Merge remote-tracking branch 'prism/master'

krebs/3modules/default.nix

@@ -233,6 +233,7 @@ let
               "github.com"
               # List generated with
               # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
+              "192.30.252.*"
               "192.30.253.*"
               "192.30.254.*"
               "192.30.255.*"
@@ -240,9 +241,12 @@ let
               "185.199.109.*"
               "185.199.110.*"
               "185.199.111.*"
-              "18.195.85.27"
+              "13.229.188.59"
+              "13.250.177.223"
               "18.194.104.89"
+              "18.195.85.27"
               "35.159.8.160"
+              "52.74.223.119"
             ];
             publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
           };

krebs/3modules/lass/default.nix

@@ -551,6 +551,32 @@ with import <stockholm/lib>;
         };
       };
     };
+    dpdkm = {
+      ci = false;
+      external = true;
+      nets = rec {
+        retiolum = {
+          ip4.addr = "10.243.29.173";
+          ip6.addr = "42:4992:6a6d:900::1";
+          aliases = [ "dpdkm.r" ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj
+            NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp
+            qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP
+            X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn
+            f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa
+            bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL
+            Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T
+            B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w
+            tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n
+            dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls
+            mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ==
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
     xerxes = {
       cores = 2;
       nets = rec {
@@ -624,6 +650,10 @@ with import <stockholm/lib>;
       mail = "lass@xerxes.r";
       pubkey = builtins.readFile ./ssh/xerxes.rsa;
     };
+    lass-daedalus = {
+      mail = "lass@daedalus.r";
+      pubkey = builtins.readFile ./ssh/daedalus.rsa;
+    };
     fritz = {
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
     };

krebs/3modules/lass/ssh/daedalus.rsa

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgF3311cZ/JV7lOzo/Crmy6pi0oBYu5klbTb8lU/Yic55XVRyYFtm+KGrNvqkcFgOx803aS7jogJ1N6HCdUAaEl5MzlkOX++h97ihZ/NeQZKDjYEEQYl4ElmIbCRiddpDm0HVX1OGSCtUzhlyDHJ8ieMCb+QVNrpwovlQnp53c/+Z6rGSZWgBMrzP7stlw+XjC1Alhi1M5L+bJfroa7cEcF+J5ZN+J2mWSmkPiQ6+iuk9zRkc5ELO1Vz4MsLoeKwbJrz+uuNVsY7u070pHtsLwbAsYU5vOWJeN/vtEwy51SY/so30FowvivTD9jIJ0xcmAdC56XjWaxttKuqUVBjJqhwqsUI6+AxLESekFXzkfghmG+AJPPkb2pvpVF3k0Ivn14bFBuFv0T2qPHq68Fs19WLTZn+dK3V+RfVkI6bEZaMOUezyBv59yFEY42wMISPw53jkaWqKIxyGCBECi3XlbeQ61FkwE9TElSY+NmoeMu6jPWw7XGDY4Jt6mtKiYu3hVqI5pg4hq3bxB8r2W7LnkDiYfArbzwmrc2zAmgJtY60/Pcwq7hP3LSDEuDDc4gYgpkLNwHjs+CLWqpbQffCFv+oOZj8G92if+dMBOUSBCr6FDqH6wLxZp2cfhud0p/0kLz09nv/PcRohOHdaQSEW7OAhJ5kgg3DuxhwUwOf/3UX5iLvm4WwE/mb7Iki4U3AENKHUWQ7TOrXcQq9AJX57e9CTI+N4phtzp9qur8vjVl2OpYl2Qb/0yQSGM+4wQ/nM4acePMk80oXLb3OJBlPp0CswzoI7kFBD0TUOnFTCkrJWPaZhgjQXyvCzgFKAvXgqWy4riczqLhdBAhc1vT3a18HsqKXE3mhJa6Kjl6r/ZQaDl2zw7uLmWTHhGuUI9w487L36extGuC3Tv8zEvu2UHqhdEcaSDzRQYcv1kRobfhTWjzFHzdA97Kkc+HuFfJk3MzchsjCxqIuDP4r5YauMBMHAIsUlP7Ar/t29WreAGJbCCd2oulkFL+P+8Sp6SksMMhKQvuRcj74n6BETfailv64z2FjT+qzkCsr/gzvWD08EJRZUCpidX2WfMoL396nBf+EgwhFykqoFg2jlJJ7Vggod8CSHUSeBkslhNk/tkv4y+NnsAIgNluVZlxIeKj1UgazohSNQVRHozs2lkuK0Ytl4TsFrE0X3ar7LpwEVvCLj3eh2kg4kNKNN/vOwWxvMlF9uCBq5FUHaBCst/OXeigjfGZ0ZK5iHsZN+R/iIlG+3V3VN1Rm29aPJPSuAgwl/lfPUfUP5c8QiwnDgdHqMi7VcuCpEtcTLjqDHBssqosRTLodcIZY6qLepm5kQgJ2FfcTPi+ZwT3Z/IFH6p/H7NeVbb8rVYeF/zqDJiWbI+gDy0xFnGgOLpFSBdHq679FjtjZk7Exgz3rVD+QsoSB8VYVOSqpHB1LQyQ2qBry+33CNpxlX5GaaLx5sbEKEguaJ+9R7Mbf8zQMa8EAXhqoT96kIj66IEk= lass@daedalus

