From 62314e64c259bc6bae39e2bd29ecec2c5e5ea262 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Sun, 7 Oct 2018 20:57:53 +0200
Subject: remove nin

---
 lass/1systems/prism/config.nix | 8 --------
 1 file changed, 8 deletions(-)

(limited to 'lass')

diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index bf7de6fc5..808f35b24 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -57,13 +57,6 @@ with import <stockholm/lib>;
           config.krebs.users.makefu.pubkey
         ];
       };
-      users.users.nin = {
-        uid = genid "nin";
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.nin.pubkey
-        ];
-      };
       users.extraUsers.dritter = {
         uid = genid "dritter";
         isNormalUser = true;
@@ -119,7 +112,6 @@ with import <stockholm/lib>;
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
-            config.krebs.users.nin.pubkey
           ];
         };
         autoStart = true;
-- 
cgit v1.3.1


From 84e8732832fb21e248b100b53c0d5d7df45d0d91 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 9 Oct 2018 13:48:52 +0200
Subject: force test in krops.nix

---
 jeschli/krops.nix | 1 +
 krebs/krops.nix   | 1 +
 lass/krops.nix    | 1 +
 makefu/krops.nix  | 1 +
 tv/krops.nix      | 1 +
 5 files changed, 5 insertions(+)

(limited to 'lass')

diff --git a/jeschli/krops.nix b/jeschli/krops.nix
index 34f3aaa53..d45d57c63 100644
--- a/jeschli/krops.nix
+++ b/jeschli/krops.nix
@@ -29,6 +29,7 @@ in {
 
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
   test = { target }: pkgs.krops.writeTest "${name}-test" {
+    force = true;
     inherit target;
     source = source { test = true; };
   };
diff --git a/krebs/krops.nix b/krebs/krops.nix
index 89354c1ea..763e76b83 100644
--- a/krebs/krops.nix
+++ b/krebs/krops.nix
@@ -54,6 +54,7 @@
 
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
   test = { target }: pkgs.krops.writeTest "${name}-test" {
+    force = true;
     inherit target;
     source = source { test = true; };
   };
diff --git a/lass/krops.nix b/lass/krops.nix
index 4e045c6db..13b10e253 100644
--- a/lass/krops.nix
+++ b/lass/krops.nix
@@ -29,6 +29,7 @@ in {
 
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
   test = { target }: pkgs.krops.writeTest "${name}-test" {
+    force = true;
     inherit target;
     source = source { test = true; };
   };
diff --git a/makefu/krops.nix b/makefu/krops.nix
index 4f55915af..27b7b04ef 100644
--- a/makefu/krops.nix
+++ b/makefu/krops.nix
@@ -83,6 +83,7 @@ in {
 
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
   test = { target ? target }: pkgs.krops.writeTest "${name}-test" {
+    force = true;
     inherit target;
     source = source { test = true; };
   };
diff --git a/tv/krops.nix b/tv/krops.nix
index 231486ab7..e922630f7 100644
--- a/tv/krops.nix
+++ b/tv/krops.nix
@@ -16,6 +16,7 @@
 
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
   test = { target }: pkgs.krops.writeTest "tv-krops-${name}-ci" {
+    force = true;
     inherit source target;
   };
 
-- 
cgit v1.3.1


From 67dc10646904d8286ad0a4ac8fecda99893827fd Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 9 Oct 2018 21:12:36 +0200
Subject: Revert "remove nin"

This reverts commit 62314e64c259bc6bae39e2bd29ecec2c5e5ea262.
---
 krebs/3modules/default.nix                  |   1 +
 krebs/3modules/nin/default.nix              | 111 +++++++++
 lass/1systems/prism/config.nix              |   8 +
 nin/0tests/dummysecrets/hashedPasswords.nix |   1 +
 nin/0tests/dummysecrets/ssh.id_ed25519      |   0
 nin/1systems/axon/config.nix                | 132 +++++++++++
 nin/1systems/hiawatha/config.nix            | 126 ++++++++++
 nin/1systems/onondaga/config.nix            |  23 ++
 nin/2configs/ableton.nix                    |  20 ++
 nin/2configs/copyq.nix                      |  38 +++
 nin/2configs/default.nix                    | 173 ++++++++++++++
 nin/2configs/games.nix                      |  70 ++++++
 nin/2configs/git.nix                        |  60 +++++
 nin/2configs/im.nix                         |  19 ++
 nin/2configs/retiolum.nix                   |  28 +++
 nin/2configs/skype.nix                      |  27 +++
 nin/2configs/termite.nix                    |  22 ++
 nin/2configs/vim.nix                        | 355 ++++++++++++++++++++++++++++
 nin/2configs/weechat.nix                    |  21 ++
 nin/default.nix                             |   7 +
 nin/krops.nix                               |  35 +++
 21 files changed, 1277 insertions(+)
 create mode 100644 krebs/3modules/nin/default.nix
 create mode 100644 nin/0tests/dummysecrets/hashedPasswords.nix
 create mode 100644 nin/0tests/dummysecrets/ssh.id_ed25519
 create mode 100644 nin/1systems/axon/config.nix
 create mode 100644 nin/1systems/hiawatha/config.nix
 create mode 100644 nin/1systems/onondaga/config.nix
 create mode 100644 nin/2configs/ableton.nix
 create mode 100644 nin/2configs/copyq.nix
 create mode 100644 nin/2configs/default.nix
 create mode 100644 nin/2configs/games.nix
 create mode 100644 nin/2configs/git.nix
 create mode 100644 nin/2configs/im.nix
 create mode 100644 nin/2configs/retiolum.nix
 create mode 100644 nin/2configs/skype.nix
 create mode 100644 nin/2configs/termite.nix
 create mode 100644 nin/2configs/vim.nix
 create mode 100644 nin/2configs/weechat.nix
 create mode 100644 nin/default.nix
 create mode 100644 nin/krops.nix

(limited to 'lass')

diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index e8c5e0457..6307649e3 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -111,6 +111,7 @@ let
     { krebs = import ./krebs  { inherit config; }; }
     { krebs = import ./lass   { inherit config; }; }
     { krebs = import ./makefu { inherit config; }; }
+    { krebs = import ./nin    { inherit config; }; }
     { krebs = import ./tv     { inherit config; }; }
     {
       krebs.dns.providers = {
diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix
new file mode 100644
index 000000000..1531a2c89
--- /dev/null
+++ b/krebs/3modules/nin/default.nix
@@ -0,0 +1,111 @@
+{ config, ... }:
+
+with import <stockholm/lib>;
+
+{
+  hosts = mapAttrs (_: recursiveUpdate {
+    owner = config.krebs.users.nin;
+    ci = true;
+  }) {
+    hiawatha = {
+      cores = 2;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.132.96";
+          ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
+          aliases = [
+            "hiawatha.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o
+            Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB
+            iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E
+            UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr
+            lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ
+            yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
+    };
+     axon= {
+      cores = 2;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.134.66";
+          ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379";
+          aliases = [
+            "axon.r"
+          ];
+          tinc.pubkey = ''
+          -----BEGIN RSA PUBLIC KEY-----
+          MIIECgKCBAEA89h5SLDQL/ENM//3SMzNkVnW4dBdg1GOXs/SdRCTcgygJC0TzsAo
+          glfQhfS+OhFSC/mXAjP8DnN7Ys6zXzMfJgH7TgVRJ8tCo5ETehICA19hMjMFINLj
+          KZhhthPuX7u2Jr4uDMQ0eLJnKVHF4PmHnkA+JGcOqO7VSkgcqPvqPMnJFcMkGWvH
+          L3KAz1KGPHZWrAB2NBDrD/bOZj4L39nS4nJIYVOraP7ze1GTTC7s/0CnZj3qwS5j
+          VdUYgAR+bdxlWm1B1PPOjkslP6UOklQQK4SjK3ceLYb2yM7BVICeznjWCbkbMACY
+          PUSvdxyiD7nZcLvuM3cJ1M45zUK+tAHHDB5FFUUAZ+YY/Xml4+JOINekpQdGQqkN
+          X4VsdRGKpjqi+OXNP4ktDcVkl8uALmNR6TFfAEwQJdjgcMxgJGW9PkqvPl3Mqgoh
+          m89lHPpO0Cpf40o6lZRG42gH1OR7Iy1M234uA08a3eFf+IQutHaOBt/Oi0YeiaQp
+          OtJHmWtpsQRz24/m+uroSUtKZ63sESli28G1jP73Qv7CiB8KvSX0Z4zKJOV/CyaT
+          LLguAyeWdNLtVg4bGRd7VExoWA+Rd9YKHCiE5duhETZk0Hb9WZmgPdM7A0RBb+1H
+          /F9BPKSZFl2e42VEsy8yNmBqO8lL7DVbAjLhtikTpPLcyjNeqN99a8jFX4c5nhIK
+          MVsSLKsmNGQq+dylXMbErsGu3P/OuCZ4mRkC32Kp4qwJ+JMrJc8+ZbhKl6Fhwu0w
+          7DwwoUaRoMqtr2AwR+X67eJsYiOVo5EkqBo6DrWIM6mO2GrWHg5LTBIShn08q/Nm
+          ofPK2TmLdfqBycUR0kRCCPVi82f9aElmg3pzzPJnLAn9JLL43q6l+sefvtr9sTs3
+          1co6m8k5mO8zTb8BCmX2nFMkCopuHeF1nQ33y6woq0D8WsXHfHtbPwN9eYRVrbBF
+          29YBp5E+Q1pQB+0rJ4A5N1I3VUKhDGKc72pbQc8cYoAbDXA+RKYbsFOra5z585dt
+          4HQXpwj3a/JGJYRT6FVbJp4p8PjwAtN9VkpXNl4//3lXQdDD6aQ6ssXaKxVAp2Xj
+          FjPjx6J6ok4mRvofKNAREt4eZUdDub34bff6G0zI7Vls9t4ul0uHsJ6+ic3CG+Yl
+          buLfOkDp4hVCAlMPQ2NJfWKSggoVao7OTBPTMB3NiM56YOPptfZgu2ttDRTyuQ7p
+          hrOwutxoy/abH3hA8bWj1+C23vDtQ2gj0r16SWxpPdb3sselquzKp9NIvtyRVfnG
+          yYZTWRHg9mahMC2P0/wWAQVjKb0LnTib4lSe21uqFkWzp+3/Uu+hiwP5xGez/NIi
+          ahyL7t0D9r9y+i1RPjYWypgyR568fiGheQIDAQAB
+          -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ubHA2pQzV4tQq9D1zRTD1xOSR6xZM3z6te+5A1ekc";
+    };
+    onondaga = {
+      cores = 1;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.132.55";
+          ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357";
+          aliases = [
+            "onondaga.r"
+            "cgit.onondaga.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAqj6NPhRVsr8abz9FFx9+ld3amfxN7SRNccbksUOqkufGS0vaupFR
+            OWsgj4Qmt3lQ82YVt5yjx0FZHkAsenCEKM3kYoIb4nipT0e1MWkQ7plVveMfGkiu
+            htaJ1aCbI2Adxfmk4YbyAr8k3G+Zl9t7gTikBRh7cf5PMiu2JhGUZHzx9urR0ieH
+            xyashZFjl4TtIy4q6QTiyST9kfzteh8k7CJ72zfYkdHl9dPlr5Nk22zH9xPkyzmO
+            kCNeknuDqKeTT9erNtRLk6pjEcyutt0y2/Uq6iZ38z5qq9k4JzcMuQ3YPpNy8bxn
+            hVuk2qBu6kBTUW3iLchoh0d4cfFLWLx1SQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmQk7AXsYLzjUrOjsuhZ3+gT7FjhPtjwxv5XnuU8GJO";
+    };
+
+  };
+  users = {
+    nin = {
+      mail = "nin@axon.r";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon";
+    };
+    nin_h = {
+      mail = "nin@hiawatha.r";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha";
+    };
+  };
+}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 808f35b24..bf7de6fc5 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -57,6 +57,13 @@ with import <stockholm/lib>;
           config.krebs.users.makefu.pubkey
         ];
       };
+      users.users.nin = {
+        uid = genid "nin";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+      };
       users.extraUsers.dritter = {
         uid = genid "dritter";
         isNormalUser = true;
@@ -112,6 +119,7 @@ with import <stockholm/lib>;
           services.openssh.enable = true;
           users.users.root.openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
+            config.krebs.users.nin.pubkey
           ];
         };
         autoStart = true;
diff --git a/nin/0tests/dummysecrets/hashedPasswords.nix b/nin/0tests/dummysecrets/hashedPasswords.nix
new file mode 100644
index 000000000..0967ef424
--- /dev/null
+++ b/nin/0tests/dummysecrets/hashedPasswords.nix
@@ -0,0 +1 @@
+{}
diff --git a/nin/0tests/dummysecrets/ssh.id_ed25519 b/nin/0tests/dummysecrets/ssh.id_ed25519
new file mode 100644
index 000000000..e69de29bb
diff --git a/nin/1systems/axon/config.nix b/nin/1systems/axon/config.nix
new file mode 100644
index 000000000..5e81afdbd
--- /dev/null
+++ b/nin/1systems/axon/config.nix
@@ -0,0 +1,132 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    <stockholm/nin>
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    #../2configs/copyq.nix
+    <stockholm/nin/2configs/ableton.nix>
+    <stockholm/nin/2configs/games.nix>
+    <stockholm/nin/2configs/git.nix>
+    <stockholm/nin/2configs/retiolum.nix>
+    <stockholm/nin/2configs/termite.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.axon;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/pool/root";
+      fsType = "ext4";
+    };
+
+  fileSystems."/tmp" =
+    { device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/sda1";
+      fsType = "ext2";
+    };
+
+  boot.initrd.luks.devices.crypted.device = "/dev/sda2";
+  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda";
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # nin config
+  time.timeZone = "Europe/Berlin";
+  services.xserver = {
+    enable = true;
+
+    displayManager.lightdm.enable = true;
+  };
+
+  networking.networkmanager.enable = true;
+  #networking.wireless.enable = true;
+
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+  };
+
+  hardware.bluetooth.enable = true;
+
+  hardware.opengl.driSupport32Bit = true;
+
+  #nixpkgs.config.steam.java = true;
+
+  environment.systemPackages = with pkgs; [
+    atom
+    chromium
+    firefox
+    git
+    htop
+    keepassx
+    lmms
+    networkmanagerapplet
+    openvpn
+    python
+    ruby
+    steam
+    taskwarrior
+    thunderbird
+    vim
+    virtmanager
+  ];
+
+  nixpkgs.config = {
+
+    allowUnfree = true;
+
+  };
+
+  #services.logind.extraConfig = "HandleLidSwitch=ignore";
+
+  services.xserver.synaptics = {
+    enable = true;
+  };
+
+  services.xserver.displayManager.sessionCommands = ''
+    ${pkgs.xorg.xhost}/bin/xhost + local:
+  '';
+
+  services.xserver.desktopManager.xfce = let
+    xbindConfig = pkgs.writeText "xbindkeysrc" ''
+      "${pkgs.pass}/bin/passmenu --type"
+        Control + p
+  '';
+  in {
+  enable = true;
+      extraSessionCommands = ''
+      ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
+    '';
+  };
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+  system.stateVersion = "17.03";
+
+}
diff --git a/nin/1systems/hiawatha/config.nix b/nin/1systems/hiawatha/config.nix
new file mode 100644
index 000000000..a09eed958
--- /dev/null
+++ b/nin/1systems/hiawatha/config.nix
@@ -0,0 +1,126 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    <stockholm/nin>
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    #../2configs/copyq.nix
+    <stockholm/nin/2configs/games.nix>
+    <stockholm/nin/2configs/git.nix>
+    <stockholm/nin/2configs/retiolum.nix>
+    <stockholm/nin/2configs/termite.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.hiawatha;
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/tmp" =
+    { device = "tmpfs";
+      fsType = "tmpfs";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/fam/home";
+    };
+
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010";
+      fsType = "ext2";
+    };
+
+  boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
+  boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda";
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  fileSystems."/home/nin/.local/share/Steam" = {
+    device = "/dev/fam/steam";
+  };
+
+  # nin config
+  time.timeZone = "Europe/Berlin";
+  services.xserver.enable = true;
+
+  networking.networkmanager.enable = true;
+  #networking.wireless.enable = true;
+
+  hardware.pulseaudio = {
+    enable = true;
+    systemWide = true;
+  };
+
+  hardware.bluetooth.enable = true;
+
+  hardware.opengl.driSupport32Bit = true;
+
+  #nixpkgs.config.steam.java = true;
+
+  environment.systemPackages = with pkgs; [
+    firefox
+    git
+    lmms
+    networkmanagerapplet
+    python
+    steam
+    thunderbird
+    vim
+    virtmanager
+  ];
+
+  nixpkgs.config = {
+
+    allowUnfree = true;
+
+  };
+
+  #services.logind.extraConfig = "HandleLidSwitch=ignore";
+
+  services.xserver.synaptics = {
+    enable = true;
+  };
+
+
+  services.xserver.desktopManager.xfce = let
+    xbindConfig = pkgs.writeText "xbindkeysrc" ''
+      "${pkgs.pass}/bin/passmenu --type"
+        Control + p
+  '';
+  in {
+    enable = true;
+      extraSessionCommands = ''
+      ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig}
+    '';
+  };
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+  system.stateVersion = "17.03";
+
+}
diff --git a/nin/1systems/onondaga/config.nix b/nin/1systems/onondaga/config.nix
new file mode 100644
index 000000000..3cd0773ae
--- /dev/null
+++ b/nin/1systems/onondaga/config.nix
@@ -0,0 +1,23 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/nin>
+    <stockholm/nin/2configs/retiolum.nix>
+    <stockholm/nin/2configs/weechat.nix>
+    <stockholm/nin/2configs/git.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.onondaga;
+
+  boot.isContainer = true;
+  networking.useDHCP = false;
+
+  time.timeZone = "Europe/Amsterdam";
+
+  services.openssh.enable = true;
+}
diff --git a/nin/2configs/ableton.nix b/nin/2configs/ableton.nix
new file mode 100644
index 000000000..343a9089d
--- /dev/null
+++ b/nin/2configs/ableton.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }: let
+  mainUser = config.users.extraUsers.nin;
+in {
+  users.users= {
+    ableton = {
+      isNormalUser = true;
+      extraGroups = [
+        "audio"
+        "video"
+      ];
+      packages = [
+        pkgs.wine
+        pkgs.winetricks
+      ];
+    };
+  };
+  security.sudo.extraConfig = ''
+    ${mainUser.name} ALL=(ableton) NOPASSWD: ALL
+  '';
+}
diff --git a/nin/2configs/copyq.nix b/nin/2configs/copyq.nix
new file mode 100644
index 000000000..0616c4025
--- /dev/null
+++ b/nin/2configs/copyq.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+  copyqConfig = pkgs.writeDash "copyq-config" ''
+    ${pkgs.copyq}/bin/copyq config check_clipboard true
+    ${pkgs.copyq}/bin/copyq config check_selection true
+    ${pkgs.copyq}/bin/copyq config copy_clipboard true
+    ${pkgs.copyq}/bin/copyq config copy_selection true
+
+    ${pkgs.copyq}/bin/copyq config activate_closes true
+    ${pkgs.copyq}/bin/copyq config clipboard_notification_lines 0
+    ${pkgs.copyq}/bin/copyq config clipboard_tab clipboard
+    ${pkgs.copyq}/bin/copyq config disable_tray true
+    ${pkgs.copyq}/bin/copyq config hide_tabs true
+    ${pkgs.copyq}/bin/copyq config hide_toolbar true
+    ${pkgs.copyq}/bin/copyq config item_popup_interval true
+    ${pkgs.copyq}/bin/copyq config maxitems 1000
+    ${pkgs.copyq}/bin/copyq config move true
+    ${pkgs.copyq}/bin/copyq config text_wrap true
+  '';
+in {
+  systemd.user.services.copyq = {
+    after = [ "graphical.target" ];
+    wants = [ "graphical.target" ];
+    wantedBy = [ "default.target" ];
+    environment = {
+      DISPLAY = ":0";
+    };
+    serviceConfig = {
+      SyslogIdentifier = "copyq";
+      ExecStart = "${pkgs.copyq}/bin/copyq";
+      ExecStartPost = copyqConfig;
+      Restart = "always";
+      RestartSec = "2s";
+      StartLimitBurst = 0;
+    };
+  };
+}
diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix
new file mode 100644
index 000000000..62f499a2d
--- /dev/null
+++ b/nin/2configs/default.nix
@@ -0,0 +1,173 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  imports = [
+    ../2configs/vim.nix
+    <stockholm/krebs/2configs/binary-cache/nixos.nix>
+    <stockholm/krebs/2configs/binary-cache/prism.nix>
+    {
+      users.extraUsers =
+        mapAttrs (_: h: { hashedPassword = h; })
+                 (import <secrets/hashedPasswords.nix>);
+    }
+    {
+      users.users = {
+        root = {
+          openssh.authorizedKeys.keys = [
+            config.krebs.users.nin.pubkey
+            config.krebs.users.nin_h.pubkey
+          ];
+        };
+        nin = {
+          name = "nin";
+          uid = 1337;
+          home = "/home/nin";
+          group = "users";
+          createHome = true;
+          useDefaultShell = true;
+          extraGroups = [
+            "audio"
+            "fuse"
+          ];
+          openssh.authorizedKeys.keys = [
+            config.krebs.users.nin.pubkey
+            config.krebs.users.nin_h.pubkey
+          ];
+        };
+      };
+    }
+    {
+      environment.variables = {
+        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
+      };
+    }
+    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+      environment.variables = {
+        CURL_CA_BUNDLE = ca-bundle;
+        GIT_SSL_CAINFO = ca-bundle;
+        SSL_CERT_FILE = ca-bundle;
+      };
+    })
+  ];
+
+  networking.hostName = config.krebs.build.host.name;
+  nix.maxJobs = config.krebs.build.host.cores;
+
+  krebs = {
+    enable = true;
+    search-domain = "r";
+    build = {
+      user = config.krebs.users.nin;
+    };
+  };
+
+  nix.useSandbox = true;
+
+  users.mutableUsers = false;
+
+  services.timesyncd.enable = true;
+
+  #why is this on in the first place?
+  services.nscd.enable = false;
+
+  boot.tmpOnTmpfs = true;
+  # see tmpfiles.d(5)
+  systemd.tmpfiles.rules = [
+    "d /tmp 1777 root root - -"
+  ];
+
+  # multiple-definition-problem when defining environment.variables.EDITOR
+  environment.extraInit = ''
+    EDITOR=vim
+  '';
+
+  nixpkgs.config.allowUnfree = true;
+
+  environment.shellAliases = {
+    gs = "git status";
+  };
+
+  environment.systemPackages = with pkgs; [
+  #stockholm
+    git
+    gnumake
+    jq
+    proot
+    pavucontrol
+    populate
+    p7zip
+    termite
+    unzip
+    unrar
+    hashPassword
+  ];
+
+  programs.bash = {
+    enableCompletion = true;
+    interactiveShellInit = ''
+      HISTCONTROL='erasedups:ignorespace'
+      HISTSIZE=65536
+      HISTFILESIZE=$HISTSIZE
+
+      shopt -s checkhash
+      shopt -s histappend histreedit histverify
+      shopt -s no_empty_cmd_completion
+      complete -d cd
+    '';
+    promptInit = ''
+      if test $UID = 0; then
+        PS1='\[\033[1;31m\]$PWD\[\033[0m\] '
+      elif test $UID = 1337; then
+        PS1='\[\033[1;32m\]$PWD\[\033[0m\] '
+      else
+        PS1='\[\033[1;33m\]\u@$PWD\[\033[0m\] '
+      fi
+      if test -n "$SSH_CLIENT"; then
+        PS1='\[\033[35m\]\h'" $PS1"
+      fi
+    '';
+  };
+
+  services.openssh = {
+    enable = true;
+    hostKeys = [
+      # XXX bits here make no science
+      { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+    ];
+  };
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  krebs.iptables = {
+    enable = true;
+    tables = {
+      nat.PREROUTING.rules = [
+        { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
+        { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+      ];
+      nat.OUTPUT.rules = [
+        { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+      ];
+      filter.INPUT.policy = "DROP";
+      filter.FORWARD.policy = "DROP";
+      filter.INPUT.rules = [
+        { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
+        { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+        { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false;  precedence = 10000; }
+        { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
+        { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
+        { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
+        { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; }
+        { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; }
+      ];
+    };
+  };
+
+  networking.dhcpcd.extraConfig = ''
+    noipv4ll
+  '';
+}
diff --git a/nin/2configs/games.nix b/nin/2configs/games.nix
new file mode 100644
index 000000000..15e17238d
--- /dev/null
+++ b/nin/2configs/games.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+
+let
+  mainUser = config.users.extraUsers.mainUser;
+  vdoom = pkgs.writeDash "vdoom" ''
+    ${pkgs.zandronum}/bin/zandronum \
+      -fov 120 \
