100 files changed, 402 insertions, 1249 deletions

diff --git a/ci.nix b/ci.nix
index 212114538..1aecc8e70 100644
--- a/ci.nix
+++ b/ci.nix
@@ -1,6 +1,6 @@
 # usage: nix-instantiate --eval --json --read-write-mode --strict ci.nix | jq .
-with import ./lib;
 let
+  lib = pkgs.lib;
   pkgs = import <nixpkgs> { overlays = [ (import ./submodules/nix-writers/pkgs) ]; };
   system =
     import <nixpkgs/nixos/lib/eval-config.nix> {
@@ -16,9 +16,9 @@ let
     }
   ;
 
-  ci-systems = filterAttrs (_: v: v.ci) system.config.krebs.hosts;
+  ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts;
 
   build = host: owner:
-  ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${getEnv "HOME"}/stockholm-build";});
+  ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${builtins.getEnv "HOME"}/stockholm-build";});
 
-in mapAttrs (n: h: build n h.owner.name) ci-systems
+in lib.mapAttrs (n: h: build n h.owner.name) ci-systems
diff --git a/default.nix b/default.nix
index 9368dcd9e..45b4f03f6 100644
--- a/default.nix
+++ b/default.nix
@@ -1,7 +1,7 @@
 import <nixpkgs/nixos> {} // rec {
   lib = import ./lib;
   systems = with lib; let
-    namespace = getEnv "LOGNAME";
+    namespace = krebs;
     systemsDir = <stockholm> + "/${namespace}/1systems";
   in
     genAttrs
diff --git a/flake.lock b/flake.lock
index 1f99b2828..c7b051683 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
         "treefmt-nix": "treefmt-nix"
       },
       "locked": {
-        "lastModified": 1751515480,
-        "narHash": "sha256-vCYcc/b8WizF6vnjuRVxSiU8hy9L3vOTWDVKpWM7xRE=",
+        "lastModified": 1768927382,
+        "narHash": "sha256-qdmb8Pm73PADLgO8Q06QfyPbEQS6el9Si+dGQc3TB1I=",
         "owner": "Mic92",
         "repo": "buildbot-nix",
-        "rev": "47ad4c7afb169df6f9d48d0df3d7e2f71d9ddd8f",
+        "rev": "eb4e904a8dc1aa12a964752e4fd9977c6aead724",
         "type": "github"
       },
       "original": {
@@ -31,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751413152,
-        "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
+        "lastModified": 1768135262,
+        "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
+        "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac",
         "type": "github"
       },
       "original": {
@@ -44,6 +44,21 @@
         "type": "github"
       }
     },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1676283394,
+        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "3db36a8b464d0c4532ba1c7dda728f4576d6d073",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "hercules-ci-effects": {
       "inputs": {
         "flake-parts": [
@@ -56,11 +71,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1748000383,
-        "narHash": "sha256-EaAJhwfJGBncgIV/0NlJviid2DP93cTMc9h0q6P6xXk=",
+        "lastModified": 1768476106,
+        "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=",
         "owner": "hercules-ci",
         "repo": "hercules-ci-effects",
-        "rev": "231726642197817d20310b9d39dd4afb9e899489",
+        "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb",
         "type": "github"
       },
       "original": {
@@ -70,7 +85,12 @@
       }
     },
     "nix-writers": {
-      "flake": false,
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
         "lastModified": 1677612737,
         "narHash": "sha256-UaCKZ4PbMZU6UZH7XNFcjRtd5jheswl66rjZDBfQgp8=",
@@ -87,11 +107,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1751792365,
-        "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
+        "lastModified": 1768886240,
+        "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
+        "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0",
         "type": "github"
       },
       "original": {
@@ -116,11 +136,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1750931469,
-        "narHash": "sha256-0IEdQB1nS+uViQw4k3VGUXntjkDp7aAlqcxdewb/hAc=",
+        "lastModified": 1768158989,
+        "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "ac8e6f32e11e9c7f153823abc3ab007f2a65d3e1",
+        "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 0b8d875c7..527e4c8ef 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,10 +1,8 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    nix-writers = {
-      url = "git+https://cgit.krebsco.de/nix-writers";
-      flake = false;
-    };
+    nix-writers.url = "git+https://cgit.krebsco.de/nix-writers";
+    nix-writers.inputs.nixpkgs.follows = "nixpkgs";
     # disko.url = "github:nix-community/disko";
     # disko.inputs.nixpkgs.follows = "nixpkgs";
     buildbot-nix.url = "github:Mic92/buildbot-nix";
@@ -43,9 +41,21 @@
     };
     overlays.default = import ./krebs/5pkgs/default.nix;
     packages = let
-      packageNames = self.lib.attrNames (self.lib.mapNixDir (x: null) ./krebs/5pkgs/simple);
-      appliedOverlay = (system: self.overlays.default {} (self.inputs.nixpkgs.legacyPackages.${system} // { lib = self.lib; }));
-    in nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ] (system: self.lib.getAttrs packageNames (appliedOverlay system));
+      allNames = self.lib.attrNames (self.lib.mapNixDir (x: null) ./krebs/5pkgs/simple);
+      appliedOverlay = (system:
+        let
+          base = self.inputs.nixpkgs.legacyPackages.${system};
+          # Apply nix-writers overlay with fixpoint so its functions can find each other
+          withWriters = nixpkgs.lib.fix (final: base // nix-writers.overlays.default final base);
+        in self.overlays.default {} (withWriters // { lib = self.lib; }));
+      # Only include derivations in packages output
+      getDerivations = overlay: builtins.listToAttrs (builtins.filter (x: x != null) (map (name:
+        let val = overlay.${name} or null;
+        in if val != null && (val.type or null) == "derivation"
+           then { inherit name; value = val; }
+           else null
+      ) allNames));
+    in nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: getDerivations (appliedOverlay system));
     lib = import (self.outPath + "/lib/pure.nix") { lib = nixpkgs.lib; };
   };
 }
diff --git a/kartei/lass/neoprism.nix b/kartei/lass/neoprism.nix
index 73eda0762..086362938 100644
--- a/kartei/lass/neoprism.nix
+++ b/kartei/lass/neoprism.nix
@@ -1,5 +1,12 @@
 { r6, w6, ... }:
-{
+rec {
+  extraZones = {
+    "krebsco.de" = ''
+      p         60 IN A ${nets.internet.ip4.addr}
+      c         60 IN A ${nets.internet.ip4.addr}
+      paste     60 IN A ${nets.internet.ip4.addr}
+    '';
+  };
   nets = rec {
     internet = {
       ip4 = rec {
diff --git a/kartei/lass/prism.nix b/kartei/lass/prism.nix
index a44e120b2..33c662bc4 100644
--- a/kartei/lass/prism.nix
+++ b/kartei/lass/prism.nix
@@ -3,9 +3,6 @@ rec {
   extraZones = {
     "krebsco.de" = ''
       cache     60 IN A ${nets.internet.ip4.addr}
-      p         60 IN A ${nets.internet.ip4.addr}
-      c         60 IN A ${nets.internet.ip4.addr}
-      paste     60 IN A ${nets.internet.ip4.addr}
       prism     60 IN A ${nets.internet.ip4.addr}
       social    60 IN A ${nets.internet.ip4.addr}
     '';
diff --git a/kartei/lass/xerxes.nix b/kartei/lass/xerxes.nix
index 96f619a70..985bba5f5 100644
--- a/kartei/lass/xerxes.nix
+++ b/kartei/lass/xerxes.nix
@@ -1,52 +1,6 @@
 { r6, w6, ... }:
 {
   consul = false;
-  nets = rec {
-    retiolum = {
-      ip4.addr = "10.243.1.3";
-      ip6.addr = r6 "3";
-      aliases = [
-        "xerxes.r"
-      ];
-      tinc = {
-        pubkey = ''
-          -----BEGIN RSA PUBLIC KEY-----
-          MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
-          MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
-          gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
-          /EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
-          mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
-          X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
-          +2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
-          hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
-          3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
-          H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
-          JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
-          hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
-          SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
-          4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
-          vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
-          Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
-          scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
-          jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
-          Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
-          /Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
-          bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
-          sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
-          -----END RSA PUBLIC KEY-----
-        '';
-        pubkey_ed25519 = "PRtxFg/zw8dmwEGEM+u28N5GWuGNiHSNlaieplVSqQK";
-      };
-    };
-    wiregrill = {
-      ip6.addr = w6 "3";
-      aliases = [
-        "xerxes.w"
-      ];
-      wireguard.pubkey = "UTm8B8YUVvBGqwwxAUMVFsVQFQGQ6jbcXAavZ8LxYT8=";
-    };
-  };
   secure = true;
-  ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
-  syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM";
+  ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP017KDMPZgXeb5pwo8sOD9R16vEaHFp523HGyeWPIIa";
 }
diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix
index 9df79afbf..e92aeec93 100644
--- a/kartei/makefu/default.nix
+++ b/kartei/makefu/default.nix
@@ -251,6 +251,8 @@ in {
           wikisearch        IN A      ${nets.internet.ip4.addr}
           work.euer         IN A      ${nets.internet.ip4.addr}
           shop.euer         IN A      ${nets.internet.ip4.addr}
+          matrix.euer       IN A      ${nets.internet.ip4.addr}
+          element.euer      IN A      ${nets.internet.ip4.addr}
 
