Merge branch 'master' of prism.r:stockholm

krebs/1systems/hotdog/config.nix

@@ -20,10 +20,5 @@
 
   boot.isContainer = true;
   networking.useDHCP = false;
-  krebs.repo-sync.repos.stockholm.timerConfig = {
-    OnBootSec = "5min";
-    OnUnitInactiveSec = "2min";
-    RandomizedDelaySec = "2min";
-  };
   krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm";
 }

krebs/1systems/wolf/config.nix

@@ -10,7 +10,6 @@ in
     <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
     <stockholm/krebs/2configs/collectd-base.nix>
     <stockholm/krebs/2configs/stats/wolf-client.nix>
-    <stockholm/krebs/2configs/save-diskspace.nix>
 
     <stockholm/krebs/2configs/graphite.nix>
     <stockholm/krebs/2configs/buildbot-krebs.nix>

krebs/2configs/buildbot-all.nix

@@ -1,13 +1,10 @@
 with import <stockholm/lib>;
 { lib, config, pkgs, ... }:
 {
-  imports = [
-    <stockholm/krebs/2configs/repo-sync.nix>
-  ];
-
   networking.firewall.allowedTCPPorts = [ 80 8010 9989 ];
   krebs.ci.enable = true;
   krebs.ci.treeStableTimer = 1;
   krebs.ci.hosts = filter (getAttr "ci") (attrValues config.krebs.hosts);
+  krebs.ci.tests = [ "deploy" ];
 }
 

krebs/2configs/hw/x220.nix

@@ -23,7 +23,7 @@ with import <stockholm/lib>;
     pkgs.vaapiVdpau
   ];
 
-  security.rngd.enable = true;
+  security.rngd.enable = mkDefault true;
 
   services.xserver = {
     videoDriver = "intel";

krebs/3modules/buildbot/slave.nix

@@ -161,7 +161,7 @@ let
         ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
           set -efux
           #remove garbage from old versions
-          rm -r ${workdir}
+          rm -rf ${workdir}
           mkdir -p ${workdir}/info
           cp ${buildbot-slave-init} ${workdir}/buildbot.tac
           echo ${contact} > ${workdir}/info/admin

krebs/3modules/ci.nix

@@ -24,6 +24,13 @@ in
         List of hosts that should be build
       '';
     };
+    tests = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+        List of tests that should be build
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
@@ -56,14 +63,14 @@ in
       '';
       scheduler = {
         build-scheduler = ''
-          # build all hosts
           sched.append(
                 schedulers.SingleBranchScheduler(
                     change_filter=util.ChangeFilter(branch_re=".*"),
                     treeStableTimer=${toString cfg.treeStableTimer}*60,
                     name="build-all-branches",
                     builderNames=[
-                        "build-hosts"
+                        ${optionalString (cfg.hosts != []) ''"hosts",''}
+                        ${optionalString (cfg.tests != []) ''"tests",''}
                     ]
                 )
           )
@@ -73,7 +80,8 @@ in
               schedulers.ForceScheduler(
                     name="force",
                     builderNames=[
-                        "build-hosts"
+                        ${optionalString (cfg.hosts != []) ''"hosts",''}
+                        ${optionalString (cfg.tests != []) ''"tests",''}
                     ]
               )
           )
@@ -91,7 +99,7 @@ in
           factory.addStep(steps.ShellCommand(**kwargs))
       '';
       builder = {
-        build-hosts = ''
+        hosts = mkIf (cfg.hosts != []) ''
           f = util.BuildFactory()
           f.addStep(grab_repo)
 
@@ -120,12 +128,42 @@ in
 
           bu.append(
               util.BuilderConfig(
-                  name="build-hosts",
+                  name="hosts",
                   slavenames=slavenames,
                   factory=f
               )
           )
+        '';
+        tests = mkIf (cfg.tests != []) ''
+          f = util.BuildFactory()
+          f.addStep(grab_repo)
 
+          def run_test(test):
+              addShell(f,
+                  name="{}".format(test),
+                  env={
+                    "NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
+                    "NIX_REMOTE": "daemon",
+                    "dummy_secrets": "true",
+                  },
+                  command=[
+                    "nix-build", "-I", "stockholm=.", "krebs/6tests",
+                    "-A", "{}".format(test)
+                  ],
+                  timeout=90001
+              )
+
+          ${concatMapStringsSep "\n" (test:
+             "run_test(\"${test}\")"
+          ) cfg.tests}
+
+          bu.append(
+              util.BuilderConfig(
+                  name="tests",
+                  slavenames=slavenames,
+                  factory=f
+              )
+          )
         '';
       };
       enable = true;

krebs/3modules/iptables.nix

@@ -61,6 +61,15 @@ let
           };
         };
       })));
+      default = {
+        filter.INPUT.policy = "ACCEPT";
+        filter.FORWARD.policy = "ACCEPT";
+        filter.OUTPUT.policy = "ACCEPT";
+        nat.PREROUTING.policy = "ACCEPT";
+        nat.INPUT.policy = "ACCEPT";
+        nat.OUTPUT.policy = "ACCEPT";
+        nat.POSTROUTING.policy = "ACCEPT";
+      };
     };
   };
 

krebs/3modules/nin/default.nix

@@ -31,6 +31,47 @@ with import <stockholm/lib>;
       };
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
+    };
+     axon= {
+      cores = 2;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.134.66";
+          ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379";
+          aliases = [
+            "axon.retiolum"
+            "axon.r"
+          ];
+          tinc.pubkey = ''
+          -----BEGIN RSA PUBLIC KEY-----
+          MIIECgKCBAEA89h5SLDQL/ENM//3SMzNkVnW4dBdg1GOXs/SdRCTcgygJC0TzsAo
+          glfQhfS+OhFSC/mXAjP8DnN7Ys6zXzMfJgH7TgVRJ8tCo5ETehICA19hMjMFINLj
+          KZhhthPuX7u2Jr4uDMQ0eLJnKVHF4PmHnkA+JGcOqO7VSkgcqPvqPMnJFcMkGWvH
+          L3KAz1KGPHZWrAB2NBDrD/bOZj4L39nS4nJIYVOraP7ze1GTTC7s/0CnZj3qwS5j
+          VdUYgAR+bdxlWm1B1PPOjkslP6UOklQQK4SjK3ceLYb2yM7BVICeznjWCbkbMACY
+          PUSvdxyiD7nZcLvuM3cJ1M45zUK+tAHHDB5FFUUAZ+YY/Xml4+JOINekpQdGQqkN
+          X4VsdRGKpjqi+OXNP4ktDcVkl8uALmNR6TFfAEwQJdjgcMxgJGW9PkqvPl3Mqgoh
+          m89lHPpO0Cpf40o6lZRG42gH1OR7Iy1M234uA08a3eFf+IQutHaOBt/Oi0YeiaQp
+          OtJHmWtpsQRz24/m+uroSUtKZ63sESli28G1jP73Qv7CiB8KvSX0Z4zKJOV/CyaT
+          LLguAyeWdNLtVg4bGRd7VExoWA+Rd9YKHCiE5duhETZk0Hb9WZmgPdM7A0RBb+1H
+          /F9BPKSZFl2e42VEsy8yNmBqO8lL7DVbAjLhtikTpPLcyjNeqN99a8jFX4c5nhIK
+          MVsSLKsmNGQq+dylXMbErsGu3P/OuCZ4mRkC32Kp4qwJ+JMrJc8+ZbhKl6Fhwu0w
+          7DwwoUaRoMqtr2AwR+X67eJsYiOVo5EkqBo6DrWIM6mO2GrWHg5LTBIShn08q/Nm
+          ofPK2TmLdfqBycUR0kRCCPVi82f9aElmg3pzzPJnLAn9JLL43q6l+sefvtr9sTs3
+          1co6m8k5mO8zTb8BCmX2nFMkCopuHeF1nQ33y6woq0D8WsXHfHtbPwN9eYRVrbBF
+          29YBp5E+Q1pQB+0rJ4A5N1I3VUKhDGKc72pbQc8cYoAbDXA+RKYbsFOra5z585dt
+          4HQXpwj3a/JGJYRT6FVbJp4p8PjwAtN9VkpXNl4//3lXQdDD6aQ6ssXaKxVAp2Xj
+          FjPjx6J6ok4mRvofKNAREt4eZUdDub34bff6G0zI7Vls9t4ul0uHsJ6+ic3CG+Yl
+          buLfOkDp4hVCAlMPQ2NJfWKSggoVao7OTBPTMB3NiM56YOPptfZgu2ttDRTyuQ7p
+          hrOwutxoy/abH3hA8bWj1+C23vDtQ2gj0r16SWxpPdb3sselquzKp9NIvtyRVfnG
+          yYZTWRHg9mahMC2P0/wWAQVjKb0LnTib4lSe21uqFkWzp+3/Uu+hiwP5xGez/NIi
+          ahyL7t0D9r9y+i1RPjYWypgyR568fiGheQIDAQAB
+          -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ubHA2pQzV4tQq9D1zRTD1xOSR6xZM3z6te+5A1ekc";
     };
     onondaga = {
       cores = 1;
@@ -63,6 +104,10 @@ with import <stockholm/lib>;
   };
   users = {
     nin = {
+      mail = "nin@axon.retiolum";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon";
+    };
+    nin_h = {
       mail = "nin@hiawatha.retiolum";
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
     };

krebs/3modules/tv/default.nix

@@ -201,24 +201,6 @@ with import <stockholm/lib>;
         };
       };
     };
-    schnabeldrucker = {
-      external = true;
-      nets = {
-        gg23 = {
-          ip4.addr = "10.23.1.21";
-          aliases = ["schnabeldrucker.gg23"];
-        };
-      };
-    };
-    schnabelscanner = {
-      external = true;
-      nets = {
-        gg23 = {
-          ip4.addr = "10.23.1.22";
-          aliases = ["schnabelscanner.gg23"];
-        };
-      };
-    };
     wu = {
       ci = true;
       cores = 4;

krebs/5pkgs/simple/Reaktor/scripts/shack-correct.sh

@@ -2,5 +2,5 @@
 set -eu
 printf "Sie meinten wohl \""
 echo -n $@ | sed 's/Shack/shack/g'
-echo "\""
+echo "\" check out https://wiki.shackspace.de/project/logo_and_ci#name_ci"
 echo "${_from}--"

krebs/5pkgs/simple/bitlbee-discord/default.nix

@@ -0,0 +1,29 @@
+{ fetchurl, fetchFromGitHub, stdenv, bitlbee, autoreconfHook, pkgconfig, glib }:
+
+with stdenv.lib;
+stdenv.mkDerivation rec {
+  name = "bitlbee-discord-2017-12-27";
+
+  src = fetchFromGitHub {
+    rev = "6a03db169ad44fee55609ecd16e19f3c0f99a182";
+    owner = "sm00th";
+    repo = "bitlbee-discord";
+    sha256 = "1ci9a12c6zg8d6i9f95pq6dal79cp4klmmsyj8ag2gin90kl3x95";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkgconfig ];
+  buildInputs = [ bitlbee glib ];
+
+  preConfigure = ''
+    export BITLBEE_PLUGINDIR=$out/lib/bitlbee
+    ./autogen.sh
+  '';
+
+  meta = {
+    description = "Bitlbee plugin for Discord";
+
+    homepage = https://github.com/sm00th/bitlbee-discord;
+    license = licenses.gpl2Plus;
+    platforms = stdenv.lib.platforms.linux;
+  };
+}

krebs/5pkgs/simple/eximlog.nix

@@ -0,0 +1,28 @@
+{ jq, systemd, writeDashBin }:
+
+let
+  lib = import <stockholm/lib>;
+  user = "exim"; # TODO make this configurable
+in
+
+# TODO execute eximlog only if journalctl doesn't fail
+# bash's set -o pipefail isn't enough
+
+writeDashBin "eximlog" ''
+  ${systemd}/bin/journalctl \
+      -u ${lib.shell.escape user} \
+      -o short-unix \
+      "$@" \
+    |
+  ${jq}/bin/jq -Rr '
+    # Only select lines that start with a timestamp
+    select(test("^[0-9]")) |
+
+    split(" ") |
+    (.[0] | tonumber) as $time |
+    (.[3:] | join(" ")) as $message |
+
+    "\($time | strftime("%Y-%m-%d %H:%M:%S %z")) \($message)"
+
+  '
+''

krebs/5pkgs/simple/fortclientsslvpn/default.nix

@@ -12,8 +12,8 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     # archive.org mirror:
-    # https://archive.org/download/ForticlientsslvpnLinux4.4.23171.tar/forticlientsslvpn_linux_4.4.2317.tar.gz
-    url = http://www.zen.co.uk/userfiles/knowledgebase/FortigateSSLVPNClient/forticlientsslvpn_linux_4.4.2317.tar.gz;
+    url = https://archive.org/download/ForticlientsslvpnLinux4.4.23171.tar/forticlientsslvpn_linux_4.4.2317.tar.gz;
+    # url = http://www.zen.co.uk/userfiles/knowledgebase/FortigateSSLVPNClient/forticlientsslvpn_linux_4.4.2317.tar.gz;
     sha256 = "19clnf9rgrnwazlpah8zz5kvz6kc8lxawrgmksx25k5ywflmbcrr";
   };
   phases = [ "unpackPhase" "buildPhase" "installPhase" "fixupPhase" ];

krebs/5pkgs/simple/stockholm/default.nix

@@ -92,6 +92,17 @@
         -I "$target_path"
   '');
 
+  cmds.get-version = pkgs.writeDash "get-version" ''
+    set -efu
+    hostname=''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}
+    version=git.$(${pkgs.git}/bin/git describe --always --dirty)
+    case $version in (*-dirty)
+      version=$version@$hostname
+    esac
+    date=$(${pkgs.coreutils}/bin/date +%y.%m)
+    echo "$date.$version"
+  '';
+
   cmds.install = pkgs.withGetopt {
     force-populate = { default = /* sh */ "false"; switch = true; };
     quiet = { default = /* sh */ "false"; switch = true; };
@@ -205,7 +216,7 @@
   init.env = pkgs.writeText "init.env" /* sh */ ''
 
     export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
-    export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${shell.get-version})}"
+    export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${cmds.get-version})}"
 
     export quiet
     export system
@@ -274,16 +285,6 @@
     fi
   '';
 
-  shell.get-version = pkgs.writeDash "stockholm.get-version" ''
-    set -efu
-    version=git.$(${pkgs.git}/bin/git describe --always --dirty)
-    case $version in (*-dirty)
-      version=$version@$HOSTNAME
-    esac
-    date=$(${pkgs.coreutils}/bin/date +%y.%m)
-    echo "$date.$version"
-  '';
-
 in
 
   pkgs.writeOut "stockholm" (lib.mapAttrs' (name: link:

krebs/5pkgs/writers.nix

@@ -283,27 +283,33 @@ with import <stockholm/lib>;
         ${pkgs.cabal2nix}/bin/cabal2nix ${path} > $out
       '');
 
-    writePython2 = name: text:
-      assert (with types; either absolute-pathname filename).check name;
-      pkgs.writeOut (baseNameOf name) {
-        ${optionalString (types.absolute-pathname.check name) name} = {
-          check = pkgs.writeDash "python2check.sh" ''
-            exec ${pkgs.python2}/bin/python -m py_compile "$1"
-          '';
-          inherit text;
-        };
-      };
+    writePython2 = deps:
+    let
+      py = pkgs.python2.withPackages(ps: attrVals deps ps);
+    in
+    pkgs.makeScriptWriter {
+      interpreter = "${py}/bin/python";
+      check = pkgs.writeDash "python2check.sh" ''
+        exec ${pkgs.python2Packages.flake8}/bin/flake8 --show-source "$1"
+      '';
+    };
 
-    writePython3 = name: text:
-      assert (with types; either absolute-pathname filename).check name;
-      pkgs.writeOut (baseNameOf name) {
-        ${optionalString (types.absolute-pathname.check name) name} = {
-          check = pkgs.writeDash "python3check.sh" ''
-            exec ${pkgs.python3}/bin/python -m py_compile "$textPath"
-          '';
-          inherit text;
-        };
-      };
+    writePython2Bin = d: name:
+      pkgs.writePython2 d "/bin/${name}";
+
+    writePython3 = deps:
+    let
+      py = pkgs.python3.withPackages(ps: attrVals deps ps);
+    in
+    pkgs.makeScriptWriter {
+      interpreter = "${py}/bin/python";
+      check = pkgs.writeDash "python3check.sh" ''
+        exec ${pkgs.python3Packages.flake8}/bin/flake8 --show-source "$1"
+      '';
+    };
+
+    writePython3Bin = d: name:
+      pkgs.writePython3 d "/bin/${name}";
 
     writeSed = pkgs.makeScriptWriter {
       interpreter = "${pkgs.gnused}/bin/sed -f";

krebs/6tests/default.nix

@@ -0,0 +1,6 @@
+with import <stockholm/lib>;
+{ ... }:
+
+{
+  deploy = import ./deploy.nix;
+}

krebs/6tests/deploy.nix

@@ -1,7 +1,8 @@
 with import <stockholm/lib>;
-import <nixpkgs/nixos/tests/make-test.nix> ({ pkgs, ... }:
+import <nixpkgs/nixos/tests/make-test.nix> ({ ... }:
 