+      "$@"
+  '';
+  doom = pkgs.writeDash "doom" ''
+    DOOM_DIR=''${DOOM_DIR:-~/doom/}
+    ${vdoom} \
+      -file $DOOM_DIR/lib/brutalv20.pk3 \
+      "$@"
+  '';
+  doom1 = pkgs.writeDashBin "doom1" ''
+    DOOM_DIR=''${DOOM_DIR:-~/doom/}
+    ${doom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@"
+  '';
+  doom2 = pkgs.writeDashBin "doom2" ''
+    DOOM_DIR=''${DOOM_DIR:-~/doom/}
+    ${doom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@"
+  '';
+  vdoom1 = pkgs.writeDashBin "vdoom1" ''
+    DOOM_DIR=''${DOOM_DIR:-~/doom/}
+    ${vdoom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@"
+  '';
+  vdoom2 = pkgs.writeDashBin "vdoom2" ''
+    DOOM_DIR=''${DOOM_DIR:-~/doom/}
+    ${vdoom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@"
+  '';
+
+  doomservercfg = pkgs.writeText "doomserver.cfg" ''
+    skill 7
+    #survival true
+    #sv_maxlives 4
+    #sv_norespawn true
+    #sv_weapondrop true
+    no_jump true
+    #sv_noweaponspawn true
+    sv_sharekeys true
+    sv_survivalcountdowntime 1
+    sv_noteamselect true
+    sv_updatemaster false
+    #sv_coop_loseinventory true
+    #cl_startasspectator false
+    #lms_spectatorview false
+  '';
+
+  vdoomserver = pkgs.writeDashBin "vdoomserver" ''
+    DOOM_DIR=''${DOOM_DIR:-~/doom/}
+
+    ${pkgs.zandronum}/bin/zandronum-server \
+    +exec ${doomservercfg} \
+    "$@"
+  '';
+
+in {
+  environment.systemPackages = with pkgs; [
+    dwarf_fortress
+    doom1
+    doom2
+    vdoom1
+    vdoom2
+    vdoomserver
+  ];
+
+  hardware.pulseaudio.support32Bit = true;
+
+}
diff --git a/nin/2configs/git.nix b/nin/2configs/git.nix
new file mode 100644
index 000000000..aed4a9f48
--- /dev/null
+++ b/nin/2configs/git.nix
@@ -0,0 +1,60 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+let
+
+  out = {
+    services.nginx.enable = true;
+    krebs.git = {
+      enable = true;
+      cgit = {
+        settings = {
+          root-title = "public repositories at ${config.krebs.build.host.name}";
+          root-desc = "keep calm and engage";
+        };
+      };
+      repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+      rules = rules;
+    };
+
+    krebs.iptables.tables.filter.INPUT.rules = [
+      { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+    ];
+  };
+
+  repos = public-repos;
+
+  rules = concatMap make-rules (attrValues repos);
+
+  public-repos = mapAttrs make-public-repo {
+    stockholm = {
+      cgit.desc = "take all the computers hostage, they'll love you!";
+    };
+  };
+
+  make-public-repo = name: { cgit ? {}, ... }: {
+    inherit cgit name;
+    public = true;
+  };
+
+  make-rules =
+    with git // config.krebs.users;
+    repo:
+      singleton {
+        user = [ nin nin_h ];
+        repo = [ repo ];
+        perm = push "refs/*" [ non-fast-forward create delete merge ];
+      } ++
+      optional repo.public {
+        user = attrValues config.krebs.users;
+        repo = [ repo ];
+        perm = fetch;
+      } ++
+      optional (length (repo.collaborators or []) > 0) {
+        user = repo.collaborators;
+        repo = [ repo ];
+        perm = fetch;
+      };
+
+in out
diff --git a/nin/2configs/im.nix b/nin/2configs/im.nix
new file mode 100644
index 000000000..b078dbd53
--- /dev/null
+++ b/nin/2configs/im.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+{
+  environment.systemPackages = with pkgs; [
+    (pkgs.writeDashBin "im" ''
+      export PATH=${makeSearchPath "bin" (with pkgs; [
+        tmux
+        gnugrep
+        weechat
+      ])}
+      ssh chat@onondaga
+      if tmux list-sessions -F\#S | grep -q '^im''$'; then
+        exec tmux attach -t im
+      else
+        exec tmux new -s im weechat
+      fi
+    '')
+  ];
+}
diff --git a/nin/2configs/retiolum.nix b/nin/2configs/retiolum.nix
new file mode 100644
index 000000000..821e3cc00
--- /dev/null
+++ b/nin/2configs/retiolum.nix
@@ -0,0 +1,28 @@
+{ ... }:
+
+{
+
+  krebs.iptables = {
+    tables = {
+      filter.INPUT.rules = [
+        { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
+        { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
+      ];
+    };
+  };
+
+  krebs.tinc.retiolum = {
+    enable = true;
+    connectTo = [
+      "prism"
+      "pigstarter"
+      "gum"
+      "flap"
+    ];
+  };
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    tinc = pkgs.tinc_pre;
+  };
+}
diff --git a/nin/2configs/skype.nix b/nin/2configs/skype.nix
new file mode 100644
index 000000000..621dfae82
--- /dev/null
+++ b/nin/2configs/skype.nix
@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+
+let
+  mainUser = config.users.extraUsers.nin;
+  inherit (import <stockholm/lib>) genid;
+
+in {
+  users.extraUsers = {
+    skype = {
+      name = "skype";
+      uid = genid "skype";
+      description = "user for running skype";
+      home = "/home/skype";
+      useDefaultShell = true;
+      extraGroups = [ "audio" "video" ];
+      createHome = true;
+    };
+  };
+
+  krebs.per-user.skype.packages = [
+    pkgs.skype
+  ];
+
+  security.sudo.extraConfig = ''
+    ${mainUser.name} ALL=(skype) NOPASSWD: ALL
+  '';
+}
diff --git a/nin/2configs/termite.nix b/nin/2configs/termite.nix
new file mode 100644
index 000000000..942446b01
--- /dev/null
+++ b/nin/2configs/termite.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+  environment.systemPackages = [
+    pkgs.termite
+  ];
+
+  krebs.per-user.nin.packages = let
+    termitecfg = pkgs.writeTextFile {
+      name = "termite-config";
+      destination = "/etc/xdg/termite/config";
+      text = ''
+        [colors]
+        foreground = #d0d7d0
+        background = #000000
+      '';
+    };
+  in [
+    termitecfg
+  ];
+
+}
diff --git a/nin/2configs/vim.nix b/nin/2configs/vim.nix
new file mode 100644
index 000000000..7b5d37611
--- /dev/null
+++ b/nin/2configs/vim.nix
@@ -0,0 +1,355 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+  out = {
+    environment.systemPackages = [
+      vim
+      pkgs.pythonPackages.flake8
+    ];
+
+    environment.etc.vimrc.source = vimrc;
+
+    environment.variables.EDITOR = mkForce "vim";
+    environment.variables.VIMINIT = ":so /etc/vimrc";
+  };
+
+  vimrc = pkgs.writeText "vimrc" ''
+    set nocompatible
+
+    set autoindent
+    set backspace=indent,eol,start
+    set backup
+    set backupdir=${dirs.backupdir}/
+    set directory=${dirs.swapdir}//
+    set hlsearch
+    set incsearch
+    set laststatus=2
+    set mouse=a
+    set noruler
+    set pastetoggle=<INS>
+    set runtimepath=${extra-runtimepath},$VIMRUNTIME
+    set shortmess+=I
+    set showcmd
+    set showmatch
+    set ttimeoutlen=0
+    set undodir=${dirs.undodir}
+    set undofile
+    set undolevels=1000000
+    set undoreload=1000000
+    set viminfo='20,<1000,s100,h,n${files.viminfo}
+    set visualbell
+    set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
+    set wildmenu
+    set wildmode=longest,full
+
+    set et ts=2 sts=2 sw=2
+
+    filetype plugin indent on
+
+    set t_Co=256
+    colorscheme hack
+    syntax on
+
+    au Syntax * syn match Garbage containedin=ALL /\s\+$/
+            \ | syn match TabStop containedin=ALL /\t\+/
+            \ | syn keyword Todo containedin=ALL TODO
+
+    au BufRead,BufNewFile *.hs so ${hs.vim}
+
+    au BufRead,BufNewFile *.nix so ${nix.vim}
+
+    au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
+
+    "Syntastic config
+    let g:syntastic_python_checkers=['flake8']
+
+    nmap <esc>q :buffer 
+    nmap <M-q> :buffer 
+
+    cnoremap <C-A> <Home>
+
+    noremap  <C-c> :q<cr>
+    vnoremap < <gv
+    vnoremap > >gv
+
+    nnoremap <esc>[5^  :tabp<cr>
+    nnoremap <esc>[6^  :tabn<cr>
+    nnoremap <esc>[5@  :tabm -1<cr>
+    nnoremap <esc>[6@  :tabm +1<cr>
+
+    nnoremap <f1> :tabp<cr>
+    nnoremap <f2> :tabn<cr>
+    inoremap <f1> <esc>:tabp<cr>
+    inoremap <f2> <esc>:tabn<cr>
+
+    " <C-{Up,Down,Right,Left>
+    noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
+    noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
+    noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
+    noremap <esc>Od <nop> | noremap! <esc>Od <nop>
+    " <[C]S-{Up,Down,Right,Left>
+    noremap <esc>[a <nop> | noremap! <esc>[a <nop>
+    noremap <esc>[b <nop> | noremap! <esc>[b <nop>
+    noremap <esc>[c <nop> | noremap! <esc>[c <nop>
+    noremap <esc>[d <nop> | noremap! <esc>[d <nop>
+    vnoremap u <nop>
+  '';
+
+  extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+    pkgs.vimPlugins.Syntastic
+    pkgs.vimPlugins.undotree
+    pkgs.vimPlugins.airline
+    (pkgs.vimUtils.buildVimPlugin {
+      name = "file-line-1.0";
+      src = pkgs.fetchgit {
+        url = git://github.com/bogado/file-line;
+        rev = "refs/tags/1.0";
+        sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
+      };
+    })
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "hack";
+    in {
+      name = "vim-color-${name}-1.0.2";
+      destination = "/colors/${name}.vim";
+      text = /* vim */ ''
+        set background=dark
+        hi clear
+        if exists("syntax_on")
+          syntax clear
+        endif
+
+        let colors_name = ${toJSON name}
+
+        hi Normal       ctermbg=235
+        hi Comment      ctermfg=242
+        hi Constant     ctermfg=062
+        hi Identifier   ctermfg=068
+        hi Function     ctermfg=041
+        hi Statement    ctermfg=167
+        hi PreProc      ctermfg=167
+        hi Type         ctermfg=041
+        hi Delimiter    ctermfg=251
+        hi Special      ctermfg=062
+
+        hi Garbage      ctermbg=088
+        hi TabStop      ctermbg=016
+        hi Todo         ctermfg=174 ctermbg=NONE
+
+        hi NixCode      ctermfg=148
+        hi NixData      ctermfg=149
+        hi NixQuote     ctermfg=150
+
+        hi diffNewFile  ctermfg=207
+        hi diffFile     ctermfg=207
+        hi diffLine     ctermfg=207
+        hi diffSubname  ctermfg=207
+        hi diffAdded    ctermfg=010
+        hi diffRemoved  ctermfg=009
+      '';
+    })))
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "vim";
+    in {
+      name = "vim-syntax-${name}-1.0.0";
+      destination = "/syntax/${name}.vim";
+      text = /* vim */ ''
+        ${concatMapStringsSep "\n" (s: /* vim */ ''
+          syn keyword vimColor${s} ${s}
+            \ containedin=ALLBUT,vimComment,vimLineComment
+          hi vimColor${s} ctermfg=${s}
+        '') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
+      '';
+    })))
+    ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
+      name = "showsyntax";
+    in {
+      name = "vim-plugin-${name}-1.0.0";
+      destination = "/plugin/${name}.vim";
+      text = /* vim */ ''
+        if exists('g:loaded_showsyntax')
+          finish
+        endif
+        let g:loaded_showsyntax = 0
+
+        fu! ShowSyntax()
+          let id = synID(line("."), col("."), 1)
+          let name = synIDattr(id, "name")
+          let transName = synIDattr(synIDtrans(id),"name")
+          if name != transName
+            let name .= " (" . transName . ")"
+          endif
+          echo "Syntax: " . name
+        endfu
+
+        command! -n=0 -bar ShowSyntax :call ShowSyntax()
+      '';
+    })))
+  ];
+
+  dirs = {
+    backupdir = "$HOME/.cache/vim/backup";
+    swapdir   = "$HOME/.cache/vim/swap";
+    undodir   = "$HOME/.cache/vim/undo";
+  };
+  files = {
+    viminfo   = "$HOME/.cache/vim/info";
+  };
+
+  mkdirs = let
+    dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s));
+               in assert out != ""; out;
+    alldirs = attrValues dirs ++ map dirOf (attrValues files);
+  in unique (sort lessThan alldirs);
+
+  vim = pkgs.writeDashBin "vim" ''
+    set -efu
+    (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
+    exec ${pkgs.vim}/bin/vim "$@"
+  '';
+
+
+  hs.vim = pkgs.writeText "hs.vim" ''
+    syn region String start=+\[[[:alnum:]]*|+ end=+|]+
+
+    hi link ConId Identifier
+    hi link VarId Identifier
+    hi link hsDelimiter Delimiter
+  '';
+
+  nix.vim = pkgs.writeText "nix.vim" ''
+    setf nix
+
+    " Ref <nix/src/libexpr/lexer.l>
+    syn match NixID    /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
+    syn match NixINT   /\<[0-9]\+\>/
+    syn match NixPATH  /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+    syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
+    syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
+    syn match NixURI   /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
+    syn region NixSTRING
+      \ matchgroup=NixSTRING
+      \ start='"'
+      \ skip='\\"'
+      \ end='"'
+    syn region NixIND_STRING
+      \ matchgroup=NixIND_STRING
+      \ start="'''"
+      \ skip="'''\('\|[$]\|\\[nrt]\)"
+      \ end="'''"
+
+    syn match NixOther /[():/;=.,?\[\]]/
+
+    syn match NixCommentMatch /\(^\|\s\)#.*/
+    syn region NixCommentRegion start="/\*" end="\*/"
+
+    hi link NixCode Statement
+    hi link NixData Constant
+    hi link NixComment Comment
+
+    hi link NixCommentMatch NixComment
+    hi link NixCommentRegion NixComment
+    hi link NixID NixCode
+    hi link NixINT NixData
+    hi link NixPATH NixData
+    hi link NixHPATH NixData
+    hi link NixSPATH NixData
+    hi link NixURI NixData
+    hi link NixSTRING NixData
+    hi link NixIND_STRING NixData
+
+    hi link NixEnter NixCode
+    hi link NixOther NixCode
+    hi link NixQuote NixData
+
+    syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
+    syn cluster nix_ind_strings contains=NixIND_STRING
+    syn cluster nix_strings contains=NixSTRING
+
+    ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let
+      startAlts = filter isString [
+        ''/\* ${lang} \*/''
+        extraStart
+      ];
+      sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
+    in /* vim */ ''
+      syn include @nix_${lang}_syntax syntax/${lang}.vim
+      unlet b:current_syntax
+
+      syn match nix_${lang}_sigil
+        \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
+        \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
+        \ transparent
+
+      syn region nix_${lang}_region_STRING
+        \ matchgroup=NixSTRING
+        \ start='"'
+        \ skip='\\"'
+        \ end='"'
+        \ contained
+        \ contains=@nix_${lang}_syntax
+        \ transparent
+
+      syn region nix_${lang}_region_IND_STRING
+        \ matchgroup=NixIND_STRING
+        \ start="'''"
+        \ skip="'''\('\|[$]\|\\[nrt]\)"
+        \ end="'''"
+        \ contained
+        \ contains=@nix_${lang}_syntax
+        \ transparent
+
+      syn cluster nix_ind_strings
+        \ add=nix_${lang}_region_IND_STRING
+
+      syn cluster nix_strings
+        \ add=nix_${lang}_region_STRING
+
+      syn cluster nix_has_dollar_curly
+        \ add=@nix_${lang}_syntax
+    '') {
+      c = {};
+      cabal = {};
+      haskell = {};
+      sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"'';
+      vim.extraStart =
+        ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"'';
+    })}
+
+    " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
+    syn clear shVarAssign
+
+    syn region nixINSIDE_DOLLAR_CURLY
+      \ matchgroup=NixEnter
+      \ start="[$]{"
+      \ end="}"
+      \ contains=TOP
+      \ containedin=@nix_has_dollar_curly
+      \ transparent
+
+    syn region nix_inside_curly
+      \ matchgroup=NixEnter
+      \ start="{"
+      \ end="}"
+      \ contains=TOP
+      \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
+      \ transparent
+
+    syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
+      \ containedin=@nix_ind_strings
+      \ contained
+
+    syn match NixQuote /\\./he=s+1
+      \ containedin=@nix_strings
+      \ contained
+
+    syn sync fromstart
+
+    let b:current_syntax = "nix"
+
+    set isk=@,48-57,_,192-255,-,'
+    set bg=dark
+  '';
+in
+out
diff --git a/nin/2configs/weechat.nix b/nin/2configs/weechat.nix
new file mode 100644
index 000000000..6c0fb313e
--- /dev/null
+++ b/nin/2configs/weechat.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (import <stockholm/lib>) genid;
+in {
+  krebs.per-user.chat.packages = with pkgs; [
+    mosh
+    weechat
+    tmux
+  ];
+
+  users.extraUsers.chat = {
+    home = "/home/chat";
+    uid = genid "chat";
+    useDefaultShell = true;
+    createHome = true;
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.nin.pubkey
+    ];
+  };
+}
diff --git a/nin/default.nix b/nin/default.nix
new file mode 100644
index 000000000..c31d6d949
--- /dev/null
+++ b/nin/default.nix
@@ -0,0 +1,7 @@
+_:
+{
+  imports = [
+    ../krebs
+    ./2configs
+  ];
+}
diff --git a/nin/krops.nix b/nin/krops.nix
new file mode 100644
index 000000000..d0074840a
--- /dev/null
+++ b/nin/krops.nix
@@ -0,0 +1,35 @@
+{ name }: let
+  inherit (import ../krebs/krops.nix { inherit name; })
+    krebs-source
+    lib
+    pkgs
+  ;
+
+  source = { test }: lib.evalSource [
+    krebs-source
+    {
+      nixos-config.symlink = "stockholm/nin/1systems/${name}/config.nix";
+      secrets = if test then {
+        file = toString ./0tests/dummysecrets;
+      } else {
+        pass = {
+          dir = "${lib.getEnv "HOME"}/.password-store";
+          name = "hosts/${name}";
+        };
+      };
+    }
+  ];
+
+in {
+  # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
+  deploy = pkgs.krops.writeDeploy "${name}-deploy" {
+    source = source { test = false; };
+    target = "root@${name}/var/src";
+  };
+
+  # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
+  test = { target }: pkgs.krops.writeTest "${name}-test" {
+    inherit target;
+    source = source { test = true; };
+  };
+}
-- 
cgit v1.3.1


