12 files changed, 310 insertions, 118 deletions

diff --git a/gnu/services/audio.scm b/gnu/services/audio.scm
index 627b941871..c60053f33c 100644
--- a/gnu/services/audio.scm
+++ b/gnu/services/audio.scm
@@ -163,7 +163,11 @@ audio_output {
 
         (let ((directory #$(mpd-file-name config ".mpd")))
           (mkdir-p directory)
-          (chown directory (passwd:uid %user) (passwd:gid %user))))))
+          (chown directory (passwd:uid %user) (passwd:gid %user))
+
+          ;; Make /var/run/mpd/USER user-owned as well.
+          (chown (dirname directory)
+                 (passwd:uid %user) (passwd:gid %user))))))
 
 
 (define %mpd-accounts
diff --git a/gnu/services/avahi.scm b/gnu/services/avahi.scm
index 54656708ca..7812191cb2 100644
--- a/gnu/services/avahi.scm
+++ b/gnu/services/avahi.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -130,7 +130,7 @@
     (list (shepherd-service
            (documentation "Run the Avahi mDNS/DNS-SD responder.")
            (provision '(avahi-daemon))
-           (requirement '(dbus-system networking))
+           (requirement '(user-processes dbus-system networking))
 
            (start #~(make-forkexec-constructor
                      (list #$(file-append avahi "/sbin/avahi-daemon")
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 3fc4d5f885..945b546607 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1530,6 +1530,8 @@ archive' public keys, with GUIX."
                     (default 0))
   (log-compression  guix-configuration-log-compression
                     (default 'bzip2))
+  (discover?        guix-configuration-discover?
+                    (default #f))
   (extra-options    guix-configuration-extra-options ;list of strings
                     (default '()))
   (log-file         guix-configuration-log-file   ;string
@@ -1566,18 +1568,40 @@ proxy of 'guix-daemon'...~%")
                     (environ environment)
                     #t)))))
 
+(define shepherd-discover-action
+  ;; Shepherd action to enable or disable substitute servers discovery.
+  (shepherd-action
+   (name 'discover)
+   (documentation
+    "Enable or disable substitute servers discovery and restart the
+'guix-daemon'.")
+   (procedure #~(lambda* (_ status)
+                  (let ((environment (environ)))
+                    (if (and status
+                             (string=? status "on"))
+                        (begin
+                          (format #t "enable substitute servers discovery~%")
+                          (setenv "discover" "on"))
+                        (begin
+                          (format #t "disable substitute servers discovery~%")
+                          (unsetenv "discover")))
+                    (action 'guix-daemon 'restart)
+                    (environ environment)
+                    #t)))))
+
 (define (guix-shepherd-service config)
   "Return a <shepherd-service> for the Guix daemon service with CONFIG."
   (match-record config <guix-configuration>
     (guix build-group build-accounts authorize-key? authorized-keys
           use-substitutes? substitute-urls max-silent-time timeout
-          log-compression extra-options log-file http-proxy tmpdir
-          chroot-directories)
+          log-compression discover? extra-options log-file
+          http-proxy tmpdir chroot-directories)
     (list (shepherd-service
            (documentation "Run the Guix daemon.")
            (provision '(guix-daemon))
            (requirement '(user-processes))
-           (actions (list shepherd-set-http-proxy-action))
+           (actions (list shepherd-set-http-proxy-action
+                          shepherd-discover-action))
            (modules '((srfi srfi-1)
                       (ice-9 match)
                       (gnu build shepherd)))
@@ -1592,6 +1616,9 @@ proxy of 'guix-daemon'...~%")
                     ;; the 'set-http-proxy' action.
                     (or (getenv "http_proxy") #$http-proxy))
 
