diff --git a/jeschli/1systems/reagenzglas/.source.nix.swp b/jeschli/1systems/reagenzglas/.source.nix.swp
new file mode 100644
index 000000000..8c1a75f39
Binary files /dev/null and b/jeschli/1systems/reagenzglas/.source.nix.swp differ
diff --git a/jeschli/1systems/reagenzglas/config.nix b/jeschli/1systems/reagenzglas/config.nix
new file mode 100644
index 000000000..d65e897ae
--- /dev/null
+++ b/jeschli/1systems/reagenzglas/config.nix
@@ -0,0 +1,146 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      <stockholm/jeschli>
+      ./hardware-configuration.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+ # boot.loader.grub.enable = true;
+ # boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  # Define on which hard drive you want to install Grub.
+#  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5002538844584d30"; # or "nodev" for efi only
+
+  boot.initrd.luks.devices = [
+    {
+    name = "root";
+    device = "/dev/disk/by-id/wwn-0x5002538844584d30-part2";
+    preLVM = true;
+    allowDiscards = true;
+    }
+  ];
+  networking.hostName = "reaganzglas"; # Define your hostname.
+#  networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = true;
+  # Select internationalisation properties.
+  # i18n = {
+  #   consoleFont = "Lat2-Terminus16";
+  #   consoleKeyMap = "us";
+  #   defaultLocale = "en_US.UTF-8";
+  # };
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # List packages installed in system profile. To search by name, run:
+  # $ nix-env -qaP | grep wget
+  nixpkgs.config.allowUnfree = true;
+  environment.shellAliases = { n = "nix-shell"; };
+  environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
+  environment.systemPackages = with pkgs; [
+  # system helper
+    ag
+    curl
+    copyq
+    dmenu
+    git
+    i3lock
+    keepass
+    networkmanagerapplet
+    rsync
+    terminator
+    tmux
+    wget
+    rxvt_unicode
+  # editors
+    emacs
+  # internet
+    thunderbird
+    chromium
+    google-chrome
+  # programming languages
+    go
+    gcc
+    ghc
+    python35
+    python35Packages.pip
+  # go tools
+    golint
+    gotools
+  # dev tools
+    gnumake
+  # document viewer
+    zathura
+   ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01 markus@reaganzglas"
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable the X11 windowing system.
+   services.xserver.enable = true;
+   services.xserver.layout = "us";
+   services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable touchpad support.
+   services.xserver.libinput.enable = true;
+
+  # Enable the KDE Desktop Environment.
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.windowManager.xmonad.enable = true;
+  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+
+  # services.xserver.desktopManager.plasma5.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.extraUsers.jeschli = {
+     isNormalUser = true;
+     uid = 1000;
+  };
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "18.03"; # Did you read the comment?
+
+  programs.bash = {
+    enableCompletion = true;
+    interactiveShellInit = ''
+      export GOPATH=$HOME/go
+      export PATH=$PATH:$GOPATH/bin
+    '';
+  };
+
+  krebs.build.host = config.krebs.hosts.reagenzglas;
+
+  hardware.bluetooth.enable = true;
+}
diff --git a/jeschli/1systems/reagenzglas/hardware-configuration.nix b/jeschli/1systems/reagenzglas/hardware-configuration.nix
new file mode 100644
index 000000000..a6ab3f16e
--- /dev/null
+++ b/jeschli/1systems/reagenzglas/hardware-configuration.nix
@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/09130cf7-b71b-42ab-9fa3-cb3c745f1fc9";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/8bee50b3-5733-4373-a966-388def141774";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/DA40-AC19";
+      fsType = "vfat";
+    };
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 8;
+#  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/jeschli/1systems/reagenzglas/source.nix b/jeschli/1systems/reagenzglas/source.nix
new file mode 100644
index 000000000..7543de6b9
--- /dev/null
+++ b/jeschli/1systems/reagenzglas/source.nix
@@ -0,0 +1,4 @@
+import <stockholm/jeschli/source.nix> {
+  name = "reagenzglas";
+  secure = true;
+}
diff --git a/jeschli/2configs/copy-vim.nix b/jeschli/2configs/copy-vim.nix
new file mode 100644
index 000000000..43fcb1956
--- /dev/null
+++ b/jeschli/2configs/copy-vim.nix
@@ -0,0 +1,102 @@
+{ config, pkgs, ... }:
+
+
+# let 
+#   customPlugins.ultisnips = pkgs.vimUtils.buildVimPlugin {
+#     name = "ultisnips";
+#     src = pkgs.fetchFromGitHub {
+#       owner = "SirVer";
+#       repo = "ultisnips";
+#       rev = "3.1";
+#       sha256 = "0p9d91h9pm0nx0d77lqsgv6158q052cyj4nm1rd6zvbay9bkkf8b"; 
+#     };
+#   };
+#
+let
+  customPlugins.vim-javascript = pkgs.vimUtils.buildVimPlugin {
+    name = "vim-javascript";
+    src = pkgs.fetchFromGitHub {
+      owner = "pangloss";
+      repo = "vim-javascript";
+      rev = "1.2.5.1";
+      sha256 = "08l7ricd3j5h2bj9i566byh39v9n5wj5mj75f2c8a5dsc732b2k7";
+    };
+  };
+   customPlugins.vim-jsx = pkgs.vimUtils.buildVimPlugin {
+     name = "vim-jsx";
+     src = pkgs.fetchFromGitHub {
+       owner = "mxw";
+       repo = "vim-jsx";
+       rev = "5b968dfa512c57c38ad7fe420f3e8ab75a73949a";
+       sha256 = "1z3yhhbmbzfw68qjzyvpbmlyv2a1p814sy5q2knn04kcl30vx94a"; 
+     };
+   };
+in {
+# {
+  environment.systemPackages = [
+    (pkgs.vim_configurable.customize {
+      name = "vim";
+
+    vimrcConfig.customRC = ''
+	:imap jk <Esc>
+	:vmap v v
+	:map gr :GoRun<Enter>
+	:nnoremap <S-TAB> :bnext<CR>
+	:nnoremap <C-TAB> <c-w><c-w>
+	set autowrite
+	set number
+	set ruler
+
+	noremap x "_x
+	set clipboard=unnamedplus
+
+  let g:jsx_ext_required = 0
+
+	let g:go_list_type = "quickfix"
+	let g:go_test_timeout = '10s'
+	let g:go_fmt_command = "goimports"
+	let g:go_snippet_case_type = "camelcase"
+	let g:go_highlight_types = 1
+	let g:go_highlight_fields = 1
+	let g:go_highlight_functions = 1
+	let g:go_highlight_methods = 1
+  let g:go_highlight_extra_types = 1
+  autocmd BufNewFile,BufRead *.go setlocal noexpandtab tabstop=4 shiftwidth=4 
+  let g:rehash256 = 1
+  let g:molokai_original = 1
+  colorscheme molokai
+	let g:go_metalinter_enabled = ['vet', 'golint', 'errcheck']
+	let g:go_metalinter_autosave = 1
+	" let g:go_metalinter_autosave_enabled = ['vet', 'golint']
+	" let g:go_def_mode = 'godef'
+	" let g:go_decls_includes = "func,type"
+
+
+	" Trigger configuration. Do not use <tab> if you use https://github.com/Valloric/YouCompleteMe.
+	let g:UltiSnipsExpandTrigger="<c-e>"
+	let g:UltiSnipsJumpForwardTrigger="<c-t>"
+	let g:UltiSnipsJumpBackwardTrigger="<c-q>"
+
+	" If you want :UltiSnipsEdit to split your window.
+	let g:UltiSnipsEditSplit="vertical"
+
+	if has('persistent_undo')      "check if your vim version supports it
+	set undofile                 "turn on the feature  
+	set undodir=$HOME/.vim/undo  "directory where the undo files will be stored
+	endif     
+        '';
+
+       vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
+       vimrcConfig.vam.pluginDictionaries = [
+         { names = [ "undotree" "molokai" ]; } # wanted: fatih/molokai
+         # vim-nix handles indentation better but does not perform sanity
+         { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
+         { names = [ "vim-go" ]; ft_regex = "^go\$"; } # wanted: nsf/gocode
+         { names = [ "vim-javascript" ]; ft_regex = "^js\$"; }
+         { names = [ "vim-jsx" ]; ft_regex = "^js\$"; }
+         { names = [ "UltiSnips" ]; ft_regex = "^go\$"; } 
+       ];
+
+    })
+  ];
+}
diff --git a/jeschli/2configs/default.nix b/jeschli/2configs/default.nix
new file mode 100644
index 000000000..7fb240951
--- /dev/null
+++ b/jeschli/2configs/default.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  imports = [
+    ./vim.nix
+    ./retiolum.nix
+    {
+      environment.variables = {
+        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
+      };
+    }
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+  #stockholm
+    git
+    gnumake
+    jq
+    parallel
+    proot
+    populate
+
+  #style
+    most
+    rxvt_unicode.terminfo
+
+  #monitoring tools
+    htop
+    iotop
+
+  #network
+    iptables
+    iftop
+
+  #stuff for dl
+    aria2
+
+  #neat utils
+    file
+    kpaste
+    krebspaste
+    mosh
+    pciutils
+    psmisc
+   # q
+   # rs
+    tmux
+    untilport
+    usbutils
+  #  logify
+    goify
+
+  #unpack stuff
+    p7zip
+    unzip
+    unrar
+
+    (pkgs.writeDashBin "sshn" ''
+      ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
+    '')
+  ];
+
+  krebs.enable = true;
+}
diff --git a/jeschli/2configs/retiolum.nix b/jeschli/2configs/retiolum.nix
new file mode 100644
index 000000000..403300b30
--- /dev/null
+++ b/jeschli/2configs/retiolum.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+
+  krebs.tinc.retiolum = {
+    enable = true;
+    connectTo = [
+      "prism"
+      "gum"
+      "ni"
+      "dishfire"
+    ];
+  };
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    tinc = pkgs.tinc_pre;
+  };
+
+  environment.systemPackages = [
+    pkgs.tinc
+  ];
+}
diff --git a/jeschli/2configs/vim.nix b/jeschli/2configs/vim.nix
new file mode 100644
index 000000000..f6c736fbc
--- /dev/null
+++ b/jeschli/2configs/vim.nix
@@ -0,0 +1,373 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+  out = {
+    environment.systemPackages = [
+      (hiPrio vim)
+      pkgs.python35Packages.flake8
+    ];
+
+    environment.etc.vimrc.source = vimrc;
+
+    environment.variables.EDITOR = mkForce "vim";
+    environment.variables.VIMINIT = ":so /etc/vimrc";
+  };
+
+  vimrc = pkgs.writeText "vimrc" ''
+    set nocompatible
+
+    set autoindent
+    set backspace=indent,eol,start
+    set backup
+    set backupdir=${dirs.backupdir}/
+    set directory=${dirs.swapdir}//
+    set hlsearch
+    set incsearch
+    set mouse=a
+    set ruler
+    set pastetoggle=<INS>
+    set runtimepath=${extra-runtimepath},$VIMRUNTIME
+    set shortmess+=I
+    set showcmd
+    set showmatch
+    set ttimeoutlen=0
+    set undodir=${dirs.undodir}
+    set undofile
+    set undolevels=1000000
+    set undoreload=1000000
+    set viminfo='20,<1000,s100,h,n${files.viminfo}
+    set visualbell
+    set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
+    set wildmenu
+    set wildmode=longest,full
+
+    set title
+    set titleold=
+    set titlestring=(vim)\ %t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername}
+
+    set et ts=2 sts=2 sw=2
+
+    filetype plugin indent on
+
+    set t_Co=256
+    colorscheme hack
+    syntax on
+
+    au Syntax * syn match Garbage containedin=ALL /\s\+$/
+            \ | syn match TabStop containedin=ALL /\t\+/
+            \ | syn keyword Todo containedin=ALL TODO