From 6789205a6da67d62dcd406e6db63d0eced9ef4f0 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Wed, 10 Oct 2018 20:13:07 +0200
Subject: l vim: show damned NBSP

---
 lass/2configs/vim.nix | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'lass')

diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 855c30b3e..4f7bd4437 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -63,6 +63,8 @@ let
     au Syntax * syn match Garbage containedin=ALL /\s\+$/
             \ | syn match TabStop containedin=ALL /\t\+/
             \ | syn keyword Todo containedin=ALL TODO
+            \ | syn match NBSP '\%xa0'
+            \ | syn match NarrowNBSP '\%u202F'
 
     au BufRead,BufNewFile *.hs so ${hs.vim}
 
@@ -165,6 +167,8 @@ let
 
         hi Garbage      ctermbg=088
         hi TabStop      ctermbg=016
+        hi NBSP         ctermbg=094
+        hi NarrowNBSP   ctermbg=097
         hi Todo         ctermfg=174 ctermbg=NONE
 
         hi NixCode      ctermfg=148
-- 
cgit v1.3.1


From fbf7b22971eeed8683326388bd9fc5bd9d361b2a Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:32:38 +0200
Subject: l git: add go & newsbot-js

---
 lass/2configs/git.nix | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

(limited to 'lass')

diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 253c56e48..c5b5c01fb 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -50,14 +50,30 @@ let
       cgit.desc = "take a description of your disk layout and produce a format script";
       cgit.section = "software";
     };
+    go = {
+      cgit.desc = "url shortener";
+      cgit.section = "software";
+    };
     krebspage = {
       cgit.desc = "homepage of krebs";
       cgit.section = "configuration";
     };
+    krops = {
+      cgit.desc = "krebs deployment";
+      cgit.section = "software";
+    };
     news = {
       cgit.desc = "take a rss feed and a timeout and print it to stdout";
       cgit.section = "software";
     };
+    newsbot-js = {
+      cgit.desc = "print rss feeds to irc channels";
+      cgit.section = "software";
+    };
+    nix-user-chroot = {
+      cgit.desc = "Fork of nix-user-chroot by lethalman";
+      cgit.section = "software";
+    };
     nix-writers = {
       cgit.desc = "high level writers for nix";
       cgit.section = "software";
@@ -85,14 +101,6 @@ let
       cgit.desc = "Good Music collection + tools";
       cgit.section  = "art";
     };
-    nix-user-chroot = {
-      cgit.desc = "Fork of nix-user-chroot by lethalman";
-      cgit.section = "software";
-    };
-    krops = {
-      cgit.desc = "krebs deployment";
-      cgit.section = "software";
-    };
     xmonad-stockholm = {
       cgit.desc = "krebs xmonad modules";
       cgit.section = "configuration";
-- 
cgit v1.3.1


From 2861c374a49b4b3045577243fa32af048e9b50f1 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:43:02 +0200
Subject: l prism.r: use new physical.nix

---
 lass/1systems/prism/physical.nix | 84 ++++++++++++++++++----------------------
 1 file changed, 38 insertions(+), 46 deletions(-)

(limited to 'lass')

diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 83f127c22..56348d0ab 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -3,27 +3,39 @@
   imports = [
     ./config.nix
     {
-      networking.interfaces.et0.ipv4.addresses = [
-        {
-          address = config.krebs.build.host.nets.internet.ip4.addr;
+      boot.kernelParams = [ "net.ifnames=0" ];
+      networking = {
+        defaultGateway = "46.4.114.225";
+        # Use google's public DNS server
+        nameservers = [ "8.8.8.8" ];
+        interfaces.eth0 = {
+          ipAddress = "46.4.114.247";
           prefixLength = 27;
-        }
-        {
-          address = "46.4.114.243";
-          prefixLength = 27;
-        }
-      ];
-      networking.defaultGateway = "46.4.114.225";
-      networking.nameservers = [
-        "8.8.8.8"
-      ];
-      services.udev.extraRules = ''
-        SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
-      '';
+        };
+      };
+      # TODO use this network config
+      #networking.interfaces.et0.ipv4.addresses = [
+      #  {
+      #    address = config.krebs.build.host.nets.internet.ip4.addr;
+      #    prefixLength = 27;
+      #  }
+      #  {
+      #    address = "46.4.114.243";
+      #    prefixLength = 27;
+      #  }
+      #];
+      #networking.defaultGateway = "46.4.114.225";
+      #networking.nameservers = [
+      #  "8.8.8.8"
+      #];
+      #services.udev.extraRules = ''
+      #  SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
+      #'';
     }
     {
       imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
 
+      networking.hostId = "fb4173ea";
       boot.loader.grub = {
         devices = [
           "/dev/sda"
@@ -40,45 +52,25 @@
 
       boot.kernelModules = [ "kvm-intel" ];
 
-      fileSystems."/" = {
-        device = "/dev/pool/nix_root";
-        fsType = "ext4";
-      };
-
-      fileSystems."/tmp" = {
-        device = "tmpfs";
-        fsType = "tmpfs";
-        options = ["nosuid" "nodev" "noatime"];
-      };
-
-      fileSystems."/var/download" = {
-        device = "/dev/pool/download";
-        fsType = "ext4";
-      };
+      sound.enable = false;
+      nixpkgs.config.allowUnfree = true;
+      time.timeZone = "Europe/Berlin";
 
-      fileSystems."/srv/http" = {
-        device = "/dev/pool/http";
-        fsType = "ext4";
+      fileSystems."/" = {
+        device = "rpool/root/nixos";
+        fsType = "zfs";
       };
 
       fileSystems."/home" = {
-        device = "/dev/pool/home";
-        fsType = "ext4";
+        device = "rpool/home";
+        fsType = "zfs";
       };
 
-      fileSystems."/bku" = {
-        device = "/dev/pool/bku";
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d";
         fsType = "ext4";
       };
 
-      swapDevices = [
-        { label = "swap1"; }
-        { label = "swap2"; }
-      ];
-
-      sound.enable = false;
-      nixpkgs.config.allowUnfree = true;
-      time.timeZone = "Europe/Berlin";
     }
   ];
 
-- 
cgit v1.3.1


From fbf45bca1f13696019386144d5796cca80bb0351 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:43:39 +0200
Subject: l mail: add notmuch to pkgs

---
 lass/2configs/mail.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lass')

diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 9246abfed..e50689254 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -210,6 +210,7 @@ in {
   environment.systemPackages = [
     msmtp
     mutt
+    pkgs.notmuch
     pkgs.much
     tag-new-mails
     tag-old-mails
-- 
cgit v1.3.1