           mediengewitter    IN CNAME  over.dose.io.
           nixos.unstable    IN CNAME  krebscode.github.io.
diff --git a/kartei/tv/hosts/fu.nix b/kartei/tv/hosts/fu.nix
index f33da59c9..c3f2f9297 100644
--- a/kartei/tv/hosts/fu.nix
+++ b/kartei/tv/hosts/fu.nix
@@ -20,5 +20,4 @@
   };
   secure = true;
   ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8T+2Oe6qCE0uEb9H7CWZengyhHK30NelmYmpI4Umpm root@fu";
-  syncthing.id = "F5B3EPT-OEOFYMV-GATESYO-727M6R4-YBXGW6Q-SG3QWC7-PPVFX4C-AY4UKAJ";
 }
diff --git a/kartei/tv/hosts/leg.nix b/kartei/tv/hosts/leg.nix
index c09749302..5841c72d5 100644
--- a/kartei/tv/hosts/leg.nix
+++ b/kartei/tv/hosts/leg.nix
@@ -23,5 +23,4 @@
   };
   secure = true;
   ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiputkYYQbg8sUHu+dMVOEuqhPYwPhPdmkS6LopPx17 root@leg";
-  syncthing.id = "5IB2U3K-HNQWNA4-ULYNPZF-XC3HX4D-IKQB72L-GNF6U2P-RNL4OMF-BWGDVAU";
 }
diff --git a/kartei/tv/hosts/ne.nix b/kartei/tv/hosts/ne.nix
index 584d7c433..1191fcb71 100644
--- a/kartei/tv/hosts/ne.nix
+++ b/kartei/tv/hosts/ne.nix
@@ -2,8 +2,13 @@
   extraZones = {
     "krebsco.de" = ''
       @ 60 IN MX 5 ne
+      @ 60 IN TXT "v=spf1 mx -all"
       ne 60 IN A ${config.krebs.hosts.ne.nets.internet.ip4.addr}
       ne 60 IN AAAA ${config.krebs.hosts.ne.nets.internet.ip6.addr}
+      cgit 60 IN A ${config.krebs.hosts.ne.nets.internet.ip4.addr}
+      cgit 60 IN AAAA ${config.krebs.hosts.ne.nets.internet.ip6.addr}
+      cgit.ne 60 IN A ${config.krebs.hosts.ne.nets.internet.ip4.addr}
+      search.ne 60 IN AAAA ${config.krebs.hosts.ne.nets.internet.ip6.addr}
       tv 300 IN NS ne
     '';
   };
@@ -11,6 +16,7 @@
     internet = {
       aliases = [
         "ne.i"
+        "cgit.ne.i"
       ];
       ip4 = {
         addr = "159.195.31.38";
@@ -26,14 +32,26 @@
         "ne.m"
       ];
       ip6.addr = "45f:fa21:4bdd:a758:8091:947d:fe84:fac3";
+      via = config.krebs.hosts.ne.nets.internet;
     };
     retiolum = {
       aliases = [
         "ne.r"
+        "cgit.ne.r"
+        "krebs.ne.r"
+        "search.ne.r"
+        "p.ne.r"
+        "p.tv.r"
       ];
+      ip4.addr = "10.243.113.224";
+      via = config.krebs.hosts.ne.nets.internet;
     };
     wiregrill = {
       ip4.addr = "10.244.3.2";
+      via = config.krebs.hosts.ne.nets.internet;
+      wireguard.subnets = [
+        (slib.krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR
+      ];
     };
   };
 }
diff --git a/kartei/tv/hosts/ni.nix b/kartei/tv/hosts/ni.nix
deleted file mode 100644
index 3e3d81c37..000000000
--- a/kartei/tv/hosts/ni.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ config, lib, slib, ... }: {
-  extraZones = {
-    "krebsco.de" = ''
-      ni          60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
-      ni          60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
-      cgit        60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
-      cgit        60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
-      cgit.ni     60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
-      cgit.ni     60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
-      search.ni   60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr}
-      search.ni   60 IN AAAA ${config.krebs.hosts.ni.nets.internet.ip6.addr}
-      krebsco.de. 60 IN MX 5 ni
-      krebsco.de. 60 IN TXT "v=spf1 mx -all"
-      tv          300 IN NS ni
-    '';
-  };
-  nets = {
-    internet = {
-      ip4 = {
-        addr = "185.162.251.237";
-      };
-      ip6 = {
-        addr = "2a03:4000:1a:cf::1";
-        prefixLength = 64;
-      };
-      aliases = [
-        "ni.i"
-        "cgit.ni.i"
-      ];
-      ssh.port = 11423;
-    };
-    retiolum = {
-      via = config.krebs.hosts.ni.nets.internet;
-      ip4.addr = "10.243.113.223";
-      aliases = [
-        "ni.r"
-        "cgit.ni.r"
-        "krebs.ni.r"
-        "search.ni.r"
-      ];
-      tinc.pubkey = ''
-        -----BEGIN RSA PUBLIC KEY-----
-        MIICCgKCAgEA7NHuW8eLVhpBfL70WwcSGVmv4dijKLJs5cH/BmqK8zN2lpiLKt12
-        bhaE1YEhGoGma7Kef1Fa0V9xUkJy6C1+sVlfWp/LeY8VRSX5E3u36TEl6kl/4zu6
-        Ea/44BoGUSOC9ImxVEX51czA10PFjUSrGFyK0oaRlKNsTwwpNiBOY7/6i74bhn59
-        OIsySRUBd2QPjYhJkiuc7gltVfwt6wteZh8R4w2rluVGYLQPsmN/XEWgJbhzI4im
-        W+3/bdewHVF1soZWtdocPLeXTn5HETX5g8p2V3bwYL37oIwkCcYxOeQtT7W+lNJ2
-        NvIiVh4Phojl4dBUgUQGT0NApMnsaG/4LJpSC4AGiqbsznBdSPhepob7zJggPnWY
-        nfAs+YrUUZp1wovhSgWfYTRglRuyYvWkoGbq411H1efawyZ0gcMr+HQlSn2keQOv
-        lbcvdgOAxQiEcPVixPq3mTeKaSxWyIJGFceuqtnILGifRNvViX0uo9g5rLQ41PrJ
-        9F3azz3gD2Uh73j5pvLU72cge7p1a7epPYWTJYf8oc5JcI3nYTKpSqH8IYaWUjv9
-        q0NwOYFDhYtUcTwdbUNl/tUWKyBcovIe7f40723pHSijiPV2WDZC2M/mOc3dvWKF
-        Mf00uin+7uMuKtnG6+1z5nKb/AWrqN1RZu0rnG/IkZPKwa19HYsYcOkCAwEAAQ==
-        -----END RSA PUBLIC KEY-----
-      '';
-      tinc.pubkey_ed25519 = "nDuK96NlNhcxzlX7G30w/706RxItb+FhkFkz/VhUgCE";
-    };
-    wiregrill = {
-      via = config.krebs.hosts.ni.nets.internet;
-      ip4.addr = "10.244.3.1";
-      wireguard.subnets = [
-        (slib.krebs.genipv6 "wiregrill" "tv" 0).subnetCIDR
-      ];
-    };
-  };
-  ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILGDdcKwFm6udU0/x6XGGb87k9py0VlrxF54HeYu9Izb";
-}
diff --git a/kartei/tv/hosts/pi.nix b/kartei/tv/hosts/pi.nix
index 991bc0086..cfcc71a28 100644
--- a/kartei/tv/hosts/pi.nix
+++ b/kartei/tv/hosts/pi.nix
@@ -1,4 +1,3 @@
 {
   nets.wiregrill.ip4.addr = "10.244.3.102";
-  syncthing.id = "NLR6FLV-2MJQSZ6-4M5QBBB-X2UM225-YGB6IYW-F2EGFV6-D7ZDCWY-27EQAAM";
 }
diff --git a/kartei/tv/hosts/zoppo.nix b/kartei/tv/hosts/zoppo.nix
index 4d312105f..abbcc08dc 100644
--- a/kartei/tv/hosts/zoppo.nix
+++ b/kartei/tv/hosts/zoppo.nix
@@ -20,5 +20,4 @@
   };
   secure = true;
   ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk5DVtgzKmbJTsJs81GIMYE3YblnJJTc/FtVukKJK4J root@zoppo";
-  syncthing.id = "F4GDV3I-QX6QAA5-32MXHXE-2RJDYBO-RFXGDFR-EGMN4IQ-OJDKL62-NCUWOAQ";
 }
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 91071ec85..655192077 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -5,6 +5,17 @@
     ../../../krebs
     ../../../krebs/2configs
     ../../../krebs/2configs/nginx.nix
+    {
+      # Cherry-pick services.nginx.recommendedTlsSettings to fix:
+      # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform
+      services.nginx.recommendedTlsSettings = lib.mkForce false;
+      services.nginx.appendHttpConfig = ''
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off;
+        ssl_prefer_server_ciphers off;
+      '';
+    }
 
     ../../../krebs/2configs/binary-cache/nixos.nix
     ../../../krebs/2configs/ircd.nix
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8bb14d517..5deeb9923 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -8,6 +8,18 @@
     <stockholm/krebs/2configs/nameserver.nix>
   ];
 
+  #networking.defaultGateway6 = {
+  #  address = "fe80::1";
+  #  interface = "ens3";
+  #};
+  #networking.interfaces.ens3.ipv6.addresses = [
+  #  {
+  #    # old: address = "2a03:4000:13:4c::1";
+  #    address = "2a03:4000:1a:cf::1"; #/64"
+  #    prefixLength = 64;
+  #  }
+  #];
+
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   networking.firewall.logRefusedConnections = false;
   networking.firewall.logRefusedUnicastsOnly = false;
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 0c361cc42..8e03e3b52 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -31,7 +31,7 @@
     ../../2configs/shack/ssh-keys.nix
 
     # drivedroid.shack for shackphone
-    ../../2configs/shack/drivedroid.nix
+    #../../2configs/shack/drivedroid.nix (FIXME error: attribute 'drivedroid-gen-repo' missing)
     # ../../2configs/shack/nix-cacher.nix
 
     # Say if muell will be collected
@@ -70,7 +70,7 @@
     # ../../2configs/shack/share.nix
 
     # mobile.lounge.mpd.shack
-    ../../2configs/shack/mobile.mpd.nix
+    #../../2configs/shack/mobile.mpd.nix (FIXME Compatibility with CMake < 3.5 has been removed from CMake.)
 
     # hass.shack
     ../../2configs/shack/glados
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix
index 32452e010..c51d3c651 100644
--- a/krebs/2configs/buildbot-stockholm.nix
+++ b/krebs/2configs/buildbot-stockholm.nix
@@ -19,7 +19,6 @@ with import ../../lib/pure.nix { inherit lib; };
     enable = true;
     repos = {
       disko.urls = [
-        "http://cgit.gum.r/disko"
         "http://cgit.ni.r/disko"
         "http://cgit.orange.r/disko"
       ];
@@ -33,7 +32,6 @@ with import ../../lib/pure.nix { inherit lib; };
         "http://cgit.orange.r/nix-writers"
       ];
       stockholm.urls = [
-        "http://cgit.gum.r/stockholm"
         "http://cgit.ni.r/stockholm"
         "http://cgit.orange.r/stockholm"
       ];
diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix
index a797673c9..937a20c29 100644
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@@ -17,8 +17,8 @@
   };
 
   hardware.opengl.extraPackages = [
-    pkgs.vaapiIntel
-    pkgs.vaapiVdpau
+    pkgs.intel-vaapi-driver
+    pkgs.libva-vdpau-driver
   ];
 
   services.xserver = {
diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix
index fb22dc6f9..c61b5c1b1 100644
--- a/krebs/2configs/nameserver.nix
+++ b/krebs/2configs/nameserver.nix
@@ -70,10 +70,6 @@ in {
           address: ${config.krebs.hosts.ne.nets.internet.ip4.addr}
           key: krebs_transfer_notify_key
 
-        - id: krebscode_ni
-          address: ${config.krebs.hosts.ni.nets.internet.ip4.addr}
-          key: krebs_transfer_notify_key
-
       acl:
         - id: acme_acl
           key: acme
@@ -124,7 +120,6 @@ in {
           notify: henet_ns1
           notify: hostingde_ns1
           notify: krebscode_ne
-          notify: krebscode_ni
           acl: transfer_to_henet_secondary
           acl: transfer_to_hostingde_secondary
           acl: transfer_to_krebscode_secondary
@@ -146,10 +141,14 @@ in {
     '';
   };
 
+  #krebs.systemd.services.knot.restartIfCredentialsChange = true;
   systemd.services."knsupdate-krebsco.de" = {
     serviceConfig = {
       Type = "oneshot";
       SyslogIdentifier = "knsupdate-krebsco.de";
+      #LoadCredential = [
+      #  "keys.conf:/var/src/secrets/knot-keys.conf"
+      #];
       ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ ''
         set -efu
 
@@ -170,8 +169,8 @@ in {
           echo server krebsco.de.
           echo zone krebsco.de.
           echo origin krebsco.de.
-          echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
-          echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
+          echo add _25._tcp.ne 60 IN TLSA 3 0 1 $certificate_association_data
+          echo add _443._tcp.ne 60 IN TLSA 3 0 1 $certificate_association_data
           echo show
           echo send
           echo answer
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index faabf7677..600f7cd6d 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -235,20 +235,20 @@ let
     env.TASKDATA = "${stateDir}/${name}";
     commands = rec {
       add.filename = pkgs.writers.writeDash "${name}-task-add" ''
-        ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1"
+        ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} add "$1"
       '';
       list.filename = pkgs.writers.writeDash "${name}-task-list" ''
-        ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export \
+        ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export \
           | ${pkgs.jq}/bin/jq -r '
               .[] | select(.id != 0) | "\(.id) \(.description)"
             '
       '';
       delete.filename = pkgs.writers.writeDash "${name}-task-delete" ''
-        ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1"
+        ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} delete "$1"
       '';
       del = delete;
       done.filename = pkgs.writers.writeDash "${name}-task-done" ''
-        ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1"
+        ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} done "$1"
       '';
     };
   };
@@ -293,7 +293,7 @@ let
         {
           activate = "always";
           command = {
-            filename = ../5pkgs/simple/Reaktor/scripts/tell-on_join.sh;
+            filename = ../5pkgs/simple/reaktor2-plugins/scripts/tell-on_join.sh;
             env = {
               PATH = makeBinPath [
                 pkgs.coreutils # XXX env, touch
@@ -415,7 +415,7 @@ let
         (generators.command_hook {
           inherit (commands) dance random-emoji nixos-version;
           tell = {
-            filename = ../5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh;
+            filename = ../5pkgs/simple/reaktor2-plugins/scripts/tell-on_privmsg.sh;
             env = {
               PATH = makeBinPath [
                 pkgs.coreutils # XXX date, env
@@ -456,7 +456,7 @@ in {
           printf 'HTTP/1.1 200 OK\r\n'
           printf 'Connection: close\r\n'
           printf '\r\n'
-          TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export
+          TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export
           exit
         ;;
       esac
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index a488fdfea..1c7ed4719 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -98,7 +98,7 @@ in {
   krebs.secret.files.konsens = {
     path = "/var/lib/konsens/.ssh/id_ed25519";
     owner = konsens-user;
-    source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>";
+    source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";
   };
 
   imports = [
@@ -107,9 +107,10 @@ in {
       desc = "take all computers hostage, they love it";
       section = "configuration";
       remotes = {
-        makefu = "http://cgit.gum.r/stockholm";
-        tv = "http://cgit.ni.r/stockholm";
+        krebs = "https://github.com/krebs/stockholm";
         lassulus = "http://cgit.orange.r/stockholm";
+        makefu = "https://cgit.euer.krebsco.de/makefu/stockholm.git";
+        tv = "http://cgit.ni.r/stockholm";
       };
     })
     ({ krebs.git = defineRepo {
diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix
index 66a4095db..eba6cc83b 100644
--- a/krebs/2configs/shack/worlddomination.nix
+++ b/krebs/2configs/shack/worlddomination.nix
@@ -3,7 +3,7 @@
 with import ../../../lib/pure.nix { inherit lib; };
 let
   pkg = pkgs.stdenv.mkDerivation {
-    name = "worlddomination-2020-12-01";
+    name = "worlddomination-2025-04-02";
     src = pkgs.fetchFromGitHub {
       owner = "shackspace";
       repo = "worlddomination";
@@ -11,9 +11,8 @@ let
       sha256 = "sha256-AbRqxxY6hYNg4qkk/akuw4f+wJh4nx1hfEA4Lp5B+1E=";
     };
     buildInputs = [
-      (pkgs.python310.withPackages (pythonPackages: with pythonPackages; [
+      (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
         docopt
-        LinkHeader
         aiocoap
         grequests
         paramiko
@@ -31,16 +30,6 @@ let
   pythonPackages = pkgs.python3Packages;
   # https://github.com/chrysn/aiocoap
 
