diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix
new file mode 100644
index 000000000..db0bc5748
--- /dev/null
+++ b/krebs/2configs/ergo.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, ... }:
+
+{
+  networking.firewall.allowedTCPPorts = [
+    6667
+  ];
+
+  krebs.ergo = {
+    enable = true;
+  };
+}
+
+
diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix
index 3780e0d7d..bb273652d 100644
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@@ -22,8 +22,6 @@ with import <stockholm/lib>;
     pkgs.vaapiVdpau
   ];
 
-  security.rngd.enable = mkDefault true;
-
   services.xserver = {
     videoDriver = "intel";
   };
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 2823aabef..14e0a3d7a 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -119,6 +119,7 @@ in {
   users.users.reaktor2 = {
     uid = genid_uint31 "reaktor2";
     home = stateDir;
+    isSystemUser = true;
   };
 
   krebs.reaktor2 = {
diff --git a/krebs/2configs/shack/muell_mail.nix b/krebs/2configs/shack/muell_mail.nix
index 481564719..951450200 100644
--- a/krebs/2configs/shack/muell_mail.nix
+++ b/krebs/2configs/shack/muell_mail.nix
@@ -12,6 +12,7 @@ let
 in {
   users.users.muell_mail = {
     inherit home;
+    isSystemUser = true;
     createHome = true;
   };
   systemd.services.muell_mail = {
diff --git a/krebs/2configs/shack/muellshack.nix b/krebs/2configs/shack/muellshack.nix
index e894b9394..b032b4299 100644
--- a/krebs/2configs/shack/muellshack.nix
+++ b/krebs/2configs/shack/muellshack.nix
@@ -13,6 +13,7 @@ let
 in {
   users.users.muellshack = {
     inherit home;
+    isSystemUser = true;
     createHome = true;
   };
   services.nginx.virtualHosts."muell.shack" = {
diff --git a/krebs/2configs/shack/node-light.nix b/krebs/2configs/shack/node-light.nix
index 4a981ea87..2e69d5aaa 100644
--- a/krebs/2configs/shack/node-light.nix
+++ b/krebs/2configs/shack/node-light.nix
@@ -14,6 +14,7 @@ in {
   networking.firewall.allowedUDPPorts = [ 2342 ];
   users.users.node-light = {
     inherit home;
+    isSystemUser = true;
     createHome = true;
   };
   services.nginx.virtualHosts."lounge.light.shack" = {
diff --git a/krebs/2configs/shack/powerraw.nix b/krebs/2configs/shack/powerraw.nix
index cc3692e85..43c743587 100644
--- a/krebs/2configs/shack/powerraw.nix
+++ b/krebs/2configs/shack/powerraw.nix
@@ -14,7 +14,10 @@ let
 in {
   # receive response from light.shack / standby.shack
   networking.firewall.allowedUDPPorts = [ 11111 ];
-  users.users.powermeter.extraGroups = [ "dialout" ];
+  users.users.powermeter = {
+    extraGroups = [ "dialout" ];
+    isSystemUser = true;
+  };
 
   # we make sure that usb-ttl has the correct permissions
   # creates /dev/powerraw
diff --git a/krebs/2configs/shack/s3-power.nix b/krebs/2configs/shack/s3-power.nix
index f3ea67f79..0ce8a8786 100644
--- a/krebs/2configs/shack/s3-power.nix
+++ b/krebs/2configs/shack/s3-power.nix
@@ -14,6 +14,7 @@ in {
   users.users.s3_power = {
     inherit home;
     createHome = true;
+    isSystemUser = true;
   };
   systemd.services.s3-power = {
     startAt = "daily";
diff --git a/krebs/2configs/shack/shackDNS.nix b/krebs/2configs/shack/shackDNS.nix
index 807bb7e65..c9cdfd24b 100644
--- a/krebs/2configs/shack/shackDNS.nix
+++ b/krebs/2configs/shack/shackDNS.nix
@@ -30,6 +30,7 @@ in {
   users.users.shackDNS = {
     inherit home;
     createHome = true;
+    isSystemUser = true;
   };
   services.nginx.virtualHosts."leases.shack" = {
     locations."/" = {
diff --git a/krebs/2configs/shack/share.nix b/krebs/2configs/shack/share.nix
index d8d65d309..3eb30964e 100644
--- a/krebs/2configs/shack/share.nix
+++ b/krebs/2configs/shack/share.nix
@@ -1,7 +1,7 @@
 {config, ... }:{
   users.users.smbguest = {
     name = "smbguest";
-    uid = config.ids.uids.smbguest;
+    uid = config.ids.uids.smbguest; #effectively systemUser
     group = "share";
     description = "smb guest user";
     home = "/home/share";
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix
index e4f05a6e6..9a18b8dff 100644
--- a/krebs/2configs/wiki.nix
+++ b/krebs/2configs/wiki.nix
@@ -4,9 +4,9 @@ let
 
   setupGit = ''
     export PATH=${makeBinPath [ pkgs.git ]}
-    export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.krebs.gollum.stateDir}/.ssh/id_ed25519'
+    export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i ${config.services.gollum.stateDir}/.ssh/id_ed25519'
     repo='git@localhost:wiki'
-    cd ${config.krebs.gollum.stateDir}
+    cd ${config.services.gollum.stateDir}
     if ! url=$(git config remote.origin.url); then
       git remote add origin "$repo"
     elif test "$url" != "$repo"; then
@@ -27,7 +27,7 @@ let
 
 in
 {
-  krebs.gollum = {
+  services.gollum = {
     enable = true;
     extraConfig = ''
       Gollum::Hook.register(:post_commit, :hook_id) do |committer, sha1|
@@ -36,6 +36,8 @@ in
     '';
   };
 
+  systemd.services.gollum.environment.LC_ALL = "en_US.UTF-8";
+
   networking.firewall.allowedTCPPorts = [ 80 ];
   services.nginx = {
     enable = true;
@@ -87,7 +89,7 @@ in
   };
 
   krebs.secret.files.gollum = {
-    path = "${config.krebs.gollum.stateDir}/.ssh/id_ed25519";
+    path = "${config.services.gollum.stateDir}/.ssh/id_ed25519";
     owner = { name = "gollum"; };
     source-path = "${<secrets/gollum.id_ed25519>}";
   };
diff --git a/krebs/3modules/airdcpp.nix b/krebs/3modules/airdcpp.nix
index 56fb31795..0ac9d3350 100644
--- a/krebs/3modules/airdcpp.nix
+++ b/krebs/3modules/airdcpp.nix
@@ -268,6 +268,7 @@ let
         uid = genid "airdcpp";
         home = cfg.stateDir;
         createHome = true;
+        isSystemUser = true;
         inherit (cfg) extraGroups;
       };
       groups.airdcpp.gid = genid "airdcpp";
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index ffa9a29e9..051646b63 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -146,6 +146,7 @@ let
       uid = genid_uint31 "bepasty";
       group = "bepasty";
       home = "/var/lib/bepasty-server";
+      isSystemUser = true;
     };
     users.extraGroups.bepasty = {
       gid = genid_uint31 "bepasty";
diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix
index 9b2ed4a71..7a78880ea 100644
--- a/krebs/3modules/brockman.nix
+++ b/krebs/3modules/brockman.nix
@@ -12,7 +12,7 @@ in {
     users.extraUsers.brockman = {
       home = "/var/lib/brockman";
       createHome = true;
-      isNormalUser = false;
+      isSystemUser = true;
       uid = genid_uint31 "brockman";
     };
 
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index 8995753ac..a845bb281 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -322,6 +322,7 @@ let
       description = "Buildbot Master";
       home = cfg.workDir;
       createHome = false;
+      isSystemUser = true;
     };
 
     users.extraGroups.buildbotMaster = {
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index c15169fba..d877b9911 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -131,6 +131,7 @@ let
       description = "Buildbot Slave";
       home = cfg.workDir;
       createHome = false;
+      isSystemUser = true;
     };
 
