98 files changed, 406 insertions, 231 deletions

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index daa963bc8..227eb209b 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -34,10 +34,10 @@ let
       ./Reaktor.nix
       ./realwallpaper.nix
       ./retiolum-bootstrap.nix
-      ./retiolum.nix
       ./rtorrent.nix
       ./secret.nix
       ./setuid.nix
+      ./tinc.nix
       ./tinc_graphs.nix
       ./urlwatch.nix
       ./repo-sync.nix
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index b86e05319..0e1cbd876 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -3,7 +3,10 @@
 with import <stockholm/lib>;
 
 {
-  hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) {
+  hosts = mapAttrs (_: recursiveUpdate {
+    owner = config.krebs.users.lass;
+    managed = true;
+  }) {
     dishfire = {
       cores = 4;
       nets = rec {
@@ -124,6 +127,7 @@ with import <stockholm/lib>;
           ssh.port = 2223;
         };
       };
+      managed = false;
     };
     cloudkrebs = {
       cores = 1;
@@ -300,6 +304,7 @@ with import <stockholm/lib>;
     };
     iso = {
       cores = 1;
+      managed = false;
     };
     sokrateslaptop = {
       nets = {
@@ -321,6 +326,7 @@ with import <stockholm/lib>;
           '';
         };
       };
+      managed = false;
     };
   };
   users = {
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/tinc.nix
index 0a3d7ed2f..8af15c13b 100644
--- a/krebs/3modules/retiolum.nix
+++ b/krebs/3modules/tinc.nix
@@ -17,6 +17,27 @@ let
       in {
 
         enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; };
+        enableLegacy = mkEnableOption "/etc/tinc/${netname}";
+
+        confDir = mkOption {
+          type = types.package;
+          default = pkgs.linkFarm "${netname}-etc-tinc"
+            (mapAttrsToList (name: path: { inherit name path; }) {
+              "hosts" = tinc.config.hostsPackage;
+              "tinc.conf" = pkgs.writeText "${netname}-tinc.conf" ''
+                Name = ${tinc.config.host.name}
+                Interface = ${netname}
+                ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
+                PrivateKeyFile = ${tinc.config.privkey.path}
+                Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
+                ${tinc.config.extraConfig}
+              '';
+              "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
+                ${tinc.config.iproutePackage}/sbin/ip link set ${netname} up
+                ${tinc.config.tincUp}
+              '';
+            });
+        };
 
         host = mkOption {
           type = types.host;
@@ -175,29 +196,16 @@ let
       }
     ) config.krebs.tinc;
 
+    environment.etc = mapAttrs' (netname: cfg:
+      nameValuePair "tinc/${netname}" (mkIf cfg.enableLegacy {
+        source = cfg.confDir;
+      })
+    ) config.krebs.tinc;
+
     systemd.services = mapAttrs (netname: cfg:
       let
         tinc = cfg.tincPackage;
         iproute = cfg.iproutePackage;
-
-        confDir = let
-          namePathPair = name: path: { inherit name path; };
-        in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair {
-            "hosts" = cfg.hostsPackage;
-            "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
-              Name = ${cfg.host.name}
-              Interface = ${netname}
-              ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
-              PrivateKeyFile = ${cfg.privkey.path}
-              Port = ${toString cfg.host.nets.${cfg.netname}.tinc.port}
-              ${cfg.extraConfig}
-            '';
-            "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
-              ${iproute}/sbin/ip link set ${netname} up
-              ${cfg.tincUp}
-            '';
-          }
-        );
       in {
         description = "Tinc daemon for ${netname}";
         after = [ "network.target" ];
@@ -206,7 +214,7 @@ let
         path = [ tinc iproute ];
         serviceConfig = rec {
           Restart = "always";
-          ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
+          ExecStart = "${tinc}/sbin/tincd -c ${cfg.confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
           SyslogIdentifier = netname;
         };
       }
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 8bb244cd3..39e89a4b6 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -1,64 +1,33 @@
-{ config, lib, pkgs, ... }@args:
 with import <stockholm/lib>;
-{
-  imports = [
-    ./writers.nix
-  ];
-  nixpkgs.config.packageOverrides = oldpkgs: let
-
-    # This callPackage will try to detect obsolete overrides.
-    callPackage = path: args: let
-      override = pkgs.callPackage path args;
-      upstream = optionalAttrs (override ? "name")
-        (oldpkgs.${(parseDrvName override.name).name} or {});
-    in if upstream ? "name" &&
-          override ? "name" &&
-          compareVersions upstream.name override.name != -1
-      then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
-      else override;
-
-  in {}
-  // mapAttrs (_: flip callPackage {})
-              (filterAttrs (_: dir: pathExists (dir + "/default.nix"))
-                           (subdirsOf ./.))
-  // {
-    empty = pkgs.runCommand "empty-1.0.0" {} "mkdir $out";
 
-    haskellPackages = oldpkgs.haskellPackages.override {
-      overrides = self: super:
-        mapAttrs (name: path: self.callPackage path {})
-          (mapAttrs'
-            (name: type:
-              if hasSuffix ".nix" name
-                then {
-                  name = removeSuffix ".nix" name;
-                  value = ./haskell-overrides + "/${name}";
-                }
-                else null)
-            (builtins.readDir ./haskell-overrides));
-    };
+self: super:
 
-    ReaktorPlugins = callPackage ./Reaktor/plugins.nix {};
+# Import files and subdirectories like they are overlays.
+foldl' mergeAttrs {}
+  (map
+    (name: import (./. + "/${name}") self super)
+    (filter
+      (name: name != "default.nix" && !hasPrefix "." name)
+      (attrNames (readDir ./.))))
 
-    buildbot = callPackage ./buildbot {};
-    buildbot-full = callPackage ./buildbot {
-      plugins = with pkgs.buildbot-plugins; [ www console-view waterfall-view ];
-    };
-    buildbot-worker = callPackage ./buildbot/worker.nix {};
+//
 
-    # https://github.com/proot-me/PRoot/issues/106
-    proot = pkgs.writeDashBin "proot" ''
-      export PROOT_NO_SECCOMP=1
-      exec ${oldpkgs.proot}/bin/proot "$@"
-    '';
-
-    # XXX symlinkJoin changed arguments somewhere around nixpkgs d541e0d
-    symlinkJoin = { name, paths, ... }@args: let
-      x = oldpkgs.symlinkJoin args;
-    in if typeOf x != "lambda" then x else oldpkgs.symlinkJoin name paths;
+{
+  ReaktorPlugins = self.callPackage ./simple/Reaktor/plugins.nix {};
 
-    test = {
-      infest-cac-centos7 = callPackage ./test/infest-cac-centos7 {};
-    };
+  buildbot-full = self.callPackage ./simple/buildbot {
+    plugins = with self.buildbot-plugins; [ www console-view waterfall-view ];
   };
+  buildbot-worker = self.callPackage ./simple/buildbot/worker.nix {};
+
+  # https://github.com/proot-me/PRoot/issues/106
+  proot = self.writeDashBin "proot" ''
+    export PROOT_NO_SECCOMP=1
+    exec ${super.proot}/bin/proot "$@"
+  '';
+
+  # XXX symlinkJoin changed arguments somewhere around nixpkgs d541e0d
+  symlinkJoin = { name, paths, ... }@args: let
+    x = super.symlinkJoin args;
+  in if typeOf x != "lambda" then x else super.symlinkJoin name paths;
 }
diff --git a/krebs/5pkgs/haskell-overrides/kirk.nix b/krebs/5pkgs/haskell-overrides/kirk.nix
deleted file mode 100644
index 2cd6bb134..000000000
--- a/krebs/5pkgs/haskell-overrides/kirk.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ mkDerivation, async, base, bytestring, fetchgit, network
-, optparse-applicative, stdenv, text
-}:
-mkDerivation {
-  pname = "kirk";
-  version = "1.0.0";
-  src = fetchgit {
-    url = "http://cgit.krebsco.de/kirk";
-    sha256 = "0w4drg2lyyw45abfn3g55zd6m7pl7yqxql5rpyy6qqdbvnyak94w";
-    rev = "c78f3c62c0ba76465e39d1570073f867aa2d4240";
-  };
-  isLibrary = false;
-  isExecutable = true;
-  executableHaskellDepends = [
-    async base bytestring network optparse-applicative text
-  ];
-  license = stdenv.lib.licenses.mit;
-}
diff --git a/krebs/5pkgs/haskell-overrides/blessings.nix b/krebs/5pkgs/haskell/blessings.nix
index f852b4a44..f852b4a44 100644
--- a/krebs/5pkgs/haskell-overrides/blessings.nix
+++ b/krebs/5pkgs/haskell/blessings.nix
diff --git a/krebs/5pkgs/haskell/default.nix b/krebs/5pkgs/haskell/default.nix
new file mode 100644
index 000000000..1120356a7
--- /dev/null
+++ b/krebs/5pkgs/haskell/default.nix
@@ -0,0 +1,15 @@
+with import <stockholm/lib>;
+
+self: super:
+{
+  haskellPackages = super.haskellPackages.override {
+    overrides = self: super:
+      listToAttrs
+        (map
+          (name: nameValuePair (removeSuffix ".nix" name)
+                               (self.callPackage (./. + "/${name}") {}))
+          (filter
+            (name: name != "default.nix" && !hasPrefix "." name)
+            (attrNames (readDir ./.))));
+  };
+}
diff --git a/krebs/5pkgs/haskell-overrides/email-header.nix b/krebs/5pkgs/haskell/email-header.nix
index b54240809..b54240809 100644
--- a/krebs/5pkgs/haskell-overrides/email-header.nix
+++ b/krebs/5pkgs/haskell/email-header.nix
diff --git a/krebs/5pkgs/haskell-overrides/hyphenation.nix b/krebs/5pkgs/haskell/hyphenation.nix
index 6e5fe9455..6e5fe9455 100644
--- a/krebs/5pkgs/haskell-overrides/hyphenation.nix
+++ b/krebs/5pkgs/haskell/hyphenation.nix
diff --git a/krebs/5pkgs/haskell/kirk.nix b/krebs/5pkgs/haskell/kirk.nix
new file mode 100644
index 000000000..073e5d505
--- /dev/null
+++ b/krebs/5pkgs/haskell/kirk.nix
@@ -0,0 +1,21 @@
+{ mkDerivation, async, base, bytestring, fetchgit, network
+, optparse-applicative, stdenv, text
+}:
+mkDerivation {
+  pname = "kirk";
+  version = "1.0.1";
+  src = fetchgit {
+    url = "http://cgit.krebsco.de/kirk";
+    sha256 = "1acsmmc485c54axpy9bd0320j18hs261vl1vdxns4n04sxzqd7k0";
+    rev = "cdf3cb373af8f9b03a9487a63eb32e0226913589";
+  };
+  isLibrary = true;
+  isExecutable = true;
+  libraryHaskellDepends = [
+    base bytestring network optparse-applicative text
+  ];
+  executableHaskellDepends = [
+    async base network optparse-applicative text
+  ];
+  license = stdenv.lib.licenses.mit;
+}
diff --git a/krebs/5pkgs/haskell-overrides/news.nix b/krebs/5pkgs/haskell/news.nix
index ba5e7a5e1..ba5e7a5e1 100644
--- a/krebs/5pkgs/haskell-overrides/news.nix
+++ b/krebs/5pkgs/haskell/news.nix
diff --git a/krebs/5pkgs/haskell-overrides/scanner.nix b/krebs/5pkgs/haskell/scanner.nix
index 071fd757f..071fd757f 100644
--- a/krebs/5pkgs/haskell-overrides/scanner.nix
+++ b/krebs/5pkgs/haskell/scanner.nix
diff --git a/krebs/5pkgs/haskell-overrides/xmonad-stockholm.nix b/krebs/5pkgs/haskell/xmonad-stockholm.nix
index bf19e7d66..bf19e7d66 100644
--- a/krebs/5pkgs/haskell-overrides/xmonad-stockholm.nix
+++ b/krebs/5pkgs/haskell/xmonad-stockholm.nix
diff --git a/krebs/5pkgs/Reaktor/default.nix b/krebs/5pkgs/simple/Reaktor/default.nix
index fc3710820..fc3710820 100644
--- a/krebs/5pkgs/Reaktor/default.nix
+++ b/krebs/5pkgs/simple/Reaktor/default.nix
diff --git a/krebs/5pkgs/Reaktor/plugins.nix b/krebs/5pkgs/simple/Reaktor/plugins.nix
index e85e41cfe..e85e41cfe 100644
--- a/krebs/5pkgs/Reaktor/plugins.nix
+++ b/krebs/5pkgs/simple/Reaktor/plugins.nix
diff --git a/krebs/5pkgs/Reaktor/scripts/random-emoji.sh b/krebs/5pkgs/simple/Reaktor/scripts/random-emoji.sh
index 386aa68b9..386aa68b9 100644
--- a/krebs/5pkgs/Reaktor/scripts/random-emoji.sh
+++ b/krebs/5pkgs/simple/Reaktor/scripts/random-emoji.sh
diff --git a/krebs/5pkgs/Reaktor/scripts/random-issue.sh b/krebs/5pkgs/simple/Reaktor/scripts/random-issue.sh
index 5c47c6156..5c47c6156 100644
--- a/krebs/5pkgs/Reaktor/scripts/random-issue.sh
+++ b/krebs/5pkgs/simple/Reaktor/scripts/random-issue.sh
diff --git a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py b/krebs/5pkgs/simple/Reaktor/scripts/sed-plugin.py
index da8e2f726..da8e2f726 100644
--- a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
+++ b/krebs/5pkgs/simple/Reaktor/scripts/sed-plugin.py
diff --git a/krebs/5pkgs/Reaktor/scripts/shack-correct.sh b/krebs/5pkgs/simple/Reaktor/scripts/shack-correct.sh
index 3b4d04f80..3b4d04f80 100644
--- a/krebs/5pkgs/Reaktor/scripts/shack-correct.sh
+++ b/krebs/5pkgs/simple/Reaktor/scripts/shack-correct.sh
diff --git a/krebs/5pkgs/apt-cacher-ng/default.nix b/krebs/5pkgs/simple/apt-cacher-ng/default.nix
index e3986713b..e3986713b 100644
--- a/krebs/5pkgs/apt-cacher-ng/default.nix
+++ b/krebs/5pkgs/simple/apt-cacher-ng/default.nix
diff --git a/krebs/5pkgs/bepasty-client-cli/default.nix b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
index c58e637b3..c58e637b3 100644
--- a/krebs/5pkgs/bepasty-client-cli/default.nix
+++ b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
diff --git a/krebs/5pkgs/buildbot/default.nix b/krebs/5pkgs/simple/buildbot/default.nix
index 37eea5fd9..37eea5fd9 100644
--- a/krebs/5pkgs/buildbot/default.nix
+++ b/krebs/5pkgs/simple/buildbot/default.nix
diff --git a/krebs/5pkgs/buildbot/worker.nix b/krebs/5pkgs/simple/buildbot/worker.nix
index 34e526858..34e526858 100644
--- a/krebs/5pkgs/buildbot/worker.nix
+++ b/krebs/5pkgs/simple/buildbot/worker.nix
diff --git a/krebs/5pkgs/cac-api/default.nix b/krebs/5pkgs/simple/cac-api/default.nix
index e2bd8c148..e2bd8c148 100644
--- a/krebs/5pkgs/cac-api/default.nix
+++ b/krebs/5pkgs/simple/cac-api/default.nix
diff --git a/krebs/5pkgs/cac-cert/cac.pem b/krebs/5pkgs/simple/cac-cert/cac.pem
index 9d02b6bcf..9d02b6bcf 100644
--- a/krebs/5pkgs/cac-cert/cac.pem
+++ b/krebs/5pkgs/simple/cac-cert/cac.pem
diff --git a/krebs/5pkgs/cac-cert/default.nix b/krebs/5pkgs/simple/cac-cert/default.nix
index d99019dca..d99019dca 100644
--- a/krebs/5pkgs/cac-cert/default.nix
+++ b/krebs/5pkgs/simple/cac-cert/default.nix
diff --git a/krebs/5pkgs/cac-panel/default.nix b/krebs/5pkgs/simple/cac-panel/default.nix
index fd4799535..fd4799535 100644
--- a/krebs/5pkgs/cac-panel/default.nix
+++ b/krebs/5pkgs/simple/cac-panel/default.nix
diff --git a/krebs/5pkgs/collectd-connect-time/default.nix b/krebs/5pkgs/simple/collectd-connect-time/default.nix
index 525388029..525388029 100644
--- a/krebs/5pkgs/collectd-connect-time/default.nix
+++ b/krebs/5pkgs/simple/collectd-connect-time/default.nix
diff --git a/krebs/5pkgs/simple/default.nix b/krebs/5pkgs/simple/default.nix
new file mode 100644
index 000000000..1b9d8c235
--- /dev/null
+++ b/krebs/5pkgs/simple/default.nix
@@ -0,0 +1,24 @@
+with import <stockholm/lib>;
+
+self: super:
+
+let
+  # This callPackage will try to detect obsolete overrides.
+  callPackage = path: args: let
+    override = self.callPackage path args;
+    upstream = optionalAttrs (override ? "name")
+      (super.${(parseDrvName override.name).name} or {});
+  in if upstream ? "name" &&
+        override ? "name" &&
+        compareVersions upstream.name override.name != -1
+    then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
+    else override;
+in
+
+  listToAttrs
+    (map
+      (name: nameValuePair (removeSuffix ".nix" name)
+                           (callPackage (./. + "/${name}") {}))
+      (filter
+        (name: name != "default.nix" && !hasPrefix "." name)
+        (attrNames (readDir ./.))))
diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/simple/dic/default.nix
index 963786f0c..963786f0c 100644
--- a/krebs/5pkgs/dic/default.nix
+++ b/krebs/5pkgs/simple/dic/default.nix
diff --git a/krebs/5pkgs/drivedroid-gen-repo/default.nix b/krebs/5pkgs/simple/drivedroid-gen-repo/default.nix
index de8046c4a..de8046c4a 100644
--- a/krebs/5pkgs/drivedroid-gen-repo/default.nix
+++ b/krebs/5pkgs/simple/drivedroid-gen-repo/default.nix
diff --git a/krebs/5pkgs/simple/empty.nix b/krebs/5pkgs/simple/empty.nix
new file mode 100644
index 000000000..a45723b65
--- /dev/null
+++ b/krebs/5pkgs/simple/empty.nix
@@ -0,0 +1,2 @@
+{ pkgs }:
+pkgs.runCommand "empty-1.0.0" {} "mkdir $out"
diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/simple/fortclientsslvpn/default.nix
index cbcfab05f..cbcfab05f 100644
--- a/krebs/5pkgs/fortclientsslvpn/default.nix
+++ b/krebs/5pkgs/simple/fortclientsslvpn/default.nix
diff --git a/krebs/5pkgs/games-user-env/default.nix b/krebs/5pkgs/simple/games-user-env/default.nix
index abe770ed1..abe770ed1 100644
--- a/krebs/5pkgs/games-user-env/default.nix
+++ b/krebs/5pkgs/simple/games-user-env/default.nix
diff --git a/krebs/5pkgs/get/default.nix b/krebs/5pkgs/simple/get/default.nix
index 83f6b0228..83f6b0228 100644
--- a/krebs/5pkgs/get/default.nix
+++ b/krebs/5pkgs/simple/get/default.nix
diff --git a/krebs/5pkgs/git-hooks/default.nix b/krebs/5pkgs/simple/git-hooks/default.nix
index 4017b873b..4017b873b 100644
--- a/krebs/5pkgs/git-hooks/default.nix
+++ b/krebs/5pkgs/simple/git-hooks/default.nix
diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/simple/github-hosts-sync/default.nix
index cdfed468c..cdfed468c 100644
--- a/krebs/5pkgs/github-hosts-sync/default.nix
+++ b/krebs/5pkgs/simple/github-hosts-sync/default.nix
diff --git a/krebs/5pkgs/go-shortener/default.nix b/krebs/5pkgs/simple/go-shortener/default.nix
index 996f7072a..996f7072a 100644
--- a/krebs/5pkgs/go-shortener/default.nix
+++ b/krebs/5pkgs/simple/go-shortener/default.nix
diff --git a/krebs/5pkgs/go-shortener/packages.nix b/krebs/5pkgs/simple/go-shortener/packages.nix
index 9acfd7658..9acfd7658 100644
--- a/krebs/5pkgs/go-shortener/packages.nix
+++ b/krebs/5pkgs/simple/go-shortener/packages.nix
diff --git a/krebs/5pkgs/goify/default.nix b/krebs/5pkgs/simple/goify/default.nix
index 9c44aaeeb..9c44aaeeb 100644
--- a/krebs/5pkgs/goify/default.nix
+++ b/krebs/5pkgs/simple/goify/default.nix
diff --git a/krebs/5pkgs/hashPassword/default.nix b/krebs/5pkgs/simple/hashPassword/default.nix
index 3da65ad79..3da65ad79 100644
--- a/krebs/5pkgs/hashPassword/default.nix
+++ b/krebs/5pkgs/simple/hashPassword/default.nix
diff --git a/krebs/5pkgs/htgen/default.nix b/krebs/5pkgs/simple/htgen/default.nix
index 0fca8bdf2..0fca8bdf2 100644
--- a/krebs/5pkgs/htgen/default.nix
+++ b/krebs/5pkgs/simple/htgen/default.nix
diff --git a/krebs/5pkgs/irc-announce/default.nix b/krebs/5pkgs/simple/irc-announce/default.nix
index e1f4919d5..e1f4919d5 100644
--- a/krebs/5pkgs/irc-announce/default.nix
+++ b/krebs/5pkgs/simple/irc-announce/default.nix
diff --git a/krebs/5pkgs/kpaste/default.nix b/krebs/5pkgs/simple/kpaste/default.nix
index d6823d584..d6823d584 100644
--- a/krebs/5pkgs/kpaste/default.nix
+++ b/krebs/5pkgs/simple/kpaste/default.nix
diff --git a/krebs/5pkgs/krebspaste/default.nix b/krebs/5pkgs/simple/krebspaste/default.nix
index 31ad12780..31ad12780 100644
--- a/krebs/5pkgs/krebspaste/default.nix
+++ b/krebs/5pkgs/simple/krebspaste/default.nix
diff --git a/krebs/5pkgs/krebszones/default.nix b/krebs/5pkgs/simple/krebszones/default.nix
index 9230192bd..9230192bd 100644
--- a/krebs/5pkgs/krebszones/default.nix
+++ b/krebs/5pkgs/simple/krebszones/default.nix
diff --git a/krebs/5pkgs/logf/default.nix b/krebs/5pkgs/simple/logf/default.nix
index ac95acb33..ac95acb33 100644
--- a/krebs/5pkgs/logf/default.nix
+++ b/krebs/5pkgs/simple/logf/default.nix
diff --git a/krebs/5pkgs/much/cabal.nix b/krebs/5pkgs/simple/much/cabal.nix
index 09bc7b5df..09bc7b5df 100644
--- a/krebs/5pkgs/much/cabal.nix
+++ b/krebs/5pkgs/simple/much/cabal.nix
diff --git a/krebs/5pkgs/much/default.nix b/krebs/5pkgs/simple/much/default.nix
index cf55eb537..cf55eb537 100644
--- a/krebs/5pkgs/much/default.nix
+++ b/krebs/5pkgs/simple/much/default.nix
diff --git a/krebs/5pkgs/netcup/default.nix b/krebs/5pkgs/simple/netcup/default.nix
index d1f46299d..d1f46299d 100644
--- a/krebs/5pkgs/netcup/default.nix
+++ b/krebs/5pkgs/simple/netcup/default.nix
diff --git a/krebs/5pkgs/newsbot-js/default.nix b/krebs/5pkgs/simple/newsbot-js/default.nix
index b52454ca4..b52454ca4 100644
--- a/krebs/5pkgs/newsbot-js/default.nix
+++ b/krebs/5pkgs/simple/newsbot-js/default.nix
diff --git a/krebs/5pkgs/newsbot-js/packages.nix b/krebs/5pkgs/simple/newsbot-js/packages.nix
index 62921cb8f..62921cb8f 100644
--- a/krebs/5pkgs/newsbot-js/packages.nix
+++ b/krebs/5pkgs/simple/newsbot-js/packages.nix
diff --git a/krebs/5pkgs/noVNC/default.nix b/krebs/5pkgs/simple/noVNC/default.nix
index 45c3afb3a..45c3afb3a 100644
--- a/krebs/5pkgs/noVNC/default.nix
+++ b/krebs/5pkgs/simple/noVNC/default.nix
diff --git a/krebs/5pkgs/painload/default.nix b/krebs/5pkgs/simple/painload/default.nix
index 136ec4394..136ec4394 100644
--- a/krebs/5pkgs/painload/default.nix
+++ b/krebs/5pkgs/simple/painload/default.nix
diff --git a/krebs/5pkgs/passwdqc-utils/default.nix b/krebs/5pkgs/simple/passwdqc-utils/default.nix
index 53e7f5482..53e7f5482 100644
--- a/krebs/5pkgs/passwdqc-utils/default.nix
+++ b/krebs/5pkgs/simple/passwdqc-utils/default.nix
diff --git a/krebs/5pkgs/populate/default.nix b/krebs/5pkgs/simple/populate/default.nix
index 3ec432229..3ec432229 100644
--- a/krebs/5pkgs/populate/default.nix
+++ b/krebs/5pkgs/simple/populate/default.nix
diff --git a/krebs/5pkgs/posix-array/default.nix b/krebs/5pkgs/simple/posix-array/default.nix
index cfcdb29a7..cfcdb29a7 100644
--- a/krebs/5pkgs/posix-array/default.nix
+++ b/krebs/5pkgs/simple/posix-array/default.nix
diff --git a/krebs/5pkgs/pssh/default.nix b/krebs/5pkgs/simple/pssh/default.nix
index 2676af0cf..2676af0cf 100644
--- a/krebs/5pkgs/pssh/default.nix
+++ b/krebs/5pkgs/simple/pssh/default.nix
diff --git a/krebs/5pkgs/push/default.nix b/krebs/5pkgs/simple/push/default.nix
index 2e0291aac..2e0291aac 100644
--- a/krebs/5pkgs/push/default.nix
+++ b/krebs/5pkgs/simple/push/default.nix
diff --git a/krebs/5pkgs/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
index 15cc277a5..15cc277a5 100644
--- a/krebs/5pkgs/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
diff --git a/krebs/5pkgs/repo-sync/default.nix b/krebs/5pkgs/simple/repo-sync/default.nix
index 7cba87b09..7cba87b09 100644
--- a/krebs/5pkgs/repo-sync/default.nix
+++ b/krebs/5pkgs/simple/repo-sync/default.nix
diff --git a/krebs/5pkgs/retiolum-bootstrap/default.nix b/krebs/5pkgs/simple/retiolum-bootstrap/default.nix
index 331b1cb7f..331b1cb7f 100644
--- a/krebs/5pkgs/retiolum-bootstrap/default.nix
+++ b/krebs/5pkgs/simple/retiolum-bootstrap/default.nix
diff --git a/krebs/5pkgs/rutorrent/default.nix b/krebs/5pkgs/simple/rutorrent/default.nix
index 1084e7ce7..1084e7ce7 100644
--- a/krebs/5pkgs/rutorrent/default.nix
+++ b/krebs/5pkgs/simple/rutorrent/default.nix
diff --git a/krebs/5pkgs/tarantool/default.nix b/krebs/5pkgs/simple/tarantool/default.nix
index 9e22fd4f3..9e22fd4f3 100644
--- a/krebs/5pkgs/tarantool/default.nix
+++ b/krebs/5pkgs/simple/tarantool/default.nix
diff --git a/krebs/5pkgs/tinc_graphs/default.nix b/krebs/5pkgs/simple/tinc_graphs/default.nix
index 20bbc53ba..20bbc53ba 100644
--- a/krebs/5pkgs/tinc_graphs/default.nix
+++ b/krebs/5pkgs/simple/tinc_graphs/default.nix
diff --git a/krebs/5pkgs/translate-shell/default.nix b/krebs/5pkgs/simple/translate-shell/default.nix
index 00ab226e5..00ab226e5 100644
--- a/krebs/5pkgs/translate-shell/default.nix
+++ b/krebs/5pkgs/simple/translate-shell/default.nix
diff --git a/krebs/5pkgs/treq/default.nix b/krebs/5pkgs/simple/treq/default.nix
index 20387b9cb..20387b9cb 100644
--- a/krebs/5pkgs/treq/default.nix
+++ b/krebs/5pkgs/simple/treq/default.nix
diff --git a/krebs/5pkgs/untilport/default.nix b/krebs/5pkgs/simple/untilport/default.nix
index 61bcc2b89..61bcc2b89 100644
--- a/krebs/5pkgs/untilport/default.nix
+++ b/krebs/5pkgs/simple/untilport/default.nix
diff --git a/krebs/5pkgs/urlwatch/default.nix b/krebs/5pkgs/simple/urlwatch/default.nix
index 7ffbd8870..7ffbd8870 100644
--- a/krebs/5pkgs/urlwatch/default.nix
+++ b/krebs/5pkgs/simple/urlwatch/default.nix
diff --git a/krebs/5pkgs/weechat/default.nix b/krebs/5pkgs/simple/weechat/default.nix
index c703ca8bf..c703ca8bf 100644
--- a/krebs/5pkgs/weechat/default.nix
+++ b/krebs/5pkgs/simple/weechat/default.nix
diff --git a/krebs/5pkgs/simple/whatsupnix/default.nix b/krebs/5pkgs/simple/whatsupnix/default.nix
new file mode 100644
index 000000000..1a108c5e9
--- /dev/null
+++ b/krebs/5pkgs/simple/whatsupnix/default.nix
@@ -0,0 +1,15 @@
+{ bash, coreutils, gawk, nix, makeWrapper, stdenv }:
+
+stdenv.mkDerivation {
+  name = "whatsupnix";
+  phases = [ "installPhase" ];
+  nativeBuildInputs = [ makeWrapper ];
+  installPhase = ''
+    mkdir -p $out/bin
+    cat - ${./whatsupnix.bash} > $out/bin/whatsupnix <<\EOF
+    #! ${bash}/bin/bash
+    export PATH=${stdenv.lib.makeBinPath [ coreutils gawk nix ]}
+    EOF
+    chmod +x $out/bin/whatsupnix
+  '';
+}
diff --git a/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash b/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash
new file mode 100644
index 000000000..a19410055
--- /dev/null
+++ b/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# Prints build logs for failed derivations in quiet build mode (-Q).
+# See https://github.com/NixOS/nix/issues/443
+#
+# Usage:
+#
+#    set -o pipefail
+#    nix-build ... -Q ... | whatsupnix
+#
+
+
+GAWK=${GAWK:-gawk}
+NIX_STORE=${NIX_STORE:-nix-store}
+
+broken=$(mktemp)
+trap 'rm -f -- "$broken"' EXIT
+
+exec >&2
+
+$GAWK -v broken="$broken" -f <(cat - <<- 'AWK'
+  match($0, /builder for .*(\/nix\/store\/.+\.drv).* failed/, m) {
+    print m[1] >> broken
+  }
+  { print $0 }
+AWK
+)
+
+export NIX_PAGER='' # for nix-store
+while read -r drv; do
+  title="** FAILED $drv LOG  **"
+  frame=${title//?/*}
+
+  echo "$frame"
+  echo "$title"
+  echo "$frame"
+  echo
+
+  $NIX_STORE -l "$drv"
+
+  echo
+done < "$broken"
+
+exit 0
diff --git a/krebs/5pkgs/with-tmpdir/default.nix b/krebs/5pkgs/simple/with-tmpdir/default.nix
index 9862671f8..9862671f8 100644
--- a/krebs/5pkgs/with-tmpdir/default.nix
+++ b/krebs/5pkgs/simple/with-tmpdir/default.nix
diff --git a/krebs/5pkgs/youtube-tools/default.nix b/krebs/5pkgs/simple/youtube-tools/default.nix
index d767728be..d767728be 100644
--- a/krebs/5pkgs/youtube-tools/default.nix
+++ b/krebs/5pkgs/simple/youtube-tools/default.nix
diff --git a/krebs/5pkgs/zandronum-bin/default.nix b/krebs/5pkgs/simple/zandronum-bin/default.nix
index e97f46add..e97f46add 100644
--- a/krebs/5pkgs/zandronum-bin/default.nix
+++ b/krebs/5pkgs/simple/zandronum-bin/default.nix
diff --git a/krebs/5pkgs/test/default.nix b/krebs/5pkgs/test/default.nix
new file mode 100644
index 000000000..5ee8f913b
--- /dev/null
+++ b/krebs/5pkgs/test/default.nix
@@ -0,0 +1,9 @@
+with import <stockholm/lib>;
+
+self: super:
+
+{
+  test = {
+    infest-cac-centos7 = self.callPackage ./infest-cac-centos7 {};
+  };
+}
diff --git a/krebs/5pkgs/writers.nix b/krebs/5pkgs/writers.nix
index d14090323..8ea9c37d5 100644
--- a/krebs/5pkgs/writers.nix
+++ b/krebs/5pkgs/writers.nix
@@ -1,7 +1,6 @@
-{ pkgs, ... }:
+pkgs: oldpkgs:
 with import <stockholm/lib>;
-{
-  nixpkgs.config.packageOverrides = _: {
+  {
 
     # Combine a list of derivations using symlinks.  Paths in later derivations
     # take precedence over earlier ones.
@@ -323,5 +322,4 @@ with import <stockholm/lib>;
       };
 
     writeSed = pkgs.makeScriptWriter "${pkgs.gnused}/bin/sed -f";
-  };
-}
+  }
diff --git a/krebs/default.nix b/krebs/default.nix
index e5e8cbc49..55bf66f77 100644
--- a/krebs/default.nix
+++ b/krebs/default.nix
@@ -3,6 +3,6 @@ with import <stockholm/lib>;
 {
   imports = [
     ./3modules
-    ./5pkgs
   ];
+  nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
 }
diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 30fc674bc..eaeb1991f 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -16,7 +16,7 @@ with import <stockholm/lib>;
       # /dev/pts is empty except for 1 file
       # my life sucks
       nixpkgs.config.packageOverrides = super: {
-        irc-announce = super.callPackage <stockholm/krebs/5pkgs/irc-announce> {
+        irc-announce = super.callPackage <stockholm/krebs/5pkgs/simple/irc-announce> {
           pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
             pkgs.coreutils
             (pkgs.writeDashBin "tee" ''
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index c8d9465d5..dd3777c64 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -32,14 +32,11 @@ with import <stockholm/lib>;
         { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
       ];
     }
-    #{
-    #  services.elasticsearch = {
-    #    enable = true;
-    #    plugins = [
-    #    #  pkgs.elasticsearchPlugins.elasticsearch_kopf
-    #    ];
-    #  };
-    #}
+    {
+      services.elasticsearch = {
+        enable = true;
+      };
+    }
     {
       #zalando project
       services.postgresql = {
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 01cfe5414..02054a8e5 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -1,5 +1,4 @@
 { config, lib, pkgs, ... }:
-
 with import <stockholm/lib>;
 
 let
@@ -46,6 +45,7 @@ in {
     ../2configs/monitoring/monit-alarms.nix
     ../2configs/paste.nix
     ../2configs/syncthing.nix
+    ../2configs/coders-irc.nix
     {
       imports = [
         ../2configs/bepasty.nix
@@ -254,103 +254,6 @@ in {
       ];
     }
     {
-      krebs.Reaktor.coders = {
-        nickname = "Reaktor|lass";
-        channels = [ "#coders" "#germany" ];
-        extraEnviron = {
-          REAKTOR_HOST = "irc.hackint.org";
-        };
-        plugins = with pkgs.ReaktorPlugins; let
-
-          lambdabot = (import (pkgs.fetchFromGitHub {
-            owner = "NixOS"; repo = "nixpkgs";
-            rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac";
-            sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy";
-          }) {}).lambdabot;
-
-          lambdabotflags = ''
-            -XStandaloneDeriving -XGADTs -XFlexibleContexts \
-            -XFlexibleInstances -XMultiParamTypeClasses \
-            -XOverloadedStrings -XFunctionalDependencies \'';
-        in [
-          url-title
-          (buildSimpleReaktorPlugin "lambdabot-pl" {
-            pattern = "^@pl (?P<args>.*)$$";
-            script = pkgs.writeDash "lambda-pl" ''
-              exec ${lambdabot}/bin/lambdabot \
-                ${indent lambdabotflags}
-                -e "@pl $1"
-            '';
-          })
-          (buildSimpleReaktorPlugin "lambdabot-type" {
-            pattern = "^@type (?P<args>.*)$$";
-            script = pkgs.writeDash "lambda-type" ''
-              exec ${lambdabot}/bin/lambdabot \
-                ${indent lambdabotflags}
-                -e "@type $1"
-            '';
-          })
-          (buildSimpleReaktorPlugin "lambdabot-let" {
-            pattern = "^@let (?P<args>.*)$$";
-            script = pkgs.writeDash "lambda-let" ''
-              exec ${lambdabot}/bin/lambdabot \
-                ${indent lambdabotflags}
-                -e "@let $1"
-            '';
-          })
-          (buildSimpleReaktorPlugin "lambdabot-run" {
-            pattern = "^@run (?P<args>.*)$$";
-            script = pkgs.writeDash "lambda-run" ''
-              exec ${lambdabot}/bin/lambdabot \
-                ${indent lambdabotflags}
-                -e "@run $1"
-            '';
-          })
-          (buildSimpleReaktorPlugin "lambdabot-kind" {
-            pattern = "^@kind (?P<args>.*)$$";
-            script = pkgs.writeDash "lambda-kind" ''
-              exec ${lambdabot}/bin/lambdabot \
-                ${indent lambdabotflags}
-                -e "@kind $1"
-            '';
-          })
-          (buildSimpleReaktorPlugin "lambdabot-kind" {
-            pattern = "^@kind (?P<args>.*)$$";
-            script = pkgs.writeDash "lambda-kind" ''
-              exec ${lambdabot}/bin/lambdabot \
-                ${indent lambdabotflags}
-                -e "@kind $1"
-            '';
-          })
-          (buildSimpleReaktorPlugin "random-unicorn-porn" {
-            pattern = "^!rup$$";
-            script = pkgs.writePython2 "rup" ''
-              #!${pkgs.python2}/bin/python
-              t1 = """
-                                  _.
-                               ;=',_ ()
-                     8===D~~  S" .--`||
-                             sS  \__ ||
-                          __.' ( \-->||
-                       _=/    _./-\/ ||
-              8===D~~ ((\( /-'   -'l ||
-                       ) |/ \\      (_))
-                          \\  \\
-                           '~ '~
-              """
-              print(t1)
-            '';
-          })
-          (buildSimpleReaktorPlugin "ping" {
-            pattern = "^!ping (?P<args>.*)$$";
-            script = pkgs.writeDash "ping" ''
-              exec /var/setuid-wrappers/ping -q -c1 "$1" 2>&1 | tail -1
-            '';
-          })
-        ];
-      };
-    }
-    {
       krebs.Reaktor.prism = {
         nickname = "Reaktor|lass";
         channels = [ "#retiolum" ];
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 9c51effdc..3e2e325d8 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -10,6 +10,7 @@ in {
     ./copyq.nix
     ./xresources.nix
     ./livestream.nix
+    ./dns-stuff.nix
     {
       hardware.pulseaudio = {
         enable = true;
@@ -33,6 +34,7 @@ in {
   time.timeZone = "Europe/Berlin";
 
