diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 82a5635d2..3d1ac6cfb 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -273,6 +273,7 @@ with lib;
           mattermost.euer   IN A      ${head nets.internet.addrs4}
           git.euer          IN A      ${head nets.internet.addrs4}
           gum               IN A      ${head nets.internet.addrs4}
+          cgit.euer         IN A      ${head nets.internet.addrs4}
         '';
       };
       nets = {
@@ -287,6 +288,7 @@ with lib;
           addrs6 = ["42:f9f0:0000:0000:0000:0000:0000:70d2"];
           aliases = [
             "gum.retiolum"
+            "cgit.gum.retiolum"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -302,10 +304,26 @@ with lib;
       };
     };
   };
-  users = addNames {
+  users = addNames rec {
     makefu = {
       mail = "makefu@pornocauster.retiolum";
-      pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub;
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@pornocauster";
+    };
+    makefu-omo = {
+      inherit (makefu) mail;
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtDhAxjiCH0SmTGNDqmlKPug9qTf+IFOVjdXfk01lAV2KMVW00CgNo2d5kl5+6pM99K7zZO7Uo7pmSFLSCAg8J6cMRI3v5OxFsnQfcJ9TeGLZt/ua7F8YsyIIr5wtqKtFbujqve31q9xJMypEpiX4np3nLiHfYwcWu7AFAUY8UHcCNl4JXm6hsmPe+9f6Mg2jICOdkfMMn0LtW+iq1KZpw1Nka2YUSiE2YuUtV+V+YaVMzdcjknkVkZNqcVk6tbJ1ZyZKM+bFEnE4VkHJYDABZfELpcgBAszfWrVG0QpEFjVCUq5atpIVHJcWWDx072r0zgdTPcBuzsHHC5PRfVBLEw== makefu@servarch";
+    };
+    makefu-tsp = {
+      inherit (makefu) mail;
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1srWa67fcsw3r64eqgIuHbMbrj6Ywd9AwzCM+2dfXqYQZblchzH4Q4oydjdFOnV9LaA1LfNcWEjV/gVQKA2/xLSyXSDwzTxQDyOAZaqseKVg1F0a7wAF20+LiegQj6KXE29wcTW1RjcPncmagTBv5/vYbo1eDLKZjwGpEnG0+s+TRftrAhrgtbsuwR1GWWYACxk1CbxbcV+nIZ1RF9E1Fngbl4C4WjXDvsASi8s24utCd/XxgKwKcSFv7EWNfXlNzlETdTqyNVdhA7anc3N7d/TGrQuzCdtrvBFq4WbD3IRhSk79PXaB3L6xJ7LS8DyOSzfPyiJPK65Zw5s4BC07Z makefu@tsp";
+    };
+    makefu-vbob = {
+      inherit (makefu) mail;
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@vbob";
+    };
+    exco = {
+      mail = "dickbutt@excogitation.de";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7HCK+TzelJp7atCbvCbvZZnXFr3cE35ioactgpIJL7BOyQM6lJ/7y24WbbrstClTuV7n0rWolDgfjx/8kVQExP3HXEAgCwV6tIcX/Ep84EXSok7QguN0ozZMCwX9CYXOEyLmqpe2KAx3ggXDyyDUr2mWs04J95CFjiR/YgOhIfM4+gVBxGtLSTyegyR3Fk7O0KFwYDjBRLi7a5TIub3UYuOvw3Dxo7bUkdhtf38Kff8LEK8PKtIku/AyDlwZ0mZT4Z7gnihSG2ezR5mLD6QXVuGhG6gW/gsqfPVRF4aZbrtJWZCp2G21wBRafpEZJ8KFHtR18JNcvsuWA1HJmFOj2K0mAY5hBvzCbXGhSzBtcGxKOmTBDTRlZ7FIFgukP/ckSgDduydFUpsv07ZRj+qY07zKp3Nhh3RuN7ZcveCo2WpaAzTuWCMPB0BMhEQvsO8I/p5YtTaw2T1poOPorBbURQwEgNrZ92kB1lL5t1t1ZB4oNeDJX5fddKLkgnLqQZWOZBTKtoq0EAVXojTDLZaA+5z20h8DU7sicDQ/VG4LWtqm9fh8iDpvt/3IHUn/HJEEnlfE1Gd+F2Q+R80yu4e1PClmuzfWjCtkPc4aY7oDxfcJqyeuRW6husAufPqNs31W6X9qXwoaBh9vRQ1erZUo46iicxbzujXIy/Hwg67X8dw== dickbutt@excogitation.de";
     };
   };
 }
diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/fortclientsslvpn/default.nix
new file mode 100644
index 000000000..720d4004f
--- /dev/null
+++ b/krebs/5pkgs/fortclientsslvpn/default.nix
@@ -0,0 +1,87 @@
+{ stdenv, lib, fetchurl, gtk, glib, libSM, gdk_pixbuf, libX11, libXinerama, iproute,
+  makeWrapper, libredirect, ppp, coreutils, gawk, pango }:
+stdenv.mkDerivation rec {
+  name = "forticlientsslvpn";
+  # forticlient will be copied into /tmp before execution. this is necessary as
+  # the software demands $base to be writeable
+
+  src = fetchurl {
+    # archive.org mirror:
