Merge branch 'staging/jeschli' of prism.r:stockholm into staging/jeschli

2018-03-20 15:37:44 +01:00 · 2018-03-20 15:37:44 +01:00 · 01358d3947
commit 01358d3947
parent 390375cd8a 6267aa4250
96 changed files with 1482 additions and 763 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,3 @@
 /.graveyard
 /TODO
 result
--- a/jeschli/1systems/bln/config.nix
+++ b/jeschli/1systems/bln/config.nix
@ -3,12 +3,13 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
-
+# bln config file
 {
  imports =
    [ # Include the results of the hardware scan.
      <stockholm/jeschli>
      <stockholm/jeschli/2configs/virtualbox.nix>
      <stockholm/jeschli/2configs/urxvt.nix>
      ./hardware-configuration.nix
      # ./dcso-vpn.nix
    ];
@ -16,10 +17,18 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  jeschliFontSize = 20;
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  environment.shellAliases = {
    n = "nix-shell";
-    gd = "cd /home/jeschli/go/src/gitlab.dcso.lolcat";
+    gd = "cd /home/markus/go/src/gitlab.dcso.lolcat";
-    gh = "cd /home/jeschli/go/src/github.com";
+    gh = "cd /home/markus/go/src/github.com";
    stocki = pkgs.writeDash "deploy" ''
      cd ~/stockholm
      LOGNAME=jeschli exec nix-shell -I stockholm="$PWD" --run 'deploy  --system="bln"'
@ -33,6 +42,7 @@
  nixpkgs.config.allowUnfree = true;
  environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
  environment.systemPackages = with pkgs; [
    termite
  # system helper
    ag
    copyq
@ -57,6 +67,7 @@
    chromium
    google-chrome
  # programming languages
    elmPackages.elm
    go
    gcc
    ghc
--- a/jeschli/1systems/brauerei/config.nix
+++ b/jeschli/1systems/brauerei/config.nix
@ -79,6 +79,8 @@
    jetbrains.goland
  # document viewer
    zathura
  # xorg
    xorg.xbacklight
  ];
  # Some programs need SUID wrappers, can be configured further or are
--- a/jeschli/1systems/enklave/config.nix
+++ b/jeschli/1systems/enklave/config.nix
@ -40,6 +40,16 @@
        };
      };
    }
    {
      services.taskserver = {
        enable = true;
        fqdn = "enklave.r";
        listenHost = "::";
        listenPort = 53589;
        organisations.lass.users = [ "jeschli" ];
      };
      networking.firewall.allowedTCPPorts = [ 53589 ];
    }
  ];
  krebs.build.host = config.krebs.hosts.enklave;
--- a/jeschli/1systems/enklave/taskserver.nix
+++ b/jeschli/1systems/enklave/taskserver.nix
@ -0,0 +1,10 @@
    {
      services.taskserver = {
        enable = true;
        fqdn = "enklave.r";
        listenHost = "::";
        listenPort = 53589;
        organisations.lass.users = [ "jeschli" ];
      };
      networking.firewall.allowedTCPPorts = [ 53589 ];
    }
--- a/jeschli/2configs/default.nix
+++ b/jeschli/2configs/default.nix
@ -4,6 +4,7 @@ with import <stockholm/lib>;
  imports = [
    ./vim.nix
    ./retiolum.nix
    ./zsh.nix
    <stockholm/lass/2configs/security-workarounds.nix>
    {
      environment.variables = {
--- a/jeschli/2configs/urxvt.nix
+++ b/jeschli/2configs/urxvt.nix
@ -1,34 +1,39 @@
 { config, pkgs, ... }:
 with import <stockholm/lib>;
 {
-  services.urxvtd.enable = true;
+  options.jeschliFontSize = mkOption {
-  krebs.xresources.enable = true;
+    type = types.int;
-  krebs.xresources.resources.urxvt = ''
+    default = 12;
-  *foreground: rgb:a8/a8/a8
+  };
-  *background: rgb:00/00/00
+  config = {
-  *faceName: DejaVu Sans Mono
+    services.urxvtd.enable = true;
-  *faceSize: 12
+    krebs.xresources.enable = true;
-  *color0: rgb:00/00/00
+    krebs.xresources.resources.urxvt = ''
-  *color1: rgb:a8/00/00
+    *foreground: rgb:a8/a8/a8
-  *color2: rgb:00/a8/00
+    *background: rgb:00/00/00
-  *color3: rgb:a8/54/00
+    *faceName: DejaVu Sans Mono
-  *color4: rgb:00/00/a8
+    *faceSize: ${toString config.jeschliFontSize}
-  *color5: rgb:a8/00/a8
+    *color0: rgb:00/00/00
-  *color6: rgb:00/a8/a8
+    *color1: rgb:a8/00/00
-  *color7: rgb:a8/a8/a8
+    *color2: rgb:00/a8/00
-  *color8: rgb:54/54/54
+    *color3: rgb:a8/54/00
-  *color9: rgb:fc/54/54
+    *color4: rgb:26/8b/d2
-  *color10: rgb:54/fc/54
+    *color5: rgb:a8/00/a8
-  *color11: rgb:fc/fc/54
+    *color6: rgb:00/a8/a8
-  *color12: rgb:54/54/fc
+    *color7: rgb:a8/a8/a8
-  *color13: rgb:fc/54/fc
+    *color8: rgb:54/54/54
-  *color14: rgb:54/fc/fc
+    *color9: rgb:fc/54/54
-  *color15: rgb:fc/fc/fc
+    *color10: rgb:54/fc/54
    *color11: rgb:fc/fc/54
    *color12: rgb:54/54/fc
    *color13: rgb:fc/54/fc
    *color14: rgb:54/fc/fc
    *color15: rgb:fc/fc/fc
-  URxvt*scrollBar:                      false
+    URxvt*scrollBar:                      false
-  URxvt*urgentOnBell:                   true
+    URxvt*urgentOnBell:                   true
-  URxvt*font: xft:DejaVu Sans Mono:pixelsize=12
+    URxvt*font: xft:DejaVu Sans Mono:pixelsize=${toString config.jeschliFontSize}
-  URXvt*faceSize: 12
+    URXvt*faceSize: ${toString config.jeschliFontSize}
-  '';
+    '';
  }; 
 }
--- a/jeschli/2configs/vim.nix
+++ b/jeschli/2configs/vim.nix
@ -27,6 +27,9 @@ in {
      name = "vim";
      vimrcConfig.customRC = let
        colorscheme = ''colorscheme molokai'';
        highlightTrailingWhiteSpaces = ''
          au Syntax * syn match Garbage containedin=ALL /\s\+$/
        '';
        setStatements = ''
          set autowrite
          set clipboard=unnamedplus
@ -42,6 +45,7 @@ in {
        remapStatements = ''
          imap jk <Esc>
          map gr :GoRun<Enter>         " Map gr to execute go run
          map tt :GoTest<Enter>        " Map tt to execute go test
          map nf :NERDTreeToggle<CR>
          nnoremap <C-TAB> <c-w><c-w>
          nnoremap <S-TAB> :bnext<CR>
@ -74,11 +78,12 @@ in {
        '';
      in ''
        ${colorscheme}
        ${highlightTrailingWhiteSpaces}
        ${remapStatements}
        ${setStatements}
        ${settingsForElm}
        ${settingsForGo}
-        " I dont know what this line is about
+        " dont expand tabs in go files and show it with four whitespaces.
        autocmd BufNewFile,BufRead *.go setlocal noexpandtab tabstop=4 shiftwidth=4
      '';
       vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
--- a/jeschli/2configs/zsh.nix
+++ b/jeschli/2configs/zsh.nix
@ -0,0 +1,138 @@
 { config, lib, pkgs, ... }:
 {
  environment.systemPackages = [ pkgs.fzf ];
  programs.zsh = {
    enable = true;
    shellInit = ''
      #disable config wizard
      zsh-newuser-install() { :; }
    '';
    interactiveShellInit = ''
      setopt autocd extendedglob
      bindkey -e
      #history magic
      bindkey "[A" up-line-or-local-history
      bindkey "[B" down-line-or-local-history
      up-line-or-local-history() {
          zle set-local-history 1
          zle up-line-or-history
          zle set-local-history 0
      }
      zle -N up-line-or-local-history
      down-line-or-local-history() {
          zle set-local-history 1
          zle down-line-or-history
          zle set-local-history 0
      }
      zle -N down-line-or-local-history
      setopt share_history
      setopt hist_ignore_dups
      # setopt inc_append_history
      bindkey '^R' history-incremental-search-backward
      #C-x C-e open line in editor
      autoload -z edit-command-line
      zle -N edit-command-line
      bindkey "^X^E" edit-command-line
      #fzf inclusion
      source ${pkgs.fzf}/share/fzf/completion.zsh
      source ${pkgs.fzf}/share/fzf/key-bindings.zsh
      #completion magic
      autoload -Uz compinit
      compinit
      zstyle ':completion:*' menu select
      #enable automatic rehashing of $PATH
      zstyle ':completion:*' rehash true
      eval $(dircolors -b ${pkgs.fetchFromGitHub {
        owner = "trapd00r";
        repo = "LS_COLORS";
        rev = "master";
        sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp";
      }}/LS_COLORS)
      #beautiful colors
      alias ls='ls --color'
      # zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}
      #emacs bindings
      bindkey "[7~" beginning-of-line
      bindkey "[8~" end-of-line
      bindkey "Oc" emacs-forward-word
      bindkey "Od" emacs-backward-word
      #aliases
      alias ll='ls -l'
      alias la='ls -la'
      #fancy window title magic
    '';
    promptInit = ''
      # TODO: figure out why we need to set this here
      HISTSIZE=900001
      HISTFILESIZE=$HISTSIZE
      SAVEHIST=$HISTSIZE
      autoload -U promptinit
      promptinit
      p_error='%(?..%F{red}%?%f )'
      t_error='%(?..%? )'
      case $UID in
        0)
          p_username='%F{red}root%f'
          t_username='root'
          ;;
        1337)
          p_username=""
          t_username=""
          ;;
        *)
          p_username='%F{blue}%n%f'
          t_username='%n'
          ;;
      esac
      if test -n "$SSH_CLIENT"; then
        p_hostname='@%F{magenta}%M%f '
        t_hostname='@%M '
      else
        p_hostname=""
        t_hostname=""
      fi
      #check if in nix shell
      if test -n "$buildInputs"; then
        p_nixshell='%F{green}[s]%f '
        t_nixshell='[s] '
      else
        p_nixshell=""
        t_nixshell=""
      fi
      PROMPT="$p_error$p_username$p_hostname$p_nixshell%~ "
      TITLE="$t_error$t_username$t_hostname$t_nixshell%~"
      case $TERM in
        (*xterm* | *rxvt*)
          function precmd {
            PROMPT_EVALED="$(print -P $TITLE)"
            echo -ne "\033]0;$$ $PROMPT_EVALED\007"
          }
          # This is seen while the shell waits for a command to complete.
          function preexec {
            PROMPT_EVALED="$(print -P $TITLE)"
            echo -ne "\033]0;$$ $PROMPT_EVALED $1\007"
          }
        ;;
      esac
    '';
  };
  users.defaultUserShell = "/run/current-system/sw/bin/zsh";
 }
--- a/jeschli/source.nix
+++ b/jeschli/source.nix
@ -4,6 +4,11 @@ host@{ name, secure ? false, override ? {} }: let
              then "buildbot"
              else "jeschli";
  _file = <stockholm> + "/jeschli/1systems/${name}/source.nix";
  pkgs = import <nixpkgs> {
    overlays = map import [
      <stockholm/krebs/5pkgs>
    ];
  };
 in
  evalSource (toString _file) [
    {
@ -17,6 +22,7 @@ in
        jeschli = "${getEnv "HOME"}/secrets/${name}";
      };
      stockholm.file = toString <stockholm>;
      stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
    }
    override
  ]
--- a/krebs/2configs/go.nix
+++ b/krebs/2configs/go.nix
@ -8,6 +8,7 @@ with import <stockholm/lib>;
  krebs.go = {
    enable = true;
  };
  networking.firewall.allowedTCPPorts = [ 80 ];
  services.nginx = {
    enable = true;
    virtualHosts.go = {
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@ -14,7 +14,6 @@ with import <stockholm/lib>;
  boot = {
    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
    extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
    kernelParams = [ "acpi_backlight=none" ];
  };
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -233,6 +233,7 @@ let
              "github.com"
              # List generated with
              # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
              "192.30.252.*"
              "192.30.253.*"
              "192.30.254.*"
              "192.30.255.*"
@ -240,9 +241,12 @@ let
              "185.199.109.*"
              "185.199.110.*"
              "185.199.111.*"
-              "18.195.85.27"
+              "13.229.188.59"
              "13.250.177.223"
              "18.194.104.89"
              "18.195.85.27"
              "35.159.8.160"
              "52.74.223.119"
            ];
            publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
          };
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -551,6 +551,32 @@ with import <stockholm/lib>;
        };
      };
    };
    dpdkm = {
      ci = false;
      external = true;
      nets = rec {
        retiolum = {
          ip4.addr = "10.243.29.173";
          ip6.addr = "42:4992:6a6d:900::1";
          aliases = [ "dpdkm.r" ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj
            NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp
            qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP
            X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn
            f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa
            bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL
            Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T
            B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w
            tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n
            dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls
            mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ==
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
    };
    xerxes = {
      cores = 2;
      nets = rec {
@ -624,6 +650,10 @@ with import <stockholm/lib>;
      mail = "lass@xerxes.r";
      pubkey = builtins.readFile ./ssh/xerxes.rsa;
    };
    lass-daedalus = {
      mail = "lass@daedalus.r";
      pubkey = builtins.readFile ./ssh/daedalus.rsa;
    };
    fritz = {
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
    };
--- a/krebs/3modules/lass/ssh/daedalus.rsa
