24 files changed, 410 insertions, 140 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 05982bd54..4b17c4abd 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -201,7 +201,7 @@ let
           })
         //
         # GitHub's IPv4 address range is 192.30.252.0/22
-        # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+        # Refs https://help.github.com/articles/github-s-ip-addresses/
         # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
         # Because line length is limited by OPENSSH_LINE_MAX (= 8192),
         # we split each /24 into its own entry.
diff --git a/krebs/5pkgs/bepasty-client-cli/default.nix b/krebs/5pkgs/bepasty-client-cli/default.nix
index 990f99af6..c58e637b3 100644
--- a/krebs/5pkgs/bepasty-client-cli/default.nix
+++ b/krebs/5pkgs/bepasty-client-cli/default.nix
@@ -1,17 +1,18 @@
-{ lib, pkgs, pythonPackages, fetchurl, ... }:
+{ lib, pkgs, pythonPackages, fetchFromGitHub, ... }:
 
 with pythonPackages; buildPythonPackage rec {
-  name = "bepasty-client-cli-${version}";
-  version = "0.3.0";
+  name = "bepasty-client-cli";
   propagatedBuildInputs = [
     python_magic
     click
     requests2
   ];
 
-  src = fetchurl {
-    url = "https://pypi.python.org/packages/source/b/bepasty-client-cli/bepasty-client-cli-${version}.tar.gz";
-    sha256 = "002kcplyfnmr5pn2ywdfilss0rmbm8wcdzz8hzp03ksy2zr4sdbw";
+  src = fetchFromGitHub {
+    owner = "bepasty";
+    repo = "bepasty-client-cli";
+    rev = "4b7135ba8ba1e17501de08ad7b6aca73c0d949d2";
+    sha256 = "1svchyk9zai1vip9ppm12jm7wfjbdr9ijhgcd2n10xh73jrn9cnc";
   };
 
   meta = {
diff --git a/lass/1systems/icarus.nix b/lass/1systems/icarus.nix
index 3998fc177..7f632e9bf 100644
--- a/lass/1systems/icarus.nix
+++ b/lass/1systems/icarus.nix
@@ -14,15 +14,6 @@ with import <stockholm/lib>;
     ../2configs/fetchWallpaper.nix
     ../2configs/backups.nix
     ../2configs/games.nix
-    #{
-    #  users.extraUsers = {
-    #    root = {
-    #      openssh.authorizedKeys.keys = map readFile [
-    #        ../../krebs/Zpubkeys/uriel.ssh.pub
-    #      ];
-    #    };
-    #  };
-    #}
   ];
 
   krebs.build.host = config.krebs.hosts.icarus;
@@ -32,19 +23,28 @@ with import <stockholm/lib>;
     loader.grub.version = 2;
     loader.grub.device = "/dev/sda";
 
-    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
+    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
     initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
     initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
-    #kernelModules = [ "kvm-intel" "msr" ];
   };
   fileSystems = {
     "/" = {
-      device = "/dev/pool/nix";
+      device = "/dev/mapper/pool-root";
       fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/bku" = {
+      device = "/dev/mapper/pool-bku";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/home" = {
+      device = "/dev/mapper/pool-home";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
-
     "/boot" = {
-      device = "/dev/sda1";
+      device = "/dev/sda2";
     };
     "/tmp" = {
       device = "tmpfs";
@@ -54,7 +54,7 @@ with import <stockholm/lib>;
   };
 
   services.udev.extraRules = ''
-    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
-    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
+    SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
+    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
   '';
 }
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 012bd359f..dde867eb3 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -256,11 +256,6 @@ with import <stockholm/lib>;
       fsType = "ext4";
     };
 
-    "/bku" = {
-      device = "/dev/big/backups";
-      fsType = "ext4";
-    };
-
     "/home/games/.local/share/Steam" = {
       device = "/dev/big/steam";
       fsType = "ext4";
@@ -289,7 +284,7 @@ with import <stockholm/lib>;
 
   services.udev.extraRules = ''
     SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
-    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:85:c9", NAME="et0"
+    SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
   '';
 
   #TODO activationScripts seem broken, fix them!
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index d07acebee..34d81f099 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -226,6 +226,39 @@ in {
         enable = true;
       };
     }
+    {
+      users.users.nin = {
+        uid = genid "nin";
+        inherit (config.krebs.users.nin) home;
+        group = "users";
+        createHome = true;
+        useDefaultShell = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+        extraGroups = [
+          "libvirtd"
+        ];
+      };
+      krebs.git.rules = [
+        {
+          user = [ config.krebs.users.nin ];
+          repo = [ config.krebs.git.repos.stockholm ];
+          perm = with git; push "refs/heads/nin" [ fast-forward non-fast-forward create delete merge ];
+        }
+      ];
+      krebs.repo-sync.repos.stockholm.nin = {
+        origin.url = "http://cgit.prism/stockholm";
+        origin.ref = "heads/nin";
+        mirror.url = "git@${config.networking.hostName}:stockholm";
+      };
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
+      ];
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+      ];
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index a67c25145..e879e8e58 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -7,6 +7,7 @@ in {
     ./xserver
     ./mpv.nix
     ./power-action.nix
+    ./screenlock.nix
     {
       hardware.pulseaudio = {
         enable = true;
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 1cb68a985..63114cdb1 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -9,7 +9,6 @@ with import <stockholm/lib>;
     ../2configs/mc.nix
     ../2configs/nixpkgs.nix
     ../2configs/vim.nix
-    ../2configs/zsh.nix
     ./backups.nix
     {
       users.extraUsers =
@@ -162,13 +161,17 @@ with import <stockholm/lib>;
     promptInit = ''
       if test $UID = 0; then
         PS1='\[\033[1;31m\]\w\[\033[0m\] '
+        PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
       elif test $UID = 1337; then
         PS1='\[\033[1;32m\]\w\[\033[0m\] '
+        PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"'
       else
         PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
+        PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
       fi
       if test -n "$SSH_CLIENT"; then
         PS1='\[\033[35m\]\h'" $PS1"
+        PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"'
       fi
     '';
   };
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index a724e2e45..fc5acce31 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -8,5 +8,9 @@ in {
     unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
     url = "prism/wallpaper.png";
   };
+  systemd.services.fetchWallpaper = {
+    after = [ "xserver.service" ];
+    wantedBy = [ "xserver.service" ];
+  };
 }
 
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index ded0922b8..d7ec39f2d 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -56,7 +56,8 @@ let
         channel = "#retiolum";
         server = "ni.r";
         verbose = config.krebs.build.host.name == "prism";
-        branches = [ "master" ];
+        # TODO define branches in some kind of option per repo
+        branches = [ "master" "newest" "nin" ];
       };
     };
   };
diff --git a/lass/2configs/hw/tp-x220.nix b/lass/2configs/hw/tp-x220.nix
index 4a7d0bbcd..44b2dcac1 100644
--- a/lass/2configs/hw/tp-x220.nix
+++ b/lass/2configs/hw/tp-x220.nix
@@ -36,6 +36,7 @@ with import <stockholm/lib>;
   boot = {
     kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
     extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
+    kernelParams = [ "acpi_backlight=none" ];
   };
 
   hardware.opengl.extraPackages = [
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index a33e69bf8..27b7c2439 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -2,7 +2,7 @@
 
 {
   krebs.build.source.nixpkgs.git = {
-    url = https://github.com/lassulus/nixpkgs;
-    ref = "d98b556864f2b3a634e39ed1ae29f47c0e3fae35";
+    url = https://github.com/nixos/nixpkgs;
+    ref = "39098270855c171f0824c09d071b606ae991ff87";
   };
 }
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index eba40532d..7a7bf95be 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -16,9 +16,9 @@
     enable = true;
     connectTo = [
       "prism"
-      "pigstarter"
       "gum"
-      "flap"
+      "ni"
+      "dishfire"
     ];
   };
 
diff --git a/lass/2configs/screenlock.nix b/lass/2configs/screenlock.nix
new file mode 100644
index 000000000..237127f69
--- /dev/null
+++ b/lass/2configs/screenlock.nix
@@ -0,0 +1,17 @@
+{ pkgs, config, ... }:
+
+{
+  systemd.services.screenlock = {
+    before = [ "sleep.target" ];
+    wantedBy = [ "sleep.target" ];
+    environment = {
+      DISPLAY = ":${toString config.services.xserver.display}";
+    };
+    serviceConfig = {
+      SyslogIdentifier = "screenlock";
+      ExecStart = "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f";
+      Type = "forking";
+      User = "lass";
+    };
+  };
+}
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index f79e6b807..c3eac8f38 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -14,6 +14,91 @@ let
     environment.variables.VIMINIT = ":so /etc/vimrc";
   };
 
