26 files changed, 1567 insertions, 0 deletions

diff --git a/accounts/gkleen@sif.nix b/accounts/gkleen@sif.nix
new file mode 100644
index 00000000..c157af78
--- /dev/null
+++ b/accounts/gkleen@sif.nix
@@ -0,0 +1 @@
+{ ... }: {}
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
new file mode 100644
index 00000000..4e9826bd
--- /dev/null
+++ b/hosts/sif/default.nix
@@ -0,0 +1,295 @@
+{ flake, pkgs, customUtils, lib, config, ... }:
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    ./hw.nix
+    ./mail
+    initrd-all-crypto-modules default-locale openssh
+  ];
+
+  config = {
+    nixpkgs = {
+      system = "x86_64-linux";
+      config = {
+        allowUnfree = true;
+      };
+    };
+
+    boot = {
+      initrd = {
+        luks.devices = {
+          nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb";
+          nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a";
+        };
+        availableKernelModules = [ "drbg" "nvme" "fbcon" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
+      };
+
+      blacklistedKernelModules = [ "nouveau" ];
+
+      # Use the systemd-boot EFI boot loader.
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+        timeout = null;
+      };
+
+      plymouth.enable = true;
+
+      kernelPackages = pkgs.linuxPackages_latest;
+      kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
+
+      tmpOnTmpfs = true;
+    };
+
+    networking = {
+      domain = "midgard.yggdrasil";
+      hosts = {
+        "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+        "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+      };
+
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [ 22 # ssh
+                            8000 # quickserve
+                          ];
+      };
+
+      networkmanager = {
+        enable = true;
+        dhcp = "internal";
+        dns = "dnsmasq";
+        extraConfig = ''
+          [connectivity]
+          uri=https://online.yggdrasil.li
+        '';
+      };
+
+      dhcpcd.enable = false;
+
+      interfaces.yggdrasil = {
+        virtual = true;
+        virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
+        macAddress = "5c:93:21:c3:61:39";
+      };
+    };
+
+    environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+      text = ''
+        server=/sif.libvirt/192.168.122.1
+      '';
+    };
+
+    powerManagement.enable = true;
+
+    environment.systemPackages = with pkgs; [
+      nvtop brightnessctl
+    ];
+
+    services = {
+      tinc.yggdrasil.enable = true;
+
+      uucp = {
+        enable = true;
+        nodeName = "sif";
+        remoteNodes = {
+          "ymir" = {
+            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
+            hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+          };
+        };
+
+        defaultCommands = lib.mkForce [];
+      };
+
+      avahi.enable = true;
+
+      fwupd.enable = true;
+
+      fprintd.enable = true;
+
+      blueman.enable = true;
+    
+      colord.enable = true;
+    
+      vnstat.enable = true;
+
+      logind = {
+        lidSwitch = "suspend";
+        lidSwitchDocked = "lock";
+        lidSwitchExternalPower = "lock";
+      };
+
+      atd = {
+        enable = true;
+        allowEveryone = true;
+      };
+
+      xserver = {
+        enable = true;
+
+        layout = "us";
+        xkbVariant = "dvp";
+        xkbOptions = "compose:caps";
+
+        displayManager.lightdm = {
+          enable = true;
+          greeters.gtk = {
+            clock-format = "%H:%M %a %b %_d";
+            indicators = ["~host" "~spacer" "~clock" "~session" "~power"];
+            theme = {
+              package = pkgs.equilux-theme;
+              name = "Equilux-compact";
+            };
+            iconTheme = {
+              package = pkgs.paper-icon-theme;
+              name = "Paper";
+            };
+            extraConfig = ''
+              background = #000000
+              user-background = false
+              active-monitor = #cursor
+              hide-user-image = true
+
+              [monitor: DP-2]
+                laptop = true
+            '';
+          };
+        };
+
+        displayManager.setupCommands = ''
+          ${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad'
+        '';
+
+        desktopManager.xterm.enable = true;
+        windowManager.twm.enable = true;
+        displayManager.defaultSession = "xterm+twm";
+
+        wacom.enable = true;
+        libinput.enable = true;
+
+        dpi = 282;
+
+        videoDrivers = [ "nvidia" ];
+
+        screenSection = ''
+          Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
+        '';
+
+        deviceSection = ''
+          Option "AccelMethod" "SNA"
+          Option "TearFree" "True"
+        '';
+
+        exportConfiguration = true;
+      };
+    };
+
+    users = {
+      users.gkleen.extraGroups = [ "media" ];
+    };
+
+    hardware = {
+      pulseaudio = {
+        enable = true;
+        package = with pkgs; pulseaudioFull;
+        support32Bit = true;
+      };
+
+      bluetooth = {
+        enable = true;   
+        config = {
+          General = {
+            Enable = "Source,Sink,Media,Socket";
+          };
+        };
+      };
+
+      trackpoint = {
+        enable = true;
+        emulateWheel = true;
+        sensitivity = 255;
+        speed = 255;
+      };
+
+      nvidia = {
+        modesetting.enable = true;
+        prime = {
+          nvidiaBusId = "PCI:1:0:0";
+          intelBusId = "PCI:0:2:0";
+          sync.enable = true;
+        };
+      };
+
+      opengl = {
+        enable = true;
+        driSupport32Bit = true;
+        setLdLibraryPath = true;
+      };
+
+      firmware = [ pkgs.firmwareLinuxNonfree ];
+    };
+
+    sound.enable = true;
+
+    nix = {
+      autoOptimiseStore = true;
+      daemonNiceLevel = 10;
+      daemonIONiceLevel = 3;
+    };
+
+    environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
+
+    systemd.services."ac-plugged" = {
+      description = "Inhibit handling of lid-switch and sleep";
+
+      path = with pkgs; [ systemd coreutils ];
+
+      script = ''
+        exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+      };
+    };
+
+    services.udev.extraRules = with pkgs; ''
+      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+    '';
+
+    services.btrfs.autoScrub = {
+      enable = true;
+      fileSystems = [ "/" "/home" ];
+      interval = "weekly";
+    };
+
+    systemd.services."nix-daemon".serviceConfig = {
+      MemoryAccounting = true;
+      MemoryHigh = "50%";
+      MemoryMax = "75%";
+    };
+
+    services.journald.extraConfig = ''
+      SystemMaxUse=100M
+    '';
+
+    services.dbus.packages = with pkgs;
+      [ dbus gnome3.dconf
+      ];
+
+    programs = {
+      light.enable = true;
+      wireshark.enable = true;
+    };
+
+    virtualisation.libvirtd = {
+      enable = true;
+    };
+
+    zramSwap.enable = true;
+
+    system.stateVersion = "20.03";
+  };
+}
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
new file mode 100644
index 00000000..4a3e6c86
--- /dev/null
+++ b/hosts/sif/hw.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+{
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B3A2-D029";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/var/media" =
+    { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
+      fsType = "btrfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
+    ];
+
+  nix.maxJobs = 12;
+  powerManagement.cpuFreqGovernor = "powersave";
+  # High-DPI console
+  console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  hardware.enableRedistributableFirmware = true;
+}
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..2addba9d
--- /dev/null
+++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = true;
+    enableSubmission = false;
+    setSendmail = true;
+    networksStyle = "host";
+    hostname = "sif.midgard.yggdrasil";
+    destination = [];
+    relayHost = "uucp:ymir";
+    recipientDelimiter = "+";
+    masterConfig = {
+      uucp = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "pipe";
+        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+      };
+    };
+    transport = ''
+      odin.asgard.yggdrasil uucp:odin
+    '';
+    config = {
+      always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+
+      default_transport = "uucp:ymir";
+
+      inet_interfaces = "loopback-only";
+
+      authorized_submit_users = ["!uucp" "static:anyone"];
+      message_size_limit = "0";
+
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''texthash:${pkgs.writeText "sender_bcc" ''
+        uni2work@ifi.lmu.de uni2work@ifi.lmu.de
+        @ifi.lmu.de gregor.kleen@ifi.lmu.de
+      ''}'';
+
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "texthash:/var/db/postfix/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+    useDane = true;
+  };
+
+  sops.secrets.postfix-sasl-passwd = {
+    key = "sasl-passwd";
+    path = "/var/db/postfix/sasl_passwd";
+    owner = "postfix";
+    sopsFile = ./secrets.yaml;
+  };
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
new file mode 100644
index 00000000..00422f82
--- /dev/null
+++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
+sasl-passwd: ENC[AES256_GCM,data:RDZHUgQJHH7IzJD5j+LOuQb4OuPopUEa6CwDRoD/FqoHFW/YKarF3Hxxu4HKA5GDf3SRrFOcPBXmf+0f1CucUQwJQh4nY4fmDVqrH0UXRowuAkIhYpt0sLXlzrOzSeZz788A9xK4AGPzEOx1va7GOqJIaPJ+pyyzazQsSgCJaFkUMriCfKbZ0zhRCr0pk2RPLOLKGuo2mDFf5c3EZYAn7vEzhZj+B3XbNWotV/JXTX7JPK6GPcsX2RMKEYBdmxZzrMCTTFU23W1DbiDJ01mxJh3ckIX+KTmaWNoVg4Tong1vBe2wxKchXajmykwFLJFR1Kj5wv4uAxy2qNvKtQIF/LJosG6LXcdk5QDQBXUINqswupBdV8lt08mk53JHLJPXcV8RpEHT3NUL,iv:2u203xTmUEfWIJDB2ZkOKzhYQrV4TGT7rfOd0md+VOw=,tag:RJ/iLbbq8B8dMmXGWjok/g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-02T19:29:40Z'
+    mac: ENC[AES256_GCM,data:g8wNpsFXiGoENSteWa1w1UkF8LQwnwtoeEHskKhGqAlCFtA1cVdyFSItm8/h1/eqJl/NWXRGU25XpZysCAkJi+uCq4bNGjV+gjqeIT8Dv5teQbVwthoFqkE/s3jew35+f29/xxb5Cro6EihlTrs5Lt3wExv2+NUdim1aeNgR+4Q=,iv:bj/igDT7GPiCjj4BwE7ihM8wR8CbJeXu/s550rc+QEw=,tag:KKt6tWlqxu5C/L/ZYbQL3g==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
+            4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
+            0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
+            Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
+            =7rOv
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
+            8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
+            0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
+            ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
+            =E/qh
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf
new file mode 100644
index 00000000..864409f1
--- /dev/null
+++ b/hosts/sif/wacom.conf
@@ -0,0 +1,15 @@
+Section "InputClass"
+        Identifier "Wacom USB device class"
+        MatchUSBID "056a:*"
+        MatchDevicePath "/dev/input/event*"
+        Driver "wacom"
+EndSection
+
+Section "InputClass"
+        Identifier      "calibration"
+        MatchProduct    "Wacom USB device class"
+        Option  "MinX"  "58"
+        Option  "MaxX"  "30982"
+        Option  "MinY"  "87"
+        Option  "MaxY"  "17328"
+EndSection
\ No newline at end of file
diff --git a/modules/borgbackup/btrfs-snapshots.nix b/modules/borgbackup/btrfs-snapshots.nix
new file mode 100644
index 00000000..96d2b2ba
--- /dev/null
+++ b/modules/borgbackup/btrfs-snapshots.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.btrfs-snapshots;
+
+  snapshotMount = str: "${str}${cfg.mountSuffix}";
+in {
+  options = {
+
+    services.btrfs-snapshots = {
+      enable = mkEnableOption "a systemd unit for btrfs snapshots";   
+
+      mountSuffix = mkOption {
+        type = types.str;
+        default = ".snapshot";
+      };
+
+      readOnly = mkOption {
+        type = types.bool;
+        default = true;
+      };
+
+      persist = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+
+  };
+
+  
+  config = mkIf cfg.enable {
+    systemd.services."btrfs-snapshot@" = {
+      enable = true;
+
+      unitConfig = {
+        StopWhenUnneeded = !cfg.persist;
+      };
+
+      serviceConfig = with pkgs; {
+        Type = "oneshot";
+        ExecStartPre = "-${btrfs-progs}/bin/btrfs subvolume delete -c ${snapshotMount "%f"}";
+        ExecStart = "${btrfs-progs}/bin/btrfs subvolume snapshot ${optionalString cfg.readOnly "-r"} %f ${snapshotMount "%f"}";
+        RemainAfterExit = true;
+        ExecStop = "${btrfs-progs}/bin/btrfs subvolume delete -c ${snapshotMount "%f"}";
+      };
+    };
+
+  };
+}
diff --git a/modules/borgbackup/default.nix b/modules/borgbackup/default.nix
new file mode 100644
index 00000000..47f8e06d
--- /dev/null
+++ b/modules/borgbackup/default.nix
@@ -0,0 +1,199 @@
+{ config, lib, utils, pkgs, ... }:
+
+with utils;
+with lib;
+
+let
+  cfg = config.services.borgbackup;
+
+  lvmPath = {
+    options = {
+      LV = mkOption {
+        type = types.str;
+      };
+      VG = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  pathType = if cfg.snapshots == "lvm" then types.submodule lvmPath else types.path;
+
+  systemdPath = path: escapeSystemdPath (if cfg.snapshots == "lvm" then "${path.VG}-${path.LV}" else path);
+
+  withSuffix = path: path + (if cfg.snapshots == "btrfs" then config.services.btrfs-snapshots.mountSuffix else config.services.lvm-snapshots.mountSuffix);
+
+  mountPoint = if cfg.snapshots == "lvm" then config.services.lvm-snapshots.mountPoint else "";
+
+  targetOptions = {
+    options = {
+      repo = mkOption {
+        type = types.str;
+      };
+    
+      paths = mkOption {
+        type = types.listOf pathType;
+        default = [];
+      };
+
+      prune = mkOption {
+        type = types.attrsOf (types.listOf types.str);
+        default = {};
+      };
+
+      interval = mkOption {
+        type = types.str;
+        default = "6h";
+      };
+
+      jitter = mkOption {
+        type = with types; nullOr str;
+        default = "6h";
+      };
+
+      lock = mkOption {
+        type = types.nullOr types.str;
+        default = "backup";
+      };
+
+      network = mkOption {
+        type = types.bool;
+        default = true;
+      };
+
+      lockWait = mkOption {
+        type = types.int;
+        default = 600;
+      };
+    };
+  };
+in {
+  disabledModules = [ "services/backup/borgbackup.nix" ];
+  
+  options = {
+    services.borgbackup = {
+      snapshots = mkOption {
+        type = types.nullOr (types.enum ["btrfs" "lvm"]);
+        default = null;
+      };
+
+      targets = mkOption {
+        type = types.attrsOf (types.submodule targetOptions);
+        default = {};
+      };
+
+      prefix = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  imports =
+    [ ./lvm-snapshots.nix
+      ./btrfs-snapshots.nix
+    ];
+
+  config = mkIf (any (t: t.paths != []) (attrValues cfg.targets)) {
+    services.btrfs-snapshots.enable = mkIf (cfg.snapshots == "btrfs") true;
+
+    services.lvm-snapshots.snapshots = mkIf (cfg.snapshots == "lvm") (listToAttrs (map (path: nameValuePair (path.VG + "-" + path.LV) {
+      inherit (path) LV VG; 
+      mountName = withSuffix (path.VG + "-" + path.LV);
+    }) (unique (flatten (mapAttrsToList (target: tCfg: tCfg.paths) cfg.targets)))));
+
+    systemd.targets."timers-borg" = {
+      wantedBy = [ "timers.target" ];
+    };
+
+    systemd.slices."system-borgbackup" = {};
+  
+    systemd.timers = (listToAttrs (map ({ target, path, tCfg }: nameValuePair "borgbackup-${target}@${systemdPath path}" {
+      requiredBy = [ "timers-borg.target" ];
+
+      timerConfig = {
+        Persistent = false;
+        OnBootSec = tCfg.interval;
+        OnUnitActiveSec = tCfg.interval;
+        RandomizedDelaySec = mkIf (tCfg.jitter != null) tCfg.jitter;
+      };
+    }) (flatten (mapAttrsToList (target: tCfg: map (path: { inherit target path tCfg; }) tCfg.paths) cfg.targets)))) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {
+      enable = tCfg.prune != {};
+    
+      requiredBy = [ "timers-borg.target" ];
+
+      timerConfig = {
+        Persistent = false;
+        OnBootSec = tCfg.interval;
+        OnUnitActiveSec = tCfg.interval;
+        RandomizedDelaySec = mkIf (tCfg.jitter != null) tCfg.jitter;
+      };
+    }) cfg.targets);
+
+    systemd.services = (mapAttrs' (target: tCfg: nameValuePair "borgbackup-${target}@" (let
+      deps = flatten [
+        (optional (cfg.snapshots == "btrfs") "btrfs-snapshot@%i.service")
+        (optional tCfg.network "network-online.target")
+      ];
+    in {
+      bindsTo = deps;
+      after = deps;
+
+      path = with pkgs; [borgbackup] ++ optional (tCfg.lock != null) utillinux;
+
+      script = let
+        borgCmd = ''
+          borg create \
+            --lock-wait ${toString tCfg.lockWait} \
+            --stats \
+            --list \
+            --filter 'AME' \
+            --exclude-caches \
+            --keep-exclude-tags \
+            --patterns-from .backup-${target} \
+            --one-file-system \
+            --compression auto,lzma \
+            ${tCfg.repo}::${cfg.prefix}$1-{utcnow}
+        '';
+      in if tCfg.lock == null then borgCmd else "flock -xo /var/lock/${tCfg.lock} ${borgCmd}";
+      scriptArgs = if cfg.snapshots == "lvm" then "%I" else "%i";
+
+      unitConfig = {
+        AssertPathIsDirectory = mkIf (tCfg.lock != null) "/var/lock";
+        DefaultDependencies = false;
+        RequiresMountsFor = mkIf (cfg.snapshots == "lvm") [ "${mountPoint}/${withSuffix "%I"}" ];
+      };
+
+      serviceConfig = {
+        Type = "oneshot";
+        WorkingDirectory = if (cfg.snapshots == null) then "%I" else (if (cfg.snapshots == "lvm") then "${mountPoint}/${withSuffix "%I"}" else "${withSuffix "%f"}");
+        Nice = 15;
+        IOSchedulingClass = 2;
+        IOSchedulingPriority = 7;
+        SuccessExitStatus = [1 2];
+        Slice = "system-borgbackup.slice";
+      };
+    })) cfg.targets) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {
+      enable = tCfg.prune != {};
+    
+      bindsTo = ["network-online.target"];
+      after = ["network-online.target"];
+
+      path = with pkgs; [borgbackup];
+
+      script = concatStringsSep "\n" (mapAttrsToList (path: args: ''
+        borg prune \
+          --lock-wait ${toString tCfg.lockWait} \
+          --list \
+          --stats \
+          --prefix ${escapeShellArg "${cfg.prefix}${path}"} \
+          ${escapeShellArgs args} \
+          ${tCfg.repo}
+      '') tCfg.prune);
+
+      serviceConfig = {
+        Type = "oneshot";
+        Slice = "system-borgbackup.slice";
+      };
+    }) cfg.targets);
+  };
+}
diff --git a/modules/borgbackup/lvm-snapshots.nix b/modules/borgbackup/lvm-snapshots.nix
new file mode 100644
index 00000000..9b2a6562
--- /dev/null
+++ b/modules/borgbackup/lvm-snapshots.nix
@@ -0,0 +1,133 @@
+{ config, lib, utils, pkgs, ... }:
+
+with utils;
+with lib;
+
+let
+  cfg = config.services.lvm-snapshots;
+
+  snapshotMount = name: "${cfg.mountPoint}/${if isNull cfg.snapshots."${name}".mountName then name else cfg.snapshots."${name}".mountName}";
+  snapshotName = name: "${name}-${cfg.mountSuffix}";
+
+  snapshotConfig = {
+    options = {
+      LV = mkOption {
+        type = types.str;
+      };
+
+      VG = mkOption {
+        type = types.str;
+      };
+
+      mountName = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      
+      cowSize = mkOption {
+        type = types.str;
+        default = "-l20%ORIGIN";
+      };
+
+      readOnly = mkOption {
+        type = types.bool;
+        default = true;
+      };
+
+      persist = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+  };
+in {
+  options = {
+
+    services.lvm-snapshots = {
+      snapshots = mkOption {
+        type = types.attrsOf (types.submodule snapshotConfig);
+        default = {};
+      };
+
+      mountPoint = mkOption {
+        type = types.path;
+        default = "/mnt";
+      };
+
+      mountSuffix = mkOption {
+        type = types.str;
+        default = "-snapshot";
+      };
+    };
+  };
+
+  
+  config = mkIf (cfg != {}) {
+
+    boot.kernelModules = [ "dm_snapshot" ];
+
+    # system.activationScripts = mapAttrs' (name: scfg: nameValuePair ("lvm-mountpoint" + name) ''
+    #   mkdir -p ${snapshotMount name}
+    # '') cfg.snapshots;
+
+    systemd.services = mapAttrs' (name: scfg: nameValuePair ("lvm-snapshot@" + escapeSystemdPath name) {
+      enable = true;
+
+      description = "LVM-snapshot of ${scfg.VG}/${scfg.LV}";
+
+      bindsTo = ["${escapeSystemdPath "/dev/${scfg.VG}/${scfg.LV}"}.device"];
+      after = ["${escapeSystemdPath "/dev/${scfg.VG}/${scfg.LV}"}.device"];
+
+      unitConfig = {
+        StopWhenUnneeded = !scfg.persist;
+        AssertPathIsDirectory = "/var/lock";
+      };
+
+      path = with pkgs; [ devicemapper utillinux ];
+      
+      script = ''
+        (
+          flock -xn -E 4 9
+          if [[ "$?" -ne 0 ]]; then
+            exit $?
+          fi
+          
+          lvcreate -s ${scfg.cowSize} --name ${snapshotName name} ${scfg.VG}/${scfg.LV}
+
+          sleep infinity &
+        ) 9>/var/lock/lvm-snapshot.${scfg.VG}
+      '';
+      
+      preStart = ''
+        lvremove -f ${scfg.VG}/${snapshotName name}
+      '';
+
+      preStop = ''
+        lvremove -f ${scfg.VG}/${snapshotName name}
+      '';
+
+      serviceConfig = with pkgs; {
+        Type = "forking";
+        RestartForceExitStatus = [ "4" ];
+        RestartSec = "5min";
+      };
+    }) cfg.snapshots;
+
+    systemd.mounts = mapAttrsToList (name: scfg: {
+      enable = true;
+
+      unitConfig = {
+        # AssertPathIsDirectory = snapshotMount name;
+        StopWhenUnneeded = !scfg.persist;
+      };
+
+      bindsTo = [ ("lvm-snapshot@" + escapeSystemdPath name + ".service") ];
+      after = [ ("lvm-snapshot@" + escapeSystemdPath name + ".service") ];
+
+      options = concatStringsSep "," ([ "noauto" ] ++ optional scfg.readOnly "ro");
+
+      where = snapshotMount name;
+      what = "/dev/" + scfg.VG + "/" + snapshotName name;
+    }) cfg.snapshots;
+  };
+}
diff --git a/modules/kill-user.nix b/modules/kill-user.nix
new file mode 100644
index 00000000..dd897b36
--- /dev/null
+++ b/modules/kill-user.nix
@@ -0,0 +1,13 @@
+{ lib, pkgs, config, ... }:
+{
+  options = {
+    systemd.kill-user.enable = lib.mkEnableOption "Systemd kill-user@ services";
+  };
+  
+  config.systemd.services."kill-user@" = lib.mkIf config.systemd.kill-user.enable {
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
+    };
+  };
+}
diff --git a/modules/tinc-networkmanager.nix b/modules/tinc-networkmanager.nix
new file mode 100644
index 00000000..ff03abd2
--- /dev/null
+++ b/modules/tinc-networkmanager.nix
@@ -0,0 +1,36 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.services.tinc;
+in {
+  options = {
+    services.tinc.networks = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options.nmDispatch = lib.mkOption {
+          type = lib.types.bool;
+          default = config.networking.networkmanager.enable;
+          description = ''
+            Install a network-manager dispatcher script to automatically
+            connect to all remotes when networking is available
+          '';
+        };
+      });
+    };
+  };
+
+  config = {
+    networking.networkmanager.dispatcherScripts = lib.concatLists (lib.flip lib.mapAttrsToList cfg.networks (network: data: lib.optional data.nmDispatch {
+      type = "basic";
+      source = pkgs.writeScript "connect-${network}.sh" ''
+        #!${pkgs.stdenv.shell}
+
+        shopt -s extglob
+
+        case "''${2}" in
+          (?(vpn-)up)
+            ${data.package}/bin/tinc -n ${network} --pidfile /run/tinc.${network}.pid --batch retry
+            ;;
+        esac
+      '';
+    }));
+  };
+}
diff --git a/modules/uucp.nix b/modules/uucp.nix
new file mode 100644
index 00000000..8d8ac1a2
--- /dev/null
+++ b/modules/uucp.nix
@@ -0,0 +1,391 @@
+{ flake, config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  portSpec = name: node: concatStringsSep "\n" (map (port: ''
+    port ${name}.${port}
+    type pipe
+    protocol ${node.protocols}
+    reliable true
+    command ${pkgs.openssh}/bin/ssh -x -o batchmode=yes ${name}.${port}
+  '') node.hostnames);
+  sysSpec = name: node: ''
+    system ${name}
+    time any
+    chat-seven-bit false
+    chat . ""
+    protocol ${node.protocols}
+    command-path ${concatStringsSep " " cfg.commandPath}
+    commands ${concatStringsSep " " node.commands}
+    ${concatStringsSep "\nalternate\n" (map (port: ''
+      port ${name}.${port}
+    '') node.hostnames)}
+  '';
+  sshConfig = name: node: concatStringsSep "\n" (map (port: ''
+    Host ${name}.${port}
+      Hostname ${port}
+      IdentitiesOnly Yes
+      IdentityFile ${cfg.sshKeyDir}/${name}
+  '') node.hostnames);
+  sshKeyGen = name: node: ''
+    if [[ ! -e ${cfg.sshKeyDir}/${name} ]]; then
+      ${pkgs.openssh}/bin/ssh-keygen ${escapeShellArgs node.generateKey} -f ${cfg.sshKeyDir}/${name}
+    fi
+  '';
+  restrictKey = key: ''
+    restrict,command="${chat}" ${key}
+  '';
+  chat = pkgs.writeScript "chat" ''
+    #!${pkgs.stdenv.shell}
+
+    echo .
+    exec ${config.security.wrapperDir}/uucico
+  '';
+
+  nodeCfg = {
+    options = {
+      commands = mkOption {
+        type = types.listOf types.str;
+        default = cfg.defaultCommands;
+        description = "Commands to allow for this remote";
+      };
+
+      protocols = mkOption {
+        type = types.separatedString "";
+              default = cfg.defaultProtocols;
+              description = "UUCP protocols to use for this remote";
+      };
+
+      publicKeys = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "SSH client public keys for this node";
+      };
+
+      generateKey = mkOption {
+        type = types.listOf types.str;
+        default = [ "-t" "ed25519" "-N" "" ];
+        description = "Arguments to pass to `ssh-keygen` to generate a keypair for communication with this host";
+      };
+
+      hostnames = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "Hostnames to try in order when connecting";
+      };
+    };
+  };
+
+  cfg = config.services.uucp;
+in {
+  options = {
+    services.uucp = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled we set up an account accesible via uucp over ssh
+        '';
+      };
+
+      nodeName = mkOption {
+        type = types.str;
+        default = "nixos";
+        description = "uucp node name";
+      };
+
+      sshUser = mkOption { 
+        type = types.attrs;
+        default = {};
+        description = "Overrides for the local uucp linux-user";
+      };
+
+      extraSSHConfig = mkOption {
+        type = types.str;
+        default = "";
+        description = "Extra SSH config";
+      };
+
+      remoteNodes = mkOption {
+        type = types.attrsOf (types.submodule nodeCfg);
+        default = {};
+        description = ''
+          Ports to set up
+          Names will probably need to be configured in sshConfig
+        '';
+      };
+
+      commandPath = mkOption {
+        type = types.listOf types.path;
+        default = [ "${pkgs.rmail}/bin" ];
+        description = ''
+          Command search path for all systems
+        '';
+      };
+
+      defaultCommands = mkOption {
+        type = types.listOf types.str;
+        default = ["rmail"];
+        description = "Commands allowed for remotes without explicit override";
+      };
+
+      defaultProtocols = mkOption {
+        type = types.separatedString "";
+              default = "te";
+              description = "UUCP protocol to use within ssh unless overriden";
+      };
+
+      incomingProtocols = mkOption {
+        type = types.separatedString "";
+        default = "te";
+        description = "UUCP protocols to use when called";
+      };
+
+      homeDir = mkOption {
+        type = types.path;
+        default = "/var/uucp";
+        description = "Home of the uucp user";
+      };
+
+      sshKeyDir = mkOption {
+        type = types.path;
+        default = "${cfg.homeDir}/.ssh/";
+        description = "Directory to store ssh keypairs";
+      };
+
+      spoolDir = mkOption {
+        type = types.path;
+        default = "/var/spool/uucp";
+        description = "Spool directory";
+      };
+
+      lockDir = mkOption {
+        type = types.path;
+        default = "/var/spool/uucp";
+        description = "Lock directory";
+      };
+
+      pubDir = mkOption {
+        type = types.path;
+        default = "/var/spool/uucppublic";
+        description = "Public directory";
+      };
+
+      logFile = mkOption {
+        type = types.path;
+        default = "/var/log/uucp";
+        description = "Log file";
+      };
+
+      statFile = mkOption {
+        type = types.path;
+        default = "/var/log/uucp.stat";
+        description = "Statistics file";
+      };
+
+      debugFile = mkOption {
+        type = types.path;
+        default = "/var/log/uucp.debug";
+        description = "Debug file";
+      };
+
+      interval = mkOption {
+        type = types.nullOr types.str;
+        default = "1h";
+        description = ''
+          Specification of when to run `uucico' in format used by systemd timers
+          The default is to do so every hour
+        '';
+      };
+
+      nmDispatch = mkOption {
+        type = types.bool;
+        default = config.networking.networkmanager.enable;
+        description = ''
+          Install a network-manager dispatcher script to automatically
+          call all remotes when networking is available
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = ''
+          run-uuxqt 1
+        '';
+        description = "Extra configuration to append verbatim to `/etc/uucp/config'";
+      };
+
+      extraSys = mkOption {
+        type = types.lines;
+        default = ''
+          protocol-parameter g packet-size 4096
+        '';
+              description = "Extra configuration to prepend verbatim to `/etc/uucp/sys`";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.etc."uucp/config" = {
+      text = ''
+        hostname ${cfg.nodeName}
+      
+        spool ${cfg.spoolDir}
+        lockdir ${cfg.lockDir}
+        pubdir ${cfg.pubDir}
+        logfile ${cfg.logFile}
+        statfile ${cfg.statFile}
+        debugfile ${cfg.debugFile}
+        
+        ${cfg.extraConfig}
+      '';
+    };
+
+    users.users."uucp" = {
+      name = "uucp";
+      isSystemUser = true;
+      isNormalUser = false;
+      createHome = true;
+      home = cfg.homeDir;
+      description = "User for uucp over ssh";
+      useDefaultShell = true;
+      openssh.authorizedKeys.keys = map restrictKey (concatLists (mapAttrsToList (name: node: node.publicKeys) cfg.remoteNodes));
+    } // cfg.sshUser;
+
+    system.activationScripts."uucp-sshconfig" = ''
+      mkdir -p ${config.users.users."uucp".home}/.ssh
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${config.users.users."uucp".home}/.ssh
+      chmod 700 ${config.users.users."uucp".home}/.ssh
+      ln -fs ${builtins.toFile "ssh-config" ''
+        ${concatStringsSep "\n" (mapAttrsToList sshConfig cfg.remoteNodes)}
+      
+        ${cfg.extraSSHConfig}
+      ''} ${config.users.users."uucp".home}/.ssh/config
+
+      mkdir -p ${cfg.sshKeyDir}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.sshKeyDir}
+      chmod 700 ${cfg.sshKeyDir}
+
+      ${concatStringsSep "\n" (mapAttrsToList sshKeyGen cfg.remoteNodes)}
+    '';
+
+    system.activationScripts."uucp-logs" = ''
+      touch ${cfg.logFile}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.logFile}
+      chmod 644 ${cfg.logFile}
+      touch ${cfg.statFile}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.statFile}
+      chmod 644 ${cfg.statFile}
+      touch ${cfg.debugFile}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.debugFile}
+      chmod 644 ${cfg.debugFile}
+    '';
+
+    environment.etc."uucp/port" = {
+      text = ''
+        port ssh
+        type stdin
+        protocol ${cfg.incomingProtocols}
+      '' + concatStringsSep "\n" (mapAttrsToList portSpec cfg.remoteNodes);
+    };
+    environment.etc."uucp/sys" = {
+      text = cfg.extraSys + "\n" + concatStringsSep "\n" (mapAttrsToList sysSpec cfg.remoteNodes);
+    };
+
+    security.wrappers = let
+      wrapper = p: {
+        name = p;
+        value = {
+          source = "${pkgs.uucp}/bin/${p}";
+          owner = "root";
+          group = "root";
+          setuid = true;
+          setgid = false;
+        };
+      };
+    in listToAttrs (map wrapper ["uucico" "cu" "uucp" "uuname" "uustat" "uux" "uuxqt"]);
+
+    nixpkgs.overlays = [(self: super: {
+      uucp = super.stdenv.lib.overrideDerivation super.uucp (oldAttrs: {
+        configureFlags = "--with-newconfigdir=/etc/uucp";
+        patches = [
+          (super.writeText "mailprogram" ''
+             policy.h | 2 +-
+             1 file changed, 1 insertion(+), 1 deletion(-)
+
+            diff --git a/policy.h b/policy.h
+            index 5afe34b..8e92c8b 100644
+            --- a/policy.h
+            +++ b/policy.h
+            @@ -240,7 +240,7 @@
+                the sendmail choice below.  Otherwise, select one of the other
+                choices as appropriate.  */
+             #if 1
+            -#define MAIL_PROGRAM "/usr/lib/sendmail -t"
+            +#define MAIL_PROGRAM "${config.security.wrapperDir}/sendmail -t"
+             /* #define MAIL_PROGRAM "/usr/sbin/sendmail -t" */
+             #define MAIL_PROGRAM_TO_BODY 1
+             #define MAIL_PROGRAM_SUBJECT_BODY 1
+          '')
+        ];
+      });
+      rmail = super.writeScriptBin "rmail" ''
+          #!${super.stdenv.shell}
+
+          # Dummy UUCP rmail command for postfix/qmail systems
+
+          IFS=" " read junk from junk junk junk junk junk junk junk relay
+
+          case "$from" in
+            *[@!]*) ;;
+            *) from="$from@$relay";;
+          esac
+
+          exec ${config.security.wrapperDir}/sendmail -G -i -f "$from" -- "$@"
+        '';
+    })];
+
+    environment.systemPackages = with pkgs; [
+      uucp
+    ];
+
+    systemd.services."uucico@" = {
+      serviceConfig = {
+        User = "uucp";
+        Type = "oneshot";
+        ExecStart = "${config.security.wrapperDir}/uucico -D -S %i";
+      };
+    };
+
+    systemd.timers."uucico@" = {
+      timerConfig.OnActiveSec = cfg.interval;
+      timerConfig.OnUnitActiveSec = cfg.interval;
+    };
+
+    systemd.targets."multi-user" = {
+      wants = mapAttrsToList (name: node: "uucico@${name}.timer") cfg.remoteNodes;
+    };
+
+    systemd.kill-user.enable = true;
+    systemd.targets."sleep" = {
+      after = [ "kill-user@uucp.service" ];
+      wants = [ "kill-user@uucp.service" ];
+    };
+    
+    networking.networkmanager.dispatcherScripts = optional cfg.nmDispatch {
+      type = "basic";
+      source = pkgs.writeScript "callRemotes.sh" ''
+        #!${pkgs.stdenv.shell}
+
+        shopt -s extglob
+
+        case "''${2}" in
+          (?(vpn-)up)
+            ${concatStringsSep "\n    " (mapAttrsToList (name: node: "${pkgs.systemd}/bin/systemctl start uucico@${name}.service") cfg.remoteNodes)}
+            ;;
+        esac
+      '';
+    };
+  };
+}
diff --git a/modules/yggdrasil/default.nix b/modules/yggdrasil/default.nix
new file mode 100644
index 00000000..91a550d6
--- /dev/null
+++ b/modules/yggdrasil/default.nix
@@ -0,0 +1,49 @@
+{ config, lib, customUtils, ... }:
+let
+  cfg = config.services.tinc.yggdrasil;
+in {
+  options = {
+    services.tinc.yggdrasil = lib.mkOption {
+      type = lib.types.submodule {
+        options = {
+          enable = lib.mkEnableOption "Yggdrasil tinc network";
+          
+          connect = lib.mkOption {
+            default = true;
+            type = lib.types.bool;
+            description = ''
+              Connect to central server
+            '';
+          };
+        };
+      };
+    };
+  };
+  
+  config = lib.mkIf cfg.enable {
+    services.tinc.networks.yggdrasil = {
+      name = config.networking.hostName;
+      hostSettings = customUtils.recImport { dir = ./hosts; };
+      debugLevel = 2;
+      interfaceType = "tap";
+      settings = {
+        Mode = "switch";
+        PingTimeout = 30;
+        ConnectTo = lib.mkIf cfg.connect "ymir";
+      };
+    };
+
+    sops.secrets = {
+      tinc-yggdrasil-rsa = {
+        key = "rsa";
+        path = "/etc/tinc/yggdrasil/rsa_key.priv";
+        sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
+      };
+      tinc-yggdrasil-ed25519 = {
+        key = "ed25519";
+        path = "/etc/tinc/yggdrasil/rsa_key.priv";
+        sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
+      };
+    };
+  };
+}
diff --git a/modules/yggdrasil/hosts/sif/default.nix b/modules/yggdrasil/hosts/sif/default.nix
new file mode 100644
index 00000000..32b844de
--- /dev/null
+++ b/modules/yggdrasil/hosts/sif/default.nix
@@ -0,0 +1,13 @@
+{
+  settings.Ed25519PublicKey = "qJqty+wiTNcYaHQCvQNiMqXYz30C9M3+LI/qjmU/9hK";
+  rsaPublicKey = ''
+    -----BEGIN RSA PUBLIC KEY-----
+    MIIBCgKCAQEA0ACaacg9EN0hBQct8ZwQ/i6EsXKP4DIwKwabM2rp8azValTHU2uI
+    WW6JRY+Eii6zRx9B5kJ96C4rJJeAGV6lZPAogaC2LbM7lcsZ7oRDWZGaQKcZFNGi
+    laEcDg2dRuDx1W4at0rb03SDLNPt8sXSV6BcK9n/7m7+s9cwM/+PB8FHDMnWvwbC
+    usbP23020s+CVr/PU1z/7J0y3Eat+Acut6x5X8DNewpqV96wQpqdAggbhtYERMFH
+    +i0sa1WUDQtJ6HGChbENRTMlsPJ6lnzXY+J0pzatzzvetLsOljES9uJ8dtk6qBC7
+    KRZo5lvdUwR6j9XiHMQeRerUt23b9ATFXQIDAQAB
+    -----END RSA PUBLIC KEY-----
+  '';
+}
diff --git a/modules/yggdrasil/hosts/sif/private-keys.yaml b/modules/yggdrasil/hosts/sif/private-keys.yaml
new file mode 100644
index 00000000..9be82bc1
--- /dev/null
+++ b/modules/yggdrasil/hosts/sif/private-keys.yaml
@@ -0,0 +1,34 @@
+ed25519: ENC[AES256_GCM,data:1CqB4y6CIm5JUsznpXPqqLJqCKmmoAJOZQTWb7+Jbn0oZMX27qSMK4CchHF7Bmo24EK8rk5EyW5aQLnoxp/2NA62p8SXdaoI8Qgz3EgsQ5QrlJrt1jvERpNs4vttT9V6+aK3Yojr9IuQSvJ4jyKSLrzrTnLzF9pXlaOf1Ru5SxySRWtVzynzurRpdUVS6goE+lb+Irg6x2geV719iQ9bu1C2smeQDREdS+dlfoxp02/pU6kTFA7KAm5vA91HKEfMqfSEzuBgUB0=,iv:n6Yh0zZ9AbT+83P42QNO2rCCISJV5nbO9wYcwaRYD2E=,tag:dJpXV9ZzLSO1B+LsyV3vAg==,type:str]
+rsa: ENC[AES256_GCM,data:7faQJAhoYt3MJidg4TVwysmLGZ4V1fA9NYYKgEMgky4q0Q9tBGhEsA60uj7iKcMMRhGku7feIFkj2+1qjKy+e1Bajfs2rqxgyqYmM6yOTrmorbXBVyrPOTOwJp3yp7O1vIXwoUS9vWIYxFszpfaLL0/8aARYVrYmpxf3gsBfQ4LciM1VKEgjG3uRBf1tDLaNuMNyzdan0DFghwuDojPOXUFv/6yuPxU2U0TagVjwAk4FThGwEasvV454RSm/GmqYtX+P4Vc3pEWNYAK1rXJAuXm1392Uash+HGQ+3ln5N9yWneewgPPr0pePAugxxN0qnwhy5MRKGQE3ZHCZ0beslfOm6pkmYTfww3lKNIJGabMfMD3COoAI7zWebUvksZPsgH6f1olbzABkZdS1s//WNMnWQHGxsWePXkLFe8bfnNXouEXHtLvQ7On0KPyt8y5QBI9bDPpTn92/O9jCevXSttrez4buBdCHFmCE8xgW5JKKEXgMubPPjEF3MABiGu0TMeWM4a1ibY7HfvNrRkO1pE9RhdRT/dFV/MrPxk7P0k16x9H4+QnE7VglfNZO3Wd3bnYxcH7hmAbIzpFnUJvolyNfmynwL2WwaYuBskXASD1FuqpM0tbhantqGyHVPe62+KimU0zDAJ1HMyqhIN0MD1MSXsdoItAsw033GYLB83L8xPatARJR9qEdKwrhmgSDY36AbJ8VI/RUzicZoYdhK8+M7bNGIkD5MgrQO35q+3oa6Xcib+5MtW0RVJKLP4y5/XNkjd4EPl6nahcVi63/FG7LJmO+/I7bkLIAWmIq8BHcXEwbz0womYp404pSfEPr3cy1N5S3yqRdzVxavTJb0PLMpHq2rWuHK2DIY77hEOAt0XcReWYsRkmTl+v9iQLF+D4GBLr+O2oZNJrocNVZYkfdjsrUd2cUOCV7ZQphO5Yc+yKrqzmCqUUvdoJ3vlaPxMXx4LACeMImo1sAFxoOgIpyfklo/bdhi9osiL55I8pAIh5hGes/uCbwaRnW+wbaYcMliCuUO8XelfXwBot8W+0l0wk2zKRSKtYKcX1n/Ax5mIt6mIoQkvyL82lccS9ppJLjt7DYlvK8L6imeV11ATf1ZhSGB3c67/XYik5BXz827Rj29K6fg/CvU65f/bEAuE39gSJ4mHsRl3bvkNLiUMEBrDuZnText33fCbqVA5DUIfqSbLUzXtqNl8vHnlOBICYwjv8PtUMJ6VTCDu33SmtQzJAfnmuewOKAC51FPsyaDhouTKllUaqx34NfEP8k2C8/4oNPgDcLjInm3f43tIuJbScdp8ltNVCLoChS8jbBOvrVYTI0eP+BuAuEfWYldUYq96oH/x9d0yvPqZ1rnwmqg4y6GfkACw6+/QvrDdtcM+1uI86RxZ7KGurb8KG7NPdSWhzz+72+TO5Tq29K8QETLzzalnVzaVWj/xGsjgkslxmDMKxLJQw0o24lgg/R30aU9BL6YwDVi10nu+Tv5kayb/NVLdMNWxfKNg1KZcf8M2ApgonjingbpUlinZ25/IIcQB9lMT4HSyvtGtIqnsPL4SQNsgBLcMzdwbL0EvS3qMAEVWKfUm2v9AA2+RMsKEKtD4UNF2xF7oACJiyTcw/xUOmkaTIZZ2ev0JVb4IYs1qx5Skz+IMAvWQ2FjBMXna5e/LYgBl6kdLSTcDvlymHpbjjuRdRq+uq+ZMXIACyZ+qUnZ0qcfWGPxOCI0hXPc5ac/zSGkPKYiWT/rCSuo+MoijjK4YZ2fub9TCYjZRS+QvLlXOM8F06Or0jQQOveezqJFZdoBGj248BtcPAVbYqfaytIlYjARlhQL/lKaaOrbONk6kIlDpwkhlzO50OkhALItlbW4Aa8zZ/WeXkfkb/6A7NLce42XDoOnvZt9UdYVTRphf8yxjRE2YMwZsmeTIieg8KwwJdnoJIhiQFdVDFgXb2xPZA2CbdvZwGwuFkLWgJUg6H+aHdw39UnNM+S9PYaOQ9oaS7IyeWhXMgP7TKM98uILsBg/Xn9tafHaslQfjVRDEaYtrmDZMYhb+h/MZKngx7uwmUyqHszAYN/M+RMJVy3s4uBu/EufWYVMorunpPEXGYA4Rg1HUuAOvWSvpM3PJG9Wnrazw6xmkwIUSKju5irpWATYmqSX3pPkG5C0sTatszVDAvTs9+/9Xdbney7/6QskSHMph8Kn/Udpq7PPrZWADkIi1k4oibgABOXOWBk5ZbNbiDrZA==,iv:ZUAqvOpcVCXQD2PFzUh0e2m20t6gVT3mYb7S50iV/m8=,tag:AssxMqjVUEwQ4R6Y7eG9Tg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-02T14:46:16Z'
+    mac: ENC[AES256_GCM,data:Phng7z7UlE6nO3FFIQPOHgKCqDm2uOGL57ryJbokjipSSdoWPinpz0zIJv9Z67b9uOf3CQoGtV4YwcudNkzDBKOyD8uA6RYwCKpbYcZIdiy8DLL46+VT/wq9toTkeDXM6jKupzzOARZhHT8DCOLqW7u8Q3S645cbTJmw0+LMIGk=,iv:y4KEh0+bKhtnSobKVdfaPuRsueNC1lcrEbUGfEAn+Bg=,tag:3Oi4e/hSgPVsoFQpnVQj+g==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T14:45:04Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dgwm4NZSaLAcSAQdAwWM12Zara3T2xDIX3rhakGxXFyme4LE5QZgE2GjnnWEw
+            T/vhPfsKFCjA2kAmj41NupjvTPL/nzfd7+MrdHRfC462Jrq+UF1W8A4bUa3OMH5J
+            0l4BuFhl93w/VBftvnG8oSBAFCPNDapNADjTVJQStgsZa0/uD93NnCxyQmtuJYsQ
+            URlH0KMT6Kouaec4qk3SqkAHzaIIAukahBHAPf2C5cvXYw7AAOOBOdRaWycsmZDc
+            =S4Ig
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T14:45:04Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdA7apd+ipJ0lUiuPI5Sq6uj6iOQYFfuNDuzse1JFJMfn4w
+            McsGPcbMorZV0OVFmg9vuZ0GP9sb7mkm+oRuY9OeMDEifjWGHJ2UN4TvdEcCO1zx
+            0l4BvYyzFbShlQjge7+nrzVi2lzEvqsozEW76K3arWb/iYLCRyl0/Vhw5WT4K/UE
+            fw4cbqz7JrogVLFNeWSRPk3Y+Dg4Pf9rQnw1EJhUEIczYjnfajPhYe5K4M01mOby
+            =B0n7
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/modules/yggdrasil/hosts/ymir.nix b/modules/yggdrasil/hosts/ymir.nix
new file mode 100644
index 00000000..b77a9216
--- /dev/null
+++ b/modules/yggdrasil/hosts/ymir.nix
@@ -0,0 +1,19 @@
+{
+  addresses = [{ address = "ymir.yggdrasil.li"; }];
+  settings.Ed25519PublicKey = "b/SobnMqByzHOQeO+iU7OZ1liD8a++knbi5ebNawnaC";
+  rsaPublicKey = ''
+    -----BEGIN RSA PUBLIC KEY-----
+    MIICCgKCAgEAuInSfQf5euFXEVkLLzf9TumQJ+3WRsxX4uKdOXBqrIC7yjSBP8j9
+    ql5rNWPzgXxFF5ERmwW+E3cyzJLU9Htu7r3muqM6nhSZizhCskifPRFc3e5ssSke
+    XhHICHfe90+qvab/hWx/NjkW59bBYIzDuJfq+ijDFMVNgOxaiM2f3/2prUUhP7bN
+    r3wVI8KCkOaknc0SOOmOhLzfJaD5wosqLOjgaNhlro2eMgMjQlxbyW8dVVgjwseR
+    Cl/mpu7r1pSMhS66RFH68wDoC3X81f7Zs9ZGDLTD8KXWhx0qgUMUAH4n6YGY0RM6
+    BZ3qR/3KFRU64QPVAERpb0JdsU9ggCVydHkjrWW23ptHOPAOO5+yQj7tSDCKTRy9
+    dHMQnbtPrgAb6iMhO1XTxA8Hdta1sCHsewsQekarwsA1bmk3hTgi/k8vwoGDUWtk
+    jgiDEPuutfmH4C6qxq9s+6lRboNKH8wgkVGpHiaq7mmePFdhzFdrj4+fYAMZTbil
+    2iygsJ+yFOjA7U+iT6QDK33/MLsrQg0Ue6RPiG1qnDyax7gBAjz52iWkiuSkUXk0
+    E5ImdP4XMILgGcWk8iPq5iRS03edE0pCpxGX3ZZwFE5+CoXgO6wR1ToL1vZEEHMQ
+    SHJPufKjkavPKbejPps/mLaJQVw3W10PAJssB9nxW2aHX3n0ugGaIvMCAwEAAQ==
+    -----END RSA PUBLIC KEY-----
+  '';
+}
diff --git a/overlays/nvidia-kernel-5.7.nix b/overlays/nvidia-kernel-5.7.nix
new file mode 100644
index 00000000..92d3abb3
--- /dev/null
+++ b/overlays/nvidia-kernel-5.7.nix
@@ -0,0 +1,19 @@
+final: prev: {
+  linuxPackages_latest = prev.linuxPackages_latest.extend (self: super: {
+    nvidiaPackages = super.nvidiaPackages // {
+      stable = super.nvidiaPackages.stable.overrideAttrs (attrs: {
+        patches = [
+          (prev.fetchpatch {
+            name = "nvidia-kernel-5.7.patch";
+            url = "https://gitlab.com/snippets/1965550/raw";
+            sha256 = "03iwxhkajk65phc0h5j7v4gr4fjj6mhxdn04pa57am5qax8i2g9w";
+          })
+        ];
+
+        passthru = {
+          inherit (super.nvidiaPackages.stable) settings persistenced persistencedVersion settingsVersion;
+        };
+      });
+    };
+  });
+}
diff --git a/system-profiles/default-locale.nix b/system-profiles/default-locale.nix
new file mode 100644
index 00000000..9775c095
--- /dev/null
+++ b/system-profiles/default-locale.nix
@@ -0,0 +1,7 @@
+{...}:
+{
+  i18n.defaultLocale = "en_US.UTF-8";
+  console.keyMap = "dvp";
+
+  time.timeZone = "Europe/Berlin";
+}
diff --git a/system-profiles/initrd-all-crypto-modules.nix b/system-profiles/initrd-all-crypto-modules.nix
new file mode 100644
index 00000000..6b1da298
--- /dev/null
+++ b/system-profiles/initrd-all-crypto-modules.nix
@@ -0,0 +1,7 @@
+{...}:
+{
+  boot.initrd.luks.cryptoModules = [
+    "serpent_generic" "algif_rng" "authencesn" "crct10dif_generic" "blowfish_generic" "aegis128" "crc32c_generic" "md4" "lz4hc" "cbc" "adiantum" "authenc" "seqiv" "ecdh_generic" "842" "pcbc" "curve25519-generic" "sha256_generic" "cmac" "async_tx" "async_raid6_recov" "async_memcpy" "async_xor" "gcm" "ccm" "async_pq" "sha512_generic" "echainiv" "anubis" "blowfish_common" "algif_hash" "tgr192" "ghash-generic" "crypto_simd" "michael_mic" "ansi_cprng" "cast_common" "rmd128" "sm4_generic" "twofish_common" "wp512" "zstd" "cast5_generic" "algif_skcipher" "crc32_generic" "sm3_generic" "nhpoly1305" "cryptd" "twofish_generic" "crypto_user" "af_alg" "des_generic" "rmd320" "salsa20_generic" "xts" "xxhash_generic" "ecrdsa_generic" "deflate" "rmd256" "camellia_generic" "lrw" "xor" "gf128mul" "ecc" "arc4" "crypto_engine" "ecb" "lz4" "xcbc" "aes_ti" "khazad" "streebog_generic" "cast6_generic" "blake2b_generic" "keywrap" "chacha_generic" "tea" "aes_generic" "fcrypt" "cts" "chacha20poly1305" "essiv" "hmac" "vmac" "poly1305_generic" "sha3_generic" "rmd160" "algif_aead" "ctr" "crct10dif_common" "jitterentropy_rng" "pcrypt" "serpent-avx-x86_64" "cast5-avx-x86_64" "twofish-x86_64-3way" "sha1-ssse3" "seed" "cfb" "blake2s_generic" "ofb" "cast6-avx-x86_64" "twofish-x86_64" "drbg" "serpent-sse2-x86_64" "camellia-aesni-avx2" "crct10dif-pclmul" "sha256-ssse3" "sha512-ssse3" "crc32-pclmul" "camellia-x86_64" "curve25519-x86_64" "nhpoly1305-avx2" "ghash-clmulni-intel" "poly1305-x86_64" "aegis128-aesni" "camellia-aesni-avx-x86_64" "blowfish-x86_64" "nhpoly1305-sse2" "crc32c-intel" "aesni-intel" "blake2s-x86_64" "twofish-avx-x86_64" "glue_helper" "chacha-x86_64" "serpent-avx2" "des3_ede-x86_64" "asym_tpm" "pkcs7_test_key" "tpm_key_parser"
+    "encrypted_keys"
+  ];
+}
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
new file mode 100644
index 00000000..4db3d7db
--- /dev/null
+++ b/system-profiles/openssh/default.nix
@@ -0,0 +1,36 @@
+{ customUtils, lib, config, hostName, ... }:
+{
+  services.openssh = {
+    enable = true;
+    knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.recImport { dir = ./known-hosts; }));
+
+    hostKeys = [
+      { path = "/etc/ssh/ssh_host_rsa_key";
+        type = "rsa";
+      }
+      { path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+  };
+
+  sops.secrets = {
+    ssh_host_rsa_key = {
+        key = "rsa";
+        path = "/etc/ssh/ssh_host_rsa_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+    };
+    ssh_host_ed25519_key = {
+        key = "ed25519";
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        sopsFile = ./host-keys + "/${hostName}.yaml";
+    };
+  };
+
+  environment.etc = {
+    "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
+    "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
+  };
+
+  systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+}
diff --git a/system-profiles/openssh/host-keys/sif.yaml b/system-profiles/openssh/host-keys/sif.yaml
new file mode 100644
index 00000000..ddef6dd5
--- /dev/null
+++ b/system-profiles/openssh/host-keys/sif.yaml
@@ -0,0 +1,34 @@
+ed25519: ENC[AES256_GCM,data:R7Ejs0DrCJOtEquvxuPCpwrOvV1xwCRtSMgzt7H6Dbv5z3zp94Ei8WKRPfju9dSz/4etHa1FV+1Zy7pAExWOOLU6qvaj4ZQa1FEMnJH76SN974D0hp2TON1l7QS/uRfopJJ0vnzITeCmeQcvvv0Rdz7ZUmyfPv8e76/k3h7FsGndu4wEkVg1/0a+E2dNST+/cp+l8RjXljYTiVLAByaMNz1XoK6wupef40Ce11zAGSmJS57gCwmc2yyq01sgnwex1TeDi+Pd43dTR/21n7AssqnpZGsSqpC4+RzHnxP3YGHN1dLTjHZ5fWW+zEHJZ/lG2eW4Gful+TnQ3fw2SHCjW/9BxpCjzo8GAByuJEr569fRXXAiDnmLG8GXGCpQDgSpjdkL4bFEDs0Uss3ydJEmwL3DaNkr/SHUyovwE2k5KnfIt6v0uEH+HsDSPRQpVoOgn7q3GgDmqwADfGt8MStdFVo3el/s6Rs+Q6r/ukYYu+Mon7Akv7HPGAnHDBSGOPBwy/a5Di3AA0TH/CHCmNdv,iv:HD2JAEUDz5BvZDOMAxb83UjoGZBewdePfSktD5Vh7qw=,tag:CIcXaGYLFeJrp+AU3dpStQ==,type:str]
+rsa: ENC[AES256_GCM,data:48rCmH0Id6ACaz4oGNfb72sIhfP5P8flVU4DniyTnRbaS98CIg9B3Utj7kZQYwFOOT/esQY7o/82udh8vW2j3D5eF6HfJPZa6ata5SV5b0HIZd+HMNEz2eo4FQ+ev5JWRA0I0FlYMYM/3+w855d2qolHc+voQf/+g4edlU460hx9rbhyn4injrGFdK/AxCNUwB1YXSB+UzRAV3p3U6IXd4ULQydWjJnm5lePZdBEa2q5ZKggFUVoF59fCrKPuxoRuiQTFB9UX2cRxS/MDp70m76NuxP93wGNFRfqWsVxZW7d5WH42ifLYTpIdnB0nRV4VcYdZbVxSTH2/CdRTrQ+BXut4pEsrxq91k6H3EM1FhYYDYTO+fOoKhpe/uidBTuqf3m2A7pM4zdZoTfT/0dcOxIDbtDl+2xfZEiXwXPEsoPAzLcnA23CasY0rc3I+xFgI2yIa+DFUXTiwOuqMbTRooacYVGWa5UsYO0JztizNNgp+GApxBu5fco3J2TVVBIaOpoeRZsX3BlT/8NdR3DBw00ERdj3UVBOUCNV9s++3BfnQgXDdSk/FJ0otrgXQgYxiUN6jbldP+vxt/b4S+tALu7iVApjS0UHP76zvnYotcW57UCX0Gpf9zJc2jPjxGmtIkenVSNB9ZufRg0zvGQ1qN6Ct3j/U2Ka/mfs5AE8PXYC6wFxqlOB5P5OdmVXF9srtnTirgeWbsA4Jeg+OvwAq9DbIvKDDHk0miVMu7JRsPsuCpGjgA1hHHunqFJ6vwKwKvF9k1kCmd61Kgj5MuF4BDnfRC4V22g84eO0ojJH2vU8vzjF9k5MA5zznGYgojZAtQnCXcC3k9CFbPjJE8fqk4fJ3kKoZZy+M3d4rn7JY4HZfjVs2iHZtQv7CskAi9JSULPCEirRsMnzm7jvKVUm0viS4E8dWeUoEDtMnZ1PU/IeWxlJua9hkzWmH3HqigmUq22SBTVJeb24KXyLJcvaeOsoQMOwmdJm7VUYqM8h9L8iomFf1bbExgfmhN20ACCs39sgW6wrW3ODmW85BiC/QkdApxEk65fjL+T23fN1KbXf9la/xz2FCXGUdgKMjUc+HdCtOB7VgvIehfRKodgq4l9E0zIkukT+4RdHiEA0GVga9sesLsLVtgM0UzBca7Sx9NSxEjRNrOxABohu30WPaFHoIOGg+szpD3GOGI4EpmwPK3NEjfG/RTG0ncTf910Shr9OTO69DUcoN9RVR/j6Kq7+WG9G9KxiSn2Qa0F5KFj+Pq5oIPIvGR4YkMPAvlWvvXtfTwweLr8OsNpd716WKap75iykjleeE7qGWPiFtyaiBn98VzZ9e85I8gPVCZcDTtMNXxATYDd1q0yzKV87dOL2SuzC1a2t8htb3lQuugemSfXcoLlYTdZloCClb63oLbLkDtmfd3WCpUFFlYSIxbnamixqdeLeiSL7FwkF/QpUhw0ILm+EQrZGiQ+JcOyPiiJQTDmtcAS6LbprHmapMeQCMtP3/Jk6WdfN5Jhj0x7feVJfATIoLPx0aqox7ekbU4aSzZ/8qjxlMqBcsHUEKfKCoZdVOwuklEKPhPJzGAyom/FNIVrU4EjSxcPtotMP/munJ1BWHFL5UJWPoTAZHz3Ywt50e9Fpwz9coo5NbPhRtFqVs4bOeFqJb1kq6/gPMY7J57+QSetcbBJvwVzCBsQSHoUHgvnIn7kAwM8QbfpilKZd5McL6AiGUtQbAgalXtptnnI/U59IJ8ILkdffQioM0PmzXRdTcSpe6pS6M60stQPwFE4Z9+LHr5LBuuM34YkCq1jd4EMWti+KbEFzipvdAfCYLVdacCqPXzEg3mZ00A/xCXkKk4GDpOIbC3u2T6d5UyIY6b5aX1ZJEbTa1ndVU41+Rt5z0x8tuJkqNVRK8VJ2aVqc8t+o7Ga9IRV9YcIPtDWYcVRt6zTz+DqFEmTRrnBO0AwXdT+eGrMn6X3Nj+DIjPf2B5Nve/98PyRZDRlXkcAKe5FLrVqh1d888MX7pfH+BK8I4kmFokqitxKMw63aeakjpotgN1jUdMtZR9weo6pp4TCStQwlRA41fMLgjxiiZquiajxz1zTlYKr2CVpaw6fDLkBvUw44+ZNHHn75O1/lCuT6MmK9Bu1TwsNsNd4JQSpeY0KHF6VZM0EaS3rIsnZz61X02fdpmo6Nw0mFtB4AidghSI1l+tKVVMnYJqB48eU0w+PHhdkWsi6F3Agp4L4043tWr1o4+WGBnOnx0/rNUEEu30Dtwsty0V87k1c5GRo8PKnzSHtis+QaDOL+xSIVMhsFOcuLV+VhVm84NWjgpKcCb++NInR2BbAwNRBArdIaOfQVw/HlkfnAJNWmOr6y8db1PEPNQVPVflb8bfMsZjZpBy6w1JN2Y15ZL7L0tltyUyDomT3IfMURpIW6OoyaIQS+T6NAkqq0bOllnkRnBziTNae57zl/iNg4AlWtq0NRSed0ls7Dr3yYe5Y+JvGmuW+HEA1r1/Yp9ZYQrhAc6qmAZU4+XuOgANr/4tRFA2091M05+Ow0QMquZr5odLlSyVxDU+5P/+lxb4U2ltLg/lcDeTT7qJZt3vqNVRaWg+864uUO5GFtq56x+egmYpXrgGtIRjABA6oxEHRH8RENeVMIpriv0KQ0WrGvlCnZYOMkydN1YBIX9B5gXZQBDzN3POKyo7KiBtcyMi+iOkH15AaB6G5yZymckAsfVzA/VPi/M115vjOtcqK/yyYbKpzF5ZybRlDlwsWww8aymN5i9b6q0ZI1iQoV/8P8lnal1ziYABr1s30ZqYByZ3PS1OIg6Qc/UtFT8C0OhtBPtwPEy/Xalvtqhl8/9y4Yuv6D5MNCwbL5oQ2JafEaFCOslGklg0ORCwgF+Ho5ZcZPB1tK2c424wde+KBDrBDfDrrCrYoxpeuvpFoRyy0DF3xh+25OkBfxb7+VXQxn3wXDBR7Yr1tuBLQUlbiZ0d4uPj9Pw7RA4UQTMXCRfmUiHP2nTdCbBg41M/5Cx6xaOzXJPOrkvsCZnXvNpc7+nkynsHYMqOuuWuuedh4WMU7YEPZt4CasJ5iofrhjzJNI5G5+rTMwaLTNA5AM2hi9DPqvFOaRUv/noYlTxtBT3LzUfgprPYnCKQd4j+6wO/bfbrlQq8WFH+RwFw4W0eMTJRFYFF2ctX0HOi9TOyTTHh/4l/mzTi4OaeFi5GsboDeczeh4acQCt5IjJih4qRnB7fdQy7PF8ccNuGvKWpN2mnDZJnoCrjbX8ihwzePzYPkUQ/ZKUI4KWVuixiis8b+CH0p92/dSOzGvP2MeQVMwRMpqk2EZdj3oE/gYG7RvfgM12N5ZLAUACczbwS17rquSwgznojewY+g/8oTolY81w4P/hPqX6FhWVeeZZaBJVKVDJSm4Aqp67FSYtoOHkEsOROtqklA7JVourGOgU6DfHlaSGGU6khAPv0smaYgi7+8tztNHoaaGSrtWU5+fxEzfD+NrOLm6Wz+ZZNvxWMMwrwkdeYqSc1tJACNo6CDtN/Tx+ZZCVVE+O+Qi5HFHx13c/ChQhRVMCha0VS8sYMokcZ5H2FLFLApOpwYLLFAiNwWr18PxRf3830xRwSM5bbASl9XLz2xxrbzpApDz5EDvvWJ/lPqnxYxVKCY9cEmDLuRtpEezTUpC8t6LqxhkqCTGiHjto668Mx8OTCDI8ys/D2qOFojbDyYIzl3l+AiVucXHXUrOkPJhhiOufiR6rks5UYqC6Mffb14e8JAY4IGsszmPqVY0hFS9AWp/aHuQ61stnMmhNxUw11fCDuUd4R+NvQlWSmN4Nyv0JmC6rHaa+Y/FEIQTCmFRiutTX+0nLPwJYKx+oQYklRDZ1DLtqMcF7PPUZGSFnZGGLN6UxoDhmrwz6NYwn+bBViL6iWFIgLbpRme/3TFBplDVIDUsSmbqsiysOmtzjw3y4YgiYmlZoEc//WK109KVrQUDSKKpjCMki6wsJ+27v5rlvhyBrG8QMUqWtTTB7Xu63iRrlASXcLk8Y99ehrxw/R3bjyXu5jHe0sowoKATerpiukBIOBTzPyFWQp/8MG6wWTzDM+HyGrAoCnkC3RanF56ldyqBzbqMbBIOx+fRWWuUl27YTwWLaPoZbO/+kgwzmguUj+bfqxExa4OTiMamLoZQh3LfIIJhQMd6MR1SDpRNg6D4YI7ftzrgQIe/CjjlWAfzkgeaPLx7Qeer0Te7wdJymWnQs5NBNAdWGcBgAS7/h4JZPBaqvd8KYPl2cg0Mv9k6+ogExv8YAz25rRPaJB1pKbhB5bkNIBRbUzCUhD3nk5uumvgKS0p6qn8hcD1CqEPt+ZH2CemlP5wjt9aHxplVZgG5vFZX0SREGDTSKwQoUbig1cHmRMOkO7vgS3B8eB7/J1UK3QeQe6roQSM80kbcLYH2flUmqQluGO1ZZDUttlp0ACP2lwlaBysp4X3KYPIwiHf1mXH/EQqgt305FNiKynDV6or7VWYQe5CXvTGg,iv:X57Ayvq6r0m1SGeVrBH8WCZ7TihobLLhy7spX4NIly8=,tag:caDTP5SwuWJAWGpwr9x0eQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-02T19:05:26Z'
+    mac: ENC[AES256_GCM,data:yJGzs0W0R+b6WPkUaQc9cxeTBBEXot0ffUAG77Of88kREFsD5ams9qEDCs8LhPhMtLSH5L8bqMLF28n2w6d9gf41NDBl/oj+XTJE26c4D+MWF2A0fqTvwv1l3524TfavVU8iur0bCbytNfcHSZ3zCQAYElswOGupO+K0Y3hwKKI=,iv:jHSgQV6Jg2Yckp8G0Z23Ny74ZQxZ/+C/neXKrEWUVak=,tag:DhOr2cVhIq8i4JAO+fdXxA==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T19:04:29Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dgwm4NZSaLAcSAQdArkswGx9w0Rbfp1N89qALAbPMhboirsnlNvms/FomXiUw
+            taW9n4oEJ5oW2UYzNNn72SwF1jYbrqczAbxt3dM9PSz1gHFoh+ZJhGokVFJvJ7sO
+            0l4BEOkWmL/9uyOiCq574nH6OxxTPu9C4GNU8lv/Z/qJ+oAocJkGknsIJzd8M5ax
+            Fo/HqAGGfvnH3RI5FO3tTxfAKlfxlO2MJ2lsCypJuez5WewPnaTPjTbogjhzG2aQ
+            =HXLp
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T19:04:29Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdAUSTwFAciB+Yh2IieFoN/xmQd+GU/g+cuKej6cZk78TUw
+            ETM8c1TSovML5q9usUX0pl/AbRBwp2In47RMkTn4Mul1XxJuXhgCnrc5swwYrS+h
+            0l4BOxJ3bF/yYyKfGrmc/mNe51sdHH+fgQ9IXaQhcopw4kyZqvBXhJF/oP/mhnOL
+            VMhsfg50ol1XmXVefyo5JPedbzABm3vRZv9U+/zvKNJxIro2hWchd5CxvzN4l/MR
+            =30r5
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/system-profiles/openssh/known-hosts/sif.nix b/system-profiles/openssh/known-hosts/sif.nix
new file mode 100644
index 00000000..8326d389
--- /dev/null
+++ b/system-profiles/openssh/known-hosts/sif.nix
@@ -0,0 +1,16 @@
+let
+  hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
+in {
+  rsa = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCeFqJep1CuWakcoiAkz4bSaHbAIwM89Er46o3KUpjCWGTmDmhJyBiG38pupcctH0awwElkX09GsNx230mTtjT6qcxN+vGsGMJIqFD+/7ZobSLJDHYCo6Jx23jZUjg1SqxYjwB5ooWGI61Vh6SaOy8WRrUn0q8rJyd9SEC+3tJlKO5QqRi/Vnwzj47m+YjGz2UlqJ9a4GeRh1O5SiGx5jd4a/VoeK1XJcW94XeWpPQdUGnVYUXZn9cwYVrogmXdr18ImnPxghsQg4xwS2A6KMjUw9m56XkqIq7vTslmL9JaYcjlSCHbsSVq9+Wu1oKxoyndN7Sim7SkAZwHFUEMBNlontBitgYl6z10VdKX739os6h07uXjGEs+mPk4/CkGZhvhnErV2T9FO+65jnU3mZkeX5tfJHqJ8PnDch2JD6O7+Mjpce4zs/x3mwH36peER6iiIBYGlSF0AlUDShdqj+fPWFu6gZ9piOAZ2L3YXDA0ulM6pL69SbulrUNOwtTy6LkBfKDwpaQK1KO1VOYBaKa7s+krOJXW18k+tpfo4aKSeTuwvykMPndKMKvxcsxNymkGo2AzLw017Qgshzv9rRbLNMBFd85S3krakGyBVL0HAVrAdkjvsWqj5FnHAjgBc1AZnZPbJu3g9/wm7k8rPMV0jxKMpW+zxjVFYDhFUWYp9w==
+    '';
+  };
+  ed25519 = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+v
+    '';
+  };
+}
diff --git a/system-profiles/openssh/known-hosts/ymir.nix b/system-profiles/openssh/known-hosts/ymir.nix
new file mode 100644
index 00000000..f29baf1d
--- /dev/null
+++ b/system-profiles/openssh/known-hosts/ymir.nix
@@ -0,0 +1,16 @@
+let
+  hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+in {
+  rsa = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
+    '';
+  };
+  ed25519 = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
+    '';
+  };
+}
diff --git a/system-profiles/sudo.nix b/system-profiles/sudo.nix
new file mode 100644
index 00000000..f2401b9f
--- /dev/null
+++ b/system-profiles/sudo.nix
@@ -0,0 +1,39 @@
+{ ... }:
+{
+  security.sudo.extraRules = [
+    { groups = "wheel";
+      commands = map (command: { inherit command; options = "NOPASSWD"; }) [
+        "/run/current-system/sw/sbin/shutdown"
+        "/run/current-system/sw/sbin/reboot"
+        "/run/current-system/sw/sbin/halt"
+        "/run/current-system/sw/bin/systemctl"
+      ];
+    }
+  ];
+
+  users.extraGroups.network = {};
+
+  security.polkit = {
+    enable = true;
+    extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (    action.id == "org.freedesktop.systemd1.manage-units"
+             && subject.isInGroup("wheel")
+           ) {
+          return polkit.Result.YES;
+        }
+      });
+
+      polkit.addRule(function(action, subject) {
+        if ((action.id == "org.blueman.rfkill.setstate" ||
+             action.id == "org.blueman.network.setup" ||
+             action.id == "org.freedesktop.NetworkManager.settings.modify.system"
+            ) && subject.local
+            && subject.active && subject.isInGroup("network")
+           ) {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+  };
+}
diff --git a/users/gkleen/default.nix b/users/gkleen/default.nix
new file mode 100644
index 00000000..03e4a64b
--- /dev/null
+++ b/users/gkleen/default.nix
@@ -0,0 +1,7 @@
+{ userName, pkgs, ... }:
+{
+  users.users.${userName} = {
+    hashedPassword = "$6$rounds=500000$dOMgCU7DAk$yQFYGOURTEt12387LIYBnFKSWmtwXMUk1LJWnV0m7OFt.y2TnxQn2abdGA5dhwG9EmMB5wZGXf4J5F71c746C/";
+    extraGroups = ["wheel" "networkmanager"];
+  };
+}
diff --git a/users/root.nix b/users/root.nix
new file mode 100644
index 00000000..88cc6b26
--- /dev/null
+++ b/users/root.nix
@@ -0,0 +1 @@
+import ./gkleen