48 files changed, 191 insertions, 799 deletions
diff --git a/modules/naemon/default.nix b/modules/naemon/default.nix
index 38e99a9..976de69 100644
--- a/modules/naemon/default.nix
+++ b/modules/naemon/default.nix
@@ -137,18 +137,18 @@ in
      }
    ];
-    users.users = optionalAttrs (cfg.user == "naemon") (singleton
+    users.users = optionalAttrs (cfg.user == "naemon") {
-      {
+      naemon = {
-        name = "naemon";
        group = cfg.group;
        uid   = config.ids.uids.nagios;
        extraGroups = [ "keys" ];
-      });
+      };
-    users.groups = optionalAttrs (cfg.user == "naemon") (singleton
+    };
-      {
+    users.groups = optionalAttrs (cfg.user == "naemon") {
-        name = "naemon";
+      naemon = {
-        gid   = config.ids.gids.nagios;
+        gid = config.ids.gids.nagios;
-      });
+      };
+    };
    services.filesWatcher.naemon = {
      paths = [ config.secrets.fullPaths."naemon/resources.cfg" ];
diff --git a/modules/opendmarc.nix b/modules/opendmarc.nix
index e18ec82..6137d10 100644
--- a/modules/opendmarc.nix
+++ b/modules/opendmarc.nix
@@ -59,16 +59,18 @@ in {
  config = mkIf cfg.enable {
-    users.users = optionalAttrs (cfg.user == "opendmarc") (singleton
+    users.users = optionalAttrs (cfg.user == "opendmarc") {
-      { name = "opendmarc";
+      opendmarc = {
        group = cfg.group;
        uid = config.ids.uids.opendmarc;
-      });
+      };
+    };
-    users.groups = optionalAttrs (cfg.group == "opendmarc") (singleton
+    users.groups = optionalAttrs (cfg.group == "opendmarc") {
-      { name = "opendmarc";
+      opendmarc = {
        gid = config.ids.gids.opendmarc;
-      });
+      };
+    };
    environment.systemPackages = [ pkgs.opendmarc ];
diff --git a/modules/private/certificates.nix b/modules/private/certificates.nix
index 2bf2730..82ff52f 100644
--- a/modules/private/certificates.nix
+++ b/modules/private/certificates.nix
@@ -12,7 +12,6 @@
          (lib.optionalString config.services.httpd.Inte.enable "systemctl reload httpdInte.service")
          (lib.optionalString config.services.nginx.enable "systemctl reload nginx.service")
        ];
-        plugins = [ "cert.pem" "chain.pem" "fullchain.pem" "full.pem" "key.pem" "account_key.json" "account_reg.json"];
      };
      description = "Default configuration for certificates";
    };
@@ -30,6 +29,7 @@
    myServices.databasesCerts = config.myServices.certificates.certConfig;
    myServices.ircCerts = config.myServices.certificates.certConfig;
+    security.acme.acceptTerms = true;
    security.acme.preliminarySelfsigned = true;
    security.acme.certs = {
@@ -39,18 +39,16 @@
    };
    systemd.services = lib.attrsets.mapAttrs' (k: v:
-      lib.attrsets.nameValuePair "acme-selfsigned-${k}" (lib.mkBefore { script =
+      lib.attrsets.nameValuePair "acme-selfsigned-${k}" { script = lib.mkBefore ''
-        (lib.optionalString (builtins.elem "cert.pem" v.plugins) ''
        cp $workdir/server.crt ${config.security.acme.certs."${k}".directory}/cert.pem
        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/cert.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/cert.pem
-        '') +
-        (lib.optionalString (builtins.elem "chain.pem" v.plugins) ''
        cp $workdir/ca.crt ${config.security.acme.certs."${k}".directory}/chain.pem
        chown '${v.user}:${v.group}' ${config.security.acme.certs."${k}".directory}/chain.pem
        chmod ${if v.allowKeysForGroup then "750" else "700"} ${config.security.acme.certs."${k}".directory}/chain.pem
-        '')
+        '';
-      ; })
+      }
    ) config.security.acme.certs //
    lib.attrsets.mapAttrs' (k: data:
      lib.attrsets.nameValuePair "acme-${k}" {
diff --git a/modules/private/databases/mariadb.nix b/modules/private/databases/mariadb.nix
index 04e4bd6..36edaeb 100644
--- a/modules/private/databases/mariadb.nix
+++ b/modules/private/databases/mariadb.nix
@@ -94,26 +94,27 @@ in {
      enable = true;
      package = cfg.package;
      dataDir = cfg.dataDir;
-      extraOptions = ''
+      settings = {
-        ssl_ca = ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+        mysqld = {
-        ssl_key = ${config.security.acme.certs.mysql.directory}/key.pem
+          ssl_ca = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
-        ssl_cert = ${config.security.acme.certs.mysql.directory}/fullchain.pem
+          ssl_key = "${config.security.acme.certs.mysql.directory}/key.pem";
+          ssl_cert = "${config.security.acme.certs.mysql.directory}/fullchain.pem";
-        # for replication
+          # for replication
-        log-bin=mariadb-bin
+          log-bin = "mariadb-bin";
-        server-id=1
+          server-id = "1";
-        # this introduces a small delay before storing on disk, but
+          # this introduces a small delay before storing on disk, but
-        # makes it order of magnitudes quicker
+          # makes it order of magnitudes quicker
-        innodb_flush_log_at_trx_commit = 0
+          innodb_flush_log_at_trx_commit = "0";
-        '';
+        };
+      };
    };
    users.users.mysql.extraGroups = [ "keys" ];
    security.acme.certs."mysql" = config.myServices.databasesCerts // {
      user = "mysql";
      group = "mysql";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
      domain = "db-1.immae.eu";
      postRun = ''
        systemctl restart mysql.service
@@ -164,23 +165,21 @@ in {
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-    in [
+    in {
-      {
+      mysql = {
-        name = "mysql";
        text = ''
          # https://mariadb.com/kb/en/mariadb/pam-authentication-plugin/
          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam
          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam
          '';
-      }
+      };
-      {
+      mysql_replication = {
-        name = "mysql_replication";
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
          account required ${pam_ldap} config=${config.secrets.location}/mysql/pam_replication
          '';
-      }
+      };
-    ];
+    };
  };
 }
diff --git a/modules/private/databases/openldap/default.nix b/modules/private/databases/openldap/default.nix
index efe9379..302aa04 100644
--- a/modules/private/databases/openldap/default.nix
+++ b/modules/private/databases/openldap/default.nix
@@ -107,7 +107,6 @@ in
    security.acme.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
diff --git a/modules/private/databases/postgresql.nix b/modules/private/databases/postgresql.nix
index d0b1a75..c442a63 100644
--- a/modules/private/databases/postgresql.nix
+++ b/modules/private/databases/postgresql.nix
@@ -100,7 +100,6 @@ in {
    security.acme.certs."postgresql" = config.myServices.databasesCerts // {
      user = "postgres";
      group = "postgres";
-      plugins = [ "fullchain.pem" "key.pem" "account_key.json" "account_reg.json" ];
      domain = "db-1.immae.eu";
      postRun = ''
        systemctl reload postgresql.service
@@ -212,22 +211,20 @@ in {
    security.pam.services = let
      pam_ldap = "${pkgs.pam_ldap}/lib/security/pam_ldap.so";
-    in [
+    in {
-      {
+      postgresql = {
-        name = "postgresql";
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam
          '';
-      }
+      };
-      {
+      postgresql_replication = {
-        name = "postgresql_replication";
        text = ''
          auth    required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
          account required ${pam_ldap} config=${config.secrets.location}/postgresql/pam_replication
          '';
-      }
+      };
-    ];
+    };
  };
 }
diff --git a/modules/private/ftp.nix b/modules/private/ftp.nix
index 417af87..8ae4e65 100644
--- a/modules/private/ftp.nix
+++ b/modules/private/ftp.nix
@@ -32,16 +32,13 @@ in
      };
    };
-    users.users = [
+    users.users.ftp = {
-      {
+      uid = config.ids.uids.ftp; # 8
-        name = "ftp";
+      group = "ftp";
-        uid = config.ids.uids.ftp; # 8
+      description = "Anonymous FTP user";
-        group = "ftp";
+      home = "/homeless-shelter";
-        description = "Anonymous FTP user";
+      extraGroups = [ "keys" ];
-        home = "/homeless-shelter";
+    };
-        extraGroups = [ "keys" ];
-      }
-    ];
    users.groups.ftp.gid = config.ids.gids.ftp;
diff --git a/modules/private/monitoring/status.nix b/modules/private/monitoring/status.nix
index d25d934..7810a1f 100644
--- a/modules/private/monitoring/status.nix
+++ b/modules/private/monitoring/status.nix
@@ -34,7 +34,11 @@
        locations."/".proxyPass = "http://unix:/run/naemon-status/socket.sock:/";
      };
    };
-    security.acme.certs."${name}".extraDomains."status.immae.eu" = null;
+    security.acme.certs."${name}" = {
+      extraDomains."status.immae.eu" = null;
+      user = config.services.nginx.user;
+      group = config.services.nginx.group;
+    };
    myServices.certificates.enable = true;
    networking.firewall.allowedTCPPorts = [ 80 443 ];
diff --git a/modules/private/system.nix b/modules/private/system.nix
index 64fc2d9..70b74d0 100644
--- a/modules/private/system.nix
+++ b/modules/private/system.nix
@@ -65,21 +65,10 @@
    users.mutableUsers = false;
    environment.etc.cnagios.source = "${pkgs.cnagios}/share/doc/cnagios";
-    environment.systemPackages =
+    environment.systemPackages = [
-      let
+      pkgs.git
-        home-manager = builtins.fetchGit {
+      pkgs.vim
-          url = "https://github.com/rycee/home-manager.git";
+    ] ++
-          rev = "ef64bc598f28818d56c86629dad98b468af9c071";
+    (lib.optional (builtins.length (config.hostEnv.users pkgs) > 0) pkgs.home-manager);
-          ref = "release-19.03";
-        };
-      in
-      [
-        pkgs.git
-        pkgs.vim
-      ] ++
-      (lib.optional
-        (builtins.length (config.hostEnv.users pkgs) > 0)
-        ((pkgs.callPackage home-manager {}).home-manager)
-      );
  };
 }
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
index 4e24c12..6829f1b 100644
--- a/modules/private/system/backup-2.nix
+++ b/modules/private/system/backup-2.nix
@@ -1,5 +1,5 @@
 { privateFiles }:
-{ config, pkgs, resources, ... }:
+{ config, pkgs, resources, name, ... }:
 {
  boot.kernelPackages = pkgs.linuxPackages_latest;
  myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
@@ -35,6 +35,10 @@
  };
  myServices.certificates.enable = true;
+  security.acme.certs."${name}" = {
+    user = config.services.nginx.user;
+    group = config.services.nginx.group;
+  };
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
index 788c2dc..911c76d 100644
--- a/modules/private/system/dilion.nix
+++ b/modules/private/system/dilion.nix
@@ -101,8 +101,8 @@
  # This is equivalent to setting environment.sessionVariables.NIX_PATH
  nix.nixPath = [
-    "home-manager=https://github.com/rycee/home-manager/archive/release-19.03.tar.gz"
+    "home-manager=https://github.com/rycee/home-manager/archive/master.tar.gz"
-    "nixpkgs=https://nixos.org/channels/nixos-19.03/nixexprs.tar.xz"
+    "nixpkgs=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz"
  ];
  nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ];
  nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
diff --git a/modules/private/tasks/default.nix b/modules/private/tasks/default.nix
index 42cc8d2..43d40d6 100644
--- a/modules/private/tasks/default.nix
+++ b/modules/private/tasks/default.nix
@@ -197,7 +197,6 @@ in {
    security.acme.certs."task" = config.myServices.certificates.certConfig // {
      inherit user group;
-      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" "account_reg.json" ];
      domain = fqdn;
      postRun = ''
        systemctl restart taskserver.service
diff --git a/modules/webapps/diaspora.nix b/modules/webapps/diaspora.nix
index 65599b7..d9e9989 100644
--- a/modules/webapps/diaspora.nix
+++ b/modules/webapps/diaspora.nix
@@ -108,19 +108,21 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Diaspora user";
+        description = "Diaspora user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
+        packages = [ cfg.workdir.gems pkgs.nodejs cfg.workdir.gems.ruby ];
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.diaspora = {
      description = "Diaspora";
diff --git a/modules/webapps/mastodon.nix b/modules/webapps/mastodon.nix
index 68531cf..cd550c0 100644
--- a/modules/webapps/mastodon.nix
+++ b/modules/webapps/mastodon.nix
@@ -96,18 +96,20 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Mastodon user";
+        description = "Mastodon user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.mastodon-streaming = {
      description = "Mastodon Streaming";
diff --git a/modules/webapps/mediagoblin.nix b/modules/webapps/mediagoblin.nix
index 78bbef6..dbc4c2b 100644
--- a/modules/webapps/mediagoblin.nix
+++ b/modules/webapps/mediagoblin.nix
@@ -151,18 +151,20 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Mediagoblin user";
+        description = "Mediagoblin user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.mediagoblin-web = {
      description = "Mediagoblin service";
diff --git a/modules/webapps/peertube.nix b/modules/webapps/peertube.nix
index 89dcc67..281ff8b 100644
--- a/modules/webapps/peertube.nix
+++ b/modules/webapps/peertube.nix
@@ -53,18 +53,20 @@ in
  };
  config = lib.mkIf cfg.enable {
-    users.users = lib.optionalAttrs (cfg.user == name) (lib.singleton {
+    users.users = lib.optionalAttrs (cfg.user == name) {
-      inherit name;
+      "${name}" = {
-      inherit uid;
+        inherit uid;
-      group = cfg.group;
+        group = cfg.group;
-      description = "Peertube user";
+        description = "Peertube user";
-      home = cfg.dataDir;
+        home = cfg.dataDir;
-      useDefaultShell = true;
+        useDefaultShell = true;
-    });
+      };
-    users.groups = lib.optionalAttrs (cfg.group == name) (lib.singleton {
+    };
-      inherit name;
+    users.groups = lib.optionalAttrs (cfg.group == name) {
-      inherit gid;
+      "${name}" = {
-    });
+        inherit gid;
+      };
+    };
    systemd.services.peertube = {
      description = "Peertube";
diff --git a/modules/websites/httpd-service-builder.nix b/modules/websites/httpd-service-builder.nix
index ec79a90..c5f72f9 100644
--- a/modules/websites/httpd-service-builder.nix
+++ b/modules/websites/httpd-service-builder.nix
@@ -470,7 +470,7 @@ in
      };
      virtualHosts = mkOption {
-        type = with types; attrsOf (submodule (import ./vhost-options.nix));
+        type = with types; attrsOf (submodule (import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix>));
        default = {
          localhost = {
            documentRoot = "${pkg}/htdocs";
diff --git a/modules/websites/location-options.nix b/modules/websites/location-options.nix
deleted file mode 100644
index 8ea88f9..0000000
--- a/modules/websites/location-options.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, lib, name, ... }:
-let
-  inherit (lib) mkOption types;
-in
-{
-  options = {
-    proxyPass = mkOption {
-      type = with types; nullOr str;
-      default = null;
-      example = "http://www.example.org/";
-      description = ''
-        Sets up a simple reverse proxy as described by <link xlink:href="https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html#simple" />.
-      '';
-    };
-    index = mkOption {
-      type = with types; nullOr str;
-      default = null;
-      example = "index.php index.html";
-      description = ''
-        Adds DirectoryIndex directive. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_dir.html#directoryindex" />.
-      '';
-    };
-    alias = mkOption {
-      type = with types; nullOr path;
-      default = null;
-      example = "/your/alias/directory";
-      description = ''
-        Alias directory for requests. See <link xlink:href="https://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias" />.
-      '';
-    };
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      description = ''
-        These lines go to the end of the location verbatim.
-      '';
-    };
-    priority = mkOption {
-      type = types.int;
-      default = 1000;
-      description = ''
-        Order of this location block in relation to the others in the vhost.
-        The semantics are the same as with `lib.mkOrder`. Smaller values have
-        a greater priority.
-      '';
-    };
-  };
-}
diff --git a/modules/websites/vhost-options.nix b/modules/websites/vhost-options.nix
deleted file mode 100644
index 263980a..0000000
--- a/modules/websites/vhost-options.nix
+++ /dev/null
@@ -1,275 +0,0 @@
-{ config, lib, name, ... }:
-let
-  inherit (lib) literalExample mkOption nameValuePair types;
-in
-{
-  options = {
-    hostName = mkOption {
-      type = types.str;
-      default = name;
-      description = "Canonical hostname for the server.";
-    };
-    serverAliases = mkOption {
-      type = types.listOf types.str;
-      default = [];
-      example = ["www.example.org" "www.example.org:8080" "example.org"];
-      description = ''
-        Additional names of virtual hosts served by this virtual host configuration.
-      '';
-    };
-    listen = mkOption {
-      type = with types; listOf (submodule ({
-        options = {
-          port = mkOption {
-            type = types.port;
-            description = "Port to listen on";
-          };
-          ip = mkOption {
-            type = types.str;
-            default = "*";
-            description = "IP to listen on. 0.0.0.0 for IPv4 only, * for all.";
-          };
-          ssl = mkOption {
-            type = types.bool;
-            default = false;
-            description = "Whether to enable SSL (https) support.";
-          };
-        };
-      }));
-      default = [];
-      example = [
-        { ip = "195.154.1.1"; port = 443; ssl = true;}
-        { ip = "192.154.1.1"; port = 80; }
-        { ip = "*"; port = 8080; }
-      ];
-      description = ''
-        Listen addresses and ports for this virtual host.
-        <note><para>
-          This option overrides <literal>addSSL</literal>, <literal>forceSSL</literal> and <literal>onlySSL</literal>.
-        </para></note>
-      '';
-    };
-    enableSSL = mkOption {
-      type = types.bool;
-      visible = false;
-      default = false;
-    };
-    addSSL = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
-        <literal>listen</literal> to listen on all interfaces on the respective default
-        ports (80, 443).
-      '';
-    };
-    onlySSL = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable HTTPS and reject plain HTTP connections. This will set
-        defaults for <literal>listen</literal> to listen on all interfaces on port 443.
-      '';
-    };
-    forceSSL = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to add a separate nginx server block that permanently redirects (301)
-        all plain HTTP traffic to HTTPS. This will set defaults for
-        <literal>listen</literal> to listen on all interfaces on the respective default
-        ports (80, 443), where the non-SSL listens are used for the redirect vhosts.
-      '';
-    };
-    enableACME = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to ask Let's Encrypt to sign a certificate for this vhost.
-        Alternately, you can use an existing certificate through <option>useACMEHost</option>.
-      '';
-    };
-    useACMEHost = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      description = ''
-        A host of an existing Let's Encrypt certificate to use.
-        This is useful if you have many subdomains and want to avoid hitting the
-        <link xlink:href="https://letsencrypt.org/docs/rate-limits/">rate limit</link>.
-        Alternately, you can generate a certificate through <option>enableACME</option>.
-        <emphasis>Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using  <xref linkend="opt-security.acme.certs"/>.</emphasis>
-      '';
-    };
-    acmeRoot = mkOption {
-      type = types.str;
-      default = "/var/lib/acme/acme-challenges";
-      description = "Directory for the acme challenge which is PUBLIC, don't put certs or keys in here";
-    };
-    sslServerCert = mkOption {
-      type = types.path;
-      example = "/var/host.cert";
-      description = "Path to server SSL certificate.";
-    };
-    sslServerKey = mkOption {
-      type = types.path;
-      example = "/var/host.key";
-      description = "Path to server SSL certificate key.";
-    };
-    sslServerChain = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      example = "/var/ca.pem";
-      description = "Path to server SSL chain file.";
-    };
-    http2 = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
-        be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.
-      '';
-    };
-    adminAddr = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = "admin@example.org";
-      description = "E-mail address of the server administrator.";
-    };
-    documentRoot = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      example = "/data/webserver/docs";
-      description = ''
-        The path of Apache's document root directory.  If left undefined,
-        an empty directory in the Nix store will be used as root.
-      '';
-    };
-    servedDirs = mkOption {
-      type = types.listOf types.attrs;
-      default = [];
-      example = [
-        { urlPath = "/nix";
-          dir = "/home/eelco/Dev/nix-homepage";
-        }
-      ];
-      description = ''
-        This option provides a simple way to serve static directories.
-      '';
-    };
-    servedFiles = mkOption {
-      type = types.listOf types.attrs;
-      default = [];
-      example = [
-        { urlPath = "/foo/bar.png";
-          file = "/home/eelco/some-file.png";
-        }
-      ];
-      description = ''
-        This option provides a simple way to serve individual, static files.
-        <note><para>
-          This option has been deprecated and will be removed in a future
-          version of NixOS. You can achieve the same result by making use of
-          the <literal>locations.&lt;name&gt;.alias</literal> option.
