Merge branch 'master' of prism:stockholm

2017-12-18 21:24:28 +01:00 · 2017-12-18 21:24:28 +01:00 · af30864203
parent 4feafd7020 676c76dd8e
commit af30864203
60 changed files with 1409 additions and 132 deletions
--- a/jeschli/1systems/bln/config.nix
+++ b/jeschli/1systems/bln/config.nix
@ -0,0 +1,189 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, lib, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      <stockholm/jeschli>
      ./hardware-configuration.nix
      # ./dcso-vpn.nix
    ];
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
  boot.loader.grub.extraEntries = ''
    menuentry "Debian GNU/Linux, kernel 4.9.0-4-amd64" {
      search --set=drive1 --fs-uuid f169fd32-bf96-4da0-bc34-294249ffa606
      linux ($drive1)/vmlinuz-4.9.0-4-amd64 root=/dev/mapper/pool-debian ro
      initrd ($drive1)/initrd.img-4.9.0-4-amd64
    }
  '';
  boot.initrd.luks.devices = [
    {
      name = "root";
      device = "/dev/disk/by-uuid/cba5d550-c3c8-423e-a913-14b5210bdd32";
      preLVM = true;
      allowDiscards = true;
    }
  ];
  networking.hostName = "BLN02NB0154"; # Define your hostname.
  networking.networkmanager.enable = true;
   #networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "Lat2-Terminus16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  nixpkgs.config.allowUnfree = true;
  environment.shellAliases = { n = "nix-shell"; };
  environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
  environment.systemPackages = with pkgs; [
  # system helper
    ag
    copyq
    dmenu
    git
    i3lock
    keepass
    networkmanagerapplet
    rsync
    terminator
    tmux
    wget
    rxvt_unicode
  # editors
    emacs
  # internet 
    thunderbird
    hipchat
    chromium
    google-chrome
  # programming languages
    go
    gcc
    ghc
    python35
    python35Packages.pip
  # go tools
    golint
    gotools
  # dev tools
    gnumake
    jetbrains.pycharm-professional
    jetbrains.webstorm
    jetbrains.goland
    texlive.combined.scheme-full
    pandoc
    redis
  # document viewer
    zathura
  ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  programs.bash.enableCompletion = true;
  programs.vim.defaultEditor = true;
  # programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Enable CUPS to print documents.
  services.printing.enable = true;
  services.printing.drivers = [ pkgs.postscript-lexmark ];
  # Enable the X11 windowing system.
  services.xserver.enable = true;
  # services.xserver.xrandrHeads = [
  #  { output = "eDP1"; }
  #  { output = "DP-2-2-8"; primary = true; }
  #  { output = "DP-2-1-8"; monitorConfig = ''Option "Rotate" "left"''; }
  # ];
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";
  # Enable touchpad support.
  # services.xserver.libinput.enable = true;
  # Enable the KDE Desktop Environment.
 #  services.xserver.displayManager.lightdm.enable = true;
  services.xserver.windowManager.xmonad.enable = true;
  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
 #   services.xserver.desktopManager.gnome3.enable = true;
  # services.xserver.displayManager.gdm.enable = true;
  services.xserver.displayManager.sddm.enable = true;
  #services.xserver.desktopManager.plasma5.enable = true;
 #  services.xserver.displayManager.sessionCommands = ''
 #    (sleep 1 && ${pkgs.xorg.xrandr}/bin/xrandr --output VIRTUAL1 --off --output eDP1 --mode 1920x1080 --pos 5120x688 --rotate normal --output DP1 --off --output DP2-1 --mode 2560x1440 --pos 2560x328 --rotate normal --output DP2-2 --primary --mode 2560x1440 --pos 0x328 --rotate normal --output DP2-3 --off --output HDMI2 --off --output HDMI1 --off --output DP2 --off
 #'';
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.markus = {
    isNormalUser = true;
    extraGroups = ["docker"];
    uid = 1000;
  };
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "17.09"; # Did you read the comment?
  # Gogland Debugger workaround
 #  nixpkgs.config.packageOverrides = super: {
 #    idea.gogland = lib.overrideDerivation super.idea.gogland (attrs: {
 #      postFixup = ''
 #	interp="$(cat $NIX_CC/nix-support/dynamic-linker)"
 #	patchelf --set-interpreter $interp $out/gogland*/plugins/intellij-go-plugin/lib/dlv/linux/dlv
 #        chmod +x $out/gogland*/plugins/intellij-go-plugin/lib/dlv/linux/dlv
 #     '';
 #    });
 #  };
 #  virtualisation.docker.enable = true;
  # DCSO Certificates
  security.pki.certificateFiles = [
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
   (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
  ]; 
  hardware.bluetooth.enable = true;
  krebs.build.host = config.krebs.hosts.bln;
 }
--- a/jeschli/1systems/bln/hardware-configuration.nix
+++ b/jeschli/1systems/bln/hardware-configuration.nix
@ -0,0 +1,34 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
 {
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/02144ea4-947d-440e-bbf9-99cab0dccf05";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/f169fd32-bf96-4da0-bc34-294249ffa606";
      fsType = "ext2";
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/68ef2163-7b3d-4dbb-add9-d3543ad7c738";
      fsType = "ext4";
    };
  swapDevices = [ ];
  nix.maxJobs = lib.mkDefault 4;
  powerManagement.cpuFreqGovernor = "powersave";
 }
--- a/jeschli/1systems/bln/source.nix
+++ b/jeschli/1systems/bln/source.nix
@ -0,0 +1,4 @@
 import <stockholm/jeschli/source.nix> {
  name = "bln";
  secure = true;
 }
--- a/jeschli/1systems/brauerei/config.nix
+++ b/jeschli/1systems/brauerei/config.nix
@ -0,0 +1,132 @@
 # Edit this configuration file to define what should be installed on # your system.  Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 {
  imports = [
    <stockholm/jeschli>
    ./hardware-configuration.nix
    <stockholm/jeschli/2configs/urxvt.nix>
  ];
  krebs.build.host = config.krebs.hosts.brauerei;
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.efiSupport = true;
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/sda";
  # or "nodev" for efi only
  boot.initrd.luks.devices = [ {
    name = "root";
    device = "/dev/sda2";
    preLVM = true;
    allowDiscards = true;
  } ];
  # networking.hostName = "nixos";
  # Define your hostname.
  networking.wireless.enable = true;
  # Enables wireless support via wpa_supplicant.
  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "Lat2-Terminus16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };
  # Set your time zone.  #
  time.timeZone = "Europe/Amsterdam";
  nixpkgs.config.allowUnfree = true;
  # List packages installed in system profile. To search by name, run: # $ nix-env -qaP | grep wget
  environment.systemPackages = with pkgs; [
  # system helper
    ag
    curl
    copyq
    dmenu
    git
    i3lock
    keepass
    networkmanagerapplet
    rsync
    terminator
    tmux
    wget
  #  rxvt_unicode
  # editors
    emacs
  # internet
    thunderbird
    chromium
    google-chrome
  # programming languages
    go
    gcc
    ghc
    python35
    python35Packages.pip
  # go tools
    golint
    gotools
  # dev tools
    gnumake
    jetbrains.pycharm-professional
    jetbrains.webstorm
    jetbrains.goland
  # document viewer
    zathura
  ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.bash.enableCompletion = true;
  # programs.mtr.enable = true;
  programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable the X11 windowing system.
  services.xserver.enable = true;
  # services.xserver.layout = "us";
  # services.xserver.xkbOptions = "eurosign:e";
  # Enable touchpad support.
  # services.xserver.libinput.enable = true;
  # Enable the KDE Desktop Environment.
  # services.xserver.displayManager.sddm.enable = true;
  # services.xserver.desktopManager.plasma5.enable = true;
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.windowManager.xmonad.enable = true;
  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
 #
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.jeschli = {
    isNormalUser = true;
    uid = 1000;
  };
  users.extraUsers.jamie = {
    isNormalUser = true;
    uid = 1001;
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos"
  ];
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "17.09"; # Did you read the comment?
 }
--- a/jeschli/1systems/brauerei/hardware-configuration.nix
+++ b/jeschli/1systems/brauerei/hardware-configuration.nix
@ -0,0 +1,33 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
 {
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sdhci_pci" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/e264fc21-45bb-4224-93fc-b0e19c2c3478";
      fsType = "ext4";
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/bd0846ce-7d39-4329-bcb4-7c76becd6ab1";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/42BF-0795";
      fsType = "vfat";
    };
  swapDevices = [ ];
  nix.maxJobs = lib.mkDefault 4;
 }
--- a/jeschli/1systems/brauerei/source.nix
+++ b/jeschli/1systems/brauerei/source.nix
@ -0,0 +1,4 @@
 import <stockholm/jeschli/source.nix> {
  name = "brauerei";
  secure = true;
 }
--- a/jeschli/1systems/reagenzglas/.source.nix.swp
+++ b/jeschli/1systems/reagenzglas/.source.nix.swp
--- a/jeschli/1systems/reagenzglas/config.nix
+++ b/jeschli/1systems/reagenzglas/config.nix
@ -0,0 +1,146 @@
 # Edit this configuration file to define what should be installed on
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 { config, pkgs, ... }:
 {
  imports =
    [ # Include the results of the hardware scan.
      <stockholm/jeschli>
      ./hardware-configuration.nix
    ];
  # Use the GRUB 2 boot loader.
 # boot.loader.grub.enable = true;
 # boot.loader.grub.version = 2;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  # Define on which hard drive you want to install Grub.
 #  boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5002538844584d30"; # or "nodev" for efi only
  boot.initrd.luks.devices = [
    {
    name = "root";
    device = "/dev/disk/by-id/wwn-0x5002538844584d30-part2";
    preLVM = true;
    allowDiscards = true;
    }
  ];
  networking.hostName = "reaganzglas"; # Define your hostname.
 #  networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  networking.networkmanager.enable = true;
  # Select internationalisation properties.
  # i18n = {
  #   consoleFont = "Lat2-Terminus16";
  #   consoleKeyMap = "us";
  #   defaultLocale = "en_US.UTF-8";
  # };
  # Set your time zone.
  # time.timeZone = "Europe/Amsterdam";
  # List packages installed in system profile. To search by name, run:
  # $ nix-env -qaP | grep wget
  nixpkgs.config.allowUnfree = true;
  environment.shellAliases = { n = "nix-shell"; };
  environment.variables = { GOROOT= [ "${pkgs.go.out}/share/go" ]; };
  environment.systemPackages = with pkgs; [
  # system helper
    ag
    curl
    copyq
    dmenu
    git
    i3lock
    keepass
    networkmanagerapplet
    rsync
    terminator
    tmux
    wget
    rxvt_unicode
  # editors
    emacs
  # internet
    thunderbird
    chromium
    google-chrome
  # programming languages
    go
    gcc
    ghc
    python35
    python35Packages.pip
  # go tools
    golint
    gotools
  # dev tools
    gnumake
  # document viewer
    zathura
   ];
  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh.enable = true;
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01 markus@reaganzglas"
  ];
  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # Enable CUPS to print documents.