+
+    au BufRead,BufNewFile *.hs so ${hs.vim}
+
+    au BufRead,BufNewFile *.nix so ${nix.vim}
+
+    au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
+
+    "Syntastic config
+    let g:syntastic_python_checkers=['flake8']
+    let g:syntastic_python_flake8_post_args='--ignore=E501'
+
+    nmap <esc>q :buffer 
+    nmap <M-q> :buffer 
+
+    cnoremap <C-A> <Home>
+
+    noremap  <C-c> :q<cr>
+    vnoremap < <gv
+    vnoremap > >gv
+
+    nnoremap <esc>[5^  :tabp<cr>
+    nnoremap <esc>[6^  :tabn<cr>
+    nnoremap <esc>[5@  :tabm -1<cr>
+    nnoremap <esc>[6@  :tabm +1<cr>
+
+    nnoremap <f1> :tabp<cr>
+    nnoremap <f2> :tabn<cr>
+    inoremap <f1> <esc>:tabp<cr>
+    inoremap <f2> <esc>:tabn<cr>
+
+    " <C-{Up,Down,Right,Left>
+    noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
+    noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
+    noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
+    noremap <esc>Od <nop> | noremap! <esc>Od <nop>
+    " <[C]S-{Up,Down,Right,Left>
+    noremap <esc>[a <nop> | noremap! <esc>[a <nop>
+    noremap <esc>[b <nop> | noremap! <esc>[b <nop>
+    noremap <esc>[c <nop> | noremap! <esc>[c <nop>
+    noremap <esc>[d <nop> | noremap! <esc>[d <nop>
+
+    " search with ack
+    let g:ackprg = 'ag --vimgrep'
+    cnoreabbrev Ack Ack!
+
+    " copy/paste from/to xclipboard
+    noremap x "_x
+    set clipboard=unnamedplus
+  '';
+
+  extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+    pkgs.vimPlugins.ack-vim
+    pkgs.vimPlugins.Gundo
+    pkgs.vimPlugins.Syntastic
+    pkgs.vimPlugins.undotree
+    pkgs.vimPlugins.vim-go
+    (pkgs.vimUtils.buildVimPlugin {
+      name = "file-line-1.0";
+      src = pkgs.fetchFromGitHub {
+        owner = "bogado";
+        repo = "file-line";
+        rev = "1.0";
+        sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
+      };
+    })
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "hack";
+    in {
+      name = "vim-color-${name}-1.0.2";
+      destination = "/colors/${name}.vim";
+      text = /* vim */ ''
+        set background=dark
+        hi clear
+        if exists("syntax_on")
+          syntax clear
+        endif
+
+        let colors_name = ${toJSON name}
+
+        hi Normal       ctermbg=235
+        hi Comment      ctermfg=242
+        hi Constant     ctermfg=062
+        hi Identifier   ctermfg=068
+        hi Function     ctermfg=041
+        hi Statement    ctermfg=167
+        hi PreProc      ctermfg=167
+        hi Type         ctermfg=041
+        hi Delimiter    ctermfg=251
+        hi Special      ctermfg=062
+
+        hi Garbage      ctermbg=088
+        hi TabStop      ctermbg=016
+        hi Todo         ctermfg=174 ctermbg=NONE
+
+        hi NixCode      ctermfg=148
+        hi NixData      ctermfg=149
+        hi NixQuote     ctermfg=150
+
+        hi diffNewFile  ctermfg=207
+        hi diffFile     ctermfg=207
+        hi diffLine     ctermfg=207
+        hi diffSubname  ctermfg=207
+        hi diffAdded    ctermfg=010
+        hi diffRemoved  ctermfg=009
+      '';
+    })))
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "vim";
+    in {
+      name = "vim-syntax-${name}-1.0.0";
+      destination = "/syntax/${name}.vim";
+      text = /* vim */ ''
+        ${concatMapStringsSep "\n" (s: /* vim */ ''
+          syn keyword vimColor${s} ${s}
+            \ containedin=ALLBUT,vimComment,vimLineComment
+          hi vimColor${s} ctermfg=${s}
+        '') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
+      '';
+    })))
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "showsyntax";
+    in {
+      name = "vim-plugin-${name}-1.0.0";
+      destination = "/plugin/${name}.vim";
+      text = /* vim */ ''
+        if exists('g:loaded_showsyntax')
+          finish
+        endif
+        let g:loaded_showsyntax = 0
+
+        fu! ShowSyntax()
+          let id = synID(line("."), col("."), 1)
+          let name = synIDattr(id, "name")
+          let transName = synIDattr(synIDtrans(id),"name")
+          if name != transName
+            let name .= " (" . transName . ")"
+          endif
+          echo "Syntax: " . name
+        endfu
+
+        command! -n=0 -bar ShowSyntax :call ShowSyntax()
+      '';
+    })))
+  ];
+
+  dirs = {
+    backupdir = "$HOME/.cache/vim/backup";
+    swapdir   = "$HOME/.cache/vim/swap";
+    undodir   = "$HOME/.cache/vim/undo";
+  };
+  files = {
+    viminfo   = "$HOME/.cache/vim/info";
+  };
+
+  mkdirs = let
+    dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
+               in assert out != ""; out;
+    alldirs = attrValues dirs ++ map dirOf (attrValues files);
+  in unique (sort lessThan alldirs);
+
+  vim = pkgs.symlinkJoin {
+    name = "vim";
+    paths = [
+      (pkgs.writeDashBin "vim" ''
+        set -efu
+        (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
+        exec ${pkgs.vim}/bin/vim "$@"
+      '')
+      pkgs.vim
+    ];
+  };
+
+  hs.vim = pkgs.writeText "hs.vim" ''
+    syn region String start=+\[[[:alnum:]]*|+ end=+|]+
+
+    hi link ConId Identifier
+    hi link VarId Identifier
+    hi link hsDelimiter Delimiter
+  '';
+
+  nix.vim = pkgs.writeText "nix.vim" ''
+    setf nix
+
+    " Ref <nix/src/libexpr/lexer.l>
+    syn match NixID    /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
+    syn match NixINT   /\<[0-9]\+\>/
+    syn match NixPATH  /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+    syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+    syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
+    syn match NixURI   /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
+    syn region NixSTRING
+      \ matchgroup=NixSTRING
+      \ start='"'
+      \ skip='\\"'
+      \ end='"'
+    syn region NixIND_STRING
+      \ matchgroup=NixIND_STRING
+      \ start="'''"
+      \ skip="'''\('\|[$]\|\\[nrt]\)"
+      \ end="'''"
+
+    syn match NixOther /[():/;=.,?\[\]]/
+
+    syn match NixCommentMatch /\(^\|\s\)#.*/
+    syn region NixCommentRegion start="/\*" end="\*/"
+
+    hi link NixCode Statement
+    hi link NixData Constant
+    hi link NixComment Comment
+
+    hi link NixCommentMatch NixComment
+    hi link NixCommentRegion NixComment
+    hi link NixID NixCode
+    hi link NixINT NixData
+    hi link NixPATH NixData
+    hi link NixHPATH NixData
+    hi link NixSPATH NixData
+    hi link NixURI NixData
+    hi link NixSTRING NixData
+    hi link NixIND_STRING NixData
+
+    hi link NixEnter NixCode
+    hi link NixOther NixCode
+    hi link NixQuote NixData
+
+    syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
+    syn cluster nix_ind_strings contains=NixIND_STRING
+    syn cluster nix_strings contains=NixSTRING
+
+    ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
+      startAlts = filter isString [
+        ''/\* ${lang} \*/''
+        extraStart
+      ];
+      sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
+    in /* vim */ ''
+      syn include @nix_${lang}_syntax syntax/${lang}.vim
+      unlet b:current_syntax
+
+      syn match nix_${lang}_sigil
+        \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
+        \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
+        \ transparent
+
+      syn region nix_${lang}_region_STRING
+        \ matchgroup=NixSTRING
+        \ start='"'
+        \ skip='\\"'
+        \ end='"'
+        \ contained
+        \ contains=@nix_${lang}_syntax
+        \ transparent
+
+      syn region nix_${lang}_region_IND_STRING
+        \ matchgroup=NixIND_STRING
+        \ start="'''"
+        \ skip="'''\('\|[$]\|\\[nrt]\)"
+        \ end="'''"
+        \ contained
+        \ contains=@nix_${lang}_syntax
+        \ transparent
+
+      syn cluster nix_ind_strings
+        \ add=nix_${lang}_region_IND_STRING
+
+      syn cluster nix_strings
+        \ add=nix_${lang}_region_STRING
+
+      syn cluster nix_has_dollar_curly
+        \ add=@nix_${lang}_syntax
+    '') {
+      c = {};
+      cabal = {};
+      haskell = {};
+      sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
+      vim.extraStart =
+        ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
+    })}
+
+    " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
+    syn clear shVarAssign
+
+    syn region nixINSIDE_DOLLAR_CURLY
+      \ matchgroup=NixEnter
+      \ start="[$]{"
+      \ end="}"
+      \ contains=TOP
+      \ containedin=@nix_has_dollar_curly
+      \ transparent
+
+    syn region nix_inside_curly
+      \ matchgroup=NixEnter
+      \ start="{"
+      \ end="}"
+      \ contains=TOP
+      \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
+      \ transparent
+
+    syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
+      \ containedin=@nix_ind_strings
+      \ contained
+
+    syn match NixQuote /\\./he=s+1
+      \ containedin=@nix_strings
+      \ contained
+
+    syn sync fromstart
+
+    let b:current_syntax = "nix"
+
+    set isk=@,48-57,_,192-255,-,'
+  '';
+in
+out
diff --git a/jeschli/default.nix b/jeschli/default.nix
new file mode 100644
index 000000000..7886fef49
--- /dev/null
+++ b/jeschli/default.nix
@@ -0,0 +1,9 @@
+_:
+{
+  imports = [
+    ../krebs
+    ./2configs
+#    ./3modules
+#    ./5pkgs
+  ];
+}
diff --git a/jeschli/source.nix b/jeschli/source.nix
new file mode 100644
index 000000000..d5e14a8dc
--- /dev/null
+++ b/jeschli/source.nix
@@ -0,0 +1,22 @@
+with import <stockholm/lib>;
+host@{ name, secure ? false, override ? {} }: let
+  builder = if getEnv "dummy_secrets" == "true"
+              then "buildbot"
+              else "jeschli";
+  _file = <stockholm> + "/jeschli/1systems/${name}/source.nix";
+in
+  evalSource (toString _file) [
+    {
+      nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
+      nixpkgs.git = {
+        url = https://github.com/nixos/nixpkgs;
+        ref = "f9390d6";
+      };
+      secrets.file = getAttr builder {
+        buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
+        jeschli = "/home/jeschli/secrets/${name}";
+      };
+      stockholm.file = toString <stockholm>;
+    }
+    override
+  ]
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index adbc1ebe1..b56f5c543 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -104,7 +104,7 @@ in
                     "dummy_secrets": "true",
                   },
                   command=[
-                    "nix-shell", "--run", " ".join(["test",
+                    "nix-shell", "-I", "stockholm=.", "--run", " ".join(["test",
                       "--user={}".format(user),
                       "--system={}".format(host),
                       "--force-populate",
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 5bedbcf25..caeef2885 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -61,6 +61,7 @@ let
 