 let
+  pkgs = import <nixpkgs> { overlays = [(import ../5pkgs)]; };
   test-config = <stockholm/krebs/6tests/data/test-config.nix>;
   privKey = ''
     -----BEGIN OPENSSH PRIVATE KEY-----
@@ -41,15 +42,12 @@ let
     cd ${<stockholm>}
     export NIX_PATH=stockholm=${<stockholm>}:nixpkgs=${<nixpkgs>}:$NIX_PATH
     exec >&2
-    : ${minimalSystem}
     source=${pkgs.writeJSON "source.json" populate-source}
-    cat > /tmp/derp <<EOF
-      builtins.fromJSON (builtins.readFile "$source")
-    EOF
     LOGNAME=krebs ${pkgs.populate}/bin/populate --force root@server:22/var/src/ < "$source"
+    # TODO: make deploy work
     #LOGNAME=krebs ${pkgs.stockholm}/bin/deploy \
     #    --force-populate \
-    #    --source=/tmp/derp \
+    #    --source=${./data/test-source.nix} \
     #    --system=server \
   '';
   minimalSystem = (import <nixpkgs/nixos/lib/eval-config.nix> {
@@ -70,22 +68,20 @@ in {
         imports = [ test-config ];
         environment.variables = {
           NIX_PATH = mkForce "nixpkgs=${<nixpkgs>}";
-          #LOL = minimalSystem;
         };
         services.openssh.enable = true;
         users.extraUsers.root.openssh.authorizedKeys.keys = [
           pubKey
         ];
-        #virtualisation.writableStore = true;
         virtualisation.pathsInNixDB = [
           minimalSystem
-          pkgs.stockholm
         ];
+        environment.systemPackages = [ pkgs.git ];
       };
 
     client =
-      { config, pkgs, ... }: { };
-
+      { config, pkgs, ... }:
+      { };
   };
 
   testScript = ''

krebs/source.nix

@@ -17,6 +17,6 @@ in
     stockholm.file = toString <stockholm>;
     nixpkgs.git = {
       url = https://github.com/NixOS/nixpkgs;
-      ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13
+      ref = "0b30c1dd4c638e318957fc6a9198cf2429e38cb5"; # nixos-17.09 @ 2018-01-04
     };
   }

lass/1systems/daedalus/config.nix

@@ -41,6 +41,7 @@ with import <stockholm/lib>;
         skype
         wine
       ];
+      nixpkgs.config.firefox.enableAdobeFlash = true;
       services.xserver.enable = true;
       services.xserver.displayManager.lightdm.enable = true;
       services.xserver.desktopManager.plasma5.enable = true;

lass/1systems/dishfire/config.nix

@@ -43,6 +43,7 @@
       networking.dhcpcd.allowInterfaces = [
         "enp*"
         "eth*"
+        "ens*"
       ];
     }
     {

lass/1systems/helios/config.nix

@@ -120,8 +120,6 @@ with import <stockholm/lib>;
     ];
   };
 
-  programs.ssh.startAgent = lib.mkForce true;
-
   services.tlp.enable = true;
 
   services.xserver.videoDrivers = [ "nvidia" ];

lass/1systems/mors/config.nix

@@ -30,6 +30,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/otp-ssh.nix>
     <stockholm/lass/2configs/c-base.nix>
     <stockholm/lass/2configs/br.nix>
+    <stockholm/lass/2configs/ableton.nix>
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
@@ -69,10 +70,6 @@ with import <stockholm/lib>;
         pkgs.ovh-zone
       ];
     }
-    {
-      #ps vita stuff
-      boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
-    }
     {
       services.tor = {
         enable = true;

lass/1systems/prism/config.nix

@@ -234,8 +234,7 @@ in {
     }
     <stockholm/lass/2configs/exim-smarthost.nix>
     <stockholm/lass/2configs/ts3.nix>
-    <stockholm/lass/2configs/bitlbee.nix>
-    <stockholm/lass/2configs/weechat.nix>
+    <stockholm/lass/2configs/IM.nix>
     <stockholm/lass/2configs/privoxy-retiolum.nix>
     <stockholm/lass/2configs/radio.nix>
     <stockholm/lass/2configs/repo-sync.nix>
@@ -303,6 +302,13 @@ in {
         }
       ];
     }
+    {
+      krebs.repo-sync.repos.stockholm.timerConfig = {
+        OnBootSec = "5min";
+        OnUnitInactiveSec = "2min";
+        RandomizedDelaySec = "2min";
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;

lass/2configs/IM.nix

@@ -0,0 +1,68 @@
+with (import <stockholm/lib>);
+{ config, lib, pkgs, ... }:
+
+let
+  tmux = pkgs.writeDash "tmux" ''
+    exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
+      set-option -g prefix `
+      unbind-key C-b
+      bind ` send-prefix
+
+      set-option -g status off
+      set-option -g default-terminal screen-256color
+
+      #use session instead of windows
+      bind-key c new-session
+      bind-key p switch-client -p
+      bind-key n switch-client -n
+      bind-key C-s switch-client -l
+    ''} "$@"
+  '';
+in {
+
+  services.bitlbee = {
+    enable = true;
+    portNumber = 6666;
+    plugins = [
+      pkgs.bitlbee-facebook
+      pkgs.bitlbee-steam
+      pkgs.bitlbee-discord
+    ];
+    libpurple_plugins = [ pkgs.telegram-purple ];
+  };
+
+  users.extraUsers.chat = {
+    home = "/home/chat";
+    uid = genid "chat";
+    useDefaultShell = true;
+    createHome = true;
+    openssh.authorizedKeys.keys = with config.krebs.users; [
+      lass.pubkey
+      lass-shodan.pubkey
+      lass-icarus.pubkey
+      lass-android.pubkey
+    ];
+  };
+
+  # mosh
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+    { predicate = "-p tcp --dport 9999"; target = "ACCEPT";}
+  ];
+
+  systemd.services.chat = {
+    description = "chat environment setup";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    restartIfChanged = false;
+
+    serviceConfig = {
+      User = "chat";
+      RemainAfterExit = true;
+      Type = "oneshot";
+      ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat";
+      ExecStop = "${tmux} kill-session -t IM";
+    };
+  };
+}

lass/2configs/ableton.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, ... }: let
+  mainUser = config.users.extraUsers.mainUser;
+in {
+  users.users= {
+    ableton = {
+      isNormalUser = true;
+      extraGroups = [
+        "audio"
+        "video"
+      ];
+      packages = [
+        pkgs.wine
+        pkgs.winetricks
+      ];
+    };
+  };
+  security.sudo.extraConfig = ''
+    ${mainUser.name} ALL=(ableton) NOPASSWD: ALL
+  '';
+}

lass/2configs/baseX.nix

@@ -53,7 +53,7 @@ in {
 
   time.timeZone = "Europe/Berlin";
 
-  programs.ssh.startAgent = false;
+  programs.ssh.startAgent = true;
   services.openssh.forwardX11 = true;
 
   services.printing = {

lass/2configs/bitlbee.nix

@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.bitlbee = {
-    enable = true;
-    portNumber = 6666;
-    plugins = [
-      pkgs.bitlbee-facebook
-      pkgs.bitlbee-steam
-    ];
-  };
-}

lass/2configs/default.nix

@@ -1,5 +1,5 @@
-{ config, pkgs, ... }:
 with import <stockholm/lib>;
+{ config, pkgs, ... }:
 {
   imports = [
     ../2configs/binary-cache/client.nix
@@ -78,7 +78,7 @@ with import <stockholm/lib>;
 
   users.mutableUsers = false;
 
-  services.timesyncd.enable = true;
+  services.timesyncd.enable = mkForce true;
 
   #why is this on in the first place?
   services.nscd.enable = false;

lass/2configs/exim-smarthost.nix

@@ -49,6 +49,11 @@ with import <stockholm/lib>;
       { from = "aliexpress@lassul.us"; to = lass.mail; }
       { from = "business@lassul.us"; to = lass.mail; }
       { from = "payeer@lassul.us"; to = lass.mail; }
+      { from = "github@lassul.us"; to = lass.mail; }
+      { from = "bitwala@lassul.us"; to = lass.mail; }
+      { from = "bitstamp@lassul.us"; to = lass.mail; }
+      { from = "bitcoin.de@lassul.us"; to = lass.mail; }
+      { from = "ableton@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }

lass/2configs/reaktor-coders.nix

@@ -21,6 +21,7 @@ with import <stockholm/lib>;
         -XFlexibleInstances -XMultiParamTypeClasses \
         -XOverloadedStrings -XFunctionalDependencies \'';
     in [
+      sed-plugin
       url-title
       (buildSimpleReaktorPlugin "lambdabot-pl" {
         pattern = "^@pl (?P<args>.*)$$";
@@ -64,8 +65,7 @@ with import <stockholm/lib>;
       })
       (buildSimpleReaktorPlugin "random-unicorn-porn" {
         pattern = "^!rup$$";
-        script = pkgs.writePython2 "rup" ''
-          #!${pkgs.python2}/bin/python
+        script = pkgs.writePython2 [] "rup" ''
           t1 = """
                               _.
                            ;=',_ ()

lass/2configs/security-workarounds.nix

@@ -5,4 +5,6 @@ with import <stockholm/lib>;
   boot.extraModprobeConfig = ''
     install dccp /run/current-system/sw/bin/false
   '';
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 }

lass/2configs/vim.nix

@@ -103,7 +103,6 @@ let
     cnoreabbrev Ack Ack!
 
     " copy/paste from/to xclipboard
-    noremap x "_x
     set clipboard=unnamedplus
   '';
 

lass/2configs/weechat.nix

@@ -1,47 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  inherit (import <stockholm/lib>) genid;
-in {
-  krebs.per-user.chat.packages = with pkgs; [
-    mosh
-    weechat
-  ];
-
-  users.extraUsers.chat = {
-    home = "/home/chat";
-    uid = genid "chat";
-    useDefaultShell = true;
-    createHome = true;
-    openssh.authorizedKeys.keys = with config.krebs.users; [
-      lass.pubkey
-      lass-shodan.pubkey
-      lass-icarus.pubkey
-      lass-android.pubkey
-    ];
-  };
-
-  # mosh
-  krebs.iptables.tables.filter.INPUT.rules = [
-    { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
-  ];
-
-  #systemd.services.chat = {
-  #  description = "chat environment setup";
-  #  after = [ "network.target" ];
-  #  wantedBy = [ "multi-user.target" ];
-
-  #  path = with pkgs; [
-  #    weechat
-  #    tmux
-  #  ];
-
-  #  restartIfChanged = true;
-
-  #  serviceConfig = {
-  #    User = "chat";
-  #    Restart = "always";
-  #    ExecStart = "${pkgs.tmux}/bin/tmux new -s IM weechat";
-  #  };
-  #};
-}

lass/3modules/news.nix

@@ -38,7 +38,7 @@ let
     };
     ircServer = mkOption {
       type = types.str;
-      default = "echelon.r";
+      default = "localhost";
       description = "to which server the bot should connect";
     };
   };

lass/5pkgs/xmonad-lass.nix

@@ -66,7 +66,7 @@ main' = do
             { terminal           = myTerm
             , modMask            = mod4Mask
             , layoutHook         = smartBorders $ myLayoutHook
-            , manageHook         = placeHook (smart (1,0)) <+> floatNextHook
+            , manageHook         = placeHook (smart (1,0)) <+> floatNextHook <+> floatHooks
             , startupHook =
                 whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
                           (\path -> forkFile path [] Nothing)
@@ -80,6 +80,14 @@ myLayoutHook = defLayout
   where
     defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat)
 
+floatHooks = composeAll . concat $
+    [ [ title =? t --> doFloat | t <- myTitleFloats]
+    , [ className =? c --> doFloat | c <- myClassFloats ] ]
+  where
+      myTitleFloats = [] -- for the KDE "open link" popup from konsole
+      myClassFloats = ["Pinentry"] -- for gpg passphrase entry
+
+
 myKeyMap :: [([Char], X ())]
 myKeyMap =
     [ ("M4-<F11>", spawn "${config.lass.screenlock.command}")

lass/source.nix

@@ -10,7 +10,7 @@ in
       nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
       nixpkgs.git = {
         url = https://github.com/nixos/nixpkgs;
-        ref = "af7e479";
+        ref = "0b30c1d";
       };
       secrets = getAttr builder {
         buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;

makefu/1systems/fileleech/config.nix

@@ -6,18 +6,18 @@ let
   rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN";
   rootPartition = rootDisk + "-part3";
 
-	dataDisks =  let
-		idpart = dev: byid  dev + "-part1";
-	in [
-		{ name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";}
-	  {	name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";}
-	  {	name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";}
-	  {	name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";}
-	  {	name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";}
-	  {	name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";}
-	  {	name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";}
-	  {	name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity
-	];
+  dataDisks =  let
+    idpart = dev: byid  dev + "-part1";
+  in [
+    { name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";}
+    { name = "crypt1"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GGWG8F";}
+    { name = "crypt2"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GH5NAF";}
+    { name = "crypt3"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GJWGDF";}
+    { name = "crypt4"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXHF";}
+    { name = "crypt5"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GKKXVF";}
+    { name = "crypt6"; device = idpart "scsi-1ATA_HUA722020ALA330_YAJJ8WRV";}
+    { name = "crypt7"; device = idpart "scsi-1ATA_HUA722020ALA330_YBKTUS4F";} # parity
+  ];
 
   disks = [ { name = "luksroot"; device = rootPartition; } ] ++ dataDisks;
 in {
@@ -25,13 +25,13 @@ in {
       <stockholm/makefu>
       <stockholm/makefu/2configs/tinc/retiolum.nix>
       <stockholm/makefu/2configs/disable_v6.nix>
-      # <stockholm/makefu/2configs/torrent.nix>
+      <stockholm/makefu/2configs/torrent.nix>
       <stockholm/makefu/2configs/fs/sda-crypto-root.nix>
 
       #<stockholm/makefu/2configs/elchos/irc-token.nix>
-      <stockholm/makefu/2configs/elchos/log.nix>
-      <stockholm/makefu/2configs/elchos/search.nix>
-      <stockholm/makefu/2configs/elchos/stats.nix>
+      # <stockholm/makefu/2configs/elchos/log.nix>
+      # <stockholm/makefu/2configs/elchos/search.nix>
+      # <stockholm/makefu/2configs/elchos/stats.nix>
 
     ];
   systemd.services.grafana.serviceConfig.LimitNOFILE=10032;
@@ -42,8 +42,8 @@ in {
       enable = true;
       build.host = config.krebs.hosts.fileleech;
   };
-	# git clone https://github.com/makefu/docker-pyload
-	# docker build .
+  # git clone https://github.com/makefu/docker-pyload
+  # docker build .
   # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P docker-pyload
 
   virtualisation.docker.enable = true; # for pyload
@@ -60,7 +60,7 @@ in {
   ];
   services.nginx.virtualHosts._download = {
     default = true;
-    root = "/media/cryptX";
+    root = config.makefu.dl-dir;
     extraConfig = ''
       autoindex on;
     '';
@@ -80,10 +80,11 @@ in {
   services.sabnzbd.enable = true;
   systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 
+  # TODO use users.motd and pam.services.sshd.showMotd
   services.openssh.extraConfig = let banner = pkgs.writeText "openssh-banner" ''
     Services:
-      ssh://download@fileleech - ssh via filebitch.shack
-      ftp://download@fileleech - access to /media/cryptX
+      ssh://download@fileleech - ssh via filebitch
+      ftp://download@fileleech - access to ${config.makefu.dl-dir}
       http://fileleech:8112 - rutorrent
       http://fileleech:8113 - pyload
       https://fileleech:9090 - sabnzb
@@ -104,13 +105,13 @@ in {
     cryptMount = name:
       { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
   in  cryptMount "crypt0"
-		// cryptMount "crypt1"
-		// cryptMount "crypt2"
-		// cryptMount "crypt3"
-		// cryptMount "crypt4"
-		// cryptMount "crypt5"
-		// cryptMount "crypt6"
-		// cryptMount "crypt7"
+    // cryptMount "crypt1"
+    // cryptMount "crypt2"
+    // cryptMount "crypt3"
+    // cryptMount "crypt4"
+    // cryptMount "crypt5"
+    // cryptMount "crypt6"
+    // cryptMount "crypt7"
 