  # services.printing.enable = true;
  # Enable the X11 windowing system.
   services.xserver.enable = true;
   services.xserver.layout = "us";
   services.xserver.xkbOptions = "eurosign:e";
  # Enable touchpad support.
   services.xserver.libinput.enable = true;
  # Enable the KDE Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.windowManager.xmonad.enable = true;
  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
  # services.xserver.desktopManager.plasma5.enable = true;
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.extraUsers.jeschli = {
     isNormalUser = true;
     uid = 1000;
  };
  # This value determines the NixOS release with which your system is to be
  # compatible, in order to avoid breaking some software such as database
  # servers. You should change this only after NixOS release notes say you
  # should.
  system.stateVersion = "18.03"; # Did you read the comment?
  programs.bash = {
    enableCompletion = true;
    interactiveShellInit = ''
      export GOPATH=$HOME/go
      export PATH=$PATH:$GOPATH/bin
    '';
  };
  krebs.build.host = config.krebs.hosts.reagenzglas;
  hardware.bluetooth.enable = true;
 }
--- a/jeschli/1systems/reagenzglas/hardware-configuration.nix
+++ b/jeschli/1systems/reagenzglas/hardware-configuration.nix
@ -0,0 +1,33 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
 {
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/09130cf7-b71b-42ab-9fa3-cb3c745f1fc9";
      fsType = "ext4";
    };
  fileSystems."/home" =
    { device = "/dev/disk/by-uuid/8bee50b3-5733-4373-a966-388def141774";
      fsType = "ext4";
    };
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/DA40-AC19";
      fsType = "vfat";
    };
  swapDevices = [ ];
  nix.maxJobs = lib.mkDefault 8;
 #  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
 }
--- a/jeschli/1systems/reagenzglas/source.nix
+++ b/jeschli/1systems/reagenzglas/source.nix
@ -0,0 +1,4 @@
 import <stockholm/jeschli/source.nix> {
  name = "reagenzglas";
  secure = true;
 }
--- a/jeschli/2configs/default.nix
+++ b/jeschli/2configs/default.nix
@ -0,0 +1,66 @@
 { config, pkgs, ... }:
 with import <stockholm/lib>;
 {
  imports = [
    ./vim.nix
    ./retiolum.nix
    {
      environment.variables = {
        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
      };
    }
  ];
  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [
  #stockholm
    git
    gnumake
    jq
    parallel
    proot
    populate
  #style
    most
    rxvt_unicode.terminfo
  #monitoring tools
    htop
    iotop
  #network
    iptables
    iftop
  #stuff for dl
    aria2
  #neat utils
    file
    kpaste
    krebspaste
    mosh
    pciutils
    psmisc
   # q
   # rs
    tmux
    untilport
    usbutils
  #  logify
    goify
  #unpack stuff
    p7zip
    unzip
    unrar
    (pkgs.writeDashBin "sshn" ''
      ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
    '')
  ];
  krebs.enable = true;
 }
--- a/jeschli/2configs/retiolum.nix
+++ b/jeschli/2configs/retiolum.nix
@ -0,0 +1,22 @@
 { config, pkgs, ... }:
 {
  krebs.tinc.retiolum = {
    enable = true;
    connectTo = [
      "prism"
      "gum"
      "ni"
      "dishfire"
    ];
  };
  nixpkgs.config.packageOverrides = pkgs: {
    tinc = pkgs.tinc_pre;
  };
  environment.systemPackages = [
    pkgs.tinc
  ];
 }
--- a/jeschli/2configs/tests/dummy-secrets/empty
+++ b/jeschli/2configs/tests/dummy-secrets/empty
--- a/jeschli/2configs/urxvt.nix
+++ b/jeschli/2configs/urxvt.nix
@ -0,0 +1,34 @@
 { config, pkgs, ... }:
 with import <stockholm/lib>;
 {
  services.urxvtd.enable = true;
  krebs.xresources.enable = true;
  krebs.xresources.resources.urxvt = ''
  *foreground: rgb:a8/a8/a8
  *background: rgb:00/00/00
  *faceName: DejaVu Sans Mono
  *faceSize: 12
  *color0: rgb:00/00/00
  *color1: rgb:a8/00/00
  *color2: rgb:00/a8/00
  *color3: rgb:a8/54/00
  *color4: rgb:00/00/a8
  *color5: rgb:a8/00/a8
  *color6: rgb:00/a8/a8
  *color7: rgb:a8/a8/a8
  *color8: rgb:54/54/54
  *color9: rgb:fc/54/54
  *color10: rgb:54/fc/54
  *color11: rgb:fc/fc/54
  *color12: rgb:54/54/fc
  *color13: rgb:fc/54/fc
  *color14: rgb:54/fc/fc
  *color15: rgb:fc/fc/fc
  URxvt*scrollBar:                      false
  URxvt*urgentOnBell:                   true
  URxvt*font: xft:DejaVu Sans Mono:pixelsize=20
  URXvt*faceSize: 12
  '';
 }
--- a/jeschli/2configs/vim.nix
+++ b/jeschli/2configs/vim.nix
@ -0,0 +1,92 @@
 { config, pkgs, ... }:
 let
  customPlugins.vim-javascript = pkgs.vimUtils.buildVimPlugin {
    name = "vim-javascript";
    src = pkgs.fetchFromGitHub {
      owner = "pangloss";
      repo = "vim-javascript";
      rev = "1.2.5.1";
      sha256 = "08l7ricd3j5h2bj9i566byh39v9n5wj5mj75f2c8a5dsc732b2k7";
    };
  };
   customPlugins.vim-jsx = pkgs.vimUtils.buildVimPlugin {
     name = "vim-jsx";
     src = pkgs.fetchFromGitHub {
       owner = "mxw";
       repo = "vim-jsx";
       rev = "5b968dfa512c57c38ad7fe420f3e8ab75a73949a";
       sha256 = "1z3yhhbmbzfw68qjzyvpbmlyv2a1p814sy5q2knn04kcl30vx94a"; 
     };
   };
 in {
 # {
  environment.systemPackages = [
    (pkgs.vim_configurable.customize {
      name = "vim";
    vimrcConfig.customRC = ''
  set nocompatible 
 	:imap jk <Esc>
 	:vmap v v
 	:map gr :GoRun<Enter>
 	:nnoremap <S-TAB> :bnext<CR>
 	:nnoremap <C-TAB> <c-w><c-w>
  :map nf :NERDTreeToggle<CR>
 	set autowrite
 	set number
 	set ruler
  set path+=** 
  set wildmenu
 	noremap x "_x
 	set clipboard=unnamedplus
  let g:jsx_ext_required = 0
 	let g:go_list_type = "quickfix"
 	let g:go_test_timeout = '10s'
 	let g:go_fmt_command = "goimports"
 	let g:go_snippet_case_type = "camelcase"
 	let g:go_highlight_types = 1
 	let g:go_highlight_fields = 1
 	let g:go_highlight_functions = 1
 	let g:go_highlight_methods = 1
  let g:go_highlight_extra_types = 1
  autocmd BufNewFile,BufRead *.go setlocal noexpandtab tabstop=4 shiftwidth=4 
  let g:rehash256 = 1
  let g:molokai_original = 1
  colorscheme molokai
 	let g:go_metalinter_enabled = ['vet', 'golint', 'errcheck']
 	let g:go_metalinter_autosave = 1
 	" let g:go_metalinter_autosave_enabled = ['vet', 'golint']
 	" let g:go_def_mode = 'godef'
 	" let g:go_decls_includes = "func,type"
 	" Trigger configuration. Do not use <tab> if you use https://github.com/Valloric/YouCompleteMe.
 	let g:UltiSnipsExpandTrigger="<c-e>"
 	let g:UltiSnipsJumpForwardTrigger="<c-t>"
 	let g:UltiSnipsJumpBackwardTrigger="<c-q>"
 	" If you want :UltiSnipsEdit to split your window.
 	let g:UltiSnipsEditSplit="vertical"
 	if has('persistent_undo')      "check if your vim version supports it
 	set undofile                 "turn on the feature  
 	set undodir=$HOME/.vim/undo  "directory where the undo files will be stored
 	endif     
        '';
       vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins;
       vimrcConfig.vam.pluginDictionaries = [
         { names = [ "undotree" "molokai" "Syntastic" "ctrlp" "surround" "snipmate" "nerdtree" "easymotion"]; } 
         { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
         { names = [ "vim-go" ]; ft_regex = "^go\$"; } # wanted: nsf/gocode
         { names = [ "vim-javascript" ]; ft_regex = "^js\$"; }
         { names = [ "vim-jsx" ]; ft_regex = "^js\$"; }
       ];
    })
  ];
 }
--- a/jeschli/default.nix
+++ b/jeschli/default.nix
@ -0,0 +1,9 @@
 _:
 {
  imports = [
    ../krebs
    ./2configs
 #    ./3modules
 #    ./5pkgs
  ];
 }
--- a/jeschli/source.nix
+++ b/jeschli/source.nix
@ -0,0 +1,22 @@
 with import <stockholm/lib>;
 host@{ name, secure ? false, override ? {} }: let
  builder = if getEnv "dummy_secrets" == "true"
              then "buildbot"
              else "jeschli";
  _file = <stockholm> + "/jeschli/1systems/${name}/source.nix";
 in
  evalSource (toString _file) [
    {
      nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
      nixpkgs.git = {
        url = https://github.com/nixos/nixpkgs;
        ref = "f9390d6";
      };
      secrets.file = getAttr builder {
        buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
        jeschli = "${getEnv "HOME"}/secrets/${name}";
      };
      stockholm.file = toString <stockholm>;
    }
    override
  ]
--- a/krebs/2configs/save-diskspace.nix
+++ b/krebs/2configs/save-diskspace.nix
@ -1,7 +1,6 @@
 {lib, ... }:
 # TODO: do not check out nixpkgs master but fetch revision from github
 {
  environment.noXlibs = true;
  nix.gc.automatic = true;
  nix.gc.dates = lib.mkDefault "03:10";
  programs.info.enable = false;
--- a/krebs/3modules/backup.nix
+++ b/krebs/3modules/backup.nix
@ -83,6 +83,7 @@ let
          rsync
          utillinux
        ];
        restartIfChanged = false;
        serviceConfig = rec {
          ExecStart = start plan;
          SyslogIdentifier = ExecStart.name;
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@ -44,6 +44,7 @@ let
      ./tinc_graphs.nix
      ./urlwatch.nix
      ./repo-sync.nix
      ./xresources.nix
      ./zones.nix
    ];
    options.krebs = api;
@ -104,8 +105,9 @@ let
  };
  imp = lib.mkMerge [
-    { krebs = import ./lass   { inherit config; }; }
+    { krebs = import ./jeschli { inherit config; }; }
    { krebs = import ./krebs  { inherit config; }; }
    { krebs = import ./lass   { inherit config; }; }
    { krebs = import ./makefu { inherit config; }; }
    { krebs = import ./mv     { inherit config; }; }
    { krebs = import ./nin    { inherit config; }; }
@ -225,21 +227,26 @@ let
            };
          })
        //
-        # GitHub's IPv4 address range is 192.30.252.0/22
+        {
-        # Refs https://help.github.com/articles/github-s-ip-addresses/
+          github = {
-        # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
+            hostNames = [
-        # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
+              "github.com"
-        # we split each /24 into its own entry.
+              # List generated with
-        listToAttrs (map
+              # curl -sS https://api.github.com/meta | jq -r .git[] | cidr2glob
-          (c: {
+              "192.30.253.*"
-            name = "github${toString c}";
+              "192.30.254.*"
-            value = {
+              "192.30.255.*"
-              hostNames = ["github.com"] ++
+              "185.199.108.*"
-                map (d: "192.30.${toString c}.${toString d}") (range 0 255);
+              "185.199.109.*"
-              publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
+              "185.199.110.*"
-            };
+              "185.199.111.*"
-          })
+              "18.195.85.27"
-          (range 252 255))
+              "18.194.104.89"
              "35.159.8.160"
            ];
            publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
          };
        }
        //
        mapAttrs
          (name: host: {
--- a/krebs/3modules/jeschli/default.nix
+++ b/krebs/3modules/jeschli/default.nix
@ -0,0 +1,134 @@
 { config, ... }:
 with import <stockholm/lib>;
 {
  hosts = mapAttrs (_: recursiveUpdate {
    owner = config.krebs.users.jeschli;
    ci = true;
  }) {
    bln = {
      nets = {
        retiolum = {
          ip4.addr = "10.243.27.28";
          ip6.addr = "42::28";
          aliases = [
            "bln.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIECgKCBAEAwoN2f6iyQ1Wnk4rZVqhovny8VpwWvC9buE+NoedRaxmWmA5QIP02
            BLwTWFKnbiKOQiYN+a4m/JKs0fFOjYCa2EKhqWWKwdEIN4wJTq8zrjzIaa2rdz+8
            tamE+8rSYDE+RbJ6Gs3SUDfwcxJT6FXCi3JYoirdhAssLSwTf9d5IsfXvkKMabky
            FpY9Im51utmIR8UmYL4Ti7dEaOxif+5Hgl1LuitC8e2IIZJhXJprK9tJk9J0LRWt
            PUM31IG1+A2hNBzs5hferLmmwFvYF1sJ22NtFepxVyOLaLcLEFKWHyU+14qEMSgL
            acsu0lgVZ4A1TY6vVBmawfVCzUzRfalNIty1x+qDA4MB1RQ4W7ivWCjd/+wirSyc
            BLxCvriXRdUwPIRoHy0kNMmS83HGm2iv2IrHUrcH8lyJvMys216J2lCF2arRVnBn
            lArObfR3mXgd/YoANmZ4cinLAjLCjCjXfOe39+pvTFph6WnDt4gOO+tQlnCk19Fa
            NoiK1THcuZiFVE+4CAXVmstNqYKSMgw+Upw7/t6iUzur98iwKpcicomhJjGVVtbg
            2iDf4lYVrUyb7iPns2T4EzAuHk7iESktEASU5creSbWYRu/4uyhuNlUoiCpVOEKg
            H9jkrLlCpQGv/GmgdH9oj35Dsv5TINauCT2jjWV65wcKAlvyafy5UtLyF4HBRHaM
            2xyxC9gxr8bmeOFyOnHVJQvpkeLxyaRp/VppjCTzr82TQvpZd5a+tISIbDGfqX1o
            cEyPsowb3KHNtW9DqRBp+80fPGnQHsNjVXbJb37wjpnR/ePg/XyENbZF/OQEsjqt
            bki8hZQXKJAFyx1bq/2A1q4ocx7JlJKynL4szG1unHbSPKNH2OOVvoezuP7e+lXU
            gnzrSbe9lPIOp4Vu1HjWOi6tNWZFoZrSHVIK+VGxm+wm/HoS+Enj4Yq+vRvU3luv
            UllR5KHHK2970RbFEUE0zaVMZjQn5KgJjFXfqfrCztp0wZ5CQo+tRFPq35llaIQ2
            0WyT2IZlxt1Xr2IpOM0DpO4SJnivZT/wdZN7upzsUPf4a9suztpA3KcKAKqH0OM5
            fv2/LXspc73vACAOZ9qDJnwp8bFrMOaQdAL1oPpOLB3yYTDA3E20IAQ6OKoSy1Nl
            B4coqo1gBCcMrWwVFYAuc5J4itXJ0SSj67+WUnuDzPm88LI3g+AO0r1m6k6YdA58
            SeNxYPMLYNLRg86rsjKjXu+QyvBsd04O/QvIxpTFCtdjbUXNS1H4++/inYZSwWPp
            U0lN9erLJbwr4WqU/Mn6J+jKijXwmCSiF5if5baszMsOL/0u9yFt6OcaLyehE3sJ
            eAo00n9phSna0lxtbtRnh/Gd4D7rFcX33wIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
    };
    brauerei = {
      nets = {
        retiolum = {
          ip4.addr = "10.243.27.29";
          ip6.addr = "42::29";
          aliases = [
            "brauerei.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIECgKCBAEAvC4AjkAoH01sKDXE3xVM2YUpPQ9iewIPQCCCSWYZQh2BWOfl+FFs
            pW3ix5FjAzTxzkIf5NxW0usff8UTkFHB+sGZLZ9DPqvb8AM4GJsvXR06LORHtBlo
            Vt/g1sndD3i3NXn5IJ2G4mZDImQjI3vuTkPyFQsR5LRAaPQgIORHBtN/X1UEVMRq
            gThUeMb1kZ/y4AmUx0pepQYmAcYf0cN/7r9n68dWJCZ7DWX3q49bIz4TPG519IQp
            KzoCtdXImKl6cFDepa2pRmIW4SPaDXztHDmXoJA1NBfdDOMOW67FUjzhcwZS9usM
            q9x/1Tph63PJy4Vc0jsJnY29WrInx/nVAb22QuTOXQ9SfBNoOATYoFoVmY+yw1FX
            67y3bRbq8lQk1y3F2vZVYxQ52WiYLmtNtuzUMZHErL7VgFIEfQKoO2Oa/WZXdgSJ
            Asmn67NSicc5QNI4rBUthju1JDuM/3ja0yCXh7trDCmPxKd94KzxMlq9VA6S2f/Q
            uke3VnXEDqOWOZdcon5DnRTT1y4xjk1XHuO/9tVDcrL7x1unkdGL9BNMU6opJiLm
            batAtKQ/7EJrlgIxYpEQyCNAjj0dEn0BgNZNqQSKkeGe6giVMuHtnXeTYMEraDas
            DWxHmGOvYWrs3tZdELkB/h/y7DdijOabS4AlLOljKHiacw8e0D7p9qeIU2EwRaXD
            ebPYaAIIWn1FU1aCYpvF4YJYbdNJZg6aKpoWNz86ZjO9t3GBkf612xB7fRO9mbTg
            Ww2Hl6lir0rnlo7P9M1xhQqmZ0phaUjkqYRCaTOW1kC5ACpJJ/Jrq0oyplHVBY8Y
            IvzPDA4nu/YOpyhQjlQwcVt62NgW0CZdwp3ZnMMoy7akgEo71bjoHbRxAeWy5oRB
            5CgGvQAB+qdf97XjZ5RggWQ2rglkCn49X4fXN6r4zuaIji1VVFTEZGRNsi0vt1YC
            Eedz68auu1ZDO1qwNcX00n94E09B05DQBjE/6SAX6wBCY/BwUtzdQ9JnyfHNSl8i
            dmHBPLssB9Dku4U0mo+LLer+bf6fiR7r5gp/KRuY/tMGFahprZRfWFtyO2Pg1cYI
            HCdmDmSlbFq3EJmBl0egbU8Ym1m6t4EvPcoTxwy3ljZWybHlhm4wvhGcA/2bDRZA
            jcXSL3G7buBOf8WJNYnMXCtPEyIYUdRyNvz3EUfvmbzZDhHd/bc0pJRrrtI7HqoF
            +g67gCrtXx6i9PD0LSDJ1jExMZcmU1+DPg0dzDEmLHvW+HW538/HXGJ8FsunWBwD
            /8wsQfoqAwlBSucLHDDrYVvfSp0+TLzg/HDMhNkcN7d5hm3syrI+IN4gEEjYeZIO
            g7fjR1X7g5FGCDQnRA/dzNsZVnk6UFpCRwIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
    };
    reagenzglas = {
      nets = {
        retiolum = {
          ip4.addr = "10.243.27.27";
          ip6.addr = "42::27";
          aliases = [
            "reagenzglas.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIECgKCBAEA4Tbq6aiMhPz55Of/WDEmESGmScRJedQSJoyRuDEDabEktdbP/m7P
            bwpLp0lGYphx42+lutFcYOGoH/Lglfj39yhDcrpkYfTnzcGOWutXGuZ+iR5vmGj0
            utJRf/4+a4sB5NboBVZ9Ke/RTjDNSov00C2hFCYTXz89Gd2ap1nDPQpnejOS+9aO
            2W6P/WIKhRH7TfW6M7mUCrjVxWXZgdfSCQYxAXU/+1uAGmJ9qlGlQUIGUGv9Znv5
            hurqwAHzSgEkKc2iUumosz6a8W9Oo3TAEC+jMEO2l/+GJ/8VysG1wtLWDX03GU3u
            mBAtrJppEw4QNPTeFg6XSFIwV8Z0fWZ4lGsPJLbAkLUMxtKVWKbdrdpnmiQpLfBW
            8BRbT1pjwEdw0hefA6NwCO3/Y5piEaUEz/gYz9xHFMDXUj9stHtaF0HaqonWyb06
            aX3EEqRBxVsj6/Sgd33b77xqY4WBoOlbhfWj+EAD1Ova26lHELpAg0Z4AncpyOzw
            pJcX81U8GgQp899YAc3EAldFfiu094CvM2NKd110K90VlTpos+sqFfNE87vpprMu
            3d1NsYzf+FUM/aXASlqTNL+i8qBDAlODkLdj4+VZ2BjkSH+p2BLZouizSzu4X3I/
            lfy554Dbb/98zlwmX9JrWzBRs2GxxFdIDZ1jK+Ci5qM7oTfujBwiE4jZA6wlK8u5
            +IenSBdaJb0J8nS0Bziz/BLkuBCrl/YFelpZlY0pw6WYlraKbf/nsOpumOYh6zdz
            9jiIPElGvso9FhwigX7xWCiYMK3ryAqm8CL0cTscQW3Yy2JKm1tNIQtAacwnNVli
            PqdnPJSo942I+Fl6ZPjZ19ivJIqC+2TjGEY2Et8DkiL6YZfy4bM1zhoWMlXBIil0
            ynnKR/h/CC67cq94JCbtRWKiYXIYtfHPQkS7S1Lk6aSYbIch/wROyh7XJ7EGE7nn
            GAVMqI/P/qbW3rwEJGXzI4eJAHa2hwpP2Slimf6uUD/6L2bAnduhYoTsnNSjJmNE
            hCC+MHohzk7+isZl0jwIEcMpsohMAwoa5BEhbuYJWeUesT/4PeddLIGYubTZAXp2
            ZdYRepSNUEhSZV0H99MhlqeooDJxnWpsiba5Gb0s6p4gTReGy0jMtWnxI2P5RUFX
            vEGt77v4MGrWYTzAL/ZRmESsOj7TXqpSK5YcMC2nr8PcV66LuMjOkRrGoVOV3fBe
            G/9pNVb68SRwfPoGa5nGe6C7GPcgko9rgGLLcU1r/4L2bqFhdIQdSfaUX2Hscm44
            5GdN2UvuwwVxOyU1uPqJcBNnr2yt3x3kw5+zDQ00z/pFntTXWm19m6BUtbkdwN2x
            Bn1P3P/mRTEaHxQr9RGg8Zjnix/Q6G7I5QIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
    };
  };
  users = {
    jeschli = {
      mail = "jeschli@gmail.com";
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01";
    };
    jeschli-bln = {
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhQdDQFMxXOjbC+Avx3mlcFHqQpFUk/q9sO6ATA65jCV3YzN11vhZDDv54hABVS2h8TPXs7Lu3PCvK9qouASd2h4Ie9cExUmn50G/iwgFIODsCugVYBzVt1iwaAdwz1Hb9DKYXbVXanzVJjimmrrlQNvsyZg85lcnfyedpPX5ad+4FdSP68LHqEHC18LTitldR6V4P1omaKHlOtVpDgR/72tDgbtNZDBn3EU+TPk9OLTzjc6PinPw4iIvjEfiu14APwXpFDIqT7P7SjOEFpa0v/1z7dhxIy/Z9XbqyEdUfhv3PjZR5K2C+VzR7g6jVEVR2xFId51MpLv/Un4/lalbphBEw3I90Rr8tatOJiFhyrXbaKTcLqp1sIu05OxdPkm3hzfmLIhoKxhaIlXH7WQ9sAqxL1NAQ7O+J6yT4DMnwKzvpkkJjBaGtV84Pp1cccfNRH8XXID3FkWkrUpdgXWBpyLnRq4ilUJTajkU0GSdXkq8kLL3mWg9LPRTg3dmDj61ZB/qhjM61ppwHJvDRN9WI5HruXIU6nOQjh5yE2C/JZfLcsZD4Y1UDBy5/JSZrCVT2sQjFopkkYEkRCbX7oITHOH4iyRdxZkKWLUPboFrcmBpXO+owCEhO4JZrtfFWMC6qM++nrmiZWOrdIOIvdYHWluhKR2shlkisEKQP5pUqkw== markus.hihn@dcso.de";