-  LinkHeader = pythonPackages.buildPythonPackage {
-    name = "LinkHeader-0.4.3";
-    src = pkgs.fetchurl { url = "https://files.pythonhosted.org/packages/27/d4/eb1da743b2dc825e936ef1d9e04356b5701e3a9ea022c7aaffdf4f6b0594/LinkHeader-0.4.3.tar.gz"; sha256 = "7fbbc35c0ba3fbbc530571db7e1c886e7db3d718b29b345848ac9686f21b50c3"; };
-    propagatedBuildInputs = [ ];
-    meta = with pkgs.lib; {
-      homepage = "";
-      license = licenses.bsdOriginal;
-      description = "Parse and format link headers according to RFC 5988 \"Web Linking\"";
-    };
-  };
   wdpath = "/usr/worlddomination/wd.lst";
   esphost = "10.42.24.7"; # esp8266
   afrihost = "10.42.25.201"; # africa
diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix
index 899db45c5..18fe46a98 100644
--- a/krebs/3modules/ci/default.nix
+++ b/krebs/3modules/ci/default.nix
@@ -1,5 +1,5 @@
 { config, lib, pkgs, ... }:
-with lib.slib or (import ../../lib/pure.nix { inherit lib; });
+with lib.slib or (import ../../../lib/pure.nix { inherit lib; });
 
 let
   cfg = config.krebs.ci;
@@ -50,7 +50,7 @@ let
               "${url}",
               workdir='${name}-${elemAt(splitString "." url) 1}', branches=True,
               project='${name}',
-              pollinterval=30
+              pollInterval=30
           )
         '') repo.urls
       ) cfg.repos;
diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix
index 3725ff2b8..6f10452e9 100644
--- a/krebs/3modules/github/known-hosts.nix
+++ b/krebs/3modules/github/known-hosts.nix
@@ -8,4 +8,5 @@
     ;
     publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=";
   };
+  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
 }
diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix
index 51aeefb9f..148b58d14 100644
--- a/krebs/3modules/hosts.nix
+++ b/krebs/3modules/hosts.nix
@@ -2,7 +2,6 @@
 with lib; let
   check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains;
   domains = attrNames (filterAttrs (_: slib.eq "hosts") config.krebs.dns.providers);
-  # we need this import because we have infinite recursion otherwise
   slib = lib.slib or (import ../../lib/pure.nix { inherit lib; });
 in {
 
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 16f1f3c84..1cde42dc3 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -19,6 +19,14 @@ let
   api = {
     enable = mkEnableOption "iptables";
 
+    rules4 = mkOption {
+      default = buildTables "v4" cfg.tables;
+    };
+
+    rules6 = mkOption {
+      default = buildTables "v6" cfg.tables;
+    };
+
     #tables.filter.INPUT = {
     # policy = "DROP";
     # rules = [
diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix
index c0368ee85..f83a29acb 100644
--- a/krebs/3modules/per-user.nix
+++ b/krebs/3modules/per-user.nix
@@ -28,7 +28,12 @@ in {
             };
           })
           (filterAttrs (_: per-user: per-user.packages != []) cfg);
-      profiles = ["/etc/per-user/$LOGNAME"];
+
+      # XXX this breaks /etc/pam/environment because $LOGNAME doesn't get
+      # replaced by @{PAM_USER} the way $USER does.
+      # See <nixpkgs/nixos/modules/config/system-environment.nix>
+      #profiles = ["/etc/per-user/$LOGNAME"];
+      profiles = ["/etc/per-user/$USER"];
     };
   };
 }
diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix
index d65ce2a31..51f5cb752 100644
--- a/krebs/3modules/permown.nix
+++ b/krebs/3modules/permown.nix
@@ -73,6 +73,12 @@ with lib; {
           pkgs.findutils
           pkgs.inotify-tools
         ];
+        # TODO
+        # der code könnte aber bisschen vorbereitet werden, damit man später einfach file-modes einbauen kann
+        # die drei finds müssten zu `find "$ROOT_PATH" -exec ${permown}` {} \;` werden
+        # und der while-block zu:
+        # ${permown} "$path" (egal ob vor oder nach dem if test -d)
+        # und dann müsste man danach nur das permown script bearbeiten
         serviceConfig = {
           ExecStart = pkgs.writeDash "permown" ''
             set -efu
diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix
index b977df99a..d552178f9 100644
--- a/krebs/3modules/reaktor2.nix
+++ b/krebs/3modules/reaktor2.nix
@@ -69,6 +69,12 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
           Group = "reaktor2";
           DynamicUser = true;
           StateDirectory = cfg.username;
+          #ExecStartPre = [
+          #  (pkgs.writeDash "test-dynamic-user" ''
+          #    set -efux
+          #    ${pkgs.coreutils}/bin/id
+          #  '')
+          #];
           ExecStart = let
             configFile = pkgs.writers.writeJSON configFileName configValue;
             configFileName = "${cfg.systemd-service-name}.config.json";
diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix
index 7b2be4057..62d99e160 100644
--- a/krebs/3modules/repo-sync.nix
+++ b/krebs/3modules/repo-sync.nix
@@ -17,6 +17,7 @@ let
           branches = mkOption {
             type = types.attrsOf (types.submodule ({ config, ... }: {
               options = {
+                smart = mkEnableOption "smart sync behavior";
                 origin = mkOption {
                   type = types.source-types.git;
                 };
diff --git a/krebs/3modules/secret.nix b/krebs/3modules/secret.nix
index 13c4ecaec..ad9ceccbe 100644
--- a/krebs/3modules/secret.nix
+++ b/krebs/3modules/secret.nix
@@ -15,7 +15,7 @@ in {
           secret-file
         else
           secret-file // {
-            source-path = "${config.krebs.secret.directory}/secret-file.source-path";
+            source-path = "${config.krebs.secret.directory}/${secret-file.source-path}";
           }
       );
     };
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index ce41548ae..d13fcccaa 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -33,7 +33,7 @@ let
         };
         capabilities = mkOption {
           default = [];
-          type = types.listOf types.str;
+          type = types.listOf types.str; # TODO
         };
         owner = mkOption {
           default = "root";
@@ -52,6 +52,8 @@ let
             merge = mergeOneOption;
           };
         };
+        # TODO clear non-standard wrapperDirs
+        # TODO? allow only wrapperDirs below /run/wrappers?
         wrapperDir = mkOption {
           default = config.security.wrapperDir;
           type = types.absolute-pathname;
@@ -73,13 +75,16 @@ let
         chown ${cfg.owner}:${cfg.group} ${dst}
         chmod ${cfg.mode} ${dst}
         ${optionalString (cfg.capabilities != []) /* sh */ ''
+          set -x
           ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
+          set +x
         ''}
       '';
     }));
   };
 
   imp = {
+    # run after "wrappers" so config.security.wrapperDir can be hijacked.
     systemd.services."krebs.setuid" = {
       wantedBy = [ "suid-sgid-wrappers.service" ];
       after = [ "suid-sgid-wrappers.service" ];
diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix
index aba825c29..012b365fb 100644
--- a/krebs/3modules/ssh.nix
+++ b/krebs/3modules/ssh.nix
@@ -62,24 +62,26 @@ let
               }
             ]));
 
-      programs.ssh.extraConfig = concatMapStrings
-        (net: ''
-          Host ${toString (net.aliases ++ net.addrs)}
-            Port ${toString net.ssh.port}
-        '')
-        (filter
-          (net: net.ssh.port != 22)
-          (concatMap (host: attrValues host.nets)
-            (mapAttrsToList
-              (_: host: recursiveUpdate host
-                (optionalAttrs (cfg.dns.search-domain != null &&
-                                hasAttr cfg.dns.search-domain host.nets) {
-                  nets."" = host.nets.${cfg.dns.search-domain} // {
-                    aliases = [host.name];
-                    addrs = [];
-                  };
-                }))
-              config.krebs.hosts)));
+      programs.ssh.extraConfig =
+        mkBefore/*<-KILLME*/
+          (concatMapStrings
+            (net: ''
+              Host ${toString (net.aliases ++ net.addrs)}
+                Port ${toString net.ssh.port}
+            '')
+            (filter
+              (net: net.ssh.port != 22)
+              (concatMap (host: attrValues host.nets)
+                (mapAttrsToList
+                  (_: host: recursiveUpdate host
+                    (optionalAttrs (cfg.dns.search-domain != null &&
+                                    hasAttr cfg.dns.search-domain host.nets) {
+                      nets."" = host.nets.${cfg.dns.search-domain} // {
+                        aliases = [host.name];
+                        addrs = [];
+                      };
+                    }))
+                  config.krebs.hosts))));
     }
   ];
 
diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix
index 872f04db2..cbffeb6f3 100644
--- a/krebs/3modules/sync-containers3.nix
+++ b/krebs/3modules/sync-containers3.nix
@@ -358,9 +358,7 @@ in {
       networking.useNetworkd = true;
       services.resolved = {
         enable = true;
-        extraConfig = ''
-          Domains=~.
-        '';
+        settings.Resolve.Domains = [ "~." ];
       };
       systemd.network = {
         enable = true;
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index debbb184b..65f4f6a2b 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -1,5 +1,6 @@
-{ config, pkgs, lib, ... }:
-with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
+{ config, pkgs, lib, ... }: let
+  slib = lib.slib or (import ../../lib/pure.nix { inherit lib; });
+in with slib; {
   options.krebs.tinc = mkOption {
     default = {};
     description = ''
@@ -91,7 +92,7 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
         hosts = mkOption {
           type = with types; attrsOf host;
           default =
-            filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
+            filterAttrs (_: h: hasAttr tinc.config.netname h.nets && h.nets.${tinc.config.netname}.tinc.config or null != null) config.krebs.hosts;
           defaultText = "‹all-hosts-of-‹netname››";
           description = ''
             Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
@@ -235,13 +236,14 @@ with lib.slib or (import ../../lib/pure.nix { inherit lib; }); {
               "$CREDENTIALS_DIRECTORY"/rsa_key.priv \
               /etc/tinc/${netname}/
         '';
-        ExecStart = "+" + toString [
-          "${cfg.tincPackage}/sbin/tincd"
-          "-D"
-          "-U ${cfg.username}"
-          "-d 0"
-          "-n ${netname}"
-        ];
+        ExecStart = "+" + pkgs.writers.writeDash "tinc-${netname}" ''
+          set -efu
+          exec ${cfg.tincPackage}/sbin/tincd \
+              -D \
+              -U ${cfg.username} \
+              -d 0 \
+              -n ${netname}
+        '';
         SyslogIdentifier = netname;
         DynamicUser = true;
         User = cfg.username;
diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix
index 8d3bdfbe0..b2c264a06 100644
--- a/krebs/3modules/urlwatch.nix
+++ b/krebs/3modules/urlwatch.nix
@@ -214,6 +214,7 @@ let
       };
       filter = mkOption {
         default = null;
+        # TODO nullOr subtypes.filter
         type =
           with types;
           nullOr (either str (listOf (pkgs.formats.json {}).type));
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix
index 51e559d88..6ac2ebac2 100644
--- a/krebs/3modules/zones.nix
+++ b/krebs/3modules/zones.nix
@@ -10,7 +10,8 @@ with lib; {
     default = {
       "krebsco.de" = /* bindzone */ ''
         $TTL 60
-        @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
+        @ IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600
+
         @ 3600 IN NS ns1
         @ 3600 IN NS ni
         @ 3600 IN NS ns2.he.net.
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 8046d9b71..f726475dd 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -8,7 +8,10 @@ with stockholm.lib;
 
