs "modules" cfg.drivers) ++
-      [ xorg.xorgserver
+      [ xorg.xorgserver.out
         xorg.xf86inputevdev
       ];