Merge remote-tracking branch 'lass/master' into HEAD

47 files changed, 778 insertions, 725 deletions

diff --git a/default.nix b/default.nix
index 5ae8e399e..9368dcd9e 100644
--- a/default.nix
+++ b/default.nix
@@ -1,19 +1,12 @@
-import <nixpkgs/nixos/lib/eval-config.nix> {
-  modules = [
-    (import <nixpkgs/nixos/lib/from-env.nix> "NIXOS_CONFIG" <nixos-config>)
-  ];
-}
-//
-{
+import <nixpkgs/nixos> {} // rec {
   lib = import ./lib;
-  systems = with import ./lib; let
-    ns = getEnv "LOGNAME";
+  systems = with lib; let
+    namespace = getEnv "LOGNAME";
+    systemsDir = <stockholm> + "/${namespace}/1systems";
   in
     genAttrs
-      (attrNames (filterAttrs (_: eq "directory") (readDir (<stockholm> + "/${ns}/1systems"))))
-      (name: let
-        config = import (<stockholm> + "/${ns}/1systems/${name}/config.nix");
-      in import <nixpkgs/nixos/lib/eval-config.nix> {
-        modules = [ config ];
+      (attrNames (filterAttrs (_: eq "directory") (readDir systemsDir)))
+      (name: import <nixpkgs/nixos> {
+        configuration = import (systemsDir + "/${name}/config.nix");
       });
 }
diff --git a/jeschli/5pkgs/simple/default.nix b/jeschli/5pkgs/simple/default.nix
index 1b9d8c235..6ba4fec83 100644
--- a/jeschli/5pkgs/simple/default.nix
+++ b/jeschli/5pkgs/simple/default.nix
@@ -15,10 +15,4 @@ let
     else override;
 in
 
-  listToAttrs
-    (map
-      (name: nameValuePair (removeSuffix ".nix" name)
-                           (callPackage (./. + "/${name}") {}))
-      (filter
-        (name: name != "default.nix" && !hasPrefix "." name)
-        (attrNames (readDir ./.))))
+  mapNixDir (path: callPackage path {}) ./.
diff --git a/krebs/2configs/news-spam.nix b/krebs/2configs/news-spam.nix
index 88b7e1072..a8c658858 100644
--- a/krebs/2configs/news-spam.nix
+++ b/krebs/2configs/news-spam.nix
@@ -4,161 +4,161 @@
   krebs.newsbot-js.news-spam = {
     urlShortenerHost = "go.lassul.us";
     feeds = pkgs.writeText "feeds" ''
-      [SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
-      [SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews
-      [SPAM]antirez|http://antirez.com/rss|#snews
-      [SPAM]archlinux|http://www.archlinux.org/feeds/news/|#snews
-      [SPAM]ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews
-      [SPAM]augustl|http://augustl.com/atom.xml|#snews
-      [SPAM]bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews
-      [SPAM]bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews
-      [SPAM]bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews
-      [SPAM]bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews
-      [SPAM]bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews
-      [SPAM]bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews
-      [SPAM]cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews
-      [SPAM]carta|http://feeds2.feedburner.com/carta-standard-rss|#snews
-      [SPAM]catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews
-      [SPAM]cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews
-      [SPAM]cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews
-      [SPAM]cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews
-      [SPAM]cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews
-      [SPAM]cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews
-      [SPAM]ccc|http://www.ccc.de/rss/updates.rdf|#snews
-      [SPAM]chan_biz|http://boards.4chan.org/biz/index.rss|#snews
-      [SPAM]chan_g|http://boards.4chan.org/g/index.rss|#snews
-      [SPAM]chan_int|http://boards.4chan.org/int/index.rss|#snews
-      [SPAM]chan_sci|http://boards.4chan.org/sci/index.rss|#snews
-      [SPAM]chan_x|http://boards.4chan.org/x/index.rss|#snews
-      [SPAM]c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews
-      [SPAM]cryptogon|http://www.cryptogon.com/?feed=rss2|#snews
-      [SPAM]csm|http://rss.csmonitor.com/feeds/csm|#snews
-      [SPAM]csm_world|http://rss.csmonitor.com/feeds/world|#snews
-      [SPAM]danisch|http://www.danisch.de/blog/feed/|#snews
-      [SPAM]dod|http://www.defense.gov/news/afps2.xml|#snews
-      [SPAM]dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews
-      [SPAM]ecat|http://ecat.com/feed|#snews
-      [SPAM]eia_press|http://www.eia.gov/rss/press_rss.xml|#snews
-      [SPAM]eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews
-      [SPAM]embargowatch|https://embargowatch.wordpress.com/feed/|#snews
-      [SPAM]ethereum-comments|http://blog.ethereum.org/comments/feed|#snews
-      [SPAM]ethereum|http://blog.ethereum.org/feed|#snews
-      [SPAM]europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews
-      [SPAM]eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews
-      [SPAM]exploitdb|http://www.exploit-db.com/rss.xml|#snews
-      [SPAM]fars|http://www.farsnews.com/rss.php|#snews #test
-      [SPAM]faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews
-      [SPAM]faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews
-      [SPAM]faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews
-      [SPAM]fbi|https://www.fbi.gov/news/rss.xml|#snews
-      [SPAM]fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews
-      [SPAM]fefe|http://blog.fefe.de/rss.xml|#snews
-      [SPAM]forbes|http://www.forbes.com/forbes/feed2/|#snews
-      [SPAM]forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews
-      [SPAM]fox|http://feeds.foxnews.com/foxnews/latest|#snews
-      [SPAM]geheimorganisation|http://geheimorganisation.org/feed/|#snews
-      [SPAM]GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews
-      [SPAM]gmanet|http://www.gmanetwork.com/news/rss/news|#snews
-      [SPAM]golem|http://rss.golem.de/rss.php|#snews
-      [SPAM]google|http://news.google.com/?output=rss|#snews
-      [SPAM]greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews
-      [SPAM]guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews
-      [SPAM]gulli|http://ticker.gulli.com/rss/|#snews
-      [SPAM]hackernews|https://news.ycombinator.com/rss|#snews
-      [SPAM]handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews
-      [SPAM]heise|https://www.heise.de/newsticker/heise-atom.xml|#snews
-      [SPAM]hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews
-      [SPAM]hindu|http://www.thehindu.com/?service=rss|#snews
-      [SPAM]ign|http://feeds.ign.com/ign/all|#snews
-      [SPAM]independent|http://www.independent.com/rss/headlines/|#snews
-      [SPAM]indymedia|https://de.indymedia.org/rss.xml|#snews
-      [SPAM]info_libera|http://www.informationliberation.com/rss.xml|#snews
-      [SPAM]klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews
-      [SPAM]korea_herald|http://www.koreaherald.com/rss_xml.php|#snews
-      [SPAM]linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews
-      [SPAM]lisp|http://planet.lisp.org/rss20.xml|#snews
-      [SPAM]liveleak|http://www.liveleak.com/rss|#snews
-      [SPAM]lolmythesis|http://lolmythesis.com/rss|#snews
-      [SPAM]LtU|http://lambda-the-ultimate.org/rss.xml|#snews
-      [SPAM]lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews
-      [SPAM]mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews
-      [SPAM]mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews
-      [SPAM]nds|http://www.nachdenkseiten.de/?feed=atom|#snews
-      [SPAM]netzpolitik|https://netzpolitik.org/feed/|#snews
-      [SPAM]newsbtc|http://newsbtc.com/feed/|#snews
-      [SPAM]nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews
-      [SPAM]npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews
-      [SPAM]npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews
-      [SPAM]npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews
-      [SPAM]npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews
-      [SPAM]nsa|https://www.nsa.gov/rss.xml|#snews #bullerei
-      [SPAM]nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews
-      [SPAM]painload|https://github.com/krebs/painload/commits/master.atom|#snews
-      [SPAM]phys|http://phys.org/rss-feed/|#snews
-      [SPAM]piraten|https://www.piratenpartei.de/feed/|#snews
-      [SPAM]polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews
-      [SPAM]presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews
-      [SPAM]presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews
-      [SPAM]prisonplanet|http://prisonplanet.com/feed.rss|#snews
-      [SPAM]rawstory|http://www.rawstory.com/rs/feed/|#snews
-      [SPAM]reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews
-      [SPAM]reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews
-      [SPAM]reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews
-      [SPAM]reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews
-      [SPAM]reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews
-      [SPAM]reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews
-      [SPAM]reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews
-      [SPAM]reddit_sci|http://www.reddit.com/r/science/.rss|#snews
-      [SPAM]reddit_tech|http://www.reddit.com/r/technology/.rss|#snews
-      [SPAM]reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews
-      [SPAM]reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews
-      [SPAM]r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews
-      [SPAM]reuters|http://feeds.reuters.com/Reuters/worldNews|#snews
-      [SPAM]reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews
-      [SPAM]rt|http://rt.com/rss/news/|#snews
-      [SPAM]schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews
-      [SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews
-      [SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews
-      [SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews
-      [SPAM]shackspace|http://shackspace.de/atom.xml|#snews
-      [SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews
-      [SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews
-      [SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews
-      [SPAM]sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews
-      [SPAM]sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews
-      [SPAM]sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews
-      [SPAM]slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews
-      [SPAM]slate|http://feeds.slate.com/slate|#snews
-      [SPAM]spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews
-      [SPAM]spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews
-      [SPAM]standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews
-      [SPAM]stern|http://www.stern.de/feed/standard/all/|#snews
-      [SPAM]stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews
-      [SPAM]sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews
-      [SPAM]sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews
-      [SPAM]sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews
-      [SPAM]tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews
-      [SPAM]taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews
-      [SPAM]telegraph|http://www.telegraph.co.uk/rss.xml|#snews
-      [SPAM]telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews
-      [SPAM]the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews
-      [SPAM]tigsource|http://www.tigsource.com/feed/|#snews
-      [SPAM]tinc|http://tinc-vpn.org/news/index.rss|#snews
-      [SPAM]torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews
-      [SPAM]torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews
-      [SPAM]torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews
-      [SPAM]travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews
-      [SPAM]un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews
-      [SPAM]un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#snews
-      [SPAM]un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#snews
-      [SPAM]un_me|http://www.un.org/apps/news/rss/rss_mideast.asp|#snews
-      [SPAM]un_pac|http://www.un.org/apps/news/rss/rss_asiapac.asp|#snews
-      [SPAM]un_top|http://www.un.org/apps/news/rss/rss_top.asp|#snews
-      [SPAM]us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews
-      [SPAM]vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews
-      [SPAM]weechat|http://dev.weechat.org/feed/atom|#snews
-      [SPAM]xkcd|https://xkcd.com/rss.xml|#snews
-      [SPAM]zdnet|http://www.zdnet.com/news/rss.xml|#snews
+      _aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
+      _allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews
+      _antirez|http://antirez.com/rss|#snews
+      _archlinux|http://www.archlinux.org/feeds/news/|#snews
+      _ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews
+      _augustl|http://augustl.com/atom.xml|#snews
+      _bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews
+      _bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews
+      _bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews
+      _bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews
+      _bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews
+      _bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews
+      _cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews
+      _carta|http://feeds2.feedburner.com/carta-standard-rss|#snews
+      _catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews
+      _cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews
+      _cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews
+      _cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews
+      _cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews
+      _cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews
+      _ccc|http://www.ccc.de/rss/updates.rdf|#snews
+      _chan_biz|http://boards.4chan.org/biz/index.rss|#snews
+      _chan_g|http://boards.4chan.org/g/index.rss|#snews
+      _chan_int|http://boards.4chan.org/int/index.rss|#snews
+      _chan_sci|http://boards.4chan.org/sci/index.rss|#snews
+      _chan_x|http://boards.4chan.org/x/index.rss|#snews
+      _c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews
+      _cryptogon|http://www.cryptogon.com/?feed=rss2|#snews
+      _csm|http://rss.csmonitor.com/feeds/csm|#snews
+      _csm_world|http://rss.csmonitor.com/feeds/world|#snews
+      _danisch|http://www.danisch.de/blog/feed/|#snews
+      _dod|http://www.defense.gov/news/afps2.xml|#snews
+      _dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews
+      _ecat|http://ecat.com/feed|#snews
+      _eia_press|http://www.eia.gov/rss/press_rss.xml|#snews
+      _eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews
+      _embargowatch|https://embargowatch.wordpress.com/feed/|#snews
+      _ethereum-comments|http://blog.ethereum.org/comments/feed|#snews
+      _ethereum|http://blog.ethereum.org/feed|#snews
+      _europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews
+      _eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews
+      _exploitdb|http://www.exploit-db.com/rss.xml|#snews
+      _fars|http://www.farsnews.com/rss.php|#snews #test
+      _faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews
+      _faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews
+      _faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews
+      _fbi|https://www.fbi.gov/news/rss.xml|#snews
+      _fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews
+      _fefe|http://blog.fefe.de/rss.xml|#snews
+      _forbes|http://www.forbes.com/forbes/feed2/|#snews
+      _forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews
+      _fox|http://feeds.foxnews.com/foxnews/latest|#snews
+      _geheimorganisation|http://geheimorganisation.org/feed/|#snews
+      _GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews
+      _gmanet|http://www.gmanetwork.com/news/rss/news|#snews
+      _golem|http://rss.golem.de/rss.php|#snews
+      _google|http://news.google.com/?output=rss|#snews
+      _greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews
+      _guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews
+      _gulli|http://ticker.gulli.com/rss/|#snews
+      _hackernews|https://news.ycombinator.com/rss|#snews
+      _handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews
+      _heise|https://www.heise.de/newsticker/heise-atom.xml|#snews
+      _hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews
+      _hindu|http://www.thehindu.com/?service=rss|#snews
+      _ign|http://feeds.ign.com/ign/all|#snews
+      _independent|http://www.independent.com/rss/headlines/|#snews
+      _indymedia|https://de.indymedia.org/rss.xml|#snews
+      _info_libera|http://www.informationliberation.com/rss.xml|#snews
+      _klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews
+      _korea_herald|http://www.koreaherald.com/rss_xml.php|#snews
+      _linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews
+      _lisp|http://planet.lisp.org/rss20.xml|#snews
+      _liveleak|http://www.liveleak.com/rss|#snews
+      _lolmythesis|http://lolmythesis.com/rss|#snews
+      _LtU|http://lambda-the-ultimate.org/rss.xml|#snews
+      _lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews
+      _mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews
+      _mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews
+      _nds|http://www.nachdenkseiten.de/?feed=atom|#snews
+      _netzpolitik|https://netzpolitik.org/feed/|#snews
+      _newsbtc|http://newsbtc.com/feed/|#snews
+      _nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews
+      _npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews
+      _npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews
+      _npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews
+      _npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews
+      _nsa|https://www.nsa.gov/rss.xml|#snews #bullerei
+      _nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews
+      _painload|https://github.com/krebs/painload/commits/master.atom|#snews
+      _phys|http://phys.org/rss-feed/|#snews
+      _piraten|https://www.piratenpartei.de/feed/|#snews
+      _polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews
+      _presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews
+      _presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews
+      _prisonplanet|http://prisonplanet.com/feed.rss|#snews
+      _rawstory|http://www.rawstory.com/rs/feed/|#snews
+      _reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews
+      _reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews
+      _reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews
+      _reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews
+      _reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews
+      _reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews
+      _reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews
+      _reddit_sci|http://www.reddit.com/r/science/.rss|#snews
+      _reddit_tech|http://www.reddit.com/r/technology/.rss|#snews
+      _reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews
+      _reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews
+      _r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews
+      _reuters|http://feeds.reuters.com/Reuters/worldNews|#snews
+      _reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews
+      _rt|http://rt.com/rss/news/|#snews
+      _schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews
+      _sciencemag|http://news.sciencemag.org/rss/current.xml|#snews
+      _scmp|http://www.scmp.com/rss/91/feed|#snews
+      _sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews
+      _shackspace|http://shackspace.de/atom.xml|#snews
+      _shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews
+      _sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews
+      _sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews
+      _sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews
+      _sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews
+      _sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews
+      _slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews
+      _slate|http://feeds.slate.com/slate|#snews
+      _spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews
+      _spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews
+      _standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews
+      _stern|http://www.stern.de/feed/standard/all/|#snews
+      _stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews
+      _sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews
+      _sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews
+      _sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews
+      _tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews
+      _taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews
+      _telegraph|http://www.telegraph.co.uk/rss.xml|#snews
+      _telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews
+      _the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews
+      _tigsource|http://www.tigsource.com/feed/|#snews
+      _tinc|http://tinc-vpn.org/news/index.rss|#snews
+      _torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews
+      _torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews
+      _torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews
+      _travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews
+      _un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews
+      _un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#snews
+      _un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#snews
+      _un_me|http://www.un.org/apps/news/rss/rss_mideast.asp|#snews
+      _un_pac|http://www.un.org/apps/news/rss/rss_asiapac.asp|#snews
+      _un_top|http://www.un.org/apps/news/rss/rss_top.asp|#snews
+      _us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews
+      _vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews
+      _weechat|http://dev.weechat.org/feed/atom|#snews
+      _xkcd|https://xkcd.com/rss.xml|#snews
+      _zdnet|http://www.zdnet.com/news/rss.xml|#snews
     '';
   };
 }
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix
index 677b6f7b8..669483f3c 100644
--- a/krebs/3modules/Reaktor.nix
+++ b/krebs/3modules/Reaktor.nix
@@ -8,7 +8,7 @@ let
 