+  vimrc = pkgs.writeText "vimrc" ''
+    set nocompatible
+
+    set autoindent
+    set backspace=indent,eol,start
+    set backup
+    set backupdir=${dirs.backupdir}/
+    set directory=${dirs.swapdir}//
+    set hlsearch
+    set incsearch
+    set mouse=a
+    set noruler
+    set pastetoggle=<INS>
+    set runtimepath=${extra-runtimepath},$VIMRUNTIME
+    set shortmess+=I
+    set showcmd
+    set showmatch
+    set ttimeoutlen=0
+    set undodir=${dirs.undodir}
+    set undofile
+    set undolevels=1000000
+    set undoreload=1000000
+    set viminfo='20,<1000,s100,h,n${files.viminfo}
+    set visualbell
+    set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
+    set wildmenu
+    set wildmode=longest,full
+
+    set title
+    set titleold=
+    set titlestring=(vim)\ %t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername}
+
+    set et ts=2 sts=2 sw=2
+
+    filetype plugin indent on
+
+    set t_Co=256
+    colorscheme hack
+    syntax on
+
+    au Syntax * syn match Garbage containedin=ALL /\s\+$/
+            \ | syn match TabStop containedin=ALL /\t\+/
+            \ | syn keyword Todo containedin=ALL TODO
+
+    au BufRead,BufNewFile *.hs so ${hs.vim}
+
+    au BufRead,BufNewFile *.nix so ${nix.vim}
+
+    au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
+
+    "Syntastic config
+    let g:syntastic_python_checkers=['flake8']
+
+    nmap <esc>q :buffer 
+    nmap <M-q> :buffer 
+
+    cnoremap <C-A> <Home>
+
+    noremap  <C-c> :q<cr>
+    vnoremap < <gv
+    vnoremap > >gv
+
+    nnoremap <esc>[5^  :tabp<cr>
+    nnoremap <esc>[6^  :tabn<cr>
+    nnoremap <esc>[5@  :tabm -1<cr>
+    nnoremap <esc>[6@  :tabm +1<cr>
+
+    nnoremap <f1> :tabp<cr>
+    nnoremap <f2> :tabn<cr>
+    inoremap <f1> <esc>:tabp<cr>
+    inoremap <f2> <esc>:tabn<cr>
+
+    " <C-{Up,Down,Right,Left>
+    noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
+    noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
+    noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
+    noremap <esc>Od <nop> | noremap! <esc>Od <nop>
+    " <[C]S-{Up,Down,Right,Left>
+    noremap <esc>[a <nop> | noremap! <esc>[a <nop>
+    noremap <esc>[b <nop> | noremap! <esc>[b <nop>
+    noremap <esc>[c <nop> | noremap! <esc>[c <nop>
+    noremap <esc>[d <nop> | noremap! <esc>[d <nop>
+    vnoremap u <nop>
+  '';
+
   extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
     pkgs.vimPlugins.Gundo
     pkgs.vimPlugins.Syntastic
@@ -127,87 +212,6 @@ let
     exec ${pkgs.vim}/bin/vim "$@"
   '';
 
