From 4cf1dfeef28e3571eac3e8a4495347f778e9c0a5 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 30 Sep 2018 01:25:06 +0200
Subject: [PATCH 01/74] ma pkgs._4nxci: re-package 4nxci's version of mbedtls

---
 makefu/5pkgs/{4nxci => _4nxci}/default.nix | 44 +++++++++++-----------
 1 file changed, 21 insertions(+), 23 deletions(-)
 rename makefu/5pkgs/{4nxci => _4nxci}/default.nix (55%)

diff --git a/makefu/5pkgs/4nxci/default.nix b/makefu/5pkgs/_4nxci/default.nix
similarity index 55%
rename from makefu/5pkgs/4nxci/default.nix
rename to makefu/5pkgs/_4nxci/default.nix
index 3aba3be45..dafa37ff6 100644
--- a/makefu/5pkgs/4nxci/default.nix
+++ b/makefu/5pkgs/_4nxci/default.nix
@@ -1,33 +1,31 @@
-{ stdenv, lib, fetchFromGitHub, mbedtls, python2 }:
+{ stdenv, lib, fetchFromGitHub, mbedtls, python2, perl }:
 let
-  
-  mymbedtls = lib.overrideDerivation mbedtls (old: rec {
-    name = "mbedtls-${version}";
-    version = "2.13.0";
-    src = fetchFromGitHub {
-      owner = "ARMmbed";
-      repo = "mbedtls";
-      rev = name;
-      sha256 = "1257kp7yxkwwbx5v14kmrmgk1f9zagiddg5alm4wbj0pmgbrm14j";
-    };
-    buildInputs = old.buildInputs ++ [ python2 ];
-    postConfigure = ''
-      perl scripts/config.pl set MBEDTLS_CMAC_C
-    '';
-    doCheck = false;
-
-  });
-in stdenv.mkDerivation rec {
-  name = "4nxci-${version}";
-  version = "1.30";
-
+  version = "1.35";
   src = fetchFromGitHub {
     owner = "The-4n";
     repo = "4NXCI";
     rev = "v${version}";
-    sha256 = "0nrd19z88iahxcdx468lzgxlvkl65smwx8f9s19431cszyhvpxyh";
+    sha256 = "0yq0irxzi4wi71ajw8ld01zfpkrgknpq7g3m76pbnwmdzkm7dra6";
   };
 
+  mymbedtls = stdenv.mkDerivation {
+    name = "mbedtls-${version}";
+    version = "2.6.1";
+    doCheck = false;
+    inherit src;
+    buildInputs = [ perl ];
+    phases = [ "unpackPhase" "buildPhase" "installPhase" ];
+    makeFlags = [ "DESTDIR=$(out)" ];
+    buildPhase = ''
+      cp config.mk.template config.mk
+      cd mbedtls
+      make
+    '';
+  };
+in stdenv.mkDerivation rec {
+  name = "4nxci-${version}";
+
+  inherit src version;
   buildPhase = ''
     cp config.mk.template config.mk
     sed -i 's#\(INCLUDE =\).*#\1${mymbedtls}/include#' Makefile

From 453fc4093a0cc3b18a71fcc6e2e0f3189aed0131 Mon Sep 17 00:00:00 2001
From: jeschli <jeschli@gmail.com>
Date: Fri, 5 Oct 2018 14:04:27 +0200
Subject: [PATCH 02/74] j brauerei: +luis @ dev tmux

---
 jeschli/1systems/brauerei/config.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix
index 0c01b7948..e419e35be 100644
--- a/jeschli/1systems/brauerei/config.nix
+++ b/jeschli/1systems/brauerei/config.nix
@@ -147,6 +147,7 @@
     isNormalUser = true;
     openssh.authorizedKeys.keys = [
       config.krebs.users.lass.pubkey
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos"
     ];
   };

From d6ee59430d800fe2cb14ab71143c3fba7bbf9089 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Sun, 7 Oct 2018 15:09:15 +0200
Subject: [PATCH 03/74] add charybdis module until it's fixed in 18.09

---
 krebs/2configs/ircd.nix      |   2 +-
 krebs/3modules/charybdis.nix | 110 +++++++++++++++++++++++++++++++++++
 krebs/3modules/default.nix   |   1 +
 3 files changed, 112 insertions(+), 1 deletion(-)
 create mode 100644 krebs/3modules/charybdis.nix

diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 962dbf49c..65972aacc 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -5,7 +5,7 @@
     6667 6669
   ];
 
-  services.charybdis = {
+  krebs.charybdis = {
     enable = true;
     motd = ''
       hello
diff --git a/krebs/3modules/charybdis.nix b/krebs/3modules/charybdis.nix
new file mode 100644
index 000000000..f4a7c1313
--- /dev/null
+++ b/krebs/3modules/charybdis.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkEnableOption mkIf mkOption singleton types;
+  inherit (pkgs) coreutils charybdis;
+  cfg = config.krebs.charybdis;
+
+  configFile = pkgs.writeText "charybdis.conf" ''
+    ${cfg.config}
+  '';
+in
+
+{
+
+  ###### interface
+
+  options = {
+
+    krebs.charybdis = {
+
+      enable = mkEnableOption "Charybdis IRC daemon";
+
+      config = mkOption {
+        type = types.string;
+        description = ''
+          Charybdis IRC daemon configuration file.
+        '';
+      };
+
+      statedir = mkOption {
+        type = types.string;
+        default = "/var/lib/charybdis";
+        description = ''
+          Location of the state directory of charybdis.
+        '';
+      };
+
+      user = mkOption {
+        type = types.string;
+        default = "ircd";
+        description = ''
+          Charybdis IRC daemon user.
+        '';
+      };
+
+      group = mkOption {
+        type = types.string;
+        default = "ircd";
+        description = ''
+          Charybdis IRC daemon group.
+        '';
+      };
+
+      motd = mkOption {
+        type = types.nullOr types.lines;
+        default = null;
+        description = ''
+          Charybdis MOTD text.
+
+          Charybdis will read its MOTD from /etc/charybdis/ircd.motd .
+          If set, the value of this option will be written to this path.
+        '';
+      };
+
+    };
+
+  };
+
+
+  ###### implementation
+
+  config = mkIf cfg.enable (lib.mkMerge [
+    {
+      users.users = singleton {
+        name = cfg.user;
+        description = "Charybdis IRC daemon user";
+        uid = config.ids.uids.ircd;
+        group = cfg.group;
+      };
+
+      users.groups = singleton {
+        name = cfg.group;
+        gid = config.ids.gids.ircd;
+      };
+
+      systemd.services.charybdis = {
+        description = "Charybdis IRC daemon";
+        wantedBy = [ "multi-user.target" ];
+        environment = {
+          BANDB_DBPATH = "${cfg.statedir}/ban.db";
+        };
+        serviceConfig = {
+          ExecStart   = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}";
+          Group = cfg.group;
+          User = cfg.user;
+          PermissionsStartOnly = true; # preStart needs to run with root permissions
+        };
+        preStart = ''
+          ${coreutils}/bin/mkdir -p ${cfg.statedir}
+          ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
+        '';
+      };
+
+    }
+    
+    (mkIf (cfg.motd != null) {
+      environment.etc."charybdis/ircd.motd".text = cfg.motd;
+    })
+  ]);
+}
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 6307649e3..dd682bf4d 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -14,6 +14,7 @@ let
       ./buildbot/master.nix
       ./buildbot/slave.nix
       ./build.nix
+      ./charybdis.nix
       ./ci.nix
       ./current.nix
       ./exim.nix

From a19708a441ff7c7bb46131b83e9294890fe079b4 Mon Sep 17 00:00:00 2001
From: jeschli <jeschli@gmail.com>
Date: Sun, 7 Oct 2018 16:42:45 +0200
Subject: [PATCH 04/74] j emacs: remove melpaPackages.mmm-mode

---
 jeschli/2configs/emacs.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/jeschli/2configs/emacs.nix b/jeschli/2configs/emacs.nix
index 3bd2dbfc4..5fc887477 100644
--- a/jeschli/2configs/emacs.nix
+++ b/jeschli/2configs/emacs.nix
@@ -67,7 +67,6 @@ let
   emacsWithCustomPackages = (pkgs.emacsPackagesNgGen pkgs.emacs).emacsWithPackages (epkgs: [
     epkgs.melpaPackages.evil
     epkgs.melpaStablePackages.magit
-    epkgs.melpaPackages.mmm-mode
     epkgs.melpaPackages.nix-mode
     epkgs.melpaPackages.go-mode
     epkgs.melpaPackages.google-this

From d92a2971d7c749a5ffa241e679f2e32008adf8c0 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Sun, 7 Oct 2018 16:49:08 +0200
Subject: [PATCH 05/74] krops: init submodule

---
 .gitmodules      | 3 +++
 submodules/krops | 1 +
 2 files changed, 4 insertions(+)
 create mode 160000 submodules/krops

diff --git a/.gitmodules b/.gitmodules
index c96fec739..f35a9250d 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "submodules/nix-writers"]
 	path = submodules/nix-writers
 	url = http://cgit.krebsco.de/nix-writers
+[submodule "submodules/krops"]
+	path = submodules/krops
+	url = https://cgit.krebsco.de/krops
diff --git a/submodules/krops b/submodules/krops
new file mode 160000
index 000000000..e2b296542
--- /dev/null
+++ b/submodules/krops
@@ -0,0 +1 @@
+Subproject commit e2b29654251367545700154ffbac806705dd04c0

From 4c73914d128e8d5b36a0644834db7cbd09be7434 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Sun, 7 Oct 2018 17:08:01 +0200
Subject: [PATCH 06/74] krops: import from submodules

---
 krebs/krops.nix  | 5 +----
 makefu/krops.nix | 5 +----
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/krebs/krops.nix b/krebs/krops.nix
index 864cc8066..89354c1ea 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -1,9 +1,6 @@
 { name }: rec {
 
-  krops = builtins.fetchGit {
-    url = https://cgit.krebsco.de/krops/;
-    rev = "c46166d407c7d246112f13346621a3fbdb25889e";
-  };
+  krops = ../submodules/krops;
 
   lib = import "${krops}/lib";
 
diff --git a/makefu/krops.nix b/makefu/krops.nix
index ddb4afece..4f55915af 100644
--- a/makefu/krops.nix
+++ b/makefu/krops.nix
@@ -1,8 +1,5 @@
 { config ? config, name, target ? name }: let
-  krops = builtins.fetchGit {
-    url = https://cgit.krebsco.de/krops/;
-    rev = "4e466eaf05861b47365c5ef46a31a188b70f3615";
-  };
+  krops = ../submodules/krops;
   nixpkgs-src = lib.importJSON ./nixpkgs.json;
 
   lib = import "${krops}/lib";

From 6b08d5aa46adc80d8a1ab4ed1d3e320c61a19f01 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Sun, 7 Oct 2018 20:57:53 +0200
Subject: [PATCH 07/74] remove nin

---
 krebs/3modules/default.nix                  |   1 -
 krebs/3modules/nin/default.nix              | 111 ------
 lass/1systems/prism/config.nix              |   8 -
 nin/0tests/dummysecrets/hashedPasswords.nix |   1 -
 nin/0tests/dummysecrets/ssh.id_ed25519      |   0
 nin/1systems/axon/config.nix                | 132 --------
 nin/1systems/hiawatha/config.nix            | 126 -------
 nin/1systems/onondaga/config.nix            |  23 --
 nin/2configs/ableton.nix                    |  20 --
 nin/2configs/copyq.nix                      |  38 ---
 nin/2configs/default.nix                    | 173 ----------
 nin/2configs/games.nix                      |  70 ----
 nin/2configs/git.nix                        |  60 ----
 nin/2configs/im.nix                         |  19 --
 nin/2configs/retiolum.nix                   |  28 --
 nin/2configs/skype.nix                      |  27 --
 nin/2configs/termite.nix                    |  22 --
 nin/2configs/vim.nix                        | 355 --------------------
 nin/2configs/weechat.nix                    |  21 --
 nin/default.nix                             |   7 -
 nin/krops.nix                               |  35 --
 21 files changed, 1277 deletions(-)
 delete mode 100644 krebs/3modules/nin/default.nix
 delete mode 100644 nin/0tests/dummysecrets/hashedPasswords.nix
 delete mode 100644 nin/0tests/dummysecrets/ssh.id_ed25519
 delete mode 100644 nin/1systems/axon/config.nix
 delete mode 100644 nin/1systems/hiawatha/config.nix
 delete mode 100644 nin/1systems/onondaga/config.nix
 delete mode 100644 nin/2configs/ableton.nix
 delete mode 100644 nin/2configs/copyq.nix
 delete mode 100644 nin/2configs/default.nix
 delete mode 100644 nin/2configs/games.nix
 delete mode 100644 nin/2configs/git.nix
 delete mode 100644 nin/2configs/im.nix
 delete mode 100644 nin/2configs/retiolum.nix
 delete mode 100644 nin/2configs/skype.nix
 delete mode 100644 nin/2configs/termite.nix
 delete mode 100644 nin/2configs/vim.nix
 delete mode 100644 nin/2configs/weechat.nix
 delete mode 100644 nin/default.nix
 delete mode 100644 nin/krops.nix