krebs/3modules/lass/ssh/icarus.rsa

@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDm4qnRU8/Zyb+7x/QxW1grN+i1qcN39Sr/TSkBdccAPyfPdk8ph/G+wZKgsyr9sl5CgbA4hOsqDBN97dp4dKghKARuk0GldHDgo+2odWwBTa4EOSmE4Bfj3z7r9tW33Y+ujy55L4w5Qw21lj51mbhc0qvC/03xypEeKsLM0RtNAf8TsdGMPGmbha7uCF75VjFJvrHysbjonh6ZQ+Or8N0MSNABZ9oawJQxxBUqtLFhnq20zCJmm281f9GS/EaGYwcpOjiHd4fj3XWyfEIJRK/LRBZXkidvVDN7mhOQY3G+qiGZfPeyged9CRDRFoc5QbZ43NtrmPS+yUtjHQZKynkjI0lA00fegRzb0FkEJmYSy1Vdqgj338CjNwcuTaKJTw2EotMqMuHyk1FllnphafJtgMTMLIGoZRTpJpC91gbP0MGTnRoCwD4McZcz1YD3cxng101QsLsDv/FPxzbyxr+P6rjBB6eP6IhP4k4ALjWzoMURdCo1BW4//zt+PXImUpcX2+urtAMmVBQ8BwZry1hsEcR+r6C1Yb+jzeWGnvtfjXSFv+ZjpA0eEnqeKeh3LDCxybjkok51zdTe97EZ0sDAnKcnrVzpXJwehY02E2N9Sw1HhvWIUUulr09a2bC2rYR7HWryOjaEzT2aKmUyrxPkflCawB8gn2iSbVMWK74VJw== lass@icarus
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgEuFS5MwYQRF+0MKAQvyv6O+0ky0QnOKGMVZgFXE4g2JrByTCXQAeQmyJquM1wl9IRD63res8ZguMoAz2PkHfNbRSSsR7pH/G3DaJRl0VGf14zO3bjBbogQ45j1Bwxi78h44SDmuBAkp0t76ca16kWGhwEVt03+8sqmbLV90RjHZlrFw2sDgTu35SDz1q/ZzkdyFP3xSIBUnsQD64qRLMx64yLcBp0uu2h7gBBCVyA1T+VR3Nc1yIOyv0nUaqEHz+CDATtFlgGTgT6cCXoIPN0QAuIa3pDxt7htD/POsWuFbpbqrBQVcgun5s3J5X0OmNyoqGqqubcycvuYipZUjBCxyTb7RxCqj2oR8alSaeGZm64I0VSGX/iSCtXKaEJqBbxwNUgDH6B2oUeZbRwgPl/SG8vBku1oKzt/36IBoY8HttcosqLkfTquyyO7KVtOBu04geCmmiqJpSV4j5iYMxvrD0AQ3JJmrcbzUYoCGxlYO19TPsa+Ybhn/E8suach75+DIPj5LacYAh9Wjirw67Kg5QyYEt8XGTR2xxF78CFi0JGBRcyorPfFPLznmVntqJLe6dGNL3njgdD0Ocz8V5ktk1pjY5D2nG8GXfd45NQl2QjTLYnYX4dGuudBXth0nEJMv/MRHZrXVViIqwazdq4mA5z1Yu4Tb3l17d2cAZobzdut6JuZbd7itXAPIiY0vEWXr8lpEuE8Uz9mz8aPxZlhmHSXvNcwhq+i2+cFO8OPwUGbnE2cAHpymlQ3aDRgpptAIMU2LjIAblqsvA72asJpuRqu7ZOoy0vVRCOhktIzZXWR9hF5/CM/7NZ5skvHzYlmgkvnuu4jDDGusF32Zyiip0WJg+Iijqe8VpOqCup5UEF5QG32yQwaZDrKd71hq7Z1xNe0vEPN8yCxpes8hWafYY9m8YRrUduDVlOon7SzmdU76RPn2oF6udCGP7A/hEeRiwrDaRuIwchh99Xw3LioxXNzLYB1aXd+yKuZyhW+witC20ISdyZz7JPIrb49JCGH8FtbcDzD1B8Xd1By34POfhxriSr9UG5Hj9LGbA3/aKMOajZdcbrKXorUrKdhAuZv1z4rjW5iwYgXF2G/nseeCOw+DPEcB3GexsyCTUzSjJ6fy3Aqlzppwttx5MfkbNhPZWRCfDX3i0g8e0aFlgvlj99aGgUQeEpYg8peZhe1lxl25Ftc0R7pYmXPDeCY1yWxZiXZ3YtVVr43c/FEaQHXfkZ2I+t5lG6CmgJhhYjUry5Sx4/NgfBvpmU22cIBWNmyTn9q3gDFmeoIiTwlF654K7NnsWrdKr2L2fGI10Xe/J/GYkkzX39e5bToQPXh23gUfIr7faYEPBsVU/SaEkWNHojzf/NKjPT0utvlFr0HqnFYSdk4wpWzcrhii7E/UhgKvpA/k2Vlj4ZhkejfZXQWxRbJzejkVSJcUGim+Dt1WUZJXVOgEkJ3WA6z+ha2FN2sBDdvRKlad55aelvRrbu3/vPzEuE= lass@icarus

krebs/3modules/makefu/default.nix

@@ -503,6 +503,7 @@ with import <stockholm/lib>;
           # ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
           aliases = [
             "wbob.r"
+            "hydra.wbob.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -1038,6 +1039,10 @@ with import <stockholm/lib>;
       inherit (makefu) mail pgp;
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoAtBa10AbiFXfYL4Za7e0CLeXJeH6FhMqVZFqElLkJBKmQ7c7WEMlnuRhEZWSFDXBpaS7p73s5MMOZA13uYv6fI2ipOOwE9Ej1EoMsrQGegBp2VDMo0wnr/sgTL1do+uGI85E/i0uFw0DYhXqlZQk1eK8SdgXYltiVL27IA3NG2kYuoTIvJgRnaPJjTbhLBWti3m586LuO+pBKtcTt1D9EV6wp+6Jum4owPtCgVPQaZfFGYWkEiINV83WX9HoIk4S3bTPLh8Kfp0je0xsioS4T9/cxSPgUie8MjSg0irvLJXRH0JOVuG5NvZTYhAAekwNkHll9CtypPrutjbrXPXf makefu@x";
     };
+    makefu-remote-builder = {
+      inherit (makefu) mail pgp;
+      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlhb0TIBW9RN9T8Is4YRIc1RjOg+cxbZCaDjbM4zxrX nixBuild";
+    };
     makefu-bob = {
       inherit (makefu) mail pgp;
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+fEK1bCB8cdDiBzXBXEWLFQyp/7xjNGQ5GyqHOtgxxe6Ypb0kAaWJaG3Ak/qI/nToGKwkQJLsuYNA3lZj2rFyBdoxnNO3kRFTc7NoaU5mC2BlHbpmn9dzvgiBoRAKAlzj/022u65SI19AFciKXtwqQfjuB3mPVOFOfCFB2SYjjWb8ffPnHp6PB5KKNLxaVPCbZgOdSju25/wB2lY00W8WIDOTqfbNClQnjkLsUZpTuRnvpHTemKtt1FH+WBZiMwMXRt19rm9LFSO7pvrZjdJz0l1TZVsODkbKZzQzSixoCPmdpPPAYaqrGUQpmukXk0xQtR3E2jEsk+FJv4AkIKqD";

krebs/5pkgs/simple/exim/default.nix

@@ -1,64 +0,0 @@
-{ coreutils, fetchurl, db, openssl, pcre, perl, pkgconfig, stdenv }:
-
-stdenv.mkDerivation rec {
-  name = "exim-4.90.1";
-
-  src = fetchurl {
-    url = "http://ftp.exim.org/pub/exim/exim4/${name}.tar.xz";
-    sha256 = "09ppq8l7cah6dcqwdvpa6r12i6fdcd9lvxlfp18mggj3438xz62w";
-  };
-
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ coreutils db openssl pcre perl ];
-
-  preBuild = ''
-    sed '
-      s:^\(BIN_DIRECTORY\)=.*:\1='"$out"'/bin:
-      s:^\(CONFIGURE_FILE\)=.*:\1=/etc/exim.conf:
-      s:^\(EXIM_USER\)=.*:\1=ref\:nobody:
-      s:^\(SPOOL_DIRECTORY\)=.*:\1=/exim-homeless-shelter:
-      s:^# \(SUPPORT_MAILDIR\)=.*:\1=yes:
-      s:^EXIM_MONITOR=.*$:# &:
-      s:^\(FIXED_NEVER_USERS\)=root$:\1=0:
-      s:^# \(WITH_CONTENT_SCAN\)=.*:\1=yes:
-      s:^# \(AUTH_PLAINTEXT\)=.*:\1=yes:
-      s:^# \(SUPPORT_TLS\)=.*:\1=yes:
-      s:^# \(USE_OPENSSL_PC=openssl\)$:\1:
-      s:^# \(LOG_FILE_PATH=syslog\)$:\1:
-      s:^# \(HAVE_IPV6=yes\)$:\1:
-      s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown:
-      s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp:
-      s:^# \(CHMOD_COMMAND\)=.*:\1=${coreutils}/bin/chmod:
-      s:^# \(MV_COMMAND\)=.*:\1=${coreutils}/bin/mv:
-      s:^# \(RM_COMMAND\)=.*:\1=${coreutils}/bin/rm:
-      s:^# \(TOUCH_COMMAND\)=.*:\1=${coreutils}/bin/touch:
-      s:^# \(PERL_COMMAND\)=.*:\1=${perl}/bin/perl:
-      #/^\s*#.*/d
-      #/^\s*$/d
-    ' < src/EDITME > Local/Makefile
-  '';
-
-  installPhase = ''
-    mkdir -p $out/bin $out/share/man/man8
-    cp doc/exim.8 $out/share/man/man8
-
-    ( cd build-Linux-*
-      cp exicyclog exim_checkaccess exim_dumpdb exim_lock exim_tidydb \
-        exipick exiqsumm exigrep exim_dbmbuild exim exim_fixdb eximstats \
-        exinext exiqgrep exiwhat \
-        $out/bin )
-
-    ( cd $out/bin
-      for i in mailq newaliases rmail rsmtp runq sendmail; do
-        ln -s exim $i
-      done )
-  '';
-
-  meta = {
-    homepage = http://exim.org/;
-    description = "A mail transfer agent (MTA)";
-    license = stdenv.lib.licenses.gpl3;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.tv ];
-  };
-}

