42 files changed, 1138 insertions, 523 deletions

diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 53fe0839d..e6bb06a95 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -40,9 +40,7 @@ let
     };
   };
 
-  fetchWallpaperScript = pkgs.writeScript "fetchWallpaper" ''
-    #! ${pkgs.bash}/bin/bash
-
+  fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
     mkdir -p ${shell.escape cfg.stateDir}
     curl -s -o ${shell.escape cfg.stateDir}/wallpaper -z ${shell.escape cfg.stateDir}/wallpaper ${shell.escape cfg.url}
     feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 9596229de..4b99873a1 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -20,6 +20,7 @@ let
     flatten
     length
     hasAttr
+    hasPrefix
     mkEnableOption
     mkOption
     mkIf
@@ -123,7 +124,7 @@ let
 
       buildRule = tn: cn: rule:
         #target validation test:
-        assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
+        assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target;
 
         #predicate validation test:
         #maybe use iptables-test
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index b4686894e..adca66dad 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -12,6 +12,7 @@ with config.krebs.lib;
           aliases = [
             "dishfire.internet"
           ];
+          ssh.port = 45621;
         };
         retiolum = {
           via = internet;
@@ -44,6 +45,7 @@ with config.krebs.lib;
           aliases = [
             "echelon.internet"
           ];
+          ssh.port = 45621;
         };
         retiolum = {
           via = internet;
@@ -79,6 +81,7 @@ with config.krebs.lib;
           aliases = [
             "prism.internet"
           ];
+          ssh.port = 45621;
         };
         retiolum = {
           via = internet;
@@ -143,6 +146,7 @@ with config.krebs.lib;
           aliases = [
             "cloudkrebs.internet"
           ];
+          ssh.port = 45621;
         };
         retiolum = {
           via = internet;
@@ -174,6 +178,7 @@ with config.krebs.lib;
         gg23 = {
           ip4.addr = "10.23.1.12";
           aliases = ["uriel.gg23"];
+          ssh.port = 45621;
         };
         retiolum = {
           ip4.addr = "10.243.81.176";
@@ -205,6 +210,7 @@ with config.krebs.lib;
         gg23 = {
           ip4.addr = "10.23.1.11";
           aliases = ["mors.gg23"];
+          ssh.port = 45621;
         };
         retiolum = {
           ip4.addr = "10.243.0.2";
diff --git a/krebs/3modules/lass/default.pgp b/krebs/3modules/lass/default.pgp
index 38e2fa8df..6d985f0e2 100644
--- a/krebs/3modules/lass/default.pgp
+++ b/krebs/3modules/lass/default.pgp
@@ -1,52 +1,51 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2
 
-mQINBFSZ3/oBEADYvRPoLdDkASIArXyWR5ccugJQURxMDgphAGrvj6qskSkn0chF
-gnc/kcQr4aVTaDFdonSyHjYvspDOZm5BgHAICCu1PL8rkMTGS+vHM5dlwnok6IKy
-e2aLjLPq5sHyp4+Zeq1eHe5TQ1cgN0cPdMMnEHd8GQke21pRQ5Vz79s8qRfWlt1Y
-+OQ5uY/52iZ9qJ11/N4bPPe/Zm63sRTpGw14i8UCgBAsMQOG1XPUX2/IJc1CC9+1
-Ohn/hPCbIdCbwOs7/HFFMRWmV6w4ul9gr7Js0owkWAS8FNOactS2i2SSwdONetKs
-UbCVQ1PubPBZvh2Vij/oUBK5BvfNDR6nRYhOjYbt6PW/Q6bjqGecjnlO98dpcqag
-+8bdl1JY9FpE4RzfuRgAFjVbtNztrmm9t6EuOHGZ5ec34TG9+i02ixh0YTEDK/Yt
-my2MfIbGUbeIYRKJscqgxKkL6nv4x0lOvs8nDiUmqztGdSdTGni+BAWZz3+1xaJH
-DTyQ36qYauBb5FWneRTBeagrDOAvvk/WxS+fMFZpnQovevOQBqxEL62fntikmMFn
-ddPgq7R1VPdivvr+BO8yMI8i45Vn9EzIJR02WAp7oAsT966yzopVT4JLT8++CVPh
-/VBrFID9yRyWjW5IJPsMsOt7z3UJaP08ua0UG4uVqo6dT6IdR8jKKxYdvwARAQAB
-tCBsYXNzdWx1cyA8bGFzc3VsdXNAYWlkc2JhbGxzLmRlPokCPQQTAQoAJwUCVJnf
-+gIbAwUJBaOagAULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRAyqvthRFEnnviI
-D/95QdNgttsly9CUeHKGfNGlJ2NgDepqob/VR2385q7cXCbFftRIsD0vaWYfsQ87
-kbKs3fpeHz8teKqZtMnXYkPIaSK0TcoaqQtyfkmj+agP2YRSkNYonlmmCiCWkodP
-2VnnmRUSwHcgxS14xsUHh13JXsU5nTHDAdJqOxUX6l6Lxb989h7Q8wTn5SX1XRVd
-0U5P7fNXKvVF34J6uGyWraxQLOqJEEzi82F/61hbI6zVPhxu/R+qmiSqgHIlp0ax
-u+8u3eyDVP1q95AMPaL1GsNYDcSl5njbkEbruSmjVcO99cD1ZLAODFJuaa+h/IvQ
-HoPnFL3hRo0SHt/RimokboJL7nx5jT/0y+FtGuPMVKUqiLApOfoeWeHWVKgMLV/0
-1+O4jEDRMNSIClI2YHdgyuQPBuHkaYXrrpDpJnYDEz2qAiijx+xIAPzifxebuVFV
-NQl/XnXlzTmYrt0GHfCrNZa/ZtsqQqnJSRpydjey+ATGgs+3Oqa6z8lHhYx83ST2
-cGsUmSnzk0TnxXmqwWxb3aGA0kO50atrObWwNXud7n3hu4V0FWwfHXUk8gJxtMN6
-IenjLcI0WyLwSKvTazF6GSgtUhwNgON88eiqLS8CWdop4CEyEUfxFoZeQoS72Yzq
-4pSOYPnbRDcBn2zkYaWyCTmf9qvWbZOu0Sl2lfy9n5LiKrkCDQRUmd/6ARAAq+Mt
-/9LohA9Qnz/GjE504h38G3USXgEV9/ctr2PXkc2onW67u45trLSYLyCK6kDq3VIN
-/3uLt8Pr+IL41NntW1exRtqohVeKI38CCqR5RP9tVxLkyxnpA/SPpSvOjWhyBkph
-MRXYta1+nBHwxSaPcc2e+15pk/cYgg0cTY7Nvgo+wL4bgI+b2OHwwIwRov/t4aim
-0y63OaCG82NqWrX7i2ONaR8RsZ8RHLnC+TyFaoj0mdp+vp4WFwxbqcIq+Vvn1m5j
-gPlkzXK4Yrykp2IULGuj+qZyS043FzZYhbxZoE85zIMtQ5gV/ktaP25+YsU1bwb9
-75FQvdMM827bbOJJ67/l96asQNg1TMzosL8/t9xLPDry4YYu8kRIPZgKWvT0Eg1Q
-AWzWJCXplTdPlhj660OCGuuyv/XJIbhqtBVZhIyR7gs6EZHZ6FHax7F41fEWGgSv
-WVAMrjrnG4XYAyCP1yiW1i7/ogCzKXYvV42tzBFuPcza6jhBnU17w5E7nwYaEWgA
-02Ai7aTK9WDAi8j8emQ8XppU9hqEILSvR5tG4R0YOAUbIUplIpnpf8KcEhNy48ei
-MuhiTJBjPyu7bRJoZXvipNPjqhESGlvrcr1QKuEqPLRcfLo3DOt3zgxBqOZZGHKL
-ckaud05wevMPK09F7taLgwBCHOmAxiMa5NQVjL8AEQEAAYkCJQQYAQoADwUCVJnf
-+gIbDAUJBaOagAAKCRAyqvthRFEnngGYD/wP77ax6yczKT/AHEvqyMMRPigLHIHy
-XIWt8uNKwbn1RTXuH9Nj1rtVuj7ck4jscNwmDYeT52ZDxHQjLHWgAG0CBq6afdBi
-VwLur6M7jv0EwY/SMed+QD1+a59kiO8+difwLDF+Q50lYQ4fmSGsfdQ4Qxesm92r
-Y1Q/xFg1K9MNZbItpzYTE4P+ii4kU5BnWwExX2OEhhlrNUjJhA30HvvUID6bsguq
-Jl7mWnGpS5YYqPxiABNI++TzYXQvP95nWGROvdx2vSPuJ756S8VJ81LL7BmQyQzq
-8S/ciHjmgtgLRyncqqXl1uJBqtK+50vEFHxJrANdDNzD+K4S7+23DpRsmEl/2ECQ
-laGsU6HtYbnr+hc1alE4uNMEN1/a75EFI59BISnUm8jIy1nLhcIXMhFh4JuG7kGk
-2ePa4Gv2DafMR8N0WYPIhP3LIIDP0s9gv2QSA+5BmI9OhZDkz9Ubuut1+PMfWCXm
-aNmF2Bh8puTffsFxGJSiQ4CXDzuNRqMR5wB0OCnB/WAnuZhRAJhXmgR8FJY+EvTN
-PcA1QZIZ0hQGVf8eJ5Gx4W1w2Q6mQCGnCy1XtEkZP0BOP0Or5CMtqP/VSuwaF4wh
-4FLYTOLZ7oDr2ErK/bhnpuoPoUU0y3n7AG/nhtmqenlMPLWB246XnEoJMb6Ar8vW
-It6jrzDh3+COSQ==
-=0gFT
+mQINBFcWQhEBEADwt+hHRZxZx05USejn4x5LVWqqg5I2nIzjwI8pVyBra2AmXaMA
+SAImFk1W6oM35rwYmez6TG8QC7RPRUrMHX2aAdDwJ/VtU/b87q0ICwlMxYUnikg1
+tsHV4kRB7ukm+Rs0ECMqZzjwdlbiEEfQ6VPUrIBzDHeD0idkC82DonZ6xe083klH
+LpO36ckBOtyaoZZspzRu5yB76vsbeviVqsQ9WTQ8GoQk1i6FUbTbtOlvjhtx05Rk
+ic66RrfFSM/ElLe5yA96kZd7m/Sn9WIRwRj3clxnT1vAVpMlpISsTutEQtuG3MDX
+tT3EPVSSZEEcY1xxlJF+u1JZu4QqqtH+nczjshv+z3HZdmGd7OGqmgI8D3Ly/Ufi
+Uyz+ewZbhbgy/XSHqwriUbnMuE9OKxx0LqlQLA59+/icT+upW4TexiHKd6PYeSeJ
+kCxUEAmzqxsnilmwbehQrmmhI7uzxT8YxNGjF5mRJ1zOY55praTMKlp3MOxKvVPn
+EZSyWm/22CuUZZEX0XR6TBgkL71VoGrlaezADzhHu9i5yBwbNCuiE2CYcS5IuDf+
+GkoKGtWeLbXTXccWOaIItSzlVUcJx3D009kTXeLEo2T1RPpz41LMvqWkUlZg4CA1
+zMAcudsXDtXGJEvS3dZAaiUUdASktzNL/ltuW/CXITJ0V7UjmA0pOyLDOQARAQAB
+tBlsYXNzdWx1cyA8bGFzc0BsYXNzdWwudXM+iQI3BBMBCAAhBQJXFkIRAhsDBQsJ
+CAcCBhUICQoLAgQWAgMBAh4BAheAAAoJEInoKVKXan5NFVsP/RfU4dychz5eadnN
+/iCybL2eXCkpNbSJaPVqKKmBqY4oDEqK0NekwgOiWXFuFI6BpNyTW5z1a2PaBgF2
+bG5K/k/aGnzUUqH+LhtMCYr90UjJPtsrgi+C5poL4e2EsPN1SASSOSYFtYY1EQCe
+NcYut2foM/PjviJKuS9t/kJxmZn8Vi3+qQKSwys219IQuXqos44aihjnwEL+TR6D
+MgcDCW2QSCqB5kfksjustSihDck8ZkT+nISTrSdZVPzROcyBeswN/UqjOUBZd1p1
+sO7SqDaBnzovRD3G4kyscepPWChnOFCIq9tuE2Mai2QliQ4q1Bn0+8uhLPLG+nQI
+leL/6pFXY9ecjmpqrSAXEysDUgfpiqJzDtv8WC3fY7wl88/ROiHrgF8x5P4PmUMl
+oTfe+BGQar6BNV3rStPsW6Ogm6Mu6WNVXCRIJboM+ev3JdVSGF/ehnmb06EGCIrI
+ahWbMViDSAjOvM92By/RJkP8ADCN2ezvdf86Ubyib5EyRoleu0WHvtO1mLQn0pIP
+cYCGXrnQlkduC7ENS942hLUq976LPH1ZatM26gaN1MKxN03v+6e9E6jtxUH3wWk1
+oDGddTl+zu4fqUxEAA391sPMhp+DTVxXmPKvpnJivKAsL2Hkg0vKQt6VQNEv2Lgm
+G8vdqOcapWLBcddR9d0DpFgkZNQCuQINBFcWQhEBEADgv6HfZQyxuiFpHQbt59s4
+7mA4AmzgjA1GiS73xo16qjwLieKPJWlrgPk4OOwqQpdygZ9LAhH+FIqcGo4wCNKL
+1qiMQeQcFOACvLOfxpv8F1TkOc9IbQUoMPxXEYRK/c0ZtaWpe8dy4QL3tDwS/ovk
+sCZBpvXdpJXDuccfTQ23UPozWKs21JAIKqbO7p5n86VGr0Co07xmBsxOK6ylK8YM
+ftBjugfbxfmFApW2lAsjeDe7J5RY6W5NaeMg/IxTy6wkfoz1UjwtQaRvp1XbWqPz
+Ib+mx8AeRQQXzuVKxS20ZVgazSZHg1PYu9PoKTIWK0NLd68CydcQ4q6F3PjNytFH
+tDM13q5kWmTU0yFy2OWvy4JAq2z02C+Z+/+nffp0ZfsdEeVNm5ZvlDLmOYMWFzDj
+OScYgBYIAvAs3pYV+xl6pxvdTyI3JXed7Q889e36TC3mwUIR4sL+oOfctA7Swzkr
+aU8uMCwIE6ppGsxIcXQt15sUjgM5THXzAQXVkbM8i1x9F0JjP7bFMWcIP1pmqcaO
+6znM2D/wocY+RO3xYj0GLFgRBW2O/pJUWrWHInpO3mrwZeRMGZix5nZH8U6cvfD5
+9SwIVdyKj6sZklcS2JJclBDrAudYUbckAuV7KI1ZWcU4kVS3joYdWcFQO3vOxJW5
+mGXML9roJXeXN664iNBgpQARAQABiQIfBBgBCAAJBQJXFkIRAhsMAAoJEInoKVKX
+an5NGhcP/jkeR/fYPYuYEUWLGBxq2hFhwMssiJ+pwx5Nj+Kh9rLm90LBLCcwBVu0
+ILbaePkPCmin8p9F+AOy11DsWb5lBrlyUqU6+ID9nY/WbNL5ZYl6zIBmuYQ5qFEA
+n5NQD6hLllC6wyOqIeKXrnkvFJMW8+W0aYRQh7hhpAzyJz9gawXWvWY45NhWl3Tm
+S3LfJbA5nM6uZvO0VU7LERgfwTgPSjMwYVQGtktndy9N4Avi1N02l5BEmuZoXwTC
+oQuW6LiAPGE2ztXztyNGnUYUAGMWl22UTezqfU/aOG9Qum+QebwTgBUH4pTgLiV/
+pWxXib517wGkect/0Yd+zcya8lA7x1EzFFMb3i4ToawIz76I2ncIlpC2q31x2nVI
+6fBW4kfu8AR7XW9Yyv+plIuva1AeTf+sMc7FSb5CpOmjjLpUfQ96vZvQwarcEip7
+UmOBoAoFdhtwJotskBOje52AUgDIBWZrIfH1bq7/NjAO73UdR1mJkOpY01qQXkED
+TiLeIBGYqseCbnJNi1PVOVNEOT4Up3/RSjpAu8dBrXKqx7yS8bKlVk3RsIDlgyb4
+rWMc88uBl57YsjSnQN36LN7j0hPpb0TAD1OsPI1pepsKUAPZKA2EAyLXKyQ3oLqN
+DWU4ZWpIi8+RKm3UpWgQ9qN4tuRHvVX/AQjEW1LkhfmR2VIqnrkv
+=fgFG
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix
index 6cfba567a..1bfb11502 100644
--- a/lass/1systems/cloudkrebs.nix
+++ b/lass/1systems/cloudkrebs.nix
@@ -8,9 +8,9 @@ in {
   imports = [
     ../.
     ../2configs/os-templates/CAC-CentOS-7-64bit.nix
-    ../2configs/base.nix
+    ../2configs/default.nix
+    ../2configs/exim-retiolum.nix
     ../2configs/retiolum.nix
-    ../2configs/fastpoke-pages.nix
     ../2configs/git.nix
     ../2configs/realwallpaper.nix
     {
diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix
index c7d016cd3..b5e551952 100644
--- a/lass/1systems/dishfire.nix
+++ b/lass/1systems/dishfire.nix
@@ -4,9 +4,9 @@
   imports = [
     ../.
     <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
-    ../2configs/base.nix
+    ../2configs/default.nix
+    ../2configs/exim-retiolum.nix
     ../2configs/git.nix
-    ../2configs/websites/fritz.nix
     {
       boot.loader.grub = {
         device = "/dev/vda";
@@ -26,10 +26,19 @@
         fsType = "ext4";
       };
 
+      fileSystems."/srv/http" = {
+        device = "/dev/pool/srv_http";
+        fsType = "ext4";
+      };
+
       fileSystems."/boot" = {
         device = "/dev/vda1";
         fsType = "ext4";
       };
+      fileSystems."/bku" = {
+        device = "/dev/pool/bku";
+        fsType = "ext4";
+      };
     }
     {
       networking.dhcpcd.allowInterfaces = [
@@ -40,6 +49,20 @@
     {
       sound.enable = false;
     }
+    {
+      environment.systemPackages = with pkgs; [
+        mk_sql_pair
+      ];
+    }
+    {
+      imports = [
+        ../2configs/websites/fritz.nix
+      ];
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
+      ];
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.dishfire;
diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix
index 80611ee80..97734a7bd 100644
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@@ -8,7 +8,8 @@ in {
   imports = [
     ../.
     ../2configs/os-templates/CAC-CentOS-7-64bit.nix
-    ../2configs/base.nix
+    ../2configs/default.nix
+    ../2configs/exim-retiolum.nix
     ../2configs/retiolum.nix
     ../2configs/realwallpaper-server.nix
     ../2configs/privoxy-retiolum.nix
diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix
index cc98c2c5b..0c7c0d8e3 100644
--- a/lass/1systems/helios.nix
+++ b/lass/1systems/helios.nix
@@ -5,6 +5,7 @@ with builtins;
   imports = [
     ../.
     ../2configs/baseX.nix
+    ../2configs/exim-retiolum.nix
     ../2configs/browsers.nix
     ../2configs/programs.nix
     ../2configs/git.nix
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 1f7a13c56..39225abf5 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -4,6 +4,7 @@
   imports = [
     ../.
     ../2configs/baseX.nix
+    ../2configs/exim-retiolum.nix
     ../2configs/programs.nix
     ../2configs/bitcoin.nix
     ../2configs/browsers.nix
@@ -26,6 +27,8 @@
     ../2configs/libvirt.nix
     ../2configs/fetchWallpaper.nix
     ../2configs/cbase.nix
+    ../2configs/mail.nix
+    ../2configs/krebs-pass.nix
     #../2configs/buildbot-standalone.nix
     {
       #risk of rain port
@@ -33,124 +36,28 @@
         { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
       ];
     }
-    {
-      #static-nginx-test
-      imports = [
-        ../3modules/static_nginx.nix
-      ];
-      lass.staticPage."testserver.de" = {
-        #sslEnable = true;
-        #certificate = "${toString <secrets>}/testserver.de/server.cert";
-        #certificate_key = "${toString <secrets>}/testserver.de/server.pem";
-        ssl = {
-          enable = true;
-          certificate = "${toString <secrets>}/testserver.de/server.cert";
-          certificate_key = "${toString <secrets>}/testserver.de/server.pem";
-        };
-      };
-      networking.extraHosts = ''
-        10.243.0.2 testserver.de
-      '';
-    }
     #{
-    #  #wordpress-test
-    #  #imports = singleton (sitesGenerators.createWordpress "testserver.de");
-    #  imports = [
-    #    ../3modules/wordpress_nginx.nix
-    #  ];
-    #  lass.wordpress."testserver.de" = {
-    #    multiSite = {
-    #      "1" = "testserver.de";
-    #      "2" = "bla.testserver.de";
-    #    };
-    #  };
-
     #  services.mysql = {
     #    enable = true;
     #    package = pkgs.mariadb;
     #    rootPassword = "<secrets>/mysql_rootPassword";
     #  };
-    #  networking.extraHosts = ''
-    #    10.243.0.2 testserver.de
-    #  '';
-    #  krebs.iptables.tables.filter.INPUT.rules = [
-    #    { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
-    #  ];
     #}
     #{
-    #  #owncloud-test
-    #  #imports = singleton (sitesGenerators.createWordpress "testserver.de");
-    #  imports = [
-    #    ../3modules/owncloud_nginx.nix
-    #  ];
-    #  lass.owncloud."owncloud-test.de" = {
+    #  services.elasticsearch = {
+    #    enable = true;
+    #    plugins = [
+    #    #  pkgs.elasticsearchPlugins.elasticsearch_kopf
+    #    ];
+    #  };
+    #}
+    #{
+    #  services.postgresql = {
+    #    enable = true;
+    #    package = pkgs.postgresql;
     #  };
-
-    #  #services.mysql = {
-    #  #  enable = true;
-    #  #  package = pkgs.mariadb;
-    #  #  rootPassword = "<secrets>/mysql_rootPassword";
-    #  #};
-    #  networking.extraHosts = ''
-    #    10.243.0.2 owncloud-test.de
-    #  '';
-    #  krebs.iptables.tables.filter.INPUT.rules = [
-    #    { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
-    #  ];
     #}
     {
-      containers.pythonenv = {
-        config = {
-          services.openssh.enable = true;
-          users.users.root.openssh.authorizedKeys.keys = [
-            config.krebs.users.lass.pubkey
-          ];
-
-          environment = {
-            systemPackages = with pkgs; [
-              git
-              libxml2
-              libxslt
-              libzip
-              python27Full
-              python27Packages.buildout
-              stdenv
-              zlib
-            ];
-
-            pathsToLink = [ "/include" ];
-
-            shellInit = ''
-              # help pip to find libz.so when building lxml
-              export LIBRARY_PATH=/var/run/current-system/sw/lib
-              # ditto for header files, e.g. sqlite
-              export C_INCLUDE_PATH=/var/run/current-system/sw/include
-            '';
-          };
-
-        };
-      };
-    }
-    {
-      services.mysql = {
-        enable = true;
-        package = pkgs.mariadb;
-        rootPassword = "<secrets>/mysql_rootPassword";
-      };
-    }
-    {
-      services.elasticsearch = {
-        enable = true;
-        plugins = [
-        #  pkgs.elasticsearchPlugins.elasticsearch_kopf
-        ];
-      };
-    }
-    {
-      services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql;
-      };
     }
   ];
 
