Merge branch 'master' of prism:stockholm

29 files changed, 1170 insertions, 208 deletions

diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix
index 1203720a5..49f439a06 100644
--- a/jeschli/1systems/brauerei/config.nix
+++ b/jeschli/1systems/brauerei/config.nix
@@ -6,6 +6,8 @@
     ./hardware-configuration.nix
     <stockholm/jeschli/2configs/urxvt.nix>
     <stockholm/jeschli/2configs/emacs.nix>
+    <stockholm/jeschli/2configs/xdg.nix>
+    <stockholm/jeschli/2configs/xserver>
   ];
 
   krebs.build.host = config.krebs.hosts.brauerei;
@@ -57,7 +59,6 @@
     terminator
     tmux
     wget
-  #  rxvt_unicode
   # editors
     emacs
   # internet
@@ -65,6 +66,7 @@
     chromium
     google-chrome
   # programming languages
+    exercism
     go
     gcc
     ghc
@@ -73,6 +75,9 @@
   # go tools
     golint
     gotools
+  # rust
+    cargo
+    rustc
   # dev tools
     gnumake
     jetbrains.pycharm-professional
@@ -105,8 +110,8 @@
   # services.printing.enable = true;
 
   # Enable the X11 windowing system.
-  services.xserver.enable = true;
-  services.xserver.layout = "us";
+  # services.xserver.enable = true;
+  # services.xserver.layout = "us";
   # services.xserver.xkbOptions = "eurosign:e";
 
   # Enable touchpad support.
@@ -115,18 +120,18 @@
   # Enable the KDE Desktop Environment.
   # services.xserver.displayManager.sddm.enable = true;
   # services.xserver.desktopManager.plasma5.enable = true;
-  services.xserver.displayManager.sddm.enable = true;
-  services.xserver.windowManager.xmonad.enable = true;
-  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
-#
+  #  services.xserver.displayManager.sddm.enable = true;
+  #  services.xserver.windowManager.xmonad.enable = true;
+  #  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+  #
   # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.extraUsers.jeschli = {
+  users.extraUsers.jeschli = { # TODO: define as krebs.users
     isNormalUser = true;
     uid = 1000;
   };
   users.extraUsers.jamie = {
     isNormalUser = true;
-    uid = 1001;
+    uid = 1001; # TODO genid
   };
 
   users.users.root.openssh.authorizedKeys.keys = [
@@ -139,4 +144,11 @@
   # should.
   system.stateVersion = "17.09"; # Did you read the comment?
 
+  hardware.trackpoint = {
+    enable = true;
+    sensitivity = 220;
+    speed = 0;
+    emulateWheel = true;
+  };
+
 }
diff --git a/jeschli/2configs/emacs.nix b/jeschli/2configs/emacs.nix
index d9e6c854a..4c52432d3 100644
--- a/jeschli/2configs/emacs.nix
+++ b/jeschli/2configs/emacs.nix
@@ -31,6 +31,7 @@ let
     (scroll-bar-mode -1)                ; Disable scroll bar
     (setq inhibit-startup-screen t)     ; Disable startup screen with graphics
     (setq-default indent-tabs-mode nil) ; Use spaces instead of tabs
+    (setq default-tab-width 2)          ; Two spaces is a tab
     (setq tab-width 2)                  ; Four spaces is a tab
     (setq visible-bell nil)             ; Disable annoying visual bell graphic
     (setq ring-bell-function 'ignore)   ; Disable super annoying audio bell
@@ -45,30 +46,26 @@ let
       (setq org-agenda-files (quote ("~/projects/notes")))
     )
   '';
-  emacsFile = ''
+  recentFiles = ''
+    (recentf-mode 1)
+    (setq recentf-max-menu-items 25)
+    (global-set-key "\C-x\ \C-r" 'recentf-open-files)
+  '';
+  dotEmacs = pkgs.writeText "dot-emacs" ''
     ${packageRepos}
+    ${orgMode}
+    ${recentFiles}
     ${windowCosmetics}
-    (custom-set-variables
-     ;; custom-set-variables was added by Custom.
-     ;; If you edit it by hand, you could mess it up, so be careful.
-     ;; Your init file should contain only one such instance.
-     ;; If there is more than one, they won't work right.
-     '(inhibit-startup-screen t)
-     '(org-agenda-files nil)
-     '(package-selected-packages
-       (quote
-        (smex ox-jira org-plus-contrib org-mime org-jira neotree molokai-theme let-alist helm-fuzzy-find go-guru go-autocomplete flymake-go exec-path-from-shell evil-org cl-lib-highlight bbdb atom-one-dark-theme))))
-     ${orgMode}
   '';
-  dotEmacs = pkgs.writeText "dot-emacs" emacsFile;
-  emacs = (pkgs.emacsPackagesNgGen pkgs.emacs).emacsWithPackages (epkgs: [
+  emacsWithCustomPackages = (pkgs.emacsPackagesNgGen pkgs.emacs).emacsWithPackages (epkgs: [
     epkgs.melpaStablePackages.magit
     epkgs.melpaPackages.mmm-mode
     epkgs.melpaPackages.nix-mode
     epkgs.melpaPackages.go-mode
+    epkgs.melpaPackages.google-this
   ]);
   myEmacs = pkgs.writeDashBin "my-emacs" ''
-    exec ${emacs}/bin/emacs -q -l ${dotEmacs} "$@"
+    exec ${emacsWithCustomPackages}/bin/emacs -q -l ${dotEmacs} "$@"
   '';
 in {
   environment.systemPackages = [
diff --git a/jeschli/2configs/xdg.nix b/jeschli/2configs/xdg.nix
new file mode 100644
index 000000000..18bac9b38
--- /dev/null
+++ b/jeschli/2configs/xdg.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+{
+  environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
+
+  systemd.tmpfiles.rules = let
+    forUsers = flip map users;
+    isUser = { name, group, ... }:
+      name == "root" || hasSuffix "users" group;
+    users = filter isUser (mapAttrsToList (_: id) config.users.users);
+  in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
+}
diff --git a/jeschli/2configs/xserver/Xmodmap.nix b/jeschli/2configs/xserver/Xmodmap.nix
new file mode 100644
index 000000000..d2b1b2604
--- /dev/null
+++ b/jeschli/2configs/xserver/Xmodmap.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+pkgs.writeText "Xmodmap" ''
+  !keycode 66 = Caps_Lock
+  !remove Lock = Caps_Lock
+  clear Lock
+
+  ! caps lock
+  keycode  66 = Mode_switch
+
+  keycode  13 = 4 dollar EuroSign cent
+  keycode  30 = u U udiaeresis Udiaeresis
+  keycode  32 = o O odiaeresis Odiaeresis
+  keycode  38 = a A adiaeresis Adiaeresis
+  keycode  39 = s S ssharp
+
+  keycode  33 = p P Greek_pi Greek_PI
+  keycode  46 = l L Greek_lambda Greek_LAMBDA
+
+  keycode  54 = c C cacute Cacute
+
+  !                       BULLET OPERATOR
+  keycode 17 = 8 asterisk U2219
+  keycode 27 = r R r U211D
+''
diff --git a/jeschli/2configs/xserver/Xresources.nix b/jeschli/2configs/xserver/Xresources.nix
new file mode 100644
index 000000000..e433a855e
--- /dev/null
+++ b/jeschli/2configs/xserver/Xresources.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+pkgs.writeText "Xresources" /* xdefaults */ ''
+  URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}‘’"
+  URxvt*eightBitInput: false
+  URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
+  URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
+  URxvt*scrollBar: false
+  URxvt*background: #050505
+  URxvt*foreground: #d0d7d0
+  URxvt*cursorColor: #f042b0
+  URxvt*cursorColor2: #f0b000
+  URxvt*cursorBlink: off
+  URxvt*jumpScroll: true
+  URxvt*allowSendEvents: false
+  URxvt*charClass: 33:48,37:48,45-47:48,64:48,38:48,61:48,63:48
+  URxvt*cutNewline: False
+  URxvt*cutToBeginningOfLine: False
+
+  URxvt*color0: #232342
+  URxvt*color3: #c07000
+  URxvt*color4: #4040c0
+  URxvt*color7: #c0c0c0
+  URxvt*color8: #707070
+  URxvt*color9: #ff6060
+  URxvt*color10: #70ff70
+  URxvt*color11: #ffff70
+  URxvt*color12: #7070ff
+  URxvt*color13: #ff50ff
+  URxvt*color14: #70ffff
+  URxvt*color15: #ffffff
+
+  URxvt*iso14755: False
+
+  URxvt*urgentOnBell: True
+  URxvt*visualBell: True
+
+  ! ref https://github.com/muennich/urxvt-perls
+  URxvt*perl-ext: default,url-select
+  URxvt*keysym.M-u: perl:url-select:select_next
+  URxvt*url-select.underline: true
+  URxvt*colorUL: #4682B4
+  URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
+  URxvt*saveLines: 10000
+
+  root-urxvt*background: #230000
+  root-urxvt*foreground: #e0c0c0
+  root-urxvt*BorderColor: #400000
+  root-urxvt*color0: #800000
+''
diff --git a/jeschli/2configs/xserver/default.nix b/jeschli/2configs/xserver/default.nix
new file mode 100644
index 000000000..df06000f3
--- /dev/null
+++ b/jeschli/2configs/xserver/default.nix
@@ -0,0 +1,141 @@
+{ config, pkgs, ... }@args:
+with import <stockholm/lib>;
+let
+  cfg = {
+    cacheDir = cfg.dataDir;
+    configDir = "/var/empty";
+    dataDir = "/run/xdg/${cfg.user.name}/xmonad";
+    user = config.krebs.users.jeschli;
+  };
+in {
+
+  environment.systemPackages = [
+    pkgs.font-size
+    pkgs.gitAndTools.qgit
+    pkgs.mpv
+    pkgs.sxiv
+    pkgs.xdotool
+    pkgs.xsel
+    pkgs.zathura
+  ];
+
+  fonts.fonts = [
+    pkgs.xlibs.fontschumachermisc
+  ];
+
+  # TODO dedicated group, i.e. with a single user [per-user-setuid]
+  # TODO krebs.setuid.slock.path vs /run/wrappers/bin
+  krebs.setuid.slock = {
+    filename = "${pkgs.slock}/bin/slock";
+    group = "wheel";
+    envp = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+      USER = cfg.user.name;
+    };
+  };
+
+  services.xserver = {
+  
+    # Don't install feh into systemPackages
+    # refs <nixpkgs/nixos/modules/services/x11/desktop-managers>
+    desktopManager.session = mkForce [];
+  
+    enable = true;
+    display = 11;
+    tty = 11;
+  
+    synaptics = {
+      enable = true;
+      twoFingerScroll = true;
+      accelFactor = "0.035";
+    };
+  };
+
+  systemd.services.display-manager.enable = false;
+
+  systemd.services.xmonad = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "xserver.service" ];
+    environment = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+
+      XMONAD_CACHE_DIR = cfg.cacheDir;
+      XMONAD_CONFIG_DIR = cfg.configDir;
+      XMONAD_DATA_DIR = cfg.dataDir;
+
+      XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
+        ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
+        ${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
+        ${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} &
+        ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
+        wait
+      '';
+
+      # XXX JSON is close enough :)
+      XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+        "dashboard" # we start here
+        "stockholm"
+        "pycharm"
+        "chromium"
+        "iRC"
+        "git"
+        "hipbird"
+      ]);
+    };
+    serviceConfig = {
+      SyslogIdentifier = "xmonad";
+      ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${toString [
+        "\${XMONAD_CACHE_DIR}"
+        "\${XMONAD_CONFIG_DIR}"
+        "\${XMONAD_DATA_DIR}"
+      ]}";
+      ExecStart = "${pkgs.xmonad-jeschli}/bin/xmonad";
+      ExecStop = "${pkgs.xmonad-jeschli}/bin/xmonad --shutdown";
+      User = cfg.user.name;
+      WorkingDirectory = cfg.user.home;
+    };
+  };
+
+  systemd.services.xserver = {
+    after = [
+      "systemd-udev-settle.service"
+      "local-fs.target"
+      "acpid.service"
+    ];
+    reloadIfChanged = true;
+    environment = {
+      XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
+      XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
