initial commit

2020-05-21 17:39:38 +02:00 · 2020-05-21 17:39:38 +02:00 · 4751d60fe4
parent 47c8bd6fb0
commit 4751d60fe4
56 changed files with 921 additions and 839 deletions
--- a/65
+++ b/65
@ -1,63 +1,54 @@
 #!/usr/bin/env bash
-if ! [ -e deploy_key ] || ! [ -e secrets.nix ]
+set -xeuo pipefail
+if ! [ -e secrets.nix ]
 then
  git crypt unlock
-	sudo chgrp nixbld deploy_key
-	chmod 640 deploy_key
 fi
-export NIX_PATH="ssh-id-file=$PWD/deploy_key":secrets=$PWD/secrets.nix:yori-nix=$PWD
-function get_channel {
-    case $1 in
-        git)
-	          echo "nixpkgs=https://github.com/NixOS/nixpkgs/archive/master.tar.gz"
-	          ;;
-        stable)
-            echo "nixpkgs=https://nixos.org/channels/nixos-18.03/nixexprs.tar.xz"
-	          ;;
-        checkout)
-            echo "nixpkgs=$PWD/../projects/nixpkgs"
-            ;;
-        channel)
-	          echo "/nix/var/nix/profiles/per-user/root/channels/nixos"
-	          ;;
-    esac
-}
-case $1 in
-    cloc)
-        exec cloc --read-lang-def=deploy/nix_cloc .
-        ;;
+# TODO: remove nixpkgs dependency
+export NIX_PATH=yori-nix=$PWD:nixpkgs=channel:nixos-unstable
+host=$1
+TARGET_HOST=$(nix eval --raw -f vpn.nix ips.$host)
+#TARGET_HOST=192.168.178.1
+case $2 in
    copy-keys)
-        $0 exec "$2" nix build -f "\\<nixpkgs/nixos\\>" config.deployment.keys-copy --out-link copy-keys
-        TARGET_HOST=$(jq -r ".$2.host"<servers.json)
+        $0 exec "$2" nix build -f "<nixpkgs/nixos>" config.deployment.keys-copy --out-link copy-keys
        ./copy-keys/bin/copy-keys "$TARGET_HOST"
        # rm ./copy-keys
        ;;
    exec)
        CHANNEL=$(jq -r ".$2.pkgs"<servers.json)
-        export NIX_PATH="$(get_channel "$CHANNEL"):nixos-config=$PWD/logical/$2.nix:$NIX_PATH"
-        eval "${@:3}"
+        channel_url=$(get_channel "$CHANNEL")
+        export NIX_PATH="$channel_url:nixos-config=$PWD/logical/$2.nix:$NIX_PATH"
+        "${@:3}"
        ;;
    ssh)
-        TARGET_HOST=$(jq -r ".$2.host"<servers.json)
        ssh root@"$TARGET_HOST"
        ;;
    repl)
-        exec "$0" exec "$2" nix repl "\\<nixpkgs\\>" "\\<nixpkgs/nixos\\>"
+        exec "$0" exec "$2" nix repl '<nixpkgs>' '<nixpkgs/nixos>'
        ;; 
    build)
-        exec "$0" exec "$2" nixos-rebuild build
+        nix build -f servers.nix "$host" --show-trace
        ;; 
    copy)
-        TARGET_HOST=$(jq -r ".$2.host"<servers.json)
-        exec "$0" exec "$2" nixos-rebuild build --build-host localhost --target-host root@"$TARGET_HOST"
+        nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
+        ;; 
+    test)
+        outPath=$(nix-build servers.nix -A "$host")
+        nix copy -f servers.nix "$host" --show-trace --to "ssh://$TARGET_HOST"
+        ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration test
        ;; 
    boot)
-        TARGET_HOST=$(jq -r ".$2.host"<servers.json)
-        exec "$0" exec "$2" nixos-rebuild --build-host localhost --target-host root@"$TARGET_HOST" boot
+        outPath=$(nix-build servers.nix -A "$host")
+        nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
+        ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+        ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration boot
        ;;
    switch)
-        TARGET_HOST=$(jq -r ".$2.host"<servers.json)
-        exec "$0" exec "$2" nixos-rebuild --build-host localhost --target-host root@"$TARGET_HOST" switch
+        outPath=$(nix-build servers.nix -A "$host")
+        nix copy "$outPath" --show-trace --to "ssh://$TARGET_HOST"
+        ssh root@"$TARGET_HOST" nix-env -p "/nix/var/nix/profiles/system" --set "$outPath"
+        ssh root@"$TARGET_HOST" $outPath/bin/switch-to-configuration switch
        ;;
    
    
--- a/deploy/nix_cloc
+++ b/deploy/nix_cloc
@ -1,5 +0,0 @@
-Nix
-    filter remove_matches ^\s*#
-    filter remove_inline #.*$
-    extension nix
-    3rd_gen_scale 3.9
--- a/BIN
+++ b/BIN
--- a/keys/wg.ascanius.key
+++ b/keys/wg.ascanius.key
--- a/keys/wg.blackadder.key
+++ b/keys/wg.blackadder.key
--- a/keys/wg.frumar.key
+++ b/keys/wg.frumar.key
--- a/keys/wg.jarvis.key
+++ b/keys/wg.jarvis.key
--- a/keys/wg.pennyworth.key
+++ b/keys/wg.pennyworth.key
--- a/keys/wg.woodhouse.key
+++ b/keys/wg.woodhouse.key
--- a/logical/ascanius.nix
+++ b/logical/ascanius.nix
@ -13,6 +13,7 @@
      "https://cache.nixos.org"
      "https://disciplina.cachix.org"
    ];
+    trustedUsers = [ "root" "lars" ];
  };
  users.users.lars = {
    isNormalUser = true;
@ -20,4 +21,5 @@
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBze0fBV/Fpz9bz1WKkbPlj8h526ZfduOcQVlA+7j0+yzlT+jX6nLNjXNmIi6JZoERj8lG4/avkagldj+wwqWrKM2xOMgIUx34i+br5+U4Y7DedljfPV9k8eE55SI4BjfO697V7BhHP4eooRUjNVmqSmRAld06hJzMj7irGWHK+RPrK0M1BvGgSV5pL50jzQGd2unxvNuxSk1rWBNfNEGt6ok0G8/ud0Gw5QbcYWzbbnKBB8JsgBct22txtcgVbRyqftD+vpFl0Oyq4tiQbSHqa8qpFyV/wTf4Cs1Zz7WrqH+2xfx+oUsCOfMKuvCI8FKtriAWEmfOM42bBi50v2kj"
    ];
  };
+  boot.kernelPackages = pkgs.linuxPackages_4_19;
 }
--- a/logical/blackadder.nix
+++ b/logical/blackadder.nix
@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }:
+{
+  imports =
+    [ ../physical/3950x.nix
+      ../roles/workstation.nix
+    ];
+
+  nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
+  system.stateVersion = "19.09";
+
+  networking.wireguard.interfaces = {
+    wg-lumi = {
+      privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick-homepc.key";
+      ips = [ "10.109.0.18" ];
+      peers = [ {
+        publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
+        endpoint = "wg.lumi.guide:31727";
+        allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ];
+      }];
+      postSetup = "ip link set dev wg-lumi mtu 1408";
+    };
+  };
+
+  # development
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+    package = pkgs.postgresql_10;
+  };
+  # users.users.pie = {
+  #   isNormalUser = true;
+  #   openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDpj2GrPpXtAp9Is0wDyQNl8EQnBiITkSAjhf7EjIqX" ];
+  # };
+  # services.nfs.server = {
+  #   enable = true;
+  #   exports = ''
+  #     /export 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,fsid=0,no_root_squash)
+  #     /export/nfs/client1 10.40.0.0/24(insecure,rw,sync,no_subtree_check,crossmnt,all_squash,anonuid=0,anongid=0,no_root_squash)
+  #     /export/nfs/client1/nix 10.40.0.0/24(insecure,ro,sync,no_subtree_check,crossmnt)
+  #   '';
+  # };
+}
--- a/logical/frumar.nix
+++ b/logical/frumar.nix
@ -1,19 +1,74 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 {
  imports = [ 
-    <yori-nix/physical/fractal.nix>
-    <yori-nix/roles/server.nix>
+    ../physical/fractal.nix
+    ../roles/server.nix
+    ../roles/homeserver.nix
+    ../services/torrent-wg.nix
  ];

-
  system.stateVersion = "15.09";
+  networking.hostId = "0702dbe9";

  services.nginx.enable = true;
-  services.yorick = {
-    public = { enable = true; vhost = "pub.yori.cc"; };
-    gogs   = { enable = true; vhost = "git.yori.cc"; };
-    quassel.enable = true;
+  services.nginx.virtualHosts."${config.networking.hostName}" = {
+    enableACME = lib.mkForce false;
+    forceSSL = lib.mkForce false;
+    default = true;
+  };
+  boot.supportedFilesystems = [ "zfs" ];
+  services.yorick.torrent-vpn = {
+    enable = true; name = "mullvad-nl3"; namespace = "torrent";
+  };
+  services.plex = {
+    enable = true;
+    openFirewall = true;
+  };
+  services.victoriametrics = {
+    enable = true;
+    retentionPeriod = 12;
+  };
+  services.prometheus = {
+    enable = true;
+    extraFlags = [
+      "--web.enable-admin-api"
+    ];
+    # victoriametrics
+    extraConfig.remote_write = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ];
+    scrapeConfigs = [ {
+      job_name = "smartmeter";
+      # prometheus doesn't support mdns :thinking_face:
+      static_configs = [ { targets = [ "192.168.178.30" ]; } ];
+      scrape_interval = "10s";
+    } {
+      job_name = "node";
+      static_configs = [ { targets = [ "localhost:9100" ]; } ];
+    # } {
+    #   job_name = "unifi";
+    #   static_configs = [ { targets = [ "localhost:9130" ]; } ];
+    } {
+      job_name = "thermometer";
+      static_configs = [ { targets = [ "192.168.178.21:8000" ]; } ];  
+    }];
+    exporters.node.enable = true;
+    # exporters.unifi = {
+    #   enable = true;
+    #   unifiAddress = "https://woodhouse.home.yori.cc:8443";
+    #   unifiInsecure = true;
+    #   unifiUsername = "ReadOnlyUser";
+    #   unifiPassword = "ReadOnlyPassword";
+    # };
+  };
+  networking.firewall.interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ];
+  networking.firewall.allowedTCPPorts = [ 1883 ];
+  networking.firewall.allowedUDPPorts = [ 1883 ];
+  services.rabbitmq = {
+    enable = true;
+    plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
+  };
+  services.grafana = {
+    enable = true;
+    addr = "0.0.0.0";
+    domain = "grafana.yori.cc";
  };
-  
-
 }
--- a/logical/jarvis.nix
+++ b/logical/jarvis.nix
@ -1,15 +1,30 @@
 { config, pkgs, lib, ... }:
-
 {
  imports =
-    [ <yori-nix/physical/xps9360.nix>
-      <yori-nix/roles/workstation.nix>
+    [ ../physical/xps9360.nix
+      ../roles/workstation.nix
    ];

