From a81091baf194443e71730db19f517c1802fff0b3 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 22 Nov 2016 18:55:28 +0100 Subject: blessings: 1.0.0 -> 1.1.0 --- krebs/5pkgs/haskell-overrides/blessings.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/5pkgs/haskell-overrides/blessings.nix b/krebs/5pkgs/haskell-overrides/blessings.nix index 5fb57a332..f852b4a44 100644 --- a/krebs/5pkgs/haskell-overrides/blessings.nix +++ b/krebs/5pkgs/haskell-overrides/blessings.nix @@ -1,11 +1,11 @@ { mkDerivation, base, fetchgit, stdenv }: -mkDerivation { +mkDerivation rec { pname = "blessings"; - version = "1.0.0"; + version = "1.1.0"; src = fetchgit { url = http://cgit.ni.krebsco.de/blessings; - rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f"; - sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc"; + rev = "refs/tags/v${version}"; + sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1"; }; libraryHaskellDepends = [ base ]; doHaddock = false; -- cgit v1.2.3 From f7a6fc6099267c0dbf7d092e11fb7d3b36a2861b Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 19:26:18 +0100 Subject: tv nixpkgs: a6728e1 -> 728a957 --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index b5b1fc240..8852100e2 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import ; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "a6728e15cbca1d11553f01d7c3c477ae2debfd8e"; + ref = "728a9578e31a0f78f6ad07a3a2ec706ec5290f10"; }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; -- cgit v1.2.3 From 6c6d705629f0bd9174db9714de5c84ec695dd843 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 22:07:28 +0100 Subject: painload: 8df031f -> c113487 --- krebs/5pkgs/painload/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
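Review bot: `rev = "refs/tags/v${version}"` replaces an immutable commit id with a tag name, and a tag on the remote can be moved or re-created; the fixed `sha256` still pins the fetched tree, so a moved tag breaks the build rather than silently changing its contents, but that failure looks exactly like an ordinary hash mismatch. To keep it diagnosable, record the commit the tag pointed to when it was bumped, e.g. `rev = "refs/tags/v${version}"; # v1.1.0 = <commit id at time of bump>`. Note the fetch URL is plain `http://`, so the hash is the only thing protecting the download — which is fine for a fixed-output fetch, as long as the hash itself was computed from a trusted checkout.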
diff --git a/krebs/5pkgs/painload/default.nix b/krebs/5pkgs/painload/default.nix index 10fd379c0..136ec4394 100644 --- a/krebs/5pkgs/painload/default.nix +++ b/krebs/5pkgs/painload/default.nix @@ -2,6 +2,6 @@ fetchgit { url = https://github.com/krebscode/painload; - rev = "8df031f810a2776d8c43b03a9793cb49398bd33b"; - sha256 = "03md5k6fmz0j1ny22iw96dzq7cvijbz24ii85i0h2dhcychdp650"; + rev = "c113487f73713a03b1a139b22bb34b86234d0495"; + sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6"; } -- cgit v1.2.3 From 39b2301f0ac624bf89f5f5b6892450a532c4bdd0 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 22:38:29 +0100 Subject: tv backup: {xu,zu} pull ni {ejabberd,home} --- tv/2configs/backup.nix | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index 6dd24b32f..7c91b1cf1 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -58,6 +58,18 @@ with import ; dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; }; startAt = "07:00"; }; + xu-pull-ni-ejabberd = { + method = "pull"; + src = { host = config.krebs.hosts.ni; path = "/var/ejabberd"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/ni-ejabberd"; }; + startAt = "07:00"; + }; + xu-pull-ni-home = { + method = "pull"; + src = { host = config.krebs.hosts.ni; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/ni-home"; }; + startAt = "07:00"; + }; zu-home-xu = { method = "push"; src = { host = config.krebs.hosts.zu; path = "/home"; }; 
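Review bot: `xu-pull-ni-ejabberd` copies `/var/ejabberd` from a running server, so the pull can catch ejabberd's database files mid-write and the copy may not be restorable; take an `ejabberdctl backup` (or a filesystem snapshot) on ni before the pull, or point `src.path` at a dump directory instead. That directory also holds account credentials and message archives, so `/bku/ni-ejabberd` on xu now carries the same sensitivity as ni itself — its ownership/mode and whether `/bku` is encrypted at rest are not visible here, please confirm. Both new xu jobs share `startAt = "07:00"` with the preceding job that writes `/bku/cd-home`; if the backup module serialises jobs that is fine, otherwise stagger them as the zu hunk does. The enclosing attribute set starts and ends outside this hunk.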
@@ -76,6 +88,18 @@ with import ; dst = { host = config.krebs.hosts.zu; path = "/bku/cd-home"; }; startAt = "06:30"; }; + zu-pull-ni-ejabberd = { + method = "pull"; + src = { host = config.krebs.hosts.ni; path = "/var/ejabberd"; }; + dst = { host = config.krebs.hosts.zu; path = "/bku/ni-ejabberd"; }; + startAt = "06:00"; + }; + zu-pull-ni-home = { + method = "pull"; + src = { host = config.krebs.hosts.ni; path = "/home"; }; + dst = { host = config.krebs.hosts.zu; path = "/bku/ni-home"; }; + startAt = "06:30"; + }; } // mapAttrs (_: recursiveUpdate { snapshots = { minutely = { format = "%Y-%m-%dT%H:%M"; retain = 3; }; -- cgit v1.2.3 From 75122982f04ff023062473d217dca3513cde470f Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 22:40:55 +0100 Subject: tv git: bump --- tv/2configs/git.nix | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix index b6724f40e..48d738365 100644 --- a/tv/2configs/git.nix +++ b/tv/2configs/git.nix @@ -29,8 +29,10 @@ let cac-api = { cgit.desc = "CloudAtCost API command line interface"; }; + dic = { + cgit.desc = "dict.leo.org command line interface"; + }; get = {}; - hack = {}; load-env = {}; loldns = { cgit.desc = "toy DNS server"; @@ -40,12 +42,9 @@ let netcup = { cgit.desc = "netcup command line interface"; }; - newsbot-js = {}; - nixpkgs = {}; populate = { cgit.desc = "source code installer"; }; - push = {}; regfish = {}; soundcloud = { cgit.desc = "SoundCloud command line interface"; @@ -53,8 +52,10 @@ let stockholm = { cgit.desc = "NixOS configuration"; }; - with-tmpdir = {}; - } // mapAttrs (_: recursiveUpdate { cgit.section = "2. Haskell libraries"; }) { + } // mapAttrs (_: recursiveUpdate { cgit.section = "2. Host configurations"; }) { + ni = { + }; + } // mapAttrs (_: recursiveUpdate { cgit.section = "3. Haskell libraries"; }) { blessings = {}; mime = {}; quipper = {}; 
@@ -63,12 +64,15 @@ let web-routes-wai-custom = {}; xintmap = {}; xmonad-stockholm = {}; - } // mapAttrs (_: recursiveUpdate { cgit.section = "3. museum"; }) { + } // mapAttrs (_: recursiveUpdate { cgit.section = "4. museum"; }) { cgserver = {}; crude-mail-setup = {}; dot-xmonad = {}; + make-snapshot = {}; nixos-infest = {}; painload = {}; + push = {}; + with-tmpdir = {}; }); restricted-repos = mapAttrs make-restricted-repo ( -- cgit v1.2.3 From edb899745b701c717e9d44785c304f9b791b84d0 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 22:48:35 +0100 Subject: tv: use gnupg21 everywhere --- tv/5pkgs/default.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 4eb8a10b4..ae47ab0f3 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -35,9 +35,6 @@ with import ; ff = pkgs.writeDashBin "ff" '' exec ${pkgs.firefoxWrapper}/bin/firefox "$@" ''; - gnupg = - if elem config.krebs.build.host.name ["xu" "wu"] - then super.gnupg21 - else super.gnupg; + gnupg = pkgs.gnupg21; }; } -- cgit v1.2.3 From 8f946dd2fc4d2577fa2ae0c251a1d672bc139077 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 23:07:48 +0100 Subject: tv binary-cache: replace wu by xu and use hosts.binary-cache.pubkey --- krebs/3modules/tv/default.nix | 8 +++++++- tv/1systems/nomic.nix | 1 - tv/1systems/wu.nix | 1 - tv/1systems/xu.nix | 2 +- tv/1systems/zu.nix | 1 - tv/2configs/binary-cache/default.nix | 33 +++++++++++++++++++++++++++++++++ tv/2configs/wu-binary-cache/client.nix | 7 ------- tv/2configs/wu-binary-cache/default.nix | 25 ------------------------- 8 files changed, 41 insertions(+), 37 deletions(-) create mode 100644 tv/2configs/binary-cache/default.nix delete mode 100644 tv/2configs/wu-binary-cache/client.nix delete mode 100644 tv/2configs/wu-binary-cache/default.nix diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 8e266e1b3..b29553c79 100644 --- a/krebs/3modules/tv/default.nix 
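Review bot: `gnupg = pkgs.gnupg21;` moves every host off whatever `super.gnupg` resolved to and onto 2.1, which on first use migrates `secring.gpg` into `private-keys-v1.d/`, rewrites the public ring as `pubring.kbx`, and routes all secret-key operations through `gpg-agent`; that migration is effectively one-way, so any host that might roll back needs a copy of `~/.gnupg` taken before the switch. A comment next to the override would save the next reader a surprise: `# gnupg 2.1 migrates keyrings (kbx / private-keys-v1.d) on first use; back up ~/.gnupg before rolling out`. The overlay/override set this line lives in starts before the hunk.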
+++ b/krebs/3modules/tv/default.nix @@ -351,11 +351,17 @@ with import ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcJvu8JDVzObLUtlAQg9qVugthKSfitwCljuJ5liyHa"; }; xu = { + binary-cache = { + pubkey = "xu-1:pYRENvaxZqGeImwLA9qHmRwHV4jfKaYx4u1VcZ31x0s="; + }; cores = 4; nets = { gg23 = { ip4.addr = "10.23.1.38"; - aliases = ["xu.gg23"]; + aliases = [ + "cache.xu.gg23" + "xu.gg23" + ]; ssh.port = 11423; }; retiolum = { diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 6669b5dcf..7d6a1d682 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -15,7 +15,6 @@ with import ; ../2configs/nginx/public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix - ../2configs/wu-binary-cache/client.nix ../2configs/xserver ]; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 19db559f1..d5be57bb8 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -16,7 +16,6 @@ with import ; ../2configs/nginx/public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix - ../2configs/wu-binary-cache ../2configs/xserver { environment.systemPackages = with pkgs; [ diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index a7e0b839d..b6fe6dc5c 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -15,7 +15,7 @@ with import ; ../2configs/nginx/public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix - ../2configs/wu-binary-cache/client.nix + ../2configs/binary-cache ../2configs/xserver ../2configs/xu-qemu0.nix { diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix index 056652e4b..59e8b1c7f 100644 --- a/tv/1systems/zu.nix +++ b/tv/1systems/zu.nix @@ -21,7 +21,6 @@ with import ; ../2configs/nginx/public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix - ../2configs/wu-binary-cache/client.nix ../2configs/xserver { environment.systemPackages = with pkgs; [ diff --git a/tv/2configs/binary-cache/default.nix b/tv/2configs/binary-cache/default.nix new file mode 100644 index 000000000..5902f1895 --- /dev/null 
+++ b/tv/2configs/binary-cache/default.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: with import ; +{ + environment.etc."binary-cache.pubkey".text = + config.krebs.build.host.binary-cache.pubkey; + + services.nix-serve = { + enable = true; + secretKeyFile = config.krebs.secret.files.binary-cache-seckey.path; + }; + + systemd.services.nix-serve = { + requires = ["secret.service"]; + after = ["secret.service"]; + }; + + krebs.secret.files.binary-cache-seckey = { + path = "/run/secret/nix-serve.key"; + owner.name = "nix-serve"; + source-path = toString + "/nix-serve.key"; + }; + + krebs.nginx = { + enable = true; + servers.nix-serve = { + server-names = [ + "cache.${config.krebs.build.host.name}.gg23" + ]; + locations = singleton (nameValuePair "/" '' + proxy_pass http://localhost:${toString config.services.nix-serve.port}; + ''); + }; + }; +} diff --git a/tv/2configs/wu-binary-cache/client.nix b/tv/2configs/wu-binary-cache/client.nix deleted file mode 100644 index 9634c21d4..000000000 --- a/tv/2configs/wu-binary-cache/client.nix +++ /dev/null @@ -1,7 +0,0 @@ -_: -{ - nix = { - binaryCaches = ["http://cache.wu.gg23"]; - binaryCachePublicKeys = ["cache.wu-1:cdhA201O2R2Ect463vhJFmhpMaNyT/tOvzYvtceT9q8="]; - }; -} diff --git a/tv/2configs/wu-binary-cache/default.nix b/tv/2configs/wu-binary-cache/default.nix deleted file mode 100644 index f039a552b..000000000 --- a/tv/2configs/wu-binary-cache/default.nix +++ /dev/null 
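Review bot: nothing in the new `services.nix-serve` block restricts where nix-serve itself listens, so if the module's default bind address is all interfaces (not visible here) the nginx virtual host on `cache.${host}.gg23` is decorative and the cache is reachable directly on `services.nix-serve.port`; pin it with `services.nix-serve.bindAddress = "127.0.0.1";` next to `enable = true;` so nginx is the only front door. The transport stays plain HTTP, which is acceptable only because clients verify narinfo signatures against `binaryCachePublicKeys` — but this series deletes the only client config (`wu-binary-cache/client.nix`) without a successor, so no host currently trusts `xu-1:…`; when it is re-added it should read `config.krebs.hosts.xu.binary-cache.pubkey` rather than repeat the key literal. The signing key is staged at `/run/secret/nix-serve.key` owned by `nix-serve` with whatever mode `krebs.secret` defaults to; that should be owner-read-only, please confirm.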
@@ -1,25 +0,0 @@ -{ config, lib, pkgs, ... }: with import ; -{ - services.nix-serve = assert config.krebs.build.host.name == "wu"; { - enable = true; - secretKeyFile = config.krebs.secret.files.nix-serve-key.path; - }; - systemd.services.nix-serve = { - requires = ["secret.service"]; - after = ["secret.service"]; - }; - krebs.secret.files.nix-serve-key = { - path = "/run/secret/nix-serve.key"; - owner.name = "nix-serve"; - source-path = toString + "/nix-serve.key"; - }; - krebs.nginx = { - enable = true; - servers.nix-serve = { - server-names = [ "cache.wu.gg23" ]; - locations = singleton (nameValuePair "/" '' - proxy_pass http://localhost:${toString config.services.nix-serve.port}; - ''); - }; - }; -} -- cgit v1.2.3 From ce34ab4268927d3e93f627b8d61fdc151a01f1aa Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 23:12:13 +0100 Subject: github-hosts-sync: add nettools for painload-8df031f's use of hostname --- krebs/5pkgs/github-hosts-sync/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix index bc4c58bb0..cdfed468c 100644 --- a/krebs/5pkgs/github-hosts-sync/default.nix +++ b/krebs/5pkgs/github-hosts-sync/default.nix @@ -19,6 +19,7 @@ stdenv.mkDerivation { git gnugrep gnused + nettools openssh socat ]); -- cgit v1.2.3 From 51fcdfac0aa76228f6e17342513e15c772b9e84d Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 24 Nov 2016 23:13:47 +0100 Subject: cd: bring back mx23 --- krebs/3modules/tv/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index b29553c79..3315dd157 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix 
@@ -78,7 +78,9 @@ with import ; extraZones = { # TODO generate krebsco.de zone from nets and don't use extraZones at all "krebsco.de" = '' + krebsco.de. 60 IN MX 5 mx23 cd 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr} + mx23 60 IN A ${config.krebs.hosts.cd.nets.internet.ip4.addr} ''; }; nets = { @@ -213,7 +215,6 @@ with import ; ni = { extraZones = { "krebsco.de" = '' - krebsco.de. 60 IN MX 5 ni ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} cgit.ni 60 IN A ${config.krebs.hosts.ni.nets.internet.ip4.addr} -- cgit v1.2.3 From d279999a9c1d8247f718883651180bc9fdd9855b Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 24 Nov 2016 23:57:29 +0100 Subject: k 3 nginx: add ssl.acmeEnable option --- krebs/3modules/nginx.nix | 45 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index 1577c5b64..933c2e513 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -53,9 +53,22 @@ let default = ""; }; ssl = mkOption { - type = with types; submodule ({ + type = with types; submodule ({ config, ... }: { options = { enable = mkEnableOption "ssl"; + acmeEnable = mkOption { + type = bool; + apply = x: + if x && config.enable + #conflicts because of certificate/certificate_key location + then throw "can't use ssl.enable and ssl.acmeEnable together" + else x; + default = false; + description = '' + enables automatical generation of lets-encrypt certificates and setting them as certificate + conflicts with ssl.enable + ''; + }; certificate = mkOption { type = str; }; @@ -95,6 +108,7 @@ let }; imp = { + security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); services.nginx = { enable = true; httpConfig = '' 
@@ -117,13 +131,24 @@ let indent = replaceChars ["\n"] ["\n "]; + to-acme = { server-names, ssl, ... }: + optionalAttrs ssl.acmeEnable { + email = "lassulus@gmail.com"; + webroot = "${config.security.acme.directory}/${head server-names}"; + }; + to-location = { name, value }: '' location ${name} { ${indent value} } ''; - to-server = { server-names, listen, locations, extraConfig, ssl, ... }: '' + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: let + domain = head server-names; + acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' + root ${config.security.acme.certs.${domain}.webroot}; + ''); + in '' server { server_name ${toString (unique server-names)}; ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} @@ -142,7 +167,23 @@ let ssl_ciphers ${ssl.ciphers}; ssl_protocols ${toString ssl.protocols}; '')} + ${optionalString ssl.acmeEnable (indent '' + ${optionalString ssl.force_encryption '' + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + ''} + listen 443 ssl; + ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; + ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; + ${optionalString ssl.prefer_server_ciphers '' + ssl_prefer_server_ciphers On; + ''} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '')} ${indent extraConfig} + ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} ${indent (concatMapStrings to-location locations)} } ''; -- cgit v1.2.3 From e5270a24055a4065ca43a15a48e4efad527bc740 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 24 Nov 2016 23:58:49 +0100 Subject: l 2 nixpkgs: 0195ab8 -> ee52e98 --- lass/2configs/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index e665b6c6f..caca98746 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix 
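Review bot: `to-acme` sets only `email` and `webroot`, dropping three settings the `lass/2configs/websites/util.nix` block disabled later in this series carried for the same purpose: `extraDomains` for the remaining `server-names`, and `group = "nginx"` with `allowKeysForGroup = true`. Without the first, a server with several names gets a certificate for `head server-names` only and the other names serve a mismatching cert; without the latter two, `key.pem` stays readable only by the acme module's owner (root by default, as far as I can tell), so the nginx workers may be unable to load the key that `to-server` points at. The hard-coded `email = "lassulus@gmail.com"` also sits in a shared `krebs` module and should become a `krebs.nginx` option. A version that carries the old settings over:
```nix
to-acme = { server-names, ssl, ... }:
  optionalAttrs ssl.acmeEnable {
    email = cfg.acmeEmail;  # option to add alongside ssl.acmeEnable; was a hard-coded personal address
    webroot = "${config.security.acme.directory}/${head server-names}";
    extraDomains = genAttrs (tail server-names) (_: null);
    group = "nginx";
    allowKeysForGroup = true;
  };
```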
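Review bot: with `force_encryption`, `if ($scheme = http) { return 301 https://$server_name$request_uri; }` sits at server level, so it executes in the server rewrite phase before any `location` is matched — the `/.well-known/acme-challenge` location appended at the end of the block is never reached over plain HTTP. Let's Encrypt follows that redirect, so renewals work once 443 is serving, but on a fresh host the `fullchain.pem`/`key.pem` files under `${config.security.acme.directory}/${domain}` do not exist until the first issuance and nginx refuses to start with a missing `ssl_certificate`; unless the acme module in the pinned nixpkgs pre-creates a placeholder certificate (not visible here), first issuance deadlocks. Either keep the challenge path exempt from the redirect and off 443, or make sure the first `acme-${domain}` run can complete before nginx needs the files. Separately, the acme branch repeats the `ssl.enable` branch verbatim apart from the two file paths; computing the paths once and emitting a single TLS block would keep the cipher/protocol settings from drifting between the two modes.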
@@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731"; + ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e"; }; } -- cgit v1.2.3 From ab684bf6d8af062e64638aa529da82a62c394e84 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 25 Nov 2016 00:00:50 +0100 Subject: l 2 websites util: disable deprecated ssl stuff --- lass/2configs/websites/util.nix | 41 +++++++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 55be8a8d9..3356fe9a8 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -8,28 +8,29 @@ rec { let domain = head domains; in { - security.acme = { - certs."${domain}" = { - email = "lassulus@gmail.com"; - webroot = "/var/lib/acme/challenges/${domain}"; - plugins = [ - "account_key.json" - "key.pem" - "fullchain.pem" - ]; - group = "nginx"; - allowKeysForGroup = true; - extraDomains = genAttrs domains (_: null); - }; - }; + #security.acme = { + # certs."${domain}" = { + # email = "lassulus@gmail.com"; + # webroot = "/var/lib/acme/challenges/${domain}"; + # plugins = [ + # "account_key.json" + # "key.pem" + # "fullchain.pem" + # ]; + # group = "nginx"; + # allowKeysForGroup = true; + # extraDomains = genAttrs domains (_: null); + # }; + #}; krebs.nginx.servers."${domain}" = { + ssl.acmeEnable = true; server-names = domains; - locations = [ - (nameValuePair "/.well-known/acme-challenge" '' - root /var/lib/acme/challenges/${domain}/; - '') - ]; + #locations = [ + # (nameValuePair "/.well-known/acme-challenge" '' + # root /var/lib/acme/challenges/${domain}/; + # '') + #]; }; }; @@ -37,7 +38,7 @@ rec { { imports = [ ( manageCerts domains ) - ( activateACME (head domains) ) + #( activateACME (head domains) ) ]; }; -- cgit v1.2.3 From 2ea9b739ac64773de0a490736d6e1bdf556c6b60 Mon Sep 17 00:00:00 2001 
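Review bot: the `security.acme` block and the challenge `locations` are commented out rather than deleted, leaving ~20 lines of dead Nix that git history already preserves; remove them so the file shows only what is in effect. More importantly, the commented-out block carried settings that the new `ssl.acmeEnable = true;` path (as added earlier in this series) does not reproduce — `extraDomains = genAttrs domains (_: null)`, `group = "nginx"`, `allowKeysForGroup = true` — so sites passed a multi-element `domains` list now get a certificate for `head domains` only, and nginx's ability to read the key depends on the acme module's defaults; confirm `ssl.acmeEnable` gains those settings before relying on it here. The `manageCerts` function starts before this hunk.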
From: lassulus Date: Fri, 25 Nov 2016 00:07:55 +0100 Subject: l 3 usershadow: update passwd to behave correctly --- lass/3modules/usershadow.nix | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index a8ab1c52a..c0be053ab 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -70,9 +70,7 @@ extra-depends = deps; text = '' import Data.Monoid - import System.IO - import Data.Char (chr) - import System.Environment (getEnv, getArgs) + import System.Environment (getArgs) import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8 import System.Exit (exitFailure, exitSuccess) @@ -96,16 +94,29 @@ import System.Environment (getEnv) import Crypto.PasswordStore (makePasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8 - import System.IO (stdin, hSetEcho, putStrLn) + import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn) + import Control.Exception (bracket_) main :: IO () main = do home <- getEnv "HOME" - putStrLn "password:" - hSetEcho stdin False - password <- BS8.hGetLine stdin - hash <- makePasswordWith pbkdf2 password 10 - BS8.writeFile (home ++ "/.shadow") hash + mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do + putStr "Enter new UNIX password: " + hFlush stdout + password <- BS8.hGetLine stdin + putStrLn "" + putStr "Retype new UNIX password: " + hFlush stdout + password2 <- BS8.hGetLine stdin + return $ if password == password2 + then Just password + else Nothing + case mb_password of + Just password -> do + hash <- makePasswordWith pbkdf2 password 10 + BS8.writeFile (home ++ "/.shadow") hash + putStrLn "passwd: all authentication tokens updated successfully." + Nothing -> putStrLn "Sorry, passwords do not match" ''; }; }; -- cgit v1.2.3 From d59facd88c7d33d0ac125eb93392d2a67b46aea4 Mon Sep 17 00:00:00 2001 
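Review bot: the rewritten `passwd` still stores the hash with `BS8.writeFile (home ++ "/.shadow")`, which creates the file under the process umask (commonly 0644) and non-atomically, so a world-readable password hash can be exposed for offline cracking and an interrupted write leaves a truncated `.shadow`; write to a temp file, `setFileMode` it to `0o600`, then `renameFile` over the target. `makePasswordWith pbkdf2 password 10` is re-emitted unchanged — if pwstore's strength parameter is a log2 iteration count, as I recall, that is roughly 1024 PBKDF2 rounds, low by 2016 standards, so consider raising it and documenting the choice. Nothing rejects an empty password, and a mismatch prints a message but exits 0 unlike real `passwd`; `Nothing -> putStrLn "Sorry, passwords do not match" >> exitFailure` (importing `exitFailure` from `System.Exit`) would let scripts detect it. `hGetLine` on EOF (piped stdin) raises and is not caught; `bracket_` does restore echo, but a comment saying so would help.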
From: tv Date: Fri, 25 Nov 2016 00:15:13 +0100 Subject: writeOut: add support for text checking --- krebs/5pkgs/builders.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix index 5860b9a15..77055d16a 100644 --- a/krebs/5pkgs/builders.nix +++ b/krebs/5pkgs/builders.nix @@ -91,6 +91,7 @@ rec { writers.text = { path + , check ? null , executable ? false , mode ? if executable then "0755" else "0644" , text @@ -102,6 +103,9 @@ rec { var = "file_${hashString "sha1" path}"; val = text; install = /* sh */ '' + ${optionalString (check != null) /* sh */ '' + ${check} ''$${var}Path + ''} ${pkgs.coreutils}/bin/install -m ${mode} -D ''$${var}Path $out${path} ''; }; -- cgit v1.2.3 From b3c6e9a2bde5d1c911d1bb17ca3218acab7285b8 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 25 Nov 2016 00:17:57 +0100 Subject: writeBash*: use shellcheck (for warnings only) --- krebs/5pkgs/builders.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix index 77055d16a..49d04be4d 100644 --- a/krebs/5pkgs/builders.nix +++ b/krebs/5pkgs/builders.nix @@ -37,7 +37,17 @@ rec { }; }; - writeBash = makeScriptWriter "${pkgs.bash}/bin/bash"; + writeBash = name: text: + assert (with types; either absolute-pathname filename).check name; + pkgs.writeOut (baseNameOf name) { + ${optionalString (types.absolute-pathname.check name) name} = { + check = pkgs.writeDash "shellcheck.sh" '' + ${pkgs.haskellPackages.ShellCheck}/bin/shellcheck "$1" || : + ''; + executable = true; + text = "#! ${pkgs.bash}/bin/bash\n${text}"; + }; + }; writeBashBin = name: assert types.filename.check name; -- cgit v1.2.3 From 77cb4502d7b1692fdb22923dca6ef9c11d046860 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 25 Nov 2016 00:22:34 +0100 Subject: l 2 mail: SC2068 --- lass/2configs/mail.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
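Review bot: in `writeBash` the check script ends with `shellcheck "$1" || :`, so findings can never fail the build and only appear in the build log — which `nix-build` shows by default only when the build fails, so in practice nobody sees them. If "warnings only" is the intent for now, say so in a comment, `# advisory only: shellcheck output is logged but never fails the build`, and consider `shellcheck -S error "$1"` so genuine errors (not style notes) do fail. The `${optionalString (types.absolute-pathname.check name) name}` key collapses to `""` for a bare filename; presumably `writeOut` treats that as "the output path itself", but that contract is worth a line of comment.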
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index c637b08fb..872acc003 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -12,7 +12,7 @@ let msmtp = pkgs.writeBashBin "msmtp" '' ${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \ - ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@ + ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@" ''; muttrc = pkgs.writeText "muttrc" '' -- cgit v1.2.3 From d98faa8340f852ea96c7da60cda766db0dd2499c Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 25 Nov 2016 00:28:21 +0100 Subject: l 2 repo-sync: use FQDN for tv's repo --- lass/2configs/repo-sync.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index baa4bb380..765769936 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -41,7 +41,7 @@ let mirror.url = "${mirror}${name}"; }; tv = { - origin.url = "http://cgit.ni.i/${name}"; + origin.url = "http://cgit.ni.r/${name}"; mirror.url = "${mirror}${name}"; }; lassulus = { -- cgit v1.2.3 From 9bae4d80c83bbea14671fbbffe3c3faaa56dbba8 Mon Sep 17 00:00:00 2001 From: tv Date: Fri, 25 Nov 2016 23:58:28 +0100 Subject: dic: 1.0.0 -> 1.0.1 --- krebs/5pkgs/dic/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/dic/default.nix index ea70f34d7..963786f0c 100644 --- a/krebs/5pkgs/dic/default.nix +++ b/krebs/5pkgs/dic/default.nix @@ -5,8 +5,8 @@ stdenv.mkDerivation { src = fetchgit { url = http://cgit.ni.krebsco.de/dic; - rev = "refs/tags/v1.0.0"; - sha256 = "0f3f5dqpw5y79p2k68qw6jdlkrnapqs3nvnc41zwacyhgppiww0k"; + rev = "refs/tags/v1.0.1"; + sha256 = "1686mba1z4m7vq70w26qpl00z1cz286c9bya9ql36g6w2pbcs8d3"; }; phases = [ -- cgit v1.2.3 From eb7d02406476e1b4002f05d4ac106593ce4e29ce Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sat, 26 Nov 2016 19:09:34 +0100 Subject: k 3 iptables: remove obsolete asserts & style --- krebs/3modules/iptables.nix | 40 +++++++--------------------------------- 1 file changed, 7 insertions(+), 33 deletions(-) diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index b610ff3d1..d48ff6f2b 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -1,5 +1,7 @@ { config, lib, pkgs, ... }: +with import ; + let inherit (pkgs) writeText; @@ -7,27 +9,6 @@ let elem ; - inherit (lib) - concatMapStringsSep - concatStringsSep - attrNames - unique - fold - any - attrValues - catAttrs - filter - flatten - length - hasAttr - hasPrefix - mkEnableOption - mkOption - mkIf - types - sort - ; - cfg = config.krebs.iptables; out = { @@ -93,7 +74,7 @@ let Type = "simple"; RemainAfterExit = true; Restart = "always"; - ExecStart = "@${startScript} krebs-iptables_start"; + ExecStart = startScript; }; }; }; @@ -123,13 +104,6 @@ let buildRule = tn: cn: rule: - #target validation test: - assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target || hasPrefix "DNAT" rule.target; - - #predicate validation test: - #maybe use iptables-test - #TODO: howto exit with evaluation error by shellscript? - #apperantly not possible from nix because evalatution wouldn't be deterministic. "${rule.predicate} -j ${rule.target}"; buildTable = tn: @@ -149,7 +123,7 @@ let #===== - rules4 = iptables-version: + rules = iptables-version: let #TODO: find out good defaults. tables-defaults = { 
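Review bot: deleting the target assert in `buildRule` removes the only evaluation-time validation of `rule.target`, and nothing replaces it, so a typo such as `ACCPET` now surfaces only when `iptables-restore` runs at activation. Because `startScript` is `set -euf` and loads v4 before v6, a rule that only `ip6tables-restore` rejects leaves v4 loaded and v6 untouched, and `Restart = "always"` then loops the unit instead of failing loudly. If the assert is not wanted back, consider a build-time `iptables-restore --test` over the generated rules file (hedge: needs a recent iptables and may not work in the sandbox), or at least check that the first word of `rule.target` is in the known set; the deleted TODO about predicate validation asked the same question and is still open.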
@@ -171,14 +145,14 @@ let tables = tables-defaults // cfg.tables; in - writeText "krebs-iptables-rules${toString iptables-version}" '' + pkgs.writeText "krebs-iptables-rules${iptables-version}" '' ${buildTables iptables-version tables} ''; startScript = pkgs.writeDash "krebs-iptables_start" '' set -euf - iptables-restore < ${rules4 4} - ip6tables-restore < ${rules4 6} + iptables-restore < ${rules "v4"} + ip6tables-restore < ${rules "v6"} ''; in -- cgit v1.2.3 From 2070da74ab09d5dacaf62c3d8a72adab41c0be37 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Nov 2016 19:10:02 +0100 Subject: k 3 iptables: add v4 and v6 options per rule --- krebs/3modules/iptables.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index d48ff6f2b..a4a4de6f9 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -46,6 +46,14 @@ let type = int; default = 0; }; + v4 = mkOption { + type = bool; + default = true; + }; + v6 = mkOption { + type = bool; + default = true; + }; }; }))); default = null; @@ -90,7 +98,8 @@ let buildChain = tn: cn: let - sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; + filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; + sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules; in #TODO: double check should be unneccessary, refactor! -- cgit v1.2.3 From 2b42e312d9c709701b7ba41f569e2041b1f975b8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Nov 2016 19:10:23 +0100 Subject: l 2: reject the correct way with iptables --- lass/2configs/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index a7d2a6cef..21a2ec038 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix 
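Review bot: `filteredRules = filter (r: r."${v}") …` references `v`, which is bound neither by `buildChain = tn: cn:` nor anywhere else in the hunk; unless an enclosing `let` or a `buildTables = v: …` parameter outside the hunk provides it, this fails at evaluation with an undefined variable. The string must equal the option names `v4`/`v6` exactly, mirroring the `rules "v4"` / `rules "v6"` calls in the previous commit; document that coupling where `v` is bound: `# v is "v4" or "v6" and must match the per-rule option names`. The enclosing `let` starts and ends outside the hunk.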
@@ -194,7 +194,9 @@ with import ; { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; } + { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } + { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } + { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } ]; }; }; -- cgit v1.2.3 From da3022389d1da7ac9c2ca42eb2d16582b96e0074 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 27 Nov 2016 13:20:27 +0100 Subject: l 1 helios: enable pulseaudio --- lass/1systems/helios.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 82db8ef7b..4472816e3 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -28,6 +28,9 @@ with import ; services.xserver.enable = true; services.xserver.desktopManager.xfce.enable = true; networking.wireless.enable = true; + hardware.pulseaudio = { + enable = true; + }; users.users.ferret = { uid = genid "ferret"; home = "/home/ferret"; -- cgit v1.2.3
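Review bot: the two rules marked `v6 = false` mean that on IPv6 only TCP from `retiolum` is rejected (`tcp-reset`); UDP and other protocols fall through to whatever the chain's default policy is, which this hunk does not show. Add the IPv6 counterparts with `v4 = false`: `{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp6-port-unreachable"; v4 = false; precedence = -10000; }` and `{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp6-adm-prohibited"; v4 = false; precedence = -10000; }`. All three rules share `precedence = -10000`, so the catch-all staying last relies on the sort being stable with respect to list order; giving them distinct values (e.g. -9998, -9999, -10000) makes that explicit. The enclosing rules list starts before this hunk.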