krebs/source.nix

@@ -18,7 +18,7 @@ in
       stockholm.file = toString <stockholm>;
       nixpkgs.git = {
         url = https://github.com/NixOS/nixpkgs;
-        ref = "2062ac5aa2dc0770322272e3d2b647cf431dd893"; # nixos-17.09 @ 2018-02-09
+        ref = "d09e425aea3e09b6cec5c7b05cc0603f6853748b"; # nixos-17.09 @ 2018-02-22
       };
     }
     override

lass/1systems/helios/config.nix

@@ -16,6 +16,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/virtualbox.nix>
     <stockholm/lass/2configs/dcso-dev.nix>
     <stockholm/lass/2configs/steam.nix>
+    <stockholm/lass/2configs/rtl-sdr.nix>
     { # automatic hardware detection
       boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
       boot.kernelModules = [ "kvm-intel" ];
@@ -136,24 +137,47 @@ with import <stockholm/lib>;
   networking.hostName = lib.mkForce "BLN02NB0162";
 
   security.pki.certificateFiles = [
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
 
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
+    (pkgs.writeText "minio.cert" ''
+      -----BEGIN CERTIFICATE-----
+      MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS
+      MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1
+      OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+      AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL
+      8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV
+      YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C
+      ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM
+      CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw
+      hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk
+      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw
+      I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB
+      CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30
+      hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox
+      jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY
+      EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM
+      zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a
+      qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa
+      -----END CERTIFICATE-----
+    '')
   ];
 
   lass.screenlock.command = "${pkgs.i3lock}/bin/i3lock -i /home/lass/lock.png -t -f";
 
   programs.adb.enable = true;
-  users.users.mainUser.extraGroups = [ "adbusers" ];
+  users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
 
   services.printing.drivers = [ pkgs.postscript-lexmark ];
 
   services.logind.extraConfig = ''
     HandleLidSwitch=ignore
   '';
+
+  virtualisation.docker.enable = true;
 }

lass/1systems/mors/config.nix

@@ -31,6 +31,8 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/c-base.nix>
     <stockholm/lass/2configs/br.nix>
     <stockholm/lass/2configs/ableton.nix>
+    <stockholm/lass/2configs/dunst.nix>
+    <stockholm/lass/2configs/rtl-sdr.nix>
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
@@ -89,6 +91,10 @@ with import <stockholm/lib>;
       fsType = "btrfs";
       options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
+    "/home/virtual" = {
+      device = "/dev/mapper/pool-virtual";
+      fsType = "ext4";
+    };
   };
 
   services.udev.extraRules = ''
@@ -194,5 +200,6 @@ with import <stockholm/lib>;
 
   nix.package = pkgs.nixUnstable;
   programs.adb.enable = true;
-  users.users.mainUser.extraGroups = [ "adbusers" ];
+  users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
+  virtualisation.docker.enable = true;
 }

lass/1systems/prism/config.nix

@@ -292,11 +292,22 @@ in {
     <stockholm/krebs/2configs/reaktor-krebs.nix>
     <stockholm/lass/2configs/dcso-dev.nix>
     {
+      users.users.jeschli = {
+        uid = genid "jeschli";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = with config.krebs.users; [
+          jeschli.pubkey
+          jeschli-bln.pubkey
+          jeschli-bolide.pubkey
+          jeschli-brauerei.pubkey
+        ];
+      };
       krebs.git.rules = [
         {
           user = with config.krebs.users; [
             jeschli
             jeschli-bln
+            jeschli-bolide
             jeschli-brauerei
           ];
           repo = [ config.krebs.git.repos.stockholm ];
@@ -313,6 +324,18 @@ in {
     }
     <stockholm/lass/2configs/downloading.nix>
     <stockholm/lass/2configs/minecraft.nix>
+    {
+      services.taskserver = {
+        enable = true;
+        fqdn = "lassul.us";
+        listenHost = "::";
+        listenPort = 53589;
+        organisations.lass.users = [ "lass" "android" ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
+      ];
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;

lass/1systems/shodan/config.nix

@@ -61,4 +61,8 @@ with import <stockholm/lib>;
     SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
     SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
   '';
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
 }

lass/2configs/IM.nix

@@ -41,6 +41,7 @@ in {
       lass-shodan.pubkey
       lass-icarus.pubkey
       lass-android.pubkey
+      lass-helios.pubkey
     ];
   };
 

lass/2configs/baseX.nix

@@ -10,6 +10,7 @@ in {
     ./livestream.nix
     ./dns-stuff.nix
     ./urxvt.nix
+    ./network-manager.nix
     {
       hardware.pulseaudio = {
         enable = true;
@@ -121,13 +122,14 @@ in {
       name = "xmonad";
       start = ''
         ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
-        ${pkgs.coreutils}/bin/sleep infinity
+        ${pkgs.systemd}/bin/systemctl --user start xmonad
+        exec ${pkgs.coreutils}/bin/sleep infinity
       '';
     }];
   };
 
   systemd.user.services.xmonad = {
-    wantedBy = [ "graphical-session.target" ];
+    #wantedBy = [ "graphical-session.target" ];
     environment = {
       DISPLAY = ":${toString config.services.xserver.display}";
       RXVT_SOCKET = "%t/urxvtd-socket";

lass/2configs/dcso-dev.nix

@@ -17,6 +17,7 @@ in {
         config.krebs.users.lass.pubkey
         config.krebs.users.lass-android.pubkey
         config.krebs.users.jeschli-bln.pubkey
+        config.krebs.users.jeschli-brauerei.pubkey
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1T5+2epslFARSnETdr4wdolA6ocJaD4H9tmz6BZFQKXlwIq+OMp+sSEdwYwW3Lu9+mNbBHPxVVJDWg/We9DXB0ezXPM5Bs1+FcehmkoGwkmgKaFCDt0sL+CfSnog/3wEkN21O/rQxVFqMmiJ7WUDGci6IKCFZ5ZjOsmmfHg5p3LYxU9xv33fNr2v+XauhrGbFtQ7eDz4kSywxN/aw73LN4d8em0V0UV8VPI3Qkw7MamDFwefA+K1TfK8pBzMeruU6N7HLuNkpkAp7kS+K4Zzd72aQtR37a5qMiFUbOxQ9B7iFypuPx0iu6ZwY1s/sM8t3kLmcDJ9O4FOTzlbpneet3as6iJ+Ckr/TlfKor2Tl5pWcXh2FXHoG8VUu5bYmIViJBrKihAlAQfQN0mJ9fdFTnCXVTtbYTy11s4eEVHgUlb7oSpgBnx5bnBONgApbsOX9zyoo8wz8KkZBcf1SQpkV5br8uUAHCcZtHuY6I3kKlv+8lJmgUipiYzMdTi7+dHa49gVEcEKL4ZnJ0msQkl4XT7JjKETLvumC4/TIqVuRu48wuYalkCR9OzxCsTXQ/msBJBztPdYLrEOXVb2HfzuCT+43UuMQ5rP/EoPy0TWQO9BaqfEXqvbOvWjVxj/GMvglQ2ChZTwHxwwTKB8qRVvJLnbZQwizQiSrkzjb6hRJfQ== u0_a165@localhost"
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjtdqRxD0+UU7O8xogSqAQYd/Hrc79CTTKnvbhKy7jp2TVfxQpl81ndSH6DN6Cz90mu65C+DFGq43YtKTPqXmTn1+2wru71C2UOl6ZR0tmU7UELkRt4SJuFQLEgQCt3BWvXJPye6cKRRIlb+XZHWyVyCDxHo9EYO2GWI1wIP8mHMltKj65mobHY+R0CJNhhwlFURzTto8C30ejfVg2OW81qkNWqYtpdC9txLUlQ9/LBVKrafHGprmcBEp9qtecVgx8kxHpS7cuQNYoFcfljug4IyFO+uBfdbKqnGM5mra3huNhX3+AcQxKbLMlRgZD+jc47Xs+s5qSvWBou2ygd5T413k/SDOTCxDjidA+dcwzRo0qUWcGL201a5g+F0EvWv8rjre9m0lii6QKEoPyj60y3yfaIHeafels1Ia1FItjkBe8XydiXf7rKq8nmVRlpo8vl+vKwVuJY783tObHjUgBtXJdmnyYGiXxkxSrXa2mQhPz3KodK/QrnqCP27dURcMlp1hFF3LxFz7WtMCLW0yvDuUsuI2pdq0+zdt702wuwXVNIvbq/ssvX/CL8ryBLAogaxN9DN0vpjk+aXQLn11Zt99MgmnnqUgvOKQi1Quog/SxnSBiloKqB6aA10a28Uxoxkr0KAfhWhX3XPpfGMlbVj4GJuevLp0sGDVQT2biUQ== rhaist@RH-NB"
       ];
@@ -44,6 +45,11 @@ in {
     };
   };
 
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 8000"; target = "ACCEPT";}
+    { predicate = "-p tcp --dport 9000"; target = "ACCEPT";}
+  ];
+
   krebs.per-user.dev.packages = [
     pkgs.go
   ];
@@ -51,4 +57,6 @@ in {
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(dev) NOPASSWD: ALL
   '';
+
+  services.minio.enable = true;
 }

lass/2configs/downloading.nix

@@ -16,6 +16,8 @@ with import <stockholm/lib>;
         lass.pubkey
         lass-shodan.pubkey
         lass-icarus.pubkey
+        lass-daedalus.pubkey
+        lass-helios.pubkey
         makefu.pubkey
         wine-mors.pubkey
       ];

lass/2configs/dunst.nix

@@ -0,0 +1,277 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+  dunstConfig = pkgs.writeText "dunst-config" ''
+    [global]
+    font = Iosevka Term 11
+
+    # Allow a small subset of html markup:
+    #   <b>bold</b>
+    #   <i>italic</i>
+    #   <s>strikethrough</s>
+    #   <u>underline</u>
+    #
+    # For a complete reference see
+    # <http://developer.gnome.org/pango/stable/PangoMarkupFormat.html>.
+    # If markup is not allowed, those tags will be stripped out of the
+    # message.
+    markup = yes
+    plain_text = no
+
+    # The format of the message.  Possible variables are:
+    #   %a  appname
+    #   %s  summary
+    #   %b  body
+    #   %i  iconname (including its path)
+    #   %I  iconname (without its path)
+    #   %p  progress value if set ([  0%] to [100%]) or nothing
+    # Markup is allowed
+    format = "%a\n<b>%s</b>\n%b"
+
+    # Sort messages by urgency.
+    sort = yes
+
+    # Show how many messages are currently hidden (because of geometry).
+    indicate_hidden = yes
+
+    # Alignment of message text.
+    # Possible values are "left", "center" and "right".
+    alignment = center
+
+    # The frequency with wich text that is longer than the notification
+    # window allows bounces back and forth.
+    # This option conflicts with "word_wrap".
+    # Set to 0 to disable.
+    bounce_freq = 0
+
+    # Show age of message if message is older than show_age_threshold
+    # seconds.
+    # Set to -1 to disable.
+    show_age_threshold = 1
+
+    # Split notifications into multiple lines if they don't fit into
+    # geometry.
+    word_wrap = yes
+
+    # Ignore newlines '\n' in notifications.
+    ignore_newline = no
+
+    # Hide duplicate's count and stack them
+    stack_duplicates = yes
+    hide_duplicates_count = no
+
+
+    # The geometry of the window:
+    #   [{width}]x{height}[+/-{x}+/-{y}]
+    # The geometry of the message window.
+    # The height is measured in number of notifications everything else
+    # in pixels.  If the width is omitted but the height is given
+    # ("-geometry x2"), the message window expands over the whole screen
+    # (dmenu-like).  If width is 0, the window expands to the longest
+    # message displayed.  A positive x is measured from the left, a
+    # negative from the right side of the screen.  Y is measured from
+    # the top and down respectevly.
+    # The width can be negative.  In this case the actual width is the
+    # screen width minus the width defined in within the geometry option.
+    geometry = "500x10-0+0"
+
+    # Shrink window if it's smaller than the width.  Will be ignored if
+    # width is 0.
+    shrink = no
+
+    # The transparency of the window.  Range: [0; 100].
+    # This option will only work if a compositing windowmanager is
+    # present (e.g. xcompmgr, compiz, etc.).
+    # transparency = 5
+
+    # Don't remove messages, if the user is idle (no mouse or keyboard input)
+    # for longer than idle_threshold seconds.
+    # Set to 0 to disable.
+    idle_threshold = 0
+
+    # Which monitor should the notifications be displayed on.
+    monitor = keyboard
+
+    # Display notification on focused monitor.  Possible modes are:
+    #   mouse: follow mouse pointer
+    #   keyboard: follow window with keyboard focus
+    #   none: don't follow anything
+    #
+    # "keyboard" needs a windowmanager that exports the
+    # _NET_ACTIVE_WINDOW property.
+    # This should be the case for almost all modern windowmanagers.
+    #
+    # If this option is set to mouse or keyboard, the monitor option
+    # will be ignored.
+    follow = none
+
+    # Should a notification popped up from history be sticky or timeout
+    # as if it would normally do.
+    sticky_history = yes
+
+    # Maximum amount of notifications kept in history
+    history_length = 15
+
+    # Display indicators for URLs (U) and actions (A).
+    show_indicators = no
+
+    # The height of a single line.  If the height is smaller than the
+    # font height, it will get raised to the font height.
+    # This adds empty space above and under the text.
+    line_height = 3
+
+    # Draw a line of "separatpr_height" pixel height between two
+    # notifications.
+    # Set to 0 to disable.
+    separator_height = 1
+
+    # Padding between text and separator.
+    padding = 1
+
+    # Horizontal padding.
+    horizontal_padding = 1
+
+    # Define a color for the separator.
+    # possible values are:
+    #  * auto: dunst tries to find a color fitting to the background;
+    #  * foreground: use the same color as the foreground;
+    #  * frame: use the same color as the frame;
+    #  * anything else will be interpreted as a X color.
+    separator_color = frame
+
+    # Print a notification on startup.
+    # This is mainly for error detection, since dbus (re-)starts dunst
+    # automatically after a crash.
+    startup_notification = true
+
+    # dmenu path.
+    dmenu = ${pkgs.dmenu}/bin/dmenu -p dunst:
+
+    # Browser for opening urls in context menu.
+    browser = /usr/bin/firefox -new-tab
+
+    # Align icons left/right/off
+    icon_position = off
+    max_icon_size = 80
+
+    # Paths to default icons.
+    icon_folders = /usr/share/icons/Paper/16x16/mimetypes/:/usr/share/icons/Paper/48x48/status/:/usr/share/icons/Paper/16x16/devices/:/usr/share/icons/Paper/48x48/notifications/:/usr/share/icons/Paper/48x48/emblems/
+
+    frame_width = 2
+    frame_color = "#8EC07C"
+
+    [shortcuts]
+
+    # Shortcuts are specified as [modifier+][modifier+]...key
+    # Available modifiers are "ctrl", "mod1" (the alt-key), "mod2",
+    # "mod3" and "mod4" (windows-key).
+    # Xev might be helpful to find names for keys.
+
+    # Close notification.
+    close = ctrl+space
+
+    # Close all notifications.
+    close_all = ctrl+shift+space
+
+    # Redisplay last message(s).
+    # On the US keyboard layout "grave" is normally above TAB and left
+    # of "1".
+    history = ctrl+grave
+
+    # Context menu.
+    context = mod4+u
+
+    [urgency_low]
+    # IMPORTANT: colors have to be defined in quotation marks.
+    # Otherwise the "#" and following would be interpreted as a comment.
+    frame_color = "#3B7C87"
+    foreground = "#3B7C87"
+    background = "#191311"
+    #background = "#2B313C"
+    timeout = 0
+
+    [urgency_normal]
+    frame_color = "#5B8234"
+    foreground = "#5B8234"
+    background = "#191311"
+    #background = "#2B313C"
+    timeout = 0
+
+    [urgency_critical]
+    frame_color = "#B7472A"
+    foreground = "#B7472A"
+    background = "#191311"
+    #background = "#2B313C"
+    timeout = 0
+
+
+    # Every section that isn't one of the above is interpreted as a rules to
+    # override settings for certain messages.
+    # Messages can be matched by "appname", "summary", "body", "icon", "category",
+    # "msg_urgency" and you can override the "timeout", "urgency", "foreground",
+    # "background", "new_icon" and "format".
+    # Shell-like globbing will get expanded.
+    #
+    # SCRIPTING
+    # You can specify a script that gets run when the rule matches by
+    # setting the "script" option.
+    # The script will be called as follows:
+    #   script appname summary body icon urgency
+    # where urgency can be "LOW", "NORMAL" or "CRITICAL".
+    #
+    # NOTE: if you don't want a notification to be displayed, set the format
+    # to "".
+    # NOTE: It might be helpful to run dunst -print in a terminal in order
+    # to find fitting options for rules.
+
+    #[espeak]
+    #    summary = "*"
+    #    script = dunst_espeak.sh
+
+    #[script-test]
+    #    summary = "*script*"
+    #    script = dunst_test.sh
+
+    #[ignore]
+    #    # This notification will not be displayed
+    #    summary = "foobar"
+    #    format = ""
+
+    #[signed_on]
+    #    appname = Pidgin
+    #    summary = "*signed on*"
+    #    urgency = low
+    #
+    #[signed_off]
+    #    appname = Pidgin
+    #    summary = *signed off*
+    #    urgency = low
+    #
+    #[says]
+    #    appname = Pidgin
+    #    summary = *says*
+    #    urgency = critical
+    #
+    #[twitter]
+    #    appname = Pidgin
+    #    summary = *twitter.com*
+    #    urgency = normal
+    #
+    # vim: ft=cfg
+  '';
+in {
+  systemd.user.services.dunst = {
+    wantedBy = [ "graphical-session.target" ];
+    requires = [ "xmonad.service" ];
+    environment = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+    };
+    serviceConfig = {
+      SyslogIdentifier = "dunst";
+      ExecStart = "${pkgs.dunst}/bin/dunst -conf ${dunstConfig}";
+      Restart = "always";
+      RestartSec = "15s";
+      StartLimitBurst = 0;
+    };
+  };
+}