     users.extraGroups.buildbotSlave = {
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e75afad1d..30ca82b97 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -20,6 +20,7 @@ let
       ./ci.nix
       ./current.nix
       ./dns.nix
+      ./ergo.nix
       ./exim.nix
       ./exim-retiolum.nix
       ./exim-smarthost.nix
@@ -28,7 +29,6 @@ let
       ./github-known-hosts.nix
       ./git.nix
       ./go.nix
-      ./gollum.nix
       ./hidden-ssh.nix
       ./hosts.nix
       ./htgen.nix
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
new file mode 100644
index 000000000..14f85c4d7
--- /dev/null
+++ b/krebs/3modules/ergo.nix
@@ -0,0 +1,136 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkEnableOption mkIf mkOption types;
+  inherit (pkgs) coreutils ergo;
+  cfg = config.krebs.ergo;
+
+  configFile = pkgs.writeText "ergo.conf" (builtins.toJSON cfg.config);
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    krebs.ergo = {
+
+      enable = mkEnableOption "Ergo IRC daemon";
+
+      config = mkOption {
+        type = (pkgs.formats.json {}).type;
+        description = ''
+          Ergo IRC daemon configuration file.
+        '';
+        default = {
+          network = {
+            name = "krebstest";
+          };
+          server = {
+            name = "${config.networking.hostName}.r";
+            listeners = {
+              ":6667" = {};
+            };
+            casemapping = "permissive";
+            enforce-utf = true;
+            lookup-hostnames = false;
+            ip-cloaking = {
+              enabled = false;
+            };
+            forward-confirm-hostnames = false;
+            check-ident = false;
+            relaymsg = {
+              enabled = false;
+            };
+            max-sendq = "1M";
+            ip-limits = {
+              count = false;
+              throttle = false;
+            };
+          };
+          datastore = {
+            path = "${cfg.statedir}/ircd.db";
+          };
+          accounts = {
+            authentication-enabled = true;
+            registration = {
+              enabled = true;
+              email-verification = {
+                enabled = false;
+              };
+            };
+          };
+          channels = {
+            default-modes = "+nt";
+          };
+          limits = {
+            nicklen = 32;
+            identlen = 20;
+            channellen = 64;
+            awaylen = 390;
+            kicklen = 390;
+            topiclen = 390;
+          };
+        };
+      };
+
+      statedir = mkOption {
+        type = types.path;
+        default = "/var/lib/ergo";
+        description = ''
+          Location of the state directory of ergo.
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "ergo";
+        description = ''
+          Ergo IRC daemon user.
+        '';
+      };
+
+      group = mkOption {
+        type = types.str;
+        default = "ergo";
+        description = ''
+          Ergo IRC daemon group.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable ({
+    users.users.${cfg.user} = {
+      description = "Ergo IRC daemon user";
+      uid = config.ids.uids.ircd;
+      group = cfg.group;
+    };
+
+    users.groups.${cfg.group} = {
+      gid = config.ids.gids.ircd;
+    };
+
+    systemd.tmpfiles.rules = [
+      "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -"
+    ];
+
+    systemd.services.ergo = {
+      description = "Ergo IRC daemon";
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStartPre = "${ergo}/bin/ergo initdb --conf ${configFile}";
+        ExecStart = "${ergo}/bin/ergo run --conf ${configFile}";
+        Group = cfg.group;
+        User = cfg.user;
+      };
+    };
+
+  });
+}
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 123bbac47..8e6fa225a 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -589,6 +589,32 @@ in {
         };
       };
     };
+    nxnv = {
+      owner = config.krebs.users.rtjure;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.122.127";
+          aliases = [
+            "nxnv.r"
+          ];
+          tinc.pubkey = ''
+           -----BEGIN RSA PUBLIC KEY-----
+           MIICCgKCAgEAxEs92W/wRl3wlB6fNS2KUS+ubFAPLkgQYhk4JXeEeTpUq1H27oxB
+           ZWgWOlLMqnvn3w+aHQviWWPl5F6jXCxDOWCwyLhZU4cs45+ub9KKezCeE8IN+gAt
+           NKDqmRFzao9EXoT7sR65BblqEUR/Aqpykv7n4JdL5pGDbw1GGJ6Xf5QZo2sYm4wp
+           wdqOROn/V2Sm8NgmD1K6Sa2i6BLHSvHqunI4qoTyMfGXl8sbw6I2iclpQy8td9bt
+           1WA7F9kVTZdhaWgfpiZ8sKQ9LoFKoy6jnoppQcl/E8V2XNnjPy8obaLX9rTJ/deT
+           eW9qmfZeYiFSaDLLWEIZjhaU2l9z72oWyUW8w8GZQD+ypGi+UDMkbAhRHiaVGOZy
+           S7AodiEL2Ebzj6XJaNYC3LYm5R8U6XlvcHwn4FDtgKkqwXz08cZsPwQLoBjXUEi/
+           9/A5WEwrmp62TJ/ZRcRwV8/dBklrc/4FT0q0CiMuCWcbjF891d68TvcXlVU3gCwN
+           ld80CS17o2dOsBBW4nft7+9tL545p7mMjw6Oa4kRUTo2n1mYkMdTGZR+tOCD6hvW
+           45IG7vGq5EnRwolekGoMRf8RthajU2RXcIoNWnVon0so0Rja+AU9G7dobd/2qila
+           jta1Mou2vzUSAbdwXtBwJHlV9882p1utMlU9XVEZwQXfWSt488tQqzsCAwEAAQ==
+           -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
     ada = {
       owner = config.krebs.users.filly;
       nets = {
@@ -675,6 +701,7 @@ in {
             1T6DILDF71H92PNylujKSPA0CKI160xJ61Xy/T6MYl5u0+RblAgYr77o5HJwmXCe
             jFrCu3SKUIlJWYHWE8yNoR+VVYeXakbDFYE3KpVyBDG+ljUbia+Oel8CAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = 3IKIoZqg0jm9+pOOka2FEtihx0y8qAdJqKTuRfJtMpK
           '';
         };
       };
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 15136cbce..bbefb8ed8 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -39,6 +39,7 @@ in {
             DKhcgvE6xHCwZnVyJN8MMy1CVyDmnHVYoaTEZ2cCvNi/hXIXgO9KWjSpAv5tP764
             UkOE4dlDpEW6G1pNf84BERfRYGDj29A/Jk9LJC/6D09QJXNu18HR0sUCAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = 6VktF9Fg9E0hCW5g+rwGnrPACPSx/8vkl+hPNaFYeND
           '';
         };
       };
@@ -72,6 +73,7 @@ in {
             UU8cQZ3yBLIhTtC+38pRlsdBQHt526q0j0rrnd30JXVAUdWBunP2UJ5QGtA8/mWn
             cWSlvRf5sfbyrISz6+mLPM2qGHnCkKwORNxmv/1DY07O3Rn6hX0OY4ECAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = qnJmS6W7QSKG3mjW1kPnHGeVmKzhGkyP9xBLGwH5XvD
           '';
         };
       };
@@ -148,6 +150,7 @@ in {
             IzbYu49VO/B1rktYzZ2l2ENQy6OILXWbvFjC8Pt8f1ZZQ4A21PyNA1AdyJ/rbVj7
             awm3OnnvKSvMCXWnwHPFHjksb3qMx96Aep1cw3ZBx0sQQ41UWBoOsi8CAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = ikUmx5IC1dvfaHFhpZM9xotwF2LH6EkvpcPTRm6TjeD
           '';
         };
       };
@@ -240,10 +243,10 @@ in {
             61Oahtwy/szBj9mWIAymMfnvFGpeiIcww3ZGzYNyKBCjp1TkkgFRV3Y6eoq1sJ13
             Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
             -----END RSA PUBLIC KEY-----
+
+            Ed25519PublicKey = 7J1JgVyiy540akMdd/kONta0fMHSl5+FQJ1QhN84TzP
           '';
           tinc.subnets = [
-            # ohorn lan
-            "fd42:4492:6a6d:500:8526:2adf:7451:8bbb"
             # docker network
             "42:0000:002b:1605:3::/80"
           ];
@@ -269,21 +272,26 @@ in {
         '';
       };
     };
-    anindya = {
+    aendernix = {
       owner = config.krebs.users.mic92;
       nets.retiolum = {
-        ip4.addr = "10.243.29.191";
+        ip4.addr = "10.243.29.172";
         aliases = [
-          "anindya.r"
+          "aendernix.r"
         ];
         tinc.pubkey = ''
           -----BEGIN RSA PUBLIC KEY-----
-          MIIBCgKCAQEA8yWr01WlmM4RYuJdxvzvfdN3C5T3DOknWvK7U3y92HYgtQfYtZwu
-          +J8r1fpTsdIS8wKdSEqz7Mjhb1JabJBB1fv/2mkAF4V/gkMbP0jqZ6QQL29kgkNP
-          aI/+zG1yh4kEDgSn843J6XnTsJ/4Na2zmbVP1iIIQYMXyh+meWsBVR6DKV5ighjz
-          4h3wKbuMmDrS50aTk8ahgWoiqcE2DTUMeprw4SIL+RTepmsCINQtAJui5Ys6AAbK
-          ab6gxMzRH2txLBcTfSrbqTX3qHZHLlB9Ai5FEItWqMBxquD6OCxn8DNU+5LgGpt1
-          Z37SI1U0c4uu1oo7kOSx6wYP2ZVOatys6QIDAQAB
+          MIICCgKCAgEAt/dCDTvJU5jugP+5pk2CNM8X6cOnFonJv2eS253nsmKI97T9FSUa
+          QDt417MoqAJNEeZw7o4ve1fmdZmtfKgmXYdDJi2HSJCJoKY6FUgVOKevtzGg4akl
+          4mKTy2z59CxyIbA41MHyLq18W3NLabQ41NpWGBRt9jvHQpZfd+wI8t5IIzdvFrKo
+          JSOFRbzEBL5//Hc3N/443cUg4IMyDBTemS7/jaZ2/Mn+PVZAdoIPLEZjFeWewmTF
+          Jd8Bsc2thzAREYHYnawhq3PLJSebMJd91pCdkD0NB0i59VKORcQTFady3fzE9+w4
+          RSTqAdBTUDuxzU/B8g1dp89/qW+fVPiFuB5Pf7D9t2DgxTDAeSXMiId/4Hwa0B1G
+          QCnCedz0Qk2UdId16BTS8DSq8Pd9fawU6qCmPY6ahSiw5ZQ6odMvDISb480cKj41
+          pslLjhIItTk3WEs8MwnQCzweNABuCK7GzT7CNaYm3f9pznBlOB+KfoZ6mrlzKkEK
+          u+gFJXTFym0ZF0wheXO7FCJ1jp4LFHqKGS3zWQyT7isjLsbcQzpOe8/FdiFlQvlG
+          vltL+5JjcahAMHc/ba+pRa5rSy8ebqf68fg4jlkT94Za13bCIHdK5w7eAXR3s/9z
+          H2wZmhvajUIZAxQSgFUy+7kKWOIkWqFkGPIdmbdwTaHC88OWshvRv8ECAwEAAQ==
           -----END RSA PUBLIC KEY-----
         '';
       };
@@ -356,6 +364,7 @@ in {
             4frtEIGbfdKqQ6nNTvTpCrAo+WAm3NE3khTYqGe4LqX/JMoGtWXp/Ex9IdG+sflM
             mESMjuHp9vPY4aZGPtYPP93Cxv3q7gm+EfIGebajISpaG28J+XjiNNsCAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = emKq1mfkW4/aCoCwmeFU3DtppKs+KsTvd9YGoFkFgdC
           '';
         };
       };
@@ -381,8 +390,6 @@ in {
             /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
             -----END RSA PUBLIC KEY-----
           '';
-          # ohorn lan
-          tinc.subnets = [ "fd42:4492:6a6d:500::/64" ];
         };
       };
     };
@@ -410,6 +417,7 @@ in {
              74oJVJgBT5M1rTH2+u+MU+kC+x2UD+jjXEjS55owFWsEM1jI4rGra+dpsDuzdGdG
              67wl9JlpDBy4Tkf2Bl3CQWZHsWDsR6jCqwIDAQAB
              -----END RSA PUBLIC KEY-----
+             Ed25519PublicKey = Z5+fArxMfP8oLqlHpXadkGc9ROOPHBqugAMD2czmNlJ
           '';
         };
       };
@@ -417,6 +425,11 @@ in {
     bill = {
       owner = config.krebs.users.mic92;
       nets = rec {
+        internet = {
+          ip4.addr = "131.159.38.191";
+          ip6.addr = "2a09:80c0:38::191";
+          aliases = [ "bill.i" ];
+        };
         retiolum = {
           addrs = [
             config.krebs.hosts.bill.nets.retiolum.ip4.addr
@@ -426,13 +439,19 @@ in {
           aliases = [ "bill.r" ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
-            MIIBCgKCAQEAzg0wJuDvsbflRKSJ7+ug9y7Gn+BH3CR44fuCPZpWmIcGIUbA6rXj
-            CD8pF5heOvXNCFlEip2wqTkaCJPnUs3x8BRtORmD6OxDdmqt0xH54u7CixKzrPp9
-            GIQydv+ZsGA2z3aDbmBydRPDIvYGhW68FJn10qlGRjCZ5zCl1eVEZ/wMddFXc0B8
-            KDbxh7qOkjXon6EOGACVbnrnUR3F1GsIvCxX0cCDrO0P8XHwwsZiAfUwXYkiqw7t
-            zPcty6Bbr34mSJbb9cFb/qQlfPWT0HVgo+Q65HVkr/64o/9tTyREZcj1dk5PpEPE
-            bt7PGlOF1oPZpVFQh8S+NviHTtqrvkuISQIDAQAB
+            MIICCgKCAgEAvzM5dWPpmzzmogjuZC5boNvz+MJcIO0WnE9IINBY+CLSw5ZpNDVB
+            b97EG0Irs92OLJ5eesdPdF5LIyfFcFHOpPN+NdVEfLDWpFZVgOYh4BRy5+JdEk6O
+            ybcxLFIdgBHxahd3W27FxXC1ALu/AInAA2b4rwYoNBi23idj8+wtL4MJldkr5QaQ
+            sx8VQxIMy1xY4AbKcHdOt/nMrPoU6GnE9ObdcLys5cGUl/7Vc0NAMK6RrFQo+jfn
+            2N0uWA1hZPAfZEEKP91xiOiRSx15WG3q9R/rqPmBh6l+rdPyWdRKcPVndCzVDrgw
+            WWPcR9A9Yzr0ZrpEIHOfrDOqb2Ur1HlrXHZRpt55IYOKwC7ZimZzKkMj7zl1t2Rq
+            nC07IJS7OI38amgLI0PSFI/Mx+mAPdYjd0fDcp8q7reOL63QT7cbrOw+cyOzNzGb
+            I7U7QaHaA2unOa1EYj5Ocd6jI1IyHqQe9FkUqgTaDVU44U3WEo/KY6FZfhqSPPHs
+            PsFzMj9nOWUGUr0cAn7DloIfNL49voO1C4HaiEvvhbSFIT/8suq3JznFxmP/q+Ph
+            qYbXI/LXzU2Ln1Abiu9m1OfxTmEOlH9C54zyUvkAfhjcD2/aZWc76g06Oj2L6kZ6
+            EC9Ku7Hk37rVOgZjtXUjuf3eUAvImknQ/JMRM3YDQgmu4iU0tJ1UnqkCAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = bN+knMGCqK+HkdOucynEXxeqGFOS2u8oWLRDV/gNIZI
           '';
         };
       };
@@ -440,6 +459,11 @@ in {
     nardole = {
       owner = config.krebs.users.mic92;
       nets = rec {
+        internet = {
+          ip4.addr = "131.159.102.2";
+          ip6.addr = "2a09:80c0:102::2";
+          aliases = [ "nardole.i" ];
+        };
         retiolum = {
           addrs = [
             config.krebs.hosts.nardole.nets.retiolum.ip4.addr
@@ -449,13 +473,19 @@ in {
           aliases = [ "nardole.r" ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
-            MIIBCgKCAQEA05JzZLPH4+t2X8TI1nYsv4WCQ/OUmuMy9YbKUIRITE2EVA+x47Cf
-            qdYPucWUpF7ap1rykxHBcPnmORO/NjAymlt25FDyyYQ2uWm17VE7P7jefAUnX7xj
-            80Rt7aWCXfldQuRAbza35G+Kl50Y6ydkZYkKCbyQ8fMhuzNp6Wn/pAJD3yr+zdka
-            AsIoir9Ut9/9CKayRqGF+zaIf2Lj7nl5GL8bCAVJydU98GjlnXt7iuaWCt0H7NiK
-            FWOjkGhAUlQI9I6l+5ELWClpyk5X+isfbUbYaCCspZJvos+vDE8hJuH5PrH8NuJj
-            fJv8HrHkcGphn/Nn1TotpHBkyMyE5h6akwIDAQAB
+            MIICCgKCAgEAyYIN9FYtTmJTXUlBO4QYp9J7SZbglMEq0QCMpF9xQvCqJHl+C1vm
+            NzAswlhbaK5J1spi6+zUXtYJEVQyP1xesDlVm9G+hntS7woEWtuLO7VUL9whWINb
+            mO0OmYIEaWTMPIOKPTgc3tYsUhk7dw962/6I81JQczCHg1z2ItsRho/Kwi/Jo2Gj
+            jnPJQoRek45+xIzlf9Jx38ntioTQIaLuSw7/lplT1cHNcefLje8FQmVEojY79Ijc
+            6Ij4b9tPln8eQErw2sANS6kSUOVRnVkfeRW+3a4iRtd8SzXJ+aX5TCsq910Z1+/H
+            ClK91GctU0V11s/m8LCp/Wz+o+4Z89JLxnil/ZS/6NHsaHysQPFPbx0Uh5nASF64
+            RoWhzp2CSJTC9/UJKdPIpIokMIEGgKjy8Up3nY4yjoUnf6SZfzr4jmXfRmYmVaMp
+            cCjbMbxBo+MjfXlGRxJAFGkS9zO9/21SEDiWqfOVThg5jbBR/q9ysRGcXndS0ea7
+            NzsCbU1/0StxxmZLpBRz2MxGSHqlZbwInm9RjsXbCGa32tTiUz8VxjR3LTUMU8AP
+            xpPLaIo7TIPdkDvCFL+DtXB9lE2PDpnSHbxyXKVKqxmCW1i/+msrBs/gnQ9VjzyA
+            L1Ip2MBQd+CFUtaj+VdhjfulvpVcpr5e3nZe7cl38qucUp46tbVsJ3UCAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = BA8uWkeHofZb5s9bNy6PjefKNZwemETWAA+Q6okKn1M
           '';
         };
       };
@@ -467,7 +497,6 @@ in {
           ip4.addr = "10.243.29.171";
           aliases = [
             "rock.r"
-            "loki.r"
           ];
           tinc.pubkey = ''
             -----BEGIN PUBLIC KEY-----
@@ -518,6 +547,7 @@ in {
             W3jpl1y5zShr5Hz90QoYcUTsxg9uk/+yqKpwUySZ6Gh4q0bo5k7nkM9i8mCMfNGZ
             0UU94QmwS9RoV4Mt4pSLYRcCs0mVeEjLuIfTFHkXc6LCjBWMn8ICfeMCAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = 0O1LrgXAFOuei1NfU0vow+qUfim3htBOyCJvPrQFwHE
           '';
         };
       };
@@ -544,9 +574,8 @@ in {
             W5SCP9wx2ONhvZUkRbeihBiTN5/h3DepjOeNWd1DvE6K0Ag8SXMyBGtyKfer4ykW
             OR0iCiRQQ5QBmNuJrBLRUyfoPqFUXBATT1SrRj8vzXO1TjTmANEMFD0CAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = bXEnZa/jn2ntL0R4sMsRd7NIoHgzrzUnJ3ReJUQ8iFG
           '';
-          # ohorn lan
-          tinc.subnets = [ "fd42:4492:6a6d:500:f610:15d1:27a3:674b" ];
         };
       };
     };
@@ -621,8 +650,8 @@ in {
       nets = rec {
         internet = {
           # eva.thalheim.io
-          ip4.addr = "52.59.172.193";
-          ip6.addr = "2a05:d014:301:a601:ef0e:5434:d814:b8ed";
+          ip4.addr = "157.90.232.92";
+          ip6.addr = "2a01:4f8:1c1c:9a9::1";
           aliases = [ "eva.i" ];
         };
         retiolum = {
@@ -630,6 +659,7 @@ in {
           ip4.addr = "10.243.29.185";
           aliases = [
             "eva.r"
+            "loki.r"
             "prometheus.r"
             "alertmanager.r"
           ];
@@ -648,6 +678,7 @@ in {
             6uuTTsn7s0PYBJDNdccOf1Qt8fqPPgzqUKqeUciHojYDDPTC5KQh5m2PBv4I4iIR
             LnKOqNUX7UCqbdaE/tfFRG0CAwEAAQ==
             -----END PUBLIC KEY-----
+            Ed25519PublicKey = 7rbs+10zzfwOPj5RoS1i/01QXuw7uIHGOHIgsjB2fHK
           '';
         };
       };
@@ -671,6 +702,7 @@ in {
             EMp7y5QJySmKwJ/XsS6yiHeYXLFwWvfReja/IRFL4RiDSW+6ES4PTEXxoLVDpqgv
             KF44qim4UBabCMTPVtZcU3Rr+ufBALKJCwIDAQAB
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = PmZ8i6lB0Ij/d8qjA0y3QI2rMAlrTZn1ES/hUSNNWMP
           '';
         };
       };
@@ -699,6 +731,7 @@ in {
             fuXAsh5UbnE5kt6vKL5aducScatyd5FRkNumKG5ji26eZR4lZmXn380JLDInV4n7
             SODZL2fQFBnSD1wTWcq9Q/luPh4FitzJUZzHexvNxR/KBZycZJtdVw8CAwEAAQ==
             -----END RSA PUBLIC KEY-----
+            Ed25519PublicKey = pjCpkZToBUBbjUNVMWfYJePZ6g7m7Ccr9WedfKEFsXD
           '';
         };
       };
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index e89b86e32..852c8f630 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -57,6 +57,7 @@ let
       description = "fetchWallpaper user";
       home = cfg.stateDir;
       createHome = true;
+      isSystemUser = true;
     };
 
