Merge remote-tracking branch 'prism/master'

krebs/3modules/buildbot/master.nix

@@ -3,8 +3,15 @@
 with config.krebs.lib;
 let
 
-  buildbot = pkgs.buildbot;
-  buildbot-master-config = pkgs.writePython2 "buildbot-master.cfg" ''
+  # https://github.com/NixOS/nixpkgs/issues/14026
+  nixpkgs-fix = import (pkgs.fetchgit {
+    url = https://github.com/nixos/nixpkgs;
+    rev = "e026b5c243ea39810826e68362718f5d703fb5d0";
+    sha256 = "87e0724910a6df0371f883f99a8cf42e366fb4119f676f6f74ffb404beca2632";
+  }) {};
+
+  buildbot = nixpkgs-fix.buildbot;
+  buildbot-master-config = pkgs.writeText "buildbot-master.cfg" ''
     # -*- python -*-
     from buildbot.plugins import *
     import re

krebs/3modules/makefu/default.nix

@@ -374,8 +374,8 @@ with config.krebs.lib;
             '';
         };
       };
-      #ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
-      #ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch";
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBGboU/P00yYiwYje53G0oqDFWmcSJ+hIpMsl4f/HH";
     };
     wbob = rec {
       cores = 1;
@@ -512,6 +512,32 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
         };
       };
     };
+    sdev = rec {
+      cores = 1;
+      ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILtm6ETzNgLcXNkrKs2VUEiGsTKBmOFpW2fazbzdUfOg sdev";
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.83.237";
+          ip6.addr  = "42:af50:99cf:c185:f1a8:14d5:acb:8101";
+          aliases = [
+              "sdev.retiolum"
+              "sdev.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEA8BwHwQ4pLZpskVnQONJsmzRPll4ZKMjAC56sY5p+GfT9ZBMkVDn+
+            LeH9wuTRiX/ehgtBiyu8w37cz62hz/71H+3mnWJlTm9bbBTc5N0y8l9b+YYeExW4
+            XPm4bUbJWKNRG9tHQAns/OREYDsHLsY6UoyNFmB0wTDpgs7egDCoe7E2eT+pG428
+            ysCDYlaZaigOyW+bj/HFLj8FSfpF5C/ug7NE/D7QocadsRUiLtVYrJsfmT+KHWf+
+            f5rLWLvuFiz1SWf7wZ9sICF3RCaC9Qhz7zplgHbvwbOHtF+Z/6DxduRMkggZUsUD
+            nm+40Ex1XJTe+s4V4GKLgh/fDKBTS6JwewIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
+
 
     # non-stockholm
 

krebs/5pkgs/go/default.nix

@@ -1,9 +1,9 @@
-{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }:
+{ stdenv, makeWrapper, callPackage, lib, buildEnv, fetchgit, nodePackages, nodejs }:
 
 with lib;
 
 let
-  np = nodePackages.override {
+  np = (callPackage <nixpkgs/pkgs/top-level/node-packages.nix>) {
     generated = ./packages.nix;
     self = np;
   };
@@ -18,7 +18,7 @@ let
     ignoreCollisions = true;
   };
 
-in nodePackages.buildNodePackage {
+in np.buildNodePackage {
   name = "go";
 
   src = fetchgit {

krebs/5pkgs/haskell-overrides/megaparsec.nix

@@ -1,20 +0,0 @@
-{ mkDerivation, base, bytestring, fetchzip, HUnit, mtl, QuickCheck
-, stdenv, test-framework, test-framework-hunit
-, test-framework-quickcheck2, text, transformers
-}:
-mkDerivation {
-  pname = "megaparsec";
-  version = "4.1.0";
-  src = fetchzip {
-    url = "https://hackage.haskell.org/package/megaparsec-4.1.0/megaparsec-4.1.0.tar.gz";
-    sha256 = "1a1ka53a3r91lwnlvzaa8nyk1dxvfd1ij1i5x5vp83q2r9z9dcmi";
-  };
-  libraryHaskellDepends = [ base bytestring mtl text transformers ];
-  testHaskellDepends = [
-    base HUnit mtl QuickCheck test-framework test-framework-hunit
-    test-framework-quickcheck2 transformers
-  ];
-  homepage = "https://github.com/mrkkrp/megaparsec";
-  description = "Monadic parser combinators";
-  license = stdenv.lib.licenses.bsd3;
-}

krebs/5pkgs/newsbot-js/default.nix

@@ -1,9 +1,9 @@
-{ stdenv, makeWrapper, lib, buildEnv, fetchgit, nodePackages, nodejs }:
+{ stdenv, makeWrapper, callPackage, lib, buildEnv, fetchgit, nodePackages, nodejs }:
 
 with lib;
 
 let
-  np = nodePackages.override {
+  np = (callPackage <nixpkgs/pkgs/top-level/node-packages.nix>) {
     generated = ./packages.nix;
     self = np;
   };
@@ -21,7 +21,7 @@ let
     ignoreCollisions = true;
   };
 
-in nodePackages.buildNodePackage {
+in np.buildNodePackage {
   name = "newsbot-js";
 
   src = fetchgit {

lass/1systems/prism.nix

@@ -24,26 +24,6 @@ in {
     ../2configs/repo-sync.nix
     ../2configs/binary-cache/server.nix
     ../2configs/iodined.nix
-    {
-      imports = [
-        ../2configs/git.nix
-      ];
-      krebs.nginx.servers.cgit = {
-        server-names = [
-          "cgit.lassul.us"
-        ];
-        locations = [
-          (nameValuePair "/.well-known/acme-challenge" ''
-            root /var/lib/acme/challenges/cgit.lassul.us/;
-          '')
-        ];
-        ssl = {
-          enable = true;
-          certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
-          certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
-        };
-      };
-    }
     {
       users.extraGroups = {
         # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@@ -164,7 +144,6 @@ in {
       users.users.chat.openssh.authorizedKeys.keys = [
         "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHF9tijlMoEevRZCG1AggukxWggfxPHUwg6Ye113ODG6PZ2m98oSmnsjixDy4GfIJjy+8HBbkwS6iH+fsNk86QtAgFNMjBl+9YvEzNRBzcyCqdOkZFvvZvV2oYA7I15il4ln62PDPKjEIS3YPhZPSwc6GhrlsFTnIG56NF/93IhF7R/FA== JuiceSSH"
         config.krebs.users.lass-uriel.pubkey
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQ8DJhHAqmdrB2+qkV/OuKjR4QDXUww2TWItyDrs+/6F58WacMozgaZr2goA5JQJ5d19nC3LzYb4yLGguADsp987I6cAu5iXPT5PHKc0eRWDN+AGlpTgUtN1BvVrnJZaUJrR9WlHhFYlkOkzAsB15fKYciVWsyxBCVZ+3oiTEjs2L/sfbrgailWqHIUWDftUnJx8EFmSUVZ2GZWklMcgBo0FJD1i0x5u2dQGguNY+28DzQmKgUMS+xD/uUZvrFIWr9I6CBqhsuHJo8n85BT3B3QdG8ARLt5FKPr5L3My6UjlxOkKrDNLjJFjERFCsuIxnrO3tQhvKXQYlOyskHokocYSdcIq8svghJLA3kmRYIjHjZ4y1BNENsk79WyYNMAi5y+A0Evmu+g3ks/DiW3vI/Sw/D3Uc7ilbImpaoL5qUC4+WZM3J2b3Z1AU5D1QiojpKkB9Qt1bokCm8hrRCG9ZDKqAD6IqmI1ARRjfgA4zKwKUhmMqG4p55YGGVf9OeK0rXgX0Z2InyFXeBaU2aBcDfdKD/65w5MnC9CsJnjELdd4r9u2ugTPExzOo3WUlNuOTB1WoZ8CiY2OVGle/E/MzKUDfGuIFhUsFeX0YcLHPbo+mesISNUPaeadSuMuHE8W4FOeEq51toBo/gkxgjtqqWMOd9SxnDQTMBKq3L/w7nEQ== lass@mors"
       ];
     }
     {
@@ -174,6 +153,7 @@ in {
       imports = [
         ../2configs/websites/wohnprojekt-rhh.de.nix
         ../2configs/websites/domsen.nix
+        ../2configs/websites/lassulus.nix
       ];
       krebs.iptables.tables.filter.INPUT.rules = [
          { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
@@ -186,34 +166,6 @@ in {
       };
     }
     {
-      security.acme = {
-        certs."lassul.us" = {
-          email = "lass@lassul.us";
-          webroot = "/var/lib/acme/challenges/lassul.us";
-          plugins = [
-            "account_key.json"
-            "key.pem"
-            "fullchain.pem"
-            "full.pem"
-          ];
-          allowKeysForGroup = true;
-          group = "lasscert";
-        };
-      };
-      users.groups.lasscert.members = [
-        "dovecot2"
-        "ejabberd"
-        "exim"
-        "nginx"
-      ];
-      krebs.nginx.servers."lassul.us" = {
-        server-names = [ "lassul.us" ];
-        locations = [
-          (lib.nameValuePair "/.well-known/acme-challenge" ''
-            root /var/lib/acme/challenges/lassul.us/;
-          '')
-        ];
-      };
       lass.ejabberd = {
         enable = true;
         hosts = [ "lassul.us" ];

lass/1systems/uriel.nix

@@ -9,6 +9,7 @@ with config.krebs.lib;
     ../2configs/exim-retiolum.nix
     {
       # locke config
+      i18n.defaultLocale ="de_DE.UTF-8";
       time.timeZone = "Europe/Berlin";
       services.xserver.enable = true;
       users.users.locke = {
@@ -28,6 +29,7 @@ with config.krebs.lib;
         systemWide = true;
       };
       environment.systemPackages = with pkgs; [
+        pavucontrol
         firefox
         hexchat
         networkmanagerapplet
@@ -51,8 +53,8 @@ with config.krebs.lib;
     #loader.grub.version = 2;
     #loader.grub.device = "/dev/sda";
 
-    loader.gummiboot.enable = true;
-    loader.gummiboot.timeout = 5;
+    loader.systemd-boot.enable = true;
+    loader.timeout = 5;
 
     initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
     initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];

lass/2configs/baseX.nix

@@ -49,6 +49,8 @@ in {
 
     mpv-poll
     yt-next
+
+    youtube-tools
   #window manager stuff
     #haskellPackages.xmobar
     #haskellPackages.yeganesh

lass/2configs/buildbot-standalone.nix

@@ -172,7 +172,6 @@ in {
           "hashPassword",
           "haskellPackages.blessings",
           "haskellPackages.email-header",
-          "haskellPackages.megaparsec",
           "haskellPackages.scanner",
           "haskellPackages.xmonad-stockholm",
           "krebspaste",

lass/2configs/exim-smarthost.nix

@@ -29,6 +29,8 @@ with config.krebs.lib;
       { from = "finanzamt@lassul.us"; to = lass.mail; }
       { from = "netzclub@lassul.us"; to = lass.mail; }
       { from = "nebenan@lassul.us"; to = lass.mail; }
+      { from = "feed@lassul.us"; to = lass.mail; }
+      { from = "art@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }

lass/2configs/nixpkgs.nix

@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://github.com/nixos/nixpkgs;
-    ref = "354fd3728952c229fee4f2924737c601d7ab4725";
+    ref = "b8ede35d2efa96490857c22c751e75d600bea44f";
   };
 }

lass/2configs/repo-sync.nix

@@ -92,6 +92,7 @@ in {
     (sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
     (sync-remote "xintmap" "https://github.com/4z3/xintmap")
     (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
+    (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
     (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
     (sync-retiolum "go")
     (sync-retiolum "much")

lass/2configs/websites/domsen.nix

@@ -191,7 +191,7 @@ in {
       server_set_id = $auth1
     '';
     internet-aliases = [
-      { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
+      { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
       { from = "mail@jla-trading.com"; to = "jla-trading"; }
       { from = "testuser@lassul.us"; to = "testuser"; }
     ];

lass/2configs/websites/lassulus.nix

@@ -0,0 +1,91 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+let
+  inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
+    genid
+  ;
+
+in {
+  imports = [
+    ../git.nix
+  ];
+
+  security.acme = {
+    certs."lassul.us" = {
+      email = "lass@lassul.us";
+      webroot = "/var/lib/acme/challenges/lassul.us";
+      plugins = [
+        "account_key.json"
+        "key.pem"
+        "fullchain.pem"
+        "full.pem"
+      ];
+      allowKeysForGroup = true;
+      group = "lasscert";
+    };
+    certs."cgit.lassul.us" = {
+      email = "lassulus@gmail.com";
+      webroot = "/var/lib/acme/challenges/cgit.lassul.us";
+      plugins = [
+        "account_key.json"
+        "key.pem"
+        "fullchain.pem"
+      ];
+      group = "nginx";
+      allowKeysForGroup = true;
+    };
+  };
+
+  users.groups.lasscert.members = [
+    "dovecot2"
+    "ejabberd"
+    "exim"
+    "nginx"
+  ];
+
+  krebs.nginx.servers."lassul.us" = {
+    server-names = [ "lassul.us" ];
+    locations = [
+      (nameValuePair "/" ''
+        root /srv/http/lassul.us;
+      '')
+      (nameValuePair "/.well-known/acme-challenge" ''
+        root /var/lib/acme/challenges/lassul.us/;
+      '')
+    ];
+    ssl = {
+      enable = true;
+      certificate = "/var/lib/acme/lassul.us/fullchain.pem";
+      certificate_key = "/var/lib/acme/lassul.us/key.pem";
+    };
+  };
+
+  krebs.nginx.servers.cgit = {
+    server-names = [
+      "cgit.lassul.us"
+    ];
+    locations = [
+      (nameValuePair "/.well-known/acme-challenge" ''
+        root /var/lib/acme/challenges/cgit.lassul.us/;
+      '')
+    ];
+    ssl = {
+      enable = true;
+      certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+      certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
+    };
+  };
+
+  users.users.blog = {
+    uid = genid "blog";
+    description = "lassul.us blog deployment";
+    home = "/srv/http/lassul.us";
+    useDefaultShell = true;
+    createHome = true;
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.lass.pubkey
+    ];
+  };
+}
+

makefu/1systems/filepimp.nix

@@ -24,7 +24,9 @@ in {
       ../2configs/fs/single-partition-ext4.nix
       ../2configs/smart-monitor.nix
       ../2configs/tinc/retiolum.nix
+      ../2configs/filepimp-share.nix
     ];
+
   krebs.build.host = config.krebs.hosts.filepimp;
   # AMD N54L
   boot = {
@@ -76,6 +78,9 @@ in {
     (xfsmount "j2" (part1 jDisk2))   //
     (xfsmount "par0" (part1 jDisk3))
     ;
+
+  networking.firewall.trustedInterfaces = [ primary-interface ];
+
   services.wakeonlan.interfaces = [
     {
       interface = primary-interface;

makefu/1systems/gum.nix

@@ -22,6 +22,7 @@ in {
       ../2configs/tinc/retiolum.nix
       ../2configs/urlwatch.nix
       ../2configs/torrent.nix
+      ../2configs/graphite-standalone.nix
       ../2configs/sabnzbd.nix
 
       ../2configs/opentracker.nix

makefu/1systems/omo.nix

@@ -44,6 +44,7 @@ in {
       ../2configs/fs/sda-crypto-root.nix
       ../2configs/zsh-user.nix
       ../2configs/urlwatch.nix
+      ../2configs/backup.nix
       ../2configs/exim-retiolum.nix
       ../2configs/smart-monitor.nix
       ../2configs/mail-client.nix

makefu/1systems/wbob.nix

@@ -55,6 +55,10 @@ in {
   # rt2870 with nonfree creates wlp2s0 from wlp0s20u2
   # not explicitly setting the interface results in wpa_supplicant to crash
   networking.wireless.interfaces = [ "wlp2s0" ];
+  networking.interfaces.virbr1.ip4 = [{
+    address = "10.8.8.11";
+    prefixLength = 24;
+  }];
 
 
   # nuc hardware

makefu/1systems/wry.nix

@@ -16,13 +16,15 @@ in {
       ../2configs/bepasty-dual.nix
 
       ../2configs/iodined.nix
-
+      ../2configs/backup.nix
 
       # other nginx
       ../2configs/nginx/euer.wiki.nix
       ../2configs/nginx/euer.blog.nix
       ../2configs/nginx/euer.test.nix
 
+      #../2configs/elchos/stats.nix
+
       # collectd
       # ../2configs/collectd/collectd-base.nix
 

makefu/1systems/x.nix

@@ -63,11 +63,10 @@
 
   # configure pulseAudio to provide a HDMI sink as well
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 ];
+  networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ];
   networking.firewall.allowedUDPPorts = [ 665 26061 ];
 
   krebs.build.host = config.krebs.hosts.x;
-  krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
 
   krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
 

makefu/2configs/backup.nix

@@ -1,6 +1,10 @@
 { config, lib, ... }:
 with config.krebs.lib;
 let
+  # preparation:
+  # mkdir -p defaultBackupDir/host.name/src
+  # as root on omo:
+  #   ssh-copy-id root@src
   startAt = "0,6,12,18:00";
   defaultBackupServer = config.krebs.hosts.omo;
   defaultBackupDir = "/home/backup";
@@ -12,7 +16,7 @@ let
     };
     dst = {
       host = defaultBackupServer;
-      path = defaultBackupDir + src;
+      path = "${defaultBackupDir}/${host.name}${src}";
     };
     startAt = "0,6,12,18:00";
     snapshots = {
@@ -25,6 +29,6 @@ let
   };
 in {
   krebs.backup.plans = {
-    wry-to-omo_var-www = defaultPull wry "/var/www";
+    wry-to-omo_var-www = defaultPull config.krebs.hosts.wry "/";
   };
 }

makefu/2configs/base-gui.nix

@@ -82,7 +82,6 @@ in
 
       URxvt.perl-ext:      default,url-select
       URxvt.keysym.M-u:    perl:url-select:select_next
-      #URxvt.url-select.launcher:   firefox -new-tab
       URxvt.url-select.launcher:   chromium
       URxvt.url-select.underline: true
       URxvt.searchable-scrollback: CM-s

makefu/2configs/default.nix

@@ -21,10 +21,13 @@ with config.krebs.lib;
     search-domain = "retiolum";
     build = {
       user = config.krebs.users.makefu;
-      source = let inherit (config.krebs.build) host user; in {
+      source = let
+          inherit (config.krebs.build) host user;
+          ref = "b8ede35"; # stable @ 2016-10-19
+      in {
         nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
-          { # stable @ 2016-07-20
-            git = { url = https://github.com/nixos/nixpkgs; ref = "125ffff"; };
+          {
+            git = { url = https://github.com/nixos/nixpkgs; inherit ref; };
           }
             else
             # TODO use http, once it is implemented
@@ -32,7 +35,7 @@ with config.krebs.lib;
 
             ## prepare so we do not have to wait for rsync:
             ## cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/125ffff  -L | tar zx  && mv NixOS-nixpkgs-125ffff nixpkgs
-            { file = "/home/makefu/store/125ffff";};
+            { file = "/home/makefu/store/${ref}";};
         secrets.file =
           if getEnv "dummy_secrets" == "true"
             then toString <stockholm/makefu/6tests/data/secrets>

makefu/2configs/elchos/stats.nix

@@ -0,0 +1,96 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with config.krebs.lib;
+let
+  sec = toString <secrets>;
+  acmepath = "/var/lib/acme/";
+  acmechall = acmepath + "/challenges/";
+  ext-dom = "stats.nsupdate.info";
+  #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
+  #ssl_key  = "${sec}/wildcard.krebsco.de.key";
+  ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
+  ssl_key = "${acmepath}/${ext-dom}/key.pem";
+in {
+  networking.firewall = {
+    allowedTCPPorts = [ 2003 80 443 ];
+    allowedUDPPorts = [ 2003 ];
+  };
+
+  services.grafana = {
+    enable = true;
+    addr = "127.0.0.1";
+    extraOptions = { "AUTH_ANONYMOUS_ENABLED" = "true"; };
+    users.allowSignUp = false;
+    users.allowOrgCreate = false;
+    users.autoAssignOrg = false;
+    security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+  };
+  krebs.nginx = {
+    enable = true;
+    servers.elch-stats = {
+      server-names = [ ext-dom ];
+      listen = [ "80" "443 ssl" ];
+      ssl = {
+          enable = true;
+          # these certs will be needed if acme has not yet created certificates:
+          certificate =   ssl_cert;
+          certificate_key = ssl_key;
+          force_encryption = true;
+      };
+
+      locations = [
+          (nameValuePair "/" ''
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP          $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass http://localhost:3000/;
+          '')
+          (nameValuePair  "/.well-known/acme-challenge" ''
+            root ${acmechall}/${ext-dom}/;
+          '')
+      ];
+    };
+  };
+
+  security.acme.certs."${ext-dom}" = {
+    email = "acme@syntax-fehler.de";
+    webroot = "${acmechall}/${ext-dom}/";
+    group = "nginx";
+    allowKeysForGroup = true;
+    postRun = "systemctl reload nginx.service";
+    extraDomains."${ext-dom}" = null ;
+  };
+
+  services.graphite = {
+    web = {
+      enable = true;
+      host = "127.0.0.1";
+      port = 8080;
+    };
+    carbon = {
+      enableCache = true;
+      # save disk usage by restricting to 1 bulk update per second
+      config = ''
+        [cache]
+        MAX_CACHE_SIZE = inf
+        MAX_UPDATES_PER_SECOND = 1
+        MAX_CREATES_PER_MINUTE = 500
+        '';
+      storageSchemas = ''
+        [carbon]
+        pattern = ^carbon\.
+        retentions = 60:90d
+
+        [elchos]
+        patterhn = ^elchos\.
+        retention = 10s:30d,60s:1y
+
+        [default]
+        pattern = .*
+        retentions = 30s:30d,300s:1y
+        '';
+    };
+  };
+}

makefu/2configs/filepimp-share.nix

@@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+let
+  hostname = config.krebs.build.host.name;
+in {
+  users.users.smbguest = {
+    name = "smbguest";
+    uid = config.ids.uids.smbguest;
+    description = "smb guest user";
+    home = "/var/empty";
+  };
+  services.samba = {
+    enable = true;
+    shares = {
+      media = {
+        path = "/media/";
+        "read only" = "no";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
+    };
+    extraConfig = ''
+      guest account = smbguest
+      map to guest = bad user
+      # disable printing
+      load printers = no
+      printing = bsd
+      printcap name = /dev/null
+      disable spoolss = yes
+    '';
+  };
+}

makefu/2configs/hw/tp-x220.nix

@@ -5,7 +5,7 @@ with config.krebs.lib;
 
   imports = [ ./tp-x2x0.nix ];
   boot = {
-    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
+    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ];
     extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
   };
   hardware.opengl.extraPackages =  [ pkgs.vaapiIntel pkgs.vaapiVdpau ];

makefu/2configs/hw/tp-x2x0.nix

@@ -38,4 +38,8 @@ with config.krebs.lib;
     CPU_MIN_PERF_ON_BAT=0
     CPU_MAX_PERF_ON_BAT=30
   '';
+
+  powerManagement.resumeCommands = ''
+    {pkgs.rfkill}/bin/rfkill unblock all
+  '';
 }

makefu/2configs/iodined.nix

@@ -5,8 +5,9 @@ let
   domain = "io.krebsco.de";
   pw = import <secrets/iodinepw.nix>;
 in {
+  networking.firewall.allowedUDPPorts = [ 53 ];
 
-  services.iodined = {
+  services.iodine = {
     server = {
       enable = true;
       domain = domain;

makefu/2configs/nginx/icecult.nix

@@ -0,0 +1,28 @@
+{ config, pkgs, lib, ... }:
+
+with config.krebs.lib;
+
+let
+  icecult = pkgs.fetchFromGitHub {
+    owner = "kraiz";
+    repo = "icecult";
+    rev = "1942d43381a97f30111a48725f7532c343a6f4d7";
+    sha256 = "0l8q7kw3w1kpvmy8hza9vr5liiycivbljkmwpacaifbay5y98z58";
+  };
+in{
+  krebs.nginx = {
+    enable = true;
+    servers.default = {
+        extraConfig = ''
+          root ${icecult}/app;
+        '';
+        locations = [
+          (nameValuePair "/rpc" ''
+        rewrite /rpc/(.*) /$1 break;
+        proxy_http_version 1.1;
+        proxy_pass http://10.42.22.163:3121;
+          '')
+      ];
+    };
+  };
+}

makefu/2configs/rad1o.nix

@@ -3,7 +3,7 @@
 {
 
   environment.systemPackages = with pkgs; [
-    gnuradio-full
+    gnuradio-with-packages
     gnuradio-osmosdr
     gqrx
     ];

makefu/2configs/solr.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+# graphite-web on port 8080
+# carbon cache on port 2003 (tcp/udp)
+with config.krebs.lib;
+let
+  solrHome = "/var/db/solr";
+in {
+  imports = [ ];
+  users.users.solr = {
+    home = solrHome;
+    uid = genid "solr";
+    createHome = true;
+    group = "solr";
+  };
+  users.groups.solr.gid = genid "solr";
+
+  services.solr = {
+    enable = true;
+    inherit solrHome;
+    user = "solr";
+    group = "solr";
+  };
+}

makefu/2configs/urlwatch.nix

@@ -14,6 +14,8 @@
       https://pypi.python.org/simple/xstatic/
       http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
       http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
+      https://github.com/amadvance/snapraid/releases.atom
+      https://erdgeist.org/gitweb/opentracker/commit/
     ];
   };
 }

makefu/5pkgs/default.nix

@@ -2,16 +2,9 @@
 
 let
   inherit (pkgs) callPackage;
-  nixpkgs-1509 = import (pkgs.fetchFromGitHub {
-    owner = "NixOS"; repo = "nixpkgs-channels";
-    rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
-    sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
-  }) {};
-
 in
 {
   nixpkgs.config.packageOverrides = rec {
-    cups = nixpkgs-1509.cups;
     alsa-hdspconf = callPackage ./alsa-tools { alsaToolTarget="hdspconf";};
     alsa-hdspmixer = callPackage ./alsa-tools { alsaToolTarget="hdspmixer";};
     alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";};

makefu/5pkgs/devpi/default.nix

@@ -1,33 +1,43 @@
 { pkgs ? import <nixpkgs> {} }:
 with pkgs.stdenv.lib;
 let
-  execnet14 = pkgs.python3Packages.buildPythonPackage rec {
-    name = "execnet-1.4.1";
+
+  readme-renderer = pkgs.python3Packages.buildPythonPackage rec {
+    name = "readme_renderer";
+    version = "0.7.0";
 
     src = pkgs.fetchurl {
-      url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz";
-      sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn";
+      url = "mirror://pypi/r/readme_renderer/readme_renderer-${version}.tar.gz";
+      sha256 = "1kh9ggff8m9sdgr631vf2n4k97h4z1871vay6qgk3ydy3rd856ak";
     };
-    doCheck = false; # http://prism:8010/builders/build-all/builds/177/steps/build-vbob/logs/stdio
-    propagatedBuildInputs = with pkgs.python3Packages;
-      [ setuptools_scm apipkg ];
-    meta = {
-      description = "rapid multi-Python deployment";
-      license = licenses.gpl2;
-    };
-  };
+    buildInputs = with pkgs.python3Packages; [ pytest ];
+    propagatedBuildInputs = with pkgs.python3Packages; [ docutils bleach pygments ];
 
+  };
+  devpi-client = pkgs.python3Packages.buildPythonPackage rec {
+    name = "devpi-client";
+    version = "2.7.0";
+
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/d/devpi-client/devpi-client-${version}.tar.gz";
+      sha256 = "0z7vaf0a66n82mz0vx122pbynjvkhp2mjf9lskgyv09y3bxzzpj3";
+    };
+    patches = [ ./py3-fix-encoding.patch ];
+    buildInputs = with pkgs.python3Packages; [ tox check-manifest pkginfo ];
+    propagatedBuildInputs = with pkgs.python3Packages; [ devpi-common py ];
+  };
   devpi-web = pkgs.python3Packages.buildPythonPackage rec {
     name = "devpi-web";
-    version = "3.0.0";
+    version = "3.1.1";
+
 
     src = pkgs.fetchurl {
-      url = "https://pypi.python.org/packages/source/d/devpi-web/devpi-web-${version}.tar.gz";
-      sha256 = "156abxyhj17a8cg38hpyr31qkjb61mb2kggsxij4p4xvy9jwkbwi";
+      url = "mirror://pypi/d/devpi-web/devpi-web-${version}.tar.gz";
+      sha256 = "0bvqv52jmasfm4sdyccwsgvk9a663d3grj7zjw8r9x7xm7l3svqv";
     };
 
     propagatedBuildInputs = with pkgs.python3Packages;
-      [ devpi-server pyramid_chameleon beautifulsoup4 Whoosh defusedxml ];
+      [ devpi-server pyramid_chameleon beautifulsoup4 defusedxml readme-renderer ];
 
     meta = {
       homepage = https://bitbucket.org/hpk42/devpi;
@@ -36,9 +46,29 @@ let
       maintainers = with maintainers; [ makefu ];
     };
   };
+
+  devpi-common-3 = pkgs.python3Packages.buildPythonPackage rec {
+    name = "devpi-common";
+    version = "3.0.1";
+
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/d/devpi-common/devpi-common-${version}.tar.gz";
+      sha256 = "0l3a7iyk596x6pvzg7604lzzi012qszr804fqn6f517zcy1xz23j";
+    };
+
+    propagatedBuildInputs = with pkgs.python3Packages; [ requests2 py ];
+
+    meta = {
+      homepage = https://bitbucket.org/hpk42/devpi;
+      description = "Utilities jointly used by devpi-server and devpi-client";
+      license = licenses.mit;
+      maintainers = with maintainers; [ lewo makefu ];
+    };
+  };
+
   devpi-server = pkgs.python3Packages.buildPythonPackage rec {
     name = "devpi-server";
-    version = "3.0.2";
+    version = "4.1.1";
 
     # original postFixup adds "import sys; sys.argv[0] = 'devpi-server'" to
     # `.devpi-server-wrapped` which
@@ -46,12 +76,12 @@ let
     postFixup = "";
 
     src = pkgs.fetchurl {
-      url = "https://pypi.python.org/packages/source/d/devpi-server/devpi-server-${version}.tar.gz";
-      sha256 = "14r1024i3x2pb72khyzvi56sh9smpdswmrbc88xvjxnalmzfn99d";
+      url = "mirror://pypi/d/devpi-server/devpi-server-${version}.tar.gz";
+      sha256 = "1icbn1nw6w0sc5150fr69rlhs0j5ldnnxfzl2qabq2wi0dbar8hf";
     };
 
     propagatedBuildInputs = with pkgs.python3Packages;
-      [ devpi-common execnet14 itsdangerous pluggy waitress pyramid ];
+      [ devpi-common-3 execnet itsdangerous pluggy waitress pyramid ];
     buildInputs = with pkgs.python3Packages; [ pytest beautifulsoup4 webtest ];
 
     meta = {
@@ -63,7 +93,7 @@ let
   };
 
 in {
-  inherit devpi-server;
+  inherit devpi-server devpi-client;
   devpi-web =  pkgs.python3.buildEnv.override {
       extraLibs = [ devpi-web devpi-server ];
     };

makefu/5pkgs/devpi/py3-fix-encoding.patch

@@ -0,0 +1,11 @@
++++ a/setup.py
+--- b/setup.py
+@@ -26,7 +26,7 @@
+ 
+ 
+ def get_changelog():
+-    text = open(os.path.join(here, 'CHANGELOG')).read()
++    text = open(os.path.join(here, 'CHANGELOG'),encoding='utf-8').read()
+     header_matches = list(re.finditer('^-+$', text, re.MULTILINE))
+     # until fifth header
+     text = text[:header_matches[5].start()]

makefu/5pkgs/mergerfs/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "mergerfs-${version}";
-  version = "2.14.0";
+  version = "2.16.1";
 
   # not using fetchFromGitHub because of changelog being built with git log
   src = fetchgit {
     url = "https://github.com/trapexit/mergerfs";
     rev = "refs/tags/${version}";
-    sha256 = "0j5r96xddlj5gp3n1xhfwjmr6yf861xg3hgby4p078c8zfriq5rm";
+    sha256 = "12fqgk54fnnibqiq82p4g2k6qnw3iy6dd64csmlf73yi67za5iwf";
     deepClone = true;
   };
 

shared/2configs/default.nix

@@ -11,7 +11,7 @@ with config.krebs.lib;
     nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix";
     nixpkgs.git = {
       url = https://github.com/NixOS/nixpkgs;
-      ref = "9cb194cfa449c43f63185a25c8d10307aea3b358"; # nixos-16.03 @ 2016-08-05
+      ref = "b8ede35d2efa96490857c22c751e75d600bea44f"; # nixos-16.09 @ 2016-10-19
     };
     secrets.file =
       if getEnv "dummy_secrets" == "true"
@@ -28,7 +28,7 @@ with config.krebs.lib;
     "http://cache.nixos.org"
     "http://hydra.nixos.org"
   ];
-  nix.useChroot = true;
+  nix.useSandbox = true;
 
   nixpkgs.config.packageOverrides = pkgs: {
     nano = pkgs.vim;

shared/2configs/graphite.nix

@@ -12,7 +12,7 @@ with config.krebs.lib;
   services.graphite = {
     web = {
       enable = true;
-      host = "0.0.0.0";
+      listenAddress = "0.0.0.0";
     };
     carbon = {
       enableCache = true;