NWO

2015-07-11 16:55:22 +02:00 · 2015-07-11 16:55:22 +02:00 · d213df5c00
commit d213df5c00
161 changed files with 4912 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+/.graveyard
--- a/0make/tv/cd.makefile
+++ b/0make/tv/cd.makefile
@ -0,0 +1,4 @@
+deploy_host := root@cd-global
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/tv/secrets/cd
--- a/0make/tv/mkdir.makefile
+++ b/0make/tv/mkdir.makefile
@ -0,0 +1,4 @@
+deploy_host := root@mkdir
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/tv/secrets/mkdir
--- a/0make/tv/nomic.makefile
+++ b/0make/tv/nomic.makefile
@ -0,0 +1,4 @@
+deploy_host := root@nomic-local
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4e5e44140bfc27211dffbb3cd727842ab02eb9d6
+secrets_dir := /home/tv/secrets/nomic
--- a/0make/tv/rmdir.makefile
+++ b/0make/tv/rmdir.makefile
@ -0,0 +1,4 @@
+deploy_host := root@rmdir
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := 4c01e6d91993b6de128795f4fbdd25f6227fb870
+secrets_dir := /home/tv/secrets/rmdir
--- a/0make/tv/wu.makefile
+++ b/0make/tv/wu.makefile
@ -0,0 +1,4 @@
+deploy_host := root@wu
+nixpkgs_url := https://github.com/NixOS/nixpkgs
+nixpkgs_rev := e1af50c4c4c0332136283e9231f0a32ac11f2b90
+secrets_dir := /home/tv/secrets/wu
--- a/1systems/tv/cd.nix
+++ b/1systems/tv/cd.nix
@ -0,0 +1,98 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../../2configs/tv/CAC-Developer-2.nix
+    ../../2configs/tv/CAC-CentOS-7-64bit.nix
+    ../../2configs/tv/base.nix
+    ../../2configs/tv/consul-server.nix
+    ../../2configs/tv/exim-smarthost.nix
+    ../../2configs/tv/git-public.nix
+    {
+      imports = [ ../../3modules/tv/ejabberd.nix ];
+      tv.ejabberd = {
+        enable = true;
+        hosts = [ "jabber.viljetic.de" ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/identity.nix ];
+      tv.identity = {
+        enable = true;
+        self = config.tv.identity.hosts.cd;
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/iptables.nix ];
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "tinc"
+          "smtp"
+          "xmpp-client"
+          "xmpp-server"
+        ];
+        input-retiolum-accept-new-tcp = [
+          "http"
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/retiolum.nix ];
+      tv.retiolum = {
+        enable = true;
+        hosts = ../../Zhosts;
+        connectTo = [
+          "fastpoke"
+          "pigstarter"
+          "ire"
+        ];
+      };
+    }
+  ];
+
+  networking.hostName = "cd";
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "162.219.7.216";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "162.219.7.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    mutt    # for mv
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  users.extraUsers = {
+    mv = {
+      uid = 1338;
+      group = "users";
+      home = "/home/mv";
+      createHome = true;
+      useDefaultShell = true;
+      openssh.authorizedKeys.keys = map readFile [
+        ../../Zpubkeys/mv_vod.ssh.pub
+      ];
+    };
+  };
+}
--- a/1systems/tv/mkdir.nix
+++ b/1systems/tv/mkdir.nix
@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../../2configs/tv/CAC-Developer-1.nix
+    ../../2configs/tv/CAC-CentOS-7-64bit.nix
+    ../../2configs/tv/base.nix
+    ../../2configs/tv/consul-server.nix
+    ../../2configs/tv/exim-smarthost.nix
+    ../../2configs/tv/git-public.nix
+    {
+      imports = [ ../../3modules/tv/identity.nix ];
+      tv.identity = {
+        enable = true;
+        self = config.tv.identity.hosts.mkdir;
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/iptables.nix ];
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "tinc"
+          "smtp"
+        ];
+        input-retiolum-accept-new-tcp = [
+          "http"
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/retiolum.nix ];
+      tv.retiolum = {
+        enable = true;
+        hosts = ../../Zhosts;
+        connectTo = [
+          "cd"
+          "fastpoke"
+          "pigstarter"
+          "ire"
+        ];
+      };
+    }
+  ];
+
+  networking.hostName = "mkdir";
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "162.248.167.241";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "162.248.167.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+}
--- a/1systems/tv/nomic.nix
+++ b/1systems/tv/nomic.nix
@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../../2configs/tv/AO753.nix
+    ../../2configs/tv/base.nix
+    ../../2configs/tv/consul-server.nix
+    ../../2configs/tv/exim-retiolum.nix
+    ../../2configs/tv/git-public.nix
+    {
+      imports = [ ../../3modules/tv/identity.nix ];
+      tv.identity = {
+        enable = true;
+        self = config.tv.identity.hosts.nomic;
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/iptables.nix ];
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "http"
+          "tinc"
+          "smtp"
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/nginx.nix ];
+      tv.nginx = {
+        enable = true;
+        retiolum-locations = [
+          (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+            alias /home/$1/public_html$2;
+          '')
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/retiolum.nix ];
+      tv.retiolum = {
+        enable = true;
+        hosts = ../../Zhosts;
+        connectTo = [
+          "gum"
+          "pigstarter"
+        ];
+      };
+    }
+  ];
+
+  boot.initrd.luks = {
+    cryptoModules = [ "aes" "sha1" "xts" ];
+    devices = [
+      {
+        name = "luks1";
+        device = "/dev/disk/by-uuid/cac73902-1023-4906-8e95-3a8b245337d4";
+      }
+    ];
+  };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/de4780fc-0473-4708-81df-299b7383274c";
+      fsType = "btrfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/be3a1d80-3157-4d7c-86cc-ef01b64eff5e";
+      fsType = "ext4";
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/9db9c8ff-51da-4cbd-9f0a-0cd3333bbaff";
+      fsType = "btrfs";
+    };
+
+  swapDevices = [ ];
+
+  nix = {
+    buildCores = 2;
+    maxJobs = 2;
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+
+  # TODO base
+  boot.tmpOnTmpfs = true;
+
+  environment.systemPackages = with pkgs; [
+    (writeScriptBin "play" ''
+      #! /bin/sh
+      set -euf
+      mpv() { exec ${mpv}/bin/mpv "$@"; }
+      case $1 in
+        deepmix)      mpv http://deepmix.ru/deepmix128.pls;;
+        groovesalad)  mpv http://somafm.com/play/groovesalad;;
+        ntslive)      mpv http://listen2.ntslive.co.uk/listen.pls;;
+        *)
+          echo "$0: bad argument: $*" >&2
+          exit 23
+      esac
+    '')
+    rxvt_unicode.terminfo
+    tmux
+  ];
+
+  networking.hostName = "nomic";
+}
--- a/1systems/tv/rmdir.nix
+++ b/1systems/tv/rmdir.nix
@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../../2configs/tv/CAC-Developer-1.nix
+    ../../2configs/tv/CAC-CentOS-7-64bit.nix
+    ../../2configs/tv/base.nix
+    ../../2configs/tv/consul-server.nix
+    ../../2configs/tv/exim-smarthost.nix
+    ../../2configs/tv/git-public.nix
+    {
+      imports = [ ../../3modules/tv/identity.nix ];
+      tv.identity = {
+        enable = true;
+        self = config.tv.identity.hosts.rmdir;
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/iptables.nix ];
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "tinc"
+          "smtp"
+        ];
+        input-retiolum-accept-new-tcp = [
+          "http"
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/retiolum.nix ];
+      tv.retiolum = {
+        enable = true;
+        hosts = ../../Zhosts;
+        connectTo = [
+          "cd"
+          "mkdir"
+          "fastpoke"
+          "pigstarter"
+          "ire"
+        ];
+      };
+    }
+  ];
+
+  networking.hostName = "rmdir";
+  networking.interfaces.enp2s1.ip4 = [
+    {
+      address = "167.88.44.94";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "167.88.44.1";
+  networking.nameservers = [
+    "8.8.8.8"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git # required for ./deploy, clone_or_update
+    htop
+    iftop
+    iotop
+    iptables
+    nethogs
+    rxvt_unicode.terminfo
+    tcpdump
+  ];
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+}
--- a/1systems/tv/wu.nix
+++ b/1systems/tv/wu.nix
@ -0,0 +1,388 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  imports = [
+    ../../2configs/tv/w110er.nix
+    ../../2configs/tv/base.nix
+    ../../2configs/tv/consul-client.nix
+    ../../2configs/tv/exim-retiolum.nix
+    ../../2configs/tv/git-public.nix
+    # TODO git-private.nix
+    ../../2configs/tv/xserver.nix
+    ../../2configs/tv/synaptics.nix # TODO w110er if xserver is enabled
+    {
+      imports = [ ../../3modules/tv/identity.nix ];
+      tv.identity = {
+        enable = true;
+        self = config.tv.identity.hosts.wu;
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/iptables.nix ];
+      tv.iptables = {
+        enable = true;
+        input-internet-accept-new-tcp = [
+          "ssh"
+          "http"
+          "tinc"
+          "smtp"
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/nginx.nix ];
+      tv.nginx = {
+        enable = true;
+        retiolum-locations = [
+          (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+            alias /home/$1/public_html$2;
+          '')
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/retiolum.nix ];
+      tv.retiolum = {
+        enable = true;
+        hosts = ../../Zhosts;
+        connectTo = [
+          "gum"
+          "pigstarter"
+        ];
+      };
+    }
+    {
+      imports = [ ../../3modules/tv/urlwatch.nix ];
+      tv.urlwatch = {
+        enable = true;
+        mailto = "tv@wu.retiolum"; # TODO
+        onCalendar = "*-*-* 05:00:00";
+        urls = [
+          ## nixpkgs maintenance
+
+          # 2014-07-29 when one of the following urls change
+          # then we have to update the package
+
+          # ref src/nixpkgs/pkgs/tools/admin/sec/default.nix
+          http://simple-evcorr.sourceforge.net/
+
+          # ref src/nixpkgs/pkgs/tools/networking/urlwatch/default.nix
+          https://thp.io/2008/urlwatch/
+
+          # 2014-12-20 ref src/nixpkgs/pkgs/tools/networking/tlsdate/default.nix
+          https://api.github.com/repos/ioerror/tlsdate/tags
+
+          # 2015-02-18
+          # ref ~/src/nixpkgs/pkgs/tools/text/qprint/default.nix
+          http://www.fourmilab.ch/webtools/qprint/
+
+          # 2014-09-24 ref https://github.com/4z3/xintmap
+          http://www.mathstat.dal.ca/~selinger/quipper/
+
+          # 2014-12-12 remove nixopsUnstable when nixops get's bumped to 1.3
+          # ref https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/package-management/nixops/unstable.nix
+          http://nixos.org/releases/nixops/
+
+          ## other
+
+          https://nixos.org/channels/nixos-unstable/git-revision
+
+          ## 2014-10-17
+          ## TODO update ~/src/login/default.nix
+          #http://hackage.haskell.org/package/bcrypt
+          #http://hackage.haskell.org/package/cron
+          #http://hackage.haskell.org/package/hyphenation
+          #http://hackage.haskell.org/package/iso8601-time
+          #http://hackage.haskell.org/package/ixset-typed
+          #http://hackage.haskell.org/package/system-command
+          #http://hackage.haskell.org/package/transformers
+          #http://hackage.haskell.org/package/web-routes-wai
+          #http://hackage.haskell.org/package/web-page
+        ];
+      };
+    }
+    {
+      users.extraGroups = {
+        tv-sub.gid = 1337;
+      };
+
+      users.extraUsers =
+        mapAttrs (name: user: user // {
+          inherit name;
+          home = "/home/${name}";
+          createHome = true;
+          useDefaultShell = true;
+        }) {
+          ff = {
+            uid = 13378001;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+              "video"
+            ];
+          };
+
+          cr = {
+            uid = 13378002;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          vimb = {
+            uid = 13378003;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          fa = {
+            uid = 2300001;
+            group = "tv-sub";
+          };
+
+          rl = {
+            uid = 2300002;
+            group = "tv-sub";
+          };
+
+          tief = {
+            uid = 2300702;
+            group = "tv-sub";
+          };
+
+          btc-bitcoind = {
+            uid = 2301001;
+            group = "tv-sub";
+          };
+
+          btc-electrum = {
+            uid = 2301002;
+            group = "tv-sub";
+          };
+
+          ltc-litecoind = {
+            uid = 2301101;
+            group = "tv-sub";
+          };
+
+          eth = {
+            uid = 2302001;
+            group = "tv-sub";
+          };
+
+          emse-hsdb = {
+            uid = 4200101;
+            group = "tv-sub";
+          };
+
+          wine = {
+            uid = 13370400;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          # dwarffortress
+          df = {
+            uid = 13370401;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          # XXX visudo: Warning: Runas_Alias `FTL' referenced but not defined
+          FTL = {
+            uid = 13370402;
+            #group = "tv-sub";
+            extraGroups = [
+              "audio"
+              "video"
+              "bumblebee"
+            ];
+          };
+
+          freeciv = {
+            uid = 13370403;
+            group = "tv-sub";
+          };
+
+          xr = {
+            uid = 13370061;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+              "video"
+            ];
+          };
+
+          "23" = {
+            uid = 13370023;
+            group = "tv-sub";
+          };
+
+          electrum = {
+            uid = 13370102;
+            group = "tv-sub";
+          };
+
+          Reaktor = {
+            uid = 4230010;
+            group = "tv-sub";
+          };
+
+          gitolite = {
+            uid = 7700;
+          };
+
+          skype = {
+            uid = 6660001;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+            ];
+          };
+
+          onion = {
+            uid = 6660010;
+            group = "tv-sub";
+          };
+
+          zalora = {
+            uid = 1000301;
+            group = "tv-sub";
+            extraGroups = [
+              "audio"
+              # TODO remove vboxusers when hardening is active
+              "vboxusers"
+              "video"
+            ];
+          };
+        };
+
+      security.sudo.extraConfig =
+        let
+          inherit (import ../../4lib/tv { inherit lib pkgs; })
+            isSuffixOf;
+
+          hasMaster = { group ? "", ... }:
+            isSuffixOf "-sub" group;
+
+          masterOf = user : removeSuffix "-sub" user.group;
+        in
+        concatStringsSep "\n"
+          (map (u: "${masterOf u} ALL=(${u.name}) NOPASSWD: ALL")
+               (filter hasMaster (attrValues config.users.extraUsers)));
+    }
+  ];
+
+  boot.initrd.luks = {
+    cryptoModules = [ "aes" "sha512" "xts" ];
+    devices = [
+      { name = "home"; device = "/dev/vg840/enchome"; preLVM = false; }
+    ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/vg840-wuroot";
+      fsType = "btrfs";
+      options = "defaults,noatime,ssd,compress=lzo";
+    };
+    "/home" = {
+      device = "/dev/mapper/home";
+      options = "defaults,noatime,ssd,compress=lzo";
+    };
+    "/boot" = {
+      device = "/dev/sda1";
+    };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = "nosuid,nodev,noatime";
+    };
+  };
+
+  nixpkgs.config.firefox.enableAdobeFlash = true;
+  nixpkgs.config.chromium.enablePepperFlash = true;
+
+  nixpkgs.config.allowUnfree = true;
+  hardware.bumblebee.enable = true;
+  hardware.bumblebee.group = "video";
+  hardware.enableAllFirmware = true;
+  hardware.opengl.driSupport32Bit = true;
+  hardware.pulseaudio.enable = true;
+
+  networking.hostName = "wu";
+
+  environment.systemPackages = with pkgs; [
+    xlibs.fontschumachermisc
+    slock
+    ethtool
+    #firefoxWrapper # with plugins
+    #chromiumDevWrapper
+    tinc
+    iptables
+    #jack2
+  ];
+
+  security.setuidPrograms = [
+    "sendmail"  # for cron
+    "slock"
+  ];
+
+  services.printing.enable = true;
+
+  services.journald.extraConfig = ''
+    SystemMaxUse=1G
+    RuntimeMaxUse=128M
+  '';
+
+  # see tmpfiles.d(5)
+  systemd.tmpfiles.rules = [
+    "d /tmp 1777 root root - -" # does this work with mounted /tmp?
+  ];
+
+  virtualisation.libvirtd.enable = true;
+
+  networking.extraHosts = ''
+    192.168.1.1 wrt.gg23 wrt
+    192.168.1.11 mors.gg23
+    192.168.1.12 uriel.gg23
+    192.168.1.23 raspi.gg23 raspi
+    192.168.1.37 wu.gg23
+    192.168.1.110 nomic.gg23
+    192.168.1.124 schnabeldrucker.gg23 schnabeldrucker
+  '';
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="00:90:f5:da:aa:c3", NAME="en0"
+    SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:1b:ae:6c", NAME="wl0"
+
+    # for jack
+    KERNEL=="rtc0", GROUP="audio"
+    KERNEL=="hpet", GROUP="audio"
+  '';
+
+  services.bitlbee.enable = true;
+  services.tor.client.enable = true;
+  services.tor.enable = true;
+  services.virtualboxHost.enable = true;
+
+  # TODO w110er if xserver is enabled
+  services.xserver.vaapiDrivers = [ pkgs.vaapiIntel ];
+}
--- a/2configs/tv/AO753.nix
+++ b/2configs/tv/AO753.nix
@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../../2configs/tv/smartd.nix
+  ];
+
+  boot.loader.grub = {
+    device = "/dev/sda";
+    splashImage = null;
+  };
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+  ];
+
+  boot.kernelModules = [
+    "kvm-intel"
+    "wl"
+  ];
+
+  boot.extraModulePackages = [
+    config.boot.kernelPackages.broadcom_sta
+  ];
+
+  networking.wireless.enable = true;
+
+  services.logind.extraConfig = ''
+    HandleHibernateKey=ignore
+    HandleLidSwitch=ignore
+    HandlePowerKey=ignore
+    HandleSuspendKey=ignore
+  '';
+
+  nixpkgs.config = {
+    allowUnfree = false;
+    allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name);
+  };
+}
--- a/2configs/tv/CAC-CentOS-7-64bit.nix
+++ b/2configs/tv/CAC-CentOS-7-64bit.nix
@ -0,0 +1,47 @@
+_:
+
+{
+  boot.loader.grub = {
+    device = "/dev/sda";
+    splashImage = null;
+  };
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "vmw_pvscsi"
+  ];
+
+  fileSystems."/" = {
+    device = "/dev/centos/root";
+    fsType = "xfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/sda1";
+    fsType = "xfs";
+  };
+
+  swapDevices = [
+    { device = "/dev/centos/swap"; }
+  ];
+
+  users.extraGroups = {
+    # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+    #    Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+    #    Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+    #      Docs: man:tmpfiles.d(5)
+    #            man:systemd-tmpfiles(8)
+    #   Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+    #  Main PID: 19272 (code=exited, status=1/FAILURE)
+    # 
+    # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+    # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+    # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+    # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+    # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+    # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+    # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+    # warning: error(s) occured while switching to the new configuration
+    lock.gid = 10001;
+  };
+}
--- a/2configs/tv/CAC-Developer-1.nix
+++ b/2configs/tv/CAC-Developer-1.nix
@ -0,0 +1,6 @@
+_:
+
+{
+  nix.maxJobs = 1;
+  sound.enable = false;
+}
--- a/2configs/tv/CAC-Developer-2.nix
+++ b/2configs/tv/CAC-Developer-2.nix
@ -0,0 +1,6 @@
+_:
+
+{
+  nix.maxJobs = 2;
+  sound.enable = false;
+}
--- a/2configs/tv/base.nix
+++ b/2configs/tv/base.nix
@ -0,0 +1,175 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  # "7.4.335" -> "74"
+  majmin = x: concatStrings (take 2 (splitString "." x));
+in
+
+{
+  imports = [
+    {
+      users.extraUsers =
+        mapAttrs (_: h: { hashedPassword = h; })
+                 (import /root/src/secrets/hashedPasswords.nix);
+    }
+    {
+      users.defaultUserShell = "/run/current-system/sw/bin/bash";
+      users.mutableUsers = false;
+    }
+    {
+      users.extraUsers = {
+        root = {
+          openssh.authorizedKeys.keys = map readFile [
+            ../../Zpubkeys/tv_wu.ssh.pub
+          ];
+        };
+        tv = {
+          uid = 1337;
+          group = "users";
+          home = "/home/tv";
+          createHome = true;
+          useDefaultShell = true;
+          extraGroups = [
+            "audio"
+            "video"
+            "wheel"
+          ];
+          openssh.authorizedKeys.keys = map readFile [
+            ../../Zpubkeys/tv_wu.ssh.pub
+          ];
+        };
+      };
+    }
+    {
+      security.sudo.extraConfig = ''
+        Defaults mailto="tv@wu.retiolum"
+      '';
+      time.timeZone = "Europe/Berlin";
+    }
+    {
+      # TODO check if both are required:
+      nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+
+      nix.trustedBinaryCaches = [
+        "https://cache.nixos.org"
+        "http://cache.nixos.org"
+        "http://hydra.nixos.org"
+      ];
+
+      nix.useChroot = true;
+    }
+
+    {
+      environment.systemPackages = with pkgs; [
+        vim
+      ];
+
+      environment.etc."vim/vimrc".text = ''
+        set nocp
+      '';
+
+      environment.etc."vim/vim${majmin pkgs.vim.version}".source =
+          "${pkgs.vim}/share/vim/vim${majmin pkgs.vim.version}";
+
+      # multiple-definition-problem when defining environment.variables.EDITOR
+      environment.extraInit = ''
+        EDITOR=vim
+      '';
+
+      environment.shellAliases = {
+        # alias cal='cal -m3'
+        gp = "${pkgs.pari}/bin/gp -q";
+        df = "df -h";
+        du = "du -h";
+        # alias grep='grep --color=auto'
+
+        # TODO alias cannot contain #\'
+        # "ps?" = "ps ax | head -n 1;ps ax | fgrep -v ' grep --color=auto ' | grep";
+
+        # alias la='ls -lA'
+        lAtr = "ls -lAtr";
+        # alias ll='ls -l'
+        ls = "ls -h --color=auto --group-directories-first";
+        # alias vim='vim -p'
+        # alias vi='vim'
+        # alias view='vim -R'
+        dmesg = "dmesg -L --reltime";
+      };
+
+      environment.variables.VIM = "/etc/vim";
+
+      programs.bash = {
+        interactiveShellInit = ''
+          HISTCONTROL='erasedups:ignorespace'
+          HISTSIZE=65536
+          HISTFILESIZE=$HISTSIZE
+
+          shopt -s checkhash
+          shopt -s histappend histreedit histverify
+          shopt -s no_empty_cmd_completion
+          complete -d cd
+
+          # TODO source bridge
+        '';
+        promptInit = ''
+          case $UID in
+            0)
+              PS1='\[\e[1;31m\]\w\[\e[0m\] '
+              ;;
+            1337)
+              PS1='\[\e[1;32m\]\w\[\e[0m\] '
+              ;;
+            *)
+              PS1='\[\e[1;35m\]\u \[\e[1;32m\]\w\[\e[0m\] '
+              ;;
+          esac
+          if test -n "$SSH_CLIENT"; then
+            PS1='\[\e[35m\]\h'" $PS1"
+          fi
+          if test -n "$SSH_AGENT_PID"; then
+            PS1="ssh-agent[$SSH_AGENT_PID] $PS1"
+          fi
+        '';
+      };
+
+      programs.ssh.startAgent = false;
+    }
+
+    {
+      nixpkgs.config.packageOverrides = pkgs:
+        {
+          nano = pkgs.runCommand "empty" {} "mkdir -p $out";
+        };
+
+      services.cron.enable = false;
+      services.nscd.enable = false;
+      services.ntp.enable = false;
+    }
+
+    {
+      boot.kernel.sysctl = {
+        # Enable IPv6 Privacy Extensions
+        "net.ipv6.conf.all.use_tempaddr" = 2;
+        "net.ipv6.conf.default.use_tempaddr" = 2;
+      };
+    }
+
+    {
+      services.openssh = {
+        enable = true;
+        hostKeys = [
+          { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+        ];
+      };
+    }
+
+    {
+      # TODO: exim
+      security.setuidPrograms = [
+        "sendmail"  # for sudo
+      ];
+    }
+  ];
+}
--- a/2configs/tv/consul-client.nix
+++ b/2configs/tv/consul-client.nix
@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+  imports = [ ./consul-server.nix ];
+
+  tv.consul = {
+    server = pkgs.lib.mkForce false;
+  };
+}
--- a/2configs/tv/consul-server.nix
+++ b/2configs/tv/consul-server.nix
@ -0,0 +1,22 @@
+{ config, ... }:
+
+{
+  imports = [ ../../3modules/tv/consul.nix ];
+  tv.consul = rec {
+    enable = true;
+
+    inherit (config.tv.identity) self;
+    inherit (self) dc;
+
+    server = true;
+
+    hosts = with config.tv.identity.hosts; [
+      # TODO get this list automatically from each host where tv.consul.enable is true
+      cd
+      mkdir
+      nomic
+      rmdir
+      #wu
+    ];
+  };
+}
--- a/2configs/tv/cryptoroot.nix
+++ b/2configs/tv/cryptoroot.nix
@ -0,0 +1,4 @@
+{ ... }:
+
+{
+}
--- a/2configs/tv/exim-retiolum.nix
+++ b/2configs/tv/exim-retiolum.nix
@ -0,0 +1,126 @@
+{ config, pkgs, ... }:
+
+{
+  services.exim =
+    # This configuration makes only sense for retiolum-enabled hosts.
+    # TODO modular configuration
+    assert config.tv.retiolum.enable;
+    let
+      # TODO get the hostname from config.tv.retiolum.
+      retiolumHostname = "${config.networking.hostName}.retiolum";
+    in
+      { enable = true;
+        config = ''
+          primary_hostname = ${retiolumHostname}
+          domainlist local_domains    = @ : localhost
+          domainlist relay_to_domains = *.retiolum
+          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
+
+          acl_smtp_rcpt = acl_check_rcpt
+          acl_smtp_data = acl_check_data
+
+          host_lookup = *
+          rfc1413_hosts = *
+          rfc1413_query_timeout = 5s
+
+          log_file_path = syslog
+          syslog_timestamp = false
+          syslog_duplication = false
+
+          begin acl
+
+          acl_check_rcpt:
+            accept  hosts = :
+                    control = dkim_disable_verify
+
+            deny    message       = Restricted characters in address
+                    domains       = +local_domains
+                    local_parts   = ^[.] : ^.*[@%!/|]
+
+            deny    message       = Restricted characters in address
+                    domains       = !+local_domains
+                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+            accept  local_parts   = postmaster
+                    domains       = +local_domains
+
+            #accept
+            #  hosts = *.retiolum
+            #  domains = *.retiolum
+            #  control = dkim_disable_verify
+
+            #require verify        = sender
+
+            accept  hosts         = +relay_from_hosts
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            accept  authenticated = *
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            require message = relay not permitted
+                    domains = +local_domains : +relay_to_domains
+
+            require verify = recipient
+
+            accept
+
+
+          acl_check_data:
+            accept
+
+
+          begin routers
+
+          retiolum:
+            driver = manualroute
+            domains = ! ${retiolumHostname} : *.retiolum
+            transport = remote_smtp
+            route_list = ^.* $0 byname
+            no_more
+
+          nonlocal:
+            debug_print = "R: nonlocal for $local_part@$domain"
+            driver = redirect
+            domains = ! +local_domains
+            allow_fail
+            data = :fail: Mailing to remote domains not supported
+            no_more
+
+          local_user:
+            # debug_print = "R: local_user for $local_part@$domain"
+            driver = accept
+            check_local_user
+          # local_part_suffix = +* : -*
+          # local_part_suffix_optional
+            transport = home_maildir
+            cannot_route_message = Unknown user
+
+
+          begin transports
+
+          remote_smtp:
+            driver = smtp
+
+          home_maildir:
+            driver = appendfile
+            maildir_format
+            directory = $home/Maildir
+            directory_mode = 0700
+            delivery_date_add
+            envelope_to_add
+            return_path_add
+          # group = mail
+          # mode = 0660
+
+          begin retry
+          *.retiolum             *           F,42d,1m
+          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+          begin rewrite
+
+          begin authenticators
+        '';
+      };
+}
--- a/2configs/tv/exim-smarthost.nix
+++ b/2configs/tv/exim-smarthost.nix
@ -0,0 +1,474 @@
+{ config, pkgs, ... }:
+
+let
+  inherit (builtins) toFile;
+  inherit (pkgs.lib.attrsets) mapAttrs;
+  inherit (pkgs.lib.strings) concatMapStringsSep;
+in
+
+{
+  services.exim =
+    let
+      retiolumHostname = "${config.networking.hostName}.retiolum";
+
+      internet-aliases = [
+        { from = "tomislav@viljetic.de"; to = "tv@wu.retiolum"; }
+
+        # (mindestens) lisp-stammtisch und elli haben die:
+        { from = "tv@viljetic.de"; to = "tv@wu.retiolum"; }
+
+        { from = "tv@destroy.dyn.shackspace.de"; to = "tv@wu.retiolum"; }
+
+        { from = "mirko@viljetic.de"; to = "mv@cd.retiolum"; }
+
+        # TODO killme (wo wird die benutzt?)
+        { from = "tv@cd.retiolum"; to = "tv@wu.retiolum"; }
+
+        { from = "postmaster@krebsco.de"; to = "tv@wu.retiolum"; }
+      ];
+
+      system-aliases = [
+        { from = "mailer-daemon"; to = "postmaster"; }
+        { from = "postmaster"; to = "root"; }
+        { from = "nobody"; to = "root"; }
+        { from = "hostmaster"; to = "root"; }
+        { from = "usenet"; to = "root"; }
+        { from = "news"; to = "root"; }
+        { from = "webmaster"; to = "root"; }
+        { from = "www"; to = "root"; }
+        { from = "ftp"; to = "root"; }
+        { from = "abuse"; to = "root"; }
+        { from = "noc"; to = "root"; }
+        { from = "security"; to = "root"; }
+        { from = "root"; to = "tv"; }
+        { from = "mirko"; to = "mv"; }
+      ];
+
+      to-lsearch = concatMapStringsSep "\n" ({ from, to }: "${from}: ${to}");
+      lsearch =
+        mapAttrs (name: set: toFile name (to-lsearch set)) {
+          inherit internet-aliases;
+          inherit system-aliases;
+        };
+    in
+    {
+      enable = true;
+      config =
+        ''
+          primary_hostname = ${retiolumHostname}
+
+          # HOST_REDIR contains the real destinations for "local_domains".
+          #HOST_REDIR = /etc/exim4/host_redirect
+
+
+          # Domains not listed in local_domains need to be deliverable remotely.
+          # XXX We abuse local_domains to mean "domains, we're the gateway for".
+          domainlist local_domains    = @ : localhost
+          #: viljetic.de : SHACK_REDIR_HOSTNAME
+          domainlist relay_to_domains =
+          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1 ; 10.243.13.37
+
+          acl_smtp_rcpt = acl_check_rcpt
+          acl_smtp_data = acl_check_data
+
+          # av_scanner = clamd:/tmp/clamd
+          # spamd_address = 127.0.0.1 783
+
+          # tls_advertise_hosts = *
+          # tls_certificate = /etc/ssl/exim.crt
+          # tls_privatekey = /etc/ssl/exim.pem
+          # (debian) tls_verify_certificates (to check client certs)
+
+          # daemon_smtp_ports = 25 : 465 : 587
+          # tls_on_connect_ports = 465
+
+          # qualify_domain defaults to primary_hostname
+          # qualify_recipient defaults to qualify_domain
+
+          # allow_domain_literals
+
+          never_users = root
+
+          host_lookup = *
+
+          # ident callbacks for all incoming SMTP calls
+          rfc1413_hosts = *
+          rfc1413_query_timeout = 5s
+
+          # sender_unqualified_hosts =
+          # recipient_unqualified_hosts =
+
+          # percent_hack_domains =
+
+          # arch & debian
+          #ignore_bounce_errors_after = 2d
+          #timeout_frozen_after = 7d
+          # debian
+          #smtp_banner = $smtp_active_hostname ESMTP Exim $version_number $tod_full
+          #freeze_tell = postmaster
+          #trusted_users = uucp
+          # arch
+          #split_spool_directory = true
+
+          log_selector = -queue_run +address_rewrite +all_parents +queue_time
+          log_file_path = syslog
+          syslog_timestamp = false
+          syslog_duplication = false
+
+          begin acl
+
+          acl_check_rcpt:
+            # Accept if the source is local SMTP (i.e. not over TCP/IP).
+            # We do this by testing for an empty sending host field.
+            accept  hosts = :
+                    # arch & debian:
+                    control = dkim_disable_verify
+
+            deny    message       = Restricted characters in address
+                    domains       = +local_domains
+                    local_parts   = ^[.] : ^.*[@%!/|]
+
+            deny    message       = Restricted characters in address
+                    domains       = !+local_domains
+                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+
+            accept  local_parts   = postmaster
+                    domains       = +local_domains
+
+            ## feature RETIOLUM_MAIL
+            #accept
+            #  hosts = *.retiolum
+            #  domains = *.retiolum
+            #  control = dkim_disable_verify
+
+            #require verify        = sender
+
+            accept  hosts         = +relay_from_hosts
+                    control       = submission
+                    # debian: control = submission/sender_retain
+                    # arch & debian:
+                    control       = dkim_disable_verify
+
+            accept  authenticated = *
+                    control       = submission
+                    control       = dkim_disable_verify
+
+            accept message = relay not permitted 2
+                    recipients = lsearch;${lsearch.internet-aliases}
+
+            require message = relay not permitted
+                    domains = +local_domains : +relay_to_domains
+
+            require
+              message = unknown user
+              verify = recipient/callout
+
+            # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+            #         dnslists      = black.list.example
+            #
+            # warn    dnslists      = black.list.example
+            #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+            #         log_message   = found in $dnslist_domain
+
+            # Client SMTP Authorization (csa) checks on the sending host.
+            # Such checks do DNS lookups for special SRV records.
+            # require verify = csa
+
+            accept
+
+
+          acl_check_data:
+            # see av_scanner
+            #deny    malware    = *
+            #        message    = This message contains a virus ($malware_name).
+
+            # Add headers to a message if it is judged to be spam. Before enabling this,
+            # you must install SpamAssassin. You may also need to set the spamd_address
+            # option above.
+            #
+            # warn    spam       = nobody
+            #         add_header = X-Spam_score: $spam_score\n\
+            #                      X-Spam_score_int: $spam_score_int\n\
+            #                      X-Spam_bar: $spam_bar\n\
+            #                      X-Spam_report: $spam_report
+
+            # feature HELO_REWRITE
+            # XXX note that the public ip (162.219.5.183) resolves to viljetic.de
+            warn
+              sender_domains = viljetic.de : shackspace.de
+              set acl_m_special_dom = $sender_address_domain
+
+            accept
+
+
+          begin routers
+
+          # feature RETIOLUM_MAIL
+          retiolum:
+            debug_print = "R: retiolum for $local_part@$domain"
+            driver = manualroute
+            domains = ! ${retiolumHostname} : *.retiolum
+            transport = retiolum_smtp
+            route_list = ^.* $0 byname
+            no_more
+
+          internet_aliases:
+            debug_print = "R: internet_aliases for $local_part@$domain"
+            driver = redirect
+            data = ''${lookup{$local_part@$domain}lsearch{${lsearch.internet-aliases}}}
+
+          dnslookup:
+            debug_print = "R: dnslookup for $local_part@$domain"
+            driver = dnslookup
+            domains = ! +local_domains
+            transport = remote_smtp
+            ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
+            # if ipv6-enabled then instead use:
+            # ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
+
+            # (debian) same_domain_copy_routing = yes
+            # (debian) ignore private rfc1918 and APIPA addresses
+            # (debian) ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
+            #                   172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
+            #                   255.255.255.255
+
+            # Fail and bounce if the router does not find the domain in the DNS.
+            # I.e. no more routers are tried.
+            # There are a few cases where a dnslookup router will decline to accept an
+            # address; if such a router is expected to handle "all remaining non-local
+            # domains", then it is important to set no_more.
+            no_more
+
+          # XXX this is only used because these "well known aliases" goto tv@cd.retiolum
+          # TODO bounce everything, there is no @cd.retiolum
+          system_aliases:
+            debug_print = "R: system_aliases for $local_part@$domain"
+            driver = redirect
+            data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}}
+
+          # TODO this is only b/c mv here... send mv's mails somewhere else...
+          local_user:
+            debug_print = "R: local_user for $local_part@$domain"
+            driver = accept
+            check_local_user
+          # local_part_suffix = +* : -*
+          # local_part_suffix_optional
+            transport = home_maildir
+            cannot_route_message = Unknown user
+
+          begin transports
+
+          retiolum_smtp:
+            driver = smtp
+            retry_include_ip_address = false
+            # serialize_hosts = TODO-all-slow-hosts
+
+          remote_smtp:
+            driver = smtp
+            # debian has also stuff for tls, headers_rewrite and more here
+
+            # feature HELO_REWRITE
+            # XXX note that the public ip (162.219.5.183) resolves to viljetic.de
+            helo_data = ''${if eq{$acl_m_special_dom}{}  \
+                                 {$primary_hostname}   \
+                                 {$acl_m_special_dom} }
+
+          home_maildir:
+            driver = appendfile
+            maildir_format
+            maildir_use_size_file
+            directory = $home/Mail
+            directory_mode = 0700
+            delivery_date_add
+            envelope_to_add
+            return_path_add
+
+          begin retry
+          *.retiolum             *           F,42d,1m
+          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+
+          begin rewrite
+          begin authenticators
+        '';
+
+
+          # group = mail
+          # mode = 0660
+
+
+          #address_pipe:
+          #  driver = pipe
+          #  return_output
+          #
+          #address_file:
+          #  driver = appendfile
+          #  delivery_date_add
+          #  envelope_to_add
+          #  return_path_add
+          #
+          #address_reply:
+          #  driver = autoreply
+
+
+          #maildrop_pipe:
+          #  debug_print = "T: maildrop_pipe for $local_part@$domain"
+          #  driver = pipe
+          #  path = "/bin:/usr/bin:/usr/local/bin"
+          #  command = "/usr/bin/maildrop"
+          #  return_path_add
+          #  delivery_date_add
+          #  envelope_to_add
+
+
+
+
+
+          ##begin retry
+          # Address or Domain    Error       Retries
+
+          # Our host_redirect destinations might be offline a lot.
+          # TODO define fallback destinations(?)
+          #lsearch;${lsearch.internet-aliases} * F,42d,1m
+
+
+          ## begin rewrite
+
+          # just in case (shackspace.de should already do this)
+          #tv@shackspace.de  tv@SHACK_REDIR_HOSTNAME  T
+
+
+          ## begin authenticators
+          #PLAIN:
+          #  driver                  = plaintext
+          #  server_set_id           = $auth2
+          #  server_prompts          = :
+          #  server_condition        = Authentication is not yet configured
+          #  server_advertise_condition = ''${if def:tls_in_cipher }
+
+          #LOGIN:
+          #  driver                  = plaintext
+          #  server_set_id           = $auth1
+          #  server_prompts          = <| Username: | Password:
+          #  server_condition        = Authentication is not yet configured
+          #  server_advertise_condition = ''${if def:tls_in_cipher }
+
+
+
+      };
+
+}
+
+#        config = ''
+#          primary_hostname = ${retiolumHostname}
+#          domainlist local_domains    = @ : localhost
+#          domainlist relay_to_domains = *.retiolum
+#          hostlist   relay_from_hosts = <; 127.0.0.1 ; ::1
+#
+#          acl_smtp_rcpt = acl_check_rcpt
+#          acl_smtp_data = acl_check_data
+#
+#          host_lookup = *
+#          rfc1413_hosts = *
+#          rfc1413_query_timeout = 5s
+#
+#          log_file_path = syslog
+#          syslog_timestamp = false
+#          syslog_duplication = false
+#
+#          begin acl
+#
+#          acl_check_rcpt:
+#            accept  hosts = :
+#                    control = dkim_disable_verify
+#
+#            deny    message       = Restricted characters in address
+#                    domains       = +local_domains
+#                    local_parts   = ^[.] : ^.*[@%!/|]
+#
+#            deny    message       = Restricted characters in address
+#                    domains       = !+local_domains
+#                    local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+#
+#            accept  local_parts   = postmaster
+#                    domains       = +local_domains
+#
+#            #accept
+#            #  hosts = *.retiolum
+#            #  domains = *.retiolum
+#            #  control = dkim_disable_verify
+#
+#            #require verify        = sender
+#
+#            accept  hosts         = +relay_from_hosts
+#                    control       = submission
+#                    control       = dkim_disable_verify
+#
+#            accept  authenticated = *
+#                    control       = submission
+#                    control       = dkim_disable_verify
+#
+#            require message = relay not permitted
+#                    domains = +local_domains : +relay_to_domains
+#
+#            require verify = recipient
+#
+#            accept
+#
+#
+#          acl_check_data:
+#            accept
+#
+#
+#          begin routers
+#
+#          retiolum:
+#            driver = manualroute
+#            domains = ! ${retiolumHostname} : *.retiolum
+#            transport = remote_smtp
+#            route_list = ^.* $0 byname
+#            no_more
+#
+#          nonlocal:
+#            debug_print = "R: nonlocal for $local_part@$domain"
+#            driver = redirect
+#            domains = ! +local_domains
+#            allow_fail
+#            data = :fail: Mailing to remote domains not supported
+#            no_more
+#
+#          local_user:
+#            # debug_print = "R: local_user for $local_part@$domain"
+#            driver = accept
+#            check_local_user
+#          # local_part_suffix = +* : -*
+#          # local_part_suffix_optional
+#            transport = home_maildir
+#            cannot_route_message = Unknown user
+#
+#
+#          begin transports
+#
+#          remote_smtp:
+#            driver = smtp
+#
+#          home_maildir:
+#            driver = appendfile
+#            maildir_format
+#            directory = $home/Maildir
+#            directory_mode = 0700
+#            delivery_date_add
+#            envelope_to_add
+#            return_path_add
+#          # group = mail
+#          # mode = 0660
+#
+#          begin retry
+#          *.retiolum             *           F,42d,1m
+#          *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
+#
+#          begin rewrite
+#
+#          begin authenticators
+#        '';
+#      };
+#}
--- a/2configs/tv/git-public.nix
+++ b/2configs/tv/git-public.nix
@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  inherit (builtins) map readFile;
+  inherit (lib) concatMap listToAttrs;
+  # TODO lib should already include our stuff
+  inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git;
+
+  public-git-repos = [
+    (public "cgserver")
+    (public "crude-mail-setup")
+    (public "dot-xmonad")
+    (public "hack")
+    (public "load-env")
+    (public "make-snapshot")
+    (public "mime")
+    (public "much")
+    (public "nixos-infest")
+    (public "nixpkgs")
+    (public "painload")
+    (public "regfish")
+    (public' {
+      name = "shitment";
+      desc = "turn all the computers into one computer!";
+    })
+    (public "wai-middleware-time")
+    (public "web-routes-wai-custom")
+  ];
+
+  users = addNames {
+    tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; };
+    lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; };
+    uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; };
+    makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; };
+  };
+
+  repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) public-git-repos);
+
+  rules = concatMap ({ rules, ... }: rules) public-git-repos;
+
+  public' = { name, desc }:
+    let
+      x = public name;
+    in
+    x // { repo = x.repo // { inherit desc; }; };
+
+  public = repo-name:
+    rec {
+      repo = {
+        name = repo-name;
+        hooks = {
+          post-receive = git.irc-announce {
+            nick = config.networking.hostName; # TODO make this the default
+            channel = "#retiolum";
+            server = "ire.retiolum";
+          };
+        };
+        public = true;
+      };
+      rules = with git; with users; [
+        { user = tv;
+          repo = [ repo ];
+          perm = push "refs/*" [ non-fast-forward create delete merge ];
+        }
+        { user = [ lass makefu uriel ];
+          repo = [ repo ];
+          perm = fetch;
+        }
+      ];
+    };
+
+in
+
+{
+  imports = [
+    ../../3modules/tv/git.nix
+  ];
+  tv.git = {
+    enable = true;
+    inherit repos rules users;
+  };
+}
--- a/2configs/tv/smartd.nix
+++ b/2configs/tv/smartd.nix
@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+
+{
+  services.smartd = {
+    enable = true;
+    devices = [
+      {
+        device = "DEVICESCAN";
+        options = toString [
+          "-a"
+          "-m tv@wu.retiolum"
+          "-s (O/../.././09|S/../.././04|L/../../6/05)"
+        ];
+      }
+    ];
+  };
+}
--- a/2configs/tv/synaptics.nix
+++ b/2configs/tv/synaptics.nix
@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+
+{
+  # TODO this is host specific
+  services.xserver.synaptics = {
+    enable = true;
+    twoFingerScroll = true;
+    accelFactor = "0.035";
+    additionalOptions = ''
+      Option "FingerHigh" "60"
+      Option "FingerLow"  "60"
+    '';
+  };
+}
--- a/2configs/tv/urxvt.nix
+++ b/2configs/tv/urxvt.nix
@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+with builtins;
+
+let
+  users = [ "tv" ];
+  urxvt = pkgs.rxvt_unicode;
+  mkService = user: {
+    description = "urxvt terminal daemon";
+    wantedBy = [ "multi-user.target" ];
+    restartIfChanged = false;
+    serviceConfig = {
+      Restart = "always";
+      User = user;
+      ExecStart = "${urxvt}/bin/urxvtd";
+    };
+  };
+
+in
+
+{
+  environment.systemPackages = [ urxvt ];
+  systemd.services = listToAttrs (map (u: { name = "${u}-urxvtd"; value = mkService u; }) users);
+}
--- a/2configs/tv/w110er.nix
+++ b/2configs/tv/w110er.nix
@ -0,0 +1,42 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ../../2configs/tv/smartd.nix
+  ];
+
+  boot.extraModprobeConfig = ''
+    options kvm_intel nested=1
+  '';
+
+  boot.initrd.availableKernelModules = [ "ahci" ];
+  boot.kernelModules = [ "kvm-intel" ];
+
+  boot.loader.gummiboot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.wireless.enable = true;
+
+  nix = {
+    buildCores = 4;
+    maxJobs = 4;
+    daemonIONiceLevel = 1;
+    daemonNiceLevel = 1;
+  };
+
+  services.logind.extraConfig = ''
+    HandleHibernateKey=ignore
+    HandleLidSwitch=ignore
+    HandlePowerKey=ignore
+    HandleSuspendKey=ignore
+  '';
+
+  system.activationScripts.powertopTunables = ''
+    echo 1 > /sys/module/snd_hda_intel/parameters/power_save
+    echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
+    (cd /sys/bus/pci/devices
+      for i in *; do
+        echo auto > $i/power/control # defaults to 'on'
+      done)
+  '';
+}
--- a/2configs/tv/xserver.nix
+++ b/2configs/tv/xserver.nix
@ -0,0 +1,41 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../../2configs/tv/urxvt.nix # TODO via xserver
+  ];
+
+  services.xserver.enable = true;
+
+
+  #fonts.enableFontConfig = true;
+  #fonts.enableFontDir = true;
+  fonts.fonts = [
+    pkgs.xlibs.fontschumachermisc
+  ];
+  #services.xfs.enable = true;
+  #services.xserver.useXFS = "unix/:7100";
+
+  services.xserver.displayManager.desktopManagerHandlesLidAndPower = true;
+
+  #services.xserver.display = 11;
+  #services.xserver.tty = 11;
+  # services.xserver.layout = "us";
+  # services.xserver.xkbOptions = "eurosign:e";
+
+  #services.xserver.multitouch.enable = true;
+
+  services.xserver.windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
+    X11-xshape
+  ];
+  services.xserver.windowManager.xmonad.enable = true;
+  services.xserver.windowManager.xmonad.enableContribAndExtras = true;
+  services.xserver.windowManager.default = "xmonad";
+  services.xserver.desktopManager.default = "none";
+  services.xserver.desktopManager.xterm.enable = false;
+
+  services.xserver.displayManager.slim.enable = true;
+  #services.xserver.displayManager.auto.enable = true;
+  #services.xserver.displayManager.auto.user = "tv";
+  #services.xserver.displayManager.job.logsXsession = true;
+}
--- a/3modules/tv/consul.nix
+++ b/3modules/tv/consul.nix
@ -0,0 +1,122 @@
+{ config, lib, pkgs, ... }:
+
+# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect
+# but -bootstrap
+# TODO consul-bootstrap HOST  that actually does is
+# TODO tools to inspect state of a cluster in outage state
+
+with builtins;
+with lib;
+let
+  cfg = config.tv.consul;
+
+  out = {
+    imports = [ ../../3modules/tv/iptables.nix ];
+    options.tv.consul = api;
+    config = mkIf cfg.enable (mkMerge [
+      imp
+      { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; }
+      # TODO udp for 8301
+    ]);
+  };
+
+  api = {
+    # TODO inherit (lib) api.options.enable; oder so
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "enable tv.consul";
+    };
+    dc = mkOption {
+      type = types.unspecified;
+    };
+    hosts = mkOption {
+      type = with types; listOf unspecified;
+    };
+    encrypt-file = mkOption {
+      type = types.str; # TODO path (but not just into store)
+      default = "/root/src/secrets/consul-encrypt.json";
+    };
+    data-dir = mkOption {
+      type = types.str; # TODO path (but not just into store)
+      default = "/var/lib/consul";
+    };
+    self = mkOption {
+      type = types.unspecified;
+    };
+    server = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    GOMAXPROCS = mkOption {
+      type = types.int;
+      default = cfg.self.cores;
+    };
+  };
+
+  consul-config = {
+    datacenter = cfg.dc;
+    data_dir = cfg.data-dir;
+    log_level = "INFO";
+    #node_name =
+    server = cfg.server;
+    bind_addr = cfg.self.addr; # TODO cfg.addr
+    enable_syslog = true;
+    retry_join = map (getAttr "addr") (filter (host: host.fqdn != cfg.self.fqdn) cfg.hosts);
+    leave_on_terminate = true;
+  } // optionalAttrs cfg.server {
+    bootstrap_expect = length cfg.hosts;
+    leave_on_terminate = false;
+  };
+
+  imp = {
+    environment.systemPackages = with pkgs; [
+      consul
+    ];
+
+    systemd.services.consul = {
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [
+        consul
+      ];
+      environment = {
+        GOMAXPROCS = toString cfg.GOMAXPROCS;
+      };
+      serviceConfig = {
+        PermissionsStartOnly = "true";
+        SyslogIdentifier = "consul";
+        User = user.name;
+        PrivateTmp = "true";
+        Restart = "always";
+        ExecStartPre = pkgs.writeScript "consul-init" ''
+          #! /bin/sh
+          mkdir -p ${cfg.data-dir}
+          chown consul: ${cfg.data-dir}
+          install -o ${user.name} -m 0400 ${cfg.encrypt-file} /tmp/encrypt.json
+        '';
+        ExecStart = pkgs.writeScript "consul-service" ''
+          #! /bin/sh
+          set -euf
+          exec >/dev/null
+          exec consul agent \
+            -config-file=${toFile "consul.json" (toJSON consul-config)} \
+            -config-file=/tmp/encrypt.json
+        '';
+        #-node=${cfg.self.fqdn} \
+        #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";
+      };
+    };
+
+    users.extraUsers = singleton {
+      inherit (user) name uid;
+    };
+  };
+
+  user = {
+    name = "consul";
+    uid = 2983239726; # genid consul
+  };
+
+in
+out
--- a/3modules/tv/ejabberd.nix
+++ b/3modules/tv/ejabberd.nix
@ -0,0 +1,171 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+let
+  cfg = config.tv.ejabberd;
+
+  out = {
+    options.tv.ejabberd = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+
+    certFile = mkOption {
+      type = types.str;
+      default = "/root/src/secrets/ejabberd.pem";
+    };
+
+    hosts = mkOption {
+      type = with types; listOf str;
+    };
+  };
+
+  imp = {
+    environment.systemPackages = [ my-ejabberdctl ];
+
+    systemd.services.ejabberd = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = "yes";
+        PermissionsStartOnly = "true";
+        SyslogIdentifier = "ejabberd";
+        User = user.name;
+        PrivateTmp = "true";
+        ExecStartPre = pkgs.writeScript "ejabberd-start" ''
+          #! /bin/sh
+          install -o ${user.name} -m 0400 ${cfg.certFile} /tmp/certfile.pem
+        '';
+        ExecStart = pkgs.writeScript "ejabberd-service" ''
+          #! /bin/sh
+          ${my-ejabberdctl}/bin/ejabberdctl start
+        '';
+      };
+    };
+
+    users.extraUsers = singleton {
+      inherit (user) name uid;
+      home = "/var/ejabberd";
+      createHome = true;
+    };
+  };
+
+  user = {
+    name = "ejabberd";
+    uid = 405222; 
+    # TODO uid = 3483034447; # genid ejabberd
+  };
+
+  my-ejabberdctl = pkgs.writeScriptBin "ejabberdctl" ''
+    #! /bin/sh
+    set -euf
+    exec env \
+        SPOOLDIR=/var/ejabberd \
+        EJABBERD_CONFIG_PATH=${config-file} \
+      ${pkgs.ejabberd}/bin/ejabberdctl \
+        --logs /var/ejabberd \
+        "$@"
+  '';
+
+  config-file = pkgs.writeText "ejabberd.cfg" ''
+    {loglevel, 3}.
+    {hosts, ${toErlang cfg.hosts}}.
+    {listen,
+     [
+      {5222, ejabberd_c2s, [
+          starttls,
+          {certfile, "/tmp/certfile.pem"},
+          {access, c2s},
+          {shaper, c2s_shaper},
+          {max_stanza_size, 65536}
+               ]},
+      {5269, ejabberd_s2s_in, [
+             {shaper, s2s_shaper},
+             {max_stanza_size, 131072}
+            ]},
+      {5280, ejabberd_http, [
+           captcha,
+           http_bind,
+           http_poll,
+           web_admin
+          ]}
+     ]}.
+    {s2s_use_starttls, required}.
+    {s2s_certfile, "/tmp/certfile.pem"}.
+    {auth_method, internal}.
+    {shaper, normal, {maxrate, 1000}}.
+    {shaper, fast, {maxrate, 50000}}.
+    {max_fsm_queue, 1000}.
+    {acl, local, {user_regexp, ""}}.
+    {access, max_user_sessions, [{10, all}]}.
+    {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
+    {access, local, [{allow, local}]}.
+    {access, c2s, [{deny, blocked},
+             {allow, all}]}.
+    {access, c2s_shaper, [{none, admin},
+              {normal, all}]}.
+    {access, s2s_shaper, [{fast, all}]}.
+    {access, announce, [{allow, admin}]}.
+    {access, configure, [{allow, admin}]}.
+    {access, muc_admin, [{allow, admin}]}.
+    {access, muc_create, [{allow, local}]}.
+    {access, muc, [{allow, all}]}.
+    {access, pubsub_createnode, [{allow, local}]}.
+    {access, register, [{allow, all}]}.
+    {language, "en"}.
+    {modules,
+     [
+      {mod_adhoc,    []},
+      {mod_announce, [{access, announce}]},
+      {mod_blocking,[]},
+      {mod_caps,     []},
+      {mod_configure,[]},
+      {mod_disco,    []},
+      {mod_irc,      []},
+      {mod_http_bind, []},
+      {mod_last,     []},
+      {mod_muc,      [
+          {access, muc},
+          {access_create, muc_create},
+          {access_persistent, muc_create},
+          {access_admin, muc_admin}
+         ]},
+      {mod_offline,  [{access_max_user_messages, max_user_offline_messages}]},
+      {mod_ping,     []},
+      {mod_privacy,  []},
+      {mod_private,  []},
+      {mod_pubsub,   [
+          {access_createnode, pubsub_createnode},
+          {ignore_pep_from_offline, true},
+          {last_item_cache, false},
+          {plugins, ["flat", "hometree", "pep"]}
+         ]},
+      {mod_register, [
+          {welcome_message, {"Welcome!",
+                 "Hi.\nWelcome to this XMPP server."}},
+          {ip_access, [{allow, "127.0.0.0/8"},
+                 {deny, "0.0.0.0/0"}]},
+          {access, register}
+         ]},
+      {mod_roster,   []},
+      {mod_shared_roster,[]},
+      {mod_stats,    []},
+      {mod_time,     []},
+      {mod_vcard,    []},
+      {mod_version,  []}
+     ]}.
+  '';
+
+
+  # XXX this is a placeholder that happens to work the default strings.
+  toErlang = builtins.toJSON;
+
+in
+out
--- a/3modules/tv/git.nix
+++ b/3modules/tv/git.nix
@ -0,0 +1,406 @@
+arg@{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+  cfg = config.tv.git;
+
+  out = {
+    imports = [
+      ../../3modules/tv/nginx.nix
+    ];
+    options.tv.git = api;
+    config = mkIf cfg.enable (mkMerge [
+      imp
+    ]);
+  };
+
+  api = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable Git repository hosting.";
+    };
+    cgit = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable cgit."; # TODO better desc; talk about nginx
+    };
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/git";
+      description = "Directory used to store repositories.";
+    };
+    etcDir = mkOption {
+      type = types.str;
+      default = "/etc/git";
+    };
+    rules = mkOption {
+      type = types.unspecified;
+    };
+    repos = mkOption {
+      type = types.attrsOf (types.submodule ({
+        options = {
+          desc = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = ''
+              Repository description.
+            '';
+          };
+          section = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            description = ''
+              Repository section.
+            '';
+          };
+          name = mkOption {
+            type = types.str;
+            description = ''
+              Repository name.
+            '';
+          };
+          hooks = mkOption {
+            type = types.attrsOf types.str;
+            description = ''
+              Repository-specific hooks.
+            '';
+          };
+          public = mkOption {
+            type = types.bool;
+            default = false;
+            description = ''
+              Allow everybody to read the repository via HTTP if cgit enabled.
+            '';
+            # TODO allow every configured user to fetch the repository via SSH.
+          };
+        };
+      }));
+
+      default = {};
+
+      example = literalExample ''
+        {
+          testing = {
+            name = "testing";
+            hooks.post-update = '''
+              #! /bin/sh
+              set -euf
+              echo post-update hook: $* >&2
+            ''';
+          };
+          testing2 = { name = "testing2"; };
+        }
+      '';
+
+      description = ''
+        Repositories.
+      '';
+    };
+    users = mkOption {
+      type = types.unspecified;
+    };
+  };
+
+  imp = {
+    system.activationScripts.git-init = "${init-script}";
+    
+    # TODO maybe put all scripts here and then use PATH?
+    environment.etc."${etc-base}".source =
+      scriptFarm "git-ssh-authorizers" {
+        authorize-command = makeAuthorizeScript (map ({ repo, user, perm }: [
+          (map getName (ensureList user))
+          (map getName (ensureList repo))
+          (map getName perm.allow-commands)
+        ]) cfg.rules);
+    
+        authorize-push = makeAuthorizeScript (map ({ repo, user, perm }: [
+          (map getName (ensureList user))
+          (map getName (ensureList repo))
+          (ensureList perm.allow-receive-ref)
+          (map getName perm.allow-receive-modes)
+        ]) (filter (x: hasAttr "allow-receive-ref" x.perm) cfg.rules));
+      };
+    
+    users.extraUsers = singleton {
+      description = "Git repository hosting user";
+      name = "git";
+      shell = "/bin/sh";
+      openssh.authorizedKeys.keys =
+        mapAttrsToList (_: makeAuthorizedKey git-ssh-command) cfg.users;
+      uid = 112606723; # genid git
+    };
+  };
+
+
+  ensureList = x:
+    if typeOf x == "list" then x else [x];
+
+  getName = x: x.name;
+
+  isPublicRepo = getAttr "public"; # TODO this is also in ./cgit.nix
+
+  makeAuthorizedKey = git-ssh-command: user@{ name, pubkey }:
+    # TODO assert name
+    # TODO assert pubkey
+    let
+      options = concatStringsSep "," [
+        ''command="exec ${git-ssh-command} ${name}"''
+        "no-agent-forwarding"
+        "no-port-forwarding"
+        "no-pty"
+        "no-X11-forwarding"
+      ];
+    in
+    "${options} ${pubkey}";
+
+  # [case-pattern] -> shell-script
+  # Create a shell script that succeeds (exit 0) when all its arguments
+  # match the case patterns (in the given order).
+  makeAuthorizeScript =
+    let
+      # TODO escape
+      to-pattern = x: concatStringsSep "|" (ensureList x);
+      go = i: ps:
+        if ps == []
+          then "exit 0"
+          else ''
+            case ''$${toString i} in ${to-pattern (head ps)})
+            ${go (i + 1) (tail ps)}
+            esac'';
+    in
+    patterns: ''
+      #! /bin/sh
+      set -euf
+      ${concatStringsSep "\n" (map (go 1) patterns)}
+      exit -1
+    '';
+
+  reponames = rules: sort lessThan (unique (map (x: x.repo.name) rules));
+
+  # TODO makeGitHooks that uses runCommand instead of scriptFarm?
+  scriptFarm =
+    farm-name: scripts:
+    let
+      makeScript = script-name: script-string: {
+        name = script-name;
+        path = pkgs.writeScript "${farm-name}_${script-name}" script-string;
+      };
+    in
+    pkgs.linkFarm farm-name (mapAttrsToList makeScript scripts);
+
+
+  git-ssh-command = pkgs.writeScript "git-ssh-command" ''
+    #! /bin/sh
+    set -euf
+
+    PATH=${makeSearchPath "bin" (with pkgs; [
+      coreutils
+      git
+      gnugrep
+      gnused
+      systemd
+    ])}
+
+    abort() {
+      echo "error: $1" >&2
+      systemd-cat -p err -t git echo "error: $1"
+      exit -1
+    }
+
+    GIT_SSH_USER=$1
+
+    systemd-cat -p info -t git echo \
+      "authorizing $GIT_SSH_USER $SSH_CONNECTION $SSH_ORIGINAL_COMMAND"
+
+    # References: The Base Definitions volume of
+    # POSIX.1‐2013, Section 3.278, Portable Filename Character Set
+    portable_filename_bre="^[A-Za-z0-9._-]\\+$"
+
+    command=$(echo "$SSH_ORIGINAL_COMMAND" \
+      | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\1/p' \
+      | grep "$portable_filename_bre" \
+      || abort 'cannot read command')
+
+    GIT_SSH_REPO=$(echo "$SSH_ORIGINAL_COMMAND" \
+      | sed -n 's/^\([^ ]*\) '"'"'\(.*\)'"'"'/\2/p' \
+      | grep "$portable_filename_bre" \
+      || abort 'cannot read reponame')
+
+    ${cfg.etcDir}/authorize-command \
+        "$GIT_SSH_USER" "$GIT_SSH_REPO" "$command" \
+      || abort 'access denied'
+
+    repodir=${escapeShellArg cfg.dataDir}/$GIT_SSH_REPO
+
+    systemd-cat -p info -t git \
+      echo "authorized exec $command $repodir"
+
+    export GIT_SSH_USER
+    export GIT_SSH_REPO
+    exec "$command" "$repodir"
+  '';
+
+  init-script = pkgs.writeScript "git-init" ''
+    #! /bin/sh
+    set -euf
+
+    PATH=${makeSearchPath "bin" (with pkgs; [
+      coreutils
+      findutils
+      gawk
+      git
+      gnugrep
+      gnused
+    ])}
+
+    dataDir=${escapeShellArg cfg.dataDir}
+    mkdir -p "$dataDir"
+
+    # Notice how the presence of hooks symlinks determine whether
+    # we manage a repositry or not.
+
+    # Make sure that no existing repository has hooks.  We can delete
+    # symlinks because we assume we created them.
+    find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks -type l -delete
+    bad_hooks=$(find "$dataDir" -mindepth 2 -maxdepth 2 -name hooks)
+    if echo "$bad_hooks" | grep -q .; then
+      printf 'error: unknown hooks:\n%s\n' \
+        "$(echo "$bad_hooks" | sed 's/^/  /')" \
+        >&2
+      exit -1
+    fi
+
+    # Initialize repositories.
+    ${concatMapStringsSep "\n" (repo:
+      let
+        hooks = scriptFarm "git-hooks" (makeHooks repo);
+      in
+      ''
+        reponame=${escapeShellArg repo.name}
+        repodir=$dataDir/$reponame
+        mode=${toString (if isPublicRepo repo then 0711 else 0700)}
+        if ! test -d "$repodir"; then
+          mkdir -m "$mode" "$repodir"
+          git init --bare --template=/var/empty "$repodir"
+          chown -R git:nogroup "$repodir"
+        fi
+        ln -s ${hooks} "$repodir/hooks"
+      ''
+    ) (attrValues cfg.repos)}
+
+    # Warn about repositories that exist but aren't mentioned in the
+    # current configuration (and thus didn't receive a hooks symlink).
+    unknown_repos=$(find "$dataDir" -mindepth 1 -maxdepth 1 \
+      -type d \! -exec test -e '{}/hooks' \; -print)
+    if echo "$unknown_repos" | grep -q .; then
+      printf 'warning: stale repositories:\n%s\n' \
+        "$(echo "$unknown_repos" | sed 's/^/  /')" \
+        >&2
+    fi
+  '';
+
+  makeHooks = repo: removeAttrs repo.hooks [ "pre-receive" ] // {
+    pre-receive = ''
+      #! /bin/sh
+      set -euf
+
+      PATH=${makeSearchPath "bin" (with pkgs; [
+        coreutils # env
+        git
+        systemd
+      ])}
+
+      accept() {
+        #systemd-cat -p info -t git echo "authorized $1"
+        accept_string="''${accept_string+$accept_string
+      }authorized $1"
+      }
+      reject() {
+        #systemd-cat -p err -t git echo "denied $1"
+        #echo 'access denied' >&2
+        #exit_code=-1
+        reject_string="''${reject_string+$reject_string
+      }access denied: $1"
+      }
+
+      empty=0000000000000000000000000000000000000000
+
+      accept_string=
+      reject_string=
+      while read oldrev newrev ref; do
+
+        if [ $oldrev = $empty ]; then
+          receive_mode=create
+        elif [ $newrev = $empty ]; then
+          receive_mode=delete
+        elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then
+          receive_mode=fast-forward
+        else
+          receive_mode=non-fast-forward
+        fi
+
+        if ${cfg.etcDir}/authorize-push \
+            "$GIT_SSH_USER" "$GIT_SSH_REPO" "$ref" "$receive_mode"; then
+          accept "$receive_mode $ref"
+        else
+          reject "$receive_mode $ref"
+        fi
+      done
+
+      if [ -n "$reject_string" ]; then
+        systemd-cat -p err -t git echo "$reject_string"
+        exit -1
+      fi
+
+      systemd-cat -p info -t git echo "$accept_string"
+
+      ${optionalString (hasAttr "post-receive" repo.hooks) ''
+        # custom post-receive hook
+        ${repo.hooks.post-receive}''}
+    '';
+  };
+
+  etc-base =
+    assert (hasPrefix "/etc/" cfg.etcDir);
+    removePrefix "/etc/" cfg.etcDir;
+
+in
+out
+
+
+
+
+
+
+
+
+
+
+
+#let
+#  inherit (lib) mkIf mkMerge;
+#
+#  cfg = config.tv.git;
+#  arg' = arg // { inherit cfg; };
+#in
+#
+## TODO unify logging of shell scripts to user and journal
+## TODO move all scripts to ${etcDir}, so ControlMaster connections
+##       immediately pick up new authenticators
+## TODO when authorized_keys changes, then restart ssh
+##       (or kill already connected users somehow)
+#
+#{
+#  imports = [
+#    ../../3modules/tv/nginx.nix
+#  ];
+#
+#  options.tv.git = import ./options.nix arg';
+#
+#  config = mkIf cfg.enable (mkMerge [
+#    (import ./config.nix arg')
+#    (mkIf cfg.cgit (import ./cgit.nix arg'))
+#  ]);
+#}
--- a/3modules/tv/identity.nix
+++ b/3modules/tv/identity.nix
@ -0,0 +1,71 @@
+{ lib, ... }:
+
+with lib;
+
+let
+
+  cfg = config.tv.identity;
+
+  out = {
+    options.tv.identity = api;
+    #config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+    self = mkOption {
+      type = types.unspecified;
+    };
+    hosts = mkOption {
+      type = with types; attrsOf unspecified;
+      default = {
+        cd = {
+          #dc = "cac";
+          dc = "tv";
+          fqdn = "cd.retiolum";
+          addr = "10.243.113.222";
+          #addr6 = "42:4522:25f8:36bb:8ccb:0150:231a:2af3";
+          #internet-addr = "162.219.5.183";
+          cores = 2;
+        };
+        mkdir = {
+          #dc = "cac";
+          dc = "tv";
+          fqdn = "mkdir.retiolum";
+          addr = "10.243.113.223";
+          cores = 1;
+        };
+        nomic = {
+          #dc = "gg";
+          dc = "tv";
+          fqdn = "nomic.retiolum";
+          addr = "10.243.0.110";
+          cores = 2;
+        };
+        rmdir = {
+          #dc = "cac";
+          dc = "tv";
+          fqdn = "rmdir.retiolum";
+          addr = "10.243.113.224";
+          #addr = "42:4522:25f8:36bb:8ccb:0150:231a:2af5";
+          cores = 1;
+        };
+        wu = {
+          #dc = "gg";
+          dc = "tv";
+          fqdn = "wu.retiolum";
+          addr = "10.243.13.37";
+          cores = 8;
+        };
+      };
+    };
+  };
+
+  #imp = {
+  #};
+
+in
+out
--- a/3modules/tv/iptables.nix
+++ b/3modules/tv/iptables.nix
@ -0,0 +1,129 @@
+{ config, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+let
+  cfg = config.tv.iptables;
+
+  out = {
+    options.tv.iptables = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+    };
+
+    input-internet-accept-new-tcp = mkOption {
+      type = with types; listOf str;
+      default = [];
+    };
+
+    input-retiolum-accept-new-tcp = mkOption {
+      type = with types; listOf str;
+      default = [];
+    };
+  };
+
+  imp = {
+    networking.firewall.enable = false;
+
+    systemd.services.tv-iptables = {
+      description = "tv-iptables";
+      wantedBy = [ "network-pre.target" ];
+      before = [ "network-pre.target" ];
+      after = [ "systemd-modules-load.service" ];
+
+      path = with pkgs; [
+        iptables
+      ];
+      
+      restartIfChanged = true;
+      
+      serviceConfig = {
+        Type = "simple";
+        RemainAfterExit = true;
+        Restart = "always";
+        ExecStart = "@${startScript} tv-iptables_start";
+      };
+    };
+  };
+
+
+  accept-new-tcp = port:
+    "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
+
+  rules = iptables-version:
+    pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
+      *nat
+      :PREROUTING ACCEPT [0:0]
+      :INPUT ACCEPT [0:0]
+      :OUTPUT ACCEPT [0:0]
+      :POSTROUTING ACCEPT [0:0]
+      ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
+        ++ [
+          "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
+          "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
+        ]
+      )}
+      COMMIT
+      *filter
+      :INPUT DROP [0:0]
+      :FORWARD DROP [0:0]
+      :OUTPUT ACCEPT [0:0]
+      :Retiolum - [0:0]
+      ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
+        ++ [
+          "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+          "-i lo -j ACCEPT"
+        ]
+        ++ map accept-new-tcp cfg.input-internet-accept-new-tcp
+        ++ ["-i retiolum -j Retiolum"]
+      )}
+      ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
+        ++ {
+          ip4tables = [
+            "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
+          ];
+          ip6tables = [
+            "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
+          ];
+        }."ip${toString iptables-version}tables"
+        ++ map accept-new-tcp cfg.input-retiolum-accept-new-tcp
+        ++ {
+          ip4tables = [
+            "-p tcp -j REJECT --reject-with tcp-reset"
+            "-p udp -j REJECT --reject-with icmp-port-unreachable"
+            "-j REJECT --reject-with icmp-proto-unreachable"
+          ];
+          ip6tables = [
+            "-p tcp -j REJECT --reject-with tcp-reset"
+            "-p udp -j REJECT --reject-with icmp6-port-unreachable"
+            "-j REJECT"
+          ];
+        }."ip${toString iptables-version}tables"
+      )}
+      COMMIT
+    '';
+
+  startScript = pkgs.writeScript "tv-iptables_start" ''
+    #! /bin/sh
+    set -euf
+    iptables-restore < ${rules 4}
+    ip6tables-restore < ${rules 6}
+  '';
+
+in
+out
+
+#let
+#  cfg = config.tv.iptables;
+#  arg' = arg // { inherit cfg; };
+#in
+#
+#{
+#  options.tv.iptables = import ./options.nix arg';
+#  config = lib.mkIf cfg.enable (import ./config.nix arg');
+#}
--- a/3modules/tv/nginx.nix
+++ b/3modules/tv/nginx.nix
@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+  cfg = config.tv.nginx;
+
+  out = {
+    options.tv.nginx = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable nginx.";
+    };
+
+    retiolum-locations = mkOption {
+      type = with types; listOf (attrsOf str);
+      default = [];
+    };
+  };
+
+  imp = {
+    services.nginx =
+      let
+        name = config.tv.retiolum.name;
+        qname = "${name}.retiolum";
+      in
+      assert config.tv.retiolum.enable;
+      {
+        enable = true;
+        httpConfig = ''
+          include           ${pkgs.nginx}/conf/mime.types;
+          default_type      application/octet-stream;
+          sendfile          on;
+          keepalive_timeout 65;
+          gzip              on;
+          server {
+            listen 80 default_server;
+            server_name _;
+            location / {
+              return 404;
+            }
+          }
+          server {
+            listen 80;
+            server_name ${name} ${qname};
+
+            ${indent (concatStrings (map to-location cfg.retiolum-locations))}
+
+            location / {
+              return 404;
+            }
+          }
+        '';
+      };
+  };
+
+  
+  indent = replaceChars ["\n"] ["\n  "];
+
+  to-location = { name, value }: ''
+    location ${name} {
+      ${indent value}
+    }
+  '';
+
+in
+out
+
+
+#let
+#  cfg = config.tv.nginx;
+#  arg' = arg // { inherit cfg; };
+#in
+#
+#{
+#  options.tv.nginx = import ./options.nix arg';
+#  config = lib.mkIf cfg.enable (import ./config.nix arg');
+#}
--- a/3modules/tv/retiolum.nix
+++ b/3modules/tv/retiolum.nix
@ -0,0 +1,241 @@
+{ config, pkgs, lib, ... }:
+
+with builtins;
+with lib;
+let
+  cfg = config.tv.retiolum;
+
+  out = {
+    options.tv.retiolum = api;
+    config = mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = "Enable tinc daemon for Retiolum.";
+    };
+
+    name = mkOption {
+      type = types.str;
+      default = config.networking.hostName;
+      # Description stolen from tinc.conf(5).
+      description = ''
+        This is the name which identifies this tinc daemon.  It must
+        be unique for the virtual private network this daemon will
+        connect to.  The Name may only consist of alphanumeric and
+        underscore characters.  If Name starts with a $, then the
+        contents of the environment variable that follows will be
+        used.  In that case, invalid characters will be converted to
+        underscores.  If Name is $HOST, but no such environment
+        variable exist, the hostname will be read using the
+        gethostnname() system call This is the name which identifies
+        the this tinc daemon.
+      '';
+    };
+
+    generateEtcHosts = mkOption {
+      type = types.str;
+      default = "both";
+      description = ''
+        If set to <literal>short</literal>, <literal>long</literal>, or <literal>both</literal>,
+        then generate entries in <filename>/etc/hosts</filename> from subnets.
+      '';
+    };
+
+    network = mkOption {
+      type = types.str;
+      default = "retiolum";
+      description = ''
+        The tinc network name.
+        It is used to generate long host entries,
+        derive the name of the user account under which tincd runs,
+        and name the TUN device.
+      '';
+    };
+
+    tincPackage = mkOption {
+      type = types.package;
+      default = pkgs.tinc;
+      description = "Tincd package to use.";
+    };
+
+    hosts = mkOption {
+      default = null;
+      description = ''
+        Hosts package or path to use.
+        If a path is given, then it will be used to generate an ad-hoc package.
+      '';
+    };
+
+    iproutePackage = mkOption {
+      type = types.package;
+      default = pkgs.iproute;
+      description = "Iproute2 package to use.";
+    };
+
+
+    privateKeyFile = mkOption {
+      # TODO if it's types.path then it gets copied to /nix/store with
+      #      bad unsafe permissions...
+      type = types.str;
+      default = "/root/src/secrets/retiolum.rsa_key.priv";
+      description = "Generate file with <literal>tincd -K</literal>.";
+    };
+
+    connectTo = mkOption {
+      type = types.listOf types.str;
+      default = [ "fastpoke" "pigstarter" "kheurop" ];
+      description = "TODO describe me";
+    };
+
+  };
+
+  imp = {
+    environment.systemPackages = [ tinc hosts iproute ];
+
+    networking.extraHosts = retiolumExtraHosts;
+
+    systemd.services.retiolum = {
+      description = "Tinc daemon for Retiolum";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = [ tinc iproute ];
+      serviceConfig = {
+        PermissionsStartOnly = "true";
+        PrivateTmp = "true";
+        Restart = "always";
+        # TODO we cannot chroot (-R) b/c we use symlinks to hosts
+        #      and the private key.
+        ExecStartPre = pkgs.writeScript "retiolum-init" ''
+          #! /bin/sh
+          install -o ${user} -m 0400 ${cfg.privateKeyFile} /tmp/retiolum-rsa_key.priv
+        '';
+        ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";
+        SyslogIdentifier = "retiolum";
+      };
+    };
+
+    # TODO user.name = "retiolum"
+    users.extraUsers = singleton {
+      name = user;
+      uid = 2961822815; # bin/genid retiolum-tinc
+    };
+  };
+
+
+  tinc = cfg.tincPackage;
+  hostsType = builtins.typeOf cfg.hosts;
+  hosts =
+    if hostsType == "package" then
+      # use package as is
+      cfg.hosts
+    else if hostsType == "path" then
+      # use path to generate a package
+      pkgs.stdenv.mkDerivation {
+        name = "custom-retiolum-hosts";
+        src = cfg.hosts;
+        installPhase = ''
+          mkdir $out
+          find . -name .git -prune -o -type f -print0 | xargs -0 cp --target-directory $out
+        '';
+      }
+    else
+      abort "The option `services.retiolum.hosts' must be set to a package or a path"
+    ;
+  iproute = cfg.iproutePackage;
+
+  retiolumExtraHosts = import (pkgs.runCommand "retiolum-etc-hosts"
+    { }
+    ''
+      generate() {
+        (cd ${hosts}
+          printf \'\'
+          for i in `ls`; do
+            names=$(hostnames $i)
+            for j in `sed -En 's|^ *Aliases *= *(.+)|\1|p' $i`; do
+              names="$names $(hostnames $j)"
+            done
+            sed -En '
+              s|^ *Subnet *= *([^ /]*)(/[0-9]*)? *$|\1  '"$names"'|p
+            ' $i
+          done | sort
+          printf \'\'
+        )
+      }
+
+      case ${cfg.generateEtcHosts} in
+        short)
+          hostnames() { echo "$1"; }
+          generate
+          ;;
+        long)
+          hostnames() { echo "$1.${cfg.network}"; }
+          generate
+          ;;
+        both)
+          hostnames() { echo "$1.${cfg.network} $1"; }
+          generate
+          ;;
+        *)
+          echo '""'
+          ;;
+      esac > $out
+    '');
+
+
+  confDir = pkgs.runCommand "retiolum" {
+    # TODO text
+    executable = true;
+    preferLocalBuild = true;
+  } ''
+    set -euf
+
+    mkdir -p $out
+
+    ln -s ${hosts} $out/hosts
+
+    cat > $out/tinc.conf <<EOF
+    Name = ${cfg.name}
+    Device = /dev/net/tun
+    Interface = ${cfg.network}
+    ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)}
+    PrivateKeyFile = /tmp/retiolum-rsa_key.priv
+    EOF
+
+    # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up
+    cat > $out/tinc-up <<EOF
+    host=$out/hosts/${cfg.name}
+    ${iproute}/sbin/ip link set \$INTERFACE up
+
+    addr4=\$(sed -n 's|^ *Subnet *= *\(10[.][^ ]*\) *$|\1|p' \$host)
+    if [ -n "\$addr4" ];then
+        ${iproute}/sbin/ip -4 addr add \$addr4 dev \$INTERFACE
+        ${iproute}/sbin/ip -4 route add 10.243.0.0/16 dev \$INTERFACE
+    fi
+    addr6=\$(sed -n 's|^ *Subnet *= *\(42[:][^ ]*\) *$|\1|p' \$host)
+    ${iproute}/sbin/ip -6 addr add \$addr6 dev \$INTERFACE
+    ${iproute}/sbin/ip -6 route add 42::/16 dev \$INTERFACE
+    EOF
+
+    chmod +x $out/tinc-up
+  '';
+
+
+  user = cfg.network + "-tinc";
+
+in
+out
+
+
+
+#let
+#  cfg = config.tv.retiolum;
+#  arg' = arg // { inherit cfg; };
+#in
+#
+#{
+#  options.tv.retiolum = import ./options.nix arg';
+#  config = lib.mkIf cfg.enable (import ./config.nix arg');
+#}
--- a/3modules/tv/urlwatch.nix
+++ b/3modules/tv/urlwatch.nix
@ -0,0 +1,156 @@
+{ config, lib, pkgs, ... }:
+
+# TODO multiple users
+# TODO inform about unused caches
+# cache = url: "${cfg.dataDir}/.urlwatch/cache/${hashString "sha1" url}"
+# TODO hooks.py
+
+with builtins;
+with lib;
+
+let
+  cfg = config.tv.urlwatch;
+
+  api = {
+    dataDir = mkOption {
+      type = types.str;
+      default = "/var/lib/urlwatch";
+      description = ''
+        Directory where the urlwatch service should store its state.
+      '';
+    };
+    enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to enable the urlwatch service.
+        If enabled, then create a timer that calls urlwatch and sends mails
+        whenever something has changed or an error occurs.
+      '';
+    };
+    from = mkOption {
+      type = types.str;
+      default = "${cfg.user}@${config.networking.hostName}.retiolum";
+      description = ''
+        Content of the From: header of the generated mails.
+      '';
+    };
+    mailto = mkOption {
+      type = types.str;
+      description = ''
+        Content of the To: header of the generated mails. [AKA recipient :)]
+      '';
+    };
+    onCalendar = mkOption {
+      type = types.str;
+      description = ''
+        Run urlwatch at this interval.
+        The format is described in systemd.time(7), CALENDAR EVENTS.
+      '';
+      example = "04:23";
+    };
+    urls = mkOption {
+      type = with types; listOf str;
+      description = "URL to watch.";
+      example = [
+        https://nixos.org/channels/nixos-unstable/git-revision
+      ];
+    };
+    user = mkOption {
+      type = types.str;
+      default = "urlwatch";
+      description = "User under which urlwatch runs.";
+    };
+  };
+
+  urlsFile = toFile "urls" (concatStringsSep "\n" cfg.urls);
+
+  impl = {
+    systemd.timers.urlwatch = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.onCalendar;
+        Persistent = "true";
+      };
+    };
+    systemd.services.urlwatch = {
+      path = with pkgs; [
+        coreutils
+        gnused
+        urlwatch
+      ];
+      environment = {
+        HOME = cfg.dataDir;
+        LC_ALL = "en_US.UTF-8";
+        LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive";
+        SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+      };
+      serviceConfig = {
+        User = cfg.user;
+        PermissionsStartOnly = "true";
+        PrivateTmp = "true";
+        Type = "oneshot";
+        ExecStartPre =
+          pkgs.writeScript "urlwatch-prestart" ''
+            #! /bin/sh
+            set -euf
+
+            dataDir=$HOME
+            user=${escapeShellArg cfg.user}
+
+            if ! test -e "$dataDir"; then
+              mkdir -m 0700 -p "$dataDir"
+              chown "$user": "$dataDir"
+            fi
+          '';
+        ExecStart = pkgs.writeScript "urlwatch" ''
+          #! /bin/sh
+          set -euf
+
+          from=${escapeShellArg cfg.from}
+          mailto=${escapeShellArg cfg.mailto}
+          urlsFile=${escapeShellArg urlsFile}
+          user=${escapeShellArg cfg.user}
+
+          cd /tmp
+
+          urlwatch -e --urls="$urlsFile" > changes 2>&1 || :
+
+          if test -s changes; then
+            date=$(date -R)
+            subject=$(sed -n 's/^\(CHANGED\|ERROR\|NEW\): //p' changes \
+              | tr \\n \ )
+            {
+              echo "Date: $date"
+              echo "From: $from"
+              echo "Subject: $subject"
+              echo "To: $mailto"
+              echo
+              cat changes
+            } | /var/setuid-wrappers/sendmail -t
+          fi
+        '';
+      };
+    };
+    users.extraUsers = optionals (cfg.user == "urlwatch") (singleton {
+      name = "urlwatch";
+      uid = 3450919516; # bin/genid urlwatch
+    });
+  };
+
+in
+
+{
+  # TODO
+  #imports = [
+  #  ./exim
+  #];
+  #config = mkIf cfg.enable
+  #  (if config.tv.exim.enable
+  #    then impl
+  #    else throw "tv.exim must be enabled when enabling tv.urlwatch");
+
+  options.tv.urlwatch = api;
+  
+  config = impl;
+}
--- a/4lib/tv/default.nix
+++ b/4lib/tv/default.nix
@ -0,0 +1,62 @@
+{ lib, pkgs, ... }:
+
+with builtins;
+
+let
+  inherit (lib) mapAttrs stringAsChars;
+in
+
+rec {
+  git = import ./git.nix {
+    lib = lib // {
+      inherit addNames;
+    };
+    inherit pkgs;
+  };
+
+  addName = name: set:
+    set // { inherit name; };
+
+  addNames = mapAttrs addName;
+
+
+  # "7.4.335" -> "74"
+  majmin = with lib; x : concatStrings (take 2 (splitString "." x));
+
+
+  concat = xs :
+    if xs == []
+      then ""
+      else head xs + concat (tail xs)
+    ;
+
+  flip = f : x : y : f y x;
+
+  # isSuffixOf :: String -> String -> Bool
+  isSuffixOf =
+    s : xs :
+      let
+        sn = stringLength s;
+        xsn = stringLength xs;
+      in
+        xsn >= sn && substring (xsn - sn) sn xs == s ;
+
+  removeSuffix =
+    s : xs : substring 0 (stringLength xs - stringLength s) xs;
+
+  # setMap :: (String -> a -> b) -> Set String a -> [b]
+  #setMap = f: xs: map (k : f k (getAttr k xs)) (attrNames xs);
+
+  # setToList :: Set k a -> [a]
+  #setToList = setMap (_: v: v);
+
+  shell-escape =
+    let
+      isSafeChar = c: match "[-./0-9_a-zA-Z]" c != null;
+    in
+    stringAsChars (c:
+      if isSafeChar c then c
+      else if c == "\n" then "'\n'"
+      else "\\${c}");
+
+}
--- a/4lib/tv/git.nix
+++ b/4lib/tv/git.nix
@ -0,0 +1,181 @@
+{ lib, pkgs, ... }:
+
+let
+  inherit (lib) addNames escapeShellArg makeSearchPath;
+
+  commands = addNames {
+    git-receive-pack = {};
+    git-upload-pack = {};
+  };
+
+  receive-modes = addNames {
+    fast-forward = {};
+    non-fast-forward = {};
+    create = {};
+    delete = {};
+    merge = {}; # TODO implement in git.nix
+  };
+
+  permissions = {
+    fetch = {
+      allow-commands = [
+        commands.git-upload-pack
+      ];
+    };
+
+    push = ref: extra-modes: {
+      allow-commands = [
+        commands.git-receive-pack
+        commands.git-upload-pack
+      ];
+      allow-receive-ref = ref;
+      allow-receive-modes = [ receive-modes.fast-forward ] ++ extra-modes;
+    };
+  };
+
+  refs = {
+    master = "refs/heads/master";
+    all-heads = "refs/heads/*";
+  };
+
+  irc-announce-script = pkgs.writeScript "irc-announce-script" ''
+    #! /bin/sh
+    set -euf
+
+    export PATH=${makeSearchPath "bin" (with pkgs; [
+      coreutils
+      gawk
+      gnused
+      netcat
+      nettools
+    ])}
+
+    IRC_SERVER=$1
+    IRC_PORT=$2
+    IRC_NICK=$3$$
+    IRC_CHANNEL=$4
+    message=$5
+
+    export IRC_CHANNEL # for privmsg_cat
+
+    # echo2 and cat2 are used output to both, stdout and stderr
+    # This is used to see what we send to the irc server. (debug output)
+    echo2() { echo "$*"; echo "$*" >&2; }
+    cat2() { tee /dev/stderr; }
+
+    # privmsg_cat transforms stdin to a privmsg
+    privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
+
+    # ircin is used to feed the output of netcat back to the "irc client"
+    # so we can implement expect-like behavior with sed^_^
+    # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
+    tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
+    cd "$tmpdir"
+    mkfifo ircin
+    trap "
+      rm ircin
+      cd '$OLDPWD'
+      rmdir '$tmpdir'
+      trap - EXIT INT QUIT
+    " EXIT INT QUIT
+
+    {
+      echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
+      echo2 "NICK $IRC_NICK"
+
+      # wait for MODE message
+      sed -n '/^:[^ ]* MODE /q'
+
+      echo2 "JOIN $IRC_CHANNEL"
+
+      printf '%s' "$message" \
+        | privmsg_cat \
+        | cat2
+
+      echo2 "PART $IRC_CHANNEL"
+
+      # wait for PART confirmation
+      sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
+
+      echo2 'QUIT :Gone to have lunch'
+    } < ircin \
+      | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
+  '';
+
+  hooks = {
+    # TODO make this a package?
+    irc-announce = { nick, channel, server, port ? 6667 }: ''
+      #! /bin/sh
+      set -euf
+
+      export PATH=${makeSearchPath "bin" (with pkgs; [
+        coreutils
+        git
+        gnused
+      ])}
+
+      nick=${escapeShellArg nick}
+      channel=${escapeShellArg channel}
+      server=${escapeShellArg server}
+      port=${toString port}
+
+      host=$nick
+
+      empty=0000000000000000000000000000000000000000
+
+      unset message
+      while read oldrev newrev ref; do
+
+        if [ $oldrev = $empty ]; then
+          receive_mode=create
+        elif [ $newrev = $empty ]; then
+          receive_mode=delete
+        elif [ "$(git merge-base $oldrev $newrev)" = $oldrev ]; then
+          receive_mode=fast-forward
+        else
+          receive_mode=non-fast-forward
+        fi
+
+        h=$(echo $ref | sed 's:^refs/heads/::')
+
+        # empty_tree=$(git hash-object -t tree /dev/null
+        empty_tree=4b825dc6
+
+        id=$(echo $newrev | cut -b-7)
+        id2=$(echo $oldrev | cut -b-7)
+        if [ $newrev = $empty ]; then id=$empty_tree; fi
+        if [ $oldrev = $empty ]; then id2=$empty_tree; fi
+
+        case $receive_mode in
+          create)
+            #git log --oneline $id2
+            link="http://$host/cgit/$GIT_SSH_REPO/?h=$h"
+            ;;
+          delete)
+            #git log --oneline $id2
+            link="http://$host/cgit/$GIT_SSH_REPO/ ($h)"
+            ;;
+          fast-forward|non-fast-forward)
+            #git diff --stat $id..$id2
+            link="http://$host/cgit/$GIT_SSH_REPO/diff/?h=$h&id=$id&id2=$id2"
+            ;;
+        esac
+
+        #$host $GIT_SSH_REPO $ref $link
+        message="''${message+$message
+      }$GIT_SSH_USER $receive_mode $link"
+      done
+
+      if test -n "''${message-}"; then
+        exec ${irc-announce-script} \
+          "$server" \
+          "$port" \
+          "$nick" \
+          "$channel" \
+          "$message"
+      fi
+    '';
+  };
+
+in
+commands // receive-modes // permissions // refs // hooks
--- a/4lib/tv/modules.nix
+++ b/4lib/tv/modules.nix
@ -0,0 +1,21 @@
+let
+  pkgs = import <nixpkgs> {};
+  inherit (pkgs.lib) concatMap hasAttr;
+in rec {
+
+  no-touch-args = {
+    config = throw "no-touch-args: can't touch config!";
+    lib = throw "no-touch-args: can't touch lib!";
+    pkgs = throw "no-touch-args: can't touch pkgs!";
+  };
+
+  # list-imports : path -> [path]
+  # Return a module's transitive list of imports.
+  # XXX duplicates won't get eliminated from the result.
+  list-imports = path:
+    let module = import path no-touch-args;
+        imports = if hasAttr "imports" module
+                    then concatMap list-imports module.imports
+                    else [];
+    in [path] ++ imports;
+}
--- a/70
+++ b/70
@ -0,0 +1,70 @@
+ifndef system
+$(error unbound variable: system)
+else
+include 0make/tv/$(system).makefile
+.ONESHELL:
+.SHELLFLAGS := -eufc
+.PHONY: deploy
+deploy:;@
+	system_name=$(system)
+	deploy_host=$(deploy_host)
+	nixpkgs_url=$(nixpkgs_url)
+	nixpkgs_rev=$(nixpkgs_rev)
+	secrets_dir=$(secrets_dir)
+
+	prepush(){(
+		dst=$$1
+		src=$$2
+		rsync \
+			--exclude .git \
+			--rsync-path="mkdir -p \"$$dst\" && rsync" \
+			--usermap=\*:0 \
+			--groupmap=\*:0 \
+			--delete-excluded \
+			-vrLptgoD \
+			"$$src/" "$$deploy_host:$$dst"
+	)}
+
+	prepush /root/src/shitment "$$PWD"
+	prepush /root/src/secrets "$$secrets_dir"
+
+	ssh -S none "$$deploy_host" -T env \
+			nixpkgs_url="$$nixpkgs_url" \
+			nixpkgs_rev="$$nixpkgs_rev" \
+			system_name="$$system_name" \
+		sh -euf \
+	<<-\EOF
+		prefetch(){(
+			dst=$$1
+			url=$$2
+			rev=$$3
+			mkdir -p "$$dst"
+			cd "$$dst"
+			if ! test -e .git; then
+				git init
+			fi
+			if ! cur_url=$$(git config remote.origin.url 2>/dev/null); then
+				git remote add origin "$$url"
+			elif test "$$cur_url" != "$$url"; then
+				git remote set-url origin "$$url"
+			fi
+			if test "$$(git rev-parse --verify HEAD 2>/dev/null)" != "$$rev"; then
+				git fetch origin
+				git checkout "$$rev" -- .
+				git checkout -q "$$rev"
+				git submodule init
+				git submodule update
+			fi
+			git clean -dxf
+		)}
+
+		prefetch /root/src/nixpkgs "$$nixpkgs_url" "$$nixpkgs_rev"
+
+		echo build system...
+		NIXOS_CONFIG=/root/src/shitment/1systems/tv/$$system_name.nix \
+		NIX_PATH=src \
+			nix-build -Q -A system '<nixpkgs/nixos>'
+
+		result/bin/switch-to-configuration switch
+	EOF
+endif
--- a/Zhosts/Styx
+++ b/Zhosts/Styx
@ -0,0 +1,10 @@
+Subnet = 10.243.0.42/32
+Compression = 9
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA4jbOi+HZIGOGNm4aBSwnq4m3Vg3IXHmYUbJx1AzP4a/yvEgswfk6
+MP5FXvoY/hZ0NQ0IRzbbJxGbcUdulz0WSjX1C+8uQUZstz+lvYZ4FeCXcdE5cuFM
+ROKAbA4qxO3WOFhPAs4G+K6srDqswmmBSfgPAfOBexEZxHweoBQLOYKUPnBCWf5q
+I1gKWgMVWv6KY/pgYxloarycb8gEd2GsNZcNwoNhRd2G/Tn6idh1qRBI96eaasbV
+P24FEVkPVFVgIGrvFZCICCeQzA4g+Sn4TmgxnTWLQxG4hAHOZQX/ld8u7NHTU9Qm
+PwmjESwfas9Z8UjknrbcaZvuqKrnMp7JwwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/ThinkArmageddon
+++ b/Zhosts/ThinkArmageddon
@ -0,0 +1,9 @@
+Subnet = 10.243.0.137/32
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1EAiyBWICkyB1zHE31fHSbGR1nJJmXSfnrqm9yXRZSGweIKrbsof
+QVcRzM4vsFBRUMBeKW7fzlGcvgXULFRnGelvEl4GRiBMO9odBlBI3t8CjZW7X2N7
+JqCMkB+CRuiHbNYQdRFTozQEfPq+DNh8accD5LjUM6gF0dKUdby5qNeHCfZSxU4v
+YZDRqq/haO4up6m8/S6YhnHPOSaIAu7R7hFaUeB/FPT+s5irKk6WtAiWnIdXb22q
+0zxT4+t9sWFb4V9u/MImggYQVWjk+TfF5KpihBOvExEQsSR8JJcRUJAtN4W0w2Pc
+S4/j9ArKcBj5Wf2qHcJMN5MbwUFW1oMkGwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/TriBot
+++ b/Zhosts/TriBot
@ -0,0 +1,11 @@
+Subnet = 10.243.117.163
+Subnet = 42:ff05:504f:f27a:3534:9be1:4343:5e95
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAz8pZtvSqDEKo/8IHt71GzWa2oTqZPUv2kRoipUXbJGv3eWpkbd4n
+OpaLuY7MjUveZ39m830t5RAkgB9iChU5wurszgfLrxJ15uibJe+yFJl9O6kuYJr1
+69s12F/v/pPno5eWuXWJ+CdMW8srZB1I/ZIL1/GaptuDoMxu7uBnDbL/NJrpPBSr
+JxCJGHET8jh2++B3cqsBWNGkQjQTM8NwwAup6HQjBrbOQYOAQbcOTMmalc/9JFfO
+LUz63LrCPk5pIeLi+876IdAJBuJsVWwmTbl/D9R6D34Z8bYHIv9mDmO/omckcxX2
+JJgEq5/xlLb2gHt/qfUunbYHIstp/s2bSwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/ach
+++ b/Zhosts/ach
@ -0,0 +1,11 @@
+Subnet = 10.243.32.89
+Subnet = 42:6bb3:0a07:6777:9aa5:e39c:e140:cb68
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAsTyjNQ5aO2aIKXgkgZSiUb0POtEVoAPFrIkSv5Ci+7AYv+CLXsIr
+TKBfFIg474KZ4MCrX0oA3Z66s9d2UW6mcH5JufW8siRPJvdydqaANyF6Fvk++59R
+GMKR0MGdPGfcxjaw64ChemOZx1T6ODHF7KTgaWRI+Aiz+jWsvVCSKutSwVDJTgJ
+4lub95/gbWckRY6fchkh7rSTfNXXYevbysQYdZaAR/qgquUNt23/ewlagF7uqgZt
+CQx7MHMU2quEdvIfZuUPFWe0yHBb1bZCHYxKXo6XG8I7WdUAFRuwFLTjqgSYPD1j
+EpUyU0+xxfyXB3vWrM/jcw8XKzi04wWHuQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/air
+++ b/Zhosts/air
@ -0,0 +1,11 @@
+Subnet = 10.243.0.99
+Subnet = 42:32d7:b589:8ae8:57a5:4cde:f49e:851d/128
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1yNqMyy9C1O031M518kzLYLh+Ox0D2r9UgVSSb9OgpQ85ZJgl7Kb
+SUzlZLbC9CX4O+PmtWvZwtPfLjua9VbVOtUJTB6zTB9Oqe4hTmX0oKIgheGf1rKS
+ylOaLfSz7PaPR3zGms17F4ovLDUBG2rpOyoHJM54T9LyJbPny/t7v/fjAFqu6atK
+1RgER3j3s5oPaRPw0pYR0kiGXayZRL6q7Qc6AXMlMi22sdRI9e1YCMCyC4u1oU6U
+grw7khyPWoEaue9B7fKfG5PixRHHlrsVDdwXEVvH87+/X2IU3H3C1/pslenAQ98i
+qGNJOl2eJ9FHInQjI1cDMgFURcT6i8mGpQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/alarmpi
+++ b/Zhosts/alarmpi
@ -0,0 +1,11 @@
+Subnet = 10.243.124.187
+Subnet = 42:2de9:fab6:7460:2fee:9199:fa1d:70ea
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAunQOFP1mnEmsmnMYjCwbWdbGe0/hHQs2bxIdwO1RXngXgw/TBBhN
+Xlp75LzPiT0ELF5WBPVclqskT+bl+FOOITH9XDkYzm22jzeLHq3bs3YiZhwzidkO
+Xhq5pwGY4HL4o3SfFtfOHse688qqLXefoc9CfyAIKMCRRAxlzpqNVuZEg1eUcuUJ
+z6gugJj+YyA4V3JGq7GuJDiPPOMrGel0rITMlWtYYtm0jf6deYBPjo+ZogDESlez
+tBmPKNCXynSxb6cV39StUsbUQbLvHgPBrA01T+Hw1DV5eHmWoycvD4IfJqXdfMbc
+BOqRHOlErXGTG5m2EUoU0VSj75zl06gW6wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/albi10
+++ b/Zhosts/albi10
@ -0,0 +1,11 @@
+Address = 74.122.198.15
+Subnet = 10.243.0.10
+Subnet = 42:aaa9:4ba3:8c43:bdd8:2cc8:29a0:e8e6/128
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA0Jz5rQ7NpIQWwhDsrZHlJYAnC1k1onl2ln/6CJbdV9t3gG2hlx/9
+0SEARo6sq9fftyzzZd3iY4WK7+zRXJFXHsLmDa6mq8Mme7Yv+YHZoHPTm9c3tN3v
+laiV/qAdoi/sv43DCo7JywI2lTW1pPxuitXuud2ajd7GXuCoRqFRqLtaURorVKkW
+4j9UGpMKrEa+CV9wP5jZ57RSPQ7aMq8D4GiMqKDgUeCZnvXxpYWDOEdGNlpuUcWt
+/erC6u50/vnjUkkHx66OmkZe5AX5MmwNp2q4zC4sTh/BRhqk27AmNl5wbp0kL7/B
+hg+r0F8ckrdLc21sSU36lUIeeFa/S+A06QIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/albi7
+++ b/Zhosts/albi7
@ -0,0 +1,10 @@
+Subnet = 10.243.0.7/32
+Subnet = 42:6c61:6962:6137:626c:3769:000a:1337/128
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA+SwdWv1anjIaKSnvel9d23tgqye5RguIVfgMnjpMsqOYpFklLIa8
+4wREhVvpiArnIsoTXbKzdeCFgaAbMS6aQ701Pyv7QriVy8m3iUlgqvB/znogxN8U
+z1fqL0jAHLkQkoyZ2a6mUgHpByvUqZNcq6istYLwGnXO3JQrS7U54hHPpXbxwFY5
+0/Wli9OueG4fWaZ9skDa2Faq4c/Lngku+Iv1gBBgII1EDSsgedNWw3YBTmHDFNTZ
+SsORj2ho5nQgdvw42qEINbxpU01jK8XB+jmVEO+ixZZCsWlOeCjl9Zym4MZDRePg
+euTLTbgs/809ElM8V+EzRKSPNR2k6FrBXwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/almoehi
+++ b/Zhosts/almoehi
@ -0,0 +1,11 @@
+Subnet = 10.243.239.66
+Subnet = 42:0730:2eed:2bb9:9d4b:eeb1:641c:0fe6
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAtyfcqaDrDmsBVh5w4CksDI1Hn/jDcZVyNWZlqxQojjB2SsxH1VyD
+VcpmwyzDSE87CCZPN4xjIbrc+KgjiOVSAu+8Ax4dLqVrP96s5lJUIunVcwd3lQVi
+D7Ol2zDredbXuNi3jb0qBU+/qiK9mp1vTcEXhXmCSTiXIHz0d7vkv9S0h+YgKGMJ
+xBQsyCsEI9uAeGghVwrLcwY0ea6ZJuYz0miIn9+g4D5PROxImBAJV6uvbG0cP8QG
+rLY85YYByk2qKPIXrpec4uc1A/P1+1DSl5I+GEkBBhSmQB71UYCDULfuL4Eu6mFN
+AFAPsSCk8DFo5//lULky24CEkxTtp4rcPwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/alphalabs
+++ b/Zhosts/alphalabs
@ -0,0 +1,10 @@
+Subnet = 42:0:0:0:0:0:0:a1fa/128
+Subnet = 10.243.1.10/32
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvUAbMmmOFn+4kOvJAvmi0R/XCQa1YBlkjUvC6Pmt0Q8gV1DodXjB
+DgwP8yhLcxaVy2Hk82aJvNTUrfMeB2sdt1RJHQiEPQkHthdp8Spm0Px4uTiMjmFB
+ev91xi00eCCGIKsXdh/qso1K7EDHt9MEVHOvSlkawWzoyJ6AaHStW1ElwDdGjZpl
+0YWrhx4Gk5X7pCp3LKkQJFfGtqoqGOVg2JjqK3qMsAdRo6QvYDqjFzARed/D0k55
+kcKXjBJAVxoU/CqGfS/Lr0fL8tdYgXaAXvPO9dbr1t0KyOUY2KRNBePeSvRp/etb
+H0LBPsO9F7PQiPI3DBoWCYgsuj/hBXapvwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/apfull
+++ b/Zhosts/apfull
@ -0,0 +1,11 @@
+Subnet = 10.243.138.112
+Subnet = 42:0707:afc5:96a3:8215:305e:0474:02fb
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAxNnJB29djjUFUZqM7EQ8kj+IRx/a+2fA0ZdNoUm4ar6t7kTmOc40
+GzGr0zE+QPqQ3abDk7eTmZbU3yUNiAUDzDMD+iqwKAVJnMb8pjXlGmcpdvMuxwbz
+bHeTEaVqBmF4seXlwUKL+waa2Yr1t0YsynCUte8dbcauaD9CY61QjDUP7TQBglmk
+eKq+qbFNKjzIjLQf2iXsl2+dzuFqg4OUaUD0zZJVzjNpKSz24uEK2mD9fSmS3oYF
+yzsNaOKaXr/j+1Xlosxy9Rde/o54UbtZTPYsNdhNgnXmBan4zTv/QnI67Uf9RqiK
+PHsSAkfCj/K7iAOKE/A30xYbd8eV2tPANwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/bitchctl
+++ b/Zhosts/bitchctl
@ -0,0 +1,11 @@
+Subnet = 10.243.104.101
+Subnet = 42:5ac9:c698:4d1d:6ec5:45b9:647b:a8ee
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAuxd4ZU3y1ZgvI+/7mQkWBlF6VvX6ty8+iKYwmjsSUCclxz3O5DB+
+clps9k+0tQvtKlsxG3lnFQz9fd4Pj0GIuWsAdHRH/hpnb9nYSRePKWy0RBjAZRr4
+8rXqI8NOdkQiIQT8gWw3ujzw/Mau/bV6AWqi+CbeExm+J0bPW/QZlAZ4BEKFvuqK
+U8yOQ38p9s3Dpe4S5JZ3cu54j5f5JygXTZgk2ZW3frJ/JS+lRHfFlIW0ZAuTqn/u
+GD5ahHLbRZPGsG5aSR+agfOVIAHLBnDoFx6AQUr09m4zyMgPEC+Xq/DvdP/Hvuas
+RYRol9qHtNeFJViWIUOQPHypTw2a4Ev7fQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/bitchextend
+++ b/Zhosts/bitchextend
@ -0,0 +1,11 @@
+Subnet = 10.243.141.142
+Subnet = 42:f8a6:9f59:381d:eedf:d90d:8611:4a9e
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA02Zp9aYkEn5yLSaOhrmuFzObpmWdZfT5OWzE11LUeoCu4rsEZY9T
+DB93iliJpxKYuLnmI49vGfSSzqGs6B2yoh6Y60OsrYrvBSQ2Li3aTOqUTL8GpR6Y
+GivInlr6F5/T+6BEg8paau/1rwRE/r2cJ78AvG1nd+JtRL9Hl4tYPakOVIbRk3D9
+4qDtWDWZS5BdirbaO66wvYxS8ps14LRvyVkjiT7IPMXf8p6rxumXPIr3JtJ6QC/K
+DKuP95v0vztZm3U32hO92NB+mDb0XjGSOaspEl2HX45phad6GnGBPqhGpSv47xDa
+HprcO9uxkGcEhyQtCALWD8THX1SNoNHh0QIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/bitchtop
+++ b/Zhosts/bitchtop
@ -0,0 +1,11 @@
+Subnet = 10.243.12.178
+Subnet = 42:4119:cdae:6fb4:0b58:59c6:a993:17ea
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA3NJmRzOn5e8FwhlcdvjIwZSvCL2eJ/lJ6E3/m/BOy7qUneMwfotE
+DarxHFxd6ccMLK8yH0fUuTC9zKVud6bw5Xfaw8BnFm8QXTr3eSwol3Lq1I8+k06I
+PZ5a3tkdK7bQxOi+v70jGyR9E/Q1D7fP6L/q9L3W2RmNivlvS5qi5LgfxiEkFvgM
+EO1FPfXwTKhBCB5LqFY4e+viyGxjZ+nK55QgacU7MMNEJN0ntvSp4pLepL29q7ZN
+wSRAjZC3PJX5QZtOOtCYAJ0QqsUv8vZPhaObwPfLvGHku2vl9E8TH+HY0DWjvrte
+E9ZjPn19RWRFExiK2KpbfTJezFULhaAQaQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/box
+++ b/Zhosts/box
@ -0,0 +1,10 @@
+Subnet = 10.243.43.43
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvUMfRZOPb/zKvALZTyxKQuzowqqJ/HW2lm/RIOKL2uoTUgVX1DJB
+fCLf66e2fHnjnStXuaMDNs1kq2gi4EyK5Q50RxVBq7XayXYqfnFwzTE+Iqape542
+vYSWKLdrxljln8a2EYU7njtcWkTpW+cJIwSHEUkDLAowF87ElQ0gBmyX4p107pow
+jg7zcYierVdQXkI7mO4g2zWsywfhwscbu5hdCp1Fw3wHFDatgyhPj1pJruKe+O3c
+AebF5yQOAsCxAk8ZcwGLmmF5xK7lAeux2Qzu1B4Pkfxi97g1GVLnX+so7PR+vvkQ
+OMzQGIWXtaOqov5q2O1N5RJzng/kCjC/QIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/bridge
+++ b/Zhosts/bridge
@ -0,0 +1,12 @@
+Subnet = 10.243.26.29
+Subnet = 42:927a:3d59:1cb3:29d6:1a08:78d3:812e
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEApeeMSYMuXg4o/fNHnG2ftp2WskZLrt63zhRag7U1HqYUnuPqY60d
+VVy9MBTawm6N02nC2Svm3V07ZXaRp/XsXQLx+evZcDjPjnDYgl2ZGX0ir5Cn50bm
+UzhJiMW6/J7AYvucgeAaVJ0YmIwRw6ndYGcxmXWi4TK0jSzhuSLgookWM6iJfbdB
+oaYsjiXisEvNxt7rBlCfacaHMlPhz3gr1gc4IDCwF+RAMM29NUN3OinI+/f56d7b
+/hLZWbimiwtvGVsGLiA2EIcfxQ7aD/LINu+XXMaq7f8QByXj/Lzi7456tDi3pdJg
+lyg9yqRJYt4Zle5PVejn08qiofTUmlEhnwIDAQAB
+-----END RSA PUBLIC KEY-----
+
--- a/Zhosts/c2ft
+++ b/Zhosts/c2ft
@ -0,0 +1,10 @@
+Subnet = 42:e674:8a82:7fe4:fa51:d305:192e:846b/128
+Subnet = 42.221.17.214/32
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAqS+nvuQnAlhsGHgjKRz0nq2nj9HWwzrA96xnng6UCmkTpFyprM7b
+20vQ5wqcHFAbuZh1dOOb9G2qqsZYE6V1452YLZZLMsnxiJD8kSorHrF6kJid5JjH
+xyyqSvkXaHClQItVjo7rIn5P/Tl+BMt64KaPxpu/4GBVHkCE1apLtaVRnEq5t2DG
+htZuUqzhuLN4TQiSVC++7qY1UQotjLbAQpYxf67np5sKWMOqg5UA+ghuLeO9jpqL
+qKoh2TMzotGwlYBMXVA0jJtQu5Sq/IWKWAyk9zca2LT0W0ZZWYiTl+Ai5urbJgCV
+GvWeJCoBKteIKUHRVNK1RLDFl6/ITOu9XQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/c2fthome
+++ b/Zhosts/c2fthome
@ -0,0 +1,10 @@
+Address = samularity.mine.nu
+Subnet = 42.44.64.126/32
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA4ADumWibheOOocw3diK27ww4xfyptLZzlPcih5BJFUPOljXN33th
+1rbFwBr0QyRSad5U+/w1qlTCCqadjNdu+0RPGxbCrEqE3bUlrbES3Fw1ZtyIeuRH
+v6yTQuOzJXyceGGYJpK4JjFgFOggSH35dURDa1+x3pJECyWUAVDknWE5CS7HNufW
+bcREh18LoTUi7SGPeWauDLvVb/eeuDNJkoFj+HWpNqupFXpXUD7vQ+FBTtKO9FZu
+vd/QGYv7gkRGQfma3+2XW9fWgIfE1oS0qf4UfbycaEKMFS5Tn7li3tzCcH9Da4iB
+SsyWm1Hg1UYXccBdDYWYo+vdG59hIjmh8wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/casino
+++ b/Zhosts/casino
@ -0,0 +1,11 @@
+Subnet = 10.243.0.233
+Subnet = 42:3c1f:ea16:e181:7ab2:c51a:8892:7fb7/128
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAzmZ7x4HVpW8RC3ZkwmNKY/6VGlMKQbpBQtmrUzV1XFxKWZRhH3VI
+NOqlfVpTEaRTorht7R8F1aw9psDDUcg7yuQFcUdoXxBJxwbc1h0FKyZZr5kAIfpS
+ObE0rbBRRqJVAWgztpQAalWC95D73y/+tpHnQ+LRFq9IWeX5+QobaSym1oG4Y0Jz
+STSbw2ksjH8CuWHS5TjZr50Nyx6cH99HABDnadxhLBtQriJPSYRYdWyp7tYrW3jd
+As28mxkyFj0sFV3IJ/bYfZD9KSGg1KjQu+c73xKOBUhNtSHFjUzN5myYGd/nWCw8
+0PUReLrWC1ZHYPzqiwelTHcNJ3UcojpO9wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/cat1
+++ b/Zhosts/cat1
@ -0,0 +1,11 @@
+Subnet = 10.243.244.32
+Subnet = 42:86cf:a3fb:16b4:edbb:df13:a7a9:cd61
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAyjmB9IyBYexahK+fxSzVNrVxMXroXMc4Fyx16+XOt9hugn24Suht
+06kQwwbpkwjWfIEONzr0UPAbsOWG/Qj3w+dqiC5iqHZWFW/NdBgwunF5+INnEamj
+eIIqei1230C/NNpTph9u3UsT+ZgZnc+r4usEmTpZslvtkVwg20jwT4w3Vq1ws1Jc
+8Ccy8vk4FjgBP88zuvqzjBtTGQMrDgBd68XlGVKOhrvxCebHknbcHWpUz4cN8TX7
+bRNpSUTCSGd2taY6g4cUxiegbTeK2LDVvW/6XtISvJqVVllLD/p661W6gRUlkspv
+phLJc+zNLRxOC624JRivt+Ag5iBI4YP4SQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/cband
+++ b/Zhosts/cband
@ -0,0 +1,11 @@
+Subnet = 10.243.7.76
+Subnet = 42:c293:090f:df44:0926:c7af:5012:7cd8
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA11kwqXkkDRmxmoZNFDqtUsxK6d/HzTdFC/v1V3fttePuYFiEOhZl
+rLBS3+Eei4CsQrOwnaRBhHdnoOZGEdxJmq3YXDWGoVAn4bEgommCddzssVzWtVMf
+hIntuCExczEMIY+MGzM3QupYxUgRRVjFtvxoC9kKOSlaq0BhkdJiWygzN/NUfqpv
+HgDufoAcORLQInTpmQYEkZO+XmXejcCY/C+VD0MENqj3SijGw9tm2YmInwSwZnwX
+Zjh2xn96QbV9O7bpfGHcLxWhsUyyRC46knbbBXuAdbDsa2TUdzT5D7nb/TLfP412
+agIhk+cwFM24y/ChHdfoUBakKF4wZI3l4wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/cd
+++ b/Zhosts/cd
@ -0,0 +1,17 @@
+Address = 162.219.7.216
+Subnet = 10.243.113.222
+Subnet = 42:4522:25f8:36bb:8ccb:0150:231a:2af3
+
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAvmCBVNKT/Su4v9nl/Nm3STPo5QxWPg7xEkzIs3Oh39BS8+r6/7UQ
+rebib7mczb+ebZd+Rg2yFoGrWO8cmM0VcLy5bYRMK7in8XroLEjWecNNM4TRfNR4
+e53+LhcPdkxo0A3/D+yiut+A2Mkqe+4VXDm/JhAiAYkZTn7jUtj00Atrc7CWW1gN
+sP3jIgv4+CGftdSYOB4dm699B7OD9XDLci2kOaFqFl4cjDYUok03G0AduUlRx10v
+CKbKOTIdm8C36A902/3ms+Hyzkruu+VagGIZuPSwqXHJPCu7Ju+jarKQstMmpQi0
+PubweWDL0o/Dfz2qT3DuL4xDecIvGE6kv3m41hHJYiK+2/azTSehyPFbsVbL7w0V
+LgKN3usnZNcpTsBWxRGT7nMFSnX2FLDu7d9OfCuaXYxHVFLZaNrpccOq8NF/7Hbk
+DDW81W7CvLyJDlp0WLnAawSOGTUTPoYv/2wAapJ89i8QGCueGvEc6o2EcnBVMFEW
+ejWTQzyD816f4RsplnrRqLVlIMbr9Q/n5TvlgjjhX7IMEfMy4+7qLGRQkNbFzgwK
+jxNG2fFSCjOEQitm0gAtx7QRIyvYr6c7/xiHz4AwxYzBmvQsL/OK57NO4+Krwgj5
+Vk8TQ2jGO7J4bB38zaxK+Lrtfl8i1AK1171JqFMhOc34JSJ7T4LWDMECAwEAAQ==
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/cloudkrebs
+++ b/Zhosts/cloudkrebs
@ -0,0 +1,12 @@
+Address = 167.88.34.190
+Subnet = 10.243.206.102
+Subnet = 42:941e:2816:35f4:5c5e:206b:3f0b:f762
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA
+OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF
+QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v
+3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC
+sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO
+TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/darth
+++ b/Zhosts/darth
@ -0,0 +1,12 @@
+Subnet = 10.243.0.84
+Subnet = 42:ff6b:5f0b:460d:2cee:4d05:73f7:5566/128
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAyx5x0jzfhex8EBSFLlOIkP1yJ5cSPLQ3hpPMvN0J7QdVbypU6a9C
+fzGpzBph1sRwXnaqCMe0og5VT3EdFtngbmm6t/CyMhBojkxMQI08m71JT5c07+1U
+OSSLXBXYHcN6cAEYEsvTiSuvP9RoAbUeQQbZryI4wpzzQ7ET1l7k/3eeXAwqRKR6
+xiqn/4597U09QYmllqfplJUBv2pIAIcFlm/KHvNTZGEZS83udfnECwDwgU63PMns
+38yiCpI79kagXyTOGCbkUatt0KNTzGNLAm0CyeFd1AdgUrj8fVg2jQLQlBrze+Gx
+jkphgkVEgMtVMTz8WKfz+Dro3jBfQstIjQIDAQAB
+-----END RSA PUBLIC KEY-----
+
--- a/Zhosts/dei
+++ b/Zhosts/dei
@ -0,0 +1,11 @@
+Subnet = 10.243.247.164
+Subnet = 42:d702:e261:bf4d:2f5f:00e8:bf56:4d50
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAva8pJ7H+ebQFEpqLZhr6hE6OlCRhSlPQwEoWtQLHT/zsgmUEhXcw
+9045IAAgALc1Wf6lVWKwNEBNyLNULUgmkXzgjCG1OuLAn7jWtaNQZT+b6ZM/b2Qn
+hrGdHCcpvW1kpIfho3zMts4dVx28Z85JJlI4ZqfFZWwiuCj+x8OELdqtm2IYryiu
+6dHRR+4WkgEvqL+1YF2RRxXIcSW2wFdZOggjXYobzC2wl9zWkTBPC6lKQjlKlSrV
+ZZBKRwuHloHPt7HJTjWZTX28CbC/P+3l5NyMhfmqtFPZuhC4p7EAWwcXXDz1Gkxl
+w5EbcTz01pePFj5oVfK5aUoi1JFZ9GSZFQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/destroy
+++ b/Zhosts/destroy
@ -0,0 +1,11 @@
+Subnet = 42:9277:1f1e:7599:ae4b:7cca:b4a3:fe47/128
+Subnet = 10.243.0.31/32
+Compression = 9
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAofIF/j4ddJEG0sOJJNp6hVXqLpj9FPw6a1vLLqZsn/NuZi3QCZ/w
+xj1nIsQbc1TnPLluHhpn5kuvzb0lThqmPJvX2uXnbq7WH6OvRyN/FV/Gn40txdni
+MFWD53zGlAle1/Jdt+to/+0mvRP8U+dKuggemGljX2nrUxaJgVRVzynvkys5l6vZ
+2oMeO/LnFcAt9ZkMFoqDfKB/RPOqTD9k6Sz8xubVtasQ4ufpQl8Uv6zcYl1PnV7C
+9Pj5MMtQVtRRV8hljImqpERunU6ZsXhyqI9O/cVw9+QkWf7Qh5E0vUKTT9FISyTV
+nmQ9v8JGV2zPDVMmwP1ewyA1W9YhGiFd7QIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/devstar
+++ b/Zhosts/devstar
@ -0,0 +1,11 @@
+Subnet = 10.243.0.133
+Subnet = 42:2be0:92f5:3546:5f0f:8f22:6244:25f4/128
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwkkmkhGMnI0x5VIgdLwV2SvXO9Bw3Sy1U5AToZiG2dSB+OiwwLir
+JIrTHv4r73lMLROJjQhznq06VMmNviC82178H7/DZqgSqlGU7d9p1Okd5XCs6LI3
+eaL5mYTXFuA+PMHVvYqQ5fDQRQ4KoWmlSV65XUPejPlxtl3FXqOSHVuuBSbka+St
+qLyWLAh9d8AfWjxbAIv41fl6WOyw2IuDc05K36aT/TwzA3ykl+ekNObAjvpI0cxI
+d3j8H8JY5jDcg1hvWT06JqpUcTJRkWLL7BBdQvWySaBcET1Flfo8eYVqVQDK4kU
+XV/tA1ax7YPFBQ7Lh3Ru9nEC45Gv6R4HbwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/eigenserv
+++ b/Zhosts/eigenserv
@ -0,0 +1,11 @@
+Subnet = 42:c9d8:ab9e:c7fe:43ff:0268:f862:42f7/128
+Subnet = 10.243.0.32/32
+Compression = 9
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAyy060LWeo6Z+Kp2h5LtyMx+KGdxL9/WjWfc1yf/YZ8lhZutNb+Kd
+u9AHbnrqTRWRslP+toNiC55aJ/KlTBFQA5nBu2DC1KdG71AX5th7bRvUMfEAEG1+
+7MpcyuC8Owvleg/b4Ihr+/kQNbIPPhAraPJU780Oy173jnt+PCIYY+aTnEuO3UBh
+yt3oPhfwMa2ssPL8GfF3YL9Pvh4UEbUu1E7zSOqzCOzH3od5I/G/TjvfHl3u4tEr
+6kWHVqOYaKMJlqYvb7tnw7QjJNFhVneBJN6eMaWfcmTp2G9S+SwOppW3P4yRxrar
+GLWPgEU6to1wduAktecWU/oWambgXb/hUQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/elvis
+++ b/Zhosts/elvis
@ -0,0 +1,12 @@
+Address = 94.79.154.86
+Subnet = 10.243.228.181
+Subnet = 42:42a3:7ad4:f156:906f:f6f3:943b:7b1d
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAv7wpfzpazvXzKJsDkJ8J9zsTZRoI6LnpSIcO8hLQcHNk6LTWjBy1
+xdnsSe3eQYxNmZPKi28PdbMo4YQlFdewLSB69PP6ZX5ISNXVlCZ5Cend/kfU1fXV
+tcZ4JQCl/adHqg8niLAODfnXhwVjMpllgq6gCg5mVPILy+CZ08OM6Ij7Q5d+3Jr4
+1zMvAXyeuNQcL+MkBveblKC6j/e9fqaK86sUh/4unfgmkB7GWjqFwmoHZepR83o9
+HTBmKxEIDKYjLWVXV1Wph3/JN/65igTtju26cVarUmTtGIhU44NzCi+94+wKuJMU
+Bbjk/CnuWQoU2ABPsxtW3r6m4pSDhypNZQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/exile
+++ b/Zhosts/exile
@ -0,0 +1,9 @@
+Subnet = 42.116.243.248/32
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA0H+DslKV6EDCZWBCJs+MFyvTR9Ej0yWthIHKzFrA4qI8rxskrGGP
+xhb16keQLPCAgBVVVmikh3pQVMq1K6ry5Of0uM7rU7crBzRfJ8zpGZXfYlBDFDAd
+Vg8wwDvEYsYCAKrZbYIKb88WR0mT7K47ipTbXd9utzmoWGa/SuGtPkYOigcWYMRN
+4QClPDLdICQvdohVvfd7/LXRNuwrWOJcmtLitTEZY9lo2hhv+ZKs7PBrmpTBhTMY
+N2Et69tVPQh1t7cljf3Esij5AUczv979C9Lvukj8Kb51Et0T9qcGAs/M3b64X7FO
+KjWVVQttj3AkjgLZ5OdYlm7uRRmYmKQ95wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/exitium_mobilis
+++ b/Zhosts/exitium_mobilis
@ -0,0 +1,10 @@
+Subnet = 42:0:0:0:0:0:0:AFFF/128
+Subnet = 42.127.75.187/32
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1zv7tkHIUxJX2FIFcfakvZZYuI3VH56nkQYlpTUzO9WscMF1BgoH
+WKOvHy9QzxAJgqmceroZKbV2PIws/PZgwk7vNGPmmZtzkTuNS+RXd2y1WwKTHpxT
+IZ5TKo9AGuU4dcMLAR2xheCJzTRNoxj4UrUgN1WkAqdKhN0Dysglfb+FuUiMdbop
+rbzsKhJZKnJOnS00Z9K7ZrTWkYQR6nhMuZ0EMggc+pa5NesHfIoeitXQxB7tz9M4
+6O7xE8ZkECdKXmRBGhSU2ghnCqiomDj9l6L6S6Ms8Q0ElPM78RTh1a32Euj9Ffob
+v4gQuzI0fUKe+pbm3VC6B+9awkdd8n1AzwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/falk
+++ b/Zhosts/falk
@ -0,0 +1,11 @@
+Subnet = 10.243.120.19
+Subnet = 42:845f:0432:a816:c623:fa89:8485:8700
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA961eCQE562VPYjuZtd0+FNRfUghvD2ccjUlihMjzg46GAK+duqK+
+4peWklGOL4eRYQBg6G2VDzWiU2MxXVbXUZaMrxh7fTc3G3LdbqTxzAv3GQKR/6iA
+9bGUf6u4ztVNAcj2mrY3mfs4gMlBQyQ2wcM0ZUpiAMaRB4cdq7I4GVHbYTFYfQuI
+2zdnr0w8AjlMpFFcD0ExsWeppiJsE7iiME/S2VVfh2NrEpAKQbLH9fKrfkiJA/+9
+0VIH9wLLIYngUtQKbvEQ5xgx6ybrg0vO8ZqZ1ZGXYxOQZzWzPP0tvDU0QHSKYSWb
+FjcOf1lWSWjsjHxMl/Gh57hjNJFCbs8yjQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/fastpoke
+++ b/Zhosts/fastpoke
@ -0,0 +1,12 @@
+Address = 193.22.164.36
+Subnet = 10.243.253.152
+Subnet = 42:422a:194f:ff3b:e196:2f82:5cf5:bc00
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAs4p5xsQYx06v+OkUbc09K6voFAbkvO66QdFoM71E10XyCeLP6iuq
+DaIOFN4GrPR36pgyjqtJ+62G9uR+WsB/y14eio1p1ivDWgcpt5soOZAH5zVRRD9O
+FBDlgVNwIJ6stMHy6OenEKWsfEiZRN3XstnqAqyykzjddglth1tJntn6kbZehzNQ
+ezfIyN4XgaX2fhSu+UnAyLcV8wWnF9cMABjz7eKcSmRJgtG4ZiuDkbgiiEew7+pB
+EPqOVQ80lJvzQKgO4PmVoAjD9A+AHnmLJNPDQQi8nIVilGCT60IX+XT1rt85Zpdy
+rEaeriw/qsVJnberAhDAdQYYuM1ai2H5swIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/filebitch
+++ b/Zhosts/filebitch
@ -0,0 +1,11 @@
+Subnet = 10.243.189.130
+Subnet = 42:c64e:011f:9755:31e1:c3e6:73c0:af2d
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA2VjW30A3uQoo5QwbFTnl5fuGg81DZVu8HXmDwgEkhZYr5Xf3V5/d
+fmPlX1igzatWYX0OylFAY69r0V4dqeTubIf83sz1eqtpXjK4czG8A3wMHEXj5Pzs
+e1Qh8K4rHMEATc7Y/cwpQBi2THn2bhufqgaz94m8HrStCZcKCin3fDMbE01WHWX1
+KFqeBtUd7b9pWbXKlLBNpHTZoGxVQk0Hto9pxYzHecRsbQXykYk3Rw2tSuf0aH99
+oY0i3LjOb+f2oq2S4qVHqHZsMJfDVr+x2/LP1SIcc1lVTztWSSAzZEokE0/ejvXf
+wkquBVHXdl6LuzH+/V1I7OsaMhHShYu1LwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/filepimp
+++ b/Zhosts/filepimp
@ -0,0 +1,11 @@
+Subnet = 10.243.153.102
+Subnet = 42:4b0b:d990:55ba:8da8:630f:dc0e:aae0
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA43w+A1TMOfugZ/CVwilJn4c36wWSjihaeVe7suZD0DSscKBcbkGg
+3dTCSTnu6Qb9sYd2mKebKXLreO6nhEEoFGsRU0yw/1h8gl7mWYEdTifPfvM5EWwS
+wkN9dJ5njwIUSRyWH7QTsLkiRJVFN2UxEwrhAbo1FJ7yuhRgAKqKJSN4yPVViZwR
+oHyyobvm/i2J+XSiDI9MRo74vNjnDLvO7R6ErIrhOPP1bD9fx3u+UYUfgS0iCO3X
+UN0duBz/faRcl6IRytZOuHaIp30eJ4850ZK8RPz/Dqqj+USMFq60i0oMsuAi/ljB
+8b+eQBt6OXu4MSntxoR8Ja7ht+EOTDnBOwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/flap
+++ b/Zhosts/flap
@ -0,0 +1,11 @@
+Subnet = 10.243.211.172
+Subnet = 42:472a:3d01:bbe4:4425:567e:592b:065d
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwtLD+sgTQGO+eh2Ipq2r54J1I0byvfkaTBeBwhtUmWst+lUQUoGy
+2fGReRYsb4ThDLeyK439jZuQBeXSc5r2g0IHBJCSWj3pVxc1HRTa8LASY7QuprQM
+8rSQa2XUtx/KpfM2eVX0yIvLuPTxBoOf/AwklIf+NmL7WCfN7sfZssoakD5a1LGn
+3EtZ2M/4GyoXJy34+B8v7LugeClnW3WDqUBZnNfUnsNWvoldMucxsl4fAhvEehrL
+hGgQMjHFOdKaLyatZOx6Pq4jAna+kiJoq3mVDsB4rcjLuz8XkAUZmVpe5fXAG4hr
+Ig8l/SI6ilu0zCWNSJ/v3wUzksm0P9AJkwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/foobar
+++ b/Zhosts/foobar
@ -0,0 +1,11 @@
+Subnet = 10.243.135.219
+Subnet = 42:edd1:d518:f7d8:ada3:1ce3:f4f5:a986
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAsCu6xC0OctUKu0UsscOWfyQlMtMrD0Pt/wB+IDOnkEgDKqcTYGXW
+h6VqMqE2cQhV3ThoxqeIPnQzwiMuVd0n2q3ZDexfYvHmqTZoaMrQZJlgY4rDx8jC
+USFqnvtkJbOxFBiS3c5yjOIybGSGDXrAaxmn80xewNIsdSqaY1/2FxKwx1Fn+Kf2
+hIQOEYkdLhwPso+HyNGUwVKjsRVCSWdJSzBHB38cPZRoPpcmRHOTs/Jtx0b4RXQr
+tVYW8i+Jq6hCt9sDLJexP9unPGl30Gn052noj1t4DRCPFpOYSLJFcGU4n/OzYbzY
+O8VB5DjgGK0eyEXvtByxvWYPnuRwSLaH3wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/fuerkrebs
+++ b/Zhosts/fuerkrebs
@ -0,0 +1,10 @@
+Subnet = 42:0f19:8a1e:7865:721b:2378:bef7:1159/128
+Subnet = 10.243.0.144/32
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1HoKqh7HvXCKybe2FNBI/wuOvkZuftL0/DDZfZtPlCRtdcOA4XFj
+hQng5+VE3NG0yKcRs59U8iHSeN9b7Is1YF4q0RtM9YQTDhvS/vfpHDq42ftjMs/e
+MIFvYBGr2WIOzOYPiACURRcaMmoAViqK2Bwda45jORPUGo1afibH9UcDs76lFuaI
+f3mUZvLlqdJEtG040WoT1douGWtUWkCB6/pVUgLAurncOz/XiSI3GFzkMUY+0pT6
+0G34AcYqvdQyxH3x0ebclFlfY2aPStf6bGMejcpRJm4M02xF809DVYlUL3mG6krF
+MdWP85dCQ4V/RL0HdZ9PEjlVhgNOF1aQowIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/go
+++ b/Zhosts/go
@ -0,0 +1,13 @@
+Subnet = 10.243.109.132
+Subnet = 42:f9f0:be1f:b191:116a:3db0:d546:70d2
+# dn42 routing
+Subnet = 172.22.0.0/15
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEApKt/lYqRgl4KE1ouSi5nbt7n7FEjECkGtkRhLFDJs0uWNvPj7wEh
+nTtqzk7lJ8upHgmNN+1w98n2bcJ7Qcbz8vCcMEO7MXdlzGH9vet/g6ZgQ/Z1ijHl
+IxYeH7yyBDLoJ2gghMhiSF0cezFDmNKPMhN+cGr9Lou54igK3I5CMIMN8cx0Fu0G
+uLAxvnZfxIzzCnrF9xvZ6i3g/rEcaGjxmAysCW8SQdRmBKlkzQaUbLy39V2Z5y6m
+SWR7gIGgMVCkpSeWUVSi05wgnMhoEu6LEYTBy/3bPK96O/Y7JBVpYUHqk/ya2PNR
+eaHfEpCrKsek4t/5hcLk64Eo/ydzeU+gAQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/gum
+++ b/Zhosts/gum
@ -0,0 +1,13 @@
+Address= 195.154.108.70
+Subnet = 10.243.0.211
+Subnet = 42:f9f0:0000:0000:0000:0000:0000:70d2
+Aliases = paste
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
+BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
+i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
+09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
+u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
+OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/heidi
+++ b/Zhosts/heidi
@ -0,0 +1,11 @@
+Subnet = 10.243.124.21
+Subnet = 42:9898:a8be:ce56:0ee3:b99c:42c5:109e
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAqRLnAJNZ1OoO1bTS58DQgxi1VKgITHIuTW0fVGDvbXnsjPUB3cgx
+1GEVtLc0LN6R9wrPKDaqHS6mkiRSDVScaW/FqkdFhTDaBJy8LfomL9ZmkU9DzkvQ
+jncDjr0WoR+49rJHYsUULp1fe98Ev+y3VwVdJOOH92pAj1CAAUdtfG7XcGyHznYY
+ZNLriGZe3l1AwsWMEflzHLeXcKQ/ZPOrjZ4EFVvfGfdQdJ24UUF3r4sBypYnasmA
+q8lCw9rCrFh1OS6mHLC9qsvGfal6X4x2/xKc5VxZD4MQ/Bp7pBi1kwfHpKoREFKo
+w/Jr3oG/uDxMGIzphGX185ObIkZ1wl/9DwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/horisa
+++ b/Zhosts/horisa
@ -0,0 +1,12 @@
+Subnet = 10.243.226.213
+Subnet = 42:432e:2379:0cd2:8486:f3b5:335a:5d83
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1hhBqCku98gimv0yXr6DFwE2HUemigyqX8o7IsPOW5XT/K8o+V40
+Oxk3r0+c7IYREvug/raxoullf5TMJFzTzqzX4njgsiTs25V8D7hVT4jcRKTcXmBn
+XpjtD+tIeDW1E6dIMMDbxKCyfd/qaeg83G7gPobeFYr4JNqQLXrnotlWMO9S13UT
+EgSP2pixv/dGIqX8WRg23YumO8jZKbso/sKKFMIEOJvnh/5EcWb24+q2sDRCitP
+sWJ5j/9M1Naec/Zl27Ac2HyMWRk39F9Oo+iSbc47QvjKTEmn37P4bBg3hY9FSSFo
+M90wG/NRbw1Voz6BgGlwOAoA+Ln0rVKqDQIDAQAB
+-----END RSA PUBLIC KEY-----
+
--- a/Zhosts/horreum_magnus
+++ b/Zhosts/horreum_magnus
@ -0,0 +1,15 @@
+Subnet = 42:0:0:0:0:0:0:affe/128
+Subnet = 42.35.89.21/32
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA4PcEqnw1ZrBgPl0yNO7eQ9aJpV4HKlENVhc/cobLh3dQgbmpw2Qr
+MQODR5qPxY+WmyZiQeU5sh8WutfpVn6xBCmR7QDqA+xpPhe/Y6uqWGDjxNftnetz
+gphYv/nPGj0Dv5mo2HGPFK1VG+kp9k+vlZb3r+03OVFrIVHsUg6qE4e8o7pN4OmF
+O10i85csMyKvSfA/rNHC7RdYP0tVLZTw4ZMTQh5t6zr/foHMr5KPXGVM/hjUWXW+
+ujSxUam6JxS1wk1zFp72Vd3X+JQH1eaDHidm3BBVAvCynyhUyaQh7nSjIDWZdGqQ
+GmBcj0M05o1tVGV/7sgQUTNHiLaX6vE35hQoq0Jr2bhfIzjhESLl7HuBMpvDntLE
+Tv+c/R3qryTNBBHFZOvYU0qx7I0cq5NLx4BqUXd6EykQvLZ53TyjFlINGQuEZXsj
+LOtyAj4n2EEg6WmSUhrB+tyowqumdT8ltemuhZ2zDmimep9EvMiZOVns8VkTqmBw
+lRzatTHS5tv6NieDzWTBuMqZiWjgpK8GILUn5e/ecIT2xTSVvo0jzIBwKtFpwf+X
+CkBB0tNlYYmDmHJxiKWBsgw27BFmQI59h3wGHXHSDRgShLBjNH62Lm6omDwivDJQ
+CJaTYPIsL8sdoCglCIV9NwUkj8tM+cvxZiZjvB3zizNxL57ZqpAcNGsCAwEAAQ==
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/incept
+++ b/Zhosts/incept
@ -0,0 +1,13 @@
+Address = 77.95.224.63
+#Address = incept.krebsco.de
+Address = 2a00:7b80:3008:3::fafc:241
+Subnet = 10.243.0.174
+Subnet = 42:a2fc:1c89:65c7:6e60:1f62:eaf9:e9b6/128
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvy4J8CewsXeFkFOLqDwiTN+3fF0yjmP5ZVtrLrPJn7Ux75elTdn3
+iLcJYTgaO1/dmw8fPD5DkNnb3wiadZiFGXpsTd1jD69mHcn/6RY/0Fcne9qDiqgp
+vafpUD5UP7/7S+l5kkD6n7HVRblLXJIJk6Z8RCRN8OGyfjMM1IKeoR8kR1+85fpf
+C28fnU3Nz3YJDazOaMD7aGiyGZDRyY+wRjbWtMXE/NH8ydN148ZpFaMvBjM7fl/B
+q8XS5Rs9lFlW2jpex+W2DNq5t4QRMUDrLgD0gug0UiYCYw4IJg7OiI3g6vwjSDtq
+hRxpQ4nq3avmTR/NWzZ97PP4eXTCIQhiQQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/ire
+++ b/Zhosts/ire
@ -0,0 +1,12 @@
+Address = 198.147.23.143
+Subnet = 10.243.231.66
+Subnet = 42:b912:0f42:a82d:0d27:8610:e89b:490c
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwofjmP/XBf5pwsJlWklkSzI+Bo0I0B9ONc7/j+zpbmMRkwbWk4X7
+rVLt1cWvTY15ujg2u8l0o6OgEbIkc6rslkD603fv1sEAd0KOv7iKLgRpE9qfSvAt
+6YpiSv+mxEMTpH0g36OmBfOJ10uT+iHDB/FfxmgGJx//jdJADzLjjWC6ID+iGkGU
+1Sf+yHXF7HRmQ29Yak8LYVCJpGC5bQfWIMSL5lujLq4NchY2d+NZDkuvh42Ayr0K
+LPflnPBQ3XnKHKtSsnFR2vaP6q+d3Opsq/kzBnAkjL26jEuFK1v7P/HhNhJoPzwu
+nKKWj/W/k448ce374k5ycjvKm0c6baAC/wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/ire2
+++ b/Zhosts/ire2
@ -0,0 +1,9 @@
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwXkn0H/+BUiARYSzZCpjqEwGeDZsbRHoWcRNlmlP6XjPMbKKQBHf
+gdERPevhoGaNtQdW6SEA5xb1cJDHZILHZtpJ63hs6999gB9x/n4x7eR6C9d7HPDD
+rGv+tBdwo8QWOIQIVnSAr6WdduSg2CyZbHd6d2Xd12vrfqJxnODSUHibrUusEc/D
+XBK2n1un3znzk7P+KT0xXMtNPU2678tGuwsvSIOoDfDx9+2xuxGANeqvEOeSAgg/
+SUH5CbcAFI2/4AKWP4e/yxM26YoKdz1Fu/hx7WqKwYmPERrgcr8ienx4WFGG83AJ
+CmiYwO23L4qSp1KZT8SbGDh2YpamZg2BZwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/irkel
+++ b/Zhosts/irkel
@ -0,0 +1,12 @@
+Subnet = 10.243.253.117
+Subnet = 42:1970:cb1b:d9e2:4603:c1fe:ee00:8145
+Address = 2a01:4f8:140:21cb::5
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1i2XcUold9p5aa4qGv2o3hMwlIt4+CBxuOwnzMOp4WjJyGWBrQiM
+Lw9qpwvc0W6c/MYTAUzkq42766jlYRzA/yse0/DeKJvF5BrCk36eH9R2okK1A7K5
+tk725pTf6D37mkjbiupo7FFfHNGjFdSH7174ZpK/N81YWgrGo1cQUU8JJKGgFv6S
+XZWiWbJWKnLW/a4zyg7wnkH3KlvOAthSNgyrVqZazi6gTJ12kZTg9DGg+Q7iTdi5
+oXc4hilymCdF2fDfmG7M3naaRQKntjlpJmc2Au7wTVXj3525c3Ms+1k//HlX8DQK
+a93ZJA25nfpoYznx73lz/IASO2n/jn/3mwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/juhulian
+++ b/Zhosts/juhulian
@ -0,0 +1,11 @@
+Subnet = 10.243.0.38
+Subnet = 42:449f:b00a:e973:514c:3e9f:97ed:aac2/128
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAnNyOsNItOzNQndheZ3ppOMWvIOuO1wgLXArINS1ORcgIAJmLpqDI
+whsZFCVifwAXsdeBJyyZOPZrc2PQ4F3KB9ByX6PQ9jqAhun1aE9SDDqp+woOrTlP
+BtJ/8zAmRhrfak61TxpeTndLk95xOLaCwvS2P4SJLIcyutTbbFdBCqpu7cFUGOOP
+qCKLX7/mv2L+GNmQAnWZ5HwXQzBS6gNaNIcQ8mPCUAIZgRU2T83x/tnyH1RlATK2
+lYUWRM0ie+dRMhiDcwmmZrwYl8wzyvuBPEr/p8ZBM2tua8GlQzJUJl44AiAcx3w9
+0EB5MIRL5Qb0yBvXD0yR+bDizqvhd40LvQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/k2
+++ b/Zhosts/k2
@ -0,0 +1,28 @@
+Subnet = 10.243.97.72
+Subnet = 42:717e:2a17:e7ff:eb6f:b760:5af4:7da9
+
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIECgKCBAEA53djolgdUlLom7SDi+x1jscvLduf+fzPNlVRk0c6UtR54iHpzVrg
+7OT+PZEAirhWrHyhQQIRoKRK6vRKMwm0PfrMjQXo+1zhBVD/JiPzVGSBfETqVI8E
+jeCS7EaKsZ8gRdWZ4QkDfaQhdWA2RrvVcwpVVxMkjYsHj3EtaHkWGcJs1JAuOsK5
+Zo8ZbxpzgcNz3tiFR4PSp+N3ARE7t2sj8U6z2lk/0TIff3To56u8rDasUGAKf3Rp
+okQmG0EGgTN+qJs/dwIdeKtxcZrRCVd68shphiYE9wC4WXELgJJ8jo4tIiZRu7n4
+lXRn9zQYY2lax4OlBZSkRiaPEISwv5Vv48/H+I1vRaEhx02QL/PnODWSlqMNGiic
+wMBh+DdvQIXRm1W0xxlsY2YOo7GdCywJyLDue6v7ykmQBFgYqP/gVrsoR1y68IdS
+3/dT0lYhrNL+PwKjI0iXPBvA018yw0Dvdgup681C9nzdyvd7y9NorxjeE9Gl9/yd
+X6W8ZE2WIAsli2wGsZLuedcn0mZ25flXbFn6OhrPhP++Kub5IBid/iT60KvxY6H1
+l/DEBJJmFJBsBvFPyFXoEkPJSD/Uc/2veMlb/ues4ur0eBMVML1ZaiK0EzdBYfCv
+kgnVwQG6c5+0XkMk3x5kQ93E0Mr5whILK2upI2tBygAN/SpTsoNXvOFIHw/Ksmcl
+Eqly4P7DtQ9Lu+1DkoLa4ltcejZj0Jjy1j3AI59v0p3Ygx2OWHFv4H5GVjq1T2Pk
+1IAU8X2UTNmcQw5UReJxkNdREOw/XI2pNSBKBDOCMKXH4+a7P3GwheadQiVU5z/Z
+ie/wbsAtp8MGd67aN/i2nrTQfk7RZzIec/UG1XhlQPmJAVIfS5QnFnw+cTAMtYeU
+wHHe4Q3m2+bikBFoqdhJo93Ut5ywGeueKXSyJX6I5AXiiiWnme+IHuNH0G5568yO
+bA9OwDLt4C2U6BFEQtHBA0I8Hh2RT9ObrLUVBUK1aAujLvGvfPhq8QYCcWDJsvxm
+/uAJGb8UdPScTEjftYTWIc1/jikIpK70qOeKiQfxT91hQEBw5mgMCRnAy4m9OjCI
+ntVpHGpylesZWM/na8gZe4lo2dXI7tc2urpqyOThkbpYXNdlNG4F/QcuP90QmiV1
+hyriyHPjbSwIRM3aX7Y/WKwzky0swW+J6mW78yqa5Gt4SzDQxd3KHDAP5lZuFgEM
+aHLOkmOoYlOxWi8eOIWByoH77GFyudeH0EMZV8pwCOTw3GUa1ehhOUlDD6i3CH1/
+gJOQjoKC/ndny8Qz/S+tCLjRHIpQAx36yLME3AvXoKXctuZsZy/9CAsLt9tLZJI5
+AqC/vsOcurKsk1i4GtwuCFnu3qr4OvhwywIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/kabinett
+++ b/Zhosts/kabinett
@ -0,0 +1,11 @@
+Subnet = 10.243.213.120
+Subnet = 42:e792:1d5c:c89f:f932:e954:6ada:1dbf
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA1sVtqyeCdKB1nabs0FOC62J+J+grP5B/3/s1cuAxcJmER+NaT/Kv
+rvQeB13BmrIjfJTBaezdR+wp0RiPB7s/aMPjWwS5rzh3KhSFk2SFpnLjB2WIpKqs
+N9TQEf2xB0TBWHqcpSqSthjP3SOGNP7gt5l0D13QIHkRQ2xX1PqYikkYi07cQLO4
+rwXrlEBOY8Dn0GR37NA0k+zt0AIdJ78zXHNjVn5hRj8aLGKB0q/FOtdMNRYEGD40
+An82Y2sW+b7U6Tnrw43TOO+AP/OrclEjmNDTRqYLiVAeFHXKjwbCsSlof0qmoipZ
+H+nbsB3qkFpNEy1cA9c/pqHfSpqV3WihRQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/kaepsele
+++ b/Zhosts/kaepsele
@ -0,0 +1,11 @@
+Subnet = 10.243.166.2
+Subnet = 42:0b9d:6660:d07c:2bb7:4e91:1a01:2e7d
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAxj7kaye4pGLou7mVRTVgtcWFjuEosJlxVg24gM7nU1EaoRnBD93/
+Y3Je7BSUbz5xMXr5SFTPSkitInL7vU+jDOf2bEpqv+uUJAJIz85494oPS9xocdWo
+rQsrQRAtOg4MLD+YIoAxQm2Mc4nt2CSE1+UP4uXGxpuh0c051b+9Kmwv1bTyHB9y
+y01VSkDvNyHk5eA+RGDiujBAzhi35hzTlQgCJ3REOBiq4YmE1d3qpk3oNiYUcrcu
+yFzQrSRIfhXjuzIR+wxqS95HDUsewSwt9HgkjJzYF5sQZSea0/XsroFqZyTJ8iB5
+FQx2emBqB525cWKOt0f5jgyjklhozhJyiwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/kalle
+++ b/Zhosts/kalle
@ -0,0 +1,11 @@
+Subnet = 10.243.154.218
+Subnet = 42:05bb:0d2f:4f25:2c6c:1217:6264:dee0
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAtILSBsb+ISWiyUjJHWN5JWNY7Z5hxxxFADQbK/1ZdlCdeIorQI2j
+gDHdWgck9NasXXa04I+5jw2eDLjU26+r+T1vP/fdOg5yLOgnknL4jkHFVCb/ScRM
+2JZAEXLSAz6g33ks2snQzuyAPTEvZhp49+PN9VmX0JBr/ErKGZzFKVVU+gREVRKa
+fOC4+daKrmRzZWg9DFaH5DIrIEiXidixuX/boHprJeULdp81NbnymXxhc929UWbV
+5g8BnuTlKqDDM7stJC4dwKizrv6wXuH6GD0OsDiU8JcoxV3jvM16NmgtAe9BKH1q
+tg1fIY6f67eIihr3Lnjb3UPw3UqwFXosGQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/karthus
+++ b/Zhosts/karthus
@ -0,0 +1,10 @@
+Subnet = 10.243.42.13                                           
+Subnet = 42:42:42:42:23:23:23:23                                
+-----BEGIN RSA PUBLIC KEY-----                                  
+MIIBCgKCAQEAtGL2Gu8Dw/NsgJNcu4XY9eWUM8prL0JC1UfnACXuOCPns+Bdm/dG
+uVTHdejjxv6y4FjWNCoD+45lP31QfBIqIOtUsfz/4ox9bvyTOUWQCe0NtBs2SMyO
+O1eWSD4cnNfskYdyOHQbD+KSSiksyzaZdcqqx9FgWo1VT0f+oElnZ4nLBKRNBguN
+GwVLjreE0GSxhcV2r6oHsaT+udvQ/PlQgn/zia2tKT+OI54WDJGXsKEvwRRnaRz5
+33Di58g3dffo0i7B3S889sa5B7l1kh229cw24Gc0AOtmm8Vacle6iTw3Eg0uLzxM
+nKpOma0+K7CoE4IqSZy350iTgheHwq+y0QIDAQAB                        
+-----END RSA PUBLIC KEY-----                                    
--- a/Zhosts/khackplug
+++ b/Zhosts/khackplug
@ -0,0 +1,11 @@
+Subnet = 10.243.217.107
+Subnet = 42:ebe3:90b0:539a:6ef0:0910:b724:00b1
+                                                                                                                               │
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvytShP1vgYLDYJhiC26Vc1/cVJOptUnuyTc8Id9vkCkgHZRpKs3T
+jO2KRaQMDWMXfXkMfVp84/2Q85hpUzYqXQHaNzitg9nHGR2n+a6zfwNKWAm6n2WK
+AMsPf1weamzs6EfCm5WztqenoHKNUxpzXVyLJES/WK6e5ba7FEpszZx+ydoc5GjL
+kezqch5p+U/J2JoUx3aIpQuWvc0i/4KYOuGzlWgUYLNyqL1m3gBkahiPuOtzf9Ul
+EP8QY/GQa1HTFuhLS0Y5nVjZvWnjVVEloXbq9SD2I2fc4GD4+F8wtFMsJyEF2qxY
+XfSLTlpHaJbSBNiopQyWG62RZda/p0yq3QIDAQAB
+-----END RSA PUBLIC KEY-----                                                                                                   
--- a/Zhosts/kheurop
+++ b/Zhosts/kheurop
@ -0,0 +1,12 @@
+Address = 91.250.101.180
+Subnet = 10.243.78.78
+Subnet = 42:bcd9:7340:9628:9604:7068:5061:4976
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAqIFB0Nk2eSg/K/dJGOEegtezhn5P1RUi1ZgxoZoTR6K4T/tSbD2u
+gjPU53mhRN622lLayMMXtWVKdhO4IUu3mKfemA/8/fy7Qu9T51UUS+NXu/4g5X3W
+Jg2a37TrnQUrsqNud7QQhPTGF8L0+UT2mHlfRYggtAO1J2pSWtsqDiMAOD+89zvg
+Gta8aMdaFPhdkfboaHH6mVJBFOkrjQJE4RiUzwZS24PKh6gRJV4cENdcNRYdVwhv
+dOM+SWzPZXDTAVyG6HptvSdfDUKi4hJY4yS+TIf9j7yR0YpUie3CsbN4a9jP2KVt
+/NhzZ9nNaEv6O8Nk+7Zu8OaxUPgctEFYfQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/kiosk
+++ b/Zhosts/kiosk
@ -0,0 +1,12 @@
+Address = 2003:6a:674e:1001:211:25ff:fe05:a54d/64
+Subnet = 10.243.232.122
+Subnet = 42:1ad1:b481:00f5:aab8:f8cc:51fe:4b87
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAwohazY/T/cp5Na3zLEWhz9Lnz78PladH7CMN+1TLzNXgK96bPvrN
+6ktxIFc0s4m/jWW1AZOjxxGZGmwvaGag9XH8NLMmaqtd2NpASI4c801wEVLuNpss
+gqPAIhDdDWV0WmiDiHe96qQuBVNGv7jlHTuNghwlmgLF0csRDiZZDHn5Bq7plAJB
+0kQSspvq7UpBzVHVlDefIIe15/Yyt9IC21S1o746ZIZ8RYCG63Mnbcs4vfShVxJX
+NnD9++HJV39NA9ozR0bDQUw6s0rVHH/n5iWaktJZ23r2TG3O+7ZZj4QHmkng/Xow
+pgIjcpIWlaqfG29Gl43SWgsVnphemvyP3QIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/krebsplug
+++ b/Zhosts/krebsplug
@ -0,0 +1,10 @@
+Subnet = 10.243.0.182
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAyd4FnOIEcUDQDudDOhU4wwKT+lqV4RJMfg9QgZC2O3xTGvzsFeRG
+aSMIDMkPzhJ/ggIWAzC+IM2kBv+YCRhu4zOnzWIo5IaC8Me2TZ1JhZ0nZN1YzEGD
+LmBsnngO5L1VnWLYSKRALa5Kv6wQHHz0T6PlsvBQ8SWDG3IKIe/gOFz7eh1Z+ss/
+5XaiYeLMmukEuuilOJZhfDiZPmYOeFI5w7YTM+8Iz/oZRyf8P57pjN21R3feoyTm
+WusgHUuRLRqSUHdYu/E36EyZ9Oc0WPk5yLUhstkPaS1Y35xMEhZfQQpIruQxOst1
+fgiOQg/gKmizzgzdCbfAf13dknkWsqoc0wIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/kvasir
+++ b/Zhosts/kvasir
@ -0,0 +1,11 @@
+Subnet = 10.243.103.166
+Subnet = 42:c039:e082:3c01:2577:a367:7097:6824
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEA4Jp39vupT7tRf+o6H/ucM01lUwgd0UBCqnapUHZhWKVSAde91lxU
+Z49unHxUrfQMzuJkY3MgsS/fyIC9eBHexwRpLnhc56p7d+tmLk1WZ2ysLifNi/k+
+AOvyBcwT3u/59VJGDcAyJwXeoX6CvX9nxUshGqQ2mkVUwbZEt5lLwtiDMnp2K5rg
+dqQK6tBrmzup/yzppPPRSPwMfGi9Gv8T5OrWqwr78I7WiVkH9LBpudJqJHPFVreF
+TTsN9a/4OWJGZ01M23IGcO6eCnynOIP7gxsmUEwSSxK7MEy2kxBKi/2+OtsCUOpT
+QQRFu/MTVEFXl/cl5XyXOMQadMZEB6MjwwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/laqueus
+++ b/Zhosts/laqueus
@ -0,0 +1,11 @@
+Subnet = 42:0:0:0:0:0:0:1a1a/128
+Subnet = 10.243.0.12/32
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAy9lnH4qDSYeNbpzpcQyq2LzzxkVy2N1vGgKkVttzx0cgMvyRm3aX
+wlacS+3ILBZ3tw+JuCKR9gjRluwKkqoReEINcAam/GbubJ6QBpV54goYm7YGOIuf
+GkbWVk7Kts67KWWhZDzEL30GRv94K6e+m8e7rhnqrTgPyPk3oSwHzvPy1oaf6bTI
+Y/aDQjohFVvQZxF8joKhAE8JrzjKAn8yXmX8VlGW53XBXAb88Ggkr5raMZ24Rcc4
+pdkOc7sFfVImH/ASwkcPi2xX0adlz937lD7rkn5/Q9B9AwsHb1yQKJgWEeYWOQ8C
+F0SzpZiwHz5qB+eg3wMT0ZnvPJKitshyjQIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/linuxatom
+++ b/Zhosts/linuxatom
@ -0,0 +1,11 @@
+Subnet = 10.243.173.58
+Subnet = 42:1c07:1a24:1a26:c799:3b44:a8f5:59ea
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAvGy172meTuwHfGZLVHi04+7jb+GRumqNRowffrmMOxFAq6wiL1E6
+7NfJFSc2/wmLZdTCnAtScVicVFZ8UEK2Uv/WMdevJWP63LxUOXpSFtoxNAlpSk9e
+rzwxWj3VxHru7EZA6gu45ff4/seApy/jDy+hceOmOiG5z8VudoRYWe98IoO1ua0E
+rtz415WP0xN+Mb4mGU48JSLYZkOHVIvkf+VVF5jXFbbnH+w0kkTuRMMp6Z7ETvdZ
+RU9nKJ55sflkPhs1/ttU4cYkci55YPVGl7GCCr6Xw4oerIz/jHnzBGroh/wDpEXm
+6RxpsC6DnVQUW3zw0DXuSKoAy0UoQPYqQwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Zhosts/luminos
+++ b/Zhosts/luminos
@ -0,0 +1,11 @@
+Subnet = 42:23:42:23:42:23:42:23
+Subnet = 10.243.42.129
+
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAuxgY9SfSCyCuTw2bPtC/He2/NZDYQOcGd8+5Bo6h1/h2pU+qKPQB
+0digU617dG2NVMaT0qmzEz86e2avr0PQsyfhmHO8JNOTqwjyQzKcv3iA+B0jU7Gh
+F/PaW+e+0O+a3LO27FCA0uuxEHyWaXqk53a3wKmjo4fuVy1QKOOoiaFaYLaaTgmm
+8OJG+AKWR/ArihpopgAHFjiqB89xWVw5CgxHDwfzVcmI9SOAaEuTfL065XM4uoH/
+LnbtoyT8zN+He1AlaEJMUaWdo8SWfjBFyVrT1zRQ+0S47tlTCW8Neb0KKs+m9d0G
+rAdv6+iFmQzpv76cgYQw2+AkqkUF8Y8xSwIDAQAB
+-----END RSA PUBLIC KEY-----
--- a/Show More
+++ b/Show More