+      LD_LIBRARY_PATH = concatStringsSep ":" (
+        [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
+        ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
+    };
+    serviceConfig = {
+      SyslogIdentifier = "xserver";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+      ExecStart = toString [
+        "${pkgs.xorg.xorgserver}/bin/X"
+        ":${toString config.services.xserver.display}"
+        "vt${toString config.services.xserver.tty}"
+        "-config ${import ./xserver.conf.nix args}"
+        "-logfile /dev/null -logverbose 0 -verbose 3"
+        "-nolisten tcp"
+        "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
+      ];
+    };
+  };
+
+  systemd.services.urxvtd = {
+    wantedBy = [ "multi-user.target" ];
+    reloadIfChanged = true;
+    serviceConfig = {
+      SyslogIdentifier = "urxvtd";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+      ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+      Restart = "always";
+      RestartSec = "2s";
+      StartLimitBurst = 0;
+      User = cfg.user.name;
+    };
+  };
+}
diff --git a/jeschli/2configs/xserver/xserver.conf.nix b/jeschli/2configs/xserver/xserver.conf.nix
new file mode 100644
index 000000000..6f34e0150
--- /dev/null
+++ b/jeschli/2configs/xserver/xserver.conf.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+let
+  cfg = config.services.xserver;
+in
+
+pkgs.stdenv.mkDerivation {
+  name = "xserver.conf";
+
+  xfs = optionalString (cfg.useXFS != false)
+    ''FontPath "${toString cfg.useXFS}"'';
+
+  inherit (cfg) config;
+
+  buildCommand =
+    ''
+      echo 'Section "Files"' >> $out
+      echo $xfs >> $out
+
+      for i in ${toString config.fonts.fonts}; do
+        if test "''${i:0:''${#NIX_STORE}}" == "$NIX_STORE"; then
+          for j in $(find $i -name fonts.dir); do
+            echo "  FontPath \"$(dirname $j)\"" >> $out
+          done
+        fi
+      done
+
+      for i in $(find ${toString cfg.modules} -type d); do
+        if test $(echo $i/*.so* | wc -w) -ne 0; then
+          echo "  ModulePath \"$i\"" >> $out
+        fi
+      done
+
+      echo 'EndSection' >> $out
+
+      echo "$config" >> $out
+    '';
+}
diff --git a/jeschli/5pkgs/default.nix b/jeschli/5pkgs/default.nix
new file mode 100644
index 000000000..3fa5b5e85
--- /dev/null
+++ b/jeschli/5pkgs/default.nix
@@ -0,0 +1,11 @@
+with import <stockholm/lib>;
+
+self: super:
+
+# Import files and subdirectories like they are overlays.
+foldl' mergeAttrs {}
+  (map
+    (name: import (./. + "/${name}") self super)
+    (filter
+      (name: name != "default.nix" && !hasPrefix "." name)
+      (attrNames (readDir ./.))))
diff --git a/jeschli/5pkgs/simple/default.nix b/jeschli/5pkgs/simple/default.nix
new file mode 100644
index 000000000..1b9d8c235
--- /dev/null
+++ b/jeschli/5pkgs/simple/default.nix
@@ -0,0 +1,24 @@
+with import <stockholm/lib>;
+
+self: super:
+
+let
+  # This callPackage will try to detect obsolete overrides.
+  callPackage = path: args: let
+    override = self.callPackage path args;
+    upstream = optionalAttrs (override ? "name")
+      (super.${(parseDrvName override.name).name} or {});
+  in if upstream ? "name" &&
+        override ? "name" &&
+        compareVersions upstream.name override.name != -1
+    then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
+    else override;
+in
+
+  listToAttrs
+    (map
+      (name: nameValuePair (removeSuffix ".nix" name)
+                           (callPackage (./. + "/${name}") {}))
+      (filter
+        (name: name != "default.nix" && !hasPrefix "." name)
+        (attrNames (readDir ./.))))
diff --git a/jeschli/5pkgs/simple/xmonad-jeschli/default.nix b/jeschli/5pkgs/simple/xmonad-jeschli/default.nix
new file mode 100644
index 000000000..5bb391f98
--- /dev/null
+++ b/jeschli/5pkgs/simple/xmonad-jeschli/default.nix
@@ -0,0 +1,294 @@
+{ pkgs, ... }:
+pkgs.writeHaskell "xmonad-jeschli" {
+  executables.xmonad = {
+    extra-depends = [
+      "containers"
+      "extra"
+      "unix"
+      "X11"
+      "xmonad"
+      "xmonad-contrib"
+      "xmonad-stockholm"
+    ];
+    text = /* haskell */ ''
+{-# LANGUAGE DeriveDataTypeable #-} -- for XS
+{-# LANGUAGE FlexibleContexts #-} -- for xmonad'
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE ScopedTypeVariables #-}
+
+
+module Main where
+
+import Control.Exception
+import Control.Monad.Extra (whenJustM)
+import Graphics.X11.ExtraTypes.XF86
+import Text.Read (readEither)
+import XMonad
+import System.IO (hPutStrLn, stderr)
+import System.Environment (getArgs, withArgs, getEnv, getEnvironment, lookupEnv)
+import System.Posix.Process (executeFile)
+import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace
+                                        , removeEmptyWorkspace)
+import XMonad.Actions.GridSelect
+import XMonad.Actions.CycleWS (toggleWS)
+--import XMonad.Actions.CopyWindow ( copy )
+import XMonad.Layout.NoBorders ( smartBorders )
+import qualified XMonad.StackSet as W
+import Data.Map (Map)
+import qualified Data.Map as Map
+-- TODO import XMonad.Layout.WorkspaceDir
+import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
+-- import XMonad.Layout.Tabbed
+--import XMonad.Layout.MouseResizableTile
+import XMonad.Layout.Reflect (reflectVert)
+import XMonad.Layout.FixedColumn (FixedColumn(..))
+import XMonad.Hooks.Place (placeHook, smart)
+import XMonad.Hooks.FloatNext (floatNextHook)
+import XMonad.Actions.PerWorkspaceKeys (chooseAction)
+import XMonad.Layout.PerWorkspace (onWorkspace)
+--import XMonad.Layout.BinarySpacePartition
+
+--import XMonad.Actions.Submap
+import XMonad.Stockholm.Pager
+import XMonad.Stockholm.Rhombus
+import XMonad.Stockholm.Shutdown
+
+
+amixerPath :: FilePath
+amixerPath = "${pkgs.alsaUtils}/bin/amixer"
+
+urxvtcPath :: FilePath
+urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"
+
+myFont :: String
+myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
+
+main :: IO ()
+main = getArgs >>= \case
+    ["--shutdown"] -> sendShutdownEvent
+    _ -> mainNoArgs
+
+mainNoArgs :: IO ()
+mainNoArgs = do
+    workspaces0 <- getWorkspaces0
+    xmonad
+        -- $ withUrgencyHookC dzenUrgencyHook { args = ["-bg", "magenta", "-fg", "magenta", "-h", "2"], duration = 500000 }
+        --                   urgencyConfig { remindWhen = Every 1 }
+        -- $ withUrgencyHook borderUrgencyHook "magenta"
+        -- $ withUrgencyHookC BorderUrgencyHook { urgencyBorderColor = "magenta" } urgencyConfig { suppressWhen = Never }
+        $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
+        $ def
+            { terminal          = urxvtcPath
+            , modMask           = mod4Mask
+            , keys              = myKeys
+            , workspaces        = workspaces0
+            , layoutHook        = smartBorders $ FixedColumn 1 20 80 10 ||| Full
+            -- , handleEventHook   = myHandleEventHooks <+> handleTimerEvent
+            --, handleEventHook   = handleTimerEvent
+            , manageHook        = placeHook (smart (1,0)) <+> floatNextHook
+            , startupHook =
+                whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
+                          (\path -> forkFile path [] Nothing)
+            , normalBorderColor  = "#1c1c1c"
+            , focusedBorderColor = "#f000b0"
+            , handleEventHook = handleShutdownEvent
+            }
+
+
+getWorkspaces0 :: IO [String]
+getWorkspaces0 =
+    try (getEnv "XMONAD_WORKSPACES0_FILE") >>= \case
+      Left e -> warn (displaySomeException e)
+      Right p -> try (readFile p) >>= \case
+        Left e -> warn (displaySomeException e)
+        Right x -> case readEither x of
+          Left e -> warn e
+          Right y -> return y
+  where
+    warn msg = hPutStrLn stderr ("getWorkspaces0: " ++ msg) >> return []
+
+displaySomeException :: SomeException -> String
+displaySomeException = displayException
+
+
+forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
+forkFile path args env =
+    xfork (executeFile path False args env) >> return ()
+
+spawnRootTerm :: X ()
+spawnRootTerm =
+    forkFile
+        urxvtcPath
+        ["-name", "root-urxvt", "-e", "/run/wrappers/bin/su", "-"]
+        Nothing
+
+spawnTermAt :: String -> X ()
+spawnTermAt ws = do
+    env <- liftIO getEnvironment
+    let env' = ("XMONAD_SPAWN_WORKSPACE", ws) : env
+    forkFile urxvtcPath [] (Just env')
+
+myKeys :: XConfig Layout -> Map (KeyMask, KeySym) (X ())
+myKeys conf = Map.fromList $
+    [ ((_4  , xK_Escape ), forkFile "/run/wrappers/bin/slock" [] Nothing)
+    , ((_4S , xK_c      ), kill)
+
+    , ((_4  , xK_p      ), forkFile "${pkgs.pass}/bin/passmenu" ["--type"] Nothing)
+
+    , ((_4  , xK_x      ), chooseAction spawnTermAt)
+    , ((_4C , xK_x      ), spawnRootTerm)
+
+    --, ((_4  , xK_F1     ), withFocused jojo)
+    --, ((_4  , xK_F1     ), printAllGeometries)
+
+    , ((0   , xK_Print   ), gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.view) )
+    , ((_S  , xK_Print   ), gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.shift) )
+    , ((_C  , xK_Print   ), toggleWS)
+    , ((_4  , xK_Print   ), rhombus horseConfig (liftIO . hPutStrLn stderr) ["Correct", "Horse", "Battery", "Staple", "Stuhl", "Tisch"] )
+    
+    -- %! Rotate through the available layout algorithms
+    , ((_4  , xK_space  ), sendMessage NextLayout)
+    , ((_4S , xK_space  ), setLayout $ XMonad.layoutHook conf) -- reset layout
+
+    ---- BinarySpacePartition
+    --, ((_4  , xK_l), sendMessage $ ExpandTowards R)
+    --, ((_4  , xK_h), sendMessage $ ExpandTowards L)
+    --, ((_4  , xK_j), sendMessage $ ExpandTowards D)
+    --, ((_4  , xK_k), sendMessage $ ExpandTowards U)
+    --, ((_4S , xK_l), sendMessage $ ShrinkFrom R)
+    --, ((_4S , xK_h), sendMessage $ ShrinkFrom L)
+    --, ((_4S , xK_j), sendMessage $ ShrinkFrom D)
+    --, ((_4S , xK_k), sendMessage $ ShrinkFrom U)
+    --, ((_4  , xK_n), sendMessage Rotate)
+    --, ((_4S , xK_n), sendMessage Swap)
+
+    ---- mouseResizableTile
+    --, ((_4    , xK_u), sendMessage ShrinkSlave)
+    --, ((_4    , xK_i), sendMessage ExpandSlave)
+
+    -- move focus up or down the window stack
+    --, ((_4  , xK_m      ), windows W.focusMaster)
+    , ((_4  , xK_j      ), windows W.focusDown)
+    , ((_4  , xK_k      ), windows W.focusUp)
+
+    -- modifying the window order
+    , ((_4S , xK_m      ), windows W.swapMaster)
+    , ((_4S , xK_j      ), windows W.swapDown)
+    , ((_4S , xK_k      ), windows W.swapUp)
+
+    -- resizing the master/slave ratio
+    , ((_4  , xK_h      ), sendMessage Shrink) -- %! Shrink the master area
+    , ((_4  , xK_l      ), sendMessage Expand) -- %! Expand the master area
+
+    -- floating layer support
+    , ((_4  , xK_t      ), withFocused $ windows . W.sink)  -- make tiling
+
+    -- increase or decrease number of windows in the master area
+    , ((_4  , xK_comma  ), sendMessage $ IncMasterN 1)
+    , ((_4  , xK_period ), sendMessage $ IncMasterN (-1))
+
+    , ((_4  , xK_a      ), addWorkspacePrompt def)
+    , ((_4  , xK_r      ), renameWorkspace def)
+    , ((_4  , xK_Delete ), removeEmptyWorkspace)
+
+    , ((_4  , xK_Return ), toggleWS)
+    --,  (0   , xK_Print   ) & \k -> (k, gridselectWorkspace wsGSConfig { gs_navigate = makeGSNav k } W.view)
+    --,  (_4  , xK_v      ) & \k -> (k, gridselectWorkspace wsGSConfig { gs_navigate = makeGSNav k } W.view)
+    --,  (_4S , xK_v      ) & \k -> (k, gridselectWorkspace wsGSConfig { gs_navigate = makeGSNav k } W.shift)
+    --,  (_4  , xK_b      ) & \k -> (k, goToSelected        wGSConfig  { gs_navigate = makeGSNav k })
+    , ((noModMask, xF86XK_AudioLowerVolume), amixer ["sset", "Master", "5%-"])
+    , ((noModMask, xF86XK_AudioRaiseVolume), amixer ["sset", "Master", "5%+"])
+    , ((noModMask, xF86XK_AudioMute), amixer ["sset", "Master", "toggle"])
+    ]
+    where
+    _4 = mod4Mask
+    _C = controlMask
+    _S = shiftMask
+    _M = mod1Mask
+    _4C = _4 .|. _C
+    _4S = _4 .|. _S
+    _4M = _4 .|. _M
+    _4CM = _4 .|. _C .|. _M
+    _4SM = _4 .|. _S .|. _M
+
+    amixer args = forkFile amixerPath args Nothing
+
+
+pagerConfig :: PagerConfig
+pagerConfig = def
+    { pc_font           = myFont
+    , pc_cellwidth      = 64
+    --, pc_cellheight     = 36 -- TODO automatically keep screen aspect
+    --, pc_borderwidth    = 1
+    --, pc_matchcolor     = "#f0b000"
+    , pc_matchmethod    = MatchPrefix
+    --, pc_colors         = pagerWorkspaceColors
+    , pc_windowColors   = windowColors
+    }
+    where
+    windowColors _ _ _ True _ = ("#ef4242","#ff2323")
+    windowColors wsf m c u wf = do
+        let y = defaultWindowColors wsf m c u wf
+        if m == False && wf == True
+            then ("#402020", snd y)
+            else y
+
+horseConfig :: RhombusConfig
+horseConfig = def
+    { rc_font           = myFont
+    , rc_cellwidth      = 64
+    --, rc_cellheight     = 36 -- TODO automatically keep screen aspect
+    --, rc_borderwidth    = 1
+    --, rc_matchcolor     = "#f0b000"
+    , rc_matchmethod    = MatchPrefix
+    --, rc_colors         = pagerWorkspaceColors
+    --, rc_paint          = myPaint
+    }
+
+wGSConfig :: GSConfig Window
+wGSConfig = def
+    { gs_cellheight = 20
+    , gs_cellwidth = 192
+    , gs_cellpadding = 5
+    , gs_font = myFont
+    , gs_navigate = navNSearch
+    }
+
+-- wsGSConfig = def
+--     { gs_cellheight = 20
+--     , gs_cellwidth = 64
+--     , gs_cellpadding = 5
+--     , gs_font = myFont
+--     , gs_navigate = navNSearch
+--     }
+
+-- custom navNSearch
+--makeGSNav :: (KeyMask, KeySym) -> TwoD a (Maybe a)
+--makeGSNav esc = nav
+--    where
+--    nav = makeXEventhandler $ shadowWithKeymap keyMap navNSearchDefaultHandler
+--    keyMap = Map.fromList
+--        [ (esc              , cancel)
+--        , ((0,xK_Escape)    , cancel)
+--        , ((0,xK_Return)    , select)
+--        , ((0,xK_Left)      , move (-1, 0) >> nav)
+--        , ((0,xK_Right)     , move ( 1, 0) >> nav)
+--        , ((0,xK_Down)      , move ( 0, 1) >> nav)
+--        , ((0,xK_Up)        , move ( 0,-1) >> nav)
+--        , ((0,xK_BackSpace) , transformSearchString (\s -> if (s == "") then "" else init s) >> nav)
+--        ]
+--    -- The navigation handler ignores unknown key symbols, therefore we const
+--    navNSearchDefaultHandler (_,s,_) = do
+--        transformSearchString (++ s)
+--        nav
+
+
+(&) :: a -> (a -> c) -> c
+(&) = flip ($)
+
+allWorkspaceNames :: W.StackSet i l a sid sd -> X [i]
+allWorkspaceNames ws =
+    return $ map W.tag (W.hidden ws) ++ [W.tag $ W.workspace $ W.current ws]
+  '';
+  };
+}
diff --git a/jeschli/default.nix b/jeschli/default.nix
index 7886fef49..b57932719 100644
--- a/jeschli/default.nix
+++ b/jeschli/default.nix
@@ -1,9 +1,9 @@
-_:
+{ pkgs, ... }:
 {
   imports = [
     ../krebs
     ./2configs
-#    ./3modules
-#    ./5pkgs
   ];
+
+  nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
 }
diff --git a/krebs/2configs/news-spam.nix b/krebs/2configs/news-spam.nix
index 63848c234..ac3822bc2 100644
--- a/krebs/2configs/news-spam.nix
+++ b/krebs/2configs/news-spam.nix
@@ -120,7 +120,7 @@
       [SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews
       [SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews
       [SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews
-      [SPAM]shackspace|http://blog.shackspace.de/?feed=rss2|#snews
+      [SPAM]shackspace|http://shackspace.de/atom.xml|#snews
       [SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews
       [SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews
       [SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 2628c7986..49a5e3459 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -11,7 +11,7 @@
       painload|https://github.com/krebscode/painload/commits/master.atom|#news
       reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news
       reddit_nix|http://www.reddit.com/r/nixos/.rss|#news
-      shackspace|http://blog.shackspace.de/?feed=rss2|#news
+      shackspace|http://shackspace.de/atom.xml|#news
       tinc|http://tinc-vpn.org/news/index.rss|#news
       vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#news
       weechat|http://dev.weechat.org/feed/atom|#news
diff --git a/krebs/3modules/newsbot-js.nix b/krebs/3modules/newsbot-js.nix
index d372081ee..00e346f8e 100644
--- a/krebs/3modules/newsbot-js.nix
+++ b/krebs/3modules/newsbot-js.nix
@@ -93,6 +93,7 @@ let
           User = "newsbot-js";
           Restart = "always";
           ExecStart = "${newsbot.package}/bin/newsbot";
+          WatchdogSec = "86400";
         };
       }
     ) cfg;
diff --git a/krebs/5pkgs/simple/ejabberd/default.nix b/krebs/5pkgs/simple/ejabberd/default.nix
index 2799241fa..9e4ed3df5 100644
--- a/krebs/5pkgs/simple/ejabberd/default.nix
+++ b/krebs/5pkgs/simple/ejabberd/default.nix
@@ -1,5 +1,6 @@
 { stdenv, writeScriptBin, lib, fetchurl, git, cacert
-, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps
+, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps, gd
+, flock
 , withMysql ? false
 , withPgsql ? false
 , withSqlite ? false, sqlite
@@ -23,17 +24,17 @@ let
   ctlpath = lib.makeBinPath [ bash gnused gnugrep coreutils utillinux procps ];
 
 in stdenv.mkDerivation rec {
-  version = "17.07";
+  version = "18.01";
   name = "ejabberd-${version}";
 
   src = fetchurl {
     url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
-    sha256 = "1p8ppp2czjgnq8xnhyksd82npvvx99fwr0g3rrq1wvnwh2vgb8km";
+    sha256 = "01i2n8mlgw293jdf4172f9q8ca8m35vysjws791p7nynpfdb4cn6";
   };
 
   nativeBuildInputs = [ fakegit ];
 
-  buildInputs = [ erlang openssl expat libyaml ]
+  buildInputs = [ erlang openssl expat libyaml gd ]
     ++ lib.optional withSqlite sqlite
     ++ lib.optional withPam pam
     ++ lib.optional withZlib zlib
@@ -50,7 +51,7 @@ in stdenv.mkDerivation rec {
 
     configureFlags = [ "--enable-all" "--with-sqlite3=${sqlite.dev}" ];
 
-    buildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ];
+    nativeBuildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ];
 
     GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
 
@@ -74,7 +75,7 @@ in stdenv.mkDerivation rec {
 
     outputHashMode = "recursive";
     outputHashAlgo = "sha256";
-    outputHash = "1q9yzccn4zf5i4hibq1r0i34q4986a93ph4792l1ph07aiisc8p7";
+    outputHash = "1v3h0c7kfifb6wsfxyv5j1wc7rlxbb7r0pgd4s340wiyxnllzzhk";
   };
 
   configureFlags =
@@ -92,6 +93,10 @@ in stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  patches = [
+    ./ejabberdctl.patch
+  ];
+
   preBuild = ''
     cp -r $deps deps
     chmod -R +w deps
@@ -101,18 +106,18 @@ in stdenv.mkDerivation rec {
   postInstall = ''
     sed -i \
       -e '2iexport PATH=${ctlpath}:$PATH' \
-      -e 's,\(^ *FLOCK=\).*,\1${utillinux}/bin/flock,' \
+      -e 's,\(^ *FLOCK=\).*,\1${flock}/bin/flock,' \
       -e 's,\(^ *JOT=\).*,\1,' \
       -e 's,\(^ *CONNLOCKDIR=\).*,\1/var/lock/ejabberdctl,' \
       $out/sbin/ejabberdctl
   '';
 
-  meta = {
+  meta = with stdenv.lib; {
     description = "Open-source XMPP application server written in Erlang";
-    license = lib.licenses.gpl2;
+    license = licenses.gpl2;
     homepage = http://www.ejabberd.im;
-    platforms = lib.platforms.linux;
-    maintainers = [ lib.maintainers.sander lib.maintainers.abbradar ];
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ sander abbradar ];
     broken = withElixir;
   };
 }
diff --git a/krebs/5pkgs/simple/ejabberd/ejabberdctl.patch b/krebs/5pkgs/simple/ejabberd/ejabberdctl.patch
new file mode 100644
index 000000000..f7c842b7b
--- /dev/null
+++ b/krebs/5pkgs/simple/ejabberd/ejabberdctl.patch
@@ -0,0 +1,32 @@
+--- a/ejabberdctl.template  1970-01-01 01:00:01.000000000 +0100
++++ b/ejabberdctl.template  2018-04-24 23:06:54.127715441 +0200
+@@ -42,19 +42,18 @@
+ esac
+ 
+ # parse command line parameters
+-for arg; do
+-    case $arg in
+-        -n|--node) ERLANG_NODE_ARG=$2; shift;;
+-        -s|--spool) SPOOL_DIR=$2; shift;;
+-        -l|--logs) LOGS_DIR=$2; shift;;
+-        -f|--config) EJABBERD_CONFIG_PATH=$2; shift;;
+-        -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift;;
+-        -d|--config-dir) ETC_DIR=$2; shift;;
+-        -t|--no-timeout) NO_TIMEOUT="--no-timeout";;
+-        --) :;;
++while test $# -gt 0; do
++    case $1 in
++        -n|--node) ERLANG_NODE_ARG=$2; shift 2;;
++        -s|--spool) SPOOL_DIR=$2; shift 2;;
++        -l|--logs) LOGS_DIR=$2; shift 2;;
++        -f|--config) EJABBERD_CONFIG_PATH=$2; shift 2;;
++        -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift 2;;
++        -d|--config-dir) ETC_DIR=$2; shift 2;;
++        -t|--no-timeout) NO_TIMEOUT="--no-timeout"; shift 1;;
++        # --) :;; what is this for?
+         *) break;;
+     esac
+-    shift
+ done
+ 
+ # define ejabberd variables if not already defined from the command line
diff --git a/tv/5pkgs/simple/font-size.nix b/krebs/5pkgs/simple/font-size.nix
index 21097ed6a..21097ed6a 100644
--- a/tv/5pkgs/simple/font-size.nix
+++ b/krebs/5pkgs/simple/font-size.nix
diff --git a/krebs/5pkgs/simple/kops.nix b/krebs/5pkgs/simple/kops.nix
index a6c82f3ca..8db4b8ddd 100644
--- a/krebs/5pkgs/simple/kops.nix
+++ b/krebs/5pkgs/simple/kops.nix
@@ -2,6 +2,6 @@
 