@@ -158,15 +65,6 @@
 
   networking.wireless.enable = true;
 
-  networking.extraHosts = ''
-    213.239.205.240 wohnprojekt-rhh.de
-    213.239.205.240 karlaskop.de
-    213.239.205.240 makeup.apanowicz.de
-    213.239.205.240 pixelpocket.de
-    213.239.205.240 reich-gebaeudereinigung.de
-    213.239.205.240 o.ubikmedia.de
-  '';
-
   hardware.enableAllFirmware = true;
   nixpkgs.config.allowUnfree = true;
 
@@ -206,7 +104,7 @@
       fsType = "ext4";
     };
 
-    "/mnt/backups" = {
+    "/bku" = {
       device = "/dev/big/backups";
       fsType = "ext4";
     };
@@ -293,6 +191,9 @@
     get
     teamspeak_client
     hashPassword
+    urban
+    mk_sql_pair
+    skype
   ];
 
   #TODO: fix this shit
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 20c919b9b..4c0b4e690 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -5,12 +5,24 @@ let
 in {
   imports = [
     ../.
-    ../2configs/base.nix
+    ../2configs/default.nix
+    ../2configs/exim-smarthost.nix
     ../2configs/downloading.nix
     ../2configs/git.nix
     ../2configs/ts3.nix
     ../2configs/bitlbee.nix
     ../2configs/weechat.nix
+    ../2configs/privoxy-retiolum.nix
+    {
+      #we need to use old sqlite for buildbot
+      imports = [
+        ../2configs/buildbot-standalone.nix
+      ];
+      krebs.build.source.nixpkgs = lib.mkForce {
+        url = https://github.com/NixOS/nixpkgs;
+        rev = "0d05f172b27e94d9eea3257f42d7e03371e63acc";
+      };
+    }
     {
       users.extraGroups = {
         # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@@ -77,6 +89,18 @@ in {
         device = "/dev/pool/download";
       };
 
+      fileSystems."/srv/http" = {
+        device = "/dev/pool/http";
+      };
+
+      fileSystems."/srv/o.ubikmedia.de-data" = {
+        device = "/dev/pool/owncloud-ubik-data";
+      };
+
+      fileSystems."/bku" = {
+        device = "/dev/pool/bku";
+      };
+
     }
     {
       sound.enable = false;
@@ -117,7 +141,7 @@ in {
     }
     {
       users.users.chat.openssh.authorizedKeys.keys = [
-        "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFhFJUMTfPbv3SzqlT9S67Av/m/ctLfTd3mMhD4O9hZc+t+dZmaHWj3v1KujzMBiDp3Yfo2YdVVZLTwTluHD8yNoQH418Vm01nrYHwOsc5J0br3mb0URZSstPiz6/6Fc+PNCDfQ2skUAWUidWiH+JolROFQ4y2lfpLOw+wsK2jj+Gqx6w== JuiceSSH"
+        "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBQjn/3n283RZkBs2CFqbpukyQ3zkLIjewRpKttPa5d4PUiT7/vOlutWH5EP4BxXQSoeZStx8D2alGjxfK+nfDvRJGGofpm23cN4j4i24Fcam1y1H7wqRXO1qbz5AB3qPg== JuiceSSH"
         config.krebs.users.lass-uriel.pubkey
       ];
     }
@@ -130,13 +154,13 @@ in {
         ../2configs/websites/domsen.nix
       ];
       krebs.iptables.tables.filter.INPUT.rules = [
-         { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
+         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
       ];
     }
     {
       services.tor = {
         enable = true;
-        client.enable = true;
       };
     }
   ];
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 4e4eca21f..92996c181 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -5,6 +5,7 @@ with builtins;
   imports = [
     ../.
     ../2configs/baseX.nix
+    ../2configs/exim-retiolum.nix
     ../2configs/browsers.nix
     ../2configs/games.nix
     ../2configs/pass.nix
@@ -47,6 +48,11 @@ with builtins;
       fsType = "ext4";
     };
 
+    "/bku" = {
+      device = "/dev/pool/bku";
+      fsType = "ext4";
+    };
+
     "/boot" = {
       device = "/dev/sda1";
     };
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
new file mode 100644
index 000000000..81dd14ebd
--- /dev/null
+++ b/lass/2configs/backups.nix
@@ -0,0 +1,111 @@
+{ config, lib, ... }:
+with config.krebs.lib;
+{
+
+  krebs.backup.plans = {
+  } // mapAttrs (_: recursiveUpdate {
+    snapshots = {
+      daily    = { format = "%Y-%m-%d"; retain =  7; };
+      weekly   = { format = "%YW%W";    retain =  4; };
+      monthly  = { format = "%Y-%m";    retain = 12; };
+      yearly   = { format = "%Y";                    };
+    };
+  }) {
+    dishfire-http-prism = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.prism;    path = "/bku/dishfire-http"; };
+      startAt = "03:00";
+    };
+    dishfire-http-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.mors;     path = "/bku/dishfire-http"; };
+      startAt = "03:05";
+    };
+    dishfire-http-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.uriel;    path = "/bku/dishfire-http"; };
+      startAt = "03:10";
+    };
+    dishfire-sql-prism = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.prism;    path = "/bku/dishfire-sql"; };
+      startAt = "03:15";
+    };
+    dishfire-sql-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.mors;     path = "/bku/dishfire-sql"; };
+      startAt = "03:20";
+    };
+    dishfire-sql-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.uriel;    path = "/bku/dishfire-sql"; };
+      startAt = "03:25";
+    };
+    prism-bitlbee-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
+      dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
+      startAt = "03:25";
+    };
+    prism-bitlbee-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; };
+      startAt = "03:25";
+    };
+    prism-chat-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-chat"; };
+      startAt = "03:30";
+    };
+    prism-chat-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+      startAt = "03:35";
+    };
+    prism-sql-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-sql_dumps"; };
+      startAt = "03:40";
+    };
+    prism-sql-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+      startAt = "03:45";
+    };
+    prism-http-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-http"; };
+      startAt = "03:50";
+    };
+    prism-http-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+      startAt = "03:55";
+    };
+    uriel-home-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.uriel; path = "/home"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/uriel-home"; };
+      startAt = "04:00";
+    };
+    mors-home-uriel = {
+      method = "push";
+      src = { host = config.krebs.hosts.mors;  path = "/home"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+      startAt = "05:00";
+    };
+  };
+}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 6c52240af..79fc4744f 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -4,7 +4,7 @@ let
   mainUser = config.users.extraUsers.mainUser;
 in {
   imports = [
-    ./base.nix
+    ./default.nix
     #./urxvt.nix
     ./xserver
   ];
@@ -39,6 +39,7 @@ in {
     push
     slock
     sxiv
+    xclip
     xorg.xbacklight
     xsel
     zathura
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 8c71553fe..604d0728d 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -1,15 +1,16 @@
 { lib, config, pkgs, ... }:
 {
-  #networking.firewall.allowedTCPPorts = [ 8010 9989 ];
-  krebs.buildbot.master = {
+  krebs.buildbot.master = let
+    stockholm-mirror-url = http://cgit.prism/stockholm ;
+  in {
     slaves = {
       testslave = "lasspass";
     };
     change_source.stockholm = ''
-      stockholm_repo = 'http://cgit.mors/stockholm'
+      stockholm_repo = '${stockholm-mirror-url}'
       cs.append(changes.GitPoller(
               stockholm_repo,
-              workdir='stockholm-poller', branch='master',
+              workdir='stockholm-poller', branches=True,
               project='stockholm',
               pollinterval=120))
     '';
@@ -20,10 +21,12 @@
                                     builderNames=["fast-tests"]))
       '';
       fast-tests-scheduler = ''
-        # test the master real quick
+        # test everything real quick
         sched.append(schedulers.SingleBranchScheduler(
-                                    change_filter=util.ChangeFilter(branch="master"),
-                                    name="fast-master-test",
+                                    ## all branches
+                                    change_filter=util.ChangeFilter(branch_re=".*"),
+                                    # treeStableTimer=10,
+                                    name="fast-all-branches",
                                     builderNames=["fast-tests"]))
       '';
     };
@@ -38,7 +41,10 @@
       deps = [ "gnumake", "jq","nix","rsync" ]
       # TODO: --pure , prepare ENV in nix-shell command:
       #                   SSL_CERT_FILE,LOGNAME,NIX_REMOTE
-      nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ]
+      nixshell = ["nix-shell",
+                    "-I", "stockholm=.",
+                    "-I", "nixpkgs=/var/src/nixpkgs",
+                    "-p" ] + deps + [ "--run" ]
 