-  vimrc = pkgs.writeText "vimrc" ''
-    set nocompatible
-
-    set autoindent
-    set backspace=indent,eol,start
-    set backup
-    set backupdir=${dirs.backupdir}/
-    set directory=${dirs.swapdir}//
-    set hlsearch
-    set incsearch
-    set mouse=a
-    set noruler
-    set pastetoggle=<INS>
-    set runtimepath=${extra-runtimepath},$VIMRUNTIME
-    set shortmess+=I
-    set showcmd
-    set showmatch
-    set ttimeoutlen=0
-    set undodir=${dirs.undodir}
-    set undofile
-    set undolevels=1000000
-    set undoreload=1000000
-    set viminfo='20,<1000,s100,h,n${files.viminfo}
-    set visualbell
-    set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o
-    set wildmenu
-    set wildmode=longest,full
-
-    set et ts=2 sts=2 sw=2
-
-    filetype plugin indent on
-
-    set t_Co=256
-    colorscheme hack
-    syntax on
-
-    au Syntax * syn match Garbage containedin=ALL /\s\+$/
-            \ | syn match TabStop containedin=ALL /\t\+/
-            \ | syn keyword Todo containedin=ALL TODO
-
-    au BufRead,BufNewFile *.hs so ${hs.vim}
-
-    au BufRead,BufNewFile *.nix so ${nix.vim}
-
-    au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
-
-    "Syntastic config
-    let g:syntastic_python_checkers=['flake8']
-
-    nmap <esc>q :buffer 
-    nmap <M-q> :buffer 
-
-    cnoremap <C-A> <Home>
-
-    noremap  <C-c> :q<cr>
-    vnoremap < <gv
-    vnoremap > >gv
-
-    nnoremap <esc>[5^  :tabp<cr>
-    nnoremap <esc>[6^  :tabn<cr>
-    nnoremap <esc>[5@  :tabm -1<cr>
-    nnoremap <esc>[6@  :tabm +1<cr>
-
-    nnoremap <f1> :tabp<cr>
-    nnoremap <f2> :tabn<cr>
-    inoremap <f1> <esc>:tabp<cr>
-    inoremap <f2> <esc>:tabn<cr>
-
-    " <C-{Up,Down,Right,Left>
-    noremap <esc>Oa <nop> | noremap! <esc>Oa <nop>
-    noremap <esc>Ob <nop> | noremap! <esc>Ob <nop>
-    noremap <esc>Oc <nop> | noremap! <esc>Oc <nop>
-    noremap <esc>Od <nop> | noremap! <esc>Od <nop>
-    " <[C]S-{Up,Down,Right,Left>
-    noremap <esc>[a <nop> | noremap! <esc>[a <nop>
-    noremap <esc>[b <nop> | noremap! <esc>[b <nop>
-    noremap <esc>[c <nop> | noremap! <esc>[c <nop>
-    noremap <esc>[d <nop> | noremap! <esc>[d <nop>
-    vnoremap u <nop>
-  '';
-
   hs.vim = pkgs.writeText "hs.vim" ''
     syn region String start=+\[[[:alnum:]]*|+ end=+|]+
 
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 71eae5b71..e79973a66 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -57,14 +57,15 @@ in {
       "www.illucloud.de"
       "www.illucloud.com"
       "www.ubikmedia.de"
+      "aldona2.ubikmedia.de"
       "apanowicz.ubikmedia.de"
-      "karlaskop.ubikmedia.de"
-      "nb.ubikmedia.de"
       "cinevita.ubikmedia.de"
       "factscloud.ubikmedia.de"
-      "youthtube.ubikmedia.de"
-      "aldona2.ubikmedia.de"
       "illucloud.ubikmedia.de"
+      "joemisch.ubikmedia.de"
+      "karlaskop.ubikmedia.de"
+      "nb.ubikmedia.de"
+      "youthtube.ubikmedia.de"
     ])
   ];
 
@@ -111,17 +112,26 @@ in {
     '';
     internet-aliases = [
       { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
+      { from = "dma@ubikmedia.de"; to = "domsen"; }
+      { from = "dma@ubikmedia.eu"; to = "domsen"; }
       { from = "mail@jla-trading.com"; to = "jla-trading"; }
+      { from = "jms@ubikmedia.eu"; to = "jms"; }
+      { from = "ms@ubikmedia.eu"; to = "ms"; }
+      { from = "nrg@ubikmedia.eu"; to = "nrg"; }
+      { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms, nrg"; }
+
+      { from = "testuser@lassul.us"; to = "testuser"; }
     ];
     sender_domains = [
       "jla-trading.com"
+      "ubikmedia.eu"
     ];
     ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
     ssl_key = "/var/lib/acme/lassul.us/key.pem";
   };
 
   users.users.domsen = {
-    uid = genid "domsen";
+    uid = genid_signed "domsen";
     description = "maintenance acc for domsen";
     home = "/home/domsen";
     useDefaultShell = true;
@@ -130,10 +140,38 @@ in {
   };
 
   users.users.jla-trading = {
-    uid = genid "jla-trading";
+    uid = genid_signed "jla-trading";
     home = "/home/jla-trading";
     useDefaultShell = true;
     createHome = true;
   };
+
+  users.users.jms = {
+    uid = genid_signed "jms";
+    home = "/home/jms";
+    useDefaultShell = true;
+    createHome = true;
+  };
+
+  users.users.ms = {
+    uid = genid_signed "ms";
+    home = "/home/ms";
+    useDefaultShell = true;
+    createHome = true;
+  };
+
+  users.users.nrg = {
+    uid = genid_signed "nrg";
+    home = "/home/nrg";
+    useDefaultShell = true;
+    createHome = true;
+  };
+
+  users.users.testuser = {
+    uid = genid_signed "testuser";
+    home = "/home/testuser";
+    useDefaultShell = true;
+    createHome = true;
+  };
 }
 
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index cfdda05db..024d2eeb2 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -83,6 +83,7 @@ in {
     locations."/tinc".extraConfig = ''
       alias ${config.krebs.tinc_graphs.workingDir}/external;
     '';
+    # TODO make this work!
     locations."= /ddate".extraConfig = let
       script = pkgs.writeBash "test" ''
         echo "hello world"
@@ -100,6 +101,14 @@ in {
       fastcgi_param SCRIPT_NAME ${script};
     '';
 
+    locations."/init".extraConfig = let
+      initscript = pkgs.init.override {
+        pubkey = config.krebs.users.lass.pubkey;
+      };
+    in ''
+      alias ${initscript};
+    '';
+
     enableSSL = true;
     extraConfig = "listen 80;";
     sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix
index 442a1d4d9..4d33aa79d 100644
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@@ -118,5 +118,5 @@
       fi
     '';
   };
-  users.users.${config.krebs.build.user.name}.shell = "/run/current-system/sw/bin/zsh";
+  users.users.mainUser.shell = "/run/current-system/sw/bin/zsh";
 }
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 0beda7481..e47e3126a 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, ... }@args:
 