     systemd.timers.fetchWallpaper = {
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index 7d618ebfd..d385ec355 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -65,6 +65,7 @@ let
     users.users.${user.name} = {
       inherit (user) uid;
       home = cfg.dataDir;
+      isSystemUser = true;
     };
   };
 
diff --git a/krebs/3modules/gollum.nix b/krebs/3modules/gollum.nix
deleted file mode 100644
index 4b4e04d16..000000000
--- a/krebs/3modules/gollum.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.krebs.gollum;
-in
-
-{
-  options.krebs.gollum = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Enable the Gollum service.";
-    };
-
-    address = mkOption {
-      type = types.str;
-      default = "0.0.0.0";
-      description = "IP address on which the web server will listen.";
-    };
-
-    port = mkOption {
-      type = types.int;
-      default = 4567;
-      description = "Port on which the web server will run.";
-    };
-
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      description = "Content of the configuration file";
-    };
-
-    mathjax = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Enable support for math rendering using MathJax";
-    };
-
-    allowUploads = mkOption {
-      type = types.nullOr (types.enum [ "dir" "page" ]);
-      default = null;
-      description = "Enable uploads of external files";
-    };
-
-    emoji = mkOption {
-      type = types.bool;
-      default = false;
-      description = "Parse and interpret emoji tags";
-    };
-
-    branch = mkOption {
-      type = types.str;
-      default = "master";
-      example = "develop";
-      description = "Git branch to serve";
-    };
-
-    stateDir = mkOption {
-      type = types.path;
-      default = "/var/lib/gollum";
-      description = "Specifies the path of the repository directory. If it does not exist, Gollum will create it on startup.";
-    };
-
-  };
-
-  config = mkIf cfg.enable {
-
-    users.users.gollum = {
-      group = config.users.users.gollum.name;
-      description = "Gollum user";
-      home = cfg.stateDir;
-      createHome = false;
-      isSystemUser = true;
-    };
-
-    users.groups.gollum = { };
-
-    systemd.tmpfiles.rules = [
-      "d '${cfg.stateDir}' - ${config.users.users.gollum.name} ${config.users.groups.gollum.name} - -"
-    ];
-
-    systemd.services.gollum = {
-      description = "Gollum wiki";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.git ];
-
-      preStart = ''
-        # This is safe to be run on an existing repo
-        git init ${cfg.stateDir}
-      '';
-
-      serviceConfig = {
-        User = config.users.users.gollum.name;
-        Group = config.users.groups.gollum.name;
-        ExecStart = ''
-          ${pkgs.gollum}/bin/gollum \
-            --port ${toString cfg.port} \
-            --host ${cfg.address} \
-            --config ${pkgs.writeText "gollum-config.rb" cfg.extraConfig} \
-            --ref ${cfg.branch} \
-            ${optionalString cfg.mathjax "--mathjax"} \
-            ${optionalString cfg.emoji "--emoji"} \
-            ${optionalString (cfg.allowUploads != null) "--allow-uploads ${cfg.allowUploads}"} \
-            ${cfg.stateDir}
-        '';
-      };
-    };
-  };
-}
diff --git a/krebs/3modules/jeschli/default.nix b/krebs/3modules/jeschli/default.nix
index 390f7585f..41743612a 100644
--- a/krebs/3modules/jeschli/default.nix
+++ b/krebs/3modules/jeschli/default.nix
@@ -49,6 +49,7 @@ in {
       };
     };
     enklave = {
+      ci = false;
       nets = rec {
         internet = {
           ip4.addr = "88.198.164.182";
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 86b74a8ca..76f333963 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -60,6 +60,7 @@ let
       uid = genid "realwallpaper";
       home = cfg.workingDir;
       createHome = true;
+      isSystemUser = true;
     };
   };
 
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 33a24871f..19cce8aa4 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -127,6 +127,7 @@ let
     users.extraUsers.tinc_graphs = {
       uid = genid_uint31 "tinc_graphs";
       home = "/var/spool/tinc_graphs";
+      isSystemUser = true;
     };
     services.nginx = mkIf cfg.nginx.enable {
       enable = mkDefault true;
diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix
index 0b7a71db5..6a159a5b2 100644
--- a/krebs/3modules/urlwatch.nix
+++ b/krebs/3modules/urlwatch.nix
@@ -193,6 +193,7 @@ let
       inherit (user) uid;
       home = cfg.dataDir;
       createHome = true;
+      isSystemUser = true;
     };
   };
 
diff --git a/krebs/5pkgs/simple/buildbot-classic/default.nix b/krebs/5pkgs/simple/buildbot-classic/default.nix
index c127d2987..5e075f1a1 100644
--- a/krebs/5pkgs/simple/buildbot-classic/default.nix
+++ b/krebs/5pkgs/simple/buildbot-classic/default.nix
@@ -1,6 +1,9 @@
-{ pkgs, fetchFromGitHub, python2Packages, git, ... }:
+{ pkgs, fetchFromGitHub, python2Packages, git, ... }: let
 