    };
   jeschli-brauerei = {
     pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos";
   };
  };
 }
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -44,7 +44,7 @@ with import <stockholm/lib>;
      cores = 2;
      nets = rec {
        internet = {
-          ip4.addr = "45.62.226.163";
+          ip4.addr = "64.137.242.41";
          aliases = [
            "echelon.i"
          ];
@ -535,44 +535,46 @@ with import <stockholm/lib>;
        };
      };
    };
-    reagenzglas = {
+    xerxes = {
-      ci = false;
+      cores = 2;
-      external = true;
+      nets = rec {
      nets = {
        retiolum = {
-          ip4.addr = "10.243.27.27";
+          ip4.addr = "10.243.1.3";
-          ip6.addr = "42::27";
+          ip6.addr = "42::1:3";
          aliases = [
-            "reagenzglas.r"
+            "xerxes.r"
          ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
-            MIIECgKCBAEA4Tbq6aiMhPz55Of/WDEmESGmScRJedQSJoyRuDEDabEktdbP/m7P
+            MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
-            bwpLp0lGYphx42+lutFcYOGoH/Lglfj39yhDcrpkYfTnzcGOWutXGuZ+iR5vmGj0
+            MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
-            utJRf/4+a4sB5NboBVZ9Ke/RTjDNSov00C2hFCYTXz89Gd2ap1nDPQpnejOS+9aO
+            gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
-            2W6P/WIKhRH7TfW6M7mUCrjVxWXZgdfSCQYxAXU/+1uAGmJ9qlGlQUIGUGv9Znv5
+            /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
-            hurqwAHzSgEkKc2iUumosz6a8W9Oo3TAEC+jMEO2l/+GJ/8VysG1wtLWDX03GU3u
+            mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
-            mBAtrJppEw4QNPTeFg6XSFIwV8Z0fWZ4lGsPJLbAkLUMxtKVWKbdrdpnmiQpLfBW
+            X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
-            8BRbT1pjwEdw0hefA6NwCO3/Y5piEaUEz/gYz9xHFMDXUj9stHtaF0HaqonWyb06
+            +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
-            aX3EEqRBxVsj6/Sgd33b77xqY4WBoOlbhfWj+EAD1Ova26lHELpAg0Z4AncpyOzw
+            hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
-            pJcX81U8GgQp899YAc3EAldFfiu094CvM2NKd110K90VlTpos+sqFfNE87vpprMu
+            3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
-            3d1NsYzf+FUM/aXASlqTNL+i8qBDAlODkLdj4+VZ2BjkSH+p2BLZouizSzu4X3I/
+            H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
-            lfy554Dbb/98zlwmX9JrWzBRs2GxxFdIDZ1jK+Ci5qM7oTfujBwiE4jZA6wlK8u5
+            JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
-            +IenSBdaJb0J8nS0Bziz/BLkuBCrl/YFelpZlY0pw6WYlraKbf/nsOpumOYh6zdz
+            hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
-            9jiIPElGvso9FhwigX7xWCiYMK3ryAqm8CL0cTscQW3Yy2JKm1tNIQtAacwnNVli
+            SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
-            PqdnPJSo942I+Fl6ZPjZ19ivJIqC+2TjGEY2Et8DkiL6YZfy4bM1zhoWMlXBIil0
+            4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
-            ynnKR/h/CC67cq94JCbtRWKiYXIYtfHPQkS7S1Lk6aSYbIch/wROyh7XJ7EGE7nn
+            vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
-            GAVMqI/P/qbW3rwEJGXzI4eJAHa2hwpP2Slimf6uUD/6L2bAnduhYoTsnNSjJmNE
+            Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
-            hCC+MHohzk7+isZl0jwIEcMpsohMAwoa5BEhbuYJWeUesT/4PeddLIGYubTZAXp2
+            scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
-            ZdYRepSNUEhSZV0H99MhlqeooDJxnWpsiba5Gb0s6p4gTReGy0jMtWnxI2P5RUFX
+            jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
-            vEGt77v4MGrWYTzAL/ZRmESsOj7TXqpSK5YcMC2nr8PcV66LuMjOkRrGoVOV3fBe
+            Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
-            G/9pNVb68SRwfPoGa5nGe6C7GPcgko9rgGLLcU1r/4L2bqFhdIQdSfaUX2Hscm44
+            /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
-            5GdN2UvuwwVxOyU1uPqJcBNnr2yt3x3kw5+zDQ00z/pFntTXWm19m6BUtbkdwN2x
+            bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
-            Bn1P3P/mRTEaHxQr9RGg8Zjnix/Q6G7I5QIDAQAB
+            sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
      secure = true;
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
    };
  };
  users = {
@ -602,6 +604,10 @@ with import <stockholm/lib>;
      mail = "lass@icarus.r";
      pubkey = builtins.readFile ./ssh/icarus.rsa;
    };
    lass-xerxes = {
      mail = "lass@xerxes.r";
      pubkey = builtins.readFile ./ssh/xerxes.rsa;
    };
    fritz = {
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
    };
@ -622,8 +628,5 @@ with import <stockholm/lib>;
      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
      mail = "joerg@higgsboson.tk";
    };
    jeschli = {
      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMPuFzd6p3zZETIjoV5mRxCTQgeZk9s/P374mEDbj58wDTT0uGWu2JRf7cL1QRTvd5238tYl0eSHXH65+oaFB/mIvmiRnuw6qQODOMHlSbJN5/J2hEw/3v5gveiP1xNLfKlFhj6mmMRF7Etvzns/kLGLCSjj1UTlfo4iHmtinPmU+iQ8J4foS4cZj4oZesF8gndkc2EFMfL6en7EuU8GK6U9GtwKNL9N4UoUZXu8Nf00pkn/jrpmsDdI4zdVVAxWeu/Lo4li43EVixLcfwQiwzf6S9FvYIv30xPdy92GJSJwxm/QkYuc48VZWUoE+qThf3IEPETtX+MRZrM8RTtY01";
    };
  };
 }
--- a/krebs/3modules/lass/ssh/xerxes.rsa
+++ b/krebs/3modules/lass/ssh/xerxes.rsa
@ -0,0 +1 @@
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGjBN0aFs6GxNwMjCvlddbN6+vb6LZuWiWWe+wbAynaGuGbae0TXCLp0/eMNy7fH8poDjpdW9M4mKbBFKOqyG8WJLCPFoQw761tjKl1hccJn0hFSkQAEGKxtfzHlAl/Mz+59yvqNg7/WNSivv41hE7btYltzRy238VQDYFv2eLM7acyxrgGo7tWOtkbpfELj5cM8Qw1j3TF9bGV5pK6IOEtaHbmalS8Iiz77syAu+6E/y6zKBTtGMHI15l6RNJ/Y7A1LM/WwuNL+9dJMYWJFVHy3/4dpaxiioHREiSawUbz9wNHknCrT6vaPCIVVcujhz9Oee1C5UiYUyyfJrFYdlzaTg7FuLNIt2hKMY6NYx1D8/Pwpq1JOsaEfK/K5ytCgaJb115mRevcaUA5s7KYNWHmmZvy08JzCgSM6ZPRtfkQIcha77wVq6DugJ+KgBz+oADQRKiaMrumOMldd0B3q4Oxb71gDTE1XLAbWJnd/0Up1H5GAtZZUUrMUslZiU/23R6SOkyEMLWQTx/KgkWcz8DZLtib5o03uZpfJDVqp2CR+sjmy4x9aa+lSaOzuZP0KRyg+mOKl0o3zL7TNAzrzSCORVBg7nOh+0SPJkDxVRkc6dVY1L3ZOfdm2P/19fhWEr5ECgVrmYYKnDPwWY1iWJlZsiEc3Mj7KB1m44ov0FJg2hiNnydImqcXTCoszp515MBmeHnpqJsqEZuWS8dAnaEiOwZaSKIO1E7lQ7CoP86+eD4yAwLq6fb2tgjHT69LgDMaIha4hMfrO2o4UDVw9OZMfnPtyatI4pxplaQDoQM1p0dej0rZ7uxL1tfoKAyT0UCdtjhxfnNs0x1gOQbML4eGbqyKuyF82eOQRgKRDqH/tParoE4SRBVi7o3s0kILRmXA3ng3n1uhEiGwPTH8JsQ9huM+XOhH8+CzQeg4yb/jCrhsDzvLaW654+ouq9G+kjwqmO4vLNs5eZxfae84rppbS2MJqK1x8rkJixvKBKEfvYJOuDNV+hXyMbToaq8qtGy7cCSq4+UDio3DsSHY0Tpt9e+yEzoOOqFQLQyq6uHv/+u9MY+VADoa4N64U3S2SXul9tE3g6hOAY0F5BYMbxQSuj59kzwghlAmbsyWN2FCmWdsfCQkkZX7wCTj20DtZB/GdVSGNgHGAoU5JZrXKca3A2Yc9hzbYjyNYr0NmQ9NUbkbaOkcYJRIUXtS2OBOHP+FoUkkqL3ieKXR07l5xJbWLzbyVUxN9Zii4Baj5xnDO/RLZPDvTUxbER/0d1orMZztL2EKmfSn4j4uhWqpi04Rg9sWH+WVLAq22EKhAuqcFEOUimjcyZWYKxcAq5Z51NJNBQB7euz55eCJUZkBUYEpNuYr0UDlmBxKB2r6ZWDeNXT7eLxBdwDHCHSqXV7qOG1vMhHtjbbxmQMnkQ4InhO9TdpaN3tj67nGmc6hhgYO4b7NvyL1/pvDPrHrR/3GzkDkwqvt3uESdVdqAJSCk6gFh9V1aGs= lass@xerxes
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@ -173,6 +173,7 @@ let
          REPONAME = "${name}.git";
        };
        restartIfChanged = false;
        serviceConfig = {
          Type = "simple";
          PermissionsStartOnly = true;
--- a/krebs/3modules/xresources.nix
+++ b/krebs/3modules/xresources.nix
@ -17,7 +17,7 @@ in
 {
  options = {
-    services.xresources.enable = mkOption {
+    krebs.xresources.enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
