Merge remote-tracking branch 'temp/master'

2017-10-17 19:54:15 +02:00 · 2017-10-17 19:54:15 +02:00 · 9afe5210f2
commit 9afe5210f2
parent f4bf911072 4667bb8e41
124 changed files with 2325 additions and 697 deletions
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@ -12,6 +12,9 @@
    <stockholm/krebs/2configs/buildbot-all.nix>
    <stockholm/krebs/2configs/gitlab-runner-shackspace.nix>
    <stockholm/krebs/2configs/binary-cache/nixos.nix>
    <stockholm/krebs/2configs/ircd.nix>
    <stockholm/krebs/2configs/reaktor-krebs.nix>
    <stockholm/krebs/2configs/reaktor-retiolum.nix>
  ];
  krebs.build.host = config.krebs.hosts.hotdog;
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@ -27,6 +27,11 @@
    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
    kernelModules = [ "kvm-intel" ];
    extraModprobeConfig = ''
      options thinkpad_acpi fan_control=1
    '';
  };
  fileSystems = {
@ -65,7 +70,10 @@
  '';
  environment.systemPackages = [ pkgs.zsh ];
-  boot.kernelModules = [ "kvm-intel" ];
+
  system.activationScripts."disengage fancontrol" = ''
    echo level disengaged > /proc/acpi/ibm/fan
  '';
  users.users.joerg = {
    openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ];
    isNormalUser = true;
--- a/krebs/2configs/binary-cache/prism.nix
+++ b/krebs/2configs/binary-cache/prism.nix
@ -7,6 +7,7 @@
    ];
    binaryCachePublicKeys = [
      "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
      "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
    ];
  };
 }
--- a/krebs/2configs/gitlab-runner-shackspace.nix
+++ b/krebs/2configs/gitlab-runner-shackspace.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
  url = "https://git.shackspace.de/";
  # generate token from CI-token via:
@ -6,7 +6,7 @@ let
  ## cat /etc/gitlab-runner/config.toml
  token = import <secrets/shackspace-gitlab-ci-token.nix> ;
 in {
-  systemd.services.gitlab-runner.path = [ 
+  systemd.services.gitlab-runner.path = [
    "/run/wrappers" # /run/wrappers/bin/su
    "/" # /bin/sh
  ];
@ -16,19 +16,18 @@ in {
    enable = true;
    # configFile, configOptions and gracefulTimeout not yet in stable
    # gracefulTimeout = "120min";
-    configText = ''
+    configFile = pkgs.writeText "gitlab-runner.cfg" ''
-    concurrent = 1
+      concurrent = 1
-    check_interval = 0
+      check_interval = 0
    [[runners]]
      name = "krebs-shell"
      url = "${url}"
      token = "${token}"
      executor = "shell"
      shell = "sh"
      environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
      [runners.cache]
      [[runners]]
        name = "krebs-shell"
        url = "${url}"
        token = "${token}"
        executor = "shell"
        shell = "sh"
        environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
        [runners.cache]
    '';
  };
 }
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@ -8,6 +8,8 @@ with import <stockholm/lib>;
  hardware.cpu.intel.updateMicrocode = true;
  hardware.opengl.enable = true;
  services.tlp.enable = true;
  boot = {
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@ -92,6 +92,7 @@
      };
      general {
        #maybe we want ident someday?
        default_floodcount = 1000;
        disable_auth = yes;
        throttle_duration = 1;
        throttle_count = 1000;
--- a/krebs/2configs/reaktor-krebs.nix
+++ b/krebs/2configs/reaktor-krebs.nix
--- a/krebs/2configs/reaktor-retiolum.nix
+++ b/krebs/2configs/reaktor-retiolum.nix
@ -0,0 +1,15 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
 {
  krebs.Reaktor.retiolum = {
    nickname = "Reaktor|lass";
    channels = [ "#xxx" ];
    extraEnviron = {
      REAKTOR_HOST = "irc.r";
    };
    plugins = with pkgs.ReaktorPlugins; [
      sed-plugin
    ];
  };
 }
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@ -15,8 +15,8 @@ let
        post-receive = pkgs.git-hooks.irc-announce {
          nick = config.networking.hostName;
          verbose = false;
-          channel = "#retiolum";
+          channel = "#xxx";
-          server = "ni.r";
+          server = "irc.r";
          branches = [ "master" ];
        };
      });
--- a/krebs/2configs/shack/muell_caller.nix
+++ b/krebs/2configs/shack/muell_caller.nix
@ -12,7 +12,7 @@ let
    buildInputs = [
      (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
        docopt
-        requests2
+        requests
        paramiko
        python
      ]))
--- a/krebs/2configs/shack/radioactive.nix
+++ b/krebs/2configs/shack/radioactive.nix
@ -12,7 +12,7 @@ let
    buildInputs = [
      (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
        docopt
-        requests2
+        requests
        python
      ]))
    ];
--- a/krebs/2configs/shack/worlddomination.nix
+++ b/krebs/2configs/shack/worlddomination.nix
@ -37,7 +37,7 @@ let
        docopt
        LinkHeader
        aiocoap
-        requests2
+        requests
        paramiko
        python
      ]))
--- a/krebs/3modules/announce-activation.nix
+++ b/krebs/3modules/announce-activation.nix
@ -35,7 +35,7 @@ in {
    irc = {
      # TODO rename channel to target?
      channel = mkOption {
-        default = "#retiolum";
+        default = "#xxx";
        type = types.str; # TODO types.irc-channel
      };
      nick = mkOption {
@ -47,7 +47,7 @@ in {
        type = types.int;
      };
      server = mkOption {
-        default = "ni.r";
+        default = "irc.r";
        type = types.hostname;
      };
    };
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@ -3,7 +3,7 @@
 with import <stockholm/lib>;
 let
  gunicorn = pkgs.pythonPackages.gunicorn;
-  bepasty = pkgs.pythonPackages.bepasty-server;
+  bepasty = pkgs.bepasty;
  gevent = pkgs.pythonPackages.gevent;
  python = pkgs.pythonPackages.python;
  cfg = config.krebs.bepasty;
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@ -160,6 +160,8 @@ let
        # TODO: maybe also prepare buildbot.tac?
        ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
          set -efux
          #remove garbage from old versions
          rm -r ${workdir}
          mkdir -p ${workdir}/info
          cp ${buildbot-slave-init} ${workdir}/buildbot.tac
          echo ${contact} > ${workdir}/info/admin
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@ -133,8 +133,8 @@ in
      irc = {
        enable = true;
        nick = "build|${hostname}";
-        server = "ni.r";
+        server = "irc.r";
-        channels = [ "retiolum" "noise" ];
+        channels = [ "xxx" "noise" ];
        allowForce = true;
      };
      extraConfig = ''
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -24,6 +24,7 @@ let
      ./go.nix
      ./hidden-ssh.nix
      ./htgen.nix
      ./iana-etc.nix
      ./iptables.nix
      ./kapacitor.nix
      ./monit.nix
--- a/krebs/3modules/iana-etc.nix
+++ b/krebs/3modules/iana-etc.nix
@ -0,0 +1,55 @@
 with import <stockholm/lib>;
 { config, pkgs, ... }: {
  options.krebs.iana-etc.services = mkOption {
    default = {};
    type = types.attrsOf (types.submodule ({ config, ... }: {
      options = {
        port = mkOption {
          default = config._module.args.name;
          type = types.addCheck types.str (test "[1-9][0-9]*");
        };
      } // genAttrs ["tcp" "udp"] (protocol: mkOption {
        default = null;
        type = types.nullOr (types.submodule {
          options = {
            name = mkOption {
              type = types.str;
            };
          };
        });
      });
    }));
  };
  config.environment.etc = mkIf (config.krebs.iana-etc.services != {})  {
    services.source = mkForce (pkgs.runCommand "krebs-iana-etc" {} ''
      exec < ${pkgs.iana_etc}/etc/services
      exec > $out
      awk -F '[ /]+' '
        BEGIN {
          port=0
        }
        ${concatMapStringsSep "\n" (entry: ''
          $2 == ${entry.port} {
            port=$2
            next
          }
          port == ${entry.port} {
            ${concatMapStringsSep "\n"
              (proto: let
                s = "${entry.${proto}.name} ${entry.port}/${proto}";
              in
                "print ${toJSON s}")
              (filter (proto: entry.${proto} != null) ["tcp" "udp"])}
            port=0
          }
        '') (attrValues config.krebs.iana-etc.services)}
        {
          print $0
        }
      '
    '');
  };
 }
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@ -74,6 +74,7 @@ in {
            "build.r"
            "build.hotdog.r"
            "cgit.hotdog.r"
            "irc.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -83,7 +83,7 @@ with import <stockholm/lib>;
      };
      nets = rec {
        internet = {
-          ip4.addr = "213.239.205.240";
+          ip4.addr = "46.4.114.247";
          aliases = [
            "prism.i"
            "paste.i"
@ -101,6 +101,47 @@ with import <stockholm/lib>;
            "paste.r"
            "p.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje
            fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo
            rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z
            ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB
            wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio
            /jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA
            BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C
            9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5
            Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu
            3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH
            TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb
            g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ
            kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg
            7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo
            7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz
            cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451
            k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0
            dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu
            ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i
            jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/
            AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE
            T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
    };
    archprism = rec {
      cores = 4;
      nets = rec {
        retiolum = {
          via = internet;
          ip4.addr = "10.243.0.104";
          ip6.addr = "42::fa17";
          aliases = [
            "archprism.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl
@ -112,6 +153,13 @@ with import <stockholm/lib>;
            -----END RSA PUBLIC KEY-----
          '';
        };
        internet = {
          ip4.addr = "213.239.205.240";
          aliases = [
            "archprism.i"
          ];
          ssh.port = 45621;
        };
      };
      ssh.privkey.path = <secrets/ssh.id_rsa>;
      ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQChm4sqQ2bUZj+2YnTf6G5HHRTpSe1jTUhJRnwcYPYZKF+CBqBncipRpuGlGXEsptNa+7ZMcQC0ySsz5SUOMt3Ih+NehVe/qt3VtRz0l0MgOWmH2qBwKK9Y4IuxrJQzUmP4UGlOGlFj9DORssSMOyFIG4eZ9k2qMn3xal0NVRfGTShKlouWsiUILZ8I+sDNE00z8DAYesgc1yazvRnjzvLkRxdNdpYiAFBbmXMpPKK95McRJaWsuNSeal9kd5p5PagWcgN4DZ6+ebzz3NKnmzk4j+vuHX0U9lTXBqKMlzzmM2YNLRtDPfrtJNyHqLpZUpFhJKqZCD+4/0zdrzRfC7Th+5czzUCSvHiKPVsqw5eOdiQX6EyzNAF5zpkpRp//QdUNNXC5/Ku6GKCO491+TuA8VCha0fOwBONccTLUI/hGNmCh88mLbukVoeGJrbYNCOA/6kEz7ZLEveU4i+TT7okhDElMsNk+AWCZ8/NdJQNX3/K6+JJ9qAn+/yC8LdjgYYJ2oU/aw5/HyOgiQ0z4n9UfQ7j+nHysY9CQb1b3guX7yjJoc3KpNXCXEztuIRHjFD1EP8NRTSmGjsa/VjLmTLSsqjD+7IE5mT0tO5RJvmagDgdJSr/iR5D9zjW7hx7ttvektrlp9g0v3CiCFVaW4l95hGYT0HaNBLJ5R0YHm0lD+Q==";
@ -384,8 +432,19 @@ with import <stockholm/lib>;
    eddie = {
      ci = false;
      external = true;
-      nets = {
+      nets = rec {
-        retiolum = {
+        internet = {
          ip4.addr = "129.215.90.4";
          aliases = [ "eddie.i" ];
        };
        retiolum = rec {
          via = internet;
          addrs = [
            # edinburgh university
            "129.215.0.0/16"
            ip4.addr
            ip6.addr
          ];
          ip4.addr = "10.243.29.170";
          ip6.addr = "42:4992:6a6d:700::1";
          aliases = [ "eddie.r" ];
@ -437,8 +496,13 @@ with import <stockholm/lib>;
    inspector = {
      ci = false;
      external = true;
-      nets = {
+      nets = rec {
        internet = {
          ip4.addr = "141.76.44.154";
          aliases = [ "inspector.i" ];
        };
        retiolum = {
          via = internet;
          ip4.addr = "10.243.29.172";
          ip6.addr = "42:4992:6a6d:800::1";
          aliases = [ "inspector.r" ];
@ -467,6 +531,10 @@ with import <stockholm/lib>;
      pubkey = builtins.readFile ./ssh/mors.rsa;
      pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
    };
    lass-android = {
      mail = "lassulus@gmail.com";
      pubkey = builtins.readFile ./ssh/android.rsa;
    };
    lass-helios = {
      mail = "lass@helios.r";
      pubkey = builtins.readFile ./ssh/helios.rsa;
@ -487,10 +555,14 @@ with import <stockholm/lib>;
    fritz = {
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
    };
-    prism-repo-sync = {
+    archprism-repo-sync = {
      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR9oL/OPHjjKjQ+IyRqWpgrXdZrKKAwFKIte8gYml6C";
      mail = "lass@prism.r";
    };
    prism-repo-sync = {
      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhpCKTnSq6VDJPB+0NiHu2ZxSKEIxHN6uPAPnbXYNCe";
      mail = "lass@prism.r";
    };
    mors-repo-sync = {
      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h";
      mail = "lass@mors.r";
--- a/krebs/3modules/lass/ssh/android.rsa
+++ b/krebs/3modules/lass/ssh/android.rsa
@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGgImN/9D4yJBjYlkAvT3X45kzt4n8hmgsqPcdcHWNC7fofWG4fZe8NNrTLdKsK+xYxTstj49l8Vb3YDvw4fAyyyhms/eFRlD2BRqAISwc39EIeTC4g3PXNeUtUGdczXKxsJf5iWf4kxUrUOuZ3FeKxeYXDMSqzzk1oKalhWNl4PmgRc5FzjeRJ2WziilwFq7ntLswoeTBW3c53fbcp3XuPza3M1/sN3NHJx9ZMpWVfJhZ/CXr+nqpc25ZIr5HZVZbgDTyJQimlTF5JCfU0NiiBIh7ep7x4o93tARmilit7+mWUkkxk6ba+zG6nr+s+zyd85AFAYRioOEczbC6mI44UZUB11KkEzOon5JWSA8pK+DPqsqhFkwWYMHLXZp8zemdp9kushRZ6nuI9MzBwacngro1vAvDL6jrS5MR7zf7rMAo6wexovWoEowvZz629mjC3OAt9iOm4VJdvEmq+rHLfjjznVEY6llF7DUu2QNEazaXhxZH9V9N1gyubIE97SQVqmwDrf8BGC0Hq+hC4OOweqfo4XP0etbqAfDozZbqcqyE1m9Bj8DpjrSXka1PuJf5fgEtoxPadd2qdiHMfIx9sM+4uu2nI5aFvWO3OlJmhF80QzNdFzZWjsyvJ24C1/a2FAyzoab1Sg9ljstQThseTtvlXcX8jfFn0U3RbgXgCgOWad3Oy9vA0OCdsHut0nzv3UO+T5+wv2+lvE3QSSKOlmVtdKMhCFb+Rg+FliKxyd820h9yR3wDYmkurVkAxaj8Kx5MaY/7aypOi8fRAV2FSDtCKkuMyPv4xEtdPi/4lj55pRBEO8lJkeb+WurCzZ7ZeaPdrW1YIQtToPpiz3dXeRhkts6jq8247xIplzHh9Iu18gOrnZ+ygn70g19x842vvcfLQNAghDPS93msJdSe+EtulMCwNTjUaF9LyzhW9ptLG9NmwgbT5kGsFiRw3BFdyfcQVWVzDhuP3hPPx+hjiZtFfpIKpxV9MjO1xQ830Ngk3JpSphMZTQ432yfvu9yEsUWmAa8ax1jxJ361AiIp0U2xioJmdVd3E2sxkpOUYqE89IR9X6hS3fH38Gc5IL5+BnhuZvRgXuA+nrqdU4pMB3TIoC5oXlOMRXpxaS91YiO4ERx2t6WkBRCoaDuRWnLpewV6lhjwi1+4Emlrs2q1R0K64emZTv7O1MKwWRHOlBJD3HLyCCS763OzYW4mEQcfBAQtbm6sTooJ+D/zbmYgbnZt0z/nP9R/n25pzlSPpZ49fCiRV7QN6D9mksISTz8qIiCzNBn1F7DUewXqkrdPopl4npeNVcOyyo7P1lFFGde+jq/7REdzD+vno1h9+17WZbyzQtlOyipQYzb6l4QuXq/zejJrELJAQdN4yRQq5NJzIh0HXaPnPC083T791moBflyqiwPEIWsSMfILqSqL1jVVNgvV4fHnMixgH2zK9f0EyE3fG9PnuRribPR2DlESqpHZTcBixgh660EPKh0gCLYoWKgU= lass-android@XperiaXCompact
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@ -4,6 +4,31 @@ with import <stockholm/lib>;
 {
  hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) {
    cake = rec {
      cores = 1;
      ci = false;
      nets = {
        retiolum = {
          ip4.addr = "10.243.136.236";
          ip6.addr  = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee1";
          aliases = [
            "cake.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEA0khdelSrOV/ZI9vvbV5aT1wVn2IfUfIdDCQIOnF2mZsrnIcuaedu
            jRfZnJST1vOfL7JksF1+8pYwSn34CjJCGhyFf25lc6mARXmZe/araNrVpTntCy2+
            MqG8KZe4mIda/WPTXRYGtFVQZeClM5SCZ7EECtw8sEkwt2QtOv43p/hiMXAkOQsq
            6xc9/b4Bry7d+IjJs3waKfFQllF+C+GuK8yF0YnCEb6GZw7xkxHIO1QV4KSQ4CH7
            36kEAdCSQ5rgaygRanUlUl+duQn1MLQ+lRlerAEcFfKrr3MKNz2jmGth8iUURdyP
            MHjSWe+RkLQ6zzBaVgoKKuI9MbIbhenJWwIDAQAB
            -----END RSA PUBLIC KEY-----
            '';
        };
      };
      ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGyJlI0YpIh/LiiPMseD2IBHg+uVGrkSy0MPNeD+Jv8Y cake";
    };
    drop = rec {
      ci = true;
      cores = 1;
@ -78,6 +103,37 @@ with import <stockholm/lib>;
        };
      };
    };
    latte = rec {
      ci = true;
      cores = 1;
      ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte";
      nets = {
        internet = {
          ip4.addr = "185.215.224.160";
          aliases = [
            "latte.i"
          ];
        };
        retiolum = {
          ip4.addr = "10.243.80.249";
          ip6.addr  = "42:ecb0:376:b37d:cf47:1ecf:f32b:a3b9";
          aliases = [
            "latte.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAx70gmNoP4RYeF3ShddEMsbNad9L5ezegwxJTZA7XTfF+/cwr/QwU
            5BL0QXTwBnKzS0gun5NXmhwPzvOdvfczAxtJLk8/NjVHFeE39CiTHGgIxkZFgnbo
            r2Rj6jJb89ZPaTr+hl0+0WQQVpl9NI7MTCUimvFBaD6IPmBh5wTySu6mYBs0mqmf
            43RrvS42ieqQJAvVPkIzxxJeTS/M3NXmjbJ3bdx/2Yzd7INdfPkMhOONHcQhTKS4
            GSXJRTytLYZEah8lp8F4ONggN6ixlhlcQAotToFP4s8c+KqYfIZrtP+pRj7W72Y6
            vhnobLDJwBbAsW1RQ6FHcw10TrP2H+haewIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
    };
    pnp = {
      ci = true;
@ -460,6 +516,8 @@ with import <stockholm/lib>;
          '';
        };
      };
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ZmJSypW3LXIJ67DdbxMxCfLtORFkl5jEuD131S5Tr";
    };
    gum = rec {
@ -522,7 +580,8 @@ with import <stockholm/lib>;
          '';
        };
      };
-      ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+      # configured manually
      # ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
    };
    shoney = rec {
@ -973,6 +1032,10 @@ with import <stockholm/lib>;
      inherit (makefu) mail pgp;
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOXG6iwvm6zUVk+OE9ZviO+WNosAHSZw4ku0RxWbXSlSG0RfzvV4IfByF3Dw+4a8yZQmjwNkQalUURh2fEqhBLBI9XNEIL7qIu17zheguyXzpE3Smy4pbI+fjdsnfFrw+WE2n/IO8N6ojdH6sMmnWwfkFZYqqofWyLB3WUN9wy2b2z0w/jc56+HxxyTl3rD7CttTs9ak67HqIn3/pNeHoOM+JQ/te8t4ageIlPi8yJJpqZgww1RUWCgPPwZ9DP6gQjo85he76x0h9jvhnFd7m9N1aGdRDcK55QyoY/9x07R24GRutohAB/KDWSkDWQv5BW7M1LCawpJcF3DDslD1i7 makefu@gum";
    };
    makefu-android = {
      inherit (makefu) mail pgp;
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoAtBa10AbiFXfYL4Za7e0CLeXJeH6FhMqVZFqElLkJBKmQ7c7WEMlnuRhEZWSFDXBpaS7p73s5MMOZA13uYv6fI2ipOOwE9Ej1EoMsrQGegBp2VDMo0wnr/sgTL1do+uGI85E/i0uFw0DYhXqlZQk1eK8SdgXYltiVL27IA3NG2kYuoTIvJgRnaPJjTbhLBWti3m586LuO+pBKtcTt1D9EV6wp+6Jum4owPtCgVPQaZfFGYWkEiINV83WX9HoIk4S3bTPLh8Kfp0je0xsioS4T9/cxSPgUie8MjSg0irvLJXRH0JOVuG5NvZTYhAAekwNkHll9CtypPrutjbrXPXf makefu@x";
    };
    makefu-bob = {
      inherit (makefu) mail pgp;
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+fEK1bCB8cdDiBzXBXEWLFQyp/7xjNGQ5GyqHOtgxxe6Ypb0kAaWJaG3Ak/qI/nToGKwkQJLsuYNA3lZj2rFyBdoxnNO3kRFTc7NoaU5mC2BlHbpmn9dzvgiBoRAKAlzj/022u65SI19AFciKXtwqQfjuB3mPVOFOfCFB2SYjjWb8ffPnHp6PB5KKNLxaVPCbZgOdSju25/wB2lY00W8WIDOTqfbNClQnjkLsUZpTuRnvpHTemKtt1FH+WBZiMwMXRt19rm9LFSO7pvrZjdJz0l1TZVsODkbKZzQzSixoCPmdpPPAYaqrGUQpmukXk0xQtR3E2jEsk+FJv4AkIKqD";
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@ -1,5 +1,5 @@
 { config, pkgs, lib, ... }:
 with import <stockholm/lib>;
 { config, pkgs, ... }:
 let
  out = {
    options.krebs.tinc = api;
@ -11,7 +11,7 @@ let
    description = ''
      define a tinc network
    '';
-    type = with types; attrsOf (submodule (tinc: {
+    type = types.attrsOf (types.submodule (tinc: {
      options = let
        netname = tinc.config._module.args.name;
      in {
@ -116,7 +116,7 @@ let
            phases = [ "installPhase" ];
            installPhase = ''
              mkdir $out
-              ${concatStrings (lib.mapAttrsToList (_: host: ''
+              ${concatStrings (mapAttrsToList (_: host: ''
                echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
                  > $out/${shell.escape host.name}
              '') tinc.config.hosts)}
--- a/krebs/5pkgs/simple/Reaktor/default.nix
+++ b/krebs/5pkgs/simple/Reaktor/default.nix
@ -8,7 +8,7 @@ python3Packages.buildPythonPackage rec {
  propagatedBuildInputs = with pkgs;[
    python3Packages.docopt
-    python3Packages.requests2
+    python3Packages.requests
  ];
  src = fetchurl {
    url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz";
--- a/krebs/5pkgs/simple/bepasty-client-cli/default.nix
+++ b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
@ -5,7 +5,7 @@ with pythonPackages; buildPythonPackage rec {
  propagatedBuildInputs = [
    python_magic
    click
-    requests2
+    requests
  ];
  src = fetchFromGitHub {
--- a/krebs/5pkgs/simple/cac-panel/default.nix
+++ b/krebs/5pkgs/simple/cac-panel/default.nix
@ -11,7 +11,7 @@ python3Packages.buildPythonPackage rec {
  propagatedBuildInputs = with python3Packages; [
    docopt
-    requests2
+    requests
    beautifulsoup4
  ];
 }
--- a/krebs/5pkgs/simple/git-preview.nix
+++ b/krebs/5pkgs/simple/git-preview.nix
@ -0,0 +1,17 @@
 { coreutils, git, writeDashBin }:
 writeDashBin "git-preview" ''
  set -efu
  head_commit=$(${git}/bin/git log -1 --format=%H)
  merge_commit=$1; shift
  merge_message='Merge for git-preview'
  preview_dir=$(${coreutils}/bin/mktemp --tmpdir -d git-preview.XXXXXXXX)
  preview_branch=$(${coreutils}/bin/basename "$preview_dir")
  ${git}/bin/git worktree add -b "$preview_branch" "$preview_dir" >/dev/null
  ${git}/bin/git -C "$preview_dir" checkout "$head_commit"
  ${git}/bin/git -C "$preview_dir" merge -m "$merge_message" "$merge_commit"
  ${git}/bin/git -C "$preview_dir" diff "$head_commit.." "$@" &
  ${git}/bin/git branch -fd "$preview_branch"
  ${coreutils}/bin/rm -fR "$preview_dir"
  wait
 ''
--- a/krebs/5pkgs/simple/treq/default.nix
+++ b/krebs/5pkgs/simple/treq/default.nix
@ -11,7 +11,7 @@ pythonPackages.buildPythonPackage rec {
  propagatedBuildInputs = with pythonPackages; [
    twisted
    pyopenssl
-    requests2
+    requests
    service-identity
  ];
 }
--- a/krebs/5pkgs/simple/urlwatch/default.nix
+++ b/krebs/5pkgs/simple/urlwatch/default.nix
@ -13,7 +13,7 @@ python3Packages.buildPythonPackage rec {
    minidb
    pycodestyle
    pyyaml
-    requests2
+    requests
  ];
  meta = {
--- a/krebs/source.nix
+++ b/krebs/source.nix
@ -14,6 +14,6 @@ in
    stockholm.file = toString <stockholm>;
    nixpkgs.git = {
      url = https://github.com/NixOS/nixpkgs;
-      ref = "8ed299faacbf8813fc47b4fca34f32b835d6481e"; # nixos-17.03 @ 2017-09-09
+      ref = "07ca7b64d2ff2fa7a79e4eab1aba70ff746fed8c"; # nixos-17.09 @ 2017-10-02
    };
  }
--- a/lass/1systems/archprism/config.nix
+++ b/lass/1systems/archprism/config.nix
@ -0,0 +1,328 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
 let
  ip = config.krebs.build.host.nets.internet.ip4.addr;
 in {
  imports = [
    <stockholm/lass>
    {
      networking.interfaces.et0.ip4 = [
        {
          address = ip;
          prefixLength = 24;
        }
      ];
      networking.defaultGateway = "213.239.205.225";
      networking.nameservers = [
        "8.8.8.8"
      ];
      services.udev.extraRules = ''
        SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0"
      '';
    }
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/exim-smarthost.nix>
    #<stockholm/lass/2configs/downloading.nix>
    <stockholm/lass/2configs/ts3.nix>
    <stockholm/lass/2configs/bitlbee.nix>
    <stockholm/lass/2configs/weechat.nix>
    <stockholm/lass/2configs/privoxy-retiolum.nix>
    <stockholm/lass/2configs/radio.nix>
    <stockholm/lass/2configs/repo-sync.nix>
    <stockholm/lass/2configs/binary-cache/server.nix>
    <stockholm/lass/2configs/iodined.nix>
    <stockholm/lass/2configs/libvirt.nix>
    <stockholm/lass/2configs/hfos.nix>
    <stockholm/lass/2configs/monitoring/server.nix>
    <stockholm/lass/2configs/monitoring/monit-alarms.nix>
    <stockholm/lass/2configs/paste.nix>
    <stockholm/lass/2configs/syncthing.nix>
    #<stockholm/lass/2configs/reaktor-coders.nix>
    <stockholm/lass/2configs/ciko.nix>
    <stockholm/lass/2configs/container-networking.nix>
    #<stockholm/lass/2configs/reaktor-krebs.nix>
    #{
    #  lass.pyload.enable = true;
    #}
    {
      imports = [
        <stockholm/lass/2configs/bepasty.nix>
      ];
      krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
        if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
          return 403;
        }
      '';
    }
    {
      users.extraGroups = {
        # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
        #    Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
        #    Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
        #      Docs: man:tmpfiles.d(5)
        #            man:systemd-tmpfiles(8)
        #   Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
        #  Main PID: 19272 (code=exited, status=1/FAILURE)
        #
        # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
        # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
        # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
        # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
        # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
        # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
        # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
        # warning: error(s) occured while switching to the new configuration
        lock.gid = 10001;
      };
    }
    {
      boot.loader.grub = {
        devices = [
          "/dev/sda"
          "/dev/sdb"
        ];
        splashImage = null;
      };
      boot.initrd.availableKernelModules = [
        "ata_piix"
        "vmw_pvscsi"
      ];
      fileSystems."/" = {
        device = "/dev/pool/nix";
        fsType = "ext4";
      };
      fileSystems."/boot" = {
        device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36";
      };
      fileSystems."/var/download" = {
        device = "/dev/pool/download";
      };
      fileSystems."/srv/http" = {
        device = "/dev/pool/http";
      };
      fileSystems."/srv/o.ubikmedia.de-data" = {
        device = "/dev/pool/owncloud-ubik-data";
      };
      fileSystems."/bku" = {
        device = "/dev/pool/bku";
      };
      fileSystems."/tmp" = {
        device = "tmpfs";
        fsType = "tmpfs";
        options = ["nosuid" "nodev" "noatime"];
      };
    }
    {
      sound.enable = false;
    }
    {
      nixpkgs.config.allowUnfree = true;
    }
    {
      #stuff for juhulian
      users.extraUsers.juhulian = {
        name = "juhulian";
        uid = 1339;
        home = "/home/juhulian";
        group = "users";
        createHome = true;
        useDefaultShell = true;
        extraGroups = [
        ];
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
        ];
      };
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
      ];
    }
    {
      environment.systemPackages = [
        pkgs.perlPackages.Plack
      ];
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport 8080"; target = "ACCEPT";}
      ];
    }
    {
      time.timeZone = "Europe/Berlin";
    }
    {
      imports = [
        <stockholm/lass/2configs/websites/domsen.nix>
        <stockholm/lass/2configs/websites/lassulus.nix>
      ];
      krebs.iptables.tables.filter.INPUT.rules = [
         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
      ];
    }
    {
      services.tor = {
        enable = true;
      };
    }
    {
      lass.ejabberd = {
        enable = true;
        hosts = [ "lassul.us" ];
      };
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
        { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
      ];
    }
    {
      imports = [
        <stockholm/lass/2configs/realwallpaper.nix>
      ];
      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
        alias /var/realwallpaper/realwallpaper.png;
      '';
    }
    {
      environment.systemPackages = with pkgs; [
        mk_sql_pair
      ];
    }
    {
      users.users.tv = {
        uid = genid "tv";
        inherit (config.krebs.users.tv) home;
        group = "users";
        createHome = true;
        useDefaultShell = true;
        openssh.authorizedKeys.keys = [
          config.krebs.users.tv.pubkey
        ];
      };
      users.users.makefu = {
        uid = genid "makefu";
        isNormalUser = true;
        openssh.authorizedKeys.keys = [
          config.krebs.users.makefu.pubkey
        ];
      };
      users.users.nin = {
        uid = genid "nin";
        inherit (config.krebs.users.nin) home;
        group = "users";
        createHome = true;
        useDefaultShell = true;
        openssh.authorizedKeys.keys = [
          config.krebs.users.nin.pubkey
        ];
        extraGroups = [
          "libvirtd"
        ];
      };
    }
    {
      krebs.repo-sync.timerConfig = {
        OnBootSec = "15min";
        OnUnitInactiveSec = "90min";
        RandomizedDelaySec = "30min";
      };
      krebs.repo-sync.repos.stockholm.timerConfig = {
        OnBootSec = "5min";
        OnUnitInactiveSec = "2min";
        RandomizedDelaySec = "2min";
      };
    }
    {
      lass.usershadow = {
        enable = true;
      };
    }
    #{
    #  krebs.Reaktor.prism = {
    #    nickname = "Reaktor|lass";
    #    channels = [ "#retiolum" ];
    #    extraEnviron = {
    #      REAKTOR_HOST = "ni.r";
    #    };
    #    plugins = with pkgs.ReaktorPlugins; [
    #      sed-plugin
    #    ];
    #  };
    #}
    {
      #stuff for dritter
      users.extraUsers.dritter = {
        name = "dritter";
        uid = genid "dritter";
        home = "/home/dritter";
        group = "users";
        createHome = true;
        useDefaultShell = true;
        extraGroups = [
          "download"
        ];
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
        ];
      };
    }
    {
      #hotdog
      containers.hotdog = {
        config = { ... }: {
          services.openssh.enable = true;
          users.users.root.openssh.authorizedKeys.keys = [
            config.krebs.users.lass.pubkey
          ];
        };
        enableTun = true;
        privateNetwork = true;
        hostAddress = "10.233.2.1";
        localAddress = "10.233.2.2";
      };
    }
    {
      #kaepsele
      containers.kaepsele = {
        config = { ... }: {
          services.openssh.enable = true;
          users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
            lass.pubkey
            tv.pubkey
          ];
        };
        enableTun = true;
        privateNetwork = true;
        hostAddress = "10.233.2.3";
        localAddress = "10.233.2.4";
      };
    }
    {
      #onondaga
      containers.onondaga = {
        config = { ... }: {
          services.openssh.enable = true;
          users.users.root.openssh.authorizedKeys.keys = [
            config.krebs.users.lass.pubkey
            config.krebs.users.nin.pubkey
          ];
        };
        enableTun = true;
        privateNetwork = true;
        hostAddress = "10.233.2.4";
        localAddress = "10.233.2.5";
      };
    }
  ];
  krebs.build.host = config.krebs.hosts.archprism;
 }
--- a/lass/1systems/archprism/source.nix
+++ b/lass/1systems/archprism/source.nix
@ -0,0 +1,3 @@
 import <stockholm/lass/source.nix> {
  name = "archprism";
 }
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@ -9,6 +9,8 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/backups.nix>
    <stockholm/lass/2configs/games.nix>
    <stockholm/lass/2configs/steam.nix>
    {
      # bubsy config
      users.users.bubsy = {
@ -34,6 +36,7 @@ with import <stockholm/lib>;
        hexchat
        networkmanagerapplet
        libreoffice
        audacity
      ];
      services.xserver.enable = true;
      services.xserver.displayManager.lightdm.enable = true;
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@ -11,7 +11,7 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/otp-ssh.nix>
    <stockholm/lass/2configs/git.nix>
-    <stockholm/lass/2configs/fetchWallpaper.nix>
+    <stockholm/lass/2configs/dcso-vpn.nix>
    { # automatic hardware detection
      boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
      boot.kernelModules = [ "kvm-intel" ];
@ -45,7 +45,19 @@ with import <stockholm/lib>;
    {
      services.xserver.dpi = 200;
      fonts.fontconfig.dpi = 200;
-      lass.myFont = "-schumacher-clean-*-*-*-*-25-*-*-*-*-*-iso10646-1";
+      lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola";
      lass.fonts.bold =    "xft:Hack-Bold:pixelsize=22,xft:Symbola";
      lass.fonts.italic =  "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol";
    }
    { #TAPIR, AGATIS, sentral, a3 - foo
      services.redis.enable = true;
    }
    {
      krebs.fetchWallpaper = {
        enable = true;
        url = "http://i.imgur.com/0ktqxSg.png";
        maxTime = 9001;
      };
    }
  ];
  krebs.build.host = config.krebs.hosts.helios;
@ -66,6 +78,7 @@ with import <stockholm/lib>;
  hardware.enableRedistributableFirmware = true;
  environment.systemPackages = with pkgs; [
    ag
    vim
    rxvt_unicode
    git
@ -84,4 +97,22 @@ with import <stockholm/lib>;
  programs.ssh.startAgent = lib.mkForce true;
  services.tlp.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];
  services.xserver.xrandrHeads = [
    { output = "DP-0.8"; }
    { output = "DP-4"; monitorConfig = ''Option "Rotate" "right"''; }
    { output = "DP-2"; primary = true; }
  ];
  security.pki.certificateFiles = [
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
  ];
 }
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -157,4 +157,38 @@ with import <stockholm/lib>;
  krebs.repo-sync.timerConfig = {
    OnCalendar = "00:37";
  };
  environment.shellAliases = {
    deploy = pkgs.writeDash "deploy" ''
      set -eu
      export PATH=${makeBinPath [
        pkgs.bash
        pkgs.coreutils
        pkgs.nix
        (pkgs.writeDashBin "is-git-crypt-locked" ''
          magic=$(dd status=none if="$1" skip=1 bs=1 count=8)
          test "$magic" = GITCRYPT
        '')
      ]}
      cd ~/stockholm
      export SYSTEM="$1"
      if is-git-crypt-locked ~/secrets/ready; then
        echo 'secrets are crypted' >&2
        exit 23
      else
        exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
      fi
    '';
    predeploy = pkgs.writeDash "predeploy" ''
      set -eu
      export PATH=${makeBinPath [
        pkgs.bash
        pkgs.coreutils
        pkgs.nix
      ]}
      cd ~/stockholm
      export SYSTEM="$1"
      exec nix-shell -I stockholm="$PWD" --run 'test --system="$SYSTEM" --target="$SYSTEM/var/test/" --force-populate'
    '';
  };
 }
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -11,73 +11,20 @@ in {
      networking.interfaces.et0.ip4 = [
        {
          address = ip;
-          prefixLength = 24;
+          prefixLength = 27;
        }
      ];
-      networking.defaultGateway = "213.239.205.225";
+      networking.defaultGateway = "46.4.114.225";
      networking.nameservers = [
        "8.8.8.8"
      ];
      services.udev.extraRules = ''
-        SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0"
+        SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
      '';
    }
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/exim-smarthost.nix>
    <stockholm/lass/2configs/downloading.nix>
    <stockholm/lass/2configs/ts3.nix>
    <stockholm/lass/2configs/bitlbee.nix>
    <stockholm/lass/2configs/weechat.nix>
    <stockholm/lass/2configs/privoxy-retiolum.nix>
    <stockholm/lass/2configs/radio.nix>
    <stockholm/lass/2configs/repo-sync.nix>
    <stockholm/lass/2configs/binary-cache/server.nix>
    <stockholm/lass/2configs/iodined.nix>
    <stockholm/lass/2configs/libvirt.nix>
    <stockholm/lass/2configs/hfos.nix>
    <stockholm/lass/2configs/monitoring/server.nix>
    <stockholm/lass/2configs/monitoring/monit-alarms.nix>
    <stockholm/lass/2configs/paste.nix>
    <stockholm/lass/2configs/syncthing.nix>
    <stockholm/lass/2configs/reaktor-coders.nix>
    <stockholm/lass/2configs/ciko.nix>
    <stockholm/lass/2configs/container-networking.nix>
    <stockholm/lass/2configs/reaktor-krebs.nix>
    {
      lass.pyload.enable = true;
    }
    {
      imports = [
        <stockholm/lass/2configs/bepasty.nix>
      ];
      krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
        if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
          return 403;
        }
      '';
    }
    {
-      users.extraGroups = {
+      imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
-        # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+
        #    Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
        #    Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
        #      Docs: man:tmpfiles.d(5)
        #            man:systemd-tmpfiles(8)
        #   Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
        #  Main PID: 19272 (code=exited, status=1/FAILURE)
        #
        # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
        # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
        # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
        # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
        # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
        # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
        # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
        # warning: error(s) occured while switching to the new configuration
        lock.gid = 10001;
      };
    }
    {
      boot.loader.grub = {
        devices = [
          "/dev/sda"
@ -89,126 +36,103 @@ in {
      boot.initrd.availableKernelModules = [
        "ata_piix"
        "vmw_pvscsi"
        "ahci" "sd_mod"
      ];
      boot.kernelModules = [ "kvm-intel" ];
      fileSystems."/" = {
-        device = "/dev/pool/nix";
+        device = "/dev/pool/nix_root";
        fsType = "ext4";
      };
      fileSystems."/boot" = {
        device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36";