-
+  nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
  system.stateVersion = "17.09";

-  services.xserver.displayManager.sessionCommands = ''
-    ${pkgs.xorg.xrandr}/bin/xrandr --dpi 192
-  '';
+  networking.wireguard.interfaces = {
+    wg-lumi = {
+      privateKeyFile = "/home/yorick/engineering/lumi/secrets/devel/vpn/wg/workstations.yorick.key";
+      ips = [ "10.109.0.10" ];
+      peers = [ {
+        publicKey = "6demp+PX2XyVoMovDj4xHQ2ZHKoj4QAF8maWpjcyzzI=";
+        endpoint = "wg.lumi.guide:31727";
+        allowedIPs = [ "10.96.0.0/12" "10.0.12.0/22" "10.0.1.0/26" ];
+      }];
+      postSetup = "ip link set dev wg-lumi mtu 1371";
+    };
+  };
+
+  # development
+  services.postgresql = {
+    enable = true;
+    enableTCPIP = true;
+    package = pkgs.postgresql_10;
+  };
 }
--- a/logical/pennyworth.nix
+++ b/logical/pennyworth.nix
@ -3,42 +3,51 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).

 { config, pkgs, lib, ... }:
-
+let
+  sslforward = proxyPass: {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      inherit proxyPass;
+      proxyWebsockets = true;
+    };
+  };
+  vpn = import ../vpn.nix;
+in
 {
  imports = [
-    <yori-nix/physical/kassala.nix>
-    <yori-nix/roles/server.nix>
-    ../modules/muflax-blog.nix
+    ../physical/hetznercloud.nix
+    ../roles/server.nix
+    (builtins.fetchTarball {
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz";
+      sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx";
+    })
+   ../modules/muflax-blog.nix
  ];

-  system.stateVersion = "16.03";
+  system.stateVersion = "19.03";
  
  services.nginx.enable = true;
  services.yorick = {
    public = { enable = true; vhost = "pub.yori.cc"; };
    website = { enable = true; vhost = "yorickvanpelt.nl"; };
-    mail = {
-      enable = true;
-      mainUser = "yorick";
-      users.yorick = {
-        password = (import <yori-nix/secrets.nix>).yorick_mailPassword;
-        domains = ["yori.cc" "yorickvanpelt.nl"];
+    git = { enable = true; vhost = "git.yori.cc"; };
+    muflax-church = { enable = true; vhost = "muflax.church"; };
+  };
+  mailserver = rec {
+    enable = true;
+    fqdn = "pennyworth.yori.cc";
+    domains = [ "yori.cc" "yorickvanpelt.nl" ];
+    loginAccounts = {
+      "yorick@yori.cc" = {
+        hashedPassword = (import ../secrets.nix).yorick_mailPassword;
+        catchAll = domains;
+        aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
      };
    };
-    xmpp = {
-      enable = false;
-      vhost = "yori.cc";
-      admins = [ "yorick@yori.cc" ];
-    };
+    certificateScheme = 3;
+    enableImapSsl = true;
  };
-  services.nginx.virtualHosts."yori.cc" = {
-    enableACME = true;
-    forceSSL = true;
-    globalRedirect = "yorickvanpelt.nl";
-  };
-
-
-

  services.muflax-blog = {
    enable = true;
@ -50,41 +59,36 @@
      private_key = "/root/keys/http.muflax.key";
    };
  };
-  users.extraUsers.git = {
-    createHome = true;
-    home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;};
-  services.gitea = {
-    enable = true;
-    user = "git";
-    database.user = "root";
-    database.name = "gogs";
-    #dump.enable = true; TODO: backups
-    domain = "git.yori.cc";
-    rootUrl = "https://git.yori.cc/";
-    httpAddress = "localhost";
-    cookieSecure = true;
-    extraConfig = ''
-      [service]
-      REGISTER_EMAIL_CONFIRM = false
-      ENABLE_NOTIFY_MAIL = false
-      DISABLE_REGISTRATION = true
-      REQUIRE_SIGNIN_VIEW = false
-      [picture]
-      DISABLE_GRAVATAR = false
-      [mailer]
-      ENABLED = false
-      AVATAR_UPLOAD_PATH = ${config.services.gitea.stateDir}/data/avatars
+  services.nginx.commonHttpConfig = ''
+    access_log off; 
+  '';
+  services.nginx.virtualHosts = {
+    "yori.cc" = {
+      enableACME = true;
+      forceSSL = true;
+      globalRedirect = "yorickvanpelt.nl";
+    };
+    "grafana.yori.cc" = sslforward "http://${vpn.ips.frumar}:3000";
+    "ubiquiti.yori.cc" = sslforward "https://${vpn.ips.woodhouse}:8443";
+    "prometheus.yori.cc" = {
+      # only over vpn
+      listen = [ { addr = "10.209.0.1"; port = 80; } ];
+      locations."/".proxyPass = "http://10.209.0.3:9090";
+    };
+    "pub.yori.cc".locations."/muflax/".extraConfig = ''
+      rewrite ^/muflax/(.*)$ https://alt.muflax.church/$1 permanent;
    '';
  };
-  services.nginx.virtualHosts."git.yori.cc" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
-      extraConfig = ''
-        proxy_buffering off;
-      '';
-    };
-  };
  deployment.keyys = [ <yori-nix/keys/http.muflax.key> ];
+  networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
+  networking.wireguard.interfaces.wg-y.peers =
+    lib.mkForce (lib.mapAttrsToList (machine: publicKey: {
+      inherit publicKey;
+      allowedIPs = [ "${vpn.ips.${machine}}/32" ];
+    }) vpn.keys);
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+  environment.noXlibs = true;
+  users.users.yorick.packages = with pkgs; [
+    python2 sshfs-fuse weechat
+  ];
 }
--- a/logical/woodhouse.nix
+++ b/logical/woodhouse.nix
@ -1,6 +1,6 @@
 { config, pkgs, lib, ... }:
 let
-  secrets = import <secrets>;
+  #secrets = import <secrets>;
 mkFuseMount = device: opts: {
    # todo:  "ServerAliveCountMax=3" "ServerAliveInterval=30"

@ -16,24 +16,47 @@ in
  imports = [
    <yori-nix/physical/nuc.nix>
    <yori-nix/roles/graphical.nix>
+    #<yori-nix/roles/homeserver.nix>
  ];

-  system.stateVersion = "17.09";
+  # nixpkgs.overlays = [ (import (builtins.fetchTarball https://github.com/colemickens/nixpkgs-wayland/archive/master.tar.gz)) ];
+  # system.stateVersion = "17.09";

  # fuse mounts
  system.fsPackages = [ pkgs.sshfsFuse ];

-
+  # programs.sway = {
+  #   enable = true;
+  #   extraSessionCommands = ''
+  #     export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
+  #   '';
+  # };
  #fileSystems."/mnt/frumar" = mkFuseMount "yorick@${secrets.hostnames.frumar}:/data/yorick" [];
-  #fileSystems."/mnt/oxygen" = mkFuseMount "yorick@oxygen.obfusk.ch:" [];
-  #fileSystems."/mnt/nyamsas" = mkFuseMount "yorick@nyamsas.quezacotl.nl:" ["port=1337"];
+  hardware.bluetooth.enable = true;

  # kodi ports
-  networking.firewall.allowedTCPPorts = [7 8080 9090 9777];
+  networking.firewall.allowedTCPPorts = [7 8080 8443 9090 9777];
  users.users.tv = {
    isNormalUser = true;
    uid = 1043;
    extraGroups = [ "wheel" ];
    hashedPassword = "$6$hD4ESAGS8O1d$yctx6spOPZ0nt/6cgYpsWZ86UoXw3ISRpf2gbdhbl8JgDz6Psjx6JCqJ9NsMi5BHnXlgRRK/z2SVrTjHEsqQR.";
+    packages = with pkgs; [ plex-media-player ];
  };
+  services.xserver.windowManager.i3.enable = true;
+  networking.useNetworkd = true;
+  networking.dhcpcd.enable = false;
+  services.resolved.enable = true;
+  services.nscd.enable = false;
+  networking.interfaces.eno1.useDHCP = true;
+  networking.useDHCP = false;
+  #services.xserver.enable = lib.mkForce false;
+  # services.unifi = {
+  #   enable = true;
+  #   unifiPackage = pkgs.unifiStable;
+  # };
+  # todo: debug:
+  services.resolved.extraConfig = "MulticastDNS=true";
+  systemd.network.networks."40-eno1".networkConfig.MulticastDNS="yes";
+  services.fstrim.enable = true;
 }
--- a/modules/backup.nix
+++ b/modules/backup.nix
@ -1,59 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-cfg = config.services.backup;
-inherit (lib) mkEnableOption mkOption types mkIf
-flip mapAttrs' nameValuePair;
-in
-{
-
-  options.services.backup = {
-    enable = mkOption { type = types.bool; default = false; };
-    backups = mkOption {
-      type = types.loaOf types.optionSet;
-      options = {
-        dir = mkOption { type = types.str; };
-        remote = mkOption { type = types.str; };
-        keyfile = mkOption { type = types.str; };
-        keyid = mkOption { type = types.str; default = "root"; };
-        exclude = mkOption { type = types.str; default = ""; };
-        interval = mkOption { type = types.str; default = "weekly"; };
-      };
-    };
-  };
-  config = mkIf cfg.enable {
-    # TODO: generate key in pre-start?
-    systemd.services = let
-      sectionToService = name: data: with data; {
-        description = "Back up ${name}";
-        serviceConfig = {
-          IOSchedulingClass="idle";
-          #Type = "oneshot";
-        };
-        script = ''
-          source ${keyfile}
-          ${pkgs.duplicity}/bin/duplicity ${dir} ${remote} \
-            --ssl-cacert-file /etc/ssl/certs/ca-bundle.crt \
-            --encrypt-key ${keyid} \
-            --exclude-filelist ${pkgs.writeText "dupignore" exclude} \
-            --asynchronous-upload \
-            --volsize 100 \
-            --allow-source-mismatch
-        '';
-        after = ["network.target" "network-online.target"];
-        wants = ["network-online.target"];
-      };
-  in flip mapAttrs' cfg.backups (name: data: nameValuePair
-    ("backup-${name}")
-    (sectionToService name data));
-  systemd.timers = flip mapAttrs' cfg.backups (name: data: nameValuePair
-    ("backup-${name}")
-    ({
-      description = "Periodically backups ${name}";
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnCalendar = data.interval;
-        Unit = "backup-${name}.service";
-      };
-    }));
-  };
-}
--- a/modules/mailz.nix
+++ b/modules/mailz.nix
@ -1,287 +0,0 @@
-# https://github.com/valeriangalliat/nixos-mailz
-# manual actions:
-# run sa-update
-# configure DNS (dkim at /var/lib/dkim/*/default.txt)
-# mkdir /var/empty/.spamassassin
-# chown -R spamd /var/empty/.spamassassin
-# possibly unneeded:
-# chgrp -R vmail /var/spool/mail
-# chmod g+rwx /var/spool/mail
-# TODO: rspamd?
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.mailz;
-  
-  alldomains = lib.concatLists (mapAttrsToList (n: usr: usr.domains) cfg.users);
-
-  files = {
-    credentials = pkgs.writeText "credentials"
-      (concatStringsSep "\n"
-        (flip mapAttrsToList cfg.users
-          (user: options: "${user} ${options.password}")));
-
-    # dovecot2
-    users = pkgs.writeText "users"
-      (concatStringsSep "\n"
-        (flip mapAttrsToList cfg.users
-          (user: options: "${user}:${options.password}:::::")));
-
-    domains = pkgs.writeText "domains"
-      (concatStringsSep "\n" alldomains);
-
-    spamassassinSieve = pkgs.writeText "spamassassin.sieve" ''
-      require "fileinto";
-      if header :contains "X-Spam-Flag" "YES" {
-        fileinto "Spam";
-      }
-    '';
-
-  };
-
-
-in
-
-{
-  options = {
-    services.mailz = {
-      domain = mkOption {
-        default = cfg.networking.hostName;
-        type = types.str;
-        description = "Domain for this mail server.";
-      };
-
-      user = mkOption {
-        default = "vmail";
-        type = types.str;
-      };
-
-      group = mkOption {
-        default = "vmail";
-        type = types.str;
-      };
-
-      uid = mkOption {
-        default = 2000;
-        type = types.int;
-      };
-
-      gid = mkOption {
-        default = 2000;
-        type = types.int;
-      };
-
-      dkimDirectory = mkOption {
-        default = "/var/lib/dkim";
-        type = types.str;
-        description = "Where to store DKIM keys.";
-      };
-
-      dkimBits = mkOption {
-        type = types.int;
-        default = 2048;
-        description = "Size of the generated DKIM key.";
-      };
-
-      mainUser = mkOption {
-        example = "root";
-        type = types.str;
-      };
-
-      keydir = mkOption {
-        type = types.str;
-        description = "The place to look for the ssl key";
-        default = "${config.security.acme.directory}/${cfg.domain}";
-      };
-
-      users = mkOption {
-        default = { };
-        type = types.loaOf types.optionSet;
-        description = ''
-          Attribute set of users.
-        '';
-
-        options = {
-          password = mkOption {
-            type = types.str;
-            description = ''
-              The user password, generated with
-              <literal>smtpctl encrypt</literal>.
-            '';
-          };
-          domains = mkOption {
-            type = types.listOf types.str;
-            example = ["example.com"];
-          };
-
-        };
-
-        example = {
-          "foo" = {
-            password = "encrypted";
-          };
-          "bar" = {
-            password = "encrypted";
-          };
-        };
-      };
-    };
-  };
-
-  config = mkIf (cfg.users != { }) {
-    system.activationScripts.mailz = ''
-      # Make sure SpamAssassin database is present
-      #if ! [ -d /etc/spamassassin ]; then
-      #  cp -r ${pkgs.spamassassin}/share/spamassassin /etc
-      #fi
-
-      # Make sure a DKIM private key exist
-      if ! [ -d ${cfg.dkimDirectory} ]; then
-        mkdir -p ${cfg.dkimDirectory}
-        chmod 700 ${cfg.dkimDirectory}
-        chown ${config.services.rmilter.user} ${cfg.dkimDirectory}
-      fi
-      # Generate missing keys
-      '' +
-      (lib.concatMapStringsSep "\n" (domain: ''
-      if ! [ -e ${cfg.dkimDirectory}/${domain}.default.key ]; then
-        ${pkgs.opendkim}/bin/opendkim-genkey --bits ${toString cfg.dkimBits} --domain ${domain} --directory ${cfg.dkimDirectory} --selector default
-        mv ${cfg.dkimDirectory}/default.private ${cfg.dkimDirectory}/${domain}.default.key 
-        mv ${cfg.dkimDirectory}/default.txt ${cfg.dkimDirectory}/${domain}.default.txt
-        chown ${config.services.rmilter.user} ${cfg.dkimDirectory}/${domain}.default.*
-      fi
-      '') alldomains);
-    services.rspamd.enable = true;
-    services.rmilter = {
-      enable = true;
-      socketActivation = false;
-      #debug = true;
-      rspamd.enable = true;
-      postfix.enable = true;
-      extraConfig = ''
-        dkim {
-            domain {
-              key = ${cfg.dkimDirectory};
-              domain = "*";
-              selector = "default";
-            };
-            header_canon = relaxed;
-            body_canon = relaxed;
-            sign_alg = sha256;
-        };
-      '';
-    };
-
-    services.postfix = {
-      enable = true;
-      destination = alldomains ++ ["$myhostname" "localhost.$mydomain" "$mydomain" "localhost"];
-      sslCert = "${cfg.keydir}/fullchain.pem";
-      sslKey = "${cfg.keydir}/key.pem";
-      postmasterAlias = cfg.mainUser;
-      enableSubmission = true;
-      virtual = lib.concatStringsSep "\n" (lib.mapAttrsToList (name: usr:
-        lib.concatMapStringsSep "\n" (dom: "@${dom} ${name}") usr.domains) cfg.users);
-      extraConfig = ''
-        mailbox_transport = lmtp:unix:dovecot-lmtp
-      '';
-      submissionOptions = {
-        "smtpd_tls_security_level" = "encrypt";
-        "smtpd_sasl_auth_enable" = "yes";
-        "smtpd_sasl_type" = "dovecot";
-        "smtpd_sasl_path" = "/var/lib/postfix/auth";
-        "smtpd_client_restrictions" = "permit_sasl_authenticated,reject";
-        #"milter_macro_daemon_name" = "ORIGINATING";
-      };
-    };
-
-    services.dovecot2 = {
-      enable = true;
-      enablePop3 = false;
-      enableLmtp = true;
-      mailLocation = "maildir:/var/spool/mail/%n";
-      mailUser = cfg.user;
-      mailGroup = cfg.group;
-      modules = [ pkgs.dovecot_pigeonhole ];
-      sslServerCert = "${cfg.keydir}/fullchain.pem";
-      sslServerKey = "${cfg.keydir}/key.pem";
-      enablePAM = false;
-      sieveScripts = { before = files.spamassassinSieve; };
-      extraConfig = ''
-        postmaster_address = postmaster@${head alldomains}
-
-        service lmtp {
-          unix_listener /var/lib/postfix/queue/dovecot-lmtp {
-            mode = 0660
-            user = postfix
-            group = postfix        
-          }
-        }
-        service auth {
-          unix_listener /var/lib/postfix/auth {
-            mode = 0660
-            # Assuming the default Postfix user and group
-            user = postfix
-            group = postfix        
-          }
-        }
-
-        userdb {
-          driver = passwd-file
-          args = username_format=%n ${files.users}
-          default_fields = uid=${cfg.user} gid=${cfg.user} home=/var/spool/mail/%n
-        }
-
-        passdb {
-          driver = passwd-file
-          args = username_format=%n ${files.users}
-        }
-
-        namespace inbox {
-          inbox = yes
-
-          mailbox Sent {
-              auto = subscribe
-              special_use = \Sent
-          }
-
-          mailbox Drafts {
-              auto = subscribe
-              special_use = \Drafts
-          }
-
-          mailbox Spam {
-              auto = create
-              special_use = \Junk
-          }
-
-          mailbox Trash {
-              auto = subscribe
-              special_use = \Trash
-          }
-
-          mailbox Archive {
-              auto = subscribe
-              special_use = \Archive
-          }
-        }
-
-        protocol lmtp {
-          mail_plugins = $mail_plugins sieve
-        }
-      '';
-    };
-
-    users.extraUsers = optional (cfg.user == "vmail") {
-      uid = cfg.uid;
-      group = cfg.group;
-    };
-
-    users.extraGroups = optional (cfg.group == "vmail") {
-      gid = cfg.gid;
-    };
-
-    networking.firewall.allowedTCPPorts = [ 25 587 993 ];
-  };
-}
--- a/modules/nixos-in-place.nix
+++ b/modules/nixos-in-place.nix
@ -8,11 +8,11 @@ in
  options."nixos-in-place" = {
    enable = mkEnableOption "enable nixos-in-place FS";
    rootfs = mkOption {
-      type = types.string;
+      type = types.str;
      description = "device name for root fs";
    };
    swapfs = mkOption {
-      type = types.string;
+      type = types.str;
      description = "device name for root fs";
    };
  };
--- a/modules/tor-hidden-service.nix
+++ b/modules/tor-hidden-service.nix
@ -8,7 +8,7 @@ let
 in {
  options.services.tor.service-keys = mkOption {
    default = {};
-    type = with types; loaOf string;
+    type = with types; loaOf str;
  };

  config = mkIf (service-keys != {}) {
--- a/modules/victoriametrics.nix
+++ b/modules/victoriametrics.nix
@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+let cfg = config.services.victoriametrics; in
+{
+  options.services.victoriametrics = with lib; {
+    enable = mkEnableOption "victoriametrics";
+    package = mkOption {
+      type = types.package;
+      default = pkgs.victoriametrics;
+      defaultText = "pkgs.victoriametrics";
+      description = ''
+        The VictoriaMetrics distribution to use.
+      '';
+    };
+    http = mkOption {
+      default = ":8428";
+      type = types.str;
+      description = ''
+        The listen address for the http interface.
+      '';
+    };
+    retentionPeriod = mkOption {
+      type = types.int;
+      default = 1;
+      description = ''
+        Retention period in months.
+      '';
+    };
+    extraOptions = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      description = ''
+        Extra options to pass to VictoriaMetrics. See
+        the README or victoriametrics -help for more
+        information.
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    systemd.services.victoriametrics = {
+      description = "VictoriaMetrics time series database";
+      serviceConfig = {
+        StateDirectory = "victoriametrics";
+        DynamicUser = true;
+        ExecStart = "${cfg.package}/bin/victoria-metrics -storageDataPath=/var/lib/victoriametrics -httpListenAddr ${cfg.http} -retentionPeriod ${toString cfg.retentionPeriod} ${lib.concatStringsSep " " cfg.extraOptions}";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+  };
+}
--- a/nix/sources.json
+++ b/nix/sources.json
@ -0,0 +1,38 @@
+{
+    "niv": {
+        "branch": "master",
+        "description": "Easy dependency management for Nix projects",
+        "homepage": "https://github.com/nmattia/niv",
+        "owner": "nmattia",
+        "repo": "niv",
+        "rev": "c8f74f44b5f5df2c8f20a1834460d012e74d78f9",
+        "sha256": "0zmhxgl37f1p2aiqjmiccflpgga6phj6vmqs3jd33z0frj6hsy5c",
+        "type": "tarball",
+        "url": "https://github.com/nmattia/niv/archive/c8f74f44b5f5df2c8f20a1834460d012e74d78f9.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixos-hardware": {
+        "branch": "master",
+        "description": "A collection of NixOS modules covering hardware quirks.",
+        "homepage": "",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "89c4ddb0e60e5a643ab15f68b2f4ded43134f492",
+        "sha256": "1a0mplnj0zx33f4lm7kwg6z6iwgdkg2pxy58plkj6w59ibfl2l27",
+        "type": "tarball",
+        "url": "https://github.com/nixos/nixos-hardware/archive/89c4ddb0e60e5a643ab15f68b2f4ded43134f492.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixpkgs": {
+        "branch": "nixos-19.03",
+        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
+        "homepage": "https://github.com/NixOS/nixpkgs",
+        "owner": "NixOS",
+        "repo": "nixpkgs-channels",
+        "rev": "c8db7a8a16ee9d54103cade6e766509e1d1c8d7b",
+        "sha256": "1b3h4mwpi10blzpvgsc0191k4shaw3nw0qd2p82hygbr8vv4g9dv",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs-channels/archive/c8db7a8a16ee9d54103cade6e766509e1d1c8d7b.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    }
+}
--- a/nix/sources.nix
+++ b/nix/sources.nix
@ -0,0 +1,136 @@
+# This file has been generated by Niv.
+
+let
+
+  #
+  # The fetchers. fetch_<type> fetches specs of type <type>.
+  #
+
+  fetch_file = pkgs: spec:
+    if spec.builtin or true then
+      builtins_fetchurl { inherit (spec) url sha256; }
+    else
+      pkgs.fetchurl { inherit (spec) url sha256; };
+
+  fetch_tarball = pkgs: spec:
+    if spec.builtin or true then
+      builtins_fetchTarball { inherit (spec) url sha256; }
+    else
+      pkgs.fetchzip { inherit (spec) url sha256; };
+
+  fetch_git = spec:
+      builtins.fetchGit { url = spec.repo; inherit (spec) rev ref; };
+
+  fetch_builtin-tarball = spec:
+    builtins.trace
+      ''
+        WARNING:
+          The niv type "builtin-tarball" will soon be deprecated. You should
+          instead use `builtin = true`.
+
+          $ niv modify <package> -a type=tarball -a builtin=true
+      ''
+      builtins_fetchTarball { inherit (spec) url sha256; };
+
+  fetch_builtin-url = spec:
+    builtins.trace
+      ''
+        WARNING:
+          The niv type "builtin-url" will soon be deprecated. You should
+          instead use `builtin = true`.
+
+          $ niv modify <package> -a type=file -a builtin=true
+      ''
+      (builtins_fetchurl { inherit (spec) url sha256; });
+
+  #
+  # Various helpers
+  #
+
+  # The set of packages used when specs are fetched using non-builtins.
+  mkPkgs = sources:
+    if hasNixpkgsPath
+    then
+      if hasThisAsNixpkgsPath
+      then import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {}
+      else import <nixpkgs> {}
+    else
+      import (builtins_fetchTarball { inherit (mkNixpkgs sources) url sha256; }) {};
+
+  mkNixpkgs = sources:
+    if builtins.hasAttr "nixpkgs" sources
+    then sources.nixpkgs
+    else abort
+      ''
+        Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+        add a package called "nixpkgs" to your sources.json.
+      '';
+
+  hasNixpkgsPath = (builtins.tryEval <nixpkgs>).success;
+  hasThisAsNixpkgsPath =
+    (builtins.tryEval <nixpkgs>).success && <nixpkgs> == ./.;
+
+  # The actual fetching function.
+  fetch = pkgs: name: spec:
+
+    if ! builtins.hasAttr "type" spec then
+      abort "ERROR: niv spec ${name} does not have a 'type' attribute"
+    else if spec.type == "file" then fetch_file pkgs spec
+    else if spec.type == "tarball" then fetch_tarball pkgs spec
+    else if spec.type == "git" then fetch_git spec
+    else if spec.type == "builtin-tarball" then fetch_builtin-tarball spec
+    else if spec.type == "builtin-url" then fetch_builtin-url spec
+    else
+      abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
+
+  # Ports of functions for older nix versions
+
+  # a Nix version of mapAttrs if the built-in doesn't exist
+  mapAttrs = builtins.mapAttrs or (
+    f: set: with builtins;
+    listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
+  );
+
+  # fetchTarball version that is compatible between all the versions of Nix
+  builtins_fetchTarball = { url, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchTarball;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchTarball { inherit url; }
+      else
+        fetchTarball attrs;
+
+  # fetchurl version that is compatible between all the versions of Nix
+  builtins_fetchurl = { url, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchurl;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchurl { inherit url; }
+      else
+        fetchurl attrs;
+
+  # Create the final "sources" from the config
+  mkSources = config:
+    mapAttrs (
+      name: spec:
+        if builtins.hasAttr "outPath" spec
+        then abort
+          "The values in sources.json should not have an 'outPath' attribute"
+        else
+          spec // { outPath = fetch config.pkgs name spec; }
+    ) config.sources;
+
+  # The "config" used by the fetchers
+  mkConfig =
+    { sourcesFile ? ./sources.json
+    }: rec {
+      # The sources, i.e. the attribute set of spec name to spec
+      sources = builtins.fromJSON (builtins.readFile sourcesFile);
+      # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
+      pkgs = mkPkgs sources;
+    };
+in
+mkSources (mkConfig {}) //
+  { __functor = _: settings: mkSources (mkConfig settings); }
--- a/packages/default.nix
+++ b/packages/default.nix
@ -1,16 +1,3 @@
 [ (self: super: {
-  gogitget = super.callPackage ./gogitget.nix {};
-  shallot = super.callPackage ./shallot.nix {};
  yori-cc = super.callPackage ./yori-cc.nix {};
-  gitea = 
-    super.gitea.overrideDerivation (o: rec {
-      version = "1.4.1";
-      name = "gitea-${version}";
-      src = self.fetchFromGitHub {
-        owner = "go-gitea";
-        repo = "gitea";
-        rev = "v${version}";
-        sha256 = "1mid67c4021m7mi4ablx1w5v43831gzn8xpg8n30a4zmr70781wm";
-      };
-    });
 })]
--- a/packages/firmware_qca6174.nix
+++ b/packages/firmware_qca6174.nix
@ -1,14 +0,0 @@
-{ stdenv, fetchurl  }:
-stdenv.mkDerivation rec {
-  target = "QCA6174";
-  branch = "4.4.1.c1";
-  version = "${branch}-00042";
-  name = "${target}-firmware-${version}";
-  src = fetchurl {
-    url = "https://github.com/kvalo/ath10k-firmware/raw/master/${target}/hw3.0/${branch}/firmware-6.bin_RM.${version}-QCARMSWP-1";
-    sha256 = "01vvz3qhqw5l3yilcqgk1spk4y9k4qy7na7a57cbl037r231szdh";
-  };
-  buildCommand = ''
-    install -D $src $out/lib/firmware/ath10k/${target}/hw3.0/firmware-6.bin
-  '';
-}
--- a/packages/gogitget.nix
+++ b/packages/gogitget.nix
@ -1,20 +0,0 @@
-# this is the secure fetchgit, but it actually works
-{ fetchgit, writeScript, openssh, stdenv }: args: derivation ((fetchgit args).drvAttrs // {
-  SSH_AUTH_SOCK = if (builtins.tryEval <ssh-auth-sock>).success
-    then builtins.toString <ssh-auth-sock>
-    else null;
-  GIT_SSH = writeScript "fetchgit-ssh" ''
-    #! ${stdenv.shell}
-    TEMP_ID=$(mktemp)
-    cp ${let
-      sshIdFile = if (builtins.tryEval <ssh-id-file>).success
-        then <ssh-id-file>
-        else builtins.trace ''
-          That didn't work.
-        '' "/var/lib/empty/config";
-    in builtins.toString sshIdFile} $TEMP_ID
-    chown `whoami` $TEMP_ID
-    chmod 400 $TEMP_ID
-    exec -a ssh ${openssh}/bin/ssh -F /dev/null -i $TEMP_ID -o StrictHostKeyChecking=no "$@"
-  '';
-})
--- a/packages/shallot.nix
+++ b/packages/shallot.nix
@ -1,24 +0,0 @@
-with import <nixpkgs> {};
-
-stdenv.mkDerivation {
-  name = "shallot-0.0.3-alpha";
-
-  src = fetchFromGitHub {
-    rev = "831de01b13b309933d32efe8388444ef6a831cfb";
-    owner = "katmagic";
-    repo = "Shallot";
-    sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r";
-  };
-
-  buildInputs = [openssl];
-
-  buildPhase = ''
-    ./configure
-    make
-  '';
-
-  installPhase = ''
-    mkdir -p $out/bin
-    mv shallot $out/bin
-  '';
-}
--- a/packages/yori-cc.nix
+++ b/packages/yori-cc.nix
@ -1,14 +1,11 @@
 { stdenv, callPackage }:

-let gogitget = callPackage ./gogitget.nix {}; in
-
 stdenv.mkDerivation {
-  name = "yori-cc-1.3.5";
+  name = "yori-cc-1.5";
  
-  src = gogitget {
-    "url" = "git@git.yori.cc:yorick/yori-cc.git";
-    "rev" = "f049e4330dfb64bbbaf700897269c003fce8b5c4";
-    "sha256" = "1x8knlsp7cx52sr15gr0yhj1vl8ncznrqn4nvaycgwmhr1kysffr";
+  src = builtins.fetchGit {
+    url = "git@git.yori.cc:yorick/yori-cc.git";
+    rev = "68c75ab84cceaf98dd8fd0646b97d73f966b8962";
  };
  
  buildInputs = [ ];
--- a/physical/3950x-hardware-config.nix
+++ b/physical/3950x-hardware-config.nix
@ -0,0 +1,38 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/root/nixos";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/5D0A-7902";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/61a23e27-2cd4-4456-bcde-aec68be04239"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 32;
+  # High-DPI console
+  #i18n.consoleFont = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+}
--- a/physical/3950x.nix
+++ b/physical/3950x.nix
@ -0,0 +1,22 @@
+{ config, pkgs, lib, ... }:
+let sources = import ../nix/sources.nix; 
+in
+{
+  imports =
+    [ ./.
+      ./3950x-hardware-config.nix
+      "${sources.nixos-hardware}/common/cpu/amd"
+    ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.kernelModules = [ "nct6775" ];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  networking.hostId = "c7736638";
+  services.zfs.autoScrub.enable = true;
+  services.zfs.trim.enable = true;
+
+  networking.useDHCP = false;
+  networking.interfaces.enp9s0.useDHCP = true;
+}
--- a/physical/apu2c4.nix
+++ b/physical/apu2c4.nix
@ -0,0 +1,22 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ehci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/1396f814-6cc2-4988-992a-3558fa1ac5a2";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/5f8f358d-f63c-48ad-a322-d1aeb403e4ff"; }
+    ];
+
+  nix.maxJobs = lib.mkDefault 4;
+}
--- a/physical/default.nix
+++ b/physical/default.nix
@ -1,44 +1,3 @@
-{ config, lib, pkgs, ... }:
-let cfg = config.hardware.yorick; in
-with lib;
 {
-  options.hardware.yorick = {
-    cpu = mkOption {
-      type = types.nullOr (types.enum ["intel" "virtual"]);
-    };
-    gpu = mkOption {
-      type = types.nullOr (types.enum ["intel" "nvidia"]);
-      default = null;
-    };
-    laptop = mkEnableOption "laptop settings";
-  };
-  config = mkMerge [
-    (mkIf (cfg.gpu == "intel") {
-      # https://wiki.archlinux.org/index.php/Dell_XPS_13_(9360)#Module-based_Powersaving_Options
-      boot.kernelParams = ["i915.enable_fbc=1" "i915.enable_guc_loading=1" "i915.enable_guc_submission=1" "i915.enable_huc=1" "i915.enable_psr=2"];
-      # now we wait until enable_psr=1 is fixed
-      services.xserver.videoDrivers = ["modesetting"];
-      hardware.opengl.extraPackages = [ pkgs.vaapiIntel ];
-    })
-    (mkIf (cfg.gpu == "nvidia") {
-      boot.kernelModules = ["nvidiabl"];
-      services.xserver.videoDrivers = ["nvidia"];
-      boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl];
-    })
-    (mkIf (cfg.cpu == "intel") {
-      hardware.cpu.intel.updateMicrocode = true;
-      boot.kernelModules = ["kvm-intel"];
-    })
-    (mkIf (cfg.laptop) {
-      services.xserver.libinput.enable = true;
-      
-      networking.wireless.enable = true;
-      hardware.bluetooth.enable = true;
-      # gotta go faster
-      networking.dhcpcd.extraConfig = ''
-        noarp
-      '';
-      services.thermald.enable = true;
-    })
-  ];
+  hardware.enableRedistributableFirmware = true;
 }
--- a/physical/fractal.nix
+++ b/physical/fractal.nix
@ -1,22 +1,21 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
-
+let sources = import ../nix/sources.nix;
+in
 {
  imports =
-    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
-      <yori-nix/physical>
+    [ ./.
+      "${sources.nixos-hardware}/common/cpu/intel"
    ];

  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
-  hardware.yorick.cpu = "intel";

  # Use the GRUB 2 boot loader.
-  boot.loader.grub.enable = true;
-  boot.loader.grub.version = 2;
-  # Define on which hard drive you want to install Grub.
-  boot.loader.grub.device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B";
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    # Define on which hard drive you want to install Grub.
+    device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_250GB_S21PNXAG441016B";
+  };


  fileSystems."/" =
@ -28,6 +27,16 @@
  swapDevices =
    [ { device = "/dev/disk/by-label/nixos-swap"; }
    ];
+  fileSystems."/data" =
+    { device = "frumar-new";
+      fsType = "zfs";
+    };
+
+  fileSystems."/data/plexmedia" =
+    { device = "frumar-new/plexmedia";
+      fsType = "zfs";
+    };

  nix.maxJobs = 4;
+  services.avahi.interfaces = [ "enp2s0" ];
 }
--- a/physical/hetznercloud.nix
+++ b/physical/hetznercloud.nix
@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+let
+  ipconf = (import ../secrets.nix).ipconf.${config.networking.hostName};
+in
+{
+  imports =
+    # todo: impure:
+    [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
+    ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    device = "/dev/sda";
+  };
+
+  fileSystems."/" =
+    { device = "/dev/sda1";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 1;
+  #services.nscd.enable = false;
+  networking.dhcpcd.enable = false;
+  systemd.network.enable = true;
+  systemd.network.networks."40-hetzner" = {
+    DHCP = "ipv4";
+    address = [ ipconf.mainIPv6 ];
+    gateway = [ "fe80::1" ];
+    matchConfig.Name = "ens3";
+  };
+  services.fstrim.enable = true;
+}
--- a/physical/hp8570w.nix
+++ b/physical/hp8570w.nix
@ -7,7 +7,7 @@
    ./hp8570w/powerdown.nix
  ];

-  hardware.yorick = { cpu = "intel"; gpu = "nvidia"; laptop = true; };
+  hardware.yorick = { cpu = "intel"; gpu = "nvidia"; };

  boot = {
    loader.grub = {
@ -48,4 +48,16 @@

  #services.tcsd.enable = true; # it has a TPM. maybe use this?
  #environment.systemPackages = with pkgs; [tpm-tools];
+  services.xserver.libinput.enable = true;
+  
+  networking.wireless.enable = true;
+  hardware.bluetooth.enable = true;
+  # gotta go faster
+  networking.dhcpcd.extraConfig = ''
+    noarp
+  '';
+  services.thermald.enable = true;
+  boot.kernelModules = ["nvidiabl"];
+  services.xserver.videoDrivers = ["nvidia"];
+  boot.extraModulePackages = [config.boot.kernelPackages.nvidiabl];
 }
--- a/physical/kassala.nix
+++ b/physical/kassala.nix
@ -1,50 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  ipconf = (import <secrets>).ipconf.${config.networking.hostName};
-in
-{
-  imports = [ ../modules/nixos-in-place.nix <yori-nix/physical> ];
-  "nixos-in-place" = {
-    enable = true;
-    rootfs = "/dev/disk/by-uuid/7165e542-0995-474c-a228-9592339e0604";
-    swapfs = "/dev/disk/by-uuid/baaf824a-bee0-4037-a237-3a69f1db7985";
-  };
-  # fs layout:
-  # before: /nixos/nix/* /boot/grub/menu.lst
-  # after:  /nix/* /old-root/boot/grub/menu.lst
-  boot = {
-    kernelPackages = pkgs.linuxPackages_latest;
-    blacklistedKernelModules = ["coretemp"];
-    # use grub 1, don't install
-    loader.grub = {
-      version = 1;
-      extraPerEntryConfig = "root (hd0,0)"; # do we need this?
-      mirroredBoots = [{
-        path = "/old-root/boot";
-        devices = ["nodev"];
-      }];
-      splashImage = null;
-    };
-    initrd.availableKernelModules = [ "xen_blkfront" ];
-  };
-  sound.enable = false;
-  networking = {
-    usePredictableInterfaceNames = false; # only eth0
-    interfaces.eth0 = {
-      useDHCP = false;
-      inherit (ipconf) ipv4 ipv6;
-    };
-    inherit (ipconf) nameservers;
-    # ideally, it should add a route for this automatically
-    #defaultGateway  = ipconf.gateway4;
-    #defaultGateway6 = ipconf.gateway6;
-  };
-  systemd.services."network-setup".postStart = with ipconf; ''
-    ip route add ${gateway4} dev eth0 || true
-    ip route add default via ${gateway4} || true
-    ip -6 route add ${gateway6} dev eth0 || true
-    ip -6 route add default via ${gateway6} || true
-  '';
-  nix.maxJobs = lib.mkDefault 2;
-  hardware.yorick.cpu = "virtual";
-}
--- a/physical/nixos-hardware.nix
+++ b/physical/nixos-hardware.nix
@ -1,4 +0,0 @@
-builtins.fetchTarball {
-  url = "https://github.com/NixOS/nixos-hardware/archive/d534770be7f699b3332ef09bd043745a38d115ad.tar.gz";
-  sha256 = "0h4xzs0bp0v01rzqm023ia2rgmcxv32jdiinp7ylxxh384vf5h0h";
-}
--- a/physical/nuc.nix
+++ b/physical/nuc.nix
@ -1,40 +1,41 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
-
+let sources = import ../nix/sources.nix; 
+in
 {
+
  imports =
    [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
    <yori-nix/physical>
+    "${sources.nixos-hardware}/common/cpu/intel"
    ];
-
-  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-  hardware.yorick = { cpu = "intel"; gpu = "intel"; };
-
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;


+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/fa5026b1-0f73-4233-a417-780c65f3f038";
-      fsType = "btrfs";
-      options = ["defaults" "relatime" "discard"];
+    { device = "/dev/disk/by-uuid/3e148654-0ed8-4354-8159-e3499c6fa299";
+      fsType = "ext4";
    };

  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/729B-0F6C";
+    { device = "/dev/disk/by-uuid/439E-26EA";
      fsType = "vfat";
    };

-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/086b6aaa-a737-4747-91d6-b4923bf14858"; }
-    ];
+  swapDevices = [ ];

  nix.maxJobs = lib.mkDefault 4;
-  services.xserver.videoDrivers = ["intel"];
-  networking.wireless.enable = true;
-  environment.systemPackages = with pkgs; [
-    btrfs-progs
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+  hardware.opengl.extraPackages = with pkgs; [
+    intel-media-driver # only available starting nixos-19.03 or the current nixos-unstable
  ];
 }
--- a/physical/xps9360-hardware-config.nix
+++ b/physical/xps9360-hardware-config.nix
@ -22,7 +22,7 @@
    };

  swapDevices =
-    [ { device = "/dev/disk/by-uuid/d9c4c15b-0e9c-47f6-8675-93b1b8de5f9d"; }
+    [ { device = "/dev/disk/by-uuid/198ddaba-a849-41de-993d-862c2d37937a"; }
    ];

  nix.maxJobs = lib.mkDefault 4;
--- a/physical/xps9360.nix
+++ b/physical/xps9360.nix
@ -1,26 +1,43 @@
 { config, lib, pkgs, ... }:
+let sources = import ../nix/sources.nix;
+in
 {
  imports = [
-    "${import ./nixos-hardware.nix}/dell/xps/13-9360"
+    "${sources.nixos-hardware}/dell/xps/13-9360"
    ./xps9360-hardware-config.nix
  ];

  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = [ "i915.enable_psr=0" ];
+  boot.kernelModules = [ "i8k" ];
+  boot.extraModprobeConfig = ''
+    options i8k ignore_dmi=1
+  '';
  fileSystems."/".options = ["defaults" "relatime" "discard"];

  boot.initrd.luks.devices."nix-crypt".allowDiscards = true;

-  # intel huc, guc. qca6174 (older firmware)
-  hardware.enableRedistributableFirmware = true;
-
-  # hardware is thermal-limited
-  services.thermald.enable = lib.mkDefault true;
+  services.undervolt = rec {
+    enable = true;
+    coreOffset = "-50";
+    gpuOffset = "-50";
+    uncoreOffset = "-50";
+    analogioOffset = "-50";
+  };
+  services.tlp.extraConfig = ''
+    CPU_SCALING_GOVERNOR_ON_AC=performance
+    CPU_SCALING_GOVERNOR_ON_BAT=powersave
+  '';

  services.xserver.libinput.enable = true;

-  networking.wireless.enable = true;
+  networking.wireless = {
+    enable = false;
+    iwd.enable = true;
+  };
  hardware.bluetooth.enable = true;
+
+  services.udev.packages = [ pkgs.crda ];
+  hardware.firmware = [ pkgs.wireless-regdb ];
  # gotta go faster
  networking.dhcpcd.extraConfig = ''
    noarp
--- a/roles/default.nix
+++ b/roles/default.nix
@ -1,39 +1,41 @@
-let secrets = import <secrets>;
+let secrets = import ../secrets.nix;
 in
-{ config, pkgs, lib, ...}:
+{ config, pkgs, lib, name, ...}:
 let
-  machine = lib.removeSuffix ".nix" (builtins.baseNameOf <nixos-config>);
+  machine = name;
+  vpn = import ../vpn.nix;
 in
 {
 	imports = [
    ../modules/tor-hidden-service.nix
    ../modules/nginx.nix
-    <yori-nix/deploy/keys.nix>
-    <yori-nix/services>
+    ../deploy/keys.nix
+    ../services
  ];
  networking.hostName = secrets.hostnames.${machine};
 	time.timeZone = "Europe/Amsterdam";
 	users.mutableUsers = false;
-	users.extraUsers.root = {
-		openssh.authorizedKeys.keys = config.users.extraUsers.yorick.openssh.authorizedKeys.keys;
+	users.users.root = {
+		openssh.authorizedKeys.keys = config.users.users.yorick.openssh.authorizedKeys.keys;
    # root password is useful from console, ssh has password logins disabled
    hashedPassword = secrets.pennyworth_hashedPassword; # TODO: generate own

 	};
  services.timesyncd.enable = true;
-	users.extraUsers.yorick = {
+	users.users.yorick = {
 	  isNormalUser = true;
 	  uid = 1000;
 	  extraGroups = ["wheel"];
 	  group = "users";
-	  openssh.authorizedKeys.keys = with (import ../sshkeys.nix); [yorick];
+	  openssh.authorizedKeys.keys = with (import ../sshkeys.nix); yorick;
+    hashedPassword = secrets.yorick_hashedPassword;
 	};

  # Nix
  nixpkgs.config.allowUnfree = true;
  nixpkgs.overlays = import ../packages;

-  nix.buildCores = config.nix.maxJobs;
+  #nix.buildCores = config.nix.maxJobs;

  # Networking
  networking.enableIPv6 = true;
@ -47,17 +49,17 @@ in

  environment.systemPackages = with pkgs; [
    # v important.
-    cowsay ponysay
+    cowsay #ponysay
    ed # ed, man!
    sl
    rlwrap

-    vim
+    #vim

    # system stuff
    ethtool inetutils
    pciutils usbutils
-    iotop powertop htop
+    /*iotop*/ powertop htop
    psmisc lsof
    smartmontools hdparm
    lm_sensors
@ -73,19 +75,40 @@ in
    
    # archiving
    xdelta
+    libarchive
    atool
-    unrar p7zip
-    unzip zip

    # network
    nmap mtr bind
    socat netcat-openbsd
    lftp wget rsync

-    git
-    rxvt_unicode.terminfo
+    #gitMinimal
+    #rxvt_unicode.terminfo
  ];
  nix.gc.automatic = true;

-}
+  services.avahi = {
+    ipv6 = true;
+    hostName = machine;
+  };
+  deployment.keyys = [ (<yori-nix/keys>+"/wg.${machine}.key") ];
+  networking.wireguard.interfaces.wg-y = {
+    privateKeyFile = "/root/keys/wg.${machine}.key";
+    ips = [ vpn.ips.${machine} ];
+    listenPort = 31790;
+    peers = [ {
+      publicKey = vpn.keys.pennyworth;
+      endpoint = "pennyworth.yori.cc:31790";
+      allowedIPs = [ "10.209.0.0/24" ];
+      persistentKeepalive = 30;
+    }];
+    postSetup = "ip link set dev wg-y mtu 1371";
+  };
+  security.acme.email = "acme@yori.cc";
+  security.acme.acceptTerms = true;
+  nix.binaryCachePublicKeys =
+    [ "yorick:Pmd0gyrTvVdzpQyb/raHJKdoOag8RLaj434qBgMm4I0=" ];

+  nix.trustedUsers = ["@wheel"];
+}
--- a/roles/graphical.nix
+++ b/roles/graphical.nix
@ -1,27 +1,12 @@
 let secrets = import <secrets>;
-in
-{ config, lib, pkgs, ... }:
-{
-  imports = [ <yori-nix/roles> ];
+in { config, lib, pkgs, ... }: {
+  imports = [ ./. ];
  options.yorick.support32bit = with lib;
-    mkOption { type = types.bool; default = false; };
+    mkOption {
+      type = types.bool;
+      default = false;
+    };
  config = {
-  # Enable the X11 windowing system.
-  services.xserver = {
-    enable = true;
-    libinput = {
-      naturalScrolling = true;
-      tappingDragLock = false;
-    };
-    layout = "us";
-    xkbOptions = "caps:escape";
-    displayManager.slim.defaultUser = "yorick";
-    # xkbOptions = "eurosign:e";
-    windowManager.i3 = {
-      enable = true;
-      package = pkgs.i3-gaps;
-    };
-  };
    hardware.opengl = {
      enable = true;
      driSupport32Bit = config.yorick.support32bit;
@ -31,30 +16,37 @@ in
      enable = true;
      support32Bit = config.yorick.support32bit;
    };
-  users.extraUsers.yorick.extraGroups = ["video"];
+    users.users.yorick.extraGroups = [ "video" ];
    # fix backlight permissions
-  services.udev.extraRules = ''
-    ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
-    ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
-  '';
+    services.udev.extraRules = ''
+      ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness"
+      ACTION=="add", SUBSYSTEM=="backlight", RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
+    '';

-  fonts = {
-    enableFontDir = true;
-    enableGhostscriptFonts = true;
-    fonts = with pkgs; [
-      corefonts  # Micrsoft free fonts
-      inconsolata  # monospaced
-      source-code-pro
-      ubuntu_font_family  # Ubuntu fonts
-      source-han-sans-japanese
-      iosevka
-    ];
+    fonts = {
+      enableFontDir = true;
+      enableGhostscriptFonts = true;
+      fonts = with pkgs; [
+        corefonts # Micrsoft free fonts
+        inconsolata # monospaced
+        source-code-pro
+        ubuntu_font_family # Ubuntu fonts
+        source-han-sans-japanese
+        iosevka
+        font-awesome
+      ];
+    };
+    # spotify
+    networking.firewall.allowedTCPPorts = [ 55025 57621 ];
+    networking.firewall.allowedUDPPorts = [ 55025 57621 ];
+
+    services.openssh.forwardX11 = true;
+
+    programs.sway = {
+      enable = true;
+      extraSessionCommands = ''
+        export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:${lib.makeLibraryPath (with pkgs; [ libxkbcommon libglvnd wayland ])}
+      '';
+    };
  };
-  # spotify
-  networking.firewall.allowedTCPPorts = [55025 57621];
-  networking.firewall.allowedUDPPorts = [55025 57621];
-
-  users.extraUsers.yorick.hashedPassword = secrets.yorick_hashedPassword;
-  services.openssh.forwardX11 = true;
-};
 }
--- a/roles/homeserver.nix
+++ b/roles/homeserver.nix
@ -0,0 +1,17 @@
+{lib, ...}: {
+  users.users.lars = {
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCbieYUtRGQ4nf4glQvrZDn72doP6W2uw2z9VqFq5sZLROXYa4jW8nwx4h+BiArGs+VPwn6lfsP19PX6yNIk74C/SkO26S1Zvbe7ffNusi6PH2BQIOWeAYKk+eZH+ZOeD8z07uDB7QffwRLwzSaPFg+zfRzsMFoXH/GE9qOQ4lnfk8czTZL7zbZf/yS7mDFztClXFciYsVwgRXNiFpfc+9mOkU0oBWtGo/WGUhB0Hds3a4ylyjjVAcC/l1H2bvc/Q3d6bbn23pUFl2V78Yg1B4b1MT34qbBV6whXAQd7KM9tND2ZhpF2XQ7Spi1QlOac0jup+sE+3bbvcjNqTI05DwJO/dX5F2gSAFkvSY4ZPqSX5ilE/hj4DQuhRgLmQdbVl5IFV9aLYqUvJcCqX9jRFMly4YTFXsFz18rGkxOYGZabcE1usBM2zRVDTtEP6Si5ii76Ocvp8aNFBB2Kf1whg8tziTv3kQEQ9fd2sRtE2J3xveJiwXjUBU2uikSOKe8JP47Tb6PYlv7Ty/6OI51aUQn++R72VNajdBJ1r1osp7leqTJ+sXuLlWLo/a7lDpDmgEI7dbxqmpjLcMce0JzqLKlP1Q2U/nkYy86xkjSTH1rNUI2JAbJx3iTcGy7bq12yfjNfcGAqY4GVXvisK1cpbF0RCjaFExwtmzorljHh6ZHjQ=="
+    ];
+  };
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+    publish = {
+      enable = true;
+      addresses = true;
+    };
+  };
+  networking.firewall.logRefusedConnections = lib.mkForce true;
+}
--- a/roles/server.nix
+++ b/roles/server.nix
@ -1,10 +1,11 @@
 {
-  imports = [ <yori-nix/roles> ];
+  imports = [ ./. ];
  
-  services.nixosManual.enable = false;
+  documentation.nixos.enable = false;
  services.sshguard.enable = true;
+  programs.mosh.enable = true;

  environment.noXlibs = true;
-  networking.firewall.logRefusedConnections = false;    # Silence logging of scanners and knockers
+  networking.firewall.logRefusedConnections = false; # Silence logging of scanners and knockers

 }
--- a/roles/workstation.nix
+++ b/roles/workstation.nix
@ -1,39 +1,45 @@
 { config, lib, pkgs, ... }:
+let
+  nixNetrcFile = pkgs.runCommand "nix-netrc-file"
+{ hostname = "cache.lumi.guide";
+  username = "lumi";
+} ''
+  cat > $out <<EOI
+  machine $hostname
+  login $username
+  password ${builtins.readFile /home/yorick/engineering/lumi/secrets/shared/passwords/nix-serve-password}
+  EOI
+'';
+in
 {
  imports = [
-    <yori-nix/roles/graphical.nix>
+    ./graphical.nix
  ];
-  users.extraUsers.yorick.extraGroups = [ "input" "wireshark" ];
+  users.extraUsers.yorick.extraGroups = [ "input" "wireshark" "dialout" ];
  services.printing = {
    enable = true;
    drivers = [ pkgs.gutenprint ];
  };
-  environment.systemPackages = [pkgs.ghostscript pkgs.yubikey-manager];
-  #services.xserver.displayManager.sessionCommands = ''
-  #  gpg-connect-agent /bye
-  #  unset SSH_AGENT_PID
-  #  export SSH_AUTH_SOCK="''${XDG_RUNTIME_DIR}/gnupg/S.gpg-agent.ssh"
-  #'';
-  virtualisation.virtualbox.host.enable = true;
+  environment.systemPackages = with pkgs; [
+    pkgs.ghostscript pkgs.yubikey-manager
+  ];
+  virtualisation.virtualbox.host.enable = false;
  yorick.support32bit = true;
  # yubikey
  hardware.u2f.enable = true;
  services.pcscd.enable = true;
-  sound.enable = true;
  #environment.systemPackages = [pkgs.yubikey-manager];
  fonts.fonts = [ pkgs.emojione ];
  # bluetooth headphones
  hardware.pulseaudio.package = pkgs.pulseaudioFull;
-  # japanese typing
-  i18n.inputMethod = {
-    enabled = "fcitx";
-    fcitx.engines = with pkgs.fcitx-engines; [ mozc ];
-  };
  programs.wireshark.enable = true;
  nix = {
    gc.automatic = pkgs.lib.mkOverride 30 false;
    binaryCaches = [
      "https://cache.nixos.org"
+      "https://cache.lumi.guide/"
+      "s3://yorick-cache?endpoint=s3.eu-central-1.wasabisys.com&profile=wasabi-private"
+      #"https://nixpkgs-wayland.cachix.org"
    ];
    trustedBinaryCaches = config.nix.binaryCaches ++ [
      "ssh://yorick@jupiter.serokell.io"
@ -45,7 +51,20 @@
      "serokell-1:aIojg2Vxgv7MkzPJoftOO/I8HKX622sT+c0fjnZBLj0="
      "cache.lumi.guide-1:z813xH+DDlh+wvloqEiihGvZqLXFmN7zmyF8wR47BHE="
      "serokell.cachix.org-1:5DscEJD6c1dD1Mc/phTIbs13+iW22AVbx0HqiSb+Lq8="
-      "disciplina.cachix.org-1:zDeIFV5cu22v04EUuRITz/rYxpBCGKY82x0mIyEYjxE="
+      "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
    ];
+    extraOptions = ''
+      netrc-file = ${nixNetrcFile}
+    '';
  };
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+  };
+  virtualisation.libvirtd.enable = true;
+  users.users.yorick.extraGroups = [ "libvirtd" ];
+  users.users.yorick.shell = pkgs.fish;
+  services.udev.extraRules = ''
+    SUBSYSTEM=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5bf0", MODE="0664", GROUP="dialout"
+  '';
 }
--- a/secrets.nix
+++ b/secrets.nix
--- a/servers.json
+++ b/servers.json
@ -1,22 +0,0 @@
-{
-    "pennyworth": {
-        "pkgs": "stable",
-        "host": "pennyworth.yori.cc"
-    },
-    "jarvis": {
-        "pkgs": "channel",
-        "host": "jarvis.home.yori.cc"
-    },
-    "ascanius": {
-        "pkgs": "channel",
-        "host": "ascanius.home.yori.cc"
-    },
-    "woodhouse": {
-        "pkgs": "channel",
-        "host": "woodhouse.home.yori.cc"
-    },
-    "frumar": {
-        "pkgs": "channel",
-        "host": "frumar.yori.cc"
-    }
-}
--- a/servers.nix
+++ b/servers.nix
@ -0,0 +1,24 @@
+let
+  lib = import <nixpkgs/lib>;
+  n = url: conf: let
+    c = import "${url}/nixos/lib/eval-config.nix" {
+      modules = [ ./roles conf ];
+      extraArgs.name = lib.removeSuffix ".nix" (builtins.baseNameOf conf);
+      extraArgs.nixpkgs = url;
+    };
+  in c.config.system.build // c;
+  git = n "https://github.com/NixOS/nixpkgs/archive/master.tar.gz";
+  stable = n (builtins.fetchTarball "channel:nixos-20.03");
+  unstable = n (builtins.fetchTarball "channel:nixos-unstable-small");
+  checkout = n ../projects/nixpkgs;
+  channel = n "/nix/var/nix/profiles/per-user/root/channels/nixos";
+in
+{
+  pennyworth = (unstable ./logical/pennyworth.nix).toplevel;
+  jarvis     = (channel ./logical/jarvis.nix).toplevel;
+  blackadder = (channel ./logical/blackadder.nix).toplevel;
+  ascanius   = (channel ./logical/ascanius.nix).toplevel;
+  woodhouse  = (channel ./logical/woodhouse.nix).toplevel; # 192.168.178.39
+  frumar     = (channel ./logical/frumar.nix).toplevel; # frumar.local
+  zazu       = (stable ./logical/zazu.nix).toplevel;
+}
--- a/services/default.nix
+++ b/services/default.nix
@ -1,10 +1,8 @@
 {
  imports = [
-    ./gogs.nix
-    ./mail.nix
+    ./git.nix
+    ./muflax-church.nix
    ./pub.nix
-    ./quassel.nix
    ./website.nix
-    ./xmpp.nix
  ];
 }
--- a/services/git.nix
+++ b/services/git.nix
@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.yorick.git;
+  inherit (cfg) vhost;
+in
+{
+  options.services.yorick.git = with lib; {
+    enable = mkEnableOption "git";
+    vhost = mkOption { type = types.str; };
+  };
+  config = lib.mkIf cfg.enable {
+    users.extraUsers.git = {
+      createHome = true;
+      home = config.services.gitea.stateDir; extraGroups = [ "git" ]; useDefaultShell = true;
+    };
+    services.gitea = {
+      enable = true;
+      user = "git";
+      database.user = "root";
+      database.name = "gogs";
+      database.createDatabase = false;
+      #dump.enable = true; TODO: backups
+      domain = cfg.vhost;
+      rootUrl = "https://${cfg.vhost}/";
+      httpAddress = "localhost";
+      cookieSecure = true;
+      log.level = "Warn";
+      disableRegistration = true;
+      settings.service = {
+        REGISTER_EMAIL_CONFIRM = false;
+        ENABLE_NOTIFY_MAIL = false;
+        REQUIRE_SIGNIN_VIEW = false;
+      };
+      settings.picture.DISABLE_GRAVATAR = false;
+      settings.mailer = {
+        ENABLED = false;
+        AVATAR_UPLOAD_PATH = "${config.services.gitea.stateDir}/data/avatars";
+      };
+    };
+    services.nginx.virtualHosts.${vhost} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString config.services.gitea.httpPort}";
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+      };
+    };
+  };
+}
--- a/services/gogs.nix
+++ b/services/gogs.nix
@ -5,9 +5,9 @@ in
 {
  options.services.yorick.gogs = with lib; {
    enable = mkEnableOption "gogs";
-    dir = mkOption { type = types.string; default = "/var/gogs"; };
+    dir = mkOption { type = types.str; default = "/var/gogs"; };
    port = mkOption { type = types.int; default = 8001; };
-    vhost = mkOption { type = types.string; };
+    vhost = mkOption { type = types.str; };
  };
  config = lib.mkIf cfg.enable {
    
--- a/services/mail.nix
+++ b/services/mail.nix
@ -1,38 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-cfg = config.services.yorick.mail;
-in
-{
-  imports = [
-    ../modules/mailz.nix
-    ../modules/backup.nix
-  ];
-  options.services.yorick.mail = with lib; {
-    enable = mkEnableOption "mail service";
-    mainUser = mkOption { type = types.string; };
-    users = mkOption {};
-  };
-  config = lib.mkIf cfg.enable {
-    # email
-    services.mailz = rec {
-      domain = config.networking.hostName;
-      keydir = "${config.security.acme.directory}/${domain}";
-      inherit (cfg) mainUser users;
-    };
-    security.acme.certs.${config.networking.hostName}.postRun = ''
-      systemctl reload dovecot2.service postfix.service
-    '';
-    services.backup = {
-      enable = true;
-      backups = {
-        mail = {
-          dir = "/var/spool/mail";
-          remote = "webdavs://mail@yorickvp.stackstorage.com/remote.php/webdav//mail_bak";
-          keyfile = "/var/backup/creds";
-          interval = "daily";
-        };
-      };
-    };
-
-  };
-}
--- a/services/pub.nix
+++ b/services/pub.nix
@ -3,7 +3,7 @@ let cfg = config.services.yorick.public; in
 {
  options.services.yorick.public = {
    enable = lib.mkEnableOption "public hosting";
-    vhost = lib.mkOption { type = lib.types.string; };
+    vhost = lib.mkOption { type = lib.types.str; };
  };
  #imports = [../modules/nginx.nix];
  config = lib.mkIf cfg.enable {
--- a/services/website.nix
+++ b/services/website.nix
@ -9,10 +9,10 @@ in
  options.services.yorick = {
    website = {
      enable = mkEnableOption "yoricc website";
-      vhost = mkOption { type = types.string; };
+      vhost = mkOption { type = types.str; };
      pkg = mkOption { type = types.package; default = yoricc; };
    };
-    redirect = mkOption { type = types.loaOf types.string; default = []; };
+    redirect = mkOption { type = types.loaOf types.str; default = []; };
  };
  config.services.nginx.virtualHosts = with cfg; mkIf enable {
    ${vhost} = {
--- a/services/xmpp.nix
+++ b/services/xmpp.nix
@ -8,8 +8,8 @@ in
 {
  options.services.yorick.xmpp = with lib; {
    enable = mkEnableOption "xmpp";
-    vhost = mkOption { type = types.string; };
-    admins = mkOption { type = types.listOf types.string; };
+    vhost = mkOption { type = types.str; };
+    admins = mkOption { type = types.listOf types.str; };
  };
  config = lib.mkIf cfg.enable {
    # XMPP
--- a/sshkeys.nix
+++ b/sshkeys.nix
@ -1,5 +1,5 @@
 {
 	public = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZv+hBDmjxF8h9Gxwvy0o7sMgOsqwp8pVj9AlpG90Y7agvkOm2IGtFueVfiDe0yWPXT0/EIiVWcPhWwcVkbY/BkypPJSMLnlcQ6ld+aO1g+BtdDaVuxcTSvQ77UCT2p+wftxoq1EiUdlhTsXpPucrBd+5NOde+jlPBE4qChIAf2zhOIByJAGT+M4Ie3eV4p5S9LB9CMI4s32gNUBbSA8UDmkjpBXkf9a1TZzdkOGWUmUFXt53/O8LZlGK9kkA5TsjM2xaxDjCLWf5wEcey4JsEggi1prE4aB68Q7+kdbvDiVSEFyZn0A/A9RXHBRAgW8yPdh+EGC56iDW/wkGxWBY5";
 	deploy = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGGQytwzcR2DrnYQlnZSbXNpSClCFFvy4gqak8r7u8nYplu5azdq6yNN5TRAEoseiTl2WbdnwgVNluze5FF8a5p2XDyu754YF9nyNbQvzWt5dyjFLemDbj5vAzUnQY+52L9qwo5OK3oG2qZx76T7B5CnEN/JDJxGT3xveRyVUSTnNj/N0iiYVsOcEzGpkdKf/5QOGHuZWJrqwz2CNalKbXAJU9mEOHAH+fSxSmf99YCwwF+GyfYUL3eGIZ9CP1pUQX0CZKq8APW+rLlXJuGOrLTNYWd2jTzea95oiyMQeDhidTeyyPWi2GI32tRHVegg6wMzFo7b/m1f/BI18h9psn";
-	yorick = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/";
+	yorick = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo1N5E6qkb3McJOvv0PqI7E8iYLAcjil5RWc+zeTtN/" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFQm2OJ8PlnDHfI7FV3hddXP0t2jgKAiCnnuWIc+LK4dnyGmlC/ihIe9KhSENZEnzVAXnYAMOoOvpkVa5p0Itf1n0anCK3k2vDq0Jz9nY3ZXmkSHE09QGCpSG8kU6j+zWJPo2jWYNtxYMRmmHAuzzOdlPY9Q199PEvHVaqzpSVhIdhqhEcmap8oqHW6KbJu+17nLGGQB5XiTB1SlTxbg62copA9KMcvQzNGIooKs5QyrU/B0g05EfbogH7xOLbwYAK676DTUBEcKpEUYFMMv+DBcU4cH2EI6UTLxI5ohrS1pxk20zu5nTRMlQRUETpWN4EbEPfOzF8FW1YOwdttfCas8D6Y6t9gA4o8GpylBG9AElVw7VyOFeBR+AtchormH+wH6nZEvzs6wg2d84I8xo5qYGUJIQS7OYxypjlY01IFCCa/7rjzXGDmdWAP/UEu85ys9FSryn9Ey5DXDQOqhMHguOwQDUyaArWyRCCBzKbx6cPZw2D9bLfDxbnaC2/5dVyxHJXoWmwneX2E/UT5QwtG1nyLShIZhYgO9lfDpO61Mz9Jjap3sj6mJPxHZc5SGye0j47xV6kX4vbSgfoSHHnasaI3fR2ZBS7tnfq1ebxXqFFSPHK6uHjLgDHtkMisvjOVZnybuXB296pjv6K1o2G3qlUnImOqfxZxvuy4Xl/mw== cardno:000607186578"];
 }
--- a/vpn.nix
+++ b/vpn.nix
@ -0,0 +1,21 @@
+{
+  ips = {
+    pennyworth = "10.209.0.1";
+    jarvis = "10.209.0.2";
+    frumar = "10.209.0.3";
+    woodhouse = "10.209.0.4";
+    ascanius = "10.209.0.5";
+    blackadder = "10.209.0.6";
+    zazu = "10.209.0.7";
+  };
+  keys = {
+    # for i in wg.*.key; do echo $(echo $i | cut -d. -f2) = \"$(wg pubkey < $i)\"\;; done
+    ascanius = "zZ3gegDspSKBJutp99VzODZNcJ1qQF3OH2nrlxhICwI=";
+    blackadder = "+SfIbW9/MmA5iIVUUzkKPeWmZvwhP8y9qWo67o2UZUA=";
+    frumar = "UpFw4KmrvmOWdMOJ+LHvMzgN7cQMnasqlkzF8/apoGI=";
+    jarvis = "2/Qaq5uiy8uGGnZLIfjeomL47XjZCsJ1dDFDD9Nlq3E=";
+    pennyworth = "XoeUMsiSOWBFEFuAu+S4iQd3MzkyGhIj9dtxzZ0I500=";
+    woodhouse = "ICzlnC4zKUYvpQ0o5AFq2rG7CCqWUFVn3UqkLSoYNgI=";
+    zazu = "6X5EdNMO1MtFi18LCRGZ2cBD0d50Wq+pwkwVubjY1Ew=";
+  };
+}