+    # https://archive.org/download/ForticlientsslvpnLinux4.4.23171.tar/forticlientsslvpn_linux_4.4.2317.tar.gz
+    url = http://www.zen.co.uk/userfiles/knowledgebase/FortigateSSLVPNClient/forticlientsslvpn_linux_4.4.2317.tar.gz;
+    sha256 = "19clnf9rgrnwazlpah8zz5kvz6kc8lxawrgmksx25k5ywflmbcrr";
+  };
+  phases = [ "unpackPhase" "buildPhase" "installPhase" "fixupPhase" ];
+
+  buildInputs = [ makeWrapper ];
+
+  binPath = lib.makeSearchPath "bin" [
+    coreutils
+    gawk
+  ];
+
+
+  libPath = lib.makeLibraryPath [
+    stdenv.cc.cc
+  ];
+
+  guiLibPath = lib.makeLibraryPath [
+    gtk
+    glib
+    libSM
+    gdk_pixbuf
+    libX11
+    libXinerama
+    pango
+  ];
+
+  buildPhase = ''
+    # TODO: 32bit, use the 32bit folder
+    patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
+      --set-rpath "$libPath" \
+      64bit/forticlientsslvpn_cli
+
+    patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
+      --set-rpath "$libPath:$guiLibPath" \
+      64bit/forticlientsslvpn
+
+    patchelf --set-interpreter $(cat $NIX_CC/nix-support/dynamic-linker) \
+      --set-rpath "$libPath" \
+      64bit/helper/subproc
+
+    sed -i 's#\(export PATH=\).*#\1"${binPath}"#' 64bit/helper/waitppp.sh
+  '';
+
+  installPhase = ''
+    mkdir -p "$out/opt/fortinet"
+
+    cp -r 64bit/. "$out/opt/fortinet"
+    wrapProgram $out/opt/fortinet/forticlientsslvpn \
+      --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
+      --set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp
+
+    mkdir -p "$out/bin/"
+
+    cat > $out/bin/forticlientsslvpn <<EOF
+    #!/bin/sh
+    # prepare suid bit in tmp
+    # TODO maybe tmp does not support suid
+    set -euf
+    tmpforti=\$(${coreutils}/bin/mktemp -d)
+    trap "rm -rf \$tmpforti;" INT TERM EXIT
+    cp -r $out/opt/fortinet/. \$tmpforti
+    chmod +s \$tmpforti/helper/subproc
+    cd \$tmpforti
+    "./forticlientsslvpn" "\$@"
+    EOF
+
+    chmod +x $out/bin/forticlientsslvpn
+    chmod -x $out/opt/fortinet/helper/showlicense
+  '';
+  meta = {
+    homepage = http://www.fortinet.com;
+    description = "Forticlient SSL-VPN client";
+    license = lib.licenses.nonfree;
+    maintainers = [ lib.maintainers.makefu ];
+  };
+}
diff --git a/krebs/Zpubkeys/exco.ssh.pub b/krebs/Zpubkeys/exco.ssh.pub
deleted file mode 100644
index e2afcf3fb..000000000
--- a/krebs/Zpubkeys/exco.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7HCK+TzelJp7atCbvCbvZZnXFr3cE35ioactgpIJL7BOyQM6lJ/7y24WbbrstClTuV7n0rWolDgfjx/8kVQExP3HXEAgCwV6tIcX/Ep84EXSok7QguN0ozZMCwX9CYXOEyLmqpe2KAx3ggXDyyDUr2mWs04J95CFjiR/YgOhIfM4+gVBxGtLSTyegyR3Fk7O0KFwYDjBRLi7a5TIub3UYuOvw3Dxo7bUkdhtf38Kff8LEK8PKtIku/AyDlwZ0mZT4Z7gnihSG2ezR5mLD6QXVuGhG6gW/gsqfPVRF4aZbrtJWZCp2G21wBRafpEZJ8KFHtR18JNcvsuWA1HJmFOj2K0mAY5hBvzCbXGhSzBtcGxKOmTBDTRlZ7FIFgukP/ckSgDduydFUpsv07ZRj+qY07zKp3Nhh3RuN7ZcveCo2WpaAzTuWCMPB0BMhEQvsO8I/p5YtTaw2T1poOPorBbURQwEgNrZ92kB1lL5t1t1ZB4oNeDJX5fddKLkgnLqQZWOZBTKtoq0EAVXojTDLZaA+5z20h8DU7sicDQ/VG4LWtqm9fh8iDpvt/3IHUn/HJEEnlfE1Gd+F2Q+R80yu4e1PClmuzfWjCtkPc4aY7oDxfcJqyeuRW6husAufPqNs31W6X9qXwoaBh9vRQ1erZUo46iicxbzujXIy/Hwg67X8dw== christian.stoeveken@gmail.com
diff --git a/krebs/Zpubkeys/makefu_arch.ssh.pub b/krebs/Zpubkeys/makefu_arch.ssh.pub
deleted file mode 100644
index 6092ec469..000000000
--- a/krebs/Zpubkeys/makefu_arch.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@pornocauster
diff --git a/krebs/Zpubkeys/makefu_omo.ssh.pub b/krebs/Zpubkeys/makefu_omo.ssh.pub
deleted file mode 100644
