-rw-r--r--Makefile.am6
-rw-r--r--corepkgs/Makefile.am2
-rw-r--r--corepkgs/config.nix.in1
-rw-r--r--corepkgs/fetchurl.nix36
-rw-r--r--doc/manual/Makefile.am2
-rw-r--r--doc/manual/conf-file.xml32
-rw-r--r--doc/manual/manual.xml6
-rw-r--r--nix.conf.example181
-rw-r--r--nix.spec.in10
-rw-r--r--tests/Makefile.am3
-rw-r--r--tests/fetchurl.nix6
-rw-r--r--tests/fetchurl.sh9
12 files changed, 88 insertions, 206 deletions
diff --git a/Makefile.am b/Makefile.am
index f50cdf19b216..c97d0e266cd7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,6 @@
 SUBDIRS = src perl scripts corepkgs doc misc tests
 EXTRA_DIST = substitute.mk nix.spec nix.spec.in bootstrap.sh \
-  nix.conf.example NEWS version misc/systemd/nix-worker.service
+  NEWS version misc/systemd/nix-worker.service
 
 pkginclude_HEADERS = config.h
 
@@ -10,10 +10,6 @@ nix.spec: nix.spec.in
 
 install-data-local: init-state
 	$(INSTALL) -d $(DESTDIR)$(sysconfdir)/nix
-	$(INSTALL_DATA) $(srcdir)/nix.conf.example $(DESTDIR)$(sysconfdir)/nix
-	if ! test -e $(DESTDIR)$(sysconfdir)/nix/nix.conf; then \
-		$(INSTALL_DATA) $(srcdir)/nix.conf.example $(DESTDIR)$(sysconfdir)/nix/nix.conf; \
-	fi
 	$(INSTALL) -d $(DESTDIR)$(docdir)
 	$(INSTALL_DATA) README $(DESTDIR)$(docdir)/
 
diff --git a/corepkgs/Makefile.am b/corepkgs/Makefile.am
index a8de601657b1..729d15e7b191 100644
--- a/corepkgs/Makefile.am
+++ b/corepkgs/Makefile.am
@@ -1,6 +1,6 @@
 all-local: config.nix
 
-files = nar.nix buildenv.nix buildenv.pl unpack-channel.nix unpack-channel.sh derivation.nix
+files = nar.nix buildenv.nix buildenv.pl unpack-channel.nix unpack-channel.sh derivation.nix fetchurl.nix
 
 install-exec-local:
 	$(INSTALL) -d $(DESTDIR)$(datadir)/nix/corepkgs
diff --git a/corepkgs/config.nix.in b/corepkgs/config.nix.in
index 1be4bd0904ba..26e821d0e2d7 100644
--- a/corepkgs/config.nix.in
+++ b/corepkgs/config.nix.in
@@ -10,5 +10,6 @@ in {
   xz = "@xz@";
   tar = "@tar@";
   tr = "@tr@";
+  curl = "@curl@";
   nixBinDir = fromEnv "NIX_BIN_DIR" "@bindir@";
 }
diff --git a/corepkgs/fetchurl.nix b/corepkgs/fetchurl.nix
new file mode 100644
index 000000000000..4a0ae827995d
--- /dev/null
+++ b/corepkgs/fetchurl.nix
@@ -0,0 +1,36 @@
+with import <nix/config.nix>;
+
+{system ? builtins.currentSystem, url, outputHash ? "", outputHashAlgo ? "", md5 ? "", sha1 ? "", sha256 ? ""}:
+
+assert (outputHash != "" && outputHashAlgo != "")
+    || md5 != "" || sha1 != "" || sha256 != "";
+
+let
+
+  builder = builtins.toFile "fetchurl.sh"
+    ''
+      echo "downloading $url into $out"
+      ${curl} --fail --location --max-redirs 20 --insecure "$url" > "$out"
+    '';
+
+in
+    
+derivation {
+  name = baseNameOf (toString url);
+  builder = shell;
+  args = [ "-e" builder ];
+
+  # New-style output content requirements.
+  outputHashAlgo = if outputHashAlgo != "" then outputHashAlgo else
+      if sha256 != "" then "sha256" else if sha1 != "" then "sha1" else "md5";
+  outputHash = if outputHash != "" then outputHash else
+      if sha256 != "" then sha256 else if sha1 != "" then sha1 else md5;
+  
+  inherit system url;
+
+  # No need to double the amount of network traffic
+  preferLocalBuild = true;
+
+  # Don't build in a chroot because Nix's dependencies may not be there.
+  __noChroot = true;
+}
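Review bot: The curl call in the builder passes `--insecure`, so the server certificate is never verified and the declared output hash is the only check between a tampered download and the store. That hash may still be weak: the `outputHashAlgo` fallback chain ends in `"md5"`, and `sha1` is accepted as well. I would drop `--insecure` if a CA bundle can be made available to the builder (not visible from this hunk), or otherwise state the trade-off in a comment above the command, e.g. `# TLS is not verified; integrity rests entirely on outputHash`, and steer callers toward `sha256`. The comment on `__noChroot = true` could also say that the exemption is acceptable only because the output is pinned by hash.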
diff --git a/doc/manual/Makefile.am b/doc/manual/Makefile.am
index 33cb27e054bd..42da3c8b0c09 100644
--- a/doc/manual/Makefile.am
+++ b/doc/manual/Makefile.am
@@ -21,6 +21,8 @@ man1_MANS = nix-env.1 nix-build.1 nix-store.1 nix-instantiate.1 \
  nix-prefetch-url.1 nix-channel.1 \
  nix-install-package.1 nix-hash.1 nix-copy-closure.1
 
+man5_MANS = nix.conf.5
+
 man8_MANS = nix-worker.8
 
 FIGURES = figures/user-environments.png
diff --git a/doc/manual/conf-file.xml b/doc/manual/conf-file.xml
index e2890b1031ed..00016b97b45a 100644
--- a/doc/manual/conf-file.xml
+++ b/doc/manual/conf-file.xml
@@ -1,27 +1,36 @@
-<section xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xml:id="sec-conf-file">
+<refentry xmlns="http://docbook.org/ns/docbook"
+          xmlns:xlink="http://www.w3.org/1999/xlink"
+          xmlns:xi="http://www.w3.org/2001/XInclude"
+          xml:id="sec-conf-file">
 
-<title>Nix configuration file</title>
+<refmeta>
+  <refentrytitle>nix.conf</refentrytitle>
+  <manvolnum>5</manvolnum>
+  <refmiscinfo class="source">Nix</refmiscinfo>
+  <refmiscinfo class="version"><xi:include href="version.txt" parse="text"/></refmiscinfo>
+</refmeta>
 
+<refnamediv>
+  <refname>nix.conf</refname>
+  <refpurpose>Nix configuration file</refpurpose>
+</refnamediv>
+
+<refsection><title>Description</title>
 
 <para>A number of persistent settings of Nix are stored in the file
 <filename><replaceable>sysconfdir</replaceable>/nix/nix.conf</filename>.
 This file is a list of <literal><replaceable>name</replaceable> =
 <replaceable>value</replaceable></literal> pairs, one per line.
-Comments start with a <literal>#</literal> character.  An example
-configuration file is shown in <xref linkend="ex-nix-conf" />.</para>
-
-<example xml:id='ex-nix-conf'><title>Nix configuration file</title>
+Comments start with a <literal>#</literal> character.  Here is an example
+configuration file:</para>
 
 <programlisting>
 gc-keep-outputs = true       # Nice for developers
 gc-keep-derivations = true   # Idem
 env-keep-derivations = false
 </programlisting>
-</example>
 
-<para>The following variables are currently available: 
+<para>The following settings are currently available: 
 
 <variablelist>
 
@@ -343,5 +352,6 @@ build-use-chroot = /dev /proc /bin</programlisting>
 
 </para>
 
+</refsection>
 
-</section>
+</refentry>
diff --git a/doc/manual/manual.xml b/doc/manual/manual.xml
index 95fbe7d90414..ccff9423cf17 100644
--- a/doc/manual/manual.xml
+++ b/doc/manual/manual.xml
@@ -40,7 +40,6 @@
     <title>Command Reference</title>
     <xi:include href="opt-common.xml" />
     <xi:include href="env-common.xml" />
-    <xi:include href="conf-file.xml" />
     
     <section>
       <title>Main commands</title>
@@ -63,6 +62,11 @@
       <xi:include href="nix-worker.xml" />
     </section>
 
+    <section>
+      <title>Files</title>
+      <xi:include href="conf-file.xml" />
+    </section>
+    
   </appendix>
 
   <xi:include href="troubleshooting.xml" />
diff --git a/nix.conf.example b/nix.conf.example
deleted file mode 100644
index 3c55b570e60f..000000000000
--- a/nix.conf.example
+++ /dev/null
@@ -1,181 +0,0 @@
-### Option `gc-keep-outputs'
-#
-# If `true', the garbage collector will keep the outputs of
-# non-garbage derivations.  If `false' (default), outputs will be
-# deleted unless they are GC roots themselves (or reachable from other
-# roots).
-# 
-# In general, outputs must be registered as roots separately.
-# However, even if the output of a derivation is registered as a root,
-# the collector will still delete store paths that are used only at
-# build time (e.g., the C compiler, or source tarballs downloaded from
-# the network).  To prevent it from doing so, set this option to
-# `true'.
-#gc-keep-outputs = false
-
-
-### Option `gc-keep-derivations'
-#
-# If `true' (default), the garbage collector will keep the derivations
-# from which non-garbage store paths were built.  If `false', they
-# will be deleted unless explicitly registered as a root (or reachable
-# from other roots).
-#
-# Keeping derivation around is useful for querying and traceability
-# (e.g., it allows you to ask with what dependencies or options a
-# store path was built), so by default this option is on.  Turn it off
-# to safe a bit of disk space (or a lot if `gc-keep-outputs' is also
-# turned on).
-#gc-keep-derivations = true
-
-
-### Option `env-keep-derivations'
-#
-# If `false' (default), derivations are not stored in Nix user
-# environments.  That is, the derivation any build-time-only
-# dependencies may be garbage-collected.
-#
-# If `true', when you add a Nix derivation to a user environment, the
-# path of the derivation is stored in the user environment.  Thus, the
-# derivation will not be garbage-collected until the user environment
-# generation is deleted (`nix-env --delete-generations').  To prevent
-# build-time-only dependencies from being collected, you should also
-# turn on `gc-keep-outputs'.
-#
-# The difference between this option and `gc-keep-derivations' is that
-# this one is `sticky': it applies to any user environment created
-# while this option was enabled, while `gc-keep-derivations' only
-# applies at the moment the garbage collector is run.
-#env-keep-derivations = false
-
-
-### Option `build-max-jobs'
-#
-# This option defines the maximum number of jobs that Nix will try to
-# build in parallel.  The default is 1.  You should generally set it
-# to the number of CPUs in your system (e.g., 2 on a Athlon 64 X2).
-# It can be overriden using the `--max-jobs' / `-j' command line
-# switch.
-#build-max-jobs = 1
-
-
-### Option `build-cores'
-#
-# This option defines the number of CPU cores to utilize in parallel
-# within a build job, i.e. by passing an appropriate `-jN' flag to GNU
-# Make. The default is 1, meaning that parallel building within jobs
-# is disabled.  Passing the special value `0' causes Nix to try and
-# auto-detect the number of available cores on the local host.  This
-# setting can be overridden using the `--cores' command line switch.
-#build-cores = 1
-
-
-### Option `build-max-silent-time'
-#
-# This option defines the maximum number of seconds that a builder can
-# go without producing any data on standard output or standard error.
-# This is useful (for instance in a automated build system) to catch
-# builds that are stuck in an infinite loop, or to catch remote builds
-# that are hanging due to network problems.  It can be overriden using
-# the `--max-silent-time' command line switch.
-#
-# The value 0 means that there is no timeout.  This is also the
-# default.
-#
-# Example:
-#   build-max-silent-time = 600 # = 10 minutes
-#build-max-silent-time = 0
-
-
-### Option `build-users-group'
-#
-# This options specifies the Unix group containing the Nix build user
-# accounts.  In multi-user Nix installations, builds should not
-# be performed by the Nix account since that would allow users to
-# arbitrarily modify the Nix store and database by supplying specially
-# crafted builders; and they cannot be performed by the calling user
-# since that would allow him/her to influence the build result.
-#
-# Therefore, if this option is non-empty and specifies a valid group,
-# builds will be performed under the user accounts that are a member
-# of the group specified here (as listed in /etc/group).  Those user
-# accounts should not be used for any other purpose!
-#
-# Nix will never run two builds under the same user account at the
-# same time.  This is to prevent an obvious security hole: a malicious
-# user writing a Nix expression that modifies the build result of a
-# legitimate Nix expression being built by another user.  Therefore it
-# is good to have as many Nix build user accounts as you can spare.
-# (Remember: uids are cheap.)
-#
-# The build users should have permission to create files in the Nix
-# store, but not delete them.  Therefore, /nix/store should be owned
-# by the Nix account, its group should be the group specified here,
-# and its mode should be 1775.
-#
-# If the build users group is empty, builds will be performed under
-# the uid of the Nix process (that is, the uid of the caller if
-# $NIX_REMOTE is empty, the uid under which the Nix daemon runs if
-# $NIX_REMOTE is `daemon', or the uid that owns the setuid nix-worker
-# program if $NIX_REMOTE is `slave').  Obviously, this should not be
-# used in multi-user settings with untrusted users.
-#
-# The default is empty.
-#
-# Example:
-#   build-users-group = nix-builders
-#build-users-group =
-
-
-### Option `build-use-chroot'
-#
-# If set to `true', builds will be performed in a chroot environment,
-# i.e., the build will be isolated from the normal file system
-# hierarchy and will only see the Nix store, the temporary build
-# directory, and the directories configured with the
-# `build-chroot-dirs' option (such as /proc and /dev).  This is useful
-# to prevent undeclared dependencies on files in directories such as
-# /usr/bin.
-#
-# The use of a chroot requires that Nix is run as root (but you can
-# still use the "build users" feature to perform builds under
-# different users than root).  Currently, chroot builds only work on
-# Linux because Nix uses "bind mounts" to make the Nix store and other
-# directories available inside the chroot.
-#
-# The default is `false'.
-#
-# Example:
-#   build-use-chroot = true
-#build-use-chroot = false
-
-
-### Option `build-chroot-dirs'
-#
-# When builds are performed in a chroot environment, Nix will mount
-# (using `mount --bind' on Linux) some directories from the normal
-# file system hierarchy inside the chroot.  These are the Nix store,
-# the temporary build directory (usually /tmp/nix-<pid>-<number>) and
-# the directories listed here.  The default is "/dev /dev/pts /proc".
-# Files in /dev (such as /dev/null) are needed by many builds, and
-# some files in /proc may also be needed occasionally.
-#
-# Example:
-#   build-use-chroot = /dev /proc /bin
-#build-chroot-dirs = /dev /dev/pts /proc
-
-
-### Option `build-cache-failure'
-#
-# If this option is enabled, Nix will do negative caching; that is, it
-# will remember failed builds, and won't attempt to try to build them
-# again if you ask for it.  Negative caching is disabled by default
-# because Nix cannot distinguish between permanent build errors (e.g.,
-# a syntax error in a source file) and transient build errors (e.g., a
-# full disk), as they both cause the builder to return a non-zero exit
-# code.  You can clear the cache by doing `rm -f
-# /nix/var/nix/db/failed/*'.
-#
-# Example:
-#   build-cache-failure = true
-#build-cache-failure = false
diff --git a/nix.spec.in b/nix.spec.in
index 44ea8d7c9476..8b1ea8a543e9 100644
--- a/nix.spec.in
+++ b/nix.spec.in
@@ -121,10 +121,7 @@ ln -sf %{_libdir}/nix/libNixStore.so.0 Store.so
 popd
 
 # Specify build users group
-sed -i "s|#build-users-group =$|build-users-group = %{nixbld_group}|" \
-  $RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf
-# ... and delete the example configuration
-rm $RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf.example
+echo "build-users-group = %{nixbld_group}" > $RPM_BUILD_ROOT%{_sysconfdir}/nix/nix.conf
 
 # make per-user directories
 for d in profiles gcroots;
@@ -192,8 +189,9 @@ systemctl start  nix-worker.service
 %endif
 %{_datadir}/emacs/site-lisp/nix-mode.el
 %{_datadir}/nix
-%{_mandir}/man1/nix-*.1*
-%{_mandir}/man8/nix-*.8*
+%{_mandir}/man1/*.1*
+%{_mandir}/man5/*.5*
+%{_mandir}/man8/*.8*
 %config(noreplace) %{_sysconfdir}/profile.d/nix.sh
 /nix
 %dir %{_sysconfdir}/nix
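Review bot: Widening the man1 and man8 patterns to `*.1*` and `*.8*` is not needed for this change, since only the new `nix.conf.5` page falls outside the old `nix-*` prefix. The wider globs will package any man page that ends up in those directories of the build root, which makes an accidentally installed file harder to notice. Keeping the two original lines and adding `%{_mandir}/man5/nix.conf.5*` would list exactly what the commit introduces. The `%files` section starts and ends outside this hunk.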
diff --git a/tests/Makefile.am b/tests/Makefile.am
index f44caa4b3953..517c382b1960 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -9,7 +9,7 @@ TESTS = init.sh hash.sh lang.sh add.sh simple.sh dependencies.sh \
   gc-runtime.sh install-package.sh check-refs.sh filter-source.sh \
   remote-store.sh export.sh export-graph.sh negative-caching.sh \
   binary-patching.sh timeout.sh secure-drv-outputs.sh nix-channel.sh \
-  multiple-outputs.sh import-derivation.sh
+  multiple-outputs.sh import-derivation.sh fetchurl.sh
 
 XFAIL_TESTS =
 
@@ -38,6 +38,7 @@ EXTRA_DIST = $(TESTS) \
   secure-drv-outputs.nix \
   multiple-outputs.nix \
   import-derivation.nix \
+  fetchurl.nix \
   $(wildcard lang/*.nix) $(wildcard lang/*.exp) $(wildcard lang/*.exp.xml) $(wildcard lang/*.flags) $(wildcard lang/dir*/*.nix) \
   common.sh.in
 
diff --git a/tests/fetchurl.nix b/tests/fetchurl.nix
new file mode 100644
index 000000000000..2abcc039a832
--- /dev/null
+++ b/tests/fetchurl.nix
@@ -0,0 +1,6 @@
+{ filename, sha256 }:
+
+import <nix/fetchurl.nix> {
+  url = "file://${filename}";
+  inherit sha256;
+}
diff --git a/tests/fetchurl.sh b/tests/fetchurl.sh
new file mode 100644
index 000000000000..bb6180ca3954
--- /dev/null
+++ b/tests/fetchurl.sh
@@ -0,0 +1,9 @@
+source common.sh
+
+clearStore
+
+hash=$(nix-hash --flat --type sha256 ./fetchurl.nix)
+
+outPath=$(nix-build ./fetchurl.nix --argstr filename $(pwd)/fetchurl.nix --argstr sha256 $hash)
+
+cmp $outPath fetchurl.nix
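Review bot: The test only covers the case where the supplied hash is correct, so nothing checks that the fetcher rejects content that does not match `sha256`, and with `--insecure` in `corepkgs/fetchurl.nix` that hash comparison is the only integrity control on the download. A second `nix-build` invocation with a deliberately wrong `sha256`, expected to fail, would pin that behaviour. Separately, `$(pwd)`, `$hash` and `$outPath` are unquoted, so the script breaks when the checkout path contains spaces; `--argstr filename "$(pwd)/fetchurl.nix" --argstr sha256 "$hash"` and `cmp "$outPath" fetchurl.nix` avoid that.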