From c40c6ead1ec8f632ea85c788a4009d6aad646dbf Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 18 Sep 2017 00:04:06 +0200
Subject: l websites lassul.us: use enableACME

---
 lass/2configs/websites/lassulus.nix | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 93b817c3b..d37dd5301 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -14,14 +14,6 @@ in {
 
   security.acme = {
     certs."lassul.us" = {
-      email = "lass@lassul.us";
-      webroot = "/var/lib/acme/acme-challenges";
-      plugins = [
-        "account_key.json"
-        "key.pem"
-        "fullchain.pem"
-        "full.pem"
-      ];
       allowKeysForGroup = true;
       group = "lasscert";
     };
@@ -71,13 +63,11 @@ in {
   ];
 
   services.nginx.virtualHosts."lassul.us" = {
+    enableACME = true;
     serverAliases = [ "lassul.us" ];
     locations."/".extraConfig = ''
       root /srv/http/lassul.us;
     '';
-    locations."/.well-known/acme-challenge".extraConfig = ''
-      root /var/lib/acme/challenges/lassul.us/;
-    '';
     locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
       alias ${config.krebs.tinc.retiolum.hostsArchive};
     '';
-- 
cgit v1.2.3


From 7e30bd3d1c9ebd7aefde3b00f086806b7a2b287e Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 18 Sep 2017 15:04:25 +0200
Subject: l vim: fetchgit -> fetchFromGitHub

we need this to clone git repos when our key is not authenticated
to github.com
---
 lass/2configs/vim.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 29800dbeb..7f36fcd90 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -106,9 +106,10 @@ let
     pkgs.vimPlugins.undotree
     (pkgs.vimUtils.buildVimPlugin {
       name = "file-line-1.0";
-      src = pkgs.fetchgit {
-        url = git://github.com/bogado/file-line;
-        rev = "refs/tags/1.0";
+      src = pkgs.fetchFromGitHub {
+        owner = "bogado";
+        repo = "file-line";
+        rev = "1.0";
         sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
       };
     })
-- 
cgit v1.2.3


From 49212f1a7b82538dfdc5e55a36538b123d4c3c83 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 10:05:58 +0200
Subject: l dishfire.r: listen retiolum on 993

---
 krebs/3modules/lass/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 4e2d6df99..5cd1834b2 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -34,6 +34,7 @@ with import <stockholm/lib>;
             HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB
             -----END RSA PUBLIC KEY-----
           '';
+          tinc.port = 993;
         };
       };
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
-- 
cgit v1.2.3


From f92d4754f462b49a1a69a0e6c0958d29a5e5ae54 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 10:06:36 +0200
Subject: l hosts: add helios.r