     # this entry sometimes creates issues
     // { "/media/cryptX" = {
@@ -121,10 +122,10 @@ in {
         }
 
     ;
+  makefu.dl-dir = "/media/cryptX";
   users.users.download = {
     useDefaultShell = true;
     #  name = "download";
-    home = "/media/cryptX/";
     #  createHome = true;
     openssh.authorizedKeys.keys = [
       config.krebs.users.makefu.pubkey
@@ -132,7 +133,7 @@ in {
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7betFnMWVeBYRhJ+2f0B5WbDdbpteIVg/BlyimXbx79R7lZ7nUq5GyMLrp7B00frUuA0su8oFFN3ODPJDstgBslBIP7kWPR2zW8NOXorrbFo3J2fKvlO77k6/wD5/M11m5nS01/aVJgAgMGLg2W12G7EMf5Wq75YsQJC/S9p8kMca589djMPRuQETu7fWq0t/Gmwq+2ELLL0csRK87LvybA92JYkAIneRnGzIlCguOXq0Vcq6pGQ1J1PfVEP76Do33X29l2hZc/+vR9ExW6s2g7fs5/5LDX9Wnq7+AEsxiEf4IOeL0hCG4/CGGCN23J+6cDrNKOP94AHO1si0O2lxFsxgNU2vdVWPNgSLottiUFBPPNEZFD++sZyutzH6PIz6D90hB2Q52X6WN9ZUtlDfQ91rHd+S2BhR6f4dAqiRDXlI5MNNDdoTT4S5R0wU/UrNwjiV/xiu/hWZYGQK7YgY4grFRblr378r8FqjLvumPDFMDLVa9eJKq1ad1x/GV5tZpsttzWj4nbixaKlZOg+TN2GHboujLx3bANz1Jqfvfto8UOeKTtA8pkb8E1PJPpBMOZcA7oHaqJrp6Vuf/SkmglHnQvGbi60OK3s61nuRmIcBiTXd+4qeAJpq1QyEDj3X/+hV0Gwz8rCo6JGkF1ETW37ZYvqU9rxNXjS+/Pfktw== jules@kvasir-2015-02-13"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1ZJSpBb7Cxo+c2r2JJIcbYOTm/sJxOv2NFRoDfjxGS9CCwzRbzrwJcv2d23j35mu97x3+fUvo8DyMFLvLvume2PFCijqhMDzZZvjYXZdvXA+hnh53nqZf+Pjq8Xc3tSWBHQxUokaBmZbd4LlKHh8NgKVrP2zve6OPZMzo/Es93v37KEmT8d/PfVMrQEMPZzFrCVdq2RbpdQ1nhx09zRFW7OJOazgotafjx6IYXbVq2VDnjffXInsE9ZxDzYq1cNKIH0c2BLpTd3mv76iD9i+nD6W6s48+usFQnVLt2TY1uKkfMr7043E6jBxx5kNHBe5Xxr6Zs0SkR8kKOEhMO//4ucviUYKZJn8wk2SLkAyMYVBexx8jrTdlI4xgQ7RLpSIDTCm9dfbZY/YhZDJ21lsWduQqu7DFWMe05gg4NZDjf2kwYQOzATyqISGA7ttSEPT1iymr/ffAOgLBLSqWQAteUbI2U5cnflWZGwm33JF/Pyb4S3k3/f2mIBKiRx2lsGv6mx1w0SaYRtJxDWqGYMHuFiNYbq9r/bZfLqV3Fy9kRODFJTfJh8mcTnC4zabpiQ7fnqbh1qHu0WrrBSgFW0PR2WWCJ0e5Btj1yRgXp0+d5OuxxlVInRs+l2HogdxjonMhAHrTCzJtI8UJTKXKN0FBPRDRcepeExhvNqcOUz4Kvw== me@andreaskist.de"
-			"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo2z8zsI+YF3ho0hvYzzCZi05mNyjk4iFK08+nNFCdXSG07jmRROWzTcC2ysTKZ56XD2al2abLxy4FZfmDcu9b2zJoPnIiXv/Jw0TKeZ71OyN3bILtv+6Xj1FTJ+kAUMXBfEew7UCgZZ8u8RQsFmlhqB9XqCBXmzP7I2EM1wWSzwEAgG/k6C+Ir054JjAj+fLr/wBduD1GAe8bXXF3Ojiky8OMs2oJaoGV96mrVAtVN+ftfWSvHCK31Y/KgCoPDE4LdoTir1IRfx2pZUMPkyzRW/etXT0PKD96I+/3d1xNPzNNjFpd6GqADC3xnfY3WslNgjL7gqwsC9SlEyuT1Xkd lotho@mercurius"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo2z8zsI+YF3ho0hvYzzCZi05mNyjk4iFK08+nNFCdXSG07jmRROWzTcC2ysTKZ56XD2al2abLxy4FZfmDcu9b2zJoPnIiXv/Jw0TKeZ71OyN3bILtv+6Xj1FTJ+kAUMXBfEew7UCgZZ8u8RQsFmlhqB9XqCBXmzP7I2EM1wWSzwEAgG/k6C+Ir054JjAj+fLr/wBduD1GAe8bXXF3Ojiky8OMs2oJaoGV96mrVAtVN+ftfWSvHCK31Y/KgCoPDE4LdoTir1IRfx2pZUMPkyzRW/etXT0PKD96I+/3d1xNPzNNjFpd6GqADC3xnfY3WslNgjL7gqwsC9SlEyuT1Xkd lotho@mercurius"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClaVl9Fwp4wdGLeTZdfy5MpJf+hM6fpL1k6UmtYXWgVYU7tgmStdlpLlbyMQspoFRtT7/76n4kPwCmM0c82xNXaJJMuWa98pwMp+bAwSSdOGAP/vjfzL/TUAX+Xtrw6ehF7r1O+zqw/E/bWt6UezKj08wDLWjByzdDQwslJV6lrGek4mmYRdgmHHeZ1oG89ePEZJZOM6jcZqv0AfIj0NID3ir9Z0kz9uSSXb1279Qt4953mfjs5xwhtc1B7vrxJ3qtTZUsBoAkUkLeulUEIjkfn60wvDGu/66GP5ZClXyk2gck/ZNmtFYrQoqx9EtF1KK02cC17A0nfRySQy5BnfWn root@filebitch"
     ];
   };
@@ -142,15 +143,19 @@ in {
     parity = toMapper 7;
   };
   networking.nameservers = [ "8.8.8.8" ];
-  #networking.interfaces.enp6s0f0.ip4 = [{
-  #    address = "151.217.173.20";
-  #    prefixLength = 22;
-  #}];
-  #networking.defaultGateway = "151.217.172.1";
+  # SPF
+  networking.defaultGateway = "151.217.176.1";
+  networking.interfaces.enp6s0f0.ip4 = [{
+      address = "151.217.178.63";
+      prefixLength = 22;
+  }];
+
+  # Gigabit
   networking.interfaces.enp8s0f1.ip4 = [{
       address = "192.168.126.1";
       prefixLength = 24;
   }];
+
   #interfaces.enp6s0f1.ip4 = [{
   #  address = external-ip;
   #  prefixLength = 22;

makefu/1systems/gum/config.nix

@@ -48,9 +48,15 @@ in {
       <stockholm/makefu/2configs/share/gum.nix>
       # <stockholm/makefu/2configs/sabnzbd.nix>
       <stockholm/makefu/2configs/torrent.nix>
-      <stockholm/makefu/2configs/iodined.nix>
+      <stockholm/makefu/2configs/mosh.nix>
+
+      # network
       <stockholm/makefu/2configs/vpn/openvpn-server.nix>
+      <stockholm/makefu/2configs/vpn/vpnws/server.nix>
       <stockholm/makefu/2configs/dnscrypt/server.nix>
+      <stockholm/makefu/2configs/iodined.nix>
+
+      # buildbot
       <stockholm/makefu/2configs/remote-build/slave.nix>
 
       ## Web
@@ -103,15 +109,16 @@ in {
       #}
       { # wireguard server
         networking.firewall.allowedUDPPorts = [ 51820 ];
-        #networking.wireguard.interfaces.wg0 = {
-        #  ips = [ "10.244.0.1/24" ];
-        #  privateKeyFile = (toString <secrets>) + "/wireguard.key";
-        #  allowedIPsAsRoutes = true;
-        #  peers = [{
-        #    allowedIPs = [ "0.0.0.0/0" "::/0" ];
-        #    publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
-        #  }];
-        #};
+        networking.wireguard.interfaces.wg0 = {
+          ips = [ "10.244.0.1/24" ];
+          privateKeyFile = (toString <secrets>) + "/wireguard.key";
+          allowedIPsAsRoutes = true;
+          peers = [{
+            # allowedIPs = [ "0.0.0.0/0" "::/0" ];
+            allowedIPs = [ "10.244.0.2/32" ];
+            publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
+          }];
+        };
       }
 
   ];

makefu/1systems/omo/config.nix

@@ -47,6 +47,7 @@ in {
       <stockholm/makefu/2configs/exim-retiolum.nix>
       <stockholm/makefu/2configs/smart-monitor.nix>
       <stockholm/makefu/2configs/mail-client.nix>
+      <stockholm/makefu/2configs/mosh.nix>
       # <stockholm/makefu/2configs/disable_v6.nix>
       #<stockholm/makefu/2configs/graphite-standalone.nix>
       #<stockholm/makefu/2configs/share-user-sftp.nix>

makefu/1systems/vbob/config.nix

@@ -3,37 +3,57 @@
   krebs.build.host = config.krebs.hosts.vbob;
   makefu.awesome.modkey = "Mod1";
   imports =
-    [ # Include the results of the hardware scan.
+    [
       <stockholm/makefu>
-      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
-      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
+      {
+        imports = [<stockholm/makefu/2configs/fs/single-partition-ext4.nix> ];
+        boot.loader.grub.device = "/dev/vda";
+      }
+      # {
+      #   imports = [
+      #     <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>
+      #   ];
+      #   virtualbox.baseImageSize = 35 * 1024;
+      #   fileSystems."/media/share" = {
+      #     fsType = "vboxsf";
+      #     device = "share";
+      #     options = [ "rw" "uid=9001" "gid=9001" ];
+      #   };
+      # }
+
+      # {
+      #   imports = [
+      #     <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
+      #   ];
+      #   fileSystems."/nix" = {
+      #     device ="/dev/disk/by-label/nixstore";
+      #     fsType = "ext4";
+      #   };
+      # }
+
+
       # base gui
-      <stockholm/makefu/2configs/main-laptop.nix>
+      # <stockholm/makefu/2configs/main-laptop.nix>
+      # <stockholm/makefu/2configs/tools/core-gui.nix>
+
+      <stockholm/makefu/2configs/zsh-user.nix>
 
       # security
       <stockholm/makefu/2configs/sshd-totp.nix>
 
       # Tools
       <stockholm/makefu/2configs/tools/core.nix>
-      <stockholm/makefu/2configs/tools/core-gui.nix>
       <stockholm/makefu/2configs/tools/dev.nix>
-      <stockholm/makefu/2configs/tools/extra-gui.nix>
-      <stockholm/makefu/2configs/tools/sec.nix>
+      # <stockholm/makefu/2configs/tools/extra-gui.nix>
+      # <stockholm/makefu/2configs/tools/sec.nix>
 
       # environment
       <stockholm/makefu/2configs/tinc/retiolum.nix>
 
-      <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
-      <stockholm/makefu/2configs/audio/realtime-audio.nix>
-
     ];
   networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
 
   nixpkgs.config.allowUnfree = true;
-  fileSystems."/nix" = {
-    device ="/dev/disk/by-label/nixstore";
-    fsType = "ext4";
-  };
 
   # allow vbob to deploy self
   users.extraUsers = {
@@ -45,9 +65,13 @@
   environment.shellAliases = {
     forti  = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
   };
-  # TODO: for forticleintsslpn
-  #       ln -s /r/current-system/sw/bin/pppd /usr/sbin/pppd
-  #       ln -s /r/current-system/sw/bin/tail /usr/bin/tail
+
+  system.activationScripts.prepare-fortclientvpnssl = ''
+    # TODO: for forticlientsslpn
+    mkdir -p /usr/{s,}bin
+    ln -fs ${pkgs.ppp}/bin/pppd /usr/sbin/pppd
+    ln -fs ${pkgs.coreutils}/bin/tail /usr/bin/tail
+  '';
   environment.systemPackages = with pkgs;[
     fortclientsslvpn ppp xclip
     get
@@ -55,7 +79,6 @@
   #  docker
     #devpi-web
     #devpi-client
-    debmirror
     ansible
   ];
   # virtualisation.docker.enable = true;
@@ -67,10 +90,5 @@
     8010
   ];
 
-  fileSystems."/media/share" = {
-    fsType = "vboxsf";
-    device = "share";
-    options = [ "rw" "uid=9001" "gid=9001" ];
-  };
 
 }

makefu/1systems/vbob/source.nix

@@ -1,4 +1,4 @@
 import <stockholm/makefu/source.nix> {
   name="vbob";
-  musnix = true;
+  # musnix = true;
 }

makefu/1systems/wbob/config.nix

@@ -32,10 +32,13 @@ in {
       <stockholm/makefu/2configs/remote-build/slave.nix>
       <stockholm/makefu/2configs/share/wbob.nix>
 
+      # Sensors
       <stockholm/makefu/2configs/stats/telegraf>
       <stockholm/makefu/2configs/deployment/led-fader.nix>
       <stockholm/makefu/2configs/stats/external/aralast.nix>
       <stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
+      # <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
+
       <stockholm/makefu/2configs/deployment/bureautomation>
       (let
           collectd-port = 25826;

makefu/1systems/x/config.nix

@@ -60,7 +60,6 @@ with import <stockholm/lib>;
       # Hardware
       <stockholm/makefu/2configs/hw/tp-x230.nix>
       <stockholm/makefu/2configs/hw/rtl8812au.nix>
-      <stockholm/makefu/2configs/hw/exfat-nofuse.nix>
       <stockholm/makefu/2configs/hw/wwan.nix>
       # <stockholm/makefu/2configs/hw/stk1160.nix>
       # <stockholm/makefu/2configs/rad1o.nix>

makefu/1systems/x/source.nix

@@ -1,5 +1,7 @@
 import <stockholm/makefu/source.nix> {
   name="x";
   full = true;
+  python = true;
+  hw = true;
   # torrent = true;
 }

makefu/2configs/default.nix

@@ -11,6 +11,9 @@ with import <stockholm/lib>;
     ./vim.nix
     ./binary-cache/nixos.nix
   ];
+
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
+
   programs.command-not-found.enable = false;
   nixpkgs.config.allowUnfreePredicate =  (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
   krebs = {

makefu/2configs/hw/exfat-nofuse.nix

@@ -1,4 +0,0 @@
-{ config, ... }:
-{
-  boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
-}

makefu/2configs/hw/tp-x230.nix

@@ -3,38 +3,14 @@
 with import <stockholm/lib>;
 {
 
-  imports = [ ./tp-x2x0.nix ];
-  boot = {
-    # tp-smapi is not supported bt x230 anymore
-    kernelModules = [
-      "kvm-intel"
-      "thinkpad_ec"
-      "acpi_call"
-   #   "thinkpad_acpi"
-   #   "tpm-rng"
-    ];
-    extraModulePackages = [
-      config.boot.kernelPackages.acpi_call
-    ];
-    # support backlight adjustment
-    kernelParams = [ "acpi_osi=Linux" "acpi_backlight=vendor" ];
-  };
+  imports = [ ./tp-x2x0.nix  <nixos-hardware/lenovo/thinkpad/x230> ];
 
   # configured media keys inside awesomerc
   # sound.mediaKeys.enable = true;
   hardware.bluetooth.enable = true;
 
-  services.acpid.enable = true;
-  hardware.opengl.extraPackages =  [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
-  services.xserver = {
-    videoDriver = "intel";
-    deviceSection = ''
-      Option "AccelMethod" "sna"
-      Option "Backlight"     "intel_backlight"
-    '';
-  };
-
-  security.rngd.enable = true;
+  # possible i915 powersave options:
+  #  options i915 enable_rc6=1 enable_fbc=1 semaphores=1
 
   services.xserver.displayManager.sessionCommands =''
     xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1

makefu/2configs/hw/tp-x2x0.nix

@@ -5,6 +5,11 @@ with import <stockholm/lib>;
   imports = [
     ./tpm.nix
   ];
+
+  boot.kernelModules = [
+    "kvm-intel"
+  ];
+
   networking.wireless.enable = lib.mkDefault true;
 
   hardware.enableAllFirmware = true;
@@ -17,6 +22,8 @@ with import <stockholm/lib>;
 
   # enable synaptics so we can easily disable the touchpad
   #   enable the touchpad with `synclient TouchpadOff=0`
+
+  services.xserver.libinput.enable = false;
   services.xserver.synaptics = {
     enable = true;
     additionalOptions = ''Option "TouchpadOff" "1"'';

makefu/2configs/mosh.nix

@@ -0,0 +1,3 @@
+{
+  programs.mosh.enable = true;
+}

makefu/2configs/remote-build/master.nix

@@ -8,7 +8,7 @@ in {
   {   inherit hostName sshKey;
       sshUser = "nixBuild";
       system = "x86_64-linux";
-      maxJobs = 1;
-  }) [ "omo.r"  "gum.r" "latte.r" ];
-  # puyak.r "wbob.r"
+      maxJobs = 8;
+  }) [ "hotdog.r" ];
+  # puyak.r "wbob.r" "omo.r"  "gum.r" "latte.r"
 }

makefu/2configs/stats/telegraf/airsensor.nix

@@ -1,11 +1,36 @@
 { pkgs, ...}:
-
-{
+let
+  genTopic = name: topic: tags: {
+      servers = [ "tcp://localhost:1883" ];
+      qos = 0;
+      connection_timeout = "30s";
+      topics = [ topic ];
+      tags = tags;
+      persistent_session = false;
+      name_override = name;
+      data_format = "value";
+      data_type = "float";
+    };
+  bamStat = stat:   # Temperature or Humidity
+            host:   # easy{1-4}
+            sensor: # dht11, dht22, ds18
+            (genTopic stat
+                      "/bam/${host}/${sensor}/${stat}"
+                      {"host" = host;
+                       "scope" = "bam";
+                       "sensor" = sensor;
+                      } );
+  dht22 = host: [(bamStat "Temperature" host "dht22")
+                 (bamStat "Humidity" host "dht22")];
+  dht11 = host: [(bamStat "Temperature" host "dht11")
+                 (bamStat "Humidity" host "dht11")];
+  ds18 = host:  [(bamStat "Temperature" host "ds18")];
+in {
   services.udev.extraRules = ''
     SUBSYSTEMS=="usb", ATTRS{product}=="iAQ Stick", GROUP="input"
   '';
   users.users.telegraf.extraGroups = [ "input" ];
-  services.telegraf.extraConfig.inputs.exec = [
+  services.telegraf.extraConfig.inputs.exec =  [
     {
       commands = [ "${pkgs.airsensor-py}/bin/airsensor-py"];
       timeout = "10s";
@@ -16,4 +41,9 @@
       tags.unit="VOC";
     }
   ];
+  services.telegraf.extraConfig.inputs.mqtt_consumer =
+       (dht22 "easy1")
+    ++ (dht22 "easy2")
+    ++ (dht11 "easy3")
+    ++ (ds18  "easy3");
 }

makefu/2configs/stats/telegraf/bamstats.nix

@@ -0,0 +1,35 @@
+{ pkgs, ...}:
+
+let
+  genTopic = name: topic: tags: {
+      servers = [ "tcp://localhost:1883" ];
+      qos = 0;
+      connection_timeout = "30s";
+      topics = [ topic ];
+      tags = tags;
+      persistent_session = false;
+      name_override = name;
+      data_format = "value";
+      data_type = "float";
+    };
+  bamStat = stat:   # Temperature or Humidity
+            host:   # easy{1-4}
+            sensor: # dht11, dht22, ds18
+            (genTopic stat
+                      "/bam/${host}/${sensor}/${stat}"
+                      {"host" = host;
+                       "scope" = "bam";
+                       "sensor" = sensor;
+                      } );
+  dht22 = host: [(bamStat "Temperature" host "dht22")
+                 (bamStat "Humidity" host "dht22")];
+  dht11 = host: [(bamStat "Temperature" host "dht11")
+                 (bamStat "Humidity" host "dht11")];
+  ds18 = host:  [(bamStat "Temperature" host "ds18")];
+in {
+  services.telegraf.extraConfig.inputs.mqtt_consumer =
+       (dht22 "easy1")
+    ++ (dht22 "easy2")
+    ++ (dht11 "easy3")
+    ++ (ds18  "easy3");
+}

makefu/2configs/tools/all.nix

@@ -1,12 +1,14 @@
 {
   imports = [
     ./android-pentest.nix
+    ./consoles.nix
     ./core.nix
     ./core-gui.nix
     ./dev.nix
     ./extra-gui.nix
     ./games.nix
     ./media.nix
+    ./mobility.nix
     ./scanner-tools.nix
     ./sec.nix
     ./sec-gui.nix

makefu/2configs/tools/consoles.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  users.users.makefu.packages = with pkgs; [
+    opl-utils
+    hdl-dump
+    bin2iso
+    cue2pops
+  ];
+}

makefu/2configs/tools/dev.nix

@@ -2,8 +2,9 @@
 
 {
   users.users.makefu.packages = with pkgs;[
-    python3Packages.virtualenv
+    python3
     python3Packages.pyserial
+    python3Packages.virtualenv
     # embedded
     gi
     flashrom
@@ -20,5 +21,10 @@
     gen-oath-safe
     cdrtools
     stockholm
+    # nix related
+    nix-repl
+    nix-index
+    # git-related
+    tig
   ];
 }

makefu/2configs/tools/mobility.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+  users.users.makefu.packages = with pkgs;[
+    go-mtpfs
+    mosh
+  ];
+
+  # boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
+}

makefu/2configs/torrent.nix

@@ -8,13 +8,13 @@ let
   peer-port = 51412;
   web-port = 8112;
   daemon-port = 58846;
-  dl-dir = config.makefu.dl-dir;
+  torrent-dir = config.makefu.dl-dir;
 in {
 
   users.users = {
     download = {
       name = "download";
-      home = dl-dir;
+      home = torrent-dir;
       uid = mkDefault (genid "download");
       createHome = true;
       useDefaultShell = true;
@@ -26,9 +26,9 @@ in {
   # todo: race condition, do this after download user has been created
   system.activationScripts."download-dir-chmod" = ''
     for i in finished watch torrents; do
-      mkdir -p "${dl-dir}/$i"
-      chown download:download "${dl-dir}/$i"
-      chmod 770 "${dl-dir}/$i"
+      mkdir -p "${torrent-dir}/$i"
+      chown download:download "${torrent-dir}/$i"
+      chmod 770 "${torrent-dir}/$i"
     done
   '';
 
@@ -54,9 +54,8 @@ in {
     rutorrent.enable = true;
     enableXMLRPC = true;
     listenPort = peer-port;
-    downloadDir = dl-dir + "/finished";
+    workDir = torrent-dir;
     # dump old torrents into watch folder to have them re-added
-    watchDir = dl-dir +"/watch";
   };
 
   networking.firewall.extraCommands = ''

makefu/2configs/vpn/vpnws/client.nix

@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+  users.users.makefu.packages = with pkgs; [ iproute vpn-ws ];
+  # vpn-ws-client  vpnws wss://localhost/vpn --no-verify --exec "ip link set vpnws up;ip addr add 10.244.1.2/24 dev vpnws"
+  networking.interfaces.vpnws = {
+    virtual = true;
+    virtualType = "tap";
+  };
+}

makefu/2configs/vpn/vpnws/server.nix

@@ -0,0 +1,42 @@
+{pkgs, options, ... }:
+let
+  pkg = pkgs.vpn-ws;
+  uid = "nginx";
+  gid = "nginx";
+  ip = "${pkgs.iproute}/bin/ip";
+  socket = "/run/vpn.sock";
+  htpasswd = (toString <secrets>) + "/vpn-ws-auth";
+  nginx-prepared-secrets = "/var/spool/nginx/vpn-ws-auth";
+in {
+  systemd.services.vpn-ws-auth-prepare = {
+    wantedBy = [ "multi-user.target" ];
+    before = [ "nginx.service" ];
+    script = "install -m700 -o${uid} -g${gid} ${htpasswd} ${nginx-prepared-secrets}";
+  };
+  services.nginx.virtualHosts."euer.krebsco.de".locations."/vpn" = {
+    extraConfig = ''
+      auth_basic "please stand by...";
+      auth_basic_user_file ${nginx-prepared-secrets};
+      uwsgi_pass   unix:${socket};
+      include      ${pkgs.nginx}/conf/uwsgi_params;
+    '';
+  };
+
+  networking.interfaces.vpnws = {
+    virtual = true;
+    virtualType = "tap";
+  };
+  systemd.services.vpnws = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    serviceConfig = {
+      Restart = "always";
+      PrivateTmp = true;
+      ExecStartPre = pkgs.writeDash "vpnws-pre" ''
+        ${ip} link set vpnws up
+        ${ip} addr add 10.244.1.1/24 dev vpnws || :
+      '';
+      ExecStart = "${pkg}/bin/vpn-ws --uid ${uid} --gid ${gid} --tuntap vpnws ${socket}";
+    };
+  };
+}

makefu/5pkgs/bin2iso/default.nix

@@ -0,0 +1,28 @@
+{ stdenv, lib, pkgs, fetchurl }:
+stdenv.mkDerivation rec {
+  pname = "bin2iso";
+  version = "1.9b";
+  _dlver = builtins.replaceStrings ["."] [""] version;
+  name = "${pname}-${version}";
+
+  src = fetchurl {
+    url = "http://users.eastlink.ca/~doiron/${pname}/linux/${pname}${_dlver}_linux.c";
+    sha256 = "0gg4hbzlm83nnbccy79dnxbwpn7lxl3fb87ka36mlclikvknm2hy";
+  };
+
+  unpackPhase = "true";
+
+  buildPhase =''
+    gcc -Wall -o $pname $src
+  '';
+
+  installPhase = ''
+    install -Dm755 $pname $out/bin/$pname
+  '';
+
+  meta = {
+    homepage = http://users.eastlink.ca/~doiron/bin2iso/ ;
+    description = "converts bin+cue to iso";
+    license = lib.licenses.gpl3;
+  };
+}

makefu/5pkgs/cue2pops/default.nix

@@ -0,0 +1,24 @@
+{ stdenv, lib, pkgs, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "cue2pops";
+  version = "2";
+  name = "${pname}-${version}";
+
+  src = fetchFromGitHub {
+    owner = "makefu";
+    repo = "cue2pops-linux";
+    rev = "541863a";
+    sha256 = "05w84726g3k33rz0wwb9v77g7xh4cnhy9sxlpilf775nli9bynrk";
+  };
+
+  installPhase = ''
+    install -Dm755 $pname $out/bin/$pname
+  '';
+
+  meta = {
+    homepage = http://users.eastlink.ca/~doiron/bin2iso/ ;
+    description = "converts bin+cue to iso";
+    license = lib.licenses.gpl3;
+  };
+}

makefu/5pkgs/hdl-dump/default.nix

@@ -0,0 +1,33 @@
+{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub, upx, wine }:
+stdenv.mkDerivation rec {
+  pname = "hdl-dump";
+  version = "75df8d7";
+  name = "${pname}-${version}";
+
+  src = fetchFromGitHub {
+    owner = "AKuHAK";
+    repo = "hdl-dump";
+    rev = version;
+    sha256 = "10jjr6p5yn0c182x17m7q68jmf8gizcny7wjxw7z5yh0fv5s48z4";
+  };
+
+  buildInputs = [ upx wine ];
+
+  makeFlags = [ "RELEASE=yes" ];
+
+  # uses wine, currently broken
+  #postBuild = ''
+  #  make -C gui
+  #'';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp hdl_dump $out/bin
+  '';
+
+  meta = {
+    homepage = https://github.com/AKuHAK/hdl-dump ;
+    description = "copy isos to psx hdd";
+    license = lib.licenses.gpl2;
+  };
+}

makefu/5pkgs/opl-utils/default.nix

@@ -0,0 +1,27 @@
+{ stdenv, lib, pkgs, fetchFromGitHub }:
+stdenv.mkDerivation rec {
+  pname = "opl-utils";
+  version = "881c0d2";
+  name = "${pname}-${version}";
+
+  src = fetchFromGitHub {
+    owner = "ifcaro";
+    repo = "open-ps2-loader";
+    rev = version;
+    sha256 = "1c2hgbyp5hymyq60mrk7g0m3gi00wqx165pdwwwb740q0qig07d1";
+  };
+
+
+  preBuild = "cd pc/";
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp */bin/* $out/bin
+  '';
+
+  meta = {
+    homepage = https://github.com/ifcaro/Open-PS2-Loader;
+    description = "open-ps2-loader utils (opl2iso,iso2opl,genvmc)";
+    license = lib.licenses.afl3;
+  };
+}

makefu/5pkgs/vpn-ws/default.nix

@@ -0,0 +1,30 @@
+{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub, openssl }:
+stdenv.mkDerivation rec {
+  pname = "vpn-ws";
+  version = "9d0e866";
+  name = "${pname}-${version}";
+
+  src = fetchFromGitHub {
+    owner = "unbit";
+    repo = "vpn-ws";
+    rev = version;
+    sha256 = "0k7338xxvg1k988zz3nb681nsqmfiik9bnkk7jmxjz7j0wfwq8nj";
+  };
+
+  patchPhase = ''
+    sed -i 's/-Werror//' Makefile
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp vpn-ws vpn-ws-client $out/bin
+  '';
+
+  buildInputs = [ openssl.dev ];
+
+  meta = {
+    homepage = https://github.com/unbit/vpn-ws;
+    description = "A VPN system over websockets";
+    license = lib.licenses.mit;
+  };
+}

makefu/source.nix

@@ -4,14 +4,16 @@ host@{ name,
   secure ? false,
   full ? false,
   torrent ? false,
-  musnix ? false
+  hw ? false,
+  musnix ? false,
+  python ? false
 }:
 let
   builder = if getEnv "dummy_secrets" == "true"
               then "buildbot"
               else "makefu";
   _file = <stockholm> + "/makefu/1systems/${name}/source.nix";
-  ref = "3874de4"; # unstable @ 2017-12-08
+  ref = "3e8d708"; # nixos-17.09 @ 2018-01-05
                    # + do_sqlite3 ruby: 55a952be5b5
 
 in
@@ -45,6 +47,20 @@ in
         ref = "d8b989f";
       };
     })
+
+    (mkIf ( hw ) {
+      nixos-hardware.git = {
+        url = https://github.com/nixos/nixos-hardware.git;
+        ref = "8a05dc9";
+      };
+    })
+
+    (mkIf ( python ) {
+      python.git = {
+        url = https://github.com/garbas/nixpkgs-python;
+        ref = "cac319b";
+      };
+    })
     (mkIf ( torrent ) {
       torrent-secrets.file = getAttr builder {
         buildbot = toString <stockholm/makefu/6tests/data/secrets>;

nin/1systems/axon/config.nix

@@ -0,0 +1,117 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    <stockholm/nin>
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    #../2configs/copyq.nix
+    <stockholm/nin/2configs/games.nix>
+    <stockholm/nin/2configs/git.nix>
+    <stockholm/nin/2configs/retiolum.nix>
+    <stockholm/nin/2configs/termite.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.axon;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/pool/root";
+      fsType = "ext4";
+    };
+
+  fileSystems."/tmp" =
+    { device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/sda1";
+      fsType = "ext2";
+    };
+
+  boot.initrd.luks.devices.crypted.device = "/dev/sda2";
+  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda";
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # nin config
+  time.timeZone = "Europe/Berlin";
+  services.xserver.enable = true;
+
+  networking.networkmanager.enable = true;
+  #networking.wireless.enable = true;
+
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+  };
+
+  hardware.bluetooth.enable = true;
+
+  hardware.opengl.driSupport32Bit = true;
+
+  #nixpkgs.config.steam.java = true;
+
+  environment.systemPackages = with pkgs; [
+    firefox
+    git
+    lmms
+    networkmanagerapplet
+    python
+    steam
+    thunderbird
+    vim
+    virtmanager
+  ];
+
+  nixpkgs.config = {
+
+    allowUnfree = true;
+
+  };
+
+  #services.logind.extraConfig = "HandleLidSwitch=ignore";
+
+  services.xserver.synaptics = {
+    enable = true;
+  };
+
+
+  services.xserver.desktopManager.xfce = let
+    xbindConfig = pkgs.writeText "xbindkeysrc" ''
+      "${pkgs.pass}/bin/passmenu --type"
+        Control + p
+  '';
+  in {
+    enable = true;
+      extraSessionCommands = ''
+      ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
+    '';
+  };
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+  system.stateVersion = "17.03";
+
+}

nin/1systems/axon/source.nix

@@ -0,0 +1,4 @@
+import <stockholm/nin/source.nix> {
+  name = "axon";
+  secure = true;
+}

nin/2configs/default.nix

@@ -16,6 +16,7 @@ with import <stockholm/lib>;
         root = {
           openssh.authorizedKeys.keys = [
             config.krebs.users.nin.pubkey
+            config.krebs.users.nin_h.pubkey
           ];
         };
         nin = {
@@ -31,6 +32,7 @@ with import <stockholm/lib>;
           ];
           openssh.authorizedKeys.keys = [
             config.krebs.users.nin.pubkey
+            config.krebs.users.nin_h.pubkey
           ];
         };
       };

nin/2configs/git.nix

@@ -53,7 +53,7 @@ let
     with git // config.krebs.users;
     repo:
       singleton {
-        user = [ nin ];
+        user = [ nin nin_h ];
         repo = [ repo ];
         perm = push "refs/*" [ non-fast-forward create delete merge ];
       } ++

tv/1systems/querel/config.nix

@@ -29,6 +29,7 @@ with import <stockholm/lib>;
   };
 
   environment.systemPackages = with pkgs; [
+    chromium
     firefoxWrapper
     gimp
     kate
@@ -65,6 +66,8 @@ with import <stockholm/lib>;
 
   networking.networkmanager.enable = true;
 
+  nixpkgs.config.chromium.enablePepperFlash = true;
+
   programs.ssh.startAgent = false;
 
   services.printing = {

tv/1systems/wu/config.nix

@@ -44,12 +44,6 @@ with import <stockholm/lib>;
     };
   };
 
-  krebs.nixpkgs.allowUnfreePredicate = pkg: hasPrefix "nvidia-x11-" pkg.name;
-  hardware.bumblebee.enable = true;
-  hardware.bumblebee.group = "video";
-  hardware.enableRedistributableFirmware= true;
-  hardware.opengl.driSupport32Bit = true;
-
   services.printing.enable = true;
 
   services.udev.extraRules = ''

tv/2configs/default.nix

@@ -1,6 +1,8 @@
 with import <stockholm/lib>;
 { config, pkgs, ... }: {
 
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
   boot.tmpOnTmpfs = true;
 
   krebs.enable = true;

tv/2configs/exim-retiolum.nix

@@ -3,6 +3,9 @@
 with import <stockholm/lib>;
 
 {
+  environment.systemPackages = [
+    pkgs.eximlog
+  ];
   krebs.exim-retiolum.enable = true;
   tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
 }

tv/2configs/exim-smarthost.nix

@@ -3,6 +3,9 @@
 with import <stockholm/lib>;
 
 {
+  environment.systemPackages = [
+    pkgs.eximlog
+  ];
   krebs.exim-smarthost = {
     enable = true;
     dkim = [

tv/2configs/hw/w110er.nix

@@ -1,8 +1,20 @@
+with import <stockholm/lib>;
 { pkgs, ... }:
 
 {
   imports = [
     ../smartd.nix
+    {
+      # nvidia doesn't build despite
+      #  https://github.com/NixOS/nixpkgs/issues/33284
+      #hardware.bumblebee.enable = true;
+      #hardware.bumblebee.group = "video";
+      #hardware.enableRedistributableFirmware= true;
+      #krebs.nixpkgs.allowUnfreePredicate = pkg:
+      #  hasPrefix "nvidia-x11-" pkg.name ||
+      #  hasPrefix "nvidia-persistenced-" pkg.name ||
+      #  hasPrefix "nvidia-settings-" pkg.name;
+    }
   ];
 
   boot.extraModprobeConfig = ''
@@ -15,6 +27,7 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  hardware.opengl.driSupport32Bit = true;
   hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
 
   networking.wireless.enable = true;
@@ -41,4 +54,8 @@
         echo auto > $i/power/control # defaults to 'on'
       done)
   '';
+
+  services.xserver = {
+    videoDriver = "intel";
+  };
 }

tv/2configs/vim.nix

@@ -233,7 +233,7 @@ let {
           lua = {};
           sed.extraStart = ''writeSed[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
           sh.extraStart = concatStringsSep ''\|'' [
-            ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)''
+            ''write\(A\|Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)''
             ''[a-z]*Phase[ \t\r\n]*=''
           ];
           yaml = {};

tv/source.nix

@@ -1,8 +1,10 @@
 with import <stockholm/lib>;
-host@{ name, secure ? false, override ? {} }: let
-  builder = if getEnv "dummy_secrets" == "true"
-              then "buildbot"
-              else "tv";
+{ name
+, dummy_secrets ? getEnv "dummy_secrets" == "true"
+, override ? {}
+, secure ? false
+}@host: let
+  builder = if dummy_secrets then "buildbot" else "tv";
   _file = <stockholm> + "/tv/1systems/${name}/source.nix";
 in
   evalSource (toString _file) [
@@ -10,7 +12,7 @@ in
       nixos-config.symlink = "stockholm/tv/1systems/${name}/config.nix";
       nixpkgs.git = {
         # nixos-17.09
-        ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
+        ref = mkDefault "53e6d671a9662922080635482b7e1c418d2cdc72";
         url = https://github.com/NixOS/nixpkgs;
       };
       secrets.file = getAttr builder {