      };
      fileSystems."/var/download" = {
        device = "/dev/pool/download";
      };
      fileSystems."/srv/http" = {
        device = "/dev/pool/http";
      };
      fileSystems."/srv/o.ubikmedia.de-data" = {
        device = "/dev/pool/owncloud-ubik-data";
      };
      fileSystems."/bku" = {
        device = "/dev/pool/bku";
      };
      fileSystems."/tmp" = {
        device = "tmpfs";
        fsType = "tmpfs";
        options = ["nosuid" "nodev" "noatime"];
      };
-    }
+      fileSystems."/var/download" = {
-    {
+        device = "/dev/pool/download";
-      sound.enable = false;
+        fsType = "ext4";
    }
    {
      nixpkgs.config.allowUnfree = true;
    }
    {
      #stuff for juhulian
      users.extraUsers.juhulian = {
        name = "juhulian";
        uid = 1339;
        home = "/home/juhulian";
        group = "users";
        createHome = true;
        useDefaultShell = true;
        extraGroups = [
        ];
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
        ];
      };
-      krebs.iptables.tables.filter.INPUT.rules = [
+
-        { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+      fileSystems."/srv/http" = {
        device = "/dev/pool/http";
        fsType = "ext4";
      };
      fileSystems."/home" = {
        device = "/dev/pool/home";
        fsType = "ext4";
      };
      swapDevices = [
        { label = "swap1"; }
        { label = "swap2"; }
      ];
-    }
+
-    {
+      sound.enable = false;
-      environment.systemPackages = [
+      nixpkgs.config.allowUnfree = true;
        pkgs.perlPackages.Plack
      ];
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport 8080"; target = "ACCEPT";}
      ];
    }
    {
      users.users.chat.openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDjesiOnhpT9XgWZqw/64M5lVQg3q0k22BtMyCv+33sGX8VmfTyD11GuwSjNGf5WiswKLqFvYBQsHfDDtS3k0ZNTDncGw3Pbilm6QoCuHEyDPaQYin0P+JmkocrL/6QF5uhZVFnsXCH5wntwOa00VFGwpMgQYSfRlReRx42Pu9Jk+iJduZMRBbOMvJI68Z7iJ4DgW/1U9J4MQdCsk7QlFgUstQQfV1zk4VfVfXuxDP3hjx6Q05nDChjpmzJbFunzb7aiy/1/Sl0QhROTpvxrQLksg7yYLw4BRs9ptjehX45A2Sxi8WKOb/g5u3xJNy0X07rE+N+o5v2hS7wF0DLQdK5+4TGtO+Y+ABUCqqA+T1ynAjNBWvsgY5uD4PZjuPgCMSw0JBmIy/P0THi3v5/8Cohvfnspl7Jpf80qENMu3unvvE9EePzgSRZY1PvDjPQfkWy0yBX1yQMhHuVGke9QgaletitwuahRujml37waeUuOl8Rpz+2iV+6OIS4tfO368uLFHKWbobXTbTDXODBgxZ/IyvO7vxM2uDX/kIWaeYKrip3nSyWBYnixwrcS4vm6ZQcoejwp2KCfGQwIE4MnGYRlwcOEYjvyjLkZHDiZEivUQ0rThMYBzec8bQ08QW8oxF+NXkFKG3awt3f7TKTRkYqQcOMpFKmV24KDiwgwm0miQ== JuiceSSH"
      ];
    }
    {
      time.timeZone = "Europe/Berlin";
    }
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/libvirt.nix>
    {
      services.nginx.enable = true;
      imports = [
        <stockholm/lass/2configs/websites/domsen.nix>
        <stockholm/lass/2configs/websites/lassulus.nix>
      ];
      # needed by domsen.nix ^^
      lass.usershadow = {
        enable = true;
      };
      krebs.iptables.tables.filter.INPUT.rules = [
         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
      ];
    }
-    {
+    { # TODO make new hfos.nix out of this vv
-      services.tor = {
+      users.users.riot = {
-        enable = true;
+        uid = genid "riot";
        isNormalUser = true;
        extraGroups = [ "libvirtd" ];
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
        ];
      };
-    }
+
-    {
+      # TODO write function for proxy_pass (ssl/nonssl)
-      lass.ejabberd = {
+      services.nginx.virtualHosts."hackerfleet.de" = {
-        enable = true;
+        serverAliases = [
-        hosts = [ "lassul.us" ];
+          "*.hackerfleet.de"
        ];
        locations."/".extraConfig = ''
          proxy_pass http://192.168.122.92:80;
        '';
      };
      services.nginx.virtualHosts."hackerfleet.de-s" = {
        serverName = "hackerfleet.de";
        listen = [
          {
            addr = "0.0.0.0";
            port = 443;
          }
        ];
        serverAliases = [
          "*.hackerfleet.de"
        ];
        locations."/".extraConfig = ''
          proxy_pass http://192.168.122.92:443;
        '';
      };
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
        { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
      ];
    }
    {
      imports = [
        <stockholm/lass/2configs/realwallpaper.nix>
      ];
      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
        alias /var/realwallpaper/realwallpaper.png;
      '';
    }
    {
      environment.systemPackages = with pkgs; [
        mk_sql_pair
      ];
    }
    {
      users.users.tv = {
        uid = genid "tv";
-        inherit (config.krebs.users.tv) home;
+        isNormalUser = true;
        group = "users";
        createHome = true;
        useDefaultShell = true;
        openssh.authorizedKeys.keys = [
          config.krebs.users.tv.pubkey
        ];
@ -222,56 +146,14 @@ in {
      };
      users.users.nin = {
        uid = genid "nin";
-        inherit (config.krebs.users.nin) home;
+        isNormalUser = true;
        group = "users";
        createHome = true;
        useDefaultShell = true;
        openssh.authorizedKeys.keys = [
          config.krebs.users.nin.pubkey
        ];
        extraGroups = [
          "libvirtd"
        ];
      };
    }
    {
      krebs.repo-sync.timerConfig = {
        OnBootSec = "15min";
        OnUnitInactiveSec = "90min";
        RandomizedDelaySec = "30min";
      };
      krebs.repo-sync.repos.stockholm.timerConfig = {
        OnBootSec = "5min";
        OnUnitInactiveSec = "2min";
        RandomizedDelaySec = "2min";
      };
    }
    {
      lass.usershadow = {
        enable = true;
      };
    }
    {
      krebs.Reaktor.prism = {
        nickname = "Reaktor|lass";
        channels = [ "#retiolum" ];
        extraEnviron = {
          REAKTOR_HOST = "ni.r";
        };
        plugins = with pkgs.ReaktorPlugins; [
          sed-plugin
        ];
      };
    }
    {
      #stuff for dritter
      users.extraUsers.dritter = {
        name = "dritter";
        uid = genid "dritter";
-        home = "/home/dritter";
+        isNormalUser = true;
        group = "users";
        createHome = true;
        useDefaultShell = true;
        extraGroups = [
          "download"
        ];
@ -279,6 +161,13 @@ in {
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
        ];
      };
      users.extraUsers.juhulian = {
        uid = 1339;
        isNormalUser = true;
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
        ];
      };
    }
    {
      #hotdog
@ -327,7 +216,65 @@ in {
        localAddress = "10.233.2.5";
      };
    }
    <stockholm/lass/2configs/exim-smarthost.nix>
    <stockholm/lass/2configs/ts3.nix>
    <stockholm/lass/2configs/bitlbee.nix>
    <stockholm/lass/2configs/weechat.nix>
    <stockholm/lass/2configs/privoxy-retiolum.nix>
    <stockholm/lass/2configs/radio.nix>
    <stockholm/lass/2configs/repo-sync.nix>
    <stockholm/lass/2configs/binary-cache/server.nix>
    <stockholm/lass/2configs/iodined.nix>
    <stockholm/lass/2configs/monitoring/server.nix>
    <stockholm/lass/2configs/monitoring/monit-alarms.nix>
    <stockholm/lass/2configs/paste.nix>
    <stockholm/lass/2configs/syncthing.nix>
    <stockholm/lass/2configs/reaktor-coders.nix>
    <stockholm/lass/2configs/ciko.nix>
    <stockholm/lass/2configs/container-networking.nix>
    { # quasi bepasty.nix
      imports = [
        <stockholm/lass/2configs/bepasty.nix>
      ];
      krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
        if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
          return 403;
        }
      '';
    }
    {
      services.tor = {
        enable = true;
      };
    }
    {
      lass.ejabberd = {
        enable = true;
        hosts = [ "lassul.us" ];
      };
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
        { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
      ];
    }
    {
      imports = [
        <stockholm/lass/2configs/realwallpaper.nix>
      ];
      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
        alias /var/realwallpaper/realwallpaper.png;
      '';
    }
    {
      services.minecraft-server.enable = true;
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
        { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
      ];
    }
  ];
  krebs.build.host = config.krebs.hosts.prism;
  # workaround because grub store paths are broken
  boot.copyKernels = true;
 }
--- a/lass/1systems/prism/source.nix
+++ b/lass/1systems/prism/source.nix
@ -1,3 +1,4 @@
 with import <stockholm/lib>;
 import <stockholm/lass/source.nix> {
  name = "prism";
 }
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -28,9 +28,19 @@ in {
      '';
    }
    { #font magic
-      options.lass.myFont = mkOption {
+      options.lass.fonts = {
-        type = types.str;
+        regular = mkOption {
-        default = "-schumacher-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
+          type = types.str;
          default = "xft:Hack-Regular:pixelsize=11,xft:Symbola";
        };
        bold = mkOption {
          type = types.str;
          default = "xft:Hack-Bold:pixelsize=11,xft:Symbola";
        };
        italic = mkOption {
          type = types.str;
          default = "xft:Hack-RegularOblique:pixelsize=11,xft:Symbol";
        };
      };
    }
  ];
@ -82,8 +92,11 @@ in {
    termite
  ];
-  fonts.fonts = [
+  fonts.fonts = with pkgs; [
-    pkgs.xlibs.fontschumachermisc
+    hack-font
    hasklig
    symbola
    xlibs.fontschumachermisc
  ];
  services.xserver = {
--- a/lass/2configs/bepasty.nix
+++ b/lass/2configs/bepasty.nix
@ -31,7 +31,6 @@ in {
    } //
    genAttrs ext-doms (ext-dom: {
      nginx = {
        enableSSL = true;
        forceSSL = true;
        enableACME = true;
      };
--- a/lass/2configs/binary-cache/client.nix
+++ b/lass/2configs/binary-cache/client.nix
@ -8,6 +8,7 @@
    ];
    binaryCachePublicKeys = [
      "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
      "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
      "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
    ];
  };
--- a/lass/2configs/copyq.nix
+++ b/lass/2configs/copyq.nix
@ -25,12 +25,15 @@ in {
    environment = {
      DISPLAY = ":0";
    };
    path = with pkgs; [
      qt5.full
    ];
    serviceConfig = {
      SyslogIdentifier = "copyq";
      ExecStart = "${pkgs.copyq}/bin/copyq";
      ExecStartPost = copyqConfig;
      Restart = "always";
-      RestartSec = "2s";
+      RestartSec = "15s";
      StartLimitBurst = 0;
      User = "lass";
    };
--- a/lass/2configs/dcso-vpn.nix
+++ b/lass/2configs/dcso-vpn.nix
@ -0,0 +1,44 @@
 with import <stockholm/lib>;
 { ... }:
 {
  users.extraUsers = {
    dcsovpn = rec {
      name = "dcsovpn";
      uid = genid "dcsovpn";
      description = "user for running dcso openvpn";
      home = "/home/${name}";
    };
  };
  users.extraGroups.dcsovpn.gid = genid "dcsovpn";
  services.openvpn.servers = {
    dcso = {
      config = ''
        client
        dev tun
        tun-mtu 1356
        mssfix
        proto udp
        float
        remote 217.111.55.41 1194
        nobind
        user dcsovpn
        group dcsovpn
        persist-key
        persist-tun
        ca ${toString <secrets/dcsovpn/ca.pem>}
        cert ${toString <secrets/dcsovpn/cert.pem>}
        key ${toString <secrets/dcsovpn/cert.key>}
        verb 3
        mute 20
        auth-user-pass ${toString <secrets/dcsovpn/login.txt>}
        route-method exe
        route-delay 2
      '';
      updateResolvConf = true;
    };
  };
 }
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@ -119,6 +119,7 @@ with import <stockholm/lib>;
    aria2
  #neat utils
    file
    kpaste
    krebspaste
    mosh
--- a/lass/2configs/dns-stuff.nix
+++ b/lass/2configs/dns-stuff.nix
@ -4,7 +4,12 @@ with import <stockholm/lib>;
  services.dnscrypt-proxy = {
    enable = true;
    localAddress = "127.1.0.1";
-    resolverName = "cs-de";
+    customResolver = {
      address = config.krebs.hosts.gum.nets.internet.ip4.addr;
      port = 15251;
      name = "2.dnscrypt-cert.euer.krebsco.de";
      key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
    };
  };
  services.dnsmasq = {
    enable = true;
@ -17,8 +22,6 @@ with import <stockholm/lib>;
      all-servers
      dnssec
      trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
      address=/blog/127.0.0.1
      address=/blog/::1
      rebind-domain-ok=/onion/
      server=/.onion/127.0.0.1#9053
      port=53
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@ -43,6 +43,8 @@ with import <stockholm/lib>;
      { from = "radio@lassul.us"; to = lass.mail; }
      { from = "btce@lassul.us"; to = lass.mail; }