   programs.ssh.startAgent = false;
+  services.openssh.forwardX11 = true;
 
   services.printing = {
     enable = true;
diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix
index c2bc3f3cd..b2d40d4f3 100644
--- a/lass/2configs/bepasty.nix
+++ b/lass/2configs/bepasty.nix
@@ -35,7 +35,7 @@ in {
         forceSSL = true;
         enableACME = true;
       };
-      defaultPermissions = "read";
+      defaultPermissions = "read,create";
       secretKey = secKey;
     });
   };
diff --git a/lass/2configs/coders-irc.nix b/lass/2configs/coders-irc.nix
new file mode 100644
index 000000000..61cc7cfe0
--- /dev/null
+++ b/lass/2configs/coders-irc.nix
@@ -0,0 +1,92 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  krebs.Reaktor.coders = {
+    nickname = "Reaktor|lass";
+    channels = [ "#coders" "#germany" ];
+    extraEnviron = {
+      REAKTOR_HOST = "irc.hackint.org";
+    };
+    plugins = with pkgs.ReaktorPlugins; let
+
+      lambdabot = (import (pkgs.fetchFromGitHub {
+        owner = "NixOS"; repo = "nixpkgs";
+        rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac";
+        sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy";
+      }) {}).lambdabot;
+
+      lambdabotflags = ''
+        -XStandaloneDeriving -XGADTs -XFlexibleContexts \
+        -XFlexibleInstances -XMultiParamTypeClasses \
+        -XOverloadedStrings -XFunctionalDependencies \'';
+    in [
+      url-title
+      (buildSimpleReaktorPlugin "lambdabot-pl" {
+        pattern = "^@pl (?P<args>.*)$$";
+        script = pkgs.writeDash "lambda-pl" ''
+          exec ${lambdabot}/bin/lambdabot \
+            ${indent lambdabotflags}
+            -e "@pl $1"
+        '';
+      })
+      (buildSimpleReaktorPlugin "lambdabot-type" {
+        pattern = "^@type (?P<args>.*)$$";
+        script = pkgs.writeDash "lambda-type" ''
+          exec ${lambdabot}/bin/lambdabot \
+            ${indent lambdabotflags}
+            -e "@type $1"
+        '';
+      })
+      (buildSimpleReaktorPlugin "lambdabot-let" {
+        pattern = "^@let (?P<args>.*)$$";
+        script = pkgs.writeDash "lambda-let" ''
+          exec ${lambdabot}/bin/lambdabot \
+            ${indent lambdabotflags}
+            -e "@let $1"
+        '';
+      })
+      (buildSimpleReaktorPlugin "lambdabot-run" {
+        pattern = "^@run (?P<args>.*)$$";
+        script = pkgs.writeDash "lambda-run" ''
+          exec ${lambdabot}/bin/lambdabot \
+            ${indent lambdabotflags}
+            -e "@run $1"
+        '';
+      })
+      (buildSimpleReaktorPlugin "lambdabot-kind" {
+        pattern = "^@kind (?P<args>.*)$$";
+        script = pkgs.writeDash "lambda-kind" ''
+          exec ${lambdabot}/bin/lambdabot \
+            ${indent lambdabotflags}
+            -e "@kind $1"
+        '';
+      })
+      (buildSimpleReaktorPlugin "random-unicorn-porn" {
+        pattern = "^!rup$$";
+        script = pkgs.writePython2 "rup" ''
+          #!${pkgs.python2}/bin/python
+          t1 = """
+                              _.
+                           ;=',_ ()
+                 8===D~~  S" .--`||
+                         sS  \__ ||
+                      __.' ( \-->||
+                   _=/    _./-\/ ||
+          8===D~~ ((\( /-'   -'l ||
+                   ) |/ \\      (_))
+                      \\  \\
+                       '~ '~
+          """
+          print(t1)
+        '';
+      })
+      (buildSimpleReaktorPlugin "ping" {
+        pattern = "^!ping (?P<args>.*)$$";
+        script = pkgs.writeDash "ping" ''
+          exec /var/setuid-wrappers/ping -q -c1 "$1" 2>&1 | tail -1
+        '';
+      })
+    ];
+  };
+}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index ffed5bb70..d7deb3165 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -63,15 +63,6 @@ with import <stockholm/lib>;
         pkgs.pythonPackages.python
       ];
     }
-    {
-      services.dnscrypt-proxy = {
-        enable = true;
-        resolverName = "cs-de";
-      };
-      networking.extraResolvconfConf = ''
-        name_servers='127.0.0.1'
-      '';
-    }
   ];
 
   networking.hostName = config.krebs.build.host.name;
diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix
new file mode 100644
index 000000000..b52d3050b
--- /dev/null
+++ b/lass/2configs/dns-stuff.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  services.dnscrypt-proxy = {
+    enable = true;
+    localAddress = "127.1.0.1";
+    resolverName = "cs-de";
+  };
+  services.dnsmasq = {
+    enable = true;
+    extraConfig = ''
+      server=127.1.0.1
+      server=/dn42/172.23.75.6
+      #no-resolv
+      cache-size=1000
+      min-cache-ttl=3600
+      bind-dynamic
+      all-servers
+      dnssec
+      trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+      address=/blog/127.0.0.1
+      address=/blog/::1
+      rebind-domain-ok=/onion/
+      server=/.onion/127.0.0.1#9053
+      port=53
+    '';
+  };
+  networking.extraResolvconfConf = ''
+    name_servers='127.0.0.1'
+  '';
+}
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 49c44aa88..a3916a2ea 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://cgit.lassul.us/nixpkgs;
-    ref = "2bb9c1c";
+    ref = "f8dfdd7";
   };
 }
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index 7a7bf95be..e7779f53e 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -1,11 +1,10 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
 