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index dd682bf4d..8f2e22acf 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -112,7 +112,6 @@ let
     { krebs = import ./krebs  { inherit config; }; }
     { krebs = import ./lass   { inherit config; }; }
     { krebs = import ./makefu { inherit config; }; }
-    { krebs = import ./nin    { inherit config; }; }
     { krebs = import ./tv     { inherit config; }; }
     {
       krebs.dns.providers = {
diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix
deleted file mode 100644
index 1531a2c89..000000000
--- a/krebs/3modules/nin/default.nix
+++ /dev/null
@@ -1,111 +0,0 @@
-{ config, ... }:
-
-with import <stockholm/lib>;
-
-{
-  hosts = mapAttrs (_: recursiveUpdate {
-    owner = config.krebs.users.nin;
-    ci = true;
-  }) {
-    hiawatha = {
-      cores = 2;
-      nets = {
-        retiolum = {
-          ip4.addr = "10.243.132.96";
-          ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
-          aliases = [
-            "hiawatha.r"
-          ];
-          tinc.pubkey = ''
-            -----BEGIN RSA PUBLIC KEY-----
-            MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o
-            Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB
-            iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E
-            UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr
-            lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ
-            yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB
-            -----END RSA PUBLIC KEY-----
-          '';
-        };
-      };
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
-    };
-     axon= {
-      cores = 2;
-      nets = {
-        retiolum = {
-          ip4.addr = "10.243.134.66";
-          ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379";
-          aliases = [
-            "axon.r"
-          ];
-          tinc.pubkey = ''
-          -----BEGIN RSA PUBLIC KEY-----
-          MIIECgKCBAEA89h5SLDQL/ENM//3SMzNkVnW4dBdg1GOXs/SdRCTcgygJC0TzsAo
-          glfQhfS+OhFSC/mXAjP8DnN7Ys6zXzMfJgH7TgVRJ8tCo5ETehICA19hMjMFINLj
-          KZhhthPuX7u2Jr4uDMQ0eLJnKVHF4PmHnkA+JGcOqO7VSkgcqPvqPMnJFcMkGWvH
-          L3KAz1KGPHZWrAB2NBDrD/bOZj4L39nS4nJIYVOraP7ze1GTTC7s/0CnZj3qwS5j
-          VdUYgAR+bdxlWm1B1PPOjkslP6UOklQQK4SjK3ceLYb2yM7BVICeznjWCbkbMACY
-          PUSvdxyiD7nZcLvuM3cJ1M45zUK+tAHHDB5FFUUAZ+YY/Xml4+JOINekpQdGQqkN
-          X4VsdRGKpjqi+OXNP4ktDcVkl8uALmNR6TFfAEwQJdjgcMxgJGW9PkqvPl3Mqgoh
-          m89lHPpO0Cpf40o6lZRG42gH1OR7Iy1M234uA08a3eFf+IQutHaOBt/Oi0YeiaQp
-          OtJHmWtpsQRz24/m+uroSUtKZ63sESli28G1jP73Qv7CiB8KvSX0Z4zKJOV/CyaT
-          LLguAyeWdNLtVg4bGRd7VExoWA+Rd9YKHCiE5duhETZk0Hb9WZmgPdM7A0RBb+1H
-          /F9BPKSZFl2e42VEsy8yNmBqO8lL7DVbAjLhtikTpPLcyjNeqN99a8jFX4c5nhIK
-          MVsSLKsmNGQq+dylXMbErsGu3P/OuCZ4mRkC32Kp4qwJ+JMrJc8+ZbhKl6Fhwu0w
-          7DwwoUaRoMqtr2AwR+X67eJsYiOVo5EkqBo6DrWIM6mO2GrWHg5LTBIShn08q/Nm
-          ofPK2TmLdfqBycUR0kRCCPVi82f9aElmg3pzzPJnLAn9JLL43q6l+sefvtr9sTs3
-          1co6m8k5mO8zTb8BCmX2nFMkCopuHeF1nQ33y6woq0D8WsXHfHtbPwN9eYRVrbBF
-          29YBp5E+Q1pQB+0rJ4A5N1I3VUKhDGKc72pbQc8cYoAbDXA+RKYbsFOra5z585dt
-          4HQXpwj3a/JGJYRT6FVbJp4p8PjwAtN9VkpXNl4//3lXQdDD6aQ6ssXaKxVAp2Xj
-          FjPjx6J6ok4mRvofKNAREt4eZUdDub34bff6G0zI7Vls9t4ul0uHsJ6+ic3CG+Yl
-          buLfOkDp4hVCAlMPQ2NJfWKSggoVao7OTBPTMB3NiM56YOPptfZgu2ttDRTyuQ7p
-          hrOwutxoy/abH3hA8bWj1+C23vDtQ2gj0r16SWxpPdb3sselquzKp9NIvtyRVfnG
-          yYZTWRHg9mahMC2P0/wWAQVjKb0LnTib4lSe21uqFkWzp+3/Uu+hiwP5xGez/NIi
-          ahyL7t0D9r9y+i1RPjYWypgyR568fiGheQIDAQAB
-          -----END RSA PUBLIC KEY-----
-          '';
-        };
-      };
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ubHA2pQzV4tQq9D1zRTD1xOSR6xZM3z6te+5A1ekc";
-    };
-    onondaga = {
-      cores = 1;
-      nets = {
-        retiolum = {
-          ip4.addr = "10.243.132.55";
-          ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357";
-          aliases = [
-            "onondaga.r"
-            "cgit.onondaga.r"
-          ];
-          tinc.pubkey = ''
-            -----BEGIN RSA PUBLIC KEY-----
-            MIIBCgKCAQEAqj6NPhRVsr8abz9FFx9+ld3amfxN7SRNccbksUOqkufGS0vaupFR
-            OWsgj4Qmt3lQ82YVt5yjx0FZHkAsenCEKM3kYoIb4nipT0e1MWkQ7plVveMfGkiu
-            htaJ1aCbI2Adxfmk4YbyAr8k3G+Zl9t7gTikBRh7cf5PMiu2JhGUZHzx9urR0ieH
-            xyashZFjl4TtIy4q6QTiyST9kfzteh8k7CJ72zfYkdHl9dPlr5Nk22zH9xPkyzmO
-            kCNeknuDqKeTT9erNtRLk6pjEcyutt0y2/Uq6iZ38z5qq9k4JzcMuQ3YPpNy8bxn
-            hVuk2qBu6kBTUW3iLchoh0d4cfFLWLx1SQIDAQAB
-            -----END RSA PUBLIC KEY-----
-          '';
-        };
-      };
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmQk7AXsYLzjUrOjsuhZ3+gT7FjhPtjwxv5XnuU8GJO";
-    };
-
-  };
-  users = {
-    nin = {
-      mail = "nin@axon.r";
-      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon";
-    };
-    nin_h = {
-      mail = "nin@hiawatha.r";
-      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
-    };
-  };
-}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index bf7de6fc5..808f35b24 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -57,13 +57,6 @@ with import <stockholm/lib>;
           config.krebs.users.makefu.pubkey
         ];
       };
-      users.users.nin = {
-        uid = genid "nin";
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.nin.pubkey
-        ];
-      };
       users.extraUsers.dritter = {
         uid = genid "dritter";
         isNormalUser = true;
@@ -119,7 +112,6 @@ with import <stockholm/lib>;
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
-            config.krebs.users.nin.pubkey
           ];
         };
         autoStart = true;
diff --git a/nin/0tests/dummysecrets/hashedPasswords.nix b/nin/0tests/dummysecrets/hashedPasswords.nix
deleted file mode 100644
index 0967ef424..000000000
--- a/nin/0tests/dummysecrets/hashedPasswords.nix
+++ /dev/null
@@ -1 +0,0 @@
-{}
diff --git a/nin/0tests/dummysecrets/ssh.id_ed25519 b/nin/0tests/dummysecrets/ssh.id_ed25519
deleted file mode 100644
index e69de29bb..000000000
diff --git a/nin/1systems/axon/config.nix b/nin/1systems/axon/config.nix
deleted file mode 100644
index 5e81afdbd..000000000
--- a/nin/1systems/axon/config.nix
+++ /dev/null
@@ -1,132 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-  imports = [
-    <stockholm/nin>
-    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    #../2configs/copyq.nix
-    <stockholm/nin/2configs/ableton.nix>
-    <stockholm/nin/2configs/games.nix>
-    <stockholm/nin/2configs/git.nix>
-    <stockholm/nin/2configs/retiolum.nix>
-    <stockholm/nin/2configs/termite.nix>
-  ];
-
-  krebs.build.host = config.krebs.hosts.axon;
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/pool/root";
-      fsType = "ext4";
-    };
-
-  fileSystems."/tmp" =
-    { device = "tmpfs";
-      fsType = "tmpfs";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/sda1";
-      fsType = "ext2";
-    };
-
-  boot.initrd.luks.devices.crypted.device = "/dev/sda2";
-  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
-
-  swapDevices = [ ];
-
-  nix.maxJobs = lib.mkDefault 4;
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  # Define on which hard drive you want to install Grub.
-  boot.loader.grub.device = "/dev/sda";
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  # nin config
-  time.timeZone = "Europe/Berlin";
-  services.xserver = {
-    enable = true;
-
-    displayManager.lightdm.enable = true;
-  };
-
-  networking.networkmanager.enable = true;
-  #networking.wireless.enable = true;
-
-  hardware.pulseaudio = {
-    enable = true;
-    systemWide = true;
-  };
-
-  hardware.bluetooth.enable = true;
-
-  hardware.opengl.driSupport32Bit = true;
-
-  #nixpkgs.config.steam.java = true;
-
-  environment.systemPackages = with pkgs; [
-    atom
-    chromium
-    firefox
-    git
-    htop
-    keepassx
-    lmms
-    networkmanagerapplet
-    openvpn
-    python
-    ruby
-    steam
-    taskwarrior
-    thunderbird
-    vim
-    virtmanager
-  ];
-
-  nixpkgs.config = {
-
-    allowUnfree = true;
-
-  };
-
-  #services.logind.extraConfig = "HandleLidSwitch=ignore";
-
-  services.xserver.synaptics = {
-    enable = true;
-  };
-
-  services.xserver.displayManager.sessionCommands = ''
-    ${pkgs.xorg.xhost}/bin/xhost + local:
-  '';
-
-  services.xserver.desktopManager.xfce = let
-    xbindConfig = pkgs.writeText "xbindkeysrc" ''
-      "${pkgs.pass}/bin/passmenu --type"
-        Control + p
-  '';
-  in {
-  enable = true;
-      extraSessionCommands = ''
-      ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
-    '';
-  };
-
- # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "17.03";
-
-}
diff --git a/nin/1systems/hiawatha/config.nix b/nin/1systems/hiawatha/config.nix
deleted file mode 100644
index a09eed958..000000000
--- a/nin/1systems/hiawatha/config.nix
+++ /dev/null
@@ -1,126 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-  imports = [
-    <stockholm/nin>
-    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-    #../2configs/copyq.nix
-    <stockholm/nin/2configs/games.nix>
-    <stockholm/nin/2configs/git.nix>
-    <stockholm/nin/2configs/retiolum.nix>
-    <stockholm/nin/2configs/termite.nix>
-  ];
-
-  krebs.build.host = config.krebs.hosts.hiawatha;
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e";
-      fsType = "ext4";
-    };
-
-  fileSystems."/tmp" =
-    { device = "tmpfs";
-      fsType = "tmpfs";
-    };
-
-  fileSystems."/home" =
-    { device = "/dev/fam/home";
-    };
-
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010";
-      fsType = "ext2";
-    };
-
-  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
-  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
-
-  swapDevices = [ ];
-
-  nix.maxJobs = lib.mkDefault 4;
-  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  # Define on which hard drive you want to install Grub.
-  boot.loader.grub.device = "/dev/sda";
-
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  # Enable CUPS to print documents.
-  # services.printing.enable = true;
-
-  fileSystems."/home/nin/.local/share/Steam" = {
-    device = "/dev/fam/steam";
-  };
-
-  # nin config
-  time.timeZone = "Europe/Berlin";
-  services.xserver.enable = true;
-
-  networking.networkmanager.enable = true;
-  #networking.wireless.enable = true;
-
-  hardware.pulseaudio = {
-    enable = true;
-    systemWide = true;
-  };
-
-  hardware.bluetooth.enable = true;
-
-  hardware.opengl.driSupport32Bit = true;
-
-  #nixpkgs.config.steam.java = true;
-
-  environment.systemPackages = with pkgs; [
-    firefox
-    git
-    lmms
-    networkmanagerapplet
-    python
-    steam
-    thunderbird
-    vim
-    virtmanager
-  ];
-
-  nixpkgs.config = {
-
-    allowUnfree = true;
-
-  };
-
-  #services.logind.extraConfig = "HandleLidSwitch=ignore";
-
-  services.xserver.synaptics = {
-    enable = true;
-  };
-
-
-  services.xserver.desktopManager.xfce = let
-    xbindConfig = pkgs.writeText "xbindkeysrc" ''
-      "${pkgs.pass}/bin/passmenu --type"
-        Control + p
-  '';
-  in {
-    enable = true;
-      extraSessionCommands = ''
-      ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
-    '';
-  };
-
- # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "17.03";
-
-}
diff --git a/nin/1systems/onondaga/config.nix b/nin/1systems/onondaga/config.nix
deleted file mode 100644
index 3cd0773ae..000000000
--- a/nin/1systems/onondaga/config.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, lib, pkgs, ... }:
-
-{
-  imports = [
-    <stockholm/nin>
-    <stockholm/nin/2configs/retiolum.nix>
-    <stockholm/nin/2configs/weechat.nix>
-    <stockholm/nin/2configs/git.nix>
-  ];
-
-  krebs.build.host = config.krebs.hosts.onondaga;
-
-  boot.isContainer = true;
-  networking.useDHCP = false;
-
-  time.timeZone = "Europe/Amsterdam";
-
-  services.openssh.enable = true;
-}
diff --git a/nin/2configs/ableton.nix b/nin/2configs/ableton.nix
deleted file mode 100644
index 343a9089d..000000000
--- a/nin/2configs/ableton.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, pkgs, ... }: let
-  mainUser = config.users.extraUsers.nin;
-in {
-  users.users= {
-    ableton = {
-      isNormalUser = true;
-      extraGroups = [
-        "audio"
-        "video"
-      ];
-      packages = [
-        pkgs.wine
-        pkgs.winetricks
-      ];
-    };
-  };
-  security.sudo.extraConfig = ''
-    ${mainUser.name} ALL=(ableton) NOPASSWD: ALL
-  '';
-}
diff --git a/nin/2configs/copyq.nix b/nin/2configs/copyq.nix
deleted file mode 100644
index 0616c4025..000000000
--- a/nin/2configs/copyq.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-let
-  copyqConfig = pkgs.writeDash "copyq-config" ''
-    ${pkgs.copyq}/bin/copyq config check_clipboard true
-    ${pkgs.copyq}/bin/copyq config check_selection true
-    ${pkgs.copyq}/bin/copyq config copy_clipboard true
-    ${pkgs.copyq}/bin/copyq config copy_selection true
-
-    ${pkgs.copyq}/bin/copyq config activate_closes true
-    ${pkgs.copyq}/bin/copyq config clipboard_notification_lines 0
-    ${pkgs.copyq}/bin/copyq config clipboard_tab clipboard
-    ${pkgs.copyq}/bin/copyq config disable_tray true
-    ${pkgs.copyq}/bin/copyq config hide_tabs true
-    ${pkgs.copyq}/bin/copyq config hide_toolbar true
-    ${pkgs.copyq}/bin/copyq config item_popup_interval true
-    ${pkgs.copyq}/bin/copyq config maxitems 1000
-    ${pkgs.copyq}/bin/copyq config move true
-    ${pkgs.copyq}/bin/copyq config text_wrap true
-  '';
-in {
-  systemd.user.services.copyq = {
-    after = [ "graphical.target" ];
-    wants = [ "graphical.target" ];
-    wantedBy = [ "default.target" ];
-    environment = {
-      DISPLAY = ":0";
-    };
-    serviceConfig = {
-      SyslogIdentifier = "copyq";
-      ExecStart = "${pkgs.copyq}/bin/copyq";
-      ExecStartPost = copyqConfig;
-      Restart = "always";
-      RestartSec = "2s";
-      StartLimitBurst = 0;
-    };
-  };
-}
diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix
deleted file mode 100644
index 62f499a2d..000000000
--- a/nin/2configs/default.nix
+++ /dev/null
@@ -1,173 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-{
-  imports = [
-    ../2configs/vim.nix
-    <stockholm/krebs/2configs/binary-cache/nixos.nix>
-    <stockholm/krebs/2configs/binary-cache/prism.nix>
-    {
-      users.extraUsers =
-        mapAttrs (_: h: { hashedPassword = h; })
-                 (import <secrets/hashedPasswords.nix>);
-    }
-    {
-      users.users = {
-        root = {
-          openssh.authorizedKeys.keys = [
-            config.krebs.users.nin.pubkey
-            config.krebs.users.nin_h.pubkey
-          ];
-        };
-        nin = {
-          name = "nin";
-          uid = 1337;
-          home = "/home/nin";
-          group = "users";
-          createHome = true;
-          useDefaultShell = true;
-          extraGroups = [
-            "audio"
-            "fuse"
-          ];
-          openssh.authorizedKeys.keys = [
-            config.krebs.users.nin.pubkey
-            config.krebs.users.nin_h.pubkey
-          ];
-        };
-      };
-    }
-    {
-      environment.variables = {
-        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
-      };
-    }
-    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
-      environment.variables = {
-        CURL_CA_BUNDLE = ca-bundle;
-        GIT_SSL_CAINFO = ca-bundle;
-        SSL_CERT_FILE = ca-bundle;
-      };
-    })
-  ];
-
-  networking.hostName = config.krebs.build.host.name;
-  nix.maxJobs = config.krebs.build.host.cores;
-
-  krebs = {
-    enable = true;
-    search-domain = "r";
-    build = {
-      user = config.krebs.users.nin;
-    };
-  };
-
-  nix.useSandbox = true;
-
-  users.mutableUsers = false;
-
-  services.timesyncd.enable = true;
-
-  #why is this on in the first place?
-  services.nscd.enable = false;
-
-  boot.tmpOnTmpfs = true;
-  # see tmpfiles.d(5)
-  systemd.tmpfiles.rules = [
-    "d /tmp 1777 root root - -"
-  ];
-
-  # multiple-definition-problem when defining environment.variables.EDITOR
-  environment.extraInit = ''
-    EDITOR=vim
-  '';
-
-  nixpkgs.config.allowUnfree = true;
-
-  environment.shellAliases = {
-    gs = "git status";
-  };
-
-  environment.systemPackages = with pkgs; [
-  #stockholm
-    git
-    gnumake
-    jq
-    proot
-    pavucontrol
-    populate
-    p7zip
-    termite
-    unzip
-    unrar
-    hashPassword
-  ];
-
-  programs.bash = {
-    enableCompletion = true;
-    interactiveShellInit = ''
-      HISTCONTROL='erasedups:ignorespace'
-      HISTSIZE=65536
-      HISTFILESIZE=$HISTSIZE
-
-      shopt -s checkhash
-      shopt -s histappend histreedit histverify
-      shopt -s no_empty_cmd_completion
-      complete -d cd
-    '';
-    promptInit = ''
-      if test $UID = 0; then
-        PS1='\[\033[1;31m\]$PWD\[\033[0m\] '
-      elif test $UID = 1337; then
-        PS1='\[\033[1;32m\]$PWD\[\033[0m\] '
-      else
-        PS1='\[\033[1;33m\]\u@$PWD\[\033[0m\] '
-      fi
-      if test -n "$SSH_CLIENT"; then
-        PS1='\[\033[35m\]\h'" $PS1"
-      fi
-    '';
-  };
-
-  services.openssh = {
-    enable = true;
-    hostKeys = [
-      # XXX bits here make no science
-      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
-    ];
-  };
-
-  services.journald.extraConfig = ''
-    SystemMaxUse=1G
-    RuntimeMaxUse=128M
-  '';
-
-  krebs.iptables = {
-    enable = true;
-    tables = {
-      nat.PREROUTING.rules = [
-        { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
-        { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
-      ];
-      nat.OUTPUT.rules = [
-        { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
-      ];
-      filter.INPUT.policy = "DROP";
-      filter.FORWARD.policy = "DROP";
-      filter.INPUT.rules = [
-        { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
-        { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
-        { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false;  precedence = 10000; }
-        { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
-        { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
-        { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
-        { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
-        { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
-      ];
-    };
-  };
-
-  networking.dhcpcd.extraConfig = ''
-    noipv4ll
-  '';
-}
diff --git a/nin/2configs/games.nix b/nin/2configs/games.nix
deleted file mode 100644
index 15e17238d..000000000
--- a/nin/2configs/games.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-  mainUser = config.users.extraUsers.mainUser;
-  vdoom = pkgs.writeDash "vdoom" ''
-    ${pkgs.zandronum}/bin/zandronum \
-      -fov 120 \
-      "$@"
-  '';
-  doom = pkgs.writeDash "doom" ''
-    DOOM_DIR=''${DOOM_DIR:-~/doom/}
-    ${vdoom} \
-      -file $DOOM_DIR/lib/brutalv20.pk3 \
-      "$@"
-  '';
-  doom1 = pkgs.writeDashBin "doom1" ''
-    DOOM_DIR=''${DOOM_DIR:-~/doom/}
-    ${doom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@"
-  '';
-  doom2 = pkgs.writeDashBin "doom2" ''
-    DOOM_DIR=''${DOOM_DIR:-~/doom/}
-    ${doom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@"
-  '';
-  vdoom1 = pkgs.writeDashBin "vdoom1" ''
-    DOOM_DIR=''${DOOM_DIR:-~/doom/}
-    ${vdoom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@"
-  '';
-  vdoom2 = pkgs.writeDashBin "vdoom2" ''
-    DOOM_DIR=''${DOOM_DIR:-~/doom/}
-    ${vdoom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@"
-  '';
-
-  doomservercfg = pkgs.writeText "doomserver.cfg" ''
-    skill 7
-    #survival true
-    #sv_maxlives 4
-    #sv_norespawn true
-    #sv_weapondrop true
-    no_jump true
-    #sv_noweaponspawn true
-    sv_sharekeys true
-    sv_survivalcountdowntime 1
-    sv_noteamselect true
-    sv_updatemaster false
-    #sv_coop_loseinventory true
-    #cl_startasspectator false
-    #lms_spectatorview false
-  '';
-
-  vdoomserver = pkgs.writeDashBin "vdoomserver" ''
-    DOOM_DIR=''${DOOM_DIR:-~/doom/}
-
-    ${pkgs.zandronum}/bin/zandronum-server \
-    +exec ${doomservercfg} \
-    "$@"
-  '';
-
-in {
-  environment.systemPackages = with pkgs; [
-    dwarf_fortress
-    doom1
-    doom2
-    vdoom1
-    vdoom2
-    vdoomserver
-  ];
-
-  hardware.pulseaudio.support32Bit = true;
-
-}
diff --git a/nin/2configs/git.nix b/nin/2configs/git.nix
deleted file mode 100644
index aed4a9f48..000000000
--- a/nin/2configs/git.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
-
-  out = {
-    services.nginx.enable = true;
-    krebs.git = {
-      enable = true;
-      cgit = {
-        settings = {
-          root-title = "public repositories at ${config.krebs.build.host.name}";
-          root-desc = "keep calm and engage";
-        };
-      };
-      repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
-      rules = rules;
-    };
-
-    krebs.iptables.tables.filter.INPUT.rules = [
-      { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
-    ];
-  };
-
-  repos = public-repos;
-
-  rules = concatMap make-rules (attrValues repos);
-
-  public-repos = mapAttrs make-public-repo {
-    stockholm = {
-      cgit.desc = "take all the computers hostage, they'll love you!";
-    };
-  };
-
-  make-public-repo = name: { cgit ? {}, ... }: {
-    inherit cgit name;
-    public = true;
-  };
-
-  make-rules =
-    with git // config.krebs.users;
-    repo:
-      singleton {
-        user = [ nin nin_h ];
-        repo = [ repo ];
-        perm = push "refs/*" [ non-fast-forward create delete merge ];
-      } ++
-      optional repo.public {
-        user = attrValues config.krebs.users;
-        repo = [ repo ];
-        perm = fetch;
-      } ++
-      optional (length (repo.collaborators or []) > 0) {
-        user = repo.collaborators;
-        repo = [ repo ];
-        perm = fetch;
-      };
-
-in out
diff --git a/nin/2configs/im.nix b/nin/2configs/im.nix
deleted file mode 100644
index b078dbd53..000000000
--- a/nin/2configs/im.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
-{
-  environment.systemPackages = with pkgs; [
-    (pkgs.writeDashBin "im" ''
-      export PATH=${makeSearchPath "bin" (with pkgs; [
-        tmux
-        gnugrep
-        weechat
-      ])}
-      ssh chat@onondaga
-      if tmux list-sessions -F\#S | grep -q '^im''$'; then
-        exec tmux attach -t im
-      else
-        exec tmux new -s im weechat
-      fi
-    '')
-  ];
-}
diff --git a/nin/2configs/retiolum.nix b/nin/2configs/retiolum.nix
deleted file mode 100644
index 821e3cc00..000000000
--- a/nin/2configs/retiolum.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ ... }:
-
-{
-
-  krebs.iptables = {
-    tables = {
-      filter.INPUT.rules = [
-        { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
-        { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
-        { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
-      ];
-    };
-  };
-
-  krebs.tinc.retiolum = {
-    enable = true;
-    connectTo = [
-      "prism"
-      "pigstarter"
-      "gum"
-      "flap"
-    ];
-  };
-
-  nixpkgs.config.packageOverrides = pkgs: {
-    tinc = pkgs.tinc_pre;
-  };
-}
diff --git a/nin/2configs/skype.nix b/nin/2configs/skype.nix
deleted file mode 100644
index 621dfae82..000000000
--- a/nin/2configs/skype.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  mainUser = config.users.extraUsers.nin;
-  inherit (import <stockholm/lib>) genid;
-
-in {
-  users.extraUsers = {
-    skype = {
-      name = "skype";
-      uid = genid "skype";
-      description = "user for running skype";
-      home = "/home/skype";
-      useDefaultShell = true;
-      extraGroups = [ "audio" "video" ];
-      createHome = true;
-    };
-  };
-
-  krebs.per-user.skype.packages = [
-    pkgs.skype
-  ];
-
-  security.sudo.extraConfig = ''
-    ${mainUser.name} ALL=(skype) NOPASSWD: ALL
-  '';
-}
diff --git a/nin/2configs/termite.nix b/nin/2configs/termite.nix
deleted file mode 100644
index 942446b01..000000000
--- a/nin/2configs/termite.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  environment.systemPackages = [
-    pkgs.termite
-  ];
-
-  krebs.per-user.nin.packages = let
-    termitecfg = pkgs.writeTextFile {
-      name = "termite-config";
-      destination = "/etc/xdg/termite/config";
-      text = ''
-        [colors]
-        foreground = #d0d7d0
-        background = #000000
-      '';
-    };
-  in [
-    termitecfg
-  ];
-
-}
diff --git a/nin/2configs/vim.nix b/nin/2configs/vim.nix
deleted file mode 100644
index 7b5d37611..000000000
--- a/nin/2configs/vim.nix
+++ /dev/null
@@ -1,355 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  out = {
-    environment.systemPackages = [
-      vim
-      pkgs.pythonPackages.flake8
-    ];
-
-    environment.etc.vimrc.source = vimrc;
-
-    environment.variables.EDITOR = mkForce "vim";
-    environment.variables.VIMINIT = ":so /etc/vimrc";
-  };
-
-  vimrc = pkgs.writeText "vimrc" ''
-    set nocompatible
-
-    set autoindent
-    set backspace=indent,eol,start
-    set backup
-    set backupdir=${dirs.backupdir}/
-    set directory=${dirs.swapdir}//
-    set hlsearch
-    set incsearch
-    set laststatus=2
-    set mouse=a
-    set noruler
-    set pastetoggle=<INS>
-    set runtimepath=${extra-runtimepath},$VIMRUNTIME
-    set shortmess+=I
-    set showcmd
-    set showmatch
-    set ttimeoutlen=0
-    set undodir=${dirs.undodir}
-    set undofile
-    set undolevels=1000000
-    set undoreload=1000000
-    set viminfo='20,<1000,s100,h,n${files.viminfo}
-    set visualbell
-    set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
-    set wildmenu
-    set wildmode=longest,full
-
-    set et ts=2 sts=2 sw=2
-
-    filetype plugin indent on
-
-    set t_Co=256
-    colorscheme hack
-    syntax on
-
-    au Syntax * syn match Garbage containedin=ALL /\s\+$/
-            \ | syn match TabStop containedin=ALL /\t\+/
-            \ | syn keyword Todo containedin=ALL TODO
-
-    au BufRead,BufNewFile *.hs so ${hs.vim}
-
-    au BufRead,BufNewFile *.nix so ${nix.vim}
-
-    au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
-
-    "Syntastic config
-    let g:syntastic_python_checkers=['flake8']
-
-    nmap <esc>q :buffer 
-    nmap <M-q> :buffer 
-
-    cnoremap <C-A> <Home>
-
-    noremap  <C-c> :q<cr>
-    vnoremap < <gv
-    vnoremap > >gv
-
-    nnoremap <esc>[5^  :tabp<cr>
-    nnoremap <esc>[6^  :tabn<cr>
-    nnoremap <esc>[5@  :tabm -1<cr>
-    nnoremap <esc>[6@  :tabm +1<cr>
-
-    nnoremap <f1> :tabp<cr>
-    nnoremap <f2> :tabn<cr>
-    inoremap <f1> <esc>:tabp<cr>
-    inoremap <f2> <esc>:tabn<cr>
-
-    " <C-{Up,Down,Right,Left>
-    noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
-    noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
-    noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
-    noremap <esc>Od <nop> | noremap! <esc>Od <nop>
-    " <[C]S-{Up,Down,Right,Left>
-    noremap <esc>[a <nop> | noremap! <esc>[a <nop>
-    noremap <esc>[b <nop> | noremap! <esc>[b <nop>
-    noremap <esc>[c <nop> | noremap! <esc>[c <nop>
-    noremap <esc>[d <nop> | noremap! <esc>[d <nop>
-    vnoremap u <nop>
-  '';
-
-  extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
-    pkgs.vimPlugins.Syntastic
-    pkgs.vimPlugins.undotree
-    pkgs.vimPlugins.airline
-    (pkgs.vimUtils.buildVimPlugin {
-      name = "file-line-1.0";
-      src = pkgs.fetchgit {
-        url = git://github.com/bogado/file-line;
-        rev = "refs/tags/1.0";
-        sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
-      };
-    })
-    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
-      name = "hack";
-    in {
-      name = "vim-color-${name}-1.0.2";
-      destination = "/colors/${name}.vim";
-      text = /* vim */ ''
-        set background=dark
-        hi clear
-        if exists("syntax_on")
-          syntax clear
-        endif
-
-        let colors_name = ${toJSON name}
-
-        hi Normal       ctermbg=235
-        hi Comment      ctermfg=242
-        hi Constant     ctermfg=062
-        hi Identifier   ctermfg=068
-        hi Function     ctermfg=041
-        hi Statement    ctermfg=167
-        hi PreProc      ctermfg=167
-        hi Type         ctermfg=041
-        hi Delimiter    ctermfg=251
-        hi Special      ctermfg=062
-
-        hi Garbage      ctermbg=088
-        hi TabStop      ctermbg=016
-        hi Todo         ctermfg=174 ctermbg=NONE
-
-        hi NixCode      ctermfg=148
-        hi NixData      ctermfg=149
-        hi NixQuote     ctermfg=150
-
-        hi diffNewFile  ctermfg=207
-        hi diffFile     ctermfg=207
-        hi diffLine     ctermfg=207
-        hi diffSubname  ctermfg=207
-        hi diffAdded    ctermfg=010
-        hi diffRemoved  ctermfg=009
-      '';
-    })))
-    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
-      name = "vim";
-    in {
-      name = "vim-syntax-${name}-1.0.0";
-      destination = "/syntax/${name}.vim";
-      text = /* vim */ ''
-        ${concatMapStringsSep "\n" (s: /* vim */ ''
-          syn keyword vimColor${s} ${s}
-            \ containedin=ALLBUT,vimComment,vimLineComment
-          hi vimColor${s} ctermfg=${s}
-        '') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
-      '';
-    })))
-    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
-      name = "showsyntax";
-    in {
-      name = "vim-plugin-${name}-1.0.0";
-      destination = "/plugin/${name}.vim";
-      text = /* vim */ ''
-        if exists('g:loaded_showsyntax')
-          finish
-        endif
-        let g:loaded_showsyntax = 0
-
-        fu! ShowSyntax()
-          let id = synID(line("."), col("."), 1)
-          let name = synIDattr(id, "name")
-          let transName = synIDattr(synIDtrans(id),"name")
-          if name != transName
-            let name .= " (" . transName . ")"
-          endif
-          echo "Syntax: " . name
-        endfu
-
-        command! -n=0 -bar ShowSyntax :call ShowSyntax()
-      '';
-    })))
-  ];
-
-  dirs = {
-    backupdir = "$HOME/.cache/vim/backup";
-    swapdir   = "$HOME/.cache/vim/swap";
-    undodir   = "$HOME/.cache/vim/undo";
-  };
-  files = {
-    viminfo   = "$HOME/.cache/vim/info";
-  };
-
-  mkdirs = let
-    dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
-               in assert out != ""; out;
-    alldirs = attrValues dirs ++ map dirOf (attrValues files);
-  in unique (sort lessThan alldirs);
-
-  vim = pkgs.writeDashBin "vim" ''
-    set -efu
-    (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
-    exec ${pkgs.vim}/bin/vim "$@"
-  '';
-
-
-  hs.vim = pkgs.writeText "hs.vim" ''
-    syn region String start=+\[[[:alnum:]]*|+ end=+|]+
-
-    hi link ConId Identifier
-    hi link VarId Identifier
-    hi link hsDelimiter Delimiter
-  '';
-
-  nix.vim = pkgs.writeText "nix.vim" ''
-    setf nix
-
-    " Ref <nix/src/libexpr/lexer.l>
-    syn match NixID    /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
-    syn match NixINT   /\<[0-9]\+\>/
-    syn match NixPATH  /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
-    syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
-    syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
-    syn match NixURI   /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
-    syn region NixSTRING
-      \ matchgroup=NixSTRING
-      \ start='"'
-      \ skip='\\"'
-      \ end='"'
-    syn region NixIND_STRING
-      \ matchgroup=NixIND_STRING
-      \ start="'''"
-      \ skip="'''\('\|[$]\|\\[nrt]\)"
-      \ end="'''"
-
-    syn match NixOther /[():/;=.,?\[\]]/
-
-    syn match NixCommentMatch /\(^\|\s\)#.*/
-    syn region NixCommentRegion start="/\*" end="\*/"
-
-    hi link NixCode Statement
-    hi link NixData Constant
-    hi link NixComment Comment
-
-    hi link NixCommentMatch NixComment
-    hi link NixCommentRegion NixComment
-    hi link NixID NixCode
-    hi link NixINT NixData
-    hi link NixPATH NixData
-    hi link NixHPATH NixData
-    hi link NixSPATH NixData
-    hi link NixURI NixData
-    hi link NixSTRING NixData
-    hi link NixIND_STRING NixData
-
-    hi link NixEnter NixCode
-    hi link NixOther NixCode
-    hi link NixQuote NixData
-
-    syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
-    syn cluster nix_ind_strings contains=NixIND_STRING
-    syn cluster nix_strings contains=NixSTRING
-
-    ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
-      startAlts = filter isString [
-        ''/\* ${lang} \*/''
-        extraStart
-      ];
-      sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
-    in /* vim */ ''
-      syn include @nix_${lang}_syntax syntax/${lang}.vim
-      unlet b:current_syntax
-
-      syn match nix_${lang}_sigil
-        \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
-        \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
-        \ transparent
-
-      syn region nix_${lang}_region_STRING
-        \ matchgroup=NixSTRING
-        \ start='"'
-        \ skip='\\"'
-        \ end='"'
-        \ contained
-        \ contains=@nix_${lang}_syntax
-        \ transparent
-
-      syn region nix_${lang}_region_IND_STRING
-        \ matchgroup=NixIND_STRING
-        \ start="'''"
-        \ skip="'''\('\|[$]\|\\[nrt]\)"
-        \ end="'''"
-        \ contained
-        \ contains=@nix_${lang}_syntax
-        \ transparent
-
-      syn cluster nix_ind_strings
-        \ add=nix_${lang}_region_IND_STRING
-
-      syn cluster nix_strings
-        \ add=nix_${lang}_region_STRING
-
-      syn cluster nix_has_dollar_curly
-        \ add=@nix_${lang}_syntax
-    '') {
-      c = {};
-      cabal = {};
-      haskell = {};
-      sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
-      vim.extraStart =
-        ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
-    })}
-
-    " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
-    syn clear shVarAssign
-
-    syn region nixINSIDE_DOLLAR_CURLY
-      \ matchgroup=NixEnter
-      \ start="[$]{"
-      \ end="}"
-      \ contains=TOP
-      \ containedin=@nix_has_dollar_curly
-      \ transparent
-
-    syn region nix_inside_curly
-      \ matchgroup=NixEnter
-      \ start="{"
-      \ end="}"
-      \ contains=TOP
-      \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
-      \ transparent
-
-    syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
-      \ containedin=@nix_ind_strings
-      \ contained
-
-    syn match NixQuote /\\./he=s+1
-      \ containedin=@nix_strings
-      \ contained
-
-    syn sync fromstart
-
-    let b:current_syntax = "nix"
-
-    set isk=@,48-57,_,192-255,-,'
-    set bg=dark
-  '';
-in
-out
diff --git a/nin/2configs/weechat.nix b/nin/2configs/weechat.nix
deleted file mode 100644
index 6c0fb313e..000000000
--- a/nin/2configs/weechat.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (import <stockholm/lib>) genid;
-in {
-  krebs.per-user.chat.packages = with pkgs; [
-    mosh
-    weechat
-    tmux
-  ];
-
-  users.extraUsers.chat = {
-    home = "/home/chat";
-    uid = genid "chat";
-    useDefaultShell = true;
-    createHome = true;
-    openssh.authorizedKeys.keys = [
-      config.krebs.users.nin.pubkey
-    ];
-  };
-}
diff --git a/nin/default.nix b/nin/default.nix
deleted file mode 100644
index c31d6d949..000000000
--- a/nin/default.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-_:
-{
-  imports = [
-    ../krebs
-    ./2configs
-  ];
-}
diff --git a/nin/krops.nix b/nin/krops.nix
deleted file mode 100644
index d0074840a..000000000
--- a/nin/krops.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ name }: let
-  inherit (import ../krebs/krops.nix { inherit name; })
-    krebs-source
-    lib
-    pkgs
-  ;
-
-  source = { test }: lib.evalSource [
-    krebs-source
-    {
-      nixos-config.symlink = "stockholm/nin/1systems/${name}/config.nix";
-      secrets = if test then {
-        file = toString ./0tests/dummysecrets;
-      } else {
-        pass = {
-          dir = "${lib.getEnv "HOME"}/.password-store";
-          name = "hosts/${name}";
-        };
-      };
-    }
-  ];
-
-in {
-  # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
-  deploy = pkgs.krops.writeDeploy "${name}-deploy" {
-    source = source { test = false; };
-    target = "root@${name}/var/src";
-  };
-
-  # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
-  test = { target }: pkgs.krops.writeTest "${name}-test" {
-    inherit target;
-    source = source { test = true; };
-  };
-}

From 9104af869e8c8ce299fc2ddbf7f2631bbbf48b1e Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 7 Oct 2018 23:09:27 +0200
Subject: [PATCH 08/74] ma pkgs: rip zj-58 and jd-gui

---
 makefu/5pkgs/jd-gui/default.nix | 36 ---------------------------------
 makefu/5pkgs/zj-58/default.nix  | 30 ---------------------------
 2 files changed, 66 deletions(-)
 delete mode 100644 makefu/5pkgs/jd-gui/default.nix
 delete mode 100644 makefu/5pkgs/zj-58/default.nix

diff --git a/makefu/5pkgs/jd-gui/default.nix b/makefu/5pkgs/jd-gui/default.nix
deleted file mode 100644
index adefd80dd..000000000
--- a/makefu/5pkgs/jd-gui/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ stdenv, lib, pkgs, fetchurl, jre, makeWrapper, unzip }:
-stdenv.mkDerivation rec {
-  name = "${packageName}-${version}";
-  packageName = "jd-gui";
-  version  = "1.4.0";
-
-  src = fetchurl {
-    url = "https://github.com/java-decompiler/jd-gui/releases/download/v${version}/${name}.jar";
-    sha256 = "0rvbplkhafb6s9aiwgcq4ffz4bvzyp7q511pd46hx4ahhzfg7lmx";
-  };
-
-  nativeBuildInputs = [ makeWrapper unzip ];
-
-  phases = [ "installPhase" ];
-
-  installPhase = ''
-    f=$out/lib/jd-gui/
-    bin=$out/bin
-    name=$(basename $src)
-    mkdir -p $f $bin
-
-    # fixup path to java
-    cp $src $f
-    cat > $bin/jd-gui <<EOF
-    #!/bin/sh
-    exec ${pkgs.jre}/bin/java -jar $f/$name \$@
-    EOF
-    chmod +x $bin/jd-gui
-  '';
-
-  meta = {
-    homepage = https://github.com/java-decompiler/jd-gui;
-    description = "A standalone Java Decompiler GUI";
-    license = lib.licenses.gpl3;
-  };
-}
diff --git a/makefu/5pkgs/zj-58/default.nix b/makefu/5pkgs/zj-58/default.nix
deleted file mode 100644
index 6eda84959..000000000
--- a/makefu/5pkgs/zj-58/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{stdenv, fetchFromGitHub, cups}:
-
-stdenv.mkDerivation rec {
-  name = "cups-zj58-2018-02-22";
-
-  src = fetchFromGitHub {
-    owner = "klirichek";
-    repo = "zj-58";
-    rev = "e4212cd";
-    sha256 = "1w2qkspm4qqg5h8n6gmakzhiww7gag64chvy9kf89xsl3wsyp6pi";
-  };
-
-  buildInputs = [cups];
-
-  installPhase = ''
-    mkdir -p $out/lib/cups/filter
-
-    cp rastertozj $out/lib/cups/filter
-
-
-    mkdir -p $out/share/cups/model/zjiang
-    cp ZJ-58.ppd $out/share/cups/model/zjiang/
-  '';
-
-  meta = {
-    description = "CUPS filter for thermal printer Zjiang ZJ-58";
-    homepage = https://github.com/klirichek/zj-58;
-    platforms = stdenv.lib.platforms.linux;
-  };
-}

From 639d591336fc86fa016043a952f9db1a9614c12c Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 8 Oct 2018 00:58:45 +0200
Subject: [PATCH 09/74] nixpkgs: 86fb1e9 -> 86fb1e9

---
 makefu/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/makefu/nixpkgs.json b/makefu/nixpkgs.json
index f39bb6688..c5cd0ac30 100644
--- a/makefu/nixpkgs.json
+++ b/makefu/nixpkgs.json
@@ -1,7 +1,7 @@
 {
   "url": "https://github.com/makefu/nixpkgs",
-  "rev": "8f991294288b27b9dec05cc1e07ec6a360bb39c8",
-  "date": "2018-08-06T14:29:01+02:00",
-  "sha256": "0zan8kdjk1pwdzm1rwc3ka87k11j0zmw4mdnj70r6pm38x2fa9n6",
+  "rev": "86fb1e9ae6ba6dfedc814b82abd8db5cfa4f4687",
+  "date": "2018-10-07T23:33:42+02:00",
+  "sha256": "015yxs3qj299mgqfmz5vgszj2gxqwazifsdsjw6xadris3ri41d3",
   "fetchSubmodules": true
 }

From e51aa863c5c7b6403b2b8dcbe064697476f200ea Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 8 Oct 2018 20:31:31 +0200
Subject: [PATCH 10/74] ma printer: use upstream zj-58

---
 makefu/2configs/printer.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/makefu/2configs/printer.nix b/makefu/2configs/printer.nix
index d5fa65ef9..fb1a67358 100644
--- a/makefu/2configs/printer.nix
+++ b/makefu/2configs/printer.nix
@@ -5,11 +5,11 @@ let
 in {
   services.printing = {
     enable = true;
-    drivers = [
-      pkgs.samsungUnifiedLinuxDriver
-      pkgs.cups-dymo # dymo labelwriter
-      pkgs.foo2zjs # magicolor 1690mf
-      pkgs.zj-58
+    drivers = with pkgs; [
+      samsungUnifiedLinuxDriver
+      cups-dymo # dymo labelwriter
+      foo2zjs # magicolor 1690mf
+      cups-zj-58
     ];
   };
 

