57 files changed, 1448 insertions, 442 deletions

diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix
index a3cc9d7b3..5aa35f5a7 100644
--- a/lass/1systems/cloudkrebs.nix
+++ b/lass/1systems/cloudkrebs.nix
@@ -13,7 +13,6 @@ in {
     ../2configs/retiolum.nix
     ../2configs/git.nix
     ../2configs/realwallpaper.nix
-    ../2configs/realwallpaper-server.nix
     ../2configs/privoxy-retiolum.nix
     {
       networking.interfaces.enp2s1.ip4 = [
diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix
index b5e551952..ec9f53694 100644
--- a/lass/1systems/dishfire.nix
+++ b/lass/1systems/dishfire.nix
@@ -5,7 +5,7 @@
     ../.
     <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
     ../2configs/default.nix
-    ../2configs/exim-retiolum.nix
+    #../2configs/exim-retiolum.nix
     ../2configs/git.nix
     {
       boot.loader.grub = {
@@ -63,6 +63,35 @@
          { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
       ];
     }
+    {
+      #TODO: abstract & move to own file
+      krebs.exim-smarthost = {
+        enable = true;
+        relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
+          config.krebs.hosts.mors
+          config.krebs.hosts.uriel
+          config.krebs.hosts.helios
+        ];
+        system-aliases = [
+          { from = "mailer-daemon"; to = "postmaster"; }
+          { from = "postmaster"; to = "root"; }
+          { from = "nobody"; to = "root"; }
+          { from = "hostmaster"; to = "root"; }
+          { from = "usenet"; to = "root"; }
+          { from = "news"; to = "root"; }
+          { from = "webmaster"; to = "root"; }
+          { from = "www"; to = "root"; }
+          { from = "ftp"; to = "root"; }
+          { from = "abuse"; to = "root"; }
+          { from = "noc"; to = "root"; }
+          { from = "security"; to = "root"; }
+          { from = "root"; to = "lass"; }
+        ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
+      ];
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.dishfire;
diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix
index 97734a7bd..8d944ed40 100644
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@@ -11,7 +11,7 @@ in {
     ../2configs/default.nix
     ../2configs/exim-retiolum.nix
     ../2configs/retiolum.nix
-    ../2configs/realwallpaper-server.nix
+    ../2configs/realwallpaper.nix
     ../2configs/privoxy-retiolum.nix
     ../2configs/git.nix
     #../2configs/redis.nix
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index a7a1fd253..f26f0ed5f 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -3,6 +3,7 @@
 {
   imports = [
     ../.
+    ../2configs/hw/tp-x220.nix
     ../2configs/baseX.nix
     ../2configs/exim-retiolum.nix
     ../2configs/programs.nix
@@ -14,22 +15,18 @@
     ../2configs/elster.nix
     ../2configs/steam.nix
     ../2configs/wine.nix
-    #../2configs/texlive.nix
-    ../2configs/binary-caches.nix
-    #../2configs/ircd.nix
     ../2configs/chromium-patched.nix
     ../2configs/git.nix
-    #../2configs/wordpress.nix
     ../2configs/bitlbee.nix
-    #../2configs/firefoxPatched.nix
     ../2configs/skype.nix
     ../2configs/teamviewer.nix
     ../2configs/libvirt.nix
     ../2configs/fetchWallpaper.nix
-    ../2configs/cbase.nix
+    ../2configs/c-base.nix
     ../2configs/mail.nix
     ../2configs/krebs-pass.nix
-    #../2configs/buildbot-standalone.nix
+    ../2configs/umts.nix
+    ../2configs/repo-sync.nix
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
@@ -57,17 +54,10 @@
     #    package = pkgs.postgresql;
     #  };
     #}
-    {
-    }
   ];
 
   krebs.build.host = config.krebs.hosts.mors;
 
-  networking.wireless.enable = true;
-
-  hardware.enableAllFirmware = true;
-  nixpkgs.config.allowUnfree = true;
-
   boot = {
     loader.grub.enable = true;
     loader.grub.version = 2;
@@ -77,7 +67,6 @@
     initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
     initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
     #kernelModules = [ "kvm-intel" "msr" ];
-    kernelModules = [ "msr" ];
   };
   fileSystems = {
     "/" = {
@@ -131,8 +120,8 @@
   };
 
   services.udev.extraRules = ''
-    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
-    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
+    SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
+    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:85:c9", NAME="et0"
   '';
 
   #TODO activationScripts seem broken, fix them!
@@ -146,7 +135,7 @@
     #Autosuspend for USB device Broadcom Bluetooth Device [Broadcom Corp]
     #echo 'auto' > '/sys/bus/usb/devices/1-1.4/power/control'
     #Autosuspend for USB device Biometric Coprocessor
-    echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control'
+    #echo 'auto' > '/sys/bus/usb/devices/1-1.3/power/control'
 
     #Runtime PMs
     echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
@@ -168,22 +157,6 @@
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
   '';
 
-  hardware.trackpoint = {
-    enable = true;
-    sensitivity = 220;
-    speed = 0;
-    emulateWheel = true;
-  };
-
-  services.xserver = {
-    videoDriver = "intel";
-    vaapiDrivers = [ pkgs.vaapiIntel ];
-    deviceSection = ''
-      Option "AccelMethod" "sna"
-      BusID "PCI:0:2:0"
-    '';
-  };
-
   environment.systemPackages = with pkgs; [
     acronym
     cac-api
@@ -214,15 +187,11 @@
     };
   };
 
-  services.mongodb = {
-    enable = true;
+  krebs.repo-sync.timerConfig = {
+    OnCalendar = "00:37";
   };
 
-  krebs.iptables = {
-    tables = {
-      filter.INPUT.rules = [
-        { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }
-      ];
-    };
+  services.mongodb = {
+    enable = true;
   };
 }
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 6ed80ac39..5477a8b86 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -19,6 +19,8 @@ in {
     ../2configs/privoxy-retiolum.nix
     ../2configs/radio.nix
     ../2configs/buildbot-standalone.nix
+    ../2configs/repo-sync.nix
+    ../2configs/binary-cache/server.nix
     {
       imports = [
         ../2configs/git.nix
@@ -66,8 +68,6 @@ in {
 
     }
     {
-      #boot.loader.gummiboot.enable = true;
-      #boot.loader.efi.canTouchEfiVariables = true;
       boot.loader.grub = {
         devices = [
           "/dev/sda"
@@ -110,10 +110,6 @@ in {
     {
       sound.enable = false;
     }
-    #{
-    #  #workaround for server dying after 6-7h
-    #  boot.kernelPackages = pkgs.linuxPackages_4_2;
-    #}
     {
       nixpkgs.config.allowUnfree = true;
     }
@@ -202,7 +198,7 @@ in {
     }
     {
       imports = [
-        ../2configs/realwallpaper-server.nix
+        ../2configs/realwallpaper.nix
       ];
       krebs.nginx.servers."lassul.us".locations = [
         (lib.nameValuePair "/wallpaper.png" ''
diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix
index 6829428ff..96d64bda3 100644
--- a/lass/1systems/shodan.nix
+++ b/lass/1systems/shodan.nix
@@ -4,7 +4,9 @@ with builtins;
 {
   imports = [
     ../.
+    ../2configs/hw/tp-x220.nix
     ../2configs/baseX.nix
+    ../2configs/git.nix
     ../2configs/exim-retiolum.nix
     ../2configs/browsers.nix
     ../2configs/programs.nix
@@ -19,34 +21,10 @@ with builtins;
     #    };
     #  };
     #}
-    {
-      #x220 config from mors
-      #TODO: make x220 config file (or look in other user dir)
-      hardware.trackpoint = {
-        enable = true;
-        sensitivity = 220;
-        speed = 0;
-        emulateWheel = true;
-      };
-
-      services.xserver = {
-        videoDriver = "intel";
-        vaapiDrivers = [ pkgs.vaapiIntel ];
-        deviceSection = ''
-          Option "AccelMethod" "sna"
-          BusID "PCI:0:2:0"
-        '';
-      };
-    }
   ];
 
   krebs.build.host = config.krebs.hosts.shodan;
 
-  networking.wireless.enable = true;
-
-  hardware.enableAllFirmware = true;
-  nixpkgs.config.allowUnfree = true;
-
   boot = {
     loader.grub.enable = true;
     loader.grub.version = 2;
@@ -56,7 +34,6 @@ with builtins;
     initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
     initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
     #kernelModules = [ "kvm-intel" "msr" ];
-    kernelModules = [ "msr" ];
   };
   fileSystems = {
     "/" = {
@@ -67,10 +44,15 @@ with builtins;
     "/boot" = {
       device = "/dev/sda1";
     };
+
+    "/home/lass" = {
+      device = "/dev/pool/home-lass";
+      fsType = "ext4";
+    };
   };
 
-  #services.udev.extraRules = ''
-  #  SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0"
-  #  SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
-  #'';
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
+    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
+  '';
 }
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 16f7502ac..6d26ff89a 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -8,7 +8,13 @@ in {
     #./urxvt.nix
     ./xserver
     ./mpv.nix
+    #./pulse.nix
+    ./power-action.nix
   ];
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+  };
 
   users.extraUsers.mainUser.extraGroups = [ "audio" ];
 
@@ -16,11 +22,6 @@ in {
 
   virtualisation.libvirtd.enable = true;
 
