From 90eb0c37086b4ebf3c3be97433757409939a853e Mon Sep 17 00:00:00 2001 
From: Emelie Graven Date: Sat, 20 Nov 2021 07:18:18 +0100 Subject: [PATCH] Restructure folders, add `mail` host The entire file structure has been reorganised into stable and unstable to separate deployments running on either channel. A `mail` host running Simple Nix Mailserver has also been added for testing to see if it's a good alternative to soverin as well as SMTP for other services. --- .../hosts/grondahl/data/secrets/secrets.nix | Bin 635 -> 0 bytes .../pubkeys/despondos_host_ed25519_key.pub | 0 stable/config/common/services/nginx.nix | 43 +++++ .../config}/common/services/ssh.nix | 0 stable/config/hosts/mail/configuration.nix | 58 ++++++ .../data/secrets/mail_noreply_anarkafem_dev | Bin 0 -> 84 bytes .../hosts/mail/data/secrets/secrets.nix | Bin 0 -> 243 bytes stable/config/hosts/mail/data/secrets/ssh_key | Bin 0 -> 421 bytes .../hosts/mail/data/secrets/ssh_key.pub | Bin 0 -> 119 bytes .../hosts/mail/hardware-configuration.nix | 41 +++++ .../config/hosts/mail}/services/acme.nix | 0 stable/config/hosts/mail/services/mail.nix | 25 +++ .../config/hosts/mail}/services/restic.nix | 0 {config => stable/config}/sources/default.nix | 0 stable/config/sources/nix/sources.json | 50 +++++ .../config}/sources/nix/sources.nix | 0 stable/deploy/default.nix | 24 +++ stable/result | 1 + .../pubkeys/despondos_host_ed25519_key.pub | 1 + .../config}/common/services/nginx.nix | 0 unstable/config/common/services/ssh.nix | 24 +++ .../config}/hosts/grondahl/configuration.nix | 1 + .../grondahl/data/secrets/acme_anarkafem_dev | Bin .../hosts/grondahl/data/secrets/email_noreply | Bin 0 -> 83 bytes .../hosts/grondahl/data/secrets/restic_pass | Bin .../hosts/grondahl/data/secrets/secrets.nix | Bin 0 -> 716 bytes .../hosts/grondahl/data/secrets/ssh_key | Bin .../hosts/grondahl/data/secrets/ssh_key.pub | Bin .../data/secrets/synapse_macaroon_secret | Bin .../synapse_registration_shared_secret | Bin .../grondahl/data/secrets/turn_shared_secret | Bin 
.../hosts/grondahl/hardware-configuration.nix | 0 .../config}/hosts/grondahl/services/acme.nix | 0 .../hosts/grondahl/services/coturn.nix | 0 .../config/hosts/grondahl/services/mail.nix | 25 +++ .../config}/hosts/grondahl/services/nginx.nix | 0 .../hosts/grondahl/services/postgres.nix | 0 .../hosts/grondahl/services/restic.nix | 0 .../hosts/grondahl/services/synapse.nix | 0 .../config}/hosts/rudiger/configuration.nix | 0 .../hosts/rudiger/data/secrets/nc_admin_pass | Bin .../hosts/rudiger/data/secrets/redis_pass | Bin .../hosts/rudiger/data/secrets/restic_pass | Bin .../hosts/rudiger/data/secrets/secrets.nix | Bin .../hosts/rudiger/data/secrets/ssh_key | Bin .../hosts/rudiger/data/secrets/ssh_key.pub | Bin .../hosts/rudiger/hardware-configuration.nix | 0 .../config/hosts/rudiger/services/acme.nix | 9 + .../hosts/rudiger/services/nextcloud.nix | 0 .../config}/hosts/rudiger/services/nginx.nix | 0 .../hosts/rudiger/services/postgres.nix | 0 .../config}/hosts/rudiger/services/redis.nix | 0 .../config}/hosts/rudiger/services/restic.nix | 0 .../config}/hosts/wind/configuration.nix | 0 .../wind/data/secrets/acme_graven_dev.env | Bin .../hosts/wind/data/secrets/restic_pass | Bin .../hosts/wind/data/secrets/secrets.nix | Bin .../config}/hosts/wind/data/secrets/ssh_key | Bin .../hosts/wind/data/secrets/ssh_key.pub | Bin .../wind/data/secrets/synapse_macaroon_secret | Bin .../synapse_registration_shared_secret | Bin .../hosts/wind/data/secrets/ttrss_email_pass | Bin .../wind/data/secrets/turn_shared_secret | Bin .../hosts/wind/data/secrets/vaultwarden_env | Bin .../hosts/wind/hardware-configuration.nix | 0 .../config}/hosts/wind/services/acme.nix | 0 .../config}/hosts/wind/services/coturn.nix | 0 .../config}/hosts/wind/services/gitea.nix | 0 .../config}/hosts/wind/services/nginx.nix | 0 .../config}/hosts/wind/services/postgres.nix | 0 .../config/hosts/wind/services/restic.nix | 47 +++++ .../config}/hosts/wind/services/synapse.nix | 0 .../config}/hosts/wind/services/ttrss.nix 
| 0 .../hosts/wind/services/vaultwarden.nix | 0 unstable/config/sources/default.nix | 11 ++ .../config}/sources/nix/sources.json | 0 unstable/config/sources/nix/sources.nix | 174 ++++++++++++++++++ {deploy => unstable/deploy}/default.nix | 2 +- 78 files changed, 535 insertions(+), 1 deletion(-) delete mode 100644 config/hosts/grondahl/data/secrets/secrets.nix rename {config => stable/config}/common/data/pubkeys/despondos_host_ed25519_key.pub (100%) create mode 100644 stable/config/common/services/nginx.nix rename {config => stable/config}/common/services/ssh.nix (100%) create mode 100644 stable/config/hosts/mail/configuration.nix create mode 100644 stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev create mode 100644 stable/config/hosts/mail/data/secrets/secrets.nix create mode 100644 stable/config/hosts/mail/data/secrets/ssh_key create mode 100644 stable/config/hosts/mail/data/secrets/ssh_key.pub create mode 100644 stable/config/hosts/mail/hardware-configuration.nix rename {config/hosts/rudiger => stable/config/hosts/mail}/services/acme.nix (100%) create mode 100644 stable/config/hosts/mail/services/mail.nix rename {config/hosts/wind => stable/config/hosts/mail}/services/restic.nix (100%) rename {config => stable/config}/sources/default.nix (100%) create mode 100644 stable/config/sources/nix/sources.json rename {config => stable/config}/sources/nix/sources.nix (100%) create mode 100644 stable/deploy/default.nix create mode 120000 stable/result create mode 100644 unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub rename {config => unstable/config}/common/services/nginx.nix (100%) create mode 100644 unstable/config/common/services/ssh.nix rename {config => unstable/config}/hosts/grondahl/configuration.nix (98%) rename {config => unstable/config}/hosts/grondahl/data/secrets/acme_anarkafem_dev (100%) create mode 100644 unstable/config/hosts/grondahl/data/secrets/email_noreply rename {config => 
unstable/config}/hosts/grondahl/data/secrets/restic_pass (100%) create mode 100644 unstable/config/hosts/grondahl/data/secrets/secrets.nix rename {config => unstable/config}/hosts/grondahl/data/secrets/ssh_key (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/ssh_key.pub (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/synapse_macaroon_secret (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/synapse_registration_shared_secret (100%) rename {config => unstable/config}/hosts/grondahl/data/secrets/turn_shared_secret (100%) rename {config => unstable/config}/hosts/grondahl/hardware-configuration.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/acme.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/coturn.nix (100%) create mode 100644 unstable/config/hosts/grondahl/services/mail.nix rename {config => unstable/config}/hosts/grondahl/services/nginx.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/postgres.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/restic.nix (100%) rename {config => unstable/config}/hosts/grondahl/services/synapse.nix (100%) rename {config => unstable/config}/hosts/rudiger/configuration.nix (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/nc_admin_pass (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/redis_pass (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/restic_pass (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/secrets.nix (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/ssh_key (100%) rename {config => unstable/config}/hosts/rudiger/data/secrets/ssh_key.pub (100%) rename {config => unstable/config}/hosts/rudiger/hardware-configuration.nix (100%) create mode 100644 unstable/config/hosts/rudiger/services/acme.nix rename {config => unstable/config}/hosts/rudiger/services/nextcloud.nix (100%) rename 
{config => unstable/config}/hosts/rudiger/services/nginx.nix (100%) rename {config => unstable/config}/hosts/rudiger/services/postgres.nix (100%) rename {config => unstable/config}/hosts/rudiger/services/redis.nix (100%) rename {config => unstable/config}/hosts/rudiger/services/restic.nix (100%) rename {config => unstable/config}/hosts/wind/configuration.nix (100%) rename {config => unstable/config}/hosts/wind/data/secrets/acme_graven_dev.env (100%) rename {config => unstable/config}/hosts/wind/data/secrets/restic_pass (100%) rename {config => unstable/config}/hosts/wind/data/secrets/secrets.nix (100%) rename {config => unstable/config}/hosts/wind/data/secrets/ssh_key (100%) rename {config => unstable/config}/hosts/wind/data/secrets/ssh_key.pub (100%) rename {config => unstable/config}/hosts/wind/data/secrets/synapse_macaroon_secret (100%) rename {config => unstable/config}/hosts/wind/data/secrets/synapse_registration_shared_secret (100%) rename {config => unstable/config}/hosts/wind/data/secrets/ttrss_email_pass (100%) rename {config => unstable/config}/hosts/wind/data/secrets/turn_shared_secret (100%) rename {config => unstable/config}/hosts/wind/data/secrets/vaultwarden_env (100%) rename {config => unstable/config}/hosts/wind/hardware-configuration.nix (100%) rename {config => unstable/config}/hosts/wind/services/acme.nix (100%) rename {config => unstable/config}/hosts/wind/services/coturn.nix (100%) rename {config => unstable/config}/hosts/wind/services/gitea.nix (100%) rename {config => unstable/config}/hosts/wind/services/nginx.nix (100%) rename {config => unstable/config}/hosts/wind/services/postgres.nix (100%) create mode 100644 unstable/config/hosts/wind/services/restic.nix rename {config => unstable/config}/hosts/wind/services/synapse.nix (100%) rename {config => unstable/config}/hosts/wind/services/ttrss.nix (100%) rename {config => unstable/config}/hosts/wind/services/vaultwarden.nix (100%) create mode 100644 unstable/config/sources/default.nix rename 
{config => unstable/config}/sources/nix/sources.json (100%) create mode 100644 unstable/config/sources/nix/sources.nix rename {deploy => unstable/deploy}/default.nix (95%) diff --git a/config/hosts/grondahl/data/secrets/secrets.nix b/config/hosts/grondahl/data/secrets/secrets.nix deleted file mode 100644 index 0a783ca0ff97cd853d4e0e4d83775c90e0ceb1ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 635 zcmV->0)+hlM@dveQdv+`0Q|sj`4%1q-<}8wPsdb;i63O+r9V=wSa>cfw38?U6V&vA zodqcRW4(9&_sn(fI{5`jP3C+6)s|MFL@ z!7E2J6pYr%)K7ozcNAuD7!*7B5PtMx@=DZ;g$I@qI8$b-Bk3~;e`*Uox+61>E-y9= ze0yzQr;A$#2)opfDpW|h8qTw$*mQIsizNwKc7yn_O7rLJMyd(K0_y_`Ru(PrIdp|-jpXFQwy$2^^|n2ts>w^g8D58Q%DB2 zz2ZxtH+Q+n3;RNVH|0TapF#hi2-ctjdy1lv6O_3)-YFHOqrAr0mxPYo7^S4v(q_R% z1m933)yWtuuY>I=y?>#3?1w)3IeGKkeY)_Mo5N$DZX=BYZu=B??M3tj+$iI1iWTX+ zNl!t2QXV#!Lw;UQjv~yX#*unZYlyDIGMD#g7##_KDwq=V2%b}oeP#{Aa4=w;H_nT| V4EUG}f^!qhoOL->ZNZg87EEXCFVFx0 diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/stable/config/common/data/pubkeys/despondos_host_ed25519_key.pub similarity index 100% rename from config/common/data/pubkeys/despondos_host_ed25519_key.pub rename to stable/config/common/data/pubkeys/despondos_host_ed25519_key.pub diff --git a/stable/config/common/services/nginx.nix b/stable/config/common/services/nginx.nix new file mode 100644 index 0000000..60f4b8f --- /dev/null +++ b/stable/config/common/services/nginx.nix 
@@ -0,0 +1,43 @@
+{ ... }:
+{
+ services.nginx = {
+ #enable = true;
+
+ # Use recommended settings
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ # Only allow PFS-enabled ciphers with AES256
+ sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+ commonHttpConfig = ''
+ # Add HSTS header with preloading to HTTPS requests.
+ # Adding this header to HTTP requests is discouraged
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+
+ # Enable CSP for your services.
+ #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+ # Minimize information leaked to other domains
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+
+ # Disable embedding as a frame
+ add_header X-Frame-Options DENY;
+
+ # Prevent injection of code in other mime types (XSS Attacks)
+ add_header X-Content-Type-Options nosniff;
+
+ # Enable XSS protection of the browser.
+ # May be unnecessary when CSP is configured properly (see above)
+ add_header X-XSS-Protection "1; mode=block";
+
+ # This might create errors
+ proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ '';
+ };
+}
diff --git a/config/common/services/ssh.nix b/stable/config/common/services/ssh.nix
similarity index 100%
rename from config/common/services/ssh.nix
rename to stable/config/common/services/ssh.nix
diff --git a/stable/config/hosts/mail/configuration.nix b/stable/config/hosts/mail/configuration.nix
new file mode 100644
index 0000000..44fa832
--- /dev/null
+++ b/stable/config/hosts/mail/configuration.nix
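Review bot: The comment above `sslCiphers` says "Only allow PFS-enabled ciphers with AES256", but the list contains the AES128-GCM suites, so the comment and the list disagree; I'd change the comment to `# Only allow PFS (ECDHE/DHE) AEAD ciphers` rather than silently drop AES128. Note also that nginx's `add_header` is not additive across levels: any `server` or `location` block elsewhere that declares its own `add_header` drops every header set here in `commonHttpConfig`, so HSTS, X-Frame-Options and nosniff need re-declaring wherever a per-site `add_header` exists — worth a comment at the top of the block. `X-XSS-Protection "1; mode=block"` is deprecated and the filter itself has been abused in older browsers; current guidance is `add_header X-XSS-Protection "0";` and to rely on the (still commented-out) CSP. Finally, `preload` together with `includeSubdomains` in a module shared by every host commits all subdomains to HTTPS-only for a year and is hard to undo once submitted, which deserves a sentence in the comment.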
@@ -0,0 +1,58 @@
+{ config, pkgs, lib, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../common/services/ssh.nix
+ #./services/restic.nix
+ ./services/mail.nix
+ ./services/acme.nix
+ ./data/secrets/secrets.nix
+ ];
+
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda";
+ boot.supportedFilesystems = ["zfs"];
+ services.zfs.autoSnapshot.enable = true;
+ services.zfs.autoScrub.enable = true;
+
+ networking.hostName = "mail";
+ networking.hostId = "1e04e84b";
+ time.timeZone = "Europe/Copenhagen";
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+ networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c010:624a::1"; prefixLength = 64; } ];
+ networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+ users.users.emelie = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+ ];
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ environment.systemPackages = with pkgs; [
+ vim
+ htop
+ iotop
+ dig
+ ];
+
+ nix = {
+ autoOptimiseStore = true;
+ trustedUsers = [
+ "root"
+ "@wheel"
+ ];
+ };
+
+
+ # Use hetzner firewall instead
+ networking.firewall.enable = false;
+ system.stateVersion = "21.05";
+
+}
diff --git a/stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev b/stable/config/hosts/mail/data/secrets/mail_noreply_anarkafem_dev
new file mode 100644
index 0000000000000000000000000000000000000000..8756cf3f2276cbca1636b0229d916d111a4ef795
GIT binary patch literal 84 zcmV-a0IUB1M@dveQdv+`0Pc^+9MvpI8+w7u_}VvORQCEXyd6s^R3r|E#m7zm6%{5| q({mqbf9fs_3n8=?qC>WAF6DhdM$fR&*AfD(qWZ?X!Y09eK19IY^(CtS literal 0 HcmV?d00001
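Review bot: `networking.firewall.enable = false` together with `security.sudo.wheelNeedsPassword = false` and `nix.trustedUsers = [ "@wheel" ]` means that a leak of the single `emelie@flap` key is unauthenticated root on a host whose every listening socket is reachable unless the Hetzner firewall is configured correctly; I'd keep the NixOS firewall enabled as a second layer (the pinned mailserver module appears to declare the ports it needs in `networking.firewall` itself — verify on that commit) and keep NOPASSWD only if the nixus deploy as `emelie` really requires it, saying so in a comment. `#./services/restic.nix` is commented out, and git records `services/restic.nix` here as a 100% rename of wind's file, so it presumably still points at wind's repository and password secret — adjust it before enabling, and until then state in the comment that this test host has no backups. Likewise `services/acme.nix` is rudiger's file moved verbatim, so check it carries no rudiger-specific certificate definitions. Finally, `data/secrets/ssh_key` is the host's private key committed as a 421-byte binary blob; that is acceptable only if the repository encrypts secrets at rest (git-crypt or similar), which this diff cannot show — confirm before pushing.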
diff --git a/stable/config/hosts/mail/data/secrets/secrets.nix b/stable/config/hosts/mail/data/secrets/secrets.nix new file mode 100644 index 0000000000000000000000000000000000000000..42a986ca7e734c2dba4a35a5db0f2f1585a871ca GIT binary patch literal 243 zcmVCM@dveQdv+`00EDG9*xQ4Ei|?UE^C2R24`xN%r~Bx%)*p?9=q~SoaHWS zH%a?RiE<47tn(Qi<{iuuPK5!mnUCf)Wt4ls^#R4%GLKb*W51&K?Cg3&g`|{XOZ{5- zR8+5q66_o{d;6GU>=(EzrJ&u1Dlb{=8G@|r}ywuZ%JL+dYbrVnRUeSkCkB?IT z-vW@u_mysofI<=*~yLd0Tz)E!?d}=@aW2PD8vU-T_ewU}9i z9~Q6}jDRH!jItC7;b#u564}1gBCi$?ar~SZ>f+YQ81f(xRhG_pJxCMC#nDdK&#}f9 zx%p_JaQX|a2Mx7D;$ILmBVFhLUfE{fm!Bk_Lx8x(INdh}p+!oD`+ePj$(RlSSq^@{ zJGcv&@~CclY%?|w#i`sQM6yR`X&*E`_E(IdZy0|V&;}>f)7&@pui+e`dFJD<)Vc0S z?p|32grd46I4-J{O{MUApSt&5u1%Q48%;NBrN$C4o^;JH5( literal 0 HcmV?d00001 diff --git a/stable/config/hosts/mail/data/secrets/ssh_key.pub b/stable/config/hosts/mail/data/secrets/ssh_key.pub new file mode 100644 index 0000000000000000000000000000000000000000..04225ea49a09a8fa8692a683d04001bd8ff11669 GIT binary patch literal 119 zcmV--0EqtpM@dveQdv+`0KhLV3(LLCzu{UL`ZY=wx6l`GCfjqD0={-a4R3%4lmA7k z4BzNr=ze8kSgK5~{aH~1VBiQ!7@%Ts1tq-j8_Pv<+Ez`A*zZu24Yw@J<68{`bugn3 ZH<4nHct7<~;8gL%(u4uSTpKGtOw9_-H3t9y literal 0 HcmV?d00001 diff --git a/stable/config/hosts/mail/hardware-configuration.nix b/stable/config/hosts/mail/hardware-configuration.nix new file mode 100644 index 0000000..90e8d09 --- /dev/null +++ b/stable/config/hosts/mail/hardware-configuration.nix 
@@ -0,0 +1,41 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + (modulesPath + "/profiles/minimal.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "rpool/safe/root"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "rpool/safe/home"; + fsType = "zfs"; + }; + + fileSystems."/var" = + { device = "rpool/safe/var"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "rpool/local/nix"; + fsType = "zfs"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/9c3c66f5-bf5a-4a2a-88a2-fc2ef312d7ef"; } + ]; + +} diff --git a/config/hosts/rudiger/services/acme.nix b/stable/config/hosts/mail/services/acme.nix similarity index 100% rename from config/hosts/rudiger/services/acme.nix rename to stable/config/hosts/mail/services/acme.nix diff --git a/stable/config/hosts/mail/services/mail.nix b/stable/config/hosts/mail/services/mail.nix new file mode 100644 index 0000000..f6f1184 --- /dev/null +++ b/stable/config/hosts/mail/services/mail.nix 
@@ -0,0 +1,25 @@
+{ config, ... }:
+
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+ # And set its hash
+ sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "mail.graven.dev";
+ domains = [ "anarkafem.dev" ];
+
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+ };
+ };
+ certificateScheme = 3;
+ };
+}
diff --git a/config/hosts/wind/services/restic.nix b/stable/config/hosts/mail/services/restic.nix
similarity index 100%
rename from config/hosts/wind/services/restic.nix
rename to stable/config/hosts/mail/services/restic.nix
diff --git a/config/sources/default.nix b/stable/config/sources/default.nix
similarity index 100%
rename from config/sources/default.nix
rename to stable/config/sources/default.nix
diff --git a/stable/config/sources/nix/sources.json b/stable/config/sources/nix/sources.json
new file mode 100644
index 0000000..3098061
--- /dev/null
+++ b/stable/config/sources/nix/sources.json
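Review bot: The mailserver module is fetched with `builtins.fetchTarball` at a hard-coded commit while every other input (`nixpkgs`, `nixus`, `nixos-hardware`) is pinned through niv in `sources.json`, so this one dependency escapes `niv update` and stable/unstable now carry two separately pinned mailserver commits (5675b12 here, 6e81428 in `unstable/.../grondahl/services/mail.nix`); I'd add it as a niv source and reference `sources.nixos-mailserver` in `imports`, keeping the sha256 pin. The comment `# Pick a commit from the branch you are interested in` is copied from the upstream README and records nothing; since this host tracks `nixos-21.05`, replace it with `# nixos-mailserver, nixos-21.05 branch — keep in step with nixpkgs in sources.json` once you have confirmed the commit actually comes from that branch. `certificateScheme = 3` obtains the `mail.graven.dev` certificate via the HTTP-01 challenge through nginx, so 80/tcp must be open in the Hetzner firewall alongside the mail ports now that the host firewall is disabled.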
@@ -0,0 +1,50 @@ +{ + "niv": { + "branch": "master", + "description": "Easy dependency management for Nix projects", + "homepage": "https://github.com/nmattia/niv", + "owner": "nmattia", + "repo": "niv", + "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c", + "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm", + "type": "tarball", + "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixos-hardware": { + "branch": "master", + "description": "A collection of NixOS modules covering hardware quirks.", + "homepage": "", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "5a7e613703ea349fd46b3fa2f3dfe3bd5444d591", + "sha256": "088z9p9ycsvnghqbksxrssk43wfsnm9caks9lch90jp2x8c8aw7x", + "type": "tarball", + "url": "https://github.com/NixOS/nixos-hardware/archive/5a7e613703ea349fd46b3fa2f3dfe3bd5444d591.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixpkgs": { + "branch": "nixos-21.05", + "description": "Nix Packages collection", + "homepage": "", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "46251a79f752ae1d46ef733e8e9760b6d3429da4", + "sha256": "1xsp0xyrf8arjkf4wi09n96kbg0r8igsmzx8bhc1nj4nr078p0pg", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/46251a79f752ae1d46ef733e8e9760b6d3429da4.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "nixus": { + "branch": "master", + "description": null, + "homepage": "", + "owner": "Infinisil", + "repo": "nixus", + "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57", + "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb", + "type": "tarball", + "url": "https://github.com/Infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} 
diff --git a/config/sources/nix/sources.nix b/stable/config/sources/nix/sources.nix
similarity index 100%
rename from config/sources/nix/sources.nix
rename to stable/config/sources/nix/sources.nix
diff --git a/stable/deploy/default.nix b/stable/deploy/default.nix
new file mode 100644
index 0000000..0373339
--- /dev/null
+++ b/stable/deploy/default.nix
@@ -0,0 +1,24 @@
+let
+ sources = import ../config/sources;
+in import "${sources.nixus}" {} ({ config, ... }: {
+
+ defaults = { name, ... }: {
+ configuration = { lib, ... }: {
+ networking.hostName = lib.mkDefault name;
+ };
+
+ # use our nixpkgs from niv
+ nixpkgs = sources.nixpkgs;
+ };
+
+ nodes = {
+ mail = { lib, config, ... }: {
+ host = "emelie@mail.graven.dev";
+ configuration = ../config/hosts/mail/configuration.nix;
+ switchTimeout = 300;
+ successTimeout = 300;
+ #ignoreFailingSystemdUnits = true;
+ };
+ };
+})
+
diff --git a/stable/result b/stable/result
new file mode 120000
index 0000000..fc926f2
--- /dev/null
+++ b/stable/result
@@ -0,0 +1 @@
+/nix/store/i50n7iakdlfmy4s7d90djnz30q4qskh5-deploy
\ No newline at end of file
diff --git a/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
new file mode 100644
index 0000000..6367ffa
--- /dev/null
+++ b/unstable/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
diff --git a/config/common/services/nginx.nix b/unstable/config/common/services/nginx.nix
similarity index 100%
rename from config/common/services/nginx.nix
rename to unstable/config/common/services/nginx.nix
diff --git a/unstable/config/common/services/ssh.nix b/unstable/config/common/services/ssh.nix
new file mode 100644
index 0000000..2a918d9
--- /dev/null
+++ b/unstable/config/common/services/ssh.nix
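Review bot: `stable/result` is a `nix-build` output symlink into `/nix/store/i50n7…-deploy` (mode 120000) and should not be committed: it is specific to the machine that produced it, will change on every deploy and dirty the tree, and carries no information the repo needs. Remove it from the commit and add `result` and `result-*` to `.gitignore` so it cannot come back.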
@@ -0,0 +1,24 @@
+{ ... }:
+{
+ services.openssh = {
+ enable = true;
+ permitRootLogin = "no";
+ passwordAuthentication = false;
+ challengeResponseAuthentication = false;
+ hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+ kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+ macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+ };
+
+ programs.ssh.knownHosts = {
+ despondos = {
+ hostNames = [ "despondos.nao.sh" ];
+ publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+ };
+ };
+
+ services.sshguard = {
+ enable = true;
+ blocktime = 300;
+ };
+}
diff --git a/config/hosts/grondahl/configuration.nix b/unstable/config/hosts/grondahl/configuration.nix
similarity index 98%
rename from config/hosts/grondahl/configuration.nix
rename to unstable/config/hosts/grondahl/configuration.nix
index c7a1ea9..4282811 100644
--- a/config/hosts/grondahl/configuration.nix
+++ b/unstable/config/hosts/grondahl/configuration.nix
@@ -12,6 +12,7 @@
 ./services/restic.nix
 ./services/synapse.nix
 ./services/postgres.nix
+ ./services/mail.nix
 ];
 
 boot.loader.grub.enable = true;
diff --git a/config/hosts/grondahl/data/secrets/acme_anarkafem_dev b/unstable/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
similarity index 100%
rename from config/hosts/grondahl/data/secrets/acme_anarkafem_dev
rename to unstable/config/hosts/grondahl/data/secrets/acme_anarkafem_dev
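Review bot: The `macs` list names `hmac-sha2-512-etm@openssh.com` twice; the duplicate is harmless to sshd but is almost certainly a typo for the SHA-256 variant, so make it `macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" ];`. This file is created fresh (`new file mode`) rather than renamed from `config/common/services/ssh.nix`, which git moved to `stable/`, so the two copies will drift; if the stable copy has the same duplicate, fix both in one commit. The second hunk on this line, in `grondahl/configuration.nix`, only adds the `./services/mail.nix` import — the rest of that `imports` list and the enclosing attribute set lie outside the hunk.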
diff --git a/unstable/config/hosts/grondahl/data/secrets/email_noreply b/unstable/config/hosts/grondahl/data/secrets/email_noreply new file mode 100644 index 0000000000000000000000000000000000000000..babe205fdffc5ed70027ac188d4ca5a80652c8ca GIT binary patch literal 83 zcmV-Z0IdH2M@dveQdv+`0PSY?KMc6`J8dBlyegkvme_3S&1=;i0rtMtl3sxnB2M?ae&W;Q~UlE5W0pq+pM)PHc4?H*lElUYAfRJ!na zMu`^f6|PL%6C0QDIgB~NYH_O#Tm{}}7OP=1dmMS=lu)v)?aN6I*XiM8B}1gl!Yje$ zj6o75<~m38g`Lu5$I6)#oZ!XKxWtkY*W@wr=&NvmcW5}P%}*YbUoVN1VEkbg_5xYH z9V^UN5;1^vo7-v3o}l?mhn4fgLE3bHw0U6yM+ISQMME{$Ue3llh_$laPZeNp15TK1 z!G`dKxNrl>s#X_lw5l@U?~gwjLEUJ}lsW*gI%tH6nk8EBBvpc3?zRgZIC1jOmt@NM zE6g#5;3X67+DCI+Dw<}ZQ3lWxNW4dvis9p+9`YEYL4Th&7z`=^_pYRytm0(vlRPRu z{c$Ep0#|vvQ8ba+wHk*(ZF|X;GYHdslekVJ%EG%p#X2mb@$%|R>YAQ2Kb9kpfU}rY zGq-{8E*nT*I#y0m{v139&GuyoLI7?Em3!_ y#!bomxBN(8HBOH-5usA!hg2wr6gqInx$y>6QXaIbJ|HVnTwj7Ru=}e@3?Bb87h2Z< literal 0 HcmV?d00001 diff --git a/config/hosts/grondahl/data/secrets/ssh_key b/unstable/config/hosts/grondahl/data/secrets/ssh_key similarity index 100% rename from config/hosts/grondahl/data/secrets/ssh_key rename to unstable/config/hosts/grondahl/data/secrets/ssh_key diff --git a/config/hosts/grondahl/data/secrets/ssh_key.pub b/unstable/config/hosts/grondahl/data/secrets/ssh_key.pub similarity index 100% rename from config/hosts/grondahl/data/secrets/ssh_key.pub rename to unstable/config/hosts/grondahl/data/secrets/ssh_key.pub diff --git a/config/hosts/grondahl/data/secrets/synapse_macaroon_secret b/unstable/config/hosts/grondahl/data/secrets/synapse_macaroon_secret similarity index 100% rename from config/hosts/grondahl/data/secrets/synapse_macaroon_secret rename to unstable/config/hosts/grondahl/data/secrets/synapse_macaroon_secret 
diff --git a/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret b/unstable/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret similarity index 100% rename from config/hosts/grondahl/data/secrets/synapse_registration_shared_secret rename to unstable/config/hosts/grondahl/data/secrets/synapse_registration_shared_secret diff --git a/config/hosts/grondahl/data/secrets/turn_shared_secret b/unstable/config/hosts/grondahl/data/secrets/turn_shared_secret similarity index 100% rename from config/hosts/grondahl/data/secrets/turn_shared_secret rename to unstable/config/hosts/grondahl/data/secrets/turn_shared_secret diff --git a/config/hosts/grondahl/hardware-configuration.nix b/unstable/config/hosts/grondahl/hardware-configuration.nix similarity index 100% rename from config/hosts/grondahl/hardware-configuration.nix rename to unstable/config/hosts/grondahl/hardware-configuration.nix diff --git a/config/hosts/grondahl/services/acme.nix b/unstable/config/hosts/grondahl/services/acme.nix similarity index 100% rename from config/hosts/grondahl/services/acme.nix rename to unstable/config/hosts/grondahl/services/acme.nix diff --git a/config/hosts/grondahl/services/coturn.nix b/unstable/config/hosts/grondahl/services/coturn.nix similarity index 100% rename from config/hosts/grondahl/services/coturn.nix rename to unstable/config/hosts/grondahl/services/coturn.nix diff --git a/unstable/config/hosts/grondahl/services/mail.nix b/unstable/config/hosts/grondahl/services/mail.nix new file mode 100644 index 0000000..3591384 --- /dev/null +++ b/unstable/config/hosts/grondahl/services/mail.nix 
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ imports = [
+ (builtins.fetchTarball {
+ # Pick a commit from the branch you are interested in
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/6e8142862f23ab99e1cc57838c02b733361e8d50/nixos-mailserver-6e8142862f23ab99e1cc57838c02b733361e8d50.tar.gz";
+ # And set its hash
+ sha256 = "19qzp8131pid4m3llb6w2v4ayxh25016fpv8yw6wnqng9yvigcw5";
+ })
+ ];
+
+ mailserver = {
+ enable = true;
+ fqdn = "anarkafem.dev";
+ domains = [ "anarkafem.dev" ];
+ loginAccounts = {
+ "noreply@anarkafem.dev" = {
+ hashedPasswordFile = config.secrets.files.email_noreply.file;
+
+ };
+ };
+ certificateScheme = 3;
+ };
+}
+
diff --git a/config/hosts/grondahl/services/nginx.nix b/unstable/config/hosts/grondahl/services/nginx.nix
similarity index 100%
rename from config/hosts/grondahl/services/nginx.nix
rename to unstable/config/hosts/grondahl/services/nginx.nix
diff --git a/config/hosts/grondahl/services/postgres.nix b/unstable/config/hosts/grondahl/services/postgres.nix
similarity index 100%
rename from config/hosts/grondahl/services/postgres.nix
rename to unstable/config/hosts/grondahl/services/postgres.nix
diff --git a/config/hosts/grondahl/services/restic.nix b/unstable/config/hosts/grondahl/services/restic.nix
similarity index 100%
rename from config/hosts/grondahl/services/restic.nix
rename to unstable/config/hosts/grondahl/services/restic.nix
diff --git a/config/hosts/grondahl/services/synapse.nix b/unstable/config/hosts/grondahl/services/synapse.nix
similarity index 100%
rename from config/hosts/grondahl/services/synapse.nix
rename to unstable/config/hosts/grondahl/services/synapse.nix
diff --git a/config/hosts/rudiger/configuration.nix b/unstable/config/hosts/rudiger/configuration.nix
similarity index 100%
rename from config/hosts/rudiger/configuration.nix
rename to unstable/config/hosts/rudiger/configuration.nix
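Review bot: The nixos-mailserver module is pinned with an inline `builtins.fetchTarball` in `imports`, while every other input of this tree is tracked through niv (`config/sources/nix/sources.json`); registering it as a niv source would keep the pin in one reviewable place and let a `niv update` bump the commit and `sha256` together instead of by hand. The two comments above `url` and `sha256` are the upstream README's template text and say nothing about this deployment; replace them with what is actually pinned, e.g. `# simple-nixos-mailserver, pinned by commit; bump url and sha256 together`. `certificateScheme = 3` deserves a one-line comment as well, since a reader cannot tell from the number which certificate source this host relies on (if I read the upstream option right it is ACME via nginx, which also means port 80 must be reachable for the challenge). The stray blank line inside the `"noreply@anarkafem.dev"` attribute set can go.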
diff --git a/config/hosts/rudiger/data/secrets/nc_admin_pass b/unstable/config/hosts/rudiger/data/secrets/nc_admin_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/nc_admin_pass
rename to unstable/config/hosts/rudiger/data/secrets/nc_admin_pass
diff --git a/config/hosts/rudiger/data/secrets/redis_pass b/unstable/config/hosts/rudiger/data/secrets/redis_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/redis_pass
rename to unstable/config/hosts/rudiger/data/secrets/redis_pass
diff --git a/config/hosts/rudiger/data/secrets/restic_pass b/unstable/config/hosts/rudiger/data/secrets/restic_pass
similarity index 100%
rename from config/hosts/rudiger/data/secrets/restic_pass
rename to unstable/config/hosts/rudiger/data/secrets/restic_pass
diff --git a/config/hosts/rudiger/data/secrets/secrets.nix b/unstable/config/hosts/rudiger/data/secrets/secrets.nix
similarity index 100%
rename from config/hosts/rudiger/data/secrets/secrets.nix
rename to unstable/config/hosts/rudiger/data/secrets/secrets.nix
diff --git a/config/hosts/rudiger/data/secrets/ssh_key b/unstable/config/hosts/rudiger/data/secrets/ssh_key
similarity index 100%
rename from config/hosts/rudiger/data/secrets/ssh_key
rename to unstable/config/hosts/rudiger/data/secrets/ssh_key
diff --git a/config/hosts/rudiger/data/secrets/ssh_key.pub b/unstable/config/hosts/rudiger/data/secrets/ssh_key.pub
similarity index 100%
rename from config/hosts/rudiger/data/secrets/ssh_key.pub
rename to unstable/config/hosts/rudiger/data/secrets/ssh_key.pub
diff --git a/config/hosts/rudiger/hardware-configuration.nix b/unstable/config/hosts/rudiger/hardware-configuration.nix
similarity index 100%
rename from config/hosts/rudiger/hardware-configuration.nix
rename to unstable/config/hosts/rudiger/hardware-configuration.nix
diff --git a/unstable/config/hosts/rudiger/services/acme.nix b/unstable/config/hosts/rudiger/services/acme.nix
new file mode 100644
index 0000000..62ae467
--- /dev/null
+++ b/unstable/config/hosts/rudiger/services/acme.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ email = "admin+certs@graven.dev";
+ };
+}
+
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/unstable/config/hosts/rudiger/services/nextcloud.nix
similarity index 100%
rename from config/hosts/rudiger/services/nextcloud.nix
rename to unstable/config/hosts/rudiger/services/nextcloud.nix
diff --git a/config/hosts/rudiger/services/nginx.nix b/unstable/config/hosts/rudiger/services/nginx.nix
similarity index 100%
rename from config/hosts/rudiger/services/nginx.nix
rename to unstable/config/hosts/rudiger/services/nginx.nix
diff --git a/config/hosts/rudiger/services/postgres.nix b/unstable/config/hosts/rudiger/services/postgres.nix
similarity index 100%
rename from config/hosts/rudiger/services/postgres.nix
rename to unstable/config/hosts/rudiger/services/postgres.nix
diff --git a/config/hosts/rudiger/services/redis.nix b/unstable/config/hosts/rudiger/services/redis.nix
similarity index 100%
rename from config/hosts/rudiger/services/redis.nix
rename to unstable/config/hosts/rudiger/services/redis.nix
diff --git a/config/hosts/rudiger/services/restic.nix b/unstable/config/hosts/rudiger/services/restic.nix
similarity index 100%
rename from config/hosts/rudiger/services/restic.nix
rename to unstable/config/hosts/rudiger/services/restic.nix
diff --git a/config/hosts/wind/configuration.nix b/unstable/config/hosts/wind/configuration.nix
similarity index 100%
rename from config/hosts/wind/configuration.nix
rename to unstable/config/hosts/wind/configuration.nix
diff --git a/config/hosts/wind/data/secrets/acme_graven_dev.env b/unstable/config/hosts/wind/data/secrets/acme_graven_dev.env
similarity index 100%
rename from config/hosts/wind/data/secrets/acme_graven_dev.env
rename to unstable/config/hosts/wind/data/secrets/acme_graven_dev.env
diff --git a/config/hosts/wind/data/secrets/restic_pass b/unstable/config/hosts/wind/data/secrets/restic_pass
similarity index 100%
rename from config/hosts/wind/data/secrets/restic_pass
rename to unstable/config/hosts/wind/data/secrets/restic_pass
diff --git a/config/hosts/wind/data/secrets/secrets.nix b/unstable/config/hosts/wind/data/secrets/secrets.nix
similarity index 100%
rename from config/hosts/wind/data/secrets/secrets.nix
rename to unstable/config/hosts/wind/data/secrets/secrets.nix
diff --git a/config/hosts/wind/data/secrets/ssh_key b/unstable/config/hosts/wind/data/secrets/ssh_key
similarity index 100%
rename from config/hosts/wind/data/secrets/ssh_key
rename to unstable/config/hosts/wind/data/secrets/ssh_key
diff --git a/config/hosts/wind/data/secrets/ssh_key.pub b/unstable/config/hosts/wind/data/secrets/ssh_key.pub
similarity index 100%
rename from config/hosts/wind/data/secrets/ssh_key.pub
rename to unstable/config/hosts/wind/data/secrets/ssh_key.pub
diff --git a/config/hosts/wind/data/secrets/synapse_macaroon_secret b/unstable/config/hosts/wind/data/secrets/synapse_macaroon_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/synapse_macaroon_secret
rename to unstable/config/hosts/wind/data/secrets/synapse_macaroon_secret
diff --git a/config/hosts/wind/data/secrets/synapse_registration_shared_secret b/unstable/config/hosts/wind/data/secrets/synapse_registration_shared_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/synapse_registration_shared_secret
rename to unstable/config/hosts/wind/data/secrets/synapse_registration_shared_secret
diff --git a/config/hosts/wind/data/secrets/ttrss_email_pass b/unstable/config/hosts/wind/data/secrets/ttrss_email_pass
similarity index 100%
rename from config/hosts/wind/data/secrets/ttrss_email_pass
rename to unstable/config/hosts/wind/data/secrets/ttrss_email_pass
diff --git a/config/hosts/wind/data/secrets/turn_shared_secret b/unstable/config/hosts/wind/data/secrets/turn_shared_secret
similarity index 100%
rename from config/hosts/wind/data/secrets/turn_shared_secret
rename to unstable/config/hosts/wind/data/secrets/turn_shared_secret
diff --git a/config/hosts/wind/data/secrets/vaultwarden_env b/unstable/config/hosts/wind/data/secrets/vaultwarden_env
similarity index 100%
rename from config/hosts/wind/data/secrets/vaultwarden_env
rename to unstable/config/hosts/wind/data/secrets/vaultwarden_env
diff --git a/config/hosts/wind/hardware-configuration.nix b/unstable/config/hosts/wind/hardware-configuration.nix
similarity index 100%
rename from config/hosts/wind/hardware-configuration.nix
rename to unstable/config/hosts/wind/hardware-configuration.nix
diff --git a/config/hosts/wind/services/acme.nix b/unstable/config/hosts/wind/services/acme.nix
similarity index 100%
rename from config/hosts/wind/services/acme.nix
rename to unstable/config/hosts/wind/services/acme.nix
diff --git a/config/hosts/wind/services/coturn.nix b/unstable/config/hosts/wind/services/coturn.nix
similarity index 100%
rename from config/hosts/wind/services/coturn.nix
rename to unstable/config/hosts/wind/services/coturn.nix
diff --git a/config/hosts/wind/services/gitea.nix b/unstable/config/hosts/wind/services/gitea.nix
similarity index 100%
rename from config/hosts/wind/services/gitea.nix
rename to unstable/config/hosts/wind/services/gitea.nix
diff --git a/config/hosts/wind/services/nginx.nix b/unstable/config/hosts/wind/services/nginx.nix
similarity index 100%
rename from config/hosts/wind/services/nginx.nix
rename to unstable/config/hosts/wind/services/nginx.nix
diff --git a/config/hosts/wind/services/postgres.nix b/unstable/config/hosts/wind/services/postgres.nix
similarity index 100%
rename from config/hosts/wind/services/postgres.nix
rename to unstable/config/hosts/wind/services/postgres.nix
diff --git a/unstable/config/hosts/wind/services/restic.nix b/unstable/config/hosts/wind/services/restic.nix
new file mode 100644
index 0000000..083e4cc
--- /dev/null
+++ b/unstable/config/hosts/wind/services/restic.nix
@@ -0,0 +1,47 @@
+{ config, ... }:
+
+{
+
+ services.restic.backups = {
+ "gitea" = {
+ paths = [ "/var/lib/gitea" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/gitea";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "02:15"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "gitea";
+ };
+ "postgres" = {
+ paths = [ "/var/lib/postgresql/backup" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/postgres";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:00"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "postgres";
+ };
+ "synapse" = {
+ paths = [ "/var/lib/matrix-synapse" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/synapse";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "03:30"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "matrix-synapse";
+ };
+ "vaultwarden" = {
+ paths = [ "/var/lib/bitwarden_rs" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/wind/vaultwarden";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "23:45"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" 
];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "vaultwarden";
+ };
+ };
+}
diff --git a/config/hosts/wind/services/synapse.nix b/unstable/config/hosts/wind/services/synapse.nix
similarity index 100%
rename from config/hosts/wind/services/synapse.nix
rename to unstable/config/hosts/wind/services/synapse.nix
diff --git a/config/hosts/wind/services/ttrss.nix b/unstable/config/hosts/wind/services/ttrss.nix
similarity index 100%
rename from config/hosts/wind/services/ttrss.nix
rename to unstable/config/hosts/wind/services/ttrss.nix
diff --git a/config/hosts/wind/services/vaultwarden.nix b/unstable/config/hosts/wind/services/vaultwarden.nix
similarity index 100%
rename from config/hosts/wind/services/vaultwarden.nix
rename to unstable/config/hosts/wind/services/vaultwarden.nix
diff --git a/unstable/config/sources/default.nix b/unstable/config/sources/default.nix
new file mode 100644
index 0000000..ccd3ba8
--- /dev/null
+++ b/unstable/config/sources/default.nix
@@ -0,0 +1,11 @@
+let
+ sources = import ./nix/sources.nix;
+
+ # just use standard pkgs from sources
+ # so that we have our applyPattches function
+ pkgs = import sources.nixpkgs {};
+
+in {
+ nixus = sources.nixus;
+} // sources
+
diff --git a/config/sources/nix/sources.json b/unstable/config/sources/nix/sources.json
similarity index 100%
rename from config/sources/nix/sources.json
rename to unstable/config/sources/nix/sources.json
diff --git a/unstable/config/sources/nix/sources.nix b/unstable/config/sources/nix/sources.nix
new file mode 100644
index 0000000..1938409
--- /dev/null
+++ b/unstable/config/sources/nix/sources.nix
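Review bot: In `unstable/config/sources/default.nix` the `pkgs = import sources.nixpkgs {};` binding is never referenced by the result, so under Nix's lazy evaluation it is dead code and the comment about an `applyPattches` function (sic) describes nothing the file does; either export it (`inherit pkgs;` in the result set) so callers actually get a `pkgs` with that helper, or drop the binding together with its comment. The explicit `nixus = sources.nixus;` is also redundant, because the right-hand side of `// sources` already supplies the same `nixus` attribute and wins the merge; `in sources` alone expresses the current result. If `pkgs` is kept, a comment naming which nixpkgs it is (`# nixpkgs as pinned in nix/sources.json`) would make the intent clear.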
@@ -0,0 +1,174 @@ +# This file has been generated by Niv. + +let + + # + # The fetchers. fetch_ fetches specs of type . + # + + fetch_file = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchurl { inherit (spec) url sha256; name = name'; } + else + pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; + + fetch_tarball = pkgs: name: spec: + let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true then + builtins_fetchTarball { name = name'; inherit (spec) url sha256; } + else + pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; + + fetch_git = name: spec: + let + ref = + if spec ? ref then spec.ref else + if spec ? branch then "refs/heads/${spec.branch}" else + if spec ? tag then "refs/tags/${spec.tag}" else + abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + in + builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: throw + ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: throw + ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: + ( + concatMapStrings (s: if builtins.isList s then "-" else s) + ( + builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) + ) + ); + + # The set of packages used when specs are fetched using non-builtins. 
+ mkPkgs = sources: system: + let + sourcesNixpkgs = + import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then + import {} + else + abort + '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + + if ! builtins.hasAttr "type" spec then + abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" then fetch_file pkgs name spec + else if spec.type == "tarball" then fetch_tarball pkgs name spec + else if spec.type == "git" then fetch_git name spec + else if spec.type == "local" then fetch_local spec + else if spec.type == "builtin-tarball" then fetch_builtin-tarball name + else if spec.type == "builtin-url" then fetch_builtin-url name + else + abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. + replace = name: drv: + let + saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" then drv else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. 
+ builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = builtins.mapAttrs or ( + f: set: with builtins; + listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) + ); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: if cond then as else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { url, name ? null, sha256 }@attrs: + let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" then + fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; })) + else + fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { url, name ? 
null, sha256 }@attrs:
+ let
+ inherit (builtins) lessThan nixVersion fetchurl;
+ in
+ if lessThan nixVersion "1.12" then
+ fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+ else
+ fetchurl attrs;
+
+ # Create the final "sources" from the config
+ mkSources = config:
+ mapAttrs (
+ name: spec:
+ if builtins.hasAttr "outPath" spec
+ then abort
+ "The values in sources.json should not have an 'outPath' attribute"
+ else
+ spec // { outPath = replace name (fetch config.pkgs name spec); }
+ ) config.sources;
+
+ # The "config" used by the fetchers
+ mkConfig =
+ { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
+ , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
+ , system ? builtins.currentSystem
+ , pkgs ? mkPkgs sources system
+ }: rec {
+ # The sources, i.e. the attribute set of spec name to spec
+ inherit sources;
+
+ # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
+ inherit pkgs;
+ };
+
+in
+mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
diff --git a/deploy/default.nix b/unstable/deploy/default.nix
similarity index 95%
rename from deploy/default.nix
rename to unstable/deploy/default.nix
index ee07e2e..3fdc041 100644
--- a/deploy/default.nix
+++ b/unstable/deploy/default.nix
@@ -1,5 +1,5 @@
 let
- sources = import ../config/sources;
+ sources = import ../unstable/config/sources;
 in
 import "${sources.nixus}" {} ({ config, ... }: {
 defaults = { name, ... }: {
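Review bot: The new `sources = import ../unstable/config/sources;` looks wrong for the file's new location: Nix resolves a relative path literal against the directory of the file that contains it, and from `unstable/deploy/default.nix` that path is `unstable/unstable/config/sources`, which this commit does not create. Since the deploy file and the sources directory moved under `unstable/` together, the old relative path still holds and the line should stay `sources = import ../config/sources;`. The `import "${sources.nixus}"` expression and the `defaults` module continue outside the hunk, so I cannot see whether anything else in that file also hard-codes the old `config/` prefix.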