Merge remote-tracking branch 'lass/master'

2020-10-23 21:02:02 +02:00 · 2020-10-23 21:02:02 +02:00 · e8b6cc0587
parent fd41a76d4c 242530680d
commit e8b6cc0587
85 changed files with 1013 additions and 340 deletions
--- a/jeschli/krops.nix
+++ b/jeschli/krops.nix
@ -10,7 +10,7 @@
    {
      nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
      nixpkgs-unstable.git = {
-        url = "https://github.com/nixos/nixpkgs-channels";
+        url = "https://github.com/nixos/nixpkgs";
        ref = (lib.importJSON ../krebs/nixpkgs-unstable.json).rev;
      };
      secrets = if test then {
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@ -137,6 +137,7 @@ in {
        systemPlugin
      ];
      username = "reaktor2";
      port = "6697";
    };
    r = {
      nick = "reaktor2|krebs";
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@ -18,12 +18,15 @@ with import <stockholm/lib>;
 in {
  hosts = mapAttrs hostDefaults {
-    catullus = {
+    toum = {
      owner = config.krebs.users.kmein;
      nets = {
        retiolum = {
          ip4.addr = "10.243.2.3";
-          aliases = [ "catullus.r" ];
+          aliases = [
            "toum.r"
            "toum.kmein.r"
          ];
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2tRtskPP6391+ZX9xzsx
@ -48,7 +51,10 @@ in {
      nets = {
        retiolum = {
          ip4.addr = "10.243.2.4";
-          aliases = [ "wilde.r" ];
+          aliases = [
            "wilde.r"
            "wilde.kmein.r"
          ];
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
@ -100,6 +106,7 @@ in {
          ip4.addr = "10.243.2.1";
          aliases = [
            "homeros.r"
            "homeros.kmein.r"
          ];
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
@ -221,6 +228,32 @@ in {
        wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
      };
    };
    rtjure = {
      owner = config.krebs.users.rtjure;
      nets = {
        retiolum = {
          ip4.addr = "10.243.122.122";
          aliases = [
            "rtjure.r"
          ];
          tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
             MIICCgKCAgEA3YkPPsO3WDGrXyOBdAxxP1MNNuPa19Gx1pA73FKv0gnfp4wYyjwl
             sc9A0C5yr741+LhJNqfkUT9Vb7dE2PZcEcAxZ6Vk9FBkkCWHGVyMfeqeK/hTuYqk
             FKGNPcGWCKZDM6CYSNYr2PW3ER8xMrQP9VSvHk1smdqr8cj3wWJ8TRtUmHzkvPZc
             C4bgrLDiQ8uev5VCt4POilrnjfcBNzgOFxWZ5uneTwM6tLhOj9uaylJEtDbW2XrF
             ocm8cGrYkS4c1x77mz/eYfJUJQFhTVGp29QTIiIHglP7W67LLq4qMvREvRhGTovd
             AT4KUOEXRgcPzHhbcVNeu2/ekKGHAubpjFfqxW7Y9zRTOXeSwyDnVbh+jg/VBGIV
             2BQZnUqNSQIHVeHQCoI3ugdSsqK5Gf1z9cKqpeNfwo+JK72NTC+nH2d5ypRksTzv
             VoTrFrv0P2qtKkhI79zY3ezw3HjCf6osKz9/EAYgzGH1Ix4WD3jjc1gqePiHYYlL
             EQV4HkwmarmMNrNA8qRDhKCTK4G7CS6btOcSsCM3y1lYbkubaOncIACSWIJ1uAMJ
             SEY30YYtOw2PPWstaWdy8MMZK8/MAXGEkt10OBpai7AdFZq8Oyz6xmLpgVIsWPbt
             UI8BvkKmFhMU2EHKUbe0qe5M1r218dsrOjPk99QI99iazMG34hyxQB8CAwEAAQ==
             -----END RSA PUBLIC KEY-----
          '';
        };
      };
    };
    scardanelli = {
      owner = config.krebs.users.kmein;
      nets = {
@ -228,6 +261,7 @@ in {
          ip4.addr = "10.243.2.2";
          aliases = [
            "scardanelli.r"
            "scardanelli.kmein.r"
          ];
          tinc.pubkey = ''
            -----BEGIN PUBLIC KEY-----
@ -477,6 +511,8 @@ in {
      mail = "macxylo@gmail.com";
      pubkey = ssh-for "raute";
    };
    rtjure = {
    };
    sokratess = {
    };
    ulrich = {
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@ -485,5 +485,28 @@ in {
        };
      };
    };
    doctor = {
      owner = config.krebs.users.mic92;
      nets = rec {
        retiolum = {
          addrs = [
            config.krebs.hosts.doctor.nets.retiolum.ip4.addr
            config.krebs.hosts.doctor.nets.retiolum.ip6.addr
          ];
          ip4.addr = "10.243.29.186";
          aliases = [ "doctor.r" ];
          tinc.pubkey = ''
            -----BEGIN RSA PUBLIC KEY-----
            MIIBCgKCAQEAx0zdjPX9C0fBQR+8kdlsBTuMr4KxWhqw4ARqW02oSGKJxY+D57oO
            ORVfjBhrvIiZJfXaY0M+/n+M4Bvt4r5ol3N1NxkT7vc0bAbz9Kk/0M8dlspNoSO9
            WW+mITVfxg/DgzDegjj4TOrsWC1jBjo4PVrvA+PnxZC4VucnqZZ55JHWAk/mPtzs
            PUc3mkn3e9pwwrJMQRy7qg9fbatljHCb/fJoDk6DiQP4ZRE/pCf4OYCx7huHibsd
            EMp7y5QJySmKwJ/XsS6yiHeYXLFwWvfReja/IRFL4RiDSW+6ES4PTEXxoLVDpqgv
            KF44qim4UBabCMTPVtZcU3Rr+ufBALKJCwIDAQAB
            -----END RSA PUBLIC KEY-----
          '';
        };
      };
    };
  };
 }
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -95,6 +95,7 @@ in {
        };
        wiregrill = {
          via = internet;
          ip4.addr = "10.244.1.103";
          ip6.addr = w6 "1";
          aliases = [
            "prism.w"
@ -104,6 +105,7 @@ in {
            subnets = [
              (krebs.genipv6 "wiregrill" "external" 0).subnetCIDR
              (krebs.genipv6 "wiregrill" "lass" 0).subnetCIDR
              "10.244.1.0/24"
            ];
          };
        };
@ -196,6 +198,7 @@ in {
        };
        wiregrill = {
          ip6.addr = w6 "50da";
          ip4.addr = "10.244.1.4";
          aliases = [
            "shodan.w"
          ];
@ -554,6 +557,7 @@ in {
    phone = {
      nets = {
        wiregrill = {
          ip4.addr = "10.244.1.13";
          ip6.addr = w6 "a";
          aliases = [
            "phone.w"
--- a/krebs/3modules/lass/pgp/yubikey.pgp
+++ b/krebs/3modules/lass/pgp/yubikey.pgp
@ -35,30 +35,30 @@ N6p/mTAfwLHrgKEDY+YLLqaogdZ0O7wL+jgrL6fuKqALuIJqO/6FBVXfyR5rvUGs
 8R9rdy39x0NkWdyt+I0kXf50cWVi/tSi47HGYJpc1JSjFOfLjpQihij+nWlMnaF4
 bpeJBUYx5FZlIou4a7+aRsPQC7P58tcMSFR7gKlomBacBQoVkf8iZ6ml0aWRTZnr
 s2XOGn7h6A4AoeLr1i4U8XkJGHatunhvhXJTPHk0QZvgfq92gQc3IdUAEQEAAYkE
-cgQYAQoAJhYhBNvNdXhGBps5LqlAHWZXvoqNHugHBQJdok2SAhsCBQkB4TOAAkAJ
+cgQYAQoAJgIbAhYhBNvNdXhGBps5LqlAHWZXvoqNHugHBQJfiXYPBQkFqY99AkDB
-EGZXvoqNHugHwXQgBBkBCgAdFiEEVAotn4qIhqe83vdsfheGip18nM8FAl2iTZIA
+dCAEGQEKAB0WIQRUCi2fioiGp7ze92x+F4aKnXyczwUCXaJNkgAKCRB+F4aKnXyc
-CgkQfheGip18nM9DVxAAuqX7iztddbttkIfN65R5XJPjz7NRg0AI8G+1qnkvF3c2
+z0NXEAC6pfuLO111u22Qh83rlHlck+PPs1GDQAjwb7WqeS8Xdza582Mv74ElK+Vu
-ufNjL++BJSvlbi/2ov92S+0CPF08E4kDsHjA/JM782D6lDfSZltW4YBBqkJZdtiP
+L/ai/3ZL7QI8XTwTiQOweMD8kzvzYPqUN9JmW1bhgEGqQll22I8SVwioiEzoRft+
-ElcIqIhM6EX7fs3Ag/RjUVPb4tYkH20xcNhyl+0RdBuSvR0+KOXXBfoNmsyQM4/h
+zcCD9GNRU9vi1iQfbTFw2HKX7RF0G5K9HT4o5dcF+g2azJAzj+FQqJZbe8Y5k4GZ
-UKiWW3vGOZOBmYPNcvAQcMs+p4D5JHQcOyxgtXyiXU/VxvUWI7cH6I7daRDTFR3L
+g81y8BBwyz6ngPkkdBw7LGC1fKJdT9XG9RYjtwfojt1pENMVHcvjNegitHCoSDEi
-4zXoIrRwqEgxIqof2Zm4smoHDLfXxGQrcjj6eKkn/gt/T7qYxnhcG5guS2DwIay5
+qh/ZmbiyagcMt9fEZCtyOPp4qSf+C39PupjGeFwbmC5LYPAhrLlzvFXXG4HukOAz
-c7xV1xuB7pDgM1On56heD21DI4vtXXnTkjo7/6hsw2e6TBcn295fEekvBupYVwaz
+U6fnqF4PbUMji+1dedOSOjv/qGzDZ7pMFyfb3l8R6S8G6lhXBrN58FKWvZ/fHGUO
-efBSlr2f3xxlDvd35D5tWZRVGspzxO15DcTaTglOeNtRnYGRwHwE/tiJ0G0uwGfv
+93fkPm1ZlFUaynPE7XkNxNpOCU5421GdgZHAfAT+2InQbS7AZ+9ojTF57G6GdN+8
-aI0xeexuhnTfvEkpJ4SJ/iMl+FpOw7I35H7mz8MrRNMjtR+Es8gzuw7hNErmbh0S
+SSknhIn+IyX4Wk7DsjfkfubPwytE0yO1H4SzyDO7DuE0SuZuHRItm912g+eq32QX
-LZvddoPnqt9kF8ayA1iz1X9KiBkkj3EbvI99jYjdDDm5lsxCZKLSX4r9Mp236K6D
+xrIDWLPVf0qIGSSPcRu8j32NiN0MObmWzEJkotJfiv0ynbforoMwaWJ9E3YB91fO
-MGlifRN2AfdXziXhPABQkKE5m7kcn1gALn9Mcg5HgeXTdxan6QP35ygDtmNldJGE
+JeE8AFCQoTmbuRyfWAAuf0xyDkeB5dN3FqfpA/fnKAO2Y2V0kYQ/4BYBnhHBoUrw
-P+AWAZ4RwaFK8P3/oqQ/8XhnkwH5n2SPd8WQqnldvrtajUzUegvJUstLS5B1TFQl
+/f+ipD/xeGeTAfmfZI93xZCqeV2+u1qNTNR6C8lSy0tLkHVMVAkQZle+io0e6Afj
-Ug/9EV4nuVrGU0uFQLFKLzCXAxWGQPwFwJW4XI4SfhHzyXm8nuJLAKJunxxYni9z
+AQ/+Lzh1018ILwq/IvV57GrjsYp2lBlcp2n/jZ5KlCVpVPsYjkGT+e2XYvcloPBK
-7bIe297hNCMLh8VwW6WkGCz4v9BfURE1jUEPeuu0biCHxa+U8vd1l/CIgAYbNTgj
+IXzkHr88/U4iyJGJeIC+a/pYJ6RpR6EzPb1kDB2i0kGbZinoxZwix0b4wvkMoSbT
-8eNsN6hV4X9fpGaW0YjDtGSkl1FMC+4YLXm8xRHzdM0RpZpRMaUKSuAYJzi21LGa
+KDMkZYEIe0/v6CEU3mCbE9gnNWhPSF+XwXYxNyFNfMqaSqx4mjC6LAuFZA4AgqHB
-QyhdrTn77RvbkeFu0I3b8If5QLTFxLTkAM2IwfyHd7ytlhl6vxHaUwh8djop9jjc
+uGudBgeIQ+sP8zJTSHKtePgK1JgAMYPGUHgfJHE3tcMDxMgKr2x3PN1Z6/YH/ifZ
-Ty+bSyEjEIZyR+buj3CVUiheQXWw6rGFdR/TLGERWMf6rYF/fuXp5s6jmRCPmB0d
+wq1oUFPbB0LGZhkwrSDzgIya5FBoBfnawAwbh562LRuphHdqk+wBYigfFBztbmQx
-7iX3WkZ6XvjW6wuM9TaBhK3PixPHcHss8uwhtg7+WeVqRAr4VWTFxTIy60vacDvL
+MqtA6pmH+k8vNUq6QY/CbZfvcpkRAAR1ib2QaZYXTlq7jqb+nLM9EbACxj9651SQ
-5Sskqas4JWnYxfuFpm60IDnBS2kkHM07O+PY2x4S5o+7S0qT9RPtcvqVtAp8eont
+D7u4ShvPtxqFf+mv/4eHYx2akBIIUQYAf5OYGnE3E0kqiuK4qHKgt1NI5z1mSd9D
-2ovc9fXn4UpbeENFeytwed65QrFYDLGlNtq66iO2kp2mX/sFk634TUZ04vyz6nut
+duWIuoRbBUrApTKsHgwtMxNrNVioGIE1dTRuu56drhwY2ZPyzVtSb7q/hRU/a3UZ
-senoOofrZefND2uhzJ8pyJkYWTWBsmGitn0JPSBxbIil7PSDBbqEdHE/fD6QnOdw
+5S6EsrmDGIIlAHrgKfKfuerESE5VzN1Nn3QHpfjwX+gq51cosTqlRiu4oMesPk31
-dmDrFJUdcDzwdBDlmn80VOmooyR8pfrH5u6wKfNZ9xBjVsh1z6lWQbuBgXtltTtE
+ZmPcuG6H/m7nGagX9+l00sDsqISqMG4lZCJAFa020OS/g6V3q6LCqggky6+4sQTG
-5rJJvZ7Pawt8nmb+UW0WxCL3TsWCG3sq1MV8ryU/9l0hTEK5Ag0EXaJN1gEQANML
+5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLi5Ag0EXaJN1gEQANML
 yxoeknGlTtkG640UP5ZkUEojwXxlni3v2dpWEaEJO9yqvkELCWum5pRz+iDzoDFS
 lUPnP3YKVFkLbAlk56abIAQ6VK7wkOSHCw1F7LlCY830bRkgGJ8/b8us9KpET6Am
 ei7OGYVtqNBUodEJi6XkH5q9RLQeVR+7ynt0LTAxO/mMFYc3nhccrhadubhh5rTd
@ -69,19 +69,19 @@ qfwnT2M6m8P4OS1sAHv5vDDYXezB0WrJNstYvhtHhi4ctuolBuwOb7nyIBlZovhk
 5/6IAFmoUprfGHOuttEcPTRDGv737cR1cYaz5QMuz2svNU3ivI/tYfIQwMAjv84A
 ZN2wl63QkghYo/dm9a5Ex78CNwZD/z7HOE3zD+Rd0C9/hXLpVVhN0mKmDzgJHPUo
 VDk//P3YgzM+dtUWWPJ1FfaTz2543V9MwVWUJQj0DIgl4noLHX3wkd/d4gYGAhlW
-kBxkbQPJ4NT7EKBFk44fa6DVuGOGatBAxKQq1GftABEBAAGJAjwEGAEKACYWIQTb
+kBxkbQPJ4NT7EKBFk44fa6DVuGOGatBAxKQq1GftABEBAAGJAjwEGAEKACYCGwwW
-zXV4RgabOS6pQB1mV76KjR7oBwUCXaJN1gIbDAUJAeEzgAAKCRBmV76KjR7oB4ke
+IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCX4l2DwUJBamPOQAKCRBmV76KjR7oB/Ds
-D/94TykloLIX2yjqUgsIbzPNH4Q+wzXYAUwhPaY9WlRsnwMJdoWxLVvMDF44JxKj
+D/96TGfHa6BW1v2kUyHUKmpdk62UhZz49nTsOu1JeMI2cDMLkKaPyeKLsRpzV2qc
-nzUi5UctaeI2GylLv5G2na5/trRnvIAQq0IyMCz7+mQwSDcZL1UgWpoljRnKbPYs
+OoG1dal7dgjtzKsWdz0HxrrbEs0rBJO4xOmg12Sv9fttTocTt2bQMe3d20Vihbi+
-dYSS1t7LLjP9So4YXeHlAu6tKfF5XkUvB8yfcpupPF+mhfIGPMDRPMBuO3GovpNk
+NDEx2PeyncYulDd8PNfDkh8vWUJQoThqimXoVARwKNuH2oDytGceIp+BZLOH8HRz
-Gutgrzo3dttRr5b4lwFv6uZBw906b5dgKf82nC3zhvJ0q45VFPmBvriCMHdCzR+E
+0ESH9nCAGw3gVX6vQPtjbMgoIXHAnAJkIe2boyyUHu2ZmD6CGjxGSSICMzShcDvN
-i6Lv06/xSe/ksY2m2Ma16M5n/cvPdl0NFMSwPz/VctEbWV+HoIJs/swW3l5xSV1f
+kcyPKG5BbOGRpbehaMcOOiGH0NsudUPOsyxQt90bP/U+WHPhvOTGk0PqGaOf8QDE
-06GQ9h+kaTlF7UUaXWqgiKaOBpvjgVhg88AUwxbpkH/BN1MJ3ww3XAk8gyI7AW0P
+saGlChd3wVK+uCGl60szcxQsbgzlEQVUG3tTW4QGfzL3XK5bHvuGj03Vb45005Y4
-60Xzj0q8zlKxYWxaDWCrBc0yCfC0ulChetVGGaJ9WWRVu2ZjPLwHoZmwEpevSrNc
+6UCUP4ZkEYDsw1Hrn5bkPOP/Pc8Sz1MQt+nw1U3QXbHLxLb8fB82B6oDMakHPgaw
-0UmO4jtB/5ojCzTI+l5lLHDLYjAZFDvA2qaLfgs5roQvEaGxW9MDpuz10AclrUfV
+73HxYwbaXDswBb6BVTc86RmXRH1+StObDiJp+h16EqdsSyp15tSM80GRf1KaNKxc
-u6UikxdivbYssVA0/ytdiIDmITONY6kNL3PLSA7Ki/N3oz4s5WpPFUOBL3wPmpW/
+MA4N7/i7j9M/z2fKWT7vTAGdcg8vhZH0MDQ9vRmYsuQZtoNieZVXnyQ/ILAgPhiL
-MXq/d/GvzbgjXHHWdPKrC3sz12/R+PUzr+dTQeJR72eW+6QQqAEmEhS8xfffjsvQ
+pdyPffQV0BpWKd68C8kEhoMP0D3h6Uj88ZOuapyOCvsrBvR7SQOVh+L+KMjh1Xgx
-z3unfvv/4c/mVInpnGBuQXNFYbZxgEsFxbzVavnwppvAirkCDQRdok4KARAAyG97
+WvPJuoU4Jox4og85/Gz0Ui8EROYyHg5yqPqsBBmz6h8F7rkCDQRdok4KARAAyG97
 rjKhP8Uie1i/16SekDo+GkpodBmvhrZiZdwg75YxriHhgioe2AKKmQItOdZOY+mV
 qMA63FmByDlPodHmQnrIAn/gr7p5V3lM+l0oVTI8maPO39iT7Nh6W/rv4ni8eMBk
 L6P2cPPaTpcv76qWl/WcMiEflPNSAFaxyIapq04rafthcIILWmOBbQ+liMn9YT7a
@ -92,18 +92,18 @@ pKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm64rKyYS8RIilqTCmIHnpoSIq3n1wOlMV
 X4sB4N4CfAZRAbI9LZfx1QEYn0dst9+mCDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh
 81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN
 6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BPg6qZH7JeMnlOZXXOg8K5VcLkiGuL1brO
-Hlg94Axha8ffMmqjsde6XOAgvSl5P9k47SWOcZkAEQEAAYkCPAQYAQoAJhYhBNvN
+Hlg94Axha8ffMmqjsde6XOAgvSl5P9k47SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYh
-dXhGBps5LqlAHWZXvoqNHugHBQJdok4KAhsgBQkB4TOAAAoJEGZXvoqNHugHSVkP
+BNvNdXhGBps5LqlAHWZXvoqNHugHBQJfiXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP
-/iEIS7oVZuXBRYCv6GSfrS7b8h5NH8TFiu89sl3B0aRjRXhcsCgutFHVa4ztJqjF
+gJ01mSEs3+0jriWqg7V+Q59rulMVrUdV2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/
-rzuzmZ/6dlZ2F/LGu1Qzgu8Vd3VNFTuxanUE5W82mFqTcYij1G2HjN0gBoOhscl3
+Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOiczGClK+yWSm/CM02+HATFws66umAl4GQ4X
-Oy5zsYfP4gyB3pypPujcqhKfFxxW4V7HK8CvspQ6Anh8TrrAobM7b5gREm3BUvl+
+qAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCAdn55u4pf+B1rmkA3cWhN51SvAriA/YcG
-VH7ErYLy13XkH2dNhUeAY2lNLLBbftwBE3RDFtaT9on/e4FZycgtfOM9fXOqdNXk
+qmyJZgXO+qZOPWNHxNUdgq9lVEO132dhDzH1b9ufnvQMDxF2V681fQ7E3zWEJZZb
-EQW4fXBoazWWYXXcVMro0+KTpITjXdX9F613C9xwLEATS8OVIDxQZFuyrl1r/Dty
+YLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU161jSawblBTcIRXK9c4hv178xQWAInMjt
-keEn2OKi1RVdZhW7aV09ckKKeH1X/89850WDQatrsREjLXfJBJU94XKwekFC0wsw
+Hst4YCpvclG26ypZLCzvw6swfnXf3A6Q4A8pZQVvogWZ01dlgofwHm8qlYxT7wSq
-uUJkyf5tb/FbAQg8fTMLhVv1D+IqkEISSwr3JmRZXqDEAYqCZHHWqnRrB8mm6eoB
+eicOu3FkSHD8vNwkXnMLqxwkFr4BcSefzCiXulyMcb3h67ZfXAYAFGrrR581vGEt
-vI93yMV1bkxb2/aI4xBtGKhPzfLIiiV5PevmnDOq08htU/Jr6VGhW+Wm1/qnHmPw
+Xy+xfXK5PqBX7CWEl3Vs2an9whEncZuv1I9iyXDUmGP7Y373JjqNtpS2GMMPA73k
-JE1J+yH8NHJQ6NemztSomK8K9J23zgJfgb24Eztc8zIBcNb2CWJ9BgkSYy1BLFy4
+nB7eI/zpVS5qoxUlqw35Pldvt+L4E3hvrvE7iZE3w4lB9WUyY1OnSRDU10l2rqWt
-gsfSx3i91GdfsjMpBL7o4/rjdlJGbt76k18dSyWJEdtwYYKwGYvNes21GwbZ/aOx
+Ptyk3LE2ed5hz5I+gy8/RsXrAooMBXIGV/GJrhye45wf5F/XQqPulnj38sKhmrQC
-z8vpeBc06aBx5UOb4Y22HNfG9hDfuuDhGP7Kl0b0LIqq
+QTubPgJwG/kTpNdrA3YukE3E7T5ejaGTT2n5nKat6bj7
-=U2Jf
+=h9fX
 -----END PGP PUBLIC KEY BLOCK-----
--- a/krebs/3modules/newsbot-js.nix
+++ b/krebs/3modules/newsbot-js.nix
@ -48,7 +48,7 @@ let
        };
        urlShortenerHost = mkOption {
          type = types.str;
-          default = "go";
+          default = "go.r";
          description = "what server to use for url shortening, host";
        };
        urlShortenerPort = mkOption {
--- a/krebs/3modules/secret.nix
+++ b/krebs/3modules/secret.nix
@ -3,6 +3,14 @@ with import <stockholm/lib>;
  cfg = config.krebs.secret;
 in {
  options.krebs.secret = {
    directory = mkOption {
      default = toString <secrets>;
      type = types.absolute-pathname;
    };
    file = mkOption {
      default = relpath: "${cfg.directory}/${relpath}";
      readOnly = true;
    };
    files = mkOption {
      type = with types; attrsOf secret-file;
      default = {};
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@ -52,7 +52,7 @@ in {
          '';
        };
      };
-      ssh.privkey.path = <secrets/ssh.id_rsa>;
+      ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa";
      ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
    };
    au = {
@ -79,7 +79,7 @@ in {
        };
      };
      secure = true;
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
    };
    mu = {
@ -103,7 +103,7 @@ in {
          '';
        };
      };
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1vJsAddvxMA84u9iJEOrIkKn7pQiemMbfW5cfK1d7g root@mu";
    };
    ni = {
@ -177,7 +177,7 @@ in {
        };
      };
      secure = true;
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMIHmwXHV7E9UGuk4voVCADjlLkyygqNw054jvrsPn5t root@nomic";
    };
    wu = {
@ -203,7 +203,7 @@ in {
        };
      };
      secure = true;
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa";
    };
    querel = {
@ -262,7 +262,7 @@ in {
        };
      };
      secure = true;
-      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPnjfceKuHNQu7S4eYFN1FqgzMqiL7haNZMh2ZLhvuhK root@xu";
    };
    zu = {
--- a/krebs/5pkgs/simple/flameshot-once/profile.nix
+++ b/krebs/5pkgs/simple/flameshot-once/profile.nix
@ -118,7 +118,7 @@ let
          type = types.bool;
        };
        timeout = mkOption {
-          default = 100;
+          default = 200;
          description = ''
            Maximum time in milliseconds allowed for the flameshot daemon to
            react.
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
@ -104,7 +104,7 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
      'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD10C1_E_SNOW') &
    fetch_older_days 7 chlora-raw.jpg $(get_neo_url \
      'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MY1DMM_CHLORA') &
-    fetch_older_days 3 fire-raw.jpg $(get_neo_url \
+    fetch_older_days 7 fire-raw.jpg $(get_neo_url \
      'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD14A1_E_FIRE') &
    # regular fetches
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@ -1,7 +1,7 @@
 {
-  "url": "https://github.com/NixOS/nixpkgs-channels",
+  "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "c59ea8b8a0e7f927e7291c14ea6cd1bd3a16ff38",
+  "rev": "007126eef72271480cb7670e19e501a1ad2c1ff2",
-  "date": "2020-08-20T19:08:02+02:00",
+  "date": "2020-10-20T10:30:15+10:00",
-  "sha256": "1ak7jqx94fjhc68xh1lh35kh3w3ndbadprrb762qgvcfb8351x8v",
+  "sha256": "1rfvw560vp2wn3dxdhqn1rk1fgk0ak9lnqm2dqpnsrkl4b8ay9mq",
  "fetchSubmodules": false
 }
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@ -1,7 +1,7 @@
 {
-  "url": "https://github.com/NixOS/nixpkgs-channels",
+  "url": "https://github.com/NixOS/nixpkgs",
-  "rev": "42674051d12540d4a996504990c6ea3619505953",
+  "rev": "7c2a362b58a1c2ba72d24aa3869da3b1a91d39e1",
-  "date": "2020-09-06T21:21:08-04:00",
+  "date": "2020-10-20T09:32:31+02:00",
-  "sha256": "1hz1n1hghilgzk4zlya498xm5lvhsf0r5b49yii7q86h3616fhwy",
+  "sha256": "0gl4xndyahasa9dv5mi3x9w8s457wl2xh9lcldizcn1irjvkrzs4",
  "fetchSubmodules": false
 }
--- a/krebs/update-nixpkgs-unstable.sh
+++ b/krebs/update-nixpkgs-unstable.sh
@ -2,7 +2,7 @@
 dir=$(dirname $0)
 oldrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
-  --url https://github.com/NixOS/nixpkgs-channels \
+  --url https://github.com/NixOS/nixpkgs \
  --rev refs/heads/nixos-unstable' \
 > $dir/nixpkgs-unstable.json
 newrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
--- a/krebs/update-nixpkgs.sh
+++ b/krebs/update-nixpkgs.sh
@ -2,7 +2,7 @@
 dir=$(dirname $0)
 oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
 nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
-  --url https://github.com/NixOS/nixpkgs-channels \
+  --url https://github.com/NixOS/nixpkgs \
  --rev refs/heads/nixos-20.03' \
 > $dir/nixpkgs.json
 newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
--- a/lass/1systems/blue/config.nix
+++ b/lass/1systems/blue/config.nix
@ -17,27 +17,6 @@ with import <stockholm/lib>;
  networking.nameservers = [ "1.1.1.1" ];
  services.restic.backups = genAttrs [
    "daedalus"
    "icarus"
    "littleT"
    "prism"
    "shodan"
    "skynet"
  ] (dest: {
    initialize = true;
    extraOptions = [
      "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
    ];
    repository = "sftp:backup@${dest}.r:/backups/blue";
    passwordFile = (toString <secrets>) + "/restic/${dest}";
    timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
    paths = [
      "/home/"
      "/var/lib"
    ];
  });
  time.timeZone = "Europe/Berlin";
  users.users.mainUser.openssh.authorizedKeys.keys = [ config.krebs.users.lass-android.pubkey ];
 }
--- a/lass/1systems/morpheus/config.nix
+++ b/lass/1systems/morpheus/config.nix
@ -18,6 +18,7 @@ with import <stockholm/lib>;
    gitAndTools.hub
    nix-review
    firefox
    ag
  ];
  services.openssh.forwardX11 = true;
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -126,8 +126,6 @@ with import <stockholm/lib>;
    remmina
    transmission
    iodine
    macchanger
    dpass
--- a/lass/1systems/mors/physical.nix
+++ b/lass/1systems/mors/physical.nix
@ -23,7 +23,7 @@
  services.udev.extraRules = ''
    SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0"
-    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:4f:42:35", NAME="et0"
+    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:37:15:d9", NAME="et0"
  '';
  #TODO activationScripts seem broken, fix them!
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -272,9 +272,9 @@ with import <stockholm/lib>;
        resolveLocalQueries = false;
        extraConfig= ''
-          listen-address=42:1:ce16::1
+          listen-address=42:1:ce16::1,10.244.1.103
          except-interface=lo
-          interface=wg0
+          interface=wiregrill
        '';
      };
    }
@ -284,7 +284,10 @@ with import <stockholm/lib>;
      ];
    }
    {
-      services.murmur.enable = true;
+      services.murmur = {
        enable = true;
        bandwidth = 10000000;
      };
      services.murmur.registerName = "lassul.us";
      krebs.iptables.tables.filter.INPUT.rules = [
        { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@ -55,6 +55,16 @@
    fsType = "zfs";
  };
  fileSystems."/var/realwallpaper/archive" = {
    device = "tank/wallpaper";
    fsType = "zfs";
  };
  fileSystems."/home/xanf" = {
    device = "/dev/disk/by-id/wwn-0x500a07511becb076";
    fsType = "ext4";
  };
  nix.maxJobs = lib.mkDefault 8;
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
--- a/lass/1systems/shodan/physical.nix
+++ b/lass/1systems/shodan/physical.nix
@ -10,7 +10,7 @@
    loader.grub.version = 2;
    loader.grub.device = "/dev/sda";
-    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
+    initrd.luks.devices.lusksroot.device = "/dev/sda2";
    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
  };
--- a/lass/1systems/wizard/run-vm.sh
+++ b/lass/1systems/wizard/run-vm.sh
@ -0,0 +1,7 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash -p nixos-generators
 set -efu
 WD=$(dirname "$0")
 nixos-generate -I stockholm="$WD"/../../.. -c "$WD"/config.nix -f vm-nogui --run
--- a/lass/1systems/wizard/test.nix
+++ b/lass/1systems/wizard/test.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 {
  imports = [
-    ./default.nix
+    ./config.nix
  ];
  virtualisation.emptyDiskImages = [
    8000
--- a/lass/1systems/xerxes/config.nix
+++ b/lass/1systems/xerxes/config.nix
@ -41,22 +41,6 @@
    displayManager.lightdm.autoLogin.user = "lass";
  };
  services.syncthing.declarative = {
    folders = {
      the_playlist = {
        path = "/home/lass/tmp/the_playlist";
        devices = [ "mors" "phone" "prism" "xerxes" ];
      };
    };
  };
  krebs.permown = {
    "/home/lass/tmp/the_playlist" = {
      owner = "lass";
      group = "syncthing";
      umask = "0007";
    };
  };
  boot.blacklistedKernelModules = [ "xpad" ];
  systemd.services.xboxdrv = {
    wantedBy = [ "multi-user.target" ];
@ -93,7 +77,15 @@
    };
  };
-  hardware.bluetooth.enable = true;
+  hardware.bluetooth = {
    enable = true;
    powerOnBoot = true;
    # config.General.Disable = "Headset";
    extraConfig = ''
      [General]
      Disable = Headset
    '';
  };
  hardware.pulseaudio.package = pkgs.pulseaudioFull;
  # hardware.pulseaudio.configFile = pkgs.writeText "default.pa" ''
  #   load-module module-bluetooth-policy
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@ -172,7 +172,7 @@ with import <stockholm/lib>;
    client
    dev tun
    proto udp
-    remote 89.249.65.83 1194
+    remote 185.230.127.27 1194
    resolv-retry infinite
    remote-random
    nobind
@ -195,7 +195,6 @@ with import <stockholm/lib>;
    fast-io
    cipher AES-256-CBC
    auth SHA512
    <ca>
    -----BEGIN CERTIFICATE-----
    MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -72,10 +72,11 @@ in {
    git-preview
    gnome3.dconf
    iodine
    libarchive
    lm_sensors
    ncdu
    nix-index
-    nix-review
+    nixpkgs-review
    nmap
    pavucontrol
    ponymix
@ -92,6 +93,8 @@ in {
    xsel
    zathura
    (pkgs.writeDashBin "screenshot" ''
      set -efu
      ${pkgs.flameshot-once}/bin/flameshot-once
      ${pkgs.klem}/bin/klem
    '')
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@ -49,54 +49,54 @@ in {
  };
-  systemd.services = builtins.listToAttrs (map (host:
+  #systemd.services = builtins.listToAttrs (map (host:
-    let
+  #  let
-    in nameValuePair "sync-blue-${host}" {
+  #  in nameValuePair "sync-blue-${host}" {
-    bindsTo = [ "container@blue.service" ];
+  #  bindsTo = [ "container@blue.service" ];
-    wantedBy = [ "container@blue.service" ];
+  #  wantedBy = [ "container@blue.service" ];
-    # ssh needed for rsync
+  #  # ssh needed for rsync
-    path = [ pkgs.openssh ];
+  #  path = [ pkgs.openssh ];
-    serviceConfig = {
+  #  serviceConfig = {
-      Restart = "always";
+  #    Restart = "always";
-      RestartSec = 10;
+  #    RestartSec = 10;
-      ExecStart = pkgs.writeDash "sync-blue-${host}" ''
+  #    ExecStart = pkgs.writeDash "sync-blue-${host}" ''
-        set -efu
+  #      set -efu
-        #make sure blue is running
+  #      #make sure blue is running
-        /run/wrappers/bin/ping -c1 blue.r > /dev/null
+  #      /run/wrappers/bin/ping -c1 blue.r > /dev/null
-        #make sure the container is unlocked
+  #      #make sure the container is unlocked
-        ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+  #      ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
-        #make sure our target is reachable
+  #      #make sure our target is reachable
-        ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
+  #      ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
-        #start sync
+  #      #start sync
-        ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
+  #      ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
-          settings {
+  #        settings {
-            nodaemon = true,
+  #          nodaemon = true,
-            inotifyMode = "CloseWrite or Modify",
+  #          inotifyMode = "CloseWrite or Modify",
-          }
+  #        }
-          sync {
+  #        sync {
-            default.rsyncssh,
+  #          default.rsyncssh,
-            source = "/var/lib/containers/.blue",
+  #          source = "/var/lib/containers/.blue",
-            host = "${host}.r",
+  #          host = "${host}.r",
-            targetdir = "/var/lib/containers/.blue",
+  #          targetdir = "/var/lib/containers/.blue",
-            rsync = {
+  #          rsync = {
-              archive = true,
+  #            archive = true,
-              owner = true,
+  #            owner = true,
-              group = true,
+  #            group = true,
-            };
+  #          };
-            ssh = {
+  #          ssh = {
-              binary = "${pkgs.openssh}/bin/ssh";
+  #            binary = "${pkgs.openssh}/bin/ssh";
-              identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
+  #            identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
-            },
+  #          },
-          }
+  #        }
-        ''}
+  #      ''}
-      '';
+  #    '';
-    };
+  #  };
-    unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+  #  unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
-    }
+  #  }
-  ) remote_hosts);
+  #) remote_hosts);
  environment.systemPackages = [
    (pkgs.writeDashBin "start-blue" ''
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@ -26,6 +26,8 @@ with (import <stockholm/lib>);
    { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";}
    { predicate = "-i retiolum -p tcp --dport 9998:9999"; target = "ACCEPT";}
    { predicate = "-i wiregrill -p tcp --dport 9998:9999"; target = "ACCEPT";}
    { predicate = "-i retiolum -p tcp --dport imap"; target = "ACCEPT";}
    { predicate = "-i wiregrill -p tcp --dport imap"; target = "ACCEPT";}
  ];
  systemd.services.chat = let
@ -64,4 +66,9 @@ with (import <stockholm/lib>);
      ExecStop = "${tmux} kill-session -t IM";
    };
  };
  services.dovecot2 = {
    enable = true;
    mailLocation = "maildir:~/Maildir";
  };
 }
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@ -44,7 +44,15 @@ with import <stockholm/lib>;
            config.krebs.users.lass-yubikey.pubkey
          ];
        };
        nix = {
          isNormalUser = true;
          uid = genid_uint31 "nix";
          openssh.authorizedKeys.keys = [
            config.krebs.hosts.mors.ssh.pubkey
          ];
        };
      };
      nix.trustedUsers = ["nix"];
    }
    {
      environment.variables = {
@ -212,4 +220,7 @@ with import <stockholm/lib>;
  networking.dhcpcd.extraConfig = ''
    noipv4ll
  '';
  # use 24:00 time format, the default got sneakily changed around 20.03
  i18n.defaultLocale = mkDefault "C.UTF-8";
 }
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@ -2,8 +2,6 @@
  to = concatStringsSep "," [
    "lass@blue.r"
    "lass@xerxes.r"
    "lass@mors.r"
  ];
  mails = [
@ -110,6 +108,12 @@
    "auschein@lassul.us"
    "tleech@lassul.us"
    "durstexpress@lassul.us"
    "acme@lassul.us"
    "antstore@lassul.us"
    "openweather@lassul.us"
    "lobsters@lassul.us"
    "rewe@lassul.us"
    "spotify@lassul.us"
  ];
 in {
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@ -4,5 +4,6 @@ with import <stockholm/lib>;
 {
  nix.gc = {
    automatic = ! (elem config.krebs.build.host.name [ "mors" "xerxes" ] || config.boot.isContainer);
    options = "--delete-older-than 15d";
  };
 }
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@ -58,6 +58,10 @@ let
      cgit.desc = "url shortener";
      cgit.section = "software";
    };
    grib2json-bin = {
      cgit.desc = "build jar of grib2json";
      cgit.section = "deployment";
    };
    krebspage = {
      cgit.desc = "homepage of krebs";
      cgit.section = "configuration";
--- a/lass/2configs/green-host.nix
+++ b/lass/2configs/green-host.nix
@ -1,38 +1,44 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
-{
+let
  cname = "green";
  cryfs = pkgs.cryfs.overrideAttrs (old: {
    patches = [
      (pkgs.writeText "file_mode.patch" ''
        --- a/src/cryfs/filesystem/CryNode.cpp
        +++ b/src/cryfs/filesystem/CryNode.cpp
        @@ -171,7 +171,7 @@ CryNode::stat_info CryNode::stat() const {
             result.uid = fspp::uid_t(getuid());
             result.gid = fspp::gid_t(getgid());
         #endif
        -    result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag();
        +    result.mode = fspp::mode_t().addDirFlag().addUserReadFlag().addUserWriteFlag().addUserExecFlag().addGroupReadFlag().addGroupExecFlag().addOtherReadFlag().addOtherExecFlag();;
             result.size = fsblobstore::DirBlob::DIR_LSTAT_SIZE;
             //TODO If possible without performance loss, then for a directory, st_nlink should return number of dir entries (including "." and "..")
             result.nlink = 1;
      '')
    ] ++ old.patches;
  });
 in {
  imports = [
    <stockholm/lass/2configs/container-networking.nix>
    <stockholm/lass/2configs/syncthing.nix>
    { #hack for already defined
      systemd.services."container@green".reloadIfChanged = mkForce false;
      systemd.services."container@green".preStart = ''
        ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green '
      '';
      systemd.services."container@green".postStop = ''
        set -x
        ${pkgs.umount}/bin/umount /var/lib/containers/green
        ls -la /dev/mapper/control
        ${pkgs.devicemapper}/bin/dmsetup ls
        ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img
      '';
    }
  ];
-  services.syncthing.declarative.folders."/var/lib/sync-containers".devices = [ "icarus" "skynet" "littleT" "shodan" ];
+  programs.fuse.userAllowOther = true;
  krebs.permown."/var/lib/sync-containers" = {
    owner = "root";
    group = "syncthing";
    umask = "0007";
  };
-  system.activationScripts.containerPermissions = ''
+  services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}".devices = [ "icarus" "skynet" "littleT" "shodan" ];
-    mkdir -p /var/lib/containers
+  # krebs.permown."/var/lib/sync-containers/${cname}" = {
-    chmod 711 /var/lib/containers
+  #   owner = "root";
-  '';
+  #   group = "syncthing";
  #   umask = "0007";
  # };
-  containers.green = {
+  systemd.services."container@green".reloadIfChanged = mkForce false;
  containers.${cname} = {
    config = { ... }: {
      environment.systemPackages = [
        pkgs.git
@ -42,41 +48,52 @@ with import <stockholm/lib>;
      users.users.root.openssh.authorizedKeys.keys = [
        config.krebs.users.lass.pubkey
      ];
      system.activationScripts.fuse = {
        text = ''
          ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
        '';
        deps = [];
      };
    };
    allowedDevices = [
      { modifier = "rwm"; node = "/dev/fuse"; }
    ];
    autoStart = false;
    enableTun = true;
    privateNetwork = true;
-    hostAddress = "10.233.2.15";
+    hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
-    localAddress = "10.233.2.16";
+    localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
  };
  environment.systemPackages = [
-    (pkgs.writeDashBin "start-green" ''
+    (pkgs.writeDashBin "start-${cname}" ''
-      set -fu
+      set -euf
      CONTAINER='green'
      IMAGE='/var/lib/sync-containers/green.img'
-      ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null
+      mkdir -p /var/lib/containers/${cname}/var/state
-      if [ "$?" -ne 0 ]; then
+      chown ${config.services.syncthing.user}: /var/lib/containers/${cname}/var/state
-        ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
+      if ! ${pkgs.mount}/bin/mount | grep -q '^cryfs@/var/lib/sync-containers/${cname} on /var/lib/containers/${cname}/var/state '; then
        /run/wrappers/bin/sudo -u "${config.services.syncthing.user}" \
          ${cryfs}/bin/cryfs /var/lib/sync-containers/${cname} /var/lib/containers/${cname}/var/state -o allow_other -o default_permissions
      fi
-      mkdir -p /var/lib/containers/"$CONTAINER"
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
      ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" "
      if [ "$?" -ne 0 ]; then
        ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
      fi
      STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER")
      if [ "$STATE" = 'down' ]; then
-        ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER"
+        ${pkgs.nixos-container}/bin/nixos-container start ${cname}
      fi
      ping -c1 green.r
      if [ "$?" -ne 0 ]; then
        ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
      fi
      if ! ping -c1 -q -w5 ${cname}.r && [ -d /var/lib/containers/${cname}/var/src ]; then
        ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
          mkdir -p /var/state/var_src
          ln -sf state/var_Src /var/src
          nixos-rebuild -I /var/src switch
        ''}
      fi
    '')
    (pkgs.writeDashBin "stop-${cname}" ''
      set -euf
      ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
      ${cryfs}/bin/cryfs-unmount /var/lib/containers/${cname}/var/state
    '')
  ];
 }
--- a/lass/2configs/hass/default.nix
+++ b/lass/2configs/hass/default.nix
@ -23,6 +23,7 @@ with import ./lib.nix { inherit lib; };
      # extraComponents = [ "hue" ];
    };
    configWritable = true;
    lovelaceConfigWritable = true;
  };
  lass.hass.config = let
--- a/lass/2configs/hass/rooms/bett.nix
+++ b/lass/2configs/hass/rooms/bett.nix
@ -5,4 +5,35 @@ with import ../lib.nix { inherit lib; };
  lass.hass.config = lib.mkMerge [
    (lightswitch switches.dimmer.bett lights.bett)
  ];
  lass.hass.love = {
    resources = [{
      url = "https://raw.githubusercontent.com/ljmerza/light-entity-card/master/dist/light-entity-card.js.map";
      type = "js";
    }];
    views = [{
      title = "bett";
      cards = [
        {
          type = "markdown";
          title = "hello world";
          content = "This is just a test";
        }
        {
          type = "light";
          entity = "light.${lights.bett}";
        }
        {
          type = "custom:light-entity-card";
          entity = "light.${lights.bett}";
        }
        {
          type = "history-graph";
          entities = [
            "light.${lights.bett}"
          ];
        }
      ];
    }];
  };
 }
--- a/lass/2configs/hw/x220.nix
+++ b/lass/2configs/hw/x220.nix
@ -5,7 +5,7 @@
  ];
  boot = {
-    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
+    initrd.luks.devices.luksroot.device = "/dev/sda3";
    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
    extraModulePackages = [
@ -47,9 +47,10 @@
  services.logind.lidSwitchDocked = "ignore";
  services.tlp.enable = true;
-  services.tlp.extraConfig = ''
+  #services.tlp.extraConfig = ''
-    START_CHARGE_THRESH_BAT0=80
+  #  START_CHARGE_THRESH_BAT0=80
-    STOP_CHARGE_THRESH_BAT0=95
+  #  STOP_CHARGE_THRESH_BAT0=95
-  '';
+  #'';
  services.xserver.dpi = 80;
 }
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@ -107,10 +107,12 @@ let
    set mailcap_path = ${mailcap}
    # notmuch
-    set nm_default_uri="notmuch://$HOME/Maildir" # path to the maildir
+    set folder="$HOME/Maildir"
    set nm_default_uri = "notmuch://$HOME/Maildir"
    set nm_record = yes
    set nm_record_tags = "-inbox me archive"
-    set virtual_spoolfile=yes                    # enable virtual folders
+    set spoolfile = +Inbox
    set virtual_spoolfile = yes
    set sendmail="${msmtp}/bin/msmtp"            # enables parsing of outgoing mail
@ -132,8 +134,8 @@ let
      # V
    ''} %r |"
    virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox"
    virtual-mailboxes "Unread" "notmuch://?query=tag:unread"
    virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox"
    ${concatMapStringsSep "\n" (i: ''${"  "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (mapAttrsToList nameValuePair mailboxes)}
    virtual-mailboxes "TODO" "notmuch://?query=tag:TODO"
    virtual-mailboxes "Starred" "notmuch://?query=tag:*"
@ -200,9 +202,15 @@ let
    macro pager ] ,@1 'Toggle indexbar
    # sidebar
    set sidebar_divider_char = '│'
    set sidebar_delim_chars = "/"
    set sidebar_short_path
    set sidebar_folder_indent
    set sidebar_visible = yes
    set sidebar_format = '%B%?F? [%F]?%* %?N?%N/? %?S?%S?'
    set sidebar_width   = 20
-    set sidebar_visible = yes               # set to "no" to disable sidebar view at startup
+    color sidebar_new yellow red
-    color sidebar_new yellow default
+
    # sidebar bindings
    bind index <left> sidebar-prev          # got to previous folder in sidebar
    bind index <right> sidebar-next         # got to next folder in sidebar
@ -229,7 +237,6 @@ in {
    mutt
    pkgs.notmuch
    pkgs.muchsync
    pkgs.haskellPackages.much
    tag-new-mails
    tag-old-mails
  ];
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
@ -80,7 +80,7 @@ let
    name = "mpv";
    paths = [
      (pkgs.writeDashBin "mpv" ''
-        exec ${pkgs.mpv}/bin/mpv --no-config --script=${autosub} "$@"
+        exec ${pkgs.mpv}/bin/mpv -vo=gpu --no-config --script=${autosub} "$@"
      '')
      pkgs.mpv
    ];
--- a/lass/2configs/paste.nix
+++ b/lass/2configs/paste.nix
@ -7,7 +7,17 @@ with import <stockholm/lib>;
    locations."/".extraConfig = ''
      client_max_body_size 4G;
      proxy_set_header Host $host;
-      proxy_pass http://localhost:9081;
+      proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port};
    '';
    locations."/image".extraConfig = /* nginx */ ''
      client_max_body_size 40M;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};
      proxy_pass_header Server;
    '';
  };
  services.nginx.virtualHosts."p.krebsco.de" = {
@ -19,21 +29,36 @@ with import <stockholm/lib>;
        return 403;
      }
      proxy_set_header Host $host;
-      proxy_pass http://localhost:9081;
+      proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port};
    '';
    locations."/image".extraConfig = ''
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};
      proxy_pass_header Server;
    '';
  };
  krebs.htgen.paste = {
    port = 9081;
    script = toString [
      "PATH=${makeBinPath [
        pkgs.nix
        pkgs.file
      ]}:$PATH"
      "STATEDIR=$HOME"
      ". ${pkgs.htgen}/examples/paste"
    ];
  };
  krebs.htgen.imgur = {
    port = 7771;
    script = /* sh */ ''
      (. ${pkgs.htgen-imgur}/bin/htgen-imgur)
    '';
  };
  krebs.iptables.tables.filter.INPUT.rules = [
    { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT";}
    { predicate = "-i retiolum -p tcp --dport 9081"; target = "ACCEPT";}
  ];
 }
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@ -12,7 +12,16 @@ let
  music_dir = "/home/radio/music";
  add_random = pkgs.writeDashBin "add_random" ''
-    ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.findutils}/bin/find "${music_dir}/the_playlist" | grep -v '/other/' | grep '\.ogg$' | shuf -n1 | sed 's,${music_dir}/,,')"
+    ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.findutils}/bin/find "${music_dir}/the_playlist" \
      | grep -Ev '/other/|/.graveyard/' \
      | grep '\.ogg$' \
      | shuf -n1 \
      | sed 's,${music_dir}/,,' \
    )"
  '';
  get_current_track_position = pkgs.writeDash "get_current_track_position" ''
    ${pkgs.mpc_cli}/bin/mpc status | ${pkgs.gawk}/bin/awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }'
  '';
  skip_track = pkgs.writeBashBin "skip_track" ''
@ -28,8 +37,8 @@ let
      ${pkgs.attr}/bin/setfattr -n user.skip_count -v "$skip_count" "$music_dir"/"$current_track"
      echo skipping: "$track_infos" skip_count: "$skip_count"
    else
-      mkdir -p "$music_dir"/.graveyard/
+      mkdir -p "$music_dir"/the_playlist/.graveyard/
-      mv "$music_dir"/"$current_track" "$music_dir"/.graveyard/
+      mv "$music_dir"/"$current_track" "$music_dir"/the_playlist/.graveyard/
      echo killing: "$track_infos"
    fi
    ${pkgs.mpc_cli}/bin/mpc -q next
@ -62,10 +71,18 @@ let
  print_current_json = pkgs.writeDashBin "print_current_json" ''
    ${pkgs.jq}/bin/jq -n -c \
      --arg name "$(${pkgs.mpc_cli}/bin/mpc current)" \
      --arg artist "$(${pkgs.mpc_cli}/bin/mpc current -f %artist%)" \
      --arg title "$(${pkgs.mpc_cli}/bin/mpc current -f %title%)" \
      --arg filename "$(${pkgs.mpc_cli}/bin/mpc current -f %file%)" \
      --arg position "$(${get_current_track_position})" \
      --arg length "$(${pkgs.mpc_cli}/bin/mpc current -f %time%)" \
      --arg youtube "$(${track_youtube_link})" '{
        name: $name,
        artist: $artist,
        title: $title,
        filename: $filename,
        position: $position,
        length: $length,
        youtube: $youtube
      }'
  '';
@ -193,7 +210,7 @@ in {
      timeLeft () {
        playlistDuration=$(${pkgs.mpc_cli}/bin/mpc --format '%time%' playlist | ${pkgs.gawk}/bin/awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}')
-        currentTime=$(${pkgs.mpc_cli}/bin/mpc status | ${pkgs.gawk}/bin/awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }')
+        currentTime=$(${get_current_track_position})
        expr ''${playlistDuration:-0} - ''${currentTime:-0}
      }
@ -221,9 +238,11 @@ in {
        ${pkgs.mpc_cli}/bin/mpc idle player > /dev/null
        ${pkgs.mpc_cli}/bin/mpc current -f %file%
      done | while read track; do
        listeners=$(${pkgs.curl}/bin/curl 'http://localhost:8000/status-json.xsl' \
          | ${pkgs.jq}/bin/jq '[.icestats.source[].listeners] | add')
        echo "$(date -Is)" "$track" | tee -a "$HISTORY_FILE"
        echo "$(tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE"
-        ${write_to_irc} "playing: $track"
+        ${write_to_irc} "playing: $track listeners: $listeners"
      done
    '';
  in {
--- a/lass/2configs/steam.nix
+++ b/lass/2configs/steam.nix
@ -13,7 +13,11 @@
  nixpkgs.config.steam.java = true;
  hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ];
-  users.users.games.packages = [ pkgs.steam ];
+  users.users.games.packages = [ (pkgs.steam.override {
    extraPkgs = p: with p; [
      gnutls # needed for Halo MCC
    ];
  }) ];
  #ports for inhome streaming
  krebs.iptables = {
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@ -31,5 +31,6 @@ in {
    owner = "lass";
    group = "syncthing";
    umask = "0002";
    keepGoing = true;
  };
 }
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@ -26,6 +26,7 @@ in {
    ./default.nix
    ./sqlBackup.nix
    (servePage [ "aldonasiech.com" "www.aldonasiech.com" ])
    (servePage [ "apanowicz.de" "www.apanowicz.de" ])
    (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
    (servePage [
      "freemonkey.art"
@ -34,7 +35,6 @@ in {
    (serveOwncloud [ "o.ubikmedia.de" ])
    (serveWordpress [
      "ubikmedia.de"
      "apanowicz.de"
      "nirwanabluete.de"
      "ubikmedia.eu"
      "youthtube.xyz"
@ -42,7 +42,6 @@ in {
      "weirdwednesday.de"
      "jarugadesign.de"
      "www.apanowicz.de"
      "www.nirwanabluete.de"
      "www.ubikmedia.eu"
      "www.youthtube.xyz"
@ -52,7 +51,6 @@ in {
      "www.jarugadesign.de"
      "aldona2.ubikmedia.de"
      "apanowicz.ubikmedia.de"
      "cinevita.ubikmedia.de"
      "factscloud.ubikmedia.de"
      "illucloud.ubikmedia.de"
@ -93,6 +91,7 @@ in {
  services.nextcloud = {
    enable = true;
    hostName = "o.xanf.org";
    package = pkgs.nextcloud18;
    config = {
      adminpassFile = toString <secrets> + "/nextcloud_pw";
      overwriteProtocol = "https";
@ -107,6 +106,10 @@ in {
  # MAIL STUFF
  # TODO: make into its own module
  # workaround for android 7
  security.acme.certs."lassul.us".keyType = "rsa4096";
  services.dovecot2 = {
    enable = true;
    mailLocation = "maildir:~/Mail";
@ -131,18 +134,16 @@ in {
      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
    '';
    internet-aliases = [
      { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
      { from = "dma@ubikmedia.de"; to = "domsen"; }
      { from = "dma@ubikmedia.eu"; to = "domsen"; }
      { from = "mail@habsys.de"; to = "domsen"; }
      { from = "mail@habsys.eu"; to = "domsen"; }
      { from = "hallo@apanowicz.de"; to = "domsen"; }
      { from = "bruno@apanowicz.de"; to = "bruno"; }
      { from = "mail@jla-trading.com"; to = "jla-trading"; }
      { from = "jms@ubikmedia.eu"; to = "jms"; }
      { from = "ms@ubikmedia.eu"; to = "ms"; }
      { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
      { from = "akayguen@freemonkey.art"; to ="akayguen"; }
      { from = "bui@freemonkey.art"; to ="bui"; }
      { from = "kontakt@alewis.de"; to ="klabusterbeere"; }
      { from = "hallo@jarugadesign.de"; to ="kasia"; }
@ -153,9 +154,14 @@ in {
      "jla-trading.com"
      "ubikmedia.eu"
      "ubikmedia.de"
      "apanowicz.de"
      "alewis.de"
      "jarugadesign.de"
    ];
    dkim = [
      { domain = "ubikmedia.eu"; }
      { domain = "apanowicz.de"; }
    ];
    ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
    ssl_key = "/var/lib/acme/lassul.us/key.pem";
  };
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@ -61,7 +61,7 @@ in {
        pubkey = config.krebs.users.lass.pubkey;
      };
    in ''
-      alias ${initscript};
+      alias ${initscript}/bin/init;
    '';
    locations."= /blue.pub".extraConfig = ''
      alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey};
@ -69,6 +69,9 @@ in {
    locations."= /mors.pub".extraConfig = ''
      alias ${pkgs.writeText "pub" config.krebs.users.lass-mors.pubkey};
    '';
    locations."= /yubi.pub".extraConfig = ''
      alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey};
    '';
  };
  security.acme.certs."cgit.lassul.us" = {
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@ -14,8 +14,7 @@ in {
      ];
      createHome = true;
      packages = [
-        pkgs.wine
+        pkgs.wineMinimal
        pkgs.winetricks
      ];
    };
  };
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@ -122,14 +122,15 @@
      case $TERM in
        (*xterm* | *rxvt*)
          function precmd {
-            PROMPT_EVALED="$(print -P $TITLE)"
+            PROMPT_EVALED=$(print -P "$TITLE")
            echo -ne "\033]0;$$ $PROMPT_EVALED\007"
          }
-          # This is seen while the shell waits for a command to complete.
+          # This seems broken for some reason
-          function preexec {
+          # # This is seen while the shell waits for a command to complete.
-            PROMPT_EVALED="$(print -P $TITLE)"
+          # function preexec {
-            echo -ne "\033]0;$$ $PROMPT_EVALED $1\007"
+          #   PROMPT_EVALED=$(print -P "$TITLE")
-          }
+          #   echo -ne "\033]0;$$ $PROMPT_EVALED $1\007"
          # }
        ;;
      esac
    '';
--- a/lass/3modules/hass.nix
+++ b/lass/3modules/hass.nix
@ -22,6 +22,22 @@ in {
          };
        in valueType;
    };
    love = mkOption {
      default = {};
      type =  with lib.types; let
          valueType = nullOr (oneOf [
            bool
            int
            float
            str
            (attrsOf valueType)
            (listOf valueType)
          ]) // {
            description = "Yaml value";
            emptyValue.value = {};
          };
        in valueType;
    };
  };
  config =
@ -29,6 +45,7 @@ in {
    mkIf (cfg.config != {})
     {
      services.home-assistant.config = cfg.config;
      # services.home-assistant.lovelaceConfig = cfg.love;
    };
 }
--- a/lass/5pkgs/custom/xmonad-lass/default.nix
+++ b/lass/5pkgs/custom/xmonad-lass/default.nix
@ -19,6 +19,8 @@ import System.Environment (getArgs, lookupEnv)
 import System.Exit (exitFailure)
 import System.IO (hPutStrLn, stderr)
 import System.Posix.Process (executeFile)
 import Data.Ratio
 import XMonad.Actions.CopyWindow (copy, copyToAll, kill1)
 import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
@ -29,14 +31,17 @@ import XMonad.Hooks.EwmhDesktops (ewmh)
 import XMonad.Hooks.FloatNext (floatNext)
 import XMonad.Hooks.FloatNext (floatNextHook)
 import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
-import XMonad.Hooks.ManageHelpers (composeOne, doCenterFloat, (-?>))
+import XMonad.Hooks.ManageHelpers (doCenterFloat, doRectFloat, (-?>))
 import XMonad.Hooks.Place (placeHook, smart)
 import XMonad.Hooks.UrgencyHook (focusUrgent)
 import XMonad.Hooks.UrgencyHook (withUrgencyHook, UrgencyHook(..))
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Grid (Grid(..))
 import XMonad.Layout.Minimize (minimize)
 import XMonad.Layout.NoBorders (smartBorders)
 import XMonad.Layout.MouseResizableTile (mouseResizableTile)
 import XMonad.Layout.SimplestFloat (simplestFloat)
 import XMonad.ManageHook (composeAll)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
@ -76,7 +81,7 @@ main' = do
            { terminal           = myTerm
            , modMask            = mod4Mask
            , layoutHook         = smartBorders $ myLayoutHook
-            , manageHook         = floatHooks <+> floatNextHook
+            , manageHook         = floatHooks
            , startupHook =
                whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
                          (\path -> forkFile path [] Nothing)
@ -88,14 +93,17 @@ main' = do
 myLayoutHook = defLayout
  where
-    defLayout = minimize $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat ||| mouseResizableTile)
+    defLayout = minimize $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat ||| mouseResizableTile ||| Grid)
-floatHooks :: Query (Endo WindowSet)
+floatHooks = composeAll
-floatHooks = composeOne
+   [ className =? "Pinentry" --> doCenterFloat
-   [ className =? "Pinentry" -?> doCenterFloat
+   , title =? "fzfmenu" --> doCenterFloat
-   , title =? "fzfmenu" -?> doCenterFloat
+   , title =? "glxgears" --> doCenterFloat
-   , title =? "glxgears" -?> doCenterFloat
+   , resource =? "Dialog" --> doFloat
-   , resource =? "Dialog" -?> doFloat
+   , title =? "Upload to Imgur" -->
       doRectFloat (W.RationalRect 0 0 (1 % 8) (1 % 8))
   , placeHook (smart (1,0))
   , floatNextHook
   ]
 myKeyMap :: [([Char], X ())]
@ -105,7 +113,6 @@ myKeyMap =
    , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
    , ("M4-S-p", spawn "${pkgs.otpmenu}/bin/otpmenu")
    , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
    , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
    , ("M4-z", spawn "${pkgs.emot-menu}/bin/emoticons")
    , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle")
--- a/lass/5pkgs/emot-menu/default.nix
+++ b/lass/5pkgs/emot-menu/default.nix
@ -29,6 +29,6 @@ writeDashBin "emoticons" ''
  data=$(${coreutils}/bin/cat ${emoticons})
  emoticon=$(echo "$data" | ${dmenu}/bin/dmenu | ${gnused}/bin/sed 's/ | .*//')
-  ${xdotool}/bin/xdotool type -- "$emoticon"
+  ${xdotool}/bin/xdotool type --clearmodifiers -- "$emoticon"
  exit 0
 ''
--- a/lass/5pkgs/init/default.nix
+++ b/lass/5pkgs/init/default.nix
@ -2,10 +2,10 @@
 with lib;
-pkgs.writeScript "init" ''
+pkgs.writeScriptBin "init" ''
  #!/usr/bin/env nix-shell
-  #! nix-shell -i bash -p jq parted libxfs
+  #! nix-shell -i bash -p cryptsetup gptfdisk jq libxfs
-  set -efu
+  set -xefuo pipefail
  disk=$1
@ -14,12 +14,12 @@ pkgs.writeScript "init" ''
    exit 2
  fi
  bootdev="$disk"2
  luksdev="$disk"3
  luksmap=/dev/mapper/${luksmap}
  vgname=${vgname}
  bootdev=/dev/sda2
  rootdev=/dev/mapper/${vgname}-root
  homedev=/dev/mapper/${vgname}-home
@ -35,15 +35,13 @@ pkgs.writeScript "init" ''
  #   dd if=/dev/zero bs=512 count=34 of=/dev/sda
  # TODO zero last 34 blocks (lsblk -bno SIZE /dev/sda)
  if ! test "$(blkid -o value -s PTTYPE "$disk")" = gpt; then
-    parted -s -a optimal "$disk" \
+    sgdisk -og "$disk"
-        mklabel gpt \
+    sgdisk -n 1:2048:4095 -c 1:"BIOS Boot Partition" -t 1:ef02 "$disk"
-        mkpart no-fs 0 1024KiB \
+    sgdisk -n 2:4096:+1G -c 2:"EFI System Partition" -t 2:ef00 "$disk"
-        set 1 bios_grub on \
+    sgdisk -n 3:0:0 -c 3:"LUKS container" -t 3:8300 "$disk"
        mkpart ESP fat32 1025KiB 1024MiB  set 2 boot on \
        mkpart primary 1025MiB 100%
  fi
-  if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = primary; then
+  if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = "LUKS container"; then
    echo zonk2
    exit 23
  fi
@ -58,7 +56,6 @@ pkgs.writeScript "init" ''
  if ! test -e "$luksmap"; then
    echo "$lukspw" | cryptsetup luksOpen "$luksdev" "$(basename "$luksmap")" -
  fi
  # cryptsetup close
  if ! test "$(blkid -o value -s TYPE "$luksmap")" = LVM2_member; then
    pvcreate "$luksmap"
@ -68,11 +65,7 @@ pkgs.writeScript "init" ''
  lvchange -a y /dev/mapper/"$vgname"
-  if ! test -e "$rootdev"; then lvcreate -L 7G -n root "$vgname"; fi
+  if ! test -e "$rootdev"; then lvcreate -L 3G -n root "$vgname"; fi
  if ! test -e "$homedev"; then lvcreate -L 100M -n home "$vgname"; fi
  # lvchange -a n "$vgname"
  #
  # formatting
@ -82,35 +75,23 @@ pkgs.writeScript "init" ''
    mkfs.vfat "$bootdev"
  fi
-  if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then
+  if ! test "$(blkid -o value -s TYPE "$rootdev")" = xfs; then
    mkfs.xfs "$rootdev"
  fi
  if ! test "$(blkid -o value -s TYPE "$homedev")" = btrfs; then
    mkfs.xfs "$homedev"
  fi
  if ! test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then
    mkdir -p /mnt
    mount "$rootdev" /mnt
  fi
  if ! test "$(lsblk -n -o MOUNTPOINT "$bootdev")" = /mnt/boot; then
    mkdir -m 0000 -p /mnt/boot
    mount "$bootdev" /mnt/boot
  fi
  if ! test "$(lsblk -n -o MOUNTPOINT "$homedev")" = /mnt/home; then
    mkdir -m 0000 -p /mnt/home
    mount "$homedev" /mnt/home
  fi
  # umount -R /mnt
  #
  # dependencies for stockholm
  #
  nix-env -iA nixos.git
  # TODO: get sentinal file from target_path
  mkdir -p /mnt/var/src
  touch /mnt/var/src/.populate
@ -119,7 +100,7 @@ pkgs.writeScript "init" ''
  # print all the infos
  #
-  parted "$disk" print
+  gdisk -l "$disk"
  lsblk "$disk"
  echo READY.
--- a/lass/5pkgs/init/run-vm.sh
+++ b/lass/5pkgs/init/run-vm.sh
@ -0,0 +1,7 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash -p nixos-generators
 set -efu
 WD=$(dirname "$0")
 nixos-generate -I stockholm="$WD"/../../.. -c "$WD"/config.nix -f vm-nogui --run
--- a/lass/5pkgs/init/test.nix
+++ b/lass/5pkgs/init/test.nix
@ -0,0 +1,13 @@
 { config, lib, pkgs, ... }:
 {
  virtualisation.emptyDiskImages = [
    8000
  ];
  virtualisation.memorySize = 1500;
  boot.tmpOnTmpfs = true;
  environment.systemPackages = [
    (pkgs.callPackage ./default.nix {})
  ];
  services.mingetty.autologinUser = lib.mkForce "root";
 }
--- a/lass/5pkgs/init/test.sh
+++ b/lass/5pkgs/init/test.sh
@ -0,0 +1,11 @@
 #!/usr/bin/env nix-shell
 #! nix-shell -i bash -p nixos-generators
 set -xefu
 WD=$(realpath $(dirname "$0"))
 TMPDIR=$(mktemp -d)
 cd "$TMPDIR"
 nixos-generate -c "$WD"/test.nix -f vm-nogui --run "$@"
 cd -
 rm -r "$TMPDIR"
--- a/lass/krops.nix
+++ b/lass/krops.nix
@ -11,8 +11,9 @@
    {
      nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix";
      nixpkgs-unstable.git = {
-        url = "https://github.com/nixos/nixpkgs-channels";
+        url = "https://github.com/nixos/nixpkgs";
        ref = (lib.importJSON ../krebs/nixpkgs-unstable.json).rev;
        shallow = true;
      };
      secrets = if test then {
        file = toString ./2configs/tests/dummy-secrets;
--- a/lib/default.nix
+++ b/lib/default.nix
@ -60,13 +60,17 @@ let
    }.${typeOf x};
    mapNixDir1 = f: dirPath:
      let
        toPackageName = name:
          if test "^[0-9].*" name then "_${name}" else name;
      in
      listToAttrs
        (map
          (relPath: let
            name = removeSuffix ".nix" relPath;
            path = dirPath + "/${relPath}";
          in
-            nameValuePair name (f path))
+            nameValuePair (toPackageName name) (f path))
          (filter
            (name: name != "default.nix" && !hasPrefix "." name)
            (attrNames (readDir dirPath))));
--- a/lib/types.nix
+++ b/lib/types.nix
@ -116,6 +116,10 @@ rec {
        type = listOf hostname;
        default = [];
      };
      mac = mkOption {
        type = nullOr str;
        default = null;
      };
      ip4 = mkOption {
        type = nullOr (submodule {
          options = {
--- a/makefu/krops.nix
+++ b/makefu/krops.nix
@ -48,7 +48,7 @@
    }
    (lib.mkIf (host-src.unstable) {
      nixpkgs-unstable.git = {
-          url = "https://github.com/nixos/nixpkgs-channels";
+          url = "https://github.com/nixos/nixpkgs";
          ref = (lib.importJSON ../krebs/nixpkgs-unstable.json).rev;
        };
    })
--- a/tv/1systems/au/config.nix
+++ b/tv/1systems/au/config.nix
@ -3,6 +3,7 @@
    ./disks.nix
    <stockholm/tv>
    <stockholm/tv/2configs/hw/x220.nix>
    <stockholm/tv/2configs/ppp.nix>
    <stockholm/tv/2configs/retiolum.nix>
  ];
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@ -1,7 +1,7 @@
 with import <stockholm/lib>;
 { config, pkgs, ... }: {
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelPackages = mkDefault pkgs.linuxPackages_latest;
  boot.tmpOnTmpfs = true;
@ -68,18 +68,13 @@ with import <stockholm/lib>;
      ];
      environment.shellAliases = mkForce {
        # alias cal='cal -m3'
        gp = "${pkgs.pari}/bin/gp -q";
        df = "df -h";
        du = "du -h";
        # alias grep='grep --color=auto'
        # TODO alias cannot contain #\'
        # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
        # alias la='ls -lA'
        lAtr = "ls -lAtr";
        # alias ll='ls -l'
        ls = "ls -h --color=auto --group-directories-first";
        dmesg = "dmesg -L --reltime";
        view = "vim -R";
--- a/tv/2configs/ppp.nix
+++ b/tv/2configs/ppp.nix
@ -1,9 +1,25 @@
-{ pkgs, ... }: {
+{ config, pkgs, ... }: let
-
+  lib = import <stockholm/lib>;
-  # usage: pppd call default
+  cfg = {
-
+    pin = "@${toString <secrets/o2.pin>}";
-  environment.etc."ppp/peers/default".text = ''
+    ttys.ppp = "/dev/ttyACM0";
-    /dev/ttyACM2
+    ttys.com = "/dev/ttyACM1";
  };
 in {
  assertions = [
    {
      assertion = config.networking.resolvconf.enable;
      message = "ppp configuration needs resolvconf";
    }
  ];
  environment.etc."ppp/ip-up".source = pkgs.writeDash "ppp.ip-up" ''
    ${pkgs.openresolv}/bin/resolvconf -a "$IFNAME" < /etc/ppp/resolv.conf
  '';
  environment.etc."ppp/ip-down".source = pkgs.writeDash "ppp.ip-down" ''
    ${pkgs.openresolv}/bin/resolvconf -fd "$IFNAME"
  '';
  environment.etc."ppp/peers/o2".text = /* sh */ ''
    ${cfg.ttys.ppp}
    921600
    crtscts
    defaultroute
@ -16,17 +32,53 @@
    passive
    persist
    usepeerdns
-    connect "${pkgs.ppp}/bin/chat -f ${pkgs.writeText "default.chat" ''
+    connect "${pkgs.ppp}/bin/chat ''${DEBUG+-v} -Ss -f ${pkgs.writeText "o2.chat" /* sh */ ''
      ABORT "BUSY"
      ABORT "NO CARRIER"
      REPORT CONNECT
-      "" "ATDT*99#"
+      "*EMRDY: 1"
-      CONNECT
+      ATZ OK
      AT+CFUN=1 OK
      ${cfg.pin} TIMEOUT 2 ERROR-AT-OK
      AT+CGDCONT=1,\042IP\042,\042internet\042 OK
      ATDT*99***1# CONNECT
    ''}"
  '';
-
+  users.users.root.packages = [
-  environment.systemPackages = [
+    (pkgs.writeDashBin "connect" ''
-    pkgs.ppp
+      # usage:
      #   connect wlan
      #   connect wwan [PEERNAME]
      set -efu
      rfkill_wlan=/sys/class/rfkill/rfkill2
      rfkill_wwan=/sys/class/rfkill/rfkill1
      case $1 in
        wlan)
          ${pkgs.procps}/bin/pkill pppd || :
          echo 0 > "$rfkill_wwan"/state
          echo 1 > "$rfkill_wlan"/state
          ;;
        wwan)
          name=''${2-o2}
          echo 0 > "$rfkill_wlan"/state
          echo 1 > "$rfkill_wwan"/state
          ${pkgs.ppp}/bin/pppd call "$name" updetach
          ;;
        *)
          echo "$0: error: bad arguments: $*" >&2
          exit 1
      esac
    '')
    (pkgs.writeDashBin "modem-send" ''
      # usage: modem-send ATCOMMAND
      set -efu
      tty=${lib.shell.escape cfg.ttys.com}
      exec <"$tty"
      printf '%s\r\n' "$1" >"$tty"
      ${pkgs.gnused}/bin/sed -E '
        /^OK\r?$/q
        /^ERROR\r?$/q
      '
    '')
  ];
 }
--- a/tv/2configs/sshd.nix
+++ b/tv/2configs/sshd.nix
@ -1,10 +1,22 @@
 { config, lib, pkgs, ... }:
 with import <stockholm/lib>;
-
+{ config, ... }: let
-{
+  cfg.host = config.krebs.build.host;
 in {
  services.openssh = {
    enable = true;
  };
  tv.iptables.input-internet-accept-tcp = singleton "ssh";
  tv.iptables.extra.nat.OUTPUT = [
    "-o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22"
  ];
  tv.iptables.extra4.nat.PREROUTING = [
    "-d ${cfg.host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT"
  ];
  tv.iptables.extra6.nat.PREROUTING = [
    "-d ${cfg.host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT"
  ];
  tv.iptables.extra.nat.PREROUTING = [
    "-p tcp --dport 22 -j REDIRECT --to-ports 0"
    "-p tcp --dport 11423 -j REDIRECT --to-ports 22"
  ];
 }
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@ -6,6 +6,19 @@ let
    configDir = "/var/empty";
    dataDir = "/run/xdg/${cfg.user.name}/xmonad";
    user = config.krebs.build.user;
    xmonad.pkg = pkgs.haskellPackages.xmonad-tv.overrideAttrs (_: {
      au = {
        XMONAD_BUILD_SCREEN_WIDTH = 1920;
        XMONAD_BUILD_TERM_FONT_WIDTH = 10;
        XMONAD_BUILD_TERM_FONT = "xft:Input Mono:size=12:style=Regular";
        XMONAD_BUILD_TERM_PADDING = 2;
      };
    }.${config.krebs.build.host.name} or {
      XMONAD_BUILD_SCREEN_WIDTH = 1366;
      XMONAD_BUILD_TERM_FONT_WIDTH = 6;
      XMONAD_BUILD_TERM_FONT = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
      XMONAD_BUILD_TERM_PADDING = 2;
    });
  };
 in {
@ -51,7 +64,7 @@ in {
  systemd.services.display-manager.enable = false;
  systemd.services.xmonad = let
-    xmonad = "${pkgs.haskellPackages.xmonad-tv}/bin/xmonad";
+    xmonad = "${cfg.xmonad.pkg}/bin/xmonad";
    xmonad-start = pkgs.writeDash "xmonad-start" ''
      ${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CACHE_DIR"
      ${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CONFIG_DIR"
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@ -135,15 +135,8 @@ let {
      :INPUT ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [
        "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
        "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
      ]}
      ${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
        "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
      ]}
      ${formatTable cfg.extra.nat}
      ${formatTable cfg."extra${toString iptables-version}".nat}
      ${formatTable cfg.extra.nat}
      COMMIT
      *filter
      :INPUT DROP [0:0]
--- a/tv/5pkgs/haskell/th-env/default.nix
+++ b/tv/5pkgs/haskell/th-env/default.nix
@ -0,0 +1,10 @@
 { mkDerivation, base, stdenv, template-haskell, text }:
 mkDerivation {
  pname = "th-env";
  version = "1.0.0";
  src = ./.;
  libraryHaskellDepends = [ base template-haskell text ];
  homepage = "https://stackoverflow.com/q/57635686";
  license = "unknown";
  hydraPlatforms = stdenv.lib.platforms.none;
 }
--- a/tv/5pkgs/haskell/th-env/src/THEnv.hs
+++ b/tv/5pkgs/haskell/th-env/src/THEnv.hs
@ -0,0 +1,49 @@
 {-# LANGUAGE TemplateHaskell #-}
 module THEnv
    (
    -- * Compile-time configuration
      lookupCompileEnv
    , lookupCompileEnvExp
    , getCompileEnv
    , getCompileEnvExp
    , fileAsString
    ) where
 import Control.Monad
 import qualified Data.Text as T
 import qualified Data.Text.IO as T
 import Language.Haskell.TH
 import Language.Haskell.TH.Syntax (Lift(..))
 import System.Environment (getEnvironment)
 -- Functions that work with compile-time configuration
 -- | Looks up a compile-time environment variable.
 lookupCompileEnv :: String -> Q (Maybe String)
 lookupCompileEnv key = lookup key `liftM` runIO getEnvironment
 -- | Looks up a compile-time environment variable. The result is a TH
 -- expression of type @Maybe String@.
 lookupCompileEnvExp :: String -> Q Exp
 lookupCompileEnvExp = (`sigE` [t| Maybe String |]) . lift <=< lookupCompileEnv
    -- We need to explicly type the result so that things like `print Nothing`
    -- work.
 -- | Looks up an compile-time environment variable and fail, if it's not
 -- present.
 getCompileEnv :: String -> Q String
 getCompileEnv key =
  lookupCompileEnv key >>=
  maybe (fail $ "Environment variable " ++ key ++ " not defined") return
 -- | Looks up an compile-time environment variable and fail, if it's not
 -- present. The result is a TH expression of type @String@.
 getCompileEnvExp :: String -> Q Exp
 getCompileEnvExp = lift <=< getCompileEnv
 -- | Loads the content of a file as a string constant expression.
 -- The given path is relative to the source directory.
 fileAsString :: FilePath -> Q Exp
 fileAsString = do
  -- addDependentFile path -- works only with template-haskell >= 2.7
  stringE . T.unpack . T.strip <=< runIO . T.readFile
--- a/tv/5pkgs/haskell/th-env/th-env.cabal
+++ b/tv/5pkgs/haskell/th-env/th-env.cabal
@ -0,0 +1,20 @@
 name: th-env
 version: 1.0.0
 -- license: https://creativecommons.org/licenses/by-sa/4.0/
 license: OtherLicense
 author: https://stackoverflow.com/users/9348482
 homepage: https://stackoverflow.com/q/57635686
 maintainer: tv <tv@krebsco.de>
 build-type: Simple
 cabal-version: >=1.10
 library
  hs-source-dirs: src
  build-depends:
    base,
    template-haskell,
    text
  exposed-modules:
    THEnv
  default-language: Haskell2010
  ghc-options: -O2 -Wall
--- a/tv/5pkgs/haskell/xmonad-tv/default.nix
+++ b/tv/5pkgs/haskell/xmonad-tv/default.nix
@ -1,5 +1,6 @@
-{ mkDerivation, base, containers, directory, extra, stdenv, unix
+{ mkDerivation, aeson, base, bytestring, containers, directory
-, X11, xmonad, xmonad-contrib, xmonad-stockholm
+, extra, stdenv, template-haskell, th-env, unix, X11, xmonad
 , xmonad-contrib, xmonad-stockholm
 }:
 mkDerivation {
  pname = "xmonad-tv";
@ -8,8 +9,8 @@ mkDerivation {
  isLibrary = false;
  isExecutable = true;
  executableHaskellDepends = [
-    base containers directory extra unix X11 xmonad xmonad-contrib
+    aeson base bytestring containers directory extra template-haskell
-    xmonad-stockholm
+    th-env unix X11 xmonad xmonad-contrib xmonad-stockholm
  ];
  license = stdenv.lib.licenses.mit;
 }
--- a/tv/5pkgs/haskell/xmonad-tv/src/THEnv/JSON.hs
+++ b/tv/5pkgs/haskell/xmonad-tv/src/THEnv/JSON.hs
@ -0,0 +1,18 @@
 {-# LANGUAGE ScopedTypeVariables #-}
 module THEnv.JSON where
 import Data.Aeson (eitherDecode,FromJSON)
 import Data.ByteString.Lazy.Char8 (pack)
 import Language.Haskell.TH.Syntax (Exp,Lift(lift),Q)
 import THEnv (getCompileEnv)
 import Control.Monad
 getCompileEnvJSON :: (FromJSON a) => String -> Q a
 getCompileEnvJSON name =
    either error (id :: a -> a) . eitherDecode . pack <$>  getCompileEnv name
 getCompileEnvJSONExp ::
  forall proxy a. (FromJSON a, Lift a) => proxy a -> String -> Q Exp
 getCompileEnvJSONExp _ =
    (lift :: a -> Q Exp) <=< getCompileEnvJSON
--- a/tv/5pkgs/haskell/xmonad-tv/src/main.hs
+++ b/tv/5pkgs/haskell/xmonad-tv/src/main.hs
@ -1,4 +1,6 @@
 {-# LANGUAGE LambdaCase #-}
 {-# LANGUAGE TemplateHaskell #-}
 {-# LANGUAGE TypeApplications #-}
 module Main (main) where
@ -32,10 +34,23 @@ import XMonad.Stockholm.Pager
 import XMonad.Stockholm.Shutdown
 import qualified Paths
 import THEnv.JSON (getCompileEnvJSONExp)
 myFont :: String
 myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
 myScreenWidth :: Dimension
 myScreenWidth =
  $(getCompileEnvJSONExp (id @Dimension) "XMONAD_BUILD_SCREEN_WIDTH")
 myTermFontWidth :: Dimension
 myTermFontWidth =
  $(getCompileEnvJSONExp (id @Dimension) "XMONAD_BUILD_TERM_FONT_WIDTH")
 myTermPadding :: Dimension
 myTermPadding = 2
 main :: IO ()
 main = getArgs >>= \case
@ -46,7 +61,6 @@ main = getArgs >>= \case
 mainNoArgs :: IO ()
 mainNoArgs = do
    let width = 1366
    workspaces0 <- getWorkspaces0
    handleShutdownEvent <- newShutdownEventHandler
    launch
@ -60,8 +74,9 @@ mainNoArgs = do
                smartBorders $
                  ResizableTall
                    1
-                    (10 * 6 / width)
+                    (fromIntegral (10 * myTermFontWidth) / fromIntegral myScreenWidth)
-                    ((80 * 6 + 2 * (1+1+1))/width) []
+                    (fromIntegral (80 * myTermFontWidth + 2 * (myTermPadding + borderWidth def)) / fromIntegral myScreenWidth)
                    []
                  |||
                  Full
            , manageHook =
--- a/tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal
+++ b/tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal
@ -9,10 +9,14 @@ cabal-version: >=1.10
 executable xmonad
  main-is: main.hs
  build-depends:
    aeson,
    base,
    bytestring,
    containers,
    directory,
    extra,
    template-haskell,
    th-env,
    unix,
    X11,
    xmonad,
@ -20,6 +24,7 @@ executable xmonad
    xmonad-stockholm
  other-modules:
    Helpers.Path,
-    Paths
+    Paths,
    THEnv.JSON
  default-language: Haskell2010
  ghc-options: -O2 -Wall -threaded
--- a/tv/5pkgs/override/default.nix
+++ b/tv/5pkgs/override/default.nix
@ -1,5 +1,18 @@
 with import <stockholm/lib>;
 self: super: {
  input-fonts = super.input-fonts.overrideAttrs (old: rec {
    src = self.fetchurl {
      url = "http://xu.r/~tv/mirrors/input-fonts/Input-Font-2.zip";
      sha256 = "1vvipqcflz4ximy7xpqy9idrdpq3a0c490hp5137r2dq03h865y0";
    };
    outputHash = null;
    outputHashAlgo = null;
    outputHashMode = null;
  });
  nix-prefetch-github =
    self.python3Packages.callPackage ./nix-prefetch-github.nix {};
  rxvt_unicode = self.callPackage ./rxvt_unicode.nix {
    rxvt_unicode = super.rxvt_unicode;
  };
--- a/tv/5pkgs/override/nix-prefetch-github.nix
+++ b/tv/5pkgs/override/nix-prefetch-github.nix
@ -0,0 +1,47 @@
 { fetchPypi
 , lib
 , buildPythonPackage
 , pythonOlder
 , attrs
 , click
 , effect
 , jinja2
 , git
 , pytestCheckHook
 , pytest-black
 , pytestcov
 , pytest-isort
 }:
 buildPythonPackage rec {
  pname = "nix-prefetch-github";
  version = "3.0";
  src = fetchPypi {
    inherit pname version;
    sha256 = "sha256-EN+EbVXUaf+id5UsK4EBm/9k9FYaH79g08kblvW60XA=";
  };
  propagatedBuildInputs = [
    attrs
    click
    effect
    jinja2
  ];
  checkInputs = [ pytestCheckHook pytest-black pytestcov pytest-isort git ];
  checkPhase = ''
    pytest -m 'not network'
  '';
  # latest version of isort will cause tests to fail
  # ignore tests which are impure
  disabledTests = [ "isort" "life" "outputs" "fetch_submodules" ];
  meta = with lib; {
    description = "Prefetch sources from github";
    homepage = "https://github.com/seppeljordan/nix-prefetch-github";
    license = licenses.gpl3;
    maintainers = with maintainers; [ seppeljordan ];
  };
 }
--- a/tv/5pkgs/rpi/433Utils/RPi_utils.codesend.codestring.patch
+++ b/tv/5pkgs/rpi/433Utils/RPi_utils.codesend.codestring.patch
@ -0,0 +1,24 @@
 --- a/RPi_utils/codesend.cpp
 +++ b/RPi_utils/codesend.cpp
@@ -40,18 +40,18 @@ int main(int argc, char *argv[]) {
     }
     // Change protocol and pulse length accroding to parameters
 -    int code = atoi(argv[1]);
 +    const char *code = argv[1];
     if (argc >= 3) protocol = atoi(argv[2]);
     if (argc >= 4) pulseLength = atoi(argv[3]);
     if (wiringPiSetup () == -1) return 1;
 -    printf("sending code[%i]\n", code);
 +    printf("sending code[%s]\n", code);
     RCSwitch mySwitch = RCSwitch();
     if (protocol != 0) mySwitch.setProtocol(protocol);
     if (pulseLength != 0) mySwitch.setPulseLength(pulseLength);
     mySwitch.enableTransmit(PIN);
 -    mySwitch.send(code, 24);
 +    mySwitch.send(code);
     return 0;
--- a/tv/5pkgs/rpi/433Utils/default.nix
+++ b/tv/5pkgs/rpi/433Utils/default.nix
@ -0,0 +1,42 @@
 { fetchFromGitHub, stdenv
 , wiringPi ? WiringPi.wiringPi
 , wiringPiDev ? WiringPi.wiringPiDev
 , WiringPi ? rpiPackages.WiringPi
 , rpiPackages
 }:
 stdenv.mkDerivation {
  pname = "433Utils-RPi_utils";
  version = "2018-06-07";
  src = fetchFromGitHub (stdenv.lib.importJSON ./src.json);
  patches = [
    ./rc-switch.protocols.patch
    ./RPi_utils.codesend.codestring.patch
  ];
  buildPhase = ''
    runHook postBuild
    make -C RPi_utils
    runHook preBuild
  '';
  buildInputs = [
    wiringPi
    wiringPiDev
  ];
  installPhase = ''
    runHook preInstall
    mkdir -p $out/bin
    for name in send codesend RFSniffer; do
      cp RPi_utils/$name $out/bin/
    done
    runHook postInstall
  '';
 }
--- a/tv/5pkgs/rpi/433Utils/rc-switch.protocols.patch
+++ b/tv/5pkgs/rpi/433Utils/rc-switch.protocols.patch
@ -0,0 +1,10 @@
 --- a/rc-switch/RCSwitch.cpp
 +++ b/rc-switch/RCSwitch.cpp
@@ -78,6 +78,7 @@ static const RCSwitch::Protocol PROGMEM proto[] = {
     { 100, { 30, 71 }, {  4, 11 }, {  9,  6 } },    // protocol 3
     { 380, {  1,  6 }, {  1,  3 }, {  3,  1 } },    // protocol 4
     { 500, {  6, 14 }, {  1,  2 }, {  2,  1 } },    // protocol 5
 +    { 136, {  1, 31 }, {  1,  3 }, {  3,  1 } },    // protocol 6
 };
 enum {
--- a/tv/5pkgs/rpi/433Utils/src.json
+++ b/tv/5pkgs/rpi/433Utils/src.json
@ -0,0 +1,7 @@
 {
    "owner": "ninjablocks",
    "repo": "433Utils",
    "rev": "31c0ea4e158287595a6f6116b6151e72691e1839",
    "sha256": "04r2qlkdsz46qgpnbizrfccz1i0qlkb1iqz0jzyq4fzvksqp9dg1",
    "fetchSubmodules": true
 }
--- a/tv/5pkgs/rpi/WiringPi/default.nix
+++ b/tv/5pkgs/rpi/WiringPi/default.nix
@ -0,0 +1,61 @@
 { fetchFromGitHub, runCommand, stdenv }:
 let
  generic = name: extraAttrs:
    stdenv.mkDerivation ({
      pname = "WiringPi-${name}";
      version = "2020-09-14";
      src = fetchFromGitHub (stdenv.lib.importJSON ./src.json);
      buildPhase = ''
        runHook postBuild
        make -C ${name} all
        runHook preBuild
      '';
      installPhase = ''
        runHook preInstall
        export DESTDIR=$out
        export PREFIX=
        export LDCONFIG=true
        make -C ${name} install
        runHook postInstall
      '';
    } // extraAttrs);
  fakeutils = runCommand "fakeutils-1.0" {} /* sh */ ''
    mkdir -p $out/bin
    for name in chown chmod; do
      touch $out/bin/$name
      chmod +x $out/bin/$name
    done
  '';
 in
 rec {
  wiringPi = generic "wiringPi" {};
  wiringPiDev = generic "devLib" {
    buildInputs = [
      wiringPi
    ];
  };
  gpio = generic "gpio" {
    preInstall = ''
      # fakeutils cannot be buildInputs because they have to override existing
      # executables and therefore need to be prepended to the search path.
      PATH=${fakeutils}/bin:$PATH
      mkdir -p $out/bin
    '';
    buildInputs = [
      wiringPi
      wiringPiDev
    ];
  };
 }
--- a/tv/5pkgs/rpi/WiringPi/src.json
+++ b/tv/5pkgs/rpi/WiringPi/src.json
@ -0,0 +1,6 @@
 {
  "owner": "WiringPi",
  "repo": "WiringPi",
  "rev": "5c6bab7d4279e8c0cc890984eaa1a69ff3af1c99",
  "sha256": "1jlx7lb3ybwv06b2dpmsr718d0xj85awl1dgdqc607k50kk25mjb"
 }
--- a/tv/5pkgs/rpi/default.nix
+++ b/tv/5pkgs/rpi/default.nix
@ -0,0 +1,9 @@
 let
  lib = import <stockholm/lib>;
 in
 self: super:
 {
  rpiPackages = lib.mapNixDir (path: self.callPackage path {}) ./.;
 }
--- a/tv/5pkgs/simple/rxvt-unicode-256color-terminfo/default.nix
+++ b/tv/5pkgs/simple/rxvt-unicode-256color-terminfo/default.nix
@ -0,0 +1,16 @@
 # This package is mainly intended for cross-built systems for which we cannot
 # or don't want to build pkgs.rxvt_unicode for some reason.
 #
 # ${./rxvt-unicode-256color.terminfo} was copied from a previously built
 # /run/current-system/sw/share/terminfo/r/rxvt-unicode-256color
 { runCommand }:
 runCommand "rxvt-unicode-256color-terminfo" {} /* sh */ ''
  mkdir -p $out/nix-support
  mkdir -p $out/share/terminfo/r
  ln -s ${./rxvt-unicode-256color.terminfo} \
      $out/share/terminfo/r/rxvt-unicode-256color
  echo "$out" >> $out/nix-support/propagated-user-env-packages
 ''
--- a/tv/5pkgs/simple/rxvt-unicode-256color-terminfo/rxvt-unicode-256color.terminfo
+++ b/tv/5pkgs/simple/rxvt-unicode-256color-terminfo/rxvt-unicode-256color.terminfo
--- a/tv/5pkgs/simple/viljetic-pages/default.nix
+++ b/tv/5pkgs/simple/viljetic-pages/default.nix
@ -11,6 +11,7 @@ stdenv.mkDerivation {
  installPhase = ''
    mkdir -p $out
    cp ${./index.html} $out/index.html
    convert ${./logo.xpm} $out/favicon.ico
    convert ${./logo.xpm} $out/favicon2.png
  '';
 }
--- a/tv/5pkgs/vim/nix.nix
+++ b/tv/5pkgs/vim/nix.nix
@ -133,8 +133,9 @@ with import <stockholm/lib>;
        (writer "Jq")
        (writerExt "jq")
      ];
-      javascript.extraStart = comment "jq";
+      javascript.extraStart = comment "js";
      lua = {};
      markdown.extraStart = writerExt "md";
      #nginx = {};
      python.extraStart = alts [
        (comment "py")
--- a/tv/dummy_secrets/o2.pin
+++ b/tv/dummy_secrets/o2.pin
@ -0,0 +1 @@
 AT