 fetchgit {
   url = https://cgit.krebsco.de/kops;
-  rev = "refs/tags/v1.0.0";
-  sha256 = "0wg8d80sxa46z4i7ir79sci2hwmv3qskzqdg0si64p6vazy8vckb";
+  rev = "refs/tags/v1.1.0";
+  sha256 = "0k3zhv2830z4bljcdvf6ciwjihk2zzcn9y23p49c6sba5hbsd6jb";
 }
diff --git a/krebs/5pkgs/simple/pass-otp/default.nix b/krebs/5pkgs/simple/pass-otp/default.nix
new file mode 100644
index 000000000..33411180a
--- /dev/null
+++ b/krebs/5pkgs/simple/pass-otp/default.nix
@@ -0,0 +1,30 @@
+{ stdenv, fetchFromGitHub, oathToolkit }:
+stdenv.mkDerivation rec {
+  name = "pass-otp-${version}";
+  version = "1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "tadfisher";
+    repo = "pass-otp";
+    rev = "v${version}";
+    sha256 = "1cgj4zc8fq88n3h6c0vkv9i5al785mdprpgpbv5m22dz9p1wqvbb";
+  };
+
+  buildInputs = [ oathToolkit ];
+
+  patchPhase = ''
+    sed -i -e 's|OATH=\$(which oathtool)|OATH=${oathToolkit}/bin/oathtool|' otp.bash
+  '';
+
+  installPhase = ''
+    make PREFIX=$out install
+  '';
+
+  meta = with stdenv.lib; {
+    description = "A pass extension for managing one-time-password (OTP) tokens";
+    homepage = https://github.com/tadfisher/pass-otp;
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ jwiegley tadfisher ];
+    platforms = platforms.unix;
+  };
+}
diff --git a/krebs/5pkgs/simple/pass/default.nix b/krebs/5pkgs/simple/pass/default.nix
new file mode 100644
index 000000000..3b6928087
--- /dev/null
+++ b/krebs/5pkgs/simple/pass/default.nix
@@ -0,0 +1,121 @@
+{ stdenv, lib, fetchurl, fetchFromGitHub
+, coreutils, gnused, getopt, git, tree, gnupg, which, procps, qrencode
+, makeWrapper
+
+, pass-otp
+
+, xclip ? null, xdotool ? null, dmenu ? null
+, x11Support ? !stdenv.isDarwin
+, tombPluginSupport ? false, tomb
+}:
+
+with lib;
+
+assert x11Support -> xclip != null
+                  && xdotool != null
+                  && dmenu != null;
+
+let
+  plugins = map (p: (fetchFromGitHub {
+    owner  = "roddhjav";
+    repo   = "pass-${p.name}";
+    inherit (p) rev sha256;
+  }))
+  ([
+    { name = "import";
+      rev = "491935bd275f29ceac2b876b3a288011d1ce31e7";
+      sha256 = "02mbh05ab8h7kc30hz718d1d1vkjz43b96c7p0xnd92610d2q66q"; }
+    { name = "update";
+      rev = "cf576c9036fd18efb9ed29e0e9f811207b556fde";
+      sha256 = "1hhbrg6a2walrvla6q4cd3pgrqbcrf9brzjkb748735shxfn52hd"; }
+    ] ++ stdenv.lib.optional tombPluginSupport {
+      name = "tomb";
+      rev = "3368134898a42c1b758fabac625ec240e125c6be";
+      sha256 = "0qqmxfg4w3r088qhlkhs44036mya82vjflsjjhw2hk8y0wd2i6ds"; }
+  );
+
+in stdenv.mkDerivation rec {
+  version = "1.7.1";
+  name    = "pass-${version}";
+
+  src = fetchurl {
+    url    = "http://git.zx2c4.com/password-store/snapshot/${name}.tar.xz";
+    sha256 = "0scqkpll2q8jhzcgcsh9kqz0gwdpvynivqjmmbzax2irjfaiklpn";
+  };
+
+  patches = [ ./set-correct-program-name-for-sleep.patch
+            ] ++ stdenv.lib.optional stdenv.isDarwin ./no-darwin-getopt.patch;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  installFlags = [ "PREFIX=$(out)" "WITH_ALLCOMP=yes" ];
+
+  postInstall = ''
+    # plugins
+    ${stdenv.lib.concatStringsSep "\n" (map (plugin: ''
+      pushd ${plugin}
+      PREFIX=$out make install
+      popd
+    '') plugins)}
+
+    ln -s \
+        ${pass-otp}/lib/password-store/extensions/otp.bash \
+        $out/lib/password-store/extensions/
+
+    ln -s \
+        ${pass-otp}/share/man/man1/pass-otp.1.gz \
+        $out/share/man/man1/
+
+    # Install Emacs Mode. NOTE: We can't install the necessary
+    # dependencies (s.el and f.el) here. The user has to do this
+    # himself.
+    mkdir -p "$out/share/emacs/site-lisp"
+    cp "contrib/emacs/password-store.el" "$out/share/emacs/site-lisp/"
+  '' + optionalString x11Support ''
+    cp "contrib/dmenu/passmenu" "$out/bin/"
+  '';
+
+  wrapperPath = with stdenv.lib; makeBinPath ([
+    coreutils
+    getopt
+    git
+    gnupg
+    gnused
+    tree
+    which
+    qrencode
+  ] ++ optional tombPluginSupport tomb
+    ++ optional stdenv.isLinux procps
+    ++ ifEnable x11Support [ dmenu xclip xdotool ]);
+
+  postFixup = ''
+    # Fix program name in --help
+    substituteInPlace $out/bin/pass \
+      --replace 'PROGRAM="''${0##*/}"' "PROGRAM=pass"
+
+    # Ensure all dependencies are in PATH
+    wrapProgram $out/bin/pass \
+      --prefix PATH : "${wrapperPath}"
+  '' + stdenv.lib.optionalString x11Support ''
+    # We just wrap passmenu with the same PATH as pass. It doesn't
+    # need all the tools in there but it doesn't hurt either.
+    wrapProgram $out/bin/passmenu \
+      --prefix PATH : "$out/bin:${wrapperPath}"
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Stores, retrieves, generates, and synchronizes passwords securely";
+    homepage    = https://www.passwordstore.org/;
+    license     = licenses.gpl2Plus;
+    maintainers = with maintainers; [ lovek323 the-kenny fpletz ];
+    platforms   = platforms.unix;
+
+    longDescription = ''
+      pass is a very simple password store that keeps passwords inside gpg2
+      encrypted files inside a simple directory tree residing at
+      ~/.password-store. The pass utility provides a series of commands for
+      manipulating the password store, allowing the user to add, remove, edit,
+      synchronize, generate, and manipulate passwords.
+    '';
+  };
+}
diff --git a/krebs/5pkgs/simple/pass/no-darwin-getopt.patch b/krebs/5pkgs/simple/pass/no-darwin-getopt.patch
new file mode 100644
index 000000000..e8f7e138f
--- /dev/null
+++ b/krebs/5pkgs/simple/pass/no-darwin-getopt.patch
@@ -0,0 +1,9 @@
+diff -Naur password-store-1.6.5-orig/src/platform/darwin.sh password-store-1.6.5/src/platform/darwin.sh
+--- password-store-1.6.5-orig/src/platform/darwin.sh	2015-01-28 16:43:02.000000000 +0000
++++ password-store-1.6.5/src/platform/darwin.sh	2015-02-15 16:09:02.000000000 +0000
+@@ -31,5 +31,4 @@
+ 	mount -t hfs -o noatime -o nobrowse "$DARWIN_RAMDISK_DEV" "$SECURE_TMPDIR" || die "Error: could not mount filesystem on ramdisk."
+ }
+ 
+-GETOPT="$(brew --prefix gnu-getopt 2>/dev/null || { which port &>/dev/null && echo /opt/local; } || echo /usr/local)/bin/getopt"
+ SHRED="srm -f -z"
diff --git a/krebs/5pkgs/simple/pass/rofi-pass.nix b/krebs/5pkgs/simple/pass/rofi-pass.nix
new file mode 100644
index 000000000..61f51973e
--- /dev/null
+++ b/krebs/5pkgs/simple/pass/rofi-pass.nix
@@ -0,0 +1,57 @@
+{ stdenv, fetchFromGitHub, pass, rofi, coreutils, utillinux, xdotool, gnugrep
+, libnotify, pwgen, findutils, gawk, gnused, xclip, makeWrapper
+}:
+
+stdenv.mkDerivation rec {
+  name = "rofi-pass-${version}";
+  version = "1.5.3";
+
+  src = fetchFromGitHub {
+    owner = "carnager";
+    repo = "rofi-pass";
+    rev = version;
+    sha256 = "1fn1j2rf3abc5qb44zfc8z8ffw6rva4xfp7597hwr1g3szacazpq";
+  };
+
+  buildInputs = [ makeWrapper ];
+
+  dontBuild = true;
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp -a rofi-pass $out/bin/rofi-pass
+
+    mkdir -p $out/share/doc/rofi-pass/
+    cp -a config.example $out/share/doc/rofi-pass/config.example
+  '';
+
+  wrapperPath = with stdenv.lib; makeBinPath [
+    coreutils
+    findutils
+    gawk
+    gnugrep
+    gnused
+    libnotify
+    pass
+    pwgen
+    rofi
+    utillinux
+    xclip
+    xdotool
+  ];
+
+  fixupPhase = ''
+    patchShebangs $out/bin
+
+    wrapProgram $out/bin/rofi-pass \
+      --prefix PATH : "${wrapperPath}"
+  '';
+
+  meta = {
+    description = "A script to make rofi work with password-store";
+    homepage = https://github.com/carnager/rofi-pass;
+    maintainers = with stdenv.lib.maintainers; [ the-kenny garbas ];
+    license = stdenv.lib.licenses.gpl3;
+    platforms = with stdenv.lib.platforms; linux;
+  };
+}
diff --git a/krebs/5pkgs/simple/pass/set-correct-program-name-for-sleep.patch b/krebs/5pkgs/simple/pass/set-correct-program-name-for-sleep.patch
new file mode 100644
index 000000000..782e06e20
--- /dev/null
+++ b/krebs/5pkgs/simple/pass/set-correct-program-name-for-sleep.patch
@@ -0,0 +1,69 @@
+From 25b44e00ed5df8ffe2782d38ad5cd9f514379599 Mon Sep 17 00:00:00 2001
+From: "Andrew R. M" <andrewmiller237@gmail.com>
+Date: Sat, 8 Apr 2017 13:50:01 -0400
+Subject: [PATCH] Patch the clip() function to work even when using
+ single-binary coreutils
+
+---
+ src/password-store.sh  | 4 ++--
+ src/platform/cygwin.sh | 4 ++--
+ src/platform/darwin.sh | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/password-store.sh b/src/password-store.sh
+index 6a4172d..4dbd6b8 100755
+--- a/src/password-store.sh
++++ b/src/password-store.sh
+@@ -155,11 +155,11 @@ clip() {
+ 	# variable. Specifically, it cannot store nulls nor (non-trivally) store
+ 	# trailing new lines.
+ 	local sleep_argv0="password store sleep on display $DISPLAY"
+-	pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5
++	pkill -P $(pgrep -f "^$sleep_argv0") 2>/dev/null && sleep 0.5
+ 	local before="$(xclip -o -selection "$X_SELECTION" 2>/dev/null | base64)"
+ 	echo -n "$1" | xclip -selection "$X_SELECTION" || die "Error: Could not copy data to the clipboard"
+ 	(
+-		( exec -a "$sleep_argv0" bash <<<"trap 'kill %1' TERM; sleep '$CLIP_TIME' & wait" )
++		( exec -a "$sleep_argv0" bash <(echo trap 'kill %1' TERM\; sleep "$CLIP_TIME & wait") )
+ 		local now="$(xclip -o -selection "$X_SELECTION" | base64)"
+ 		[[ $now != $(echo -n "$1" | base64) ]] && before="$now"
+ 
+diff --git a/src/platform/cygwin.sh b/src/platform/cygwin.sh
+index 6e5dd86..f3574c4 100644
+--- a/src/platform/cygwin.sh
++++ b/src/platform/cygwin.sh
+@@ -3,11 +3,11 @@
+ 
+ clip() {
+ 	local sleep_argv0="password store sleep on display $DISPLAY"
+-	pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5
++	pkill -P $(pgrep -f "^$sleep_argv0") 2>/dev/null && sleep 0.5
+ 	local before="$(base64 < /dev/clipboard)"
+ 	echo -n "$1" > /dev/clipboard
+ 	(
+-		( exec -a "$sleep_argv0" sleep "$CLIP_TIME" )
++		( exec -a "$sleep_argv0" bash <(echo sleep "$CLIP_TIME") )
+ 		local now="$(base64 < /dev/clipboard)"
+ 		[[ $now != $(echo -n "$1" | base64) ]] && before="$now"
+ 		echo "$before" | base64 -d > /dev/clipboard
+diff --git a/src/platform/darwin.sh b/src/platform/darwin.sh
+index 86eb325..deb04c4 100644
+--- a/src/platform/darwin.sh
++++ b/src/platform/darwin.sh
+@@ -3,11 +3,11 @@
+ 
+ clip() {
+ 	local sleep_argv0="password store sleep for user $(id -u)"
+-	pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5
++	pkill -P $(pgrep -f "^$sleep_argv0") 2>/dev/null && sleep 0.5
+ 	local before="$(pbpaste | openssl base64)"
+ 	echo -n "$1" | pbcopy
+ 	(
+-		( exec -a "$sleep_argv0" sleep "$CLIP_TIME" )
++		( exec -a "$sleep_argv0" bash <(echo sleep "$CLIP_TIME") )
+ 		local now="$(pbpaste | openssl base64)"
+ 		[[ $now != $(echo -n "$1" | openssl base64) ]] && before="$now"
+ 		echo "$before" | openssl base64 -d | pbcopy
+-- 
+2.12.2
+
diff --git a/krebs/5pkgs/simple/pssh/default.nix b/krebs/5pkgs/simple/pssh/default.nix
deleted file mode 100644
index 2676af0cf..000000000
--- a/krebs/5pkgs/simple/pssh/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{ writeDashBin }:
-
-writeDashBin "pssh" ''
-  set -efu
-  case ''${1-} in
-
-  # TODO create plog with -o json | jq ... | map date
-
-  # usage: pssh {-j,--journal} host...
-  # Follow journal at each host.
-  -j|--journal)
-    shift
-    "$0" journalctl -n0 -ocat --follow --all ::: "$@" \
-      | while read line; do
-          printf '%s %s\n' "$(date --rfc-3339=s)" "$line"
-        done
-    ;;
-
-  -*)
-    echo $0: unknown option: $1 >&2
-    exit 1
-    ;;
-
-  # usage: pssh command [arg...] ::: host...
-  # Run command at each host.
-  *)
-    exec parallel \
-      --line-buffer \
-      -j0 \
-      --no-notice \
-      --tagstring {} \
-      ssh -T {} "$@"
-    ;;
-
-  esac
-''
diff --git a/krebs/5pkgs/simple/ucspi-tcp/chmod.patch b/krebs/5pkgs/simple/ucspi-tcp/chmod.patch
deleted file mode 100644
index dd6933208..000000000
--- a/krebs/5pkgs/simple/ucspi-tcp/chmod.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/hier.c b/hier.c
-index 5663ada..1d73b84 100644
---- a/hier.c
-+++ b/hier.c
-@@ -2,8 +2,8 @@
- 
- void hier()
- {
--  h(auto_home,-1,-1,02755);
--  d(auto_home,"bin",-1,-1,02755);
-+  h(auto_home,-1,-1,0755);
-+  d(auto_home,"bin",-1,-1,0755);
- 
-   c(auto_home,"bin","tcpserver",-1,-1,0755);
-   c(auto_home,"bin","tcprules",-1,-1,0755);
diff --git a/krebs/5pkgs/simple/ucspi-tcp/default.nix b/krebs/5pkgs/simple/ucspi-tcp/default.nix
deleted file mode 100644
index 3b043be06..000000000
--- a/krebs/5pkgs/simple/ucspi-tcp/default.nix
+++ /dev/null
@@ -1,86 +0,0 @@
-{ stdenv, fetchurl }:
-
-stdenv.mkDerivation rec {
-  name = "ucspi-tcp-0.88";
-
-  src = fetchurl {
-    url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz";
-    sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja";
-  };
-
-  # Plain upstream tarball doesn't build, get patches from Debian
-  patches = [
-    (fetchurl {
-      url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz";
-      sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6";
-    })
-    ./chmod.patch
-  ];
-
-  # Apply Debian patches
-  postPatch = ''
-    for fname in debian/diff/*.diff; do
-        echo "Applying patch $fname"
-        patch < "$fname"
-    done
-  '';
-
-  # The build system is weird; 'make install' doesn't install anything, instead
-  # it builds an executable called ./install (from C code) which installs
-  # binaries to the directory given on line 1 in ./conf-home.
-  #
-  # Also, assume getgroups and setgroups work, instead of doing a build time
-  # test that breaks on NixOS (I think because nixbld users lack CAP_SETGID
-  # capability).
-  preBuild = ''
-    echo "$out" > conf-home
-
-    echo "main() { return 0; }" > chkshsgr.c
-  '';
-
-  installPhase = ''
-    mkdir -p "$out/bin"
-    mkdir -p "$out/share/man/man1"
-
-    # run the newly built installer
-    ./install
-
-    # Install Debian man pages (upstream has none)
-    cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1"
-  '';
-
-  meta = with stdenv.lib; {
-    description = "Command-line tools for building TCP client-server applications";
-    longDescription = ''
-      tcpserver waits for incoming connections and, for each connection, runs a
-      program of your choice. Your program receives environment variables
-      showing the local and remote host names, IP addresses, and port numbers.
-
-      tcpserver offers a concurrency limit to protect you from running out of
-      processes and memory. When you are handling 40 (by default) simultaneous
-      connections, tcpserver smoothly defers acceptance of new connections.
-
-      tcpserver also provides TCP access control features, similar to
-      tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules
-      are compiled into a hashed format with cdb, so it can easily deal with
-      thousands of different hosts.
-
-      This package includes a recordio tool that monitors all the input and
-      output of a server.
-