-python2Packages.buildPythonApplication rec {
+  # we need the old sqlparse since the new one is python2 incompatible
+  sqlparse = python2Packages.callPackage ./sqlparse.nix {};
+
+in python2Packages.buildPythonApplication rec {
   name = "buildbot-classic-${version}";
   version = "0.8.18";
   namePrefix = "";
@@ -18,7 +21,7 @@ python2Packages.buildPythonApplication rec {
     python2Packages.jinja2
     python2Packages.twisted
     python2Packages.dateutil
-    python2Packages.sqlalchemy_migrate
+    (python2Packages.sqlalchemy_migrate.override { sqlparse = sqlparse; })
     python2Packages.pysqlite
     pkgs.coreutils
   ];
diff --git a/krebs/5pkgs/simple/buildbot-classic/sqlparse.nix b/krebs/5pkgs/simple/buildbot-classic/sqlparse.nix
new file mode 100644
index 000000000..b6aee633e
--- /dev/null
+++ b/krebs/5pkgs/simple/buildbot-classic/sqlparse.nix
@@ -0,0 +1,34 @@
+{ stdenv
+, buildPythonPackage
+, fetchPypi
+, pytest
+, isPy3k
+}:
+
+buildPythonPackage rec {
+  pname = "sqlparse";
+  version = "0.3.1";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "e162203737712307dfe78860cc56c8da8a852ab2ee33750e33aeadf38d12c548";
+  };
+
+  checkInputs = [ pytest ];
+  checkPhase = ''
+    py.test
+  '';
+
+  # Package supports 3.x, but tests are clearly 2.x only.
+  doCheck = !isPy3k;
+
+  meta = with stdenv.lib; {
+    description = "Non-validating SQL parser for Python";
+    longDescription = ''
+      Provides support for parsing, splitting and formatting SQL statements.
+    '';
+    homepage = "https://github.com/andialbrecht/sqlparse";
+    license = licenses.bsd3;
+  };
+
+}
diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
index 8728c0ae7..2fbc7ff86 100644
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
@@ -9,8 +9,7 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
     gnused
     file
     findutils
-    grib2json
-    imagemagick
+    imagemagick6
     inkscape
     jq
     nomads-cloud
diff --git a/krebs/5pkgs/simple/solanum/default.nix b/krebs/5pkgs/simple/solanum/default.nix
deleted file mode 100644
index 3fa765c94..000000000
--- a/krebs/5pkgs/simple/solanum/default.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ lib, stdenv
-, fetchFromGitHub
-, autoreconfHook
-, pkg-config
-, bison
-, flex
-, openssl
-, sqlite
-, lksctp-tools
-}:
-
-stdenv.mkDerivation rec {
-  pname = "solanum";
-  version = "unstable-2021-04-27";
-
-  src = fetchFromGitHub {
-    owner = "solanum-ircd";
-    repo = pname;
-    rev = "3ff5a12e75662e9a642f2a4364797bd361eb0925";
-    sha256 = "14ywmfdv8cncbyg08y2qdis00kwg8lvhkcgj185is67smh0qf88f";
-  };
-
-  patches = [
-    ./dont-create-logdir.patch
-  ];
-
-  configureFlags = [
-    "--enable-epoll"
-    "--enable-ipv6"
-    "--enable-openssl=${openssl.dev}"
-    "--with-program-prefix=solanum-"
-    "--localstatedir=/var/lib"
-    "--with-rundir=/run"
-    "--with-logdir=/var/log"
-  ] ++ lib.optionals (stdenv.isLinux) [
-    "--enable-sctp=${lksctp-tools.out}/lib"
-  ];
-
-  nativeBuildInputs = [
-    autoreconfHook
-    bison
-    flex
-    pkg-config
-  ];
-
-  buildInputs = [
-    openssl
-    sqlite
-  ];
-
-  doCheck = !stdenv.isDarwin;
-
-  enableParallelBuilding = true;
-
-  meta = with lib; {
-    description = "An IRCd for unified networks";
-    homepage = "https://github.com/solanum-ircd/solanum";
-    license = licenses.gpl2Only;
-    maintainers = with maintainers; [ hexa ];
-    platforms = platforms.unix;
-  };
-}
diff --git a/krebs/5pkgs/simple/solanum/dont-create-logdir.patch b/krebs/5pkgs/simple/solanum/dont-create-logdir.patch
deleted file mode 100644
index e348dd7b8..000000000
--- a/krebs/5pkgs/simple/solanum/dont-create-logdir.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/Makefile.am b/Makefile.am
-index 19e7b396..21093521 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -35,9 +35,6 @@ include/serno.h:
- 		echo '#define DATECODE 0UL' >>include/serno.h; \
- 	fi
- 
--install-data-hook:
--	test -d ${DESTDIR}${logdir} || mkdir -p ${DESTDIR}${logdir}
--
- install-exec-hook:
- 	rm -f ${DESTDIR}${libdir}/*.la
- 	rm -f ${DESTDIR}${moduledir}/*.la
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index fe46ec022..aaf66e428 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "7a1fbc38a4b538450ac0d42aec8a3e513b4d723e",
-  "date": "2021-05-16T12:16:31+02:00",
-  "path": "/nix/store/iq2sy65gmwad2prm8lcdh6k5f7ywxci5-nixpkgs",
-  "sha256": "0jg8dilsw0gr4jfshkk3wd50gddd11hvd836fxkw43m6m47885p7",
+  "rev": "fbfb79400a08bf754e32b4d4fc3f7d8f8055cf94",
+  "date": "2021-06-06T04:54:09-03:00",
+  "path": "/nix/store/51dsmanfc179xy70kn2rl0qvg45cn6qr-nixpkgs",
+  "sha256": "0pgyx1l1gj33g5i9kwjar7dc3sal2g14mhfljcajj8bqzzrbc3za",
   "fetchSubmodules": false,
   "deepClone": false,
   "leaveDotGit": false
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 06b865cc8..18e9ecd83 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
 {
   "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "33824cdf8e4fec30c5b9ddc91b18991c3c375227",
-  "date": "2021-05-18T19:08:44-04:00",
-  "path": "/nix/store/s3f1q2a5hn60jdnz8h66z7yahrmzifin-nixpkgs",
-  "sha256": "1sad0x998k3iid2vp57kv4skvf90yh4gbs61dv3p45c2qi3sql46",
+  "rev": "60cce7e5e1fdf62421ef6d4184ee399b46209366",
+  "date": "2021-06-09T01:18:50-04:00",
+  "path": "/nix/store/fixgn194626rb7gf99l9jaqm0hbqn2ix-nixpkgs",
+  "sha256": "100xrb925cana1kfd0c7gwkjjalq891vfgr0rn1gl9j8gp3l3gx6",
   "fetchSubmodules": false,
   "deepClone": false,
   "leaveDotGit": false
diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh
index 9a0ea7ed4..368a3ecb3 100755
--- a/krebs/update-nixpkgs.sh
+++ b/krebs/update-nixpkgs.sh
@@ -3,7 +3,7 @@ dir=$(dirname $0)
 oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
   --url https://github.com/NixOS/nixpkgs \
-  --rev refs/heads/nixos-20.09' \
+  --rev refs/heads/nixos-21.05' \
 > $dir/nixpkgs.json
 newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"
diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix
index 3e0b1674a..227c5e1e9 100644
--- a/lass/1systems/coaxmetal/config.nix
+++ b/lass/1systems/coaxmetal/config.nix
@@ -16,38 +16,54 @@
     <stockholm/lass/2configs/steam.nix>
     <stockholm/lass/2configs/wine.nix>
     <stockholm/lass/2configs/fetchWallpaper.nix>
-    <stockholm/lass/2configs/nfs-dl.nix>
+    # <stockholm/lass/2configs/nfs-dl.nix>
     <stockholm/lass/2configs/pass.nix>
     <stockholm/lass/2configs/mail.nix>
     <stockholm/lass/2configs/bitcoin.nix>
+
+    <stockholm/lass/2configs/xonsh.nix>
+    <stockholm/lass/2configs/review.nix>
+    <stockholm/lass/2configs/dunst.nix>
+    # <stockholm/krebs/2configs/ircd.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.coaxmetal;
 
-  environment.shellAliases = {
-    deploy = pkgs.writeDash "deploy" ''
+  environment.systemPackages = with pkgs; [
+    brain
+    bank
+    l-gen-secrets
+    (pkgs.writeDashBin "deploy" ''
       set -eu
       export SYSTEM="$1"
       $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
-    '';
-    usb-tether-on = pkgs.writeDash "usb-tether-on" ''
+    '')
+    (pkgs.writeDashBin "usb-tether-on" ''
       adb shell su -c service call connectivity 33 i32 1 s16 text
-    '';
-    usb-tether-off = pkgs.writeDash "usb-tether-off" ''
+    '')
+    (pkgs.writeDashBin "usb-tether-off" ''
       adb shell su -c service call connectivity 33 i32 0 s16 text
-    '';
-  };
+    '')
+  ];
 
   programs.adb.enable = true;
 
   hardware.bluetooth = {
     enable = true;
     powerOnBoot = true;
-    # config.General.Disable = "Headset";
-    extraConfig = ''
-      [General]
-      Disable = Headset
-    '';
   };
   hardware.pulseaudio.package = pkgs.pulseaudioFull;
+
+  lass.browser.config = {
+    dc = { browser = "chromium";  groups = [ "audio" "video" ]; hidden = true; };
+    ff = { browser = "firefox";  groups = [ "audio" "video" ]; hidden = true; };
+    fy = { browser = "chromium";  groups = [ "audio" "video" ]; hidden = true; };
+  };
+
+  nix.trustedUsers = [ "root" "lass" ];
+
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
 }
diff --git a/lass/1systems/coaxmetal/physical.nix b/lass/1systems/coaxmetal/physical.nix
index c94740c54..3632ffd3e 100644
--- a/lass/1systems/coaxmetal/physical.nix
+++ b/lass/1systems/coaxmetal/physical.nix
@@ -7,6 +7,7 @@
 
   networking.hostId = "e0c335ea";
   boot.zfs.requestEncryptionCredentials = true;
+  boot.zfs.enableUnstable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.grub = {
     enable = true;
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index d84502b3f..b84ce6acf 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -19,6 +19,7 @@ with import <stockholm/lib>;
           "networkmanager"
         ];
         useDefaultShell = true;
+        isNormalUser = true;
       };
       networking.networkmanager.enable = true;
       networking.wireless.enable = mkForce false;
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index fbd2d223f..d7bf62b40 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -23,7 +23,7 @@ with import <stockholm/lib>;
 
   users.users.mainUser.openssh.authorizedKeys.keys = [
     config.krebs.users.lass-android.pubkey
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMe23IAHn4Ow4J4i8M9GJshqvY80U11NKPLum6b1XLn" # weechat ssh tunnel
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel
   ];
 
   krebs.bindfs = {
diff --git a/lass/1systems/icarus/physical.nix b/lass/1systems/icarus/physical.nix
index 837872bf5..0b1aff4a8 100644
--- a/lass/1systems/icarus/physical.nix
+++ b/lass/1systems/icarus/physical.nix
@@ -45,16 +45,5 @@
     SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
   '';
 
-  services.thinkfan.enable = true;
-  services.thinkfan.levels = ''
-    (0,     0,      55)
-    (1,     48,     60)
-    (2,     50,     61)
-    (3,     52,     63)
-    (6,     60,     85)
-    (7,     80,     90)
-    (127,   89,     32767)
-  '';
-
   services.logind.lidSwitch = "ignore";
 }
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 25d688696..89a386139 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -345,6 +345,7 @@ with import <stockholm/lib>;
           home = "/var/download";
           useDefaultShell = true;
           uid = genid "download";
+          isSystemUser = true;
           openssh.authorizedKeys.keys = with config.krebs.users; [
             lass.pubkey
             lass-android.pubkey
diff --git a/lass/1systems/uriel/config.nix b/lass/1systems/uriel/config.nix
index b50dc63f5..c3ce8fced 100644
--- a/lass/1systems/uriel/config.nix
+++ b/lass/1systems/uriel/config.nix
@@ -23,6 +23,7 @@ with import <stockholm/lib>;
           "networkmanager"
         ];
         useDefaultShell = true;
+        isNormalUser = true;
       };
       networking.networkmanager.enable = true;
       hardware.pulseaudio = {
diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix
index 22c80b4da..bf818a9b2 100644
--- a/lass/1systems/xerxes/config.nix
+++ b/lass/1systems/xerxes/config.nix
@@ -81,11 +81,6 @@
   hardware.bluetooth = {
     enable = true;
     powerOnBoot = true;
-    # config.General.Disable = "Headset";
-    extraConfig = ''
-      [General]
-      Disable = Headset
-    '';
   };
   hardware.pulseaudio.package = pkgs.pulseaudioFull;
   # hardware.pulseaudio.configFile = pkgs.writeText "default.pa" ''
diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix
index 9f6fd3bf0..9aa97a8ce 100644
--- a/lass/2configs/bitcoin.nix
+++ b/lass/2configs/bitcoin.nix
@@ -4,12 +4,6 @@ let
   mainUser = config.users.extraUsers.mainUser;
 in {
 
-  krebs.per-user.bch.packages = [
-    pkgs.electron-cash
-  ];
-  krebs.per-user.bitcoin.packages = [
-    pkgs.electrum
-  ];
   users.extraUsers = {
     bch = {
       name = "bch";
@@ -17,6 +11,8 @@ in {
       home = "/home/bch";
       useDefaultShell = true;
       createHome = true;
+      packages = [ pkgs.electron-cash ];
+      isNormalUser = true;
     };
     bitcoin = {
       name = "bitcoin";
@@ -24,10 +20,25 @@ in {
       home = "/home/bitcoin";
       useDefaultShell = true;
       createHome = true;
+      packages = [ pkgs.electrum ];
+      isNormalUser = true;
+    };
+    monero = {
+      name = "monero";
+      description = "user for monero stuff";
+      home = "/home/monero";
+      useDefaultShell = true;
+      createHome = true;
+      packages = [
+        pkgs.monero
+        pkgs.monero-gui
+      ];
+      isNormalUser = true;
     };
   };
   security.sudo.extraConfig = ''
-    ${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL
-    ${mainUser.name} ALL=(bch) NOPASSWD: ALL
+    ${mainUser.name} ALL=(bch) ALL
+    ${mainUser.name} ALL=(bitcoin) ALL
+    ${mainUser.name} ALL=(monero) ALL
   '';
 }
diff --git a/lass/2configs/ciko.nix b/lass/2configs/ciko.nix
index 3d87fb620..f32f062ff 100644
--- a/lass/2configs/ciko.nix
+++ b/lass/2configs/ciko.nix
@@ -10,6 +10,7 @@ with import <stockholm/lib>;
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTUWm/fISw/gbuHvf3kwxGEuk1aY5HrNNvr8QXCQv0khDdaYmZSELbtFQtE04WGTWmackNcLpld5mETVyCM0BjOgqMJYQNhtywxfYcodEY5xxHCuGgA3S1t94MZub+DRodXCfB0yUV85Wbb0sltkMTJufMwYmLEGxSLRukxAOcNsXdjlyro96csmYrIiV6R7+REnz8OcR7sKlI4tvKA1mbvWmjbDBd1MZ8Jc0Lwf+b0H/rH69wEQIcB5HRHHJIChoAk0t2azSjXagk1+4AebONZTCKvTHxs/D2wUBIzoxyjmh5S0aso/cKw8qpKcl/A2mZiIvW3KMlJAM5U+RQKMrr"
     ];
+    isNormalUser = true;
   };
 
   system.activationScripts.user-shadow = ''
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 7b6f01148..193f4bef1 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -32,6 +32,7 @@ with import <stockholm/lib>;
           group = "users";
           createHome = true;
           useDefaultShell = true;
+          isNormalUser = true;
           extraGroups = [
             "audio"
             "fuse"
@@ -88,9 +89,7 @@ with import <stockholm/lib>;
 
   services.timesyncd.enable = mkForce true;
 
-  systemd.tmpfiles.rules = [
-    "d /tmp 1777 root root - -"
-  ];
+  boot.tmpOnTmpfs = true;
 
   # multiple-definition-problem when defining environment.variables.EDITOR
   environment.extraInit = ''
diff --git a/lass/2configs/elster.nix b/lass/2configs/elster.nix
index e3a88c789..5d68def35 100644
--- a/lass/2configs/elster.nix
+++ b/lass/2configs/elster.nix
@@ -12,6 +12,7 @@ in {
       useDefaultShell = true;
       extraGroups = [];
       createHome = true;
+      isNormalUser = true;
     };
   };
   krebs.per-user.elster.packages = [
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 67f250ef3..829773b87 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -78,6 +78,7 @@ in {
         # vdoomserver
         retroarchBare
       ];
+      isNormalUser = true;
     };
   };
 
diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix
index 3d4c1e306..89ccae408 100644
--- a/lass/2configs/gg23.nix
+++ b/lass/2configs/gg23.nix
@@ -8,6 +8,8 @@ with import <stockholm/lib>;
     prefixLength = 24;
   }];
 
+  networking.domain = "gg23";
+
   services.dhcpd4 = {
     enable = true;
     interfaces = [ "int0" ];
diff --git a/lass/2configs/htop.nix b/lass/2configs/htop.nix
index d9307347e..629d74235 100644
--- a/lass/2configs/htop.nix
+++ b/lass/2configs/htop.nix
@@ -3,7 +3,6 @@
 with import <stockholm/lib>;
 
 {
-  security.hideProcessInformation = true;
   nixpkgs.config.packageOverrides = super: {
     htop = pkgs.symlinkJoin {
       name = "htop";
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 6b2a0142a..48070ea06 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 
 {
-  users.users.lass.packages = with pkgs; [
+  users.users.mainUser.packages = with pkgs; [
     (pass.withExtensions (ext: [ ext.pass-otp ]))
     gnupg
   ];
diff --git a/lass/2configs/power-action.nix b/lass/2configs/power-action.nix
index c7bdb525d..648ffc784 100644
--- a/lass/2configs/power-action.nix
+++ b/lass/2configs/power-action.nix
@@ -32,9 +32,12 @@ in {
     user = "lass";
   };
 
-  users.users.power-action.extraGroups = [
-    "audio"
-  ];
+  users.users.power-action = {
+    isNormalUser = true;
+    extraGroups = [
+      "audio"
+    ];
+  };
 
   security.sudo.extraConfig = ''
     ${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${suspend}
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index cfc280e50..a474b0ebc 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -4,7 +4,6 @@ with import <stockholm/lib>;
 
 let
   name = "radio";
-  mainUser = config.users.extraUsers.mainUser;
 
   music_dir = "/home/radio/music";
 
@@ -84,6 +83,17 @@ let
       }'
   '';
 
+  set_irc_topic = pkgs.writeDash "set_irc_topic" ''
+    ${pkgs.curl}/bin/curl -fsSv --unix-socket /home/radio/reaktor.sock http://z/ \
+      -H content-type:application/json \
+      -d "$(${pkgs.jq}/bin/jq -n \
+        --arg text "$1" '{
+          command:"TOPIC",
+          params:["#the_playlist",$text]
+        }'
+      )"
+  '';
+
   write_to_irc = pkgs.writeDash "write_to_irc" ''
     ${pkgs.curl}/bin/curl -fsSv --unix-socket /home/radio/reaktor.sock http://z/ \
       -H content-type:application/json \
@@ -128,11 +138,25 @@ in {
 
   services.mpd = {
     enable = true;
-    group = "radio";
+    user = "radio";
     musicDirectory = "${music_dir}";
+    dataDir = "/home/radio/state"; # TODO create this somwhere
     extraConfig = ''
       log_level "default"
       auto_update "yes"
+      volume_normalization "yes"
+
+      audio_output {
+        type "httpd"
+        name "lassulus radio mp3"
+        encoder "lame" # optional
+        port "8002"
+        quality "5.0" # do not define if bitrate is defined
+        # bitrate "128" # do not define if quality is defined
+        format "44100:16:2"
+        always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
+        tags "yes" # httpd supports sending tags to listening streams.
+      }
 
       audio_output {
         type "httpd"
@@ -152,6 +176,7 @@ in {
     tables = {
       filter.INPUT.rules = [
         { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport 8002"; target = "ACCEPT"; }
         { predicate = "-i retiolum -p tcp --dport 8001"; target = "ACCEPT"; }
       ];
     };
@@ -200,10 +225,10 @@ in {
         ${pkgs.mpc_cli}/bin/mpc idle player > /dev/null
         ${pkgs.mpc_cli}/bin/mpc current -f %file%
       done | while read track; do
-        listeners=$(${pkgs.iproute}/bin/ss -Hno state established 'sport = :8000' | wc -l)
+        listeners=$(${pkgs.iproute}/bin/ss -Hno state established 'sport = :8000' | grep '^mptcp' | wc -l)
         echo "$(date -Is)" "$track" | tee -a "$HISTORY_FILE"
         echo "$(tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE"
-        ${write_to_irc} "playing: $track listeners: $listeners"
+        ${set_irc_topic} "playing: $track listeners: $listeners"
       done
     '';
   in {
@@ -349,7 +374,7 @@ in {
   };
   services.syncthing.declarative.folders."the_playlist" = {
     path = "/home/radio/music/the_playlist";
-    devices = [ "mors" "phone" "prism" "xerxes" ];
+    devices = [ "mors" "phone" "prism" ];
   };
   krebs.permown."/home/radio/music/the_playlist" = {
     owner = "radio";
diff --git a/lass/2configs/review.nix b/lass/2configs/review.nix
new file mode 100644
index 000000000..658f32084
--- /dev/null
+++ b/lass/2configs/review.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+let
+  mainUser = config.users.extraUsers.mainUser;
+in {
+
+  users.users.review = {
+    isNormalUser = true;
+    packages = [ pkgs.nixpkgs-review ];
+  };
+  security.sudo.extraConfig = ''
+    ${mainUser.name} ALL=(review) NOPASSWD: ALL
+  '';
+}
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index c43c8c902..e603f49da 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -170,6 +170,7 @@ in {
     home = "/home/UBIK-SFTP";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.xanf = {
@@ -178,6 +179,7 @@ in {
     home = "/home/xanf";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.domsen = {
@@ -185,8 +187,9 @@ in {
     description = "maintenance acc for domsen";
     home = "/home/domsen";
     useDefaultShell = true;
-    extraGroups = [ "nginx" "download" ];
+    extraGroups = [ "syncthing" "download" "xanf" ];
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.bruno = {
@@ -194,6 +197,7 @@ in {
     home = "/home/bruno";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.jla-trading = {
@@ -201,6 +205,7 @@ in {
     home = "/home/jla-trading";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.jms = {
@@ -208,6 +213,7 @@ in {
     home = "/home/jms";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.ms = {
@@ -215,6 +221,7 @@ in {
     home = "/home/ms";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.testuser = {
@@ -222,20 +229,23 @@ in {
     home = "/home/testuser";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
-  users.users.akayguen = {
-    uid = genid_uint31 "akayguen";
-    home = "/home/akayguen";
-    useDefaultShell = true;
-    createHome = true;
-  };
+  #users.users.akayguen = {
+  #  uid = genid_uint31 "akayguen";
+  #  home = "/home/akayguen";
+  #  useDefaultShell = true;
+  #  createHome = true;
+  #  isNormalUser = true;
+  #};
 
   users.users.bui = {
     uid = genid_uint31 "bui";
     home = "/home/bui";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.klabusterbeere = {
@@ -243,6 +253,7 @@ in {
     home = "/home/klabusterbeere";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.kasia = {
@@ -250,6 +261,7 @@ in {
     home = "/home/kasia";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
   };
 
   users.users.XANF_TEAM = {
@@ -258,6 +270,25 @@ in {
     home = "/home/XANF_TEAM";
     useDefaultShell = true;
     createHome = true;
+    isNormalUser = true;
+  };
+
+  users.users.dif = {
+    uid = genid_uint31 "dif";
+    home = "/home/dif";
+    useDefaultShell = true;
+    extraGroups = [ "xanf" ];
+    createHome = true;
+    isNormalUser = true;
+  };
+
+  users.users.lavafilms = {
+    uid = genid_uint31 "lavafilms";
+    home = "/home/lavafilms";
+    useDefaultShell = true;
+    extraGroups = [ "xanf" ];
+    createHome = true;
+    isNormalUser = true;
   };
 
   users.groups.xanf = {};
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 17df71310..bb983b78e 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -97,6 +97,7 @@ in {
     home = "/srv/http/lassul.us";
     useDefaultShell = true;
     createHome = true;
+    isSystemUser = true;
     openssh.authorizedKeys.keys = with config.krebs.users; [
       lass.pubkey
       lass-mors.pubkey
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index 5cb019c13..5476624c9 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -14,8 +14,9 @@ in {
       ];
       createHome = true;
       packages = [
-        pkgs.wineMinimal
+        pkgs.wineWowPackages.stable
       ];
+      isNormalUser = true;
     };
   };
   security.sudo.extraConfig = ''
diff --git a/lass/2configs/xonsh.nix b/lass/2configs/xonsh.nix
new file mode 100644
index 000000000..23ed28847
--- /dev/null
+++ b/lass/2configs/xonsh.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+  environment.systemPackages = [
+    pkgs.xonsh
+    pkgs.xonsh2
+  ];
+}
diff --git a/lass/3modules/browsers.nix b/lass/3modules/browsers.nix
index 0c77d4da8..4171abdb6 100644
--- a/lass/3modules/browsers.nix
+++ b/lass/3modules/browsers.nix
@@ -5,7 +5,9 @@ let
   cfg = config.lass.browser;
 
   browserScripts = {
-    chromium = "${pkgs.chromium}/bin/chromium";
+    brave = "${pkgs.brave}/bin/brave";
+    chrome = "${pkgs.google-chrome}/bin/chrome";
+    chromium = "${pkgs.ungoogled-chromium}/bin/chromium";
     firefox = "${pkgs.firefox.override {
         extraNativeMessagingHosts = [ pkgs.tridactyl-native ];
       }}/bin/firefox";
@@ -14,8 +16,9 @@ let
 
