Merge branch 'master' of prism:stockholm

jeschli/1systems/bln/config.nix

@@ -0,0 +1,189 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      <stockholm/jeschli>
+      ./hardware-configuration.nix
+      # ./dcso-vpn.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+  boot.loader.grub.extraEntries = ''
+    menuentry "Debian GNU/Linux, kernel 4.9.0-4-amd64" {
+      search --set=drive1 --fs-uuid f169fd32-bf96-4da0-bc34-294249ffa606
+      linux ($drive1)/vmlinuz-4.9.0-4-amd64 root=/dev/mapper/pool-debian ro
+      initrd ($drive1)/initrd.img-4.9.0-4-amd64
+    }
+  '';
+  boot.initrd.luks.devices = [
+    {
+      name = "root";
+      device = "/dev/disk/by-uuid/cba5d550-c3c8-423e-a913-14b5210bdd32";
+      preLVM = true;
+      allowDiscards = true;
+    }
+  ];
+
+  networking.hostName = "BLN02NB0154"; # Define your hostname.
+  networking.networkmanager.enable = true;
+   #networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Select internationalisation properties.
+  # i18n = {
+  #   consoleFont = "Lat2-Terminus16";
+  #   consoleKeyMap = "us";
+  #   defaultLocale = "en_US.UTF-8";
+  # };
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+
+  # List packages installed in system profile. To search by name, run:
+  # $ nix-env -qaP | grep wget
+  nixpkgs.config.allowUnfree = true;
+  environment.shellAliases = { n = "nix-shell"; };
+  environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
+  environment.systemPackages = with pkgs; [
+  # system helper
+    ag
+    copyq
+    dmenu
+    git
+    i3lock
+    keepass
+    networkmanagerapplet
+    rsync
+    terminator
+    tmux
+    wget
+    rxvt_unicode
+  # editors
+    emacs
+  # internet 
+    thunderbird
+    hipchat
+    chromium
+    google-chrome
+  # programming languages
+    go
+    gcc
+    ghc
+    python35
+    python35Packages.pip
+  # go tools
+    golint
+    gotools
+  # dev tools
+    gnumake
+    jetbrains.pycharm-professional
+    jetbrains.webstorm
+    jetbrains.goland
+    texlive.combined.scheme-full
+    pandoc
+    redis
+  # document viewer
+    zathura
+  ];
+
+
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  programs.bash.enableCompletion = true;
+  programs.vim.defaultEditor = true;
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Enable CUPS to print documents.
+  services.printing.enable = true;
+  services.printing.drivers = [ pkgs.postscript-lexmark ];
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+  # services.xserver.xrandrHeads = [
+  #  { output = "eDP1"; }
+  #  { output = "DP-2-2-8"; primary = true; }
+  #  { output = "DP-2-1-8"; monitorConfig = ''Option "Rotate" "left"''; }
+  # ];
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable touchpad support.
+  # services.xserver.libinput.enable = true;
+
+  # Enable the KDE Desktop Environment.
+#  services.xserver.displayManager.lightdm.enable = true;
+  services.xserver.windowManager.xmonad.enable = true;
+  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+#   services.xserver.desktopManager.gnome3.enable = true;
+  # services.xserver.displayManager.gdm.enable = true;
+  services.xserver.displayManager.sddm.enable = true;
+  #services.xserver.desktopManager.plasma5.enable = true;
+#  services.xserver.displayManager.sessionCommands = ''
+#    (sleep 1 && ${pkgs.xorg.xrandr}/bin/xrandr --output VIRTUAL1 --off --output eDP1 --mode 1920x1080 --pos 5120x688 --rotate normal --output DP1 --off --output DP2-1 --mode 2560x1440 --pos 2560x328 --rotate normal --output DP2-2 --primary --mode 2560x1440 --pos 0x328 --rotate normal --output DP2-3 --off --output HDMI2 --off --output HDMI1 --off --output DP2 --off
+#'';
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.extraUsers.markus = {
+    isNormalUser = true;
+    extraGroups = ["docker"];
+    uid = 1000;
+  };
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "17.09"; # Did you read the comment?
+
+  # Gogland Debugger workaround
+#  nixpkgs.config.packageOverrides = super: {
+#    idea.gogland = lib.overrideDerivation super.idea.gogland (attrs: {
+#      postFixup = ''
+#	interp="$(cat $NIX_CC/nix-support/dynamic-linker)"
+#	patchelf --set-interpreter $interp $out/gogland*/plugins/intellij-go-plugin/lib/dlv/linux/dlv
+#        chmod +x $out/gogland*/plugins/intellij-go-plugin/lib/dlv/linux/dlv
+#     '';
+#    });
+#  };
+
+#  virtualisation.docker.enable = true;
+  
+
+  # DCSO Certificates
+  security.pki.certificateFiles = [
+   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
+   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
+   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
+   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
+   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
+   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
+   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
+  ]; 
+
+  hardware.bluetooth.enable = true;
+  krebs.build.host = config.krebs.hosts.bln;
+}

jeschli/1systems/bln/hardware-configuration.nix

@@ -0,0 +1,34 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/02144ea4-947d-440e-bbf9-99cab0dccf05";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/f169fd32-bf96-4da0-bc34-294249ffa606";
+      fsType = "ext2";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/68ef2163-7b3d-4dbb-add9-d3543ad7c738";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = "powersave";
+}

jeschli/1systems/bln/source.nix

@@ -0,0 +1,4 @@
+import <stockholm/jeschli/source.nix> {
+  name = "bln";
+  secure = true;
+}

jeschli/1systems/brauerei/config.nix

@@ -0,0 +1,132 @@
+# Edit this configuration file to define what should be installed on # your system.  Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’).
+{ config, pkgs, ... }:
+{
+  imports = [
+    <stockholm/jeschli>
+    ./hardware-configuration.nix
+    <stockholm/jeschli/2configs/urxvt.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.brauerei;
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.efiSupport = true;
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda";
+  # or "nodev" for efi only
+  boot.initrd.luks.devices = [ {
+    name = "root";
+    device = "/dev/sda2";
+    preLVM = true;
+    allowDiscards = true;
+  } ];
+  # networking.hostName = "nixos";
+  # Define your hostname.
+  networking.wireless.enable = true;
+  # Enables wireless support via wpa_supplicant.
+  # Select internationalisation properties.
+  # i18n = {
+  #   consoleFont = "Lat2-Terminus16";
+  #   consoleKeyMap = "us";
+  #   defaultLocale = "en_US.UTF-8";
+  # };
+  # Set your time zone.  #
+  time.timeZone = "Europe/Amsterdam";
+  nixpkgs.config.allowUnfree = true;
+  # List packages installed in system profile. To search by name, run: # $ nix-env -qaP | grep wget
+  environment.systemPackages = with pkgs; [
+  # system helper
+    ag
+    curl
+    copyq
+    dmenu
+    git
+    i3lock
+    keepass
+    networkmanagerapplet
+    rsync
+    terminator
+    tmux
+    wget
+  #  rxvt_unicode
+  # editors
+    emacs
+  # internet
+    thunderbird
+    chromium
+    google-chrome
+  # programming languages
+    go
+    gcc
+    ghc
+    python35
+    python35Packages.pip
+  # go tools
+    golint
+    gotools
+  # dev tools
+    gnumake
+    jetbrains.pycharm-professional
+    jetbrains.webstorm
+    jetbrains.goland
+  # document viewer
+    zathura
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.bash.enableCompletion = true;
+  # programs.mtr.enable = true;
+  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable touchpad support.
+  # services.xserver.libinput.enable = true;
+
+  # Enable the KDE Desktop Environment.
+  # services.xserver.displayManager.sddm.enable = true;
+  # services.xserver.desktopManager.plasma5.enable = true;
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.windowManager.xmonad.enable = true;
+  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+#
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.extraUsers.jeschli = {
+    isNormalUser = true;
+    uid = 1000;
+  };
+  users.extraUsers.jamie = {
+    isNormalUser = true;
+    uid = 1001;
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos"
+  ];
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "17.09"; # Did you read the comment?
+
+}

jeschli/1systems/brauerei/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sdhci_pci" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/e264fc21-45bb-4224-93fc-b0e19c2c3478";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/bd0846ce-7d39-4329-bcb4-7c76becd6ab1";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/42BF-0795";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+}

jeschli/1systems/brauerei/source.nix

@@ -0,0 +1,4 @@
+import <stockholm/jeschli/source.nix> {
+  name = "brauerei";
+  secure = true;
+}

jeschli/1systems/reagenzglas/config.nix

@@ -0,0 +1,146 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      <stockholm/jeschli>
+      ./hardware-configuration.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+ # boot.loader.grub.enable = true;
+ # boot.loader.grub.version = 2;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  # Define on which hard drive you want to install Grub.
+#  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5002538844584d30"; # or "nodev" for efi only
+
+  boot.initrd.luks.devices = [
+    {
+    name = "root";
+    device = "/dev/disk/by-id/wwn-0x5002538844584d30-part2";
+    preLVM = true;
+    allowDiscards = true;
+    }
+  ];
+  networking.hostName = "reaganzglas"; # Define your hostname.
+#  networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  networking.networkmanager.enable = true;
+  # Select internationalisation properties.
+  # i18n = {
+  #   consoleFont = "Lat2-Terminus16";
+  #   consoleKeyMap = "us";
+  #   defaultLocale = "en_US.UTF-8";
+  # };
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # List packages installed in system profile. To search by name, run:
+  # $ nix-env -qaP | grep wget
+  nixpkgs.config.allowUnfree = true;
+  environment.shellAliases = { n = "nix-shell"; };
+  environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
+  environment.systemPackages = with pkgs; [
+  # system helper
+    ag
+    curl
+    copyq
+    dmenu
+    git
+    i3lock
+    keepass
+    networkmanagerapplet
+    rsync
+    terminator
+    tmux
+    wget
+    rxvt_unicode
+  # editors
+    emacs
+  # internet
+    thunderbird
+    chromium
+    google-chrome
+  # programming languages
+    go
+    gcc
+    ghc
+    python35
+    python35Packages.pip
+  # go tools
+    golint
+    gotools
+  # dev tools
+    gnumake
+  # document viewer
+    zathura
+   ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01 markus@reaganzglas"
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable the X11 windowing system.
+   services.xserver.enable = true;
+   services.xserver.layout = "us";
+   services.xserver.xkbOptions = "eurosign:e";
+
+  # Enable touchpad support.
+   services.xserver.libinput.enable = true;
+
+  # Enable the KDE Desktop Environment.
+  services.xserver.displayManager.sddm.enable = true;
+  services.xserver.windowManager.xmonad.enable = true;
+  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+
+  # services.xserver.desktopManager.plasma5.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.extraUsers.jeschli = {
+     isNormalUser = true;
+     uid = 1000;
+  };
+
+  # This value determines the NixOS release with which your system is to be
+  # compatible, in order to avoid breaking some software such as database
+  # servers. You should change this only after NixOS release notes say you
+  # should.
+  system.stateVersion = "18.03"; # Did you read the comment?
+
+  programs.bash = {
+    enableCompletion = true;
+    interactiveShellInit = ''
+      export GOPATH=$HOME/go
+      export PATH=$PATH:$GOPATH/bin
+    '';
+  };
+
+  krebs.build.host = config.krebs.hosts.reagenzglas;
+
+  hardware.bluetooth.enable = true;
+}

jeschli/1systems/reagenzglas/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/09130cf7-b71b-42ab-9fa3-cb3c745f1fc9";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/8bee50b3-5733-4373-a966-388def141774";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/DA40-AC19";
+      fsType = "vfat";
+    };
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 8;
+#  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}

jeschli/1systems/reagenzglas/source.nix

@@ -0,0 +1,4 @@
+import <stockholm/jeschli/source.nix> {
+  name = "reagenzglas";
+  secure = true;
+}

jeschli/2configs/default.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  imports = [
+    ./vim.nix
+    ./retiolum.nix
+    {
+      environment.variables = {
+        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
+      };
+    }
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.systemPackages = with pkgs; [
+  #stockholm
+    git
+    gnumake
+    jq
+    parallel
+    proot
+    populate
+
+  #style
+    most
+    rxvt_unicode.terminfo
+
+  #monitoring tools
+    htop
+    iotop
+
+  #network
+    iptables
+    iftop
+
+  #stuff for dl
+    aria2
+
+  #neat utils
+    file
+    kpaste
+    krebspaste
+    mosh
+    pciutils
+    psmisc
+   # q
+   # rs
+    tmux
+    untilport
+    usbutils
+  #  logify
+    goify
+
+  #unpack stuff
+    p7zip
+    unzip
+    unrar
+
+    (pkgs.writeDashBin "sshn" ''
+      ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
+    '')
+  ];
+
+  krebs.enable = true;
+}

jeschli/2configs/retiolum.nix

@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+
+  krebs.tinc.retiolum = {
+    enable = true;
+    connectTo = [
+      "prism"
+      "gum"
+      "ni"
+      "dishfire"
+    ];
+  };
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    tinc = pkgs.tinc_pre;
+  };
+
+  environment.systemPackages = [
+    pkgs.tinc
+  ];
+}

jeschli/2configs/urxvt.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  services.urxvtd.enable = true;
+  krebs.xresources.enable = true;
+  krebs.xresources.resources.urxvt = ''
+  *foreground: rgb:a8/a8/a8
+  *background: rgb:00/00/00
+  *faceName: DejaVu Sans Mono
+  *faceSize: 12
+  *color0: rgb:00/00/00
+  *color1: rgb:a8/00/00
+  *color2: rgb:00/a8/00
+  *color3: rgb:a8/54/00
+  *color4: rgb:00/00/a8
+  *color5: rgb:a8/00/a8
+  *color6: rgb:00/a8/a8
+  *color7: rgb:a8/a8/a8
+  *color8: rgb:54/54/54
+  *color9: rgb:fc/54/54
+  *color10: rgb:54/fc/54
+  *color11: rgb:fc/fc/54
+  *color12: rgb:54/54/fc
+  *color13: rgb:fc/54/fc
+  *color14: rgb:54/fc/fc
+  *color15: rgb:fc/fc/fc
+  
+  URxvt*scrollBar:                      false
+  URxvt*urgentOnBell:                   true
+  URxvt*font: xft:DejaVu Sans Mono:pixelsize=20
+  URXvt*faceSize: 12
+  '';
+}

jeschli/2configs/vim.nix

@@ -0,0 +1,92 @@
+{ config, pkgs, ... }:
+
+let
+  customPlugins.vim-javascript = pkgs.vimUtils.buildVimPlugin {
+    name = "vim-javascript";
+    src = pkgs.fetchFromGitHub {
+      owner = "pangloss";
+      repo = "vim-javascript";
+      rev = "1.2.5.1";
+      sha256 = "08l7ricd3j5h2bj9i566byh39v9n5wj5mj75f2c8a5dsc732b2k7";
+    };
+  };
+   customPlugins.vim-jsx = pkgs.vimUtils.buildVimPlugin {
+     name = "vim-jsx";
+     src = pkgs.fetchFromGitHub {
+       owner = "mxw";
+       repo = "vim-jsx";
+       rev = "5b968dfa512c57c38ad7fe420f3e8ab75a73949a";
+       sha256 = "1z3yhhbmbzfw68qjzyvpbmlyv2a1p814sy5q2knn04kcl30vx94a"; 
+     };
+   };
+in {
+# {
+  environment.systemPackages = [
+    (pkgs.vim_configurable.customize {
+      name = "vim";
+
+    vimrcConfig.customRC = ''
+  set nocompatible 
+
+	:imap jk <Esc>
+	:vmap v v
+	:map gr :GoRun<Enter>
+	:nnoremap <S-TAB> :bnext<CR>
+	:nnoremap <C-TAB> <c-w><c-w>
+  :map nf :NERDTreeToggle<CR>
+	set autowrite
+	set number
+	set ruler
+  set path+=** 
+  set wildmenu
+
+	noremap x "_x
+	set clipboard=unnamedplus
+
+  let g:jsx_ext_required = 0
+
+	let g:go_list_type = "quickfix"
+	let g:go_test_timeout = '10s'
+	let g:go_fmt_command = "goimports"
+	let g:go_snippet_case_type = "camelcase"
+	let g:go_highlight_types = 1
+	let g:go_highlight_fields = 1
+	let g:go_highlight_functions = 1
+	let g:go_highlight_methods = 1
+  let g:go_highlight_extra_types = 1
+  autocmd BufNewFile,BufRead *.go setlocal noexpandtab tabstop=4 shiftwidth=4 
+  let g:rehash256 = 1
+  let g:molokai_original = 1
+  colorscheme molokai
+	let g:go_metalinter_enabled = ['vet', 'golint', 'errcheck']
+	let g:go_metalinter_autosave = 1
+	" let g:go_metalinter_autosave_enabled = ['vet', 'golint']
+	" let g:go_def_mode = 'godef'
+	" let g:go_decls_includes = "func,type"
+
+
+	" Trigger configuration. Do not use <tab> if you use https://github.com/Valloric/YouCompleteMe.
+	let g:UltiSnipsExpandTrigger="<c-e>"
+	let g:UltiSnipsJumpForwardTrigger="<c-t>"
+	let g:UltiSnipsJumpBackwardTrigger="<c-q>"
+
+	" If you want :UltiSnipsEdit to split your window.
+	let g:UltiSnipsEditSplit="vertical"
+
+	if has('persistent_undo')      "check if your vim version supports it
+	set undofile                 "turn on the feature  
+	set undodir=$HOME/.vim/undo  "directory where the undo files will be stored
+	endif     
+        '';
+
+       vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
+       vimrcConfig.vam.pluginDictionaries = [
+         { names = [ "undotree" "molokai" "Syntastic" "ctrlp" "surround" "snipmate" "nerdtree" "easymotion"]; } 
+         { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
+         { names = [ "vim-go" ]; ft_regex = "^go\$"; } # wanted: nsf/gocode
+         { names = [ "vim-javascript" ]; ft_regex = "^js\$"; }
+         { names = [ "vim-jsx" ]; ft_regex = "^js\$"; }
+       ];
+    })
+  ];
+}

jeschli/default.nix

@@ -0,0 +1,9 @@
+_:
+{
+  imports = [
+    ../krebs
+    ./2configs
+#    ./3modules
+#    ./5pkgs
+  ];
+}

jeschli/source.nix

@@ -0,0 +1,22 @@
+with import <stockholm/lib>;
+host@{ name, secure ? false, override ? {} }: let
+  builder = if getEnv "dummy_secrets" == "true"
+              then "buildbot"
+              else "jeschli";
+  _file = <stockholm> + "/jeschli/1systems/${name}/source.nix";
+in
+  evalSource (toString _file) [
+    {
+      nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
+      nixpkgs.git = {
+        url = https://github.com/nixos/nixpkgs;
+        ref = "f9390d6";
+      };
+      secrets.file = getAttr builder {
+        buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
+        jeschli = "${getEnv "HOME"}/secrets/${name}";
+      };
+      stockholm.file = toString <stockholm>;
+    }
+    override
+  ]

krebs/2configs/save-diskspace.nix

@@ -1,7 +1,6 @@
 {lib, ... }:
 # TODO: do not check out nixpkgs master but fetch revision from github
 {
-  environment.noXlibs = true;
   nix.gc.automatic = true;
   nix.gc.dates = lib.mkDefault "03:10";
   programs.info.enable = false;

krebs/3modules/backup.nix

@@ -83,6 +83,7 @@ let
           rsync
           utillinux
         ];
+        restartIfChanged = false;
         serviceConfig = rec {
           ExecStart = start plan;
           SyslogIdentifier = ExecStart.name;

krebs/3modules/default.nix

@@ -44,6 +44,7 @@ let
       ./tinc_graphs.nix
       ./urlwatch.nix
       ./repo-sync.nix
+      ./xresources.nix
       ./zones.nix
     ];
     options.krebs = api;
@@ -104,8 +105,9 @@ let
   };
 
   imp = lib.mkMerge [
-    { krebs = import ./lass   { inherit config; }; }
+    { krebs = import ./jeschli { inherit config; }; }
     { krebs = import ./krebs  { inherit config; }; }
+    { krebs = import ./lass   { inherit config; }; }
     { krebs = import ./makefu { inherit config; }; }
     { krebs = import ./mv     { inherit config; }; }
     { krebs = import ./nin    { inherit config; }; }
@@ -225,21 +227,26 @@ let
             };
           })
         //
-        # GitHub's IPv4 address range is 192.30.252.0/22
-        # Refs https://help.github.com/articles/github-s-ip-addresses/
-        # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
-        # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
-        # we split each /24 into its own entry.
-        listToAttrs (map
-          (c: {
-            name = "github${toString c}";
-            value = {
-              hostNames = ["github.com"] ++
-                map (d: "192.30.${toString c}.${toString d}") (range 0 255);
-              publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
-            };
-          })
-          (range 252 255))
+        {
+          github = {
+            hostNames = [
+              "github.com"
+              # List generated with
+              # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
+              "192.30.253.*"
+              "192.30.254.*"
+              "192.30.255.*"
+              "185.199.108.*"
+              "185.199.109.*"
+              "185.199.110.*"
+              "185.199.111.*"
+              "18.195.85.27"
+              "18.194.104.89"
+              "35.159.8.160"
+            ];
+            publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+          };
+        }
         //
         mapAttrs
           (name: host: {

krebs/3modules/jeschli/default.nix

@@ -0,0 +1,134 @@
+{ config, ... }:
+
+with import <stockholm/lib>;
+
+{
+  hosts = mapAttrs (_: recursiveUpdate {
+    owner = config.krebs.users.jeschli;
+    ci = true;
+  }) {
+    bln = {
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.27.28";
+          ip6.addr = "42::28";
+          aliases = [
+            "bln.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIECgKCBAEAwoN2f6iyQ1Wnk4rZVqhovny8VpwWvC9buE+NoedRaxmWmA5QIP02
+            BLwTWFKnbiKOQiYN+a4m/JKs0fFOjYCa2EKhqWWKwdEIN4wJTq8zrjzIaa2rdz+8
+            tamE+8rSYDE+RbJ6Gs3SUDfwcxJT6FXCi3JYoirdhAssLSwTf9d5IsfXvkKMabky
+            FpY9Im51utmIR8UmYL4Ti7dEaOxif+5Hgl1LuitC8e2IIZJhXJprK9tJk9J0LRWt
+            PUM31IG1+A2hNBzs5hferLmmwFvYF1sJ22NtFepxVyOLaLcLEFKWHyU+14qEMSgL
+            acsu0lgVZ4A1TY6vVBmawfVCzUzRfalNIty1x+qDA4MB1RQ4W7ivWCjd/+wirSyc
+            BLxCvriXRdUwPIRoHy0kNMmS83HGm2iv2IrHUrcH8lyJvMys216J2lCF2arRVnBn
+            lArObfR3mXgd/YoANmZ4cinLAjLCjCjXfOe39+pvTFph6WnDt4gOO+tQlnCk19Fa
+            NoiK1THcuZiFVE+4CAXVmstNqYKSMgw+Upw7/t6iUzur98iwKpcicomhJjGVVtbg
+            2iDf4lYVrUyb7iPns2T4EzAuHk7iESktEASU5creSbWYRu/4uyhuNlUoiCpVOEKg
+            H9jkrLlCpQGv/GmgdH9oj35Dsv5TINauCT2jjWV65wcKAlvyafy5UtLyF4HBRHaM
+            2xyxC9gxr8bmeOFyOnHVJQvpkeLxyaRp/VppjCTzr82TQvpZd5a+tISIbDGfqX1o
+            cEyPsowb3KHNtW9DqRBp+80fPGnQHsNjVXbJb37wjpnR/ePg/XyENbZF/OQEsjqt
+            bki8hZQXKJAFyx1bq/2A1q4ocx7JlJKynL4szG1unHbSPKNH2OOVvoezuP7e+lXU
+            gnzrSbe9lPIOp4Vu1HjWOi6tNWZFoZrSHVIK+VGxm+wm/HoS+Enj4Yq+vRvU3luv
+            UllR5KHHK2970RbFEUE0zaVMZjQn5KgJjFXfqfrCztp0wZ5CQo+tRFPq35llaIQ2
+            0WyT2IZlxt1Xr2IpOM0DpO4SJnivZT/wdZN7upzsUPf4a9suztpA3KcKAKqH0OM5
+            fv2/LXspc73vACAOZ9qDJnwp8bFrMOaQdAL1oPpOLB3yYTDA3E20IAQ6OKoSy1Nl
+            B4coqo1gBCcMrWwVFYAuc5J4itXJ0SSj67+WUnuDzPm88LI3g+AO0r1m6k6YdA58
+            SeNxYPMLYNLRg86rsjKjXu+QyvBsd04O/QvIxpTFCtdjbUXNS1H4++/inYZSwWPp
+            U0lN9erLJbwr4WqU/Mn6J+jKijXwmCSiF5if5baszMsOL/0u9yFt6OcaLyehE3sJ
+            eAo00n9phSna0lxtbtRnh/Gd4D7rFcX33wIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
+    brauerei = {
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.27.29";
+          ip6.addr = "42::29";
+          aliases = [
+            "brauerei.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIECgKCBAEAvC4AjkAoH01sKDXE3xVM2YUpPQ9iewIPQCCCSWYZQh2BWOfl+FFs
+            pW3ix5FjAzTxzkIf5NxW0usff8UTkFHB+sGZLZ9DPqvb8AM4GJsvXR06LORHtBlo
+            Vt/g1sndD3i3NXn5IJ2G4mZDImQjI3vuTkPyFQsR5LRAaPQgIORHBtN/X1UEVMRq
+            gThUeMb1kZ/y4AmUx0pepQYmAcYf0cN/7r9n68dWJCZ7DWX3q49bIz4TPG519IQp
+            KzoCtdXImKl6cFDepa2pRmIW4SPaDXztHDmXoJA1NBfdDOMOW67FUjzhcwZS9usM
+            q9x/1Tph63PJy4Vc0jsJnY29WrInx/nVAb22QuTOXQ9SfBNoOATYoFoVmY+yw1FX
+            67y3bRbq8lQk1y3F2vZVYxQ52WiYLmtNtuzUMZHErL7VgFIEfQKoO2Oa/WZXdgSJ
+            Asmn67NSicc5QNI4rBUthju1JDuM/3ja0yCXh7trDCmPxKd94KzxMlq9VA6S2f/Q
+            uke3VnXEDqOWOZdcon5DnRTT1y4xjk1XHuO/9tVDcrL7x1unkdGL9BNMU6opJiLm
+            batAtKQ/7EJrlgIxYpEQyCNAjj0dEn0BgNZNqQSKkeGe6giVMuHtnXeTYMEraDas
+            DWxHmGOvYWrs3tZdELkB/h/y7DdijOabS4AlLOljKHiacw8e0D7p9qeIU2EwRaXD
+            ebPYaAIIWn1FU1aCYpvF4YJYbdNJZg6aKpoWNz86ZjO9t3GBkf612xB7fRO9mbTg
+            Ww2Hl6lir0rnlo7P9M1xhQqmZ0phaUjkqYRCaTOW1kC5ACpJJ/Jrq0oyplHVBY8Y
+            IvzPDA4nu/YOpyhQjlQwcVt62NgW0CZdwp3ZnMMoy7akgEo71bjoHbRxAeWy5oRB
+            5CgGvQAB+qdf97XjZ5RggWQ2rglkCn49X4fXN6r4zuaIji1VVFTEZGRNsi0vt1YC
+            Eedz68auu1ZDO1qwNcX00n94E09B05DQBjE/6SAX6wBCY/BwUtzdQ9JnyfHNSl8i
+            dmHBPLssB9Dku4U0mo+LLer+bf6fiR7r5gp/KRuY/tMGFahprZRfWFtyO2Pg1cYI
+            HCdmDmSlbFq3EJmBl0egbU8Ym1m6t4EvPcoTxwy3ljZWybHlhm4wvhGcA/2bDRZA
+            jcXSL3G7buBOf8WJNYnMXCtPEyIYUdRyNvz3EUfvmbzZDhHd/bc0pJRrrtI7HqoF
+            +g67gCrtXx6i9PD0LSDJ1jExMZcmU1+DPg0dzDEmLHvW+HW538/HXGJ8FsunWBwD
+            /8wsQfoqAwlBSucLHDDrYVvfSp0+TLzg/HDMhNkcN7d5hm3syrI+IN4gEEjYeZIO
+            g7fjR1X7g5FGCDQnRA/dzNsZVnk6UFpCRwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
+    reagenzglas = {
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.27.27";
+          ip6.addr = "42::27";
+          aliases = [
+            "reagenzglas.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIECgKCBAEA4Tbq6aiMhPz55Of/WDEmESGmScRJedQSJoyRuDEDabEktdbP/m7P
+            bwpLp0lGYphx42+lutFcYOGoH/Lglfj39yhDcrpkYfTnzcGOWutXGuZ+iR5vmGj0
+            utJRf/4+a4sB5NboBVZ9Ke/RTjDNSov00C2hFCYTXz89Gd2ap1nDPQpnejOS+9aO
+            2W6P/WIKhRH7TfW6M7mUCrjVxWXZgdfSCQYxAXU/+1uAGmJ9qlGlQUIGUGv9Znv5
+            hurqwAHzSgEkKc2iUumosz6a8W9Oo3TAEC+jMEO2l/+GJ/8VysG1wtLWDX03GU3u
+            mBAtrJppEw4QNPTeFg6XSFIwV8Z0fWZ4lGsPJLbAkLUMxtKVWKbdrdpnmiQpLfBW
+            8BRbT1pjwEdw0hefA6NwCO3/Y5piEaUEz/gYz9xHFMDXUj9stHtaF0HaqonWyb06
+            aX3EEqRBxVsj6/Sgd33b77xqY4WBoOlbhfWj+EAD1Ova26lHELpAg0Z4AncpyOzw
+            pJcX81U8GgQp899YAc3EAldFfiu094CvM2NKd110K90VlTpos+sqFfNE87vpprMu
+            3d1NsYzf+FUM/aXASlqTNL+i8qBDAlODkLdj4+VZ2BjkSH+p2BLZouizSzu4X3I/
+            lfy554Dbb/98zlwmX9JrWzBRs2GxxFdIDZ1jK+Ci5qM7oTfujBwiE4jZA6wlK8u5
+            +IenSBdaJb0J8nS0Bziz/BLkuBCrl/YFelpZlY0pw6WYlraKbf/nsOpumOYh6zdz
+            9jiIPElGvso9FhwigX7xWCiYMK3ryAqm8CL0cTscQW3Yy2JKm1tNIQtAacwnNVli
+            PqdnPJSo942I+Fl6ZPjZ19ivJIqC+2TjGEY2Et8DkiL6YZfy4bM1zhoWMlXBIil0
+            ynnKR/h/CC67cq94JCbtRWKiYXIYtfHPQkS7S1Lk6aSYbIch/wROyh7XJ7EGE7nn
+            GAVMqI/P/qbW3rwEJGXzI4eJAHa2hwpP2Slimf6uUD/6L2bAnduhYoTsnNSjJmNE
+            hCC+MHohzk7+isZl0jwIEcMpsohMAwoa5BEhbuYJWeUesT/4PeddLIGYubTZAXp2
+            ZdYRepSNUEhSZV0H99MhlqeooDJxnWpsiba5Gb0s6p4gTReGy0jMtWnxI2P5RUFX
+            vEGt77v4MGrWYTzAL/ZRmESsOj7TXqpSK5YcMC2nr8PcV66LuMjOkRrGoVOV3fBe
+            G/9pNVb68SRwfPoGa5nGe6C7GPcgko9rgGLLcU1r/4L2bqFhdIQdSfaUX2Hscm44
+            5GdN2UvuwwVxOyU1uPqJcBNnr2yt3x3kw5+zDQ00z/pFntTXWm19m6BUtbkdwN2x
+            Bn1P3P/mRTEaHxQr9RGg8Zjnix/Q6G7I5QIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+    };
+  };
+  users = {
+    jeschli = {
+      mail = "jeschli@gmail.com";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01";
+    };
+    jeschli-bln = {
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhQdDQFMxXOjbC+Avx3mlcFHqQpFUk/q9sO6ATA65jCV3YzN11vhZDDv54hABVS2h8TPXs7Lu3PCvK9qouASd2h4Ie9cExUmn50G/iwgFIODsCugVYBzVt1iwaAdwz1Hb9DKYXbVXanzVJjimmrrlQNvsyZg85lcnfyedpPX5ad+4FdSP68LHqEHC18LTitldR6V4P1omaKHlOtVpDgR/72tDgbtNZDBn3EU+TPk9OLTzjc6PinPw4iIvjEfiu14APwXpFDIqT7P7SjOEFpa0v/1z7dhxIy/Z9XbqyEdUfhv3PjZR5K2C+VzR7g6jVEVR2xFId51MpLv/Un4/lalbphBEw3I90Rr8tatOJiFhyrXbaKTcLqp1sIu05OxdPkm3hzfmLIhoKxhaIlXH7WQ9sAqxL1NAQ7O+J6yT4DMnwKzvpkkJjBaGtV84Pp1cccfNRH8XXID3FkWkrUpdgXWBpyLnRq4ilUJTajkU0GSdXkq8kLL3mWg9LPRTg3dmDj61ZB/qhjM61ppwHJvDRN9WI5HruXIU6nOQjh5yE2C/JZfLcsZD4Y1UDBy5/JSZrCVT2sQjFopkkYEkRCbX7oITHOH4iyRdxZkKWLUPboFrcmBpXO+owCEhO4JZrtfFWMC6qM++nrmiZWOrdIOIvdYHWluhKR2shlkisEKQP5pUqkw== markus.hihn@dcso.de";
+    };
+   jeschli-brauerei = {
+     pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos";
+   };
+  };
+}

krebs/3modules/lass/default.nix

@@ -44,7 +44,7 @@ with import <stockholm/lib>;
       cores = 2;
       nets = rec {
         internet = {
-          ip4.addr = "45.62.226.163";
+          ip4.addr = "64.137.242.41";
           aliases = [
             "echelon.i"
           ];
@@ -535,44 +535,46 @@ with import <stockholm/lib>;
         };
       };
     };
-    reagenzglas = {
-      ci = false;
-      external = true;
-      nets = {
+    xerxes = {
+      cores = 2;
+      nets = rec {
         retiolum = {
-          ip4.addr = "10.243.27.27";
-          ip6.addr = "42::27";
+          ip4.addr = "10.243.1.3";
+          ip6.addr = "42::1:3";
           aliases = [
-            "reagenzglas.r"
+            "xerxes.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
-            MIIECgKCBAEA4Tbq6aiMhPz55Of/WDEmESGmScRJedQSJoyRuDEDabEktdbP/m7P
-            bwpLp0lGYphx42+lutFcYOGoH/Lglfj39yhDcrpkYfTnzcGOWutXGuZ+iR5vmGj0
-            utJRf/4+a4sB5NboBVZ9Ke/RTjDNSov00C2hFCYTXz89Gd2ap1nDPQpnejOS+9aO
-            2W6P/WIKhRH7TfW6M7mUCrjVxWXZgdfSCQYxAXU/+1uAGmJ9qlGlQUIGUGv9Znv5
-            hurqwAHzSgEkKc2iUumosz6a8W9Oo3TAEC+jMEO2l/+GJ/8VysG1wtLWDX03GU3u
-            mBAtrJppEw4QNPTeFg6XSFIwV8Z0fWZ4lGsPJLbAkLUMxtKVWKbdrdpnmiQpLfBW
-            8BRbT1pjwEdw0hefA6NwCO3/Y5piEaUEz/gYz9xHFMDXUj9stHtaF0HaqonWyb06
-            aX3EEqRBxVsj6/Sgd33b77xqY4WBoOlbhfWj+EAD1Ova26lHELpAg0Z4AncpyOzw
-            pJcX81U8GgQp899YAc3EAldFfiu094CvM2NKd110K90VlTpos+sqFfNE87vpprMu
-            3d1NsYzf+FUM/aXASlqTNL+i8qBDAlODkLdj4+VZ2BjkSH+p2BLZouizSzu4X3I/
-            lfy554Dbb/98zlwmX9JrWzBRs2GxxFdIDZ1jK+Ci5qM7oTfujBwiE4jZA6wlK8u5
-            +IenSBdaJb0J8nS0Bziz/BLkuBCrl/YFelpZlY0pw6WYlraKbf/nsOpumOYh6zdz
-            9jiIPElGvso9FhwigX7xWCiYMK3ryAqm8CL0cTscQW3Yy2JKm1tNIQtAacwnNVli
-            PqdnPJSo942I+Fl6ZPjZ19ivJIqC+2TjGEY2Et8DkiL6YZfy4bM1zhoWMlXBIil0
-            ynnKR/h/CC67cq94JCbtRWKiYXIYtfHPQkS7S1Lk6aSYbIch/wROyh7XJ7EGE7nn
-            GAVMqI/P/qbW3rwEJGXzI4eJAHa2hwpP2Slimf6uUD/6L2bAnduhYoTsnNSjJmNE
-            hCC+MHohzk7+isZl0jwIEcMpsohMAwoa5BEhbuYJWeUesT/4PeddLIGYubTZAXp2
-            ZdYRepSNUEhSZV0H99MhlqeooDJxnWpsiba5Gb0s6p4gTReGy0jMtWnxI2P5RUFX
-            vEGt77v4MGrWYTzAL/ZRmESsOj7TXqpSK5YcMC2nr8PcV66LuMjOkRrGoVOV3fBe
-            G/9pNVb68SRwfPoGa5nGe6C7GPcgko9rgGLLcU1r/4L2bqFhdIQdSfaUX2Hscm44
-            5GdN2UvuwwVxOyU1uPqJcBNnr2yt3x3kw5+zDQ00z/pFntTXWm19m6BUtbkdwN2x
-            Bn1P3P/mRTEaHxQr9RGg8Zjnix/Q6G7I5QIDAQAB
+            MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
+            MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
+            gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
+            /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
+            mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
+            X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
+            +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
+            hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
+            3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
+            H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
+            JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
+            hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
+            SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
+            4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
+            vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
+            Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
+            scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
+            jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
+            Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
+            /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
+            bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
+            sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
             -----END RSA PUBLIC KEY-----
           '';
         };
       };
+      secure = true;
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
     };
   };
   users = {
@@ -602,6 +604,10 @@ with import <stockholm/lib>;
       mail = "lass@icarus.r";
       pubkey = builtins.readFile ./ssh/icarus.rsa;
     };
+    lass-xerxes = {
+      mail = "lass@xerxes.r";
+      pubkey = builtins.readFile ./ssh/xerxes.rsa;
+    };
     fritz = {
       pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
     };
@@ -622,8 +628,5 @@ with import <stockholm/lib>;
       pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
       mail = "joerg@higgsboson.tk";
     };
-    jeschli = {
-      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01";
-    };
   };
 }

krebs/3modules/lass/ssh/xerxes.rsa

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGjBN0aFs6GxNwMjCvlddbN6+vb6LZuWiWWe+wbAynaGuGbae0TXCLp0/eMNy7fH8poDjpdW9M4mKbBFKOqyG8WJLCPFoQw761tjKl1hccJn0hFSkQAEGKxtfzHlAl/Mz+59yvqNg7/WNSivv41hE7btYltzRy238VQDYFv2eLM7acyxrgGo7tWOtkbpfELj5cM8Qw1j3TF9bGV5pK6IOEtaHbmalS8Iiz77syAu+6E/y6zKBTtGMHI15l6RNJ/Y7A1LM/WwuNL+9dJMYWJFVHy3/4dpaxiioHREiSawUbz9wNHknCrT6vaPCIVVcujhz9Oee1C5UiYUyyfJrFYdlzaTg7FuLNIt2hKMY6NYx1D8/Pwpq1JOsaEfK/K5ytCgaJb115mRevcaUA5s7KYNWHmmZvy08JzCgSM6ZPRtfkQIcha77wVq6DugJ+KgBz+oADQRKiaMrumOMldd0B3q4Oxb71gDTE1XLAbWJnd/0Up1H5GAtZZUUrMUslZiU/23R6SOkyEMLWQTx/KgkWcz8DZLtib5o03uZpfJDVqp2CR+sjmy4x9aa+lSaOzuZP0KRyg+mOKl0o3zL7TNAzrzSCORVBg7nOh+0SPJkDxVRkc6dVY1L3ZOfdm2P/19fhWEr5ECgVrmYYKnDPwWY1iWJlZsiEc3Mj7KB1m44ov0FJg2hiNnydImqcXTCoszp515MBmeHnpqJsqEZuWS8dAnaEiOwZaSKIO1E7lQ7CoP86+eD4yAwLq6fb2tgjHT69LgDMaIha4hMfrO2o4UDVw9OZMfnPtyatI4pxplaQDoQM1p0dej0rZ7uxL1tfoKAyT0UCdtjhxfnNs0x1gOQbML4eGbqyKuyF82eOQRgKRDqH/tParoE4SRBVi7o3s0kILRmXA3ng3n1uhEiGwPTH8JsQ9huM+XOhH8+CzQeg4yb/jCrhsDzvLaW654+ouq9G+kjwqmO4vLNs5eZxfae84rppbS2MJqK1x8rkJixvKBKEfvYJOuDNV+hXyMbToaq8qtGy7cCSq4+UDio3DsSHY0Tpt9e+yEzoOOqFQLQyq6uHv/+u9MY+VADoa4N64U3S2SXul9tE3g6hOAY0F5BYMbxQSuj59kzwghlAmbsyWN2FCmWdsfCQkkZX7wCTj20DtZB/GdVSGNgHGAoU5JZrXKca3A2Yc9hzbYjyNYr0NmQ9NUbkbaOkcYJRIUXtS2OBOHP+FoUkkqL3ieKXR07l5xJbWLzbyVUxN9Zii4Baj5xnDO/RLZPDvTUxbER/0d1orMZztL2EKmfSn4j4uhWqpi04Rg9sWH+WVLAq22EKhAuqcFEOUimjcyZWYKxcAq5Z51NJNBQB7euz55eCJUZkBUYEpNuYr0UDlmBxKB2r6ZWDeNXT7eLxBdwDHCHSqXV7qOG1vMhHtjbbxmQMnkQ4InhO9TdpaN3tj67nGmc6hhgYO4b7NvyL1/pvDPrHrR/3GzkDkwqvt3uESdVdqAJSCk6gFh9V1aGs= lass@xerxes

krebs/3modules/repo-sync.nix

@@ -173,6 +173,7 @@ let
           REPONAME = "${name}.git";
         };
 
+        restartIfChanged = false;
         serviceConfig = {
           Type = "simple";
           PermissionsStartOnly = true;

krebs/3modules/xresources.nix

@@ -17,7 +17,7 @@ in
 {
 
   options = {
-    services.xresources.enable = mkOption {
+    krebs.xresources.enable = mkOption {
       type = types.bool;
       default = false;
       description = ''
@@ -25,7 +25,7 @@ in
       '';
     };
 
-    services.xresources.resources = mkOption {
+    krebs.xresources.resources = mkOption {
       default = {};
       type = types.attrsOf types.str;
       example = {
@@ -42,7 +42,7 @@ in
 
   config =
     let
-      cfg = config.services.xresources;
+      cfg = config.krebs.xresources;
       xres = writeText "xresources" (concatStringsSep "\n" (attrValues cfg.resources));
 
     in mkIf cfg.enable {

krebs/5pkgs/haskell/nix-diff/default.nix

@@ -4,12 +4,15 @@
 }:
 mkDerivation {
   pname = "nix-diff";
-  version = "1.0.0";
+  version = "1.0.0-krebs1";
   src = fetchgit {
     url = "https://github.com/Gabriel439/nix-diff";
     sha256 = "1k00nx8pannqmpzadkwfrs6bf79yk22ynhd033z5rsyw0m8fcz9k";
     rev = "e32ffa2c7f38b47a71325a042c1d887fb46cdf7d";
   };
+  patches = [
+    ./nixos-system.patch
+  ];
   isLibrary = false;
   isExecutable = true;
   executableHaskellDepends = [

krebs/5pkgs/haskell/nix-diff/nixos-system.patch

@@ -0,0 +1,18 @@
+diff --git a/src/Main.hs b/src/Main.hs
+index 959ab8e..d3b6077 100644
+--- a/src/Main.hs
++++ b/src/Main.hs
+@@ -95,7 +95,12 @@ pathToText path =
+     underneath `/nix/store`, but this is the overwhelmingly common use case
+ -}
+ derivationName :: FilePath -> Text
+-derivationName = Data.Text.dropEnd 4 . Data.Text.drop 44 . pathToText
++derivationName p =
++    if Data.Text.isPrefixOf "nixos-system" s
++      then "nixos-system"
++      else s
++  where
++    s = Data.Text.dropEnd 4 . Data.Text.drop 44 . pathToText $ p
+ 
+ -- | Group input derivations by their name
+ groupByName :: Map FilePath (Set Text) -> Map Text (Map FilePath (Set Text))

krebs/5pkgs/simple/cidr2glob.nix

@@ -0,0 +1,30 @@
+{ python, writeScriptBin, ... }:
+
+let
+  pythonEnv = python.withPackages (ps: [ ps.netaddr ]);
+in
+  writeScriptBin "cidr2glob" ''
+    #! ${pythonEnv}/bin/python
+
+    import netaddr
+    import re
+    import sys
+
+    def cidr2glob(cidr):
+        net = netaddr.IPNetwork(cidr)
+
+        if net.prefixlen <= 8:
+            return map(lambda subnet: re.sub(r'\.0\.0\.0$', '.*', str(subnet.ip)), net.subnet(8))
+        elif net.prefixlen <= 16:
+            return map(lambda subnet: re.sub(r'\.0\.0$', '.*', str(subnet.ip)), net.subnet(16))
+        elif net.prefixlen <= 24:
+            return map(lambda subnet: re.sub(r'\.0$', '.*', str(subnet.ip)), net.subnet(24))
+        else:
+            return map(lambda ip: str(ip), list(net))
+
+    if __name__ == "__main__":
+        for cidr in sys.stdin:
+            for glob in cidr2glob(cidr):
+                print glob
+
+  ''

krebs/5pkgs/simple/populate/default.nix

@@ -1,24 +1,27 @@
-{ coreutils, fetchgit, git, jq, openssh, proot, rsync, stdenv, ... }:
+{ coreutils, fetchgit, findutils, git, gnused, jq, openssh, pass, rsync, stdenv
+}:
 
 let
   PATH = stdenv.lib.makeBinPath [
     coreutils
+    findutils
     git
+    gnused
     jq
     openssh
-    proot
+    pass
     rsync
   ];
 in
 
 stdenv.mkDerivation rec {
   name = "populate";
-  version = "1.2.5";
+  version = "2.1.0";
 
   src = fetchgit {
     url = http://cgit.ni.krebsco.de/populate;
     rev = "refs/tags/v${version}";
-    sha256 = "10s4x117zp5whqq991xzw1i2jc1xhl580kx8hhzv8f1b4c9carx1";
+    sha256 = "0cr50y6h6nps0qgpmi01h0z9wzpv2704y5zgx2salk1grkmvcfmh";
   };
 
   phases = [

krebs/source.nix

@@ -7,13 +7,16 @@ host@{ name, secure ? false }: let
 in
   evalSource (toString _file) {
     nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
-    secrets.file = getAttr builder {
-      buildbot = toString <stockholm/krebs/6tests/data/secrets>;
-      krebs = "${getEnv "HOME"}/secrets/krebs/${host.name}";
+    secrets = getAttr builder {
+      buildbot.file = toString <stockholm/krebs/6tests/data/secrets>;
+      krebs.pass = {
+        dir = "${getEnv "HOME"}/brain";
+        name = "krebs-secrets/${name}";
+      };
     };
     stockholm.file = toString <stockholm>;
     nixpkgs.git = {
       url = https://github.com/NixOS/nixpkgs;
-      ref = "0c5a587eeba5302ff87e494baefd2f14f4e19bee"; # nixos-17.09 @ 2017-11-10
+      ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13
     };
   }

lass/1systems/helios/config.nix

@@ -20,20 +20,26 @@ with import <stockholm/lib>;
       boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
       boot.kernelModules = [ "kvm-intel" ];
 
-      fileSystems."/" =
-        { device = "/dev/pool/root";
-          fsType = "btrfs";
-        };
+      fileSystems."/" = {
+        device = "/dev/pool/root";
+        fsType = "btrfs";
+      };
 
-      fileSystems."/boot" =
-        { device = "/dev/disk/by-uuid/1F60-17C6";
-          fsType = "vfat";
-        };
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/1F60-17C6";
+        fsType = "vfat";
+      };
 
-      fileSystems."/home" =
-        { device = "/dev/pool/home";
-          fsType = "btrfs";
-        };
+      fileSystems."/home" = {
+        device = "/dev/pool/home";
+        fsType = "btrfs";
+      };
+
+      fileSystems."/tmp" = {
+        device = "tmpfs";
+        fsType = "tmpfs";
+        options = ["nosuid" "nodev" "noatime"];
+      };
 
       nix.maxJobs = lib.mkDefault 8;
     }
@@ -150,4 +156,7 @@ with import <stockholm/lib>;
 
   services.printing.drivers = [ pkgs.postscript-lexmark ];
 
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
 }

lass/1systems/mors/config.nix

@@ -179,7 +179,7 @@ with import <stockholm/lib>;
         echo 'secrets are crypted' >&2
         exit 23
       else
-        exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
+        exec nix-shell -I stockholm="$PWD" --run 'deploy --diff --system="$SYSTEM"'
       fi
     '';
     predeploy = pkgs.writeDash "predeploy" ''

lass/1systems/prism/config.nix

@@ -186,6 +186,7 @@ in {
       #hotdog
       containers.hotdog = {
         config = { ... }: {
+          environment.systemPackages = [ pkgs.git ];
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
@@ -201,6 +202,7 @@ in {
       #kaepsele
       containers.kaepsele = {
         config = { ... }: {
+          environment.systemPackages = [ pkgs.git ];
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
             lass.pubkey
@@ -217,6 +219,7 @@ in {
       #onondaga
       containers.onondaga = {
         config = { ... }: {
+          environment.systemPackages = [ pkgs.git ];
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
@@ -287,6 +290,19 @@ in {
     }
     <stockholm/krebs/2configs/reaktor-krebs.nix>
     <stockholm/lass/2configs/dcso-dev.nix>
+    {
+      krebs.git.rules = [
+        {
+          user = with config.krebs.users; [
+            jeschli
+            jeschli-bln
+            jeschli-brauerei
+          ];
+          repo = [ config.krebs.git.repos.stockholm ];
+          perm = with git; push "refs/heads/staging/jeschli" [ fast-forward non-fast-forward create delete merge ];
+        }
+      ];
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;

lass/1systems/xerxes/config.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/hw/gpd-pocket.nix>
+    <stockholm/lass/2configs/boot/stock-x220.nix>
+
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/exim-retiolum.nix>
+    <stockholm/lass/2configs/baseX.nix>
+    <stockholm/lass/2configs/browsers.nix>
+    <stockholm/lass/2configs/programs.nix>
+    <stockholm/lass/2configs/fetchWallpaper.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.xerxes;
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0"
+  '';
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437";
+    fsType = "btrfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/16C8-D053";
+    fsType = "vfat";
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358";
+    fsType = "btrfs";
+  };
+
+  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ];
+  networking.wireless.enable = true;
+}

lass/1systems/xerxes/source.nix

@@ -0,0 +1,11 @@
+with import <stockholm/lib>;
+import <stockholm/lass/source.nix> {
+  name = "xerxes";
+  secure = true;
+  override = {
+    nixpkgs.git = mkForce {
+      url = https://github.com/lassulus/nixpkgs;
+      ref = "3eccd0b";
+    };
+  };
+}

lass/2configs/baseX.nix

@@ -41,7 +41,7 @@ in {
           default = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
         };
       };
-      config.services.xresources.resources.X = ''
+      config.krebs.xresources.resources.X = ''
         *.font:       ${config.lass.fonts.regular}
         *.boldFont:   ${config.lass.fonts.bold}
         *.italicFont: ${config.lass.fonts.italic}
@@ -66,12 +66,12 @@ in {
 
   environment.systemPackages = with pkgs; [
     acpi
+    bank
     dic
     dmenu
     gi
     git-preview
     gitAndTools.qgit
-    haskellPackages.hledger
     lm_sensors
     mpv-poll
     much
@@ -112,11 +112,7 @@ in {
     xkbOptions = "caps:backspace";
   };
 
-  services.logind.extraConfig = ''
-    HandleLidSwitch=ignore
-  '';
-
   services.urxvtd.enable = true;
-  services.xresources.enable = true;
+  krebs.xresources.enable = true;
   lass.screenlock.enable = true;
 }

lass/2configs/br.nix

@@ -18,7 +18,7 @@ with import <stockholm/lib>;
       netDevices = {
         bra = {
           model = "MFCL2700DN";
-          ip = "10.23.42.221";
+          ip = "10.42.23.221";
         };
       };
     };

lass/2configs/browsers.nix

@@ -47,7 +47,7 @@ let
   createFirefoxUser = name: extraGroups: precedence:
     let
       bin = pkgs.writeScriptBin name ''
-        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
+        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox-devedition-bin}/bin/firefox-devedition $@
       '';
     in {
       users.extraUsers.${name} = {

lass/2configs/dcso-dev.nix

@@ -15,8 +15,10 @@ in {
       createHome = true;
       openssh.authorizedKeys.keys = [
         config.krebs.users.lass.pubkey
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhQdDQFMxXOjbC+Avx3mlcFHqQpFUk/q9sO6ATA65jCV3YzN11vhZDDv54hABVS2h8TPXs7Lu3PCvK9qouASd2h4Ie9cExUmn50G/iwgFIODsCugVYBzVt1iwaAdwz1Hb9DKYXbVXanzVJjimmrrlQNvsyZg85lcnfyedpPX5ad+4FdSP68LHqEHC18LTitldR6V4P1omaKHlOtVpDgR/72tDgbtNZDBn3EU+TPk9OLTzjc6PinPw4iIvjEfiu14APwXpFDIqT7P7SjOEFpa0v/1z7dhxIy/Z9XbqyEdUfhv3PjZR5K2C+VzR7g6jVEVR2xFId51MpLv/Un4/lalbphBEw3I90Rr8tatOJiFhyrXbaKTcLqp1sIu05OxdPkm3hzfmLIhoKxhaIlXH7WQ9sAqxL1NAQ7O+J6yT4DMnwKzvpkkJjBaGtV84Pp1cccfNRH8XXID3FkWkrUpdgXWBpyLnRq4ilUJTajkU0GSdXkq8kLL3mWg9LPRTg3dmDj61ZB/qhjM61ppwHJvDRN9WI5HruXIU6nOQjh5yE2C/JZfLcsZD4Y1UDBy5/JSZrCVT2sQjFopkkYEkRCbX7oITHOH4iyRdxZkKWLUPboFrcmBpXO+owCEhO4JZrtfFWMC6qM++nrmiZWOrdIOIvdYHWluhKR2shlkisEKQP5pUqkw== markus.hihn@dcso.de"
+        config.krebs.users.lass-android.pubkey
+        config.krebs.users.jeschli-bln.pubkey
         "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1T5+2epslFARSnETdr4wdolA6ocJaD4H9tmz6BZFQKXlwIq+OMp+sSEdwYwW3Lu9+mNbBHPxVVJDWg/We9DXB0ezXPM5Bs1+FcehmkoGwkmgKaFCDt0sL+CfSnog/3wEkN21O/rQxVFqMmiJ7WUDGci6IKCFZ5ZjOsmmfHg5p3LYxU9xv33fNr2v+XauhrGbFtQ7eDz4kSywxN/aw73LN4d8em0V0UV8VPI3Qkw7MamDFwefA+K1TfK8pBzMeruU6N7HLuNkpkAp7kS+K4Zzd72aQtR37a5qMiFUbOxQ9B7iFypuPx0iu6ZwY1s/sM8t3kLmcDJ9O4FOTzlbpneet3as6iJ+Ckr/TlfKor2Tl5pWcXh2FXHoG8VUu5bYmIViJBrKihAlAQfQN0mJ9fdFTnCXVTtbYTy11s4eEVHgUlb7oSpgBnx5bnBONgApbsOX9zyoo8wz8KkZBcf1SQpkV5br8uUAHCcZtHuY6I3kKlv+8lJmgUipiYzMdTi7+dHa49gVEcEKL4ZnJ0msQkl4XT7JjKETLvumC4/TIqVuRu48wuYalkCR9OzxCsTXQ/msBJBztPdYLrEOXVb2HfzuCT+43UuMQ5rP/EoPy0TWQO9BaqfEXqvbOvWjVxj/GMvglQ2ChZTwHxwwTKB8qRVvJLnbZQwizQiSrkzjb6hRJfQ== u0_a165@localhost"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjtdqRxD0+UU7O8xogSqAQYd/Hrc79CTTKnvbhKy7jp2TVfxQpl81ndSH6DN6Cz90mu65C+DFGq43YtKTPqXmTn1+2wru71C2UOl6ZR0tmU7UELkRt4SJuFQLEgQCt3BWvXJPye6cKRRIlb+XZHWyVyCDxHo9EYO2GWI1wIP8mHMltKj65mobHY+R0CJNhhwlFURzTto8C30ejfVg2OW81qkNWqYtpdC9txLUlQ9/LBVKrafHGprmcBEp9qtecVgx8kxHpS7cuQNYoFcfljug4IyFO+uBfdbKqnGM5mra3huNhX3+AcQxKbLMlRgZD+jc47Xs+s5qSvWBou2ygd5T413k/SDOTCxDjidA+dcwzRo0qUWcGL201a5g+F0EvWv8rjre9m0lii6QKEoPyj60y3yfaIHeafels1Ia1FItjkBe8XydiXf7rKq8nmVRlpo8vl+vKwVuJY783tObHjUgBtXJdmnyYGiXxkxSrXa2mQhPz3KodK/QrnqCP27dURcMlp1hFF3LxFz7WtMCLW0yvDuUsuI2pdq0+zdt702wuwXVNIvbq/ssvX/CL8ryBLAogaxN9DN0vpjk+aXQLn11Zt99MgmnnqUgvOKQi1Quog/SxnSBiloKqB6aA10a28Uxoxkr0KAfhWhX3XPpfGMlbVj4GJuevLp0sGDVQT2biUQ== rhaist@RH-NB"
       ];
       packages = with pkgs; [
         emacs25-nox
@@ -42,6 +44,10 @@ in {
     };
   };
 
+  krebs.per-user.dev.packages = [
+    pkgs.go
+  ];
+
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(dev) NOPASSWD: ALL
   '';

lass/2configs/default.nix

@@ -22,6 +22,7 @@ with import <stockholm/lib>;
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-shodan.pubkey
             config.krebs.users.lass-icarus.pubkey
+            config.krebs.users.lass-xerxes.pubkey
           ];
         };
         mainUser = {

lass/2configs/exim-smarthost.nix

@@ -48,6 +48,7 @@ with import <stockholm/lib>;
       { from = "tomtop@lassul.us"; to = lass.mail; }
       { from = "aliexpress@lassul.us"; to = lass.mail; }
       { from = "business@lassul.us"; to = lass.mail; }
+      { from = "payeer@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }

lass/2configs/games.nix

@@ -57,7 +57,7 @@ let
 
 in {
   environment.systemPackages = with pkgs; [
-    dwarf_fortress
+    (dwarf-fortress.override { theme = dwarf-fortress-packages.phoebus-theme; })
     doom1
     doom2
     vdoom1

lass/2configs/hw/brcmfmac4356-pcie.txt

@@ -0,0 +1,125 @@
+# Sample variables file for BCM94356Z NGFF 22x30mm iPA, iLNA board with PCIe for production package
+NVRAMRev=$Rev: 492104 $
+#4356 chip = 4354 A2 chip
+sromrev=11
+boardrev=0x1102
+boardtype=0x073e
+boardflags=0x02400201
+#0x2000 enable 2G spur WAR
+boardflags2=0x00802000
+boardflags3=0x0000000a
+#boardflags3 0x00000100 /* to read swctrlmap from nvram*/
+#define BFL3_5G_SPUR_WAR   0x00080000   /* enable spur WAR in 5G band */
+#define BFL3_AvVim   0x40000000   /* load AvVim from nvram */
+macaddr=00:90:4c:1a:10:01
+ccode=0x5854
+regrev=205
+antswitch=0
+pdgain5g=4
+pdgain2g=4
+tworangetssi2g=0
+tworangetssi5g=0
+paprdis=0
+femctrl=10
+vendid=0x14e4
+devid=0x43ec
+manfid=0x2d0
+#prodid=0x052e
+nocrc=1
+otpimagesize=502
+xtalfreq=37400
+rxgains2gelnagaina0=0
+rxgains2gtrisoa0=7
+rxgains2gtrelnabypa0=0
+rxgains5gelnagaina0=0
+rxgains5gtrisoa0=11
+rxgains5gtrelnabypa0=0
+rxgains5gmelnagaina0=0
+rxgains5gmtrisoa0=13
+rxgains5gmtrelnabypa0=0
+rxgains5ghelnagaina0=0
+rxgains5ghtrisoa0=12
+rxgains5ghtrelnabypa0=0
+rxgains2gelnagaina1=0
+rxgains2gtrisoa1=7
+rxgains2gtrelnabypa1=0
+rxgains5gelnagaina1=0
+rxgains5gtrisoa1=10
+rxgains5gtrelnabypa1=0
+rxgains5gmelnagaina1=0
+rxgains5gmtrisoa1=11
+rxgains5gmtrelnabypa1=0
+rxgains5ghelnagaina1=0
+rxgains5ghtrisoa1=11
+rxgains5ghtrelnabypa1=0
+rxchain=3
+txchain=3
+aa2g=3
+aa5g=3
+agbg0=2
+agbg1=2
+aga0=2
+aga1=2
+tssipos2g=1
+extpagain2g=2
+tssipos5g=1
+extpagain5g=2
+tempthresh=255
+tempoffset=255
+rawtempsense=0x1ff
+pa2ga0=-147,6192,-705
+pa2ga1=-161,6041,-701
+pa5ga0=-194,6069,-739,-188,6137,-743,-185,5931,-725,-171,5898,-715
+pa5ga1=-190,6248,-757,-190,6275,-759,-190,6225,-757,-184,6131,-746
+subband5gver=0x4
+pdoffsetcckma0=0x4
+pdoffsetcckma1=0x4
+pdoffset40ma0=0x0000
+pdoffset80ma0=0x0000
+pdoffset40ma1=0x0000
+pdoffset80ma1=0x0000
+maxp2ga0=76
+maxp5ga0=74,74,74,74
+maxp2ga1=76
+maxp5ga1=74,74,74,74
+cckbw202gpo=0x0000
+cckbw20ul2gpo=0x0000
+mcsbw202gpo=0x99644422
+mcsbw402gpo=0x99644422
+dot11agofdmhrbw202gpo=0x6666
+ofdmlrbw202gpo=0x0022
+mcsbw205glpo=0x88766663
+mcsbw405glpo=0x88666663
+mcsbw805glpo=0xbb666665
+mcsbw205gmpo=0xd8666663
+mcsbw405gmpo=0x88666663
+mcsbw805gmpo=0xcc666665
+mcsbw205ghpo=0xdc666663
+mcsbw405ghpo=0xaa666663
+mcsbw805ghpo=0xdd666665
+mcslr5glpo=0x0000
+mcslr5gmpo=0x0000
+mcslr5ghpo=0x0000
+sb20in40hrpo=0x0
+sb20in80and160hr5glpo=0x0
+sb40and80hr5glpo=0x0
+sb20in80and160hr5gmpo=0x0
+sb40and80hr5gmpo=0x0
+sb20in80and160hr5ghpo=0x0
+sb40and80hr5ghpo=0x0
+sb20in40lrpo=0x0
+sb20in80and160lr5glpo=0x0
+sb40and80lr5glpo=0x0
+sb20in80and160lr5gmpo=0x0
+sb40and80lr5gmpo=0x0
+sb20in80and160lr5ghpo=0x0
+sb40and80lr5ghpo=0x0
+dot11agduphrpo=0x0
+dot11agduplrpo=0x0
+phycal_tempdelta=255
+temps_period=15
+temps_hysteresis=15
+rssicorrnorm_c0=4,4
+rssicorrnorm_c1=4,4
+rssicorrnorm5g_c0=1,2,3,1,2,3,6,6,8,6,6,8
+rssicorrnorm5g_c1=1,2,3,2,2,2,7,7,8,7,7,8

lass/2configs/hw/gpd-pocket.nix

@@ -7,14 +7,22 @@ let
     destination = "/lib/firmware/brcm/brcmfmac4356-pcie.txt";
   };
 in {
+  #imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
   hardware.firmware = [ dummy_firmware ];
+  hardware.enableRedistributableFirmware = true;
 
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" "sdhci_pci" ];
   boot.kernelPackages = pkgs.linuxPackages_4_14;
   boot.kernelParams = [
     "fbcon=rotate:1"
   ];
-  services.tlp.enable = true;
   services.xserver.displayManager.sessionCommands = ''
     (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output DSI1 --rotate right)
+    (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop 'Goodix Capacitive TouchScreen' 'Coordinate Transformation Matrix' 0 1 0 -1 0 1 0 0 1)
   '';
+  services.xserver.dpi = 200;
+  fonts.fontconfig.dpi = 200;
+  lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola";
+  lass.fonts.bold =    "xft:Hack-Bold:pixelsize=22,xft:Symbola";
+  lass.fonts.italic =  "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol";
 }

lass/2configs/hw/x220.nix

@@ -29,4 +29,9 @@
       options = ["nosuid" "nodev" "noatime"];
     };
   };
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
+
 }

lass/2configs/urxvt.nix

@@ -4,7 +4,7 @@ with import <stockholm/lib>;
 {
   services.urxvtd.enable = true;
 
-  services.xresources.resources.urxvt = ''
+  krebs.xresources.resources.urxvt = ''
     URxvt*SaveLines: 4096
     URxvt*scrollBar:            false
     URxvt*urgentOnBell:         true

lass/2configs/websites/domsen.nix

@@ -26,15 +26,6 @@ in {
     ./default.nix
     ./sqlBackup.nix
     (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
-    (servePage [
-      "karlaskop.de"
-      "www.karlaskop.de"
-    ])
-    (servePage [ "makeup.apanowicz.de" ])
-    (servePage [
-      "pixelpocket.de"
-      "www.pixelpocket.de"
-    ])
     (servePage [
       "habsys.de"
       "habsys.eu"
@@ -48,22 +39,18 @@ in {
       "nirwanabluete.de"
       "aldonasiech.com"
       "ubikmedia.eu"
-      "facts.cloud"
       "youthtube.xyz"
-      "illucloud.eu"
-      "illucloud.de"
-      "illucloud.com"
       "joemisch.com"
+      "weirdwednesday.de"
+
       "www.apanowicz.de"
       "www.nirwanabluete.de"
       "www.aldonasiech.com"
       "www.ubikmedia.eu"
-      "www.facts.cloud"
       "www.youthtube.xyz"
-      "www.illucloud.eu"
-      "www.illucloud.de"
-      "www.illucloud.com"
       "www.ubikmedia.de"
+      "www.weirdwednesday.de"
+
       "aldona2.ubikmedia.de"
       "apanowicz.ubikmedia.de"
       "cinevita.ubikmedia.de"
@@ -74,8 +61,6 @@ in {
       "nb.ubikmedia.de"
       "youthtube.ubikmedia.de"
       "weirdwednesday.ubikmedia.de"
-      "weirdwednesday.de"
-      "www.weirdwednesday.de"
       "freemonkey.ubikmedia.de"
       "jarugadesign.ubikmedia.de"
     ])

lass/2configs/websites/lassulus.nix

@@ -153,15 +153,15 @@ in {
   };
 
   security.acme.certs."cgit.lassul.us" = {
-    email = "lassulus@gmail.com";
-    webroot = "/var/lib/acme/acme-challenges";
+    email = "lassulus@lassul.us";
+    webroot = "/var/lib/acme/acme-challenge";
     plugins = [
       "account_key.json"
-      "key.pem"
       "fullchain.pem"
+      "key.pem"
     ];
     group = "nginx";
-    allowKeysForGroup = true;
+    user = "nginx";
   };
 
 
@@ -170,6 +170,9 @@ in {
     addSSL = true;
     sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
     sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
+    locations."/.well-known/acme-challenge".extraConfig = ''
+      root /var/lib/acme/acme-challenge;
+    '';
   };
 
   users.users.blog = {

lass/3modules/default.nix

@@ -12,6 +12,5 @@ _:
     ./umts.nix
     ./usershadow.nix
     ./xserver
-    ./xresources.nix
   ];
 }

lass/3modules/xserver/default.nix

@@ -17,10 +17,6 @@ let
   imp = {
 
     services.xserver = {
-      # Don't install feh into systemPackages
-      # refs <nixpkgs/nixos/modules/services/x11/desktop-managers>
-      desktopManager.session = mkForce [];
-
       enable = true;
       display = 11;
       tty = 11;
@@ -80,7 +76,7 @@ let
         ];
       };
     };
-    services.xresources.resources.dpi = ''
+    krebs.xresources.resources.dpi = ''
       ${optionalString (xcfg.dpi != null) "Xft.dpi: ${toString xcfg.dpi}"}
     '';
     systemd.services.urxvtd = {

lass/5pkgs/default.nix

@@ -21,9 +21,20 @@
     xmonad-lass = import ./xmonad-lass.nix { inherit config pkgs; };
     yt-next = pkgs.callPackage ./yt-next/default.nix {};
 
+    bank = pkgs.writeDashBin "bank" ''
+      tmp=$(mktemp)
+      ${pkgs.pass}/bin/pass show hledger > $tmp
+      ${pkgs.hledger}/bin/hledger --file=$tmp "$@"
+      ${pkgs.pass}/bin/pass show hledger | if ${pkgs.diffutils}/bin/diff $tmp -; then
+        exit 0
+      else
+        ${pkgs.coreutils}/bin/cat $tmp | ${pkgs.pass}/bin/pass insert -m hledger
+      fi
+      ${pkgs.coreutils}/bin/rm $tmp
+    '';
     screengrab = pkgs.writeDashBin "screengrab" ''
       resolution="$(${pkgs.xorg.xrandr}/bin/xrandr | ${pkgs.gnugrep}/bin/grep '*' | ${pkgs.gawk}/bin/awk '{print $1}')"
-      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :0.0 -s $resolution -c:v huffyuv $1
+      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :${toString config.services.xserver.display} -s $resolution -c:v huffyuv $1
     '';
   };
 }

lass/5pkgs/xmonad-lass.nix

@@ -30,6 +30,7 @@ import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
 import XMonad.Actions.DynamicWorkspaces (withWorkspace)
 import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
+import XMonad.Hooks.EwmhDesktops (ewmh)
 import XMonad.Hooks.FloatNext (floatNext)
 import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@@ -39,10 +40,10 @@ import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
+import XMonad.Layout.SimplestFloat (simplestFloat)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
-import XMonad.Layout.SimpleFloat (simpleFloat)
 
 import XMonad.Stockholm.Shutdown
 
@@ -59,7 +60,7 @@ main = getArgs >>= \case
 
 main' :: IO ()
 main' = do
-    xmonad
+    xmonad $ ewmh
         $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
         $ def
             { terminal           = myTerm
@@ -77,7 +78,7 @@ main' = do
 
 myLayoutHook = defLayout
   where
-    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat
+    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat)
 
 myKeyMap :: [([Char], X ())]
 myKeyMap =
@@ -86,6 +87,8 @@ myKeyMap =
     , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
     , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
     , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
+
+    , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle")
     , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
     , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%")
     , ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%")

lass/source.nix

@@ -10,11 +10,14 @@ in
       nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
       nixpkgs.git = {
         url = https://github.com/nixos/nixpkgs;
-        ref = "f9390d6";
+        ref = "af7e479";
       };
-      secrets.file = getAttr builder {
-        buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;
-        lass = "/home/lass/secrets/${name}";
+      secrets = getAttr builder {
+        buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;
+        lass.pass = {
+          dir = "${getEnv "HOME"}/.password-store";
+          name = "hosts/${name}";
+        };
       };
       stockholm.file = toString <stockholm>;
     }

lib/types.nix

@@ -231,7 +231,12 @@ rec {
   source = submodule ({ config, ... }: {
     options = {
       type = let
-        types = ["file" "git" "symlink"];
+        types = [
+          "file"
+          "git"
+          "pass"
+          "symlink"
+        ];
       in mkOption {
         type = enum types;
         default = let
@@ -255,6 +260,10 @@ rec {
         type = nullOr git-source;
         default = null;
       };
+      pass = mkOption {
+        type = nullOr pass-source;
+        default = null;
+      };
       symlink = let
         symlink-target = (symlink-source.getSubOptions "FIXME").target.type;
       in mkOption {
@@ -287,6 +296,17 @@ rec {
     };
   };
 
+  pass-source = submodule {
+    options = {
+      dir = mkOption {
+        type = absolute-pathname;
+      };
+      name = mkOption {
+        type = pathname; # TODO relative-pathname
+      };
+    };
+  };
+
   symlink-source = submodule {
     options = {
       target = mkOption {

nin/1systems/hiawatha/config.nix

@@ -15,7 +15,6 @@ with lib;
     <stockholm/nin/2configs/git.nix>
     <stockholm/nin/2configs/retiolum.nix>
     <stockholm/nin/2configs/termite.nix>
-    <stockholm/nin/2configs/skype.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.hiawatha;
@@ -87,6 +86,7 @@ with lib;
   environment.systemPackages = with pkgs; [
     firefox
     git
+    lmms
     networkmanagerapplet
     python
     steam

nin/2configs/default.nix

@@ -4,6 +4,7 @@ with import <stockholm/lib>;
 {
   imports = [
     ../2configs/vim.nix
+    <stockholm/krebs/2configs/binary-cache/nixos.nix>
     <stockholm/krebs/2configs/binary-cache/prism.nix>
     {
       users.extraUsers =

nin/2configs/git.nix

@@ -40,8 +40,8 @@ let
       post-receive = pkgs.git-hooks.irc-announce {
         # TODO make nick = config.krebs.build.host.name the default
         nick = config.krebs.build.host.name;
-        channel = "#retiolum";
-        server = "ni.r";
+        channel = "#xxx";
+        server = "irc.r";
         verbose = config.krebs.build.host.name == "onondaga";
         # TODO define branches in some kind of option per repo
         branches = [ "master" ];

nin/source.nix

@@ -14,6 +14,6 @@ in
     stockholm.file = toString <stockholm>;
     nixpkgs.git = {
       url = https://github.com/nixos/nixpkgs;
-      ref = "c99239b";
+      ref = "afe9649";
     };
   }

tv/1systems/querel/config.nix

@@ -11,6 +11,9 @@ with import <stockholm/lib>;
   krebs.build.host = config.krebs.hosts.querel;
   krebs.build.user = mkForce config.krebs.users.itak;
 
+  boot.extraModulePackages = [
+    config.boot.kernelPackages.exfat-nofuse
+  ];
   boot.initrd.availableKernelModules = [ "ahci" ];
   boot.initrd.luks = {
     cryptoModules = [ "aes" "sha512" "xts" ];

tv/2configs/urlwatch.nix

@@ -13,8 +13,16 @@ with import <stockholm/lib>;
 
       http://www.exim.org/
 
+      {
+        url = https://api.github.com/repos/Gabriel439/nix-diff/git/refs/heads/master;
+        filter = "system:${pkgs.jq}/bin/jq -r .object.sha";
+      }
+
       # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
-      https://api.github.com/repos/simple-evcorr/sec/tags
+      {
+        url = https://api.github.com/repos/simple-evcorr/sec/tags;
+        filter = "system:${pkgs.jq}/bin/jq .";
+      }
 
       # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
       https://thp.io/2008/urlwatch/
@@ -47,7 +55,7 @@ with import <stockholm/lib>;
       #http://hackage.haskell.org/package/web-page
 
       # ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
-      https://help.github.com/articles/github-s-ip-addresses/
+      https://api.github.com/meta
 
       # <stockholm/tv/2configs/xserver/xserver.conf.nix>
       # is derived from `configFile` in: