...

17 files changed, 242 insertions, 91 deletions

diff --git a/_sources/generated.json b/_sources/generated.json
index 3f08cb6a..622886db 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -153,6 +153,25 @@
         },
         "version": "c1219b6ac3ee3de887e6a36ae41a8e478835ae92"
     },
+    "mpv-subselect": {
+        "cargoLocks": null,
+        "date": "2022-09-10",
+        "extract": null,
+        "name": "mpv-subselect",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "deepClone": false,
+            "fetchSubmodules": false,
+            "leaveDotGit": false,
+            "name": null,
+            "rev": "5aa5023ff85e81efef0980202ee06e431203a9a5",
+            "sha256": "sha256-3B7k2Jbx1KW7hkBOkQ5P3sMtj+NfAguAfyB135hmfT4=",
+            "type": "git",
+            "url": "https://github.com/CogentRedTester/mpv-sub-select"
+        },
+        "version": "5aa5023ff85e81efef0980202ee06e431203a9a5"
+    },
     "postfix-mta-sts-resolver": {
         "cargoLocks": null,
         "date": null,
diff --git a/_sources/generated.nix b/_sources/generated.nix
index e472a8e8..e8e2e784 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -95,6 +95,19 @@
     });
     date = "2022-01-27";
   };
+  mpv-subselect = {
+    pname = "mpv-subselect";
+    version = "5aa5023ff85e81efef0980202ee06e431203a9a5";
+    src = fetchgit {
+      url = "https://github.com/CogentRedTester/mpv-sub-select";
+      rev = "5aa5023ff85e81efef0980202ee06e431203a9a5";
+      fetchSubmodules = false;
+      deepClone = false;
+      leaveDotGit = false;
+      sha256 = "sha256-3B7k2Jbx1KW7hkBOkQ5P3sMtj+NfAguAfyB135hmfT4=";
+    };
+    date = "2022-09-10";
+  };
   postfix-mta-sts-resolver = {
     pname = "postfix-mta-sts-resolver";
     version = "1.1.4";
diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix
index 2cfaa620..842f7538 100644
--- a/accounts/gkleen@sif/default.nix
+++ b/accounts/gkleen@sif/default.nix
@@ -1,4 +1,7 @@
 { flake, flakeInputs, userName, pkgs, customUtils, lib, config, sources, ... }@inputs:
+
+with lib;
+
 let
   cfg = config.home-manager.users.${userName};
   xmonad = import ./xmonad pkgs.haskell.packages.ghc8107;
@@ -29,16 +32,18 @@ let
         --prefix PATH : ${pkgs.pulseaudio}/bin
     '';
   };
-  wrapElectron = { package, bin ? package.meta.mainProgram or package.pname or (pkgs.lib.strings.nameFromURL package.name "-"), outBin ? bin }: pkgs.runCommand "${package.name}-wrapped" { buildInputs = with pkgs; [ makeWrapper ]; } ''
+  wrapElectron = { package, bin ? package.meta.mainProgram or package.pname or (pkgs.lib.strings.nameFromURL package.name "-"), outBin ? bin, sandbox ? true }: pkgs.runCommand "${package.name}-wrapped" { buildInputs = with pkgs; [ makeWrapper ]; } ''
     mkdir -p "$out/bin"
     makeWrapper ${package}/bin/${bin} $out/bin/${outBin} \
-      --add-flags '--force-device-scale-factor=1.6'
+      --add-flags '--force-device-scale-factor=1.6' \
+      ${optionalString (!sandbox) "--add-flags '--no-sandbox'"}
   '';
-  
+
   wrappedChrome = wrapElectron { package = pkgs.google-chrome; outBin = "google-chrome"; };
   wrappedZulip = wrapElectron { package = pkgs.zulip; bin = "zulip"; outBin = "zulip"; };
   wrappedElementDesktop = wrapElectron { package = pkgs.element-desktop; bin = "element-desktop"; outBin = "element"; };
   wrappedRocketChatDesktop = wrapElectron { package = pkgs.rocketchat-desktop; bin = "rocketchat-desktop"; outBin = "rocketchat"; };
+  wrappedYTMDesktop = wrapElectron { package = pkgs.ytmdesktop; sandbox = false; };
 in {
   imports = with flake.nixosModules.userProfiles.${userName}; [
     mpv yt-dlp (args: import ./xcompose.nix (inputs // args))
@@ -47,7 +52,7 @@ in {
   config = {
     services.xserver = {
       displayManager.defaultSession = "none+xmonad";
-        
+
       windowManager.session = [{
         name = "xmonad";
         start = ''
@@ -155,7 +160,7 @@ in {
 