   browser-select = let
     sortedPaths = sort (a: b: a.value.precedence > b.value.precedence)
+                       (filter (x: ! x.value.hidden)
                        (mapAttrsToList (name: value: { inherit name value; })
-                                       cfg.config);
+                                       cfg.config));
   in if (lib.length sortedPaths) > 1 then
     pkgs.writeScriptBin "browser-select" ''
       BROWSER=$(echo -e "${concatStringsSep "\\n" (map (getAttr "name") sortedPaths)}" | ${pkgs.dmenu}/bin/dmenu)
@@ -48,6 +51,10 @@ in {
             type = types.str;
             default = config._module.args.name;
           };
+          hidden = mkOption {
+            type = types.bool;
+            default = false;
+          };
           precedence = mkOption {
             type = types.int;
             default = 0;
@@ -58,7 +65,7 @@ in {
           };
           browser = mkOption {
             type = types.enum (attrNames browserScripts);
-            default = "chromium";
+            default = "brave";
           };
           groups = mkOption {
             type = types.listOf types.str;
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index 37f90ee1c..526e12db7 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -147,6 +147,7 @@ with import <stockholm/lib>;
         useDefaultShell = true;
         createHome = true;
         extraGroups = cfg.groups;
+        isNormalUser = true;
       }
     ) config.lass.xjail;
 
diff --git a/lass/5pkgs/tdlib-purple/default.nix b/lass/5pkgs/tdlib-purple/default.nix
index 54841588e..d7937da58 100644
--- a/lass/5pkgs/tdlib-purple/default.nix
+++ b/lass/5pkgs/tdlib-purple/default.nix
@@ -1,6 +1,24 @@
-{ stdenv, fetchFromGitHub, cmake, tdlib, pidgin, libwebp, libtgvoip } :
+{ stdenv, pkgs, fetchFromGitHub, cmake, pidgin, libwebp, libtgvoip } :
 
-stdenv.mkDerivation rec {
+let
+
+  tdlib = stdenv.mkDerivation rec {
+    version = "1.6.0";
+    pname = "tdlib";
+
+    src = fetchFromGitHub {
+      owner = "tdlib";
+      repo = "td";
+      rev = "v${version}";
+      sha256 = "0zlzpl6fgszg18kwycyyyrnkm255dvc6fkq0b0y32m5wvwwl36cv";
+    };
+
+    buildInputs = with pkgs; [ gperf openssl readline zlib ];
+    nativeBuildInputs = [ pkgs.cmake ];
+
+  };
+
+in stdenv.mkDerivation rec {
   pname = "tdlib-purple";
   version = "0.7.8";
 
diff --git a/lass/5pkgs/xonsh2/default.nix b/lass/5pkgs/xonsh2/default.nix
new file mode 100644
index 000000000..d55d22445
--- /dev/null
+++ b/lass/5pkgs/xonsh2/default.nix
@@ -0,0 +1,56 @@
+{ lib, stdenv
+, fetchFromGitHub
+, python39Packages
+, glibcLocales
+, coreutils
+, git
+, extraInputs ? []
+}: let
+
+  python3Packages = python39Packages;
+
+in python3Packages.buildPythonApplication rec {
+  pname = "xonsh2";
+  version = "master";
+
+  # fetch from github because the pypi package ships incomplete tests
+  src = fetchFromGitHub {
+    owner = "anki-code";
+    repo = "xonsh2";
+    rev = "bd96fcdce9319ab6b90c7d9ac47d2249b61144d0";
+    sha256 = "0b632rac8macfp2mmvhh1f34cf1m5qfpjajwnf676qk7jzn79vx6";
+  };
+
+  LC_ALL = "en_US.UTF-8";
+
+  postPatch = ''
+    sed -ie 's|/usr/bin/env|${coreutils}/bin/env|' scripts/xon.sh
+    find scripts -name 'xonsh*' -exec sed -i -e "s|env -S|env|" {} \;
+    find -name "*.xsh" | xargs sed -ie 's|/usr/bin/env|${coreutils}/bin/env|'
+    patchShebangs .
+  '';
+
+  doCheck = false;
+
+  checkPhase = ''
+    HOME=$TMPDIR pytest -k 'not test_repath_backslash and not test_os and not test_man_completion and not test_builtins and not test_main and not test_ptk_highlight and not test_pyghooks'
+    HOME=$TMPDIR pytest -k 'test_builtins or test_main' --reruns 5
+    HOME=$TMPDIR pytest -k 'test_ptk_highlight'
+  '';
+
+  checkInputs = [ python3Packages.pytest python3Packages.pytest-rerunfailures glibcLocales git ];
+
+  propagatedBuildInputs = with python3Packages; [ ply prompt_toolkit pygments ] ++ extraInputs;
+
+  meta = with lib; {
+    description = "A Python-ish, BASHwards-compatible shell";
+    homepage = "https://xon.sh/";
+    # changelog = "https://github.com/xonsh/xonsh/releases/tag/${version}";
+    license = licenses.bsd3;
+    platforms = platforms.all;
+  };
+
+  passthru = {
+    shellPath = "/bin/xonsh2";
+  };
+}
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 763d36841..1cfa8e4a4 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -126,6 +126,9 @@ in {
       <stockholm/makefu/2configs/wireguard/server.nix>
       <stockholm/makefu/2configs/wireguard/wiregrill.nix>
 
+      { # recent changes mediawiki bot
+        networking.firewall.allowedUDPPorts = [ 5005 5006 ];
+      }
       # Removed until move: no extra mails
       # <stockholm/makefu/2configs/urlwatch>
       # Removed until move: avoid letsencrypt ban
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index 13918a9b1..6afe792ec 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -43,7 +43,6 @@ in {
       <stockholm/makefu/2configs/tools/dev.nix>
       <stockholm/makefu/2configs/tools/desktop.nix>
       <stockholm/makefu/2configs/tools/mobility.nix>
-      { environment.systemPackages = [ pkgs.esniper ]; }
       #<stockholm/makefu/2configs/graphite-standalone.nix>
       #<stockholm/makefu/2configs/share-user-sftp.nix>
 
@@ -97,7 +96,7 @@ in {
 
       <stockholm/makefu/2configs/home/airsonic.nix>
       <stockholm/makefu/2configs/home/photoprism.nix>
-      <stockholm/makefu/2configs/home/metube.nix>
+      # <stockholm/makefu/2configs/home/metube.nix>
       <stockholm/makefu/2configs/home/ham>
       <stockholm/makefu/2configs/home/zigbee2mqtt>
       {
@@ -141,6 +140,7 @@ in {
     ];
   makefu.full-populate =  true;
   nixpkgs.config.allowUnfree = true;
+  users.users.share.isNormalUser = true;
   users.groups.share = {
     gid = (import <stockholm/lib>).genid "share";
     members = [ "makefu" "misa" ];
@@ -152,6 +152,7 @@ in {
   users.users.misa = {
     uid = 9002;
     name = "misa";
+    isNormalUser = true;
   };
 
   zramSwap.enable = true;
diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix
index 80655f998..fee4145b9 100644
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@@ -130,7 +130,7 @@
       # Virtualization
       # <stockholm/makefu/2configs/virtualisation/libvirt.nix>
       <stockholm/makefu/2configs/virtualisation/docker.nix>
-      # <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
+      <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
       #{
       #  networking.firewall.allowedTCPPorts = [ 8080 ];
       #  networking.nat = {
diff --git a/makefu/1systems/x/x13/default.nix b/makefu/1systems/x/x13/default.nix
index ac601845a..ea557bbef 100644
--- a/makefu/1systems/x/x13/default.nix
+++ b/makefu/1systems/x/x13/default.nix
@@ -8,7 +8,7 @@
     <nixos-hardware/lenovo/thinkpad/l14/amd> # close enough
     # <stockholm/makefu/2configs/hw/tpm.nix>
     <stockholm/makefu/2configs/hw/ssd.nix>
-    <stockholm/makefu/2configs/hw/xmm7360.nix>
+    # <stockholm/makefu/2configs/hw/xmm7360.nix>
   ];
   boot.zfs.requestEncryptionCredentials = true;
   networking.hostId = "f8b8e0a2";
@@ -32,5 +32,9 @@
 
   users.groups.video = {};
   users.users.makefu.extraGroups = [ "video" ];
+
+  boot.extraModprobeConfig = ''
+    options thinkpad_acpi fan_control=1
+  '';
 }
 
diff --git a/makefu/1systems/x/x13/zfs.nix b/makefu/1systems/x/x13/zfs.nix
index adfebbf96..d6b99df41 100644
--- a/makefu/1systems/x/x13/zfs.nix
+++ b/makefu/1systems/x/x13/zfs.nix
@@ -13,6 +13,7 @@
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
+  boot.zfs.enableUnstable = true; # required for 21.05
   fileSystems."/" =
     { device = "zroot/root/nixos";
       fsType = "zfs";
diff --git a/makefu/2configs/bgt/download.binaergewitter.de.nix b/makefu/2configs/bgt/download.binaergewitter.de.nix
index 4abc7d345..6ce0606a8 100644
--- a/makefu/2configs/bgt/download.binaergewitter.de.nix
+++ b/makefu/2configs/bgt/download.binaergewitter.de.nix
@@ -22,6 +22,7 @@ in {
     uid = genid "auphonic";
     group = "nginx";
     useDefaultShell = true;
+    isSystemUser = true;
     openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
   };
 
diff --git a/makefu/2configs/bgt/hidden_service.nix b/makefu/2configs/bgt/hidden_service.nix
index c1a31b8dc..56d319e39 100644
--- a/makefu/2configs/bgt/hidden_service.nix
+++ b/makefu/2configs/bgt/hidden_service.nix
@@ -41,8 +41,8 @@ in
   services.tor = {
     enable = true;
     hiddenServices."${name}".map = [
-     { port = "80"; }
-     # { port = "443"; toHost = "blog.binaergewitter.de"; }
+     { port = 80; }
+     # { port = 443; toHost = "blog.binaergewitter.de"; }
     ];
   };
 }
diff --git a/makefu/2configs/bgt/social-to-irc.nix b/makefu/2configs/bgt/social-to-irc.nix
index 8e81f9b50..d02e60695 100644
--- a/makefu/2configs/bgt/social-to-irc.nix
+++ b/makefu/2configs/bgt/social-to-irc.nix
@@ -13,7 +13,7 @@
       channel = "#binaergewitter";
       notifyErrors = false;
       irc = {
-        host = "irc.freenode.net";
+        host = "irc.libera.chat";
         port = 6667;
       };
       #controller = {
diff --git a/makefu/2configs/bureautomation/default.nix b/makefu/2configs/bureautomation/default.nix
index 669754caf..46bf05963 100644
--- a/makefu/2configs/bureautomation/default.nix
+++ b/makefu/2configs/bureautomation/default.nix
@@ -6,7 +6,7 @@ in {
   imports = [
     ./ota.nix
     ./comic-updater.nix
-    ./puppy-proxy.nix
+    # ./puppy-proxy.nix
 
     ./zigbee2mqtt
 
diff --git a/makefu/2configs/dcpp/hub.nix b/makefu/2configs/dcpp/hub.nix
index fbbce1f09..d9a2869cc 100644
--- a/makefu/2configs/dcpp/hub.nix
+++ b/makefu/2configs/dcpp/hub.nix
@@ -33,10 +33,11 @@ let
   uhubDir = "/var/lib/uhub";
 
 in {
-  users.extraUsers."${ddclientUser}" = {
+  users.users."${ddclientUser}" = {
     uid = genid "ddclient";
     description = "ddclient daemon user";
     home = stateDir;
+    isSystemUser = true;
     createHome = true;
   };
 