index 5567040fb..000000000
--- a/krebs/Zpubkeys/makefu_omo.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtDhAxjiCH0SmTGNDqmlKPug9qTf+IFOVjdXfk01lAV2KMVW00CgNo2d5kl5+6pM99K7zZO7Uo7pmSFLSCAg8J6cMRI3v5OxFsnQfcJ9TeGLZt/ua7F8YsyIIr5wtqKtFbujqve31q9xJMypEpiX4np3nLiHfYwcWu7AFAUY8UHcCNl4JXm6hsmPe+9f6Mg2jICOdkfMMn0LtW+iq1KZpw1Nka2YUSiE2YuUtV+V+YaVMzdcjknkVkZNqcVk6tbJ1ZyZKM+bFEnE4VkHJYDABZfELpcgBAszfWrVG0QpEFjVCUq5atpIVHJcWWDx072r0zgdTPcBuzsHHC5PRfVBLEw== makefu@servarch
diff --git a/krebs/Zpubkeys/makefu_tsp.ssh.pub b/krebs/Zpubkeys/makefu_tsp.ssh.pub
deleted file mode 100644
index 9a9c9b6f8..000000000
--- a/krebs/Zpubkeys/makefu_tsp.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1srWa67fcsw3r64eqgIuHbMbrj6Ywd9AwzCM+2dfXqYQZblchzH4Q4oydjdFOnV9LaA1LfNcWEjV/gVQKA2/xLSyXSDwzTxQDyOAZaqseKVg1F0a7wAF20+LiegQj6KXE29wcTW1RjcPncmagTBv5/vYbo1eDLKZjwGpEnG0+s+TRftrAhrgtbsuwR1GWWYACxk1CbxbcV+nIZ1RF9E1Fngbl4C4WjXDvsASi8s24utCd/XxgKwKcSFv7EWNfXlNzlETdTqyNVdhA7anc3N7d/TGrQuzCdtrvBFq4WbD3IRhSk79PXaB3L6xJ7LS8DyOSzfPyiJPK65Zw5s4BC07Z makefu@tsp
diff --git a/krebs/Zpubkeys/makefu_vbob.ssh.pub b/krebs/Zpubkeys/makefu_vbob.ssh.pub
deleted file mode 100644
index e5063aeb5..000000000
--- a/krebs/Zpubkeys/makefu_vbob.ssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@nixos
diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix
index 4d8e8ced1..b121a730a 100644
--- a/makefu/1systems/vbob.nix
+++ b/makefu/1systems/vbob.nix
@@ -1,7 +1,7 @@
 #
 #
 #
-{ config, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 
 {
   krebs.build.host = config.krebs.hosts.vbob;
@@ -12,13 +12,21 @@
       ../2configs/main-laptop.nix #< base-gui
 
       # environment
+
       ../2configs/zsh-user.nix
       ../2configs/virtualization.nix
     ];
+
+  # allow vbob to deploy self
+  users.extraUsers = {
+    root = {
+        openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
+    };
+  };
   nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
   environment.systemPackages = with pkgs;[
     get
-    ];
+  ];
 
   networking.firewall.allowedTCPPorts = [
     25
diff --git a/makefu/2configs/Reaktor/full.nix b/makefu/2configs/Reaktor/full.nix
new file mode 100644
index 000000000..50620890f
--- /dev/null
+++ b/makefu/2configs/Reaktor/full.nix
@@ -0,0 +1,18 @@
+_:
+{
+  # implementation of the complete Reaktor bot
+  imports = [
+      #./stockholmLentil.nix
+      ./simpleExtend.nix
+      ./random-emoji.nix
+      ./titlebot.nix
+      ./shack-correct.nix
+      ./sed-plugin.nix
+  ];
+  krebs.Reaktor.nickname = "Reaktor|bot";
+  krebs.Reaktor.enable = true;
+
+  krebs.Reaktor.extraEnviron = {
+    REAKTOR_CHANNELS = "#krebs,#binaergewitter,#shackspace";
+  };
+}
diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index 68fd976d6..35bb169cf 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -80,26 +80,6 @@ let
       };
 
 in {
-  imports = [{
-    krebs.users = {
-      makefu-omo = {
-        name = "makefu-omo" ;
-        pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_omo.ssh.pub;
-      };
-      makefu-vbob = {
-        name = "makefu-vbob" ;
-        pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_vbob.ssh.pub;
-      };
-      makefu-tsp = {
-        name = "makefu-tsp" ;
-        pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub;
-      };
-      exco = {
-        name = "exco";
-        pubkey= with builtins; readFile ../../../krebs/Zpubkeys/exco.ssh.pub;
-      };
-    };
-  }];
   krebs.git = {
     enable = true;
