Merge remote-tracking branch 'lass/master'

2021-04-20 09:01:54 +02:00 · 2021-04-20 09:01:54 +02:00 · 610a81d723
commit 610a81d723
parent bba59bcf11 6b12f7ec6a
28 changed files with 212 additions and 99 deletions
--- a/krebs/0tests/data/secrets/syncthing.cert
+++ b/krebs/0tests/data/secrets/syncthing.cert
--- a/krebs/0tests/data/secrets/syncthing.key
+++ b/krebs/0tests/data/secrets/syncthing.key
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@ -18,13 +18,6 @@
  boot.isContainer = true;
  networking.useDHCP = false;
  krebs.bindfs = {
    "/var/lib/htgen-go" = {
      source = "/var/state/htgen-go";
      options = [
        "-m ${toString config.users.users.htgen-go.uid}"
      ];
      clearTarget = true;
    };
    "/var/lib/brockman" = {
      source = "/var/state/brockman";
      options = [
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@ -19,6 +19,12 @@
    <stockholm/krebs/2configs/binary-cache/nixos.nix>
    <stockholm/krebs/2configs/binary-cache/prism.nix>
    ## news host
    <stockholm/krebs/2configs/container-networking.nix>
    <stockholm/krebs/2configs/syncthing.nix>
    <stockholm/krebs/2configs/news-host.nix>
    ### shackspace ###
    # handle the worlddomination map via coap
    <stockholm/krebs/2configs/shack/worlddomination.nix>
--- a/krebs/1systems/puyak/net.nix
+++ b/krebs/1systems/puyak/net.nix
@ -8,8 +8,8 @@ in {
    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}"
  '';
  networking = {
-    firewall.enable = false;
+    firewall.enable = true;
-    firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ];
+    firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];
    interfaces."${ext-if}".ipv4.addresses = [
      {
        address = shack-ip;
--- a/krebs/2configs/container-networking.nix
+++ b/krebs/2configs/container-networking.nix
@ -0,0 +1,7 @@
 { lib, ... }:
 {
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = lib.mkDefault "et0";
  networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
 }
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@ -87,6 +87,7 @@
      };
      channel {
        autochanmodes = "+t";
        use_invex = yes;
        use_except = yes;
        use_forward = yes;
--- a/krebs/2configs/news-host.nix
+++ b/krebs/2configs/news-host.nix
@ -4,6 +4,7 @@
      "shodan"
      "mors"
      "styx"
      "puyak"
    ];
    hostIp = "10.233.2.101";
    localIp = "10.233.2.102";
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@ -15,6 +15,16 @@
      serverAliases = [
        "news.r"
      ];
      locations."/api".extraConfig = ''
        proxy_pass http://127.0.0.1:7777/;
        proxy_pass_header Server;
      '';
      locations."= /graph.html".extraConfig = ''
        alias ${pkgs.fetchurl {
          url = "https://raw.githubusercontent.com/kmein/brockman/05d33c8caaaf6255752f9600981974bb58390851/tools/graph.html";
          sha256 = "0iw2vdzj6kzkix1c447ybmc953lns6z4ap6sr9pcib8bany4g43w";
        }};
      '';
      locations."/".extraConfig = ''
        root /var/lib/brockman;
        index brockman.json;
@ -27,6 +37,7 @@
  };
  systemd.tmpfiles.rules = [
    "d /var/lib/brockman 1750 brockman nginx -"
    "d /run/irc-api 1750 brockman nginx -"
  ];
  systemd.services.brockman-graph = {
@ -67,12 +78,28 @@
      shortener = "http://go.r";
      controller = {
        nick = "brockman";
-        channels = [ "#all" ];
+        extraChannels = [ "#all" ];
      };
      bots = {};
    };
  };
  krebs.reaktor2.api = {
    hostname = "localhost";
    port = "6667";
    nick = "api";
    API.listen = "inet://127.0.0.1:7777";
    plugins = [
      {
        plugin = "register";
        config = {
          channels = [
            "#all"
          ];
        };
      }
    ];
  };
  krebs.reaktor2.news = let
    name = "candyman";
  in {
--- a/krebs/2configs/syncthing.nix
+++ b/krebs/2configs/syncthing.nix
@ -10,6 +10,10 @@ in {
    configDir = "/var/lib/syncthing";
    declarative = {
      devices = mk_peers used_peers;
      key = toString <secrets/syncthing.key>;
      cert = toString <secrets/syncthing.cert>;
    };
  };
  boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
 }
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@ -77,6 +77,7 @@ in {
            "wiki.r"
            "wiki.hotdog.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
@ -177,6 +178,7 @@ in {
      };
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY";
      syncthing.id = "DK5CEE2-PNUXYCE-Q42H2HP-623GART-B7KS4VK-HU2RBGQ-EK6QPUP-HUL3PAR";
    };
    wolf = {
      ci = true;
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -67,7 +67,9 @@ in {
            "cgit.prism.r"
            "paste.r"
            "p.r"
            "search.r"
          ];
          tinc.port = 655;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje
@ -126,6 +128,7 @@ in {
          aliases = [
            "uriel.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR
@ -151,6 +154,7 @@ in {
          aliases = [
            "mors.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE
@ -184,6 +188,7 @@ in {
          aliases = [
            "shodan.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT
@ -218,6 +223,7 @@ in {
          aliases = [
            "icarus.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr
@ -251,6 +257,7 @@ in {
          aliases = [
            "daedalus.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8
@ -282,6 +289,7 @@ in {
          aliases = [
            "skynet.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX
@ -315,6 +323,7 @@ in {
          aliases = [
            "littleT.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF
@ -364,6 +373,7 @@ in {
          aliases = [
            "xerxes.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
@ -414,6 +424,7 @@ in {
          aliases = [
            "red.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
@ -444,6 +455,7 @@ in {
          aliases = [
            "yellow.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
@ -481,6 +493,7 @@ in {
          aliases = [
            "blue.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd
@ -520,6 +533,7 @@ in {
          aliases = [
            "green.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk
@ -574,6 +588,7 @@ in {
          aliases = [
            "morpheus.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
@ -611,6 +626,7 @@ in {
          aliases = [
            "hilum.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb
@ -651,6 +667,7 @@ in {
          aliases = [
            "styx.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn
@ -692,6 +709,7 @@ in {
          aliases = [
            "coaxmetal.r"
          ];
          tinc.port = 0;
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@ -93,7 +93,7 @@ in {
  config = mkIf (cfg.containers != {}) {
    programs.fuse.userAllowOther = true;
    # allow syncthing to enter /var/lib/containers
-    system.activationScripts.syncthing-home = ''
+    system.activationScripts.containers-enter = mkDefault ''
      ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
    '';
--- a/krebs/5pkgs/haskell/recht.nix
+++ b/krebs/5pkgs/haskell/recht.nix
@ -0,0 +1,25 @@
 { mkDerivation, ansi-terminal, async, base, binary, bytestring
 , data-default, directory, filepath, megaparsec
 , optparse-applicative, pandoc, random, safe, scalpel, stdenv, text
 , time
 , fetchFromGitHub
 }:
 mkDerivation rec {
  pname = "recht";
  version = "0.3.0";
  src = fetchFromGitHub {
    owner = "kmein";
    repo = "recht";
    rev = version;
    sha256 = "07cyd06wbnzcp33v0nq8cxyggvqrnbni0v2g8cpxar6idn1wlz85";
  };
  isLibrary = false;
  isExecutable = true;
  executableHaskellDepends = [
    ansi-terminal async base binary bytestring data-default directory
    filepath megaparsec optparse-applicative pandoc random safe scalpel
    text time
  ];
  license = stdenv.lib.licenses.mit;
 }
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@ -1,9 +1,9 @@
 {
  "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "266dc8c3d052f549826ba246d06787a219533b8f",
+  "rev": "04a2b269d8921505a2969fc9ec25c1f517f2b307",
-  "date": "2021-03-15T09:37:03+01:00",
+  "date": "2021-03-30T01:32:47-04:00",
-  "path": "/nix/store/dkim3k1b5bdga370xpw0r52w0ac5y3fn-nixpkgs",
+  "path": "/nix/store/wb6m2d6p3kadk6pbqdjq3ydswbvmb0lq-nixpkgs",
-  "sha256": "09ydqx2lznixmw8z4cfz1j3k137mh8n3cdpygwqymknhfdjq7lg4",
+  "sha256": "15hgx2i71pqgvzv56jwzfs8rkhjbm35wk1i6mxrqbq6wd0y10isv",
  "fetchSubmodules": false,
  "deepClone": false,
  "leaveDotGit": false
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@ -1,9 +1,9 @@
 {
  "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "36e15cd6e7d55ba143caf3dc930467ace573d85c",
+  "rev": "dec334fa196a4aeedb1b60d8f7d61aa00d327499",
-  "date": "2021-03-16T08:18:29+01:00",
+  "date": "2021-04-14T01:54:42+02:00",
-  "path": "/nix/store/rsh8kmy9jiwdhsm390zw0mq1p256xzrk-nixpkgs",
+  "path": "/nix/store/x1dkzxknsrf0060pz1vwa7ibmq7899wb-nixpkgs",
-  "sha256": "15dwscz9s71n6hn1wml95il8hl8aza16jj9qwywps8bsdamgymfq",
+  "sha256": "1sm1p2qliz11qw6va01knm0rikhpq2h4c70ci98vi4q26y4q9z72",
  "fetchSubmodules": false,
  "deepClone": false,
  "leaveDotGit": false
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -194,6 +194,7 @@ with import <stockholm/lib>;
    }
    <stockholm/lass/2configs/minecraft.nix>
    <stockholm/lass/2configs/codimd.nix>
    <stockholm/lass/2configs/searx.nix>
    {
      services.taskserver = {
        enable = true;
--- a/lass/2configs/hass/default.nix
+++ b/lass/2configs/hass/default.nix
@ -43,11 +43,9 @@ in {
  services.home-assistant = {
    enable = true;
-    package = (unstable.home-assistant.overrideAttrs (old: {
+    package = unstable.home-assistant.overrideAttrs (old: {
      doInstallCheck = false;
-    })).override {
+    });
      extraPackages = _: [ dwdwfsapi ];
    };
    configWritable = true;
    lovelaceConfigWritable = true;
    config = let
--- a/lass/2configs/searx.nix
+++ b/lass/2configs/searx.nix
@ -0,0 +1,23 @@
 { pkgs, ... }:
 let
  port = 8889;
 in {
  services.nginx.virtualHosts.search = {
    serverAliases = [ "search.r" ];
    locations."/".extraConfig = ''
      proxy_set_header Host $host;
      proxy_pass http://127.0.0.1:${builtins.toString port};
    '';
  };
  services.searx = {
    enable = true;
    configFile = pkgs.writeText "searx.cfg" (builtins.toJSON {
      use_default_settings = true;
      server = {
        port = port;
        secret_key = builtins.readFile <secrets/searx.key>;
      };
    });
  };
 }
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@ -3,10 +3,6 @@
  imports = [ <stockholm/krebs/2configs/syncthing.nix> ];
  services.syncthing = {
    group = "syncthing";
    declarative = {
      key = toString <secrets/syncthing.key>;
      cert = toString <secrets/syncthing.cert>;
    };
  };
  krebs.iptables.tables.filter.INPUT.rules = [
    { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
@ -16,6 +12,4 @@
  system.activationScripts.syncthing-home = mkDefault ''
    ${pkgs.coreutils}/bin/chmod a+x /home/lass
  '';
  boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
 }
--- a/lass/2configs/tests/dummy-secrets/searx.key
+++ b/lass/2configs/tests/dummy-secrets/searx.key
@ -0,0 +1 @@
 yolo
--- a/lib/default.nix
+++ b/lib/default.nix
@ -5,6 +5,7 @@ let
    evalSource = import ./eval-source.nix;
    git = import ./git.nix { inherit lib; };
    haskell = import ./haskell.nix { inherit lib; };
    krebs = import ./krebs lib;
    krops = import ../submodules/krops/lib;
    shell = import ./shell.nix { inherit lib; };
--- a/lib/haskell.nix
+++ b/lib/haskell.nix
@ -0,0 +1,51 @@
 { lib }:
 with builtins;
 rec {
  # Derive a file by substituting
  # "${pkgs.foo}/bin/foo" for each {-pkg-}"foo", and
  # "${pkgs.bar}/bin/foo" for each {-pkg:bar-}"foo".
  # If a package doesn't exist, a warning gets printed.
  substitutePkgs = name: { callsite ? null, pkgs, path }:
    pkgs.writeText name (substitutePkgs' {
      inherit pkgs;
      sourceDescription =
        if callsite != null then
          "${name} in ${toString callsite}"
        else
          "${name} from ${toString path}";
      text = readFile path;
    });
  substitutePkgs' = { pkgs, sourceDescription, text }:
    let
      f = s:
        let
          parse = match "(.*)([{]-pkg(:([^}]+))?-[}]\"([^\"]+)\")(.*)" s;
          prefix = elemAt parse 0;
          pname = if elemAt parse 3 != null then elemAt parse 3 else exename;
          exename = elemAt parse 4;
          suffix = elemAt parse 5;
          pkg = pkgs.${pname} or null;
          substitute =
            if pkg != null then
              "${pkg}/bin/${exename}"
            else
              trace (toString [
                "lib.haskell.replacePkg:"
                "warning:"
                "while deriving ${sourceDescription}:"
                "no substitute found for ${elemAt parse 1}"
              ])
              exename;
        in
        if parse == null then
          s
        else
          f (prefix + toJSON substitute + suffix);
    in
    f text;
 }
--- a/tv/2configs/pulse.nix
+++ b/tv/2configs/pulse.nix
@ -43,6 +43,21 @@ let
      "auth-anonymous=1"
      "socket=${runDir}/socket"
    ]}
    ${lib.optionalString (config.krebs.build.host.name == "au") ''
      load-module ${toString [
        "module-native-protocol-tcp"
        "auth-ip-acl=127.0.0.1;10.23.1.0/24"
      ]}
    ''}
    ${lib.optionalString (config.krebs.build.host.name != "au") ''
      load-module ${toString [
        "module-tunnel-sink-new"
        "server=au.hkw"
        "sink_name=au"
        "channels=2"
        "rate=44100"
      ]}
    ''}
  '';
 in
--- a/tv/5pkgs/haskell/xmonad-tv/src/Helpers/Path.hs
+++ b/tv/5pkgs/haskell/xmonad-tv/src/Helpers/Path.hs
@ -1,15 +0,0 @@
 module Helpers.Path where
 import qualified Data.List
 import qualified System.Directory
 import qualified System.IO.Unsafe
 findExecutable :: String -> FilePath
 findExecutable =
    System.IO.Unsafe.unsafePerformIO . find
  where
    find name =
        maybe failure id <$> System.Directory.findExecutable name
      where
        failure = error (Data.List.intercalate " " [name, "not found"])
--- a/tv/5pkgs/haskell/xmonad-tv/src/Paths.hs
+++ b/tv/5pkgs/haskell/xmonad-tv/src/Paths.hs
@ -1,37 +0,0 @@
 module Paths where
 import Helpers.Path
 flameshot :: FilePath
 flameshot = findExecutable "flameshot-once"
 otpmenu :: FilePath
 otpmenu = findExecutable "otpmenu"
 pactl :: FilePath
 pactl = findExecutable "pactl"
 passmenu :: FilePath
 passmenu = findExecutable "passmenu"
 pavucontrol :: FilePath
 pavucontrol = findExecutable "pavucontrol"
 slock :: FilePath
 slock = findExecutable "slock"
 su :: FilePath
 su = findExecutable "su"
 urxvtc :: FilePath
 urxvtc = findExecutable "urxvtc"
 xcalib :: FilePath
 xcalib = findExecutable "xcalib"
 xdpychvt :: FilePath
 xdpychvt = findExecutable "xdpychvt"
 xterm :: FilePath
 xterm = findExecutable "xterm"
--- a/tv/5pkgs/haskell/xmonad-tv/src/main.hs
+++ b/tv/5pkgs/haskell/xmonad-tv/src/main.hs
@ -34,7 +34,6 @@ import XMonad.Actions.PerWorkspaceKeys (chooseAction)
 import XMonad.Stockholm.Pager
 import XMonad.Stockholm.Shutdown
 import qualified Paths
 import THEnv.JSON (getCompileEnvJSONExp)
@ -72,7 +71,7 @@ mainNoArgs = do
    launch
        $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
        $ def
-            { terminal          = Paths.urxvtc
+            { terminal          = {-pkg:rxvt_unicode-}"urxvtc"
            , modMask           = mod4Mask
            , keys              = myKeys
            , workspaces        = workspaces0
@ -122,14 +121,14 @@ displaySomeException = displayException
 forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
 forkFile path args env =
-    xfork (executeFile path False args env) >> return ()
+    xfork (executeFile path True args env) >> return ()
 spawnRootTerm :: X ()
 spawnRootTerm =
    forkFile
-        Paths.urxvtc
+        {-pkg:rxvt_unicode-}"urxvtc"
-        ["-name", "root-urxvt", "-e", Paths.su, "-"]
+        ["-name", "root-urxvt", "-e", "/run/wrappers/bin/su", "-"]
        Nothing
@ -137,16 +136,16 @@ spawnTermAt :: String -> X ()
 spawnTermAt ws = do
    env <- io getEnvironment
    let env' = ("XMONAD_SPAWN_WORKSPACE", ws) : env
-    forkFile Paths.urxvtc [] (Just env')
+    forkFile {-pkg:rxvt_unicode-}"urxvtc" [] (Just env')
 myKeys :: XConfig Layout -> Map (KeyMask, KeySym) (X ())
 myKeys conf = Map.fromList $
-    [ ((_4  , xK_Escape ), forkFile Paths.slock [] Nothing)
+    [ ((_4  , xK_Escape ), forkFile {-pkg-}"slock" [] Nothing)
    , ((_4S , xK_c      ), kill)
-    , ((_4  , xK_o      ), forkFile Paths.otpmenu [] Nothing)
+    , ((_4  , xK_o      ), forkFile {-pkg:fzmenu-}"otpmenu" [] Nothing)
-    , ((_4  , xK_p      ), forkFile Paths.passmenu [] Nothing)
+    , ((_4  , xK_p      ), forkFile {-pkg:fzmenu-}"passmenu" [] Nothing)
    , ((_4  , xK_x      ), chooseAction spawnTermAt)
    , ((_4C , xK_x      ), spawnRootTerm)
@ -188,12 +187,12 @@ myKeys conf = Map.fromList $
    , ((0, xF86XK_AudioMute), audioMute)
    , ((_4, xF86XK_AudioMute), pavucontrol [])
-    , ((_4, xK_Prior), forkFile Paths.xcalib ["-invert", "-alter"] Nothing)
+    , ((_4, xK_Prior), forkFile {-pkg-}"xcalib" ["-invert", "-alter"] Nothing)
-    , ((0, xK_Print), forkFile Paths.flameshot [] Nothing)
+    , ((0, xK_Print), forkFile {-pkg-}"flameshot" [] Nothing)
-    , ((_C, xF86XK_Forward), forkFile Paths.xdpychvt ["next"] Nothing)
+    , ((_C, xF86XK_Forward), forkFile {-pkg:xdpytools-}"xdpychvt" ["next"] Nothing)
-    , ((_C, xF86XK_Back), forkFile Paths.xdpychvt ["prev"] Nothing)
+    , ((_C, xF86XK_Back), forkFile {-pkg:xdpytools-}"xdpychvt" ["prev"] Nothing)
    ]
    where
    _4 = mod4Mask
@ -206,8 +205,8 @@ myKeys conf = Map.fromList $
    _4CM = _4 .|. _C .|. _M
    _4SM = _4 .|. _S .|. _M
-    pactl args = forkFile Paths.pactl args Nothing
+    pactl args = forkFile {-pkg:pulseaudio-}"pactl" args Nothing
-    pavucontrol args = forkFile Paths.pavucontrol args Nothing
+    pavucontrol args = forkFile {-pkg-}"pavucontrol" args Nothing
    audioLowerVolume = pactl ["--", "set-sink-volume", "@DEFAULT_SINK@", "-5%"]
    audioRaiseVolume = pactl ["--", "set-sink-volume", "@DEFAULT_SINK@", "+5%"]
@ -222,7 +221,7 @@ myKeys conf = Map.fromList $
 xdeny :: X ()
 xdeny =
    forkFile
-        Paths.xterm
+        {-pkg-}"xterm"
        [ "-fn", myFont
        , "-geometry", "300x100"
        , "-name", "AlertFloat"
--- a/tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal
+++ b/tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal
@ -23,8 +23,6 @@ executable xmonad
    xmonad-contrib,
    xmonad-stockholm
  other-modules:
    Helpers.Path,
    Paths,
    THEnv.JSON
  default-language: Haskell2010
  ghc-options: -O2 -Wall -threaded