+++ b/krebs/3modules/lass/ssh/daedalus.rsa
@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgF3311cZ/JV7lOzo/Crmy6pi0oBYu5klbTb8lU/Yic55XVRyYFtm+KGrNvqkcFgOx803aS7jogJ1N6HCdUAaEl5MzlkOX++h97ihZ/NeQZKDjYEEQYl4ElmIbCRiddpDm0HVX1OGSCtUzhlyDHJ8ieMCb+QVNrpwovlQnp53c/+Z6rGSZWgBMrzP7stlw+XjC1Alhi1M5L+bJfroa7cEcF+J5ZN+J2mWSmkPiQ6+iuk9zRkc5ELO1Vz4MsLoeKwbJrz+uuNVsY7u070pHtsLwbAsYU5vOWJeN/vtEwy51SY/so30FowvivTD9jIJ0xcmAdC56XjWaxttKuqUVBjJqhwqsUI6+AxLESekFXzkfghmG+AJPPkb2pvpVF3k0Ivn14bFBuFv0T2qPHq68Fs19WLTZn+dK3V+RfVkI6bEZaMOUezyBv59yFEY42wMISPw53jkaWqKIxyGCBECi3XlbeQ61FkwE9TElSY+NmoeMu6jPWw7XGDY4Jt6mtKiYu3hVqI5pg4hq3bxB8r2W7LnkDiYfArbzwmrc2zAmgJtY60/Pcwq7hP3LSDEuDDc4gYgpkLNwHjs+CLWqpbQffCFv+oOZj8G92if+dMBOUSBCr6FDqH6wLxZp2cfhud0p/0kLz09nv/PcRohOHdaQSEW7OAhJ5kgg3DuxhwUwOf/3UX5iLvm4WwE/mb7Iki4U3AENKHUWQ7TOrXcQq9AJX57e9CTI+N4phtzp9qur8vjVl2OpYl2Qb/0yQSGM+4wQ/nM4acePMk80oXLb3OJBlPp0CswzoI7kFBD0TUOnFTCkrJWPaZhgjQXyvCzgFKAvXgqWy4riczqLhdBAhc1vT3a18HsqKXE3mhJa6Kjl6r/ZQaDl2zw7uLmWTHhGuUI9w487L36extGuC3Tv8zEvu2UHqhdEcaSDzRQYcv1kRobfhTWjzFHzdA97Kkc+HuFfJk3MzchsjCxqIuDP4r5YauMBMHAIsUlP7Ar/t29WreAGJbCCd2oulkFL+P+8Sp6SksMMhKQvuRcj74n6BETfailv64z2FjT+qzkCsr/gzvWD08EJRZUCpidX2WfMoL396nBf+EgwhFykqoFg2jlJJ7Vggod8CSHUSeBkslhNk/tkv4y+NnsAIgNluVZlxIeKj1UgazohSNQVRHozs2lkuK0Ytl4TsFrE0X3ar7LpwEVvCLj3eh2kg4kNKNN/vOwWxvMlF9uCBq5FUHaBCst/OXeigjfGZ0ZK5iHsZN+R/iIlG+3V3VN1Rm29aPJPSuAgwl/lfPUfUP5c8QiwnDgdHqMi7VcuCpEtcTLjqDHBssqosRTLodcIZY6qLepm5kQgJ2FfcTPi+ZwT3Z/IFH6p/H7NeVbb8rVYeF/zqDJiWbI+gDy0xFnGgOLpFSBdHq679FjtjZk7Exgz3rVD+QsoSB8VYVOSqpHB1LQyQ2qBry+33CNpxlX5GaaLx5sbEKEguaJ+9R7Mbf8zQMa8EAXhqoT96kIj66IEk= lass@daedalus
--- a/krebs/3modules/lass/ssh/icarus.rsa
+++ b/krebs/3modules/lass/ssh/icarus.rsa
@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDm4qnRU8/Zyb+7x/QxW1grN+i1qcN39Sr/TSkBdccAPyfPdk8ph/G+wZKgsyr9sl5CgbA4hOsqDBN97dp4dKghKARuk0GldHDgo+2odWwBTa4EOSmE4Bfj3z7r9tW33Y+ujy55L4w5Qw21lj51mbhc0qvC/03xypEeKsLM0RtNAf8TsdGMPGmbha7uCF75VjFJvrHysbjonh6ZQ+Or8N0MSNABZ9oawJQxxBUqtLFhnq20zCJmm281f9GS/EaGYwcpOjiHd4fj3XWyfEIJRK/LRBZXkidvVDN7mhOQY3G+qiGZfPeyged9CRDRFoc5QbZ43NtrmPS+yUtjHQZKynkjI0lA00fegRzb0FkEJmYSy1Vdqgj338CjNwcuTaKJTw2EotMqMuHyk1FllnphafJtgMTMLIGoZRTpJpC91gbP0MGTnRoCwD4McZcz1YD3cxng101QsLsDv/FPxzbyxr+P6rjBB6eP6IhP4k4ALjWzoMURdCo1BW4//zt+PXImUpcX2+urtAMmVBQ8BwZry1hsEcR+r6C1Yb+jzeWGnvtfjXSFv+ZjpA0eEnqeKeh3LDCxybjkok51zdTe97EZ0sDAnKcnrVzpXJwehY02E2N9Sw1HhvWIUUulr09a2bC2rYR7HWryOjaEzT2aKmUyrxPkflCawB8gn2iSbVMWK74VJw== lass@icarus
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgEuFS5MwYQRF+0MKAQvyv6O+0ky0QnOKGMVZgFXE4g2JrByTCXQAeQmyJquM1wl9IRD63res8ZguMoAz2PkHfNbRSSsR7pH/G3DaJRl0VGf14zO3bjBbogQ45j1Bwxi78h44SDmuBAkp0t76ca16kWGhwEVt03+8sqmbLV90RjHZlrFw2sDgTu35SDz1q/ZzkdyFP3xSIBUnsQD64qRLMx64yLcBp0uu2h7gBBCVyA1T+VR3Nc1yIOyv0nUaqEHz+CDATtFlgGTgT6cCXoIPN0QAuIa3pDxt7htD/POsWuFbpbqrBQVcgun5s3J5X0OmNyoqGqqubcycvuYipZUjBCxyTb7RxCqj2oR8alSaeGZm64I0VSGX/iSCtXKaEJqBbxwNUgDH6B2oUeZbRwgPl/SG8vBku1oKzt/36IBoY8HttcosqLkfTquyyO7KVtOBu04geCmmiqJpSV4j5iYMxvrD0AQ3JJmrcbzUYoCGxlYO19TPsa+Ybhn/E8suach75+DIPj5LacYAh9Wjirw67Kg5QyYEt8XGTR2xxF78CFi0JGBRcyorPfFPLznmVntqJLe6dGNL3njgdD0Ocz8V5ktk1pjY5D2nG8GXfd45NQl2QjTLYnYX4dGuudBXth0nEJMv/MRHZrXVViIqwazdq4mA5z1Yu4Tb3l17d2cAZobzdut6JuZbd7itXAPIiY0vEWXr8lpEuE8Uz9mz8aPxZlhmHSXvNcwhq+i2+cFO8OPwUGbnE2cAHpymlQ3aDRgpptAIMU2LjIAblqsvA72asJpuRqu7ZOoy0vVRCOhktIzZXWR9hF5/CM/7NZ5skvHzYlmgkvnuu4jDDGusF32Zyiip0WJg+Iijqe8VpOqCup5UEF5QG32yQwaZDrKd71hq7Z1xNe0vEPN8yCxpes8hWafYY9m8YRrUduDVlOon7SzmdU76RPn2oF6udCGP7A/hEeRiwrDaRuIwchh99Xw3LioxXNzLYB1aXd+yKuZyhW+witC20ISdyZz7JPIrb49JCGH8FtbcDzD1B8Xd1By34POfhxriSr9UG5Hj9LGbA3/aKMOajZdcbrKXorUrKdhAuZv1z4rjW5iwYgXF2G/nseeCOw+DPEcB3GexsyCTUzSjJ6fy3Aqlzppwttx5MfkbNhPZWRCfDX3i0g8e0aFlgvlj99aGgUQeEpYg8peZhe1lxl25Ftc0R7pYmXPDeCY1yWxZiXZ3YtVVr43c/FEaQHXfkZ2I+t5lG6CmgJhhYjUry5Sx4/NgfBvpmU22cIBWNmyTn9q3gDFmeoIiTwlF654K7NnsWrdKr2L2fGI10Xe/J/GYkkzX39e5bToQPXh23gUfIr7faYEPBsVU/SaEkWNHojzf/NKjPT0utvlFr0HqnFYSdk4wpWzcrhii7E/UhgKvpA/k2Vlj4ZhkejfZXQWxRbJzejkVSJcUGim+Dt1WUZJXVOgEkJ3WA6z+ha2FN2sBDdvRKlad55aelvRrbu3/vPzEuE= lass@icarus
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@ -503,6 +503,7 @@ with import <stockholm/lib>;
          # ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
          aliases = [
            "wbob.r"
            "hydra.wbob.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
@ -1038,6 +1039,10 @@ with import <stockholm/lib>;
      inherit (makefu) mail pgp;
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoAtBa10AbiFXfYL4Za7e0CLeXJeH6FhMqVZFqElLkJBKmQ7c7WEMlnuRhEZWSFDXBpaS7p73s5MMOZA13uYv6fI2ipOOwE9Ej1EoMsrQGegBp2VDMo0wnr/sgTL1do+uGI85E/i0uFw0DYhXqlZQk1eK8SdgXYltiVL27IA3NG2kYuoTIvJgRnaPJjTbhLBWti3m586LuO+pBKtcTt1D9EV6wp+6Jum4owPtCgVPQaZfFGYWkEiINV83WX9HoIk4S3bTPLh8Kfp0je0xsioS4T9/cxSPgUie8MjSg0irvLJXRH0JOVuG5NvZTYhAAekwNkHll9CtypPrutjbrXPXf makefu@x";
    };
    makefu-remote-builder = {
      inherit (makefu) mail pgp;
      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlhb0TIBW9RN9T8Is4YRIc1RjOg+cxbZCaDjbM4zxrX nixBuild";
    };
    makefu-bob = {
      inherit (makefu) mail pgp;
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+fEK1bCB8cdDiBzXBXEWLFQyp/7xjNGQ5GyqHOtgxxe6Ypb0kAaWJaG3Ak/qI/nToGKwkQJLsuYNA3lZj2rFyBdoxnNO3kRFTc7NoaU5mC2BlHbpmn9dzvgiBoRAKAlzj/022u65SI19AFciKXtwqQfjuB3mPVOFOfCFB2SYjjWb8ffPnHp6PB5KKNLxaVPCbZgOdSju25/wB2lY00W8WIDOTqfbNClQnjkLsUZpTuRnvpHTemKtt1FH+WBZiMwMXRt19rm9LFSO7pvrZjdJz0l1TZVsODkbKZzQzSixoCPmdpPPAYaqrGUQpmukXk0xQtR3E2jEsk+FJv4AkIKqD";
--- a/krebs/3modules/os-release.nix
+++ b/krebs/3modules/os-release.nix
@ -5,7 +5,11 @@ let
  nixos-version = "${nixos-version-id} (${config.system.nixosCodeName})";
  nixos-pretty-name = "NixOS ${nixos-version}";
-  stockholm-version-id = maybeEnv "STOCKHOLM_VERSION" "unknown";
+  stockholm-version-id = let
    eval = tryEval (removeSuffix "\n" (readFile <stockholm-version>));
  in
    if eval.success then eval.value else "unknown";
  stockholm-version = "${stockholm-version-id}";
  stockholm-pretty-name = "stockholm ${stockholm-version}";
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@ -18,10 +18,10 @@ let
            type = types.attrsOf (types.submodule ({ config, ... }: {
              options = {
                origin = mkOption {
-                  type = types.git-source;
+                  type = types.source-types.git;
                };
                mirror = mkOption {
-                  type = types.git-source;
+                  type = types.source-types.git;
                };
              };
              config = {
@ -31,7 +31,7 @@ let
            }));
          };
          latest = mkOption {
-            type = types.nullOr types.git-source;
+            type = types.nullOr types.source-types.git;
            default = null;
          };
          timerConfig = mkOption {
--- a/krebs/5pkgs/simple/ftb/default.nix
+++ b/krebs/5pkgs/simple/ftb/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, makeDesktopItem
+{ stdenv, fetchurl
 , jre, libX11, libXext, libXcursor, libXrandr, libXxf86vm
 , openjdk
 , mesa, openal
@ -7,23 +7,12 @@ with stdenv.lib;
 assert useAlsa -> alsaOss != null;
-let
+stdenv.mkDerivation {
  desktopItem = makeDesktopItem {
    name = "minecraft";
    exec = "minecraft";
    icon = "minecraft";
    comment = "A sandbox-building game";
    desktopName = "Minecraft";
    genericName = "minecraft";
    categories = "Game;";
  };
 in stdenv.mkDerivation {
  name = "ftb";
  src = fetchurl {
    url = "http://ftb.cursecdn.com/FTB2/launcher/FTB_Launcher.jar";
-    sha256 = "10ga4jgyfsj5dy4rj2rla0fpnfpnxv8r3bmxpqpwn7fsry4il79v";
+    sha256 = "0pyh83hhni97ryvz6yy8lyiagjrlx67cwr780s2bja92rxc1sqpj";
  };
  phases = "installPhase";
@ -36,6 +25,7 @@ in stdenv.mkDerivation {
    cat > $out/bin/ftb << EOF
    #!${stdenv.shell}
    export _JAVA_AWT_WM_NONREPARENTING=1
    export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:${makeLibraryPath [ libX11 libXext libXcursor libXrandr libXxf86vm mesa openal ]}
    ${if useAlsa then "${alsaOss}/bin/aoss" else "" } \
      ${jre}/bin/java -jar $out/ftb.jar
@ -43,9 +33,6 @@ in stdenv.mkDerivation {
    chmod +x $out/bin/ftb
    mkdir -p $out/share/applications
    ln -s ${desktopItem}/share/applications/* $out/share/applications/
    ${openjdk}/bin/jar xf $out/ftb.jar favicon.png
  '';
 }
--- a/krebs/5pkgs/simple/populate/default.nix
+++ b/krebs/5pkgs/simple/populate/default.nix
@ -16,12 +16,12 @@ in
 stdenv.mkDerivation rec {
  name = "populate";
-  version = "2.1.0";
+  version = "2.3.0";
  src = fetchgit {
    url = http://cgit.ni.krebsco.de/populate;
    rev = "refs/tags/v${version}";
-    sha256 = "0cr50y6h6nps0qgpmi01h0z9wzpv2704y5zgx2salk1grkmvcfmh";
+    sha256 = "05zr132k1s3a1cc879lvhb83hax7dbfmsbrnxmh7dxjcdg3yhxd7";
  };
  phases = [
--- a/krebs/5pkgs/simple/stockholm/default.nix
+++ b/krebs/5pkgs/simple/stockholm/default.nix
@ -216,7 +216,6 @@
  init.env = pkgs.writeText "init.env" /* sh */ ''
    export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
    export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${cmds.get-version})}"
    export quiet
    export system
@ -251,7 +250,6 @@
            "$target_user@$target_host" -p "$target_port" \
            cd "$target_path/stockholm" \; \
            NIX_PATH=$(${pkgs.quote}/bin/quote "$target_path") \
            STOCKHOLM_VERSION=$(${pkgs.quote}/bin/quote "$STOCKHOLM_VERSION") \
            nix-shell --run "$(${pkgs.quote}/bin/quote "
              ${lib.concatStringsSep " " (lib.mapAttrsToList
                (name: opt: /* sh */
--- a/krebs/5pkgs/simple/urlwatch/default.nix
+++ b/krebs/5pkgs/simple/urlwatch/default.nix
@ -2,13 +2,13 @@
 python3Packages.buildPythonApplication rec {
  name = "urlwatch-${version}";
-  version = "2.7";
+  version = "2.8";
  src = fetchFromGitHub {
    owner  = "thp";
    repo   = "urlwatch";
    rev    = version;
-    sha256 = "0fx964z73yv08b1lpymmjsigf6929zx9ax5bp34rcf2c5gk11l5m";
+    sha256 = "1nja7n6pc45azd3l1xyvav89855lvcgwabrvf34rps81dbl8cnl4";
  };
  propagatedBuildInputs = with python3Packages; [
--- a/krebs/source.nix
+++ b/krebs/source.nix
@ -4,6 +4,11 @@ host@{ name, secure ? false, override ? {} }: let
              then "buildbot"
              else "krebs";
  _file = <stockholm> + "/krebs/1systems/${name}/source.nix";
  pkgs = import <nixpkgs> {
    overlays = map import [
      <stockholm/krebs/5pkgs>
    ];
  };
 in
  evalSource (toString _file) [
    {
@ -16,9 +21,10 @@ in
        };
      };
      stockholm.file = toString <stockholm>;
      stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
      nixpkgs.git = {
        url = https://github.com/NixOS/nixpkgs;
-        ref = "b222a0713f4a689519686421b3fbf5ca0c9bd3da"; # nixos-17.09 @ 2018-01-23
+        ref = "c5bc83b503dfb29eb27c1deb0268f15c1858e7ce"; # nixos-17.09 @ 2018-02-27
      };
    }
    override
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@ -16,6 +16,7 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/virtualbox.nix>
    <stockholm/lass/2configs/dcso-dev.nix>
    <stockholm/lass/2configs/steam.nix>
    <stockholm/lass/2configs/rtl-sdr.nix>
    { # automatic hardware detection
      boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
      boot.kernelModules = [ "kvm-intel" ];
@ -136,24 +137,47 @@ with import <stockholm/lib>;
  networking.hostName = lib.mkForce "BLN02NB0162";
  security.pki.certificateFiles = [
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
-   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
+    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
    (pkgs.writeText "minio.cert" ''
      -----BEGIN CERTIFICATE-----
      MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS
      MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1
      OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
      AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL
      8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV
      YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C
      ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM
      CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw
      hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk
      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw
      I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB
      CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30
      hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox
      jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY
      EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM
      zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a
      qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa
      -----END CERTIFICATE-----
    '')
  ];
  lass.screenlock.command = "${pkgs.i3lock}/bin/i3lock -i /home/lass/lock.png -t -f";
  programs.adb.enable = true;
-  users.users.mainUser.extraGroups = [ "adbusers" ];
+  users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
  services.printing.drivers = [ pkgs.postscript-lexmark ];
  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';
  virtualisation.docker.enable = true;
 }
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -31,6 +31,8 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/c-base.nix>