      { from = "raf@lassul.us"; to = lass.mail; }
      { from = "apple@lassul.us"; to = lass.mail; }
      { from = "coinbase@lassul.us"; to = lass.mail; }
    ];
    system-aliases = [
      { from = "mailer-daemon"; to = "postmaster"; }
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@ -3,6 +3,6 @@
 with import <stockholm/lib>;
 {
  nix.gc = {
-    automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
+    automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
  };
 }
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@ -53,6 +53,10 @@ let
      cgit.desc = "Good Music collection + tools";
      cgit.section  = "art";
    };
    nix-user-chroot = {
      cgit.desc = "Fork of nix-user-chroot my lethalman";
      cgit.section = "software";
    };
  } // mapAttrs make-public-repo-silent {
  };
@ -73,8 +77,8 @@ let
      post-receive = pkgs.git-hooks.irc-announce {
        # TODO make nick = config.krebs.build.host.name the default
        nick = config.krebs.build.host.name;
-        channel = "#retiolum";
+        channel = "#xxx";
-        server = "ni.r";
+        server = "irc.r";
        verbose = config.krebs.build.host.name == "prism";
        # TODO define branches in some kind of option per repo
        branches = [ "master" "staging*" ];
@ -94,8 +98,8 @@ let
      post-receive = pkgs.git-hooks.irc-announce {
        # TODO make nick = config.krebs.build.host.name the default
        nick = config.krebs.build.host.name;
-        channel = "#retiolum";
+        channel = "#xxx";
-        server = "ni.r";
+        server = "irc.r";
        verbose = true;
        # TODO define branches in some kind of option per repo
        branches = [ "master" "staging*" ];
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@ -74,12 +74,9 @@ let
    virtual-mailboxes \
        "Unread"    "notmuch://?query=tag:unread"\
        "INBOX"     "notmuch://?query=tag:inbox \
                     and NOT tag:killed \
                     and NOT to:shackspace \
                     and NOT to:c-base \
                     and NOT from:security-alert@hpe.com \
                     and NOT to:nix-devel\
-                     and NOT to:radio"\
+                     and NOT to:shackspace\
                     and NOT to:c-base" \
        "shack"     "notmuch://?query=to:shackspace"\
        "c-base"    "notmuch://?query=to:c-base"\
        "security"  "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
--- a/lass/2configs/monitoring/monit-alarms.nix
+++ b/lass/2configs/monitoring/monit-alarms.nix
@ -6,7 +6,7 @@ let
      set -euf
      export LOGNAME=prism-alarm
      ${pkgs.irc-announce}/bin/irc-announce \
-        ni.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
+        irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
    '';
 in {
--- a/lass/2configs/monitoring/server.nix
+++ b/lass/2configs/monitoring/server.nix
@ -29,7 +29,7 @@ with import <stockholm/lib>;
        data="$(${pkgs.jq}/bin/jq -r .message)"
        export LOGNAME=prism-alarm
        ${pkgs.irc-announce}/bin/irc-announce \
-          ni.r 6667 prism-alarm \#noise "$data" >/dev/null
+          irc.r 6667 prism-alarm \#noise "$data" >/dev/null
      '';
    in {
      enable = true;
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@ -3,7 +3,8 @@
 {
  krebs.per-user.lass.packages = with pkgs; [
    pass
-    gnupg1
+    gnupg
  ];
  programs.gnupg.agent.enable = true;
 }
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@ -15,8 +15,8 @@ let
        post-receive = pkgs.git-hooks.irc-announce {
          nick = config.networking.hostName;
          verbose = false;
-          channel = "#retiolum";
+          channel = "#xxx";
-          server = "ni.r";
+          server = "irc.r";
          branches = [ "newest" ];
        };
      });
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@ -5,7 +5,7 @@ let
  out = {
    environment.systemPackages = [
      (hiPrio vim)
-      pkgs.pythonPackages.flake8
+      pkgs.python35Packages.flake8
    ];
    environment.etc.vimrc.source = vimrc;
@ -97,13 +97,17 @@ let
    noremap <esc>[b <nop> | noremap! <esc>[b <nop>
    noremap <esc>[c <nop> | noremap! <esc>[c <nop>
    noremap <esc>[d <nop> | noremap! <esc>[d <nop>
-    vnoremap u <nop>
+
    let g:ackprg = 'ag --vimgrep'
    cnoreabbrev Ack Ack!
  '';
  extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
    pkgs.vimPlugins.ack-vim
    pkgs.vimPlugins.Gundo
    pkgs.vimPlugins.Syntastic
    pkgs.vimPlugins.undotree
    pkgs.vimPlugins.vim-go
    (pkgs.vimUtils.buildVimPlugin {
      name = "file-line-1.0";
      src = pkgs.fetchFromGitHub {
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@ -73,17 +73,6 @@ in {
      allowKeysForGroup = true;
      group = "lasscert";
    };
    certs."cgit.lassul.us" = {
      email = "lassulus@gmail.com";
      webroot = "/var/lib/acme/acme-challenges";
      plugins = [
        "account_key.json"
        "key.pem"
        "fullchain.pem"
      ];
      group = "nginx";
      allowKeysForGroup = true;
    };
  };
  krebs.tinc_graphs.enable = true;
@ -119,8 +108,8 @@ in {
  ];
  services.nginx.virtualHosts."lassul.us" = {
    addSSL = true;
    enableACME = true;
    serverAliases = [ "lassul.us" ];
    locations."/".extraConfig = ''
      root /srv/http/lassul.us;
    '';
@ -158,30 +147,12 @@ in {
    in ''
      alias ${initscript};
    '';
    enableSSL = true;
    extraConfig = ''
      listen 80;
      listen [::]:80;
    '';
    sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
    sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
  };
  services.nginx.virtualHosts.cgit = {
-    serverAliases = [
+    serverName = "cgit.lassul.us";
-      "cgit.lassul.us"
+    addSSL = true;
-    ];
+    enableACME = true;
    locations."/.well-known/acme-challenge".extraConfig = ''
      root /var/lib/acme/acme-challenges;
    '';
    enableSSL = true;
    extraConfig = ''
      listen 80;
      listen [::]:80;
    '';
    sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
    sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
  };
  users.users.blog = {
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@ -3,12 +3,13 @@
 {
  krebs.secret.files.mysql_rootPassword = {
    path = "${config.services.mysql.dataDir}/mysql_rootPassword";
-    owner.name = "root";
+    owner.name = "mysql";
    source-path = toString <secrets> + "/mysql_rootPassword";
  };
  services.mysql = {
    enable = true;
    dataDir = "/var/mysql";
    package = pkgs.mariadb;
    rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
  };
--- a/lass/2configs/weechat.nix
+++ b/lass/2configs/weechat.nix
@ -13,13 +13,19 @@ in {
    uid = genid "chat";
    useDefaultShell = true;
    createHome = true;
-    openssh.authorizedKeys.keys = [
+    openssh.authorizedKeys.keys = with config.krebs.users; [
-      config.krebs.users.lass.pubkey
+      lass.pubkey
-      config.krebs.users.lass-shodan.pubkey
+      lass-shodan.pubkey
-      config.krebs.users.lass-icarus.pubkey
+      lass-icarus.pubkey
      lass-android.pubkey
    ];
  };
  # mosh
  krebs.iptables.tables.filter.INPUT.rules = [
    { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
  ];
  #systemd.services.chat = {
  #  description = "chat environment setup";
  #  after = [ "network.target" ];
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@ -5,7 +5,7 @@ let
 in {
  krebs.per-user.wine.packages = with pkgs; [
-    wineFull
+    wine
    #(wineFull.override { wineBuild = "wine64"; })
  ];
  users.users= {
--- a/lass/2configs/xresources.nix
+++ b/lass/2configs/xresources.nix
@ -8,8 +8,10 @@ let
    URxvt*scrollBar: false
    URxvt*urgentOnBell: true
    URxvt*SaveLines: 4096
-    URxvt*font: ${config.lass.myFont}
+
-    URxvt*boldFont: ${config.lass.myFont}
+    URxvt.font:       ${config.lass.fonts.regular}
    URxvt.boldFont:   ${config.lass.fonts.bold}
    URxvt.italicFont: ${config.lass.fonts.italic}
    ! ref https://github.com/muennich/urxvt-perls
    URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@ -1,93 +1,129 @@
-{ config, ... }: with import <stockholm/lib>; let
+with import <stockholm/lib>;
-  cfg = config.lass.ejabberd;
+{ config, ... }: let
-  # XXX this is a placeholder that happens to work the default strings.
+  # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
-  toErlang = builtins.toJSON;
+
-in toFile "ejabberd.conf" ''
+  ciphers = concatStringsSep ":" [
-  {loglevel, 3}.
+    "ECDHE-ECDSA-AES256-GCM-SHA384"
-  {hosts, ${toErlang cfg.hosts}}.
+    "ECDHE-RSA-AES256-GCM-SHA384"
-  {listen,
+    "ECDHE-ECDSA-CHACHA20-POLY1305"
-   [
+    "ECDHE-RSA-CHACHA20-POLY1305"
-    {5222, ejabberd_c2s, [
+    "ECDHE-ECDSA-AES128-GCM-SHA256"
-        starttls,
+    "ECDHE-RSA-AES128-GCM-SHA256"
-        {certfile, ${toErlang cfg.certfile.path}},
+    "ECDHE-ECDSA-AES256-SHA384"
-        {access, c2s},
+    "ECDHE-RSA-AES256-SHA384"
-        {shaper, c2s_shaper},
+    "ECDHE-ECDSA-AES128-SHA256"
-        {max_stanza_size, 65536}
+    "ECDHE-RSA-AES128-SHA256"
-             ]},
+  ];
-    {5269, ejabberd_s2s_in, [
+
-           {shaper, s2s_shaper},
+  protocol_options = [
-           {max_stanza_size, 131072}
+    "no_sslv2"
-          ]},
+    "no_sslv3"
-    {5280, ejabberd_http, [
+    "no_tlsv1"
-         captcha,
+    "no_tlsv1_10"
-         http_bind,
+  ];
-         http_poll,
+
-         web_admin
+in /* yaml */ ''
-        ]}
+
-   ]}.
+  access_rules:
-  {s2s_use_starttls, required}.
+    announce:
-  {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
+      - allow: admin
-  {auth_method, internal}.
+    local:
-  {shaper, normal, {maxrate, 1000}}.
+      - allow: local
-  {shaper, fast, {maxrate, 50000}}.
+    configure:
-  {max_fsm_queue, 1000}.
+      - allow: admin
-  {acl, local, {user_regexp, ""}}.
+    register:
-  {access, max_user_sessions, [{10, all}]}.
+      - allow
-  {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
+    s2s:
-  {access, local, [{allow, local}]}.
+      - allow
-  {access, c2s, [{deny, blocked},
+    trusted_network:
-           {allow, all}]}.
+      - allow: loopback
-  {access, c2s_shaper, [{none, admin},
+
-            {normal, all}]}.
+  acl:
-  {access, s2s_shaper, [{fast, all}]}.
+    local:
-  {access, announce, [{allow, admin}]}.
+      user_regexp: ""
-  {access, configure, [{allow, admin}]}.
+    loopback:
-  {access, muc_admin, [{allow, admin}]}.
+      ip:
-  {access, muc_create, [{allow, local}]}.
+        - "127.0.0.0/8"
-  {access, muc, [{allow, all}]}.
+        - "::1/128"
-  {access, pubsub_createnode, [{allow, local}]}.
+        - "::FFFF:127.0.0.1/128"
-  {access, register, [{allow, local}]}.
+
-  {language, "en"}.
+  hosts: ${toJSON config.hosts}
-  {modules,
+
-   [
+  language: "en"
-    {mod_adhoc,    []},
+
-    {mod_announce, [{access, announce}]},
+  listen:
-    {mod_blocking,[]},
+    -
-    {mod_caps,     []},
+      port: 5222
-    {mod_configure,[]},
+      ip: "::"
-    {mod_disco,    []},
+      module: ejabberd_c2s
-    {mod_irc,      []},
+      shaper: c2s_shaper
-    {mod_http_bind, []},
+      certfile: ${toJSON config.certfile.path}
-    {mod_last,     []},
+      ciphers: ${toJSON ciphers}
-    {mod_muc,      [
+      dhfile: ${toJSON config.dhfile.path}
-        {access, muc},
+      protocol_options: ${toJSON protocol_options}
-        {access_create, muc_create},
+      starttls: true
-        {access_persistent, muc_create},
+      starttls_required: true
-        {access_admin, muc_admin}
+      tls: false
-       ]},
+      tls_compression: false
-    {mod_offline,  [{access_max_user_messages, max_user_offline_messages}]},
+      max_stanza_size: 65536
-    {mod_ping,     []},
+    -
-    {mod_privacy,  []},
+      port: 5269
-    {mod_private,  []},
+      ip: "::"
-    {mod_pubsub,   [
+      module: ejabberd_s2s_in
-        {access_createnode, pubsub_createnode},
+      shaper: s2s_shaper
-        {ignore_pep_from_offline, true},
+      max_stanza_size: 131072
-        {last_item_cache, false},
+
-        {plugins, ["flat", "hometree", "pep"]}
+  loglevel: 4
-       ]},
+
-    {mod_register, [
+  modules:
-        {welcome_message, {"Welcome!",
+    mod_adhoc: {}
-               "Hi.\nWelcome to this XMPP server."}},
+    mod_admin_extra: {}
-        {ip_access, [{allow, "127.0.0.0/8"},
+    mod_announce:
-               {allow, "0.0.0.0/0"}]},
+      access: announce
-        {access, register}
+    mod_caps: {}
-       ]},
+    mod_carboncopy: {}
-    {mod_roster,   []},
+    mod_client_state: {}
-    {mod_shared_roster,[]},
+    mod_configure: {}
-    {mod_stats,    []},
+    mod_disco: {}
-    {mod_time,     []},
+    mod_echo: {}
-    {mod_vcard,    []},
+    mod_irc: {}
-    {mod_version,  []}
+    mod_bosh: {}
-   ]}.
+    mod_last: {}
    mod_offline:
      access_max_user_messages: max_user_offline_messages
    mod_ping: {}
    mod_privacy: {}
    mod_private: {}
    mod_register:
      access_from: deny
      access: register
      ip_access: trusted_network
      registration_watchers: ${toJSON config.registration_watchers}
    mod_roster: {}
    mod_shared_roster: {}
    mod_stats: {}
    mod_time: {}
    mod_vcard:
      search: false
    mod_version: {}
    mod_http_api: {}
  s2s_access: s2s
  s2s_certfile: ${toJSON config.s2s_certfile.path}
  s2s_ciphers: ${toJSON ciphers}
  s2s_dhfile: ${toJSON config.dhfile.path}
  s2s_protocol_options: ${toJSON protocol_options}
  s2s_tls_compression: false
  s2s_use_starttls: required
  shaper_rules:
    max_user_offline_messages:
      - 5000: admin
      - 100
    max_user_sessions: 10
    c2s_shaper:
      - none: admin
      - normal
    s2s_shaper: fast
 ''
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@ -1,5 +1,16 @@
 { config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
  cfg = config.lass.ejabberd;
  gen-dhparam = pkgs.writeDash "gen-dhparam" ''
    set -efu
    path=$1
    bits=2048
    # TODO regenerate dhfile after some time?
    if ! test -e "$path"; then
      ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
    fi
  '';
 in {
  options.lass.ejabberd = {
    enable = mkEnableOption "lass.ejabberd";
@ -11,20 +22,36 @@ in {
        source-path = "/var/lib/acme/lassul.us/full.pem";
      };
    };
    dhfile = mkOption {
      type = types.secret-file;
      default = {
        path = "${cfg.user.home}/dhparams.pem";
        owner = cfg.user;
        source-path = "/dev/null";
      };
    };
    hosts = mkOption {
      type = with types; listOf str;
    };
    pkgs.ejabberdctl = mkOption {
      type = types.package;
      default = pkgs.writeDashBin "ejabberdctl" ''
        set -efu
        export SPOOLDIR=${shell.escape cfg.user.home}
        export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
        exec ${pkgs.ejabberd}/bin/ejabberdctl \
            --config ${toFile "ejabberd.yaml" (import ./config.nix {
              inherit pkgs;
              config = cfg;
            })} \
            --logs ${shell.escape cfg.user.home} \
            --spool ${shell.escape cfg.user.home} \
            "$@"
      '';
    };
    registration_watchers = mkOption {
      type = types.listOf types.str;
      default = [
        config.krebs.users.tv.mail
      ];
    };
    s2s_certfile = mkOption {
      type = types.secret-file;
      default = cfg.certfile;
@ -50,12 +77,12 @@ in {
      requires = [ "secret.service" ];
      after = [ "network.target" "secret.service" ];
      serviceConfig = {
-        Type = "oneshot";
+        ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
-        RemainAfterExit = "yes";
+        ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
-        PermissionsStartOnly = "true";
+        PermissionsStartOnly = true;
        SyslogIdentifier = "ejabberd";
        User = cfg.user.name;
-        ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start";
+        TimeoutStartSec = 60;
      };
    };
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@ -4,9 +4,6 @@
  nixpkgs.config.packageOverrides = rec {
    acronym = pkgs.callPackage ./acronym/default.nix {};
    dpass = pkgs.callPackage ./dpass {};
    ejabberd = pkgs.callPackage ./ejabberd {
      erlang = pkgs.erlangR16;
    };
    firefoxPlugins = {
      noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
      ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
--- a/lass/5pkgs/ejabberd/default.nix
+++ b/lass/5pkgs/ejabberd/default.nix
@ -1,28 +0,0 @@
 {stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}:
 stdenv.mkDerivation rec {
  version = "2.1.13";
  name = "ejabberd-${version}";
  src = fetchurl {
    url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
    sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8";
  };
  buildInputs = [ expat erlang zlib openssl pam ];
  patchPhase = ''
    sed -i \
      -e "s|erl \\\|${erlang}/bin/erl \\\|" \
      -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \
      src/ejabberdctl.template
  '';
  preConfigure = ''
    cd src
  '';
  configureFlags = ["--enable-pam"];
  meta = {
    description = "Open-source XMPP application server written in Erlang";
    license = stdenv.lib.licenses.gpl2;
    homepage = http://www.ejabberd.im;
    maintainers = [ lib.maintainers.sander ];
  };
 }
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
 import XMonad.Actions.DynamicWorkspaces (withWorkspace)
 import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
 import XMonad.Actions.UpdatePointer (updatePointer)
 import XMonad.Hooks.FloatNext (floatNext)
 import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@ -47,11 +48,11 @@ import XMonad.Layout.SimpleFloat (simpleFloat)
 import XMonad.Stockholm.Shutdown
-urxvtcPath :: FilePath
+myTerm :: FilePath
-urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"
+myTerm = "${pkgs.rxvt_unicode}/bin/urxvtc"
 myFont :: String
-myFont = "${config.lass.myFont}"
+myFont = "${config.lass.fonts.regular}"
 main :: IO ()
 main = getArgs >>= \case
@ -63,14 +64,15 @@ mainNoArgs = do
    xmonad'
        $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
        $ def
-            { terminal          = urxvtcPath
+            { terminal           = myTerm
-            , modMask           = mod4Mask
+            , modMask            = mod4Mask
-            , layoutHook = smartBorders $ myLayoutHook
+            , layoutHook         = smartBorders $ myLayoutHook
-            , manageHook        = placeHook (smart (1,0)) <+> floatNextHook
+            , logHook            = updatePointer (0.25, 0.25) (0.25, 0.25)
            , manageHook         = placeHook (smart (1,0)) <+> floatNextHook
            , normalBorderColor  = "#1c1c1c"
            , focusedBorderColor = "#f000b0"
-            , handleEventHook = handleShutdownEvent
+            , handleEventHook    = handleShutdownEvent
-            , workspaces        = [ "dashboard" ]
+            , workspaces         = [ "dashboard", "sys", "wp" ]
            } `additionalKeysP` myKeyMap
 myLayoutHook = defLayout
@ -113,13 +115,13 @@ myKeyMap =
    , ("M4-S-<Backspace>", removeEmptyWorkspace)
    , ("M4-S-c", kill1)
    , ("M4-<Esc>", toggleWS)
-    , ("M4-S-<Enter>", spawn urxvtcPath)
+    , ("M4-S-<Enter>", spawn myTerm)
-    , ("M4-x", floatNext True >> spawn urxvtcPath)
+    , ("M4-x", floatNext True >> spawn myTerm)
    , ("M4-c", floatNext True >> spawn "${pkgs.termite}/bin/termite")
    , ("M4-f", floatNext True)
    , ("M4-b", sendMessage ToggleStruts)
-    , ("M4-v", withWorkspace autoXPConfig (windows . W.view))
+    , ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView))
    , ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift))
    , ("M4-C-v", withWorkspace autoXPConfig (windows . copy))
@ -131,12 +133,12 @@ myKeyMap =
    , ("M4-S-q", return ())
-    , ("M4-w", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
+    , ("M4-d", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
-    , ("M4-<F1>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
+    , ("M4-<F5>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
-    , ("M4-<F2>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
+    , ("M4-<F6>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
-    , ("M4-<F3>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
+    , ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
-    , ("M4-<F4>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
+    , ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
    ]
 forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
--- a/lass/source.nix
+++ b/lass/source.nix
@ -9,13 +9,8 @@ in
    {
      nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
      nixpkgs.git = {
-        url = http://cgit.lassul.us/nixpkgs;
+        url = https://github.com/nixos/nixpkgs;
-        # nixos-17.03
+        ref = "68ef4b1";
        # + copytoram:
        #   87a4615 & 334ac4f
        # + acme permissions for groups
        #   fd7a8f1
        ref = "2d3b4fe";
      };
      secrets.file = getAttr builder {
        buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;
--- a/lib/types.nix
+++ b/lib/types.nix
@ -92,7 +92,7 @@ rec {
        default = null;
      };
      addrs = mkOption {
-        type = listOf addr;
+        type = listOf cidr;
        default =
          optional (config.ip4 != null) config.ip4.addr ++
          optional (config.ip6 != null) config.ip6.addr;
@ -109,7 +109,7 @@ rec {
              type = addr4;
            };
            prefix = mkOption ({
-              type = str; # TODO routing prefix (CIDR)
+              type = cidr4;
            } // optionalAttrs (config.name == "retiolum") {
              default = "10.243.0.0/16";
            });
@ -125,7 +125,7 @@ rec {
              apply = lib.normalize-ip6-addr;
            };
            prefix = mkOption ({
-              type = str; # TODO routing prefix (CIDR)
+              type = cidr6;
            } // optionalAttrs (config.name == "retiolum") {
              default = "42::/16";
            });
@ -364,6 +364,26 @@ rec {
    merge = mergeOneOption;
  };
  cidr = either cidr4 cidr6;
  cidr4 = mkOptionType {
    name = "CIDRv4 address";
    check = let
      CIDRv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in
        concatMapStringsSep "." (const d) (range 1 4) + "(/([1-2]?[0-9]|3[0-2]))?";
    in
      test CIDRv4address;
    merge = mergeOneOption;
  };
  cidr6 = mkOptionType {
    name = "CIDRv6 address";
    check = let
      # TODO check IPv6 address harder
      CIDRv6address = "[0-9a-f.:]+(/([0-9][0-9]?|1[0-2][0-8]))?";
    in
      test CIDRv6address;
    merge = mergeOneOption;
  };
  binary-cache-pubkey = str;
  pgp-pubkey = str;
--- a/makefu/1systems/cake/config.nix
+++ b/makefu/1systems/cake/config.nix
@ -0,0 +1,55 @@
 { config, lib, pkgs, ... }:
 {
  imports = [
    <stockholm/makefu>
    <stockholm/makefu/2configs/tools/core.nix>
 # configure your hw:
 # <stockholm/makefu/2configs/save-diskspace.nix>
  ];
  users.extraUsers.root.openssh.authorizedKeys.keys = [
    config.krebs.users.tv.pubkey
  ];
  krebs = {
    enable = true;
    tinc.retiolum.enable = true;
    build.host = config.krebs.hosts.cake;
  };
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=tty0" ];
  programs.info.enable = false;
  programs.man.enable = false;
  services.nixosManual.enable = false;
  boot.tmpOnTmpfs = lib.mkForce false;
  hardware.enableRedistributableFirmware = true;
  hardware.firmware = [
    (pkgs.stdenv.mkDerivation {
     name = "broadcom-rpi3-rest";
     src = pkgs.fetchurl {
     url = "https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/54bab3d/brcm80211/brcm/brcmfmac43430-sdio.txt";
     sha256 = "19bmdd7w0xzybfassn7x4rb30l70vynnw3c80nlapna2k57xwbw7";
     };
     phases = [ "installPhase" ];
     installPhase = ''
     mkdir -p $out/lib/firmware/brcm
     cp $src $out/lib/firmware/brcm/brcmfmac43430-sdio.txt
     '';
     })
  ];
  networking.wireless.enable = true;
 # File systems configuration for using the installer's partition layout
  fileSystems = {
    "/boot" = {
      device = "/dev/disk/by-label/NIXOS_BOOT";
      fsType = "vfat";
    };
    "/" = {
      device = "/dev/disk/by-label/NIXOS_SD";
      fsType = "ext4";
    };
  };
 }
--- a/makefu/1systems/cake/source.nix
+++ b/makefu/1systems/cake/source.nix
@ -0,0 +1,4 @@
 import <stockholm/makefu/source.nix> {
  name="cake";
  full = true;
 }
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@ -40,10 +40,11 @@ in {
      # services
      <stockholm/makefu/2configs/share/gum.nix>
      <stockholm/makefu/2configs/sabnzbd.nix>
-      # <stockholm/makefu/2configs/torrent.nix>
+      <stockholm/makefu/2configs/torrent.nix>
      <stockholm/makefu/2configs/iodined.nix>
      <stockholm/makefu/2configs/vpn/openvpn-server.nix>
      <stockholm/makefu/2configs/dnscrypt/server.nix>
      <stockholm/makefu/2configs/remote-build/slave.nix>
      ## Web
      <stockholm/makefu/2configs/nginx/share-download.nix>
@ -74,10 +75,15 @@ in {
      <stockholm/makefu/2configs/stats/client.nix>
      # <stockholm/makefu/2configs/logging/client.nix>
      # Temporary:
      <stockholm/makefu/2configs/temp/rst-issue.nix>
  ];
  makefu.dl-dir = "/var/download";
-
+  services.openssh.hostKeys = [
    { bits = 4096; path = <secrets/ssh_host_rsa_key>; type = "rsa"; }
    { path = <secrets/ssh_host_ed25519_key>; type = "ed25519"; } ];
  ###### stable
  services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
  krebs.build.host = config.krebs.hosts.gum;
@ -143,6 +149,8 @@ in {
          53589
          # temp vnc
          18001
          # temp reverseshell
          31337
        ];
        allowedUDPPorts = [
          # tinc
--- a/makefu/1systems/latte/config.nix
+++ b/makefu/1systems/latte/config.nix
@ -0,0 +1,54 @@
 { config, pkgs, ... }:
 let
  # external-ip = config.krebs.build.host.nets.internet.ip4.addr;
  # internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
  # default-gw = "185.215.224.1";
  # prefixLength = 24;
  # external-mac = "46:5b:fc:f4:44:c9";
  # ext-if = "et0";
 in {
  imports = [
    <stockholm/makefu>
    # configure your hw:
    <stockholm/makefu/2configs/hw/CAC.nix>
    <stockholm/makefu/2configs/tinc/retiolum.nix>
    <stockholm/makefu/2configs/save-diskspace.nix>
    # Security
    <stockholm/makefu/2configs/sshd-totp.nix>
    <stockholm/makefu/2configs/stats/client.nix>
    # Tools
    <stockholm/makefu/2configs/tools/core.nix>
    <stockholm/makefu/2configs/vim.nix>
    <stockholm/makefu/2configs/zsh-user.nix>
    # Services
    <stockholm/makefu/2configs/remote-build/slave.nix>
    <stockholm/makefu/2configs/torrent.nix>
  ];
  krebs = {
    enable = true;
    build.host = config.krebs.hosts.latte;
  };
  boot.initrd.availableKernelModules = [ "ata_piix" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ];
  boot.loader.grub.device = "/dev/vda";
  boot.loader.grub.copyKernels = true;
  fileSystems."/" = {
    device = "/dev/vda1";
    fsType = "ext4";
  };
  networking = {
    firewall = {
      allowPing = true;
      logRefusedConnections = false;
      allowedTCPPorts = [ ];
      allowedUDPPorts = [ 655 ];
    };
    # network interface receives dhcp address
    nameservers = [ "8.8.8.8" ];
  };
 }
--- a/makefu/1systems/latte/source.nix
+++ b/makefu/1systems/latte/source.nix
@ -0,0 +1,4 @@
 import <stockholm/makefu/source.nix> {
  name = "latte";
  torrent = true;
 }
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@ -65,6 +65,8 @@ in {
      # services
      <stockholm/makefu/2configs/syncthing.nix>
      <stockholm/makefu/2configs/mqtt.nix>
      <stockholm/makefu/2configs/remote-build/slave.nix>
      # security
      <stockholm/makefu/2configs/sshd-totp.nix>
--- a/makefu/1systems/pnp/config.nix
+++ b/makefu/1systems/pnp/config.nix
@ -34,10 +34,11 @@
  krebs.Reaktor.debug = {
    debug = true;
    extraEnviron = {
-      REAKTOR_HOST = "ni.r";
+      # TODO: remove hard-coded server
      REAKTOR_HOST = "irc.r";
    };
    plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ];
-    channels = [ "#retiolum" ];
+    channels = [ "#xxx" ];
  };
  krebs.build.host = config.krebs.hosts.pnp;
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@ -25,7 +25,9 @@ in {
      # <stockholm/makefu/2configs/audio/realtime-audio.nix>
      # <stockholm/makefu/2configs/vncserver.nix>
      <stockholm/makefu/2configs/temp/rst-issue.nix>
-    ];
+      # Services
      <stockholm/makefu/2configs/remote-build/slave.nix>
  ];
  krebs = {
      enable = true;
@ -33,10 +35,48 @@ in {
  };
  swapDevices = [ { device = "/var/swap"; } ];
  services.collectd.extraConfig = lib.mkAfter ''
    #LoadPlugin ping
    # does not work because it requires privileges
    #<Plugin "ping">
    #  Host "google.de"
    #  Host "heise.de"
    #</Plugin>
    LoadPlugin curl
    <Plugin curl>
      TotalTime true
      NamelookupTime true
      ConnectTime true
      <Page "google">
        MeasureResponseTime true
        MeasureResponseCode true
        URL "https://google.de"
      </Page>
      <Page "webde">
        MeasureResponseTime true
        MeasureResponseCode true
        URL "http://web.de"
      </Page>
    </Plugin>
    #LoadPlugin netlink
    #<Plugin "netlink">
    #  Interface "enp0s25"
    #  Interface "wlp2s0"
    #  IgnoreSelected false
    #</Plugin>
  '';
  networking.firewall.allowedUDPPorts = [ 655 ];
-  networking.firewall.allowedTCPPorts = [ 655 49152 ];
+  networking.firewall.allowedTCPPorts = [
    655
    8081 #smokeping
    49152
  ];
  networking.firewall.trustedInterfaces = [ "enp0s25" ];
  #services.tinc.networks.siem = {
  #  name = "display";
@ -90,4 +130,66 @@ in {
      serverAddress = "x.r";
    };
  };
  security.wrappers.fping = {
    source = "${pkgs.fping}/bin/fping";
    setuid = true;
  };
  services.smokeping = {
    enable = true;
    targetConfig = ''
      probe = FPing
      menu = Top
      title = Network Latency Grapher
      remark = Welcome to this SmokePing website.
      + network
      menu = Net latency
      title = Network latency (ICMP pings)
      ++ google
      probe = FPing
      host = google.de
      ++ webde
      probe = FPing
      host = web.de
      + services
      menu = Service latency
      title = Service latency (DNS, HTTP)
      ++ HTTP
      menu = HTTP latency
      title = Service latency (HTTP)
      +++ webdeping
      probe = EchoPingHttp
      host = web.de
      +++ googwebping
      probe = EchoPingHttp
      host = google.de
      #+++ webwww
      #probe = Curl
      #host = web.de
      #+++ googwebwww
      #probe = Curl
      #host = google.de
    '';
    probeConfig = ''
       + FPing
       binary = /run/wrappers/bin/fping
       + EchoPingHttp
       pings = 5
       url = /
       #+ Curl
       ## probe-specific variables
       #binary = ${pkgs.curl}/bin/curl
       #step = 60
       ## a default for this target-specific variable
       #urlformat = http://%host%/
    '';
  };
 }
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@ -57,6 +57,7 @@ with import <stockholm/lib>;
      <stockholm/makefu/2configs/tor.nix>
      <stockholm/makefu/2configs/vpn/vpngate.nix>
      # <stockholm/makefu/2configs/buildbot-standalone.nix>
      # <stockholm/makefu/2configs/remote-build/master.nix>
      # Hardware
      <stockholm/makefu/2configs/hw/tp-x230.nix>
--- a/makefu/2configs/binary-cache/lass.nix
+++ b/makefu/2configs/binary-cache/lass.nix
@ -7,6 +7,7 @@
    ];
    binaryCachePublicKeys = [
      "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
      "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
    ];
  };
 }
--- a/makefu/2configs/deployment/led-fader.nix
+++ b/makefu/2configs/deployment/led-fader.nix
@ -29,11 +29,11 @@ in {
    environment = {
      NIX_PATH = "/var/src";
    };
-    # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ];
+    after = [ "network-online.target"  ] ++ (lib.optional config.services.mosquitto.enable "mosquitto.service");
    wantedBy = [ "multi-user.target"  ];
    after = [ "network-online.target"  ];
    serviceConfig = {
      # User = "nobody"; # need a user with permissions to run nix-shell
      ExecStartPre = pkgs.writeDash "sleep.sh" "sleep 2";
      ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json";
      PrivateTmp = true;
    };
--- a/makefu/2configs/git/brain-retiolum.nix
+++ b/makefu/2configs/git/brain-retiolum.nix
@ -19,9 +19,9 @@ let
      post-receive = pkgs.git-hooks.irc-announce {
        nick = config.networking.hostName;
        verbose = true;
-        channel = "#retiolum";
+        channel = "#xxx";
        # TODO remove the hardcoded hostname
-        server = "ni.r";
+        server = "irc.r";
      };
    };
  };
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@ -24,6 +24,7 @@ let
    cac-api = { };
    euer_blog = { };
    ampel = { };
    europastats = { };
    init-stockholm = {
      cgit.desc = "Init stuff for stockholm";
    };
@ -56,9 +57,9 @@ let
      post-receive = pkgs.git-hooks.irc-announce {
        nick = config.networking.hostName;
        verbose = config.krebs.build.host.name == "gum";
-        channel = "#retiolum";
+        channel = "#xxx";
        # TODO remove the hardcoded hostname
-        server = "ni.r";
+        server = "irc.r";
      };
    };
  };
@ -67,7 +68,7 @@ let
  # TODO: get the list of all krebsministers
  krebsminister = with config.krebs.users; [ lass tv ];
-  all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp makefu-vbob makefu-tempx ];
+  all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp makefu-vbob makefu-tempx makefu-android ];
  all-exco = with config.krebs.users; [ exco ];
  priv-rules = repo: set-owners repo all-makefu;
--- a/makefu/2configs/gui/base.nix
+++ b/makefu/2configs/gui/base.nix
@ -58,7 +58,7 @@ in
  hardware.pulseaudio = {
     enable = true;
-     systemWide = true;
+     # systemWide = true;
  };
  services.xserver.displayManager.sessionCommands = let
    xdefaultsfile = pkgs.writeText "Xdefaults"  ''
--- a/makefu/2configs/remote-build/master.nix
+++ b/makefu/2configs/remote-build/master.nix
@ -0,0 +1,14 @@
 { pkgs, ...}:
 let
  sshKey = (toString <secrets>) + "/id_nixBuild";
 in {
  nix.distributedBuilds = true;
  # TODO: iterate over krebs.hosts
  nix.buildMachines = map ( hostName:
  {   inherit hostName sshKey;
      sshUser = "nixBuild";
      system = "x86_64-linux";
      maxJobs = 1;
  }) [ "omo.r"  "gum.r" "latte.r" ];
  # puyak.r "wbob.r"
 }
--- a/makefu/2configs/remote-build/slave.nix
+++ b/makefu/2configs/remote-build/slave.nix
@ -0,0 +1,11 @@
 {
  nix.trustedUsers = [ "nixBuild" ];
  users.users.nixBuild = {
      name = "nixBuild";
      useDefaultShell = true;
      # TODO: put this somewhere else
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlhb0TIBW9RN9T8Is4YRIc1RjOg+cxbZCaDjbM4zxrX nixBuild"
      ];
    };
 }
--- a/makefu/2configs/stats/server.nix
+++ b/makefu/2configs/stats/server.nix
@ -2,6 +2,8 @@
 with import <stockholm/lib>;
 let
  irc-server = "rc.r";
  irc-nick = "m-alarm";
  collectd-port = 25826;
  influx-port = 8086;
  grafana-port = 3000; # TODO nginx forward
@ -37,9 +39,9 @@ in {
      echoToIrc = pkgs.writeDash "echo_irc" ''
        set -euf
        data="$(${pkgs.jq}/bin/jq -r .message)"
-        export LOGNAME=malarm
+        export LOGNAME=${irc-nick}
        ${pkgs.irc-announce}/bin/irc-announce \
-          irc.freenode.org 6667 malarm \#krebs-bots "$data" >/dev/null
+          ${irc-server} 6667 ${irc-nick} \#noise "$data" >/dev/null
      '';
  in {
    enable = true;
--- a/makefu/2configs/stats/telegraf/europastats.nix
+++ b/makefu/2configs/stats/telegraf/europastats.nix
@ -4,7 +4,7 @@ let
    rev = "be31da7";
    name = "europastats-${rev}";
    propagatedBuildInputs = [
-      requests2
+      requests
      docopt
    ];
    src = pkgs.fetchgit {
--- a/makefu/2configs/tools/core-gui.nix
+++ b/makefu/2configs/tools/core-gui.nix
@ -13,7 +13,6 @@
    keepassx
    pcmanfm
    evince
    skype
    mirage
    tightvnc
    gnome3.dconf
--- a/makefu/2configs/tools/dev.nix
+++ b/makefu/2configs/tools/dev.nix
@ -16,5 +16,6 @@
    whatsupnix
    brain
    gen-oath-safe
    cdrtools
  ];
 }
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@ -6,7 +6,7 @@
    gimp
    inkscape
    libreoffice
-    skype
+    # skype
    synergy
    tdesktop
    virtmanager
--- a/makefu/2configs/tools/sec-gui.nix
+++ b/makefu/2configs/tools/sec-gui.nix
@ -1,8 +1,15 @@
 { pkgs, ... }:
 {
-  krebs.per-user.makefu.packages = with pkgs; [
+  users.users.makefu = {
-    tpmmanager
+    extraGroups = [ "wireshark" ];
-    wireshark
+    packages = with pkgs; [
-  ];
+      tpmmanager
    ];
  };
  programs.wireshark = {
    enable = true;
    package = pkgs.wireshark;
  };
 }
--- a/makefu/2configs/tools/steam.nix
+++ b/makefu/2configs/tools/steam.nix
@ -1,9 +1,7 @@
 {pkgs, ...}:
 {
-  environment.systemPackages = [ 
+  users.users.makefu.packages = [
-    (pkgs.steam.override {
+    pkgs.steam
      newStdcpp = true;
    })
  ];
  hardware.opengl.driSupport32Bit = true;
  hardware.pulseaudio.support32Bit = true;
--- a/makefu/2configs/urlwatch/default.nix
+++ b/makefu/2configs/urlwatch/default.nix
@ -24,13 +24,18 @@ in {
      # pypi
      https://pypi.python.org/simple/bepasty/
      https://pypi.python.org/simple/xstatic/
      https://pypi.python.org/simple/devpi-client/
      https://pypi.python.org/simple/oslo.config/
      https://pypi.python.org/simple/sqlalchemy_migrate/
      https://pypi.python.org/simple/xstatic/
      https://pypi.python.org/simple/pyserial/
      https://pypi.python.org/simple/semantic_version/
      # weird shit
      http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
      http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
      https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
      http://www.iozone.org/src/current/
      {
        url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
--- a/makefu/2configs/vim.nix
+++ b/makefu/2configs/vim.nix
@ -127,6 +127,7 @@ in {
        { names = [ "undotree"
          # "YouCompleteMe"
          "vim-better-whitespace" ]; }
        # vim-nix handles indentation better but does not perform sanity
        { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
      ];
--- a/makefu/2configs/vpn/openvpn-server.nix
+++ b/makefu/2configs/vpn/openvpn-server.nix
@ -1,13 +1,13 @@
 { config, pkgs, ... }:
 let
-	out-itf = config.makefu.server.primary-itf;
+  out-itf = config.makefu.server.primary-itf;
-	# generate via openvpn --genkey --secret static.key
+  # generate via openvpn --genkey --secret static.key
-	client-key = (toString <secrets>) + "/openvpn-laptop.key";
+  client-key = (toString <secrets>) + "/openvpn-laptop.key";
  # domain = "vpn.euer.krebsco.de";
  domain = "gum.krebsco.de";
  dev = "tun0";
  port = 1194;
-	tcp-port = 3306;
+  tcp-port = 3306;
 in {
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  networking.nat = {
--- a/makefu/3modules/server-config.nix
+++ b/makefu/3modules/server-config.nix
@ -1,15 +1,14 @@
 {config, lib, pkgs, ... }:
-with import <stockholm/lib>;
+with lib;{
 {
  options.makefu.server.primary-itf = lib.mkOption {
-		type = types.str;
+    type = types.str;
-		description = "Primary interface of the server";
+    description = "Primary interface of the server";
-	};
+  };
  options.makefu.gui.user = lib.mkOption {
-		type = types.str;
+    type = types.str;
-		description = "GUI user";
+    description = "GUI user";
    default = config.krebs.build.user.name;
-	};
+  };
 }
--- a/makefu/3modules/wvdial.nix
+++ b/makefu/3modules/wvdial.nix
@ -1,5 +1,6 @@
 # Global configuration for wvdial.
 { config, lib, pkgs, ... }:
 # from 17.03/nixos/modules/programs/wvdial.nix
 with lib;
--- a/makefu/5pkgs/beef/Gemfile
+++ b/makefu/5pkgs/beef/Gemfile
@ -0,0 +1,97 @@
 # BeEF's Gemfile
 #
 # Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
 # Browser Exploitation Framework (BeEF) - http://beefproject.com
 # See the file 'doc/COPYING' for copying permission
 #
 gem 'eventmachine'
 gem 'thin'
 gem 'sinatra'
 gem 'rack', '~> 1.6.5'
 gem 'em-websocket' # WebSocket support
 gem 'uglifier'
 gem 'mime-types'
 gem 'execjs'
 gem 'ansi'
 gem 'term-ansicolor', :require => 'term/ansicolor'
 gem 'dm-core'
 gem 'json'
 gem 'data_objects'
 gem 'rubyzip', '>= 1.2.1'
 gem 'espeak-ruby', '>= 1.0.4' # Text-to-Voice
 gem 'nokogiri', '>= 1.7'
 gem 'therubyracer'
 # SQLite support
 group :sqlite do
  gem 'dm-sqlite-adapter'
 end
 # PostgreSQL support
 group :postgres do
  #gem dm-postgres-adapter
 end
 # MySQL support
 group :mysql do
  #gem dm-mysql-adapter
 end
 # Geolocation support
 group :geoip do
  gem 'geoip'
 end
 gem 'parseconfig'
 gem 'erubis'
 gem 'dm-migrations'
 # Metasploit Integration extension
 group :ext_msf do
  gem 'msfrpc-client'
 end
 # Twitter Notifications extension
 group :ext_twitter do
  #gem 'twitter', '>= 5.0.0'
 end
 # DNS extension
 group :ext_dns do
  gem 'rubydns', '~> 0.7.3'
 end
 # network extension
 group :ext_network do
  gem 'dm-serializer'
 end
 # QRcode extension
 group :ext_qrcode do
  gem 'qr4r'
 end
 # For running unit tests
 group :test do
 if ENV['BEEF_TEST']
  gem 'rake'
  gem 'test-unit'
  gem 'test-unit-full'
  gem 'curb'
  gem 'selenium'
  gem 'selenium-webdriver'
  gem 'rspec'
  gem 'bundler-audit'
  # nokogirl is needed by capybara which may require one of the below commands
  # sudo apt-get install libxslt-dev libxml2-dev
  # sudo port install libxml2 libxslt
  gem 'capybara'
  # RESTful API tests/generic command module tests
  gem 'rest-client', '>= 2.0.1'
 end
 end
 source 'https://rubygems.org'
--- a/makefu/5pkgs/beef/Gemfile.lock
+++ b/makefu/5pkgs/beef/Gemfile.lock
@ -0,0 +1,139 @@
 GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.5.2)
      public_suffix (>= 2.0.2, < 4.0)
    ansi (1.5.0)
    chunky_png (1.3.8)
    daemons (1.2.4)
    data_objects (0.10.17)
      addressable (~> 2.1)
    dm-core (1.2.1)
      addressable (~> 2.3)
    dm-do-adapter (1.2.0)
      data_objects (~> 0.10.6)
      dm-core (~> 1.2.0)
    dm-migrations (1.2.0)
      dm-core (~> 1.2.0)
    dm-serializer (1.2.2)
      dm-core (~> 1.2.0)
      fastercsv (~> 1.5)
      json (~> 1.6)
      json_pure (~> 1.6)
      multi_json (~> 1.0)
    dm-sqlite-adapter (1.2.0)
      dm-do-adapter (~> 1.2.0)
      do_sqlite3 (~> 0.10.6)
    do_sqlite3 (0.10.17)
      data_objects (= 0.10.17)
    em-websocket (0.5.1)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0.6.0)
    erubis (2.7.0)
    espeak-ruby (1.0.4)
    eventmachine (1.0.9.1)
    execjs (2.7.0)
    fastercsv (1.5.5)
    filesize (0.1.1)
    geoip (1.6.3)
    http_parser.rb (0.6.0)
    jsobfu (0.4.2)
      rkelly-remix
    json (1.8.6)
    json_pure (1.8.6)
    libv8 (3.16.14.19)
    metasm (1.0.3)
    mime-types (3.1)
      mime-types-data (~> 3.2015)
    mime-types-data (3.2016.0521)
    mini_portile2 (2.3.0)
    mojo_magick (0.5.6)
    msfrpc-client (1.1.1)
      msgpack (~> 1)
      rex (~> 2)
    msgpack (1.1.0)
    multi_json (1.12.2)
    nokogiri (1.8.1)
      mini_portile2 (~> 2.3.0)
    parseconfig (1.0.8)
    public_suffix (3.0.0)
    qr4r (0.4.1)
      mojo_magick
      rqrcode
    rack (1.6.8)
    rack-protection (1.5.3)
      rack
    rainbow (2.2.2)
      rake
    rake (12.1.0)
    rb-readline (0.5.5)
    ref (2.0.0)
    rex (2.0.11)
      filesize
      jsobfu (~> 0.4.1)
      json
      metasm (~> 1.0.2)
      nokogiri
      rb-readline
      robots
    rexec (1.6.3)
      rainbow
    rkelly-remix (0.0.7)
    robots (0.10.1)
    rqrcode (0.10.1)
      chunky_png (~> 1.0)
    rubydns (0.7.3)
      eventmachine (~> 1.0.0)
      rexec (~> 1.6.2)
    rubyzip (1.2.1)
    sinatra (1.4.8)
      rack (~> 1.5)
      rack-protection (~> 1.4)
      tilt (>= 1.3, < 3)
    term-ansicolor (1.6.0)
      tins (~> 1.0)
    therubyracer (0.12.3)
      libv8 (~> 3.16.14.15)
      ref
    thin (1.7.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    tilt (2.0.8)
    tins (1.15.0)
    uglifier (3.2.0)
      execjs (>= 0.3.0, < 3)
 PLATFORMS
  ruby
 DEPENDENCIES
  ansi
  data_objects
  dm-core
  dm-migrations
  dm-serializer
  dm-sqlite-adapter
  em-websocket
  erubis
  espeak-ruby (>= 1.0.4)
  eventmachine
  execjs
  geoip
  json
  mime-types
  msfrpc-client
  nokogiri (>= 1.7)
  parseconfig
  qr4r
  rack (~> 1.6.5)
  rubydns (~> 0.7.3)
  rubyzip (>= 1.2.1)
  sinatra
  term-ansicolor
  therubyracer
  thin
  uglifier
 BUNDLED WITH
   1.15.4
--- a/makefu/5pkgs/beef/default.nix
+++ b/makefu/5pkgs/beef/default.nix
@ -0,0 +1,37 @@
 { stdenv, bundlerEnv, ruby, fetchFromGitHub }:
 # nix-shell --command "bundler install && bundix" in the clone, copy gemset.nix, Gemfile and Gemfile.lock
 let
  gems = bundlerEnv {
    name = "beef-env";
    inherit ruby;
    gemdir  = ./.;
  };
 in stdenv.mkDerivation {
  name = "beef-2017-09-21";
  src = fetchFromGitHub {
    owner = "beefproject";
    repo = "beef";
    rev = "69aa2a3";
    sha256 = "1rky61i0wzpwcq3kqfa0m5hf6wyz8q8jgzs7dpfh04w9qh32ic4p";
  };
  buildInputs = [gems ruby];
  installPhase = ''
    mkdir -p $out/{bin,share/beef}
    cp -r * $out/share/beef
    # set the default db path, unfortunately setting to /tmp does not seem to work
    # sed -i 's#db_file: .*#db_file: "/tmp/beef.db"#' $out/share/beef/config.yaml
    bin=$out/bin/beef
    cat > $bin <<EOF
 #!/bin/sh -e
 exec ${gems}/bin/bundle exec ${ruby}/bin/ruby $out/share/beef/beef "\$@"
 EOF
    chmod +x $bin
  '';
  # crashes with segfault
  # also, db cannot be set
  meta.broken = true;
 }
--- a/Show More
+++ b/Show More
		`@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGgImN/9D4yJBjYlkAvT3X45kzt4n8hmgsqPcdcHWNC7fofWG4fZe8NNrTLdKsK+xYxTstj49l8Vb3YDvw4fAyyyhms/eFRlD2BRqAISwc39EIeTC4g3PXNeUtUGdczXKxsJf5iWf4kxUrUOuZ3FeKxeYXDMSqzzk1oKalhWNl4PmgRc5FzjeRJ2WziilwFq7ntLswoeTBW3c53fbcp3XuPza3M1/sN3NHJx9ZMpWVfJhZ/CXr+nqpc25ZIr5HZVZbgDTyJQimlTF5JCfU0NiiBIh7ep7x4o93tARmilit7+mWUkkxk6ba+zG6nr+s+zyd85AFAYRioOEczbC6mI44UZUB11KkEzOon5JWSA8pK+DPqsqhFkwWYMHLXZp8zemdp9kushRZ6nuI9MzBwacngro1vAvDL6jrS5MR7zf7rMAo6wexovWoEowvZz629mjC3OAt9iOm4VJdvEmq+rHLfjjznVEY6llF7DUu2QNEazaXhxZH9V9N1gyubIE97SQVqmwDrf8BGC0Hq+hC4OOweqfo4XP0etbqAfDozZbqcqyE1m9Bj8DpjrSXka1PuJf5fgEtoxPadd2qdiHMfIx9sM+4uu2nI5aFvWO3OlJmhF80QzNdFzZWjsyvJ24C1/a2FAyzoab1Sg9ljstQThseTtvlXcX8jfFn0U3RbgXgCgOWad3Oy9vA0OCdsHut0nzv3UO+T5+wv2+lvE3QSSKOlmVtdKMhCFb+Rg+FliKxyd820h9yR3wDYmkurVkAxaj8Kx5MaY/7aypOi8fRAV2FSDtCKkuMyPv4xEtdPi/4lj55pRBEO8lJkeb+WurCzZ7ZeaPdrW1YIQtToPpiz3dXeRhkts6jq8247xIplzHh9Iu18gOrnZ+ygn70g19x842vvcfLQNAghDPS93msJdSe+EtulMCwNTjUaF9LyzhW9ptLG9NmwgbT5kGsFiRw3BFdyfcQVWVzDhuP3hPPx+hjiZtFfpIKpxV9MjO1xQ830Ngk3JpSphMZTQ432yfvu9yEsUWmAa8ax1jxJ361AiIp0U2xioJmdVd3E2sxkpOUYqE89IR9X6hS3fH38Gc5IL5+BnhuZvRgXuA+nrqdU4pMB3TIoC5oXlOMRXpxaS91YiO4ERx2t6WkBRCoaDuRWnLpewV6lhjwi1+4Emlrs2q1R0K64emZTv7O1MKwWRHOlBJD3HLyCCS763OzYW4mEQcfBAQtbm6sTooJ+D/zbmYgbnZt0z/nP9R/n25pzlSPpZ49fCiRV7QN6D9mksISTz8qIiCzNBn1F7DUewXqkrdPopl4npeNVcOyyo7P1lFFGde+jq/7REdzD+vno1h9+17WZbyzQtlOyipQYzb6l4QuXq/zejJrELJAQdN4yRQq5NJzIh0HXaPnPC083T791moBflyqiwPEIWsSMfILqSqL1jVVNgvV4fHnMixgH2zK9f0EyE3fG9PnuRribPR2DlESqpHZTcBixgh660EPKh0gCLYoWKgU= lass-android@XperiaXCompact