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index be64e402e..52206c380 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -23,6 +23,7 @@ with import <stockholm/lib>;
       group = "users";
       home = "/home/makefu";
       createHome = true;
+      isNormalUser = true;
       useDefaultShell = true;
       extraGroups = [ "wheel" ];
         openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
diff --git a/makefu/2configs/deployment/dirctator.nix b/makefu/2configs/deployment/dirctator.nix
index 4f2f8818d..7303bb414 100644
--- a/makefu/2configs/deployment/dirctator.nix
+++ b/makefu/2configs/deployment/dirctator.nix
@@ -15,7 +15,7 @@ in {
     inputConfig = ''
       irc {
         channels => [ "#krebs", "#afra" ]
-        host => "irc.freenode.net"
+        host => "irc.hackint.org"
         nick => "dirctator"
       }
     '';
diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix
index 86bd4b524..0593cf7fc 100644
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@@ -75,7 +75,7 @@ in {
     };
   };
   services.redis.enable = true;
-  systemd.services.redis.serviceConfig.LimitNOFILE=65536;
+  systemd.services.redis.serviceConfig.LimitNOFILE=mkForce "65536";
   services.postgresql = {
     enable = true;
     # Ensure the database, user, and permissions always exist
diff --git a/makefu/2configs/deployment/rss.euer.krebsco.de.nix b/makefu/2configs/deployment/rss.euer.krebsco.de.nix
index a7ada9395..098ffcdd5 100644
--- a/makefu/2configs/deployment/rss.euer.krebsco.de.nix
+++ b/makefu/2configs/deployment/rss.euer.krebsco.de.nix
@@ -7,6 +7,11 @@ in {
     virtualHost = fqdn;
     selfUrlPath = "https://${fqdn}";
   };
+
+  nixpkgs.config.permittedInsecurePackages = [
+    "python2.7-Pillow-6.2.2"
+  ];
+
   systemd.services.tt-rss.serviceConfig.ExecStart = lib.mkForce "${pkgs.php}/bin/php /var/lib/tt-rss/update_daemon2.php";
   services.postgresql.package = pkgs.postgresql_9_6;
   state = [ config.services.postgresqlBackup.location ];
diff --git a/makefu/2configs/elchos/irc-token.nix b/makefu/2configs/elchos/irc-token.nix
index a91223b28..4844bf29f 100644
--- a/makefu/2configs/elchos/irc-token.nix
+++ b/makefu/2configs/elchos/irc-token.nix
@@ -17,7 +17,7 @@ in {
       echo "$message"
       LOGNAME=sec-announcer
       HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --transient)
-      IRC_SERVER=irc.freenode.net
+      IRC_SERVER=irc.hackint.org
       IRC_PORT=6667
       IRC_NICK=$HOSTNAME-$$
       IRC_CHANNEL='#eloop'
diff --git a/makefu/2configs/filepimp-share.nix b/makefu/2configs/filepimp-share.nix
index 70c0320a1..abbdcbbb2 100644
--- a/makefu/2configs/filepimp-share.nix
+++ b/makefu/2configs/filepimp-share.nix
@@ -6,7 +6,7 @@ let
 in {
   users.users.smbguest = {
     name = "smbguest";
-    uid = config.ids.uids.smbguest;
+    uid = config.ids.uids.smbguest; # effectively systemUser
     description = "smb guest user";
     home = "/var/empty";
   };
diff --git a/makefu/2configs/home/ham/automation/fenster_auf.nix b/makefu/2configs/home/ham/automation/fenster_auf.nix
index 871f248b9..b24f6445d 100644
--- a/makefu/2configs/home/ham/automation/fenster_auf.nix
+++ b/makefu/2configs/home/ham/automation/fenster_auf.nix
@@ -19,8 +19,8 @@ let
       [
         {
           service = "notify.signal_home";
-          data = {
-            message= "${name} seit ${toString min} Minuten offen\nBitte einmal checken ob das ok ist :)";
+          data_template = {
+            message = "${name} seit ${toString min} Minuten offen und draussen ist es gerade {{states.sensor.dark_sky_temperature.state}}°C bei {{states.sensor.dark_sky_humidity.state}}% Luftfeuchte";
           };
         }
         {
@@ -36,6 +36,7 @@ let
             platform = "state";
             entity_id = entity;
             to = "off";
+            for.seconds = 10;
           }
         ];
       condition = [
@@ -61,12 +62,13 @@ let
 in {
   services.home-assistant.config = {
     input_boolean = {
-      badezimmerfinester_lang_offen.name = "Badezimmer lange offen";
+      badezimmerfenster_lang_offen.name = "Badezimmer lange offen";
       duschfenster_lang_offen.name = "Duschfenster lange offen";
     };
     automation = [
       (fenster_geschlossen_lang "Badezimmerfenster" "binary_sensor.badezimmer_fenster_contact")
-      (fenster_geschlossen_lang "Duschfenster" "binary_sensor.badezimmer_fenster_contact")
+      (fenster_geschlossen_lang "Duschfenster" "binary_sensor.dusche_fenster_contact")
+
       (fenster_offen "Badezimmerfenster" "binary_sensor.badezimmer_fenster_contact")
       (fenster_offen "Duschfenster" "binary_sensor.dusche_fenster_contact")
     ];
diff --git a/makefu/2configs/home/ham/automation/pflanzen_giessen_erinnerung.nix b/makefu/2configs/home/ham/automation/pflanzen_giessen_erinnerung.nix
index 3aaa57bd6..32a373edc 100644
--- a/makefu/2configs/home/ham/automation/pflanzen_giessen_erinnerung.nix
+++ b/makefu/2configs/home/ham/automation/pflanzen_giessen_erinnerung.nix
@@ -5,22 +5,22 @@ let
   };
   notify_home = message: {
     service = "notify.signal_home";
-    data.message = message;
+    data_template.message = message;
   };
 in
 {
   services.home-assistant.config.automation =
   [
-    {
-      alias = "Pflanzen Giessen Erinnerung Daily";
-      trigger = {
-        platform = "time";
-        at = "12:15:00";
-      };
-      action = [
-        (notify_felix "Es ist Mittagszeit und du kannst ruhig einmal alle Blumen im Zimmer giessen")
-      ];
-    }
+    #{
+    #  alias = "Pflanzen Giessen Erinnerung Daily";
+    #  trigger = {
+    #    platform = "time";
+    #    at = "12:15:00";
+    #  };
+    #  action = [
+    #    (notify_felix "Es ist Mittagszeit und du kannst ruhig einmal alle Blumen im Zimmer giessen")
+    #  ];
+    #}
     {
       alias = "Pflanzen Giessen Erinnerung Weekly";
       trigger = {
@@ -32,7 +32,11 @@ in
         weekday = [ "sat" ];
       };
       action = [
-        (notify_home "Es ist Wochenende und die Pflanzen würden sich über ein bisschen Wasser freuen.")
+        (notify_home
+        ''Es ist Wochenende und die Pflanzen würden sich über ein bisschen Wasser freuen.
+         Die Wettervorhersage: {{states.sensor.dark_sky_summary.state}} mit einer Regenwahrscheinlichkeit von {{states.sensor.dark_sky_precip_probability.state}}%.
+         Aktuell sind es {{states.sensor.dark_sky_temperature.state}}°C bei {{states.sensor.dark_sky_humidity.state}}% Luftfeuchte.
+         Der UV Index liegt bei {{states.sensor.dark_sky_uv_index.state}}'')
       ];
     }
   ];
diff --git a/makefu/2configs/home/ham/default.nix b/makefu/2configs/home/ham/default.nix
index 11894906e..79f26a053 100644
--- a/makefu/2configs/home/ham/default.nix
+++ b/makefu/2configs/home/ham/default.nix
@@ -180,7 +180,8 @@ in {
       frontend = { };
       http = {
         use_x_forwarded_for = true;
-        server_host = "127.0.0.1";
+        #server_host = "127.0.0.1";
+        server_host = "0.0.0.0";
         trusted_proxies = [ "127.0.0.1" ];
         #trusted_proxies = [ "192.168.1.0/24" ];
       };
diff --git a/makefu/2configs/home/metube.nix b/makefu/2configs/home/metube.nix
index 50646d210..e6008d475 100644
--- a/makefu/2configs/home/metube.nix
+++ b/makefu/2configs/home/metube.nix
@@ -26,7 +26,10 @@ in
     ];
     user = "metube";
   };
-  users.users.metube.uid = uid;
+  users.users.metube = {
+    uid = uid;
+    isSystemUser = true;
+  };
 
   systemd.services.docker-metube.serviceConfig = {
     StandardOutput = lib.mkForce "journal";
diff --git a/makefu/2configs/home/zigbee2mqtt/default.nix b/makefu/2configs/home/zigbee2mqtt/default.nix
index 95ee56835..1c4582ed5 100644
--- a/makefu/2configs/home/zigbee2mqtt/default.nix
+++ b/makefu/2configs/home/zigbee2mqtt/default.nix
@@ -20,7 +20,7 @@ in
   services.zigbee2mqtt = {
     enable = true;
     inherit dataDir;
-    config = {
+    settings = {
       permit_join = true;
       serial.port = "/dev/cc2531";
       homeassistant = true;
diff --git a/makefu/2configs/lanparty/samba.nix b/makefu/2configs/lanparty/samba.nix
index 4176d7b35..0bd29497d 100644
--- a/makefu/2configs/lanparty/samba.nix
+++ b/makefu/2configs/lanparty/samba.nix
@@ -3,7 +3,7 @@
   networking.firewall.allowedTCPPorts = [ 139 445 ];
   users.users.smbguest = {
     name = "smbguest";
-    uid = config.ids.uids.smbguest;
+    uid = config.ids.uids.smbguest; #effectively systemUser
     description = "smb guest user";
     home = "/data/lanparty";
     createHome = true;
diff --git a/makefu/2configs/nsupdate-data.nix b/makefu/2configs/nsupdate-data.nix
index cfa6193c6..2f8f4acc4 100644
--- a/makefu/2configs/nsupdate-data.nix
+++ b/makefu/2configs/nsupdate-data.nix
@@ -34,6 +34,7 @@ in {
     description = "ddclient daemon user";
     home = stateDir;
     createHome = true;
+    isSystemUser = true;
   };
 
   systemd.services = {
diff --git a/makefu/2configs/remote-build/slave.nix b/makefu/2configs/remote-build/slave.nix
index 0227f512a..039698f1d 100644
--- a/makefu/2configs/remote-build/slave.nix
+++ b/makefu/2configs/remote-build/slave.nix
@@ -1,11 +1,12 @@
 {config,...}:{
   nix.trustedUsers = [ "nixBuild" ];
   users.users.nixBuild = {
-      name = "nixBuild";
-      useDefaultShell = true;
-      openssh.authorizedKeys.keys = [
-        config.krebs.users.buildbotSlave.pubkey
-        config.krebs.users.makefu-remote-builder.pubkey
-      ];
-    };
+    name = "nixBuild";
+    isNormalUser = true;
+    useDefaultShell = true;
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.buildbotSlave.pubkey
+      config.krebs.users.makefu-remote-builder.pubkey
+    ];
+  };
 }
diff --git a/makefu/2configs/share-user-sftp.nix b/makefu/2configs/share-user-sftp.nix
index 2c93143ec..26f1d3ba3 100644
--- a/makefu/2configs/share-user-sftp.nix
+++ b/makefu/2configs/share-user-sftp.nix
@@ -5,6 +5,7 @@
     share = {
       uid = 9002;
       home = "/var/empty";
+      isNormalUser = true;
       openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
     };
   };
diff --git a/makefu/2configs/share/gum.nix b/makefu/2configs/share/gum.nix
index 27e0c638b..fd81f28ca 100644
--- a/makefu/2configs/share/gum.nix
+++ b/makefu/2configs/share/gum.nix
@@ -11,7 +11,10 @@ in {
   #   home = "/var/empty";
   # };
   environment.systemPackages = [ pkgs.samba ];
-  users.users.download.uid = genid "download";
+  users.users.download = {
+    uid = genid "download";
+    isNormalUser = true;
+  };
   services.samba = {
     enable = true;
     shares = {
diff --git a/makefu/2configs/share/temp-share-samba.nix b/makefu/2configs/share/temp-share-samba.nix
index ac0eaa978..56beb5b42 100644
--- a/makefu/2configs/share/temp-share-samba.nix
+++ b/makefu/2configs/share/temp-share-samba.nix
@@ -9,7 +9,7 @@
   networking.firewall.allowedTCPPorts = [ 139 445 ];
   users.users.smbguest = {
     name = "smbguest";
-    uid = config.ids.uids.smbguest;
+    uid = config.ids.uids.smbguest; # effectively systemUser
     description = "smb guest user";
     home = "/home/share";
     createHome = true;
diff --git a/makefu/2configs/share/wbob.nix b/makefu/2configs/share/wbob.nix
index 9695751ff..f2c36b551 100644
--- a/makefu/2configs/share/wbob.nix
+++ b/makefu/2configs/share/wbob.nix
@@ -3,7 +3,7 @@
   networking.firewall.allowedTCPPorts = [ 139 445 ];
   users.users.smbguest = {
     name = "smbguest";
-    uid = config.ids.uids.smbguest;
+    uid = config.ids.uids.smbguest;  # effectively systemUser
     description = "smb guest user";
     home = "/home/share";
     createHome = true;
diff --git a/makefu/2configs/stats/arafetch.nix b/makefu/2configs/stats/arafetch.nix
index e96daa038..c8ccbfbb9 100644
--- a/makefu/2configs/stats/arafetch.nix
+++ b/makefu/2configs/stats/arafetch.nix
@@ -23,6 +23,7 @@ in {
     uid = genid "arafetch";
     inherit home;
     createHome = true;
+    isSystemUser = true;
   };
 
   systemd.services.ara2mqtt = {
diff --git a/makefu/2configs/systemdultras/ircbot.nix b/makefu/2configs/systemdultras/ircbot.nix
index 006cafec0..20cdf7ba7 100644
--- a/makefu/2configs/systemdultras/ircbot.nix
+++ b/makefu/2configs/systemdultras/ircbot.nix
@@ -11,7 +11,7 @@
     config = {
       channel = "#systemdultras";
       irc = {
-        host = "irc.freenode.net";
+        host = "irc.hackint.org";
         port = 6667;
       };
       notifyErrors = false;
diff --git a/makefu/2configs/temp/share-samba.nix b/makefu/2configs/temp/share-samba.nix
index 34f0ab0b4..106f8fac6 100644
--- a/makefu/2configs/temp/share-samba.nix
+++ b/makefu/2configs/temp/share-samba.nix
@@ -1,7 +1,7 @@
 {config, ... }:{
   users.users.smbguest = {
     name = "smbguest";
-    uid = config.ids.uids.smbguest;
+    uid = config.ids.uids.smbguest;  # effectively systemUser
     group = "share";
     description = "smb guest user";
     home = "/var/empty";
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index 5a29eea85..763603dfd 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -16,7 +16,10 @@
     saleae-logic
     gitAndTools.gitFull
     signal-desktop
+    element-desktop
     # rambox
+
     vscode
+    chitubox
   ];
 }
diff --git a/makefu/2configs/tools/media.nix b/makefu/2configs/tools/media.nix
index d66ea7760..14e782e3f 100644
--- a/makefu/2configs/tools/media.nix
+++ b/makefu/2configs/tools/media.nix
@@ -15,6 +15,6 @@
     streamripper
     youtube-dl
 
-    pulseeffects
+    pulseeffects-legacy # for pulse
   ];
 }
diff --git a/makefu/2configs/tools/sec.nix b/makefu/2configs/tools/sec.nix
index 17a980ef7..acc22d647 100644
--- a/makefu/2configs/tools/sec.nix
+++ b/makefu/2configs/tools/sec.nix
@@ -4,7 +4,7 @@
   users.users.makefu.packages = with pkgs; [
     aria2
     # mitmproxy
-    pythonPackages.binwalk-full
+    python3Packages.binwalk-full
     dnsmasq
     iodine
     mtr
diff --git a/makefu/3modules/ps3netsrv.nix b/makefu/3modules/ps3netsrv.nix
index 5222e50ac..30070430c 100644
--- a/makefu/3modules/ps3netsrv.nix
+++ b/makefu/3modules/ps3netsrv.nix
@@ -50,6 +50,7 @@ let
     # TODO only create if user is ps3netsrv
     users.users.ps3netsrv = {
       uid = genid "ps3netsrv";
+      isSystemUser = true;
     };
     users.groups.ps3netsrv.gid = genid "ps3netsrv";
   };
diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg
index bbf15e603..049c145dd 100644
--- a/makefu/5pkgs/awesomecfg/full.cfg
+++ b/makefu/5pkgs/awesomecfg/full.cfg
@@ -489,6 +489,8 @@ awful.rules.rules = {
        properties = { tag = tags[4] } },
     { rule = { class = "telegram-desktop" },
        properties = { tag = tags[4] } },
+    { rule = { class = "element-desktop" },
+       properties = { tag = tags[4] } },
     { rule = { class = "mutt" },
        properties = { tag = tags[5] } },
     { rule = { class = "mosh" },
diff --git a/makefu/5pkgs/chitubox/default.nix b/makefu/5pkgs/chitubox/default.nix
new file mode 100644
index 000000000..bea33e64f
--- /dev/null
+++ b/makefu/5pkgs/chitubox/default.nix
@@ -0,0 +1,67 @@
+{ stdenv, autoPatchelfHook, libglvnd
+, libgcrypt,zlib,glib,fontconfig,freetype,libdrm
+, libxkbcommon
+, libpulseaudio
+, xlibs
+, gst_all_1
+, kerberos
+, alsaLib
+}:
+# via https://raw.githubusercontent.com/simon-the-sourcerer-ab/chitubox/main/default.nix
+stdenv.mkDerivation rec {
+  pname = "chitubox";
+
+  version = "1.8.1";
+
+  src = builtins.fetchTarball {
+    #url = "https://sac.chitubox.com/software/download.do?softwareId=17839&softwareVersionId=v${version}&fileName=CHITUBOX_V${version}.tar.gz";
+    url = "https://archive.org/download/chitubox-v-1.8.1.tar/CHITUBOX_V${version}.tar.gz";
+    sha256 = "08fh8w7s5qvlx6bhdg24g81a7zprq7n8m27w2vdv0cd8j0wixbsx";
+  };
+  nativeBuildInputs = [ autoPatchelfHook ];
+
+  buildInputs = with xlibs; [ stdenv.cc.cc.lib libglvnd libgcrypt zlib glib fontconfig freetype libdrm 
+  libxkbcommon libpulseaudio kerberos alsaLib
+  xcbutilwm xcbutilimage xcbutilrenderutil xcbutilkeysyms
+  gst_all_1.gst-plugins-base gst_all_1.gstreamer
+];
+
+  buildPhase = ''
+    mkdir -p bin
+    mv CHITUBOX bin/chitubox
+
+    # Remove unused stuff
+    rm AppRun
+
+    # Place resources where ChiTuBox can expect to find them
+    mkdir ChiTuBox
+    mv resource ChiTuBox/
+
+    # Configure Qt paths
+    cat << EOF > bin/qt.conf
+      [Paths]
+      Prefix = $out
+      Plugins = plugins
+      Imports = qml
+      Qml2Imports = qml
+    EOF
+  '';
+
+  installPhase = ''
+    mkdir -p $out
+    mv * $out/
+  '';
+
+  autoPatchelfIgnoreMissingDeps=true;
+
+  meta = {
+    description = "A Revolutionary Tool to Change 3D Printing Processes within One Click";
+    homepage = "https://www.chitubox.com";
+    license = {
+      fullName = "ChiTuBox EULA";
+      shortName = "ChiTuBox";
+      url = "https://www.chitubox.com";
+    };
+  };
+}
+
diff --git a/makefu/5pkgs/droidcam/default.nix b/makefu/5pkgs/droidcam/default.nix
deleted file mode 100644
index d30fb01a6..000000000
--- a/makefu/5pkgs/droidcam/default.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ stdenv, fetchFromGitHub
-, pkg-config
-, alsaLib
-, libjpeg_turbo
-, ffmpeg
-, libusbmuxd
-, speex
-, gtk3
-, libappindicator-gtk3
-}:
-
-stdenv.mkDerivation rec {
-  pname = "droidcam";
-  version = "1.6";
-
-  src = fetchFromGitHub {
-    owner = "aramg";
-    repo = "droidcam";
-    rev = "v${version}";
-    sha256 = "1d9qpnmqa3pfwsrpjnxdz76ipk4w37bbxyrazchh4vslnfc886fx";
-  };
-
-  sourceRoot = "source/linux";
-
-  nativeBuildInputs = [ pkg-config ];
-  buildInputs = [
-    alsaLib
-    libjpeg_turbo
-    ffmpeg
-    libusbmuxd
-    speex
-    gtk3
-    libappindicator-gtk3
-  ];
-
-  buildPhase = ''
-    runHook preBuild
-    make JPEG_DIR="" JPEG_INCLUDE="" JPEG_LIB="" JPEG="$(pkg-config --libs --cflags libturbojpeg)"
-  '';
-  installPhase = ''
-    runHook preInstall
-    install -Dm755 "droidcam" "$out/bin/droidcam"
-    install -Dm755 "droidcam-cli" "$out/bin/droidcam-cli"
-    install -Dm644 icon2.png "$out/share/pixmaps/droidcam.png"
-    install -Dm644 README.md "$out/share/licenses/droidcam/LICENSE"
-  '';
-
-  meta = with stdenv.lib; {
-    description = "A kernel module to create V4L2 loopback devices";
-    homepage = "https://github.com/aramg/droidcam";
-    license = licenses.gpl2;
-    maintainers = [ maintainers.makefu ];
-    platforms = platforms.linux;
-  };
-}
diff --git a/makefu/5pkgs/hdl-dump/default.nix b/makefu/5pkgs/hdl-dump/default.nix
deleted file mode 100644
index bd454223a..000000000
--- a/makefu/5pkgs/hdl-dump/default.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub, upx, wine }:
-stdenv.mkDerivation rec {
-  pname = "hdl-dump";
-  version = "75df8d7";
-  name = "${pname}-${version}";
-
-  src = fetchFromGitHub {
-    owner = "AKuHAK";
-    repo = "hdl-dump";
-    rev = version;
-    sha256 = "10jjr6p5yn0c182x17m7q68jmf8gizcny7wjxw7z5yh0fv5s48z4";
-  };
-
-  buildInputs = [ upx wine ];
-
-  makeFlags = [ "RELEASE=yes" ];
-
-  # uses wine, currently broken
-  #postBuild = ''
-  #  make -C gui
-  #'';
-
-  installPhase = ''
-    mkdir -p $out/bin
-    cp hdl_dump $out/bin
-  '';
-
-  meta = {
-    homepage = https://github.com/AKuHAK/hdl-dump ;
-    description = "copy isos to psx hdd";
-    license = lib.licenses.gpl2;
-  };
-}
diff --git a/makefu/5pkgs/shiori/default.nix b/makefu/5pkgs/shiori/default.nix
index ee4aa9304..7de1e5ae1 100644
--- a/makefu/5pkgs/shiori/default.nix
+++ b/makefu/5pkgs/shiori/default.nix
@@ -1,6 +1,6 @@
-{ go_1_14, buildGoPackage, fetchFromGitHub }:
+{ buildGoPackage, fetchFromGitHub }:
 let
-  builder = buildGoPackage.override { go = go_1_14; };
+  builder = buildGoPackage;
 in
 builder rec {
   name = "shiori-${version}";
diff --git a/makefu/5pkgs/tt-rss/default.nix b/makefu/5pkgs/tt-rss/default.nix
deleted file mode 100644
index 4907a73a5..000000000
--- a/makefu/5pkgs/tt-rss/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ stdenv, fetchurl }:
-
-stdenv.mkDerivation rec {
-  pname = "tt-rss";
-  version = "2020-09-23";
-  rev = "d0ed7890df";
-
-  src = fetchurl {
-    url = "https://git.tt-rss.org/git/tt-rss/archive/${rev}.tar.gz";
-    sha256 = "1b2fczd41bqg9bq37r99svrqswr9qrp35m6gn3nz032yqcwc22ij";
-  };
-
-  installPhase = ''
-    mkdir $out
-    cp -ra * $out/
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Web-based news feed (RSS/Atom) aggregator";
-    license = licenses.gpl2Plus;
-    homepage = "https://tt-rss.org";
-    maintainers = with maintainers; [ globin zohl ];
-    platforms = platforms.all;
-  };
-}
diff --git a/makefu/krops.nix b/makefu/krops.nix
index 697039720..fd53f004e 100644
--- a/makefu/krops.nix
+++ b/makefu/krops.nix
@@ -77,7 +77,7 @@
     (lib.mkIf ( host-src.home-manager ) {
       home-manager.git = {
         url = https://github.com/rycee/home-manager;
-        ref = "63f299b";
+        ref = "fd5fbb0a241f644908cdf01ccd1821d0606fb4fd";
       };
     })
   ];