    <stockholm/lass/2configs/br.nix>
    <stockholm/lass/2configs/ableton.nix>
    <stockholm/lass/2configs/dunst.nix>
    <stockholm/lass/2configs/rtl-sdr.nix>
    {
      #risk of rain port
      krebs.iptables.tables.filter.INPUT.rules = [
@ -89,6 +91,10 @@ with import <stockholm/lib>;
      fsType = "btrfs";
      options = ["defaults" "noatime" "ssd" "compress=lzo"];
    };
    "/home/virtual" = {
      device = "/dev/mapper/pool-virtual";
      fsType = "ext4";
    };
  };
  services.udev.extraRules = ''
@ -176,7 +182,7 @@ with import <stockholm/lib>;
        echo 'secrets are crypted' >&2
        exit 23
      else
-        exec nix-shell -I stockholm="$PWD" --run 'deploy --diff --system="$SYSTEM"'
+        exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
      fi
    '';
    predeploy = pkgs.writeDash "predeploy" ''
@ -194,5 +200,6 @@ with import <stockholm/lib>;
  nix.package = pkgs.nixUnstable;
  programs.adb.enable = true;
-  users.users.mainUser.extraGroups = [ "adbusers" ];
+  users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
  virtualisation.docker.enable = true;
 }
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -292,11 +292,22 @@ in {
    <stockholm/krebs/2configs/reaktor-krebs.nix>
    <stockholm/lass/2configs/dcso-dev.nix>
    {
      users.users.jeschli = {
        uid = genid "jeschli";
        isNormalUser = true;
        openssh.authorizedKeys.keys = with config.krebs.users; [
          jeschli.pubkey
          jeschli-bln.pubkey
          jeschli-bolide.pubkey
          jeschli-brauerei.pubkey
        ];
      };
      krebs.git.rules = [
        {
          user = with config.krebs.users; [
            jeschli
            jeschli-bln
            jeschli-bolide
            jeschli-brauerei
          ];
          repo = [ config.krebs.git.repos.stockholm ];
@ -313,6 +324,18 @@ in {
    }
    <stockholm/lass/2configs/downloading.nix>
    <stockholm/lass/2configs/minecraft.nix>
    {
      services.taskserver = {
        enable = true;
        fqdn = "lassul.us";
        listenHost = "::";
        listenPort = 53589;
        organisations.lass.users = [ "lass" "android" ];
      };
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
      ];
    }
  ];
  krebs.build.host = config.krebs.hosts.prism;
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@ -61,4 +61,8 @@ with import <stockholm/lib>;
    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
  '';
  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';
 }
--- a/lass/2configs/IM.nix
+++ b/lass/2configs/IM.nix
@ -41,6 +41,7 @@ in {
      lass-shodan.pubkey
      lass-icarus.pubkey
      lass-android.pubkey
      lass-helios.pubkey
    ];
  };
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -2,6 +2,7 @@
 with import <stockholm/lib>;
 let
  user = config.krebs.build.user;
  xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; };
 in {
  imports = [
    ./mpv.nix
@ -10,6 +11,7 @@ in {
    ./livestream.nix
    ./dns-stuff.nix
    ./urxvt.nix
    ./network-manager.nix
    {
      hardware.pulseaudio = {
        enable = true;
@ -83,7 +85,6 @@ in {
    powertop
    push
    rxvt_unicode_with-plugins
    screengrab
    slock
    sxiv
    timewarrior
@ -98,6 +99,7 @@ in {
    zathura
    cabal2nix
    xephyrify
  ];
  fonts.fonts = with pkgs; [
@ -121,13 +123,13 @@ in {
      name = "xmonad";
      start = ''
        ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
-        ${pkgs.coreutils}/bin/sleep infinity
+        ${pkgs.systemd}/bin/systemctl --user start xmonad
        exec ${pkgs.coreutils}/bin/sleep infinity
      '';
    }];
  };
  systemd.user.services.xmonad = {
    wantedBy = [ "graphical-session.target" ];
    environment = {
      DISPLAY = ":${toString config.services.xserver.display}";
      RXVT_SOCKET = "%t/urxvtd-socket";
@ -135,8 +137,8 @@ in {
    };
    serviceConfig = {
      SyslogIdentifier = "xmonad";
-      ExecStart = "${pkgs.xmonad-lass}/bin/xmonad";
+      ExecStart = "${xmonad-lass}/bin/xmonad";
-      ExecStop = "${pkgs.xmonad-lass}/bin/xmonad --shutdown";
+      ExecStop = "${xmonad-lass}/bin/xmonad --shutdown";
    };
    restartIfChanged = false;
  };
--- a/lass/2configs/dcso-dev.nix
+++ b/lass/2configs/dcso-dev.nix
@ -17,6 +17,7 @@ in {
        config.krebs.users.lass.pubkey
        config.krebs.users.lass-android.pubkey
        config.krebs.users.jeschli-bln.pubkey
        config.krebs.users.jeschli-brauerei.pubkey
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1T5+2epslFARSnETdr4wdolA6ocJaD4H9tmz6BZFQKXlwIq+OMp+sSEdwYwW3Lu9+mNbBHPxVVJDWg/We9DXB0ezXPM5Bs1+FcehmkoGwkmgKaFCDt0sL+CfSnog/3wEkN21O/rQxVFqMmiJ7WUDGci6IKCFZ5ZjOsmmfHg5p3LYxU9xv33fNr2v+XauhrGbFtQ7eDz4kSywxN/aw73LN4d8em0V0UV8VPI3Qkw7MamDFwefA+K1TfK8pBzMeruU6N7HLuNkpkAp7kS+K4Zzd72aQtR37a5qMiFUbOxQ9B7iFypuPx0iu6ZwY1s/sM8t3kLmcDJ9O4FOTzlbpneet3as6iJ+Ckr/TlfKor2Tl5pWcXh2FXHoG8VUu5bYmIViJBrKihAlAQfQN0mJ9fdFTnCXVTtbYTy11s4eEVHgUlb7oSpgBnx5bnBONgApbsOX9zyoo8wz8KkZBcf1SQpkV5br8uUAHCcZtHuY6I3kKlv+8lJmgUipiYzMdTi7+dHa49gVEcEKL4ZnJ0msQkl4XT7JjKETLvumC4/TIqVuRu48wuYalkCR9OzxCsTXQ/msBJBztPdYLrEOXVb2HfzuCT+43UuMQ5rP/EoPy0TWQO9BaqfEXqvbOvWjVxj/GMvglQ2ChZTwHxwwTKB8qRVvJLnbZQwizQiSrkzjb6hRJfQ== u0_a165@localhost"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjtdqRxD0+UU7O8xogSqAQYd/Hrc79CTTKnvbhKy7jp2TVfxQpl81ndSH6DN6Cz90mu65C+DFGq43YtKTPqXmTn1+2wru71C2UOl6ZR0tmU7UELkRt4SJuFQLEgQCt3BWvXJPye6cKRRIlb+XZHWyVyCDxHo9EYO2GWI1wIP8mHMltKj65mobHY+R0CJNhhwlFURzTto8C30ejfVg2OW81qkNWqYtpdC9txLUlQ9/LBVKrafHGprmcBEp9qtecVgx8kxHpS7cuQNYoFcfljug4IyFO+uBfdbKqnGM5mra3huNhX3+AcQxKbLMlRgZD+jc47Xs+s5qSvWBou2ygd5T413k/SDOTCxDjidA+dcwzRo0qUWcGL201a5g+F0EvWv8rjre9m0lii6QKEoPyj60y3yfaIHeafels1Ia1FItjkBe8XydiXf7rKq8nmVRlpo8vl+vKwVuJY783tObHjUgBtXJdmnyYGiXxkxSrXa2mQhPz3KodK/QrnqCP27dURcMlp1hFF3LxFz7WtMCLW0yvDuUsuI2pdq0+zdt702wuwXVNIvbq/ssvX/CL8ryBLAogaxN9DN0vpjk+aXQLn11Zt99MgmnnqUgvOKQi1Quog/SxnSBiloKqB6aA10a28Uxoxkr0KAfhWhX3XPpfGMlbVj4GJuevLp0sGDVQT2biUQ== rhaist@RH-NB"
      ];
@ -44,6 +45,11 @@ in {
    };
  };
  krebs.iptables.tables.filter.INPUT.rules = [
    { predicate = "-p tcp --dport 8000"; target = "ACCEPT";}
    { predicate = "-p tcp --dport 9000"; target = "ACCEPT";}
  ];
  krebs.per-user.dev.packages = [
    pkgs.go
  ];
@ -51,4 +57,6 @@ in {
  security.sudo.extraConfig = ''
    ${mainUser.name} ALL=(dev) NOPASSWD: ALL
  '';
  services.minio.enable = true;
 }
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@ -16,6 +16,8 @@ with import <stockholm/lib>;
        lass.pubkey
        lass-shodan.pubkey
        lass-icarus.pubkey
        lass-daedalus.pubkey
        lass-helios.pubkey
        makefu.pubkey
        wine-mors.pubkey
      ];
--- a/lass/2configs/dunst.nix
+++ b/lass/2configs/dunst.nix
@ -0,0 +1,277 @@
 { config, pkgs, ... }:
 with import <stockholm/lib>;
 let
  dunstConfig = pkgs.writeText "dunst-config" ''
    [global]
    font = Iosevka Term 11
    # Allow a small subset of html markup:
    #   <b>bold</b>
    #   <i>italic</i>
    #   <s>strikethrough</s>
    #   <u>underline</u>
    #
    # For a complete reference see
    # <http://developer.gnome.org/pango/stable/PangoMarkupFormat.html>.
    # If markup is not allowed, those tags will be stripped out of the
    # message.
    markup = yes
    plain_text = no
    # The format of the message.  Possible variables are:
    #   %a  appname
    #   %s  summary
    #   %b  body
    #   %i  iconname (including its path)
    #   %I  iconname (without its path)
    #   %p  progress value if set ([  0%] to [100%]) or nothing
    # Markup is allowed
    format = "%a\n<b>%s</b>\n%b"
    # Sort messages by urgency.
    sort = yes
    # Show how many messages are currently hidden (because of geometry).
    indicate_hidden = yes
    # Alignment of message text.
    # Possible values are "left", "center" and "right".
    alignment = center
    # The frequency with wich text that is longer than the notification
    # window allows bounces back and forth.
    # This option conflicts with "word_wrap".
    # Set to 0 to disable.
    bounce_freq = 0
    # Show age of message if message is older than show_age_threshold
    # seconds.
    # Set to -1 to disable.
    show_age_threshold = 1
    # Split notifications into multiple lines if they don't fit into
    # geometry.
    word_wrap = yes
    # Ignore newlines '\n' in notifications.
    ignore_newline = no
    # Hide duplicate's count and stack them
    stack_duplicates = yes
    hide_duplicates_count = no
    # The geometry of the window:
    #   [{width}]x{height}[+/-{x}+/-{y}]
    # The geometry of the message window.
    # The height is measured in number of notifications everything else
    # in pixels.  If the width is omitted but the height is given
    # ("-geometry x2"), the message window expands over the whole screen
    # (dmenu-like).  If width is 0, the window expands to the longest
    # message displayed.  A positive x is measured from the left, a
    # negative from the right side of the screen.  Y is measured from
    # the top and down respectevly.
    # The width can be negative.  In this case the actual width is the
    # screen width minus the width defined in within the geometry option.
    geometry = "500x10-0+0"
    # Shrink window if it's smaller than the width.  Will be ignored if
    # width is 0.
    shrink = no
    # The transparency of the window.  Range: [0; 100].
    # This option will only work if a compositing windowmanager is
    # present (e.g. xcompmgr, compiz, etc.).
    # transparency = 5
    # Don't remove messages, if the user is idle (no mouse or keyboard input)
    # for longer than idle_threshold seconds.
    # Set to 0 to disable.
    idle_threshold = 0
    # Which monitor should the notifications be displayed on.
    monitor = keyboard
    # Display notification on focused monitor.  Possible modes are:
    #   mouse: follow mouse pointer
    #   keyboard: follow window with keyboard focus
    #   none: don't follow anything
    #
    # "keyboard" needs a windowmanager that exports the
    # _NET_ACTIVE_WINDOW property.
    # This should be the case for almost all modern windowmanagers.
    #
    # If this option is set to mouse or keyboard, the monitor option
    # will be ignored.
    follow = none
    # Should a notification popped up from history be sticky or timeout
    # as if it would normally do.
    sticky_history = yes
    # Maximum amount of notifications kept in history
    history_length = 15
    # Display indicators for URLs (U) and actions (A).
    show_indicators = no
    # The height of a single line.  If the height is smaller than the
    # font height, it will get raised to the font height.
    # This adds empty space above and under the text.
    line_height = 3
    # Draw a line of "separatpr_height" pixel height between two
    # notifications.
    # Set to 0 to disable.
    separator_height = 1
    # Padding between text and separator.
    padding = 1
    # Horizontal padding.
    horizontal_padding = 1
    # Define a color for the separator.
    # possible values are:
    #  * auto: dunst tries to find a color fitting to the background;
    #  * foreground: use the same color as the foreground;
    #  * frame: use the same color as the frame;
    #  * anything else will be interpreted as a X color.
    separator_color = frame
    # Print a notification on startup.
    # This is mainly for error detection, since dbus (re-)starts dunst
    # automatically after a crash.
    startup_notification = true
    # dmenu path.
    dmenu = ${pkgs.dmenu}/bin/dmenu -p dunst:
    # Browser for opening urls in context menu.
    browser = /usr/bin/firefox -new-tab
    # Align icons left/right/off
    icon_position = off
    max_icon_size = 80
    # Paths to default icons.
    icon_folders = /usr/share/icons/Paper/16x16/mimetypes/:/usr/share/icons/Paper/48x48/status/:/usr/share/icons/Paper/16x16/devices/:/usr/share/icons/Paper/48x48/notifications/:/usr/share/icons/Paper/48x48/emblems/
    frame_width = 2
    frame_color = "#8EC07C"
    [shortcuts]
    # Shortcuts are specified as [modifier+][modifier+]...key
    # Available modifiers are "ctrl", "mod1" (the alt-key), "mod2",
    # "mod3" and "mod4" (windows-key).
    # Xev might be helpful to find names for keys.
    # Close notification.
    close = ctrl+space
    # Close all notifications.
    close_all = ctrl+shift+space
    # Redisplay last message(s).
    # On the US keyboard layout "grave" is normally above TAB and left
    # of "1".
    history = ctrl+grave
    # Context menu.
    context = mod4+u
    [urgency_low]
    # IMPORTANT: colors have to be defined in quotation marks.
    # Otherwise the "#" and following would be interpreted as a comment.
    frame_color = "#3B7C87"
    foreground = "#3B7C87"
    background = "#191311"
    #background = "#2B313C"
    timeout = 0
    [urgency_normal]
    frame_color = "#5B8234"
    foreground = "#5B8234"
    background = "#191311"
    #background = "#2B313C"
    timeout = 0
    [urgency_critical]
    frame_color = "#B7472A"
    foreground = "#B7472A"
    background = "#191311"
    #background = "#2B313C"
    timeout = 0
    # Every section that isn't one of the above is interpreted as a rules to
    # override settings for certain messages.
    # Messages can be matched by "appname", "summary", "body", "icon", "category",
    # "msg_urgency" and you can override the "timeout", "urgency", "foreground",
    # "background", "new_icon" and "format".
    # Shell-like globbing will get expanded.
    #
    # SCRIPTING
    # You can specify a script that gets run when the rule matches by
    # setting the "script" option.
    # The script will be called as follows:
    #   script appname summary body icon urgency
    # where urgency can be "LOW", "NORMAL" or "CRITICAL".
    #
    # NOTE: if you don't want a notification to be displayed, set the format
    # to "".
    # NOTE: It might be helpful to run dunst -print in a terminal in order
    # to find fitting options for rules.
    #[espeak]
    #    summary = "*"
    #    script = dunst_espeak.sh
    #[script-test]
    #    summary = "*script*"
    #    script = dunst_test.sh
    #[ignore]
    #    # This notification will not be displayed
    #    summary = "foobar"
    #    format = ""
    #[signed_on]
    #    appname = Pidgin
    #    summary = "*signed on*"
    #    urgency = low
    #
    #[signed_off]
    #    appname = Pidgin
    #    summary = *signed off*
    #    urgency = low
    #
    #[says]
    #    appname = Pidgin
    #    summary = *says*
    #    urgency = critical
    #
    #[twitter]
    #    appname = Pidgin
    #    summary = *twitter.com*
    #    urgency = normal
    #
    # vim: ft=cfg
  '';
 in {
  systemd.user.services.dunst = {
    wantedBy = [ "graphical-session.target" ];
    requires = [ "xmonad.service" ];
    environment = {
      DISPLAY = ":${toString config.services.xserver.display}";
    };
    serviceConfig = {
      SyslogIdentifier = "dunst";
      ExecStart = "${pkgs.dunst}/bin/dunst -conf ${dunstConfig}";
      Restart = "always";
      RestartSec = "15s";
      StartLimitBurst = 0;
    };
  };
 }
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@ -11,7 +11,6 @@ with import <stockholm/lib>;
    primary_hostname = "lassul.us";
    sender_domains = [
      "lassul.us"
      "aidsballs.de"
    ];
    relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [
      config.krebs.hosts.mors
@ -59,6 +58,26 @@ with import <stockholm/lib>;
      { from = "coinexchange@lassul.us"; to = lass.mail; }
      { from = "verwaltung@lassul.us"; to = lass.mail; }
      { from = "gearbest@lassul.us"; to = lass.mail; }
      { from = "binance@lassul.us"; to = lass.mail; }
      { from = "bitfinex@lassul.us"; to = lass.mail; }
      { from = "alternate@lassul.us"; to = lass.mail; }
      { from = "redacted@lassul.us"; to = lass.mail; }
      { from = "mytaxi@lassul.us"; to = lass.mail; }
      { from = "pizza@lassul.us"; to = lass.mail; }
      { from = "robinhood@lassul.us"; to = lass.mail; }
      { from = "drivenow@lassul.us"; to = lass.mail; }
      { from = "aws@lassul.us"; to = lass.mail; }
      { from = "reddit@lassul.us"; to = lass.mail; }
      { from = "banggood@lassul.us"; to = lass.mail; }
      { from = "immoscout@lassul.us"; to = lass.mail; }
      { from = "gmail@lassul.us"; to = lass.mail; }
      { from = "amazon@lassul.us"; to = lass.mail; }
      { from = "humblebundle@lassul.us"; to = lass.mail; }
      { from = "meetup@lassul.us"; to = lass.mail; }
      { from = "gebfrei@lassul.us"; to = lass.mail; }
      { from = "github@lassul.us"; to = lass.mail; }
      { from = "ovh@lassul.us"; to = lass.mail; }
      { from = "hetzner@lassul.us"; to = lass.mail; }
    ];
    system-aliases = [
      { from = "mailer-daemon"; to = "postmaster"; }
--- a/lass/2configs/logf.nix
+++ b/lass/2configs/logf.nix
@ -10,9 +10,13 @@ let
    echelon = "197";
    cloudkrebs = "119";
  };
  urgent = [
    "\\blass@mors\\b"
  ];
 in {
  environment.systemPackages = [
    (pkgs.writeDashBin "logf" ''
      export LOGF_URGENT=${pkgs.writeJSON "urgent" urgent}
      export LOGF_HOST_COLORS=${pkgs.writeJSON "host-colors" host-colors}
      ${pkgs.logf}/bin/logf ${concatMapStringsSep " " (name: "root@${name}") (attrNames config.lass.hosts)}
    '')
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@ -21,13 +21,46 @@ let
  '';
  mailboxes = {
-    wireguard = [ "wireguard@lists.zx2c4" ];
+    c-base = [ "to:c-base.org" ];
-    c-base = [ "c-base.org" ];
+    coins = [
-    security = [ "seclists.org" "security" "bugtraq" ];
+      "to:btce@lassul.us"
-    nix-devel = [ "nix-devel@googlegroups.com" ];
+      "to:coinbase@lassul.us"
-    shack = [ "shackspace.de" ];
+      "to:polo@lassul.us"
      "to:bitwala@lassul.us"
      "to:payeer@lassul.us"
      "to:gatehub@lassul.us"
      "to:bitfinex@lassul.us"
      "to:binance@lassul.us"
      "to:bitcoin.de@lassul.us"
      "to:robinhood@lassul.us"
    ];
    dezentrale = [ "to:dezentrale.space" ];
    dhl = [ "to:dhl@lassul.us" ];
    github = [ "to:github@lassul.us" ];
    gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
    kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
    nix-devel = [ "to:nix-devel@googlegroups.com" ];
    patreon = [ "to:patreon@lassul.us" ];
    paypal = [ "to:paypal@lassul.us" ];
    ptl = [ "to:ptl@posttenebraslab.ch" ];
    retiolum = [ "to:lass@mors.r" ];
    security = [ "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us" ];
    shack = [ "to:shackspace.de" ];
    steam = [ "to:steam@lassul.us" ];
    tinc = [ "to:tinc@tinc-vpn.org" "to:tinc-devel@tinc-vpn.org" ];
    wireguard = [ "to:wireguard@lists.zx2c4" ];
    zzz = [ "to:pizza@lassul.us" "to:spam@krebsco.de" ];
  };
  tag-new-mails = pkgs.writeDashBin "nm-tag-init" ''
    ${pkgs.notmuch}/bin/notmuch new
    ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)}
  '';
  tag-old-mails = pkgs.writeDashBin "nm-tag-old" ''
    ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox -archive +${i.name} -- ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)}
  '';
  muttrc = pkgs.writeText "muttrc" ''
    # gpg
    source ${pkgs.neomutt}/share/doc/mutt/samples/gpg.rc
@ -80,16 +113,15 @@ let
      # V
    ''} %r |"
-    virtual-mailboxes \
+    virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox"
-      "Unread" "notmuch://?query=tag:unread"\
+    virtual-mailboxes "Unread" "notmuch://?query=tag:unread"
-      "INBOX" "notmuch://?query=tag:inbox ${concatMapStringsSep " " (f: "and NOT to:${f}") (flatten (attrValues mailboxes))}"\
+    ${concatMapStringsSep "\n" (i: ''${"  "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (mapAttrsToList nameValuePair mailboxes)}
-    ${concatMapStringsSep "\n" (i: ''${"  "}"${i.name}" "notmuch://?query=${concatMapStringsSep " or " (f: "to:${f}") i.value}"\'') (mapAttrsToList nameValuePair mailboxes)}
+    virtual-mailboxes "TODO" "notmuch://?query=tag:TODO"
-      "BOX" "notmuch://?query=${concatMapStringsSep " and " (f: "NOT to:${f}") (flatten (attrValues mailboxes))}"\
+    virtual-mailboxes "Starred" "notmuch://?query=tag:*"
-      "TODO" "notmuch://?query=tag:TODO"\
+    virtual-mailboxes "Archive" "notmuch://?query=tag:archive"
-      "Starred" "notmuch://?query=tag:*"\
+    virtual-mailboxes "Sent" "notmuch://?query=tag:sent"
-      "Archive" "notmuch://?query=tag:archive"\
+    virtual-mailboxes "Junk" "notmuch://?query=tag:junk"
-      "Sent" "notmuch://?query=tag:sent"\
+    virtual-mailboxes "All" "notmuch://?query=*"
      "Junk" "notmuch://?query=tag:junk"
    tag-transforms "junk"     "k" \
                   "unread"   "u" \
@ -163,5 +195,7 @@ in {
    mutt
    pkgs.much
    pkgs.notmuch
    tag-new-mails
    tag-old-mails
  ];
 }
--- a/lass/2configs/minecraft.nix
+++ b/lass/2configs/minecraft.nix
@ -17,5 +17,6 @@
  krebs.iptables.tables.filter.INPUT.rules = [
    { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
    { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
    { predicate = "-p tcp --dport 8123"; target = "ACCEPT"; }
  ];
 }
--- a/lass/2configs/network-manager.nix
+++ b/lass/2configs/network-manager.nix
@ -0,0 +1,24 @@
 { pkgs, lib, ... }:
 {
  networking.wireless.enable = lib.mkForce false;
  systemd.services.modemmanager = {
    description = "ModemManager";
    after = [ "network-manager.service" ];
    bindsTo = [ "network-manager.service" ];
    wantedBy = [ "network-manager.service" ];
    serviceConfig = {
      ExecStart = "${pkgs.modemmanager}/bin/ModemManager";
      PrivateTmp = true;
      Restart = "always";
      RestartSec = "5";
    };
  };
  networking.networkmanager.enable = true;
  users.users.mainUser = {
    extraGroups = [ "networkmanager" ];
    packages = with pkgs; [
      gnome3.gnome_keyring gnome3.dconf
    ];
  };
 }
--- a/lass/2configs/rtl-sdr.nix
+++ b/lass/2configs/rtl-sdr.nix
@ -0,0 +1,6 @@
 {
  boot.blacklistedKernelModules = [ "dvb_usb_rtl28xxu" ];
  services.udev.extraRules = ''
    SUBSYSTEM=="usb", ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="2838", GROUP="adm", MODE="0666", SYMLINK+="rtl_sdr"
  '';
 }
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@ -6,6 +6,9 @@ let
    environment.systemPackages = [
      (hiPrio vim)
      pkgs.python35Packages.flake8
      (pkgs.writeDashBin "govet" ''
        go vet "$@"
      '')
    ];
    environment.etc.vimrc.source = vimrc;
@ -68,6 +71,9 @@ let
    let g:syntastic_python_checkers=['flake8']
    let g:syntastic_python_flake8_post_args='--ignore=E501'
    let g:go_metalinter_autosave = 1
    let g:go_metalinter_deadline = "10s"
    nmap <esc>q :buffer 
    nmap <M-q> :buffer 
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@ -32,7 +32,6 @@ rec {
    let
      domain = head domains;
    in {
      services.phpfpm.phpPackage = pkgs.php56;
      services.nginx.virtualHosts."${domain}" = {
        enableACME = true;
        enableSSL = true;
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@ -19,23 +19,8 @@ in {
        pkgs.wine
      ];
    };
    wine64 = {
      name = "wine64";
      description = "user for running wine in 64bit";
      home = "/home/wine64";
      useDefaultShell = true;
      extraGroups = [
        "audio"
        "video"
      ];
      createHome = true;
      packages = [
        (pkgs.wine.override { wineBuild = "wineWow"; })
      ];
    };
  };
  security.sudo.extraConfig = ''
    ${mainUser.name} ALL=(wine) NOPASSWD: ALL
    ${mainUser.name} ALL=(wine64) NOPASSWD: ALL
  '';
 }
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@ -50,16 +50,15 @@
      #enable automatic rehashing of $PATH
      zstyle ':completion:*' rehash true
      #beautiful colors
      eval $(dircolors -b ${pkgs.fetchFromGitHub {
        owner = "trapd00r";
        repo = "LS_COLORS";
        rev = "master";
        sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp";
      }}/LS_COLORS)
      #beautiful colors
      alias ls='ls --color'
-      # zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}
+      zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}
      #emacs bindings
      bindkey "[7~" beginning-of-line
@ -109,7 +108,7 @@
      fi
      #check if in nix shell
-      if test -n "$buildInputs"; then
+      if test -n "$IN_NIX_SHELL"; then
        p_nixshell='%F{green}[s]%f '
        t_nixshell='[s] '
      else
--- a/lass/3modules/xserver/default.nix
+++ b/lass/3modules/xserver/default.nix
@ -33,6 +33,11 @@ let
        XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
          ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
          ${xcfg.displayManager.sessionCommands}
          if test -z "$DBUS_SESSION_BUS_ADDRESS"; then
            exec ${pkgs.dbus.dbus-launch} --exit-with-session "$0" ""
          fi
          export DBUS_SESSION_BUS_ADDRESS
          ${config.systemd.package}/bin/systemctl --user import-environment DISPLAY DBUS_SESSION_BUS_ADDRESS
          wait
        '';
@ -74,6 +79,7 @@ let
          "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
          (optional (xcfg.dpi != null) "-dpi ${toString xcfg.dpi}")
        ];
        User = user.name;
      };
    };
    krebs.xresources.resources.dpi = ''
--- a/lass/5pkgs/custom/xmonad-lass/default.nix
+++ b/lass/5pkgs/custom/xmonad-lass/default.nix
@ -23,6 +23,7 @@ import XMonad
 import qualified XMonad.StackSet as W
 import Control.Monad.Extra (whenJustM)
 import Data.List (isInfixOf)
 import Data.Monoid (Endo)
 import System.Environment (getArgs, lookupEnv)
 import System.Posix.Process (executeFile)
 import XMonad.Actions.CopyWindow (copy, kill1)
@ -36,7 +37,7 @@ import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
 import XMonad.Hooks.Place (placeHook, smart)
 import XMonad.Hooks.UrgencyHook (focusUrgent)
-import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
+import XMonad.Hooks.UrgencyHook (withUrgencyHook, UrgencyHook(..))
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
@ -44,9 +45,20 @@ import XMonad.Layout.SimplestFloat (simplestFloat)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
 import XMonad.Util.NamedWindows (getName)
 import XMonad.Util.Run (safeSpawn)
 import XMonad.Stockholm.Shutdown
 data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show)
 instance UrgencyHook LibNotifyUrgencyHook where
    urgencyHook LibNotifyUrgencyHook w = do
        name     <- getName w
        Just idx <- fmap (W.findTag w) $ gets windowset
        safeSpawn "${pkgs.libnotify}/bin/notify-send" [show name, "workspace " ++ idx]
 myTerm :: FilePath
 myTerm = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtc"
@ -61,7 +73,7 @@ main = getArgs >>= \case
 main' :: IO ()
 main' = do
    xmonad $ ewmh
-        $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
+        $ withUrgencyHook LibNotifyUrgencyHook
        $ def
            { terminal           = myTerm
            , modMask            = mod4Mask
@ -80,11 +92,12 @@ myLayoutHook = defLayout
  where
    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat)
 floatHooks :: Query (Endo WindowSet)
 floatHooks = composeAll . concat $
    [ [ title =? t --> doFloat | t <- myTitleFloats]
    , [ className =? c --> doFloat | c <- myClassFloats ] ]
  where
-      myTitleFloats = [] -- for the KDE "open link" popup from konsole
+      myTitleFloats = []
      myClassFloats = ["Pinentry"] -- for gpg passphrase entry
@ -130,12 +143,21 @@ myKeyMap =
    , ("M4-d", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
    , ("M4-<F4>", spawn "${pkgs.writeDash "nm-dmenu" ''
      export PATH=$PATH:${pkgs.dmenu}/bin:${pkgs.networkmanagerapplet}/bin
      exec ${pkgs.networkmanager_dmenu}/bin/networkmanager_dmenu "$@"
    ''}")
    , ("M4-<F5>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
    , ("M4-<F6>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
    , ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
    , ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
    , ("<Pause>", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter")
    --, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView))
    --, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView))
    --, ("M4-r", screenWorkspace 2 >>= (windows . W.greedyView))
    ]
 forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@ -1,40 +1,39 @@
-{ config, pkgs, ... }@args:
+with import <stockholm/lib>;
 self: super: let
-{
+  # This callPackage will try to detect obsolete overrides.
-  nixpkgs.config.packageOverrides = rec {
+  callPackage = path: args: let
-    acronym = pkgs.callPackage ./acronym/default.nix {};
+    override =  super.callPackage path args;
-    dpass = pkgs.callPackage ./dpass {};
+    upstream = optionalAttrs (override ? "name")
-    firefoxPlugins = {
+      (super.${(parseDrvName override.name).name} or {});
-      noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
+  in if upstream ? "name" &&
-      ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
+        override ? "name" &&
-      vimperator = pkgs.callPackage ./firefoxPlugins/vimperator.nix {};
+        compareVersions upstream.name override.name != -1
-    };
+    then
-    init = pkgs.callPackage ./init/default.nix args;
+      trace
-    logify = pkgs.callPackage ./logify/default.nix {};
+        "Upstream `${upstream.name}' gets overridden by `${override.name}'."
-    mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {};
+        override
-    mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {};
+    else override;
    pop = pkgs.callPackage ./pop/default.nix {};
    q = pkgs.callPackage ./q {};
    rs = pkgs.callPackage ./rs/default.nix {};
    urban = pkgs.callPackage ./urban/default.nix {};
    xml2json = pkgs.callPackage ./xml2json/default.nix {};
    xmonad-lass = import ./xmonad-lass.nix { inherit config pkgs; };
    yt-next = pkgs.callPackage ./yt-next/default.nix {};
-    bank = pkgs.writeDashBin "bank" ''
+   subdirsOf = path:
     mapAttrs (name: _: path + "/${name}")
              (filterAttrs (_: eq "directory") (readDir path));
 in {
    bank = self.writeDashBin "bank" ''
      tmp=$(mktemp)
-      ${pkgs.pass}/bin/pass show hledger > $tmp
+      ${self.pass}/bin/pass show hledger > $tmp
-      ${pkgs.hledger}/bin/hledger --file=$tmp "$@"
+      ${self.hledger}/bin/hledger --file=$tmp "$@"
-      ${pkgs.pass}/bin/pass show hledger | if ${pkgs.diffutils}/bin/diff $tmp -; then
+      ${self.pass}/bin/pass show hledger | if ${self.diffutils}/bin/diff $tmp -; then
        exit 0
      else
-        ${pkgs.coreutils}/bin/cat $tmp | ${pkgs.pass}/bin/pass insert -m hledger
+        ${self.coreutils}/bin/cat $tmp | ${self.pass}/bin/pass insert -m hledger
      fi
-      ${pkgs.coreutils}/bin/rm $tmp
+      ${self.coreutils}/bin/rm $tmp
    '';
-    screengrab = pkgs.writeDashBin "screengrab" ''
+    rtl8814au = callPackage ./custom/rtl8814au { kernel = self.linux; };
      resolution="$(${pkgs.xorg.xrandr}/bin/xrandr | ${pkgs.gnugrep}/bin/grep '*' | ${pkgs.gawk}/bin/awk '{print $1}')"
      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :${toString config.services.xserver.display} -s $resolution -c:v huffyuv $1
    '';
  };
 }
 // mapAttrs (_: flip callPackage {})
            (filterAttrs (_: dir: pathExists (dir + "/default.nix"))
                         (subdirsOf ./.))
--- a/lass/5pkgs/xephyrify/default.nix
+++ b/lass/5pkgs/xephyrify/default.nix
@ -0,0 +1,42 @@
 { writeDashBin, writeHaskell, coreutils, xorg, virtualgl, ... }:
 let
  minimalXmonad = writeHaskell "minimalXmonad" {
    executables.xmonad = {
      extra-depends = [
        "containers"
        "xmonad"
      ];
      text = /* haskell */ ''
        module Main where
        import XMonad
        import qualified Data.Map as Map
        main :: IO ()
        main = do
          xmonad def
            { workspaces = [ "1" ]
            , layoutHook = myLayoutHook
            , keys = myKeys
            , normalBorderColor  = "#000000"
            , focusedBorderColor = "#000000"
            }
        myLayoutHook = Full
        myKeys _ = Map.fromList []
      '';
    };
  };
 in writeDashBin "xephyrify" ''
  NDISPLAY=:$(${coreutils}/bin/shuf -i 100-65536 -n 1)
  echo "using DISPLAY $NDISPLAY"
  ${xorg.xorgserver}/bin/Xephyr -br -ac -reset -terminate -resizeable $NDISPLAY &
  XEPHYR_PID=$!
  DISPLAY=$NDISPLAY ${minimalXmonad}/bin/xmonad &
  XMONAD_PID=$!
  DISPLAY=$NDISPLAY ${virtualgl}/bin/vglrun "$@"
  kill $XMONAD_PID
  kill $XEPHYR_PID
 ''
--- a/lass/default.nix
+++ b/lass/default.nix
@ -1,9 +1,9 @@
-_:
+{ pkgs, ... }:
 {
  imports = [
    ../krebs
    ./2configs
    ./3modules
    ./5pkgs
  ];
  nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
 }
--- a/lass/source.nix
+++ b/lass/source.nix
@ -4,6 +4,11 @@ host@{ name, secure ? false, override ? {} }: let
              then "buildbot"
              else "lass";
  _file = <stockholm> + "/lass/1systems/${name}/source.nix";
  pkgs = import <nixpkgs> {
    overlays = map import [
      <stockholm/krebs/5pkgs>
    ];
  };
 in
  evalSource (toString _file) [
    {
@ -17,6 +22,7 @@ in
        };
      };
      stockholm.file = toString <stockholm>;
      stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
    }
    override
  ]
--- a/lib/types.nix
+++ b/lib/types.nix
@ -2,7 +2,7 @@
 let
  inherit (lib)
-    all any concatMapStringsSep concatStringsSep const filter flip
+    all any attrNames concatMapStringsSep concatStringsSep const filter flip
    genid hasSuffix head isInt isString length mergeOneOption mkOption
    mkOptionType optional optionalAttrs optionals range splitString
    stringLength substring test testString typeOf;
@ -231,90 +231,93 @@ rec {
  source = submodule ({ config, ... }: {
    options = {
      type = let
-        types = [
+        known-types = attrNames source-types;
-          "file"
+        type-candidates = filter (k: config.${k} != null) known-types;
          "git"
          "pass"
          "symlink"
        ];
      in mkOption {
-        type = enum types;
+        default = if length type-candidates == 1
-        default = let
+                    then head type-candidates
-          cands = filter (k: config.${k} != null) types;
+                    else throw "cannot determine type";
-        in
+        type = enum known-types;
          if length cands == 1
            then head cands
            else throw "cannot determine type";
      };
-      file = let
+      file = mkOption {
        file-path = (file-source.getSubOptions "FIXME").path.type;
      in mkOption {
        type = nullOr (either file-source file-path);
        default = null;
        apply = x:
-          if file-path.check x
+          if absolute-pathname.check x
            then { path = x; }
            else x;
        default = null;
        type = nullOr (either absolute-pathname source-types.file);
      };
      git = mkOption {
        type = nullOr git-source;
        default = null;
        type = nullOr source-types.git;
      };
      pass = mkOption {
        type = nullOr pass-source;
        default = null;
        type = nullOr source-types.pass;
      };
-      symlink = let
+      pipe = mkOption {
-        symlink-target = (symlink-source.getSubOptions "FIXME").target.type;
+        apply = x:
-      in mkOption {
+          if absolute-pathname.check x
-        type = nullOr (either symlink-source symlink-target);
+            then { command = x; }
            else x;
        default = null;
        type = nullOr (either absolute-pathname source-types.pipe);
      };
      symlink = mkOption {
        type = nullOr (either pathname source-types.symlink);
        default = null;
        apply = x:
-          if symlink-target.check x
+          if pathname.check x
            then { target = x; }
            else x;
      };
    };
  });
-  file-source = submodule {
+  source-types = {
-    options = {
+    file = submodule {
-      path = mkOption {
+      options = {
-        type = absolute-pathname;
+        path = mkOption {
          type = absolute-pathname;
        };
      };
    };
-  };
+    git = submodule {
-
+      options = {
-  git-source = submodule {
+        ref = mkOption {
-    options = {
+          type = str; # TODO types.git.ref
-      ref = mkOption {
+        };
-        type = str; # TODO types.git.ref
+        url = mkOption {
-      };
+          type = str; # TODO types.git.url
-      url = mkOption {
+        };
        type = str; # TODO types.git.url
      };
    };
-  };
+    pass = submodule {
-
+      options = {
-  pass-source = submodule {
+        dir = mkOption {
-    options = {
+          type = absolute-pathname;
-      dir = mkOption {
+        };
-        type = absolute-pathname;
+        name = mkOption {
-      };
+          type = pathname; # TODO relative-pathname
-      name = mkOption {
+        };
        type = pathname; # TODO relative-pathname
      };
    };
-  };
+    pipe = submodule {
-
+      options = {
-  symlink-source = submodule {
+        command = mkOption {
-    options = {
+          type = absolute-pathname;
-      target = mkOption {
+        };
-        type = pathname; # TODO relative-pathname
+      };
    };
    symlink = submodule {
      options = {
        target = mkOption {
          type = pathname; # TODO relative-pathname
        };
      };
    };
  };
  };
  suffixed-str = suffs:
    mkOptionType {
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@ -148,6 +148,11 @@ in {
            allowedIPs = [ "10.244.0.5/32" ];
            publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
          }
          {
            # workr
            allowedIPs = [ "10.244.0.6/32" ];
            publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
          }
          ];
        };
      }
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@ -19,22 +19,24 @@ let
  # __FRONT_
  # |* d0   |
  # |       |
-  # |* d3   |
+  # |* d1   |
  # |       |
  # |* d3   |
  # |       |
  # |*      |
  # |* d2   |
-  # |  * r0 |
+  # |  *    |
  # |  *    |
  # |_______|
  cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
  cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
  cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
  cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4";
  # cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
  # all physical disks
  # TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
-  dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 ];
+  dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ];
  allDisks = [ rootDisk ] ++ dataDisks;
 in {
  imports =
@ -68,6 +70,8 @@ in {
      <stockholm/makefu/2configs/syncthing.nix>
      <stockholm/makefu/2configs/mqtt.nix>
      <stockholm/makefu/2configs/remote-build/slave.nix>
      <stockholm/makefu/2configs/deployment/google-muell.nix>
      <stockholm/makefu/2configs/virtualisation/docker.nix>
      # security
@ -116,7 +120,6 @@ in {
  services.sabnzbd.enable = true;
  systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
  virtualisation.docker.enable = true;
  makefu.ps3netsrv = {
    enable = true;
    servedir = "/media/cryptX/emu/ps3";
@ -126,6 +129,7 @@ in {
  makefu.snapraid = {
    enable = true;
    # TODO: 3 is not protected
    disks = map toMapper [ 0 1 ];
    parity = toMapper 2;
  };
@ -138,7 +142,7 @@ in {
  '';
  environment.systemPackages = with pkgs;[
    mergerfs # hard requirement for mount
-    wol # wake up filepimp
+    wol      # wake up filepimp
    f3
  ];
  fileSystems = let
@ -150,6 +154,7 @@ in {
  in   cryptMount "crypt0"
    // cryptMount "crypt1"
    // cryptMount "crypt2"
    // cryptMount "crypt3"
    // { "/media/cryptX" = {
            device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]);
            fsType = "mergerfs";
@ -178,6 +183,7 @@ in {
        (usbkey "crypt0" cryptDisk0)
        (usbkey "crypt1" cryptDisk1)
        (usbkey "crypt2" cryptDisk2)
        (usbkey "crypt3" cryptDisk3)
      ];
    };
    loader.grub.device = lib.mkForce rootDisk;
--- a/makefu/1systems/sdev/config.nix
+++ b/makefu/1systems/sdev/config.nix
@ -5,32 +5,35 @@
  imports =
    [ # Include the results of the hardware scan.
      <stockholm/makefu>
-      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
+
-      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
+     #  <stockholm/makefu/2configs/hw/vbox-guest.nix>
      { # until virtualbox-image is fixed
        imports = [
            <stockholm/makefu/2configs/fs/single-partition-ext4.nix>
          ];
        boot.loader.grub.device = "/dev/sda";
      }
      <stockholm/makefu/2configs/main-laptop.nix>
      # <secrets/extra-hosts.nix>
      # environment
      <stockholm/makefu/2configs/tinc/retiolum.nix>
      <stockholm/makefu/2configs/virtualisation/docker.nix>
    ];
  # workaround for https://github.com/NixOS/nixpkgs/issues/16641
  services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
  nixpkgs.config.allowUnfree = true;
  # allow sdev to deploy self
  users.extraUsers = {
    root = {
        openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
    };
  };
  # corefonts
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs;[
    ppp xclip
    get
    passwdqc-utils
    docker
    gnupg
    populate
    (pkgs.writeScriptBin "tor-browser" ''
@ -39,18 +42,11 @@
    '')
  ];
  virtualisation.docker.enable = true;
  networking.firewall.allowedTCPPorts = [
    25
    80
    8010
  ];
  fileSystems."/media/share" = {
    fsType = "vboxsf";
    device = "share";
    options = [ "rw" "uid=9001" "gid=9001" ];
  };
 }
--- a/makefu/1systems/vbob/config.nix
+++ b/makefu/1systems/vbob/config.nix
@ -8,30 +8,9 @@
      {
        imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
        boot.loader.grub.device = "/dev/sda";
        virtualisation.virtualbox.guest.enable = true;
      }
-      # {
+      # <stockholm/makefu/2configs/hw/vbox-guest.nix>
-      #   imports = [
+      # <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
      #     <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>
      #   ];
      #   virtualbox.baseImageSize = 35 * 1024;
      #   fileSystems."/media/share" = {
      #     fsType = "vboxsf";
      #     device = "share";
      #     options = [ "rw" "uid=9001" "gid=9001" ];
      #   };
      # }
      # {
      #   imports = [
      #     <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
      #   ];
      #   fileSystems."/nix" = {
      #     device ="/dev/disk/by-label/nixstore";
      #     fsType = "ext4";
      #   };
      # }
      # base gui
      # <stockholm/makefu/2configs/main-laptop.nix>
@ -75,14 +54,8 @@
    ];
  networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
  nixpkgs.config.allowUnfree = true;
  # allow vbob to deploy self
-  users.extraUsers = {
+  users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
    root = {
        openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
    };
  };
  environment.shellAliases = {
    forti  = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
@ -94,16 +67,18 @@
    ln -fs ${pkgs.ppp}/bin/pppd /usr/sbin/pppd
    ln -fs ${pkgs.coreutils}/bin/tail /usr/bin/tail
  '';
  # for forticlient
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs;[
    fortclientsslvpn ppp xclip
    get
    logstash
  #  docker
    #devpi-web
    #devpi-client
    ansible
  ];
  # virtualisation.docker.enable = true;
  networking.firewall.allowedTCPPorts = [
@ -111,6 +86,6 @@
    80
    8010
  ];
-
+  # required for qemu
  systemd.services."serial-getty@ttyS0".enable = true;
 }
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@ -18,7 +18,7 @@ in {
      <stockholm/makefu/2configs/virtualisation/libvirt.nix>
      <stockholm/makefu/2configs/tinc/retiolum.nix>
      <stockholm/makefu/2configs/mqtt.nix>
-      # <stockholm/makefu/2configs/gui/wbob-kiosk.nix>
+      <stockholm/makefu/2configs/gui/wbob-kiosk.nix>
      <stockholm/makefu/2configs/stats/client.nix>
@ -29,8 +29,69 @@ in {
      # <stockholm/makefu/2configs/vncserver.nix>
      # Services
-      <stockholm/makefu/2configs/remote-build/slave.nix>
+      <stockholm/makefu/2configs/hydra/stockholm.nix>
      <stockholm/makefu/2configs/share/wbob.nix>
      (let
        musicDirectory = "/data/music";
      in {
        services.mpd = {
          enable = true;
          inherit musicDirectory;
          # dataDir = "/home/anders/.mpd";
          network.listenAddress = "any";
          extraConfig = ''
            audio_output {
              type    "pulse"
              name    "Local MPD"
              server  "127.0.0.1"
            }
          '';
        };
        # open because of truestedInterfaces
        # networking.firewall.allowedTCPPorts = [ 6600 4713 ];
        services.samba.shares.music = {
          path = musicDirectory;
          "read only" = "no";
          browseable = "yes";
          "guest ok" = "yes";
        };
        sound.enable = true;
        hardware.pulseaudio = {
          enable = true;
          package = pkgs.pulseaudioFull;
          # systemWide = true;
          support32Bit = true;
          zeroconf.discovery.enable = true;
          zeroconf.publish.enable = true;
          tcp = {
            enable = true;
            anonymousClients.allowAll = true;
            anonymousClients.allowedIpRanges =  [ "127.0.0.1" "192.168.8.0/24" ];
          };
          configFile = pkgs.writeText "default.pa" ''
            load-module module-udev-detect
            load-module module-bluetooth-policy
            load-module module-bluetooth-discover
            load-module module-native-protocol-unix
            load-module module-always-sink
            load-module module-console-kit
            load-module module-systemd-login
            load-module module-intended-roles
            load-module module-position-event-sounds
            load-module module-filter-heuristics
            load-module module-filter-apply
            load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
            load-module module-switch-on-connect
            # may be required for "system-wide" pulse to connect to bluetooth
            #module-bluez5-device
            #module-bluez5-discover
            '';
        };
        # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio
        hardware.bluetooth.enable = true;
      })
      # Sensors
      <stockholm/makefu/2configs/stats/telegraf>
@ -147,7 +208,10 @@ in {
  boot.loader.grub.device = rootdisk;
  hardware.cpu.intel.updateMicrocode = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.kernelModules = [ "kvm-intel" ];
+
  boot.kernelModules = [ "kvm-intel"
    "snd-seq" "snd-rawmidi"
  ];
  fileSystems = {
    "/" = {
      device = rootdisk + "-part1";
@ -174,66 +238,4 @@ in {
      serverAddress = "x.r";
    };
  };
  security.wrappers.fping = {
    source = "${pkgs.fping}/bin/fping";
    setuid = true;
  };
  services.smokeping = {
    enable = true;
    targetConfig = ''
      probe = FPing
      menu = Top
      title = Network Latency Grapher
      remark = Welcome to this SmokePing website.