From 77bf84d5ffdab0f930c125ae8daaa15e25e4c879 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 8 Oct 2018 23:39:41 +0200
Subject: [PATCH 11/74] ma pkgs.inkscape: share/extensions solves the issue

see ee44a46c858b5a80c1888ab5d38aef43a9577783 in https://gitlab.com/inkscape/extensions
---
 makefu/2configs/rtorrent.nix               | 19 -------------------
 makefu/5pkgs/custom/inkscape/dxf_fix.patch | 12 ------------
 makefu/5pkgs/default.nix                   |  3 ---
 3 files changed, 34 deletions(-)
 delete mode 100644 makefu/2configs/rtorrent.nix
 delete mode 100644 makefu/5pkgs/custom/inkscape/dxf_fix.patch

diff --git a/makefu/2configs/rtorrent.nix b/makefu/2configs/rtorrent.nix
deleted file mode 100644
index 9e2990cab..000000000
--- a/makefu/2configs/rtorrent.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-_:
-let
-  listenPort = 60123;
-  xml-port = 5000;
-  authfile = <torrent-secrets/authfile>;
-in {
-  makefu.rtorrent = {
-    enable = true;
-    web = {
-      enable = true;
-      enableAuth = true;
-      inherit authfile;
-    };
-    rutorrent.enable = true;
-    enableXMLRPC = true;
-    logLevel = "debug";
-    inherit listenPort;
-  };
-}
diff --git a/makefu/5pkgs/custom/inkscape/dxf_fix.patch b/makefu/5pkgs/custom/inkscape/dxf_fix.patch
deleted file mode 100644
index b7b491d4e..000000000
--- a/makefu/5pkgs/custom/inkscape/dxf_fix.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- ./share/extensions/dxf_outlines.py	2017-10-08 17:28:45.553368917 +0200
-+++ ./share/extensions/dxf_outlines.py.new	2017-10-08 17:29:20.172554152 +0200
-@@ -341,7 +341,7 @@
-         if not scale:
-             scale = 25.4/96     # if no scale is specified, assume inch as baseunit
-         scale /= self.unittouu('1px')
--        h = self.unittouu(self.document.getroot().xpath('@height', namespaces=inkex.NSS)[0])
-+        h = self.unittouu(self.documentHeight())
-         self.groupmat = [[[scale, 0.0, 0.0], [0.0, -scale, h*scale]]]
-         doc = self.document.getroot()
-         self.process_group(doc)
-
diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix
index 390aabd73..6e86f4264 100644
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@@ -30,9 +30,6 @@ in {
     qcma = super.pkgs.libsForQt5.callPackage ./custom/qcma { };
     inherit (callPackage ./devpi {}) devpi-web ;
     nodemcu-uploader = super.pkgs.callPackage ./nodemcu-uploader {};
-    inkscape = super.pkgs.stdenv.lib.overrideDerivation super.inkscape (old: {
-      patches = [ ./custom/inkscape/dxf_fix.patch ];
-    });
 }
 
 // (mapAttrs (_: flip callPackage {})

From 9b638b239aa37038b0223840cdf4e5885d1565ea Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 10 Oct 2018 00:08:16 +0200
Subject: [PATCH 12/74] ma pkgs.esniper: replaced by upstream

---
 .../events-publisher/default.nix              |  0
 makefu/5pkgs/esniper/default.nix              | 32 -------------------
 makefu/5pkgs/esniper/find-ca-bundle.patch     | 26 ---------------
 3 files changed, 58 deletions(-)
 rename makefu/2configs/{deployment => shack}/events-publisher/default.nix (100%)
 delete mode 100644 makefu/5pkgs/esniper/default.nix
 delete mode 100644 makefu/5pkgs/esniper/find-ca-bundle.patch

diff --git a/makefu/2configs/deployment/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix
similarity index 100%
rename from makefu/2configs/deployment/events-publisher/default.nix
rename to makefu/2configs/shack/events-publisher/default.nix
diff --git a/makefu/5pkgs/esniper/default.nix b/makefu/5pkgs/esniper/default.nix
deleted file mode 100644
index a6aac5748..000000000
--- a/makefu/5pkgs/esniper/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ stdenv, fetchurl , openssl, curl, coreutils, gawk, bash, which }:
-
-stdenv.mkDerivation rec {
-  name = "${pname}-2-35-0";
-  pname = "esniper";
-  version = "2.35.0";
-  src = fetchurl {
-    url = "mirror://sourceforge/${pname}/${name}.tgz";
-    sha256 = "04iwjb42lw90c03125bjdpnm0fp78dmwf2j35r7mah0nwcrlagd9";
-  };
-
-
-  buildInputs = [ openssl curl ];
-
-  # Add support for CURL_CA_BUNDLE variable.
-  # Fix <http://sourceforge.net/p/esniper/bugs/648/>.
-  patches = [ ./find-ca-bundle.patch ];
-
-  postInstall = ''
-    sed <"frontends/snipe" >"$out/bin/snipe" \
-      -e "2i export PATH=\"$out/bin:${stdenv.lib.makeBinPath [ coreutils gawk bash which ]}:\$PATH\""
-    chmod 555 "$out/bin/snipe"
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Simple, lightweight tool for sniping eBay auctions";
-    homepage    = http://esniper.sourceforge.net;
-    license     = licenses.gpl2;
-    maintainers = with maintainers; [ lovek323 peti ];
-    platforms   = platforms.all;
-  };
-}
diff --git a/makefu/5pkgs/esniper/find-ca-bundle.patch b/makefu/5pkgs/esniper/find-ca-bundle.patch
deleted file mode 100644
index e4df272a0..000000000
--- a/makefu/5pkgs/esniper/find-ca-bundle.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -ubr '--exclude=*.o' esniper-2-27-0-orig/http.c esniper-2-27-0-patched/http.c
---- esniper-2-27-0-orig/http.c	2012-02-06 22:04:06.000000000 +0100
-+++ esniper-2-27-0-patched/http.c	2012-07-27 10:54:20.893054646 +0200
-@@ -200,6 +200,9 @@
- int
- initCurlStuff(void)
- {
-+	/* Path to OpenSSL bundle file. */
-+	const char *ssl_capath=NULL;
-+
- 	/* list for custom headers */
- 	struct curl_slist *slist=NULL;
- 
-@@ -241,6 +244,12 @@
- 	if ((curlrc = curl_easy_setopt(easyhandle, CURLOPT_COOKIEFILE, "")))
- 		return initCurlStuffFailed();
- 
-+	/* If the environment variable CURL_CA_BUNDLE is set, pass through its
-+	 * contents to curl. */
-+	if ((ssl_capath = getenv("CURL_CA_BUNDLE")))
-+		if ((curlrc = curl_easy_setopt(easyhandle, CURLOPT_CAINFO, ssl_capath)))
-+			return initCurlStuffFailed();
-+
- 	slist = curl_slist_append(slist, "Accept: text/*");
- 	slist = curl_slist_append(slist, "Accept-Language: en");
- 	slist = curl_slist_append(slist, "Accept-Charset: iso-8859-1,*,utf-8");

From a083d352b416ba6d13bd15534473053a29ede50b Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 10 Oct 2018 14:07:42 +0200
Subject: [PATCH 13/74] ma pkgs.ifdnfc: rip

---
 makefu/5pkgs/ifdnfc/default.nix | 45 ---------------------------------
 1 file changed, 45 deletions(-)
 delete mode 100644 makefu/5pkgs/ifdnfc/default.nix

diff --git a/makefu/5pkgs/ifdnfc/default.nix b/makefu/5pkgs/ifdnfc/default.nix
deleted file mode 100644
index cc7956c8c..000000000
--- a/makefu/5pkgs/ifdnfc/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ stdenv, fetchFromGitHub , pkgconfig
-, pcsclite
-, autoreconfHook
-, libnfc
-}:
-
-stdenv.mkDerivation rec {
-  name = "ifdnfc-${version}";
-  version = "2016-03-01";
-
-  src = fetchFromGitHub {
-    owner = "nfc-tools";
-    repo = "ifdnfc";
-    rev = "0e48e8e";
-    sha256 = "1cxnvhhlcbm8h49rlw5racspb85fmwqqhd3gzzpzy68vrs0b37vg";
-  };
-  nativeBuildInputs = [ pkgconfig autoreconfHook ];
-  buildInputs = [ pcsclite libnfc ];
-
-  configureFlags = [ "--prefix=$(out)" ];
-  makeFlags = [ "DESTDIR=/" "usbdropdir=$(out)/pcsc/drivers" ];
-
-  meta = with stdenv.lib; {
-    description = "PC/SC IFD Handler based on libnfc";
-    long_description = 
-    '' libnfc Interface Plugin to be used in <code>services.pcscd.plugins</code>.
-       It provides support for all readers which are not supported by ccid but by libnfc.
-
-       For activating your reader you need to run
-       <code>ifdnfc-activate yes<code> with this package in your
-       <code>environment.systemPackages</code>
-
-       To use your reader you may need to blacklist your reader kernel modules:
-       <code>boot.blacklistedKernelModules = [ "pn533" "pn533_usb" "nfc" ];</code>
-
-       Supports the pn533 smart-card reader chip which is for example used in
-       the SCM SCL3711.
-    '';
-    homepage = https://github.com/nfc-tools/ifdnfc;
-    license = licenses.gpl3;
-    platforms = platforms.linux;
-    maintainers = with maintainers; [ makefu ];
-  };
-}
-

From f97f63deab36b7ff774c4f132c1a87daecc8e9f5 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 10 Oct 2018 14:08:18 +0200
Subject: [PATCH 14/74] ma events-publisher: bump version

---
 makefu/2configs/shack/events-publisher/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makefu/2configs/shack/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix
index 37d74c282..93a965e95 100644
--- a/makefu/2configs/shack/events-publisher/default.nix
+++ b/makefu/2configs/shack/events-publisher/default.nix
@@ -2,8 +2,8 @@
 with import <stockholm/lib>;
 let
   shack-announce = pkgs.callPackage (builtins.fetchTarball {
-    url = "https://github.com/makefu/events-publisher/archive/c5218195e6afdc646cb7682d8f355a7ec2b90716.tar.gz";
-    sha256 = "0xk74q7gah3l5zy3bkvih3k9fr1hclvf71rm3ixcmslhicl7khav";
+    url = "https://github.com/makefu/events-publisher/archive/1e98edfabfe5574586b4eb8d30d315ae2afb1f9f.tar.gz";
+    sha256 = "013ca4dkkzc7q49cwad6fxpxv01hd8va02025pazlz5q223nk70z";
   }) {} ;
   home = "/var/lib/shackannounce";
   user = "shackannounce";

From 431cf1348b97fe6364ece67616f345b887f34b75 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 14 Oct 2018 23:46:51 +0200
Subject: [PATCH 15/74] ma omo.r: enable airdcpp

---
 makefu/1systems/omo/config.nix | 43 ++++++++++++++++++++++++----------
 1 file changed, 31 insertions(+), 12 deletions(-)

diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index be49db024..9eb8cbf49 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -8,11 +8,11 @@ let
 in {
   imports =
     [
-      #./hw/omo.nix
-      ./hw/tsp.nix
+      ./hw/omo.nix
+      #./hw/tsp.nix
       <stockholm/makefu>
       <stockholm/makefu/2configs/zsh-user.nix>
-      <stockholm/makefu/2configs/backup.nix>
+      <stockholm/makefu/2configs/backup/state.nix>
       <stockholm/makefu/2configs/exim-retiolum.nix>
       # <stockholm/makefu/2configs/smart-monitor.nix>
       <stockholm/makefu/2configs/mail-client.nix>
@@ -25,6 +25,22 @@ in {
       #<stockholm/makefu/2configs/graphite-standalone.nix>
       #<stockholm/makefu/2configs/share-user-sftp.nix>
       <stockholm/makefu/2configs/share/omo.nix>
+      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
+      { krebs.airdcpp.dcpp.shares = let
+          d = path: "/media/cryptX/${path}";
+        in {
+          emu.path = d "emu";
+          audiobooks.path = lib.mkForce (d "audiobooks");
+          incoming.path = lib.mkForce (d "torrent");
+          anime.path = d "anime";
+        };
+        krebs.airdcpp.dcpp.DownloadDirectory = "/media/cryptX/torrent/dcpp";
+      }
+      {
+        # copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
+        #services.sabnzbd.enable = true;
+        #systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+      }
       # <stockholm/makefu/2configs/share/omo-timemachine.nix>
       <stockholm/makefu/2configs/tinc/retiolum.nix>
 
@@ -41,12 +57,22 @@ in {
       <stockholm/makefu/2configs/stats/arafetch.nix>
 
       # services
-      <stockholm/makefu/2configs/syncthing.nix>
+      {
+        services.nginx.enable = true;
+        networking.firewall.allowedTCPPorts = [ 80 ];
+      }
+      # <stockholm/makefu/2configs/syncthing.nix>
       <stockholm/makefu/2configs/remote-build/slave.nix>
       <stockholm/makefu/2configs/deployment/google-muell.nix>
       <stockholm/makefu/2configs/virtualisation/docker.nix>
       <stockholm/makefu/2configs/bluetooth-mpd.nix>
       <stockholm/makefu/2configs/deployment/homeautomation>
+      {
+        makefu.ps3netsrv = {
+          enable = true;
+          servedir = "/media/cryptX/emu/ps3";
+        };
+      }
       {
         hardware.pulseaudio.systemWide = true;
         makefu.mpd.musicDirectory = "/media/cryptX/music";
@@ -74,7 +100,7 @@ in {
   krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {
     downloadDir = lib.mkForce "/media/cryptX/torrent";
     extraConfig = ''
-      upload_rate = 200
+      upload_rate = 500
     '';
   };
   users.groups.share = {
@@ -83,14 +109,7 @@ in {
   };
   networking.firewall.trustedInterfaces = [ primaryInterface ];
 
-  # copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
-  services.sabnzbd.enable = true;
-  systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 
-  makefu.ps3netsrv = {
-    enable = true;
-    servedir = "/media/cryptX/emu/ps3";
-  };
 
   users.users.misa = {
     uid = 9002;

From 0cfc9b54a0d588dadef3642aa6b3872f0392a220 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 14 Oct 2018 23:47:18 +0200
Subject: [PATCH 16/74] ma airdcpp: enable state tracking

---
 makefu/2configs/dcpp/airdcpp.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/makefu/2configs/dcpp/airdcpp.nix b/makefu/2configs/dcpp/airdcpp.nix
index fe05effd9..ad62babc3 100644
--- a/makefu/2configs/dcpp/airdcpp.nix
+++ b/makefu/2configs/dcpp/airdcpp.nix
@@ -44,5 +44,6 @@
 
     '';
   };
-
+  state = map (f: "${config.krebs.airdcpp.stateDir}/${f}")
+    [ "Favorites.xml" "DCPlusPlus.xml" "WebServer.xml" "Recents.xml" "IgnoredUsers.xml" ];
 }

From efc70c213c464d0a4eecd80e1acf886c8deb787a Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 17 Oct 2018 00:34:46 +0200
Subject: [PATCH 17/74] ma homeautomation: cleanup, add flurlicht

---
 .../deployment/bureautomation/home.nix        |  67 ---------
 .../deployment/homeautomation/default.nix     | 127 ++++++++++++++----
 2 files changed, 102 insertions(+), 92 deletions(-)
 delete mode 100644 makefu/2configs/deployment/bureautomation/home.nix

diff --git a/makefu/2configs/deployment/bureautomation/home.nix b/makefu/2configs/deployment/bureautomation/home.nix
deleted file mode 100644
index 28edb6af2..000000000
--- a/makefu/2configs/deployment/bureautomation/home.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ pkgs, lib, ... }:
-let
-  firetv = "192.168.1.238";
-in {
-  systemd.services.firetv = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      User = "nobody";
-      ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
-    };
-  };
-  services.home-assistant = {
-  #panel_iframe:
-  #configurator:
-  #  title: Configurator
-  #  icon: mdi:wrench
-  #  url: http://hassio.local:3218
-  # sensor:
-  # - platform: random
-    enable = true;
-    config = {
-      homeassistant = {
-        name = "Bureautomation";
-        time_zone = "Europe/Berlin";
-      };
-      panel_iframe = {
-        euer_blog = {
-          title = "Euer Blog";
-          icon =  "mdi:wrench";
-          url = "https://euer.krebsco.de";
-        };
-      };
-      media_player = [
-        { platform = "kodi";
-          host = firetv;
-        }
-        { platform = "firetv";
-          # assumes python-firetv running
-        }
-      ];
-      sensor = [
-        {
-          platform = "luftdaten";
-          name = "Shack 1";
-          sensorid = "50";
-          monitored_conditions = [ "P1" "P2" ];
-        }
-        {
-          platform = "luftdaten";
-          name = "Shack 2";
-          sensorid = "658";
-          monitored_conditions = [ "P1" "P2" ];
-        }
-        {
-          platform = "luftdaten";
-          name = "Ditzingen";
-          sensorid = "5341";
-          monitored_conditions = [ "P1" "P2" ];
-        }
-        { platform = "random"; }
-      ];
-      frontend = { };
-      http = { };
-      feedreader.urls = [ "https://nixos.org/blogs.xml" ];
-    };
-  };
-}
diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/deployment/homeautomation/default.nix
index f2a3b36e2..5da0dba2e 100644
--- a/makefu/2configs/deployment/homeautomation/default.nix
+++ b/makefu/2configs/deployment/homeautomation/default.nix
@@ -1,9 +1,60 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, ... }:
 
 # Ideas:
 ## wake-on-lan server
 ## 
 let
+  tasmota_rgb = name: topic:
+# LED WS2812b
+#      effect_state_topic: "stat/led/Scheme"
+#      effect_command_topic: "cmnd/led/Scheme"
+#      effect_value_template: "{{ value_json.Scheme }}"
+  { platform = "mqtt";
+    inherit name;
+    retain = false;
+    qos = 1;
+    optimistic = false;
+    # state
+    # TODO: currently broken, will not use the custom state topic
+    #state_topic = "/ham/${topic}/stat/POWER";
+    state_topic = "stat/${topic}/POWER";
+    command_topic = "/ham/${topic}/cmnd/POWER";
+    availability_topic = "/ham/${topic}/tele/LWT";
+    payload_on= "ON";
+    payload_off= "OFF";
+    payload_available= "Online";
+    payload_not_available= "Offline";
+    # brightness
+    brightness_state_topic = "/ham/${topic}/stat/Dimmer";
+    brightness_command_topic = "/ham/${topic}/cmnd/Dimmer";
+    brightness_value_template = "{{ value_json.Dimmer }}";
+    brightness_scale = 100;
+    # color
+    rgb_state_topic = "/ham/${topic}/stat/Color";
+    rgb_command_topic = "/ham/${topic}/cmnd/Color2";
+    rgb_command_mode = "hex";
+    rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
+    # effects
+    effect_state_topic = "/ham/${topic}/stat/Scheme";
+    effect_command_topic = "/ham/${topic}/cmnd/Scheme";
+    effect_value_template = "{{ value_json.Scheme }}";
+    effect_list = [ 0 1 2 3 4 5 6 7 8 9 10 11 12 ];
+};
+    # switchmode 1 - also toggle power
+    # switchtopic flurlicht
+    tasmota_motion = name: topic:
+    { platform = "mqtt";
+      device_class = "motion";
+      inherit name;
+      # TODO: currently broken, will not use the custom state topic
+      state_topic = "stat/${topic}/POWER";
+      payload_on = "ON";
+      payload_off = "OFF";
+      availability_topic = "/ham/${topic}/tele/LWT";
+      payload_available = "Online";
+      payload_not_available = "Offline";
+    };
+
   firetv = "192.168.1.238";
   tasmota_plug = name: topic:
   { platform = "mqtt";
@@ -40,16 +91,13 @@ in {
   imports = [
     ./mqtt.nix
   ];
-  systemd.services.firetv = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      User = "nobody";
-      ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
-    };
-  };
-  nixpkgs.config.permittedInsecurePackages = [
-    "homeassistant-0.65.5"
-  ];
+  #systemd.services.firetv = {
+  #  wantedBy = [ "multi-user.target" ];
+  #  serviceConfig = {
+  #    User = "nobody";
+  #    ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
+  #  };
+  #};
   services.home-assistant = {
     config = {
       homeassistant = {
@@ -58,7 +106,7 @@ in {
         longitude = "9.2478";
         elevation = 247;
       };
-      discovery = {};
+      #discovery = {};
       conversation = {};
       history = {};
       logbook = {};
@@ -71,16 +119,16 @@ in {
         { platform = "kodi";
           host = firetv;
         }
-        { platform = "firetv";
-          # assumes python-firetv running
-        }
+        #{ platform = "firetv";
+        #  # assumes python-firetv running
+        #}
       ];
       mqtt = {
         broker = "localhost";
         port = 1883;
         client_id = "home-assistant";
         username = "hass";
-        password = builtins.readFile <secrets/mqtt/hass>;
+        password = lib.removeSuffix "\n" (builtins.readFile <secrets/mqtt/hass>);
         keepalive = 60;
         protocol = 3.1;
         birth_message = {
@@ -96,10 +144,14 @@ in {
           retain = true;
         };
       };
+      binary_sensor = [
+        (tasmota_motion "Flur Bewegung" "flurlicht")
+      ];
       sensor = [
-        { platform = "speedtest";
-          monitored_conditions = [ "ping" "download" "upload" ];
-        }
+        # broken
+        #{ platform = "speedtest";
+        #  monitored_conditions = [ "ping" "download" "upload" ];
+        #}
         { platform = "luftdaten";
           name = "Ditzingen";
           sensorid = "663";
@@ -107,7 +159,8 @@ in {
         }
         # https://www.home-assistant.io/cookbook/automation_for_rainy_days/
         { platform = "darksky";
-          api_key = "c73619e6ea79e553a585be06aacf3679";
+          api_key = lib.removeSuffix "\n"
+            (builtins.readFile <secrets/hass/darksky.apikey>);
           language = "de";
           monitored_conditions = [ "summary" "icon"
           "nearest_storm_distance" "precip_probability"
@@ -125,15 +178,39 @@ in {
         }
       ] ++ (tasmota_bme "Schlafzimmer" "schlafzimmer");
       frontend = { };
-      #group = [
-      #  { default_view = { view = "yes"; entities = [
-      #    "sensor.luftdaten"
-      #  ]}
-      #];
+      group =
+        { default_view =
+          { view = "yes";
+            entities = [
+              "group.flur"
+              "group.schlafzimmer"
+              "group.draussen"
+              "group.wohnzimmer"
+            ];
+          };
+          flur = [
+            "light.flurlicht"
+            "binary_sensor.flur_bewegung"
+          ];
+          wohnzimmer = [
+            "media_player.kodi"
+          ];
+          draussen = [
+            "sensor.dark_sky_temperature"
+            "sensor.dark_sky_hourly_summary"
+          ];
+          schlafzimmer = [
+            "sensor.schlafzimmer_temperatur"
+            "sensor.schlafzimmer_luftdruck"
+            "sensor.schlafzimmer_luftfeuchtigkeit"
+            "switch.lichterkette_schlafzimmer"
+          ];
+        };
       http = { };
       switch = [
         (tasmota_plug "Lichterkette Schlafzimmer" "schlafzimmer")
       ];
+      light = [ (tasmota_rgb "Flurlicht" "flurlicht" ) ];
     };
     enable = true;
     #configDir = "/var/lib/hass";

From c6de0074ebe4197fbcdd9665cc597b455312b32c Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sat, 20 Oct 2018 21:39:26 +0200
Subject: [PATCH 18/74] ma pkgs.ns-atmosphere-programmer: init

---
 .../ns-atmosphere-programmer/default.nix      | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 makefu/5pkgs/ns-atmosphere-programmer/default.nix

diff --git a/makefu/5pkgs/ns-atmosphere-programmer/default.nix b/makefu/5pkgs/ns-atmosphere-programmer/default.nix
new file mode 100644
index 000000000..1e1cb1d86
--- /dev/null
+++ b/makefu/5pkgs/ns-atmosphere-programmer/default.nix
@@ -0,0 +1,36 @@
+{ stdenv, fetchzip
+, makeWrapper
+, autoPatchelfHook
+, xlibs
+, gnome3
+, libpng12
+}:
+stdenv.mkDerivation rec {
+  name = "ns-atmosphere-programmer-${version}";
+  version = "0.1";
+
+  src = fetchzip {
+    url = "http://www.ns-atmosphere.com/media/content/ns-atmosphere-programmer-linux-v01.zip";
+    sha256 = "0g2fxbirgi0lm0mi69cmknqj7626fxjkwn98bqx5pcalxplww8k0";
+  };
+
+  buildInputs = with xlibs; [ libX11 libXxf86vm libSM gnome3.gtk libpng12 ];
+  nativeBuildInputs = [ autoPatchelfHook makeWrapper ];
+
+  installPhase = ''
+    install -D -m755 NS-Atmosphere-Programmer-Linux-v0.1/NS-Atmosphere $out/bin/NS-Atmosphere
+    wrapProgram $out/bin/NS-Atmosphere --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
+--suffix XDG_DATA_DIRS : '${gnome3.defaultIconTheme}/share'
+  '';
+
+  dontStrip = true;
+
+  meta = with stdenv.lib; {
+    description = "Payload programmer for ns-atmosphere injector";
+    homepage = http://www.ns-atmosphere.com;
+    maintainers = [ maintainers.makefu ];
+    platforms = platforms.linux;
+    license = with licenses; [ unfree ];
+  };
+
+}

From 72a009b6a5593ca6885ca83517dfd99cefe2d3cb Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 00:16:12 +0200
Subject: [PATCH 19/74] ma shack/events-publisher: bump to latest version

---
 makefu/2configs/shack/events-publisher/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makefu/2configs/shack/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix
index 93a965e95..531d2525e 100644
--- a/makefu/2configs/shack/events-publisher/default.nix
+++ b/makefu/2configs/shack/events-publisher/default.nix
@@ -2,8 +2,8 @@
 with import <stockholm/lib>;
 let
   shack-announce = pkgs.callPackage (builtins.fetchTarball {
-    url = "https://github.com/makefu/events-publisher/archive/1e98edfabfe5574586b4eb8d30d315ae2afb1f9f.tar.gz";
-    sha256 = "013ca4dkkzc7q49cwad6fxpxv01hd8va02025pazlz5q223nk70z";
+    url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz";
+    sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd";
   }) {} ;
   home = "/var/lib/shackannounce";
   user = "shackannounce";

From cea8403dc5eb48792c9ccd4c4fc9584a84ba4238 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 00:18:59 +0200
Subject: [PATCH 20/74] ma shack/gitlab-ci: maintain own config

---
 .../2configs/shack/gitlab-runner/default.nix  | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 makefu/2configs/shack/gitlab-runner/default.nix

diff --git a/makefu/2configs/shack/gitlab-runner/default.nix b/makefu/2configs/shack/gitlab-runner/default.nix
new file mode 100644
index 000000000..55dc50fa8
--- /dev/null
+++ b/makefu/2configs/shack/gitlab-runner/default.nix
@@ -0,0 +1,31 @@
+
+{
+  systemd.services.gitlab-runner.path = [
+    "/run/wrappers" # /run/wrappers/bin/su
+    "/" # /bin/sh
+  ];
+  services.gitlab-runner = {
+    enable = true;
+    configOptions =
+    { concurrent = 1;
+      runners = [
+        { builds_dir = "";
+          #docker =
+          #{ cache_dir = "";
+          #  disable_cache = true;
+          #  host = ""; image = "nixos/nix:2.1.3";
+          #  privileged = true;
+          #};
+          #executor = "docker";
+          # name = "docker-nix";
+          name = "gum-shell";
+          executor = "shell";
+          environment = [ "PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin" ];
+          # generate via `gitlab-runner register`
+          token = import <secrets/shackspace-gitlab-ci-token.nix>;
+          url = "https://git.shackspace.de/";
+        }
+      ];
+    };
+  };
+}

From 489d3924307171751b174d62f64ce29a5c2550cf Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:04:27 +0200
Subject: [PATCH 21/74] ma backup: init

---
 makefu/2configs/backup/server.nix      | 11 +++++++++++
 makefu/2configs/backup/ssh/gum.pub     |  1 +
 makefu/2configs/backup/ssh/nextgum.pub |  1 +
 makefu/2configs/backup/ssh/omo.pub     |  1 +
 makefu/2configs/backup/ssh/x.pub       |  1 +
 makefu/2configs/backup/state.nix       | 25 +++++++++++++++++++++++++
 6 files changed, 40 insertions(+)
 create mode 100644 makefu/2configs/backup/server.nix
 create mode 100644 makefu/2configs/backup/ssh/gum.pub
 create mode 100644 makefu/2configs/backup/ssh/nextgum.pub
 create mode 100644 makefu/2configs/backup/ssh/omo.pub
 create mode 100644 makefu/2configs/backup/ssh/x.pub
 create mode 100644 makefu/2configs/backup/state.nix

diff --git a/makefu/2configs/backup/server.nix b/makefu/2configs/backup/server.nix
new file mode 100644
index 000000000..f157e715f
--- /dev/null
+++ b/makefu/2configs/backup/server.nix
@@ -0,0 +1,11 @@
+{lib, ... }:
+let
+  hosts = lib.mapAttrsToList (f: _: lib.removeSuffix ".pub" f) (builtins.readDir ./ssh );
+in {
+  # TODO: for all enabled machines
+  services.borgbackup.repos = lib.genAttrs hosts (host: {
+    authorizedKeys = [ (builtins.readFile (./ssh + "/${host}.pub") ) ];
+    path = "/var/lib/borgbackup/${host}";
+    user = "borg-${host}";
+  }) ;
+}
diff --git a/makefu/2configs/backup/ssh/gum.pub b/makefu/2configs/backup/ssh/gum.pub
new file mode 100644
index 000000000..ed203d544
--- /dev/null
+++ b/makefu/2configs/backup/ssh/gum.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCJe7DQkKbL58pL78ImO+nVI/aaNFP8Zyqgo8EbNhW makefu@x
diff --git a/makefu/2configs/backup/ssh/nextgum.pub b/makefu/2configs/backup/ssh/nextgum.pub
new file mode 100644
index 000000000..52d56d956
--- /dev/null
+++ b/makefu/2configs/backup/ssh/nextgum.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUZcfi2SXxCo1if0oU3x9qPK8/O5FmiXy2HFZyTp/P1 makefu@x
diff --git a/makefu/2configs/backup/ssh/omo.pub b/makefu/2configs/backup/ssh/omo.pub
new file mode 100644
index 000000000..053b4da87
--- /dev/null
+++ b/makefu/2configs/backup/ssh/omo.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtA3XzpjByYQ9uSHQr0dkNUyi6nROjwv1S2IQtUu4pi makefu@x
diff --git a/makefu/2configs/backup/ssh/x.pub b/makefu/2configs/backup/ssh/x.pub
new file mode 100644
index 000000000..fe894df33
--- /dev/null
+++ b/makefu/2configs/backup/ssh/x.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfhUv9twYbO7tUe2r2LOXEMNxW14GO3Q0RTkUWeMxw makefu@x
diff --git a/makefu/2configs/backup/state.nix b/makefu/2configs/backup/state.nix
new file mode 100644
index 000000000..1143708bf
--- /dev/null
+++ b/makefu/2configs/backup/state.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+# back up all state
+let
+  sec = toString <secrets>;
+  sshkey = sec + "/borg.priv";
+  phrase = sec + "/borg.pw";
+in
+{
+  services.borgbackup.jobs.state = {
+    repo = "borg-${config.krebs.build.host.name}@backup.makefu.r:.";
+    paths = config.state;
+    encryption = {
+      mode = "repokey";
+      passCommand = "cat ${phrase}";
+    };
+    environment.BORG_RSH = "ssh -i ${sshkey}";
+    prune.keep =
+    { daily = 7;
+      weekly = 4;
+      monthly = -1; # Keep at least one archive for each month
+    };
+    compression = "auto,lzma";
+    startAt = "daily";
+  };
+}