     hosts = mkOption {
       type = with types; attrsOf host;
+      default = {};
     };
 
     users = mkOption {
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index d2c3000d6..ecf549df9 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -535,6 +535,86 @@ with import <stockholm/lib>;
         };
       };
     };
+    reagenzglas = {
+      ci = false;
+      external = true;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.27.27";
+          ip6.addr = "42::27";
+          aliases = [
+            "reagenzglas.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIECgKCBAEA4Tbq6aiMhPz55Of/WDEmESGmScRJedQSJoyRuDEDabEktdbP/m7P
+            bwpLp0lGYphx42+lutFcYOGoH/Lglfj39yhDcrpkYfTnzcGOWutXGuZ+iR5vmGj0
+            utJRf/4+a4sB5NboBVZ9Ke/RTjDNSov00C2hFCYTXz89Gd2ap1nDPQpnejOS+9aO
+            2W6P/WIKhRH7TfW6M7mUCrjVxWXZgdfSCQYxAXU/+1uAGmJ9qlGlQUIGUGv9Znv5
+            hurqwAHzSgEkKc2iUumosz6a8W9Oo3TAEC+jMEO2l/+GJ/8VysG1wtLWDX03GU3u
+            mBAtrJppEw4QNPTeFg6XSFIwV8Z0fWZ4lGsPJLbAkLUMxtKVWKbdrdpnmiQpLfBW
+            8BRbT1pjwEdw0hefA6NwCO3/Y5piEaUEz/gYz9xHFMDXUj9stHtaF0HaqonWyb06
+            aX3EEqRBxVsj6/Sgd33b77xqY4WBoOlbhfWj+EAD1Ova26lHELpAg0Z4AncpyOzw
+            pJcX81U8GgQp899YAc3EAldFfiu094CvM2NKd110K90VlTpos+sqFfNE87vpprMu
+            3d1NsYzf+FUM/aXASlqTNL+i8qBDAlODkLdj4+VZ2BjkSH+p2BLZouizSzu4X3I/
+            lfy554Dbb/98zlwmX9JrWzBRs2GxxFdIDZ1jK+Ci5qM7oTfujBwiE4jZA6wlK8u5
+            +IenSBdaJb0J8nS0Bziz/BLkuBCrl/YFelpZlY0pw6WYlraKbf/nsOpumOYh6zdz
+            9jiIPElGvso9FhwigX7xWCiYMK3ryAqm8CL0cTscQW3Yy2JKm1tNIQtAacwnNVli
+            PqdnPJSo942I+Fl6ZPjZ19ivJIqC+2TjGEY2Et8DkiL6YZfy4bM1zhoWMlXBIil0
+            ynnKR/h/CC67cq94JCbtRWKiYXIYtfHPQkS7S1Lk6aSYbIch/wROyh7XJ7EGE7nn
+            GAVMqI/P/qbW3rwEJGXzI4eJAHa2hwpP2Slimf6uUD/6L2bAnduhYoTsnNSjJmNE
+            hCC+MHohzk7+isZl0jwIEcMpsohMAwoa5BEhbuYJWeUesT/4PeddLIGYubTZAXp2
+            ZdYRepSNUEhSZV0H99MhlqeooDJxnWpsiba5Gb0s6p4gTReGy0jMtWnxI2P5RUFX
+            vEGt77v4MGrWYTzAL/ZRmESsOj7TXqpSK5YcMC2nr8PcV66LuMjOkRrGoVOV3fBe
+            G/9pNVb68SRwfPoGa5nGe6C7GPcgko9rgGLLcU1r/4L2bqFhdIQdSfaUX2Hscm44
+            5GdN2UvuwwVxOyU1uPqJcBNnr2yt3x3kw5+zDQ00z/pFntTXWm19m6BUtbkdwN2x
+            Bn1P3P/mRTEaHxQr9RGg8Zjnix/Q6G7I5QIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
+    xerxes = {
+      cores = 2;
+      nets = rec {
+        retiolum = {
+          ip4.addr = "10.243.1.3";
+          ip6.addr = "42::1:3";
+          aliases = [
+            "xerxes.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
+            MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
+            gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
+            /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
+            mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
+            X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
+            +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
+            hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
+            3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
+            H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
+            JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
+            hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
+            SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
+            4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
+            vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
+            Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
+            scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
+            jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
+            Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
+            /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
+            bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
+            sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      secure = true;
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
+    };
   };
   users = {
     lass = {
@@ -563,6 +643,10 @@ with import <stockholm/lib>;
       mail = "lass@icarus.r";
       pubkey = builtins.readFile ./ssh/icarus.rsa;
     };
+    lass-xerxes = {
+      mail = "lass@xerxes.r";
+      pubkey = builtins.readFile ./ssh/xerxes.rsa;
+    };
     fritz = {
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
     };
@@ -583,5 +667,8 @@ with import <stockholm/lib>;
       pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
       mail = "joerg@higgsboson.tk";
     };
+    jeschli = {
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01";
+    };
   };
 }
diff --git a/krebs/3modules/lass/ssh/xerxes.rsa b/krebs/3modules/lass/ssh/xerxes.rsa
new file mode 100644
index 000000000..2b5da7b25
--- /dev/null
+++ b/krebs/3modules/lass/ssh/xerxes.rsa
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGjBN0aFs6GxNwMjCvlddbN6+vb6LZuWiWWe+wbAynaGuGbae0TXCLp0/eMNy7fH8poDjpdW9M4mKbBFKOqyG8WJLCPFoQw761tjKl1hccJn0hFSkQAEGKxtfzHlAl/Mz+59yvqNg7/WNSivv41hE7btYltzRy238VQDYFv2eLM7acyxrgGo7tWOtkbpfELj5cM8Qw1j3TF9bGV5pK6IOEtaHbmalS8Iiz77syAu+6E/y6zKBTtGMHI15l6RNJ/Y7A1LM/WwuNL+9dJMYWJFVHy3/4dpaxiioHREiSawUbz9wNHknCrT6vaPCIVVcujhz9Oee1C5UiYUyyfJrFYdlzaTg7FuLNIt2hKMY6NYx1D8/Pwpq1JOsaEfK/K5ytCgaJb115mRevcaUA5s7KYNWHmmZvy08JzCgSM6ZPRtfkQIcha77wVq6DugJ+KgBz+oADQRKiaMrumOMldd0B3q4Oxb71gDTE1XLAbWJnd/0Up1H5GAtZZUUrMUslZiU/23R6SOkyEMLWQTx/KgkWcz8DZLtib5o03uZpfJDVqp2CR+sjmy4x9aa+lSaOzuZP0KRyg+mOKl0o3zL7TNAzrzSCORVBg7nOh+0SPJkDxVRkc6dVY1L3ZOfdm2P/19fhWEr5ECgVrmYYKnDPwWY1iWJlZsiEc3Mj7KB1m44ov0FJg2hiNnydImqcXTCoszp515MBmeHnpqJsqEZuWS8dAnaEiOwZaSKIO1E7lQ7CoP86+eD4yAwLq6fb2tgjHT69LgDMaIha4hMfrO2o4UDVw9OZMfnPtyatI4pxplaQDoQM1p0dej0rZ7uxL1tfoKAyT0UCdtjhxfnNs0x1gOQbML4eGbqyKuyF82eOQRgKRDqH/tParoE4SRBVi7o3s0kILRmXA3ng3n1uhEiGwPTH8JsQ9huM+XOhH8+CzQeg4yb/jCrhsDzvLaW654+ouq9G+kjwqmO4vLNs5eZxfae84rppbS2MJqK1x8rkJixvKBKEfvYJOuDNV+hXyMbToaq8qtGy7cCSq4+UDio3DsSHY0Tpt9e+yEzoOOqFQLQyq6uHv/+u9MY+VADoa4N64U3S2SXul9tE3g6hOAY0F5BYMbxQSuj59kzwghlAmbsyWN2FCmWdsfCQkkZX7wCTj20DtZB/GdVSGNgHGAoU5JZrXKca3A2Yc9hzbYjyNYr0NmQ9NUbkbaOkcYJRIUXtS2OBOHP+FoUkkqL3ieKXR07l5xJbWLzbyVUxN9Zii4Baj5xnDO/RLZPDvTUxbER/0d1orMZztL2EKmfSn4j4uhWqpi04Rg9sWH+WVLAq22EKhAuqcFEOUimjcyZWYKxcAq5Z51NJNBQB7euz55eCJUZkBUYEpNuYr0UDlmBxKB2r6ZWDeNXT7eLxBdwDHCHSqXV7qOG1vMhHtjbbxmQMnkQ4InhO9TdpaN3tj67nGmc6hhgYO4b7NvyL1/pvDPrHrR/3GzkDkwqvt3uESdVdqAJSCk6gFh9V1aGs= lass@xerxes
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 080b8fced..9f1842b88 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -107,7 +107,7 @@ with import <stockholm/lib>;
       ci = true;
       cores = 1;
       ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte";
+      # ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte";
       nets = {
         internet = {
           ip4.addr = "185.215.224.160";
@@ -500,7 +500,7 @@ with import <stockholm/lib>;
         };
         retiolum = {
           ip4.addr = "10.243.214.15";
-          ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
+          # ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
           aliases = [
             "wbob.r"
           ];
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index 0211b31ba..b2e3aa7c5 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -173,6 +173,7 @@ let
           REPONAME = "${name}.git";
         };
 
+        restartIfChanged = false;
         serviceConfig = {
           Type = "simple";
           PermissionsStartOnly = true;
diff --git a/krebs/5pkgs/simple/apt-cacher-ng/default.nix b/krebs/5pkgs/simple/apt-cacher-ng/default.nix
deleted file mode 100644
index e3986713b..000000000
--- a/krebs/5pkgs/simple/apt-cacher-ng/default.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ stdenv, fetchurl, cmake, doxygen, zlib, openssl, bzip2, pkgconfig, libpthreadstubs }:
-
-stdenv.mkDerivation rec {
-  name = "apt-cacher-ng-${version}";
-  version = "2";
-
-  src = fetchurl {
-    url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz";
-    sha256 = "0bkc3012vinridl5ch46pwnxjalymx4wf6nxax64nm7bdkcj9azf";
-  };
-
-  NIX_LDFLAGS = "-lpthread";
-  buildInputs = [ doxygen cmake zlib openssl bzip2 pkgconfig libpthreadstubs ];
-
-  meta = {
-    description = "A caching proxy specialized for linux distribution files";
-    homepage = http://www.unix-ag.uni-kl.de/~bloch/acng/;
-    license = stdenv.lib.licenses.gpl2;
-    maintainers = [ stdenv.lib.maintainers.makefu ];
-  };
-}
diff --git a/krebs/source.nix b/krebs/source.nix
index 39a388e03..73e216900 100644
--- a/krebs/source.nix
+++ b/krebs/source.nix
@@ -14,6 +14,6 @@ in
     stockholm.file = toString <stockholm>;
     nixpkgs.git = {
       url = https://github.com/NixOS/nixpkgs;
-      ref = "0c5a587eeba5302ff87e494baefd2f14f4e19bee"; # nixos-17.09 @ 2017-11-10
+      ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13
     };
   }
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index fee43f8cd..ad133802f 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -179,7 +179,7 @@ with import <stockholm/lib>;
         echo 'secrets are crypted' >&2
         exit 23
       else
-        exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
+        exec nix-shell -I stockholm="$PWD" --run 'deploy --diff --system="$SYSTEM"'
       fi
     '';
     predeploy = pkgs.writeDash "predeploy" ''
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index b18abf509..87270b8b8 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -287,6 +287,15 @@ in {
     }
     <stockholm/krebs/2configs/reaktor-krebs.nix>
     <stockholm/lass/2configs/dcso-dev.nix>
+    {
+      krebs.git.rules = [
+        {
+          user = [ config.krebs.users.jeschli ];
+          repo = [ config.krebs.git.repos.stockholm ];
+          perm = with git; push "refs/heads/staging/jeschli" [ fast-forward non-fast-forward create delete merge ];
+        }
+      ];
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix
new file mode 100644
index 000000000..0669748f5
--- /dev/null
+++ b/lass/1systems/xerxes/config.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/hw/gpd-pocket.nix>
+    <stockholm/lass/2configs/boot/stock-x220.nix>
+
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/exim-retiolum.nix>
+    <stockholm/lass/2configs/baseX.nix>
+    <stockholm/lass/2configs/browsers.nix>
+    <stockholm/lass/2configs/programs.nix>
+    <stockholm/lass/2configs/fetchWallpaper.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.xerxes;
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0"
+  '';
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437";
+    fsType = "btrfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/16C8-D053";
+    fsType = "vfat";
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358";
+    fsType = "btrfs";
+  };
+
+  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ];
+  networking.wireless.enable = true;
+}
diff --git a/lass/1systems/xerxes/source.nix b/lass/1systems/xerxes/source.nix
new file mode 100644
index 000000000..11f5bf796
--- /dev/null
+++ b/lass/1systems/xerxes/source.nix
@@ -0,0 +1,11 @@
+with import <stockholm/lib>;
+import <stockholm/lass/source.nix> {
+  name = "xerxes";
+  secure = true;
+  override = {
+    nixpkgs.git = mkForce {
+      url = https://github.com/lassulus/nixpkgs;
+      ref = "3eccd0b";
+    };
+  };
+}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 32a9f66cf..9712bafff 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -112,10 +112,6 @@ in {
     xkbOptions = "caps:backspace";
   };
 
-  services.logind.extraConfig = ''
-    HandleLidSwitch=ignore
-  '';
-
   services.urxvtd.enable = true;
   services.xresources.enable = true;
   lass.screenlock.enable = true;
diff --git a/lass/2configs/br.nix b/lass/2configs/br.nix
index 35bac8fee..ad307c797 100644
--- a/lass/2configs/br.nix
+++ b/lass/2configs/br.nix
@@ -18,7 +18,7 @@ with import <stockholm/lib>;
       netDevices = {
         bra = {
           model = "MFCL2700DN";
-          ip = "10.23.42.221";
+          ip = "10.42.23.221";
         };
       };
     };
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index 6c381863c..9459cfd6f 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -5,19 +5,23 @@ let
 
   mainUser = config.users.extraUsers.mainUser;
 
-  browser-select = pkgs.writeScriptBin "browser-select" ''
-    BROWSER=$(echo -e "${concatStringsSep "\\n" (attrNames config.lass.browser.paths)}" | ${pkgs.dmenu}/bin/dmenu)
+  browser-select = let
+    sortedPaths = sort (a: b: a.value.precedence > b.value.precedence)
+                       (mapAttrsToList (name: value: { inherit name value; })
+                                       config.lass.browser.paths);
+  in pkgs.writeScriptBin "browser-select" ''
+    BROWSER=$(echo -e "${concatStringsSep "\\n" (map (getAttr "name") sortedPaths)}" | ${pkgs.dmenu}/bin/dmenu)
     case $BROWSER in
     ${concatMapStringsSep "\n" (n: ''
-      ${n})
-        export BIN=${config.lass.browser.paths.${n}}/bin/${n}
+      ${n.name})
+        export BIN=${n.value.path}/bin/${n.name}
         ;;
-    '') (attrNames config.lass.browser.paths)}
+    '') (sortedPaths)}
     esac
     $BIN "$@"
   '';
 
-  createChromiumUser = name: extraGroups:
+  createChromiumUser = name: extraGroups: precedence:
     let
       bin = pkgs.writeScriptBin name ''
         /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@
@@ -31,7 +35,7 @@ let
         useDefaultShell = true;
         createHome = true;
       };
-      lass.browser.paths.${name} = bin;
+      lass.browser.paths.${name}.path = bin;
       security.sudo.extraConfig = ''
         ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
       '';
@@ -40,10 +44,10 @@ let
       ];
     };
 