      + network
      menu = Net latency
      title = Network latency (ICMP pings)
      ++ google
      probe = FPing
      host = google.de
      ++ webde
      probe = FPing
      host = web.de
      + services
      menu = Service latency
      title = Service latency (DNS, HTTP)
      ++ HTTP
      menu = HTTP latency
      title = Service latency (HTTP)
      +++ webdeping
      probe = EchoPingHttp
      host = web.de
      +++ googwebping
      probe = EchoPingHttp
      host = google.de
      #+++ webwww
      #probe = Curl
      #host = web.de
      #+++ googwebwww
      #probe = Curl
      #host = google.de
    '';
    probeConfig = ''
       + FPing
       binary = /run/wrappers/bin/fping
       + EchoPingHttp
       pings = 5
       url = /
       #+ Curl
       ## probe-specific variables
       #binary = ${pkgs.curl}/bin/curl
       #step = 60
       ## a default for this target-specific variable
       #urlformat = http://%host%/
    '';
  };
 }
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@ -40,7 +40,7 @@ with import <stockholm/lib>;
      # Virtualization
      <stockholm/makefu/2configs/virtualisation/libvirt.nix>
      <stockholm/makefu/2configs/virtualisation/docker.nix>
-      <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
+      # <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
      {
        networking.firewall.allowedTCPPorts = [ 8080 ];
        networking.nat = {
@ -59,8 +59,9 @@ with import <stockholm/lib>;
      # Hardware
      <stockholm/makefu/2configs/hw/tp-x230.nix>
-      <stockholm/makefu/2configs/hw/rtl8812au.nix>
+      # <stockholm/makefu/2configs/hw/tpm.nix>
-      <stockholm/makefu/2configs/hw/wwan.nix>
+      # <stockholm/makefu/2configs/hw/rtl8812au.nix>
      <stockholm/makefu/2configs/hw/network-manager.nix>
      <stockholm/makefu/2configs/hw/stk1160.nix>
      # <stockholm/makefu/2configs/rad1o.nix>
@ -77,18 +78,82 @@ with import <stockholm/lib>;
      # <stockholm/makefu/2configs/lanparty/lancache-dns.nix>
      # <stockholm/makefu/2configs/lanparty/samba.nix>
      # <stockholm/makefu/2configs/lanparty/mumble-server.nix>
      # <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
      {
        networking.wireguard.interfaces.wg0 = {
          ips = [ "10.244.0.2/24" ];
          privateKeyFile = (toString <secrets>) + "/wireguard.key";
          allowedIPsAsRoutes = true;
          peers = [
          {
            # gum
            endpoint = "${config.krebs.hosts.gum.nets.internet.ip4.addr}:51820";
            allowedIPs = [ "10.244.0.0/24" ];
            publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
          }
          #{
          #  # vbob
          #  allowedIPs = [ "10.244.0.3/32" ];
          #  publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
          #}
          ];
        };
      }
      { # bluetooth+pulse config
        # for blueman-applet
        users.users.makefu.packages = [
          pkgs.blueman
        ];
        hardware.pulseaudio = {
          enable = true;
          package = pkgs.pulseaudioFull;
          # systemWide = true;
          support32Bit = true;
          configFile = pkgs.writeText "default.pa" ''
            load-module module-udev-detect
            load-module module-bluetooth-policy
            load-module module-bluetooth-discover
            load-module module-native-protocol-unix
            load-module module-always-sink
            load-module module-console-kit
            load-module module-systemd-login
            load-module module-intended-roles
            load-module module-position-event-sounds
            load-module module-filter-heuristics
            load-module module-filter-apply
            load-module module-switch-on-connect
            '';
        };
        # presumably a2dp Sink
        # Enable profile:
        ## pacmd set-card-profile "$(pactl list cards short | egrep -o bluez_card[[:alnum:]._]+)" a2dp_sink
        hardware.bluetooth.extraConfig = '';
          [general]
          Enable=Source,Sink,Media,Socket
        '';
        # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio
        hardware.bluetooth.enable = true;
      }
      { # auto-mounting
        services.udisks2.enable = true;
        services.devmon.enable = true;
        # services.gnome3.gvfs.enable = true;
        users.users.makefu.packages = with pkgs;[
          gvfs pcmanfm lxmenu-data
        ];
        environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ];
      }
    ];
  makefu.server.primary-itf = "wlp3s0";
  makefu.full-populate = true;
  makefu.umts.apn = "web.vodafone.de";
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = [ pkgs.passwdqc-utils ];
  # configure pulseAudio to provide a HDMI sink as well
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ];
@ -100,8 +165,15 @@ with import <stockholm/lib>;
  krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
  networking.extraHosts = ''
-    192.168.1.11 omo.local
+    192.168.1.11  omo.local
  '';
  # hard dependency because otherwise the device will not be unlocked
  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
  nix.package = pkgs.nixUnstable;
  environment.systemPackages = [ pkgs.passwdqc-utils pkgs.nixUnstable ];
  nixpkgs.overlays = [ (import <python/overlay.nix>) ];
  # environment.variables = { GOROOT = [ "${pkgs.go.out}/share/go" ]; };
 }
--- a/makefu/2configs/deployment/google-muell.nix
+++ b/makefu/2configs/deployment/google-muell.nix
@ -0,0 +1,34 @@
 { config, lib, pkgs, buildPythonPackage, ... }:
 with import <stockholm/lib>;
 let
  pkg = pkgs.ampel;
  home = "/var/lib/ampel";
  sec = "${toString <secrets>}/google-muell.json";
  ampelsec = "${home}/google-muell.json";
  esp = "192.168.1.23";
  sleepval = "1800";
 in {
  users.users.ampel = {
    uid = genid "ampel";
    createHome = true;
    isSystemUser = true;
    inherit home;
  };
  systemd.services.google-muell-ampel = {
    description = "Send led change to rgb cubes";
    after = [ "network-online.target"  ];
    wantedBy = [ "multi-user.target"  ];
    serviceConfig = {
      User = "ampel";
      ExecStartPre = pkgs.writeDash "copy-ampel-secrets" ''
        cp ${sec} ${ampelsec}
        chown ampel ${ampelsec}
      '';
      ExecStart = "${pkg}/bin/google-muell --esp=${esp} --client-secrets=${ampelsec} --credential-path=${home}/google-muell-creds.json --sleepval=${sleepval}";
      PermissionsStartOnly = true;
      Restart = "always";
      RestartSec = 10;
      PrivateTmp = true;
    };
  };
 }
--- a/makefu/2configs/deployment/led-fader.nix
+++ b/makefu/2configs/deployment/led-fader.nix
@ -2,25 +2,7 @@
 let
  mq = "192.168.8.11";
-
+  pkg = pkgs.ampel;
  pkg = pkgs.python3Packages.buildPythonPackage {
    name = "ampel-master";
    src = pkgs.fetchgit {
      url = "http://cgit.euer.krebsco.de/ampel";
      rev = "531741b";
      sha256 = "110yij53jz074zbswylbzcd8jy7z49r9fg6i3j1gk2y3vl91g81c";
    };
    propagatedBuildInputs = with pkgs.python3Packages; [
        docopt
        paho-mqtt
        requests
        pytz
        influxdb
        httplib2
        google_api_python_client
    ];
  };
 in {
  systemd.services.led-fader  = {
    description = "Send led change to message queue";
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@ -1,6 +1,18 @@
 { lib, pkgs, config, ... }:
 with lib;
 # imperative in config.php:
 # #local memcache:
 #     'memcache.local' => '\\OC\\Memcache\\APCu',
 # #local locking:
 #     'memcache.locking' => '\\OC\\Memcache\\Redis',
 #     'redis' =>
 #      array (
 #       'host' => 'localhost',
 #       'port' => 6379,
 #      ),
 let
  # TODO: copy-paste from lass/2/websites/util.nix
  serveCloud = domains:
@ -124,20 +136,48 @@ let
        env[PATH] = ${lib.makeBinPath [ pkgs.php ]}
        catch_workers_output = yes
      '';
      services.phpfpm.phpOptions = ''
        opcache.enable=1
        opcache.enable_cli=1
        opcache.interned_strings_buffer=8
        opcache.max_accelerated_files=10000
        opcache.memory_consumption=128
        opcache.save_comments=1
        opcache.revalidate_freq=1
        display_errors = on
        display_startup_errors = on
        always_populate_raw_post_data = -1
        error_reporting = E_ALL | E_STRICT
        html_errors = On
        date.timezone = "Europe/Berlin"
        # extension=${pkgs.phpPackages.memcached}/lib/php/extensions/memcached.so
        extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
        extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
      '';
    };
 in  {
  imports = [
    ( serveCloud [ "o.euer.krebsco.de" ] )
  ];
-  services.mysql = { # TODO: currently nextcloud uses sqlite
+  services.redis.enable = true;
  services.mysql = {
    enable = false;
    package = pkgs.mariadb;
    rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
-  };
+    initialDatabases = [
-  services.mysqlBackup = {
+      # Or use writeText instead of literalExample?
-    enable = false;
+      #{ name = "nextcloud"; schema = literalExample "./nextcloud.sql"; }
-    databases = [ "nextcloud" ];
+      {
        name = "nextcloud";
        schema = pkgs.writeText "nextcloud.sql"
        ''
        create user if not exists 'nextcloud'@'localhost' identified by 'password';
        grant all privileges on nextcloud.* to 'nextcloud'@'localhost' identified by 'password';
        '';
      }
    ];
  };
  # dataDir is only defined after mysql is enabled
  # krebs.secret.files.mysql_rootPassword = {
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@ -28,6 +28,7 @@ let
    init-stockholm = {
      cgit.desc = "Init stuff for stockholm";
    };
    hydra-stockholm = { };
  };
  priv-repos = mapAttrs make-priv-repo {
--- a/makefu/2configs/gui/base.nix
+++ b/makefu/2configs/gui/base.nix
@ -48,13 +48,14 @@ in
    fonts = [ pkgs.terminus_font ];
  };
-  environment.systemPackages = with pkgs;[
+  users.users.${mainUser} = {
-    pavucontrol
+    extraGroups = [ "audio" ];
-    xlockmore
+    packages = with pkgs;[
-    rxvt_unicode-with-plugins
+      pavucontrol
-    firefox
+      xlockmore
-  ];
+      rxvt_unicode-with-plugins
-  users.extraUsers.${mainUser}.extraGroups = [ "audio" ];
+    ];
  };
  hardware.pulseaudio = {
     enable = true;
--- a/makefu/2configs/gui/wbob-kiosk.nix
+++ b/makefu/2configs/gui/wbob-kiosk.nix
@ -1,11 +1,13 @@
-{ lib, ... }:
+{ pkgs, lib, ... }:
 {
  imports = [
      ./base.nix
  ];
  users.users.makefu.packages = [ pkgs.chromium ];
  services.xserver = {
    layout = lib.mkForce "de";
    xkbVariant = lib.mkForce "";
    windowManager = lib.mkForce {
      awesome.enable = false;
@ -16,7 +18,7 @@
    # xrandrHeads = [ "HDMI1" "HDMI2" ];
    # prevent screen from turning off, disable dpms
    displayManager.sessionCommands = ''
-      xset s off -dpms
+      xset -display :0 s off -dpms
      xrandr --output HDMI2 --right-of HDMI1
    '';
  };
--- a/makefu/2configs/hw/network-manager.nix
+++ b/makefu/2configs/hw/network-manager.nix
@ -0,0 +1,37 @@
 { pkgs, lib, ... }:
 {
  users.users.makefu = {
    extraGroups = [ "networkmanager" ];
    packages = with pkgs;[
      networkmanagerapplet
      gnome3.gnome_keyring gnome3.dconf
    ];
  };
  networking.wireless.enable = lib.mkForce false;
  systemd.services.modemmanager = {
    description = "ModemManager";
    after = [ "network-manager.service" ];
    bindsTo = [ "network-manager.service" ];
    wantedBy = [ "network-manager.service" ];
    serviceConfig = {
      ExecStart = "${pkgs.modemmanager}/bin/ModemManager";
      PrivateTmp = true;
      Restart = "always";
      RestartSec = "5";
    };
  };
  networking.networkmanager.enable = true;
  # TODO: put somewhere else
  services.xserver.displayManager.sessionCommands = ''
    ${pkgs.clipit}/bin/clipit &
    ${pkgs.networkmanagerapplet}/bin/nm-applet &
    '';
 # nixOSUnstable
 # networking.networkmanager.wifi = {
 #   powersave = true;
 #   scanRandMacAddress = true;
 # };
 }
--- a/makefu/2configs/hw/vbox-guest.nix
+++ b/makefu/2configs/hw/vbox-guest.nix
@ -0,0 +1,16 @@
 { lib, ...}:
 {
  ## Guest Extensions are currently broken
  imports = [
    (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
  ];
  virtualisation.virtualbox.guest.enable = true;
  services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
  fileSystems."/media/share" = {
    fsType = "vboxsf";
    device = "share";
    options = [ "rw" "uid=9001" "gid=9001" "nofail" ];
  };
  # virtualbox.baseImageSize = 35 * 1024;
 }
--- a/makefu/2configs/hw/wwan.nix
+++ b/makefu/2configs/hw/wwan.nix
@ -1,8 +0,0 @@
 _:
 {
  makefu.umts = {
    enable = true;
    modem-device = "/dev/serial/by-id/usb-Lenovo_H5321_gw_2D5A51BA0D3C3A90-if01";
  };
 }
--- a/makefu/2configs/hydra/stockholm.nix
+++ b/makefu/2configs/hydra/stockholm.nix
@ -0,0 +1,34 @@
 # iterative:
 # $ hydra-create-user krebs --password derp --role admin
 # curl 'http://hydra.wbob.r/project/.new' -X PUT -H 'Host: hydra.wbob.r' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Cookie: redirect_to=%252F; hydra_session=abcdefghijklmnopqrstuvwxyz' -H 'Connection: keep-alive' --data 'enabled=on&visible=on&name=stockholm&displayname=Stockholm&description=make+all+systems+into+1systems&homepage=https%3A%2F%2Fkrebsco.de&owner=krebs&declfile=spec.json&decltype=git&declvalue=http%3A%2F%2Fcgit.euer.krebsco.de%2Fhydra-stockholm'
 {
  # TODO postgres backup
  services.postgresql.enable = true;
  services.hydra = {
    enable = true;
    hydraURL = "http://hydra.wbob.r"; # externally visible URL
    notificationSender = "hydra@wbob.r";
    # you will probably also want, otherwise *everything* will be built from scratch
    useSubstitutes = true;
    port = 3030;
    buildMachinesFiles = [];
  };
  networking.firewall.allowedTCPPorts = [ 80 ];
  services.nginx = {
    enable = true;
    virtualHosts."hydra.wbob.r" = {
      locations."/" =  {
        proxyPass = "http://localhost:3030/";
        extraConfig = ''
          proxy_set_header   Host $host;
          proxy_set_header   X-Real-IP          $remote_addr;
          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        '';
      };
    };
  };
 }
--- a/makefu/2configs/tools/mobility.nix
+++ b/makefu/2configs/tools/mobility.nix
@ -5,5 +5,5 @@
    mosh
  ];
-  # boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
+  boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
 }
--- a/makefu/2configs/tools/studio.nix
+++ b/makefu/2configs/tools/studio.nix
@ -9,8 +9,8 @@
    # owncloudclient
    (pkgs.writeScriptBin "prepare-pulseaudio" ''
      pactl load-module module-null-sink sink_name=stream sink_properties=device.description="Streaming"
-      pactl load-module module-loopback source=alsa_output.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo.monitor sink=stream latency_msec=1
+      pactl load-module module-loopback source=alsa_output.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo.monitor sink=stream
-      pactl load-module module-loopback source=alsa_input.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo sink=stream latency_msec=1
+      pactl load-module module-loopback source=alsa_input.usb-Burr-Brown_from_TI_USB_Audio_CODEC-00.analog-stereo sink=stream
      darkice -c ~/lol.conf
    '')
  ];
--- a/makefu/2configs/urlwatch/default.nix
+++ b/makefu/2configs/urlwatch/default.nix
@ -34,7 +34,7 @@ in {
      http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
      http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
-      https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
+
      http://www.iozone.org/src/current/
      {
@ -51,6 +51,8 @@ in {
      "embray/d2to1"
      "dorimanx/exfat-nofuse"
      "rapid7/metasploit-framework"
      "GothenburgBitFactory/taskserver"
      "GothenburgBitFactory/taskwarrior"
    ];
  };
 }
--- a/makefu/3modules/awesome-extra.nix
+++ b/makefu/3modules/awesome-extra.nix
@ -29,15 +29,7 @@ let
    nixpkgs.config.packageOverrides = pkgs: rec {
      awesome = pkgs.stdenv.lib.overrideDerivation pkgs.awesome (oldAttrs : {
          postFixup = let
-            rclua = pkgs.substituteAll {
+            rclua = cfg.baseConfig.override { inherit (cfg) modkey; };
              src = cfg.baseConfig;
              modkey = cfg.modkey;
              # inherit (cfg) modkey;
              amixer = "${pkgs.alsaUtils}/bin/amixer";
              xlock = "${pkgs.xlockmore}/bin/xlock";
              xbacklight = "${pkgs.xorg.xbacklight}/bin/xbacklight";
            };
          in "cp ${rclua}  $out/etc/xdg/awesome/rc.lua";
      });
    };
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@ -14,8 +14,6 @@ _:
    ./snapraid.nix
    ./torrent.nix
    ./udpt.nix
    ./umts.nix
    ./wvdial.nix
  ];
 }
--- a/makefu/3modules/umts.nix
+++ b/makefu/3modules/umts.nix
@ -1,84 +0,0 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
 let
  nixpkgs-1509 = import (pkgs.fetchFromGitHub {
    owner = "NixOS"; repo = "nixpkgs-channels";
    rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
    sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
  }) {};
  wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
  # TODO: currently it is only netzclub
  umts-bin = pkgs.writeScriptBin "umts" ''
    #!/bin/sh
    set -euf
    systemctl start umts
    trap "systemctl stop umts;trap - INT TERM EXIT;exit" INT TERM EXIT
    echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
    journalctl -xfu umts
  '';
  wvdial-defaults = ''
    Phone = *99***1#
    Dial Command = ATDT
    Modem = ${cfg.modem-device}
    Baud = 460800
    Init1 = AT+CGDCONT=1,"IP","${config.makefu.umts.apn}","",0,0
    Init2 = ATZ
    Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
    ISDN = 0
    Modem Type = Analog Modem
    Username = netzclub
    Password = netzclub
    Stupid Mode = 1
    Idle Seconds = 0'';
  cfg = config.makefu.umts;
  out = {
    options.makefu.umts = api;
    config = lib.mkIf cfg.enable imp;
  };
  api = {
    enable = mkEnableOption "umts";
    modem-device = mkOption {
      default = "/dev/ttyUSB0";
      type = types.str;
      description = ''
        path to modem device, use <filename>/dev/serial/by-id/...</filename>
        to avoid race conditions.
      '';
    };
    apn = mkOption {
      default = "pinternet.interkom.de";
      type = types.str;
      description = ''
        apn to use for dailing
      '';
    };
  };
  imp = {
    environment.shellAliases = {
      umts = "sudo ${umts-bin}/bin/umts";
    };
    environment.systemPackages = [ ];
    environment.wvdial.dialerDefaults = wvdial-defaults;
    systemd.services.umts = {
      description = "UMTS wvdial Service";
      serviceConfig = {
        Type = "simple";
        Restart = "always";
        RestartSec = "10s";
        ExecStart = "${wvdial}/bin/wvdial -n";
      };
    };
  };
 in out
--- a/makefu/3modules/wvdial.nix
+++ b/makefu/3modules/wvdial.nix
@ -1,71 +0,0 @@
 # Global configuration for wvdial.
 { config, lib, pkgs, ... }:
 with lib;
 let
  configFile = ''
    [Dialer Defaults]
    PPPD PATH = ${pkgs.ppp}/sbin/pppd
    ${config.environment.wvdial.dialerDefaults}
  '';
  cfg = config.environment.wvdial;
 in
 {
  ###### interface
  options = {
    environment.wvdial = {
      dialerDefaults = mkOption {
        default = "";
        type = types.str;
        example = ''Init1 = AT+CGDCONT=1,"IP","internet.t-mobile"'';
        description = ''
          Contents of the "Dialer Defaults" section of
          <filename>/etc/wvdial.conf</filename>.
        '';
      };
      pppDefaults = mkOption {
        default = ''
          noipdefault
          usepeerdns
          defaultroute
          persist
          noauth
        '';
        type = types.str;
        description = "Default ppp settings for wvdial.";
      };
    };
  };
  ###### implementation
  config = mkIf (cfg.dialerDefaults != "") {
    environment = {
      etc =
      [
        { source = pkgs.writeText "wvdial.conf" configFile;
          target = "wvdial.conf";
        }
        { source = pkgs.writeText "wvdial" cfg.pppDefaults;
          target = "ppp/peers/wvdial";
        }
      ];
    };
  };
 }
--- a/makefu/5pkgs/ampel/default.nix
+++ b/makefu/5pkgs/ampel/default.nix
@ -0,0 +1,27 @@
 { lib, pkgs, fetchFromGitHub, ... }:
 with pkgs.python3Packages;buildPythonPackage rec {
  name = "ampel-${version}";
  version = "0.2";
  propagatedBuildInputs = [
    docopt
    paho-mqtt
    requests
    pytz
    influxdb
    httplib2
    google_api_python_client
  ];
  src = pkgs.fetchgit {
      url = "http://cgit.euer.krebsco.de/ampel";
      rev = "d8a0250";
      sha256 = "0n36lc17ca5db6pl6dswdqd5w9f881rfqck9yc4w33a5qpsxj85f";
  };
  meta = {
    homepage = http://cgit.euer.krebsco.de/ampel;
    description = "change colors of rgb cubes";
    license = lib.licenses.asl20;
  };
 }
--- a/makefu/5pkgs/awesomecfg/default.nix
+++ b/makefu/5pkgs/awesomecfg/default.nix
@ -1,7 +1,24 @@
-_:
+{ pkgs
 , lib
 , alsaUtils
 , xlockmore
 , xbacklight
 , modkey?"Mod4"
 , ... }:
 {
-  # replace: @amixer@ @xlock@ @xbacklight@
+  # replace: @alsaUtils@ @xlockmore@ @xbacklight@ @modkey@
-  full = ./full.cfg;
+  full = lib.makeOverridable pkgs.substituteAll {
-  kiosk = ./kiosk.lua;
+    name = "awesome_full_config";
    inherit alsaUtils xlockmore xbacklight modkey;
    isExecutable = false;
    src = ./full.cfg;
  };
  kiosk = lib.makeOverridable pkgs.substituteAll {
    name = "awesome_kiosk_config";
    inherit alsaUtils xlockmore xbacklight modkey;
    isExecutable = false;
    src = ./kiosk.lua;
  };
 }
--- a/makefu/5pkgs/awesomecfg/full.cfg
+++ b/makefu/5pkgs/awesomecfg/full.cfg
@ -365,22 +365,22 @@ globalkeys = awful.util.table.join(
              {description = "restore minimized", group = "client"}),
    awful.key({ }, "XF86MonBrightnessUp", function ()
-        awful.util.spawn("@xbacklight@ -inc 5", false) end),
+        awful.util.spawn("@xbacklight@/bin/xbacklight -inc 5", false) end),
    awful.key({ }, "XF86MonBrightnessDown", function ()
-        awful.util.spawn("@xbacklight@ -dec 5", false) end),
+        awful.util.spawn("@xbacklight@/bin/xbacklight -dec 5", false) end),
    awful.key({ }, "XF86AudioRaiseVolume", function ()
-        awful.util.spawn("@amixer@ set Master 5%+", false) end),
+        awful.util.spawn("@alsaUtils@/bin/amixer set Master 5%+", false) end),
    awful.key({ }, "XF86AudioLowerVolume", function ()
-        awful.util.spawn("@amixer@ set Master 5%-", false) end),
+        awful.util.spawn("@alsaUtils@/bin/amixer set Master 5%-", false) end),
    awful.key({ }, "XF86AudioMute", function ()
-        awful.util.spawn("@amixer@ -q -D default sset Master toggle", false) end),
+        awful.util.spawn("@alsaUtils@/bin/amixer -q -D default sset Master toggle", false) end),
    -- Prompt
    awful.key({ modkey },            "r",     function () awful.screen.focused().mypromptbox:run() end,
              {description = "run prompt", group = "launcher"}),
-    awful.key({ modkey,"Control"  }, "BackSpace",  function ()  awful.util.spawn("@xlock@ -mode blank")   end),
+    awful.key({ modkey,"Control"  }, "BackSpace",  function ()  awful.util.spawn("@xlockmore@/bin/xlock -mode blank")   end),
-    awful.key({ }, "XF86ScreenSaver",  function ()  awful.util.spawn("@xlock@ -mode blank")   end),
+    awful.key({ }, "XF86ScreenSaver",  function ()  awful.util.spawn("@xlockmore@/bin/xlock -mode blank")   end),
 		awful.key({ modkey }, "x",
 									function ()
--- a/makefu/5pkgs/custom/default.nix
+++ b/makefu/5pkgs/custom/default.nix
@ -1,3 +0,0 @@
 {}:
 {
 }
--- a/makefu/5pkgs/custom/qcma/default.nix
+++ b/makefu/5pkgs/custom/qcma/default.nix
@ -1,6 +1,9 @@
 { lib, stdenv, fetchFromGitHub, fetchgit, libusb, libtool, autoconf, pkgconfig, git,
-gettext, automake, libxml2 , qmake,
+gettext, automake, libxml2 
-qtbase, qttools, qtmultimedia, libnotify, ffmpeg, gdk_pixbuf }:
+, autoreconfHook
 , qmake4Hook
 , qmake
 , qtbase, qttools, qtmultimedia, libnotify, ffmpeg, gdk_pixbuf }:
 let
  libvitamtp = stdenv.mkDerivation rec {
    name = "libvitamtp-${version}";
@ -13,8 +16,8 @@ let
      sha256 = "09c9f7gqpyicfpnhrfb4r67s2hci6hh31bzmqlpds4fywv5mzaf8";
    };
-    buildInputs = [ libusb libxml2 libtool autoconf automake gettext pkgconfig ];
+    buildInputs = [ libusb libxml2 libtool autoconf automake gettext pkgconfig
-    preConfigure = "sh ./autogen.sh";
+    autoreconfHook ];
    meta = {
      description = "Content Manager Assistant for the PS Vita";
@ -26,40 +29,29 @@ let
  };
 in stdenv.mkDerivation rec {
  name = "qcma-${version}";
-  version = "0.3.13";
+  version = "8e6cafedc0f47733f33323f829624e3fc847a176";
-  src = fetchgit {
+  src = fetchFromGitHub {
-    url = "git://github.com/codestation/qcma.git";
+    owner = "codestation";
-    rev = "refs/tags/v"+version;
+    repo = "qcma";
-    leaveDotGit = true;
+    rev = version;
-    sha256 = "164abjwlw2nw2i30wlwpsavz1zjkp6a14yprvinma5hflkw4yj6i";
+    sha256 = "1l95kx3x4pf5iwmwigbch5c6n2h27lls5qiy4xh15v59p5442yw5";
  };
  preConfigure = ''
    lrelease common/resources/translations/*.ts
  '';
  # TODO: manually adding qtbase and qtmultimedia to the library path is shit,
  # this should be done somewhere before when building the project, idk.
  installPhase = ''
    make INSTALL_ROOT="$(out)" install
    for i in qcma qcma_cli; do
      wrapQtProgram $out/bin/$i --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [
    qtbase qtmultimedia ]}
    done
  '';
  enableParallelBuilding = true;
  buildInputs = [ gdk_pixbuf ffmpeg libnotify libvitamtp git qtmultimedia qtbase ];
-  nativeBuildInputs = [ qmake qttools pkgconfig ];
+  nativeBuildInputs = [ qttools pkgconfig qmake ];
  meta = {
    description = "Content Manager Assistant for the PS Vita";
    homepage = https://github.com/codestation/qcma;
    license = stdenv.lib.licenses.gpl2;
    platforms = stdenv.lib.platforms.linux;
    broken = true;
    maintainers = with stdenv.lib.maintainers; [ makefu ];
  };
 }
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@ -3,7 +3,7 @@ self: super: let
  # This callPackage will try to detect obsolete overrides.
  callPackage = path: args: let
-    override = super.callPackage path args;
+    override =  super.callPackage path args;
    upstream = optionalAttrs (override ? "name")
      (super.${(parseDrvName override.name).name} or {});
  in if upstream ? "name" &&
--- a/makefu/5pkgs/dionaea/default.nix
+++ b/makefu/5pkgs/dionaea/default.nix
@ -1,50 +0,0 @@
 { stdenv, lib, pkgs, fetchurl,fetchFromGitHub,
  libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre,
  libev,
  ... }:
 let
  liblcfg = stdenv.mkDerivation rec {
    name = "liblcfg-${version}";
    version = "750bc90";
    src = fetchFromGitHub {
      owner = "ThomasAdam";
      repo = "liblcfg";
      rev = version;
      sha256 = "1k3r47p81paw5802jklx9xqbjrxr26pahipxn9nq3177qhxxibkr";
    };
    buildInputs = with pkgs;[ autoconf automake ];
    preConfigure = ''autoreconf -fi'';
    sourceRoot = "${name}-src/code";
  };
 in stdenv.mkDerivation rec {
  name = "liblcfg-${version}";
  #version = "1.5c"; #original, does not compile due to libc errors
  #src = fetchurl {
  #  url = "http://www.honeyd.org/uploads/honeyd-${version}.tar.gz";
  #  sha256 = "0vcih16fk5pir5ssfil8x79nvi62faw0xvk8s5klnysv111db1ii";
  #};
  #version = "64d087c"; # honeyd-1.6.7
  #  sha256 = "0zhnn13r24y1q494xcfx64vyp84zqk8qmsl41fq2674230bn0p31";
  version  = "6756787f94c4f1ac53d1e5545d052774a0446c04";
  src = fetchFromGitHub {
    owner = "rep";
    repo = "dionaea";
    rev = version;
    sha256 = "04zjr9b7x0rqwzgb9gfxq6pclb817gz4qaghdl8xa79bqf9vv2p7";
  };
  buildInputs = with pkgs;[ libtool automake autoconf ];
  configureFlags = [
    "--with-liblcfg=${liblcfg}"
    "--with-libpcap=${libpcap}"
  ];
  meta = {
    homepage = http://www.honeyd.org/;
    description = "virtual Honeypots";
    license = lib.licenses.gpl2;
  };
 }
--- a/makefu/5pkgs/farpd/default.nix
+++ b/makefu/5pkgs/farpd/default.nix
@ -1,63 +0,0 @@
 { stdenv, lib, pkgs, fetchurl,fetchFromGitHub,
  libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre,
  ... }:
 stdenv.mkDerivation rec {
  name = "farpd-${version}";
  version  = "0.2";
  src = fetchurl {
    url = https://launchpad.net/ubuntu/+archive/primary/+files/farpd_0.2.orig.tar.gz ;
    sha256 = "1m3pynvynr4vgkwh7z5i0yqlang2y0ph32cys3vbi2hx2apk9abd";
  };
  buildInputs = with pkgs;[
    automake
    gnugrep
    libpcap
    libdnet
    pcre
    libevent.out # requires .so and .h
    readline
    autoconf
    libtool
    zlib
    coreutils
    python
    pythonPackages.pysqlite
  ];
  patches = [
    ( fetchurl {
      url = https://launchpad.net/ubuntu/+archive/primary/+files/farpd_0.2-11.diff.gz;
      sha256 = "2c246b37de8aab9c73f955fb77101adefd90637d03f582b9f8ffae2903af2f94";
    })
  ];
  # removes user install script from Makefile before automake
  #patches = [ ./autoconf.patch ];
  preConfigure = ''
    autoreconf -fi
    substituteInPlace configure \
      --replace "dumbnet" "dnet" \
      --replace "libpcap.a" "libpcap.so" \
      --replace "libevent.a" "libevent.so" \
      --replace "net/bpf.h" "pcap/bpf.h"
  '';
  makeFlags = [ "LIBS=-lz" ];
  configureFlags = [
    "--with-libpcap=${libpcap}"
    "--with-libevent=${libevent}"
    "--with-libdnet=${libdnet}"
  ];
  postInstall = ''
    mv $out/sbin/arpd $out/sbin/farpd
    mv $out/share/man/man8/arpd.8 $out/share/man/man8/farpd.8
  '';
  meta = {
    homepage = https://launchpad.net/ubuntu/+source/farpd/ ;
    description = "fake arp";
    license = lib.licenses.gpl2;
  };
 }
--- a/makefu/5pkgs/mcomix/default.nix
+++ b/makefu/5pkgs/mcomix/default.nix
@ -11,6 +11,10 @@ python2Packages.buildPythonPackage rec {
  propagatedBuildInputs = with python2Packages;
    [ python2Packages.pygtk gtk3 python2Packages.pillow ];
  # for module in sys.modules.itervalues():
  #   RuntimeError: dictionary changed size during iteration
  doCheck = false;
  meta = {
    homepage = https://github.com/pyload/pyload;
    description = "Free and Open Source download manager written in Python";
--- a/makefu/5pkgs/opl-utils/default.nix
+++ b/makefu/5pkgs/opl-utils/default.nix
@ -22,6 +22,7 @@ stdenv.mkDerivation rec {
  meta = {
    homepage = https://github.com/ifcaro/Open-PS2-Loader;
    description = "open-ps2-loader utils (opl2iso,iso2opl,genvmc)";
-    license = lib.licenses.afl3;
+    ## not yet in stable
    # license = lib.licenses.afl3;
  };
 }
--- a/makefu/5pkgs/pfsshell/default.nix
+++ b/makefu/5pkgs/pfsshell/default.nix
@ -0,0 +1,27 @@
 { stdenv, lib, pkgs, fetchurl,fetchFromGitHub, upx, wine }:
 stdenv.mkDerivation rec {
  pname = "pfsshell";
  version = "64f8c2";
  name = "${pname}-${version}";
  src = fetchFromGitHub {
    owner = "makefu";
    repo = "pfsshell";
    rev = version;
    sha256 = "01lbqf8s91p8id58xa16fp555i03vfycqvhv7qzpnrjy6yvp9dm8";
  };
  buildInputs = [ ];
  makeFlags = [ ];
  installPhase = ''
    mkdir -p $out/bin
    cp pfsshell $out/bin
  '';
  meta = {
    homepage = https://github.com/uyjulian/pfsshell ;
    description = "browse and transfer files to/from PFS filesystems";
  };
 }
--- a/makefu/5pkgs/programs-db/default.nix
+++ b/makefu/5pkgs/programs-db/default.nix
@ -1,12 +0,0 @@
 { stdenv }:
 stdenv.mkDerivation rec {
  name = "programs-db";
  src = builtins.fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz ;
  phases = [ "unpackPhase" "installPhase" ];
  installPhase = ''
    cp programs.sqlite $out
  '';
 }
--- a/makefu/5pkgs/shackie/default.nix
+++ b/makefu/5pkgs/shackie/default.nix
@ -1,33 +0,0 @@
 { pkgs, fetchFromGitHub, ... }:
 with pkgs.python3Packages;
 let
  asyncio-irc = buildPythonPackage rec {
      name = "asyncio-irc-${version}";
      version = "2016-09-02";
      src = fetchFromGitHub {
        owner = "watchtower";
        repo = "asyncirc";
        rev = "5384d19";
        sha256 = "0xgzdvp0ig0im7r3vbqd3a9rzac0lkk2mvf7y4fw56p8k61df8nv";
      };
      propagatedBuildInputs = [ blinker ];
  };
 in
 buildPythonPackage rec {
    name = "shackie-${version}";
    version = "2017-04-24";
    propagatedBuildInputs = [
      asyncio-irc
      beautifulsoup4
      lxml
      pytz
      redis
      requests
    ];
    src = fetchFromGitHub {
      owner = "shackspace";
      repo = "shackie";
      rev = "e717ec7";
      sha256 = "1ffbjm3x2xcyxl42hfsjs5xg1pm0xsprdi5if9zxa5ycqydmiw3l";
    };
 }
--- a/makefu/6tests/data/secrets/torrent-secrets/auth.nix
+++ b/makefu/6tests/data/secrets/torrent-secrets/auth.nix
@ -0,0 +1 @@
 {}
--- a/makefu/source.nix
+++ b/makefu/source.nix
@ -13,7 +13,13 @@ let
              then "buildbot"
              else "makefu";
  _file = <stockholm> + "/makefu/1systems/${name}/source.nix";
-  ref = "0f19bee"; # nixos-17.09 @ 2018-01-05
+  pkgs = import <nixpkgs> {
    overlays = map import [
      <stockholm/krebs/5pkgs>
    ];
  };
  # TODO: automate updating of this ref + cherry-picks
  ref = "51810e0"; # nixos-17.09 @ 2018-02-14
                   # + do_sqlite3 ruby: 55a952be5b5
                   # + signal: 0f19beef3
@ -41,6 +47,7 @@ in
      };
      stockholm.file = toString <stockholm>;
      stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
    }
    (mkIf ( musnix ) {
      musnix.git = {
--- a/mv/source.nix
+++ b/mv/source.nix
@ -4,6 +4,11 @@ host@{ name, override ? {} }: let
              then "buildbot"
              else "mv";
  _file = <stockholm> + "/mv/1systems/${name}/source.nix";
  pkgs = import <nixpkgs> {
    overlays = map import [
      <stockholm/krebs/5pkgs>
    ];
  };
 in
  evalSource (toString _file) [
    {
@ -18,6 +23,7 @@ in
        mv = "/home/mv/secrets/${name}";
      };
      stockholm.file = toString <stockholm>;
      stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
    }
    override
  ]
--- a/nin/1systems/axon/config.nix
+++ b/nin/1systems/axon/config.nix
@ -11,6 +11,7 @@ with lib;
    <stockholm/nin>
    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    #../2configs/copyq.nix
    <stockholm/nin/2configs/ableton.nix>
    <stockholm/nin/2configs/games.nix>
    <stockholm/nin/2configs/git.nix>
    <stockholm/nin/2configs/retiolum.nix>
@ -98,6 +99,9 @@ with lib;
    enable = true;
  };
  services.xserver.displayManager.sessionCommands = ''
    ${pkgs.xorg.xhost}/bin/xhost + local:
  '';
  services.xserver.desktopManager.xfce = let
    xbindConfig = pkgs.writeText "xbindkeysrc" ''
--- a/nin/2configs/ableton.nix
+++ b/nin/2configs/ableton.nix
@ -0,0 +1,20 @@
 { config, pkgs, ... }: let
  mainUser = config.users.extraUsers.nin;
 in {
  users.users= {
    ableton = {
      isNormalUser = true;
      extraGroups = [
        "audio"
        "video"
      ];
      packages = [
        pkgs.wine
        pkgs.winetricks
      ];
    };
  };
  security.sudo.extraConfig = ''
    ${mainUser.name} ALL=(ableton) NOPASSWD: ALL
  '';
 }
--- a/nin/2configs/git.nix
+++ b/nin/2configs/git.nix
@ -36,17 +36,6 @@ let
  make-public-repo = name: { cgit ? {}, ... }: {
    inherit cgit name;
    public = true;
    hooks = {
      post-receive = pkgs.git-hooks.irc-announce {
        # TODO make nick = config.krebs.build.host.name the default
        nick = config.krebs.build.host.name;
        channel = "#xxx";
        server = "irc.r";
        verbose = config.krebs.build.host.name == "onondaga";
        # TODO define branches in some kind of option per repo
        branches = [ "master" ];
      };
    };
  };
  make-rules =
--- a/nin/2configs/im.nix
+++ b/nin/2configs/im.nix
@ -0,0 +1,19 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
 {
  environment.systemPackages = with pkgs; [
    (pkgs.writeDashBin "im" ''
      export PATH=${makeSearchPath "bin" (with pkgs; [
        tmux
        gnugrep
        weechat
      ])}
      ssh chat@onondaga
      if tmux list-sessions -F\#S | grep -q '^im''$'; then
        exec tmux attach -t im
      else
        exec tmux new -s im weechat
      fi
    '')
  ];
 }
--- a/nin/source.nix
+++ b/nin/source.nix
@ -4,6 +4,11 @@ host@{ name, secure ? false }: let
              then "buildbot"
              else "nin";
  _file = <stockholm> + "/nin/1systems/${name}/source.nix";
  pkgs = import <nixpkgs> {
    overlays = map import [
      <stockholm/krebs/5pkgs>
    ];
  };
 in
  evalSource (toString _file) {
    nixos-config.symlink = "stockholm/nin/1systems/${name}/config.nix";
@ -12,8 +17,6 @@ in
      nin = "/home/nin/secrets/${name}";
    };
    stockholm.file = toString <stockholm>;
-    nixpkgs.git = {
+    stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
-      url = https://github.com/nixos/nixpkgs;
+    nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs;
      ref = "afe9649";
    };
  }
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@ -42,6 +42,9 @@ let {
    kirk = {
      cgit.desc = "IRC tools";
    };
    kops = {
      cgit.desc = "deployment tools";
    };
    load-env = {};
    loldns = {
      cgit.desc = "toy DNS server";
@ -128,11 +131,6 @@ let {
        repo = [ repo ];
        perm = push "refs/*" [ non-fast-forward create delete merge ];
      } ++
      optional repo.public {
        user = attrValues config.krebs.users;
        repo = [ repo ];
        perm = fetch;
      } ++
      optional (repo.collaborators or [] != []) {
        user = repo.collaborators;
        repo = [ repo ];
--- a/tv/source.nix
+++ b/tv/source.nix
@ -6,6 +6,11 @@ with import <stockholm/lib>;
 }@host: let
  builder = if dummy_secrets then "buildbot" else "tv";
  _file = <stockholm> + "/tv/1systems/${name}/source.nix";
  pkgs = import <nixpkgs> {
    overlays = map import [
      <stockholm/krebs/5pkgs>
    ];
  };
 in
  evalSource (toString _file) [
    {
@ -20,6 +25,7 @@ in
        tv = "/home/tv/secrets/${name}";
      };
      stockholm.file = toString <stockholm>;
      stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
    }
    (mkIf (builder == "tv") {
      secrets-common.file = "/home/tv/secrets/common";
		`@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgF3311cZ/JV7lOzo/Crmy6pi0oBYu5klbTb8lU/Yic55XVRyYFtm+KGrNvqkcFgOx803aS7jogJ1N6HCdUAaEl5MzlkOX++h97ihZ/NeQZKDjYEEQYl4ElmIbCRiddpDm0HVX1OGSCtUzhlyDHJ8ieMCb+QVNrpwovlQnp53c/+Z6rGSZWgBMrzP7stlw+XjC1Alhi1M5L+bJfroa7cEcF+J5ZN+J2mWSmkPiQ6+iuk9zRkc5ELO1Vz4MsLoeKwbJrz+uuNVsY7u070pHtsLwbAsYU5vOWJeN/vtEwy51SY/so30FowvivTD9jIJ0xcmAdC56XjWaxttKuqUVBjJqhwqsUI6+AxLESekFXzkfghmG+AJPPkb2pvpVF3k0Ivn14bFBuFv0T2qPHq68Fs19WLTZn+dK3V+RfVkI6bEZaMOUezyBv59yFEY42wMISPw53jkaWqKIxyGCBECi3XlbeQ61FkwE9TElSY+NmoeMu6jPWw7XGDY4Jt6mtKiYu3hVqI5pg4hq3bxB8r2W7LnkDiYfArbzwmrc2zAmgJtY60/Pcwq7hP3LSDEuDDc4gYgpkLNwHjs+CLWqpbQffCFv+oOZj8G92if+dMBOUSBCr6FDqH6wLxZp2cfhud0p/0kLz09nv/PcRohOHdaQSEW7OAhJ5kgg3DuxhwUwOf/3UX5iLvm4WwE/mb7Iki4U3AENKHUWQ7TOrXcQq9AJX57e9CTI+N4phtzp9qur8vjVl2OpYl2Qb/0yQSGM+4wQ/nM4acePMk80oXLb3OJBlPp0CswzoI7kFBD0TUOnFTCkrJWPaZhgjQXyvCzgFKAvXgqWy4riczqLhdBAhc1vT3a18HsqKXE3mhJa6Kjl6r/ZQaDl2zw7uLmWTHhGuUI9w487L36extGuC3Tv8zEvu2UHqhdEcaSDzRQYcv1kRobfhTWjzFHzdA97Kkc+HuFfJk3MzchsjCxqIuDP4r5YauMBMHAIsUlP7Ar/t29WreAGJbCCd2oulkFL+P+8Sp6SksMMhKQvuRcj74n6BETfailv64z2FjT+qzkCsr/gzvWD08EJRZUCpidX2WfMoL396nBf+EgwhFykqoFg2jlJJ7Vggod8CSHUSeBkslhNk/tkv4y+NnsAIgNluVZlxIeKj1UgazohSNQVRHozs2lkuK0Ytl4TsFrE0X3ar7LpwEVvCLj3eh2kg4kNKNN/vOwWxvMlF9uCBq5FUHaBCst/OXeigjfGZ0ZK5iHsZN+R/iIlG+3V3VN1Rm29aPJPSuAgwl/lfPUfUP5c8QiwnDgdHqMi7VcuCpEtcTLjqDHBssqosRTLodcIZY6qLepm5kQgJ2FfcTPi+ZwT3Z/IFH6p/H7NeVbb8rVYeF/zqDJiWbI+gDy0xFnGgOLpFSBdHq679FjtjZk7Exgz3rVD+QsoSB8VYVOSqpHB1LQyQ2qBry+33CNpxlX5GaaLx5sbEKEguaJ+9R7Mbf8zQMa8EAXhqoT96kIj66IEk= lass@daedalus
`@ -1 +1 @@`
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDm4qnRU8/Zyb+7x/QxW1grN+i1qcN39Sr/TSkBdccAPyfPdk8ph/G+wZKgsyr9sl5CgbA4hOsqDBN97dp4dKghKARuk0GldHDgo+2odWwBTa4EOSmE4Bfj3z7r9tW33Y+ujy55L4w5Qw21lj51mbhc0qvC/03xypEeKsLM0RtNAf8TsdGMPGmbha7uCF75VjFJvrHysbjonh6ZQ+Or8N0MSNABZ9oawJQxxBUqtLFhnq20zCJmm281f9GS/EaGYwcpOjiHd4fj3XWyfEIJRK/LRBZXkidvVDN7mhOQY3G+qiGZfPeyged9CRDRFoc5QbZ43NtrmPS+yUtjHQZKynkjI0lA00fegRzb0FkEJmYSy1Vdqgj338CjNwcuTaKJTw2EotMqMuHyk1FllnphafJtgMTMLIGoZRTpJpC91gbP0MGTnRoCwD4McZcz1YD3cxng101QsLsDv/FPxzbyxr+P6rjBB6eP6IhP4k4ALjWzoMURdCo1BW4//zt+PXImUpcX2+urtAMmVBQ8BwZry1hsEcR+r6C1Yb+jzeWGnvtfjXSFv+ZjpA0eEnqeKeh3LDCxybjkok51zdTe97EZ0sDAnKcnrVzpXJwehY02E2N9Sw1HhvWIUUulr09a2bC2rYR7HWryOjaEzT2aKmUyrxPkflCawB8gn2iSbVMWK74VJw== lass@icarus	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgEuFS5MwYQRF+0MKAQvyv6O+0ky0QnOKGMVZgFXE4g2JrByTCXQAeQmyJquM1wl9IRD63res8ZguMoAz2PkHfNbRSSsR7pH/G3DaJRl0VGf14zO3bjBbogQ45j1Bwxi78h44SDmuBAkp0t76ca16kWGhwEVt03+8sqmbLV90RjHZlrFw2sDgTu35SDz1q/ZzkdyFP3xSIBUnsQD64qRLMx64yLcBp0uu2h7gBBCVyA1T+VR3Nc1yIOyv0nUaqEHz+CDATtFlgGTgT6cCXoIPN0QAuIa3pDxt7htD/POsWuFbpbqrBQVcgun5s3J5X0OmNyoqGqqubcycvuYipZUjBCxyTb7RxCqj2oR8alSaeGZm64I0VSGX/iSCtXKaEJqBbxwNUgDH6B2oUeZbRwgPl/SG8vBku1oKzt/36IBoY8HttcosqLkfTquyyO7KVtOBu04geCmmiqJpSV4j5iYMxvrD0AQ3JJmrcbzUYoCGxlYO19TPsa+Ybhn/E8suach75+DIPj5LacYAh9Wjirw67Kg5QyYEt8XGTR2xxF78CFi0JGBRcyorPfFPLznmVntqJLe6dGNL3njgdD0Ocz8V5ktk1pjY5D2nG8GXfd45NQl2QjTLYnYX4dGuudBXth0nEJMv/MRHZrXVViIqwazdq4mA5z1Yu4Tb3l17d2cAZobzdut6JuZbd7itXAPIiY0vEWXr8lpEuE8Uz9mz8aPxZlhmHSXvNcwhq+i2+cFO8OPwUGbnE2cAHpymlQ3aDRgpptAIMU2LjIAblqsvA72asJpuRqu7ZOoy0vVRCOhktIzZXWR9hF5/CM/7NZ5skvHzYlmgkvnuu4jDDGusF32Zyiip0WJg+Iijqe8VpOqCup5UEF5QG32yQwaZDrKd71hq7Z1xNe0vEPN8yCxpes8hWafYY9m8YRrUduDVlOon7SzmdU76RPn2oF6udCGP7A/hEeRiwrDaRuIwchh99Xw3LioxXNzLYB1aXd+yKuZyhW+witC20ISdyZz7JPIrb49JCGH8FtbcDzD1B8Xd1By34POfhxriSr9UG5Hj9LGbA3/aKMOajZdcbrKXorUrKdhAuZv1z4rjW5iwYgXF2G/nseeCOw+DPEcB3GexsyCTUzSjJ6fy3Aqlzppwttx5MfkbNhPZWRCfDX3i0g8e0aFlgvlj99aGgUQeEpYg8peZhe1lxl25Ftc0R7pYmXPDeCY1yWxZiXZ3YtVVr43c/FEaQHXfkZ2I+t5lG6CmgJhhYjUry5Sx4/NgfBvpmU22cIBWNmyTn9q3gDFmeoIiTwlF654K7NnsWrdKr2L2fGI10Xe/J/GYkkzX39e5bToQPXh23gUfIr7faYEPBsVU/SaEkWNHojzf/NKjPT0utvlFr0HqnFYSdk4wpWzcrhii7E/UhgKvpA/k2Vlj4ZhkejfZXQWxRbJzejkVSJcUGim+Dt1WUZJXVOgEkJ3WA6z+ha2FN2sBDdvRKlad55aelvRrbu3/vPzEuE= lass@icarus