From e80054feaded04a35d991fdef7decf42e3f0fc66 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Fri, 23 Dec 2016 09:47:06 +0100
Subject: tv: RIP xu-qemu0

---
 tv/1systems/xu-qemu0.nix |  28 ------
 tv/2configs/xu-qemu0.nix | 250 -----------------------------------------------
 2 files changed, 278 deletions(-)
 delete mode 100644 tv/1systems/xu-qemu0.nix
 delete mode 100644 tv/2configs/xu-qemu0.nix

diff --git a/tv/1systems/xu-qemu0.nix b/tv/1systems/xu-qemu0.nix
deleted file mode 100644
index 8945c1907..000000000
--- a/tv/1systems/xu-qemu0.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  krebs.hosts.xu-qemu0 = {
-    cores = 1;
-    ssh.privkey.path = <secrets/ssh.id_ed25519>;
-    # cannot define ssh.pubkey without at least one addr or alias
-    #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFe51rD0ZqlMXNi/YpapnRzvdzCjI0icmxfCyBLSKG04";
-  };
-  krebs.build.host = config.krebs.hosts.xu-qemu0;
-
-  imports = [
-    ../.
-    <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
-  ];
-
-  boot.loader.grub.device = "/dev/sda";
-
-  fileSystems = {
-    "/boot" = {
-      device = "/dev/sda1";
-    };
-    "/" = {
-      device = "/dev/sda2";
-      fsType = "btrfs";
-    };
-  };
-}
diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix
deleted file mode 100644
index 355a36650..000000000
--- a/tv/2configs/xu-qemu0.nix
+++ /dev/null
@@ -1,250 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  # XXX cannot use config.build.host.name here because infinite recursion when
-  # defining  krebs.hosts.${host-name}.nets.retiolum.aliases  below.
-  host-name = "xu";
-in
-
-# usage:
-#   echo set_password vnc correcthorze | xu-qemu0-monitor
-#
-#   vncdo -s xu:1 type 'curl init.xu.r' key shift-\\ type sh key return
-#
-#   http://vnc.xu/vnc_auto.html?port=5701&host=xu&password=correcthorze
-#
-#   make [install] system=xu-qemu0 target_host=10.56.0.101
-
-with import <stockholm/lib>;
-
-{
-  networking.dhcpcd.denyInterfaces = [ "qemubr0" ];
-
-  tv.iptables.extra = {
-    nat.POSTROUTING = ["-j MASQUERADE"];
-    filter.FORWARD = [
-      "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
-      "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT"
-    ];
-    filter.INPUT = [
-      "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT"
-      "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT"
-    ];
-  };
-
-  systemd.network.enable = true;
-  systemd.services.systemd-networkd-wait-online.enable = false;
-
-  services.resolved.enable = mkForce false;
-
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
-  systemd.network.networks.qemubr0 = {
-    matchConfig.Name = "qemubr0";
-    address = ["10.56.0.1/24"];
-    routes = [{
-      routeConfig = {
-        Gateway = "*";
-        Destination = "10.56.0.0";
-      };
-    }];
-  };
-  systemd.network.netdevs.qemubr0 = {
-    netdevConfig = {
-      Name = "qemubr0";
-      Kind = "bridge";
-    };
-  };
-
-  users.groups.qemu-users.gid = genid "qemu-users";
-
-  environment.etc."qemu/bridge.conf".text = ''
-    allow qemubr0
-  '';
-
-  krebs.per-user.tv.packages = [
-  ];
-
-  users.users.xu-qemu0 = {
-    createHome = true;
-    group = "qemu-users";
-    home = "/home/xu-qemu0";
-    uid = genid "xu-qemu0";
-  };
-
-  systemd.services.xu-qemu0 = let
-  in {
-    after = [ "network.target" "systemd-resolved.service" ];
-    serviceConfig = {
-      User = "xu-qemu0";
-      SyslogIdentifier = "xu-qemu0";
-      ExecStart = pkgs.writeDash "xu-qemu0" ''
-        set -efu
-        ${pkgs.coreutils}/bin/mkdir -p "$HOME/tmp"
-        img=$HOME/tmp/xu-qemu0.raw
-        if ! test -e "$img"; then
-          ${pkgs.kvm}/bin/qemu-img create "$img" 10G
-        fi
-        exec ${pkgs.kvm}/bin/qemu-kvm \
-            -monitor unix:$HOME/tmp/xu-qemu0-monitor.sock,server,nowait \
-            -boot order=cd \
-            -cdrom ${pkgs.fetchurl {
-              url = https://nixos.org/releases/nixos/15.09/nixos-15.09.1012.9fe0c23/nixos-minimal-15.09.1012.9fe0c23-x86_64-linux.iso;
-              sha256 = "18bc9wrsrjnhj9rya75xliqkl99gxbsk4dmwqivhvwfzb5qb5yp9";
-            }} \
-            -m 1024 \
-            -netdev bridge,br=qemubr0,id=hn0,helper=/var/setuid-wrappers/qemu-bridge-helper \
-            -net nic,netdev=hn0,id=nic1,macaddr=52:54:00:12:34:56 \
-            -drive file="$img",format=raw \
-            -display vnc=:1,websocket=5701,password,lossy \
-            -name xu-qemu0 \
-      '';
-    };
-  };
-
-  krebs.setuid.xu-qemu0-monitor = {
-    filename = pkgs.writeDash "xu-qemu0-monitor" ''
-      exec ${pkgs.socat}/bin/socat \
-          stdio \
-          UNIX-CONNECT:${config.users.users.xu-qemu0.home}/tmp/xu-qemu0-monitor.sock \
-    '';
-    owner = "xu-qemu0";
-    group = "tv";
-  };
-
-  krebs.setuid.qemu-bridge-helper = {
-    filename = "${pkgs.qemu}/libexec/qemu-bridge-helper";
-    group = "qemu-users";
-  };
-
-  users.users.qemu-dnsmasq.uid = genid "qemu-dnsmasq";
-
-  # TODO need custom etc/dbus-1/system.d/dnsmasq.conf for different BusName
-  services.dbus.packages = [ pkgs.dnsmasq ];
-
-  systemd.services.qemu-dnsmasq = let
-    # bind-interfaces
-    conf = pkgs.writeText "qemu-dnsmasq.conf" ''
-      listen-address=10.56.0.1
-      interface=qemubr0
-      dhcp-range=10.56.0.200,10.56.0.250
-      dhcp-no-override
-      dhcp-leasefile=/tmp/qemu-dnsmasq.leases
-      domain=${host-name}.local
-      dhcp-host=52:54:00:12:34:56,xu-qemu0,10.56.0.101,1440m
-    '';
-  in {
-    after = [ "network.target" "systemd-resolved.service" ];
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      Type = "dbus";
-      BusName = "uk.org.thekelleys.dnsmasq";
-      # -1 --enable-dbus[=uk.org.thekelleys.dnsmasq]
-      SyslogIdentifier = "qemu-dnsmasq";
-      ExecStart = "${pkgs.dnsmasq}/bin/dnsmasq -1k -u qemu-dnsmasq -C ${conf}";
-      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-      PrivateTmp = "true";
-    };
-    restartTriggers = [ config.environment.etc.hosts.source ];
-  };
-
-
-  krebs.nginx.servers.init = {
-    server-names = [
-      "init.${host-name}"
-      "init.${host-name}.r"
-      "init.${host-name}.retiolum"
-    ];
-    extraConfig = ''
-      index init.txt;
-      root ${pkgs.writeTextFile {
-        name = "init-pages";
-        text = ''
-          #! /bin/sh
-          set -efu
-
-          dev=/dev/sda
-          pttype=dos # gpt
-
-          case $pttype in
-            dos)
-              if ! test "$(blkid -o value -s PTTYPE "$dev")" = dos; then
-                parted -s "$dev" mklabel msdos
-              fi
-              if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = primary; then
-                parted -s "$dev" mkpart primary ext4 1MiB 513MiB
-                parted -s "$dev" set 1 boot on
-              fi
-              ;;
-            gpt)
-              if ! test "$(blkid -o value -s PTTYPE "$dev")" = gpt; then
-                parted -s "$dev" mklabel gpt
-              fi
-              if ! test "$(blkid -o value -s PARTLABEL "$dev"1)" = ESP; then
-                parted -s "$dev" mkpart ESP fat32 1MiB 513MiB
-                parted -s "$dev" set 1 boot on
-              fi
-              ;;
-            *)
-              echo "Error: bad pttype: $pttype" >&2
-              exit -1
-          esac
-
-          if ! test "$(blkid -o value -s PARTLABEL "$dev"2)" = primary; then
-            parted -s "$dev" mkpart primary btrfs 513MiB 100%
-          fi
-          if ! test "$(blkid -o value -s TYPE "$dev"1)" = vfat; then
-            mkfs.vfat "$dev"1
-          fi
-          if ! test "$(blkid -o value -s TYPE "$dev"2)" = btrfs; then
-            mkfs.btrfs "$dev"2
-          fi
-
-          parted "$dev" print
-
-          if ! test "$(lsblk -n -o MOUNTPOINT "$dev"2)" = /mnt; then
-            mount "$dev"2 /mnt
-          fi
-          if ! test "$(lsblk -n -o MOUNTPOINT "$dev"1)" = /mnt/boot; then
-            mkdir -m 0000 -p /mnt/boot
-            mount "$dev"1 /mnt/boot
-          fi
-
-          lsblk "$dev"
-
-          key=${shell.escape config.krebs.users.tv-xu.pubkey}
-
-          if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then
-            mkdir -p /root/.ssh
-            echo "$key" > /root/.ssh/authorized_keys
-          fi
-          systemctl start sshd
-          ip route
-          echo READY.
-        '';
-        destination = "/init.txt";
-      }};
-    '';
-  };
-
-
-  krebs.hosts.${host-name}.nets.retiolum.aliases = [
-    "init.${host-name}.r"
-    "init.${host-name}.retiolum"
-    "vnc.${host-name}.r"
-    "vnc.${host-name}.retiolum"
-  ];
-
-  krebs.nginx.servers.noVNC = {
-    server-names = [
-      "vnc.${host-name}"
-      "vnc.${host-name}.r"
-      "vnc.${host-name}.retiolum"
-    ];
-    #rewrite ^([^.]*)$ /vnc_auto.html?host=localhost&port=5701;
-    locations = singleton (nameValuePair "/" ''
-      index vnc.html;
-      root ${pkgs.noVNC};
-    '');
-  };
-}
-- 
cgit v1.2.3


From 7a3e08e967da0452c76ffc10d1f6c476718c77df Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Fri, 23 Dec 2016 09:46:32 +0100
Subject: tv: replace krebs.nginx by services.nginx.virtualHosts

---
 tv/2configs/binary-cache/default.nix | 10 +++++-----
 tv/2configs/nginx/default.nix        | 12 ++++++------
 tv/2configs/nginx/public_html.nix    | 14 ++++++--------
 3 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix
index 5902f1895..39c944b1a 100644
--- a/tv/2configs/binary-cache/default.nix
+++ b/tv/2configs/binary-cache/default.nix
@@ -19,15 +19,15 @@
     source-path = toString <secrets> + "/nix-serve.key";
   };
 
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.nix-serve = {
-      server-names = [
+    virtualHosts.nix-serve = {
+      serverAliases = [
         "cache.${config.krebs.build.host.name}.gg23"
       ];
-      locations = singleton (nameValuePair "/" ''
+      locations."/".extraConfig = ''
         proxy_pass http://localhost:${toString config.services.nix-serve.port};
-      '');
+      '';
     };
   };
 }
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 39995c052..277f459f0 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -3,15 +3,15 @@
 with import <stockholm/lib>;
 
 {
-  krebs.nginx = {
-    servers.default.locations = [
-      (nameValuePair "= /etc/os-release" ''
+  services.nginx = {
+    virtualHosts.default = {
+      locations."= /etc/os-release".extraConfig = ''
         default_type text/plain;
         alias /etc/os-release;
-      '')
-    ];
+      '';
+    };
   };
-  tv.iptables = optionalAttrs config.krebs.nginx.enable {
+  tv.iptables = {
     input-retiolum-accept-tcp = singleton "http";
   };
 }
diff --git a/tv/2configs/nginx/public_html.nix b/tv/2configs/nginx/public_html.nix
index 4c74d2250..9744da1e8 100644
--- a/tv/2configs/nginx/public_html.nix
+++ b/tv/2configs/nginx/public_html.nix
@@ -3,20 +3,18 @@
 with import <stockholm/lib>;
 
 {
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.default = {
-      server-names = [
+    virtualHosts.default = {
+      serverAliases = [
         "localhost"
         "${config.krebs.build.host.name}"
         "${config.krebs.build.host.name}.r"
         "${config.krebs.build.host.name}.retiolum"
       ];
-      locations = [
-        (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-          alias /home/$1/public_html$2;
-        '')
-      ];
+      locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+        alias /home/$1/public_html$2;
+      '';
     };
   };
   tv.iptables.input-internet-accept-tcp = singleton "http";
-- 
cgit v1.2.3


From 563c7a7eafb273bdeed6f209cea66618cb8ac127 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Fri, 23 Dec 2016 10:46:26 +0100
Subject: tv nginx: return 404 by default

---
 tv/2configs/nginx/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 277f459f0..0e6c2df0e 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -4,6 +4,13 @@ with import <stockholm/lib>;
 
 {
   services.nginx = {
+    virtualHosts._http = {
+      default = true;
+      extraConfig = ''
+        return 404;
+      '';
+    };
+
     virtualHosts.default = {
       locations."= /etc/os-release".extraConfig = ''
         default_type text/plain;
-- 
cgit v1.2.3


From c208b3fa19fc161f44c52433a4e266daade4ce53 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Fri, 23 Dec 2016 11:09:36 +0100
Subject: tv nginx: enable recommendations

---
 tv/2configs/nginx/default.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
index 0e6c2df0e..b0acb9435 100644
--- a/tv/2configs/nginx/default.nix
+++ b/tv/2configs/nginx/default.nix
@@ -4,6 +4,10 @@ with import <stockholm/lib>;
 
 {
   services.nginx = {
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedTlsSettings = true;
+
     virtualHosts._http = {
       default = true;
       extraConfig = ''
-- 
cgit v1.2.3


From a030e180bbc466e067f7b8a490fdcf41fdcb95ce Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 13:15:34 +0100
Subject: k 3 l: make icarus secure

---
 krebs/3modules/lass/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 2d1819dee..6f79aea0e 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -298,6 +298,7 @@ with import <stockholm/lib>;
           '';
         };
       };
+      secure = true;
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
     };
-- 
cgit v1.2.3


From c37b42b702e38bbf2cc6dce150be6c8aa6aa6b25 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 13:16:40 +0100
Subject: k 3 realwallpaper: daymap only available via https

---
 krebs/3modules/realwallpaper.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 1564bd94a..f9eae8c92 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -24,7 +24,7 @@ let
 
     daymap = mkOption {
       type = types.str;
-      default = "http://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
+      default = "https://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
     };
 
     cloudmap = mkOption {
-- 
cgit v1.2.3


From 512f90d10096e81180730374d5d9664384894807 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 13:29:06 +0100
Subject: l 2 libvirt: add lass to libvirtd

---
 lass/2configs/libvirt.nix | 20 ++------------------
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index e739d2f79..8c095bb01 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -1,23 +1,7 @@
 { config, lib, pkgs, ... }:
 
-let
-  mainUser = config.users.extraUsers.mainUser;
-  inherit (import <stockholm/lib>) genid;
-
-in {
+{
+  users.users.mainUser.extraGroups = [ "libvirtd" ];
   virtualisation.libvirtd.enable = true;
 
-  users.extraUsers = {
-    libvirt = {
-      uid = genid "libvirt";
-      description = "user for running libvirt stuff";
-      home = "/home/libvirt";
-      useDefaultShell = true;
-      extraGroups = [ "libvirtd" "audio" ];
-      createHome = true;
-    };
-  };
-  security.sudo.extraConfig = ''
-    ${mainUser.name} ALL=(libvirt) NOPASSWD: ALL
-  '';
 }
-- 
cgit v1.2.3


From 205d0f0d21c0f62aac0590873a6741415f9416fa Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 13:29:39 +0100
Subject: l 2 libvirt: add iptables config for NAT

---
 lass/2configs/libvirt.nix | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index 8c095bb01..a71638323 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -4,4 +4,27 @@
   users.users.mainUser.extraGroups = [ "libvirtd" ];
   virtualisation.libvirtd.enable = true;
 
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
+  ];
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+    { v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+  ];
+  krebs.iptables.tables.filter.OUTPUT.rules = [
+    { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
+  ];
+  krebs.iptables.tables.nat.POSTROUTING.rules = [
+    { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+  ];
 }
-- 
cgit v1.2.3


From 0f34276090f804b7eed2bf45a0804a69fbe8ae35 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 13:50:42 +0100
Subject: l 1 prism: import libvirt

---
 lass/1systems/prism.nix | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 6c11a2f62..7646f7163 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -24,6 +24,7 @@ in {
     ../2configs/repo-sync.nix
     ../2configs/binary-cache/server.nix
     ../2configs/iodined.nix
+    ../2configs/libvirt.nix
     {
       users.extraGroups = {
         # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@@ -228,10 +229,6 @@ in {
         enable = true;
       };
     }
-    {
-      virtualisation.libvirtd.enable = true;
-      users.users.mainUser.extraGroups = [ "libvirtd" ];
-    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;
-- 
cgit v1.2.3


From b9e3b93105d4214de43ee596adff7cf661311780 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:18:08 +0100
Subject: l: krebs.nginx -> services.nginx

---
 lass/1systems/mors.nix                |  14 +--
 lass/1systems/prism.nix               |  23 ++--
 lass/2configs/binary-cache/server.nix |  10 +-
 lass/2configs/go.nix                  |  16 ++-
 lass/2configs/radio.nix               |  12 +-
 lass/2configs/realwallpaper.nix       |  12 +-
 lass/2configs/websites/domsen.nix     |  12 +-
 lass/2configs/websites/fritz.nix      |  12 --
 lass/2configs/websites/lassulus.nix   |  92 +++++++--------
 lass/2configs/websites/util.nix       | 203 ++++++++++++++--------------------
 10 files changed, 165 insertions(+), 241 deletions(-)

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 4553cc15b..dcdb57f3b 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -66,20 +66,18 @@ with import <stockholm/lib>;
       };
     }
     {
-      krebs.nginx = {
+      services.nginx = {
         enable = true;
-        servers.default = {
-          server-names = [
+        virtualHosts.default = {
+          serverAliases = [
             "localhost"
             "${config.krebs.build.host.name}"
             "${config.krebs.build.host.name}.r"
             "${config.krebs.build.host.name}.retiolum"
           ];
-          locations = [
-            (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-              alias /home/$1/public_html$2;
-            '')
-          ];
+          locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+            alias /home/$1/public_html$2;
+          '';
         };
       };
     }
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 7646f7163..efe79052f 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -179,11 +179,9 @@ in {
       imports = [
         ../2configs/realwallpaper.nix
       ];
-      krebs.nginx.servers."lassul.us".locations = [
-        (lib.nameValuePair "/wallpaper.png" ''
-          alias /tmp/wallpaper.png;
-        '')
-      ];
+      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+        alias /tmp/wallpaper.png;
+      '';
     }
     {
       environment.systemPackages = with pkgs; [
@@ -203,16 +201,13 @@ in {
       };
     }
     {
-      krebs.nginx = {
+      services.nginx = {
         enable = true;
-        servers.public = {
-          listen = [ "8088" ];
-          server-names = [ "default" ];
-          locations = [
-            (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-              alias /home/$1/public_html$2;
-            '')
-          ];
+        virtualHosts.public = {
+          port = 8088;
+          locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+            alias /home/$1/public_html$2;
+          '';
         };
       };
       krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 22ec04307..991bbeb54 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -17,13 +17,13 @@
     owner.name = "nix-serve";
     source-path = toString <secrets> + "/nix-serve.key";
   };
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.nix-serve = {
-      server-names = [ "cache.prism.r" ];
-      locations = lib.singleton (lib.nameValuePair "/" ''
+    virtualHosts.nix-serve = {
+      serverAliases = [ "cache.prism.r" ];
+      locations."/".extraConfig = ''
         proxy_pass http://localhost:${toString config.services.nix-serve.port};
-      '');
+      '';
     };
   };
 }
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index f6ddbe96d..8e31f050f 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -8,16 +8,14 @@ with import <stockholm/lib>;
   krebs.go = {
     enable = true;
   };
-  krebs.nginx = {
+  services.nginx = {
     enable = true;
-    servers.go = {
-      locations = [
-        (nameValuePair "/" ''
-          proxy_set_header Host go;
-          proxy_pass http://localhost:1337;
-        '')
-      ];
-      server-names = [
+    virtualHosts.go = {
+      locations."/".extraConfig = ''
+        proxy_set_header Host go;
+        proxy_pass http://localhost:1337;
+      '';
+      serverAliases = [
         "go"
         "go.retiolum"
       ];
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 88e826683..18574471e 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -156,7 +156,7 @@ in {
       })
     ];
   };
-  krebs.nginx.servers."lassul.us".locations = let
+  services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
     html = pkgs.writeText "index.html" ''
       <!DOCTYPE html>
       <html lang="en">
@@ -175,10 +175,8 @@ in {
         </body>
       </html>
     '';
-  in [
-    (nameValuePair "/the_playlist" ''
-      default_type "text/html";
-      alias ${html};
-    '')
-  ];
+  in ''
+    default_type "text/html";
+    alias ${html};
+  '';
 }
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 2ab52ed92..cf9795071 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -9,15 +9,13 @@ let
 in {
   krebs.realwallpaper.enable = true;
 
-  krebs.nginx.servers.wallpaper = {
-    server-names = [
+  services.nginx.virtualHosts.wallpaper = {
+    serverAliases = [
       hostname
     ];
-    locations = [
-      (nameValuePair "/wallpaper.png" ''
-        root /tmp/;
-      '')
-    ];
+    locations."/wallpaper.png".extraConfig = ''
+      root /tmp/;
+    '';
   };
 
   krebs.iptables = {
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 76e13412b..86800fc05 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -35,10 +35,10 @@ in {
     (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
 
     (ssl [ "pixelpocket.de" ])
-    (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
+    (servePage [ "pixelpocket.de" ])
 
     (ssl [ "o.ubikmedia.de" ])
-    (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+    (serveOwncloud [ "o.ubikmedia.de" ])
 
     (ssl [
       "ubikmedia.de"
@@ -92,11 +92,9 @@ in {
     ])
   ];
 
-  krebs.nginx.servers."ubikmedia.de".locations = [
-    (lib.nameValuePair "/piwik" ''
-      try_files $uri $uri/ /index.php?$args;
-    '')
-  ];
+  services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
+    try_files $uri $uri/ /index.php?$args;
+  '';
 
   lass.mysqlBackup.config.all.databases = [
     "ubikmedia_de"
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 52914f444..16b705cdb 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -62,18 +62,6 @@ in {
     "ttf_kleinaspach_de"
   ];
 
-  #password protect some dirs
-  krebs.nginx.servers."biostase.de".locations = [
-    (nameValuePair "/old_biostase.de" ''
-      auth_basic "Administrator Login";
-      auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
-    '')
-    (nameValuePair "/mysqldumper" ''
-      auth_basic "Administrator Login";
-      auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
-    '')
-  ];
-
   users.users.root.openssh.authorizedKeys.keys = [
     config.krebs.users.fritz.pubkey
   ];
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 29374e97d..2690d7a0e 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -69,59 +69,53 @@ in {
     "nginx"
   ];
 
-  krebs.nginx.servers."lassul.us" = {
-    server-names = [ "lassul.us" ];
-    locations = [
-      (nameValuePair "/" ''
-        root /srv/http/lassul.us;
-      '')
-      (nameValuePair "/.well-known/acme-challenge" ''
-        root /var/lib/acme/challenges/lassul.us/;
-      '')
-      (nameValuePair "= /retiolum-hosts.tar.bz2" ''
-        alias ${config.krebs.tinc.retiolum.hostsArchive};
-      '')
-      (nameValuePair "/tinc" ''
-        alias ${config.krebs.tinc_graphs.workingDir}/external;
-      '')
-      (let
-        script = pkgs.writeBash "test" ''
-          echo "hello world"
-        '';
-        #script = pkgs.execve "ddate-wrapper" {
-        #  filename = "${pkgs.ddate}/bin/ddate";
-        #  argv = [];
-        #};
-      in nameValuePair "= /ddate" ''
-        gzip off;
-        fastcgi_pass unix:/var/run/lass-stuff.socket;
-        include ${pkgs.nginx}/conf/fastcgi_params;
-        fastcgi_param DOCUMENT_ROOT /var/empty;
-        fastcgi_param SCRIPT_FILENAME ${script};
-        fastcgi_param SCRIPT_NAME ${script};
-      '')
-    ];
-    ssl = {
-      enable = true;
-      certificate = "/var/lib/acme/lassul.us/fullchain.pem";
-      certificate_key = "/var/lib/acme/lassul.us/key.pem";
-    };
+  services.nginx.virtualHosts."lassul.us" = {
+    serverAliases = [ "lassul.us" ];
+    locations."/".extraConfig = ''
+      root /srv/http/lassul.us;
+    '';
+    locations."/.well-known/acme-challenge".extraConfig = ''
+      root /var/lib/acme/challenges/lassul.us/;
+    '';
+    locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
+      alias ${config.krebs.tinc.retiolum.hostsArchive};
+    '';
+    locations."/tinc".extraConfig = ''
+      alias ${config.krebs.tinc_graphs.workingDir}/external;
+    '';
+    locations."= /ddate".extraConfig = let
+      script = pkgs.writeBash "test" ''
+        echo "hello world"
+      '';
+      #script = pkgs.execve "ddate-wrapper" {
+      #  filename = "${pkgs.ddate}/bin/ddate";
+      #  argv = [];
+      #};
+    in ''
+      gzip off;
+      fastcgi_pass unix:/var/run/lass-stuff.socket;
+      include ${pkgs.nginx}/conf/fastcgi_params;
+      fastcgi_param DOCUMENT_ROOT /var/empty;
+      fastcgi_param SCRIPT_FILENAME ${script};
+      fastcgi_param SCRIPT_NAME ${script};
+    '';
+
+    enableSSL = true;
+    extraConfig = "listen 80;";
+    sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
+    sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
   };
 
-  krebs.nginx.servers.cgit = {
-    server-names = [
+  services.nginx.virtualHosts.cgit = {
+    serverAliases = [
       "cgit.lassul.us"
     ];
-    locations = [
-      (nameValuePair "/.well-known/acme-challenge" ''
-        root /var/lib/acme/challenges/cgit.lassul.us/;
-      '')
-    ];
-    ssl = {
-      enable = true;
-      certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
-      certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
-    };
+    locations."/.well-known/acme-challenge".extraConfig = ''
+      root /var/lib/acme/acme-challenges;
+    '';
+    enableSSL = true;
+    sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+    sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
   };
 
   users.users.blog = {
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 0b2a6faac..6e236ab63 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -4,66 +4,24 @@ with lib;
 
 rec {
 
-  manageCerts = domains:
+  ssl = domains :
     let
       domain = head domains;
     in {
-      #security.acme = {
-      #  certs."${domain}" = {
-      #    email = "lassulus@gmail.com";
-      #    webroot = "/var/lib/acme/challenges/${domain}";
-      #    plugins = [
-      #      "account_key.json"
-      #      "key.pem"
-      #      "fullchain.pem"
-      #    ];
-      #    group = "nginx";
-      #    allowKeysForGroup = true;
-      #    extraDomains = genAttrs domains (_: null);
-      #  };
-      #};
-
-      krebs.nginx.servers."${domain}" = {
-        ssl.acmeEnable = true;
-        server-names = domains;
-        #locations = [
-        #  (nameValuePair "/.well-known/acme-challenge" ''
-        #    root /var/lib/acme/challenges/${domain}/;
-        #  '')
-        #];
-      };
-    };
-
-  ssl = domains:
-    {
-      imports = [
-        ( manageCerts domains )
-        #( activateACME (head domains) )
-      ];
-    };
-
-  activateACME = domain:
-    {
-      krebs.nginx.servers.${domain} = {
-        ssl = {
-          enable = true;
-          certificate = "/var/lib/acme/${domain}/fullchain.pem";
-          certificate_key = "/var/lib/acme/${domain}/key.pem";
-        };
-      };
     };
 
   servePage = domains:
     let
       domain = head domains;
     in {
-      krebs.nginx.servers.${domain} = {
-        server-names = domains;
-        locations = [
-          (nameValuePair "/" ''
-            root /srv/http/${domain};
-          '')
-        ];
+      services.nginx.virtualHosts.${domain} = {
+        enableACME = true;
+        enableSSL = true;
+        extraConfig = "listen 80;";
+        serverAliases = domains;
+        locations."/".extraConfig = ''
+          root /srv/http/${domain};
+        '';
       };
     };
 
@@ -71,9 +29,13 @@ rec {
     let
       domain = head domains;
     in {
-      krebs.nginx.servers."${domain}" = {
-        server-names = domains;
+      services.nginx.virtualHosts."${domain}" = {
+        enableACME = true;
+        enableSSL = true;
+        serverAliases = domains;
         extraConfig = ''
+          listen 80;
+
           # Add headers to serve security related headers
           add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
           add_header X-Content-Type-Options nosniff;
@@ -109,56 +71,53 @@ rec {
           rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
           rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
         '';
-        locations = [
-          (nameValuePair "/robots.txt" ''
-            allow all;
-            log_not_found off;
-            access_log off;
-          '')
-          (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
-            deny all;
-          '')
-
-          (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
-            deny all;
-          '')
-
-          (nameValuePair "/" ''
-            rewrite ^/remote/(.*) /remote.php last;
-            rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-            try_files $uri $uri/ =404;
-          '')
-
-          (nameValuePair "~ \.php(?:$|/)" ''
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            include ${pkgs.nginx}/conf/fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
-            fastcgi_param HTTPS on;
-            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
-            fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
-            fastcgi_intercept_errors on;
-          '')
-
-          # Adding the cache control header for js and css files
-          # Make sure it is BELOW the location ~ \.php(?:$|/) { block
-          (nameValuePair "~* \.(?:css|js)$" ''
-            add_header Cache-Control "public, max-age=7200";
-            # Add headers to serve security related headers
-            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
-            add_header X-Content-Type-Options nosniff;
-            add_header X-Frame-Options "SAMEORIGIN";
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            # Optional: Don't log access to assets
-            access_log off;
-          '')
-
-          # Optional: Don't log access to other assets
-          (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
-            access_log off;
-          '')
-        ];
+        locations."/robots.txt".extraConfig = ''
+          allow all;
+          log_not_found off;
+          access_log off;
+        '';
+        locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+          deny all;
+        '';
+
+        locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig =  ''
+          deny all;
+        '';
+
+        locations."/".extraConfig = ''
+          rewrite ^/remote/(.*) /remote.php last;
+          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+          try_files $uri $uri/ =404;
+        '';
+
+        locations."~ \.php(?:$|/)".extraConfig =  ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_param PATH_INFO $fastcgi_path_info;
+          fastcgi_param HTTPS on;
+          fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+          fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+          fastcgi_intercept_errors on;
+        '';
+
+        # Adding the cache control header for js and css files
+        # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+        locations."~* \.(?:css|js)$".extraConfig = ''
+          add_header Cache-Control "public, max-age=7200";
+          # Add headers to serve security related headers
+          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+          add_header X-Content-Type-Options nosniff;
+          add_header X-Frame-Options "SAMEORIGIN";
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag none;
+          # Optional: Don't log access to assets
+          access_log off;
+        '';
+        # Optional: Don't log access to other assets
+        locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
+          access_log off;
+        '';
       };
       services.phpfpm.poolConfigs."${domain}" = ''
         listen = /srv/http/${domain}/phpfpm.pool
@@ -183,9 +142,12 @@ rec {
       domain = head domains;
 
     in {
-      krebs.nginx.servers."${domain}" = {
-        server-names = domains;
+      services.nginx.virtualHosts."${domain}" = {
+        enableACME = true;
+        enableSSL = true;
+        serverAliases = domains;
         extraConfig = ''
+          listen 80;
           root /srv/http/${domain}/;
           index index.php;
           access_log /tmp/nginx_acc.log;
@@ -194,24 +156,19 @@ rec {
           error_page 500 502 503 504 /50x.html;
           client_max_body_size 100m;
         '';
-        locations = [
-          (nameValuePair "/" ''
-            try_files $uri $uri/ /index.php?$args;
-          '')
-          (nameValuePair "~ \.php$" ''
-            fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
-          '')
-          #(nameValuePair "~ /\\." ''
-          #  deny all;
-          #'')
-          #Directives to send expires headers and turn off 404 error logging.
-          (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
-            access_log off;
-            log_not_found off;
-            expires max;
-          '')
-        ];
+        locations."/".extraConfig = ''
+          try_files $uri $uri/ /index.php?$args;
+        '';
+        locations."~ \.php$".extraConfig = ''
+          fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
+        #Directives to send expires headers and turn off 404 error logging.
+        locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
+          access_log off;
+          log_not_found off;
+          expires max;
+        '';
       };
       services.phpfpm.poolConfigs."${domain}" = ''
         listen = /srv/http/${domain}/phpfpm.pool
-- 
cgit v1.2.3


From e99e3e4fa52fa1f22df428a5ff5d2b533c11dd02 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:18:43 +0100
Subject: l 2 downloading: adapt to new api

---
 lass/2configs/downloading.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index ca0aded78..27b6d22d5 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -40,9 +40,8 @@ with import <stockholm/lib>;
     enable = true;
     web = {
       enable = true;
-      enableAuth = true;
-      listenAddress = "9091";
-      authfile = <secrets/torrent-authfile>;
+      port = 9091;
+      basicAuth = import <secrets/torrent-auth>;
     };
     rutorrent.enable = true;
     enableXMLRPC = true;
-- 
cgit v1.2.3


From e2237cca2c5216311d9d327ab8a5f0ec55b39b8e Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:19:04 +0100
Subject: l 2 websites domsen: stop serving *.ubikmedia.de

---
 lass/2configs/websites/domsen.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 86800fc05..2bbfe7333 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -88,7 +88,6 @@ in {
       "www.illucloud.eu"
       "www.illucloud.de"
       "www.illucloud.com"
-      "*.ubikmedia.de"
     ])
   ];
 
-- 
cgit v1.2.3


From 83a00b243d7eafc616bb5f754586a158772da9ef Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:19:25 +0100
Subject: l 2 websites fritz: remove biostase.de

---
 lass/2configs/websites/fritz.nix | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 16b705cdb..11b905a62 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -26,8 +26,6 @@ let
 in {
   imports = [
     ./sqlBackup.nix
-    (ssl [ "biostase.de" "www.biostase.de" ])
-    (serveWordpress [ "biostase.de" "www.biostase.de" ])
 
     (ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
     (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
@@ -55,7 +53,6 @@ in {
   ];
 
   lass.mysqlBackup.config.all.databases = [
-    "biostase_de"
     "eastuttgart_de"
     "radical_dreamers_de"
     "spielwaren_kern_de"
-- 
cgit v1.2.3


From cd952fa68f0f7049a34eeee2ffb8f84f842764c0 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:19:45 +0100
Subject: l 2 websites lassulus: challenge in default dir

---
 lass/2configs/websites/lassulus.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 2690d7a0e..817fef82d 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -14,7 +14,7 @@ in {
   security.acme = {
     certs."lassul.us" = {
       email = "lass@lassul.us";
-      webroot = "/var/lib/acme/challenges/lassul.us";
+      webroot = "/var/lib/acme/acme-challenges";
       plugins = [
         "account_key.json"
         "key.pem"
@@ -26,7 +26,7 @@ in {
     };
     certs."cgit.lassul.us" = {
       email = "lassulus@gmail.com";
-      webroot = "/var/lib/acme/challenges/cgit.lassul.us";
+      webroot = "/var/lib/acme/acme-challenges";
       plugins = [
         "account_key.json"
         "key.pem"
-- 
cgit v1.2.3


From 293c907291b55b46c3857131024f6cb734035704 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:22:33 +0100
Subject: l 3: remove obsolete nginx modules

---
 lass/3modules/default.nix         |   1 -
 lass/3modules/owncloud_nginx.nix  | 210 ------------------------------
 lass/3modules/wordpress_nginx.nix | 265 --------------------------------------
 3 files changed, 476 deletions(-)
 delete mode 100644 lass/3modules/owncloud_nginx.nix
 delete mode 100644 lass/3modules/wordpress_nginx.nix

diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 6588ca0d3..b169fea40 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -8,7 +8,6 @@ _:
     ./umts.nix
     ./urxvtd.nix
     ./usershadow.nix
-    ./wordpress_nginx.nix
     ./xresources.nix
   ];
 }
diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix
deleted file mode 100644
index 01e07ae66..000000000
--- a/lass/3modules/owncloud_nginx.nix
+++ /dev/null
@@ -1,210 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
-  cfg = config.lass.owncloud;
-
-  out = {
-    options.lass.owncloud = api;
-    config = imp;
-  };
-
-  api = mkOption {
-    type = with types; attrsOf (submodule ({ config, ... }: {
-      options = {
-        domain = mkOption {
-          type = str;
-          default = config._module.args.name;
-        };
-        dataDir = mkOption {
-          type = str;
-          default = "${config.folder}/data";
-        };
-        dbUser = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        dbName = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        dbType = mkOption {
-        # TODO: check for valid dbType
-          type = str;
-          default = "mysql";
-        };
-        folder = mkOption {
-          type = str;
-          default = "/srv/http/${config.domain}";
-        };
-        auto = mkOption {
-          type = bool;
-          default = false;
-        };
-        instanceid = mkOption {
-          type = str;
-        };
-      };
-    }));
-    default = {};
-  };
-
-  user = config.services.nginx.user;
-  group = config.services.nginx.group;
-
-  imp = {
-    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
-      server-names = [
-        "${domain}"
-        "www.${domain}"
-      ];
-      locations = [
-        (nameValuePair "/" ''
-          # The following 2 rules are only needed with webfinger
-          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-          rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
-          rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
-
-          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-
-          try_files $uri $uri/ /index.php;
-        '')
-        (nameValuePair "~ \.php$" ''
-          fastcgi_split_path_info ^(.+\.php)(/.+)$;
-          include ${pkgs.nginx}/conf/fastcgi.conf;
-          fastcgi_param PATH_INFO $fastcgi_path_info;
-          fastcgi_pass unix:${folder}/phpfpm.pool;
-        '')
-        (nameValuePair "~ /\\." ''
-          deny all;
-        '')
-      ];
-      extraConfig = ''
-        root ${folder}/;
-        #index index.php;
-        access_log /tmp/nginx_acc.log;
-        error_log /tmp/nginx_err.log;
-
-        # set max upload size
-        client_max_body_size 10G;
-        fastcgi_buffers 64 4K;
-
-        rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
-        rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
-        rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
-
-        error_page 403 /core/templates/403.php;
-        error_page 404 /core/templates/404.php;
-      '';
-    });
-    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
-      listen = ${folder}/phpfpm.pool
-      user = ${user}
-      group = ${group}
-      pm = dynamic
-      pm.max_children = 5
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      listen.owner = ${user}
-      listen.group = ${group}
-      php_admin_value[error_log] = 'stderr'
-      php_admin_flag[log_errors] = on
-      catch_workers_output = yes
-    '');
-    #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
-    #  name = "owncloudInit-${name}";
-    #  value = {
-    #    path = [
-    #      pkgs.mysql
-    #      pkgs.su
-    #      pkgs.gawk
-    #      pkgs.jq
-    #    ];
-    #    requiredBy = [ "nginx.service" ];
-    #    serviceConfig = let
-    #      php.define = name: value:
-    #        "define(${php.newdoc name}, ${php.newdoc value});";
-    #      php.toString = x:
-    #        "'${x}'";
-    #      php.newdoc = s:
-    #        let b = "EOF${builtins.hashString "sha256" s}"; in
-    #        ''<<<'${b}'
-    #        ${s}
-    #        ${b}
-    #        '';
-    #    in {
-    #      Type = "oneshot";
-    #      ExecStart = pkgs.writeScript "wordpressInit" ''
-    #        #!/bin/sh
-    #        set -euf
-    #        oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
-    #        db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
-    #        get_secret() {
-    #          echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
-    #        }
-    #        to_php_string() {
-    #          echo "base64_decode('$(base64)')"
-    #        }
-    #        {
-    #          cat ${toString <secrets/mysql_rootPassword>}
-    #          password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
-    #          # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
-    #          # TODO as package pkgs.sqlHashPassword
-    #          # TODO not using mysql
-    #          # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
-    #          passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
-    #          user=${shell.escape dbUser}@localhost
-    #          database=${shell.escape dbName}
-    #          cat << EOF
-    #            CREATE DATABASE IF NOT EXISTS $database;
-    #            GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
-    #            GRANT ALL PRIVILEGES ON $database.* TO $user;
-    #            FLUSH PRIVILEGES;
-    #        EOF
-    #        } | mysql -u root -p
-    #        # TODO nix2php for wp-config.php
-    #        mkdir -p ${folder}/config
-    #        cat > ${folder}/config/config.php << EOF
-    #        <?php
-    #        \$CONFIG = array (
-    #          'dbhost' => 'localhost',
-    #          'dbtableprefix' => 'oc_',
-    #          'dbpassword' => '$db_password',
-    #          'installed' => 'true',
-    #          'trusted_domains' =>
-    #          array (
-    #            0 => '${domain}',
-    #          ),
-    #          'overwrite.cli.url' => 'http://${domain}',
-
-    #        ${concatStringsSep "\n" (mapAttrsToList (name: value:
-    #          "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
-    #        ) {
-    #          instanceid = instanceid;
-    #          datadirectory = dataDir;
-    #          dbtype = dbType;
-    #          dbname = dbName;
-    #          dbuser = dbUser;
-    #        })}
-
-    #        ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
-    #          "secret"
-    #          "passwordsalt"
-    #        ]}
-    #        );
-    #        EOF
-    #      '';
-    #    };
-    #  };
-    #});
-    users.users.nobody_oc = {
-      uid = genid "nobody_oc";
-      useDefaultShell = true;
-    };
-  };
-
-in out
diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix
deleted file mode 100644
index 5d88e3fde..000000000
--- a/lass/3modules/wordpress_nginx.nix
+++ /dev/null
@@ -1,265 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
-  cfg = config.lass.wordpress;
-
-  out = {
-    options.lass.wordpress = api;
-    config = imp;
-  };
-
-  api = mkOption {
-    type = with types; attrsOf (submodule ({ config, ... }: {
-      options = {
-        domain = mkOption {
-          type = str;
-          default = config._module.args.name;
-        };
-        dbUser = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        dbName = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        folder = mkOption {
-          type = str;
-          default = "/srv/http/${config.domain}";
-        };
-        auto = mkOption {
-          type = bool;
-          default = false;
-        };
-        charset = mkOption {
-          type = str;
-          default = "utf8mb4";
-        };
-        collate = mkOption {
-          type = str;
-          default = "";
-        };
-        debug = mkOption {
-          type = bool;
-          default = false;
-        };
-        multiSite = mkOption {
-          type = attrsOf str;
-          default = {};
-          example = {
-            "0" = "bla.testsite.de";
-            "1" = "test.testsite.de";
-          };
-        };
-        ssl = mkOption {
-          type = with types; submodule ({
-            options = {
-              enable = mkEnableOption "ssl";
-              certificate = mkOption {
-                type = str;
-              };
-              certificate_key = mkOption {
-                type = str;
-              };
-              ciphers = mkOption {
-                type = str;
-                default = "AES128+EECDH:AES128+EDH";
-              };
-            };
-          });
-        };
-      };
-    }));
-    default = {};
-  };
-
-  user = config.services.nginx.user;
-  group = config.services.nginx.group;
-
-  imp = {
-    #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
-    #  map $http_host $blogid {
-    #  ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
-    #  }
-    #'';
-
-    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
-      server-names = [
-        "${domain}"
-        "www.${domain}"
-      ];
-        #(mkIf (multiSite != {})
-        #)
-      locations = (if (multiSite != {}) then
-        [
-          (nameValuePair "~ ^/files/(.*)$" ''
-            try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
-          '')
-          (nameValuePair "^~ /blogs.dir" ''
-            internal;
-            alias ${folder}/wp-content/blogs.dir ;
-            access_log off; log_not_found off; expires max;
-          '')
-        ]
-      else
-        []
-      ) ++
-      [
-        (nameValuePair "/" ''
-          try_files $uri $uri/ /index.php?$args;
-        '')
-        (nameValuePair "~ \.php$" ''
-          fastcgi_pass unix:${folder}/phpfpm.pool;
-          include ${pkgs.nginx}/conf/fastcgi.conf;
-        '')
-        (nameValuePair "~ /\\." ''
-          deny all;
-        '')
-        #Directives to send expires headers and turn off 404 error logging.
-        (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
-          access_log off;
-          log_not_found off;
-          expires max;
-        '')
-      ];
-      extraConfig = ''
-        root ${folder}/;
-        index index.php;
-        access_log /tmp/nginx_acc.log;
-        error_log /tmp/nginx_err.log;
-        error_page 404 /404.html;
-        error_page 500 502 503 504 /50x.html;
-        ${if ssl.enable then ''
-          ssl_certificate ${ssl.certificate};
-          ssl_certificate_key ${ssl.certificate_key};
-        '' else ""}
-
-      '';
-      listen = (if ssl.enable then
-          [ "80" "443 ssl" ]
-        else
-          "80"
-      );
-    });
-    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
-      listen = ${folder}/phpfpm.pool
-      user = ${user}
-      group = ${group}
-      pm = dynamic
-      pm.max_children = 5
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      listen.owner = ${user}
-      listen.group = ${group}
-      php_admin_value[error_log] = 'stderr'
-      php_admin_flag[log_errors] = on
-      catch_workers_output = yes
-    '');
-    systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
-      name = "wordpressInit-${name}";
-      value = {
-        path = [
-          pkgs.mysql
-          pkgs.su
-          pkgs.gawk
-          pkgs.jq
-        ];
-        requiredBy = [ "nginx.service" ];
-        serviceConfig = let
-          php.define = name: value:
-            "define(${php.newdoc name}, ${php.newdoc value});";
-          php.toString = x:
-            "'${x}'";
-          php.newdoc = s:
-            let b = "EOF${builtins.hashString "sha256" s}"; in
-            ''<<<'${b}'
-            ${s}
-            ${b}
-            '';
-        in {
-          Type = "oneshot";
-          ExecStart = pkgs.writeScript "wordpressInit" ''
-            #!/bin/sh
-            set -euf
-            wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"}
-            db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
-            get_secret() {
-              echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));"
-            }
-            to_php_string() {
-              echo "base64_decode('$(base64)')"
-            }
-            {
-              cat ${toString <secrets/mysql_rootPassword>}
-              password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
-              # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
-              # TODO as package pkgs.sqlHashPassword
-              # TODO not using mysql
-              # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
-              passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
-              user=${shell.escape dbUser}@localhost
-              database=${shell.escape dbName}
-              cat << EOF
-                CREATE DATABASE IF NOT EXISTS $database;
-                GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
-                GRANT ALL PRIVILEGES ON $database.* TO $user;
-                FLUSH PRIVILEGES;
-            EOF
-            } | mysql -u root -p
-            # TODO nix2php for wp-config.php
-            cat > ${folder}/wp-config.php << EOF
-            <?php
-            define('DB_PASSWORD', '$db_password');
-            define('DB_HOST', 'localhost');
-
-            ${concatStringsSep "\n" (mapAttrsToList (name: value:
-              "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));"
-            ) {
-              DB_NAME = dbName;
-              DB_USER = dbUser;
-              DB_CHARSET = charset;
-              DB_COLLATE = collate;
-            })}
-
-            ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
-              "AUTH_KEY"
-              "SECURE_AUTH_KEY"
-              "LOGGED_IN_KEY"
-              "NONCE_KEY"
-              "AUTH_SALT"
-              "SECURE_AUTH_SALT"
-              "LOGGED_IN_SALT"
-              "NONCE_SALT"
-            ]}
-
-            \$table_prefix = 'wp_';
-
-            ${if (multiSite != {}) then
-              "define('WP_ALLOW_MULTISITE', true);"
-            else
-              ""
-            }
-
-            define('WP_DEBUG', ${toJSON debug});
-            if ( !defined('ABSPATH') )
-              define('ABSPATH', dirname(__FILE__) . '/');
-
-            /** Sets up WordPress vars and included files. */
-            require_once(ABSPATH . 'wp-settings.php');
-            EOF
-          '';
-        };
-      };
-    });
-    users.users.nobody2 = mkDefault {
-      uid = mkDefault (genid "nobody2");
-      useDefaultShell = mkDefault true;
-    };
-  };
-
-  indent = replaceChars ["\n"] ["\n  "];
-
-in out
-- 
cgit v1.2.3


From adfb714638748f397fc05da46e07f47c9ab90a00 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:23:52 +0100
Subject: l 2: add hfos.nix

---
 lass/1systems/prism.nix |  1 +
 lass/2configs/hfos.nix  | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 lass/2configs/hfos.nix

diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index efe79052f..39026d102 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -25,6 +25,7 @@ in {
     ../2configs/binary-cache/server.nix
     ../2configs/iodined.nix
     ../2configs/libvirt.nix
+    ../2configs/hfos.nix
     {
       users.extraGroups = {
         # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix
new file mode 100644
index 000000000..05dd3ce2a
--- /dev/null
+++ b/lass/2configs/hfos.nix
@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  users.users.riot = {
+    uid = genid "riot";
+    isNormalUser = true;
+    extraGroups = [ "libvirtd" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange"
+      config.krebs.users.lass.pubkey
+    ];
+  };
+
+  networking.interfaces.et0.ip4 = [
+    {
+      address = "213.239.205.246";
+      prefixLength = 24;
+    }
+  ];
+
+  krebs.iptables.tables.nat.PREROUTING.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:80"; }
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+  ];
+
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+  ];
+}
-- 
cgit v1.2.3


From 861f1a094cbaaf72d5073a7ecac0a014745c2e19 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 14:24:28 +0100
Subject: l 2 nixpkgs: 2a97e14 -> 9625cae

---
 lass/2configs/nixpkgs.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index e2bdd5755..9e8ac4594 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://github.com/nixos/nixpkgs;
-    ref = "2a97e149e50e1c701a957c6bd060cc74b7e9a905";
+    ref = "9625cae3314aaab8c64b3f23a5d071e917d929bf";
   };
 }
-- 
cgit v1.2.3


From e02701e89848a4893a1549cf7fa0ee871055f255 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 17:29:53 +0100
Subject: l 2 websites lassulus: listen cgit also on port 80

---
 lass/2configs/websites/lassulus.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 817fef82d..cfdda05db 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -114,6 +114,7 @@ in {
       root /var/lib/acme/acme-challenges;
     '';
     enableSSL = true;
+    extraConfig = "listen 80;";
     sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
     sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
   };
-- 
cgit v1.2.3


From 2090e075e2ca34c3df02144123bd7e89fe8f6533 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 18:52:29 +0100
Subject: l 1 mors: disable skype

---
 lass/1systems/mors.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index dcdb57f3b..ecf437b80 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -17,7 +17,6 @@ with import <stockholm/lib>;
     ../2configs/steam.nix
     ../2configs/wine.nix
     ../2configs/git.nix
-    ../2configs/skype.nix
     ../2configs/libvirt.nix
     ../2configs/fetchWallpaper.nix
     #../2configs/c-base.nix
-- 
cgit v1.2.3


From c0fac68cdecc7d6d03aa8cdf42bdce16907d4996 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 18:55:58 +0100
Subject: l 2 tests secrets: torrent-autfile -> torrent-auth

---
 lass/2configs/tests/dummy-secrets/torrent-auth     | 3 +++
 lass/2configs/tests/dummy-secrets/torrent-authfile | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 lass/2configs/tests/dummy-secrets/torrent-auth
 delete mode 100644 lass/2configs/tests/dummy-secrets/torrent-authfile

diff --git a/lass/2configs/tests/dummy-secrets/torrent-auth b/lass/2configs/tests/dummy-secrets/torrent-auth
new file mode 100644
index 000000000..f167e71f9
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/torrent-auth
@@ -0,0 +1,3 @@
+{
+  x = "xxx";
+}
diff --git a/lass/2configs/tests/dummy-secrets/torrent-authfile b/lass/2configs/tests/dummy-secrets/torrent-authfile
deleted file mode 100644
index 93a8e1fed..000000000
--- a/lass/2configs/tests/dummy-secrets/torrent-authfile
+++ /dev/null
@@ -1 +0,0 @@
-"xxx"
-- 
cgit v1.2.3


From b9c9ff81acd4e2aa77e297a908b09c4836f08fb6 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 26 Dec 2016 19:02:38 +0100
Subject: l 2 websites fritz: remove