From 549c89dd99db41b2869e6255d1551fce900eb656 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Thu, 13 Apr 2017 14:03:36 +0200
Subject: [PATCH 01/58] k 5 krebspaste: output with +inline

---
 krebs/5pkgs/krebspaste/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/5pkgs/krebspaste/default.nix b/krebs/5pkgs/krebspaste/default.nix
index 8c6676d0e..31ad12780 100644
--- a/krebs/5pkgs/krebspaste/default.nix
+++ b/krebs/5pkgs/krebspaste/default.nix
@@ -2,5 +2,5 @@
 
 # TODO use `execve` instead?
 writeDashBin "krebspaste" ''
-  exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@"
+  exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g'
 ''
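Review bot: Piping into `sed` on the added line makes the wrapper's exit status that of `sed`, so a failed upload by `bepasty-cli` now exits 0, and `/+inline` is appended to whatever the last stdout line is, even when it is not a URL. Once the command is part of a pipeline, `exec` no longer replaces the shell, so the keyword and the `TODO use execve` comment above it become misleading. Capturing the URL first keeps the failure visible: `url=$(${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@") && echo "$url/+inline"`. If the `sed` form stays, the `g` flag is redundant because `$` matches once per line.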

From 621758d990ec5c25d797ffb17f2bec4e27d54728 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Thu, 13 Apr 2017 15:25:04 +0200
Subject: [PATCH 02/58] l 1 prism: change nickname for #coders Reaktor

---
 lass/1systems/prism.nix | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index e5cbacfc8..8eecaa350 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -254,19 +254,20 @@ in {
       ];
     }
     {
-      krebs.Reaktor.coders = let
-        lambdabot = (import (pkgs.fetchFromGitHub {
-          owner = "NixOS"; repo = "nixpkgs";
-          rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac";
-          sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy";
-        }) {}).lambdabot;
-      in {
-        nickname = "reaktor-lass";
+      krebs.Reaktor.coders = {
+        nickname = "Reaktor|lass";
         channels = [ "#coders" ];
         extraEnviron = {
           REAKTOR_HOST = "irc.hackint.org";
         };
         plugins = with pkgs.ReaktorPlugins; let
+
+          lambdabot = (import (pkgs.fetchFromGitHub {
+            owner = "NixOS"; repo = "nixpkgs";
+            rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac";
+            sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy";
+          }) {}).lambdabot;
+
           lambdabotflags = ''
             -XStandaloneDeriving -XGADTs -XFlexibleContexts \
             -XFlexibleInstances -XMultiParamTypeClasses \

From b033fd53af2bac56b4bd4b2882f64818dec9acb0 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Thu, 13 Apr 2017 15:25:28 +0200
Subject: [PATCH 03/58] l 1 prism: add Reaktor for #retiolum

---
 lass/1systems/prism.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 8eecaa350..50b222338 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -350,6 +350,18 @@ in {
         ];
       };
     }
+    {
+      krebs.Reaktor.prism = {
+        nickname = "Reaktor|lass";
+        channels = [ "#retiolum" ];
+        extraEnviron = {
+          REAKTOR_HOST = "ni.r";
+        };
+        plugins = with pkgs.ReaktorPlugins; [
+          sed-plugin
+        ];
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;

From d65226176267098db98ad36d8c56cf14bea28587 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Thu, 13 Apr 2017 15:25:37 +0200
Subject: [PATCH 04/58] l 1 prism: update chat authorized_key

---
 lass/1systems/prism.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 50b222338..343c45561 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -158,7 +158,7 @@ in {
     }
     {
       users.users.chat.openssh.authorizedKeys.keys = [
-        "ssh-rsa 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 JuiceSSH"
+        "ssh-rsa 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 JuiceSSH"
       ];
     }
     {

From 48d37be5dea8c74c929bd23153361f3cf419f43e Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Fri, 14 Apr 2017 11:25:18 +0200
Subject: [PATCH 05/58] l 2 nixpkgs: a563923 -> 5acb454

---
 lass/2configs/nixpkgs.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 24437d040..5309c9551 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://cgit.lassul.us/nixpkgs;
-    ref = "a563923";
+    ref = "5acb454";
   };
 }

From a80cbaa6e962ea6dcdbf4c01f7e1188ac71c631f Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sat, 15 Apr 2017 17:13:40 +0200
Subject: [PATCH 06/58] realwallpaper: introduce marker_file

---
 krebs/3modules/realwallpaper.nix      | 8 ++++----
 krebs/5pkgs/realwallpaper/default.nix | 8 ++------
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index f9eae8c92..1e7a9faae 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -32,9 +32,9 @@ let
       default = "http://xplanetclouds.com/free/local/clouds_2048.jpg";
     };
 
-    outFile = mkOption {
+    marker = mkOption {
       type = types.str;
-      default = "/tmp/wallpaper.png";
+      default = "http://graphs.r/marker.json";
     };
 
     timerConfig = mkOption {
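Review bot: The new `marker` option is declared without a `description`, and replacing `outFile` outright means any host config that still sets `krebs.realwallpaper.outFile` stops evaluating. The default is a plain-HTTP URL whose JSON the service presumably parses with the `jq` added in a later hunk, so its integrity rests entirely on the network path to that host. I would add something like `description = "URL of the marker JSON fetched on each run";` (wording to be confirmed against the script) and mention the removed option in the commit message.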
@@ -43,7 +43,6 @@ let
         OnCalendar = "*:0/15";
       };
     };
-
   };
 
   imp = {
@@ -63,6 +62,7 @@ let
         imagemagick
         curl
         file
+        jq
       ];
 
       environment = {
@@ -70,7 +70,7 @@ let
         nightmap_url = cfg.nightmap;
         daymap_url = cfg.daymap;
         cloudmap_url = cfg.cloudmap;
-        out_file = cfg.outFile;
+        marker_url = cfg.marker;
       };
 
       restartIfChanged = true;
diff --git a/krebs/5pkgs/realwallpaper/default.nix b/krebs/5pkgs/realwallpaper/default.nix
index 4fea977ec..dec2dada4 100644
--- a/krebs/5pkgs/realwallpaper/default.nix
+++ b/krebs/5pkgs/realwallpaper/default.nix
@@ -5,8 +5,8 @@ stdenv.mkDerivation {
 
   src = fetchgit {
     url = https://github.com/Lassulus/realwallpaper;
-    rev = "c2778c3c235fc32edc8115d533a0d0853ab101c5";
-    sha256 = "0yhbjz19zk8sj5dsvccm6skkqq2vardn1yi70qmd5li7qvp17mvs";
+    rev = "b8408cfb295b6ce5b965309b30358ca6c6409efd";
+    sha256 = "0yyl8hhqshw9bx04xs8glvir3c0qzvfrwzmbvyg318mnz5xalcl0";
   };
 
   phases = [
@@ -15,10 +15,6 @@ stdenv.mkDerivation {
   ];
 
   buildInputs = [
-    xplanet
-    imagemagick
-    curl
-    file
   ];
 
   installPhase = ''

From 930971c9e2c3aa601f4cd87586b987c312607bc7 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sat, 15 Apr 2017 17:16:20 +0200
Subject: [PATCH 07/58] lass: update realwallpaper locations

---
 lass/1systems/prism.nix         |  2 +-
 lass/2configs/realwallpaper.nix | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 343c45561..9c17c4433 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -194,7 +194,7 @@ in {
         ../2configs/realwallpaper.nix
       ];
       services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
-        alias /tmp/wallpaper.png;
+        alias /var/realwallpaper/realwallpaper.png;
       '';
     }
     {
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index cf9795071..4794823ce 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -13,8 +13,14 @@ in {
     serverAliases = [
       hostname
     ];
-    locations."/wallpaper.png".extraConfig = ''
-      root /tmp/;
+    locations."/realwallpaper.png".extraConfig = ''
+      root /var/realwallpaper/;
+    '';
+    locations."/realwallpaper-sat.png".extraConfig = ''
+      root /var/realwallpaper/;
+    '';
+    locations."/realwallpaper-sat-krebs.png".extraConfig = ''
+      root /var/realwallpaper/;
     '';
   };
 

From c45cd788d2df7d14175de59d31506d970eb72382 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sat, 15 Apr 2017 17:58:20 +0200
Subject: [PATCH 08/58] m: graphs -> graph

---
 krebs/3modules/makefu/default.nix     | 12 ++++++------
 makefu/2configs/deployment/graphs.nix |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 56df451b7..cef6a4fd6 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -33,7 +33,7 @@ with import <stockholm/lib>;
       nets = {
         retiolum = {
           ip4.addr = "10.243.113.98";
-          ip6.addr  = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
+          # ip6.addr  = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
           aliases = [
             "fileleech.r"
           ];
@@ -247,7 +247,6 @@ with import <stockholm/lib>;
         "krebsco.de" = ''
           euer              IN MX 1   aspmx.l.google.com.
           nixos.unstable    IN CNAME  krebscode.github.io.
-          pigstarter        IN A      ${nets.internet.ip4.addr}
           gold              IN A      ${nets.internet.ip4.addr}
           boot              IN A      ${nets.internet.ip4.addr}
         '';
@@ -301,7 +300,7 @@ with import <stockholm/lib>;
           ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
           aliases = [
             "wry.r"
-            "graphs.wry.r"
+            "graph.wry.r"
             "paste.wry.r"
           ];
           tinc.pubkey = ''
@@ -436,12 +435,13 @@ with import <stockholm/lib>;
           mattermost.euer   IN A      ${nets.internet.ip4.addr}
           git.euer          IN A      ${nets.internet.ip4.addr}
           gum               IN A      ${nets.internet.ip4.addr}
+          pigstarter        IN A      ${nets.internet.ip4.addr}
           cgit.euer         IN A      ${nets.internet.ip4.addr}
           o.euer            IN A      ${nets.internet.ip4.addr}
           dl.euer           IN A      ${nets.internet.ip4.addr}
           euer              IN A      ${nets.internet.ip4.addr}
           wiki.euer         IN A      ${nets.internet.ip4.addr}
-          graphs            IN A      ${nets.internet.ip4.addr}
+          graph             IN A      ${nets.internet.ip4.addr}
         '';
       };
       nets = rec {
@@ -461,7 +461,7 @@ with import <stockholm/lib>;
             "o.gum.r"
             "tracker.makefu.r"
 
-            "graphs.r"
+            "graph.r"
             "wiki.makefu.r"
             "wiki.gum.r"
             "blog.makefu.r"
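Review bot: Renaming the alias to `graph.r` here leaves at least one consumer behind: the `marker` default in krebs/3modules/realwallpaper.nix, introduced in patch 06 of this series, is still `http://graphs.r/marker.json`. Unless another host keeps the old name, that lookup stops resolving once this lands. Either update the default to `http://graph.r/marker.json` in the same commit or keep `"graphs.r"` as a transitional alias next to the new one.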
@@ -491,7 +491,7 @@ with import <stockholm/lib>;
           ip4.prefix = "10.8.10.0/24";
           aliases = [
             "shoney.siem"
-            "graphs.siem"
+            "graph.siem"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
diff --git a/makefu/2configs/deployment/graphs.nix b/makefu/2configs/deployment/graphs.nix
index 35a724f6a..b33ddece0 100644
--- a/makefu/2configs/deployment/graphs.nix
+++ b/makefu/2configs/deployment/graphs.nix
@@ -23,8 +23,8 @@ in {
           }
         '';
         serverAliases = [
-          "graphs.r" "graphs.retiolum"
-          "graphs.${hn}" "graphs.${hn}.retiolum"
+          "graph.r"
+          "graph.${hn}" "graph.${hn}.r"
         ];
       };
       anonymous = {

From 4feb0e8e91d228bf4754d130e7d134f41047dc32 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sat, 15 Apr 2017 18:04:19 +0200
Subject: [PATCH 09/58] k 3 hidden-ssh: init

---
 krebs/3modules/default.nix    |  1 +
 krebs/3modules/hidden-ssh.nix | 53 +++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 krebs/3modules/hidden-ssh.nix

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index d24cea1a2..0364792b5 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -20,6 +20,7 @@ let
       ./github-hosts-sync.nix
       ./git.nix
       ./go.nix
+      ./hidden-ssh.nix
       ./htgen.nix
       ./iptables.nix
       ./kapacitor.nix
diff --git a/krebs/3modules/hidden-ssh.nix b/krebs/3modules/hidden-ssh.nix
new file mode 100644
index 000000000..2f75ded9b
--- /dev/null
+++ b/krebs/3modules/hidden-ssh.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+  cfg = config.krebs.hidden-ssh;
+
+  out = {
+    options.krebs.hidden-ssh = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "hidden SSH announce";
+  };
+
+  imp = let
+    torDirectory = "/var/lib/tor"; # from tor.nix
+    hiddenServiceDir = torDirectory + "/ssh-announce-service";
+  in {
+    services.tor = {
+      enable = true;
+      extraConfig = ''
+        HiddenServiceDir ${hiddenServiceDir}
+        HiddenServicePort 22 127.0.0.1:22
+      '';
+      client.enable = true;
+    };
+    systemd.services.hidden-ssh-announce = {
+      description = "irc announce hidden ssh";
+      after = [ "tor.service" ];
+      wants = [ "tor.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        # ${pkgs.tor}/bin/torify
+        ExecStart = pkgs.writeDash "irc-announce-ssh" ''
+          set -efu
+          until test -e ${hiddenServiceDir}/hostname; do
+            echo "still waiting for ${hiddenServiceDir}/hostname"
+            sleep 1
+          done
+          ${pkgs.irc-announce}/bin/irc-announce \
+            irc.freenode.org 6667 ${config.krebs.build.host.name}-ssh \
+            \#krebs-announce \
+            "SSH Hidden Service at $(cat ${hiddenServiceDir}/hostname)"
+        '';
+        PrivateTmp = "true";
+        User = "tor";
+        Type = "oneshot";
+      };
+    };
+  };
+in
+out
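Review bot: The announce script publishes the onion hostname in clear: `irc-announce` connects to `irc.freenode.org` on port 6667 directly (the `torify` line is commented out), so the IRC server sees the host's address next to the onion name and everyone in `#krebs-announce` learns where the SSH service lives. That leaves sshd's own authentication as the only barrier, which deserves a comment at the top of `imp`, e.g. `# NOTE: the .onion name is announced publicly; sshd must be key-only`, and ideally `api` options for server and channel instead of the hard-coded values. The `until test -e` loop also has no upper bound, and a `Type = "oneshot"` unit has no start timeout by default, so a Tor instance that never writes the hostname leaves the unit activating forever; `TimeoutStartSec = "5min";` in `serviceConfig` would bound it.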

From 64ac9ab74f1cb448da51880a0776848ddd7c63b3 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sat, 15 Apr 2017 18:19:15 +0200
Subject: [PATCH 10/58] l 2 realwallpaper: allow only from .r

---
 lass/2configs/realwallpaper.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 4794823ce..9e26d677c 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -10,6 +10,11 @@ in {
   krebs.realwallpaper.enable = true;
 
   services.nginx.virtualHosts.wallpaper = {
+    extraConfig = ''
+      if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+        return 403;
+      }
+    '';
     serverAliases = [
       hostname
     ];
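Review bot: The added `if` is a deny-list on a single address: only requests arriving on `nets.internet.ip4.addr` get the 403, so anything reaching this vhost on another address (an IPv6 address, a second interface) is still served, which does not match the subject "allow only from .r". Inverting the test to the overlay address turns it into an allow-list, e.g. `if ( $server_addr != "${config.krebs.build.host.nets.retiolum.ip4.addr}" ) { return 403; }`, assuming the host defines that attribute and clients do not use the overlay's IPv6 address. Binding the vhost's `listen` to the overlay address would avoid the `if` altogether. The virtualHosts block continues outside the hunk.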

From fbc29e63da7fca719dc20df13d31402a8d9c449b Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sat, 15 Apr 2017 18:19:45 +0200
Subject: [PATCH 11/58] l 2 realwallpaper: listen on .r

---
 lass/2configs/realwallpaper.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 9e26d677c..116d66276 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -17,6 +17,7 @@ in {
     '';
     serverAliases = [
       hostname
+      "${hostname}.r"
     ];
     locations."/realwallpaper.png".extraConfig = ''
       root /var/realwallpaper/;

From 270157937b67c9aeda0b8d245141e6943d78188f Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sat, 15 Apr 2017 18:55:15 +0200
Subject: [PATCH 12/58] k 5 tinc_graphs: bump to 0.3.10

---
 krebs/5pkgs/tinc_graphs/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/5pkgs/tinc_graphs/default.nix b/krebs/5pkgs/tinc_graphs/default.nix
index e5f1e40e8..20bbc53ba 100644
--- a/krebs/5pkgs/tinc_graphs/default.nix
+++ b/krebs/5pkgs/tinc_graphs/default.nix
@@ -2,14 +2,14 @@
 
 python3Packages.buildPythonPackage rec {
   name = "tinc_graphs-${version}";
-  version = "0.3.9";
+  version = "0.3.10";
   propagatedBuildInputs = with pkgs;[
     python3Packages.pygeoip
     ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat
   ];
   src = fetchurl {
-    url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz";
-    sha256 = "0hjmkiclvyjb3707285x4b8mk5aqjcvh383hvkad1h7p1n61qrfx";
+    url = "mirror://pypi/t/tinc_graphs/${name}.tar.gz";
+    sha256 = "0f4cvb9424fhfmc0hbzmynzh9528fyhx00ayq1nbpgd1p89yw7mc";
   };
   preFixup = with pkgs;''
     wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin"

From 6dfee5d766d16bd90aaf846f591c7168563554cd Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sat, 15 Apr 2017 22:27:59 +0200
Subject: [PATCH 13/58] l 1 iso: enable hidden-ssh

---
 lass/1systems/iso.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 9dfbf7cb8..bee1c148f 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -148,5 +148,8 @@ with import <stockholm/lib>;
         };
       };
     }
+    {
+      krebs.hidden-ssh.enable = true;
+    }
   ];
 }

From 8f89bb5d3d5e8f2e2deb70a7029321d05c5d256f Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:31:46 +0200
Subject: [PATCH 14/58] k 3 hidden-ssh: start after network-online.target

---
 krebs/3modules/hidden-ssh.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/3modules/hidden-ssh.nix b/krebs/3modules/hidden-ssh.nix
index 2f75ded9b..3930dbf42 100644
--- a/krebs/3modules/hidden-ssh.nix
+++ b/krebs/3modules/hidden-ssh.nix
@@ -27,7 +27,7 @@ let
     };
     systemd.services.hidden-ssh-announce = {
       description = "irc announce hidden ssh";
-      after = [ "tor.service" ];
+      after = [ "tor.service" "network-online.target" ];
       wants = [ "tor.service" ];
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
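Review bot: Adding `"network-online.target"` to `after` only orders the unit; the target is not pulled in, because `wants` on the next line still lists `tor.service` alone. Unless something else on the system wants that target, the new ordering has no effect, so the line should become `wants = [ "tor.service" "network-online.target" ];`. The service definition continues outside the hunk.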

From 6187206a02ed9bc7b21fdfd9c32e0b57f6f23365 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:32:05 +0200
Subject: [PATCH 15/58] irc-announce: fix cat2 on live systems

---
 krebs/5pkgs/irc-announce/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/5pkgs/irc-announce/default.nix b/krebs/5pkgs/irc-announce/default.nix
index e1f4919d5..6eb725b71 100644
--- a/krebs/5pkgs/irc-announce/default.nix
+++ b/krebs/5pkgs/irc-announce/default.nix
@@ -24,7 +24,7 @@ pkgs.writeDashBin "irc-announce" ''
   # echo2 and cat2 are used output to both, stdout and stderr
   # This is used to see what we send to the irc server. (debug output)
   echo2() { echo "$*"; echo "$*" >&2; }
-  cat2() { tee /dev/stderr; }
+  cat2() { awk '{print;print > "/dev/stderr"}'; }
 
   # privmsg_cat transforms stdin to a privmsg
   privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
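Review bot: The replacement of `tee /dev/stderr` in `cat2` needs a comment saying why, since the subject only says "fix cat2 on live systems" and the next reader is likely to simplify it back. Presumably `tee` fails because it has to reopen `/dev/stderr`, which does not work when stderr is not a reopenable file, whereas awk implementations such as gawk map the name to the already-open descriptor; please confirm and record it, e.g. `# awk writes to the inherited fd 2; tee would have to reopen /dev/stderr`. Which awk ends up on PATH is not visible in the hunk, so it is worth checking that the one used treats `"/dev/stderr"` specially.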

From 7ea694323bf791e6a2dae4897fefa0f09bc2a654 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:32:43 +0200
Subject: [PATCH 16/58] l 1 mors: disable ipfs

---
 lass/1systems/mors.nix | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index c196b391a..8891d1829 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -76,10 +76,6 @@ with import <stockholm/lib>;
     {
       services.redis.enable = true;
     }
-    {
-      #ipfs-testing
-      services.ipfs.enable = true;
-    }
     {
       environment.systemPackages = [
         pkgs.krebszones

From faa8318d13a4b8932e9fd15ebae116d380ede497 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:33:54 +0200
Subject: [PATCH 17/58] l 1 iso: make sshd work

---
 lass/1systems/iso.nix | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index bee1c148f..01d698c4c 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -15,7 +15,6 @@ with import <stockholm/lib>;
       krebs.enable = true;
       krebs.build.user = config.krebs.users.lass;
       krebs.build.host = config.krebs.hosts.iso;
-      krebs.build.source.nixos-config.symlink = "stockholm/lass/1systems/${config.krebs.buil.host.name}.nix";
     }
     {
       nixpkgs.config.allowUnfree = true;
@@ -122,18 +121,12 @@ with import <stockholm/lib>;
           { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
       };
+      systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
     }
     {
       krebs.iptables = {
         enable = true;
         tables = {
-          nat.PREROUTING.rules = [
-            { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
-            { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
-          ];
-          nat.OUTPUT.rules = [
-            { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
-          ];
           filter.INPUT.policy = "DROP";
           filter.FORWARD.policy = "DROP";
           filter.INPUT.rules = [
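Review bot: Dropping the `nat.PREROUTING` rules removes the redirect that kept port 22 unreachable from every interface except `retiolum`, so together with the forced `sshd.wantedBy` the daemon on the ISO is now reachable wherever `filter.INPUT.rules` accept port 22; those rules start on the last line of the hunk and continue outside it. Please confirm that they and the sshd settings above restrict logins to keys. The `mkForce` line should also say what it overrides, e.g. `# the installer profile clears sshd.wantedBy; force it back on` (presumably; confirm against the imported profile).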

From 6e6a01957d86bffc0ee43978f80c449355365103 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:34:25 +0200
Subject: [PATCH 18/58] l 2: add sshn to pkgs

---
 lass/2configs/default.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 69f8a681e..b53efa75d 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -151,6 +151,10 @@ with import <stockholm/lib>;
     p7zip
     unzip
     unrar
+
+    (pkgs.writeDashBin "sshn" ''
+      ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
+    '')
   ];
 
   programs.bash = {
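Review bot: `sshn` turns off host key verification entirely (`StrictHostKeyChecking=no` with `UserKnownHostsFile=/dev/null`), so nothing authenticates the server and whatever the session offers, such as a typed password or a forwarded agent, goes to whichever host answers. If this is meant for throwaway hosts such as the live ISO, say so in a comment and limit what an unverified peer can obtain: `${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=no -o PasswordAuthentication=no "$@"`. A leading `exec` would also avoid keeping the dash wrapper alive for the whole session.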

From b6b39b69ff8cf5aea15e9d31a23c58e9a2cd5ab1 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:35:02 +0200
Subject: [PATCH 19/58] l 1 mors: enable tor

---
 lass/1systems/mors.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 8891d1829..d80665a6b 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -85,6 +85,12 @@ with import <stockholm/lib>;
       #ps vita stuff
       boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
     }
+    {
+      services.tor = {
+        enable = true;
+        client.enable = true;
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.mors;

From 7a48255b5a88e548eaf36ecdebb66fac96a04602 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:35:25 +0200
Subject: [PATCH 20/58] l 2: add syncthing.nix

---
 lass/1systems/mors.nix      |  1 +
 lass/1systems/prism.nix     |  1 +
 lass/2configs/syncthing.nix | 12 ++++++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 lass/2configs/syncthing.nix

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index d80665a6b..c8d9465d5 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -25,6 +25,7 @@ with import <stockholm/lib>;
     ../2configs/repo-sync.nix
     ../2configs/ircd.nix
     ../2configs/logf.nix
+    ../2configs/syncthing.nix
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 9c17c4433..41a909f16 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -46,6 +46,7 @@ in {
     ../2configs/monitoring/server.nix
     ../2configs/monitoring/monit-alarms.nix
     ../2configs/paste.nix
+    ../2configs/syncthing.nix
     {
       imports = [
         ../2configs/bepasty.nix
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
new file mode 100644
index 000000000..cef43d1e6
--- /dev/null
+++ b/lass/2configs/syncthing.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  services.syncthing = {
+    enable = true;
+    useInotify = true;
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
+    { predicate = "-p udp --dport 21027"; target = "ACCEPT";}
+  ];
+}
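Review bot: Both ACCEPT rules match on every interface, so on the hosts importing this file (mors and prism in this commit) the sync port 22000/tcp and the discovery port 21027/udp are opened on all networks the host is attached to, not only the overlay. If synchronisation is only meant to happen inside retiolum, scope the predicates, e.g. `{ predicate = "-i retiolum -p tcp --dport 22000"; target = "ACCEPT"; }`. The UDP rule serves local discovery announcements and may not be needed on a server at all. Syncthing's device authentication is otherwise the only gate on the open port, so a short comment stating the intended exposure would help.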

From eeffa28de533a4a02f67f28ab789bbc89d084043 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:08:36 +0200
Subject: [PATCH 21/58] m: init syncthing for hosts

---
 makefu/1systems/fileleech.nix |  2 +-
 makefu/1systems/gum.nix       |  5 +++--
 makefu/1systems/omo.nix       |  5 +++--
 makefu/2configs/ipfs.nix      |  5 +++++
 makefu/2configs/syncthing.nix | 11 +++++++++++
 5 files changed, 23 insertions(+), 5 deletions(-)
 create mode 100644 makefu/2configs/ipfs.nix
 create mode 100644 makefu/2configs/syncthing.nix

diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix
index 4f92c2b90..3aa5a54f8 100644
--- a/makefu/1systems/fileleech.nix
+++ b/makefu/1systems/fileleech.nix
@@ -32,7 +32,6 @@ in {
       ../2configs/elchos/log.nix
       ../2configs/elchos/search.nix
       ../2configs/elchos/stats.nix
-      ../2configs/stats-srv.nix
 
     ];
   systemd.services.grafana.serviceConfig.LimitNOFILE=10032;
@@ -129,6 +128,7 @@ in {
     #  createHome = true;
     openssh.authorizedKeys.keys = [
       config.krebs.users.makefu.pubkey
+      config.krebs.users.lass.pubkey
       "ssh-rsa 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 jules@kvasir-2015-02-13"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local"
       "ssh-rsa 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 me@andreaskist.de"
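Review bot: The added `config.krebs.users.lass.pubkey` grants lass login on the account whose definition starts outside the hunk, an access change that the subject "init syncthing for hosts" does not mention; it would be easier to audit as its own commit or at least with a line in the message. While touching this list: the context entry two lines below the addition packs an `ssh-rsa` and an `ssh-ed25519` key into one string, so in the resulting authorized_keys line the second key becomes comment text of the first and is never accepted. It should be split into two list elements if momo@k2.local is meant to have access.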
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index c39997ebf..3186f8887 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -35,10 +35,12 @@ in {
       ../2configs/nginx/update.connector.one.nix
       ../2configs/deployment/mycube.connector.one.nix
       ../2configs/deployment/graphs.nix
+      # ../2configs/ipfs.nix
+      ../2configs/syncthing.nix
 
       # ../2configs/opentracker.nix
       ../2configs/logging/central-stats-client.nix
-      ../2configs/logging/central-logging-client.nix
+      # ../2configs/logging/central-logging-client.nix
 
   ];
   services.smartd.devices = [ { device = "/dev/sda";} ];
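Review bot: Commenting out `../2configs/logging/central-logging-client.nix` stops this host from importing the central logging client, and the omo.nix hunk below does the same for both the logging server and the client, all under a subject that only mentions syncthing. If central logging is being retired or is temporarily broken, say so next to the commented lines, e.g. `# disabled until <reason>; logs stay local only`, so the gap in log collection is a recorded decision and not a side effect. The imports list starts outside the hunk.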
@@ -79,7 +81,6 @@ in {
   ];
   services.bitlbee.enable = true;
   systemd.services.bitlbee.environment.BITLBEE_DEBUG="1";
-  # systemd.services.bitlbee.serviceConfig.ExecStart = "${pkgs.bitlbee}/bin/bitlbee -Dnv -c 
 
   # Hardware
   boot.loader.grub.device = "/dev/sda";
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index 99303b604..ff34ee843 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
@@ -53,9 +53,10 @@ in {
       ../2configs/omo-share.nix
       ../2configs/tinc/retiolum.nix
       ../2configs/logging/central-stats-server.nix
-      ../2configs/logging/central-logging-server.nix
+      # ../2configs/logging/central-logging-server.nix
       ../2configs/logging/central-stats-client.nix
-      ../2configs/logging/central-logging-client.nix
+      ../2configs/syncthing.nix
+      # ../2configs/logging/central-logging-client.nix
 
       # ../2configs/torrent.nix
 
diff --git a/makefu/2configs/ipfs.nix b/makefu/2configs/ipfs.nix
new file mode 100644
index 000000000..cc07e063d
--- /dev/null
+++ b/makefu/2configs/ipfs.nix
@@ -0,0 +1,5 @@
+{...}:
+{
+  services.ipfs.enable = true;
+  networking.firewall.allowedTCPPorts = [ 4001 ];
+}
diff --git a/makefu/2configs/syncthing.nix b/makefu/2configs/syncthing.nix
new file mode 100644
index 000000000..6b758ea2d
--- /dev/null
+++ b/makefu/2configs/syncthing.nix
@@ -0,0 +1,11 @@
+{...}:
+
+with import <stockholm/lib>; {
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    useInotify = true;
+    group = "download";
+  };
+  users.extraGroups.download.gid = genid "download";
+}

From ff038698d1dd68b5d4c512c2214198b5d975594c Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:11:32 +0200
Subject: [PATCH 22/58] m 2 urxvtd: init

---
 makefu/1systems/x.nix            |  3 ++-
 makefu/2configs/base-gui.nix     |  5 ++++-
 makefu/2configs/urxvtd.nix       | 21 +++++++++++++++++++++
 makefu/5pkgs/awesomecfg/full.cfg |  2 +-
 4 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 makefu/2configs/urxvtd.nix

diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index 9cedc04a8..51c9543ef 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@@ -2,6 +2,7 @@
 #
 #
 { config, pkgs, ... }:
+with import <stockholm/lib>;
 
 {
   imports =
@@ -78,7 +79,7 @@
   };
 
   boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
-  environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
+  environment.systemPackages = [ pkgs.passwdqc-utils ];
 
   virtualisation.docker.enable = true;
 
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix
index ba4c551b3..1a19ab36b 100644
--- a/makefu/2configs/base-gui.nix
+++ b/makefu/2configs/base-gui.nix
@@ -16,7 +16,10 @@ let
   mainUser = config.krebs.build.user.name;
 in
 {
-  imports = [ ];
+  imports = [
+    ./urxvtd.nix
+  ];
+
   services.xserver = {
     enable = true;
     layout = "us";
diff --git a/makefu/2configs/urxvtd.nix b/makefu/2configs/urxvtd.nix
new file mode 100644
index 000000000..286b87ab3
--- /dev/null
+++ b/makefu/2configs/urxvtd.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+let
+	mainUser = config.krebs.build.user.name;
+in {
+  systemd.services.urxvtd = {
+    wantedBy = [ "multi-user.target" ];
+    before = [ "graphical.target" ];
+    reloadIfChanged = true;
+    serviceConfig = {
+      SyslogIdentifier = "urxvtd";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+      ExecStart = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtd";
+      Restart = "always";
+      RestartSec = "2s";
+      StartLimitBurst = 0;
+      User = mainUser;
+    };
+  };
+	# TODO: sessionCommands from base-gui related to urxvt in this file
+}
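Review bot: The `mainUser` line in the `let` and the closing `# TODO` are indented with tabs while the rest of the new file uses spaces; please normalise to two spaces. `ExecReload = "${pkgs.coreutils}/bin/echo NOP"` combined with `reloadIfChanged = true` means a changed unit is reloaded with a no-op and not restarted on switch. That is presumably intended to keep open terminals alive, but it should be stated in a comment, e.g. `# reload is a no-op so a rebuild does not kill running terminals`.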
diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg
index e43341d25..73ff42e9f 100644
--- a/makefu/5pkgs/awesomecfg/full.cfg
+++ b/makefu/5pkgs/awesomecfg/full.cfg
@@ -90,7 +90,7 @@ client.connect_signal("focus", function(c) c.border_color = beautiful.border_foc
 client.connect_signal("unfocus", function(c) c.border_color = beautiful.border_normal end)
 
 -- This is used later as the default terminal and editor to run.
-terminal = "urxvt"
+terminal = "urxvtc"
 editor = os.getenv("EDITOR") or "vim"
 editor_cmd = terminal .. " -e " .. editor
 browser = "firefox"

From 24260ff6d43e390d500655de5991e95f11654d8c Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:12:16 +0200
Subject: [PATCH 23/58] m 2 default: 2982661 -> 4fac473

---
 makefu/2configs/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index cd9b4c056..0865c3a31 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -11,7 +11,7 @@ with import <stockholm/lib>;
     ./vim.nix
     ./binary-cache/nixos.nix
   ];
-
+  programs.command-not-found.enable = false;
   nixpkgs.config.allowUnfreePredicate =  (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
   krebs = {
     enable = true;
@@ -22,7 +22,7 @@ with import <stockholm/lib>;
       user = config.krebs.users.makefu;
       source = let
           inherit (config.krebs.build) host user;
-          ref = "2982661"; # unstable @ 2017-03-31 + cups-dymo + snapraid-11.1
+          ref = "4fac473"; # unstable @ 2017-03-31 + command-not-found
       in {
         nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
           {

From 729b0ed1c0779480cae6fb9c8d1dde314fd6f4ad Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:13:07 +0200
Subject: [PATCH 24/58] m 2 tools: add packages

---
 makefu/2configs/tools/core-gui.nix  | 2 +-
 makefu/2configs/tools/core.nix      | 1 +
 makefu/2configs/tools/extra-gui.nix | 1 +
 makefu/2configs/tools/sec.nix       | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix
index 6d62e92c0..0538647ae 100644
--- a/makefu/2configs/tools/core-gui.nix
+++ b/makefu/2configs/tools/core-gui.nix
@@ -12,11 +12,11 @@
     firefox
     keepassx
     pcmanfm
+    evince
     skype
     mirage
     tightvnc
     gnome3.dconf
-    wireshark
     xdotool
     xorg.xbacklight
     scrot
diff --git a/makefu/2configs/tools/core.nix b/makefu/2configs/tools/core.nix
index 86d72c662..6ae2951eb 100644
--- a/makefu/2configs/tools/core.nix
+++ b/makefu/2configs/tools/core.nix
@@ -40,6 +40,7 @@
     cac-api
     cac-panel
     krebspaste
+    krebszones
     ledger
     pass
   ];
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index 9cfacf408..596734dd5 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -4,6 +4,7 @@
   krebs.per-user.makefu.packages = with pkgs;[
     inkscape
     gimp
+    libreoffice
     skype
     virtmanager
     synergy
diff --git a/makefu/2configs/tools/sec.nix b/makefu/2configs/tools/sec.nix
index 5ab699f35..e53d9ee8e 100644
--- a/makefu/2configs/tools/sec.nix
+++ b/makefu/2configs/tools/sec.nix
@@ -11,5 +11,6 @@
     nmap
     msf
     thc-hydra
+    wireshark
   ];
 }

From 9d7e9bf4a9630bb763d7d7bff7880c70405c7ea3 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:13:35 +0200
Subject: [PATCH 25/58] m 1 shoney: graphs -> graph

---
 makefu/1systems/shoney.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 96aeb2856..9f04e97eb 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -31,7 +31,7 @@ in {
         anonymous-domain = "localhost.localdomain";
         anonymous.extraConfig = "return 403;";
         complete = {
-          serverAliases = [ "graphs.siem" ];
+          serverAliases = [ "graph.siem" ];
           extraConfig = ''
             if ( $server_addr = "${ip}" ) {
               return 403;

From 865aa9c1d0198fbd57342c7593396bf4f007e71f Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:32:43 +0200
Subject: [PATCH 26/58] l 1 mors: disable ipfs

---
 lass/1systems/mors.nix | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index c196b391a..8891d1829 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -76,10 +76,6 @@ with import <stockholm/lib>;
     {
       services.redis.enable = true;
     }
-    {
-      #ipfs-testing
-      services.ipfs.enable = true;
-    }
     {
       environment.systemPackages = [
         pkgs.krebszones

From 6a53a331d11fcf1ff1d36645c3bd42c4c9d0c51c Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:33:54 +0200
Subject: [PATCH 27/58] l 1 iso: make sshd work

---
 lass/1systems/iso.nix | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index bee1c148f..01d698c4c 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -15,7 +15,6 @@ with import <stockholm/lib>;
       krebs.enable = true;
       krebs.build.user = config.krebs.users.lass;
       krebs.build.host = config.krebs.hosts.iso;
-      krebs.build.source.nixos-config.symlink = "stockholm/lass/1systems/${config.krebs.buil.host.name}.nix";
     }
     {
       nixpkgs.config.allowUnfree = true;
@@ -122,18 +121,12 @@ with import <stockholm/lib>;
           { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
       };
+      systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
     }
     {
       krebs.iptables = {
         enable = true;
         tables = {
-          nat.PREROUTING.rules = [
-            { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
-            { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
-          ];
-          nat.OUTPUT.rules = [
-            { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
-          ];
           filter.INPUT.policy = "DROP";
           filter.FORWARD.policy = "DROP";
           filter.INPUT.rules = [
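Review bot: With the `nat.PREROUTING` and `nat.OUTPUT` redirects removed and `systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];` added, sshd on the live image answers directly on port 22 from boot. Before this change, port 22 was redirected away for everything not arriving on `retiolum`. Whether it is now reachable from other interfaces depends on `filter.INPUT.rules`, which continue past the end of this hunk, so please confirm that list restricts port 22 as intended. A comment on the `wantedBy` line would also help, e.g. `# installer image: sshd must be up without manual start; reachability is limited by filter.INPUT below`. Since the image can boot on untrusted networks, it is worth confirming that password login is disabled in the sshd block above the hunk.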

From bd58053b7e8123850ca04601505efadace807100 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:34:25 +0200
Subject: [PATCH 28/58] l 2: add sshn to pkgs

---
 lass/2configs/default.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 69f8a681e..b53efa75d 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -151,6 +151,10 @@ with import <stockholm/lib>;
     p7zip
     unzip
     unrar
+
+    (pkgs.writeDashBin "sshn" ''
+      ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
+    '')
   ];
 
   programs.bash = {
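Review bot: The new `sshn` wrapper turns off host-key verification entirely (`UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`), so any password typed or agent forwarded through it goes to an unauthenticated peer. Nothing in the hunk says when that is acceptable. A comment above the `writeDashBin` call would keep it from becoming a general `ssh` replacement, e.g. `# sshn: ssh without host-key checks; only for freshly installed or throwaway hosts, never with passwords or agent forwarding`. The script also runs ssh as a child of dash; `exec ${pkgs.openssh}/bin/ssh …` would hand over signals and the exit status directly.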

From cb36b4fb7cd4c51b89328a06ba0b994d627813aa Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:35:02 +0200
Subject: [PATCH 29/58] l 1 mors: enable tor

---
 lass/1systems/mors.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 8891d1829..d80665a6b 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -85,6 +85,12 @@ with import <stockholm/lib>;
       #ps vita stuff
       boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
     }
+    {
+      services.tor = {
+        enable = true;
+        client.enable = true;
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.mors;

From b3463a3b8227a0732b1c3c4c90998f24c8ab1edf Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Sun, 16 Apr 2017 23:35:25 +0200
Subject: [PATCH 30/58] l 2: add syncthing.nix

---
 lass/1systems/mors.nix      |  1 +
 lass/1systems/prism.nix     |  1 +
 lass/2configs/syncthing.nix | 12 ++++++++++++
 3 files changed, 14 insertions(+)
 create mode 100644 lass/2configs/syncthing.nix

diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index d80665a6b..c8d9465d5 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -25,6 +25,7 @@ with import <stockholm/lib>;
     ../2configs/repo-sync.nix
     ../2configs/ircd.nix
     ../2configs/logf.nix
+    ../2configs/syncthing.nix
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 9c17c4433..41a909f16 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -46,6 +46,7 @@ in {
     ../2configs/monitoring/server.nix
     ../2configs/monitoring/monit-alarms.nix
     ../2configs/paste.nix
+    ../2configs/syncthing.nix
     {
       imports = [
         ../2configs/bepasty.nix
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
new file mode 100644
index 000000000..cef43d1e6
--- /dev/null
+++ b/lass/2configs/syncthing.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  services.syncthing = {
+    enable = true;
+    useInotify = true;
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
+    { predicate = "-p udp --dport 21027"; target = "ACCEPT";}
+  ];
+}
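Review bot: Both new INPUT rules accept traffic from every interface, so on `mors` and `prism` the Syncthing sync port (tcp 22000) and the local-discovery port (udp 21027) become reachable from whatever network the host is attached to. Syncthing authenticates peers by device ID, so this is not an open share, but it does widen the exposed surface. If syncing is only meant to happen inside the VPN, the predicates can be scoped with the `-i retiolum` form used elsewhere in this repository, e.g. `{ predicate = "-i retiolum -p tcp --dport 22000"; target = "ACCEPT"; }`. If public reachability is intended, a one-line comment saying so would make that explicit.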

From 87acf579a91c5fb41393d5ffe027d287194205a4 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Sat, 15 Apr 2017 18:55:15 +0200
Subject: [PATCH 31/58] k 5 tinc_graphs: bump to 0.3.10

---
 krebs/5pkgs/tinc_graphs/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/5pkgs/tinc_graphs/default.nix b/krebs/5pkgs/tinc_graphs/default.nix
index e5f1e40e8..20bbc53ba 100644
--- a/krebs/5pkgs/tinc_graphs/default.nix
+++ b/krebs/5pkgs/tinc_graphs/default.nix
@@ -2,14 +2,14 @@
 
 python3Packages.buildPythonPackage rec {
   name = "tinc_graphs-${version}";
-  version = "0.3.9";
+  version = "0.3.10";
   propagatedBuildInputs = with pkgs;[
     python3Packages.pygeoip
     ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat
   ];
   src = fetchurl {
-    url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz";
-    sha256 = "0hjmkiclvyjb3707285x4b8mk5aqjcvh383hvkad1h7p1n61qrfx";
+    url = "mirror://pypi/t/tinc_graphs/${name}.tar.gz";
+    sha256 = "0f4cvb9424fhfmc0hbzmynzh9528fyhx00ayq1nbpgd1p89yw7mc";
   };
   preFixup = with pkgs;''
     wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin"

From 3b0fa5dbe7a7e4f0b6047746545b1ce602f8e65f Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Mon, 17 Apr 2017 15:43:10 +0200
Subject: [PATCH 32/58] l 2 baseX: remove redundant libvirt

---
 lass/2configs/baseX.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 3032e244f..9c51effdc 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -32,8 +32,6 @@ in {
 
   time.timeZone = "Europe/Berlin";
 
-  virtualisation.libvirtd.enable = true;
-
   programs.ssh.startAgent = false;
 
   services.printing = {

From 7c89a9be2b7d41e0feba0a51c6e80bf046179f65 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Tue, 18 Apr 2017 17:04:40 +0200
Subject: [PATCH 33/58] l 2 buildbot: get stockholm source from cgit.prism

---
 lass/2configs/buildbot-standalone.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 3006e9dfb..7b38e44c6 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -20,7 +20,7 @@ in {
   };
 
   config.krebs.buildbot.master = let
-    stockholm-mirror-url = http://cgit.lassul.us/stockholm ;
+    stockholm-mirror-url = http://cgit.prism.r/stockholm ;
   in {
     workers = {
       testworker = "lasspass";
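Review bot: `stockholm-mirror-url` still points the build master at a plain `http://` URL, so the source it builds is fetched without transport authentication. With `cgit.prism.r` that presumably rests on the retiolum VPN, which deserves a comment next to the binding, e.g. `# .r is only reachable via retiolum; this mirror has no TLS`. The value is also an unquoted URL literal; writing it as a string, `stockholm-mirror-url = "http://cgit.prism.r/stockholm";`, is the more robust form. The `let … in` body continues past the end of the hunk.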

From 4e55661dc4e32af76f074f57c035136a7e7b3869 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Tue, 18 Apr 2017 17:04:59 +0200
Subject: [PATCH 34/58] l 2: set dnscrypt resolver to cs-de

---
 lass/2configs/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index b53efa75d..e964704c3 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -64,7 +64,10 @@ with import <stockholm/lib>;
       ];
     }
     {
-      services.dnscrypt-proxy.enable = true;
+      services.dnscrypt-proxy = {
+        enable = true;
+        resolverName = "cs-de";
+      };
       networking.extraResolvconfConf = ''
         name_servers='127.0.0.1'
       '';

From 5443d2b08ba11323844dcd4b4b79c7580c4029ef Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Tue, 18 Apr 2017 17:05:18 +0200
Subject: [PATCH 35/58] l 2 fetchWallpaper: get new wp from prism

---
 lass/2configs/fetchWallpaper.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index 971be9588..31a01c754 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -6,7 +6,7 @@ in {
   krebs.fetchWallpaper = {
     enable = true;
     unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
-    url = "prism/wallpaper.png";
+    url = "prism/realwallpaper-sat-krebs.png";
     maxTime = 10;
   };
 }

From a773c4c1db47312f5bc8b564b870a826e3bff5fc Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Sat, 15 Apr 2017 14:32:05 +0200
Subject: [PATCH 36/58] tv nixpkgs: 5acb454 -> 76c6313

---
 tv/2configs/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index cbbd5c439..8d7ed2b4f 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
       stockholm.file = "/home/tv/stockholm";
       nixpkgs.git = {
         url = https://github.com/NixOS/nixpkgs;
-        ref = "5acb454e2ad3e3783e63b86a9a31e800d2507e66"; # nixos-17.03
+        ref = "76c63133c5310d362c7c23157616b263db9a9510"; # nixos-17.03
       };
     } // optionalAttrs host.secure {
       secrets-master.file = "/home/tv/secrets/master";

From 0efdaf3a2d66a6166b135818748bd1da5e32ab12 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 17 Apr 2017 13:46:38 +0200
Subject: [PATCH 37/58] tv nixpkgs: 76c6313 -> b647a67

---
 tv/2configs/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 8d7ed2b4f..ede73f4e5 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
       stockholm.file = "/home/tv/stockholm";
       nixpkgs.git = {
         url = https://github.com/NixOS/nixpkgs;
-        ref = "76c63133c5310d362c7c23157616b263db9a9510"; # nixos-17.03
+        ref = "b647a67dfee066b75d2f54b789f7646016662071"; # nixos-17.03
       };
     } // optionalAttrs host.secure {
       secrets-master.file = "/home/tv/secrets/master";

From 6df0b60f8af8a486ec89f6630e827720efd445ca Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 17 Apr 2017 15:45:32 +0200
Subject: [PATCH 38/58] wolf: cleanup

---
 shared/1systems/wolf.nix | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 722a08812..0b4448022 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -1,20 +1,18 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
 let
   shack-ip = config.krebs.build.host.nets.shack.ip4.addr;
-  internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
 in
 {
   imports = [
     ../.
     <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
-    ../2configs/collectd-base.nix
-    ../2configs/shack-nix-cacher.nix
-    ../2configs/shack-drivedroid.nix
-    ../2configs/shared-buildbot.nix
     ../2configs/cgit-mirror.nix
-    ../2configs/repo-sync.nix
+    ../2configs/collectd-base.nix
     ../2configs/graphite.nix
+    ../2configs/repo-sync.nix
+    ../2configs/shack-drivedroid.nix
+    ../2configs/shack-nix-cacher.nix
+    ../2configs/shared-buildbot.nix
     ../2configs/share-shack.nix
   ];
   # use your own binary cache, fallback use cache.nixos.org (which is used by

From 6b453f7068e4eff470821341e9fcfdbb6d5483ca Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 17 Apr 2017 15:46:45 +0200
Subject: [PATCH 39/58] shared shack-drivedroid: krebs.nginx -> services.nginx

---
 shared/2configs/shack-drivedroid.nix | 30 ++++++++++++++--------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix
index 3581f9e96..07fcffa42 100644
--- a/shared/2configs/shack-drivedroid.nix
+++ b/shared/2configs/shack-drivedroid.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, config, ... }:
+{ config, pkgs, ... }:
 with import <stockholm/lib>;
 let
   repodir = "/var/srv/drivedroid";
@@ -7,6 +7,20 @@ in
 {
   environment.systemPackages = [ pkgs.drivedroid-gen-repo ];
 
+  services.nginx = {
+    enable = mkDefault true;
+    virtualHosts.shack-drivedroid = {
+      serverAliases = [
+        "drivedroid.shack"
+      ];
+      # TODO: prepare this somehow
+      locations."/".extraConfig = ''
+        root ${repodir};
+        index main.json;
+      '';
+    };
+  };
+
   systemd.services.drivedroid = {
     description = "generates drivedroid repo file";
     restartIfChanged = true;
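Review bot: Moving this vhost from `krebs.nginx` to `services.nginx` drops the catch-all server that the old module generated by default (`default404`, a `listen 80 default_server; … return 404;` block, deleted together with `krebs/3modules/nginx.nix` in patch 43). Unless something else on the host declares a default server, nginx falls back to the first server block for the socket and answers requests carrying any Host header. The same applies to `shack-nix-cacher` in patch 40, where the vhost proxies to apt-cacher-ng, and to `retiolum-bootstrap` in patch 42. Consider declaring an explicit catch-all vhost that returns 404 on the hosts importing these modules, so the old "no accidental exposure" behaviour is kept.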
@@ -27,18 +41,4 @@ in
       '';
     };
   };
-
-  krebs.nginx = {
-    enable = lib.mkDefault true;
-    servers = {
-      drivedroid-repo = {
-        server-names = [ "drivedroid.shack" ];
-        # TODO: prepare this somehow
-        locations = lib.singleton (lib.nameValuePair "/" ''
-          root ${repodir};
-          index main.json;
-        '');
-      };
-    };
-  };
 }

From 82aa7c6f101c16d7e2607f3429cfbb222c572438 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 17 Apr 2017 15:47:07 +0200
Subject: [PATCH 40/58] shared shack-nix-cacher: krebs.nginx -> services.nginx

---
 shared/2configs/shack-nix-cacher.nix | 37 +++++++++++++++-------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/shared/2configs/shack-nix-cacher.nix b/shared/2configs/shack-nix-cacher.nix
index 7519bb3ac..4fcbf3a4e 100644
--- a/shared/2configs/shack-nix-cacher.nix
+++ b/shared/2configs/shack-nix-cacher.nix
@@ -1,25 +1,28 @@
-{ pkgs, lib, ... }:
-
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+  cfg = config.krebs.apt-cacher-ng;
+in
 {
-  krebs.nginx = {
-    enable = lib.mkDefault true;
-    servers = {
-      apt-cacher-ng = {
-        server-names = [ "acng.shack" ];
-        locations = lib.singleton (lib.nameValuePair "/" ''
-          proxy_set_header   Host $host;
-          proxy_set_header   X-Real-IP          $remote_addr;
-          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_pass http://localhost:3142/;
-        '');
-      };
-    };
-  };
-
   krebs.apt-cacher-ng = {
     enable = true;
     port = 3142;
     bindAddress = "localhost";
     cacheExpiration = 30;
   };
+
+  services.nginx = {
+    enable = mkDefault true;
+    virtualHosts.shack-nix-cacher = {
+      serverAliases = [
+        "acng.shack"
+      ];
+      locations."/".extraConfig = ''
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://localhost:${toString cfg.port}/;
+      '';
+    };
+  };
 }

From d34d95ec3ed4230faa2dc9dd90938e9991dd73d7 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 17 Apr 2017 15:59:27 +0200
Subject: [PATCH 41/58] shared shack-drivedroid: cleanup

---
 shared/2configs/shack-drivedroid.nix | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix
index 07fcffa42..12e4a39c3 100644
--- a/shared/2configs/shack-drivedroid.nix
+++ b/shared/2configs/shack-drivedroid.nix
@@ -1,8 +1,7 @@
 { config, pkgs, ... }:
 with import <stockholm/lib>;
 let
-  repodir = "/var/srv/drivedroid";
-  srepodir = shell.escape repodir;
+  root = "/var/srv/drivedroid";
 in
 {
   environment.systemPackages = [ pkgs.drivedroid-gen-repo ];
@@ -15,28 +14,34 @@ in
       ];
       # TODO: prepare this somehow
       locations."/".extraConfig = ''
-        root ${repodir};
+        root ${root};
         index main.json;
       '';
     };
   };
 
-  systemd.services.drivedroid = {
+  systemd.services.drivedroid-gen-repo = {
     description = "generates drivedroid repo file";
-    restartIfChanged = true;
+    path = [
+      pkgs.coreutils
+      pkgs.drivedroid-gen-repo
+      pkgs.inotify-tools
+    ];
     wantedBy = [ "multi-user.target" ];
 
     serviceConfig = {
       Type = "simple";
       Restart = "always";
-      ExecStartPre = pkgs.writeScript "prepare-drivedroid-gen-repo" ''
-        #!/bin/sh
-        mkdir -p ${srepodir}/repos
+      ExecStartPre = pkgs.writeDash "prepare-drivedroid-gen-repo" ''
+        mkdir -p ${root}/repos
       '';
-      ExecStart = pkgs.writeScript "start-drivedroid-gen-repo" ''
-        #!/bin/sh
+      ExecStart = pkgs.writeDash "start-drivedroid-gen-repo" ''
+        set -efu
+        cd ${root}
         while sleep 60; do
-          ${pkgs.inotify-tools}/bin/inotifywait -r ${srepodir} && ${pkgs.drivedroid-gen-repo}/bin/drivedroid-gen-repo --chdir "${srepodir}" repos/ > "${srepodir}/main.json"
+          if inotifywait -r .; then
+            drivedroid-gen-repo repos > main.json
+          fi
         done
       '';
     };
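Review bot: `${root}` is now interpolated unquoted into `mkdir -p ${root}/repos` and `cd ${root}`, where the old scripts went through `shell.escape`. That is harmless for the current constant but breaks silently if the path ever contains whitespace or glob characters. `mkdir -p ${shell.escape root}/repos` and `cd ${shell.escape root}` keep the previous safety. In the loop, `drivedroid-gen-repo repos > main.json` truncates the file nginx serves before generation has finished, and under `set -e` a failing run leaves it empty until the restart. Writing to a temporary name and renaming avoids that: `drivedroid-gen-repo repos > main.json.tmp && mv main.json.tmp main.json`.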

From 57b4a87962e273525a0e3a955ae4a13ca45c59f3 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 17 Apr 2017 16:20:05 +0200
Subject: [PATCH 42/58] retiolum-bootstrap: krebs.nginx -> services.nginx

---
 krebs/3modules/retiolum-bootstrap.nix | 58 +++++++++------------------
 1 file changed, 20 insertions(+), 38 deletions(-)

diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 4bcd596d4..53b06a702 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -1,53 +1,38 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
 with import <stockholm/lib>;
 let
   cfg = config.krebs.retiolum-bootstrap;
-
-  out = {
-    options.krebs.retiolum-bootstrap = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de";
-    hostname = mkOption {
+in
+{
+  options.krebs.retiolum-bootstrap = {
+    enable = mkEnableOption "retiolum boot strap for ${cfg.serverName}";
+    serverName = mkOption {
         type = types.str;
         description = "hostname which serves tinc boot";
         default = "tinc.krebsco.de" ;
     };
-    listen = mkOption {
-        type = with types; listOf str;
-        description = ''Addresses to listen on (nginx-syntax).
-        ssl will be configured, http will be redirected to ssl.
-        Make sure to have at least 1 ssl port configured.
-        '';
-        default = [ "80" "443 ssl" ] ;
-    };
-    ssl_certificate_key = mkOption {
-        type = types.str;
-        description = "Certificate key to use for ssl";
-        default = "${toString <secrets>}/tinc.krebsco.de.key";
-    };
-    ssl_certificate = mkOption {
+    sslCertificate = mkOption {
         type = types.str;
         description = "Certificate file to use for ssl";
         default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
     };
+    sslCertificateKey = mkOption {
+        type = types.str;
+        description = "Certificate key to use for ssl";
+        default = "${toString <secrets>}/tinc.krebsco.de.key";
+    };
     # in use:
     #  <secrets/tinc.krebsco.de.crt>
     #  <secrets/tinc.krebsco.de.key>
   };
 
-  imp = {
-    krebs.nginx.servers = assert config.krebs.nginx.enable; {
-      retiolum-boot-ssl = {
-        server-names = singleton cfg.hostname;
-        listen = cfg.listen;
-        extraConfig = ''
-          ssl_certificate ${cfg.ssl_certificate};
-          ssl_certificate_key ${cfg.ssl_certificate_key};
-
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = mkDefault true;
+      virtualHosts.retiolum-bootstrap = {
+        inherit (cfg) serverName sslCertificate sslCertificateKey;
+        enableSSL = true;
+        extraConfig =''
           if ($scheme = http){
             return 301 https://$server_name$request_uri;
           }
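Review bot: The `if ($scheme = http)` redirect is kept in `extraConfig`, but the `listen` option whose default was `[ "80" "443 ssl" ]` is gone and the vhost only sets `enableSSL = true`. If `services.nginx` in the pinned nixpkgs makes such a vhost listen on 443 only, the redirect is dead code and plain-HTTP bootstrap requests are refused instead of redirected. Please confirm, and use `forceSSL = true;` if the redirect is still wanted. Separately, `mkEnableOption "retiolum boot strap for ${cfg.serverName}"` makes an option description depend on `config`; a static string such as `mkEnableOption "retiolum bootstrap server"` avoids evaluating `cfg` while the options are being declared. The `config` block continues in the next hunk.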
@@ -55,10 +40,7 @@ let
           root ${pkgs.retiolum-bootstrap};
           try_files $uri $uri/retiolum.sh;
         '';
-        locations = [];
       };
     };
   };
-
-in
-out
+}

From c577d6b9972203941c577d9fb5488345d5fe84b5 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Mon, 17 Apr 2017 16:22:09 +0200
Subject: [PATCH 43/58] krebs.nginx: RIP

---
 krebs/3modules/bepasty-server.nix          |   2 +-
 krebs/3modules/buildbot/master.nix         |   1 -
 krebs/3modules/default.nix                 |   1 -
 krebs/3modules/nginx.nix                   | 190 ---------------------
 shared/1systems/test-all-krebs-modules.nix |   1 -
 5 files changed, 1 insertion(+), 194 deletions(-)
 delete mode 100644 krebs/3modules/nginx.nix

diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 4e035e725..0ca13366b 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -37,7 +37,7 @@ let
           # TODO use the correct type
           type = with types; attrsOf unspecified;
           description = ''
-            additional nginx configuration. see krebs.nginx for all options
+            Additional nginx configuration.
           '';
         };
         secretKey = mkOption {
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index b31661572..d75e6c880 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -78,7 +78,6 @@ let
       #    stopAllBuilds = 'auth',
       #    cancelPendingBuild = 'auth'
       #)
-      # TODO: configure krebs.nginx
       c['www'] = dict(
         port = ${toString cfg.web.port},
         plugins = { 'waterfall_view':{}, 'console_view':{} }
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 37db5bfe7..d539d4166 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -26,7 +26,6 @@ let
       ./kapacitor.nix
       ./monit.nix
       ./newsbot-js.nix
-      ./nginx.nix
       ./nixpkgs.nix
       ./on-failure.nix
       ./os-release.nix
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
deleted file mode 100644
index b28e97e37..000000000
--- a/krebs/3modules/nginx.nix
+++ /dev/null
@@ -1,190 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  cfg = config.krebs.nginx;
-
-  out = {
-    options.krebs.nginx = api;
-    config = lib.mkIf cfg.enable imp;
-  };
-
-  api = {
-    enable = mkEnableOption "krebs.nginx";
-
-    default404 = mkOption {
-      type = types.bool;
-      default = true;
-      description = ''
-        By default all requests not directed to an explicit hostname are
-        replied with a 404 error to avoid accidental exposition of nginx
-        services.
-
-        Set this value to `false` to disable this behavior - you will then be
-        able to configure a new `default_server` in the listen address entries
-        again.
-      '';
-    };
-
-    servers = mkOption {
-      type = types.attrsOf (types.submodule {
-        options = {
-          server-names = mkOption {
-            type = with types; listOf str;
-            default =
-              [config.krebs.build.host.name] ++
-              concatMap (getAttr "aliases")
-                        (attrValues config.krebs.build.host.nets);
-          };
-          listen = mkOption {
-            type = with types; either str (listOf str);
-            default = "80";
-            apply = x:
-              if typeOf x != "list"
-                then [x]
-                else x;
-          };
-          locations = mkOption {
-            type = with types; listOf (attrsOf str);
-            default = [];
-          };
-          extraConfig = mkOption {
-            type = with types; string;
-            default = "";
-          };
-          ssl = mkOption {
-            type = with types; submodule ({ config, ... }: {
-              options = {
-                enable = mkEnableOption "ssl";
-                acmeEnable = mkOption {
-                  type = bool;
-                  apply = x:
-                    if x && config.enable
-                      #conflicts because of certificate/certificate_key location
-                      then throw "can't use ssl.enable and ssl.acmeEnable together"
-                      else x;
-                  default = false;
-                  description = ''
-                    enables automatical generation of lets-encrypt certificates and setting them as certificate
-                    conflicts with ssl.enable
-                  '';
-                };
-                certificate = mkOption {
-                  type = str;
-                };
-                certificate_key = mkOption {
-                  type = str;
-                };
-                #TODO: check for valid cipher
-                ciphers = mkOption {
-                  type = str;
-                  default = "AES128+EECDH:AES128+EDH";
-                };
-                prefer_server_ciphers = mkOption {
-                  type = bool;
-                  default = true;
-                };
-                force_encryption = mkOption {
-                  type = bool;
-                  default = false;
-                  description = ''
-                    redirect all `http` traffic to the same domain but with ssl
-                    protocol.
-                  '';
-                };
-                protocols = mkOption {
-                  type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
-                  default = [ "TLSv1.1" "TLSv1.2" ];
-
-                };
-              };
-            });
-            default = {};
-          };
-        };
-      });
-      default = {};
-    };
-  };
-
-  imp = {
-    security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers);
-    services.nginx = {
-      enable = true;
-      httpConfig = ''
-        default_type      application/octet-stream;
-        sendfile          on;
-        keepalive_timeout 65;
-        gzip              on;
-
-        ${optionalString cfg.default404 ''
-          server {
-            listen 80 default_server;
-            server_name _;
-            return 404;
-          }''}
-
-        ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)}
-      '';
-    };
-  };
-
-  to-acme = { server-names, ssl, ... }:
-    optionalAttrs ssl.acmeEnable {
-      email = "lassulus@gmail.com";
-      webroot = "${config.security.acme.directory}/${head server-names}";
-    };
-
-  to-location = { name, value }: ''
-    location ${name} {
-      ${indent value}
-    }
-  '';
-
-  to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let
-    domain = head server-names;
-    acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" ''
-      root ${config.security.acme.certs.${domain}.webroot};
-    '');
-  in ''
-    server {
-      server_name ${toString (unique server-names)};
-      ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
-      ${optionalString ssl.enable (indent ''
-        ${optionalString ssl.force_encryption ''
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }
-        ''}
-        listen 443 ssl;
-        ssl_certificate ${ssl.certificate};
-        ssl_certificate_key ${ssl.certificate_key};
-        ${optionalString ssl.prefer_server_ciphers ''
-          ssl_prefer_server_ciphers On;
-        ''}
-        ssl_ciphers ${ssl.ciphers};
-        ssl_protocols ${toString ssl.protocols};
-      '')}
-      ${optionalString ssl.acmeEnable (indent ''
-        ${optionalString ssl.force_encryption ''
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }
-        ''}
-        listen 443 ssl;
-        ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem;
-        ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem;
-        ${optionalString ssl.prefer_server_ciphers ''
-          ssl_prefer_server_ciphers On;
-        ''}
-        ssl_ciphers ${ssl.ciphers};
-        ssl_protocols ${toString ssl.protocols};
-      '')}
-      ${indent extraConfig}
-      ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))}
-      ${indent (concatMapStrings to-location locations)}
-    }
-  '';
-
-in
-out
diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix
index b42968cfb..39d7c494b 100644
--- a/shared/1systems/test-all-krebs-modules.nix
+++ b/shared/1systems/test-all-krebs-modules.nix
@@ -36,7 +36,6 @@ in {
       enable = true;
       tables = {};
     };
-    nginx.enable = true;
     realwallpaper.enable = true;
     tinc.retiolum.enable = true;
     retiolum-bootstrap.enable = true;

From d53824e7b551759854c6e0ae77411c179a168754 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:08:36 +0200
Subject: [PATCH 44/58] m: init syncthing for hosts

---
 makefu/1systems/fileleech.nix |  2 +-
 makefu/1systems/gum.nix       |  5 +++--
 makefu/1systems/omo.nix       |  5 +++--
 makefu/2configs/ipfs.nix      |  5 +++++
 makefu/2configs/syncthing.nix | 11 +++++++++++
 5 files changed, 23 insertions(+), 5 deletions(-)
 create mode 100644 makefu/2configs/ipfs.nix
 create mode 100644 makefu/2configs/syncthing.nix

diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix
index 4f92c2b90..3aa5a54f8 100644
--- a/makefu/1systems/fileleech.nix
+++ b/makefu/1systems/fileleech.nix
@@ -32,7 +32,6 @@ in {
       ../2configs/elchos/log.nix
       ../2configs/elchos/search.nix
       ../2configs/elchos/stats.nix
-      ../2configs/stats-srv.nix
 
     ];
   systemd.services.grafana.serviceConfig.LimitNOFILE=10032;
@@ -129,6 +128,7 @@ in {
     #  createHome = true;
     openssh.authorizedKeys.keys = [
       config.krebs.users.makefu.pubkey
+      config.krebs.users.lass.pubkey
       "ssh-rsa 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 jules@kvasir-2015-02-13"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local"
       "ssh-rsa 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 me@andreaskist.de"
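Review bot: The added `config.krebs.users.lass.pubkey` grants a second user SSH login to this account, but the commit subject only mentions syncthing, so the access change is easy to miss in history. It belongs in its own commit, or should at least carry a comment on that line such as `# lass: <reason for access>`. The context line two below it holds an `ssh-rsa` key and an `ssh-ed25519` key inside one string. In authorized_keys syntax everything after the first key is a comment, so the second key (momo@k2.local) is probably not authorized as intended and should be its own list entry. The enclosing user definition starts outside the hunk, so the account this applies to is not visible here.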
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index c39997ebf..3186f8887 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -35,10 +35,12 @@ in {
       ../2configs/nginx/update.connector.one.nix
       ../2configs/deployment/mycube.connector.one.nix
       ../2configs/deployment/graphs.nix
+      # ../2configs/ipfs.nix
+      ../2configs/syncthing.nix
 
       # ../2configs/opentracker.nix
       ../2configs/logging/central-stats-client.nix
-      ../2configs/logging/central-logging-client.nix
+      # ../2configs/logging/central-logging-client.nix
 
   ];
   services.smartd.devices = [ { device = "/dev/sda";} ];
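Review bot: Commenting out `../2configs/logging/central-logging-client.nix` turns off this host's log forwarding in a commit whose subject is only about syncthing, and nothing in the hunk says why. The same happens in the `omo.nix` hunk, where both `central-logging-server.nix` and `central-logging-client.nix` are commented out. If this is temporary, a line such as `# disabled until <reason>; re-enable central logging afterwards` next to each commented import would keep the gap visible. What those modules configure is not shown here, so the impact is inferred from their names.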
@@ -79,7 +81,6 @@ in {
   ];
   services.bitlbee.enable = true;
   systemd.services.bitlbee.environment.BITLBEE_DEBUG="1";
-  # systemd.services.bitlbee.serviceConfig.ExecStart = "${pkgs.bitlbee}/bin/bitlbee -Dnv -c 
 
   # Hardware
   boot.loader.grub.device = "/dev/sda";
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index 99303b604..ff34ee843 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
@@ -53,9 +53,10 @@ in {
       ../2configs/omo-share.nix
       ../2configs/tinc/retiolum.nix
       ../2configs/logging/central-stats-server.nix
-      ../2configs/logging/central-logging-server.nix
+      # ../2configs/logging/central-logging-server.nix
       ../2configs/logging/central-stats-client.nix
-      ../2configs/logging/central-logging-client.nix
+      ../2configs/syncthing.nix
+      # ../2configs/logging/central-logging-client.nix
 
       # ../2configs/torrent.nix
 
diff --git a/makefu/2configs/ipfs.nix b/makefu/2configs/ipfs.nix
new file mode 100644
index 000000000..cc07e063d
--- /dev/null
+++ b/makefu/2configs/ipfs.nix
@@ -0,0 +1,5 @@
+{...}:
+{
+  services.ipfs.enable = true;
+  networking.firewall.allowedTCPPorts = [ 4001 ];
+}
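Review bot: `networking.firewall.allowedTCPPorts = [ 4001 ];` opens the port on every interface, and the file has no comment saying what listens there. A line like `# 4001: IPFS swarm port` above it would document the exposure. If the node is meant to be reachable only over the VPN, an interface-scoped rule would be tighter. The only import of this file visible in the patch (in `gum.nix`) is commented out.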
diff --git a/makefu/2configs/syncthing.nix b/makefu/2configs/syncthing.nix
new file mode 100644
index 000000000..6b758ea2d
--- /dev/null
+++ b/makefu/2configs/syncthing.nix
@@ -0,0 +1,11 @@
+{...}:
+
+with import <stockholm/lib>; {
+  services.syncthing = {
+    enable = true;
+    openDefaultPorts = true;
+    useInotify = true;
+    group = "download";
+  };
+  users.extraGroups.download.gid = genid "download";
+}
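Review bot: `openDefaultPorts = true` opens syncthing's transfer and discovery ports (22000/tcp and 21027/udp by syncthing's defaults) in the firewall on all interfaces of every host that imports this file, which in this commit is `gum.nix` and `omo.nix`. Nothing in the module records that exposure. A comment such as `# opens the default sync/discovery ports on all interfaces` would help. If syncing is only expected between VPN peers, leave the option off and add interface-scoped rules instead. `group = "download"` also makes synced files group-accessible to every member of that group, which is worth stating if intended.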

From 6436eac7b9081c3a2f06aff5c27c40a2f54a4eff Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:11:32 +0200
Subject: [PATCH 45/58] m 2 urxvtd: init

---
 makefu/1systems/x.nix            |  3 ++-
 makefu/2configs/base-gui.nix     |  5 ++++-
 makefu/2configs/urxvtd.nix       | 21 +++++++++++++++++++++
 makefu/5pkgs/awesomecfg/full.cfg |  2 +-
 4 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 makefu/2configs/urxvtd.nix

diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index 9cedc04a8..51c9543ef 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@@ -2,6 +2,7 @@
 #
 #
 { config, pkgs, ... }:
+with import <stockholm/lib>;
 
 {
   imports =
@@ -78,7 +79,7 @@
   };
 
   boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
-  environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
+  environment.systemPackages = [ pkgs.passwdqc-utils ];
 
   virtualisation.docker.enable = true;
 
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix
index ba4c551b3..1a19ab36b 100644
--- a/makefu/2configs/base-gui.nix
+++ b/makefu/2configs/base-gui.nix
@@ -16,7 +16,10 @@ let
   mainUser = config.krebs.build.user.name;
 in
 {
-  imports = [ ];
+  imports = [
+    ./urxvtd.nix
+  ];
+
   services.xserver = {
     enable = true;
     layout = "us";
diff --git a/makefu/2configs/urxvtd.nix b/makefu/2configs/urxvtd.nix
new file mode 100644
index 000000000..286b87ab3
--- /dev/null
+++ b/makefu/2configs/urxvtd.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+let
+	mainUser = config.krebs.build.user.name;
+in {
+  systemd.services.urxvtd = {
+    wantedBy = [ "multi-user.target" ];
+    before = [ "graphical.target" ];
+    reloadIfChanged = true;
+    serviceConfig = {
+      SyslogIdentifier = "urxvtd";
+      ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+      ExecStart = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtd";
+      Restart = "always";
+      RestartSec = "2s";
+      StartLimitBurst = 0;
+      User = mainUser;
+    };
+  };
+	# TODO: sessionCommands from base-gui related to urxvt in this file
+}
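Review bot: `reloadIfChanged = true` together with `ExecReload = "${pkgs.coreutils}/bin/echo NOP"` means a rebuild that changes the unit (for example a new `rxvt_unicode_with-plugins` store path) only runs the no-op reload, so the old urxvtd binary keeps running until it is restarted by hand or the machine reboots. If that is intended to keep open terminals alive, say so in a comment, e.g. `# reload is a no-op on purpose: keep terminals across rebuilds; restart manually to pick up a new urxvtd`. `StartLimitBurst = 0` with `Restart = "always"` appears to remove the restart rate limit as well and deserves a short why-comment. The `mainUser` line and the closing TODO are indented with a tab while the rest of the file uses spaces.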
diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg
index e43341d25..73ff42e9f 100644
--- a/makefu/5pkgs/awesomecfg/full.cfg
+++ b/makefu/5pkgs/awesomecfg/full.cfg
@@ -90,7 +90,7 @@ client.connect_signal("focus", function(c) c.border_color = beautiful.border_foc
 client.connect_signal("unfocus", function(c) c.border_color = beautiful.border_normal end)
 
 -- This is used later as the default terminal and editor to run.
-terminal = "urxvt"
+terminal = "urxvtc"
 editor = os.getenv("EDITOR") or "vim"
 editor_cmd = terminal .. " -e " .. editor
 browser = "firefox"

From c762622a293248f55e46ff83fb870df128a0fb59 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:12:16 +0200
Subject: [PATCH 46/58] m 2 default: 2982661 -> 4fac473

---
 makefu/2configs/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index cd9b4c056..0865c3a31 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -11,7 +11,7 @@ with import <stockholm/lib>;
     ./vim.nix
     ./binary-cache/nixos.nix
   ];
-
+  programs.command-not-found.enable = false;
   nixpkgs.config.allowUnfreePredicate =  (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
   krebs = {
     enable = true;
@@ -22,7 +22,7 @@ with import <stockholm/lib>;
       user = config.krebs.users.makefu;
       source = let
           inherit (config.krebs.build) host user;
-          ref = "2982661"; # unstable @ 2017-03-31 + cups-dymo + snapraid-11.1
+          ref = "4fac473"; # unstable @ 2017-03-31 + command-not-found
       in {
         nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
           {

From 52ff49d7d5a7bc7a815fd457d69e028cfb9b8325 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:13:07 +0200
Subject: [PATCH 47/58] m 2 tools: add packages

---
 makefu/2configs/tools/core-gui.nix  | 2 +-
 makefu/2configs/tools/core.nix      | 1 +
 makefu/2configs/tools/extra-gui.nix | 1 +
 makefu/2configs/tools/sec.nix       | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix
index 6d62e92c0..0538647ae 100644
--- a/makefu/2configs/tools/core-gui.nix
+++ b/makefu/2configs/tools/core-gui.nix
@@ -12,11 +12,11 @@
     firefox
     keepassx
     pcmanfm
+    evince
     skype
     mirage
     tightvnc
     gnome3.dconf
-    wireshark
     xdotool
     xorg.xbacklight
     scrot
diff --git a/makefu/2configs/tools/core.nix b/makefu/2configs/tools/core.nix
index 86d72c662..6ae2951eb 100644
--- a/makefu/2configs/tools/core.nix
+++ b/makefu/2configs/tools/core.nix
@@ -40,6 +40,7 @@
     cac-api
     cac-panel
     krebspaste
+    krebszones
     ledger
     pass
   ];
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index 9cfacf408..596734dd5 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -4,6 +4,7 @@
   krebs.per-user.makefu.packages = with pkgs;[
     inkscape
     gimp
+    libreoffice
     skype
     virtmanager
     synergy
diff --git a/makefu/2configs/tools/sec.nix b/makefu/2configs/tools/sec.nix
index 5ab699f35..e53d9ee8e 100644
--- a/makefu/2configs/tools/sec.nix
+++ b/makefu/2configs/tools/sec.nix
@@ -11,5 +11,6 @@
     nmap
     msf
     thc-hydra
+    wireshark
   ];
 }

From 456f20deda1d5d651a8c382aa8edc3cb59e26e7e Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 17 Apr 2017 13:13:35 +0200
Subject: [PATCH 48/58] m 1 shoney: graphs -> graph

---
 makefu/1systems/shoney.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 96aeb2856..9f04e97eb 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -31,7 +31,7 @@ in {
         anonymous-domain = "localhost.localdomain";
         anonymous.extraConfig = "return 403;";
         complete = {
-          serverAliases = [ "graphs.siem" ];
+          serverAliases = [ "graph.siem" ];
           extraConfig = ''
             if ( $server_addr = "${ip}" ) {
               return 403;

From 0011f32a343a88ec1b7e5426d271a419bfeb6444 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Tue, 18 Apr 2017 19:55:19 +0200
Subject: [PATCH 49/58] l 1 iso: enable copytoram

---
 lass/1systems/iso.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 01d698c4c..5bbd0c1d7 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -11,6 +11,9 @@ with import <stockholm/lib>;
     ../2configs/mc.nix
     ../2configs/nixpkgs.nix
     ../2configs/vim.nix
+    {
+      boot.kernelParams = [ "copytoram" ];
+    }
     {
       krebs.enable = true;
       krebs.build.user = config.krebs.users.lass;

From d528daf9e8d4ec59b3e5355576eaf001136763cc Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Tue, 18 Apr 2017 21:02:17 +0200
Subject: [PATCH 50/58] l 2 nixpkgs: 5acb454 -> c85f39e

---
 lass/2configs/nixpkgs.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 5309c9551..5f9800b0f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://cgit.lassul.us/nixpkgs;
-    ref = "5acb454";
+    ref = "c85f39e";
   };
 }

From d40738d41573eca83d7e84f8a9946f8d8441a0d0 Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Wed, 19 Apr 2017 00:13:52 +0200
Subject: [PATCH 51/58] l 1 iso: hack around buggy /dev/stderr in live iso

---
 lass/1systems/iso.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 5bbd0c1d7..99399550c 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -12,6 +12,27 @@ with import <stockholm/lib>;
     ../2configs/nixpkgs.nix
     ../2configs/vim.nix
     {
+      # /dev/stderr doesn't work. I don't know why
+      # /proc/self doesn't seem to work correctly
+      # /dev/pts is empty except for 1 file
+      # my life sucks
+      nixpkgs.config.packageOverrides = super: {
+        irc-announce = super.callPackage <stockholm/krebs/5pkgs/irc-announce> {
+          pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
+            pkgs.coreutils
+            (pkgs.writeDashBin "tee" ''
+              if test "$1" = /dev/stderr; then
+                while read -r line; do
+                  echo "$line"
+                  echo "$line" >&2
+                done
+              else
+                ${super.coreutils}/bin/tee "$@"
+              fi
+            '')
+          ];};
+        };
+      };
       boot.kernelParams = [ "copytoram" ];
     }
     {
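Review bot: The replacement `tee` does not copy its input unchanged: `read -r line` without `IFS=` strips leading and trailing whitespace, and dash's builtin `echo` interprets backslash sequences in `$line`, so text passing through irc-announce can be altered. Using `while IFS= read -r line; do` with `printf '%s\n' "$line"` and `printf '%s\n' "$line" >&2` keeps the lines intact. The wrapper also only recognises `/dev/stderr` as the first argument and ignores any further arguments in that branch. A comment stating that this covers the one call irc-announce makes would help; that call is not visible here.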

From 978e47eedd70476703aa7237efa084260638b287 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 19 Apr 2017 10:04:27 +0200
Subject: [PATCH 52/58] m 1 x: rm krebs.nginx

---
 makefu/1systems/x.nix | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index 51c9543ef..866aac3bd 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@@ -72,11 +72,6 @@ with import <stockholm/lib>;
   makefu.umts.apn = "web.vodafone.de";
 
   nixpkgs.config.allowUnfree = true;
-  krebs.nginx = {
-    default404 = false;
-    servers.default.listen = [ "80 default_server" ];
-    servers.default.server-names = [ "_" ];
-  };
 
   boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
   environment.systemPackages = [ pkgs.passwdqc-utils ];

From c815fda8161f899254ce3dd8debfad830a8f67ee Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 19 Apr 2017 10:04:39 +0200
Subject: [PATCH 53/58] m 2 dnscrypt: change resolver

---
 makefu/2configs/dnscrypt.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/makefu/2configs/dnscrypt.nix b/makefu/2configs/dnscrypt.nix
index d810456f3..6e7ef0f82 100644
--- a/makefu/2configs/dnscrypt.nix
+++ b/makefu/2configs/dnscrypt.nix
@@ -1,5 +1,6 @@
 {
   services.dnscrypt-proxy.enable = true;
+  services.dnscrypt-proxy.resolverName = "cs-de";
   networking.extraResolvconfConf = ''
     name_servers='127.0.0.1'
   '';

From 55b77bd2ece03769e6df3ebdfa891bc255f92665 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 19 Apr 2017 10:05:12 +0200
Subject: [PATCH 54/58] s 1 wolf: send stats to omo

---
 shared/1systems/wolf.nix                 |  1 +
 shared/2configs/central-stats-client.nix | 68 ++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 shared/2configs/central-stats-client.nix

diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 0b4448022..75307be12 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -14,6 +14,7 @@ in
     ../2configs/shack-nix-cacher.nix
     ../2configs/shared-buildbot.nix
     ../2configs/share-shack.nix
+    ../2configs/central-stats-client.nix
   ];
   # use your own binary cache, fallback use cache.nixos.org (which is used by
   # apt-cacher-ng in first place)
diff --git a/shared/2configs/central-stats-client.nix b/shared/2configs/central-stats-client.nix
new file mode 100644
index 000000000..0412eba9a
--- /dev/null
+++ b/shared/2configs/central-stats-client.nix
@@ -0,0 +1,68 @@
+{pkgs, config, ...}:
+{
+  services.collectd = {
+    enable = true;
+    autoLoadPlugin = true;
+    extraConfig = ''
+      Hostname ${config.krebs.build.host.name}
+      LoadPlugin load
+      LoadPlugin disk
+      LoadPlugin memory
+      LoadPlugin df
+      Interval 30.0
+
+      LoadPlugin interface
+      <Plugin "interface">
+        Interface "*Link"
+        Interface "lo"
+        Interface "vboxnet*"
+        Interface "virbr*"
+        IgnoreSelected true
+      </Plugin>
+
+      LoadPlugin df
+      <Plugin "df">
+        MountPoint "/nix/store"
+        # MountPoint "/run*"
+        # MountPoint "/sys*"
+        # MountPoint "/dev"
+        # MountPoint "/dev/shm"
+        # MountPoint "/tmp"
+        FSType "tmpfs"
+        FSType "binfmt_misc"
+        FSType "debugfs"
+        FSType "mqueue"
+        FSType "hugetlbfs"
+        FSType "systemd-1"
+        FSType "cgroup"
+        FSType "securityfs"
+        FSType "ramfs"
+        FSType "proc"
+        FSType "devpts"
+        FSType "devtmpfs"
+        MountPoint "/var/lib/docker/devicemapper"
+        IgnoreSelected true
+      </Plugin>
+
+      LoadPlugin cpu
+      <Plugin cpu>
+        ReportByCpu true
+        ReportByState true
+        ValuesPercentage true
+      </Plugin>
+
+      LoadPlugin network
+      <Plugin "network">
+          Server "stats.makefu.r" "25826"
+      </Plugin>
+
+      LoadPlugin curl
+      <Plugin curl>
+        <Page "smarthome">
+          URL "http://smarthome.shack/";
+          MeasureResponseTime true
+        </Page>
+      </Plugin>
+    '';
+  };
+}
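Review bot: The `network` plugin block sends metrics to `stats.makefu.r` without a `SecurityLevel`, so collectd neither signs nor encrypts the packets and the receiver has only the self-declared `Hostname` to tell senders apart. If the `.r` name is reachable only over the VPN this may be acceptable, but a comment such as `# unauthenticated; relies on the VPN for transport protection` would make the assumption explicit. `LoadPlugin df` is listed twice, and with `autoLoadPlugin = true` the explicit `LoadPlugin` lines are probably redundant.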

From bc0e4fa234bb4b817efde7e6f8e7ad206359d115 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 19 Apr 2017 10:05:39 +0200
Subject: [PATCH 55/58] m 2 stats-server: also open ports for v6

---
 makefu/2configs/logging/central-stats-server.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/makefu/2configs/logging/central-stats-server.nix b/makefu/2configs/logging/central-stats-server.nix
index 30ad63879..4f7961f32 100644
--- a/makefu/2configs/logging/central-stats-server.nix
+++ b/makefu/2configs/logging/central-stats-server.nix
@@ -71,5 +71,12 @@ in {
     iptables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT
     iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT
     iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
+
+    ip6tables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT
+    ip6tables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT
+    ip6tables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT
+    ip6tables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT
+    ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT
+    ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
   '';
 }
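Review bot: The three new `ip6tables` rules with `-i retiolum` have no IPv4 counterpart in this hunk, where only `${logging-interface}` is used, so over IPv6 the collectd, influx and grafana ports are accepted on `retiolum` regardless of what `logging-interface` is set to. If `logging-interface` already is `retiolum` the rules are duplicates; if it is not, IPv6 is opened wider than IPv4. Either drop the hard-coded lines or add a comment such as `# v6: also accept from retiolum because <reason>`. The rule block starts above the hunk, so earlier IPv4 rules are not visible here.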

From de22f21195ee0f8d217b6377b0cf915bbfc2d2a8 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 19 Apr 2017 10:06:36 +0200
Subject: [PATCH 56/58] s 2 buildbot: configure nginx for buildbot

---
 krebs/3modules/shared/default.nix   |  1 +
 shared/2configs/shared-buildbot.nix | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix
index 5e4935e3a..17179a39f 100644
--- a/krebs/3modules/shared/default.nix
+++ b/krebs/3modules/shared/default.nix
@@ -47,6 +47,7 @@ in {
           ip6.addr = "42:0:0:0:0:0:77:1";
           aliases = [
             "wolf.r"
+            "build.wolf.r"
             "cgit.wolf.r"
           ];
           tinc.pubkey = ''
diff --git a/shared/2configs/shared-buildbot.nix b/shared/2configs/shared-buildbot.nix
index cf08882a9..1d6883afe 100644
--- a/shared/2configs/shared-buildbot.nix
+++ b/shared/2configs/shared-buildbot.nix
@@ -9,11 +9,20 @@
 {
   # due to the fact that we actually build stuff on the box via the daemon,
   # /nix/store should be cleaned up automatically as well
+  services.nginx.virtualHosts.build = {
+    serverAliases = [ "build.wolf.r" ];
+    locations."/".extraConfig = ''
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
+    '';
+  };
+
   nix.gc.automatic = true;
   nix.gc.dates = "05:23";
   networking.firewall.allowedTCPPorts = [ 8010 9989 ];
   krebs.buildbot.master = let
-    stockholm-mirror-url = http://cgit.wolf/stockholm-mirror ;
+    stockholm-mirror-url = http://cgit.wolf.r/stockholm-mirror ;
   in {
     secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ];
     workers = {
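Review bot: The new `locations."/"` block forwards the `Upgrade` and `Connection` headers but does not set `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 by default, so the WebSocket upgrade these headers are meant for will not go through. Add `proxy_http_version 1.1;` before the `proxy_set_header` lines. `networking.firewall.allowedTCPPorts` still lists `8010`, so the web interface presumably stays reachable directly as well as through the virtual host. If the proxy is meant to be the only entry point, that port can be closed. The `krebs.buildbot.master` block continues outside the hunk.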
@@ -151,6 +160,9 @@
       channels = [ { channel = "retiolum"; } ];
       allowForce = true;
     };
+    extraConfig = ''
+      c['buildbotURL'] = "http://build.wolf.r/"
+    '';
   };
 
   krebs.buildbot.worker = {

From 371f8b9b7102c317150da37880dae44bd938d1b1 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Wed, 19 Apr 2017 10:07:48 +0200
Subject: [PATCH 57/58] m 2 fetchwallpaper: use prism

---
 makefu/2configs/fetchWallpaper.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/makefu/2configs/fetchWallpaper.nix b/makefu/2configs/fetchWallpaper.nix
index fb74919c4..16a7a13b2 100644
--- a/makefu/2configs/fetchWallpaper.nix
+++ b/makefu/2configs/fetchWallpaper.nix
@@ -8,7 +8,7 @@
     timerConfig = {
       OnCalendar = "*:0/30";
     };
-    url = "http://echelon/wallpaper.png";
+    url = "http://prism.r/realwallpaper-sat-krebs.png";
   };
 
 }

From d05b989095acf4fd872c955b274a60a9621cd6ec Mon Sep 17 00:00:00 2001
From: lassulus <lass@lassul.us>
Date: Wed, 19 Apr 2017 10:20:34 +0200
Subject: [PATCH 58/58] k 3 realwallpaper: graphs.r -> graph.r

---
 krebs/3modules/realwallpaper.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 1e7a9faae..044811c7d 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -34,7 +34,7 @@ let
 
     marker = mkOption {
       type = types.str;
-      default = "http://graphs.r/marker.json";
+      default = "http://graph.r/marker.json";
     };
 
     timerConfig = mkOption {