   krebs.iptables = {
     tables = {
       filter.INPUT.rules = [
-        { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
         { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
         { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
       ];
@@ -13,6 +12,7 @@
   };
 
   krebs.tinc.retiolum = {
+    enableLegacy = true;
     enable = true;
     connectTo = [
       "prism"
@@ -25,4 +25,8 @@
   nixpkgs.config.packageOverrides = pkgs: {
     tinc = pkgs.tinc_pre;
   };
+
+  environment.systemPackages = [
+    pkgs.tinc
+  ];
 }
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 581b37d91..b0d28d4da 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -25,9 +25,10 @@ in {
   imports = [
     ./sqlBackup.nix
     (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
-    (servePage [ "karlaskop.de" "www.karlaskop.de" ])
-    (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
+    (servePage [ "karlaskop.de" ])
+    (servePage [ "makeup.apanowicz.de" ])
     (servePage [ "pixelpocket.de" ])
+    (servePage [ "habsys.de" "habsys.eu" ])
     (serveOwncloud [ "o.ubikmedia.de" ])
     (serveWordpress [
       "ubikmedia.de"
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 9bf7e4a9c..45927b102 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -40,8 +40,6 @@ in {
 
     (serveWordpress [ "eastuttgart.de" "www.eastuttgart.de" ])
 
-    (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
-
     (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
   ];
 
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 73692446a..fd353e008 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -6,6 +6,7 @@ _:
     ./hosts.nix
     ./mysql-backup.nix
     ./news.nix
+    ./pyload.nix
     ./umts.nix
     ./usershadow.nix
     ./xresources.nix
diff --git a/lass/3modules/hosts.nix b/lass/3modules/hosts.nix
index 125819bb0..7e3af10be 100644
--- a/lass/3modules/hosts.nix
+++ b/lass/3modules/hosts.nix
@@ -6,7 +6,7 @@ with import <stockholm/lib>;
   options.lass.hosts = mkOption {
     type = types.attrsOf types.host;
     default =
-      filterAttrs (_: host: host.owner.name == "lass")
+      filterAttrs (_: host: host.owner.name == "lass" && host.managed)
       config.krebs.hosts;
   };
 }
diff --git a/lass/3modules/pyload.nix b/lass/3modules/pyload.nix
new file mode 100644
index 000000000..6f29ffb17
--- /dev/null
+++ b/lass/3modules/pyload.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+let
+  cfg = config.lass.pyload;
+
+  out = {
+    options.lass.pyload = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "pyload";
+    user = mkOption {
+      type = types.str;
+      default = "download";
+    };
+  };
+
+  imp = {
+
+    krebs.per-user.${cfg.user}.packages = [
+      pkgs.pyload
+      pkgs.spidermonkey
+      pkgs.tesseract
+    ];
+
+    krebs.iptables.tables.filter.INPUT.rules = [
+       { predicate = "-p tcp --dport 9099"; target = "ACCEPT"; }
+    ];
+    systemd.services.pyload = {
+      description = "pyload";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [
+        pyload
+        spidermonkey
+        tesseract
+        dnsmasq
+      ];
+
+      restartIfChanged = true;
+
+      serviceConfig = {
+        Restart = "always";
+        ExecStart = "${pkgs.pyload}/bin/pyLoadCore";
+        User = cfg.user;
+      };
+    };
+
+  };
+
+in out
diff --git a/lib/types.nix b/lib/types.nix
index 30de5e177..530cd1e69 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -31,6 +31,13 @@ rec {
         default = null;
       };
 
+      managed = mkOption {
+        description = ''
+          If true, then the host's configuration is defined in stockholm.
+        '';
+        type = bool;
+      };
+
       owner = mkOption {
         type = user;
       };
diff --git a/makefu/1systems/iso.nix b/makefu/1systems/iso.nix
index ee1046f79..1e4f9c55f 100644
--- a/makefu/1systems/iso.nix
+++ b/makefu/1systems/iso.nix
@@ -31,7 +31,7 @@ with import <stockholm/lib>;
   systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
   # hack `tee` behavior
   nixpkgs.config.packageOverrides = super: {
-    irc-announce = super.callPackage <stockholm/krebs/5pkgs/irc-announce> {
+    irc-announce = super.callPackage <stockholm/krebs/5pkgs/simple/irc-announce> {
       pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
         pkgs.coreutils
         (pkgs.writeDashBin "tee" ''
diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix
index 25ae2fe4b..d1b8fcc42 100644
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@@ -25,7 +25,7 @@ with import <stockholm/lib>;
     alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";};
     inherit (callPackage ./devpi {}) devpi-web devpi-server devpi-client;
     nodemcu-uploader = callPackage ./nodemcu-uploader {};
-    pwqgen-ger = callPackage ../../krebs/5pkgs/passwdqc-utils {
+    pwqgen-ger = callPackage <stockholm/krebs/5pkgs/simple/passwdqc-utils> {
       wordset-file = pkgs.fetchurl {
         url = https://gist.githubusercontent.com/makefu/b56f5554c9ef03fe6e09878962e6fd8d/raw/1f147efec51325bc9f80c823bad8381d5b7252f6/wordset_4k.c ;
         sha256 = "18ddzyh11bywrhzdkzvrl7nvgp5gdb4k1s0zxbz2bkhd14vi72bb";
diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix
index a1ed76d98..cb02521ce 100644
--- a/nin/2configs/default.nix
+++ b/nin/2configs/default.nix
@@ -59,7 +59,7 @@ with import <stockholm/lib>;
 
   krebs = {
     enable = true;
-    search-domain = "retiolum";
+    search-domain = "r";
     build = {
       user = config.krebs.users.nin;
       source = let inherit (config.krebs.build) host; in {
diff --git a/nin/2configs/nixpkgs.nix b/nin/2configs/nixpkgs.nix
index 9c3eafffd..14ddb7920 100644
--- a/nin/2configs/nixpkgs.nix
+++ b/nin/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://github.com/nixos/nixpkgs;
-    ref = "5b0c9d4";
+    ref = "0afb6d7";
   };
 }