From e5e4d3688c3f768656e62aa4f454372df8775e09 Mon Sep 17 00:00:00 2001
From: Emelie Graven <emelie@graven.dev>
Date: Mon, 22 Nov 2021 14:00:07 +0100
Subject: [PATCH] Add capetillo

Added the hetzner VPS capetillo and enabled nginx,
simple-nixos-mailserver and backups.
---
 .gitattributes                                |   1 +
 .gitignore                                    |   1 +
 .../pubkeys/despondos_host_ed25519_key.pub    |   1 +
 config/common/services/nginx.nix              |  43 +++++
 config/common/services/ssh.nix                |  25 +++
 config/hosts/capetillo/configuration.nix      |  70 +++++++
 .../data/secrets/mail_emelie_nixaalb_org      | Bin 0 -> 83 bytes
 .../data/secrets/mail_noreply_anarkafem_dev   | Bin 0 -> 84 bytes
 .../data/secrets/mail_sebastian_nixaalb_org   | Bin 0 -> 83 bytes
 .../hosts/capetillo/data/secrets/restic_pass  | Bin 0 -> 367 bytes
 .../hosts/capetillo/data/secrets/secrets.nix  | Bin 0 -> 468 bytes
 config/hosts/capetillo/data/secrets/ssh_key   | Bin 0 -> 421 bytes
 .../hosts/capetillo/data/secrets/ssh_key.pub  | Bin 0 -> 113 bytes
 .../capetillo/hardware-configuration.nix      |  42 +++++
 config/hosts/capetillo/services/acme.nix      |   9 +
 config/hosts/capetillo/services/mail.nix      |  32 ++++
 config/hosts/capetillo/services/nginx.nix     |  15 ++
 config/hosts/capetillo/services/restic.nix    |   0
 config/sources/default.nix                    |  10 +
 config/sources/nix/sources.json               |  50 +++++
 config/sources/nix/sources.nix                | 174 ++++++++++++++++++
 deploy/default.nix                            |  23 +++
 22 files changed, 496 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 config/common/data/pubkeys/despondos_host_ed25519_key.pub
 create mode 100644 config/common/services/nginx.nix
 create mode 100644 config/common/services/ssh.nix
 create mode 100644 config/hosts/capetillo/configuration.nix
 create mode 100644 config/hosts/capetillo/data/secrets/mail_emelie_nixaalb_org
 create mode 100644 config/hosts/capetillo/data/secrets/mail_noreply_anarkafem_dev
 create mode 100644 config/hosts/capetillo/data/secrets/mail_sebastian_nixaalb_org
 create mode 100644 config/hosts/capetillo/data/secrets/restic_pass
 create mode 100644 config/hosts/capetillo/data/secrets/secrets.nix
 create mode 100644 config/hosts/capetillo/data/secrets/ssh_key
 create mode 100644 config/hosts/capetillo/data/secrets/ssh_key.pub
 create mode 100644 config/hosts/capetillo/hardware-configuration.nix
 create mode 100644 config/hosts/capetillo/services/acme.nix
 create mode 100644 config/hosts/capetillo/services/mail.nix
 create mode 100644 config/hosts/capetillo/services/nginx.nix
 create mode 100644 config/hosts/capetillo/services/restic.nix
 create mode 100644 config/sources/default.nix
 create mode 100644 config/sources/nix/sources.json
 create mode 100644 config/sources/nix/sources.nix
 create mode 100644 deploy/default.nix

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..2376958
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+**/secrets/** filter=git-crypt diff=git-crypt
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c4a847d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/result
diff --git a/config/common/data/pubkeys/despondos_host_ed25519_key.pub b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
new file mode 100644
index 0000000..6367ffa
--- /dev/null
+++ b/config/common/data/pubkeys/despondos_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH+ZQk80BU/OdQfV990yrkFwvsLVbVZ2Itof/qwxjTn7
diff --git a/config/common/services/nginx.nix b/config/common/services/nginx.nix
new file mode 100644
index 0000000..89a13a4
--- /dev/null
+++ b/config/common/services/nginx.nix
@@ -0,0 +1,43 @@
+{ ... }:
+{
+    services.nginx = {
+    enable = true;
+
+    # Use recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # Only allow PFS-enabled ciphers with AES256
+    sslCiphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+
+    commonHttpConfig = ''
+      # Add HSTS header with preloading to HTTPS requests.
+      # Adding this header to HTTP requests is discouraged
+      map $scheme $hsts_header {
+          https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security $hsts_header;
+
+      # Enable CSP for your services.
+      #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+
+      # Minimize information leaked to other domains
+      add_header 'Referrer-Policy' 'same-origin';
+
+      # Disable embedding as a frame
+      add_header X-Frame-Options DENY;
+
+      # Prevent injection of code in other mime types (XSS Attacks)
+      add_header X-Content-Type-Options nosniff;
+
+      # Enable XSS protection of the browser.
+      # May be unnecessary when CSP is configured properly (see above)
+      add_header X-XSS-Protection "1; mode=block";
+
+      # This might create errors
+      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    '';
+  };
+}
diff --git a/config/common/services/ssh.nix b/config/common/services/ssh.nix
new file mode 100644
index 0000000..1f57e0f
--- /dev/null
+++ b/config/common/services/ssh.nix
@@ -0,0 +1,25 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    permitRootLogin = "no";
+    passwordAuthentication = false;
+    challengeResponseAuthentication = false;
+    hostKeys = [ { "path" = "/etc/ssh/ssh_host_ed25519_key"; "type" = "ed25519"; } ];
+    kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" ];
+    macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ];
+  };
+
+  programs.ssh.knownHosts = {
+    despondos = {
+      hostNames = [ "despondos.nao.sh" ];
+      publicKeyFile = ../data/pubkeys/despondos_host_ed25519_key.pub;
+    };
+  };
+
+  services.sshguard = {
+    enable = true;
+    blocktime = 300;
+  };
+}
+
diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix
new file mode 100644
index 0000000..c35da9d
--- /dev/null
+++ b/config/hosts/capetillo/configuration.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [ 
+	  ./hardware-configuration.nix
+	  ../../common/services/ssh.nix
+	  ./services/acme.nix
+	  ./services/nginx.nix
+	  ./services/mail.nix
+	  ./data/secrets/secrets.nix
+	];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda";
+  boot.supportedFilesystems = ["zfs"];
+  services.zfs.autoSnapshot.enable = true;
+  services.zfs.autoScrub.enable = true;
+
+  networking.hostName = "capetillo"; # Define your hostname.
+  networking.hostId = "17a9ec46";
+  time.timeZone = "Europe/Copenhagen";
+  networking.useDHCP = false;
+  networking.interfaces.ens3.useDHCP = true;
+  networking.interfaces.ens3.ipv6.addresses = [ { address = "2a01:4f9:c011:50e2::1"; prefixLength = 64; } ];
+  networking.defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+
+  users.users.emelie = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  users.users.deploy = {
+  	isNormalUser = true;
+	extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO4LyBsW1YuUA6i3EL/IZhchSvk7reO4qgRmR/tdQPU emelie@flap"
+    ];
+  };
+
+  users.groups.backup.members = [ "virtualMail" ];
+
+  security.sudo.wheelNeedsPassword = false;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    htop
+	iotop
+	dig
+  ];
+
+  nix.trustedUsers = [
+    "root"
+	"deploy"
+    "@wheel"
+  ];
+
+  services.openssh.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+
+
+  system.stateVersion = "21.05";
+
+}
diff --git a/config/hosts/capetillo/data/secrets/mail_emelie_nixaalb_org b/config/hosts/capetillo/data/secrets/mail_emelie_nixaalb_org
new file mode 100644
index 0000000000000000000000000000000000000000..d66bfcfcd627b981fe3472b6a90e31064473003c
GIT binary patch
literal 83
zcmV-Z0IdH2M@dveQdv+`009J?m*|0JL4561rv*<yl!aaQ$<uq<yQV`*8N+y+mG|;e
p(}izo3Gq3P`G922eJ`e_mgebOq3jw<GZor8lYiTGS8i{;OFuMEC_?}M