   out = {
     options.krebs.Reaktor = api;
-    config = imp;
+    config = mkIf (cfg != {}) imp;
   };
 
   api = mkOption {
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index dd29a4e17..e12367b7c 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -143,12 +143,12 @@ let
     ) cfg.servers;
 
     users.extraUsers.bepasty = {
-      uid = genid "bepasty";
+      uid = genid_uint31 "bepasty";
       group = "bepasty";
       home = "/var/lib/bepasty-server";
     };
     users.extraGroups.bepasty = {
-      gid = genid "bepasty";
+      gid = genid_uint31 "bepasty";
     };
   };
 
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 5a5065565..e89b86e32 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -53,7 +53,7 @@ let
   imp = {
     users.users.fetchWallpaper = {
       name = "fetchWallpaper";
-      uid = genid "fetchWallpaper";
+      uid = genid_uint31 "fetchWallpaper";
       description = "fetchWallpaper user";
       home = cfg.stateDir;
       createHome = true;
diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix
index e6db3aa42..3b626dc46 100644
--- a/krebs/3modules/github-hosts-sync.nix
+++ b/krebs/3modules/github-hosts-sync.nix
@@ -57,7 +57,7 @@ let
 
   user = rec {
     name = "github-hosts-sync";
-    uid = genid name;
+    uid = genid_uint31 name;
   };
 
   # TODO move to lib?
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 09c8ba675..44417f006 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -409,6 +409,66 @@ with import <stockholm/lib>;
         };
       };
     };
+    scardanelli = {
+      monitoring = false;
+      ci = false;
+      external = true;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.2.2";
+          ip6.addr = "42:2:5ca:da:3111::1";
+          aliases = [
+            "scardanelli.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxM93+YgGhk5PtcOrE7E/
+            MAOMF/c9c4Ps6m8xd4VZat3ru07yH8Yfox1yM6jwZBwIwK2AC9DK0/k3WIvZQUge
+            UKSTiXpE4z/0ceaesugLQ9KTjUty1e/2vQ78bOqmd7EG3aPV2QsjlgpjJ6qQxeFi
+            kjlHoFi9NNBLVkIyaAdlAhwvZuYFmAY/FQEmm6+XOb+Nmo+fccQlG6+NinA2GOg0
+            gdY/dKYxa04Ns/yu7TK3sBQIt6cg/YUk9VpyC4yIIRPMdyVcAPz3Kd2mp23fhSvx
+            we80prWXYtdct4vXaBZm9FUY5y4SL3c0TEScuM73VXtr2tPAxjD5W4XMWhrjnIiY
+            QzoyAquVS9rR4fCaoP+hw3Tjy7Att3voa/YlHEDaendxjZ3nuO0m0vcgOa+SfCNm
+            SqLsqb8to1y8yJ8LnR2og4MbtasxqSe1L9VLTsb4k/AGfmAdlqyG4Q1h5pCBh0GL
+            2F6FbYHzwrwqBvVCz4DTPygPtta5o7THpP50PgojtzNLm1yKWpfdcWeMgGQJSI0f
+            m3yenytM1u0jjw7KbBG79Z3etFNIYZy4Uq/dryEJnwpTFls+zZn9Q3tDEnO4a38Q
+            FgzV0VLQpRM/uf1powSDzoWp+/JYgB9464OKcTsSlVJpi3crxF86xFqqc39U2/u5
+            lM61fOMcVW1KREdWypiDtu8CAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+    };
+    homeros = {
+      monitoring = false;
+      ci = false;
+      external = true;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.2.1";
+          ip6.addr = "42:2::0:3:05::1";
+          aliases = [
+            "homeros.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoZq6BwB6rV6EfTf8PWOd
+            ZhEWig5VcK1FcH0qi7KgojAhGSHhWmtFlvRSoGpQrSFRN0g5eTnrrguuTiIs6djc
+            6Al9HMqwSD1IOkqFm8jM4aG5NqjYg3in6blOFarBEOglfnsYHiUPt6T4fERxRZ9v
+            RguEWrishNMSv+D4vclKwctTB/6dQNsTAfnplcyDZ9un/ql9BG2cgU9yqeYLDdXd
+            vRvrWX9eZKGJvTrQmAiKONlSvspr1d28FxcUrUnCsdRLvP3Cc4JZiUhSA7ixFxn3
+            +LgGIZiMKTnl8syrsHk5nvLi5EUER7xkVX8iBlKA4JD4XTZVyBxPB1mJnOCUShQc
+            QK6nVr6auvJbRn7DHHKxDflSBgYt4qaf92+5A4xEsZtgMpmIFH5t6ifGQsQwgYsm
+            fOexviy9gMyZrHjQDUs4smQxxYq3AJLdfOg2jQXeAbgZpCVw5l8YHk3ECoAk7Fvh
+            VMJVPwukErGuVn2LpCHeVyFBXNft4bem1g0gtaf2SuGFEnl7ABetQ0bRwClRSLd7
+            k7PGDbdcCImsWhqyuLpkNcm95DfBrXa12GETm48Wv9jV52C5tfWFmOnJ0mOnvtxX
+            gpizJjFzHz275TVnJHhmIr2DkiGpaIVUL4FRkTslejSJQoUTZfDAvKF2gRyk+n6N
+            mJ/hywVtvLxNkNimyztoKKMCAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+    };
     turingmachine = {
       monitoring = false;
       ci = false;
@@ -778,9 +838,6 @@ with import <stockholm/lib>;
       mail = "lass@daedalus.r";
       pubkey = builtins.readFile ./ssh/daedalus.rsa;
     };
-    fritz = {
-      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
-    };
     prism-repo-sync = {
       pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhpCKTnSq6VDJPB+0NiHu2ZxSKEIxHN6uPAPnbXYNCe";
       mail = "lass@prism.r";
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 8390eccbb..486a0c9cc 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -124,7 +124,7 @@ let
     };
 
     users.extraUsers.tinc_graphs = {
-      uid = genid "tinc_graphs";
+      uid = genid_uint31 "tinc_graphs";
       home = "/var/spool/tinc_graphs";
     };
     services.nginx = mkIf cfg.nginx.enable {
diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix
index 463fa26ba..0cec1a2d3 100644
--- a/krebs/3modules/urlwatch.nix
+++ b/krebs/3modules/urlwatch.nix
@@ -183,7 +183,7 @@ let
 
   user = rec {
     name = "urlwatch";
-    uid = genid name;
+    uid = genid_uint31 name;
   };
 
   subtypes.job = types.submodule {
diff --git a/krebs/5pkgs/haskell/default.nix b/krebs/5pkgs/haskell/default.nix
index 7cdf65ea5..e824699f9 100644
--- a/krebs/5pkgs/haskell/default.nix
+++ b/krebs/5pkgs/haskell/default.nix
@@ -1,13 +1,6 @@
 with import <stockholm/lib>;
 let
-  overrides = self: super:
-    listToAttrs
-      (map
-        (name: nameValuePair (removeSuffix ".nix" name)
-                             (self.callPackage (./. + "/${name}") {}))
-        (filter
-          (name: name != "default.nix" && !hasPrefix "." name)
-          (attrNames (readDir ./.))));
+  overrides = self: super: mapNixDir (path: self.callPackage path {}) ./.;
 in
 self: super:
 {
diff --git a/krebs/5pkgs/simple/cabal-read.nix b/krebs/5pkgs/simple/cabal-read.nix
new file mode 100644
index 000000000..f8fc71e05
--- /dev/null
+++ b/krebs/5pkgs/simple/cabal-read.nix
@@ -0,0 +1,35 @@
+{ writeHaskellPackage }:
+
+# Because `sed -n 's/.*\<ghc-options:\s\+\(.*\)/\1/p'` is too simple.
+writeHaskellPackage "cabal-read" {
+  executables.ghc-options = {
+    extra-depends = ["Cabal"];
+    text = /* haskell */ ''
+      module Main (main) where
+      import Data.List
+      import Data.Maybe
+      import Distribution.Compiler
+      import Distribution.PackageDescription.Parsec
+      import Distribution.Types.BuildInfo
+      import Distribution.Types.CondTree
+      import Distribution.Types.Executable
+      import Distribution.Types.GenericPackageDescription
+      import Distribution.Types.UnqualComponentName
+      import Distribution.Verbosity
+      import System.Environment
+      main :: IO ()
+      main = do
+          [path, name] <- getArgs
+
+          desc <- readGenericPackageDescription normal path
+
+          case lookup (mkUnqualComponentName name) (condExecutables desc) of
+            Just exe ->
+              putStrLn . intercalate " " . fromMaybe [] . lookup GHC
+                       . options . buildInfo . condTreeData $ exe
+
+            Nothing ->
+              error ("executable " <> name <> " not found in " <> path)
+    '';
+  };
+}
diff --git a/krebs/5pkgs/simple/default.nix b/krebs/5pkgs/simple/default.nix
index 1b9d8c235..6ba4fec83 100644
--- a/krebs/5pkgs/simple/default.nix
+++ b/krebs/5pkgs/simple/default.nix
@@ -15,10 +15,4 @@ let
     else override;
 in
 
