From 90eb0c37086b4ebf3c3be97433757409939a853e Mon Sep 17 00:00:00 2001 
From: Emelie Graven Date: Sat, 20 Nov 2021 07:18:18 +0100 Subject: [PATCH] Restructure folders, add `mail` host The entire file structure has been reorganised into stable and unstable to separate deployments running on either channel. A `mail` host running Simple Nix Mailserver has also been added for testing to see if it's a good alternative to soverin as well as SMTP for other services. --- .../hosts/grondahl/data/secrets/secrets.nix | Bin 635 -> 0 bytes .../pubkeys/despondos_host_ed25519_key.pub | 0 stable/config/common/services/nginx.nix | 43 +++++ .../config}/common/services/ssh.nix | 0 stable/config/hosts/mail/configuration.nix | 58 ++++++ .../data/secrets/mail_noreply_anarkafem_dev | Bin 0 -> 84 bytes .../hosts/mail/data/secrets/secrets.nix | Bin 0 -> 243 bytes stable/config/hosts/mail/data/secrets/ssh_key | Bin 0 -> 421 bytes .../hosts/mail/data/secrets/ssh_key.pub | Bin 0 -> 119 bytes .../hosts/mail/hardware-configuration.nix | 41 +++++ .../config/hosts/mail}/services/acme.nix | 0 stable/config/hosts/mail/services/mail.nix | 25 +++ .../config/hosts/mail}/services/restic.nix | 0 {config => stable/config}/sources/default.nix | 0 stable/config/sources/nix/sources.json | 50 +++++ .../config}/sources/nix/sources.nix | 0 stable/deploy/default.nix | 24 +++ stable/result | 1 + .../pubkeys/despondos_host_ed25519_key.pub | 1 + .../config}/common/services/nginx.nix | 0 unstable/config/common/services/ssh.nix | 24 +++ .../config}/hosts/grondahl/configuration.nix | 1 + .../grondahl/data/secrets/acme_anarkafem_dev | Bin .../hosts/grondahl/data/secrets/email_noreply | Bin 0 -> 83 bytes .../hosts/grondahl/data/secrets/restic_pass | Bin .../hosts/grondahl/data/secrets/secrets.nix | Bin 0 -> 716 bytes .../hosts/grondahl/data/secrets/ssh_key | Bin .../hosts/grondahl/data/secrets/ssh_key.pub | Bin .../data/secrets/synapse_macaroon_secret | Bin .../synapse_registration_shared_secret | Bin .../grondahl/data/secrets/turn_shared_secret | Bin 
.../hosts/grondahl/hardware-configuration.nix | 0 .../config}/hosts/grondahl/services/acme.nix | 0 .../hosts/grondahl/services/coturn.nix | 0 .../config/hosts/grondahl/services/mail.nix | 25 +++ .../config}/hosts/grondahl/services/nginx.nix | 0 .../hosts/grondahl/services/postgres.nix | 0 .../hosts/grondahl/services/restic.nix | 0 .../hosts/grondahl/services/synapse.nix | 0 .../config}/hosts/rudiger/configuration.nix | 0 .../hosts/rudiger/data/secrets/nc_admin_pass | Bin .../hosts/rudiger/data/secrets/redis_pass | Bin .../hosts/rudiger/data/secrets/restic_pass | Bin .../hosts/rudiger/data/secrets/secrets.nix | Bin .../hosts/rudiger/data/secrets/ssh_key | Bin .../hosts/rudiger/data/secrets/ssh_key.pub | Bin .../hosts/rudiger/hardware-configuration.nix | 0 .../config/hosts/rudiger/services/acme.nix | 9 + .../hosts/rudiger/services/nextcloud.nix | 0 .../config}/hosts/rudiger/services/nginx.nix | 0 .../hosts/rudiger/services/postgres.nix | 0 .../config}/hosts/rudiger/services/redis.nix | 0 .../config}/hosts/rudiger/services/restic.nix | 0 .../config}/hosts/wind/configuration.nix | 0 .../wind/data/secrets/acme_graven_dev.env | Bin .../hosts/wind/data/secrets/restic_pass | Bin .../hosts/wind/data/secrets/secrets.nix | Bin .../config}/hosts/wind/data/secrets/ssh_key | Bin .../hosts/wind/data/secrets/ssh_key.pub | Bin .../wind/data/secrets/synapse_macaroon_secret | Bin .../synapse_registration_shared_secret | Bin .../hosts/wind/data/secrets/ttrss_email_pass | Bin .../wind/data/secrets/turn_shared_secret | Bin .../hosts/wind/data/secrets/vaultwarden_env | Bin .../hosts/wind/hardware-configuration.nix | 0 .../config}/hosts/wind/services/acme.nix | 0 .../config}/hosts/wind/services/coturn.nix | 0 .../config}/hosts/wind/services/gitea.nix | 0 .../config}/hosts/wind/services/nginx.nix | 0 .../config}/hosts/wind/services/postgres.nix | 0 .../config/hosts/wind/services/restic.nix | 47 +++++ .../config}/hosts/wind/services/synapse.nix | 0 .../config}/hosts/wind/services/ttrss.nix 
| 0 .../hosts/wind/services/vaultwarden.nix | 0 unstable/config/sources/default.nix | 11 ++ .../config}/sources/nix/sources.json | 0 unstable/config/sources/nix/sources.nix | 174 ++++++++++++++++++ {deploy => unstable/deploy}/default.nix | 2 +- 78 files changed, 535 insertions(+), 1 deletion(-) delete mode 100644 config/hosts/grondahl/data/secrets/secrets.nix rename {config => stable/config}/common/data/pubkeys/despondos_host_ed25519_key.pub (100%) create mode 100644 stable/config/common/services/nginx.nix rename {config => stable/config}/common/services/ssh.nix (100%) create mode 100644 stable/config/hosts/mail/configuration.nix create mode 100644 stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev create mode 100644 stable/config/hosts/mail/data/secrets/secrets.nix create mode 100644 stable/config/hosts/mail/data/secrets/ssh_key create mode 100644 stable/config/hosts/mail/data/secrets/ssh_key.pub create mode 100644 stable/config/hosts/mail/hardware-configuration.nix rename {config/hosts/rudiger => stable/config/hosts/mail}/services/acme.nix (100%) create mode 100644 stable/config/hosts/mail/services/mail.nix rename {config/hosts/wind => stable/config/hosts/mail}/services/restic.nix (100%) rename {config => stable/config}/sources/default.nix (100%) create mode 100644 stable/config/sources/nix/sources.json rename {config => stable/config}/sources/nix/sources.nix (100%) create mode 100644 stable/deploy/default.nix create mode 120000 stable/result create mode 100644 unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub rename {config => unstable/config}/common/services/nginx.nix (100%) create mode 100644 unstable/config/common/services/ssh.nix rename {config => unstable/config}/hosts/grondahl/configuration.nix (98%) rename {config => unstable/config}/hosts/grondahl/data/secrets/acme_anarkafem_dev (100%) create mode 100644 unstable/config/hosts/grondahl/data/secrets/email_noreply rename {config => 
unstable/config}/hosts/grondahl/data/secrets/restic_pass (100%) create mode 100644 unstable/config/hosts/grondahl/data/secrets/secrets.nix rename {config => unstable/config}/hosts/grondahl/data/secrets/ssh_key (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/ssh_key.pub (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/synapse_macaroon_secret (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/synapse_registration_shared_secret (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/turn_shared_secret (100%) rename {config => unstable/config}/hosts/grondahl/hardware-configuration.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/acme.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/coturn.nix (100%) create mode 100644 unstable/config/hosts/grondahl/services/mail.nix rename {config => unstable/config}/hosts/grondahl/services/nginx.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/postgres.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/restic.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/synapse.nix (100%) rename {config => unstable/config}/hosts/rudiger/configuration.nix (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/nc_admin_pass (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/redis_pass (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/restic_pass (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/secrets.nix (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/ssh_key (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/ssh_key.pub (100%) rename {config => unstable/config}/hosts/rudiger/hardware-configuration.nix (100%) create mode 100644 unstable/config/hosts/rudiger/services/acme.nix rename {config => unstable/config}/hosts/rudiger/services/nextcloud.nix (100%) rename 
{config => unstable/config}/hosts/rudiger/services/nginx.nix (100%) rename {config => unstable/config}/hosts/rudiger/services/postgres.nix (100%) rename {config => unstable/config}/hosts/rudiger/services/redis.nix (100%) rename {config => unstable/config}/hosts/rudiger/services/restic.nix (100%) rename {config => unstable/config}/hosts/wind/configuration.nix (100%) rename {config => unstable/config}/hosts/wind/data/secrets/acme_graven_dev.env (100%) rename {config => unstable/config}/hosts/wind/data/secrets/restic_pass (100%) rename {config => unstable/config}/hosts/wind/data/secrets/secrets.nix (100%) rename {config => unstable/config}/hosts/wind/data/secrets/ssh_key (100%) rename {config => unstable/config}/hosts/wind/data/secrets/ssh_key.pub (100%) rename {config => unstable/config}/hosts/wind/data/secrets/synapse_macaroon_secret (100%) rename {config => unstable/config}/hosts/wind/data/secrets/synapse_registration_shared_secret (100%) rename {config => unstable/config}/hosts/wind/data/secrets/ttrss_email_pass (100%) rename {config => unstable/config}/hosts/wind/data/secrets/turn_shared_secret (100%) rename {config => unstable/config}/hosts/wind/data/secrets/vaultwarden_env (100%) rename {config => unstable/config}/hosts/wind/hardware-configuration.nix (100%) rename {config => unstable/config}/hosts/wind/services/acme.nix (100%) rename {config => unstable/config}/hosts/wind/services/coturn.nix (100%) rename {config => unstable/config}/hosts/wind/services/gitea.nix (100%) rename {config => unstable/config}/hosts/wind/services/nginx.nix (100%) rename {config => unstable/config}/hosts/wind/services/postgres.nix (100%) create mode 100644 unstable/config/hosts/wind/services/restic.nix rename {config => unstable/config}/hosts/wind/services/synapse.nix (100%) rename {config => unstable/config}/hosts/wind/services/ttrss.nix (100%) rename {config => unstable/config}/hosts/wind/services/vaultwarden.nix (100%) create mode 100644 unstable/config/sources/default.nix rename 
{config => unstable/config}/sources/nix/sources.json (100%) create mode 100644 unstable/config/sources/nix/sources.nix rename {deploy => unstable/deploy}/default.nix (95%) diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix deleted file mode 100644 index 0a783ca0ff97cd853d4e0e4d83775c90e0ceb1ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 635 zcmZQ@_Y83kiVO&0_;VotrMYwJLOXzFSQR^8&RRBwPmsfv+$KKO>QC~GaB=w0Vqjt31N>0gu%ux(xN`M_y5E4k~J#>I!-N;mGTD@vTcUdS`nW<$Z6v{l;_*Sxp1wBI?2VbLvHl@Y_a*6**Ol&8_Gy9^!D*|MUmA1NXK~x^ zQa0|_(>LR(sm_gG-W|=xvHQvdtq_l$(o==B@3tS+@H(Z;o%4MQAM3h>=k_U2OP_h9 z;XrcBv9oy%=Z~m7Dlw@^KRWs5LLm;>sVm;K|2QKXJ)uKo%Q2q^Ggj-iXPD(U#(mGv zeZ1U@wT`z+VDfJ>mfU~S3{EP)VpU4JDOdDLH`cT}=++XUJgJx`iCsDA$If>Cd~x7w zDbtygYeidEF6W=TGNpD?y10{y{d~W5-_~sqvHrA1*v?sf+0Qq7<(E!rw!b$;T|St5 zo!8eXC2Q9zJ@9DyrOOfQ!M1hpBku*~m7~9xm}_!_jvj{)&|L$O?R$~^Y2qSv-sG=s(|c{bw`Y* yf6tJRr(gM>Ne=eiH@{FuSrR4jaEPN`*R?!l?fVm<(8>@Uy& diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/stable/config/common/data/pubkeys/despondos_host_ed25519_key.pub similarity index 100% rename from config/common/data/pubkeys/despondos_host_ed25519_key.pub rename to stable/config/common/data/pubkeys/despondos_host_ed25519_key.pub diff --git a/stable/config/common/services/nginx.nix b/stable/config/common/services/nginx.nix new file mode 100644 index 0000000..60f4b8f --- /dev/null +++ b/stable/config/common/services/nginx.nix 
@@ -0,0 +1,43 @@
+{ ... }:
+{
+ services.nginx = {
+ #enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+}
diff --git a/config/common/services/ssh.nix b/stable/config/common/services/ssh.nix
similarity index 100%
rename from config/common/services/ssh.nix
rename to stable/config/common/services/ssh.nix
diff --git a/stable/config/hosts/mail/configuration.nix b/stable/config/hosts/mail/configuration.nix
new file mode 100644
index 0000000..44fa832
--- /dev/null
+++ b/stable/config/hosts/mail/configuration.nix
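Review bot: The comment `# Only allow PFS-enabled ciphers with AES256` does not match the `sslCiphers` value under it, which also admits the AES128-GCM and CHACHA20-POLY1305 suites and the non-ECDHE `DHE-RSA-*` suites; either trim the list or reword the comment to `# Only allow forward-secret AEAD suites (ECDHE/DHE with AES-GCM or ChaCha20)`. The HSTS value `max-age=31536000; includeSubdomains; preload` commits every subdomain of every vhost on the host to HTTPS for a year and, once submitted to the preload list, is not practically reversible, so a comment saying this is intended for all hosts that import this module would help. `X-XSS-Protection "1; mode=block"` is a deprecated header that current browsers ignore or have had problems with; since the file already notes it may be unnecessary with CSP, `add_header X-XSS-Protection "0";` or dropping the line is the safer choice. Note also that `#enable = true;` is commented out, so this module only takes effect on hosts that enable nginx elsewhere.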
@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../common/services/ssh.nix
+ #./services/restic.nix
+ ./services/mail.nix
+ ./services/acme.nix
+ ./data/secrets/secrets.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+ boot.supportedFilesystems = ["zfs"];
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.autoScrub.enable = true;
+
+ networking.hostName = "mail";
+ networking.hostId = "1e04e84b";
+ time.timeZone = "Europe/Copenhagen";
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+ networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:624a::1"; prefixLength = 64; } ];
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+ users.users.emelie = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ htop
+ iotop
+ dig
+ ];
+
+ nix = {
+ autoOptimiseStore = true;
+ trustedUsers = [
+ "root"
+ "@wheel"
+ ];
+ };
+
+
+ # Use hetzner firewall instead
+ networking.firewall.enable = false;
+ system.stateVersion = "21.05";
+
+}
diff --git a/stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev b/stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev
new file mode 100644
index 0000000000000000000000000000000000000000..8756cf3f2276cbca1636b0229d916d111a4ef795
GIT binary patch
literal 84
zcmZQ@_Y83kiVO&0c-Mbi=BkdTbXDW&AGgetLcaYn*dyz$8KT11e)PESe^F7j@XN*W
qnf0&qc(@g}h%Iv7maF%)*1_%kh6~q)nAR-%b!^WewS%>GE(ZYK^(CtS

literal 0
HcmV?d00001

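Review bot: `security.sudo.wheelNeedsPassword = false;` together with `nix.trustedUsers = [ "root" "@wheel" ]` makes the `emelie` account, the only SSH entry point on this host, equivalent to root with no second step, and `networking.firewall.enable = false;` leaves the host with no local filter if the Hetzner firewall it relies on is ever misconfigured. If passwordless sudo is what the nixus deploy needs, say so next to it (`# passwordless sudo: required by the nixus switch in stable/deploy/default.nix`), and consider `trustedUsers = [ "root" ];` unless remote builds from the wheel user are actually used. `#./services/restic.nix` is commented out, so nothing on this host is backed up; the restic.nix copied from wind in this commit presumably still carries wind's repository and paths, which is worth checking before it is enabled. The `ssh_key`, `ssh_key.pub` and `secrets.nix` files under `data/secrets` land as binary blobs, which suggests they are encrypted at rest; a one-line README in that directory stating the mechanism would stop a plaintext key being committed by mistake.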
diff --git a/stable/config/hosts/mail/data/secrets/secrets.nix b/stable/config/hosts/mail/data/secrets/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..42a986ca7e734c2dba4a35a5db0f2f1585a871ca GIT binary patch literal 243 zcmZQ@_Y83kiVO&0VC=7#>pl5c*JK-;UUp+BTYA=%Gv@PVoH;b5R&Mtv|2a?fvdukz zdv+G_{9E%`Qudkb86m$`#tk$3pP8gisXp+P@#syX{?O*+{fmCQc~j-wx@1a{_ur@= zAtCGAgx<)QRsWum{KPQ&=8Mgjj@tIsi%(u4oouq`OZ%QHm)opgrQ4SZ`@fC5*dEf~ zAIxx{X~NO(Q}enToS6GqJl9U#Y{{ZfT0HsXIxC+)aSwCammJg#J`*r4@F~+%@wHAN zfA4#J+{7lc%{lqpwbjN4Kds+>$-4enRno`n&o-;95}GM-Ok3BfR>VN#o$157``-Wn D%20Vv literal 0 HcmV?d00001 diff --git a/stable/config/hosts/mail/data/secrets/ssh_key b/stable/config/hosts/mail/data/secrets/ssh_key new file mode 100644 index 0000000000000000000000000000000000000000..d99f226bc12271f176cc53eb8d03e01b2de8dd40 GIT binary patch literal 421 zcmZQ@_Y83kiVO&0Sib7}&69oNsZ3K@V*aUk9PlbttjV(fo4ic&$rg4QnFU2>wf~-| zYpcm9bC);0!ma#MLt-04GqM$-{QaM z25y}Z*&;8tL87NYm8WNu2w)1Dk!h&DiYuS0XIzNgRFjkIz!5DWl?f&%nD)XEhb{w;~YtFXN)vN7y z?cIixGx!)I`RWc>@8F*CX+>UDjg7A; zU)MjBSycJ#@%k$}-+8`^i)3qAv`fW8Z`D-ar5~#2@A@9Q&UeNUXx?|s#Kt8dMjB5>$h{F=veZk|83<7WT>>JH5( literal 0 HcmV?d00001 diff --git a/stable/config/hosts/mail/data/secrets/ssh_key.pub b/stable/config/hosts/mail/data/secrets/ssh_key.pub new file mode 100644 index 0000000000000000000000000000000000000000..04225ea49a09a8fa8692a683d04001bd8ff11669 GIT binary patch literal 119 zcmZQ@_Y83kiVO&0IH0f3eR}Vi{STugf0=rTZoeR2pmw`>I@7)~C*J%9_R0TUSMl6` zk?^7}H8En9&-%ZSfy@aHIJ_hlBo(l#?)e~n+O_Cbm~Z!u_W_f6x9gmF9L>v8YOt8! bd}7js3j42t4?;d3xzxgVI7V9A-sda;3e7bK literal 0 HcmV?d00001 diff --git a/stable/config/hosts/mail/hardware-configuration.nix b/stable/config/hosts/mail/hardware-configuration.nix new file mode 100644 index 0000000..90e8d09 --- /dev/null +++ b/stable/config/hosts/mail/hardware-configuration.nix 
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/profiles/minimal.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "rpool/safe/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" =
+ { device = "rpool/safe/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/var" =
+ { device = "rpool/safe/var";
+ fsType = "zfs";
+ };
+
+ fileSystems."/nix" =
+ { device = "rpool/local/nix";
+ fsType = "zfs";
+ };
+
+ swapDevices =
+ [ { device = "/dev/disk/by-uuid/9c3c66f5-bf5a-4a2a-88a2-fc2ef312d7ef"; }
+ ];
+
+}
diff --git a/config/hosts/rudiger/services/acme.nix b/stable/config/hosts/mail/services/acme.nix
similarity index 100%
rename from config/hosts/rudiger/services/acme.nix
rename to stable/config/hosts/mail/services/acme.nix
diff --git a/stable/config/hosts/mail/services/mail.nix b/stable/config/hosts/mail/services/mail.nix
new file mode 100644
index 0000000..f6f1184
--- /dev/null
+++ b/stable/config/hosts/mail/services/mail.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+ # And set its hash
+ sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.graven.dev";
+ domains = [ "anarkafem.dev" ];
+
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+ };
+ };
+ certificateScheme = 3;
+ };
+}
diff --git a/config/hosts/wind/services/restic.nix b/stable/config/hosts/mail/services/restic.nix
similarity index 100%
rename from config/hosts/wind/services/restic.nix
rename to stable/config/hosts/mail/services/restic.nix
diff --git a/config/sources/default.nix b/stable/config/sources/default.nix
similarity index 100%
rename from config/sources/default.nix
rename to stable/config/sources/default.nix
diff --git a/stable/config/sources/nix/sources.json b/stable/config/sources/nix/sources.json
new file mode 100644
index 0000000..3098061
--- /dev/null
+++ b/stable/config/sources/nix/sources.json
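Review bot: The nixos-mailserver module is pinned here with a hand-written `builtins.fetchTarball` commit and sha256, while the grondahl copy added in this same commit (`unstable/config/hosts/grondahl/services/mail.nix`) pins a different commit (`6e8142862…` against `5675b122a…` here), so the two channels run different mailserver code with no single place to bump it. The repository already tracks nixpkgs and nixus through niv in `sources.json`; adding the mailserver there and importing it as `"${sources.nixos-mailserver}"` (constructed name, pick whatever niv records) would keep the pin in one lockfile. `certificateScheme = 3` has the module obtain its own ACME certificate for `mail.graven.dev`, and the `services/acme.nix` this host imports is a 100% rename of rudiger's file, so confirm it does not still carry rudiger's domains or contact address. A short comment above `loginAccounts` noting that `mail_noreply_anarkafem_dev` must contain a password hash rather than the plaintext would help the next maintainer.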
@@ -0,0 +1,50 @@
+{
+ "niv": {
+ "branch": "master",
+ "description": "Easy dependency management for Nix projects",
+ "homepage": "https://github.com/nmattia/niv",
+ "owner": "nmattia",
+ "repo": "niv",
+ "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
+ "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+ "type": "tarball",
+ "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixos-hardware": {
+ "branch": "master",
+ "description": "A collection of NixOS modules covering hardware quirks.",
+ "homepage": "",
+ "owner": "NixOS",
+ "repo": "nixos-hardware",
+ "rev": "5a7e613703ea349fd46b3fa2f3dfe3bd5444d591",
+ "sha256": "088z9p9ycsvnghqbksxrssk43wfsnm9caks9lch90jp2x8c8aw7x",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixos-hardware/archive/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixpkgs": {
+ "branch": "nixos-21.05",
+ "description": "Nix Packages collection",
+ "homepage": "",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4",
+ "sha256": "1xsp0xyrf8arjkf4wi09n96kbg0r8igsmzx8bhc1nj4nr078p0pg",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/46251a79f752ae1d46ef733e8e9760b6d3429da4.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ },
+ "nixus": {
+ "branch": "master",
+ "description": null,
+ "homepage": "",
+ "owner": "Infinisil",
+ "repo": "nixus",
+ "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
+ "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+ "type": "tarball",
+ "url": "https://github.com/Infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+ "url_template": "https://github.com///archive/.tar.gz"
+ }
+}
diff --git a/config/sources/nix/sources.nix b/stable/config/sources/nix/sources.nix
similarity index 100%
rename from config/sources/nix/sources.nix
rename to stable/config/sources/nix/sources.nix
diff --git a/stable/deploy/default.nix b/stable/deploy/default.nix
new file mode 100644
index 0000000..0373339
--- /dev/null
+++ b/stable/deploy/default.nix
@@ -0,0 +1,24 @@
+let
+ sources = import ../config/sources;
+in import "${sources.nixus}" {} ({ config, ... }: {
+
+ defaults = { name, ... }: {
+ configuration = { lib, ... }: {
+ networking.hostName = lib.mkDefault name;
+ };
+
+ # use our nixpkgs from niv
+ nixpkgs = sources.nixpkgs;
+ };
+
+ nodes = {
+ mail = { lib, config, ... }: {
+ host = "emelie@mail.graven.dev";
+ configuration = ../config/hosts/mail/configuration.nix;
+ switchTimeout = 300;
+ successTimeout = 300;
+ #ignoreFailingSystemdUnits = true;
+ };
+ };
+})
+
diff --git a/stable/result b/stable/result
new file mode 120000
index 0000000..fc926f2
--- /dev/null
+++ b/stable/result
@@ -0,0 +1 @@
+/nix/store/i50n7iakdlfmy4s7d90djnz30q4qskh5-deploy
\ No newline at end of file
diff --git a/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
new file mode 100644
index 0000000..6367ffa
--- /dev/null
+++ b/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
diff --git a/config/common/services/nginx.nix b/unstable/config/common/services/nginx.nix
similarity index 100%
rename from config/common/services/nginx.nix
rename to unstable/config/common/services/nginx.nix
diff --git a/unstable/config/common/services/ssh.nix b/unstable/config/common/services/ssh.nix
new file mode 100644
index 0000000..2a918d9
--- /dev/null
+++ b/unstable/config/common/services/ssh.nix
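Review bot: `stable/result` is a build-output symlink into `/nix/store` that has been committed; it is machine-specific and changes on every build, so it should be removed and `result` added to `.gitignore`. In `stable/deploy/default.nix` the mail node deploys as `emelie@mail.graven.dev`, which only works because that host grants passwordless sudo to wheel; a comment on the `host` line such as `# nixus switches via sudo: mail's configuration sets wheelNeedsPassword = false` makes the coupling visible from the deploy side. `switchTimeout = 300;` and `successTimeout = 300;` carry no unit; a `# seconds` comment (confirm against the nixus option docs) would avoid guessing. `#ignoreFailingSystemdUnits = true;` is a dead toggle; either delete it or note why it may be needed during first deploys.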
@@ -0,0 +1,24 @@
+{ ... }:
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+ kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ };
+
+ programs.ssh.knownHosts = {
+ despondos = {
+ hostNames = [ "despondos.nao.sh" ];
+ publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+ };
+ };
+
+ services.sshguard = {
+ enable = true;
+ blocktime = 300;
+ };
+}
diff --git a/config/hosts/grondahl/configuration.nix b/unstable/config/hosts/grondahl/configuration.nix
similarity index 98%
rename from config/hosts/grondahl/configuration.nix
rename to unstable/config/hosts/grondahl/configuration.nix
index c7a1ea9..4282811 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/unstable/config/hosts/grondahl/configuration.nix
@@ -12,6 +12,7 @@
 ./services/restic.nix
 ./services/synapse.nix
 ./services/postgres.nix
+ ./services/mail.nix
 ];
 
 boot.loader.grub.enable = true;
diff --git a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev b/unstable/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
similarity index 100%
rename from config/hosts/grondahl/data/secrets/acme_anarkafem_dev
rename to unstable/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
diff --git a/unstable/config/hosts/grondahl/data/secrets/email_noreply b/unstable/config/hosts/grondahl/data/secrets/email_noreply
new file mode 100644
index 0000000000000000000000000000000000000000..babe205fdffc5ed70027ac188d4ca5a80652c8ca
GIT binary patch
literal 83
zcmZQ@_Y83kiVO&0c$@a!o@d85>s&>FJzDc)r`^bTbvAp`vCU0W&q(gLSaCTh;i;p?
q?OR_;|GMm-`}WeL@+(PvlOv=!?!GHDY!iO7FLsB6?v79ouBQN+$|=?W

literal 0
HcmV?d00001

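Review bot: The `macs` list repeats `hmac-sha2-512-etm@openssh.com` twice, which reads like a copy-paste slip where `hmac-sha2-256-etm@openssh.com` was intended; the duplicate is harmless as written, but it should be either deduplicated or changed to `macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];`. The `despondos` known-host entry pins `../data/pubkeys/despondos_host_ed25519_key.pub`, and this commit creates that file afresh under `unstable/` while renaming the original into `stable/`; the two copies are never shown side by side, so confirm they hold the same key, otherwise hosts on one channel will trust a different host key than the other. This `unstable` ssh.nix is likewise a new file while the `stable` one is a 100% rename of the old module, so any drift between the two hardening profiles is now invisible in the diff; a comment at the top stating which one is the reference would help.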
diff --git a/config/hosts/grondahl/data/secrets/restic_pass b/unstable/config/hosts/grondahl/data/secrets/restic_pass similarity index 100% rename from config/hosts/grondahl/data/secrets/restic_pass rename to unstable/config/hosts/grondahl/data/secrets/restic_pass diff --git a/unstable/config/hosts/grondahl/data/secrets/secrets.nix b/unstable/config/hosts/grondahl/data/secrets/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..89f5c0189c4ec860b213ee2cb7fbf3083cab9735 GIT binary patch literal 716 zcmZQ@_Y83kiVO&0u?};Bi1PVQ|mM-W8C{g+4)?G(YlE{yTq2b9jpmh z9P5{}{r>cikKfGLtMROhDal1{k1Mnsp>icC zMXTyef17o%=%tP<>5>xd^Hr1czf^SF^8b9?%BxgZ7IE0<$*FlwQWJbVXE@!MaiY`b z+v>b`hAefKN+&E?U0ytWetGqmQ%gU6bw@MneR3Abam!j1e!4I{<`W`sPXp34|>ubaaLh|S+SpcW9Dx+Vp=V+%FF)g z=}!|D==melawQ1SvZMWWj4V|)6 z+}y>`?83WeVm)u=IA(+yo5|(;+&(8_(-Pgl@^#02PyX5d$0Nbiuir#)VbJ6D5REnw ftAgV@KeB}c$!%F>r=T4a6W?UC;rD7U9=ZPjGZ$Ld literal 0 HcmV?d00001 diff --git a/config/hosts/grondahl/data/secrets/ssh_key b/unstable/config/hosts/grondahl/data/secrets/ssh_key similarity index 100% rename from config/hosts/grondahl/data/secrets/ssh_key rename to unstable/config/hosts/grondahl/data/secrets/ssh_key diff --git a/config/hosts/grondahl/data/secrets/ssh_key.pub b/unstable/config/hosts/grondahl/data/secrets/ssh_key.pub similarity index 100% rename from config/hosts/grondahl/data/secrets/ssh_key.pub rename to unstable/config/hosts/grondahl/data/secrets/ssh_key.pub diff --git a/config/hosts/grondahl/data/secrets/synapse_macaroon_secret b/unstable/config/hosts/grondahl/data/secrets/synapse_macaroon_secret similarity index 100% rename from config/hosts/grondahl/data/secrets/synapse_macaroon_secret rename to unstable/config/hosts/grondahl/data/secrets/synapse_macaroon_secret 
diff --git a/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret b/unstable/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret
similarity index 100%
rename from config/hosts/grondahl/data/secrets/synapse_registration_shared_secret
rename to unstable/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret
diff --git a/config/hosts/grondahl/data/secrets/turn_shared_secret b/unstable/config/hosts/grondahl/data/secrets/turn_shared_secret
similarity index 100%
rename from config/hosts/grondahl/data/secrets/turn_shared_secret
rename to unstable/config/hosts/grondahl/data/secrets/turn_shared_secret
diff --git a/config/hosts/grondahl/hardware-configuration.nix b/unstable/config/hosts/grondahl/hardware-configuration.nix
similarity index 100%
rename from config/hosts/grondahl/hardware-configuration.nix
rename to unstable/config/hosts/grondahl/hardware-configuration.nix
diff --git a/config/hosts/grondahl/services/acme.nix b/unstable/config/hosts/grondahl/services/acme.nix
similarity index 100%
rename from config/hosts/grondahl/services/acme.nix
rename to unstable/config/hosts/grondahl/services/acme.nix
diff --git a/config/hosts/grondahl/services/coturn.nix b/unstable/config/hosts/grondahl/services/coturn.nix
similarity index 100%
rename from config/hosts/grondahl/services/coturn.nix
rename to unstable/config/hosts/grondahl/services/coturn.nix
diff --git a/unstable/config/hosts/grondahl/services/mail.nix b/unstable/config/hosts/grondahl/services/mail.nix
new file mode 100644
index 0000000..3591384
--- /dev/null
+++ b/unstable/config/hosts/grondahl/services/mail.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
+ # And set its hash
+ sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "anarkafem.dev";
+ domains = [ "anarkafem.dev" ];
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.email_noreply.file;
+
+ };
+ };
+ certificateScheme = 3;
+ };
+}
+
diff --git a/config/hosts/grondahl/services/nginx.nix b/unstable/config/hosts/grondahl/services/nginx.nix
similarity index 100%
rename from config/hosts/grondahl/services/nginx.nix
rename to unstable/config/hosts/grondahl/services/nginx.nix
diff --git a/config/hosts/grondahl/services/postgres.nix b/unstable/config/hosts/grondahl/services/postgres.nix
similarity index 100%
rename from config/hosts/grondahl/services/postgres.nix
rename to unstable/config/hosts/grondahl/services/postgres.nix
diff --git a/config/hosts/grondahl/services/restic.nix b/unstable/config/hosts/grondahl/services/restic.nix
similarity index 100%
rename from config/hosts/grondahl/services/restic.nix
rename to unstable/config/hosts/grondahl/services/restic.nix
diff --git a/config/hosts/grondahl/services/synapse.nix b/unstable/config/hosts/grondahl/services/synapse.nix
similarity index 100%
rename from config/hosts/grondahl/services/synapse.nix
rename to unstable/config/hosts/grondahl/services/synapse.nix
diff --git a/config/hosts/rudiger/configuration.nix b/unstable/config/hosts/rudiger/configuration.nix
similarity index 100%
rename from config/hosts/rudiger/configuration.nix
rename to unstable/config/hosts/rudiger/configuration.nix
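Review bot: The two comments on the `builtins.fetchTarball` call (`# Pick a commit from the branch you are interested in`, `# And set its hash`) are the upstream template's instructions, not documentation of this pin; replace them with a note that records what is pinned and how to move it, e.g. `# nixos-mailserver pinned to 6e814286; bump url and sha256 together so the import stays reproducible`. With `certificateScheme = 3` the module provisions its own ACME certificate for `anarkafem.dev` through nginx, so if grondahl's nginx.nix already defines a virtualHost for that name the two definitions will be merged by the module system, which is worth confirming before deploying. The stray blank line after `hashedPasswordFile = …;` inside the `"noreply@anarkafem.dev"` set can go.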
diff --git a/config/hosts/rudiger/data/secrets/nc_admin_pass b/unstable/config/hosts/rudiger/data/secrets/nc_admin_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/nc_admin_pass
rename to unstable/config/hosts/rudiger/data/secrets/nc_admin_pass
diff --git a/config/hosts/rudiger/data/secrets/redis_pass b/unstable/config/hosts/rudiger/data/secrets/redis_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/redis_pass
rename to unstable/config/hosts/rudiger/data/secrets/redis_pass
diff --git a/config/hosts/rudiger/data/secrets/restic_pass b/unstable/config/hosts/rudiger/data/secrets/restic_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/restic_pass
rename to unstable/config/hosts/rudiger/data/secrets/restic_pass
diff --git a/config/hosts/rudiger/data/secrets/secrets.nix b/unstable/config/hosts/rudiger/data/secrets/secrets.nix
similarity index 100%
rename from config/hosts/rudiger/data/secrets/secrets.nix
rename to unstable/config/hosts/rudiger/data/secrets/secrets.nix
diff --git a/config/hosts/rudiger/data/secrets/ssh_key b/unstable/config/hosts/rudiger/data/secrets/ssh_key
similarity index 100%
rename from config/hosts/rudiger/data/secrets/ssh_key
rename to unstable/config/hosts/rudiger/data/secrets/ssh_key
diff --git a/config/hosts/rudiger/data/secrets/ssh_key.pub b/unstable/config/hosts/rudiger/data/secrets/ssh_key.pub
similarity index 100%
rename from config/hosts/rudiger/data/secrets/ssh_key.pub
rename to unstable/config/hosts/rudiger/data/secrets/ssh_key.pub
diff --git a/config/hosts/rudiger/hardware-configuration.nix b/unstable/config/hosts/rudiger/hardware-configuration.nix
similarity index 100%
rename from config/hosts/rudiger/hardware-configuration.nix
rename to unstable/config/hosts/rudiger/hardware-configuration.nix
diff --git a/unstable/config/hosts/rudiger/services/acme.nix b/unstable/config/hosts/rudiger/services/acme.nix
new file mode 100644
index 0000000..62ae467
--- /dev/null
+++ b/unstable/config/hosts/rudiger/services/acme.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ email = "admin+certs@graven.dev";
+ };
+}
+
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/unstable/config/hosts/rudiger/services/nextcloud.nix
similarity index 100%
rename from config/hosts/rudiger/services/nextcloud.nix
rename to unstable/config/hosts/rudiger/services/nextcloud.nix
diff --git a/config/hosts/rudiger/services/nginx.nix b/unstable/config/hosts/rudiger/services/nginx.nix
similarity index 100%
rename from config/hosts/rudiger/services/nginx.nix
rename to unstable/config/hosts/rudiger/services/nginx.nix
diff --git a/config/hosts/rudiger/services/postgres.nix b/unstable/config/hosts/rudiger/services/postgres.nix
similarity index 100%
rename from config/hosts/rudiger/services/postgres.nix
rename to unstable/config/hosts/rudiger/services/postgres.nix
diff --git a/config/hosts/rudiger/services/redis.nix b/unstable/config/hosts/rudiger/services/redis.nix
similarity index 100%
rename from config/hosts/rudiger/services/redis.nix
rename to unstable/config/hosts/rudiger/services/redis.nix
diff --git a/config/hosts/rudiger/services/restic.nix b/unstable/config/hosts/rudiger/services/restic.nix
similarity index 100%
rename from config/hosts/rudiger/services/restic.nix
rename to unstable/config/hosts/rudiger/services/restic.nix
diff --git a/config/hosts/wind/configuration.nix b/unstable/config/hosts/wind/configuration.nix
similarity index 100%
rename from config/hosts/wind/configuration.nix
rename to unstable/config/hosts/wind/configuration.nix
diff --git a/config/hosts/wind/data/secrets/acme_graven_dev.env b/unstable/config/hosts/wind/data/secrets/acme_graven_dev.env
similarity index 100%
rename from config/hosts/wind/data/secrets/acme_graven_dev.env
rename to unstable/config/hosts/wind/data/secrets/acme_graven_dev.env
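Review bot: The `config` argument in the module head `{ config, ... }:` is never referenced in this file, so `{ ... }:` expresses the same thing without suggesting the module depends on evaluated configuration. A one-line comment above `security.acme` would also help a reader who lands here from rudiger's nginx or nextcloud config, e.g. `# Shared ACME settings for every enableACME vhost on this host; acceptTerms is required before any certificate is requested.`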
diff --git a/config/hosts/wind/data/secrets/restic_pass b/unstable/config/hosts/wind/data/secrets/restic_pass
similarity index 100%
rename from config/hosts/wind/data/secrets/restic_pass
rename to unstable/config/hosts/wind/data/secrets/restic_pass
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/unstable/config/hosts/wind/data/secrets/secrets.nix
similarity index 100%
rename from config/hosts/wind/data/secrets/secrets.nix
rename to unstable/config/hosts/wind/data/secrets/secrets.nix
diff --git a/config/hosts/wind/data/secrets/ssh_key b/unstable/config/hosts/wind/data/secrets/ssh_key
similarity index 100%
rename from config/hosts/wind/data/secrets/ssh_key
rename to unstable/config/hosts/wind/data/secrets/ssh_key
diff --git a/config/hosts/wind/data/secrets/ssh_key.pub b/unstable/config/hosts/wind/data/secrets/ssh_key.pub
similarity index 100%
rename from config/hosts/wind/data/secrets/ssh_key.pub
rename to unstable/config/hosts/wind/data/secrets/ssh_key.pub
diff --git a/config/hosts/wind/data/secrets/synapse_macaroon_secret b/unstable/config/hosts/wind/data/secrets/synapse_macaroon_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/synapse_macaroon_secret
rename to unstable/config/hosts/wind/data/secrets/synapse_macaroon_secret
diff --git a/config/hosts/wind/data/secrets/synapse_registration_shared_secret b/unstable/config/hosts/wind/data/secrets/synapse_registration_shared_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/synapse_registration_shared_secret
rename to unstable/config/hosts/wind/data/secrets/synapse_registration_shared_secret
diff --git a/config/hosts/wind/data/secrets/ttrss_email_pass b/unstable/config/hosts/wind/data/secrets/ttrss_email_pass
similarity index 100%
rename from config/hosts/wind/data/secrets/ttrss_email_pass
rename to unstable/config/hosts/wind/data/secrets/ttrss_email_pass
diff --git a/config/hosts/wind/data/secrets/turn_shared_secret b/unstable/config/hosts/wind/data/secrets/turn_shared_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/turn_shared_secret
rename to unstable/config/hosts/wind/data/secrets/turn_shared_secret
diff --git a/config/hosts/wind/data/secrets/vaultwarden_env b/unstable/config/hosts/wind/data/secrets/vaultwarden_env
similarity index 100%
rename from config/hosts/wind/data/secrets/vaultwarden_env
rename to unstable/config/hosts/wind/data/secrets/vaultwarden_env
diff --git a/config/hosts/wind/hardware-configuration.nix b/unstable/config/hosts/wind/hardware-configuration.nix
similarity index 100%
rename from config/hosts/wind/hardware-configuration.nix
rename to unstable/config/hosts/wind/hardware-configuration.nix
diff --git a/config/hosts/wind/services/acme.nix b/unstable/config/hosts/wind/services/acme.nix
similarity index 100%
rename from config/hosts/wind/services/acme.nix
rename to unstable/config/hosts/wind/services/acme.nix
diff --git a/config/hosts/wind/services/coturn.nix b/unstable/config/hosts/wind/services/coturn.nix
similarity index 100%
rename from config/hosts/wind/services/coturn.nix
rename to unstable/config/hosts/wind/services/coturn.nix
diff --git a/config/hosts/wind/services/gitea.nix b/unstable/config/hosts/wind/services/gitea.nix
similarity index 100%
rename from config/hosts/wind/services/gitea.nix
rename to unstable/config/hosts/wind/services/gitea.nix
diff --git a/config/hosts/wind/services/nginx.nix b/unstable/config/hosts/wind/services/nginx.nix
similarity index 100%
rename from config/hosts/wind/services/nginx.nix
rename to unstable/config/hosts/wind/services/nginx.nix
diff --git a/config/hosts/wind/services/postgres.nix b/unstable/config/hosts/wind/services/postgres.nix
similarity index 100%
rename from config/hosts/wind/services/postgres.nix
rename to unstable/config/hosts/wind/services/postgres.nix
diff --git a/unstable/config/hosts/wind/services/restic.nix b/unstable/config/hosts/wind/services/restic.nix
new file mode 100644
index 0000000..083e4cc
--- /dev/null
+++ b/unstable/config/hosts/wind/services/restic.nix
@@ -0,0 +1,47 @@
+{ config, ... }:
+
+{
+
+ services.restic.backups = {
+ "gitea" = {
+ paths = [ "/var/lib/gitea" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "02:15"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "gitea";
+ };
+ "postgres" = {
+ paths = [ "/var/lib/postgresql/backup" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:00"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "postgres";
+ };
+ "synapse" = {
+ paths = [ "/var/lib/matrix-synapse" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:30"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "matrix-synapse";
+ };
+ "vaultwarden" = {
+ paths = [ "/var/lib/bitwarden_rs" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "23:45"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "vaultwarden";
+ };
+ };
+}
diff --git a/config/hosts/wind/services/synapse.nix b/unstable/config/hosts/wind/services/synapse.nix
similarity index 100%
rename from config/hosts/wind/services/synapse.nix
rename to unstable/config/hosts/wind/services/synapse.nix
diff --git a/config/hosts/wind/services/ttrss.nix b/unstable/config/hosts/wind/services/ttrss.nix
similarity index 100%
rename from config/hosts/wind/services/ttrss.nix
rename to unstable/config/hosts/wind/services/ttrss.nix
diff --git a/config/hosts/wind/services/vaultwarden.nix b/unstable/config/hosts/wind/services/vaultwarden.nix
similarity index 100%
rename from config/hosts/wind/services/vaultwarden.nix
rename to unstable/config/hosts/wind/services/vaultwarden.nix
diff --git a/unstable/config/sources/default.nix b/unstable/config/sources/default.nix
new file mode 100644
index 0000000..ccd3ba8
--- /dev/null
+++ b/unstable/config/sources/default.nix
@@ -0,0 +1,11 @@
+let
+ sources = import ./nix/sources.nix;
+
+ # just use standard pkgs from sources
+ # so that we have our applyPattches function
+ pkgs = import sources.nixpkgs {};
+
+in {
+ nixus = sources.nixus;
+} // sources
+
diff --git a/config/sources/nix/sources.json b/unstable/config/sources/nix/sources.json
similarity index 100%
rename from config/sources/nix/sources.json
rename to unstable/config/sources/nix/sources.json
diff --git a/unstable/config/sources/nix/sources.nix b/unstable/config/sources/nix/sources.nix
new file mode 100644
index 0000000..1938409
--- /dev/null
+++ b/unstable/config/sources/nix/sources.nix
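Review bot: The four entries under `services.restic.backups` differ only in their name, `paths`, `user` and `OnCalendar`; `repository` (up to the last path component), `initialize`, `pruneOpts`, `extraOptions` and `passwordFile` are copied verbatim, so a change to the retention policy or the backup host has to be made in four places. A `mkBackup` helper applied with `builtins.mapAttrs` keeps one definition per service and one copy of the shared settings, as sketched below. Separately, each job runs as a different service account (`gitea`, `postgres`, `matrix-synapse`, `vaultwarden`) yet all four read the same `restic_pass` and `ssh_key` secret files, so those files have to be readable by every one of those users; depending on how `config.secrets.files` sets ownership this either widens access to the backup credentials or fails at run time, and the intended permission model deserves a comment here. The hunk also does not show where the host key for `despondos.nao.sh` is trusted; the non-interactive `ssh` inside `sftp.command` cannot prompt and will refuse an unknown host, so the known-hosts entry (presumably the `despondos_host_ed25519_key.pub` added elsewhere in this commit) must be in place for each of those users.
```nix
{ config, ... }:

let
  sftpOverSsh = "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'";
  retention = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];

  # One restic job per service; `name` is also the repository directory on the backup host.
  mkBackup = name: { paths, user, time }: {
    inherit paths user;
    repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/${name}";
    initialize = true;
    pruneOpts = retention;
    timerConfig = { "OnCalendar" = time; };
    extraOptions = [ sftpOverSsh ];
    passwordFile = builtins.toString config.secrets.files.restic_pass.file;
  };
in
{
  services.restic.backups = builtins.mapAttrs mkBackup {
    gitea       = { paths = [ "/var/lib/gitea" ];             user = "gitea";          time = "02:15"; };
    postgres    = { paths = [ "/var/lib/postgresql/backup" ]; user = "postgres";       time = "03:00"; };
    synapse     = { paths = [ "/var/lib/matrix-synapse" ];    user = "matrix-synapse"; time = "03:30"; };
    vaultwarden = { paths = [ "/var/lib/bitwarden_rs" ];      user = "vaultwarden";    time = "23:45"; };
  };
}
```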
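Review bot: `pkgs` is bound in the `let` of `unstable/config/sources/default.nix` but never referenced, so the comment above it (`# just use standard pkgs from sources` / `# so that we have our applyPattches function`) describes something this file does not do; either drop the binding and the comment, or actually expose it, e.g. `in { inherit pkgs; } // sources`. The explicit `nixus = sources.nixus;` is redundant as written: `// sources` on the right already carries the same `nixus` attribute and overrides the left-hand value with itself, so the expression is equivalent to `sources` alone. If the attribute is meant to be a deliberate re-export, a comment saying so would stop the next reader from removing it; `applyPattches` is also a typo for `applyPatches`.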
@@ -0,0 +1,174 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + + # The set of packages used when specs are fetched using non-builtins. 
+ mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. 
+ builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, name ? 
null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" then + fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs ( + name: spec: + if builtins.hasAttr "outPath" spec + then abort + "The values in sources.json should not have an 'outPath' attribute" + else + spec // { outPath = replace name (fetch config.pkgs name spec); } + ) config.sources; + + # The "config" used by the fetchers + mkConfig = + { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null + , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile) + , system ? builtins.currentSystem + , pkgs ? mkPkgs sources system + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; + +in +mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/deploy/default.nix b/unstable/deploy/default.nix similarity index 95% rename from deploy/default.nix rename to unstable/deploy/default.nix index ee07e2e..3fdc041 100644 --- a/deploy/default.nix +++ b/unstable/deploy/default.nix @@ -1,5 +1,5 @@ let - sources = import ../config/sources; + sources = import ../unstable/config/sources; in import "${sources.nixus}" {} ({ config, ... }: { defaults = { name, ... }: {
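Review bot: The rewritten import path in `unstable/deploy/default.nix` looks wrong: Nix resolves relative paths against the file that contains them, and this file now lives under `unstable/deploy/`, so `../unstable/config/sources` points at `unstable/unstable/config/sources`, which this commit does not create. Because the deploy and config trees moved together, the original `../config/sources` already resolves to `unstable/config/sources` from the new location, so the line should stay `sources = import ../config/sources;`. The `import "${sources.nixus}" {} (…)` expression that follows continues past the end of the hunk.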