From 714a2e492270d984e8987532c247ae4caf69fce0 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 21 Oct 2015 22:29:35 +0200 Subject: stockholm: only inherit in out --- default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/default.nix b/default.nix index c70225174..fc322cb80 100644 --- a/default.nix +++ b/default.nix @@ -44,7 +44,7 @@ let stockholm = { # Additionally, output lib and pkgs for easy access from the shell. # Notice how we're evaluating just the base module to obtain pkgs. inherit lib; - inherit (eval {}) pkgs; + inherit pkgs; }; krebs = import ./krebs (current // { inherit lib stockholm; }); @@ -62,6 +62,8 @@ let stockholm = { nspath = ns: p: stockholm-path + "/${ns}/${p}"; }; + inherit (eval {}) pkgs; + # Path resolvers for common and individual files. # Example: `upath "3modules"` produces the current user's 3modules directory kpath = lib.nspath "krebs"; -- cgit v1.2.3 From 5206c11026245b1fe20a66fb5b14165e51195f0b Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 21 Oct 2015 22:43:11 +0200 Subject: wu nixpkgs: f77bf46 -> 9048637 --- tv/1systems/wu.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index c691066cb..c687ae52d 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -10,8 +10,11 @@ with lib; krebs.build.source = { git.nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "e916273209560b302ab231606babf5ce1c481f08"; + #url = https://github.com/NixOS/nixpkgs; + #rev = "f77bf46c1e705934a00c52d90cc62a76fbb1f6b5"; + # Revert "rxvt_unicode: add patch to fix Shift+PgUp/PgDown bug" + url = https://github.com/4z3/nixpkgs; + rev = "9048637"; }; dir.secrets = { host = config.krebs.hosts.wu; -- cgit v1.2.3 From fc64fd18cb8677f08d038a086de879fd69f89b8c Mon Sep 17 00:00:00 2001 
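Review bot: In tv/1systems/wu.nix the nixpkgs source is now pinned with a seven-character abbreviated hash on a personal fork (`url = https://github.com/4z3/nixpkgs; rev = "9048637";`). An abbreviated prefix is resolved against whatever the remote holds at fetch time and can become ambiguous. That makes it a weaker pin than the full 40-character ids used on the removed and commented-out lines. Use the full id, e.g. `rev = "<full 40-character id of 9048637>";` (placeholder), and extend the comment to name the upstream revision the fork is based on, so the source of the deployed system stays auditable.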
From: tv Date: Thu, 22 Oct 2015 00:20:16 +0200 Subject: krebs.*: make StrictHostKeyChecking configurable --- default.nix | 5 +++-- krebs/default.nix | 6 +++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/default.nix b/default.nix index fc322cb80..b261e51e7 100644 --- a/default.nix +++ b/default.nix @@ -17,7 +17,8 @@ { current-date ? abort "current-date not defined" , current-host-name ? abort "current-host-name not defined" , current-user-name ? builtins.getEnv "LOGNAME" -}@current: +, StrictHostKeyChecking ? "yes" +}@args: let stockholm = { # The generated scripts to deploy (or infest) systems can be found in the @@ -47,7 +48,7 @@ let stockholm = { inherit pkgs; }; - krebs = import ./krebs (current // { inherit lib stockholm; }); + krebs = import ./krebs (args // { inherit lib stockholm; }); lib = let diff --git a/krebs/default.nix b/krebs/default.nix index 0b055cd24..08de72294 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -3,6 +3,7 @@ , current-user-name , lib , stockholm +, StrictHostKeyChecking ? "yes" }: let out = { @@ -260,7 +261,10 @@ let out = { in out; rootssh = target: script: - "ssh root@${target} -T ${doc '' + let + flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}"; + in + "ssh ${flags} root@${target} -T ${doc '' set -efu ${script} ''}"; -- cgit v1.2.3 From 4b8ffc1bfd494de1fafde2527a337ad5eb31a27c Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 00:23:02 +0200 Subject: krebs.nixos-install: fail if pkg cannot be found Collaterally, search in /nix instead of /mnt/nix --- krebs/default.nix | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/krebs/default.nix b/krebs/default.nix index 08de72294..40d245f98 100644 --- a/krebs/default.nix +++ b/krebs/default.nix 
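Review bot: In `rootssh` (krebs/default.nix) the new `StrictHostKeyChecking` argument is interpolated unquoted and unvalidated into the ssh command line via `flags = "-o StrictHostKeyChecking=${StrictHostKeyChecking}";`. Any string a caller passes, including one with spaces or further options, becomes part of a command that logs in as root. Constrain it to the values ssh accepts, e.g. `assert builtins.elem StrictHostKeyChecking [ "yes" "no" "ask" ];` placed before `let out = {`. Also add a comment next to the argument stating that `"no"` disables host-key verification for the root deployment session and should be limited to first contact with a freshly installed host. The `let out = {` body starts and ends outside the hunk.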
@@ -132,16 +132,20 @@ let out = { s:.*\(/nix/store/[a-z0-9]*-nix-[0-9.]\+/bin/nix-env\).*:\1:p;T;q ') echo "nix-env is $nix_env" >&2 - getchrootpath() {( + findpkg() {( name=$1 - path=$(find /mnt/nix/store \ + path=$(find /nix/store \ -mindepth 1 -maxdepth 1 -type d -name '*-'"$name"'-*' \ | head -n 1 | sed s:^/mnt::) - echo "$name is $path" >&2 - echo "$path" + if echo "$path" | grep .; then + echo "$name is $path" >&2 + else + echo "Error: package not found: $name" >&2 + exit 1 + fi )} - cacert=$(getchrootpath cacert) - coreutils=$(getchrootpath coreutils) + cacert=$(findpkg cacert) + coreutils=$(findpkg coreutils) env="$coreutils/bin/env \ SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt" sed -i ' -- cgit v1.2.3 From df6f0392cbdf7923537eb5d328bd345cde11eb53 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 00:49:51 +0200 Subject: krebs.nixos-install: cacert -> /root/SSL_CERT_FILE --- krebs/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krebs/default.nix b/krebs/default.nix index 40d245f98..31a7f7d04 100644 --- a/krebs/default.nix +++ b/krebs/default.nix @@ -146,8 +146,8 @@ let out = { )} cacert=$(findpkg cacert) coreutils=$(findpkg coreutils) - env="$coreutils/bin/env \ - SSL_CERT_FILE=$cacert/etc/ssl/certs/ca-bundle.crt" + cp "$cacert"/etc/ssl/certs/ca-bundle.crt /mnt/root/SSL_CERT_FILE + env="$coreutils/bin/env SSL_CERT_FILE=/root/SSL_CERT_FILE" sed -i ' s:^NIX_PATH=:chroot $mountPoint '"$env"' &: s:^nix-env:'"$nix_env"': -- cgit v1.2.3 From e557bc2e58c3e276656853c42cb00db979570135 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 01:25:44 +0200 Subject: nomic: bump file systems --- tv/1systems/nomic.nix | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 718f6ae24..210846215 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix 
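Review bot: `findpkg` still takes the first directory matching `'*-'"$name"'-*'` through `head -n 1`. If the store holds several matches (more than one cacert version, or another package whose name contains `-cacert-`), the CA bundle later exported as SSL_CERT_FILE comes from whichever path `find` lists first. The added check only covers the zero-match case; consider also failing, or at least logging every candidate to stderr, when more than one path matches. The `sed s:^/mnt::` stage is a leftover now that the search root is `/nix/store` and can be dropped. The surrounding install script starts and ends outside the hunk.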
@@ -64,27 +64,24 @@ with lib; ]; boot.initrd.luks = { - cryptoModules = [ "aes" "sha1" "xts" ]; + cryptoModules = [ "aes" "sha512" "xts" ]; devices = [ - { - name = "luks1"; - device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4"; - } + { name = "luks1"; device = "/dev/sda2"; } ]; }; fileSystems."/" = - { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c"; + { device = "/dev/mapper/nomic1-root"; fsType = "btrfs"; }; fileSystems."/boot" = - { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e"; + { device = "/dev/sda1"; fsType = "ext4"; }; fileSystems."/home" = - { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff"; + { device = "/dev/mapper/nomic1-home"; fsType = "btrfs"; }; -- cgit v1.2.3 From c2e1ab2bd09c204e1fa1c4ecd637c2e5b8a4b9ab Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 01:25:02 +0200 Subject: tv base systemPackages += git --- tv/1systems/cd.nix | 1 - tv/1systems/mkdir.nix | 1 - tv/1systems/rmdir.nix | 1 - tv/1systems/wu.nix | 1 - tv/2configs/base.nix | 6 ++++++ 5 files changed, 6 insertions(+), 4 deletions(-) diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix index 12e52cd11..d2b08bef7 100644 --- a/tv/1systems/cd.nix +++ b/tv/1systems/cd.nix @@ -114,7 +114,6 @@ with lib; ]; environment.systemPackages = with pkgs; [ - git # required for ./deploy, clone_or_update htop iftop iotop diff --git a/tv/1systems/mkdir.nix b/tv/1systems/mkdir.nix index 669dcc2f3..f0c7dc2a0 100644 --- a/tv/1systems/mkdir.nix +++ b/tv/1systems/mkdir.nix @@ -88,7 +88,6 @@ in ]; environment.systemPackages = with pkgs; [ - git # required for ./deploy, clone_or_update htop iftop iotop diff --git a/tv/1systems/rmdir.nix b/tv/1systems/rmdir.nix index 79e47c539..c52222cd1 100644 --- a/tv/1systems/rmdir.nix +++ b/tv/1systems/rmdir.nix @@ -84,7 +84,6 @@ in ]; environment.systemPackages = with pkgs; [ - git # required for ./deploy, clone_or_update htop iftop iotop 
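Review bot: In tv/1systems/nomic.nix the LUKS container and /boot are now addressed by kernel enumeration names (`device = "/dev/sda2";`, `device = "/dev/sda1";`) instead of `/dev/disk/by-uuid/...` paths. Those names depend on probe order, so with an extra disk or USB stick attached the initrd may prompt for the passphrase on a different device or fail to find the volume. Prefer a stable identifier, e.g. `device = "/dev/disk/by-uuid/<uuid of the new LUKS partition>";` (placeholder), and likewise for `fileSystems."/boot"`. The switch of `cryptoModules` from "sha1" to "sha512" presumably follows the hash of the re-created volume; a short comment saying so would help the next reader.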
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index c687ae52d..404fdb3d1 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -40,7 +40,6 @@ with lib; # stockholm genid - git gnumake hashPassword lentil diff --git a/tv/2configs/base.nix b/tv/2configs/base.nix index 010d4b326..4de980cf1 100644 --- a/tv/2configs/base.nix +++ b/tv/2configs/base.nix @@ -14,6 +14,12 @@ in networking.hostName = config.krebs.build.host.name; imports = [ + { + # stockholm dependencies + environment.systemPackages = with pkgs; [ + git + ]; + } { # TODO never put hashedPassword into the store users.extraUsers = -- cgit v1.2.3 From 9ba8fc142cb14aa3768cb99bf9170f7875beafd1 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 22 Oct 2015 12:48:17 +0200 Subject: wu nixpkgs: 9048637 -> e916273 Current unstable is really unstable w/system hangs. --- tv/1systems/wu.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 404fdb3d1..89ad257f0 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -10,11 +10,8 @@ with lib; krebs.build.source = { git.nixpkgs = { - #url = https://github.com/NixOS/nixpkgs; - #rev = "f77bf46c1e705934a00c52d90cc62a76fbb1f6b5"; - # Revert "rxvt_unicode: add patch to fix Shift+PgUp/PgDown bug" - url = https://github.com/4z3/nixpkgs; - rev = "9048637"; + url = https://github.com/NixOS/nixpkgs; + rev = "e916273209560b302ab231606babf5ce1c481f08"; }; dir.secrets = { host = config.krebs.hosts.wu; -- cgit v1.2.3 From 6a425334c78fe6eb30f21f9757554905f09436fa Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 22 Oct 2015 13:43:20 +0200 Subject: m 2 reaktor/random-emoji: html-decode output using xmlstarlet --- makefu/2configs/Reaktor/random-emoji.nix | 1 + makefu/2configs/Reaktor/random-emoji.sh | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/makefu/2configs/Reaktor/random-emoji.nix b/makefu/2configs/Reaktor/random-emoji.nix index b2d99b36b..3113a826b 100644 
--- a/makefu/2configs/Reaktor/random-emoji.nix +++ b/makefu/2configs/Reaktor/random-emoji.nix @@ -12,6 +12,7 @@ let coreutils gnused gnugrep + xmlstarlet curl]); in { # TODO: make origin a variable, <- module is generic enough to handle different origins, not only stockholm diff --git a/makefu/2configs/Reaktor/random-emoji.sh b/makefu/2configs/Reaktor/random-emoji.sh index 913d615be..386aa68b9 100644 --- a/makefu/2configs/Reaktor/random-emoji.sh +++ b/makefu/2configs/Reaktor/random-emoji.sh @@ -2,4 +2,5 @@ curl http://emojicons.com/random -s | \ grep data-text | \ sed -n 's/.*>\(.*\)<\/textarea>/\1/p' | \ - head -n 1 + head -n 1 | \ + xmlstarlet unesc -- cgit v1.2.3 From 9be59a04001698e8e34ae4e2a49e2dea920765b1 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 22 Oct 2015 15:26:54 +0200 Subject: krebs 3 modules: bepasty-server is a krebs module --- krebs/3modules/bepasty-server.nix | 164 +++++++++++++++++++++++++++++++++++++ krebs/3modules/default.nix | 1 + makefu/3modules/bepasty-server.nix | 164 ------------------------------------- makefu/3modules/default.nix | 1 - 4 files changed, 165 insertions(+), 165 deletions(-) create mode 100644 krebs/3modules/bepasty-server.nix delete mode 100644 makefu/3modules/bepasty-server.nix diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix new file mode 100644 index 000000000..ff32eea60 --- /dev/null +++ b/krebs/3modules/bepasty-server.nix 
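Review bot: In random-emoji.sh `xmlstarlet unesc` runs after `head -n 1`, on text fetched over plain HTTP. Character references such as `&#10;` or `&#13;` in the response are therefore decoded into real line breaks after the one-line limit has already been applied. If Reaktor relays this script's stdout to the channel (not visible here), the remote page can contribute additional lines. Decode first and truncate afterwards, `xmlstarlet unesc | tr -d '\r' | head -n 1`, so the output is a single line again. A comment noting that the input is untrusted would also be worth adding.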
@@ -0,0 +1,164 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + gunicorn = pkgs.pythonPackages.gunicorn; + bepasty = pkgs.pythonPackages.bepasty-server; + gevent = pkgs.pythonPackages.gevent; + python = pkgs.pythonPackages.python; + cfg = config.krebs.bepasty; + + out = { + options.krebs.bepasty = api; + config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; + }; + + api = { + enable = mkEnableOption "Bepasty Servers"; + serveNginx = mkEnableOption "Serve Bepasty Servers with Nginx"; + + servers = mkOption { + type = with types; attrsOf optionSet; + options = singleton { + nginx = mkOption { + # TODO use the correct type + type = with types; attrsOf unspecified; + description = '' + additional nginx configuration. see krebs.nginx for all options + '' ; + }; + + secretKey = mkOption { + type = types.str; + description = '' + server secret for safe session cookies, must be set. + ''; + default = ""; + }; + + # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi + workDir = mkOption { + type = types.str; + description = '' + Path to the working directory (used for sockets and pidfile). + Defaults to the users home directory. Must be accessible to nginx, + permissions will be set to 755 + ''; + default = config.users.extraUsers.bepasty.home; + }; + + dataDir = mkOption { + type = types.str; + description = '' + Defaults to the new users home dir which defaults to + /var/lib/bepasty-server/data + ''; + default = "${config.users.extraUsers.bepasty.home}/data"; + }; + + extraConfig = mkOption { + type = types.str; + default = ""; + # TODO configure permissions in separate + example = '' + PERMISSIONS = { + 'myadminsecret': 'admin,list,create,read,delete', + } + MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 + ''; + }; + + defaultPermissions = mkOption { + # TODO: listOf str + type = types.str; + description = '' + default permissions for all unauthenticated users. 
+ ''; + example = "read,create,delete"; + default = "read"; + }; + + }; + default = {}; + }; + + }; + + imp = { + # Configures systemd services for each configured server + # environment.systemPackages = [ bepasty gunicorn gevent ]; + systemd.services = mapAttrs' (name: server: + nameValuePair ("bepasty-server-${name}") + ({ + description = "Bepasty Server ${name}"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartIfChanged = true; + environment = { + BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; + PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; + }; + serviceConfig = { + Type = "simple"; + PrivateTmp = true; + + ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' + #!/bin/sh + mkdir -p "${server.dataDir}" "${server.workDir}" + chown bepasty:bepasty "${server.workDir}" "${server.dataDir}" + cat > "${server.workDir}/bepasty-${name}.conf" < "${server.workDir}/bepasty-${name}.conf" < Date: Thu, 22 Oct 2015 15:33:05 +0200 Subject: krebs 3 tinc_graphs: mv from makefu 3 tinc_graphs --- krebs/3modules/default.nix | 1 + krebs/3modules/tinc_graphs.nix | 145 ++++++++++++++++++++++++++++++++++++++++ makefu/1systems/wry.nix | 2 +- makefu/3modules/default.nix | 1 - makefu/3modules/tinc_graphs.nix | 145 ---------------------------------------- 5 files changed, 147 insertions(+), 147 deletions(-) create mode 100644 krebs/3modules/tinc_graphs.nix delete mode 100644 makefu/3modules/tinc_graphs.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 1f34c8e68..5c5bec005 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -18,6 +18,7 @@ let ./retiolum-bootstrap.nix ./realwallpaper.nix ./retiolum.nix + ./tinc_graphs.nix ./urlwatch.nix ]; options.krebs = api; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix new file mode 100644 index 000000000..a6c628353 
--- /dev/null +++ b/krebs/3modules/tinc_graphs.nix 
@@ -0,0 +1,145 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + cfg = config.krebs.tinc_graphs; + internal_dir = "${cfg.workingDir}/internal"; + external_dir = "${cfg.workingDir}/external"; + + out = { + options.krebs.tinc_graphs = api; + config = mkIf cfg.enable imp ; + }; + + api = { + enable = mkEnableOption "tinc graphs"; + + geodbPath = mkOption { + type = types.str; + description = "Path to geocitydb, defaults to geolite-legacy"; + default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat"; + }; + + nginx = { + enable = mkEnableOption "enable tinc_graphs to be served with nginx"; + + anonymous = { + server-names = mkOption { + type = with types; listOf str; + description = "hostnames which serve anonymous graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + # use the type of the nginx listen option + type = with types; listOf str; + description = "listen address for anonymous graphs"; + default = [ "80" ]; + }; + + }; + + complete = { + server-names = mkOption { + type = with types; listOf str; + description = "hostname which serves complete graphs"; + default = [ "graphs.${config.krebs.build.host.name}" ]; + }; + + listen = mkOption { + type = with types; listOf str; + description = "listen address for complete graphs"; + default = [ "127.0.0.1:80" ]; + }; + + }; + }; + + workingDir = mkOption { + type = types.str; + description = '' + Path to working dir, will create interal and external/. 
+ Defaults to the new users home dir which defaults to + /var/cache/tinc_graphs''; + default = config.users.extraUsers.tinc_graphs.home; + }; + + timerConfig = mkOption { + type = with types; attrsOf str; + default = { + OnCalendar = "*:0/15"; + }; + }; + }; + + imp = { + environment.systemPackages = [ pkgs.tinc_graphs]; + systemd.timers.tinc_graphs = { + description = "Build Tinc Graphs via via timer"; + wantedBy = [ "timers.target"]; + timerConfig = cfg.timerConfig; + }; + systemd.services.tinc_graphs = { + description = "Build Tinc Graphs"; + environment = { + EXTERNAL_FOLDER = external_dir; + INTERNAL_FOLDER = internal_dir; + GEODB = cfg.geodbPath; + TINC_HOSTPATH=config.krebs.retiolum.hosts; + }; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + + ExecStartPre = pkgs.writeScript "tinc_graphs-init" '' + #!/bin/sh + if ! test -e "${cfg.workingDir}/internal/index.html"; then + cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}" + fi + ''; + + ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs"; + + ExecStartPost = pkgs.writeScript "tinc_graphs-post" '' + #!/bin/sh + # TODO: this may break if workingDir is set to something stupid + # this is needed because homedir is created with 700 + chmod 755 "${cfg.workingDir}" + ''; + PrivateTmp = "yes"; + + User = "root"; # tinc cannot be queried as user, + # seems to be a tinc-pre issue + }; + }; + + users.extraUsers.tinc_graphs = { + uid = 3925439960; #genid tinc_graphs + home = "/var/spool/tinc_graphs"; + createHome = true; + }; + + krebs.nginx.servers = mkIf cfg.nginx.enable { + tinc_graphs_complete = mkMerge [ cfg.nginx.complete { + locations = [ + (nameValuePair "/" '' + autoindex on; + root ${internal_dir}; + '') + ]; + }] ; + tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { + locations = [ + (nameValuePair "/" '' + autoindex on; + root ${external_dir}; + '') + ]; + }]; + }; + }; + +in +out 
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 63b1f47f7..6627d87b5 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -40,7 +40,7 @@ in { krebs.retiolum-bootstrap.enable = true; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; - makefu.tinc_graphs = { + krebs.tinc_graphs = { enable = true; nginx = { enable = true; diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 598365c39..a8a1f69d0 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -2,7 +2,6 @@ _: { imports = [ - ./tinc_graphs.nix ]; } diff --git a/makefu/3modules/tinc_graphs.nix b/makefu/3modules/tinc_graphs.nix deleted file mode 100644 index 1f87f00cc..000000000 --- a/makefu/3modules/tinc_graphs.nix +++ /dev/null 
@@ -1,145 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; -let - cfg = config.makefu.tinc_graphs; - internal_dir = "${cfg.workingDir}/internal"; - external_dir = "${cfg.workingDir}/external"; - - out = { - options.makefu.tinc_graphs = api; - config = mkIf cfg.enable imp ; - }; - - api = { - enable = mkEnableOption "tinc graphs"; - - geodbPath = mkOption { - type = types.str; - description = "Path to geocitydb, defaults to geolite-legacy"; - default = "${pkgs.geolite-legacy}/share/GeoIP/GeoIPCity.dat"; - }; - - nginx = { - enable = mkEnableOption "enable tinc_graphs to be served with nginx"; - - anonymous = { - server-names = mkOption { - type = with types; listOf str; - description = "hostnames which serve anonymous graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - # use the type of the nginx listen option - type = with types; listOf str; - description = "listen address for anonymous graphs"; - default = [ "80" ]; - }; - - }; - - complete = { - server-names = mkOption { - type = with types; listOf str; - description = "hostname which serves complete graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - type = with types; listOf str; - description = "listen address for complete graphs"; - default = [ "127.0.0.1:80" ]; - }; - - }; - }; - - workingDir = mkOption { - type = types.str; - description = '' - Path to working dir, will create interal and external/. 
- Defaults to the new users home dir which defaults to - /var/cache/tinc_graphs''; - default = config.users.extraUsers.tinc_graphs.home; - }; - - timerConfig = mkOption { - type = with types; attrsOf str; - default = { - OnCalendar = "*:0/15"; - }; - }; - }; - - imp = { - environment.systemPackages = [ pkgs.tinc_graphs]; - systemd.timers.tinc_graphs = { - description = "Build Tinc Graphs via via timer"; - wantedBy = [ "timers.target"]; - timerConfig = cfg.timerConfig; - }; - systemd.services.tinc_graphs = { - description = "Build Tinc Graphs"; - environment = { - EXTERNAL_FOLDER = external_dir; - INTERNAL_FOLDER = internal_dir; - GEODB = cfg.geodbPath; - TINC_HOSTPATH=config.krebs.retiolum.hosts; - }; - - restartIfChanged = true; - - serviceConfig = { - Type = "simple"; - - ExecStartPre = pkgs.writeScript "tinc_graphs-init" '' - #!/bin/sh - if ! test -e "${cfg.workingDir}/internal/index.html"; then - cp -fr "$(${pkgs.tinc_graphs}/bin/tincstats-static-dir)/internal/" "${internal_dir}" - fi - ''; - - ExecStart = "${pkgs.tinc_graphs}/bin/all-the-graphs"; - - ExecStartPost = pkgs.writeScript "tinc_graphs-post" '' - #!/bin/sh - # TODO: this may break if workingDir is set to something stupid - # this is needed because homedir is created with 700 - chmod 755 "${cfg.workingDir}" - ''; - PrivateTmp = "yes"; - - User = "root"; # tinc cannot be queried as user, - # seems to be a tinc-pre issue - }; - }; - - users.extraUsers.tinc_graphs = { - uid = 3925439960; #genid tinc_graphs - home = "/var/spool/tinc_graphs"; - createHome = true; - }; - - krebs.nginx.servers = mkIf cfg.nginx.enable { - tinc_graphs_complete = mkMerge [ cfg.nginx.complete { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${internal_dir}; - '') - ]; - }] ; - tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${external_dir}; - '') - ]; - }]; - }; - }; - -in -out -- cgit v1.2.3 
From be39c6d8494724c6d7c87b826830f626aada15d8 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 22 Oct 2015 16:14:37 +0200 Subject: krebs 3 bepasty-server: styling --- krebs/3modules/bepasty-server.nix | 102 +++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index ff32eea60..c99c3d11a 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -10,7 +10,10 @@ let out = { options.krebs.bepasty = api; - config = mkIf cfg.enable (mkMerge [(mkIf cfg.serveNginx nginx-imp) imp ]) ; + config = mkIf cfg.enable (mkMerge [ + (mkIf cfg.serveNginx nginx-imp) + imp + ]); }; api = { @@ -25,7 +28,7 @@ let type = with types; attrsOf unspecified; description = '' additional nginx configuration. see krebs.nginx for all options - '' ; + ''; }; secretKey = mkOption { @@ -52,7 +55,7 @@ let description = '' Defaults to the new users home dir which defaults to /var/lib/bepasty-server/data - ''; + ''; default = "${config.users.extraUsers.bepasty.home}/data"; }; @@ -65,14 +68,14 @@ let 'myadminsecret': 'admin,list,create,read,delete', } MAX_ALLOWED_FILE_SIZE = 5 * 1000 * 1000 - ''; + ''; }; defaultPermissions = mkOption { # TODO: listOf str type = types.str; description = '' - default permissions for all unauthenticated users. + default permissions for all unauthenticated users. ''; example = "read,create,delete"; default = "read"; 
@@ -88,42 +91,42 @@ let # Configures systemd services for each configured server # environment.systemPackages = [ bepasty gunicorn gevent ]; systemd.services = mapAttrs' (name: server: - nameValuePair ("bepasty-server-${name}") - ({ - description = "Bepasty Server ${name}"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - restartIfChanged = true; - environment = { - BEPASTY_CONFIG = "${server.workDir}/bepasty-${name}.conf"; - PYTHONPATH= "${bepasty}/lib/${python.libPrefix}/site-packages:${gevent}/lib/${python.libPrefix}/site-packages"; - }; - serviceConfig = { - Type = "simple"; - PrivateTmp = true; - - ExecStartPre = assert server.secretKey != ""; pkgs.writeScript "bepasty-server.${name}-init" '' - #!/bin/sh - mkdir -p "${server.dataDir}" "${server.workDir}" - chown bepasty:bepasty "${server.workDir}" "${server.dataDir}" - cat > "${server.workDir}/bepasty-${name}.conf" < "${server.workDir}/bepasty-${name}.conf" < Date: Thu, 22 Oct 2015 17:17:04 +0200 Subject: krebs 3 zones: remove empty lines --- krebs/3modules/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5c5bec005..075db1826 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
@@ -105,10 +105,14 @@ let # Implements environment.etc."zones/" environment.etc = let + stripEmptyLines = s: concatStringsSep "\n" + (remove "\n" (remove "" (splitString "\n" s))); all-zones = foldAttrs (sum: current: sum + "\n" +current ) "" - ([cfg.zone-head-config] ++ combined-hosts) ; + ([cfg.zone-head-config] ++ combined-hosts); combined-hosts = (mapAttrsToList (name: value: value.extraZones) cfg.hosts ); - in lib.mapAttrs' (name: value: nameValuePair (("zones/" + name)) ({ text=value; })) all-zones; + in lib.mapAttrs' (name: value: nameValuePair + ("zones/" + name) + { text=(stripEmptyLines value); }) all-zones; krebs.exim-smarthost.internet-aliases = let format = from: to: -- cgit v1.2.3 [cgit] Unable to lock slot /tmp/cgit/d5000000.lock: No such file or directory (2)
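Review bot: In `stripEmptyLines` the outer `remove "\n"` can never match, because `splitString "\n" s` yields elements that contain no newline; only `remove ""` does any work. Lines consisting of just spaces or tabs are still kept. The joined text also no longer ends with a newline, which some zone-file consumers may care about (the consumer is not visible here). Suggest `stripEmptyLines = s: concatStringsSep "\n" (remove "" (splitString "\n" s)) + "\n";`, with a one-line comment stating whether whitespace-only lines are kept on purpose. The `environment.etc` let-block begins before the hunk.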