Merge branch 'master' of prism.r:stockholm

jeschli/1systems/brauerei/config.nix

@@ -0,0 +1,99 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  boot.initrd.luks.devices = [
+    {
+      name = "root";
+      device = "/dev/sda2";
+      preLVM = true;
+      allowDiscards = true;
+    }
+  ];
+
+  # networking.hostName = "nixos"; # Define your hostname.
+  networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Select internationalisation properties.
+  # i18n = {
+  #   consoleFont = "Lat2-Terminus16";
+  #   consoleKeyMap = "us";
+  #   defaultLocale = "en_US.UTF-8";
+  # };
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # List packages installed in system profile. To search by name, run:
+  # $ nix-env -qaP | grep wget
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.bash.enableCompletion = true;
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable touchpad support.
+  # services.xserver.libinput.enable = true;
+
+  # Enable the KDE Desktop Environment.
+  # services.xserver.displayManager.sddm.enable = true;
+  # services.xserver.desktopManager.plasma5.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.extraUsers.jeschli = {
+    isNormalUser = true;
+    uid = 1000;
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos"
+  ];
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "18.03"; # Did you read the comment?
+
+}

jeschli/1systems/brauerei/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sdhci_pci" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/e264fc21-45bb-4224-93fc-b0e19c2c3478";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/bd0846ce-7d39-4329-bcb4-7c76becd6ab1";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/42BF-0795";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+}

jeschli/1systems/brauerei/source.nix

@@ -0,0 +1,4 @@
+import <stockholm/jeschli/source.nix> {
+  name = "brauerei";
+  secure = true;
+}

krebs/2configs/save-diskspace.nix

@@ -1,7 +1,6 @@
 {lib, ... }:
 # TODO: do not check out nixpkgs master but fetch revision from github
 {
-  environment.noXlibs = true;
   nix.gc.automatic = true;
   nix.gc.dates = lib.mkDefault "03:10";
   programs.info.enable = false;

krebs/3modules/backup.nix

@@ -83,6 +83,7 @@ let
           rsync
           utillinux
         ];
+        restartIfChanged = false;
         serviceConfig = rec {
           ExecStart = start plan;
           SyslogIdentifier = ExecStart.name;

krebs/3modules/default.nix

@@ -44,6 +44,7 @@ let
       ./tinc_graphs.nix
       ./urlwatch.nix
       ./repo-sync.nix
+      ./xresources.nix
       ./zones.nix
     ];
     options.krebs = api;
@@ -226,21 +227,26 @@ let
             };
           })
         //
-        # GitHub's IPv4 address range is 192.30.252.0/22
-        # Refs https://help.github.com/articles/github-s-ip-addresses/
-        # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
-        # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
-        # we split each /24 into its own entry.
-        listToAttrs (map
-          (c: {
-            name = "github${toString c}";
-            value = {
-              hostNames = ["github.com"] ++
-                map (d: "192.30.${toString c}.${toString d}") (range 0 255);
-              publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
-            };
-          })
-          (range 252 255))
+        {
+          github = {
+            hostNames = [
+              "github.com"
+              # List generated with
+              # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
+              "192.30.253.*"
+              "192.30.254.*"
+              "192.30.255.*"
+              "185.199.108.*"
+              "185.199.109.*"
+              "185.199.110.*"
+              "185.199.111.*"
+              "18.195.85.27"
+              "18.194.104.89"
+              "35.159.8.160"
+            ];
+            publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+          };
+        }
         //
         mapAttrs
           (name: host: {