---
 krebs/3modules/lass/default.nix | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 5cd1834b2..ce19c0a05 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -295,6 +295,37 @@ with import <stockholm/lib>;
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEB/MmASvx3i09DY1xFVM5jOhZRZA8rMRqtf8bCIkC+t";
     };
+    helios = {
+      cores = 8;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.133.117";
+          ip6.addr = "42:0:0:0:0:0:3:7105";
+          aliases = [
+            "helios.r"
+            "cgit.helios.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIICCgKCAgEAp+SRmP5MoCSYInx4Dm5MLZzNyXVgfo/CDoeUlUT35X0yE7WHGWsG
+            wHPCu+3RWfBUjuqNdb0qiGtRi3Q/LwznwBROPOX8gMXia/DgCLbIjn5Rx081pTIo
+            3epbUCFtNgyDWg8IHF87ZnVBXTYAy5g4tz9u8kw82D8mR18o595TuZ9t5pDc/Kvi
+            fPHZenT6cd6FtL9uankX/jan1PRP9xTrhpE8dAQ6g+7XH7knMK3cno/Ztis5YzHt
+            Ith0bsIjk5of7hhITj0MXtTikjDqWxkpF5mfOK1cG/rC1goTmB9AfcENUBnu9iAM
+            I/alzqk3CEczznLyaOckfx2fRuar912LAdiJ5v7VPztfvN1p3gIxq5M0Rgkq+98B
+            H/s32xNRBPvqoIleKnhwE9gfrCLaAVqpaMkgKRvgsTkSDNYNhh4smQ3eAKKwwDH/
+            QG3sfP8xyNyDFhBtCiDGkf9hNqBBMaKjZoh8DasZNtcfOop3fGw7jmUUbB6cG8cp
+            +EfYbcb5mVpmrIyXgOTwwYcp7tn+zkd4Wa8C9Q98eFTs0HGVGxGX9Hj6PM/kXK4C
+            aIqIQVNpnJ/9cOwT8JFIriG1MWTOXbamUusKTLs8SRp3ZkyM7XUEcLL5HMh09rUw
+            rzEAmE7TywXVhd7j2IaEy+bx2dfGQH2bFoh6Drm6Olo+ySi1utB5dGkCAwEAAQ==
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      secure = true;
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqpx9jJnn4QMGO8BOrGOLRN1rgpIkR14sQb8S+otWEL";
+    };
     iso = {
       ci = false;
       cores = 1;
@@ -357,6 +388,10 @@ with import <stockholm/lib>;
       pubkey = builtins.readFile ./ssh/mors.rsa;
       pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
     };
+    lass-helios = {
+      mail = "lass@helios.r";
+      pubkey = builtins.readFile ./ssh/helios.rsa;
+    };
     lass-uriel = {
       mail = "lass@uriel.r";
       pubkey = builtins.readFile ./ssh/uriel.rsa;
-- 
cgit v1.2.3


From 1f341a2e5e4a6215213bd239a519f13aa732f4e1 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 10:06:48 +0200
Subject: l dishfire.r: open port 993 (for tinc)

---
 lass/1systems/dishfire/config.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix
index 416edeb82..25e8759b1 100644
--- a/lass/1systems/dishfire/config.nix
+++ b/lass/1systems/dishfire/config.nix
@@ -88,6 +88,7 @@
       };
       krebs.iptables.tables.filter.INPUT.rules = [
         { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
+        { predicate = "-p tcp --dport 993"; target = "ACCEPT"; }
       ];
     }
   ];
-- 
cgit v1.2.3


From 9eff836daa6f6ddf75882d19fe76dec36de38d49 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 10:21:05 +0200
Subject: l hosts: add helios.r ssh key

---
 krebs/3modules/lass/ssh/helios.rsa | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 krebs/3modules/lass/ssh/helios.rsa

diff --git a/krebs/3modules/lass/ssh/helios.rsa b/krebs/3modules/lass/ssh/helios.rsa
new file mode 100644
index 000000000..58f81726c
--- /dev/null
+++ b/krebs/3modules/lass/ssh/helios.rsa
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGZE0z5+0A42GHI2VYrN9Ra60EwlKqARZUi9e0pbiQxwKi42Y3+Jy2UIAB9rUW51Pw0K6L2FzHZyk9w4fMWjAB+OSaGi8CViGOrBmP8Xm0TSd6a725RSOKTH1jv4u54W6+VQcZpe4RepsuasvN4Rd3FYz1O0ffiroPYS0Hs7ui3HG5rZZsz+FArJ/s2mL525P9VQwMlCAdrepWXgGSPSa/ogmhMCSRttV5R0WCnvXYA4aq45scxjxIWXu/Y/FggslSpRGEnRChHiua5kPWqREC1eNbMOjYJc7OxDIZjzcwHcDHH3U1oIBEjNY8UqMFy3t87cm0BTH9yA6qQnkexCmbRGA0mnAJ1XskgL6KcZuYw+zRo6zVmnZCgRyheenBJhQy/28ZDSwCDBOayl6tAbWivesUZb0/nqucvbdRxTDd6nbSH8q8Cp1qZvP1yrhZ9X2m4Rm66UenHOPOEiyOoVQgfYb2EFHsYVN62shGcfaaL8g4rjUXsUJEheGX5ll5MOMSclUhI8Zk31APq/xuLGGIn+tipjOSX2OVZrSE+KkgitMxOOF1kx33IQGnBKQD8K/a9vVmpTrTAnfXR5oJrXp+XRZ3viXr0rUkG5KfS/zjL8ZC8ckeSkX75BLbPbimUa6TfA/lddipb76zOOOREiD4Sw+MkGDh5xnzwxMY05fjOUmk/v++WcOTTNyrknygdaC8Qx0Gv4Wxmcd+LzmIc5wZZjenwYhp4KpR55EIP966uBUcD+HlkHZnNNZUzOJA8NE+oPQbaM3qCuThe9q9hVYt08/rZ9ANwgb/ChCwEOYLNnofdgrvDb91qenwEUiE9wy79Dwgqh2SRAMN4ZTxRrVjw3potBMRuNc5HMDDXbKfGF1T6O+vBPpcQ8x+rztBDpF/lqjGqoCqyFNG/VnFHFZ5kjLkLmx6S69iRL7wg/KI1NA14tdSLJZ2qDqo5n8rbnGeAWTQB8ZgzhPO39fyOYGCdTJ8e2dIDEw8SUWaVsTnkc/PHOcGAMt2LrL6USszrLSQgU4ediPBWJjX4jk2wxLRPyBz8Z2QLWrsxV0bh1CstIsbBh1p8jMXAKJ+UXqzRWGR5T6d7lensqM0/uWqzu++w6/whQQh9Hzs6GX8l+ELMn0szkRaM9dZpAz5p9HHdYkANwsIIe8CPznRvudQ0CPManTQsjR8GZ3RjGx002VUdbDh5xx7P9Efsa6m8kkNCbUNMSHjmvC9M2sR5ww2WsnvpGBCU8sNYf4y9QvKI1LIYkG1MObhEKHyf5wxFp25bwHyxPkHGULhJKM/MdDT42flddEJCTEwiCPVuaJsr7Adr6Oni4kzY+S7CiP7YArM0v2Vg9mgVmi11koF9hcZ6zyyKAWVviDRLVIA0/eY66T/FiSS/g12zW1keuhFipNEWyZdD/r8LwfDpInAAqN5g65dx6eoyoB6AZatEwwsnn6zcDP51B1q0TC9Y+TXK5TSBE50oFxa2SLu4Gj7YOi1AoRqKxSPVktE= lass@helios
-- 
cgit v1.2.3


From 797535fc1ff1dd88239e06ecee861d228107c6e9 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 11:30:57 +0200
Subject: git: add repo.admins option

---
 krebs/3modules/git.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 93211d9d4..610c20bb4 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -186,6 +186,17 @@ let
     };
     repo = types.submodule ({ config, ... }: {
       options = {
+        admins = mkOption {
+          type = types.listOf types.user;
+          default = [];
+          description = ''
+            List of users that should be able to do everything with this repo.
+
+            This option is currently not used by krebs.git but instead can be
+            used to create rules.  See e.g. <stockholm/lass/2configs/git.nix> for
+            an example.
+          '';
+        };
         cgit = {
           desc = mkOption {
             type = types.nullOr types.str;
-- 
cgit v1.2.3


From ca89d9a176cdbda04bacecf809bf2346a615891e Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 11:42:50 +0200
Subject: l git: use repo.admins

---
 lass/2configs/git.nix | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 7bce93ae1..3991acadc 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -14,7 +14,7 @@ let
           root-desc = "keep calm and engage";
         };
       };
-      repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+      repos = repos;
       rules = rules;
     };
 
@@ -87,8 +87,8 @@ let
     public = true;
   };
 
-  make-restricted-repo = name: { collaborators ? [], announce ? false, hooks ? {}, ... }: {
-    inherit collaborators name;
+  make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? false, hooks ? {}, ... }: {
+    inherit admins collaborators name;
     public = false;
     hooks = optionalAttrs announce {
       post-receive = pkgs.git-hooks.irc-announce {
@@ -111,15 +111,20 @@ let
         repo = [ repo ];
         perm = push "refs/*" [ non-fast-forward create delete merge ];
       } ++
-      optional repo.public {
-        user = attrValues config.krebs.users;
+      optional (length (repo.admins or []) > 0) {
+        user = repo.admins;
         repo = [ repo ];
-        perm = fetch;
+        perm = push "refs/*" [ non-fast-forward create delete merge ];
       } ++
       optional (length (repo.collaborators or []) > 0) {
         user = repo.collaborators;
         repo = [ repo ];
         perm = fetch;
+      } ++
+      optional repo.public {
+        user = attrValues config.krebs.users;
+        repo = [ repo ];
+        perm = fetch;
       };
 
 in out
-- 
cgit v1.2.3


From 79c5b963555dd617d88584cb5250f9744ff2a402 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 11:45:33 +0200
Subject: l: use the same font everywhere

---
 lass/2configs/baseX.nix      |  6 ++++++
 lass/2configs/xresources.nix |  4 ++--
 lass/5pkgs/default.nix       |  4 ++--
 lass/5pkgs/xmonad-lass.nix   | 17 +++++++++++------
 4 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 3a99e65a0..0e0273dcc 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -27,6 +27,12 @@ in {
         lass ALL= (root) NOPASSWD:SETENV: ${pkgs.sshuttle}/bin/.sshuttle-wrapped
       '';
     }
+    { #font magic
+      options.lass.myFont = mkOption {
+        type = types.str;
+        default = "-schumacher-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
+      };
+    }
   ];
 
   users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
diff --git a/lass/2configs/xresources.nix b/lass/2configs/xresources.nix
index 2fbc31677..adbcd353d 100644
--- a/lass/2configs/xresources.nix
+++ b/lass/2configs/xresources.nix
@@ -8,8 +8,8 @@ let
     URxvt*scrollBar: false
     URxvt*urgentOnBell: true
     URxvt*SaveLines: 4096
-    URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
-    URxvt*boldFont: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1
+    URxvt*font: ${config.lass.myFont}
+    URxvt*boldFont: ${config.lass.myFont}
 
     ! ref https://github.com/muennich/urxvt-perls
     URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 6e6ba56fa..a339d3bf4 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }@args:
+{ config, pkgs, ... }@args:
 
 {
   nixpkgs.config.packageOverrides = rec {
@@ -20,7 +20,7 @@
     rs = pkgs.callPackage ./rs/default.nix {};
     urban = pkgs.callPackage ./urban/default.nix {};
     xml2json = pkgs.callPackage ./xml2json/default.nix {};
-    xmonad-lass = import ./xmonad-lass.nix { inherit pkgs; };
+    xmonad-lass = import ./xmonad-lass.nix { inherit config pkgs; };
     yt-next = pkgs.callPackage ./yt-next/default.nix {};
   };
 }
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 67a1dc787..db439192a 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 pkgs.writeHaskell "xmonad-lass" {
   executables.xmonad = {
     extra-depends = [
@@ -40,7 +40,7 @@ import XMonad.Hooks.UrgencyHook (SpawnUrgencyHook(..), withUrgencyHook)
 import XMonad.Layout.FixedColumn (FixedColumn(..))
 import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNextMinimizedWin))
 import XMonad.Layout.NoBorders (smartBorders)
-import XMonad.Prompt (autoComplete, searchPredicate, XPConfig)
+import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
 import XMonad.Util.EZConfig (additionalKeysP)
 import XMonad.Layout.SimpleFloat (simpleFloat)
@@ -51,7 +51,7 @@ urxvtcPath :: FilePath
 urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"
 
 myFont :: String
-myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
+myFont = "${config.lass.myFont}"
 
 main :: IO ()
 main = getArgs >>= \case
@@ -107,8 +107,8 @@ myKeyMap =
     , ("M4-C-k", spawn "${pkgs.xorg.xkill}/bin/xkill")
 