         zsh.initExtra = "source ${./zshrc}";
         zsh.dirHashes = let
-          flakeHashes = lib.mapAttrs' (n: v: lib.nameValuePair (inputNames.${n} or n) (toString v)) flakeInputs;
+          flakeHashes = mapAttrs' (n: v: nameValuePair (inputNames.${n} or n) (toString v)) flakeInputs;
           inputNames = {
             "nixpkgs" = "nixos";
           };
@@ -193,7 +198,7 @@ in {
           enable = true;
           client = {
             enable = true;
-            arguments = lib.mkForce ["-a" "\"\""];
+            arguments = mkForce ["-a" "\"\""];
           };
         };
         gpg-agent = {
@@ -318,7 +323,7 @@ in {
           fira fira-code powerline-fonts nerdfonts pavucontrol keepassxc
           sxiv xclip mumble pulseaudio-ctl pamixer libnotify synergy
           xorg.xbacklight screen-message
-          ytmdesktop qt5ct playerctl evince
+          wrappedYTMDesktop qt5ct playerctl evince
           thunderbird wrappedZulip zoom-us steam steam-run wireshark
           virt-manager rclone cached-nix-shell xournal xmonad worktime
           fira-code-symbols libreoffice xournalpp wrappedChrome
@@ -403,8 +408,8 @@ in {
         defaultApplications = let
           filters = {
           };
-          filter = n: v: (filters.${n} or lib.id) (lib.filter (d: d != "emacs.desktop") v);
-        in lib.mapAttrs filter (cfg.lib.xdg.mimeAssociations [
+          doFilter = n: v: (filters.${n} or id) (filter (d: d != "emacs.desktop") v);
+        in mapAttrs doFilter (cfg.lib.xdg.mimeAssociations [
           cfg.programs.zathura.package
           pkgs.sxiv
           cfg.programs.emacs.package
diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix
index 24d1f18c..d041ede0 100644
--- a/accounts/gkleen@sif/ssh-hosts.nix
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -48,6 +48,10 @@
     { user = "git";
       identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
     };
+  "gitlab.ifi.lmu.de" =
+    { user = "git";
+      identityFile = "~/.ssh/kleen@gitlab.ifi.lmu.de";
+    };
   "hel".hostname = "hel.midgard.yggdrasil";
   "blackbeard" =
     { hostname = "blackbeard.tcs.ifi.lmu.de";
diff --git a/accounts/gkleen@sif/xmonad/xmonad.hs b/accounts/gkleen@sif/xmonad/xmonad.hs
index 830bb2dd..3dc017a9 100644
--- a/accounts/gkleen@sif/xmonad/xmonad.hs
+++ b/accounts/gkleen@sif/xmonad/xmonad.hs
@@ -340,7 +340,7 @@ hostFromName h
                   , NS "toggl" "toggldesktop" (className =? "Toggl Desktop") centerFloat
                   , NS "calendar" "minetime -- --force-device-scale-factor=1.6" (className =? "MineTime") centerFloat
                   , NS "emacs" "emacsclient -c -F \"'(title . \\\"Scratchpad\\\")\"" (className =? "Emacs" <&&> title =? "Scratchpad") centerFloat
-                  -- , NS "music" "google-play-music-desktop-player --force-device-scale-factor=1.6" (className =?  "Google Play Music Desktop Player") centerFloat
+                  , NS "music" "ytmdesktop" (className =? "youtube-music-desktop-app") centerFloat
                   ]
     centerFloat = customFloating $ RationalRect (1 % 16) (1 % 16) (7 % 8) (7 % 8)
     centerFloatSmall = customFloating $ RationalRect (1 % 4) (1 % 4) (1 % 2) (1 % 2)
@@ -414,10 +414,10 @@ hostFromName h
         (first : rest) = filter (not . null) $ lines result
         notification = Notify.summary first <> Notify.body (unlines rest) <> Notify.timeout Infinite <> Notify.urgency Normal <> Notify.appName "dc"
       void $ Notify.display notification
-    synergyCompl = mkComplFunFromList' xPConfigMonospace ["mathw86"] 
+    synergyCompl = mkComplFunFromList' xPConfigMonospace ["mathw86"]
     synergyStart host = safeSpawn "systemctl" ["--user", "start", "synergy-rtunnel@" ++ host ++ ".service"]
     synergyStop host = safeSpawn "systemctl" ["--user", "stop", "synergy-rtunnel@" ++ host ++ ".service"]
-      
+
 hostFromName _ = defaultHost
 
 -- muteRef :: IORef (Maybe (String, Notification))
@@ -530,13 +530,13 @@ main = do
           -- We can´t define per-host layout modifiers because we lack dependent types
           layout' = onHost "skadhi" ( onWorkspace (wsp 1) (Full ||| withIM (1%5) (Title "Buddy List") tabbedLayout') $
                                       onWorkspace (wsp 10) Full $
-                                      onWorkspace (wsp 2) (Full ||| tabbedLayout') $ 
+                                      onWorkspace (wsp 2) (Full ||| tabbedLayout') $
                                       onWorkspace (wsp 5) tabbedLayout' $
                                       onWorkspace (wsp 8) (withIM (1%5) (Title "Friends") tabbedLayout') $
                                       defaultLayouts
                                     ) $
                     onHost "vali"   ( onWorkspace (wsp 2) (Full ||| tabbedLayout' ||| combineTwo (TwoPane 0.01 0.57) Full tabbedLayout') $
-                                      onWorkspace (wsp 3) workLayouts $ 
+                                      onWorkspace (wsp 3) workLayouts $
                                       defaultLayouts
                                     ) $
                     onHost "hel"    ( onWorkspace (wsp 1) (withIM (1 % 8) (Title "Buddy List") $ trackFloating tabbedLayout') $
@@ -565,7 +565,7 @@ main = do
           tabbedLayoutHoriz' = tabbedLayoutHoriz tabbedLeftAlways
           defaultLayouts = {- spiralWithDir East CW (1 % 2) -} Dwindle R CW 1 (5 % 100) ||| tabbedLayout' ||| Full
           -- workLayouts = {- spiralWithDir East CW (1 % 2) -} Dwindle R CW (2 % 1) (5 % 100) ||| tabbedLayout' ||| Full
-          workLayouts = tabbedLayout' ||| (renamed [Replace "Combined"] $ combineTwoP (TwoPane (1 % 100) (1891 % 2560)) tabbedLayout''' (Column 1.6) (ClassName "Postman" `Or` ClassName "Emacs" `Or` ClassName "jetbrains-idea-ce" `Or` (Resource "Devtools" `And` ClassName "Firefox"))) ||| Full ||| Dwindle R CW 1 (5 % 100) 
+          workLayouts = tabbedLayout' ||| (renamed [Replace "Combined"] $ combineTwoP (TwoPane (1 % 100) (1891 % 2560)) tabbedLayout''' (Column 1.6) (ClassName "Postman" `Or` ClassName "Emacs" `Or` ClassName "jetbrains-idea-ce" `Or` (Resource "Devtools" `And` ClassName "Firefox"))) ||| Full ||| Dwindle R CW 1 (5 % 100)
           sqrtTwo = approxRational (sqrt 2) (1 / 2560)
           xmobarPP' = xmobarPP { ppTitle = shorten 80
                                , ppSort = (liftM2 (.)) getSortByIndex $ return scratchpadFilterOutWorkspace
@@ -607,7 +607,7 @@ main = do
                 | otherwise = return ()
               handle _ = return ()
       handle shutdown $ launch myConfig =<< getDirectories
-  
+
 secs :: Int -> Int
 secs = (* 1000000)
 
@@ -651,7 +651,7 @@ isDisabled :: String -> X Bool
 isDisabled str = do
   out <- runProcessWithInput "xinput" ["list", str] ""
   return $ "disabled" `isInfixOf` out
-  
+
 
 spawnKeychain :: X ()
 spawnKeychain = do
@@ -790,7 +790,7 @@ myKeys' conf host = Map.fromList $
     -- launch a terminal
     [ ((modm,               xK_Return), spawn $ (XMonad.terminal conf) ++ " -e tmux")
     , ((modm .|. shiftMask, xK_Return), spawn $ XMonad.terminal conf)
- 
+
     -- launch dmenu
     --, ((modm,               xK_d     ), spawn "exe=`dmenu_path | dmenu` && eval \"exec $exe\"")
     , ((modm,               xK_d     ), shellPrompt "Run: " xPConfigMonospace)
@@ -800,31 +800,31 @@ myKeys' conf host = Map.fromList $
     -- close focused window
     , ((modm .|. shiftMask, xK_q     ), kill)
     , ((modm .|. controlMask .|. shiftMask, xK_q     ), spawn "xkill")
- 
+
      -- Rotate through the available layout algorithms
     , ((modm,               xK_space ), sendMessage NextLayout)
- 
+
     --  Reset the layouts on the current workspace to default
     , ((modm .|. controlMask, xK_r   ), (setLayout $ XMonad.layoutHook conf) >> refresh)
- 
+
     -- Resize viewed windows to the correct size
     , ((modm,               xK_r     ), refresh)
 
     -- Move focus to the next window
     , ((modm,               xK_t     ), windows W.focusDown)
- 
+
     -- Move focus to the previous window
     , ((modm,               xK_n     ), windows W.focusUp  )
- 
+
     -- Move focus to the master window
     , ((modm,               xK_m     ), windows W.focusMaster  )
- 
+
     -- Swap the focused window and the master window
     , ((modm .|. shiftMask, xK_m     ), windows W.swapMaster)
- 
+
     -- Swap the focused window with the next window
     , ((modm .|. shiftMask, xK_t     ), windows W.swapDown  )
- 
+
     -- Swap the focused window with the previous window
     , ((modm .|. shiftMask, xK_n     ), windows W.swapUp    )
 
@@ -845,18 +845,18 @@ myKeys' conf host = Map.fromList $
     -- , ((modm .|. controlMask, xK_Down ), withFocused $ keysMoveWindow (0, 10))
      -- Shrink the master area
     , ((modm,               xK_h     ), sendMessage Shrink)
- 
+
     -- Expand the master area
     , ((modm,               xK_s     ), sendMessage Expand)
- 
+
     -- Push window back into tiling
     , ((modm .|. shiftMask, xK_space ), withFocused $ windows . W.sink)
     , ((modm, xK_BackSpace), focusUrgent)
     , ((modm .|. shiftMask, xK_BackSpace), clearUrgents)
- 
+
     -- Increment the number of windows in the master area
     , ((modm              , xK_comma ), sendMessage (IncMasterN 1))
- 
+
     -- Deincrement the number of windows in the master area
     , ((modm              , xK_period), sendMessage (IncMasterN (-1)))
 
@@ -875,7 +875,7 @@ myKeys' conf host = Map.fromList $
 
     , ((modm                , xK_Escape), cycleKbLayout (hKbLayouts host))
     , ((modm .|. controlMask, xK_Escape), safeSpawn "setxkbmap" $ fst (head $ hKbLayouts host) : maybeToList (snd . head $ hKbLayouts host))
- 
+
     -- Toggle the status bar gap
     -- Use this binding with avoidStruts from Hooks.ManageDocks.
     -- See also the statusBar function from Hooks.DynamicLog.
@@ -883,10 +883,10 @@ myKeys' conf host = Map.fromList $
     , ((modm              , xK_b     ), sendMessage ToggleStruts)
 
     , ((modm .|. shiftMask, xK_p     ), safeSpawn "playerctl" ["-a", "pause"])
- 
+
     -- Quit xmonad
     , ((modm .|. shiftMask, xK_e     ), io (exitWith ExitSuccess))
- 
+
     -- Restart xmonad
     -- , ((modm .|. shiftMask .|. controlMask, xK_r     ), void . xfork $ recompile False >>= flip when (safeSpawn "xmonad" ["--restart"]))
     , ((modm .|. shiftMask, xK_r     ), void . liftIO $ executeFile "xmonad" True [] Nothing)
@@ -902,7 +902,7 @@ myKeys' conf host = Map.fromList $
     , ((modm              , xK_g     ), windowPrompt xPConfig Bring allWindows)
     ]
     ++
- 
+
     --
     -- mod-[1..9], Switch to workspace N
     --
@@ -924,4 +924,3 @@ myKeys' conf host = Map.fromList $
     modm = XMonad.modMask conf
 
     brCycle = [0, 1 % 100, 1 % 10, 1 % 4, 1 % 2, 3 % 4, 1]
-    
diff --git a/flake.nix b/flake.nix
index 43825563..2f86bb44 100644
--- a/flake.nix
+++ b/flake.nix
@@ -225,6 +225,7 @@
           defaults = mapAttrs (hostname: _: {
             inherit hostname;
             sshUser = "root";
+            sshOpts = [ "-S" "none" ];
 
             profilesOrder = ["system"]; # system first
             profiles = {
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index b38a387c..58f99b9a 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -38,6 +38,8 @@ in {
         kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" "dm-mod" "dm-crypt" ];
       };
 
+      supportedFilesystems = [ "nfs" "nfs4" ];
+
       blacklistedKernelModules = [ "nouveau" ];
 
       # Use the systemd-boot EFI boot loader.
@@ -289,10 +291,6 @@ in {
     ];
 
     services = {
-      udev.packages = with pkgs; [ uhk-agent ];
-
-      # tinc.yggdrasil.enable = true;
-
       uucp = {
         enable = true;
         nodeName = "sif";
@@ -383,9 +381,10 @@ in {
     };
 
     users = {
-      users.gkleen.extraGroups = [ "media" "plugdev" ];
+      users.gkleen.extraGroups = [ "media" "plugdev" "input" ];
       groups.media = {};
       groups.plugdev = {};
+      groups.input = {};
     };
 
     security.rtkit.enable = true;
@@ -501,6 +500,8 @@ in {
       };
 
       firmware = [ pkgs.firmwareLinuxNonfree ];
+
+      keyboard.uhk.enable = true;
     };
 
     sound.enable = true;
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index abf8ef07..3f038b92 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022071002 ; serial
+  2022100600 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -69,7 +69,7 @@ spm			IN	MX	0 mailin.bouncy.email.
 spm                     IN      TXT     "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm     IN      NS      ns.yggdrasil.li.
 
-_mta-sts                IN      TXT     "v=STSv1; id=2022071002"
+_mta-sts                IN      TXT     "v=STSv1; id=2022100600"
 _smtp._tls              IN      TXT     "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
 mta-sts                 IN      A       202.61.241.61
 mta-sts                 IN      AAAA    2a03:4000:52:ada::
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 2fe5b7f0..42b50c88 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -412,6 +412,8 @@ in {
       in ''
         mail_home = /var/lib/mail/%u
 
+        mail_plugins = $mail_plugins quota
+
         first_valid_uid = ${toString config.users.users.dovecot2.uid}
         last_valid_uid = ${toString config.users.users.dovecot2.uid}
         first_valid_gid = ${toString config.users.groups.dovecot2.gid}
@@ -473,9 +475,10 @@ in {
             result_failure = return-fail
             result_internalfail = return-fail
           }
+
+          mail_plugins = $mail_plugins sieve
         }
 
-        mail_plugins = $mail_plugins quota
         mailbox_list_index = yes
         postmaster_address = postmaster@yggdrasil.li
         recipient_delimiter =
@@ -732,7 +735,7 @@ in {
               cp ${pkgs.writeText "mta-sts.txt" ''
                 version: STSv1
                 mode: enforce
-                max_age: 604800
+                max_age: 2419200
                 mx: mailin.bouncy.email
               ''} $out/.well-known/mta-sts.txt
             '';
diff --git a/hosts/vidhar/dns/zones/yggdrasil.soa b/hosts/vidhar/dns/zones/yggdrasil.soa
index ffa79ee1..3d9d4d83 100644
--- a/hosts/vidhar/dns/zones/yggdrasil.soa
+++ b/hosts/vidhar/dns/zones/yggdrasil.soa
@@ -1,7 +1,7 @@
 $ORIGIN yggdrasil.
 $TTL 300
 @ IN SOA vidhar.yggdrasil. root.yggdrasil.li. (
-  2022040802 ; serial
+  2022101601 ; serial
   300        ; refresh
   300        ; retry
   300        ; expire
@@ -16,6 +16,7 @@ sif		IN	AAAA	2a03:4000:52:ada:1:2::
 
 grafana.vidhar          IN      CNAME   vidhar.yggdrasil.
 prometheus.vidhar       IN      CNAME   vidhar.yggdrasil.
+nfsroot.vidhar          IN      CNAME   vidhar.lan.yggdrasil.
 
 
 vidhar.lan      IN      A       10.141.0.1
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index e69674f4..f19ea9cd 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -1,4 +1,5 @@
 { pkgs, ... }:
+
 {
   imports = [ ./dsl.nix ./bifrost ./dhcp ];
 
@@ -69,5 +70,30 @@
         networkConfig.LinkLocalAddressing = "no";
       };
     };
+
+    services.nfs.server = {
+      enable = true;
+      createMountPoints = true;
+
+      statdPort = 4000;
+      lockdPort = 4001;
+      mountdPort = 4002;
+
+      extraNfsdConfig = ''
+        vers3=off
+      '';
+
+      exports = ''
+        /srv/nfs 10.141.0.0/24(ro,async,root_squash,fsid=0) 2a03:4000:52:ada:1::/80(ro,async,root_squash,fsid=0)
+        /srv/nfs/nix-store 10.141.0.0/24(ro,async,root_squash) 2a03:4000:52:ada:1::/80(ro,async,root_squash)
+      '';
+    };
+
+    fileSystems = {
+      "/srv/nfs/nix-store" = {
+        device = "/nix/store";
+        options = [ "bind" ];
+      };
+    };
   };
 }
diff --git a/hosts/vidhar/network/dhcp/default.nix b/hosts/vidhar/network/dhcp/default.nix
index e14b15ac..dfaa4c9f 100644
--- a/hosts/vidhar/network/dhcp/default.nix
+++ b/hosts/vidhar/network/dhcp/default.nix
@@ -26,7 +26,7 @@ with lib;
             { name = "ipxe";
               test = "option[77].hex == 'iPXE'";
               next-server = "10.141.0.1";
-              boot-file-name = "installer-x86_64-linux/netboot.ipxe";
+              boot-file-name = "http://nfsroot.vidhar.yggdrasil/installer-x86_64-linux/netboot.ipxe";
               only-if-required = true;
             }
             { name = "uefi-64";
@@ -229,6 +229,40 @@ with lib;
       sopsFile = ./knot-tsig.json.frag;
     };
 
+    services.nginx.virtualHosts."nfsroot.vidhar.yggdrasil" = {
+      addSSL = false;
+      forceSSL = false;
+      locations."/" = {
+        extraConfig = ''
+          autoindex on;
+        '';
+        root = pkgs.symlinkJoin {
+          name = "nfsroot.vidhar.yggdrasil";
+          paths =
+            (map (system:
+               let
+                 installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
+                   modules = [
+                     ({ ... }: {
+                       config.nfsroot.storeDevice = "10.141.0.1:nix-store";
+                       config.nfsroot.registrationUrl = "http://nfsroot.vidhar.yggdrasil/installer-${system}/registration";
+                     })
+                   ];
+                 }).config.system.build;
+               in builtins.toPath (pkgs.runCommandLocal "install-${system}" {} ''
+                 mkdir -p $out/installer-${system}
+                 install -m 0444 -t $out/installer-${system} \
+                   ${installerBuild.initialRamdisk}/initrd \
+                   ${installerBuild.kernel}/bzImage \
+                   ${installerBuild.netbootIpxeScript}/netboot.ipxe \
+                   ${pkgs.closureInfo { rootPaths = installerBuild.storeContents; }}/registration
+               '')
+              ) ["x86_64-linux"]
+            );
+        };
+      };
+    };
+
     systemd.services."pxe-atftpd" = {
       description = "TFTP Server for PXE Booting";
       after = [ "network.target" ];
@@ -238,44 +272,16 @@ with lib;
           additionalTargets = {
             "bin-i386-efi/ipxe.efi" = "i386-ipxe.efi";
           };
+          additionalOptions = [
+            "NSLOOKUP_CMD"
+          ];
         };
         tftpRoot = pkgs.runCommandLocal "netboot" {} ''
           mkdir -p $out
           install -m 0444 -t $out \
             ${ipxe}/ipxe.efi ${ipxe}/i386-ipxe.efi ${ipxe}/undionly.kpxe
-
-          ${concatMapStringsSep "\n" (system:
-            let
-              installerBuild = (flake.nixosConfigurations.${"installer-${system}-nfsroot"}.extendModules {
-                modules = [
-                  ({ ... }: { config.nfsroot.storeDevice = "vidhar:nix-store"; })
-                ];
-              }).config.system.build;
-            in ''
-              mkdir -p $out/installer-${system}
-              install -m 0444 -t $out/installer-${system} \
-                ${installerBuild.initialRamdisk}/initrd \
-                ${installerBuild.kernel}/bzImage \
-                ${installerBuild.netbootIpxeScript}/netboot.ipxe
-            ''
-          ) ["x86_64-linux"]}
         '';
       in "${pkgs.atftp}/sbin/atftpd --daemon --no-fork --bind-address=10.141.0.1 ${tftpRoot}";
     };
-
-    services.nfs.server = {
-      enable = true;
-      createMountPoints = true;
-      exports = ''
-        /export/nix-root 10.141.0.0/24(ro)
-      '';
-    };
-
-    fileSystems = {
-      "/export/nix-root" = {
-        device = "/nix/store";
-        options = [ "bind" ];
-      };
-    };
   };
 }
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index c0da0fa6..473f8a20 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -78,6 +78,7 @@ table inet filter {
   counter ssh-rx {}
   counter mosh-rx {}
   counter dns-rx {}
+  counter nfs-rx {}
   counter wg-rx {}
   counter yggdrasil-gre-rx {}
   counter ipv6-pd-rx {}
@@ -104,6 +105,7 @@ table inet filter {
   counter ssh-tx {}
   counter mosh-tx {}
   counter dns-tx {}
+  counter nfs-tx {}
   counter wg-tx {}
   counter yggdrasil-gre-tx {}
   counter ipv6-pd-tx {}
@@ -152,7 +154,7 @@ table inet filter {
 
 
     ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
-    
+
 
     iifname lo counter name rx-lo accept
     iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
@@ -165,8 +167,9 @@ table inet filter {
     iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
     iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
-    iifname { lan, mgmt, dmz01, yggdrasil } tcp dport 53 counter name dns-rx accept
-    iifname { lan, mgmt, dmz01, yggdrasil } udp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt, dmz01, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
+
+    iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
     iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
     iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
@@ -182,7 +185,8 @@ table inet filter {
     iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
 
     iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
-    
+    iifname lan tcp dport 80 counter name http-rx accept
+
     iifname { lan, mgmt } udp dport 69 counter name tftp-rx accept
 
     ct state {established, related} counter name established-rx accept
@@ -209,8 +213,9 @@ table inet filter {
     tcp sport 22 counter name ssh-tx
     udp sport 60000-61000 counter name mosh-tx
 
-    tcp sport 53 counter name dns-tx
-    udp sport 53 counter name dns-tx
+    meta l4proto {tcp, udp} th sport 53 counter name dns-tx
+
+    tcp sport 2049 counter name nfs-tx
 
     meta protocol ip udp sport 51820 counter name wg-tx
     meta protocol ip6 udp sport {51821,51822} counter name wg-tx
@@ -225,7 +230,7 @@ table inet filter {
     udp sport { 137, 138, 3702 } counter name samba-tx accept
     tcp sport { 445, 139, 5357 } counter name samba-tx accept
 
-    tcp sport {80,443} counter name http-tx accept
+    tcp sport { 80, 443 } counter name http-tx accept
 
     udp sport 69 counter name tftp-tx accept
     udp dport 69 counter name tftp-tx accept
diff --git a/installer-profiles/nfsroot.nix b/installer-profiles/nfsroot.nix
index 9db415a8..2688a8d0 100644
--- a/installer-profiles/nfsroot.nix
+++ b/installer-profiles/nfsroot.nix
@@ -16,7 +16,17 @@ in {
     nfsroot = {
       storeDevice = mkOption {
         type = types.str;
+        default = "nfsroot:nix-store";
       };
+
+      registrationUrl = mkOption {
+        type = types.str;
+        default = "http://nfsroot/nix-registration";
+      };
+    };
+
+    system.build = {
+      storeContents = mkOption {};
     };
   };
 
@@ -67,14 +77,26 @@ in {
         ];
       };
 
+    nix.extraOptions = ''
+      use-sqlite-wal = false
+    '';
+
     boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
     boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
+    services.rpcbind.enable = mkImageMediaOverride false;
 
     boot.initrd.network.enable = true;
-    boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs dosen't work
+    boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
+    boot.initrd.postMountCommands = ''
+      mkdir -p /mnt-root/etc/
+      cp /etc/resolv.conf /mnt-root/etc/resolv.conf
+    '';
     networking.useDHCP = true;
+    networking.resolvconf.enable = false;
 
 
+    system.build.storeContents = [config.system.build.toplevel];
+
     system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
       #!ipxe
       # Use the cmdline variable to allow the user to specify custom kernel params
@@ -86,6 +108,10 @@ in {
 
     boot.postBootCommands =
       ''
+        # After booting, register the contents of the Nix store on NFS
+        # in the Nix database in the tmpfs.
+        ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
+
         # nixos-rebuild also requires a "system" profile and an
         # /etc/NIXOS tag.
         touch /etc/NIXOS
diff --git a/installer/ruleset.nft b/installer/ruleset.nft
index 803ce9fd..7b38a059 100644
--- a/installer/ruleset.nft
+++ b/installer/ruleset.nft
@@ -60,7 +60,7 @@ table inet filter {
 
 
     ct state invalid log level debug prefix "drop invalid input: " counter drop
-    
+
 
     iifname lo counter accept
     iif != lo ip daddr 127.0.0.1/8 counter reject
@@ -73,7 +73,7 @@ table inet filter {
     udp dport 60000-61000 counter accept
 
 
-    ct state {established, related} counter name established-rx accept
+    ct state {established, related} counter accept
 
 
     limit name lim_reject log level debug prefix "drop input: " counter drop
diff --git a/nvfetcher.toml b/nvfetcher.toml
index ccdd78dd..7cd52c29 100644
--- a/nvfetcher.toml
+++ b/nvfetcher.toml
@@ -14,6 +14,10 @@ fetch.git = "https://gist.github.com/2f71a97fb85ed42146f6d9f522bc34ef.git"
 src.github = "hoyon/mpv-mpris"
 fetch.github = "hoyon/mpv-mpris"
 
+[mpv-subselect]
+src.git = "https://github.com/CogentRedTester/mpv-sub-select"
+fetch.git = "https://github.com/CogentRedTester/mpv-sub-select"
+
 [emacs-scratch_el]
 src.git = "https://github.com/ffevotte/scratch.el"
 fetch.github = "ffevotte/scratch.el"
diff --git a/user-profiles/mpv/default.nix b/user-profiles/mpv/default.nix
index 0c87b6e7..9c9d077b 100644
--- a/user-profiles/mpv/default.nix
+++ b/user-profiles/mpv/default.nix
@@ -7,8 +7,10 @@
     };
     config = {
       ytdl = true;
-      sub = false;
-      osd-font = "DejaVu Sans";
+      subs-with-matching-audio = false;
+      audio-display = false;
+      osd-font = "Fira Sans";
+      sub-font = "Fira Sans";
       # vo = "gpu";
       hwdec = "auto";
       force-window = "yes";
@@ -18,8 +20,36 @@
         "vidscale=no"
         "deadzonesize=0.9"
         "ytdl_hook-ytdl_path=${pkgs.yt-dlp}/bin/yt-dlp"
-        "chapterskip-skip=sponsor;intro;endcard"
-        "chapterskip-categories=sponsor>%[SponsorBlock%]: .*Sponsor.*;intro>%[SponsorBlock%]: .*Intro Animation.*;endcard>%[SponsorBlock%]: .*Endcards.*"
+        "chapterskip-skip=sponsor;intro;endcard;interact"
+        "chapterskip-categories=sponsor>%[SponsorBlock%]: .*Sponsor.*;intro>%[SponsorBlock%]: .*Intro Animation.*;endcard>%[SponsorBlock%]: .*Endcards.*;interact>%[SponsorBlock%]: .*Interaction Reminder.*"
+        "sub_select-config=${pkgs.writeTextDir "sub-select.json" (builtins.toJSON [
+          {
+            alang = "*";
+            slang = "forced";
+          }
+          {
+            alang = ["jpn" "ja"];
+            slang = "eng?";
+            blacklist = [ "sign" ];
+          }
+          {
+            alang = ["jpn" "ja"];
+            slang = "und";
+            blacklist = [ "sign" ];
+          }
+          {
+            alang = ["eng?" "deu?"];
+            slang = "no";
+          }
+          {
+            alang = "*";
+            slang = "eng?";
+          }
+          {
+            alang = "*";
+            slang = "und";
+          }
+        ])}"
       ];
     };
     scripts = [
@@ -65,6 +95,14 @@
 
         passthru.scriptName = "chapterskip.lua";
       }))
+      (pkgs.stdenv.mkDerivation (sources.mpv-subselect // rec {
+        installPhase = ''
+          install -d $out/share/mpv/scripts
+          install -m 0644 sub-select.lua $out/share/mpv/scripts/${passthru.scriptName}
+        '';
+
+        passthru.scriptName = "sub-select.lua";
+      }))
     ];
   };
 }