krebs/3modules/jeschli/default.nix

@@ -7,10 +7,7 @@ with import <stockholm/lib>;
     owner = config.krebs.users.jeschli;
     ci = true;
   }) {
-
     bln = {
-      ci = false;
-      external = true;
       nets = {
         retiolum = {
           ip4.addr = "10.243.27.28";
@@ -47,9 +44,44 @@ with import <stockholm/lib>;
         };
       };
     };
+    brauerei = {
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.27.29";
+          ip6.addr = "42::29";
+          aliases = [
+            "brauerei.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIECgKCBAEAvC4AjkAoH01sKDXE3xVM2YUpPQ9iewIPQCCCSWYZQh2BWOfl+FFs
+            pW3ix5FjAzTxzkIf5NxW0usff8UTkFHB+sGZLZ9DPqvb8AM4GJsvXR06LORHtBlo
+            Vt/g1sndD3i3NXn5IJ2G4mZDImQjI3vuTkPyFQsR5LRAaPQgIORHBtN/X1UEVMRq
+            gThUeMb1kZ/y4AmUx0pepQYmAcYf0cN/7r9n68dWJCZ7DWX3q49bIz4TPG519IQp
+            KzoCtdXImKl6cFDepa2pRmIW4SPaDXztHDmXoJA1NBfdDOMOW67FUjzhcwZS9usM
+            q9x/1Tph63PJy4Vc0jsJnY29WrInx/nVAb22QuTOXQ9SfBNoOATYoFoVmY+yw1FX
+            67y3bRbq8lQk1y3F2vZVYxQ52WiYLmtNtuzUMZHErL7VgFIEfQKoO2Oa/WZXdgSJ
+            Asmn67NSicc5QNI4rBUthju1JDuM/3ja0yCXh7trDCmPxKd94KzxMlq9VA6S2f/Q
+            uke3VnXEDqOWOZdcon5DnRTT1y4xjk1XHuO/9tVDcrL7x1unkdGL9BNMU6opJiLm
+            batAtKQ/7EJrlgIxYpEQyCNAjj0dEn0BgNZNqQSKkeGe6giVMuHtnXeTYMEraDas
+            DWxHmGOvYWrs3tZdELkB/h/y7DdijOabS4AlLOljKHiacw8e0D7p9qeIU2EwRaXD
+            ebPYaAIIWn1FU1aCYpvF4YJYbdNJZg6aKpoWNz86ZjO9t3GBkf612xB7fRO9mbTg
+            Ww2Hl6lir0rnlo7P9M1xhQqmZ0phaUjkqYRCaTOW1kC5ACpJJ/Jrq0oyplHVBY8Y
+            IvzPDA4nu/YOpyhQjlQwcVt62NgW0CZdwp3ZnMMoy7akgEo71bjoHbRxAeWy5oRB
+            5CgGvQAB+qdf97XjZ5RggWQ2rglkCn49X4fXN6r4zuaIji1VVFTEZGRNsi0vt1YC
+            Eedz68auu1ZDO1qwNcX00n94E09B05DQBjE/6SAX6wBCY/BwUtzdQ9JnyfHNSl8i
+            dmHBPLssB9Dku4U0mo+LLer+bf6fiR7r5gp/KRuY/tMGFahprZRfWFtyO2Pg1cYI
+            HCdmDmSlbFq3EJmBl0egbU8Ym1m6t4EvPcoTxwy3ljZWybHlhm4wvhGcA/2bDRZA
+            jcXSL3G7buBOf8WJNYnMXCtPEyIYUdRyNvz3EUfvmbzZDhHd/bc0pJRrrtI7HqoF
+            +g67gCrtXx6i9PD0LSDJ1jExMZcmU1+DPg0dzDEmLHvW+HW538/HXGJ8FsunWBwD
+            /8wsQfoqAwlBSucLHDDrYVvfSp0+TLzg/HDMhNkcN7d5hm3syrI+IN4gEEjYeZIO
+            g7fjR1X7g5FGCDQnRA/dzNsZVnk6UFpCRwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
     reagenzglas = {
-      ci = false;
-      external = true;
       nets = {
         retiolum = {
           ip4.addr = "10.243.27.27";
@@ -92,5 +124,8 @@ with import <stockholm/lib>;
       mail = "jeschli@gmail.com";
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01";
     };
+    jeschli-bln = {
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhQdDQFMxXOjbC+Avx3mlcFHqQpFUk/q9sO6ATA65jCV3YzN11vhZDDv54hABVS2h8TPXs7Lu3PCvK9qouASd2h4Ie9cExUmn50G/iwgFIODsCugVYBzVt1iwaAdwz1Hb9DKYXbVXanzVJjimmrrlQNvsyZg85lcnfyedpPX5ad+4FdSP68LHqEHC18LTitldR6V4P1omaKHlOtVpDgR/72tDgbtNZDBn3EU+TPk9OLTzjc6PinPw4iIvjEfiu14APwXpFDIqT7P7SjOEFpa0v/1z7dhxIy/Z9XbqyEdUfhv3PjZR5K2C+VzR7g6jVEVR2xFId51MpLv/Un4/lalbphBEw3I90Rr8tatOJiFhyrXbaKTcLqp1sIu05OxdPkm3hzfmLIhoKxhaIlXH7WQ9sAqxL1NAQ7O+J6yT4DMnwKzvpkkJjBaGtV84Pp1cccfNRH8XXID3FkWkrUpdgXWBpyLnRq4ilUJTajkU0GSdXkq8kLL3mWg9LPRTg3dmDj61ZB/qhjM61ppwHJvDRN9WI5HruXIU6nOQjh5yE2C/JZfLcsZD4Y1UDBy5/JSZrCVT2sQjFopkkYEkRCbX7oITHOH4iyRdxZkKWLUPboFrcmBpXO+owCEhO4JZrtfFWMC6qM++nrmiZWOrdIOIvdYHWluhKR2shlkisEKQP5pUqkw== markus.hihn@dcso.de";
+    };
   };
 }

