122 files changed, 9887 insertions, 11 deletions

diff --git a/accounts/gkleen@installer.nix b/accounts/gkleen@installer.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/gkleen@installer.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/accounts/gkleen@sif/alacritty.nix b/accounts/gkleen@sif/alacritty.nix
new file mode 100644
index 00000000..3d69d292
--- /dev/null
+++ b/accounts/gkleen@sif/alacritty.nix
@@ -0,0 +1,43 @@
+{
+  font.size = 5.5;
+
+  window.dynamic_padding = true;
+
+  colors = {
+    primary.foreground = "#d9d9d9";
+    primary.background = "#000000";
+    cursor.text = "#000000";
+    cursor.cursor = "#d9d9d9";
+
+    normal = {
+      black = "#000000";
+      red = "#bf4949";
+      green = "#9fb346";
+      yellow = "#e69650";
+      blue = "#759fbf";
+      magenta = "#9b79a6";
+      cyan = "#79a69b";
+      white = "#d9d9d9";
+    };
+
+    bright = {
+      black = "#757a80";
+      red = "#e66e6e";
+      green = "#cbd676";
+      yellow = "#ffa74f";
+      blue = "#98b8d9";
+      magenta = "#ceadd9";
+      cyan = "#a3d9ce";
+      white = "#ffffff";
+    };
+  };
+
+  scrolling.history = 0;
+
+  bell = {
+    duration = 50;
+    color = "#000000";
+  };
+
+  hints.alphabet = "uhetonas";
+}
diff --git a/accounts/gkleen@sif/autorandr-profiles/bstr.nix b/accounts/gkleen@sif/autorandr-profiles/bstr.nix
new file mode 100644
index 00000000..527f8321
--- /dev/null
+++ b/accounts/gkleen@sif/autorandr-profiles/bstr.nix
@@ -0,0 +1,21 @@
+{
+  fingerprint = {
+    "eDP-1-1" = "00ffffffffffff004c83414100000000131d0104b5221378029491ae513eb7240b505400000001010101010101010101010101010101f0d40040f17018803020440058c21000001bf0d40040f17018803020440058c21000001b0000000f00ff093cff093c2c800000000000000000fe0041544e413536575230382d3020011502030f00e3058000e6060501736d0700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ab";
+    "DP-1.3" = "00ffffffffffff000469a3289bdd00000b190104a53e22783a1cb5a3574fa0270d5054bfef00d1c0814081809500b300714f81c0010122cc0050f0703e80181035006d552100001a04740030f2705a80b0588a006d552100001a000000fd001e5018a03c041100f0f838f03c000000fc0041535553205042323837510a2001a8020327714f0102031112130414051f900e0f1d1e23091707830100006a030c0010000078200000565e00a0a0a02950302035006d552100001ee26800a0a0402e60302036006d552100001a011d00bc52d01e20b82855406d552100001e8c0ad090204031200c4055006d55210000180000000000000000000000000000000064";
+  };
+  config = {
+    "DP-1.3" = {
+      enable = true;
+      primary = true;
+      position = "3840x0";
+      rate = "60";
+      mode = "3840x2160";
+    };
+    eDP-1-1 = {
+      enable = true;
+      primary = false;
+      position = "0x0";
+      mode = "3840x2160";
+    };
+  };
+}
diff --git a/accounts/gkleen@sif/autorandr-profiles/def.nix b/accounts/gkleen@sif/autorandr-profiles/def.nix
new file mode 100644
index 00000000..304b4afe
--- /dev/null
+++ b/accounts/gkleen@sif/autorandr-profiles/def.nix
@@ -0,0 +1,13 @@
+{
+  fingerprint = {
+    eDP-1-1 = "00ffffffffffff004c83414100000000131d0104b5221378029491ae513eb7240b505400000001010101010101010101010101010101f0d40040f17018803020440058c21000001bf0d40040f17018803020440058c21000001b0000000f00ff093cff093c2c800000000000000000fe0041544e413536575230382d3020011502030f00e3058000e6060501736d0700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ab";
+  };
+  config = {
+    eDP-1-1 = {
+      enable = true;
+      primary = true;
+      position = "0x0";
+      mode = "3840x2160";
+    };
+  };
+}
diff --git a/accounts/gkleen@sif/backup-patterns b/accounts/gkleen@sif/backup-patterns
new file mode 100644
index 00000000..4436887b
--- /dev/null
+++ b/accounts/gkleen@sif/backup-patterns
@@ -0,0 +1,26 @@
+R .
+
+- pp:.cache
+- pp:.antigen
++ pf:.cabal/config
+- pp:.cabal
++ pf:.stack/config.yaml
+- pp:.stack
+- pp:.nox
+- pp:.local/share/Steam
+- sh:**/.stack-work*
+- sh:**/.~lock.*
+- sh:**/.gup
++ pf:.config/pulse/default.pa
+- pp:.config/pulse
+- pp:.config/Zulip
+- pp:.config/discord
+- pp:.zplug/log
+- pp:.zplug/cache
+- pp:.compose-cache
+- pp:.undo-tree
+- pp:.saves
+- pp:.mozilla
+- pp:Downloads/tmp
+- pp:secret
+- pp:mail
\ No newline at end of file
diff --git a/accounts/gkleen@sif/default.nix b/accounts/gkleen@sif/default.nix
new file mode 100644
index 00000000..a318a8ee
--- /dev/null
+++ b/accounts/gkleen@sif/default.nix
@@ -0,0 +1,236 @@
+{ flake, userName, pkgs, customUtils, lib, config, ... }@inputs:
+let
+  cfg = config.home-manager.users.${userName};
+  xmonad = import ./xmonad pkgs.haskellPackages;
+  emacsclientDesktopItem = pkgs.makeDesktopItem {
+    name = "emacsclient";
+    genericName = "Text Editor";
+    desktopName = "emacsclient";
+    icon = "emacs";
+    mimeType = "text/english;text/plain;text/x-makefile;text/x-c++hdr;text/x-c++src;text/x-chdr;text/x-csrc;text/x-java;text/x-moc;text/x-pascal;text/x-tcl;text/x-tex;application/x-shellscript;text/x-c;text/x-c++;";
+    exec = "${config.home-manager.users.${userName}.programs.emacs.package}/bin/emacsclient -a \"\" %F";
+  };
+  emacsScratch = pkgs.stdenv.mkDerivation rec {
+    pname = "scratch";
+    version = "0077334cc299aa7885f804d88f52cdb1b35caf71";
+
+    src = pkgs.fetchFromGitHub {
+      owner = "ffevotte";
+      repo = "scratch.el";
+      rev = version;
+      sha256 = "sha256-FUkKJ+1COGzgllzzv51yUIjMZI6slOFVExdwWl2ZEBA=";
+    };
+
+    phases = [ "installPhase" ];
+
+    installPhase = ''
+      mkdir -p $out/share/emacs/site-lisp
+      cp $src/scratch.el $out/share/emacs/site-lisp/default.el
+    '';
+  };
+  muteScript = pkgs.stdenv.mkDerivation {
+    name = "mute";
+    src = ./scripts/mute.zsh;
+
+    buildInputs = with pkgs; [ makeWrapper ];
+
+    phases = [ "installPhase" ];
+
+    installPhase = ''
+      mkdir -p $out/bin
+      install -m 0755 $src $out/bin/mute
+      wrapProgram $out/bin/mute \
+        --prefix PATH : ${pkgs.zsh}/bin \
+        --prefix PATH : ${pkgs.findutils}/bin \
+        --prefix PATH : ${pkgs.util-linux}/bin \
+        --prefix PATH : ${pkgs.coreutils}/bin \
+        --prefix PATH : ${pkgs.pulseaudio}/bin
+    '';
+  };
+in {
+  imports = with flake.nixosModules.userProfiles.${userName}; [
+    mpv
+  ];
+  
+  home-manager.users.${userName} = {
+    programs = {
+      ssh = {
+        matchBlocks = import ./ssh-hosts.nix; # customUtils.nixImport { dir = ./ssh-hosts; };
+        extraConfig = ''
+          Match host uniworx3.ifi.lmu.de,uniworx4.ifi.lmu.de,uniworx5.ifi.lmu.de,uni2workgw.ifi.lmu.de,blackbeard.tcs.ifi.lmu.de,gitlab2.rz.ifi.lmu.de,oregon.tcs.ifi.lmu.de !exec "nc -z -w 1 %h %p &>/dev/null"
+            ProxyJump remote.cip.ifi.lmu.de
+
+          Host *
+        '';
+      };
+
+      emacs = {
+        enable = true;
+        extraPackages = epkgs: with epkgs; [
+          evil evil-dvorak undo-tree magit haskell-mode
+          nix-mode yaml-mode json-mode shakespeare-mode
+          smart-mode-line highlight-parentheses highlight-symbol
+          notmuch ag sass-mode lua-mode fira-code-mode use-package
+          use-package-ensure-system-package git-gutter emacsScratch
+        ];
+      };
+      firefox = {
+        enable = true;
+        profiles.default = {
+          settings = {
+            "layout.css.devPixelsPerPx" = "1.75";
+            "browser.tabs.drawInTitlebar" = false;
+            "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+            "dom.security.https_only_mode" = true;
+          };
+        };
+      };
+
+      alacritty = {
+        enable = true;
+        settings = import ./alacritty.nix;
+      };
+
+      zathura = {
+        enable = true;
+        package = pkgs.zathura.override { useMupdf = false; };
+      };
+
+      mpv.config = {
+        demuxer-max-bytes = 1073741824;
+        demuxer-max-back-bytes = 268435456;
+      };
+
+      autorandr = {
+        enable = true;
+        hooks.postswitch = {
+          # "restart-compton" = "${pkgs.systemd}/bin/systemctl --user try-restart picom";
+          "restart-trays" = ''
+              ${pkgs.coreutils}/bin/sleep 5
+              ${pkgs.systemd}/bin/systemctl --user try-restart trayer xmobar
+            '';
+        };
+        profiles = customUtils.nixImport { dir = ./autorandr-profiles; };
+      };
+
+      zsh.initExtra = "source ${./zshrc}";
+      zsh.dirHashes = {
+        u2w = "$HOME/projects/uni2work";
+        docs = "$HOME/documents";
+        dl = "$HOME/Downloads";
+        flk = "$HOME/config/nixos-flakes";
+        fsk-timi = "$HOME/projects/21s/fsk-timi";
+      };
+
+      obs-studio = {
+        enable = true;
+        plugins = with pkgs; [obs-v4l2sink];
+      };
+    };
+
+    services = {
+      dunst = {
+        settings = import ./dunst-settings.nix inputs;
+        iconTheme = cfg.gtk.iconTheme;
+        enable = true;
+      };
+      emacs.enable = true;
+      gpg-agent = {
+        enable = true;
+        enableSshSupport = true;
+        extraConfig = ''
+          pinentry-program ${pkgs.pinentry-gtk2}/bin/pinentry
+          grab
+        '';
+      };
+      pasystray.enable = true;
+      udiskie = {
+        enable = true;
+        automount = false;
+      };
+      unclutter = {
+        enable = true;
+        timeout = 5;
+      };
+      network-manager-applet.enable = true;
+      blueman-applet.enable = true;
+
+      sxhkd = {
+        enable = true;
+        keybindings = {
+          "button8" = "${muteScript}/bin/mute unmute";
+          "@button8" = "${muteScript}/bin/mute mute";
+          "button9" = "${pkgs.pulseaudio}/bin/pacmd set-sink-mute @DEFAULT_SINK@ 1";
+          "@button9" = "${pkgs.pulseaudio}/bin/pacmd set-sink-mute @DEFAULT_SINK@ 0";
+        };
+      };
+    };
+
+    gtk = {
+      enable = true;
+      font.name = "DejaVu Sans 6";
+      theme = {
+        package = pkgs.equilux-theme;
+        name = "Equilux-compact";
+      };
+      iconTheme = {
+        package = pkgs.paper-icon-theme;
+        name = "Paper";
+      };
+    };
+
+    xsession = {
+      enable = true;
+
+      windowManager.command = "${xmonad}/bin/xmonad";
+
+      initExtra = let
+          lockScript = pkgs.writeScript "lock" ''
+            #!${pkgs.stdenv.shell}
+            ${pkgs.playerctl}/bin/playerctl -a pause
+            exec ${pkgs.xsecurelock}/bin/xsecurelock
+          '';
+        in ''
+             ${pkgs.coreutils}/bin/env XSECURELOCK_WANT_FIRST_KEYPRESS=1 XSECURELOCK_DIM_ALPHA=1 ${pkgs.xss-lock}/bin/xss-lock -l -n ${pkgs.xsecurelock}/libexec/xsecurelock/dimmer -- ${lockScript} &
+             ${pkgs.xorg.xinput}/bin/xinput disable 'Synaptics TM3512-010'
+             ${pkgs.xorg.xset}/bin/xset s 590 10
+           '';
+    };
+
+    xresources.properties = import ./xresources.nix;
+
+    home = {
+      packages = with pkgs; [
+        fira-code powerline-fonts nerdfonts pavucontrol keepassxc
+        youtube-dl sxiv xclip mumble pulseaudio-ctl libnotify synergy
+        xorg.xbacklight screen-message pidgin-with-plugins
+        google-play-music-desktop-player qt5ct playerctl evince
+        thunderbird zulip zoom-us steam steam-run wireshark skype
+        virt-manager rclone cached-nix-shell xournal discord xmonad
+        worktime fira-code-symbols emacsclientDesktopItem libreoffice
+        xournalpp
+      ];
+
+      file = {
+        ".emacs".source = ./emacs.el;
+        ".backup-munin".source = ./backup-patterns;
+        ".mozilla/firefox/default/chrome/userChrome.css".source = ./firefox-chrome.css;
+        ".mozilla/firefox/default/chrome/userContent.css".source = ./firefox-content.css;
+      };
+
+      sessionVariables = {
+        GDK_SCALE = 96.0 / 282.0;
+        QT_AUTO_SCREEN_SCALE_FACTOR = 1;
+        QT_QPA_PLATFORMTHEME = "qt5ct";
+      };
+
+      extraProfileCommands = ''
+        export XDG_DATA_DIRS="${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}:${pkgs.gtk3}/share/gsettings-schemas/${pkgs.gtk3.name}''${XDG_DATA_DIRS:+:''${XDG_DATA_DIRS}}"
+      '';
+    };
+
+    fonts.fontconfig.enable = true;
+
+    systemd.user = import ./systemd.nix inputs;
+  };
+}
diff --git a/accounts/gkleen@sif/dunst-settings.nix b/accounts/gkleen@sif/dunst-settings.nix
new file mode 100644
index 00000000..8abdfc5a
--- /dev/null
+++ b/accounts/gkleen@sif/dunst-settings.nix
@@ -0,0 +1,67 @@
+{ pkgs, ... }:
+{
+  global = {
+    font = "Monospace 6";
+    markup = "full";
+    format = "<i>%s</i> %p\\n%b";
+    alignment = "left";
+    geometry = "1216x10-32+64";
+    shrink = true;
+    monitor = 0;
+    follow = "none";
+    padding = 6;
+    horizontal_padding = 6;
+    separator_height = 1;
+    separator_color = "frame";
+    idle_threshold = 0;
+
+    transparency = 10;
+
+    frame_width = 1;
+    frame_color = "#999999";
+
+    word_wrap = true;
+    show_age_threshold = 15;
+    show_indicators = false;
+    icon_position = "right";
+    sort = false;
+    sticky_history = false;
+
+    dmenu = "${pkgs.dmenu}/bin/dmenu";
+  };
+  shortcuts = {
+    close = "ctrl+space";
+    close_all = "ctrl+shift+space";
+    history = "ctrl+comma";
+    context = "ctrl+period";
+  };
+  urgency_low = {
+    background = "#000000";
+    foreground = "#999999";
+    timeout = 5;
+  };
+  urgency_normal = {
+    background = "#000000";
+    foreground = "#ffffff";
+    timeout = 15;
+  };
+  urgency_critical = {
+    background = "#900000";
+    foreground = "#ffffff";
+    timeout = 0;
+  };
+  pulseaudio-ctl = {
+    summary = "Volume *";
+    body = "Current is *";
+    set_stack_tag = "volume";
+    history_ignore = true;
+  };
+  mail = {
+    appname = "notmuch";
+    timeout = 0;
+  };
+  zulip = {
+    appname = "Zulip";
+    timeout = 0;
+  };
+}
diff --git a/accounts/gkleen@sif/emacs.el b/accounts/gkleen@sif/emacs.el
new file mode 100644
index 00000000..b22c00f5
--- /dev/null
+++ b/accounts/gkleen@sif/emacs.el
@@ -0,0 +1,178 @@
+(menu-bar-mode -1)
+(scroll-bar-mode -1)
+(tool-bar-mode -1)
+
+(setq inhibit-startup-message t)
+(defalias 'yes-or-no-p 'y-or-n-p)
+
+(set-face-attribute 'default nil :font "FiraCode Nerd Font Mono" :height 49)
+
+(require 'package)
+(setq package-archives nil)
+(package-initialize)
+(require 'use-package)
+(use-package use-package-ensure-system-package :ensure t)
+
+(require 'evil)
+(evil-mode 1)
+
+(global-subword-mode)
+(global-undo-tree-mode)
+(global-fira-code-mode)
+
+(evil-set-undo-system 'undo-tree)
+
+(global-set-key (kbd "RET") 'newline-and-indent)
+(global-set-key (kbd "M-g") 'magit-status)
+(global-set-key (kbd "M-?") 'vc-git-grep)
+
+(require 'git-gutter)
+(global-git-gutter-mode t)
+(custom-set-variables '(git-gutter:update-interval 2))
+(custom-set-variables '(git-gutter:hide-gutter t))
+
+;; (require 'scratch)
+(global-set-key (kbd "C-x B") 'scratch-create)
+(setq initial-major-mode 'scratch-mode)
+(setq initial-scratch-message "")
+
+(global-set-key (kbd "C-x K") 'kill-current-buffer)
+
+(setq backup-directory-alist `(("." . "~/.saves")))
+(setq undo-tree-history-directory-alist `(("." . "~/.undo")))
+(setq delete-old-versions t
+      kept-new-versions 6
+      kept-old-versions 2
+      version-control t)
+
+(setq undo-tree-visualizer-timestamps t
+      undo-tree-visualizer-diff t
+      ;; 10X bump of the undo limits to avoid issues with premature
+      ;; Emacs GC which truncages the undo history very aggresively
+      undo-limit 800000
+      undo-strong-limit 12000000
+      undo-outer-limit 120000000)
+
+(add-hook 'haskell-mode-hook 'haskell-indentation-mode)
+(add-hook 'haskell-mode-hook 'subword-mode)
+(add-hook 'haskell-mode-hook 'highlight-symbol-mode)
+(add-hook 'haskell-mode-hook 'highlight-paretheses-mode)
+
+(add-hook 'js-mode-hook 'highlight-symbol-mode)
+(add-hook 'js-mode-hook 'highlight-parentheses-mode)
+(defun my-js-mode-hook ()
+  "Custom `js-mode' behaviours."
+  (setq js-indent-level 2)
+  )
+(add-hook 'js-mode-hook 'my-js-mode-hook)
+
+(setq undo-tree-auto-save-history t)
+
+(defvar expand-file-name-custom-tilde-alist '(("u2w-dev1" . "/ssh:uni2work-dev1:/home/gkleen/projects/uni2work")))
+(defun my/add-to-tilde-alist (hash)
+  (let* ((tilde:dir (split-string hash "="))
+         (tilde (car tilde:dir))
+         (dir (cadr tilde:dir)))
+    (push (cons tilde dir) expand-file-name-custom-tilde-alist)))
+(mapc #'my/add-to-tilde-alist
+      (split-string (with-output-to-string
+                      (call-process "zsh" nil standard-output nil "-ic" "hash -d"))
+                    "\n" t))
+
+(defadvice expand-file-name (before expand-file-name-custom-tilde
+                             (name &optional default-directory)
+                             activate compile)
+  "User-defined expansions for ~NAME in file names."
+  (save-match-data
+    (when (string-match "\\`\\(\\(.*/\\)?~\\([^:/]+\\)\\)/" name)
+      (let ((replacement (assoc (match-string 3 name) expand-file-name-custom-tilde-alist)))
+        (when replacement
+          (setq name (replace-match (cdr replacement) t t name 1)))))))
+
+(setq notmuch-address-internal-completion '(received nil))
+(setq notmuch-always-prompt-for-sender t)
+(setq notmuch-command "notmuch-ssh")
+(setq notmuch-crypto-process-mime t)
+(setq notmuch-draft-tags '("+draft" "-inbox"))
+(setq notmuch-fcc-dirs nil)
+(setq notmuch-hello-sections '(notmuch-hello-insert-header notmuch-hello-insert-saved-searches))
+(setq notmuch-hello-thousands-separator " ")
+(setq notmuch-identities '("gkleen@yggdrasil.li" "g@141.li" "kleen@cip.ifi.lmu.de" "Gregor.Kleen@stud.ifi.lmu.de" "G.Kleen@campus.lmu.de" "G.Kleen@lmu.de" "gregor.kleen@ifi.lmu.de" "uni2work@ifi.lmu.de" "gregor@kleen.li"))
+(setq notmuch-message-headers '("Subject" "To" "Cc" "Date"))
+(setq notmuch-message-replied-tags '("+replied" "-unread" "-inbox"))
+(setq notmuch-saved-searches
+      (quote
+       ((:name "inbox" :query "tag:inbox" :key "i")
+        (:name "unread" :query "tag:unread AND tag:inbox" :key "u")
+        (:name "drafts" :query "tag:draft" :key "d")
+        (:name "all mail" :query "date:month.." :key "a" :count-query "*")
+        (:name "sent" :query "is:sent" :key "s" :count-query "is:sent")
+      )))
+(setq notmuch-search-oldest-first nil)
+(setq notmuch-show-all-tags-list t)
+(setq notmuch-show-logo nil)
+
+(setq send-mail-function 'sendmail-send-it)
+(setq mail-envelope-from 'header)
+(setq mail-specify-envelope-from 't)
+(setq mail-default-headers nil)
+(setq message-default-headers "")
+(setq message-default-mail-headers "")
+(setq message-sendmail-envelope-from 'header)
+
+(setq highlight-symbol-idle-delay 0)
+
+(setq indent-tabs-mode nil)
+
+(setq ido-enable-flex-matching t)
+(setq ido-everywhere t)
+(ido-mode 1)
+
+(setq tramp-default-method "ssh")
+(customize-set-variable 'tramp-use-ssh-controlmaster-options nil)
+
+(setq direnv-enabled-hosts '("uni2work-dev1"))
+
+(defun tramp-sh-handle-start-file-process@my-direnv (args)
+  "Enable Direnv for hosts in `direnv-enabled-hosts'."
+  (with-parsed-tramp-file-name (expand-file-name default-directory) nil
+    (if (member host direnv-enabled-hosts)
+        (pcase-let ((`(,name ,buffer ,program . ,args) args))
+          `(,name
+            ,buffer
+            "direnv"
+            "exec"
+            ,localname
+            ,program
+            ,@args))
+      args)))
+
+(with-eval-after-load "tramp-sh"
+  (advice-add 'tramp-sh-handle-start-file-process
+              :filter-args #'tramp-sh-handle-start-file-process@my-direnv))
+
+(setq mail-host-address "sif.midgard.yggdrasil")
+(setq user-full-name "Gregor Kleen")
+
+(defun tell-emacsclients-for-buffer-to-die ()
+  "Sends error exit command to every client for the current buffer."
+  (interactive)
+  (dolist (proc server-buffer-clients)
+    (server-send-string proc "-error die")))
+
+(defun kill-buffer-with-special-emacsclient-handling ()
+  "Wrapper around kill-buffer that ensures tell-emacsclients-for-buffer-to-die is on the hooks"
+  (interactive)
+  (add-hook 'kill-buffer-hook 'tell-emacsclients-for-buffer-to-die nil t)
+  (kill-buffer))
+
+;; (global-set-key (kbd "C-x k") 'kill-buffer)
+
+(defun install-emacsclient-wrapped-kill-buffer ()
+  "Installs wrapped kill-buffer with special emacsclient handling.
+Best not to install it unconditionally because the server is not
+necessarily running."
+  (interactive)
+  (global-set-key (kbd "C-x k") 'kill-buffer-with-special-emacsclient-handling))
+
+(add-hook 'server-switch-hook 'install-emacsclient-wrapped-kill-buffer)
diff --git a/accounts/gkleen@sif/firefox-chrome.css b/accounts/gkleen@sif/firefox-chrome.css
new file mode 100644
index 00000000..2d359771
--- /dev/null
+++ b/accounts/gkleen@sif/firefox-chrome.css
@@ -0,0 +1,25 @@
+@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
+
+* {
+    font-size:12px;
+}
+
+#sidebar {
+    min-width:20em !important;
+    max-width:20em !important;
+    border-right:1px solid rgba(30,30,30) !important;
+}
+
+#sidebar-header:nth-last-child(2) > *:last-child {
+    visibility: collapse;
+}
+
+#sidebar-splitter {
+    visibility: collapse;
+}
+
+#toolbar-menubar[inactive="true"] + #TabsToolbar {
+  visibility: collapse !important;
+}
+
+#sidebar-box[sidebarcommand="tabcenter-reborn_ariasuni-sidebar-action"] #sidebar-header { visibility: collapse !important; }
diff --git a/accounts/gkleen@sif/firefox-content.css b/accounts/gkleen@sif/firefox-content.css
new file mode 100644
index 00000000..3ac53a9d
--- /dev/null
+++ b/accounts/gkleen@sif/firefox-content.css
@@ -0,0 +1,12 @@
+@-moz-document url("about:blank") {
+  html {
+      background-color: rgb(40,40,40);
+  }
+}
+
+@-moz-document url(about:newtab) {
+    body, #newtab-customize-overlay {
+        background-color: rgb(40,40,40) !important;
+        color: rgb(166,166,166) !important;
+    }
+}
diff --git a/accounts/gkleen@sif/scripts/mute.zsh b/accounts/gkleen@sif/scripts/mute.zsh
new file mode 100755
index 00000000..1b30ad67
--- /dev/null
+++ b/accounts/gkleen@sif/scripts/mute.zsh
@@ -0,0 +1,18 @@
+#!/usr/bin/env zsh
+
+lockFile=~/.mute.flock
+
+case $1 in
+    mute)
+        (
+            flock -n 9 || exit 1
+            sleep 0.2
+            pacmd set-source-mute @DEFAULT_SOURCE@ 1
+        ) 9<>${lockFile} &
+    ;;
+    unmute)
+        set -o pipefail
+        while fuser ${lockFile} 2>/dev/null | cut -d ':' -f 2- | xargs -r -- kill; do sleep 0.001; done
+        pacmd set-source-mute @DEFAULT_SOURCE@ 0
+    ;;
+esac
diff --git a/accounts/gkleen@sif/ssh-hosts.nix b/accounts/gkleen@sif/ssh-hosts.nix
new file mode 100644
index 00000000..1b9fb842
--- /dev/null
+++ b/accounts/gkleen@sif/ssh-hosts.nix
@@ -0,0 +1,237 @@
+{
+  "git.ymir" =
+    { hostname = "ymir.yggdrasil.li";
+      user = "gitolite";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "git.yggdrasil.li" =
+    { user = "gitolite";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "git.rheperire.org" =
+    { user = "gitolite";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "borg.munin" =
+    { hostname = "u120515.your-storagebox.de";
+      user = "u120515";
+      identityFile = "~/.ssh/borg.munin";
+      port = 23;
+    };
+  "munin" =
+    { hostname = "u120515.your-storagebox.de";
+      user = "u120515";
+      identityFile = "~/.ssh/munin";
+    };
+  "ymir" =
+    { hostname = "ymir.yggdrasil.li";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "surtr" =
+    { hostname = "surtr.yggdrasil.li";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "odin" =
+    { hostname = "odin.asgard.yggdrasil";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "init.odin" =
+    { hostname = "odin.asgard.yggdrasil";
+      user = "root";
+      identityFile = "~/.ssh/rsa.gkleen@hel.midgard.yggdrasil";
+      extraOptions = {
+        StrictHostKeyChecking = "off";
+      };
+    };
+  "heimdallr" =
+    { hostname = "heimdallr.asgard.yggdrasil";
+      user = "root";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "gitlab2.rz.ifi.lmu.de" =
+    { user = "git";
+      identityFile = "~/.ssh/gkleen@gitlab2.rz.ifi.lmu.de";
+    };
+  "gitlab2.cip.ifi.lmu.de" =
+    { user = "git";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "hel".hostname = "hel.midgard.yggdrasil";
+  "blackbeard" =
+    { hostname = "blackbeard.tcs.ifi.lmu.de";
+      user = "pi";
+      identityFile = "~/.ssh/blackbeard";
+    };
+  "github.com" =
+    { user = "git";
+      identityFile = "~/.ssh/gkleen@github.com";
+    };
+  "ullr.playat.ch" =
+    { hostname = "ullr.playat.ch";
+      user = "minecraft";
+      identityFile = "~/.ssh/minecraft@ullr.playat.ch";
+    };
+  "ullr" =
+    { hostname = "185.170.112.70";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "testworx" =
+    { hostname = "testworx.tcs.ifi.lmu.de";
+      user = "root";
+      port = 30363;
+      identityFile = "~/.ssh/testworx";
+    };
+  "remote.cip.ifi.lmu.de" =
+    { user = "kleen";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+    };
+  "uniworx3" =
+    { hostname = "uniworx3.ifi.lmu.de";
+      user = "root";
+      identityFile = "~/.ssh/uni2work";
+    };
+  "uniworx4" =
+    { hostname = "uniworx4.ifi.lmu.de";
+      user = "root";
+      identityFile = "~/.ssh/uni2work";
+    };
+  "jump.uniworx4" =
+    { hostname = "uniworx4.ifi.lmu.de";
+      user = "sshjump";
+      identityFile = "~/.ssh/sshjump.uni2work";
+    };
+  "uni2workgw" =
+    { hostname = "uni2workgw.ifi.lmu.de";
+      user = "root";
+      identityFile = "~/.ssh/uni2work";
+    };
+  "uniworxdb2" =
+    { hostname = "uniworxdb2";
+      proxyJump = "uniworx4";
+      user = "root";
+      identityFile = "~/.ssh/uni2work";
+    };
+  "uniworx5" =
+    { hostname = "uniworx5.ifi.lmu.de";
+      user = "root";
+      identityFile = "~/.ssh/uni2work";
+    };
+  "gate2" =
+    { hostname = "gate2.tcs.ifi.lmu.de";
+      user = "gkleen";
+      identityFile = "~/.ssh/tcs";
+      serverAliveInterval = 0;
+    };
+  "proxy.gate2" =
+    { hostname = "gate2.tcs.ifi.lmu.de";
+      user = "gkleen";
+      identityFile = "~/.ssh/proxy.gkleen@tcs.ifi.lmu.de";
+      dynamicForwards = [ { port = 8118; } ];
+      serverAliveInterval = 0;
+      extraOptions = {
+        ExitOnForwardFailure = "yes";
+      };
+    };
+  "jump.gate2" = 
+     { hostname = "gate2.tcs.ifi.lmu.de";
+       user = "gkleen";
+       identityFile = "~/.ssh/proxy.gkleen@tcs.ifi.lmu.de";
+       serverAliveInterval = 0;
+       extraOptions = {
+         ExitOnForwardFailure = "yes";
+       };
+     };
+  "gate" =
+    { hostname = "gate.tcs.ifi.lmu.de";
+      user = "gkleen";
+      identityFile = "~/.ssh/tcs";
+    };
+  "proxy.gate" =
+    { hostname = "gate.tcs.ifi.lmu.de";
+      user = "gkleen";
+      identityFile = "~/.ssh/proxy.gkleen@tcs.ifi.lmu.de";
+      dynamicForwards = [ { port = 8118; } ];
+      extraOptions = {
+        ExitOnForwardFailure = "yes";
+      };
+    };
+  "jump.gate" = 
+     { hostname = "gate.tcs.ifi.lmu.de";
+       user = "gkleen";
+       identityFile = "~/.ssh/proxy.gkleen@tcs.ifi.lmu.de";
+       extraOptions = {
+         ExitOnForwardFailure = "yes";
+       };
+     };
+  "oregon" =
+    { hostname = "oregon.tcs.ifi.lmu.de";
+      user = "root";
+      identityFile = "~/.ssh/tcs";
+    };
+  "proxy.oregon" =
+    { hostname = "oregon.tcs.ifi.lmu.de";
+      user = "root";
+      identityFile = "~/.ssh/tcs";
+      dynamicForwards = [ { port = 8113; } ];
+      extraOptions = {
+        ExitOnForwardFailure = "yes";
+      };
+    };
+  "witbank" =
+    { hostname = "witbank.tcs.ifi.lmu.de";
+      user = "uni2work";
+      identityFile = "~/.ssh/letz";
+    };
+  "git.odin" =
+    { hostname = "odin.asgard.yggdrasil";
+      user = "gitolite";
+    };
+  "notmuch.odin" =
+    { hostname = "odin.asgard.yggdrasil";
+      identityFile = "~/.ssh/notmuch.odin.asgard.yggdrasil";
+    };
+  "status.odin" =
+    { hostname = "odin.asgard.yggdrasil";
+      identityFile = "~/.ssh/status.odin.asgard.yggdrasil";
+      extraOptions.ControlPath = "~/.ssh/status-%r@%n:%p";
+    };
+  "moden" =
+    { hostname = "oristano.tcs.ifi.lmu.de";
+      user = "gkleen";
+      port = 30363;
+      identityFile = "~/.ssh/gkleen@oristano.tcs.ifi.lmu.de";
+    };
+  "ubuntu1804" =
+    { hostname = "192.168.122.30";
+      identityFile = "~/.ssh/gkleen@sif.midgard.yggdrasil";
+      forwardAgent = true;
+    };
+  "gitlab.haskell.org" =
+    { hostname = "gitlab.haskell.org";
+      identityFile = "~/.ssh/gkleen@gitlab.haskell.org";
+    };
+  "gitlab.lrz.de" =
+    { hostname = "gitlab.lrz.de";
+      user = "git";
+      identityFile = "~/.ssh/gkleen@gitlab.lrz.de";
+    };
+  "uni2work-dev1" =
+    { hostname = "uni2work-dev1.ifi.lmu.de";
+      user = "gkleen";
+      identityFile = "~/.ssh/uni2work";
+      proxyJump = "jump.uniworx4";
+      localForwards = [
+        { bind = { address = "localhost"; port = 3940; };
+          host = { address = "localhost"; port = 3940; };
+        }
+        { bind = { address = "localhost"; port = 9020; };
+          host = { address = "localhost"; port = 9020; };
+        }
+      ];
+      remoteForwards = [
+        { host = { address = "/run/user/1000/emacs/server"; };
+          bind = { address = "/home/gkleen/.ssh/emacs-server"; };
+        }
+      ];
+    };
+}
diff --git a/accounts/gkleen@sif/store.kdbx.lftp b/accounts/gkleen@sif/store.kdbx.lftp
new file mode 100644
index 00000000..4447aded
--- /dev/null
+++ b/accounts/gkleen@sif/store.kdbx.lftp
@@ -0,0 +1,6 @@
+open ftp://gkleen.keepass@yggdrasil.li/
+
+lcd /home/gkleen
+
+mirror -v --only-newer -f store.kdbx
+mirror -v --reverse --only-newer -f store.kdbx
\ No newline at end of file
diff --git a/accounts/gkleen@sif/systemd.nix b/accounts/gkleen@sif/systemd.nix
new file mode 100644
index 00000000..7faef31a
--- /dev/null
+++ b/accounts/gkleen@sif/systemd.nix
@@ -0,0 +1,80 @@
+{ pkgs, config, userName, ... }:
+let
+  xmobar = import ./xmobar pkgs.haskellPackages;
+  cfg = config.home-manager.users.${userName};
+in {
+  services = {
+    sync-keepass = {
+      Service = {
+        Type = "oneshot";
+        WorkingDirectory = "~";
+        ExecStart = "${pkgs.lftp}/bin/lftp -f ${./store.kdbx.lftp}";
+      };
+    };
+    emacs = {
+      Unit = {
+        After = ["graphical-session-pre.target"];
+      };
+    };
+    trayer = {
+      Service = {
+        Type = "simple";
+        WorkingDirectory = "~";
+        ExecStart = "${pkgs.trayer}/bin/trayer --edge top --align right --SetDockType true --SetPartialStrut true --expand true --width 8 --tint 0x000000 --alpha 0 --transparent true --height 32 --monitor primary";
+        Restart = "always";
+      };
+      Install = {
+        WantedBy = ["graphical-session.target"];
+      };
+    };
+    xmobar = {
+      Service = {
+        Type = "simple";
+        WorkingDirectory = "~";
+        ExecStart = "${xmobar}/bin/xmobar";
+        Restart = "always";
+        Environment = "PATH=${pkgs.worktime}/bin:${pkgs.openssh}/bin";
+
+      };
+      Install = {
+        WantedBy = ["graphical-session.target"];
+      };
+    };
+    dunst = {
+      Service = {
+        Restart = "always";
+      };
+      Install = {
+        WantedBy = ["graphical-session.target"];
+      };
+    };
+    xiccd = {
+      Service = {
+        Type = "simple";
+        WorkingDirectory = "~";
+        ExecStart = "${pkgs.xiccd}/bin/xiccd";
+        Restart = "always";
+      };
+    };
+  };
+  timers = {
+    sync-keepass = {
+      Timer = {
+        OnActiveSec = "1m";
+        OnUnitActiveSec = "1m";
+      };
+
+      Install = {
+        WantedBy = ["default.target"];
+      };
+    };
+  };
+  targets = {
+    graphical-session = {
+      Unit = {
+        BindsTo = ["default.target"];
+        After = ["basic.target"];
+      };
+    };
+  };
+}
diff --git a/accounts/gkleen@sif/xmobar/default.nix b/accounts/gkleen@sif/xmobar/default.nix
new file mode 100644
index 00000000..fcac5e60
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/default.nix
@@ -0,0 +1,7 @@
+argumentPackages@{ ... }:
+
+let
+  # defaultPackages = (import ./stackage.nix {});
+  # haskellPackages = defaultPackages // argumentPackages;
+  haskellPackages = argumentPackages;
+in haskellPackages.callPackage ./xmobar-yggdrasil.nix {}
diff --git a/accounts/gkleen@sif/xmobar/nixpkgs.nix b/accounts/gkleen@sif/xmobar/nixpkgs.nix
new file mode 100644
index 00000000..783ede00
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/nixpkgs.nix
@@ -0,0 +1,9 @@
+{ nixpkgs ? import <nixpkgs>
+}:
+
+import ((nixpkgs {}).fetchFromGitHub {
+  owner = "NixOS";
+  repo = "nixpkgs";
+  rev = "10e61bf5be57736035ec7a804cb0bf3d083bf2cf";
+  sha256 = "0fplfm2zx4vk7gs8bdcxnvzkdmpx2w0llqwf8475z9dz9cl132rm";
+})
diff --git a/accounts/gkleen@sif/xmobar/package.yaml b/accounts/gkleen@sif/xmobar/package.yaml
new file mode 100644
index 00000000..b638b6ac
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/package.yaml
@@ -0,0 +1,13 @@
+name: xmobar-yggdrasil
+
+executables:
+  xmobar:
+    dependencies:
+      - base
+      - xmobar
+
+    main: xmobar.hs
+    source-dirs:
+      - .
+
+    ghc-options: -threaded
diff --git a/accounts/gkleen@sif/xmobar/shell.nix b/accounts/gkleen@sif/xmobar/shell.nix
new file mode 100644
index 00000000..16beb322
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/shell.nix
@@ -0,0 +1,28 @@
+{ nixpkgs ? import ./nixpkgs.nix {} }:
+
+let
+  inherit (nixpkgs {}) pkgs;
+  haskellPackages = import ./stackage.nix { inherit nixpkgs; };
+
+  drv = haskellPackages.callPackage ./xmobar-yggdrasil.nix {};
+  override = oldAttrs: {
+    nativeBuildInputs = oldAttrs.nativeBuildInputs ++ (with pkgs; []) ++ (with haskellPackages; [ stack cabal-install cabal2nix ]);
+    shellHook = ''
+      export PROMPT_INFO="${oldAttrs.name}"
+
+      if [ -n "$ZSH_VERSION" ]; then
+        autoload -U +X compinit && compinit
+        autoload -U +X bashcompinit && bashcompinit
+      fi
+      eval "$(stack --bash-completion-script stack)"
+
+      ${oldAttrs.shellHook}
+    '';
+  };
+
+  dummy = pkgs.stdenv.mkDerivation {
+    name = "interactive-xmobar-environment";
+    shellHook = "";
+  };
+in pkgs.lib.overrideDerivation dummy override
+  #pkgs.lib.overrideDerivation drv.env override
diff --git a/accounts/gkleen@sif/xmobar/stack.nix b/accounts/gkleen@sif/xmobar/stack.nix
new file mode 100644
index 00000000..17a49e04
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/stack.nix
@@ -0,0 +1,17 @@
+{ ghc, nixpkgs ? import ./nixpkgs.nix {} }:
+
+let
+  haskellPackages = import ./stackage.nix { inherit nixpkgs; };
+  inherit (nixpkgs {}) pkgs;
+in pkgs.haskell.lib.buildStackProject {
+  inherit ghc;
+  inherit (haskellPackages) stack;
+  name = "stackenv";
+  buildInputs = (with pkgs;
+    [ xorg.libX11 xorg.libXrandr xorg.libXinerama xorg.libXScrnSaver xorg.libXext xorg.libXft
+      cairo
+      glib
+    ]) ++ (with haskellPackages;
+    [ 
+    ]);
+}
diff --git a/accounts/gkleen@sif/xmobar/stack.yaml b/accounts/gkleen@sif/xmobar/stack.yaml
new file mode 100644
index 00000000..b8ed1147
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/stack.yaml
@@ -0,0 +1,10 @@
+nix:
+  enable: true
+  shell-file: stack.nix
+
+resolver: lts-13.21
+
+packages:
+  - .
+
+extra-deps: []
diff --git a/accounts/gkleen@sif/xmobar/stack.yaml.lock b/accounts/gkleen@sif/xmobar/stack.yaml.lock
new file mode 100644
index 00000000..fcc2f5f3
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/stack.yaml.lock
@@ -0,0 +1,12 @@
+# This file was autogenerated by Stack.
+# You should not edit this file by hand.
+# For more information, please see the documentation at:
+#   https://docs.haskellstack.org/en/stable/lock_files
+
+packages: []
+snapshots:
+- completed:
+    size: 498180
+    url: https://raw.githubusercontent.com/commercialhaskell/stackage-snapshots/master/lts/13/21.yaml
+    sha256: eff2de19a6d4691ccbf6edc1fba858f1918683047dce0f09adede874bbd2a8f3
+  original: lts-13.21
diff --git a/accounts/gkleen@sif/xmobar/stackage.nix b/accounts/gkleen@sif/xmobar/stackage.nix
new file mode 100644
index 00000000..c162ca2c
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/stackage.nix
@@ -0,0 +1,31 @@
+{ nixpkgs ? import ./nixpkgs.nix {}
+, snapshot ? "lts-13.21"
+}:
+
+let
+  stackage = import (fetchTarball {
+    url = "https://stackage.serokell.io/zb36jsy3r5h4ydz0pnp00g9vk94dvv03-stackage/default.nix.tar.gz";
+    sha256 = "0h6f80gds0ds77y51hhiadh2h2k8njqq8n0gayp729ana9m9agma";
+  });
+
+  overlays =
+    [ stackage."${snapshot}"
+      (self: super: {
+          haskell = super.haskell // {
+            packages = super.haskell.packages // {
+              "${snapshot}" = super.haskell.packages."${snapshot}".override {
+                overrides = hself: hsuper: {
+                  zip-archive = self.haskell.lib.overrideCabal hsuper.zip-archive (old: {
+                    testToolDepends = old.testToolDepends ++ (with self; [ unzip which ]);
+                  });
+                  alex = self.haskell.lib.dontCheck hsuper.alex;
+                };
+              };
+            };
+          };
+        }
+      )
+    ];
+
+  inherit (nixpkgs { inherit overlays; }) pkgs;
+in pkgs.haskell.packages."${snapshot}"
diff --git a/accounts/gkleen@sif/xmobar/xmobar-yggdrasil.nix b/accounts/gkleen@sif/xmobar/xmobar-yggdrasil.nix
new file mode 100644
index 00000000..852fb8e5
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/xmobar-yggdrasil.nix
@@ -0,0 +1,13 @@
+{ mkDerivation, base, hpack, lib, xmobar }:
+mkDerivation {
+  pname = "xmobar-yggdrasil";
+  version = "0.0.0";
+  src = ./.;
+  isLibrary = false;
+  isExecutable = true;
+  libraryToolDepends = [ hpack ];
+  executableHaskellDepends = [ base xmobar ];
+  preConfigure = "hpack";
+  license = "unknown";
+  hydraPlatforms = lib.platforms.none;
+}
diff --git a/accounts/gkleen@sif/xmobar/xmobar.hs b/accounts/gkleen@sif/xmobar/xmobar.hs
new file mode 100644
index 00000000..74ce7347
--- /dev/null
+++ b/accounts/gkleen@sif/xmobar/xmobar.hs
@@ -0,0 +1,52 @@
+import Xmobar
+
+import Data.List (intercalate)
+  
+
+main :: IO ()
+main = xmobar config
+  where
+    config = defaultConfig
+      { font             = "xft:FiraCode Nerd Font Mono:style=Regular:pixelsize=21"
+      , position         = OnScreen 0 $ TopP 0 307
+      , bgColor          = "black"
+      , fgColor          = "#808080"
+      , overrideRedirect = False
+      , template =
+          let left = intercalate " | "
+                [ "%XMonadWorkspaces%"
+                , "%XMonadLayout%"
+                , "%XMonadTitle%"
+                ]
+              right = intercalate " | "
+                [ {- "%status%"
+                , -} "%battery%"
+                , "%kbd%"
+                , "%worktime%"
+                , "%worktime-today%"
+                , "%time%"
+                , "%date%"
+                ]
+           in left <> "}{" <> right
+      , commands =
+          [ Run $ NamedXPropertyLog "_XMONAD_WORKSPACES" "XMonadWorkspaces"
+          , Run $ NamedXPropertyLog "_XMONAD_LAYOUT" "XMonadLayout"
+          , Run $ NamedXPropertyLog "_XMONAD_TITLE" "XMonadTitle"
+          , Run $ Date "%H:%M" "time" 50
+          , Run $ Date "%a %b %_d" "date" 50
+          , Run $ Com "worktime" [] "worktime" 1500
+          , Run $ Com "worktime" ["today"] "worktime-today" 1500
+          , Run $ Com "ssh" ["status.odin"] "status" 600
+          , Run $ Kbd [("us(dvp)", "dvp")]
+          , Run $ Battery
+            [ "--template", "<watts> <left> (<timeleft>) AC <acstatus>"
+            , "--suffix", "On"
+            , "--Low", "10"
+            , "--High", "80"
+            , "--low", "darkred"
+            , "--normal", "darkorange"
+            , "--high", "darkgreen"
+            , "-p", "3"
+            ] 50
+          ]
+      }
diff --git a/accounts/gkleen@sif/xmonad/.gitignore b/accounts/gkleen@sif/xmonad/.gitignore
new file mode 100644
index 00000000..c11891cd
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/.gitignore
@@ -0,0 +1,4 @@
+**/#*#
+**/.stack-work/
+/stack.yaml.lock
+/*.cabal
diff --git a/accounts/gkleen@sif/xmonad/default.nix b/accounts/gkleen@sif/xmonad/default.nix
new file mode 100644
index 00000000..8790c12f
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/default.nix
@@ -0,0 +1,7 @@
+argumentPackages@{ ... }:
+
+let
+  # defaultPackages = (import ./stackage.nix {});
+  # haskellPackages = defaultPackages // argumentPackages;
+  haskellPackages = argumentPackages;
+in haskellPackages.callPackage ./xmonad-yggdrasil.nix {}
diff --git a/accounts/gkleen@sif/xmonad/lib/XMonad/Mpv.hs b/accounts/gkleen@sif/xmonad/lib/XMonad/Mpv.hs
new file mode 100644
index 00000000..e6accdcc
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/lib/XMonad/Mpv.hs
@@ -0,0 +1,127 @@
+{-# LANGUAGE DeriveGeneric, OverloadedLists, OverloadedStrings, ViewPatterns, ExistentialQuantification, MultiWayIf #-}
+
+module XMonad.Mpv
+  ( MpvCommand(..), MpvResponse(..), MpvException(..)
+  , mpv
+  , mpvDir
+  , mpvAll, mpvOne
+  , mpvResponse
+  ) where
+
+import Data.Aeson
+
+import Data.Monoid
+
+import Network.Socket hiding (recv)
+import Network.Socket.ByteString
+
+import qualified Data.ByteString as BS
+import qualified Data.ByteString.Char8 as CBS
+import qualified Data.ByteString.Lazy as LBS
+
+import GHC.Generics (Generic)
+import Data.Typeable (Typeable)
+import Data.String (IsString(..))
+
+import Control.Exception
+
+import System.IO.Temp (getCanonicalTemporaryDirectory)
+
+import Control.Monad
+import Control.Exception (bracket)
+import Control.Monad.IO.Class (MonadIO(..))
+
+import System.FilePath
+import System.Directory (getDirectoryContents)
+
+import Data.List
+import Data.Either
+import Data.Maybe
+
+import Debug.Trace
+
+
+data MpvCommand
+  = forall a. ToJSON a => MpvSetProperty String a
+  | MpvGetProperty String
+data MpvResponse
+  = MpvError String
+  | MpvSuccess (Maybe Value)
+  deriving (Read, Show, Generic, Eq)
+data MpvException = MpvException String
+                  | MpvNoValue
+                  | MpvNoParse String
+  deriving (Generic, Typeable, Read, Show)
+instance Exception MpvException
+
+
+instance ToJSON MpvCommand where
+  toJSON (MpvSetProperty name val) = Array ["set_property", fromString name, toJSON val]
+  toJSON (MpvGetProperty name)     = Array ["get_property", fromString name]
+
+instance FromJSON MpvResponse where
+  parseJSON = withObject "response object" $ \obj -> do
+    mval <- obj .:? "data"
+    err <- obj .: "error"
+
+    let ret
+          | err == "success" = MpvSuccess mval
+          | otherwise        = MpvError err
+
+    return ret
+
+mpvSocket :: FilePath -> (Socket -> IO a) -> IO a
+mpvSocket sockPath = withSocketsDo . bracket mkSock close
+  where
+    mkSock = do
+      sock <- socket AF_UNIX Stream defaultProtocol
+      connect sock $ SockAddrUnix (traceId sockPath)
+      return sock
+
+mpvResponse :: FromJSON v => MpvResponse -> IO v
+mpvResponse (MpvError str) = throwIO $ MpvException str
+mpvResponse (MpvSuccess Nothing) = throwIO MpvNoValue
+mpvResponse (MpvSuccess (Just v)) = case fromJSON v of
+  Success v' -> return v'
+  Error str  -> throwIO $ MpvNoParse str
+
+mpv :: FilePath -> MpvCommand -> IO MpvResponse
+mpv sockPath cmd = mpvSocket sockPath $ \sock -> do
+  let message = (`BS.append` "\n") . LBS.toStrict . encode $ Object [("command", toJSON cmd)]
+  traceIO $ show message
+  sendAll sock message
+  let recvAll = do
+        prefix <- recv sock 4096
+        if
+          | (prefix', rest) <- CBS.break (== '\n') prefix
+          , not (BS.null rest) -> return prefix'
+          | BS.null prefix     -> return prefix
+          | otherwise          -> BS.append prefix <$> recvAll
+  response <- recvAll
+  traceIO  $ show response
+  either (ioError . userError) return . traceShowId $ eitherDecodeStrict' response
+
+mpvDir :: Exception e => FilePath -> (FilePath -> [(FilePath, Either e MpvResponse)] -> Maybe MpvCommand) -> IO [(FilePath, Either e MpvResponse)]
+mpvDir dir step = do
+  socks <- filter (".sock" `isSuffixOf`) <$> getDirectoryContents dir
+  go [] socks
+  where
+    go acc [] = return acc
+    go acc (sock:socks)
+      | Just cmd <- step sock acc = do
+          res <- try $ mpv (dir </> sock) cmd
+          go ((sock, res) : acc) socks
+      | otherwise =
+          go acc socks
+
+mpvAll :: FilePath -> MpvCommand -> IO [MpvResponse]
+mpvAll dir cmd = do
+  results <- map snd <$> (mpvDir dir (\_ _ -> Just cmd) :: IO [(FilePath, Either SomeException MpvResponse)])
+  mapM (either throwIO return) results
+
+mpvOne :: FilePath -> MpvCommand -> IO (Maybe MpvResponse)
+mpvOne dir cmd = listToMaybe . snd . partitionEithers . map snd <$> (mpvDir dir step :: IO [(FilePath, Either SomeException MpvResponse)])
+  where
+    step _ results
+      | any (isRight . snd) results = Nothing
+      | otherwise = Just cmd
diff --git a/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MyPass.hs b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MyPass.hs
new file mode 100644
index 00000000..1caefae5
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MyPass.hs
@@ -0,0 +1,94 @@
+module XMonad.Prompt.MyPass
+  (
+    -- * Usages
+    -- $usages
+    mkPassPrompt
+  ) where
+
+import Control.Monad (liftM)
+import XMonad.Core
+import XMonad.Prompt ( XPrompt
+                     , showXPrompt
+                     , commandToComplete
+                     , nextCompletion
+                     , getNextCompletion
+                     , XPConfig
+                     , mkXPrompt
+                     , searchPredicate)
+import System.Directory (getHomeDirectory)
+import System.FilePath (takeExtension, dropExtension, combine)
+import System.Posix.Env (getEnv)
+import XMonad.Util.Run (runProcessWithInput)
+
+-- $usages
+-- You can use this module with the following in your @~\/.xmonad\/xmonad.hs@:
+--
+-- > import XMonad.Prompt.Pass
+--
+-- Then add a keybinding for 'passPrompt', 'passGeneratePrompt' or 'passRemovePrompt':
+--
+-- >   , ((modMask x , xK_p)                              , passPrompt xpconfig)
+-- >   , ((modMask x .|. controlMask, xK_p)               , passGeneratePrompt xpconfig)
+-- >   , ((modMask x .|. controlMask  .|. shiftMask, xK_p), passRemovePrompt xpconfig)
+--
+-- For detailed instructions on:
+--
+-- - editing your key bindings, see "XMonad.Doc.Extending#Editing_key_bindings".
+--
+-- - how to setup the password storage, see <http://git.zx2c4.com/password-store/about/>
+--
+
+type Predicate = String -> String -> Bool
+
+getPassCompl :: [String] -> Predicate -> String -> IO [String]
+getPassCompl compls p s
+  | length s <= minL
+  , all ((> minL) . length) compls = return []
+  | otherwise = do return $ filter (p s) compls
+  where
+    minL = 3
+
+type PromptLabel = String
+
+data Pass = Pass PromptLabel
+
+instance XPrompt Pass where
+  showXPrompt       (Pass prompt) = prompt ++ ": "
+  commandToComplete _ c           = c
+  nextCompletion      _           = getNextCompletion
+
+-- | Default password store folder in $HOME/.password-store
+--
+passwordStoreFolderDefault :: String -> String
+passwordStoreFolderDefault home = combine home ".password-store"
+
+-- | Compute the password store's location.
+-- Use the PASSWORD_STORE_DIR environment variable to set the password store.
+-- If empty, return the password store located in user's home.
+--
+passwordStoreFolder :: IO String
+passwordStoreFolder =
+  getEnv "PASSWORD_STORE_DIR" >>= computePasswordStoreDir
+  where computePasswordStoreDir Nothing         = liftM passwordStoreFolderDefault getHomeDirectory
+        computePasswordStoreDir (Just storeDir) = return storeDir
+
+-- | A pass prompt factory
+--
+mkPassPrompt :: PromptLabel -> (String -> X ()) -> XPConfig -> X ()
+mkPassPrompt promptLabel passwordFunction xpconfig = do
+  passwords <- io (passwordStoreFolder >>= getPasswords)
+  mkXPrompt (Pass promptLabel) xpconfig (getPassCompl passwords $ searchPredicate xpconfig) passwordFunction
+
+-- | Retrieve the list of passwords from the password storage 'passwordStoreDir
+getPasswords :: FilePath -> IO [String]
+getPasswords passwordStoreDir = do
+  files <- runProcessWithInput "find" [
+    passwordStoreDir,
+    "-type", "f",
+    "-name", "*.gpg",
+    "-printf", "%P\n"] []
+  return $ map removeGpgExtension $ lines files
+
+removeGpgExtension :: String -> String
+removeGpgExtension file | takeExtension file == ".gpg" = dropExtension file
+                        | otherwise                    = file
diff --git a/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MyShell.hs b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MyShell.hs
new file mode 100644
index 00000000..c268f87d
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MyShell.hs
@@ -0,0 +1,105 @@
+module XMonad.Prompt.MyShell
+       ( Shell (..)
+       , shellPrompt
+       , prompt
+       , safePrompt
+       , unsafePrompt
+       , getCommands
+       , getShellCompl
+       , split
+       ) where
+
+import Codec.Binary.UTF8.String (encodeString)
+import Control.Exception as E
+import Control.Monad (forM)
+import Data.List (isPrefixOf)
+import System.Directory (doesDirectoryExist, getDirectoryContents)
+import System.Environment (getEnv)
+import System.Posix.Files (getFileStatus, isDirectory)
+
+import XMonad hiding (config)
+import XMonad.Prompt
+import XMonad.Util.Run
+
+econst :: Monad m => a -> IOException -> m a
+econst = const . return
+
+data Shell = Shell String
+
+instance XPrompt Shell where
+    showXPrompt (Shell q)     = q
+    completionToCommand _ = escape
+
+shellPrompt :: String -> XPConfig -> X ()
+shellPrompt q c = do
+    cmds <- io getCommands
+    mkXPrompt (Shell q) c (getShellCompl cmds) spawn
+
+{- $spawns
+    See safe and unsafeSpawn in "XMonad.Util.Run".
+    prompt is an alias for safePrompt;
+    safePrompt and unsafePrompt work on the same principles, but will use
+    XPrompt to interactively query the user for input; the appearance is
+    set by passing an XPConfig as the second argument. The first argument
+    is the program to be run with the interactive input.
+    You would use these like this:
+
+    >     , ((modm,               xK_b), safePrompt "firefox" greenXPConfig)
+    >     , ((modm .|. shiftMask, xK_c), prompt ("xterm" ++ " -e") greenXPConfig)
+
+    Note that you want to use safePrompt for Firefox input, as Firefox
+    wants URLs, and unsafePrompt for the XTerm example because this allows
+    you to easily start a terminal executing an arbitrary command, like
+    'top'. -}
+
+prompt, unsafePrompt, safePrompt :: String -> FilePath -> XPConfig -> X ()
+prompt = unsafePrompt
+safePrompt q c config = mkXPrompt (Shell q) config (getShellCompl [c]) run
+    where run = safeSpawn c . return
+unsafePrompt q c config = mkXPrompt (Shell q) config (getShellCompl [c]) run
+    where run a = unsafeSpawn $ c ++ " " ++ a
+
+getShellCompl :: [String] -> String -> IO [String]
+getShellCompl cmds s | s == "" || last s == ' ' = return []
+                     | otherwise                = do
+    f     <- fmap lines $ runProcessWithInput "bash" [] ("compgen -A file -- "
+                                                        ++ s ++ "\n")
+    files <- case f of
+               [x] -> do fs <- getFileStatus (encodeString x)
+                         if isDirectory fs then return [x ++ "/"]
+                                           else return [x]
+               _   -> return f
+    return . uniqSort $ files ++ commandCompletionFunction cmds s
+
+commandCompletionFunction :: [String] -> String -> [String]
+commandCompletionFunction cmds str | '/' `elem` str = []
+                                   | otherwise      = filter (isPrefixOf str) cmds
+
+getCommands :: IO [String]
+getCommands = do
+    p  <- getEnv "PATH" `E.catch` econst []
+    let ds = filter (/= "") $ split ':' p
+    es <- forM ds $ \d -> do
+        exists <- doesDirectoryExist d
+        if exists
+            then getDirectoryContents d
+            else return []
+    return . uniqSort . filter ((/= '.') . head) . concat $ es
+
+split :: Eq a => a -> [a] -> [[a]]
+split _ [] = []
+split e l =
+    f : split e (rest ls)
+        where
+          (f,ls) = span (/=e) l
+          rest s | s == []   = []
+                 | otherwise = tail s
+
+escape :: String -> String
+escape []       = ""
+escape (x:xs)
+    | isSpecialChar x = '\\' : x : escape xs
+    | otherwise       = x : escape xs
+
+isSpecialChar :: Char -> Bool
+isSpecialChar =  flip elem " &\\@\"'#?$*()[]{};"
diff --git a/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs
new file mode 100644
index 00000000..729941aa
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/lib/XMonad/Prompt/MySsh.hs
@@ -0,0 +1,246 @@
+module XMonad.Prompt.MySsh
+    ( -- * Usage
+      -- $usage
+      sshPrompt,
+      Ssh,
+      Override (..),
+      mkOverride,
+      Conn (..),
+      moshCmd,
+      moshCmd',
+      sshCmd,
+      inTmux,
+      withEnv
+    ) where
+
+import XMonad
+import XMonad.Util.Run
+import XMonad.Prompt
+
+import System.Directory
+import System.Environment
+import qualified Control.Exception as E
+
+import Control.Monad
+import Data.Maybe
+
+import Text.Parsec.String
+import Text.Parsec
+import Data.Char (isSpace)
+
+econst :: Monad m => a -> E.IOException -> m a
+econst = const . return
+
+-- $usage
+-- 1. In your @~\/.xmonad\/xmonad.hs@:
+--
+-- > import XMonad.Prompt
+-- > import XMonad.Prompt.Ssh
+--
+-- 2. In your keybindings add something like:
+--
+-- >   , ((modm .|. controlMask, xK_s), sshPrompt defaultXPConfig)
+--
+-- Keep in mind, that if you want to use the completion you have to
+-- disable the "HashKnownHosts" option in your ssh_config
+--
+-- For detailed instruction on editing the key binding see
+-- "XMonad.Doc.Extending#Editing_key_bindings".
+
+data Override = Override
+                { oUser :: Maybe String
+                , oHost :: String
+                , oPort :: Maybe Int
+                , oCommand :: Conn -> String
+                }
+
+mkOverride = Override { oUser = Nothing, oHost = "", oPort = Nothing, oCommand = sshCmd }
+sshCmd c = concat
+           [ "ssh -t "
+           , if isJust $ cUser c then (fromJust $ cUser c) ++ "@" else ""
+           , cHost c
+           , if isJust $ cPort c then " -p " ++ (show $ fromJust $ cPort c) else ""
+           , " -- "
+           , cCommand c
+           ]
+moshCmd c = concat
+            [ "mosh "
+            , if isJust $ cUser c then (fromJust $ cUser c) ++ "@" else ""
+            , cHost c
+            , if isJust $ cPort c then " --ssh=\"ssh -p " ++ (show $ fromJust $ cPort c) ++ "\"" else ""
+            , " -- "
+            , cCommand c
+            ]
+moshCmd' p c = concat
+            [ "mosh "
+            , "--server=" ++ p ++ " "
+            , if isJust $ cUser c then (fromJust $ cUser c) ++ "@" else ""
+            , cHost c
+            , if isJust $ cPort c then " --ssh=\"ssh -p " ++ (show $ fromJust $ cPort c) ++ "\"" else ""
+            , " -- "
+            , cCommand c
+            ]
+inTmux Nothing c
+  | null $ cCommand c = c { cCommand = "tmux new-session" }
+  | otherwise = c { cCommand = "tmux new-session \"" ++ (cCommand c) ++  "\"" }
+inTmux (Just h) c
+  | null $ cCommand c = c { cCommand = "tmux new-session -As " <> h }
+  | otherwise = c { cCommand = "tmux new-session \"" ++ (cCommand c) ++  "\"" }
+withEnv :: [(String, String)] -> Conn -> Conn
+withEnv envs c = c { cCommand = "env" ++ (concat $ map (\(n, v) -> ' ' : (n ++ "=" ++ v)) envs) ++ " " ++ (cCommand c) }
+             
+data Conn = Conn
+            { cUser :: Maybe String
+            , cHost :: String
+            , cPort :: Maybe Int
+            , cCommand :: String
+            } deriving (Eq, Show, Read)
+
+data Ssh = Ssh
+
+instance XPrompt Ssh where
+  showXPrompt       Ssh = "SSH to: "
+  commandToComplete _ c = c
+  nextCompletion      _ = getNextCompletion
+
+toConn :: String -> Maybe Conn
+toConn = toConn' . parse connParser "(unknown)"
+toConn' :: Either ParseError Conn -> Maybe Conn
+toConn' (Left _) = Nothing
+toConn' (Right a) = Just a
+
+connParser :: Parser Conn
+connParser = do
+  spaces
+  user' <- optionMaybe $ try $ do
+    str <- many1 $ satisfy (\c -> (not $ isSpace c) && (c /= '@'))
+    char '@'
+    return str
+  host' <- many1 $ satisfy (not . isSpace)
+  port' <- optionMaybe $ try $ do
+    space
+    string "-p"
+    spaces
+    int <- many1 digit
+    (space >> return ()) <|> eof
+    return $ (read int :: Int)
+  spaces
+  command' <- many anyChar
+  eof
+  return $ Conn
+         { cHost = host'
+         , cUser = user'
+         , cPort = port'
+         , cCommand = command'
+         }
+
+sshPrompt :: [Override] -> XPConfig -> X ()
+sshPrompt o c = do
+  sc <- io sshComplList
+  mkXPrompt Ssh c (mkComplFunFromList sc) $ ssh o
+
+ssh :: [Override] -> String -> X ()
+ssh overrides str = do
+  let cmd = applyOverrides overrides str
+  liftIO $ putStr "SSH Command: "
+  liftIO $ putStrLn cmd
+  runInTerm "" cmd
+
+applyOverrides :: [Override] -> String -> String
+applyOverrides [] str = "ssh " ++ str
+applyOverrides (o:os) str = case (applyOverride o str) of
+  Just str -> str
+  Nothing -> applyOverrides os str
+
+applyOverride :: Override -> String -> Maybe String
+applyOverride o str = let
+  conn = toConn str
+  in
+   if isNothing conn then Nothing else
+     case (fromJust conn) `matches` o of
+       True -> Just $ (oCommand o) (fromJust conn)
+       False -> Nothing
+
+matches :: Conn -> Override -> Bool
+a `matches` b = and
+                [ justBool (cUser a) (oUser b) (==)
+                , (cHost a) == (oHost b)
+                , justBool (cPort a) (oPort b) (==)
+                ]
+
+justBool :: Eq a => Maybe a -> Maybe a -> (a -> a -> Bool) -> Bool
+justBool Nothing _ _ = True
+justBool _ Nothing _ = True
+justBool (Just a) (Just b) match = a `match` b
+
+sshComplList :: IO [String]
+sshComplList = uniqSort `fmap` liftM2 (++) sshComplListLocal sshComplListGlobal
+
+sshComplListLocal :: IO [String]
+sshComplListLocal = do
+  h <- getEnv "HOME"
+  s1 <- sshComplListFile $ h ++ "/.ssh/known_hosts"
+  s2 <- sshComplListConf $ h ++ "/.ssh/config"
+  return $ s1 ++ s2
+
+sshComplListGlobal :: IO [String]
+sshComplListGlobal = do
+  env <- getEnv "SSH_KNOWN_HOSTS" `E.catch` econst "/nonexistent"
+  fs <- mapM fileExists [ env
+                        , "/usr/local/etc/ssh/ssh_known_hosts"
+                        , "/usr/local/etc/ssh_known_hosts"
+                        , "/etc/ssh/ssh_known_hosts"
+                        , "/etc/ssh_known_hosts"
+                        ]
+  case catMaybes fs of
+    []    -> return []
+    (f:_) -> sshComplListFile' f
+
+sshComplListFile :: String -> IO [String]
+sshComplListFile kh = do
+  f <- doesFileExist kh
+  if f then sshComplListFile' kh
+       else return []
+
+sshComplListFile' :: String -> IO [String]
+sshComplListFile' kh = do
+  l <- readFile kh
+  return $ map (getWithPort . takeWhile (/= ',') . concat . take 1 . words)
+         $ filter nonComment
+         $ lines l
+
+sshComplListConf :: String -> IO [String]
+sshComplListConf kh = do
+  f <- doesFileExist kh
+  if f then sshComplListConf' kh
+       else return []
+
+sshComplListConf' :: String -> IO [String]
+sshComplListConf' kh = do
+  l <- readFile kh
+  return $ map (!!1)
+         $ filter isHost
+         $ map words
+         $ lines l
+ where
+   isHost ws = take 1 ws == ["Host"] && length ws > 1
+
+fileExists :: String -> IO (Maybe String)
+fileExists kh = do
+  f <- doesFileExist kh
+  if f then return $ Just kh
+       else return Nothing
+
+nonComment :: String -> Bool
+nonComment []      = False
+nonComment ('#':_) = False
+nonComment ('|':_) = False -- hashed, undecodeable
+nonComment _       = True
+
+getWithPort :: String -> String
+getWithPort ('[':str) = host ++ " -p " ++ port
+    where (host,p) = break (==']') str
+          port = case p of
+                   ']':':':x -> x
+                   _         -> "22"
+getWithPort  str = str
diff --git a/accounts/gkleen@sif/xmonad/package.yaml b/accounts/gkleen@sif/xmonad/package.yaml
new file mode 100644
index 00000000..48de1a53
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/package.yaml
@@ -0,0 +1,30 @@
+name: xmonad-yggdrasil
+
+executables:
+  xmonad:
+    dependencies:
+      - base
+      - xmonad
+      - xmonad-contrib
+      - aeson
+      - bytestring
+      - text
+      - temporary
+      - filepath
+      - directory
+      - network
+      - unix
+      - utf8-string
+      - parsec
+      - process
+      - mtl
+      - X11
+      - transformers
+      - containers
+      - hostname
+      - libnotify
+
+    main: xmonad.hs
+    source-dirs:
+      - .
+      - lib
diff --git a/accounts/gkleen@sif/xmonad/stack.nix b/accounts/gkleen@sif/xmonad/stack.nix
new file mode 100644
index 00000000..17a49e04
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/stack.nix
@@ -0,0 +1,17 @@
+{ ghc, nixpkgs ? import ./nixpkgs.nix {} }:
+
+let
+  haskellPackages = import ./stackage.nix { inherit nixpkgs; };
+  inherit (nixpkgs {}) pkgs;
+in pkgs.haskell.lib.buildStackProject {
+  inherit ghc;
+  inherit (haskellPackages) stack;
+  name = "stackenv";
+  buildInputs = (with pkgs;
+    [ xorg.libX11 xorg.libXrandr xorg.libXinerama xorg.libXScrnSaver xorg.libXext xorg.libXft
+      cairo
+      glib
+    ]) ++ (with haskellPackages;
+    [ 
+    ]);
+}
diff --git a/accounts/gkleen@sif/xmonad/stack.yaml b/accounts/gkleen@sif/xmonad/stack.yaml
new file mode 100644
index 00000000..b8ed1147
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/stack.yaml
@@ -0,0 +1,10 @@
+nix:
+  enable: true
+  shell-file: stack.nix
+
+resolver: lts-13.21
+
+packages:
+  - .
+
+extra-deps: []
diff --git a/accounts/gkleen@sif/xmonad/xmonad-yggdrasil.nix b/accounts/gkleen@sif/xmonad/xmonad-yggdrasil.nix
new file mode 100644
index 00000000..d3d72310
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/xmonad-yggdrasil.nix
@@ -0,0 +1,21 @@
+{ mkDerivation, aeson, base, bytestring, containers, directory
+, filepath, hostname, hpack, mtl, network, parsec, process, lib
+, temporary, transformers, unix, utf8-string, X11, xmonad
+, xmonad-contrib, libnotify
+}:
+mkDerivation {
+  pname = "xmonad-yggdrasil";
+  version = "0.0.0";
+  src = ./.;
+  isLibrary = false;
+  isExecutable = true;
+  libraryToolDepends = [ hpack ];
+  executableHaskellDepends = [
+    aeson base bytestring containers directory filepath hostname mtl
+    network parsec process temporary transformers unix utf8-string X11
+    xmonad xmonad-contrib libnotify
+  ];
+  preConfigure = "hpack";
+  license = "unknown";
+  hydraPlatforms = lib.platforms.none;
+}
diff --git a/accounts/gkleen@sif/xmonad/xmonad.hs b/accounts/gkleen@sif/xmonad/xmonad.hs
new file mode 100644
index 00000000..d21debdf
--- /dev/null
+++ b/accounts/gkleen@sif/xmonad/xmonad.hs
@@ -0,0 +1,895 @@
+{-# LANGUAGE TupleSections, ViewPatterns, OverloadedStrings, FlexibleInstances, UndecidableInstances, MultiWayIf #-}
+
+import XMonad
+import XMonad.Hooks.DynamicLog
+import XMonad.Hooks.ManageDocks
+import XMonad.Util.Run
+import XMonad.Util.Loggers
+import XMonad.Util.EZConfig(additionalKeys)
+import System.IO
+import System.IO.Error
+import System.Environment
+import Data.Map (Map)
+import qualified Data.Map as Map
+import qualified XMonad.StackSet as W
+import System.Exit
+import Control.Monad.State (get)
+-- import XMonad.Layout.Spiral
+import Data.Ratio
+import Data.List
+import Data.Char
+import Data.Maybe (fromMaybe, listToMaybe, maybeToList, catMaybes, isJust)
+import XMonad.Layout.Tabbed
+import XMonad.Prompt
+import XMonad.Prompt.Input
+import XMonad.Util.Scratchpad
+import XMonad.Util.NamedScratchpad
+import Control.Monad (sequence, liftM, liftM2, join, void)
+import XMonad.Util.WorkspaceCompare
+import XMonad.Layout.NoBorders
+import XMonad.Layout.PerWorkspace
+import XMonad.Layout.SimplestFloat
+import XMonad.Layout.Renamed
+import XMonad.Layout.Reflect
+import XMonad.Layout.OnHost
+import XMonad.Layout.Combo
+import XMonad.Layout.ComboP
+import XMonad.Layout.Column
+import XMonad.Layout.TwoPane
+import XMonad.Layout.IfMax
+import XMonad.Layout.LayoutBuilder
+import XMonad.Layout.WindowNavigation
+import XMonad.Layout.Dwindle
+import XMonad.Layout.TrackFloating
+import System.Process
+import System.Directory (removeFile)
+import System.Posix.Files
+import System.FilePath ((</>))
+import Control.Concurrent
+import System.Posix.Process (getProcessID)
+import System.IO.Error
+import System.IO
+import XMonad.Hooks.ManageHelpers hiding (CW)
+import XMonad.Hooks.UrgencyHook as U
+import XMonad.Hooks.EwmhDesktops
+import XMonad.StackSet (RationalRect (..))
+import Control.Monad (when, filterM, (<=<))
+import Graphics.X11.ExtraTypes.XF86
+import XMonad.Util.Cursor
+import XMonad.Actions.Warp
+import XMonad.Actions.FloatKeys
+import XMonad.Util.SpawnOnce
+import System.Directory
+import System.FilePath
+import XMonad.Actions.CopyWindow
+import XMonad.Hooks.ServerMode
+import XMonad.Actions.Commands
+import XMonad.Actions.CycleWS
+import XMonad.Actions.RotSlaves
+import XMonad.Actions.UpdatePointer
+import XMonad.Prompt.Window
+import Data.IORef
+import Data.Monoid
+import Data.String
+import qualified XMonad.Actions.PhysicalScreens as P
+
+import XMonad.Layout.IM
+
+import XMonad.Prompt.MyShell
+import XMonad.Prompt.MyPass
+import XMonad.Prompt.MySsh
+
+import XMonad.Mpv
+
+import Network.HostName
+
+import Control.Applicative ((<$>))
+
+import Libnotify as Notify hiding (appName)
+import qualified Libnotify as Notify (appName)
+import Libnotify (Notification)
+-- import System.Information.Battery
+
+import Data.Int (Int32)
+
+import System.Posix.Process
+import System.Posix.Signals
+import System.Posix.IO as Posix
+import Control.Exception
+
+import System.IO.Unsafe
+
+import Control.Monad.Trans.Class
+import Control.Monad.Trans.Maybe
+
+import Data.Fixed (Micro)
+
+import qualified Data.Text as Text
+import Data.Ord (comparing)
+import Debug.Trace
+
+instance MonadIO m => IsString (m ()) where
+  fromString = spawn
+
+type KeyMap = Map (ButtonMask, KeySym) (X ())
+
+data Host = Host
+            { hName :: HostName
+            , hManageHook :: ManageHook
+            , hWsp :: Integer -> WorkspaceId
+            , hCoWsp :: String -> Maybe WorkspaceId
+            , hKeysMod :: XConfig Layout -> (KeyMap -> KeyMap)
+            , hScreens :: [P.PhysicalScreen]
+            , hKbLayouts :: [(String, Maybe String)]
+            , hCmds :: X [(String, X ())]
+            , hKeyUpKeys :: XConfig Layout -> KeyMap
+            }
+
+defaultHost = Host { hName = "unkown"
+                   , hManageHook = composeOne [manageScratchTerm]
+                   , hWsp = show
+                   , hCoWsp = const Nothing
+                   , hKeysMod = const id
+                   , hScreens = [0,1..]
+                   , hKbLayouts = [ ("us", Just "dvp")
+                                  , ("us", Nothing)
+                                  , ("de", Nothing)
+                                  ]
+                   , hCmds = return []
+                   , hKeyUpKeys = const Map.empty
+                   }
+
+browser :: String
+browser = "env MOZ_USE_XINPUT2=1 firefox"
+
+hostFromName :: HostName -> Host
+hostFromName h@("vali") = defaultHost { hName = h
+                                      , hManageHook = composeOne $ catMaybes [ Just manageScratchTerm
+                                                                             , assign "web"  $ className =? ".dwb-wrapped"
+                                                                             , assign "web"  $ className =? "Chromium"
+                                                                             , assign "work" $ className =? "Emacs"
+                                                                             , assign "media" $ className =? "mpv"
+                                                                             ]
+                                      , hWsp = hWsp
+                                      , hCoWsp = hCoWsp
+                                      , hKeysMod = \conf -> Map.union $ (Map.fromList $ join $ map (spawnBindings conf) [ (xK_d, ["chromium", "chromium $(xclip -o)"])
+                                                                                                                        , (xK_e, ["emacsclient -c"])
+                                                                                                                        ])
+                                                            `Map.union`
+                                                            ( Map.fromList [ ((XMonad.modMask conf .|. controlMask, xK_Return), scratchpadSpawnActionCustom $ (XMonad.terminal conf) ++ " -name scratchpad -title scratchpad -e tmux new-session -D -s scratch")
+                                                                           ] )
+                                      , hScreens = hScreens defaultHost
+                                      }
+  where
+    workspaceNames = Map.fromList [ (2, "web")
+                                  , (3, "work")
+                                  , (10, "media")
+                                  ]
+    hWsp = wspFromMap workspaceNames
+    hCoWsp = coWspFromMap workspaceNames
+    assign wsp test = (\wsp -> test -?> doShift wsp) <$> hCoWsp wsp
+hostFromName h
+  | h `elem` ["hel", "sif"] = defaultHost { hName = h
+                                          , hManageHook = namedScratchpadManageHook scratchpads <+> composeOne (catMaybes
+                                              [ assign "mpv"     $ className =? "mpv"
+                                              , assign "mpv"     $ stringProperty "WM_WINDOW_ROLE" =? "presentation"
+                                              , assign "read"    $ stringProperty "WM_WINDOW_ROLE" =? "presenter"
+                                              , assign "mpv"     $ className =? "factorio"
+                                              , assign "web"     $ className =? "chromium-browser"
+                                              , assign "web"     $ className =? "Google-chrome"
+                                              , assign "work"    $ (appName =? "Devtools" <&&> className =? "Firefox")
+                                              , assign "work"    $ className =? "Postman"
+                                              , assign "web"     $ className =? "Firefox"
+                                              , assign "comm"    $ (className =? "Emacs" <&&> title =? "Mail")
+                                              , assign "comm"    $ className =? "Zulip"
+                                              , assign "comm"    $ className =? "Discord"
+                                              , assign "media"   $ (className =? "Alacritty" <&&> resource =? "media")
+                                              , assign "monitor" $ className =? "Grafana"
+                                              , Just $ (className =? "Alacritty" <&&> resource =? "htop") -?> centerFloat
+                                              , Just $ (className =? "Scp-dbus-service.py") -?> centerFloat
+                                              , Just $ (className =? "Alacritty" <&&> resource =? "log") -?> centerFloat
+                                              , assign "work"    $ className =? "Alacritty"
+                                              , assign' ["work", "uni"] $ (className =? "Emacs" <&&> appName /=? "Edit_with_Emacs_FRAME")
+                                              , assign' ["work", "uni"] $ className =? "jetbrains-idea-ce"
+                                              , assign "read"    $ className =? "llpp"
+                                              , assign "read"    $ className =? "Evince"
+                                              , assign "read"    $ className =? "Zathura"
+                                              , assign "read"    $ className =? "MuPDF"
+                                              , assign "read"    $ className =? "Xournal"
+                                              , assign "read"    $ appName =? "com-trollworks-gcs-app-GCS"
+                                              , assign "read"    $ appName =? "Tux.py"
+                                              , assign "read"    $ className =? "Gnucash"
+                                              , assign "comm"    $ className =? "Skype"
+                                              , assign "comm"    $ className =? "Daily"
+                                              , assign "comm"    $ className =? "Pidgin"
+                                              , assign "comm"    $ className =? "Slack"
+                                              , Just $ (resource =? "xvkbd") -?> doRectFloat $ RationalRect (1 % 8) (3 % 8) (6 % 8) (4 % 8)
+                                              , Just $ (stringProperty "_NET_WM_WINDOW_TYPE" =? "_NET_WM_WINDOW_TYPE_DIALOG") -?> doFloat
+                                              , Just $ (className =? "Dunst") -?> doFloat
+                                              , Just $ (className =? "Xmessage") -?> doCenterFloat
+                                              , Just $ (className =? "Nm-openconnect-auth-dialog") -?> centerFloat
+                                              , Just $ (className =? "Pinentry") -?> doCenterFloat
+                                              , Just $ (className =? "pinentry") -?> doCenterFloat
+                                              , Just $ (appName =? "Edit_with_Emacs_FRAME") -?> centerFloat
+                                              , Just $ (stringProperty "WM_WINDOW_ROLE" =? "GtkFileChooseDialog") -?> centerFloatSmall
+                                              , Just $ (className =? "Nvidia-settings") -?> doCenterFloat
+                                              , Just $ fmap ("Minetest" `isInfixOf`) title -?> doIgnore
+                                              , Just $ fmap ("Automachef" `isInfixOf`) title -?> doIgnore
+                                              , assign "call"    $ className =? "zoom"
+                                              ])
+                                          , hWsp = hWsp
+                                          , hCoWsp = hCoWsp
+                                          , hKeysMod = \conf -> Map.union $ (Map.fromList $ join $ map (spawnBindings conf) [ (xK_e, ["emacsclient -c"])
+                                                                                                                            , (xK_d, [fromString browser, fromString $ browser ++ " $(xclip -o)", fromString $ "notmuch-links"])
+                                                                                                                            , (xK_c, [ inputPrompt xPConfig "dc" ?+ dc ])
+                                                                                                                            , (xK_g, ["pidgin"])
+                                                                                                                            , (xK_s, ["skype"])
+                                                                                                                            -- , (xK_p, [mkPassPrompt "Type password" pwType xPConfig, mkPassPrompt "Show password" pwShow xPConfig, mkPassPrompt "Copy password" pwClip xPConfig])
+                                                                                                                            , (xK_w, ["sudo rewacom"])
+                                                                                                                            , (xK_y, [ "tmux new-window -dt media /var/media/link.hs $(xclip -o)"
+                                                                                                                                     , "tmux new-window -dt media /var/media/download.hs $(xclip -o)"
+                                                                                                                                     , "alacritty --class media -e tmuxp load /var/media"
+                                                                                                                                     ])
+                                                                                                                            , (xK_l, [ "tmux new-window -dt media mpv $(xclip -o)"
+                                                                                                                                     , "tmux new-window -dt media streamlink --retry-open 10 $(xclip -o)"
+                                                                                                                                     ])
+                                                                                                                            , (xK_m, [ "emacsclient -c -F \"'(title . \\\"Mail\\\")\" -e '(notmuch)'"
+                                                                                                                                     , "emacsclient -c -F \"'(title . \\\"Mail\\\")\" -e '(notmuch-mua-new-mail)'"
+                                                                                                                                     , "emacsclient -c -F \"'(title . \\\"Mail\\\")\" -e \"(browse-url-mail \"$(xclip -o)\")\""
+                                                                                                                                     ])
+                                                                                                                            , (xK_Return, ["keynav start,windowzoom", "keynav start"])
+                                                                                                                            , (xK_t, [inputPrompt xPConfig "fuzzytime timer" ?+ fuzzytime, fuzzytime "unset", work_fuzzytime])
+                                                                                                                            , (xK_a, [inputPrompt xPConfig "adjmix" ?+ adjmix])
+                                                                                                                            , (xK_s, [ inputPromptWithCompl xPConfig "start synergy" synergyCompl ?+ synergyStart
+                                                                                                                                     , inputPromptWithCompl xPConfig "stop synergy" synergyCompl ?+ synergyStop
+                                                                                                                                     ])
+                                                                                                                            , (xK_h, [ "alacritty --class htop -e htop"
+                                                                                                                                     , "alacritty --class log -e journalctl -xef"
+                                                                                                                                     ])
+                                                                                                                            , (xK_x, [ "autorandr -c"
+                                                                                                                                     , "autorandr -fl def"
+                                                                                                                                     ])
+                                                                                                                            , (xK_z, [ "zulip -- --force-device-scale-factor=2"
+                                                                                                                                     ])
+                                                                                                                            ])
+                                                                `Map.union`
+                                                                ( Map.fromList [ ((XMonad.modMask conf .|. controlMask, xK_Return), namedScratchpadAction scratchpads "term")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_a), namedScratchpadAction scratchpads "pavucontrol")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_w), namedScratchpadAction scratchpads "alarms")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_b), namedScratchpadAction scratchpads "blueman")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_p), namedScratchpadAction scratchpads "keepassxc")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_t), namedScratchpadAction scratchpads "toggl")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_e), namedScratchpadAction scratchpads "emacs")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_m), namedScratchpadAction scratchpads "calendar")
+                                                                               , ((XMonad.modMask conf .|. controlMask, xK_f), namedScratchpadAction scratchpads "music")
+                                                                               , ((XMonad.modMask conf .|. mod1Mask, xK_Up), rotate U)
+                                                                               , ((XMonad.modMask conf .|. mod1Mask, xK_Down), rotate D)
+                                                                               , ((XMonad.modMask conf .|. mod1Mask, xK_Left), rotate L)
+                                                                               , ((XMonad.modMask conf .|. mod1Mask, xK_Right), rotate R)
+                                                                               -- , ((XMonad.modMask conf .|. shiftMask, xK_a), startMute "hel")
+                                                                               ] )
+                                          , hKeyUpKeys = \conf -> Map.fromList [ -- ((XMonad.modMask conf .|. shiftMask, xK_a), stopMute "hel")
+                                                                               ]
+                                          , hScreens = hScreens defaultHost
+                                          , hCmds = return [ ("prev-workspace", prevWS)
+                                                           , ("next-workspace", nextWS)
+                                                           , ("prev-window", rotAllDown)
+                                                           , ("next-window", rotAllUp)
+                                                           , ("banish", banishScreen LowerRight)
+                                                           , ("update-gpg-tty", safeSpawn "gpg-connect-agent" ["UPDATESTARTUPTTY", "/bye"])
+                                                           , ("rescreen", rescreen)
+                                                           , ("repanel", do
+                                                                 spawn "nm-applet"
+                                                                 spawn "blueman-applet"
+                                                                 spawn "pasystray"
+                                                                 spawn "kdeconnect-indicator"
+                                                                 spawn "dunst -print"
+                                                                 spawn "udiskie"
+                                                                 spawn "autocutsel -s PRIMARY"
+                                                                 spawn "autocutsel -s CLIPBOARD"
+                                                             )
+                                                           , ("pause", mediaMpv $ MpvSetProperty "pause" True)
+                                                           , ("unpause", mediaMpv $ MpvSetProperty "pause" False)
+                                                           , ("exit", io $ exitWith ExitSuccess)
+                                                           ]
+                                          }
+  where
+    withGdkScale act = void . xfork $ setEnv "GDK_SCALE" "2" >> act
+    workspaceNames = Map.fromList [ (1, "comm")
+                                  , (2, "web")
+                                  , (3, "work")
+                                  , (4, "read")
+                                  , (5, "monitor")
+                                  , (6, "uni")
+                                  , (8, "call")
+                                  , (9, "media")
+                                  , (10, "mpv")
+                                  ]
+    scratchpads = [ NS "term" "alacritty --class scratchpad --title scratchpad -e tmux new-session -AD -s scratch" (resource =? "scratchpad") centerFloat
+                  , NS "pavucontrol" "pavucontrol" (resource =? "pavucontrol") centerFloat
+                  , NS "alarms" "alarm-clock-applet" (className =? "Alarm-clock-applet" <&&> title =? "Alarms") centerFloat
+                  , NS "blueman" "blueman-manager" (className =? ".blueman-manager-wrapped") centerFloat
+                  , NS "keepassxc" "keepassxc" (className =? "KeePassXC") centerFloat
+                  , NS "toggl" "toggldesktop" (className =? "Toggl Desktop") centerFloat
+                  , NS "calendar" "minetime -- --force-device-scale-factor=1.6" (className =? "MineTime") centerFloat
+                  , NS "emacs" "emacsclient -c -F \"'(title . \\\"Scratchpad\\\")\"" (className =? "Emacs" <&&> title =? "Scratchpad") centerFloat
+                  , NS "music" "google-play-music-desktop-player --force-device-scale-factor=1.6" (className =?  "Google Play Music Desktop Player") centerFloat
+                  ]
+    centerFloat = customFloating $ RationalRect (1 % 16) (1 % 16) (7 % 8) (7 % 8)
+    centerFloatSmall = customFloating $ RationalRect (1 % 4) (1 % 4) (1 % 2) (1 % 2)
+    hWsp = wspFromMap workspaceNames
+    hCoWsp = coWspFromMap workspaceNames
+    assign wsp test = (\wsp -> test -?> doShift wsp) <$> hCoWsp wsp
+    assign' :: [String] -> Query Bool -> Maybe MaybeManageHook
+    assign' wsps test = do
+      wsIds <- mapM hCoWsp wsps
+      return $ test -?> go wsIds
+      where
+        go :: [WorkspaceId] -> ManageHook
+        go wsps = do
+          visWsps <- liftX $ (\wset -> W.tag . W.workspace <$> W.current wset : W.visible wset) <$> gets windowset
+          case (filter (`elem` visWsps) wsps, wsps) of
+            (wsp : _, _) -> doShift wsp
+            (_, wsp : _) -> doShift wsp
+            ([], [])     -> return mempty
+    rotate rot = do
+      safeSpawn "xrandr" ["--output", "eDP-1", "--rotate", xrandrDir]
+      mapM_ rotTouch touchscreens
+      where
+        xrandrDir = case rot of
+          U -> "normal"
+          L -> "left"
+          R -> "right"
+          D -> "inverted"
+        matrix = case rot of
+          U -> [ [ 1,  0,  0]
+               , [ 0,  1,  0]
+               , [ 0,  0,  1]
+               ]
+          L -> [ [ 0, -1,  1]
+               , [ 1,  0,  0]
+               , [ 0,  0,  1]
+               ]
+          R -> [ [ 0,  1,  0]
+               , [-1,  0,  1]
+               , [ 0,  0,  1]
+               ]
+          D -> [ [-1,  0,  1]
+               , [ 0, -1,  1]
+               , [ 0,  0,  1]
+               ]
+        touchscreens = [ "Wacom Co.,Ltd. Pen and multitouch sensor Finger touch"
+                       , "Wacom Co.,Ltd. Pen and multitouch sensor Pen stylus"
+                       , "Wacom Co.,Ltd. Pen and multitouch sensor Pen eraser"
+                       ]
+        rotTouch screen = do
+          safeSpawn "xinput" $ ["set-prop", screen, "Coordinate Transformation Matrix"] ++ map (\n -> show n ++ ",") (concat matrix)
+          safeSpawn "xinput" ["map-to-output", screen, "eDP-1"]
+    withPw f label = io . void . forkProcess $ do
+      uninstallSignalHandlers
+      void $ createSession
+      (dropWhileEnd isSpace -> pw) <- readCreateProcess (proc "pass" ["show", label]) ""
+      void $ f pw
+    pwType :: String -> X ()
+    pwType = withPw $ readCreateProcess (proc "xdotool" ["type", "--clearmodifiers", "--file", "-"])
+    pwClip label = safeSpawn "pass" ["show", "--clip", label]
+    pwShow :: String -> X ()
+    pwShow = withPw $ \pw -> do
+      xmessage <- fromMaybe "xmessage" <$> liftIO (lookupEnv "XMONAD_XMESSAGE")
+      readCreateProcess (proc xmessage ["-file", "-"]) pw
+    fuzzytime str = safeSpawn "fuzzytime" $ "timer" : words str
+    work_fuzzytime = io . void . forkProcess $ do
+      readCreateProcess (proc "worktime" []) "" >>= safeSpawn "fuzzytime" . ("timer" : ) . pure
+    adjmix str = safeSpawn "adjmix" $ words str
+    dc expr = void . xfork $ do
+      result <- readProcess "dc" [] $ expr ++ "f"
+      let
+        (first : rest) = filter (not . null) $ lines result
+        notification = Notify.summary first <> Notify.body (unlines rest) <> Notify.timeout Infinite <> Notify.urgency Normal <> Notify.appName "dc"
+      void $ Notify.display notification
+    synergyCompl = mkComplFunFromList' ["mathw86"]
+    synergyStart host = safeSpawn "systemctl" ["--user", "start", "synergy-rtunnel@" ++ host ++ ".service"]
+    synergyStop host = safeSpawn "systemctl" ["--user", "stop", "synergy-rtunnel@" ++ host ++ ".service"]
+      
+hostFromName _ = defaultHost
+
+-- muteRef :: IORef (Maybe (String, Notification))
+-- {-# NOINLINE muteRef #-}
+-- muteRef = unsafePerformIO $ newIORef Nothing
+
+-- startMute, stopMute :: String -> X ()
+-- startMute sink = liftIO $ do
+--   muted <- isJust <$> readIORef muteRef
+--   when (not muted) $ do
+--     let
+--       notification = Notify.summary "Muted" <> Notify.timeout Infinite <> Notify.urgency Normal
+--       level = "0.0dB"
+--     -- level <- runProcessWithInput "ssh" ["bragi", "cat", "/dev/shm/mix/" ++ sink ++ "/level"] ""
+--     -- callProcess "ssh" ["bragi", "adjmix", "-t", sink, "-o", "0"]
+--     hPutStrLn stderr "Mute"
+--     writeIORef muteRef . Just . (level, ) =<< Notify.display notification
+-- stopMute sink = liftIO $ do
+--   let
+--     unmute (Just (level, notification)) = do
+--       hPutStrLn stderr "Unmute"
+--       -- callProcess "ssh" ["bragi", "adjmix", "-t", sink, "-o", level]
+--       Notify.close notification
+--     unmute Nothing = return ()
+--   muted <- isJust <$> readIORef muteRef
+--   when muted . join . atomicModifyIORef muteRef $ (Nothing, ) . unmute
+
+wspFromMap workspaceNames = \i -> case Map.lookup i workspaceNames of
+  Just str -> show i ++ " " ++ str
+  Nothing -> show i
+
+coWspFromMap workspaceNames = \str -> case filter ((== str) . snd) $ Map.toList workspaceNames of
+  [] -> Nothing
+  [(i, _)] -> Just $ wspFromMap workspaceNames i
+  _ -> Nothing
+
+spawnModifiers = [0, controlMask, shiftMask .|. controlMask]
+spawnBindings :: XConfig layout -> (KeySym, [X ()]) -> [((KeyMask, KeySym), X ())]
+spawnBindings conf (k, cmds) = zipWith (\m cmd -> ((modm .|. mod1Mask .|. m, k), cmd)) spawnModifiers cmds
+  where
+    modm = XMonad.modMask conf
+
+manageScratchTerm = (resource =? "scratchpad" <||> resource =? "keysetup") -?> doRectFloat $ RationalRect (1 % 16) (1 % 16) (7 % 8) (7 % 8)
+
+tabbedLayout t = renamed [Replace "Tabbed"] $ reflectHoriz $ t CustomShrink $ tabbedTheme
+tabbedLayoutHoriz t = renamed [Replace "Tabbed Horiz"] $ reflectVert $ t CustomShrink $ tabbedTheme
+tabbedTheme = def
+  { activeColor = "black"
+  , inactiveColor = "black"
+  , urgentColor = "black"
+  , activeBorderColor = "grey"
+  , inactiveBorderColor = "#202020"
+  , urgentBorderColor = "#bb0000"
+  , activeTextColor = "grey"
+  , inactiveTextColor = "grey"
+  , urgentTextColor = "grey"
+  , decoHeight = 32
+  , fontName = "xft:Fira Mono for Powerline:style=Medium:pixelsize=22.5"
+  }
+
+main :: IO ()
+main = do
+  arguments <- either (const []) id <$> tryIOError getArgs
+  case arguments of
+    ["--command", s] -> do
+      d   <- openDisplay ""
+      rw  <- rootWindow d $ defaultScreen d
+      a   <- internAtom d "XMONAD_COMMAND" False
+      m   <- internAtom d s False
+      allocaXEvent $ \e -> do
+        setEventType e clientMessage
+        setClientMessageEvent e rw a 32 m currentTime
+        sendEvent d rw False structureNotifyMask e
+        sync d False
+    _ -> do
+      -- batteryMon <- xfork $ monitorBattery Nothing Nothing
+      hostname <- getHostName
+      let
+        host = hostFromName hostname
+      setEnv "HOST" hostname
+      let myConfig = withHostUrgency . ewmh $ docks def
+            { manageHook = hManageHook host
+            , terminal = "alacritty"
+            , layoutHook = smartBorders . avoidStruts $ windowNavigation layout'
+            , logHook = do
+                dynamicLogString xmobarPP' >>= writeProps
+                updatePointer (99 % 100, 98 % 100) (0, 0)
+            , modMask = mod4Mask
+            , keys = \conf -> hKeysMod host conf $ myKeys' conf host
+            , workspaces = take (length numKeys) $ map wsp [1..]
+            , startupHook = setDefaultCursor xC_left_ptr
+            , normalBorderColor = "#202020"
+            , focusedBorderColor = "grey"
+            , handleEventHook = fullscreenEventHook <+> (serverModeEventHookCmd' $ hCmds host) <+> keyUpEventHook
+            }
+          writeProps str = do
+            let encodeCChar = map $ fromIntegral . fromEnum
+                atoms = [ "_XMONAD_WORKSPACES"
+                        , "_XMONAD_LAYOUT"
+                        , "_XMONAD_TITLE"
+                        ]
+            (flip mapM_) (zip atoms (lines str)) $ \(atom', content) -> do
+              ustring <- getAtom "UTF8_STRING"
+              atom <- getAtom atom'
+              withDisplay $ \dpy -> io $ do
+                root <- rootWindow dpy $ defaultScreen dpy
+                changeProperty8 dpy root atom ustring propModeReplace $ encodeCChar content
+                sync dpy True
+          wsp = hWsp host
+          -- We can´t define per-host layout modifiers because we lack dependent types
+          layout' = onHost "skadhi" ( onWorkspace (wsp 1) (Full ||| withIM (1%5) (Title "Buddy List") tabbedLayout') $
+                                      onWorkspace (wsp 10) Full $
+                                      onWorkspace (wsp 2) (Full ||| tabbedLayout') $ 
+                                      onWorkspace (wsp 5) tabbedLayout' $
+                                      onWorkspace (wsp 8) (withIM (1%5) (Title "Friends") tabbedLayout') $
+                                      defaultLayouts
+                                    ) $
+                    onHost "vali"   ( onWorkspace (wsp 2) (Full ||| tabbedLayout' ||| combineTwo (TwoPane 0.01 0.57) Full tabbedLayout') $
+                                      onWorkspace (wsp 3) workLayouts $ 
+                                      defaultLayouts
+                                    ) $
+                    onHost "hel"    ( onWorkspace (wsp 1) (withIM (1 % 8) (Title "Buddy List") $ trackFloating tabbedLayout') $
+                                      onWorkspace (wsp 2) (tabbedLayout''' ||| Dwindle R CW 1 (5 % 100)) $
+                                      onWorkspace (wsp 3) workLayouts $
+                                      onWorkspace (wsp 6) workLayouts $
+                                      onWorkspace (wsp 4) (tabbedLayout' ||| tabbedLayoutHoriz' ||| Dwindle R CW 1 (5 % 100)) $
+                                      onWorkspace (wsp 5) (tabbedLayout''' ||| Dwindle R CW 1 (5 % 100)) $
+                                      onWorkspace (wsp 10) (tabbedLayout''' ||| combineTwoP (TwoPane (1 % 100) (3 % 4)) tabbedLayout''' tabbedLayout''' (ClassName "mpv") ||| Dwindle R CW 1 (5 % 100)) $
+                                      defaultLayouts
+                                    ) $
+                    onHost "sif"    ( onWorkspace (wsp 1) (withIM (1 % 8) (Title "Buddy List") $ trackFloating tabbedLayout') $
+                                      onWorkspace (wsp 2) (tabbedLayout''' ||| Dwindle R CW 1 (5 % 100)) $
+                                      onWorkspace (wsp 3) workLayouts $
+                                      onWorkspace (wsp 6) workLayouts $
+                                      onWorkspace (wsp 4) (tabbedLayout' ||| tabbedLayoutHoriz' ||| Dwindle R CW 1 (5 % 100)) $
+                                      onWorkspace (wsp 5) (tabbedLayout''' ||| Dwindle R CW 1 (5 % 100)) $
+                                      onWorkspace (wsp 8) tabbedLayout''' $
+                                      onWorkspace (wsp 10) (tabbedLayout''' ||| combineTwoP (TwoPane (1 % 100) (3 % 4)) tabbedLayout''' tabbedLayout''' (ClassName "mpv") ||| Dwindle R CW 1 (5 % 100)) $
+                                      defaultLayouts
+                                    ) $
+                    defaultLayouts
+          -- tabbedLayout''' = renamed [Replace "Tabbed'"] $ IfMax 1 (noBorders Full) (tabbedLayout tabbedBottomAlways)
+          tabbedLayout''' = tabbedLayout tabbedBottom
+          tabbedLayout' = tabbedLayout tabbedBottomAlways
+          tabbedLayoutHoriz' = tabbedLayoutHoriz tabbedLeftAlways
+          defaultLayouts = {- spiralWithDir East CW (1 % 2) -} Dwindle R CW 1 (5 % 100) ||| tabbedLayout' ||| Full
+          -- workLayouts = {- spiralWithDir East CW (1 % 2) -} Dwindle R CW (2 % 1) (5 % 100) ||| tabbedLayout' ||| Full
+          workLayouts = tabbedLayout' ||| (renamed [Replace "Combined"] $ combineTwoP (TwoPane (1 % 100) (1891 % 2560)) tabbedLayout''' (Column 1.6) (ClassName "Postman" `Or` ClassName "Emacs" `Or` ClassName "jetbrains-idea-ce" `Or` (Resource "Devtools" `And` ClassName "Firefox"))) ||| Full ||| Dwindle R CW 1 (5 % 100) 
+          sqrtTwo = approxRational (sqrt 2) (1 / 2560)
+          xmobarPP' = xmobarPP { ppTitle = shorten 80
+                               , ppSort = (liftM2 (.)) getSortByIndex $ return scratchpadFilterOutWorkspace
+                               , ppUrgent = wrap "(" ")" . xmobarColor "#800000" ""
+                               , ppHiddenNoWindows = xmobarColor "#202020" "" . wrap "(" ")"
+                               , ppVisible = wrap "(" ")" . xmobarColor "#808000" ""
+                               , ppCurrent = wrap "(" ")" . xmobarColor "#008000" ""
+                               , ppHidden = wrap "(" ")"
+                               , ppWsSep = " "
+                               , ppSep = "\n"
+                               }
+          withHostUrgency = case hostname of
+            "hel" -> withUrgencyHookC urgencyHook' $ urgencyConfig { suppressWhen = U.Never, remindWhen = Dont }
+            "sif" -> withUrgencyHookC urgencyHook' $ urgencyConfig { suppressWhen = U.Never, remindWhen = Dont }
+            _ -> id
+          urgencyHook' window = do
+            runQuery ((resource =? "comm" <||> resource =? "Pidgin" <||> className =? "Gajim" <||> className =? "Skype") --> safeSpawn "thinklight" ["Blink", "100"]) window
+            urgencyHook (BorderUrgencyHook { urgencyBorderColor = "#bb0000" }) window
+          shutdown :: SomeException -> IO a
+          shutdown e = do
+            let pids = [ -- batteryMon
+                       ]
+            mapM_ (signalProcess sigTERM) pids
+            mapM_ (getProcessStatus False False) pids
+            throw e
+          keyUpEventHook :: Event -> X All
+          keyUpEventHook event = handle event >> return (All True)
+            where
+              handle (KeyEvent { ev_event_type = t, ev_state = m, ev_keycode = code })
+                | t == keyRelease = withDisplay $ \dpy -> do
+                    s  <- io $ keycodeToKeysym dpy code 0
+                    mClean <- cleanMask m
+                    ks <- asks $ hKeyUpKeys host . config
+                    userCodeDef () $ whenJust (Map.lookup (mClean, s) ks) id
+                | otherwise = return ()
+              handle _ = return ()
+      handle shutdown $ launch myConfig
+  
+secs :: Int -> Int
+secs = (* 1000000)
+
+-- monitorBattery :: Maybe BatteryContext -> Maybe Notification -> IO ()
+-- monitorBattery Nothing n = do
+--   ctx <- batteryContextNew
+--   case ctx of
+--     Nothing -> threadDelay (secs 10) >> monitorBattery Nothing n
+--     Just _  -> monitorBattery ctx n
+-- monitorBattery ctx@(Just ctx') n = do
+--   batInfo <- getBatteryInfo ctx'
+--   case batInfo of
+--     Nothing -> threadDelay (secs 1) >> monitorBattery ctx n
+--     Just batInfo -> do
+--       let n'
+--             | batteryState batInfo == BatteryStateDischarging
+--             , timeLeft <= 1200
+--             , timeLeft > 0 = Just $ summary "Discharging" <> hint "value" percentage <> urgency u <> body (duz timeLeft ++ "left")
+--             | otherwise = Nothing
+--           u
+--             | timeLeft <= 600 = Critical
+--             | timeLeft <= 1800 = Normal
+--             | otherwise = Low
+--           timeLeft = batteryTimeToEmpty batInfo
+--           percentage :: Int32
+--           percentage = round $ batteryPercentage batInfo
+--           ts = [("s", 60), ("m", 60), ("h", 24), ("d", 365), ("y", 1)]
+--           duz ms = ss
+--             where (ss, _) = foldl (\(ss, x) (s, y) -> ((if rem x y > 0 then show (rem x y) ++ s ++ " " else "") ++ ss , quot x y)) ("", ms) ts
+--       case n' of
+--         Just n' -> Notify.display (maybe mempty reuse n <> Notify.appName "monitorBattery" <> n') >>= (\n -> threadDelay (secs 2) >> monitorBattery ctx (Just n))
+--         Nothing -> threadDelay (secs 30) >> monitorBattery ctx n
+
+disableTouchpad, disableTrackpoint, enableTrackpoint, enableTouchpad :: X ()
+enableTouchpad = safeSpawn "xinput" ["enable", "SynPS/2 Synaptics TouchPad"]
+disableTouchpad = safeSpawn "xinput" ["disable", "SynPS/2 Synaptics TouchPad"]
+enableTrackpoint = safeSpawn "xinput" ["enable", "TPPS/2 IBM TrackPoint"]
+disableTrackpoint = safeSpawn "xinput" ["disable", "TPPS/2 IBM TrackPoint"]
+
+isDisabled :: String -> X Bool
+isDisabled str = do
+  out <- runProcessWithInput "xinput" ["list", str] ""
+  return $ "disabled" `isInfixOf` out
+  
+
+spawnKeychain :: X ()
+spawnKeychain = do
+  home <- liftIO getHomeDirectory
+  let keys = (map ((home </>) . (".ssh/" ++)) ["id", "id-rsa"]) ++ ["6B13AA67"]
+  liftIO (maybe (return ()) (setEnv "SSH_ASKPASS") =<< findAskpass)
+  safeSpawn "keychain" . (["--agents", "gpg,ssh"] ++)=<< liftIO (filterM doesFileExist keys)
+  where
+    findAskpass = filter `liftM` readFile "/etc/zshrc"
+    filter = listToMaybe . catMaybes . map (stripPrefix "export SSH_ASKPASS=") . lines
+
+assimilateKeychain :: X ()
+assimilateKeychain = liftIO $ assimilateKeychain' >> return ()
+assimilateKeychain' = tryIOError $ do
+  -- pid <- getProcessID
+  -- tmpDir <- lookupEnv "TMPDIR"
+  -- let tmpDir' = fromMaybe "/tmp" tmpDir
+  --     tmpFile = tmpDir' </> "xmonad-keychain" ++ (show pid) ++ ".env"
+  env <- runProcessWithInput "sh" ["-c", "eval $(keychain --eval --noask --agents gpg,ssh); env"] "" -- > " ++ tmpFile] ""
+  -- env <- readFile tmpFile
+  let envVars = Map.fromList $ map (\(k, v) -> (k, tail' v)) $ map (span (/= '=')) $ envLines
+      envVars' = Map.filterWithKey (\k _ -> k `elem` transfer) envVars
+      transfer = ["SSH_AUTH_SOCK", "SSH_AGENT_PID", "GPG_AGENT_INFO"]
+      envLines = filter (elem '=') $ lines env :: [String]
+  sequence $ map (\(k, c) -> setEnv k c) $ Map.toList envVars'
+  -- removeFile tmpFile
+  where
+    tail' [] = []
+    tail' (x:xs) = xs
+
+
+numKeys = [xK_parenleft, xK_parenright, xK_braceright, xK_plus, xK_braceleft, xK_bracketright, xK_bracketleft, xK_exclam, xK_equal, xK_asterisk]
+
+instance Shrinker CustomShrink where
+  shrinkIt _ "" = [""]
+  shrinkIt s cs
+    | length cs >= 4 = cs : shrinkIt s ((reverse . drop 4 . reverse $ cs) ++ "...")
+    | otherwise = cs : shrinkIt s (init cs)
+
+xPConfig :: XPConfig
+xPConfig = def
+  { font = "xft:Fira Mono for Powerline:style=Medium:pixelsize=22.5"
+  , height = 32
+  , bgColor = "black"
+  , fgColor = "grey"
+  , fgHLight = "green"
+  , bgHLight = "black"
+  , borderColor = "grey"
+  , searchPredicate = (\needle haystack -> all (`isInfixOf` map toLower haystack) . map (map toLower) $ words needle)
+  , position = Top
+  }
+
+sshOverrides host = map (\h -> mkOverride { oHost = h, oCommand = moshCmd . inTmux host} )
+               [ "odin"
+               , "ymir"
+               , "surtr"
+               ]
+               ++
+               map (\h -> mkOverride { oHost = h, oCommand = moshCmd' "/run/current-system/sw/bin/mosh-server" . withEnv [("TERM", "xterm")] . inTmux host} )
+               [ "bragi", "bragi.asgard.yggdrasil"
+               ]
+               ++
+               map (\h -> mkOverride { oHost = h, oCommand = sshCmd . inTmux host } )
+               [ "uni2work-dev1"
+               ]
+               ++
+               map (\h -> mkOverride { oHost = h, oCommand = sshCmd . withEnv [("TERM", "xterm")] . inTmux host } )
+               [ "remote.cip.ifi.lmu.de"
+               , "uniworx3", "uniworx4", "uniworx5", "uniworxdb2"
+               , "testworx"
+               ]
+
+backlight :: (Rational -> Rational) -> X ()
+backlight f = void . xfork . liftIO $ do
+  [   _device
+    , _class
+    , read . Text.unpack -> currentBright
+    , _currentPercentage
+    , read . Text.unpack -> maximumBright
+    ] <- Text.splitOn "," . Text.pack <$> readProcess "brightnessctl" ["-m"] ""
+  let current = currentBright % maximumBright
+      new' = f current * fromIntegral maximumBright
+      new :: Integer
+      new | floor new' < 0 = 0
+          | ceiling new' > maximumBright = maximumBright
+          | new' >= maximumBright % 2 = ceiling new'
+          | otherwise = floor new'
+  callProcess "brightnessctl" ["-m", "s", show new]
+
+cycleThrough :: [Rational] -> (Rational -> Rational)
+cycleThrough opts current = fromMaybe currentOpt $ listToMaybe next'
+  where currentOpt = minimumBy (comparing $ abs . subtract current) opts
+        (_, _ : next') = break (== currentOpt) opts
+
+cycleKbLayout :: [(String, Maybe String)] -> X ()
+cycleKbLayout [] = return ()
+cycleKbLayout layouts = liftIO $ do
+  next <- (getNext . extract) `liftM` runProcessWithInput "setxkbmap" ["-query"] ""
+  let
+    args = case next of
+      (l, Just v) -> [l, v]
+      (l, Nothing) -> [l]
+  safeSpawn "setxkbmap" args
+  where
+    extract :: String -> Maybe (String, Maybe String)
+    extract str = listToMaybe $ do
+      ["layout:", l] <- str'
+      [(l, Just v) | ["variant:", v] <- str'] ++ pure (l, Nothing)
+      where
+        str' = map words $ lines str
+    getNext :: Maybe (String, Maybe String) -> (String, Maybe String)
+    getNext = maybe (head layouts) getNext'
+    getNext' x = case elemIndex x layouts of
+      Nothing -> getNext Nothing
+      Just i -> layouts !! ((i + 1) `mod` length layouts)
+
+mpvAll' :: MpvCommand -> IO [MpvResponse]
+mpvAll' = mpvAll "/var/media/.mpv-ipc"
+
+mpvOne' :: MpvCommand -> IO (Maybe MpvResponse)
+mpvOne' = mpvOne "/var/media/.mpv-ipc"
+
+mediaMpv :: MpvCommand -> X ()
+mediaMpv cmd = void . xfork $ print =<< mpvAll' cmd
+
+mediaMpvTogglePause :: X ()
+mediaMpvTogglePause = void . xfork $ do
+  paused <- mapM mpvResponse <=< mpvAll' $ MpvGetProperty "pause"
+  if
+    | and paused -> print <=< mpvAll' $ MpvSetProperty "pause" False
+    | otherwise  -> print <=< mpvOne' $ MpvSetProperty "pause" True
+
+myKeys' conf host = Map.fromList $
+    -- launch a terminal
+    [ ((modm,               xK_Return), spawn $ (XMonad.terminal conf) ++ " -e tmux")
+    , ((modm .|. shiftMask, xK_Return), spawn $ XMonad.terminal conf)
+ 
+    -- launch dmenu
+    --, ((modm,               xK_d     ), spawn "exe=`dmenu_path | dmenu` && eval \"exec $exe\"")
+    , ((modm,               xK_d     ), shellPrompt "Run: " xPConfig)
+    , ((modm .|. shiftMask, xK_d     ), prompt "Run in Terminal: " ("alacritty" ++ " -e") xPConfig)
+    , ((modm,               xK_at    ), sshPrompt (sshOverrides . Just $ hName host) xPConfig)
+
+    -- close focused window
+    , ((modm .|. shiftMask, xK_q     ), kill)
+    , ((modm .|. controlMask .|. shiftMask, xK_q     ), spawn "xkill")
+ 
+     -- Rotate through the available layout algorithms
+    , ((modm,               xK_space ), sendMessage NextLayout)
+ 
+    --  Reset the layouts on the current workspace to default
+    , ((modm .|. controlMask, xK_r   ), (setLayout $ XMonad.layoutHook conf) >> refresh)
+ 
+    -- Resize viewed windows to the correct size
+    , ((modm,               xK_r     ), refresh)
+
+    -- Move focus to the next window
+    , ((modm,               xK_t     ), windows W.focusDown)
+ 
+    -- Move focus to the previous window
+    , ((modm,               xK_n     ), windows W.focusUp  )
+ 
+    -- Move focus to the master window
+    , ((modm,               xK_m     ), windows W.focusMaster  )
+ 
+    -- Swap the focused window and the master window
+    , ((modm .|. shiftMask, xK_m     ), windows W.swapMaster)
+ 
+    -- Swap the focused window with the next window
+    , ((modm .|. shiftMask, xK_t     ), windows W.swapDown  )
+ 
+    -- Swap the focused window with the previous window
+    , ((modm .|. shiftMask, xK_n     ), windows W.swapUp    )
+
+    -- Swap the focused window with the previous window
+    , ((modm .|. shiftMask .|. controlMask, xK_m), sendMessage SwapWindow)
+
+    , ((modm,                 xK_Right), sendMessage $ Go R)
+    , ((modm,                 xK_Left ), sendMessage $ Go L)
+    , ((modm,                 xK_Up   ), sendMessage $ Go U)
+    , ((modm,                 xK_Down ), sendMessage $ Go D)
+    , ((modm .|. shiftMask  , xK_Right), sendMessage $ Move R)
+    , ((modm .|. shiftMask  , xK_Left ), sendMessage $ Move L)
+    , ((modm .|. shiftMask  , xK_Up   ), sendMessage $ Move U)
+    , ((modm .|. shiftMask  , xK_Down ), sendMessage $ Move D)
+    -- , ((modm .|. controlMask, xK_Right), withFocused $ keysMoveWindow (10, 0))
+    -- , ((modm .|. controlMask, xK_Left ), withFocused $ keysMoveWindow (-10, 0))
+    -- , ((modm .|. controlMask, xK_Up   ), withFocused $ keysMoveWindow (0, -10))
+    -- , ((modm .|. controlMask, xK_Down ), withFocused $ keysMoveWindow (0, 10))
+     -- Shrink the master area
+    , ((modm,               xK_h     ), sendMessage Shrink)
+ 
+    -- Expand the master area
+    , ((modm,               xK_s     ), sendMessage Expand)
+ 
+    -- Push window back into tiling
+    , ((modm .|. shiftMask, xK_space ), withFocused $ windows . W.sink)
+    , ((modm, xK_BackSpace), focusUrgent)
+    , ((modm .|. shiftMask, xK_BackSpace), clearUrgents)
+ 
+    -- Increment the number of windows in the master area
+    , ((modm              , xK_comma ), sendMessage (IncMasterN 1))
+ 
+    -- Deincrement the number of windows in the master area
+    , ((modm              , xK_period), sendMessage (IncMasterN (-1)))
+
+    , ((0, xF86XK_AudioRaiseVolume), safeSpawn "pulseaudio-ctl" ["up", "2"])
+    , ((0, xF86XK_AudioLowerVolume), safeSpawn "pulseaudio-ctl" ["down", "2"])
+    , ((0, xF86XK_AudioMute), safeSpawn "pulseaudio-ctl" ["mute"])
+    , ((0, xF86XK_AudioPause), mediaMpv $ MpvSetProperty "pause" False)
+    , ((0, {-xF86XK_AudioMicMute-} 269025202), safeSpawn "pulseaudio-ctl" ["mute-input"])
+    , ((0, xF86XK_AudioPlay), mediaMpvTogglePause)
+    , ((modm .|. mod1Mask, xK_space), mediaMpvTogglePause)
+
+    , ((0, xF86XK_MonBrightnessDown), backlight (subtract 5))
+    , ((0, xF86XK_MonBrightnessUp), backlight (+ 5))
+
+    , ((modm                , xK_Escape), cycleKbLayout (hKbLayouts host))
+    , ((modm .|. controlMask, xK_Escape), safeSpawn "setxkbmap" $ fst (head $ hKbLayouts host) : maybeToList (snd . head $ hKbLayouts host))
+ 
+    -- Toggle the status bar gap
+    -- Use this binding with avoidStruts from Hooks.ManageDocks.
+    -- See also the statusBar function from Hooks.DynamicLog.
+    --
+    , ((modm              , xK_b     ), sendMessage ToggleStruts)
+
+    , ((modm .|. shiftMask, xK_p     ), safeSpawn "playerctl" ["-a", "pause"])
+ 
+    -- Quit xmonad
+    , ((modm .|. shiftMask, xK_e     ), io (exitWith ExitSuccess))
+ 
+    -- Restart xmonad
+    -- , ((modm .|. shiftMask .|. controlMask, xK_r     ), void . xfork $ recompile False >>= flip when (safeSpawn "xmonad" ["--restart"]))
+    , ((modm .|. shiftMask, xK_r     ), void . liftIO $ executeFile "xmonad" True [] Nothing)
+    , ((modm .|. shiftMask, xK_l     ), void . xfork $ do
+          sessId <- getEnv "XDG_SESSION_ID"
+          safeSpawn "loginctl" ["lock-session", sessId]
+      )
+    , ((modm .|. shiftMask, xK_s     ), safeSpawn "systemctl" ["suspend"])
+    , ((modm .|. shiftMask, xK_h     ), safeSpawn "systemctl" ["hibernate"])
+    , ((modm .|. shiftMask, xK_b     ), backlight $ cycleThrough [1, 3 % 4, 1 % 2, 1 % 4, 1 % 10, 1 % 100, 0]
+      )
+    , ((modm .|. shiftMask .|. controlMask, xK_b), backlight $ cycleThrough [0, 1 % 100, 1 % 10, 1 % 4, 1 % 2, 3 % 4, 1]
+      )
+    , ((modm, xK_v ), windows copyToAll) -- @@ Make focused window always visible
+    , ((modm .|. shiftMask, xK_v ),  killAllOtherCopies) -- @@ Toggle window state back
+    , ((modm .|. shiftMask, xK_g     ), windowPrompt xPConfig Goto wsWindows)
+    , ((modm .|. shiftMask .|. controlMask, xK_g     ), windowPrompt xPConfig Bring allWindows)
+    ]
+    ++
+ 
+    --
+    -- mod-[1..9], Switch to workspace N
+    --
+    -- mod-[1..9], Switch to workspace N
+    -- mod-shift-[1..9], Move client to workspace N
+    --
+    [((m .|. modm, k), windows $ f i)
+    | (i, k) <- zip (XMonad.workspaces conf) $ numKeys
+    , (f, m) <- [(W.greedyView, 0), (W.shift, shiftMask)]
+    ]
+    ++
+    [((m .|. modm .|. controlMask, k), void . runMaybeT $
+         MaybeT (P.getScreen def i) >>= MaybeT . screenWorkspace >>= lift . windows . f
+     )
+    | (i, k) <- zip (hScreens host) [xK_g, xK_c, xK_r, xK_l]
+    , (f, m) <- [(W.view, 0), (W.shift, shiftMask)]
+    ]
+  where
+    modm = XMonad.modMask conf
+
+    
diff --git a/accounts/gkleen@sif/xresources.nix b/accounts/gkleen@sif/xresources.nix
new file mode 100644
index 00000000..3bd9af2c
--- /dev/null
+++ b/accounts/gkleen@sif/xresources.nix
@@ -0,0 +1,46 @@
+{
+  "Xft.dpi" = 282;
+  "Xft.autohint" = false;
+  "Xft.lcdfilter" = "lcddefault";
+  "Xft.hintstyle" = "hintfull";
+  "Xft.hinting" = true;
+  "Xft.antialias" = true;
+  "Xft.rgba" = "rgb";
+
+  # special
+  "*.foreground" = "#d9d9d9";
+  "*.background" = "#000000";
+  "*.cursorColor" = "#d9d9d9";
+
+  # black
+  "*.color0" = "#000000";
+  "*.color8" = "#757a80";
+
+  # red
+  "*.color1" = "#bf4949";
+  "*.color9" = "#e66e6e";
+
+  # green
+  "*.color2" = "#9fb346";
+  "*.color10" = "#cbd676";
+
+  # yellow
+  "*.color3" = "#e69650";
+  "*.color11" = "#ffa74f";
+
+  # blue
+  "*.color4" = "#759fbf";
+  "*.color12" = "#98b8d9";
+
+  # magenta
+  "*.color5" = "#9b79a6";
+  "*.color13" = "#ceadd9";
+
+  # cyan
+  "*.color6" = "#79a69b";
+  "*.color14" = "#a3d9ce";
+
+  # white
+  "*.color7" = "#d9d9d9";
+  "*.color15" = "#ffffff";
+}
\ No newline at end of file
diff --git a/accounts/gkleen@sif/zshrc b/accounts/gkleen@sif/zshrc
new file mode 100644
index 00000000..d4d75073
--- /dev/null
+++ b/accounts/gkleen@sif/zshrc
@@ -0,0 +1,410 @@
+filebin() {
+    basePath=/srv/www/files
+    ssh ymir find /srv/www/files -type f -printf "$'%T@ %TY-%Tm-%TdT%TH:%TM %P\\\\0'" | sort -zn | cut -z -d ' ' -f 2- \
+        | while IFS= read -r -d $'\0' l; do
+            IFS=' ' read -r t p <<<"${l}"
+            printf "%s https://f.141.li/%s\n" "${t}" "${p}"
+          done
+}
+
+push2bin() {
+    if [[ ${#@} -eq 1 && ! -r ${1} ]]; then
+        uux -p 'ymir!push2bin' $(echo -n "${1:t}" | tr -c $'[:alnum:]+-=.' '_')
+    else
+        for f (${@}); do
+            uux -p 'ymir!push2bin' $(echo -n "${f:t}" | tr -c $'[:alnum:]+-=.' '_') <${f}
+        done
+    fi
+}
+
+genmail() {
+    local baseName=""
+    local target=""
+    if [[ ${#@} -ge 1 ]]; then
+        target=${1}
+        shift
+    fi
+
+    if [[ ${#@} -ge 1 ]]; then
+        baseName=$(pwgen ${@})
+    else
+        baseName=$(pwgen -v -A -0 16 1)
+    fi
+    baseName=$(tr -cd $'[:alnum:]!#$%&*+-/=?^_{|}~.' <<<${baseName})
+    address=${baseName}@141.li
+    insertAddr() {
+      echo "${baseName} gkleen" | ssh ymir tee -a /srv/mail/spm 1>/dev/null \
+    }
+
+    printf "%s\n" ${address}
+    read -q 'cont?Continue [y/N]? ' || return
+
+    insertAddr
+}
+
+s() {
+    dir=$(pwd)
+    [[ ${#@} -ge 1 ]] && dir=$1
+    
+    shellFile=$(findNix ${@})
+    [[ ${#@} -ge 1 ]] && shift
+
+    typeset -a cmd
+    if [[ -d ${dir}/.nix-gc-roots ]]; then
+        cmd=(persistent-nix-shell ${shellFile} ${S_EXTRA_ARGS} ${@})
+    else
+        cmd=(nix-shell ${shellFile} ${S_EXTRA_ARGS} ${@})
+    fi
+
+    if [[ -n "${S_SYSTEMD}" ]]; then
+        systemd-run --user --slice=development.slice --collect -E PATH=${PATH} -p WorkingDirectory=${dir} -- ${cmd}
+    else
+        (
+            cd ${dir}
+
+            exec ${cmd}
+        )
+    fi
+}
+
+sz() {
+    typeset -a S_EXTRA_ARGS
+    S_EXTRA_ARGS=(--run "env __ETC_ZSHENV_SOURCED=1 zsh") s ${@}
+}
+st() {
+    typeset -a S_EXTRA_ARGS
+    S_EXTRA_ARGS=(--run "tmux new-session env __ETC_ZSHENV_SOURCED=1 zsh") s ${@}
+}
+stt() {
+    typeset -a S_EXTRA_ARGS
+    S_SYSTEMD=true S_EXTRA_ARGS=(--run "urxvt -e tmux -S .tmux.sock new-session env __ETC_ZSHENV_SOURCED=1 zsh") s ${@}
+}
+se() {
+    typeset -a S_EXTRA_ARGS
+    S_SYSTEMD=true S_EXTRA_ARGS=(--run "emacs") s ${@}
+}
+
+findNix() {
+    if [[ $#@ -eq 0 ]]; then
+        findNix $(pwd)
+    elif [[ -f "$1" ]]; then
+        print ${1:a}
+    elif [[ -d "$1" && -f "$1"/shell.nix ]]; then
+        print ${1:a}/shell.nix
+    elif [[ -d "$1" && -f "$1"/default.nix ]]; then
+        print ${1:a}/default.nix
+    elif [[ -d "$1" && "$1" != "/" ]]; then
+        findNix ${1:h}
+    else
+        printf "Traversed directories to ‘/’ and found no shell specification\n" >&2
+        return 1
+    fi
+}
+
+dir() {
+    curlArchive=false
+    templateArchive=""
+    repoUrl=""
+    nixShell=""
+    findNix=false
+    dir=""
+    forceShell=false
+    wormhole=false
+    gitWorktree=""
+    notmuchMsg=""
+    quickserve=false
+
+    while getopts ':t:a:s:Sd:ir:wqg:n:' arg; do
+        case $arg in
+            "t") ;;
+            "a")
+                if [[ ${OPTARG} =~ "://" ]]; then
+                    templateArchive=${OPTARG}
+                    curlArchive=true
+                else
+                    templateArchive=${OPTARG:a}
+                fi
+                ;;
+            "s") nixShell=${OPTARG:a} ;;
+            "S") findNix=true ;;
+            "d") dir=${OPTARG} ;;
+            "i") forceShell=true ;;
+            "r") repoUrl=${OPTARG} ;;
+            "w") wormhole=true ;;
+            "g") gitWorktree=${OPTARG} ;;
+            "n") notmuchMsg=${OPTARG} ;;
+            "q") quickserve=true ;;
+            *) printf "Invalid option: %s\n" $arg >&2; exit 2 ;;
+        esac
+    done
+            
+    shift $((OPTIND - 1))
+
+    if [[ -z ${dir} && ${#@} -ge 1 ]]; then
+        dir=${1}
+        shift
+    fi
+
+    [[ -n ${dir} ]] || return 2; 
+
+    if [[ ! -e ${dir} ]]; then
+        if [[ -z "${gitWorktree}" ]]; then
+            mkdir -vp ${dir}
+        else
+            git -C ${gitWorktree} worktree add ${dir}
+        fi
+    else
+        gitWorktree=""
+    fi
+            
+    (
+        cd ${dir}
+        export dir;
+
+        ${findNix} && { nixShell=$(findNix) || return $? }
+
+        [[ -n ${repoUrl} ]] && git clone -- ${repoUrl} .
+        
+        if [[ -n ${templateArchive} ]]; then
+            (
+                archiveFile=""
+                cleanup() {
+                    [[ -n "${archiveFile}" ]] && rm -fv ${archiveFile}
+                }
+                trap cleanup EXIT
+
+                if ${curlArchive}; then
+                    archiveFile=$(mktemp -t "archive.XXXXXXXXXX.${templateArchive:t}")
+
+                    curl -L -o ${archiveFile} ${templateArchive}
+
+                    templateArchive=${archiveFile}
+                fi
+
+                case $(file --brief --mime-type ${templateArchive}) in
+                    application/zip) unzip ${templateArchive} ;;
+                    *) tar -xvaf ${templateArchive} ;;
+                esac
+            )
+        fi
+
+
+        if [[ -n ${notmuchMsg} ]]; then
+            getMimeTypes() {
+                nix-shell -p mailcap --run "find \${buildInputs} -path '*/etc/mime.types' | head -n 1 | xargs -- cat"
+            }
+
+            typeset -a messages
+            messages=(${(z)$(notmuch search --output=messages ${notmuchMsg})})
+            
+            for message (${messages}); do
+              typeset -A notmuchAtts
+              notmuchAtts=()
+
+              while IFS= read -r -d $'\n' line; do
+                  [[ ${line} =~ '(attachment|part)\{ ID: ([0-9]+)' ]] || continue
+                  attId=${match[2]}
+
+                  [[ ${line} =~ 'Content-type: multipart/' ]] && continue
+
+                  fName="part_${attId}"
+                  [[ ${line} =~ 'Filename: (([^,]|,[^ ])+)' ]] && fName=${match[1]}
+
+                  if [[ ${#messages} -gt 1 ]]; then
+                      fName="${message}/${fName}"
+                  fi
+
+                  fExt="${fName:e}"
+                  [[ -n "${fExt}" ]] && fName="${fName:r}"
+
+                  if [[ -z "${fExt}" && ${line} =~ 'Content-type: (([^,]|,[^ ])+)$' ]]; then
+                      fExt=$(getMimeTypes | grep ${match[1]}$'\t' | head -n 1 | awk '{ print $2; }')
+                  fi
+
+                  mkdir -p ${fName:h}
+                  if [[ -n "${fExt}" ]]; then
+                      fName=$(mktemp -p . "${fName}.XXXXXX.${fExt}")
+                  else
+                      fName=$(mktemp -p . "${fName}.XXXXXX")
+                  fi
+
+                  notmuchAtts[${attId}]=${fName}
+              done <<(notmuch show --decrypt=false -- ${message} | tr -d $'\f')
+
+              for attId fName in ${(kv)notmuchAtts}; do
+                  [[ -d ${fName:h} ]] || mkdir -p ${fName:h}
+                  printf "#%d → ‘%s’\n" "${attId}" "${fName}" >&2
+
+                  notmuch show --decrypt=false --part=${attId} -- ${message} | pv -W -D 2 -i 0.1 >${fName}
+              done
+            done
+        fi
+
+
+        ${wormhole} && wormhole receive
+
+        if ${quickserve}; then
+          quickserve --root . --upload . --show-hidden --tar gz
+        fi
+
+        
+        if [[ ${#@} -eq 0 ]] || ${forceShell}; then
+            if [[ ${#@} -gt 0 ]]; then
+                if [[ -z ${nixShell} ]]; then
+                    ${@}
+                else
+                    nix-shell ${nixShell} --run "${@}"
+                fi
+            fi
+
+            cd $(pwd) # Needed for mounting to work
+            
+            isSingleDir() {
+                typeset -a contents
+                contents=(*(N) .*(N))
+                    
+                if [[ ${#contents} -eq 1 && -d ${contents[1]} ]]; then
+                    print ${contents[1]}
+                    return 0
+                else
+                    return 1
+                fi
+            }
+            while d=$(isSingleDir); do cd ${d}; done
+
+            
+            if [[ -z ${nixShell} ]]; then
+                exec -- zsh
+            else
+                exec -- nix-shell ${nixShell} --run zsh
+            fi
+        else
+            if [[ -z ${nixShell} ]]; then
+                exec -- ${@}
+            else
+                exec -- nix-shell ${nixShell} --run "${@}"
+            fi
+        fi
+    )
+}
+
+tmpdir() {
+    cleanup()
+    {
+      cd /
+        unmount() {
+            printf "Unmounting %s\n" ${1} >&2
+            fusermount -u ${1} || umount ${1} || sudo umount ${1}
+        }
+        
+        if mountpoint -q -- ${dir}; then
+            unmount ${dir} || return $?
+        else
+            while read -d $'\0' subDir; do
+                mountpoint -q -- ${subDir} || continue
+                unmount ${subDir} || return $?
+            done <<<$(find ${dir} -xdev -type d -print0 | sort -zr)
+        fi
+        
+        rm -rfv --one-file-system -- ${dir}
+    }
+
+    local tmpdir=""
+
+    while getopts ':t:a:s:Sd:ir:wqg:n:' arg; do
+        case $arg in
+            "t") tmpdir="=${OPTARG}" ;;
+            "?"|":") printf "Invalid option: %s\n" $arg >&2; exit 2 ;;
+        esac
+    done
+            
+    (
+        trap cleanup EXIT
+
+
+        local dir=$(mktemp -ud --tmpdir${tmpdir} ${0}.XXXXXXXXXX || return $?)
+
+        dir -d ${dir} ${@}
+    )
+}
+
+inhibit-sleep() {
+    if systemctl --user is-active prevent-suspend.service 1>/dev/null; then
+        echo "Allowing suspend"
+        systemctl --user stop prevent-suspend.service
+    else
+        echo "Inhibiting suspend"
+        systemctl --user start prevent-suspend.service
+    fi
+}
+
+qr() {
+    qrencode -l M -o - -t ANSIUTF8 $@
+}
+
+clock() {
+    tty-clock -sSbc -C 7 -d 0 -a 100000000
+}
+
+public-ip() {
+    curl -s -H 'Accept: application/json' $@ ifconfig.co | jq -r '.ip'
+}
+
+nix-ghci() {
+    pkgExpr=""
+    if [[ ${#@} -gt 0 ]]; then
+        pkgExpr="${1}"
+        shift
+    fi
+    
+    nix-shell -p "with (import <nixpkgs> {}); pkgs.haskellPackages.ghcWithPackages (p: with p; [${pkgExpr}])" --run "ghci ${@}"
+}
+
+swap() {
+    f1=${1}
+    f2=${2}
+
+    if [[ -z "${f1}" || ! -e "${f1}" ]]; then
+        printf "‘%s’ does not exist\n" "${f1}" >&2
+        return 2
+    fi
+    if [[ -z "${f2}" || ! -e "${f2}" ]]; then
+        printf "‘%s’ does not exist\n" "${f2}" >&2
+        return 2
+    fi
+
+    tmpfile=$(mktemp --dry-run --tmpdir=${f1:h} .swap.XXXXXXXXXX)
+    mv -v ${f1} ${tmpfile}
+    mv -v ${f2} ${f1}
+    mv -v ${tmpfile} ${f2}
+}
+
+l() {
+  exa --binary --git --time-style=iso --long --all --header --group-directories-first --colour=always $@ | less --mouse -FR
+}
+
+re() {
+  systemctl --restart $@
+}
+
+ure() {
+  systemctl --user --restart $@
+}
+
+u2wdb() {
+  ssh -t postgres@uniworxdb2 psql uni2work
+}
+
+alias '..'='cd ..'
+alias -g L='| less'
+alias -g S='&> /dev/null'
+alias -g G='| grep'
+alias -g B='&> /dev/null &'
+alias -g BB='&> /dev/null &!'
+
+export DEFAULT_USER=gkleen
+export EDITOR=emacsclient
+
+bindkey -e
+bindkey ';5C' emacs-forward-word
+bindkey ';5D' emacs-backward-word
\ No newline at end of file
diff --git a/accounts/gkleen@surtr.nix b/accounts/gkleen@surtr.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/gkleen@surtr.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/accounts/mherold@surtr.nix b/accounts/mherold@surtr.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/mherold@surtr.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/accounts/mkleen@surtr.nix b/accounts/mkleen@surtr.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/mkleen@surtr.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/accounts/mwagner@surtr.nix b/accounts/mwagner@surtr.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/mwagner@surtr.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/accounts/root@sif.nix b/accounts/root@sif.nix
new file mode 100644
index 00000000..979463ba
--- /dev/null
+++ b/accounts/root@sif.nix
@@ -0,0 +1,18 @@
+{ userName, ... }:
+{
+  home-manager.users.${userName} = {
+    programs.ssh.matchBlocks = {
+      "git.yggdrasil.li" = {
+        user = "gitolite";
+        identityFile = "~/.ssh/sysconf";
+      };
+      "borg.munin" = {
+        hostname = "u120515.your-storagebox.de";
+        user = "u120515";
+        identityFile = "~/.ssh/borg.munin";
+        identitiesOnly = true;
+        port = 23;
+      };
+    };
+  };
+}
diff --git a/accounts/some@surtr.nix b/accounts/some@surtr.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/some@surtr.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/accounts/tkleen@surtr.nix b/accounts/tkleen@surtr.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/tkleen@surtr.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/accounts/vkleen@surtr.nix b/accounts/vkleen@surtr.nix
new file mode 100644
index 00000000..64629674
--- /dev/null
+++ b/accounts/vkleen@surtr.nix
@@ -0,0 +1 @@
+{...}: {}
diff --git a/flake.lock b/flake.lock
index 2a0a02da..0bbb15e0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1618469593,
-        "narHash": "sha256-fNdt+Q3irnT3pId7PKSSVeR8/9inBrAEg4gpItoRowU=",
+        "lastModified": 1622938142,
+        "narHash": "sha256-eNA2HPZI/iO4MCi/FCs+nRuFbpuMplM93Aj6YA2XCyY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "ebbbd4f2b50703409543941e7445138dc1e7392e",
+        "rev": "7591c8041d290d4bb99679e9fed2d8061a8f0435",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1618681372,
-        "narHash": "sha256-fjiabnBl20D/jc3bU3K16jP21bf5l2fG1rHij0LoHVk=",
+        "lastModified": 1622984109,
+        "narHash": "sha256-geVjAIToERcsjmHQo2tdD0UaLNk+k68nI5XCRmE3tHM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c27aea5e879748c79acf3b6681194fcf184e3eba",
+        "rev": "690496c4e545e68482b5c162a03f0a4f97d35373",
         "type": "github"
       },
       "original": {
@@ -51,11 +51,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1618226608,
-        "narHash": "sha256-Hq/lcu48RhE3U6gYYkuT7v6hLHeu1PrasiaBiGkCX+w=",
+        "lastModified": 1622915462,
+        "narHash": "sha256-Hr/DVKUnQt3BTR3o4vzux1Ed1mciKZOrCRWuwORzt4Y=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "ade2f5c17184df9d4c42d36da18a6ed903b4c02d",
+        "rev": "7918c59b392f23665c0b726d4c640d14be4b0b8b",
         "type": "github"
       },
       "original": {
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
new file mode 100644
index 00000000..c0b7f50c
--- /dev/null
+++ b/hosts/sif/default.nix
@@ -0,0 +1,355 @@
+{ flake, pkgs, customUtils, lib, config, path, ... }:
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    ./hw.nix
+    ./mail
+    initrd-all-crypto-modules default-locale openssh
+  ];
+
+  config = {
+    nixpkgs = {
+      system = "x86_64-linux";
+      config = {
+        allowUnfree = true;
+      };
+    };
+
+    boot = {
+      initrd = {
+        luks.devices = {
+          nvm0.device = "/dev/disk/by-uuid/fe641e81-0812-4181-a5f6-382ebba509bb";
+          nvm1.device = "/dev/disk/by-uuid/43df1ba8-1728-4193-8855-920a82d4494a";
+        };
+        availableKernelModules = [ "drbg" "nvme" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+        kernelModules = [ "dm-raid" "dm-integrity" "dm-snapshot" "dm-thin-pool" ];
+      };
+
+      blacklistedKernelModules = [ "nouveau" ];
+
+      # Use the systemd-boot EFI boot loader.
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+        timeout = null;
+      };
+
+      plymouth.enable = true;
+
+      kernelPackages = pkgs.linuxPackages_latest;
+      kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
+      extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
+      kernelModules = ["v4l2loopback"];
+
+      tmpOnTmpfs = true;
+    };
+
+    networking = {
+      domain = "midgard.yggdrasil";
+      hosts = {
+        "127.0.0.1" = [ "sif.midgard.yggdrasil" "sif" ];
+        "::1" = [ "sif.midgard.yggdrasil" "sif" ];
+      };
+
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [ 22 # ssh
+                            8000 # quickserve
+                          ];
+        allowedUDPPorts = [ 8554 # gopro webcam
+                          ];
+      };
+
+      networkmanager = {
+        enable = true;
+        dhcp = "internal";
+        dns = lib.mkForce "dnsmasq";
+        extraConfig = ''
+          [connectivity]
+          uri=https://online.yggdrasil.li
+        '';
+      };
+
+      wlanInterfaces = {
+        wlan0 = {
+          device = "wlp82s0";
+        };
+      };
+
+      bonds = {
+        "lan" = {
+          interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
+          driverOptions = {
+            miimon = "1000";
+            mode = "active-backup";
+            primary_reselect = "always";
+          };
+        };
+      };
+
+      dhcpcd.enable = false;
+      useDHCP = false;
+      useNetworkd = true;
+
+      interfaces.yggdrasil = {
+        virtual = true;
+        virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
+        macAddress = "5c:93:21:c3:61:39";
+      };
+    };
+
+    systemd.services."NetworkManager-wait-online".enable = false;
+    systemd.services."systemd-networkd-wait-online".enable = false;
+
+    environment.etc."NetworkManager/dnsmasq.d/libvirtd_dnsmasq.conf" = {
+      text = ''
+        server=/sif.libvirt/192.168.122.1
+      '';
+    };
+
+    services.openssh.enable = true;
+
+    powerManagement = {
+      enable = true;
+
+      cpuFreqGovernor = "schedutil";
+    };
+
+    environment.systemPackages = with pkgs; [
+      nvtop brightnessctl config.boot.kernelPackages.v4l2loopback s-tui
+    ];
+
+    services = {
+      tinc.yggdrasil.enable = true;
+
+      uucp = {
+        enable = true;
+        nodeName = "sif";
+        remoteNodes = {
+          "ymir" = {
+            publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
+            hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+          };
+        };
+
+        defaultCommands = lib.mkForce [];
+      };
+
+      avahi.enable = true;
+
+      fwupd.enable = true;
+
+      fprintd.enable = true;
+
+      blueman.enable = true;
+    
+      colord.enable = true;
+    
+      vnstat.enable = true;
+
+      logind = {
+        lidSwitch = "suspend";
+        lidSwitchDocked = "lock";
+        lidSwitchExternalPower = "lock";
+      };
+
+      atd = {
+        enable = true;
+        allowEveryone = true;
+      };
+
+      xserver = {
+        enable = true;
+
+        layout = "us";
+        xkbVariant = "dvp";
+        xkbOptions = "compose:caps";
+
+        displayManager.lightdm = {
+          enable = true;
+          greeters.gtk = {
+            clock-format = "%H:%M %a %b %_d";
+            indicators = ["~host" "~spacer" "~clock" "~session" "~power"];
+            theme = {
+              package = pkgs.equilux-theme;
+              name = "Equilux-compact";
+            };
+            iconTheme = {
+              package = pkgs.paper-icon-theme;
+              name = "Paper";
+            };
+            extraConfig = ''
+              background = #000000
+              user-background = false
+              active-monitor = #cursor
+              hide-user-image = true
+
+              [monitor: DP-2]
+                laptop = true
+            '';
+          };
+        };
+
+        displayManager.setupCommands = ''
+          ${pkgs.xorg.xinput}/bin/xinput disable 'SynPS/2 Synaptics TouchPad'
+        '';
+
+        desktopManager.xterm.enable = true;
+        windowManager.twm.enable = true;
+        displayManager.defaultSession = "xterm+twm";
+
+        wacom.enable = true;
+        libinput.enable = true;
+
+        dpi = 282;
+
+        videoDrivers = [ "nvidia" ];
+
+        screenSection = ''
+          Option "metamodes" "nvidia-auto-select +0+0 { ForceCompositionPipeline = On }"
+        '';
+
+        deviceSection = ''
+          Option "AccelMethod" "SNA"
+          Option "TearFree" "True"
+        '';
+
+        exportConfiguration = true;
+      };
+    };
+
+    users = {
+      users.gkleen.extraGroups = [ "media" ];
+      groups.media = {};
+    };
+
+    hardware = {
+      pulseaudio = {
+        enable = true;
+        package = with pkgs; pulseaudioFull;
+        support32Bit = true;
+      };
+
+      bluetooth = {
+        enable = true;   
+        settings = {
+          General = {
+            Enable = "Source,Sink,Media,Socket";
+          };
+        };
+      };
+
+      trackpoint = {
+        enable = true;
+        emulateWheel = true;
+        sensitivity = 255;
+        speed = 255;
+      };
+
+      nvidia = {
+        modesetting.enable = true;
+        prime = {
+          nvidiaBusId = "PCI:1:0:0";
+          intelBusId = "PCI:0:2:0";
+          sync.enable = true;
+        };
+      };
+
+      opengl = {
+        enable = true;
+        driSupport32Bit = true;
+        setLdLibraryPath = true;
+      };
+
+      firmware = [ pkgs.firmwareLinuxNonfree ];
+    };
+
+    sound.enable = true;
+
+    nix = {
+      autoOptimiseStore = true;
+      daemonNiceLevel = 10;
+      daemonIONiceLevel = 3;
+    };
+
+    environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
+
+    systemd.services."ac-plugged" = {
+      description = "Inhibit handling of lid-switch and sleep";
+
+      path = with pkgs; [ systemd coreutils ];
+
+      script = ''
+        exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+      };
+    };
+
+    services.udev.extraRules = with pkgs; lib.mkAfter ''
+      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
+      SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
+      ACTION=="add", SUBSYSTEM=="net", DEVTYPE!="?*", ATTR{address}=="3c:e1:a1:b9:cd:e5", NAME="dock0"
+    '';
+
+    services.borgbackup = {
+      snapshots = "btrfs";
+      prefix = "yggdrasil.midgard.sif.";
+      targets = {
+        "munin" = {
+          repo = "borg.munin:borg";
+          paths = [ "/home/gkleen" ];
+          prune = {
+            "home" =
+              [ "--keep-within" "24H"
+                "--keep-daily" "31"
+                "--keep-monthly" "12"
+                "--keep-yearly" "-1"
+              ];
+          };
+          keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
+        };
+      };
+    };
+    sops.secrets.borg-repokey--borg_munin__borg = {
+      sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
+      key = "key";
+    };
+
+    services.btrfs.autoScrub = {
+      enable = true;
+      fileSystems = [ "/" "/home" ];
+      interval = "weekly";
+    };
+
+    systemd.services."nix-daemon".serviceConfig = {
+      MemoryAccounting = true;
+      MemoryHigh = "50%";
+      MemoryMax = "75%";
+    };
+
+    services.journald.extraConfig = ''
+      SystemMaxUse=100M
+    '';
+
+    services.dbus.packages = with pkgs;
+      [ dbus gnome3.dconf
+      ];
+
+    programs = {
+      light.enable = true;
+      wireshark.enable = true;
+    };
+
+    virtualisation.libvirtd = {
+      enable = true;
+    };
+
+    zramSwap.enable = true;
+
+    services.pcscd.enable = true;
+
+    system.stateVersion = "20.03";
+  };
+}
diff --git a/hosts/sif/hw.nix b/hosts/sif/hw.nix
new file mode 100644
index 00000000..92afb7c9
--- /dev/null
+++ b/hosts/sif/hw.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+{
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/f094bf06-66f9-40a8-9ab2-2b54d05223d2";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B3A2-D029";
+      fsType = "vfat";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9e932072-3c56-4a9c-8da7-3163d2a8bf28";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/var/media" =
+    { device = "/dev/disk/by-uuid/437eca70-d017-4d52-a1fa-2f4c7a87f096";
+      fsType = "btrfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/50f3f856-cc17-4614-846a-34a14d5006ec"; }
+    ];
+
+  nix.maxJobs = 12;
+  # High-DPI console
+  console.font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
+
+  hardware.cpu.intel.updateMicrocode = true;
+  
+  hardware.enableRedistributableFirmware = true;
+}
diff --git a/hosts/sif/mail/default.nix b/hosts/sif/mail/default.nix
new file mode 100644
index 00000000..29bfb4f1
--- /dev/null
+++ b/hosts/sif/mail/default.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, ... }:
+{
+  services.postfix = {
+    enable = true;
+    enableSmtp = true;
+    enableSubmission = false;
+    setSendmail = true;
+    networksStyle = "host";
+    hostname = "sif.midgard.yggdrasil";
+    destination = [];
+    relayHost = "uucp:ymir";
+    recipientDelimiter = "+";
+    masterConfig = {
+      uucp = {
+        type = "unix";
+        private = true;
+        privileged = true;
+        chroot = false;
+        command = "pipe";
+        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
+      };
+    };
+    transport = ''
+      odin.asgard.yggdrasil uucp:odin
+    '';
+    config = {
+      always_bcc = "gkleen+sent@odin.asgard.yggdrasil";
+
+      default_transport = "uucp:ymir";
+
+      inet_interfaces = "loopback-only";
+
+      authorized_submit_users = ["!uucp" "static:anyone"];
+      message_size_limit = "0";
+
+      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
+        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
+        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
+        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
+      ''}'';
+      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
+        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
+        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
+      ''}'';
+
+      smtp_sasl_auth_enable = true;
+      smtp_sender_dependent_authentication = true;
+      smtp_sasl_tls_security_options = "noanonymous";
+      smtp_sasl_mechanism_filter = ["plain"];
+      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
+      smtp_cname_overrides_servername = false;
+      smtp_always_send_ehlo = true;
+      smtp_tls_security_level = "dane";
+
+      smtp_tls_loglevel = "1";
+      smtp_dns_support_level = "dnssec";
+    };
+  };
+
+  sops.secrets.postfix-sasl-passwd = {
+    key = "sasl-passwd";
+    path = "/var/db/postfix/sasl_passwd";
+    owner = "postfix";
+    sopsFile = ./secrets.yaml;
+  };
+}
diff --git a/hosts/sif/mail/secrets.yaml b/hosts/sif/mail/secrets.yaml
new file mode 100644
index 00000000..06a2ad40
--- /dev/null
+++ b/hosts/sif/mail/secrets.yaml
@@ -0,0 +1,33 @@
+sasl-passwd: ENC[AES256_GCM,data:S81uICROGm/E0TC3xJyPXbVLjOO+PsRyJBoWINFZGzeh8F0nXx1ewiiSXtNl9trTbxlSgf5jnBvtbyd75N0OcyqBf0db5tJtvU42DO5I4qFo4R67FzpKzKWMF4AJuFGP1aKkPsPIc41WTfLemKCfbEhVfQj9qEFLR9TC8iqzSZa0bztCuLoKi0vrAO/4JZnzUe3n7FXy+ER6oYK9JoKwaXc9KYdwQC3QYCby2iSq+GvRs7FL4x6/Zr8FzVCXHYMaW/Qg9dCn/g2NnEnOsH0pEASuKRPJKh8x5dtQg9v3jRK6NIDjEkXeuBnSOaeQiAcYc784foIlI7Q=,iv:zCsYZtU51zJR9XqaCvMtc5aGZwSccIrPzhznubEoEjo=,tag:0/v4Cp/0xLrfEX7H953bOA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-18T09:46:15Z'
+    mac: ENC[AES256_GCM,data:Idvsviv6CGibT+s7TSYUNmYO6gELqahJq33+k8YQhhwDKC6+s3Wqjq3xDkVjPcgq32GQolzmv20s93vQSHVuTKcH9jpXmIlwVZmZFFV7ejuA3QScOqqNNynh1m1ba/eZCGgIZiSlRuv7wqs7wz2uHN9eY3prsDkG1vxpc7UC18g=,iv:S9S/N3vW2TXcNYsc/w+3pDJT+BOQaAw8vgqYwRUtbU4=,tag:jPRXDzy29ewkq/Nzcayfnw==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dgwm4NZSaLAcSAQdAE/883Tbc7WXuzOxjm5jVrOSbnYe+BEg75ijtZP2L3UMw
+            4mhqzy576jEQLPGrnMpX2zA2MwFAwGnMwC98sQ4vVTp/xgNQ0VHHNM4GnTi6VoUb
+            0l4BLgQrT6p2ul69ADecadWJsGm6roqMHrpNGZeeczDLOBIzrrwN4sL92jQiEPw9
+            Ih+EXJpJ1K4NouU1VRsfQPqJ6y+i295TnEgunlJeYc/MNQgBT4ABiPZgUZXnkhxl
+            =7rOv
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T19:29:14Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdAGifJ6qk40VdF/WKaYa9v97PdSVkPvHZt+j0G8+ZDJSEw
+            8XC1622ElTWRCZ2bjUwMF77DMgMy3rEr8B7Bj6MnEzDd/Af63Np1cO+7juybxqhz
+            0l4BO6uZ+gCvKg45jWX0GE6ZBkoUTvh24djTngHFyIHDnpCxSB6s+jcYR9otco2F
+            ++E2pcoQR4GuOeyYa/8UsW+RzKWpCfskYbSIt4gAXyCt8ua1y5Rw0DEVdw91uJNC
+            =E/qh
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/hosts/sif/wacom.conf b/hosts/sif/wacom.conf
new file mode 100644
index 00000000..864409f1
--- /dev/null
+++ b/hosts/sif/wacom.conf
@@ -0,0 +1,15 @@
+Section "InputClass"
+        Identifier "Wacom USB device class"
+        MatchUSBID "056a:*"
+        MatchDevicePath "/dev/input/event*"
+        Driver "wacom"
+EndSection
+
+Section "InputClass"
+        Identifier      "calibration"
+        MatchProduct    "Wacom USB device class"
+        Option  "MinX"  "58"
+        Option  "MaxX"  "30982"
+        Option  "MinY"  "87"
+        Option  "MaxY"  "17328"
+EndSection
\ No newline at end of file
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
new file mode 100644
index 00000000..72ed81ae
--- /dev/null
+++ b/hosts/surtr/default.nix
@@ -0,0 +1,126 @@
+{ flake, pkgs, lib, ... }:
+{
+  imports = with flake.nixosModules.systemProfiles; [
+    qemu-guest openssh rebuild-machines ./zfs.nix ./dns ./tls.nix
+  ];
+
+  config = {
+    nixpkgs = {
+      system = "x86_64-linux";
+    };
+
+    networking.hostId = "a64cf4d7";
+    environment.etc."machine-id".text = "a64cf4d793ab0a0ed3892ead609fc0bc";
+
+    boot = {
+      loader.grub = {
+        enable = true;
+        version = 2;
+        device = "/dev/vda";
+      };
+
+      kernelPackages = pkgs.linuxPackages_latest;
+
+      tmpOnTmpfs = true;
+
+      supportedFilesystems = [ "zfs" ];
+      zfs = {
+        enableUnstable = true;
+        devNodes = "/dev"; # /dev/vda2 does not show up in /dev/disk/by-id
+      };
+
+      kernelModules = ["ptp_kvm"];
+    };
+
+    fileSystems = {
+      "/" = {
+        fsType = "tmpfs";
+        options = [ "mode=0755" ];
+      };
+
+      "/boot" =
+        { device = "/dev/disk/by-label/boot";
+          fsType = "vfat";
+        };
+    };
+
+    networking = {
+      hostName = "surtr";
+      domain = "muspelheim.yggdrasil";
+      search = [ "muspelheim.yggdrasil" "yggdrasil" ];
+
+      enableIPv6 = true;
+      dhcpcd.enable = false;
+      useDHCP = false;
+      useNetworkd = true;
+      defaultGateway = { address = "202.61.240.1"; };
+      defaultGateway6 = { address = "fe80::1"; };
+      interfaces."ens3" = {
+        ipv4.addresses = [
+          { address = "202.61.241.61"; prefixLength = 22; }
+        ];
+        ipv6.addresses = [
+          { address = "2a03:4000:52:ada::"; prefixLength = 64; }
+        ];
+      };
+
+      firewall = {
+        enable = true;
+        allowPing = true;
+        allowedTCPPorts = [
+          22 # ssh
+        ];
+        allowedUDPPortRanges = [
+          { from = 60000; to = 61000; } # mosh
+        ];
+      };
+    };
+
+    systemd.network.networks."40-ens3".networkConfig = {
+      Domains = lib.mkForce "~.";
+      DNS = [ "46.38.225.230" "46.38.252.230" "2a03:4000:0:1::e1e6" "2a03:4000:8000::fce6" ];
+    };
+
+    services.timesyncd.enable = false;
+    services.chrony = {
+      enable = true;
+      servers = [];
+      extraConfig = ''
+        pool time.cloudflare.com iburst nts
+        pool nts.ntp.se iburst nts
+        server nts.sth1.ntp.se iburst nts
+        server nts.sth2.ntp.se iburst nts
+        server ptbtime1.ptb.de iburst nts
+        server ptbtime2.ptb.de iburst nts
+        server ptbtime3.ptb.de iburst nts
+
+        refclock PHC /dev/ptp_kvm poll 2 dpoll -2 offset 0 stratum 3
+
+        makestep 0.1 3
+
+        cmdport 0
+      '';
+    };
+
+    services.openssh = {
+      enable = true;
+      passwordAuthentication = false;
+      challengeResponseAuthentication = false;
+      extraConfig = ''
+        AllowGroups ssh
+      '';
+    };
+    users.groups."ssh" = {
+      members = ["root"];
+    };
+
+    security.sudo.extraConfig = ''
+      Defaults lecture = never
+    '';
+
+    nix.gc = {
+      automatic = true;
+      options = "--delete-older-than 30d";
+    };
+  };
+}
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
new file mode 100644
index 00000000..ce909b72
--- /dev/null
+++ b/hosts/surtr/dns/default.nix
@@ -0,0 +1,92 @@
+{...}:
+{
+  config = {
+    fileSystems."/var/lib/knot" =
+      { device = "surtr/safe/var-lib-knot";
+        fsType = "zfs";
+      };
+
+    systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        53 # DNS
+      ];
+      allowedUDPPorts = [
+        53 # DNS
+      ];
+    };
+    
+    services.knot = {
+      enable = true;
+      extraConfig = ''
+        server:
+          listen: 127.0.0.1@53
+          listen: ::1@53
+          listen: 202.61.241.61@53
+          listen: 2a03:4000:52:ada::@53
+
+        remote:
+          - id: inwx_notify
+            address: 185.181.104.96@53
+
+        acl:
+          - id: inwx_acl
+            address: 185.181.104.96
+            action: transfer
+
+        template:
+          - id: inwx_zone
+            storage: /var/lib/knot
+            zonefile-sync: -1
+            zonefile-load: difference-no-serial
+            serial-policy: dateserial
+            journal-content: all
+            semantic-checks: on
+            dnssec-signing: on
+            notify: [inwx_notify]
+            acl: [inwx_acl]
+
+        policy:
+          - id: rsa
+            algorithm: rsasha256
+            ksk-size: 4096
+            zsk-size: 2048
+            zsk-lifetime: 30d
+
+        zone:
+          - domain: yggdrasil.li
+            template: inwx_zone
+            file: ${./zones/li.yggdrasil.soa}
+
+          - domain: nights.email
+            template: inwx_zone
+            file: ${./zones/email.nights.soa}
+
+          - domain: 141.li
+            template: inwx_zone
+            file: ${./zones/li.141.soa}
+
+          - domain: kleen.li
+            template: inwx_zone
+            file: ${./zones/li.kleen.soa}
+
+          - domain: xmpp.li
+            template: inwx_zone
+            file: ${./zones/li.xmpp.soa}
+
+          - domain: dirty-haskell.org
+            template: inwx_zone
+            file: ${./zones/org.dirty-haskell.soa}
+
+          - domain: praseodym.org
+            template: inwx_zone
+            file: ${./zones/org.praseodym.soa}
+
+          - domain: rheperire.org
+            template: inwx_zone
+            file: ${./zones/org.rheperire.soa}
+      '';
+    };
+  };
+}
diff --git a/hosts/surtr/dns/zones/email.nights.soa b/hosts/surtr/dns/zones/email.nights.soa
new file mode 100644
index 00000000..e0589dd3
--- /dev/null
+++ b/hosts/surtr/dns/zones/email.nights.soa
@@ -0,0 +1,38 @@
+$ORIGIN nights.email.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053002 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      0 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
+
+ymir._domainkey         IN      TXT     ( 
+  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
+  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
+  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
+)
+
+_xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
+_xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
+
+_submission._tcp        IN      SRV     5 0 25 ymir.yggdrasil.li.
+_imap._tcp              IN      SRV     5 0 143 ymir.yggdrasil.li.
+_imaps._tcp             IN      SRV     5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.141.soa b/hosts/surtr/dns/zones/li.141.soa
new file mode 100644
index 00000000..6f974439
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.141.soa
@@ -0,0 +1,50 @@
+$ORIGIN 141.li.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053001 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      0 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+surtr                   IN      A       202.61.241.61
+surtr                   IN      AAAA    2a03:4000:52:ada::
+surtr                   IN      MX      0 ymir.yggdrasil.li
+surtr                   IN      TXT     "v=spf1 redirect=ullr.yggdrasil.li"
+
+ymir                    IN      A       188.68.51.254
+ymir                    IN      AAAA    2a03:4000:6:d004::
+ymir                    IN      MX      0 ymir.yggdrasil.li
+ymir                    IN      TXT     "v=spf1 redirect=ymir.yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
+
+ymir._domainkey         IN      TXT     ( 
+  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
+  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
+  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
+)
+
+_xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
+_xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
+
+_infinoted._tcp         IN      SRV     5 0 6523 ymir.yggdrasil.li.
+
+_submission._tcp        IN      SRV     5 0 25 ymir.yggdrasil.li.
+_imap._tcp              IN      SRV     5 0 143 ymir.yggdrasil.li.
+_imaps._tcp             IN      SRV     5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.kleen.soa b/hosts/surtr/dns/zones/li.kleen.soa
new file mode 100644
index 00000000..5a3d2a11
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.kleen.soa
@@ -0,0 +1,40 @@
+$ORIGIN kleen.li.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053001 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      0 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
+
+ymir._domainkey         IN      TXT     ( 
+  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
+  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
+  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
+)
+
+_xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
+_xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
+
+_infinoted._tcp         IN      SRV     5 0 6523 ymir.yggdrasil.li.
+
+_submission._tcp        IN      SRV     5 0 25 ymir.yggdrasil.li.
+_imap._tcp              IN      SRV     5 0 143 ymir.yggdrasil.li.
+_imaps._tcp             IN      SRV     5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.xmpp.soa b/hosts/surtr/dns/zones/li.xmpp.soa
new file mode 100644
index 00000000..b123f4a5
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.xmpp.soa
@@ -0,0 +1,40 @@
+$ORIGIN xmpp.li.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053001 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      0 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
+
+ymir._domainkey         IN      TXT     ( 
+  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
+  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
+  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
+)
+
+_xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
+_xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
+
+_infinoted._tcp         IN      SRV     5 0 6523 ymir.yggdrasil.li.
+
+_submission._tcp        IN      SRV     5 0 25 ymir.yggdrasil.li.
+_imap._tcp              IN      SRV     5 0 143 ymir.yggdrasil.li.
+_imaps._tcp             IN      SRV     5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/li.yggdrasil.soa b/hosts/surtr/dns/zones/li.yggdrasil.soa
new file mode 100644
index 00000000..a9b87b76
--- /dev/null
+++ b/hosts/surtr/dns/zones/li.yggdrasil.soa
@@ -0,0 +1,58 @@
+$ORIGIN yggdrasil.li.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053000 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+ns                      IN      A       202.61.241.61
+ns                      IN      AAAA    2a03:4000:52:ada::
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      0 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 a:mailout.yggdrasil.li -all"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+ymir                    IN      A       188.68.51.254
+ymir                    IN      AAAA    2a03:4000:6:d004::
+ymir                    IN      MX      0 ymir.yggdrasil.li.
+ymir                    IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+surtr                   IN      A       202.61.241.61
+surtr                   IN      AAAA    2a03:4000:52:ada::
+surtr                   IN      MX      0 ymir.yggdrasil.li
+surtr                   IN      TXT     "v=spf1 redirect=ullr.yggdrasil.li"
+
+mailout                 IN      A       188.68.51.254
+mailout                 IN      AAAA    2a03:4000:6:d004::
+mailout                 IN      MX      0 ymir.yggdrasil.li
+mailout                 IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
+
+ymir._domainkey         IN      TXT     ( 
+  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
+  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
+  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
+)
+
+_xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
+_xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
+
+_infinoted._tcp         IN      SRV     5 0 6523 ymir.yggdrasil.li.
+
+_submission._tcp        IN      SRV     5 0 25 ymir.yggdrasil.li.
+_imap._tcp              IN      SRV     5 0 143 ymir.yggdrasil.li.
+_imaps._tcp             IN      SRV     5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/org.dirty-haskell.soa b/hosts/surtr/dns/zones/org.dirty-haskell.soa
new file mode 100644
index 00000000..74aed5fd
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.dirty-haskell.soa
@@ -0,0 +1,32 @@
+$ORIGIN dirty-haskell.org.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053001 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      10 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
+
+ymir._domainkey         IN      TXT     ( 
+  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
+  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
+  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
+)
diff --git a/hosts/surtr/dns/zones/org.praseodym.soa b/hosts/surtr/dns/zones/org.praseodym.soa
new file mode 100644
index 00000000..6f2c676f
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.praseodym.soa
@@ -0,0 +1,45 @@
+$ORIGIN praseodym.org.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053000 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      0 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+surtr                   IN      A       202.61.241.61
+surtr                   IN      AAAA    2a03:4000:52:ada::
+surtr                   IN      MX      0 ymir.yggdrasil.li
+surtr                   IN      TXT     "v=spf1 redirect=ullr.yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
+
+ymir._domainkey         IN      TXT     ( 
+  "v=DKIM1;k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq3cCKlk+VPhyAanLZTM0BCzUT/+fmxHioZcFk0uJk1akBYj7BRofR7eVNcLKpm3rwYMQgE+9vJH9p8SV6tws9EcWc8SMCqqGZlREYM7PmLDiTSK/vjCzkygfgFCb0EBNsY2A/fpP4rTeoxrbcBSvMkq97iY5rwyw4wXZVZXLiDaCj23s8POoxTk1ClqUJZJQ5x2"
+  "qzrC0RfN5kLZ9A7Gq2jB09vNxpXHYqABA0bJv88JiZM7hfkp9IafJZ+yCVMaBcJs4DAxnTjNAuFD9gm+qSFVY8+yeXqL6Qjo5PbruhyZRBW8RgRYT8t5n07XRglMGKKGMwOGLanrltcyXqB+GsDZBD36RAAwjFadnxdpDyRv4SgRP7ff2tKRrORYpmpN+mKdqw5j3J/nP6bXV1oAkyh9XQkPEIDi81WT87EZziTElDzVp6A2qFOxqucAovoRk24"
+  "7vlsns1FApFRsp9mja0UZNObyKD1M6tP9Ep7lS76tFGMk+WDvXRJH5LEsyCpu7sSyl1r/O0M4K+KldRCqLlZd7rf8F5P8T0dn1azk05g7F4p0N/y9GNdzXbPZ9u0eZdI7SEdh8ZoOZp7NVZiBFfbWLSS5ZtyA2kbBa4i7GJ/cuAbEKOmqAkeQPiu96TGIcyjkXjS6mTPI+9UmKZYZC+OM8XdJ02y5KRoonCc19ZS8CAwEAAQ=="
+)
+
+_xmpp-client._tcp       IN      SRV     5 0 5222 ymir.yggdrasil.li.
+_xmpp-server._tcp       IN      SRV     5 0 5269 ymir.yggdrasil.li.
+
+_infinoted._tcp         IN      SRV     5 0 6523 ymir.yggdrasil.li.
+
+_submission._tcp        IN      SRV     5 0 25 ymir.yggdrasil.li.
+_imap._tcp              IN      SRV     5 0 143 ymir.yggdrasil.li.
+_imaps._tcp             IN      SRV     5 0 993 ymir.yggdrasil.li.
diff --git a/hosts/surtr/dns/zones/org.rheperire.soa b/hosts/surtr/dns/zones/org.rheperire.soa
new file mode 100644
index 00000000..43b1e862
--- /dev/null
+++ b/hosts/surtr/dns/zones/org.rheperire.soa
@@ -0,0 +1,25 @@
+$ORIGIN rheperire.org.
+$TTL 3600
+@ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
+  2021053010 ; serial
+  10800      ; refresh
+  3600       ; retry
+  604800     ; expire
+  3600       ; min TTL
+)
+                        IN      NS      ns.yggdrasil.li.
+                        IN      NS      ns.inwx.de.
+                        IN      NS      ns2.inwx.de.
+                        IN      NS      ns3.inwx.eu.
+
+@                       IN      A       188.68.51.254
+@                       IN      AAAA    2a03:4000:6:d004::
+@                       IN      MX      0 ymir.yggdrasil.li.
+@                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+*                       IN      A       188.68.51.254
+*                       IN      AAAA    2a03:4000:6:d004::
+*                       IN      MX      0 ymir.yggdrasil.li.
+*                       IN      TXT     "v=spf1 redirect=yggdrasil.li"
+
+_acme-challenge      30 IN      TXT     ""
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
new file mode 100644
index 00000000..9581dd60
--- /dev/null
+++ b/hosts/surtr/tls.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+let
+  knotCfg = config.services.knot;
+  
+  knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
+    EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
+    EXEC_PROPAGATION_TIMEOUT=300
+    EXEC_POLLING_INTERVAL=5
+  '';
+  knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
+    #!${pkgs.zsh}/bin/zsh -xe
+
+    mode=$1
+    fqdn=$2
+    challenge=$3
+
+    owner=''${fqdn%".${zone}."}
+
+    commited=
+    function abort() {
+      [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
+    }
+
+    ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
+    trap abort EXIT
+
+    case "''${mode}" in
+      present)
+        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
+        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
+        ;;
+      cleanup)
+        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
+        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
+        ;;
+      *)
+        exit 2
+        ;;
+    esac
+
+    ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
+    commited=yes
+  '';
+in {
+  config = {
+    fileSystems."/var/lib/acme" =
+      { device = "surtr/safe/var-lib-acme";
+        fsType = "zfs";
+      };
+
+    security.acme = {
+      server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+      
+      acceptTerms = true;
+      preliminarySelfsigned = false;
+      email = "phikeebaogobaegh@141.li";
+      certs = {
+        "rheperire.org" = {
+          domain = "rheperire.org";
+          extraDomainNames = [ "*.rheperire.org" ];
+          dnsProvider = "exec";
+          credentialsFile = knotDNSCredentials "rheperire.org";
+          dnsResolver = "1.1.1.1:53";
+        };
+      };
+    };
+
+    users.groups."knot".members = [ "acme" ];
+  };
+}
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
new file mode 100644
index 00000000..3cbd0cf0
--- /dev/null
+++ b/hosts/surtr/zfs.nix
@@ -0,0 +1,101 @@
+{ pkgs, config, ... }:
+let
+  snapshotNames = ["frequent" "hourly" "daily" "monthly" "yearly"];
+  snapshotCount = {
+    frequent = 24;
+    hourly = 24;
+    daily = 30;
+    monthly = 12;
+    yearly = 5;
+  };
+  snapshotTimerConfig = {
+    frequent = { OnCalendar = "*:0/5 UTC"; Persistent = true; };
+    hourly = { OnCalendar = "hourly UTC"; Persistent = true; };
+    daily = { OnCalendar = "daily UTC"; Persistent = true; };
+    monthly = { OnCalendar = "monthly UTC"; Persistent = true; };
+    yearly = { OnCalendar = "yearly UTC"; Persistent = true; };
+  };
+  snapshotDescr = {
+    frequent = "few minutes";
+    hourly = "hour";
+    daily = "day";
+    monthly = "month";
+    yearly = "year";
+  };
+
+  zfs = config.boot.zfs.package;
+
+  autosnapPackage = pkgs.zfstools.override { inherit zfs; };
+in {
+  config = {
+    fileSystems = {
+      "/nix" =
+        { device = "surtr/local/nix";
+          fsType = "zfs";
+        };
+
+      "/root" =
+        { device = "surtr/safe/home-root";
+          fsType = "zfs";
+          neededForBoot = true;
+        };
+
+      "/var/lib/systemd" =
+        { device = "surtr/local/var-lib-systemd";
+          fsType = "zfs";
+          neededForBoot = true;
+        };
+      
+      "/var/lib/nixos" =
+        { device = "surtr/local/var-lib-nixos";
+          fsType = "zfs";
+          neededForBoot = true;
+        };
+
+      "/var/log" =
+        { device = "surtr/local/var-log";
+          fsType = "zfs";
+        };
+
+      "/home" =
+        { device = "surtr/safe/home";
+          fsType = "zfs";
+        };
+    };
+
+    systemd.services =
+      let mkSnapService = snapName: {
+            name = "zfs-snapshot-${snapName}";
+            value = {
+              description = "ZFS auto-snapshot every ${snapshotDescr.${snapName}}";
+              after = [ "zfs-import.target" ];
+              serviceConfig = {
+                Type = "oneshot";
+                ExecStart = "${autosnapPackage}/bin/zfs-auto-snapshot -k -p -u ${snapName} ${toString snapshotCount.${snapName}}";
+              };
+              restartIfChanged = false;
+
+              preStart = ''
+                ${zfs}/bin/zfs set com.sun:auto-snapshot=true surtr/safe
+              '';
+            };
+          };
+      in builtins.listToAttrs (map mkSnapService snapshotNames);
+
+    systemd.timers =
+      let mkSnapTimer = snapName: {
+            name = "zfs-snapshot-${snapName}";
+            value = {
+              wantedBy = [ "timers.target" ];
+              timerConfig = snapshotTimerConfig.${snapName};
+            };
+          };
+      in builtins.listToAttrs (map mkSnapTimer snapshotNames);
+
+    services.zfs.trim.enable = false;
+    services.zfs.autoScrub = {
+      enable = true;
+      interval = "Sun *-*-1..7 04:00:00";
+    };
+  };
+}
diff --git a/installer.nix b/installer.nix
index 64629674..3987e8ab 100644
--- a/installer.nix
+++ b/installer.nix
@@ -1 +1,17 @@
-{...}: {}
+{ flake, ... }: {
+  imports = with flake.nixosModules.systemProfiles; [
+    default-locale
+  ];
+
+  config = {
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [ 22 # ssh
+                        ];
+    };
+
+    systemd.services."sshd".wantedBy = ["multi-user.target"]; 
+
+    services.qemuGuest.enable = true;
+  };
+}
diff --git a/modules/borgbackup/btrfs-snapshots.nix b/modules/borgbackup/btrfs-snapshots.nix
new file mode 100644
index 00000000..96d2b2ba
--- /dev/null
+++ b/modules/borgbackup/btrfs-snapshots.nix
@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.btrfs-snapshots;
+
+  snapshotMount = str: "${str}${cfg.mountSuffix}";
+in {
+  options = {
+
+    services.btrfs-snapshots = {
+      enable = mkEnableOption "a systemd unit for btrfs snapshots";   
+
+      mountSuffix = mkOption {
+        type = types.str;
+        default = ".snapshot";
+      };
+
+      readOnly = mkOption {
+        type = types.bool;
+        default = true;
+      };
+
+      persist = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+
+  };
+
+  
+  config = mkIf cfg.enable {
+    systemd.services."btrfs-snapshot@" = {
+      enable = true;
+
+      unitConfig = {
+        StopWhenUnneeded = !cfg.persist;
+      };
+
+      serviceConfig = with pkgs; {
+        Type = "oneshot";
+        ExecStartPre = "-${btrfs-progs}/bin/btrfs subvolume delete -c ${snapshotMount "%f"}";
+        ExecStart = "${btrfs-progs}/bin/btrfs subvolume snapshot ${optionalString cfg.readOnly "-r"} %f ${snapshotMount "%f"}";
+        RemainAfterExit = true;
+        ExecStop = "${btrfs-progs}/bin/btrfs subvolume delete -c ${snapshotMount "%f"}";
+      };
+    };
+
+  };
+}
diff --git a/modules/borgbackup/default.nix b/modules/borgbackup/default.nix
new file mode 100644
index 00000000..a0419d0e
--- /dev/null
+++ b/modules/borgbackup/default.nix
@@ -0,0 +1,206 @@
+{ config, lib, utils, pkgs, ... }:
+
+with utils;
+with lib;
+
+let
+  cfg = config.services.borgbackup;
+
+  lvmPath = {
+    options = {
+      LV = mkOption {
+        type = types.str;
+      };
+      VG = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  pathType = if cfg.snapshots == "lvm" then types.submodule lvmPath else types.path;
+
+  systemdPath = path: escapeSystemdPath (if cfg.snapshots == "lvm" then "${path.VG}-${path.LV}" else path);
+
+  withSuffix = path: path + (if cfg.snapshots == "btrfs" then config.services.btrfs-snapshots.mountSuffix else config.services.lvm-snapshots.mountSuffix);
+
+  mountPoint = if cfg.snapshots == "lvm" then config.services.lvm-snapshots.mountPoint else "";
+
+  targetOptions = {
+    options = {
+      repo = mkOption {
+        type = types.str;
+      };
+    
+      paths = mkOption {
+        type = types.listOf pathType;
+        default = [];
+      };
+
+      prune = mkOption {
+        type = types.attrsOf (types.listOf types.str);
+        default = {};
+      };
+
+      interval = mkOption {
+        type = types.str;
+        default = "6h";
+      };
+
+      jitter = mkOption {
+        type = with types; nullOr str;
+        default = "6h";
+      };
+
+      lock = mkOption {
+        type = types.nullOr types.str;
+        default = "backup";
+      };
+
+      network = mkOption {
+        type = types.bool;
+        default = true;
+      };
+
+      lockWait = mkOption {
+        type = types.int;
+        default = 600;
+      };
+
+      keyFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+      };
+    };
+  };
+in {
+  disabledModules = [ "services/backup/borgbackup.nix" ];
+  
+  options = {
+    services.borgbackup = {
+      snapshots = mkOption {
+        type = types.nullOr (types.enum ["btrfs" "lvm"]);
+        default = null;
+      };
+
+      targets = mkOption {
+        type = types.attrsOf (types.submodule targetOptions);
+        default = {};
+      };
+
+      prefix = mkOption {
+        type = types.str;
+      };
+    };
+  };
+
+  imports =
+    [ ./lvm-snapshots.nix
+      ./btrfs-snapshots.nix
+    ];
+
+  config = mkIf (any (t: t.paths != []) (attrValues cfg.targets)) {
+    services.btrfs-snapshots.enable = mkIf (cfg.snapshots == "btrfs") true;
+
+    services.lvm-snapshots.snapshots = mkIf (cfg.snapshots == "lvm") (listToAttrs (map (path: nameValuePair (path.VG + "-" + path.LV) {
+      inherit (path) LV VG; 
+      mountName = withSuffix (path.VG + "-" + path.LV);
+    }) (unique (flatten (mapAttrsToList (target: tCfg: tCfg.paths) cfg.targets)))));
+
+    systemd.targets."timers-borg" = {
+      wantedBy = [ "timers.target" ];
+    };
+
+    systemd.slices."system-borgbackup" = {};
+  
+    systemd.timers = (listToAttrs (map ({ target, path, tCfg }: nameValuePair "borgbackup-${target}@${systemdPath path}" {
+      requiredBy = [ "timers-borg.target" ];
+
+      timerConfig = {
+        Persistent = false;
+        OnBootSec = tCfg.interval;
+        OnUnitActiveSec = tCfg.interval;
+        RandomizedDelaySec = mkIf (tCfg.jitter != null) tCfg.jitter;
+      };
+    }) (flatten (mapAttrsToList (target: tCfg: map (path: { inherit target path tCfg; }) tCfg.paths) cfg.targets)))) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {
+      enable = tCfg.prune != {};
+    
+      requiredBy = [ "timers-borg.target" ];
+
+      timerConfig = {
+        Persistent = false;
+        OnBootSec = tCfg.interval;
+        OnUnitActiveSec = tCfg.interval;
+        RandomizedDelaySec = mkIf (tCfg.jitter != null) tCfg.jitter;
+      };
+    }) cfg.targets);
+
+    systemd.services = (mapAttrs' (target: tCfg: nameValuePair "borgbackup-${target}@" (let
+      deps = flatten [
+        (optional (cfg.snapshots == "btrfs") "btrfs-snapshot@%i.service")
+        (optional tCfg.network "network-online.target")
+      ];
+    in {
+      bindsTo = deps;
+      after = deps;
+
+      path = with pkgs; [borgbackup] ++ optional (tCfg.lock != null) utillinux;
+
+      script = let
+        borgCmd = ''
+          borg create \
+            --lock-wait ${toString tCfg.lockWait} \
+            --stats \
+            --list \
+            --filter 'AME' \
+            --exclude-caches \
+            --keep-exclude-tags \
+            --patterns-from .backup-${target} \
+            --one-file-system \
+            --compression auto,lzma \
+            ${tCfg.repo}::${cfg.prefix}$1-{utcnow}
+        '';
+      in if tCfg.lock == null then borgCmd else "flock -xo /var/lock/${tCfg.lock} ${borgCmd}";
+      scriptArgs = if cfg.snapshots == "lvm" then "%I" else "%i";
+
+      unitConfig = {
+        AssertPathIsDirectory = mkIf (tCfg.lock != null) "/var/lock";
+        DefaultDependencies = false;
+        RequiresMountsFor = mkIf (cfg.snapshots == "lvm") [ "${mountPoint}/${withSuffix "%I"}" ];
+      };
+
+      serviceConfig = {
+        Type = "oneshot";
+        WorkingDirectory = if (cfg.snapshots == null) then "%I" else (if (cfg.snapshots == "lvm") then "${mountPoint}/${withSuffix "%I"}" else "${withSuffix "%f"}");
+        Nice = 15;
+        IOSchedulingClass = 2;
+        IOSchedulingPriority = 7;
+        SuccessExitStatus = [1 2];
+        Slice = "system-borgbackup.slice";
+        Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
+      };
+    })) cfg.targets) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {
+      enable = tCfg.prune != {};
+    
+      bindsTo = ["network-online.target"];
+      after = ["network-online.target"];
+
+      path = with pkgs; [borgbackup];
+
+      script = concatStringsSep "\n" (mapAttrsToList (path: args: ''
+        borg prune \
+          --lock-wait ${toString tCfg.lockWait} \
+          --list \
+          --stats \
+          --prefix ${escapeShellArg "${cfg.prefix}${path}"} \
+          ${escapeShellArgs args} \
+          ${tCfg.repo}
+      '') tCfg.prune);
+
+      serviceConfig = {
+        Type = "oneshot";
+        Slice = "system-borgbackup.slice";
+        Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
+      };
+    }) cfg.targets);
+  };
+}
diff --git a/modules/borgbackup/lvm-snapshots.nix b/modules/borgbackup/lvm-snapshots.nix
new file mode 100644
index 00000000..9b2a6562
--- /dev/null
+++ b/modules/borgbackup/lvm-snapshots.nix
@@ -0,0 +1,133 @@
+{ config, lib, utils, pkgs, ... }:
+
+with utils;
+with lib;
+
+let
+  cfg = config.services.lvm-snapshots;
+
+  snapshotMount = name: "${cfg.mountPoint}/${if isNull cfg.snapshots."${name}".mountName then name else cfg.snapshots."${name}".mountName}";
+  snapshotName = name: "${name}-${cfg.mountSuffix}";
+
+  snapshotConfig = {
+    options = {
+      LV = mkOption {
+        type = types.str;
+      };
+
+      VG = mkOption {
+        type = types.str;
+      };
+
+      mountName = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+      };
+      
+      cowSize = mkOption {
+        type = types.str;
+        default = "-l20%ORIGIN";
+      };
+
+      readOnly = mkOption {
+        type = types.bool;
+        default = true;
+      };
+
+      persist = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
+  };
+in {
+  options = {
+
+    services.lvm-snapshots = {
+      snapshots = mkOption {
+        type = types.attrsOf (types.submodule snapshotConfig);
+        default = {};
+      };
+
+      mountPoint = mkOption {
+        type = types.path;
+        default = "/mnt";
+      };
+
+      mountSuffix = mkOption {
+        type = types.str;
+        default = "-snapshot";
+      };
+    };
+  };
+
+  
+  config = mkIf (cfg != {}) {
+
+    boot.kernelModules = [ "dm_snapshot" ];
+
+    # system.activationScripts = mapAttrs' (name: scfg: nameValuePair ("lvm-mountpoint" + name) ''
+    #   mkdir -p ${snapshotMount name}
+    # '') cfg.snapshots;
+
+    systemd.services = mapAttrs' (name: scfg: nameValuePair ("lvm-snapshot@" + escapeSystemdPath name) {
+      enable = true;
+
+      description = "LVM-snapshot of ${scfg.VG}/${scfg.LV}";
+
+      bindsTo = ["${escapeSystemdPath "/dev/${scfg.VG}/${scfg.LV}"}.device"];
+      after = ["${escapeSystemdPath "/dev/${scfg.VG}/${scfg.LV}"}.device"];
+
+      unitConfig = {
+        StopWhenUnneeded = !scfg.persist;
+        AssertPathIsDirectory = "/var/lock";
+      };
+
+      path = with pkgs; [ devicemapper utillinux ];
+      
+      script = ''
+        (
+          flock -xn -E 4 9
+          if [[ "$?" -ne 0 ]]; then
+            exit $?
+          fi
+          
+          lvcreate -s ${scfg.cowSize} --name ${snapshotName name} ${scfg.VG}/${scfg.LV}
+
+          sleep infinity &
+        ) 9>/var/lock/lvm-snapshot.${scfg.VG}
+      '';
+      
+      preStart = ''
+        lvremove -f ${scfg.VG}/${snapshotName name}
+      '';
+
+      preStop = ''
+        lvremove -f ${scfg.VG}/${snapshotName name}
+      '';
+
+      serviceConfig = with pkgs; {
+        Type = "forking";
+        RestartForceExitStatus = [ "4" ];
+        RestartSec = "5min";
+      };
+    }) cfg.snapshots;
+
+    systemd.mounts = mapAttrsToList (name: scfg: {
+      enable = true;
+
+      unitConfig = {
+        # AssertPathIsDirectory = snapshotMount name;
+        StopWhenUnneeded = !scfg.persist;
+      };
+
+      bindsTo = [ ("lvm-snapshot@" + escapeSystemdPath name + ".service") ];
+      after = [ ("lvm-snapshot@" + escapeSystemdPath name + ".service") ];
+
+      options = concatStringsSep "," ([ "noauto" ] ++ optional scfg.readOnly "ro");
+
+      where = snapshotMount name;
+      what = "/dev/" + scfg.VG + "/" + snapshotName name;
+    }) cfg.snapshots;
+  };
+}
diff --git a/modules/borgbackup/repokeys/borg_munin__borg.yaml b/modules/borgbackup/repokeys/borg_munin__borg.yaml
new file mode 100644
index 00000000..f302fe06
--- /dev/null
+++ b/modules/borgbackup/repokeys/borg_munin__borg.yaml
@@ -0,0 +1,33 @@
+key: ENC[AES256_GCM,data:mxh+Jtxx+HyD246yPwo0vy7vSTz3IG8VmfbxPMwqJRreh9ZwkGnH5aCTDOvWOHIrkmzaRMF3oCi1P8D29+abMUZdt0MuJ3UE6iL8+SXlflR+WACgALM2Df+x9B3BwQM3yeoCiWG+ebr0iQPHM3jqqpkjoRv1CcythxG2deZueur9lzgC2CwG1g3O8Prnl9z0JQGOa+gjic8Zwfn38B1BECeNPrbjzICGBOrSbN/6EnfBDygI2QzseamzK2I6R6jT+QxHvkl+Zi1m2TRB+4o82VgTjPhIReJyT7PrlDnUyrKObhCOlb3v+LiSdp16IPIDVs968kyDzgyi7QPOpGr+5tutWCZrau5xhPDrONKByl/0nVVwEZfRIYATvEXtn5okJru/mglcpeD0I7AtLt+Vfv9CB9pQczvkHo0cDtgudQDf9ADt/nkmqHugm5VfMg9m9aGbKqzXt6pPOMsXSbS43K7wgDaduLZ/PW4Ookx9gTNLtJHnZ64GBorOv4QSrZIZF8pE1FsQdUhmp/YzVhaNBnjCr+Jh77sYjoOwzF77Xy+VP2C/yVIf492P+FcgkSj6XhYYqHffpFW9l/xmUvyQF5gjj2k5T21UvgChhI1HeLPzQ7W9+xuGSMtg58aD/VPe1loCy8zLITNl71bneararRS5vItoZyzMdmIRMLAZD1klPmDNe1yufTpubOXzNYbWUqFUZtwH/mDL5GRZBD9dqs2b3F26c1CUyw==,iv:NJBHesKSZ1zuKk8qHnYKqIwMnFkH+rkQD1bam5XpLXU=,tag:EiYbIFY/r/eTSTJIhYV+GA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-02T20:38:48Z'
+    mac: ENC[AES256_GCM,data:3rkFTOk3r2dx3hOqu1u7XIIibTDfqNlRcWY9X2N/LFa/BKojgDt5tcpbphV4HqWvl8nS+fPcVrIElJfQ/QGFEOx68G95BhByntT9+JhSbHJt73dGnCSroZCw5QefdydREGvA5n00Vo9yT9IMvQsQbmpRzo6hcrSSUvagZqmZckA=,iv:F/HllDzyxgulIWZbfz9bFKR+SFg4PoaUYZ5N5hfIzw0=,tag:h2NXmvj/thhBg1rIkwdXXA==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T20:38:09Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dgwm4NZSaLAcSAQdAwmvyXlr9MyfPfLgkfQkoktKBV2WA2xhZrGL7NeeGfhAw
+            REk+clJ9WgiJ0iceRAONPnEjeiK0J6Fsj+5Ulq8flFGkoj5Pta0pm/9fudKmcPdC
+            0l4BF0G5LSpG1EmY+LmVdSdas16rWgthnojoXPvbbHG6jZs3aDETshdiN8Bdlqsf
+            aVhq2LYzscnYezNcdernR4uojtiFny8qcmdF3tFacr+mkgfgIQr0W9yWFhDH15gm
+            =4TwU
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T20:38:09Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdAruPXj9IsllEN7R5jk4gF7bW0ZirhvX7qsu22/6HbSw8w
+            66RwN3WGjYO1CcVbHKuLqVVaUBCnrR/4XHN0JYUaqjubrSZBTWFKTBFsKSTT0LZq
+            0l4BKcsXrbGpYC5+yQvg0RHJ7LplxpKOmqMY8KGckvGnVf2xg7k6wuWQREFzqwt+
+            lOa3x+xFy9c0JwE8AafyKjb/cgqJiMb96lhsH57BpXJa2E39ImQbXqzDzdx2jEUt
+            =3rxi
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/modules/kill-user.nix b/modules/kill-user.nix
new file mode 100644
index 00000000..dd897b36
--- /dev/null
+++ b/modules/kill-user.nix
@@ -0,0 +1,13 @@
+{ lib, pkgs, config, ... }:
+{
+  options = {
+    systemd.kill-user.enable = lib.mkEnableOption "Systemd kill-user@ services";
+  };
+  
+  config.systemd.services."kill-user@" = lib.mkIf config.systemd.kill-user.enable {
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.systemd}/bin/loginctl kill-user %I";
+    };
+  };
+}
diff --git a/modules/knot.nix b/modules/knot.nix
new file mode 100644
index 00000000..a4691324
--- /dev/null
+++ b/modules/knot.nix
@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.knot;
+
+  configFile = pkgs.writeTextFile {
+    name = "knot.conf";
+    text = (concatMapStringsSep "\n" (file: "include: ${file}") cfg.keyFiles) + "\n" +
+           cfg.extraConfig;
+    checkPhase = lib.optionalString (cfg.keyFiles == []) ''
+      ${cfg.package}/bin/knotc --config=$out conf-check
+    '';
+  };
+
+  socketFile = "/run/knot/knot.sock";
+
+  knot-cli-wrappers = pkgs.stdenv.mkDerivation {
+    name = "knot-cli-wrappers";
+    buildInputs = [ pkgs.makeWrapper ];
+    buildCommand = ''
+      mkdir -p $out/bin
+      makeWrapper ${cfg.package}/bin/knotc "$out/bin/knotc" \
+        --add-flags "--config=${configFile}" \
+        --add-flags "--socket=${socketFile}"
+      makeWrapper ${cfg.package}/bin/keymgr "$out/bin/keymgr" \
+        --add-flags "--config=${configFile}"
+      for executable in kdig khost kjournalprint knsec3hash knsupdate kzonecheck
+      do
+        ln -s "${cfg.package}/bin/$executable" "$out/bin/$executable"
+      done
+      mkdir -p "$out/share"
+      ln -s '${cfg.package}/share/man' "$out/share/"
+    '';
+  };
+in {
+  disabledModules = [ "services/networking/knot.nix" ];
+
+  options = {
+    services.knot = {
+      enable = mkEnableOption "Knot authoritative-only DNS server";
+
+      extraArgs = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = ''
+          List of additional command line paramters for knotd
+        '';
+      };
+
+      keyFiles = mkOption {
+        type = types.listOf types.path;
+        default = [];
+        description = ''
+          A list of files containing additional configuration
+          to be included using the include directive. This option
+          allows to include configuration like TSIG keys without
+          exposing them to the nix store readable to any process.
+          Note that using this option will also disable configuration
+          checks at build time.
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+        description = ''
+          Extra lines to be added verbatim to knot.conf
+        '';
+      };
+
+      package = mkOption {
+        type = types.package;
+        default = pkgs.knot-dns;
+        defaultText = "pkgs.knot-dns";
+        description = ''
+          Which Knot DNS package to use
+        '';
+      };
+
+      cliWrappers = mkOption {
+        readOnly = true;
+        type = types.package;
+        default = knot-cli-wrappers;
+        defaultText = "knot-cli-wrappers";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users.knot = {
+      isSystemUser = true;
+      group = "knot";
+      description = "Knot daemon user";
+    };
+
+    users.groups.knot.gid = null;
+    systemd.services.knot = {
+      unitConfig.Documentation = "man:knotd(8) man:knot.conf(5) man:knotc(8) https://www.knot-dns.cz/docs/${cfg.package.version}/html/";
+      description = cfg.package.meta.description;
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network.target" ];
+      after = ["network.target" ];
+
+      serviceConfig = {
+        Type = "notify";
+        ExecStart = "${cfg.package}/bin/knotd --config=${configFile} --socket=${socketFile} ${concatStringsSep " " cfg.extraArgs}";
+        ExecReload = "${cfg.cliWrappers}/bin/knotc reload";
+        CapabilityBoundingSet = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
+        AmbientCapabilities = "CAP_NET_BIND_SERVICE CAP_SETPCAP";
+        NoNewPrivileges = true;
+        User = "knot";
+        RuntimeDirectory = "knot";
+        StateDirectory = "knot";
+        StateDirectoryMode = "0700";
+        PrivateDevices = true;
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+        SystemCallArchitectures = "native";
+        Restart = "on-abort";
+      };
+    };
+
+    environment.systemPackages = [ cfg.cliWrappers ];
+  };
+}
diff --git a/modules/luksroot.nix b/modules/luksroot.nix
new file mode 100644
index 00000000..abaee692
--- /dev/null
+++ b/modules/luksroot.nix
@@ -0,0 +1,1075 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  luks = config.boot.initrd.luks;
+  kernelPackages = config.boot.kernelPackages;
+
+  commonFunctions = ''
+    die() {
+        echo "$@" >&2
+        exit 1
+    }
+
+    dev_exist() {
+        local target="$1"
+        if [ -e $target ]; then
+            return 0
+        else
+            local uuid=$(echo -n $target | sed -e 's,UUID=\(.*\),\1,g')
+            blkid --uuid $uuid >/dev/null
+            return $?
+        fi
+    }
+
+    wait_target() {
+        local name="$1"
+        local target="$2"
+        local secs="''${3:-10}"
+        local desc="''${4:-$name $target to appear}"
+
+        if ! dev_exist $target; then
+            echo -n "Waiting $secs seconds for $desc..."
+            local success=false;
+            for try in $(seq $secs); do
+                echo -n "."
+                sleep 1
+                if dev_exist $target; then
+                    success=true
+                    break
+                fi
+            done
+            if [ $success == true ]; then
+                echo " - success";
+                return 0
+            else
+                echo " - failure";
+                return 1
+            fi
+        fi
+        return 0
+    }
+
+    wait_yubikey() {
+        local secs="''${1:-10}"
+
+        ykinfo -v 1>/dev/null 2>&1
+        if [ $? != 0 ]; then
+            echo -n "Waiting $secs seconds for YubiKey to appear..."
+            local success=false
+            for try in $(seq $secs); do
+                echo -n .
+                sleep 1
+                ykinfo -v 1>/dev/null 2>&1
+                if [ $? == 0 ]; then
+                    success=true
+                    break
+                fi
+            done
+            if [ $success == true ]; then
+                echo " - success";
+                return 0
+            else
+                echo " - failure";
+                return 1
+            fi
+        fi
+        return 0
+    }
+
+    wait_gpgcard() {
+        local secs="''${1:-10}"
+
+        gpg --card-status > /dev/null 2> /dev/null
+        if [ $? != 0 ]; then
+            echo -n "Waiting $secs seconds for GPG Card to appear"
+            local success=false
+            for try in $(seq $secs); do
+                echo -n .
+                sleep 1
+                gpg --card-status > /dev/null 2> /dev/null
+                if [ $? == 0 ]; then
+                    success=true
+                    break
+                fi
+            done
+            if [ $success == true ]; then
+                echo " - success";
+                return 0
+            else
+                echo " - failure";
+                return 1
+            fi
+        fi
+        return 0
+    }
+  '';
+
+  preCommands = ''
+    # A place to store crypto things
+
+    # A ramfs is used here to ensure that the file used to update
+    # the key slot with cryptsetup will never get swapped out.
+    # Warning: Do NOT replace with tmpfs!
+    mkdir -p /crypt-ramfs
+    mount -t ramfs none /crypt-ramfs
+
+    # Cryptsetup locking directory
+    mkdir -p /run/cryptsetup
+
+    # For YubiKey salt storage
+    mkdir -p /crypt-storage
+
+    ${optionalString luks.gpgSupport ''
+    export GPG_TTY=$(tty)
+    export GNUPGHOME=/crypt-ramfs/.gnupg
+
+    gpg-agent --daemon --scdaemon-program $out/bin/scdaemon > /dev/null 2> /dev/null
+    ''}
+
+    # Disable all input echo for the whole stage. We could use read -s
+    # instead but that would ocasionally leak characters between read
+    # invocations.
+    stty -echo
+  '';
+
+  postCommands = ''
+    stty echo
+    umount /crypt-storage 2>/dev/null
+    umount /crypt-ramfs 2>/dev/null
+  '';
+
+  openCommand = name': { name, device, header, keyFile, keyFileSize, keyFileOffset, allowDiscards, yubikey, gpgCard, fido2, clevis, dmi, fallbackToPassword, preOpenCommands, postOpenCommands, ... }: assert name' == name;
+  let
+    csopen   = "cryptsetup luksOpen ${device} ${name} ${optionalString allowDiscards "--allow-discards"} ${optionalString (header != null) "--header=${header}"}";
+    cschange = "cryptsetup luksChangeKey ${device} ${optionalString (header != null) "--header=${header}"}";
+  in ''
+    # Wait for luksRoot (and optionally keyFile and/or header) to appear, e.g.
+    # if on a USB drive.
+    wait_target "device" ${device} || die "${device} is unavailable"
+
+    ${optionalString (header != null) ''
+      wait_target "header" ${header} || die "${header} is unavailable"
+    ''}
+
+    do_open_passphrase() {
+        local passphrase
+
+        while true; do
+            echo -n "Passphrase for ${device}: "
+            passphrase=
+            while true; do
+                if [ -e /crypt-ramfs/passphrase ]; then
+                    echo "reused"
+                    passphrase=$(cat /crypt-ramfs/passphrase)
+                    break
+                else
+                    # ask cryptsetup-askpass
+                    echo -n "${device}" > /crypt-ramfs/device
+
+                    # and try reading it from /dev/console with a timeout
+                    IFS= read -t 1 -r passphrase
+                    if [ -n "$passphrase" ]; then
+                       ${if luks.reusePassphrases then ''
+                         # remember it for the next device
+                         echo -n "$passphrase" > /crypt-ramfs/passphrase
+                       '' else ''
+                         # Don't save it to ramfs. We are very paranoid
+                       ''}
+                       echo
+                       break
+                    fi
+                fi
+            done
+            echo -n "Verifying passphrase for ${device}..."
+            echo -n "$passphrase" | ${csopen} --key-file=-
+            if [ $? == 0 ]; then
+                echo " - success"
+                ${if luks.reusePassphrases then ''
+                  # we don't rm here because we might reuse it for the next device
+                '' else ''
+                  rm -f /crypt-ramfs/passphrase
+                ''}
+                break
+            else
+                echo " - failure"
+                # ask for a different one
+                rm -f /crypt-ramfs/passphrase
+            fi
+        done
+    }
+
+    # LUKS
+    open_normally() {
+        ${if (keyFile != null) then ''
+        if wait_target "key file" ${keyFile}; then
+            ${csopen} --key-file=${keyFile} \
+              ${optionalString (keyFileSize != null) "--keyfile-size=${toString keyFileSize}"} \
+              ${optionalString (keyFileOffset != null) "--keyfile-offset=${toString keyFileOffset}"}
+        else
+            ${if fallbackToPassword then "echo" else "die"} "${keyFile} is unavailable"
+            echo " - failing back to interactive password prompt"
+            do_open_passphrase
+        fi
+        '' else ''
+        do_open_passphrase
+        ''}
+    }
+
+    ${optionalString (luks.yubikeySupport && (yubikey != null)) ''
+    # YubiKey
+    rbtohex() {
+        ( od -An -vtx1 | tr -d ' \n' )
+    }
+
+    hextorb() {
+        ( tr '[:lower:]' '[:upper:]' | sed -e 's/\([0-9A-F]\{2\}\)/\\\\\\x\1/gI' | xargs printf )
+    }
+
+    do_open_yubikey() {
+        # Make all of these local to this function
+        # to prevent their values being leaked
+        local salt
+        local iterations
+        local k_user
+        local challenge
+        local response
+        local k_luks
+        local opened
+        local new_salt
+        local new_iterations
+        local new_challenge
+        local new_response
+        local new_k_luks
+
+        mount -t ${yubikey.storage.fsType} ${yubikey.storage.device} /crypt-storage || \
+          die "Failed to mount YubiKey salt storage device"
+
+        salt="$(cat /crypt-storage${yubikey.storage.path} | sed -n 1p | tr -d '\n')"
+        iterations="$(cat /crypt-storage${yubikey.storage.path} | sed -n 2p | tr -d '\n')"
+        challenge="$(echo -n $salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
+        response="$(ykchalresp -${toString yubikey.slot} -x $challenge 2>/dev/null)"
+
+        for try in $(seq 3); do
+            ${optionalString yubikey.twoFactor ''
+            echo -n "Enter two-factor passphrase: "
+            k_user=
+            while true; do
+                if [ -e /crypt-ramfs/passphrase ]; then
+                    echo "reused"
+                    k_user=$(cat /crypt-ramfs/passphrase)
+                    break
+                else
+                    # Try reading it from /dev/console with a timeout
+                    IFS= read -t 1 -r k_user
+                    if [ -n "$k_user" ]; then
+                       ${if luks.reusePassphrases then ''
+                         # Remember it for the next device
+                         echo -n "$k_user" > /crypt-ramfs/passphrase
+                       '' else ''
+                         # Don't save it to ramfs. We are very paranoid
+                       ''}
+                       echo
+                       break
+                    fi
+                fi
+            done
+            ''}
+
+            if [ ! -z "$k_user" ]; then
+                k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString yubikey.keyLength} $iterations $response | rbtohex)"
+            else
+                k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $iterations $response | rbtohex)"
+            fi
+
+            echo -n "$k_luks" | hextorb | ${csopen} --key-file=-
+
+            if [ $? == 0 ]; then
+                opened=true
+                ${if luks.reusePassphrases then ''
+                  # We don't rm here because we might reuse it for the next device
+                '' else ''
+                  rm -f /crypt-ramfs/passphrase
+                ''}
+                break
+            else
+                opened=false
+                echo "Authentication failed!"
+            fi
+        done
+
+        [ "$opened" == false ] && die "Maximum authentication errors reached"
+
+        echo -n "Gathering entropy for new salt (please enter random keys to generate entropy if this blocks for long)..."
+        for i in $(seq ${toString yubikey.saltLength}); do
+            byte="$(dd if=/dev/random bs=1 count=1 2>/dev/null | rbtohex)";
+            new_salt="$new_salt$byte";
+            echo -n .
+        done;
+        echo "ok"
+
+        new_iterations="$iterations"
+        ${optionalString (yubikey.iterationStep > 0) ''
+        new_iterations="$(($new_iterations + ${toString yubikey.iterationStep}))"
+        ''}
+
+        new_challenge="$(echo -n $new_salt | openssl-wrap dgst -binary -sha512 | rbtohex)"
+
+        new_response="$(ykchalresp -${toString yubikey.slot} -x $new_challenge 2>/dev/null)"
+
+        if [ ! -z "$k_user" ]; then
+            new_k_luks="$(echo -n $k_user | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)"
+        else
+            new_k_luks="$(echo | pbkdf2-sha512 ${toString yubikey.keyLength} $new_iterations $new_response | rbtohex)"
+        fi
+
+        echo -n "$new_k_luks" | hextorb > /crypt-ramfs/new_key
+        echo -n "$k_luks" | hextorb | ${cschange} --key-file=- /crypt-ramfs/new_key
+
+        if [ $? == 0 ]; then
+            echo -ne "$new_salt\n$new_iterations" > /crypt-storage${yubikey.storage.path}
+        else
+            echo "Warning: Could not update LUKS key, current challenge persists!"
+        fi
+
+        rm -f /crypt-ramfs/new_key
+        umount /crypt-storage
+    }
+
+    open_with_hardware() {
+        if wait_yubikey ${toString yubikey.gracePeriod}; then
+            do_open_yubikey
+        else
+            echo "No YubiKey found, falling back to non-YubiKey open procedure"
+            open_normally
+        fi
+    }
+    ''}
+
+    ${optionalString (luks.gpgSupport && (gpgCard != null)) ''
+
+    do_open_gpg_card() {
+        # Make all of these local to this function
+        # to prevent their values being leaked
+        local pin
+        local opened
+
+        gpg --import /gpg-keys/${device}/pubkey.asc > /dev/null 2> /dev/null
+
+        gpg --card-status > /dev/null 2> /dev/null
+
+        for try in $(seq 3); do
+            echo -n "PIN for GPG Card associated with device ${device}: "
+            pin=
+            while true; do
+                if [ -e /crypt-ramfs/passphrase ]; then
+                    echo "reused"
+                    pin=$(cat /crypt-ramfs/passphrase)
+                    break
+                else
+                    # and try reading it from /dev/console with a timeout
+                    IFS= read -t 1 -r pin
+                    if [ -n "$pin" ]; then
+                       ${if luks.reusePassphrases then ''
+                         # remember it for the next device
+                         echo -n "$pin" > /crypt-ramfs/passphrase
+                       '' else ''
+                         # Don't save it to ramfs. We are very paranoid
+                       ''}
+                       echo
+                       break
+                    fi
+                fi
+            done
+            echo -n "Verifying passphrase for ${device}..."
+            echo -n "$pin" | gpg -q --batch --passphrase-fd 0 --pinentry-mode loopback -d /gpg-keys/${device}/cryptkey.gpg 2> /dev/null | ${csopen} --key-file=- > /dev/null 2> /dev/null
+            if [ $? == 0 ]; then
+                echo " - success"
+                ${if luks.reusePassphrases then ''
+                  # we don't rm here because we might reuse it for the next device
+                '' else ''
+                  rm -f /crypt-ramfs/passphrase
+                ''}
+                break
+            else
+                echo " - failure"
+                # ask for a different one
+                rm -f /crypt-ramfs/passphrase
+            fi
+        done
+
+        [ "$opened" == false ] && die "Maximum authentication errors reached"
+    }
+
+    open_with_hardware() {
+        if wait_gpgcard ${toString gpgCard.gracePeriod}; then
+            do_open_gpg_card
+        else
+            echo "No GPG Card found, falling back to normal open procedure"
+            open_normally
+        fi
+    }
+    ''}
+
+    ${optionalString (luks.fido2Support && (fido2.credential != null)) ''
+
+    open_with_hardware() {
+      local passsphrase
+
+        ${if fido2.passwordLess then ''
+          export passphrase=""
+        '' else ''
+          read -rsp "FIDO2 salt for ${device}: " passphrase
+          echo
+        ''}
+        ${optionalString (lib.versionOlder kernelPackages.kernel.version "5.4") ''
+          echo "On systems with Linux Kernel < 5.4, it might take a while to initialize the CRNG, you might want to use linuxPackages_latest."
+          echo "Please move your mouse to create needed randomness."
+        ''}
+          echo "Waiting for your FIDO2 device..."
+          fido2luks open ${device} ${name} ${fido2.credential} --await-dev ${toString fido2.gracePeriod} --salt string:$passphrase
+        if [ $? -ne 0 ]; then
+          echo "No FIDO2 key found, falling back to normal open procedure"
+          open_normally
+        fi
+    }
+    ''}
+
+    ${optionalString (luks.clevisSupport && clevis) ''
+
+    open_with_hardware() {
+      mkdir -p /crypt-ramfs/clevis
+
+      TMPDIR=/crypt-ramfs/clevis clevis luks unlock -d ${device} -n ${name}
+
+      if [ $? -ne 0 ]; then
+        echo "Unlocking with clevis failed, falling back to normal open procedure"
+        open_normally
+      fi
+    }
+
+    ''}
+
+    ${optionalString (luks.dmiSupport && dmi) ''
+
+    open_with_hardware() {
+      dmidecode -s system-uuid > /crypt-ramfs/passphrase
+
+      ${csopen} --key-file=- < /crypt-ramfs/passphrase > /dev/null 2> /dev/null
+
+      if [ $? -ne 0 ]; then
+        echo "Unlocking with system-uuid failed, falling back to normal open procedure"
+        rm -f /crypt-ramfs/passphrase
+        open_normally
+      ${optionalString (!luks.reusePassphrases) ''
+        else
+          rm -f /crypt-ramfs/passphrase
+      ''}
+      fi
+    }
+
+    ''}
+
+    # commands to run right before we mount our device
+    ${preOpenCommands}
+
+    ${if (luks.yubikeySupport && (yubikey != null)) || (luks.gpgSupport && (gpgCard != null)) || (luks.fido2Support && (fido2.credential != null)) || (luks.clevisSupport && clevis) || (luks.dmiSupport && dmi) then ''
+    open_with_hardware
+    '' else ''
+    open_normally
+    ''}
+
+    # commands to run right after we mounted our device
+    ${postOpenCommands}
+  '';
+
+  askPass = pkgs.writeScriptBin "cryptsetup-askpass" ''
+    #!/bin/sh
+
+    ${commonFunctions}
+
+    while true; do
+        wait_target "luks" /crypt-ramfs/device 10 "LUKS to request a passphrase" || die "Passphrase is not requested now"
+        device=$(cat /crypt-ramfs/device)
+
+        echo -n "Passphrase for $device: "
+        IFS= read -rs passphrase
+        echo
+
+        rm /crypt-ramfs/device
+        echo -n "$passphrase" > /crypt-ramfs/passphrase
+    done
+  '';
+
+  preLVM = filterAttrs (n: v: v.preLVM) luks.devices;
+  postLVM = filterAttrs (n: v: !v.preLVM) luks.devices;
+
+in
+{
+  disabledModules = [ "system/boot/luksroot.nix" ];
+  
+  imports = [
+    (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ] "")
+  ];
+
+  options = {
+
+    boot.initrd.luks.mitigateDMAAttacks = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Unless enabled, encryption keys can be easily recovered by an attacker with physical
+        access to any machine with PCMCIA, ExpressCard, ThunderBolt or FireWire port.
+        More information is available at <link xlink:href="http://en.wikipedia.org/wiki/DMA_attack"/>.
+
+        This option blacklists FireWire drivers, but doesn't remove them. You can manually
+        load the drivers if you need to use a FireWire device, but don't forget to unload them!
+      '';
+    };
+
+    boot.initrd.luks.cryptoModules = mkOption {
+      type = types.listOf types.str;
+      default =
+        [ "aes" "aes_generic" "blowfish" "twofish"
+          "serpent" "cbc" "xts" "lrw" "sha1" "sha256" "sha512"
+          "af_alg" "algif_skcipher"
+        ];
+      description = ''
+        A list of cryptographic kernel modules needed to decrypt the root device(s).
+        The default includes all common modules.
+      '';
+    };
+
+    boot.initrd.luks.forceLuksSupportInInitrd = mkOption {
+      type = types.bool;
+      default = false;
+      internal = true;
+      description = ''
+        Whether to configure luks support in the initrd, when no luks
+        devices are configured.
+      '';
+    };
+
+    boot.initrd.luks.reusePassphrases = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        When opening a new LUKS device try reusing last successful
+        passphrase.
+
+        Useful for mounting a number of devices that use the same
+        passphrase without retyping it several times.
+
+        Such setup can be useful if you use <command>cryptsetup
+        luksSuspend</command>. Different LUKS devices will still have
+        different master keys even when using the same passphrase.
+      '';
+    };
+
+    boot.initrd.luks.devices = mkOption {
+      default = { };
+      example = { luksroot.device = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08"; };
+      description = ''
+        The encrypted disk that should be opened before the root
+        filesystem is mounted. Both LVM-over-LUKS and LUKS-over-LVM
+        setups are supported. The unencrypted devices can be accessed as
+        <filename>/dev/mapper/<replaceable>name</replaceable></filename>.
+      '';
+
+      type = with types; attrsOf (submodule (
+        { name, ... }: { options = {
+
+          name = mkOption {
+            visible = false;
+            default = name;
+            example = "luksroot";
+            type = types.str;
+            description = "Name of the unencrypted device in <filename>/dev/mapper</filename>.";
+          };
+
+          device = mkOption {
+            example = "/dev/disk/by-uuid/430e9eff-d852-4f68-aa3b-2fa3599ebe08";
+            type = types.str;
+            description = "Path of the underlying encrypted block device.";
+          };
+
+          header = mkOption {
+            default = null;
+            example = "/root/header.img";
+            type = types.nullOr types.str;
+            description = ''
+              The name of the file or block device that
+              should be used as header for the encrypted device.
+            '';
+          };
+
+          keyFile = mkOption {
+            default = null;
+            example = "/dev/sdb1";
+            type = types.nullOr types.str;
+            description = ''
+              The name of the file (can be a raw device or a partition) that
+              should be used as the decryption key for the encrypted device. If
+              not specified, you will be prompted for a passphrase instead.
+            '';
+          };
+
+          keyFileSize = mkOption {
+            default = null;
+            example = 4096;
+            type = types.nullOr types.int;
+            description = ''
+              The size of the key file. Use this if only the beginning of the
+              key file should be used as a key (often the case if a raw device
+              or partition is used as key file). If not specified, the whole
+              <literal>keyFile</literal> will be used decryption, instead of just
+              the first <literal>keyFileSize</literal> bytes.
+            '';
+          };
+
+          keyFileOffset = mkOption {
+            default = null;
+            example = 4096;
+            type = types.nullOr types.int;
+            description = ''
+              The offset of the key file. Use this in combination with
+              <literal>keyFileSize</literal> to use part of a file as key file
+              (often the case if a raw device or partition is used as a key file).
+              If not specified, the key begins at the first byte of
+              <literal>keyFile</literal>.
+            '';
+          };
+
+          # FIXME: get rid of this option.
+          preLVM = mkOption {
+            default = true;
+            type = types.bool;
+            description = "Whether the luksOpen will be attempted before LVM scan or after it.";
+          };
+
+          allowDiscards = mkOption {
+            default = false;
+            type = types.bool;
+            description = ''
+              Whether to allow TRIM requests to the underlying device. This option
+              has security implications; please read the LUKS documentation before
+              activating it.
+            '';
+          };
+
+          fallbackToPassword = mkOption {
+            default = false;
+            type = types.bool;
+            description = ''
+              Whether to fallback to interactive passphrase prompt if the keyfile
+              cannot be found. This will prevent unattended boot should the keyfile
+              go missing.
+            '';
+          };
+
+          gpgCard = mkOption {
+            default = null;
+            description = ''
+              The option to use this LUKS device with a GPG encrypted luks password by the GPG Smartcard.
+              If null (the default), GPG-Smartcard will be disabled for this device.
+            '';
+
+            type = with types; nullOr (submodule {
+              options = {
+                gracePeriod = mkOption {
+                  default = 10;
+                  type = types.int;
+                  description = "Time in seconds to wait for the GPG Smartcard.";
+                };
+
+                encryptedPass = mkOption {
+                  default = "";
+                  type = types.path;
+                  description = "Path to the GPG encrypted passphrase.";
+                };
+
+                publicKey = mkOption {
+                  default = "";
+                  type = types.path;
+                  description = "Path to the Public Key.";
+                };
+              };
+            });
+          };
+
+          fido2 = {
+            credential = mkOption {
+              default = null;
+              example = "f1d00200d8dc783f7fb1e10ace8da27f8312d72692abfca2f7e4960a73f48e82e1f7571f6ebfcee9fb434f9886ccc8fcc52a6614d8d2";
+              type = types.nullOr types.str;
+              description = "The FIDO2 credential ID.";
+            };
+
+            gracePeriod = mkOption {
+              default = 10;
+              type = types.int;
+              description = "Time in seconds to wait for the FIDO2 key.";
+            };
+
+            passwordLess = mkOption {
+              default = false;
+              type = types.bool;
+              description = ''
+                Defines whatever to use an empty string as a default salt.
+
+                Enable only when your device is PIN protected, such as <link xlink:href="https://trezor.io/">Trezor</link>.
+              '';
+            };
+          };
+
+          yubikey = mkOption {
+            default = null;
+            description = ''
+              The options to use for this LUKS device in YubiKey-PBA.
+              If null (the default), YubiKey-PBA will be disabled for this device.
+            '';
+
+            type = with types; nullOr (submodule {
+              options = {
+                twoFactor = mkOption {
+                  default = true;
+                  type = types.bool;
+                  description = "Whether to use a passphrase and a YubiKey (true), or only a YubiKey (false).";
+                };
+
+                slot = mkOption {
+                  default = 2;
+                  type = types.int;
+                  description = "Which slot on the YubiKey to challenge.";
+                };
+
+                saltLength = mkOption {
+                  default = 16;
+                  type = types.int;
+                  description = "Length of the new salt in byte (64 is the effective maximum).";
+                };
+
+                keyLength = mkOption {
+                  default = 64;
+                  type = types.int;
+                  description = "Length of the LUKS slot key derived with PBKDF2 in byte.";
+                };
+
+                iterationStep = mkOption {
+                  default = 0;
+                  type = types.int;
+                  description = "How much the iteration count for PBKDF2 is increased at each successful authentication.";
+                };
+
+                gracePeriod = mkOption {
+                  default = 10;
+                  type = types.int;
+                  description = "Time in seconds to wait for the YubiKey.";
+                };
+
+                /* TODO: Add to the documentation of the current module:
+
+                   Options related to the storing the salt.
+                */
+                storage = {
+                  device = mkOption {
+                    default = "/dev/sda1";
+                    type = types.path;
+                    description = ''
+                      An unencrypted device that will temporarily be mounted in stage-1.
+                      Must contain the current salt to create the challenge for this LUKS device.
+                    '';
+                  };
+
+                  fsType = mkOption {
+                    default = "vfat";
+                    type = types.str;
+                    description = "The filesystem of the unencrypted device.";
+                  };
+
+                  path = mkOption {
+                    default = "/crypt-storage/default";
+                    type = types.str;
+                    description = ''
+                      Absolute path of the salt on the unencrypted device with
+                      that device's root directory as "/".
+                    '';
+                  };
+                };
+              };
+            });
+          };
+
+          clevis = mkOption {
+            type = types.bool;
+            default = false;
+            description = ''
+              Unlock device via clevis (e.g. with a tpm)
+            '';
+          };
+
+          dmi = mkOption {
+            type = types.bool;
+            default = false;
+            description = ''
+              Unlock device via system-uuid (via dmidecode)
+            '';
+          };
+
+          preOpenCommands = mkOption {
+            type = types.lines;
+            default = "";
+            example = ''
+              mkdir -p /tmp/persistent
+              mount -t zfs rpool/safe/persistent /tmp/persistent
+            '';
+            description = ''
+              Commands that should be run right before we try to mount our LUKS device.
+              This can be useful, if the keys needed to open the drive is on another partion.
+            '';
+          };
+
+          postOpenCommands = mkOption {
+            type = types.lines;
+            default = "";
+            example = ''
+              umount /tmp/persistent
+            '';
+            description = ''
+              Commands that should be run right after we have mounted our LUKS device.
+            '';
+          };
+        };
+      }));
+    };
+
+    boot.initrd.luks.gpgSupport = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Enables support for authenticating with a GPG encrypted password.
+      '';
+    };
+
+    boot.initrd.luks.yubikeySupport = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+            Enables support for authenticating with a YubiKey on LUKS devices.
+            See the NixOS wiki for information on how to properly setup a LUKS device
+            and a YubiKey to work with this feature.
+          '';
+    };
+
+    boot.initrd.luks.fido2Support = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Enables support for authenticating with FIDO2 devices.
+      '';
+    };
+
+    boot.initrd.luks.clevisSupport = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Enables support for unlocking luks volumes via clevis (e.g. with a tpm)
+      '';
+    };
+    
+    boot.initrd.luks.dmiSupport = mkOption {
+      default = false;
+      type = types.bool;
+      description = ''
+        Enables support for unlocking luks volumes via system-uuid (via dmidecode)
+      '';
+    };
+
+  };
+
+  config = mkIf (luks.devices != {} || luks.forceLuksSupportInInitrd) {
+
+    assertions =
+      [ { assertion = !(luks.gpgSupport && luks.yubikeySupport);
+          message = "YubiKey and GPG Card may not be used at the same time.";
+        }
+
+        { assertion = !(luks.gpgSupport && luks.fido2Support);
+          message = "FIDO2 and GPG Card may not be used at the same time.";
+        }
+
+        { assertion = !(luks.gpgSupport && luks.clevisSupport);
+          message = "Clevis and GPG Card may not be used at the same time.";
+        }
+        
+        { assertion = !(luks.gpgSupport && luks.dmiSupport);
+          message = "DMI and GPG Card may not be used at the same time.";
+        }
+
+        { assertion = !(luks.fido2Support && luks.yubikeySupport);
+          message = "FIDO2 and YubiKey may not be used at the same time.";
+        }
+
+        { assertion = !(luks.fido2Support && luks.clevisSupport);
+          message = "FIDO2 and Clevis may not be used at the same time.";
+        }
+
+        { assertion = !(luks.fido2Support && luks.dmiSupport);
+          message = "FIDO2 and DMI may not be used at the same time.";
+        }
+
+        { assertion = !(luks.yubikeySupport && luks.clevisSupport);
+          message = "Clevis and YubiKey may not be used at the same time.";
+        }
+
+        { assertion = !(luks.yubikeySupport && luks.dmiSupport);
+          message = "DMI and YubiKey may not be used at the same time.";
+        }
+
+      ];
+
+    # actually, sbp2 driver is the one enabling the DMA attack, but this needs to be tested
+    boot.blacklistedKernelModules = optionals luks.mitigateDMAAttacks
+      ["firewire_ohci" "firewire_core" "firewire_sbp2"];
+
+    # Some modules that may be needed for mounting anything ciphered
+    boot.initrd.availableKernelModules = [ "dm_mod" "dm_crypt" "cryptd" "input_leds" ]
+      ++ luks.cryptoModules
+      # workaround until https://marc.info/?l=linux-crypto-vger&m=148783562211457&w=4 is merged
+      # remove once 'modprobe --show-depends xts' shows ecb as a dependency
+      ++ (if builtins.elem "xts" luks.cryptoModules then ["ecb"] else []);
+
+    # copy the cryptsetup binary and it's dependencies
+    boot.initrd.extraUtilsCommands =
+      let
+        extraUtils = config.system.build.extraUtils;
+
+        ipkgs = pkgs.appendOverlays [
+          (final: prev: {
+            tpm2-tss = prev.tpm2-tss.overrideAttrs (oldAttrs: {
+              doCheck = false;
+              patches = [];
+              postPatch = ''
+                patchShebangs script
+              '';
+              configureFlags = [];
+            });
+          })
+        ];
+      in ''
+           copy_bin_and_libs ${pkgs.cryptsetup}/bin/cryptsetup
+           copy_bin_and_libs ${askPass}/bin/cryptsetup-askpass
+           sed -i s,/bin/sh,$out/bin/sh, $out/bin/cryptsetup-askpass
+
+           ${optionalString luks.yubikeySupport ''
+             copy_bin_and_libs ${pkgs.yubikey-personalization}/bin/ykchalresp
+             copy_bin_and_libs ${pkgs.yubikey-personalization}/bin/ykinfo
+             copy_bin_and_libs ${pkgs.openssl.bin}/bin/openssl
+
+             cc -O3 -I${pkgs.openssl.dev}/include -L${pkgs.openssl.out}/lib ${./pbkdf2-sha512.c} -o pbkdf2-sha512 -lcrypto
+             strip -s pbkdf2-sha512
+             copy_bin_and_libs pbkdf2-sha512
+
+             mkdir -p $out/etc/ssl
+             cp -pdv ${pkgs.openssl.out}/etc/ssl/openssl.cnf $out/etc/ssl
+
+             cat > $out/bin/openssl-wrap <<EOF
+             #!$out/bin/sh
+             export OPENSSL_CONF=$out/etc/ssl/openssl.cnf
+             $out/bin/openssl "\$@"
+             EOF
+             chmod +x $out/bin/openssl-wrap
+           ''}
+
+           ${optionalString luks.fido2Support ''
+             copy_bin_and_libs ${pkgs.fido2luks}/bin/fido2luks
+           ''}
+
+
+           ${optionalString luks.gpgSupport ''
+             copy_bin_and_libs ${pkgs.gnupg}/bin/gpg
+             copy_bin_and_libs ${pkgs.gnupg}/bin/gpg-agent
+             copy_bin_and_libs ${pkgs.gnupg}/libexec/scdaemon
+
+             ${concatMapStringsSep "\n" (x:
+               if x.gpgCard != null then
+                 ''
+                   mkdir -p $out/secrets/gpg-keys/${x.device}
+                   cp -a ${x.gpgCard.encryptedPass} $out/secrets/gpg-keys/${x.device}/cryptkey.gpg
+                   cp -a ${x.gpgCard.publicKey} $out/secrets/gpg-keys/${x.device}/pubkey.asc
+                 ''
+               else ""
+               ) (attrValues luks.devices)
+             }
+           ''}
+
+           ${optionalString luks.clevisSupport ''
+             for bin in ${ipkgs.tpm2-tools}/bin/* ${ipkgs.jose}/bin/* ${ipkgs.libpwquality}/bin/*; do
+               if [ -L $bin ]; then
+                 cp -v $bin $out/bin
+               else
+                 copy_bin_and_libs $bin
+               fi
+             done
+
+             copy_bin_and_libs ${ipkgs.bash}/bin/bash
+             for bin in ${ipkgs.clevis}/bin/* ${ipkgs.clevis}/bin/.*; do
+               [ -f $bin -o -L $bin ] || continue
+
+               substitute $bin $out/bin/$(basename $bin) \
+                 --replace ${ipkgs.bash}/bin $out/bin \
+                 --replace ${ipkgs.clevis}/bin $out/bin \
+                 --replace ${ipkgs.tpm2-tools}/bin $out/bin \
+                 --replace ${ipkgs.jose}/bin $out/bin \
+                 --replace ${ipkgs.libpwquality}/bin $out/bin \
+                 --replace ${ipkgs.coreutils}/bin $out/bin
+
+               [ -x $bin ] && chmod +x $out/bin/$(basename $bin)
+             done
+
+             for lib in ${ipkgs.tpm2-tss}/lib/*.so*; do
+               if [ -f $lib ]; then
+                 patchelf --output $out/lib/$(basename $lib) $lib \
+                   --set-rpath $out/lib
+               else
+                 cp -pdv $lib $out/lib
+               fi
+             done
+           ''}
+
+           ${optionalString luks.dmiSupport ''
+             copy_bin_and_libs ${pkgs.dmidecode}/bin/dmidecode
+           ''}
+    '';
+
+    boot.initrd.extraUtilsCommandsTest = ''
+      $out/bin/cryptsetup --version
+      ${optionalString luks.yubikeySupport ''
+        $out/bin/ykchalresp -V
+        $out/bin/ykinfo -V
+        $out/bin/openssl-wrap version
+      ''}
+      ${optionalString luks.gpgSupport ''
+        $out/bin/gpg --version
+        $out/bin/gpg-agent --version
+        $out/bin/scdaemon --version
+      ''}
+      ${optionalString luks.fido2Support ''
+        $out/bin/fido2luks --version
+      ''}
+      ${optionalString luks.clevisSupport ''
+        $out/bin/jose alg
+      ''}
+      ${optionalString luks.dmiSupport ''
+        $out/bin/dmidecode --version
+      ''}
+    '';
+
+    boot.initrd.preFailCommands = postCommands;
+    boot.initrd.preLVMCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand preLVM) + postCommands;
+    boot.initrd.postDeviceCommands = commonFunctions + preCommands + concatStrings (mapAttrsToList openCommand postLVM) + postCommands;
+
+    environment.systemPackages = [ pkgs.cryptsetup ];
+  };
+}
diff --git a/modules/networkd.nix b/modules/networkd.nix
new file mode 100644
index 00000000..d0a48f98
--- /dev/null
+++ b/modules/networkd.nix
@@ -0,0 +1,297 @@
+{ config, lib, utils, pkgs, ... }:
+
+with utils;
+with lib;
+
+let
+
+  cfg = config.networking;
+  interfaces = attrValues cfg.interfaces;
+
+  interfaceIps = i:
+    i.ipv4.addresses
+    ++ optionals cfg.enableIPv6 i.ipv6.addresses;
+
+  dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "yes" else "no";
+
+  slaves =
+    concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds))
+    ++ concatLists (map (bridge: bridge.interfaces) (attrValues cfg.bridges))
+    ++ map (sit: sit.dev) (attrValues cfg.sits)
+    ++ map (vlan: vlan.interface) (attrValues cfg.vlans)
+    # add dependency to physical or independently created vswitch member interface
+    # TODO: warn the user that any address configured on those interfaces will be useless
+    ++ concatMap (i: attrNames (filterAttrs (_: config: config.type != "internal") i.interfaces)) (attrValues cfg.vswitches);
+
+in
+
+{
+  disabledModules = [ "tasks/network-interfaces-systemd.nix" ];
+
+  config = mkIf cfg.useNetworkd {
+
+    assertions = [ {
+      assertion = cfg.defaultGatewayWindowSize == null;
+      message = "networking.defaultGatewayWindowSize is not supported by networkd.";
+    } {
+      assertion = cfg.vswitches == {};
+      message = "networking.vswitches are not supported by networkd.";
+    } {
+      assertion = cfg.defaultGateway == null || cfg.defaultGateway.interface == null;
+      message = "networking.defaultGateway.interface is not supported by networkd.";
+    } {
+      assertion = cfg.defaultGateway6 == null || cfg.defaultGateway6.interface == null;
+      message = "networking.defaultGateway6.interface is not supported by networkd.";
+    } {
+      assertion = cfg.useDHCP == false;
+      message = ''
+        networking.useDHCP is not supported by networkd.
+        Please use per interface configuration and set the global option to false.
+      '';
+    } ] ++ flip mapAttrsToList cfg.bridges (n: { rstp, ... }: {
+      assertion = !rstp;
+      message = "networking.bridges.${n}.rstp is not supported by networkd.";
+    });
+
+    networking.dhcpcd.enable = mkDefault false;
+
+    systemd.network =
+      let
+        domains = cfg.search ++ (optional (cfg.domain != null) cfg.domain);
+        genericNetwork = override:
+          let gateways = optional (cfg.defaultGateway != null && (cfg.defaultGateway.address or "") != "") cfg.defaultGateway.address
+            ++ optional (cfg.defaultGateway6 != null && (cfg.defaultGateway6.address or "") != "") cfg.defaultGateway6.address;
+          in optionalAttrs (gateways != [ ]) {
+            routes = override (map (gateway: {
+              routeConfig = {
+                Gateway = gateway;
+                GatewayOnLink = false;
+              };
+            }) gateways);
+          } // optionalAttrs (domains != [ ]) {
+            domains = override domains;
+          };
+      in mkMerge [ {
+        enable = true;
+      }
+      (mkMerge (forEach interfaces (i: {
+        netdevs = mkIf i.virtual ({
+          "40-${i.name}" = {
+            netdevConfig = {
+              Name = i.name;
+              Kind = i.virtualType;
+            };
+            "${i.virtualType}Config" = optionalAttrs (i.virtualOwner != null) {
+              User = i.virtualOwner;
+            };
+          };
+        });
+        networks."40-${i.name}" = mkMerge [ (genericNetwork mkDefault) {
+          name = mkDefault i.name;
+          DHCP = mkForce (dhcpStr
+            (if i.useDHCP != null then i.useDHCP else false));
+          address = forEach (interfaceIps i)
+            (ip: "${ip.address}/${toString ip.prefixLength}");
+          networkConfig.IPv6PrivacyExtensions = "kernel";
+          linkConfig = optionalAttrs (i.macAddress != null) {
+            MACAddress = i.macAddress;
+          } // optionalAttrs (i.mtu != null) {
+            MTUBytes = toString i.mtu;
+          };
+        }];
+      })))
+      (mkMerge (flip mapAttrsToList cfg.bridges (name: bridge: {
+        netdevs."40-${name}" = {
+          netdevConfig = {
+            Name = name;
+            Kind = "bridge";
+          };
+        };
+        networks = listToAttrs (forEach bridge.interfaces (bi:
+          nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
+            DHCP = mkOverride 0 (dhcpStr false);
+            networkConfig.Bridge = name;
+          } ])));
+      })))
+      (mkMerge (flip mapAttrsToList cfg.bonds (name: bond: {
+        netdevs."40-${name}" = {
+          netdevConfig = {
+            Name = name;
+            Kind = "bond";
+          };
+          bondConfig = let
+            # manual mapping as of 2017-02-03
+            # man 5 systemd.netdev [BOND]
+            # to https://www.kernel.org/doc/Documentation/networking/bonding.txt
+            # driver options.
+            driverOptionMapping = let
+              trans = f: optName: { valTransform = f; optNames = [optName]; };
+              simp  = trans id;
+              ms    = trans (v: v + "ms");
+              in {
+                Mode                       = simp "mode";
+                TransmitHashPolicy         = simp "xmit_hash_policy";
+                LACPTransmitRate           = simp "lacp_rate";
+                MIIMonitorSec              = ms "miimon";
+                UpDelaySec                 = ms "updelay";
+                DownDelaySec               = ms "downdelay";
+                LearnPacketIntervalSec     = simp "lp_interval";
+                AdSelect                   = simp "ad_select";
+                FailOverMACPolicy          = simp "fail_over_mac";
+                ARPValidate                = simp "arp_validate";
+                # apparently in ms for this value?! Upstream bug?
+                ARPIntervalSec             = simp "arp_interval";
+                ARPIPTargets               = simp "arp_ip_target";
+                ARPAllTargets              = simp "arp_all_targets";
+                PrimaryReselectPolicy      = simp "primary_reselect";
+                ResendIGMP                 = simp "resend_igmp";
+                PacketsPerSlave            = simp "packets_per_slave";
+                GratuitousARP = { valTransform = id;
+                                  optNames = [ "num_grat_arp" "num_unsol_na" ]; };
+                AllSlavesActive            = simp "all_slaves_active";
+                MinLinks                   = simp "min_links";
+              };
+
+            do = bond.driverOptions;
+            assertNoUnknownOption = let
+              knownOptions = flatten (mapAttrsToList (_: kOpts: kOpts.optNames)
+                                                     driverOptionMapping);
+              # options that apparently don’t exist in the networkd config
+              unknownOptions = [ "primary" ];
+              assertTrace = bool: msg: if bool then true else builtins.trace msg false;
+              in assert all (driverOpt: assertTrace
+                               (elem driverOpt (knownOptions ++ unknownOptions))
+                               "The bond.driverOption `${driverOpt}` cannot be mapped to the list of known networkd bond options. Please add it to the mapping above the assert or to `unknownOptions` should it not exist in networkd.")
+                            (mapAttrsToList (k: _: k) do); "";
+            # get those driverOptions that have been set
+            filterSystemdOptions = filterAttrs (sysDOpt: kOpts:
+                                     any (kOpt: do ? ${kOpt}) kOpts.optNames);
+            # build final set of systemd options to bond values
+            buildOptionSet = mapAttrs (_: kOpts: with kOpts;
+                               # we simply take the first set kernel bond option
+                               # (one option has multiple names, which is silly)
+                               head (map (optN: valTransform (do.${optN}))
+                                 # only map those that exist
+                                 (filter (o: do ? ${o}) optNames)));
+            in seq assertNoUnknownOption
+                   (buildOptionSet (filterSystemdOptions driverOptionMapping));
+
+        };
+
+        networks = listToAttrs (forEach bond.interfaces (bi:
+          nameValuePair "40-${bi}" (mkMerge [ (genericNetwork (mkOverride 999)) {
+            DHCP = mkOverride 0 (dhcpStr false);
+            networkConfig.Bond = name;
+          } ])));
+      })))
+      (mkMerge (flip mapAttrsToList cfg.macvlans (name: macvlan: {
+        netdevs."40-${name}" = {
+          netdevConfig = {
+            Name = name;
+            Kind = "macvlan";
+          };
+          macvlanConfig = optionalAttrs (macvlan.mode != null) { Mode = macvlan.mode; };
+        };
+        networks."40-${macvlan.interface}" = (mkMerge [ (genericNetwork (mkOverride 999)) {
+          macvlan = [ name ];
+        } ]);
+      })))
+      (mkMerge (flip mapAttrsToList cfg.sits (name: sit: {
+        netdevs."40-${name}" = {
+          netdevConfig = {
+            Name = name;
+            Kind = "sit";
+          };
+          tunnelConfig =
+            (optionalAttrs (sit.remote != null) {
+              Remote = sit.remote;
+            }) // (optionalAttrs (sit.local != null) {
+              Local = sit.local;
+            }) // (optionalAttrs (sit.ttl != null) {
+              TTL = sit.ttl;
+            });
+        };
+        networks = mkIf (sit.dev != null) {
+          "40-${sit.dev}" = (mkMerge [ (genericNetwork (mkOverride 999)) {
+            tunnel = [ name ];
+          } ]);
+        };
+      })))
+      (mkMerge (flip mapAttrsToList cfg.vlans (name: vlan: {
+        netdevs."40-${name}" = {
+          netdevConfig = {
+            Name = name;
+            Kind = "vlan";
+          };
+          vlanConfig.Id = vlan.id;
+        };
+        networks."40-${vlan.interface}" = (mkMerge [ (genericNetwork (mkOverride 999)) {
+          vlan = [ name ];
+        } ]);
+      })))
+    ];
+
+    # We need to prefill the slaved devices with networking options
+    # This forces the network interface creator to initialize slaves.
+    networking.interfaces = listToAttrs (map (i: nameValuePair i { }) slaves);
+
+    systemd.services = let
+      # We must escape interfaces due to the systemd interpretation
+      subsystemDevice = interface:
+        "sys-subsystem-net-devices-${escapeSystemdPath interface}.device";
+      # support for creating openvswitch switches
+      createVswitchDevice = n: v: nameValuePair "${n}-netdev"
+          (let
+            deps = map subsystemDevice (attrNames (filterAttrs (_: config: config.type != "internal") v.interfaces));
+            ofRules = pkgs.writeText "vswitch-${n}-openFlowRules" v.openFlowRules;
+          in
+          { description = "Open vSwitch Interface ${n}";
+            wantedBy = [ "network.target" (subsystemDevice n) ];
+            # and create bridge before systemd-networkd starts because it might create internal interfaces
+            before = [ "systemd-networkd.service" ];
+            # shutdown the bridge when network is shutdown
+            partOf = [ "network.target" ];
+            # requires ovs-vswitchd to be alive at all times
+            bindsTo = [ "ovs-vswitchd.service" ];
+            # start switch after physical interfaces and vswitch daemon
+            after = [ "network-pre.target" "ovs-vswitchd.service" ] ++ deps;
+            wants = deps; # if one or more interface fails, the switch should continue to run
+            serviceConfig.Type = "oneshot";
+            serviceConfig.RemainAfterExit = true;
+            path = [ pkgs.iproute2 config.virtualisation.vswitch.package ];
+            preStart = ''
+              echo "Resetting Open vSwitch ${n}..."
+              ovs-vsctl --if-exists del-br ${n} -- add-br ${n} \
+                        -- set bridge ${n} protocols=${concatStringsSep "," v.supportedOpenFlowVersions}
+            '';
+            script = ''
+              echo "Configuring Open vSwitch ${n}..."
+              ovs-vsctl ${concatStrings (mapAttrsToList (name: config: " -- add-port ${n} ${name}" + optionalString (config.vlan != null) " tag=${toString config.vlan}") v.interfaces)} \
+                ${concatStrings (mapAttrsToList (name: config: optionalString (config.type != null) " -- set interface ${name} type=${config.type}") v.interfaces)} \
+                ${concatMapStrings (x: " -- set-controller ${n} " + x)  v.controllers} \
+                ${concatMapStrings (x: " -- " + x) (splitString "\n" v.extraOvsctlCmds)}
+
+
+              echo "Adding OpenFlow rules for Open vSwitch ${n}..."
+              ovs-ofctl --protocols=${v.openFlowVersion} add-flows ${n} ${ofRules}
+            '';
+            postStop = ''
+              echo "Cleaning Open vSwitch ${n}"
+              echo "Shuting down internal ${n} interface"
+              ip link set ${n} down || true
+              echo "Deleting flows for ${n}"
+              ovs-ofctl --protocols=${v.openFlowVersion} del-flows ${n} || true
+              echo "Deleting Open vSwitch ${n}"
+              ovs-vsctl --if-exists del-br ${n} || true
+            '';
+          });
+    in mapAttrs' createVswitchDevice cfg.vswitches
+      // {
+            "network-local-commands" = {
+              after = [ "systemd-networkd.service" ];
+              bindsTo = [ "systemd-networkd.service" ];
+          };
+      };
+  };
+
+}
diff --git a/modules/tinc-networkmanager.nix b/modules/tinc-networkmanager.nix
new file mode 100644
index 00000000..ff03abd2
--- /dev/null
+++ b/modules/tinc-networkmanager.nix
@@ -0,0 +1,36 @@
+{ lib, config, pkgs, ... }:
+let
+  cfg = config.services.tinc;
+in {
+  options = {
+    services.tinc.networks = lib.mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options.nmDispatch = lib.mkOption {
+          type = lib.types.bool;
+          default = config.networking.networkmanager.enable;
+          description = ''
+            Install a network-manager dispatcher script to automatically
+            connect to all remotes when networking is available
+          '';
+        };
+      });
+    };
+  };
+
+  config = {
+    networking.networkmanager.dispatcherScripts = lib.concatLists (lib.flip lib.mapAttrsToList cfg.networks (network: data: lib.optional data.nmDispatch {
+      type = "basic";
+      source = pkgs.writeScript "connect-${network}.sh" ''
+        #!${pkgs.stdenv.shell}
+
+        shopt -s extglob
+
+        case "''${2}" in
+          (?(vpn-)up)
+            ${data.package}/bin/tinc -n ${network} --pidfile /run/tinc.${network}.pid --batch retry
+            ;;
+        esac
+      '';
+    }));
+  };
+}
diff --git a/modules/uucp.nix b/modules/uucp.nix
new file mode 100644
index 00000000..0334a3db
--- /dev/null
+++ b/modules/uucp.nix
@@ -0,0 +1,391 @@
+{ flake, config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  portSpec = name: node: concatStringsSep "\n" (map (port: ''
+    port ${name}.${port}
+    type pipe
+    protocol ${node.protocols}
+    reliable true
+    command ${pkgs.openssh}/bin/ssh -x -o batchmode=yes ${name}.${port}
+  '') node.hostnames);
+  sysSpec = name: node: ''
+    system ${name}
+    time any
+    chat-seven-bit false
+    chat . ""
+    protocol ${node.protocols}
+    command-path ${concatStringsSep " " cfg.commandPath}
+    commands ${concatStringsSep " " node.commands}
+    ${concatStringsSep "\nalternate\n" (map (port: ''
+      port ${name}.${port}
+    '') node.hostnames)}
+  '';
+  sshConfig = name: node: concatStringsSep "\n" (map (port: ''
+    Host ${name}.${port}
+      Hostname ${port}
+      IdentitiesOnly Yes
+      IdentityFile ${cfg.sshKeyDir}/${name}
+  '') node.hostnames);
+  sshKeyGen = name: node: ''
+    if [[ ! -e ${cfg.sshKeyDir}/${name} ]]; then
+      ${pkgs.openssh}/bin/ssh-keygen ${escapeShellArgs node.generateKey} -f ${cfg.sshKeyDir}/${name}
+    fi
+  '';
+  restrictKey = key: ''
+    restrict,command="${chat}" ${key}
+  '';
+  chat = pkgs.writeScript "chat" ''
+    #!${pkgs.stdenv.shell}
+
+    echo .
+    exec ${config.security.wrapperDir}/uucico
+  '';
+
+  nodeCfg = {
+    options = {
+      commands = mkOption {
+        type = types.listOf types.str;
+        default = cfg.defaultCommands;
+        description = "Commands to allow for this remote";
+      };
+
+      protocols = mkOption {
+        type = types.separatedString "";
+              default = cfg.defaultProtocols;
+              description = "UUCP protocols to use for this remote";
+      };
+
+      publicKeys = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "SSH client public keys for this node";
+      };
+
+      generateKey = mkOption {
+        type = types.listOf types.str;
+        default = [ "-t" "ed25519" "-N" "" ];
+        description = "Arguments to pass to `ssh-keygen` to generate a keypair for communication with this host";
+      };
+
+      hostnames = mkOption {
+        type = types.listOf types.str;
+        default = [];
+        description = "Hostnames to try in order when connecting";
+      };
+    };
+  };
+
+  cfg = config.services.uucp;
+in {
+  options = {
+    services.uucp = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          If enabled we set up an account accesible via uucp over ssh
+        '';
+      };
+
+      nodeName = mkOption {
+        type = types.str;
+        default = "nixos";
+        description = "uucp node name";
+      };
+
+      sshUser = mkOption { 
+        type = types.attrs;
+        default = {};
+        description = "Overrides for the local uucp linux-user";
+      };
+
+      extraSSHConfig = mkOption {
+        type = types.str;
+        default = "";
+        description = "Extra SSH config";
+      };
+
+      remoteNodes = mkOption {
+        type = types.attrsOf (types.submodule nodeCfg);
+        default = {};
+        description = ''
+          Ports to set up
+          Names will probably need to be configured in sshConfig
+        '';
+      };
+
+      commandPath = mkOption {
+        type = types.listOf types.path;
+        default = [ "${pkgs.rmail}/bin" ];
+        description = ''
+          Command search path for all systems
+        '';
+      };
+
+      defaultCommands = mkOption {
+        type = types.listOf types.str;
+        default = ["rmail"];
+        description = "Commands allowed for remotes without explicit override";
+      };
+
+      defaultProtocols = mkOption {
+        type = types.separatedString "";
+              default = "te";
+              description = "UUCP protocol to use within ssh unless overriden";
+      };
+
+      incomingProtocols = mkOption {
+        type = types.separatedString "";
+        default = "te";
+        description = "UUCP protocols to use when called";
+      };
+
+      homeDir = mkOption {
+        type = types.path;
+        default = "/var/uucp";
+        description = "Home of the uucp user";
+      };
+
+      sshKeyDir = mkOption {
+        type = types.path;
+        default = "${cfg.homeDir}/.ssh/";
+        description = "Directory to store ssh keypairs";
+      };
+
+      spoolDir = mkOption {
+        type = types.path;
+        default = "/var/spool/uucp";
+        description = "Spool directory";
+      };
+
+      lockDir = mkOption {
+        type = types.path;
+        default = "/var/spool/uucp";
+        description = "Lock directory";
+      };
+
+      pubDir = mkOption {
+        type = types.path;
+        default = "/var/spool/uucppublic";
+        description = "Public directory";
+      };
+
+      logFile = mkOption {
+        type = types.path;
+        default = "/var/log/uucp";
+        description = "Log file";
+      };
+
+      statFile = mkOption {
+        type = types.path;
+        default = "/var/log/uucp.stat";
+        description = "Statistics file";
+      };
+
+      debugFile = mkOption {
+        type = types.path;
+        default = "/var/log/uucp.debug";
+        description = "Debug file";
+      };
+
+      interval = mkOption {
+        type = types.nullOr types.str;
+        default = "1h";
+        description = ''
+          Specification of when to run `uucico' in format used by systemd timers
+          The default is to do so every hour
+        '';
+      };
+
+      nmDispatch = mkOption {
+        type = types.bool;
+        default = config.networking.networkmanager.enable;
+        description = ''
+          Install a network-manager dispatcher script to automatically
+          call all remotes when networking is available
+        '';
+      };
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = ''
+          run-uuxqt 1
+        '';
+        description = "Extra configuration to append verbatim to `/etc/uucp/config'";
+      };
+
+      extraSys = mkOption {
+        type = types.lines;
+        default = ''
+          protocol-parameter g packet-size 4096
+        '';
+              description = "Extra configuration to prepend verbatim to `/etc/uucp/sys`";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.etc."uucp/config" = {
+      text = ''
+        hostname ${cfg.nodeName}
+      
+        spool ${cfg.spoolDir}
+        lockdir ${cfg.lockDir}
+        pubdir ${cfg.pubDir}
+        logfile ${cfg.logFile}
+        statfile ${cfg.statFile}
+        debugfile ${cfg.debugFile}
+        
+        ${cfg.extraConfig}
+      '';
+    };
+
+    users.users."uucp" = {
+      name = "uucp";
+      isSystemUser = true;
+      isNormalUser = false;
+      createHome = true;
+      home = cfg.homeDir;
+      description = "User for uucp over ssh";
+      useDefaultShell = true;
+      openssh.authorizedKeys.keys = map restrictKey (concatLists (mapAttrsToList (name: node: node.publicKeys) cfg.remoteNodes));
+    } // cfg.sshUser;
+
+    system.activationScripts."uucp-sshconfig" = ''
+      mkdir -p ${config.users.users."uucp".home}/.ssh
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${config.users.users."uucp".home}/.ssh
+      chmod 700 ${config.users.users."uucp".home}/.ssh
+      ln -fs ${builtins.toFile "ssh-config" ''
+        ${concatStringsSep "\n" (mapAttrsToList sshConfig cfg.remoteNodes)}
+      
+        ${cfg.extraSSHConfig}
+      ''} ${config.users.users."uucp".home}/.ssh/config
+
+      mkdir -p ${cfg.sshKeyDir}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.sshKeyDir}
+      chmod 700 ${cfg.sshKeyDir}
+
+      ${concatStringsSep "\n" (mapAttrsToList sshKeyGen cfg.remoteNodes)}
+    '';
+
+    system.activationScripts."uucp-logs" = ''
+      touch ${cfg.logFile}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.logFile}
+      chmod 644 ${cfg.logFile}
+      touch ${cfg.statFile}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.statFile}
+      chmod 644 ${cfg.statFile}
+      touch ${cfg.debugFile}
+      chown ${config.users.users."uucp".name}:${config.users.users."uucp".group} ${cfg.debugFile}
+      chmod 644 ${cfg.debugFile}
+    '';
+
+    environment.etc."uucp/port" = {
+      text = ''
+        port ssh
+        type stdin
+        protocol ${cfg.incomingProtocols}
+      '' + concatStringsSep "\n" (mapAttrsToList portSpec cfg.remoteNodes);
+    };
+    environment.etc."uucp/sys" = {
+      text = cfg.extraSys + "\n" + concatStringsSep "\n" (mapAttrsToList sysSpec cfg.remoteNodes);
+    };
+
+    security.wrappers = let
+      wrapper = p: {
+        name = p;
+        value = {
+          source = "${pkgs.uucp}/bin/${p}";
+          owner = "root";
+          group = "root";
+          setuid = true;
+          setgid = false;
+        };
+      };
+    in listToAttrs (map wrapper ["uucico" "cu" "uucp" "uuname" "uustat" "uux" "uuxqt"]);
+
+    nixpkgs.overlays = [(self: super: {
+      uucp = super.lib.overrideDerivation super.uucp (oldAttrs: {
+        configureFlags = "--with-newconfigdir=/etc/uucp";
+        patches = [
+          (super.writeText "mailprogram" ''
+             policy.h | 2 +-
+             1 file changed, 1 insertion(+), 1 deletion(-)
+
+            diff --git a/policy.h b/policy.h
+            index 5afe34b..8e92c8b 100644
+            --- a/policy.h
+            +++ b/policy.h
+            @@ -240,7 +240,7 @@
+                the sendmail choice below.  Otherwise, select one of the other
+                choices as appropriate.  */
+             #if 1
+            -#define MAIL_PROGRAM "/usr/lib/sendmail -t"
+            +#define MAIL_PROGRAM "${config.security.wrapperDir}/sendmail -t"
+             /* #define MAIL_PROGRAM "/usr/sbin/sendmail -t" */
+             #define MAIL_PROGRAM_TO_BODY 1
+             #define MAIL_PROGRAM_SUBJECT_BODY 1
+          '')
+        ];
+      });
+      rmail = super.writeScriptBin "rmail" ''
+          #!${super.stdenv.shell}
+
+          # Dummy UUCP rmail command for postfix/qmail systems
+
+          IFS=" " read junk from junk junk junk junk junk junk junk relay
+
+          case "$from" in
+            *[@!]*) ;;
+            *) from="$from@$relay";;
+          esac
+
+          exec ${config.security.wrapperDir}/sendmail -G -i -f "$from" -- "$@"
+        '';
+    })];
+
+    environment.systemPackages = with pkgs; [
+      uucp
+    ];
+
+    systemd.services."uucico@" = {
+      serviceConfig = {
+        User = "uucp";
+        Type = "oneshot";
+        ExecStart = "${config.security.wrapperDir}/uucico -D -S %i";
+      };
+    };
+
+    systemd.timers."uucico@" = {
+      timerConfig.OnActiveSec = cfg.interval;
+      timerConfig.OnUnitActiveSec = cfg.interval;
+    };
+
+    systemd.targets."multi-user" = {
+      wants = mapAttrsToList (name: node: "uucico@${name}.timer") cfg.remoteNodes;
+    };
+
+    systemd.kill-user.enable = true;
+    systemd.targets."sleep" = {
+      after = [ "kill-user@uucp.service" ];
+      wants = [ "kill-user@uucp.service" ];
+    };
+    
+    networking.networkmanager.dispatcherScripts = optional cfg.nmDispatch {
+      type = "basic";
+      source = pkgs.writeScript "callRemotes.sh" ''
+        #!${pkgs.stdenv.shell}
+
+        shopt -s extglob
+
+        case "''${2}" in
+          (?(vpn-)up)
+            ${concatStringsSep "\n    " (mapAttrsToList (name: node: "${pkgs.systemd}/bin/systemctl start uucico@${name}.service") cfg.remoteNodes)}
+            ;;
+        esac
+      '';
+    };
+  };
+}
diff --git a/modules/yggdrasil/default.nix b/modules/yggdrasil/default.nix
new file mode 100644
index 00000000..f4100e73
--- /dev/null
+++ b/modules/yggdrasil/default.nix
@@ -0,0 +1,50 @@
+{ config, lib, customUtils, ... }:
+let
+  cfg = config.services.tinc.yggdrasil;
+in {
+  options = {
+    services.tinc.yggdrasil = lib.mkOption {
+      default = {};
+      type = lib.types.submodule {
+        options = {
+          enable = lib.mkEnableOption "Yggdrasil tinc network";
+          
+          connect = lib.mkOption {
+            default = true;
+            type = lib.types.bool;
+            description = ''
+              Connect to central server
+            '';
+          };
+        };
+      };
+    };
+  };
+  
+  config = lib.mkIf cfg.enable {
+    services.tinc.networks.yggdrasil = {
+      name = config.networking.hostName;
+      hostSettings = customUtils.nixImport { dir = ./hosts; };
+      debugLevel = 2;
+      interfaceType = "tap";
+      settings = {
+        Mode = "switch";
+        PingTimeout = 30;
+        ConnectTo = lib.mkIf cfg.connect "ymir";
+      };
+    };
+
+    sops.secrets = {
+      tinc-yggdrasil-rsa = {
+        key = "rsa";
+        path = "/etc/tinc/yggdrasil/rsa_key.priv";
+        sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
+      };
+      tinc-yggdrasil-ed25519 = {
+        key = "ed25519";
+        path = "/etc/tinc/yggdrasil/rsa_key.priv";
+        sopsFile = ./hosts + "/${config.services.tinc.networks.yggdrasil.name}/private-keys.yaml";
+      };
+    };
+  };
+}
diff --git a/modules/yggdrasil/hosts/sif/default.nix b/modules/yggdrasil/hosts/sif/default.nix
new file mode 100644
index 00000000..32b844de
--- /dev/null
+++ b/modules/yggdrasil/hosts/sif/default.nix
@@ -0,0 +1,13 @@
+{
+  settings.Ed25519PublicKey = "qJqty+wiTNcYaHQCvQNiMqXYz30C9M3+LI/qjmU/9hK";
+  rsaPublicKey = ''
+    -----BEGIN RSA PUBLIC KEY-----
+    MIIBCgKCAQEA0ACaacg9EN0hBQct8ZwQ/i6EsXKP4DIwKwabM2rp8azValTHU2uI
+    WW6JRY+Eii6zRx9B5kJ96C4rJJeAGV6lZPAogaC2LbM7lcsZ7oRDWZGaQKcZFNGi
+    laEcDg2dRuDx1W4at0rb03SDLNPt8sXSV6BcK9n/7m7+s9cwM/+PB8FHDMnWvwbC
+    usbP23020s+CVr/PU1z/7J0y3Eat+Acut6x5X8DNewpqV96wQpqdAggbhtYERMFH
+    +i0sa1WUDQtJ6HGChbENRTMlsPJ6lnzXY+J0pzatzzvetLsOljES9uJ8dtk6qBC7
+    KRZo5lvdUwR6j9XiHMQeRerUt23b9ATFXQIDAQAB
+    -----END RSA PUBLIC KEY-----
+  '';
+}
diff --git a/modules/yggdrasil/hosts/sif/private-keys.yaml b/modules/yggdrasil/hosts/sif/private-keys.yaml
new file mode 100644
index 00000000..9be82bc1
--- /dev/null
+++ b/modules/yggdrasil/hosts/sif/private-keys.yaml
@@ -0,0 +1,34 @@
+ed25519: ENC[AES256_GCM,data:1CqB4y6CIm5JUsznpXPqqLJqCKmmoAJOZQTWb7+Jbn0oZMX27qSMK4CchHF7Bmo24EK8rk5EyW5aQLnoxp/2NA62p8SXdaoI8Qgz3EgsQ5QrlJrt1jvERpNs4vttT9V6+aK3Yojr9IuQSvJ4jyKSLrzrTnLzF9pXlaOf1Ru5SxySRWtVzynzurRpdUVS6goE+lb+Irg6x2geV719iQ9bu1C2smeQDREdS+dlfoxp02/pU6kTFA7KAm5vA91HKEfMqfSEzuBgUB0=,iv:n6Yh0zZ9AbT+83P42QNO2rCCISJV5nbO9wYcwaRYD2E=,tag:dJpXV9ZzLSO1B+LsyV3vAg==,type:str]
+rsa: ENC[AES256_GCM,data:7faQJAhoYt3MJidg4TVwysmLGZ4V1fA9NYYKgEMgky4q0Q9tBGhEsA60uj7iKcMMRhGku7feIFkj2+1qjKy+e1Bajfs2rqxgyqYmM6yOTrmorbXBVyrPOTOwJp3yp7O1vIXwoUS9vWIYxFszpfaLL0/8aARYVrYmpxf3gsBfQ4LciM1VKEgjG3uRBf1tDLaNuMNyzdan0DFghwuDojPOXUFv/6yuPxU2U0TagVjwAk4FThGwEasvV454RSm/GmqYtX+P4Vc3pEWNYAK1rXJAuXm1392Uash+HGQ+3ln5N9yWneewgPPr0pePAugxxN0qnwhy5MRKGQE3ZHCZ0beslfOm6pkmYTfww3lKNIJGabMfMD3COoAI7zWebUvksZPsgH6f1olbzABkZdS1s//WNMnWQHGxsWePXkLFe8bfnNXouEXHtLvQ7On0KPyt8y5QBI9bDPpTn92/O9jCevXSttrez4buBdCHFmCE8xgW5JKKEXgMubPPjEF3MABiGu0TMeWM4a1ibY7HfvNrRkO1pE9RhdRT/dFV/MrPxk7P0k16x9H4+QnE7VglfNZO3Wd3bnYxcH7hmAbIzpFnUJvolyNfmynwL2WwaYuBskXASD1FuqpM0tbhantqGyHVPe62+KimU0zDAJ1HMyqhIN0MD1MSXsdoItAsw033GYLB83L8xPatARJR9qEdKwrhmgSDY36AbJ8VI/RUzicZoYdhK8+M7bNGIkD5MgrQO35q+3oa6Xcib+5MtW0RVJKLP4y5/XNkjd4EPl6nahcVi63/FG7LJmO+/I7bkLIAWmIq8BHcXEwbz0womYp404pSfEPr3cy1N5S3yqRdzVxavTJb0PLMpHq2rWuHK2DIY77hEOAt0XcReWYsRkmTl+v9iQLF+D4GBLr+O2oZNJrocNVZYkfdjsrUd2cUOCV7ZQphO5Yc+yKrqzmCqUUvdoJ3vlaPxMXx4LACeMImo1sAFxoOgIpyfklo/bdhi9osiL55I8pAIh5hGes/uCbwaRnW+wbaYcMliCuUO8XelfXwBot8W+0l0wk2zKRSKtYKcX1n/Ax5mIt6mIoQkvyL82lccS9ppJLjt7DYlvK8L6imeV11ATf1ZhSGB3c67/XYik5BXz827Rj29K6fg/CvU65f/bEAuE39gSJ4mHsRl3bvkNLiUMEBrDuZnText33fCbqVA5DUIfqSbLUzXtqNl8vHnlOBICYwjv8PtUMJ6VTCDu33SmtQzJAfnmuewOKAC51FPsyaDhouTKllUaqx34NfEP8k2C8/4oNPgDcLjInm3f43tIuJbScdp8ltNVCLoChS8jbBOvrVYTI0eP+BuAuEfWYldUYq96oH/x9d0yvPqZ1rnwmqg4y6GfkACw6+/QvrDdtcM+1uI86RxZ7KGurb8KG7NPdSWhzz+72+TO5Tq29K8QETLzzalnVzaVWj/xGsjgkslxmDMKxLJQw0o24lgg/R30aU9BL6YwDVi10nu+Tv5kayb/NVLdMNWxfKNg1KZcf8M2ApgonjingbpUlinZ25/IIcQB9lMT4HSyvtGtIqnsPL4SQNsgBLcMzdwbL0EvS3qMAEVWKfUm2v9AA2+RMsKEKtD4UNF2xF7oACJiyTcw/xUOmkaTIZZ2ev0JVb4IYs1qx5Skz+IMAvWQ2FjBMXna5e/LYgBl6kdLSTcDvlymHpbjjuRdRq+uq+ZMXIACyZ+qUnZ0qcfWGPxOCI0hXPc5ac/zSGkPKYiWT/rCSuo+MoijjK4YZ2fub9TCYjZRS+QvLlXOM8F06Or0jQQOveezqJFZdoBGj248BtcPAVbYqfaytIlYjARlhQL/lKaaOrbONk6kIlDpwkhlzO50OkhALItlbW4Aa8zZ/WeXkfkb/6A7NLce42XDoOnvZt9UdYVTRphf8yxjRE2YMwZsmeTIieg8KwwJdnoJIhiQFdVDFgXb2xPZA2CbdvZwGwuFkLWgJUg6H+aHdw39UnNM+S9PYaOQ9oaS7IyeWhXMgP7TKM98uILsBg/Xn9tafHaslQfjVRDEaYtrmDZMYhb+h/MZKngx7uwmUyqHszAYN/M+RMJVy3s4uBu/EufWYVMorunpPEXGYA4Rg1HUuAOvWSvpM3PJG9Wnrazw6xmkwIUSKju5irpWATYmqSX3pPkG5C0sTatszVDAvTs9+/9Xdbney7/6QskSHMph8Kn/Udpq7PPrZWADkIi1k4oibgABOXOWBk5ZbNbiDrZA==,iv:ZUAqvOpcVCXQD2PFzUh0e2m20t6gVT3mYb7S50iV/m8=,tag:AssxMqjVUEwQ4R6Y7eG9Tg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-02T14:46:16Z'
+    mac: ENC[AES256_GCM,data:Phng7z7UlE6nO3FFIQPOHgKCqDm2uOGL57ryJbokjipSSdoWPinpz0zIJv9Z67b9uOf3CQoGtV4YwcudNkzDBKOyD8uA6RYwCKpbYcZIdiy8DLL46+VT/wq9toTkeDXM6jKupzzOARZhHT8DCOLqW7u8Q3S645cbTJmw0+LMIGk=,iv:y4KEh0+bKhtnSobKVdfaPuRsueNC1lcrEbUGfEAn+Bg=,tag:3Oi4e/hSgPVsoFQpnVQj+g==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T14:45:04Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dgwm4NZSaLAcSAQdAwWM12Zara3T2xDIX3rhakGxXFyme4LE5QZgE2GjnnWEw
+            T/vhPfsKFCjA2kAmj41NupjvTPL/nzfd7+MrdHRfC462Jrq+UF1W8A4bUa3OMH5J
+            0l4BuFhl93w/VBftvnG8oSBAFCPNDapNADjTVJQStgsZa0/uD93NnCxyQmtuJYsQ
+            URlH0KMT6Kouaec4qk3SqkAHzaIIAukahBHAPf2C5cvXYw7AAOOBOdRaWycsmZDc
+            =S4Ig
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T14:45:04Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdA7apd+ipJ0lUiuPI5Sq6uj6iOQYFfuNDuzse1JFJMfn4w
+            McsGPcbMorZV0OVFmg9vuZ0GP9sb7mkm+oRuY9OeMDEifjWGHJ2UN4TvdEcCO1zx
+            0l4BvYyzFbShlQjge7+nrzVi2lzEvqsozEW76K3arWb/iYLCRyl0/Vhw5WT4K/UE
+            fw4cbqz7JrogVLFNeWSRPk3Y+Dg4Pf9rQnw1EJhUEIczYjnfajPhYe5K4M01mOby
+            =B0n7
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/modules/yggdrasil/hosts/ymir.nix b/modules/yggdrasil/hosts/ymir.nix
new file mode 100644
index 00000000..b77a9216
--- /dev/null
+++ b/modules/yggdrasil/hosts/ymir.nix
@@ -0,0 +1,19 @@
+{
+  addresses = [{ address = "ymir.yggdrasil.li"; }];
+  settings.Ed25519PublicKey = "b/SobnMqByzHOQeO+iU7OZ1liD8a++knbi5ebNawnaC";
+  rsaPublicKey = ''
+    -----BEGIN RSA PUBLIC KEY-----
+    MIICCgKCAgEAuInSfQf5euFXEVkLLzf9TumQJ+3WRsxX4uKdOXBqrIC7yjSBP8j9
+    ql5rNWPzgXxFF5ERmwW+E3cyzJLU9Htu7r3muqM6nhSZizhCskifPRFc3e5ssSke
+    XhHICHfe90+qvab/hWx/NjkW59bBYIzDuJfq+ijDFMVNgOxaiM2f3/2prUUhP7bN
+    r3wVI8KCkOaknc0SOOmOhLzfJaD5wosqLOjgaNhlro2eMgMjQlxbyW8dVVgjwseR
+    Cl/mpu7r1pSMhS66RFH68wDoC3X81f7Zs9ZGDLTD8KXWhx0qgUMUAH4n6YGY0RM6
+    BZ3qR/3KFRU64QPVAERpb0JdsU9ggCVydHkjrWW23ptHOPAOO5+yQj7tSDCKTRy9
+    dHMQnbtPrgAb6iMhO1XTxA8Hdta1sCHsewsQekarwsA1bmk3hTgi/k8vwoGDUWtk
+    jgiDEPuutfmH4C6qxq9s+6lRboNKH8wgkVGpHiaq7mmePFdhzFdrj4+fYAMZTbil
+    2iygsJ+yFOjA7U+iT6QDK33/MLsrQg0Ue6RPiG1qnDyax7gBAjz52iWkiuSkUXk0
+    E5ImdP4XMILgGcWk8iPq5iRS03edE0pCpxGX3ZZwFE5+CoXgO6wR1ToL1vZEEHMQ
+    SHJPufKjkavPKbejPps/mLaJQVw3W10PAJssB9nxW2aHX3n0ugGaIvMCAwEAAQ==
+    -----END RSA PUBLIC KEY-----
+  '';
+}
diff --git a/overlays/clevis.nix b/overlays/clevis.nix
new file mode 100644
index 00000000..a786340c
--- /dev/null
+++ b/overlays/clevis.nix
@@ -0,0 +1,37 @@
+final: prev:
+{
+  clevis = prev.clevis.overrideAttrs (oldAttrs: {
+    buildInputs = (oldAttrs.buildInputs or []) ++ [final.tpm2-tools];
+    nativeBuildInputs = (oldAttrs.nativeBuildInputs or []) ++ [final.makeWrapper];
+
+    preFixup = ''
+      ${oldAttrs.preFixup or ""}
+
+      for bin in $out/bin/*; do
+        test -x $bin || continue
+
+        substituteInPlace $bin \
+          --replace /bin/cat ${final.coreutils}/bin/cat
+
+        wrapProgram $bin \
+          --prefix PATH : ${final.tpm2-tools}/bin \
+          --prefix PATH : ${final.jose}/bin \
+          --prefix PATH : ${final.libpwquality}/bin
+      done
+    '';
+  });
+
+  tpm2-tools = prev.tpm2-tools.overrideAttrs (oldAttrs: {
+    fixupPhase = ''
+      ${oldAttrs.fixupPhase or ""}
+
+      for wrapper in $out/bin/tpm2_*; do
+        symlink=.''${wrapper}-wrapped
+
+        test -h $symlink || continue
+
+        mv -v $symlink $wrapper
+      done
+    '';
+  });
+}
diff --git a/overlays/nerdfonts.nix b/overlays/nerdfonts.nix
new file mode 100644
index 00000000..28581d72
--- /dev/null
+++ b/overlays/nerdfonts.nix
@@ -0,0 +1,5 @@
+final: prev: {
+  nerdfonts = prev.nerdfonts.override {
+    fonts = ["FiraMono" "FiraCode"];
+  };
+}
diff --git a/overlays/nvidia-kernel-5.7.nix b/overlays/nvidia-kernel-5.7.nix
new file mode 100644
index 00000000..92d3abb3
--- /dev/null
+++ b/overlays/nvidia-kernel-5.7.nix
@@ -0,0 +1,19 @@
+final: prev: {
+  linuxPackages_latest = prev.linuxPackages_latest.extend (self: super: {
+    nvidiaPackages = super.nvidiaPackages // {
+      stable = super.nvidiaPackages.stable.overrideAttrs (attrs: {
+        patches = [
+          (prev.fetchpatch {
+            name = "nvidia-kernel-5.7.patch";
+            url = "https://gitlab.com/snippets/1965550/raw";
+            sha256 = "03iwxhkajk65phc0h5j7v4gr4fjj6mhxdn04pa57am5qax8i2g9w";
+          })
+        ];
+
+        passthru = {
+          inherit (super.nvidiaPackages.stable) settings persistenced persistencedVersion settingsVersion;
+        };
+      });
+    };
+  });
+}
diff --git a/overlays/persistent-nix-shell/default.nix b/overlays/persistent-nix-shell/default.nix
new file mode 100644
index 00000000..60396335
--- /dev/null
+++ b/overlays/persistent-nix-shell/default.nix
@@ -0,0 +1,19 @@
+final: prev: {
+  persistent-nix-shell = prev.stdenv.mkDerivation {
+    name = "persistent-nix-shell";
+    src = ./persistent-nix-shell;
+
+    phases = [ "buildPhase" "installPhase" ];
+
+    inherit (final) zsh;
+
+    buildPhase = ''
+      substituteAll $src persistent-nix-shell
+    '';
+
+    installPhase = ''
+      install -m 0755 -D -t $out/bin \
+        persistent-nix-shell
+    '';
+  };
+}
diff --git a/overlays/persistent-nix-shell/persistent-nix-shell b/overlays/persistent-nix-shell/persistent-nix-shell
new file mode 100644
index 00000000..a17f6de6
--- /dev/null
+++ b/overlays/persistent-nix-shell/persistent-nix-shell
@@ -0,0 +1,20 @@
+#!@zsh@/bin/zsh
+
+set -e
+
+gcrootsDir=${PWD}/.nix-gc-roots
+
+if [[ ${#@} -ge 1 ]]; then
+  shellFile=${1}
+  shift
+else
+  shellFile=${PWD}/shell.nix
+fi
+
+set -x
+mkdir -p ${gcrootsDir}
+nix-instantiate ${shellFile} --indirect --add-root ${gcrootsDir}/shell.drv
+nix-store --indirect --add-root ${gcrootsDir}/shell.dep --realise $(nix-store --query --references ${gcrootsDir}/shell.drv)
+set +x
+
+exec nix-shell $(readlink ${gcrootsDir}/shell.drv) ${@}
diff --git a/overlays/pidgin.nix b/overlays/pidgin.nix
new file mode 100644
index 00000000..d346c7a1
--- /dev/null
+++ b/overlays/pidgin.nix
@@ -0,0 +1,15 @@
+final: prev:
+let
+  mucHistory = prev.fetchpatch {
+    url = "https://developer.pidgin.im/raw-attachment/ticket/16524/0001-only-request-unseed-chat-history-from-jabber-group-c.patch";
+    sha256 = "083wvmq7417xz55fxxhllqwql1hgjvin2sak08844121yw1jvc44";
+  };
+in {
+  pidgin-with-plugins = import (/. + prev.path + "/pkgs/applications/networking/instant-messengers/pidgin/wrapper.nix") {
+    inherit (prev) makeWrapper symlinkJoin;
+    plugins = with final; [ purple-lurch pidgin-carbons pidgin-opensteamworks pidgin-xmpp-receipts ];
+    pidgin = prev.pidgin.overrideAttrs (oldAttrs: {
+      patches = (oldAttrs.patches or []) ++ [mucHistory];
+    });
+  };
+}
diff --git a/overlays/urxvt/52-osc.pl b/overlays/urxvt/52-osc.pl
new file mode 100644
index 00000000..3292e8c4
--- /dev/null
+++ b/overlays/urxvt/52-osc.pl
@@ -0,0 +1,41 @@
+#! perl
+
+=head1 NAME
+
+52-osc - Implement OSC 32 ; Interact with X11 clipboard
+
+=head1 SYNOPSIS
+
+   urxvt -pe 52-osc
+
+=head1 DESCRIPTION
+
+This extension implements OSC 52 for interacting with system clipboard
+
+Most code stolen from:
+http://ailin.tucana.uberspace.de/static/nei/*/Code/urxvt/
+
+=cut
+
+use MIME::Base64;
+use Encode;
+
+sub on_osc_seq {
+    my ($term, $op, $args) = @_;
+    return () unless $op eq 52;
+
+    my ($clip, $data) = split ';', $args, 2;
+    if ($data eq '?') {
+        # my $data_free = $term->selection();
+        # Encode::_utf8_off($data_free); # XXX
+        # $term->tt_write("\e]52;$clip;".encode_base64($data_free, '')."\a");
+    }
+    else {
+        my $data_decoded = decode_base64($data);
+        Encode::_utf8_on($data_decoded); # XXX
+        $term->selection($data_decoded, $clip =~ /c|^$/);
+        $term->selection_grab(urxvt::CurrentTime, $clip =~ /c|^$/);
+    }
+
+    ()
+}
diff --git a/overlays/urxvt/default.nix b/overlays/urxvt/default.nix
new file mode 100644
index 00000000..3c57d000
--- /dev/null
+++ b/overlays/urxvt/default.nix
@@ -0,0 +1,21 @@
+final: prev: {
+  rxvt_unicode-with-plugins = prev.rxvt-unicode.override {
+    configure = { availablePlugins, ... }: {
+        plugins = [ final.urxvt_osc_52 ] ++ builtins.attrValues availablePlugins;
+      };
+    };
+  urxvt_osc_52 = prev.stdenv.mkDerivation {
+    name = "rxvt_unicode-osc_52-0";
+    src = ./52-osc.pl;
+    unpackPhase = ''
+      cp $src 52-osc
+    '';
+    buildPhase = ''
+      sed -i 's|#! perl|#! ${final.perl}/bin/perl|g' 52-osc
+    '';
+    installPhase = ''
+      mkdir -p $out/lib/urxvt/perl
+      cp 52-osc $out/lib/urxvt/perl 
+    '';
+  };
+}
diff --git a/overlays/v4l2loopback.nix b/overlays/v4l2loopback.nix
new file mode 100644
index 00000000..335f86a3
--- /dev/null
+++ b/overlays/v4l2loopback.nix
@@ -0,0 +1,37 @@
+final: prev: {
+  linuxPackages_latest = prev.linuxPackages_latest.extend (self: super: {
+    v4l2loopback = super.stdenv.mkDerivation rec {
+      name = "v4l2loopback-${version}-${self.kernel.version}";
+      version = "f62fb9076b6313e5eb82fdcaceadb6b3052f346e";
+
+      src = prev.fetchFromGitHub {
+        owner = "umlaeute";
+        repo = "v4l2loopback";
+        rev = "${version}";
+        sha256 = "VRFtimQQtT8vd1dx5KtUDkmXo3DSOybhNLcAIxQba44=";
+        fetchSubmodules = true;
+      };
+
+      hardeningDisable = [ "format" "pic" ];
+
+      preBuild = ''
+        substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
+        sed -i '/depmod/d' Makefile
+        export PATH=${final.kmod}/sbin:$PATH
+      '';
+
+      nativeBuildInputs = self.kernel.moduleBuildDependencies;
+      buildInputs = [ final.kmod ];
+
+      makeFlags = [
+        "KERNELRELEASE=${self.kernel.modDirVersion}"
+        "KERNEL_DIR=${self.kernel.dev}/lib/modules/${self.kernel.modDirVersion}/build"
+      ];
+
+      postInstall = ''
+        mkdir -p $out/bin
+        install -m0755 utils/v4l2loopback-ctl $out/bin
+      '';
+    };
+  });
+}
diff --git a/overlays/worktime/default.nix b/overlays/worktime/default.nix
new file mode 100644
index 00000000..ab6fb40a
--- /dev/null
+++ b/overlays/worktime/default.nix
@@ -0,0 +1,19 @@
+final: prev: {
+  worktime = prev.stdenv.mkDerivation rec {
+    name = "worktime";
+    src = ./worktime.py;
+
+    phases = [ "buildPhase" "installPhase" ];
+
+    python = prev.python39.withPackages (ps: with ps; [pyxdg dateutil uritools requests configparser tabulate]);
+
+    buildPhase = ''
+      substituteAll $src worktime
+    '';
+
+    installPhase = ''
+      install -m 0755 -D -t $out/bin \
+        worktime
+    '';
+  };
+}
diff --git a/overlays/worktime/worktime.py b/overlays/worktime/worktime.py
new file mode 100755
index 00000000..c7b013f9
--- /dev/null
+++ b/overlays/worktime/worktime.py
@@ -0,0 +1,430 @@
+#!@python@/bin/python
+
+import requests
+from requests.exceptions import HTTPError
+from requests.auth import HTTPBasicAuth
+from datetime import *
+from xdg import (BaseDirectory)
+import configparser
+from uritools import uricompose
+
+from dateutil.easter import *
+from dateutil.tz import *
+from dateutil.parser import isoparse
+
+from enum import Enum
+
+from math import (copysign, ceil)
+
+import calendar
+
+import argparse
+
+from copy import deepcopy
+
+import sys
+
+from tabulate import tabulate
+
+class TogglAPISection(Enum):
+    TOGGL = '/api/v8'
+    REPORTS = '/reports/api/v2'
+
+class TogglAPIError(Exception):
+    def __init__(self, http_error, response):
+        self.http_error = http_error
+        self.response = response
+
+    def __str__(self):
+        if not self.http_error is None:
+            return str(self.http_error)
+        else:
+            return self.response.text
+
+class TogglAPI(object):
+    def __init__(self, api_token, workspace_id):
+        self._api_token = api_token
+        self._workspace_id = workspace_id
+
+    def _make_url(self, api=TogglAPISection.TOGGL, section=['time_entries', 'current'], params={}):
+        if api is TogglAPISection.REPORTS:
+          params.update({'user_agent': 'worktime', 'workspace_id': self._workspace_id})
+
+        api_path = api.value
+        section_path = '/'.join(section)
+        uri = uricompose(scheme='https', host='api.track.toggl.com', path=f"{api_path}/{section_path}", query=params)
+
+        return uri
+
+    def _query(self, url, method):
+
+        headers = {'content-type': 'application/json'}
+        response = None
+
+        if method == 'GET':
+            response = requests.get(url, headers=headers, auth=HTTPBasicAuth(self._api_token, 'api_token'))
+        elif method == 'POST':
+            response = requests.post(url, headers=headers, auth=HTTPBasicAuth(self._api_token, 'api_token'))
+        else:
+            raise ValueError(f"Undefined HTTP method “{method}”")
+
+        response.raise_for_status()
+
+        return response
+
+    def get_billable_hours(self, start_date, end_date=datetime.now(timezone.utc), rounding=False):
+        billable_acc = timedelta(milliseconds = 0)
+        step = timedelta(days = 365)
+
+        for req_start in [start_date + x * step for x in range(0, ceil((end_date - start_date) / step))]:
+          req_end = end_date
+          if end_date > req_start + step:
+            req_end = datetime.combine((req_start + step).astimezone(timezone.utc).date(), time(tzinfo=timezone.utc))
+          elif req_start > start_date:
+            req_start = datetime.combine(req_start.astimezone(timezone.utc).date(), time(tzinfo=timezone.utc)) + timedelta(days = 1)
+
+          url = self._make_url(api = TogglAPISection.REPORTS, section = ['summary'], params={'since': req_start.astimezone(timezone.utc).isoformat(), 'until': req_end.astimezone(timezone.utc).isoformat(), 'rounding': rounding})
+          r = self._query(url = url, method='GET')
+          if not r or not r.json():
+              raise TogglAPIError(r)
+          billable_acc += timedelta(milliseconds=r.json()['total_billable']) if r.json()['total_billable'] else timedelta(milliseconds=0)
+
+        return billable_acc
+
+    def get_running_clock(self, now=datetime.now(timezone.utc)):
+        url = self._make_url(api = TogglAPISection.TOGGL, section = ['time_entries', 'current'])
+        r = self._query(url = url, method='GET')
+
+        if not r or not r.json():
+            raise TogglAPIError(r)
+
+        if not r.json()['data'] or not r.json()['data']['billable']:
+            return None
+
+        start = isoparse(r.json()['data']['start'])
+
+        return now - start if start <= now else None
+
+class Worktime(object):
+    time_worked = timedelta()
+    running_entry = None
+    now = datetime.now(tzlocal())
+    time_pulled_forward = timedelta()
+    is_workday = False
+    include_running = True
+    time_to_work = None
+    force_day_to_work = True
+
+    @staticmethod
+    def holidays(year):
+      holidays = dict()
+
+      y_easter = datetime.combine(easter(year), time(), tzinfo=tzlocal())
+
+      # Legal holidays in munich, bavaria
+      holidays[datetime(year, 1, 1, tzinfo=tzlocal()).date()] = 1
+      holidays[datetime(year, 1, 6, tzinfo=tzlocal()).date()] = 1
+      holidays[(y_easter+timedelta(days=-2)).date()] = 1
+      holidays[(y_easter+timedelta(days=+1)).date()] = 1
+      holidays[datetime(year, 5, 1, tzinfo=tzlocal()).date()] = 1
+      holidays[(y_easter+timedelta(days=+39)).date()] = 1
+      holidays[(y_easter+timedelta(days=+50)).date()] = 1
+      holidays[(y_easter+timedelta(days=+60)).date()] = 1
+      holidays[datetime(year, 8, 15, tzinfo=tzlocal()).date()] = 1
+      holidays[datetime(year, 10, 3, tzinfo=tzlocal()).date()] = 1
+      holidays[datetime(year, 11, 1, tzinfo=tzlocal()).date()] = 1
+      holidays[datetime(year, 12, 25, tzinfo=tzlocal()).date()] = 1
+      holidays[datetime(year, 12, 26, tzinfo=tzlocal()).date()] = 1
+
+      return holidays
+
+    @staticmethod
+    def config():
+        config = configparser.ConfigParser()
+        config_dir = BaseDirectory.load_first_config('worktime')
+        config.read(f"{config_dir}/worktime.ini")
+        return config
+
+    def __init__(self, start_datetime=None, end_datetime=None, now=None, include_running=True, force_day_to_work=True, **kwargs):
+      self.include_running = include_running
+      self.force_day_to_work = force_day_to_work
+        
+      if now:
+        self.now = now
+        
+      config = Worktime.config()
+      config_dir = BaseDirectory.load_first_config('worktime')
+      api = TogglAPI(api_token=config['TOGGL']['ApiToken'], workspace_id=config['TOGGL']['Workspace'])
+      date_format = config.get('WORKTIME', 'DateFormat', fallback='%Y-%m-%d')
+
+      start_date = start_datetime or datetime.strptime(config['WORKTIME']['StartDate'], date_format).replace(tzinfo=tzlocal())
+      end_date = end_datetime or self.now
+
+      try:
+          with open(f"{config_dir}/reset", 'r') as reset:
+              for line in reset:
+                  stripped_line = line.strip()
+                  reset_date = datetime.strptime(stripped_line, date_format).replace(tzinfo=tzlocal())
+
+                  if reset_date > start_date and reset_date < end_date:
+                      start_date = reset_date
+      except IOError as e:
+          if e.errno != 2:
+              raise e
+              
+
+      hours_per_week = float(config.get('WORKTIME', 'HoursPerWeek', fallback=40))
+      workdays = set([int(d.strip()) for d in config.get('WORKTIME', 'Workdays', fallback='1,2,3,4,5').split(',')])
+      time_per_day = timedelta(hours = hours_per_week) / len(workdays)
+
+      holidays = dict()
+
+      for year in range(start_date.year, end_date.year + 1):
+          holidays |= {k: v * time_per_day for k, v in Worktime.holidays(year).items()}
+
+      try:
+          with open(f"{config_dir}/excused", 'r') as excused:
+              for line in excused:
+                  stripped_line = line.strip()
+                  if stripped_line:
+                      splitLine = stripped_line.split(' ')
+                      if len(splitLine) == 2:
+                          [hours, date] = splitLine
+                          day = datetime.strptime(date, date_format).replace(tzinfo=tzlocal()).date()
+                          holidays[day] = timedelta(hours = float(hours))
+                      else:
+                          holidays[datetime.strptime(stripped_line, date_format).replace(tzinfo=tzlocal()).date()] = time_per_day
+      except IOError as e:
+          if e.errno != 2:
+              raise e
+
+      pull_forward = dict()
+      
+      start_day = start_date.date()
+      end_day = end_date.date()
+
+      try:
+          with open(f"{config_dir}/pull-forward", 'r') as excused:
+              for line in excused:
+                  stripped_line = line.strip()
+                  if stripped_line:
+                      [hours, date] = stripped_line.split(' ')
+                      constr = date.split(',')
+                      for d in [start_day + timedelta(days = x) for x in range(0, (end_day - start_day).days + 1 + int(timedelta(hours = float(hours)).total_seconds() / 60 * (7 / len(workdays)) * 2))]:
+                          for c in constr:
+                              if c in calendar.day_abbr:
+                                  if not d.strftime('%a') == c: break
+                              elif "--" in c:
+                                  [fromDay,toDay] = c.split('--')
+                                  if fromDay != "":
+                                      fromDay = datetime.strptime(fromDay, date_format).replace(tzinfo=tzlocal()).date()
+                                      if not fromDay <= d: break
+                                  if toDay != "":
+                                      toDay = datetime.strptime(toDay, date_format).replace(tzinfo=tzlocal()).date()
+                                      if not d <= toDay: break
+                              else:
+                                  if not d == datetime.strptime(c, date_format).replace(tzinfo=tzlocal()).date(): break
+                          else:
+                              if d >= end_date.date():
+                                  pull_forward[d] = min(timedelta(hours = float(hours)), time_per_day - (holidays[d] if d in holidays else timedelta())) 
+      except IOError as e:
+          if e.errno != 2:
+              raise e
+
+      days_to_work = dict()
+
+      if pull_forward:
+          end_day = max(end_day, max(list(pull_forward)))
+          
+      for day in [start_day + timedelta(days = x) for x in range(0, (end_day - start_day).days + 1)]:
+          if day.isoweekday() in workdays:
+              time_to_work = time_per_day
+              if day in holidays.keys():
+                time_to_work -= holidays[day]
+              if time_to_work > timedelta():
+                days_to_work[day] = time_to_work
+
+      extra_days_to_work = dict()
+
+      try:
+          with open(f"{config_dir}/days-to-work", 'r') as extra_days_to_work_file:
+              for line in extra_days_to_work_file:
+                  stripped_line = line.strip()
+                  if stripped_line:
+                      splitLine = stripped_line.split(' ')
+                      if len(splitLine) == 2:
+                          [hours, date] = splitLine
+                          day = datetime.strptime(date, date_format).replace(tzinfo=tzlocal()).date()
+                          extra_days_to_work[day] = timedelta(hours = float(hours))
+                      else:
+                          extra_days_to_work[datetime.strptime(stripped_line, date_format).replace(tzinfo=tzlocal()).date()] = time_per_day
+      except IOError as e:
+          if e.errno != 2:
+              raise e
+
+
+      self.is_workday = self.now.date() in days_to_work or self.now.date() in extra_days_to_work
+
+      self.time_worked = timedelta()
+
+      if self.include_running:
+          self.running_entry = api.get_running_clock(self.now)
+
+      if self.running_entry:
+          self.time_worked += self.running_entry
+
+      if self.running_entry and self.include_running and self.force_day_to_work and not (self.now.date() in days_to_work or self.now.date() in extra_days_to_work):
+          extra_days_to_work[self.now.date()] = timedelta()
+
+      self.time_to_work = sum([days_to_work[day] for day in days_to_work.keys() if day <= end_date.date()], timedelta())
+      for day in [d for d in list(pull_forward) if d > end_date.date()]:
+          days_forward = set([d for d in days_to_work.keys() if d >= end_date.date() and d < day and (not d in pull_forward or d == end_date.date())])
+          extra_days_forward = set([d for d in extra_days_to_work.keys() if d >= end_date.date() and d < day and (not d in pull_forward or d == end_date.date())])
+          days_forward = days_forward.union(extra_days_forward)
+
+          extra_day_time_left = timedelta()
+          for extra_day in extra_days_forward:
+              day_time = max(timedelta(), time_per_day - extra_days_to_work[extra_day])
+              extra_day_time_left += day_time
+          extra_day_time = min(extra_day_time_left, pull_forward[day])
+          time_forward = pull_forward[day] - extra_day_time
+          if extra_day_time_left > timedelta():
+            for extra_day in extra_days_forward:
+                day_time = max(timedelta(), time_per_day - extra_days_to_work[extra_day])
+                extra_days_to_work[extra_day] += extra_day_time * (day_time / extra_day_time_left)
+          
+          hours_per_day_forward = time_forward / len(days_forward) if len(days_forward) > 0 else timedelta()
+          days_forward.discard(end_date.date())
+
+          self.time_pulled_forward += time_forward - hours_per_day_forward * len(days_forward)
+
+      if end_date.date() in extra_days_to_work:
+          self.time_pulled_forward += extra_days_to_work[end_date.date()]
+          
+      self.time_to_work += self.time_pulled_forward
+
+      self.time_worked += api.get_billable_hours(start_date, self.now, rounding = config.getboolean('WORKTIME', 'rounding', fallback=True))
+
+def worktime(**args):
+    worktime = Worktime(**args)
+
+    def format_worktime(worktime):
+      def difference_string(difference):
+        total_minutes_difference = round(difference / timedelta(minutes = 1))
+        (hours_difference, minutes_difference) = divmod(abs(total_minutes_difference), 60)
+        sign = '' if total_minutes_difference >= 0 else '-'
+
+        difference_string = f"{sign}"
+        if hours_difference != 0:
+            difference_string += f"{hours_difference}h"
+        if hours_difference == 0 or minutes_difference != 0:
+            difference_string += f"{minutes_difference}m"
+
+        return difference_string
+
+      difference = worktime.time_to_work - worktime.time_worked
+      total_minutes_difference = 5 * ceil(difference / timedelta(minutes = 5))
+
+      if worktime.running_entry and abs(difference) < timedelta(days = 1) and (total_minutes_difference > 0 or abs(worktime.running_entry) >= abs(difference)) :
+          clockout_time = worktime.now + difference
+          clockout_time += (5 - clockout_time.minute % 5) * timedelta(minutes = 1)
+          clockout_time = clockout_time.replace(second = 0, microsecond = 0)
+
+          if total_minutes_difference >= 0:
+            difference_string = difference_string(total_minutes_difference * timedelta(minutes = 1))
+            return "{difference_string}/{clockout_time}".format(difference_string = difference_string, clockout_time = clockout_time.strftime("%H:%M"))
+          else:
+            difference_string = difference_string(abs(total_minutes_difference) * timedelta(minutes = 1))
+            return "{clockout_time}/{difference_string}".format(difference_string = difference_string, clockout_time = clockout_time.strftime("%H:%M"))
+      else:
+          if worktime.running_entry:
+              difference_string = difference_string(abs(total_minutes_difference) * timedelta(minutes = 1))
+              indicator = '↓' if total_minutes_difference >= 0 else '↑' # '\u25b6'
+
+              return f"{indicator}{difference_string}"
+          else:
+              difference_string = difference_string(total_minutes_difference * timedelta(minutes = 1))
+              if worktime.is_workday:
+                  return difference_string
+              else:
+                  return f"({difference_string})"
+
+    if worktime.time_pulled_forward >= timedelta(minutes = 15):
+        worktime_no_pulled_forward = deepcopy(worktime)
+        worktime_no_pulled_forward.time_to_work -= worktime_no_pulled_forward.time_pulled_forward
+        worktime_no_pulled_forward.time_pulled_forward = timedelta()
+
+        difference_string = format_worktime(worktime)
+        difference_string_no_pulled_forward = format_worktime(worktime_no_pulled_forward)
+
+        print(f"{difference_string_no_pulled_forward}…{difference_string}")
+    else:
+        print(format_worktime(worktime))
+
+def time_worked(now, **args):
+    then = now.replace(hour = 0, minute = 0, second = 0, microsecond = 0)
+    if now.time() == time():
+        now = now + timedelta(days = 1)
+
+    then = Worktime(**dict(args, now = then))
+    now = Worktime(**dict(args, now = now))
+
+    worked = now.time_worked - then.time_worked
+
+    if args['do_round']:
+      total_minutes_difference = 5 * ceil(worked / timedelta(minutes = 5))
+      (hours_difference, minutes_difference) = divmod(abs(total_minutes_difference), 60)
+      sign = '' if total_minutes_difference >= 0 else '-'
+
+      difference_string = f"{sign}"
+      if hours_difference != 0:
+        difference_string += f"{hours_difference}h"
+      if hours_difference == 0 or minutes_difference != 0:
+        difference_string += f"{minutes_difference}m"
+
+      print(difference_string)
+    else:
+      print(worked)
+
+def diff(now, **args):
+    now = now.replace(hour = 0, minute = 0, second = 0, microsecond = 0)
+    then = now - timedelta.resolution
+
+    then = Worktime(**dict(args, now = then, include_running = False))
+    now = Worktime(**dict(args, now = now, include_running = False))
+
+    print(now.time_to_work - then.time_to_work)
+
+def holidays(now, **args):
+    config = Worktime.config()
+    date_format = config.get('WORKTIME', 'DateFormat', fallback='%Y-%m-%d')
+
+    table_data = []
+    
+    holidays = Worktime.holidays(now.year)
+    for k, v in holidays.items():
+        kstr = k.strftime(date_format)
+        
+        table_data += [[kstr, v]]
+    print(tabulate(table_data, tablefmt="plain"))
+          
+def main():
+    parser = argparse.ArgumentParser(prog = "worktime", description = 'Track worktime using toggl API')
+    parser.add_argument('--time', dest = 'now', metavar = 'TIME', type = lambda s: datetime.fromisoformat(s).replace(tzinfo=tzlocal()), help = 'Time to calculate status for (default: current time)', default = datetime.now(tzlocal()))
+    parser.add_argument('--no-running', dest = 'include_running', action = 'store_false')
+    parser.add_argument('--no-force-day-to-work', dest = 'force_day_to_work', action = 'store_false')
+    subparsers = parser.add_subparsers(help = 'Subcommands')
+    parser.set_defaults(cmd = worktime)
+    time_worked_parser = subparsers.add_parser('time_worked', aliases = ['time', 'worked', 'today'])
+    time_worked_parser.add_argument('--no-round', dest = 'do_round', action = 'store_false')
+    time_worked_parser.set_defaults(cmd = time_worked)
+    diff_parser = subparsers.add_parser('diff')
+    diff_parser.set_defaults(cmd = diff)
+    holidays_parser = subparsers.add_parser('holidays')
+    holidays_parser.set_defaults(cmd = holidays)
+    args = parser.parse_args()
+
+    args.cmd(**vars(args))
+
+if __name__ == "__main__":
+    sys.exit(main())
diff --git a/system-profiles/core.nix b/system-profiles/core.nix
index c31ba0c4..5b78c0fd 100644
--- a/system-profiles/core.nix
+++ b/system-profiles/core.nix
@@ -44,7 +44,7 @@ in {
     nix = {
       package = pkgs.nixUnstable;
       useSandbox = true;
-      allowedUsers = [ "@wheel" ];
+      allowedUsers = [ "*" ];
       trustedUsers = [ "root" "@wheel" ];
       extraOptions = ''
         experimental-features = nix-command flakes ca-references
diff --git a/system-profiles/default-locale.nix b/system-profiles/default-locale.nix
new file mode 100644
index 00000000..4359bd9a
--- /dev/null
+++ b/system-profiles/default-locale.nix
@@ -0,0 +1,7 @@
+{...}:
+{
+  i18n.defaultLocale = "en_US.UTF-8";
+  console.keyMap = "dvorak-programmer";
+
+  time.timeZone = "Europe/Berlin";
+}
diff --git a/system-profiles/initrd-all-crypto-modules.nix b/system-profiles/initrd-all-crypto-modules.nix
new file mode 100644
index 00000000..ede68e9f
--- /dev/null
+++ b/system-profiles/initrd-all-crypto-modules.nix
@@ -0,0 +1,17 @@
+{ pkgs, config, ...}:
+let
+  moduleList = builtins.fromJSON (builtins.readFile (pkgs.runCommandCC "crypto-modules" { buildInputs = with pkgs; [ jq ]; } ''
+    echo "[]" > $out
+    while IFS= read -r -d $'\0' file; do
+      unpacked=$(basename "''${file}" .xz)
+      xz -cd "''${file}" > "''${unpacked}"
+
+      module=$(readelf -Wp .gnu.linkonce.this_module "''${unpacked}" | sed -rn '/\[\s*[0-9]+\] /{ s/^[^]]*\]\s*//; p; q; }')
+      jq '. + [ $name ]' $out --arg name "''${module}" > out.json && mv out.json $out
+    done < <(find ${config.system.modulesTree}/lib/modules/*/kernel{,/arch/*}/crypto -iname '*.ko.xz' -print0 | sort -z)
+  ''));
+in {
+  boot.initrd.luks.cryptoModules = moduleList ++ [
+    "encrypted_keys"
+  ];
+}
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
new file mode 100644
index 00000000..09ff58f7
--- /dev/null
+++ b/system-profiles/openssh/default.nix
@@ -0,0 +1,41 @@
+{ customUtils, lib, config, hostName, pkgs, ... }:
+{
+  config = {
+    programs.ssh.knownHosts = lib.zipAttrsWith (_name: values: builtins.head values) (lib.mapAttrsToList (name: lib.mapAttrs' (type: value: lib.nameValuePair "${name}-${type}" value)) (customUtils.nixImport { dir = ./known-hosts; }));
+
+    systemd.user.services."ssh-agent".enable = lib.mkForce false; # ssh-agent should be done via home-manager
+
+    services.openssh = lib.mkIf config.services.openssh.enable {
+      hostKeys = [
+        { path = "/etc/ssh/ssh_host_rsa_key";
+          type = "rsa";
+        }
+        { path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+    };
+
+    sops.secrets = lib.mkIf config.services.openssh.enable {
+      ssh_host_rsa_key = {
+          key = "rsa";
+          path = "/etc/ssh/ssh_host_rsa_key";
+          sopsFile = ./host-keys + "/${hostName}.yaml";
+      };
+      ssh_host_ed25519_key = {
+          key = "ed25519";
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          sopsFile = ./host-keys + "/${hostName}.yaml";
+      };
+    };
+
+    environment.etc = lib.mkIf config.services.openssh.enable {
+      "ssh/ssh_host_rsa_key.pub".text = config.services.openssh.knownHosts."${hostName}-rsa".publicKey;
+      "ssh/ssh_host_ed25519_key.pub".text = config.services.openssh.knownHosts."${hostName}-ed25519".publicKey;
+    };
+
+    environment.systemPackages = lib.mkIf config.services.openssh.enable (with pkgs; [
+      rxvt_unicode.terminfo alacritty.terminfo
+    ]);
+  };
+}
diff --git a/system-profiles/openssh/host-keys/sif.yaml b/system-profiles/openssh/host-keys/sif.yaml
new file mode 100644
index 00000000..ddef6dd5
--- /dev/null
+++ b/system-profiles/openssh/host-keys/sif.yaml
@@ -0,0 +1,34 @@
+ed25519: ENC[AES256_GCM,data:R7Ejs0DrCJOtEquvxuPCpwrOvV1xwCRtSMgzt7H6Dbv5z3zp94Ei8WKRPfju9dSz/4etHa1FV+1Zy7pAExWOOLU6qvaj4ZQa1FEMnJH76SN974D0hp2TON1l7QS/uRfopJJ0vnzITeCmeQcvvv0Rdz7ZUmyfPv8e76/k3h7FsGndu4wEkVg1/0a+E2dNST+/cp+l8RjXljYTiVLAByaMNz1XoK6wupef40Ce11zAGSmJS57gCwmc2yyq01sgnwex1TeDi+Pd43dTR/21n7AssqnpZGsSqpC4+RzHnxP3YGHN1dLTjHZ5fWW+zEHJZ/lG2eW4Gful+TnQ3fw2SHCjW/9BxpCjzo8GAByuJEr569fRXXAiDnmLG8GXGCpQDgSpjdkL4bFEDs0Uss3ydJEmwL3DaNkr/SHUyovwE2k5KnfIt6v0uEH+HsDSPRQpVoOgn7q3GgDmqwADfGt8MStdFVo3el/s6Rs+Q6r/ukYYu+Mon7Akv7HPGAnHDBSGOPBwy/a5Di3AA0TH/CHCmNdv,iv:HD2JAEUDz5BvZDOMAxb83UjoGZBewdePfSktD5Vh7qw=,tag:CIcXaGYLFeJrp+AU3dpStQ==,type:str]
+rsa: ENC[AES256_GCM,data:48rCmH0Id6ACaz4oGNfb72sIhfP5P8flVU4DniyTnRbaS98CIg9B3Utj7kZQYwFOOT/esQY7o/82udh8vW2j3D5eF6HfJPZa6ata5SV5b0HIZd+HMNEz2eo4FQ+ev5JWRA0I0FlYMYM/3+w855d2qolHc+voQf/+g4edlU460hx9rbhyn4injrGFdK/AxCNUwB1YXSB+UzRAV3p3U6IXd4ULQydWjJnm5lePZdBEa2q5ZKggFUVoF59fCrKPuxoRuiQTFB9UX2cRxS/MDp70m76NuxP93wGNFRfqWsVxZW7d5WH42ifLYTpIdnB0nRV4VcYdZbVxSTH2/CdRTrQ+BXut4pEsrxq91k6H3EM1FhYYDYTO+fOoKhpe/uidBTuqf3m2A7pM4zdZoTfT/0dcOxIDbtDl+2xfZEiXwXPEsoPAzLcnA23CasY0rc3I+xFgI2yIa+DFUXTiwOuqMbTRooacYVGWa5UsYO0JztizNNgp+GApxBu5fco3J2TVVBIaOpoeRZsX3BlT/8NdR3DBw00ERdj3UVBOUCNV9s++3BfnQgXDdSk/FJ0otrgXQgYxiUN6jbldP+vxt/b4S+tALu7iVApjS0UHP76zvnYotcW57UCX0Gpf9zJc2jPjxGmtIkenVSNB9ZufRg0zvGQ1qN6Ct3j/U2Ka/mfs5AE8PXYC6wFxqlOB5P5OdmVXF9srtnTirgeWbsA4Jeg+OvwAq9DbIvKDDHk0miVMu7JRsPsuCpGjgA1hHHunqFJ6vwKwKvF9k1kCmd61Kgj5MuF4BDnfRC4V22g84eO0ojJH2vU8vzjF9k5MA5zznGYgojZAtQnCXcC3k9CFbPjJE8fqk4fJ3kKoZZy+M3d4rn7JY4HZfjVs2iHZtQv7CskAi9JSULPCEirRsMnzm7jvKVUm0viS4E8dWeUoEDtMnZ1PU/IeWxlJua9hkzWmH3HqigmUq22SBTVJeb24KXyLJcvaeOsoQMOwmdJm7VUYqM8h9L8iomFf1bbExgfmhN20ACCs39sgW6wrW3ODmW85BiC/QkdApxEk65fjL+T23fN1KbXf9la/xz2FCXGUdgKMjUc+HdCtOB7VgvIehfRKodgq4l9E0zIkukT+4RdHiEA0GVga9sesLsLVtgM0UzBca7Sx9NSxEjRNrOxABohu30WPaFHoIOGg+szpD3GOGI4EpmwPK3NEjfG/RTG0ncTf910Shr9OTO69DUcoN9RVR/j6Kq7+WG9G9KxiSn2Qa0F5KFj+Pq5oIPIvGR4YkMPAvlWvvXtfTwweLr8OsNpd716WKap75iykjleeE7qGWPiFtyaiBn98VzZ9e85I8gPVCZcDTtMNXxATYDd1q0yzKV87dOL2SuzC1a2t8htb3lQuugemSfXcoLlYTdZloCClb63oLbLkDtmfd3WCpUFFlYSIxbnamixqdeLeiSL7FwkF/QpUhw0ILm+EQrZGiQ+JcOyPiiJQTDmtcAS6LbprHmapMeQCMtP3/Jk6WdfN5Jhj0x7feVJfATIoLPx0aqox7ekbU4aSzZ/8qjxlMqBcsHUEKfKCoZdVOwuklEKPhPJzGAyom/FNIVrU4EjSxcPtotMP/munJ1BWHFL5UJWPoTAZHz3Ywt50e9Fpwz9coo5NbPhRtFqVs4bOeFqJb1kq6/gPMY7J57+QSetcbBJvwVzCBsQSHoUHgvnIn7kAwM8QbfpilKZd5McL6AiGUtQbAgalXtptnnI/U59IJ8ILkdffQioM0PmzXRdTcSpe6pS6M60stQPwFE4Z9+LHr5LBuuM34YkCq1jd4EMWti+KbEFzipvdAfCYLVdacCqPXzEg3mZ00A/xCXkKk4GDpOIbC3u2T6d5UyIY6b5aX1ZJEbTa1ndVU41+Rt5z0x8tuJkqNVRK8VJ2aVqc8t+o7Ga9IRV9YcIPtDWYcVRt6zTz+DqFEmTRrnBO0AwXdT+eGrMn6X3Nj+DIjPf2B5Nve/98PyRZDRlXkcAKe5FLrVqh1d888MX7pfH+BK8I4kmFokqitxKMw63aeakjpotgN1jUdMtZR9weo6pp4TCStQwlRA41fMLgjxiiZquiajxz1zTlYKr2CVpaw6fDLkBvUw44+ZNHHn75O1/lCuT6MmK9Bu1TwsNsNd4JQSpeY0KHF6VZM0EaS3rIsnZz61X02fdpmo6Nw0mFtB4AidghSI1l+tKVVMnYJqB48eU0w+PHhdkWsi6F3Agp4L4043tWr1o4+WGBnOnx0/rNUEEu30Dtwsty0V87k1c5GRo8PKnzSHtis+QaDOL+xSIVMhsFOcuLV+VhVm84NWjgpKcCb++NInR2BbAwNRBArdIaOfQVw/HlkfnAJNWmOr6y8db1PEPNQVPVflb8bfMsZjZpBy6w1JN2Y15ZL7L0tltyUyDomT3IfMURpIW6OoyaIQS+T6NAkqq0bOllnkRnBziTNae57zl/iNg4AlWtq0NRSed0ls7Dr3yYe5Y+JvGmuW+HEA1r1/Yp9ZYQrhAc6qmAZU4+XuOgANr/4tRFA2091M05+Ow0QMquZr5odLlSyVxDU+5P/+lxb4U2ltLg/lcDeTT7qJZt3vqNVRaWg+864uUO5GFtq56x+egmYpXrgGtIRjABA6oxEHRH8RENeVMIpriv0KQ0WrGvlCnZYOMkydN1YBIX9B5gXZQBDzN3POKyo7KiBtcyMi+iOkH15AaB6G5yZymckAsfVzA/VPi/M115vjOtcqK/yyYbKpzF5ZybRlDlwsWww8aymN5i9b6q0ZI1iQoV/8P8lnal1ziYABr1s30ZqYByZ3PS1OIg6Qc/UtFT8C0OhtBPtwPEy/Xalvtqhl8/9y4Yuv6D5MNCwbL5oQ2JafEaFCOslGklg0ORCwgF+Ho5ZcZPB1tK2c424wde+KBDrBDfDrrCrYoxpeuvpFoRyy0DF3xh+25OkBfxb7+VXQxn3wXDBR7Yr1tuBLQUlbiZ0d4uPj9Pw7RA4UQTMXCRfmUiHP2nTdCbBg41M/5Cx6xaOzXJPOrkvsCZnXvNpc7+nkynsHYMqOuuWuuedh4WMU7YEPZt4CasJ5iofrhjzJNI5G5+rTMwaLTNA5AM2hi9DPqvFOaRUv/noYlTxtBT3LzUfgprPYnCKQd4j+6wO/bfbrlQq8WFH+RwFw4W0eMTJRFYFF2ctX0HOi9TOyTTHh/4l/mzTi4OaeFi5GsboDeczeh4acQCt5IjJih4qRnB7fdQy7PF8ccNuGvKWpN2mnDZJnoCrjbX8ihwzePzYPkUQ/ZKUI4KWVuixiis8b+CH0p92/dSOzGvP2MeQVMwRMpqk2EZdj3oE/gYG7RvfgM12N5ZLAUACczbwS17rquSwgznojewY+g/8oTolY81w4P/hPqX6FhWVeeZZaBJVKVDJSm4Aqp67FSYtoOHkEsOROtqklA7JVourGOgU6DfHlaSGGU6khAPv0smaYgi7+8tztNHoaaGSrtWU5+fxEzfD+NrOLm6Wz+ZZNvxWMMwrwkdeYqSc1tJACNo6CDtN/Tx+ZZCVVE+O+Qi5HFHx13c/ChQhRVMCha0VS8sYMokcZ5H2FLFLApOpwYLLFAiNwWr18PxRf3830xRwSM5bbASl9XLz2xxrbzpApDz5EDvvWJ/lPqnxYxVKCY9cEmDLuRtpEezTUpC8t6LqxhkqCTGiHjto668Mx8OTCDI8ys/D2qOFojbDyYIzl3l+AiVucXHXUrOkPJhhiOufiR6rks5UYqC6Mffb14e8JAY4IGsszmPqVY0hFS9AWp/aHuQ61stnMmhNxUw11fCDuUd4R+NvQlWSmN4Nyv0JmC6rHaa+Y/FEIQTCmFRiutTX+0nLPwJYKx+oQYklRDZ1DLtqMcF7PPUZGSFnZGGLN6UxoDhmrwz6NYwn+bBViL6iWFIgLbpRme/3TFBplDVIDUsSmbqsiysOmtzjw3y4YgiYmlZoEc//WK109KVrQUDSKKpjCMki6wsJ+27v5rlvhyBrG8QMUqWtTTB7Xu63iRrlASXcLk8Y99ehrxw/R3bjyXu5jHe0sowoKATerpiukBIOBTzPyFWQp/8MG6wWTzDM+HyGrAoCnkC3RanF56ldyqBzbqMbBIOx+fRWWuUl27YTwWLaPoZbO/+kgwzmguUj+bfqxExa4OTiMamLoZQh3LfIIJhQMd6MR1SDpRNg6D4YI7ftzrgQIe/CjjlWAfzkgeaPLx7Qeer0Te7wdJymWnQs5NBNAdWGcBgAS7/h4JZPBaqvd8KYPl2cg0Mv9k6+ogExv8YAz25rRPaJB1pKbhB5bkNIBRbUzCUhD3nk5uumvgKS0p6qn8hcD1CqEPt+ZH2CemlP5wjt9aHxplVZgG5vFZX0SREGDTSKwQoUbig1cHmRMOkO7vgS3B8eB7/J1UK3QeQe6roQSM80kbcLYH2flUmqQluGO1ZZDUttlp0ACP2lwlaBysp4X3KYPIwiHf1mXH/EQqgt305FNiKynDV6or7VWYQe5CXvTGg,iv:X57Ayvq6r0m1SGeVrBH8WCZ7TihobLLhy7spX4NIly8=,tag:caDTP5SwuWJAWGpwr9x0eQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    lastmodified: '2021-01-02T19:05:26Z'
+    mac: ENC[AES256_GCM,data:yJGzs0W0R+b6WPkUaQc9cxeTBBEXot0ffUAG77Of88kREFsD5ams9qEDCs8LhPhMtLSH5L8bqMLF28n2w6d9gf41NDBl/oj+XTJE26c4D+MWF2A0fqTvwv1l3524TfavVU8iur0bCbytNfcHSZ3zCQAYElswOGupO+K0Y3hwKKI=,iv:jHSgQV6Jg2Yckp8G0Z23Ny74ZQxZ/+C/neXKrEWUVak=,tag:DhOr2cVhIq8i4JAO+fdXxA==,type:str]
+    pgp:
+    -   created_at: '2021-01-02T19:04:29Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dgwm4NZSaLAcSAQdArkswGx9w0Rbfp1N89qALAbPMhboirsnlNvms/FomXiUw
+            taW9n4oEJ5oW2UYzNNn72SwF1jYbrqczAbxt3dM9PSz1gHFoh+ZJhGokVFJvJ7sO
+            0l4BEOkWmL/9uyOiCq574nH6OxxTPu9C4GNU8lv/Z/qJ+oAocJkGknsIJzd8M5ax
+            Fo/HqAGGfvnH3RI5FO3tTxfAKlfxlO2MJ2lsCypJuez5WewPnaTPjTbogjhzG2aQ
+            =HXLp
+            -----END PGP MESSAGE-----
+        fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+    -   created_at: '2021-01-02T19:04:29Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdAUSTwFAciB+Yh2IieFoN/xmQd+GU/g+cuKej6cZk78TUw
+            ETM8c1TSovML5q9usUX0pl/AbRBwp2In47RMkTn4Mul1XxJuXhgCnrc5swwYrS+h
+            0l4BOxJ3bF/yYyKfGrmc/mNe51sdHH+fgQ9IXaQhcopw4kyZqvBXhJF/oP/mhnOL
+            VMhsfg50ol1XmXVefyo5JPedbzABm3vRZv9U+/zvKNJxIro2hWchd5CxvzN4l/MR
+            =30r5
+            -----END PGP MESSAGE-----
+        fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+    unencrypted_suffix: _unencrypted
+    version: 3.6.1
diff --git a/system-profiles/openssh/host-keys/surtr.yaml b/system-profiles/openssh/host-keys/surtr.yaml
new file mode 100644
index 00000000..d31fda3c
--- /dev/null
+++ b/system-profiles/openssh/host-keys/surtr.yaml
@@ -0,0 +1,37 @@
+dsa: ENC[AES256_GCM,data:+2nv7zqZ47EhQnZ5x8no5J/0r1iWgmSxBMkiYig18JgdZa77lj9y05EubUlELJlGcqcQMD97xFKQdU9BRMGn2Bq0IeK3nBoENkDEp7ksmn6c+hh2GVCDDk5sQnNl1yQB0bo7TEHRddJe+xbAWZ2LGFRyc+ApBWCtqBnQ12+58dY2VarcogT0tNPaga76Mz6K31V6g9PAhiEL9hFl8F3p/ptgsdIArX6xI6+g/tRkE056EuPsqiAXbMagm2dBQOEUiicUEqpgMvnLhlre3FkRWWotrGtGsB0Sum4BY1mrTxaXJf/J5kt4DrPconjooSkzQPImTPtO1cXIHmmAWiQIOJ6xon3dXB2pq4KpWs4wVZ1a2OMXrgAkUCDsYwNQiyv85YREaMvo7J1nfbrP2VRRdPcP3XgbwXkcqzt0r9LYq17bYHxJmhrP9Si7wCwBkCkGxgyLhMTmXQjKairqRqM+5lnHa44bQ2AhMmq4iKCkSJo7fUXOdDNX0n61PFJSOT/UVsHiVDlqcpcSm/GcARcObdVWmXvjw81pmMTjMlAmLupU5yPiWTZr5lMTG42hDO1Yjq9fuA6tN+Op9duVaWc6YiA7qDSTEpGtGmb4wObAgelCfuUTTo+Wp77lqTAeL2eGfuSAKDMb6z3NfCpSpgvJMWhGJtqJfKd2Cu87P06UUgmnyyjVazVTUWmT/ALX6rosUmGChbx5SSQ8tin/jQdIoq4Qs3hR+7AtBil7DF9fpUfHy8OmP/BKbgihuZa1+n9fyiLnw4QfKGFWmmoh06upSrAu3fYofVe1iYuZUUTP/NNUxn/JxbYn2OrQ9PY7GVcFdRBtyU+R8aQ/bawlcwnaIIQOA04iip1P5tgQ8CWCzuHFyP+d9Eun9oD6wPvSoNWXAftochNU6Ol8MQ8ESe22hrO19TrirgxEGwOTVFVLIV1kLlRZ+eCcY3HI/Mq9hnu9KndrMcLsPnjPyzsPo/CmeIOxryT1lY+LKU2mJT0pLq4j1Mt3QrjOuruM4fSYrS5DdDWTXP1Gk5GiULyd12RQFQVznRlYMy6BcSUmRgTWezX+o0dt18aJGNsm0UpS3yjL8BQpatpxq8LxCp9pNhuIyfF3HyjyNeTX1be60XmblYPr+w6OK8sV83p7TTGYVe9xzp0HC87+SBRTWN6SUCkmVrdhzbEBaDZG1a5Ldvar1QbAZF8riUMHnGarh2ZX6Gv2acsnMV5qb8t/HlK3rCKtYk27ok8ENFQqNIpMvVtoxKNPLNBRMNz8KG77fSnYoGmDFVlY82mrDBqvfbHbZgd3wb6WO3xu0KYY8Vc+ymcFromXBxYOhliNAHxYWNRJPfbXEqGRmA2/P5H0yWPdqL29JLX7SeW6+xzWUY5LWDSHBd2qTl8FdWIddAl8jBs2IiNUIGAUayNLNCSjgbVXOsdk8Hx9aQs5RmwFzXX+jBCeYRXdkN5HLFP8o+9hkWbBv4vIRrJxrRvRAVEoP55ZLhFZakrQ52NQwA2Z2SlFnMgSbs9jzDuMRjhX6kkuiE4DdbCkEfkhaqWDY46PGpfhNJ1LTWJZjTLuwvSwb6toyhEzRdpZGHX9ZCGR39h8GtLD/NVvYx4+8rgvWEah8Aizh5PtmjxJD03dQBuFSpnniuxYyEzRiQPK0QcvDerBRzUFC45CCBOdvbf2EcaQygkRCyoAC4hQ5KE/0sWKlotg0zOtwh3Yd+yts4AA4Hmf8Mx3i4hTlG90hVccdPULr9M613V9VmD95+Vz1ugxM5QwTvMvqNh4WI86hX4RfpgulxVYrQOAKZjgTlGnUNu3wZK7X8P9PGOCt/QkfXIXMA==,iv:+x4eD9lw/b2GvLV8Wsp+UZY+lqCN1oknXCbTGwnQNqU=,tag:pU67QbCxEmUc/mT1gzTTsQ==,type:str]
+ecdsa: ENC[AES256_GCM,data:obC22x4LSu8YAbqioGx+6SMggFZyT5SDLN+XyOyoTP9OxP8OV73yWp4G36jJqxri9uRtdZbhy+sMXwNEErvN4p9H3pPv0H9KiqJf3Lbs/7pqGT5xbWD4f5A9BcXVwi7qk9XQIDtLfyL6YsQnyOFRO2/bWKY/CpvZOxhyRCkt3s4PsuTRRNvPfmuGbH4OgKDB8aIzNtracLpYakQtg9hI9izQetE4rf758QR6E76C4h5/J7SBzzPh2TfDYesVjjM8PwR7elN8ee8bfpQLKhyqA+FGSInLWrPho+7vBVLC2IYHOShbCXX19XXp9w/vefFGdBIKE7yEaKpCIavW4g1ZVt3UJJC9th/yVUDMpwp7/L72qgwgH7/tO4X5fT6NhUnhJA7xl+eiqe5/SpVCJwyYduTZHAlLlMAM4moF134vj3clsDb2fkV1AoZYeUtxCmbKVDy9lD12FqJ+mfTJ+bc3SZTCBR1ZeBMu/6u/xNzl3TLTfuJ5bW9VFa7vCy48di9mtcr5BhEU7u4C9T7RzoVNDjstxyoc5grqX4Q7GPOcmghV21QE49nsvdQTUxQejtZ/83lY5h/7nhzfd12mHR99cZhiZdwdJZoK8XKWwgjkXLXQF353+KShgFNmBs/8SyqAjNP66wUPO+YW/S7c7HoDiPIN9n/Za4erCg==,iv:agx+d66Pv5KOqzuzQFLMiywyh3REDzXrGW/F6lAm9tE=,tag:ozfiD2P6knpu+QQpSo+GCg==,type:str]
+ed25519: ENC[AES256_GCM,data:oFbZx5F797BF/lmKgfdX6ByB2/wBe8gfzJ2gc6m56vgBKFVIs1aIaOFHcUkeJ5wGfSVTZ4C6zv8bTPouIEDSEkFXT9rUXXUbnQ4tCw7BtpfJv40uZWEror5L8vLGzDV5kBs3TaD96ceAdzIF4psQpsyLhhJTtM8h6tJOs5JpDIG3BMXzVkaSAUCsYLIK9iqkyhVCDidqUm+A9Tke6NP5Oqq90n5q7hamPPwpzMFAFl6z5rf6jH3KTSOk+X98VT6vuInuoKc4ODLfGx1AQPJou4GGEOuFkbmsyA7CPZgNsgfnn13nR3CBqiioyzUJwBww3HAfyA2+ZvXhT4fQwAyM/o72F1gpL+LyPzHKPw4IR7f5+WGgoJjs/ORCvPbPG9jpkFEXKOUEgNFO881eIFizBYHvGc7zQS0rD5SspzSqETJ7zRqeB5EpANvZ2Fpv4adJKHZ/o0McMjr9meAxtV6Iunp2EG8tT1/QvuZZ+dFB1Uitpwt2fpd5iFX0uTeSB3gMPgWz3fvx207Bp/SprQdO,iv:vNu2tRvwkBUdgVSnkPli8NMlXNKfbrnf+MsPbnrDF58=,tag:oWYTDKymFM8YRSXwKdc5wg==,type:str]
+rsa: ENC[AES256_GCM,data:RBq1mV5XP4J7ETvRI/BLi1+MwqowUflN12h5T8csVejTLVjNDb03TbPMyH0mACPFK5fNDO+9vQ9HC6riIOiSZkXCjwkP//HdF8XqfAg4GrB+Y21fALDF4+Hmux/SrdJfL+JQ4iKWc1zI/bXZOX686/gdDC/dBFLbBD2Tc+n2yqRY6qDAqHZev7epAUtF0w5DTU+Oyt1tcuP73U+oqNs1C8o8zlKAfOgfSAS03sA0WDJJDWCwlnqAnP/Oh4MmUxAobi5afrJLLnmotCsvBCWN8a+zjR5PanGXINv8O1Fhi/ehKauM51zL7IZfKpjZxHS3IzjcTsGKJKP3QE6e8tYojKAPmZac/xcmsDTG/qZC4z7Tp0u6haENbZo+5kK8QyWLZr7b0yUqIYq4s7Y1/dMv3VO+EdmEKfVugg+W2+J9YsZNEkOuAptfKgM3eklry5YrkUVPy8U2nNyahVPzZExfFmjGGmKhdita8SLpD6s+ang0D5GIU8QmfAcrEqIqsCWn202BTdb77NMsfziTmRsJxdTtB5ZmeQL611uL2GI06Th6WqN96I+7eh0hze5TySaDRasKpnqWKnfg0UcoPaw8qW39CXWlZ1sqjlJP82lDs1rKkAeBDcB6YU+mtQnpfSPdGMOHnMNJ97tY4JhdJW4QCqR5Lr/m2aKxOwoc+BQqT4lSymBqPkolDYrBS+pHMHF6MS8TPsdBHt/6bFEiCzXBEmDe/Hx3eNVuT/YQJSBJzF9g98X0/79fkBMi+yI857d/a93cGzddQ1jLjS1yT6Qr+eegozNfeJPzdOSYbIh2xaYZ4MjUiO0LQr44DXOCA+y2viOpi44EvLqqqqDWHf5bcLfljVVF2bgzS54MThC0qlllNDaFpDSUdDQbVYgu8V2D8yCW/WuS+FPtvqIcSL3ZVsE1KgLplIXOdAOlw7YTisjOaXU1uwJNBYfxWlNjiiV/BtJ8rs53i9uPJN5oZ3cRh14mjAoJAhajamN3+xaXo85clthH9B3qSacduzsinsKiy4gL00Fi2WY3MKKbjaWL/JuELqvD37EibQ7HXffWPTBzc7zILRBetW57w44vMCX3kr0ESGzdtfVLsb7/WY937LACkkFIs7puWcgBJVwhAAEvTeOl11ynPKGDEjHah1wTNvWlpe6v4ko3zwNJOVp3lk9M0fwrNbS1jz4HKU+NGPrZS1/nOUd3YjJXCXzJTcq7hhhsBQYOw8+CT3EeWPURj0L0Ddo/a7MZgdTnN325iPqGErDx0F6UkAR8KcyT2M7AWqF0XRYsGDRs99siRF2aQ8UTq2IX5NE8lLG/QtyPrvVTV/tOX285Jt9C5yRufbNcGKUrXPB+SQM2eH0ip6QTvZ+CYfbGO2VIR7RISTUHKKNPMEMGOz5ZQaPc+8qMfFP7+1lz+fkZ7n+ZSVj9GI/GkbDHNERBos7JBSeG3hvVgraGKeanmHerRxlX42GEF8cQvMEjrCGp+PZPMcEmM7c5/5yJ0iYNyk3ES8LP2ax0XoGpWPxA67WNdzNiDd2JSLwHytxaPf3U5FO5rWLj4byrjDRoOZs0maIsVkEkABcCEyN7t20WzhBmnrx8fkrULXgeIcbQjFcL1x6UW2FS1AUWnHu23XoFxFu4HHIPYZdL70DdsoJr5MS0oZ92oBhaQAXE8nP3RLIMm8yZTqnYuTNzXo3ap9iXyFX+Srp4UvVPyHj8hO3LsXeX6TDQL5R93VMtv9EMQVksSLJU+kLeoKqkMivSAEtD9Zt/GYQdXoXjInY7NpDCha9NBSg+5N2vtVeojI7q/g6Oimq+uT2dRB+62lOd635xgnMRTlwwwkdNI9t1vLcuGStnzWMzYAQhf+TS3LPx7+JGeR8/TXMSoegFf+64hXFJRnxLJTjpfHAJkk0pQ02XAWObab6GVLj8uDcra9cDAKKDftVRX7gOC0k+Vt7vWxkfVPYb8F0EMa2MVm/qYUzcxtnCrxYljtzqXU4UDgw7jUb1yxzI1scU04MaQknfQammw0Lk+ICPEdEX2sJGiG9zH4acCdyqW77QL3tJouCaKPdd6cVq20cyfgjNYT6zbkdlmXTz960Nx9zT4mmk6ngoYwvR1g4nub6Fgo6JDA3AIU7e+uxbO83+I+0jmyOePqkbbJs3igIGekm4M5nl5MhnFyEOr0UrcEKqgp/suRZf/As4UqOHf2NAjP2CMtnHwB8Ug40j5blU/s38ILfdD/Vd87gwZFpx5QCsJjVC+ucuINl4V5WbRBkbIID6ZrLGXoVzYYVqY6oNAF93fl2xCSZykdkVdBaJvSbpz8wbzimjV7nUL2Bxu+sJN7809DTpgwyGutQJ4f9CgpAb0+g2TCGdvbvB+Uh5H62iQaZDsaD8guusrIEkxjW83V/38DYaWe/Wh3CTfTqRqgDxql22n6a33qlU+k0F/het07ZhqtQ8bwL8QATDYg9zxCfRgr4YiMFQ1evS1qCOF8KWnRa2ApOO0qPJJ49DxJeFMD29pXhmxtrBPJelSeZqDUYVx8Ns0n72hh6FxBkRItntU6HGAtC+aZCi3h5HnUKyRTb63tJwm7OGkVltP5QaFT0nE1Tv2FdQSKFcLvnMCcx+P9VJ0dPXShbCv6JMdxQuqRIR3RRI5D6cv4O4HZKxtMuiZmsZySRFbSG033TGDEJKShlT5CleowW+21dHZeAWGLR9d/ScRE2i1Z69O4SgoZPyDpwHTb5jB+47oh0HNvUIvskyHfp57HkcUCmszZHf4wPblUjr33hCpk0k48mQfVEjekdRxojE7FTbDIERFZPb6tMDuUnhM7p7CE96A2ka0/renFPA8czLGOTltyxQmaCc0ZOV4nlUJ0m6L5dcXSPjpfm81y23GJJVy0DCY0tZ5YKT2C+5EEhL1gx0pWZ7Tf844FmwCfXaUIkxNkAKV4c/hBlvdAev6unXUj6LdsHEg8GqlV3KCAeG0wG9CnspmUnSrgNDSfa3AkFjTKXzLtLXa+FYTq8GNEyvrMQq/cWrHNU6kDr6Q+CH86U8J7kVepwbSTi49TvTxgkY8DiOlufv7EPa6CmgEYGNybMWhvdZ+rghVyp7botR30Wab/T7eHnUd+0CQHKaQmJ/eHBxIfJToQrchyXTM+VrehI7EQqn2HzeuSt5SneMtgNS71p+jgdrAO7w1LhJy7TDutGGPsW5ln5aT509OhwSUF5ZzJTTVytwb0QsBeGq+2DyrGwxQoaBOgXOFyI4Slryeb1+BC2ednybYRpve75cWUJ1RBxq9TrD8HSesOUE4tTH0DLhe211NLDCSzQ8wk4jVaPr+us4YKEAiBjL6TSWMg3ZdHDIcQVO4o8iXSlM4mDpRU56JODuQLJtBAMVPDkj1Ybj18qIhJ1ZO5YZmUfTQPXtv9heGRQI4MB00RmF8VTXafyqu07DY3bM2RPj9r/1ygEXq2sNXFQ2v2Q0Hai+sl9xU8djdvL8zhTNUWHyewhYnA==,iv:aSdbpsJoDerPqWTSWp0bQIcLChCzeoeGSTKEzvfzafo=,tag:LeOxrwyXdJyj7M0FRn25QQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-05-15T13:05:09Z"
+    mac: ENC[AES256_GCM,data:ATdT6u3dMOgaBVg7cS5tpaA0fyoQdlW/jSzwPjm1mi7j5rNkilIiqIR+C159MrI5eeApkyOpzQP2lIAlANjbO+TlO2YIYd0Ue8pdoEZGQvDyWv3AARLfdlaPzFAGAnBnjihVmKp2kQjfmcSJkASBQM8e89R1PsAKGhH5xS5b0zM=,iv:UyMsuxYWVs/Q9/HTfPtjDNf+tUOHSAqA3klFt7yewYQ=,tag:Vu8xY4NVdw6MvjDWZwiO4A==,type:str]
+    pgp:
+        - created_at: "2021-05-15T13:03:47Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DXxoViZlp6dISAQdAr0a9IJdY95UvcmMkCS73pQZVdjqHnVTTcpCXYuqkmiYw
+            rTIqyEsqpoSrkR57LBNX98ix99H/hvj6x8+dsv+K/nJQ9Jjs921UW2HJ8hPMD44Q
+            0l4B2MyG+We3OClbt8BJmDo38/+/k9zSBdW2zbYEr4zhG7SCw0BryrPJwGAW54KT
+            1fdnNwzN5jdFRObhkq8I725IaU4d7GYrpVebw29HP2fd0Uf+62iBToraRJNj3sxL
+            =JRkx
+            -----END PGP MESSAGE-----
+          fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+        - created_at: "2021-05-15T13:03:47Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DyFKFNkTVG5oSAQdAINIHQVygfLGVo2gdlKCoojmD5layNM6K/QlQR/CsaTsw
+            SY+3psZUwnwwe7QRnt2gHSOUgYrG6/nhiCAfxoZBQZ6zm+v0IUdbRKEJhhGJnHfV
+            0l4BUMxGLYHapIPjzTUwYQv9rF30zO7pJ3vU+4zkReNOcPzENLGX1uZu/1aULOcO
+            F33lTLP2B9B7pjvPoetJiuds3jO7JZrN3mFhIf7MTZyg5dMBbDSnUMJ6NIW+ug5F
+            =SAFL
+            -----END PGP MESSAGE-----
+          fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1
diff --git a/system-profiles/openssh/known-hosts/sif.nix b/system-profiles/openssh/known-hosts/sif.nix
new file mode 100644
index 00000000..8326d389
--- /dev/null
+++ b/system-profiles/openssh/known-hosts/sif.nix
@@ -0,0 +1,16 @@
+let
+  hostNames = ["sif.asgard.yggdrasil" "sif.faraday.asgard.yggdrasil" "sif.midgard.yggdrasil"];
+in {
+  rsa = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCeFqJep1CuWakcoiAkz4bSaHbAIwM89Er46o3KUpjCWGTmDmhJyBiG38pupcctH0awwElkX09GsNx230mTtjT6qcxN+vGsGMJIqFD+/7ZobSLJDHYCo6Jx23jZUjg1SqxYjwB5ooWGI61Vh6SaOy8WRrUn0q8rJyd9SEC+3tJlKO5QqRi/Vnwzj47m+YjGz2UlqJ9a4GeRh1O5SiGx5jd4a/VoeK1XJcW94XeWpPQdUGnVYUXZn9cwYVrogmXdr18ImnPxghsQg4xwS2A6KMjUw9m56XkqIq7vTslmL9JaYcjlSCHbsSVq9+Wu1oKxoyndN7Sim7SkAZwHFUEMBNlontBitgYl6z10VdKX739os6h07uXjGEs+mPk4/CkGZhvhnErV2T9FO+65jnU3mZkeX5tfJHqJ8PnDch2JD6O7+Mjpce4zs/x3mwH36peER6iiIBYGlSF0AlUDShdqj+fPWFu6gZ9piOAZ2L3YXDA0ulM6pL69SbulrUNOwtTy6LkBfKDwpaQK1KO1VOYBaKa7s+krOJXW18k+tpfo4aKSeTuwvykMPndKMKvxcsxNymkGo2AzLw017Qgshzv9rRbLNMBFd85S3krakGyBVL0HAVrAdkjvsWqj5FnHAjgBc1AZnZPbJu3g9/wm7k8rPMV0jxKMpW+zxjVFYDhFUWYp9w==
+    '';
+  };
+  ed25519 = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfiwlzGcNQjamtIwv7fmXnddjajraeovaM6gRNui1+v
+    '';
+  };
+}
diff --git a/system-profiles/openssh/known-hosts/surtr.nix b/system-profiles/openssh/known-hosts/surtr.nix
new file mode 100644
index 00000000..8d227b44
--- /dev/null
+++ b/system-profiles/openssh/known-hosts/surtr.nix
@@ -0,0 +1,28 @@
+let
+  hostNames = ["surtr.muspelheim.yggdrasil" "surtr.yggdrasil.li"];
+in {
+  dsa = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-dss AAAAB3NzaC1kc3MAAACBAIgY3WWK/yD1QzQMako4FDkD22YODiCA/d7Ga14xpx7ujSPQJ0PqFd1aTPhrEZdy6pMnL82chGJD/oeurAacBxeuUouKvr10vtpaDJpcvqr/9m4zsx0OSeHl9M5PuSumjEXL/bsF/QSeo9Vp8uznLgHP/oglP8OI4Qsdh/0wisK1AAAAFQD04cH0JaWgJEUePcuYd02KW7t4aQAAAIBkFCGDPkJedRdJRy+l2OW6H7XdCQnA814cWOGaUItw5IVWz6KlVGPlETrBtRJhrgiwApy1Sk2rHxmuHCirAFS6FCZ5ct5wHKV2L/1CDphJzsYql9hUBTgevEpuAg9Kn1WjtcV+t+3LO9URD64BKHzpvtM2I5hAU4Zu6G2OV150MQAAAIB7B3lRZBxkDfb5x4cjitzFXN3FUzBcl0SD6/TJ+TH2lbTONMIXdT9zHw5BfEz3ObcScxCT2g99bvkxDwPNFRAorLAlEhCYB2zUV5QnJd8ZpIB3AFbokUxq+Q8fs5tU16Wv9TQ4oYmY3m9UAEqVz6ph562Ss+axO9qfSlNZX8feGA==
+    '';
+  };
+  ecdsa = {
+    inherit hostNames;
+    publicKey = ''
+      ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKLjbW8GWc7dF8HD8QrFZpZJop2xvFgvZnYfIl/slFASvphD6MBOHq3jx0+Tuk51xd4mvByTwoh8eokLZJidkZQ=
+    '';
+  };
+  ed25519 = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2LOAbV3XuAqJpXVY+YUnLIbhRsmAUmVQT3MioXGGgj
+    '';
+  };
+  rsa = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClFn6IDsDjuLXpThBtrRj+HLkNAwuBc4BgNqqIXkSRXy1FhDVgdI2iXKnJJLT/MWBMz73+QEYI+nDV6cxMCu292sZal+EAkyXJG6gQ9/rboucTuMWosrifAYabY4jUY79vYOiQGHG3XMIVjTQE8dRoXASzPKcok7PHftuW2qUu6ti7s3tqxY89Ez0cUz7jIECR7zHpIHZQbPd7z9luWOwZZc/eUGGWSxxz6idSPi/Adjk4FS56kIBk/uq9bZ8ylE/nwuJFUV90GzIr2nIQAcg6UVjYkw22+tA8BKzkS5Kx9ur7jVAhgs1qavKGnkYBuE4MvfjDzrkxRtlIPOjUQ3uuqYXkkkdMCooDl6+oKvN8dug6+cMdXn3/Q63cA0ols5rJz8iAtBoPRI8b835BWZcYHCk2aF2xT5hmB+GVhnFRZP8p9cRlr0jhYRjJKp80gTT7BPlMAQ0Sfmz5jLPd7X9yInKXCXdzxLTWvGqDq4GpunWVR6rgDMq5AswIcNhcwCc=
+    '';
+  };
+}
diff --git a/system-profiles/openssh/known-hosts/ymir.nix b/system-profiles/openssh/known-hosts/ymir.nix
new file mode 100644
index 00000000..f29baf1d
--- /dev/null
+++ b/system-profiles/openssh/known-hosts/ymir.nix
@@ -0,0 +1,16 @@
+let
+  hostNames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
+in {
+  rsa = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
+    '';
+  };
+  ed25519 = {
+    inherit hostNames;
+    publicKey = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
+    '';
+  };
+}
diff --git a/system-profiles/qemu-guest.nix b/system-profiles/qemu-guest.nix
new file mode 100644
index 00000000..8654eba0
--- /dev/null
+++ b/system-profiles/qemu-guest.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  config = {
+    boot.initrd = {
+      kernelModules = [ "virtio_net" "virtio_pci" "virtio_mmio" "virtio_blk" "virtio_scsi" "9p" "9pnet_virtio" "virtio_balloon" "virtio_console" "virtio_rng" ];
+    };
+
+    services.qemuGuest.enable = true;
+  };
+}
diff --git a/system-profiles/rebuild-machines/default.nix b/system-profiles/rebuild-machines/default.nix
new file mode 100644
index 00000000..53bba06b
--- /dev/null
+++ b/system-profiles/rebuild-machines/default.nix
@@ -0,0 +1,66 @@
+{ pkgs, hostName, ... }:
+let
+  rebuildScript = pkgs.stdenv.mkDerivation {
+    name = "rebuild-${hostName}";
+
+    src = ./rebuild-machine.zsh;
+
+    buildInputs = with pkgs; [ makeWrapper ];
+
+    phases = [ "buildPhase" "installPhase" ];
+
+    inherit (pkgs) zsh;
+    inherit hostName;
+
+    buildPhase = ''
+      substituteAll $src rebuild-machine.zsh
+    '';
+
+    installPhase = ''
+      mkdir -p $out/bin
+      install -m 0755 rebuild-machine.zsh $out/bin/rebuild-${hostName}
+    '';
+  };
+in {
+  home-manager.users."root" = {
+    programs.ssh = {
+      enable = true;
+      matchBlocks = {
+        "machines" = {
+          hostname = "git.yggdrasil.li";
+          user = "gitolite";
+          identityFile = "/root/.ssh/machines";
+        };
+      };
+    };
+  };
+
+  sops.secrets = {
+    rebuild-machines = {
+      path = "/root/.ssh/machines";
+      sopsFile = ./ssh + "/${hostName}/private";
+      format = "binary";
+    };
+  };
+
+  system.activationScripts.rebuild-machines-publickey = ''
+    install -m 0644 ${./ssh + "/${hostName}/public"} /root/.ssh/machines.pub
+  '';
+
+  environment.systemPackages = [ rebuildScript ];
+
+  services.openssh.knownHosts = {
+    rsa = {
+      hostNames = [ "git.yggdrasil.li" ];
+      publicKey = ''
+        ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDNr7oFNneR3sVuAhdbnU83PuG6gTU6rDmiz+qykkRUr5Qdtm0NIr9lI7nhoO/MaALWmkMXsBGjvJ2UxvY959g0wQRHJZnuJDwOMo3YJjfuDGMTtp8ikzd646uMHQB+y/xb4dou6f0INr94eRsZcji7AQgZQnyWVV3DZuSADBfNK0Tx6sT6IdbJXaCwYoexnfSfzDdu3i5zMuReF4zdkFUEfAdcbOM8Cr0Abnn4+iLVrof/QaOEuZDC+Pf5QUhkAArETdavSCUIbV6+1md0jz/T8yalgrTCsYOoEUbSPwM/8vmiYDWSo/tvAf3KnVIPjjK2UFz7Qu0HyK0y1dBEXoYLGZ1ep4x67aE4zy7GlR2GZdAYilHknugZB+/kvYGDEixHFfcUh/uvF5PY8sm63C6HUBT1s/aQHXGHgE4uUru6YvbU3UW3fRdslABY/atZ9gc3MuKu9Zk27b1SYfAAoK1R8rKsOKWqUWvvMVCfKBNKqqb7+30q75iGeneB8Tb1C9lToyDG2Yl5p+Gpfnj8YmaU/xFm0HFEC42crRbaQyz01LmupHWf8VwH/O2LsjztAF9b4Oe2q/NwqQAF+h5hIm2tfM2fzxHGCmw1sFYf6dEdkyV5pge/IJrnuQn27iO06tRC6tvrt/ocbpwEEOk/3WWpAWW4oT8L5ceh7iAXrCRWpw==
+      '';
+    };
+    ed25519 = {
+      hostNames = [ "git.yggdrasil.li" ];
+      publicKey = ''
+        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDeBBux2bIXnS/RUv+Y/NCpzI/SCW0KOJSzf48KDiEZD
+      '';
+    };
+  };
+}
diff --git a/system-profiles/rebuild-machines/rebuild-machine.zsh b/system-profiles/rebuild-machines/rebuild-machine.zsh
new file mode 100644
index 00000000..80cc7a2f
--- /dev/null
+++ b/system-profiles/rebuild-machines/rebuild-machine.zsh
@@ -0,0 +1,9 @@
+#!@zsh@/bin/zsh
+
+set -o errexit
+
+if [[ $(whoami) != "root" ]]; then
+    exec sudo -H -- $0 $@
+fi
+
+exec nixos-rebuild --refresh --flake 'git+ssh://machines/nixos?ref=flakes#@hostName@' ${@:-switch}
diff --git a/system-profiles/rebuild-machines/ssh/surtr/private b/system-profiles/rebuild-machines/ssh/surtr/private
new file mode 100644
index 00000000..40651674
--- /dev/null
+++ b/system-profiles/rebuild-machines/ssh/surtr/private
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:6iBi0nQMKJccWxpWkJcWIdpQ4qitMgewFs0LAUU7PFH268hoCkmiWgfq+ZJ1E4hfgAMqTmiS+FJUnYyAGaHHghPCMjHLaNaoS25GjQM3S0pUFd56zGipP0xkii4HaiEGEpcxmXuGHnfrJgJZIHSsl8KRaLRJUKmIl7uorN0nGo6A2R+DKljExXRpH/ZSZj5dCoTu8tVCwnKxgDh9rDhEKCYIl1XnTKV8U8KeT9M7KJt6VWA5mmYhziv0No2U8g22T1ZQP+ATIqGXzbDUDEjY+kg7q6Om0ZsWBL2mJ7U88V/BBMymeYrJiawxrjXzG1VtsnMC7pn8F5BgHCz8x3lUIi2/wlWdqKEUp+TuKEMeuGLdaAifdeFKG/qnFBtNQLxcScvilXAH4w2L+yjCnJbdKoGk1GdJl1U/a2lEXmzbwSQ7Gxlq2rSDpTRW91Gr6I/JXJS6vpq8XRv1faHDGGW+AuNArP9P85/d/S7Fv/UeRQ7vNi30ePG6LjTN+0ajhqwv2YEocArFj+1I8vY3RSQ0PVj27Cwcc582BBmhRZNccgI7AL8=,iv:IwcMztAFDpOE23dYEzjJiv6qhk9E0/Qb/xgwbtt9xt0=,tag:qYMBaoUtkUDR1taehr7Y/g==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2021-05-15T17:58:53Z",
+                "mac": "ENC[AES256_GCM,data:N/CM/+4b02tRBFqFioX/FRPPj4bG3QGltIg7KZk7BYrl+5rJ/6QKL1g+CqsLTteRAbHiluBNFMT/dUBSmiQ+So95sUTc+rICRNKmxCX5GFxw3Kr5/y4r9W/sw/NOSXQD4+dctkhKmzg9NFR+T4pLM8W4KErtV384Wy3ccAW/g8g=,iv:Rr4rDloQRRsLTErUNbB1OIKbi5qyh2gU1y55sU7ecTY=,tag:sYHPOKcAWNfjz26X+w4r3g==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2021-05-15T17:58:52Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAJOYE8FC5GREn7xoQfuSMvow0GwajGfi4bw+FEydrDhAw\n+F8ryseAyQPgVouzlO2aItBy20dYYNs6zkcfnuZemDdBSpQQmahtXBs5Dt3wGhvg\n0l4BPJeJ3cpuLDQMFnNfTOLJRdoR0kvxVHJBBYJ+Jn4ArPrpiMReJvyLl7i83wDb\nsb+WCcu83IFLM/oInb22cto3shATTLgr30hq65+RwAXlGBNmoAT0HH9MDsgq+VQw\n=nsV9\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        },
+                        {
+                                "created_at": "2021-05-15T17:58:52Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA12ftTan1dZSX50t5H1/LdTse+nhePZS6RxqV7WcRi04w\nyiqJt+C6AFBZl4esCqHQjpPnmkb5pvI2/P9e8bvK8uszIF35KC+r55LAaB2RXkr2\n0l4BX0fPwE6XNtiBn2hQo7KYnci6s25itij+uppRyu6Cnc3Hi4Emro4MFBBJlot8\no773ulk8jmOeR2k9fLDSMQ0EO+3zZbm7zz/fK46SyFzBIAPvCx0fEpXi0ZdLES2k\n=rULf\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
\ No newline at end of file
diff --git a/system-profiles/rebuild-machines/ssh/surtr/public b/system-profiles/rebuild-machines/ssh/surtr/public
new file mode 100644
index 00000000..323e8398
--- /dev/null
+++ b/system-profiles/rebuild-machines/ssh/surtr/public
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5HJRwdwtmIqx8HRK0AKIq+vSCHvGv98rOmraSGwnTL rebuild-machines@surtr
diff --git a/system-profiles/sudo.nix b/system-profiles/sudo.nix
new file mode 100644
index 00000000..f2401b9f
--- /dev/null
+++ b/system-profiles/sudo.nix
@@ -0,0 +1,39 @@
+{ ... }:
+{
+  security.sudo.extraRules = [
+    { groups = "wheel";
+      commands = map (command: { inherit command; options = "NOPASSWD"; }) [
+        "/run/current-system/sw/sbin/shutdown"
+        "/run/current-system/sw/sbin/reboot"
+        "/run/current-system/sw/sbin/halt"
+        "/run/current-system/sw/bin/systemctl"
+      ];
+    }
+  ];
+
+  users.extraGroups.network = {};
+
+  security.polkit = {
+    enable = true;
+    extraConfig = ''
+      polkit.addRule(function(action, subject) {
+        if (    action.id == "org.freedesktop.systemd1.manage-units"
+             && subject.isInGroup("wheel")
+           ) {
+          return polkit.Result.YES;
+        }
+      });
+
+      polkit.addRule(function(action, subject) {
+        if ((action.id == "org.blueman.rfkill.setstate" ||
+             action.id == "org.blueman.network.setup" ||
+             action.id == "org.freedesktop.NetworkManager.settings.modify.system"
+            ) && subject.local
+            && subject.active && subject.isInGroup("network")
+           ) {
+          return polkit.Result.YES;
+        }
+      });
+    '';
+  };
+}
diff --git a/user-profiles/core.nix b/user-profiles/core.nix
index 8611a0bd..fb80343d 100644
--- a/user-profiles/core.nix
+++ b/user-profiles/core.nix
@@ -7,6 +7,7 @@
     
     config = {
       manual.manpages.enable = true;
+      home.stateVersion = "20.09";
     };
   };
 }
diff --git a/user-profiles/direnv.nix b/user-profiles/direnv.nix
new file mode 100644
index 00000000..2c1e58d6
--- /dev/null
+++ b/user-profiles/direnv.nix
@@ -0,0 +1,9 @@
+{ userName, ... }:
+{
+  home-manager.users.${userName} = {
+    programs.direnv = {
+      enable = true;
+      enableNixDirenvIntegration = true;
+    };
+  };
+}
diff --git a/user-profiles/mpv/default.nix b/user-profiles/mpv/default.nix
new file mode 100644
index 00000000..6b0ea076
--- /dev/null
+++ b/user-profiles/mpv/default.nix
@@ -0,0 +1,85 @@
+{ config, userName, pkgs, ... }:
+{
+  home-manager.users.${userName}.programs.mpv = {
+    enable = true;
+    bindings = {
+      "CTRL+n" = "af toggle \"lavfi=[dynaudnorm=f=100:g=31:s=20.0]\"";
+    };
+    config = {
+      ytdl = true;
+      ytdl-format = "bestvideo[width<=2560][height<=1440][fps<=60][protocol!=http_dash_segments]+bestaudio[protocol!=http_dash_segments]/best[width<=2560][height<=1440][fps<=60][protocol!=http_dash_segments]/best[protocol!=http_dash_segments]";
+      ytdl-raw-options = "netrc=,mark-watched=,cookies=${config.home-manager.users.${userName}.home.homeDirectory}/Downloads/cookies.txt";
+      sub = false;
+      osd-font = "DejaVu Sans";
+      vo = "gpu";
+      hwdec = "auto";
+      force-window = "yes";
+      script-opts = "osc-layout=topbar,vidscale=no,deadzonesize=0.9";
+      af = "lavfi=[dynaudnorm=f=100:g=31:s=20.0]";
+    };
+    scripts = let
+        reload = pkgs.stdenv.mkDerivation rec {
+          version = "2b8a719f";
+          pname = "reload";
+          name = "${pname}-${version}";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "4e6";
+            repo = "mpv-reload";
+            rev = "2b8a719fe166d6d42b5f1dd64761f97997b54a86";
+            sha256 = "19ycvnwzf8vgv0g63d4k1ll6hlfrd92is9gl8hzfic7w32ycphbg";
+          };
+
+          installPhase = ''
+            install -d $out/share/mpv/scripts
+            install -m 0644 reload.lua $out/share/mpv/scripts/${passthru.scriptName}
+          '';
+
+          passthru.scriptName = "reload.lua";
+        };
+        autosave = pkgs.stdenv.mkDerivation rec {
+          version = "744c3ee6";
+          pname = "autosave";
+          name = "${pname}-${version}.lua";
+
+          src = pkgs.fetchzip {
+            url = "https://gist.github.com/CyberShadow/2f71a97fb85ed42146f6d9f522bc34ef/archive/744c3ee61d2f0a8e9bb4e308dec6897215ae4704.zip";
+            hash = "sha256-yxA8wgzdS7SyKLoNTWN87ShsBfPKUflbOu4Y0jS2G3I=";
+            # url = "https://gist.github.com/Hakkin/5489e511bd6c8068a0fc09304c9c5a82/archive/7a19f7cdb6dd0b1c6878b41e13b244e2503c15fc.zip";
+            # sha256 = "0bv9wjrqm2ragd7rp8vw768bja2ghascwlljd6rzzf2ybi10fxs2";
+          };
+
+          installPhase = ''
+            install -d $out/share/mpv/scripts
+            install -m 0644 autosave.lua $out/share/mpv/scripts/${passthru.scriptName}
+          '';
+
+          passthru.scriptName = "autosave.lua";
+        };
+        mpris = pkgs.stdenv.mkDerivation rec {
+          version = "0.4";
+          pname = "mpv-mpris";
+          name = "${pname}-${version}.so";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "hoyon";
+            repo = "mpv-mpris";
+            rev = version;
+            sha256 = "1fr3jvja8s2gdpx8qyk9r17977flms3qpm8zci62nd9r5wjdvr5i";
+          };
+
+          installPhase = ''
+            install -d $out/share/mpv/scripts
+            install -m 0644 mpris.so $out/share/mpv/scripts/${passthru.scriptName}
+          '';
+
+          nativeBuildInputs = with pkgs; [ pkgconfig glib mpv ];
+
+          passthru.scriptName = "mpris.so";
+        };
+      in [ reload
+           autosave
+           mpris
+         ];
+  };
+}
diff --git a/user-profiles/tmux/default.nix b/user-profiles/tmux/default.nix
new file mode 100644
index 00000000..9e66cadd
--- /dev/null
+++ b/user-profiles/tmux/default.nix
@@ -0,0 +1,26 @@
+{ userName, pkgs, lib, ... }:
+{
+  home-manager.users.${userName} = {
+    programs.tmux = {
+      enable = true;
+      clock24 = true;
+      historyLimit = 50000;
+      extraConfig = lib.readFile (pkgs.stdenv.mkDerivation {
+        name = "tmux.conf";
+        src = ./tmux.conf;
+
+        buildInputs = with pkgs; [ makeWrapper ];
+
+        phases = [ "installPhase" ];
+
+        inherit (pkgs) zsh;
+        mandb = pkgs.man-db;
+        
+        installPhase = ''
+          substituteAll $src $out
+        '';
+      });
+      tmuxp.enable = true;
+    };
+  };
+}
diff --git a/user-profiles/tmux/tmux.conf b/user-profiles/tmux/tmux.conf
new file mode 100644
index 00000000..f9a3e11f
--- /dev/null
+++ b/user-profiles/tmux/tmux.conf
@@ -0,0 +1,25 @@
+set-option -g history-limit 50000
+set-option -g status-bg black
+set-option -g status-fg white
+set-option -g clock-mode-colour white
+set-option -g clock-mode-style 24
+set-option -g bell-action any
+set-option -g default-shell @zsh@/bin/zsh
+set-option -g update-environment 'DISPLAY SSH_ASKPASS SSH_AUTH_SOCK SSH_AGENT_PID SSH_CONNECTION WINDOWID XAUTHORITY PROMPT_INFO PATH PGHOST PGLOG'
+set-option -g mouse on
+set-option -g set-clipboard on
+set-option -g terminal-overrides 'rxvt-uni*:XT:Ms=\E]52;%p1%s;%p2%s\007'
+
+## determine if we should enable 256-colour support
+if "[[ ''${TERM} =~ 256color || ''${TERM} == fbterm || ''${TERM} =~ alacritty ]]" 'set -g default-terminal tmux-256color'
+
+set-option -g status-right ""
+
+bind / command-prompt "split-window -h 'exec @mandb@/bin/man %%'"
+bind C clock-mode
+bind r respawn-pane -k
+
+bind -n M-Left select-pane -L
+bind -n M-Right select-pane -R
+bind -n M-Up select-pane -U
+bind -n M-Down select-pane -D
\ No newline at end of file
diff --git a/user-profiles/utils.nix b/user-profiles/utils.nix
new file mode 100644
index 00000000..5407276a
--- /dev/null
+++ b/user-profiles/utils.nix
@@ -0,0 +1,25 @@
+{ userName, pkgs, ... }:
+{
+  home-manager.users.${userName} = {
+    programs = {
+      htop = {
+        enable = true;
+        settings = {
+          delay = 5;
+          highlightBaseName = true;
+          treeView = true;
+        };
+      };
+
+      jq.enable = true;
+    };
+
+    home.packages = with pkgs; [
+      autossh usbutils pciutils exa ag pwgen unzip magic-wormhole
+      qrencode tty-clock dnsutils openssl sshfs psmisc mosh tree
+      vnstat file pv bc fast-cli zip nmap aspell aspellDicts.de
+      aspellDicts.en borgbackup man-pages rsync socat telnet yq
+      cached-nix-shell persistent-nix-shell rage
+    ];
+  };
+}
diff --git a/user-profiles/zsh/default.nix b/user-profiles/zsh/default.nix
new file mode 100644
index 00000000..88873c1a
--- /dev/null
+++ b/user-profiles/zsh/default.nix
@@ -0,0 +1,31 @@
+{ userName, pkgs, customUtils, lib, config, ... }:
+let
+  dotDir = ".config/zsh";
+  p10kZsh = "${dotDir}/.p10k.zsh";
+  cfg = config.home-manager.users.${userName};
+in {
+  home-manager.users.${userName} = {
+    programs.zsh = {
+      inherit dotDir;
+      enable = true;
+      autocd = true;
+      enableCompletion = true;
+      
+      plugins = [
+        { name = "powerlevel10k";
+          file = "share/zsh-powerlevel10k/powerlevel10k.zsh-theme";
+          src = pkgs.zsh-powerlevel10k;
+        }
+      ];
+      initExtraBeforeCompInit = ''
+        source "${cfg.home.homeDirectory}/${p10kZsh}"
+      '';
+      initExtra = lib.mkAfter ''
+        source ${./zshrc}
+        source "${pkgs.zsh-syntax-highlighting}/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh"
+      '';
+    };
+
+    home.file.${p10kZsh}.source = ./p10k.zsh;
+  };
+}
diff --git a/user-profiles/zsh/p10k.zsh b/user-profiles/zsh/p10k.zsh
new file mode 100644
index 00000000..e3b364c2
--- /dev/null
+++ b/user-profiles/zsh/p10k.zsh
@@ -0,0 +1,1578 @@
+# Generated by Powerlevel10k configuration wizard on 2021-01-03 at 15:43 CET.
+# Based on romkatv/powerlevel10k/config/p10k-lean.zsh.
+# Wizard options: nerdfont-complete + powerline, small icons, unicode, lean, 24h time,
+# 2 lines, solid, no frame, darkest-ornaments, sparse, many icons, concise,
+# transient_prompt, instant_prompt=quiet.
+# Type `p10k configure` to generate another config.
+#
+# Config for Powerlevel10k with lean prompt style. Type `p10k configure` to generate
+# your own config based on it.
+#
+# Tip: Looking for a nice color? Here's a one-liner to print colormap.
+#
+#   for i in {0..255}; do print -Pn "%K{$i}  %k%F{$i}${(l:3::0:)i}%f " ${${(M)$((i%6)):#3}:+$'\n'}; done
+
+# Temporarily change options.
+'builtin' 'local' '-a' 'p10k_config_opts'
+[[ ! -o 'aliases'         ]] || p10k_config_opts+=('aliases')
+[[ ! -o 'sh_glob'         ]] || p10k_config_opts+=('sh_glob')
+[[ ! -o 'no_brace_expand' ]] || p10k_config_opts+=('no_brace_expand')
+'builtin' 'setopt' 'no_aliases' 'no_sh_glob' 'brace_expand'
+
+() {
+  emulate -L zsh -o extended_glob
+
+  # Unset all configuration options. This allows you to apply configuration changes without
+  # restarting zsh. Edit ~/.p10k.zsh and type `source ~/.p10k.zsh`.
+  unset -m '(POWERLEVEL9K_*|DEFAULT_USER)~POWERLEVEL9K_GITSTATUS_DIR'
+
+  # Zsh >= 5.1 is required.
+  autoload -Uz is-at-least && is-at-least 5.1 || return
+
+  # The list of segments shown on the left. Fill it with the most important segments.
+  typeset -g POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(
+    # =========================[ Line #1 ]=========================
+    # os_icon                 # os identifier
+    context                 # user@hostname
+    dir                     # current directory
+    vcs                     # git status
+    # =========================[ Line #2 ]=========================
+    newline                 # \n
+    context                 # user@hostname
+    dir
+    prompt_char             # prompt symbol
+  )
+
+  # The list of segments shown on the right. Fill it with less important segments.
+  # Right prompt on the last prompt line (where you are typing your commands) gets
+  # automatically hidden when the input line reaches it. Right prompt above the
+  # last prompt line gets hidden if it would overlap with left prompt.
+  typeset -g POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(
+    # =========================[ Line #1 ]=========================
+    status                  # exit code of the last command
+    command_execution_time  # duration of the last command
+    time                    # current time
+    background_jobs         # presence of background jobs
+    # =========================[ Line #2 ]=========================
+    newline
+    direnv                  # direnv status (https://direnv.net/)
+    asdf                    # asdf version manager (https://github.com/asdf-vm/asdf)
+    virtualenv              # python virtual environment (https://docs.python.org/3/library/venv.html)
+    anaconda                # conda environment (https://conda.io/)
+    pyenv                   # python environment (https://github.com/pyenv/pyenv)
+    goenv                   # go environment (https://github.com/syndbg/goenv)
+    nodenv                  # node.js version from nodenv (https://github.com/nodenv/nodenv)
+    nvm                     # node.js version from nvm (https://github.com/nvm-sh/nvm)
+    nodeenv                 # node.js environment (https://github.com/ekalinin/nodeenv)
+    # node_version          # node.js version
+    # go_version            # go version (https://golang.org)
+    # rust_version          # rustc version (https://www.rust-lang.org)
+    # dotnet_version        # .NET version (https://dotnet.microsoft.com)
+    # php_version           # php version (https://www.php.net/)
+    # laravel_version       # laravel php framework version (https://laravel.com/)
+    # java_version          # java version (https://www.java.com/)
+    # package               # name@version from package.json (https://docs.npmjs.com/files/package.json)
+    rbenv                   # ruby version from rbenv (https://github.com/rbenv/rbenv)
+    rvm                     # ruby version from rvm (https://rvm.io)
+    fvm                     # flutter version management (https://github.com/leoafarias/fvm)
+    luaenv                  # lua version from luaenv (https://github.com/cehoffman/luaenv)
+    jenv                    # java version from jenv (https://github.com/jenv/jenv)
+    plenv                   # perl version from plenv (https://github.com/tokuhirom/plenv)
+    phpenv                  # php version from phpenv (https://github.com/phpenv/phpenv)
+    scalaenv                # scala version from scalaenv (https://github.com/scalaenv/scalaenv)
+    haskell_stack           # haskell version from stack (https://haskellstack.org/)
+    kubecontext             # current kubernetes context (https://kubernetes.io/)
+    terraform               # terraform workspace (https://www.terraform.io)
+    aws                     # aws profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html)
+    aws_eb_env              # aws elastic beanstalk environment (https://aws.amazon.com/elasticbeanstalk/)
+    azure                   # azure account name (https://docs.microsoft.com/en-us/cli/azure)
+    gcloud                  # google cloud cli account and project (https://cloud.google.com/)
+    google_app_cred         # google application credentials (https://cloud.google.com/docs/authentication/production)
+    nordvpn                 # nordvpn connection status, linux only (https://nordvpn.com/)
+    ranger                  # ranger shell (https://github.com/ranger/ranger)
+    nnn                     # nnn shell (https://github.com/jarun/nnn)
+    vim_shell               # vim shell indicator (:sh)
+    midnight_commander      # midnight commander shell (https://midnight-commander.org/)
+    nix_shell               # nix shell (https://nixos.org/nixos/nix-pills/developing-with-nix-shell.html)
+    # vpn_ip                # virtual private network indicator
+    # load                  # CPU load
+    # disk_usage            # disk usage
+    # ram                   # free RAM
+    # swap                  # used swap
+    todo                    # todo items (https://github.com/todotxt/todo.txt-cli)
+    timewarrior             # timewarrior tracking status (https://timewarrior.net/)
+    taskwarrior             # taskwarrior task count (https://taskwarrior.org/)
+    status                  # exit code of the last command
+    command_execution_time  # duration of the last command
+    time                    # current time
+    background_jobs         # presence of background jobs
+    # ip                    # ip address and bandwidth usage for a specified network interface
+    # public_ip             # public IP address
+    # proxy                 # system-wide http/https/ftp proxy
+    # battery               # internal battery
+    # wifi                  # wifi speed
+    # example               # example user-defined segment (see prompt_example function below)
+  )
+
+  # Defines character set used by powerlevel10k. It's best to let `p10k configure` set it for you.
+  typeset -g POWERLEVEL9K_MODE=nerdfont-complete
+  # When set to `moderate`, some icons will have an extra space after them. This is meant to avoid
+  # icon overlap when using non-monospace fonts. When set to `none`, spaces are not added.
+  typeset -g POWERLEVEL9K_ICON_PADDING=none
+
+  # Basic style options that define the overall look of your prompt. You probably don't want to
+  # change them.
+  typeset -g POWERLEVEL9K_BACKGROUND=                            # transparent background
+  typeset -g POWERLEVEL9K_{LEFT,RIGHT}_{LEFT,RIGHT}_WHITESPACE=  # no surrounding whitespace
+  typeset -g POWERLEVEL9K_{LEFT,RIGHT}_SUBSEGMENT_SEPARATOR=' '  # separate segments with a space
+  typeset -g POWERLEVEL9K_{LEFT,RIGHT}_SEGMENT_SEPARATOR=        # no end-of-line symbol
+
+  # When set to true, icons appear before content on both sides of the prompt. When set
+  # to false, icons go after content. If empty or not set, icons go before content in the left
+  # prompt and after content in the right prompt.
+  #
+  # You can also override it for a specific segment:
+  #
+  #   POWERLEVEL9K_STATUS_ICON_BEFORE_CONTENT=false
+  #
+  # Or for a specific segment in specific state:
+  #
+  #   POWERLEVEL9K_DIR_NOT_WRITABLE_ICON_BEFORE_CONTENT=false
+  typeset -g POWERLEVEL9K_ICON_BEFORE_CONTENT=true
+
+  # Add an empty line before each prompt.
+  typeset -g POWERLEVEL9K_PROMPT_ADD_NEWLINE=true
+
+  # Connect left prompt lines with these symbols.
+  typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_PREFIX=
+  typeset -g POWERLEVEL9K_MULTILINE_NEWLINE_PROMPT_PREFIX=
+  typeset -g POWERLEVEL9K_MULTILINE_LAST_PROMPT_PREFIX=
+  # Connect right prompt lines with these symbols.
+  typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_SUFFIX=
+  typeset -g POWERLEVEL9K_MULTILINE_NEWLINE_PROMPT_SUFFIX=
+  typeset -g POWERLEVEL9K_MULTILINE_LAST_PROMPT_SUFFIX=
+
+  # The left end of left prompt.
+  typeset -g POWERLEVEL9K_LEFT_PROMPT_FIRST_SEGMENT_START_SYMBOL=
+  # The right end of right prompt.
+  typeset -g POWERLEVEL9K_RIGHT_PROMPT_LAST_SEGMENT_END_SYMBOL=
+
+  # Ruler, a.k.a. the horizontal line before each prompt. If you set it to true, you'll
+  # probably want to set POWERLEVEL9K_PROMPT_ADD_NEWLINE=false above and
+  # POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_CHAR=' ' below.
+  typeset -g POWERLEVEL9K_SHOW_RULER=false
+  typeset -g POWERLEVEL9K_RULER_CHAR='─'        # reasonable alternative: '·'
+  typeset -g POWERLEVEL9K_RULER_FOREGROUND=238
+
+  # Filler between left and right prompt on the first prompt line. You can set it to '·' or '─'
+  # to make it easier to see the alignment between left and right prompt and to separate prompt
+  # from command output. It serves the same purpose as ruler (see above) without increasing
+  # the number of prompt lines. You'll probably want to set POWERLEVEL9K_SHOW_RULER=false
+  # if using this. You might also like POWERLEVEL9K_PROMPT_ADD_NEWLINE=false for more compact
+  # prompt.
+  typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_CHAR='─'
+  if [[ $POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_CHAR != ' ' ]]; then
+    # The color of the filler.
+    typeset -g POWERLEVEL9K_MULTILINE_FIRST_PROMPT_GAP_FOREGROUND=238
+    # Add a space between the end of left prompt and the filler.
+    typeset -g POWERLEVEL9K_LEFT_PROMPT_LAST_SEGMENT_END_SYMBOL=' '
+    # Add a space between the filler and the start of right prompt.
+    typeset -g POWERLEVEL9K_RIGHT_PROMPT_FIRST_SEGMENT_START_SYMBOL=' '
+    # Start filler from the edge of the screen if there are no left segments on the first line.
+    typeset -g POWERLEVEL9K_EMPTY_LINE_LEFT_PROMPT_FIRST_SEGMENT_END_SYMBOL='%{%}'
+    # End filler on the edge of the screen if there are no right segments on the first line.
+    typeset -g POWERLEVEL9K_EMPTY_LINE_RIGHT_PROMPT_FIRST_SEGMENT_START_SYMBOL='%{%}'
+  fi
+
+  #################################[ os_icon: os identifier ]##################################
+  # OS identifier color.
+  typeset -g POWERLEVEL9K_OS_ICON_FOREGROUND=
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_OS_ICON_CONTENT_EXPANSION='⭐'
+
+  ################################[ prompt_char: prompt symbol ]################################
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_{VIINS,VICMD,VIVIS,VIOWR}_FOREGROUND=2
+  # Default prompt symbol.
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VIINS_CONTENT_EXPANSION='❯'
+  # Prompt symbol in command vi mode.
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VICMD_CONTENT_EXPANSION='❮'
+  # Prompt symbol in visual vi mode.
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VIVIS_CONTENT_EXPANSION='V'
+  # Prompt symbol in overwrite vi mode.
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_{OK,ERROR}_VIOWR_CONTENT_EXPANSION='▶'
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_OVERWRITE_STATE=true
+  # No line terminator if prompt_char is the last segment.
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_LEFT_PROMPT_LAST_SEGMENT_END_SYMBOL=''
+  # No line introducer if prompt_char is the first segment.
+  typeset -g POWERLEVEL9K_PROMPT_CHAR_LEFT_PROMPT_FIRST_SEGMENT_START_SYMBOL=
+
+  ##################################[ dir: current directory ]##################################
+  # Default current directory color.
+  typeset -g POWERLEVEL9K_DIR_FOREGROUND=31
+  # If directory is too long, shorten some of its segments to the shortest possible unique
+  # prefix. The shortened directory can be tab-completed to the original.
+  typeset -g POWERLEVEL9K_SHORTEN_STRATEGY=truncate_to_unique
+  # Replace removed segment suffixes with this symbol.
+  typeset -g POWERLEVEL9K_SHORTEN_DELIMITER=
+  # Color of the shortened directory segments.
+  typeset -g POWERLEVEL9K_DIR_SHORTENED_FOREGROUND=103
+  # Color of the anchor directory segments. Anchor segments are never shortened. The first
+  # segment is always an anchor.
+  typeset -g POWERLEVEL9K_DIR_ANCHOR_FOREGROUND=39
+  # Display anchor directory segments in bold.
+  typeset -g POWERLEVEL9K_DIR_ANCHOR_BOLD=true
+  # Don't shorten directories that contain any of these files. They are anchors.
+  local anchor_files=(
+    .bzr
+    .citc
+    .git
+    .hg
+    .node-version
+    .python-version
+    .go-version
+    .ruby-version
+    .lua-version
+    .java-version
+    .perl-version
+    .php-version
+    .tool-version
+    .shorten_folder_marker
+    .svn
+    .terraform
+    CVS
+    Cargo.toml
+    composer.json
+    go.mod
+    package.json
+    stack.yaml
+  )
+  typeset -g POWERLEVEL9K_SHORTEN_FOLDER_MARKER="(${(j:|:)anchor_files})"
+  # If set to "first" ("last"), remove everything before the first (last) subdirectory that contains
+  # files matching $POWERLEVEL9K_SHORTEN_FOLDER_MARKER. For example, when the current directory is
+  # /foo/bar/git_repo/nested_git_repo/baz, prompt will display git_repo/nested_git_repo/baz (first)
+  # or nested_git_repo/baz (last). This assumes that git_repo and nested_git_repo contain markers
+  # and other directories don't.
+  #
+  # Optionally, "first" and "last" can be followed by ":<offset>" where <offset> is an integer.
+  # This moves the truncation point to the right (positive offset) or to the left (negative offset)
+  # relative to the marker. Plain "first" and "last" are equivalent to "first:0" and "last:0"
+  # respectively.
+  typeset -g POWERLEVEL9K_DIR_TRUNCATE_BEFORE_MARKER=false
+  # Don't shorten this many last directory segments. They are anchors.
+  typeset -g POWERLEVEL9K_SHORTEN_DIR_LENGTH=1
+  # Shorten directory if it's longer than this even if there is space for it. The value can
+  # be either absolute (e.g., '80') or a percentage of terminal width (e.g, '50%'). If empty,
+  # directory will be shortened only when prompt doesn't fit or when other parameters demand it
+  # (see POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS and POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS_PCT below).
+  # If set to `0`, directory will always be shortened to its minimum length.
+  typeset -g POWERLEVEL9K_DIR_MAX_LENGTH=30%
+  # When `dir` segment is on the last prompt line, try to shorten it enough to leave at least this
+  # many columns for typing commands.
+  typeset -g POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS=40
+  # When `dir` segment is on the last prompt line, try to shorten it enough to leave at least
+  # COLUMNS * POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS_PCT * 0.01 columns for typing commands.
+  typeset -g POWERLEVEL9K_DIR_MIN_COMMAND_COLUMNS_PCT=50
+  # If set to true, embed a hyperlink into the directory. Useful for quickly
+  # opening a directory in the file manager simply by clicking the link.
+  # Can also be handy when the directory is shortened, as it allows you to see
+  # the full directory that was used in previous commands.
+  typeset -g POWERLEVEL9K_DIR_HYPERLINK=false
+
+  # Enable special styling for non-writable and non-existent directories. See POWERLEVEL9K_LOCK_ICON
+  # and POWERLEVEL9K_DIR_CLASSES below.
+  typeset -g POWERLEVEL9K_DIR_SHOW_WRITABLE=v3
+
+  # The default icon shown next to non-writable and non-existent directories when
+  # POWERLEVEL9K_DIR_SHOW_WRITABLE is set to v3.
+  # typeset -g POWERLEVEL9K_LOCK_ICON='⭐'
+
+  # POWERLEVEL9K_DIR_CLASSES allows you to specify custom icons and colors for different
+  # directories. It must be an array with 3 * N elements. Each triplet consists of:
+  #
+  #   1. A pattern against which the current directory ($PWD) is matched. Matching is done with
+  #      extended_glob option enabled.
+  #   2. Directory class for the purpose of styling.
+  #   3. An empty string.
+  #
+  # Triplets are tried in order. The first triplet whose pattern matches $PWD wins.
+  #
+  # If POWERLEVEL9K_DIR_SHOW_WRITABLE is set to v3, non-writable and non-existent directories
+  # acquire class suffix _NOT_WRITABLE and NON_EXISTENT respectively.
+  #
+  # For example, given these settings:
+  #
+  #   typeset -g POWERLEVEL9K_DIR_CLASSES=(
+  #     '~/work(|/*)'  WORK     ''
+  #     '~(|/*)'       HOME     ''
+  #     '*'            DEFAULT  '')
+  #
+  # Whenever the current directory is ~/work or a subdirectory of ~/work, it gets styled with one
+  # of the following classes depending on its writability and existence: WORK, WORK_NOT_WRITABLE or
+  # WORK_NON_EXISTENT.
+  #
+  # Simply assigning classes to directories doesn't have any visible effects. It merely gives you an
+  # option to define custom colors and icons for different directory classes.
+  #
+  #   # Styling for WORK.
+  #   typeset -g POWERLEVEL9K_DIR_WORK_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  #   typeset -g POWERLEVEL9K_DIR_WORK_FOREGROUND=31
+  #   typeset -g POWERLEVEL9K_DIR_WORK_SHORTENED_FOREGROUND=103
+  #   typeset -g POWERLEVEL9K_DIR_WORK_ANCHOR_FOREGROUND=39
+  #
+  #   # Styling for WORK_NOT_WRITABLE.
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_FOREGROUND=31
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_SHORTENED_FOREGROUND=103
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_ANCHOR_FOREGROUND=39
+  #
+  #   # Styling for WORK_NON_EXISTENT.
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_FOREGROUND=31
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_SHORTENED_FOREGROUND=103
+  #   typeset -g POWERLEVEL9K_DIR_WORK_NON_EXISTENT_ANCHOR_FOREGROUND=39
+  #
+  # If a styling parameter isn't explicitly defined for some class, it falls back to the classless
+  # parameter. For example, if POWERLEVEL9K_DIR_WORK_NOT_WRITABLE_FOREGROUND is not set, it falls
+  # back to POWERLEVEL9K_DIR_FOREGROUND.
+  #
+  typeset -g POWERLEVEL9K_DIR_CLASSES=()
+
+  # Custom prefix.
+  # typeset -g POWERLEVEL9K_DIR_PREFIX='%fin '
+
+  #####################################[ vcs: git status ]######################################
+  # Branch icon. Set this parameter to '\uF126 ' for the popular Powerline branch icon.
+  typeset -g POWERLEVEL9K_VCS_BRANCH_ICON=''
+
+  # Untracked files icon. It's really a question mark, your font isn't broken.
+  # Change the value of this parameter to show a different icon.
+  typeset -g POWERLEVEL9K_VCS_UNTRACKED_ICON='?'
+
+  # Formatter for Git status.
+  #
+  # Example output: master ⇣42⇡42 *42 merge ~42 +42 !42 ?42.
+  #
+  # You can edit the function to customize how Git status looks.
+  #
+  # VCS_STATUS_* parameters are set by gitstatus plugin. See reference:
+  # https://github.com/romkatv/gitstatus/blob/master/gitstatus.plugin.zsh.
+  function my_git_formatter() {
+    emulate -L zsh
+
+    if [[ -n $P9K_CONTENT ]]; then
+      # If P9K_CONTENT is not empty, use it. It's either "loading" or from vcs_info (not from
+      # gitstatus plugin). VCS_STATUS_* parameters are not available in this case.
+      typeset -g my_git_format=$P9K_CONTENT
+      return
+    fi
+
+    if (( $1 )); then
+      # Styling for up-to-date Git status.
+      local       meta='%f'     # default foreground
+      local      clean='%76F'   # green foreground
+      local   modified='%178F'  # yellow foreground
+      local  untracked='%39F'   # blue foreground
+      local conflicted='%196F'  # red foreground
+    else
+      # Styling for incomplete and stale Git status.
+      local       meta='%244F'  # grey foreground
+      local      clean='%244F'  # grey foreground
+      local   modified='%244F'  # grey foreground
+      local  untracked='%244F'  # grey foreground
+      local conflicted='%244F'  # grey foreground
+    fi
+
+    local res
+    local where  # branch or tag
+    if [[ -n $VCS_STATUS_LOCAL_BRANCH ]]; then
+      res+="${clean}${(g::)POWERLEVEL9K_VCS_BRANCH_ICON}"
+      where=${(V)VCS_STATUS_LOCAL_BRANCH}
+    elif [[ -n $VCS_STATUS_TAG ]]; then
+      res+="${meta}#"
+      where=${(V)VCS_STATUS_TAG}
+    fi
+
+    # If local branch name or tag is at most 32 characters long, show it in full.
+    # Otherwise show the first 12 … the last 12.
+    # Tip: To always show local branch name in full without truncation, delete the next line.
+    (( $#where > 32 )) && where[13,-13]="…"
+
+    res+="${clean}${where//\%/%%}"  # escape %
+
+    # Display the current Git commit if there is no branch or tag.
+    # Tip: To always display the current Git commit, remove `[[ -z $where ]] &&` from the next line.
+    [[ -z $where ]] && res+="${meta}@${clean}${VCS_STATUS_COMMIT[1,8]}"
+
+    # Show tracking branch name if it differs from local branch.
+    if [[ -n ${VCS_STATUS_REMOTE_BRANCH:#$VCS_STATUS_LOCAL_BRANCH} ]]; then
+      res+="${meta}:${clean}${(V)VCS_STATUS_REMOTE_BRANCH//\%/%%}"  # escape %
+    fi
+
+    # ⇣42 if behind the remote.
+    (( VCS_STATUS_COMMITS_BEHIND )) && res+=" ${clean}⇣${VCS_STATUS_COMMITS_BEHIND}"
+    # ⇡42 if ahead of the remote; no leading space if also behind the remote: ⇣42⇡42.
+    (( VCS_STATUS_COMMITS_AHEAD && !VCS_STATUS_COMMITS_BEHIND )) && res+=" "
+    (( VCS_STATUS_COMMITS_AHEAD  )) && res+="${clean}⇡${VCS_STATUS_COMMITS_AHEAD}"
+    # ⇠42 if behind the push remote.
+    (( VCS_STATUS_PUSH_COMMITS_BEHIND )) && res+=" ${clean}⇠${VCS_STATUS_PUSH_COMMITS_BEHIND}"
+    (( VCS_STATUS_PUSH_COMMITS_AHEAD && !VCS_STATUS_PUSH_COMMITS_BEHIND )) && res+=" "
+    # ⇢42 if ahead of the push remote; no leading space if also behind: ⇠42⇢42.
+    (( VCS_STATUS_PUSH_COMMITS_AHEAD  )) && res+="${clean}⇢${VCS_STATUS_PUSH_COMMITS_AHEAD}"
+    # *42 if have stashes.
+    (( VCS_STATUS_STASHES        )) && res+=" ${clean}*${VCS_STATUS_STASHES}"
+    # 'merge' if the repo is in an unusual state.
+    [[ -n $VCS_STATUS_ACTION     ]] && res+=" ${conflicted}${VCS_STATUS_ACTION}"
+    # ~42 if have merge conflicts.
+    (( VCS_STATUS_NUM_CONFLICTED )) && res+=" ${conflicted}~${VCS_STATUS_NUM_CONFLICTED}"
+    # +42 if have staged changes.
+    (( VCS_STATUS_NUM_STAGED     )) && res+=" ${modified}+${VCS_STATUS_NUM_STAGED}"
+    # !42 if have unstaged changes.
+    (( VCS_STATUS_NUM_UNSTAGED   )) && res+=" ${modified}!${VCS_STATUS_NUM_UNSTAGED}"
+    # ?42 if have untracked files. It's really a question mark, your font isn't broken.
+    # See POWERLEVEL9K_VCS_UNTRACKED_ICON above if you want to use a different icon.
+    # Remove the next line if you don't want to see untracked files at all.
+    (( VCS_STATUS_NUM_UNTRACKED  )) && res+=" ${untracked}${(g::)POWERLEVEL9K_VCS_UNTRACKED_ICON}${VCS_STATUS_NUM_UNTRACKED}"
+    # "─" if the number of unstaged files is unknown. This can happen due to
+    # POWERLEVEL9K_VCS_MAX_INDEX_SIZE_DIRTY (see below) being set to a non-negative number lower
+    # than the number of files in the Git index, or due to bash.showDirtyState being set to false
+    # in the repository config. The number of staged and untracked files may also be unknown
+    # in this case.
+    (( VCS_STATUS_HAS_UNSTAGED == -1 )) && res+=" ${modified}─"
+
+    typeset -g my_git_format=$res
+  }
+  functions -M my_git_formatter 2>/dev/null
+
+  # Don't count the number of unstaged, untracked and conflicted files in Git repositories with
+  # more than this many files in the index. Negative value means infinity.
+  #
+  # If you are working in Git repositories with tens of millions of files and seeing performance
+  # sagging, try setting POWERLEVEL9K_VCS_MAX_INDEX_SIZE_DIRTY to a number lower than the output
+  # of `git ls-files | wc -l`. Alternatively, add `bash.showDirtyState = false` to the repository's
+  # config: `git config bash.showDirtyState false`.
+  typeset -g POWERLEVEL9K_VCS_MAX_INDEX_SIZE_DIRTY=-1
+
+  # Don't show Git status in prompt for repositories whose workdir matches this pattern.
+  # For example, if set to '~', the Git repository at $HOME/.git will be ignored.
+  # Multiple patterns can be combined with '|': '~(|/foo)|/bar/baz/*'.
+  # typeset -g POWERLEVEL9K_VCS_DISABLED_WORKDIR_PATTERN='~'
+
+  # Disable the default Git status formatting.
+  typeset -g POWERLEVEL9K_VCS_DISABLE_GITSTATUS_FORMATTING=true
+  # Install our own Git status formatter.
+  typeset -g POWERLEVEL9K_VCS_CONTENT_EXPANSION='${$((my_git_formatter(1)))+${my_git_format}}'
+  typeset -g POWERLEVEL9K_VCS_LOADING_CONTENT_EXPANSION='${$((my_git_formatter(0)))+${my_git_format}}'
+  # Enable counters for staged, unstaged, etc.
+  typeset -g POWERLEVEL9K_VCS_{STAGED,UNSTAGED,UNTRACKED,CONFLICTED,COMMITS_AHEAD,COMMITS_BEHIND}_MAX_NUM=-1
+
+  # Icon color.
+  typeset -g POWERLEVEL9K_VCS_VISUAL_IDENTIFIER_COLOR=76
+  typeset -g POWERLEVEL9K_VCS_LOADING_VISUAL_IDENTIFIER_COLOR=244
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_VCS_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # Custom prefix.
+  # typeset -g POWERLEVEL9K_VCS_PREFIX='%fon '
+
+  # Show status of repositories of these types. You can add svn and/or hg if you are
+  # using them. If you do, your prompt may become slow even when your current directory
+  # isn't in an svn or hg reposotiry.
+  typeset -g POWERLEVEL9K_VCS_BACKENDS=(git)
+
+  # These settings are used for repositories other than Git or when gitstatusd fails and
+  # Powerlevel10k has to fall back to using vcs_info.
+  typeset -g POWERLEVEL9K_VCS_CLEAN_FOREGROUND=76
+  typeset -g POWERLEVEL9K_VCS_UNTRACKED_FOREGROUND=76
+  typeset -g POWERLEVEL9K_VCS_MODIFIED_FOREGROUND=178
+
+  ##########################[ status: exit code of the last command ]###########################
+  # Enable OK_PIPE, ERROR_PIPE and ERROR_SIGNAL status states to allow us to enable, disable and
+  # style them independently from the regular OK and ERROR state.
+  typeset -g POWERLEVEL9K_STATUS_EXTENDED_STATES=true
+
+  # Status on success. No content, just an icon. No need to show it if prompt_char is enabled as
+  # it will signify success by turning green.
+  typeset -g POWERLEVEL9K_STATUS_OK=false
+  typeset -g POWERLEVEL9K_STATUS_OK_FOREGROUND=70
+  typeset -g POWERLEVEL9K_STATUS_OK_VISUAL_IDENTIFIER_EXPANSION='✔'
+
+  # Status when some part of a pipe command fails but the overall exit status is zero. It may look
+  # like this: 1|0.
+  typeset -g POWERLEVEL9K_STATUS_OK_PIPE=true
+  typeset -g POWERLEVEL9K_STATUS_OK_PIPE_FOREGROUND=70
+  typeset -g POWERLEVEL9K_STATUS_OK_PIPE_VISUAL_IDENTIFIER_EXPANSION='✔'
+
+  # Status when it's just an error code (e.g., '1'). No need to show it if prompt_char is enabled as
+  # it will signify error by turning red.
+  typeset -g POWERLEVEL9K_STATUS_ERROR=true
+  typeset -g POWERLEVEL9K_STATUS_ERROR_FOREGROUND=160
+  typeset -g POWERLEVEL9K_STATUS_ERROR_VISUAL_IDENTIFIER_EXPANSION='✘'
+
+  # Status when the last command was terminated by a signal.
+  typeset -g POWERLEVEL9K_STATUS_ERROR_SIGNAL=true
+  typeset -g POWERLEVEL9K_STATUS_ERROR_SIGNAL_FOREGROUND=160
+  # Use terse signal names: "INT" instead of "SIGINT(2)".
+  typeset -g POWERLEVEL9K_STATUS_VERBOSE_SIGNAME=false
+  typeset -g POWERLEVEL9K_STATUS_ERROR_SIGNAL_VISUAL_IDENTIFIER_EXPANSION='✘'
+
+  # Status when some part of a pipe command fails and the overall exit status is also non-zero.
+  # It may look like this: 1|0.
+  typeset -g POWERLEVEL9K_STATUS_ERROR_PIPE=true
+  typeset -g POWERLEVEL9K_STATUS_ERROR_PIPE_FOREGROUND=160
+  typeset -g POWERLEVEL9K_STATUS_ERROR_PIPE_VISUAL_IDENTIFIER_EXPANSION='✘'
+
+  ###################[ command_execution_time: duration of the last command ]###################
+  # Show duration of the last command if takes at least this many seconds.
+  typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_THRESHOLD=3
+  # Show this many fractional digits. Zero means round to seconds.
+  typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_PRECISION=0
+  # Execution time color.
+  typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_FOREGROUND=101
+  # Duration format: 1d 2h 3m 4s.
+  typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_FORMAT='d h m s'
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # Custom prefix.
+  # typeset -g POWERLEVEL9K_COMMAND_EXECUTION_TIME_PREFIX='%ftook '
+
+  #######################[ background_jobs: presence of background jobs ]#######################
+  # Don't show the number of background jobs.
+  typeset -g POWERLEVEL9K_BACKGROUND_JOBS_VERBOSE=false
+  # Background jobs color.
+  typeset -g POWERLEVEL9K_BACKGROUND_JOBS_FOREGROUND=70
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_BACKGROUND_JOBS_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #######################[ direnv: direnv status (https://direnv.net/) ]########################
+  # Direnv color.
+  typeset -g POWERLEVEL9K_DIRENV_FOREGROUND=178
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_DIRENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###############[ asdf: asdf version manager (https://github.com/asdf-vm/asdf) ]###############
+  # Default asdf color. Only used to display tools for which there is no color override (see below).
+  # Tip:  Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_FOREGROUND.
+  typeset -g POWERLEVEL9K_ASDF_FOREGROUND=66
+
+  # There are four parameters that can be used to hide asdf tools. Each parameter describes
+  # conditions under which a tool gets hidden. Parameters can hide tools but not unhide them. If at
+  # least one parameter decides to hide a tool, that tool gets hidden. If no parameter decides to
+  # hide a tool, it gets shown.
+  #
+  # Special note on the difference between POWERLEVEL9K_ASDF_SOURCES and
+  # POWERLEVEL9K_ASDF_PROMPT_ALWAYS_SHOW. Consider the effect of the following commands:
+  #
+  #   asdf local  python 3.8.1
+  #   asdf global python 3.8.1
+  #
+  # After running both commands the current python version is 3.8.1 and its source is "local" as
+  # it takes precedence over "global". If POWERLEVEL9K_ASDF_PROMPT_ALWAYS_SHOW is set to false,
+  # it'll hide python version in this case because 3.8.1 is the same as the global version.
+  # POWERLEVEL9K_ASDF_SOURCES will hide python version only if the value of this parameter doesn't
+  # contain "local".
+
+  # Hide tool versions that don't come from one of these sources.
+  #
+  # Available sources:
+  #
+  # - shell   `asdf current` says "set by ASDF_${TOOL}_VERSION environment variable"
+  # - local   `asdf current` says "set by /some/not/home/directory/file"
+  # - global  `asdf current` says "set by /home/username/file"
+  #
+  # Note: If this parameter is set to (shell local global), it won't hide tools.
+  # Tip:  Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_SOURCES.
+  typeset -g POWERLEVEL9K_ASDF_SOURCES=(shell local global)
+
+  # If set to false, hide tool versions that are the same as global.
+  #
+  # Note: The name of this parameter doesn't reflect its meaning at all.
+  # Note: If this parameter is set to true, it won't hide tools.
+  # Tip:  Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_PROMPT_ALWAYS_SHOW.
+  typeset -g POWERLEVEL9K_ASDF_PROMPT_ALWAYS_SHOW=false
+
+  # If set to false, hide tool versions that are equal to "system".
+  #
+  # Note: If this parameter is set to true, it won't hide tools.
+  # Tip: Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_SHOW_SYSTEM.
+  typeset -g POWERLEVEL9K_ASDF_SHOW_SYSTEM=true
+
+  # If set to non-empty value, hide tools unless there is a file matching the specified file pattern
+  # in the current directory, or its parent directory, or its grandparent directory, and so on.
+  #
+  # Note: If this parameter is set to empty value, it won't hide tools.
+  # Note: SHOW_ON_UPGLOB isn't specific to asdf. It works with all prompt segments.
+  # Tip: Override this parameter for ${TOOL} with POWERLEVEL9K_ASDF_${TOOL}_SHOW_ON_UPGLOB.
+  #
+  # Example: Hide nodejs version when there is no package.json and no *.js files in the current
+  # directory, in `..`, in `../..` and so on.
+  #
+  #   typeset -g POWERLEVEL9K_ASDF_NODEJS_SHOW_ON_UPGLOB='*.js|package.json'
+  typeset -g POWERLEVEL9K_ASDF_SHOW_ON_UPGLOB=
+
+  # Ruby version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_RUBY_FOREGROUND=168
+  # typeset -g POWERLEVEL9K_ASDF_RUBY_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_RUBY_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Python version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_PYTHON_FOREGROUND=37
+  # typeset -g POWERLEVEL9K_ASDF_PYTHON_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_PYTHON_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Go version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_GOLANG_FOREGROUND=37
+  # typeset -g POWERLEVEL9K_ASDF_GOLANG_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_GOLANG_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Node.js version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_NODEJS_FOREGROUND=70
+  # typeset -g POWERLEVEL9K_ASDF_NODEJS_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_NODEJS_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Rust version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_RUST_FOREGROUND=37
+  # typeset -g POWERLEVEL9K_ASDF_RUST_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_RUST_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # .NET Core version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_DOTNET_CORE_FOREGROUND=134
+  # typeset -g POWERLEVEL9K_ASDF_DOTNET_CORE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_DOTNET_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Flutter version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_FLUTTER_FOREGROUND=38
+  # typeset -g POWERLEVEL9K_ASDF_FLUTTER_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_FLUTTER_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Lua version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_LUA_FOREGROUND=32
+  # typeset -g POWERLEVEL9K_ASDF_LUA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_LUA_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Java version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_JAVA_FOREGROUND=32
+  # typeset -g POWERLEVEL9K_ASDF_JAVA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_JAVA_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Perl version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_PERL_FOREGROUND=67
+  # typeset -g POWERLEVEL9K_ASDF_PERL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_PERL_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Erlang version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_ERLANG_FOREGROUND=125
+  # typeset -g POWERLEVEL9K_ASDF_ERLANG_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_ERLANG_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Elixir version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_ELIXIR_FOREGROUND=129
+  # typeset -g POWERLEVEL9K_ASDF_ELIXIR_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_ELIXIR_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Postgres version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_POSTGRES_FOREGROUND=31
+  # typeset -g POWERLEVEL9K_ASDF_POSTGRES_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_POSTGRES_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # PHP version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_PHP_FOREGROUND=99
+  # typeset -g POWERLEVEL9K_ASDF_PHP_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_PHP_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Haskell version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_HASKELL_FOREGROUND=172
+  # typeset -g POWERLEVEL9K_ASDF_HASKELL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_HASKELL_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  # Julia version from asdf.
+  typeset -g POWERLEVEL9K_ASDF_JULIA_FOREGROUND=70
+  # typeset -g POWERLEVEL9K_ASDF_JULIA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # typeset -g POWERLEVEL9K_ASDF_JULIA_SHOW_ON_UPGLOB='*.foo|*.bar'
+
+  ##########[ nordvpn: nordvpn connection status, linux only (https://nordvpn.com/) ]###########
+  # NordVPN connection indicator color.
+  typeset -g POWERLEVEL9K_NORDVPN_FOREGROUND=39
+  # Hide NordVPN connection indicator when not connected.
+  typeset -g POWERLEVEL9K_NORDVPN_{DISCONNECTED,CONNECTING,DISCONNECTING}_CONTENT_EXPANSION=
+  typeset -g POWERLEVEL9K_NORDVPN_{DISCONNECTED,CONNECTING,DISCONNECTING}_VISUAL_IDENTIFIER_EXPANSION=
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_NORDVPN_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #################[ ranger: ranger shell (https://github.com/ranger/ranger) ]##################
+  # Ranger shell color.
+  typeset -g POWERLEVEL9K_RANGER_FOREGROUND=178
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_RANGER_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ######################[ nnn: nnn shell (https://github.com/jarun/nnn) ]#######################
+  # Nnn shell color.
+  typeset -g POWERLEVEL9K_NNN_FOREGROUND=72
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_NNN_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###########################[ vim_shell: vim shell indicator (:sh) ]###########################
+  # Vim shell indicator color.
+  typeset -g POWERLEVEL9K_VIM_SHELL_FOREGROUND=34
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_VIM_SHELL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ######[ midnight_commander: midnight commander shell (https://midnight-commander.org/) ]######
+  # Midnight Commander shell color.
+  typeset -g POWERLEVEL9K_MIDNIGHT_COMMANDER_FOREGROUND=178
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_MIDNIGHT_COMMANDER_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #[ nix_shell: nix shell (https://nixos.org/nixos/nix-pills/developing-with-nix-shell.html) ]##
+  # Nix shell color.
+  typeset -g POWERLEVEL9K_NIX_SHELL_FOREGROUND=74
+
+  # Tip: If you want to see just the icon without "pure" and "impure", uncomment the next line.
+  # typeset -g POWERLEVEL9K_NIX_SHELL_CONTENT_EXPANSION=
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_NIX_SHELL_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##################################[ disk_usage: disk usage ]##################################
+  # Colors for different levels of disk usage.
+  typeset -g POWERLEVEL9K_DISK_USAGE_NORMAL_FOREGROUND=35
+  typeset -g POWERLEVEL9K_DISK_USAGE_WARNING_FOREGROUND=220
+  typeset -g POWERLEVEL9K_DISK_USAGE_CRITICAL_FOREGROUND=160
+  # Thresholds for different levels of disk usage (percentage points).
+  typeset -g POWERLEVEL9K_DISK_USAGE_WARNING_LEVEL=90
+  typeset -g POWERLEVEL9K_DISK_USAGE_CRITICAL_LEVEL=95
+  # If set to true, hide disk usage when below $POWERLEVEL9K_DISK_USAGE_WARNING_LEVEL percent.
+  typeset -g POWERLEVEL9K_DISK_USAGE_ONLY_WARNING=false
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_DISK_USAGE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ######################################[ ram: free RAM ]#######################################
+  # RAM color.
+  typeset -g POWERLEVEL9K_RAM_FOREGROUND=66
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_RAM_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #####################################[ swap: used swap ]######################################
+  # Swap color.
+  typeset -g POWERLEVEL9K_SWAP_FOREGROUND=96
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_SWAP_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ######################################[ load: CPU load ]######################################
+  # Show average CPU load over this many last minutes. Valid values are 1, 5 and 15.
+  typeset -g POWERLEVEL9K_LOAD_WHICH=5
+  # Load color when load is under 50%.
+  typeset -g POWERLEVEL9K_LOAD_NORMAL_FOREGROUND=66
+  # Load color when load is between 50% and 70%.
+  typeset -g POWERLEVEL9K_LOAD_WARNING_FOREGROUND=178
+  # Load color when load is over 70%.
+  typeset -g POWERLEVEL9K_LOAD_CRITICAL_FOREGROUND=166
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_LOAD_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ################[ todo: todo items (https://github.com/todotxt/todo.txt-cli) ]################
+  # Todo color.
+  typeset -g POWERLEVEL9K_TODO_FOREGROUND=110
+  # Hide todo when the total number of tasks is zero.
+  typeset -g POWERLEVEL9K_TODO_HIDE_ZERO_TOTAL=true
+  # Hide todo when the number of tasks after filtering is zero.
+  typeset -g POWERLEVEL9K_TODO_HIDE_ZERO_FILTERED=false
+
+  # Todo format. The following parameters are available within the expansion.
+  #
+  # - P9K_TODO_TOTAL_TASK_COUNT     The total number of tasks.
+  # - P9K_TODO_FILTERED_TASK_COUNT  The number of tasks after filtering.
+  #
+  # These variables correspond to the last line of the output of `todo.sh -p ls`:
+  #
+  #   TODO: 24 of 42 tasks shown
+  #
+  # Here 24 is P9K_TODO_FILTERED_TASK_COUNT and 42 is P9K_TODO_TOTAL_TASK_COUNT.
+  #
+  # typeset -g POWERLEVEL9K_TODO_CONTENT_EXPANSION='$P9K_TODO_FILTERED_TASK_COUNT'
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_TODO_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###########[ timewarrior: timewarrior tracking status (https://timewarrior.net/) ]############
+  # Timewarrior color.
+  typeset -g POWERLEVEL9K_TIMEWARRIOR_FOREGROUND=110
+  # If the tracked task is longer than 24 characters, truncate and append "…".
+  # Tip: To always display tasks without truncation, delete the following parameter.
+  # Tip: To hide task names and display just the icon when time tracking is enabled, set the
+  # value of the following parameter to "".
+  typeset -g POWERLEVEL9K_TIMEWARRIOR_CONTENT_EXPANSION='${P9K_CONTENT:0:24}${${P9K_CONTENT:24}:+…}'
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_TIMEWARRIOR_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##############[ taskwarrior: taskwarrior task count (https://taskwarrior.org/) ]##############
+  # Taskwarrior color.
+  typeset -g POWERLEVEL9K_TASKWARRIOR_FOREGROUND=74
+  
+  # Taskwarrior segment format. The following parameters are available within the expansion.
+  #
+  # - P9K_TASKWARRIOR_PENDING_COUNT   The number of pending tasks: `task +PENDING count`.
+  # - P9K_TASKWARRIOR_OVERDUE_COUNT   The number of overdue tasks: `task +OVERDUE count`.
+  #
+  # Zero values are represented as empty parameters.
+  #
+  # The default format:
+  #
+  #   '${P9K_TASKWARRIOR_OVERDUE_COUNT:+"!$P9K_TASKWARRIOR_OVERDUE_COUNT/"}$P9K_TASKWARRIOR_PENDING_COUNT'
+  #
+  # typeset -g POWERLEVEL9K_TASKWARRIOR_CONTENT_EXPANSION='$P9K_TASKWARRIOR_PENDING_COUNT'
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_TASKWARRIOR_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##################################[ context: user@hostname ]##################################
+  # Context color when running with privileges.
+  typeset -g POWERLEVEL9K_CONTEXT_ROOT_FOREGROUND=178
+  # Context color in SSH without privileges.
+  typeset -g POWERLEVEL9K_CONTEXT_{REMOTE,REMOTE_SUDO}_FOREGROUND=31
+  # Default context color (no privileges, no SSH).
+  typeset -g POWERLEVEL9K_CONTEXT_FOREGROUND=31
+
+  # Context format when running with privileges: bold user@hostname.
+  typeset -g POWERLEVEL9K_CONTEXT_ROOT_TEMPLATE='%B%n@%m'
+  # Context format when in SSH without privileges: user@hostname.
+  typeset -g POWERLEVEL9K_CONTEXT_{REMOTE,REMOTE_SUDO}_TEMPLATE='%n@%m'
+  # Default context format (no privileges, no SSH): user@hostname.
+  typeset -g POWERLEVEL9K_CONTEXT_TEMPLATE='%n@%m'
+
+  # Don't show context unless running with privileges or in SSH.
+  # Tip: Remove the next line to always show context.
+  typeset -g POWERLEVEL9K_CONTEXT_{DEFAULT,SUDO}_{CONTENT,VISUAL_IDENTIFIER}_EXPANSION=
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_CONTEXT_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  # Custom prefix.
+  # typeset -g POWERLEVEL9K_CONTEXT_PREFIX='%fwith '
+
+  ###[ virtualenv: python virtual environment (https://docs.python.org/3/library/venv.html) ]###
+  # Python virtual environment color.
+  typeset -g POWERLEVEL9K_VIRTUALENV_FOREGROUND=37
+  # Don't show Python version next to the virtual environment name.
+  typeset -g POWERLEVEL9K_VIRTUALENV_SHOW_PYTHON_VERSION=false
+  # If set to "false", won't show virtualenv if pyenv is already shown.
+  # If set to "if-different", won't show virtualenv if it's the same as pyenv.
+  typeset -g POWERLEVEL9K_VIRTUALENV_SHOW_WITH_PYENV=false
+  # Separate environment name from Python version only with a space.
+  typeset -g POWERLEVEL9K_VIRTUALENV_{LEFT,RIGHT}_DELIMITER=
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_VIRTUALENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #####################[ anaconda: conda environment (https://conda.io/) ]######################
+  # Anaconda environment color.
+  typeset -g POWERLEVEL9K_ANACONDA_FOREGROUND=37
+
+  # Anaconda segment format. The following parameters are available within the expansion.
+  #
+  # - CONDA_PREFIX                 Absolute path to the active Anaconda/Miniconda environment.
+  # - CONDA_DEFAULT_ENV            Name of the active Anaconda/Miniconda environment.
+  # - CONDA_PROMPT_MODIFIER        Configurable prompt modifier (see below).
+  # - P9K_ANACONDA_PYTHON_VERSION  Current python version (python --version).
+  #
+  # CONDA_PROMPT_MODIFIER can be configured with the following command:
+  #
+  #   conda config --set env_prompt '({default_env}) '
+  #
+  # The last argument is a Python format string that can use the following variables:
+  #
+  # - prefix       The same as CONDA_PREFIX.
+  # - default_env  The same as CONDA_DEFAULT_ENV.
+  # - name         The last segment of CONDA_PREFIX.
+  # - stacked_env  Comma-separated list of names in the environment stack. The first element is
+  #                always the same as default_env.
+  #
+  # Note: '({default_env}) ' is the default value of env_prompt.
+  #
+  # The default value of POWERLEVEL9K_ANACONDA_CONTENT_EXPANSION expands to $CONDA_PROMPT_MODIFIER
+  # without the surrounding parentheses, or to the last path component of CONDA_PREFIX if the former
+  # is empty.
+  typeset -g POWERLEVEL9K_ANACONDA_CONTENT_EXPANSION='${${${${CONDA_PROMPT_MODIFIER#\(}% }%\)}:-${CONDA_PREFIX:t}}'
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_ANACONDA_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ################[ pyenv: python environment (https://github.com/pyenv/pyenv) ]################
+  # Pyenv color.
+  typeset -g POWERLEVEL9K_PYENV_FOREGROUND=37
+  # Hide python version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_PYENV_SOURCES=(shell local global)
+  # If set to false, hide python version if it's the same as global:
+  # $(pyenv version-name) == $(pyenv global).
+  typeset -g POWERLEVEL9K_PYENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide python version if it's equal to "system".
+  typeset -g POWERLEVEL9K_PYENV_SHOW_SYSTEM=true
+
+  # Pyenv segment format. The following parameters are available within the expansion.
+  #
+  # - P9K_CONTENT                Current pyenv environment (pyenv version-name).
+  # - P9K_PYENV_PYTHON_VERSION   Current python version (python --version).
+  #
+  # The default format has the following logic:
+  #
+  # 1. Display "$P9K_CONTENT $P9K_PYENV_PYTHON_VERSION" if $P9K_PYENV_PYTHON_VERSION is not
+  #   empty and unequal to $P9K_CONTENT.
+  # 2. Otherwise display just "$P9K_CONTENT".
+  typeset -g POWERLEVEL9K_PYENV_CONTENT_EXPANSION='${P9K_CONTENT}${${P9K_PYENV_PYTHON_VERSION:#$P9K_CONTENT}:+ $P9K_PYENV_PYTHON_VERSION}'
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_PYENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ################[ goenv: go environment (https://github.com/syndbg/goenv) ]################
+  # Goenv color.
+  typeset -g POWERLEVEL9K_GOENV_FOREGROUND=37
+  # Hide go version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_GOENV_SOURCES=(shell local global)
+  # If set to false, hide go version if it's the same as global:
+  # $(goenv version-name) == $(goenv global).
+  typeset -g POWERLEVEL9K_GOENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide go version if it's equal to "system".
+  typeset -g POWERLEVEL9K_GOENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_GOENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##########[ nodenv: node.js version from nodenv (https://github.com/nodenv/nodenv) ]##########
+  # Nodenv color.
+  typeset -g POWERLEVEL9K_NODENV_FOREGROUND=70
+  # Hide node version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_NODENV_SOURCES=(shell local global)
+  # If set to false, hide node version if it's the same as global:
+  # $(nodenv version-name) == $(nodenv global).
+  typeset -g POWERLEVEL9K_NODENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide node version if it's equal to "system".
+  typeset -g POWERLEVEL9K_NODENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_NODENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##############[ nvm: node.js version from nvm (https://github.com/nvm-sh/nvm) ]###############
+  # Nvm color.
+  typeset -g POWERLEVEL9K_NVM_FOREGROUND=70
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_NVM_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ############[ nodeenv: node.js environment (https://github.com/ekalinin/nodeenv) ]############
+  # Nodeenv color.
+  typeset -g POWERLEVEL9K_NODEENV_FOREGROUND=70
+  # Don't show Node version next to the environment name.
+  typeset -g POWERLEVEL9K_NODEENV_SHOW_NODE_VERSION=false
+  # Separate environment name from Node version only with a space.
+  typeset -g POWERLEVEL9K_NODEENV_{LEFT,RIGHT}_DELIMITER=
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_NODEENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##############################[ node_version: node.js version ]###############################
+  # Node version color.
+  typeset -g POWERLEVEL9K_NODE_VERSION_FOREGROUND=70
+  # Show node version only when in a directory tree containing package.json.
+  typeset -g POWERLEVEL9K_NODE_VERSION_PROJECT_ONLY=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_NODE_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #######################[ go_version: go version (https://golang.org) ]########################
+  # Go version color.
+  typeset -g POWERLEVEL9K_GO_VERSION_FOREGROUND=37
+  # Show go version only when in a go project subdirectory.
+  typeset -g POWERLEVEL9K_GO_VERSION_PROJECT_ONLY=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_GO_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #################[ rust_version: rustc version (https://www.rust-lang.org) ]##################
+  # Rust version color.
+  typeset -g POWERLEVEL9K_RUST_VERSION_FOREGROUND=37
+  # Show rust version only when in a rust project subdirectory.
+  typeset -g POWERLEVEL9K_RUST_VERSION_PROJECT_ONLY=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_RUST_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###############[ dotnet_version: .NET version (https://dotnet.microsoft.com) ]################
+  # .NET version color.
+  typeset -g POWERLEVEL9K_DOTNET_VERSION_FOREGROUND=134
+  # Show .NET version only when in a .NET project subdirectory.
+  typeset -g POWERLEVEL9K_DOTNET_VERSION_PROJECT_ONLY=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_DOTNET_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #####################[ php_version: php version (https://www.php.net/) ]######################
+  # PHP version color.
+  typeset -g POWERLEVEL9K_PHP_VERSION_FOREGROUND=99
+  # Show PHP version only when in a PHP project subdirectory.
+  typeset -g POWERLEVEL9K_PHP_VERSION_PROJECT_ONLY=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_PHP_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##########[ laravel_version: laravel php framework version (https://laravel.com/) ]###########
+  # Laravel version color.
+  typeset -g POWERLEVEL9K_LARAVEL_VERSION_FOREGROUND=161
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_LARAVEL_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ####################[ java_version: java version (https://www.java.com/) ]####################
+  # Java version color.
+  typeset -g POWERLEVEL9K_JAVA_VERSION_FOREGROUND=32
+  # Show java version only when in a java project subdirectory.
+  typeset -g POWERLEVEL9K_JAVA_VERSION_PROJECT_ONLY=true
+  # Show brief version.
+  typeset -g POWERLEVEL9K_JAVA_VERSION_FULL=false
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_JAVA_VERSION_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###[ package: name@version from package.json (https://docs.npmjs.com/files/package.json) ]####
+  # Package color.
+  typeset -g POWERLEVEL9K_PACKAGE_FOREGROUND=117
+  # Package format. The following parameters are available within the expansion.
+  #
+  # - P9K_PACKAGE_NAME     The value of `name` field in package.json.
+  # - P9K_PACKAGE_VERSION  The value of `version` field in package.json.
+  #
+  # typeset -g POWERLEVEL9K_PACKAGE_CONTENT_EXPANSION='${P9K_PACKAGE_NAME//\%/%%}@${P9K_PACKAGE_VERSION//\%/%%}'
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_PACKAGE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #############[ rbenv: ruby version from rbenv (https://github.com/rbenv/rbenv) ]##############
+  # Rbenv color.
+  typeset -g POWERLEVEL9K_RBENV_FOREGROUND=168
+  # Hide ruby version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_RBENV_SOURCES=(shell local global)
+  # If set to false, hide ruby version if it's the same as global:
+  # $(rbenv version-name) == $(rbenv global).
+  typeset -g POWERLEVEL9K_RBENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide ruby version if it's equal to "system".
+  typeset -g POWERLEVEL9K_RBENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_RBENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #######################[ rvm: ruby version from rvm (https://rvm.io) ]########################
+  # Rvm color.
+  typeset -g POWERLEVEL9K_RVM_FOREGROUND=168
+  # Don't show @gemset at the end.
+  typeset -g POWERLEVEL9K_RVM_SHOW_GEMSET=false
+  # Don't show ruby- at the front.
+  typeset -g POWERLEVEL9K_RVM_SHOW_PREFIX=false
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_RVM_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###########[ fvm: flutter version management (https://github.com/leoafarias/fvm) ]############
+  # Fvm color.
+  typeset -g POWERLEVEL9K_FVM_FOREGROUND=38
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_FVM_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##########[ luaenv: lua version from luaenv (https://github.com/cehoffman/luaenv) ]###########
+  # Lua color.
+  typeset -g POWERLEVEL9K_LUAENV_FOREGROUND=32
+  # Hide lua version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_LUAENV_SOURCES=(shell local global)
+  # If set to false, hide lua version if it's the same as global:
+  # $(luaenv version-name) == $(luaenv global).
+  typeset -g POWERLEVEL9K_LUAENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide lua version if it's equal to "system".
+  typeset -g POWERLEVEL9K_LUAENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_LUAENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###############[ jenv: java version from jenv (https://github.com/jenv/jenv) ]################
+  # Java color.
+  typeset -g POWERLEVEL9K_JENV_FOREGROUND=32
+  # Hide java version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_JENV_SOURCES=(shell local global)
+  # If set to false, hide java version if it's the same as global:
+  # $(jenv version-name) == $(jenv global).
+  typeset -g POWERLEVEL9K_JENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide java version if it's equal to "system".
+  typeset -g POWERLEVEL9K_JENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_JENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###########[ plenv: perl version from plenv (https://github.com/tokuhirom/plenv) ]############
+  # Perl color.
+  typeset -g POWERLEVEL9K_PLENV_FOREGROUND=67
+  # Hide perl version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_PLENV_SOURCES=(shell local global)
+  # If set to false, hide perl version if it's the same as global:
+  # $(plenv version-name) == $(plenv global).
+  typeset -g POWERLEVEL9K_PLENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide perl version if it's equal to "system".
+  typeset -g POWERLEVEL9K_PLENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_PLENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ############[ phpenv: php version from phpenv (https://github.com/phpenv/phpenv) ]############
+  # PHP color.
+  typeset -g POWERLEVEL9K_PHPENV_FOREGROUND=99
+  # Hide php version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_PHPENV_SOURCES=(shell local global)
+  # If set to false, hide php version if it's the same as global:
+  # $(phpenv version-name) == $(phpenv global).
+  typeset -g POWERLEVEL9K_PHPENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide php version if it's equal to "system".
+  typeset -g POWERLEVEL9K_PHPENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_PHPENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #######[ scalaenv: scala version from scalaenv (https://github.com/scalaenv/scalaenv) ]#######
+  # Scala color.
+  typeset -g POWERLEVEL9K_SCALAENV_FOREGROUND=160
+  # Hide scala version if it doesn't come from one of these sources.
+  typeset -g POWERLEVEL9K_SCALAENV_SOURCES=(shell local global)
+  # If set to false, hide scala version if it's the same as global:
+  # $(scalaenv version-name) == $(scalaenv global).
+  typeset -g POWERLEVEL9K_SCALAENV_PROMPT_ALWAYS_SHOW=false
+  # If set to false, hide scala version if it's equal to "system".
+  typeset -g POWERLEVEL9K_SCALAENV_SHOW_SYSTEM=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_SCALAENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##########[ haskell_stack: haskell version from stack (https://haskellstack.org/) ]###########
+  # Haskell color.
+  typeset -g POWERLEVEL9K_HASKELL_STACK_FOREGROUND=172
+  # Hide haskell version if it doesn't come from one of these sources.
+  #
+  #   shell:  version is set by STACK_YAML
+  #   local:  version is set by stack.yaml up the directory tree
+  #   global: version is set by the implicit global project (~/.stack/global-project/stack.yaml)
+  typeset -g POWERLEVEL9K_HASKELL_STACK_SOURCES=(shell local)
+  # If set to false, hide haskell version if it's the same as in the implicit global project.
+  typeset -g POWERLEVEL9K_HASKELL_STACK_ALWAYS_SHOW=true
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_HASKELL_STACK_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #############[ kubecontext: current kubernetes context (https://kubernetes.io/) ]#############
+  # Show kubecontext only when the the command you are typing invokes one of these tools.
+  # Tip: Remove the next line to always show kubecontext.
+  typeset -g POWERLEVEL9K_KUBECONTEXT_SHOW_ON_COMMAND='kubectl|helm|kubens|kubectx|oc|istioctl|kogito|k9s|helmfile'
+
+  # Kubernetes context classes for the purpose of using different colors, icons and expansions with
+  # different contexts.
+  #
+  # POWERLEVEL9K_KUBECONTEXT_CLASSES is an array with even number of elements. The first element
+  # in each pair defines a pattern against which the current kubernetes context gets matched.
+  # More specifically, it's P9K_CONTENT prior to the application of context expansion (see below)
+  # that gets matched. If you unset all POWERLEVEL9K_KUBECONTEXT_*CONTENT_EXPANSION parameters,
+  # you'll see this value in your prompt. The second element of each pair in
+  # POWERLEVEL9K_KUBECONTEXT_CLASSES defines the context class. Patterns are tried in order. The
+  # first match wins.
+  #
+  # For example, given these settings:
+  #
+  #   typeset -g POWERLEVEL9K_KUBECONTEXT_CLASSES=(
+  #     '*prod*'  PROD
+  #     '*test*'  TEST
+  #     '*'       DEFAULT)
+  #
+  # If your current kubernetes context is "deathray-testing/default", its class is TEST
+  # because "deathray-testing/default" doesn't match the pattern '*prod*' but does match '*test*'.
+  #
+  # You can define different colors, icons and content expansions for different classes:
+  #
+  #   typeset -g POWERLEVEL9K_KUBECONTEXT_TEST_FOREGROUND=28
+  #   typeset -g POWERLEVEL9K_KUBECONTEXT_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  #   typeset -g POWERLEVEL9K_KUBECONTEXT_TEST_CONTENT_EXPANSION='> ${P9K_CONTENT} <'
+  typeset -g POWERLEVEL9K_KUBECONTEXT_CLASSES=(
+      # '*prod*'  PROD    # These values are examples that are unlikely
+      # '*test*'  TEST    # to match your needs. Customize them as needed.
+      '*'       DEFAULT)
+  typeset -g POWERLEVEL9K_KUBECONTEXT_DEFAULT_FOREGROUND=134
+  # typeset -g POWERLEVEL9K_KUBECONTEXT_DEFAULT_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  # Use POWERLEVEL9K_KUBECONTEXT_CONTENT_EXPANSION to specify the content displayed by kubecontext
+  # segment. Parameter expansions are very flexible and fast, too. See reference:
+  # http://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion.
+  #
+  # Within the expansion the following parameters are always available:
+  #
+  # - P9K_CONTENT                The content that would've been displayed if there was no content
+  #                              expansion defined.
+  # - P9K_KUBECONTEXT_NAME       The current context's name. Corresponds to column NAME in the
+  #                              output of `kubectl config get-contexts`.
+  # - P9K_KUBECONTEXT_CLUSTER    The current context's cluster. Corresponds to column CLUSTER in the
+  #                              output of `kubectl config get-contexts`.
+  # - P9K_KUBECONTEXT_NAMESPACE  The current context's namespace. Corresponds to column NAMESPACE
+  #                              in the output of `kubectl config get-contexts`. If there is no
+  #                              namespace, the parameter is set to "default".
+  # - P9K_KUBECONTEXT_USER       The current context's user. Corresponds to column AUTHINFO in the
+  #                              output of `kubectl config get-contexts`.
+  #
+  # If the context points to Google Kubernetes Engine (GKE) or Elastic Kubernetes Service (EKS),
+  # the following extra parameters are available:
+  #
+  # - P9K_KUBECONTEXT_CLOUD_NAME     Either "gke" or "eks".
+  # - P9K_KUBECONTEXT_CLOUD_ACCOUNT  Account/project ID.
+  # - P9K_KUBECONTEXT_CLOUD_ZONE     Availability zone.
+  # - P9K_KUBECONTEXT_CLOUD_CLUSTER  Cluster.
+  #
+  # P9K_KUBECONTEXT_CLOUD_* parameters are derived from P9K_KUBECONTEXT_CLUSTER. For example,
+  # if P9K_KUBECONTEXT_CLUSTER is "gke_my-account_us-east1-a_my-cluster-01":
+  #
+  #   - P9K_KUBECONTEXT_CLOUD_NAME=gke
+  #   - P9K_KUBECONTEXT_CLOUD_ACCOUNT=my-account
+  #   - P9K_KUBECONTEXT_CLOUD_ZONE=us-east1-a
+  #   - P9K_KUBECONTEXT_CLOUD_CLUSTER=my-cluster-01
+  #
+  # If P9K_KUBECONTEXT_CLUSTER is "arn:aws:eks:us-east-1:123456789012:cluster/my-cluster-01":
+  #
+  #   - P9K_KUBECONTEXT_CLOUD_NAME=eks
+  #   - P9K_KUBECONTEXT_CLOUD_ACCOUNT=123456789012
+  #   - P9K_KUBECONTEXT_CLOUD_ZONE=us-east-1
+  #   - P9K_KUBECONTEXT_CLOUD_CLUSTER=my-cluster-01
+  typeset -g POWERLEVEL9K_KUBECONTEXT_DEFAULT_CONTENT_EXPANSION=
+  # Show P9K_KUBECONTEXT_CLOUD_CLUSTER if it's not empty and fall back to P9K_KUBECONTEXT_NAME.
+  POWERLEVEL9K_KUBECONTEXT_DEFAULT_CONTENT_EXPANSION+='${P9K_KUBECONTEXT_CLOUD_CLUSTER:-${P9K_KUBECONTEXT_NAME}}'
+  # Append the current context's namespace if it's not "default".
+  POWERLEVEL9K_KUBECONTEXT_DEFAULT_CONTENT_EXPANSION+='${${:-/$P9K_KUBECONTEXT_NAMESPACE}:#/default}'
+
+  # Custom prefix.
+  # typeset -g POWERLEVEL9K_KUBECONTEXT_PREFIX='%fat '
+
+  ################[ terraform: terraform workspace (https://www.terraform.io) ]#################
+  # Don't show terraform workspace if it's literally "default".
+  typeset -g POWERLEVEL9K_TERRAFORM_SHOW_DEFAULT=false
+  # POWERLEVEL9K_TERRAFORM_CLASSES is an array with even number of elements. The first element
+  # in each pair defines a pattern against which the current terraform workspace gets matched.
+  # More specifically, it's P9K_CONTENT prior to the application of context expansion (see below)
+  # that gets matched. If you unset all POWERLEVEL9K_TERRAFORM_*CONTENT_EXPANSION parameters,
+  # you'll see this value in your prompt. The second element of each pair in
+  # POWERLEVEL9K_TERRAFORM_CLASSES defines the workspace class. Patterns are tried in order. The
+  # first match wins.
+  #
+  # For example, given these settings:
+  #
+  #   typeset -g POWERLEVEL9K_TERRAFORM_CLASSES=(
+  #     '*prod*'  PROD
+  #     '*test*'  TEST
+  #     '*'       OTHER)
+  #
+  # If your current terraform workspace is "project_test", its class is TEST because "project_test"
+  # doesn't match the pattern '*prod*' but does match '*test*'.
+  #
+  # You can define different colors, icons and content expansions for different classes:
+  #
+  #   typeset -g POWERLEVEL9K_TERRAFORM_TEST_FOREGROUND=28
+  #   typeset -g POWERLEVEL9K_TERRAFORM_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  #   typeset -g POWERLEVEL9K_TERRAFORM_TEST_CONTENT_EXPANSION='> ${P9K_CONTENT} <'
+  typeset -g POWERLEVEL9K_TERRAFORM_CLASSES=(
+      # '*prod*'  PROD    # These values are examples that are unlikely
+      # '*test*'  TEST    # to match your needs. Customize them as needed.
+      '*'         OTHER)
+  typeset -g POWERLEVEL9K_TERRAFORM_OTHER_FOREGROUND=38
+  # typeset -g POWERLEVEL9K_TERRAFORM_OTHER_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #[ aws: aws profile (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) ]#
+  # Show aws only when the the command you are typing invokes one of these tools.
+  # Tip: Remove the next line to always show aws.
+  typeset -g POWERLEVEL9K_AWS_SHOW_ON_COMMAND='aws|awless|terraform|pulumi|terragrunt'
+
+  # POWERLEVEL9K_AWS_CLASSES is an array with even number of elements. The first element
+  # in each pair defines a pattern against which the current AWS profile gets matched.
+  # More specifically, it's P9K_CONTENT prior to the application of context expansion (see below)
+  # that gets matched. If you unset all POWERLEVEL9K_AWS_*CONTENT_EXPANSION parameters,
+  # you'll see this value in your prompt. The second element of each pair in
+  # POWERLEVEL9K_AWS_CLASSES defines the profile class. Patterns are tried in order. The
+  # first match wins.
+  #
+  # For example, given these settings:
+  #
+  #   typeset -g POWERLEVEL9K_AWS_CLASSES=(
+  #     '*prod*'  PROD
+  #     '*test*'  TEST
+  #     '*'       DEFAULT)
+  #
+  # If your current AWS profile is "company_test", its class is TEST
+  # because "company_test" doesn't match the pattern '*prod*' but does match '*test*'.
+  #
+  # You can define different colors, icons and content expansions for different classes:
+  #
+  #   typeset -g POWERLEVEL9K_AWS_TEST_FOREGROUND=28
+  #   typeset -g POWERLEVEL9K_AWS_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  #   typeset -g POWERLEVEL9K_AWS_TEST_CONTENT_EXPANSION='> ${P9K_CONTENT} <'
+  typeset -g POWERLEVEL9K_AWS_CLASSES=(
+      # '*prod*'  PROD    # These values are examples that are unlikely
+      # '*test*'  TEST    # to match your needs. Customize them as needed.
+      '*'       DEFAULT)
+  typeset -g POWERLEVEL9K_AWS_DEFAULT_FOREGROUND=208
+  # typeset -g POWERLEVEL9K_AWS_DEFAULT_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #[ aws_eb_env: aws elastic beanstalk environment (https://aws.amazon.com/elasticbeanstalk/) ]#
+  # AWS Elastic Beanstalk environment color.
+  typeset -g POWERLEVEL9K_AWS_EB_ENV_FOREGROUND=70
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_AWS_EB_ENV_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##########[ azure: azure account name (https://docs.microsoft.com/en-us/cli/azure) ]##########
+  # Show azure only when the the command you are typing invokes one of these tools.
+  # Tip: Remove the next line to always show azure.
+  typeset -g POWERLEVEL9K_AZURE_SHOW_ON_COMMAND='az|terraform|pulumi|terragrunt'
+  # Azure account name color.
+  typeset -g POWERLEVEL9K_AZURE_FOREGROUND=32
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_AZURE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ##########[ gcloud: google cloud account and project (https://cloud.google.com/) ]###########
+  # Show gcloud only when the the command you are typing invokes one of these tools.
+  # Tip: Remove the next line to always show gcloud.
+  typeset -g POWERLEVEL9K_GCLOUD_SHOW_ON_COMMAND='gcloud|gcs'
+   # Google cloud color.
+  typeset -g POWERLEVEL9K_GCLOUD_FOREGROUND=32
+
+  # Google cloud format. Change the value of POWERLEVEL9K_GCLOUD_PARTIAL_CONTENT_EXPANSION and/or
+  # POWERLEVEL9K_GCLOUD_COMPLETE_CONTENT_EXPANSION if the default is too verbose or not informative
+  # enough. You can use the following parameters in the expansions. Each of them corresponds to the
+  # output of `gcloud` tool.
+  #
+  #   Parameter                | Source
+  #   -------------------------|--------------------------------------------------------------------
+  #   P9K_GCLOUD_CONFIGURATION | gcloud config configurations list --format='value(name)'
+  #   P9K_GCLOUD_ACCOUNT       | gcloud config get-value account
+  #   P9K_GCLOUD_PROJECT_ID    | gcloud config get-value project
+  #   P9K_GCLOUD_PROJECT_NAME  | gcloud projects describe $P9K_GCLOUD_PROJECT_ID --format='value(name)'
+  #
+  # Note: ${VARIABLE//\%/%%} expands to ${VARIABLE} with all occurrences of '%' replaced with '%%'.
+  #
+  # Obtaining project name requires sending a request to Google servers. This can take a long time
+  # and even fail. When project name is unknown, P9K_GCLOUD_PROJECT_NAME is not set and gcloud
+  # prompt segment is in state PARTIAL. When project name gets known, P9K_GCLOUD_PROJECT_NAME gets
+  # set and gcloud prompt segment transitions to state COMPLETE.
+  #
+  # You can customize the format, icon and colors of gcloud segment separately for states PARTIAL
+  # and COMPLETE. You can also hide gcloud in state PARTIAL by setting
+  # POWERLEVEL9K_GCLOUD_PARTIAL_VISUAL_IDENTIFIER_EXPANSION and
+  # POWERLEVEL9K_GCLOUD_PARTIAL_CONTENT_EXPANSION to empty.
+  typeset -g POWERLEVEL9K_GCLOUD_PARTIAL_CONTENT_EXPANSION='${P9K_GCLOUD_PROJECT_ID//\%/%%}'
+  typeset -g POWERLEVEL9K_GCLOUD_COMPLETE_CONTENT_EXPANSION='${P9K_GCLOUD_PROJECT_NAME//\%/%%}'
+
+  # Send a request to Google (by means of `gcloud projects describe ...`) to obtain project name
+  # this often. Negative value disables periodic polling. In this mode project name is retrieved
+  # only when the current configuration, account or project id changes.
+  typeset -g POWERLEVEL9K_GCLOUD_REFRESH_PROJECT_NAME_SECONDS=60
+
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_GCLOUD_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #[ google_app_cred: google application credentials (https://cloud.google.com/docs/authentication/production) ]#
+  # Show google_app_cred only when the the command you are typing invokes one of these tools.
+  # Tip: Remove the next line to always show google_app_cred.
+  typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_SHOW_ON_COMMAND='terraform|pulumi|terragrunt'
+
+  # Google application credentials classes for the purpose of using different colors, icons and
+  # expansions with different credentials.
+  #
+  # POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES is an array with even number of elements. The first
+  # element in each pair defines a pattern against which the current kubernetes context gets
+  # matched. More specifically, it's P9K_CONTENT prior to the application of context expansion
+  # (see below) that gets matched. If you unset all POWERLEVEL9K_GOOGLE_APP_CRED_*CONTENT_EXPANSION
+  # parameters, you'll see this value in your prompt. The second element of each pair in
+  # POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES defines the context class. Patterns are tried in order.
+  # The first match wins.
+  #
+  # For example, given these settings:
+  #
+  #   typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES=(
+  #     '*:*prod*:*'  PROD
+  #     '*:*test*:*'  TEST
+  #     '*'           DEFAULT)
+  #
+  # If your current Google application credentials is "service_account deathray-testing x@y.com",
+  # its class is TEST because it doesn't match the pattern '* *prod* *' but does match '* *test* *'.
+  #
+  # You can define different colors, icons and content expansions for different classes:
+  #
+  #   typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_TEST_FOREGROUND=28
+  #   typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_TEST_VISUAL_IDENTIFIER_EXPANSION='⭐'
+  #   typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_TEST_CONTENT_EXPANSION='$P9K_GOOGLE_APP_CRED_PROJECT_ID'
+  typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_CLASSES=(
+      # '*:*prod*:*'  PROD    # These values are examples that are unlikely
+      # '*:*test*:*'  TEST    # to match your needs. Customize them as needed.
+      '*'             DEFAULT)
+  typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_DEFAULT_FOREGROUND=32
+  # typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_DEFAULT_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  # Use POWERLEVEL9K_GOOGLE_APP_CRED_CONTENT_EXPANSION to specify the content displayed by
+  # google_app_cred segment. Parameter expansions are very flexible and fast, too. See reference:
+  # http://zsh.sourceforge.net/Doc/Release/Expansion.html#Parameter-Expansion.
+  #
+  # You can use the following parameters in the expansion. Each of them corresponds to one of the
+  # fields in the JSON file pointed to by GOOGLE_APPLICATION_CREDENTIALS.
+  #
+  #   Parameter                        | JSON key file field
+  #   ---------------------------------+---------------
+  #   P9K_GOOGLE_APP_CRED_TYPE         | type
+  #   P9K_GOOGLE_APP_CRED_PROJECT_ID   | project_id
+  #   P9K_GOOGLE_APP_CRED_CLIENT_EMAIL | client_email
+  #
+  # Note: ${VARIABLE//\%/%%} expands to ${VARIABLE} with all occurrences of '%' replaced by '%%'.
+  typeset -g POWERLEVEL9K_GOOGLE_APP_CRED_DEFAULT_CONTENT_EXPANSION='${P9K_GOOGLE_APP_CRED_PROJECT_ID//\%/%%}'
+
+  ###############################[ public_ip: public IP address ]###############################
+  # Public IP color.
+  typeset -g POWERLEVEL9K_PUBLIC_IP_FOREGROUND=94
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_PUBLIC_IP_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ########################[ vpn_ip: virtual private network indicator ]#########################
+  # VPN IP color.
+  typeset -g POWERLEVEL9K_VPN_IP_FOREGROUND=81
+  # When on VPN, show just an icon without the IP address.
+  # Tip: To display the private IP address when on VPN, remove the next line.
+  typeset -g POWERLEVEL9K_VPN_IP_CONTENT_EXPANSION=
+  # Regular expression for the VPN network interface. Run `ifconfig` or `ip -4 a show` while on VPN
+  # to see the name of the interface.
+  typeset -g POWERLEVEL9K_VPN_IP_INTERFACE='(gpd|wg|(.*tun))[0-9]*'
+  # If set to true, show one segment per matching network interface. If set to false, show only
+  # one segment corresponding to the first matching network interface.
+  # Tip: If you set it to true, you'll probably want to unset POWERLEVEL9K_VPN_IP_CONTENT_EXPANSION.
+  typeset -g POWERLEVEL9K_VPN_IP_SHOW_ALL=false
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_VPN_IP_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ###########[ ip: ip address and bandwidth usage for a specified network interface ]###########
+  # IP color.
+  typeset -g POWERLEVEL9K_IP_FOREGROUND=38
+  # The following parameters are accessible within the expansion:
+  #
+  #   Parameter             | Meaning
+  #   ----------------------+---------------
+  #   P9K_IP_IP         | IP address
+  #   P9K_IP_INTERFACE  | network interface
+  #   P9K_IP_RX_BYTES   | total number of bytes received
+  #   P9K_IP_TX_BYTES   | total number of bytes sent
+  #   P9K_IP_RX_RATE    | receive rate (since last prompt)
+  #   P9K_IP_TX_RATE    | send rate (since last prompt)
+  typeset -g POWERLEVEL9K_IP_CONTENT_EXPANSION='$P9K_IP_IP${P9K_IP_RX_RATE:+ %70F⇣$P9K_IP_RX_RATE}${P9K_IP_TX_RATE:+ %215F⇡$P9K_IP_TX_RATE}'
+  # Show information for the first network interface whose name matches this regular expression.
+  # Run `ifconfig` or `ip -4 a show` to see the names of all network interfaces.
+  typeset -g POWERLEVEL9K_IP_INTERFACE='e.*'
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_IP_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  #########################[ proxy: system-wide http/https/ftp proxy ]##########################
+  # Proxy color.
+  typeset -g POWERLEVEL9K_PROXY_FOREGROUND=68
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_PROXY_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  ################################[ battery: internal battery ]#################################
+  # Show battery in red when it's below this level and not connected to power supply.
+  typeset -g POWERLEVEL9K_BATTERY_LOW_THRESHOLD=20
+  typeset -g POWERLEVEL9K_BATTERY_LOW_FOREGROUND=160
+  # Show battery in green when it's charging or fully charged.
+  typeset -g POWERLEVEL9K_BATTERY_{CHARGING,CHARGED}_FOREGROUND=70
+  # Show battery in yellow when it's discharging.
+  typeset -g POWERLEVEL9K_BATTERY_DISCONNECTED_FOREGROUND=178
+  # Battery pictograms going from low to high level of charge.
+  typeset -g POWERLEVEL9K_BATTERY_STAGES='\uf58d\uf579\uf57a\uf57b\uf57c\uf57d\uf57e\uf57f\uf580\uf581\uf578'
+  # Don't show the remaining time to charge/discharge.
+  typeset -g POWERLEVEL9K_BATTERY_VERBOSE=false
+
+  #####################################[ wifi: wifi speed ]#####################################
+  # WiFi color.
+  typeset -g POWERLEVEL9K_WIFI_FOREGROUND=68
+  # Custom icon.
+  # typeset -g POWERLEVEL9K_WIFI_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  # Use different colors and icons depending on signal strength ($P9K_WIFI_BARS).
+  #
+  #   # Wifi colors and icons for different signal strength levels (low to high).
+  #   typeset -g my_wifi_fg=(68 68 68 68 68)                           # <-- change these values
+  #   typeset -g my_wifi_icon=('WiFi' 'WiFi' 'WiFi' 'WiFi' 'WiFi')     # <-- change these values
+  #
+  #   typeset -g POWERLEVEL9K_WIFI_CONTENT_EXPANSION='%F{${my_wifi_fg[P9K_WIFI_BARS+1]}}$P9K_WIFI_LAST_TX_RATE Mbps'
+  #   typeset -g POWERLEVEL9K_WIFI_VISUAL_IDENTIFIER_EXPANSION='%F{${my_wifi_fg[P9K_WIFI_BARS+1]}}${my_wifi_icon[P9K_WIFI_BARS+1]}'
+  #
+  # The following parameters are accessible within the expansions:
+  #
+  #   Parameter             | Meaning
+  #   ----------------------+---------------
+  #   P9K_WIFI_SSID         | service set identifier, a.k.a. network name
+  #   P9K_WIFI_LINK_AUTH    | authentication protocol such as "wpa2-psk" or "none"; empty if unknown
+  #   P9K_WIFI_LAST_TX_RATE | wireless transmit rate in megabits per second
+  #   P9K_WIFI_RSSI         | signal strength in dBm, from -120 to 0
+  #   P9K_WIFI_NOISE        | noise in dBm, from -120 to 0
+  #   P9K_WIFI_BARS         | signal strength in bars, from 0 to 4 (derived from P9K_WIFI_RSSI and P9K_WIFI_NOISE)
+
+  ####################################[ time: current time ]####################################
+  # Current time color.
+  typeset -g POWERLEVEL9K_TIME_FOREGROUND=66
+  # Format for the current time: 09:51:02. See `man 3 strftime`.
+  typeset -g POWERLEVEL9K_TIME_FORMAT='%D{%H:%M}'
+  # If set to true, time will update when you hit enter. This way prompts for the past
+  # commands will contain the start times of their commands as opposed to the default
+  # behavior where they contain the end times of their preceding commands.
+  typeset -g POWERLEVEL9K_TIME_UPDATE_ON_COMMAND=false
+  # Custom icon.
+  typeset -g POWERLEVEL9K_TIME_VISUAL_IDENTIFIER_EXPANSION=''
+  # Custom prefix.
+  # typeset -g POWERLEVEL9K_TIME_PREFIX='%fat '
+
+  # Example of a user-defined prompt segment. Function prompt_example will be called on every
+  # prompt if `example` prompt segment is added to POWERLEVEL9K_LEFT_PROMPT_ELEMENTS or
+  # POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS. It displays an icon and orange text greeting the user.
+  #
+  # Type `p10k help segment` for documentation and a more sophisticated example.
+  function prompt_example() {
+    p10k segment -f 208 -i '⭐' -t 'hello, %n'
+  }
+
+  # User-defined prompt segments may optionally provide an instant_prompt_* function. Its job
+  # is to generate the prompt segment for display in instant prompt. See
+  # https://github.com/romkatv/powerlevel10k/blob/master/README.md#instant-prompt.
+  #
+  # Powerlevel10k will call instant_prompt_* at the same time as the regular prompt_* function
+  # and will record all `p10k segment` calls it makes. When displaying instant prompt, Powerlevel10k
+  # will replay these calls without actually calling instant_prompt_*. It is imperative that
+  # instant_prompt_* always makes the same `p10k segment` calls regardless of environment. If this
+  # rule is not observed, the content of instant prompt will be incorrect.
+  #
+  # Usually, you should either not define instant_prompt_* or simply call prompt_* from it. If
+  # instant_prompt_* is not defined for a segment, the segment won't be shown in instant prompt.
+  function instant_prompt_example() {
+    # Since prompt_example always makes the same `p10k segment` calls, we can call it from
+    # instant_prompt_example. This will give us the same `example` prompt segment in the instant
+    # and regular prompts.
+    prompt_example
+  }
+
+  # User-defined prompt segments can be customized the same way as built-in segments.
+  # typeset -g POWERLEVEL9K_EXAMPLE_FOREGROUND=208
+  # typeset -g POWERLEVEL9K_EXAMPLE_VISUAL_IDENTIFIER_EXPANSION='⭐'
+
+  # Transient prompt works similarly to the builtin transient_rprompt option. It trims down prompt
+  # when accepting a command line. Supported values:
+  #
+  #   - off:      Don't change prompt when accepting a command line.
+  #   - always:   Trim down prompt when accepting a command line.
+  #   - same-dir: Trim down prompt when accepting a command line unless this is the first command
+  #               typed after changing current working directory.
+  typeset -g POWERLEVEL9K_TRANSIENT_PROMPT=off
+
+  function p10k-on-pre-prompt() { p10k display '1'=show '2/left/(dir|context)'=hide '2/right/*'=show '2/right/(status|command_execution_time|time|background_jobs)'=hide }
+  function p10k-on-post-prompt() { p10k display '2/left/(dir|context|prompt_char)'=show 'empty_line|1'=hide '2/right/*'=hide '2/right/(status|command_execution_time|time|background_jobs)'=show }
+
+  # Instant prompt mode.
+  #
+  #   - off:     Disable instant prompt. Choose this if you've tried instant prompt and found
+  #              it incompatible with your zsh configuration files.
+  #   - quiet:   Enable instant prompt and don't print warnings when detecting console output
+  #              during zsh initialization. Choose this if you've read and understood
+  #              https://github.com/romkatv/powerlevel10k/blob/master/README.md#instant-prompt.
+  #   - verbose: Enable instant prompt and print a warning when detecting console output during
+  #              zsh initialization. Choose this if you've never tried instant prompt, haven't
+  #              seen the warning, or if you are unsure what this all means.
+  typeset -g POWERLEVEL9K_INSTANT_PROMPT=quiet
+
+  # Hot reload allows you to change POWERLEVEL9K options after Powerlevel10k has been initialized.
+  # For example, you can type POWERLEVEL9K_BACKGROUND=red and see your prompt turn red. Hot reload
+  # can slow down prompt by 1-2 milliseconds, so it's better to keep it turned off unless you
+  # really need it.
+  typeset -g POWERLEVEL9K_DISABLE_HOT_RELOAD=true
+
+  # If p10k is already loaded, reload configuration.
+  # This works even with POWERLEVEL9K_DISABLE_HOT_RELOAD=true.
+  (( ! $+functions[p10k] )) || p10k reload
+}
+
+# Tell `p10k configure` which file it should overwrite.
+typeset -g POWERLEVEL9K_CONFIG_FILE=${${(%):-%x}:a}
+
+(( ${#p10k_config_opts} )) && setopt ${p10k_config_opts[@]}
+'builtin' 'unset' 'p10k_config_opts'
diff --git a/user-profiles/zsh/zshrc b/user-profiles/zsh/zshrc
new file mode 100644
index 00000000..3660ef27
--- /dev/null
+++ b/user-profiles/zsh/zshrc
@@ -0,0 +1,26 @@
+fancy-ctrl-z () {
+  emulate -LR zsh
+  if [[ $#BUFFER -eq 0 ]]; then
+    [[ -n $(jobs -s) ]] && bg
+    zle redisplay
+  else
+    zle push-input
+  fi
+}
+zle -N fancy-ctrl-z
+bindkey '^Z' fancy-ctrl-z
+
+function fancy-ctrl-d() {
+  zle || exit 0
+  [[ -n $BUFFER ]] && return
+  typeset -g precmd_functions=(fancy-ctrl-d)
+  zle accept-line
+}
+zle -N fancy-ctrl-d
+bindkey '^D' fancy-ctrl-d
+setopt ignore_eof
+
+# word navigation for urxvt
+bindkey -e
+bindkey ';5C' emacs-forward-word
+bindkey ';5D' emacs-backward-word
\ No newline at end of file
diff --git a/users/gkleen/authorized-keys/gkleen-sif.pub b/users/gkleen/authorized-keys/gkleen-sif.pub
new file mode 100644
index 00000000..e9aaf215
--- /dev/null
+++ b/users/gkleen/authorized-keys/gkleen-sif.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrHPERae+OUTNOzNf9d2767ljFCm5hgmQw48Dj4RrlU gkleen@sif.midgard.yggdrasil
diff --git a/users/gkleen/default.nix b/users/gkleen/default.nix
new file mode 100644
index 00000000..7cf00b89
--- /dev/null
+++ b/users/gkleen/default.nix
@@ -0,0 +1,46 @@
+{ flake, userName, pkgs, customUtils, lib, ... }:
+{
+  imports = with flake.nixosModules.userProfiles.${userName}; [
+    zsh tmux utils direnv
+  ];
+  
+  users.users.${userName} = {
+    description = "Gregor Kleen";
+    extraGroups = [ "wheel" "networkmanager" "lp" "dialout" "audio" "video" "xmpp" "mail" "ssh" "vboxusers" "libvirtd" "wireshark" "games"];
+    createHome = true;
+    home = "/home/${userName}";
+    shell = "${pkgs.zsh}/bin/zsh";
+    isNormalUser = true;
+    openssh.authorizedKeys.keyFiles = let dir = ./authorized-keys; in lib.mapAttrsToList (n: _: dir + "/${n}") (builtins.readDir dir);
+    hashedPassword = "$6$rounds=500000$dOMgCU7DAk$yQFYGOURTEt12387LIYBnFKSWmtwXMUk1LJWnV0m7OFt.y2TnxQn2abdGA5dhwG9EmMB5wZGXf4J5F71c746C/";
+  };
+
+  home-manager.users.${userName} = {
+    programs = {
+      git = {
+        enable = true;
+        userEmail = "gkleen@yggdrasil.li";
+        userName = "Gregor Kleen";
+        delta.enable = true;
+        extraConfig = {
+          pull.rebase = false;
+          submodule.recurse = true;
+        };
+      };
+
+      ssh = {
+        enable = true;
+        controlMaster = "auto";
+        controlPersist = "30m";
+        serverAliveInterval = 6;
+        serverAliveCountMax = 10;
+        hashKnownHosts = true;
+        extraConfig = ''
+          IdentitiesOnly true
+        '';
+      };
+
+      gpg.enable = true;
+    };
+  };
+}
diff --git a/users/mherold.nix b/users/mherold.nix
new file mode 100644
index 00000000..54b11aab
--- /dev/null
+++ b/users/mherold.nix
@@ -0,0 +1,9 @@
+{ userName, ... }:
+{
+  users.users.${userName} = {
+    description = "Magdalena Kleen";
+    extraGroups = ["xmpp" "mail"];
+    hashedPassword = "$6$rounds=500000$y5qNae9r/U/7$HbSrmPcrPl9OQvRFMeo8PDYar32Y1i/C1R5di82rN4PPQZYxg/W.anHSI5Xws6fOQmDtvGsT0lCe4NFNxuTF41";
+    isNormalUser = true;
+  };
+}
diff --git a/users/mkleen.nix b/users/mkleen.nix
new file mode 100644
index 00000000..09e1e618
--- /dev/null
+++ b/users/mkleen.nix
@@ -0,0 +1,9 @@
+{ userName, ... }:
+{
+  users.users.${userName} = {
+    description = "Martin Kleen";
+    extraGroups = ["xmpp"];
+    hashedPassword = "$6$rounds=500000$bBm24zrmoktFD$kGLJA0I9q.jPgLSFej/1aqIyBo/KotXhA0pflByzF5LG/Vw9Vt0yfDvVYEHR6rTplJWYotdYaJXY3b4wnh9n.0";
+    isNormalUser = true;
+  };
+}
diff --git a/users/mwagner.nix b/users/mwagner.nix
new file mode 100644
index 00000000..258b4c32
--- /dev/null
+++ b/users/mwagner.nix
@@ -0,0 +1,9 @@
+{ userName, ... }:
+{
+  users.users.${userName} = {
+    description = "Max Wagner";
+    extraGroups = ["xmpp" "mail"];
+    hashedPassword = "$6$rounds=500000$5l71DQxKPXJ$UDUyiQur9QcmsXrV5r0gD5AWWpsJLe37bhV5NhZMjN4yh5aZjE4uqm8AXemuYTx3kKi.SWaRTglLIVvgDYf5l1";
+    isNormalUser = true;
+  };
+}
diff --git a/users/root.nix b/users/root.nix
new file mode 100644
index 00000000..be331141
--- /dev/null
+++ b/users/root.nix
@@ -0,0 +1,52 @@
+{ flake, lib, config, hostName, userName, pkgs, ... }:
+let
+  haveGKleen = flake.nixosModules.accounts ? "gkleen@${hostName}";
+in {
+  imports = with flake.nixosModules.userProfiles.${userName}; [
+    zsh tmux direnv utils
+  ];
+
+  users.users.${userName} = lib.mkIf haveGKleen {
+    inherit (config.users.users."gkleen") hashedPassword shell;
+    openssh.authorizedKeys.keyFiles = config.users.users."gkleen".openssh.authorizedKeys.keyFiles;
+  };
+
+  home-manager.users.${userName} = {
+    programs = {
+      git = {
+        enable = true;
+        userEmail = "gkleen@yggdrasil.li";
+        userName = "Gregor Kleen";
+        delta.enable = true;
+        extraConfig = {
+          pull.rebase = false;
+        };
+      };
+
+      ssh = {
+        enable = true;
+        controlMaster = "auto";
+        controlPersist = "30m";
+        serverAliveInterval = 6;
+        hashKnownHosts = true;
+        extraConfig = ''
+          IdentitiesOnly true
+          ServerAliveCountMax 10
+        '';
+      };
+
+      gpg.enable = true;
+    };
+
+    services = {
+      gpg-agent = {
+        enable = true;
+        enableSshSupport = true;
+        extraConfig = ''
+          pinentry-program ${pkgs.pinentry-curses}/bin/pinentry
+          grab
+        '';
+      };
+    };
+  };
+}
diff --git a/users/some.nix b/users/some.nix
new file mode 100644
index 00000000..02742e86
--- /dev/null
+++ b/users/some.nix
@@ -0,0 +1,9 @@
+{ userName, ... }:
+{
+  users.users.${userName} = {
+    description = "SomeNights";
+    extraGroups = ["xmpp" "mail"];
+    hashedPassword = "$6$rounds=500000$ZOKcPFUxFCCxbS$PSjgCpHs5GfmmusjTVEBY89NFS.hvY21.iuscfiXW8R.B2UW6ScyrIWWWPJkL4ZfI.6pKwXuf01gxazmDjy251";
+    isNormalUser = true;
+  };
+}
diff --git a/users/tkleen.nix b/users/tkleen.nix
new file mode 100644
index 00000000..debe2138
--- /dev/null
+++ b/users/tkleen.nix
@@ -0,0 +1,9 @@
+{ userName, ... }:
+{
+  users.users.${userName} = {
+    description = "Tatjana Kleen";
+    extraGroups = ["xmpp"];
+    hashedPassword = "$6$rounds=500000$K/MclfEm/LEplrSt$jKakA8dwOggI7ZB5ZwnCHVjvTGw6/VJZGVIlQGmuLoDvz24.pCnrl29xeUGItFhy6vpbjeb9GoG76RwdgI33H/";
+    isNormalUser = true;
+  };
+}
diff --git a/users/vkleen.nix b/users/vkleen.nix
new file mode 100644
index 00000000..e9717816
--- /dev/null
+++ b/users/vkleen.nix
@@ -0,0 +1,9 @@
+{ userName, ... }:
+{
+  users.users.${userName} = {
+   description = "vkleen";
+   extraGroups = ["xmpp"];
+   hashedPassword = "$6$rounds=500000$wOgtkxOshMT$3wT9nRqSCZRr9MkZcDQjMM3YbAekqCxEF0TwYcmjLqUk8Z44jeWQS96H/r3SKCfKWWcIWcQNp/dAxQ/QlcKAv.";
+   isNormalUser = true;
+  };
+}