From 892c99706a1c997ae064e443c2162a5659b8a05e Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 8 Oct 2015 12:05:32 +0200 Subject: lass 2: add skype.nix --- lass/1systems/mors.nix | 1 + lass/2configs/skype.nix | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) create mode 100644 lass/2configs/skype.nix diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 5cc03501f..c0c33828b 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -24,6 +24,7 @@ ../2configs/bitlbee.nix ../2configs/firefoxPatched.nix ../2configs/realwallpaper.nix + ../2configs/skype.nix ]; krebs.build = { diff --git a/lass/2configs/skype.nix b/lass/2configs/skype.nix new file mode 100644 index 000000000..7e4618a7b --- /dev/null +++ b/lass/2configs/skype.nix @@ -0,0 +1,30 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + imports = [ + ../3modules/per-user.nix + ]; + + users.extraUsers = { + skype = { + name = "skype"; + uid = 2259819492; #genid skype + description = "user for running skype"; + home = "/home/skype"; + useDefaultShell = true; + extraGroups = [ "audio" "video" ]; + createHome = true; + }; + }; + + lass.per-user.skype.packages = [ + pkgs.skype + ]; + + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(skype) NOPASSWD: ALL + ''; +} -- cgit v1.2.3 From d2720415ac5404f3261a4dafbd97092c282dd169 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:06:22 +0200 Subject: lass 5: add go url shortener --- lass/5pkgs/default.nix | 1 + lass/5pkgs/go/default.nix | 61 ++++++++++++++++++++++++++++++++++++++++++++++ lass/5pkgs/go/packages.nix | 44 +++++++++++++++++++++++++++++++++ lass/5pkgs/go/result | 1 + 4 files changed, 107 insertions(+) create mode 100644 lass/5pkgs/go/default.nix create mode 100644 lass/5pkgs/go/packages.nix create mode 120000 lass/5pkgs/go/result diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix index 7427cb620..e3e49e37e 100644 --- a/lass/5pkgs/default.nix 
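Review bot: The sudo rule at the end of skype.nix, `${mainUser.name} ALL=(skype) NOPASSWD: ALL`, allows any command as `skype` without a password, although the account's stated purpose is only "user for running skype". If launching Skype is all that is intended, name the command instead, e.g. `${mainUser.name} ALL=(skype) NOPASSWD: ${pkgs.skype}/bin/skype` (assuming the package's binary is `bin/skype`). The account also sets `useDefaultShell = true`; drop that line if nothing needs an interactive session as `skype`.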
+++ b/lass/5pkgs/default.nix @@ -13,4 +13,5 @@ rec { ublock = callPackage ./firefoxPlugins/ublock.nix {}; vimperator = callPackage ./firefoxPlugins/vimperator.nix {}; }; + go = callPackage ./go/default.nix {}; } diff --git a/lass/5pkgs/go/default.nix b/lass/5pkgs/go/default.nix new file mode 100644 index 000000000..2ac809c33 --- /dev/null +++ b/lass/5pkgs/go/default.nix @@ -0,0 +1,61 @@ +{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }: + +with lib; + +let + np = nodePackages.override { + generated = ./packages.nix; + self = np; + }; + + node_env = buildEnv { + name = "node_env"; + paths = [ + np.redis + np."formidable" + ]; + pathsToLink = [ "/lib" ]; + ignoreCollisions = true; + }; + +in nodePackages.buildNodePackage { + name = "go"; + + src = fetchgit { + url = "http://cgit.echelon/go/"; + rev = "05d02740e0adbb36cc461323647f0c1e7f493156"; + sha256 = "6015c9a93317375ae8099c7ab982df0aa93a59ec2b48972e253887bb6ca0004f"; + }; + + phases = [ + "unpackPhase" + "installPhase" + ]; + + deps = (filter (v: nixType v == "derivation") (attrValues np)); + + buildInputs = [ + nodejs + nodePackages.redis + np.formidable + makeWrapper + ]; + + installPhase = '' + mkdir -p $out/bin + + find ${node_env} + + cp index.js $out/ + cat > $out/go << EOF + ${nodejs}/bin/node $out/index.js + EOF + chmod +x $out/go + + wrapProgram $out/go \ + --prefix NODE_PATH : ${node_env}/lib/node_modules + + ln -s $out/go /$out/bin/go + ''; + +} diff --git a/lass/5pkgs/go/packages.nix b/lass/5pkgs/go/packages.nix new file mode 100644 index 000000000..9acfd7658 --- /dev/null +++ b/lass/5pkgs/go/packages.nix 
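Review bot: The launcher that installPhase writes with `cat > $out/go << EOF` has no interpreter line, no `exec`, and does not forward arguments. It therefore runs only when the caller falls back to a shell, and node stays a child of that shell. Make the heredoc body `#!${stdenv.shell}` followed by `exec ${nodejs}/bin/node $out/index.js "\$@"`; the `\$@` escape is needed because the heredoc delimiter is unquoted. `ln -s $out/go /$out/bin/go` also has a stray leading slash. The plain `http://` source URL is tolerable only because `rev` and `sha256` pin the content.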
@@ -0,0 +1,44 @@ +{ self, fetchurl, fetchgit ? null, lib }: + +{ + by-spec."formidable"."*" = + self.by-version."formidable"."1.0.17"; + by-version."formidable"."1.0.17" = self.buildNodePackage { + name = "formidable-1.0.17"; + version = "1.0.17"; + bin = false; + src = fetchurl { + url = "http://registry.npmjs.org/formidable/-/formidable-1.0.17.tgz"; + name = "formidable-1.0.17.tgz"; + sha1 = "ef5491490f9433b705faa77249c99029ae348559"; + }; + deps = { + }; + optionalDependencies = { + }; + peerDependencies = []; + os = [ ]; + cpu = [ ]; + }; + "formidable" = self.by-version."formidable"."1.0.17"; + by-spec."redis"."*" = + self.by-version."redis"."2.1.0"; + by-version."redis"."2.1.0" = self.buildNodePackage { + name = "redis-2.1.0"; + version = "2.1.0"; + bin = false; + src = fetchurl { + url = "http://registry.npmjs.org/redis/-/redis-2.1.0.tgz"; + name = "redis-2.1.0.tgz"; + sha1 = "38acb208f90750250f9451219b73ff08ae907f94"; + }; + deps = { + }; + optionalDependencies = { + }; + peerDependencies = []; + os = [ ]; + cpu = [ ]; + }; + "redis" = self.by-version."redis"."2.1.0"; +} diff --git a/lass/5pkgs/go/result b/lass/5pkgs/go/result new file mode 120000 index 000000000..14893ca34 --- /dev/null +++ b/lass/5pkgs/go/result @@ -0,0 +1 @@ +/nix/store/nizallgwxcx4fz9awyfp9i17avfymlvx-nodejs-go \ No newline at end of file -- cgit v1.2.3 From 45acff36265352e168928399957241abf4eb0dc1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:07:44 +0200 Subject: lass 2 git: add go repo --- lass/2configs/git.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 595936da5..d63705ab6 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -31,6 +31,7 @@ let }; wai-middleware-time = {}; web-routes-wai-custom = {}; + go = {}; }; restricted-repos = mapAttrs make-restricted-repo ( -- cgit v1.2.3 From e4b27b52864cd40367b28c9967f1e375988a5445 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Fri, 9 Oct 2015 01:08:27 +0200 Subject: lass 1 echelon: get hostName from build.host.name --- lass/1systems/echelon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index b301b504a..bf3ca8723 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -44,6 +44,6 @@ in { }; }; - networking.hostName = "echelon"; + networking.hostName = config.krebs.build.host.name; } -- cgit v1.2.3 From d478ed4e06dbf84688bb99aa00b95e1d8b09f3b1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:09:13 +0200 Subject: lass 2 ircd: change sid and hostname --- lass/2configs/ircd.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/2configs/ircd.nix b/lass/2configs/ircd.nix index f71b769fd..fc0aeb84b 100644 --- a/lass/2configs/ircd.nix +++ b/lass/2configs/ircd.nix @@ -5,8 +5,8 @@ enable = true; config = '' serverinfo { - name = "ire.irc.retiolum"; - sid = "4z3"; + name = "${config.krebs.build.host.name}.irc.retiolum"; + sid = "1as"; description = "miep!"; network_name = "irc.retiolum"; network_desc = "Retiolum IRC Network"; -- cgit v1.2.3 From 20724bfcf7cb10a6e8ebf153e46ffac3d9ebbf67 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:10:15 +0200 Subject: lass 2: add redix.nix --- lass/2configs/redis.nix | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 lass/2configs/redis.nix diff --git a/lass/2configs/redis.nix b/lass/2configs/redis.nix new file mode 100644 index 000000000..8dd8df5c3 --- /dev/null +++ b/lass/2configs/redis.nix @@ -0,0 +1,8 @@ +{ config, ... }: + +{ + config.services.redis = { + enable = true; + bind = "127.0.0.1"; + }; +} -- cgit v1.2.3 From 4752e4a75765faeea6a2d8aa26c78c106d266a1c Mon Sep 17 00:00:00 2001 
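Review bot: redis.nix enables Redis without authentication, so `bind = "127.0.0.1"` is the only access control and every local account or service on the host can read and modify the keys. If that is the intended trust model, record it next to the bind, e.g. `# no requirePass: loopback only, all local users are trusted with this data`. If other unprivileged services share the host, consider `services.redis.requirePass`, bearing in mind that a value written into the Nix store is world-readable.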
From: lassulus Date: Fri, 9 Oct 2015 01:11:29 +0200 Subject: lass 3: add go.nix --- lass/3modules/go.nix | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 lass/3modules/go.nix diff --git a/lass/3modules/go.nix b/lass/3modules/go.nix new file mode 100644 index 000000000..aa900f118 --- /dev/null +++ b/lass/3modules/go.nix @@ -0,0 +1,61 @@ +{ config, lib, pkgs, ... }: + +with builtins; +with lib; + +let + cfg = config.lass.go; + + out = { + options.lass.go = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "Enable go url shortener"; + port = mkOption { + type = types.str; + default = "1337"; + description = "on which port go should run on"; + }; + redisKeyPrefix = mkOption { + type = types.str; + default = "go:"; + description = "change the Redis key prefix which defaults to `go:`"; + }; + }; + + imp = { + users.extraUsers.go = { + name = "go"; + uid = 42774411; #genid go + description = "go url shortener user"; + home = "/var/lib/go"; + createHome = true; + }; + + systemd.services.go = { + description = "go url shortener"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + path = with pkgs; [ + go + ]; + + environment = { + PORT = cfg.port; + REDIS_KEY_PREFIX = cfg.redisKeyPrefix; + }; + + restartIfChanged = true; + + serviceConfig = { + User = "go"; + Restart = "always"; + ExecStart = "${pkgs.go}/bin/go"; + }; + }; + }; + +in out -- cgit v1.2.3 From 8b42c0631e86da5e05a4659887d9c7958bf27636 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:23:45 +0200 Subject: lass 2 ircd: open port 6667 to retiolum --- lass/2configs/ircd.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lass/2configs/ircd.nix b/lass/2configs/ircd.nix index fc0aeb84b..de96ad9d6 100644 --- a/lass/2configs/ircd.nix +++ b/lass/2configs/ircd.nix 
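Review bot: `systemd.services.go.serviceConfig` confines the service with `User = "go"` only, although it listens on `PORT` and handles requests from the network. Adding `PrivateTmp = true;` and `NoNewPrivileges = true;` to `serviceConfig` should be safe for a process that, as far as this module shows, needs only its socket and Redis. Separately, `mkEnableOption "Enable go url shortener"` renders as "Whether to enable Enable go url shortener"; `mkEnableOption "go url shortener"` reads correctly.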
@@ -1,6 +1,9 @@ { config, pkgs, ... }: { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 6667"; target = "ACCEPT"; } + ]; config.services.charybdis = { enable = true; config = '' -- cgit v1.2.3 From c8c2b254e5f633618b43be6b348c747e903f7577 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:24:13 +0200 Subject: lass 2: add go.nix --- lass/2configs/go.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 lass/2configs/go.nix diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix new file mode 100644 index 000000000..30d3e6ae5 --- /dev/null +++ b/lass/2configs/go.nix @@ -0,0 +1,16 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../3modules/go.nix + ]; + environment.systemPackages = [ + pkgs.go + ]; + lass.go = { + enable = true; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; } + ]; +} -- cgit v1.2.3 From e21fdefcf1cec589db1aec4226bc52a65991b218 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:24:50 +0200 Subject: lass 1 echelon: import new stuff --- lass/1systems/echelon.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index bf3ca8723..1320e0782 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -14,6 +14,9 @@ in { ../2configs/realwallpaper-server.nix ../2configs/privoxy-retiolum.nix ../2configs/git.nix + ../2configs/redis.nix + ../2configs/go.nix + ../2configs/ircd.nix { networking.interfaces.enp2s1.ip4 = [ { -- cgit v1.2.3 From 4072a32f89b9cc1c1e7c3583ac5b9ce5dcb004af Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 9 Oct 2015 01:31:42 +0200 Subject: lass 5 go: remove debug stuff --- lass/5pkgs/go/default.nix | 2 -- lass/5pkgs/go/result | 1 - 2 files changed, 3 deletions(-) delete mode 120000 lass/5pkgs/go/result 
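Review bot: The new `krebs.iptables.tables.filter.INPUT.rules` definition in ircd.nix sits at the top level of a module that already has a top-level `config` attribute (`config.services.charybdis`). In that form the module system takes settings only from `config`, so depending on the nixpkgs revision the rule is either rejected at evaluation or silently never applied. Write it as `config.krebs.iptables.tables.filter.INPUT.rules = [`, or drop the `config.` prefix from the charybdis definition, whose body continues outside this hunk.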
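Review bot: The firewall rule in 2configs/go.nix hard-codes `--dport 1337` while the service port comes from `lass.go.port`, so overriding the option leaves the old port open and the real one closed. Derive the rule from the option: `{ predicate = "-i retiolum -p tcp --dport ${config.lass.go.port}"; target = "ACCEPT"; }`. `environment.systemPackages = [ pkgs.go ]` also puts a binary named `go` on every user's PATH, which would shadow or be shadowed by the Go toolchain; confirm that is wanted.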
diff --git a/lass/5pkgs/go/default.nix b/lass/5pkgs/go/default.nix index 2ac809c33..3b4468d18 100644 --- a/lass/5pkgs/go/default.nix +++ b/lass/5pkgs/go/default.nix @@ -44,8 +44,6 @@ in nodePackages.buildNodePackage { installPhase = '' mkdir -p $out/bin - find ${node_env} - cp index.js $out/ cat > $out/go << EOF ${nodejs}/bin/node $out/index.js diff --git a/lass/5pkgs/go/result b/lass/5pkgs/go/result deleted file mode 120000 index 14893ca34..000000000 --- a/lass/5pkgs/go/result +++ /dev/null @@ -1 +0,0 @@ -/nix/store/nizallgwxcx4fz9awyfp9i17avfymlvx-nodejs-go \ No newline at end of file -- cgit v1.2.3 From 9ae6d1611ef8cd8479235ac91272e694080b9d89 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 12:06:00 +0200 Subject: add github.com and its addrs4 to known_hosts --- krebs/3modules/default.nix | 7 +++++++ krebs/5pkgs/default.nix | 1 - krebs/5pkgs/github-known_hosts/default.nix | 13 ------------- krebs/5pkgs/github-known_hosts/github.ssh.pub | 1 - 4 files changed, 7 insertions(+), 15 deletions(-) delete mode 100644 krebs/5pkgs/github-known_hosts/default.nix delete mode 100644 krebs/5pkgs/github-known_hosts/github.ssh.pub diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 430194405..eeb3acdcb 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -137,6 +137,13 @@ let mkIf (privkey != null) (mkForce [privkey]); services.openssh.knownHosts = + { + github = { + hostNames = ["github.com"] ++ + map (i: "192.30.252.${toString i}") (range 0 255); + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; + } // mapAttrs (name: host: { hostNames = 
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index 7e136d96f..47e9341cc 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -13,7 +13,6 @@ rec { genid = callPackage ./genid {}; get = callPackage ./get {}; github-hosts-sync = callPackage ./github-hosts-sync {}; - github-known_hosts = callPackage ./github-known_hosts {}; hashPassword = callPackage ./hashPassword {}; jq = callPackage ./jq {}; krebszones = callPackage ./krebszones {}; diff --git a/krebs/5pkgs/github-known_hosts/default.nix b/krebs/5pkgs/github-known_hosts/default.nix deleted file mode 100644 index fe5efe413..000000000 --- a/krebs/5pkgs/github-known_hosts/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ lib, ... }: - -with builtins; -with lib; - -let - github-pubkey = removeSuffix "\n" (readFile ./github.ssh.pub); -in - -toFile "github-known_hosts" - (concatMapStrings - (i: "github.com,192.30.252.${toString i} ${github-pubkey}\n") - (range 0 255)) diff --git a/krebs/5pkgs/github-known_hosts/github.ssh.pub b/krebs/5pkgs/github-known_hosts/github.ssh.pub deleted file mode 100644 index 90f6e2b71..000000000 --- a/krebs/5pkgs/github-known_hosts/github.ssh.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== -- cgit v1.2.3 From f1cc52aeaf6c18afb1c79c08914471ff73943a77 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 13:18:21 +0200 Subject: known_hosts: GitHub is 192.30.252.0/22 --- krebs/3modules/default.nix | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index eeb3acdcb..69613d4c3 100644 
--- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -137,13 +137,22 @@ let mkIf (privkey != null) (mkForce [privkey]); services.openssh.knownHosts = - { - github = { - hostNames = ["github.com"] ++ - map (i: "192.30.252.${toString i}") (range 0 255); - publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; - }; - } // + # GitHub's IPv4 address range is 192.30.252.0/22 + # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ + # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses) + # Because line length is limited by OPENSSH_LINE_MAX (= 8192), + # we split each /24 into its own entry. + listToAttrs (map + (c: { + name = "github${toString c}"; + value = { + hostNames = ["github.com"] ++ + map (d: "192.30.${toString c}.${toString d}") (range 0 255); + publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; + }; + }) + (range 252 255)) + // mapAttrs (name: host: { hostNames = -- cgit v1.2.3 From 4486c1a0846ecfcc642a4d41b925eaa134697554 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 13:29:44 +0200 Subject: tv: urlwatch GitHub's IP-addresses --- tv/2configs/urlwatch.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix index 26e56e09c..c1c5d19d9 100644 
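Review bot: The GitHub host key is pasted as an anonymous string inside the `listToAttrs` lambda, with nothing recording where it was obtained or how it was verified. It is the trust anchor for every SSH connection these hosts make to github.com and to the whole 192.30.252.0/22 range. Bind it to a name in the enclosing `let` with a comment such as `# GitHub RSA host key, fingerprint <FINGERPRINT>, checked against <SOURCE> on <DATE>`, and reference that name from `publicKey`. The `let` block and the `//` merge with the `mapAttrs` result continue outside the hunk.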
--- a/tv/2configs/urlwatch.nix +++ b/tv/2configs/urlwatch.nix @@ -48,6 +48,9 @@ #http://hackage.haskell.org/package/transformers #http://hackage.haskell.org/package/web-routes-wai #http://hackage.haskell.org/package/web-page + + # ref , services.openssh.knownHosts.github* + https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ ]; }; } -- cgit v1.2.3 From 5a49ac6d5e8a35c2f960a4cda2b3db243735248b Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 13:31:21 +0200 Subject: tv urlwatch: wu -> cd --- tv/1systems/cd.nix | 1 + tv/1systems/wu.nix | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 4f66b3592..4f196095b 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -30,6 +30,7 @@ with lib; #../2configs/consul-server.nix ../2configs/exim-smarthost.nix ../2configs/git.nix + ../2configs/urlwatch.nix { imports = [ ../2configs/charybdis.nix ]; tv.charybdis = { diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index e54aed056..0ef846f93 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -32,7 +32,6 @@ with lib; ../2configs/xserver.nix ../2configs/synaptics.nix # TODO w110er if xserver is enabled ../2configs/test.nix - ../2configs/urlwatch.nix { environment.systemPackages = with pkgs; [ -- cgit v1.2.3 From 87fa7792e3f2debeb221073b393a7909a75a9176 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 13:34:25 +0200 Subject: disband github-known_hosts harder --- krebs/3modules/github-hosts-sync.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index f44fe3ad8..eaec0333a 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix 
@@ -60,8 +60,6 @@ let -m 0400 \ ${cfg.ssh-identity-file} \ "$ssh_identity_file_target" - - ln -snf ${pkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts ''; ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync"; }; -- cgit v1.2.3 From f15864623a579f4af1c1b0cae14b5977283d52bd Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 14:07:29 +0200 Subject: krebs lib.types += suffixed-str --- krebs/4lib/types.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 039f803ef..b3d2c8b70 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -147,6 +147,13 @@ types // rec { merge = mergeOneOption; }; + suffixed-str = suffs: + mkOptionType { + name = "string suffixed by ${concatStringsSep ", " suffs}"; + check = x: isString x && any (flip hasSuffix x) suffs; + merge = mergeOneOption; + }; + user = submodule { options = { mail = mkOption { -- cgit v1.2.3 From 51e4b62de206cbf692e5f247d595c904c768e202 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 14:08:06 +0200 Subject: krebs.github-host-sync.ssh-identity-file: fix type --- krebs/3modules/github-hosts-sync.nix | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index eaec0333a..4d4e21252 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: with builtins; -with lib; +with import ../4lib { inherit lib; }; let cfg = config.krebs.github-hosts-sync; @@ -21,7 +21,7 @@ let default = "/var/lib/github-hosts-sync"; }; ssh-identity-file = mkOption { - type = types.str; # TODO must be named *.ssh.{id_rsa,id_ed25519} + type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; default = toString ; }; }; 
@@ -42,16 +42,6 @@ let #! /bin/sh set -euf - ssh_identity_file_target=$( - case ${cfg.ssh-identity-file} in - *.ssh.id_rsa|*.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_rsa;; - *.ssh.id_ed25519) echo ${cfg.dataDir}/.ssh/id_ed25519;; - *) - echo "bad identity file name: ${cfg.ssh-identity-file}" >&2 - exit 1 - esac - ) - mkdir -p ${cfg.dataDir} chown ${user.name}: ${cfg.dataDir} @@ -59,7 +49,7 @@ let -o ${user.name} \ -m 0400 \ ${cfg.ssh-identity-file} \ - "$ssh_identity_file_target" + ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file} ''; ExecStart = "${pkgs.github-hosts-sync}/bin/github-hosts-sync"; }; @@ -75,5 +65,8 @@ let name = "github-hosts-sync"; uid = 3220554646; # genid github-hosts-sync }; -in -out + + # TODO move to lib? + fileExtension = s: last (splitString "." s); + +in out -- cgit v1.2.3 From 509423f1f19ade5586f66c5691b27694ecb68b01 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 14:31:25 +0200 Subject: github-hosts-sync: fix ca-bundle path --- krebs/5pkgs/github-hosts-sync/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix index d69b2b12b..b9dcfa9b8 100644 --- a/krebs/5pkgs/github-hosts-sync/default.nix +++ b/krebs/5pkgs/github-hosts-sync/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { installPhase = let - ca-bundle = "${pkgs.cacert}/etc/ca-bundle.crt"; + ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ coreutils findutils -- cgit v1.2.3 From 694c79a5bc05014604fa2467f965b370102ff78f Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 9 Oct 2015 14:32:45 +0200 Subject: github-hosts-sync service: fix directory creation --- krebs/3modules/github-hosts-sync.nix | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 4d4e21252..2a1df9e03 100644 
--- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -41,13 +41,9 @@ let ExecStartPre = pkgs.writeScript "github-hosts-sync-init" '' #! /bin/sh set -euf - - mkdir -p ${cfg.dataDir} - chown ${user.name}: ${cfg.dataDir} - - install \ - -o ${user.name} \ - -m 0400 \ + install -m 0711 -o ${user.name} -d ${cfg.dataDir} + install -m 0700 -o ${user.name} -d ${cfg.dataDir}/.ssh + install -m 0400 -o ${user.name} \ ${cfg.ssh-identity-file} \ ${cfg.dataDir}/.ssh/${fileExtension cfg.ssh-identity-file} ''; -- cgit v1.2.3
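Review bot: The three `install` lines in the ExecStartPre script pass the Nix-interpolated paths (`${cfg.dataDir}`, `${cfg.ssh-identity-file}`) to the shell unquoted, so a configured path containing whitespace is split into several arguments. Quote them, e.g. `install -m 0700 -o ${user.name} -d "${cfg.dataDir}/.ssh"`. Separately, `-m 0711` on `dataDir` gives every local user search permission on the service's home. The key stays protected because `.ssh` is 0700, but `0700` on `dataDir` is the tighter choice unless something else has to traverse it.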