9 files changed, 88 insertions, 71 deletions

diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 2b7a5c924..ed179ded6 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -2,6 +2,7 @@
 with import <stockholm/lib>;
 let
   user = config.krebs.build.user;
+  xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; };
 in {
   imports = [
     ./mpv.nix
@@ -84,7 +85,6 @@ in {
     powertop
     push
     rxvt_unicode_with-plugins
-    screengrab
     slock
     sxiv
     timewarrior
@@ -99,6 +99,7 @@ in {
     zathura
 
     cabal2nix
+    xephyrify
   ];
 
   fonts.fonts = with pkgs; [
@@ -129,7 +130,6 @@ in {
   };
 
   systemd.user.services.xmonad = {
-    #wantedBy = [ "graphical-session.target" ];
     environment = {
       DISPLAY = ":${toString config.services.xserver.display}";
       RXVT_SOCKET = "%t/urxvtd-socket";
@@ -137,8 +137,8 @@ in {
     };
     serviceConfig = {
       SyslogIdentifier = "xmonad";
-      ExecStart = "${pkgs.xmonad-lass}/bin/xmonad";
-      ExecStop = "${pkgs.xmonad-lass}/bin/xmonad --shutdown";
+      ExecStart = "${xmonad-lass}/bin/xmonad";
+      ExecStop = "${xmonad-lass}/bin/xmonad --shutdown";
     };
     restartIfChanged = false;
   };
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index cbbd54b6b..91ee08bfd 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -21,59 +21,32 @@ let
     $BIN "$@"
   '';
 
-  createChromiumUser = name: extraGroups: precedence:
-    let
-      bin = pkgs.writeScriptBin name ''
-        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@
-      '';
-    in {
-      users.extraUsers.${name} = {
-        inherit name;
-        inherit extraGroups;
-        home = "/home/${name}";
-        uid = genid name;
-        useDefaultShell = true;
-        createHome = true;
+  createUser = script: name: groups: precedence: dpi:
+    {
+      lass.xjail.${name} = {
+        inherit script groups dpi;
       };
+      environment.systemPackages = [ config.lass.xjail-bins.${name} ];
       lass.browser.paths.${name} = {
-        path = bin;
+        path = config.lass.xjail-bins.${name};
         inherit precedence;
       };
-      security.sudo.extraConfig = ''
-        ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
-      '';
-      environment.systemPackages = [
-        bin
-      ];
     };
 
-  createFirefoxUser = name: extraGroups: precedence:
-    let
-      bin = pkgs.writeScriptBin name ''
-        /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox-devedition-bin}/bin/firefox-devedition $@
-      '';
-    in {
-      users.extraUsers.${name} = {
-        inherit name;
-        inherit extraGroups;
-        home = "/home/${name}";
-        uid = genid name;
-        useDefaultShell = true;
-        createHome = true;
-      };
-      lass.browser.paths.${name} = {
-        path = bin;
-        inherit precedence;
-      };
-      security.sudo.extraConfig = ''
-        ${mainUser.name} ALL=(${name}) NOPASSWD: ALL
-      '';
-      environment.systemPackages = [
-        bin
-      ];
-    };
+  createChromiumUser = name: groups: precedence:
+    createUser (pkgs.writeDash name ''
+      ${pkgs.chromium}/bin/chromium "$@"
+    '') name groups precedence 80;
+
+  createFirefoxUser = name: groups: precedence:
+    createUser (pkgs.writeDash name ''
+      ${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@"
+    '') name groups precedence 80;
 
-  #TODO: abstract this
+  createQuteUser = name: groups: precedence:
+    createUser (pkgs.writeDash name ''
+      ${pkgs.qutebrowser}/bin/qutebrowser "$@"
+    '') name groups precedence 60;
 
 in {
 
@@ -110,12 +83,13 @@ in {
         }));
       };
     }
+    ( createQuteUser "qb" [ "audio" ] 20 )
     ( createFirefoxUser "ff" [ "audio" ] 10 )
-    ( createChromiumUser "cr" [ "video" "audio" ] 9 )
+    ( createChromiumUser "cr" [ "audio" ] 9 )
     ( createChromiumUser "gm" [ "video" "audio" ] 8 )
-    ( createChromiumUser "wk" [ "video" "audio" ] 0 )
-    ( createChromiumUser "fb" [ "video" "audio" ] 0 )
-    ( createChromiumUser "com" [ "video" "audio" ] 0 )
+    ( createChromiumUser "wk" [ "audio" ] 0 )
+    ( createChromiumUser "fb" [ "audio" ] 0 )
+    ( createChromiumUser "com" [ "audio" ] 0 )
     ( createChromiumUser "fin" [] (-1) )
   ];
 }
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 4335c7cab..4455d2761 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -11,7 +11,6 @@ with import <stockholm/lib>;
     primary_hostname = "lassul.us";
     sender_domains = [
       "lassul.us"
-      "aidsballs.de"
     ];
     relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [
       config.krebs.hosts.mors
@@ -70,6 +69,16 @@ with import <stockholm/lib>;
       { from = "aws@lassul.us"; to = lass.mail; }
       { from = "reddit@lassul.us"; to = lass.mail; }
       { from = "banggood@lassul.us"; to = lass.mail; }
+      { from = "immoscout@lassul.us"; to = lass.mail; }
+      { from = "gmail@lassul.us"; to = lass.mail; }
+      { from = "amazon@lassul.us"; to = lass.mail; }
+      { from = "humblebundle@lassul.us"; to = lass.mail; }
+      { from = "meetup@lassul.us"; to = lass.mail; }
+      { from = "gebfrei@lassul.us"; to = lass.mail; }
+      { from = "github@lassul.us"; to = lass.mail; }
+      { from = "ovh@lassul.us"; to = lass.mail; }
+      { from = "hetzner@lassul.us"; to = lass.mail; }
+      { from = "allygator@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index c6866c69d..81db59617 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -8,6 +8,16 @@ let
       logfile ~/.msmtp.log
     account prism
       host prism.r
+    account c-base
+      from lassulus@c-base.org
+      host c-mail.c-base.org
+      port 465
+      tls on
+      tls_starttls off
+      tls_fingerprint 8C:10:A6:AB:1F:82:C4:8F:B1:B4:22:D5:8B:8B:49:9B:59:0B:22:A4
+      auth on
+      user lassulus
+      passwordeval pass show c-base/pass
     account default: prism
   '';
 
@@ -22,25 +32,52 @@ let
 
   mailboxes = {
     c-base = [ "to:c-base.org" ];
+    coins = [
+      "to:btce@lassul.us"
+      "to:coinbase@lassul.us"
+      "to:polo@lassul.us"
+      "to:bitwala@lassul.us"
+      "to:payeer@lassul.us"
+      "to:gatehub@lassul.us"
+      "to:bitfinex@lassul.us"
+      "to:binance@lassul.us"
+      "to:bitcoin.de@lassul.us"
+      "to:robinhood@lassul.us"
+    ];
     dezentrale = [ "to:dezentrale.space" ];
-    kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" ];
+    dhl = [ "to:dhl@lassul.us" ];
+    eloop = [ "to:eloop.org" ];
+    github = [ "to:github@lassul.us" ];
+    gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
+    kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
+    lugs = [ "to:lugs@lug-s.org" ];
     nix-devel = [ "to:nix-devel@googlegroups.com" ];
     patreon = [ "to:patreon@lassul.us" ];
-    security = [ "to:seclists.org" "to:security" "to:bugtraq" ];
+    paypal = [ "to:paypal@lassul.us" ];
+    ptl = [ "to:ptl@posttenebraslab.ch" ];
+    retiolum = [ "to:lass@mors.r" ];
+    security = [ "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us" ];
     shack = [ "to:shackspace.de" ];
+    steam = [ "to:steam@lassul.us" ];
+    tinc = [ "to:tinc@tinc-vpn.org" "to:tinc-devel@tinc-vpn.org" ];
     wireguard = [ "to:wireguard@lists.zx2c4" ];
+    zzz = [ "to:pizza@lassul.us" "to:spam@krebsco.de" ];
   };
 