@ -25,7 +25,7 @@ in
      '';
    };
-    services.xresources.resources = mkOption {
+    krebs.xresources.resources = mkOption {
      default = {};
      type = types.attrsOf types.str;
      example = {
@ -42,7 +42,7 @@ in
  config =
    let
-      cfg = config.services.xresources;
+      cfg = config.krebs.xresources;
      xres = writeText "xresources" (concatStringsSep "\n" (attrValues cfg.resources));
    in mkIf cfg.enable {
--- a/krebs/5pkgs/haskell/nix-diff/default.nix
+++ b/krebs/5pkgs/haskell/nix-diff/default.nix
@ -4,12 +4,15 @@
 }:
 mkDerivation {
  pname = "nix-diff";
-  version = "1.0.0";
+  version = "1.0.0-krebs1";
  src = fetchgit {
    url = "https://github.com/Gabriel439/nix-diff";
    sha256 = "1k00nx8pannqmpzadkwfrs6bf79yk22ynhd033z5rsyw0m8fcz9k";
    rev = "e32ffa2c7f38b47a71325a042c1d887fb46cdf7d";
  };
  patches = [
    ./nixos-system.patch
  ];
  isLibrary = false;
  isExecutable = true;
  executableHaskellDepends = [
--- a/krebs/5pkgs/haskell/nix-diff/nixos-system.patch
+++ b/krebs/5pkgs/haskell/nix-diff/nixos-system.patch
@ -0,0 +1,18 @@
 diff --git a/src/Main.hs b/src/Main.hs
 index 959ab8e..d3b6077 100644
 --- a/src/Main.hs
 +++ b/src/Main.hs
@@ -95,7 +95,12 @@ pathToText path =
     underneath `/nix/store`, but this is the overwhelmingly common use case
 -}
 derivationName :: FilePath -> Text
 -derivationName = Data.Text.dropEnd 4 . Data.Text.drop 44 . pathToText
 +derivationName p =
 +    if Data.Text.isPrefixOf "nixos-system" s
 +      then "nixos-system"
 +      else s
 +  where
 +    s = Data.Text.dropEnd 4 . Data.Text.drop 44 . pathToText $ p
 -- | Group input derivations by their name
 groupByName :: Map FilePath (Set Text) -> Map Text (Map FilePath (Set Text))
--- a/krebs/5pkgs/simple/cidr2glob.nix
+++ b/krebs/5pkgs/simple/cidr2glob.nix
@ -0,0 +1,30 @@
 { python, writeScriptBin, ... }:
 let
  pythonEnv = python.withPackages (ps: [ ps.netaddr ]);
 in
  writeScriptBin "cidr2glob" ''
    #! ${pythonEnv}/bin/python
    import netaddr
    import re
    import sys
    def cidr2glob(cidr):
        net = netaddr.IPNetwork(cidr)
        if net.prefixlen <= 8:
            return map(lambda subnet: re.sub(r'\.0\.0\.0$', '.*', str(subnet.ip)), net.subnet(8))
        elif net.prefixlen <= 16:
            return map(lambda subnet: re.sub(r'\.0\.0$', '.*', str(subnet.ip)), net.subnet(16))
        elif net.prefixlen <= 24:
            return map(lambda subnet: re.sub(r'\.0$', '.*', str(subnet.ip)), net.subnet(24))
        else:
            return map(lambda ip: str(ip), list(net))
    if __name__ == "__main__":
        for cidr in sys.stdin:
            for glob in cidr2glob(cidr):
                print glob
  ''
--- a/krebs/5pkgs/simple/populate/default.nix
+++ b/krebs/5pkgs/simple/populate/default.nix
@ -1,24 +1,27 @@
-{ coreutils, fetchgit, git, jq, openssh, proot, rsync, stdenv, ... }:
+{ coreutils, fetchgit, findutils, git, gnused, jq, openssh, pass, rsync, stdenv
 }:
 let
  PATH = stdenv.lib.makeBinPath [
    coreutils
    findutils
    git
    gnused
    jq
    openssh
-    proot
+    pass
    rsync
  ];
 in
 stdenv.mkDerivation rec {
  name = "populate";
-  version = "1.2.5";
+  version = "2.1.0";
  src = fetchgit {
    url = http://cgit.ni.krebsco.de/populate;
    rev = "refs/tags/v${version}";
-    sha256 = "10s4x117zp5whqq991xzw1i2jc1xhl580kx8hhzv8f1b4c9carx1";
+    sha256 = "0cr50y6h6nps0qgpmi01h0z9wzpv2704y5zgx2salk1grkmvcfmh";
  };
  phases = [
--- a/krebs/source.nix
+++ b/krebs/source.nix
@ -7,13 +7,16 @@ host@{ name, secure ? false }: let
 in
  evalSource (toString _file) {
    nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
-    secrets.file = getAttr builder {
+    secrets = getAttr builder {
-      buildbot = toString <stockholm/krebs/6tests/data/secrets>;
+      buildbot.file = toString <stockholm/krebs/6tests/data/secrets>;
-      krebs = "${getEnv "HOME"}/secrets/krebs/${host.name}";
+      krebs.pass = {
        dir = "${getEnv "HOME"}/brain";
        name = "krebs-secrets/${name}";
      };
    };
    stockholm.file = toString <stockholm>;
    nixpkgs.git = {
      url = https://github.com/NixOS/nixpkgs;
-      ref = "0c5a587eeba5302ff87e494baefd2f14f4e19bee"; # nixos-17.09 @ 2017-11-10
+      ref = "cb751f9b1c3fe6885f3257e69ce328f77523ad77"; # nixos-17.09 @ 2017-12-13
    };
  }
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@ -20,20 +20,26 @@ with import <stockholm/lib>;
      boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
      boot.kernelModules = [ "kvm-intel" ];
-      fileSystems."/" =
+      fileSystems."/" = {
-        { device = "/dev/pool/root";
+        device = "/dev/pool/root";
-          fsType = "btrfs";
+        fsType = "btrfs";
-        };
+      };
-      fileSystems."/boot" =
+      fileSystems."/boot" = {
-        { device = "/dev/disk/by-uuid/1F60-17C6";
+        device = "/dev/disk/by-uuid/1F60-17C6";
-          fsType = "vfat";
+        fsType = "vfat";
-        };
+      };
-      fileSystems."/home" =
+      fileSystems."/home" = {
-        { device = "/dev/pool/home";
+        device = "/dev/pool/home";
-          fsType = "btrfs";
+        fsType = "btrfs";
-        };
+      };
      fileSystems."/tmp" = {
        device = "tmpfs";
        fsType = "tmpfs";
        options = ["nosuid" "nodev" "noatime"];
      };
      nix.maxJobs = lib.mkDefault 8;
    }
@ -150,4 +156,7 @@ with import <stockholm/lib>;
  services.printing.drivers = [ pkgs.postscript-lexmark ];
  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';
 }
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -179,7 +179,7 @@ with import <stockholm/lib>;
        echo 'secrets are crypted' >&2
        exit 23
      else
-        exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
+        exec nix-shell -I stockholm="$PWD" --run 'deploy --diff --system="$SYSTEM"'
      fi
    '';
    predeploy = pkgs.writeDash "predeploy" ''
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -186,6 +186,7 @@ in {
      #hotdog
      containers.hotdog = {
        config = { ... }: {
          environment.systemPackages = [ pkgs.git ];
          services.openssh.enable = true;
          users.users.root.openssh.authorizedKeys.keys = [
            config.krebs.users.lass.pubkey
@ -201,6 +202,7 @@ in {
      #kaepsele
      containers.kaepsele = {
        config = { ... }: {
          environment.systemPackages = [ pkgs.git ];
          services.openssh.enable = true;
          users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
            lass.pubkey
@ -217,6 +219,7 @@ in {
      #onondaga
      containers.onondaga = {
        config = { ... }: {
          environment.systemPackages = [ pkgs.git ];
          services.openssh.enable = true;
          users.users.root.openssh.authorizedKeys.keys = [
            config.krebs.users.lass.pubkey
@ -287,6 +290,19 @@ in {
    }
    <stockholm/krebs/2configs/reaktor-krebs.nix>
    <stockholm/lass/2configs/dcso-dev.nix>
    {
      krebs.git.rules = [
        {
          user = with config.krebs.users; [
            jeschli
            jeschli-bln
            jeschli-brauerei
          ];
          repo = [ config.krebs.git.repos.stockholm ];
          perm = with git; push "refs/heads/staging/jeschli" [ fast-forward non-fast-forward create delete merge ];
        }
      ];
    }
  ];
  krebs.build.host = config.krebs.hosts.prism;
--- a/lass/1systems/xerxes/config.nix
+++ b/lass/1systems/xerxes/config.nix
@ -0,0 +1,40 @@
 { config, pkgs, ... }:
 {
  imports = [
    <stockholm/lass>
