From 920dd746747d03c7642b4f2fbdd29dc395ed7a29 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 24 Aug 2017 17:34:46 +0200
Subject: l: open mosh ports
---
 lass/2configs/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 22a7b1c19..e96f4dc7e 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -200,6 +200,7 @@ with import ;
 filter.INPUT.policy = "DROP";
 filter.FORWARD.policy = "DROP";
 filter.INPUT.rules = [
+ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
 { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
 { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
 { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
-- 
cgit v1.2.3
From 76415ff3cd74b4469087d0c8ee2b5062147b40d2 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 25 Aug 2017 23:43:19 +0200
Subject: l mors.r: remove deprecated zalando stuff
---
 lass/1systems/mors/config.nix | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index bb6f84c7b..5995e5ec9 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -39,15 +39,6 @@ with import ;
 enable = true;
 };
 }
- {
- #zalando project
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql;
- };
- virtualisation.docker.enable = true;
- #users.users.mainUser.extraGroups = [ "docker" ];
- }
 {
 lass.umts = {
 enable = true;
-- 
cgit v1.2.3
From eb6fab7527c0bd8d5193ca2adcba420d73c03501 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Fri, 25 Aug 2017 23:43:43 +0200
Subject: l mors.r: enable mongodb
---
 lass/1systems/mors/config.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 5995e5ec9..58f55ce68 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
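Review bot: The new ACCEPT rule for `-i retiolum -p udp --dport 60000:61000` is the only entry in `filter.INPUT.rules` without a `precedence`, so where it sorts relative to the conntrack rule (10001) and the icmp rules (10000) depends on whatever default the module assigns, which is not visible here. Giving it an explicit precedence like its siblings plus a short comment makes the intent readable at a glance, e.g. `{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; precedence = 9000; } # mosh, reachable over retiolum only` (9000 is an example value, pick one consistent with the module's ordering). Restricting the rule to the retiolum interface is the right scoping; note that the whole 1000-port range is open to every retiolum peer, not only to peers that already have a mosh session, which is inherent to mosh's roaming design and fine as long as that is the intended exposure. The enclosing `lass.iptables` block starts and ends outside the hunk.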
@@ -82,6 +82,9 @@ with import ; client.enable = true; }; } + { + services.mongodb.enable = true; + } ]; krebs.build.host = config.krebs.hosts.mors; -- cgit v1.2.3 From 7031d9d2d132c750f6607b57801057b2637332d1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 25 Aug 2017 23:44:37 +0200 Subject: l mail: add radio folder --- lass/2configs/mail.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 9f9bb24fa..0d3e2b228 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -78,11 +78,13 @@ let and NOT to:shackspace \ and NOT to:c-base \ and NOT from:security-alert@hpe.com \ - and NOT to:nix-devel"\ + and NOT to:nix-devel\ + and NOT to:radio"\ "shack" "notmuch://?query=to:shackspace"\ "c-base" "notmuch://?query=to:c-base"\ "security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\ "nix" "notmuch://?query=to:nix-devel"\ + "radio" "notmuch://?query=to:radio or tag:radio"\ "TODO" "notmuch://?query=tag:TODO"\ "Starred" "notmuch://?query=tag:*"\ "Archive" "notmuch://?query=tag:archive"\ -- cgit v1.2.3 From c63b86d9aff44c065cdcf5a486ee91b7565cd567 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 25 Aug 2017 23:45:03 +0200 Subject: l shodan.r: add /home lv --- lass/1systems/shodan/config.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index b6d49d6e4..ef015aebc 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -41,7 +41,11 @@ with import ; "/boot" = { device = "/dev/sda1"; }; - + "/home" = { + device = "/dev/mapper/pool-home"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; "/tmp" = { device = "tmpfs"; fsType = "tmpfs"; -- cgit v1.2.3 From 900441db8a557c602f478860d290c568c78f7b2a Mon Sep 17 00:00:00 2001 
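Review bot: `services.mongodb.enable = true;` turns the service on with every module option at its default and nothing else, so this hunk does not show what the database listens on; confirm `services.mongodb.bind_ip` is loopback (the NixOS module defaults it to 127.0.0.1, to my knowledge) rather than relying on the host firewall alone. Since the previous commit removed the unused zalando block for exactly this kind of leftover, a one-line comment naming the consumer would keep this from becoming the next one, e.g. `# mongodb for <project>, local clients only` with the placeholder filled in. The `imports` list this entry is appended to begins outside the hunk.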
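Review bot: The inbox exclusion and the new folder disagree: the inbox filter drops only `to:radio`, while the `radio` folder is defined as `to:radio or tag:radio`, so a message that is tagged radio but not addressed to it appears in both the inbox and the radio folder. If that overlap is unintended, exclude the same expression from the inbox, `and NOT (to:radio or tag:radio)"\`, so the two definitions stay in step. The mailboxes string these lines belong to starts and ends outside the hunk.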
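Review bot: The new `/home` mount is given only `defaults noatime ssd compress=lzo`, while the `/tmp` entry two lines below carries `nosuid` and `nodev`; a user-writable home filesystem is the usual second candidate for those two options unless something under /home relies on setuid binaries or device nodes. If leaving them off is deliberate, a short comment on the `options` line, e.g. `# no nosuid/nodev: <reason>`, keeps the question from being re-asked. The change also removes the blank line that separated `/boot` from the following entry, which is cosmetic only.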
From: lassulus Date: Fri, 25 Aug 2017 23:47:25 +0200 Subject: l mail: t -> tag mail --- lass/2configs/mail.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 0d3e2b228..7a9881186 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -128,7 +128,7 @@ let bind index t noop bind pager t noop - macro index t "+TODO\n" # tag as Archived + macro index t "" # tag as Archived # top index bar in email view set pager_index_lines=7 -- cgit v1.2.3 From 7f08382fbe599a5907ebcdaba59aab1ecf6c71d9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 25 Aug 2017 23:48:16 +0200 Subject: l mpv: remove unneded moveToDir bindings --- lass/2configs/mpv.nix | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix index 04fd9213e..b3de42c7b 100644 --- a/lass/2configs/mpv.nix +++ b/lass/2configs/mpv.nix @@ -2,40 +2,16 @@ let - scripts = lib.concatStringsSep "," [ - good - delete - ]; - mpv = pkgs.symlinkJoin { name = "mpv"; paths = [ (pkgs.writeDashBin "mpv" '' - exec ${pkgs.mpv}/bin/mpv --no-config --script=${scripts} "$@" + exec ${pkgs.mpv}/bin/mpv --no-config "$@" '') pkgs.mpv ]; }; - moveToDir = key: dir: pkgs.writeText "move-with-${key}.lua" '' - tmp_dir = "${dir}" - - function move_current_track_${key}() - track = mp.get_property("path") - os.execute("mkdir -p '" .. tmp_dir .. "'") - os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'") - print("moved '" .. track .. "' to " .. tmp_dir) - end - - mp.add_key_binding("${key}", "move_current_track_${key}", move_current_track_${key}) - ''; - - good = moveToDir "G" "./.good"; - delete = moveToDir "D" "./.graveyard"; - - up = moveToDir "U" "./up"; - down = moveToDir "Y" "./down"; - in { environment.systemPackages = [ mpv -- cgit v1.2.3 From d970e20a5a706a0aef494f887f2a771571350b5a Mon Sep 17 00:00:00 2001 
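Review bot: The trailing comment on the changed line still reads `# tag as Archived`, but the macro no longer adds `+TODO` and the commit subject describes the binding as a generic tag action, so the comment is stale on both counts; rewrite it to say what the key now does, e.g. `# tag mail`. The macro body shows as an empty string `""` in this listing, which looks like a rendering artifact of this page (angle-bracketed text is missing throughout), so verify the actual file rather than this view. The `bind index t noop` / `bind pager t noop` context lines above it are what make the macro the only action on `t`.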
From: lassulus Date: Sat, 26 Aug 2017 12:35:50 +0200 Subject: lass umts: no longer use environment.wvdial --- lass/3modules/umts.nix | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix index 83de4d403..c93c65ad2 100644 --- a/lass/3modules/umts.nix +++ b/lass/3modules/umts.nix @@ -31,6 +31,16 @@ let type = types.str; default = "default"; }; + pppDefaults = mkOption { + type = types.str; + default = '' + noipdefault + usepeerdns + defaultroute + persist + noauth + ''; + }; }; nixpkgs-1509 = import (pkgs.fetchFromGitHub { @@ -71,7 +81,16 @@ let lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts ''; - environment.wvdial.dialerDefaults = wvdial-defaults; + environment.etc = [ + { + source = pkgs.writeText "wvdial.conf" wvdial-defaults; + target = "wvdial.conf"; + } + { + source = pkgs.writeText "wvdial" cfg.pppDefaults; + target = "ppp/peers/wvdial"; + } + ]; systemd.services.umts = { description = "UMTS wvdial Service"; -- cgit v1.2.3 From d6aee94277e4329db12d0dfd78fbd6ab58fdeab7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2017 17:18:58 +0200 Subject: init hope.r --- krebs/1systems/hope/config.nix | 41 ++++++++++++++++++++++++++++++++++++++++ krebs/1systems/hope/source.nix | 3 +++ krebs/3modules/krebs/default.nix | 32 +++++++++++++++++++++++++++++++ 3 files changed, 76 insertions(+) create mode 100644 krebs/1systems/hope/config.nix create mode 100644 krebs/1systems/hope/source.nix diff --git a/krebs/1systems/hope/config.nix b/krebs/1systems/hope/config.nix new file mode 100644 index 000000000..c19b210c5 --- /dev/null +++ b/krebs/1systems/hope/config.nix 
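Review bot: The new `pppDefaults` option carries no `description`, unlike what a module option should have; add one next to `type`, e.g. `description = "ppp options written to /etc/ppp/peers/wvdial for the UMTS link";`. Its default includes `noauth`, which tells pppd not to require the peer to authenticate itself; that is normal for a mobile-operator link, but a one-line comment above it would stop a reader from mistaking it for disabling our own authentication towards the operator. The surrounding `options` attrset starts outside the hunk.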
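Review bot: `pkgs.writeText "wvdial.conf" wvdial-defaults` places the rendered config in the Nix store, which is world-readable on the host; `wvdial-defaults` is defined outside this hunk, so if it carries the operator login (wvdial's `Username`/`Password` keys) those values become readable by every local user. The `environment.wvdial.dialerDefaults` line it replaces may well have had the same property, so this is a point to confirm rather than a regression claim; if secrets are involved, keep them out of the store and point wvdial at a file deployed with restricted permissions instead. Style-wise, `environment.etc` is written here as a list of `{ source; target; }` attrsets, which the module accepts, but the `environment.etc."wvdial.conf".source = ...;` form is the more common spelling and avoids the list wrapper.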
@@ -0,0 +1,41 @@ +with import ; +{ config, pkgs, ... }: let + + ip = config.krebs.build.host.nets.internet.ip4.addr; + bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1"; + +in { + imports = [ + + + + + + { + users.extraUsers = { + satan = { + name = "satan"; + uid = 1338; + home = "/home/satan"; + group = "users"; + createHome = true; + useDefaultShell = true; + initialPassword = "test"; + }; + }; + } + ]; + + krebs.build.host = config.krebs.hosts.hope; + + networking = let + address = config.krebs.build.host.nets.internet.ip4.addr; + in { + defaultGateway = bestGuessGateway address; + interfaces.enp2s1.ip4 = singleton { + inherit address; + prefixLength = 24; + }; + nameservers = ["8.8.8.8"]; + }; +} diff --git a/krebs/1systems/hope/source.nix b/krebs/1systems/hope/source.nix new file mode 100644 index 000000000..7121d1d9d --- /dev/null +++ b/krebs/1systems/hope/source.nix @@ -0,0 +1,3 @@ +import { + name = "hope"; +} diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 27fbb7088..9cd103175 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix 
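Review bot: `initialPassword = "test"` for the new user `satan` (uid 1338) is a plaintext, guessable credential committed to the repository that stays valid until someone changes it; prefer `hashedPassword` or `initialHashedPassword` sourced from the secrets tree, or at minimum a comment beside it stating that it must be changed on first login and that this host does not accept SSH password logins (neither is visible here). Separately, `bestGuessGateway` does not look right for the address this host receives later in the series (`45.62.225.18`): inside a Nix double-quoted string `\.` is just `.`, so the pattern is effectively `(.*)(.[^.])`, whose first group captures `45.62.225.` and the result becomes `45.62.225..1`; `bestGuessGateway = addr: elemAt (match "(.*)\\.[^.]+" addr) 0 + ".1";` captures the prefix without the trailing dot. I am reading the expression as rendered on this page, so check the file itself if the deployed gateway came out correct. The empty entries in `imports` are rendering artifacts of this page, where angle-bracketed paths are missing throughout.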
@@ -30,6 +30,38 @@ let }); in { hosts = { + hope = { + owner = config.krebs.users.krebs; + managed = true; + nets = { + internet = { + ip4.addr = "45.62.225.18"; + aliases = [ + "hope.i" + ]; + ssh.port = 45621; + }; + retiolum = { + ip4.addr = "10.243.77.4"; + ip6.addr = "42:0:0:0:0:0:77:4"; + aliases = [ + "hope.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5 + uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a + 2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4 + A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK + fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC + K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/"; + }; hotdog = { owner = config.krebs.users.krebs; managed = true; -- cgit v1.2.3 From 48c75276c5a5ed8e7ea33ccb330f8ee6b7a6a927 Mon Sep 17 00:00:00 2001 From: mv Date: Tue, 29 Aug 2017 21:00:46 +0200 Subject: mv: the future is now! --- mv/1systems/stro.nix | 169 -------------------------------------------- mv/1systems/stro/config.nix | 156 ++++++++++++++++++++++++++++++++++++++++ mv/1systems/stro/source.nix | 3 + mv/source.nix | 23 ++++++ 4 files changed, 182 insertions(+), 169 deletions(-) delete mode 100644 mv/1systems/stro.nix create mode 100644 mv/1systems/stro/config.nix create mode 100644 mv/1systems/stro/source.nix create mode 100644 mv/source.nix diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix deleted file mode 100644 index bb37aedda..000000000 --- a/mv/1systems/stro.nix +++ /dev/null 
@@ -1,169 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -{ - krebs = { - enable = true; - build = { - user = config.krebs.users.mv; - host = config.krebs.hosts.stro; - source = let - HOME = getEnv "HOME"; - host = config.krebs.build.host; - in { - nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix"; - secrets.file = "${HOME}/secrets/${host.name}"; - stockholm.file = "${HOME}/stockholm"; - nixpkgs.git = { - url = https://github.com/NixOS/nixpkgs; - ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f"; - }; - }; - }; - }; - - imports = [ - - - - - - - - - - - - - - - - - - ]; - - boot.kernel.sysctl = { - # Enable IPv6 Privacy Extensions - "net.ipv6.conf.all.use_tempaddr" = 2; - "net.ipv6.conf.default.use_tempaddr" = 2; - }; - - boot.initrd.luks = { - cryptoModules = [ "aes" "sha512" "xts" ]; - devices = [ - { - name = "luks1"; - device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part2"; - } - ]; - }; - - environment = { - profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; - shellAliases = mkForce { - gp = "${pkgs.pari}/bin/gp -q"; - df = "df -h"; - du = "du -h"; - ls = "ls -h --color=auto --group-directories-first"; - dmesg = "dmesg -L --reltime"; - view = "vim -R"; - - reload = "systemctl reload"; - restart = "systemctl restart"; - start = "systemctl start"; - status = "systemctl status"; - stop = "systemctl stop"; - }; - systemPackages = with pkgs; [ - dic - htop - p7zip - q - - pavucontrol - rxvt_unicode.terminfo - - # stockholm - git - gnumake - populate - ]; - variables = { - NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; - }; - }; - - fileSystems = { - "/boot" = { - device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part1"; - }; - "/" = { - device = "/dev/mapper/vg1-root"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/home" = { - device = "/dev/mapper/vg1-home"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/tmp" = { - device = "tmpfs"; - 
fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - }; - - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - - networking.hostName = config.krebs.build.host.name; - - nix = { - binaryCaches = ["https://cache.nixos.org"]; - # TODO check if both are required: - chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ]; - requireSignedBinaryCaches = true; - useChroot = true; - }; - - nixpkgs.config.allowUnfree = false; - - users = { - defaultUserShell = "/run/current-system/sw/bin/bash"; - mutableUsers = false; - users = { - mv = { - inherit (config.krebs.users.mv) home uid; - isNormalUser = true; - }; - }; - }; - - security.sudo.extraConfig = '' - Defaults env_keep+="SSH_CLIENT" - Defaults mailto="${config.krebs.users.mv.mail}" - Defaults !lecture - ''; - - services.cron.enable = false; - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - services.nscd.enable = false; - services.ntp.enable = false; - services.timesyncd.enable = true; - - time.timeZone = "Europe/Berlin"; - - tv.iptables = { - enable = true; - accept-echo-request = "internet"; - }; - - system.stateVersion = "16.03"; -} diff --git a/mv/1systems/stro/config.nix b/mv/1systems/stro/config.nix new file mode 100644 index 000000000..669655eec --- /dev/null +++ b/mv/1systems/stro/config.nix 
@@ -0,0 +1,156 @@ +{ config, lib, pkgs, ... }: + +with import ; + +{ + krebs = { + enable = true; + build = { + user = config.krebs.users.mv; + host = config.krebs.hosts.stro; + }; + }; + + imports = [ + + + + + + + + + + + + + + + + + ]; + + boot.kernel.sysctl = { + # Enable IPv6 Privacy Extensions + "net.ipv6.conf.all.use_tempaddr" = 2; + "net.ipv6.conf.default.use_tempaddr" = 2; + }; + + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "xts" ]; + devices = [ + { + name = "luks1"; + device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part2"; + } + ]; + }; + + environment = { + profileRelativeEnvVars.PATH = mkForce [ "/bin" ]; + shellAliases = mkForce { + gp = "${pkgs.pari}/bin/gp -q"; + df = "df -h"; + du = "du -h"; + ls = "ls -h --color=auto --group-directories-first"; + dmesg = "dmesg -L --reltime"; + view = "vim -R"; + + reload = "systemctl reload"; + restart = "systemctl restart"; + start = "systemctl start"; + status = "systemctl status"; + stop = "systemctl stop"; + }; + systemPackages = with pkgs; [ + dic + htop + p7zip + q + + pavucontrol + rxvt_unicode.terminfo + + # stockholm + git + gnumake + populate + ]; + variables = { + NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; + }; + }; + + fileSystems = { + "/boot" = { + device = "/dev/disk/by-id/ata-TOSHIBA-TR150_467B50JXK8WU-part1"; + }; + "/" = { + device = "/dev/mapper/vg1-root"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/home" = { + device = "/dev/mapper/vg1-home"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + }; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + networking.hostName = config.krebs.build.host.name; + + nix = { + binaryCaches = ["https://cache.nixos.org"]; + requireSignedBinaryCaches = true; + # TODO check if both are required: + sandboxPaths = [ 
"/etc/protocols" pkgs.iana_etc.outPath ]; + useSandbox = true; + }; + + nixpkgs.config.packageOverrides = import pkgs; + + users = { + defaultUserShell = "/run/current-system/sw/bin/bash"; + mutableUsers = false; + users = { + mv = { + inherit (config.krebs.users.mv) home uid; + isNormalUser = true; + }; + }; + }; + + security.sudo.extraConfig = '' + Defaults env_keep+="SSH_CLIENT" + Defaults mailto="${config.krebs.users.mv.mail}" + Defaults !lecture + ''; + + services.cron.enable = false; + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + services.nscd.enable = false; + services.ntp.enable = false; + services.timesyncd.enable = true; + + time.timeZone = "Europe/Berlin"; + + tv.iptables = { + enable = true; + accept-echo-request = "internet"; + }; + + system.stateVersion = "16.03"; +} diff --git a/mv/1systems/stro/source.nix b/mv/1systems/stro/source.nix new file mode 100644 index 000000000..888d616c8 --- /dev/null +++ b/mv/1systems/stro/source.nix @@ -0,0 +1,3 @@ +import { + name = "stro"; +} diff --git a/mv/source.nix b/mv/source.nix new file mode 100644 index 000000000..8b1563914 --- /dev/null +++ b/mv/source.nix @@ -0,0 +1,23 @@ +with import ; +host@{ name, override ? {} }: let + builder = if getEnv "dummy_secrets" == "true" + then "buildbot" + else "mv"; + _file = + "/mv/1systems/${name}/source.nix"; +in + evalSource (toString _file) [ + { + nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix"; + nixpkgs.git = { + # nixos-17.03 + ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78"; + url = https://github.com/NixOS/nixpkgs; + }; + secrets.file = getAttr builder { + buildbot = toString ; + mv = "/home/mv/secrets/${name}"; + }; + stockholm.file = toString ; + } + override + ] -- cgit v1.2.3 [cgit] Unable to lock slot /tmp/cgit/d7000000.lock: No such file or directory (2)
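Review bot: Compared with the deleted `mv/1systems/stro.nix`, this file silently drops `nixpkgs.config.allowUnfree = false;` while adding `nixpkgs.config.packageOverrides`; NixOS defaults allowUnfree to false so nothing changes in practice, but since the rest of the body is copied verbatim the omission reads like an oversight, so either restore the line or say in the commit message that it was intentional. The `# TODO check if both are required:` comment was carried over onto `sandboxPaths`, where the only real change is the `chrootDirs`→`sandboxPaths` and `useChroot`→`useSandbox` rename, so the TODO should be resolved or restated against the new option names. This hunk is a whole-file addition that begins on the previous line.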
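Review bot: The secrets location is chosen from `getEnv "dummy_secrets"`, an impure read of the evaluating user's environment, and nothing in the file says what the variable means; a comment above `builder`, e.g. `# dummy_secrets=true selects the buildbot secrets tree (presumably placeholder secrets) instead of /home/mv/secrets`, would save the next reader a trip to the krebs module. Pinning `nixpkgs.git.ref` to a full commit hash under `mkDefault` is good; the `# nixos-17.03` comment will drift as the hash is bumped, so consider noting that the two must be updated together.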