-  listToAttrs
-    (map
-      (name: nameValuePair (removeSuffix ".nix" name)
-                           (callPackage (./. + "/${name}") {}))
-      (filter
-        (name: name != "default.nix" && !hasPrefix "." name)
-        (attrNames (readDir ./.))))
+  mapNixDir (path: callPackage path {}) ./.
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
index bed8961b8..0a2ab1611 100644
--- a/lass/1systems/archprism/config.nix
+++ b/lass/1systems/archprism/config.nix
@@ -6,26 +6,10 @@ with import <stockholm/lib>;
     <stockholm/lass>
     <stockholm/lass/2configs/retiolum.nix>
     <stockholm/lass/2configs/libvirt.nix>
-    {
-      services.nginx.enable = true;
-      imports = [
-        <stockholm/lass/2configs/websites/domsen.nix>
-        <stockholm/lass/2configs/websites/lassulus.nix>
-      ];
-      # needed by domsen.nix ^^
-      lass.usershadow = {
-        enable = true;
-      };
-
-      krebs.iptables.tables.filter.INPUT.rules = [
-         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
-         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
-      ];
-    }
     { # TODO make new hfos.nix out of this vv
       boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
       users.users.riot = {
-        uid = genid "riot";
+        uid = genid_uint31 "riot";
         isNormalUser = true;
         extraGroups = [ "libvirtd" ];
         openssh.authorizedKeys.keys = [
@@ -42,153 +26,7 @@ with import <stockholm/lib>;
         { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; }
       ];
     }
-    {
-      users.users.tv = {
-        uid = genid "tv";
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.tv.pubkey
-        ];
-      };
-      users.users.makefu = {
-        uid = genid "makefu";
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.makefu.pubkey
-        ];
-      };
-      users.extraUsers.dritter = {
-        uid = genid "dritter";
-        isNormalUser = true;
-        extraGroups = [
-          "download"
-        ];
-        openssh.authorizedKeys.keys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
-        ];
-      };
-      users.extraUsers.juhulian = {
-        uid = 1339;
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
-        ];
-      };
-      users.users.hellrazor = {
-        uid = genid "hellrazor";
-        isNormalUser = true;
-        extraGroups = [
-          "download"
-        ];
-        openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ];
-      };
-    }
-    {
-      #hotdog
-      systemd.services."container@hotdog".reloadIfChanged = mkForce false;
-      containers.hotdog = {
-        config = { ... }: {
-          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
-          environment.systemPackages = [ pkgs.git ];
-          services.openssh.enable = true;
-          users.users.root.openssh.authorizedKeys.keys = [
-            config.krebs.users.lass.pubkey
-          ];
-        };
-        autoStart = true;
-        enableTun = true;
-        privateNetwork = true;
-        hostAddress = "10.233.2.1";
-        localAddress = "10.233.2.2";
-      };
-    }
-    <stockholm/lass/2configs/exim-smarthost.nix>
-    <stockholm/lass/2configs/ts3.nix>
-    <stockholm/lass/2configs/privoxy-retiolum.nix>
-    <stockholm/lass/2configs/radio.nix>
-    <stockholm/lass/2configs/binary-cache/server.nix>
-    <stockholm/lass/2configs/iodined.nix>
-    <stockholm/lass/2configs/paste.nix>
-    <stockholm/lass/2configs/syncthing.nix>
-    <stockholm/lass/2configs/ciko.nix>
     <stockholm/lass/2configs/container-networking.nix>
-    <stockholm/lass/2configs/monitoring/prometheus-server.nix>
-    { # quasi bepasty.nix
-      imports = [
-        <stockholm/lass/2configs/bepasty.nix>
-      ];
-      krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
-        if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
-          return 403;
-        }
-      '';
-    }
-    {
-      services.tor = {
-        enable = true;
-      };
-    }
-    {
-      lass.ejabberd = {
-        enable = true;
-        hosts = [ "lassul.us" ];
-      };
-      krebs.iptables.tables.filter.INPUT.rules = [
-        { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
-        { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
-      ];
-    }
-    {
-      imports = [
-        <stockholm/lass/2configs/realwallpaper.nix>
-      ];
-      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
-        alias /var/realwallpaper/realwallpaper.png;
-      '';
-    }
-    {
-      users.users.jeschli = {
-        uid = genid "jeschli";
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = with config.krebs.users; [
-          jeschli.pubkey
-          jeschli-bln.pubkey
-          jeschli-bolide.pubkey
-          jeschli-brauerei.pubkey
-        ];
-      };
-      krebs.git.rules = [
-        {
-          user = with config.krebs.users; [
-            jeschli
-            jeschli-bln
-            jeschli-bolide
-            jeschli-brauerei
-          ];
-          repo = [ config.krebs.git.repos.xmonad-stockholm ];
-          perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
-        }
-        {
-          user = with config.krebs.users; [
-            jeschli
-            jeschli-bln
-            jeschli-bolide
-            jeschli-brauerei
-          ];
-          repo = [ config.krebs.git.repos.stockholm ];
-          perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
-        }
-      ];
-    }
-    {
-      krebs.repo-sync.repos.stockholm.timerConfig = {
-        OnBootSec = "5min";
-        OnUnitInactiveSec = "2min";
-        RandomizedDelaySec = "2min";
-      };
-    }
-    <stockholm/lass/2configs/downloading.nix>
-    <stockholm/lass/2configs/minecraft.nix>
     {
       services.taskserver = {
         enable = true;
@@ -201,123 +39,11 @@ with import <stockholm/lib>;
         { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
       ];
     }
-    #<stockholm/lass/2configs/go.nix>
-    {
-      environment.systemPackages = [ pkgs.cryptsetup ];
-      systemd.services."container@red".reloadIfChanged = mkForce false;
-      containers.red = {
-        config = { ... }: {
-          environment.systemPackages = [ pkgs.git ];
-          services.openssh.enable = true;
-          users.users.root.openssh.authorizedKeys.keys = [
-            config.krebs.users.lass.pubkey
-          ];
-        };
-        autoStart = false;
-        enableTun = true;
-        privateNetwork = true;
-        hostAddress = "10.233.2.3";
-        localAddress = "10.233.2.4";
-      };
-      services.nginx.virtualHosts."rote-allez-fraktion.de" = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          extraConfig = ''
-            proxy_set_header Host rote-allez-fraktion.de;
-            proxy_pass http://10.233.2.4;
-          '';
-        };
-      };
-    }
-    #{
-    #  imports = [ <stockholm/lass/2configs/backup.nix> ];
-    #  lass.restic = genAttrs [
-    #    "daedalus"
-    #    "icarus"
-    #    "littleT"
-    #    "mors"
-    #    "shodan"
-    #    "skynet"
-    #  ] (dest: {
-    #    dirs = [
-    #      "/home/chat/.weechat"
-    #      "/bku/sql_dumps"
-    #    ];
-    #    passwordFile = (toString <secrets>) + "/restic/${dest}";
-    #    repo = "sftp:backup@${dest}.r:/backups/prism";
-    #    extraArguments = [
-    #      "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
-    #    ];
-    #    timerConfig = {
-    #      OnCalendar = "00:05";
-    #      RandomizedDelaySec = "5h";
-    #    };
-    #  });
-    #}
-    {
-      users.users.download.openssh.authorizedKeys.keys = [
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe"
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse"
-      ];
-    }
-    {
-    }
-    {
-      lass.nichtparasoup.enable = true;
-      services.nginx = {
-        enable = true;
-        virtualHosts."lol.lassul.us" = {
-          forceSSL = true;
-          enableACME = true;
-          locations."/".extraConfig = ''
-            proxy_pass http://localhost:5001;
-          '';
-        };
-      };
-    }
-    {
-      krebs.iptables.tables.filter.INPUT.rules = [
-         { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
-      ];
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
-      ];
-      krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
-        { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
-      ];
-      krebs.iptables.tables.nat.POSTROUTING.rules = [
-        { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
-      ];
-      networking.wireguard.interfaces.wg0 = {
-        ips = [ "10.244.1.1/24" ];
-        listenPort = 51820;
-        privateKeyFile = (toString <secrets>) + "/wireguard.key";
-        allowedIPsAsRoutes = true;
-        peers = [
-          {
-            # lass-android
-            allowedIPs = [ "10.244.1.2/32" ];
-            publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
-          }
-        ];
-      };
-    }
     {
       krebs.iptables.tables.filter.INPUT.rules = [
         { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
       ];
     }
-    {
-      services.murmur.enable = true;
-      services.murmur.registerName = "lassul.us";
-      krebs.iptables.tables.filter.INPUT.rules = [
-        { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
-      ];
-
-    }
   ];
 
   krebs.build.host = config.krebs.hosts.archprism;
diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix
index 1957c8ba4..d2d4bd3eb 100644
--- a/lass/1systems/icarus/config.nix
+++ b/lass/1systems/icarus/config.nix
@@ -25,9 +25,5 @@
     macchanger
     dpass
   ];
-  services.redshift = {
-    enable = true;
-    provider = "geoclue2";
-  };
   programs.adb.enable = true;
 }
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index cac13be2b..207c7c640 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -102,6 +102,7 @@ with import <stockholm/lib>;
     urban
     mk_sql_pair
     remmina
+    transmission
 
     iodine
 
@@ -148,10 +149,6 @@ with import <stockholm/lib>;
   programs.adb.enable = true;
   users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
   virtualisation.docker.enable = true;
-  services.redshift = {
-    enable = true;
-    provider = "geoclue2";
-  };
 
   lass.restic = genAttrs [
     "daedalus"
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 24fa3fd7a..e2097e93a 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -25,7 +25,7 @@ with import <stockholm/lib>;
     { # TODO make new hfos.nix out of this vv
       boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
       users.users.riot = {
-        uid = genid "riot";
+        uid = genid_uint31 "riot";
         isNormalUser = true;
         extraGroups = [ "libvirtd" ];
         openssh.authorizedKeys.keys = [
@@ -44,21 +44,21 @@ with import <stockholm/lib>;
     }
     {
       users.users.tv = {
-        uid = genid "tv";
+        uid = genid_uint31 "tv";
         isNormalUser = true;
         openssh.authorizedKeys.keys = [
           config.krebs.users.tv.pubkey
         ];
       };
       users.users.makefu = {
-        uid = genid "makefu";
+        uid = genid_uint31 "makefu";
         isNormalUser = true;
         openssh.authorizedKeys.keys = [
           config.krebs.users.makefu.pubkey
         ];
       };
       users.extraUsers.dritter = {
-        uid = genid "dritter";
+        uid = genid_uint31 "dritter";
         isNormalUser = true;
         extraGroups = [
           "download"
@@ -75,7 +75,7 @@ with import <stockholm/lib>;
         ];
       };
       users.users.hellrazor = {
-        uid = genid "hellrazor";
+        uid = genid_uint31 "hellrazor";
         isNormalUser = true;
         extraGroups = [
           "download"
@@ -168,7 +168,7 @@ with import <stockholm/lib>;
     }
     {
       users.users.jeschli = {
-        uid = genid "jeschli";
+        uid = genid_uint31 "jeschli";
         isNormalUser = true;
         openssh.authorizedKeys.keys = with config.krebs.users; [
           jeschli.pubkey
@@ -388,7 +388,7 @@ with import <stockholm/lib>;
       system.activationScripts.downloadFolder = ''
         mkdir -p /var/download
         chmod 775 /var/download
-        ln -fs /var/lib/containers/yellow/var/download/finished /var/download/finished || :
+        ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || :
         chown download: /var/download/finished
       '';
     }
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 8405b0f1f..39c0791fc 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -8,14 +8,13 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/mouse.nix>
     <stockholm/lass/2configs/retiolum.nix>
     <stockholm/lass/2configs/baseX.nix>
-    <stockholm/lass/2configs/git.nix>
     <stockholm/lass/2configs/exim-retiolum.nix>
     <stockholm/lass/2configs/browsers.nix>
     <stockholm/lass/2configs/programs.nix>
-    <stockholm/lass/2configs/fetchWallpaper.nix>
     <stockholm/lass/2configs/wine.nix>
     <stockholm/lass/2configs/bitcoin.nix>
     <stockholm/lass/2configs/backup.nix>
+    <stockholm/lass/2configs/blue-host.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.shodan;
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index ee14986ac..ff7b23687 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -32,16 +32,51 @@ with import <stockholm/lib>;
     };
   };
 
+  services.nginx = {
+    enable = true;
+    package = pkgs.nginx.override {
+      modules = with pkgs.nginxModules; [
+        fancyindex
+      ];
+    };
+    virtualHosts."dl" = {
+      default = true;
+      locations."/Nginx-Fancyindex-Theme-dark" = {
+        extraConfig = ''
+          alias ${pkgs.fetchFromGitHub {
+            owner = "Naereen";
+            repo = "Nginx-Fancyindex-Theme";
+            rev = "e84f7d6a32085c2b6238f85f5fdebe9ceb710fc4";
+            sha256 = "0wzl4ws2w8f0749vxfd1c8c21p3jw463wishgfcmaljbh4dwplg6";
+          }}/Nginx-Fancyindex-Theme-dark;
+          autoindex on;
+        '';
+      };
+      locations."/" = {
+        root = "/var/download/finished";
+        extraConfig = ''
+          fancyindex on;
+          fancyindex_header "/Nginx-Fancyindex-Theme-dark/header.html";
+          fancyindex_footer "/Nginx-Fancyindex-Theme-dark/footer.html";
+          dav_methods PUT DELETE MKCOL COPY MOVE;
+
+          create_full_put_path on;
+          dav_access all:r;
+        '';
+      };
+    };
+  };
+
   krebs.iptables = {
     enable = true;
     tables.filter.INPUT.rules = [
+      { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
       { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
       { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
       { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
     ];
   };
 
-  services.nginx.enable = true;
   services.openvpn.servers.nordvpn.config = ''
     client
     dev tun
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 86158c468..d3775b5df 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -26,6 +26,7 @@
       '';
     };
     virtualHosts."cache.krebsco.de" = {
+      forceSSL = true;
       serverAliases = [ "cache.lassul.us" ];
       enableACME = true;
       locations."/".extraConfig = ''
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index fba996743..9cf294afd 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -81,6 +81,7 @@ in {
             host = "${host}.r",
             targetdir = "/var/lib/containers/.blue",
             rsync = {
+              archive = true,
               owner = true,
               group = true,
             };
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 9ea91ae19..36e797a96 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -174,6 +174,16 @@ let
     macro pager a "<modify-labels>-archive\n"  # tag as Archived
 
 
+    bind index U noop
+    bind index u noop
+    bind pager U noop
+    bind pager u noop
+    macro index U "<modify-labels>+unread\n"
+    macro index u "<modify-labels>-unread\n"
+    macro pager U "<modify-labels>+unread\n"
+    macro pager u "<modify-labels>-unread\n"
+
+
     bind index t noop
     bind pager t noop
     macro index t "<modify-labels>"        # tag as Archived
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 85faded14..987632cd1 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -5,7 +5,6 @@ with import <stockholm/lib>;
 let
   name = "radio";
   mainUser = config.users.extraUsers.mainUser;
-  inherit (import <stockholm/lib>) genid;
 
   admin-password = import <secrets/icecast-admin-pw>;
   source-password = import <secrets/icecast-source-pw>;
@@ -31,7 +30,7 @@ in {
     "${name}" = rec {
       inherit name;
       group = name;
-      uid = genid name;
+      uid = genid_uint31 name;
       description = "radio manager";
       home = "/home/${name}";
       useDefaultShell = true;
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
deleted file mode 100644
index 14d6ce9ec..000000000
--- a/lass/2configs/websites/fritz.nix
+++ /dev/null
@@ -1,70 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-let
-  inherit (import <stockholm/lib>)
-    genid
-    head
-  ;
-  inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
-    servePage
-    serveWordpress
-  ;
-
-  msmtprc = pkgs.writeText "msmtprc" ''
-    account default
-      host localhost
-  '';
-
-  sendmail = pkgs.writeDash "msmtp" ''
-    exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
-  '';
-
-in {
-
-  services.nginx.enable = true;
-
-  imports = [
-    ./default.nix
-    ./sqlBackup.nix
-
-    (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
-
-    (serveWordpress [ "gs-maubach.de" "www.gs-maubach.de" ])
-
-    (serveWordpress [ "spielwaren-kern.de" "www.spielwaren-kern.de" ])
-
-    (servePage [ "familienpraxis-korntal.de" "www.familienpraxis-korntal.de" ])
-
-    (serveWordpress [ "ttf-kleinaspach.de" "www.ttf-kleinaspach.de" ])
-
-    (serveWordpress [ "eastuttgart.de" "www.eastuttgart.de" ])
-
-    (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
-  ];
-
-  lass.mysqlBackup.config.all.databases = [
-    "eastuttgart_de"
-    "radical_dreamers_de"
-    "spielwaren_kern_de"
-    "ttf_kleinaspach_de"
-  ];
-
-  users.users.root.openssh.authorizedKeys.keys = [
-    config.krebs.users.fritz.pubkey
-  ];
-
-  users.users.goldbarrendiebstahl = {
-    home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";
-    uid = genid "goldbarrendiebstahl";
-    createHome = true;
-    useDefaultShell = true;
-    openssh.authorizedKeys.keys = [
-      config.krebs.users.fritz.pubkey
-    ];
-  };
-
-  services.phpfpm.phpOptions = ''
-    sendmail_path = ${sendmail} -t
-  '';
-}
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 6470d86f7..17af0d00d 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -3,7 +3,7 @@
 with lib;
 let
   inherit (import <stockholm/lib>)
-    genid
+    genid_uint31
   ;
 
 in {
@@ -22,7 +22,7 @@ in {
   krebs.tinc_graphs.enable = true;
 
   users.users.lass-stuff = {
-    uid = genid "lass-stuff";
+    uid = genid_uint31 "lass-stuff";
     description = "lassul.us blog cgi stuff";
     home = "/var/empty";
   };
@@ -124,7 +124,7 @@ in {
   };
 
   users.users.blog = {
-    uid = genid "blog";
+    uid = genid_uint31 "blog";
     description = "lassul.us blog deployment";
     home = "/srv/http/lassul.us";
     useDefaultShell = true;
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index 974e11c6e..f6ce7ccc9 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -142,7 +142,7 @@ with import <stockholm/lib>;
 
     users.users = mapAttrs' (_: cfg:
       nameValuePair cfg.name {
-        uid = genid cfg.name;
+        uid = genid_uint31 cfg.name;
         home = "/home/${cfg.name}";
         useDefaultShell = true;
         createHome = true;
diff --git a/lass/5pkgs/custom/xmonad-lass/default.nix b/lass/5pkgs/custom/xmonad-lass/default.nix
index c020f975c..f86a4a69b 100644
--- a/lass/5pkgs/custom/xmonad-lass/default.nix
+++ b/lass/5pkgs/custom/xmonad-lass/default.nix
@@ -113,6 +113,7 @@ myKeyMap =
     , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
     , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
     , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
+    , ("M4-z", spawn "${pkgs.emot-menu}/bin/emoticons")
 
     , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle")
     , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
diff --git a/lass/5pkgs/emot-menu/default.nix b/lass/5pkgs/emot-menu/default.nix
new file mode 100644
index 000000000..d5d84e456
--- /dev/null
+++ b/lass/5pkgs/emot-menu/default.nix
@@ -0,0 +1,31 @@
+{ coreutils, dmenu, gnused, writeDashBin, writeText, xdotool }: let
+
+  emoticons = writeText "emoticons" ''
+¯\(°_o)/¯ | dunno lol shrug dlol
+¯\_(ツ)_/¯ | dunno lol shrug dlol
+( ͡° ͜ʖ ͡°) | lenny
+¯\_( ͡° ͜ʖ ͡°)_/¯ | lenny shrug dlol
+( ﾟдﾟ) | aaah sad noo
+ヽ(^o^)丿 | hi yay hello
+(^o^; | ups hehe
+(^∇^) | yay
+┗(｀皿´)┛ | angry argh
+ヾ(^_^) byebye!! | bye
+<(^.^<) <(^.^)> (>^.^)> (7^.^)7 (>^.^<) | dance
+(-.-)Zzz... | sleep
+(∩╹□╹∩) | oh noes woot
+™ | tm
+ζ | zeta
+(╯°□°）╯ ┻━┻ | table flip
+(」゜ロ゜)」 | why woot
+  '';
+
+in
+writeDashBin "emoticons" ''
+  set -efu
+
+  data=$(${coreutils}/bin/cat ${emoticons})
+  emoticon=$(echo "$data" | ${dmenu}/bin/dmenu | ${gnused}/bin/sed 's/ | .*//')
+  ${xdotool}/bin/xdotool type -- "$emoticon"
+  exit 0
+''
diff --git a/lass/5pkgs/fzfmenu/default.nix b/lass/5pkgs/fzfmenu/default.nix
index 6b5899359..905a5ce6b 100644
--- a/lass/5pkgs/fzfmenu/default.nix
+++ b/lass/5pkgs/fzfmenu/default.nix
@@ -12,8 +12,20 @@ pkgs.writeDashBin "fzfmenu" ''
       shift
       break
       ;;
+      -l)
+      # no reason to filter number of lines
+      LINES="$2"
+      shift
+      shift
+      break
+      ;;
+      -i)
+      # we do this anyway
+      shift
+      break
+      ;;
       *)
-      echo "Unknown option $1"
+      echo "Unknown option $1" >&2
       shift
       ;;
   esac
diff --git a/lib/default.nix b/lib/default.nix
index a40225c49..348d47e85 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -5,6 +5,7 @@ let
     evalSource = import ./eval-source.nix;
 
     git = import ./git.nix { inherit lib; };
+    krops = import ../submodules/krops/lib;
     shell = import ./shell.nix { inherit lib; };
     types = nixpkgs-lib.types // import ./types.nix { inherit lib; };
 
@@ -12,8 +13,9 @@ let
     ne = x: y: x != y;
     mod = x: y: x - y * (x / y);
 
-    genid = import ./genid.nix { inherit lib; };
-    genid_uint31 = x: ((lib.genid x) + 16777216) / 2;
+    genid = lib.genid_uint32; # TODO remove
+    genid_uint31 = x: ((lib.genid_uint32 x) + 16777216) / 2;
+    genid_uint32 = import ./genid.nix { inherit lib; };
 
     lpad = n: c: s:
       if lib.stringLength s < n
@@ -44,6 +46,23 @@ let
 
     indent = replaceChars ["\n"] ["\n  "];
 
+    mapNixDir = f: x: {
+      list = foldl' mergeAttrs {} (map (mapNixDir1 f) x);
+      path = mapNixDir1 f x;
+    }.${typeOf x};
+
+    mapNixDir1 = f: dirPath:
+      listToAttrs
+        (map
+          (relPath: let
+            name = removeSuffix ".nix" relPath;
+            path = dirPath + "/${relPath}";
+          in
+            nameValuePair name (f path))
+          (filter
+            (name: name != "default.nix" && !hasPrefix "." name)
+            (attrNames (readDir dirPath))));
+
     # https://tools.ietf.org/html/rfc5952
     normalize-ip6-addr =
       let
diff --git a/lib/types.nix b/lib/types.nix
index d663d2512..016853300 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -3,7 +3,7 @@
 let
   inherit (lib)
     all any attrNames concatMapStringsSep concatStringsSep const filter flip
-    genid hasSuffix head isInt isString length mergeOneOption mkOption
+    genid_uint31 hasSuffix head isInt isString length mergeOneOption mkOption
     mkOptionType optional optionalAttrs optionals range splitString
     stringLength substring test testString typeOf;
   inherit (lib.types)
@@ -365,7 +365,7 @@ rec {
       };
       uid = mkOption {
         type = int;
-        default = genid config.name;
+        default = genid_uint31 config.name;
       };
     };
   });
@@ -377,7 +377,7 @@ rec {
       };
       gid = mkOption {
         type = int;
-        default = genid config.name;
+        default = genid_uint31 config.name;
       };
     };
   });
diff --git a/submodules/krops b/submodules/krops
-Subproject 6f49342b2d5973478f1f5eb6f8d6307059e7bcf
+Subproject 140bdfdf6c87c1822e0c4ec8f497a20ad1d4cf1
diff --git a/tv/2configs/bash/default.nix b/tv/2configs/bash/default.nix
index b75ad8bfc..d7673931c 100644
--- a/tv/2configs/bash/default.nix
+++ b/tv/2configs/bash/default.nix
@@ -13,6 +13,20 @@ with import <stockholm/lib>;
       shopt -s histappend histreedit histverify
       shopt -s no_empty_cmd_completion
       complete -d cd
+
+      case $UID in
+        ${shell.escape (toString config.krebs.users.tv.uid)})
+          if test ''${SHLVL-1} = 1; then
+            case ''${XMONAD_SPAWN_WORKSPACE-} in
+              stockholm)
+                cd ~/stockholm
+              ;;
+            esac
+          fi
+
+          export NIX_PATH="stockholm=$HOME/stockholm:$NIX_PATH"
+        ;;
+      esac
     '';
     promptInit = /* sh */ ''
       case $UID in
@@ -32,14 +46,6 @@ with import <stockholm/lib>;
       if test -n "$SSH_AGENT_PID"; then
         PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
       fi
-
-      if test ''${SHLVL-1} = 1; then
-        case ''${XMONAD_SPAWN_WORKSPACE-} in
-          stockholm)
-            cd ~/stockholm
-          ;;
-        esac
-      fi
     '';
   };
 }
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index d9ddc90d0..484a337b7 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -87,11 +87,6 @@ with import <stockholm/lib>;
           export SYSTEM="$1"
           exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
         '';
-        reload = "systemctl reload";
-        restart = "systemctl restart";
-        start = "systemctl start";
-        status = "systemctl status";
-        stop = "systemctl stop";
       };
 
       environment.variables = {
diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix
index c051b4261..2e679bd14 100644
--- a/tv/2configs/pulse.nix
+++ b/tv/2configs/pulse.nix
@@ -95,7 +95,7 @@ in
   users = {
     groups.pulse.gid = config.users.users.pulse.uid;
     users.pulse = {
-      uid = genid "pulse";
+      uid = genid_uint31 "pulse";
       group = "pulse";
       extraGroups = [ "audio" ];
       home = "${runDir}/home";
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index a5641f094..3794628c1 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -129,7 +129,7 @@ let {
         command! -n=0 -bar ShowSyntax :call ShowSyntax()
       '';
     })))
-    ((rtp: rtp // { inherit rtp; }) (pkgs.write "vim-tv" {
+    ((rtp: rtp // { inherit rtp; }) (pkgs.write "vim-syntax-nix-nested" {
       "/syntax/haskell.vim".text = /* vim */ ''
         syn region String start=+\[[[:alnum:]]*|+ end=+|]+
 
@@ -239,26 +239,58 @@ let {
           " This is required because containedin isn't transitive.
           syn cluster nix_has_dollar_curly
             \ add=@nix_${lang}_syntax
-        '') {
+        '') (let
+
+          capitalize = s: let
+            xs = stringToCharacters s;
+          in
+            toUpper (head xs) + concatStrings (tail xs);
+
+          alts = xs: ''\(${concatStringsSep ''\|'' xs}\)'';
+          def = k: ''${k}[ \t\r\n]*='';
+          writer = k: ''write${k}[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)'';
+
+        in {
           c = {};
           cabal = {};
           diff = {};
           haskell = {};
-          jq.extraStart = concatStringsSep ''\|'' [
-            ''writeJq.*''
+          jq.extraStart = alts [
+            (writer "Jq")
             ''write[^ \t\r\n]*[ \t\r\n]*"[^"]*\.jq"''
           ];
+          javascript.extraStart = ''/\* js \*/'';
           lua = {};
-          sed.extraStart = ''writeSed[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
-          sh.extraStart = concatStringsSep ''\|'' [
-            ''write\(A\|Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)''
-            ''[a-z]*Phase[ \t\r\n]*=''
+          python.extraStart = ''/\* py \*/'';
+          sed.extraStart = writer "Sed";
+          sh.extraStart = let
+            phases = [
+              "unpack"
+              "patch"
+              "configure"
+              "build"
+              "check"
+              "install"
+              "fixup"
+              "installCheck"
+              "dist"
+            ];
+            shells = [
+              "ash"
+              "bash"
+              "dash"
+            ];
+          in alts [
+            (def "shellHook")
+            (def "${alts phases}Phase")
+            (def "${alts ["pre" "post"]}${alts (map capitalize phases)}")
+            (writer (alts (map capitalize shells)))
           ];
           yaml = {};
           vim.extraStart =
             ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
           xdefaults = {};
-        })}
+        }))}
 
         " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
         syn clear shVarAssign
diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index a44ece8b1..8d4b13fad 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -24,17 +24,6 @@ in {
     pkgs.xlibs.fontschumachermisc
   ];
 
-  # TODO dedicated group, i.e. with a single user [per-user-setuid]
-  # TODO krebs.setuid.slock.path vs /run/wrappers/bin
-  krebs.setuid.slock = {
-    filename = "${pkgs.slock}/bin/slock";
-    group = "wheel";
-    envp = {
-      DISPLAY = ":${toString config.services.xserver.display}";
-      USER = cfg.user.name;
-    };
-  };
-
   services.xserver = {
 
     # Don't install feh into systemPackages
@@ -57,7 +46,9 @@ in {
 
   systemd.services.display-manager.enable = false;
 
-  systemd.services.xmonad = {
+  systemd.services.xmonad = let
+    xmonad = "${pkgs.haskellPackages.xmonad-tv}/bin/xmonad";
+  in {
     wantedBy = [ "graphical.target" ];
     requires = [ "xserver.service" ];
     environment = {
@@ -93,6 +84,14 @@ in {
         "za" "zh" "zj" "zs"
       ]);
     };
+    path = [
+      config.tv.slock.package
+      pkgs.fzmenu
+      pkgs.pulseaudioLight.out
+      pkgs.rxvt_unicode
+      pkgs.xcalib
+      "/run/wrappers" # for su
+    ];
     serviceConfig = {
       SyslogIdentifier = "xmonad";
       ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${toString [
@@ -100,8 +99,8 @@ in {
         "\${XMONAD_CONFIG_DIR}"
         "\${XMONAD_DATA_DIR}"
       ]}";
-      ExecStart = "${pkgs.xmonad-tv}/bin/xmonad-${currentSystem}";
-      ExecStop = "${pkgs.xmonad-tv}/bin/xmonad-${currentSystem} --shutdown";
+      ExecStart = "@${xmonad} xmonad-${currentSystem} ";
+      ExecStop = "@${xmonad} xmonad-${currentSystem} --shutdown";
       User = cfg.user.name;
       WorkingDirectory = cfg.user.home;
     };
@@ -147,4 +146,9 @@ in {
       User = cfg.user.name;
     };
   };
+
+  tv.slock = {
+    enable = true;
+    user = cfg.user;
+  };
 }
diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix
index 6172feb03..f53a58e9a 100644
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@@ -6,6 +6,7 @@
     ./hosts.nix
     ./iptables.nix
     ./nixpkgs-overlays.nix
+    ./slock.nix
     ./x0vncserver.nix
   ];
 }
diff --git a/tv/3modules/slock.nix b/tv/3modules/slock.nix
new file mode 100644
index 000000000..1c84b1e9e
--- /dev/null
+++ b/tv/3modules/slock.nix
@@ -0,0 +1,71 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+  cfg = config.tv.slock;
+in {
+  options.tv.slock = {
+    enable = mkEnableOption "tv.slock";
+    package = mkOption {
+      default = pkgs.execBin "slock" rec {
+        filename = "${pkgs.systemd}/bin/systemctl";
+        argv = [ filename "start" "slock-${cfg.user.name}.service" ];
+      };
+      type = types.package;
+    };
+    user = mkOption {
+      type = types.user;
+    };
+  };
+  config = mkIf cfg.enable {
+    security.polkit.extraConfig = /* js */ ''
+      polkit.addRule(function(action, subject) {
+        if (action.id == "org.freedesktop.systemd1.manage-units" &&
+            action.lookup("unit") == "slock-${cfg.user.name}.service" &&
+            subject.user == ${toJSON cfg.user.name}) {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+    systemd.services."slock-${cfg.user.name}" = {
+      environment = {
+        DISPLAY = ":${toString config.services.xserver.display}";
+        LD_PRELOAD = pkgs.runCommandCC "slock-${cfg.user.name}.so" {
+          passAsFile = ["text"];
+          text = /* c */ ''
+            #include <shadow.h>
+            #include <unistd.h>
+
+            static struct spwd entry = {
+              .sp_namp = "",
+              .sp_pwdp =
+                ${toC config.users.users.${cfg.user.name}.hashedPassword},
+              .sp_lstchg = 0,
+              .sp_min = 0,
+              .sp_max = 0,
+              .sp_warn = 0,
+              .sp_inact = 0,
+              .sp_expire = 0,
+              .sp_flag = 0,
+            };
+
+            extern struct spwd *getspnam(const char *name) { return &entry; }
+            extern int setgroups(size_t size, const gid_t *list) { return 0; }
+            extern int setgid(gid_t gid) { return 0; }
+            extern int setuid(uid_t uid) { return 0; }
+          '';
+        } /* sh */ ''
+          gcc -Wall -shared -o $out -xc "$textPath"
+        '';
+      };
+      restartIfChanged = false;
+      serviceConfig = {
+        ExecStart = "${pkgs.slock}/bin/slock";
+        OOMScoreAdjust = -1000;
+        Restart = "on-failure";
+        RestartSec = "100ms";
+        StartLimitBurst = 0;
+        SyslogIdentifier = "slock";
+        User = cfg.user.name;
+      };
+    };
+  };
+}
diff --git a/tv/5pkgs/haskell/default.nix b/tv/5pkgs/haskell/default.nix
new file mode 100644
index 000000000..fcede2f9c
--- /dev/null
+++ b/tv/5pkgs/haskell/default.nix
@@ -0,0 +1,20 @@
+with import <stockholm/lib>;
+let
+  overrides = self: super:
+    mapNixDir (path: self.callPackage path {}) [
+      <stockholm/krebs/5pkgs/haskell>
+      ./.
+    ];
+in
+  self: super: {
+    haskell = super.haskell // {
+      packages = mapAttrs (name: value:
+        if hasAttr "override" value
+          then value.override { inherit overrides; }
+          else value
+      ) super.haskell.packages;
+    };
+    haskellPackages = super.haskellPackages.override {
+      inherit overrides;
+    };
+  }
diff --git a/tv/5pkgs/haskell/xmonad-tv/default.nix b/tv/5pkgs/haskell/xmonad-tv/default.nix
new file mode 100644
index 000000000..42eb13d41
--- /dev/null
+++ b/tv/5pkgs/haskell/xmonad-tv/default.nix
@@ -0,0 +1,15 @@
+{ mkDerivation, base, containers, directory, extra, stdenv, unix
+, X11, xmonad, xmonad-contrib, xmonad-stockholm
+}:
+mkDerivation {
+  pname = "xmonad-tv";
+  version = "1.0.0";
+  src = ./src;
+  isLibrary = false;
+  isExecutable = true;
+  executableHaskellDepends = [
+    base containers directory extra unix X11 xmonad xmonad-contrib
+    xmonad-stockholm
+  ];
+  license = stdenv.lib.licenses.mit;
+}
diff --git a/tv/5pkgs/haskell/xmonad-tv/shell.nix b/tv/5pkgs/haskell/xmonad-tv/shell.nix
new file mode 100644
index 000000000..6ca00bc05
--- /dev/null
+++ b/tv/5pkgs/haskell/xmonad-tv/shell.nix
@@ -0,0 +1,83 @@
+{ compiler ? "default" }: let
+
+  stockholm = import <stockholm>;
+
+  inherit (stockholm.systems.${lib.krops.getHostName}) config pkgs;
+  inherit (stockholm) lib;
+
+  haskellPackages =
+    if compiler == "default"
+      then pkgs.haskellPackages
+      else pkgs.haskell.packages.${compiler};
+
+  xmonadDrv = haskellPackages.callPackage (import ./.) {};
+
+in
+
+  lib.overrideDerivation xmonadDrv.env (oldAttrs: {
+    shellHook = ''
+      pkg_name=${lib.shell.escape (lib.baseNameOf (toString ./.))}
+
+      WORKDIR=${toString ./src}
+      CACHEDIR=$HOME/tmp/$pkg_name
+      HISTFILE=$CACHEDIR/bash_history
+
+      mkdir -p "$CACHEDIR"
+
+      config_XMONAD_CACHE_DIR=${lib.shell.escape
+        config.systemd.services.xmonad.environment.XMONAD_CACHE_DIR
+      }
+
+      xmonad=$CACHEDIR/xmonad-${lib.currentSystem}
+
+      xmonad_build() {(
+        set -efu
+        cd "$WORKDIR"
+        options=$(
+          ${pkgs.cabal-read}/bin/ghc-options "$WORKDIR/$pkg_name.cabal" xmonad
+        )
+        ghc $options \
+            -odir "$CACHEDIR" \
+            -hidir "$CACHEDIR" \
+            -o "$xmonad" \
+            main.hs
+      )}
+
+      xmonad_restart() {(
+        set -efu
+        cd "$WORKDIR"
+        if systemctl --quiet is-active xmonad; then
+          sudo systemctl stop xmonad
+          cp -b "$config_XMONAD_CACHE_DIR"/xmonad.state "$CACHEDIR"/
+          echo "xmonad.state: $(cat "$CACHEDIR"/xmonad.state)"
+        else
+          "$xmonad" --shutdown || :
+        fi
+        "$xmonad" &
+        echo xmonad pid: $! >&2
+      )}
+
+      xmonad_yield() {(
+        set -efu
+        if ! systemctl --quiet is-active xmonad; then
+          "$xmonad" --shutdown
+          cp -b "$CACHEDIR"/xmonad.state "$config_XMONAD_CACHE_DIR"/
+          sudo systemctl start xmonad
+        else
+          echo "xmonad.service is already running" >&2
+          exit -1
+        fi
+      )}
+
+      export PATH=${config.systemd.services.xmonad.path}:$PATH
+      export SHELL=/run/current-system/sw/bin/bash
+
+      export XMONAD_CACHE_DIR="$CACHEDIR"
+      export XMONAD_DATA_DIR="$CACHEDIR"
+      export XMONAD_CONFIG_DIR=/var/empty
+
+      unset XMONAD_STARTUP_HOOK
+
+      cd "$WORKDIR"
+    '';
+  })
diff --git a/tv/5pkgs/haskell/xmonad-tv/src/Helpers/Path.hs b/tv/5pkgs/haskell/xmonad-tv/src/Helpers/Path.hs
new file mode 100644
index 000000000..1029d60be
--- /dev/null
+++ b/tv/5pkgs/haskell/xmonad-tv/src/Helpers/Path.hs
@@ -0,0 +1,15 @@
+module Helpers.Path where
+
+import qualified Data.List
+import qualified System.Directory
+import qualified System.IO.Unsafe
+
+
+findExecutable :: String -> FilePath
+findExecutable =
+    System.IO.Unsafe.unsafePerformIO . find
+  where
+    find name =
+        maybe failure id <$> System.Directory.findExecutable name
+      where
+        failure = error (Data.List.intercalate " " [name, "not found"])
diff --git a/tv/5pkgs/haskell/xmonad-tv/src/Paths.hs b/tv/5pkgs/haskell/xmonad-tv/src/Paths.hs
new file mode 100644
index 000000000..3a879b5d0
--- /dev/null
+++ b/tv/5pkgs/haskell/xmonad-tv/src/Paths.hs
@@ -0,0 +1,25 @@
+module Paths where
+
+import Helpers.Path
+
+
+otpmenu :: FilePath
+otpmenu = findExecutable "otpmenu"
+
+pactl :: FilePath
+pactl = findExecutable "pactl"
+
+passmenu :: FilePath
+passmenu = findExecutable "passmenu"
+
+slock :: FilePath
+slock = findExecutable "slock"
+
+su :: FilePath
+su = findExecutable "su"
+
+urxvtc :: FilePath
+urxvtc = findExecutable "urxvtc"
+
+xcalib :: FilePath
+xcalib = findExecutable "xcalib"
diff --git a/tv/5pkgs/simple/xmonad-tv/default.nix b/tv/5pkgs/haskell/xmonad-tv/src/main.hs
index edfee98a0..b7d4e9bca 100644
--- a/tv/5pkgs/simple/xmonad-tv/default.nix
+++ b/tv/5pkgs/haskell/xmonad-tv/src/main.hs
@@ -1,23 +1,10 @@
-{ pkgs, ... }:
-pkgs.writeHaskellPackage "xmonad-tv" {
-  executables."xmonad-${builtins.currentSystem}" = {
-    extra-depends = [
-      "containers"
-      "extra"
-      "unix"
-      "X11"
-      "xmonad"
-      "xmonad-contrib"
-      "xmonad-stockholm"
-    ];
-    text = /* haskell */ ''
 {-# LANGUAGE DeriveDataTypeable #-} -- for XS
 {-# LANGUAGE FlexibleContexts #-} -- for xmonad'
 {-# LANGUAGE LambdaCase #-}
 {-# LANGUAGE ScopedTypeVariables #-}
 
 
-module Main where
+module Main (main) where
 
 import System.Exit (exitFailure)
 
@@ -31,50 +18,54 @@ import System.Environment (getArgs, getEnv, getEnvironment, lookupEnv)
 import System.Posix.Process (executeFile)
 import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace
                                         , removeEmptyWorkspace)
-import XMonad.Actions.GridSelect
 import XMonad.Actions.CycleWS (toggleWS)
 import XMonad.Layout.NoBorders ( smartBorders )
+import XMonad.Layout.ResizableTile (ResizableTall(ResizableTall))
+import XMonad.Layout.ResizableTile (MirrorResize(MirrorExpand,MirrorShrink))
 import qualified XMonad.StackSet as W
 import Data.Map (Map)
 import qualified Data.Map as Map
 import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
 import XMonad.Hooks.ManageHelpers (doCenterFloat)
-import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Hooks.Place (placeHook, smart)
 import XMonad.Actions.PerWorkspaceKeys (chooseAction)
 
 import XMonad.Stockholm.Pager
-import XMonad.Stockholm.Rhombus
 import XMonad.Stockholm.Shutdown
+import qualified Paths
 
 
-amixerPath :: FilePath
-amixerPath = "${pkgs.alsaUtils}/bin/amixer"
-
-urxvtcPath :: FilePath
-urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"
-
 myFont :: String
 myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
 
+
 main :: IO ()
 main = getArgs >>= \case
     [] -> mainNoArgs
     ["--shutdown"] -> shutdown
     args -> hPutStrLn stderr ("bad arguments: " <> show args) >> exitFailure
 
+
 mainNoArgs :: IO ()
 mainNoArgs = do
+    let width = 1366
     workspaces0 <- getWorkspaces0
     handleShutdownEvent <- newShutdownEventHandler
     xmonad
         $ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
         $ def
-            { terminal          = urxvtcPath
+            { terminal          = Paths.urxvtc
             , modMask           = mod4Mask
             , keys              = myKeys
             , workspaces        = workspaces0
-            , layoutHook        = smartBorders $ FixedColumn 1 20 80 10 ||| Full
+            , layoutHook =
+                smartBorders $
+                  ResizableTall
+                    1
+                    (10 * 6 / width)
+                    ((80 * 6 + 2 * (1+1+1))/width) []
+                  |||
+                  Full
             , manageHook =
                 composeAll
                   [ appName =? "fzmenu-urxvt" --> doCenterFloat
@@ -102,6 +93,7 @@ getWorkspaces0 =
   where
     warn msg = hPutStrLn stderr ("getWorkspaces0: " ++ msg) >> return []
 
+
 displaySomeException :: SomeException -> String
 displaySomeException = displayException
 
@@ -110,76 +102,56 @@ forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
 forkFile path args env =
     xfork (executeFile path False args env) >> return ()
 
+
 spawnRootTerm :: X ()
 spawnRootTerm =
     forkFile
-        urxvtcPath
-        ["-name", "root-urxvt", "-e", "/run/wrappers/bin/su", "-"]
+        Paths.urxvtc
+        ["-name", "root-urxvt", "-e", Paths.su, "-"]
         Nothing
 
+
 spawnTermAt :: String -> X ()
 spawnTermAt ws = do
     env <- io getEnvironment
     let env' = ("XMONAD_SPAWN_WORKSPACE", ws) : env
-    forkFile urxvtcPath [] (Just env')
+    forkFile Paths.urxvtc [] (Just env')
+
 
 myKeys :: XConfig Layout -> Map (KeyMask, KeySym) (X ())
 myKeys conf = Map.fromList $
-    [ ((_4  , xK_Escape ), forkFile "/run/wrappers/bin/slock" [] Nothing)
+    [ ((_4  , xK_Escape ), forkFile Paths.slock [] Nothing)
     , ((_4S , xK_c      ), kill)
 
-    , ((_4  , xK_o      ), forkFile "${pkgs.fzmenu}/bin/otpmenu" [] Nothing)
-    , ((_4  , xK_p      ), forkFile "${pkgs.fzmenu}/bin/passmenu" [] Nothing)
+    , ((_4  , xK_o      ), forkFile Paths.otpmenu [] Nothing)
+    , ((_4  , xK_p      ), forkFile Paths.passmenu [] Nothing)
 
     , ((_4  , xK_x      ), chooseAction spawnTermAt)
     , ((_4C , xK_x      ), spawnRootTerm)
 
-    --, ((_4  , xK_F1     ), withFocused jojo)
-    --, ((_4  , xK_F1     ), printAllGeometries)
-
     , ((0   , xK_Menu   ), gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.view) )
     , ((_S  , xK_Menu   ), gets windowset >>= allWorkspaceNames >>= pager pagerConfig (windows . W.shift) )
     , ((_C  , xK_Menu   ), toggleWS)
-    , ((_4  , xK_Menu   ), rhombus horseConfig (liftIO . hPutStrLn stderr) ["Correct", "Horse", "Battery", "Staple", "Stuhl", "Tisch"] )
-    
-    -- %! Rotate through the available layout algorithms
+
     , ((_4  , xK_space  ), sendMessage NextLayout)
-    , ((_4S , xK_space  ), setLayout $ XMonad.layoutHook conf) -- reset layout
-
-    ---- BinarySpacePartition
-    --, ((_4  , xK_l), sendMessage $ ExpandTowards R)
-    --, ((_4  , xK_h), sendMessage $ ExpandTowards L)
-    --, ((_4  , xK_j), sendMessage $ ExpandTowards D)
-    --, ((_4  , xK_k), sendMessage $ ExpandTowards U)
-    --, ((_4S , xK_l), sendMessage $ ShrinkFrom R)
-    --, ((_4S , xK_h), sendMessage $ ShrinkFrom L)
-    --, ((_4S , xK_j), sendMessage $ ShrinkFrom D)
-    --, ((_4S , xK_k), sendMessage $ ShrinkFrom U)
-    --, ((_4  , xK_n), sendMessage Rotate)
-    --, ((_4S , xK_n), sendMessage Swap)
-
-    ---- mouseResizableTile
-    --, ((_4    , xK_u), sendMessage ShrinkSlave)
-    --, ((_4    , xK_i), sendMessage ExpandSlave)
-
-    -- move focus up or down the window stack
-    --, ((_4  , xK_m      ), windows W.focusMaster)
+    , ((_4M , xK_space  ), resetLayout)
+
+    , ((_4  , xK_m      ), windows W.focusMaster)
     , ((_4  , xK_j      ), windows W.focusDown)
     , ((_4  , xK_k      ), windows W.focusUp)
 
-    -- modifying the window order
     , ((_4S , xK_m      ), windows W.swapMaster)
     , ((_4S , xK_j      ), windows W.swapDown)
     , ((_4S , xK_k      ), windows W.swapUp)
 
-    -- resizing the master/slave ratio
-    , ((_4  , xK_h      ), sendMessage Shrink) -- %! Shrink the master area
-    , ((_4  , xK_l      ), sendMessage Expand) -- %! Expand the master area
+    , ((_4M , xK_h      ), sendMessage Shrink)
+    , ((_4M , xK_l      ), sendMessage Expand)
+
+    , ((_4M , xK_j      ), sendMessage MirrorShrink)
+    , ((_4M , xK_k      ), sendMessage MirrorExpand)
 
-    -- floating layer support
-    , ((_4  , xK_t      ), withFocused $ windows . W.sink)  -- make tiling
+    , ((_4  , xK_t      ), withFocused $ windows . W.sink)
 
-    -- increase or decrease number of windows in the master area
     , ((_4  , xK_comma  ), sendMessage $ IncMasterN 1)
     , ((_4  , xK_period ), sendMessage $ IncMasterN (-1))
 
@@ -188,13 +160,12 @@ myKeys conf = Map.fromList $
     , ((_4  , xK_Delete ), removeEmptyWorkspace)
 
     , ((_4  , xK_Return ), toggleWS)
-    --,  (0   , xK_Menu   ) & \k -> (k, gridselectWorkspace wsGSConfig { gs_navigate = makeGSNav k } W.view)
-    --,  (_4  , xK_v      ) & \k -> (k, gridselectWorkspace wsGSConfig { gs_navigate = makeGSNav k } W.view)
-    --,  (_4S , xK_v      ) & \k -> (k, gridselectWorkspace wsGSConfig { gs_navigate = makeGSNav k } W.shift)
-    --,  (_4  , xK_b      ) & \k -> (k, goToSelected        wGSConfig  { gs_navigate = makeGSNav k })
-    , ((noModMask, xF86XK_AudioLowerVolume), amixer ["sset", "Master", "5%-"])
-    , ((noModMask, xF86XK_AudioRaiseVolume), amixer ["sset", "Master", "5%+"])
-    , ((noModMask, xF86XK_AudioMute), amixer ["sset", "Master", "toggle"])
+
+    , ((0, xF86XK_AudioLowerVolume), audioLowerVolume)
+    , ((0, xF86XK_AudioRaiseVolume), audioRaiseVolume)
+    , ((0, xF86XK_AudioMute), audioMute)
+
+    , ((_4, xK_Prior), forkFile Paths.xcalib ["-invert", "-alter"] Nothing)
     ]
     where
     _4 = mod4Mask
@@ -207,18 +178,19 @@ myKeys conf = Map.fromList $
     _4CM = _4 .|. _C .|. _M
     _4SM = _4 .|. _S .|. _M
 
-    amixer args = forkFile amixerPath args Nothing
+    pactl args = forkFile Paths.pactl args Nothing
+    audioLowerVolume = pactl ["--", "set-sink-volume", "@DEFAULT_SINK@", "-5%"]
+    audioRaiseVolume = pactl ["--", "set-sink-volume", "@DEFAULT_SINK@", "+5%"]
+    audioMute = pactl ["--", "set-sink-mute", "@DEFAULT_SINK@", "toggle"]
+
+    resetLayout = setLayout $ XMonad.layoutHook conf
 
 
 pagerConfig :: PagerConfig
 pagerConfig = def
     { pc_font           = myFont
     , pc_cellwidth      = 64
-    --, pc_cellheight     = 36 -- TODO automatically keep screen aspect
-    --, pc_borderwidth    = 1
-    --, pc_matchcolor     = "#f0b000"
     , pc_matchmethod    = MatchPrefix
-    --, pc_colors         = pagerWorkspaceColors
     , pc_windowColors   = windowColors
     }
     where
@@ -229,34 +201,6 @@ pagerConfig = def
             then ("#402020", snd y)
             else y
 
-horseConfig :: RhombusConfig
-horseConfig = def
-    { rc_font           = myFont
-    , rc_cellwidth      = 64
-    --, rc_cellheight     = 36 -- TODO automatically keep screen aspect
-    --, rc_borderwidth    = 1
-    --, rc_matchcolor     = "#f0b000"
-    , rc_matchmethod    = MatchPrefix
-    --, rc_colors         = pagerWorkspaceColors
-    --, rc_paint          = myPaint
-    }
-
-wGSConfig :: GSConfig Window
-wGSConfig = def
-    { gs_cellheight = 20
-    , gs_cellwidth = 192
-    , gs_cellpadding = 5
-    , gs_font = myFont
-    , gs_navigate = navNSearch
-    }
-
-
-(&) :: a -> (a -> c) -> c
-(&) = flip ($)
 
 allWorkspaceNames :: W.StackSet i l a sid sd -> X [i]
-allWorkspaceNames ws =
-    return $ map W.tag (W.hidden ws) ++ [W.tag $ W.workspace $ W.current ws]
-  '';
-  };
-}
+allWorkspaceNames = return . map W.tag . W.workspaces
diff --git a/tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal b/tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal
new file mode 100644
index 000000000..f10bc4aeb
--- /dev/null
+++ b/tv/5pkgs/haskell/xmonad-tv/src/xmonad-tv.cabal
@@ -0,0 +1,25 @@
+name: xmonad-tv
+version: 1.0.0
+license: MIT
+author: tv <tv@krebsco.de>
+maintainer: tv <tv@krebsco.de>
+build-type: Simple
+cabal-version: >=1.10
+
+executable xmonad
+  main-is: main.hs
+  build-depends:
+    base,
+    containers,
+    directory,
+    extra,
+    unix,
+    X11,
+    xmonad,
+    xmonad-contrib,
+    xmonad-stockholm
+  other-modules:
+    Helpers.Path,
+    Paths
+  default-language: Haskell2010
+  ghc-options: -O2 -Wall -threaded
diff --git a/tv/5pkgs/simple/default.nix b/tv/5pkgs/simple/default.nix
index 1b9d8c235..6ba4fec83 100644
--- a/tv/5pkgs/simple/default.nix
+++ b/tv/5pkgs/simple/default.nix
@@ -15,10 +15,4 @@ let
     else override;
 in
 
-  listToAttrs
-    (map
-      (name: nameValuePair (removeSuffix ".nix" name)
-                           (callPackage (./. + "/${name}") {}))
-      (filter
-        (name: name != "default.nix" && !hasPrefix "." name)
-        (attrNames (readDir ./.))))
+  mapNixDir (path: callPackage path {}) ./.