-  createFirefoxUser = name: extraGroups:
+  createFirefoxUser = name: extraGroups: precedence:
     let
       bin = pkgs.writeScriptBin name ''
-        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
+        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox-devedition-bin}/bin/firefox-devedition $@
       '';
     in {
       users.extraUsers.${name} = {
@@ -54,7 +58,10 @@ let
         useDefaultShell = true;
         createHome = true;
       };
-      lass.browser.paths.${name} = bin;
+      lass.browser.paths.${name} = {
+        path = bin;
+        inherit precedence;
+      };
       security.sudo.extraConfig = ''
         ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
       '';
@@ -79,14 +86,24 @@ in {
         type = types.path;
       };
       options.lass.browser.paths = mkOption {
-        type = with types; attrsOf path;
+        type = types.attrsOf (types.submodule ({
+          options = {
+            path = mkOption {
+              type = types.path;
+            };
+            precedence = mkOption {
+              type = types.int;
+              default = 0;
+            };
+          };
+        }));
       };
     }
-    ( createFirefoxUser "ff" [ "audio" ] )
-    ( createChromiumUser "cr" [ "video" "audio" ] )
+    ( createFirefoxUser "ff" [ "audio" ] 10 )
+    ( createChromiumUser "cr" [ "video" "audio" ] 9 )
+    ( createChromiumUser "gm" [ "video" "audio" ] 8 )
     ( createChromiumUser "wk" [ "video" "audio" ] )
     ( createChromiumUser "fb" [ "video" "audio" ] )
-    ( createChromiumUser "gm" [ "video" "audio" ] )
     ( createChromiumUser "com" [ "video" "audio" ] )
   ];
 }
diff --git a/lass/2configs/dcso-dev.nix b/lass/2configs/dcso-dev.nix
index b7fcc7aab..2b91f91d6 100644
--- a/lass/2configs/dcso-dev.nix
+++ b/lass/2configs/dcso-dev.nix
@@ -15,6 +15,7 @@ in {
       createHome = true;
       openssh.authorizedKeys.keys = [
         config.krebs.users.lass.pubkey
+        config.krebs.users.lass-android.pubkey
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhQdDQFMxXOjbC+Avx3mlcFHqQpFUk/q9sO6ATA65jCV3YzN11vhZDDv54hABVS2h8TPXs7Lu3PCvK9qouASd2h4Ie9cExUmn50G/iwgFIODsCugVYBzVt1iwaAdwz1Hb9DKYXbVXanzVJjimmrrlQNvsyZg85lcnfyedpPX5ad+4FdSP68LHqEHC18LTitldR6V4P1omaKHlOtVpDgR/72tDgbtNZDBn3EU+TPk9OLTzjc6PinPw4iIvjEfiu14APwXpFDIqT7P7SjOEFpa0v/1z7dhxIy/Z9XbqyEdUfhv3PjZR5K2C+VzR7g6jVEVR2xFId51MpLv/Un4/lalbphBEw3I90Rr8tatOJiFhyrXbaKTcLqp1sIu05OxdPkm3hzfmLIhoKxhaIlXH7WQ9sAqxL1NAQ7O+J6yT4DMnwKzvpkkJjBaGtV84Pp1cccfNRH8XXID3FkWkrUpdgXWBpyLnRq4ilUJTajkU0GSdXkq8kLL3mWg9LPRTg3dmDj61ZB/qhjM61ppwHJvDRN9WI5HruXIU6nOQjh5yE2C/JZfLcsZD4Y1UDBy5/JSZrCVT2sQjFopkkYEkRCbX7oITHOH4iyRdxZkKWLUPboFrcmBpXO+owCEhO4JZrtfFWMC6qM++nrmiZWOrdIOIvdYHWluhKR2shlkisEKQP5pUqkw== markus.hihn@dcso.de"
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1T5+2epslFARSnETdr4wdolA6ocJaD4H9tmz6BZFQKXlwIq+OMp+sSEdwYwW3Lu9+mNbBHPxVVJDWg/We9DXB0ezXPM5Bs1+FcehmkoGwkmgKaFCDt0sL+CfSnog/3wEkN21O/rQxVFqMmiJ7WUDGci6IKCFZ5ZjOsmmfHg5p3LYxU9xv33fNr2v+XauhrGbFtQ7eDz4kSywxN/aw73LN4d8em0V0UV8VPI3Qkw7MamDFwefA+K1TfK8pBzMeruU6N7HLuNkpkAp7kS+K4Zzd72aQtR37a5qMiFUbOxQ9B7iFypuPx0iu6ZwY1s/sM8t3kLmcDJ9O4FOTzlbpneet3as6iJ+Ckr/TlfKor2Tl5pWcXh2FXHoG8VUu5bYmIViJBrKihAlAQfQN0mJ9fdFTnCXVTtbYTy11s4eEVHgUlb7oSpgBnx5bnBONgApbsOX9zyoo8wz8KkZBcf1SQpkV5br8uUAHCcZtHuY6I3kKlv+8lJmgUipiYzMdTi7+dHa49gVEcEKL4ZnJ0msQkl4XT7JjKETLvumC4/TIqVuRu48wuYalkCR9OzxCsTXQ/msBJBztPdYLrEOXVb2HfzuCT+43UuMQ5rP/EoPy0TWQO9BaqfEXqvbOvWjVxj/GMvglQ2ChZTwHxwwTKB8qRVvJLnbZQwizQiSrkzjb6hRJfQ== u0_a165@localhost"
       ];
@@ -42,6 +43,10 @@ in {
     };
   };
 
+  krebs.per-user.dev.packages = [
+    pkgs.go
+  ];
+
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(dev) NOPASSWD: ALL
   '';
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index f8b750093..0e00dc2fd 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -22,6 +22,7 @@ with import <stockholm/lib>;
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-shodan.pubkey
             config.krebs.users.lass-icarus.pubkey
+            config.krebs.users.lass-xerxes.pubkey
           ];
         };
         mainUser = {
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 763633dd9..2d848773f 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -48,6 +48,7 @@ with import <stockholm/lib>;
       { from = "tomtop@lassul.us"; to = lass.mail; }
       { from = "aliexpress@lassul.us"; to = lass.mail; }
       { from = "business@lassul.us"; to = lass.mail; }
+      { from = "payeer@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index d114a826d..6cea271c1 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -57,7 +57,7 @@ let
 
 in {
   environment.systemPackages = with pkgs; [
-    dwarf_fortress
+    (dwarf-fortress.override { theme = dwarf-fortress-packages.phoebus-theme; })
     doom1
     doom2
     vdoom1
diff --git a/lass/2configs/hw/gpd-pocket.nix b/lass/2configs/hw/gpd-pocket.nix
new file mode 100644
index 000000000..87b4c518b
--- /dev/null
+++ b/lass/2configs/hw/gpd-pocket.nix
@@ -0,0 +1,28 @@
+{ pkgs, ... }:
+
+let
+  dummy_firmware = pkgs.writeTextFile {
+    name = "brcmfmac4356-pcie.txt";
+    text = builtins.readFile ./brcmfmac4356-pcie.txt;
+    destination = "/lib/firmware/brcm/brcmfmac4356-pcie.txt";
+  };
+in {
+  #imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+  hardware.firmware = [ dummy_firmware ];
+  hardware.enableRedistributableFirmware = true;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" "sdhci_pci" ];
+  boot.kernelPackages = pkgs.linuxPackages_4_14;
+  boot.kernelParams = [
+    "fbcon=rotate:1"
+  ];
+  services.xserver.displayManager.sessionCommands = ''
+    (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output DSI1 --rotate right)
+    (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop 'Goodix Capacitive TouchScreen' 'Coordinate Transformation Matrix' 0 1 0 -1 0 1 0 0 1)
+  '';
+  services.xserver.dpi = 200;
+  fonts.fontconfig.dpi = 200;
+  lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola";
+  lass.fonts.bold =    "xft:Hack-Bold:pixelsize=22,xft:Symbola";
+  lass.fonts.italic =  "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol";
+}
diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix
index bf7decc40..f5651da13 100644
--- a/lass/2configs/hw/x220.nix
+++ b/lass/2configs/hw/x220.nix
@@ -29,4 +29,9 @@
       options = ["nosuid" "nodev" "noatime"];
     };
   };
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
+
 }
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 77f0c79e3..25ca1f455 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -153,15 +153,15 @@ in {
   };
 
   security.acme.certs."cgit.lassul.us" = {
-    email = "lassulus@gmail.com";
-    webroot = "/var/lib/acme/acme-challenges";
+    email = "lassulus@lassul.us";
+    webroot = "/var/lib/acme/acme-challenge";
     plugins = [
       "account_key.json"
-      "key.pem"
       "fullchain.pem"
+      "key.pem"
     ];
     group = "nginx";
-    allowKeysForGroup = true;
+    user = "nginx";
   };
 
 
@@ -170,6 +170,9 @@ in {
     addSSL = true;
     sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
     sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
+    locations."/.well-known/acme-challenge".extraConfig = ''
+      root /var/lib/acme/acme-challenge;
+    '';
   };
 
   users.users.blog = {
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 5b668c88f..10df08e7f 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -23,7 +23,7 @@
 
     screengrab = pkgs.writeDashBin "screengrab" ''
       resolution="$(${pkgs.xorg.xrandr}/bin/xrandr | ${pkgs.gnugrep}/bin/grep '*' | ${pkgs.gawk}/bin/awk '{print $1}')"
-      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :0.0 -s $resolution -c:v huffyuv $1
+      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :${toString config.services.xserver.display} -s $resolution -c:v huffyuv $1
     '';
   };
 }
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 65bec117d..d3f76903d 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -30,6 +30,7 @@ import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
 import XMonad.Actions.DynamicWorkspaces (withWorkspace)
 import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
+import XMonad.Hooks.EwmhDesktops (ewmh)
 import XMonad.Hooks.FloatNext (floatNext)
 import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@@ -39,10 +40,10 @@ import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
+import XMonad.Layout.SimplestFloat (simplestFloat)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
-import XMonad.Layout.SimpleFloat (simpleFloat)
 
 import XMonad.Stockholm.Shutdown
 
@@ -59,7 +60,7 @@ main = getArgs >>= \case
 
 main' :: IO ()
 main' = do
-    xmonad
+    xmonad $ ewmh
         $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
         $ def
             { terminal           = myTerm
@@ -77,7 +78,7 @@ main' = do
 
 myLayoutHook = defLayout
   where
-    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat
+    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat)
 
 myKeyMap :: [([Char], X ())]
 myKeyMap =
@@ -86,6 +87,8 @@ myKeyMap =
     , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
     , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
     , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
+
+    , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle")
     , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
     , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%")
     , ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%")
diff --git a/lass/source.nix b/lass/source.nix
index 292b92a9e..710bfdf2d 100644
--- a/lass/source.nix
+++ b/lass/source.nix
@@ -10,7 +10,7 @@ in
       nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
       nixpkgs.git = {
         url = https://github.com/nixos/nixpkgs;
-        ref = "f9390d6";
+        ref = "cb751f9";
       };
       secrets.file = getAttr builder {
         buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 98d5d2988..b66ef1ab8 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -46,7 +46,7 @@ in {
 