krebs/3modules/lass/default.nix

@@ -628,8 +628,5 @@ with import <stockholm/lib>;
       pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
       mail = "joerg@higgsboson.tk";
     };
-    jeschli = {
-      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01";
-    };
   };
 }

krebs/3modules/repo-sync.nix

@@ -173,6 +173,7 @@ let
           REPONAME = "${name}.git";
         };
 
+        restartIfChanged = false;
         serviceConfig = {
           Type = "simple";
           PermissionsStartOnly = true;

krebs/5pkgs/haskell/nix-diff/default.nix

@@ -4,12 +4,15 @@
 }:
 mkDerivation {
   pname = "nix-diff";
-  version = "1.0.0";
+  version = "1.0.0-krebs1";
   src = fetchgit {
     url = "https://github.com/Gabriel439/nix-diff";
     sha256 = "1k00nx8pannqmpzadkwfrs6bf79yk22ynhd033z5rsyw0m8fcz9k";
     rev = "e32ffa2c7f38b47a71325a042c1d887fb46cdf7d";
   };
+  patches = [
+    ./nixos-system.patch
+  ];
   isLibrary = false;
   isExecutable = true;
   executableHaskellDepends = [

krebs/5pkgs/haskell/nix-diff/nixos-system.patch

@@ -0,0 +1,18 @@
+diff --git a/src/Main.hs b/src/Main.hs
+index 959ab8e..d3b6077 100644
+--- a/src/Main.hs
++++ b/src/Main.hs
+@@ -95,7 +95,12 @@ pathToText path =
+     underneath `/nix/store`, but this is the overwhelmingly common use case
+ -}
+ derivationName :: FilePath -> Text
+-derivationName = Data.Text.dropEnd 4 . Data.Text.drop 44 . pathToText
++derivationName p =
++    if Data.Text.isPrefixOf "nixos-system" s
++      then "nixos-system"
++      else s
++  where
++    s = Data.Text.dropEnd 4 . Data.Text.drop 44 . pathToText $ p
+ 
+ -- | Group input derivations by their name
+ groupByName :: Map FilePath (Set Text) -> Map Text (Map FilePath (Set Text))

krebs/5pkgs/simple/apt-cacher-ng/default.nix

@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, cmake, doxygen, zlib, openssl, bzip2, pkgconfig, libpthreadstubs }:
-
-stdenv.mkDerivation rec {
-  name = "apt-cacher-ng-${version}";
-  version = "2";
-
-  src = fetchurl {
-    url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz";
-    sha256 = "0bkc3012vinridl5ch46pwnxjalymx4wf6nxax64nm7bdkcj9azf";
-  };
-
-  NIX_LDFLAGS = "-lpthread";
-  buildInputs = [ doxygen cmake zlib openssl bzip2 pkgconfig libpthreadstubs ];
-
-  meta = {
-    description = "A caching proxy specialized for linux distribution files";
-    homepage = http://www.unix-ag.uni-kl.de/~bloch/acng/;
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = [ stdenv.lib.maintainers.makefu ];
-  };
-}

krebs/5pkgs/simple/cidr2glob.nix

@@ -0,0 +1,30 @@
+{ python, writeScriptBin, ... }:
+
+let
+  pythonEnv = python.withPackages (ps: [ ps.netaddr ]);
+in
+  writeScriptBin "cidr2glob" ''
+    #! ${pythonEnv}/bin/python
+
+    import netaddr
+    import re
+    import sys
+
+    def cidr2glob(cidr):
+        net = netaddr.IPNetwork(cidr)
+
+        if net.prefixlen <= 8:
+            return map(lambda subnet: re.sub(r'\.0\.0\.0$', '.*', str(subnet.ip)), net.subnet(8))
+        elif net.prefixlen <= 16:
+            return map(lambda subnet: re.sub(r'\.0\.0$', '.*', str(subnet.ip)), net.subnet(16))
+        elif net.prefixlen <= 24:
+            return map(lambda subnet: re.sub(r'\.0$', '.*', str(subnet.ip)), net.subnet(24))
+        else:
+            return map(lambda ip: str(ip), list(net))
+
+    if __name__ == "__main__":
+        for cidr in sys.stdin:
+            for glob in cidr2glob(cidr):
+                print glob
+
+  ''

