From fa8abf4a270596ec418f923216c57c95c50cf7c8 Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 17 Oct 2015 23:51:02 +0200 Subject: [PATCH 01/25] m 3,5 tinc_graphs: use new tinc_graphs --- makefu/3modules/tinc_graphs.nix | 6 ++++-- makefu/5pkgs/tinc_graphs/default.nix | 5 +++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/makefu/3modules/tinc_graphs.nix b/makefu/3modules/tinc_graphs.nix index 62d607527..ff2f55873 100644 --- a/makefu/3modules/tinc_graphs.nix +++ b/makefu/3modules/tinc_graphs.nix @@ -83,7 +83,9 @@ let ExecStartPre = pkgs.writeScript "tinc_graphs-init" '' #!/bin/sh - mkdir -p "${external_dir}" "${internal_dir}" + if ! test -e "${cfg.workingDir}/internal/index.html"; then + cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}" + fi ''; ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs"; @@ -94,10 +96,10 @@ let # this is needed because homedir is created with 700 chmod 755 "${cfg.workingDir}" ''; + PrivateTmp = "yes"; User = "root"; # tinc cannot be queried as user, # seems to be a tinc-pre issue - privateTmp = true; }; }; diff --git a/makefu/5pkgs/tinc_graphs/default.nix b/makefu/5pkgs/tinc_graphs/default.nix index 5bc974157..62a787d30 100644 --- a/makefu/5pkgs/tinc_graphs/default.nix +++ b/makefu/5pkgs/tinc_graphs/default.nix 
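Review bot: The removed `mkdir -p "${external_dir}" "${internal_dir}"` was the only step in this ExecStartPre that created `external_dir`, and the replacement `cp -fr` only populates the internal directory, so the external graphs directory is no longer guaranteed to exist when `all-the-graphs` runs. The guard tests `${cfg.workingDir}/internal/index.html` while the copy targets `${internal_dir}`; unless both resolve to the same path (the `let` bindings are outside the hunk) the check never becomes true and the static files are re-copied on every start. `cp -r src/ dest` also nests `src` under `dest` when `dest` already exists, which would leave `index.html` one level deeper than the guard expects. Keeping the `mkdir -p` line and copying the directory contents with `cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/." "${internal_dir}/"` would make both outcomes deterministic.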
@@ -2,20 +2,21 @@ python3Packages.buildPythonPackage rec { name = "tinc_graphs-${version}"; - version = "0.2.12"; + version = "0.3.6"; propagatedBuildInputs = with pkgs;[ python3Packages.pygeoip ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat ]; src = fetchurl { url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz"; - sha256 = "03jxvxahpcbpnz4668x32b629dwaaz5jcjkyaijm0zzpgcn4cbgp"; + sha256 = "0ghdx9aaipmppvc2b6cgks4nxw6zsb0fhjrmnisbx7rz0vjvzc74"; }; preFixup = with pkgs;'' wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin" wrapProgram $out/bin/all-the-graphs --prefix PATH : "${imagemagick}/bin:${graphviz}/bin:$out/bin" wrapProgram $out/bin/tinc-stats2json --prefix PATH : "${tinc}/bin" ''; + meta = { homepage = http://krebsco.de/; description = "Create Graphs from Tinc Stats"; From 3175318eb0542d0751491b7f9e881d50f8ba6741 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 19 Oct 2015 19:46:26 +0200 Subject: [PATCH 02/25] m 2 cgit: add tinc_graphs repo --- makefu/2configs/git/cgit-retiolum.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 1277a014e..189dd66c8 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -10,6 +10,9 @@ let stockholm = { desc = "Make all the systems into 1systems!"; }; + tinc_graphs = { + desc = "Tinc Advanced Graph Generation"; + }; }; priv-repos = mapAttrs make-priv-repo { From 7656868d1b3232d5a17ed422c25c38e37c81e588 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 19 Oct 2015 19:48:56 +0200 Subject: [PATCH 03/25] m 1 wry: start Reaktor --- makefu/1systems/wry.nix | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 819a208ac..d8c8d6fa1 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix 
@@ -5,23 +5,29 @@ let ip = (lib.head config.krebs.build.host.nets.internet.addrs4); in { imports = [ - ../../tv/2configs/CAC-CentOS-7-64bit.nix - ../2configs/base.nix - ../2configs/base-sources.nix - ../2configs/tinc-basic-retiolum.nix + # TODO: copy this config or move to krebs + ../../tv/2configs/CAC-CentOS-7-64bit.nix + ../2configs/base.nix + ../2configs/base-sources.nix + ../2configs/tinc-basic-retiolum.nix + + # Reaktor + ../2configs/Reaktor/simpleExtend.nix ]; + krebs.Reaktor.enable = true; + networking.firewall.allowPing = true; networking.interfaces.enp2s1.ip4 = [ - { - address = ip; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.233.87.1"; - networking.nameservers = [ - "8.8.8.8" - ]; + { + address = ip; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.233.87.1"; + networking.nameservers = [ + "8.8.8.8" + ]; # based on ../../tv/2configs/CAC-Developer-2.nix sound.enable = false; From 952c03b3742cc1a979e4a1c148d083f1334cfe65 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 19 Oct 2015 20:02:29 +0200 Subject: [PATCH 04/25] krebs 5 retiolum-bootstrap: init new_install.sh package --- krebs/5pkgs/retiolum-bootstrap/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 krebs/5pkgs/retiolum-bootstrap/default.nix diff --git a/krebs/5pkgs/retiolum-bootstrap/default.nix b/krebs/5pkgs/retiolum-bootstrap/default.nix new file mode 100644 index 000000000..d3bcc05db --- /dev/null +++ b/krebs/5pkgs/retiolum-bootstrap/default.nix @@ -0,0 +1,6 @@ +{ fetchurl }: + +fetchurl { + url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh; + sha256 = "03kmil8q2xm3rdm2jxyah7vww84pw6w01d0c3siid9zpn2j7la9s"; +} From 5a1808617aa121b8fc66389d8e92e387bb25a64c Mon Sep 17 00:00:00 2001 
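Review bot: The new `fetchurl` in `krebs/5pkgs/retiolum-bootstrap/default.nix` downloads `new_install.sh` from the `master` branch of the painload repository instead of an immutable revision. The sha256 still protects the build — an upstream change becomes a hash mismatch rather than a silently different script — but the package breaks as soon as master moves, and the hash alone gives no way to find the revision it was computed from. Replacing `master` in the URL with the commit id the hash belongs to (`<commit-sha>` as a placeholder until looked up) keeps the derivation reproducible and makes the pinned content reviewable.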
From: makefu Date: Mon, 19 Oct 2015 21:49:08 +0200 Subject: [PATCH 05/25] krebs 5 retiolum-bootstrap: packing to be used by nginx --- krebs/5pkgs/retiolum-bootstrap/default.nix | 31 +++++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/krebs/5pkgs/retiolum-bootstrap/default.nix b/krebs/5pkgs/retiolum-bootstrap/default.nix index d3bcc05db..331b1cb7f 100644 --- a/krebs/5pkgs/retiolum-bootstrap/default.nix +++ b/krebs/5pkgs/retiolum-bootstrap/default.nix @@ -1,6 +1,29 @@ -{ fetchurl }: +{ stdenv,lib,fetchurl, ... }: +with lib; +stdenv.mkDerivation rec { + name = "retiolum-bootstrap"; + version = "4.2.3"; -fetchurl { - url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh; - sha256 = "03kmil8q2xm3rdm2jxyah7vww84pw6w01d0c3siid9zpn2j7la9s"; + + src = fetchurl { + url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh; + sha256 = "03kmil8q2xm3rdm2jxyah7vww84pw6w01d0c3siid9zpn2j7la9s"; + }; + + phases = [ + "installPhase" + ]; + + installPhase = '' + mkdir -p "$out" + cp -a ${src} $out/retiolum.sh + ''; + + meta = { + description = "Retiolum boostrap scripts"; + url = https://github.com/krebscode/painload; + license = licenses.wtfpl; + platforms = platforms.unix; + maintainers = with maintainers; [ makefu ]; + }; } From 754ea55ab89cdeffaac7b4b66ca792558fed9237 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 19 Oct 2015 21:50:08 +0200 Subject: [PATCH 06/25] krebs 3 retiolum-bootstrap: init module --- krebs/3modules/default.nix | 1 + krebs/3modules/retiolum-bootstrap.nix | 60 +++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 krebs/3modules/retiolum-bootstrap.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index ff0cc8346..756245c0b 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
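Review bot: `meta.url` is not a nixpkgs meta attribute; the conventional key for the upstream location is `meta.homepage`, so the line should read `homepage = https://github.com/krebscode/painload;`. The `version = "4.2.3";` binding is never used in `name`, so the store path carries no version; either drop it or use `name = "retiolum-bootstrap-${version}";`. The description also has a typo and should be `description = "Retiolum bootstrap scripts";`.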
@@ -14,6 +14,7 @@ let ./iptables.nix ./nginx.nix ./Reaktor.nix + ./retiolum-bootstrap.nix ./realwallpaper.nix ./retiolum.nix ./urlwatch.nix diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix new file mode 100644 index 000000000..5cce4c2af --- /dev/null +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.krebs.retiolum-bootstrap; + + out = { + options.krebs.retiolum-bootstrap = api; + config = mkIf cfg.enable imp ; + }; + + api = { + enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de"; + hostname = mkOption { + type = types.str; + description = "hostname which serves tinc boot"; + default = "tinc.krebsco.de" ; + }; + ssl_certificate_key = mkOption { + type = types.str; + description = "Certificate key to use for ssl"; + default = "/root/secrets/tinc.krebsco.de.key"; + }; + ssl_certificate = mkOption { + type = types.str; + description = "Certificate file to use for ssl"; + default = "/root/secrets/tinc.krebsco.de.crt" ; + }; + # in use: + # + # + }; + + imp = { + # TODO: assert krebs nginx + + krebs.nginx.servers = { + retiolum-boot-redir = { + server-names = singleton cfg.hostname; + extraConfig = '' + return 301 https://$server_name$request_uri; + ''; + locations = []; + }; + retiolum-boot-ssl = { + server-names = singleton cfg.hostname; + listen = "443 ssl"; + extraConfig = '' + ssl_certificate ${cfg.ssl_certificate}; + ssl_certificate_key ${cfg.ssl_certificate_key}; + root ${pkgs.retiolum-bootstrap}; + try_files $uri $uri/retiolum.sh; + ''; + locations = []; + }; + }; + }; + +in +out From 858034cc615469c6e4b7e48711f6fb026f16ffb4 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 19 Oct 2015 21:51:20 +0200 Subject: [PATCH 07/25] m 1 wry: host is the new provider for tinc.krebsco.de --- krebs/3modules/makefu/default.nix | 2 +- makefu/1systems/wry.nix | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) 
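Review bot: `ssl_certificate_key` and `ssl_certificate` are declared as `types.str` with defaults under `/root/secrets`, which is the right choice for key material, but nothing says why, and a later reader may be tempted to "fix" them to `types.path`, which copies a path-literal value into the world-readable Nix store. I would add above `ssl_certificate_key`: `# types.str on purpose: a types.path given as a path literal is copied into the Nix store; nginx reads the key from this path at runtime.` The `# in use:` block with two empty comment lines carries no information and can go. `retiolum-boot-redir` sets no `listen`, so it depends on whatever `krebs.nginx` defaults to (not visible here); naming the port explicitly would make the pairing with the `443 ssl` server obvious.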
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 4628b2acc..659e71458 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -130,7 +130,6 @@ with import ../../4lib { inherit lib; }; io IN NS pigstarter.krebsco.de. pigstarter IN A ${head nets.internet.addrs4} gold IN A ${head nets.internet.addrs4} - tinc IN A ${head nets.internet.addrs4} boot IN A ${head nets.internet.addrs4}''; }; nets = { @@ -167,6 +166,7 @@ with import ../../4lib { inherit lib; }; "krebsco.de" = '' wry IN A ${head nets.internet.addrs4} graphs IN A ${head nets.internet.addrs4} + tinc IN A ${head nets.internet.addrs4} ''; }; nets = rec { diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index d8c8d6fa1..03b19d1c7 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -34,15 +34,19 @@ in { # prepare graphs nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + krebs.nginx.enable = true; + krebs.retiolum-bootstrap.enable = true; makefu.tinc_graphs.enable = true; + makefu.tinc_graphs.krebsNginx = { enable = true; # TODO: remove hard-coded hostname hostnames_complete = [ "graphs.wry" ]; hostnames_anonymous = [ "graphs.krebsco.de" ]; }; - networking.firewall.allowedTCPPorts = [80]; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; krebs.build = { user = config.krebs.users.makefu; From 8d3ebfc096c10e9d498ca0bed934ad9e35e6c022 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 19 Oct 2015 21:57:05 +0200 Subject: [PATCH 08/25] krebs 3 retiolum-bootstrap: fix assert todo --- krebs/3modules/retiolum-bootstrap.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index 5cce4c2af..eed11642f 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix 
@@ -32,9 +32,7 @@ let }; imp = { - # TODO: assert krebs nginx - - krebs.nginx.servers = { + krebs.nginx.servers = assert config.krebs.nginx.enable; { retiolum-boot-redir = { server-names = singleton cfg.hostname; extraConfig = '' From ded0821d9bf7c85e2197cb7811d5f95987ded02e Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 19 Oct 2015 23:46:10 +0200 Subject: [PATCH 09/25] m 1,2 : wry serves as iodine entry point --- krebs/3modules/makefu/default.nix | 2 +- makefu/1systems/wry.nix | 4 +++- makefu/2configs/base-sources.nix | 6 +++--- makefu/2configs/iodined.nix | 16 ++++++++++++++++ 4 files changed, 23 insertions(+), 5 deletions(-) create mode 100644 makefu/2configs/iodined.nix diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 659e71458..acc5d7dd2 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -127,7 +127,6 @@ with import ../../4lib { inherit lib; }; "krebsco.de" = '' IN MX 10 mx42 euer IN MX 1 aspmx.l.google.com. - io IN NS pigstarter.krebsco.de. pigstarter IN A ${head nets.internet.addrs4} gold IN A ${head nets.internet.addrs4} boot IN A ${head nets.internet.addrs4}''; @@ -165,6 +164,7 @@ with import ../../4lib { inherit lib; }; extraZones = { "krebsco.de" = '' wry IN A ${head nets.internet.addrs4} + io IN NS wry.krebsco.de. graphs IN A ${head nets.internet.addrs4} tinc IN A ${head nets.internet.addrs4} ''; diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 03b19d1c7..a7ed93c43 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -11,6 +11,8 @@ in { ../2configs/base-sources.nix ../2configs/tinc-basic-retiolum.nix + ../2configs/iodined.nix + # Reaktor ../2configs/Reaktor/simpleExtend.nix ]; @@ -46,7 +48,7 @@ in { hostnames_anonymous = [ "graphs.krebsco.de" ]; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ 53 80 443 ]; krebs.build = { user = config.krebs.users.makefu; 
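Review bot: `assert config.krebs.nginx.enable;` on the `krebs.nginx.servers` line aborts evaluation with a bare "assertion failed at …" message that does not tell the user which option to enable. The NixOS idiom is an `assertions` entry inside `imp`, which names the problem: `assertions = [ { assertion = config.krebs.nginx.enable; message = "krebs.retiolum-bootstrap requires krebs.nginx.enable = true"; } ];`. The `imp` attribute set continues past the end of the hunk.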
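Review bot: `networking.firewall.allowedTCPPorts = [ 53 80 443 ];` opens TCP/53, but iodined — which this commit adds to wry through `../2configs/iodined.nix` — carries its tunnel in DNS queries over UDP/53, so the tunnel stays blocked while an unneeded TCP port is exposed. The line should keep `[ 80 443 ]` and add `networking.firewall.allowedUDPPorts = [ 53 ];`. The same `[ 53 80 443 ]` list is carried unchanged into the rewritten `networking` block of wry.nix in PATCH 20/25.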
diff --git a/makefu/2configs/base-sources.nix b/makefu/2configs/base-sources.nix index 826cd6fef..7e6bebec3 100644 --- a/makefu/2configs/base-sources.nix +++ b/makefu/2configs/base-sources.nix @@ -3,9 +3,9 @@ { krebs.build.source = { git.nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - #url = https://github.com/makefu/nixpkgs; - rev = "dc18f39bfb2f9d1ba62c7e8ad98544bb15cb26b2"; # nixos-15.09 + #url = https://github.com/NixOS/nixpkgs; + url = https://github.com/makefu/nixpkgs; + rev = "78340b042463fd35caa587b0db2e400e5666dbe1"; # nixos-15.09 + cherry-picked iodine }; dir.secrets = { diff --git a/makefu/2configs/iodined.nix b/makefu/2configs/iodined.nix new file mode 100644 index 000000000..db8a1bfed --- /dev/null +++ b/makefu/2configs/iodined.nix @@ -0,0 +1,16 @@ +{ services,builtins,environment,pkgs, ... }: + +let + # TODO: make this a parameter + domain = "io.krebsco.de"; + pw = import ; +in { + + services.iodined = { + enable = true; + domain = domain; + ip = "172.16.10.1/24"; + extraConfig = "-P ${pw}"; + }; + +} From be44341c6ba0d8fe66220f4fe6493a88fdce849b Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 20 Oct 2015 14:25:49 +0200 Subject: [PATCH 10/25] m 2 mail: split exim-retiolum --- makefu/1systems/pornocauster.nix | 1 + makefu/2configs/mail-client.nix | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 makefu/2configs/mail-client.nix diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 8f7f5ea7c..97cf86a4e 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -21,6 +21,7 @@ # applications ../2configs/exim-retiolum.nix + ../2configs/mail-client.nix #../2configs/virtualization.nix ../2configs/virtualization-virtualbox.nix ../2configs/wwan.nix diff --git a/makefu/2configs/mail-client.nix b/makefu/2configs/mail-client.nix new file mode 100644 index 000000000..a6ae33d2f --- /dev/null +++ b/makefu/2configs/mail-client.nix 
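Review bot: `extraConfig = "-P ${pw}";` in the new iodined.nix interpolates the tunnel password into the daemon's command line, so it is readable by every user in the generated unit file in the Nix store and in `/proc/<pid>/cmdline` of the running process; the `import` on the `pw =` line (its argument appears lost in extraction here) only keeps it out of the repository. iodined also accepts the password from the `IODINE_PASS` environment variable, so a root-only file supplied through `EnvironmentFile` on the unit — or whatever equivalent the `services.iodined` module of the pinned nixpkgs fork offers (not visible here) — keeps the secret off the command line and out of the store. The argument list `{ services,builtins,environment,pkgs, ... }` names attributes that are not NixOS module arguments and none of them is used in the body; the conventional `{ config, lib, pkgs, ... }:` would do.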
@@ -0,0 +1,12 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + environment.systemPackages = with pkgs; [ + msmtp + mutt-kz + notmuch + offlineimap + ]; + +} From 24271c6f6b4e730eccb238c28ca4b04eb70ede92 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 20 Oct 2015 18:11:30 +0200 Subject: [PATCH 11/25] m 3 bepasty-server.nix: init --- makefu/3modules/bepasty-server.nix | 160 +++++++++++++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 makefu/3modules/bepasty-server.nix diff --git a/makefu/3modules/bepasty-server.nix b/makefu/3modules/bepasty-server.nix new file mode 100644 index 000000000..d970652a4 --- /dev/null +++ b/makefu/3modules/bepasty-server.nix 
@@ -0,0 +1,160 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + gunicorn = pkgs.pythonPackages.gunicorn; + bepasty = pkgs.pythonPackages.bepasty-server; + gevent = pkgs.pythonPackages.gevent; + python = pkgs.pythonPackages.python; + cfg = config.makefu.bepasty-server; + + out = { + options.makefu.bepasty-server = api; + config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; + }; + + api = { + enable = mkEnableOption "Bepasty Servers"; + serveNginx = mkEnableOption "Serve Bepasty Servers with Nginx"; + + servers = mkOption { + type = with types; attrsOf optionSet; + options = singleton { + nginxCfg = mkOption { + # TODO use the correct type + type = with types; attrsOf unspecified; + description = '' + additional nginx configuration. see krebs.nginx for all options + '' ; + }; + debug = mkOption { + type = types.bool; + description = '' + run server in debug mode + ''; + default = false; + }; + + # TODO: assert secretKey + secretKey = mkOption { + type = types.str; + description = '' + server secret for safe session cookies, must be set. + ''; + }; + + # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi + workDir = mkOption { + type = types.str; + description = '' + Path to the working directory (used for sockets and pidfile). + Defaults to the users home directory. 
Must be accessible to nginx, + permissions will be set to 755 + ''; + default = config.users.extraUsers.bepasty.home; + }; + + dataDir = mkOption { + type = types.str; + description = '' + Defaults to the new users home dir which defaults to + /var/lib/bepasty-server/data + ''; + default = "${config.users.extraUsers.bepasty.home}/data"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + example = '' + PERMISSIONS = { + 'myadminsecret': 'admin,list,create,read,delete', + } + MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 + ''; + }; + + defaultPermissions = mkOption { + type = types.str; + default = "list"; + }; + + }; + default = {}; + }; + + }; + + imp = { + # Configures systemd services for each configured server + # environment.systemPackages = [ bepasty gunicorn gevent ]; + systemd.services = mapAttrs' (name: server: + nameValuePair ("bepasty-server-${name}") + ({ + description = "Bepasty Server ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartIfChanged = true; + environment = { + BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; + PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; + }; + serviceConfig = { + Type = "simple"; + PrivateTmp = true; + ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" '' + #!/bin/sh + chmod 755 ${server.workDir} + mkdir -p ${server.dataDir} + cat > ${server.workDir}/bepasty-${name}.conf < Date: Tue, 20 Oct 2015 19:59:59 +0200 Subject: [PATCH 12/25] krebs 3 retiolum-bootstra: use nginx listen list consolidate nginx servers into 1, provide a means to override the listen addresses. --- krebs/3modules/retiolum-bootstrap.nix | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index eed11642f..65bb51193 100644 --- a/krebs/3modules/retiolum-bootstrap.nix 
+++ b/krebs/3modules/retiolum-bootstrap.nix @@ -16,6 +16,14 @@ let description = "hostname which serves tinc boot"; default = "tinc.krebsco.de" ; }; + listen = mkOption { + type = with types; listOf str; + description = ''Addresses to listen on (nginx-syntax). + ssl will be configured, http will be redirected to ssl. + Make sure to have at least 1 ssl port configured. + ''; + default = [ "80" "443 ssl" ] ; + }; ssl_certificate_key = mkOption { type = types.str; description = "Certificate key to use for ssl"; @@ -33,19 +41,17 @@ let imp = { krebs.nginx.servers = assert config.krebs.nginx.enable; { - retiolum-boot-redir = { - server-names = singleton cfg.hostname; - extraConfig = '' - return 301 https://$server_name$request_uri; - ''; - locations = []; - }; retiolum-boot-ssl = { server-names = singleton cfg.hostname; - listen = "443 ssl"; + listen = cfg.listen; extraConfig = '' ssl_certificate ${cfg.ssl_certificate}; ssl_certificate_key ${cfg.ssl_certificate_key}; + + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + root ${pkgs.retiolum-bootstrap}; try_files $uri $uri/retiolum.sh; ''; From 0696c3ff38ff629ad5f184bc458392de748a87b6 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 09:10:21 +0200 Subject: [PATCH 13/25] m 2 mail: remove client packages from server config --- makefu/2configs/exim-retiolum.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/makefu/2configs/exim-retiolum.nix b/makefu/2configs/exim-retiolum.nix index cebfd7cea..b8c5c5236 100644 --- a/makefu/2configs/exim-retiolum.nix +++ b/makefu/2configs/exim-retiolum.nix @@ -5,10 +5,6 @@ with lib; krebs.exim-retiolum.enable = true; environment.systemPackages = with pkgs; [ msmtp - mutt-kz - notmuch - # TODO: put this somewhere else - offlineimap ]; } From 90683369be019254c2b86bfc4ca3c8de3b441ff0 Mon Sep 17 00:00:00 2001 
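Review bot: The `listen` description says "Make sure to have at least 1 ssl port configured", but nothing enforces it; with a value such as `[ "80" ]` the `if ($scheme = http)` block redirects every client to an https endpoint that does not exist, while the `ssl_certificate` directives are emitted regardless. The sentence can become an `assertions` entry in `imp`: `assertions = [ { assertion = any (hasSuffix "ssl") cfg.listen; message = "krebs.retiolum-bootstrap.listen needs at least one 'ssl' entry"; } ];`. The bare `assert config.krebs.nginx.enable;` on the `krebs.nginx.servers` line could move into the same list with a message of its own.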
From: makefu Date: Wed, 21 Oct 2015 09:11:01 +0200 Subject: [PATCH 14/25] m 3 bepasty-server: fix escape --- makefu/3modules/bepasty-server.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/makefu/3modules/bepasty-server.nix b/makefu/3modules/bepasty-server.nix index d970652a4..bc7158d8d 100644 --- a/makefu/3modules/bepasty-server.nix +++ b/makefu/3modules/bepasty-server.nix @@ -104,12 +104,12 @@ let PrivateTmp = true; ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" '' #!/bin/sh - chmod 755 ${server.workDir} - mkdir -p ${server.dataDir} + chmod 755 "${server.workDir}" + mkdir -p "${server.dataDir}" cat > ${server.workDir}/bepasty-${name}.conf < Date: Wed, 21 Oct 2015 17:13:12 +0200 Subject: [PATCH 15/25] m 3 tinc_graphs: new api for nginx --- makefu/3modules/tinc_graphs.nix | 49 +++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 20 deletions(-) diff --git a/makefu/3modules/tinc_graphs.nix b/makefu/3modules/tinc_graphs.nix index ff2f55873..42b08d62a 100644 --- a/makefu/3modules/tinc_graphs.nix +++ b/makefu/3modules/tinc_graphs.nix 
@@ -20,26 +20,37 @@ let default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat"; }; - krebsNginx = { - # configure krebs nginx to serve the new graphs - enable = mkEnableOption "tinc_graphs nginx"; + nginx = { + enable = mkEnableOption "enable tinc_graphs to be served with nginx"; - hostnames_complete = mkOption { - #TODO: this is not a secure way to serve these graphs,better listen to - # the correct interface, krebs.nginx does not support this yet + anonymous = { + server-names = mkOption { + type = with types; listOf str; + description = "hostnames which serve anonymous graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + type = with types; listOf str; + description = "listen address for anonymous graphs"; + default = [ "80" ]; + }; - type = with types; listOf str; - description = "hostname which serves complete graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; }; - hostnames_anonymous = mkOption { - type = with types; listOf str; - description = '' - hostname which serves anonymous graphs - must be different from hostname_complete - ''; - default = [ "anongraphs.${config.krebs.build.host.name}" ]; + complete = { + server-names = mkOption { + type = with types; listOf str; + description = "hostname which serves complete graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + type = with types; listOf str; + description = "listen address for complete graphs"; + default = [ "127.0.0.1:80" ]; + }; + }; }; @@ -110,8 +121,7 @@ let }; krebs.nginx.servers = mkIf cfg.krebsNginx.enable { - tinc_graphs_complete = { - server-names = cfg.krebsNginx.hostnames_complete; + tinc_graphs_complete = cfg.nginx.complete { locations = [ (nameValuePair "/" '' autoindex on; 
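Review bot: After this hunk `nginx.anonymous.server-names` and `nginx.complete.server-names` both default to `[ "graphs.${config.krebs.build.host.name}" ]`, whereas the removed `hostnames_anonymous` defaulted to `anongraphs.…` and documented that the two "must be different". The defaults are now told apart only by `listen` (`80` versus `127.0.0.1:80`); if a deployment points both at the same address, nginx keeps one of the two conflicting server blocks and the complete graphs can end up on the public vhost. Either restore a distinct default, `default = [ "anongraphs.${config.krebs.build.host.name}" ];`, or keep the caveat in the `anonymous.server-names` description, e.g. "must differ from complete.server-names unless the listen addresses differ". In the second hunk `mkIf cfg.krebsNginx.enable` still references the removed option and `cfg.nginx.complete { … }` applies an attribute set as a function; both look like leftovers of the rename.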
@@ -119,8 +129,7 @@ let '') ]; }; - tinc_graphs_anonymous = { - server-names = cfg.krebsNginx.hostnames_anonymous; + tinc_graphs_anonymous = cfg.nginx.anonymous // { locations = [ (nameValuePair "/" '' autoindex on; From dc1bb40c45e69c6e4556ab2c4d92f04c25e5a2bf Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 18:44:51 +0200 Subject: [PATCH 16/25] krebs 3 nginx: extraConfig is type string --- krebs/3modules/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 0530921a0..921771033 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -36,7 +36,7 @@ let type = with types; listOf (attrsOf str); }; extraConfig = mkOption { - type = with types; str; + type = with types; string; default = ""; }; }; From 506f1c0c382a66f3f2e17519004875f793e489f1 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 18:45:32 +0200 Subject: [PATCH 17/25] m 2 unstable-sources: sources to unstable nixpkgs --- makefu/2configs/unstable-sources.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 makefu/2configs/unstable-sources.nix diff --git a/makefu/2configs/unstable-sources.nix b/makefu/2configs/unstable-sources.nix new file mode 100644 index 000000000..f2d28dcaf --- /dev/null +++ b/makefu/2configs/unstable-sources.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: + +{ + krebs.build.source = { + git.nixpkgs = { + url = https://github.com/makefu/nixpkgs; + rev = "984d33884d63d404ff2da76920b8bc8b15471552"; + }; + + dir.secrets = { + host = config.krebs.hosts.pornocauster; + path = "/home/makefu/secrets/${config.krebs.build.host.name}/"; + }; + dir.stockholm = { + host = config.krebs.hosts.pornocauster; + path = toString ../.. ; + }; + }; +} From 49b8d341f64b039448a21feeaed777573574549d Mon Sep 17 00:00:00 2001 
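Review bot: Changing `extraConfig` from `types.str` to `types.string` makes several definitions merge by plain concatenation with no separator, so two modules contributing `a;` and `b;` yield `a;b;` and any snippet without a trailing newline runs into the next one. `types.lines` is the type intended for config fragments — it joins definitions with newlines and is what nixpkgs recommends over `string` — so the line should read `type = with types; lines;`. Nothing in the one-line hunk states the intent; a comment such as `# lines: several modules may contribute nginx directives` would.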
From: makefu Date: Wed, 21 Oct 2015 18:47:26 +0200 Subject: [PATCH 18/25] m 3 tinc_graphs: merge instead of override nginx config --- makefu/3modules/tinc_graphs.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/makefu/3modules/tinc_graphs.nix b/makefu/3modules/tinc_graphs.nix index 42b08d62a..1f87f00cc 100644 --- a/makefu/3modules/tinc_graphs.nix +++ b/makefu/3modules/tinc_graphs.nix @@ -31,6 +31,7 @@ let }; listen = mkOption { + # use the type of the nginx listen option type = with types; listOf str; description = "listen address for anonymous graphs"; default = [ "80" ]; @@ -120,23 +121,23 @@ let createHome = true; }; - krebs.nginx.servers = mkIf cfg.krebsNginx.enable { - tinc_graphs_complete = cfg.nginx.complete { + krebs.nginx.servers = mkIf cfg.nginx.enable { + tinc_graphs_complete = mkMerge [ cfg.nginx.complete { locations = [ (nameValuePair "/" '' autoindex on; root ${internal_dir}; '') ]; - }; - tinc_graphs_anonymous = cfg.nginx.anonymous // { + }] ; + tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { locations = [ (nameValuePair "/" '' autoindex on; root ${external_dir}; '') ]; - }; + }]; }; }; From 34fd2ceb299d55b5edff124f86adf0883101197c Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 21 Oct 2015 18:48:13 +0200 Subject: [PATCH 19/25] m 3 bepasty-server: finishing touches --- makefu/3modules/bepasty-server.nix | 48 ++++++++++++++++-------------- makefu/3modules/default.nix | 1 + 2 files changed, 27 insertions(+), 22 deletions(-) diff --git a/makefu/3modules/bepasty-server.nix b/makefu/3modules/bepasty-server.nix index bc7158d8d..ff32eea60 100644 --- a/makefu/3modules/bepasty-server.nix +++ b/makefu/3modules/bepasty-server.nix 
@@ -6,10 +6,10 @@ let bepasty = pkgs.pythonPackages.bepasty-server; gevent = pkgs.pythonPackages.gevent; python = pkgs.pythonPackages.python; - cfg = config.makefu.bepasty-server; + cfg = config.krebs.bepasty; out = { - options.makefu.bepasty-server = api; + options.krebs.bepasty = api; config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; }; @@ -20,27 +20,20 @@ let servers = mkOption { type = with types; attrsOf optionSet; options = singleton { - nginxCfg = mkOption { + nginx = mkOption { # TODO use the correct type type = with types; attrsOf unspecified; description = '' additional nginx configuration. see krebs.nginx for all options '' ; }; - debug = mkOption { - type = types.bool; - description = '' - run server in debug mode - ''; - default = false; - }; - # TODO: assert secretKey secretKey = mkOption { type = types.str; description = '' server secret for safe session cookies, must be set. ''; + default = ""; }; # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi @@ -66,6 +59,7 @@ let extraConfig = mkOption { type = types.str; default = ""; + # TODO configure permissions in separate example = '' PERMISSIONS = { 'myadminsecret': 'admin,list,create,read,delete', @@ -75,8 +69,13 @@ let }; defaultPermissions = mkOption { + # TODO: listOf str type = types.str; - default = "list"; + description = '' + default permissions for all unauthenticated users. + ''; + example = "read,create,delete"; + default = "read"; }; }; 
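Review bot: `secretKey` now gets `default = "";` while its description still says "must be set", and the only guard is the `assert server.secretKey != ""` added to `ExecStartPre` in the next hunk, which fails with an uninformative "assertion failed" message; a per-server `assertions` entry whose message names the server would be clearer. More important for this option: it is a `types.str` that, as far as the visible part of the init script shows, is presumably interpolated into the config file written by a `pkgs.writeScript` heredoc (the heredoc body is not visible here), which would put the session secret into a world-readable Nix store path. The description should say so, or the key should be read from a root-only file at service start; at minimum add `# NOTE: interpolated into a store script — keep the key out of the repo or load it from a file at runtime` above the option. The new `# TODO configure permissions in separate` comment is missing its object and the `nginx` option still carries `# TODO use the correct type`.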
@@ -102,21 +101,22 @@ let serviceConfig = { Type = "simple"; PrivateTmp = true; - ExecStartPre = pkgs.writeScript "bepasty-server.${name}-init" '' + + ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' #!/bin/sh - chmod 755 "${server.workDir}" - mkdir -p "${server.dataDir}" - cat > ${server.workDir}/bepasty-${name}.conf < "${server.workDir}/bepasty-${name}.conf" < Date: Wed, 21 Oct 2015 18:49:20 +0200 Subject: [PATCH 20/25] wry: is the new provider for paste.krebsco.de --- krebs/3modules/makefu/default.nix | 15 +++--- makefu/1systems/wry.nix | 85 ++++++++++++++++++------------- makefu/2configs/bepasty-dual.nix | 52 +++++++++++++++++++ 3 files changed, 110 insertions(+), 42 deletions(-) create mode 100644 makefu/2configs/bepasty-dual.nix diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index acc5d7dd2..6b3781b49 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -163,10 +163,11 @@ with import ../../4lib { inherit lib; }; dc = "makefu"; #dc = "cac"; extraZones = { "krebsco.de" = '' - wry IN A ${head nets.internet.addrs4} - io IN NS wry.krebsco.de. - graphs IN A ${head nets.internet.addrs4} - tinc IN A ${head nets.internet.addrs4} + wry IN A ${head nets.internet.addrs4} + io IN NS wry.krebsco.de. + graphs IN A ${head nets.internet.addrs4} + paste 60 IN A ${head nets.internet.addrs4} + tinc IN A ${head nets.internet.addrs4} ''; }; nets = rec { @@ -174,6 +175,7 @@ with import ../../4lib { inherit lib; }; addrs4 = ["104.233.87.86"]; aliases = [ "wry.internet" + "paste.internet" ]; }; retiolum = { @@ -182,6 +184,8 @@ with import ../../4lib { inherit lib; }; addrs6 = ["42:6e1e:cc8a:7cef:827:f938:8c64:baad"]; aliases = [ "graphs.wry.retiolum" + "paste.wry.retiolum" + "paste.retiolum" "wry.retiolum" ]; tinc.pubkey = '' 
@@ -210,8 +214,7 @@ with import ../../4lib { inherit lib; }; "krebsco.de" = '' omo IN A ${head nets.internet.addrs4} euer IN A ${head nets.internet.addrs4} - gum IN A ${head nets.internet.addrs4} - paste IN A ${head nets.internet.addrs4}''; + gum IN A ${head nets.internet.addrs4} ''; }; nets = { internet = { diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index a7ed93c43..63b1f47f7 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix 
@@ -1,59 +1,72 @@ { config, lib, pkgs, ... }: +with lib; let - ip = (lib.head config.krebs.build.host.nets.internet.addrs4); + external-ip = head config.krebs.build.host.nets.internet.addrs4; + internal-ip = head config.krebs.build.host.nets.retiolum.addrs4; in { imports = [ # TODO: copy this config or move to krebs ../../tv/2configs/CAC-CentOS-7-64bit.nix ../2configs/base.nix - ../2configs/base-sources.nix + ../2configs/unstable-sources.nix ../2configs/tinc-basic-retiolum.nix + ../2configs/bepasty-dual.nix + ../2configs/iodined.nix # Reaktor ../2configs/Reaktor/simpleExtend.nix ]; - krebs.Reaktor.enable = true; - - networking.firewall.allowPing = true; - networking.interfaces.enp2s1.ip4 = [ - { - address = ip; - prefixLength = 24; - } - ]; - networking.defaultGateway = "104.233.87.1"; - networking.nameservers = [ - "8.8.8.8" - ]; - - # based on ../../tv/2configs/CAC-Developer-2.nix - sound.enable = false; - - # prepare graphs - nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; - - krebs.nginx.enable = true; - krebs.retiolum-bootstrap.enable = true; - makefu.tinc_graphs.enable = true; - - makefu.tinc_graphs.krebsNginx = { - enable = true; - # TODO: remove hard-coded hostname - hostnames_complete = [ "graphs.wry" ]; - hostnames_anonymous = [ "graphs.krebsco.de" ]; - }; - - networking.firewall.allowedTCPPorts = [ 53 80 443 ]; - krebs.build = { user = config.krebs.users.makefu; - target = "root@${ip}"; + target = "root@wry"; host = config.krebs.hosts.wry; }; + + + krebs.Reaktor.enable = true; + + # bepasty to listen only on the correct interfaces + krebs.bepasty.servers.internal.nginx.listen = [ "${internal-ip}:80" ]; + krebs.bepasty.servers.external.nginx.listen = [ "${external-ip}:80" "${external-ip}:443 ssl" ]; + + # prepare graphs + krebs.nginx.enable = true; + krebs.retiolum-bootstrap.enable = true; + + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + makefu.tinc_graphs = { + enable = true; + nginx = { + enable = true; + # 
TODO: remove hard-coded hostname + complete = { + listen = [ "${internal-ip}:80" ]; + server-names = [ "graphs.wry" ]; + }; + anonymous = { + listen = [ "${external-ip}:80" ] ; + server-names = [ "graphs.krebsco.de" ]; + }; + }; + }; + networking = { + firewall.allowPing = true; + firewall.allowedTCPPorts = [ 53 80 443 ]; + interfaces.enp2s1.ip4 = [{ + address = external-ip; + prefixLength = 24; + }]; + defaultGateway = "104.233.87.1"; + nameservers = [ "8.8.8.8" ]; + }; + + + # based on ../../tv/2configs/CAC-Developer-2.nix + sound.enable = false; } diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix new file mode 100644 index 000000000..fb170957a --- /dev/null +++ b/makefu/2configs/bepasty-dual.nix 
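Review bot: The comment `# bepasty to listen only on the correct interfaces` does not say what "correct" means, although the two listen lines below it encode a security decision: the internal instance is bound to `${internal-ip}` (the retiolum address) and the external one to `${external-ip}` (the public address); `# internal paste instance only on the retiolum address, external one only on the public address` would make that explicit for the next editor. As a point of style, the rewritten body leaves two consecutive blank lines in two places (before `krebs.Reaktor.enable = true;` and before `# based on ../../tv/2configs/CAC-Developer-2.nix`), which the rest of this file does not do; a single blank line in each place would be consistent.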
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+# 1systems should configure itself:
+# krebs.bepasty.servers.internal.nginx.listen = [ "80" ]
+# krebs.bepasty.servers.external.nginx.listen = [ "80" "443 ssl" ]
+# 80 is redirected to 443 ssl
+
+# secrets used:
+# wildcard.krebsco.de.crt
+# wildcard.krebsco.de.key
+# bepasty-secret.nix <- contains single string
+
+with lib;
+{
+
+ krebs.nginx.enable = mkDefault true;
+ krebs.bepasty = {
+ enable = true;
+ serveNginx= true;
+
+ servers = {
+ internal = {
+ nginx = {
+ server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+ };
+ defaultPermissions = "admin,list,create,read,delete";
+ secretKey = import ;
+ };
+
+ external = {
+ nginx = {
+ server-names = [ "paste.krebsco.de" ];
+ extraConfig = ''
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_timeout 10m;
+ ssl_certificate /root/secrets/wildcard.krebsco.de.crt;
+ ssl_certificate_key /root/secrets/wildcard.krebsco.de.key;
+ ssl_verify_client off;
+ proxy_ssl_session_reuse off;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ if ($scheme = http){
+ return 301 https://$server_name$request_uri;
+ }'';
+ };
+ defaultPermissions = "read";
+ secretKey = import ;
+ };
+ };
+ };
+}
From 6a425334c78fe6eb30f21f9757554905f09436fa Mon Sep 17 00:00:00 2001
From: makefu
Date: Thu, 22 Oct 2015 13:43:20 +0200
Subject: [PATCH 21/25] m 2 reaktor/random-emoji: html-decode output using xmlstarlet
---
 makefu/2configs/Reaktor/random-emoji.nix | 1 +
 makefu/2configs/Reaktor/random-emoji.sh | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/makefu/2configs/Reaktor/random-emoji.nix b/makefu/2configs/Reaktor/random-emoji.nix
index b2d99b36b..3113a826b 100644
--- a/makefu/2configs/Reaktor/random-emoji.nix
+++ b/makefu/2configs/Reaktor/random-emoji.nix
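Review bot: `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` in the external server's `extraConfig` lists RC4 first, and with `ssl_prefer_server_ciphers on` the server will actively choose it whenever a client offers it; RC4 is prohibited for TLS by RFC 7465 and should be excluded, e.g. `ssl_ciphers HIGH:!aNULL:!MD5:!RC4;`. Keeping `TLSv1 TLSv1.1` next to TLSv1.2 is a compatibility choice that deserves a one-line comment so it can be revisited. Separately, the header comment lists the secrets but not the access model: `defaultPermissions = "admin,list,create,read,delete"` on `internal` gives every unauthenticated client that reaches that listen address admin rights, so the 1system's `listen` setting is the only access control; a line such as `# internal: anyone who can reach its listen address gets admin rights, bind it to a retiolum address only` next to the existing listen hints would make that explicit.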
@@ -12,6 +12,7 @@ let
 coreutils
 gnused
 gnugrep
+ xmlstarlet
 curl]);
 in {
 # TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm
diff --git a/makefu/2configs/Reaktor/random-emoji.sh b/makefu/2configs/Reaktor/random-emoji.sh
index 913d615be..386aa68b9 100644
--- a/makefu/2configs/Reaktor/random-emoji.sh
+++ b/makefu/2configs/Reaktor/random-emoji.sh
@@ -2,4 +2,5 @@
 curl http://emojicons.com/random -s | \
 grep data-text | \
 sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \
- head -n 1
+ head -n 1 | \
+ xmlstarlet unesc
From 9be59a04001698e8e34ae4e2a49e2dea920765b1 Mon Sep 17 00:00:00 2001
From: makefu
Date: Thu, 22 Oct 2015 15:26:54 +0200
Subject: [PATCH 22/25] krebs 3 modules: bepasty-server is a krebs module
---
 {makefu => krebs}/3modules/bepasty-server.nix | 0
 krebs/3modules/default.nix | 1 +
 makefu/3modules/default.nix | 1 -
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename {makefu => krebs}/3modules/bepasty-server.nix (100%)
diff --git a/makefu/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
similarity index 100%
rename from makefu/3modules/bepasty-server.nix
rename to krebs/3modules/bepasty-server.nix
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 756245c0b..1f34c8e68 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -6,6 +6,7 @@ let
 out = {
 imports = [
+ ./bepasty-server.nix
 ./build.nix
 ./exim-retiolum.nix
 ./exim-smarthost.nix
diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix
index 3ac325b29..598365c39 100644
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@@ -3,7 +3,6 @@ _: {
 imports = [
 ./tinc_graphs.nix
- ./bepasty-server.nix
 ];
 }
From 9bb3069f69ed801d98034a2effcb4d88f279a92f Mon Sep 17 00:00:00 2001
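Review bot: `curl http://emojicons.com/random -s` in the random-emoji.sh hunk still runs without `-f` or a timeout, so an HTTP error page is parsed like a normal response and a stalled connection can hold the Reaktor hook open indefinitely; `curl -sf --max-time 10 http://emojicons.com/random | \` would fail fast on both. Now that `xmlstarlet unesc` turns entities back into raw characters that are relayed to the channel, a final `tr -d '\000-\037'` after it would drop control characters from the fetched text, though that is a judgement call. The script's first line (the interpreter line) is outside the hunk.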
From: makefu
Date: Thu, 22 Oct 2015 15:33:05 +0200
Subject: [PATCH 23/25] krebs 3 tinc_graphs: mv from makefu 3 tinc_graphs
---
 krebs/3modules/default.nix | 1 +
 {makefu => krebs}/3modules/tinc_graphs.nix | 4 ++--
 makefu/1systems/wry.nix | 2 +-
 makefu/3modules/default.nix | 1 -
 4 files changed, 4 insertions(+), 4 deletions(-)
 rename {makefu => krebs}/3modules/tinc_graphs.nix (98%)
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 1f34c8e68..5c5bec005 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -18,6 +18,7 @@ let
 ./retiolum-bootstrap.nix
 ./realwallpaper.nix
 ./retiolum.nix
+ ./tinc_graphs.nix
 ./urlwatch.nix
 ];
 options.krebs = api;
diff --git a/makefu/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
similarity index 98%
rename from makefu/3modules/tinc_graphs.nix
rename to krebs/3modules/tinc_graphs.nix
index 1f87f00cc..a6c628353 100644
--- a/makefu/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -2,12 +2,12 @@ with lib;
 let
- cfg = config.makefu.tinc_graphs;
+ cfg = config.krebs.tinc_graphs;
 internal_dir = "${cfg.workingDir}/internal";
 external_dir = "${cfg.workingDir}/external";
 out = {
- options.makefu.tinc_graphs = api;
+ options.krebs.tinc_graphs = api;
 config = mkIf cfg.enable imp ;
 };
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index 63b1f47f7..6627d87b5 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -40,7 +40,7 @@ in {
 krebs.retiolum-bootstrap.enable = true;
 nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
- makefu.tinc_graphs = {
+ krebs.tinc_graphs = {
 enable = true;
 nginx = {
 enable = true;
diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix
index 598365c39..a8a1f69d0 100644
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@@ -2,7 +2,6 @@ _: {
 imports = [
- ./tinc_graphs.nix
 ];
 }
From be39c6d8494724c6d7c87b826830f626aada15d8 Mon Sep 17 00:00:00 2001
From: makefu Date: Thu, 22 Oct 2015 16:14:37 +0200 Subject: [PATCH 24/25] krebs 3 bepasty-server: styling --- krebs/3modules/bepasty-server.nix | 100 +++++++++++++++--------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index ff32eea60..c99c3d11a 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -10,7 +10,10 @@ let out = { options.krebs.bepasty = api; - config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; + config = mkIf cfg.enable (mkMerge [ + (mkIf cfg.serveNginx nginx-imp) + imp + ]); }; api = { @@ -25,7 +28,7 @@ let type = with types; attrsOf unspecified; description = '' additional nginx configuration. see krebs.nginx for all options - '' ; + ''; }; secretKey = mkOption { @@ -52,7 +55,7 @@ let description = '' Defaults to the new users home dir which defaults to /var/lib/bepasty-server/data - ''; + ''; default = "${config.users.extraUsers.bepasty.home}/data"; }; @@ -65,14 +68,14 @@ let 'myadminsecret': 'admin,list,create,read,delete', } MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 - ''; + ''; }; defaultPermissions = mkOption { # TODO: listOf str type = types.str; description = '' - default permissions for all unauthenticated users. + default permissions for all unauthenticated users. ''; example = "read,create,delete"; default = "read"; 
@@ -88,42 +91,42 @@ let # Configures systemd services for each configured server # environment.systemPackages = [ bepasty gunicorn gevent ]; systemd.services = mapAttrs' (name: server: - nameValuePair ("bepasty-server-${name}") - ({ - description = "Bepasty Server ${name}"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - restartIfChanged = true; - environment = { - BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; - PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; - }; - serviceConfig = { - Type = "simple"; - PrivateTmp = true; + nameValuePair "bepasty-server-${name}" { + description = "Bepasty Server ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartIfChanged = true; + environment = { + BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; + PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; + }; - ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' - #!/bin/sh - mkdir -p "${server.dataDir}" "${server.workDir}" - chown bepasty:bepasty "${server.workDir}" "${server.dataDir}" - cat > "${server.workDir}/bepasty-${name}.conf" < "${server.workDir}/bepasty-${name}.conf" < Date: Thu, 22 Oct 2015 17:17:04 +0200 Subject: [PATCH 25/25] krebs 3 zones: remove empty lines --- krebs/3modules/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5c5bec005..075db1826 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
@@ -105,10 +105,14 @@ let
 # Implements environment.etc."zones/"
 environment.etc = let
+ stripEmptyLines = s: concatStringsSep "\n"
+ (remove "\n" (remove "" (splitString "\n" s)));
 all-zones = foldAttrs (sum: current: sum + "\n" +current ) ""
- ([cfg.zone-head-config] ++ combined-hosts) ;
+ ([cfg.zone-head-config] ++ combined-hosts);
 combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts );
- in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones;
+ in lib.mapAttrs' (name: value: nameValuePair
+ ("zones/" + name)
+ { text=(stripEmptyLines value); }) all-zones;
 krebs.exim-smarthost.internet-aliases = let
 format = from: to: