diff --git a/jeschli/1systems/bolide/config.nix b/jeschli/1systems/bolide/config.nix index 699a85b58..a9f564f75 100644 --- a/jeschli/1systems/bolide/config.nix +++ b/jeschli/1systems/bolide/config.nix @@ -2,15 +2,15 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: - +{ config, pkgs, lib, ... }: { imports = [ ./hardware-configuration.nix + - + # ]; krebs.build.host = config.krebs.hosts.bolide; @@ -29,7 +29,8 @@ allowDiscards = true; } ]; # networking.hostName = "bolide"; # Define your hostname. - networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. +# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.networkmanager.enable = true; # Select internationalisation properties. # i18n = { @@ -52,6 +53,8 @@ }; nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ + home-manager + wget vim # system helper ag @@ -92,6 +95,22 @@ zathura ]; + home-manager.useUserPackages = true; + home-manager.users.jeschli = { + home.stateVersion = "19.03"; + }; + + home-manager.users.jeschli.home.file = { + ".emacs.d" = { + source = pkgs.fetchFromGitHub { + owner = "jeschli"; + repo = "emacs.d"; + rev = "8ed6c40"; + sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0"; + }; + recursive = true; + }; + }; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.bash.enableCompletion = true; 
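Review bot: The `home-manager.users.jeschli.home.file.".emacs.d"` block added in the `@@ -92,6 +95,22 @@` hunk is repeated verbatim in brauerei/config.nix and in the new bolide/home.nix, and `home-manager.users.jeschli.home.stateVersion = "19.03"` is declared a third time in 2configs/home-manager/default.nix; one shared module imported by both hosts would keep the pinned `rev` and `sha256` in a single place. `rev = "8ed6c40"` is an abbreviated commit id; the sha256 pins the content, but spelling out the full 40-character id removes any future prefix ambiguity. The `imports` list in the first hunk gains entries whose angle-bracket paths were stripped from this rendering, so their content cannot be reviewed here.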
@@ -103,36 +122,37 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - # Enable CUPS to print documents. - # services.printing.enable = true; + services.xserver = { - # Enable the X11 windowing system. - services.xserver.enable = true; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; + enable = true; - services.xserver.displayManager.sddm.enable = true; - services.xserver.windowManager.xmonad.enable = true; - services.xserver.windowManager.xmonad.enableContribAndExtras = true; - # Enable touchpad support. - # services.xserver.libinput.enable = true; + desktopManager = { + xfce.enable = true; + gnome3.enable = true; + }; +# # Don't install feh into systemPackages +# # refs +# desktopManager.session = lib.mkForce []; +# +# enable = true; +# display = 11; +# tty = 11; +# +# dpi = 96; - # Enable the KDE Desktop Environment. - # services.xserver.displayManager.sddm.enable = true; - # services.xserver.desktopManager.plasma5.enable = true; + videoDrivers = [ "nvidia" ]; + }; + + services.xserver.windowManager.i3.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. users.extraUsers.jeschli = { isNormalUser = true; + extraGroups = ["docker" "vboxusers" "audio"]; uid = 1000; }; + hardware.pulseaudio.enable = true; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/jeschli/1systems/bolide/hardware-configuration.nix b/jeschli/1systems/bolide/hardware-configuration.nix index 183b29e42..042b746ef 100644 --- a/jeschli/1systems/bolide/hardware-configuration.nix 
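Review bot: `extraGroups = ["docker" "vboxusers" "audio"];` puts jeschli in the docker group, which is widely documented as root-equivalent on the host because the Docker socket can start containers with host mounts; brauerei grants the same, so this may be intended, but a comment recording that acceptance next to the line would help (`# docker group: root-equivalent, accepted for this single-user workstation`). `hardware.pulseaudio.enable = true;` is also set here and again in hardware-configuration.nix in the next file; the values agree so the module system merges them, but the second copy is redundant. Enabling xfce, gnome3 and i3 together is a lot of session surface for one workstation; if only i3 is used day to day, a comment saying why the desktop managers stay enabled would be useful.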
+++ b/jeschli/1systems/bolide/hardware-configuration.nix @@ -29,4 +29,5 @@ nix.maxJobs = lib.mkDefault 8; powerManagement.cpuFreqGovernor = "powersave"; + hardware.pulseaudio.enable = true; } diff --git a/jeschli/1systems/bolide/home.nix b/jeschli/1systems/bolide/home.nix new file mode 100644 index 000000000..60fee8b67 --- /dev/null +++ b/jeschli/1systems/bolide/home.nix 
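Review bot: `hardware.pulseaudio.enable = true;` is added to hardware-configuration.nix, a file that `nixos-generate-config` rewrites, so the setting would be lost on the next regeneration; config.nix in the same commit already sets it, so this copy can be dropped.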
@@ -0,0 +1,171 @@ +{ pkgs, ... }: + +{ + home.file = { + ".emacs.d" = { + source = pkgs.fetchFromGitHub { + owner = "jeschli"; + repo = "emacs.d"; + rev = "8ed6c40"; + sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0"; + }; + recursive = true; + }; + ".config/i3/config".text = '' + +set $mod Mod4 + +font pango:monospace 8 + +floating_modifier $mod + +bindsym $mod+Return exec i3-sensible-terminal + +bindsym $mod+Shift+q kill + +bindsym $mod+d exec rofi -modi drun#run -combi-modi drun#run -show combi -show-icons -display-combi run + +bindsym $mod+x exec rofi -modi window -show window -auto-select + +# switch to last used window +bindsym $mod+Tab exec rofi -show window& sleep 0.15 && xdotool key Down + +# change focus +bindsym $mod+j focus left +bindsym $mod+k focus down +bindsym $mod+l focus up +bindsym $mod+semicolon focus right + +# alternatively, you can use the cursor keys: +bindsym $mod+Left focus left +bindsym $mod+Down focus down +bindsym $mod+Up focus up +bindsym $mod+Right focus right + +# Resizing windows by 10 in i3 using keyboard only +bindsym $mod+Ctrl+Shift+Right resize shrink width 10 px or 10 ppt +bindsym $mod+Ctrl+Shift+Up resize grow height 10 px or 10 ppt +bindsym $mod+Ctrl+Shift+Down resize shrink height 10 px or 10 ppt +bindsym $mod+Ctrl+Shift+Left resize grow width 10 px or 10 ppt + +# move focused window +bindsym $mod+Shift+j move left +bindsym $mod+Shift+k move down +bindsym $mod+Shift+l move up +bindsym $mod+Shift+semicolon move right + +# alternatively, you can use the cursor keys: +bindsym $mod+Shift+Left move left +bindsym $mod+Shift+Down move down +bindsym $mod+Shift+Up move up +bindsym $mod+Shift+Right move right + +# split in horizontal orientation +bindsym $mod+h split h + +# split in vertical orientation +bindsym $mod+v split v + +# enter fullscreen mode for the focused container +bindsym $mod+f fullscreen toggle + +# change container layout (stacked, tabbed, toggle split) +bindsym $mod+s layout stacking +bindsym $mod+w 
layout tabbed +bindsym $mod+e layout toggle split + +# toggle tiling / floating +bindsym $mod+Shift+space floating toggle + +# change focus between tiling / floating windows +bindsym $mod+space focus mode_toggle + +# focus the parent container +bindsym $mod+a focus parent + +# focus the child container +#bindsym $mod+d focus child + +# Define names for default workspaces for which we configure key bindings later on. +# We use variables to avoid repeating the names in multiple places. +set $ws1 "1" +set $ws2 "2" +set $ws3 "3" +set $ws4 "4" +set $ws5 "5" +set $ws6 "6" +set $ws7 "7" +set $ws8 "8" +set $ws9 "9" +set $ws10 "10" + +# switch to workspace +bindsym $mod+1 workspace $ws1 +bindsym $mod+2 workspace $ws2 +bindsym $mod+3 workspace $ws3 +bindsym $mod+4 workspace $ws4 +bindsym $mod+5 workspace $ws5 +bindsym $mod+6 workspace $ws6 +bindsym $mod+7 workspace $ws7 +bindsym $mod+8 workspace $ws8 +bindsym $mod+9 workspace $ws9 +bindsym $mod+0 workspace $ws10 + +# move focused container to workspace +bindsym $mod+Shift+1 move container to workspace $ws1 +bindsym $mod+Shift+2 move container to workspace $ws2 +bindsym $mod+Shift+3 move container to workspace $ws3 +bindsym $mod+Shift+4 move container to workspace $ws4 +bindsym $mod+Shift+5 move container to workspace $ws5 +bindsym $mod+Shift+6 move container to workspace $ws6 +bindsym $mod+Shift+7 move container to workspace $ws7 +bindsym $mod+Shift+8 move container to workspace $ws8 +bindsym $mod+Shift+9 move container to workspace $ws9 +bindsym $mod+Shift+0 move container to workspace $ws10 + +# reload the configuration file +bindsym $mod+Shift+c reload +# restart i3 inplace (preserves your layout/session, can be used to upgrade i3) +bindsym $mod+Shift+r restart +# exit i3 (logs you out of your X session) +bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' 
-b 'Yes, exit i3' 'i3-msg exit'" + +bindsym $mod+p exec i3-sensible-pager + +# resize window (you can also use the mouse for that) +mode "resize" { + # These bindings trigger as soon as you enter the resize mode + + # Pressing left will shrink the window’s width. + # Pressing right will grow the window’s width. + # Pressing up will shrink the window’s height. + # Pressing down will grow the window’s height. + bindsym j resize shrink width 10 px or 10 ppt + bindsym k resize grow height 10 px or 10 ppt + bindsym l resize shrink height 10 px or 10 ppt + bindsym semicolon resize grow width 10 px or 10 ppt + + # same bindings, but for the arrow keys + bindsym Left resize shrink width 10 px or 10 ppt + bindsym Down resize grow height 10 px or 10 ppt + bindsym Up resize shrink height 10 px or 10 ppt + bindsym Right resize grow width 10 px or 10 ppt + + # back to normal: Enter or Escape or $mod+r + bindsym Return mode "default" + bindsym Escape mode "default" + bindsym $mod+r mode "default" +} + +bindsym $mod+r mode "resize" + +# Start i3bar to display a workspace bar (plus the system information i3status +# finds out, if available) +bar { + position top + status_command i3status +} + ''; + }; + +} diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix index b9bb021b8..059ec6d71 100644 --- a/jeschli/1systems/brauerei/config.nix +++ b/jeschli/1systems/brauerei/config.nix @@ -1,19 +1,17 @@ { config, pkgs, lib, ... }: let xmonad-jeschli = pkgs.callPackage { inherit config; }; + mainUser = config.krebs.build.user.name; in { imports = [ ./hardware-configuration.nix + -# -# -# - ]; - + ]; krebs.build.host = config.krebs.hosts.brauerei; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; @@ -54,7 +52,10 @@ in copyq curl dmenu + rofi + xdotool git + gnupg i3lock keepass networkmanagerapplet 
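Review bot: The new file bolide/home.nix is not imported anywhere in this commit (bolide/config.nix inlines the same `.emacs.d` block under `home-manager.users.jeschli.home.file` instead), so it looks like dead configuration; either reference it with `home-manager.users.jeschli = { imports = [ ./home.nix ]; ... };` and drop the inline copy, or remove the file. The i3 config is embedded in a `''` string, which is fine for `$mod` but would interpolate any future `${` sequence, so a short comment above `".config/i3/config".text` noting that `''${` must be used for a literal `${` would save a surprise later.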
@@ -92,9 +93,11 @@ in }) # dev tools gnumake + jetbrains.clion jetbrains.goland jetbrains.pycharm-professional jetbrains.webstorm + vscode # document viewer evince zathura @@ -105,7 +108,6 @@ in cargo rustracer rustup - vscode # orga tools taskwarrior # xorg @@ -120,6 +122,24 @@ in # programs.mtr.enable = true; programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + home-manager.useUserPackages = true; + home-manager.users.jeschli = { + home.stateVersion = "19.03"; + }; +# home-manager.enable = true; + + home-manager.users.jeschli.home.file = { + ".emacs.d" = { + source = pkgs.fetchFromGitHub { + owner = "jeschli"; + repo = "emacs.d"; + rev = "8ed6c40"; + sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0"; + }; + recursive = true; + }; + }; + # List services that you want to enable: # Enable the OpenSSH daemon. @@ -155,6 +175,11 @@ in extraGroups = ["docker" "vboxusers" "audio"]; uid = 1000; }; + users.extraUsers.blafoo = { + isNormalUser = true; + extraGroups = ["audio"]; + uid = 1002; + }; users.extraUsers.jamie = { isNormalUser = true; uid = 1001; # TODO genid diff --git a/jeschli/1systems/enklave/config.nix b/jeschli/1systems/enklave/config.nix index cadec3cab..86d21f7d3 100644 --- a/jeschli/1systems/enklave/config.nix +++ b/jeschli/1systems/enklave/config.nix @@ -49,7 +49,7 @@ listenPort = 53589; organisations.lass.users = [ "jeschli" ]; }; - networking.firewall.allowedTCPPorts = [ 53589 ]; + networking.firewall.allowedTCPPorts = [ 53589 8001 ]; } ]; diff --git a/jeschli/2configs/default.nix b/jeschli/2configs/default.nix index 5aaabe24b..8b61fa29c 100644 --- a/jeschli/2configs/default.nix +++ b/jeschli/2configs/default.nix @@ -2,7 +2,7 @@ with import ; { imports = [ - ./vim.nix +# ./vim.nix ./retiolum.nix ./zsh.nix @@ -56,7 +56,7 @@ with import ; usbutils # logify goify - + vim #unpack stuff p7zip unzip diff --git a/jeschli/2configs/git.nix b/jeschli/2configs/git.nix index a26022789..faa8ccf5b 100644 --- a/jeschli/2configs/git.nix 
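Review bot: In enklave/config.nix, `networking.firewall.allowedTCPPorts = [ 53589 8001 ];` opens 8001 on every interface and nothing in the hunk says what listens there, whereas 53589 is at least paired with the taskserver block just above it. If the service on 8001 is only meant for retiolum peers, `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 8001 ];` limits the exposure, and a trailing comment naming the service documents the intent either way. The surrounding module list continues before this hunk.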
+++ b/jeschli/2configs/git.nix @@ -60,7 +60,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ jeschli jeschli-brauerei]; + user = [ jeschli jeschli-brauerei jeschli-bolide]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ diff --git a/jeschli/2configs/home-manager/default.nix b/jeschli/2configs/home-manager/default.nix new file mode 100644 index 000000000..ad8663d58 --- /dev/null +++ b/jeschli/2configs/home-manager/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + + ]; + home-manager.useUserPackages = true; + home-manager.users.jeschli = { + home.stateVersion = "19.03"; + }; +} diff --git a/jeschli/krops.nix b/jeschli/krops.nix index dbf94bd0d..f3964a553 100644 --- a/jeschli/krops.nix +++ b/jeschli/krops.nix @@ -15,6 +15,12 @@ file = "${lib.getEnv "HOME"}/secrets/${name}"; }; } + { + home-manager.git = { + url = https://github.com/rycee/home-manager; + ref = "2ccbf43"; + }; + } ]; in { diff --git a/krebs/0tests/data/secrets/shackspace-gitlab-ci b/krebs/0tests/data/secrets/shackspace-gitlab-ci new file mode 100644 index 000000000..e69de29bb diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix index ec8830711..7ca0f0ec1 100644 --- a/krebs/1systems/wolf/config.nix +++ b/krebs/1systems/wolf/config.nix 
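Review bot: In jeschli/krops.nix, `ref = "2ccbf43";` pins home-manager to an abbreviated commit id that krops resolves on the remote, and unlike the `fetchFromGitHub` blocks elsewhere in this commit there is no content hash to detect a different tree being fetched; use the full 40-character commit id here. The bare `url = https://github.com/rycee/home-manager;` relies on Nix's unquoted URL literal syntax, which has since been deprecated, so `url = "https://github.com/rycee/home-manager";` is the forward-compatible form. The enclosing source list starts before this hunk.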
@@ -11,83 +11,44 @@ in - - - + # handle the worlddomination map via coap + + # drivedroid.shack for shackphone # - + # Say if muell will be collected - - - - { - systemd.services.telegraf.path = [ pkgs.net_snmp ]; # for snmptranslate - systemd.services.telegraf.environment = { - MIBDIRS = pkgs.fetchgit { - url = "http://git.shackspace.de/makefu/modem-mibs.git"; - sha256 = - "1rhrpaascvj5p3dj29hrw79gm39rp0aa787x95m3r2jrcq83ln1k"; - }; # extra mibs like ADSL - }; - services.telegraf = { - enable = true; - extraConfig = { - inputs = { - snmp = { - agents = [ "10.0.1.3:161" ]; - version = 2; - community = "shack"; - name = "snmp"; - field = [ - { - name = "hostname"; - oid = "RFC1213-MIB::sysName.0"; - is_tag = true; - } - { - name = "load-percent"; #cisco - oid = ".1.3.6.1.4.1.9.9.109.1.1.1.1.4.9"; - } - { - name = "uptime"; - oid = "DISMAN-EVENT-MIB::sysUpTimeInstance"; - } - ]; - table = [{ - name = "snmp"; - inherit_tags = [ "hostname" ]; - oid = "IF-MIB::ifXTable"; - field = [{ - name = "ifName"; - oid = "IF-MIB::ifName"; - is_tag = true; - }]; - }]; - }; - }; - outputs = { - influxdb = { - urls = [ "http://${influx-host}:8086" ]; - database = "telegraf"; - write_consistency = "any"; - timeout = "5s"; - }; - }; - }; - }; - } + # create samba share for anonymous usage with the laser and 3d printer pc + + + # mobile.lounge.mpd.shack + + # connect to git.shackspace.de as group runner for rz + + + # Statistics collection and visualization + + ## Collect data from mqtt.shack and store in graphite database + + ## Collect radioactive data and put into graphite + + ## Collect local statistics via collectd and send to collectd + + ## write collectd statistics to wolf.shack + + { services.influxdb.enable = true; } + + ]; # use your own binary cache, fallback use cache.nixos.org (which is used by # apt-cacher-ng in first place) - services.influxdb.enable = true; # local discovery in shackspace nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; 
@@ -156,10 +117,10 @@ in # fallout of ipv6calypse networking.extraHosts = '' hass.shack 10.42.2.191 - heidi.shack 10.42.2.135 ''; users.extraUsers.root.openssh.authorizedKeys.keys = [ + config.krebs.users."0x4a6f".pubkey config.krebs.users.ulrich.pubkey config.krebs.users.raute.pubkey config.krebs.users.makefu-omo.pubkey diff --git a/krebs/2configs/shack/gitlab-runner.nix b/krebs/2configs/shack/gitlab-runner.nix new file mode 100644 index 000000000..0fd06426a --- /dev/null +++ b/krebs/2configs/shack/gitlab-runner.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: +let + runner-src = builtins.fetchTarball { + url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/master/nixos-gitlab-runner-master.tar.gz"; + sha256 = "1s0fy5ny2ygcfvx35xws8xz5ih4z4kdfqlq3r6byxpylw7r52fyi"; + }; +in +{ + systemd.services.gitlab-runner.path = [ + "/run/wrappers" # /run/wrappers/bin/su + "/" # /bin/sh + ]; + imports = [ + "${runner-src}/gitlab-runner.nix" + ]; + services.gitlab-runner2.enable = true; + ## registrationConfigurationFile contains: + # CI_SERVER_URL= + # REGISTRATION_TOKEN= + services.gitlab-runner2.registrationConfigFile = ; +} diff --git a/krebs/2configs/shack/netbox.nix b/krebs/2configs/shack/netbox.nix new file mode 100644 index 000000000..4fb5a7dbc --- /dev/null +++ b/krebs/2configs/shack/netbox.nix 
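Review bot: In gitlab-runner.nix, `runner-src` fetches `.../archive/master/nixos-gitlab-runner-master.tar.gz`; the sha256 pins the content, so the build breaks rather than drifts when upstream pushes, but the URL records no commit for what was reviewed and will need a new hash on every upstream change — point it at a specific commit or tag archive instead. The executor the runner uses is not visible in this hunk; since jobs from git.shackspace.de will run on wolf, a comment next to `services.gitlab-runner2.enable = true;` stating the executor and its isolation level would let the next reader judge the exposure. The `registrationConfigFile` path lost its angle-bracket part in this rendering; the file holds the registration token, so it should stay outside the Nix store, which the empty test fixture `krebs/0tests/data/secrets/shackspace-gitlab-ci` suggests is the plan.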
@@ -0,0 +1,39 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = [ pkgs.docker-compose ];
+ virtualisation.docker.enable = true;
+ services.nginx = {
+ enable = true;
+ virtualHosts."netbox.shack".locations."/".proxyPass = "http://localhost:18080";
+ };
+ # we store the netbox config there:
+ # state = [ "/var/lib/netbox" ];
+ systemd.services.backup-netbox = {
+ after = [ "netbox-docker-compose.service" ];
+ startAt = "daily";
+ path = with pkgs; [ docker-compose docker gzip coreutils ];
+ script = ''
+ cd /var/lib/netbox
+ mkdir -p backup
+ docker-compose exec -T -upostgres postgres pg_dumpall \
+ | gzip > backup/netdata_$(date -Iseconds).dump.gz
+ '';
+ };
+
+ systemd.services.netbox-docker-compose = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" "docker.service" ];
+ environment.VERSION = "v2.5.13";
+ serviceConfig = {
+ WorkingDirectory = "/var/lib/netbox";
+ # TODO: grep -q NAPALM_SECRET env/netbox.env
+ # TODO: grep -q NAPALM_SECRET netbox-netprod-importer/switches.yml
+ ExecStartPre = "${pkgs.docker-compose}/bin/docker-compose pull";
+ ExecStart = "${pkgs.docker-compose}/bin/docker-compose up";
+ Restart = "always";
+ RestartSec = "10";
+ StartLimitIntervalSec = 60;
+ StartLimitBurst = 3;
+ };
+ };
+}
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 080c259aa..ac656f463 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
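Review bot: The backup script writes `backup/netdata_$(date -Iseconds).dump.gz` under the service's default umask, so a full `pg_dumpall` of the NetBox database — which the NAPALM_SECRET TODOs suggest holds credentials — lands in /var/lib/netbox/backup with whatever permissions that umask yields; adding `umask 077` before `mkdir -p backup` keeps the dumps root-only, and the `netdata_` prefix looks like a slip for `netbox_`. `ExecStartPre` pulls by the mutable tag in `VERSION` on every start, so the running image can change underneath a restart; pinning a digest in the compose file would make the deployment reproducible. `StartLimitIntervalSec`/`StartLimitBurst` are placed in `serviceConfig`, but systemd reads them from `[Unit]` (`unitConfig` in NixOS), so the rate limit may not apply as written — confirm with `systemctl show netbox-docker-compose`.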
@@ -43,6 +43,31 @@ in { }; }; }; + wilde = { + owner = config.krebs.users.kmein; + nets = { + retiolum = { + ip4.addr = "10.243.2.4"; + aliases = [ "wilde.r" ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk + g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg + 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay + uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L + a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo + IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM + C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q + sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq + 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo + 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57 + lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0 + QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + }; dpdkm = { owner = config.krebs.users.Mic92; nets = rec { @@ -241,6 +266,13 @@ in { }; }; }; + rilke = { + owner = config.krebs.users.kmein; + nets.wiregrill = { + aliases = [ "rilke.w" ]; + wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ="; + }; + }; rock = { owner = config.krebs.users.Mic92; nets = { @@ -487,10 +519,13 @@ in { mail = "shackspace.de@myvdr.de"; pubkey = ssh-for "ulrich"; }; + "0x4a6f" = { + mail = "0x4a6f@shackspace.de"; + pubkey = ssh-for "0x4a6f"; + }; miaoski = { }; filly = { }; }; } - diff --git a/krebs/3modules/external/palo.nix b/krebs/3modules/external/palo.nix index cefac0959..05808714c 100644 --- a/krebs/3modules/external/palo.nix +++ b/krebs/3modules/external/palo.nix @@ -34,7 +34,10 @@ in { retiolum = { ip4.addr = "10.243.23.3"; tinc.port = 720; - aliases = [ "kruck.r" ]; + aliases = [ + "kruck.r" + "video.kruck.r" + ]; tinc.pubkey = tinc-for "palo"; }; }; 
@@ -49,6 +52,7 @@ in { tinc.pubkey = tinc-for "palo"; }; }; + syncthing.id = "FLY7DHI-TJLEQBJ-JZNC4YV-NBX53Z2-ZBRWADL-BKSFXYZ-L4FMDVH-MOSEVAQ"; }; workhorse = { owner = config.krebs.users.palo; diff --git a/krebs/3modules/external/ssh/0x4a6f.pub b/krebs/3modules/external/ssh/0x4a6f.pub new file mode 100644 index 000000000..1ea084bad --- /dev/null +++ b/krebs/3modules/external/ssh/0x4a6f.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMoQSUz0wcV8tnTKsYO3sO6XG6EHap8R63ihfMHkxPS diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 41f3852b9..f4c8f5c6a 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -35,6 +35,7 @@ in { default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} io 60 IN NS ions.lassul.us. ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index b38c9104f..601762b93 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -143,11 +143,19 @@ in { ci = true; cores = 4; nets = { + lan = { + ip4.addr = "192.168.8.11"; + aliases = [ + "wbob.lan" + "log.wbob.lan" + ]; + }; retiolum = { ip4.addr = "10.243.214.15"; aliases = [ "wbob.r" "hydra.wbob.r" + "log.wbob.r" ]; }; }; @@ -182,6 +190,7 @@ in { wiki.euer IN A ${nets.internet.ip4.addr} wikisearch IN A ${nets.internet.ip4.addr} io IN NS gum.krebsco.de. + mediengewitter IN CNAME over.dose.io. ''; }; cores = 8; 
@@ -196,13 +205,13 @@ in { }; wiregrill = { via = internet; + ip4.addr = "10.244.245.1"; ip6.addr = w6 "1"; - wireguard = { - subnets = [ - (krebs.genipv6 "wiregrill" "external" 0).subnetCIDR + wireguard.port = 51821; + wireguard.subnets = [ (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR - ]; - }; + "10.244.245.0/24" # required for routing directly to gum via rockit + ]; }; retiolum = { via = internet; @@ -247,7 +256,6 @@ in { cores = 1; extraZones = { "krebsco.de" = '' - mediengewitter IN A ${nets.internet.ip4.addr} flap IN A ${nets.internet.ip4.addr} ''; }; @@ -281,6 +289,10 @@ in { }; }; }; + rockit = rec { # router@home + cores = 1; + nets.wiregrill.ip4.addr = "10.244.245.2"; + }; senderechner = rec { cores = 2; diff --git a/krebs/3modules/makefu/wiregrill/gum.pub b/krebs/3modules/makefu/wiregrill/gum.pub index 4a5f666cc..67d6c7216 100644 --- a/krebs/3modules/makefu/wiregrill/gum.pub +++ b/krebs/3modules/makefu/wiregrill/gum.pub @@ -1 +1 @@ -yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo= +A7UPKSUaCZaJ9hXv6X4jvcZ+5X+PlS1EmCwxlLBAKH0= diff --git a/krebs/3modules/makefu/wiregrill/rockit.pub b/krebs/3modules/makefu/wiregrill/rockit.pub new file mode 100644 index 000000000..6cb0d960d --- /dev/null +++ b/krebs/3modules/makefu/wiregrill/rockit.pub @@ -0,0 +1 @@ +YmvTL4c13WS6f88ZAz2m/2deL2pnPXI0Ay3edCPE1Qc= diff --git a/krebs/3modules/mb/default.nix b/krebs/3modules/mb/default.nix index c98db4b27..e77811f08 100644 --- a/krebs/3modules/mb/default.nix +++ b/krebs/3modules/mb/default.nix @@ -3,7 +3,6 @@ with import ; hostDefaults = hostName: host: flip recursiveUpdate host { ci = true; - monitoring = true; owner = config.krebs.users.mb; }; 
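Review bot: In mb/default.nix, dropping `monitoring = true;` from `hostDefaults` disables monitoring for every mb host at once, and neither this hunk nor the new hosts added later in the file say why; if only some hosts should be exempt, set `monitoring = false;` on those instead, otherwise a one-line comment in `hostDefaults` recording the decision would help.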
@@ -63,6 +62,59 @@ in { }; }; }; + gr33n = { + nets = { + retiolum = { + ip4.addr = "10.243.42.123"; + aliases = [ + "gr33n.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvcqecLfk8TlGFF7JJpv8 + kjLFNgoNfu9FYRMNG4GSxWL5w+49n6b+GC5ciOC+RJ+N56jfB9JYE0MtbuOmkY5M + JUphuvgOCNhTbBJsjnmG9n02evpxZn9HWypNC3oQCvY2K7vHpIxGKR5PyTVKPO0P + OOYKAbCLD9F2bmuLaBQ/dFXFQxfu3tjvJI9mYDWBpSkh1mYeMZLw2xxnRZLs0bEO + ZWdzxCh9UM/mgb4WYuNED9+sz7MSsaMPAqquarFCguUxhjp6rElGFcNWjXaxA5zt + JGS6VompUViVSHjSaQ5/3VRKoIQjr4NOFYQqLpmB5S2OpiggV6I9OpB7QUGlvcYd + I3j+1AeK11HuEyPqSwxjNCCrI12bSIo3685BPHbl+AMhWGhzrCkAGcOCbAefreXQ + 5v4SaKUIDlCYhN+vyNdlu2jvqQlxfJrPAfBt+jJBK6gMcAEKc7P/Oj4B9Fsl331X + s0kWH5G9t6OhO/Of8/kb2/P+YEbM6zi1QQdZAOr6Cg0y4cMt9zxLWknaM4yEDAXH + oSM33PTv9DOvBjfxRXqOHqOHRq5ayqZdIFgfLUlPTdbWRkhNzjG8f7k7p32m20A6 + Kal+OF//I2c9E9vKFzyepyTcnwi3B8+cFJ74+XYaNApdwHSb1BU/+c3O9RJExZGV + jtTSbSJHU5esECtAuXy1XH8CAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + }; + sunsh1n3 = { + ci = false; + nets = { + retiolum = { + ip4.addr = "10.243.42.142"; + aliases = [ + "sunsh1n3.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAo2VCqp6mUbyo3n+1XpKf + QavpgRYQyv9wAZzYSYHjxThuLmNb/wERPbWJFMZfAGuku0blKWJISSgFWd9YL7dU + pZQZxfqo/9xnS/r0xIKrKSsBiTZt7JZmTQzj1ri11TIO0S1QPjIP5HsxlZZAw0nz + idEDlKmgWs74FPdezlXqvJyEUKDqL/ZQBtdhZZIDMkSJnCdBzXxKwv+uLVE46ZBf + 4HrtQjcj+dyVMogMIoseAgf5lS6V3pyCM7/NHZFxrIxoIAxSsUoB59i2EbK6aUK5 + yuiWHI6ZHToxN2K/0SX96hzxcwrUmdk49tTHBY0Zhn2ku6NjQPU3LuxgIwrSaSJD + /KWh6XkqR7EsCVN0AIsLvFelI2ckSyNyAlnYbMAHDt7GwHlNp4Lsy+x4ZQ6m0xTY + Z+/jt6sfoMiulPcwWEpqNCCf5A65lF77DldQhH3qYrdQ756n/kOqSfQtPCnVNYXy + LlN5rKCOgxKxxtKkwMUif2OM9RPHpM7wS09Rvek6zpL9ymhU5THF7UylLKxKGjYj + 6dTooyRVQRJdrwIYLrJIy0MfGyYiGAJxf/C0KOOZnJPCW2b51+bo5Zh+BhKZYN8H + C2DEGc8+4h5hX1TAaUfTpfVm3mMTh8H2m9N8Pdl5ji+A0m0IwHDLQyaoskcxSjvU + 9IxYLfkSD6AJqasnHlz0L08CAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + }; }; users = { 
mb = { diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix index f653f7fa5..939c8fddf 100644 --- a/krebs/3modules/syncthing.nix +++ b/krebs/3modules/syncthing.nix @@ -24,7 +24,7 @@ let getApiKey = pkgs.writeDash "getAPIKey" '' ${pkgs.libxml2}/bin/xmllint \ --xpath 'string(configuration/gui/apikey)'\ - ${scfg.dataDir}/config.xml + ${scfg.configDir}/config.xml ''; updateConfig = pkgs.writeDash "merge-syncthing-config" '' @@ -47,14 +47,20 @@ let } old_config=$(_curl /system/config) - patch=${shell.escape (toJSON { + new_config=${shell.escape (toJSON { inherit devices folders; })} new_config=$(${pkgs.jq}/bin/jq -en \ --argjson old_config "$old_config" \ - --argjson patch "$patch" \ + --argjson new_config "$new_config" \ ' - $old_config * $patch + $old_config * $new_config + ${optionalString (!kcfg.overridePeers) '' + * { devices: $old_config.devices } + ''} + ${optionalString (!kcfg.overrideFolders) '' + * { folders: $old_config.folders } + ''} ' ) echo $new_config | _curl /system/config -d @- @@ -68,11 +74,6 @@ in enable = mkEnableOption "syncthing-init"; - id = mkOption { - type = types.str; - default = config.krebs.build.host.name; - }; - cert = mkOption { type = types.nullOr types.absolute-pathname; default = null; @@ -83,6 +84,13 @@ in default = null; }; + overridePeers = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the peers which are not configured via the peers option + ''; + }; peers = mkOption { default = {}; type = types.attrsOf (types.submodule ({ @@ -103,6 +111,13 @@ in })); }; + overrideFolders = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the folders which are not configured via the peers option + ''; + }; folders = mkOption { default = {}; type = types.attrsOf (types.submodule ({ config, ... }: { 
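Review bot: In the `updateConfig` hunk, with `overridePeers = false` the jq expression ends in `* { devices: $old_config.devices }`; jq's `*` replaces rather than concatenates when both sides are arrays, so the merged config gets exactly the old device list and every peer declared in `kcfg.peers` is dropped — the opposite of what the option description promises — and the folders branch behaves the same way. If `devices` and `folders` are the arrays Syncthing's REST config uses (their definition is outside this hunk), the non-override case should union the lists, e.g. `* { devices: ($old_config.devices + $new_config.devices | unique_by(.deviceID)) }` and the analogous `unique_by(.id)` for folders. The `updateConfig` script begins before this hunk.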
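Review bot: The `overrideFolders` description says "not configured via the peers option", copied from `overridePeers`; it should read `Whether to delete the folders which are not configured via the folders option`. Both descriptions would also benefit from stating that the default `true` makes the declarative config authoritative, so devices or folders added through the Syncthing GUI are removed on the next activation.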
@@ -163,14 +178,14 @@ in systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) { preStart = '' ${optionalString (kcfg.cert != null) '' - cp ${toString kcfg.cert} ${scfg.dataDir}/cert.pem - chown ${scfg.user}:${scfg.group} ${scfg.dataDir}/cert.pem - chmod 400 ${scfg.dataDir}/cert.pem + cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem + chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem + chmod 400 ${scfg.configDir}/cert.pem ''} ${optionalString (kcfg.key != null) '' - cp ${toString kcfg.key} ${scfg.dataDir}/key.pem - chown ${scfg.user}:${scfg.group} ${scfg.dataDir}/key.pem - chmod 400 ${scfg.dataDir}/key.pem + cp ${toString kcfg.key} ${scfg.configDir}/key.pem + chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem + chmod 400 ${scfg.configDir}/key.pem ''} ''; }; diff --git a/krebs/5pkgs/haskell/xmonad-stockholm.nix b/krebs/5pkgs/haskell/xmonad-stockholm.nix index 228d365a3..1b197b914 100644 --- a/krebs/5pkgs/haskell/xmonad-stockholm.nix +++ b/krebs/5pkgs/haskell/xmonad-stockholm.nix @@ -1,5 +1,4 @@ -{ mkDerivation, base, containers, fetchgit, filepath, stdenv, unix, X11, X11-xft -, X11-xshape, xmonad, xmonad-contrib +{ mkDerivation, base, containers, fetchgit, filepath, stdenv, unix, X11, X11-xft , X11-xshape, xmonad, xmonad-contrib }: mkDerivation rec { pname = "xmonad-stockholm"; diff --git a/krebs/krops.nix b/krebs/krops.nix index 94418fdc2..8d38ed5b0 100644 --- a/krebs/krops.nix +++ b/krebs/krops.nix @@ -50,7 +50,7 @@ { nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix"; secrets = if test then { - file = toString ; + file = toString ./0tests/data/secrets; } else { pass = { dir = "${lib.getEnv "HOME"}/brain"; diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 0bc3abf9c..4118a1dd6 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json 
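Review bot: In the syncthing `preStart`, the `cp`/`chown`/`chmod 400` sequence on `${scfg.configDir}/cert.pem` and `key.pem` creates each file with the default umask and only then restricts it; `install -o ${scfg.user} -g ${scfg.group} -m 400 ${toString kcfg.key} ${scfg.configDir}/key.pem` (and the same for cert.pem) sets owner and mode in one step. The switch from `dataDir` to `configDir` is consistent with the `getApiKey` change earlier in the file.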
@@ -1,7 +1,7 @@ { "url": "https://github.com/NixOS/nixpkgs-channels", - "rev": "cf3e277dd0bd710af0df667e9364f4bd80c72713", - "date": "2019-04-24T23:55:21+02:00", - "sha256": "1abyadl3sxf67yi65758hq6hf2j07afgp1fmkk7kd94dadx6r6f4", + "rev": "d77e3bd661354ea775a8cacc97bb59ddde513c09", + "date": "2019-06-18T23:08:17+02:00", + "sha256": "1m82zs00n6nc0pkdpmd9amm013qxwksjfhzcm6gck3p469q7n866", "fetchSubmodules": false } diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index 6e3df12f0..df8868034 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -57,6 +57,8 @@ with import ; { krebs.per-user.bitcoin.packages = [ pkgs.electrum + pkgs.electron-cash + pkgs.altcoins.litecoin ]; users.extraUsers = { bitcoin = { diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index f911b79d6..5076beeef 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -49,14 +49,31 @@ with import ; ]; } { - krebs.syncthing.folders."the_playlist" = { - path = "/home/lass/tmp/the_playlist"; - peers = [ "mors" "phone" "prism" ]; + krebs.syncthing = { + peers.schasch.addresses = [ "schasch.r:22000" ]; + folders = { + the_playlist = { + path = "/home/lass/tmp/the_playlist"; + peers = [ "mors" "phone" "prism" ]; + }; + free_music = { + id = "mu9mn-zgvsw"; + path = "/home/lass/tmp/free_music"; + peers = [ "mors" "schasch" ]; + }; + }; }; - krebs.permown."/home/lass/tmp/the_playlist" = { - owner = "lass"; - group = "syncthing"; - umask = "0007"; + krebs.permown = { + "/home/lass/tmp/free_music" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; + "/home/lass/tmp/the_playlist" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; }; } { diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix index 25425f146..6828d70de 100644 --- a/lass/1systems/mors/physical.nix +++ b/lass/1systems/mors/physical.nix 
@@ -22,7 +22,7 @@ }; services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:72:f4:88", NAME="wl0" + SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0" ''; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index d7b0b701a..eec8e34b8 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -195,6 +195,7 @@ with import ; }; } + { services.taskserver = { enable = true; @@ -382,7 +383,7 @@ with import ; ''; fileSystems."/export/download" = { - device = "/var/lib/containers/yellow/var/download"; + device = "/var/lib/containers/yellow/var/download/finished"; options = [ "bind" ]; }; services.nfs.server = { @@ -395,6 +396,12 @@ with import ; statdPort = 4000; }; krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } @@ -456,4 +463,10 @@ with import ; enable = true; freeMemThreshold = 5; }; + + # prism rsa hack + services.openssh.hostKeys = [{ + path = toString + "ssh.id_rsa"; + type = "rsa"; + }]; } diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index d214e224d..c0085995d 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix 
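Review bot: In prism/config.nix, `services.openssh.hostKeys = [{ path = …; type = "rsa"; }]` replaces the module's default list rather than extending it, so prism stops offering its ed25519 host key and clients that pinned that key in known_hosts will see a host-key change. If some client needs RSA, keep both by adding `{ path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }` alongside. The `# prism rsa hack` comment should also name which client needs RSA so the exception can be retired; the path expression itself lost its angle-bracket part in this rendering and cannot be checked here.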
@@ -66,7 +66,6 @@ in { extensions = [ "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium - "liloimnbhkghhdhlamdjipkmadhpcjmn" # krebsgold ]; }; diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix new file mode 100644 index 000000000..5f802148b --- /dev/null +++ b/lass/2configs/codimd.nix @@ -0,0 +1,28 @@ +{ config, pkgs, ... }: +with import ; + +{ + services.nginx.virtualHosts.codimd = { + enableACME = true; + addSSL = true; + serverName = "codi.lassul.us"; + locations."/".extraConfig = '' + client_max_body_size 4G; + proxy_set_header Host $host; + proxy_pass http://localhost:3091; + ''; + }; + + services.codimd = { + enable = true; + configuration = { + db = { + dialect = "sqlite"; + storage = "/var/lib/codimd/db.codimd.sqlite"; + useCDN = false; + }; + port = 3091; + }; + }; +} + diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 4216bd67a..d1e6b195b 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -103,6 +103,9 @@ with import ; { from = "lobsters@lassul.us"; to = lass.mail; } { from = "fysitech@lassul.us"; to = lass.mail; } { from = "threema@lassul.us"; to = lass.mail; } + { from = "ubisoft@lassul.us"; to = lass.mail; } + { from = "kottezeller@lassul.us"; to = lass.mail; } + { from = "pie@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix index 5b890b591..ab27eb841 100644 --- a/lass/2configs/network-manager.nix +++ b/lass/2configs/network-manager.nix @@ -15,6 +15,8 @@ }; }; networking.networkmanager = { + ethernet.macAddress = "random"; + wifi.macAddress = "random"; enable = true; unmanaged = [ "docker*" diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix index 88899c554..b4efd42fc 100644 --- a/lass/2configs/radio.nix +++ b/lass/2configs/radio.nix 
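Review bot: The new codimd virtual host uses `addSSL = true`, which keeps serving the pad over plain HTTP alongside HTTPS, while the radio host in the same diff uses `forceSSL = true`; for an editor that carries session cookies this should be `forceSSL = true;` so HTTP only redirects. The proxy block also forwards only `Host`; CodiMD builds absolute URLs from the request it sees, so add `proxy_set_header X-Forwarded-Proto $scheme;` (and `X-Forwarded-For`, as the radio hunk does) so generated links and any secure-cookie logic see HTTPS. `client_max_body_size 4G` on a single-page location is large for an anonymous upload endpoint; if uploads are meant to be that big, a comment saying why would stop the next reviewer lowering it.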
@@ -97,12 +97,17 @@ in { services.icecast = { enable = true; - hostname = "config.krebs.build.host.name"; + hostname = "radio.lassul.us"; admin.password = admin-password; extraConf = '' - - ${source-password} - + + /radio.mp3 + ${source-password} + + + /radio.ogg + ${source-password} + ''; }; @@ -194,8 +199,8 @@ in { workdir = config.krebs.reaktor2.the_playlist.stateDir; hooks.PRIVMSG = [ { - activate = "match"; - pattern = ''!([^ ]+)(?:\s*(.*))?''; + #activate = "match"; + pattern = "^\\s*([0-9A-Za-z._][0-9A-Za-z._-]*)(?:\\s+(.*\\S))?\\s*$"; command = 1; arguments = [2]; commands = { @@ -218,6 +223,11 @@ in { forceSSL = true; enableACME = true; locations."/".extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Real-IP $remote_addr; proxy_pass http://localhost:8000; ''; locations."/recent".extraConfig = '' diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index fb76c5735..9932f8172 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -20,8 +20,10 @@ "prism" "gum" "ni" - "dishfire" ]; + extraConfig = '' + LocalDiscovery = yes + ''; }; nixpkgs.config.packageOverrides = pkgs: { diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index 48f2625c1..d4df17b9a 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -1,5 +1,7 @@ { config, pkgs, ... }: with import ; let - peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts); + all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts; + own_peers = filterAttrs (n: v: v.owner.name == "lass") all_peers; + mk_peers = mapAttrs (n: v: { id = v.syncthing.id; }); in { services.syncthing = { enable = true; 
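Review bot: The new reaktor2 pattern drops the `!` prefix, so every IRC message that starts with a bare word is now fed to the `command = 1` dispatch; the character class `[0-9A-Za-z._][0-9A-Za-z._-]*` keeps `/` and a leading `-` out of the command name, but `.` and `..` still match, which is worth a comment if the name is ever resolved against the working directory rather than the `commands` attrset. A line such as `# command name is restricted to [0-9A-Za-z._-] with no leading '-' so it cannot be a flag or path` would document the intent. The commented-out `#activate = "match";` is either dead and should be removed, or needs a note explaining why the default activation is now used.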
@@ -14,8 +16,8 @@ in { enable = true; cert = toString ; key = toString ; - peers = peers; - folders."/home/lass/sync".peers = attrNames peers; + peers = mk_peers all_peers; + folders."/home/lass/sync".peers = attrNames (filterAttrs (n: v: n != "phone") own_peers); }; system.activationScripts.syncthing-home = '' @@ -23,8 +25,9 @@ in { ''; krebs.permown."/home/lass/sync" = { + file-mode = "u+rw,g+rw"; owner = "lass"; group = "syncthing"; - umask = "0007"; + umask = "0002"; }; } diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index 4f7bd4437..f55886e2e 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -11,6 +11,9 @@ let (hiPrio (pkgs.python3.withPackages (ps: [ ps.python-language-server ps.pyls-isort + ps.pyflakes + ps.flake8 + ps.yapf ]))) ]; @@ -72,10 +75,6 @@ let au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile - "Syntastic config - "let g:syntastic_python_checkers=['flake8'] - "let g:syntastic_python_flake8_post_args='--ignore=E501' - nnoremap :call LanguageClient_contextMenu() set hidden let g:LanguageClient_serverCommands = { @@ -83,7 +82,10 @@ let \ 'go': ['~/go/bin/go-langserver'] \ } - let g:LanguageClient_diagnosticsDisplay = { 2: { "signText": "W" } } + let g:LanguageClient_diagnosticsDisplay = { + \ 1: { "signText": "E" }, + \ 2: { "signText": "W" } + \ } nmap q :buffer nmap :buffer @@ -126,7 +128,6 @@ let extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [ pkgs.vimPlugins.ack-vim pkgs.vimPlugins.Gundo - #pkgs.vimPlugins.Syntastic pkgs.vimPlugins.undotree pkgs.vimPlugins.vim-go pkgs.vimPlugins.fzf-vim diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 2131c7c62..9980e0501 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
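Review bot: Changing the `/home/lass/sync` umask from `0007` to `0002` makes everything under the sync directory readable by every local user (files 0664, directories 0775), while the added `file-mode = "u+rw,g+rw"` already grants the syncthing group the write access that looks like the goal. Unless other users are meant to read the synced files, keep `umask = "0007";` together with the new `file-mode` line. A one-line comment stating the intended audience, e.g. `# lass rw, syncthing group rw, nobody else`, would make the choice explicit.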
@@ -26,6 +26,7 @@ in { ./default.nix ./sqlBackup.nix (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) + (servePage [ "jarugadesign.de" "www.jarugadesign.de" ]) (servePage [ "freemonkey.art" "www.freemonkey.art" @@ -93,6 +94,7 @@ in { hostName = "o.xanf.org"; config = { adminpassFile = toString + "/nextcloud_pw"; + overwriteProtocol = "https"; }; https = true; nginx.enable = true; @@ -141,6 +143,7 @@ in { { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "bui@freemonkey.art"; to ="bui"; } { from = "kontakt@alewis.de"; to ="klabusterbeere"; } + { from = "hallo@jarugadesign.de"; to ="kasia"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -150,6 +153,7 @@ in { "ubikmedia.eu" "ubikmedia.de" "alewis.de" + "jarugadesign.de" ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem"; @@ -234,7 +238,18 @@ in { createHome = true; }; - krebs.on-failure.plans.restic-backups-domsen = {}; + users.users.kasia = { + uid = genid_uint31 "kasia"; + home = "/home/kasia"; + useDefaultShell = true; + createHome = true; + }; + + krebs.on-failure.plans.restic-backups-domsen = { + journalctl = { + lines = 1000; + }; + }; services.restic.backups.domsen = { initialize = true; extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString + "/ssh.id_ed25519"} -s sftp'" ]; 
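Review bot: Raising `krebs.on-failure.plans.restic-backups-domsen.journalctl.lines` to 1000 means the failure notification now carries up to 1000 lines of the backup unit's journal, and the context line shows that unit's ssh runs with `-v`, so those lines will include ssh debug output (host key fingerprints, offered identities, remote banner) wherever the notification is delivered. Consider dropping `-v` from the sftp command or keeping the line count small, and note the trade-off in a comment such as `# 1000 lines so restic's own error is included; ssh -v output is in there too`. The new `users.users.kasia` entry is consistent with the others and its Maildir is added to the backup set in the next hunk, which is good.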
@@ -247,11 +262,41 @@ in { "/home/ms/Mail" "/home/klabusterbeere/Mail" "/home/jms/Mail" + "/home/kasia/Mail" "/home/bruno/Mail" "/home/akayguen/Mail" "/backups/sql_dumps" ]; }; + boot.kernel.sysctl."fs.inotify.max_user_watches" = "1048576"; + krebs.permown = { + "/srv/http/ubikmedia.de" = { + owner = "domsen"; + group = "nginx"; + umask = "0007"; + }; + "/srv/http/o.ubikmedia.de" = { + owner = "domsen"; + group = "nginx"; + umask = "0007"; + }; + "/srv/http/freemonkey.art" = { + owner = "domsen"; + group = "nginx"; + umask = "0002"; + }; + "/srv/http/jarugadesign.de" = { + owner = "domsen"; + group = "nginx"; + umask = "0002"; + }; + "/srv/http/reich-gebaeudereinigung.de" = { + owner = "domsen"; + group = "nginx"; + umask = "0002"; + }; + }; + } diff --git a/mb/1systems/gr33n/configuration.nix b/mb/1systems/gr33n/configuration.nix new file mode 100644 index 000000000..4342ba0e2 --- /dev/null +++ b/mb/1systems/gr33n/configuration.nix 
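Review bot: All five `krebs.permown` document roots are owned by `domsen` with group `nginx`, and both umasks used here (`0007` and `0002`) leave the group with write permission, so the nginx worker group can modify the served files; nginx only needs to read them. If permown applies the umask to created and existing files as it appears to, a read-only group such as `umask = "0027";` gives nginx what it needs while keeping writes with `domsen`. The hunk also silently mixes `0007` for the ubikmedia roots and `0002` for the other three; a short comment per group, e.g. `# static sites: world-readable is fine` versus `# app roots: keep others out`, would explain the split instead of leaving it to guesswork.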
@@ -0,0 +1,130 @@ +{ config, pkgs, callPackage, ... }: let + unstable = import { config = { allowUnfree = true; }; }; +in { + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + + ]; + + krebs.build.host = config.krebs.hosts.gr33n; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.extraModulePackages = with config.boot.kernelPackages; [ wireguard ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + fileSystems."/".options = [ "noatime" "nodiratime" "discard" ]; + fileSystems."/mnt/public" = { + device = "//192.168.0.4/public"; + fsType = "cifs"; + options = let + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ]; + }; + + i18n = { + consoleFont = "Lat2-Terminus16"; + consoleKeyMap = "de"; + defaultLocale = "en_US.UTF-8"; + }; + + time.timeZone = "Europe/Berlin"; + + nixpkgs.config.allowUnfree = true; + + nixpkgs.config.packageOverrides = super: { + openvpn = super.openvpn.override { + pkcs11Support = true; + useSystemd = false; + }; + }; + + environment.shellAliases = { + ll = "ls -alh"; + ls = "ls --color=tty"; + }; + + environment.systemPackages = with pkgs; [ + curl + fish + git + htop + nmap + ranger + tcpdump + tmux + traceroute + tree + vim + wcalc + wget + xz + ]; + + programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + + sound.enable = false; + + services.openssh.enable = true; + services.openssh.passwordAuthentication = false; + + networking.wireless.enable = false; + networking.networkmanager.enable = false; + krebs.iptables.enable = true; + networking.enableIPv6 = false; + + programs.fish = { + enable = true; + shellInit = '' + function ssh_agent --description 'launch the ssh-agent and add the id_rsa 
identity' + if begin + set -q SSH_AGENT_PID + and kill -0 $SSH_AGENT_PID + and grep -q '^ssh-agent' /proc/$SSH_AGENT_PID/cmdline + end + echo "ssh-agent running on pid $SSH_AGENT_PID" + else + eval (command ssh-agent -c | sed 's/^setenv/set -Ux/') + end + set -l identity $HOME/.ssh/id_rsa + set -l fingerprint (ssh-keygen -lf $identity | awk '{print $2}') + ssh-add -l | grep -q $fingerprint + or ssh-add $identity + end + ''; + promptInit = '' + function fish_prompt --description 'Write out the prompt' + set -l color_cwd + set -l suffix + set -l nix_shell_info ( + if test "$IN_NIX_SHELL" != "" + echo -n " " + end + ) + switch "$USER" + case root toor + if set -q fish_color_cwd_root + set color_cwd $fish_color_cwd_root + else + set color_cwd $fish_color_cwd + end + set suffix '#' + case '*' + set color_cwd $fish_color_cwd + set suffix '>' + end + + echo -n -s "$USER" @ (set_color green) (prompt_hostname) (set_color normal) "$nix_shell_info" ' ' (set_color $color_cwd) (prompt_pwd) (set_color normal) "$suffix " + end + ''; + }; + + nix.buildCores = 4; + system.autoUpgrade.enable = false; + system.autoUpgrade.channel = "https://nixos.org/channels/nixos-19.03"; + system.stateVersion = "19.03"; + +} diff --git a/mb/1systems/gr33n/hardware-configuration.nix b/mb/1systems/gr33n/hardware-configuration.nix new file mode 100644 index 000000000..1d13b8dc7 --- /dev/null +++ b/mb/1systems/gr33n/hardware-configuration.nix 
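Review bot: The gr33n configuration enables `programs.gnupg.agent.enableSSHSupport = true` and, in the same file, a fish `ssh_agent` function that evals `ssh-agent -c` and rewrites its `setenv` lines to `set -Ux`; if enableSSHSupport exports `SSH_AUTH_SOCK` for gpg-agent as it does in NixOS, the universal variable from the fish function will override it for every fish session, leaving two agents and the gpg one unused. Pick one: either drop `enableSSHSupport` or remove the `ssh_agent` function, and say which in a comment such as `# SSH keys live in gpg-agent; do not start a second ssh-agent`. The module header also requests `callPackage` as an argument, which is not a standard NixOS module argument and will fail evaluation unless it is supplied via specialArgs; the `unstable` binding it sits next to is unused in the visible file. The hunk continues from the previous line of the page.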
@@ -0,0 +1,37 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, ... }: + +{ + imports = + [ + ]; + + boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "nvme" "usb_storage" "usbhid" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + boot.initrd.mdadmConf = '' + ARRAY /dev/md0 level=raid6 num-devices=4 metadata=1.2 name=gr33n:0 UUID=5b715fd9:0be6bfa6:19f07db4:c16836d6 + devices=/dev/sda1,/dev/sdb1,/dev/sdc1,/dev/sdd1 + ''; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/a9f2c19b-f60f-450c-87f1-146a54c4198b"; + fsType = "ext4"; + }; + fileSystems."/storage" = + { device = "/dev/disk/by-label/storage"; + fsType = "ext4"; + }; + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/93EB-BCA3"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 4; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; +} diff --git a/mb/1systems/orange/configuration.nix b/mb/1systems/orange/configuration.nix index 4ac0996a4..3e90f89a2 100644 --- a/mb/1systems/orange/configuration.nix +++ b/mb/1systems/orange/configuration.nix @@ -27,15 +27,13 @@ in { fileSystems."/".options = [ "noatime" "nodiratime" "discard" ]; fileSystems."/mnt/public" = { - device = "//192.168.88.252/public"; + device = "//192.168.0.4/public"; fsType = "cifs"; options = let automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ]; }; - #networking.hostName = "0r4n93"; - networking.wireless.enable = false; # Select internationalisation properties. i18n = { @@ -132,7 +130,6 @@ in { vulnix wcalc wget - wireshark-gtk xz ]; 
@@ -151,6 +148,8 @@ in { sound.enable = true; hardware.pulseaudio.enable = true; + hardware.pulseaudio.support32Bit = true; + nixpkgs.config.pulseaudio = true; services.xserver = { enable = true; @@ -173,7 +172,9 @@ in { #services.openssh.permitRootLogin = "yes"; services.openssh.passwordAuthentication = false; + networking.wireless.enable = false; networking.networkmanager.enable = false; + krebs.iptables.enable = true; #networking.nameservers = [ "8.8.8.8" "141.1.1.1" ]; networking.enableIPv6 = false; diff --git a/mb/1systems/p1nk/configuration.nix b/mb/1systems/p1nk/configuration.nix index 28a7c7776..905630e78 100644 --- a/mb/1systems/p1nk/configuration.nix +++ b/mb/1systems/p1nk/configuration.nix @@ -22,14 +22,13 @@ in { ]; fileSystems."/".options = [ "noatime" "nodiratime" "discard" ]; fileSystems."/mnt/public" = { - device = "//192.168.88.252/public"; + device = "//192.168.0.4/public"; fsType = "cifs"; options = let automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; in [ "${automount_opts},user,rw,username=mb0,iocharset=utf8,credentials=${config.users.users.mb.home}/.smbcredentials" ]; }; - networking.wireless.enable = true; i18n = { consoleFont = "Lat2-Terminus16"; @@ -143,11 +142,12 @@ in { sound.enable = true; hardware.pulseaudio.enable = true; + hardware.pulseaudio.support32Bit = true; services.xserver = { enable = true; layout = "de"; - xkbOptions = "neo"; + xkbOptions = "nodeadkeys"; libinput.enable = true; desktopManager = { default = "xfce"; @@ -164,7 +164,9 @@ in { services.openssh.enable = true; services.openssh.passwordAuthentication = false; + krebs.iptables.enable = true; networking.networkmanager.enable = false; + networking.wireless.enable = true; networking.nameservers = [ "8.8.8.8" "141.1.1.1" ]; networking.enableIPv6 = false; diff --git a/mb/2configs/default.nix b/mb/2configs/default.nix index 75189e192..ab11495c8 100644 --- a/mb/2configs/default.nix 
+++ b/mb/2configs/default.nix @@ -49,7 +49,7 @@ with import ; build.user = config.krebs.users.mb; }; - users.mutableUsers = false; + users.mutableUsers = true; services.timesyncd.enable = mkForce true; @@ -67,6 +67,7 @@ with import ; environment.systemPackages = with pkgs; [ #stockholm git + git-preview gnumake jq parallel
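Review bot: Flipping `users.mutableUsers` to `true` lets `passwd`, `useradd` and `usermod` change accounts on the box without the change appearing in this repository, so the declared user set and the real one can drift and a rebuild no longer guarantees the declared state. The hunk does not say why this is needed; if it is only to allow interactive password changes, a comment such as `# mutable so passwords can be set with passwd; accounts are still declared here` records the intent, and the users whose `hashedPassword` is no longer authoritative should be listed. Password login over SSH stays disabled by the `passwordAuthentication = false` lines in the host configs, which limits the impact, but local and console logins are now governed by whatever is in /etc/shadow.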