     , ("M4-a", focusUrgent)
-    , ("M4-S-r", renameWorkspace    def)
-    , ("M4-S-a", addWorkspacePrompt def)
+    , ("M4-S-r", renameWorkspace    myXPConfig)
+    , ("M4-S-a", addWorkspacePrompt myXPConfig)
     , ("M4-S-<Backspace>", removeEmptyWorkspace)
     , ("M4-S-c", kill1)
     , ("M4-<Esc>", toggleWS)
@@ -141,8 +141,13 @@ forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
 forkFile path args env =
     xfork (executeFile path False args env) >> return ()
 
+myXPConfig :: XPConfig
+myXPConfig = def
+    { font = myFont
+    }
+
 autoXPConfig :: XPConfig
-autoXPConfig = def
+autoXPConfig = myXPConfig
     { autoComplete = Just 5000
     }
 
-- 
cgit v1.2.3


From c83cd3492a180e41c071e31ae8e4225b5c2083fc Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 11:46:29 +0200
Subject: l: add dpass + bindings

---
 lass/5pkgs/default.nix       |  1 +
 lass/5pkgs/dpass/default.nix | 12 ++++++++++++
 lass/5pkgs/xmonad-lass.nix   |  1 +
 3 files changed, 14 insertions(+)
 create mode 100644 lass/5pkgs/dpass/default.nix

diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index a339d3bf4..46633ba1a 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -3,6 +3,7 @@
 {
   nixpkgs.config.packageOverrides = rec {
     acronym = pkgs.callPackage ./acronym/default.nix {};
+    dpass = pkgs.callPackage ./dpass {};
     ejabberd = pkgs.callPackage ./ejabberd {
       erlang = pkgs.erlangR16;
     };
diff --git a/lass/5pkgs/dpass/default.nix b/lass/5pkgs/dpass/default.nix
new file mode 100644
index 000000000..7e75d50c7
--- /dev/null
+++ b/lass/5pkgs/dpass/default.nix
@@ -0,0 +1,12 @@
+{ pass, writeOut, writeDash, ... }:
+
+writeOut "dsco-pass" {
+  "/bin/dpass".link = writeDash "dpass" ''
+    PASSWORD_STORE_DIR=$HOME/.dpasswordstore \
+    exec ${pass}/bin/pass $@
+  '';
+  "/bin/dpassmenu".link = writeDash "dpassmenu" ''
+    PASSWORD_STORE_DIR=$HOME/.dpasswordstore \
+    exec ${pass}/bin/passmenu $@
+  '';
+}
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index db439192a..bf737dc5e 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -99,6 +99,7 @@ myKeyMap =
     , ("M4-C-p", spawn "${pkgs.scrot}/bin/scrot ~/public_html/scrot.png")
     , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
     , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
+    , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
     , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
     , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%")
     , ("<XF86MonBrightnessDown>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -time 0 -dec 1%")
-- 
cgit v1.2.3


From 2d1160c0623461ea94d2f573d114909b64ab2b4d Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 11:51:22 +0200
Subject: l retiolum: open configured tinc port

