Critical security update (CVE-2018-16737, CVE-2018-16738, CVE-2018-16758)

(cherry picked from commit 15a190e)

snapshot.debian.org actually keeps track of all of the updates as they
come in rather than doing arbitrary (?) snapshots.

(cherry picked from commit 9cc18fa)

When logging into a container by using
  nixos-container root-login
all nix-related commands in the container would fail, as they
tried to modify the nix db and nix store, which are mounted
read-only in the container.  We want nixos-container to not
try to modify the nix store at all, but instead delegate
any build commands to the nix daemon of the host operating system.

This already works for non-root users inside a nixos-container,
as it doesn't 'own' the nix-store, and thus defaults
to talking to the daemon socket at /nix/var/nix/daemon-socket/,
which is bind-mounted to the host daemon-socket, causing all nix
commands to be delegated to the host.

However, when we are the root user inside the container, we have the
same uid as the nix store owner, eventhough it's not actually
the same root user (due to user namespaces). Nix gets confused,
and is convinced it's running in single-user mode, and tries
to modify the nix store directly instead.

By setting `NIX_REMOTE=daemon` in `/etc/profile`, we force nix
to operate in multi-user mode, so that it will talk to the host
daemon instead, which will modify the nix store for the container.

This fixes NixOS#40355

(cherry picked from commit 3624bb5)

…rs"""

nixos-container can now execute nix commands again inside the container

This reverts commit 9622cd3.

(cherry picked from commit bb31835)

(cherry picked from commit 0668906)

(cherry picked from commit 844bcbd)

I'm not entirely sure what's going on here.  The exact same code works
on master.

(cherry picked from commit 2f7c242)

Included changes:

* upstream repository has moved, URLs changed accordingly
* journaldriver bumped to new upstream release

The new release includes an important workaround for an issue that
could cause log-forwarding to fail after service restarts due to
invalid journal cursors being persisted.

(cherry picked from commit 5ead273)

backported because of moved upstream repo

This seems to cause problems if people have other display-managers
enabled

(cherry picked from commit 5a752ad)

The previous tentative to the fix got the order mixed up a bit. This
new fix has been re-verified to get them in the good order as per the
instructions in the following chapters.

(cherry picked from commit 467bec3)

This reduces gitFull's closure size from 412 MiB to 271 MiB.

(cherry picked from commit 7b9c495)

nfs-utils had a dependency on gcc through
etc/systemd/system-generators/*-server-generator. It was not stripped
correctly because it’s not in an expected path. This adds it to the
strip list.

(cherry picked from commit 1427c50)

This removed glibc.dev from the closure and improves binary
reproducibility.

(cherry picked from commit 1eff910)

This shrank my system closure by about 192 MiB.

(cherry picked from commit 9bbd4f6)

This reduces the closure size from 1689 MiB to 425 MiB.

(cherry picked from commit 2be4295)

(cherry picked from commit c8a2533)

This prevents a runtime dependency on a large number of -dev outputs.

(cherry picked from commit a3382a8)

(cherry picked from commit 13c1f26)

(cherry picked from commit cd3a0b7)

[18.09] net_snmp: fix CVE-2018-18065

(cherry picked from commit 908a75a)

(cherry picked from commit 998d4e4)

(cherry picked from commit d837338)

…ixOS#45574

(cherry picked from commit 0083ca1)

Fixes runtime error:
  GTK+ 2.x symbols detected. Using GTK+ 2.x and GTK+ 3 in the same process is not supported

(cherry picked from commit c047572)

Changelog: https://help.resilio.com/hc/en-us/articles/206216855-Sync-2-x-change-log
(cherry picked from commit 632ae05)