Merge remote-tracking branch 'origin/master'

2018-08-21 19:52:30 +02:00 · 2018-08-21 19:52:30 +02:00 · 8cfc4f5eda
parent f2dadea808 89951ebd81
commit 8cfc4f5eda
51 changed files with 501 additions and 414 deletions
--- a/krebs/1systems/onebutton/source.nix
+++ b/krebs/1systems/onebutton/source.nix
@ -1,11 +1,8 @@
 with import <stockholm/lib>;
 let
  pkgs = import <nixpkgs> {};
-  nixpkgs = pkgs.fetchFromGitHub {
-    owner = "nixos";
-    repo = "nixpkgs-channels";
-    rev = "nixos-unstable"; # only binary cache for unstable arm6
-    sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd";
+  nixpkgs = builtins.fetchTarball {
+    url = https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz;
  };
 in import <stockholm/krebs/source.nix> {
  name = "onebutton";
--- a/krebs/2configs/news-spam.nix
+++ b/krebs/2configs/news-spam.nix
@ -7,7 +7,6 @@
      [SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
      [SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews
      [SPAM]antirez|http://antirez.com/rss|#snews
-      [SPAM]arbor|http://feeds2.feedburner.com/asert/|#snews
      [SPAM]archlinux|http://www.archlinux.org/feeds/news/|#snews
      [SPAM]ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews
      [SPAM]augustl|http://augustl.com/atom.xml|#snews
@ -131,7 +130,6 @@
      [SPAM]slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews
      [SPAM]slate|http://feeds.slate.com/slate|#snews
      [SPAM]spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews
-      [SPAM]spiegelfechter|http://feeds.feedburner.com/DerSpiegelfechter?format=xml|#snews
      [SPAM]spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews
      [SPAM]standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews
      [SPAM]stern|http://www.stern.de/feed/standard/all/|#snews
@ -146,7 +144,6 @@
      [SPAM]the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews
      [SPAM]tigsource|http://www.tigsource.com/feed/|#snews
      [SPAM]tinc|http://tinc-vpn.org/news/index.rss|#snews
-      [SPAM]topix_b|http://www.topix.com/rss/wire/de/berlin|#snews
      [SPAM]torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews
      [SPAM]torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews
      [SPAM]torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews
@ -160,7 +157,6 @@
      [SPAM]us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews
      [SPAM]vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews
      [SPAM]weechat|http://dev.weechat.org/feed/atom|#snews
-      [SPAM]wp_world|http://feeds.washingtonpost.com/rss/rss_blogpost|#snews
      [SPAM]xkcd|https://xkcd.com/rss.xml|#snews
      [SPAM]zdnet|http://www.zdnet.com/news/rss.xml|#snews
    '';
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@ -8,21 +8,6 @@

 with import <stockholm/lib>;
 let
-  defaultBool = o: mkOption {
-          type = types.bool;
-          default = option;
-  };
-
-  defaultUint = o: mkOption {
-          type = types.uint;
-          default = o;
-  };
-
-  defaultAbsolutpath = o: mkOption {
-          type = types.absolute-pathname;
-          default = o;
-  };
-
  cfg = config.krebs.git;

  out = {
@ -136,15 +121,42 @@ let
    cgit-settings = types.submodule {
      # A setting's value of `null` means cgit's default should be used.
      options = {
-        cache-root = defaultAbsolutpath("/tmp/cgit");
-        cache-size = defaultUint(1000);
-        css = defaultAbsolutpath("/static/cgit.css");
-        enable-commit-graph = defaultBool(true);
-        enable-index-links = defaultBool(true);
-        enable-index-owner = defaultBool(false);
-        enable-log-filecount = defaultBool(true);
-        enable-log-linecount = defaultBool(true);
-        enable-remote-branches = defaultBool(true);
+        cache-root = mkOption {
+          type = types.absolute-pathname;
+          default = "/tmp/cgit";
+        };
+        cache-size = mkOption {
+          type = types.uint;
+          default = 1000;
+        };
+        css = mkOption {
+          type = types.absolute-pathname;
+          default = "/static/cgit.css";
+        };
+        enable-commit-graph = mkOption {
+          type = types.bool;
+          default = true;
+        };
+        enable-index-links = mkOption {
+          type = types.bool;
+          default = true;
+        };
+        enable-index-owner = mkOption {
+          type = types.bool;
+          default = false;
+        };
+        enable-log-filecount = mkOption {
+          type = types.bool;
+          default = true;
+        };
+        enable-log-linecount = mkOption {
+          type = types.bool;
+          default = true;
+        };
+        enable-remote-branches = mkOption {
+          type = types.bool;
+          default = true;
+        };
        logo = mkOption {
          type = types.absolute-pathname;
          default = "/static/cgit.png";
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -301,37 +301,6 @@ with import <stockholm/lib>;
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB/MmASvx3i09DY1xFVM5jOhZRZA8rMRqtf8bCIkC+t";
    };
-    helios = {
-      cores = 8;
-      nets = {
-        retiolum = {
-          ip4.addr = "10.243.133.117";
-          ip6.addr = "42:0:0:0:0:0:3:7105";
-          aliases = [
-            "helios.r"
-            "cgit.helios.r"
-          ];
-          tinc.pubkey = ''
-            -----BEGIN RSA PUBLIC KEY-----
-            MIICCgKCAgEAp+SRmP5MoCSYInx4Dm5MLZzNyXVgfo/CDoeUlUT35X0yE7WHGWsG
-            wHPCu+3RWfBUjuqNdb0qiGtRi3Q/LwznwBROPOX8gMXia/DgCLbIjn5Rx081pTIo
-            3epbUCFtNgyDWg8IHF87ZnVBXTYAy5g4tz9u8kw82D8mR18o595TuZ9t5pDc/Kvi
-            fPHZenT6cd6FtL9uankX/jan1PRP9xTrhpE8dAQ6g+7XH7knMK3cno/Ztis5YzHt
-            Ith0bsIjk5of7hhITj0MXtTikjDqWxkpF5mfOK1cG/rC1goTmB9AfcENUBnu9iAM
-            I/alzqk3CEczznLyaOckfx2fRuar912LAdiJ5v7VPztfvN1p3gIxq5M0Rgkq+98B
-            H/s32xNRBPvqoIleKnhwE9gfrCLaAVqpaMkgKRvgsTkSDNYNhh4smQ3eAKKwwDH/
-            QG3sfP8xyNyDFhBtCiDGkf9hNqBBMaKjZoh8DasZNtcfOop3fGw7jmUUbB6cG8cp
-            +EfYbcb5mVpmrIyXgOTwwYcp7tn+zkd4Wa8C9Q98eFTs0HGVGxGX9Hj6PM/kXK4C
-            aIqIQVNpnJ/9cOwT8JFIriG1MWTOXbamUusKTLs8SRp3ZkyM7XUEcLL5HMh09rUw
-            rzEAmE7TywXVhd7j2IaEy+bx2dfGQH2bFoh6Drm6Olo+ySi1utB5dGkCAwEAAQ==
-            -----END RSA PUBLIC KEY-----
-          '';
-        };
-      };
-      secure = true;
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqpx9jJnn4QMGO8BOrGOLRN1rgpIkR14sQb8S+otWEL";
-    };
    littleT = {
      cores = 2;
      nets = {
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@ -336,7 +336,6 @@ with import <stockholm/lib>;
        "krebsco.de" = ''
          euer              IN MX 1   aspmx.l.google.com.
          nixos.unstable    IN CNAME  krebscode.github.io.
-          gold              IN A      ${nets.internet.ip4.addr}
          boot              IN A      ${nets.internet.ip4.addr}
        '';
      };
@ -522,6 +521,13 @@ with import <stockholm/lib>;
    };
    nextgum = rec {
      ci = true;
+      extraZones = {
+        "krebsco.de" = ''
+          cache.euer        IN A      ${nets.internet.ip4.addr}
+          cache.gum         IN A      ${nets.internet.ip4.addr}
+          gold              IN A      ${nets.internet.ip4.addr}
+        '';
+      };
      cores = 8;
      nets = rec {
        internet = {
@ -537,6 +543,7 @@ with import <stockholm/lib>;
          ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d3";
          aliases = [
            "nextgum.r"
+            "cache.gum.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
--- a/krebs/3modules/rtorrent.nix
+++ b/krebs/3modules/rtorrent.nix
@ -29,7 +29,7 @@ let
    ''}

    ${optionalString (cfg.watchDir != null) ''
-      schedule = watch_directory,5,5,load_start=${cfg.watchDir}/*.torrent
+      directory.watch.added = "${cfg.watchDir}", load.start_verbose
    ''}

    directory = ${cfg.downloadDir}
--- a/krebs/5pkgs/haskell/xmonad-stockholm.nix
+++ b/krebs/5pkgs/haskell/xmonad-stockholm.nix
@ -1,16 +1,16 @@
-{ mkDerivation, base, containers, fetchgit, stdenv, X11, X11-xshape
+{ mkDerivation, base, containers, fetchgit, stdenv, X11, X11-xft, X11-xshape
 , xmonad, xmonad-contrib
 }:
 mkDerivation rec {
  pname = "xmonad-stockholm";
-  version = "1.1.1";
+  version = "1.2.0";
  src = fetchgit {
    url = http://cgit.ni.krebsco.de/xmonad-stockholm;
    rev = "refs/tags/v${version}";
-    sha256 = "05nnfg6q35z3qgf507qa80bz32jl4k719dl5phlmchplp3769585";
+    sha256 = "13mvmh3kk9a79l1nii028p0n7l95pb78wz9c4j42l90m02mg6cis";
  };
  libraryHaskellDepends = [
-    base containers X11 X11-xshape xmonad xmonad-contrib
+    base containers X11 X11-xft X11-xshape xmonad xmonad-contrib
  ];
  license = stdenv.lib.licenses.mit;
 }
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@ -12,7 +12,7 @@

  krebs-source = {
    nixpkgs.git = {
-      ref = "56fad146a12a6f934d1d5ef875eb729be1b19129";
+      ref = "d0c868ec17c2cb2ca845f33fbfe381e9c7e55516";
      url = https://github.com/NixOS/nixpkgs;
    };
    stockholm.file = toString ../.;
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@ -8,16 +8,6 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/browsers.nix>
    <stockholm/lass/2configs/mouse.nix>
    <stockholm/lass/2configs/pass.nix>
-    <stockholm/lass/2configs/retiolum.nix>
-    <stockholm/lass/2configs/otp-ssh.nix>
-    # TODO fix krebs.git.rules.[definition 2-entry 2].lass not defined
-    #<stockholm/lass/2configs/git.nix>
-    #<stockholm/lass/2configs/dcso-vpn.nix>
-    <stockholm/lass/2configs/virtualbox.nix>
-    <stockholm/lass/2configs/dcso-dev.nix>
-    <stockholm/lass/2configs/steam.nix>
-    <stockholm/lass/2configs/rtl-sdr.nix>
-    <stockholm/lass/2configs/backup.nix>
    {
      services.xserver.dpi = 200;
      fonts.fontconfig.dpi = 200;
@ -25,44 +15,9 @@ with import <stockholm/lib>;
      lass.fonts.bold =    "xft:Hack-Bold:pixelsize=22,xft:Symbola";
      lass.fonts.italic =  "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol";
    }
-    { #TAPIR, AGATIS, sentral, a3 - foo
-      services.redis.enable = true;
-    }
-    {
-      krebs.fetchWallpaper = {
-        enable = true;
-        url = "http://i.imgur.com/0ktqxSg.png";
-        maxTime = 9001;
-      };
-    }
-    {
-      #urban terror port
-      krebs.iptables.tables.filter.INPUT.rules = [
-        { predicate = "-p tcp --dport 27960"; target = "ACCEPT"; }
-        { predicate = "-p udp --dport 27960"; target = "ACCEPT"; }
-      ];
-    }
  ];
  krebs.build.host = config.krebs.hosts.helios;

-  krebs.git.rules = [
-    {
-      user = [ config.krebs.users.lass-helios ];
-      repo = [ config.krebs.git.repos.stockholm ];
-      perm = with git; push "refs/heads/*" [ fast-forward non-fast-forward create delete merge ];
-    }
-    {
-      lass.umts = {
-        enable = true;
-        modem = "/dev/serial/by-id/usb-Lenovo_F5521gw_2C7D8D7C35FC7040-if09";
-        initstrings = ''
-          Init1 = AT+CFUN=1
-          Init2 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0
-        '';
-      };
-    }
-  ];
-
  environment.systemPackages = with pkgs; [
    ag
    vim
@ -84,27 +39,10 @@ with import <stockholm/lib>;

  services.tlp.enable = true;

-  networking.hostName = lib.mkForce "BLN02NB0162";
-
-  security.pki.certificateFiles = [
-    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; })
-    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; })
-    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; })
-
-    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; })
-    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; })
-    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; })
-    (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; })
-  ];
-
-  programs.adb.enable = true;
-  users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
-
  services.printing.drivers = [ pkgs.postscript-lexmark ];

  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';

-  virtualisation.docker.enable = true;
 }
--- a/lass/1systems/helios/physical.nix
+++ b/lass/1systems/helios/physical.nix
@ -1,64 +0,0 @@
-{ pkgs, ... }:
-{
-  imports = [
-    ./config.nix
-    { # automatic hardware detection
-      boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-      boot.kernelModules = [ "kvm-intel" ];
-
-      fileSystems."/" = {
-        device = "/dev/pool/root";
-        fsType = "btrfs";
-      };
-
-      fileSystems."/boot" = {
-        device = "/dev/disk/by-uuid/1F60-17C6";
-        fsType = "vfat";
-      };
-
-      fileSystems."/home" = {
-        device = "/dev/pool/home";
-        fsType = "btrfs";
-      };
-
-      fileSystems."/tmp" = {
-        device = "tmpfs";
-        fsType = "tmpfs";
-        options = ["nosuid" "nodev" "noatime"];
-      };
-    }
-    { # crypto stuff
-      boot.initrd.luks = {
-        cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
-        devices =  [{
-           name = "luksroot";
-           device = "/dev/nvme0n1p3";
-        }];
-      };
-    }
-  ];
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.wireless.enable = true;
-  hardware.enableRedistributableFirmware = true;
-
-
-  services.udev.extraRules = ''
-    SUBSYSTEM=="net", ATTR{address}=="f8:59:71:a9:05:65", NAME="wl0"
-    SUBSYSTEM=="net", ATTR{address}=="54:e1:ad:4f:06:83", NAME="et0"
-  '';
-
-  services.xserver.videoDrivers = [ "nvidia" ];
-  services.xserver.xrandrHeads = [
-    { output = "DP-2"; primary = true; }
-    { output = "DP-4"; monitorConfig = ''Option "Rotate" "left"''; }
-    { output = "DP-0"; }
-  ];
-
-  services.xserver.displayManager.sessionCommands = ''
-    ${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal
-  '';
-}
--- a/lass/1systems/helios/source.nix
+++ b/lass/1systems/helios/source.nix
@ -1,4 +0,0 @@
-import <stockholm/lass/source.nix> {
-  name = "helios";
-  secure = true;
-}
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -33,6 +33,7 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/dunst.nix>
    <stockholm/lass/2configs/rtl-sdr.nix>
    <stockholm/lass/2configs/backup.nix>
+    <stockholm/lass/2configs/print.nix>
    {
      krebs.iptables.tables.filter.INPUT.rules = [
        #risk of rain
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -175,7 +175,6 @@ with import <stockholm/lib>;
        alias /var/realwallpaper/realwallpaper.png;
      '';
    }
-    <stockholm/lass/2configs/dcso-dev.nix>
    {
      users.users.jeschli = {
        uid = genid "jeschli";
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -8,7 +8,6 @@ in {
    ./mpv.nix
    ./power-action.nix
    ./copyq.nix
-    ./livestream.nix
    ./urxvt.nix
    ./network-manager.nix
    {
@ -58,30 +57,18 @@ in {
  programs.ssh.startAgent = true;
  services.openssh.forwardX11 = true;

-  services.printing = {
-    enable = true;
-    drivers = [
-      pkgs.foomatic_filters
-      pkgs.gutenprint
-    ];
-  };
-
  environment.systemPackages = with pkgs; [
    acpi
    ag
-    bank
    cabal2nix
    cholerab
    dic
    dmenu
    font-size
-    gi
    gitAndTools.qgit
    git-preview
    gnome3.dconf
    lm_sensors
-    mpv-poll
-    much
    ncdu
    nix-index
    nix-repl
@ -90,18 +77,14 @@ in {
    powertop
    push
    rxvt_unicode_with-plugins
-    slock
    sxiv
    taskwarrior
    termite
-    timewarrior
    xclip
    xephyrify
    xorg.xbacklight
    xorg.xhost
    xsel
-    youtube-tools
-    yt-next
    zathura
  ];

@ -112,7 +95,6 @@ in {
    xlibs.fontschumachermisc
  ];

-  #lass.xserver.enable = true;
  services.xserver = {
    enable = true;
    layout = "us";
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@ -12,6 +12,7 @@ with (import <stockholm/lib>);
  environment.systemPackages = with pkgs; [
    ag
    nmap
+    git-preview
  ];

  services.tor.enable = true;
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@ -29,7 +29,7 @@ let
      environment.systemPackages = [
        config.lass.xjail-bins.${name}
        (pkgs.writeDashBin "cx-${name}" ''
-          DISPLAY=:${toString (genid_signed name)} ${pkgs.xclip}/bin/xclip -o | DISPLAY=:0 ${pkgs.xclip}/bin/xclip
+          DISPLAY=:${toString (genid_uint31 name)} ${pkgs.xclip}/bin/xclip -o | DISPLAY=:0 ${pkgs.xclip}/bin/xclip
        '')
      ];
      lass.browser.paths.${name} = {
@ -66,6 +66,7 @@ in {
    extensions = [
      "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
      "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
+      "liloimnbhkghhdhlamdjipkmadhpcjmn" # krebsgold
    ];
  };

--- a/lass/2configs/ciko.nix
+++ b/lass/2configs/ciko.nix
@ -2,7 +2,7 @@
 with import <stockholm/lib>;
 {
  users.users.ciko = {
-    uid = genid_signed "ciko";
+    uid = genid_uint31 "ciko";
    description = "acc for ciko";
    home = "/home/ciko";
    useDefaultShell = true;
--- a/lass/2configs/dcso-dev.nix
+++ b/lass/2configs/dcso-dev.nix
@ -1,75 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-  mainUser = config.users.extraUsers.mainUser;
-  inherit (import <stockholm/lib>) genid;
-
-in {
-  users.extraUsers = {
-    dev = {
-      name = "dev";
-      uid = genid "dev";
-      extraGroups = [ "docker" "vboxusers" ];
-      description = "user for collaborative development";
-      home = "/home/dev";
-      useDefaultShell = true;
-      createHome = true;
-      openssh.authorizedKeys.keys = [
-        config.krebs.users.lass.pubkey
-        config.krebs.users.lass-android.pubkey
-        config.krebs.users.lass-mors.pubkey
-        config.krebs.users.jeschli-bln.pubkey
-        config.krebs.users.jeschli-brauerei.pubkey
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1T5+2epslFARSnETdr4wdolA6ocJaD4H9tmz6BZFQKXlwIq+OMp+sSEdwYwW3Lu9+mNbBHPxVVJDWg/We9DXB0ezXPM5Bs1+FcehmkoGwkmgKaFCDt0sL+CfSnog/3wEkN21O/rQxVFqMmiJ7WUDGci6IKCFZ5ZjOsmmfHg5p3LYxU9xv33fNr2v+XauhrGbFtQ7eDz4kSywxN/aw73LN4d8em0V0UV8VPI3Qkw7MamDFwefA+K1TfK8pBzMeruU6N7HLuNkpkAp7kS+K4Zzd72aQtR37a5qMiFUbOxQ9B7iFypuPx0iu6ZwY1s/sM8t3kLmcDJ9O4FOTzlbpneet3as6iJ+Ckr/TlfKor2Tl5pWcXh2FXHoG8VUu5bYmIViJBrKihAlAQfQN0mJ9fdFTnCXVTtbYTy11s4eEVHgUlb7oSpgBnx5bnBONgApbsOX9zyoo8wz8KkZBcf1SQpkV5br8uUAHCcZtHuY6I3kKlv+8lJmgUipiYzMdTi7+dHa49gVEcEKL4ZnJ0msQkl4XT7JjKETLvumC4/TIqVuRu48wuYalkCR9OzxCsTXQ/msBJBztPdYLrEOXVb2HfzuCT+43UuMQ5rP/EoPy0TWQO9BaqfEXqvbOvWjVxj/GMvglQ2ChZTwHxwwTKB8qRVvJLnbZQwizQiSrkzjb6hRJfQ== u0_a165@localhost"
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjtdqRxD0+UU7O8xogSqAQYd/Hrc79CTTKnvbhKy7jp2TVfxQpl81ndSH6DN6Cz90mu65C+DFGq43YtKTPqXmTn1+2wru71C2UOl6ZR0tmU7UELkRt4SJuFQLEgQCt3BWvXJPye6cKRRIlb+XZHWyVyCDxHo9EYO2GWI1wIP8mHMltKj65mobHY+R0CJNhhwlFURzTto8C30ejfVg2OW81qkNWqYtpdC9txLUlQ9/LBVKrafHGprmcBEp9qtecVgx8kxHpS7cuQNYoFcfljug4IyFO+uBfdbKqnGM5mra3huNhX3+AcQxKbLMlRgZD+jc47Xs+s5qSvWBou2ygd5T413k/SDOTCxDjidA+dcwzRo0qUWcGL201a5g+F0EvWv8rjre9m0lii6QKEoPyj60y3yfaIHeafels1Ia1FItjkBe8XydiXf7rKq8nmVRlpo8vl+vKwVuJY783tObHjUgBtXJdmnyYGiXxkxSrXa2mQhPz3KodK/QrnqCP27dURcMlp1hFF3LxFz7WtMCLW0yvDuUsuI2pdq0+zdt702wuwXVNIvbq/ssvX/CL8ryBLAogaxN9DN0vpjk+aXQLn11Zt99MgmnnqUgvOKQi1Quog/SxnSBiloKqB6aA10a28Uxoxkr0KAfhWhX3XPpfGMlbVj4GJuevLp0sGDVQT2biUQ== rhaist@RH-NB"
-      ];
-      packages = with pkgs; [
-        emacs25-nox
-
-        (pkgs.symlinkJoin {
-          name = "tmux";
-          paths = [
-            (pkgs.writeDashBin "tmux" ''
-              exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
-                set-option -g default-terminal screen-256color
-
-                #use session instead of windows
-                bind-key c new-session
-                bind-key p switch-client -p
-                bind-key n switch-client -n
-                bind-key C-s switch-client -l
-              ''} "$@"
-            '')
-            pkgs.tmux
-          ];
-        })
-      ];
-    };
-  };
-
-  krebs.iptables.tables.filter.INPUT.rules = [
-    { predicate = "-p tcp --dport 8000"; target = "ACCEPT";}
-    { predicate = "-p tcp --dport 9000"; target = "ACCEPT";}
-  ];
-
-  krebs.per-user.dev.packages = [
-    pkgs.go
-  ];
-  environment.variables.GOPATH = "$HOME/go";
-
-  security.sudo.extraConfig = ''
-    ${mainUser.name} ALL=(dev) NOPASSWD: ALL
-  '';
-
-  networking.interfaces.et0.ipv4.addresses = [
-    { address = "10.99.23.1"; prefixLength = 24; }
-  ];
-  virtualisation.docker.enable = true;
-  environment.etc."docker/daemon.json".source = pkgs.writeText "daemon.json" ''
-    {
-      "bip": "172.25.0.1/16"
-    }
-  '';
-  services.rabbitmq.enable = true;
-  services.postgresql.enable = true;
-}
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@ -84,6 +84,7 @@ with import <stockholm/lib>;
      { from = "boardgamegeek@lassul.us"; to = lass.mail; }
      { from = "qwertee@lassul.us"; to = lass.mail; }
      { from = "zazzle@lassul.us"; to = lass.mail; }
+      { from = "hackbeach@lassul.us"; to = lass.mail; }
    ];
    system-aliases = [
      { from = "mailer-daemon"; to = "postmaster"; }
--- a/lass/2configs/print.nix
+++ b/lass/2configs/print.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }:
+{
+  services.printing = {
+    enable = true;
+    drivers = [
+      pkgs.foomatic_filters
+      pkgs.gutenprint
+    ];
+  };
+}
--- a/lass/2configs/urxvt.nix
+++ b/lass/2configs/urxvt.nix
@ -19,9 +19,9 @@ with import <stockholm/lib>;
    URxvt.keysym.M-Escape:      perl:keyboard-select:activate
    URxvt.keysym.M-s:           perl:keyboard-select:search

-    URxvt.keysym.M-F1: command:\033]710;-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1\007\033]711;-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1\007
-    URxvt.keysym.M-F2: command:\033]710;xft:Monospace:size=15\007\033]711;xft:Monospace:size=15:bold\007
-    URxvt.keysym.M-F3: command:\033]710;xft:Monospace:size=20\007\033]711;xft:Monospace:size=20:bold\007
+    URxvt.keysym.M-F1: command:\033]710;${config.lass.fonts.regular}\007\033]711;${config.lass.fonts.bold}\007
+    URxvt.keysym.M-F2: command:\033]710;xft:Monospace:size=12\007\033]711;xft:Monospace:size=15:bold\007
+    URxvt.keysym.M-F3: command:\033]710;xft:Monospace:size=18\007\033]711;xft:Monospace:size=20:bold\007
    URxvt.keysym.M-F4: command:\033]710;xft:Monospace:size=25\007\033]711;xft:Monospace:size=25:bold\007
    URxvt.keysym.M-F5: command:\033]710;xft:Monospace:size=30\007\033]711;xft:Monospace:size=30:bold\007

--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@ -4,7 +4,7 @@ let

  inherit (import <stockholm/lib>)
    genid
-    genid_signed
+    genid_uint31
  ;
  inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
    servePage
@ -134,7 +134,7 @@ in {
  };

  users.users.domsen = {
-    uid = genid_signed "domsen";
+    uid = genid_uint31 "domsen";
    description = "maintenance acc for domsen";
    home = "/home/domsen";
    useDefaultShell = true;
@ -143,49 +143,49 @@ in {
  };

  users.users.bruno = {
-    uid = genid_signed "bruno";
+    uid = genid_uint31 "bruno";
    home = "/home/bruno";
    useDefaultShell = true;
    createHome = true;
  };

  users.users.jla-trading = {
-    uid = genid_signed "jla-trading";
+    uid = genid_uint31 "jla-trading";
    home = "/home/jla-trading";
    useDefaultShell = true;
    createHome = true;
  };

  users.users.jms = {
-    uid = genid_signed "jms";
+    uid = genid_uint31 "jms";
    home = "/home/jms";
    useDefaultShell = true;
    createHome = true;
  };

  users.users.ms = {
-    uid = genid_signed "ms";
+    uid = genid_uint31 "ms";
    home = "/home/ms";
    useDefaultShell = true;
    createHome = true;
  };

  users.users.testuser = {
-    uid = genid_signed "testuser";
+    uid = genid_uint31 "testuser";
    home = "/home/testuser";
    useDefaultShell = true;
    createHome = true;
  };

  users.users.akayguen = {
-    uid = genid_signed "akayguen";
+    uid = genid_uint31 "akayguen";
    home = "/home/akayguen";
    useDefaultShell = true;
    createHome = true;
  };

  users.users.bui = {
-    uid = genid_signed "bui";
+    uid = genid_uint31 "bui";
    home = "/home/bui";
    useDefaultShell = true;
    createHome = true;
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@ -23,7 +23,7 @@ with import <stockholm/lib>;
        };
        display = mkOption {
          type = types.string;
-          default = toString (genid_signed config._module.args.name);
+          default = toString (genid_uint31 config._module.args.name);
        };
        dpi = mkOption {
          type = types.int;
--- a/lass/5pkgs/custom/xmonad-lass/default.nix
+++ b/lass/5pkgs/custom/xmonad-lass/default.nix
@ -64,7 +64,7 @@ myTerm :: FilePath
 myTerm = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtc"

 myFont :: String
-myFont = "${config.lass.fonts.regular}"
+myFont = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1"

 main :: IO ()
 main = getArgs >>= \case
@ -160,6 +160,8 @@ myKeyMap =

    , ("<Pause>", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter")

+    , ("M4-s", spawn "${pkgs.knav}/bin/knav")
+
    --, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView))
    --, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView))
    --, ("M4-r", screenWorkspace 2 >>= (windows . W.greedyView))
--- a/lass/5pkgs/knav/default.nix
+++ b/lass/5pkgs/knav/default.nix
@ -0,0 +1,26 @@
+{ pkgs, ... }: let
+
+  keynavrc = pkgs.writeText "keynavrc" ''
+    clear
+    Escape quit
+    q record ~/.keynav_macros
+    shift+at playback
+    u history-back
+    a cut-left
+    s cut-down
+    w cut-up
+    d cut-right
+    shift+a move-left
+    shift+s move-down
+    shift+w move-up
+    shift+d move-right
+    t windowzoom
+    c cursorzoom 300 300
+    e warp
+    1 click 1
+    2 click 2
+    3 click 3
+  '';
+in pkgs.writeScriptBin "knav" ''
+  ${pkgs.keynav}/bin/keynav "loadconfig ${keynavrc}, start"
+''
--- a/lib/default.nix
+++ b/lib/default.nix
@ -13,7 +13,7 @@ let
    mod = x: y: x - y * (x / y);

    genid = import ./genid.nix { inherit lib; };
-    genid_signed = x: ((lib.genid x) + 16777216) / 2;
+    genid_uint31 = x: ((lib.genid x) + 16777216) / 2;

    lpad = n: c: s:
      if lib.stringLength s < n
--- a/makefu/1systems/nextgum/config.nix
+++ b/makefu/1systems/nextgum/config.nix
@ -49,6 +49,7 @@ in {
      <stockholm/makefu/2configs/vpn/openvpn-server.nix>
      # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
      <stockholm/makefu/2configs/dnscrypt/server.nix>
+      <stockholm/makefu/2configs/binary-cache/server.nix>
      <stockholm/makefu/2configs/iodined.nix>

      ## buildbot
@ -69,6 +70,8 @@ in {
      #<stockholm/makefu/2configs/nginx/public_html.nix>
      #<stockholm/makefu/2configs/nginx/update.connector.one.nix>
      #<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
+      <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
+      <stockholm/makefu/2configs/deployment/events-publisher>

      #<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
      #<stockholm/makefu/2configs/deployment/graphs.nix>
--- a/makefu/1systems/nextgum/hardware-config.nix
+++ b/makefu/1systems/nextgum/hardware-config.nix
@ -45,12 +45,20 @@ in {
    "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
    "xhci_pci" "ehci_pci" "ahci" "sd_mod"
  ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ "kvm-intel" "dm-raid" "dm_thin_pool" ];
  hardware.enableRedistributableFirmware = true;
  fileSystems."/" = {
    device = "/dev/mapper/nixos-root";
    fsType = "ext4";
  };
+  fileSystems."/var/lib" = {
+    device = "/dev/mapper/nixos-lib";
+    fsType = "ext4";
+  };
+  fileSystems."/var/download" = {
+    device = "/dev/mapper/nixos-download";
+    fsType = "ext4";
+  };
  fileSystems."/boot" = {
    device = "/dev/sda2";
    fsType = "vfat";
@ -69,7 +77,9 @@ in {
  #pvcreate /dev/sda3
  #pvcreate /dev/sdb1
  #vgcreate nixos /dev/sda3 /dev/sdb1
-  #lvcreate -L 120G -n root nixos
+  #lvcreate -L 120G -m 1 -n root nixos
+  #lvcreate -L 50G -m 1 -n lib nixos
+  #lvcreate -L 50G -n download nixos
  #mkfs.ext4 /dev/mapper/nixos-root
  #mount /dev/mapper/nixos-root /mnt
  #mkdir /mnt/boot
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@ -39,20 +39,27 @@ in {

      # Sensors
      <stockholm/makefu/2configs/stats/telegraf>
-      <stockholm/makefu/2configs/deployment/led-fader.nix>
-      <stockholm/makefu/2configs/stats/external/aralast.nix>
      <stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
+      <stockholm/makefu/2configs/stats/telegraf/europastats.nix>
+      <stockholm/makefu/2configs/stats/external/aralast.nix>
+      <stockholm/makefu/2configs/stats/arafetch.nix>
+      <stockholm/makefu/2configs/deployment/led-fader.nix>
+      <stockholm/makefu/2configs/hw/mceusb.nix>
      # <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>

+
+
      <stockholm/makefu/2configs/deployment/bureautomation>
+      <stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
      (let
          collectd-port = 25826;
          influx-port = 8086;
+          admin-port = 8083;
          grafana-port = 3000; # TODO nginx forward
          db = "collectd_db";
          logging-interface = "enp0s25";
        in {
-          networking.firewall.allowedTCPPorts = [ 3000 ];
+          networking.firewall.allowedTCPPorts = [ 3000 influx-port admin-port ];

          services.grafana.enable = true;
          services.grafana.addr = "0.0.0.0";
@ -61,7 +68,7 @@ in {
            meta.hostname = config.krebs.build.host.name;
            # meta.logging-enabled = true;
            http.bind-address = ":${toString influx-port}";
-            admin.bind-address = ":8083";
+            admin.bind-address = ":${toString admin-port}";
            collectd = [{
              enabled = true;
              typesdb = "${pkgs.collectd}/share/collectd/types.db";
@ -125,7 +132,6 @@ in {
  networking.firewall.allowedTCPPorts = [
    655
    8081 #smokeping
-    8086 #influx
    49152
  ];
  networking.firewall.trustedInterfaces = [ "enp0s25" ];
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@ -8,6 +8,7 @@ with import <stockholm/lib>;
  imports =
    [ # base
      <stockholm/makefu>
+      <stockholm/makefu/2configs/nur.nix>
      <stockholm/makefu/2configs/main-laptop.nix>
      <stockholm/makefu/2configs/extra-fonts.nix>
      <stockholm/makefu/2configs/tools/all.nix>
@ -54,7 +55,6 @@ with import <stockholm/lib>;
          internalInterfaces = [ "vboxnet0" ];
        };
      }
-
      # Services
      <stockholm/makefu/2configs/git/brain-retiolum.nix>
      <stockholm/makefu/2configs/tor.nix>
@ -64,6 +64,7 @@ with import <stockholm/lib>;

      # Hardware
      <stockholm/makefu/2configs/hw/tp-x230.nix>
+      <stockholm/makefu/2configs/hw/mceusb.nix>
      # <stockholm/makefu/2configs/hw/tpm.nix>
      # <stockholm/makefu/2configs/hw/rtl8812au.nix>
      <stockholm/makefu/2configs/hw/network-manager.nix>
@ -125,7 +126,7 @@ with import <stockholm/lib>;

  krebs.build.host = config.krebs.hosts.x;

-  krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
+  krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" "nextgum" ];

  networking.extraHosts = ''
    192.168.1.11  omo.local
@ -133,6 +134,8 @@ with import <stockholm/lib>;
  '';
  # hard dependency because otherwise the device will not be unlocked
  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];
+  # avoid full boot dir
+  boot.loader.grub.configurationLimit = 3;

  environment.systemPackages = [ pkgs.passwdqc-utils pkgs.nixUnstable ];
  nixpkgs.overlays = [ (import <python/overlay.nix>) ];
--- a/makefu/2configs/binary-cache/server.nix
+++ b/makefu/2configs/binary-cache/server.nix
@ -0,0 +1,31 @@
+{ config, lib, pkgs, ...}:
+
+{
+  # generate private key with:
+  # nix-store --generate-binary-cache-key gum nix-serve.key nix-serve.pub
+  services.nix-serve = {
+    enable = true;
+    secretKeyFile = config.krebs.secret.files.nix-serve-key.path;
+  };
+
+  systemd.services.nix-serve = {
+    requires = ["secret.service"];
+    after = ["secret.service"];
+  };
+  krebs.secret.files.nix-serve-key = {
+    path = "/run/secret/nix-serve.key";
+    owner.name = "nix-serve";
+    source-path = toString <secrets> + "/nix-serve.key";
+  };
+  services.nginx = {
+    enable = true;
+    virtualHosts.nix-serve = {
+      serverAliases = [ "cache.gum.r"
+                        "cache.euer.krebsco.de"
+                        "cache.gum.krebsco.de"
+                      ];
+      locations."/".proxyPass= "http://localhost:${toString config.services.nix-serve.port}";
+    };
+  };
+}
+
--- a/makefu/2configs/deployment/bureautomation/hass.nix
+++ b/makefu/2configs/deployment/bureautomation/hass.nix
@ -1,75 +1,125 @@
 { pkgs, lib, ... }:
 let
-  firetv = "192.168.1.238";
-in {
-  imports = [
-    <nixpkgs-unstable/nixos/modules/services/misc/home-assistant.nix>
+  tasmota_plug = name: topic: {
+          platform = "mqtt";
+          inherit name;
+          state_topic = "/bam/${topic}/stat/POWER";
+          command_topic = "/bam/${topic}/cmnd/POWER";
+          availability_topic = "/bam/${topic}/tele/LWT";
+          qos = 1;
+          payload_on= "ON";
+          payload_off= "OFF";
+          payload_available= "Online";
+          payload_not_available= "Offline";
+          retain= false;
+        };
+  espeasy_dht22 = name: [
+    {
+          platform = "mqtt";
+          device_class = "temperature";
+          state_topic = "/bam/${name}/dht22/Temperature";
+          availability_topic = "/bam/${name}/status/LWT";
+          payload_available = "Connected";
+          payload_not_available = "Connection Lost";
+    }
+    {
+          platform = "mqtt";
+          device_class = "humidity";
+          state_topic = "/bam/${name}/dht22/Temperature";
+          unit_of_measurement =  "C";
+          availability_topic = "/bam/${name}/status/LWT";
+          payload_available = "Connected";
+          payload_not_available = "Connection Lost";
+    }];
+  espeasy_ds18 = name: [
+    {
+          platform = "mqtt";
+          device_class = "temperature";
+          state_topic = "/bam/${name}/ds18/Temperature";
+          availability_topic = "/bam/${name}/status/LWT";
+          payload_available = "Connected";
+          payload_not_available = "Connection Lost";
+    }
  ];
-  systemd.services.firetv = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig = {
-      User = "nobody";
-      ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
-    };
-  };
-  nixpkgs.config.packageOverrides = oldpkgs: {
-    home-assistant = (import <nixpkgs-unstable> {}).home-assistant;
-  };
-  ids.uids.hass = 286;
-  ids.gids.hass = 286;
+in {
+
+  nixpkgs.config.permittedInsecurePackages = [
+    "homeassistant-0.65.5"
+  ];
+
  services.home-assistant = {
-  #panel_iframe:
-  #configurator:
-  #  title: Configurator
-  #  icon: mdi:wrench
-  #  url: http://hassio.local:3218
-  # sensor:
-  # - platform: random
    enable = true;
    config = {
      homeassistant = {
        name = "Bureautomation";
        time_zone = "Europe/Berlin";
      };
-      panel_iframe = {
-        euer_blog = {
-          title = "Euer Blog";
-          icon =  "mdi:wrench";
-          url = "https://euer.krebsco.de";
+
+      mqtt = {
+        broker = "localhost";
+        port = 1883;
+        client_id = "home-assistant";
+        keepalive = 60;
+        protocol = 3.1;
+        birth_message = {
+          topic = "/bam/hass/tele/LWT";
+          payload = "Online";
+          qos = 1;
+          retain = true;
+        };
+        will_message = {
+          topic = "/bam/hass/tele/LWT";
+          payload = "Offline";
+          qos = 1;
+          retain = true;
        };
      };
-      media_player = [
-        { platform = "kodi";
-          host = firetv;
-        }
-        { platform = "firetv";
-          # assumes python-firetv running
+      switch = [
+        (tasmota_plug "Bauarbeiterlampe" "plug")
+        (tasmota_plug "Blitzdings" "plug2")
+        (tasmota_plug "Fernseher" "plug3")
+        (tasmota_plug "Pluggy" "plug4")
+      ];
+      binary_sensor = [
+        { # esp_easy 
+          platform = "mqtt";
+          device_class = "motion";
+          state_topic = "/bam/easy2/movement/Switch";
+          payload_on = "1";
+          payload_off = "0";
+          availability_topic = "/bam/easy2/status/LWT";
+          payload_available = "Connected";
+          payload_not_available = "Connection Lost";
        }
      ];
-      sensor = [
-        {
-          platform = "luftdaten";
-          name = "Shack 1";
-          sensorid = "50";
-          monitored_conditions = [ "P1" "P2" ];
-        }
-        {
-          platform = "luftdaten";
-          name = "Shack 2";
-          sensorid = "658";
-          monitored_conditions = [ "P1" "P2" ];
-        }
-        {
-          platform = "luftdaten";
-          name = "Ditzingen";
-          sensorid = "5341";
-          monitored_conditions = [ "P1" "P2" ];
-        }
-        { platform = "random"; }
-      ];
+      sensor =
+          (espeasy_dht22 "easy2") ++
+        [ (espeasy_ds18 "easy3" )
+          { platform = "luftdaten";
+            name = "Ditzingen";
+            sensorid = "5341";
+            monitored_conditions = [ "P1" "P2" ];
+          }
+          { platform = "influxdb";
+            queries = [
+              { name = "mean value of feinstaub P1";
+                where = '' "node" = 'esp8266-1355142' '';
+                measurement = "feinstaub";
+                database = "telegraf";
+                field = "P1";
+              }
+              { name = "mean value of feinstaub P2";
+                where = '' "node" = 'esp8266-1355142' '';
+                measurement = "feinstaub";
+                database = "telegraf";
+                field = "P2";
+              }
+            ];
+          }
+        ];
      frontend = { };
      http = { };
-      feedreader.urls = [ "https://nixos.org/blogs.xml" ];
+      feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ];
    };
  };
 }
--- a/makefu/2configs/deployment/bureautomation/home.nix
+++ b/makefu/2configs/deployment/bureautomation/home.nix
@ -0,0 +1,67 @@
+{ pkgs, lib, ... }:
+let
+  firetv = "192.168.1.238";
+in {
+  systemd.services.firetv = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "nobody";
+      ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
+    };
+  };
+  services.home-assistant = {
+  #panel_iframe:
+  #configurator:
+  #  title: Configurator
+  #  icon: mdi:wrench
+  #  url: http://hassio.local:3218
+  # sensor:
+  # - platform: random
+    enable = true;
+    config = {
+      homeassistant = {
+        name = "Bureautomation";
+        time_zone = "Europe/Berlin";
+      };
+      panel_iframe = {
+        euer_blog = {
+          title = "Euer Blog";
+          icon =  "mdi:wrench";
+          url = "https://euer.krebsco.de";
+        };
+      };
+      media_player = [
+        { platform = "kodi";
+          host = firetv;
+        }
+        { platform = "firetv";
+          # assumes python-firetv running
+        }
+      ];
+      sensor = [
+        {
+          platform = "luftdaten";
+          name = "Shack 1";
+          sensorid = "50";
+          monitored_conditions = [ "P1" "P2" ];
+        }
+        {
+          platform = "luftdaten";
+          name = "Shack 2";
+          sensorid = "658";
+          monitored_conditions = [ "P1" "P2" ];
+        }
+        {
+          platform = "luftdaten";
+          name = "Ditzingen";
+          sensorid = "5341";
+          monitored_conditions = [ "P1" "P2" ];
+        }
+        { platform = "random"; }
+      ];
+      frontend = { };
+      http = { };
+      feedreader.urls = [ "https://nixos.org/blogs.xml" ];
+    };
+  };
+}
--- a/makefu/2configs/deployment/events-publisher/default.nix
+++ b/makefu/2configs/deployment/events-publisher/default.nix
@ -0,0 +1,48 @@
+{ pkgs, ... }:
+with import <stockholm/lib>;
+let
+  shack-announce = pkgs.callPackage (builtins.fetchTarball {
+    url = "https://github.com/makefu/events-publisher/archive/5e7b083c63f25182a02c1fddb3d32cb9534fbc50.tar.gz";
+    sha256 = "1zzlhyj8fr6y3a3b6qlyrm474xxxs1ydqjpkd2jva3g1lnzlmvkp";
+  }) {} ;
+  home = "/var/lib/shackannounce";
+  user = "shackannounce";
+  creds = (toString <secrets>) + "/shack-announce.json";
+in
+{
+  users.users.${user}= {
+    uid = genid user;
+    inherit home;
+    createHome = true;
+  };
+  systemd.services.shack-announce = {
+    description = "Announce shack events";
+    startAt = "*:0/30";
+    path = [ shack-announce ];
+    serviceConfig  = {
+      WorkingDirectory = home;
+      User = user;
+      PermissionsStartOnly = true;
+      ExecStartPre = pkgs.writeDash "shack-announce-pre" ''
+        set -eu
+        cp ${creds} creds.json
+        chown ${user} creds.json
+      '';
+      ExecStart = pkgs.writeDash "shack-announce" ''
+        if test ! -e announce.state; then
+          echo "initializing state"
+          announce-daemon \
+            --lol INFO \
+            --creds creds.json \
+            --state announce.state \
+            --clean --init
+        fi
+        echo "Running announce"
+        announce-daemon \
+           --lol INFO \
+           --creds creds.json \
+           --state announce.state
+      '';
+    };
+  };
+}
--- a/makefu/2configs/deployment/owncloud.nix
+++ b/makefu/2configs/deployment/owncloud.nix
@ -108,7 +108,6 @@ let
          # Add headers to serve security related headers
          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
          add_header X-Content-Type-Options nosniff;
-          add_header X-Frame-Options "SAMEORIGIN";
          add_header X-XSS-Protection "1; mode=block";
          add_header X-Robots-Tag none;
          # Optional: Don't log access to assets
@ -144,6 +143,8 @@ let
        opcache.memory_consumption=128
        opcache.save_comments=1
        opcache.revalidate_freq=1
+        opcache.file_cache = .opcache
+        zend_extension=${pkgs.php}/lib/php/extensions/opcache.so

        display_errors = on
        display_startup_errors = on
@ -155,6 +156,13 @@ let
        extension=${pkgs.phpPackages.redis}/lib/php/extensions/redis.so
        extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
      '';
+      systemd.services."nextcloud-cron-${domain}" = {
+        serviceConfig = {
+          User = "nginx";
+          ExecStart = "${pkgs.php}/bin/php -f ${root}/cron.php";
+        };
+        startAt = "*:0/15";
+      };
    };
 in  {
  imports = [
--- a/makefu/2configs/hw/mceusb.nix
+++ b/makefu/2configs/hw/mceusb.nix
@ -0,0 +1,17 @@
+{pkgs, lib, ...}:{
+  # Disable the MCE remote from acting like a keyboard.  (We use lirc instead.)
+  services.xserver.inputClassSections = [''
+    Identifier   "MCE USB Keyboard mimic blacklist"
+    Driver       "mceusb"
+    MatchProduct "Media Center Ed. eHome Infrared Remote Transceiver (1934:5168)"
+    Option       "Ignore" "on"
+  ''];
+  boot.kernelPatches = lib.singleton {
+    name = "enable-lirc";
+    patch = null;
+    extraConfig = ''
+      LIRC y
+    '';
+  };
+
+}
--- a/makefu/2configs/hw/network-manager.nix
+++ b/makefu/2configs/hw/network-manager.nix
@ -22,15 +22,9 @@
  };
  networking.networkmanager.enable = true;

-  # TODO: put somewhere else
-  services.xserver.displayManager.sessionCommands = ''
-    ${pkgs.clipit}/bin/clipit &
-    ${pkgs.networkmanagerapplet}/bin/nm-applet &
-    '';
-
 # nixOSUnstable
-# networking.networkmanager.wifi = {
-#   powersave = true;
-#   scanRandMacAddress = true;
-# };
+  networking.networkmanager.wifi = {
+    powersave = true;
+    scanRandMacAddress = true;
+  };
 }
--- a/makefu/2configs/hw/stk1160.nix
+++ b/makefu/2configs/hw/stk1160.nix
@ -1,13 +1,12 @@
 { pkgs, lib, ... }:
 {
-  # TODO: un-pin linuxPackages somehow
-  nixpkgs.config.packageOverrides = pkgs: {
-    linux_4_14 = pkgs.linux_4_14.override {
-        extraConfig = ''
-          MEDIA_ANALOG_TV_SUPPORT y
-          VIDEO_STK1160_COMMON m
-          VIDEO_STK1160 m
-        '';
-    };
+  boot.kernelPatches = lib.singleton {
+    name = "enable-stk1160";
+    patch = null;
+    extraConfig = ''
+      MEDIA_ANALOG_TV_SUPPORT y
+      VIDEO_STK1160_COMMON m
+      VIDEO_STK1160 m
+    '';
  };
 }
--- a/makefu/2configs/nginx/gold.krebsco.de.nix
+++ b/makefu/2configs/nginx/gold.krebsco.de.nix
@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+  gold = pkgs.fetchFromGitHub {
+    owner = "krebs";
+    repo = "krebsgold";
+    rev = "15f7a74";
+    sha256= "1ya9xgg640k3hbl63022sfm44c1si2mxch8jkxindmwg4pa1y4ly";
+  };
+in {
+
+  services.nginx = {
+    enable = mkDefault true;
+    virtualHosts = {
+      "gold.krebsco.de" = {
+        enableACME = true;
+        forceSSL = true;
+        root = toString gold + "/html";
+      };
+    };
+  };
+}
+
--- a/makefu/2configs/nur.nix
+++ b/makefu/2configs/nur.nix
@ -0,0 +1,7 @@
+{ pkgs, ... }:{
+  nixpkgs.config.packageOverrides = pkgs: {
+    nur = pkgs.callPackage (import (builtins.fetchGit {
+      url = "https://github.com/nix-community/NUR";
+    })) {};
+  };
+}
--- a/makefu/2configs/stats/client.nix
+++ b/makefu/2configs/stats/client.nix
@ -31,6 +31,7 @@
        FSType "tmpfs"
        FSType "binfmt_misc"
        FSType "debugfs"
+        FSType "tracefs"
        FSType "mqueue"
        FSType "hugetlbfs"
        FSType "systemd-1"
--- a/makefu/2configs/task-client.nix
+++ b/makefu/2configs/task-client.nix
@ -1,6 +1,6 @@
 { pkgs, ... }:
 {
-  krebs.per-user.makefu.packages = [
+  users.users.makefu.packages = [
    pkgs.taskwarrior
  ];

--- a/makefu/2configs/tools/core-gui.nix
+++ b/makefu/2configs/tools/core-gui.nix
@ -1,10 +1,10 @@
 { pkgs, ... }:

 {
-  krebs.per-user.makefu.packages = with pkgs; [
+  users.users.makefu.packages = with pkgs; [
    chromium
-    clipit
    feh
+    clipit
    firefox
    keepassx
    pcmanfm
--- a/makefu/2configs/tools/desktop.nix
+++ b/makefu/2configs/tools/desktop.nix
@ -4,8 +4,10 @@
  users.users.makefu.packages = with pkgs; [
    taskwarrior
    pass
+    gopass
    mutt
    weechat
    tmux
  ];
+
 }
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@ -1,7 +1,7 @@
 { pkgs, ... }:

 {
-  krebs.per-user.makefu.packages = with pkgs;[
+  users.users.makefu.packages = with pkgs;[
    # media
    gimp
    inkscape
--- a/makefu/2configs/tools/media.nix
+++ b/makefu/2configs/tools/media.nix
@ -1,7 +1,7 @@
 { pkgs, ... }:

 {
-  krebs.per-user.makefu.packages = with pkgs; [
+  users.users.makefu.packages = with pkgs; [
    kodi
    streamripper
    youtube-dl
--- a/makefu/2configs/tools/sec.nix
+++ b/makefu/2configs/tools/sec.nix
@ -1,7 +1,7 @@
 { pkgs, ... }:

 {
-  krebs.per-user.makefu.packages = with pkgs; [
+  users.users.makefu.packages = with pkgs; [
    aria2
    # mitmproxy
    pythonPackages.binwalk-full
--- a/makefu/2configs/torrent.nix
+++ b/makefu/2configs/torrent.nix
@ -8,13 +8,13 @@ let
  peer-port = 51412;
  web-port = 8112;
  daemon-port = 58846;
-  torrent-dir = config.makefu.dl-dir;
+  base-dir = config.makefu.dl-dir;
 in {

  users.users = {
    download = {
      name = "download";
-      home = torrent-dir;
+      home = base-dir;
      uid = mkDefault (genid "download");
      createHome = true;
      useDefaultShell = true;
@ -25,10 +25,12 @@ in {

  # todo: race condition, do this after download user has been created
  system.activationScripts."download-dir-chmod" = ''
-    for i in finished watch torrents; do
-      mkdir -p "${torrent-dir}/$i"
-      chown download:download "${torrent-dir}/$i"
-      chmod 770 "${torrent-dir}/$i"
+    for i in finished watch; do
+      if test ! -d $i;then
+        mkdir -p "${base-dir}/$i"
+        chown rtorrent:download "${base-dir}/$i"
+        chmod 775 "${base-dir}/$i"
+      fi
    done
  '';

@ -42,6 +44,7 @@ in {
        "nginx"
      ];
    };
+    rtorrent.members = [ "download" ];
  };

  krebs.rtorrent = {
@ -54,7 +57,8 @@ in {
    rutorrent.enable = true;
    enableXMLRPC = true;
    listenPort = peer-port;
-    workDir = torrent-dir;
+    downloadDir = base-dir + "/finished";
+    watchDir = base-dir + "/watch";
    # dump old torrents into watch folder to have them re-added
  };

--- a/makefu/5pkgs/awesomecfg/default.nix
+++ b/makefu/5pkgs/awesomecfg/default.nix
@ -2,7 +2,10 @@
 , lib
 , alsaUtils
 , xbacklight
-, modkey?"Mod4"
+, networkmanagerapplet
+, blueman
+, clipit
+, modkey ? "Mod4"
 , locker? "${pkgs.xlock}/bin/xlock -mode blank"
 , ... }:

@ -10,7 +13,7 @@
  # replace: @alsaUtils@ @xlockmore@ @xbacklight@ @modkey@
  full = lib.makeOverridable pkgs.substituteAll {
    name = "awesome_full_config";
-    inherit alsaUtils locker xbacklight modkey;
+    inherit alsaUtils locker xbacklight modkey networkmanagerapplet blueman clipit;
    isExecutable = false;
    src = ./full.cfg;
  };
--- a/makefu/5pkgs/awesomecfg/full.cfg
+++ b/makefu/5pkgs/awesomecfg/full.cfg
@ -568,6 +568,18 @@ local os = {

 -- }}}

+-- {{{ autostart
+do
+  local cmds =
+  {
+    "@networkmanagerapplet@/bin/nm-applet",
+    "@blueman@/bin/blueman-applet",
+    "@clipit@/bin/clipit"
+  }

+  for _,i in pairs(cmds) do
+    awful.util.spawn(i)
+  end
+end

 -- }}}
--- a/makefu/source.nix
+++ b/makefu/source.nix
@ -24,11 +24,10 @@ let
    ];
  };
  # TODO: automate updating of this ref + cherry-picks
-  ref = "14946ec63a1"; # nixos-18.03 @ 2018-05-31
+  ref = "8f991294288"; # nixos-18.03 @ 2018-08-06
                       # + do_sqlite3 ruby:   55a952be5b5
                       # + exfat-nofuse bump: ee6a5296a35
                       # + uhub/sqlite: 5dd7610401747
-                       # + forecastio:  f27584df02337

 in
  evalSource (toString _file) [