 fix (foldl' (flip extends) (self: super) (
   [
-    (self: super: { inherit stockholm; })
+    (self: super: {
+      inherit stockholm;
+      inherit (super.writers) writeBash writeBashBin writeDash writeDashBin writeJSON;
+    })
   ]
   ++
   (map
@@ -20,27 +23,7 @@ fix (foldl' (flip extends) (self: super) (
   [
     (self: super: {
       brockman = self.haskellPackages.brockman;
-      reaktor2 = self.haskellPackages.reaktor2.override {
-        blessings =
-          self.haskellPackages.callPackage (
-            { mkDerivation, base, bytestring, extra, fetchgit, hspec, lib
-            , QuickCheck, text, wcwidth
-            }:
-            mkDerivation {
-              pname = "blessings";
-              version = "2.5.0";
-              src = fetchgit {
-                url = "https://cgit.krebsco.de/blessings";
-                sha256 = "1spwm4xjz72c76wkkxxxbvxpgkxam344iwq37js5lhfbb2hbjqbx";
-                rev = "8f9b20f3aa93f7fbba9d24de7732f4cca0119154";
-                fetchSubmodules = true;
-              };
-              libraryHaskellDepends = [ base bytestring extra text wcwidth ];
-              testHaskellDepends = [ base hspec QuickCheck ];
-              license = lib.licenses.mit;
-            }
-          ) {};
-      };
+      reaktor2 = self.haskellPackages.reaktor2;
     })
   ]
 ))
diff --git a/krebs/5pkgs/haskell/blessings/default.nix b/krebs/5pkgs/haskell/blessings/default.nix
new file mode 100644
index 000000000..643f320be
--- /dev/null
+++ b/krebs/5pkgs/haskell/blessings/default.nix
@@ -0,0 +1,16 @@
+{ mkDerivation, base, bytestring, extra, fetchgit, hspec, lib
+, QuickCheck, text, wcwidth
+}:
+mkDerivation {
+  pname = "blessings";
+  version = "2.5.0";
+  src = fetchgit {
+    url = "https://cgit.krebsco.de/blessings";
+    sha256 = "1spwm4xjz72c76wkkxxxbvxpgkxam344iwq37js5lhfbb2hbjqbx";
+    rev = "8f9b20f3aa93f7fbba9d24de7732f4cca0119154";
+    fetchSubmodules = true;
+  };
+  libraryHaskellDepends = [ base bytestring extra text wcwidth ];
+  testHaskellDepends = [ base hspec QuickCheck ];
+  license = lib.licenses.mit;
+}
diff --git a/krebs/5pkgs/haskell/reaktor2/default.nix b/krebs/5pkgs/haskell/reaktor2/default.nix
index f40b3cc89..d75de3a51 100644
--- a/krebs/5pkgs/haskell/reaktor2/default.nix
+++ b/krebs/5pkgs/haskell/reaktor2/default.nix
@@ -1,28 +1,29 @@
 { mkDerivation, aeson, async, attoparsec, base, base64, blessings
-, bytestring, containers, data-default, fetchgit, filepath
-, hashable, lens, lens-aeson, lib, network, network-simple
-, network-simple-tls, network-uri, pcre-light, process, random
-, servant-server, string-conversions, stringsearch, text, time
-, transformers, unagi-chan, unix, unordered-containers, vector, wai
-, warp
+, bytestring, containers, data-default, directory, fetchgit
+, filepath, hashable, http-types, lens, lens-aeson, lib, network
+, network-simple, network-simple-tls, network-uri, pcre-light
+, process, random, servant-server, string-conversions, stringsearch
+, text, time, transformers, unagi-chan, unix, unordered-containers
+, vector, wai, warp
 }:
 mkDerivation {
   pname = "reaktor2";
-  version = "0.4.4";
+  version = "0.4.5";
   src = fetchgit {
     url = "https://cgit.krebsco.de/reaktor2";
-    sha256 = "1r0dbhniq81z2akb3lxng92y288d7pffj5byyq9mbry241np7631";
-    rev = "f50e8b2186042f40392c823845eb3a184d0278de";
+    sha256 = "0arcw06k3hhmcp6kk5lxrzadin3lx6ywxrznicljr92flkgj8isc";
+    rev = "6ff1335c7c9775e1cf167b950b6de97359d3b659";
     fetchSubmodules = true;
   };
   isLibrary = false;
   isExecutable = true;
   executableHaskellDepends = [
     aeson async attoparsec base base64 blessings bytestring containers
-    data-default filepath hashable lens lens-aeson network
-    network-simple network-simple-tls network-uri pcre-light process
-    random servant-server string-conversions stringsearch text time
-    transformers unagi-chan unix unordered-containers vector wai warp
+    data-default directory filepath hashable http-types lens lens-aeson
+    network network-simple network-simple-tls network-uri pcre-light
+    process random servant-server string-conversions stringsearch text
+    time transformers unagi-chan unix unordered-containers vector wai
+    warp
   ];
   license = lib.licenses.mit;
   mainProgram = "reaktor";
diff --git a/krebs/5pkgs/simple/K_belwagen.nix b/krebs/5pkgs/simple/K_belwagen.nix
deleted file mode 100644
index 2f64bb09d..000000000
--- a/krebs/5pkgs/simple/K_belwagen.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ lib, pkgs, stdenv }:
-
-stdenv.mkDerivation {
-  pname = "K_belwagen";
-  version = "1.0";
-
-  src = pkgs.painload;
-  sourceRoot = "source/K_belwagen";
-
-  buildInputs = [
-    pkgs.jack1
-    pkgs.pkg-config
-  ];
-
-  patchPhase = ''
-    sed -i '
-      s@^cd@# &@
-      s@^make@# &@
-      s@^jackd@# &@
-      s@^trap@# &@
-
-      s@^set.*@&\nPATH=${lib.makeBinPath [
-        pkgs.bc
-        pkgs.coreutils
-      ]}; export PATH@
-
-      s@\./a\.out@'"$out"'/lib/a.out@
-    ' alarm
-  '';
-
-  installPhase = ''
-    mkdir -p $out/lib
-    mkdir -p $out/bin
-
-    cp alarm $out/bin
-    cp a.out $out/lib
-  '';
-}
diff --git a/krebs/5pkgs/simple/TabFS/src.json b/krebs/5pkgs/simple/TabFS/src.json
index 24e36aef3..931c9ecb8 100644
--- a/krebs/5pkgs/simple/TabFS/src.json
+++ b/krebs/5pkgs/simple/TabFS/src.json
@@ -1,8 +1,6 @@
 {
   "url": "https://cgit.krebsco.de/TabFS",
   "rev": "a6045e0e29b85e3e66c468f3561009ded1db6ec5",
-  "date": "2021-01-14T23:56:09+01:00",
-  "path": "/nix/store/mbcywm1yq5vr7awxqb533faz34minfax-TabFS",
   "sha256": "1z0kj95zh0jl8laa0whra1jys8pws3199sy29vmlv2nxrkz13blv",
   "fetchSubmodules": false,
   "deepClone": false,
diff --git a/krebs/5pkgs/simple/airdcpp-webclient/default.nix b/krebs/5pkgs/simple/airdcpp-webclient/default.nix
index 754fecf9c..f4634b595 100644
--- a/krebs/5pkgs/simple/airdcpp-webclient/default.nix
+++ b/krebs/5pkgs/simple/airdcpp-webclient/default.nix
@@ -4,7 +4,7 @@
 stdenv.mkDerivation rec {
   name = "airdcpp-webclient-${version}";
   version = "2.3.0";
-  
+
   src = fetchurl {
     url = http://web-builds.airdcpp.net/stable/airdcpp_2.3.0_webui-2.3.0_64-bit_portable.tar.gz;
     sha256 = "0yvcl0nc70fghc7vfsgvbpryi5q97arld8adql4way4qa0mdnyv1";
diff --git a/krebs/5pkgs/simple/bepasty-client-cli/default.nix b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
deleted file mode 100644
index 7811ef5fc..000000000
--- a/krebs/5pkgs/simple/bepasty-client-cli/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ lib, pkgs, pythonPackages, fetchFromGitHub, ... }:
-
-with pythonPackages; buildPythonPackage rec {
-  name = "bepasty-client-cli";
-  propagatedBuildInputs = [
-    python_magic
-    click
-    requests
-  ];
-
-  src = fetchFromGitHub {
-    owner = "bepasty";
-    repo = "bepasty-client-cli";
-    rev = "4b7135ba8ba1e17501de08ad7b6aca73c0d949d2";
-    sha256 = "1svchyk9zai1vip9ppm12jm7wfjbdr9ijhgcd2n10xh73jrn9cnc";
-  };
-
-  meta = {
-    homepage = https://github.com/bepasty/bepasty-client-cli;
-    description = "CLI client for bepasty-server";
-    license = lib.licenses.bsd2;
-  };
-}
diff --git a/krebs/5pkgs/simple/bling/default.nix b/krebs/5pkgs/simple/bling/default.nix
index 1c8610325..186aaa85e 100644
--- a/krebs/5pkgs/simple/bling/default.nix
+++ b/krebs/5pkgs/simple/bling/default.nix
@@ -1,4 +1,7 @@
-{ imagemagick, runCommand, stockholm, ... }:
+{ imagemagick, runCommand, lib, ... }:
+let
+  stockholm.lib = import ../../../../lib/pure.nix { inherit lib; };
+in
 with stockholm.lib;
 
 let
diff --git a/krebs/5pkgs/simple/brain/default.nix b/krebs/5pkgs/simple/brain/default.nix
index d7e36a527..9f183cfe9 100644
--- a/krebs/5pkgs/simple/brain/default.nix
+++ b/krebs/5pkgs/simple/brain/default.nix
@@ -4,25 +4,30 @@ let
   pass = pkgs.pass.withExtensions (ext: [
     ext.pass-otp
   ]);
-in
 
-pkgs.write "brain" {
-  "/bin/brain".link = pkgs.writeDash "brain" ''
+  brain = pkgs.writeDash "brain" ''
     PASSWORD_STORE_DIR=$HOME/brain \
     exec ${pass}/bin/pass "$@"
   '';
-  "/bin/brainmenu".link = pkgs.writeDash "brainmenu" ''
+
+  brainmenu = pkgs.writeDash "brainmenu" ''
     PASSWORD_STORE_DIR=$HOME/brain \
     exec ${pass}/bin/passmenu "$@"
   '';
-  "/share/bash-completion/completions/brain".link =
-    pkgs.runCommand "brain-completions" {
-    } /* sh */ ''
-      sed -r '
-        s/\<_pass?(_|\>)/_brain\1/g
-        s/\<__password_store/_brain/g
-        s/\<pass\>/brain/
-        s/\$HOME\/\.password-store/$HOME\/brain/
-      ' < ${pass}/share/bash-completion/completions/pass > $out
-    '';
-}
+
+  completions = pkgs.runCommand "brain-completions" {} ''
+    sed -r '
+      s/\<_pass?(_|\>)/_brain\1/g
+      s/\<__password_store/_brain/g
+      s/\<pass\>/brain/
+      s/\$HOME\/\.password-store/$HOME\/brain/
+    ' < ${pass}/share/bash-completion/completions/pass > $out
+  '';
+in
+
+pkgs.runCommand "brain" {} ''
+  mkdir -p $out/bin $out/share/bash-completion/completions
+  ln -s ${brain} $out/bin/brain
+  ln -s ${brainmenu} $out/bin/brainmenu
+  ln -s ${completions} $out/share/bash-completion/completions/brain
+''
diff --git a/krebs/5pkgs/simple/buildbot-classic-slave/default.nix b/krebs/5pkgs/simple/buildbot-classic-slave/default.nix
deleted file mode 100644
index a48c45ae0..000000000
--- a/krebs/5pkgs/simple/buildbot-classic-slave/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ coreutils, fetchgit, git, buildbot-classic, python2Packages, ... }:
-
-python2Packages.buildPythonApplication {
-  name = "buildbot-classic-slave-${buildbot-classic.version}";
-  namePrefix = "";
-
-  src = buildbot-classic.src;
-  postUnpack = "sourceRoot=\${sourceRoot}/slave";
-
-  nativeBuildInputs = [ git ];
-  propagatedBuildInputs = [ python2Packages.twisted ];
-  doCheck = false;
-
-  postInstall = ''
-    mkdir -p "$out/share/man/man1"
-    cp docs/buildslave.1 "$out/share/man/man1"
-  '';
-}
diff --git a/krebs/5pkgs/simple/cac-panel/default.nix b/krebs/5pkgs/simple/cac-panel/default.nix
deleted file mode 100644
index 57f58f4de..000000000
--- a/krebs/5pkgs/simple/cac-panel/default.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{pkgs, python3Packages, ...}:
-
-python3Packages.buildPythonPackage rec {
-  name = "cac-panel-${version}";
-  version = "0.4.4";
-
-  src = pkgs.fetchurl {
-    url = "https://pypi.python.org/packages/source/c/cac-panel/cac-panel-${version}.tar.gz";
-    sha256 = "16bx67fsbgwxciik42jhdnfzxx1xp5b0rimzrif3r7h4fawlnld8";
-  };
-
-  propagatedBuildInputs = with python3Packages; [
-    docopt
-    requests
-    beautifulsoup4
-  ];
-}
-
diff --git a/krebs/5pkgs/simple/certaids.nix b/krebs/5pkgs/simple/certaids.nix
deleted file mode 100644
index 34f4c3e14..000000000
--- a/krebs/5pkgs/simple/certaids.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{ pkgs }:
-
-pkgs.write "certaids" {
-  "/bin/cert2json".link = pkgs.writeDash "cert2json" ''
-    # usage: cert2json < CERT > JSON
-    set -efu
-
-    ${pkgs.openssl}/bin/openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
-    ${pkgs.openssl}/bin/openssl pkcs7 -print_certs -text |
-    ${pkgs.gawk}/bin/awk -F, -f ${pkgs.writeText "cert2json.awk" ''
-      function abort(msg) {
-        print(msg) > "/dev/stderr"
-        exit 1
-      }
-
-      function toJSON(x,   type, ret) {
-        type = typeof(x)
-        switch (type) {
-          case "array":
-            if (isArray(x)) return arrayToJSON(x)
-            if (isObject(x)) return objectToJSON(x)
-            abort("cannot render array to JSON", x)
-          case "number":
-            return numberToJSON(x)
-          case "string":
-            return stringToJSON(x)
-          case "strnum":
-          case "unassigned":
-          case "regexp":
-          case "untyped":
-          default:
-            abort("cannot render type: " type)
-        }
-      }
-
-      function isArray(x,   i, k) {
-        i = 1
-        for (k in x) {
-          if (k != i++) return 0
-          i++
-        }
-        return 1
-      }
-
-      function isObject(x,   k) {
-        for (k in x) {
-          if (typeof(k) != "string") return 0
-        }
-        return 1
-      }
-
-      function arrayToJSON(x,   k, ret) {
-        ret = "["
-        for (k in x) {
-          ret=ret toJSON(x[k]) ","
-        }
-        sub(/,$/,"",ret)
-        ret=ret "]"
-        return ret
-      }
-
-      function objectToJSON(x,   k,ret) {
-        ret = "{"
-        for (k in x) {
-          ret = ret toJSON(k) ":" toJSON(x[k]) ","
-        }
-        sub(/,$/, "", ret)
-        ret = ret "}"
-        return ret
-      }
-
-      function numberToJSON(x) {
-        return x
-      }
-
-      function stringToJSON(x) {
-        gsub(/\\/, "&&",x)
-        gsub(/\n/, "\\n", x)
-        return "\"" x "\""
-      }
-
-      $1 ~ /^ *(Subject|Issuer):/ {
-        sub(/^ */, "")
-        sub(/: */, ",")
-        key=tolower($1)
-        sub(/[^,]*,/, "")
-
-        # Normalize separators between relative distinguished names.
-        # [1]: RFC2253, 3. Parsing a String back to a Distinguished Name
-        # TODO support any distinguished name
-        gsub(/ *[;,] */, ",")
-
-        for(i = 0; i <= NF; i++) {
-          split($i, a, "=")
-          cache[key][a[1]] = a[2]
-        }
-      }
-
-      /BEGIN CERTIFICATE/,/END CERTIFICATE/{
-        cache["certificate"] = cache["certificate"] $0 "\n"
-      }
-
-      /END CERTIFICATE/{
-        print toJSON(cache)
-        delete cache
-      }
-    ''}
-  '';
-}
diff --git a/krebs/5pkgs/simple/cgit-clear-cache.nix b/krebs/5pkgs/simple/cgit-clear-cache.nix
index 31a2eccb3..e630a4066 100644
--- a/krebs/5pkgs/simple/cgit-clear-cache.nix
+++ b/krebs/5pkgs/simple/cgit-clear-cache.nix
@@ -1,4 +1,8 @@
-{ cache-root ? "/tmp/cgit", findutils, stockholm, writeDashBin }:
+{ cache-root ? "/tmp/cgit", findutils, lib, writeDashBin }:
+
+let
+  stockholm.lib = import ../../../lib/pure.nix { inherit lib; };
+in
 
 writeDashBin "cgit-clear-cache" ''
   set -efu
diff --git a/krebs/5pkgs/simple/collectd-connect-time/default.nix b/krebs/5pkgs/simple/collectd-connect-time/default.nix
index 525388029..abbfae40a 100644
--- a/krebs/5pkgs/simple/collectd-connect-time/default.nix
+++ b/krebs/5pkgs/simple/collectd-connect-time/default.nix
@@ -1,8 +1,10 @@
-{lib, pkgs, pythonPackages, fetchurl, ... }:
+{lib, pkgs, python3Packages, fetchurl, ... }:
 