 {
   nixpkgs.config.packageOverrides = rec {
@@ -11,6 +11,7 @@
       ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
       vimperator = pkgs.callPackage ./firefoxPlugins/vimperator.nix {};
     };
+    init = pkgs.callPackage ./init/default.nix args;
     mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {};
     mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {};
     pop = pkgs.callPackage ./pop/default.nix {};
diff --git a/lass/5pkgs/init/default.nix b/lass/5pkgs/init/default.nix
new file mode 100644
index 000000000..d0339f811
--- /dev/null
+++ b/lass/5pkgs/init/default.nix
@@ -0,0 +1,159 @@
+{ pkgs, lib, pubkey ? "", disk ? "/dev/sda", vgname ? "pool", luksmap ? "luksmap", keyfile ? "/root/keyfile", ... }:
+
+with lib;
+
+pkgs.writeText "init" ''
+  #! /bin/sh
+  # usage: curl xu/~tv/init | sh
+  set -efu
+  # TODO nix-env -f '<nixpkgs>' -iA jq # if not exists (also version)
+  #       install at tmp location
+
+
+  case $(cat /proc/cmdline) in
+     *' root=LABEL=NIXOS_ISO '*) :;;
+     *) echo Error: unknown operating system >&2; exit 1;;
+  esac
+
+  keyfile=${keyfile}
+
+  disk=${disk}
+
+  bootdev=${disk}2
+
+  luksdev=${disk}3
+  luksmap=/dev/mapper/${luksmap}
+
+  vgname=${vgname}
+
+  rootdev=/dev/mapper/${vgname}-root
+  homedev=/dev/mapper/${vgname}-home
+  bkudev=/dev/mapper/${vgname}-bku
+
+  #
+  #generate keyfile
+  #
+
+  if ! test -e "$keyfile"; then
+    dd if=/dev/urandom bs=512 count=2048 of=$keyfile
+  fi
+
+  #
+  # partitioning
+  #
+
+  # http://en.wikipedia.org/wiki/GUID_Partition_Table
+  # undo:
+  #   dd if=/dev/zero bs=512 count=34 of=/dev/sda
+  # TODO zero last 34 blocks (lsblk -bno SIZE /dev/sda)
+  if ! test "$(blkid -o value -s PTTYPE "$disk")" = gpt; then
+    parted -a optimal "$disk" \
+        mklabel gpt \
+        mkpart no-fs 0 1024KiB \
+        set 1 bios_grub on \
+        mkpart ext2 1025KiB 1024MiB \
+        mkpart primary 1024MiB 100%
+  fi
+
+  if ! test "$(blkid -o value -s PARTLABEL "$bootdev")" = ext2; then
+    echo zonk
+    exit 23
+  fi
+
+  if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = primary; then
+    echo zonk2
+    exit 23
+  fi
+
+  if ! cryptsetup isLuks "$luksdev"; then
+    # aes xts-plain64
+    cryptsetup luksFormat "$luksdev" "$keyfile" \
+        -h sha512 \
+        --iter-time 5000
+  fi
+
+  if ! test -e "$luksmap"; then
+    cryptsetup luksOpen "$luksdev" "$(basename "$luksmap")" \
+        --key-file "$keyfile"
+  fi
+  # cryptsetup close
+
+  if ! test "$(blkid -o value -s TYPE "$luksmap")" = LVM2_member; then
+    pvcreate "$luksmap"
+  fi
+
+  if ! vgdisplay -s "$vgname"; then vgcreate "$vgname" "$luksmap"; fi
+
+  lvchange -a y /dev/mapper/"$vgname"
+
+  if ! test -e "$rootdev"; then lvcreate -L 100G -n root "$vgname"; fi
+  if ! test -e "$homedev"; then lvcreate -L 100G -n home "$vgname"; fi
+  if ! test -e "$bkudev"; then lvcreate -L 200G -n bku "$vgname"; fi
+
+  # lvchange -a n "$vgname"
+
+
+  #
+  # formatting
+  #
+
+  if ! test "$(blkid -o value -s TYPE "$bootdev")" = ext2; then
+    mkfs.ext2 "$bootdev"
+  fi
+
+  if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then
+    mkfs.btrfs "$rootdev"
+  fi
+
+  if ! test "$(blkid -o value -s TYPE "$homedev")" = btrfs; then
+    mkfs.btrfs "$homedev"
+  fi
+
+  if ! test "$(blkid -o value -s TYPE "$bkudev")" = btrfs; then
+    mkfs.btrfs "$bkudev"
+  fi
+
+
+  if ! test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then
+    mount "$rootdev" /mnt
+  fi
+  if ! test "$(lsblk -n -o MOUNTPOINT "$bootdev")" = /mnt/boot; then
+    mkdir -m 0000 -p /mnt/boot
+    mount "$bootdev" /mnt/boot
+  fi
+  if ! test "$(lsblk -n -o MOUNTPOINT "$homedev")" = /mnt/home; then
+    mkdir -m 0000 -p /mnt/home
+    mount "$homedev" /mnt/home
+  fi
+  if ! test "$(lsblk -n -o MOUNTPOINT "$bkudev")" = /mnt/bku; then
+    mkdir -m 0000 -p /mnt/bku
+    mount "$bkudev" /mnt/bku
+  fi
+
+  # umount -R /mnt
+
+  #
+  # dependencies for stockholm
+  #
+
+  nix-env -iA nixos.git
+
+  mkdir -p /mnt/var/src
+  touch /mnt/var/src/.populate
+
+  #
+  # print all the infos
+  #
+
+  parted "$disk" print
+  lsblk "$disk"
+
+  key='${pubkey}'
+  if [ "$(cat /root/.ssh/authorized_keys 2>/dev/null)" != "$key" ]; then
+    mkdir -p /root/.ssh
+    echo "$key" > /root/.ssh/authorized_keys
+  fi
+  systemctl start sshd
+  ip route
+  echo READY.
+''
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 2f2be6762..cf8eaf058 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/