122 files changed, 607 insertions, 594 deletions

diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix
index 3780e0d7..bb273652 100644
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@@ -22,8 +22,6 @@ with import <stockholm/lib>;
     pkgs.vaapiVdpau
   ];
 
-  security.rngd.enable = mkDefault true;
-
   services.xserver = {
     videoDriver = "intel";
   };
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index d4ac9e42..d26aa596 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -61,7 +61,7 @@
       };
 
       privset "op" {
-        privs = oper:admin;
+        privs = oper:admin, oper:general;
       };
 
       operator "aids" {
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 2da3e6fc..84a39f95 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -68,6 +68,7 @@
     wantedBy = [ "multi-user.target" ];
   };
 
+  systemd.services.brockman.bindsTo = [ "solanum.service" ];
   systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
   systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
   krebs.brockman = {
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 2823aabe..14e0a3d7 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -119,6 +119,7 @@ in {
   users.users.reaktor2 = {
     uid = genid_uint31 "reaktor2";
     home = stateDir;
+    isSystemUser = true;
   };
 
   krebs.reaktor2 = {
diff --git a/krebs/2configs/shack/muell_mail.nix b/krebs/2configs/shack/muell_mail.nix
index 48156471..95145020 100644
--- a/krebs/2configs/shack/muell_mail.nix
+++ b/krebs/2configs/shack/muell_mail.nix
@@ -12,6 +12,7 @@ let
 in {
   users.users.muell_mail = {
     inherit home;
+    isSystemUser = true;
     createHome = true;
   };
   systemd.services.muell_mail = {
diff --git a/krebs/2configs/shack/muellshack.nix b/krebs/2configs/shack/muellshack.nix
index e894b939..b032b429 100644
--- a/krebs/2configs/shack/muellshack.nix
+++ b/krebs/2configs/shack/muellshack.nix
@@ -13,6 +13,7 @@ let
 in {
   users.users.muellshack = {
     inherit home;
+    isSystemUser = true;
     createHome = true;
   };
   services.nginx.virtualHosts."muell.shack" = {
diff --git a/krebs/2configs/shack/node-light.nix b/krebs/2configs/shack/node-light.nix
index 4a981ea8..2e69d5aa 100644
--- a/krebs/2configs/shack/node-light.nix
+++ b/krebs/2configs/shack/node-light.nix
@@ -14,6 +14,7 @@ in {
   networking.firewall.allowedUDPPorts = [ 2342 ];
   users.users.node-light = {
     inherit home;
+    isSystemUser = true;
     createHome = true;
   };
   services.nginx.virtualHosts."lounge.light.shack" = {
diff --git a/krebs/2configs/shack/powerraw.nix b/krebs/2configs/shack/powerraw.nix
index cc3692e8..43c74358 100644
--- a/krebs/2configs/shack/powerraw.nix
+++ b/krebs/2configs/shack/powerraw.nix
@@ -14,7 +14,10 @@ let
 in {
   # receive response from light.shack / standby.shack
   networking.firewall.allowedUDPPorts = [ 11111 ];
-  users.users.powermeter.extraGroups = [ "dialout" ];
+  users.users.powermeter = {
+    extraGroups = [ "dialout" ];
+    isSystemUser = true;
+  };
 
   # we make sure that usb-ttl has the correct permissions
   # creates /dev/powerraw
diff --git a/krebs/2configs/shack/s3-power.nix b/krebs/2configs/shack/s3-power.nix
index f3ea67f7..0ce8a878 100644
--- a/krebs/2configs/shack/s3-power.nix
+++ b/krebs/2configs/shack/s3-power.nix
@@ -14,6 +14,7 @@ in {
   users.users.s3_power = {
     inherit home;
     createHome = true;
+    isSystemUser = true;
   };
   systemd.services.s3-power = {
     startAt = "daily";
diff --git a/krebs/2configs/shack/shackDNS.nix b/krebs/2configs/shack/shackDNS.nix
index 807bb7e6..c9cdfd24 100644
--- a/krebs/2configs/shack/shackDNS.nix
+++ b/krebs/2configs/shack/shackDNS.nix
@@ -30,6 +30,7 @@ in {
   users.users.shackDNS = {
     inherit home;
     createHome = true;
+    isSystemUser = true;
   };
   services.nginx.virtualHosts."leases.shack" = {