     root-title = "public repositories";
diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix
index 3089b706a..266ce256a 100644
--- a/makefu/2configs/zsh-user.nix
+++ b/makefu/2configs/zsh-user.nix
@@ -5,6 +5,36 @@ let
   mainUser = config.krebs.build.user.name;
 in
 {
-  programs.zsh.enable = true;
   users.extraUsers.${mainUser}.shell = "/run/current-system/sw/bin/zsh";
+  programs.zsh= {
+    enable = true;
+    interactiveShellInit = ''
+      HISTSIZE=900001
+      HISTFILESIZE=$HISTSIZE
+      SAVEHIST=$HISTSIZE
+
+      setopt HIST_IGNORE_ALL_DUPS
+      setopt HIST_IGNORE_SPACE
+      setopt HIST_FIND_NO_DUPS
+      bindkey -e
+      # shift-tab
+      bindkey '^[[Z' reverse-menu-complete
+
+      autoload -U compinit && compinit
+      zstyle ':completion:*' menu select
+      '';
+
+    promptInit = ''
+      RPROMPT=""
+      autoload colors && colors
+      case $UID in
+         0) PROMPT="%{$fg[red]%}%~%{$reset_color%} " ;;
+      9001) PROMPT="%{$fg[green]%}%~%{$reset_color%} " ;;
+         *) PROMPT="%{$fg[yellow]%}%n %{$fg[green]%}%~%{$reset_color%} " ;;
+      esac
+      if test -n "$SSH_CLIENT"; then
+        PROMPT="%{$fg[magenta]%}%m $PROMPT"
+      fi
+      '';
+  };
 }
diff --git a/makefu/3modules/buildbot/master.nix b/makefu/3modules/buildbot/master.nix
new file mode 100644
index 000000000..310b8460d
--- /dev/null
+++ b/makefu/3modules/buildbot/master.nix
@@ -0,0 +1,179 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  buildbot = pkgs.buildbot;
+  buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
+    # -*- python -*-
+    from buildbot.plugins import *
+
+    c = BuildmasterConfig = {}
+
+    c['slaves'] = []
+    # TODO: template potential buildslaves
+    # TODO: set password?
+    for i in [ 'testslave' ]:
+      c['slaves'].append(buildslave.BuildSlave(i, "krebspass"))
+
+    c['protocols'] = {'pb': {'port': 9989}}
+
+    ####### Build Inputs
+    stockholm_repo = 'http://cgit.gum/stockholm'
+    c['change_source'] = []
+    c['change_source'].append(changes.GitPoller(
+            stockholm_repo,
+            workdir='stockholm-poller', branch='master',
+            project='stockholm',
+            pollinterval=300))
+
+    ####### Build Scheduler
+    # TODO: configure scheduler
+    important_files = util.ChangeFilter(
+                  project_re="^((krebs|share)/.*|Makefile|default.nix)",
+                  branch='master')
+    c['schedulers'] = []
+    c['schedulers'].append(schedulers.SingleBranchScheduler(
+                                name="all-important-files",
+                                change_filter=important_files,
+                                # 3 minutes stable tree
+                                treeStableTimer=3*60,
+                                builderNames=["runtests"]))
+    c['schedulers'].append(schedulers.ForceScheduler(
+                                name="force",
+                                builderNames=["runtests"]))
+    ###### The actual build
+    factory = util.BuildFactory()
+    factory.addStep(steps.Git(repourl=stockholm_repo, mode='incremental'))
+
+    deps = [ "gnumake", "jq" ]
+    factory.addStep(steps.ShellCommand(command=["nix-shell", "-p" ] + deps ))
+    factory.addStep(steps.ShellCommand(env={"LOGNAME": "shared"},
+                                       command=["make", "get=krebs.deploy",
+                                                        "system=test-centos7"]))
+
+    # TODO: different Builders?