lass/2configs/exim-smarthost.nix

@@ -59,6 +59,17 @@ with import <stockholm/lib>;
       { from = "coinexchange@lassul.us"; to = lass.mail; }
       { from = "verwaltung@lassul.us"; to = lass.mail; }
       { from = "gearbest@lassul.us"; to = lass.mail; }
+      { from = "binance@lassul.us"; to = lass.mail; }
+      { from = "bitfinex@lassul.us"; to = lass.mail; }
+      { from = "alternate@lassul.us"; to = lass.mail; }
+      { from = "redacted@lassul.us"; to = lass.mail; }
+      { from = "mytaxi@lassul.us"; to = lass.mail; }
+      { from = "pizza@lassul.us"; to = lass.mail; }
+      { from = "robinhood@lassul.us"; to = lass.mail; }
+      { from = "drivenow@lassul.us"; to = lass.mail; }
+      { from = "aws@lassul.us"; to = lass.mail; }
+      { from = "reddit@lassul.us"; to = lass.mail; }
+      { from = "banggood@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }

lass/2configs/logf.nix

@@ -10,9 +10,13 @@ let
     echelon = "197";
     cloudkrebs = "119";
   };
+  urgent = [
+    "\\blass@mors\\b"
+  ];
 in {
   environment.systemPackages = [
     (pkgs.writeDashBin "logf" ''
+      export LOGF_URGENT=${pkgs.writeJSON "urgent" urgent}
       export LOGF_HOST_COLORS=${pkgs.writeJSON "host-colors" host-colors}
       ${pkgs.logf}/bin/logf ${concatMapStringsSep " " (name: "root@${name}") (attrNames config.lass.hosts)}
     '')

lass/2configs/mail.nix

@@ -21,13 +21,21 @@ let
   '';
 
   mailboxes = {
-    wireguard = [ "wireguard@lists.zx2c4" ];
+    c-base = [ "to:c-base.org" ];
-    c-base = [ "c-base.org" ];
+    dezentrale = [ "to:dezentrale.space" ];
-    security = [ "seclists.org" "security" "bugtraq" ];
+    kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" ];
-    nix-devel = [ "nix-devel@googlegroups.com" ];
+    nix-devel = [ "to:nix-devel@googlegroups.com" ];
-    shack = [ "shackspace.de" ];
+    patreon = [ "to:patreon@lassul.us" ];
+    security = [ "to:seclists.org" "to:security" "to:bugtraq" ];
+    shack = [ "to:shackspace.de" ];
+    wireguard = [ "to:wireguard@lists.zx2c4" ];
   };
 
+  tag-mails = pkgs.writeDashBin "nm-init-tag" ''
+    ${pkgs.notmuch}/bin/notmuch new
+    ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)}
+  '';
+
   muttrc = pkgs.writeText "muttrc" ''
     # gpg
     source ${pkgs.neomutt}/share/doc/mutt/samples/gpg.rc
@@ -80,16 +88,15 @@ let
       # V
     ''} %r |"
 
-    virtual-mailboxes \
+    virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox"
-      "Unread" "notmuch://?query=tag:unread"\
+    virtual-mailboxes "Unread" "notmuch://?query=tag:unread"
-      "INBOX" "notmuch://?query=tag:inbox ${concatMapStringsSep " " (f: "and NOT to:${f}") (flatten (attrValues mailboxes))}"\
+    ${concatMapStringsSep "\n" (i: ''${"  "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (mapAttrsToList nameValuePair mailboxes)}
-    ${concatMapStringsSep "\n" (i: ''${"  "}"${i.name}" "notmuch://?query=${concatMapStringsSep " or " (f: "to:${f}") i.value}"\'') (mapAttrsToList nameValuePair mailboxes)}
+    virtual-mailboxes "TODO" "notmuch://?query=tag:TODO"
-      "BOX" "notmuch://?query=${concatMapStringsSep " and " (f: "NOT to:${f}") (flatten (attrValues mailboxes))}"\
+    virtual-mailboxes "Starred" "notmuch://?query=tag:*"
-      "TODO" "notmuch://?query=tag:TODO"\
+    virtual-mailboxes "Archive" "notmuch://?query=tag:archive"
-      "Starred" "notmuch://?query=tag:*"\
+    virtual-mailboxes "Sent" "notmuch://?query=tag:sent"
-      "Archive" "notmuch://?query=tag:archive"\
+    virtual-mailboxes "Junk" "notmuch://?query=tag:junk"
-      "Sent" "notmuch://?query=tag:sent"\
+    virtual-mailboxes "All" "notmuch://?query=*"
-      "Junk" "notmuch://?query=tag:junk"
 
     tag-transforms "junk"     "k" \
                    "unread"   "u" \
@@ -163,5 +170,6 @@ in {
     mutt
     pkgs.much
     pkgs.notmuch
+    tag-mails
   ];
 }

lass/2configs/minecraft.nix

@@ -17,5 +17,6 @@
   krebs.iptables.tables.filter.INPUT.rules = [
     { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
     { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
+    { predicate = "-p tcp --dport 8123"; target = "ACCEPT"; }
   ];
 }

lass/2configs/network-manager.nix

@@ -0,0 +1,24 @@
+{ pkgs, lib, ... }:
+{
+  networking.wireless.enable = lib.mkForce false;
+
+  systemd.services.modemmanager = {
+    description = "ModemManager";
+    after = [ "network-manager.service" ];
+    bindsTo = [ "network-manager.service" ];
+    wantedBy = [ "network-manager.service" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.modemmanager}/bin/ModemManager";
+      PrivateTmp = true;
+      Restart = "always";
+      RestartSec = "5";
+    };
+  };
+  networking.networkmanager.enable = true;
+  users.users.mainUser = {
+    extraGroups = [ "networkmanager" ];
+    packages = with pkgs; [
+      gnome3.gnome_keyring gnome3.dconf
+    ];
+  };
+}

lass/2configs/rtl-sdr.nix

@@ -0,0 +1,6 @@
+{
+  boot.blacklistedKernelModules = [ "dvb_usb_rtl28xxu" ];
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="2838", GROUP="adm", MODE="0666", SYMLINK+="rtl_sdr"
+  '';
+}

lass/2configs/vim.nix

@@ -6,6 +6,9 @@ let
     environment.systemPackages = [
       (hiPrio vim)
       pkgs.python35Packages.flake8
+      (pkgs.writeDashBin "govet" ''
+        go vet "$@"
+      '')
     ];
 
     environment.etc.vimrc.source = vimrc;
@@ -68,6 +71,9 @@ let
     let g:syntastic_python_checkers=['flake8']
     let g:syntastic_python_flake8_post_args='--ignore=E501'
 
+    let g:go_metalinter_autosave = 1
+    let g:go_metalinter_deadline = "10s"
+
     nmap <esc>q :buffer 
     nmap <M-q> :buffer 
 

lass/2configs/websites/util.nix

@@ -32,7 +32,6 @@ rec {
     let
       domain = head domains;
     in {
-      services.phpfpm.phpPackage = pkgs.php56;
       services.nginx.virtualHosts."${domain}" = {
         enableACME = true;
         enableSSL = true;

lass/2configs/wine.nix

@@ -19,23 +19,8 @@ in {
         pkgs.wine
       ];
     };
-    wine64 = {
-      name = "wine64";
-      description = "user for running wine in 64bit";
-      home = "/home/wine64";
-      useDefaultShell = true;
-      extraGroups = [
-        "audio"
-        "video"
-      ];
-      createHome = true;
-      packages = [
-        (pkgs.wine.override { wineBuild = "wineWow"; })
-      ];
-    };
   };
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(wine) NOPASSWD: ALL
-    ${mainUser.name} ALL=(wine64) NOPASSWD: ALL
   '';
 }

lass/2configs/zsh.nix

@@ -50,16 +50,15 @@
       #enable automatic rehashing of $PATH
       zstyle ':completion:*' rehash true
 
+      #beautiful colors
       eval $(dircolors -b ${pkgs.fetchFromGitHub {
         owner = "trapd00r";
         repo = "LS_COLORS";
         rev = "master";
         sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp";
       }}/LS_COLORS)
-
-      #beautiful colors
       alias ls='ls --color'
-      # zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}
+      zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}
 
       #emacs bindings
       bindkey "[7~" beginning-of-line
@@ -109,7 +108,7 @@
       fi
 
       #check if in nix shell
-      if test -n "$buildInputs"; then
+      if test -n "$IN_NIX_SHELL"; then
         p_nixshell='%F{green}[s]%f '
         t_nixshell='[s] '
       else

lass/3modules/xserver/default.nix

@@ -33,6 +33,11 @@ let
         XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
           ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
           ${xcfg.displayManager.sessionCommands}
+          if test -z "$DBUS_SESSION_BUS_ADDRESS"; then
+            exec ${pkgs.dbus.dbus-launch} --exit-with-session "$0" ""
+          fi
+          export DBUS_SESSION_BUS_ADDRESS
+          ${config.systemd.package}/bin/systemctl --user import-environment DISPLAY DBUS_SESSION_BUS_ADDRESS
           wait
         '';
 
@@ -74,6 +79,7 @@ let
           "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
           (optional (xcfg.dpi != null) "-dpi ${toString xcfg.dpi}")
         ];
+        User = user.name;
       };
     };
     krebs.xresources.resources.dpi = ''

lass/5pkgs/xmonad-lass.nix

@@ -23,6 +23,7 @@ import XMonad
 import qualified XMonad.StackSet as W
 import Control.Monad.Extra (whenJustM)
 import Data.List (isInfixOf)
+import Data.Monoid (Endo)
 import System.Environment (getArgs, lookupEnv)
 import System.Posix.Process (executeFile)
 import XMonad.Actions.CopyWindow (copy, kill1)
@@ -36,7 +37,7 @@ import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
 import XMonad.Hooks.Place (placeHook, smart)
 import XMonad.Hooks.UrgencyHook (focusUrgent)
-import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
+import XMonad.Hooks.UrgencyHook (withUrgencyHook, UrgencyHook(..))
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
@@ -44,9 +45,20 @@ import XMonad.Layout.SimplestFloat (simplestFloat)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
+import XMonad.Util.NamedWindows (getName)
+import XMonad.Util.Run (safeSpawn)
 
 import XMonad.Stockholm.Shutdown
 
+data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show)
+
+instance UrgencyHook LibNotifyUrgencyHook where
+    urgencyHook LibNotifyUrgencyHook w = do
+        name     <- getName w
+        Just idx <- fmap (W.findTag w) $ gets windowset
+
+        safeSpawn "${pkgs.libnotify}/bin/notify-send" [show name, "workspace " ++ idx]
+
 myTerm :: FilePath
 myTerm = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtc"
 
@@ -61,7 +73,7 @@ main = getArgs >>= \case
 main' :: IO ()
 main' = do
     xmonad $ ewmh
-        $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
+        $ withUrgencyHook LibNotifyUrgencyHook
         $ def
             { terminal           = myTerm
             , modMask            = mod4Mask
@@ -80,11 +92,12 @@ myLayoutHook = defLayout
   where
     defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat)
 
+floatHooks :: Query (Endo WindowSet)
 floatHooks = composeAll . concat $
     [ [ title =? t --> doFloat | t <- myTitleFloats]
     , [ className =? c --> doFloat | c <- myClassFloats ] ]
   where
-      myTitleFloats = [] -- for the KDE "open link" popup from konsole
+      myTitleFloats = []
       myClassFloats = ["Pinentry"] -- for gpg passphrase entry
 
 

makefu/1systems/gum/config.nix

@@ -148,6 +148,11 @@ in {
             allowedIPs = [ "10.244.0.5/32" ];
             publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
           }
+          {
+            # workr
+            allowedIPs = [ "10.244.0.6/32" ];
+            publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
+          }
           ];
         };
       }

makefu/1systems/omo/config.nix

@@ -25,16 +25,18 @@ let
   # |       |
   # |*      |
   # |* d2   |
-  # |  * r0 |
+  # |  *    |
+  # |  *    |
   # |_______|
   cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
   cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
   cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
+  cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4";
   # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
   # all physical disks
 
   # TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
-  dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 ];
+  dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ];
   allDisks = [ rootDisk ] ++ dataDisks;
 in {
   imports =
@@ -69,6 +71,7 @@ in {
       <stockholm/makefu/2configs/mqtt.nix>
       <stockholm/makefu/2configs/remote-build/slave.nix>
       <stockholm/makefu/2configs/deployment/google-muell.nix>
+      <stockholm/makefu/2configs/virtualisation/docker.nix>
 
 
       # security
@@ -117,7 +120,6 @@ in {
   services.sabnzbd.enable = true;
   systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 
-  virtualisation.docker.enable = true;
   makefu.ps3netsrv = {
     enable = true;
     servedir = "/media/cryptX/emu/ps3";
@@ -127,6 +129,7 @@ in {
 
   makefu.snapraid = {
     enable = true;
+    # TODO: 3 is not protected
     disks = map toMapper [ 0 1 ];
     parity = toMapper 2;
   };
@@ -139,7 +142,7 @@ in {
   '';
   environment.systemPackages = with pkgs;[
     mergerfs # hard requirement for mount
-    wol # wake up filepimp
+    wol      # wake up filepimp
     f3
   ];
   fileSystems = let
@@ -151,6 +154,7 @@ in {
   in   cryptMount "crypt0"
     // cryptMount "crypt1"
     // cryptMount "crypt2"
+    // cryptMount "crypt3"
     // { "/media/cryptX" = {
             device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]);
             fsType = "mergerfs";
@@ -179,6 +183,7 @@ in {
         (usbkey "crypt0" cryptDisk0)
         (usbkey "crypt1" cryptDisk1)
         (usbkey "crypt2" cryptDisk2)
+        (usbkey "crypt3" cryptDisk3)
       ];
     };
     loader.grub.device = lib.mkForce rootDisk;

makefu/1systems/sdev/config.nix

@@ -5,32 +5,35 @@
   imports =
     [ # Include the results of the hardware scan.
       <stockholm/makefu>
-      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
+
-      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
+     #  <stockholm/makefu/2configs/hw/vbox-guest.nix>
+      { # until virtualbox-image is fixed
+        imports = [
+            <stockholm/makefu/2configs/fs/single-partition-ext4.nix>
+          ];
+        boot.loader.grub.device = "/dev/sda";
+      }
       <stockholm/makefu/2configs/main-laptop.nix>
       # <secrets/extra-hosts.nix>
 
       # environment
       <stockholm/makefu/2configs/tinc/retiolum.nix>
+      <stockholm/makefu/2configs/virtualisation/docker.nix>
 
     ];
-  # workaround for https://github.com/NixOS/nixpkgs/issues/16641
-  services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
-
-  nixpkgs.config.allowUnfree = true;
-
   # allow sdev to deploy self
   users.extraUsers = {
     root = {
         openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
     };
   };
+  # corefonts
+  nixpkgs.config.allowUnfree = true;
 
   environment.systemPackages = with pkgs;[
     ppp xclip
     get
     passwdqc-utils
-    docker
     gnupg
     populate
     (pkgs.writeScriptBin "tor-browser" ''
@@ -39,18 +42,11 @@
     '')
   ];
 
-  virtualisation.docker.enable = true;
-
   networking.firewall.allowedTCPPorts = [
     25
     80
     8010
   ];
 
-  fileSystems."/media/share" = {
-    fsType = "vboxsf";
-    device = "share";
-    options = [ "rw" "uid=9001" "gid=9001" ];
-  };
 
 }

makefu/1systems/vbob/config.nix

@@ -8,30 +8,9 @@
       {
         imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
         boot.loader.grub.device = "/dev/sda";
-        virtualisation.virtualbox.guest.enable = true;
       }
-      # {
+      # <stockholm/makefu/2configs/hw/vbox-guest.nix>
-      #   imports = [
+      # <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
-      #     <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>
-      #   ];
-      #   virtualbox.baseImageSize = 35 * 1024;
-      #   fileSystems."/media/share" = {
-      #     fsType = "vboxsf";
-      #     device = "share";
-      #     options = [ "rw" "uid=9001" "gid=9001" ];
-      #   };
-      # }
-
-      # {
-      #   imports = [
-      #     <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
-      #   ];
-      #   fileSystems."/nix" = {
-      #     device ="/dev/disk/by-label/nixstore";
-      #     fsType = "ext4";
-      #   };
-      # }
-
 
       # base gui
       # <stockholm/makefu/2configs/main-laptop.nix>
@@ -75,14 +54,8 @@
     ];
   networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
 
-  nixpkgs.config.allowUnfree = true;
-
   # allow vbob to deploy self
-  users.extraUsers = {
+  users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
-    root = {
-        openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
-    };
-  };
 
   environment.shellAliases = {
     forti  = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
@@ -94,16 +67,18 @@
     ln -fs ${pkgs.ppp}/bin/pppd /usr/sbin/pppd
     ln -fs ${pkgs.coreutils}/bin/tail /usr/bin/tail
   '';
+
+  # for forticlient
+  nixpkgs.config.allowUnfree = true;
+
   environment.systemPackages = with pkgs;[
     fortclientsslvpn ppp xclip
     get
     logstash
-  #  docker
     #devpi-web
     #devpi-client
     ansible
   ];
-  # virtualisation.docker.enable = true;
 
 
   networking.firewall.allowedTCPPorts = [
@@ -111,6 +86,6 @@
     80
     8010
   ];
-
+  # required for qemu
   systemd.services."serial-getty@ttyS0".enable = true;
 }

makefu/1systems/wbob/config.nix

@@ -29,7 +29,8 @@ in {
       # <stockholm/makefu/2configs/vncserver.nix>
 
       # Services
-      <stockholm/makefu/2configs/remote-build/slave.nix>
+      <stockholm/makefu/2configs/hydra/stockholm.nix>
+
       <stockholm/makefu/2configs/share/wbob.nix>
       (let
         musicDirectory = "/data/music";
@@ -83,6 +84,9 @@ in {
             load-module module-filter-apply
             load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
             load-module module-switch-on-connect
+            # may be required for "system-wide" pulse to connect to bluetooth
+            #module-bluez5-device
+            #module-bluez5-discover
             '';
         };
         # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio

makefu/1systems/x/config.nix

@@ -40,7 +40,7 @@ with import <stockholm/lib>;
       # Virtualization
       <stockholm/makefu/2configs/virtualisation/libvirt.nix>
       <stockholm/makefu/2configs/virtualisation/docker.nix>
-      <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
+      # <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
       {
         networking.firewall.allowedTCPPorts = [ 8080 ];
         networking.nat = {
@@ -60,7 +60,7 @@ with import <stockholm/lib>;
       # Hardware
       <stockholm/makefu/2configs/hw/tp-x230.nix>
       # <stockholm/makefu/2configs/hw/tpm.nix>
-      <stockholm/makefu/2configs/hw/rtl8812au.nix>
+      # <stockholm/makefu/2configs/hw/rtl8812au.nix>
       <stockholm/makefu/2configs/hw/network-manager.nix>
       <stockholm/makefu/2configs/hw/stk1160.nix>
       # <stockholm/makefu/2configs/rad1o.nix>
@@ -78,6 +78,74 @@ with import <stockholm/lib>;
       # <stockholm/makefu/2configs/lanparty/lancache-dns.nix>
       # <stockholm/makefu/2configs/lanparty/samba.nix>
       # <stockholm/makefu/2configs/lanparty/mumble-server.nix>
+      # <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
+
+      {
+        networking.wireguard.interfaces.wg0 = {
+          ips = [ "10.244.0.2/24" ];
+          privateKeyFile = (toString <secrets>) + "/wireguard.key";
+          allowedIPsAsRoutes = true;
+          peers = [
+          {
+            # gum
+            endpoint = "${config.krebs.hosts.gum.nets.internet.ip4.addr}:51820";
+            allowedIPs = [ "10.244.0.0/24" ];
+            publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
+          }
+          #{
+          #  # vbob
+          #  allowedIPs = [ "10.244.0.3/32" ];
+          #  publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
+          #}
+          ];
+        };
+      }
+      { # bluetooth+pulse config
+        # for blueman-applet
+        users.users.makefu.packages = [
+          pkgs.blueman
+        ];
+        hardware.pulseaudio = {
+          enable = true;
+          package = pkgs.pulseaudioFull;
+          # systemWide = true;
+          support32Bit = true;
+          configFile = pkgs.writeText "default.pa" ''
+            load-module module-udev-detect
+            load-module module-bluetooth-policy
+            load-module module-bluetooth-discover
+            load-module module-native-protocol-unix
+            load-module module-always-sink
+            load-module module-console-kit
+            load-module module-systemd-login
+            load-module module-intended-roles
+            load-module module-position-event-sounds
+            load-module module-filter-heuristics
+            load-module module-filter-apply
+            load-module module-switch-on-connect
+            '';
+        };
+
+        # presumably a2dp Sink
+        # Enable profile:
+        ## pacmd set-card-profile "$(pactl list cards short | egrep -o bluez_card[[:alnum:]._]+)" a2dp_sink
+        hardware.bluetooth.extraConfig = '';
+          [general]
+          Enable=Source,Sink,Media,Socket
+        '';
+
+        # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio
+        hardware.bluetooth.enable = true;
+      }
+      { # auto-mounting
+        services.udisks2.enable = true;
+        services.devmon.enable = true;
+        # services.gnome3.gvfs.enable = true;
+        users.users.makefu.packages = with pkgs;[
+          gvfs pcmanfm lxmenu-data
+        ];
+        environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ];
+      }
 
     ];
 

makefu/2configs/git/cgit-retiolum.nix

@@ -28,6 +28,7 @@ let
     init-stockholm = {
       cgit.desc = "Init stuff for stockholm";
     };
+    hydra-stockholm = { };
   };
 
   priv-repos = mapAttrs make-priv-repo {

makefu/2configs/hw/vbox-guest.nix

@@ -0,0 +1,16 @@
+{ lib, ...}:
+{
+  ## Guest Extensions are currently broken
+  imports = [
+    (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
+  ];
+  virtualisation.virtualbox.guest.enable = true;
+  services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
+
+  fileSystems."/media/share" = {
+    fsType = "vboxsf";
+    device = "share";
+    options = [ "rw" "uid=9001" "gid=9001" "nofail" ];
+  };
+  # virtualbox.baseImageSize = 35 * 1024;
+}

makefu/2configs/hydra/stockholm.nix

@@ -0,0 +1,34 @@
+# iterative:
+# $ hydra-create-user krebs --password derp --role admin
+# curl 'http://hydra.wbob.r/project/.new' -X PUT -H 'Host: hydra.wbob.r' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: redirect_to=%252F; hydra_session=abcdefghijklmnopqrstuvwxyz' -H 'Connection: keep-alive' --data 'enabled=on&visible=on&name=stockholm&displayname=Stockholm&description=make+all+systems+into+1systems&homepage=https%3A%2F%2Fkrebsco.de&owner=krebs&declfile=spec.json&decltype=git&declvalue=http%3A%2F%2Fcgit.euer.krebsco.de%2Fhydra-stockholm'
+
+{
+
+  # TODO postgres backup
+  services.postgresql.enable = true;
+
+  services.hydra = {
+    enable = true;
+    hydraURL = "http://hydra.wbob.r"; # externally visible URL
+    notificationSender = "hydra@wbob.r";
+    # you will probably also want, otherwise *everything* will be built from scratch
+    useSubstitutes = true;
+    port = 3030;
+    buildMachinesFiles = [];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+  services.nginx = {
+    enable = true;
+    virtualHosts."hydra.wbob.r" = {
+      locations."/" =  {
+        proxyPass = "http://localhost:3030/";
+        extraConfig = ''
+          proxy_set_header   Host $host;
+          proxy_set_header   X-Real-IP          $remote_addr;
+          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        '';
+      };
+    };
+  };
+}

makefu/2configs/tools/mobility.nix

@@ -5,5 +5,5 @@
     mosh
   ];
 
-  # boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
+  boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
 }

makefu/2configs/tools/studio.nix

@@ -9,8 +9,8 @@
     # owncloudclient
     (pkgs.writeScriptBin "prepare-pulseaudio" ''
       pactl load-module module-null-sink sink_name=stream sink_properties=device.description="Streaming"
-      pactl load-module module-loopback source=alsa_output.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo.monitor sink=stream latency_msec=1
+      pactl load-module module-loopback source=alsa_output.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo.monitor sink=stream
-      pactl load-module module-loopback source=alsa_input.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo sink=stream latency_msec=1
+      pactl load-module module-loopback source=alsa_input.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo sink=stream
       darkice -c ~/lol.conf
     '')
   ];

makefu/2configs/urlwatch/default.nix

@@ -34,7 +34,7 @@ in {
       http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
       http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
       https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
-      https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
+
       http://www.iozone.org/src/current/
 
       {
@@ -51,6 +51,8 @@ in {
       "embray/d2to1"
       "dorimanx/exfat-nofuse"
       "rapid7/metasploit-framework"
+      "GothenburgBitFactory/taskserver"
+      "GothenburgBitFactory/taskwarrior"
     ];
   };
 }

makefu/5pkgs/default.nix

@@ -3,7 +3,7 @@ self: super: let
 
   # This callPackage will try to detect obsolete overrides.
   callPackage = path: args: let
-    override = super.callPackage path args;
+    override =  super.callPackage path args;
     upstream = optionalAttrs (override ? "name")
       (super.${(parseDrvName override.name).name} or {});
   in if upstream ? "name" &&

makefu/5pkgs/programs-db/default.nix

@@ -1,12 +0,0 @@
-{ stdenv }:
-
-stdenv.mkDerivation rec {
-  name = "programs-db";
-  src = builtins.fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz ;
-
-  phases = [ "unpackPhase" "installPhase" ];
-  installPhase = ''
-    cp programs.sqlite $out
-  '';
-
-}

makefu/6tests/data/secrets/torrent-secrets/auth.nix

@@ -0,0 +1 @@
+{}

makefu/source.nix

@@ -13,7 +13,8 @@ let
               then "buildbot"
               else "makefu";
   _file = <stockholm> + "/makefu/1systems/${name}/source.nix";
-  ref = "cd36b3d"; # nixos-17.09 @ 2018-02-06
+  # TODO: automate updating of this ref + cherry-picks
+  ref = "51810e0"; # nixos-17.09 @ 2018-02-14
                    # + do_sqlite3 ruby: 55a952be5b5
                    # + signal: 0f19beef3
 

tv/2configs/gitrepos.nix

@@ -128,11 +128,6 @@ let {
         repo = [ repo ];
         perm = push "refs/*" [ non-fast-forward create delete merge ];
       } ++
-      optional repo.public {
-        user = attrValues config.krebs.users;
-        repo = [ repo ];
-        perm = fetch;
-      } ++
       optional (repo.collaborators or [] != []) {
         user = repo.collaborators;
         repo = [ repo ];