From 9aaa04783aa3eb339822f2fe80353758fa433ff9 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:43:58 +0200
Subject: l urxvt: fix saveLines

---
 lass/2configs/urxvt.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix
index fa63ddf25..82f3fb2e6 100644
--- a/lass/2configs/urxvt.nix
+++ b/lass/2configs/urxvt.nix
@@ -5,7 +5,7 @@ with import <stockholm/lib>;
   services.urxvtd.enable = true;
 
   krebs.xresources.resources.urxvt = ''
-    URxvt*SaveLines: 1000000
+    URxvt.saveLines:            100000
     URxvt*scrollBar:            false
     URxvt*urgentOnBell:         true
     URxvt.perl-ext-common:      default,clipboard,url-select,keyboard-select
-- 
cgit v1.3.1


From 55439da05492618e190d7fad361fd550c50619e8 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:44:33 +0200
Subject: l websites domsen: ensure databases & users exist

---
 lass/2configs/websites/domsen.nix | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'lass')

diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index e1c1313ea..828cab95f 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -66,6 +66,12 @@ in {
     ])
   ];
 
+  services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ];
+  services.mysql.ensureUsers = [
+    { ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
+    { ensurePermissions = { "o_ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
+  ];
+
   services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
     try_files $uri $uri/ /index.php?$args;
   '';
-- 
cgit v1.3.1


From 153648682697aafe89ef7eb69805ae8e6a25bc39 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:45:09 +0200
Subject: l websites lassulus: add lass-mors to auhtorized keys

---
 lass/2configs/websites/lassulus.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'lass')

diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 4c29831a2..b72b20928 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -145,8 +145,9 @@ in {
     home = "/srv/http/lassul.us";
     useDefaultShell = true;
     createHome = true;
-    openssh.authorizedKeys.keys = [
-      config.krebs.users.lass.pubkey
+    openssh.authorizedKeys.keys = with config.krebs.users; [
+      lass.pubkey
+      lass-mors.pubkey
     ];
   };
 }
-- 
cgit v1.3.1


From fc799f61f17014e61f5bd602c5e44f7412660c28 Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:45:38 +0200
Subject: l krops: add optional target argument to deploy

---
 lass/krops.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lass')

diff --git a/lass/krops.nix b/lass/krops.nix
index 13b10e253..a898164c3 100644
--- a/lass/krops.nix
+++ b/lass/krops.nix
@@ -22,9 +22,9 @@
 
 in {
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
-  deploy = pkgs.krops.writeDeploy "${name}-deploy" {
+  deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
     source = source { test = false; };
-    target = "root@${name}/var/src";
+    inherit target;
   };
 
   # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
-- 
cgit v1.3.1


From 24f4e8dcf0eca55378fa018a9ed980625222653d Mon Sep 17 00:00:00 2001
From: lassulus <lass@blue.r>
Date: Tue, 23 Oct 2018 15:47:06 +0200
Subject: l xjail: use sudo again until fixed

---
 lass/3modules/xjail.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'lass')

diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index 5b450ed42..974e11c6e 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -120,10 +120,13 @@ with import <stockholm/lib>;
           ${pkgs.coreutils}/bin/kill $WM_PID
           ${pkgs.coreutils}/bin/kill $XEPHYR_PID
         '';
+        # TODO fix xephyr which doesn't honor resizes anymore
         sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
           /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
         '' else ''
-          /var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
+          #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
+          /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
+
         '');
         vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
           DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
@@ -163,7 +166,7 @@ with import <stockholm/lib>;
 
     lass.xjail-bins = mapAttrs' (name: cfg:
       nameValuePair name (pkgs.writeScriptBin cfg.name ''
-        ${scripts.${name}.existing} "$@"
+        ${scripts.${name}.sudo} "$@"
       '')
     ) config.lass.xjail;
   };
-- 
cgit v1.3.1


From e39e8318b647a737fe759aa37ef35d18901c8efd Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 4 Nov 2018 18:26:04 +0100
Subject: l: prism.r -> archprism.r, new prism.r

---
 krebs/3modules/lass/default.nix      |  42 ++++-
 lass/1systems/archprism/config.nix   | 356 +++++++++++++++++++++++++++++++++++
 lass/1systems/archprism/physical.nix |  77 ++++++++
 3 files changed, 474 insertions(+), 1 deletion(-)
 create mode 100644 lass/1systems/archprism/config.nix
 create mode 100644 lass/1systems/archprism/physical.nix

(limited to 'lass')

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 4d382cfd3..9b9f052a5 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -38,7 +38,7 @@ with import <stockholm/lib>;
       };
       nets = rec {
         internet = {
-          ip4.addr = "46.4.114.247";
+          ip4.addr = "95.216.1.150";
           aliases = [
             "prism.i"
             "paste.i"
@@ -87,6 +87,46 @@ with import <stockholm/lib>;
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
     };
+
+    archprism = {
+      cores = 1;
+      nets = rec {
+        internet = {
+          ip4.addr = "46.4.114.247";
+          aliases = [
+            "archprism.i"
+          ];
+          ssh.port = 45621;
+        };
+        retiolum = {
+          via = internet;
+          ip4.addr = "10.243.0.123";
+          ip6.addr = "42:0:0:0:0:0:0:123";
+          aliases = [
+            "archprism.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6dK0jsPSb7kWMGjfyWbG
+            wQYYt8vi5pY/1/Ohk0iy84+mfb1SCJdm5IOC4WXgHtmfd468OluUpU5etAu13D3n
+            f0iDeCuohH0uTjP+EojnKrAXYTiTRpySqXjVmhaWwFyMAACFdzKFb9cgMoByrP0U
+            5qruBcupK8Zwxt+Pe8IadRpPuOmz/bMYS7r+NKwybttoIX+YVm4myNzqdtMT77+H
+            BYR2mzW99T5YI54YZoCe0+XiIEQsosd6IL/9dP0+6vku6nHLD4qb81Q9AgaT+hte
+            s/ivHL+Fe2GULEQUi8aoEfXrPwnGFVY+QYxLw2G9A0Gfe9KnYBXDn99HXUGcFu2l
+            x7duN6mnT3WNC6VReh9m5+rPMnih/3l82W0tH1lBWUtdKcxx6yhkyUFgKOvkm4UP
+            gf1+EIpxf+bM7jlWylKGc+bD+dTMFV+tzHE6qHlcnzdZQrhYd0zjOXGnm4Kl1ec5
+            GSlpmqTcjgR+42l6frAENo3fndqYw1WkDtswImDz3Wjuco7BiOULHTJvQN+Ao1DI
+            l2MQDOWJoN4eYIE4XPqLSvdOSavHQB2WGv+dFDDpWOxnDLNi19aubtynIfpGJXxV
+            L8s9kUTG00Hdv08BG06hGt0+2Sy1PTVniDcTftHKmEOPS6Y5rJzQih7JdakSUQCc
+            6j/HwgWTf85Io/tbVMTNtkECAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
+    };
+
     domsen-nas = {
       ci = false;
       monitoring = false;
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
new file mode 100644
index 000000000..0a286c6f0
--- /dev/null
+++ b/lass/1systems/archprism/config.nix
@@ -0,0 +1,356 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/libvirt.nix>
+    {
+      services.nginx.enable = true;
+      imports = [
+        <stockholm/lass/2configs/websites/domsen.nix>
+        <stockholm/lass/2configs/websites/lassulus.nix>
+      ];
+      # needed by domsen.nix ^^
+      lass.usershadow = {
+        enable = true;
+      };
+
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+         { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
+      ];
+    }
+    { # TODO make new hfos.nix out of this vv
+      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+      users.users.riot = {
+        uid = genid "riot";
+        isNormalUser = true;
+        extraGroups = [ "libvirtd" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+        ];
+      };
+
+      # TODO write function for proxy_pass (ssl/nonssl)
+
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
+      ];
+    }
+    {
+      users.users.tv = {
+        uid = genid "tv";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.tv.pubkey
+        ];
+      };
+      users.users.makefu = {
+        uid = genid "makefu";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.makefu.pubkey
+        ];
+      };
+      users.users.nin = {
+        uid = genid "nin";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+      };
+      users.extraUsers.dritter = {
+        uid = genid "dritter";
+        isNormalUser = true;
+        extraGroups = [
+          "download"
+        ];
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
+        ];
+      };
+      users.extraUsers.juhulian = {
+        uid = 1339;
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
+        ];
+      };
+      users.users.hellrazor = {
+        uid = genid "hellrazor";
+        isNormalUser = true;
+        extraGroups = [
+          "download"
+        ];
+        openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ];
+      };
+    }
+    {
+      #hotdog
+      systemd.services."container@hotdog".reloadIfChanged = mkForce false;
+      containers.hotdog = {
+        config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+          ];
+        };
+        autoStart = true;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.1";
+        localAddress = "10.233.2.2";
+      };
+    }
+    {
+      #onondaga
+      systemd.services."container@onondaga".reloadIfChanged = mkForce false;
+      containers.onondaga = {
+        config = { ... }: {
+          imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+            config.krebs.users.nin.pubkey
+          ];
+        };
+        autoStart = true;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.5";
+        localAddress = "10.233.2.6";
+      };
+    }
+    <stockholm/lass/2configs/exim-smarthost.nix>
+    <stockholm/lass/2configs/ts3.nix>
+    <stockholm/lass/2configs/privoxy-retiolum.nix>
+    <stockholm/lass/2configs/radio.nix>
+    <stockholm/lass/2configs/binary-cache/server.nix>
+    <stockholm/lass/2configs/iodined.nix>
+    <stockholm/lass/2configs/paste.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/reaktor-coders.nix>
+    <stockholm/lass/2configs/ciko.nix>
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/monitoring/prometheus-server.nix>
+    { # quasi bepasty.nix
+      imports = [
+        <stockholm/lass/2configs/bepasty.nix>
+      ];
+      krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+        if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+          return 403;
+        }
+      '';
+    }
+    {
+      services.tor = {
+        enable = true;
+      };
+    }
+    {
+      lass.ejabberd = {
+        enable = true;
+        hosts = [ "lassul.us" ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
+      ];
+    }
+    {
+      imports = [
+        <stockholm/lass/2configs/realwallpaper.nix>
+      ];
+      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+        alias /var/realwallpaper/realwallpaper.png;
+      '';
+    }
+    {
+      users.users.jeschli = {
+        uid = genid "jeschli";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = with config.krebs.users; [
+          jeschli.pubkey
+          jeschli-bln.pubkey
+          jeschli-bolide.pubkey
+          jeschli-brauerei.pubkey
+        ];
+      };
+      krebs.git.rules = [
+        {
+          user = with config.krebs.users; [
+            jeschli
+            jeschli-bln
+            jeschli-bolide
+            jeschli-brauerei
+          ];
+          repo = [ config.krebs.git.repos.xmonad-stockholm ];
+          perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+        }
+        {
+          user = with config.krebs.users; [
+            jeschli
+            jeschli-bln
+            jeschli-bolide
+            jeschli-brauerei
+          ];
+          repo = [ config.krebs.git.repos.stockholm ];
+          perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+        }
+      ];
+    }
+    {
+      krebs.repo-sync.repos.stockholm.timerConfig = {
+        OnBootSec = "5min";
+        OnUnitInactiveSec = "2min";
+        RandomizedDelaySec = "2min";
+      };
+    }
+    <stockholm/lass/2configs/downloading.nix>
+    <stockholm/lass/2configs/minecraft.nix>
+    {
+      services.taskserver = {
+        enable = true;
+        fqdn = "lassul.us";
+        listenHost = "::";
+        listenPort = 53589;
+        organisations.lass.users = [ "lass" "android" ];
+      };
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
+      ];
+    }
+    #<stockholm/lass/2configs/go.nix>
+    {
+      environment.systemPackages = [ pkgs.cryptsetup ];
+      systemd.services."container@red".reloadIfChanged = mkForce false;
+      containers.red = {
+        config = { ... }: {
+          environment.systemPackages = [ pkgs.git ];
+          services.openssh.enable = true;
+          users.users.root.openssh.authorizedKeys.keys = [
+            config.krebs.users.lass.pubkey
+          ];
+        };
+        autoStart = false;
+        enableTun = true;
+        privateNetwork = true;
+        hostAddress = "10.233.2.3";
+        localAddress = "10.233.2.4";
+      };
+      services.nginx.virtualHosts."rote-allez-fraktion.de" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          extraConfig = ''
+            proxy_set_header Host rote-allez-fraktion.de;
+            proxy_pass http://10.233.2.4;
+          '';
+        };
+      };
+    }
+    #{
+    #  imports = [ <stockholm/lass/2configs/backup.nix> ];
+    #  lass.restic = genAttrs [
+    #    "daedalus"
+    #    "icarus"
+    #    "littleT"
+    #    "mors"
+    #    "shodan"
+    #    "skynet"
+    #  ] (dest: {
+    #    dirs = [
+    #      "/home/chat/.weechat"
+    #      "/bku/sql_dumps"
+    #    ];
+    #    passwordFile = (toString <secrets>) + "/restic/${dest}";
+    #    repo = "sftp:backup@${dest}.r:/backups/prism";
+    #    extraArguments = [
+    #      "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+    #    ];
+    #    timerConfig = {
+    #      OnCalendar = "00:05";
+    #      RandomizedDelaySec = "5h";
+    #    };
+    #  });
+    #}
+    {
+      users.users.download.openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse"
+      ];
+    }
+    {
+    }
+    {
+      lass.nichtparasoup.enable = true;
+      services.nginx = {
+        enable = true;
+        virtualHosts."lol.lassul.us" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".extraConfig = ''
+            proxy_pass http://localhost:5001;
+          '';
+        };
+      };
+    }
+    {
+      krebs.iptables.tables.filter.INPUT.rules = [
+         { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+        { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.POSTROUTING.rules = [
+        { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
+      ];
+      networking.wireguard.interfaces.wg0 = {
+        ips = [ "10.244.1.1/24" ];
+        listenPort = 51820;
+        privateKeyFile = (toString <secrets>) + "/wireguard.key";
+        allowedIPsAsRoutes = true;
+        peers = [
+          {
+            # lass-android
+            allowedIPs = [ "10.244.1.2/32" ];
+            publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
+          }
+        ];
+      };
+    }
+    {
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+      ];
+    }
+    {
+      services.murmur.enable = true;
+      services.murmur.registerName = "lassul.us";
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
+      ];
+
+    }
+  ];
+
+  krebs.build.host = config.krebs.hosts.archprism;
+  services.earlyoom = {
+    enable = true;
+    freeMemThreshold = 5;
+  };
+}
diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix
new file mode 100644
index 000000000..56348d0ab
--- /dev/null
+++ b/lass/1systems/archprism/physical.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./config.nix
+    {
+      boot.kernelParams = [ "net.ifnames=0" ];
+      networking = {
+        defaultGateway = "46.4.114.225";
+        # Use google's public DNS server
+        nameservers = [ "8.8.8.8" ];
+        interfaces.eth0 = {
+          ipAddress = "46.4.114.247";
+          prefixLength = 27;
+        };
+      };
+      # TODO use this network config
+      #networking.interfaces.et0.ipv4.addresses = [
+      #  {
+      #    address = config.krebs.build.host.nets.internet.ip4.addr;
+      #    prefixLength = 27;
+      #  }
+      #  {
+      #    address = "46.4.114.243";
+      #    prefixLength = 27;
+      #  }
+      #];
+      #networking.defaultGateway = "46.4.114.225";
+      #networking.nameservers = [
+      #  "8.8.8.8"
+      #];
+      #services.udev.extraRules = ''
+      #  SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
+      #'';
+    }
+    {
+      imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+      networking.hostId = "fb4173ea";
+      boot.loader.grub = {
+        devices = [
+          "/dev/sda"
+          "/dev/sdb"
+        ];
+        splashImage = null;
+      };
+
+      boot.initrd.availableKernelModules = [
+        "ata_piix"
+        "vmw_pvscsi"
+        "ahci" "sd_mod"
+      ];
+
+      boot.kernelModules = [ "kvm-intel" ];
+
+      sound.enable = false;
+      nixpkgs.config.allowUnfree = true;
+      time.timeZone = "Europe/Berlin";
+
+      fileSystems."/" = {
+        device = "rpool/root/nixos";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d";
+        fsType = "ext4";
+      };
+
+    }
+  ];
+
+}
-- 
cgit v1.3.1


From 5297f29d422aebc10727c929126d54f4aee8daee Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 4 Nov 2018 19:13:46 +0100
Subject: l baseX: remove broken pkgs.push

---
 lass/2configs/baseX.nix | 1 -
 1 file changed, 1 deletion(-)

(limited to 'lass')

diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index e8a2539f3..9b44e8f0e 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -74,7 +74,6 @@ in {
     nmap
     pavucontrol
     powertop
-    push
     rxvt_unicode_with-plugins
     sxiv
     taskwarrior
-- 
cgit v1.3.1