+                  (define discover?
+                    (or (getenv "discover") #$discover?))
+
                   ;; Start the guix-daemon from a container, when supported,
                   ;; to solve an installation issue. See the comment below for
                   ;; more details.
@@ -1606,6 +1633,8 @@ proxy of 'guix-daemon'...~%")
                           #$@(if use-substitutes?
                                  '()
                                  '("--no-substitutes"))
+                          (string-append "--discover="
+                                         (if discover? "yes" "no"))
                           "--substitute-urls" #$(string-join substitute-urls)
                           #$@extra-options
 
@@ -1689,17 +1718,18 @@ proxy of 'guix-daemon'...~%")
   "Return a file that contains the list of references of ITEM."
   (if (struct? item)                              ;lowerable object
       (computed-file name
-                     (with-imported-modules (source-module-closure
-                                             '((guix build store-copy)))
-                       #~(begin
-                           (use-modules (guix build store-copy))
-
-                           (call-with-output-file #$output
-                             (lambda (port)
-                               (write (map store-info-item
-                                           (call-with-input-file "graph"
-                                             read-reference-graph))
-                                      port)))))
+                     (with-extensions (list guile-gcrypt) ;for store-copy
+                       (with-imported-modules (source-module-closure
+                                               '((guix build store-copy)))
+                         #~(begin
+                             (use-modules (guix build store-copy))
+
+                             (call-with-output-file #$output
+                               (lambda (port)
+                                 (write (map store-info-item
+                                             (call-with-input-file "graph"
+                                               read-reference-graph))
+                                        port))))))
                      #:options `(#:local-build? #f
                                  #:references-graphs (("graph" ,item))))
       (plain-file name "()")))
@@ -1744,6 +1774,8 @@ proxy of 'guix-daemon'...~%")
            (default 80))
   (host    guix-publish-configuration-host        ;string
            (default "localhost"))
+  (advertise? guix-publish-advertise?       ;boolean
+              (default #f))
   (compression       guix-publish-configuration-compression
                      (thunked)
                      (default (default-compression this-record
@@ -1790,10 +1822,13 @@ raise a deprecation warning if the 'compression-level' field was used."
                    lst))))
 
   (match-record config <guix-publish-configuration>
-    (guix port host nar-path cache workers ttl cache-bypass-threshold)
+    (guix port host nar-path cache workers ttl cache-bypass-threshold
+          advertise?)
     (list (shepherd-service
            (provision '(guix-publish))
-           (requirement '(guix-daemon))
+           (requirement `(user-processes
+                          guix-daemon
+                          ,@(if advertise? '(avahi-daemon) '())))
            (start #~(make-forkexec-constructor
                      (list #$(file-append guix "/bin/guix")
                            "publish" "-u" "guix-publish"
@@ -1801,6 +1836,9 @@ raise a deprecation warning if the 'compression-level' field was used."
                            #$@(config->compression-options config)
                            (string-append "--nar-path=" #$nar-path)
                            (string-append "--listen=" #$host)
+                           #$@(if advertise?
+                                  #~("--advertise")
+                                  #~())
                            #$@(if workers
                                   #~((string-append "--workers="
                                                     #$(number->string
diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm
index a50f583807..7706ed41c6 100644
--- a/gnu/services/cuirass.scm
+++ b/gnu/services/cuirass.scm
@@ -69,6 +69,8 @@
                     (default "cuirass"))
   (interval         cuirass-configuration-interval ;integer (seconds)
                     (default 60))
+  (queue-size       cuirass-configuration-queue-size
+                    (default 1))
   (database         cuirass-configuration-database ;string (file-name)
                     (default "/var/lib/cuirass/cuirass.db"))
   (port             cuirass-configuration-port ;integer (port)
@@ -98,6 +100,7 @@
         (user             (cuirass-configuration-user config))
         (group            (cuirass-configuration-group config))
         (interval         (cuirass-configuration-interval config))
+        (queue-size       (cuirass-configuration-queue-size config))
         (database         (cuirass-configuration-database config))
         (ttl              (cuirass-configuration-ttl config))
         (port             (cuirass-configuration-port config))
@@ -119,6 +122,7 @@
                            "--database" #$database
                            "--ttl" #$(string-append (number->string ttl) "s")
                            "--interval" #$(number->string interval)
+                           "--queue-size" #$(number->string queue-size)
                            #$@(if queries-log-file
                                   (list (string-append "--log-queries="
                                                        queries-log-file))
diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm
index 60b31e0373..d2dc5f0da8 100644
--- a/gnu/services/databases.scm
+++ b/gnu/services/databases.scm
@@ -38,15 +38,13 @@
   #:use-module (guix gexp)
   #:use-module (srfi srfi-1)
   #:use-module (ice-9 match)
-  #:export (<postgresql-config-file>
-            postgresql-config-file
+  #:export (postgresql-config-file
             postgresql-config-file?
             postgresql-config-file-log-destination
             postgresql-config-file-hba-file
             postgresql-config-file-ident-file
             postgresql-config-file-extra-config
 
-            <postgresql-configuration>
             postgresql-configuration
             postgresql-configuration?
             postgresql-configuration-postgresql
@@ -59,7 +57,6 @@
             postgresql-service-type
 
             memcached-service-type
-            <memcached-configuration>
             memcached-configuration
             memcached-configuration?
             memcached-configuration-memecached
@@ -68,7 +65,6 @@
             memcached-configuration-udp-port
             memcached-configuration-additional-options
 
-            <mongodb-configuration>
             mongodb-configuration
             mongodb-configuration?
             mongodb-configuration-mongodb
@@ -580,14 +576,14 @@ FLUSH PRIVILEGES;
                    ;; The socket is ready!
                    (execl mysql-upgrade mysql-upgrade
                           (string-append "--socket=" #$socket-file))))
-                 (lambda args
-                   (if (< i timeout)
-                       (begin
-                         (sleep 1)
-                         (loop (+ 1 i)))
-                       ;; No luck, give up.
-                       (throw 'timeout-error
-                              "MySQL server did not appear in time!"))))))))))
+               (lambda args
+                 (if (< i timeout)
+                     (begin
+                       (sleep 1)
+                       (loop (+ 1 i)))
+                     ;; No luck, give up.
+                     (throw 'timeout-error
+                            "MySQL server did not appear in time!"))))))))))
 
 (define (mysql-upgrade-shepherd-service config)
   (list (shepherd-service
diff --git a/gnu/services/linux.scm b/gnu/services/linux.scm
index 72c7779596..1046a7e0c2 100644
--- a/gnu/services/linux.scm
+++ b/gnu/services/linux.scm
@@ -147,35 +147,34 @@ representation."
 (define kernel-module-loader-shepherd-service
   (match-lambda
     ((and (? list? kernel-modules) ((? string?) ...))
-     (list
-      (shepherd-service
-       (documentation "Load kernel modules.")
-       (provision '(kernel-module-loader))
-       (requirement '(file-systems))
-       (one-shot? #t)
-       (modules `((srfi srfi-1)
-                  (srfi srfi-34)
-                  (srfi srfi-35)
-                  (rnrs io ports)
-                  ,@%default-modules))
-       (start
-        #~(lambda _
-            (cond
-             ((null? '#$kernel-modules) #t)
-             ((file-exists? "/proc/sys/kernel/modprobe")
-              (let ((modprobe (call-with-input-file
-                               "/proc/sys/kernel/modprobe" get-line)))
-                (guard (c ((message-condition? c)
-                           (format (current-error-port) "~a~%"
-                                   (condition-message c))
-                           #f))
-                  (every (lambda (module)
-                         (invoke/quiet modprobe "--" module))
-                         '#$kernel-modules))))
-             (else
-               (format (current-error-port) "error: ~a~%"
-                       "Kernel is missing loadable module support.")
-               #f)))))))))
+     (shepherd-service
+      (documentation "Load kernel modules.")
+      (provision '(kernel-module-loader))
+      (requirement '(file-systems))
+      (one-shot? #t)
+      (modules `((srfi srfi-1)
+                 (srfi srfi-34)
+                 (srfi srfi-35)
+                 (rnrs io ports)
+                 ,@%default-modules))
+      (start
+       #~(lambda _
+           (cond
+            ((null? '#$kernel-modules) #t)
+            ((file-exists? "/proc/sys/kernel/modprobe")
+             (let ((modprobe (call-with-input-file
+                                 "/proc/sys/kernel/modprobe" get-line)))
+               (guard (c ((message-condition? c)
+                          (format (current-error-port) "~a~%"
+                                  (condition-message c))
+                          #f))
+                 (every (lambda (module)
+                          (invoke/quiet modprobe "--" module))
+                        '#$kernel-modules))))
+            (else
+             (format (current-error-port) "error: ~a~%"
+                     "Kernel is missing loadable module support.")
+             #f))))))))
 
 (define kernel-module-loader-service-type
   (service-type
@@ -183,7 +182,7 @@ representation."
    (description "Load kernel modules.")
    (extensions
     (list (service-extension shepherd-root-service-type
-                             kernel-module-loader-shepherd-service)))
+                             (compose list kernel-module-loader-shepherd-service))))
    (compose concatenate)
    (extend append)
    (default-value '())))
diff --git a/gnu/services/mail.scm b/gnu/services/mail.scm
index 71fa975b5d..c0f6371104 100644
--- a/gnu/services/mail.scm
+++ b/gnu/services/mail.scm
@@ -4,6 +4,7 @@
 ;;; Copyright © 2017 Carlo Zancanaro <carlo@zancanaro.id.au>
 ;;; Copyright © 2017, 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2019 Kristofer Buffington <kristoferbuffington@gmail.com>
+;;; Copyright © 2020 Jonathan Brielmaier <jonathan.brielmaier@web.de>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,6 +32,7 @@
   #:use-module (gnu system shadow)
   #:use-module (gnu packages mail)
   #:use-module (gnu packages admin)
+  #:use-module (gnu packages dav)
   #:use-module (gnu packages tls)
   #:use-module (guix records)
   #:use-module (guix packages)
@@ -70,7 +72,12 @@
             imap4d-configuration
             imap4d-configuration?
             imap4d-service-type
-            %default-imap4d-config-file))
+            %default-imap4d-config-file
+
+            radicale-configuration
+            radicale-configuration?
+            radicale-service-type
+            %default-radicale-config-file))
 
 ;;; Commentary:
 ;;;
@@ -1834,3 +1841,75 @@ exim_group = exim
     (list (service-extension
            shepherd-root-service-type imap4d-shepherd-service)))
    (default-value (imap4d-configuration))))
+
+
+;;;
+;;; Radicale.
+;;;
+
+(define-record-type* <radicale-configuration>
+  radicale-configuration make-radicale-configuration
+  radicale-configuration?
+  (package     radicale-configuration-package
+               (default radicale))
+  (config-file radicale-configuration-config-file
+               (default %default-radicale-config-file)))
+
+(define %default-radicale-config-file
+  (plain-file "radicale.conf" "
+[auth]
+type = htpasswd
+htpasswd_filename = /var/lib/radicale/users
+htpasswd_encryption = plain
+
+[server]
+hosts = localhost:5232"))
+
+(define %radicale-accounts
+  (list (user-group
+         (name "radicale")
+         (system? #t))
+        (user-account
+         (name "radicale")
+         (group "radicale")
+         (system? #t)
+         (comment "Radicale Daemon")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))))
+
+(define radicale-shepherd-service
+  (match-lambda
+    (($ <radicale-configuration> package config-file)
+     (list (shepherd-service
+            (provision '(radicale))
+            (documentation "Run the radicale daemon.")
+            (requirement '(networking))
+            (start #~(make-forkexec-constructor
+                      (list #$(file-append package "/bin/radicale")
+                        "-C" #$config-file)
+                      #:user "radicale"
+                      #:group "radicale"))
+            (stop #~(make-kill-destructor)))))))
+
+(define radicale-activation
+  (match-lambda
+    (($ <radicale-configuration> package config-file)
+     (with-imported-modules '((guix build utils))
+       #~(begin
+           (use-modules (guix build utils))
+           (let ((uid (passwd:uid (getpw "radicale")))
+                 (gid (group:gid (getgr "radicale"))))
+             (mkdir-p "/var/lib/radicale/collections")
+             (chown "/var/lib/radicale" uid gid)
+             (chown "/var/lib/radicale/collections" uid gid)
+             (chmod "/var/lib/radicale" #o700)))))))
+
+(define radicale-service-type
+  (service-type
+   (name 'radicale)
+   (description "Run radicale, a small CalDAV and CardDAV server.")
+   (extensions
+    (list (service-extension shepherd-root-service-type radicale-shepherd-service)
+          (service-extension account-service-type (const %radicale-accounts))
+          (service-extension activation-service-type radicale-activation)))
+   (default-value (radicale-configuration))))
diff --git a/gnu/services/monitoring.scm b/gnu/services/monitoring.scm
index da3d736ba6..5123a8c441 100644
--- a/gnu/services/monitoring.scm
+++ b/gnu/services/monitoring.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Sou Bunnbu <iyzsong@member.fsf.org>
 ;;; Copyright © 2018, 2019 Gábor Boskovits <boskovits@gmail.com>
-;;; Copyright © 2018, 2019 Oleg Pykhalov <go.wigust@gmail.com>
+;;; Copyright © 2018, 2019, 2020 Oleg Pykhalov <go.wigust@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -36,8 +36,12 @@
   #:use-module (srfi srfi-26)
   #:use-module (srfi srfi-35)
   #:export (darkstat-configuration
-            prometheus-node-exporter-configuration
             darkstat-service-type
+
+            prometheus-node-exporter-configuration
+            prometheus-node-exporter-configuration?
+            prometheus-node-exporter-configuration-package
+            prometheus-node-exporter-web-listen-address
             prometheus-node-exporter-service-type
 
             zabbix-server-configuration
@@ -110,6 +114,11 @@ HTTP.")
           (service-extension shepherd-root-service-type
                              (compose list darkstat-shepherd-service))))))
 
+
+;;;
+;;; Prometheus node exporter
+;;;
+
 (define-record-type* <prometheus-node-exporter-configuration>
   prometheus-node-exporter-configuration
   make-prometheus-node-exporter-configuration
@@ -117,31 +126,73 @@ HTTP.")
   (package prometheus-node-exporter-configuration-package
            (default go-github-com-prometheus-node-exporter))
   (web-listen-address prometheus-node-exporter-web-listen-address
-                      (default ":9100")))
+                      (default ":9100"))
+  (textfile-directory prometheus-node-exporter-textfile-directory
+                      (default "/var/lib/prometheus/node-exporter"))
+  (extra-options      prometheus-node-exporter-extra-options
+                      (default '())))
+
+(define %prometheus-node-exporter-accounts
+  (list (user-account
+         (name "prometheus-node-exporter")
+         (group "prometheus-node-exporter")
+         (system? #t)
+         (comment "Prometheus node exporter daemon user")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))
+        (user-group
+         (name "prometheus-node-exporter")
+         (system? #t))))
 
 (define prometheus-node-exporter-shepherd-service
   (match-lambda
     (( $ <prometheus-node-exporter-configuration>
-         package web-listen-address)
-     (shepherd-service
-      (documentation "Prometheus node exporter.")
-      (provision '(prometheus-node-exporter))
-      (requirement '(networking))
-      (start #~(make-forkexec-constructor
-                (list #$(file-append package "/bin/node_exporter")
-                      "--web.listen-address" #$web-listen-address)))
-      (stop #~(make-kill-destructor))))))
+         package web-listen-address textfile-directory extra-options)
+     (list
+      (shepherd-service
+       (documentation "Prometheus node exporter.")
+       (provision '(prometheus-node-exporter))
+       (requirement '(networking))
+       (start #~(make-forkexec-constructor
+                 (list #$(file-append package "/bin/node_exporter")
+                       "--web.listen-address" #$web-listen-address
+                       #$@(if textfile-directory
+                              (list "--collector.textfile.directory"
+                                    textfile-directory)
+                              '())
+                       #$@extra-options)
+                 #:user "prometheus-node-exporter"
+                 #:group "prometheus-node-exporter"
+                 #:log-file "/var/log/prometheus-node-exporter.log"))
+       (stop #~(make-kill-destructor)))))))
+
+(define (prometheus-node-exporter-activation config)
+  (with-imported-modules '((guix build utils))
+    #~(let ((textfile-directory
+             #$(prometheus-node-exporter-textfile-directory config)))
+        (use-modules (guix build utils))
+
+        (when textfile-directory
+          (let ((user (getpw "prometheus-node-exporter")))
+            #t
+            (mkdir-p textfile-directory)
+            (chown textfile-directory (passwd:uid user) (passwd:gid user))
+            (chmod textfile-directory #o775))))))
 
 (define prometheus-node-exporter-service-type
   (service-type
    (name 'prometheus-node-exporter)
    (description
     "Run @command{node_exporter} to serve hardware and OS metrics to
-prometheus.")
+Prometheus.")
    (extensions
-    (list (service-extension
-           shepherd-root-service-type
-           (compose list prometheus-node-exporter-shepherd-service))))
+    (list
+     (service-extension account-service-type
+                        (const %prometheus-node-exporter-accounts))
+     (service-extension activation-service-type
+                        prometheus-node-exporter-activation)
+     (service-extension shepherd-root-service-type
+                        prometheus-node-exporter-shepherd-service)))
    (default-value (prometheus-node-exporter-configuration))))
 
 
@@ -343,7 +394,7 @@ configuration file."))
    (group "zabbix")
    "Group who will run the Zabbix agent.")
   (hostname
-   (string "Zabbix server")
+   (string "")
    "Unique, case sensitive hostname which is required for active checks and
 must match hostname as configured on the server.")
   (log-type
diff --git a/gnu/services/nix.scm b/gnu/services/nix.scm
index 93f46ef71e..1aef47db0a 100644
--- a/gnu/services/nix.scm
+++ b/gnu/services/nix.scm
@@ -89,37 +89,41 @@ GID."
          (id 40000))
         (nix-build-accounts 10 #:group "nixbld")))
 
-(define nix-activation
+(define (nix-activation _)
   ;; Return the activation gexp.
+  #~(begin
+      (use-modules (guix build utils)
+                   (srfi srfi-26))
+      (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
+                                   "/nix/var/nix/gcroots/per-user"
+                                   "/nix/var/nix/profiles/per-user"))
+      (chown "/nix/store"
+             (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
+      (chmod "/nix/store" #o775)
+      (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
+                                       "/nix/var/nix/profiles/per-user"))))
+
+(define nix-service-etc
   (match-lambda
     (($ <nix-configuration> package sandbox build-sandbox-items extra-config)
-     (with-imported-modules (source-module-closure
-                             '((guix build store-copy)))
-       #~(begin
-           (use-modules (guix build utils)
-                        (ice-9 format)
-                        (srfi srfi-1)
-                        (srfi srfi-26))
-           (for-each (cut mkdir-p <>) '("/nix/store" "/nix/var/log"
-                                        "/nix/var/nix/gcroots/per-user"
-                                        "/nix/var/nix/profiles/per-user"))
-           (chown "/nix/store"
-                  (passwd:uid (getpw "root")) (group:gid (getpw "nixbld01")))
-           (chmod "/nix/store" #o775)
-           (for-each (cut chmod <> #o777) '("/nix/var/nix/profiles"
-                                            "/nix/var/nix/profiles/per-user"))
-           (mkdir-p "/etc/nix")
-           (with-output-to-file "/etc/nix/nix.conf"
-             (lambda _
-               (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
-               ;; config.nix captures store file names.
-               (format #t "build-sandbox-paths = ~{~a ~}~%"
-                       (append (append-map (cut call-with-input-file <> read)
-                                           '#$(map references-file
-                                                   (list package)))
-                               '#$build-sandbox-items))
-               (for-each (cut display <>) '#$extra-config)
-               (newline))))))))
+     (let ((ref-file (references-file package)))
+       `(("nix/nix.conf"
+          ,(computed-file
+            "nix.conf"
+            #~(begin
+                (use-modules (srfi srfi-26)
+                             (ice-9 format))
+                (with-output-to-file #$output
+                  (lambda _
+                    (define internal-sandbox-paths
+                      (call-with-input-file #$ref-file read))
+
+                    (format #t "sandbox = ~a~%" (if #$sandbox "true" "false"))
+                    ;; config.nix captures store file names.
+                    (format #t "build-sandbox-paths = ~{~a ~}~%"
+                            (append internal-sandbox-paths
+                                    '#$build-sandbox-items))
+                    (for-each (cut display <>) '#$extra-config)))))))))))
 
 (define nix-shepherd-service
   ;; Return a <shepherd-service> for Nix.
@@ -143,6 +147,7 @@ GID."
     (list (service-extension shepherd-root-service-type nix-shepherd-service)
           (service-extension account-service-type nix-accounts)
           (service-extension activation-service-type nix-activation)
+          (service-extension etc-service-type nix-service-etc)
           (service-extension profile-service-type
                              (compose list nix-configuration-package))))
    (description "Run the Nix daemon.")
diff --git a/gnu/services/science.scm b/gnu/services/science.scm
index 94ff0f36f2..6f7ac91154 100644
--- a/gnu/services/science.scm
+++ b/gnu/services/science.scm
@@ -1,3 +1,21 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
 (define-module (gnu services science)
   #:export (<rshiny-configuration>
             rshiny-configuration
diff --git a/gnu/services/security-token.scm b/gnu/services/security-token.scm
index 354549b33c..ec26006538 100644
--- a/gnu/services/security-token.scm
+++ b/gnu/services/security-token.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -57,7 +58,7 @@
         (modules '((gnu build shepherd)))
         (start #~(lambda _
                    (invoke #$(file-append pcsc-lite "/sbin/pcscd"))
-                   (call-with-input-file "/var/run/pcscd/pcscd.pid" read)))
+                   (call-with-input-file "/run/pcscd/pcscd.pid" read)))
         (stop #~(make-kill-destructor)))))))
 
 (define pcscd-activation
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index eaf0bbde43..f435630faf 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -36,7 +36,6 @@
   #:use-module (gnu system file-systems)
   #:use-module (gnu system hurd)
   #:use-module (gnu system image)
-  #:use-module (gnu system images hurd)
   #:use-module (gnu system shadow)
   #:use-module (gnu system)
   #:use-module (guix derivations)
@@ -913,14 +912,12 @@ that will be listening to receive secret keys on port 1004, TCP."
 (define (hurd-vm-disk-image config)
   "Return a disk-image for the Hurd according to CONFIG.  The secret-service
 is added to the OS specified in CONFIG."
-  (let ((os (secret-service-operating-system (hurd-vm-configuration-os config)))
-        (disk-size (hurd-vm-configuration-disk-size config)))
-    (system-image
-     (image
-      (inherit hurd-disk-image)
-      (format 'compressed-qcow2)
-      (size disk-size)
-      (operating-system os)))))
+  (let* ((os        (secret-service-operating-system
+                     (hurd-vm-configuration-os config)))
+         (disk-size (hurd-vm-configuration-disk-size config))
+         (type      (lookup-image-type-by-name 'hurd-qcow2))
+         (os->image (image-type-constructor type)))
+    (system-image (os->image os))))
 
 (define (hurd-vm-port config base)
   "Return the forwarded vm port for this childhurd config."