    <stockholm/lass/2configs/hw/gpd-pocket.nix>
    <stockholm/lass/2configs/boot/stock-x220.nix>
    <stockholm/lass/2configs/retiolum.nix>
    <stockholm/lass/2configs/exim-retiolum.nix>
    <stockholm/lass/2configs/baseX.nix>
    <stockholm/lass/2configs/browsers.nix>
    <stockholm/lass/2configs/programs.nix>
    <stockholm/lass/2configs/fetchWallpaper.nix>
  ];
  krebs.build.host = config.krebs.hosts.xerxes;
  services.udev.extraRules = ''
    SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0"
  '';
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437";
    fsType = "btrfs";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/16C8-D053";
    fsType = "vfat";
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358";
    fsType = "btrfs";
  };
  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ];
  networking.wireless.enable = true;
 }
--- a/lass/1systems/xerxes/source.nix
+++ b/lass/1systems/xerxes/source.nix
@ -0,0 +1,11 @@
 with import <stockholm/lib>;
 import <stockholm/lass/source.nix> {
  name = "xerxes";
  secure = true;
  override = {
    nixpkgs.git = mkForce {
      url = https://github.com/lassulus/nixpkgs;
      ref = "3eccd0b";
    };
  };
 }
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -41,7 +41,7 @@ in {
          default = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
        };
      };
-      config.services.xresources.resources.X = ''
+      config.krebs.xresources.resources.X = ''
        *.font:       ${config.lass.fonts.regular}
        *.boldFont:   ${config.lass.fonts.bold}
        *.italicFont: ${config.lass.fonts.italic}
@ -66,12 +66,12 @@ in {
  environment.systemPackages = with pkgs; [
    acpi
    bank
    dic
    dmenu
    gi
    git-preview
    gitAndTools.qgit
    haskellPackages.hledger
    lm_sensors
    mpv-poll
    much
@ -112,11 +112,7 @@ in {
    xkbOptions = "caps:backspace";
  };
  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';
  services.urxvtd.enable = true;
-  services.xresources.enable = true;
+  krebs.xresources.enable = true;
  lass.screenlock.enable = true;
 }
--- a/lass/2configs/br.nix
+++ b/lass/2configs/br.nix
@ -18,7 +18,7 @@ with import <stockholm/lib>;
      netDevices = {
        bra = {
          model = "MFCL2700DN";
-          ip = "10.23.42.221";
+          ip = "10.42.23.221";
        };
      };
    };
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@ -47,7 +47,7 @@ let
  createFirefoxUser = name: extraGroups: precedence:
    let
      bin = pkgs.writeScriptBin name ''
-        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
+        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox-devedition-bin}/bin/firefox-devedition $@
      '';
    in {
      users.extraUsers.${name} = {
--- a/lass/2configs/dcso-dev.nix
+++ b/lass/2configs/dcso-dev.nix
@ -15,8 +15,10 @@ in {
      createHome = true;
      openssh.authorizedKeys.keys = [
        config.krebs.users.lass.pubkey
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDhQdDQFMxXOjbC+Avx3mlcFHqQpFUk/q9sO6ATA65jCV3YzN11vhZDDv54hABVS2h8TPXs7Lu3PCvK9qouASd2h4Ie9cExUmn50G/iwgFIODsCugVYBzVt1iwaAdwz1Hb9DKYXbVXanzVJjimmrrlQNvsyZg85lcnfyedpPX5ad+4FdSP68LHqEHC18LTitldR6V4P1omaKHlOtVpDgR/72tDgbtNZDBn3EU+TPk9OLTzjc6PinPw4iIvjEfiu14APwXpFDIqT7P7SjOEFpa0v/1z7dhxIy/Z9XbqyEdUfhv3PjZR5K2C+VzR7g6jVEVR2xFId51MpLv/Un4/lalbphBEw3I90Rr8tatOJiFhyrXbaKTcLqp1sIu05OxdPkm3hzfmLIhoKxhaIlXH7WQ9sAqxL1NAQ7O+J6yT4DMnwKzvpkkJjBaGtV84Pp1cccfNRH8XXID3FkWkrUpdgXWBpyLnRq4ilUJTajkU0GSdXkq8kLL3mWg9LPRTg3dmDj61ZB/qhjM61ppwHJvDRN9WI5HruXIU6nOQjh5yE2C/JZfLcsZD4Y1UDBy5/JSZrCVT2sQjFopkkYEkRCbX7oITHOH4iyRdxZkKWLUPboFrcmBpXO+owCEhO4JZrtfFWMC6qM++nrmiZWOrdIOIvdYHWluhKR2shlkisEKQP5pUqkw== markus.hihn@dcso.de"
+        config.krebs.users.lass-android.pubkey
        config.krebs.users.jeschli-bln.pubkey
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1T5+2epslFARSnETdr4wdolA6ocJaD4H9tmz6BZFQKXlwIq+OMp+sSEdwYwW3Lu9+mNbBHPxVVJDWg/We9DXB0ezXPM5Bs1+FcehmkoGwkmgKaFCDt0sL+CfSnog/3wEkN21O/rQxVFqMmiJ7WUDGci6IKCFZ5ZjOsmmfHg5p3LYxU9xv33fNr2v+XauhrGbFtQ7eDz4kSywxN/aw73LN4d8em0V0UV8VPI3Qkw7MamDFwefA+K1TfK8pBzMeruU6N7HLuNkpkAp7kS+K4Zzd72aQtR37a5qMiFUbOxQ9B7iFypuPx0iu6ZwY1s/sM8t3kLmcDJ9O4FOTzlbpneet3as6iJ+Ckr/TlfKor2Tl5pWcXh2FXHoG8VUu5bYmIViJBrKihAlAQfQN0mJ9fdFTnCXVTtbYTy11s4eEVHgUlb7oSpgBnx5bnBONgApbsOX9zyoo8wz8KkZBcf1SQpkV5br8uUAHCcZtHuY6I3kKlv+8lJmgUipiYzMdTi7+dHa49gVEcEKL4ZnJ0msQkl4XT7JjKETLvumC4/TIqVuRu48wuYalkCR9OzxCsTXQ/msBJBztPdYLrEOXVb2HfzuCT+43UuMQ5rP/EoPy0TWQO9BaqfEXqvbOvWjVxj/GMvglQ2ChZTwHxwwTKB8qRVvJLnbZQwizQiSrkzjb6hRJfQ== u0_a165@localhost"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCjtdqRxD0+UU7O8xogSqAQYd/Hrc79CTTKnvbhKy7jp2TVfxQpl81ndSH6DN6Cz90mu65C+DFGq43YtKTPqXmTn1+2wru71C2UOl6ZR0tmU7UELkRt4SJuFQLEgQCt3BWvXJPye6cKRRIlb+XZHWyVyCDxHo9EYO2GWI1wIP8mHMltKj65mobHY+R0CJNhhwlFURzTto8C30ejfVg2OW81qkNWqYtpdC9txLUlQ9/LBVKrafHGprmcBEp9qtecVgx8kxHpS7cuQNYoFcfljug4IyFO+uBfdbKqnGM5mra3huNhX3+AcQxKbLMlRgZD+jc47Xs+s5qSvWBou2ygd5T413k/SDOTCxDjidA+dcwzRo0qUWcGL201a5g+F0EvWv8rjre9m0lii6QKEoPyj60y3yfaIHeafels1Ia1FItjkBe8XydiXf7rKq8nmVRlpo8vl+vKwVuJY783tObHjUgBtXJdmnyYGiXxkxSrXa2mQhPz3KodK/QrnqCP27dURcMlp1hFF3LxFz7WtMCLW0yvDuUsuI2pdq0+zdt702wuwXVNIvbq/ssvX/CL8ryBLAogaxN9DN0vpjk+aXQLn11Zt99MgmnnqUgvOKQi1Quog/SxnSBiloKqB6aA10a28Uxoxkr0KAfhWhX3XPpfGMlbVj4GJuevLp0sGDVQT2biUQ== rhaist@RH-NB"
      ];
      packages = with pkgs; [
        emacs25-nox
@ -42,6 +44,10 @@ in {
    };
  };
  krebs.per-user.dev.packages = [
    pkgs.go
  ];
  security.sudo.extraConfig = ''
    ${mainUser.name} ALL=(dev) NOPASSWD: ALL
  '';
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@ -22,6 +22,7 @@ with import <stockholm/lib>;
            config.krebs.users.lass.pubkey
            config.krebs.users.lass-shodan.pubkey
            config.krebs.users.lass-icarus.pubkey
            config.krebs.users.lass-xerxes.pubkey
          ];
        };
        mainUser = {
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@ -48,6 +48,7 @@ with import <stockholm/lib>;
      { from = "tomtop@lassul.us"; to = lass.mail; }
      { from = "aliexpress@lassul.us"; to = lass.mail; }
      { from = "business@lassul.us"; to = lass.mail; }
      { from = "payeer@lassul.us"; to = lass.mail; }
    ];
    system-aliases = [
      { from = "mailer-daemon"; to = "postmaster"; }
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@ -57,7 +57,7 @@ let
 in {
  environment.systemPackages = with pkgs; [
-    dwarf_fortress
+    (dwarf-fortress.override { theme = dwarf-fortress-packages.phoebus-theme; })
    doom1
    doom2
    vdoom1
--- a/lass/2configs/hw/brcmfmac4356-pcie.txt
+++ b/lass/2configs/hw/brcmfmac4356-pcie.txt
@ -0,0 +1,125 @@
 # Sample variables file for BCM94356Z NGFF 22x30mm iPA, iLNA board with PCIe for production package
 NVRAMRev=$Rev: 492104 $
 #4356 chip = 4354 A2 chip
 sromrev=11
 boardrev=0x1102
 boardtype=0x073e
 boardflags=0x02400201
 #0x2000 enable 2G spur WAR
 boardflags2=0x00802000
 boardflags3=0x0000000a
 #boardflags3 0x00000100 /* to read swctrlmap from nvram*/
 #define BFL3_5G_SPUR_WAR   0x00080000   /* enable spur WAR in 5G band */
 #define BFL3_AvVim   0x40000000   /* load AvVim from nvram */
 macaddr=00:90:4c:1a:10:01
 ccode=0x5854
 regrev=205
 antswitch=0
 pdgain5g=4
 pdgain2g=4
 tworangetssi2g=0
 tworangetssi5g=0
 paprdis=0
 femctrl=10
 vendid=0x14e4
 devid=0x43ec
 manfid=0x2d0
 #prodid=0x052e
 nocrc=1
 otpimagesize=502
 xtalfreq=37400
 rxgains2gelnagaina0=0
 rxgains2gtrisoa0=7
 rxgains2gtrelnabypa0=0
 rxgains5gelnagaina0=0
 rxgains5gtrisoa0=11
 rxgains5gtrelnabypa0=0
 rxgains5gmelnagaina0=0
 rxgains5gmtrisoa0=13
 rxgains5gmtrelnabypa0=0
 rxgains5ghelnagaina0=0
 rxgains5ghtrisoa0=12
 rxgains5ghtrelnabypa0=0
 rxgains2gelnagaina1=0
 rxgains2gtrisoa1=7
 rxgains2gtrelnabypa1=0
 rxgains5gelnagaina1=0
 rxgains5gtrisoa1=10
 rxgains5gtrelnabypa1=0
 rxgains5gmelnagaina1=0
 rxgains5gmtrisoa1=11
 rxgains5gmtrelnabypa1=0
 rxgains5ghelnagaina1=0
 rxgains5ghtrisoa1=11
 rxgains5ghtrelnabypa1=0
 rxchain=3
 txchain=3
 aa2g=3
 aa5g=3
 agbg0=2
 agbg1=2
 aga0=2
 aga1=2
 tssipos2g=1
 extpagain2g=2
 tssipos5g=1
 extpagain5g=2
 tempthresh=255
 tempoffset=255
 rawtempsense=0x1ff
 pa2ga0=-147,6192,-705
 pa2ga1=-161,6041,-701
 pa5ga0=-194,6069,-739,-188,6137,-743,-185,5931,-725,-171,5898,-715
 pa5ga1=-190,6248,-757,-190,6275,-759,-190,6225,-757,-184,6131,-746
 subband5gver=0x4
 pdoffsetcckma0=0x4
 pdoffsetcckma1=0x4
 pdoffset40ma0=0x0000
 pdoffset80ma0=0x0000
 pdoffset40ma1=0x0000
 pdoffset80ma1=0x0000
 maxp2ga0=76
 maxp5ga0=74,74,74,74
 maxp2ga1=76
 maxp5ga1=74,74,74,74
 cckbw202gpo=0x0000
 cckbw20ul2gpo=0x0000
 mcsbw202gpo=0x99644422
 mcsbw402gpo=0x99644422
 dot11agofdmhrbw202gpo=0x6666
 ofdmlrbw202gpo=0x0022
 mcsbw205glpo=0x88766663
 mcsbw405glpo=0x88666663
 mcsbw805glpo=0xbb666665
 mcsbw205gmpo=0xd8666663
 mcsbw405gmpo=0x88666663
 mcsbw805gmpo=0xcc666665
 mcsbw205ghpo=0xdc666663
 mcsbw405ghpo=0xaa666663
 mcsbw805ghpo=0xdd666665
 mcslr5glpo=0x0000
 mcslr5gmpo=0x0000
 mcslr5ghpo=0x0000
 sb20in40hrpo=0x0
 sb20in80and160hr5glpo=0x0
 sb40and80hr5glpo=0x0
 sb20in80and160hr5gmpo=0x0
 sb40and80hr5gmpo=0x0
 sb20in80and160hr5ghpo=0x0
 sb40and80hr5ghpo=0x0
 sb20in40lrpo=0x0
 sb20in80and160lr5glpo=0x0
 sb40and80lr5glpo=0x0
 sb20in80and160lr5gmpo=0x0
 sb40and80lr5gmpo=0x0
 sb20in80and160lr5ghpo=0x0
 sb40and80lr5ghpo=0x0
 dot11agduphrpo=0x0
 dot11agduplrpo=0x0
 phycal_tempdelta=255
 temps_period=15
 temps_hysteresis=15
 rssicorrnorm_c0=4,4
 rssicorrnorm_c1=4,4
 rssicorrnorm5g_c0=1,2,3,1,2,3,6,6,8,6,6,8
 rssicorrnorm5g_c1=1,2,3,2,2,2,7,7,8,7,7,8
--- a/lass/2configs/hw/gpd-pocket.nix
+++ b/lass/2configs/hw/gpd-pocket.nix
@ -7,14 +7,22 @@ let
    destination = "/lib/firmware/brcm/brcmfmac4356-pcie.txt";
  };
 in {
  #imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
  hardware.firmware = [ dummy_firmware ];
  hardware.enableRedistributableFirmware = true;
  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" "sdhci_pci" ];
  boot.kernelPackages = pkgs.linuxPackages_4_14;
  boot.kernelParams = [
    "fbcon=rotate:1"
  ];
  services.tlp.enable = true;
  services.xserver.displayManager.sessionCommands = ''
    (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output DSI1 --rotate right)
    (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop 'Goodix Capacitive TouchScreen' 'Coordinate Transformation Matrix' 0 1 0 -1 0 1 0 0 1)
  '';
  services.xserver.dpi = 200;
  fonts.fontconfig.dpi = 200;
  lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola";
  lass.fonts.bold =    "xft:Hack-Bold:pixelsize=22,xft:Symbola";
  lass.fonts.italic =  "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol";
 }
--- a/lass/2configs/hw/x220.nix
+++ b/lass/2configs/hw/x220.nix
@ -29,4 +29,9 @@
      options = ["nosuid" "nodev" "noatime"];
    };
  };
  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';
 }
--- a/lass/2configs/urxvt.nix
+++ b/lass/2configs/urxvt.nix
@ -4,7 +4,7 @@ with import <stockholm/lib>;
 {
  services.urxvtd.enable = true;
-  services.xresources.resources.urxvt = ''
+  krebs.xresources.resources.urxvt = ''
    URxvt*SaveLines: 4096
    URxvt*scrollBar:            false
    URxvt*urgentOnBell:         true
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@ -26,15 +26,6 @@ in {
    ./default.nix
    ./sqlBackup.nix
    (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
    (servePage [
      "karlaskop.de"
      "www.karlaskop.de"
    ])
    (servePage [ "makeup.apanowicz.de" ])
    (servePage [
      "pixelpocket.de"
      "www.pixelpocket.de"
    ])
    (servePage [
      "habsys.de"
      "habsys.eu"
@ -48,22 +39,18 @@ in {
      "nirwanabluete.de"
      "aldonasiech.com"
      "ubikmedia.eu"
      "facts.cloud"
      "youthtube.xyz"
      "illucloud.eu"
      "illucloud.de"
      "illucloud.com"
      "joemisch.com"
      "weirdwednesday.de"
      "www.apanowicz.de"
      "www.nirwanabluete.de"
      "www.aldonasiech.com"
      "www.ubikmedia.eu"
      "www.facts.cloud"
      "www.youthtube.xyz"
      "www.illucloud.eu"
      "www.illucloud.de"
      "www.illucloud.com"
      "www.ubikmedia.de"
      "www.weirdwednesday.de"
      "aldona2.ubikmedia.de"
      "apanowicz.ubikmedia.de"
      "cinevita.ubikmedia.de"
@ -74,8 +61,6 @@ in {
      "nb.ubikmedia.de"
      "youthtube.ubikmedia.de"
      "weirdwednesday.ubikmedia.de"
      "weirdwednesday.de"
      "www.weirdwednesday.de"
      "freemonkey.ubikmedia.de"
      "jarugadesign.ubikmedia.de"
    ])
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@ -153,15 +153,15 @@ in {
  };
  security.acme.certs."cgit.lassul.us" = {
-    email = "lassulus@gmail.com";
+    email = "lassulus@lassul.us";
-    webroot = "/var/lib/acme/acme-challenges";
+    webroot = "/var/lib/acme/acme-challenge";
    plugins = [
      "account_key.json"
      "key.pem"
      "fullchain.pem"
      "key.pem"
    ];
    group = "nginx";
-    allowKeysForGroup = true;
+    user = "nginx";
  };
@ -170,6 +170,9 @@ in {
    addSSL = true;
    sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
    sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
    locations."/.well-known/acme-challenge".extraConfig = ''
      root /var/lib/acme/acme-challenge;
    '';
  };
  users.users.blog = {
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@ -12,6 +12,5 @@ _:
    ./umts.nix
    ./usershadow.nix
    ./xserver
    ./xresources.nix
  ];
 }
--- a/lass/3modules/xserver/default.nix
+++ b/lass/3modules/xserver/default.nix
@ -17,10 +17,6 @@ let
  imp = {
    services.xserver = {
      # Don't install feh into systemPackages
      # refs <nixpkgs/nixos/modules/services/x11/desktop-managers>
      desktopManager.session = mkForce [];
      enable = true;
      display = 11;
      tty = 11;
@ -80,7 +76,7 @@ let
        ];
      };
    };
-    services.xresources.resources.dpi = ''
+    krebs.xresources.resources.dpi = ''
      ${optionalString (xcfg.dpi != null) "Xft.dpi: ${toString xcfg.dpi}"}
    '';
    systemd.services.urxvtd = {
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@ -21,9 +21,20 @@
    xmonad-lass = import ./xmonad-lass.nix { inherit config pkgs; };
    yt-next = pkgs.callPackage ./yt-next/default.nix {};
    bank = pkgs.writeDashBin "bank" ''
      tmp=$(mktemp)
      ${pkgs.pass}/bin/pass show hledger > $tmp
      ${pkgs.hledger}/bin/hledger --file=$tmp "$@"
      ${pkgs.pass}/bin/pass show hledger | if ${pkgs.diffutils}/bin/diff $tmp -; then
        exit 0
      else
        ${pkgs.coreutils}/bin/cat $tmp | ${pkgs.pass}/bin/pass insert -m hledger
      fi
      ${pkgs.coreutils}/bin/rm $tmp
    '';
    screengrab = pkgs.writeDashBin "screengrab" ''
      resolution="$(${pkgs.xorg.xrandr}/bin/xrandr | ${pkgs.gnugrep}/bin/grep '*' | ${pkgs.gawk}/bin/awk '{print $1}')"
-      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :0.0 -s $resolution -c:v huffyuv $1
+      ${pkgs.ffmpeg}/bin/ffmpeg -f x11grab -r 25 -i :${toString config.services.xserver.display} -s $resolution -c:v huffyuv $1
    '';
  };
 }
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@ -30,6 +30,7 @@ import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
 import XMonad.Actions.DynamicWorkspaces (withWorkspace)
 import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
 import XMonad.Hooks.EwmhDesktops (ewmh)
 import XMonad.Hooks.FloatNext (floatNext)
 import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@ -39,10 +40,10 @@ import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
 import XMonad.Layout.SimplestFloat (simplestFloat)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
 import XMonad.Layout.SimpleFloat (simpleFloat)
 import XMonad.Stockholm.Shutdown
@ -59,7 +60,7 @@ main = getArgs >>= \case
 main' :: IO ()
 main' = do
-    xmonad
+    xmonad $ ewmh
        $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
        $ def
            { terminal           = myTerm
@ -77,7 +78,7 @@ main' = do
 myLayoutHook = defLayout
  where
-    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat
+    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat)
 myKeyMap :: [([Char], X ())]
 myKeyMap =
@ -86,6 +87,8 @@ myKeyMap =
    , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
    , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
    , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
    , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle")
    , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
    , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%")
    , ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%")
--- a/lass/source.nix
+++ b/lass/source.nix
@ -10,11 +10,14 @@ in
      nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
      nixpkgs.git = {
        url = https://github.com/nixos/nixpkgs;
-        ref = "f9390d6";
+        ref = "af7e479";
      };
-      secrets.file = getAttr builder {
+      secrets = getAttr builder {
-        buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;
+        buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;
-        lass = "/home/lass/secrets/${name}";
+        lass.pass = {
          dir = "${getEnv "HOME"}/.password-store";
          name = "hosts/${name}";
        };
      };
      stockholm.file = toString <stockholm>;
    }
--- a/lib/types.nix
+++ b/lib/types.nix
@ -231,7 +231,12 @@ rec {
  source = submodule ({ config, ... }: {
    options = {
      type = let
-        types = ["file" "git" "symlink"];
+        types = [
          "file"
          "git"
          "pass"
          "symlink"
        ];
      in mkOption {
        type = enum types;
        default = let
@ -255,6 +260,10 @@ rec {
        type = nullOr git-source;
        default = null;
      };
      pass = mkOption {
        type = nullOr pass-source;
        default = null;
      };
      symlink = let
        symlink-target = (symlink-source.getSubOptions "FIXME").target.type;
      in mkOption {
@ -287,6 +296,17 @@ rec {
    };
  };
  pass-source = submodule {
    options = {
      dir = mkOption {
        type = absolute-pathname;
      };
      name = mkOption {
        type = pathname; # TODO relative-pathname
      };
    };
  };
  symlink-source = submodule {
    options = {
      target = mkOption {
--- a/nin/1systems/hiawatha/config.nix
+++ b/nin/1systems/hiawatha/config.nix
@ -15,7 +15,6 @@ with lib;
    <stockholm/nin/2configs/git.nix>
    <stockholm/nin/2configs/retiolum.nix>
    <stockholm/nin/2configs/termite.nix>
    <stockholm/nin/2configs/skype.nix>
  ];
  krebs.build.host = config.krebs.hosts.hiawatha;
@ -87,6 +86,7 @@ with lib;
  environment.systemPackages = with pkgs; [
    firefox
    git
    lmms
    networkmanagerapplet
    python
    steam
--- a/nin/2configs/default.nix
+++ b/nin/2configs/default.nix
@ -4,6 +4,7 @@ with import <stockholm/lib>;
 {
  imports = [
    ../2configs/vim.nix
    <stockholm/krebs/2configs/binary-cache/nixos.nix>
    <stockholm/krebs/2configs/binary-cache/prism.nix>
    {
      users.extraUsers =
--- a/nin/2configs/git.nix
+++ b/nin/2configs/git.nix
@ -40,8 +40,8 @@ let
      post-receive = pkgs.git-hooks.irc-announce {
        # TODO make nick = config.krebs.build.host.name the default
        nick = config.krebs.build.host.name;
-        channel = "#retiolum";
+        channel = "#xxx";
-        server = "ni.r";
+        server = "irc.r";
        verbose = config.krebs.build.host.name == "onondaga";
        # TODO define branches in some kind of option per repo
        branches = [ "master" ];
--- a/nin/source.nix
+++ b/nin/source.nix
@ -14,6 +14,6 @@ in
    stockholm.file = toString <stockholm>;
    nixpkgs.git = {
      url = https://github.com/nixos/nixpkgs;
-      ref = "c99239b";
+      ref = "afe9649";
    };
  }
--- a/tv/1systems/querel/config.nix
+++ b/tv/1systems/querel/config.nix
@ -11,6 +11,9 @@ with import <stockholm/lib>;
  krebs.build.host = config.krebs.hosts.querel;
  krebs.build.user = mkForce config.krebs.users.itak;
  boot.extraModulePackages = [
    config.boot.kernelPackages.exfat-nofuse
  ];
  boot.initrd.availableKernelModules = [ "ahci" ];
  boot.initrd.luks = {
    cryptoModules = [ "aes" "sha512" "xts" ];
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@ -13,8 +13,16 @@ with import <stockholm/lib>;
      http://www.exim.org/
      {
        url = https://api.github.com/repos/Gabriel439/nix-diff/git/refs/heads/master;
        filter = "system:${pkgs.jq}/bin/jq -r .object.sha";
      }
      # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
-      https://api.github.com/repos/simple-evcorr/sec/tags
+      {
        url = https://api.github.com/repos/simple-evcorr/sec/tags;
        filter = "system:${pkgs.jq}/bin/jq .";
      }
      # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
      https://thp.io/2008/urlwatch/
@ -47,7 +55,7 @@ with import <stockholm/lib>;
      #http://hackage.haskell.org/package/web-page
      # ref <stockholm/krebs/3modules>, services.openssh.knownHosts.github*
-      https://help.github.com/articles/github-s-ip-addresses/
+      https://api.github.com/meta
      # <stockholm/tv/2configs/xserver/xserver.conf.nix>
      # is derived from `configFile` in:
		`@ -0,0 +1 @@`
							ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGjBN0aFs6GxNwMjCvlddbN6+vb6LZuWiWWe+wbAynaGuGbae0TXCLp0/eMNy7fH8poDjpdW9M4mKbBFKOqyG8WJLCPFoQw761tjKl1hccJn0hFSkQAEGKxtfzHlAl/Mz+59yvqNg7/WNSivv41hE7btYltzRy238VQDYFv2eLM7acyxrgGo7tWOtkbpfELj5cM8Qw1j3TF9bGV5pK6IOEtaHbmalS8Iiz77syAu+6E/y6zKBTtGMHI15l6RNJ/Y7A1LM/WwuNL+9dJMYWJFVHy3/4dpaxiioHREiSawUbz9wNHknCrT6vaPCIVVcujhz9Oee1C5UiYUyyfJrFYdlzaTg7FuLNIt2hKMY6NYx1D8/Pwpq1JOsaEfK/K5ytCgaJb115mRevcaUA5s7KYNWHmmZvy08JzCgSM6ZPRtfkQIcha77wVq6DugJ+KgBz+oADQRKiaMrumOMldd0B3q4Oxb71gDTE1XLAbWJnd/0Up1H5GAtZZUUrMUslZiU/23R6SOkyEMLWQTx/KgkWcz8DZLtib5o03uZpfJDVqp2CR+sjmy4x9aa+lSaOzuZP0KRyg+mOKl0o3zL7TNAzrzSCORVBg7nOh+0SPJkDxVRkc6dVY1L3ZOfdm2P/19fhWEr5ECgVrmYYKnDPwWY1iWJlZsiEc3Mj7KB1m44ov0FJg2hiNnydImqcXTCoszp515MBmeHnpqJsqEZuWS8dAnaEiOwZaSKIO1E7lQ7CoP86+eD4yAwLq6fb2tgjHT69LgDMaIha4hMfrO2o4UDVw9OZMfnPtyatI4pxplaQDoQM1p0dej0rZ7uxL1tfoKAyT0UCdtjhxfnNs0x1gOQbML4eGbqyKuyF82eOQRgKRDqH/tParoE4SRBVi7o3s0kILRmXA3ng3n1uhEiGwPTH8JsQ9huM+XOhH8+CzQeg4yb/jCrhsDzvLaW654+ouq9G+kjwqmO4vLNs5eZxfae84rppbS2MJqK1x8rkJixvKBKEfvYJOuDNV+hXyMbToaq8qtGy7cCSq4+UDio3DsSHY0Tpt9e+yEzoOOqFQLQyq6uHv/+u9MY+VADoa4N64U3S2SXul9tE3g6hOAY0F5BYMbxQSuj59kzwghlAmbsyWN2FCmWdsfCQkkZX7wCTj20DtZB/GdVSGNgHGAoU5JZrXKca3A2Yc9hzbYjyNYr0NmQ9NUbkbaOkcYJRIUXtS2OBOHP+FoUkkqL3ieKXR07l5xJbWLzbyVUxN9Zii4Baj5xnDO/RLZPDvTUxbER/0d1orMZztL2EKmfSn4j4uhWqpi04Rg9sWH+WVLAq22EKhAuqcFEOUimjcyZWYKxcAq5Z51NJNBQB7euz55eCJUZkBUYEpNuYr0UDlmBxKB2r6ZWDeNXT7eLxBdwDHCHSqXV7qOG1vMhHtjbbxmQMnkQ4InhO9TdpaN3tj67nGmc6hhgYO4b7NvyL1/pvDPrHrR/3GzkDkwqvt3uESdVdqAJSCk6gFh9V1aGs= lass@xerxes