-  tag-mails = pkgs.writeDashBin "nm-init-tag" ''
+  tag-new-mails = pkgs.writeDashBin "nm-tag-init" ''
     ${pkgs.notmuch}/bin/notmuch new
     ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)}
   '';
 
+  tag-old-mails = pkgs.writeDashBin "nm-tag-old" ''
+    ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox -archive +${i.name} -- ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)}
+  '';
+
   muttrc = pkgs.writeText "muttrc" ''
     # gpg
-    source ${pkgs.neomutt}/share/doc/mutt/samples/gpg.rc
+    source ${pkgs.neomutt}/share/doc/neomutt/samples/gpg.rc
     set pgp_use_gpg_agent = yes
-    set pgp_sign_as = 0x976A7E4D
+    set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D
     set crypt_autosign = yes
     set crypt_replyencrypt = yes
     set crypt_verify_sig = yes
@@ -158,7 +195,7 @@ let
     name = "mutt";
     paths = [
       (pkgs.writeDashBin "mutt" ''
-        exec ${pkgs.neomutt}/bin/mutt -F ${muttrc} $@
+        exec ${pkgs.neomutt}/bin/neomutt -F ${muttrc} $@
       '')
       pkgs.neomutt
     ];
@@ -170,6 +207,7 @@ in {
     mutt
     pkgs.much
     pkgs.notmuch
-    tag-mails
+    tag-new-mails
+    tag-old-mails
   ];
 }
diff --git a/lass/2configs/privoxy.nix b/lass/2configs/privoxy.nix
index 33e8d1e46..e0a086421 100644
--- a/lass/2configs/privoxy.nix
+++ b/lass/2configs/privoxy.nix
@@ -3,10 +3,5 @@
 {
   services.privoxy = {
     enable = true;
-    extraConfig = ''
-      #use polipo
-      forward / localhost:8123
-    '';
   };
-  services.polipo.enable = true;
 }
diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix
index c3d07d5fe..537c8a59b 100644
--- a/lass/2configs/security-workarounds.nix
+++ b/lass/2configs/security-workarounds.nix
@@ -5,6 +5,4 @@ with import <stockholm/lib>;
   boot.extraModprobeConfig = ''
     install dccp /run/current-system/sw/bin/false
   '';
-
-  boot.kernelPackages = pkgs.linuxPackages_latest;
 }
diff --git a/lass/2configs/virtualbox.nix b/lass/2configs/virtualbox.nix
index f7d196057..8171def2d 100644
--- a/lass/2configs/virtualbox.nix
+++ b/lass/2configs/virtualbox.nix
@@ -6,6 +6,8 @@ let
 in {
   #services.virtualboxHost.enable = true;
   virtualisation.virtualbox.host.enable = true;
+  nixpkgs.config.virtualbox.enableExtensionPack = true;
+  virtualisation.virtualbox.host.enableHardening = false;
 
   users.extraUsers = {
     virtual = {
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 9ece2af77..7a72499c9 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -49,6 +49,7 @@ in {
       "www.ubikmedia.eu"
       "www.youthtube.xyz"
       "www.ubikmedia.de"
+      "www.joemisch.com"
       "www.weirdwednesday.de"
 
       "aldona2.ubikmedia.de"
@@ -63,6 +64,7 @@ in {
       "weirdwednesday.ubikmedia.de"
       "freemonkey.ubikmedia.de"
       "jarugadesign.ubikmedia.de"
+      "crypto4art.ubikmedia.de"
     ])
   ];
 
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index aa57a9857..14d6ce9ec 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -12,9 +12,8 @@ let
   ;
 
   msmtprc = pkgs.writeText "msmtprc" ''
-    account localhost
+    account default
       host localhost
-    account default: localhost
   '';
 
   sendmail = pkgs.writeDash "msmtp" ''