       # services
       <stockholm/makefu/2configs/share/gum.nix>
-      <stockholm/makefu/2configs/sabnzbd.nix>
+      # <stockholm/makefu/2configs/sabnzbd.nix>
       <stockholm/makefu/2configs/torrent.nix>
       <stockholm/makefu/2configs/iodined.nix>
       <stockholm/makefu/2configs/vpn/openvpn-server.nix>
@@ -65,6 +65,8 @@ in {
       <stockholm/makefu/2configs/deployment/graphs.nix>
       <stockholm/makefu/2configs/deployment/owncloud.nix>
       <stockholm/makefu/2configs/deployment/boot-euer.nix>
+      <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
+
       {
         services.taskserver.enable = true;
         services.taskserver.fqdn = config.krebs.build.host.name;
@@ -84,13 +86,40 @@ in {
 
       # Temporary:
       # <stockholm/makefu/2configs/temp/rst-issue.nix>
+      <stockholm/makefu/2configs/virtualisation/docker.nix>
+
+      #{
+      #  services.dockerRegistry.enable = true;
+      #  networking.firewall.allowedTCPPorts = [ 8443 ];
+
+      #  services.nginx.virtualHosts."euer.krebsco.de" = {
+      #    forceSSL = true;
+      #    enableACME = true;
+      #    extraConfig = ''
+      #      client_max_body_size 1000M;
+      #    '';
+      #    locations."/".proxyPass = "http://localhost:5000";
+      #  };
+      #}
+      { # wireguard server
+        networking.firewall.allowedUDPPorts = [ 51820 ];
+        #networking.wireguard.interfaces.wg0 = {
+        #  ips = [ "10.244.0.1/24" ];
+        #  privateKeyFile = (toString <secrets>) + "/wireguard.key";
+        #  allowedIPsAsRoutes = true;
+        #  peers = [{
+        #    allowedIPs = [ "0.0.0.0/0" "::/0" ];
+        #    publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
+        #  }];
+        #};
+      }
 
   ];
   makefu.dl-dir = "/var/download";
 
   services.openssh.hostKeys = [
-    { bits = 4096; path = <secrets/ssh_host_rsa_key>; type = "rsa"; }
-    { path = <secrets/ssh_host_ed25519_key>; type = "ed25519"; } ];
+    { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; }
+    { path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; } ];
   ###### stable
   services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
   krebs.build.host = config.krebs.hosts.gum;
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index 1d157460b..4af87dc10 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -61,6 +61,7 @@ in {
       # logs to influx
       <stockholm/makefu/2configs/stats/external/aralast.nix>
       <stockholm/makefu/2configs/stats/telegraf>
+      <stockholm/makefu/2configs/stats/telegraf/europastats.nix>
 
       # services
       <stockholm/makefu/2configs/syncthing.nix>
diff --git a/makefu/1systems/tsp/config.nix b/makefu/1systems/tsp/config.nix
index 7b751e514..680fa2cbc 100644
--- a/makefu/1systems/tsp/config.nix
+++ b/makefu/1systems/tsp/config.nix
@@ -32,6 +32,8 @@
   # acer aspire
   networking.wireless.enable = lib.mkDefault true;
 
+  services.xserver.synaptics.enable = true;
+
   hardware.enableAllFirmware = true;
   nixpkgs.config.allowUnfree = true;
 
diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix
index ac51fd9ca..c30ee4c58 100644
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@@ -3,6 +3,7 @@ let
   rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115";
   datadisk = "/dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006PH3A02F";
   user = config.makefu.gui.user;
+  primaryIP = "192.168.8.11";
 in {
 
   imports =
@@ -10,16 +11,18 @@ in {
       <stockholm/makefu>
       <stockholm/makefu/2configs/zsh-user.nix>
       <stockholm/makefu/2configs/tools/core.nix>
-      <stockholm/makefu/2configs/tools/core-gui.nix>
-      <stockholm/makefu/2configs/tools/extra-gui.nix>
-      <stockholm/makefu/2configs/tools/media.nix>
+      <stockholm/makefu/2configs/disable_v6.nix>
+      # <stockholm/makefu/2configs/tools/core-gui.nix>
+      # <stockholm/makefu/2configs/tools/extra-gui.nix>
+      # <stockholm/makefu/2configs/tools/media.nix>
       <stockholm/makefu/2configs/virtualisation/libvirt.nix>
       <stockholm/makefu/2configs/tinc/retiolum.nix>
       <stockholm/makefu/2configs/mqtt.nix>
-      <stockholm/makefu/2configs/deployment/led-fader.nix>
       # <stockholm/makefu/2configs/gui/wbob-kiosk.nix>
+
       <stockholm/makefu/2configs/stats/client.nix>
 
+
       # <stockholm/makefu/2configs/gui/studio-virtual.nix>
       # <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
       # <stockholm/makefu/2configs/audio/realtime-audio.nix>
@@ -27,6 +30,41 @@ in {
 
       # Services
       <stockholm/makefu/2configs/remote-build/slave.nix>
+      <stockholm/makefu/2configs/share/wbob.nix>
+
+      <stockholm/makefu/2configs/stats/telegraf>
+      <stockholm/makefu/2configs/deployment/led-fader.nix>
+      <stockholm/makefu/2configs/stats/external/aralast.nix>
+      <stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
+      <stockholm/makefu/2configs/deployment/bureautomation>
+      (let
+          collectd-port = 25826;
+          influx-port = 8086;
+          grafana-port = 3000; # TODO nginx forward
+          db = "collectd_db";
+          logging-interface = "enp0s25";
+        in {
+          services.grafana.enable = true;
+          services.grafana.addr = "0.0.0.0";
+
+          services.influxdb.enable = true;
+          services.influxdb.extraConfig = {
+            meta.hostname = config.krebs.build.host.name;
+            # meta.logging-enabled = true;
+            http.bind-address = ":${toString influx-port}";
+            admin.bind-address = ":8083";
+            collectd = [{
+              enabled = true;
+              typesdb = "${pkgs.collectd}/share/collectd/types.db";
+              database = db;
+              bind-address = ":${toString collectd-port}";
+            }];
+          };
+
+          networking.firewall.extraCommands = ''
+            iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
+          '';
+      })
 
       # temporary
       # <stockholm/makefu/2configs/temp/rst-issue.nix>
diff --git a/makefu/1systems/wbob/source.nix b/makefu/1systems/wbob/source.nix
index 6f079d712..b768aa87d 100644
--- a/makefu/1systems/wbob/source.nix
+++ b/makefu/1systems/wbob/source.nix
@@ -1,4 +1,4 @@
 import <stockholm/makefu/source.nix> {
   name="wbob";
-  musnix = true;
+  # musnix = true;
 }
diff --git a/makefu/2configs/deployment/bgt/hidden_service.nix b/makefu/2configs/deployment/bgt/hidden_service.nix
new file mode 100644
index 000000000..c1a31b8dc
--- /dev/null
+++ b/makefu/2configs/deployment/bgt/hidden_service.nix
@@ -0,0 +1,48 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+  name = "bgt_cyberwar_hidden_service";
+  sec = (toString <secrets>) + "/";
+  secdir = sec + name;
+  srvdir = "/var/lib/tor/onion/";
+  basedir = srvdir + name;
+  hn = builtins.readFile (secdir + "/hostname");
+in
+{
+  systemd.services.prepare-hidden-service = {
+    wantedBy = [ "local-fs.target" ];
+    before = [ "tor.service" ];
+    serviceConfig = {
+      ExecStart = pkgs.writeScript "prepare-euer-blog-service" ''
+        #!/bin/sh
+        set -euf
+        if ! test -d "${basedir}" ;then
+          mkdir -p "${srvdir}"
+          cp -r "${secdir}" "${srvdir}"
+          chown -R tor:tor "${srvdir}"
+          chmod -R 700 "${basedir}"
+        else
+          echo "not overwriting ${basedir}"
+        fi
+      '';
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+      TimeoutSec = "0";
+    };
+  };
+  services.nginx.virtualHosts."${hn}".locations."/" = {
+    proxyPass = "https://blog.binaergewitter.de";
+    extraConfig = ''
+        proxy_set_header  Host blog.binaergewitter.de;
+        proxy_ssl_server_name on;
+    '';
+  };
+  services.tor = {
+    enable = true;
+    hiddenServices."${name}".map = [
+     { port = "80"; }
+     # { port = "443"; toHost = "blog.binaergewitter.de"; }
+    ];
+  };
+}
diff --git a/makefu/2configs/deployment/bureautomation/default.nix b/makefu/2configs/deployment/bureautomation/default.nix
new file mode 100644
index 000000000..3897537ea
--- /dev/null
+++ b/makefu/2configs/deployment/bureautomation/default.nix
@@ -0,0 +1,41 @@
+{ pkgs, lib, ... }:
+
+with lib;
+let
+  port = 3001;
+  runit = pkgs.writeDash "runit" ''
+    set -xeuf
+    PATH=${pkgs.curl}/bin:${pkgs.coreutils}/bin
+    name=''${1?must provide name as first arg}
+    state=''${2?must provide state as second arg}
+    # val=''${3?must provide val as third arg}
+
+    # we ignore non-alerting events
+    test $state = alerting || exit 0
+
+    echo $name - $state
+    curl 'http://bauarbeiterlampe/ay?o=1'
+    sleep 5
+    curl 'http://bauarbeiterlampe/ay?o=1'
+  '';
+in {
+  services.logstash = {
+    package = pkgs.logstash5;
+    enable = true;
+    inputConfig = ''
+       http {
+        port => ${toString port}
+        host => "127.0.0.1"
+      }
+    '';
+    filterConfig = ''
+    '';
+    outputConfig = ''
+      stdout { codec => json }
+      exec { command => "${runit} '%{ruleName}' '%{state}'" }
+    '';
+    extraSettings = ''
+      path.plugins: [ "${pkgs.logstash-output-exec}" ]
+    '';
+  };
+}
diff --git a/makefu/2configs/deployment/led-fader.nix b/makefu/2configs/deployment/led-fader.nix
index 4c17a1d50..292b6679d 100644
--- a/makefu/2configs/deployment/led-fader.nix
+++ b/makefu/2configs/deployment/led-fader.nix
@@ -1,27 +1,25 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, buildPythonPackage, ... }:
 
-with import <stockholm/lib>;
 let
   mq = "192.168.8.11";
 
-  pkg = pkgs.stdenv.mkDerivation {
+  pkg = pkgs.python3Packages.buildPythonPackage {
     name = "ampel-master";
+
     src = pkgs.fetchgit {
       url = "http://cgit.euer.krebsco.de/ampel";
-      rev = "07a6791de368e16cc0864d2676fd255eba522cee";
-      sha256 = "1jxjapvkfglvgapy7gjbr1nra3ay418nvz70bvypcmv7wc8d4h8q";
+      rev = "531741b";
+      sha256 = "110yij53jz074zbswylbzcd8jy7z49r9fg6i3j1gk2y3vl91g81c";
     };
-    buildInputs = [
-      (pkgs.python35.withPackages (pythonPackages: with pythonPackages; [
+    propagatedBuildInputs = with pkgs.python3Packages; [
         docopt
         paho-mqtt
-      ]))
+        requests
+        pytz
+        influxdb
+        httplib2
+        google_api_python_client
     ];
-    installPhase = ''
-      install -m755 -D fade.py  $out/bin/fade.py
-      install -m755 -D ampel.py $out/bin/ampel
-      install -m755 -D times.json $out/share/times.json
-    '';
   };
 in {
   systemd.services.led-fader  = {
@@ -34,7 +32,9 @@ in {
     serviceConfig = {
       # User = "nobody"; # need a user with permissions to run nix-shell
       ExecStartPre = pkgs.writeDash "sleep.sh" "sleep 2";
-      ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json";
+      ExecStart = "${pkg}/bin/ampel 4";
+      Restart = "always";
+      RestartSec = 10;
       PrivateTmp = true;
     };
   };
diff --git a/makefu/2configs/deployment/scrape/default.nix b/makefu/2configs/deployment/scrape/default.nix
new file mode 100644
index 000000000..c7a5b5c14
--- /dev/null
+++ b/makefu/2configs/deployment/scrape/default.nix
@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./elkstack.nix
+    ./selenium.nix
+  ];
+}
diff --git a/makefu/2configs/deployment/scrape/selenium.nix b/makefu/2configs/deployment/scrape/selenium.nix
new file mode 100644
index 000000000..d700259ba
--- /dev/null
+++ b/makefu/2configs/deployment/scrape/selenium.nix
@@ -0,0 +1,65 @@
+{config, pkgs, lib, ...}:
+with <stockholm/lib>;
+let
+  selenium-pw = <secrets/selenium-vncpasswd>;
+in {
+  services.jenkinsSlave.enable = true;
+  users.users.selenium = {
+    uid = genid "selenium";
+    extraGroups = [ "plugdev" ];
+  };
+
+  fonts.enableFontDir = true;
+
+  # networking.firewall.allowedTCPPorts = [ 5910 ];
+
+  systemd.services.selenium-X11 =
+  {
+    description = "X11 vnc for selenium";
+    wantedBy = [ "multi-user.target" ];
+    path = [ pkgs.xorg.xorgserver pkgs.tightvnc pkgs.dwm ];
+    environment =
+    {
+      DISPLAY = ":10";
+    };
+    script = ''
+      set -ex
+      [ -e /tmp/.X10-lock ] && ( set +e ; chmod u+w /tmp/.X10-lock ; rm /tmp/.X10-lock )
+      [ -e /tmp/.X11-unix/X10 ] && ( set +e ; chmod u+w /tmp/.X11-unix/X10 ; rm /tmp/.X11-unix/X10 )
+      mkdir -p ~/.vnc
+      cp -f ${selenium-pw} ~/.vnc/passwd
+      chmod go-rwx ~/.vnc/passwd
+      echo > ~/.vnc/xstartup
+      chmod u+x ~/.vnc/xstartup
+      vncserver $DISPLAY -geometry 1280x1024 -depth 24 -name jenkins -ac
+      dwm
+    '';
+    preStop = ''
+      vncserver -kill $DISPLAY
+    '';
+    serviceConfig = {
+      User = "selenium";
+    };
+  };
+
+  systemd.services.selenium-server =
+  {
+    description = "selenium-server";
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "selenium-X11.service" ];
+    path = [ pkgs.chromium
+             pkgs.firefoxWrapper ];
+    environment =
+    {
+      DISPLAY = ":10";
+    };
+    script = ''
+      ${pkgs.selenium-server-standalone}/bin/selenium-server -Dwebdriver.enable.native.events=1
+    '';
+    serviceConfig = {
+      User = "selenium";
+    };
+  };
+
+
+}
diff --git a/makefu/2configs/share/omo.nix b/makefu/2configs/share/omo.nix
index 7d7a4ec57..e4fef7c3c 100644
--- a/makefu/2configs/share/omo.nix
+++ b/makefu/2configs/share/omo.nix
@@ -30,24 +30,18 @@ in {
         browseable = "yes";
         "guest ok" = "yes";
       };
-      usenet = {
-        path = "/media/crypt0/usenet/dst";
-        "read only" = "yes";
-        browseable = "yes";
-        "guest ok" = "yes";
-      };
-      pyload = {
-        path = "/media/crypt0/pyload";
-        "read only" = "yes";
-        browseable = "yes";
-        "guest ok" = "yes";
-      };
       crypt0 = {
         path = "/media/crypt0";
         "read only" = "yes";
         browseable = "yes";
         "guest ok" = "yes";
       };
+      crypX-games = {
+        path = "/media/cryptX/games";
+        "read only" = "yes";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
       media-rw = {
         path = "/media/";
         "read only" = "no";
diff --git a/makefu/2configs/share/wbob.nix b/makefu/2configs/share/wbob.nix
new file mode 100644
index 000000000..7d3fc38fe
--- /dev/null
+++ b/makefu/2configs/share/wbob.nix
@@ -0,0 +1,38 @@
+{config, ... }:{
+  networking.firewall.allowedUDPPorts = [ 137 138 ];
+  networking.firewall.allowedTCPPorts = [ 139 445 ];
+  users.users.smbguest = {
+    name = "smbguest";
+    uid = config.ids.uids.smbguest;
+    description = "smb guest user";
+    home = "/home/share";
+    createHome = true;
+  };
+  services.samba = {
+    enable = true;
+    enableNmbd = true;
+    shares = {
+      incoming = {
+        path = "/data/incoming";
+        "read only" = "no";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
+      data = {
+        path = "/data/";
+        "read only" = "yes";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
+    };
+    extraConfig = ''
+      guest account = smbguest
+      map to guest = bad user
+      # disable printing
+      load printers = no
+      printing = bsd
+      printcap name = /dev/null
+      disable spoolss = yes
+    '';
+  };
+}
diff --git a/makefu/2configs/stats/telegraf/airsensor.nix b/makefu/2configs/stats/telegraf/airsensor.nix
new file mode 100644
index 000000000..09d23e7d4
--- /dev/null
+++ b/makefu/2configs/stats/telegraf/airsensor.nix
@@ -0,0 +1,19 @@
+{ pkgs, ...}:
+
+{
+  services.udev.extraRules = ''
+    SUBSYSTEMS=="usb", ATTRS{product}=="iAQ Stick", GROUP="input"
+  '';
+  users.users.telegraf.extraGroups = [ "input" ];
+  services.telegraf.extraConfig.inputs.exec = [
+    {
+      commands = [ "${pkgs.airsensor-py}/bin/airsensor-py"];
+      timeout = "10s";
+      data_format = "value";
+      data_type = "integer";
+      name_override = "airquality";
+      interval = "10s";
+      tags.unit="VOC";
+    }
+  ];
+}
diff --git a/makefu/2configs/stats/telegraf/default.nix b/makefu/2configs/stats/telegraf/default.nix
index 4da6561d6..049a9c037 100644
--- a/makefu/2configs/stats/telegraf/default.nix
+++ b/makefu/2configs/stats/telegraf/default.nix
@@ -2,9 +2,6 @@
 let
   url = "http://localhost:8086";
 in {
-  imports = [
-    ./europastats.nix
-  ];
   services.telegraf = {
     enable = true;
     extraConfig = {
diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix
index 46872279a..26e9808b2 100644
--- a/makefu/2configs/tools/dev.nix
+++ b/makefu/2configs/tools/dev.nix
@@ -13,10 +13,12 @@
     esptool
     cac-api
     cac-panel
+    krebszones
     ovh-zone
     whatsupnix
     brain
     gen-oath-safe
     cdrtools
+    stockholm
   ];
 }
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index bcc068d82..e25290297 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -14,5 +14,6 @@
     saleae-logic
     arduino-user-env
     gitAndTools.gitFull
+    signal-desktop
   ];
 }
diff --git a/makefu/2configs/tools/games.nix b/makefu/2configs/tools/games.nix
index 8da615963..40ea4523d 100644
--- a/makefu/2configs/tools/games.nix
+++ b/makefu/2configs/tools/games.nix
@@ -7,5 +7,6 @@
   users.users.makefu.packages = with pkgs; [
     games-user-env
     wine
+    pkg2zip
   ];
 }
diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix
index f280fc852..6be078f6a 100644
--- a/makefu/2configs/zsh-user.nix
+++ b/makefu/2configs/zsh-user.nix
@@ -8,11 +8,12 @@ in
   users.extraUsers.${mainUser}.shell = "/run/current-system/sw/bin/zsh";
   programs.zsh= {
     enable = true;
-    enableCompletion = false ; #manually at the end
+    enableCompletion = true ; #manually at the end
     interactiveShellInit = ''
       HISTSIZE=900001
       HISTFILESIZE=$HISTSIZE
       SAVEHIST=$HISTSIZE
+      HISTFILE=$HOME/.zsh_history
 
       setopt HIST_IGNORE_ALL_DUPS
       setopt HIST_IGNORE_SPACE
@@ -65,13 +66,15 @@ in
       zle     -N   fzf-file-widget
       bindkey '^T' fzf-file-widget
 