From 23d99c1ae27744d00b25e0615797c357642c4112 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:05:21 +0200
Subject: [PATCH 22/74] ma backup: streamline, RIP old rsync

---
 makefu/2configs/backup.nix        | 52 -------------------------------
 makefu/2configs/laptop-backup.nix | 12 -------
 2 files changed, 64 deletions(-)
 delete mode 100644 makefu/2configs/backup.nix
 delete mode 100644 makefu/2configs/laptop-backup.nix

diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix
deleted file mode 100644
index a4d02af6b..000000000
--- a/makefu/2configs/backup.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
-let
-  # preparation:
-  # mkdir -p defaultBackupDir/host.name/src
-  # as root on omo:
-  #   ssh-copy-id root@src
-  startAt = "0,6,12,18:00";
-  defaultBackupServer = config.krebs.hosts.omo;
-  defaultBackupDir = "/home/backup";
-  defaultPull = host: src: {
-    method = "pull";
-    src = {
-      inherit host;
-      path = src;
-    };
-    dst = {
-      host = defaultBackupServer;
-      path = "${defaultBackupDir}/${host.name}${src}";
-    };
-    startAt = "0,6,12,18:00";
-    snapshots = {
-      hourly   = { format = "%Y-%m-%dT%H";    retain =  4; };
-      daily    = { format = "%Y-%m-%d";       retain =  7; };
-      weekly   = { format = "%YW%W";          retain =  4; };
-      monthly  = { format = "%Y-%m";          retain = 12; };
-      yearly   = { format = "%Y";                          };
-    };
-  };
-in {
-  krebs.backup.plans = {
-    # wry-to-omo_root = defaultPull config.krebs.hosts.wry "/";
-    gum-to-omo_root = defaultPull config.krebs.hosts.gum "/";
-    gum-dl-to-omo_external = (defaultPull config.krebs.hosts.gum "/var/download" )//
-      {
-        dst.path = "/media/cryptX/backup/gum/var-download";
-        dst.host = defaultBackupServer;
-        startAt = "19:00";
-      };
-    gum-owncloud-to-omo_external = (defaultPull config.krebs.hosts.gum "/var/www/o.euer.krebsco.de" )//
-      {
-        dst.path = "/media/cryptX/backup/gum/var-www-o.euer.krebsco.de";
-        dst.host = defaultBackupServer;
-
-        startAt = "05:00";
-      };
-    # wolf-to-omo_root = defaultPull config.krebs.hosts.wolf "/";
-  };
-  environment.systemPackages = [
-    pkgs.borgbackup
-  ];
-}
diff --git a/makefu/2configs/laptop-backup.nix b/makefu/2configs/laptop-backup.nix
deleted file mode 100644
index 8df7043c8..000000000
--- a/makefu/2configs/laptop-backup.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{config, lib, pkgs, ... }:
-
-{
-  systemd.user.services.duply-secrets = {
-    description = "run daily secrets backup";
-    startAt = "daily";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "{pkgs.duply}/bin/duply omo-secrets backup";
-    };
-  };
-}

From 102d394330ae8212907380b284c07bea4edd69e1 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:09:24 +0200
Subject: [PATCH 23/74] ma krops: bump home-manager

---
 makefu/krops.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makefu/krops.nix b/makefu/krops.nix
index 4f55915af..2f6f3a3d7 100644
--- a/makefu/krops.nix
+++ b/makefu/krops.nix
@@ -69,7 +69,7 @@
     (lib.mkIf ( host-src.home-manager ) {
       home-manager.git = {
         url = https://github.com/rycee/home-manager;
-        ref = "6eea2a4";
+        ref = "f947faf";
       };
     })
   ];

From 8845ee8363feff8d944db4dd954bae9fda6345f1 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:09:48 +0200
Subject: [PATCH 24/74] ma pkgs.switch-launcher: init

---
 makefu/5pkgs/switch-launcher/default.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 makefu/5pkgs/switch-launcher/default.nix

diff --git a/makefu/5pkgs/switch-launcher/default.nix b/makefu/5pkgs/switch-launcher/default.nix
new file mode 100644
index 000000000..cc7905a31
--- /dev/null
+++ b/makefu/5pkgs/switch-launcher/default.nix
@@ -0,0 +1,24 @@
+{ lib, pkgs, python3Packages, ... }:
+
+with python3Packages; buildPythonPackage rec {
+  name = "nodemcu-uploader-${version}";
+  version = "0.1.0";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "ksmit799";
+    repo = "switch-launcher";
+    rev = version;
+    sha256 = "0j24dwiqqjiks59s8gilnplsls130mp1jssg2rpjrvj0jg0w52zz";
+  };
+
+
+  propagatedBuildInputs = [
+    pyusb
+  ];
+
+  meta = {
+    homepage = https://github.com/ksmit799/switch-launcher;
+    description = "Desktop switch payload launcher based on a modified reswitched injector";
+    license = lib.licenses.bsd3;
+  };
+}

From 29752c0970c2964a7b1a5434fb7a583dd302ef43 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:10:25 +0200
Subject: [PATCH 25/74] ma pkgs.target-cli: init at 2.1

---
 makefu/5pkgs/targetcli/default.nix | 64 ++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 makefu/5pkgs/targetcli/default.nix

diff --git a/makefu/5pkgs/targetcli/default.nix b/makefu/5pkgs/targetcli/default.nix
new file mode 100644
index 000000000..927c34c5a
--- /dev/null
+++ b/makefu/5pkgs/targetcli/default.nix
@@ -0,0 +1,64 @@
+{ pkgs, fetchFromGitHub, ... }:
+with pkgs.python2Packages;
+let
+  version = "2.1";
+  rtslib = buildPythonPackage rec {
+    pname = "rtslib";
+    inherit version;
+    src = fetchFromGitHub {
+      owner = "datera";
+      repo = "rtslib";
+      rev = version;
+      sha256 = "1d58k9i4xigfqgycyismsqzkz65ssjdri2v9fg0wpica1klyyv22";
+    };
+    propagatedBuildInputs = [ ipaddr netifaces configobj ];
+  };
+  configshell = buildPythonPackage rec {
+    pname = "configshell";
+    version = "1.6";
+    src = fetchFromGitHub {
+      owner = "datera";
+      repo = "configshell";
+      rev = version;
+      sha256 = "14n7xbcaicsvwajv1aihz727dlkn6zfaqjbnn7mcpns83c2hms7y";
+    };
+    propagatedBuildInputs = [ pyparsing ];
+  };
+
+  tcm-py  = buildPythonPackage rec {
+    pname = "tcm-py";
+    version = "0ac9091c1ff7a52d5435a4f4449e82637142e06e";
+    src = fetchFromGitHub {
+      owner = "datera";
+      repo = "lio-utils";
+      rev = "0ac9091c1ff7a52d5435a4f4449e82637142e06e";
+      sha256 = "0fc922kxvgr7rwg1y875vqvkipcrixmlafsp5g8mipmq90i8zcq0";
+    } + "/tcm-py";
+    propagatedBuildInputs = [ ];
+  };
+
+  lio-py = buildPythonPackage rec {
+    pname = "lio-py";
+    version = "0ac9091c1ff7a52d5435a4f4449e82637142e06e";
+    src = fetchFromGitHub {
+      owner = "datera";
+      repo = "lio-utils";
+      rev = "0ac9091c1ff7a52d5435a4f4449e82637142e06e";
+      sha256 = "0fc922kxvgr7rwg1y875vqvkipcrixmlafsp5g8mipmq90i8zcq0";
+    } + "/lio-py";
+    propagatedBuildInputs = [ ];
+  };
+
+in buildPythonApplication rec {
+  pname = "targetcli";
+  inherit version;
+
+  propagatedBuildInputs = [ rtslib configshell lio-py tcm-py ];
+
+  src = fetchFromGitHub {
+    owner = "datera";
+    repo = "targetcli";
+    rev = version;
+    sha256 = "10nax7761g93qzky01y3hra8i4s11cgyy9w5w6l8781lj21lgi3d";
+  };
+}

From 56945ee3f2e16719943b8429d85ae3d61d8ee61f Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:10:56 +0200
Subject: [PATCH 26/74] ma hw/switch: init udev rules

---
 makefu/2configs/hw/switch.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 makefu/2configs/hw/switch.nix

diff --git a/makefu/2configs/hw/switch.nix b/makefu/2configs/hw/switch.nix
new file mode 100644
index 000000000..d46e8cf3f
--- /dev/null
+++ b/makefu/2configs/hw/switch.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+  users.extraUsers.${config.krebs.build.user.name}.extraGroups = [ "plugdev" ];
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="plugdev"
+  '';
+}

From 8c3e92d9eb51f4eae4bca0e11839be652cc142ad Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:11:23 +0200
Subject: [PATCH 27/74] ma mcomix: rip

---
 makefu/5pkgs/mcomix/default.nix | 24 ------------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 makefu/5pkgs/mcomix/default.nix

diff --git a/makefu/5pkgs/mcomix/default.nix b/makefu/5pkgs/mcomix/default.nix
deleted file mode 100644
index 7fb9cd375..000000000
--- a/makefu/5pkgs/mcomix/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ pkgs, lib ,python2Packages, fetchurl, gtk3}:
-python2Packages.buildPythonPackage rec {
-  name = "mcomix-${version}";
-  version = "1.2.1";
-
-  src = fetchurl {
-    url = "mirror://sourceforge/mcomix/${name}.tar.bz2";
-    sha256 = "0fzsf9pklhfs1rzwzj64c0v30b74nk94p93h371rpg45qnfiahvy";
-  };
-
-  propagatedBuildInputs = with python2Packages;
-    [ python2Packages.pygtk gtk3 python2Packages.pillow ];
-
-  # for module in sys.modules.itervalues():
-  #   RuntimeError: dictionary changed size during iteration
-  doCheck = false;
-
-  meta = {
-    homepage = https://github.com/pyload/pyload;
-    description = "Free and Open Source download manager written in Python";
-    license = lib.licenses.gpl3;
-    maintainers = with lib.maintainers; [ makefu ];
-  };
-}

From d8e481ac79f7d65fdede7cb553da8f27d7ccbfb8 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:16:34 +0200
Subject: [PATCH 28/74] ma nginx/euer.{blog,wiki}: add state dirs

---
 makefu/2configs/nginx/euer.blog.nix | 1 +
 makefu/2configs/nginx/euer.wiki.nix | 1 +
 2 files changed, 2 insertions(+)

diff --git a/makefu/2configs/nginx/euer.blog.nix b/makefu/2configs/nginx/euer.blog.nix
index 65d36d9b6..14d1285db 100644
--- a/makefu/2configs/nginx/euer.blog.nix
+++ b/makefu/2configs/nginx/euer.blog.nix
@@ -39,4 +39,5 @@ in {
       };
     };
   };
+  state = [ base-dir ];
 }
diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix
index 99533b25c..280622259 100644
--- a/makefu/2configs/nginx/euer.wiki.nix
+++ b/makefu/2configs/nginx/euer.wiki.nix
@@ -21,6 +21,7 @@ let
   tw-pass-file = "${sec}/tw-pass.ini";
 
 in {
+  state = [ base-dir ];
   services.phpfpm = {
     # phpfpm does not have an enable option
     poolConfigs  = {

From 851c0e47d1ac7073ea5a38a656f93054b20d4b44 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:17:37 +0200
Subject: [PATCH 29/74] ma bureautomation: add tasks for shutting down monitor

---
 .../deployment/bureautomation/hass.nix        | 32 ++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/deployment/bureautomation/hass.nix
index 4605e8933..b1eba22b4 100644
--- a/makefu/2configs/deployment/bureautomation/hass.nix
+++ b/makefu/2configs/deployment/bureautomation/hass.nix
@@ -11,6 +11,11 @@ let
     payload_available= "Online";
     payload_not_available= "Offline";
   };
+  tasmota_stecki = name: topic:
+    ( tasmota_plug name topic) // 
+    { state_topic = "/bam/${topic}/stat/POWER";
+      command_topic = "/bam/${topic}/cmnd/POWER";
+  };
   espeasy_dht22 = name: [
   { platform = "mqtt";
     name = "${name} DHT22 Temperature";
@@ -72,7 +77,7 @@ in {
       switch = [
         (tasmota_plug "Bauarbeiterlampe" "plug")
         (tasmota_plug "Blitzdings" "plug2")
-        (tasmota_plug "Fernseher" "plug3")
+        (tasmota_stecki "Fernseher" "fernseher")
         (tasmota_plug "Pluggy" "plug4")
       ];
       binary_sensor = [
@@ -116,6 +121,31 @@ in {
       frontend = { };
       http = { };
       feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ];
+      automation = [
+        { alias = "Turn on Fernseher on movement";
+          trigger = {
+            platform = "state";
+            entity_id = "binary_sensor.motion";
+            to = "on";
+          };
+          action = {
+            service= "homeassistant.turn_on";
+            entity_id= "switch.fernseher";
+          };
+        }
+        { alias = "Turn off Fernseher 10 minutes after last movement";
+          trigger = {
+            platform = "state";
+            entity_id = "binary_sensor.motion";
+            to = "off";
+            for.minutes = 10;
+          };
+          action = {
+            service= "homeassistant.turn_off";
+            entity_id= "switch.fernseher";
+          };
+        }
+      ];
     };
   };
 }

From 99b737e3e554b866fef2a9ba5fa58107e6c75aac Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:19:09 +0200
Subject: [PATCH 30/74] ma bepasty-dual: unauthorized on error

---
 makefu/2configs/bepasty-dual.nix      | 5 +++++
 makefu/2configs/deployment/graphs.nix | 5 -----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index 890652285..f63dbefd8 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -32,6 +32,11 @@ in {
             "paste.${config.krebs.build.host.name}"
             "paste.r"
           ];
+          extraConfig = ''
+            if ( $server_addr = "${external-ip}" ) {
+              return 403;
+            }
+          '';
         };
         defaultPermissions = "admin,list,create,read,delete";
         secretKeyFile = secKey;
diff --git a/makefu/2configs/deployment/graphs.nix b/makefu/2configs/deployment/graphs.nix
index bde9892cd..e7dc54dd0 100644
--- a/makefu/2configs/deployment/graphs.nix
+++ b/makefu/2configs/deployment/graphs.nix
@@ -6,11 +6,6 @@ let
   internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
   hn = config.krebs.build.host.name;
 in {
-  krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
-    if ( $server_addr = "${external-ip}" ) {
-      return 403;
-    }
-  '';
   krebs.tinc_graphs = {
     enable = true;
     nginx = {

From 4a445704512f50032747e73e10c5afeaa5cce6fc Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:19:46 +0200
Subject: [PATCH 31/74] ma pkgs.cozy: now upstream

---
 makefu/5pkgs/cozy-audiobooks/default.nix | 95 ------------------------
 1 file changed, 95 deletions(-)
 delete mode 100644 makefu/5pkgs/cozy-audiobooks/default.nix

diff --git a/makefu/5pkgs/cozy-audiobooks/default.nix b/makefu/5pkgs/cozy-audiobooks/default.nix
deleted file mode 100644
index 870fa8ce2..000000000
--- a/makefu/5pkgs/cozy-audiobooks/default.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-{ stdenv, fetchFromGitHub
-, ninja
-, boost
-, meson
-, pkgconfig
-, wrapGAppsHook
-, appstream-glib
-, desktop-file-utils
-, gtk3
-, glib
-, gst_all_1
-, gobjectIntrospection
-, python3Packages
-, file
-, cairo , sqlite , gettext
-, gnome3
-}:
-
-let
-  peewee = with python3Packages; buildPythonPackage rec {
-    # https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/python-peewee
-    pname = "peewee";
-    version = "3.6.4";
-    src = fetchPypi {
-      inherit pname version;
-      sha256 = "1fi4z9n86ri79gllwav0gv3hmwipzmkvivzfyszfqn9fi5zpp3ak";
-    };
-    doCheck = false;
-
-    checkPhase = ''
-      python runtests.py
-    '';
-
-    buildInputs = [
-      cython
-      sqlite
-      # psycopg2
-      # mysql-connector
-    ];
-    meta.license = stdenv.lib.licenses.mit;
-  };
-in
-stdenv.mkDerivation rec {
-  name = "cozy-${version}";
-  version = "0.6.0";
-
-  src = fetchFromGitHub {
-    owner = "geigi";
-    repo = "cozy";
-    rev = version;
-    sha256 = "1afl3qsn9h4k8fgp63z0ab9p5ashrg3g936a9rh3i9qydv6s3srd";
-  };
-
-  postPatch = ''
-    chmod +x data/meson_post_install.py
-    patchShebangs data/meson_post_install.py
-    substituteInPlace cozy/magic/magic.py --replace "ctypes.util.find_library('magic')" "'${file}/lib/libmagic${stdenv.hostPlatform.extensions.sharedLibrary}'"
-  '';
-  postInstall = ''
-      wrapProgram $out/bin/com.github.geigi.cozy \
-      --prefix PYTHONPATH : "$PYTHONPATH:$(toPythonPath $out)"
-
-  '';
-  wrapPrefixVariables = [ "PYTHONPATH" ];
-
-
-  nativeBuildInputs = [
-    meson ninja pkgconfig
-    wrapGAppsHook
-    appstream-glib
-    desktop-file-utils
-    gobjectIntrospection
-
-  ];
-  buildInputs = with gst_all_1; [ gtk3 glib
-  gstreamer gst-plugins-good  gst-plugins-ugly gst-plugins-base cairo gettext
-  gnome3.defaultIconTheme gnome3.gsettings-desktop-schemas
-  ]
-   ++ (with python3Packages; [
-    python gst-python pygobject3 dbus-python mutagen peewee magic
-
-  ]);
-
-  checkPhase = ''
-    ninja test
-  '';
-
-  meta = with stdenv.lib; {
-    description = ''
-       A modern audio book player for Linux using GTK+ 3
-    '';
-    maintainers = [ maintainers.makefu ];
-    license = licenses.mit;
-  };
-}

From f2b532c7ea8a87e46b3d0c8107c33bd631ff08ab Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:20:19 +0200
Subject: [PATCH 32/74] ma torrent: add state, torrent.<hostname>.r

---
 makefu/2configs/torrent.nix | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent.nix
index 3df0ddbfe..ca368dbf0 100644
--- a/makefu/2configs/torrent.nix
+++ b/makefu/2configs/torrent.nix
@@ -3,12 +3,11 @@
 with import <stockholm/lib>;
 
 let
-  daemon-user = "tor";
   basicAuth = import <torrent-secrets/auth.nix>;
   peer-port = 51412;
   web-port = 8112;
   daemon-port = 58846;
-  base-dir = config.makefu.dl-dir;
+  base-dir = config.krebs.rtorrent.workDir;
 in {
 
   users.users = {
@@ -23,17 +22,6 @@ in {
     };
   };
 
-  # todo: race condition, do this after download user has been created
-  system.activationScripts."download-dir-chmod" = ''
-    for i in finished watch; do
-      if test ! -d $i;then
-        mkdir -p "${base-dir}/$i"
-        chown rtorrent:download "${base-dir}/$i"
-        chmod 775 "${base-dir}/$i"
-      fi
-    done
-  '';
-
   users.extraGroups = {
     download = {
       gid = lib.mkDefault (genid "download");
@@ -57,15 +45,17 @@ in {
     rutorrent.enable = true;
     enableXMLRPC = true;
     listenPort = peer-port;
-    downloadDir = base-dir + "/finished";
-    watchDir = base-dir + "/watch";
+    downloadDir = config.makefu.dl-dir;
     # dump old torrents into watch folder to have them re-added
   };
 
+  services.nginx.virtualHosts."torrent.${config.krebs.build.host.name}.r".locations."/" = { proxyPass = "http://localhost:${toString web-port}/"; };
+
   networking.firewall.extraCommands = ''
     iptables -A INPUT -i retiolum -p tcp --dport ${toString web-port} -j ACCEPT
   '';
 
   networking.firewall.allowedTCPPorts = [ peer-port ];
   networking.firewall.allowedUDPPorts = [ peer-port ];
+  state = [ config.krebs.rtorrent.sessionDir ]; # state which torrents were loaded
 }

From 8f10933423df2f4dd71e13ef28a006e2fad67405 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:20:51 +0200
Subject: [PATCH 33/74] ma tools: shuffle

---
 makefu/2configs/tools/android-pentest.nix | 2 +-
 makefu/2configs/tools/desktop.nix         | 2 +-
 makefu/2configs/tools/extra-gui.nix       | 1 -
 makefu/2configs/tools/media.nix           | 2 +-
 makefu/2configs/tools/mobility.nix        | 2 ++
 makefu/2configs/tools/secrets.nix         | 2 +-
 6 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/makefu/2configs/tools/android-pentest.nix b/makefu/2configs/tools/android-pentest.nix
index da8a357ae..9dedafdd2 100644
--- a/makefu/2configs/tools/android-pentest.nix
+++ b/makefu/2configs/tools/android-pentest.nix
@@ -9,7 +9,7 @@
     dex2jar
     apktool
     jd-gui
-    android-studio
+    # android-studio
     jdk
     jre
     openssl
diff --git a/makefu/2configs/tools/desktop.nix b/makefu/2configs/tools/desktop.nix
index bb14c3eb5..924668803 100644
--- a/makefu/2configs/tools/desktop.nix
+++ b/makefu/2configs/tools/desktop.nix
@@ -3,7 +3,7 @@
 {
   users.users.makefu.packages = with pkgs; [
     taskwarrior
-    pass
+    (pass.withExtensions (ext: [ ext.pass-otp ]))
     gopass
     mutt
     weechat
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index 1c28eeffd..3d26cc574 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -6,7 +6,6 @@
     gimp
     inkscape
     libreoffice
-    quodlibet
     # skype
     synergy
     tdesktop
diff --git a/makefu/2configs/tools/media.nix b/makefu/2configs/tools/media.nix
index a61b6c88e..988550655 100644
--- a/makefu/2configs/tools/media.nix
+++ b/makefu/2configs/tools/media.nix
@@ -7,7 +7,7 @@
     vlc
     mumble
     mplayer
-    quodlibet
+    quodlibet # exfalso
 
     plowshare
     streamripper
diff --git a/makefu/2configs/tools/mobility.nix b/makefu/2configs/tools/mobility.nix
index 8a559dbbd..11151003d 100644
--- a/makefu/2configs/tools/mobility.nix
+++ b/makefu/2configs/tools/mobility.nix
@@ -7,6 +7,8 @@
     rclone
     exfat
     (pkgs.callPackage ./secrets.nix {})
+
+    opensc pcsctools libu2f-host
   ];
 
   # boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
diff --git a/makefu/2configs/tools/secrets.nix b/makefu/2configs/tools/secrets.nix
index f88618cbc..7d10983c7 100644
--- a/makefu/2configs/tools/secrets.nix
+++ b/makefu/2configs/tools/secrets.nix
@@ -1,7 +1,7 @@
 { pass, write, writeDash, ... }:
 
 write "secrets" {
-  "/bin/secrets".link = writeDash "brain" ''
+  "/bin/secrets".link = writeDash "secrets" ''
     PASSWORD_STORE_DIR=$HOME/.secrets-pass/ \
     exec ${pass}/bin/pass $@
   '';

From 90da0939308ac0b7e3d73370ee6c12b5901990b7 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:21:22 +0200
Subject: [PATCH 34/74] ma cgit-retiolum: add secrets repo

---
 makefu/2configs/git/cgit-retiolum.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index 1a7f3d987..4890e4afe 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -41,6 +41,7 @@ let
     autosync = { };
     fenkins = { };
     pass = { };
+    secrets = { };
   };
 
   connector-repos = mapAttrs make-priv-repo {

From f1bd2ce84d820d0b35c56245d820beffd7d2eb5b Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:21:58 +0200
Subject: [PATCH 35/74] ma gui: do not use antialiased fonts

---
 makefu/2configs/gui/base.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makefu/2configs/gui/base.nix b/makefu/2configs/gui/base.nix
index 861a9327e..6bcd09826 100644
--- a/makefu/2configs/gui/base.nix
+++ b/makefu/2configs/gui/base.nix
@@ -66,7 +66,7 @@ in
       cat |derp <<EOF
       XTerm*background: black
       XTerm*foreground: white
-      XTerm*FaceName  : xft:xos4 Terminus:pixelsize=11
+      XTerm*FaceName  : xft:Terminus:pixelsize=12
 
       URxvt*termName:         rxvt
       URxvt*saveLines:            10000
@@ -78,7 +78,7 @@ in
       URxvt.background: black
       URxvt.urgentOnBell: true
       URxvt.visualBell: false
-      URxvt.font : xft:xos4 Terminus:size=11
+      URxvt.font : xft:Terminus:size=12
 
 
       ! blue

From 4d9b2888b037ad9b239477a5399fd9e6ec210f58 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:22:21 +0200
Subject: [PATCH 36/74] ma gui/wbob-kiosk: disable screensaver on startup

---
 makefu/2configs/gui/wbob-kiosk.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/makefu/2configs/gui/wbob-kiosk.nix b/makefu/2configs/gui/wbob-kiosk.nix
index 7db749227..b0479d0d7 100644
--- a/makefu/2configs/gui/wbob-kiosk.nix
+++ b/makefu/2configs/gui/wbob-kiosk.nix
@@ -22,4 +22,16 @@
       xrandr --output HDMI2 --right-of HDMI1
     '';
   };
+
+  systemd.services.xset-off = {
+    after = [ "display-manager.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${pkgs.xlibs.xset}/bin/xset -display :0 s off -dpms";
+      RemainAfterExit = "yes";
+      TimeoutSec = "5";
+      Restart = "on-failure";
+    };
+  };
+
 }

From 7a3801c75ef2ecccb976be8ed62367e6ddb3ce25 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:28:52 +0200
Subject: [PATCH 37/74] ma home-manager: bump

---
 makefu/2configs/home-manager/cli.nix     |  8 +++-
 makefu/2configs/home-manager/default.nix |  3 ++
 makefu/2configs/home-manager/desktop.nix | 52 +++++++++++++++---------
 makefu/2configs/home-manager/mail.nix    |  3 +-
 4 files changed, 44 insertions(+), 22 deletions(-)

diff --git a/makefu/2configs/home-manager/cli.nix b/makefu/2configs/home-manager/cli.nix
index 1efc4d2bf..64aa03bd7 100644
--- a/makefu/2configs/home-manager/cli.nix
+++ b/makefu/2configs/home-manager/cli.nix
@@ -1,12 +1,18 @@
-{
+{pkgs, ... }: {
   home-manager.users.makefu = {
     services.gpg-agent = {
+      enable = true;
       defaultCacheTtl = 900;
       maxCacheTtl = 7200;
       defaultCacheTtlSsh = 3600;
       maxCacheTtlSsh = 86400;
       enableSshSupport = true;
+      enableScDaemon = true;
     };
     programs.fzf.enable = true; # alt-c
   };
+  services.udev.packages = [
+    pkgs.libu2f-host
+    pkgs.yubikey-personalization
+  ];
 }
diff --git a/makefu/2configs/home-manager/default.nix b/makefu/2configs/home-manager/default.nix
index e75ee6262..2a4574cc8 100644
--- a/makefu/2configs/home-manager/default.nix
+++ b/makefu/2configs/home-manager/default.nix
@@ -4,4 +4,7 @@
   ];
   home-manager.users.makefu = {
   };
+  environment.variables = {
+    GTK_DATA_PREFIX = "/run/current-system/sw";
+  };
 }
diff --git a/makefu/2configs/home-manager/desktop.nix b/makefu/2configs/home-manager/desktop.nix
index c2f854d47..ce98e651a 100644
--- a/makefu/2configs/home-manager/desktop.nix
+++ b/makefu/2configs/home-manager/desktop.nix
@@ -1,31 +1,43 @@
-{pkgs, ... }: {
+{ pkgs, lib, ... }: 
+
+{
   home-manager.users.makefu = {
     programs.browserpass = { browsers = [ "firefox" ] ; enable = true; };
+    programs.firefox.enable = true;
     services.network-manager-applet.enable = true;
+    systemd.user.services.network-manager-applet.Service.Environment = ''XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache'';
     services.blueman-applet.enable = true;
     services.pasystray.enable = true;
-
-  systemd.user.services.network-manager-applet.Service.Environment = ''
-        XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
-      '';
-  systemd.user.services.clipit = {
-    Unit = {
-      Description = "clipboard manager";
-      After = [ "graphical-session-pre.target" ];
-      PartOf = [ "graphical-session.target" ];
+    systemd.user.services.pasystray.Service.Environment = "PATH=" + (lib.makeBinPath (with pkgs;[ pavucontrol paprefs /* pavumeter  */  /* paman */ ]) );
+    programs.chromium = {
+      enable = true;
+      extensions = [
+        "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
+        "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
+        # "liloimnbhkghhdhlamdjipkmadhpcjmn" # krebsgold
+        "fpnmgdkabkmnadcjpehmlllkndpkmiak" # wayback machine
+        "gcknhkkoolaabfmlnjonogaaifnjlfnp" # foxyproxy
+        "abkfbakhjpmblaafnpgjppbmioombali" # memex
+        "kjacjjdnoddnpbbcjilcajfhhbdhkpgk" # forest
+      ];
     };
 