---
 lass/1systems/dishfire/config.nix |  1 -
 lass/2configs/retiolum.nix        | 10 ++++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix
index 25e8759b1..416edeb82 100644
--- a/lass/1systems/dishfire/config.nix
+++ b/lass/1systems/dishfire/config.nix
@@ -88,7 +88,6 @@
       };
       krebs.iptables.tables.filter.INPUT.rules = [
         { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
-        { predicate = "-p tcp --dport 993"; target = "ACCEPT"; }
       ];
     }
   ];
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index e7779f53e..fb76c5735 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -1,12 +1,14 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 
 {
 
   krebs.iptables = {
     tables = {
-      filter.INPUT.rules = [
-        { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; }
-        { predicate = "-p udp --dport tinc"; target = "ACCEPT"; }
+      filter.INPUT.rules = let
+        tincport = toString config.krebs.build.host.nets.retiolum.tinc.port;
+      in [
+        { predicate = "-p tcp --dport ${tincport}"; target = "ACCEPT"; }
+        { predicate = "-p udp --dport ${tincport}"; target = "ACCEPT"; }
       ];
     };
   };
-- 
cgit v1.2.3


From 5148cc92280181fe60d3694b6409fefa710764b6 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 12:19:15 +0200
Subject: l hosts: add helios pgp key

---
 krebs/3modules/lass/pgp/helios.pgp | 51 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 krebs/3modules/lass/pgp/helios.pgp