+    c['builders'] = []
+    c['builders'].append(
+        util.BuilderConfig(name="runtests",
+          # TODO: only some slaves being used in builder?
+          slavenames=c['slaves'],
+          factory=factory))
+
+    ####### Status of Builds
+    c['status'] = []
+
+    from buildbot.status import html
+    from buildbot.status.web import authz, auth
+    # TODO: configure if http is wanted
+    authz_cfg=authz.Authz(
+        # TODO: configure user/pw
+        auth=auth.BasicAuth([("krebs","bob")]),
+        gracefulShutdown = False,
+        forceBuild = 'auth',
+        forceAllBuilds = 'auth',
+        pingBuilder = False,
+        stopBuild = False,
+        stopAllBuilds = False,
+        cancelPendingBuild = False,
+    )
+    # TODO: configure nginx
+    c['status'].append(html.WebStatus(http_port=8010, authz=authz_cfg))
+
+    from buildbot.status import words
+    # TODO: configure IRC Bot
+    irc = words.IRC("irc.freenode.net", "krebsbuild",
+                    channels=["krebs"],
+                    notify_events={
+                      'sucess': 1,
+                      'failure': 1,
+                      'exception': 1,
+                      'successToFailure': 1,
+                      'failureToSuccess': 1,
+                    },allowForce=True)
+    c['status'].append(irc)
+
+    ####### PROJECT IDENTITY
+    c['title'] = "Stockholm"
+    c['titleURL'] = "http://krebsco.de"
+
+    c['buildbotURL'] = "http://buildbot.krebsco.de/"
+
+    ####### DB URL
+    c['db'] = {
+        'db_url' : "sqlite:///state.sqlite",
+    }
+    ${cfg.extraConfig}
+    '';
+
+  cfg = config.makefu.buildbot.master;
+
+  api = {
+    enable = mkEnableOption "Buildbot Master";
+
+    workDir = mkOption {
+      default = "/var/lib/buildbot/master";
+      type = types.str;
+      description = ''
+        Path to build bot master directory.
+        Will be created on startup.
+      '';
+    };
+
+    extraConfig = mkOption {
+      default = "";
+      type = types.lines;
+      description = ''
+        extra config appended to the generated master.cfg
+      '';
+    };
+  };
+
+  imp = {
+
+    users.extraUsers.buildbotMaster = {
+      uid = 672626386; #genid buildbotMaster
+      description = "Buildbot Master";
+      home = cfg.workDir;
+      createHome = false;
+    };
+
+    users.extraGroups.buildbotMaster = {
+      gid = 672626386;
+    };
+
+    systemd.services.buildbotMaster = {
+      description = "Buildbot Master";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        PermissionsStartOnly = true;
+        # TODO: maybe also prepare buildbot.tac?
+        ExecStartPre = pkgs.writeScript "buildbot-master-init" ''
+          #!/bin/sh
+          set -efux
+          workdir=${lib.shell.escape cfg.workDir}
+          if [ ! -e $workdir ];then
+            mkdir -p $workdir
+            ${buildbot}/bin/buildbot create-master -r -l 10 -f $workdir
+            chown buildbotMaster:buildbotMaster  $workdir
+          fi
+          # always override the master.cfg
+          cp ${toString buildbot-master-config} "$workdir/master.cfg"
+          # sanity
+          ${buildbot}/bin/buildbot checkconfig $workdir
+          # upgrade
+          ${buildbot}/bin/buildbot upgrade-master $workdir
+        '';
+        ExecStart = "${buildbot}/bin/buildbot ${lib.shell.escape cfg.workDir}";
+        PrivateTmp = "true";
+        User = "buildbotMaster";
+        Restart = "always";
+        RestartSec = "10";
+      };
+    };
+  };
+in
+{
+  options.makefu.buildbot.master = api;
+  config = mkIf cfg.enable imp;
+}