-rw-r--r-- | krebs/3modules/bepasty-server.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/ci.nix | 6 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/setuid.nix | 4 | ||||
-rw-r--r-- | krebs/5pkgs/simple/kpaste/default.nix | 5 | ||||
-rw-r--r-- | krebs/5pkgs/simple/krebspaste/default.nix | 12 | ||||
-rw-r--r-- | lass/1systems/blue/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/mors/config.nix | 2 | ||||
-rw-r--r-- | lass/2configs/hw/x220.nix | 5 | ||||
-rw-r--r-- | lass/2configs/paste.nix | 10 | ||||
-rw-r--r-- | lass/2configs/syncthing.nix | 1 | ||||
-rw-r--r-- | lass/3modules/usershadow.nix | 27 | ||||
-rw-r--r-- | lib/types.nix | 2 | ||||
-rw-r--r-- | tv/5pkgs/simple/utsushi.nix | 25 |
14 files changed, 76 insertions, 34 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index e12367b7c..94a509520 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -2,10 +2,10 @@ with import <stockholm/lib>; let - gunicorn = pkgs.pythonPackages.gunicorn; - bepasty = pkgs.bepasty; - gevent = pkgs.pythonPackages.gevent; - python = pkgs.pythonPackages.python; + gunicorn = pkgs.python27Packages.gunicorn; + bepasty = pkgs.bepasty.override { python3Packages = pkgs.python27Packages; }; + gevent = pkgs.python27Packages.gevent; + python = pkgs.python27Packages.python; cfg = config.krebs.bepasty; out = { diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix index a47dbe611..244de1a0d 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci.nix @@ -108,10 +108,12 @@ let name=str(new_step), command=[ "${pkgs.writeDash "build-stepper.sh" '' - set -efu + set -xefu profile=${shell.escape profileRoot}/$build_name result=$("$build_script") - ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result" + if [ -n "$result" ]; then + ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result" + fi ''}" ], env={ diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index a3b8cab39..3396c2802 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -20,6 +20,7 @@ in { extraZones = { "krebsco.de" = '' cache IN A ${nets.internet.ip4.addr} + p IN A ${nets.internet.ip4.addr} paste IN A ${nets.internet.ip4.addr} prism IN A ${nets.internet.ip4.addr} ''; diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index 3ba598a45..97cf21cdd 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -21,8 +21,8 @@ let default = config._module.args.name; }; envp = mkOption { - type = types.attrsOf types.str; - default = {}; + type = types.nullOr (types.attrsOf types.str); + default = null; }; filename = mkOption { type = mkOptionType { 
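Review bot: The `let` bindings in bepasty-server.nix now pin gunicorn, gevent, python and bepasty itself to `pkgs.python27Packages` without saying why, which ties the paste server to an interpreter line that no longer receives upstream security fixes. The override `python3Packages = pkgs.python27Packages` is also misleading to read, since an argument named for Python 3 is handed the Python 2.7 set. A comment above the bindings would record the reason and the exit condition, for example `# pinned to python27Packages because <reason>; switch back once bepasty builds against python3Packages`, where `<reason>` is a placeholder for the author to fill in.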
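Review bot: `set -xefu` in build-stepper.sh turns on shell tracing for every CI step, so each expanded command line, including the value of `$result`, is written to the build log. If any value reaching this script can carry a credential (the `env={` block that follows is not visible in the hunk), it becomes readable by everyone who can view build output. If the tracing was only a debugging aid, return to `set -efu`. Separately, the new `if [ -n "$result" ]` guard lets a build script that prints nothing finish successfully without updating the profile. An `else` branch such as `echo "build-stepper: empty result, profile not updated" >&2` would make that case visible in the log.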
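Review bot: Changing the `envp` default from `{}` to `null` changes what every wrapper that does not set `envp` receives, and the hunk does not show how `null` is consumed. If `null` means "pass the caller's environment through", setuid programs defined through this module would start running with variables chosen by the unprivileged caller, where they previously got an empty environment. The option should state its semantics, e.g. `description = "Environment of the wrapped program; null inherits the caller's environment.";` (wording to be confirmed against the wrapper implementation). Wrappers that must not inherit anything should set `envp = {};` explicitly. The option set continues outside the hunk.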
diff --git a/krebs/5pkgs/simple/kpaste/default.nix b/krebs/5pkgs/simple/kpaste/default.nix index d6823d584..217cb8a44 100644 --- a/krebs/5pkgs/simple/kpaste/default.nix +++ b/krebs/5pkgs/simple/kpaste/default.nix @@ -1,5 +1,6 @@ -{ curl, writeDashBin }: +{ curl, gnused, writeDashBin }: writeDashBin "kpaste" '' - exec ${curl}/bin/curl -sS http://p.r --data-binary @- + ${curl}/bin/curl -sS http://p.r --data-binary @- | + ${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}' '' diff --git a/krebs/5pkgs/simple/krebspaste/default.nix b/krebs/5pkgs/simple/krebspaste/default.nix index a11c8c90a..d97b6a053 100644 --- a/krebs/5pkgs/simple/krebspaste/default.nix +++ b/krebs/5pkgs/simple/krebspaste/default.nix @@ -1,6 +1,12 @@ -{ writeDashBin, bepasty-client-cli }: +{ bepasty-client-cli, gnused, writeDashBin }: -# TODO use `pkgs.exec` instead? writeDashBin "krebspaste" '' - exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g' + ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | + ${gnused}/bin/sed ' + $ { + s/$/\/+inline/ + p + s/\<r\>/krebsco.de/ + } + ' '' diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix index a287f548b..43c80d52f 100644 --- a/lass/1systems/blue/config.nix +++ b/lass/1systems/blue/config.nix @@ -15,9 +15,11 @@ with import <stockholm/lib>; krebs.syncthing.folders = [ { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } + { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; } ]; lass.ensure-permissions = [ { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } + { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; } ]; environment.shellAliases = { diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index fa5fb5518..52bcc9e15 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix 
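Review bot: With `exec` dropped and curl piped into sed, the script's exit status is now sed's, so a failed upload is reported as success; dash has no `pipefail`. The krebspaste hunk below has the same shape with `bepasty-cli`. Capturing the output first keeps the failure visible: `out=$(${curl}/bin/curl -sS http://p.r --data-binary @-) || exit` followed by `printf '%s\n' "$out" | ${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}'`. Note also that the substitution only rewrites the host, so the printed public link keeps the `http://` scheme; if the public vhost is meant to be reached over TLS, the scheme should be rewritten as well.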
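Review bot: The new folder entry syncs all of `/home/lass/.weechat`, and the matching `lass.ensure-permissions` entry sets its group to `syncthing`; the mors hunk adds the same two lines. A WeeChat directory normally holds server credentials (`irc.conf`, `sec.conf`) and chat logs, so these would be copied to every listed peer and, depending on the mode `ensure-permissions` applies, become accessible to the syncthing group. If only configuration is meant to be shared, sync a narrower path or exclude the secret-bearing files with a `.stignore`. The entry also has no `id`, unlike its neighbours; presumably the module derives one, which is worth confirming so both hosts agree on it.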
@@ -52,10 +52,12 @@ with import <stockholm/lib>; krebs.syncthing.folders = [ { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; } + { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; } ]; lass.ensure-permissions = [ { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } { folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; } + { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; } ]; } { diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix index f5651da13..5649041f9 100644 --- a/lass/2configs/hw/x220.nix +++ b/lass/2configs/hw/x220.nix @@ -30,8 +30,7 @@ }; }; - services.logind.extraConfig = '' - HandleLidSwitch=ignore - ''; + services.logind.lidSwitch = "ignore"; + services.logind.lidSwitchDocked = "ignore"; } diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix index 293691c0f..3c3d8e636 100644 --- a/lass/2configs/paste.nix +++ b/lass/2configs/paste.nix @@ -10,6 +10,16 @@ with import <stockholm/lib>; proxy_pass http://localhost:9081; ''; }; + services.nginx.virtualHosts.paste-readonly = { + serverAliases = [ "p.krebsco.de" ]; + locations."/".extraConfig = '' + if ($request_method != GET) { + return 403; + } + proxy_set_header Host $host; + proxy_pass http://localhost:9081; + ''; + }; krebs.htgen.paste = { port = 9081; script = toString [ diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index 842abc195..d8b3c9f90 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -4,6 +4,7 @@ with import <stockholm/lib>; services.syncthing = { enable = true; group = "syncthing"; + configDir = "/var/lib/syncthing"; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} 
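Review bot: The `paste-readonly` vhost in paste.nix publishes the whole htgen backend on `p.krebsco.de`, with the `$request_method != GET` check as its only restriction. Every stored paste therefore becomes retrievable from the internet by anyone who knows or can guess its path, including pastes made on the internal name. The visible lines set no TLS options on the vhost (`forceSSL` / `enableACME`); if that is not configured elsewhere, the links are served in clear text. A comment above the vhost would help, e.g. `# public read-only mirror of paste.r; the paste id is the only access control`, and an nginx `limit_req` zone would bound enumeration. The check also rejects HEAD, which may or may not be intended.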
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index cb2890969..d967a108a 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -31,13 +31,20 @@ session required pam_loginuid.so ''; - security.pam.services.dovecot2.text = '' - auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - session required pam_env.so envfile=${config.system.build.pamEnvironment} - ''; + security.pam.services.dovecot2 = { + text = '' + auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + session required pam_env.so envfile=${config.system.build.pamEnvironment} + ''; + }; + + security.wrappers.shadow_verify_pam = { + source = "${usershadow}/bin/verify_pam"; + owner = "root"; + }; }; usershadow = let { @@ -46,10 +53,13 @@ "bytestring" ]; body = pkgs.writeHaskellPackage "passwords" { + ghc-options = [ + "-rtsopts" + "-Wall" + ]; executables.verify_pam = { extra-depends = deps; text = '' - import Data.Monoid import System.IO import Data.Char (chr) import System.Environment (getEnv, getArgs) @@ -72,7 +82,6 @@ executables.verify_arg = { extra-depends = deps; text = '' - import Data.Monoid import System.Environment (getArgs) import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8 diff --git a/lib/types.nix b/lib/types.nix index 9001bc7c3..23919af38 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -89,7 +89,7 @@ rec { syncthing.id = mkOption { # TODO syncthing id type - type = nullOr string; + type = nullOr str; default = null; }; }; diff --git a/tv/5pkgs/simple/utsushi.nix b/tv/5pkgs/simple/utsushi.nix index 55e8800a6..0ae4ed880 100644 --- a/tv/5pkgs/simple/utsushi.nix +++ b/tv/5pkgs/simple/utsushi.nix 
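Review bot: The dovecot2 PAM line now carries `debug` and `log=/tmp/lol`, which looks like leftover debugging in the mail authentication path. pam_exec will write the helper's output to a fixed name in a world-writable directory, and any local user can create that name beforehand, so the log can be redirected or read by someone other than the administrator. Both options should go: `auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}`; if logging is needed, point `log=` at a root-owned directory. The new `security.wrappers.shadow_verify_pam` sets only `source` and `owner = "root"`. Stating `setuid`, `group` and `permissions` explicitly would make it visible which privileges a binary that receives the password on stdin runs with, and who may execute it.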
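Review bot: `"-rtsopts"` in the new `ghc-options` makes every executable in this package accept the full set of `+RTS` runtime options. That includes `verify_pam`, which the previous hunk installs under `/run/wrappers/bin` with owner root. GHC restricts RTS options by default because some of them write files under the program's own privileges; if the wrapper runs setuid, the unprivileged caller would control those options. Unless something depends on them, keep `"-Wall"` and drop `"-rtsopts"`, or use `"-rtsopts=some"`. The `body` attribute set this hunk edits starts and ends outside the hunk.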
@@ -51,13 +51,19 @@ let src = if stdenv.system == "i686-linux" then fetchurl { - url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x86.deb.tar.gz"; - sha256 = "16xv1pdfm2ryis815fawb7zqg6c4swww726g272ssx044r5dp80r"; + urls = [ + "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x86/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz" + "http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz" + ]; + sha256 = "12syk4y8z22hm9r1lgxqp81vd24jbqgmq83b7yiyqfd4wfxb6k3s"; } else if stdenv.system == "x86_64-linux" then fetchurl { - url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x64.deb.tar.gz"; - sha256 = "0zik35h2jwrvkwcmq55wc72imidwdnmn1bayhypzhjcz61rasjg2"; + urls = [ + "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz" + "http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz" + ]; + sha256 = "1wp372hqhzdar6ldxy7s9js2s872x8c5nwq3608dwg9gca11ppc5"; } else throw "${name} is not supported on ${stdenv.system} (only i686-linux and x86_64 linux are supported)"; @@ -92,7 +98,7 @@ let license = stdenv.lib.licenses.eapl; maintainers = [ stdenv.lib.maintainers.tv ]; platforms = stdenv.lib.platforms.linux; - version = "1.1.0"; + version = "1.1.2"; }; }; @@ -102,8 +108,11 @@ stdenv.mkDerivation rec { name = "utsushi-${meta.version}"; src = fetchurl { - url = "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz"; - sha256 = "1gmiimwkcyzbkfr25vzqczjhgh90fgxd96agbnkpf9gah1mpd6qj"; + urls = [ + "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz" + "http://ni.r/~tv/mirrors/epson/imagescan_${meta.version}.orig.tar.gz" + ]; + sha256 = "0xwl4xp07cigslbi1qc52jsjvxcyvjlx54g812mn7211p01v2h4l"; }; preConfigure = '' 
@@ -203,6 +212,6 @@ stdenv.mkDerivation rec { license = stdenv.lib.licenses.gpl3; maintainers = [ stdenv.lib.maintainers.tv ]; platforms = stdenv.lib.platforms.linux; - version = "3.54.0"; + version = "3.55.0"; }; } |