-    Install = {
-      WantedBy = [ "graphical-session.target" ];
-    };
+    systemd.user.services.clipit = {
+      Unit = {
+        Description = "clipboard manager";
+        After = [ "graphical-session-pre.target" ];
+        PartOf = [ "graphical-session.target" ];
+      };
 
-    Service = {
-      Environment = ''
-        XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
-      '';
-      ExecStart = "${pkgs.clipit}/bin/clipit";
-      Restart = "on-abort";
+      Install = {
+        WantedBy = [ "graphical-session.target" ];
+      };
+
+      Service = {
+        Environment = ''XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache'';
+        ExecStart = "${pkgs.clipit}/bin/clipit";
+        Restart = "on-abort";
+      };
     };
   };
-  };
 }
diff --git a/makefu/2configs/home-manager/mail.nix b/makefu/2configs/home-manager/mail.nix
index ce7ae4f4d..467e0d7a0 100644
--- a/makefu/2configs/home-manager/mail.nix
+++ b/makefu/2configs/home-manager/mail.nix
@@ -1,5 +1,6 @@
 {
   home-manager.users.makefu = {
+    accounts.email.maildirBasePath =  "/home/makefu/Mail";
     accounts.email.accounts.syntaxfehler = {
       address = "felix.richter@syntax-fehler.de";
       userName = "Felix.Richter@syntax-fehler.de";
@@ -27,7 +28,7 @@
       };
       primary = true;
       realName = "Felix Richter";
-      passwordCommand = "gpg --use-agent --quiet --batch -d /home/makefu/.mail/syntax-fehler.gpg";
+      passwordCommand = "gpg --use-agent --quiet --batch -d /home/makefu/.gnupg/mail/syntax-fehler.gpg";
     };
     programs.offlineimap.enable = true;
     programs.offlineimap.extraConfig = {

From f6b82f2d1f3cd5df1d70bf2b8e9f69196268f1e3 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:29:34 +0200
Subject: [PATCH 38/74] ma hw/bluetooth: add blueman to dbus packages

---
 makefu/2configs/hw/bluetooth.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/makefu/2configs/hw/bluetooth.nix b/makefu/2configs/hw/bluetooth.nix
index 313ca0147..e556b43c0 100644
--- a/makefu/2configs/hw/bluetooth.nix
+++ b/makefu/2configs/hw/bluetooth.nix
@@ -1,9 +1,7 @@
 { pkgs, ... }:
 { # bluetooth+pulse config
 # for blueman-applet
-  users.users.makefu.packages = [
-    pkgs.blueman
-  ];
+  users.users.makefu.packages = [ pkgs.blueman ];
   hardware.pulseaudio = {
     enable = true;
     package = pkgs.pulseaudioFull;
@@ -39,4 +37,5 @@
       Enable=Source,Sink,Media,Socket
     '';
   };
+  services.dbus.packages = [ pkgs.blueman ];
 }

From 85e7795a34c757993118a39a8b6bb23465c0246b Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:29:55 +0200
Subject: [PATCH 39/74] ma hw/network-manager: collect state

---
 makefu/2configs/hw/network-manager.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/makefu/2configs/hw/network-manager.nix b/makefu/2configs/hw/network-manager.nix
index ffc32e0cb..3b9d04549 100644
--- a/makefu/2configs/hw/network-manager.nix
+++ b/makefu/2configs/hw/network-manager.nix
@@ -27,4 +27,7 @@
     powersave = true;
     scanRandMacAddress = true;
   };
+  state = [
+    "/etc/NetworkManager/system-connections"  #NM stateful config files
+  ];
 }

From 2e88305f407f1b3b2d71e7c3948645374c8cfd65 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:31:37 +0200
Subject: [PATCH 40/74] ma virtualbox: cleanup

---
 makefu/2configs/virtualisation/virtualbox.nix | 21 ++-----------------
 1 file changed, 2 insertions(+), 19 deletions(-)

diff --git a/makefu/2configs/virtualisation/virtualbox.nix b/makefu/2configs/virtualisation/virtualbox.nix
index 30de6e44a..e90cc1e8d 100644
--- a/makefu/2configs/virtualisation/virtualbox.nix
+++ b/makefu/2configs/virtualisation/virtualbox.nix
@@ -1,26 +1,9 @@
 { config, lib, pkgs, ... }:
 
-let
-  mainUser = config.krebs.build.user;
-  vboxguestpkg =  lib.stdenv.mkDerivation rec {
-    name = "Virtualbox-Extensions-${version}-${rev}";
-    version = "5.0.20";
-    rev = "106931";
-    src = pkgs.fetchurl {
-        url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
-        sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf";
-      };
-  };
-in {
+{
   virtualisation.virtualbox.host.enable = true;
   nixpkgs.config.virtualbox.enableExtensionPack = true;
   virtualisation.virtualbox.host.enableHardening = false;
 
-  users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
-  nixpkgs.config.packageOverrides = super: {
-    boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override {
-      buildInputs = super.boot.kernelPackages.virtualBox.buildInputs
-        ++ [ vboxguestpkg ];
-    };
-  };
+  users.extraGroups.vboxusers.members = [ config.krebs.build.user.name ];
 }

From 5c1e92aaf6fc0a3882207a5cb3ff03b7aeab04d6 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:33:33 +0200
Subject: [PATCH 41/74] ma gum.r: manage less services

---
 makefu/1systems/gum/config.nix | 67 +++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 33 deletions(-)

diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 36af23bb5..75b0680b2 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -8,11 +8,23 @@ in {
   imports = [
       <stockholm/makefu>
       ./hardware-config.nix
+      {
+        users.users.lass = {
+          uid = 9002;
+          isNormalUser = true;
+          createHome = true;
+          useDefaultShell = true;
+          openssh.authorizedKeys.keys = with config.krebs.users; [
+            lass.pubkey
+            makefu.pubkey
+          ];
+        };
+      }
       <stockholm/makefu/2configs/headless.nix>
       # <stockholm/makefu/2configs/smart-monitor.nix>
 
       <stockholm/makefu/2configs/git/cgit-retiolum.nix>
-      <stockholm/makefu/2configs/backup.nix>
+      <stockholm/makefu/2configs/backup/state.nix>
       # <stockholm/makefu/2configs/mattermost-docker.nix>
       # <stockholm/makefu/2configs/disable_v6.nix>
       <stockholm/makefu/2configs/exim-retiolum.nix>
@@ -42,23 +54,24 @@ in {
 
       # buildbot
       <stockholm/makefu/2configs/remote-build/slave.nix>
+      <stockholm/makefu/2configs/shack/gitlab-runner>
 
       ## Web
-      <stockholm/makefu/2configs/nginx/share-download.nix>
-      <stockholm/makefu/2configs/nginx/euer.test.nix>
-      <stockholm/makefu/2configs/nginx/euer.mon.nix>
-      <stockholm/makefu/2configs/nginx/euer.wiki.nix>
-      <stockholm/makefu/2configs/nginx/euer.blog.nix>
-      # <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
-      <stockholm/makefu/2configs/nginx/public_html.nix>
-      <stockholm/makefu/2configs/nginx/update.connector.one.nix>
-      <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
+      #<stockholm/makefu/2configs/nginx/share-download.nix>
+      #<stockholm/makefu/2configs/nginx/euer.test.nix>
+      #<stockholm/makefu/2configs/nginx/euer.mon.nix>
+      #<stockholm/makefu/2configs/nginx/euer.wiki.nix>
+      #<stockholm/makefu/2configs/nginx/euer.blog.nix>
+      ## <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
+      #<stockholm/makefu/2configs/nginx/public_html.nix>
+      #<stockholm/makefu/2configs/nginx/update.connector.one.nix>
+      #<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
 
-      <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
+      # <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
       # <stockholm/makefu/2configs/deployment/graphs.nix>
-      <stockholm/makefu/2configs/deployment/owncloud.nix>
-      <stockholm/makefu/2configs/deployment/boot-euer.nix>
-      <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
+      # <stockholm/makefu/2configs/deployment/owncloud.nix>
+      # <stockholm/makefu/2configs/deployment/boot-euer.nix>
+      # <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
 
       {
         services.taskserver.enable = true;
@@ -71,11 +84,11 @@ in {
         '';
       }
       # <stockholm/makefu/2configs/ipfs.nix>
-      <stockholm/makefu/2configs/syncthing.nix>
+      # <stockholm/makefu/2configs/syncthing.nix>
 
       # <stockholm/makefu/2configs/opentracker.nix>
       <stockholm/makefu/2configs/dcpp/hub.nix>
-      <stockholm/makefu/2configs/dcpp/client.nix>
+      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
 
       <stockholm/makefu/2configs/stats/client.nix>
       # <stockholm/makefu/2configs/logging/client.nix>
@@ -98,10 +111,6 @@ in {
       #  };
       #}
       <stockholm/makefu/2configs/wireguard/server.nix>
-      { # iperf3
-        networking.firewall.allowedUDPPorts = [ 5201 ];
-        networking.firewall.allowedTCPPorts = [ 5201 ];
-      }
 
   ];
   makefu.dl-dir = "/var/download";
@@ -133,20 +142,12 @@ in {
     makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
   };
 
-  # Chat
-  environment.systemPackages = with pkgs;[
-    weechat
-    bepasty-client-cli
-    get
-    tmux
-  ];
-
   # Network
   networking = {
     firewall = {
-        allowPing = true;
-        logRefusedConnections = false;
-        allowedTCPPorts = [
+      allowPing = true;
+      logRefusedConnections = false;
+      allowedTCPPorts = [
           # smtp
           25
           # http
@@ -174,9 +175,9 @@ in {
           # tinc-shack
           21032
         ];
+      };
+      nameservers = [ "8.8.8.8" ];
     };
-    nameservers = [ "8.8.8.8" ];
-  };
   users.users.makefu.extraGroups = [ "download" "nginx" ];
   boot.tmpOnTmpfs = true;
 }

From cfd65930a09d0b147bdd54bccf26b4f1004862dc Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:34:54 +0200
Subject: [PATCH 42/74] ma x.r: manage more state, use new services

---
 makefu/1systems/x/config.nix | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix
index 66d904512..5a4eea2e4 100644
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@@ -15,7 +15,7 @@
       <stockholm/makefu/2configs/extra-fonts.nix>
       <stockholm/makefu/2configs/tools/all.nix>
 
-      <stockholm/makefu/2configs/laptop-backup.nix>
+      <stockholm/makefu/2configs/backup/state.nix>
       # <stockholm/makefu/2configs/dnscrypt/client.nix>
       <stockholm/makefu/2configs/avahi.nix>
 
@@ -74,6 +74,7 @@
       <stockholm/makefu/2configs/hw/network-manager.nix>
       <stockholm/makefu/2configs/hw/stk1160.nix>
       <stockholm/makefu/2configs/hw/irtoy.nix>
+      <stockholm/makefu/2configs/hw/switch.nix>
       <stockholm/makefu/2configs/hw/bluetooth.nix>
       # <stockholm/makefu/2configs/hw/rad1o.nix>
       <stockholm/makefu/2configs/hw/smartcard.nix>
@@ -83,11 +84,11 @@
 
       # Security
       <stockholm/makefu/2configs/sshd-totp.nix>
-      {
-        programs.adb.enable = true;
-      }
+      { programs.adb.enable = true; }
       # temporary
+      { services.redis.enable = true; }
       <stockholm/makefu/2configs/pyload.nix>
+      # <stockholm/makefu/2configs/dcpp/airdcpp.nix>
       # <stockholm/makefu/2configs/nginx/rompr.nix>
       # <stockholm/makefu/2configs/lanparty/lancache.nix>
       # <stockholm/makefu/2configs/lanparty/lancache-dns.nix>
@@ -121,13 +122,11 @@
     ];
 
   makefu.server.primary-itf = "wlp3s0";
-  makefu.full-populate = true;
 
   nixpkgs.config.allowUnfree = true;
 
   # configure pulseAudio to provide a HDMI sink as well
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ];
   networking.firewall.allowedUDPPorts = [ 665 26061 ];
   networking.firewall.trustedInterfaces = [ "vboxnet0" ];
 
@@ -144,14 +143,25 @@
   # avoid full boot dir
   boot.loader.grub.configurationLimit = 3;
 
-  environment.systemPackages = [ pkgs.passwdqc-utils pkgs.nixUnstable ];
+  environment.systemPackages = [ pkgs.passwdqc-utils ];
 
   # environment.variables = { GOROOT = [ "${pkgs.go.out}/share/go" ]; };
   state = [
     "/home/makefu/stockholm"
-    "/home/makefu/backup/borgun"
-    "/home/makefu/.mail/"
+    "/home/makefu/.ssh/"
+    "/home/makefu/.zsh_history"
+    "/home/makefu/.bash_history"
+    "/home/makefu/.zshrc"
+    "/home/makefu/bin"
+    "/home/makefu/.gnupg"
+    "/home/makefu/.imapfilter"
+    "/home/makefu/.mutt"
+    "/home/makefu/docs"
+    "/home/makefu/.password-store"
+    "/home/makefu/.secrets-pass"
+    "/home/makefu/autosync/Database.kdb"
   ];
+
   services.syncthing.user = lib.mkForce "makefu";
   services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/";
 }

From ba234de4e1aa42e2abbd6edcfbb509b755ac6c16 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:35:17 +0200
Subject: [PATCH 43/74] ma nextgum.r: almost finished the migration

---
 makefu/1systems/nextgum/config.nix | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/makefu/1systems/nextgum/config.nix b/makefu/1systems/nextgum/config.nix
index 64516fa98..1c5cca0de 100644
--- a/makefu/1systems/nextgum/config.nix
+++ b/makefu/1systems/nextgum/config.nix
@@ -21,10 +21,10 @@ in {
       <stockholm/makefu/2configs/tools/sec.nix>
       <stockholm/makefu/2configs/zsh-user.nix>
       <stockholm/makefu/2configs/mosh.nix>
-      <stockholm/makefu/2configs/gui/xpra.nix>
+      # <stockholm/makefu/2configs/gui/xpra.nix>
 
       <stockholm/makefu/2configs/git/cgit-retiolum.nix>
-      <stockholm/makefu/2configs/backup.nix>
+      # <stockholm/makefu/2configs/backup.nix>
       # <stockholm/makefu/2configs/exim-retiolum.nix>
       <stockholm/makefu/2configs/tinc/retiolum.nix>
 
@@ -52,6 +52,7 @@ in {
       # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
       <stockholm/makefu/2configs/dnscrypt/server.nix>
       <stockholm/makefu/2configs/binary-cache/server.nix>
+      <stockholm/makefu/2configs/backup/server.nix>
       <stockholm/makefu/2configs/iodined.nix>
       <stockholm/makefu/2configs/bitlbee.nix>
 
@@ -66,22 +67,22 @@ in {
       ### Web
       #<stockholm/makefu/2configs/nginx/share-download.nix>
       #<stockholm/makefu/2configs/nginx/euer.test.nix>
-      #<stockholm/makefu/2configs/nginx/euer.mon.nix>
-      #<stockholm/makefu/2configs/nginx/euer.wiki.nix>
-      #<stockholm/makefu/2configs/nginx/euer.blog.nix>
+      <stockholm/makefu/2configs/nginx/euer.mon.nix>
+      <stockholm/makefu/2configs/nginx/euer.wiki.nix>
+      <stockholm/makefu/2configs/nginx/euer.blog.nix>
       ## <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
       #<stockholm/makefu/2configs/nginx/public_html.nix>
       #<stockholm/makefu/2configs/nginx/update.connector.one.nix>
-      #<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
+      <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
       <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
       <stockholm/makefu/2configs/nginx/iso.euer.nix>
-      <stockholm/makefu/2configs/deployment/events-publisher>
+      <stockholm/makefu/2configs/shack/events-publisher>
 
-      #<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
-      #<stockholm/makefu/2configs/deployment/graphs.nix>
-      #<stockholm/makefu/2configs/deployment/owncloud.nix>
-      #<stockholm/makefu/2configs/deployment/boot-euer.nix>
-      #<stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
+      <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
+      <stockholm/makefu/2configs/deployment/graphs.nix>
+      <stockholm/makefu/2configs/deployment/owncloud.nix>
+      <stockholm/makefu/2configs/deployment/boot-euer.nix>
+      <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
 
       {
         services.taskserver.enable = true;
@@ -250,4 +251,5 @@ in {
   };
   users.users.makefu.extraGroups = [ "download" "nginx" ];
   boot.tmpOnTmpfs = true;
+  state = [ "/home/makefu/.weechat" ];
 }

From acaadbb6fd7f61ccd2f131ad9b59c140068d7473 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sun, 21 Oct 2018 23:36:19 +0200
Subject: [PATCH 44/74] ma wbob.r: no more synergy

---
 makefu/1systems/wbob/config.nix | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix
index e1d66a2f9..e1d61081e 100644
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@@ -174,20 +174,4 @@ in {
       fsType = "ext4";
     };
   };
-
-  # DualHead on NUC
-  # TODO: update synergy package with these extras (username)
-  # TODO: add crypto layer
-  systemd.services."synergy-client" = {
-    environment.DISPLAY = ":0";
-    serviceConfig.User = user;
-  };
-
-  services.synergy = {
-    client = {
-      enable = true;
-      screenName = "wbob";
-      serverAddress = "x.r";
-    };
-  };
 }

From 228d4acd7b17afb245627f62f8943f418fb1dd8d Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 30 Oct 2018 19:26:02 +0100
Subject: [PATCH 45/74] l: adopt kruck.r (palo)

---
 krebs/3modules/lass/default.nix | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 6b4dc3f17..4d382cfd3 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -338,6 +338,35 @@ with import <stockholm/lib>;
         };
       };
     };
+    kruck = {
+      monitoring = false;
+      ci = false;
+      external = true;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.29.201";
+          ip6.addr = "42:4234:6a6d:600::1";
+          aliases = [
+            "kruck.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh
+            QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA
+            EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U
+            uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/
+            /RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR
+            9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s
+            qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH
+            gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj
+            jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs
+            fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5
+            TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ==
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
     turingmachine = {
       monitoring = false;
       ci = false;

From f170326b0518d28f6ac611559edf1e4cbadeadc1 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Wed, 31 Oct 2018 13:40:57 +0100
Subject: [PATCH 46/74] nixpkgs: 81f5c26 -> 06fb025

---
 krebs/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 60307e694..b761246cd 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
   "url": "https://github.com/NixOS/nixpkgs-channels",
-  "rev": "81f5c2698a87c65b4970c69d472960c574ea0db4",
-  "date": "2018-10-17T20:48:45-04:00",
-  "sha256": "0p4x9532d3qlbykyyq8zk62k8py9mxd1s7zgbv54zmv597rs5y35",
+  "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
+  "date": "2018-10-24T10:37:15-04:00",
+  "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
   "fetchSubmodules": false
 }

From 77a83976ceab16e394602c1128b633ef67bd87cf Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 4 Nov 2018 18:26:04 +0100
Subject: [PATCH 47/74] l: prism.r -> archprism.r, new prism.r

---
 krebs/3modules/lass/default.nix      |  42 +++-
 lass/1systems/archprism/config.nix   | 356 +++++++++++++++++++++++++++
 lass/1systems/archprism/physical.nix |  77 ++++++
 3 files changed, 474 insertions(+), 1 deletion(-)
 create mode 100644 lass/1systems/archprism/config.nix
 create mode 100644 lass/1systems/archprism/physical.nix

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 4d382cfd3..fbe0f6c1c 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -38,7 +38,7 @@ with import <stockholm/lib>;
       };
       nets = rec {
         internet = {
-          ip4.addr = "46.4.114.247";
+          ip4.addr = "95.216.1.150";
           aliases = [
             "prism.i"
             "paste.i"
@@ -87,6 +87,46 @@ with import <stockholm/lib>;
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
     };
+
+    archprism = {
+      cores = 1;
+      nets = rec {
+        internet = {
+          ip4.addr = "46.4.114.247";
+          aliases = [
+            "archprism.i"
+          ];
+          ssh.port = 45621;
+        };
+        retiolum = {
+          via = internet;
+          ip4.addr = "10.243.0.123";
+          ip6.addr = "42:0:0:0:0:0:0:123";
+          aliases = [
+            "prism.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6dK0jsPSb7kWMGjfyWbG
+            wQYYt8vi5pY/1/Ohk0iy84+mfb1SCJdm5IOC4WXgHtmfd468OluUpU5etAu13D3n
+            f0iDeCuohH0uTjP+EojnKrAXYTiTRpySqXjVmhaWwFyMAACFdzKFb9cgMoByrP0U
+            5qruBcupK8Zwxt+Pe8IadRpPuOmz/bMYS7r+NKwybttoIX+YVm4myNzqdtMT77+H
+            BYR2mzW99T5YI54YZoCe0+XiIEQsosd6IL/9dP0+6vku6nHLD4qb81Q9AgaT+hte
+            s/ivHL+Fe2GULEQUi8aoEfXrPwnGFVY+QYxLw2G9A0Gfe9KnYBXDn99HXUGcFu2l
+            x7duN6mnT3WNC6VReh9m5+rPMnih/3l82W0tH1lBWUtdKcxx6yhkyUFgKOvkm4UP
+            gf1+EIpxf+bM7jlWylKGc+bD+dTMFV+tzHE6qHlcnzdZQrhYd0zjOXGnm4Kl1ec5
+            GSlpmqTcjgR+42l6frAENo3fndqYw1WkDtswImDz3Wjuco7BiOULHTJvQN+Ao1DI
+            l2MQDOWJoN4eYIE4XPqLSvdOSavHQB2WGv+dFDDpWOxnDLNi19aubtynIfpGJXxV
+            L8s9kUTG00Hdv08BG06hGt0+2Sy1PTVniDcTftHKmEOPS6Y5rJzQih7JdakSUQCc
+            6j/HwgWTf85Io/tbVMTNtkECAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
+    };
+
     domsen-nas = {
       ci = false;
       monitoring = false;
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
new file mode 100644
index 000000000..0a286c6f0
--- /dev/null
+++ b/lass/1systems/archprism/config.nix
@@ -0,0 +1,356 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/libvirt.nix>
+    {
+      services.nginx.enable = true;
+      imports = [
+        <stockholm/lass/2configs/websites/domsen.nix>
+        <stockholm/lass/2configs/websites/lassulus.nix>
+      ];
+      # needed by domsen.nix ^^
+      lass.usershadow = {
+        enable = true;
+      };
+
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
+      ];
+    }
+    { # TODO make new hfos.nix out of this vv
+      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+      users.users.riot = {
+        uid = genid "riot";
+        isNormalUser = true;
+        extraGroups = [ "libvirtd" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+        ];
+      };
+
+      # TODO write function for proxy_pass (ssl/nonssl)
+
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
+      ];
+    }
+    {
+      users.users.tv = {
+        uid = genid "tv";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.tv.pubkey
+        ];
+      };
+      users.users.makefu = {
+        uid = genid "makefu";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.makefu.pubkey
+        ];
+      };
+      users.users.nin = {
+        uid = genid "nin";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+      };
+      users.extraUsers.dritter = {
+        uid = genid "dritter";
+        isNormalUser = true;
+        extraGroups = [
+          "download"
+        ];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
+        ];
+      };
+      users.extraUsers.juhulian = {
+        uid = 1339;
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
+        ];
+      };
+      users.users.hellrazor = {
+        uid = genid "hellrazor";
+        isNormalUser = true;
+        extraGroups = [
+          "download"
+        ];
+        openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ];
+      };
+    }
+    {
+      #hotdog
+      systemd.services."container@hotdog".reloadIfChanged = mkForce false;
+      containers.hotdog = {
+        config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+          ];
+        };
+        autoStart = true;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.1";
+        localAddress = "10.233.2.2";
+      };
+    }
+    {
+      #onondaga
+      systemd.services."container@onondaga".reloadIfChanged = mkForce false;
+      containers.onondaga = {
+        config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+            config.krebs.users.nin.pubkey
+          ];
+        };
+        autoStart = true;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.5";
+        localAddress = "10.233.2.6";
+      };
+    }
+    <stockholm/lass/2configs/exim-smarthost.nix>
+    <stockholm/lass/2configs/ts3.nix>
+    <stockholm/lass/2configs/privoxy-retiolum.nix>
+    <stockholm/lass/2configs/radio.nix>
+    <stockholm/lass/2configs/binary-cache/server.nix>
+    <stockholm/lass/2configs/iodined.nix>
+    <stockholm/lass/2configs/paste.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/reaktor-coders.nix>
+    <stockholm/lass/2configs/ciko.nix>
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/monitoring/prometheus-server.nix>
+    { # quasi bepasty.nix
+      imports = [
+        <stockholm/lass/2configs/bepasty.nix>
+      ];
+      krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+        if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+          return 403;
+        }
+      '';
+    }
+    {
+      services.tor = {
+        enable = true;
+      };
+    }
+    {
+      lass.ejabberd = {
+        enable = true;
+        hosts = [ "lassul.us" ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
+      ];
+    }
+    {
+      imports = [
+        <stockholm/lass/2configs/realwallpaper.nix>
+      ];
+      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+        alias /var/realwallpaper/realwallpaper.png;
+      '';
+    }
+    {
+      users.users.jeschli = {
+        uid = genid "jeschli";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = with config.krebs.users; [
+          jeschli.pubkey
+          jeschli-bln.pubkey
+          jeschli-bolide.pubkey
+          jeschli-brauerei.pubkey
+        ];
+      };
+      krebs.git.rules = [
+        {
+          user = with config.krebs.users; [
+            jeschli
+            jeschli-bln
+            jeschli-bolide
+            jeschli-brauerei
+          ];
+          repo = [ config.krebs.git.repos.xmonad-stockholm ];
+          perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+        }
+        {
+          user = with config.krebs.users; [
+            jeschli
+            jeschli-bln
+            jeschli-bolide
+            jeschli-brauerei
+          ];
+          repo = [ config.krebs.git.repos.stockholm ];
+          perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+        }
+      ];
+    }
+    {
+      krebs.repo-sync.repos.stockholm.timerConfig = {
+        OnBootSec = "5min";
+        OnUnitInactiveSec = "2min";
+        RandomizedDelaySec = "2min";
+      };
+    }
+    <stockholm/lass/2configs/downloading.nix>
+    <stockholm/lass/2configs/minecraft.nix>
+    {
+      services.taskserver = {
+        enable = true;
+        fqdn = "lassul.us";
+        listenHost = "::";
+        listenPort = 53589;
+        organisations.lass.users = [ "lass" "android" ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
+      ];
+    }
+    #<stockholm/lass/2configs/go.nix>
+    {
+      environment.systemPackages = [ pkgs.cryptsetup ];
+      systemd.services."container@red".reloadIfChanged = mkForce false;
+      containers.red = {
+        config = { ... }: {
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+          ];
+        };
+        autoStart = false;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.3";
+        localAddress = "10.233.2.4";
+      };
+      services.nginx.virtualHosts."rote-allez-fraktion.de" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          extraConfig = ''
+            proxy_set_header Host rote-allez-fraktion.de;
+            proxy_pass http://10.233.2.4;
+          '';
+        };
+      };
+    }
+    #{
+    #  imports = [ <stockholm/lass/2configs/backup.nix> ];
+    #  lass.restic = genAttrs [
+    #    "daedalus"
+    #    "icarus"
+    #    "littleT"
+    #    "mors"
+    #    "shodan"
+    #    "skynet"
+    #  ] (dest: {
+    #    dirs = [
+    #      "/home/chat/.weechat"
+    #      "/bku/sql_dumps"
+    #    ];
+    #    passwordFile = (toString <secrets>) + "/restic/${dest}";
+    #    repo = "sftp:backup@${dest}.r:/backups/prism";
+    #    extraArguments = [
+    #      "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+    #    ];
+    #    timerConfig = {
+    #      OnCalendar = "00:05";
+    #      RandomizedDelaySec = "5h";
+    #    };
+    #  });
+    #}
+    {
+      users.users.download.openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse"
+      ];
+    }
+    {
+    }
+    {
+      lass.nichtparasoup.enable = true;
+      services.nginx = {
+        enable = true;
+        virtualHosts."lol.lassul.us" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".extraConfig = ''
+            proxy_pass http://localhost:5001;
+          '';
+        };
+      };
+    }
+    {
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+        { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.POSTROUTING.rules = [
+        { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
+      ];
+      networking.wireguard.interfaces.wg0 = {
+        ips = [ "10.244.1.1/24" ];
+        listenPort = 51820;
+        privateKeyFile = (toString <secrets>) + "/wireguard.key";
+        allowedIPsAsRoutes = true;
+        peers = [
+          {
+            # lass-android
+            allowedIPs = [ "10.244.1.2/32" ];
+            publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
+          }
+        ];
+      };
+    }
+    {
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+      ];
+    }
+    {
+      services.murmur.enable = true;
+      services.murmur.registerName = "lassul.us";
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
+      ];
+
+    }
+  ];
+
+  krebs.build.host = config.krebs.hosts.archprism;
+  services.earlyoom = {
+    enable = true;
+    freeMemThreshold = 5;
+  };
+}
diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix
new file mode 100644
index 000000000..56348d0ab
--- /dev/null
+++ b/lass/1systems/archprism/physical.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./config.nix
+    {
+      boot.kernelParams = [ "net.ifnames=0" ];
+      networking = {
+        defaultGateway = "46.4.114.225";
+        # Use google's public DNS server
+        nameservers = [ "8.8.8.8" ];
+        interfaces.eth0 = {
+          ipAddress = "46.4.114.247";
+          prefixLength = 27;
+        };
+      };
+      # TODO use this network config
+      #networking.interfaces.et0.ipv4.addresses = [
+      #  {
+      #    address = config.krebs.build.host.nets.internet.ip4.addr;
+      #    prefixLength = 27;
+      #  }
+      #  {
+      #    address = "46.4.114.243";
+      #    prefixLength = 27;
+      #  }
+      #];
+      #networking.defaultGateway = "46.4.114.225";
+      #networking.nameservers = [
+      #  "8.8.8.8"
+      #];
+      #services.udev.extraRules = ''
+      #  SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
+      #'';
+    }
+    {
+      imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+      networking.hostId = "fb4173ea";
+      boot.loader.grub = {
+        devices = [
+          "/dev/sda"
+          "/dev/sdb"
+        ];
+        splashImage = null;
+      };
+
+      boot.initrd.availableKernelModules = [
+        "ata_piix"
+        "vmw_pvscsi"
+        "ahci" "sd_mod"
+      ];
+
+      boot.kernelModules = [ "kvm-intel" ];
+
+      sound.enable = false;
+      nixpkgs.config.allowUnfree = true;
+      time.timeZone = "Europe/Berlin";
+
+      fileSystems."/" = {
+        device = "rpool/root/nixos";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d";
+        fsType = "ext4";
+      };
+
+    }
+  ];
+
+}

From e39e8318b647a737fe759aa37ef35d18901c8efd Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 4 Nov 2018 18:26:04 +0100
Subject: [PATCH 48/74] l: prism.r -> archprism.r, new prism.r

---
 krebs/3modules/lass/default.nix      |  42 +++-
 lass/1systems/archprism/config.nix   | 356 +++++++++++++++++++++++++++
 lass/1systems/archprism/physical.nix |  77 ++++++
 3 files changed, 474 insertions(+), 1 deletion(-)
 create mode 100644 lass/1systems/archprism/config.nix
 create mode 100644 lass/1systems/archprism/physical.nix

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 4d382cfd3..9b9f052a5 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -38,7 +38,7 @@ with import <stockholm/lib>;
       };
       nets = rec {
         internet = {
-          ip4.addr = "46.4.114.247";
+          ip4.addr = "95.216.1.150";
           aliases = [
             "prism.i"
             "paste.i"
@@ -87,6 +87,46 @@ with import <stockholm/lib>;
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
     };
+
+    archprism = {
+      cores = 1;
+      nets = rec {
+        internet = {
+          ip4.addr = "46.4.114.247";
+          aliases = [
+            "archprism.i"
+          ];
+          ssh.port = 45621;
+        };
+        retiolum = {
+          via = internet;
+          ip4.addr = "10.243.0.123";
+          ip6.addr = "42:0:0:0:0:0:0:123";
+          aliases = [
+            "archprism.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6dK0jsPSb7kWMGjfyWbG
+            wQYYt8vi5pY/1/Ohk0iy84+mfb1SCJdm5IOC4WXgHtmfd468OluUpU5etAu13D3n
+            f0iDeCuohH0uTjP+EojnKrAXYTiTRpySqXjVmhaWwFyMAACFdzKFb9cgMoByrP0U
+            5qruBcupK8Zwxt+Pe8IadRpPuOmz/bMYS7r+NKwybttoIX+YVm4myNzqdtMT77+H
+            BYR2mzW99T5YI54YZoCe0+XiIEQsosd6IL/9dP0+6vku6nHLD4qb81Q9AgaT+hte
+            s/ivHL+Fe2GULEQUi8aoEfXrPwnGFVY+QYxLw2G9A0Gfe9KnYBXDn99HXUGcFu2l
+            x7duN6mnT3WNC6VReh9m5+rPMnih/3l82W0tH1lBWUtdKcxx6yhkyUFgKOvkm4UP
+            gf1+EIpxf+bM7jlWylKGc+bD+dTMFV+tzHE6qHlcnzdZQrhYd0zjOXGnm4Kl1ec5
+            GSlpmqTcjgR+42l6frAENo3fndqYw1WkDtswImDz3Wjuco7BiOULHTJvQN+Ao1DI
+            l2MQDOWJoN4eYIE4XPqLSvdOSavHQB2WGv+dFDDpWOxnDLNi19aubtynIfpGJXxV
+            L8s9kUTG00Hdv08BG06hGt0+2Sy1PTVniDcTftHKmEOPS6Y5rJzQih7JdakSUQCc
+            6j/HwgWTf85Io/tbVMTNtkECAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
+    };
+
     domsen-nas = {
       ci = false;
       monitoring = false;
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
new file mode 100644
index 000000000..0a286c6f0
--- /dev/null
+++ b/lass/1systems/archprism/config.nix
@@ -0,0 +1,356 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/libvirt.nix>
+    {
+      services.nginx.enable = true;
+      imports = [
+        <stockholm/lass/2configs/websites/domsen.nix>
+        <stockholm/lass/2configs/websites/lassulus.nix>
+      ];
+      # needed by domsen.nix ^^
+      lass.usershadow = {
+        enable = true;
+      };
+
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
+      ];
+    }
+    { # TODO make new hfos.nix out of this vv
+      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+      users.users.riot = {
+        uid = genid "riot";
+        isNormalUser = true;
+        extraGroups = [ "libvirtd" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+        ];
+      };
+
+      # TODO write function for proxy_pass (ssl/nonssl)
+
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
+      ];
+    }
+    {
+      users.users.tv = {
+        uid = genid "tv";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.tv.pubkey
+        ];
+      };
+      users.users.makefu = {
+        uid = genid "makefu";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.makefu.pubkey
+        ];
+      };
+      users.users.nin = {
+        uid = genid "nin";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+      };
+      users.extraUsers.dritter = {
+        uid = genid "dritter";
+        isNormalUser = true;
+        extraGroups = [
+          "download"
+        ];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
+        ];
+      };
+      users.extraUsers.juhulian = {
+        uid = 1339;
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
+        ];
+      };
+      users.users.hellrazor = {
+        uid = genid "hellrazor";
+        isNormalUser = true;
+        extraGroups = [
+          "download"
+        ];
+        openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ];
+      };
+    }
+    {
+      #hotdog
+      systemd.services."container@hotdog".reloadIfChanged = mkForce false;
+      containers.hotdog = {
+        config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+          ];
+        };
+        autoStart = true;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.1";
+        localAddress = "10.233.2.2";
+      };
+    }
+    {
+      #onondaga
+      systemd.services."container@onondaga".reloadIfChanged = mkForce false;
+      containers.onondaga = {
+        config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+            config.krebs.users.nin.pubkey
+          ];
+        };
+        autoStart = true;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.5";
+        localAddress = "10.233.2.6";
+      };
+    }
+    <stockholm/lass/2configs/exim-smarthost.nix>
+    <stockholm/lass/2configs/ts3.nix>
+    <stockholm/lass/2configs/privoxy-retiolum.nix>
+    <stockholm/lass/2configs/radio.nix>
+    <stockholm/lass/2configs/binary-cache/server.nix>
+    <stockholm/lass/2configs/iodined.nix>
+    <stockholm/lass/2configs/paste.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/reaktor-coders.nix>
+    <stockholm/lass/2configs/ciko.nix>
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/monitoring/prometheus-server.nix>
+    { # quasi bepasty.nix
+      imports = [
+        <stockholm/lass/2configs/bepasty.nix>
+      ];
+      krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+        if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+          return 403;
+        }
+      '';
+    }
+    {
+      services.tor = {
+        enable = true;
+      };
+    }
+    {
+      lass.ejabberd = {
+        enable = true;
+        hosts = [ "lassul.us" ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
+      ];
+    }
+    {
+      imports = [
+        <stockholm/lass/2configs/realwallpaper.nix>
+      ];
+      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+        alias /var/realwallpaper/realwallpaper.png;
+      '';
+    }
+    {
+      users.users.jeschli = {
+        uid = genid "jeschli";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = with config.krebs.users; [
+          jeschli.pubkey
+          jeschli-bln.pubkey
+          jeschli-bolide.pubkey
+          jeschli-brauerei.pubkey
+        ];
+      };
+      krebs.git.rules = [
+        {
+          user = with config.krebs.users; [
+            jeschli
+            jeschli-bln
+            jeschli-bolide
+            jeschli-brauerei
+          ];
+          repo = [ config.krebs.git.repos.xmonad-stockholm ];
+          perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+        }
+        {
+          user = with config.krebs.users; [
+            jeschli
+            jeschli-bln
+            jeschli-bolide
+            jeschli-brauerei
+          ];
+          repo = [ config.krebs.git.repos.stockholm ];
+          perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+        }
+      ];
+    }
+    {
+      krebs.repo-sync.repos.stockholm.timerConfig = {
+        OnBootSec = "5min";
+        OnUnitInactiveSec = "2min";
+        RandomizedDelaySec = "2min";
+      };
+    }
+    <stockholm/lass/2configs/downloading.nix>
+    <stockholm/lass/2configs/minecraft.nix>
+    {
+      services.taskserver = {
+        enable = true;
+        fqdn = "lassul.us";
+        listenHost = "::";
+        listenPort = 53589;
+        organisations.lass.users = [ "lass" "android" ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
+      ];
+    }
+    #<stockholm/lass/2configs/go.nix>
+    {
+      environment.systemPackages = [ pkgs.cryptsetup ];
+      systemd.services."container@red".reloadIfChanged = mkForce false;
+      containers.red = {
+        config = { ... }: {
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+          ];
+        };
+        autoStart = false;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.3";
+        localAddress = "10.233.2.4";
+      };
+      services.nginx.virtualHosts."rote-allez-fraktion.de" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          extraConfig = ''
+            proxy_set_header Host rote-allez-fraktion.de;
+            proxy_pass http://10.233.2.4;
+          '';
+        };
+      };
+    }
+    #{
+    #  imports = [ <stockholm/lass/2configs/backup.nix> ];
+    #  lass.restic = genAttrs [
+    #    "daedalus"
+    #    "icarus"
+    #    "littleT"
+    #    "mors"
+    #    "shodan"
+    #    "skynet"
+    #  ] (dest: {
+    #    dirs = [
+    #      "/home/chat/.weechat"
+    #      "/bku/sql_dumps"
+    #    ];
+    #    passwordFile = (toString <secrets>) + "/restic/${dest}";
+    #    repo = "sftp:backup@${dest}.r:/backups/prism";
+    #    extraArguments = [
+    #      "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+    #    ];
+    #    timerConfig = {
+    #      OnCalendar = "00:05";
+    #      RandomizedDelaySec = "5h";
+    #    };
+    #  });
+    #}
+    {
+      users.users.download.openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse"
+      ];
+    }
+    {
+    }
+    {
+      lass.nichtparasoup.enable = true;
+      services.nginx = {
+        enable = true;
+        virtualHosts."lol.lassul.us" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".extraConfig = ''
+            proxy_pass http://localhost:5001;
+          '';
+        };
+      };
+    }
+    {
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+        { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.POSTROUTING.rules = [
+        { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
+      ];
+      networking.wireguard.interfaces.wg0 = {
+        ips = [ "10.244.1.1/24" ];
+        listenPort = 51820;
+        privateKeyFile = (toString <secrets>) + "/wireguard.key";
+        allowedIPsAsRoutes = true;
+        peers = [
+          {
+            # lass-android
+            allowedIPs = [ "10.244.1.2/32" ];
+            publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
+          }
+        ];
+      };
+    }
+    {
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+      ];
+    }
+    {
+      services.murmur.enable = true;
+      services.murmur.registerName = "lassul.us";
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
+      ];
+
+    }
+  ];
+
+  krebs.build.host = config.krebs.hosts.archprism;
+  services.earlyoom = {
+    enable = true;
+    freeMemThreshold = 5;
+  };
+}
diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix
new file mode 100644
index 000000000..56348d0ab
--- /dev/null
+++ b/lass/1systems/archprism/physical.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./config.nix
+    {
+      boot.kernelParams = [ "net.ifnames=0" ];
+      networking = {
+        defaultGateway = "46.4.114.225";
+        # Use google's public DNS server
+        nameservers = [ "8.8.8.8" ];
+        interfaces.eth0 = {
+          ipAddress = "46.4.114.247";
+          prefixLength = 27;
+        };
+      };
+      # TODO use this network config
+      #networking.interfaces.et0.ipv4.addresses = [
+      #  {
+      #    address = config.krebs.build.host.nets.internet.ip4.addr;
+      #    prefixLength = 27;
+      #  }
+      #  {
+      #    address = "46.4.114.243";
+      #    prefixLength = 27;
+      #  }
+      #];
+      #networking.defaultGateway = "46.4.114.225";
+      #networking.nameservers = [
+      #  "8.8.8.8"
+      #];
+      #services.udev.extraRules = ''
+      #  SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
+      #'';
+    }
+    {
+      imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+      networking.hostId = "fb4173ea";
+      boot.loader.grub = {
+        devices = [
+          "/dev/sda"
+          "/dev/sdb"
+        ];
+        splashImage = null;
+      };
+
+      boot.initrd.availableKernelModules = [
+        "ata_piix"
+        "vmw_pvscsi"
+        "ahci" "sd_mod"
+      ];
+
+      boot.kernelModules = [ "kvm-intel" ];
+
+      sound.enable = false;
+      nixpkgs.config.allowUnfree = true;
+      time.timeZone = "Europe/Berlin";
+
+      fileSystems."/" = {
+        device = "rpool/root/nixos";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d";
+        fsType = "ext4";
+      };
+
+    }
+  ];
+
+}

From 5297f29d422aebc10727c929126d54f4aee8daee Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 4 Nov 2018 19:13:46 +0100
Subject: [PATCH 49/74] l baseX: remove broken pkgs.push

---
 lass/2configs/baseX.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index e8a2539f3..9b44e8f0e 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -74,7 +74,6 @@ in {
     nmap
     pavucontrol
     powertop
-    push
     rxvt_unicode_with-plugins
     sxiv
     taskwarrior

From fbbb800cbe8daee2d8d660bab996ef9fd7c0fa37 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 4 Nov 2018 21:46:32 +0100
Subject: [PATCH 50/74] nixpkgs: 81f5c26 -> 06fb025

---
 krebs/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 60307e694..b761246cd 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
   "url": "https://github.com/NixOS/nixpkgs-channels",
-  "rev": "81f5c2698a87c65b4970c69d472960c574ea0db4",
-  "date": "2018-10-17T20:48:45-04:00",
-  "sha256": "0p4x9532d3qlbykyyq8zk62k8py9mxd1s7zgbv54zmv597rs5y35",
+  "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
+  "date": "2018-10-24T10:37:15-04:00",
+  "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
   "fetchSubmodules": false
 }

From 100ca928ad483471d61b36bd9e977e34441d404b Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 5 Nov 2018 10:33:28 +0100
Subject: [PATCH 51/74] nixpkgs: 06fb025 -> bf7930d

---
 krebs/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index b761246cd..e013645ea 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
   "url": "https://github.com/NixOS/nixpkgs-channels",
-  "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
-  "date": "2018-10-24T10:37:15-04:00",
-  "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
+  "rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
+  "date": "2018-11-04T19:36:25+01:00",
+  "sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
   "fetchSubmodules": false
 }

From 82a97181d6c20b1ceaf544d80327cce7782d9fd9 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 5 Nov 2018 10:33:28 +0100
Subject: [PATCH 52/74] nixpkgs: 06fb025 -> bf7930d

---
 krebs/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index b761246cd..e013645ea 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
   "url": "https://github.com/NixOS/nixpkgs-channels",
-  "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
-  "date": "2018-10-24T10:37:15-04:00",
-  "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
+  "rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
+  "date": "2018-11-04T19:36:25+01:00",
+  "sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
   "fetchSubmodules": false
 }

From 9520ee2c51b49a0e6cb0c96f9ab1724381e0e9cd Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 13:48:25 +0100
Subject: [PATCH 53/74] ma nixpkgs: 86fb1e9 -> bf46294

---
 makefu/nixpkgs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/makefu/nixpkgs.json b/makefu/nixpkgs.json
index c5cd0ac30..73798f44d 100644
--- a/makefu/nixpkgs.json
+++ b/makefu/nixpkgs.json
@@ -1,7 +1,7 @@
 {
   "url": "https://github.com/makefu/nixpkgs",
-  "rev": "86fb1e9ae6ba6dfedc814b82abd8db5cfa4f4687",
-  "date": "2018-10-07T23:33:42+02:00",
-  "sha256": "015yxs3qj299mgqfmz5vgszj2gxqwazifsdsjw6xadris3ri41d3",
-  "fetchSubmodules": true
+  "rev": "bf46294e4cf20649182f76fc9200a48436f5874a",
+  "date": "2018-09-18T02:20:45+02:00",
+  "sha256": "13900gack7pgf5a7c11x30rzb3s0kjpbm2z2g8fw4720cr9lkd94",
+  "fetchSubmodules": false
 }

From ea3afff61105fd32be1ea658460329aecf061eec Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 13:50:22 +0100
Subject: [PATCH 54/74] ma gum: prepare replacement by nextgum

---
 makefu/1systems/gum/config.nix     |  23 ------
 makefu/1systems/nextgum/config.nix | 120 ++++++++---------------------
 makefu/1systems/nextgum/rescue.txt |  11 +++
 makefu/2configs/taskd.nix          |  11 +++
 4 files changed, 52 insertions(+), 113 deletions(-)
 create mode 100644 makefu/1systems/nextgum/rescue.txt
 create mode 100644 makefu/2configs/taskd.nix

diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 75b0680b2..af2e6f6b0 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -8,18 +8,6 @@ in {
   imports = [
       <stockholm/makefu>
       ./hardware-config.nix
-      {
-        users.users.lass = {
-          uid = 9002;
-          isNormalUser = true;
-          createHome = true;
-          useDefaultShell = true;
-          openssh.authorizedKeys.keys = with config.krebs.users; [
-            lass.pubkey
-            makefu.pubkey
-          ];
-        };
-      }
       <stockholm/makefu/2configs/headless.nix>
       # <stockholm/makefu/2configs/smart-monitor.nix>
 
@@ -73,16 +61,6 @@ in {
       # <stockholm/makefu/2configs/deployment/boot-euer.nix>
       # <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
 
-      {
-        services.taskserver.enable = true;
-        services.taskserver.fqdn = config.krebs.build.host.name;
-        services.taskserver.listenHost = "::";
-        services.taskserver.organisations.home.users = [ "makefu" ];
-        networking.firewall.extraCommands = ''
-          iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
-          ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
-        '';
-      }
       # <stockholm/makefu/2configs/ipfs.nix>
       # <stockholm/makefu/2configs/syncthing.nix>
 
@@ -110,7 +88,6 @@ in {
       #    locations."/".proxyPass = "http://localhost:5000";
       #  };
       #}
-      <stockholm/makefu/2configs/wireguard/server.nix>
 
   ];
   makefu.dl-dir = "/var/download";
diff --git a/makefu/1systems/nextgum/config.nix b/makefu/1systems/nextgum/config.nix
index 1c5cca0de..118b5b9d4 100644
--- a/makefu/1systems/nextgum/config.nix
+++ b/makefu/1systems/nextgum/config.nix
@@ -9,6 +9,18 @@ in {
       <stockholm/makefu>
       ./hardware-config.nix
       ./transfer-config.nix
+      {
+        users.users.lass = {
+          uid = 9002;
+          isNormalUser = true;
+          createHome = true;
+          useDefaultShell = true;
+          openssh.authorizedKeys.keys = with config.krebs.users; [
+            lass.pubkey
+            makefu.pubkey
+          ];
+        };
+      }
       <stockholm/makefu/2configs/headless.nix>
       # <stockholm/makefu/2configs/smart-monitor.nix>
 
@@ -23,11 +35,21 @@ in {
       <stockholm/makefu/2configs/mosh.nix>
       # <stockholm/makefu/2configs/gui/xpra.nix>
 
-      <stockholm/makefu/2configs/git/cgit-retiolum.nix>
+      # networking
+      <stockholm/makefu/2configs/vpn/openvpn-server.nix>
+      # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
+      #<stockholm/makefu/2configs/dnscrypt/server.nix>
+      <stockholm/makefu/2configs/iodined.nix>
       # <stockholm/makefu/2configs/backup.nix>
-      # <stockholm/makefu/2configs/exim-retiolum.nix>
       <stockholm/makefu/2configs/tinc/retiolum.nix>
 
+      # ci
+      # <stockholm/makefu/2configs/exim-retiolum.nix>
+      <stockholm/makefu/2configs/git/cgit-retiolum.nix>
+      <stockholm/makefu/2configs/shack/gitlab-runner>
+      <stockholm/makefu/2configs/remote-build/slave.nix>
+      <stockholm/makefu/2configs/taskd.nix>
+
       # services
       <stockholm/makefu/2configs/sabnzbd.nix>
       <stockholm/makefu/2configs/mail/mail.euer.nix>
@@ -55,14 +77,10 @@ in {
       <stockholm/makefu/2configs/backup/server.nix>
       <stockholm/makefu/2configs/iodined.nix>
       <stockholm/makefu/2configs/bitlbee.nix>
-
-      ## buildbot
-      <stockholm/makefu/2configs/remote-build/slave.nix>
+      <stockholm/makefu/2configs/wireguard/server.nix>
 
       # Removed until move: no extra mails
       <stockholm/makefu/2configs/urlwatch>
-      # Removed until move: avoid double-update of domain
-      # <stockholm/makefu/2configs/hub.nix>
       # Removed until move: avoid letsencrypt ban
       ### Web
       #<stockholm/makefu/2configs/nginx/share-download.nix>
@@ -84,94 +102,18 @@ in {
       <stockholm/makefu/2configs/deployment/boot-euer.nix>
       <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
 
-      {
-        services.taskserver.enable = true;
-        services.taskserver.fqdn = config.krebs.build.host.name;
-        services.taskserver.listenHost = "::";
-        services.taskserver.organisations.home.users = [ "makefu" ];
-        networking.firewall.extraCommands = ''
-          iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
-          ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
-        '';
-      }
-
-
       <stockholm/makefu/2configs/stats/client.nix>
-      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
       # <stockholm/makefu/2configs/logging/client.nix>
 
+      # sharing
+      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
+      <stockholm/makefu/2configs/dcpp/hub.nix>
+
       ## Temporary:
       # <stockholm/makefu/2configs/temp/rst-issue.nix>
       <stockholm/makefu/2configs/virtualisation/docker.nix>
       <stockholm/makefu/2configs/virtualisation/libvirt.nix>
 
-      #{
-      #  services.dockerRegistry.enable = true;
-      #  networking.firewall.allowedTCPPorts = [ 8443 ];
-
-      #  services.nginx.virtualHosts."euer.krebsco.de" = {
-      #    forceSSL = true;
-      #    enableACME = true;
-      #    extraConfig = ''
-      #      client_max_body_size 1000M;
-      #    '';
-      #    locations."/".proxyPass = "http://localhost:5000";
-      #  };
-      #}
-      { # wireguard server
-
-        # opkg install wireguard luci-proto-wireguard
-
-        # TODO: networking.nat
-
-        # boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-        # conf.all.proxy_arp =1
-        networking.firewall = {
-          allowedUDPPorts = [ 51820 ];
-          extraCommands = ''
-            iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
-          '';
-        };
-
-        networking.wireguard.interfaces.wg0 = {
-          ips = [ "10.244.0.1/24" ];
-          listenPort = 51820;
-          privateKeyFile = (toString <secrets>) + "/wireguard.key";
-          allowedIPsAsRoutes = true;
-          peers = [
-          {
-            # x
-            allowedIPs = [ "10.244.0.2/32" ];
-            publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
-          }
-          {
-            # vbob
-            allowedIPs = [ "10.244.0.3/32" ];
-            publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
-          }
-          {
-            # x-test
-            allowedIPs = [ "10.244.0.4/32" ];
-            publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
-          }
-          {
-            # work-router
-            allowedIPs = [ "10.244.0.5/32" ];
-            publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
-          }
-          {
-            # workr
-            allowedIPs = [ "10.244.0.6/32" ];
-            publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
-          }
-          ];
-        };
-      }
-      { # iperf3
-        networking.firewall.allowedUDPPorts = [ 5201 ];
-        networking.firewall.allowedTCPPorts = [ 5201 ];
-      }
-
       # krebs infrastructure services
       <stockholm/makefu/2configs/stats/server.nix>
   ];
@@ -191,9 +133,7 @@ in {
       ListenAddress = ${external-ip} 21031
     '';
     connectTo = [
-      "muhbaasu" "tahoe" "flap" "wry"
-      "ni"
-      "fastpoke" "prism" "dishfire" "echelon" "cloudkrebs"
+      "prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
     ];
   };
 
diff --git a/makefu/1systems/nextgum/rescue.txt b/makefu/1systems/nextgum/rescue.txt
new file mode 100644
index 000000000..30276b7db
--- /dev/null
+++ b/makefu/1systems/nextgum/rescue.txt
@@ -0,0 +1,11 @@
+mount /dev/mapper/nixos-root /mnt
+mount /dev/sda2 /mnt/boot
+
+chroot-prepare /mnt
+chroot /mnt /bin/sh
+
+journalctl  -D /mnt/var/log/journal --since today # find the active system (or check grub)
+
+export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
+/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate
+/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin/nixos-rebuild
diff --git a/makefu/2configs/taskd.nix b/makefu/2configs/taskd.nix
new file mode 100644
index 000000000..5ca3b9904
--- /dev/null
+++ b/makefu/2configs/taskd.nix
@@ -0,0 +1,11 @@
+{config, ... }:
+{
+  services.taskserver.enable = true;
+  services.taskserver.fqdn = config.krebs.build.host.name;
+  services.taskserver.listenHost = "::";
+  services.taskserver.organisations.home.users = [ "makefu" ];
+  networking.firewall.extraCommands = ''
+    iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
+    ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
+  '';
+}

From 2487cbc8829b9c81545d1627d4a03b8fed12de01 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 13:51:28 +0100
Subject: [PATCH 55/74] ma wbob.r: more automation

---
 makefu/1systems/wbob/config.nix               |  14 +-
 .../deployment/bureautomation/hass.nix        | 129 +++++++++++++++---
 .../deployment/bureautomation/mpd.nix         |   9 ++
 3 files changed, 124 insertions(+), 28 deletions(-)
 create mode 100644 makefu/2configs/deployment/bureautomation/mpd.nix

diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix
index e1d61081e..24a3dddc6 100644
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@@ -11,10 +11,10 @@ in {
       <stockholm/makefu>
       <stockholm/makefu/2configs/zsh-user.nix>
       <stockholm/makefu/2configs/tools/core.nix>
-      <stockholm/makefu/2configs/disable_v6.nix>
-      # <stockholm/makefu/2configs/tools/core-gui.nix>
-      # <stockholm/makefu/2configs/tools/extra-gui.nix>
-      # <stockholm/makefu/2configs/tools/media.nix>
+      # <stockholm/makefu/2configs/disable_v6.nix>
+      <stockholm/makefu/2configs/tools/core-gui.nix>
+      <stockholm/makefu/2configs/tools/extra-gui.nix>
+      <stockholm/makefu/2configs/tools/media.nix>
       <stockholm/makefu/2configs/virtualisation/libvirt.nix>
       <stockholm/makefu/2configs/tinc/retiolum.nix>
       <stockholm/makefu/2configs/mqtt.nix>
@@ -33,9 +33,6 @@ in {
 
       <stockholm/makefu/2configs/share/wbob.nix>
       <stockholm/makefu/2configs/bluetooth-mpd.nix>
-      {
-        users.users.makefu.extraGroups = [ "pulse" ];
-      }
 
       # Sensors
       <stockholm/makefu/2configs/stats/telegraf>
@@ -46,10 +43,11 @@ in {
       <stockholm/makefu/2configs/deployment/led-fader.nix>
       <stockholm/makefu/2configs/hw/mceusb.nix>
       # <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
-
+      { environment.systemPackages = [ pkgs.vlc ]; }
 
 
       <stockholm/makefu/2configs/deployment/bureautomation>
+      <stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
       <stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
       (let
           collectd-port = 25826;
diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/deployment/bureautomation/hass.nix
index b1eba22b4..443484a34 100644
--- a/makefu/2configs/deployment/bureautomation/hass.nix
+++ b/makefu/2configs/deployment/bureautomation/hass.nix
@@ -12,7 +12,7 @@ let
     payload_not_available= "Offline";
   };
   tasmota_stecki = name: topic:
-    ( tasmota_plug name topic) // 
+    ( tasmota_plug name topic) //
     { state_topic = "/bam/${topic}/stat/POWER";
       command_topic = "/bam/${topic}/cmnd/POWER";
   };
@@ -43,9 +43,6 @@ let
   };
 in {
   networking.firewall.allowedTCPPorts = [ 8123 ];
-  nixpkgs.config.permittedInsecurePackages = [
-    "homeassistant-0.65.5"
-  ];
 
   services.home-assistant = {
     enable = true;
@@ -53,6 +50,9 @@ in {
       homeassistant = {
         name = "Bureautomation";
         time_zone = "Europe/Berlin";
+        latitude = "48.8265";
+        longitude = "9.0676";
+        elevation = 303;
       };
 
       mqtt = {
@@ -101,26 +101,109 @@ in {
             sensorid = "5341";
             monitored_conditions = [ "P1" "P2" ];
           }
-          { platform = "influxdb";
-            queries = [
-              { name = "mean value of feinstaub P1";
-                where = '' "node" = 'esp8266-1355142' '';
-                measurement = "feinstaub";
-                database = "telegraf";
-                field = "P1";
-              }
-              { name = "mean value of feinstaub P2";
-                where = '' "node" = 'esp8266-1355142' '';
-                measurement = "feinstaub";
-                database = "telegraf";
-                field = "P2";
-              }
-            ];
+
+          { platform = "darksky";
+            api_key = lib.removeSuffix "\n"
+              (builtins.readFile <secrets/hass/darksky.apikey>);
+            language = "de";
+            monitored_conditions = [ "summary" "icon"
+            "nearest_storm_distance" "precip_probability"
+            "precip_intensity"
+            "temperature" # "temperature_high" "temperature_low"
+            "apparent_temperature"
+            "hourly_summary" # next 24 hours text
+            "minutely_summary"
+            "humidity"
+            "pressure"
+            "uv_index" ];
+            units =  "si" ;
+            update_interval = {
+                  days = 0;
+                  hours = 0;
+                  minutes = 30;
+                  seconds = 0;
+            };
+          }
+          #{ platform = "influxdb";
+          #  queries = [
+          #    { name = "mean value of feinstaub P1";
+          #      where = '' "node" = 'esp8266-1355142' '';
+          #      measurement = "feinstaub";
+          #      database = "telegraf";
+          #      field = "P1";
+          #    }
+          #    { name = "mean value of feinstaub P2";
+          #      where = '' "node" = 'esp8266-1355142' '';
+          #      measurement = "feinstaub";
+          #      database = "telegraf";
+          #      field = "P2";
+          #    }
+          #  ];
+          #}
+        ];
+        camera = [
+          { name = "Baumarkt";
+            platform = "generic";
+            still_image_url = http://t4915209254324-p80-c0-h6jv2afnujcoftrcstsafb45kdrqv4buy.webdirect.mdex.de/oneshotimage ;# baumarkt
+          }
+          { name = "Autobahn Heilbronn";
+            platform = "generic";
+            still_image_url = https://api.svz-bw.de/v2/verkehrskameras/kameras/K10 ;
+          }
+          { name = "Autobahn Singen";
+            platform = "generic";
+            still_image_url = https://api.svz-bw.de/v2/verkehrskameras/kameras/K11 ;
           }
         ];
       frontend = { };
       http = { };
-      feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ];
+      conversation = {};
+      history = {};
+      logbook = {};
+      tts = [ { platform = "google";} ];
+      recorder = {};
+      group =
+      { default_view =
+        { view = "yes";
+          entities = [
+              "group.sensors"
+              "group.outside"
+              "group.switches"
+              "group.automation"
+              "group.camera"
+            ];
+          };
+        automation = [
+          "automation.turn_off_fernseher_10_minutes_after_last_movement"
+        ];
+        switches = [
+          "switch.bauarbeiterlampe"
+          "switch.blitzdings"
+          "switch.fernseher"
+          "switch.pluggy"
+        ];
+        camera = [
+          "camera.Baumarkt"
+          "camera.Autobahn_Heilbronn"
+          "camera.Autobahn_Singen"
+        ];
+        sensors = [
+          "binary_sensor.motion"
+          "sensor.easy2_dht22_humidity"
+          "sensor.easy2_dht22_temperature"
+        ];
+        outside = [
+          "sensor.ditzingen_pm10"
+          "sensor.ditzingen_pm25"
+          "sensor.dark_sky_temperature"
+          "sensor.dark_sky_humidity"
+          "sensor.dark_sky_pressure"
+          "sensor.dark_sky_hourly_summary"
+          "sensor.dark_sky_minutely_summary"
+        ];
+      };
+      # only for automation
+      # feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ];
       automation = [
         { alias = "Turn on Fernseher on movement";
           trigger = {
@@ -144,6 +227,12 @@ in {
             service= "homeassistant.turn_off";
             entity_id= "switch.fernseher";
           };
+          condition = [{
+            condition = "time";
+            before = "06:30:00"; #only turn off between 6:30 and 18:00
+            after  = "18:00:00";
+            weekday = [ "mon" "tue" "wed" "thu" "fri" ];
+          }];
         }
       ];
     };
diff --git a/makefu/2configs/deployment/bureautomation/mpd.nix b/makefu/2configs/deployment/bureautomation/mpd.nix
new file mode 100644
index 000000000..1f5acb357
--- /dev/null
+++ b/makefu/2configs/deployment/bureautomation/mpd.nix
@@ -0,0 +1,9 @@
+{lib,pkgs, ... }:
+
+{
+  systemd.services."ympd-wbob" = {
+    description = "mpd ";
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host localhost --port 6600 --webport 8866 --user nobody";
+  };
+}

From 7f52e698476f3d782caa4134a6166c68a9abc56e Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 13:51:54 +0100
Subject: [PATCH 56/74] ma wbob-kiosk: trying to get xset working ...

---
 makefu/2configs/gui/wbob-kiosk.nix | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/makefu/2configs/gui/wbob-kiosk.nix b/makefu/2configs/gui/wbob-kiosk.nix
index b0479d0d7..6da1a37e7 100644
--- a/makefu/2configs/gui/wbob-kiosk.nix
+++ b/makefu/2configs/gui/wbob-kiosk.nix
@@ -4,23 +4,26 @@
   imports = [
       ./base.nix
   ];
-  users.users.makefu.packages = [ pkgs.chromium ];
+  users.users.makefu = {
+    packages = [ pkgs.chromium ];
+    extraGroups = [ "audio" "pulse" ];
+  };
   services.xserver = {
-    layout = lib.mkForce "de";
-    xkbVariant = lib.mkForce "";
 
     windowManager = lib.mkForce {
       awesome.enable = false;
       default = "none";
     };
-    desktopManager.xfce.enable = true;
+    desktopManager.xfce = {
+      extraSessionCommands = ''
+        ${pkgs.xlibs.xset}/bin/xset -display :0 s off -dpms
+        ${pkgs.xlibs.xrandr}/bin/xrandr --output HDMI2 --right-of HDMI1
+      '';
+      enable = true;
+    };
 
     # xrandrHeads = [ "HDMI1" "HDMI2" ];
     # prevent screen from turning off, disable dpms
-    displayManager.sessionCommands = ''
-      xset -display :0 s off -dpms
-      xrandr --output HDMI2 --right-of HDMI1
-    '';
   };
 
   systemd.services.xset-off = {
@@ -29,7 +32,8 @@
     serviceConfig = {
       ExecStart = "${pkgs.xlibs.xset}/bin/xset -display :0 s off -dpms";
       RemainAfterExit = "yes";
-      TimeoutSec = "5";
+      TimeoutSec = "5s";
+      RestartSec="5s";
       Restart = "on-failure";
     };
   };

From e706831281d6e4a0638cab2a8f38ac21af23081c Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 13:52:11 +0100
Subject: [PATCH 57/74] ma homeautomation: more sensors

---
 .../deployment/homeautomation/default.nix     | 54 ++++++++++++++++---
 1 file changed, 48 insertions(+), 6 deletions(-)

diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/deployment/homeautomation/default.nix
index 5da0dba2e..94799b11d 100644
--- a/makefu/2configs/deployment/homeautomation/default.nix
+++ b/makefu/2configs/deployment/homeautomation/default.nix
@@ -17,7 +17,7 @@ let
     # state
     # TODO: currently broken, will not use the custom state topic
     #state_topic = "/ham/${topic}/stat/POWER";
-    state_topic = "stat/${topic}/POWER";
+    state_topic = "/ham/${topic}/stat/POWER";
     command_topic = "/ham/${topic}/cmnd/POWER";
     availability_topic = "/ham/${topic}/tele/LWT";
     payload_on= "ON";
@@ -47,7 +47,7 @@ let
       device_class = "motion";
       inherit name;
       # TODO: currently broken, will not use the custom state topic
-      state_topic = "stat/${topic}/POWER";
+      state_topic = "/ham/${topic}/stat/POWER";
       payload_on = "ON";
       payload_off = "OFF";
       availability_topic = "/ham/${topic}/tele/LWT";
@@ -87,6 +87,20 @@ let
       unit_of_measurement = "hPa";
     }
   ];
+  tasmota_am2301 = name: topic:
+  [ { platform = "mqtt";
+      name = "${name} Temperatur";
+      state_topic = "/ham/${topic}/tele/SENSOR";
+      value_template = "{{ value_json.AM2301.Temperature }}";
+      unit_of_measurement = "°C";
+    }
+    { platform = "mqtt";
+      name = "${name} Luftfeuchtigkeit";
+      state_topic = "/ham/${topic}/tele/SENSOR";
+      value_template = "{{ value_json.AM2301.Humidity }}";
+      unit_of_measurement = "%";
+    }
+  ];
 in {
   imports = [
     ./mqtt.nix
@@ -153,7 +167,7 @@ in {
         #  monitored_conditions = [ "ping" "download" "upload" ];
         #}
         { platform = "luftdaten";
-          name = "Ditzingen";
+          name = "Wangen";
           sensorid = "663";
           monitored_conditions = [ "P1" "P2" ];
         }
@@ -165,18 +179,23 @@ in {
           monitored_conditions = [ "summary" "icon"
           "nearest_storm_distance" "precip_probability"
           "precip_intensity"
-          "temperature" # "temperature_high" "temperature_low"
+          "temperature"
+          "apparent_temperature"
           "hourly_summary"
+          "humidity"
+          "pressure"
           "uv_index" ];
           units =  "si" ;
           update_interval = {
                 days = 0;
                 hours = 0;
-                minutes = 10;
+                minutes = 30;
                 seconds = 0;
           };
         }
-      ] ++ (tasmota_bme "Schlafzimmer" "schlafzimmer");
+      ]
+      ++ (tasmota_bme "Schlafzimmer" "schlafzimmer")
+      ++ (tasmota_am2301 "Arbeitszimmer" "arbeitszimmer");
       frontend = { };
       group =
         { default_view =
@@ -186,6 +205,7 @@ in {
               "group.schlafzimmer"
               "group.draussen"
               "group.wohnzimmer"
+              "group.arbeitszimmer"
             ];
           };
           flur = [
@@ -198,6 +218,8 @@ in {
           draussen = [
             "sensor.dark_sky_temperature"
             "sensor.dark_sky_hourly_summary"
+            "sensor.wangen_pm10"
+            "sensor.wangen_pm25"
           ];
           schlafzimmer = [
             "sensor.schlafzimmer_temperatur"
@@ -205,12 +227,32 @@ in {
             "sensor.schlafzimmer_luftfeuchtigkeit"
             "switch.lichterkette_schlafzimmer"
           ];
+          arbeitszimmer = [
+            "switch.strom_staubsauger"
+            "sensor.arbeitszimmer_temperatur"
+            "sensor.arbeitszimmer_luftfeuchtigkeit"
+          ];
         };
       http = { };
       switch = [
         (tasmota_plug "Lichterkette Schlafzimmer" "schlafzimmer")
+        (tasmota_plug "Strom Staubsauger" "arbeitszimmer")
       ];
       light = [ (tasmota_rgb "Flurlicht" "flurlicht" ) ];
+      automation = [
+        { alias = "Staubsauger Strom aus nach 6h";
+          trigger = {
+            platform = "state";
+            entity_id = "switch.strom_staubsauger";
+            to = "on";
+            for.hours = 6;
+          };
+          action = {
+            service= "homeassistant.turn_off";
+            entity_id= "switch.strom_staubsauger";
+          };
+        }
+      ];
     };
     enable = true;
     #configDir = "/var/lib/hass";

From af41e7225900113b6a9c9b666a5fa25e209965b7 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 13:55:24 +0100
Subject: [PATCH 58/74] ma wbob: cleanup config, minor tweaks

---
 makefu/2configs/bluetooth-mpd.nix  | 2 ++
 makefu/2configs/stats/arafetch.nix | 2 ++
 makefu/2configs/tools/media.nix    | 2 ++
 makefu/5pkgs/awesomecfg/full.cfg   | 6 +++---
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/makefu/2configs/bluetooth-mpd.nix b/makefu/2configs/bluetooth-mpd.nix
index b59d3ce10..e007b6072 100644
--- a/makefu/2configs/bluetooth-mpd.nix
+++ b/makefu/2configs/bluetooth-mpd.nix
@@ -57,6 +57,8 @@ in {
         load-module module-filter-heuristics
         load-module module-filter-apply
         load-module module-switch-on-connect
+        load-module module-equalizer-sink
+        load-module module-dbus-protocol
         #load-module module-bluez5-device
         #load-module module-bluez5-discover
       '';
diff --git a/makefu/2configs/stats/arafetch.nix b/makefu/2configs/stats/arafetch.nix
index 422676b24..c16629cc5 100644
--- a/makefu/2configs/stats/arafetch.nix
+++ b/makefu/2configs/stats/arafetch.nix
@@ -27,12 +27,14 @@ in {
   systemd.services.arafetch = {
     startAt = "Mon,Wed,Fri 09:15:00";
     wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
     environment = {
       OUTDIR = home;
     };
     path = [ pkg  pkgs.git pkgs.wget ];
     serviceConfig = {
       User = "arafetch";
+      Restart = "always";
       WorkingDirectory = home;
       PrivateTmp = true;
       ExecStart = pkgs.writeDash "start-weekrun" ''
diff --git a/makefu/2configs/tools/media.nix b/makefu/2configs/tools/media.nix
index 988550655..88a7c6882 100644
--- a/makefu/2configs/tools/media.nix
+++ b/makefu/2configs/tools/media.nix
@@ -12,5 +12,7 @@
     plowshare
     streamripper
     youtube-dl
+
+    pulseeffects
   ];
 }
diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg
index 12d357913..11f9f59b8 100644
--- a/makefu/5pkgs/awesomecfg/full.cfg
+++ b/makefu/5pkgs/awesomecfg/full.cfg
@@ -572,9 +572,9 @@ local os = {
 do
   local cmds =
   {
-    "@networkmanagerapplet@/bin/nm-applet",
-    "@blueman@/bin/blueman-applet",
-    "@clipit@/bin/clipit"
+    -- "@networkmanagerapplet@/bin/nm-applet",
+    -- "@blueman@/bin/blueman-applet",
+    -- "@clipit@/bin/clipit"
   }
 
   for _,i in pairs(cmds) do

From 72cd32c0bc7d66536e163b42a9404986e479c597 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 16:22:39 +0100
Subject: [PATCH 59/74] ma nextgum.r becomes gum.r

---
 krebs/3modules/makefu/default.nix             | 100 +++------
 makefu/1systems/gum/config.nix                | 149 ++++++++-----
 makefu/1systems/gum/hardware-config.nix       |  77 +++++--
 makefu/1systems/{nextgum => gum}/rescue.txt   |   0
 makefu/1systems/gum/source.nix                |   2 +-
 .../{nextgum => gum}/transfer-config.nix      |   0
 makefu/1systems/nextgum/config.nix            | 195 ------------------
 makefu/1systems/nextgum/hardware-config.nix   |  99 ---------
 makefu/1systems/nextgum/source.nix            |   5 -
 9 files changed, 190 insertions(+), 437 deletions(-)
 rename makefu/1systems/{nextgum => gum}/rescue.txt (100%)
 rename makefu/1systems/{nextgum => gum}/transfer-config.nix (100%)
 delete mode 100644 makefu/1systems/nextgum/config.nix
 delete mode 100644 makefu/1systems/nextgum/hardware-config.nix
 delete mode 100644 makefu/1systems/nextgum/source.nix

diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index e2152ea1a..94af67fc7 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -494,6 +494,8 @@ in {
           ip6.addr = "42:f9f0::10";
           aliases = [
             "omo.r"
+            "dcpp.omo.r"
+            "torrent.omo.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -554,7 +556,7 @@ in {
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ZmJSypW3LXIJ67DdbxMxCfLtORFkl5jEuD131S5Tr";
     };
-    nextgum = rec {
+    gum = rec {
       ci = true;
       extraZones = {
         "krebsco.de" = ''
@@ -563,6 +565,23 @@ in {
           graph             IN A      ${nets.internet.ip4.addr}
           gold              IN A      ${nets.internet.ip4.addr}
           iso.euer          IN A      ${nets.internet.ip4.addr}
+          wg.euer           IN A      ${nets.internet.ip4.addr}
+          photostore        IN A      ${nets.internet.ip4.addr}
+          o.euer            IN A      ${nets.internet.ip4.addr}
+          mon.euer          IN A      ${nets.internet.ip4.addr}
+          boot.euer         IN A      ${nets.internet.ip4.addr}
+          wiki.euer         IN A      ${nets.internet.ip4.addr}
+          pigstarter        IN A      ${nets.internet.ip4.addr}
+          cgit.euer         IN A      ${nets.internet.ip4.addr}
+          git.euer          IN A      ${nets.internet.ip4.addr}
+          euer              IN A      ${nets.internet.ip4.addr}
+          share.euer        IN A      ${nets.internet.ip4.addr}
+          gum               IN A      ${nets.internet.ip4.addr}
+          wikisearch        IN A      ${nets.internet.ip4.addr}
+          dl.euer           IN A      ${nets.internet.ip4.addr}
+          ghook             IN A      ${nets.internet.ip4.addr}
+          dockerhub         IN A      ${nets.internet.ip4.addr}
+          io                IN NS     gum.krebsco.de.
         '';
       };
       cores = 8;
@@ -571,6 +590,7 @@ in {
           ip4.addr = "144.76.26.247";
           ip6.addr = "2a01:4f8:191:12f6::2";
           aliases = [
+            "gum.i"
             "nextgum.i"
           ];
         };
@@ -594,6 +614,16 @@ in {
             "stats.makefu.r"
             "backup.makefu.r"
             "dcpp.nextgum.r"
+            "gum.r"
+            "cgit.gum.r"
+            "o.gum.r"
+            "tracker.makefu.r"
+            "search.makefu.r"
+            "wiki.makefu.r"
+            "wiki.gum.r"
+            "blog.makefu.r"
+            "blog.gum.r"
+            "dcpp.gum.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -609,73 +639,7 @@ in {
       };
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
     };
-
-    gum = rec {
-      ci = true;
-      cores = 2;
-
-      extraZones = {
-        "krebsco.de" = ''
-          share.euer        IN A      ${nets.internet.ip4.addr}
-          mattermost.euer   IN A      ${nets.internet.ip4.addr}
-          gum               IN A      ${nets.internet.ip4.addr}
-          wikisearch        IN A      ${nets.internet.ip4.addr}
-          pigstarter        IN A      ${nets.internet.ip4.addr}
-          cgit.euer         IN A      ${nets.internet.ip4.addr}
-          euer              IN A      ${nets.internet.ip4.addr}
-          o.euer            IN A      ${nets.internet.ip4.addr}
-          git.euer          IN A      ${nets.internet.ip4.addr}
-          dl.euer           IN A      ${nets.internet.ip4.addr}
-          boot.euer         IN A      ${nets.internet.ip4.addr}
-          wiki.euer         IN A      ${nets.internet.ip4.addr}
-          mon.euer          IN A      ${nets.internet.ip4.addr}
-          ghook             IN A      ${nets.internet.ip4.addr}
-          dockerhub         IN A      ${nets.internet.ip4.addr}
-          photostore        IN A      ${nets.internet.ip4.addr}
-          io                IN NS     gum.krebsco.de.
-        '';
-      };
-      nets = rec {
-        internet = {
-          ip4.addr = "185.194.143.140";
-          ip6.addr = "2a03:4000:1c:43f::1";
-          aliases = [
-            "gum.i"
-          ];
-        };
-        retiolum = {
-          via = internet;
-          ip4.addr = "10.243.0.211";
-          ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2";
-          aliases = [
-            "gum.r"
-            "cgit.gum.r"
-            "o.gum.r"
-            "tracker.makefu.r"
-
-            "search.makefu.r"
-            "wiki.makefu.r"
-            "wiki.gum.r"
-            "blog.makefu.r"
-            "blog.gum.r"
-            "dcpp.gum.r"
-          ];
-          tinc.pubkey = ''
-            -----BEGIN RSA PUBLIC KEY-----
-            MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
-            BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
-            i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
-            09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
-            u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
-            OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
-            -----END RSA PUBLIC KEY-----
-          '';
-        };
-      };
-      # configured manually
-      # ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
-    };
+            
     shoney = rec {
       ci = true;
       cores = 1;
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index af2e6f6b0..118b5b9d4 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -8,16 +8,22 @@ in {
   imports = [
       <stockholm/makefu>
       ./hardware-config.nix
+      ./transfer-config.nix
+      {
+        users.users.lass = {
+          uid = 9002;
+          isNormalUser = true;
+          createHome = true;
+          useDefaultShell = true;
+          openssh.authorizedKeys.keys = with config.krebs.users; [
+            lass.pubkey
+            makefu.pubkey
+          ];
+        };
+      }
       <stockholm/makefu/2configs/headless.nix>
       # <stockholm/makefu/2configs/smart-monitor.nix>
 
-      <stockholm/makefu/2configs/git/cgit-retiolum.nix>
-      <stockholm/makefu/2configs/backup/state.nix>
-      # <stockholm/makefu/2configs/mattermost-docker.nix>
-      # <stockholm/makefu/2configs/disable_v6.nix>
-      <stockholm/makefu/2configs/exim-retiolum.nix>
-      <stockholm/makefu/2configs/tinc/retiolum.nix>
-
       # Security
       <stockholm/makefu/2configs/sshd-totp.nix>
 
@@ -26,69 +32,90 @@ in {
       <stockholm/makefu/2configs/tools/dev.nix>
       <stockholm/makefu/2configs/tools/sec.nix>
       <stockholm/makefu/2configs/zsh-user.nix>
+      <stockholm/makefu/2configs/mosh.nix>
+      # <stockholm/makefu/2configs/gui/xpra.nix>
+
+      # networking
+      <stockholm/makefu/2configs/vpn/openvpn-server.nix>
+      # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
+      #<stockholm/makefu/2configs/dnscrypt/server.nix>
+      <stockholm/makefu/2configs/iodined.nix>
+      # <stockholm/makefu/2configs/backup.nix>
+      <stockholm/makefu/2configs/tinc/retiolum.nix>
+
+      # ci
+      # <stockholm/makefu/2configs/exim-retiolum.nix>
+      <stockholm/makefu/2configs/git/cgit-retiolum.nix>
+      <stockholm/makefu/2configs/shack/gitlab-runner>
+      <stockholm/makefu/2configs/remote-build/slave.nix>
+      <stockholm/makefu/2configs/taskd.nix>
 
       # services
-      <stockholm/makefu/2configs/share/gum.nix>
-      # <stockholm/makefu/2configs/sabnzbd.nix>
-      <stockholm/makefu/2configs/torrent.nix>
-      <stockholm/makefu/2configs/mosh.nix>
-      # <stockholm/makefu/2configs/retroshare.nix>
+      <stockholm/makefu/2configs/sabnzbd.nix>
+      <stockholm/makefu/2configs/mail/mail.euer.nix>
 
-      # network
+      # sharing
+      <stockholm/makefu/2configs/share/gum.nix>
+      <stockholm/makefu/2configs/torrent.nix>
+      #<stockholm/makefu/2configs/retroshare.nix>
+      ## <stockholm/makefu/2configs/ipfs.nix>
+      #<stockholm/makefu/2configs/syncthing.nix>
+      { # ncdc
+        environment.systemPackages = [ pkgs.ncdc ];
+        networking.firewall = {
+          allowedUDPPorts = [ 51411 ];
+          allowedTCPPorts = [ 51411 ];
+        };
+      }
+      # <stockholm/makefu/2configs/opentracker.nix>
+
+      ## network
       <stockholm/makefu/2configs/vpn/openvpn-server.nix>
       # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
       <stockholm/makefu/2configs/dnscrypt/server.nix>
+      <stockholm/makefu/2configs/binary-cache/server.nix>
+      <stockholm/makefu/2configs/backup/server.nix>
       <stockholm/makefu/2configs/iodined.nix>
+      <stockholm/makefu/2configs/bitlbee.nix>
+      <stockholm/makefu/2configs/wireguard/server.nix>
 
-      # buildbot
-      <stockholm/makefu/2configs/remote-build/slave.nix>
-      <stockholm/makefu/2configs/shack/gitlab-runner>
-
-      ## Web
+      # Removed until move: no extra mails
+      <stockholm/makefu/2configs/urlwatch>
+      # Removed until move: avoid letsencrypt ban
+      ### Web
       #<stockholm/makefu/2configs/nginx/share-download.nix>
       #<stockholm/makefu/2configs/nginx/euer.test.nix>
-      #<stockholm/makefu/2configs/nginx/euer.mon.nix>
-      #<stockholm/makefu/2configs/nginx/euer.wiki.nix>
-      #<stockholm/makefu/2configs/nginx/euer.blog.nix>
+      <stockholm/makefu/2configs/nginx/euer.mon.nix>
+      <stockholm/makefu/2configs/nginx/euer.wiki.nix>
+      <stockholm/makefu/2configs/nginx/euer.blog.nix>
       ## <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
       #<stockholm/makefu/2configs/nginx/public_html.nix>
       #<stockholm/makefu/2configs/nginx/update.connector.one.nix>
-      #<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
+      <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
+      <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
+      <stockholm/makefu/2configs/nginx/iso.euer.nix>
+      <stockholm/makefu/2configs/shack/events-publisher>
 
-      # <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
-      # <stockholm/makefu/2configs/deployment/graphs.nix>
-      # <stockholm/makefu/2configs/deployment/owncloud.nix>
-      # <stockholm/makefu/2configs/deployment/boot-euer.nix>
-      # <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
-
-      # <stockholm/makefu/2configs/ipfs.nix>
-      # <stockholm/makefu/2configs/syncthing.nix>
-
-      # <stockholm/makefu/2configs/opentracker.nix>
-      <stockholm/makefu/2configs/dcpp/hub.nix>
-      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
+      <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
+      <stockholm/makefu/2configs/deployment/graphs.nix>
+      <stockholm/makefu/2configs/deployment/owncloud.nix>
+      <stockholm/makefu/2configs/deployment/boot-euer.nix>
+      <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
 
       <stockholm/makefu/2configs/stats/client.nix>
       # <stockholm/makefu/2configs/logging/client.nix>
 
-      # Temporary:
+      # sharing
+      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
+      <stockholm/makefu/2configs/dcpp/hub.nix>
+
+      ## Temporary:
       # <stockholm/makefu/2configs/temp/rst-issue.nix>
       <stockholm/makefu/2configs/virtualisation/docker.nix>
+      <stockholm/makefu/2configs/virtualisation/libvirt.nix>
 
-      #{
-      #  services.dockerRegistry.enable = true;
-      #  networking.firewall.allowedTCPPorts = [ 8443 ];
-
-      #  services.nginx.virtualHosts."euer.krebsco.de" = {
-      #    forceSSL = true;
-      #    enableACME = true;
-      #    extraConfig = ''
-      #      client_max_body_size 1000M;
-      #    '';
-      #    locations."/".proxyPass = "http://localhost:5000";
-      #  };
-      #}
-
+      # krebs infrastructure services
+      <stockholm/makefu/2configs/stats/server.nix>
   ];
   makefu.dl-dir = "/var/download";
 
@@ -106,9 +133,7 @@ in {
       ListenAddress = ${external-ip} 21031
     '';
     connectTo = [
-      "muhbaasu" "tahoe" "flap" "wry"
-      "ni"
-      "fastpoke" "prism" "dishfire" "echelon" "cloudkrebs"
+      "prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
     ];
   };
 
@@ -119,12 +144,21 @@ in {
     makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
   };
 
+  # Chat
+  environment.systemPackages = with pkgs;[
+    weechat
+    bepasty-client-cli
+    tmux
+  ];
+
+  # Hardware
+
   # Network
   networking = {
     firewall = {
-      allowPing = true;
-      logRefusedConnections = false;
-      allowedTCPPorts = [
+        allowPing = true;
+        logRefusedConnections = false;
+        allowedTCPPorts = [
           # smtp
           25
           # http
@@ -152,9 +186,10 @@ in {
           # tinc-shack
           21032
         ];
-      };
-      nameservers = [ "8.8.8.8" ];
     };
+    nameservers = [ "8.8.8.8" ];
+  };
   users.users.makefu.extraGroups = [ "download" "nginx" ];
   boot.tmpOnTmpfs = true;
+  state = [ "/home/makefu/.weechat" ];
 }
diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hardware-config.nix
index a40709169..bfe29b46c 100644
--- a/makefu/1systems/gum/hardware-config.nix
+++ b/makefu/1systems/gum/hardware-config.nix
@@ -1,26 +1,24 @@
 { config, ... }:
 let
-  external-mac = "2a:c5:6e:d2:fc:7f";
-  main-disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
-  external-gw = "185.194.140.1";
+  external-mac = "50:46:5d:9f:63:6b";
+  main-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_13H8863AS";
+  sec-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_23OJ2GJAS";
+  external-gw = "144.76.26.225";
   # single partition, label "nixos"
   # cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate
 
 
   # static
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-  external-ip6 = config.krebs.build.host.nets.internet.ip6.addr;
+  external-ip = "144.76.26.247";
+  external-ip6 = "2a01:4f8:191:12f6::2";
   external-gw6 = "fe80::1";
-  external-netmask = 22;
+  external-netmask = 27;
   external-netmask6 = 64;
   internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
   ext-if = "et0"; # gets renamed on the fly
 in {
   imports = [
-      <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
-      <stockholm/makefu/2configs/fs/single-partition-ext4.nix>
   ];
-
   makefu.server.primary-itf = ext-if;
   services.udev.extraRules = ''
     SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
@@ -40,7 +38,62 @@ in {
     defaultGateway = external-gw;
   };
   boot.kernelParams = [ ];
-  boot.loader.grub.device = main-disk;
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.devices = [ main-disk ];
+  boot.initrd.kernelModules = [  "dm-raid" ];
+  boot.initrd.availableKernelModules = [
+    "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
+    "xhci_pci" "ehci_pci" "ahci" "sd_mod"
+  ];
+  boot.kernelModules = [ "kvm-intel"  ];
+  hardware.enableRedistributableFirmware = true;
+  fileSystems."/" = {
+    device = "/dev/mapper/nixos-root";
+    fsType = "ext4";
+  };
+  fileSystems."/var/lib" = {
+    device = "/dev/mapper/nixos-lib";
+    fsType = "ext4";
+  };
+  fileSystems."/var/download" = {
+    device = "/dev/mapper/nixos-download";
+    fsType = "ext4";
+  };
+  fileSystems."/var/lib/borgbackup" = {
+    device = "/dev/mapper/nixos-backup";
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/sda2";
+    fsType = "vfat";
+  };
+  # parted -s -a optimal "$disk" \
+  #      mklabel gpt \
+  #      mkpart no-fs 0 1024KiB \
+  #      set 1 bios_grub on \
+  #      mkpart ESP fat32 1025KiB 1024MiB  set 2 boot on \
+  #      mkpart primary 1025MiB 100%
+  # parted -s -a optimal "/dev/sdb" \
+  #      mklabel gpt \
+  #      mkpart primary 1M 100%
+
+  #mkfs.vfat /dev/sda2
+  #pvcreate /dev/sda3
+  #pvcreate /dev/sdb1
+  #vgcreate nixos /dev/sda3 /dev/sdb1
+  #lvcreate -L 120G -m 1 -n root nixos
+  #lvcreate -L 50G -m 1 -n lib nixos
+  #lvcreate -L 100G -n download nixos
+  #lvcreate -L 100G -n backup nixos
+  #mkfs.ext4 /dev/mapper/nixos-root
+  #mkfs.ext4 /dev/mapper/nixos-lib
+  #mkfs.ext4 /dev/mapper/nixos-download
+  #mkfs.ext4 /dev/mapper/nixos-borgbackup
+  #mount /dev/mapper/nixos-root /mnt
+  #mkdir /mnt/boot
+  #mount /dev/sda2 /mnt/boot
+  #mkdir -p /mnt/var/src
+  #touch /mnt/var/src/.populate
+
 }
diff --git a/makefu/1systems/nextgum/rescue.txt b/makefu/1systems/gum/rescue.txt
similarity index 100%
rename from makefu/1systems/nextgum/rescue.txt
rename to makefu/1systems/gum/rescue.txt
diff --git a/makefu/1systems/gum/source.nix b/makefu/1systems/gum/source.nix
index 1e36c6e87..6940498f1 100644
--- a/makefu/1systems/gum/source.nix
+++ b/makefu/1systems/gum/source.nix
@@ -1,5 +1,5 @@
 {
-  name="gum";
+  name="nextgum";
   torrent = true;
   clever_kexec = true;
 }
diff --git a/makefu/1systems/nextgum/transfer-config.nix b/makefu/1systems/gum/transfer-config.nix
similarity index 100%
rename from makefu/1systems/nextgum/transfer-config.nix
rename to makefu/1systems/gum/transfer-config.nix
diff --git a/makefu/1systems/nextgum/config.nix b/makefu/1systems/nextgum/config.nix
deleted file mode 100644
index 118b5b9d4..000000000
--- a/makefu/1systems/nextgum/config.nix
+++ /dev/null
@@ -1,195 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  external-ip = config.krebs.build.host.nets.internet.ip4.addr;
-  ext-if = config.makefu.server.primary-itf;
-in {
-  imports = [
-      <stockholm/makefu>
-      ./hardware-config.nix
-      ./transfer-config.nix
-      {
-        users.users.lass = {
-          uid = 9002;
-          isNormalUser = true;
-          createHome = true;
-          useDefaultShell = true;
-          openssh.authorizedKeys.keys = with config.krebs.users; [
-            lass.pubkey
-            makefu.pubkey
-          ];
-        };
-      }
-      <stockholm/makefu/2configs/headless.nix>
-      # <stockholm/makefu/2configs/smart-monitor.nix>
-
-      # Security
-      <stockholm/makefu/2configs/sshd-totp.nix>
-
-      # Tools
-      <stockholm/makefu/2configs/tools/core.nix>
-      <stockholm/makefu/2configs/tools/dev.nix>
-      <stockholm/makefu/2configs/tools/sec.nix>
-      <stockholm/makefu/2configs/zsh-user.nix>
-      <stockholm/makefu/2configs/mosh.nix>
-      # <stockholm/makefu/2configs/gui/xpra.nix>
-
-      # networking
-      <stockholm/makefu/2configs/vpn/openvpn-server.nix>
-      # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
-      #<stockholm/makefu/2configs/dnscrypt/server.nix>
-      <stockholm/makefu/2configs/iodined.nix>
-      # <stockholm/makefu/2configs/backup.nix>
-      <stockholm/makefu/2configs/tinc/retiolum.nix>
-
-      # ci
-      # <stockholm/makefu/2configs/exim-retiolum.nix>
-      <stockholm/makefu/2configs/git/cgit-retiolum.nix>
-      <stockholm/makefu/2configs/shack/gitlab-runner>
-      <stockholm/makefu/2configs/remote-build/slave.nix>
-      <stockholm/makefu/2configs/taskd.nix>
-
-      # services
-      <stockholm/makefu/2configs/sabnzbd.nix>
-      <stockholm/makefu/2configs/mail/mail.euer.nix>
-
-      # sharing
-      <stockholm/makefu/2configs/share/gum.nix>
-      <stockholm/makefu/2configs/torrent.nix>
-      #<stockholm/makefu/2configs/retroshare.nix>
-      ## <stockholm/makefu/2configs/ipfs.nix>
-      #<stockholm/makefu/2configs/syncthing.nix>
-      { # ncdc
-        environment.systemPackages = [ pkgs.ncdc ];
-        networking.firewall = {
-          allowedUDPPorts = [ 51411 ];
-          allowedTCPPorts = [ 51411 ];
-        };
-      }
-      # <stockholm/makefu/2configs/opentracker.nix>
-
-      ## network
-      <stockholm/makefu/2configs/vpn/openvpn-server.nix>
-      # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
-      <stockholm/makefu/2configs/dnscrypt/server.nix>
-      <stockholm/makefu/2configs/binary-cache/server.nix>
-      <stockholm/makefu/2configs/backup/server.nix>
-      <stockholm/makefu/2configs/iodined.nix>
-      <stockholm/makefu/2configs/bitlbee.nix>
-      <stockholm/makefu/2configs/wireguard/server.nix>
-
-      # Removed until move: no extra mails
-      <stockholm/makefu/2configs/urlwatch>
-      # Removed until move: avoid letsencrypt ban
-      ### Web
-      #<stockholm/makefu/2configs/nginx/share-download.nix>
-      #<stockholm/makefu/2configs/nginx/euer.test.nix>
-      <stockholm/makefu/2configs/nginx/euer.mon.nix>
-      <stockholm/makefu/2configs/nginx/euer.wiki.nix>
-      <stockholm/makefu/2configs/nginx/euer.blog.nix>
-      ## <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
-      #<stockholm/makefu/2configs/nginx/public_html.nix>
-      #<stockholm/makefu/2configs/nginx/update.connector.one.nix>
-      <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
-      <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
-      <stockholm/makefu/2configs/nginx/iso.euer.nix>
-      <stockholm/makefu/2configs/shack/events-publisher>
-
-      <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
-      <stockholm/makefu/2configs/deployment/graphs.nix>
-      <stockholm/makefu/2configs/deployment/owncloud.nix>
-      <stockholm/makefu/2configs/deployment/boot-euer.nix>
-      <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
-
-      <stockholm/makefu/2configs/stats/client.nix>
-      # <stockholm/makefu/2configs/logging/client.nix>
-
-      # sharing
-      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
-      <stockholm/makefu/2configs/dcpp/hub.nix>
-
-      ## Temporary:
-      # <stockholm/makefu/2configs/temp/rst-issue.nix>
-      <stockholm/makefu/2configs/virtualisation/docker.nix>
-      <stockholm/makefu/2configs/virtualisation/libvirt.nix>
-
-      # krebs infrastructure services
-      <stockholm/makefu/2configs/stats/server.nix>
-  ];
-  makefu.dl-dir = "/var/download";
-
-  services.openssh.hostKeys = [
-    { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; }
-    { path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; } ];
-  ###### stable
-  services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
-  krebs.build.host = config.krebs.hosts.gum;
-
-  krebs.tinc.retiolum = {
-    extraConfig = ''
-      ListenAddress = ${external-ip} 53
-      ListenAddress = ${external-ip} 655
-      ListenAddress = ${external-ip} 21031
-    '';
-    connectTo = [
-      "prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
-    ];
-  };
-
-
-  # access
-  users.users = {
-    root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
-    makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
-  };
-
-  # Chat
-  environment.systemPackages = with pkgs;[
-    weechat
-    bepasty-client-cli
-    tmux
-  ];
-
-  # Hardware
-
-  # Network
-  networking = {
-    firewall = {
-        allowPing = true;
-        logRefusedConnections = false;
-        allowedTCPPorts = [
-          # smtp
-          25
-          # http
-          80 443
-          # httptunnel
-          8080 8443
-          # tinc
-          655
-          # tinc-shack
-          21032
-          # tinc-retiolum
-          21031
-          # taskserver
-          53589
-          # temp vnc
-          18001
-          # temp reverseshell
-          31337
-        ];
-        allowedUDPPorts = [
-          # tinc
-          655 53
-          # tinc-retiolum
-          21031
-          # tinc-shack
-          21032
-        ];
-    };
-    nameservers = [ "8.8.8.8" ];
-  };
-  users.users.makefu.extraGroups = [ "download" "nginx" ];
-  boot.tmpOnTmpfs = true;
-  state = [ "/home/makefu/.weechat" ];
-}
diff --git a/makefu/1systems/nextgum/hardware-config.nix b/makefu/1systems/nextgum/hardware-config.nix
deleted file mode 100644
index bfe29b46c..000000000
--- a/makefu/1systems/nextgum/hardware-config.nix
+++ /dev/null
@@ -1,99 +0,0 @@
-{ config, ... }:
-let
-  external-mac = "50:46:5d:9f:63:6b";
-  main-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_13H8863AS";
-  sec-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_23OJ2GJAS";
-  external-gw = "144.76.26.225";
-  # single partition, label "nixos"
-  # cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate
-
-
-  # static
-  external-ip = "144.76.26.247";
-  external-ip6 = "2a01:4f8:191:12f6::2";
-  external-gw6 = "fe80::1";
-  external-netmask = 27;
-  external-netmask6 = 64;
-  internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
-  ext-if = "et0"; # gets renamed on the fly
-in {
-  imports = [
-  ];
-  makefu.server.primary-itf = ext-if;
-  services.udev.extraRules = ''
-    SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
-  '';
-  networking = {
-    interfaces."${ext-if}" = {
-      ipv4.addresses = [{
-        address = external-ip;
-        prefixLength = external-netmask;
-      }];
-      ipv6.addresses = [{
-        address = external-ip6;
-        prefixLength = external-netmask6;
-      }];
-    };
-    defaultGateway6 = external-gw6;
-    defaultGateway = external-gw;
-  };
-  boot.kernelParams = [ ];
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  boot.loader.grub.devices = [ main-disk ];
-  boot.initrd.kernelModules = [  "dm-raid" ];
-  boot.initrd.availableKernelModules = [
-    "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
-    "xhci_pci" "ehci_pci" "ahci" "sd_mod"
-  ];
-  boot.kernelModules = [ "kvm-intel"  ];
-  hardware.enableRedistributableFirmware = true;
-  fileSystems."/" = {
-    device = "/dev/mapper/nixos-root";
-    fsType = "ext4";
-  };
-  fileSystems."/var/lib" = {
-    device = "/dev/mapper/nixos-lib";
-    fsType = "ext4";
-  };
-  fileSystems."/var/download" = {
-    device = "/dev/mapper/nixos-download";
-    fsType = "ext4";
-  };
-  fileSystems."/var/lib/borgbackup" = {
-    device = "/dev/mapper/nixos-backup";
-    fsType = "ext4";
-  };
-  fileSystems."/boot" = {
-    device = "/dev/sda2";
-    fsType = "vfat";
-  };
-  # parted -s -a optimal "$disk" \
-  #      mklabel gpt \
-  #      mkpart no-fs 0 1024KiB \
-  #      set 1 bios_grub on \
-  #      mkpart ESP fat32 1025KiB 1024MiB  set 2 boot on \
-  #      mkpart primary 1025MiB 100%
-  # parted -s -a optimal "/dev/sdb" \
-  #      mklabel gpt \
-  #      mkpart primary 1M 100%
-
-  #mkfs.vfat /dev/sda2
-  #pvcreate /dev/sda3
-  #pvcreate /dev/sdb1
-  #vgcreate nixos /dev/sda3 /dev/sdb1
-  #lvcreate -L 120G -m 1 -n root nixos
-  #lvcreate -L 50G -m 1 -n lib nixos
-  #lvcreate -L 100G -n download nixos
-  #lvcreate -L 100G -n backup nixos
-  #mkfs.ext4 /dev/mapper/nixos-root
-  #mkfs.ext4 /dev/mapper/nixos-lib
-  #mkfs.ext4 /dev/mapper/nixos-download
-  #mkfs.ext4 /dev/mapper/nixos-borgbackup
-  #mount /dev/mapper/nixos-root /mnt
-  #mkdir /mnt/boot
-  #mount /dev/sda2 /mnt/boot
-  #mkdir -p /mnt/var/src
-  #touch /mnt/var/src/.populate
-
-}
diff --git a/makefu/1systems/nextgum/source.nix b/makefu/1systems/nextgum/source.nix
deleted file mode 100644
index 6940498f1..000000000
--- a/makefu/1systems/nextgum/source.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  name="nextgum";
-  torrent = true;
-  clever_kexec = true;
-}

From 51fe1cf77b1d66a75c8ad86bec231a889f11ed86 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 16:48:37 +0100
Subject: [PATCH 60/74] Revert "ma nixpkgs: 86fb1e9 -> bf46294" ... for now

This reverts commit 9520ee2c51b49a0e6cb0c96f9ab1724381e0e9cd.
---
 makefu/nixpkgs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/makefu/nixpkgs.json b/makefu/nixpkgs.json
index 73798f44d..c5cd0ac30 100644
--- a/makefu/nixpkgs.json
+++ b/makefu/nixpkgs.json
@@ -1,7 +1,7 @@
 {
   "url": "https://github.com/makefu/nixpkgs",
-  "rev": "bf46294e4cf20649182f76fc9200a48436f5874a",
-  "date": "2018-09-18T02:20:45+02:00",
-  "sha256": "13900gack7pgf5a7c11x30rzb3s0kjpbm2z2g8fw4720cr9lkd94",
-  "fetchSubmodules": false
+  "rev": "86fb1e9ae6ba6dfedc814b82abd8db5cfa4f4687",
+  "date": "2018-10-07T23:33:42+02:00",
+  "sha256": "015yxs3qj299mgqfmz5vgszj2gxqwazifsdsjw6xadris3ri41d3",
+  "fetchSubmodules": true
 }

From 8b57f04ff84b53742ef6a8a9677560745075ffb1 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 5 Nov 2018 18:18:35 +0100
Subject: [PATCH 61/74] ma gum.r: bye transfer-config

---
 makefu/1systems/gum/config.nix          | 1 -
 makefu/1systems/gum/transfer-config.nix | 7 -------
 2 files changed, 8 deletions(-)
 delete mode 100644 makefu/1systems/gum/transfer-config.nix

diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 118b5b9d4..3d2cbac6f 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -8,7 +8,6 @@ in {
   imports = [
       <stockholm/makefu>
       ./hardware-config.nix
-      ./transfer-config.nix
       {
         users.users.lass = {
           uid = 9002;
diff --git a/makefu/1systems/gum/transfer-config.nix b/makefu/1systems/gum/transfer-config.nix
deleted file mode 100644
index 92df60195..000000000
--- a/makefu/1systems/gum/transfer-config.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, lib, ... }:
-# configuration which is only required for the time of the transfer
-{
-  krebs.tinc.retiolum.connectTo = [ "gum" ];
-  krebs.build.host = lib.mkForce config.krebs.hosts.nextgum;
-}
-

From 70bffd8b90a7740546a20dbbdd6730ab00c7158b Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 18:47:06 +0100
Subject: [PATCH 62/74] hotdog.r: remove import of gitlab-runner-shackspace

---
 krebs/1systems/hotdog/config.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 0a848426c..cf72e0d73 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -10,7 +10,6 @@
     <stockholm/krebs/2configs>
 
     <stockholm/krebs/2configs/buildbot-stockholm.nix>
-    <stockholm/krebs/2configs/gitlab-runner-shackspace.nix>
     <stockholm/krebs/2configs/binary-cache/nixos.nix>
     <stockholm/krebs/2configs/ircd.nix>
     <stockholm/krebs/2configs/reaktor-retiolum.nix>

From 6416e2637665a99c7efc07d036a023463500fefe Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 18:47:34 +0100
Subject: [PATCH 63/74] realwallpaper: e056328 -> 847faeb

---
 krebs/5pkgs/simple/realwallpaper/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
index 15cc277a5..7c9812117 100644
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
@@ -5,8 +5,8 @@ stdenv.mkDerivation {
 
   src = fetchgit {
     url = https://github.com/Lassulus/realwallpaper;
-    rev = "e0563289c2ab592b669ce4549fc40130246e9d79";
-    sha256 = "1zgk8ips2d686216h203w62wrw7zy9z0lrndx9f8z6f1vpvjcmqc";
+    rev = "847faebc9b7e87e4bea078e3a2304ec00b4cdfc0";
+    sha256 = "10zihkwj9vpshlxw2jk67zbsy8g4i8b1y4jzna9fdcsgn7s12jrr";
   };
 
   phases = [

From df660ff2fa05a624903b0b8c93b84c2fef3eb4e8 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 18:49:05 +0100
Subject: [PATCH 64/74] l archprism.r: new hfos ip

---
 lass/1systems/archprism/config.nix   |  4 ++--
 lass/1systems/archprism/physical.nix | 20 ++++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
index 0a286c6f0..e6eddf8b2 100644
--- a/lass/1systems/archprism/config.nix
+++ b/lass/1systems/archprism/config.nix
@@ -36,10 +36,10 @@ with import <stockholm/lib>;
       # TODO write function for proxy_pass (ssl/nonssl)
 
       krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
+        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.179"; target = "ACCEPT"; }
       ];
       krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
+        { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; }
       ];
     }
     {
diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix
index 56348d0ab..36de7dc17 100644
--- a/lass/1systems/archprism/physical.nix
+++ b/lass/1systems/archprism/physical.nix
@@ -14,16 +14,16 @@
         };
       };
       # TODO use this network config
-      #networking.interfaces.et0.ipv4.addresses = [
-      #  {
-      #    address = config.krebs.build.host.nets.internet.ip4.addr;
-      #    prefixLength = 27;
-      #  }
-      #  {
-      #    address = "46.4.114.243";
-      #    prefixLength = 27;
-      #  }
-      #];
+      networking.interfaces.eth0.ipv4.addresses = [
+        {
+          address = config.krebs.build.host.nets.internet.ip4.addr;
+          prefixLength = 27;
+        }
+        {
+          address = "46.4.114.243";
+          prefixLength = 27;
+        }
+      ];
       #networking.defaultGateway = "46.4.114.225";
       #networking.nameservers = [
       #  "8.8.8.8"

From 3902f97c56cd374c67374b57357811621d8cec29 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 18:53:16 +0100
Subject: [PATCH 65/74] l prism.r: remove deprecated grub workaround

---
 lass/1systems/prism/config.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index bf7de6fc5..01479b69c 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -349,8 +349,6 @@ with import <stockholm/lib>;
   ];
 
   krebs.build.host = config.krebs.hosts.prism;
-  # workaround because grub store paths are broken
-  boot.copyKernels = true;
   services.earlyoom = {
     enable = true;
     freeMemThreshold = 5;

From cf22b956cd0f11a25c09c6e04b440dd456a23e03 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 18:56:25 +0100
Subject: [PATCH 66/74] l prism.r: new physical host

---
 lass/1systems/prism/physical.nix | 119 +++++++++++++------------------
 1 file changed, 49 insertions(+), 70 deletions(-)

diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 56348d0ab..4388c13fa 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -1,77 +1,56 @@
 { config, lib, pkgs, ... }:
+
 {
+
   imports = [
     ./config.nix
-    {
-      boot.kernelParams = [ "net.ifnames=0" ];
-      networking = {
-        defaultGateway = "46.4.114.225";
-        # Use google's public DNS server
-        nameservers = [ "8.8.8.8" ];
-        interfaces.eth0 = {
-          ipAddress = "46.4.114.247";
-          prefixLength = 27;
-        };
-      };
-      # TODO use this network config
-      #networking.interfaces.et0.ipv4.addresses = [
-      #  {
-      #    address = config.krebs.build.host.nets.internet.ip4.addr;
-      #    prefixLength = 27;
-      #  }
-      #  {
-      #    address = "46.4.114.243";
-      #    prefixLength = 27;
-      #  }
-      #];
-      #networking.defaultGateway = "46.4.114.225";
-      #networking.nameservers = [
-      #  "8.8.8.8"
-      #];
-      #services.udev.extraRules = ''
-      #  SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
-      #'';
-    }
-    {
-      imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-
-      networking.hostId = "fb4173ea";
-      boot.loader.grub = {
-        devices = [
-          "/dev/sda"
-          "/dev/sdb"
-        ];
-        splashImage = null;
-      };
-
-      boot.initrd.availableKernelModules = [
-        "ata_piix"
-        "vmw_pvscsi"
-        "ahci" "sd_mod"
-      ];
-
-      boot.kernelModules = [ "kvm-intel" ];
-
-      sound.enable = false;
-      nixpkgs.config.allowUnfree = true;
-      time.timeZone = "Europe/Berlin";
-
-      fileSystems."/" = {
-        device = "rpool/root/nixos";
-        fsType = "zfs";
-      };
-
-      fileSystems."/home" = {
-        device = "rpool/home";
-        fsType = "zfs";
-      };
-
-      fileSystems."/boot" = {
-        device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d";
-        fsType = "ext4";
-      };
-
-    }
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
   ];
 
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
+  boot.kernelModules = [ "kvm-intel" ];
+
+  fileSystems."/" = {
+    device = "rpool/root/nixos";
+    fsType = "zfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/d155d6ff-8e89-4876-a9e7-d1b7ba6a4804";
+    fsType = "ext4";
+  };
+
+  fileSystems."/srv/http" = {
+    device = "tank/srv-http";
+    fsType = "zfs";
+  };
+
+  fileSystems."/var/lib/containers" = {
+    device = "tank/containers";
+    fsType = "zfs";
+  };
+
+  fileSystems."/home" = {
+    device = "tank/home";
+    fsType = "zfs";
+  };
+
+  nix.maxJobs = lib.mkDefault 8;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
+
+  boot.kernelParams = [ "net.ifnames=0" ];
+  networking = {
+    hostId = "2283aaae";
+    defaultGateway = "95.216.1.129";
+    # Use google's public DNS server
+    nameservers = [ "8.8.8.8" ];
+    interfaces.eth0 = {
+      ipAddress = "95.216.1.150";
+      prefixLength = 26;
+    };
+  };
 }

From 2912ca43a9607f88780535fc32c5ad0a43d7bd3a Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:00:04 +0100
Subject: [PATCH 67/74] l blue: add l-gen-secrets

---
 lass/2configs/blue.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
index 68f2256cf..4d4a92eb9 100644
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@@ -15,6 +15,7 @@ with (import <stockholm/lib>);
     dic
     nmap
     git-preview
+    l-gen-secrets
   ];
 
   services.tor.enable = true;

From 95c9cd185bdd29b19454a771d5a98d7c594d7cdb Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:02:49 +0100
Subject: [PATCH 68/74] l ciko: chmod +x

---
 lass/2configs/ciko.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lass/2configs/ciko.nix b/lass/2configs/ciko.nix
index b08cf9307..6818db460 100644
--- a/lass/2configs/ciko.nix
+++ b/lass/2configs/ciko.nix
@@ -19,5 +19,9 @@ with import <stockholm/lib>;
       "slash16.net"
     ];
   };
+
+  system.activationScripts.user-shadow = ''
+    ${pkgs.coreutils}/bin/chmod +x /home/ciko
+  '';
 }
 

From 4a5608ba7bb92450ca5c3ef5567818d65b0330a9 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:03:08 +0100
Subject: [PATCH 69/74] l: add neocron@lassul.us

---
 lass/2configs/exim-smarthost.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 6ef3c8595..733115a74 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -90,6 +90,7 @@ with import <stockholm/lib>;
       { from = "afra@lassul.us"; to = lass.mail; }
       { from = "ksp@lassul.us"; to = lass.mail; }
       { from = "ccc@lassul.us"; to = lass.mail; }
+      { from = "neocron@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }

From 93b4db56dfbb4981e5732cad981fba899c1309ce Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:03:43 +0100
Subject: [PATCH 70/74] l games: add steam-run & dolphinEmu to pkgs

---
 lass/2configs/games.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 17c3cf3be..49602898e 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -75,6 +75,8 @@ in {
       packages = with pkgs; [
         ftb
         minecraft
+        steam-run
+        dolphinEmu
       ];
     };
   };

From ab6b32baa7282a5127def657dc0e595464b0bf9c Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:13:01 +0100
Subject: [PATCH 71/74] l git: chmod +x /var/spool

---
 lass/2configs/git.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index c5b5c01fb..62173e33f 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -21,6 +21,10 @@ let
     krebs.iptables.tables.filter.INPUT.rules = [
       { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
     ];
+
+    system.activationScripts.spool-chmod = ''
+      ${pkgs.coreutils}/bin/chmod +x /var/spool
+    '';
   };
 
   cgit-clear-cache = pkgs.cgit-clear-cache.override {

From 1c473c7c203e30aa7f48715c965786350084f901 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:15:11 +0100
Subject: [PATCH 72/74] l mail: add nix@lassul.us to nix ml

---
 lass/2configs/mail.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index e50689254..46939c97e 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -51,7 +51,7 @@ let
     gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
     kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
     lugs = [ "to:lugs@lug-s.org" ];
-    nix-devel = [ "to:nix-devel@googlegroups.com" ];
+    nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
     patreon = [ "to:patreon@lassul.us" ];
     paypal = [ "to:paypal@lassul.us" ];
     ptl = [ "to:ptl@posttenebraslab.ch" ];

From 70c12e9b021d2b5e532110713a6456ab312f6b64 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:38:54 +0100
Subject: [PATCH 73/74] l sqlBackup: remove mysql_password

---
 lass/2configs/websites/sqlBackup.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
index 2fffa6cc9..897e35e61 100644
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@@ -11,7 +11,6 @@
     enable = true;
     dataDir = "/var/mysql";
     package = pkgs.mariadb;
-    rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
   };
 
   systemd.services.mysql = {

From 62aebdf0584ee8c512da2f9a8d12d87995266484 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 10 Nov 2018 19:39:07 +0100
Subject: [PATCH 74/74] l ejabberd: allow registration

---
 lass/3modules/ejabberd/config.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
index 68bcfa340..e7288313a 100644
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@@ -96,9 +96,9 @@ in /* yaml */ ''
     mod_privacy: {}
     mod_private: {}
     mod_register:
-      access_from: deny
+      access_from: allow
       access: register
-      ip_access: trusted_network
+      # ip_access: trusted_network
       registration_watchers: ${toJSON config.registration_watchers}
     mod_roster: {}
     mod_shared_roster: {}