Merge remote-tracking branch 'cd/master'

Makefile

@@ -51,8 +51,6 @@ $(if $(target_user),,$(error unbound variable: target_user))
 $(if $(target_port),,$(error unbound variable: target_port))
 $(if $(target_path),,$(error unbound variable: target_path))
 
-target ?= $(target_user)@$(target_host):$(target_port)$(target_path)
-
 build = \
 	nix-build \
 		--no-out-link \
@@ -88,6 +86,8 @@ deploy:
 			nixos-rebuild $(rebuild-command) --show-trace -I $(target_path)
 
 # usage: make populate system=foo
+populate: populate-target = \
+	$(target_user)@$(target_host):$(target_port)$(target_path)
 ifeq ($(debug),true)
 populate: populate-flags += --debug
 endif
@@ -96,7 +96,7 @@ populate: populate-flags += --ssh=$(ssh)
 endif
 populate:
 	$(call evaluate,config.krebs.build.source) --json --strict | \
-	populate $(target) $(populate-flags)
+	populate $(populate-target) $(populate-flags)
 
 # usage: make pkgs.populate
 pkgs:;@$(error no package selected)

krebs/3modules/makefu/default.nix

@@ -791,6 +791,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
 
   } // { # hosts only maintained in stockholm, not owned by me
     muhbaasu = rec {
+      owner = config.krebs.users.root;
       cores = 1;
       nets = {
         internet = {

krebs/3modules/rtorrent.nix

@@ -336,7 +336,6 @@ let
           pm.min_spare_servers = 1
           pm.max_spare_servers = 3
           chdir = /
-          # errors to journal
           php_admin_value[error_log] = 'stderr'
           php_admin_flag[log_errors] = on
           catch_workers_output = yes

krebs/3modules/shared/default.nix

@@ -8,6 +8,7 @@ let
     "test-centos7"
     "test-all-krebs-modules"
   ] (name: {
+    owner = config.krebs.users.shared;
     inherit name;
     cores = 1;
     nets = {
@@ -34,6 +35,7 @@ let
 in {
   hosts = {
     wolf = {
+      owner = config.krebs.users.shared;
       nets = {
         shack = {
           ip4.addr =  "10.42.2.150" ;

krebs/4lib/default.nix

@@ -1,19 +1,12 @@
-{ config, lib, ... }:
+_:
+
+let
+  lib = import <stockholm/lib>;
+in
 
-with builtins;
 with lib;
 
-let out = import <stockholm/lib> // rec {
+let out = lib // rec {
-
-  eq = x: y: x == y;
-  ne = x: y: x != y;
-
-  mod = x: y: x - y * (x / y);
-
-  addName = name: set:
-    set // { inherit name; };
-
-  addNames = mapAttrs addName;
 
   guard = spec@{ type, value, ... }:
     assert isOptionType type;
@@ -26,12 +19,9 @@ let out = import <stockholm/lib> // rec {
       ]));
 
   types = import ./types.nix {
-    inherit config;
     lib = lib // { inherit genid optionalTrace; };
   };
 
-  dir.has-default-nix = path: pathExists (path + "/default.nix");
-
   genid = import ./genid.nix { lib = lib // out; };
   genid_signed = x: ((genid x) + 16777216) / 2;
   git = import ./git.nix { lib = lib // out; };

krebs/4lib/git.nix

@@ -1,7 +1,12 @@
 { lib, ... }:
 
+with lib;
+
 let
-  inherit (lib) addNames escapeShellArg makeSearchPath optionalString;
+  addName = name: set:
+    set // { inherit name; };
+
+  addNames = mapAttrs addName;
 
   commands = addNames {
     git-receive-pack = {};

krebs/4lib/types.nix

@@ -1,14 +1,9 @@
-{ config, lib, ... }:
+{ lib, ... }:
 
 with builtins;
 with lib;
 with types;
 
-let
-  # Inherited attributes are used in submodules that have their own `config`.
-  inherit (config.krebs) build users;
-in
-
 types // rec {
 
   host = submodule ({ config, ... }: {
@@ -27,7 +22,6 @@ types // rec {
 
       owner = mkOption {
         type = user;
-        default = users.krebs;
       };
 
       extraZones = mkOption {
@@ -49,10 +43,6 @@ types // rec {
       ssh.pubkey = mkOption {
         type = nullOr ssh-pubkey;
         default = null;
-        apply = x:
-          optionalTrace (x == null && config.owner.name == build.user.name)
-            "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused."
-            x;
       };
       ssh.privkey = mkOption {
         type = nullOr ssh-privkey;
@@ -187,7 +177,6 @@ types // rec {
       };
       owner = mkOption {
         type = user;
-        default = users.root;
       };
       group-name = mkOption {
         type = str;
@@ -284,6 +273,7 @@ types // rec {
       };
       mail = mkOption {
         type = str; # TODO retiolum mail address
+        default = "${config._module.args.name}@${config.networking.hostName}.r";
       };
       name = mkOption {
         type = username;

krebs/5pkgs/charybdis/default.nix

@@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
   src = fetchgit {
     url = "https://github.com/atheme/charybdis.git";
     rev = "61815bf9324e872f51255e09fe37a8c595f94a60";
-    sha256 = "0zsd6xk2cnspc1cvryy2296p3ix4hwjd9k24wmgbh5wzks0wahwy";
+    sha256 = "1q9h7j2pm1wsbcybmm7r7hzimp1zda04lw9x2akb26l9p12zgfgc";
   };
 
   patches = [

krebs/5pkgs/default.nix

@@ -17,7 +17,7 @@ with config.krebs.lib;
   in {}
   // import ./builders.nix args
   // mapAttrs (_: flip callPackage {})
-              (filterAttrs (_: dir.has-default-nix)
+              (filterAttrs (_: dir: pathExists (dir + "/default.nix"))
                            (subdirsOf ./.))
   // {
     empty = pkgs.runCommand "empty-1.0.0" {} "mkdir $out";

krebs/5pkgs/dic/default.nix

@@ -6,7 +6,7 @@ stdenv.mkDerivation {
   src = fetchgit {
     url = https://github.com/krebscode/painload;
     rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3";
-    sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35";
+    sha256 = "0arsfcd8qdrqafw7cxiag7f0kn95nwxxwrs0kdzxxdryfr6l1h07";
   };
 
   phases = [

krebs/5pkgs/exim/default.nix

@@ -1,64 +0,0 @@
-{ coreutils, fetchurl, db, openssl, pam, pcre, perl, pkgconfig, stdenv }:
-
-stdenv.mkDerivation rec {
-  name = "exim-4.87";
-
-  src = fetchurl {
-    url = "http://mirror.switch.ch/ftp/mirror/exim/exim/exim4/${name}.tar.bz2";
-    sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl";
-  };
-
-  buildInputs = [ coreutils db openssl pam pcre perl pkgconfig ];
-
-  preBuild = ''
-    sed '
-      s:^\(BIN_DIRECTORY\)=.*:\1='"$out"'/bin:
-      s:^\(CONFIGURE_FILE\)=.*:\1=/etc/exim.conf:
-      s:^\(EXIM_USER\)=.*:\1=ref\:nobody:
-      s:^\(SPOOL_DIRECTORY\)=.*:\1=/exim-homeless-shelter:
-      s:^# \(SUPPORT_MAILDIR\)=.*:\1=yes:
-      s:^EXIM_MONITOR=.*$:# &:
-      s:^\(FIXED_NEVER_USERS\)=root$:\1=0:
-      s:^# \(WITH_CONTENT_SCAN\)=.*:\1=yes:
-      s:^# \(AUTH_PLAINTEXT\)=.*:\1=yes:
-      s:^# \(SUPPORT_TLS\)=.*:\1=yes:
-      s:^# \(USE_OPENSSL_PC=openssl\)$:\1:
-      s:^# \(LOG_FILE_PATH=syslog\)$:\1:
-      s:^# \(SUPPORT_PAM\)=.*:\1=yes\nEXTRALIBS=-lpam:
-      s:^# \(HAVE_IPV6=yes\)$:\1:
-      s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown:
-      s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp:
-      s:^# \(CHMOD_COMMAND\)=.*:\1=${coreutils}/bin/chmod:
-      s:^# \(MV_COMMAND\)=.*:\1=${coreutils}/bin/mv:
-      s:^# \(RM_COMMAND\)=.*:\1=${coreutils}/bin/rm:
-      s:^# \(TOUCH_COMMAND\)=.*:\1=${coreutils}/bin/touch:
-      s:^# \(PERL_COMMAND\)=.*:\1=${perl}/bin/perl:
-      #/^\s*#.*/d
-      #/^\s*$/d
-    ' < src/EDITME > Local/Makefile
-  '';
-
-  installPhase = ''
-    mkdir -p $out/bin $out/share/man/man8
-    cp doc/exim.8 $out/share/man/man8
-
-    ( cd build-Linux-*
-      cp exicyclog exim_checkaccess exim_dumpdb exim_lock exim_tidydb \
-        exipick exiqsumm exigrep exim_dbmbuild exim exim_fixdb eximstats \
-        exinext exiqgrep exiwhat \
-        $out/bin )
-
-    ( cd $out/bin
-      for i in mailq newaliases rmail rsmtp runq sendmail; do
-        ln -s exim $i
-      done )
-  '';
-
-  meta = {
-    homepage = http://exim.org/;
-    description = "A mail transfer agent (MTA)";
-    license = stdenv.lib.licenses.gpl3;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = [ stdenv.lib.maintainers.tv ];
-  };
-}

krebs/5pkgs/haskell-overrides/blessings.nix

@@ -5,7 +5,7 @@ mkDerivation {
   src = fetchgit {
     url = http://cgit.cd.krebsco.de/blessings;
     rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f";
-    sha256 = "b962153e80e51519b52220199d8350b54154833e4bc25a792ecc58898fef3fb2";
+    sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc";
   };
   libraryHaskellDepends = [ base ];
   doHaddock = false;

krebs/5pkgs/haskell-overrides/email-header.nix

@@ -7,8 +7,8 @@ mkDerivation {
   version = "0.3.0";
   src = fetchgit {
     url = "https://github.com/4z3/email-header";
-    sha256 = "f33fba567a39b1f2448869b269c26c40d8007599c23ab83bde5b4dfd9fd76ebc";
     rev = "7b179bd31192ead8afe7a0b6e34bcad4039deaa8";
+    sha256 = "12j2n3sbvzjnw99gga7kkdygm8n3qx2lh8q26ad6a53xm5whnz59";
   };
   buildDepends = [
     attoparsec base base64-bytestring bytestring case-insensitive

krebs/5pkgs/haskell-overrides/scanner.nix

@@ -5,7 +5,7 @@ mkDerivation {
   src = fetchgit {
     url = http://cgit.cd.krebsco.de/scanner;
     rev = "7f091a3bc152ad3974a1873b460fa1759bf8dcad";
-    sha256 = "7d123c227777932039d26fc832b8d32a90f04c0bd6b7e8bcff0a6f49a54e0054";
+    sha256 = "1lgl158axczsm4fx53fyq1d4116v91jsx4dbz66ka4k1ljqrmhgn";
   };
   libraryHaskellDepends = [ base ];
   license = stdenv.lib.licenses.wtfpl;

krebs/5pkgs/much/default.nix

@@ -14,7 +14,7 @@ mkDerivation {
   src = fetchgit {
     url = "http://cgit.cd.krebsco.de/much";
     rev = "045dc986b4de225a927175f81c8ccfdab450202c";
-    sha256 = "cec175e3dc32ef93029ee5285f6c4042ce11d637945bc8cec02cb6699d06cc13";
+    sha256 = "17jbw7x82a3bgn1qv5k764f103knrf865dmx48h7192vdh8gz766";
   };
   isLibrary = false;
   isExecutable = true;

krebs/5pkgs/noVNC/default.nix

@@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
   src = fetchgit {
     url = https://github.com/kanaka/noVNC;
     rev = "refs/tags/v0.5.1";
-    sha256 = "1azsnppwnrsv3axj0r5bw8lfarkibgz5vhgcyj8dzn4afn98f55w";
+    sha256 = "1vckvvfcawgfqmx415r5rnl6k2alx53jbqmsj49kxpbdvvxpb49d";
   };
 
   phases = [

lass/1systems/helios.nix

@@ -102,6 +102,11 @@ with config.krebs.lib;
       device = "/dev/pool/bku";
       fsType = "ext4";
     };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
   };
 
   #services.udev.extraRules = ''

lass/1systems/mors.nix

@@ -23,7 +23,7 @@ with config.krebs.lib;
     ../2configs/teamviewer.nix
     ../2configs/libvirt.nix
     ../2configs/fetchWallpaper.nix
-    ../2configs/c-base.nix
+    #../2configs/c-base.nix
     ../2configs/mail.nix
     ../2configs/krebs-pass.nix
     ../2configs/repo-sync.nix
@@ -54,8 +54,8 @@ with config.krebs.lib;
         enable = true;
         package = pkgs.postgresql;
       };
-      virtualisation.docker.enable = true;
+      #virtualisation.docker.enable = true;
-      users.users.mainUser.extraGroups = [ "docker" ];
+      #users.users.mainUser.extraGroups = [ "docker" ];
     }
     {
       lass.umts = {
@@ -140,6 +140,11 @@ with config.krebs.lib;
       device = "/dev/big/conf";
       fsType = "ext4";
     };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
   };
 
   services.udev.extraRules = ''
@@ -192,8 +197,12 @@ with config.krebs.lib;
     urban
     mk_sql_pair
     remmina
+    thunderbird
 
     logf
+    iodine
+
+    macchanger
   ];
 
   #TODO: fix this shit

lass/1systems/prism.nix

@@ -23,6 +23,7 @@ in {
     ../2configs/buildbot-standalone.nix
     ../2configs/repo-sync.nix
     ../2configs/binary-cache/server.nix
+    ../2configs/iodined.nix
     {
       imports = [
         ../2configs/git.nix
@@ -119,6 +120,12 @@ in {
         device = "/dev/pool/bku";
       };
 
+      fileSystems."/tmp" = {
+        device = "tmpfs";
+        fsType = "tmpfs";
+        options = ["nosuid" "nodev" "noatime"];
+      };
+
     }
     {
       sound.enable = false;
@@ -260,6 +267,11 @@ in {
        { predicate = "-p tcp --dport 8088"; target = "ACCEPT"; }
       ];
     }
+    {
+      krebs.repo-sync.timerConfig = {
+        OnCalendar = "*:0/5";
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;

lass/1systems/shodan.nix

@@ -50,6 +50,11 @@ with builtins;
       device = "/dev/pool/home-lass";
       fsType = "ext4";
     };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
   };
 
   services.udev.extraRules = ''

lass/1systems/uriel.nix

@@ -1,33 +1,45 @@
 { config, pkgs, ... }:
 
 with builtins;
+with config.krebs.lib;
 {
   imports = [
     ../.
     ../2configs/retiolum.nix
-    ../2configs/baseX.nix
     ../2configs/exim-retiolum.nix
-    ../2configs/browsers.nix
-    ../2configs/games.nix
-    ../2configs/pass.nix
-    ../2configs/bird.nix
-    ../2configs/git.nix
-    ../2configs/chromium-patched.nix
-    ../2configs/bitlbee.nix
-    ../2configs/weechat.nix
-    ../2configs/skype.nix
     {
-      lass.umts = {
+      # locke config
+      time.timeZone = "Europe/Berlin";
+      services.xserver.enable = true;
+      users.users.locke = {
+        uid = genid "locke";
+        home = "/home/locke";
+        group = "users";
+        createHome = true;
+        extraGroups = [
+          "audio"
+          "networkmanager"
+        ];
+        useDefaultShell = true;
+      };
+      networking.networkmanager.enable = true;
+      hardware.pulseaudio = {
+        enable = true;
+        systemWide = true;
+      };
+      environment.systemPackages = with pkgs; [
+        firefox
+        hexchat
+        networkmanagerapplet
+      ];
+      services.xserver.desktopManager.xfce = {
         enable = true;
-        modem = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
       };
     }
   ];
 
   krebs.build.host = config.krebs.hosts.uriel;
 
-  networking.wireless.enable = true;
-
   hardware.enableAllFirmware = true;
   nixpkgs.config.allowUnfree = true;
 
@@ -62,6 +74,11 @@ with builtins;
     "/boot" = {
       device = "/dev/sda1";
     };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
   };
 
   services.udev.extraRules = ''

lass/2configs/backups.nix

@@ -23,10 +23,10 @@ with config.krebs.lib;
       dst = { host = config.krebs.hosts.mors;     path = "/bku/dishfire-http"; };
       startAt = "03:05";
     };
-    dishfire-http-uriel = {
+    dishfire-http-shodan = {
       method = "pull";
       src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
-      dst = { host = config.krebs.hosts.uriel;    path = "/bku/dishfire-http"; };
+      dst = { host = config.krebs.hosts.shodan;    path = "/bku/dishfire-http"; };
       startAt = "03:10";
     };
     dishfire-sql-prism = {
@@ -41,10 +41,10 @@ with config.krebs.lib;
       dst = { host = config.krebs.hosts.mors;     path = "/bku/dishfire-sql"; };
       startAt = "03:20";
     };
-    dishfire-sql-uriel = {
+    dishfire-sql-shodan = {
       method = "pull";
       src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
-      dst = { host = config.krebs.hosts.uriel;    path = "/bku/dishfire-sql"; };
+      dst = { host = config.krebs.hosts.shodan;    path = "/bku/dishfire-sql"; };
       startAt = "03:25";
     };
     prism-bitlbee-mors = {
@@ -53,10 +53,10 @@ with config.krebs.lib;
       dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
       startAt = "03:25";
     };
-    prism-bitlbee-uriel = {
+    prism-bitlbee-shodan = {
       method = "pull";
       src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
-      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; };
+      dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
       startAt = "03:25";
     };
     prism-chat-mors = {
@@ -65,10 +65,10 @@ with config.krebs.lib;
       dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-chat"; };
       startAt = "03:30";
     };
-    prism-chat-uriel = {
+    prism-chat-shodan = {
       method = "pull";
       src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
-      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+      dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
       startAt = "03:35";
     };
     prism-sql-mors = {
@@ -77,10 +77,10 @@ with config.krebs.lib;
       dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-sql_dumps"; };
       startAt = "03:40";
     };
-    prism-sql-uriel = {
+    prism-sql-shodan = {
       method = "pull";
       src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
-      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+      dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
       startAt = "03:45";
     };
     prism-http-mors = {
@@ -89,22 +89,22 @@ with config.krebs.lib;
       dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-http"; };
       startAt = "03:50";
     };
-    prism-http-uriel = {
+    prism-http-shodan = {
       method = "pull";
       src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
-      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+      dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
       startAt = "03:55";
     };
-    uriel-home-mors = {
+    shodan-home-mors = {
       method = "pull";
-      src = { host = config.krebs.hosts.uriel; path = "/home"; };
+      src = { host = config.krebs.hosts.shodan; path = "/home"; };
-      dst = { host = config.krebs.hosts.mors;  path = "/bku/uriel-home"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/shodan-home"; };
       startAt = "04:00";
     };
-    mors-home-uriel = {
+    mors-home-shodan = {
       method = "push";
       src = { host = config.krebs.hosts.mors;  path = "/home"; };
-      dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+      dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
       startAt = "05:00";
     };
     dishfire-http-helios = {

lass/2configs/browsers.nix

@@ -1,11 +1,28 @@
 { config, lib, pkgs, ... }:
 
+with config.krebs.lib;
 let
-  inherit (config.krebs.lib) genid;
 
   mainUser = config.users.extraUsers.mainUser;
-  createChromiumUser = name: extraGroups: packages:
+
-    {
+  browser-select = pkgs.writeScriptBin "browser-select" ''
+    BROWSER=$(echo -e "${concatStringsSep "\\n" (attrNames config.lass.browser.paths)}" | ${pkgs.dmenu}/bin/dmenu)
+    case $BROWSER in
+    ${concatMapStringsSep "\n" (n: ''
+      ${n})
+        export BIN=${config.lass.browser.paths.${n}}/bin/${n}
+        ;;
+    '') (attrNames config.lass.browser.paths)}
+    esac
+    $BIN "$@"
+  '';
+
+  createChromiumUser = name: extraGroups:
+    let
+      bin = pkgs.writeScriptBin name ''
+        /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@
+      '';
+    in {
       users.extraUsers.${name} = {
         inherit name;
         inherit extraGroups;
@@ -14,19 +31,21 @@ let
         useDefaultShell = true;
         createHome = true;
       };
-      krebs.per-user.${name}.packages = packages;
+      lass.browser.paths.${name} = bin;
       security.sudo.extraConfig = ''
         ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
       '';
       environment.systemPackages = [
-        (pkgs.writeScriptBin name ''
+        bin
-          /var/setuid-wrappers/sudo -u ${name} -i chromium $@
-        '')
       ];
     };
 
-  createFirefoxUser = name: extraGroups: packages:
+  createFirefoxUser = name: extraGroups:
-    {
+    let
+      bin = pkgs.writeScriptBin name ''
+        /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
+      '';
+    in {
       users.extraUsers.${name} = {
         inherit name;
         inherit extraGroups;
@@ -35,14 +54,12 @@ let
         useDefaultShell = true;
         createHome = true;
       };
-      krebs.per-user.${name}.packages = packages;
+      lass.browser.paths.${name} = bin;
       security.sudo.extraConfig = ''
         ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
       '';
       environment.systemPackages = [
-        (pkgs.writeScriptBin name ''
+        bin
-          /var/setuid-wrappers/sudo -u ${name} -i firefox $@
-        '')
       ];
     };
 
@@ -50,19 +67,26 @@ let
 
 in {
 
+  lass.browser.select = browser-select;
+
   environment.systemPackages = [
-    (pkgs.writeScriptBin "browser-select" ''
+    browser-select
-      BROWSER=$(echo -e "ff\ncr\nwk\nfb\ngm\nflash" | dmenu)
-      $BROWSER $@
-    '')
   ];
 
   imports = [
-    ( createFirefoxUser "ff" [ "audio" ] [ pkgs.firefox ] )
+    {
-    ( createChromiumUser "cr" [ "video" "audio" ] [ pkgs.chromium ] )
+      options.lass.browser.select = mkOption {
-    ( createChromiumUser "wk" [ "video" "audio" ] [ pkgs.chromium ] )
+        type = types.path;
-    ( createChromiumUser "fb" [ "video" "audio" ] [ pkgs.chromium ] )
+      };
-    ( createChromiumUser "gm" [ "video" "audio" ] [ pkgs.chromium ] )
+      options.lass.browser.paths = mkOption {
-    ( createChromiumUser "com" [ "video" "audio" ] [ pkgs.chromium ] )
+        type = with types; attrsOf path;
+      };
+    }
+    ( createFirefoxUser "ff" [ "audio" ] )
+    ( createChromiumUser "cr" [ "video" "audio" ] )
+    ( createChromiumUser "wk" [ "video" "audio" ] )
+    ( createChromiumUser "fb" [ "video" "audio" ] )
+    ( createChromiumUser "gm" [ "video" "audio" ] )
+    ( createChromiumUser "com" [ "video" "audio" ] )
   ];
 }

lass/2configs/default.nix

@@ -21,7 +21,6 @@ with config.krebs.lib;
         root = {
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
-            config.krebs.users.lass-uriel.pubkey
             config.krebs.users.lass-shodan.pubkey
           ];
         };
@@ -37,7 +36,6 @@ with config.krebs.lib;
           ];
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
-            config.krebs.users.lass-uriel.pubkey
             config.krebs.users.lass-shodan.pubkey
           ];
         };
@@ -69,7 +67,7 @@ with config.krebs.lib;
     };
   };
 
-  nix.useChroot = true;
+  nix.useSandbox = true;
 
   users.mutableUsers = false;
 
@@ -99,6 +97,7 @@ with config.krebs.lib;
     jq
     parallel
     proot
+    populate
 
   #style
     most
@@ -143,15 +142,6 @@ with config.krebs.lib;
       shopt -s histappend histreedit histverify
       shopt -s no_empty_cmd_completion
       complete -d cd
-
-      #fancy colors
-      if [ -e ~/LS_COLORS ]; then
-        eval $(dircolors ~/LS_COLORS)
-      fi
-
-      if [ -e /etc/nixos/dotfiles/link ]; then
-        /etc/nixos/dotfiles/link
-      fi
     '';
     promptInit = ''
       if test $UID = 0; then

lass/2configs/iodined.nix

@@ -0,0 +1,20 @@
+{ pkgs, config, ... }:
+
+let
+  # TODO: make this a parameter
+  domain = "io.lassul.us";
+  pw = import <secrets/iodinepw.nix>;
+in {
+
+  services.iodine.server = {
+    enable = true;
+    domain = domain;
+    ip = "172.16.10.1/24";
+    extraConfig = "-c -P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}";
+  };
+
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p udp --dport 53"; target = "ACCEPT";}
+  ];
+
+}

lass/2configs/nixpkgs.nix

@@ -2,7 +2,7 @@
 
 {
   krebs.build.source.nixpkgs.git = {
-    url = https://github.com/lassulus/nixpkgs;
+    url = https://github.com/nixos/nixpkgs;
-    ref = "3fb009d94e70f5d1151f4ec239a90d2de1979a74";
+    ref = "354fd3728952c229fee4f2924737c601d7ab4725";
   };
 }

lass/2configs/tests/dummy-secrets/iodinepw.nix

@@ -0,0 +1 @@
+"derp"

lass/2configs/websites/domsen.nix

@@ -1,9 +1,11 @@
 { config, pkgs, lib, ... }:
 
 let
+
   inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
     genid
-    ;
+    genid_signed
+  ;
   inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
     ssl
     servePage
@@ -20,6 +22,25 @@ let
     exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
   '';
 
+  check-password = pkgs.writeDash "check-password" ''
+    read pw
+
+    file="/home/$PAM_USER/.shadow"
+
+    #check if shadow file exists
+    test -e "$file" || exit 123
+
+    hash="$(${pkgs.coreutils}/bin/head -1 $file)"
+    salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
+
+    calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
+    if [ "$calc_hash" == $hash ]; then
+      exit 0
+    else
+      exit 1
+    fi
+  '';
+
 in {
   imports = [
     ./sqlBackup.nix
@@ -122,39 +143,62 @@ in {
     };
   };
 
-
+  services.phpfpm.phpOptions = ''
-  #services.phpfpm.phpOptions = ''
+    sendmail_path = ${sendmail} -t
-  #  extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+    upload_max_filesize = 100M
-  #  sendmail_path = ${sendmail} -t
+    post_max_size = 100M
-  #'';
+    file_uploads = on
-  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
-     options = ''
-      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-      sendmail_path = "${sendmail} -t -i"
-      always_populate_raw_post_data = -1
-    '';
-  } ''
-    cat ${pkgs.php}/etc/php-recommended.ini > $out
-    echo "$options" >> $out
   '';
 
   # MAIL STUFF
   # TODO: make into its own module
-    services.dovecot2 = {
+  services.dovecot2 = {
-      enable = true;
+    enable = true;
-      mailLocation = "maildir:~/Mail";
+    mailLocation = "maildir:~/Mail";
-    };
+    sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
-    krebs.iptables.tables.filter.INPUT.rules = [
+    sslServerKey = "/var/lib/acme/lassul.us/key.pem";
-      { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
+  };
-      { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
+  krebs.iptables.tables.filter.INPUT.rules = [
-    ];
+    { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
+    { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
+    { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
+  ];
+
+  security.pam.services.exim.text = ''
+    auth        required      pam_env.so
+    auth        sufficient    pam_exec.so debug expose_authtok ${check-password}
+    auth        sufficient    pam_unix.so likeauth nullok
+    auth        required      pam_deny.so
+    account     required      pam_unix.so
+    password    required      pam_cracklib.so retry=3 type=
+    password    sufficient    pam_unix.so nullok use_authtok md5shadow
+    password    required      pam_deny.so
+    session     required      pam_limits.so
+    session     required      pam_unix.so
+  '';
+
   krebs.exim-smarthost = {
+    authenticators.PLAIN = ''
+      driver = plaintext
+      server_prompts = :
+      server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
+      server_set_id = $auth2
+    '';
+    authenticators.LOGIN = ''
+      driver = plaintext
+      server_prompts = "Username:: : Password::"
+      server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
+      server_set_id = $auth1
+    '';
     internet-aliases = [
       { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
       { from = "mail@jla-trading.com"; to = "jla-trading"; }
+      { from = "testuser@lassul.us"; to = "testuser"; }
     ];
     system-aliases = [
     ];
+    ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
+    ssl_key = "/var/lib/acme/lassul.us/key.pem";
   };
 
   users.users.domsen = {

lass/2configs/websites/util.nix

@@ -167,7 +167,6 @@ rec {
         pm.max_spare_servers = 3
         listen.owner = nginx
         listen.group = nginx
-        # errors to journal
         php_admin_value[error_log] = 'stderr'
         php_admin_flag[log_errors] = on
         catch_workers_output = yes
@@ -188,6 +187,7 @@ rec {
           error_log /tmp/nginx_err.log;
           error_page 404 /404.html;
           error_page 500 502 503 504 /50x.html;
+          client_max_body_size 100m;
         '';
         locations = [
           (nameValuePair "/" ''
@@ -219,7 +219,6 @@ rec {
         pm.max_spare_servers = 3
         listen.owner = nginx
         listen.group = nginx
-        # errors to journal
         php_admin_value[error_log] = 'stderr'
         php_admin_flag[log_errors] = on
         catch_workers_output = yes

lass/2configs/xserver/Xresources.nix

@@ -11,7 +11,7 @@ pkgs.writeText "Xresources" ''
   ! ref https://github.com/muennich/urxvt-perls
   URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
   URxvt.perl-ext-common:      default,clipboard,url-select,keyboard-select
-  URxvt.url-select.launcher:  browser-select
+  URxvt.url-select.launcher:  ${config.lass.browser.select}/bin/browser-select
   URxvt.url-select.underline: true
   URxvt.keysym.M-u:           perl:url-select:select_next
   URxvt.keysym.M-Escape:      perl:keyboard-select:activate

lass/2configs/xserver/default.nix

@@ -1,143 +1,112 @@
-{ config, lib, pkgs, ... }@args:
+{ config, pkgs, ... }@args:
-
 with config.krebs.lib;
-
 let
-  # TODO krebs.build.user
+  user = config.krebs.build.user;
-  user = config.users.users.mainUser;
+in {
 
-  out = {
+  environment.systemPackages = [
-    services.xserver = {
+    pkgs.gitAndTools.qgit
-      display = 11;
+    pkgs.mpv
-      tty = 11;
+    pkgs.sxiv
+    pkgs.xsel
+    pkgs.zathura
+  ];
 
-      synaptics = {
+  fonts.fonts = [
-        enable = true;
+    pkgs.xlibs.fontschumachermisc
-        twoFingerScroll = true;
+  ];
-        accelFactor = "0.035";
-      };
 
-      #keyboard stuff
+  services.xserver = {
-      layout = "us";
+    enable = true;
-      xkbVariant = "altgr-intl";
+    display = 11;
-      xkbOptions = "caps:backspace";
+    tty = 11;
+
+    synaptics = {
+      enable = true;
+      twoFingerScroll = true;
+      accelFactor = "0.035";
     };
 
-    fonts.fonts = [
+    layout = "us";
-      pkgs.xlibs.fontschumachermisc
+    xkbVariant = "altgr-intl";
+    xkbOptions = "caps:backspace";
+  };
+
+  systemd.services.display-manager.enable = false;
+
+  systemd.services.xmonad = {
+    wantedBy = [ "multi-user.target" ];
+    requires = [ "xserver.service" ];
+    environment = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+
+      XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
+        ${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
+        ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
+        ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
+        wait
+      '';
+
+      XMONAD_STATE = "/tmp/xmonad.state";
+
+      # XXX JSON is close enough :)
+      XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+        "dashboard" # we start here
+      ]);
+    };
+    serviceConfig = {
+      SyslogIdentifier = "xmonad";
+      ExecStart = "${pkgs.xmonad-lass}/bin/xmonad";
+      ExecStop = pkgs.writeScript "xmonad-stop" ''
+        #! /bin/sh
+        ${pkgs.xmonad-lass}/bin/xmonad --shutdown
+        ${pkgs.coreutils}/bin/sleep 2s
+      '';
+      User = user.name;
+      WorkingDirectory = user.home;
+    };
+  };
+
+  systemd.services.xserver = {
+    after = [
+      "systemd-udev-settle.service"
+      "local-fs.target"
+      "acpid.service"
     ];
-
+    reloadIfChanged = true;
-    systemd.services.urxvtd = {
+    environment = {
-      wantedBy = [ "multi-user.target" ];
+      XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
-      reloadIfChanged = true;
+      XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
-      serviceConfig = {
+      LD_LIBRARY_PATH = concatStringsSep ":" (
-        ExecReload = need-reload "urxvtd.service";
+        [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
-        ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
+        ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
-        Restart = "always";
-        RestartSec = "2s";
-        StartLimitBurst = 0;
-        User = user.name;
-      };
     };
-
+    serviceConfig = {
-    krebs.per-user.lass.packages = [
+      SyslogIdentifier = "xserver";
-      pkgs.rxvt_unicode_with-plugins
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
-    ];
+      ExecStart = toString [
-
+        "${pkgs.xorg.xorgserver}/bin/X"
-    systemd.services.display-manager.enable = false;
+        ":${toString config.services.xserver.display}"
-
+        "vt${toString config.services.xserver.tty}"
-    services.xserver.enable = true;
+        "-config ${import ./xserver.conf.nix args}"
-
+        "-logfile /dev/null -logverbose 0 -verbose 3"
-    systemd.services.xmonad = {
+        "-nolisten tcp"
-      wantedBy = [ "multi-user.target" ];
+        "-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
-      requires = [ "xserver.service" ];
-      environment = xmonad-environment;
-      restartIfChanged = true;
-      serviceConfig = {
-        ExecStart = "${xmonad-start}/bin/xmonad";
-        ExecStop = "${xmonad-stop}/bin/xmonad-stop";
-        User = user.name;
-        WorkingDirectory = user.home;
-      };
-    };
-
-    systemd.services.xserver = {
-      after = [
-        "systemd-udev-settle.service"
-        "local-fs.target"
-        "acpid.service"
       ];
-      reloadIfChanged = true;
-      environment = xserver-environment;
-      serviceConfig = {
-        ExecReload = need-reload "xserver.service";
-        ExecStart = "${xserver}/bin/xserver";
-      };
     };
   };
 
-  xmonad-environment = {
+  systemd.services.urxvtd = {
-    DISPLAY = ":${toString config.services.xserver.display}";
+    wantedBy = [ "multi-user.target" ];
-    XMONAD_STATE = "/tmp/xmonad.state";
+    reloadIfChanged = true;
-
+    serviceConfig = {
-    # XXX JSON is close enough :)
+      SyslogIdentifier = "urxvtd";
-    XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
-      "dashboard"
+      ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
-    ]);
+      Restart = "always";
+      RestartSec = "2s";
+      StartLimitBurst = 0;
+      User = user.name;
+    };
   };
-
+}
-  xmonad-start = pkgs.writeScriptBin "xmonad" ''
-    #! ${pkgs.bash}/bin/bash
-    set -efu
-    export PATH; PATH=${makeSearchPath "bin" ([
-      pkgs.rxvt_unicode
-    ] ++ config.environment.systemPackages)}:/var/setuid-wrappers
-    settle() {(
-      # Use PATH for a clean journal
-      command=''${1##*/}
-      PATH=''${1%/*}; export PATH
-      shift
-      until "$command" "$@"; do
-        ${pkgs.coreutils}/bin/sleep 1
-      done
-    )&}
-    settle ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
-    settle ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args}
-    settle ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c'
-    exec ${pkgs.xmonad-lass}/bin/xmonad
-  '';
-
-  xmonad-stop = pkgs.writeScriptBin "xmonad-stop" ''
-    #! /bin/sh
-    ${pkgs.xmonad-lass}/bin/xmonad --shutdown
-    ${pkgs.coreutils}/bin/sleep 2s
-  '';
-
-  xserver-environment = {
-    XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
-    XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
-    LD_LIBRARY_PATH = concatStringsSep ":" (
-      [ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
-      ++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
-  };
-
-  xserver = pkgs.writeScriptBin "xserver" ''
-    #! /bin/sh
-    set -efu
-    exec ${pkgs.xorg.xorgserver.out}/bin/X \
-        :${toString config.services.xserver.display} \
-        vt${toString config.services.xserver.tty} \
-        -config ${import ./xserver.conf.nix args} \
-        -logfile /var/log/X.${toString config.services.xserver.display}.log \
-        -nolisten tcp \
-        -xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb \
-  '';
-
-  need-reload = s: let
-    pkg = pkgs.writeScriptBin "need-reload" ''
-      #! /bin/sh
-      echo "$*"
-    '';
-  in "${pkg}/bin/need-reload ${s}";
-
-in out

lass/2configs/zsh.nix

@@ -118,5 +118,4 @@
       fi
     '';
   };
-  users.defaultUserShell = "/run/current-system/sw/bin/zsh";
 }

lass/3modules/default.nix

@@ -3,9 +3,11 @@ _:
   imports = [
     ./ejabberd
     ./folderPerms.nix
+    ./hosts.nix
     ./mysql-backup.nix
     ./umts.nix
     ./urxvtd.nix
+    ./usershadow.nix
     ./wordpress_nginx.nix
     ./xresources.nix
   ];

lass/3modules/hosts.nix

@@ -0,0 +1,12 @@
+{ config, ... }:
+
+with config.krebs.lib;
+
+{
+  options.lass.hosts = mkOption {
+    type = types.attrsOf types.host;
+    default =
+      filterAttrs (_: host: host.owner.name == "lass")
+      config.krebs.hosts;
+  };
+}

lass/3modules/owncloud_nginx.nix

@@ -111,7 +111,6 @@ let
       pm.max_spare_servers = 3
       listen.owner = ${user}
       listen.group = ${group}
-      # errors to journal
       php_admin_value[error_log] = 'stderr'
       php_admin_flag[log_errors] = on
       catch_workers_output = yes

lass/3modules/umts.nix

@@ -41,10 +41,6 @@ let
 
   wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
 
-  #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
-  modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
-
-  # TODO: currently it is only netzclub
   umts-bin = pkgs.writeScriptBin "umts" ''
     #!/bin/sh
     set -euf

lass/3modules/usershadow.nix

@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+  cfg = config.lass.usershadow;
+
+  out = {
+    options.lass.usershadow = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "usershadow";
+    pattern = mkOption {
+      type = types.str;
+      default = "/home/%/.shadow";
+    };
+  };
+
+  imp = {
+    environment.systemPackages = [ usershadow ];
+    security.pam.services.sshd.text = ''
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+      auth required pam_permit.so
+      account required pam_permit.so
+      session required pam_permit.so
+    '';
+
+    security.pam.services.exim.text = ''
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+      auth required pam_permit.so
+      account required pam_permit.so
+      session required pam_permit.so
+    '';
+  };
+
+  usershadow = let {
+    deps = [
+      "pwstore-fast"
+      "bytestring"
+    ];
+    body = pkgs.writeHaskell "passwords" {
+      executables.verify = {
+        extra-depends = deps;
+        text = ''
+          import Data.Monoid
+          import System.IO
+          import Data.Char (chr)
+          import System.Environment (getEnv, getArgs)
+          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+          import qualified Data.ByteString.Char8 as BS8
+          import System.Exit (exitFailure, exitSuccess)
+
+          main :: IO ()
+          main = do
+            user <- getEnv "PAM_USER"
+            shadowFilePattern <- head <$> getArgs
+            let shadowFile = lhs <> user <> tail rhs
+                (lhs, rhs) = span (/= '%') shadowFilePattern
+            hash <- readFile shadowFile
+            password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+            if res then exitSuccess else exitFailure
+        '';
+      };
+      executables.passwd = {
+        extra-depends = deps;
+        text = ''
+          import System.Environment (getEnv)
+          import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+          import qualified Data.ByteString.Char8 as BS8
+          import System.IO (stdin, hSetEcho, putStr)
+
+          main :: IO ()
+          main = do
+            home <- getEnv "HOME"
+            putStr "password:"
+            hSetEcho stdin False
+            password <- BS8.hGetLine stdin
+            hash <- makePasswordWith pbkdf2 password 10
+            BS8.writeFile (home ++ "/.shadow") hash
+        '';
+      };
+    };
+  };
+
+in out

lass/3modules/wordpress_nginx.nix

@@ -154,7 +154,6 @@ let
       pm.max_spare_servers = 3
       listen.owner = ${user}
       listen.group = ${group}
-      # errors to journal
       php_admin_value[error_log] = 'stderr'
       php_admin_flag[log_errors] = on
       catch_workers_output = yes

lass/5pkgs/xmonad-lass.nix

@@ -9,7 +9,7 @@ pkgs.writeHaskell "xmonad-lass" {
       "xmonad-contrib"
       "xmonad-stockholm"
     ];
-    text = ''
+    text = /* haskell */ ''
 {-# LANGUAGE DeriveDataTypeable #-} -- for XS
 {-# LANGUAGE FlexibleContexts #-} -- for xmonad'
 {-# LANGUAGE LambdaCase #-}
@@ -24,6 +24,7 @@ import Control.Exception
 import Data.List (isInfixOf)
 import System.Environment (getArgs, withArgs, getEnv)
 import System.IO (hPutStrLn, stderr)
+import System.Posix.Process (executeFile)
 import Text.Read (readEither)
 import XMonad.Actions.CopyWindow (copy, kill1)
 import XMonad.Actions.CycleWS (toggleWS)
@@ -41,12 +42,13 @@ import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNext
 import XMonad.Layout.NoBorders (smartBorders)
 import XMonad.Prompt (autoComplete, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
-import XMonad.Stockholm.Shutdown (sendShutdownEvent, handleShutdownEvent)
 import XMonad.Util.EZConfig (additionalKeysP)
+import XMonad.Layout.SimpleFloat (simpleFloat)
 
+import XMonad.Stockholm.Shutdown
 
-myTerm :: String
+urxvtcPath :: FilePath
-myTerm = "${pkgs.rxvt_unicode}/bin/urxvtc"
+urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"
 
 myFont :: String
 myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
@@ -62,12 +64,14 @@ mainNoArgs = do
     xmonad'
         $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
         $ def
-            { terminal          = myTerm
+            { terminal          = urxvtcPath
             , modMask           = mod4Mask
             , workspaces        = workspaces0
             , layoutHook = smartBorders $ myLayoutHook
             , manageHook        = placeHook (smart (1,0)) <+> floatNextHook
-            , startupHook       = spawn "echo emit XMonadStartup"
+            , startupHook = do
+                path <- liftIO (getEnv "XMONAD_STARTUP_HOOK")
+                forkFile path [] Nothing
             , normalBorderColor  = "#1c1c1c"
             , focusedBorderColor = "#f000b0"
             , handleEventHook = handleShutdownEvent
@@ -75,7 +79,7 @@ mainNoArgs = do
 
 myLayoutHook = defLayout
   where
-    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1)
+    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat
 
 
 xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO ()
@@ -83,7 +87,7 @@ xmonad' conf = do
     path <- getEnv "XMONAD_STATE"
     try (readFile path) >>= \case
         Right content -> do
-            hPutStrLn stderr ("resuming from " ++ path ++ "; state = " ++ show content)
+            hPutStrLn stderr ("resuming from " ++ path)
             withArgs ("--resume" : lines content) (xmonad conf)
         Left e -> do
             hPutStrLn stderr (displaySomeException e)
@@ -107,7 +111,7 @@ displaySomeException = displayException
 
 myKeyMap :: [([Char], X ())]
 myKeyMap =
-    [ ("M4-<F11>", spawn "i3lock -i /var/lib/wallpaper/wallpaper -f")
+    [ ("M4-<F11>", spawn "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f")
     , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
     , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 +4%")
     , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 -4%")
@@ -123,8 +127,8 @@ myKeyMap =
     , ("M4-S-<Backspace>", removeEmptyWorkspace)
     , ("M4-S-c", kill1)
     , ("M4-<Esc>", toggleWS)
-    , ("M4-S-<Enter>", spawn myTerm)
+    , ("M4-S-<Enter>", spawn urxvtcPath)
-    , ("M4-x", floatNext True >> spawn myTerm)
+    , ("M4-x", floatNext True >> spawn urxvtcPath)
     , ("M4-f", floatNext True)
     , ("M4-b", sendMessage ToggleStruts)
 
@@ -141,6 +145,10 @@ myKeyMap =
     , ("M4-S-q", return ())
     ]
 
+forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
+forkFile path args env =
+    xfork (executeFile path False args env) >> return ()
+
 autoXPConfig :: XPConfig
 autoXPConfig = def
     { autoComplete = Just 5000
@@ -159,8 +167,6 @@ gridConfig = def
     , gs_navigate = navNSearch
     , gs_font = myFont
     }
-
     '';
   };
 }
-

lib/default.nix

@@ -1,6 +1,10 @@
 let
   lib = import <nixpkgs/lib> // builtins // {
     shell = import ./shell.nix { inherit lib; };
+
+    eq = x: y: x == y;
+    ne = x: y: x != y;
+    mod = x: y: x - y * (x / y);
   };
 in
 

tv/1systems/xu.nix

@@ -24,7 +24,7 @@ with config.krebs.lib;
         # stockholm
         gnumake
         hashPassword
-        haskellPackages.lentil
+        #haskellPackages.lentil
         parallel
         (pkgs.writeBashBin "im" ''
           export PATH=${makeSearchPath "bin" (with pkgs; [
@@ -60,7 +60,7 @@ with config.krebs.lib;
         pass
         q
         qrencode
-        texLive
+        #texLive
         tmux
 
         #ack
@@ -138,6 +138,11 @@ with config.krebs.lib;
       fsType = "btrfs";
       options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
+    "/bku" = {
+      device = "/dev/mapper/xuvga-bku";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
     "/home" = {
       device = "/dev/mapper/xuvga-home";
       fsType = "btrfs";

tv/2configs/default.nix

@@ -14,7 +14,7 @@ with config.krebs.lib;
       stockholm.file = "/home/tv/stockholm";
       nixpkgs.git = {
         url = https://github.com/NixOS/nixpkgs;
-        ref = "2568ee3d73bdebd6bab6739adf8a900f3429c8e6";
+        ref = "354fd3728952c229fee4f2924737c601d7ab4725";
       };
     } // optionalAttrs host.secure {
       secrets-master.file = "/home/tv/secrets/master";
@@ -37,6 +37,7 @@ with config.krebs.lib;
       # stockholm dependencies
       environment.systemPackages = with pkgs; [
         git
+        populate
       ];
     }
     {
@@ -53,6 +54,7 @@ with config.krebs.lib;
       };
     }
     {
+      security.hideProcessInformation = true;
       security.sudo.extraConfig = ''
         Defaults env_keep+="SSH_CLIENT"
         Defaults mailto="${config.krebs.users.tv.mail}"
@@ -63,13 +65,13 @@ with config.krebs.lib;
 
     {
       # TODO check if both are required:
-      nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+      nix.sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
 
       nix.requireSignedBinaryCaches = true;
 
       nix.binaryCaches = ["https://cache.nixos.org"];
 
-      nix.useChroot = true;
+      nix.useSandbox = true;
     }
     {
       nixpkgs.config.allowUnfree = false;

tv/2configs/hw/x220.nix

@@ -5,7 +5,7 @@
     ../smartd.nix
   ];
 
-  boot.loader.gummiboot.enable = true;
+  boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
   networking.wireless.enable = true;
@@ -13,6 +13,8 @@
   # Required for Centrino.
   hardware.enableAllFirmware = true;
 
+  hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
+
   hardware.trackpoint = {
     enable = true;
     sensitivity = 220;
@@ -41,6 +43,5 @@
 
   services.xserver = {
     videoDriver = "intel";
-    vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
   };
 }

tv/2configs/man.nix

@@ -1,10 +1,10 @@
 { config, lib, pkgs, ... }:
 {
-  environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
+  #environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
-    ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
+  #  ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
-      s:^NROFF\t.*:& -Wbreak:
+  #    s:^NROFF\t.*:& -Wbreak:
-    '
+  #  '
-  '';
+  #'';
   environment.systemPackages = with pkgs; [
     manpages
     posix_man_pages

tv/2configs/urlwatch.nix

@@ -31,6 +31,7 @@ with config.krebs.lib;
 
       ## other
 
+      https://nixos.org/channels/nixos-16.09/git-revision
       https://nixos.org/channels/nixos-unstable/git-revision
 
       ## 2014-10-17

tv/2configs/vim.nix

@@ -21,7 +21,7 @@ let
       src = pkgs.fetchgit {
         url = https://github.com/vito-c/jq.vim;
         rev = "99d55a300047946a82ecdd7617323a751199ad2d";
-        sha256 = "00mmwg4swwmllknzzx07af080lcy7y5i6341rc6c08i2vka48nv9";
+        sha256 = "09c94nah47wx0cr556w61h6pfznxld18pfblc3nv51ivbw7cjqyx";
       };
     })
     (pkgs.vimUtils.buildVimPlugin {

tv/5pkgs/q/default.nix

@@ -178,6 +178,11 @@ in
 pkgs.writeBashBin "q" ''
   set -eu
   export PATH=/var/empty
+  (${q-todo}) || :
+  if [ "$PWD" != "$HOME" ]; then
+    (HOME=$PWD; ${q-todo}) || :
+  fi
+  echo
   ${q-cal}
   echo
   ${q-isodate}
@@ -189,8 +194,4 @@ pkgs.writeBashBin "q" ''
   (${q-online}) &
   (${q-thermal_zone}) &
   wait
-  ${q-todo}
-  if [ "$PWD" != "$HOME" ]; then
-    (HOME=$PWD; ${q-todo})
-  fi
 ''