diff --git a/krebs/3modules/lass/pgp/helios.pgp b/krebs/3modules/lass/pgp/helios.pgp
new file mode 100644
index 000000000..dc6d07d6b
--- /dev/null
+++ b/krebs/3modules/lass/pgp/helios.pgp
@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFm/8D0BEAC+kY6ELukGkQh4xJ+haYGYi6FdCCUgM+BqAXQ9s7FnzyrNCbTq
+x5O2b3Np96NANCCWSMIcAIXt/AzfvxY7awtsFNlXolMMMEdkHbEXQCgJahK1P5iD
+q7DWlwwXNy+oPdl7ZGtfhK+d698aI6eFS0SamElH4B4IFaGzSXC0ec1Cva+3QM1d
+FPRmRByMllTxEcxI6P1gIAtZGXwPLPGVPYuoRQFM+3w+VPgBcWTLPYcLyvLj0r8o
+Gv/JSyZHNEu5Rtyl+8G6/8W/u7+J4lzO4V6Y6+UPomvfyCkreqsQp/bB8Nw9LYN2
+zNttaxM5zu7FBY2e+OwFsxNC5nnIvSVY2qYUps6Lxuv1cxKY+3lZKhMcc8+p+j2g
+QNdfys3Hk4fdZ5YBaQ/v30kS7ZpAkILCYw7g5HJ18pdoULNWYMUaJF/1Qim2mU72
+5wuCzwsWyA6BQFoBSlDPQ24ypGMVKynl6Xh3uGG/K1OcTvhUgzF3J+jcntOY698b
+4Lum/zffWQsVuXZlroydMjtn7Pfr3W8nzLynhCTWruW8+irb/Qut8q04KjfR0UyE
+hdc+kohQemfhk4y0CA0xuzRBRxagKo2LUFTUL312r2TZV+vLWtdToV3HzDuFJokq
+FCxoVm/4M6BQQ3IxDHBVO6BmqIlAGq9cheao3t9XciERPMSHXZzZKV/3CQARAQAB
+tA1sYXNzQGhlbGlvcy5yiQJOBBMBCAA4FiEEwAWygS5dtGA5vC/hQM6NxyLSe0oF
+Alm/8D0CGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQQM6NxyLSe0rm5hAA
+jxqcevdjJt+b4FstIiiNhhjU62/9Tl4qoKgR1/BwAIfDoMWduPrw9ldQky36O923
+VMYKiZBoUzdXRLzL0ay/ewXdSONllUwnFLvil78SQOuJTe5JKM6N0IiEVSEhNjRr
+zylFk7SpY2MOIc0p3eHutD4oq0PcWnOer5R1z7u0mVJRYVoJOu7IIxqj7jb8JRAh
+FbLBbu2mFBcXMLKyWFCTB4nROeoTBcfKTnBuDYhaIEUCLo2RpMYqBJiVJvvFLglA
+XowKFjuE/g5Yne2GB5zx1GVRkjZsE9mGL7L5mlyucMwYqWeJzkNfB7cz58ZFN9EG
+9hzUlaEahPxnC6/AeF9ev/9/SF6bPM/nq36xBXj7W5lOewc5p5GigHkh94VN+bdw
+/KluD5rUErO+v3ag+5Tr8FzjtbjlARRo/vz5YWRGS4yqGiXlUUchAPEzflLYxfD1
+CSH+i0eWMrm5t+BYiPZHL8DSbGI1BM5EhHZ69dS7bUAO1qL7oQObQv+755fLV6+q
++ir7GHuxtNma58PS+BDiWJnIqmDJ029u188YM4dGL+EWF2AS4cUh2y6CZCOq77Gt
+NmMCZyQjg2KB1jsL5XHySB14/uN3vlSSz9V+ZT/sAK09Z4atfYNnMHBAbC00GSbH
+VqQf+OIascVZWAzqExk4fjnVYjTaoIZHaNd5aT/61S25Ag0EWb/wPQEQAJwoiiHG
+NhuBFBEjZYJsONfJayGE4qWSU//54gJaitSgDLV8G0NYQrxqSNAZMAux6g9BSSrD
+s/LbN5U1KgKpLTHjiSXUFoQFZ44AeTSQkUeelbtMVz13ohjpDInkye3sM9Jr4Zw+
+wwgg3zRi49YR6EU78c81ehPjVyxBPg2mmguBShz1zn5r6GjzniU4p3P5Hwf5F+eu
+kRekG9hlCbVz+Ibl8U/t1JQZBqSIX45svdIYqeal5LWSgUG4o8gbenggNFPi3Olz
+IOoTRMGKe6HCjTzv+xML7Q9bCMkUdyIfrrG0QDj3g+VZmZYAXdKjLLujAAU18Sh0
+SekPenVE0DNvmB7HHw+Bo+4aq6wWC9+BDb31NpJzNY64zEuUZsnustEmAXM2UIKS
+HRzfgnZRRyD99H128a95FNpZrG5H+QgpdTE4PxsZn6fFtCRy6/a/W79VfCdHCahz
+ptthyMeE81uZ28VTBXOHgK8Wawt3xjJCRksCau3xNUgRuSPoAWUPY2tLrJ9wKbxp
+uL4fY8x8M2d9G4U03DfQDGP9JUskqLThnJf7Jo42XTmkJd9hRBL0kMCIfolEcyEh
+pSQqbevUnFRiipv1x90Tn9Cax06ZkHkovuyIniRve/MvX8mCzzlUv1bjVNC0d71+
+z3G8fXlhDZGCkLQu6M1MlmUZxu05UfQnk5kBABEBAAGJAjYEGAEIACAWIQTABbKB
+Ll20YDm8L+FAzo3HItJ7SgUCWb/wPQIbDAAKCRBAzo3HItJ7SuI3D/0Y3A2+ZbeH
+q3SCAXBs4yOv7cffT4KwDHIC2vp9I868xj0Fw9hCdN1X9Y6hfj6nilI4EKW5ozsg
+xs1kqGlclqqpag5ZmFbD1y/DzEpgdlysDJPgdD9FlF0mN+tTS543d0SOyydD2N8X
+el5h4T2VaEBYfwKoDyN7LnCtGoiUSE3Nw99BNJ7zGma+46NRUWjv1eByMMhxvXJF
+ASKn4Ok1olhINH43tQ3TGx9XdG19GS0+OnyOlfdagKwma73A2caUAyjIXBrmR5NU
+Pb3aiyMzxm6DpCupqWkQgCC/EG8HgYhPGJ6TAK2QfMWX1TjERcPGtVbTE7BbRNLd
+LdaIuo+5ROVseBTYDC8VbACkV7eh1fVhUmpZa81uQotCRJ+jsYGT4Lyon44roSGn
+7G+rYgS2yv/2JXSTMBa45MReEPCgkSwZ6u9jvbs7vWzao+4tILsgO9RqNw1kiN9o
+LMLMVVCFmgNMCHxegmNIJYRryQkFZA5vQR2gPS3FYY3NfVGhFHMvsOK+jx415o2O
+gF76EJcexglPWhyqBc5meyw1x6pjoPTNGLnFzH1rdyyYilUyFexy3TSam60Ov/Aj
+cszX0D4M2Fnk9ncSq03ujflVYpVTNtkSVH0K9OY7rwjp78WycxiYzk1OQHogh18L
+Du4S2e/am91kQGaz490BV9XNw4I70e4dQQ==
+=gkzg
+-----END PGP PUBLIC KEY BLOCK-----
-- 
cgit v1.2.3


From e822f88199f11fe75e2a38a0e5f9806a8c9ba5cf Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 19 Sep 2017 12:34:43 +0200
Subject: l: add helios.r config + source

---
 lass/1systems/helios/config.nix | 86 +++++++++++++++++++++++++++++++++++++++++
 lass/1systems/helios/source.nix |  4 ++
 2 files changed, 90 insertions(+)
 create mode 100644 lass/1systems/helios/config.nix
 create mode 100644 lass/1systems/helios/source.nix

diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix
new file mode 100644
index 000000000..89949bcbf
--- /dev/null
+++ b/lass/1systems/helios/config.nix
@@ -0,0 +1,86 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs/baseX.nix>
+    <stockholm/lass/2configs/browsers.nix>
+    <stockholm/lass/2configs/mouse.nix>
+    <stockholm/lass/2configs/pass.nix>
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
+    <stockholm/lass/2configs/git.nix>
+    { # automatic hardware detection
+      boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+      boot.kernelModules = [ "kvm-intel" ];
+
+      fileSystems."/" =
+        { device = "/dev/pool/root";
+          fsType = "btrfs";
+        };
+
+      fileSystems."/boot" =
+        { device = "/dev/disk/by-uuid/1F60-17C6";
+          fsType = "vfat";
+        };
+
+      fileSystems."/home" =
+        { device = "/dev/pool/home";
+          fsType = "btrfs";
+        };
+
+      nix.maxJobs = lib.mkDefault 8;
+      powerManagement.cpuFreqGovernor = "powersave";
+    }
+    { # crypto stuff
+      boot.initrd.luks = {
+        cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+        devices =  [{
+           name = "luksroot";
+           device = "/dev/nvme0n1p3";
+        }];
+      };
+    }
+    {
+      services.xserver.dpi = 200;
+      fonts.fontconfig.dpi = 200;
+      lass.myFont = "-schumacher-clean-*-*-*-*-26-*-*-*-*-*-iso10646-1";
+    }
+  ];
+  krebs.build.host = config.krebs.hosts.helios;
+
+  krebs.git.rules = [
+    {
+      user = [ config.krebs.users.lass-helios ];
+      repo = [ config.krebs.git.repos.stockholm ];
+      perm = with git; push "refs/heads/*" [ fast-forward non-fast-forward create delete merge ];
+    }
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.wireless.enable = true;
+  hardware.enableRedistributableFirmware = true;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    rxvt_unicode
+    git
+    rsync
+    hashPassword
+    thunderbird
+    dpass
+  ];
+
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
+      config.krebs.users.lass-helios.pubkey
+    ];
+  };
+
+  programs.ssh.startAgent = lib.mkForce true;
+
+}
diff --git a/lass/1systems/helios/source.nix b/lass/1systems/helios/source.nix
new file mode 100644
index 000000000..bfe4dca4c
--- /dev/null
+++ b/lass/1systems/helios/source.nix
@@ -0,0 +1,4 @@
+import <stockholm/lass/source.nix> {
+  name = "helios";
+  secure = true;
+}
-- 
cgit v1.2.3