krebs/5pkgs/simple/populate/default.nix

@@ -1,24 +1,27 @@
-{ coreutils, fetchgit, git, jq, openssh, proot, rsync, stdenv, ... }:
+{ coreutils, fetchgit, findutils, git, gnused, jq, openssh, pass, rsync, stdenv
+}:
 
 let
   PATH = stdenv.lib.makeBinPath [
     coreutils
+    findutils
     git
+    gnused
     jq
     openssh
-    proot
+    pass
     rsync
   ];
 in
 
 stdenv.mkDerivation rec {
   name = "populate";
-  version = "1.2.5";
+  version = "2.1.0";
 
   src = fetchgit {
     url = http://cgit.ni.krebsco.de/populate;
     rev = "refs/tags/v${version}";
-    sha256 = "10s4x117zp5whqq991xzw1i2jc1xhl580kx8hhzv8f1b4c9carx1";
+    sha256 = "0cr50y6h6nps0qgpmi01h0z9wzpv2704y5zgx2salk1grkmvcfmh";
   };
 
   phases = [

krebs/source.nix

@@ -7,13 +7,16 @@ host@{ name, secure ? false }: let
 in
   evalSource (toString _file) {
     nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
-    secrets.file = getAttr builder {
-      buildbot = toString <stockholm/krebs/6tests/data/secrets>;
-      krebs = "${getEnv "HOME"}/secrets/krebs/${host.name}";
+    secrets = getAttr builder {
+      buildbot.file = toString <stockholm/krebs/6tests/data/secrets>;
+      krebs.pass = {
+        dir = "${getEnv "HOME"}/brain";
+        name = "krebs-secrets/${name}";
+      };
     };
     stockholm.file = toString <stockholm>;
     nixpkgs.git = {
       url = https://github.com/NixOS/nixpkgs;
-      ref = "0c5a587eeba5302ff87e494baefd2f14f4e19bee"; # nixos-17.09 @ 2017-11-10
+      ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13
     };
   }

lass/2configs/baseX.nix

@@ -41,7 +41,7 @@ in {
           default = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
         };
       };
-      config.services.xresources.resources.X = ''
+      config.krebs.xresources.resources.X = ''
         *.font:       ${config.lass.fonts.regular}
         *.boldFont:   ${config.lass.fonts.bold}
         *.italicFont: ${config.lass.fonts.italic}
@@ -112,11 +112,7 @@ in {
     xkbOptions = "caps:backspace";
   };
 
-  services.logind.extraConfig = ''
-    HandleLidSwitch=ignore
-  '';
-
   services.urxvtd.enable = true;
-  services.xresources.enable = true;
+  krebs.xresources.enable = true;
   lass.screenlock.enable = true;
 }

lass/2configs/br.nix

@@ -18,7 +18,7 @@ with import <stockholm/lib>;
       netDevices = {
         bra = {
           model = "MFCL2700DN";
-          ip = "10.23.42.221";
+          ip = "10.42.23.221";
         };
       };
     };

lass/2configs/browsers.nix

@@ -47,7 +47,7 @@ let
   createFirefoxUser = name: extraGroups: precedence:
     let
       bin = pkgs.writeScriptBin name ''
-        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
+        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox-devedition-bin}/bin/firefox-devedition $@
       '';
     in {
       users.extraUsers.${name} = {

lass/2configs/dcso-dev.nix

@@ -15,6 +15,7 @@ in {
       createHome = true;
       openssh.authorizedKeys.keys = [
         config.krebs.users.lass.pubkey
+        config.krebs.users.lass-android.pubkey
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhQdDQFMxXOjbC+Avx3mlcFHqQpFUk/q9sO6ATA65jCV3YzN11vhZDDv54hABVS2h8TPXs7Lu3PCvK9qouASd2h4Ie9cExUmn50G/iwgFIODsCugVYBzVt1iwaAdwz1Hb9DKYXbVXanzVJjimmrrlQNvsyZg85lcnfyedpPX5ad+4FdSP68LHqEHC18LTitldR6V4P1omaKHlOtVpDgR/72tDgbtNZDBn3EU+TPk9OLTzjc6PinPw4iIvjEfiu14APwXpFDIqT7P7SjOEFpa0v/1z7dhxIy/Z9XbqyEdUfhv3PjZR5K2C+VzR7g6jVEVR2xFId51MpLv/Un4/lalbphBEw3I90Rr8tatOJiFhyrXbaKTcLqp1sIu05OxdPkm3hzfmLIhoKxhaIlXH7WQ9sAqxL1NAQ7O+J6yT4DMnwKzvpkkJjBaGtV84Pp1cccfNRH8XXID3FkWkrUpdgXWBpyLnRq4ilUJTajkU0GSdXkq8kLL3mWg9LPRTg3dmDj61ZB/qhjM61ppwHJvDRN9WI5HruXIU6nOQjh5yE2C/JZfLcsZD4Y1UDBy5/JSZrCVT2sQjFopkkYEkRCbX7oITHOH4iyRdxZkKWLUPboFrcmBpXO+owCEhO4JZrtfFWMC6qM++nrmiZWOrdIOIvdYHWluhKR2shlkisEKQP5pUqkw== markus.hihn@dcso.de"
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1T5+2epslFARSnETdr4wdolA6ocJaD4H9tmz6BZFQKXlwIq+OMp+sSEdwYwW3Lu9+mNbBHPxVVJDWg/We9DXB0ezXPM5Bs1+FcehmkoGwkmgKaFCDt0sL+CfSnog/3wEkN21O/rQxVFqMmiJ7WUDGci6IKCFZ5ZjOsmmfHg5p3LYxU9xv33fNr2v+XauhrGbFtQ7eDz4kSywxN/aw73LN4d8em0V0UV8VPI3Qkw7MamDFwefA+K1TfK8pBzMeruU6N7HLuNkpkAp7kS+K4Zzd72aQtR37a5qMiFUbOxQ9B7iFypuPx0iu6ZwY1s/sM8t3kLmcDJ9O4FOTzlbpneet3as6iJ+Ckr/TlfKor2Tl5pWcXh2FXHoG8VUu5bYmIViJBrKihAlAQfQN0mJ9fdFTnCXVTtbYTy11s4eEVHgUlb7oSpgBnx5bnBONgApbsOX9zyoo8wz8KkZBcf1SQpkV5br8uUAHCcZtHuY6I3kKlv+8lJmgUipiYzMdTi7+dHa49gVEcEKL4ZnJ0msQkl4XT7JjKETLvumC4/TIqVuRu48wuYalkCR9OzxCsTXQ/msBJBztPdYLrEOXVb2HfzuCT+43UuMQ5rP/EoPy0TWQO9BaqfEXqvbOvWjVxj/GMvglQ2ChZTwHxwwTKB8qRVvJLnbZQwizQiSrkzjb6hRJfQ== u0_a165@localhost"
       ];
@@ -42,6 +43,10 @@ in {
     };
   };
 
+  krebs.per-user.dev.packages = [
+    pkgs.go
+  ];
+
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(dev) NOPASSWD: ALL
   '';

lass/2configs/exim-smarthost.nix

@@ -48,6 +48,7 @@ with import <stockholm/lib>;
       { from = "tomtop@lassul.us"; to = lass.mail; }
       { from = "aliexpress@lassul.us"; to = lass.mail; }
       { from = "business@lassul.us"; to = lass.mail; }
+      { from = "payeer@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }

lass/2configs/games.nix

@@ -57,7 +57,7 @@ let
 
 in {
   environment.systemPackages = with pkgs; [
-    dwarf_fortress
+    (dwarf-fortress.override { theme = dwarf-fortress-packages.phoebus-theme; })
     doom1
     doom2
     vdoom1

lass/2configs/hw/brcmfmac4356-pcie.txt

@@ -0,0 +1,125 @@
+# Sample variables file for BCM94356Z NGFF 22x30mm iPA, iLNA board with PCIe for production package
+NVRAMRev=$Rev: 492104 $
+#4356 chip = 4354 A2 chip
+sromrev=11
+boardrev=0x1102
+boardtype=0x073e
+boardflags=0x02400201
+#0x2000 enable 2G spur WAR
+boardflags2=0x00802000
+boardflags3=0x0000000a
+#boardflags3 0x00000100 /* to read swctrlmap from nvram*/
+#define BFL3_5G_SPUR_WAR   0x00080000   /* enable spur WAR in 5G band */
+#define BFL3_AvVim   0x40000000   /* load AvVim from nvram */
+macaddr=00:90:4c:1a:10:01
+ccode=0x5854
+regrev=205
+antswitch=0
+pdgain5g=4
+pdgain2g=4
+tworangetssi2g=0
+tworangetssi5g=0
+paprdis=0
+femctrl=10
+vendid=0x14e4
+devid=0x43ec
+manfid=0x2d0
+#prodid=0x052e
+nocrc=1
+otpimagesize=502
+xtalfreq=37400
+rxgains2gelnagaina0=0
+rxgains2gtrisoa0=7
+rxgains2gtrelnabypa0=0
+rxgains5gelnagaina0=0
+rxgains5gtrisoa0=11
+rxgains5gtrelnabypa0=0
+rxgains5gmelnagaina0=0
+rxgains5gmtrisoa0=13
+rxgains5gmtrelnabypa0=0
+rxgains5ghelnagaina0=0
+rxgains5ghtrisoa0=12
+rxgains5ghtrelnabypa0=0
+rxgains2gelnagaina1=0
+rxgains2gtrisoa1=7
+rxgains2gtrelnabypa1=0
+rxgains5gelnagaina1=0
+rxgains5gtrisoa1=10
+rxgains5gtrelnabypa1=0
+rxgains5gmelnagaina1=0
+rxgains5gmtrisoa1=11
+rxgains5gmtrelnabypa1=0
+rxgains5ghelnagaina1=0
+rxgains5ghtrisoa1=11
+rxgains5ghtrelnabypa1=0
+rxchain=3
+txchain=3
+aa2g=3
+aa5g=3
+agbg0=2
+agbg1=2
+aga0=2
+aga1=2
+tssipos2g=1
+extpagain2g=2
+tssipos5g=1
+extpagain5g=2
+tempthresh=255
+tempoffset=255
+rawtempsense=0x1ff
+pa2ga0=-147,6192,-705
+pa2ga1=-161,6041,-701
+pa5ga0=-194,6069,-739,-188,6137,-743,-185,5931,-725,-171,5898,-715
+pa5ga1=-190,6248,-757,-190,6275,-759,-190,6225,-757,-184,6131,-746
+subband5gver=0x4
+pdoffsetcckma0=0x4
+pdoffsetcckma1=0x4
+pdoffset40ma0=0x0000
+pdoffset80ma0=0x0000
+pdoffset40ma1=0x0000
+pdoffset80ma1=0x0000
+maxp2ga0=76
+maxp5ga0=74,74,74,74
+maxp2ga1=76
+maxp5ga1=74,74,74,74
+cckbw202gpo=0x0000
+cckbw20ul2gpo=0x0000
+mcsbw202gpo=0x99644422
+mcsbw402gpo=0x99644422
+dot11agofdmhrbw202gpo=0x6666
+ofdmlrbw202gpo=0x0022
+mcsbw205glpo=0x88766663
+mcsbw405glpo=0x88666663
+mcsbw805glpo=0xbb666665
+mcsbw205gmpo=0xd8666663
+mcsbw405gmpo=0x88666663
+mcsbw805gmpo=0xcc666665
+mcsbw205ghpo=0xdc666663
+mcsbw405ghpo=0xaa666663
+mcsbw805ghpo=0xdd666665
+mcslr5glpo=0x0000
+mcslr5gmpo=0x0000
+mcslr5ghpo=0x0000
+sb20in40hrpo=0x0
+sb20in80and160hr5glpo=0x0
+sb40and80hr5glpo=0x0
+sb20in80and160hr5gmpo=0x0
+sb40and80hr5gmpo=0x0
+sb20in80and160hr5ghpo=0x0
+sb40and80hr5ghpo=0x0
+sb20in40lrpo=0x0
+sb20in80and160lr5glpo=0x0
+sb40and80lr5glpo=0x0
+sb20in80and160lr5gmpo=0x0
+sb40and80lr5gmpo=0x0
+sb20in80and160lr5ghpo=0x0
+sb40and80lr5ghpo=0x0
+dot11agduphrpo=0x0
+dot11agduplrpo=0x0
+phycal_tempdelta=255
+temps_period=15
+temps_hysteresis=15
+rssicorrnorm_c0=4,4
+rssicorrnorm_c1=4,4
+rssicorrnorm5g_c0=1,2,3,1,2,3,6,6,8,6,6,8
+rssicorrnorm5g_c1=1,2,3,2,2,2,7,7,8,7,7,8