       # prepare addShell function
       def addShell(factory,**kwargs):
@@ -48,13 +54,26 @@
       fast-tests = ''
         f = util.BuildFactory()
         f.addStep(grab_repo)
-        addShell(f,name="mors-eval",env=env,
-                  command=nixshell + ["make -s eval get=krebs.deploy filter=json system=mors"])
+        for i in [ "prism", "mors", "echelon" ]:
+          addShell(f,name="populate-{}".format(i),env=env,
+                  command=nixshell + \
+                            ["{}( make system={} eval.config.krebs.build.populate \
+                               | jq -er .)".format("!" if "failing" in i else "",i)])
+
+        addShell(f,name="build-test-minimal",env=env,
+                  command=nixshell + \
+                            ["nix-instantiate \
+                                  --show-trace --eval --strict --json \
+                                  -I nixos-config=./shared/1systems/test-minimal-deploy.nix  \
+                                  -I secrets=. \
+                                  -A config.system.build.toplevel"]
+                )
 
         bu.append(util.BuilderConfig(name="fast-tests",
               slavenames=slavenames,
               factory=f))
-      '';
+
+            '';
     };
     enable = true;
     web.enable = true;
@@ -72,7 +91,17 @@
     masterhost = "localhost";
     username = "testslave";
     password = "lasspass";
-    packages = with pkgs;[ git nix ];
-    extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
+    packages = with pkgs;[ git nix gnumake jq rsync ];
+    extraEnviron = {
+      NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix";
+    };
+  };
+  krebs.iptables = {
+    tables = {
+      filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 8010"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport 9989"; target = "ACCEPT"; }
+      ];
+    };
   };
 }
diff --git a/lass/2configs/base.nix b/lass/2configs/default.nix
index 8017d4270..2f6ffa18e 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/default.nix
@@ -7,10 +7,11 @@ with config.krebs.lib;
     ../2configs/zsh.nix
     ../2configs/mc.nix
     ../2configs/retiolum.nix
+    ./backups.nix
     {
       users.extraUsers =
         mapAttrs (_: h: { hashedPassword = h; })
-                 (import /root/secrets/hashedPasswords.nix);
+                 (import <secrets/hashedPasswords.nix>);
     }
     {
       users.extraUsers = {
@@ -18,7 +19,6 @@ with config.krebs.lib;
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-uriel.pubkey
-            config.krebs.users.lass-helios.pubkey
           ];
         };
         mainUser = {
@@ -45,7 +45,6 @@ with config.krebs.lib;
   krebs = {
     enable = true;
     search-domain = "retiolum";
-    exim-retiolum.enable = true;
     build = {
       user = config.krebs.users.lass;
       source = mapAttrs (_: mkDefault) ({
@@ -55,7 +54,7 @@ with config.krebs.lib;
         stockholm = "/home/lass/stockholm";
         nixpkgs = {
           url = https://github.com/NixOS/nixpkgs;
-          rev = "40c586b7ce2c559374df435f46d673baf711c543";
+          rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819";
           dev = "/home/lass/src/nixpkgs";
         };
       } // optionalAttrs config.krebs.build.host.secure {
@@ -85,9 +84,12 @@ with config.krebs.lib;
     MANPAGER=most
   '';
 
+  nixpkgs.config.allowUnfree = true;
+
   environment.systemPackages = with pkgs; [
   #stockholm
     git
+    gnumake
     jq
     parallel
     proot
@@ -102,12 +104,18 @@ with config.krebs.lib;
 
   #network
     iptables
+    iftop
 
   #stuff for dl
     aria2
 
   #neat utils
     krebspaste
+
+  #unpack stuff
+    p7zip
+    unzip
+    unrar
   ];
 
   programs.bash = {
@@ -145,10 +153,6 @@ with config.krebs.lib;
     '';
   };
 
-  security.setuidPrograms = [
-    "sendmail"
-  ];
-
   services.openssh = {
     enable = true;
     hostKeys = [
@@ -165,6 +169,13 @@ with config.krebs.lib;
   krebs.iptables = {
     enable = true;
     tables = {
+      nat.PREROUTING.rules = [
+        { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
+        { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+      ];
+      nat.OUTPUT.rules = [
+        { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+      ];
       filter.INPUT.policy = "DROP";
       filter.FORWARD.policy = "DROP";
       filter.INPUT.rules = [
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 115cb8b61..ccd751413 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -20,6 +20,7 @@ in {
       ];
       openssh.authorizedKeys.keys = [
         config.krebs.users.lass.pubkey
+        config.krebs.users.lass-uriel.pubkey
       ];
     };
 
diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix
new file mode 100644
index 000000000..ea2f553b8
--- /dev/null
+++ b/lass/2configs/exim-retiolum.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  krebs.exim-retiolum.enable = true;
+  krebs.setuid.sendmail = {
+    filename = "${pkgs.exim}/bin/exim";
+    mode = "4111";
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+  ];
+}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
new file mode 100644
index 000000000..2efb6f367
--- /dev/null
+++ b/lass/2configs/exim-smarthost.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  krebs.exim-smarthost = {
+    enable = true;
+    dkim = [
+      { domain = "lassul.us"; }
+    ];
+    sender_domains = [
+      "lassul.us"
+      "aidsballs.de"
+    ];
+    relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
+      config.krebs.hosts.mors
+      config.krebs.hosts.uriel
+      config.krebs.hosts.helios
+    ];
+    internet-aliases = with config.krebs.users; [
+      { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822
+      { from = "lass@lassul.us"; to = lass.mail; }
+      { from = "lassulus@lassul.us"; to = lass.mail; }
+      { from = "test@lassul.us"; to = lass.mail; }
+      { from = "outlook@lassul.us"; to = lass.mail; }
+      { from = "steuer@aidsballs.de"; to = lass.mail; }
+      { from = "lass@aidsballs.de"; to = lass.mail; }
+    ];
+    system-aliases = [
+      { from = "mailer-daemon"; to = "postmaster"; }
+      { from = "postmaster"; to = "root"; }
+      { from = "nobody"; to = "root"; }
+      { from = "hostmaster"; to = "root"; }
+      { from = "usenet"; to = "root"; }
+      { from = "news"; to = "root"; }
+      { from = "webmaster"; to = "root"; }
+      { from = "www"; to = "root"; }
+      { from = "ftp"; to = "root"; }
+      { from = "abuse"; to = "root"; }
+      { from = "noc"; to = "root"; }
+      { from = "security"; to = "root"; }
+      { from = "root"; to = "lass"; }
+    ];
+  };
+
+  krebs.setuid.sendmail = {
+    filename = "${pkgs.exim}/bin/exim";
+    mode = "4111";
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
+  ];
+}
diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix
deleted file mode 100644
index bf6ea8952..000000000
--- a/lass/2configs/fastpoke-pages.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with config.krebs.lib;
-
-let
-  createStaticPage = domain:
-    {
-      krebs.nginx.servers."${domain}" = {
-        server-names = [
-          "${domain}"
-          "www.${domain}"
-        ];
-        locations = [
-          (nameValuePair "/" ''
-            root /var/lib/http/${domain};
-          '')
-        ];
-      };
-      #networking.extraHosts = ''
-      #  10.243.206.102 ${domain}
-      #'';
-      users.extraUsers = {
-        ${domain} = {
-          name = domain;
-          home = "/var/lib/http/${domain}";
-          createHome = true;
-        };
-      };
-    };
-
-in {
-  imports = map createStaticPage [
-    "habsys.de"
-    "pixelpocket.de"
-    "karlaskop.de"
-    "ubikmedia.de"
-    "apanowicz.de"
-  ];
-
-  krebs.iptables = {
-    tables = {
-      filter.INPUT.rules = [
-        { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
-      ];
-    };
-  };
-
-
-  krebs.nginx = {
-    enable = true;
-    servers = {
-      #"habsys.de" = {
-      #  server-names = [
-      #    "habsys.de"
-      #    "www.habsys.de"
-      #  ];
-      #  locations = [
-      #    (nameValuePair "/" ''
-      #      root /var/lib/http/habsys.de;
-      #    '')
-      #  ];
-      #};
-
-      #"karlaskop.de" = {
-      #  server-names = [
-      #    "karlaskop.de"
-      #    "www.karlaskop.de"
-      #  ];
-      #  locations = [
-      #    (nameValuePair "/" ''
-      #      root /var/lib/http/karlaskop.de;
-      #    '')
-      #  ];
-      #};
-
-      #"pixelpocket.de" = {
-      #  server-names = [
-      #    "pixelpocket.de"
-      #    "www.karlaskop.de"
-      #  ];
-      #  locations = [
-      #    (nameValuePair "/" ''
-      #      root /var/lib/http/karlaskop.de;
-      #    '')
-      #  ];
-      #};
-
-    };
-  };
-
-  #services.postgresql = {
-  #  enable = true;
-  #};
-
-  #config.services.vsftpd = {
-  #  enable = true;
-  #  userlistEnable = true;
-  #  userlistFile = pkgs.writeFile "vsftpd-userlist" ''
-  #  '';
-  #};
-}
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 6043a8759..0eec97922 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -13,7 +13,7 @@ in {
       name = "games";
       description = "user playing games";
       home = "/home/games";
-      extraGroups = [ "audio" "video" "input" ];
+      extraGroups = [ "audio" "video" "input" "loot" ];
       createHome = true;
       useDefaultShell = true;
     };
diff --git a/lass/2configs/krebs-pass.nix b/lass/2configs/krebs-pass.nix
new file mode 100644
index 000000000..a605bc84b
--- /dev/null
+++ b/lass/2configs/krebs-pass.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+
+let
+
+  #TODO: tab-completion
+  krebs-pass = pkgs.writeDashBin "krebs-pass" ''
+    PASSWORD_STORE_DIR=$HOME/.krebs-pass \
+    exec ${pkgs.pass}/bin/pass $@
+  '';
+
+  krebs-passmenu = pkgs.writeDashBin "krebs-passmenu" ''
+    PASSWORD_STORE_DIR=$HOME/.krebs-pass \
+    exec ${pkgs.pass}/bin/passmenu $@
+  '';
+
+in {
+  krebs.per-user.lass.packages = [
+    krebs-pass
+    krebs-passmenu
+  ];
+}
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
new file mode 100644
index 000000000..3c7dfcaf6
--- /dev/null
+++ b/lass/2configs/mail.nix
@@ -0,0 +1,95 @@
+{ pkgs, ... }:
+
+let
+
+  msmtprc = pkgs.writeText "msmtprc" ''
+    defaults
+      logfile ~/.msmtp.log
+    account prism
+      host prism.r
+    account default: prism
+  '';
+
+  msmtp = pkgs.writeDashBin "msmtp" ''
+    exec ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@
+  '';
+
+  muttrc = pkgs.writeText "muttrc" ''
+    # gpg
+    source ${pkgs.mutt-kz}/share/doc/mutt-kz/samples/gpg.rc
+    set pgp_use_gpg_agent = yes
+    set pgp_sign_as = 0x976A7E4D
+    set crypt_autosign = yes
+    set crypt_replyencrypt = yes
+
+    # notmuch
+    set nm_default_uri="notmuch://$HOME/Maildir" # path to the maildir
+    set nm_record = yes
+    set nm_record_tags = "-inbox me archive"
+    set virtual_spoolfile=yes                    # enable virtual folders
+    set sendmail="msmtp"                         # enables parsing of outgoing mail
+    set use_from=yes
+    set envelope_from=yes
+
+    set index_format="%4C %Z %?GI?%GI& ? %[%d/%b]  %-16.15F %?M?(%3M)&     ? %s %> %?g?%g?"
+
+    virtual-mailboxes \
+        "INBOX"     "notmuch://?query=tag:inbox and NOT tag:killed"\
+        "Unread"    "notmuch://?query=tag:unread"\
+        "TODO"      "notmuch://?query=tag:TODO"\
+        "Starred"   "notmuch://?query=tag:*"\
+        "Archive"   "notmuch://?query=tag:archive"\
+        "Sent"      "notmuch://?query=tag:sent"\
+        "Junk"      "notmuch://?query=tag:junk"
+
+    tag-transforms "junk"     "k" \
+                   "unread"   "u" \
+                   "replied"  "↻" \
+                   "TODO"     "T" \
+
+    # notmuch bindings
+    macro index \\\\ "<vfolder-from-query>"                   # looks up a hand made query
+    macro index A "<modify-labels>+archive -unread -inbox\n"  # tag as Archived
+    macro index + "<modify-labels>+*\n<sync-mailbox>"         # tag as starred
+    macro index - "<modify-labels>-*\n<sync-mailbox>"         # tag as unstarred
+
+
+    #killed
+    bind index d noop
+    bind pager d noop
+
+    bind pager S noop
+    macro index S "<modify-labels-then-hide>-inbox -unread +junk\n" # tag as Junk mail
+    macro pager S "<modify-labels-then-hide>-inbox -unread +junk\n" # tag as Junk mail
+
+    bind index t noop
+    bind pager t noop
+    macro index t "<modify-labels>+TODO\n"        # tag as Archived
+
+
+    # sidebar
+    set sidebar_width   = 20
+    set sidebar_visible = yes               # set to "no" to disable sidebar view at startup
+    color sidebar_new yellow default
+    # sidebar bindings
+    bind index <left> sidebar-prev          # got to previous folder in sidebar
+    bind index <right> sidebar-next         # got to next folder in sidebar
+    bind index <space> sidebar-open         # open selected folder from sidebar
+    # sidebar toggle
+    macro index ,@) "<enter-command> set sidebar_visible=no; macro index ~ ,@( 'Toggle sidebar'<Enter>"
+    macro index ,@( "<enter-command> set sidebar_visible=yes; macro index ~ ,@) 'Toggle sidebar'<Enter>"
+    macro index ~ ,@( 'Toggle sidebar'      # toggle the sidebar
+  '';
+
+  mutt = pkgs.writeDashBin "mutt" ''
+    exec ${pkgs.mutt-kz}/bin/mutt -F ${muttrc} $@
+  '';
+
+in {
+  environment.systemPackages = [
+    msmtp
+    mutt
+    pkgs.much
+    pkgs.notmuch
+  ];
+}
diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix
index d7c68bd7d..636b44395 100644
--- a/lass/2configs/newsbot-js.nix
+++ b/lass/2configs/newsbot-js.nix
@@ -154,7 +154,6 @@ let
     telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news
     the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news
     tigsource|http://www.tigsource.com/feed/|#news
-    times|http://www.thetimes.co.uk/tto/news/rss|#news
     tinc|http://tinc-vpn.org/news/index.rss|#news
     topix_b|http://www.topix.com/rss/wire/de/berlin|#news
     torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 33eca0a17..5bd2f2f7f 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -1,10 +1,9 @@
 { config, pkgs, ... }:
 
 {
-  environment.systemPackages = with pkgs; [
+  krebs.per-user.lass.packages = with pkgs; [
     pass
     gnupg1
   ];
 
-  services.xserver.startGnuPGAgent = true;
 }
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 109c216c0..a6fdad645 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,24 +1,36 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
-{
+let
+  inherit (config.krebs.lib) genid;
+  inherit (import ../../4lib { inherit lib pkgs; })
+    manageCert
+    manageCerts
+    activateACME
+    ssl
+    servePage
+    serveOwncloud
+    serveWordpress;
+
+in {
   imports = [
-    ../../3modules/static_nginx.nix
-    ../../3modules/owncloud_nginx.nix
-    ../../3modules/wordpress_nginx.nix
-  ];
+    ( ssl [ "reich-gebaeudereinigung.de" ])
+    ( servePage [ "reich-gebaeudereinigung.de" ])
 
-  lass.staticPage = {
-    "karlaskop.de" = {};
-    "makeup.apanowicz.de" = {};
-    "pixelpocket.de" = {};
-    "reich-gebaeudereinigung.de" = {};
-  };
+    ( manageCerts [ "karlaskop.de" ])
+    ( servePage [ "karlaskop.de" ])
 
-  lass.owncloud = {
-    "o.ubikmedia.de" = {
-      instanceid = "oc8n8ddbftgh";
-    };
-  };
+    ( ssl [ "makeup.apanowicz.de" ])
+    ( servePage [ "makeup.apanowicz.de" ])
+
+    ( manageCerts [ "pixelpocket.de" ])
+    ( servePage [ "pixelpocket.de" ])
+
+    ( ssl [ "o.ubikmedia.de" ])
+    ( serveOwncloud [ "o.ubikmedia.de" ])
+
+    ( ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] )
+    ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] )
+  ];
 
   services.mysql = {
     enable = true;
@@ -26,10 +38,41 @@
     rootPassword = toString (<secrets/mysql_rootPassword>);
   };
 
-  #lass.wordpress = {
-  #  "ubikmedia.de" = {
-  #  };
-  #};
+  lass.mysqlBackup = {
+    enable = true;
+    config.domsen = {
+      password = toString (<secrets/mysql_rootPassword>);
+      databases = [
+        "ubikmedia_de"
+        "o_ubikmedia_de"
+      ];
+    };
+  };
+  services.mysqlBackup = {
+    enable = true;
+    databases = [
+      "ubikmedia_de"
+      "o_ubikmedia_de"
+    ];
+    location = "/bku/sql_dumps";
+  };
+
+  users.users.domsen = {
+    uid = genid "domsen";
+    description = "maintenance acc for domsen";
+    home = "/home/domsen";
+    useDefaultShell = true;
+    extraGroups = [ "nginx" ];
+    createHome = true;
+  };
 
+  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
+     options = ''
+      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+    '';
+  } ''
+    cat ${pkgs.php}/etc/php-recommended.ini > $out
+    echo "$options" >> $out
+  '';
 }
 
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 073f3de14..632aa1e89 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -1,22 +1,57 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
-{
+let
+  inherit (import ../../4lib { inherit lib pkgs; })
+    manageCerts
+    activateACME
+    ssl
+    servePage
+    serveWordpress;
 
+in {
   imports = [
-    ../../3modules/static_nginx.nix
-    ../../3modules/owncloud_nginx.nix
-    ../../3modules/wordpress_nginx.nix
+    #( manageCerts [ "biostase.de" ])
+    #( servePage [ "biostase.de" ])
+
+    #( manageCerts [ "gs-maubach.de" ])
+    #( servePage [ "gs-maubach.de" ])
+
+    #( manageCerts [ "spielwaren-kern.de" ])
+    #( servePage [ "spielwaren-kern.de" ])
+
+    #( manageCerts [ "societyofsimtech.de" ])
+    #( servePage [ "societyofsimtech.de" ])
+
+    #( manageCerts [ "ttf-kleinaspach.de" ])
+    #( servePage [ "ttf-kleinaspach.de" ])
+
+    #( manageCerts [ "edsn.de" ])
+    #( servePage [ "edsn.de" ])
+
+    #( manageCerts [ "eab.berkeley.edu" ])
+    #( servePage [ "eab.berkeley.edu" ])
+
+    ( ssl [ "eastuttgart.de" ])
+    ( serveWordpress [ "eastuttgart.de" ])
+
+    ( ssl [ "habsys.de" "habsys.eu" ])
+    ( servePage [ "habsys.de" "habsys.eu" ])
   ];
 
-  lass.staticPage = {
-    "biostase.de" = {};
-    "gs-maubach.de" = {};
-    "spielwaren-kern.de" = {};
-    "societyofsimtech.de" = {};
-    "ttf-kleinaspach.de" = {};
-    "edsn.de" = {};
-    "eab.berkeley.edu" = {};
-    "habsys.de" = {};
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    rootPassword = toString (<secrets/mysql_rootPassword>);
+  };
+
+  lass.mysqlBackup = {
+    enable = true;
+    config.fritz = {
+      password = toString (<secrets/mysql_rootPassword>);
+      databases = [
+        "eastuttgart_de"
+      ];
+    };
   };
 
   #lass.owncloud = {
@@ -24,10 +59,4 @@
   #    instanceid = "oc8n8ddbftgh";
   #  };
   #};
-
-  #services.mysql = {
-  #  enable = true;
-  #  package = pkgs.mariadb;
-  #  rootPassword = toString (<secrets/mysql_rootPassword>);
-  #};
 }
diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix
index ac784d4c7..858054531 100644
--- a/lass/2configs/websites/wohnprojekt-rhh.de.nix
+++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix
@@ -1,14 +1,17 @@
-{ config, ... }:
+{ config, pkgs, lib, ... }:
 
-{
+let
+  inherit (config.krebs.lib) genid;
+  inherit (import ../../4lib { inherit lib pkgs; })
+    ssl
+    servePage;
+
+in {
   imports = [
-    ../../3modules/static_nginx.nix
+    ( ssl [ "wohnprojekt-rhh.de" ])
+    ( servePage [ "wohnprojekt-rhh.de" ])
   ];
 
-  lass.staticPage = {
-    "wohnprojekt-rhh.de" = {};
-  };
-
   users.users.laura = {
     home = "/srv/http/wohnprojekt-rhh.de";
     createHome = true;
diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix
index 30afd787e..5b89da093 100644
--- a/lass/2configs/xserver/default.nix
+++ b/lass/2configs/xserver/default.nix
@@ -40,10 +40,6 @@ let
       };
     };
 
-    security.setuidPrograms = [
-      "slock"
-    ];
-
     systemd.services.display-manager.enable = false;
 
     services.xserver.enable = true;
@@ -82,12 +78,7 @@ let
 
     # XXX JSON is close enough :)
     XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
-      "cr"
-      "gm"
-      "ff"
-      "IM"
-      "mail"
-      "stockholm"
+      "dashboard"
     ]);
   };
 
@@ -96,6 +87,7 @@ let
     set -efu
     export PATH; PATH=${makeSearchPath "bin" ([
       pkgs.rxvt_unicode
+      pkgs.i3lock
     ] ++ config.environment.systemPackages)}:/var/setuid-wrappers
     settle() {(
       # Use PATH for a clean journal
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index f891498c2..71e39d874 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,11 +1,11 @@
 _:
 {
   imports = [
-    ./xresources.nix
     ./folderPerms.nix
+    ./mysql-backup.nix
     ./per-user.nix
     ./urxvtd.nix
-    ./xresources.nix
     ./wordpress_nginx.nix
+    ./xresources.nix
   ];
 }
diff --git a/lass/3modules/mysql-backup.nix b/lass/3modules/mysql-backup.nix
new file mode 100644
index 000000000..d2ae67171
--- /dev/null
+++ b/lass/3modules/mysql-backup.nix
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.lass.mysqlBackup;
+
+  out = {
+    options.lass.mysqlBackup = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "mysqlBackup";
+    config = mkOption {
+      type = with types; attrsOf (submodule ({ config, ... }: {
+        options = {
+          name = mkOption {
+            type = types.str;
+            default = config._module.args.name;
+          };
+          startAt = mkOption {
+            type = with types; nullOr str; # TODO systemd.time(7)'s calendar event
+            default = "*-*-* 01:15:00";
+          };
+          user = mkOption {
+            type = str;
+            default = "root";
+          };
+          password = mkOption {
+            type = nullOr str;
+            default = null;
+            description = ''
+              path to a file containing the mysqlPassword for the specified user.
+            '';
+          };
+          databases = mkOption {
+            type = listOf str;
+            default = [];
+          };
+          location = mkOption {
+            type = str;
+            default = "/bku/sql_dumps";
+          };
+        };
+      }));
+      description = "configuration for mysqlBackup";
+    };
+  };
+
+  imp = {
+
+    #systemd.timers =
+    #  mapAttrs (_: plan: {
+    #  wantedBy = [ "timers.target" ];
+    #  timerConfig = plan.timerConfig;
+    #}) cfg.config;
+
+    systemd.services =
+      mapAttrs' (_: plan: nameValuePair "mysqlBackup-${plan.name}" {
+        path = with pkgs; [
+          mysql
+          gzip
+        ];
+        serviceConfig = rec {
+          ExecStart = start plan;
+          SyslogIdentifier = ExecStart.name;
+          Type = "oneshot";
+          User = plan.user;
+        };
+        startAt = plan.startAt;
+      }) cfg.config;
+  };
+
+
+  start = plan: let
+    backupScript = plan: db:
+      "mysqldump -u ${plan.user} ${optionalString (plan.password != null) "-p$(cat ${plan.password})"} ${db} | gzip -c > ${plan.location}/${db}.gz";
+
+  in pkgs.pkgs.writeDash "mysqlBackup.${plan.name}" ''
+    ${concatMapStringsSep "\n" (backupScript plan) plan.databases}
+  '';
+
+
+in out
diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix
index a751a2995..30cbced49 100644
--- a/lass/4lib/default.nix
+++ b/lass/4lib/default.nix
@@ -1,10 +1,231 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
 
 with lib;
 
-{
+rec {
 
   getDefaultGateway = ip:
     concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
 
+  manageCerts = domains:
+    let
+      domain = head domains;
+    in {
+      security.acme = {
+        certs."${domain}" = {
+          email = "lassulus@gmail.com";
+          webroot = "/var/lib/acme/challenges/${domain}";
+          plugins = [
+            "account_key.json"
+            "key.pem"
+            "fullchain.pem"
+          ];
+          group = "nginx";
+          allowKeysForGroup = true;
+          extraDomains = genAttrs domains (_: null);
+        };
+      };
+
+      krebs.nginx.servers."${domain}" = {
+        locations = [
+          (nameValuePair "/.well-known/acme-challenge" ''
+            root /var/lib/acme/challenges/${domain}/;
+          '')
+        ];
+      };
+    };
+
+  ssl = domains:
+    {
+      imports = [
+        ( manageCerts domains )
+        ( activateACME (head domains) )
+      ];
+    };
+
+  activateACME = domain:
+    {
+      krebs.nginx.servers."${domain}" = {
+        ssl = {
+          enable = true;
+          certificate = "/var/lib/acme/${domain}/fullchain.pem";
+          certificate_key = "/var/lib/acme/${domain}/key.pem";
+        };
+      };
+    };
+
+  servePage = domains:
+    let
+      domain = head domains;
+    in {
+      krebs.nginx.servers."${domain}" = {
+        server-names = domains;
+        locations = [
+          (nameValuePair "/" ''
+            root /srv/http/${domain};
+          '')
+        ];
+      };
+    };
+
+  serveOwncloud = domains:
+    let
+      domain = head domains;
+    in {
+      krebs.nginx.servers."${domain}" = {
+        server-names = domains;
+        extraConfig = ''
+          # Add headers to serve security related headers
+          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+          add_header X-Content-Type-Options nosniff;
+          add_header X-Frame-Options "SAMEORIGIN";
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag none;
+
+          # Path to the root of your installation
+          root /srv/http/${domain}/;
+          # set max upload size
+          client_max_body_size 10G;
+          fastcgi_buffers 64 4K;
+
+          # Disable gzip to avoid the removal of the ETag header
+          gzip off;
+
+          # Uncomment if your server is build with the ngx_pagespeed module
+          # This module is currently not supported.
+          #pagespeed off;
+
+          index index.php;
+          error_page 403 /core/templates/403.php;
+          error_page 404 /core/templates/404.php;
+
+          rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
+          rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
+
+          # The following 2 rules are only needed for the user_webfinger app.
+          # Uncomment it if you're planning to use this app.
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+        '';
+        locations = [
+          (nameValuePair "/robots.txt" ''
+            allow all;
+            log_not_found off;
+            access_log off;
+          '')
+          (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
+            deny all;
+          '')
+
+          (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
+            deny all;
+          '')
+
+          (nameValuePair "/" ''
+            rewrite ^/remote/(.*) /remote.php last;
+            rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+            try_files $uri $uri/ =404;
+          '')
+
+          (nameValuePair "~ \.php(?:$|/)" ''
+            fastcgi_split_path_info ^(.+\.php)(/.+)$;
+            include ${pkgs.nginx}/conf/fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $fastcgi_path_info;
+            fastcgi_param HTTPS on;
+            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+            fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+            fastcgi_intercept_errors on;
+          '')
+
+          # Adding the cache control header for js and css files
+          # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+          (nameValuePair "~* \.(?:css|js)$" ''
+            add_header Cache-Control "public, max-age=7200";
+            # Add headers to serve security related headers
+            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+            add_header X-Content-Type-Options nosniff;
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+            add_header X-Robots-Tag none;
+            # Optional: Don't log access to assets
+            access_log off;
+          '')
+
+          # Optional: Don't log access to other assets
+          (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
+            access_log off;
+          '')
+        ];
+      };
+      services.phpfpm.poolConfigs."${domain}" = ''
+        listen = /srv/http/${domain}/phpfpm.pool
+        user = nginx
+        group = nginx
+        pm = dynamic
+        pm.max_children = 5
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+        listen.owner = nginx
+        listen.group = nginx
+        # errors to journal
+        php_admin_value[error_log] = 'stderr'
+        php_admin_flag[log_errors] = on
+        catch_workers_output = yes
+      '';
+    };
+
+  serveWordpress = domains:
+    let
+      domain = head domains;
+
+    in {
+      krebs.nginx.servers."${domain}" = {
+        server-names = domains;
+        extraConfig = ''
+          root /srv/http/${domain}/;
+          index index.php;
+          access_log /tmp/nginx_acc.log;
+          error_log /tmp/nginx_err.log;
+          error_page 404 /404.html;
+          error_page 500 502 503 504 /50x.html;
+        '';
+        locations = [
+          (nameValuePair "/" ''
+            try_files $uri $uri/ /index.php?$args;
+          '')
+          (nameValuePair "~ \.php$" ''
+            fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+            include ${pkgs.nginx}/conf/fastcgi.conf;
+          '')
+          #(nameValuePair "~ /\\." ''
+          #  deny all;
+          #'')
+          #Directives to send expires headers and turn off 404 error logging.
+          (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
+            access_log off;
+            log_not_found off;
+            expires max;
+          '')
+        ];
+      };
+      services.phpfpm.poolConfigs."${domain}" = ''
+        listen = /srv/http/${domain}/phpfpm.pool
+        user = nginx
+        group = nginx
+        pm = dynamic
+        pm.max_children = 5
+        pm.start_servers = 2
+        pm.min_spare_servers = 1
+        pm.max_spare_servers = 3
+        listen.owner = nginx
+        listen.group = nginx
+        # errors to journal
+        php_admin_value[error_log] = 'stderr'
+        php_admin_flag[log_errors] = on
+        catch_workers_output = yes
+      '';
+    };
+
 }
diff --git a/lass/5pkgs/acronym/default.nix b/lass/5pkgs/acronym/default.nix
index 53d5d015a..9f6f95587 100644
--- a/lass/5pkgs/acronym/default.nix
+++ b/lass/5pkgs/acronym/default.nix
@@ -1,13 +1,16 @@
 { pkgs, ... }:
 
 pkgs.writeScriptBin "acronym" ''
+
   #! ${pkgs.bash}/bin/bash
 
   acro=$1
 
   curl -s http://www.acronymfinder.com/$acro.html \
-  | grep 'class="result-list__body__rank"' \
-  | sed 's/.*title="\([^"]*\)".*/\1/' \
-  | sed 's/^.* - //' \
-  | sed "s/&#39;/'/g"
+    | grep 'class="result-list__body__rank"' \
+    | sed '
+      s/.*title="\([^"]*\)".*/\1/
+      s/^.* - //
+      s/&#39;/'\'''/g
+    '
 ''
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 0c9dd94ca..1dacf6c7a 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -8,7 +8,9 @@
       ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
       vimperator = pkgs.callPackage ./firefoxPlugins/vimperator.nix {};
     };
+    mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {};
     mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {};
+    urban = pkgs.callPackage ./urban/default.nix {};
     xmonad-lass =
       let src = pkgs.writeNixFromCabal "xmonad-lass.nix" ./xmonad-lass; in
       pkgs.haskellPackages.callPackage src {};
diff --git a/lass/5pkgs/mk_sql_pair/default.nix b/lass/5pkgs/mk_sql_pair/default.nix
new file mode 100644
index 000000000..a9f0d2797
--- /dev/null
+++ b/lass/5pkgs/mk_sql_pair/default.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+pkgs.writeScriptBin "mk_sql_pair" ''
+  #!/bin/sh
+
+  name=$1
+  password=$2
+
+  if [ $# -ne 2 ]; then
+    echo '$1=name, $2=password'
+    exit 23;
+  fi
+
+  cat <<EOF
+    create database $name;
+    create user $name;
+    grant all on $name.* to $name@'localhost' identified by '$password';
+  EOF
+''
diff --git a/lass/5pkgs/urban/default.nix b/lass/5pkgs/urban/default.nix
new file mode 100644
index 000000000..fb8adaed9
--- /dev/null
+++ b/lass/5pkgs/urban/default.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+
+pkgs.writeScriptBin "urban" ''
+  #!/bin/sh
+  set -euf
+  term=$1
+  curl -LsS 'http://www.urbandictionary.com/define.php?term='"$term" \
+    | sed 's/<\/\?a\>[^>]*>//g' \
+    | sed 's/<\([^>]*\)>/\n<\1\n/g' \
+    | grep . \
+    | sed -n '/<div class=.meaning./,/<\/div/p' \
+    | sed 's/<div class=.meaning./-----/' \
+    | grep -v '^</div\>' \
+    | grep -v '^<br\>' \
+    | sed '
+      s/&quot;/"/g
+      s/&#39;/'\'''/g
+      s/&gt;/>/g
+      s/&lt;/>/g
+    '
+''
diff --git a/lass/5pkgs/xmonad-lass/Main.hs b/lass/5pkgs/xmonad-lass/Main.hs
index 503df3be7..277034240 100644
--- a/lass/5pkgs/xmonad-lass/Main.hs
+++ b/lass/5pkgs/xmonad-lass/Main.hs
@@ -5,49 +5,33 @@
 
 
 module Main where
+import XMonad
 
+import qualified XMonad.StackSet as W
 import Control.Exception
-import Text.Read (readEither)
-import XMonad
+import Data.List (isInfixOf)
+import System.Environment (getArgs, withArgs, getEnv)
 import System.IO (hPutStrLn, stderr)
-import System.Environment (getArgs, withArgs, getEnv, getEnvironment)
-import System.Posix.Process (executeFile)
-import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace
-                                        , removeEmptyWorkspace)
-import XMonad.Actions.GridSelect
+import Text.Read (readEither)
+import XMonad.Actions.CopyWindow (copy, kill1)
 import XMonad.Actions.CycleWS (toggleWS)
---import XMonad.Actions.CopyWindow ( copy )
-import XMonad.Layout.NoBorders ( smartBorders )
-import qualified XMonad.StackSet as W
-import Data.Map (Map)
-import qualified Data.Map as Map
--- TODO import XMonad.Layout.WorkspaceDir
+import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
+import XMonad.Actions.DynamicWorkspaces (withWorkspace)
+import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
+import XMonad.Hooks.FloatNext (floatNext)
+import XMonad.Hooks.FloatNext (floatNextHook)
+import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
+import XMonad.Hooks.Place (placeHook, smart)
+import XMonad.Hooks.UrgencyHook (focusUrgent)
 import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
--- import XMonad.Layout.Tabbed
---import XMonad.Layout.MouseResizableTile
-import XMonad.Layout.Reflect (reflectVert)
 import XMonad.Layout.FixedColumn (FixedColumn(..))
-import XMonad.Hooks.Place (placeHook, smart)
-import XMonad.Hooks.FloatNext (floatNextHook)
-import XMonad.Actions.PerWorkspaceKeys (chooseAction)
-import XMonad.Layout.PerWorkspace (onWorkspace)
---import XMonad.Layout.BinarySpacePartition
+import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
+import XMonad.Layout.NoBorders (smartBorders)
+import XMonad.Prompt (autoComplete, searchPredicate, XPConfig)
+import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
+import XMonad.Stockholm.Shutdown (sendShutdownEvent, handleShutdownEvent)
 import XMonad.Util.EZConfig (additionalKeysP)
 
-import XMonad.Prompt (autoComplete, defaultXPConfig, XPConfig, mkXPrompt)
-import XMonad.Hooks.UrgencyHook (focusUrgent, withUrgencyHook, urgencyBorderColor, BorderUrgencyHook(BorderUrgencyHook))
-import XMonad.Actions.DynamicWorkspaces (addWorkspacePrompt, removeEmptyWorkspace, renameWorkspace, withWorkspace)
-import XMonad.Hooks.FloatNext (floatNext, floatNextHook)
-import XMonad.Prompt.Workspace
-import XMonad.Actions.CopyWindow (copy, kill1)
-import qualified Data.Map as M
-import XMonad.Hooks.ManageDocks (avoidStruts, manageDocks, ToggleStruts(ToggleStruts))
-
---import XMonad.Actions.Submap
-import XMonad.Stockholm.Pager
-import XMonad.Stockholm.Rhombus
-import XMonad.Stockholm.Shutdown
-
 
 myTerm :: String
 myTerm = "urxvtc"
@@ -67,18 +51,12 @@ mainNoArgs :: IO ()
 mainNoArgs = do
     workspaces0 <- getWorkspaces0
     xmonad'
-        -- $ withUrgencyHookC dzenUrgencyHook { args = ["-bg", "magenta", "-fg", "magenta", "-h", "2"], duration = 500000 }
-        --                   urgencyConfig { remindWhen = Every 1 }
-        -- $ withUrgencyHook borderUrgencyHook "magenta"
-        -- $ withUrgencyHookC BorderUrgencyHook { urgencyBorderColor = "magenta" } urgencyConfig { suppressWhen = Never }
         $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
         $ def
             { terminal          = myTerm
             , modMask           = mod4Mask
             , workspaces        = workspaces0
             , layoutHook = smartBorders $ myLayoutHook
-            -- , handleEventHook   = myHandleEventHooks <+> handleTimerEvent
-            --, handleEventHook   = handleTimerEvent
             , manageHook        = placeHook (smart (1,0)) <+> floatNextHook
             , startupHook       = spawn "echo emit XMonadStartup"
             , normalBorderColor  = "#1c1c1c"
@@ -88,7 +66,7 @@ mainNoArgs = do
 
 myLayoutHook = defLayout
   where
-    defLayout = (avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1
+    defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1)
 
 
 xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO ()
@@ -96,7 +74,7 @@ xmonad' conf = do
     path <- getEnv "XMONAD_STATE"
     try (readFile path) >>= \case
         Right content -> do
-            hPutStrLn stderr ("resuming from " ++ path)
+            hPutStrLn stderr ("resuming from " ++ path ++ "; state = " ++ show content)
             withArgs ("--resume" : lines content) (xmonad conf)
         Left e -> do
             hPutStrLn stderr (displaySomeException e)
@@ -118,19 +96,19 @@ displaySomeException :: SomeException -> String
 displaySomeException = displayException
 
 
+myKeyMap :: [([Char], X ())]
 myKeyMap =
-    [ ("M4-<F11>", spawn "/var/setuid-wrappers/slock")
+    [ ("M4-<F11>", spawn "i3lock -i /var/lib/wallpaper/wallpaper -f")
     , ("M4-p", spawn "passmenu --type")
-    --, ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"")
     , ("<XF86AudioRaiseVolume>", spawn "pactl -- set-sink-volume 0 +4%")
     , ("<XF86AudioLowerVolume>", spawn "pactl -- set-sink-volume 0 -4%")
     , ("<XF86AudioMute>", spawn "pactl -- set-sink-mute 0 toggle")
     , ("<XF86AudioMicMute>", spawn "pactl -- set-source-mute 1 toggle")
-    , ("<XF86Launch1>", gridselectWorkspace myWSConfig W.view)
+    , ("<XF86Launch1>", gridselectWorkspace gridConfig W.view)
 
     , ("M4-a", focusUrgent)
-    , ("M4-S-r", renameWorkspace    defaultXPConfig)
-    , ("M4-S-a", addWorkspacePrompt defaultXPConfig)
+    , ("M4-S-r", renameWorkspace    def)
+    , ("M4-S-a", addWorkspacePrompt def)
     , ("M4-S-<Backspace>", removeEmptyWorkspace)
     , ("M4-S-c", kill1)
     , ("M4-<Esc>", toggleWS)
@@ -139,66 +117,34 @@ myKeyMap =
     , ("M4-f", floatNext True)
     , ("M4-b", sendMessage ToggleStruts)
 
-    , ("M4-v", withWorkspace myXPConfig (windows . W.view))
-    , ("M4-S-v", withWorkspace myXPConfig (windows . W.shift))
-    , ("M4-C-v", withWorkspace myXPConfig (windows . copy))
+    , ("M4-v", withWorkspace autoXPConfig (windows . W.view))
+    , ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift))
+    , ("M4-C-v", withWorkspace autoXPConfig (windows . copy))
 
-    -- , (_4 , xK_q      ) & \k -> (k, goToSelected myCNConfig { gs_navigate = makeGSNav k }                   )
-    -- , (_4S, xK_q      ) & \k -> (k, bringSelected myCNConfig { gs_navigate = makeGSNav k }                  )
-    -- , (_4C, xK_q      ) & \k -> (k, withSelectedWindow ( \a -> get >>= \s -> put s { windowset = copyWindow a (W.tag $ W.workspace $ W.current $ windowset s) (windowset s) } ) myCNConfig { gs_navigate = makeGSNav k } )
+    , ("M4-m", withFocused minimizeWindow)
+    , ("M4-S-m", sendMessage RestoreNextMinimizedWin)
+
+    , ("M4-q", windowPromptGoto infixAutoXPConfig)
+    , ("M4-C-q", windowPromptBringCopy infixAutoXPConfig)
 
-    --, ("M4-<F1>", perWorkspaceAction workspaceConfigs)
     , ("M4-S-q", return ())
     ]
 
-myGSConfig = defaultGSConfig
-    { gs_cellheight = 50
-    , gs_cellpadding = 2
-    , gs_navigate = navNSearch
-    , gs_font = myFont
-    }
-
-myXPConfig :: XPConfig
-myXPConfig = defaultXPConfig
+autoXPConfig :: XPConfig
+autoXPConfig = def
     { autoComplete = Just 5000
     }
 
-myWSConfig = myGSConfig
-    { gs_cellwidth = 50
+infixAutoXPConfig :: XPConfig
+infixAutoXPConfig = autoXPConfig
+    { searchPredicate = isInfixOf
     }
 
-pagerConfig :: PagerConfig
-pagerConfig = def
-    { pc_font           = myFont
-    , pc_cellwidth      = 64
-    --, pc_cellheight     = 36 -- TODO automatically keep screen aspect
-    --, pc_borderwidth    = 1
-    --, pc_matchcolor     = "#f0b000"
-    , pc_matchmethod    = MatchPrefix
-    --, pc_colors         = pagerWorkspaceColors
-    , pc_windowColors   = windowColors
-    }
-    where
-    windowColors _ _ _ True _ = ("#ef4242","#ff2323")
-    windowColors wsf m c u wf = do
-        let y = defaultWindowColors wsf m c u wf
-        if m == False && wf == True
-            then ("#402020", snd y)
-            else y
-
-wGSConfig :: GSConfig Window
-wGSConfig = def
-    { gs_cellheight = 20
-    , gs_cellwidth = 192
-    , gs_cellpadding = 5
-    , gs_font = myFont
+gridConfig :: GSConfig WorkspaceId
+gridConfig = def
+    { gs_cellwidth = 50
+    , gs_cellheight = 50
+    , gs_cellpadding = 2
     , gs_navigate = navNSearch
+    , gs_font = myFont
     }
-
-
-(&) :: a -> (a -> c) -> c
-(&) = flip ($)
-
-allWorkspaceNames :: W.StackSet i l a sid sd -> X [i]
-allWorkspaceNames ws =
-    return $ map W.tag (W.hidden ws) ++ [W.tag $ W.workspace $ W.current ws]
diff --git a/lass/5pkgs/xmonad-lass/Util/PerWorkspaceConfig.hs b/lass/5pkgs/xmonad-lass/Util/PerWorkspaceConfig.hs
deleted file mode 100644
index bba7c8c60..000000000
--- a/lass/5pkgs/xmonad-lass/Util/PerWorkspaceConfig.hs
+++ /dev/null
@@ -1,52 +0,0 @@
-module Util.PerWorkspaceConfig
-  ( WorkspaceConfig (..)
-  , WorkspaceConfigs
-  , switchToWorkspace
-  , defaultWorkspaceConfig
-  , perWorkspaceAction
-  , perWorkspaceTermAction
---  , myLayoutHack
-  )
-where
-
-import XMonad
-import XMonad.Core (LayoutClass)
-import Control.Monad (when)
-
-import qualified Data.Map as M
-import qualified XMonad.StackSet as W
-
-data WorkspaceConfig l =
-  WorkspaceConfig
-    { switchAction :: X ()
-    , startAction  :: X ()
-    , keyAction    :: X ()
-    , termAction   :: X ()
-    }
-
-type WorkspaceConfigs l = M.Map WorkspaceId (WorkspaceConfig l)
-
-defaultWorkspaceConfig = WorkspaceConfig
-                             { switchAction = return ()
-                             , startAction  = return ()
-                             , keyAction    = return ()
-                             , termAction   = spawn "urxvtc"
-                             }
-
-whenLookup wsId cfg a =
-    when (M.member wsId cfg) (a $ cfg M.! wsId)
-
-switchToWorkspace :: WorkspaceConfigs l -> WorkspaceId -> X ()
-switchToWorkspace cfg wsId = do
-  windows $ W.greedyView wsId
-  wins <- gets (W.integrate' . W.stack . W.workspace . W.current . windowset)
-  when (null wins) $ whenLookup wsId cfg startAction
-  whenLookup wsId cfg switchAction
-
-perWorkspaceAction :: WorkspaceConfigs l -> X ()
-perWorkspaceAction cfg = withWindowSet $ \s -> whenLookup (W.currentTag s) cfg keyAction
-
-perWorkspaceTermAction :: WorkspaceConfigs l -> X ()
-perWorkspaceTermAction cfg = withWindowSet $ \s -> case M.lookup (W.currentTag s) cfg of
-                                                       Just x -> termAction x
-                                                       _      -> termAction defaultWorkspaceConfig
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index 7bac4398c..17b2b5093 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -41,6 +41,8 @@ in {
     ];
   };
 
+  makefu.taskserver.enable = true;
+
   krebs.nginx.servers.cgit = {
     server-names = [ "cgit.euer.krebsco.de" ];
     listen = [ "${external-ip}:80" "${internal-ip}:80" ];
@@ -86,6 +88,8 @@ in {
           21032
           # tinc-retiolum
           21031
+          # taskserver
+          53589
         ];
         allowedUDPPorts = [
           # tinc
diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix
index f007a8418..0a10b1532 100644
--- a/makefu/3modules/default.nix
+++ b/makefu/3modules/default.nix
@@ -4,6 +4,7 @@ _:
   imports = [
     ./snapraid.nix
     ./umts.nix
+    ./taskserver.nix
   ];
 }
 
diff --git a/makefu/3modules/taskserver.nix b/makefu/3modules/taskserver.nix
new file mode 100644
index 000000000..41247fff3
--- /dev/null
+++ b/makefu/3modules/taskserver.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+let
+  cfg = config.makefu.taskserver;
+
+  out = {
+    options.makefu.taskserver = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "taskserver";
+
+    workingDir = mkOption {
+      type = types.str;
+      default = "/var/lib/taskserver";
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.taskserver;
+    };
+
+
+  };
+
+  imp = {
+    environment.systemPackages = [ cfg.package ];
+    systemd.services.taskserver = {
+      description = "taskd server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      restartIfChanged = true;
+      unitConfig = {
+        Documentation = "http://taskwarrior.org/docs/#taskd" ;
+        # https://taskwarrior.org/docs/taskserver/configure.html
+        ConditionPathExists = "${cfg.workingDir}/config";
+      };
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${cfg.package}/bin/taskd server --data ${cfg.workingDir}";
+        WorkingDirectory = cfg.workingDir;
+        PrivateTmp = true;
+        InaccessibleDirectories = "/home /boot /opt /mnt /media";
+        User = "taskd";
+      };
+    };
+
+    users.users.taskd = {
+      uid = genid "taskd";
+      home = cfg.workingDir;
+      createHome = true;
+    };
+    users.groups.taskd.gid = genid "taskd";
+  };
+
+in
+out
+
diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix
index 8caab433e..fff92725e 100644
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@@ -9,8 +9,9 @@ in
     alsa-hdspconf = callPackage ./alsa-tools { alsaToolTarget="hdspconf";};
     alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";};
     awesomecfg = callPackage ./awesomecfg {};
-    nodemcu-uploader = callPackage ./nodemcu-uploader {};
     mycube-flask = callPackage ./mycube-flask {};
+    nodemcu-uploader = callPackage ./nodemcu-uploader {};
     tw-upload-plugin = callPackage ./tw-upload-plugin {};
+    taskserver = callPackage ./taskserver {};
   };
 }
diff --git a/makefu/5pkgs/taskserver/default.nix b/makefu/5pkgs/taskserver/default.nix
new file mode 100644
index 000000000..a1502b4d6
--- /dev/null
+++ b/makefu/5pkgs/taskserver/default.nix
@@ -0,0 +1,43 @@
+{ stdenv, fetchurl, cmake, libuuid, gnutls, makeWrapper }:
+
+stdenv.mkDerivation rec {
+  name = "taskserver-${version}";
+  version = "1.1.0";
+
+  enableParallelBuilding = true;
+
+  src = fetchurl {
+    url = "http://www.taskwarrior.org/download/taskd-${version}.tar.gz";
+    sha256 = "1d110q9vw8g5syzihxymik7hd27z1592wkpz55kya6lphzk8i13v";
+  };
+
+  patchPhase = ''
+    pkipath=$out/share/taskd/pki
+    mkdir -p $pkipath
+    cp -r pki/* $pkipath
+    echo "patching paths in pki/generate"
+    sed -i "s#^\.#$pkipath#" $pkipath/generate
+    for f in $pkipath/generate* ;do
+      i=$(basename $f)
+      echo patching $i
+      sed -i \
+          -e 's/which/type -p/g' \
+          -e 's#^\. ./vars#if test -e ./vars;then . ./vars; else echo "cannot find ./vars - copy the template from '$pkipath'/vars into the working directory";exit 1; fi#' $f
+
+      echo wrapping $i
+      makeWrapper  $pkipath/$i $out/bin/taskd-pki-$i \
+        --prefix PATH : ${gnutls}/bin/
+    done
+  '';
+
+  buildInputs = [ makeWrapper ];
+  nativeBuildInputs = [ cmake libuuid gnutls ];
+
+  meta = {
+    description = "Server for synchronising Taskwarrior clients";
+    homepage = http://taskwarrior.org;
+    license = stdenv.lib.licenses.mit;
+    platforms = stdenv.lib.platforms.linux;
+    maintainers = with stdenv.lib.maintainers; [ matthiasbeyer makefu ];
+  };
+}