-pythonPackages.buildPythonPackage rec {
+python3Packages.buildPythonPackage rec {
   name = "collectd-connect-time-${version}";
   version = "0.3.0";
+  pyproject = true;
+  build-system = [ python3Packages.setuptools ];
   src = fetchurl {
     url = "https://pypi.python.org/packages/source/c/collectd-connect-time/collectd-connect-time-${version}.tar.gz";
     sha256 = "0vvrf9py9bwc8hk3scxwg4x2j8jlp2qva0mv4q8d9m4b4mk99c95";
diff --git a/krebs/5pkgs/simple/cunicu.nix b/krebs/5pkgs/simple/cunicu.nix
index 4375a760c..8e193d455 100644
--- a/krebs/5pkgs/simple/cunicu.nix
+++ b/krebs/5pkgs/simple/cunicu.nix
@@ -1,6 +1,6 @@
 { lib, pkgs }:
 
-pkgs.buildGo120Module rec {
+pkgs.buildGoModule rec {
   pname = "cunicu";
   version = "g${lib.substring 0 7 src.rev}";
 
diff --git a/krebs/5pkgs/simple/default.nix b/krebs/5pkgs/simple/default.nix
index 76ad6ff10..e0b9ffdae 100644
--- a/krebs/5pkgs/simple/default.nix
+++ b/krebs/5pkgs/simple/default.nix
@@ -3,8 +3,9 @@ self: super:
 let
   # This callPackage will try to detect obsolete overrides.
   lib = super.stockholm.lib;
+  callPackage' = lib.callPackageWith self;
   callPackage = path: args: let
-    override = self.callPackage path args;
+    override = callPackage' path args;
     upstream = lib.optionalAttrs (override ? "name")
       (super.${(lib.parseDrvName override.name).name} or {});
   in if upstream ? "name" &&
@@ -12,5 +13,15 @@ let
         lib.compareVersions upstream.name override.name != -1
     then lib.trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override
     else override;
+
+  ## This callPackage will try to detect obsolete overrides.
+  #callPackage = path: args: let
+  #  pname = (parseDrvName override.name).name;
+  #  override = self.callPackage path args;
+  #  upstream = super.${pname} or { name = ""; };
+  #in
+  #  override.overrideAttrs (old: {
+  #    name = warnOldVersion upstream.name old.name;
+  #  });
 in
   lib.mapNixDir (path: callPackage path {}) ./.
diff --git a/krebs/5pkgs/simple/dic/default.nix b/krebs/5pkgs/simple/dic/default.nix
deleted file mode 100644
index 39402c012..000000000
--- a/krebs/5pkgs/simple/dic/default.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ fetchgit, lib, stdenv
-, coreutils, curl, gnugrep, gnused, util-linux
-}:
-
-stdenv.mkDerivation {
-  name = "dic";
-
-  src = fetchgit {
-    url = https://cgit.ni.krebsco.de/dic;
-    rev = "refs/tags/v1.1.1";
-    sha256 = "1gbj967a5hj53fdkkxijqgwnl9hb8kskz0cmpjq7v65ffz3v6vag";
-  };
-
-  phases = [
-    "unpackPhase"
-    "installPhase"
-  ];
-
-  installPhase =
-    let
-      path = lib.makeBinPath [
-        coreutils
-        curl
-        gnused
-        gnugrep
-        util-linux
-      ];
-    in
-    ''
-      mkdir -p $out/bin
-
-      sed \
-        's,^main() {$,&\n  PATH=${path}; export PATH,' \
-        < ./dic \
-        > $out/bin/dic
-
-      chmod +x $out/bin/dic
-    '';
-}
diff --git a/krebs/5pkgs/simple/drivedroid-gen-repo/default.nix b/krebs/5pkgs/simple/drivedroid-gen-repo/default.nix
deleted file mode 100644
index dee96d784..000000000
--- a/krebs/5pkgs/simple/drivedroid-gen-repo/default.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ fetchurl, lib, stdenv, python3Packages }:
-
-python3Packages.buildPythonPackage rec {
-  name = "drivedroid-gen-repo-${version}";
-  version = "0.4.4";
-
-  propagatedBuildInputs = [
-    python3Packages.docopt
-  ];
-
-  src = fetchurl {
-    url = "https://pypi.python.org/packages/source/d/drivedroid-gen-repo/drivedroid-gen-repo-${version}.tar.gz";
-    sha256 = "09p58hzp61r5fp025lak9z52y0aakmaqpi59p9w5xq42dvy2hnvl";
-  };
-
-  meta = {
-    homepage = http://krebsco.de/;
-    description = "Generate Drivedroid repos";
-    license = lib.licenses.wtfpl;
-  };
-}
-
diff --git a/krebs/5pkgs/simple/ecrypt/default.nix b/krebs/5pkgs/simple/ecrypt/default.nix
deleted file mode 100644
index f83f8cfe7..000000000
--- a/krebs/5pkgs/simple/ecrypt/default.nix
+++ /dev/null
@@ -1,111 +0,0 @@
-{ pkgs, lib }:
-
-#usage: ecrypt mount /var/crypted /var/unencrypted
-pkgs.writers.writeDashBin "ecrypt" ''
-  set -euf
-
-  PATH=${lib.makeBinPath (with pkgs; [
-    coreutils
-    ecryptfs
-    gnused
-    gnugrep
-    jq
-    mount
-    keyutils
-    umount
-  ])}
-
-  # turn echo back on if killed
-  trap 'stty echo' INT
-
-  case "$1" in
-    init)
-      shift
-      mkdir -p "$1" "$2"
-
-      # abort if src or dest are not empty
-      if [ -e "$1"/.cfg.json ]; then
-        echo 'source dir is already configured, aborting'
-        exit 1
-      elif ls -1qA "$2" | grep -q .; then
-        echo 'destination dir is not empty, aborting'
-        exit 1
-      else
-        # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
-        echo 4 | ecryptfs-manager
-        stty -echo
-        printf "passphrase: "
-        read  passphrase
-        stty echo
-        sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
-        mount -t ecryptfs \
-          -o ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
-          "$1" "$2"
-
-        # add sig to json state file
-        jq -n --arg sig "$sig" '{ "sig": $sig }' > "$1"/.cfg.json
-      fi
-      ;;
-
-    mount)
-      shift
-      if ! [ -e "$1"/.cfg.json ]; then
-        echo '.cfg.json missing in src'
-        exit 1
-      fi
-      old_sig=$(cat "$1"/.cfg.json | jq -r .sig)
-
-      # check if key is already in keyring, otherwise add it
-      
-      if keyctl list @u | grep -q "$old_sig"; then
-        echo 'pw already saved'
-      else
-        # we start and exit ecryptfs-manager again to circumvent a bug where mounting the ecryptfs fails
-        echo 4 | ecryptfs-manager
-        stty -echo
-        printf "passphrase: "
-        read  passphrase
-        stty echo
-        new_sig=$(echo "$passphrase" | ecryptfs-add-passphrase | grep 'Inserted auth tok' | sed 's/.*\[\(.*\)\].*/\1/')
-
-        # check if passphrase matches sig
-        if [ "$old_sig" != "$new_sig" ]; then
-          echo 'passphrase does not match sig, bailing out'
-          new_keyid=$(keyctl list @u | grep "$new_sig" | sed 's/\([0-9]*\).*/\1/')
-          keyctl revoke "$new_keyid"
-          keyctl unlink "$new_keyid"
-          exit 1
-        fi
-      fi
-
-      sig=$old_sig
-      keyid=$(keyctl list @u | grep "$sig" | sed 's/\([0-9]*\).*/\1/')
-      if (ls -1qA "$2" | grep -q .); then
-        echo 'destination is not empty, bailing out'
-        exit 1
-      else
-        mount -i -t ecryptfs \
-          -o ecryptfs_passthrough=no,verbose=no,ecryptfs_unlink_sigs,ecryptfs_fnek_sig="$sig",ecryptfs_key_bytes=16,ecryptfs_cipher=aes,ecryptfs_sig="$sig" \
-          "$1" "$2"
-      fi
-      ;;
-
-    unmount)
-      shift
-
-      sig=$(cat "$1"/.cfg.json | jq -r .sig)
-      keyid=$(keyctl list @u | grep "$sig" | sed 's/\s*\([0-9]*\).*/\1/')
-
-      umount "$2" || :
-      keyctl revoke "$keyid"
-      keyctl unlink "$keyid"
-      ;;
-
-    *)
-      echo 'usage:
-        ecrypt init /tmp/src/ /tmp/dst/
-        ecrypt mount /tmp/src/ /tmp/dst/
-        ecrypt unmount /tmp/src/ /tmp/dst/
-      '
-  esac
-''
diff --git a/krebs/5pkgs/simple/eximlog.nix b/krebs/5pkgs/simple/eximlog.nix
deleted file mode 100644
index 9e5ae8d63..000000000
--- a/krebs/5pkgs/simple/eximlog.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ jq, stockholm, systemd, writeDashBin }:
-
-let
-  lib = stockholm.lib;
-  user = "exim"; # TODO make this configurable
-in
-
-# TODO execute eximlog only if journalctl doesn't fail
-# bash's set -o pipefail isn't enough
-
-writeDashBin "eximlog" ''
-  ${systemd}/bin/journalctl \
-      -u ${lib.shell.escape user} \
-      -o short-unix \
-      "$@" \
-    |
-  ${jq}/bin/jq -Rr '
-    # Only select lines that start with a timestamp
-    select(test("^[0-9]")) |
-
-    split(" ") |
-    (.[0] | tonumber) as $time |
-    (.[3:] | join(" ")) as $message |
-
-    "\($time | strftime("%Y-%m-%d %H:%M:%S %z")) \($message)"
-
-  '
-''
diff --git a/krebs/5pkgs/simple/font-size.nix b/krebs/5pkgs/simple/font-size.nix
index 21097ed6a..829325192 100644
--- a/krebs/5pkgs/simple/font-size.nix
+++ b/krebs/5pkgs/simple/font-size.nix
@@ -1,3 +1,4 @@
+# TODO kill me in favor of urxvt-resize-font
 { writeDashBin }:
 writeDashBin "font-size" ''
   set -efu
diff --git a/krebs/5pkgs/simple/fortclientsslvpn/default.nix b/krebs/5pkgs/simple/fortclientsslvpn/default.nix
index 1f86d6fe4..b895eef89 100644
--- a/krebs/5pkgs/simple/fortclientsslvpn/default.nix
+++ b/krebs/5pkgs/simple/fortclientsslvpn/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, gnome3, glib, libSM, gdk_pixbuf, libX11, libXinerama, iproute,
+{ stdenv, lib, fetchurl, gtk3, glib, xorg, gdk-pixbuf, iproute2,
   makeWrapper, libredirect, ppp, coreutils, gawk, pango }:
 stdenv.mkDerivation rec {
   name = "forticlientsslvpn";
@@ -31,12 +31,12 @@ stdenv.mkDerivation rec {
   ];
 
   guiLibPath = lib.makeLibraryPath [
-    gnome3.gtk
+    gtk3
     glib
-    libSM
-    gdk_pixbuf
-    libX11
-    libXinerama
+    xorg.libSM
+    gdk-pixbuf
+    xorg.libX11
+    xorg.libXinerama
     pango
   ];
 
@@ -63,7 +63,7 @@ stdenv.mkDerivation rec {
     cp -r 64bit/. "$out/opt/fortinet"
     wrapProgram $out/opt/fortinet/forticlientsslvpn \
       --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
-      --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd
+      --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute2}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd
 
     mkdir -p "$out/bin/"
 
diff --git a/krebs/5pkgs/simple/ftb/default.nix b/krebs/5pkgs/simple/ftb/default.nix
index 8007eaa52..1509961cd 100644
--- a/krebs/5pkgs/simple/ftb/default.nix
+++ b/krebs/5pkgs/simple/ftb/default.nix
@@ -1,7 +1,7 @@
 { fetchurl, lib, stdenv
-, jre, libX11, libXext, libXcursor, libXrandr, libXxf86vm
+, jre, xorg
 , openjdk
-, mesa_glu, openal
+, libGLU, openal
 , useAlsa ? false, alsaOss ? null }:
 with lib;
 
@@ -26,7 +26,7 @@ stdenv.mkDerivation {
     #!${stdenv.shell}
 
     export _JAVA_AWT_WM_NONREPARENTING=1
-    export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:${makeLibraryPath [ libX11 libXext libXcursor libXrandr libXxf86vm mesa_glu openal ]}
+    export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:${makeLibraryPath [ xorg.libX11 xorg.libXext xorg.libXcursor xorg.libXrandr xorg.libXxf86vm libGLU openal ]}
     ${if useAlsa then "${alsaOss}/bin/aoss" else "" } \
       ${jre}/bin/java -jar $out/ftb.jar
     EOF
diff --git a/krebs/5pkgs/simple/games-user-env/default.nix b/krebs/5pkgs/simple/games-user-env/default.nix
deleted file mode 100644
index abe770ed1..000000000
--- a/krebs/5pkgs/simple/games-user-env/default.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ lib, pkgs, ... }: let
-
-#TODO: make sure env exists prior to running
-env_nix = pkgs.writeText "env.nix" ''
-  { pkgs ? import <nixpkgs> {} }:
-
-  (pkgs.buildFHSUserEnv {
-    name = "simple-x11-env";
-    targetPkgs = pkgs: with pkgs; [
-      coreutils
-    ];
-    multiPkgs = pkgs: with pkgs; [
-      alsaLib
-      zlib
-      xorg.libXxf86vm
-      curl
-      openal
-      openssl_1_0_2
-      xorg.libXext
-      xorg.libX11
-      xorg.libXrandr
-      xorg.libXcursor
-      xorg.libXinerama
-      xorg.libXi
-      mesa_glu
-    ];
-    runScript = "bash";
-  }).env
-'';
-
-
-in pkgs.writeDashBin "games-user-env" ''
-  nix-shell ${env_nix}
-''
diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix
deleted file mode 100644
index 8522b5dda..000000000
--- a/krebs/5pkgs/simple/generate-secrets/default.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ pkgs }:
-pkgs.writers.writeDashBin "generate-secrets" ''
-  set -eu
-  HOSTNAME="$1"
-  TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
-  cd $TMPDIR
-
-  PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
-  HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null
-
-  ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
-  ${pkgs.tinc_pre}/bin/tinc --config "$TMPDIR" generate-keys 4096 >/dev/null
-  cat <<EOF > $TMPDIR/hashedPasswords.nix
-  {
-    root = "$HASHED_PASSWORD";
-  }
-  EOF
-
-  for x in *; do
-    ${pkgs.coreutils}/bin/cat $x | ${pkgs.brain}/bin/brain insert -m krebs-secrets/$HOSTNAME/$x > /dev/null
-  done
-  echo $PASSWORD | ${pkgs.brain}/bin/brain insert -m hosts/$HOSTNAME/root > /dev/null
-
-  cat <<EOF
-    $HOSTNAME = {
-      owner = config.krebs.users.krebs;
-      nets = {
-        retiolum = {
-          ip4.addr = "10.243.0.changeme";
-          ip6.addr = "42:0:0:0:0:0:0:changeme";
-          aliases = [
-            "$HOSTNAME.r"
-          ];
-          tinc = {
-            pubkey = ${"''"}
-  $(cat $TMPDIR/rsa_key.pub)
-            ${"''"};
-            pubkey_ed25519 = "$(cut -d ' ' -f 3 $TMPDIR/ed25519_key.pub)";
-          };
-        };
-      };
-      ssh.privkey.path = "\''${config.krebs.secret.directory}/ssh.id_ed25519";
-      ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
-    };
-  EOF
-
-  rm -rf $TMPDIR
-''
-
diff --git a/krebs/5pkgs/simple/git-hooks/default.nix b/krebs/5pkgs/simple/git-hooks/default.nix
index 3ec43739c..fe159c833 100644
--- a/krebs/5pkgs/simple/git-hooks/default.nix
+++ b/krebs/5pkgs/simple/git-hooks/default.nix
@@ -1,5 +1,7 @@
-{ pkgs, stockholm, ... }:
-
+{ pkgs, lib, ... }:
+let
+  stockholm.lib = import ../../../../lib/pure.nix { inherit lib; };
+in
 with stockholm.lib;
 
 {
@@ -112,6 +114,7 @@ with stockholm.lib;
           git diff --stat $id2..$id \
             | sed '$!s/\(+*\)\(-*\)$/'$(green '\1')$(red '\2')'/'
         )"
+        echo "$(red "$message")"
       ''}
 
     done
diff --git a/krebs/5pkgs/simple/gitignore.nix b/krebs/5pkgs/simple/gitignore.nix
deleted file mode 100644
index b3c750a08..000000000
--- a/krebs/5pkgs/simple/gitignore.nix
+++ /dev/null
@@ -1,46 +0,0 @@
-{ pkgs }:
-
-/* gitignore - Filter for intentionally untracked lines or blocks of code
-
-This is a filter that allows specifying intentionally untracked lines and
-blocks of code that Git should ignore.
-
-Example:
-
-  int main(void) {
-    printf("I would never say derp.\n");
-    //#gitignore-begin
-    printf("DERP!\n");
-    //#gitignore-end
-    printf("DERP!\n"); //#gitignore
-    return 0;
-  }
-
-Installation:
-
-  Define a filter, e.g. in ~/.config/git/config[1]:
-
-      [filter "gitignore"]
-        clean = gitignore
-        smudge = cat
-
-  Assing that filter to some paths, e.g. in ~/.config/git/attributes[2]:
-
-      *.hs filter=gitignore
-      *.c filter=gitignore
-      ...
-
-  [1]: For more information about defining filters see git-config(1).
-  [2]: For more information about assigning filters see gitattributes(5).
-*/
-
-pkgs.execBin "gitignore" {
-  filename = "${pkgs.gnused}/bin/sed";
-  argv = [
-    "gitignore"
-    /* sed */ ''
-      /#gitignore-begin/,/#gitignore-end/d
-      /#gitignore/d
-    ''
-  ];
-}
diff --git a/krebs/5pkgs/simple/gnokii/default.nix b/krebs/5pkgs/simple/gnokii/default.nix
index 995de3468..c11a6be6d 100644
--- a/krebs/5pkgs/simple/gnokii/default.nix
+++ b/krebs/5pkgs/simple/gnokii/default.nix
@@ -1,5 +1,5 @@
 { lib, stdenv, fetchurl, intltool, perl, gettext, libusb-compat-0_1, pkg-config, bluez
-, readline, pcsclite, libical, gtk2, glib, libXpm
+, readline, pcsclite, libical, gtk2, glib, libxpm
 , fetchpatch
 }:
 
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
   buildInputs = [
     perl intltool gettext libusb-compat-0_1
     glib gtk2 pkg-config bluez readline
-    libXpm pcsclite libical
+    libxpm pcsclite libical
   ];
 
   meta = {
diff --git a/krebs/5pkgs/simple/goify/default.nix b/krebs/5pkgs/simple/goify/default.nix
index 9c44aaeeb..7cc3d1b86 100644
--- a/krebs/5pkgs/simple/goify/default.nix
+++ b/krebs/5pkgs/simple/goify/default.nix
@@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ pkgs, writeBashBin, ... }:
 
-pkgs.writeBashBin "goify" ''
+writeBashBin "goify" ''
   set -euf
 
   GO_HOST=''${GO_HOST:-go}
diff --git a/krebs/5pkgs/simple/hashPassword/default.nix b/krebs/5pkgs/simple/hashPassword/default.nix
deleted file mode 100644
index 8d3ba2525..000000000
--- a/krebs/5pkgs/simple/hashPassword/default.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ lib, pkgs, ... }:
-
-pkgs.writers.writeDashBin "hashPassword" ''
-  # usage: hashPassword [...]
-  set -euf
-
-  export PATH=${lib.makeBinPath (with pkgs; [
-    coreutils
-    mkpasswd
-    openssl
-  ])}
-
-  salt=$(openssl rand -base64 16 | tr -d '+=' | head -c 16)
-  exec mkpasswd -m sha-512 -S "$salt" "$@"
-''
diff --git a/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur b/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur
index 696d1c00d..bdfb3eb61 100644
--- a/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur
+++ b/krebs/5pkgs/simple/htgen-imgur/src/htgen-imgur
@@ -1,3 +1,4 @@
+# TODO dedup with paste
 find_item() {
   if test ${#1} -ge 7; then
     set -- "$(find "$STATEDIR/items" -mindepth 1 -maxdepth 1 \
@@ -58,6 +59,9 @@ read_uri() {
     $uri |
     capture("^((?<scheme>[^:]*):)?(//(?<authority>[^/]*))?(?<path>[^?#]*)([?](?<query>[^#]*))?([#](?<fragment>.*))?$") |
     . + {
+      #authority: (.authority | if . != null then
+      #  capture("^((?<userinfo>[^@]*)@)?(?<host>[^:]*)(:(?<port>.*))?$")
+      #else . end),
       query: (.query | if . != null then
         split("&") |
         map(split("=") | {key:.[0],value:.[1]}) |
@@ -141,26 +145,26 @@ case "$Method $path" in
           description: $uri.query.description,
           datetime: now,
           type: $info["MIME type"],
-          animated: false,
+          animated: false, # TODO
           width: $info.width,
           height: $info.height,
           size: $info.size,
-          views: 0,
-          bandwidth: 0,
-          vote: null,
-          favorite: false,
-          nsfw: null,
-          section: null,
-          account_url: null,
-          acount_id: 0,
-          is_ad: false,
-          is_most_viral: false,
-          tags: [],
-          ad_type: 0,
-          ad_url: "",
-          in_gallery: false,
+          views: 0, # TODO
+          bandwidth: 0, # TODO
+          vote: null, # TODO
+          favorite: false, # TODO
+          nsfw: null, # TODO
+          section: null, # TODO
+          account_url: null, # TODO
+          acount_id: 0, # TODO
+          is_ad: false, # TODO
+          is_most_viral: false, # TODO
+          tags: [], # TODO
+          ad_type: 0, # TODO
+          ad_url: "", # TODO
+          in_gallery: false, # TODO
           deletehash: @uri "\($id)?deletehash=\($deletehash)",
-          name: "",
+          name: "", # TODO
           link: $link,
         }
       ')
diff --git a/krebs/5pkgs/simple/htgen/default.nix b/krebs/5pkgs/simple/htgen/default.nix
index 1ee13783b..945801bfe 100644
--- a/krebs/5pkgs/simple/htgen/default.nix
+++ b/krebs/5pkgs/simple/htgen/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   installPhase = ''
     mkdir -p $out/bin
     {
-      echo '#! ${pkgs.dash}/bin/dash'
+      echo '#! ${pkgs.busybox}/bin/sh'
       echo 'export PATH=${lib.makeBinPath [
         pkgs.coreutils
         pkgs.jq
diff --git a/krebs/5pkgs/simple/internetarchive/default.nix b/krebs/5pkgs/simple/internetarchive/default.nix
deleted file mode 100644
index dfe93befd..000000000
--- a/krebs/5pkgs/simple/internetarchive/default.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ lib, pkgs, stdenv, pkgs }:
-with pkgs.python3Packages;
-buildPythonPackage rec {
-  pname = "internetarchive";
-  version = "1.7.3";
-  name = "${pname}-${version}";
-
-  src = fetchPypi {
-    inherit pname version;
-    sha256 = "0x3saklabdx7qrr11h5bjfd75hfbih7pw5gvl2784zvvvrqrz45g";
-  };
-
-  propagatedBuildInputs = [
-    requests
-    jsonpatch
-    docopt
-    clint
-    six
-    schema
-    backports_csv
-  ];
-
-  # check only works when cloned from git repo
-  doCheck = false;
-
-  checkInputs = [
-    pytest
-    responses
-  ];
-
-  prePatch = ''
-    sed -i "s/'schema.*'/'schema>=0.4.0'/" setup.py
-  '';
-
-  meta = with lib; {
-    description = "python library and cli for uploading files to internet archive";
-    license = licenses.agpl3;
-  };
-}
diff --git a/krebs/5pkgs/simple/irc-announce/default.nix b/krebs/5pkgs/simple/irc-announce/default.nix
index 75036d41c..d5eae30c5 100644
--- a/krebs/5pkgs/simple/irc-announce/default.nix
+++ b/krebs/5pkgs/simple/irc-announce/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, ircaids, ... }:
 
 pkgs.writers.writeDashBin "irc-announce" ''
   set -euf
@@ -15,7 +15,7 @@ pkgs.writers.writeDashBin "irc-announce" ''
   fi
 
   printf %s "$message" |
-  ${pkgs.ircaids}/bin/ircsink \
+  ${ircaids}/bin/ircsink \
       --nick="$IRC_NICK" \
       --port="$IRC_PORT" \
       --server="$IRC_SERVER" \
diff --git a/krebs/5pkgs/simple/krebspaste/default.nix b/krebs/5pkgs/simple/krebspaste/default.nix
deleted file mode 100644
index d97b6a053..000000000
--- a/krebs/5pkgs/simple/krebspaste/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ bepasty-client-cli, gnused, writeDashBin }:
-
-writeDashBin "krebspaste" ''
-  ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" |
-  ${gnused}/bin/sed '
-    $ {
-      s/$/\/+inline/
-      p
-      s/\<r\>/krebsco.de/
-    }
-  '
-''
diff --git a/krebs/5pkgs/simple/logf/default.nix b/krebs/5pkgs/simple/logf/default.nix
deleted file mode 100644
index 36a7fed2f..000000000
--- a/krebs/5pkgs/simple/logf/default.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{ lib, pkgs, ... }:
-
-let
-  default-host-colors = pkgs.writeJSON "logf.default-host-colors.json" {
-  };
-  default-prio-colors = pkgs.writeJSON "logf.default-prio-colors.json" {
-    "0" = 196; # emerg
-    "1" = 160; # alert
-    "2" = 124; # crit
-    "3" = 009; # err
-    "4" = 011; # warning
-    "5" = 255; # notice
-    "6" = 250; # info
-    "7" = 139; # debug
-    "-" = 005; # undefined priority
-  };
-  default-urgent = pkgs.writeJSON "logf.default-urgent.json" [
-  ];
-in
-
-pkgs.writeDashBin "logf" ''
-  export LOGF_HOST_COLORS LOGF_PRIO_COLORS LOGF_URGENT
-  LOGF_HOST_COLORS=$(cat "''${LOGF_HOST_COLORS-${default-host-colors}}")
-  LOGF_PRIO_COLORS=$(cat "''${LOGF_PRIO_COLORS-${default-prio-colors}}")
-  LOGF_URGENT=$(cat "''${LOGF_URGENT-${default-urgent}}")
-  printf '%s\0' "$@" \
-    | ${pkgs.findutils}/bin/xargs -0 -P 0 -n 1 ${pkgs.writeDash "logf-remote" ''
-        target=$1
-        target_host=$(echo "$1" | sed 's/^.*@//;s/\..*//')
-        exec 3>&1
-        2>&1 1>&3 ssh "$target" -T \
-            -o PreferredAuthentications=publickey \
-            -o StrictHostKeyChecking=yes \
-            exec journalctl -af -n 0 -o json \
-          | stdbuf -oL jq -Rcf ${pkgs.writeJq "logf-remote-error.jq" ''
-              {
-                PRIORITY: "4",
-                MESSAGE: .,
-                SYSLOG_IDENTIFIER: env.target_host,
-              }
-            ''}
-        sleep 10m
-        exec "$0" "$@"
-      ''} \
-    | ${pkgs.jq}/bin/jq -Rrf ${pkgs.writeJq "logf-filter.jq" ''
-        (env.LOGF_HOST_COLORS | fromjson) as $host_colors |
-        (env.LOGF_PRIO_COLORS | fromjson) as $prio_colors |
-        (env.LOGF_URGENT | fromjson | map("(\(.))") | join("|"))
-          as $urgent_regex |
-
-        def when(c; f): if c then f else . end;
-
-        # anaphoric gsub
-        def agsub(re; f):
-          # Don't try empty regex: https://github.com/stedolan/jq/issues/1206
-          when(re != ""; gsub("(?<it>\(re))"; .it | f));
-
-        # :: [int] -> sgr
-        def sgr: "\u001b[\(map(tostring) | join(";"))m";
-
-        # :: sgr
-        def rst: [] | sgr;
-
-        # :: int -> sgr
-        def fg(i): [38,5,i]|sgr;
-        # TODO def fg(r;g;b): [38,2,r,g,b]|sgr;
-        # http://cvs.schmorp.de/rxvt-unicode/src/command.C?revision=1.570&view=markup&sortby=log&sortdir=down
-
-        # (sgr; sgr) | (null; any) :: str -> str
-        def col(a; b): when(a != null; a + . + b);
-        def col(a): col(a; rst);
-
-
-        def p_time:
-          ._SOURCE_REALTIME_TIMESTAMP
-          | if . != null then . | fromjson | . / 1000000 else now end
-          | gmtime
-          | todateiso8601
-          | col(fg(237));
-
-        def p_host:
-          ._HOSTNAME
-          | if . != null then . else "-" end
-          | col($host_colors[.]|when(. != null; fg(.)));
-
-        def p_ident:
-          if .SYSLOG_IDENTIFIER != null then .SYSLOG_IDENTIFIER
-          else ._COMM end
-          | col(fg(244));
-
-        def p_message:
-          fg($prio_colors[if has("PRIORITY") then .PRIORITY else "-" end])
-            as $prio_c |
-          .MESSAGE
-          | sub("\r$"; "")
-          | agsub($urgent_regex; "\(.)\u0007" | col(fg(219); $prio_c))
-          | col($prio_c);
-
-        try fromjson catch {
-          _SOURCE_REALTIME_TIMESTAMP: now | tostring | sub("[.]"; ""),
-          SYSLOG_IDENTIFIER: "logf/journalctl",
-          MESSAGE: .,
-        } |
-
-        [ p_time
-        , p_host
-        , p_ident
-        , p_message
-        ]
-        | join(" ")
-      ''}
-''
diff --git a/krebs/5pkgs/simple/netcup/default.nix b/krebs/5pkgs/simple/netcup/default.nix
deleted file mode 100644
index 750e9cfa9..000000000
--- a/krebs/5pkgs/simple/netcup/default.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ coreutils, curl, fetchgit, gawk, gnugrep, gnused, jq, stdenv, stockholm, w3m, ... }:
-with stockholm.lib;
-
-let
-  readJSON = path: fromJSON (readFile path);
-  sed.escape = replaceStrings ["/"] ["\\/"]; # close enough
-  PATH = makeBinPath [
-    coreutils
-    curl
-    gawk
-    gnugrep
-    gnused
-    jq
-    w3m
-  ];
-in
-stdenv.mkDerivation {
-  name = "netcup-1.0.0";
-  src = fetchgit {
-    url = "http://cgit.ni.krebsco.de/netcup";
-    rev = "refs/tags/v1.0.0";
-    sha256 = "1rn7bncfhjw0bqjbvj38m7lks4nyf5qcvkj9dg0zr99ba6dylzx5";
-  };
-  phases = [ "unpackPhase" "patchPhase" "installPhase" ];
-  patchPhase = ''
-    path=${shell.escape (sed.escape PATH)}
-    sed -i "1s/.*/&\nPATH=$path/" vcp
-  '';
-  installPhase = ''
-    mkdir -p $out/bin
-    cp vcp $out/bin
-  '';
-}
diff --git a/krebs/5pkgs/simple/nixos-format-error.nix b/krebs/5pkgs/simple/nixos-format-error.nix
deleted file mode 100644
index a28f7245f..000000000
--- a/krebs/5pkgs/simple/nixos-format-error.nix
+++ /dev/null
@@ -1,107 +0,0 @@
-{ pkgs }:
-
-pkgs.writeGawkBin "nixos-format-error" ''
-  # usage: nixos-rebuild ... 2>&1 | nixos-format-error
-
-  function out() {
-    print
-    next
-  }
-
-  BEGIN {
-    IDLE = 0
-    ACTIVE = 1
-    PASSIVE = 2
-    ERROR = 3
-
-    start_state = IDLE
-
-    state = start_state
-  }
-
-  END {
-    if (trace_count)
-      for (i = trace_count - 1; i >= 0; i--)
-        print trace[i]
-  }
-
-  state == PASSIVE {
-    out()
-  }
-
-  state == IDLE {
-    if ($0 ~ /^building the system configuration\.\.\.
?$/) {
-      state = ACTIVE
-    }
-    out()
-  }
-
-  state == ACTIVE {
-    if ($1 ~ /(\[[0-9;]+m)?error:(\[[0-9;]m)?/) {
-      state = ERROR
-      sub(/^/,"\x1b[31;1m"); sub(/$/,"\x1b[m")
-      trace[trace_count++] = $0
-
-      "stty -F /dev/tty size" |& getline
-      COLUMNS = gensub(/.* ([0-9]+)$/, "\\1", "1")
-
-      next
-    }
-    if ($0 ~ /^these [0-9]+ derivations will be built:/) {
-      state = PASSIVE
-    }
-    if ($0 == "activating the configuration...") {
-      state = PASSIVE
-    }
-    out()
-  }
-
-  state == ERROR {
-    sub(/
$/, "")
-    gsub(/\[[0-9;]*m/, "")
-
-    if ($0 ~ /^\s*at /) {
-      location = gensub(/^\s*at (.*):$/,"\\1","1")
-      content = ""
-      lnumcol = gensub(/^.*:([0-9]+:[0-9]+)$/,"\\1","1",location)
-      lnum = gensub(/:.*/,"","1",lnumcol)
-      col = gensub(/.*:/,"","1",lnumcol)
-      next
-    }
-
-    if ($1 == lnum "|") {
-      content = gensub(/^\s*[0-9]+\|(.*)/,"\\1","1")
-
-      location = sprintf("%50s", location)
-
-      preview_size = COLUMNS - length(location " ")
-
-      prefix = gensub(/^\s*/,"","1",substr(content, 1, col))
-      infix = gensub(/^([0-9a-zA-Z]+|.).*$/, "\\1", "1", substr(content, col + 1))
-      suffix = substr(content, col + length(infix) + 1)
-
-      if (length(prefix infix suffix) > preview_size) {
-        n = (preview_size - length(infix)) / 2 - length(" ")
-        prefix = substr(prefix, length(prefix) - n + 1)
-        if (prefix != "") { prefix = "…" prefix }
-        suffix = substr(suffix, 1, n)
-        if (suffix != "") { suffix = suffix "…" }
-      }
-
-      preview = \
-        "\x1b[38;5;244m" prefix "\x1b[m" \
-        "\x1b[38;5;230m" infix "\x1b[m" \
-        "\x1b[38;5;244m" suffix "\x1b[m"
-
-      trace[trace_count++] = location " " preview
-      next
-    }
-
-    if ($0 == "") next
-    if ($0 ~ /^\s*… (from|while)/) next
-    if ($0 ~ /^\s*([0-9]*)\|/) next
-
-    trace[trace_count++] = $0
-    next
-  }
-''
diff --git a/krebs/5pkgs/simple/ovh-zone/default.nix b/krebs/5pkgs/simple/ovh-zone/default.nix
index bc0e45cb9..a31611ea2 100644
--- a/krebs/5pkgs/simple/ovh-zone/default.nix
+++ b/krebs/5pkgs/simple/ovh-zone/default.nix
@@ -6,9 +6,11 @@
 ## diff future.sorted current.sorted
 
 python3Packages.buildPythonPackage rec {
-  name = "ovh-zone-${version}";
+  pname = "ovh-zone";
   version = "0.4.4";
-  propagatedBuildInputs = with pkgs.python3Packages;[
+  pyproject = true;
+  build-system = [ python3Packages.setuptools ];
+  dependencies = with pkgs.python3Packages;[
     ovh
     docopt
   ];
diff --git a/krebs/5pkgs/simple/python-dnsstamps.nix b/krebs/5pkgs/simple/python-dnsstamps.nix
index 18d08fec8..314e11610 100644
--- a/krebs/5pkgs/simple/python-dnsstamps.nix
+++ b/krebs/5pkgs/simple/python-dnsstamps.nix
@@ -3,6 +3,8 @@
 python3Packages.buildPythonPackage rec {
   pname = "dnsstamps";
   version = "1.3.0";
+  pyproject = true;
+  build-system = [ python3Packages.setuptools ];
 
   src = python3Packages.fetchPypi {
     inherit pname version;
diff --git a/krebs/5pkgs/simple/qrscan.nix b/krebs/5pkgs/simple/qrscan.nix
deleted file mode 100644
index df9a98053..000000000
--- a/krebs/5pkgs/simple/qrscan.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs }:
-
-pkgs.writeDashBin "qrscan" ''
-  set -efu
-
-  ${pkgs.zbar}/bin/zbarcam -1 | ${pkgs.gnused}/bin/sed -n 's/^QR-Code://p'
-''
diff --git a/krebs/5pkgs/simple/reaktor2-plugins.nix b/krebs/5pkgs/simple/reaktor2-plugins/default.nix
index 5b7be5d33..73c46755f 100644
--- a/krebs/5pkgs/simple/reaktor2-plugins.nix
+++ b/krebs/5pkgs/simple/reaktor2-plugins/default.nix
@@ -15,7 +15,7 @@ with stockholm.lib;
   commands = {
 
     random-emoji = {
-      filename = stockholm.outPath + "/krebs/5pkgs/simple/Reaktor/scripts/random-emoji.sh";
+      filename = ./scripts/random-emoji.sh;
       env = {
         PATH = makeBinPath (with pkgs; [ coreutils gnused gnugrep xmlstarlet wget ]);
       };
@@ -35,10 +35,10 @@ with stockholm.lib;
     };
 
     stockholm-issue = {
-      filename = stockholm.outPath + "/krebs/5pkgs/simple/Reaktor/scripts/random-issue.sh";
+      filename = ./scripts/random-issue.sh;
       env = {
         PATH = makeBinPath (with pkgs; [ coreutils git gnused haskellPackages.lentil ]);
-        origin = "http://cgit.gum/stockholm";
+        origin = "https://cgit.krebsco.de/stockholm";
         state_dir = "/tmp/stockholm-issue";
       };
     };
@@ -59,7 +59,7 @@ with stockholm.lib;
         filename = pkgs.writers.writeDash "sed-plugin" ''
           set -efu
           exec ${pkgs.python3}/bin/python \
-            ${./Reaktor/scripts/sed-plugin.py} "$@"
+            ${./scripts/sed-plugin.py} "$@"
         '';
       };
     };
@@ -68,7 +68,7 @@ with stockholm.lib;
       activate = "match";
       pattern = "^(.*Shack.*)$";
       arguments = [1];
-      command.filename = stockholm.outPath + "/krebs/5pkgs/simple/Reaktor/scripts/shack-correct.sh";
+      command.filename = ./scripts/shack-correct.sh;
     };
 
 
diff --git a/krebs/5pkgs/simple/Reaktor/scripts/random-emoji.sh b/krebs/5pkgs/simple/reaktor2-plugins/scripts/random-emoji.sh
index 6f3dd4a3f..6f3dd4a3f 100755
--- a/krebs/5pkgs/simple/Reaktor/scripts/random-emoji.sh
+++ b/krebs/5pkgs/simple/reaktor2-plugins/scripts/random-emoji.sh
diff --git a/krebs/5pkgs/simple/Reaktor/scripts/random-issue.sh b/krebs/5pkgs/simple/reaktor2-plugins/scripts/random-issue.sh
index 5c47c6156..5c47c6156 100755
--- a/krebs/5pkgs/simple/Reaktor/scripts/random-issue.sh
+++ b/krebs/5pkgs/simple/reaktor2-plugins/scripts/random-issue.sh
diff --git a/krebs/5pkgs/simple/Reaktor/scripts/sed-plugin.py b/krebs/5pkgs/simple/reaktor2-plugins/scripts/sed-plugin.py
index 4925b25bb..4925b25bb 100755
--- a/krebs/5pkgs/simple/Reaktor/scripts/sed-plugin.py
+++ b/krebs/5pkgs/simple/reaktor2-plugins/scripts/sed-plugin.py
diff --git a/krebs/5pkgs/simple/Reaktor/scripts/shack-correct.sh b/krebs/5pkgs/simple/reaktor2-plugins/scripts/shack-correct.sh
index d500b3cb3..d500b3cb3 100755
--- a/krebs/5pkgs/simple/Reaktor/scripts/shack-correct.sh
+++ b/krebs/5pkgs/simple/reaktor2-plugins/scripts/shack-correct.sh
diff --git a/krebs/5pkgs/simple/Reaktor/scripts/tell-on_join.sh b/krebs/5pkgs/simple/reaktor2-plugins/scripts/tell-on_join.sh
index 6978e38c6..6978e38c6 100755
--- a/krebs/5pkgs/simple/Reaktor/scripts/tell-on_join.sh
+++ b/krebs/5pkgs/simple/reaktor2-plugins/scripts/tell-on_join.sh
diff --git a/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh b/krebs/5pkgs/simple/reaktor2-plugins/scripts/tell-on_privmsg.sh
index fc05bdefb..fc05bdefb 100755
--- a/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh
+++ b/krebs/5pkgs/simple/reaktor2-plugins/scripts/tell-on_privmsg.sh
diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
index 5364a37dc..44e888879 100644
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
@@ -1,8 +1,10 @@
-{ pkgs, ... }:
+{ pkgs, nomads-cloud, ... }:
 pkgs.writers.writeDashBin "generate-wallpaper" ''
   set -euf
 
-  export PATH=${with pkgs; lib.makeBinPath [
+  export PATH=${pkgs.lib.makeBinPath ([
+    nomads-cloud
+  ] ++ (with pkgs; [
     coreutils
     curl
     gnugrep
@@ -12,9 +14,8 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
     imagemagick
     inkscape
     jq
-    nomads-cloud
     xplanet
-  ]}
+  ]))}
 
   # usage: getimg FILENAME URL
   fetch() {
diff --git a/krebs/5pkgs/simple/repo-sync/default.nix b/krebs/5pkgs/simple/repo-sync/default.nix
index 5dc5ecb98..1c88c2e91 100644
--- a/krebs/5pkgs/simple/repo-sync/default.nix
+++ b/krebs/5pkgs/simple/repo-sync/default.nix
@@ -2,19 +2,19 @@
 
 with python3Packages; buildPythonPackage rec {
   name = "repo-sync-${version}";
-  version = "0.2.7";
+  version = "1.0.0";
   pyproject = true;
   build-system = [ python3Packages.setuptools ];
   propagatedBuildInputs = [
     docopt
-    GitPython
+    gitpython
     pkgs.git
   ];
   src = fetchFromGitHub {
     owner = "krebs";
     repo = "repo-sync";
     rev = version;
-    sha256 = "1qjf1jmxf7xzwskybdys4vqncnwj9f3xwk1gv354zrla68s533cw";
+    hash = "sha256-dkhPUaCL+tZn5rF7NN8A6NK/0tz669dLLYRGtRxO+fM=";
   };
   meta = {
     homepage = http://github.com/makefu/repo-sync;
diff --git a/krebs/5pkgs/simple/ssh-audit.nix b/krebs/5pkgs/simple/ssh-audit.nix
index 4574eb644..286282107 100644
--- a/krebs/5pkgs/simple/ssh-audit.nix
+++ b/krebs/5pkgs/simple/ssh-audit.nix
@@ -4,6 +4,8 @@ python3Packages.buildPythonPackage rec {
   inherit (meta) version;
 
   pname = "ssh-audit";
+  pyproject = true;
+  build-system = [ python3Packages.setuptools ];
 
   src = fetchFromGitHub {
     owner = "arthepsy";
diff --git a/krebs/5pkgs/simple/tinc_graphs/default.nix b/krebs/5pkgs/simple/tinc_graphs/default.nix
index 953804dd0..11079a9a3 100644
--- a/krebs/5pkgs/simple/tinc_graphs/default.nix
+++ b/krebs/5pkgs/simple/tinc_graphs/default.nix
@@ -1,10 +1,12 @@
 { fetchFromGitHub, lib, pkgs, python3Packages, stdenv }:
 
 python3Packages.buildPythonPackage rec {
-  name = "tinc_graphs-${version}";
+  pname = "tinc_graphs";
   version = "0.4.0";
+  pyproject = true;
+  build-system = [ python3Packages.setuptools ];
 
-  propagatedBuildInputs = with pkgs;[
+  dependencies = with pkgs;[
     python3Packages.pygeoip
     ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat
   ];
diff --git a/krebs/5pkgs/simple/treq/default.nix b/krebs/5pkgs/simple/treq/default.nix
index 7cb826a51..8689479b3 100644
--- a/krebs/5pkgs/simple/treq/default.nix
+++ b/krebs/5pkgs/simple/treq/default.nix
@@ -1,14 +1,16 @@
-{ stdenv, fetchurl, pythonPackages }:
+{ stdenv, fetchurl, python3Packages }:
 
-pythonPackages.buildPythonPackage rec {
+python3Packages.buildPythonPackage rec {
   name = "${pname}-${version}";
   pname = "treq";
   version = "15.1.0";
+  pyproject = true;
+  build-system = [ python3Packages.setuptools ];
   src = fetchurl {
     url = "mirror://pypi/t/${pname}/${name}.tar.gz";
     sha256= "425a47d5d52a993d51211028fb6ade252e5fbea094e878bb4b644096a7322de8";
   };
-  propagatedBuildInputs = with pythonPackages; [
+  propagatedBuildInputs = with python3Packages; [
     twisted
     pyopenssl
     requests
diff --git a/krebs/5pkgs/simple/ukrepl.nix b/krebs/5pkgs/simple/ukrepl.nix
index bdea4181f..da1c05c92 100644
--- a/krebs/5pkgs/simple/ukrepl.nix
+++ b/krebs/5pkgs/simple/ukrepl.nix
@@ -1,5 +1,5 @@
-{ lib, pkgs,stdenv }:
-let 
+{ lib, pkgs, stdenv }:
+let
   src = pkgs.fetchFromGitHub {
     owner = "makefu";
     repo = "ukrepl";
@@ -7,5 +7,5 @@ let
     hash = "sha256:1lnhkf02f18fvf3l2fcszvs4x115lql17akabd5ph9ff9z33k8rv";
   };
 in
-  pkgs.writers.writePython3Bin "ukrepl" {} (builtins.readFile (src + "/ukrepl"))
+  pkgs.writers.writePython3Bin "ukrepl" {} (src + "/ukrepl")
 
diff --git a/krebs/5pkgs/simple/untilport/default.nix b/krebs/5pkgs/simple/untilport/default.nix
index 2930fd1eb..d299ec807 100644
--- a/krebs/5pkgs/simple/untilport/default.nix
+++ b/krebs/5pkgs/simple/untilport/default.nix
@@ -1,6 +1,6 @@
-{ pkgs, ... }:
+{ libressl, writeDashBin, ... }:
 
-pkgs.writeDashBin "untilport" ''
+writeDashBin "untilport" ''
   set -euf
 
   usage() {
@@ -13,6 +13,6 @@ pkgs.writeDashBin "untilport" ''
   if [ $# -ne 2 ]; then
     usage
   else
-    until ${pkgs.libressl.nc}/bin/nc -z "$@"; do sleep 1; done
+    until ${libressl.nc}/bin/nc -z "$@"; do sleep 1; done
   fi
 ''
diff --git a/krebs/5pkgs/simple/urix.nix b/krebs/5pkgs/simple/urix.nix
index 73ea3e665..9ac3a115c 100644
--- a/krebs/5pkgs/simple/urix.nix
+++ b/krebs/5pkgs/simple/urix.nix
@@ -1,14 +1,13 @@
-{ pkgs, stockholm }:
+{ pkgs, lib, writeDash }:
+
+let
+  stockholm.lib = import ../../../lib/pure.nix { inherit lib; };
+in
 
 # urix - URI eXtractor
 # Extract all the URIs from standard input and write them to standard output!
 # usage: urix < SOMEFILE
 
-pkgs.execBin "urix" {
-  filename = "${pkgs.gnugrep}/bin/grep";
-  argv = [
-    "urix"
-    "-Eo"
-    "\\b${stockholm.lib.uri.posix-extended-regex}\\b"
-  ];
-}
+writeDash "urix" ''
+  exec ${pkgs.gnugrep}/bin/grep -Eo '\b${stockholm.lib.uri.posix-extended-regex}\b'
+''
diff --git a/krebs/5pkgs/simple/with-tmpdir/default.nix b/krebs/5pkgs/simple/with-tmpdir/default.nix
deleted file mode 100644
index 9862671f8..000000000
--- a/krebs/5pkgs/simple/with-tmpdir/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ stdenv, fetchgit, coreutils, dash, ... }:
-
-stdenv.mkDerivation {
-  name = "with-tmpdir-1";
-
-  src = fetchgit {
-    url = http://cgit.ni.krebsco.de/with-tmpdir;
-    rev = "3243c02ed8cd27a04c080bd39560204980f6c16a";
-    sha256 = "80ee6cafb2c337999ddcd1e41747d6256b7cfcea605358c2046eb7e3729555c6";
-  };
-
-  phases = [
-    "unpackPhase"
-    "installPhase"
-  ];
-
-  installPhase = ''
-    mkdir -p $out/bin
-
-    { echo '#! ${dash}/bin/dash'
-      echo 'OLDPATH=$PATH'
-      echo 'PATH=${coreutils}/bin'
-      sed '$s/^/#/' ./with-tmpdir
-      echo '(PATH=$OLDPATH; exec "$@")'
-    } > $out/bin/with-tmpdir
-
-    chmod +x $out/bin/with-tmpdir
-  '';
-}
diff --git a/lib/default.nix b/lib/default.nix
deleted file mode 100644
index f9f2f1579..000000000
--- a/lib/default.nix
+++ /dev/null
@@ -1 +0,0 @@
-import ./impure.nix
diff --git a/lib/eval-source.nix b/lib/eval-source.nix
index ff853185b..93320a218 100644
--- a/lib/eval-source.nix
+++ b/lib/eval-source.nix
@@ -1,4 +1,5 @@
-with import <stockholm/lib>;
+{ lib }:
+with lib;
 let
   eval = _file: source: evalModules {
     modules = singleton {
diff --git a/lib/impure.nix b/lib/impure.nix
deleted file mode 100644
index 3f95c375f..000000000
--- a/lib/impure.nix
+++ /dev/null
@@ -1,3 +0,0 @@
-import ./pure.nix {
-  lib = import <nixpkgs/lib>;
-}
diff --git a/lib/pure.nix b/lib/pure.nix
index 3fe51cd54..6b5f229e6 100644
--- a/lib/pure.nix
+++ b/lib/pure.nix
@@ -9,7 +9,7 @@ let
       };
     in filterAttrsRecursive (name: _: !hasPrefix "_" name) eval.config;
 
-    evalSource = import ./eval-source.nix;
+    evalSource = import ./eval-source.nix { lib = stockholm.lib; };
 
     evalSubmodule = submodule: modules: let
       prefix = ["evalSubmodule"];
@@ -37,7 +37,7 @@ let
 
     eq = x: y: x == y;
     ne = x: y: x != y;
-    mod = x: y: x - y * (x / y);
+    #mod = x: y: x - y * (x / y);
 
     on = b: u: x: y: b (u x) (u y);
 
diff --git a/lib/types.nix b/lib/types.nix
index ad8421b18..f0165c523 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -1,5 +1,4 @@
 { lib, ... }:
-
 let
   inherit (lib)
     all any attrNames concatMapStringsSep concatStringsSep const filter flip
@@ -198,9 +197,32 @@ rec {
       };
       tinc = mkOption {
         type = let net = config; in nullOr (submodule ({ config, ... }: {
+          config = {
+            config = 
+              #assert (with builtins; trace "xxxxxx ${toJSON config.subnets}" true);
+              concatStringsSep "\n" (
+                (optionals (net.via != null)
+                  (map (a: "Address = ${a} ${toString config.port}") net.via.addrs))
+                ++
+                (map (a: "Subnet = ${a}") config.subnets)
+                ++
+                (map (a: "Subnet = ${a}") net.addrs)
+                ++
+                [config.extraConfig]
+                ++
+                [config.pubkey]
+                ++
+                optional (config.pubkey_ed25519 != null) ''
+                  Ed25519PublicKey = ${config.pubkey_ed25519}
+                ''
+                ++
+                optional (config.weight != null) "Weight = ${toString config.weight}"
+              );
+          };
           options = {
             config = mkOption {
               type = str;
+              # TODO: readOnly = true;
               default = concatStringsSep "\n" (
                 (optionals (net.via != null)
                   (map (a: "Address = ${a} ${toString config.port}") net.via.addrs))