4 files changed, 6 insertions, 3 deletions

diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index dc26a6c6f..33fb7e492 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
       stockholm.file = "/home/tv/stockholm";
       nixpkgs.git = {
         url = https://github.com/NixOS/nixpkgs;
-        ref = "5d03aab044970e72a9c6cb07dab734c9c2a391e4";
+        ref = "5b0c9d4f92f15f171afa65caf13a29ac1c068a10"; # nixos-17.03
       };
     } // optionalAttrs host.secure {
       secrets-master.file = "/home/tv/secrets/master";
diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix
index 2a3b5cbc1..418551213 100644
--- a/tv/2configs/pulse.nix
+++ b/tv/2configs/pulse.nix
@@ -76,6 +76,9 @@ in
     };
   };
 
+  # TODO assert that pulse is the only user with "audio" in group/extraGroups
+  # otherwise the audio device can be hijacked while the pulse service restarts
+  # (e.g. when mpv is running) and then the service will fail.
   users = {
     groups.pulse.gid = config.users.users.pulse.uid;
     users.pulse = {
diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix
index 6e11e0251..5779240ba 100644
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@@ -31,7 +31,7 @@ with import <stockholm/lib>;
 
       ## other
 
-      https://nixos.org/channels/nixos-16.09/git-revision
+      https://nixos.org/channels/nixos-17.03/git-revision
       https://nixos.org/channels/nixos-unstable/git-revision
 
       ## 2014-10-17
diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index 7dcfecce6..deb929c34 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -18,7 +18,7 @@ in {
   ];
 
   # TODO dedicated group, i.e. with a single user [per-user-setuid]
-  # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
+  # TODO krebs.setuid.slock.path vs /run/wrappers/bin
   krebs.setuid.slock = {
     filename = "${pkgs.slock}/bin/slock";
     group = "wheel";