-      tcpclient makes a TCP connection and runs a program of your choice. It
-      sets up the same environment variables as tcpserver.
-
-      This package includes several sample clients built on top of tcpclient:
-      who@, date@, finger@, http@, tcpcat, and mconnect.
-
-      tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program
-      Interface, using the TCP protocol. UCSPI tools are available for several
-      different networks.
-    '';
-    homepage = http://cr.yp.to/ucspi-tcp.html;
-    license = licenses.publicDomain;
-    platforms = platforms.linux;
-    maintainers = [ maintainers.bjornfor ];
-  };
-}
diff --git a/krebs/5pkgs/simple/urlwatch/default.nix b/krebs/5pkgs/simple/urlwatch/default.nix
deleted file mode 100644
index 64f3ad1ac..000000000
--- a/krebs/5pkgs/simple/urlwatch/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ stdenv, fetchFromGitHub, python3Packages }:
-
-python3Packages.buildPythonApplication rec {
-  name = "urlwatch-${version}";
-  version = "2.8";
-
-  src = fetchFromGitHub {
-    owner  = "thp";
-    repo   = "urlwatch";
-    rev    = version;
-    sha256 = "1nja7n6pc45azd3l1xyvav89855lvcgwabrvf34rps81dbl8cnl4";
-  };
-
-  propagatedBuildInputs = with python3Packages; [
-    appdirs
-    keyring
-    minidb
-    pycodestyle
-    pyyaml
-    requests
-  ];
-
-  meta = with stdenv.lib; {
-    description = "A tool for monitoring webpages for updates";
-    homepage = https://thp.io/2008/urlwatch/;
-    license = licenses.bsd3;
-    maintainers = with maintainers; [ tv ];
-  };
-}
diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix
new file mode 100644
index 000000000..8c27e90d4
--- /dev/null
+++ b/lass/2configs/monitoring/node-exporter.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+{
+  networking.firewall.allowedTCPPorts = [ 9100 ];
+
+  services.prometheus.exporters = {
+    node = {
+      enable = true;
+      enabledCollectors = [
+        "systemd"
+      ];
+    };
+  };
+}
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
new file mode 100644
index 000000000..d56d7e552
--- /dev/null
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -0,0 +1,179 @@
+{ pkgs, lib, config, ... }:
+{
+  #networking = {
+  #  firewall.allowedTCPPorts = [
+  #    3000  # grafana
+  #    9090  # prometheus
+  #    9093  # alertmanager
+  #  ];
+  #  useDHCP = true;
+  #};
+
+  services = {
+    prometheus = {
+      enable = true;
+      extraFlags = [
+        "-storage.local.retention 8760h"
+        "-storage.local.series-file-shrink-ratio 0.3"
+        "-storage.local.memory-chunks 2097152"
+        "-storage.local.max-chunks-to-persist 1048576"
+        "-storage.local.index-cache-size.fingerprint-to-metric 2097152"
+        "-storage.local.index-cache-size.fingerprint-to-timerange 1048576"
+        "-storage.local.index-cache-size.label-name-to-label-values 2097152"
+        "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040"
+      ];
+      alertmanagerURL = [ "http://localhost:9093" ];
+      rules = [
+        ''
+          ALERT node_down
+          IF up == 0
+          FOR 5m
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary = "{{$labels.alias}}: Node is down.",
+            description = "{{$labels.alias}} has been down for more than 5 minutes."
+          }
+          ALERT node_systemd_service_failed
+          IF node_systemd_unit_state{state="failed"} == 1
+          FOR 4m
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.",
+            description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}."
+          }
+          ALERT node_filesystem_full_90percent
+          IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3
+          FOR 5m
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary = "{{$labels.alias}}: Filesystem is running out of space soon.",
+            description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem."
+          }
+          ALERT node_filesystem_full_in_4h
+          IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0
+          FOR 5m
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.",
+            description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours"
+          }
+          ALERT node_filedescriptors_full_in_3h
+          IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum
+          FOR 20m
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.",
+            description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours"
+          }
+          ALERT node_load1_90percent
+          IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9
+          FOR 1h
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary = "{{$labels.alias}}: Running on high load.",
+            description = "{{$labels.alias}} is running with > 90% total load for at least 1h."
+          }
+          ALERT node_cpu_util_90percent
+          IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90
+          FOR 1h
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary = "{{$labels.alias}}: High CPU utilization.",
+            description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h."
+          }
+          ALERT node_ram_using_90percent
+          IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1
+          FOR 30m
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary="{{$labels.alias}}: Using lots of RAM.",
+            description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.",
+          }
+          ALERT node_swap_using_80percent
+          IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8
+          FOR 10m
+          LABELS {
+            severity="page"
+          }
+          ANNOTATIONS {
+            summary="{{$labels.alias}}: Running out of swap soon.",
+            description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now."
+          }
+        ''
+      ];
+      scrapeConfigs = [
+        {
+          job_name = "node";
+          scrape_interval = "10s";
+          static_configs = [
+            {
+              targets = [
+                "localhost:9100"
+              ];
+              labels = {
+                alias = "prometheus.example.com";
+              };
+            }
+          ];
+        }
+      ];
+      alertmanager = {
+        enable = true;
+        listenAddress = "0.0.0.0";
+        configuration = {
+          "global" = {
+            "smtp_smarthost" = "smtp.example.com:587";
+            "smtp_from" = "alertmanager@example.com";
+          };
+          "route" = {
+            "group_by" = [ "alertname" "alias" ];
+            "group_wait" = "30s";
+            "group_interval" = "2m";
+            "repeat_interval" = "4h";
+            "receiver" = "team-admins";
+          };
+          "receivers" = [
+            {
+              "name" = "team-admins";
+              "email_configs" = [
+                {
+                  "to" = "devnull@example.com";
+                  "send_resolved" = true;
+                }
+              ];
+              "webhook_configs" = [
+                {
+                  "url" = "https://example.com/prometheus-alerts";
+                  "send_resolved" = true;
+                }
+              ];
+            }
+          ];
+        };
+      };
+    };
+    grafana = {
+      enable = true;
+      addr = "0.0.0.0";
+      domain = "grafana.example.com";
+      rootUrl = "https://grafana.example.com/";
+      security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+    };
+  };
+}