lass/2configs/hw/gpd-pocket.nix

@@ -16,7 +16,6 @@ in {
   boot.kernelParams = [
     "fbcon=rotate:1"
   ];
-  services.tlp.enable = true;
   services.xserver.displayManager.sessionCommands = ''
     (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output DSI1 --rotate right)
     (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop 'Goodix Capacitive TouchScreen' 'Coordinate Transformation Matrix' 0 1 0 -1 0 1 0 0 1)

lass/2configs/hw/x220.nix

@@ -29,4 +29,9 @@
       options = ["nosuid" "nodev" "noatime"];
     };
   };
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
+
 }

lass/2configs/urxvt.nix

@@ -4,7 +4,7 @@ with import <stockholm/lib>;
 {
   services.urxvtd.enable = true;
 
-  services.xresources.resources.urxvt = ''
+  krebs.xresources.resources.urxvt = ''
     URxvt*SaveLines: 4096
     URxvt*scrollBar:            false
     URxvt*urgentOnBell:         true

lass/2configs/websites/lassulus.nix

@@ -153,15 +153,15 @@ in {
   };
 
   security.acme.certs."cgit.lassul.us" = {
-    email = "lassulus@gmail.com";
-    webroot = "/var/lib/acme/acme-challenges";
+    email = "lassulus@lassul.us";
+    webroot = "/var/lib/acme/acme-challenge";
     plugins = [
       "account_key.json"
-      "key.pem"
       "fullchain.pem"
+      "key.pem"
     ];
     group = "nginx";
-    allowKeysForGroup = true;
+    user = "nginx";
   };
 
 
@@ -170,6 +170,9 @@ in {
     addSSL = true;
     sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
     sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
+    locations."/.well-known/acme-challenge".extraConfig = ''
+      root /var/lib/acme/acme-challenge;
+    '';
   };
 
   users.users.blog = {

lass/3modules/default.nix

@@ -12,6 +12,5 @@ _:
     ./umts.nix
     ./usershadow.nix
     ./xserver
-    ./xresources.nix
   ];
 }

lass/3modules/xserver/default.nix

@@ -17,10 +17,6 @@ let
   imp = {
 
     services.xserver = {
-      # Don't install feh into systemPackages
-      # refs <nixpkgs/nixos/modules/services/x11/desktop-managers>
-      desktopManager.session = mkForce [];
-
       enable = true;
       display = 11;
       tty = 11;
@@ -80,7 +76,7 @@ let
         ];
       };
     };
-    services.xresources.resources.dpi = ''
+    krebs.xresources.resources.dpi = ''
       ${optionalString (xcfg.dpi != null) "Xft.dpi: ${toString xcfg.dpi}"}
     '';
     systemd.services.urxvtd = {

lass/5pkgs/default.nix

@@ -23,7 +23,7 @@
 
     screengrab = pkgs.writeDashBin "screengrab" ''
       resolution="$(${pkgs.xorg.xrandr}/bin/xrandr | ${pkgs.gnugrep}/bin/grep '*' | ${pkgs.gawk}/bin/awk '{print $1}')"
-      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :0.0 -s $resolution -c:v huffyuv $1
+      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :${toString config.services.xserver.display} -s $resolution -c:v huffyuv $1
     '';
   };
 }

lass/5pkgs/xmonad-lass.nix

@@ -30,6 +30,7 @@ import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
 import XMonad.Actions.DynamicWorkspaces (withWorkspace)
 import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
+import XMonad.Hooks.EwmhDesktops (ewmh)
 import XMonad.Hooks.FloatNext (floatNext)
 import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@@ -39,10 +40,10 @@ import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
+import XMonad.Layout.SimplestFloat (simplestFloat)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
-import XMonad.Layout.SimpleFloat (simpleFloat)
 
 import XMonad.Stockholm.Shutdown
 
@@ -59,7 +60,7 @@ main = getArgs >>= \case
 
 main' :: IO ()
 main' = do
-    xmonad
+    xmonad $ ewmh
         $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
         $ def
             { terminal           = myTerm
@@ -77,7 +78,7 @@ main' = do
 
 myLayoutHook = defLayout
   where
-    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat
+    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat)
 
 myKeyMap :: [([Char], X ())]
 myKeyMap =
@@ -86,6 +87,8 @@ myKeyMap =
     , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
     , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
     , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
+
+    , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle")
     , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
     , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%")
     , ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%")