-        </para></note>
-      '';
-    };
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      example = ''
-        <Directory /home>
-          Options FollowSymlinks
-          AllowOverride All
-        </Directory>
-      '';
-      description = ''
-        These lines go to httpd.conf verbatim. They will go after
-        directories and directory aliases defined by default.
-      '';
-    };
-    enableUserDir = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Whether to enable serving <filename>~/public_html</filename> as
-        <literal>/~<replaceable>username</replaceable></literal>.
-      '';
-    };
-    globalRedirect = mkOption {
-      type = types.nullOr types.str;
-      default = null;
-      example = http://newserver.example.org/;
-      description = ''
-        If set, all requests for this host are redirected permanently to
-        the given URL.
-      '';
-    };
-    logFormat = mkOption {
-      type = types.str;
-      default = "common";
-      example = "combined";
-      description = ''
-        Log format for Apache's log files. Possible values are: combined, common, referer, agent.
-      '';
-    };
-    robotsEntries = mkOption {
-      type = types.lines;
-      default = "";
-      example = "Disallow: /foo/";
-      description = ''
-        Specification of pages to be ignored by web crawlers. See <link
-        xlink:href='http://www.robotstxt.org/'/> for details.
-      '';
-    };
-    locations = mkOption {
-      type = with types; attrsOf (submodule (import ./location-options.nix));
-      default = {};
-      example = literalExample ''
-        {
-          "/" = {
-            proxyPass = "http://localhost:3000";
-          };
-          "/foo/bar.png" = {
-            alias = "/home/eelco/some-file.png";
-          };
-        };
-      '';
-      description = ''
-        Declarative location config. See <link
-        xlink:href="https://httpd.apache.org/docs/2.4/mod/core.html#location"/> for details.
-      '';
-    };
-  };
-  config = {
-    locations = builtins.listToAttrs (map (elem: nameValuePair elem.urlPath { alias = elem.file; }) config.servedFiles);
-  };
-}
diff --git a/nix/sources.json b/nix/sources.json
index 7c306c9..09c4455 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -18,27 +18,27 @@
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs": {
-        "branch": "nixos-19.03",
+        "branch": "nixos-unstable",
        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
        "homepage": "https://github.com/NixOS/nixpkgs",
        "owner": "NixOS",
        "repo": "nixpkgs-channels",
-        "rev": "34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59",
+        "rev": "ae6bdcc53584aaf20211ce1814bea97ece08a248",
-        "sha256": "11z6ajj108fy2q5g8y4higlcaqncrbjm3dnv17pvif6avagw4mcb",
+        "sha256": "0hjhznns1cxgl3hww2d5si6vhy36pnm53hms9h338v6r633dcy77",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs-channels/archive/34c7eb7545d155cc5b6f499b23a7cb1c96ab4d59.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs-channels/archive/ae6bdcc53584aaf20211ce1814bea97ece08a248.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs-nixops": {
-        "branch": "nixos-19.09",
+        "branch": "nixos-unstable",
        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
        "homepage": "https://github.com/NixOS/nixpkgs",
        "owner": "NixOS",
        "repo": "nixpkgs-channels",
-        "rev": "856dbd1a5c7fd826cf3668ff12a7389be0686f41",
+        "rev": "ae6bdcc53584aaf20211ce1814bea97ece08a248",
-        "sha256": "1d895i1lc25d2akniaqg2n1jrg2rcd1gih8rpmhyrlv4lpggfmsx",
+        "sha256": "0hjhznns1cxgl3hww2d5si6vhy36pnm53hms9h338v6r633dcy77",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs-channels/archive/856dbd1a5c7fd826cf3668ff12a7389be0686f41.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs-channels/archive/ae6bdcc53584aaf20211ce1814bea97ece08a248.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "nixpkgs-nixops-next": {
diff --git a/nixops/Makefile b/nixops/Makefile
index 8caf8b1..3cbf50b 100644
--- a/nixops/Makefile
+++ b/nixops/Makefile
@@ -55,10 +55,10 @@ dry-run:
        $(NIXOPS_PRIV) deploy --dry-run
 build:
-        $(NIXOPS_PRIV) deploy --build-only --max-jobs 1
+        $(NIXOPS_PRIV) deploy --build-only --keep-going
 upload:
-        $(NIXOPS_PRIV) deploy --copy-only --max-concurrent-copy 1
+        $(NIXOPS_PRIV) deploy --copy-only
 deploy:
        $(NIXOPS_PRIV) deploy
diff --git a/overlays/bonfire/default.nix b/overlays/bonfire/default.nix
new file mode 100644
index 0000000..68bde20
--- /dev/null
+++ b/overlays/bonfire/default.nix
@@ -0,0 +1,24 @@
+self: super: {
+  bonfire = let
+    click = self.python3Packages.click.overridePythonAttrs(old: rec {
+      version = "6.7";
+      src = self.python3Packages.fetchPypi {
+        pname = "click";
+        inherit version;
+        sha256 = "02qkfpykbq35id8glfgwc38yc430427yd05z1wc5cnld8zgicmgi";
+      };
+    });
+  in
+    super.bonfire.overridePythonAttrs(old: {
+      version = "0.0.8";
+      src = self.fetchFromGitHub {
+        owner = "blue-yonder";
+        repo = "bonfire";
+        rev = "0a0f18469d484aba6871fa7421bbb2c00ccefcb0";
+        sha256 = "1y2r537ibghhmk6jngw0zwvh1vn2bihqcvji50ffh1j0qc6q3x6x";
+      };
+      postPatch = "";
+      propagatedBuildInputs = self.lib.remove self.python3Packages.click old.propagatedBuildInputs ++ [ click ];
+      meta.broken = false;
+    });
+}
diff --git a/overlays/databases/mysql/default.nix b/overlays/databases/mysql/default.nix
index 797332b..24bad1b 100644
--- a/overlays/databases/mysql/default.nix
+++ b/overlays/databases/mysql/default.nix
@@ -3,16 +3,5 @@ self: super: rec {
  mariadbPAM = super.mariadb.overrideAttrs(old: {
    cmakeFlags = old.cmakeFlags ++ [ "-DWITH_AUTHENTICATION_PAM=ON" ];
    buildInputs = old.buildInputs ++ [ self.pam ];
-    postInstall = old.postInstall + ''
-      # FIXME: hack because mariadb cannot find dialog.so
-      # fixed in 20.03: https://github.com/NixOS/nixpkgs/pull/80768
-      ln -s /nix $out/nix
-      cp "$dev"/lib/mysql/plugin/{caching_sha2_password.so,dialog.so,mysql_clear_password.so,sha256_password.so} "$out"/lib/mysql/plugin
-      '';
-  }) // (with super.mariadb; {
-    inherit client;
-    servier = super.mariadb;
-    inherit connector-c;
-    inherit galera;
  });
 }
diff --git a/overlays/default.nix b/overlays/default.nix
index b488fd7..881083d 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -4,6 +4,7 @@
  bitlbee = import ./bitlbee;
  bitlbee-discord = import ./bitlbee-discord;
+  bonfire = import ./bonfire;
  bundix = import ./bundix;
  dwm = import ./dwm;
  elinks = import ./elinks;
@@ -13,24 +14,20 @@
  ldapvi = import ./ldapvi;
  lesspipe = import ./lesspipe;
  mysql = import ./databases/mysql;
-  neomutt = import ./neomutt;
  nixops = import ./nixops;
  pass = import ./pass;
  pelican = import ./pelican;
  postgresql = import ./databases/postgresql;
-  profanity = import ./profanity;
  s6 = import ./s6;
  sc-im = import ./sc-im;
  shaarli = import ./shaarli;
  slrn = import ./slrn;
  taskwarrior = import ./taskwarrior;
  vcsh = import ./vcsh;
-  vit = import ./vit;
  weboob = import ./weboob;
  weechat = import ./weechat;
  ympd = import ./ympd;
  doing = import ./doing;
  xmr-stak = import ./xmr-stak;
-  simp_le = import ./simp_le;
 }
 // import ./python-packages
diff --git a/overlays/neomutt/commands.patch b/overlays/neomutt/commands.patch
deleted file mode 100644
index 6c910cf..0000000
--- a/overlays/neomutt/commands.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-commit 763056828abe9716c4dfce754a47d8ecdefb3029
-Author: Ismaël Bouya <ismael.bouya@normalesup.org>
-Date:   Mon Feb 10 16:13:33 2020 +0100
-    Fix commands that don’t need to have a non-empty mailbox to be valid
-    
-    Some commands act on the whole mailbox (tag-pattern, delete-pattern,
-    search), and even though they don’t do anything when the mailbox is
-    empty, there is no reason to fail when it happens. This commit removes
-    the check that the mailbox is non-empty before doing said actions.
-diff --git a/index.c b/index.c
-index 0f4b9f99f..0adfc19f1 100644
--- a/index.c
-+++ b/index.c
-@@ -1642,7 +1642,7 @@ int mutt_index_menu(struct MuttWindow *dlg)
-       case OP_JUMP:
-       {
-         int msg_num = 0;
-        if (!prereq(Context, menu, CHECK_IN_MAILBOX | CHECK_MSGCOUNT | CHECK_VISIBLE))
-+        if (!prereq(Context, menu, CHECK_IN_MAILBOX))
-           break;
-         if (isdigit(LastKey))
-           mutt_unget_event(LastKey, 0);
-@@ -1687,7 +1687,7 @@ int mutt_index_menu(struct MuttWindow *dlg)
- 
-       case OP_MAIN_DELETE_PATTERN:
-         if (!prereq(Context, menu,
-                    CHECK_IN_MAILBOX | CHECK_MSGCOUNT | CHECK_VISIBLE | CHECK_READONLY | CHECK_ATTACH))
-+                    CHECK_IN_MAILBOX | CHECK_READONLY | CHECK_ATTACH))
-         {
-           break;
-         }
-@@ -1852,12 +1852,17 @@ int mutt_index_menu(struct MuttWindow *dlg)
-         menu->redraw = REDRAW_FULL;
-         break;
- 
-      case OP_SEARCH:
-+      // Initiating a search can happen on an empty mailbox, but
-+      // searching for next/previous/... needs to be on a message and
-+      // thus a non-empty mailbox
-       case OP_SEARCH_REVERSE:
-       case OP_SEARCH_NEXT:
-       case OP_SEARCH_OPPOSITE:
-         if (!prereq(Context, menu, CHECK_IN_MAILBOX | CHECK_MSGCOUNT | CHECK_VISIBLE))
-           break;
-+      case OP_SEARCH:
-+        if (!prereq(Context, menu, CHECK_IN_MAILBOX))
-+          break;
-         menu->current = mutt_search_command(menu->current, op);
-         if (menu->current == -1)
-           menu->current = menu->oldcurrent;
-@@ -1926,14 +1931,14 @@ int mutt_index_menu(struct MuttWindow *dlg)
-       }
- 
-       case OP_MAIN_TAG_PATTERN:
-        if (!prereq(Context, menu, CHECK_IN_MAILBOX | CHECK_MSGCOUNT | CHECK_VISIBLE))
-+        if (!prereq(Context, menu, CHECK_IN_MAILBOX))
-           break;
-         mutt_pattern_func(MUTT_TAG, _("Tag messages matching: "));
-         menu->redraw |= REDRAW_INDEX | REDRAW_STATUS;
-         break;
- 
-       case OP_MAIN_UNDELETE_PATTERN:
-        if (!prereq(Context, menu, CHECK_IN_MAILBOX | CHECK_MSGCOUNT | CHECK_VISIBLE | CHECK_READONLY))
-+        if (!prereq(Context, menu, CHECK_IN_MAILBOX | CHECK_READONLY))
-           break;
-         /* L10N: CHECK_ACL */
-         /* L10N: Due to the implementation details we do not know whether we
-@@ -1950,7 +1955,7 @@ int mutt_index_menu(struct MuttWindow *dlg)
-         break;
- 
-       case OP_MAIN_UNTAG_PATTERN:
-        if (!prereq(Context, menu, CHECK_IN_MAILBOX | CHECK_MSGCOUNT | CHECK_VISIBLE))
-+        if (!prereq(Context, menu, CHECK_IN_MAILBOX))
-           break;
-         if (mutt_pattern_func(MUTT_UNTAG, _("Untag messages matching: ")) == 0)
-           menu->redraw |= REDRAW_INDEX | REDRAW_STATUS;
-@@ -3189,7 +3194,7 @@ int mutt_index_menu(struct MuttWindow *dlg)
-       }
- 
-       case OP_MAIN_COLLAPSE_ALL:
-        if (!prereq(Context, menu, CHECK_IN_MAILBOX | CHECK_MSGCOUNT | CHECK_VISIBLE))
-+        if (!prereq(Context, menu, CHECK_IN_MAILBOX))
-           break;
- 
-         if ((C_Sort & SORT_MASK) != SORT_THREADS)
diff --git a/overlays/neomutt/default.nix b/overlays/neomutt/default.nix
deleted file mode 100644
index 0b23734..0000000
--- a/overlays/neomutt/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-self: super: {
-  neomutt = super.neomutt.overrideAttrs (old:
-    rec {
-      name = "neomutt-${version}";
-      version = "20191207";
-      src = self.fetchFromGitHub {
-        owner = "neomutt";
-        repo = "neomutt";
-        rev = version;
-        sha256 = "16xr7wdmjw0i72xbnyyh098wx4cr0m8w2cr1szdi1b14p4kpgr67";
-      };
-      patches = old.patches or [] ++ [ ./commands.patch ];
-      buildInputs = old.buildInputs ++ [ self.gdbm ];
-      configureFlags = old.configureFlags ++ [ "--gdbm" ];
-      doCheck = false;
-    }
-  );
-}
diff --git a/overlays/pelican/default.nix b/overlays/pelican/default.nix
index 5a487aa..4f8aece 100644
--- a/overlays/pelican/default.nix
+++ b/overlays/pelican/default.nix
@@ -1,6 +1,7 @@
 self: super: {
  pelican = with self.python3Packages;
-    pelican.overrideAttrs(old: self.mylibs.fetchedGithub ./pelican.json // {
+    pelican.overrideAttrs(old: {
      propagatedBuildInputs = old.propagatedBuildInputs ++ [ pyyaml markdown ];
+      doInstallCheck = false;
    });
 }
diff --git a/overlays/pelican/pelican.json b/overlays/pelican/pelican.json
deleted file mode 100644
index d8f4425..0000000
--- a/overlays/pelican/pelican.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "tag": "4.0.1",
-  "meta": {
-    "name": "pelican",
-    "url": "https://github.com/getpelican/pelican",
-    "branch": "refs/tags/4.0.1"
-  },
-  "github": {
-    "owner": "getpelican",
-    "repo": "pelican",
-    "rev": "24d6efa9fda4ad45649ddf88c1c596193d589bf8",
-    "sha256": "09fcwnnfln0cl5v0qpxzrllj27znrg6dbhaksxrl0192c3mbyjvl",
-    "fetchSubmodules": true
-  }
-}
diff --git a/overlays/profanity/default.nix b/overlays/profanity/default.nix
deleted file mode 100644
index 64fae49..0000000
--- a/overlays/profanity/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-self: super: {
-  profanity = (super.profanity.override {
-    notifySupport = true;
-    inherit (self) libnotify gpgme gdk_pixbuf;
-    python = self.python3;
-  }).overrideAttrs (old: rec {
-    version = "0.7.1";
-    pname = "profanity";
-    name = "profanity-0.7.1";
-    src = self.fetchFromGitHub {
-      owner = "profanity-im";
-      repo = "profanity";
-      rev = version;
-      sha256 = "1mcgr86wqyzqx7mqxfkk2jwx6cgnvrky3zi4v1ww0lh6j05wj9gf";
-    };
-    patches = builtins.tail old.patches;
-    buildInputs = old.buildInputs ++ [ self.libsignal-protocol-c self.libgcrypt ];
-    configureFlags = old.configureFlags ++ [ "--enable-plugins" "--enable-omemo" ];
-  });
-}
diff --git a/overlays/simp_le/default.nix b/overlays/simp_le/default.nix
deleted file mode 100644
index 76891ed..0000000
--- a/overlays/simp_le/default.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-self: super: {
-  simp_le = self.simp_le_0_17;
-}
diff --git a/overlays/vit/default.nix b/overlays/vit/default.nix
deleted file mode 100644
index 4624284..0000000
--- a/overlays/vit/default.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-self: super:
-{
-  vit = (super.vit.override { inherit (self) taskwarrior; }).overrideAttrs (old:
-    self.mylibs.fetchedGithub ./vit.json // {
-      buildInputs = old.buildInputs ++ (with self.perlPackages; [ TryTiny TextCharWidth ]);
-    }
-  );
-}
diff --git a/overlays/vit/vit.json b/overlays/vit/vit.json
deleted file mode 100644
index d062f68..0000000
--- a/overlays/vit/vit.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "tag": "dbacada-1.3",
-  "meta": {
-    "name": "vit",
-    "url": "https://github.com/scottkosty/vit",
-    "branch": "1.3"
-  },
-  "github": {
-    "owner": "scottkosty",
-    "repo": "vit",
-    "rev": "dbacada5867b238fdf35dbf00a3ca0daf7703038",
-    "sha256": "1wlk62cv6dc0dqv8265xcx2l7ydzg40xf6l4qbrf6h5156ncc90l",
-    "fetchSubmodules": true
-  }
-}
diff --git a/overlays/weechat/default.nix b/overlays/weechat/default.nix
index 17faa0e..e8cc792 100644
--- a/overlays/weechat/default.nix
+++ b/overlays/weechat/default.nix
@@ -2,9 +2,7 @@ self: super: {
  weechat = super.weechat.override {
    configure = { availablePlugins, ... }: {
      plugins = with self; with availablePlugins; [
-          # Make sure websocket_client is not 0.55.0, it provokes
+         (python.withPackages (ps: with ps; [websocket_client emoji]))
-          # regular crashes
-         (python.withPackages (ps: with ps; assert websocket_client.version == "0.54.0"; [websocket_client emoji]))
         perl
         ruby
        ];
diff --git a/pkgs/crypto/cardano-cli/default.nix b/pkgs/crypto/cardano-cli/default.nix
index 4bd18d9..3cd5a4c 100644
--- a/pkgs/crypto/cardano-cli/default.nix
+++ b/pkgs/crypto/cardano-cli/default.nix
@@ -11,6 +11,6 @@ rustPlatform.buildRustPackage rec {
    fetchSubmodules = true;
  };
-  cargoSha256 = "1jra0635inm95xp7vg8l7s7ybijcy28956cd6jl8qw2p8bw0z1p3";
+  cargoSha256 = "0j68dsqahvgpa9ms62149530lbfa55lmpd56rgdxkrh2z32lshs8";
  verifyCargoDeps = true;
 }
diff --git a/pkgs/crypto/iota-cli-app/default.nix b/pkgs/crypto/iota-cli-app/default.nix
index 1a9d3ed..17d7714 100644
--- a/pkgs/crypto/iota-cli-app/default.nix
+++ b/pkgs/crypto/iota-cli-app/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, mylibs, fetchurl, fetchgit, callPackage, nodePackages, nodejs-8_x }:
+{ stdenv, mylibs, fetchurl, fetchgit, callPackage, nodePackages, nodejs-10_x }:
 let
-  nodeEnv = callPackage mylibs.nodeEnv { nodejs = nodejs-8_x; };
+  nodeEnv = callPackage mylibs.nodeEnv { nodejs = nodejs-10_x; };
  # built using node2nix -8 -l package-lock.json
  # and changing "./." to "src"
  packageEnv = import ./node-packages.nix {
diff --git a/pkgs/mtop/default.nix b/pkgs/mtop/default.nix
index 4a89430..3f6b6bc 100644
--- a/pkgs/mtop/default.nix
+++ b/pkgs/mtop/default.nix
@@ -1,6 +1,6 @@
 { buildPerlPackage, fetchurl, perlPackages, lib }:
 buildPerlPackage rec {
-  name = "mtop-${version}";
+  pname = "mtop";
  version = "0.6.6";
  src = fetchurl {
    url = "http://downloads.sourceforge.net/project/mtop/mtop/v${version}/mtop-${version}.tar.gz";
diff --git a/pkgs/note/default.nix b/pkgs/note/default.nix
index 0c422bc..d5fcccd 100644
--- a/pkgs/note/default.nix
+++ b/pkgs/note/default.nix
@@ -1,8 +1,9 @@
 { lib, buildPerlPackage, fetchurl, perlPackages }:
 buildPerlPackage rec {
-  name = "note-1.3.26";
+  pname = "note";
+  version = "1.3.26";
  src = fetchurl {
-    url = "mirror://cpan/authors/id/T/TL/TLINDEN/${name}.tar.gz";
+    url = "mirror://cpan/authors/id/T/TL/TLINDEN/${pname}-${version}.tar.gz";
    sha256 = "1h645rnb5vpms48fcyzvp7cwwcbf9k5xq49w2bpniyzzgk2brjrq";
  };
  outputs = ["out" "man"];
diff --git a/pkgs/private/webapps/aten/default.nix b/pkgs/private/webapps/aten/default.nix
index 5a726e9..9c4e29f 100644
--- a/pkgs/private/webapps/aten/default.nix
+++ b/pkgs/private/webapps/aten/default.nix
@@ -22,7 +22,7 @@ let
        postInstall = let
          nodeHeaders = fetchurl {
            url = "https://nodejs.org/download/release/v${nodejs.version}/node-v${nodejs.version}-headers.tar.gz";
-            sha256 = "1g6zi96k8sbim8wa8rzskxy44mgpcv1mn2bs8p4mq36w3kwglwyj";
+            sha256 = "1df3yhlwlvai0m9kvjyknjg11hnw0kj0rnhyzbwvsfjnmr6z8r76";
          };
        in
          ''
diff --git a/pkgs/python-packages/buildbot/plugins/buildslist/default.nix b/pkgs/python-packages/buildbot/plugins/buildslist/default.nix
index e5087e4..dc6104e 100644
--- a/pkgs/python-packages/buildbot/plugins/buildslist/default.nix
+++ b/pkgs/python-packages/buildbot/plugins/buildslist/default.nix
@@ -1,4 +1,4 @@
-{ mylibs, stdenv, runCommand, writeScriptBin, buildBowerComponents, pythonPackages, libsass, python, python2, fetchurl, jq, yarn, nodejs }:
+{ mylibs, stdenv, runCommand, writeScriptBin, buildBowerComponents, pythonPackages, libsass, python, fetchurl, jq, yarn, nodejs }:
 let
  buildslist_src = mylibs.fetchedGit ./buildslist.json;
  packagejson = runCommand "package.json" { buildInputs = [ jq ]; } ''
@@ -6,7 +6,7 @@ let
    '';
  nodeHeaders = fetchurl {
    url = "https://nodejs.org/download/release/v${nodejs.version}/node-v${nodejs.version}-headers.tar.gz";
-    sha256 = "1g6zi96k8sbim8wa8rzskxy44mgpcv1mn2bs8p4mq36w3kwglwyj";
+    sha256 = "1df3yhlwlvai0m9kvjyknjg11hnw0kj0rnhyzbwvsfjnmr6z8r76";
  };
  buildslist_yarn = mylibs.yarn2nixPackage.mkYarnModules rec {
    name = "buildslist-yarn-modules";
diff --git a/pkgs/python-packages/wokkel.nix b/pkgs/python-packages/wokkel.nix
index b34caec..3237f2b 100644
--- a/pkgs/python-packages/wokkel.nix
+++ b/pkgs/python-packages/wokkel.nix
@@ -7,5 +7,5 @@ buildPythonPackage rec {
    sha256 = "1spq44gg8gsviqx1dvlmjpgfc0wk0jpyx4ap01y2pad1ai9cw016";
  };
  propagatedBuildInputs = [ twisted.extras.tls twisted incremental dateutil ];
-  doChecks = false;
+  doCheck = false;
 }
diff --git a/pkgs/simp_le/default.nix b/pkgs/simp_le/default.nix
deleted file mode 100644
index eaefba3..0000000
--- a/pkgs/simp_le/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ stdenv, python3Packages, bash }:
-python3Packages.buildPythonApplication rec {
-  pname = "simp_le-client";
-  version = "0.17.0";
-  src = python3Packages.fetchPypi {
-    inherit pname version;
-    sha256 = "0m1jynar4calaffp2zdxr5yy9vnhw2qf2hsfxwzfwf8fqb5h7bjb";
-  };
-  postPatch = ''
-    # drop upper bound of idna requirement
-    sed -ri "s/'(idna)<[^']+'/'\1'/" setup.py
-    substituteInPlace simp_le.py \
-      --replace "/bin/sh" "${bash}/bin/sh"
-  '';
-  checkPhase = ''
-    $out/bin/simp_le --test
-  '';
-  propagatedBuildInputs = with python3Packages; [ acme setuptools_scm josepy idna ];
-  meta = with stdenv.lib; {
-    homepage = https://github.com/zenhack/simp_le;
-    description = "Simple Let's Encrypt client";
-    license = licenses.gpl3;
-    maintainers = with maintainers; [ gebner makefu ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/pkgs/telegram-cli/default.nix b/pkgs/telegram-cli/default.nix
index 6987748..87c93e5 100644
--- a/pkgs/telegram-cli/default.nix
+++ b/pkgs/telegram-cli/default.nix
@@ -1,8 +1,5 @@
 { stdenv, mylibs, pkgconfig, libevent, lua, jansson, openssl, readline, zlib, libconfig }:
 stdenv.mkDerivation (mylibs.fetchedGithub ./telegram-cli.json // {
-  patches = [
-    ./telegram-cli.patch
-    ];
  buildInputs = [ pkgconfig libevent lua jansson openssl readline zlib libconfig ];
  preBuild = ''
    sed -i -e 's@"/etc/" PROG_NAME "/server.pub"@"'$out'/etc/server.pub"@' main.c
diff --git a/pkgs/telegram-cli/telegram-cli.json b/pkgs/telegram-cli/telegram-cli.json
index 53e0a7b..2e7ed9a 100644
--- a/pkgs/telegram-cli/telegram-cli.json
+++ b/pkgs/telegram-cli/telegram-cli.json
@@ -1,15 +1,15 @@
 {
-  "tag": "6547c0b-master",
+  "tag": "3da0e4a-master",
  "meta": {
    "name": "telegram-cli",
-    "url": "https://github.com/vysheng/tg",
+    "url": "https://github.com/kenorb-contrib/tg/",
    "branch": "master"
  },
  "github": {
-    "owner": "vysheng",
+    "owner": "kenorb-contrib",
    "repo": "tg",
-    "rev": "6547c0b21b977b327b3c5e8142963f4bc246187a",
+    "rev": "3da0e4a54c3a63cee11aae3c23f2077adfc4949d",
-    "sha256": "07sss5cnw2ygd7mp8f5532lmj7qm6ywqf4cjaq5g13i8igzqzwzj",
+    "sha256": "0pvswzajipzkk1x5cyf10dw18ka9jalar0aa2i7y23ifm4ddnif4",
    "fetchSubmodules": true
  }
 }
diff --git a/pkgs/telegram-cli/telegram-cli.patch b/pkgs/telegram-cli/telegram-cli.patch
deleted file mode 100644
index 2d2b7b0..0000000
--- a/pkgs/telegram-cli/telegram-cli.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-diff --git a/tgl/crypto/rsa_pem_openssl.c b/tgl/crypto/rsa_pem_openssl.c
-index db653f2..5e6a697 100644
--- a/tgl/crypto/rsa_pem_openssl.c
-+++ b/tgl/crypto/rsa_pem_openssl.c
-@@ -36,6 +36,12 @@ TGLC_WRAPPER_ASSOC(rsa,RSA)
- // TODO: Refactor crucial struct-identity into its own header.