-      # Auto-Completion
-      for p in ''${(z)NIX_PROFILES}; do
-        fpath+=($p/share/zsh/site-functions $p/share/zsh/$ZSH_VERSION/functions $p/share/zsh/vendor-completions)
-      done
-      autoload -U compinit && compinit
       compdef _pass brain
       zstyle ':completion::complete:brain::' prefix "$HOME/brain"
+
+      # ctrl-x ctrl-e
+      autoload -U edit-command-line
+      zle -N edit-command-line
+      bindkey '^xe' edit-command-line
+      bindkey '^x^e' edit-command-line
+
     '';
 
     promptInit = ''
diff --git a/makefu/5pkgs/PkgDecrypt/default.nix b/makefu/5pkgs/PkgDecrypt/default.nix
new file mode 100644
index 000000000..80bcbcac1
--- /dev/null
+++ b/makefu/5pkgs/PkgDecrypt/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, lib, pkgs, fetchFromGitHub, ... }:
+stdenv.mkDerivation rec {
+  name = "PkgDecrypt-2017-12-01";
+  rev = "e2f9518";
+
+  src = fetchFromGitHub {
+    owner = "St4rk";
+    repo = "PkgDecrypt";
+    inherit rev;
+    sha256 = "0dk13qamxyny0vc990s06vqddxwwc6xmikb1pkc3rnys98yda29p";
+  };
+
+  installPhase = ''
+    install -m755 -D pkg_dec $out/bin/pkg_dec
+    install -m755 -D make_key $out/bin/make_key
+  '';
+
+  buildInputs = with pkgs;[
+    zlib
+  ];
+
+  meta = {
+    homepage = https://github.com/St4rk/PkgDecrypt;
+    description = "St4rk's Vita pkg decrypter";
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/makefu/5pkgs/airsensor-py/default.nix b/makefu/5pkgs/airsensor-py/default.nix
new file mode 100644
index 000000000..4eae26c0d
--- /dev/null
+++ b/makefu/5pkgs/airsensor-py/default.nix
@@ -0,0 +1,17 @@
+{ pkgs, fetchFromGitHub, ... }:
+with pkgs.python3Packages;
+buildPythonApplication rec {
+    name = "airsensor-py-${version}";
+    version = "2017-12-05";
+    propagatedBuildInputs = [
+      pyusb
+      click
+    ];
+
+    src = fetchFromGitHub {
+      owner = "makefu";
+      repo = "airsensor-py";
+      rev = "7ac5f185dc848fca1b556e4c0396dd73f6a93995";
+      sha256 = "0387b025y8kb0zml7916p70hmzc3y18kqh46b9xv5qayljxymq2w";
+    };
+}
diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix
index 80a453ddc..80a0d33cd 100644
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@@ -24,7 +24,7 @@ in {
     alsa-hdspmixer = callPackage ./custom/alsa-tools { alsaToolTarget="hdspmixer";};
     alsa-hdsploader = callPackage ./custom/alsa-tools { alsaToolTarget="hdsploader";};
     qcma = super.pkgs.libsForQt5.callPackage ./custom/qcma { };
-    inherit (callPackage ./devpi {}) devpi-web devpi-server;
+    inherit (callPackage ./devpi {}) devpi-web ;
     nodemcu-uploader = super.pkgs.callPackage ./nodemcu-uploader {};
     inkscape = super.pkgs.stdenv.lib.overrideDerivation super.inkscape (old: {
       patches = [ ./custom/inkscape/dxf_fix.patch ];
diff --git a/makefu/5pkgs/devpi/default.nix b/makefu/5pkgs/devpi/default.nix
index e7c26da55..3ddcd9641 100644
--- a/makefu/5pkgs/devpi/default.nix
+++ b/makefu/5pkgs/devpi/default.nix
@@ -14,18 +14,6 @@ let
     propagatedBuildInputs = with pkgs.python3Packages; [ docutils bleach pygments ];
 
   };
-  devpi-client = pkgs.python3Packages.buildPythonPackage rec {
-    name = "devpi-client";
-    version = "2.7.0";
-
-    src = pkgs.fetchurl {
-      url = "mirror://pypi/d/devpi-client/devpi-client-${version}.tar.gz";
-      sha256 = "0z7vaf0a66n82mz0vx122pbynjvkhp2mjf9lskgyv09y3bxzzpj3";
-    };
-    patches = [ ./py3-fix-encoding.patch ];
-    buildInputs = with pkgs.python3Packages; [ tox check-manifest pkginfo ];
-    propagatedBuildInputs = with pkgs.python3Packages; [ devpi-common py ];
-  };
   devpi-web = pkgs.python3Packages.buildPythonPackage rec {
     name = "devpi-web";
     version = "3.1.1";
@@ -37,7 +25,7 @@ let
     };
 
     propagatedBuildInputs = with pkgs.python3Packages;
-      [ devpi-server pyramid_chameleon beautifulsoup4 defusedxml readme-renderer ];
+      [ pkgs.devpi-server pyramid_chameleon beautifulsoup4 defusedxml readme-renderer ];
 
     meta = {
       homepage = https://bitbucket.org/hpk42/devpi;
@@ -47,53 +35,7 @@ let
     };
   };
 
-  devpi-common-3 = pkgs.python3Packages.buildPythonPackage rec {
-    name = "devpi-common";
-    version = "3.0.1";
-
-    src = pkgs.fetchurl {
-      url = "mirror://pypi/d/devpi-common/devpi-common-${version}.tar.gz";
-      sha256 = "0l3a7iyk596x6pvzg7604lzzi012qszr804fqn6f517zcy1xz23j";
-    };
-
-    propagatedBuildInputs = with pkgs.python3Packages; [ requests py ];
-
-    meta = {
-      homepage = https://bitbucket.org/hpk42/devpi;
-      description = "Utilities jointly used by devpi-server and devpi-client";
-      license = licenses.mit;
-      maintainers = with maintainers; [ lewo makefu ];
-    };
-  };
-
-  devpi-server = pkgs.python3Packages.buildPythonPackage rec {
-    name = "devpi-server";
-    version = "4.1.1";
-
-    # original postFixup adds "import sys; sys.argv[0] = 'devpi-server'" to
-    # `.devpi-server-wrapped` which
-    # results in "not existing devpi-server: 'devpi-server'"
-    postFixup = "";
-
-    src = pkgs.fetchurl {
-      url = "mirror://pypi/d/devpi-server/devpi-server-${version}.tar.gz";
-      sha256 = "1icbn1nw6w0sc5150fr69rlhs0j5ldnnxfzl2qabq2wi0dbar8hf";
-    };
-
-    propagatedBuildInputs = with pkgs.python3Packages;
-      [ devpi-common-3 execnet itsdangerous pluggy waitress pyramid ];
-    buildInputs = with pkgs.python3Packages; [ pytest beautifulsoup4 webtest ];
-
-    meta = {
-      homepage = https://bitbucket.org/hpk42/devpi;
-      description = "Devpi Server";
-      license = licenses.mit;
-      maintainers = with maintainers; [ makefu ];
-    };
-  };
-
 in {
-  inherit devpi-server devpi-client;
   devpi-web =  pkgs.python3.buildEnv.override {
       extraLibs = [ devpi-web devpi-server ];
     };
diff --git a/makefu/5pkgs/pkg2zip/default.nix b/makefu/5pkgs/pkg2zip/default.nix
new file mode 100644
index 000000000..36c3d7176
--- /dev/null
+++ b/makefu/5pkgs/pkg2zip/default.nix
@@ -0,0 +1,29 @@
+{ stdenv, lib, pkgs, fetchFromGitHub, ... }:
+stdenv.mkDerivation rec {
+  name = "pkg2zip-2017-12-01";
+  rev = "fccad26";
+
+  src = fetchFromGitHub {
+    owner = "mmozeiko";
+    repo = "pkg2zip";
+    inherit rev;
+    sha256 = "1sq9yx5cbllmc0yyxhvb6c0yq1mkd1mn8njgkkgxz8alw9zwlarp";
+  };
+
+  installPhase = ''
+    install -m755 -D pkg2zip $out/bin/pkg2zip
+
+    install -m755 -D rif2zrif.py $out/bin/rif2zrif
+    install -m755 -D zrif2rif.py $out/bin/zrif2rif
+  '';
+
+  buildInputs = with pkgs;[
+    python3
+  ];
+
+  meta = {
+    homepage = https://github.com/St4rk/PkgDecrypt;
+    description = "St4rk's Vita pkg decrypter";
+    license = lib.licenses.gpl2;
+  };
+}
diff --git a/makefu/6tests/data/secrets/bgt_cyberwar_hidden_service/hostname b/makefu/6tests/data/secrets/bgt_cyberwar_hidden_service/hostname
new file mode 100644
index 000000000..2ae3807f1
--- /dev/null
+++ b/makefu/6tests/data/secrets/bgt_cyberwar_hidden_service/hostname
@@ -0,0 +1 @@
+dickbutt2342.onion
diff --git a/makefu/source.nix b/makefu/source.nix
index aa49062e9..ce5855430 100644
--- a/makefu/source.nix
+++ b/makefu/source.nix
@@ -11,7 +11,7 @@ let
               then "buildbot"
               else "makefu";
   _file = <stockholm> + "/makefu/1systems/${name}/source.nix";
-  ref = "6778819"; # unstable @ 2017-11-14
+  ref = "3874de4"; # unstable @ 2017-12-08
                    # + do_sqlite3 ruby: 55a952be5b5
 
 in