lass/source.nix

@@ -10,7 +10,7 @@ in
       nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
       nixpkgs.git = {
         url = https://github.com/nixos/nixpkgs;
-        ref = "b4a0c01";
+        ref = "cb751f9";
       };
       secrets.file = getAttr builder {
         buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;

lib/types.nix

@@ -231,7 +231,12 @@ rec {
   source = submodule ({ config, ... }: {
     options = {
       type = let
-        types = ["file" "git" "symlink"];
+        types = [
+          "file"
+          "git"
+          "pass"
+          "symlink"
+        ];
       in mkOption {
         type = enum types;
         default = let
@@ -255,6 +260,10 @@ rec {
         type = nullOr git-source;
         default = null;
       };
+      pass = mkOption {
+        type = nullOr pass-source;
+        default = null;
+      };
       symlink = let
         symlink-target = (symlink-source.getSubOptions "FIXME").target.type;
       in mkOption {
@@ -287,6 +296,17 @@ rec {
     };
   };
 
+  pass-source = submodule {
+    options = {
+      dir = mkOption {
+        type = absolute-pathname;
+      };
+      name = mkOption {
+        type = pathname; # TODO relative-pathname
+      };
+    };
+  };
+
   symlink-source = submodule {
     options = {
       target = mkOption {

nin/1systems/hiawatha/config.nix

@@ -15,7 +15,6 @@ with lib;
     <stockholm/nin/2configs/git.nix>
     <stockholm/nin/2configs/retiolum.nix>
     <stockholm/nin/2configs/termite.nix>
-    <stockholm/nin/2configs/skype.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.hiawatha;
@@ -87,6 +86,7 @@ with lib;
   environment.systemPackages = with pkgs; [
     firefox
     git
+    lmms
     networkmanagerapplet
     python
     steam

nin/2configs/default.nix

@@ -4,6 +4,7 @@ with import <stockholm/lib>;
 {
   imports = [
     ../2configs/vim.nix
+    <stockholm/krebs/2configs/binary-cache/nixos.nix>
     <stockholm/krebs/2configs/binary-cache/prism.nix>
     {
       users.extraUsers =

nin/2configs/git.nix

@@ -40,8 +40,8 @@ let
       post-receive = pkgs.git-hooks.irc-announce {
         # TODO make nick = config.krebs.build.host.name the default
         nick = config.krebs.build.host.name;
-        channel = "#retiolum";
-        server = "ni.r";
+        channel = "#xxx";
+        server = "irc.r";
         verbose = config.krebs.build.host.name == "onondaga";
         # TODO define branches in some kind of option per repo
         branches = [ "master" ];

nin/source.nix

@@ -14,6 +14,6 @@ in
     stockholm.file = toString <stockholm>;
     nixpkgs.git = {
       url = https://github.com/nixos/nixpkgs;
-      ref = "c99239b";
+      ref = "afe9649";
     };
   }

tv/1systems/querel/config.nix

@@ -11,6 +11,9 @@ with import <stockholm/lib>;
   krebs.build.host = config.krebs.hosts.querel;
   krebs.build.user = mkForce config.krebs.users.itak;
 
+  boot.extraModulePackages = [
+    config.boot.kernelPackages.exfat-nofuse
+  ];
   boot.initrd.availableKernelModules = [ "ahci" ];
   boot.initrd.luks = {
     cryptoModules = [ "aes" "sha512" "xts" ];

tv/2configs/urlwatch.nix

@@ -13,8 +13,16 @@ with import <stockholm/lib>;
 
       http://www.exim.org/
 
+      {
+        url = https://api.github.com/repos/Gabriel439/nix-diff/git/refs/heads/master;
+        filter = "system:${pkgs.jq}/bin/jq -r .object.sha";
+      }
+
       # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
-      https://api.github.com/repos/simple-evcorr/sec/tags
+      {
+        url = https://api.github.com/repos/simple-evcorr/sec/tags;
+        filter = "system:${pkgs.jq}/bin/jq .";
+      }
 
       # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
       https://thp.io/2008/urlwatch/
@@ -47,7 +55,7 @@ with import <stockholm/lib>;
       #http://hackage.haskell.org/package/web-page
 
       # ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
-      https://help.github.com/articles/github-s-ip-addresses/
+      https://api.github.com/meta
 
       # <stockholm/tv/2configs/xserver/xserver.conf.nix>
       # is derived from `configFile` in: