Merge remote-tracking branch 'lass/master'

2017-10-07 11:08:13 +02:00 · 2017-10-07 11:08:13 +02:00 · 8290c6507e
parent 52f9105027 a8db051451
commit 8290c6507e
46 changed files with 320 additions and 316 deletions
--- a/krebs/2configs/gitlab-runner-shackspace.nix
+++ b/krebs/2configs/gitlab-runner-shackspace.nix
@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
  url = "https://git.shackspace.de/";
  # generate token from CI-token via:
@ -6,7 +6,7 @@ let
  ## cat /etc/gitlab-runner/config.toml
  token = import <secrets/shackspace-gitlab-ci-token.nix> ;
 in {
-  systemd.services.gitlab-runner.path = [ 
+  systemd.services.gitlab-runner.path = [
    "/run/wrappers" # /run/wrappers/bin/su
    "/" # /bin/sh
  ];
@ -16,19 +16,18 @@ in {
    enable = true;
    # configFile, configOptions and gracefulTimeout not yet in stable
    # gracefulTimeout = "120min";
-    configText = ''
+    configFile = pkgs.writeText "gitlab-runner.cfg" ''
-    concurrent = 1
+      concurrent = 1
-    check_interval = 0
+      check_interval = 0
    [[runners]]
      name = "krebs-shell"
      url = "${url}"
      token = "${token}"
      executor = "shell"
      shell = "sh"
      environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
      [runners.cache]
      [[runners]]
        name = "krebs-shell"
        url = "${url}"
        token = "${token}"
        executor = "shell"
        shell = "sh"
        environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
        [runners.cache]
    '';
  };
 }
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@ -92,6 +92,7 @@
      };
      general {
        #maybe we want ident someday?
        default_floodcount = 1000;
        disable_auth = yes;
        throttle_duration = 1;
        throttle_count = 1000;
--- a/krebs/2configs/shack/muell_caller.nix
+++ b/krebs/2configs/shack/muell_caller.nix
@ -12,7 +12,7 @@ let
    buildInputs = [
      (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
        docopt
-        requests2
+        requests
        paramiko
        python
      ]))
--- a/krebs/2configs/shack/radioactive.nix
+++ b/krebs/2configs/shack/radioactive.nix
@ -12,7 +12,7 @@ let
    buildInputs = [
      (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
        docopt
-        requests2
+        requests
        python
      ]))
    ];
--- a/krebs/2configs/shack/worlddomination.nix
+++ b/krebs/2configs/shack/worlddomination.nix
@ -37,7 +37,7 @@ let
        docopt
        LinkHeader
        aiocoap
-        requests2
+        requests
        paramiko
        python
      ]))
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@ -3,7 +3,7 @@
 with import <stockholm/lib>;
 let
  gunicorn = pkgs.pythonPackages.gunicorn;
-  bepasty = pkgs.pythonPackages.bepasty-server;
+  bepasty = pkgs.bepasty;
  gevent = pkgs.pythonPackages.gevent;
  python = pkgs.pythonPackages.python;
  cfg = config.krebs.bepasty;
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@ -160,6 +160,8 @@ let
        # TODO: maybe also prepare buildbot.tac?
        ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
          set -efux
          #remove garbage from old versions
          rm -r ${workdir}
          mkdir -p ${workdir}/info
          cp ${buildbot-slave-init} ${workdir}/buildbot.tac
          echo ${contact} > ${workdir}/info/admin
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -432,8 +432,13 @@ with import <stockholm/lib>;
    eddie = {
      ci = false;
      external = true;
-      nets = {
+      nets = rec {
        internet = {
          ip4.addr = "129.215.90.4";
          aliases = [ "eddie.i" ];
        };
        retiolum = {
          via = internet;
          ip4.addr = "10.243.29.170";
          ip6.addr = "42:4992:6a6d:700::1";
          aliases = [ "eddie.r" ];
@ -485,8 +490,13 @@ with import <stockholm/lib>;
    inspector = {
      ci = false;
      external = true;
-      nets = {
+      nets = rec {
        internet = {
          ip4.addr = "141.76.44.154";
          aliases = [ "inspector.i" ];
        };
        retiolum = {
          via = internet;
          ip4.addr = "10.243.29.172";
          ip6.addr = "42:4992:6a6d:800::1";
          aliases = [ "inspector.r" ];
--- a/krebs/3modules/lass/ssh/android.rsa
+++ b/krebs/3modules/lass/ssh/android.rsa
@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDjesiOnhpT9XgWZqw/64M5lVQg3q0k22BtMyCv+33sGX8VmfTyD11GuwSjNGf5WiswKLqFvYBQsHfDDtS3k0ZNTDncGw3Pbilm6QoCuHEyDPaQYin0P+JmkocrL/6QF5uhZVFnsXCH5wntwOa00VFGwpMgQYSfRlReRx42Pu9Jk+iJduZMRBbOMvJI68Z7iJ4DgW/1U9J4MQdCsk7QlFgUstQQfV1zk4VfVfXuxDP3hjx6Q05nDChjpmzJbFunzb7aiy/1/Sl0QhROTpvxrQLksg7yYLw4BRs9ptjehX45A2Sxi8WKOb/g5u3xJNy0X07rE+N+o5v2hS7wF0DLQdK5+4TGtO+Y+ABUCqqA+T1ynAjNBWvsgY5uD4PZjuPgCMSw0JBmIy/P0THi3v5/8Cohvfnspl7Jpf80qENMu3unvvE9EePzgSRZY1PvDjPQfkWy0yBX1yQMhHuVGke9QgaletitwuahRujml37waeUuOl8Rpz+2iV+6OIS4tfO368uLFHKWbobXTbTDXODBgxZ/IyvO7vxM2uDX/kIWaeYKrip3nSyWBYnixwrcS4vm6ZQcoejwp2KCfGQwIE4MnGYRlwcOEYjvyjLkZHDiZEivUQ0rThMYBzec8bQ08QW8oxF+NXkFKG3awt3f7TKTRkYqQcOMpFKmV24KDiwgwm0miQ== JuiceSSH
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGgImN/9D4yJBjYlkAvT3X45kzt4n8hmgsqPcdcHWNC7fofWG4fZe8NNrTLdKsK+xYxTstj49l8Vb3YDvw4fAyyyhms/eFRlD2BRqAISwc39EIeTC4g3PXNeUtUGdczXKxsJf5iWf4kxUrUOuZ3FeKxeYXDMSqzzk1oKalhWNl4PmgRc5FzjeRJ2WziilwFq7ntLswoeTBW3c53fbcp3XuPza3M1/sN3NHJx9ZMpWVfJhZ/CXr+nqpc25ZIr5HZVZbgDTyJQimlTF5JCfU0NiiBIh7ep7x4o93tARmilit7+mWUkkxk6ba+zG6nr+s+zyd85AFAYRioOEczbC6mI44UZUB11KkEzOon5JWSA8pK+DPqsqhFkwWYMHLXZp8zemdp9kushRZ6nuI9MzBwacngro1vAvDL6jrS5MR7zf7rMAo6wexovWoEowvZz629mjC3OAt9iOm4VJdvEmq+rHLfjjznVEY6llF7DUu2QNEazaXhxZH9V9N1gyubIE97SQVqmwDrf8BGC0Hq+hC4OOweqfo4XP0etbqAfDozZbqcqyE1m9Bj8DpjrSXka1PuJf5fgEtoxPadd2qdiHMfIx9sM+4uu2nI5aFvWO3OlJmhF80QzNdFzZWjsyvJ24C1/a2FAyzoab1Sg9ljstQThseTtvlXcX8jfFn0U3RbgXgCgOWad3Oy9vA0OCdsHut0nzv3UO+T5+wv2+lvE3QSSKOlmVtdKMhCFb+Rg+FliKxyd820h9yR3wDYmkurVkAxaj8Kx5MaY/7aypOi8fRAV2FSDtCKkuMyPv4xEtdPi/4lj55pRBEO8lJkeb+WurCzZ7ZeaPdrW1YIQtToPpiz3dXeRhkts6jq8247xIplzHh9Iu18gOrnZ+ygn70g19x842vvcfLQNAghDPS93msJdSe+EtulMCwNTjUaF9LyzhW9ptLG9NmwgbT5kGsFiRw3BFdyfcQVWVzDhuP3hPPx+hjiZtFfpIKpxV9MjO1xQ830Ngk3JpSphMZTQ432yfvu9yEsUWmAa8ax1jxJ361AiIp0U2xioJmdVd3E2sxkpOUYqE89IR9X6hS3fH38Gc5IL5+BnhuZvRgXuA+nrqdU4pMB3TIoC5oXlOMRXpxaS91YiO4ERx2t6WkBRCoaDuRWnLpewV6lhjwi1+4Emlrs2q1R0K64emZTv7O1MKwWRHOlBJD3HLyCCS763OzYW4mEQcfBAQtbm6sTooJ+D/zbmYgbnZt0z/nP9R/n25pzlSPpZ49fCiRV7QN6D9mksISTz8qIiCzNBn1F7DUewXqkrdPopl4npeNVcOyyo7P1lFFGde+jq/7REdzD+vno1h9+17WZbyzQtlOyipQYzb6l4QuXq/zejJrELJAQdN4yRQq5NJzIh0HXaPnPC083T791moBflyqiwPEIWsSMfILqSqL1jVVNgvV4fHnMixgH2zK9f0EyE3fG9PnuRribPR2DlESqpHZTcBixgh660EPKh0gCLYoWKgU= lass-android@XperiaXCompact
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@ -1,5 +1,5 @@
 { config, pkgs, lib, ... }:
 with import <stockholm/lib>;
 { config, pkgs, ... }:
 let
  out = {
    options.krebs.tinc = api;
@ -11,7 +11,7 @@ let
    description = ''
      define a tinc network
    '';
-    type = with types; attrsOf (submodule (tinc: {
+    type = types.attrsOf (types.submodule (tinc: {
      options = let
        netname = tinc.config._module.args.name;
      in {
@ -116,7 +116,7 @@ let
            phases = [ "installPhase" ];
            installPhase = ''
              mkdir $out
-              ${concatStrings (lib.mapAttrsToList (_: host: ''
+              ${concatStrings (mapAttrsToList (_: host: ''
                echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
                  > $out/${shell.escape host.name}
              '') tinc.config.hosts)}
--- a/krebs/5pkgs/simple/Reaktor/default.nix
+++ b/krebs/5pkgs/simple/Reaktor/default.nix
@ -8,7 +8,7 @@ python3Packages.buildPythonPackage rec {
  propagatedBuildInputs = with pkgs;[
    python3Packages.docopt
-    python3Packages.requests2
+    python3Packages.requests
  ];
  src = fetchurl {
    url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz";
--- a/krebs/5pkgs/simple/bepasty-client-cli/default.nix
+++ b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
@ -5,7 +5,7 @@ with pythonPackages; buildPythonPackage rec {
  propagatedBuildInputs = [
    python_magic
    click
-    requests2
+    requests
  ];
  src = fetchFromGitHub {
--- a/krebs/5pkgs/simple/cac-panel/default.nix
+++ b/krebs/5pkgs/simple/cac-panel/default.nix
@ -11,7 +11,7 @@ python3Packages.buildPythonPackage rec {
  propagatedBuildInputs = with python3Packages; [
    docopt
-    requests2
+    requests
    beautifulsoup4
  ];
 }
--- a/krebs/5pkgs/simple/treq/default.nix
+++ b/krebs/5pkgs/simple/treq/default.nix
@ -11,7 +11,7 @@ pythonPackages.buildPythonPackage rec {
  propagatedBuildInputs = with pythonPackages; [
    twisted
    pyopenssl
-    requests2
+    requests
    service-identity
  ];
 }
--- a/krebs/5pkgs/simple/urlwatch/default.nix
+++ b/krebs/5pkgs/simple/urlwatch/default.nix
@ -13,7 +13,7 @@ python3Packages.buildPythonPackage rec {
    minidb
    pycodestyle
    pyyaml
-    requests2
+    requests
  ];
  meta = {
--- a/krebs/source.nix
+++ b/krebs/source.nix
@ -14,6 +14,6 @@ in
    stockholm.file = toString <stockholm>;
    nixpkgs.git = {
      url = https://github.com/NixOS/nixpkgs;
-      ref = "8ed299faacbf8813fc47b4fca34f32b835d6481e"; # nixos-17.03 @ 2017-09-09
+      ref = "07ca7b64d2ff2fa7a79e4eab1aba70ff746fed8c"; # nixos-17.09 @ 2017-10-02
    };
  }
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@ -11,6 +11,7 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/otp-ssh.nix>
    <stockholm/lass/2configs/git.nix>
    <stockholm/lass/2configs/dcso-vpn.nix>
    { # automatic hardware detection
      boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
      boot.kernelModules = [ "kvm-intel" ];
@ -94,4 +95,17 @@ with import <stockholm/lib>;
  programs.ssh.startAgent = lib.mkForce true;
  services.tlp.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];
  security.pki.certificateFiles = [
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
  ];
 }
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -115,7 +115,12 @@ in {
      };
      services.nginx.virtualHosts."hackerfleet.de-s" = {
        serverName = "hackerfleet.de";
-        port = 443;
+        listen = [
          {
            addr = "0.0.0.0";
            port = 443;
          }
        ];
        serverAliases = [
          "*.hackerfleet.de"
        ];
--- a/lass/2configs/bepasty.nix
+++ b/lass/2configs/bepasty.nix
@ -31,7 +31,6 @@ in {
    } //
    genAttrs ext-doms (ext-dom: {
      nginx = {
        enableSSL = true;
        forceSSL = true;
        enableACME = true;
      };
--- a/lass/2configs/copyq.nix
+++ b/lass/2configs/copyq.nix
@ -25,12 +25,15 @@ in {
    environment = {
      DISPLAY = ":0";
    };
    path = with pkgs; [
      qt5.full
    ];
    serviceConfig = {
      SyslogIdentifier = "copyq";
      ExecStart = "${pkgs.copyq}/bin/copyq";
      ExecStartPost = copyqConfig;
      Restart = "always";
-      RestartSec = "2s";
+      RestartSec = "15s";
      StartLimitBurst = 0;
      User = "lass";
    };
--- a/lass/2configs/dcso-vpn.nix
+++ b/lass/2configs/dcso-vpn.nix
@ -0,0 +1,44 @@
 with import <stockholm/lib>;
 { ... }:
 {
  users.extraUsers = {
    dcsovpn = rec {
      name = "dcsovpn";
      uid = genid "dcsovpn";
      description = "user for running dcso openvpn";
      home = "/home/${name}";
    };
  };
  users.extraGroups.dcsovpn.gid = genid "dcsovpn";
  services.openvpn.servers = {
    dcso = {
      config = ''
        client
        dev tun
        tun-mtu 1356
        mssfix
        proto udp
        float
        remote 217.111.55.41 1194
        nobind
        user dcsovpn
        group dcsovpn
        persist-key
        persist-tun
        ca ${toString <secrets/dcsovpn/ca.pem>}
        cert ${toString <secrets/dcsovpn/cert.pem>}
        key ${toString <secrets/dcsovpn/cert.key>}
        verb 3
        mute 20
        auth-user-pass ${toString <secrets/dcsovpn/login.txt>}
        route-method exe
        route-delay 2
      '';
      updateResolvConf = true;
    };
  };
 }
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@ -3,6 +3,6 @@
 with import <stockholm/lib>;
 {
  nix.gc = {
-    automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
+    automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
  };
 }
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@ -3,7 +3,8 @@
 {
  krebs.per-user.lass.packages = with pkgs; [
    pass
-    gnupg1
+    gnupg
  ];
  programs.gnupg.agent.enable = true;
 }
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
--- a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@ -73,17 +73,6 @@ in {
      allowKeysForGroup = true;
      group = "lasscert";
    };
    certs."cgit.lassul.us" = {
      email = "lassulus@gmail.com";
      webroot = "/var/lib/acme/acme-challenges";
      plugins = [
        "account_key.json"
        "key.pem"
        "fullchain.pem"
      ];
      group = "nginx";
      allowKeysForGroup = true;
    };
  };
  krebs.tinc_graphs.enable = true;
@ -119,8 +108,8 @@ in {
  ];
  services.nginx.virtualHosts."lassul.us" = {
    addSSL = true;
    enableACME = true;
    serverAliases = [ "lassul.us" ];
    locations."/".extraConfig = ''
      root /srv/http/lassul.us;
    '';
@ -158,30 +147,12 @@ in {
    in ''
      alias ${initscript};
    '';
    enableSSL = true;
    extraConfig = ''
      listen 80;
      listen [::]:80;
    '';
    sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
    sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
  };
  services.nginx.virtualHosts.cgit = {
-    serverAliases = [
+    serverName = "cgit.lassul.us";
-      "cgit.lassul.us"
+    addSSL = true;
-    ];
+    enableACME = true;
    locations."/.well-known/acme-challenge".extraConfig = ''
      root /var/lib/acme/acme-challenges;
    '';
    enableSSL = true;
    extraConfig = ''
      listen 80;
      listen [::]:80;
    '';
    sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
    sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
  };
  users.users.blog = {
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@ -3,12 +3,13 @@
 {
  krebs.secret.files.mysql_rootPassword = {
    path = "${config.services.mysql.dataDir}/mysql_rootPassword";
-    owner.name = "root";
+    owner.name = "mysql";
    source-path = toString <secrets> + "/mysql_rootPassword";
  };
  services.mysql = {
    enable = true;
    dataDir = "/var/mysql";
    package = pkgs.mariadb;
    rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
  };
--- a/lass/2configs/weechat.nix
+++ b/lass/2configs/weechat.nix
@ -21,6 +21,11 @@ in {
    ];
  };
  # mosh
  krebs.iptables.tables.filter.INPUT.rules = [
    { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
  ];
  #systemd.services.chat = {
  #  description = "chat environment setup";
  #  after = [ "network.target" ];
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@ -5,7 +5,7 @@ let
 in {
  krebs.per-user.wine.packages = with pkgs; [
-    wineFull
+    wine
    #(wineFull.override { wineBuild = "wine64"; })
  ];
  users.users= {
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@ -1,93 +1,129 @@
-{ config, ... }: with import <stockholm/lib>; let
+with import <stockholm/lib>;
-  cfg = config.lass.ejabberd;
+{ config, ... }: let
-  # XXX this is a placeholder that happens to work the default strings.
+  # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
-  toErlang = builtins.toJSON;
+
-in toFile "ejabberd.conf" ''
+  ciphers = concatStringsSep ":" [
-  {loglevel, 3}.
+    "ECDHE-ECDSA-AES256-GCM-SHA384"
-  {hosts, ${toErlang cfg.hosts}}.
+    "ECDHE-RSA-AES256-GCM-SHA384"
-  {listen,
+    "ECDHE-ECDSA-CHACHA20-POLY1305"
-   [
+    "ECDHE-RSA-CHACHA20-POLY1305"
-    {5222, ejabberd_c2s, [
+    "ECDHE-ECDSA-AES128-GCM-SHA256"
-        starttls,
+    "ECDHE-RSA-AES128-GCM-SHA256"
-        {certfile, ${toErlang cfg.certfile.path}},
+    "ECDHE-ECDSA-AES256-SHA384"
-        {access, c2s},
+    "ECDHE-RSA-AES256-SHA384"
-        {shaper, c2s_shaper},
+    "ECDHE-ECDSA-AES128-SHA256"
-        {max_stanza_size, 65536}
+    "ECDHE-RSA-AES128-SHA256"
-             ]},
+  ];
-    {5269, ejabberd_s2s_in, [
+
-           {shaper, s2s_shaper},
+  protocol_options = [
-           {max_stanza_size, 131072}
+    "no_sslv2"
-          ]},
+    "no_sslv3"
-    {5280, ejabberd_http, [
+    "no_tlsv1"
-         captcha,
+    "no_tlsv1_10"
-         http_bind,
+  ];
-         http_poll,
+
-         web_admin
+in /* yaml */ ''
-        ]}
+
-   ]}.
+  access_rules:
-  {s2s_use_starttls, required}.
+    announce:
-  {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
+      - allow: admin
-  {auth_method, internal}.
+    local:
-  {shaper, normal, {maxrate, 1000}}.
+      - allow: local
-  {shaper, fast, {maxrate, 50000}}.
+    configure:
-  {max_fsm_queue, 1000}.
+      - allow: admin
-  {acl, local, {user_regexp, ""}}.
+    register:
-  {access, max_user_sessions, [{10, all}]}.
+      - allow
-  {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
+    s2s:
-  {access, local, [{allow, local}]}.
+      - allow
-  {access, c2s, [{deny, blocked},
+    trusted_network:
-           {allow, all}]}.
+      - allow: loopback
-  {access, c2s_shaper, [{none, admin},
+
-            {normal, all}]}.
+  acl:
-  {access, s2s_shaper, [{fast, all}]}.
+    local:
-  {access, announce, [{allow, admin}]}.
+      user_regexp: ""
-  {access, configure, [{allow, admin}]}.
+    loopback:
-  {access, muc_admin, [{allow, admin}]}.
+      ip:
-  {access, muc_create, [{allow, local}]}.
+        - "127.0.0.0/8"
-  {access, muc, [{allow, all}]}.
+        - "::1/128"
-  {access, pubsub_createnode, [{allow, local}]}.
+        - "::FFFF:127.0.0.1/128"
-  {access, register, [{allow, local}]}.
+
-  {language, "en"}.
+  hosts: ${toJSON config.hosts}
-  {modules,
+
-   [
+  language: "en"
-    {mod_adhoc,    []},
+
-    {mod_announce, [{access, announce}]},
+  listen:
-    {mod_blocking,[]},
+    -
-    {mod_caps,     []},
+      port: 5222
-    {mod_configure,[]},
+      ip: "::"
-    {mod_disco,    []},
+      module: ejabberd_c2s
-    {mod_irc,      []},
+      shaper: c2s_shaper
-    {mod_http_bind, []},
+      certfile: ${toJSON config.certfile.path}
-    {mod_last,     []},
+      ciphers: ${toJSON ciphers}
-    {mod_muc,      [
+      dhfile: ${toJSON config.dhfile.path}
-        {access, muc},
+      protocol_options: ${toJSON protocol_options}
-        {access_create, muc_create},
+      starttls: true
-        {access_persistent, muc_create},
+      starttls_required: true
-        {access_admin, muc_admin}
+      tls: false
-       ]},
+      tls_compression: false
-    {mod_offline,  [{access_max_user_messages, max_user_offline_messages}]},
+      max_stanza_size: 65536
-    {mod_ping,     []},
+    -
-    {mod_privacy,  []},
+      port: 5269
-    {mod_private,  []},
+      ip: "::"
-    {mod_pubsub,   [
+      module: ejabberd_s2s_in
-        {access_createnode, pubsub_createnode},
+      shaper: s2s_shaper
-        {ignore_pep_from_offline, true},
+      max_stanza_size: 131072
-        {last_item_cache, false},
+
-        {plugins, ["flat", "hometree", "pep"]}
+  loglevel: 4
-       ]},
+
-    {mod_register, [
+  modules:
-        {welcome_message, {"Welcome!",
+    mod_adhoc: {}
-               "Hi.\nWelcome to this XMPP server."}},
+    mod_admin_extra: {}
-        {ip_access, [{allow, "127.0.0.0/8"},
+    mod_announce:
-               {allow, "0.0.0.0/0"}]},
+      access: announce
-        {access, register}
+    mod_caps: {}
-       ]},
+    mod_carboncopy: {}
-    {mod_roster,   []},
+    mod_client_state: {}
-    {mod_shared_roster,[]},
+    mod_configure: {}
-    {mod_stats,    []},
+    mod_disco: {}
-    {mod_time,     []},
+    mod_echo: {}
-    {mod_vcard,    []},
+    mod_irc: {}
-    {mod_version,  []}
+    mod_bosh: {}
-   ]}.
+    mod_last: {}
    mod_offline:
      access_max_user_messages: max_user_offline_messages
    mod_ping: {}
    mod_privacy: {}
    mod_private: {}
    mod_register:
      access_from: deny
      access: register
      ip_access: trusted_network
      registration_watchers: ${toJSON config.registration_watchers}
    mod_roster: {}
    mod_shared_roster: {}
    mod_stats: {}
    mod_time: {}
    mod_vcard:
      search: false
    mod_version: {}
    mod_http_api: {}
  s2s_access: s2s
  s2s_certfile: ${toJSON config.s2s_certfile.path}
  s2s_ciphers: ${toJSON ciphers}
  s2s_dhfile: ${toJSON config.dhfile.path}
  s2s_protocol_options: ${toJSON protocol_options}
  s2s_tls_compression: false
  s2s_use_starttls: required
  shaper_rules:
    max_user_offline_messages:
      - 5000: admin
      - 100
    max_user_sessions: 10
    c2s_shaper:
      - none: admin
      - normal
    s2s_shaper: fast
 ''
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@ -1,5 +1,16 @@
 { config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
  cfg = config.lass.ejabberd;
  gen-dhparam = pkgs.writeDash "gen-dhparam" ''
    set -efu
    path=$1
    bits=2048
    # TODO regenerate dhfile after some time?
    if ! test -e "$path"; then
      ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
    fi
  '';
 in {
  options.lass.ejabberd = {
    enable = mkEnableOption "lass.ejabberd";
@ -11,20 +22,36 @@ in {
        source-path = "/var/lib/acme/lassul.us/full.pem";
      };
    };
    dhfile = mkOption {
      type = types.secret-file;
      default = {
        path = "${cfg.user.home}/dhparams.pem";
        owner = cfg.user;
        source-path = "/dev/null";
      };
    };
    hosts = mkOption {
      type = with types; listOf str;
    };
    pkgs.ejabberdctl = mkOption {
      type = types.package;
      default = pkgs.writeDashBin "ejabberdctl" ''
        set -efu
        export SPOOLDIR=${shell.escape cfg.user.home}
        export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
        exec ${pkgs.ejabberd}/bin/ejabberdctl \
            --config ${toFile "ejabberd.yaml" (import ./config.nix {
              inherit pkgs;
              config = cfg;
            })} \
            --logs ${shell.escape cfg.user.home} \
            --spool ${shell.escape cfg.user.home} \
            "$@"
      '';
    };
    registration_watchers = mkOption {
      type = types.listOf types.str;
      default = [
        config.krebs.users.tv.mail
      ];
    };
    s2s_certfile = mkOption {
      type = types.secret-file;
      default = cfg.certfile;
@ -50,12 +77,12 @@ in {
      requires = [ "secret.service" ];
      after = [ "network.target" "secret.service" ];
      serviceConfig = {
-        Type = "oneshot";
+        ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
-        RemainAfterExit = "yes";
+        ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
-        PermissionsStartOnly = "true";
+        PermissionsStartOnly = true;
        SyslogIdentifier = "ejabberd";
        User = cfg.user.name;
-        ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start";
+        TimeoutStartSec = 60;
      };
    };
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@ -4,9 +4,6 @@
  nixpkgs.config.packageOverrides = rec {
    acronym = pkgs.callPackage ./acronym/default.nix {};
    dpass = pkgs.callPackage ./dpass {};
    ejabberd = pkgs.callPackage ./ejabberd {
      erlang = pkgs.erlangR16;
    };
    firefoxPlugins = {
      noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
      ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
--- a/lass/5pkgs/ejabberd/default.nix
+++ b/lass/5pkgs/ejabberd/default.nix
@ -1,28 +0,0 @@
 {stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}:
 stdenv.mkDerivation rec {
  version = "2.1.13";
  name = "ejabberd-${version}";
  src = fetchurl {
    url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
    sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8";
  };
  buildInputs = [ expat erlang zlib openssl pam ];
  patchPhase = ''
    sed -i \
      -e "s|erl \\\|${erlang}/bin/erl \\\|" \
      -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \
      src/ejabberdctl.template
  '';
  preConfigure = ''
    cd src
  '';
  configureFlags = ["--enable-pam"];
  meta = {
    description = "Open-source XMPP application server written in Erlang";
    license = stdenv.lib.licenses.gpl2;
    homepage = http://www.ejabberd.im;
    maintainers = [ lib.maintainers.sander ];
  };
 }
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
 import XMonad.Actions.DynamicWorkspaces (withWorkspace)
 import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
 import XMonad.Actions.UpdatePointer (updatePointer)
 import XMonad.Hooks.FloatNext (floatNext)
 import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@ -63,14 +64,15 @@ mainNoArgs = do
    xmonad'
        $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
        $ def
-            { terminal          = urxvtcPath
+            { terminal           = urxvtcPath
-            , modMask           = mod4Mask
+            , modMask            = mod4Mask
-            , layoutHook = smartBorders $ myLayoutHook
+            , layoutHook         = smartBorders $ myLayoutHook
-            , manageHook        = placeHook (smart (1,0)) <+> floatNextHook
+            , logHook            = updatePointer (0.25, 0.25) (0.25, 0.25)
            , manageHook         = placeHook (smart (1,0)) <+> floatNextHook
            , normalBorderColor  = "#1c1c1c"
            , focusedBorderColor = "#f000b0"
-            , handleEventHook = handleShutdownEvent
+            , handleEventHook    = handleShutdownEvent
-            , workspaces        = [ "dashboard" ]
+            , workspaces         = [ "dashboard", "sys", "wp" ]
            } `additionalKeysP` myKeyMap
 myLayoutHook = defLayout
@ -119,7 +121,7 @@ myKeyMap =
    , ("M4-f", floatNext True)
    , ("M4-b", sendMessage ToggleStruts)
-    , ("M4-v", withWorkspace autoXPConfig (windows . W.view))
+    , ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView))
    , ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift))
    , ("M4-C-v", withWorkspace autoXPConfig (windows . copy))
@ -131,12 +133,12 @@ myKeyMap =
    , ("M4-S-q", return ())
-    , ("M4-w", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
+    , ("M4-d", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
-    , ("M4-<F1>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
+    , ("M4-<F5>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
-    , ("M4-<F2>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
+    , ("M4-<F6>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
-    , ("M4-<F3>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
+    , ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
-    , ("M4-<F4>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
+    , ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
    ]
 forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
--- a/lass/source.nix
+++ b/lass/source.nix
@ -9,13 +9,8 @@ in
    {
      nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
      nixpkgs.git = {
-        url = http://cgit.lassul.us/nixpkgs;
+        url = https://github.com/nixos/nixpkgs;
-        # nixos-17.03
+        ref = "1987983";
        # + copytoram:
        #   87a4615 & 334ac4f
        # + acme permissions for groups
        #   fd7a8f1
        ref = "2d3b4fe";
      };
      secrets.file = getAttr builder {
        buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;
--- a/mv/source.nix
+++ b/mv/source.nix
@ -9,8 +9,8 @@ in
    {
      nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
      nixpkgs.git = {
-        # nixos-17.03
+        # nixos-17.09
-        ref = mkDefault "3d04a557b72aa0987d9bf079e1445280b6bfd907";
+        ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
        url = https://github.com/NixOS/nixpkgs;
      };
      secrets.file = getAttr builder {
--- a/tv/1systems/alnus/source.nix
+++ b/tv/1systems/alnus/source.nix
@ -1,4 +1,4 @@
 import <stockholm/tv/source.nix> {
  name = "alnus";
-  override.nixpkgs.git.ref = "9b948ea439ddbaa26740ce35543e7e35d2aa6d18";
+  override.nixpkgs.git.ref = "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
 }
--- a/tv/1systems/mu/config.nix
+++ b/tv/1systems/mu/config.nix
@ -52,11 +52,13 @@ with import <stockholm/lib>;
  networking.networkmanager.enable = true;
  environment.systemPackages = with pkgs; [
    (pkgs.kdeApplications.callPackage
      (import <nixpkgs/pkgs/applications/kde/kde-locale-5.nix> "de" {})
      {})
    chromium
    firefoxWrapper
    gimp
    iptables
    kdeApplications.l10n.de.qt5
    libreoffice
    pidginotr
    pidgin-with-plugins
--- a/tv/2configs/br.nix
+++ b/tv/2configs/br.nix
@ -45,5 +45,4 @@ with import <stockholm/lib>;
    ];
  };
  systemd.services.cups.serviceConfig.PrivateTmp = true;
 }
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@ -100,7 +100,7 @@ let {
  );
  irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
-    channel = "#krebs";
+    channel = "#xxx";
    # TODO make nick = config.krebs.build.host.name the default
    nick = config.krebs.build.host.name;
    server = "irc.r";
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@ -13,6 +13,14 @@ foldl' mergeAttrs {}
 //
 {
  brscan4 = overrideDerivation super.brscan4 (original: rec {
    name = "brscan4-0.4.4-4";
    src = super.fetchurl {
      url = "http://download.brother.com/welcome/dlf006645/${name}.amd64.deb";
      sha256 = "0xy5px96y1saq9l80vwvfn6anr2q42qlxdhm6ci2a0diwib5q9fd";
    };
  });
  # TODO use XDG_RUNTIME_DIR?
  cr = self.writeDashBin "cr" ''
    set -efu
@ -32,7 +40,7 @@ foldl' mergeAttrs {}
    exec ${self.firefoxWrapper}/bin/firefox "$@"
  '';
-  gnupg = self.gnupg21;
+  gnupg = self.gnupg22;
  # https://github.com/NixOS/nixpkgs/issues/16113
  wvdial = let
--- a/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix
+++ b/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix
@ -1,45 +0,0 @@
 { coreutils, dpkg, fetchurl, gnugrep, gnused, makeWrapper, mfcl2700dnlpr,
 perl, stdenv }:
 stdenv.mkDerivation rec {
  name = "mfcl2700dncupswrapper-${meta.version}";
  src = fetchurl {
    url = "http://download.brother.com/welcome/dlf102086/${name}.i386.deb";
    sha256 = "07w48mah0xbv4h8vsh1qd5cd4b463bx8y6gc5x9pfgsxsy6h6da1";
  };
  nativeBuildInputs = [ dpkg makeWrapper ];
  phases = [ "installPhase" ];
  installPhase = ''
    dpkg-deb -x $src $out
    basedir=${mfcl2700dnlpr}/opt/brother/Printers/MFCL2700DN
    dir=$out/opt/brother/Printers/MFCL2700DN
    substituteInPlace $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \
      --replace /usr/bin/perl ${perl}/bin/perl \
      --replace "basedir =~" "basedir = \"$basedir\"; #" \
      --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #"
    wrapProgram $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \
      --prefix PATH : ${stdenv.lib.makeBinPath [ coreutils gnugrep gnused ]}
    mkdir -p $out/lib/cups/filter
    mkdir -p $out/share/cups/model
    ln $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN $out/lib/cups/filter
    ln $dir/cupswrapper/brother-MFCL2700DN-cups-en.ppd $out/share/cups/model
  '';
  meta = {
    description = "Brother MFC-L2700DN CUPS wrapper driver";
    homepage = "http://www.brother.com/";
    license = stdenv.lib.licenses.gpl2Plus;
    maintainers = [ stdenv.lib.maintainers.tv ];
    platforms = stdenv.lib.platforms.linux;
    version = "3.2.0-1";
  };
 }
--- a/tv/5pkgs/simple/mfcl2700dnlpr/default.nix
+++ b/tv/5pkgs/simple/mfcl2700dnlpr/default.nix
@ -1,44 +0,0 @@
 { coreutils, dpkg, fetchurl, ghostscript, gnugrep, gnused, pkgsi686Linux, makeWrapper, perl, stdenv, which }:
 stdenv.mkDerivation rec {
  name = "mfcl2700dnlpr-${meta.version}";
  src = fetchurl {
    url = "http://download.brother.com/welcome/dlf102085/${name}.i386.deb";
    sha256 = "170qdzxlqikzvv2wphvfb37m19mn13az4aj88md87ka3rl5knk4m";
  };
  nativeBuildInputs = [ dpkg makeWrapper ];
  phases = [ "installPhase" ];
  installPhase = ''
    dpkg-deb -x $src $out
    dir=$out/opt/brother/Printers/MFCL2700DN
    substituteInPlace $dir/lpd/filter_MFCL2700DN \
      --replace /usr/bin/perl ${perl}/bin/perl \
      --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \
      --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #"
    wrapProgram $dir/lpd/filter_MFCL2700DN \
      --prefix PATH : ${stdenv.lib.makeBinPath [
        coreutils ghostscript gnugrep gnused which
      ]}
    interpreter=${pkgsi686Linux.stdenv.cc.libc.out}/lib/ld-linux.so.2
    patchelf --set-interpreter "$interpreter" $dir/inf/braddprinter
    patchelf --set-interpreter "$interpreter" $dir/lpd/brprintconflsr3
    patchelf --set-interpreter "$interpreter" $dir/lpd/rawtobr3
  '';
  meta = {
    description = "Brother MFC-L2700DN LPR driver";
    homepage = "http://www.brother.com/";
    license = stdenv.lib.licenses.unfree;
    maintainers = [ stdenv.lib.maintainers.tv ];
    platforms = stdenv.lib.platforms.linux;
    version = "3.2.0-1";
  };
 }
--- a/tv/source.nix
+++ b/tv/source.nix
@ -9,8 +9,8 @@ in
    {
      nixos-config.symlink = "stockholm/tv/1systems/${name}/config.nix";
      nixpkgs.git = {
-        # nixos-17.03
+        # nixos-17.09
-        ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78";
+        ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
        url = https://github.com/NixOS/nixpkgs;
      };
      secrets.file = getAttr builder {
`@ -1 +1 @@`
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDjesiOnhpT9XgWZqw/64M5lVQg3q0k22BtMyCv+33sGX8VmfTyD11GuwSjNGf5WiswKLqFvYBQsHfDDtS3k0ZNTDncGw3Pbilm6QoCuHEyDPaQYin0P+JmkocrL/6QF5uhZVFnsXCH5wntwOa00VFGwpMgQYSfRlReRx42Pu9Jk+iJduZMRBbOMvJI68Z7iJ4DgW/1U9J4MQdCsk7QlFgUstQQfV1zk4VfVfXuxDP3hjx6Q05nDChjpmzJbFunzb7aiy/1/Sl0QhROTpvxrQLksg7yYLw4BRs9ptjehX45A2Sxi8WKOb/g5u3xJNy0X07rE+N+o5v2hS7wF0DLQdK5+4TGtO+Y+ABUCqqA+T1ynAjNBWvsgY5uD4PZjuPgCMSw0JBmIy/P0THi3v5/8Cohvfnspl7Jpf80qENMu3unvvE9EePzgSRZY1PvDjPQfkWy0yBX1yQMhHuVGke9QgaletitwuahRujml37waeUuOl8Rpz+2iV+6OIS4tfO368uLFHKWbobXTbTDXODBgxZ/IyvO7vxM2uDX/kIWaeYKrip3nSyWBYnixwrcS4vm6ZQcoejwp2KCfGQwIE4MnGYRlwcOEYjvyjLkZHDiZEivUQ0rThMYBzec8bQ08QW8oxF+NXkFKG3awt3f7TKTRkYqQcOMpFKmV24KDiwgwm0miQ== JuiceSSH	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGgImN/9D4yJBjYlkAvT3X45kzt4n8hmgsqPcdcHWNC7fofWG4fZe8NNrTLdKsK+xYxTstj49l8Vb3YDvw4fAyyyhms/eFRlD2BRqAISwc39EIeTC4g3PXNeUtUGdczXKxsJf5iWf4kxUrUOuZ3FeKxeYXDMSqzzk1oKalhWNl4PmgRc5FzjeRJ2WziilwFq7ntLswoeTBW3c53fbcp3XuPza3M1/sN3NHJx9ZMpWVfJhZ/CXr+nqpc25ZIr5HZVZbgDTyJQimlTF5JCfU0NiiBIh7ep7x4o93tARmilit7+mWUkkxk6ba+zG6nr+s+zyd85AFAYRioOEczbC6mI44UZUB11KkEzOon5JWSA8pK+DPqsqhFkwWYMHLXZp8zemdp9kushRZ6nuI9MzBwacngro1vAvDL6jrS5MR7zf7rMAo6wexovWoEowvZz629mjC3OAt9iOm4VJdvEmq+rHLfjjznVEY6llF7DUu2QNEazaXhxZH9V9N1gyubIE97SQVqmwDrf8BGC0Hq+hC4OOweqfo4XP0etbqAfDozZbqcqyE1m9Bj8DpjrSXka1PuJf5fgEtoxPadd2qdiHMfIx9sM+4uu2nI5aFvWO3OlJmhF80QzNdFzZWjsyvJ24C1/a2FAyzoab1Sg9ljstQThseTtvlXcX8jfFn0U3RbgXgCgOWad3Oy9vA0OCdsHut0nzv3UO+T5+wv2+lvE3QSSKOlmVtdKMhCFb+Rg+FliKxyd820h9yR3wDYmkurVkAxaj8Kx5MaY/7aypOi8fRAV2FSDtCKkuMyPv4xEtdPi/4lj55pRBEO8lJkeb+WurCzZ7ZeaPdrW1YIQtToPpiz3dXeRhkts6jq8247xIplzHh9Iu18gOrnZ+ygn70g19x842vvcfLQNAghDPS93msJdSe+EtulMCwNTjUaF9LyzhW9ptLG9NmwgbT5kGsFiRw3BFdyfcQVWVzDhuP3hPPx+hjiZtFfpIKpxV9MjO1xQ830Ngk3JpSphMZTQ432yfvu9yEsUWmAa8ax1jxJ361AiIp0U2xioJmdVd3E2sxkpOUYqE89IR9X6hS3fH38Gc5IL5+BnhuZvRgXuA+nrqdU4pMB3TIoC5oXlOMRXpxaS91YiO4ERx2t6WkBRCoaDuRWnLpewV6lhjwi1+4Emlrs2q1R0K64emZTv7O1MKwWRHOlBJD3HLyCCS763OzYW4mEQcfBAQtbm6sTooJ+D/zbmYgbnZt0z/nP9R/n25pzlSPpZ49fCiRV7QN6D9mksISTz8qIiCzNBn1F7DUewXqkrdPopl4npeNVcOyyo7P1lFFGde+jq/7REdzD+vno1h9+17WZbyzQtlOyipQYzb6l4QuXq/zejJrELJAQdN4yRQq5NJzIh0HXaPnPC083T791moBflyqiwPEIWsSMfILqSqL1jVVNgvV4fHnMixgH2zK9f0EyE3fG9PnuRribPR2DlESqpHZTcBixgh660EPKh0gCLYoWKgU= lass-android@XperiaXCompact