23 files changed, 301 insertions, 121 deletions

diff --git a/_sources/generated.json b/_sources/generated.json
index 9e718609..c65147bb 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
@@ -56,6 +56,24 @@
         },
         "version": "v0.2.10"
     },
+    "freerdp": {
+        "cargoLocks": null,
+        "extract": null,
+        "name": "freerdp",
+        "passthru": null,
+        "pinned": false,
+        "src": {
+            "deepClone": false,
+            "fetchSubmodules": false,
+            "leaveDotGit": false,
+            "name": null,
+            "rev": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0",
+            "sha256": "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=",
+            "type": "git",
+            "url": "https://github.com/FreeRDP/FreeRDP"
+        },
+        "version": "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0"
+    },
     "lesspipe": {
         "cargoLocks": null,
         "extract": null,
@@ -209,11 +227,11 @@
             "name": null,
             "owner": "umlaeute",
             "repo": "v4l2loopback",
-            "rev": "56cca901dcf0a5cb11cc613155cfbe863d5d8421",
-            "sha256": "sha256-NY9elPsoGQVGGDIe2US/HT0ES8NSmb0ohlABc0HEIP0=",
+            "rev": "4aadc417254bfa3b875bf0b69278ce400ce659b2",
+            "sha256": "sha256-nHxIW5BmaZC6g7SElxboTcwtMDF4SCqi11MjYWsUZpo=",
             "type": "github"
         },
-        "version": "56cca901dcf0a5cb11cc613155cfbe863d5d8421"
+        "version": "4aadc417254bfa3b875bf0b69278ce400ce659b2"
     },
     "xcompose": {
         "cargoLocks": null,
diff --git a/_sources/generated.nix b/_sources/generated.nix
index def59267..b077edf5 100644
--- a/_sources/generated.nix
+++ b/_sources/generated.nix
@@ -36,6 +36,18 @@
       sha256 = "sha256-j7/3Llc3jTeJGpOH3Aexm9qcNscuk0mbi4ZCCyzC3+s=";
     });
   };
+  freerdp = {
+    pname = "freerdp";
+    version = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";
+    src = fetchgit {
+      url = "https://github.com/FreeRDP/FreeRDP";
+      rev = "7f0efb0e9f990c6b1d09e6cf30168433d02d64c0";
+      fetchSubmodules = false;
+      deepClone = false;
+      leaveDotGit = false;
+      sha256 = "sha256-8I3D7RL1KEdqun+xhlj4A72j6Iqwzp8APmkD+Z+mIMw=";
+    };
+  };
   lesspipe = {
     pname = "lesspipe";
     version = "2.05";
@@ -122,13 +134,13 @@
   };
   v4l2loopback = {
     pname = "v4l2loopback";
-    version = "56cca901dcf0a5cb11cc613155cfbe863d5d8421";
+    version = "4aadc417254bfa3b875bf0b69278ce400ce659b2";
     src = fetchFromGitHub ({
       owner = "umlaeute";
       repo = "v4l2loopback";
-      rev = "56cca901dcf0a5cb11cc613155cfbe863d5d8421";
+      rev = "4aadc417254bfa3b875bf0b69278ce400ce659b2";
       fetchSubmodules = true;
-      sha256 = "sha256-NY9elPsoGQVGGDIe2US/HT0ES8NSmb0ohlABc0HEIP0=";
+      sha256 = "sha256-nHxIW5BmaZC6g7SElxboTcwtMDF4SCqi11MjYWsUZpo=";
     });
   };
   xcompose = {
diff --git a/accounts/gkleen@sif/xmonad/xmonad.hs b/accounts/gkleen@sif/xmonad/xmonad.hs
index c12c590d..f96d659b 100644
--- a/accounts/gkleen@sif/xmonad/xmonad.hs
+++ b/accounts/gkleen@sif/xmonad/xmonad.hs
@@ -194,12 +194,14 @@ hostFromName h
                                               , assign "comm"    $ className =? "Element"
                                               , assign "comm"    $ className =? "Rocket.Chat"
                                               , assign "comm"    $ className =? "Discord"
+                                              , assign "comm"    $ className =? "Rainbow"
                                               , assign "media"   $ (className =? "Alacritty" <&&> resource =? "media")
                                               , assign "monitor" $ className =? "Grafana"
                                               , assign "monitor" $ className =? "Virt-viewer"
                                               , assign "monitor" $ (className =? "Alacritty" <&&> resource =? "htop")
                                               , assign "monitor" $ (className =? "Alacritty" <&&> resource =? "monitor")
                                               , assign "monitor" $ className =? "xfreerdp"
+                                              , assign "monitor" $ className =? "org.remmina.Remmina"
                                               , Just $ (className =? "Alacritty" <&&> resource =? "htop") -?> centerFloat
                                               , Just $ (className =? "Scp-dbus-service.py") -?> centerFloat
                                               , Just $ (className =? "Alacritty" <&&> resource =? "log") -?> centerFloat
diff --git a/flake.lock b/flake.lock
index 48609f3c..c5bd114c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -74,22 +74,17 @@
     },
     "home-manager": {
       "inputs": {
-        "flake-compat": [
-          "flake-compat"
-        ],
         "nixpkgs": [
           "nixpkgs"
         ],
-        "nmd": "nmd",
-        "nmt": "nmt",
         "utils": "utils_2"
       },
       "locked": {
-        "lastModified": 1655594877,
-        "narHash": "sha256-AQ39Vlb6zhsJqIRz2cN923+ESBxHmeHMHoPqA80xOCE=",
+        "lastModified": 1656367977,
+        "narHash": "sha256-0hV17V9Up9pnAtPJ+787FhrsPnawxoTPA/VxgjRMrjc=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5197e5df7d3a148b1ad080235f70800987bc3549",
+        "rev": "3bf16c0fd141c28312be52945d1543f9ce557bb1",
         "type": "github"
       },
       "original": {
@@ -110,11 +105,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1655849525,
-        "narHash": "sha256-j/XrVVistvM+Ua+0tNFvO5z83isL+LBgmBi9XppxuKA=",
+        "lastModified": 1656360098,
+        "narHash": "sha256-QfuZz3RK7oPPIZFC7l72BVIct/NH24hHKqcF0U1LJok=",
         "owner": "DavHau",
         "repo": "mach-nix",
-        "rev": "552d4caa73722b262204319526f9e77f9370f702",
+        "rev": "288338000307fdd23a1fc230a6dd1d5bd4fdde53",
         "type": "github"
       },
       "original": {
@@ -126,11 +121,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1655630673,
-        "narHash": "sha256-kYhka8nZ7hp3Pg6f21SDEcyt7aYfjIIbLlcDKRj2jhk=",
+        "lastModified": 1656875529,
+        "narHash": "sha256-LngTxPQozuYs/FdIoFhm9a1IoL4EqAJIgVcGRhSxtMY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "baac374635d18c960df37658b0f0b59d0767d468",
+        "rev": "f09a9cdbd3afc01ac03573959560d24bf9ec607b",
         "type": "github"
       },
       "original": {
@@ -142,11 +137,11 @@
     },
     "nixpkgs-21_11": {
       "locked": {
-        "lastModified": 1655562720,
-        "narHash": "sha256-OrN8DkBRZqZMzMuECuQNvSQ5gWoFBCxDvxYXjIQ/pH0=",
+        "lastModified": 1656782578,
+        "narHash": "sha256-1eMCBEqJplPotTo/SZ/t5HU6Sf2I8qKlZi9MX7jv9fw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "27dffce7eaa9648b4a13a461e786f169a17c0889",
+        "rev": "573603b7fdb9feb0eb8efc16ee18a015c667ab1b",
         "type": "github"
       },
       "original": {
@@ -158,11 +153,11 @@
     },
     "nixpkgs-22_05": {
       "locked": {
-        "lastModified": 1655584987,
-        "narHash": "sha256-YmWxPm6ctu+9nV80DtYtMfOBosNymeTpj8+Z0JTDfhU=",
+        "lastModified": 1656782561,
+        "narHash": "sha256-sZVLNNKIcELllTHqydsckz8HBfVqxeAt51acaaQWLCw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "57622cb817210146b379adbbd036d3da0d1f367c",
+        "rev": "18038cee44aa0c3c99a2319c3c1c4d16d6612d81",
         "type": "github"
       },
       "original": {
@@ -172,38 +167,6 @@
         "type": "github"
       }
     },
-    "nmd": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1653339422,
-        "narHash": "sha256-8nc7lcYOgih3YEmRMlBwZaLLJYpLPYKBlewqHqx8ieg=",
-        "owner": "rycee",
-        "repo": "nmd",
-        "rev": "9e7a20e6ee3f6751f699f79c0b299390f81f7bcd",
-        "type": "gitlab"
-      },
-      "original": {
-        "owner": "rycee",
-        "repo": "nmd",
-        "type": "gitlab"
-      }
-    },
-    "nmt": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1648075362,
-        "narHash": "sha256-u36WgzoA84dMVsGXzml4wZ5ckGgfnvS0ryzo/3zn/Pc=",
-        "owner": "rycee",
-        "repo": "nmt",
-        "rev": "d83601002c99b78c89ea80e5e6ba21addcfe12ae",
-        "type": "gitlab"
-      },
-      "original": {
-        "owner": "rycee",
-        "repo": "nmt",
-        "type": "gitlab"
-      }
-    },
     "nvfetcher": {
       "inputs": {
         "flake-compat": [
@@ -232,11 +195,11 @@
     "pypi-deps-db": {
       "flake": false,
       "locked": {
-        "lastModified": 1656230916,
-        "narHash": "sha256-ySccLr2XgC9kiLwt/g+tjGyf03iwnAh1Odj3EZ+mZ/o=",
+        "lastModified": 1656835523,
+        "narHash": "sha256-FrhbCP17ewooEw9HKpvPPLHvpeMIjR/JYBvX1pl8bvM=",
         "owner": "DavHau",
         "repo": "pypi-deps-db",
-        "rev": "76e139c4fc7d8201dd1c437ba15761c982d6d4dd",
+        "rev": "d94f2eb44cb6dd5cf2ce4c50ee6dee7207edebc2",
         "type": "github"
       },
       "original": {
@@ -266,11 +229,11 @@
         "nixpkgs-22_05": "nixpkgs-22_05"
       },
       "locked": {
-        "lastModified": 1655611128,
-        "narHash": "sha256-+Rfr9i0UvQL0hK1npP7X1sf0Zb2C1YDff0acj0lhyWA=",
+        "lastModified": 1656820546,
+        "narHash": "sha256-g+1URmRH75RDAzVUtVb4Ls7X8n1iocAGULtSE7JUdwU=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "6692484ba5339b77c7e62eafcfff2263a5488fb7",
+        "rev": "85907ae7384477e447499f6e942d822d6f2998d8",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 97fb4204..72c93162 100644
--- a/flake.nix
+++ b/flake.nix
@@ -176,10 +176,11 @@
           };
 
       installerConfig = if pathExists ./installer.nix then "installer.nix" else (if pathExists ./installer then "installer" else null);
+      mkInstallerForSystem = system: (lib.systems.elaborate system).isLinux;
       installers =
         let mkInstallers = system: mapAttrs (mkInstaller system) (installerProfiles system);
             mkInstaller = system: name: {profile, output}: let mkOutput = output; in rec { config = mkNixosConfiguration [profile { config = { nixpkgs.system = system; }; }] ./. installerConfig "installer"; output = mkOutput config; };
-        in forAllSystems (system: _systemPkgs: optionalAttrs (!(isNull installerConfig)) (mkInstallers system));
+        in forAllSystems (system: _systemPkgs: optionalAttrs (!(isNull installerConfig) && mkInstallerForSystem system) (mkInstallers system));
       installerNixosConfigurations = listToAttrs (concatLists (mapAttrsToList (system: mapAttrsToList (profile: { config, ... }: nameValuePair ("installer-${system}-${profile}") config)) installers));
 
       # packages = forAllSystems (system: systemPkgs: composeManyExtensions (attrValues self.overlays) self.legacyPackages.${system} systemPkgs);
@@ -240,5 +241,7 @@
         in mapAttrs (_n: v: if v ? "profiles" then v // { profiles = filterEnabled v.profiles; } else v) (filterEnabled (recursiveUpdate defaults overrides));
 
         checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+
+        expr = self.nixosConfigurations.surtr.config.systemd.services.uwsgi.serviceConfig.ExecStart;
       };
 }
diff --git a/gup/Gupfile b/gup/Gupfile
new file mode 100644
index 00000000..0c9b6b80
--- /dev/null
+++ b/gup/Gupfile
@@ -0,0 +1,2 @@
+cabal2nix.gup:
+  hosts/surtr/email/spm/spm.nix
\ No newline at end of file
diff --git a/gup/cabal2nix.gup b/gup/cabal2nix.gup
new file mode 100644
index 00000000..ce623eee
--- /dev/null
+++ b/gup/cabal2nix.gup
@@ -0,0 +1,4 @@
+#!/usr/bin/env zsh
+
+gup -u ${2:h}/package.yaml ${2:r}.cabal
+env -C ${2:h} -- nix run nixos#cabal2nix -- . > $1
\ No newline at end of file
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 3b5ef6fc..257743fd 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -54,6 +54,15 @@ in {
       kernelParams = [ "i915.fastboot=1" "intel_pstate=no_hwp" "acpi_backlight=vendor" "thinkpad-acpi.brightness_enable=1" "quiet" ];
       extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
       kernelModules = ["v4l2loopback"];
+      kernelPatches = [
+        { name = "edac-config";
+          patch = null;
+          extraConfig = ''
+            EDAC y
+            EDAC_IE31200 y
+          '';
+        }
+      ];
 
       tmpOnTmpfs = true;
 
diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix
index c9ecc945..87dd27b0 100644
--- a/hosts/surtr/default.nix
+++ b/hosts/surtr/default.nix
@@ -2,7 +2,7 @@
 {
   imports = with flake.nixosModules.systemProfiles; [
     qemu-guest openssh rebuild-machines zfs
-    ./zfs.nix ./dns ./tls ./http.nix ./bifrost ./matrix ./postgresql.nix ./prometheus ./email
+    ./zfs.nix ./dns ./tls ./http ./bifrost ./matrix ./postgresql.nix ./prometheus ./email
   ];
 
   config = {
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 5b439a8f..808c56da 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -184,7 +184,7 @@ in {
             addACLs = { "rheperire.org" = ["ymir_acme_acl"]; };
           }
           { domain = "bouncy.email";
-            acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "bouncy.email"];
+            acmeDomains = ["mailin.bouncy.email" "mailsub.bouncy.email" "imap.bouncy.email" "spm.bouncy.email" "mta-sts.bouncy.email" "bouncy.email"];
           }
         ]}
       '';
diff --git a/hosts/surtr/dns/keys/mta-sts.bouncy.email_acme.yaml b/hosts/surtr/dns/keys/mta-sts.bouncy.email_acme.yaml
new file mode 100644
index 00000000..ee78810d
--- /dev/null
+++ b/hosts/surtr/dns/keys/mta-sts.bouncy.email_acme.yaml
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:MKHoCzI9odlwPov5Ci9r2IaFCCT7DhOB8EJIFNdgG8xLwdk67SkTQ3kMGXM52EDPWdZ6a90HyKVDgL3O2vl8wbRu49jAIxCYr4t3QhLserNpMikxvAqItivtJKvBL0ah8B4mbjEH1KLou8DZgpDPdL8s+MxTOuYuLBvu/LPGRyabhKVSXmSRIL1iYx7RShe6r2PxiHN6wPmISj9YcwuuWygQRxkEqpybjUQzJe8tYFzuJ19rIUCZ26hI+k3khtFVET4TnouQAdTYXx6I/t/8Q8P7oILPFq4c,iv:w85RawhDWoLtTpWcbHo8W7bXCMa6apQNa4pQLd/whZc=,tag:z3WELFieEDeP9Zrna5brfQ==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-07-10T09:38:55Z",
+                "mac": "ENC[AES256_GCM,data:w2Ir2YQgkH0+5jNFW7mHyFVW2VEh98ADI99v6e55U7jKdEn70oF8cv787kMHNqpbwYamO9pSAz14is5Po+n11MH0UxESuU0cE7tfvoaUDIDgHNFVENB9dlKrKmnzXyEbN0+p33EP+/QmKYu4yLGc8t33NqoeD7Mc2McnmXJUvm0=,iv:7N480RaBLjIBXWJZG76VzIEyxm2eIxOi9GoZbGm2H50=,tag:JceWZoMQMwqxTYBRMPRnzA==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-07-10T09:38:54Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAYwPoDNsPVr3pUAih0sMWoebzWi8KQk6nthYKrBvc5mAw\nnuAjBhLc6Tzr8/vf5JbYcPiopd4qgIbPwqW8KAK28EdAz1+VrfM/mpI3wy0lO2YT\n0l4BQBjlvteoUfgV3nYDVbma7hh78Ip7vn0ebzeYCXbGqfCmhZXuZVG9k9rQ+v5t\nenIL1aLxLOBZSbcuDF415MZvKndU5LoQdciVfsFrex8TVzrYKQ62dBr00uysEgTz\n=TPo8\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-07-10T09:38:54Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAxFqsAJsqWvEmwQiLdSmcVP29dwQF9uLgGCwQCTtjuQYw\njFRrmwCYoCAMM0J7jExm6h7bVwy3pyGeIuya8X1sf6ZRJczGXvGwByK16kVdfgN2\n0l4BAlEaxS/5F6pMNJ0TMdYBMMGJWEa4H0xSE8DkF4Ep5bdxjaY3Pz09m8HWzJRA\nelshtXB8QcFLRG9BQRcPYd4ZEM+HqUCWF1C+7hBJ2SytDSHNZlXtxfd7ey3Jxg8+\n=oqf0\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.3"
+        }
+}
\ No newline at end of file
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index 77acee8b..271a061e 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
-  2022051500 ; serial
+  2022071000 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -63,3 +63,11 @@ spm			IN	AAAA	2a03:4000:52:ada::
 spm                     IN      MX      0 mailin.bouncy.email.
 spm                     IN      TXT     "v=spf1 redirect=bouncy.email"
 _acme-challenge.spm     IN      NS      ns.yggdrasil.li.
+
+_mta-sts                IN      TXT     "v=STSv1; id=2022071000"
+_smtp._tls              IN      TXT     "v=TLSRPTv1; rua=mailto:postmaster@bouncy.email"
+mta-sts                 IN      A       202.61.241.61
+mta-sts                 IN      AAAA    2a03:4000:52:ada::
+mta-sts                 IN      MX      0 mailin.bouncy.email.
+mta-sts                 IN      TXT     "v=spf1 redirect=bouncy.email"
+_acme-challenge.mta-sts IN      NS      ns.yggdrasil.li.
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index b952070b..e3437a6b 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -580,6 +580,7 @@ in {
       "mailin.bouncy.email" = {};
       "mailsub.bouncy.email" = {};
       "imap.bouncy.email" = {};
+      "mta-sts.bouncy.email" = {};
       "surtr.yggdrasil.li" = {};
     } // listToAttrs (map (domain: nameValuePair "spm.${domain}" {}) spmDomains);
 
@@ -637,13 +638,28 @@ in {
             proxy_set_header SPM-DOMAIN "${domain}";
           '';
         };
-      }) spmDomains);
+      }) spmDomains) // {
+        "mta-sts.bouncy.email" = {
+          locations."/".root = pkgs.runCommand "mta-sts" {} ''
+            mkdir -p $out/.well-known
+            cp ${pkgs.writeText "mta-sts.txt" ''
+              version: STSv1
+              mode: testing
+              mx: mailin.bouncy.email
+              max_age: 604800
+            ''} $out/.well-known/mta-sts.txt
+          '';
+        };
+      };
     };
 
     systemd.services.nginx.serviceConfig.LoadCredential = concatMap (domain: [
       "spm.${domain}.key.pem:${config.security.acme.certs."spm.${domain}".directory}/key.pem"
       "spm.${domain}.pem:${config.security.acme.certs."spm.${domain}".directory}/fullchain.pem"
-    ]) spmDomains;
+    ]) spmDomains ++ [
+      "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
+      "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+    ];
 
     systemd.services.spm = {
       serviceConfig = {
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http/default.nix
index af27f178..a77252ff 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http/default.nix
@@ -1,13 +1,10 @@
 { config, lib, pkgs, ... }:
 {
+  imports = [
+    ./webdav
+  ];
+  
   config = {
-    security.pam.services."webdav".text = ''
-      auth requisite  pam_succeed_if.so user ingroup webdav quiet_success
-      auth required   pam_unix.so likeauth nullok nodelay quiet
-      account sufficient pam_unix.so quiet
-    '';
-    users.groups."webdav" = {};
-    
     services.nginx = {
       enable = true;
       # package = pkgs.nginxQuic;
@@ -30,50 +27,12 @@
         client_body_temp_path /run/nginx-client-bodies;
       '';
       additionalModules = with pkgs.nginxModules; [ dav pam ];
-      virtualHosts = {
-        "webdav.141.li" = {
-          forceSSL = true;
-          sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
-          sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
-          sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
-          locations."/".extraConfig = ''
-            root /srv/files/$remote_user;            
-
-            auth_pam "WebDAV";
-            auth_pam_service_name "webdav";
-          '';
-          extraConfig = ''
-            dav_methods     PUT DELETE MKCOL COPY MOVE;
-            dav_ext_methods PROPFIND OPTIONS;
-            dav_access      user:rw;
-            autoindex on;
-
-            client_max_body_size    0;
-            create_full_put_path    on;
-
-            add_header Strict-Transport-Security "max-age=63072000" always;
-          '';
-        };
-      };
-    };
-    security.acme.domains."webdav.141.li" = {
-      zone = "141.li";
-      certCfg = {
-        postRun = ''
-          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
-        '';
-      };
     };
     systemd.services.nginx = {
       preStart = lib.mkForce config.services.nginx.preStart;
       serviceConfig = {
         SupplementaryGroups = [ "shadow" ];
         ExecReload = lib.mkForce "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        LoadCredential = [
-          "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
-          "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
-          "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
-        ];
         RuntimeDirectory = lib.mkForce [ "nginx" "nginx-client-bodies" ];
         RuntimeDirectoryMode = "0750";
 
@@ -95,5 +54,14 @@
         ReadWritePaths = [ "/srv/files" ];
       };
     };
+
+    services.uwsgi = {
+      enable = true;
+      plugins = ["python3"];
+      instance = {
+        type = "emperor";
+        vassals = {};
+      };
+    };
   };
 }
diff --git a/hosts/surtr/http/webdav/default.nix b/hosts/surtr/http/webdav/default.nix
new file mode 100644
index 00000000..f0aec1e9
--- /dev/null
+++ b/hosts/surtr/http/webdav/default.nix
@@ -0,0 +1,96 @@
+{ config, libs, pkgs, flakeInputs, ... }:
+let
+  webdavSocket = config.services.uwsgi.runDir + "/webdav.sock";
+
+  webdavApp = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage {
+    ignoreDataOutdated = true;
+    pname = "py-webdav";
+    version = builtins.readFile ./py-webdav/VERSION;
+    src = ./py-webdav;
+    python = "python3";
+    requirements = ''
+      PyNaCl ==1.5.*
+      psycopg ==3.0.*
+      WsgiDAV ==4.0.*
+    '';
+  };
+in {
+  config = {
+    security.pam.services."webdav".text = ''
+      auth requisite  pam_succeed_if.so user ingroup webdav quiet_success
+      auth required   pam_unix.so likeauth nullok nodelay quiet
+      account sufficient pam_unix.so quiet
+    '';
+    users.groups."webdav" = {};
+    
+    services.nginx = {
+      upstreams."py-webdav" = {
+        servers = {
+          "unix://${webdavSocket}" = {};
+        };
+      };
+      
+      virtualHosts."webdav.141.li" = {
+        forceSSL = true;
+        sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";
+        sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
+        sslTrustedCertificate = "/run/credentials/nginx.service/webdav.141.li.chain.pem";
+        locations = {
+          "/".extraConfig = ''
+            root /srv/files/$remote_user;            
+
+            auth_pam "WebDAV";
+            auth_pam_service_name "webdav";
+          '';
+
+          "/py/".extraConfig = ''
+            rewrite ^/py(.*) $1 break;
+
+            include ${config.services.nginx.package}/conf/uwsgi_params;
+            uwsgi_param SCRIPT_NAME /py;
+            uwsgi_pass py-webdav;
+          '';
+        };
+        extraConfig = ''
+          dav_methods     PUT DELETE MKCOL COPY MOVE;
+          dav_ext_methods PROPFIND OPTIONS;
+          dav_access      user:rw;
+          autoindex on;
+
+          client_max_body_size    0;
+          create_full_put_path    on;
+
+          add_header Strict-Transport-Security "max-age=63072000" always;
+        '';
+      };
+    };
+    security.acme.domains."webdav.141.li" = {
+      certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';
+      };
+    };
+
+    systemd.services.nginx.serviceConfig.LoadCredential = [
+      "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem"
+      "webdav.141.li.pem:${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem"
+      "webdav.141.li.chain.pem:${config.security.acme.certs."webdav.141.li".directory}/chain.pem"
+    ];
+
+
+    services.uwsgi.instance.vassals.webdav = {
+      type = "normal";
+      socket = webdavSocket;
+      listen = 1024;
+      master = true;
+      vacuum = true;
+      chown-socket = "${config.services.nginx.user}:${config.services.uwsgi.group}";
+      
+      plugins = ["python3"];
+      pythonPackages = self: [webdavApp];
+      module = "webdav";
+      callable = "app";
+    };
+  };
+}
diff --git a/hosts/surtr/http/webdav/py-webdav/.gitignore b/hosts/surtr/http/webdav/py-webdav/.gitignore
new file mode 100644
index 00000000..ed8ebf58
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/.gitignore
@@ -0,0 +1 @@
+__pycache__
\ No newline at end of file
diff --git a/hosts/surtr/http/webdav/py-webdav/VERSION b/hosts/surtr/http/webdav/py-webdav/VERSION
new file mode 100644
index 00000000..6e8bf73a
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/VERSION
@@ -0,0 +1 @@
+0.1.0
diff --git a/hosts/surtr/http/webdav/py-webdav/setup.py b/hosts/surtr/http/webdav/py-webdav/setup.py
new file mode 100644
index 00000000..dbe345c1
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/setup.py
@@ -0,0 +1,17 @@
+import setuptools
+
+with open('VERSION', 'r', encoding='utf-8') as version_file:
+    version = version_file.read().strip()
+
+setuptools.setup(
+    name="py-webdav",
+    version=version,
+    package_dir={"": "."},
+    packages=setuptools.find_packages(),
+    python_requires=">=3.8",
+    install_requires=[
+        "PyNaCl ==1.5.*",
+        "psycopg ==3.0.*",
+        "WsgiDAV ==4.0.*",
+    ],
+)
diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
new file mode 100644
index 00000000..398378e2
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/webdav/__init__.py
@@ -0,0 +1 @@
+from .webdav import app
diff --git a/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py
new file mode 100644
index 00000000..783f5d82
--- /dev/null
+++ b/hosts/surtr/http/webdav/py-webdav/webdav/webdav.py
@@ -0,0 +1,5 @@
+def app(env, start_response):
+    start_response('200 Success', [('Content-Type', 'text/plain; charset=utf-8')])
+    return [ bytes(f'{key}: {value}\n', 'utf8')
+             for key, value in env.items()
+           ]
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 9c9c3565..a469be69 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -140,11 +140,9 @@ with lib;
     services.nginx = {
       recommendedProxySettings = true;
 
-      upstreams = {
-        "matrix-synapse" = {
-          servers = {
-            "127.0.0.1:8008" = {};
-          };
+      upstreams."matrix-synapse" = {
+        servers = {
+          "127.0.0.1:8008" = {};
         };
       };
 
diff --git a/hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email b/hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email
new file mode 100644
index 00000000..ce10db57
--- /dev/null
+++ b/hosts/surtr/tls/tsig_keys/mta-sts.bouncy.email
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:v0QhyJhcbR+ouKYAxvTYWltoA7vmltvb8oTYs0vecTVMx2j2+UkAjw8xJ4qD,iv:007nDkrj4kvYJMa+W3YysDOXws9UZspC3w5vaTGI/II=,tag:Gzpj7bubRknVBNOfQYvoYg==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-07-10T09:39:02Z",
+                "mac": "ENC[AES256_GCM,data:7dvWXtZd++BwWH6Qaw0WzRhxVVT9U8PFyE9MJ1E/NssSfkAZHaxDpV1kgRaHJav4lIjvUq83oWxBkEcnasfg6zF12xawxbCckf597r3ctndGtyyHLk0b0xBciiJRR8rFKeB81nKTiDzEA7ydfgbkPIktB/4xgi4vke5WHWPQ2Xs=,iv:NTTWRPUFvhDL5KndTwPEB4c3NCw6X9nDdWVPcowVN+Y=,tag:BO+TEaTY0RvptmlF9yhQfQ==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-07-10T09:39:02Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdA1eY+DFYwuexG+2C53SzO1qsn60d1UOeBgeBojLbKwSQw\n55k9cM4vYE50bRrnqEfEXn45u2qYj4NIl2WhfJ4luwvNcmLmqvQCKDOKblOEe6Qi\n0l4B6zMGpHNTSkbaKB/Y2zRpczJxRBJz/cEuimbHs57nMQKpFGst5tMvsGilq4tq\nE8iC77K6S+OFJmJulJ/Rw4Yrg+raZ0KkpVKo+hOOKEi2QaWdBLf6dL+NdH2Qpxqu\n=iJRT\n-----END PGP MESSAGE-----\n",
+                                "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8"
+                        },
+                        {
+                                "created_at": "2022-07-10T09:39:02Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAMl+sivtfp0HDutQ2ENSGsoqeIG1//4F0TrmX3GlFVysw\nSA3Env4jdFAtHplG9/6J6PTtnRZNvnqlwoq3Gz1kEIdf8DhQP7/8uPzi2mJz916n\n0l4BOuQfwtJn/M6a7T4xWW4fPh/CgTD8e0TNV4lYboW/YwAhCgOSaRKnObMzGquR\nJ6Fx6q7+y2Be3zpHdOMHpQ1OmEVmysLRo4DeuV6WYDqSOqSklNMVi6D9b+KIQAJo\n=jbRk\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.3"
+        }
+}
\ No newline at end of file
diff --git a/nvfetcher.toml b/nvfetcher.toml
index bc3095ca..c723654e 100644
--- a/nvfetcher.toml
+++ b/nvfetcher.toml
@@ -53,4 +53,8 @@ fetch.github = "po5/chapterskip"
 [lesspipe]
 src.github = "wofr06/lesspipe"
 src.prefix = "v"
-fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
\ No newline at end of file
+fetch.url = "https://github.com/wofr06/lesspipe/archive/refs/tags/v$ver.tar.gz"
+
+[freerdp]
+src.git = "https://github.com/FreeRDP/FreeRDP"
+fetch.git = "https://github.com/FreeRDP/FreeRDP"
\ No newline at end of file