11 files changed, 52 insertions, 29 deletions
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index b718d19b8..108006f34 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -16,11 +16,11 @@ with import <stockholm/lib>;
   networking = {
     interfaces.enp2s1.ip4 = singleton {
       address = let
-        addr = "64.137.177.226";
+        addr = "45.62.237.203";
       in assert config.krebs.build.host.nets.internet.ip4.addr == addr; addr;
       prefixLength = 24;
     };
-    defaultGateway = "64.137.177.1";
+    defaultGateway = "45.62.237.1";
     nameservers = ["8.8.8.8"];
   };
 
diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix
index e9a8a131a..fcd0a2178 100644
--- a/tv/1systems/mu.nix
+++ b/tv/1systems/mu.nix
@@ -99,10 +99,10 @@ with import <stockholm/lib>;
 
   programs.ssh.startAgent = false;
 
-  security.setuidPrograms = [
-    "sendmail"  # for cron
-    "slock"
-  ];
+  security.wrappers = {
+    sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron
+    slock.slock = "${pkgs.slock}/bin/slock";
+  };
 
   security.pam.loginLimits = [
     # for jack
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index a9d7e94eb..4cde8b903 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -157,9 +157,9 @@ with import <stockholm/lib>;
     #jack2
   ];
 
-  security.setuidPrograms = [
-    "sendmail"  # for cron
-  ];
+  security.wrappers = {
+    sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron
+  };
 
   services.printing.enable = true;
 
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 974d820d5..4b8fe8da2 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -167,9 +167,9 @@ with import <stockholm/lib>;
     gptfdisk
   ];
 
-  security.setuidPrograms = [
-    "sendmail"  # for cron
-  ];
+  security.wrappers = {
+    sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron
+  };
 
   services.printing.enable = true;
 
diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix
index 59e8b1c7f..194ac2928 100644
--- a/tv/1systems/zu.nix
+++ b/tv/1systems/zu.nix
@@ -167,9 +167,9 @@ with import <stockholm/lib>;
     gptfdisk
   ];
 
-  security.setuidPrograms = [
-    "sendmail"  # for cron
-  ];
+  security.wrappers = {
+    sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron
+  };
 
   services.printing.enable = true;
 
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index dc26a6c6f..33fb7e492 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
       stockholm.file = "/home/tv/stockholm";
       nixpkgs.git = {
         url = https://github.com/NixOS/nixpkgs;
-        ref = "5d03aab044970e72a9c6cb07dab734c9c2a391e4";
+        ref = "5b0c9d4f92f15f171afa65caf13a29ac1c068a10"; # nixos-17.03
       };
     } // optionalAttrs host.secure {
       secrets-master.file = "/home/tv/secrets/master";
diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix
index 2a3b5cbc1..418551213 100644
--- a/tv/2configs/pulse.nix
+++ b/tv/2configs/pulse.nix
@@ -76,6 +76,9 @@ in
     };
   };
 
+  # TODO assert that pulse is the only user with "audio" in group/extraGroups
+  # otherwise the audio device can be hijacked while the pulse service restarts
+  # (e.g. when mpv is running) and then the service will fail.
   users = {
     groups.pulse.gid = config.users.users.pulse.uid;
     users.pulse = {
diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix
index 6e11e0251..5779240ba 100644
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@@ -31,7 +31,7 @@ with import <stockholm/lib>;
 
       ## other
 
-      https://nixos.org/channels/nixos-16.09/git-revision
+      https://nixos.org/channels/nixos-17.03/git-revision
       https://nixos.org/channels/nixos-unstable/git-revision
 
       ## 2014-10-17
diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index 7dcfecce6..deb929c34 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -18,7 +18,7 @@ in {
   ];
 
   # TODO dedicated group, i.e. with a single user [per-user-setuid]
-  # TODO krebs.setuid.slock.path vs /var/setuid-wrappers
+  # TODO krebs.setuid.slock.path vs /run/wrappers/bin
   krebs.setuid.slock = {
     filename = "${pkgs.slock}/bin/slock";
     group = "wheel";
diff --git a/tv/5pkgs/q/default.nix b/tv/5pkgs/q/default.nix
index a3a7cd739..2e7aa5cf2 100644
--- a/tv/5pkgs/q/default.nix
+++ b/tv/5pkgs/q/default.nix
@@ -1,7 +1,19 @@
 { pkgs, ... }:
+with import <stockholm/lib>;
 let
   q-cal = let
-    # XXX 23 is the longest line of cal's output
+
+    # Maximum width of cal's output.
+    calwidth = 23;
+
+    # Number of space characters between two calendars.
+    hspace = 2;
+
+    # Return number of columns required to print n calenders side by side.
+    need_width = n:
+      assert n >= 1;
+      n * calwidth + (n - 1) * hspace;
+
     pad = ''{
       ${pkgs.gnused}/bin/sed '
             # rtrim
@@ -10,7 +22,7 @@ let
             # delete last empty line
             ''${/^$/d}
           ' \
-        | ${pkgs.gawk}/bin/awk '{printf "%-23s\n", $0}' \
+        | ${pkgs.gawk}/bin/awk '{printf "%-${toString calwidth}s\n", $0}' \
         | ${pkgs.gnused}/bin/sed '
               # colorize header
               1,2s/.*/[38;5;238;1m&[39;22m/
@@ -20,23 +32,31 @@ let
             '
     }'';
   in ''
+    cols=$(${pkgs.ncurses}/bin/tput cols)
     ${pkgs.coreutils}/bin/paste \
-        <(${pkgs.utillinux}/bin/cal -mw \
+        <(if test $cols -ge ${toString (need_width 3)}; then
+          ${pkgs.utillinux}/bin/cal -mw \
               $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'last month') \
             | ${pad}
-        ) \
-        <(${pkgs.utillinux}/bin/cal -mw \
+        fi) \
+        <(if test $cols -ge ${toString (need_width 1)}; then
+          ${pkgs.utillinux}/bin/cal -mw \
             | ${pkgs.gnused}/bin/sed '
                 # colorize day of month
                 s/\(^\| \)'"$(${pkgs.coreutils}/bin/date +%e)"'\>/[31;1m&[39;22m/
               ' \
             | ${pad}
-        ) \
-        <(${pkgs.utillinux}/bin/cal -mw \
+        fi) \
+        <(if test $cols -ge ${toString (need_width 2)}; then
+          ${pkgs.utillinux}/bin/cal -mw \
               $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'next month') \
             | ${pad}
-        ) \
-      | ${pkgs.gnused}/bin/sed 's/\t/  /g'
+        fi) \
+      | ${pkgs.gnused}/bin/sed '
+          s/^\t//
+          s/\t$//
+          s/\t/${lpad hspace " " ""}/g
+        '
   '';
 
   q-isodate = ''
diff --git a/tv/5pkgs/xmonad-tv/default.nix b/tv/5pkgs/xmonad-tv/default.nix
index c6a622bd1..5ac8f8372 100644
--- a/tv/5pkgs/xmonad-tv/default.nix
+++ b/tv/5pkgs/xmonad-tv/default.nix
@@ -132,7 +132,7 @@ spawnRootTerm :: X ()
 spawnRootTerm =
     forkFile
         urxvtcPath
-        ["-name", "root-urxvt", "-e", "/var/setuid-wrappers/su", "-"]
+        ["-name", "root-urxvt", "-e", "/run/wrappers/bin/su", "-"]
         Nothing
 
 spawnTermAt :: String -> X ()
@@ -143,7 +143,7 @@ spawnTermAt ws = do
 
 myKeys :: XConfig Layout -> Map (KeyMask, KeySym) (X ())
 myKeys conf = Map.fromList $
-    [ ((_4  , xK_Escape ), forkFile "/var/setuid-wrappers/slock" [] Nothing)
+    [ ((_4  , xK_Escape ), forkFile "/run/wrappers/bin/slock" [] Nothing)
     , ((_4S , xK_c      ), kill)
 
     , ((_4  , xK_x      ), chooseAction spawnTermAt)