- TGLC_WRAPPER_ASSOC(bn,BIGNUM)
- 
-+/*
-+ * Since OpenSSL version 1.1.0 the RSA struct (rsa_st) is opaque,
-+ * see also https://wiki.openssl.org/index.php/OpenSSL_1.1.0_Changes
-+ */
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-+
- TGLC_rsa *TGLC_rsa_new (unsigned long e, int n_bytes, const unsigned char *n) {
-   RSA *ret = RSA_new ();
-   ret->e = unwrap_bn (TGLC_bn_new ());
-@@ -47,7 +53,30 @@ TGLC_rsa *TGLC_rsa_new (unsigned long e, int n_bytes, const unsigned char *n) {
- #define RSA_GETTER(M)                                                          \
-   TGLC_bn *TGLC_rsa_ ## M (TGLC_rsa *key) {                                    \
-     return wrap_bn (unwrap_rsa (key)->M);                                      \
-  }                                                                            \
-+  }
-+
-+#else // OPENSSL_VERSION_NUMBER
-+
-+TGLC_rsa *TGLC_rsa_new (unsigned long e, int n_bytes, const unsigned char *n) {
-+  RSA *ret = RSA_new ();
-+  BIGNUM *ret_e = unwrap_bn (TGLC_bn_new ());
-+  BIGNUM *ret_n = unwrap_bn (TGLC_bn_bin2bn (n, n_bytes, NULL));
-+  RSA_set0_key (ret, ret_n, ret_e, NULL);
-+  TGLC_bn_set_word (wrap_bn (ret_e), e);
-+  return wrap_rsa (ret);
-+}
-+
-+#define RSA_GETTER(M)                       \
-+TGLC_bn *TGLC_rsa_ ## M (TGLC_rsa *key) {   \
-+    BIGNUM *rsa_n, *rsa_e, *rsa_d;          \
-+    RSA_get0_key(unwrap_rsa (key),          \
-+        (const BIGNUM **) &rsa_n,           \
-+        (const BIGNUM **) &rsa_e,           \
-+        (const BIGNUM **) &rsa_d);          \
-+    return wrap_bn (rsa_ ## M);             \
-+}
-+
-+#endif // OPENSSL_VERSION_NUMBER
- 
- RSA_GETTER(n);
- RSA_GETTER(e);
-@@ -60,4 +89,4 @@ TGLC_rsa *TGLC_pem_read_RSAPublicKey (FILE *fp) {
-   return wrap_rsa (PEM_read_RSAPublicKey (fp, NULL, NULL, NULL));
- }
- 
-#endif
-+#endif // TGL_AVOID_OPENSSL
-diff --git a/tgl/mtproto-utils.c b/tgl/mtproto-utils.c
-index 0948bc8..cfdb216 100644
--- a/tgl/mtproto-utils.c
-+++ b/tgl/mtproto-utils.c
-@@ -98,7 +98,7 @@ static unsigned long long BN2ull (TGLC_bn *b) {
-   if (sizeof (unsigned long) == 8) {
-     return TGLC_bn_get_word (b);
-   } else if (sizeof (unsigned long long) == 8) {
-    assert (0); // As long as nobody ever uses this code, assume it is broken.
-+//    assert (0); // As long as nobody ever uses this code, assume it is broken.
-     unsigned long long tmp;
-     /* Here be dragons, but it should be okay due to be64toh */
-     TGLC_bn_bn2bin (b, (unsigned char *) &tmp);
-@@ -112,7 +112,7 @@ static void ull2BN (TGLC_bn *b, unsigned long long val) {
-   if (sizeof (unsigned long) == 8 || val < (1ll << 32)) {
-     TGLC_bn_set_word (b, val);
-   } else if (sizeof (unsigned long long) == 8) {
-    assert (0); // As long as nobody ever uses this code, assume it is broken.
-+//    assert (0); // As long as nobody ever uses this code, assume it is broken.
-     htobe64(val);
-     /* Here be dragons, but it should be okay due to htobe64 */
-     TGLC_bn_bin2bn ((unsigned char *) &val, 8, b);
-diff --git a/tgl/tl-parser/tl-parser.c b/tgl/tl-parser/tl-parser.c
-index 524b196..aeadbd2 100644
--- a/tgl/tl-parser/tl-parser.c
-+++ b/tgl/tl-parser/tl-parser.c
-@@ -1903,7 +1903,7 @@ struct tl_combinator_tree *tl_parse_args134 (struct tree *T) {
-       //assert (S->data);
-       char *name = S->data;
-       if (!name) {
-        static char s[20];
-+        static char s[21];
-         sprintf (s, "%lld", lrand48 () * (1ll << 32) + lrand48 ());
-         name = s;
-       }
diff --git a/pkgs/terminal-velocity/default.nix b/pkgs/terminal-velocity/default.nix
index 9e79dee..1a015c0 100644
--- a/pkgs/terminal-velocity/default.nix
+++ b/pkgs/terminal-velocity/default.nix
@@ -15,6 +15,10 @@ buildPythonApplication rec {
    ./fix_build.patch
  ];
+  preCheck = ''
+    # Needed for urwid test
+    export LC_ALL=en_US.UTF-8
+    '';
  propagatedBuildInputs = [
    chardet
    urwid
diff --git a/pkgs/tiv/default.nix b/pkgs/tiv/default.nix
index c03aabe..3e7a56c 100644
--- a/pkgs/tiv/default.nix
+++ b/pkgs/tiv/default.nix
@@ -1,6 +1,6 @@
 { buildPerlPackage, fetchurl, perlPackages }:
 buildPerlPackage rec {
-  name = "tiv-${version}";
+  pname = "tiv";
  version = "2015";
  src = fetchurl {
    url = "http://xyne.archlinux.ca/projects/tiv/src/tiv-${version}.tar.xz";
diff --git a/pkgs/webapps/mediagoblin/default.nix b/pkgs/webapps/mediagoblin/default.nix
index f6393fe..c20bcb4 100644
--- a/pkgs/webapps/mediagoblin/default.nix
+++ b/pkgs/webapps/mediagoblin/default.nix
@@ -28,6 +28,8 @@ let
          inherit (old) pname;
          sha256 = "02wxsc6bhqvzh8j6w758kvgqbnj14l796mvmrcms8fgfamd2lak9";
        };
+        doCheck = false;
+        doInstallCheck = false;
      });
      amqp = super.amqp.overridePythonAttrs(old: rec {
        version = "1.4.9";
diff --git a/pkgs/webapps/peertube/default.nix b/pkgs/webapps/peertube/default.nix
index 8995419..9929106 100644
--- a/pkgs/webapps/peertube/default.nix
+++ b/pkgs/webapps/peertube/default.nix
@@ -3,7 +3,7 @@
 let
  nodeHeaders = fetchurl {
    url = "https://nodejs.org/download/release/v${nodejs.version}/node-v${nodejs.version}-headers.tar.gz";
-    sha256 = "1g6zi96k8sbim8wa8rzskxy44mgpcv1mn2bs8p4mq36w3kwglwyj";
+    sha256 = "1df3yhlwlvai0m9kvjyknjg11hnw0kj0rnhyzbwvsfjnmr6z8r76";
  };
  patchedPackages = stdenv.mkDerivation (mylibs.fetchedGithub ./peertube.json // rec {
    patches = if ldap then [ ./ldap.patch ././yarn_fix_bluebird_ldap.patch ] else [ ./yarn_fix_bluebird.patch ];