diff --git a/default.nix b/default.nix index 59a76f81b..875f0d5b4 100644 --- a/default.nix +++ b/default.nix @@ -8,6 +8,12 @@ let "${user-name}/1systems/${system-name}.nix" "${user-name}/3modules" "krebs/3modules" + ] ++ [ + ({ lib, pkgs, ... }: { + _module.args.pkgs = + (import ./krebs/5pkgs { inherit lib pkgs; }) // + (import (./. + "/${user-name}/5pkgs") { inherit lib pkgs; }); + }) ]; }; diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix new file mode 100644 index 000000000..fce24fa63 --- /dev/null +++ b/krebs/3modules/Reaktor.nix 
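Review bot: Name clashes between the two package sets are resolved silently in the added module. `//` is right-biased, so any attribute in `${user-name}/5pkgs` replaces the same-named attribute from `krebs/5pkgs`, and the merged set is what modules then receive as `pkgs`. A user-level package can therefore stand in for one that a krebs module executes (for example `pkgs.github-hosts-sync`, which this commit switches to) without any evaluation warning. I would state the precedence in a comment above the assignment, e.g. `# user 5pkgs intentionally shadow krebs 5pkgs on name clash`, or fail evaluation when the two sets share a name. How this definition combines with the nixpkgs-provided `pkgs` is not visible in the hunk and should be confirmed.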
@@ -0,0 +1,132 @@ +{ config, pkgs,lib, ... }: + + +let + kpkgs = import ../5pkgs { inherit pkgs; inherit lib; }; + + inherit (lib) + mkIf + mkOption + types + singleton + isString + optionalString + concatStrings + escapeShellArg + ; + + ReaktorConfig = pkgs.writeText "config.py" '' + ${if (isString cfg.overrideConfig ) then '' + # Overriden Config + ${cfg.overrideConfig} + '' else ""} + ## Extra Config + ${cfg.extraConfig} + ''; + cfg = config.krebs.Reaktor; + + out = { + options.krebs.Reaktor = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkOption { + default = false; + description = '' + Start Reaktor at system boot + ''; + }; + + nickname = mkOption { + default = config.krebs.build.host.name + "|r"; + type = types.string; + description = '' + The nick name of the irc bot. + Defaults to {hostname}|r + ''; + }; + + + overrideConfig = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + configuration to be used instead of default ones. + Reaktor default cfg can be retrieved via `reaktor get-config` + ''; + }; + extraConfig = mkOption { + default = ""; + type = types.string; + description = '' + configuration appended to the default or overridden configuration + ''; + }; + + ReaktorPkg = mkOption { + default = kpkgs.Reaktor; + description = '' + the Reaktor pkg to use. 
+ ''; + }; + debug = mkOption { + default = false; + description = '' + Reaktor debug output + ''; + }; + }; + + imp = { + # for reaktor get-config + environment.systemPackages = [ cfg.ReaktorPkg ]; + users.extraUsers = singleton { + name = "Reaktor"; + # uid = config.ids.uids.Reaktor; + uid = 2066439104; #genid Reaktor + description = "Reaktor user"; + home = "/var/lib/Reaktor"; + createHome = true; + }; + + #users.extraGroups = singleton { + # name = "Reaktor"; + # gid = config.ids.gids.Reaktor; + #}; + + systemd.services.Reaktor = { + path = with pkgs; [ + utillinux #flock for tell_on-join + # git # for nag + python # for caps + ]; + description = "Reaktor IRC Bot"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment = { + GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + REAKTOR_NICKNAME = cfg.nickname; + REAKTOR_DEBUG = (if cfg.debug then "True" else "False"); + }; + serviceConfig= { + ExecStartPre = pkgs.writeScript "Reaktor-init" '' + #! /bin/sh + ${if (isString cfg.overrideConfig) then + ''cp ${ReaktorConfig} /tmp/config.py'' + else + ''(${cfg.ReaktorPkg}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/config.py'' + } + ''; + ExecStart = "${cfg.ReaktorPkg}/bin/reaktor run /tmp/config.py"; + PrivateTmp = "true"; + User = "Reaktor"; + Restart = "on-abort"; + StartLimitInterval = "1m"; + StartLimitBurst = "1"; + }; + }; + }; + +in +out diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 78907960b..c683d406c 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -11,6 +11,7 @@ let ./github-hosts-sync.nix ./git.nix ./nginx.nix + ./Reaktor.nix ./retiolum.nix ./urlwatch.nix ]; 
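Review bot: `ReaktorConfig` in krebs/3modules/Reaktor.nix is produced with `pkgs.writeText`, so everything placed in `overrideConfig` or `extraConfig` becomes a file in the Nix store, which any local user can read. Nothing in the option descriptions warns about this, and a bot config is a likely place for a server or NickServ password. I would append a sentence to both descriptions, e.g. `Do not put secrets here; the text is written to the world-readable Nix store.` Separately, `ExecStartPre` and `ExecStart` share the fixed path `/tmp/config.py`, which is only safe because `PrivateTmp = "true"` is set. A comment on that line such as `# required: config is staged under a fixed name in /tmp` would keep the two from being separated later. The module also builds its own `kpkgs` via `import ../5pkgs`, while the rest of this commit moves modules to plain `pkgs`.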
@@ -332,11 +333,11 @@ let }; users = addNames { lass = { - pubkey = readFile ../../Zpubkeys/lass.ssh.pub; + pubkey = readFile ../Zpubkeys/lass.ssh.pub; mail = "lass@mors.retiolum"; }; uriel = { - pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; + pubkey = readFile ../Zpubkeys/uriel.ssh.pub; mail = "lass@uriel.retiolum"; }; }; @@ -468,6 +469,7 @@ let IN MX 10 mx42 euer IN MX 1 aspmx.l.google.com. io IN NS pigstarter.krebsco.de. + euer IN A ${elemAt nets.internet.addrs4 0} pigstarter IN A ${elemAt nets.internet.addrs4 0} conf IN A ${elemAt nets.internet.addrs4 0} gold IN A ${elemAt nets.internet.addrs4 0} @@ -543,7 +545,7 @@ let users = addNames { makefu = { mail = "makefu@pornocauster.retiolum"; - pubkey = readFile ../../Zpubkeys/makefu_arch.ssh.pub; + pubkey = readFile ../Zpubkeys/makefu_arch.ssh.pub; }; }; }; @@ -714,11 +716,11 @@ let users = addNames { mv = { mail = "mv@cd.retiolum"; - pubkey = readFile ../../Zpubkeys/mv_vod.ssh.pub; + pubkey = readFile ../Zpubkeys/mv_vod.ssh.pub; }; tv = { mail = "tv@wu.retiolum"; - pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; + pubkey = readFile ../Zpubkeys/tv_wu.ssh.pub; }; }; }; diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 0274b9d15..dbc0cc1de 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -61,9 +61,9 @@ let ${cfg.ssh-identity-file} \ "$ssh_identity_file_target" - ln -snf ${kpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts + ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts ''; - ExecStart = "${kpkgs.github-hosts-sync}/bin/github-hosts-sync"; + ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync"; }; }; @@ -77,7 +77,5 @@ let name = "github-hosts-sync"; uid = 3220554646; # genid github-hosts-sync }; - - kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; in out diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 481d6565c..4e70b78aa 100644 
--- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -58,7 +58,7 @@ let hosts = mkOption { type = with types; either package path; - default = ../../Zhosts; + default = ../Zhosts; description = '' If a path is given, then it will be used to generate an ad-hoc package. ''; diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index 531e6c87b..80d9f5e93 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -78,7 +78,7 @@ let HOME = cfg.dataDir; LC_ALL = "en_US.UTF-8"; LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive"; - SSL_CERT_FILE = "${pkgs.cacert}/etc/ca-bundle.crt"; + SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; }; serviceConfig = { User = user.name; diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index b67585335..ca7219c7e 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -14,5 +14,12 @@ builtins // lib // rec { dns = import ./dns.nix { inherit lib; }; listset = import ./listset.nix { inherit lib; }; + shell = import ./shell.nix { inherit lib; }; tree = import ./tree.nix { inherit lib; }; + + toC = x: { + list = "{ ${concatStringsSep ", " (map toC x)} }"; + null = "NULL"; + string = toJSON x; # close enough + }.${typeOf x}; } diff --git a/krebs/4lib/shell.nix b/krebs/4lib/shell.nix new file mode 100644 index 000000000..2a6da5c16 --- /dev/null +++ b/krebs/4lib/shell.nix @@ -0,0 +1,22 @@ +{ lib, ... }: + +with builtins; +with lib; + +rec { + escape = + let + isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; + in + stringAsChars (c: + if isSafeChar c then c + else if c == "\n" then "'\n'" + else "\\${c}"); + + # + # shell script generators + # + + # example: "${cat (toJSON { foo = "bar"; })} | jq -r .foo" + cat = s: "printf '%s' ${escape s}"; +} diff --git a/krebs/5pkgs/Reaktor/default.nix b/krebs/5pkgs/Reaktor/default.nix new file mode 100644 index 000000000..524782081 --- /dev/null +++ b/krebs/5pkgs/Reaktor/default.nix 
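Review bot: `toC` in krebs/4lib/default.nix renders strings with `toJSON`, and the `# close enough` comment hides where a JSON string and a C string literal differ. JSON writes control characters as `\u00XX`, which, as far as I know, a C compiler rejects as a universal character name for those code points, and a `??` sequence can be read as a trigraph when trigraphs are enabled. Because `execve` in krebs/5pkgs/default.nix passes `filename`, `argv` and `envp` through `toC`, such input ends as a build failure or a different byte string rather than a faithful literal. Integers, booleans and attribute sets fall through the `.${typeOf x}` lookup with a missing-attribute error. I would document the contract next to the definition, e.g. `# toC: accepts list, null and string only; strings must be printable ASCII`.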
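Review bot: `escape ""` in krebs/4lib/shell.nix returns the empty string, so an empty argument vanishes from the generated command line instead of being passed as `''`. That is harmless for `cat`, where `printf '%s'` with no operand prints nothing, but `escape` is exported for general use and a dropped word shifts every following argument. I would wrap the definition so the empty case returns `"''"` (`escape = s: if s == "" then "''" else ...`), or reuse `lib.escapeShellArg`, which Reaktor.nix in this same commit already inherits. Since this function is the only thing between Nix strings and the shell, the newline branch (`"'\n'"`) also deserves a one-line comment explaining why a newline is single-quoted rather than backslash-escaped.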
@@ -0,0 +1,19 @@
+{ lib, pkgs,python3Packages,fetchurl, ... }:
+
+python3Packages.buildPythonPackage rec {
+ name = "Reaktor-${version}";
+ version = "0.4.3";
+ propagatedBuildInputs = with pkgs;[
+ python3Packages.docopt
+ python3Packages.requests2
+ ];
+ src = fetchurl {
+ url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz";
+ sha256 = "1rvfw9vg7i7z2ah7m5k3zik2b92d3xdaqa8am62qw6vgvmxcmfp4";
+ };
+ meta = {
+ homepage = http://krebsco.de/;
+ description = "An IRC bot based on asynchat";
+ license = lib.licenses.wtfpl;
+ };
+}
diff --git a/krebs/5pkgs/cac.nix b/krebs/5pkgs/cac/default.nix
similarity index 100%
rename from krebs/5pkgs/cac.nix
rename to krebs/5pkgs/cac/default.nix
diff --git a/tv/5pkgs/charybdis/default.nix b/krebs/5pkgs/charybdis/default.nix
similarity index 100%
rename from tv/5pkgs/charybdis/default.nix
rename to krebs/5pkgs/charybdis/default.nix
diff --git a/tv/5pkgs/charybdis/remove-setenv.patch b/krebs/5pkgs/charybdis/remove-setenv.patch
similarity index 100%
rename from tv/5pkgs/charybdis/remove-setenv.patch
rename to krebs/5pkgs/charybdis/remove-setenv.patch
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 2454c19c8..39d3d69ce 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -1,18 +1,54 @@ -{ pkgs, ... }: +{ lib, pkgs, ... }: + +with import ../4lib { inherit lib; }; let inherit (pkgs) callPackage; in -pkgs // -{ - cac = callPackage ./cac.nix {}; - dic = callPackage ./dic.nix {}; - genid = callPackage ./genid.nix {}; - github-hosts-sync = callPackage ./github-hosts-sync.nix {}; - github-known_hosts = callPackage ./github-known_hosts.nix {}; - hashPassword = callPackage ./hashPassword.nix {}; - nq = callPackage ./nq.nix {}; - posix-array = callPackage ./posix-array.nix {}; - youtube-tools = callPackage ./youtube-tools.nix {}; +rec { + cac = callPackage ./cac {}; + charybdis = callPackage ./charybdis {}; + dic = callPackage ./dic {}; + genid = callPackage ./genid {}; + github-hosts-sync = callPackage ./github-hosts-sync {}; + github-known_hosts = callPackage ./github-known_hosts {}; + hashPassword = callPackage ./hashPassword {}; + krebszones = callPackage ./krebszones {}; + lentil = callPackage ./lentil {}; + much = callPackage ./much {}; + nq = callPackage ./nq {}; + posix-array = callPackage ./posix-array {}; + pssh = callPackage ./pssh {}; + Reaktor = callPackage ./Reaktor {}; + youtube-tools = callPackage ./youtube-tools {}; + + execve = name: { filename, argv, envp ? {}, destination ? "" }: + writeC name { inherit destination; } '' + #include + int main () { + const char *filename = ${toC filename}; + char *const argv[] = ${toC (argv ++ [null])}; + char *const envp[] = ${toC ( + mapAttrsToList (k: v: "${k}=${v}") envp ++ [null] + )}; + execve(filename, argv, envp); + return -1; + } + ''; + + execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; }); + + writeC = name: { destination ? "" }: src: pkgs.runCommand name {} '' + PATH=${lib.makeSearchPath "bin" (with pkgs; [ + binutils + coreutils + gcc + ])} + src=${pkgs.writeText "${name}.c" src} + exe=$out${destination} + mkdir -p "$(dirname "$exe")" + gcc -O -Wall -o "$exe" $src + strip --strip-unneeded "$exe" + ''; } 
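Review bot: The C wrapper generated by `execve` gives no diagnostic when the `execve(2)` call fails: `main` falls through to `return -1;`, so a wrong `filename` appears only as exit status 255 with nothing in the service log. Adding `perror("execve");` before the `return` (plus `<stdio.h>`) makes such failures traceable. The `#include` line in the template shows no header name on this page; that may be lost in extraction, but it is worth confirming the file names the header that declares `execve`. `execve`, `execveBin` and `writeC` are also undocumented; a comment each, stating that `envp` becomes the complete environment of the executed program and that `destination` is a path below `$out`, would tell callers what they are getting.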
diff --git a/krebs/5pkgs/dic.nix b/krebs/5pkgs/dic/default.nix similarity index 100% rename from krebs/5pkgs/dic.nix rename to krebs/5pkgs/dic/default.nix diff --git a/krebs/5pkgs/genid.nix b/krebs/5pkgs/genid/default.nix similarity index 100% rename from krebs/5pkgs/genid.nix rename to krebs/5pkgs/genid/default.nix diff --git a/krebs/5pkgs/github-hosts-sync.nix b/krebs/5pkgs/github-hosts-sync/default.nix similarity index 100% rename from krebs/5pkgs/github-hosts-sync.nix rename to krebs/5pkgs/github-hosts-sync/default.nix diff --git a/krebs/5pkgs/github-known_hosts.nix b/krebs/5pkgs/github-known_hosts/default.nix similarity index 70% rename from krebs/5pkgs/github-known_hosts.nix rename to krebs/5pkgs/github-known_hosts/default.nix index 302fdd8d5..fe5efe413 100644 --- a/krebs/5pkgs/github-known_hosts.nix +++ b/krebs/5pkgs/github-known_hosts/default.nix @@ -4,7 +4,7 @@ with builtins; with lib; let - github-pubkey = removeSuffix "\n" (readFile ../../Zpubkeys/github.ssh.pub); + github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub); in toFile "github-known_hosts" diff --git a/Zpubkeys/github.ssh.pub b/krebs/5pkgs/github-known_hosts/github.ssh.pub similarity index 100% rename from Zpubkeys/github.ssh.pub rename to krebs/5pkgs/github-known_hosts/github.ssh.pub diff --git a/krebs/5pkgs/hashPassword.nix b/krebs/5pkgs/hashPassword/default.nix similarity index 100% rename from krebs/5pkgs/hashPassword.nix rename to krebs/5pkgs/hashPassword/default.nix diff --git a/krebs/5pkgs/krebszones/default.nix b/krebs/5pkgs/krebszones/default.nix new file mode 100644 index 000000000..62805c73c --- /dev/null +++ b/krebs/5pkgs/krebszones/default.nix 
@@ -0,0 +1,20 @@
+{ lib, pkgs,python3Packages,fetchurl, ... }:
+
+python3Packages.buildPythonPackage rec {
+ name = "krebszones-${version}";
+ version = "0.4.3";
+ propagatedBuildInputs = with pkgs.python3Packages;[
+ d2to1 # for setup to work
+ ovh
+ docopt
+ ];
+ src = fetchurl {
+ url = "https://pypi.python.org/packages/source/k/krebszones/krebszones-${version}.tar.gz";
+ sha256 = "1i6aqy27bikypc4mq7ymfnvf42rr5sxiy6l7gnyk6ifhlp1jq8z5";
+ };
+ meta = {
+ homepage = http://krebsco.de/;
+ description = "OVH Zone Upload";
+ license = lib.licenses.wtfpl;
+ };
+}
diff --git a/tv/5pkgs/lentil/default.nix b/krebs/5pkgs/lentil/default.nix
similarity index 100%
rename from tv/5pkgs/lentil/default.nix
rename to krebs/5pkgs/lentil/default.nix
diff --git a/tv/5pkgs/lentil/syntaxes.patch b/krebs/5pkgs/lentil/syntaxes.patch
similarity index 100%
rename from tv/5pkgs/lentil/syntaxes.patch
rename to krebs/5pkgs/lentil/syntaxes.patch
diff --git a/tv/5pkgs/much.nix b/krebs/5pkgs/much/default.nix
similarity index 100%
rename from tv/5pkgs/much.nix
rename to krebs/5pkgs/much/default.nix
diff --git a/krebs/5pkgs/nq.nix b/krebs/5pkgs/nq/default.nix
similarity index 100%
rename from krebs/5pkgs/nq.nix
rename to krebs/5pkgs/nq/default.nix
diff --git a/krebs/5pkgs/posix-array.nix b/krebs/5pkgs/posix-array/default.nix
similarity index 100%
rename from krebs/5pkgs/posix-array.nix
rename to krebs/5pkgs/posix-array/default.nix
diff --git a/krebs/5pkgs/pssh/default.nix b/krebs/5pkgs/pssh/default.nix
new file mode 100644
index 000000000..fd48d3e7c
--- /dev/null
+++ b/krebs/5pkgs/pssh/default.nix
@@ -0,0 +1,37 @@
+{ writeScriptBin }:
+
+writeScriptBin "pssh" ''
+ #! /bin/sh
+ set -efu
+ case ''${1-} in
+
+ # TODO create plog with -o json | jq ... | map date
+
+ # usage: pssh {-j,--journal} host...
+ # Follow journal at each host.
+ -j|--journal)
+ shift
+ "$0" journalctl -n0 -ocat --follow --all ::: "$@" \
+ | while read line; do
+ printf '%s %s\n' "$(date --rfc-3339=s)" "$line"
+ done
+ ;;
+
+ -*)
+ echo $0: unknown option: $1 >&2
+ exit 1
+ ;;
+
+ # usage: pssh command [arg...] ::: host...
+ # Run command at each host.
+ *)
+ exec parallel \
+ --line-buffer \
+ -j0 \
+ --no-notice \
+ --tagstring {} \
+ ssh -T {} "$@"
+ ;;
+
+ esac
+''
diff --git a/krebs/5pkgs/youtube-tools.nix b/krebs/5pkgs/youtube-tools/default.nix
similarity index 100%
rename from krebs/5pkgs/youtube-tools.nix
rename to krebs/5pkgs/youtube-tools/default.nix
diff --git a/Zhosts/Styx b/krebs/Zhosts/Styx
similarity index 100%
rename from Zhosts/Styx
rename to krebs/Zhosts/Styx
diff --git a/Zhosts/ThinkArmageddon b/krebs/Zhosts/ThinkArmageddon
similarity index 100%
rename from Zhosts/ThinkArmageddon
rename to krebs/Zhosts/ThinkArmageddon
diff --git a/Zhosts/TriBot b/krebs/Zhosts/TriBot
similarity index 100%
rename from Zhosts/TriBot
rename to krebs/Zhosts/TriBot
diff --git a/Zhosts/ach b/krebs/Zhosts/ach
similarity index 100%
rename from Zhosts/ach
rename to krebs/Zhosts/ach
diff --git a/Zhosts/air b/krebs/Zhosts/air
similarity index 100%
rename from Zhosts/air
rename to krebs/Zhosts/air
diff --git a/Zhosts/alarmpi b/krebs/Zhosts/alarmpi
similarity index 100%
rename from Zhosts/alarmpi
rename to krebs/Zhosts/alarmpi
diff --git a/Zhosts/albi10 b/krebs/Zhosts/albi10
similarity index 100%
rename from Zhosts/albi10
rename to krebs/Zhosts/albi10
diff --git a/Zhosts/albi7 b/krebs/Zhosts/albi7
similarity index 100%
rename from Zhosts/albi7
rename to krebs/Zhosts/albi7
diff --git a/Zhosts/almoehi b/krebs/Zhosts/almoehi
similarity index 100%
rename from Zhosts/almoehi
rename to krebs/Zhosts/almoehi
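Review bot: In the `-j|--journal` branch of the pssh script, `while read line` strips leading and trailing whitespace and consumes backslashes, so journal lines are altered before the timestamp is prepended; `while IFS= read -r line; do` passes them through unchanged. In the default branch, `ssh -T {} "$@"` hands the arguments to ssh, which joins them with spaces for the remote shell to parse again, so an argument containing spaces or shell metacharacters does not run as typed on the local side. The usage comment should say so, e.g. `# NOTE: command and args are re-parsed by the remote shell; quote accordingly`. The `-*)` branch also expands `$0` and `$1` unquoted in its `echo`.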
diff --git a/Zhosts/alphalabs b/krebs/Zhosts/alphalabs
similarity index 100%
rename from Zhosts/alphalabs
rename to krebs/Zhosts/alphalabs
diff --git a/Zhosts/apfull b/krebs/Zhosts/apfull
similarity index 100%
rename from Zhosts/apfull
rename to krebs/Zhosts/apfull
diff --git a/Zhosts/bitchctl b/krebs/Zhosts/bitchctl
similarity index 100%
rename from Zhosts/bitchctl
rename to krebs/Zhosts/bitchctl
diff --git a/Zhosts/bitchextend b/krebs/Zhosts/bitchextend
similarity index 100%
rename from Zhosts/bitchextend
rename to krebs/Zhosts/bitchextend
diff --git a/Zhosts/bitchtop b/krebs/Zhosts/bitchtop
similarity index 100%
rename from Zhosts/bitchtop
rename to krebs/Zhosts/bitchtop
diff --git a/Zhosts/box b/krebs/Zhosts/box
similarity index 100%
rename from Zhosts/box
rename to krebs/Zhosts/box
diff --git a/Zhosts/bridge b/krebs/Zhosts/bridge
similarity index 100%
rename from Zhosts/bridge
rename to krebs/Zhosts/bridge
diff --git a/Zhosts/c2ft b/krebs/Zhosts/c2ft
similarity index 100%
rename from Zhosts/c2ft
rename to krebs/Zhosts/c2ft
diff --git a/Zhosts/c2fthome b/krebs/Zhosts/c2fthome
similarity index 100%
rename from Zhosts/c2fthome
rename to krebs/Zhosts/c2fthome
diff --git a/Zhosts/casino b/krebs/Zhosts/casino
similarity index 100%
rename from Zhosts/casino
rename to krebs/Zhosts/casino
diff --git a/Zhosts/cat1 b/krebs/Zhosts/cat1
similarity index 100%
rename from Zhosts/cat1
rename to krebs/Zhosts/cat1
diff --git a/Zhosts/cband b/krebs/Zhosts/cband
similarity index 100%
rename from Zhosts/cband
rename to krebs/Zhosts/cband
diff --git a/Zhosts/cd b/krebs/Zhosts/cd
similarity index 100%
rename from Zhosts/cd
rename to krebs/Zhosts/cd
diff --git a/Zhosts/cloudkrebs b/krebs/Zhosts/cloudkrebs
similarity index 100%
rename from Zhosts/cloudkrebs
rename to krebs/Zhosts/cloudkrebs
diff --git a/Zhosts/darth b/krebs/Zhosts/darth
similarity index 100%
rename from Zhosts/darth
rename to krebs/Zhosts/darth
diff --git a/Zhosts/dei b/krebs/Zhosts/dei
similarity index 100%
rename from Zhosts/dei
rename to krebs/Zhosts/dei
diff --git a/Zhosts/destroy b/krebs/Zhosts/destroy
similarity index 100%
rename from Zhosts/destroy
rename to krebs/Zhosts/destroy
diff --git a/Zhosts/devstar b/krebs/Zhosts/devstar
similarity index 100%
rename from Zhosts/devstar
rename to krebs/Zhosts/devstar
diff --git a/Zhosts/eigenserv b/krebs/Zhosts/eigenserv
similarity index 100%
rename from Zhosts/eigenserv
rename to krebs/Zhosts/eigenserv
diff --git a/Zhosts/elvis b/krebs/Zhosts/elvis
similarity index 100%
rename from Zhosts/elvis
rename to krebs/Zhosts/elvis
diff --git a/Zhosts/eulerwalk b/krebs/Zhosts/eulerwalk
similarity index 100%
rename from Zhosts/eulerwalk
rename to krebs/Zhosts/eulerwalk
diff --git a/Zhosts/exile b/krebs/Zhosts/exile
similarity index 100%
rename from Zhosts/exile
rename to krebs/Zhosts/exile
diff --git a/Zhosts/exitium_mobilis b/krebs/Zhosts/exitium_mobilis
similarity index 100%
rename from Zhosts/exitium_mobilis
rename to krebs/Zhosts/exitium_mobilis
diff --git a/Zhosts/falk b/krebs/Zhosts/falk
similarity index 100%
rename from Zhosts/falk
rename to krebs/Zhosts/falk
diff --git a/Zhosts/fastpoke b/krebs/Zhosts/fastpoke
similarity index 100%
rename from Zhosts/fastpoke
rename to krebs/Zhosts/fastpoke
diff --git a/Zhosts/filebitch b/krebs/Zhosts/filebitch
similarity index 100%
rename from Zhosts/filebitch
rename to krebs/Zhosts/filebitch
diff --git a/Zhosts/filepimp b/krebs/Zhosts/filepimp
similarity index 100%
rename from Zhosts/filepimp
rename to krebs/Zhosts/filepimp
diff --git a/Zhosts/flap b/krebs/Zhosts/flap
similarity index 100%
rename from Zhosts/flap
rename to krebs/Zhosts/flap
diff --git a/Zhosts/foobar b/krebs/Zhosts/foobar
similarity index 100%
rename from Zhosts/foobar
rename to krebs/Zhosts/foobar
diff --git a/Zhosts/fuerkrebs b/krebs/Zhosts/fuerkrebs
similarity index 100%
rename from Zhosts/fuerkrebs
rename to krebs/Zhosts/fuerkrebs
diff --git a/Zhosts/go b/krebs/Zhosts/go
similarity index 100%
rename from Zhosts/go
rename to krebs/Zhosts/go
diff --git a/Zhosts/gum b/krebs/Zhosts/gum
similarity index 100%
rename from Zhosts/gum
rename to krebs/Zhosts/gum
diff --git a/Zhosts/heidi b/krebs/Zhosts/heidi
similarity index 100%
rename from Zhosts/heidi
rename to krebs/Zhosts/heidi
diff --git a/Zhosts/horisa b/krebs/Zhosts/horisa
similarity index 100%
rename from Zhosts/horisa
rename to krebs/Zhosts/horisa
diff --git a/Zhosts/horreum_magnus b/krebs/Zhosts/horreum_magnus
similarity index 100%
rename from Zhosts/horreum_magnus
rename to krebs/Zhosts/horreum_magnus
diff --git a/Zhosts/incept b/krebs/Zhosts/incept
similarity index 100%
rename from Zhosts/incept
rename to krebs/Zhosts/incept
diff --git a/Zhosts/ire b/krebs/Zhosts/ire
similarity index 100%
rename from Zhosts/ire
rename to krebs/Zhosts/ire
diff --git a/Zhosts/ire2 b/krebs/Zhosts/ire2
similarity index 100%
rename from Zhosts/ire2
rename to krebs/Zhosts/ire2
diff --git a/Zhosts/irkel b/krebs/Zhosts/irkel
similarity index 100%
rename from Zhosts/irkel
rename to krebs/Zhosts/irkel
diff --git a/Zhosts/juhulian b/krebs/Zhosts/juhulian
similarity index 100%
rename from Zhosts/juhulian
rename to krebs/Zhosts/juhulian
diff --git a/Zhosts/k2 b/krebs/Zhosts/k2
similarity index 100%
rename from Zhosts/k2
rename to krebs/Zhosts/k2
diff --git a/Zhosts/kabinett b/krebs/Zhosts/kabinett
similarity index 100%
rename from Zhosts/kabinett
rename to krebs/Zhosts/kabinett
diff --git a/Zhosts/kaepsele b/krebs/Zhosts/kaepsele
similarity index 100%
rename from Zhosts/kaepsele
rename to krebs/Zhosts/kaepsele
diff --git a/Zhosts/kalle b/krebs/Zhosts/kalle
similarity index 100%
rename from Zhosts/kalle
rename to krebs/Zhosts/kalle
diff --git a/Zhosts/karthus b/krebs/Zhosts/karthus
similarity index 100%
rename from Zhosts/karthus
rename to krebs/Zhosts/karthus
diff --git a/Zhosts/khackplug b/krebs/Zhosts/khackplug
similarity index 100%
rename from Zhosts/khackplug
rename to krebs/Zhosts/khackplug
diff --git a/Zhosts/kheurop b/krebs/Zhosts/kheurop
similarity index 100%
rename from Zhosts/kheurop
rename to krebs/Zhosts/kheurop
diff --git a/Zhosts/kiosk b/krebs/Zhosts/kiosk
similarity index 100%
rename from Zhosts/kiosk
rename to krebs/Zhosts/kiosk
diff --git a/Zhosts/krebsplug b/krebs/Zhosts/krebsplug
similarity index 100%
rename from Zhosts/krebsplug
rename to krebs/Zhosts/krebsplug
diff --git a/Zhosts/kvasir b/krebs/Zhosts/kvasir
similarity index 100%
rename from Zhosts/kvasir
rename to krebs/Zhosts/kvasir
diff --git a/Zhosts/laqueus b/krebs/Zhosts/laqueus
similarity index 100%
rename from Zhosts/laqueus
rename to krebs/Zhosts/laqueus
diff --git a/Zhosts/linuxatom b/krebs/Zhosts/linuxatom
similarity index 100%
rename from Zhosts/linuxatom
rename to krebs/Zhosts/linuxatom
diff --git a/Zhosts/luminos b/krebs/Zhosts/luminos
similarity index 100%
rename from Zhosts/luminos
rename to krebs/Zhosts/luminos
diff --git a/Zhosts/machine b/krebs/Zhosts/machine
similarity index 100%
rename from Zhosts/machine
rename to krebs/Zhosts/machine
diff --git a/Zhosts/makalu b/krebs/Zhosts/makalu
similarity index 100%
rename from Zhosts/makalu
rename to krebs/Zhosts/makalu
diff --git a/Zhosts/mako b/krebs/Zhosts/mako
similarity index 100%
rename from Zhosts/mako
rename to krebs/Zhosts/mako
diff --git a/Zhosts/miefda0 b/krebs/Zhosts/miefda0
similarity index 100%
rename from Zhosts/miefda0
rename to krebs/Zhosts/miefda0
diff --git a/Zhosts/minikrebs b/krebs/Zhosts/minikrebs
similarity index 100%
rename from Zhosts/minikrebs
rename to krebs/Zhosts/minikrebs
diff --git a/Zhosts/mkdir b/krebs/Zhosts/mkdir
similarity index 100%
rename from Zhosts/mkdir
rename to krebs/Zhosts/mkdir
diff --git a/Zhosts/monitor b/krebs/Zhosts/monitor
similarity index 100%
rename from Zhosts/monitor
rename to krebs/Zhosts/monitor
diff --git a/Zhosts/mors b/krebs/Zhosts/mors
similarity index 100%
rename from Zhosts/mors
rename to krebs/Zhosts/mors
diff --git a/Zhosts/motor b/krebs/Zhosts/motor
similarity index 100%
rename from Zhosts/motor
rename to krebs/Zhosts/motor
diff --git a/Zhosts/mu b/krebs/Zhosts/mu
similarity index 100%
rename from Zhosts/mu
rename to krebs/Zhosts/mu
diff --git a/Zhosts/muhbaasu b/krebs/Zhosts/muhbaasu
similarity index 100%
rename from Zhosts/muhbaasu
rename to krebs/Zhosts/muhbaasu
diff --git a/Zhosts/nomic b/krebs/Zhosts/nomic
similarity index 100%
rename from Zhosts/nomic
rename to krebs/Zhosts/nomic
diff --git a/Zhosts/nomic2 b/krebs/Zhosts/nomic2
similarity index 100%
rename from Zhosts/nomic2
rename to krebs/Zhosts/nomic2
diff --git a/Zhosts/nukular b/krebs/Zhosts/nukular
similarity index 100%
rename from Zhosts/nukular
rename to krebs/Zhosts/nukular
diff --git a/Zhosts/omo b/krebs/Zhosts/omo
similarity index 100%
rename from Zhosts/omo
rename to krebs/Zhosts/omo
diff --git a/Zhosts/pic b/krebs/Zhosts/pic
similarity index 100%
rename from Zhosts/pic
rename to krebs/Zhosts/pic
diff --git a/Zhosts/pigstarter b/krebs/Zhosts/pigstarter
similarity index 100%
rename from Zhosts/pigstarter
rename to krebs/Zhosts/pigstarter
diff --git a/Zhosts/pike b/krebs/Zhosts/pike
similarity index 100%
rename from Zhosts/pike
rename to krebs/Zhosts/pike
diff --git a/Zhosts/pnp b/krebs/Zhosts/pnp
similarity index 100%
rename from Zhosts/pnp
rename to krebs/Zhosts/pnp
diff --git a/Zhosts/pornocauster b/krebs/Zhosts/pornocauster
similarity index 100%
rename from Zhosts/pornocauster
rename to krebs/Zhosts/pornocauster
diff --git a/Zhosts/radiotuxmini b/krebs/Zhosts/radiotuxmini
similarity index 100%
rename from Zhosts/radiotuxmini
rename to krebs/Zhosts/radiotuxmini
diff --git a/Zhosts/random b/krebs/Zhosts/random
similarity index 100%
rename from Zhosts/random
rename to krebs/Zhosts/random
diff --git a/Zhosts/raspafari b/krebs/Zhosts/raspafari
similarity index 100%
rename from Zhosts/raspafari
rename to krebs/Zhosts/raspafari
diff --git a/Zhosts/reimae b/krebs/Zhosts/reimae
similarity index 100%
rename from Zhosts/reimae
rename to krebs/Zhosts/reimae
diff --git a/Zhosts/rmdir b/krebs/Zhosts/rmdir
similarity index 100%
rename from Zhosts/rmdir
rename to krebs/Zhosts/rmdir
diff --git a/Zhosts/robchina b/krebs/Zhosts/robchina
similarity index 100%
rename from Zhosts/robchina
rename to krebs/Zhosts/robchina
diff --git a/Zhosts/rockit b/krebs/Zhosts/rockit
similarity index 100%
rename from Zhosts/rockit
rename to krebs/Zhosts/rockit
diff --git a/Zhosts/rtjure_debian_oder_so b/krebs/Zhosts/rtjure_debian_oder_so
similarity index 100%
rename from Zhosts/rtjure_debian_oder_so
rename to krebs/Zhosts/rtjure_debian_oder_so
diff --git a/Zhosts/rtjure_ras b/krebs/Zhosts/rtjure_ras
similarity index 100%
rename from Zhosts/rtjure_ras
rename to krebs/Zhosts/rtjure_ras
diff --git a/Zhosts/rtjure_rdrlab_linkstation b/krebs/Zhosts/rtjure_rdrlab_linkstation
similarity index 100%
rename from Zhosts/rtjure_rdrlab_linkstation
rename to krebs/Zhosts/rtjure_rdrlab_linkstation
diff --git a/Zhosts/rubus b/krebs/Zhosts/rubus
similarity index 100%
rename from Zhosts/rubus
rename to krebs/Zhosts/rubus
diff --git a/Zhosts/senderechner b/krebs/Zhosts/senderechner
similarity index 100%
rename from Zhosts/senderechner
rename to krebs/Zhosts/senderechner
diff --git a/Zhosts/serenity b/krebs/Zhosts/serenity
similarity index 100%
rename from Zhosts/serenity
rename to krebs/Zhosts/serenity
diff --git a/Zhosts/seruundroid b/krebs/Zhosts/seruundroid
similarity index 100%
rename from Zhosts/seruundroid
rename to krebs/Zhosts/seruundroid
diff --git a/Zhosts/sir_krebs_a_lot b/krebs/Zhosts/sir_krebs_a_lot
similarity index 100%
rename from Zhosts/sir_krebs_a_lot
rename to krebs/Zhosts/sir_krebs_a_lot
diff --git a/Zhosts/skirfir b/krebs/Zhosts/skirfir
similarity index 100%
rename from Zhosts/skirfir
rename to krebs/Zhosts/skirfir
diff --git a/Zhosts/sleipnir b/krebs/Zhosts/sleipnir
similarity index 100%
rename from Zhosts/sleipnir
rename to krebs/Zhosts/sleipnir
diff --git a/Zhosts/smove b/krebs/Zhosts/smove
similarity index 100%
rename from Zhosts/smove
rename to krebs/Zhosts/smove
diff --git a/Zhosts/sokrates b/krebs/Zhosts/sokrates
similarity index 100%
rename from Zhosts/sokrates
rename to krebs/Zhosts/sokrates
diff --git a/Zhosts/sokrateslaptop b/krebs/Zhosts/sokrateslaptop
similarity index 100%
rename from Zhosts/sokrateslaptop
rename to krebs/Zhosts/sokrateslaptop
diff --git a/Zhosts/soundflower b/krebs/Zhosts/soundflower
similarity index 100%
rename from Zhosts/soundflower
rename to krebs/Zhosts/soundflower
diff --git a/Zhosts/steve b/krebs/Zhosts/steve
similarity index 100%
rename from Zhosts/steve
rename to krebs/Zhosts/steve
diff --git a/Zhosts/tahoe b/krebs/Zhosts/tahoe
similarity index 100%
rename from Zhosts/tahoe
rename to krebs/Zhosts/tahoe
diff --git a/Zhosts/taschenkrebs b/krebs/Zhosts/taschenkrebs
similarity index 100%
rename from Zhosts/taschenkrebs
rename to krebs/Zhosts/taschenkrebs
diff --git a/Zhosts/terrapi b/krebs/Zhosts/terrapi
similarity index 100%
rename from Zhosts/terrapi
rename to krebs/Zhosts/terrapi
diff --git a/Zhosts/thomasDOTde b/krebs/Zhosts/thomasDOTde
similarity index 100%
rename from Zhosts/thomasDOTde
rename to krebs/Zhosts/thomasDOTde
diff --git a/Zhosts/tincdroid b/krebs/Zhosts/tincdroid
similarity index 100%
rename from Zhosts/tincdroid
rename to krebs/Zhosts/tincdroid
diff --git a/Zhosts/tmpd b/krebs/Zhosts/tmpd
similarity index 100%
rename from Zhosts/tmpd
rename to krebs/Zhosts/tmpd
diff --git a/Zhosts/tpsw b/krebs/Zhosts/tpsw
similarity index 100%
rename from Zhosts/tpsw
rename to krebs/Zhosts/tpsw
diff --git a/Zhosts/tsp b/krebs/Zhosts/tsp
similarity index 100%
rename from Zhosts/tsp
rename to krebs/Zhosts/tsp
diff --git a/Zhosts/ufo b/krebs/Zhosts/ufo
similarity index 100%
rename from Zhosts/ufo
rename to krebs/Zhosts/ufo
diff --git a/Zhosts/uriel b/krebs/Zhosts/uriel
similarity index 100%
rename from Zhosts/uriel
rename to krebs/Zhosts/uriel
diff --git a/Zhosts/vault b/krebs/Zhosts/vault
similarity index 100%
rename from Zhosts/vault
rename to krebs/Zhosts/vault
diff --git a/Zhosts/voyager b/krebs/Zhosts/voyager
similarity index 100%
rename from Zhosts/voyager
rename to krebs/Zhosts/voyager
diff --git a/Zhosts/wooktop b/krebs/Zhosts/wooktop
similarity index 100%
rename from Zhosts/wooktop
rename to krebs/Zhosts/wooktop
diff --git a/Zhosts/wu b/krebs/Zhosts/wu
similarity index 100%
rename from Zhosts/wu
rename to krebs/Zhosts/wu
diff --git a/Zhosts/ytart b/krebs/Zhosts/ytart
similarity index 100%
rename from Zhosts/ytart
rename to krebs/Zhosts/ytart
diff --git a/Zhosts/zombiecancer b/krebs/Zhosts/zombiecancer
similarity index 100%
rename from Zhosts/zombiecancer
rename to krebs/Zhosts/zombiecancer
diff --git a/Zpubkeys/deploy_wu.ssh.pub b/krebs/Zpubkeys/deploy_wu.ssh.pub
similarity index 100%
rename from Zpubkeys/deploy_wu.ssh.pub
rename to krebs/Zpubkeys/deploy_wu.ssh.pub
diff --git a/Zpubkeys/lass.ssh.pub b/krebs/Zpubkeys/lass.ssh.pub
similarity index 100%
rename from Zpubkeys/lass.ssh.pub
rename to krebs/Zpubkeys/lass.ssh.pub
diff --git a/Zpubkeys/makefu_arch.ssh.pub b/krebs/Zpubkeys/makefu_arch.ssh.pub
similarity index 100%
rename from Zpubkeys/makefu_arch.ssh.pub
rename to krebs/Zpubkeys/makefu_arch.ssh.pub
diff --git a/Zpubkeys/makefu_omo.ssh.pub b/krebs/Zpubkeys/makefu_omo.ssh.pub
similarity index 100%
rename from Zpubkeys/makefu_omo.ssh.pub
rename to krebs/Zpubkeys/makefu_omo.ssh.pub
diff --git a/Zpubkeys/makefu_tsp.ssh.pub b/krebs/Zpubkeys/makefu_tsp.ssh.pub
similarity index 100%
rename from Zpubkeys/makefu_tsp.ssh.pub
rename to krebs/Zpubkeys/makefu_tsp.ssh.pub
diff --git a/Zpubkeys/mv_vod.ssh.pub b/krebs/Zpubkeys/mv_vod.ssh.pub similarity index 100% rename from Zpubkeys/mv_vod.ssh.pub rename to krebs/Zpubkeys/mv_vod.ssh.pub diff --git a/Zpubkeys/tv_wu.ssh.pub b/krebs/Zpubkeys/tv_wu.ssh.pub similarity index 100% rename from Zpubkeys/tv_wu.ssh.pub rename to krebs/Zpubkeys/tv_wu.ssh.pub diff --git a/Zpubkeys/uriel.ssh.pub b/krebs/Zpubkeys/uriel.ssh.pub similarity index 100% rename from Zpubkeys/uriel.ssh.pub rename to krebs/Zpubkeys/uriel.ssh.pub diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix index 963d07744..98f3ecd22 100644 --- a/makefu/1systems/pnp.nix +++ b/makefu/1systems/pnp.nix @@ -7,24 +7,38 @@ { imports = [ # Include the results of the hardware scan. - + # Base ../2configs/base.nix - ../2configs/cgit-retiolum.nix - # ../2configs/graphite-standalone.nix - ../2configs/vm-single-partition.nix ../2configs/tinc-basic-retiolum.nix + # HW/FS + + ../2configs/fs/vm-single-partition.nix + + # Services + ../2configs/git/cgit-retiolum.nix + + ## Reaktor + ## \/ are only plugins, must enable Reaktor explicitly + ../2configs/Reaktor/stockholmLentil.nix + ../2configs/Reaktor/simpleExtend.nix + ../2configs/exim-retiolum.nix ../2configs/urlwatch.nix + + # ../2configs/graphite-standalone.nix ]; + krebs.Reaktor.enable = true; + krebs.build.host = config.krebs.hosts.pnp; krebs.build.user = config.krebs.users.makefu; krebs.build.target = "root@pnp"; + krebs.build.deps = { nixpkgs = { url = https://github.com/NixOS/nixpkgs; - rev = "13576925552b1d0751498fdda22e91a055a1ff6c"; + rev = "03921972268934d900cc32dad253ff383926771c"; }; }; diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 415c1af30..4dcfe4eca 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix 
@@ -13,9 +13,7 @@ ../2configs/tinc-basic-retiolum.nix #../2configs/disable_v6.nix - #../2configs/sda-crypto-root.nix - ../2configs/sda-crypto-root-home.nix - + # environment ../2configs/zsh-user.nix # applications @@ -23,14 +21,22 @@ ../2configs/virtualization.nix ../2configs/wwan.nix + # services + ../2configs/git/brain-retiolum.nix + # ../2configs/Reaktor/simpleExtend.nix + # hardware specifics are in here - ../2configs/tp-x220.nix + ../2configs/hw/tp-x220.nix + # mount points + ../2configs/fs/sda-crypto-root-home.nix ]; krebs.build.host = config.krebs.hosts.pornocauster; krebs.build.user = config.krebs.users.makefu; krebs.build.target = "root@pornocauster"; + #krebs.Reaktor.nickname = "makefu|r"; + networking.firewall.allowedTCPPorts = [ 25 ]; @@ -39,7 +45,7 @@ nixpkgs = { url = https://github.com/NixOS/nixpkgs; #url = https://github.com/makefu/nixpkgs; - rev = "13576925552b1d0751498fdda22e91a055a1ff6c"; + rev = "03921972268934d900cc32dad253ff383926771c"; }; }; } diff --git a/makefu/1systems/repunit.nix b/makefu/1systems/repunit.nix index 503fe8f65..d98ff17c1 100644 --- a/makefu/1systems/repunit.nix +++ b/makefu/1systems/repunit.nix @@ -49,7 +49,7 @@ }; krebs.retiolum = { enable = true; - hosts = ../../Zhosts; + hosts = ../../krebs/Zhosts; connectTo = [ "gum" "pigstarter" diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index 67db22460..3c2bb2eda 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix @@ -9,9 +9,9 @@ ../2configs/base.nix ../2configs/base-gui.nix ../2configs/tinc-basic-retiolum.nix - ../2configs/sda-crypto-root.nix + ../2configs/fs/sda-crypto-root.nix # hardware specifics are in here - ../2configs/tp-x200.nix #< imports tp-x2x0.nix + ../2configs/hw/tp-x200.nix #< imports tp-x2x0.nix ../2configs/disable_v6.nix ../2configs/rad1o.nix diff --git a/makefu/2configs/Reaktor/random-issue.sh b/makefu/2configs/Reaktor/random-issue.sh new file mode 100644 index 000000000..5c47c6156 --- /dev/null 
+++ b/makefu/2configs/Reaktor/random-issue.sh @@ -0,0 +1,20 @@ +#! /bin/sh +set -eu +# requires env: +# $state_dir +# $origin + +# in PATH: git,lentil,coreutils +subdir=`echo "$1" | tr -dc "[:alnum:]"` +name=`echo "$origin" | tr -dc "[:alnum:]"` +track="$state_dir/$name-checkout" +(if test -e "$track" ;then + cd "$track" + git fetch origin master + git reset --hard origin/master +else + git clone "$origin" "$track" +fi) >&2 + +cd "$track" +lentil "${subdir:-.}" -f csv | sed 1d | shuf | head -1 diff --git a/makefu/2configs/Reaktor/simpleExtend.nix b/makefu/2configs/Reaktor/simpleExtend.nix new file mode 100644 index 000000000..95175a4e0 --- /dev/null +++ b/makefu/2configs/Reaktor/simpleExtend.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: + +with pkgs; +let + nixos-version-script = pkgs.writeScript "nix-version" '' + #! /bin/sh + . /etc/os-release + echo "$PRETTY_NAME" + ''; +in { + krebs.Reaktor.extraConfig = '' + public_commands.insert(0,{ + 'capname' : "nixos-version", + 'pattern' : indirect_pattern.format("nixos-version"), + 'argv' : ["${nixos-version-script}"], + 'env' : { 'state_dir': workdir } }) + ''; +} + diff --git a/makefu/2configs/Reaktor/stockholmLentil.nix b/makefu/2configs/Reaktor/stockholmLentil.nix new file mode 100644 index 000000000..147fb5a7a --- /dev/null +++ b/makefu/2configs/Reaktor/stockholmLentil.nix 
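Review bot: With `set -eu` active, the first assignment in random-issue.sh expands `$1` unguarded, so a call without an argument aborts there and the `${subdir:-.}` fallback on the last line is never reached. Guard the expansion instead: `subdir=$(printf %s "${1:-}" | tr -dc '[:alnum:]')`. The strict alphanumeric filter is the right default if the argument comes from a chat user (presumably via Reaktor's `public_commands`; the caller is not visible here), but it also deletes `/` and `.`, so a nested path collapses into a name that does not exist. A comment such as `# $1 is untrusted; only [:alnum:] survives, so only top-level directories can be selected` would make that limit explicit.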
@@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: + +with pkgs; +let + random-issue = pkgs.writeScript "random-issue" (builtins.readFile ./random-issue.sh); + random-issue-path = lib.makeSearchPath "bin" (with pkgs; [ + coreutils + git + gnused + lentil]); +in { + # TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm + krebs.Reaktor.extraConfig = '' + public_commands.insert(0,{ + 'capname' : "stockholm-issue", + 'pattern' : indirect_pattern.format("stockholm-issue"), + 'argv' : ["${random-issue}"], + 'env' : { 'state_dir': workdir, + 'PATH':'${random-issue-path}', + 'origin':'http://cgit.pnp/stockholm' } }) + ''; +} diff --git a/makefu/2configs/fs/cac-boot-partition.nix b/makefu/2configs/fs/cac-boot-partition.nix new file mode 100644 index 000000000..fdf4b89d8 --- /dev/null +++ b/makefu/2configs/fs/cac-boot-partition.nix @@ -0,0 +1,23 @@ +{ config, lib, pkgs, ... }: + +# vda1 ext4 (label nixos) -> only root partition +with lib; +{ + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.device = "/dev/sda"; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + hardware.cpu.amd.updateMicrocode = true; + +} diff --git a/makefu/2configs/sda-crypto-root-home.nix b/makefu/2configs/fs/sda-crypto-root-home.nix similarity index 100% rename from makefu/2configs/sda-crypto-root-home.nix rename to makefu/2configs/fs/sda-crypto-root-home.nix diff --git a/makefu/2configs/sda-crypto-root.nix b/makefu/2configs/fs/sda-crypto-root.nix similarity index 100% rename from makefu/2configs/sda-crypto-root.nix rename to makefu/2configs/fs/sda-crypto-root.nix 
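Review bot: The `'origin':'http://cgit.pnp/stockholm'` entry in stockholmLentil.nix is cloned and hard-reset by random-issue.sh over plain HTTP, and text derived from that checkout is then printed to the channel, with nothing in this hunk authenticating the source. If `cgit.pnp` is only reachable through the retiolum overlay, that overlay presumably provides the transport integrity. The assumption should be written down next to the value, for example `# origin is fetched over plain http; relies on retiolum for transport integrity`. The existing TODO about making origin a variable is a good place to require an authenticated transport once other origins are allowed.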
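Review bot: The leading comment in cac-boot-partition.nix, `# vda1 ext4 (label nixos) -> only root partition`, does not match the file, which declares both `/` and `/boot` and installs grub to `/dev/sda`. It looks carried over from the single-partition config and should be replaced with something like `# sda: ext4 /boot (label boot) + ext4 / (label nixos)`. The file also sets `nixpkgs.config.allowUnfree`, `hardware.enableAllFirmware` and AMD microcode updates, which are not filesystem concerns. A one-line comment explaining why they are set here, or a move to an `hw/` file, would keep the `fs/` directory predictable.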
diff --git a/makefu/2configs/vm-single-partition.nix b/makefu/2configs/fs/vm-single-partition.nix
similarity index 100%
rename from makefu/2configs/vm-single-partition.nix
rename to makefu/2configs/fs/vm-single-partition.nix
diff --git a/makefu/2configs/git/brain-retiolum.nix b/makefu/2configs/git/brain-retiolum.nix
new file mode 100644
index 000000000..0ab64773f
--- /dev/null
+++ b/makefu/2configs/git/brain-retiolum.nix
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: +# TODO: remove tv lib :) +with import ../../../tv/4lib { inherit lib pkgs; }; +let + + repos = priv-repos // krebs-repos ; + rules = concatMap krebs-rules (attrValues krebs-repos) ++ concatMap priv-rules (attrValues priv-repos); + + krebs-repos = mapAttrs make-krebs-repo { + brain = { + desc = "braiiiins"; + }; + }; + + priv-repos = mapAttrs make-priv-repo { + autosync = { }; + }; + + # TODO move users to separate module + make-priv-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-krebs-repo = with git; name: { desc ? null, ... }: { + inherit name desc; + public = false; + hooks = { + post-receive = git.irc-announce { + nick = config.networking.hostName; + channel = "#retiolum"; + # TODO remove the hardcoded hostname + server = "cd.retiolum"; + }; + }; + }; + + set-owners = with git;repo: user: + singleton { + inherit user; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + }; + + set-ro-access = with git; repo: user: + optional repo.public { + inherit user; + repo = [ repo ]; + perm = fetch; + }; + + # TODO: get the list of all krebsministers + krebsminister = with config.krebs.users; [ lass tv ]; + all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ]; + + priv-rules = repo: set-owners repo all-makefu; + + krebs-rules = repo: + set-owners repo all-makefu ++ set-ro-access repo krebsminister; + +in { + imports = [{ + krebs.users.makefu-omo = { + name = "makefu-omo" ; + pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_omo.ssh.pub; + }; + krebs.users.makefu-tsp = { + name = "makefu-tsp" ; + pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub; + }; + }]; + krebs.git = { + enable = true; + cgit = false; + inherit repos rules; + }; +} 
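Review bot: In brain-retiolum.nix, `make-krebs-repo` sets `public = false`, so `set-ro-access` (which is `optional repo.public { ... }`) always returns an empty list. `krebsminister` therefore never receives `fetch`, and that half of `krebs-rules` is dead. If the repository is meant to stay private, state that directly with `krebs-rules = repo: set-owners repo all-makefu;` and drop the unused `krebsminister` binding. The `post-receive` hook still announces pushes to `#retiolum`; what `git.irc-announce` sends is not visible in this hunk, so confirm it does not disclose more about a non-public repo than intended. Separately, `set-owners` grants `non-fast-forward` and `delete` on `refs/*` to all three makefu keys, which deserves a comment if history rewriting from every device is intentional.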
diff --git a/makefu/2configs/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix similarity index 89% rename from makefu/2configs/cgit-retiolum.nix rename to makefu/2configs/git/cgit-retiolum.nix index 8d9439569..40b51e601 100644 --- a/makefu/2configs/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: # TODO: remove tv lib :) -with import ../../tv/4lib { inherit lib pkgs; }; +with import ../../../tv/4lib { inherit lib pkgs; }; let repos = priv-repos // krebs-repos ; @@ -63,11 +63,11 @@ in { imports = [{ krebs.users.makefu-omo = { name = "makefu-omo" ; - pubkey= with builtins; readFile ../../Zpubkeys/makefu_omo.ssh.pub; + pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_omo.ssh.pub; }; krebs.users.makefu-tsp = { name = "makefu-tsp" ; - pubkey= with builtins; readFile ../../Zpubkeys/makefu_tsp.ssh.pub; + pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub; }; }]; krebs.git = { diff --git a/makefu/2configs/tp-x200.nix b/makefu/2configs/hw/tp-x200.nix similarity index 100% rename from makefu/2configs/tp-x200.nix rename to makefu/2configs/hw/tp-x200.nix diff --git a/makefu/2configs/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix similarity index 61% rename from makefu/2configs/tp-x220.nix rename to makefu/2configs/hw/tp-x220.nix index 787a0639e..f03922150 100644 --- a/makefu/2configs/tp-x220.nix +++ b/makefu/2configs/hw/tp-x220.nix 
@@ -7,14 +7,19 @@ with lib; boot.kernelModules = [ "kvm-intel" ]; - #services.xserver.vaapiDrivers = [pkgs.vaapiIntel pkgs.vaapiVdpau ]; - services.xserver.vaapiDrivers = []; + services.xserver = { + videoDriver = "intel"; + vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; + deviceSection = '' + Option "AccelMethod" "sna" + ''; + }; services.xserver.displayManager.sessionCommands ='' xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1 xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Button" 8 2 - xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 8 200 xinput set-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5 + # xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation Timeout" 8 200 ''; } diff --git a/makefu/2configs/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix similarity index 74% rename from makefu/2configs/tp-x2x0.nix rename to makefu/2configs/hw/tp-x2x0.nix index b79d94b4a..aa2fc2050 100644 --- a/makefu/2configs/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -11,9 +11,13 @@ with lib; zramSwap.enable = true; zramSwap.numDevices = 2; - hardware.trackpoint.enable = true; - hardware.trackpoint.sensitivity = 220; - hardware.trackpoint.speed = 220; + hardware.trackpoint = { + enable = true; + sensitivity = 220; + speed = 220; + emulateWheel = true; + }; + services.tlp.enable = true; services.tlp.extraConfig = '' diff --git a/makefu/2configs/tinc-basic-retiolum.nix b/makefu/2configs/tinc-basic-retiolum.nix index cb1991bd6..fd6d1683d 100644 --- a/makefu/2configs/tinc-basic-retiolum.nix +++ b/makefu/2configs/tinc-basic-retiolum.nix @@ -4,7 +4,7 @@ with lib; { krebs.retiolum = { enable = true; - hosts = ../../Zhosts; + hosts = ../../krebs/Zhosts; connectTo = [ "gum" "pigstarter" diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 015f472f7..417808425 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix 
@@ -1,6 +1,6 @@ { config, lib, ... }: -with import ../../krebs/4lib { inherit lib; }; +with lib; let cfg = config.krebs; diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 9f412d9b8..b385848f1 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -2,10 +2,6 @@ with lib; -let - tvpkgs = import ../5pkgs { inherit pkgs; }; -in - { krebs.build.host = config.krebs.hosts.cd; krebs.build.user = config.krebs.users.tv; @@ -29,13 +25,13 @@ in ../2configs/CAC-Developer-2.nix ../2configs/CAC-CentOS-7-64bit.nix ../2configs/base.nix - ../2configs/consul-server.nix + #../2configs/consul-server.nix ../2configs/git.nix { imports = [ ../2configs/charybdis.nix ]; tv.charybdis = { enable = true; - sslCert = ../../Zcerts/charybdis_cd.crt.pem; + sslCert = ../Zcerts/charybdis_cd.crt.pem; }; } { @@ -136,7 +132,7 @@ in server-names = singleton "viljetic.de"; # TODO directly set root (instead via location) locations = singleton (nameValuePair "/" '' - root ${tvpkgs.viljetic-pages}; + root ${pkgs.viljetic-pages}; ''); }; } @@ -171,6 +167,7 @@ in iptables mutt # for mv nethogs + ntp # ntpate rxvt_unicode.terminfo tcpdump ]; diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 028e53539..f08e74bbe 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -24,7 +24,7 @@ with lib; imports = [ ../2configs/AO753.nix ../2configs/base.nix - ../2configs/consul-server.nix + #../2configs/consul-server.nix ../2configs/git.nix { tv.iptables = { @@ -112,6 +112,7 @@ with lib; exit 23 esac '') + ntp # ntpate rxvt_unicode.terminfo tmux ]; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index e48da90ad..6cd1565f7 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -2,10 +2,6 @@ with lib; -let - tvpkgs = import ../5pkgs { inherit pkgs; }; -in - { krebs.build.host = config.krebs.hosts.wu; krebs.build.user = config.krebs.users.tv; 
@@ -28,22 +24,23 @@ in imports = [ ../2configs/w110er.nix ../2configs/base.nix - ../2configs/consul-client.nix + #../2configs/consul-client.nix ../2configs/git.nix ../2configs/mail-client.nix ../2configs/xserver.nix ../2configs/synaptics.nix # TODO w110er if xserver is enabled + ../2configs/test.nix ../2configs/urlwatch.nix { environment.systemPackages = with pkgs; [ # stockholm + genid git gnumake + hashPassword + lentil parallel - tvpkgs.genid - tvpkgs.hashPassword - tvpkgs.lentil (pkgs.writeScriptBin "ff" '' #! ${pkgs.bash}/bin/bash exec sudo -u ff -i <&2 + ''; + }; + +in out diff --git a/tv/4lib/default.nix b/tv/4lib/default.nix index 352689af4..106535ba2 100644 --- a/tv/4lib/default.nix +++ b/tv/4lib/default.nix @@ -16,12 +16,5 @@ krebs // rec { # "7.4.335" -> "74" majmin = with lib; x : concatStrings (take 2 (splitString "." x)); - shell-escape = - let - isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null; - in - stringAsChars (c: - if isSafeChar c then c - else if c == "\n" then "'\n'" - else "\\${c}"); + shell-escape = krebs.shell.escape; } diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 7b5d10a60..4175292f2 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -2,12 +2,8 @@ let inherit (pkgs) callPackage; - kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; in -kpkgs // { - charybdis = callPackage ./charybdis {}; - lentil = callPackage ./lentil {}; - much = callPackage ./much.nix {}; +{ viljetic-pages = callPackage ./viljetic-pages {}; } diff --git a/Zcerts/charybdis_cd.crt.pem b/tv/Zcerts/charybdis_cd.crt.pem similarity index 100% rename from Zcerts/charybdis_cd.crt.pem rename to tv/Zcerts/charybdis_cd.crt.pem