-  hardware.pulseaudio = {
-    enable = true;
-    systemWide = true;
-  };
-
   programs.ssh.startAgent = false;
 
   security.setuidPrograms = [ "slock" ];
@@ -32,6 +33,7 @@ in {
 
   environment.systemPackages = with pkgs; [
 
+    acpi
     dmenu
     gitAndTools.qgit
     lm_sensors
@@ -44,6 +46,7 @@ in {
     sxiv
     xclip
     xorg.xbacklight
+    xorg.xhost
     xsel
     zathura
 
diff --git a/lass/2configs/binary-cache/client.nix b/lass/2configs/binary-cache/client.nix
new file mode 100644
index 000000000..108ff7a1e
--- /dev/null
+++ b/lass/2configs/binary-cache/client.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  nix = {
+    binaryCaches = ["http://cache.prism.r"];
+    binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
+  };
+}
+
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
new file mode 100644
index 000000000..22ec04307
--- /dev/null
+++ b/lass/2configs/binary-cache/server.nix
@@ -0,0 +1,30 @@
+{ config, lib, pkgs, ...}:
+
+{
+  # generate private key with:
+  # nix-store --generate-binary-cache-key my-secret-key my-public-key
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
+  };
+
+  systemd.services.nix-serve = {
+    requires = ["secret.service"];
+    after = ["secret.service"];
+  };
+  krebs.secret.files.nix-serve-key = {
+    path = "/run/secret/nix-serve.key";
+    owner.name = "nix-serve";
+    source-path = toString <secrets> + "/nix-serve.key";
+  };
+  krebs.nginx = {
+    enable = true;
+    servers.nix-serve = {
+      server-names = [ "cache.prism.r" ];
+      locations = lib.singleton (lib.nameValuePair "/" ''
+        proxy_pass http://localhost:${toString config.services.nix-serve.port};
+      '');
+    };
+  };
+}
+
diff --git a/lass/2configs/binary-caches.nix b/lass/2configs/binary-caches.nix
deleted file mode 100644
index c2727520d..000000000
--- a/lass/2configs/binary-caches.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, ... }:
-
-{
-  nix.sshServe.enable = true;
-  nix.sshServe.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBF9SBNKE3Pw/ALwTfzpzs+j6Rpaf0kUy6FiPMmgNNNt root@mors"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCZSq5oLrokkh3F+MOdK5/nzVIEDvqyvfzLMNWmzsYD root@uriel"
-  ];
-  nix.binaryCaches = [
-    #"scp://nix-ssh@mors"
-    #"scp://nix-ssh@uriel"
-  ];
-}
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 604d0728d..04bdcf9d8 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -1,6 +1,14 @@
 { lib, config, pkgs, ... }:
-{
-  krebs.buildbot.master = let
+
+with config.krebs.lib;
+
+let
+  sshWrapper = pkgs.writeDash "ssh-wrapper" ''
+    ${pkgs.openssh}/bin/ssh -i ${shell.escape config.lass.build-ssh-privkey.path} "$@"
+  '';
+
+in {
+  config.krebs.buildbot.master = let
     stockholm-mirror-url = http://cgit.prism/stockholm ;
   in {
     slaves = {
@@ -25,20 +33,38 @@
         sched.append(schedulers.SingleBranchScheduler(
                                     ## all branches
                                     change_filter=util.ChangeFilter(branch_re=".*"),
-                                    # treeStableTimer=10,
+                                    treeStableTimer=10,
                                     name="fast-all-branches",
                                     builderNames=["fast-tests"]))
       '';
+      build-scheduler = ''
+        # build all hosts
+        sched.append(schedulers.SingleBranchScheduler(
+                                    change_filter=util.ChangeFilter(branch_re=".*"),
+                                    treeStableTimer=10,
+                                    name="prism-all-branches",
+                                    builderNames=["build-all"]))
+      '';
     };
     builder_pre = ''
       # prepare grab_repo step for stockholm
       grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
 
-      env = {"LOGNAME": "lass", "NIX_REMOTE": "daemon"}
+      # TODO: get nixpkgs/stockholm paths from krebs
+      env_lass = {
+        "LOGNAME": "lass",
+        "NIX_REMOTE": "daemon",
+        "dummy_secrets": "true",
+      }
+      env_makefu = {
+        "LOGNAME": "makefu",
+        "NIX_REMOTE": "daemon",
+        "dummy_secrets": "true",
+      }
 
       # prepare nix-shell
       # the dependencies which are used by the test script
-      deps = [ "gnumake", "jq","nix","rsync" ]
+      deps = [ "gnumake", "jq", "nix", "rsync", "proot" ]
       # TODO: --pure , prepare ENV in nix-shell command:
       #                   SSL_CERT_FILE,LOGNAME,NIX_REMOTE
       nixshell = ["nix-shell",
@@ -51,16 +77,45 @@
         factory.addStep(steps.ShellCommand(**kwargs))
     '';
     builder = {
+      build-all = ''
+        f = util.BuildFactory()
+        f.addStep(grab_repo)
+        for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]:
+          addShell(f,name="build-{}".format(i),env=env_lass,
+                  command=nixshell + \
+                      ["make \
+                            test \
+                            ssh=${sshWrapper} \
+                            target=build@localhost:${config.users.users.build.home}/testbuild \
+                            method=build \
+                            system={}".format(i)])
+
+        for i in [ "pornocauster", "wry" ]:
+          addShell(f,name="build-{}".format(i),env=env_makefu,
+                  command=nixshell + \
+                      ["make \
+                            test \
+                            ssh=${sshWrapper} \
+                            target=build@localhost:${config.users.users.build.home}/testbuild \
+                            method=build \
+                            system={}".format(i)])
+
+        bu.append(util.BuilderConfig(name="build-all",
+              slavenames=slavenames,
+              factory=f))
+
+            '';
+
       fast-tests = ''
         f = util.BuildFactory()
         f.addStep(grab_repo)
         for i in [ "prism", "mors", "echelon" ]:
-          addShell(f,name="populate-{}".format(i),env=env,
+          addShell(f,name="populate-{}".format(i),env=env_lass,
                   command=nixshell + \
                             ["{}( make system={} eval.config.krebs.build.populate \
                                | jq -er .)".format("!" if "failing" in i else "",i)])
 
-        addShell(f,name="build-test-minimal",env=env,
+        addShell(f,name="build-test-minimal",env=env_lass,
                   command=nixshell + \
                             ["nix-instantiate \
                                   --show-trace --eval --strict --json \
@@ -86,17 +141,17 @@
     };
   };
 
-  krebs.buildbot.slave = {
+  config.krebs.buildbot.slave = {
     enable = true;
     masterhost = "localhost";
     username = "testslave";
     password = "lasspass";
     packages = with pkgs;[ git nix gnumake jq rsync ];
     extraEnviron = {
-      NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix";
+      NIX_PATH="nixpkgs=/var/src/nixpkgs";
     };
   };
-  krebs.iptables = {
+  config.krebs.iptables = {
     tables = {
       filter.INPUT.rules = [
         { predicate = "-p tcp --dport 8010"; target = "ACCEPT"; }
@@ -104,4 +159,29 @@
       ];
     };
   };
+
+  #ssh workaround for make test
+  options.lass.build-ssh-privkey = mkOption {
+    type = types.secret-file;
+    default = {
+      path = "${config.users.users.buildbotSlave.home}/ssh.privkey";
+      owner = { inherit (config.users.users.buildbotSlave ) name uid;};
+      source-path = toString <secrets> + "/build.ssh.key";
+    };
+  };
+  config.krebs.secret.files = {
+    build-ssh-privkey = config.lass.build-ssh-privkey;
+  };
+  config.users.users = {
+    build = {
+      name = "build";
+      uid = genid "build";
+      home = "/home/build";
+      useDefaultShell = true;
+      createHome = true;
+      openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiV0Xn60aVLHC/jGJknlrcxSvKd/MVeh2tjBpxSBT3II9XQGZhID2Gdh84eAtoWyxGVFQx96zCHSuc7tfE2YP2LhXnwaxHTeDc8nlMsdww53lRkxihZIEV7QHc/3LRcFMkFyxdszeUfhWz8PbJGL2GYT+s6CqoPwwa68zF33U1wrMOAPsf/NdpSN4alsqmjFc2STBjnOd9dXNQn1VEJQqGLG3kR3WkCuwMcTLS5eu0KLwG4i89Twjy+TGp2QsF5K6pNE+ZepwaycRgfYzGcPTn5d6YQXBgcKgHMoSJsK8wqpr0+eFPCDiEA3HDnf76E4mX4t6/9QkMXCLmvs0IO/WP lass@mors"
+      ];
+    };
+  };
 }
diff --git a/lass/2configs/cbase.nix b/lass/2configs/c-base.nix
index 9d13bc30d..9d13bc30d 100644
--- a/lass/2configs/cbase.nix
+++ b/lass/2configs/c-base.nix
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 1c06acf38..377554514 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -7,6 +7,9 @@ with config.krebs.lib;
     ../2configs/zsh.nix
     ../2configs/mc.nix
     ../2configs/retiolum.nix
+    ../2configs/nixpkgs.nix
+    ../2configs/binary-cache/client.nix
+    ../2configs/gc.nix
     ./backups.nix
     {
       users.extraUsers =
@@ -52,21 +55,18 @@ with config.krebs.lib;
       user = config.krebs.users.lass;
       source = mapAttrs (_: mkDefault) ({
         nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix";
-        secrets = "/home/lass/secrets/${config.krebs.build.host.name}";
+        secrets = if getEnv "dummy_secrets" == "true"
+          then toString <stockholm/lass/2configs/tests/dummy-secrets>
+          else "/home/lass/secrets/${config.krebs.build.host.name}";
         #secrets-common = "/home/lass/secrets/common";
-        stockholm = "/home/lass/stockholm";
-        nixpkgs = {
-          url = https://github.com/lassulus/nixpkgs;
-          rev = "f632f8edaf80ffa8bf0b8c9b9064cae3ccbe3894";
-          dev = "/home/lass/src/nixpkgs";
-        };
+        stockholm = getEnv "PWD";
       } // optionalAttrs config.krebs.build.host.secure {
         #secrets-master = "/home/lass/secrets/master";
       });
     };
   };
 
-  nix.useChroot = true;
+  nix.useSandbox = true;
 
   users.mutableUsers = false;
 
@@ -114,8 +114,13 @@ with config.krebs.lib;
 
   #neat utils
     krebspaste
+    pciutils
     psmisc
+    q
+    rs
+    tmux
     untilport
+    usbutils
 
   #unpack stuff
     p7zip
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 3639a743a..cf9b631c8 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -21,6 +21,7 @@ in {
       openssh.authorizedKeys.keys = [
         config.krebs.users.lass.pubkey
         config.krebs.users.lass-uriel.pubkey
+        config.krebs.users.lass-shodan.pubkey
       ];
     };
 
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 8199f2bd7..1ba99c8cb 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -28,6 +28,8 @@ with config.krebs.lib;
       { from = "wordpress@ubikmedia.de"; to = lass.mail; }
       { from = "finanzamt@lassul.us"; to = lass.mail; }
       { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
+      { from = "netzclub@lassul.us"; to = lass.mail; }
+      { from = "nebenan@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index f3b65e816..a724e2e45 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -5,7 +5,8 @@ let
 in {
   krebs.fetchWallpaper = {
     enable = true;
-    url = "cloudkrebs/wallpaper.png";
+    unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+    url = "prism/wallpaper.png";
   };
 }
 
diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix
new file mode 100644
index 000000000..8762ad95e
--- /dev/null
+++ b/lass/2configs/gc.nix
@@ -0,0 +1,8 @@
+{ config, ... }:
+
+with config.krebs.lib;
+{
+  nix.gc = {
+    automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
+  };
+}
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index c0affe981..381a37e1b 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -29,18 +29,10 @@ let
   rules = concatMap make-rules (attrValues repos);
 
   public-repos = mapAttrs make-public-repo {
-    painload = {};
     stockholm = {
       cgit.desc = "take all the computers hostage, they'll love you!";
     };
-    wai-middleware-time = {};
-    web-routes-wai-custom = {};
-    go = {};
-    newsbot-js = {};
     kimsufi-check = {};
-    realwallpaper = {};
-    xmonad-stockholm = {};
-    the_playlist = {};
   } // mapAttrs make-public-repo-silent {
     the_playlist = {};
   };
@@ -50,8 +42,6 @@ let
       brain = {
         collaborators = with config.krebs.users; [ tv makefu ];
       };
-      extraction_webinterface = {};
-      politics-fetching = {};
     } //
     import <secrets/repos.nix> { inherit config lib pkgs; }
   );
@@ -66,6 +56,7 @@ let
         channel = "#retiolum";
         server = "cd.retiolum";
         verbose = config.krebs.build.host.name == "prism";
+        branches = [ "master" ];
       };
     };
   };
@@ -84,7 +75,7 @@ let
     with git // config.krebs.users;
     repo:
       singleton {
-        user = [ lass lass-helios lass-uriel ];
+        user = [ lass lass-uriel ];
         repo = [ repo ];
         perm = push "refs/*" [ non-fast-forward create delete merge ];
       } ++
diff --git a/lass/2configs/hw/tp-x220.nix b/lass/2configs/hw/tp-x220.nix
new file mode 100644
index 000000000..be1faccea
--- /dev/null
+++ b/lass/2configs/hw/tp-x220.nix
@@ -0,0 +1,54 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+{
+  networking.wireless.enable = lib.mkDefault true;
+
+  hardware.enableAllFirmware = true;
+  nixpkgs.config.allowUnfree = true;
+
+  hardware.cpu.intel.updateMicrocode = true;
+
+  zramSwap.enable = true;
+  zramSwap.numDevices = 2;
+
+  hardware.trackpoint = {
+    enable = true;
+    sensitivity = 220;
+    speed = 0;
+    emulateWheel = true;
+  };
+
+  services.tlp.enable = true;
+  services.tlp.extraConfig = ''
+    # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
+    #START_CHARGE_THRESH_BAT0=80
+    STOP_CHARGE_THRESH_BAT0=95
+
+    CPU_SCALING_GOVERNOR_ON_AC=performance
+    CPU_SCALING_GOVERNOR_ON_BAT=ondemand
+    CPU_MIN_PERF_ON_AC=0
+    CPU_MAX_PERF_ON_AC=100
+    CPU_MIN_PERF_ON_BAT=0
+    CPU_MAX_PERF_ON_BAT=30
+  '';
+
+  boot = {
+    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
+    extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
+  };
+
+  hardware.opengl.extraPackages = [
+    pkgs.vaapiIntel
+    pkgs.vaapiVdpau
+  ];
+
+  services.xserver = {
+    videoDriver = "intel";
+    deviceSection = ''
+      Option "AccelMethod" "sna"
+    '';
+  };
+
+  security.rngd.enable = true;
+}
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 72d6f987f..7c050005b 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -10,8 +10,9 @@ let
     account default: prism
   '';
 
-  msmtp = pkgs.writeDashBin "msmtp" ''
-    exec ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
+  msmtp = pkgs.writeBashBin "msmtp" ''
+    ${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
+      ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
   '';
 
   muttrc = pkgs.writeText "muttrc" ''
@@ -42,7 +43,7 @@ let
     set nm_record = yes
     set nm_record_tags = "-inbox me archive"
     set virtual_spoolfile=yes                    # enable virtual folders
-    set sendmail="msmtp"                         # enables parsing of outgoing mail
+    set sendmail="${msmtp}/bin/msmtp"                         # enables parsing of outgoing mail
     set use_from=yes
     set envelope_from=yes
 
diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix
index 636b44395..f2b70d831 100644
--- a/lass/2configs/newsbot-js.nix
+++ b/lass/2configs/newsbot-js.nix
@@ -41,7 +41,6 @@ let
     cryptogon|http://www.cryptogon.com/?feed=rss2|#news
     csm|http://rss.csmonitor.com/feeds/csm|#news
     csm_world|http://rss.csmonitor.com/feeds/world|#news
-    cyberguerrilla|https://www.cyberguerrilla.org/a/2012/?feed=rss2|#news
     danisch|http://www.danisch.de/blog/feed/|#news
     dod|http://www.defense.gov/news/afps2.xml|#news
     dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#news
@@ -102,7 +101,7 @@ let
     npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#news
     npr_pol|http://www.npr.org/rss/rss.php?id=1012|#news
     npr_world|http://www.npr.org/rss/rss.php?id=1004|#news
-    nsa|http://www.nsa.gov/rss.shtml|#news #bullerei
+    nsa|https://www.nsa.gov/rss.xml|#news #bullerei
     nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#news
     painload|https://github.com/krebscode/painload/commits/master.atom|#news
     phys|http://phys.org/rss-feed/|#news
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
new file mode 100644
index 000000000..0021a8615
--- /dev/null
+++ b/lass/2configs/nixpkgs.nix
@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  krebs.build.source.nixpkgs = {
+      url = https://github.com/lassulus/nixpkgs;
+      rev = "c78f9ad2f91019648bdcf5a911f86ea3a397d290";
+    };
+}
diff --git a/lass/2configs/power-action.nix b/lass/2configs/power-action.nix
new file mode 100644
index 000000000..0ff8547c7
--- /dev/null
+++ b/lass/2configs/power-action.nix
@@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+let
+  suspend = pkgs.writeDash "suspend" ''
+    ${pkgs.systemd}/bin/systemctl suspend
+  '';
+
+  speak = text:
+    pkgs.writeDash "speak" ''
+      ${pkgs.espeak}/bin/espeak -v +whisper -s 110 "${text}"
+    '';
+
+in {
+  lass.power-action = {
+    enable = true;
+    plans.low-battery = {
+      upperLimit = 30;
+      lowerLimit = 25;
+      charging = false;
+      action = pkgs.writeDash "warn-low-battery" ''
+        ${speak "power level low"}
+      '';
+    };
+    plans.suspend = {
+      upperLimit = 10;
+      lowerLimit = 0;
+      charging = false;
+      action = pkgs.writeDash "suspend-wrapper" ''
+        /var/setuid-wrappers/sudo ${suspend}
+      '';
+    };
+  };
+
+  users.users.power-action.extraGroups = [
+    "audio"
+  ];
+
+  security.sudo.extraConfig = ''
+    ${config.lass.power-action.user.name} ALL= (root) NOPASSWD: ${suspend}
+  '';
+}
diff --git a/lass/2configs/pulse.nix b/lass/2configs/pulse.nix
new file mode 100644
index 000000000..3be482191
--- /dev/null
+++ b/lass/2configs/pulse.nix
@@ -0,0 +1,96 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+let
+  pkg = pkgs.pulseaudioLight;
+  runDir = "/run/pulse";
+
+  alsaConf = pkgs.writeText "asound.conf" ''
+    ctl_type.pulse {
+      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
+    }
+    pcm_type.pulse {
+      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
+    }
+    ctl.!default {
+      type pulse
+    }
+    pcm.!default {
+      type pulse
+    }
+  '';
+
+  clientConf = pkgs.writeText "client.conf" ''
+    autospawn=no
+    default-server = unix:${runDir}/socket
+  '';
+
+  daemonConf = pkgs.writeText "daemon.conf" ''
+    exit-idle-time=0
+    flat-volumes = no
+    default-fragments = 4
+    default-fragment-size-msec = 25
+  '';
+
+  configFile = pkgs.writeText "default.pa" ''
+    .include ${pkg}/etc/pulse/default.pa
+    load-module ${toString [
+      "module-native-protocol-unix"
+      "auth-anonymous=1"
+      "socket=${runDir}/socket"
+    ]}
+  '';
+in
+
+{
+  environment = {
+    etc = {
+      "asound.conf".source = alsaConf;
+      # XXX mkForce is not strong enough (and neither is mkOverride) to create
+      # /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
+      #"pulse/client.conf" = mkForce { source = clientConf; };
+      #"pulse/client.conf".source = mkForce clientConf;
+      "pulse/default.pa".source = configFile;
+      "pulse/daemon.pa".source = daemonConf;
+    };
+    systemPackages = [
+      pkg
+    ] ++ optionals config.services.xserver.enable [
+      pkgs.pavucontrol
+    ];
+  };
+
+  # Allow PulseAudio to get realtime priority using rtkit.
+  security.rtkit.enable = true;
+
+  system.activationScripts.pulseaudio-hack = ''
+    ln -fns ${clientConf} /etc/pulse/client.conf
+  '';
+
+  systemd.services.pulse = {
+    wantedBy = [ "sound.target" ];
+    before = [ "sound.target" ];
+    environment = {
+      PULSE_RUNTIME_PATH = "${runDir}/home";
+    };
+    serviceConfig = {
+      ExecStart = "${pkg}/bin/pulseaudio";
+      ExecStartPre = pkgs.writeDash "pulse-start" ''
+        install -o pulse -g audio -m 0750 -d ${runDir}
+        install -o pulse -g audio -m 0700 -d ${runDir}/home
+      '';
+      PermissionsStartOnly = "true";
+      User = "pulse";
+    };
+  };
+
+  users = {
+    groups.pulse.gid = config.users.users.pulse.uid;
+    users.pulse = {
+      uid = genid "pulse";
+      group = "pulse";
+      extraGroups = [ "audio" ];
+      home = "${runDir}/home";
+    };
+  };
+}
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 17be327b9..59678dbff 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -11,7 +11,7 @@ let
   source-password = import <secrets/icecast-source-pw>;
 
   add_random = pkgs.writeDashBin "add_random" ''
-    mpc add "$(mpc ls | shuf -n1)"
+    ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls | shuf -n1)"
   '';
 
   skip_track = pkgs.writeDashBin "skip_track" ''
@@ -52,13 +52,8 @@ in {
     print_current
     ncmpcpp
     mpc_cli
-    tmux
   ];
 
-  security.sudo.extraConfig = ''
-    ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
-  '';
-
   services.mpd = {
     enable = true;
     group = "radio";
@@ -67,7 +62,7 @@ in {
       audio_output {
           type        "shout"
           encoding    "ogg"
-          name        "my cool stream"
+          name        "the_playlist"
           host        "localhost"
           port        "8000"
           mount       "/radio.ogg"
@@ -84,7 +79,7 @@ in {
       # Optional Parameters
           user        "source"
       #   description "here is my long description"
-      #   genre       "jazz"
+         genre       "good music"
       } # end of audio_output
 
     '';
@@ -114,7 +109,7 @@ in {
     wantedBy = [ "timers.target" ];
 
     timerConfig = {
-      OnCalendar = "*:*";
+      OnCalendar = "*:0/1";
     };
   };
 
@@ -123,8 +118,8 @@ in {
       LIMIT=$1 #in secconds
 
       timeLeft () {
-        playlistDuration=$(mpc --format '%time%' playlist | awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}')
-        currentTime=$(mpc status | awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }')
+        playlistDuration=$(${pkgs.mpc_cli}/bin/mpc --format '%time%' playlist | ${pkgs.gawk}/bin/awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}')
+        currentTime=$(${pkgs.mpc_cli}/bin/mpc status | ${pkgs.gawk}/bin/awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }')
         expr ''${playlistDuration:-0} - ''${currentTime:-0}
       }
 
@@ -136,16 +131,10 @@ in {
     description = "radio playlist autoadder";
     after = [ "network.target" ];
 
-    path = with pkgs; [
-      gawk
-      mpc_cli
-    ];
-
     restartIfChanged = true;
 
     serviceConfig = {
-      Restart = "always";
-      ExecStart = "${autoAdd} 100";
+      ExecStart = "${autoAdd} 150";
     };
   };
 
diff --git a/lass/2configs/realwallpaper-server.nix b/lass/2configs/realwallpaper-server.nix
deleted file mode 100644
index 7340fc7ca..000000000
--- a/lass/2configs/realwallpaper-server.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ config, lib, ... }:
-
-let
-  hostname = config.krebs.build.host.name;
-  inherit (lib)
-    nameValuePair
-  ;
-
-in {
-  imports = [
-    ./realwallpaper.nix
-  ];
-
-  krebs.nginx.servers.wallpaper = {
-    server-names = [
-      hostname
-    ];
-    locations = [
-      (nameValuePair "/wallpaper.png" ''
-        root /tmp/;
-      '')
-    ];
-  };
-
-  krebs.iptables = {
-    tables = {
-      filter.INPUT.rules = [
-        { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
-      ];
-    };
-  };
-}
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index c69cb1660..2ab52ed92 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -1,5 +1,30 @@
-{ config, ... }:
+{ config, lib, ... }:
 
-{
+let
+  hostname = config.krebs.build.host.name;
+  inherit (lib)
+    nameValuePair
+  ;
+
+in {
   krebs.realwallpaper.enable = true;
+
+  krebs.nginx.servers.wallpaper = {
+    server-names = [
+      hostname
+    ];
+    locations = [
+      (nameValuePair "/wallpaper.png" ''
+        root /tmp/;
+      '')
+    ];
+  };
+
+  krebs.iptables = {
+    tables = {
+      filter.INPUT.rules = [
+        { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+      ];
+    };
+  };
 }
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
new file mode 100644
index 000000000..45a4e2afd
--- /dev/null
+++ b/lass/2configs/repo-sync.nix
@@ -0,0 +1,106 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+let
+  mirror = "git@${config.networking.hostName}:";
+
+  defineRepo = name: announce: let
+    repo = {
+      public = true;
+      name = mkDefault "${name}";
+      cgit.desc = mkDefault "mirror for ${name}";
+      hooks = mkIf announce (mkDefault {
+        post-receive = pkgs.git-hooks.irc-announce {
+          nick = config.networking.hostName;
+          verbose = false;
+          channel = "#retiolum";
+          server = "cd.retiolum";
+          branches = [ "newest" ];
+        };
+      });
+    };
+  in {
+    rules = with git; singleton {
+      user = with config.krebs.users; [
+        config.krebs.users."${config.networking.hostName}-repo-sync"
+        lass
+        lass-shodan
+      ];
+      repo = [ repo ];
+      perm = push ''refs/*'' [ non-fast-forward create delete merge ];
+    };
+    repos."${name}" = repo;
+  };
+
+  sync-retiolum = name:
+    {
+      krebs.repo-sync.repos.${name} = {
+        makefu = {
+          origin.url = "http://cgit.gum/${name}";
+          mirror.url = "${mirror}${name}";
+        };
+        tv = {
+          origin.url = "http://cgit.cd/${name}";
+          mirror.url = "${mirror}${name}";
+        };
+        lassulus = {
+          origin.url = "http://cgit.prism/${name}";
+          mirror.url = "${mirror}${name}";
+        };
+        "@latest" = {
+          mirror.url = "${mirror}${name}";
+          mirror.ref = "heads/newest";
+        };
+      };
+      krebs.git = defineRepo name (config.networking.hostName == "prism");
+    };
+
+  sync-remote = name: url:
+    {
+      krebs.repo-sync.repos.${name} = {
+        remote = {
+          origin.url = url;
+          mirror.url = "${mirror}${name}";
+        };
+      };
+      krebs.git = defineRepo name (config.networking.hostName == "prism");
+    };
+
+  sync-remote-silent = name: url:
+    {
+      krebs.repo-sync.repos.${name} = {
+        remote = {
+          origin.url = url;
+          mirror.url = "${mirror}${name}";
+        };
+      };
+      krebs.git = defineRepo name false;
+    };
+
+in {
+  krebs.repo-sync = {
+    enable = true;
+    unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+  };
+  imports = [
+    (sync-remote "array" "https://github.com/makefu/array")
+    (sync-remote "email-header" "https://github.com/4z3/email-header")
+    (sync-remote "mycube-flask" "https://github.com/makefu/mycube-flask")
+    (sync-remote "reaktor-titlebot" "https://github.com/makefu/reaktor-titlebot")
+    (sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
+    (sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
+    (sync-remote "xintmap" "https://github.com/4z3/xintmap")
+    (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
+    (sync-retiolum "go")
+    (sync-retiolum "much")
+    (sync-retiolum "newsbot-js")
+    (sync-retiolum "painload")
+    (sync-retiolum "realwallpaper")
+    (sync-retiolum "stockholm")
+    (sync-retiolum "wai-middleware-time")
+    (sync-retiolum "web-routes-wai-custom")
+    (sync-retiolum "xmonad-stockholm")
+  ];
+}
+
diff --git a/lass/2configs/tests/dummy-secrets/cbase.txt b/lass/2configs/tests/dummy-secrets/cbase.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/cbase.txt
diff --git a/lass/2configs/tests/dummy-secrets/hashedPasswords.nix b/lass/2configs/tests/dummy-secrets/hashedPasswords.nix
new file mode 100644
index 000000000..0967ef424
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/hashedPasswords.nix
@@ -0,0 +1 @@
+{}
diff --git a/lass/2configs/tests/dummy-secrets/icecast-admin-pw b/lass/2configs/tests/dummy-secrets/icecast-admin-pw
new file mode 100644
index 000000000..16b542cee
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/icecast-admin-pw
@@ -0,0 +1 @@
+"blabla"
diff --git a/lass/2configs/tests/dummy-secrets/icecast-source-pw b/lass/2configs/tests/dummy-secrets/icecast-source-pw
new file mode 100644
index 000000000..16b542cee
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/icecast-source-pw
@@ -0,0 +1 @@
+"blabla"
diff --git a/lass/2configs/tests/dummy-secrets/lassul.us.dkim.priv b/lass/2configs/tests/dummy-secrets/lassul.us.dkim.priv
new file mode 100644
index 000000000..215a7fa0c
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/lassul.us.dkim.priv
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+this is a private key 
+-----END RSA PRIVATE KEY-----
diff --git a/lass/2configs/tests/dummy-secrets/mysql_rootPassword b/lass/2configs/tests/dummy-secrets/mysql_rootPassword
new file mode 100644
index 000000000..922a74472
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/mysql_rootPassword
@@ -0,0 +1 @@
+blabla123
diff --git a/lass/2configs/tests/dummy-secrets/nix-serve.key b/lass/2configs/tests/dummy-secrets/nix-serve.key
new file mode 100644
index 000000000..91448ad2f
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/nix-serve.key
@@ -0,0 +1 @@
+key-name:blabla123
diff --git a/lass/2configs/tests/dummy-secrets/repos.nix b/lass/2configs/tests/dummy-secrets/repos.nix
new file mode 100644
index 000000000..eed712458
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/repos.nix
@@ -0,0 +1 @@
+_: {}
diff --git a/lass/2configs/tests/dummy-secrets/retiolum.rsa_key.priv b/lass/2configs/tests/dummy-secrets/retiolum.rsa_key.priv
new file mode 100644
index 000000000..99a4033f6
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/retiolum.rsa_key.priv
@@ -0,0 +1,4 @@
+
+-----BEGIN RSA PRIVATE KEY-----
+this is a private key
+-----END RSA PRIVATE KEY-----
diff --git a/lass/2configs/tests/dummy-secrets/ssh.id_ed25519 b/lass/2configs/tests/dummy-secrets/ssh.id_ed25519
new file mode 100644
index 000000000..5c12da0b3
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/ssh.id_ed25519
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+private key bla
+-----END OPENSSH PRIVATE KEY-----
diff --git a/lass/2configs/tests/dummy-secrets/ssh.id_rsa b/lass/2configs/tests/dummy-secrets/ssh.id_rsa
new file mode 100644
index 000000000..885cf61f0
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/ssh.id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+private key bla
+-----END RSA PRIVATE KEY-----
diff --git a/lass/2configs/tests/dummy-secrets/transmission-pw b/lass/2configs/tests/dummy-secrets/transmission-pw
new file mode 100644
index 000000000..b71df1a2d
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/transmission-pw
@@ -0,0 +1 @@
+"krebskrebs123"
diff --git a/lass/2configs/umts.nix b/lass/2configs/umts.nix
new file mode 100644
index 000000000..c1fce9ea2
--- /dev/null
+++ b/lass/2configs/umts.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+let
+  nixpkgs-1509 = import (pkgs.fetchFromGitHub {
+    owner = "NixOS"; repo = "nixpkgs-channels";
+    rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
+    sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
+  }) {};
+
+  wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
+
+  modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
+
+  # TODO: currently it is only netzclub
+  umts-bin = pkgs.writeScriptBin "umts" ''
+    #!/bin/sh
+    set -euf
+    systemctl stop wpa_supplicant
+    systemctl start umts
+    trap "systemctl stop umts && systemctl start wpa_supplicant;trap - INT TERM EXIT;exit" INT TERM EXIT
+    echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf
+    journalctl -xfu umts
+  '';
+
+  wvdial-defaults = ''
+    Modem = ${modem-device}
+    Init1 = AT+CFUN=1
+    Init2 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
+    Baud = 460800
+    phone= *99#
+    Username = netzclub
+    Password = netzclub
+    Stupid Mode = 1
+    Idle Seconds = 0
+  '';
+
+
+  out = {
+    environment.shellAliases = {
+      umts = "sudo ${umts-bin}/bin/umts";
+    };
+
+    security.sudo.extraConfig = ''
+      lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts
+    '';
+
+    environment.wvdial.dialerDefaults = wvdial-defaults;
+
+    systemd.services.umts = {
+      description = "UMTS wvdial Service";
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+        RestartSec = "10s";
+        ExecStart = "${wvdial}/bin/wvdial -n";
+      };
+    };
+  };
+in out
+
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 8295d9d49..9eed08635 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -1,158 +1,351 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
+with config.krebs.lib;
 let
-  customPlugins = {
-    mustang2 = pkgs.vimUtils.buildVimPlugin {
-      name = "Mustang2";
-      src = pkgs.fetchFromGitHub {
-        owner = "croaker";
-        repo = "mustang-vim";
-        rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5";
-        sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67";
-      };
-    };
-    unimpaired = pkgs.vimUtils.buildVimPlugin {
-      name = "unimpaired-vim";
-      src = pkgs.fetchFromGitHub {
-        owner = "tpope";
-        repo = "vim-unimpaired";
-        rev = "11dc568dbfd7a56866a4354c737515769f08e9fe";
-        sha256 = "1an941j5ckas8l3vkfhchdzjwcray16229rhv3a1d4pbxifwshi8";
-      };
-    };
-    brogrammer = pkgs.vimUtils.buildVimPlugin {
-      name = "brogrammer";
-      src = pkgs.fetchFromGitHub {
-        owner = "marciomazza";
-        repo = "vim-brogrammer-theme";
-        rev = "3e412d8e8909d8d89eb5a4cbe955b5bc0833a3c3";
-        sha256 = "0am1qk8ls74z5ipgf9viacayq08y9i9vd7sxxiivwgsjh2ancbv6";
-      };
-    };
-    file-line = pkgs.vimUtils.buildVimPlugin {
-      name = "file-line";
-      src = pkgs.fetchFromGitHub {
-        owner = "bogado";
-        repo = "file-line";
-        rev = "f9ffa1879ad84ce4a386110446f395bc1795b72a";
-        sha256 = "173n47w9zd01rcyrrmm194v79xq7d1ggzr19n1lsxrqfgr2c1rvk";
-      };
-    };
+  out = {
+    environment.systemPackages = [
+      vim
+    ];
+
+    environment.etc.vimrc.source = vimrc;
+
+    environment.variables.EDITOR = mkForce "vim";
+    environment.variables.VIMINIT = ":so /etc/vimrc";
   };
 
-in {
+  extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+    pkgs.vimPlugins.Gundo
+    pkgs.vimPlugins.Syntastic
+    pkgs.vimPlugins.undotree
+    (pkgs.vimUtils.buildVimPlugin {
+      name = "file-line-1.0";
+      src = pkgs.fetchgit {
+        url = git://github.com/bogado/file-line;
+        rev = "refs/tags/1.0";
+        sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
+      };
+    })
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "hack";
+    in {
+      name = "vim-color-${name}-1.0.2";
+      destination = "/colors/${name}.vim";
+      text = /* vim */ ''
+        set background=dark
+        hi clear
+        if exists("syntax_on")
+          syntax clear
+        endif
+
+        let colors_name = ${toJSON name}
+
+        hi Normal       ctermbg=235
+        hi Comment      ctermfg=242
+        hi Constant     ctermfg=062
+        hi Identifier   ctermfg=068
+        hi Function     ctermfg=041
+        hi Statement    ctermfg=167
+        hi PreProc      ctermfg=167
+        hi Type         ctermfg=041
+        hi Delimiter    ctermfg=251
+        hi Special      ctermfg=062
 
-  environment.systemPackages = [
-    (pkgs.vim_configurable.customize {
+        hi Garbage      ctermbg=088
+        hi TabStop      ctermbg=016
+        hi Todo         ctermfg=174 ctermbg=NONE
+
+        hi NixCode      ctermfg=148
+        hi NixData      ctermfg=149
+        hi NixQuote     ctermfg=150
+
+        hi diffNewFile  ctermfg=207
+        hi diffFile     ctermfg=207
+        hi diffLine     ctermfg=207
+        hi diffSubname  ctermfg=207
+        hi diffAdded    ctermfg=010
+        hi diffRemoved  ctermfg=009
+      '';
+    })))
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
       name = "vim";
+    in {
+      name = "vim-syntax-${name}-1.0.0";
+      destination = "/syntax/${name}.vim";
+      text = /* vim */ ''
+        ${concatMapStringsSep "\n" (s: /* vim */ ''
+          syn keyword vimColor${s} ${s}
+            \ containedin=ALLBUT,vimComment,vimLineComment
+          hi vimColor${s} ctermfg=${s}
+        '') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
+      '';
+    })))
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "showsyntax";
+    in {
+      name = "vim-plugin-${name}-1.0.0";
+      destination = "/plugin/${name}.vim";
+      text = /* vim */ ''
+        if exists('g:loaded_showsyntax')
+          finish
+        endif
+        let g:loaded_showsyntax = 0
 
-    vimrcConfig.customRC = ''
-      set nocompatible
-      set t_Co=16
-      syntax on
-      " TODO autoload colorscheme file
-      set background=dark
-      colorscheme brogrammer
-      filetype off
-      filetype plugin indent on
+        fu! ShowSyntax()
+          let id = synID(line("."), col("."), 1)
+          let name = synIDattr(id, "name")
+          let transName = synIDattr(synIDtrans(id),"name")
+          if name != transName
+            let name .= " (" . transName . ")"
+          endif
+          echo "Syntax: " . name
+        endfu
 
-      imap <F1> <nop>
+        command! -n=0 -bar ShowSyntax :call ShowSyntax()
+      '';
+    })))
+  ];
 
-      set mouse=a
-      set ruler
-      set showmatch
-      set backspace=2
-      set visualbell
-      set encoding=utf8
-      set showcmd
-      set wildmenu
+  dirs = {
+    backupdir = "$HOME/.cache/vim/backup";
+    swapdir   = "$HOME/.cache/vim/swap";
+    undodir   = "$HOME/.cache/vim/undo";
+  };
+  files = {
+    viminfo   = "$HOME/.cache/vim/info";
+  };
 
-      set title
-      set titleold=
-      set titlestring=%t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername}
+  mkdirs = let
+    dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
+               in assert out != ""; out;
+    alldirs = attrValues dirs ++ map dirOf (attrValues files);
+  in unique (sort lessThan alldirs);
 
-      set autoindent
+  vim = pkgs.writeDashBin "vim" ''
+    set -efu
+    (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
+    exec ${pkgs.neovim}/bin/nvim "$@"
+  '';
 
-      set ttyfast
+  vimrc = pkgs.writeText "vimrc" ''
+    set nocompatible
 
-      set pastetoggle=<INS>
+    set autoindent
+    set backspace=indent,eol,start
+    set backup
+    set backupdir=${dirs.backupdir}/
+    set directory=${dirs.swapdir}//
+    set hlsearch
+    set incsearch
+    set mouse=a
+    set noruler
+    set pastetoggle=<INS>
+    set runtimepath=${extra-runtimepath},$VIMRUNTIME
+    set shortmess+=I
+    set showcmd
+    set showmatch
+    set ttimeoutlen=0
+    set undodir=${dirs.undodir}
+    set undofile
+    set undolevels=1000000
+    set undoreload=1000000
+    set viminfo='20,<1000,s100,h,n${files.viminfo}
+    set visualbell
+    set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
+    set wildmenu
+    set wildmode=longest,full
 
+    set et ts=2 sts=2 sw=2
 
-      " Force Saving Files that Require Root Permission
-      command! W silent w !sudo tee "%" >/dev/null
+    filetype plugin indent on
 
-      nnoremap <C-c> :q<Return>
-      vnoremap < <gv
-      vnoremap > >gv
+    set t_Co=256
+    colorscheme hack
+    syntax on
 
-      nmap <esc>q :buffer
+    au Syntax * syn match Garbage containedin=ALL /\s\+$/
+            \ | syn match TabStop containedin=ALL /\t\+/
+            \ | syn keyword Todo containedin=ALL TODO
 
+    au BufRead,BufNewFile *.hs so ${hs.vim}
 
-      "Tabwidth
-      set ts=2 sts=2 sw=2 et
+    au BufRead,BufNewFile *.nix so ${nix.vim}
 
-      " create Backup/tmp/undo dirs
-      function! InitBackupDir()
-        let l:parent = $HOME . '/.vim/'
-        let l:backup = l:parent . 'backups/'
-        let l:tmpdir = l:parent . 'tmp/'
-        let l:undodi = l:parent . 'undo/'
+    au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
 
-        if !isdirectory(l:parent)
-          call mkdir(l:parent)
-        endif
-        if !isdirectory(l:backup)
-          call mkdir(l:backup)
-        endif
-        if !isdirectory(l:tmpdir)
-          call mkdir(l:tmpdir)
-        endif
-        if !isdirectory(l:undodi)
-          call mkdir(l:undodi)
-        endif
-      endfunction
-      call InitBackupDir()
-
-      " Backups & Files
-      set backup
-      set backupdir=~/.vim/backups
-      set directory=~/.vim/tmp//
-      set viminfo='20,<1000,s100,h,n~/.vim/tmp/info
-      set undodir=$HOME/.vim/undo
-      set undofile
-
-      " highlight whitespaces
-      highlight ExtraWhitespace ctermbg=red guibg=red
-      match ExtraWhitespace /\s\+$/
-      autocmd BufWinEnter * match ExtraWhitespace /\s\+$/
-      autocmd InsertEnter * match ExtraWhitespace /\s\+\%#\@<!$/
-      autocmd InsertLeave * match ExtraWhitespace /\s\+$/
-      autocmd BufWinLeave * call clearmatches()
-
-      "ft specific stuff
-      autocmd BufRead *.js,*.json set ts=2 sts=2 sw=2 et
-      autocmd BufRead *.hs set ts=4 sts=4 sw=4 et
-
-      "esc timeout
-      set timeoutlen=1000 ttimeoutlen=0
-
-      "foldfunctions
-      inoremap <F9> <C-O>za
-      nnoremap <F9> za
-      onoremap <F9> <C-C>za
-      vnoremap <F9> zf
-    '';
-
-      vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
-      vimrcConfig.vam.pluginDictionaries = [
-        { names = [
-          "brogrammer"
-          "file-line"
-          "Gundo"
-        ]; }
-        { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
+    "Syntastic config
+    let g:syntastic_python_checkers=['flake8']
+
+    nmap <esc>q :buffer
+    nmap <M-q> :buffer
+
+    cnoremap <C-A> <Home>
+
+    noremap  <C-c> :q<cr>
+    vnoremap < <gv
+    vnoremap > >gv
+
+    nnoremap <esc>[5^  :tabp<cr>
+    nnoremap <esc>[6^  :tabn<cr>
+    nnoremap <esc>[5@  :tabm -1<cr>
+    nnoremap <esc>[6@  :tabm +1<cr>
+
+    nnoremap <f1> :tabp<cr>
+    nnoremap <f2> :tabn<cr>
+    inoremap <f1> <esc>:tabp<cr>
+    inoremap <f2> <esc>:tabn<cr>
+
+    " <C-{Up,Down,Right,Left>
+    noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
+    noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
+    noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
+    noremap <esc>Od <nop> | noremap! <esc>Od <nop>
+    " <[C]S-{Up,Down,Right,Left>
+    noremap <esc>[a <nop> | noremap! <esc>[a <nop>
+    noremap <esc>[b <nop> | noremap! <esc>[b <nop>
+    noremap <esc>[c <nop> | noremap! <esc>[c <nop>
+    noremap <esc>[d <nop> | noremap! <esc>[d <nop>
+    vnoremap u <nop>
+  '';
+
+  hs.vim = pkgs.writeText "hs.vim" ''
+    syn region String start=+\[[[:alnum:]]*|+ end=+|]+
+
+    hi link ConId Identifier
+    hi link VarId Identifier
+    hi link hsDelimiter Delimiter
+  '';
+
+  nix.vim = pkgs.writeText "nix.vim" ''
+    setf nix
+
+    " Ref <nix/src/libexpr/lexer.l>
+    syn match NixID    /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
+    syn match NixINT   /\<[0-9]\+\>/
+    syn match NixPATH  /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+    syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+    syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
+    syn match NixURI   /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
+    syn region NixSTRING
+      \ matchgroup=NixSTRING
+      \ start='"'
+      \ skip='\\"'
+      \ end='"'
+    syn region NixIND_STRING
+      \ matchgroup=NixIND_STRING
+      \ start="'''"
+      \ skip="'''\('\|[$]\|\\[nrt]\)"
+      \ end="'''"
+
+    syn match NixOther /[():/;=.,?\[\]]/
+
+    syn match NixCommentMatch /\(^\|\s\)#.*/
+    syn region NixCommentRegion start="/\*" end="\*/"
+
+    hi link NixCode Statement
+    hi link NixData Constant
+    hi link NixComment Comment
+
+    hi link NixCommentMatch NixComment
+    hi link NixCommentRegion NixComment
+    hi link NixID NixCode
+    hi link NixINT NixData
+    hi link NixPATH NixData
+    hi link NixHPATH NixData
+    hi link NixSPATH NixData
+    hi link NixURI NixData
+    hi link NixSTRING NixData
+    hi link NixIND_STRING NixData
+
+    hi link NixEnter NixCode
+    hi link NixOther NixCode
+    hi link NixQuote NixData
+
+    syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
+    syn cluster nix_ind_strings contains=NixIND_STRING
+    syn cluster nix_strings contains=NixSTRING
+
+    ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
+      startAlts = filter isString [
+        ''/\* ${lang} \*/''
+        extraStart
       ];
+      sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
+    in /* vim */ ''
+      syn include @nix_${lang}_syntax syntax/${lang}.vim
+      unlet b:current_syntax
 
-    })
-  ];
-}
+      syn match nix_${lang}_sigil
+        \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
+        \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
+        \ transparent
+
+      syn region nix_${lang}_region_STRING
+        \ matchgroup=NixSTRING
+        \ start='"'
+        \ skip='\\"'
+        \ end='"'
+        \ contained
+        \ contains=@nix_${lang}_syntax
+        \ transparent
+
+      syn region nix_${lang}_region_IND_STRING
+        \ matchgroup=NixIND_STRING
+        \ start="'''"
+        \ skip="'''\('\|[$]\|\\[nrt]\)"
+        \ end="'''"
+        \ contained
+        \ contains=@nix_${lang}_syntax
+        \ transparent
+
+      syn cluster nix_ind_strings
+        \ add=nix_${lang}_region_IND_STRING
+
+      syn cluster nix_strings
+        \ add=nix_${lang}_region_STRING
+
+      syn cluster nix_has_dollar_curly
+        \ add=@nix_${lang}_syntax
+    '') {
+      c = {};
+      cabal = {};
+      haskell = {};
+      sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
+      vim.extraStart =
+        ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
+    })}
+
+    " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
+    syn clear shVarAssign
+
+    syn region nixINSIDE_DOLLAR_CURLY
+      \ matchgroup=NixEnter
+      \ start="[$]{"
+      \ end="}"
+      \ contains=TOP
+      \ containedin=@nix_has_dollar_curly
+      \ transparent
+
+    syn region nix_inside_curly
+      \ matchgroup=NixEnter
+      \ start="{"
+      \ end="}"
+      \ contains=TOP
+      \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
+      \ transparent
+
+    syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
+      \ containedin=@nix_ind_strings
+      \ contained
+
+    syn match NixQuote /\\./he=s+1
+      \ containedin=@nix_strings
+      \ contained
+
+    syn sync fromstart
+
+    let b:current_syntax = "nix"
+
+    set isk=@,48-57,_,192-255,-,'
+  '';
+in
+out
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 45d09c3b9..f88dc927e 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -11,9 +11,9 @@ let
     serveWordpress;
 
   msmtprc = pkgs.writeText "msmtprc" ''
-    account prism
+    account localhost
       host localhost
-    account default: prism
+    account default: localhost
   '';
 
   sendmail = pkgs.writeDash "msmtp" ''
@@ -23,23 +23,55 @@ let
 in {
   imports = [
     ./sqlBackup.nix
-    (ssl [ "reich-gebaeudereinigung.de" ])
-    (servePage [ "reich-gebaeudereinigung.de" ])
+    (ssl [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
+    (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
 
-    (ssl [ "karlaskop.de" ])
-    (servePage [ "karlaskop.de" ])
+    (ssl [ "karlaskop.de" "www.karlaskop.de" ])
+    (servePage [ "karlaskop.de" "www.karlaskop.de" ])
 
-    (ssl [ "makeup.apanowicz.de" ])
-    (servePage [ "makeup.apanowicz.de" ])
+    (ssl [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
+    (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
 
-    (ssl [ "pixelpocket.de" ])
-    (servePage [ "pixelpocket.de" ])
+    (ssl [ "pixelpocket.de" "www.pixelpocket.de" ])
+    (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
 
-    (ssl [ "o.ubikmedia.de" ])
-    (serveOwncloud [ "o.ubikmedia.de" ])
+    (ssl [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+    (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
 
-    (ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ])
-    (serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ])
+    (ssl [
+      "ubikmedia.de"
+      "aldona.ubikmedia.de"
+      "apanowicz.de"
+      "nirwanabluete.de"
+      "aldonasiech.com"
+      "360gradvideo.tv"
+      "ubikmedia.eu"
+      "facts.cloud"
+      "www.ubikmedia.de"
+      "www.aldona.ubikmedia.de"
+      "www.apanowicz.de"
+      "www.nirwanabluete.de"
+      "www.aldonasiech.com"
+      "www.360gradvideo.tv"
+      "www.ubikmedia.eu"
+      "www.facts.cloud"
+    ])
+    (serveWordpress [
+      "ubikmedia.de"
+      "apanowicz.de"
+      "nirwanabluete.de"
+      "aldonasiech.com"
+      "360gradvideo.tv"
+      "ubikmedia.eu"
+      "facts.cloud"
+      "*.ubikmedia.de"
+      "www.apanowicz.de"
+      "www.nirwanabluete.de"
+      "www.aldonasiech.com"
+      "www.360gradvideo.tv"
+      "www.ubikmedia.eu"
+      "www.facts.cloud"
+    ])
   ];
 
   lass.mysqlBackup.config.all.databases = [
@@ -47,6 +79,27 @@ in {
     "o_ubikmedia_de"
   ];
 
+  krebs.backup.plans = {
+    prism-sql-domsen = {
+      method = "push";
+      src = { host = config.krebs.hosts.prism;      path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; };
+      startAt = "00:01";
+    };
+    prism-http-domsen = {
+      method = "push";
+      src = { host = config.krebs.hosts.prism;      path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; };
+      startAt = "00:10";
+    };
+    prism-o-ubikmedia-domsen = {
+      method = "push";
+      src = { host = config.krebs.hosts.prism;      path = "/srv/o.ubikmedia.de-data"; };
+      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; };
+      startAt = "00:30";
+    };
+  };
+
   users.users.domsen = {
     uid = genid "domsen";
     description = "maintenance acc for domsen";
@@ -56,18 +109,18 @@ in {
     createHome = true;
   };
 
-  #services.phpfpm.phpOptions = ''
-  #  extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-  #  sendmail_path = ${sendmail} -t
-  #'';
-  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
-     options = ''
-      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-      sendmail_path = ${sendmail} -t -i"
-    '';
-  } ''
-    cat ${pkgs.php}/etc/php-recommended.ini > $out
-    echo "$options" >> $out
+  services.phpfpm.phpOptions = ''
+    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+    sendmail_path = ${sendmail} -t
   '';
+  #services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
+  #   options = ''
+  #    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+  #    sendmail_path = "${sendmail} -t -i"
+  #  '';
+  #} ''
+  #  cat ${pkgs.php}/etc/php-recommended.ini > $out
+  #  echo "$options" >> $out
+  #'';
 }
 
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 63efbecb6..0107da739 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -1,10 +1,10 @@
 { config, pkgs, lib, ... }:
 
+with lib;
 let
   inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
     genid
     head
-    nameValuePair
   ;
   inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
     ssl
@@ -12,6 +12,16 @@ let
     serveWordpress
   ;
 
+  msmtprc = pkgs.writeText "msmtprc" ''
+    account localhost
+      host localhost
+    account default: localhost
+  '';
+
+  sendmail = pkgs.writeDash "msmtp" ''
+    exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
+  '';
+
 in {
   imports = [
     ./sqlBackup.nix
@@ -48,7 +58,34 @@ in {
     "ttf_kleinaspach_de"
   ];
 
+  #password protect some dirs
+  krebs.nginx.servers."biostase.de".locations = [
+    (nameValuePair "/old_biostase.de" ''
+      auth_basic "Administrator Login";
+      auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
+    '')
+    (nameValuePair "/mysqldumper" ''
+      auth_basic "Administrator Login";
+      auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
+    '')
+  ];
+
   users.users.root.openssh.authorizedKeys.keys = [
     config.krebs.users.fritz.pubkey
   ];
+
+  services.phpfpm.phpOptions = ''
+    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+    sendmail_path = ${sendmail} -t
+  '';
+
+  #services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
+  #   options = ''
+  #    extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+  #    sendmail_path = "${sendmail} -t -i"
+  #  '';
+  #} ''
+  #  cat ${pkgs.php}/etc/php-recommended.ini > $out
+  #  echo "$options" >> $out
+  #'';
 }
diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix
index 5e14871ac..0bfd9fe6b 100644
--- a/lass/2configs/weechat.nix
+++ b/lass/2configs/weechat.nix
@@ -5,7 +5,6 @@ let
 in {
   krebs.per-user.chat.packages = with pkgs; [
     mosh
-    tmux
     weechat
   ];
 
diff --git a/lass/2configs/wordpress.nix b/lass/2configs/wordpress.nix
deleted file mode 100644
index bd59080d9..000000000
--- a/lass/2configs/wordpress.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  containers.wordpress = {
-    privateNetwork = true;
-    hostAddress = "192.168.101.1";
-    localAddress = "192.168.101.2";
-
-    config = {
-      imports = [
-        ../../krebs/3modules/iptables.nix
-      ];
-
-      krebs.iptables = {
-        enable = true;
-        tables = {
-          filter.INPUT.policy = "DROP";
-          filter.FORWARD.policy = "DROP";
-          filter.INPUT.rules = [
-            { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
-            { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
-            { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
-            { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
-            { predicate = "-p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
-          ];
-        };
-      };
-
-      environment.systemPackages = with pkgs; [
-        iptables
-      ];
-
-      services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql;
-      };
-
-      services.httpd = {
-        enable = true;
-        adminAddr = "root@apanowicz.de";
-        extraModules = [
-          { name = "php5"; path = "${pkgs.php}/modules/libphp5.so"; }
-        ];
-        virtualHosts = [
-          {
-            hostName = "wordpress";
-            serverAliases = [ "wordpress" "www.wordpress" ];
-
-            extraSubservices = [
-              {
-                serviceName = "wordpress";
-              }
-            ];
-          }
-        ];
-      };
-    };
-  };
-}
diff --git a/lass/2configs/xserver/Xresources.nix b/lass/2configs/xserver/Xresources.nix
index e3b0f45dc..5d3661706 100644
--- a/lass/2configs/xserver/Xresources.nix
+++ b/lass/2configs/xserver/Xresources.nix
@@ -19,9 +19,48 @@ pkgs.writeText "Xresources" ''
 
   URxvt.intensityStyles: false
 
-  URxvt*background:                     #000000
-  URxvt*foreground:                     #ffffff
+  URxvt*background:	#050505
+  ! URxvt*background:	#041204
+
+  !URxvt.depth: 32
+  !URxvt*background: rgba:0500/0500/0500/cccc
+
+  ! URxvt*background:	#080810
+  URxvt*foreground:	#d0d7d0
+  ! URxvt*background:	black
+  ! URxvt*foreground:	white
+  ! URxvt*background:	rgb:00/00/40
+  ! URxvt*foreground:	rgb:a0/a0/d0
+  ! XTerm*cursorColor:	rgb:00/00/60
+  URxvt*cursorColor:	#f042b0
+  URxvt*cursorColor2:	#f0b000
+  URxvt*cursorBlink:	off
+  ! URxvt*cursorUnderline: true
+  ! URxvt*highlightColor: #232323
+  ! URxvt*highlightTextColor: #b0ffb0
+
+  URxvt*.pointerBlank: true
+  URxvt*.pointerBlankDelay: 987654321
+  URxvt*.pointerColor: #f042b0
+  URxvt*.pointerColor2: #050505
+
+  ! URxvt*color0:	#000000
+  ! URxvt*color1:	#c00000
+  ! URxvt*color2:	#80c070
+  URxvt*color3:	#c07000
+  ! URxvt*color4:	#0000c0
+  URxvt*color4:	#4040c0
+  ! URxvt*color5:	#c000c0
+  ! URxvt*color6:	#008080
+  URxvt*color7:	#c0c0c0
+
+  URxvt*color8:	#707070
+  URxvt*color9:	#ff6060
+  URxvt*color10:	#70ff70
+  URxvt*color11:	#ffff70
+  URxvt*color12:	#7070ff
+  URxvt*color13:	#ff50ff
+  URxvt*color14:	#70ffff
+  URxvt*color15:	#ffffff
 
-  !change unreadable blue
-  URxvt*color4:                         #268bd2
 ''
diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix
index 7299e9ac0..b221d7677 100644
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@@ -7,9 +7,6 @@
       zsh-newuser-install() { :; }
     '';
     interactiveShellInit = ''
-      HISTFILE=~/.histfile
-      HISTSIZE=1000000
-      SAVEHIST=100000
       #unsetopt nomatch
       setopt autocd extendedglob
       bindkey -e
@@ -92,6 +89,11 @@
       esac
     '';
     promptInit = ''
+      # TODO: figure out why we need to set this here
+      HISTSIZE=900001
+      HISTFILESIZE=$HISTSIZE
+      SAVEHIST=$HISTSIZE
+
       autoload -U promptinit
       promptinit
 
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 380d83a91..b3037205e 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -4,6 +4,7 @@ _:
     ./ejabberd
     ./folderPerms.nix
     ./mysql-backup.nix
+    ./power-action.nix
     ./urxvtd.nix
     ./wordpress_nginx.nix
     ./xresources.nix
diff --git a/lass/3modules/power-action.nix b/lass/3modules/power-action.nix
new file mode 100644
index 000000000..3116514a8
--- /dev/null
+++ b/lass/3modules/power-action.nix
@@ -0,0 +1,93 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+let
+  cfg = config.lass.power-action;
+
+  out = {
+    options.lass.power-action = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "power-action";
+    user = mkOption {
+      type = types.user;
+      default = {
+        name = "power-action";
+      };
+    };
+    startAt = mkOption {
+      type = types.str;
+      default = "*:0/1";
+    };
+    plans = mkOption {
+      type = with types; attrsOf (submodule {
+        options = {
+          charging = mkOption {
+            type = nullOr bool;
+            default = null;
+            description = ''
+              check for charging status.
+              null = don't care
+              true = only if system is charging
+              false = only if system is discharging
+            '';
+          };
+          upperLimit = mkOption {
+            type = int;
+          };
+          lowerLimit = mkOption {
+            type = int;
+          };
+          action = mkOption {
+            type = path;
+          };
+        };
+      });
+    };
+  };
+
+  imp = {
+    systemd.services.power-action = {
+      serviceConfig = rec {
+        ExecStart = startScript;
+        User = cfg.user.name;
+      };
+      startAt = cfg.startAt;
+    };
+    users.users.${cfg.user.name} = {
+      inherit (cfg.user) name uid;
+    };
+  };
+
+  startScript = pkgs.writeDash "power-action" ''
+    set -euf
+
+    power="$(${powerlvl})"
+    state="$(${state})"
+    ${concatStringsSep "\n" (mapAttrsToList writeRule cfg.plans)}
+  '';
+  charging_check = plan:
+    if (plan.charging == null) then "" else
+      if plan.charging
+        then ''&& [ "$state" = "true" ]''
+        else ''&& ! [ "$state" = "true" ]''
+    ;
+
+  writeRule = _: plan:
+    "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi";
+
+  powerlvl = pkgs.writeDash "powerlvl" ''
+    cat /sys/class/power_supply/BAT0/capacity
+  '';
+
+  state = pkgs.writeDash "state" ''
+    if [ "$(cat /sys/class/power_supply/BAT0/status)" = "Discharging" ]
+      then echo "false"
+      else echo "true"
+    fi
+  '';
+
+in out
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 467867f63..c48188f9d 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -3,6 +3,9 @@
 {
   nixpkgs.config.packageOverrides = rec {
     acronym = pkgs.callPackage ./acronym/default.nix {};
+    ejabberd = pkgs.callPackage ./ejabberd {
+      erlang = pkgs.erlangR16;
+    };
     firefoxPlugins = {
       noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
       ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
@@ -10,11 +13,11 @@
     };
     mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {};
     mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {};
+    q = pkgs.callPackage ./q {};
+    rs = pkgs.callPackage ./rs/default.nix {};
     untilport = pkgs.callPackage ./untilport/default.nix {};
     urban = pkgs.callPackage ./urban/default.nix {};
-    xmonad-lass =
-      let src = pkgs.writeNixFromCabal "xmonad-lass.nix" ./xmonad-lass; in
-      pkgs.haskellPackages.callPackage src {};
+    xmonad-lass = import ./xmonad-lass.nix { inherit pkgs; };
     yt-next = pkgs.callPackage ./yt-next/default.nix {};
   };
 }
diff --git a/lass/5pkgs/q/default.nix b/lass/5pkgs/q/default.nix
new file mode 100644
index 000000000..644be0d17
--- /dev/null
+++ b/lass/5pkgs/q/default.nix
@@ -0,0 +1,185 @@
+{ pkgs, ... }:
+let
+  q-cal = let
+    # XXX 23 is the longest line of cal's output
+    pad = ''{
+      ${pkgs.gnused}/bin/sed '
+            # rtrim
+            s/ *$//
+
+            # delete last empty line
+            ''${/^$/d}
+          ' \
+        | ${pkgs.gawk}/bin/awk '{printf "%-23s\n", $0}' \
+        | ${pkgs.gnused}/bin/sed '
+              # colorize header
+              1,2s/.*/&/
+
+              # colorize week number
+              s/^[ 1-9][0-9]/&/
+            '
+    }'';
+  in ''
+    ${pkgs.coreutils}/bin/paste \
+        <(${pkgs.utillinux}/bin/cal -mw \
+              $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'last month') \
+            | ${pad}
+        ) \
+        <(${pkgs.utillinux}/bin/cal -mw \
+            | ${pkgs.gnused}/bin/sed '
+                # colorize day of month
+                s/\(^\| \)'"$(${pkgs.coreutils}/bin/date +%e)"'\>/&/
+              ' \
+            | ${pad}
+        ) \
+        <(${pkgs.utillinux}/bin/cal -mw \
+              $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'next month') \
+            | ${pad}
+        ) \
+      | ${pkgs.gnused}/bin/sed 's/\t/  /g'
+  '';
+
+  q-isodate = ''
+    ${pkgs.coreutils}/bin/date \
+        '+%Y-%m-%dT%H:%M:%S%:z'
+  '';
+
+  q-gitdir = ''
+    if test -d .git; then
+      #git status --porcelain
+      branch=$(
+        ${pkgs.git}/bin/git branch \
+          | ${pkgs.gnused}/bin/sed -rn 's/^\* (.*)/\1/p'
+      )
+      echo "± $LOGNAME@''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}:$PWD .git $branch"
+    fi
+  '';
+
+  q-power_supply = ''
+    for uevent in /sys/class/power_supply/*/uevent; do
+      if test -f $uevent; then
+        eval "$(${pkgs.gnused}/bin/sed -n '
+          s/^\([A-Z_]\+=\)\(.*\)/\1'\'''\2'\'''/p
+        ' $uevent)"
+
+        if test "x''${POWER_SUPPLY_CHARGE_NOW-}" = x; then
+          continue
+        fi
+
+        charge_percentage=$(echo "
+          scale=2
+          $POWER_SUPPLY_CHARGE_NOW / $POWER_SUPPLY_CHARGE_FULL
+        " | ${pkgs.bc}/bin/bc)
+
+        lfc=$POWER_SUPPLY_CHARGE_FULL
+        rc=$POWER_SUPPLY_CHARGE_NOW
+        #rc=2800
+        N=78; N=76
+        N=10
+        n=$(echo $N-1 | ${pkgs.bc}/bin/bc)
+        centi=$(echo "$rc*100/$lfc" | ${pkgs.bc}/bin/bc)
+        deci=$(echo "$rc*$N/$lfc" | ${pkgs.bc}/bin/bc)
+        energy_evel=$(
+          echo -n '☳ ' # TRIGRAM FOR THUNDER
+          if   test $centi -ge 42; then echo -n ''
+          elif test $centi -ge 23; then echo -n ''
+          elif test $centi -ge 11; then echo -n ''
+          else                        echo -n ''; fi
+          for i in $(${pkgs.coreutils}/bin/seq 1 $deci); do
+            echo -n ■
+          done
+          echo -n ''
+          for i in $(${pkgs.coreutils}/bin/seq $deci $n); do
+            echo -n ■
+          done
+          echo '' $rc #/ $lfc
+        )
+        echo "$energy_evel $charge_percentage"
+      fi
+    done
+  '';
+
+  q-virtualization = ''
+    echo "VT: $(${pkgs.systemd}/bin/systemd-detect-virt)"
+  '';
+
+  q-wireless = ''
+    for dev in $(
+      ${pkgs.iw}/bin/iw dev \
+        | ${pkgs.gnused}/bin/sed -n 's/^\s*Interface\s\+\([0-9a-z]\+\)$/\1/p'
+    ); do
+      inet=$(${pkgs.iproute}/bin/ip addr show $dev \
+        | ${pkgs.gnused}/bin/sed -n '
+            s/.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p
+          ') \
+        || unset inet
+      ssid=$(${pkgs.iw}/bin/iw dev $dev link \
+        | ${pkgs.gnused}/bin/sed -n '
+            s/.*\tSSID: \(.*\)/\1/p
+          ') \
+        || unset ssid
+      echo "$dev''${inet+ $inet}''${ssid+ $ssid}"
+    done
+  '';
+
+  q-online = ''
+    if ${pkgs.curl.bin}/bin/curl -s google.com >/dev/null; then
+      echo 'online'
+    else
+      echo offline
+    fi
+  '';
+
+  q-thermal_zone = ''
+    for i in /sys/class/thermal/thermal_zone*; do
+      type=$(${pkgs.coreutils}/bin/cat $i/type)
+      temp=$(${pkgs.coreutils}/bin/cat $i/temp)
+      printf '%s %s°C\n' $type $(echo $temp / 1000 | ${pkgs.bc}/bin/bc)
+    done
+  '';
+
+  q-todo = ''
+    TODO_file=$HOME/TODO
+    if test -e "$TODO_file"; then
+      ${pkgs.coreutils}/bin/cat "$TODO_file" \
+        | ${pkgs.gawk}/bin/gawk -v now=$(${pkgs.coreutils}/bin/date +%s) '
+            BEGIN { print "remind=0" }
+            /^[0-9]/{
+              x = $1
+              gsub(".", "\\\\&", x)
+              rest = substr($0, index($0, " "))
+              rest = $0
+              sub(" *", "", rest)
+              gsub(".", "\\\\&", rest)
+              print "test $(${pkgs.coreutils}/bin/date +%s -d"x") -lt "now" && \
+                echo \"\x1b[38;5;208m\""rest esc "\"\x1b[m\" && \
+                (( remind++ ))"
+            }
+            END { print "test $remind = 0 && echo \"nothing to remind\"" }
+          ' \
+        | {
+          # bash needed for (( ... ))
+          ${pkgs.bash}/bin/bash
+        }
+    else
+      echo "$TODO_file: no such file or directory"
+    fi
+  '';
+
+in
+# bash needed for <(...)
+pkgs.writeBashBin "q" ''
+  set -eu
+  export PATH=/var/empty
+  ${q-cal}
+  echo
+  ${q-isodate}
+  (${q-gitdir}) &
+  (${q-power_supply}) &
+  (${q-virtualization}) &
+  (${q-wireless}) &
+  (${q-online}) &
+  (${q-thermal_zone}) &
+  wait
+  ${q-todo}
+''
diff --git a/lass/5pkgs/rs/default.nix b/lass/5pkgs/rs/default.nix
new file mode 100644
index 000000000..6b27908fb
--- /dev/null
+++ b/lass/5pkgs/rs/default.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+#TODO: get tab-completion working again
+pkgs.writeBashBin "rs" ''
+  rsync -vaP --append-verify "$@"
+''
diff --git a/lass/5pkgs/xmonad-lass/Main.hs b/lass/5pkgs/xmonad-lass.nix
index d7c66bf4d..841821a7a 100644
--- a/lass/5pkgs/xmonad-lass/Main.hs
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -1,3 +1,15 @@
+{ pkgs, ... }:
+pkgs.writeHaskell "xmonad-lass" {
+  executables.xmonad = {
+    extra-depends = [
+      "containers"
+      "unix"
+      "X11"
+      "xmonad"
+      "xmonad-contrib"
+      "xmonad-stockholm"
+    ];
+    text = ''
 {-# LANGUAGE DeriveDataTypeable #-} -- for XS
 {-# LANGUAGE FlexibleContexts #-} -- for xmonad'
 {-# LANGUAGE LambdaCase #-}
@@ -147,3 +159,8 @@ gridConfig = def
     , gs_navigate = navNSearch
     , gs_font = myFont
     }
+
+    '';
+  };
+}
+
diff --git a/lass/5pkgs/xmonad-lass/.gitignore b/lass/5pkgs/xmonad-lass/.gitignore
deleted file mode 100644
index 616204547..000000000
--- a/lass/5pkgs/xmonad-lass/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-/shell.nix
diff --git a/lass/5pkgs/xmonad-lass/Makefile b/lass/5pkgs/xmonad-lass/Makefile
deleted file mode 100644
index cbb0776e6..000000000
--- a/lass/5pkgs/xmonad-lass/Makefile
+++ /dev/null
@@ -1,6 +0,0 @@
-.PHONY: ghci
-ghci: shell.nix
-	nix-shell --command 'exec ghci -Wall'
-
-shell.nix: xmonad.cabal
-	cabal2nix --shell . > $@
diff --git a/lass/5pkgs/xmonad-lass/xmonad.cabal b/lass/5pkgs/xmonad-lass/xmonad.cabal
deleted file mode 100644
index 37809b599..000000000
--- a/lass/5pkgs/xmonad-lass/xmonad.cabal
+++ /dev/null
@@ -1,17 +0,0 @@
-Author: lass
-Build-Type: Simple
-Cabal-Version: >= 1.2
-License: MIT
-Name: xmonad-lass
-Version: 0
-
-Executable xmonad
-  Build-Depends:
-    base,
-    containers,
-    unix,
-    xmonad,
-    xmonad-contrib,
-    xmonad-stockholm
-  GHC-Options: -Wall -O3 -threaded -rtsopts
-  Main-Is: Main.hs