9 files changed, 69 insertions, 28 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 0a103ed1a..91071ec85 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -6,7 +6,6 @@
     ../../../krebs/2configs
     ../../../krebs/2configs/nginx.nix
 
-    ../../../krebs/2configs/buildbot-stockholm.nix
     ../../../krebs/2configs/binary-cache/nixos.nix
     ../../../krebs/2configs/ircd.nix
     ../../../krebs/2configs/reaktor2.nix
@@ -15,6 +14,10 @@
     ../../../krebs/2configs/mud.nix
     ../../../krebs/2configs/repo-sync.nix
 
+    ../../../krebs/2configs/buildbot-stockholm.nix
+    #../../../krebs/2configs/buildbot/master.nix
+    #../../../krebs/2configs/buildbot/worker.nix
+
     ../../../krebs/2configs/cal.nix
     ../../../krebs/2configs/mastodon.nix
 
diff --git a/krebs/2configs/buildbot/master.nix b/krebs/2configs/buildbot/master.nix
new file mode 100644
index 000000000..9598f6fa0
--- /dev/null
+++ b/krebs/2configs/buildbot/master.nix
@@ -0,0 +1,33 @@
+{buildbot-nix,...}:
+let
+  #domain = "buildbot.krebsco.de";
+  domain = "build.hotdog.r";
+in {
+  imports = [
+    buildbot-nix.nixosModules.buildbot-master
+  ];
+
+  #services.nginx.virtualHosts."${domain}" = {
+  #  enableACME = true;
+  #  forceSSL = true;
+  #};
+
+
+  services.buildbot-nix.master = {
+    enable = true;
+    admins = [ "makefu" ];
+    buildSystems = [ "x86_64-linux" "aarch64-linux" ];
+    inherit domain;
+    evalMaxMemorySize = "4096";
+    evalWorkerCount = 16;
+    workersFile = "/var/src/secrets/buildbot/nix-workers";
+    github = {
+      tokenFile = "/var/src/secrets/buildbot/github-token";
+      webhookSecretFile = "/var/src/secrets/buildbot/github-webhook-secret";
+      oauthSecretFile = "/var/src/secrets/buildbot/github-oauth-secret";
+      oauthId = "Ov23lizFP7t7qoE9FuDA";
+      user = "krebs-bob";
+      topic = "buildbot";
+    };
+  };
+}
diff --git a/krebs/2configs/buildbot/worker.nix b/krebs/2configs/buildbot/worker.nix
new file mode 100644
index 000000000..e96c6df14
--- /dev/null
+++ b/krebs/2configs/buildbot/worker.nix
@@ -0,0 +1,11 @@
+{ buildbot-nix, ... }:
+{
+  imports = [
+    buildbot-nix.nixosModules.buildbot-worker
+  ];
+
+  services.buildbot-nix.worker = {
+    enable = true;
+    workerPasswordFile = "/var/src/secrets/nix-worker-file";
+  };
+}
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 5d64555c8..6ca7c732a 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -28,7 +28,7 @@ with import ../../lib/pure.nix { inherit lib; };
   networking.hostName = config.krebs.build.host.name;
 
   nix.maxJobs = 1;
-  nix.useSandbox = true;
+  nix.settings.sandbox = true;
 
   environment.systemPackages = with pkgs; [
     git
diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix
index f42921824..aa33f748f 100644
--- a/krebs/2configs/matterbridge.nix
+++ b/krebs/2configs/matterbridge.nix
@@ -1,4 +1,4 @@
-{ pkgs, lib, ...  }: {
+{ pkgs, lib, config, ...  }: {
   services.matterbridge = {
     enable = true;
     configPath = let
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 961b217e1..6d666b6d6 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -391,12 +391,12 @@ let
       };
     };
 
-    services.fcgiwrap = {
-      enable = true;
-      user = cfg.cgit.fcgiwrap.user.name;
-      group = cfg.cgit.fcgiwrap.group.name;
-      # socketAddress = "/run/fcgiwrap.sock" (default)
-      # socketType = "unix" (default)
+    services.fcgiwrap.instances.cgit = {
+      process.user = cfg.cgit.fcgiwrap.user.name;
+      process.group = cfg.cgit.fcgiwrap.group.name;
+      socket.user = cfg.cgit.fcgiwrap.user.name;
+      socket.group = config.services.nginx.group;
+      socket.mode = "0660";
     };
 
     environment.etc."cgitrc".text = let
@@ -460,7 +460,7 @@ let
         fastcgi_param       PATH_INFO       $uri;
         fastcgi_param       QUERY_STRING    $args;
         fastcgi_param       HTTP_HOST       $server_name;
-        fastcgi_pass        unix:${config.services.fcgiwrap.socketAddress};
+        fastcgi_pass        unix:${config.services.fcgiwrap.instances.cgit.socket.address};
       '';
       # Smart HTTP transport.  Regex based on.
       # https://github.com/git/git/blob/v2.27.0/http-backend.c#L708-L721
@@ -480,7 +480,7 @@ let
         }};
         fastcgi_param PATH_INFO $fastcgi_script_name;
         fastcgi_param SCRIPT_FILENAME ${pkgs.git}/bin/git-http-backend;
-        fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+        fastcgi_pass unix:${config.services.fcgiwrap.instances.cgit.socket.address};
       '';
       locations."/static/".extraConfig = ''
         root ${pkgs.cgit}/cgit;
diff --git a/krebs/3modules/upstream/desktop-managers/default.nix b/krebs/3modules/upstream/desktop-managers/default.nix
index 22e75439d..5fd39086c 100644
--- a/krebs/3modules/upstream/desktop-managers/default.nix
+++ b/krebs/3modules/upstream/desktop-managers/default.nix
@@ -1,6 +1,5 @@
 {
   imports = [
     ./coma.nix
-    ./none.nix
   ];
 }
diff --git a/krebs/3modules/upstream/desktop-managers/none.nix b/krebs/3modules/upstream/desktop-managers/none.nix
deleted file mode 100644
index 77f7ad513..000000000
--- a/krebs/3modules/upstream/desktop-managers/none.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ lib, ... }:
-# Replace upstream none desktop-manager by a real none, that doesn't pull in
-# any dependencies.
-{
-  disabledModules = lib.singleton "services/x11/desktop-managers/none.nix";
-  config.services.xserver.desktopManager.session = lib.singleton {
-    name = "none";
-    bgSupport = true;
-    start = "";
-  };
-}
diff --git a/krebs/5pkgs/simple/brain/default.nix b/krebs/5pkgs/simple/brain/default.nix
index aca06c407..d7e36a527 100644
--- a/krebs/5pkgs/simple/brain/default.nix
+++ b/krebs/5pkgs/simple/brain/default.nix
@@ -1,16 +1,22 @@
-{ pass, runCommand, write, writeDash, ... }:
+{ pkgs }:
 
-write "brain" {
-  "/bin/brain".link = writeDash "brain" ''
+let
+  pass = pkgs.pass.withExtensions (ext: [
+    ext.pass-otp
+  ]);
+in
+
+pkgs.write "brain" {
+  "/bin/brain".link = pkgs.writeDash "brain" ''
     PASSWORD_STORE_DIR=$HOME/brain \
     exec ${pass}/bin/pass "$@"
   '';
-  "/bin/brainmenu".link = writeDash "brainmenu" ''
+  "/bin/brainmenu".link = pkgs.writeDash "brainmenu" ''
     PASSWORD_STORE_DIR=$HOME/brain \
     exec ${pass}/bin/passmenu "$@"
   '';
   "/share/bash-completion/completions/brain".link =
-    runCommand "brain-completions" {
+    pkgs.runCommand "brain-completions" {
     } /* sh */ ''
       sed -r '
         s/\<_pass?(_|\>)/_brain\1/g