literal 0
HcmV?d00001

diff --git a/config/hosts/capetillo/data/secrets/mail_noreply_anarkafem_dev b/config/hosts/capetillo/data/secrets/mail_noreply_anarkafem_dev
new file mode 100644
index 0000000000000000000000000000000000000000..42a7dfbb905d75434fe67645f071c4912bf6fa19
GIT binary patch
literal 84
zcmV-a0IUB1M@dveQdv+`0FRak{~z&8-52Ag^_;7UAJmcg1&vQfc@!Gg8Jj_$V_p3R
q@E}<HIs4;cx9#y9-Il?6IXOauKVN|>?G+EXKeExJFBO;vF9g(Bu_lxN

literal 0
HcmV?d00001

diff --git a/config/hosts/capetillo/data/secrets/mail_sebastian_nixaalb_org b/config/hosts/capetillo/data/secrets/mail_sebastian_nixaalb_org
new file mode 100644
index 0000000000000000000000000000000000000000..f9518c63cd6528234512abc6c99f05b3a6eb576b
GIT binary patch
literal 83
zcmV-Z0IdH2M@dveQdv+`0N%@}$N!T`rB}UKm#|V?{%zhEf=0sK0CI8vB_3Cfc-)xF
piD0YO^W$O-PYvL>BN&>|6guvt<1#?Pc@ah2hTZmFF9}uwx=WHzC^7&5

literal 0
HcmV?d00001

diff --git a/config/hosts/capetillo/data/secrets/restic_pass b/config/hosts/capetillo/data/secrets/restic_pass
new file mode 100644
index 0000000000000000000000000000000000000000..dc303097e3a23164d9773baca233369ad1290d6a
GIT binary patch
literal 367
zcmV-#0g(OxM@dveQdv+`0F~~26(C$|fgaep5*}4l9{Zfwq=Z~B&}Q**b;<e9*P2zO
zdV)=7ly#kDs)=K`!pQP<B@Bq;URboC<CT&852J7BFt#S$k`Nz4()Pdh&x`sg=1M`V
zx#Nbc47Z-}09I|^uv;aI#3{P%5w*Gu!91hb{n#77_k}072!O#)3;B=`_djzgN3Zxk
zyuwzFw&1VijBT)#H_YKoI^9L~{`wtV4>Ikk%QkC|biTHO)g{eYk)O4WehfIDRu+>5
zZZAA#X>op<M}Z<NP6ckOw2J)O_7$7$b&)Z;(^SXig-z!|H*3)0IqJW<z$H!PiQG;I
zYk92aOS;6+CT{<+XTHf6cl+5N--_~pmOS4+6>*9&w<*Yce7ad>_2YW6aJMnW5c@WZ
zbfECvLK*&^5%CrIpWS4A`-&!8q$2Fly4E}I@{!Y`WC2<9_YpIvx4*13cJ%axBH?p2
NbKxU|-hPMcogZfa!|DJ4

literal 0
HcmV?d00001

diff --git a/config/hosts/capetillo/data/secrets/secrets.nix b/config/hosts/capetillo/data/secrets/secrets.nix
new file mode 100644
index 0000000000000000000000000000000000000000..2872c1c12dbe79a33724bc872dd1782d3e854c4f
GIT binary patch
literal 468
zcmV;_0W1ChM@dveQdv+`0NbCmXFia0$SCl<aN>9*L9H^`zGJhRb47wJP@3S@Y&O#u
zY#eeO;xbke8s~(&&{IX@J8^FJwZ+@3R!9r7HeK9UrEqZ;U^SqOQxy%Uj*-l=P2?J<
zw|@@wqcK9t5`*yUAEI(Yi#X7(G>*P)&Y2Le;rnn)nMYhqj^qCS6CT4mAD$sh-(Xcb
zQK2k_v@n3C{tl5?q2qba9A*m+|HTQ1G#kJ4{L3PGgDR0R&SJPqxSEVdsKQ-S%DMQ}
zc9`}4JQ!LzaIHUAnTx3m8U2;26gqA{aDzZx_rJIOs~)jv17m8#+Cq5$I1R1zpkfC`
z4HU=HtC%ZH;CYDDYSHn)*&?Ha%mwihe<Coh!#1k>&Z4YVba2v?qdb1~p7cWSL^&d|
zNthSBd@k})Ad?EY*|lw-J8t@KL)3j4qNGpS1Mu+z3J0<}&b2|p5jFw8u^}h>z)0l|
zpQY{Tv1v8U`q-2`m$WmNBa8gO|7WGDzf1rdJ<(!KS=kk<91)kd_sDE)$nm}f9sWn?
zJ$*`#{@&O_>W&B0d%VpSg4mfTzuL=5%bqc#0<V5La2}ZupwJ_&^vDjKiCZvgZND73
KA{8?2M_M7xkm)@D

literal 0
HcmV?d00001

diff --git a/config/hosts/capetillo/data/secrets/ssh_key b/config/hosts/capetillo/data/secrets/ssh_key
new file mode 100644
index 0000000000000000000000000000000000000000..59511489818940a74a9525590b5c84a17e48411f
GIT binary patch
literal 421
zcmV;W0b2e5M@dveQdv+`0Gt=|EU<dn;$ZYa_qJV%j5#l3*t)6A^7_r?j!ntRz()JV
zU-fWgsMkNE#SO_6r`hPrhpaEGw;&Nq$7qsd6V-wrzp>YE4k88T0Jhu!+dNjWFB(Q<
zp<>?Vob3yKQ}(293N=jwEmGGrL~v)>*(%{Q5uyWwoUJVr<*=u98T3p^*1u0JdM=S*
z4xIkv^4Swp!&KnsflJA*c*uokwHm_>YQN^m89$-@ONd)x={2rPJ31(Gvh=GP<X16}
zSJNa9N}+8ZIA}aVgg1ZEMpR#M#cC@H50f@+%4R6eK6ZFzy}F~)g8Wi=cBfNtTA9^<
z?ln4MZt*tC<%w$YQbS)#i{k>Tk6oHXdu9U#lG|zN7_oxXg4<9iEI_Yw)?bk{O%dgt
z^U9mJ4gBLZRt0E&k8sQ6E`wztYRg@>B?X>(8GtPw)w3$On(wo*ZNEyHejkVG%*1=l
z-y<X-Nl@RaLeLkS#KBHi70}hOyQATKNy%_$ePPeKAE8A@;-ok&i7rNGz1+=un}8uJ
PkuqeisCc=|lIv;@<1Wx<

literal 0
HcmV?d00001

diff --git a/config/hosts/capetillo/data/secrets/ssh_key.pub b/config/hosts/capetillo/data/secrets/ssh_key.pub
new file mode 100644
index 0000000000000000000000000000000000000000..6c3b407a2b7d179132834cbc815691ea5915b9a5
GIT binary patch
literal 113
zcmV-%0FM6vM@dveQdv+`0OI;xEi(E3CPw5W+*<M?(||4AbEdUNgEw_58aaDj@B_n$
ztMXzX<*x2^3pxcf?bJpYh7>msevaMl%1=WW8W)>aq6JwS4*PeE-n{?GcHelULXY|F
TT4ZquW6MY(En1jD);M>4PtP;l

literal 0
HcmV?d00001

diff --git a/config/hosts/capetillo/hardware-configuration.nix b/config/hosts/capetillo/hardware-configuration.nix
new file mode 100644
index 0000000..812083f
--- /dev/null
+++ b/config/hosts/capetillo/hardware-configuration.nix
@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+      (modulesPath + "/profiles/minimal.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "rpool/safe/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "rpool/safe/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var/www" =
+    { device = "rpool/safe/webroot";
+      fsType = "zfs";
+    };
+  fileSystems."/var/vmail" =
+    { device = "rpool/safe/mail";
+      fsType = "zfs";
+    };
+  fileSystems."/nix" =
+    { device = "rpool/local/nix";
+      fsType = "zfs";
+    };
+
+  swapDevices = [ ];
+
+}
diff --git a/config/hosts/capetillo/services/acme.nix b/config/hosts/capetillo/services/acme.nix
new file mode 100644
index 0000000..d8f7b7d
--- /dev/null
+++ b/config/hosts/capetillo/services/acme.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    email = "admin+certs@nixaalb.org";
+  };
+}
+
diff --git a/config/hosts/capetillo/services/mail.nix b/config/hosts/capetillo/services/mail.nix
new file mode 100644
index 0000000..8058063
--- /dev/null
+++ b/config/hosts/capetillo/services/mail.nix
@@ -0,0 +1,32 @@
+{ config, ... }:
+
+{
+  imports = [
+    (builtins.fetchTarball {
+      # Pick a commit from the branch you are interested in
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7/nixos-mailserver-5675b122a947b40e551438df6a623efad19fd2e7.tar.gz";
+      # And set its hash
+      sha256 = "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi";
+    })
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "nixaalb.org";
+    domains = [ "nixaalb.org" ];
+
+    loginAccounts = {
+	  "emelie@nixaalb.org" = {
+	  	hashedPasswordFile = config.secrets.files.mail_emelie_nixaalb_org.file;
+		aliases = [ "admin@nixaalb.org" ];
+	  };
+	  "sebastian@nixaalb.org" = {
+	  	hashedPasswordFile = config.secrets.files.mail_sebastian_nixaalb_org.file;
+	  };
+	  "noreply@anarkafem.dev" = {
+	  	hashedPasswordFile = config.secrets.files.mail_noreply_anarkafem_dev.file;
+	  };
+    };
+    certificateScheme = 3;
+  };
+}
diff --git a/config/hosts/capetillo/services/nginx.nix b/config/hosts/capetillo/services/nginx.nix
new file mode 100644
index 0000000..189e7ae
--- /dev/null
+++ b/config/hosts/capetillo/services/nginx.nix
@@ -0,0 +1,15 @@
+{
+	imports = [ ../../../common/services/nginx.nix ];
+	services.nginx.virtualHosts = {
+		"nixaalb.org" = {
+			enableACME = true;
+			forceSSL = true;
+			root = "/var/www/nixaalb.org/public";
+		};
+		"mta-sts.nixaalb.org" = {
+			enableACME = true;
+			forceSSL = true;
+			root = "/var/www/mta-sts/public";
+		};
+	};
+}
diff --git a/config/hosts/capetillo/services/restic.nix b/config/hosts/capetillo/services/restic.nix
new file mode 100644
index 0000000..e69de29
diff --git a/config/sources/default.nix b/config/sources/default.nix
new file mode 100644
index 0000000..6bf04c6
--- /dev/null
+++ b/config/sources/default.nix
@@ -0,0 +1,10 @@
+let
+  sources = import ./nix/sources.nix;
+
+  # just use standard pkgs from sources
+  # so that we have our applyPattches function
+  pkgs = import sources.nixpkgs {};
+
+in {
+  nixus = sources.nixus;
+} // sources
diff --git a/config/sources/nix/sources.json b/config/sources/nix/sources.json
new file mode 100644
index 0000000..88375ac
--- /dev/null
+++ b/config/sources/nix/sources.json
@@ -0,0 +1,50 @@
+{
+    "niv": {
+        "branch": "master",
+        "description": "Easy dependency management for Nix projects",
+        "homepage": "https://github.com/nmattia/niv",
+        "owner": "nmattia",
+        "repo": "niv",
+        "rev": "5830a4dd348d77e39a0f3c4c762ff2663b602d4c",
+        "sha256": "1d3lsrqvci4qz2hwjrcnd8h5vfkg8aypq3sjd4g3izbc8frwz5sm",
+        "type": "tarball",
+        "url": "https://github.com/nmattia/niv/archive/5830a4dd348d77e39a0f3c4c762ff2663b602d4c.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixos-hardware": {
+        "branch": "master",
+        "description": "A collection of NixOS modules covering hardware quirks.",
+        "homepage": "",
+        "owner": "nixos",
+        "repo": "nixos-hardware",
+        "rev": "08cda8e3a5a4e685af525e5a589dfeb74267d505",
+        "sha256": "0bf3mbss7c3lyf5h8g1vwjbs0cg4h0c8ixbaz1kv24ahyy8n61y3",
+        "type": "tarball",
+        "url": "https://github.com/nixos/nixos-hardware/archive/08cda8e3a5a4e685af525e5a589dfeb74267d505.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixpkgs": {
+        "branch": "release-21.05",
+        "description": "Nix Packages collection",
+        "homepage": "",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d",
+        "sha256": "163xpxkav524pq7wbc6sbsl9fkzc4wshpjq0h7vq7csnsb8w6p77",
+        "type": "tarball",
+        "url": "https://github.com/NixOS/nixpkgs/archive/02ee434b10ef3e55b92ed2fbf0f1f9d0d20d2f6d.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
+    "nixus": {
+        "branch": "master",
+        "description": null,
+        "homepage": "",
+        "owner": "infinisil",
+        "repo": "nixus",
+        "rev": "851b6b7480815afd0032fd15ebcf23e80e1d7e57",
+        "sha256": "1vr39sa7gldwkkhcq70ki878zgnj9z4gvwg85asi2mai0x47f3lb",
+        "type": "tarball",
+        "url": "https://github.com/infinisil/nixus/archive/851b6b7480815afd0032fd15ebcf23e80e1d7e57.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    }
+}
diff --git a/config/sources/nix/sources.nix b/config/sources/nix/sources.nix
new file mode 100644
index 0000000..1938409
--- /dev/null
+++ b/config/sources/nix/sources.nix
@@ -0,0 +1,174 @@
+# This file has been generated by Niv.
+
+let
+
+  #
+  # The fetchers. fetch_<type> fetches specs of type <type>.
+  #
+
+  fetch_file = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+      else
+        pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+
+  fetch_tarball = pkgs: name: spec:
+    let
+      name' = sanitizeName name + "-src";
+    in
+      if spec.builtin or true then
+        builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+      else
+        pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+
+  fetch_git = name: spec:
+    let
+      ref =
+        if spec ? ref then spec.ref else
+          if spec ? branch then "refs/heads/${spec.branch}" else
+            if spec ? tag then "refs/tags/${spec.tag}" else
+              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
+    in
+      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
+
+  fetch_local = spec: spec.path;
+
+  fetch_builtin-tarball = name: throw
+    ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=tarball -a builtin=true'';
+
+  fetch_builtin-url = name: throw
+    ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
+        $ niv modify ${name} -a type=file -a builtin=true'';
+
+  #
+  # Various helpers
+  #
+
+  # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
+  sanitizeName = name:
+    (
+      concatMapStrings (s: if builtins.isList s then "-" else s)
+        (
+          builtins.split "[^[:alnum:]+._?=-]+"
+            ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
+        )
+    );
+
+  # The set of packages used when specs are fetched using non-builtins.
+  mkPkgs = sources: system:
+    let
+      sourcesNixpkgs =
+        import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
+      hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
+      hasThisAsNixpkgsPath = <nixpkgs> == ./.;
+    in
+      if builtins.hasAttr "nixpkgs" sources
+      then sourcesNixpkgs
+      else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+        import <nixpkgs> {}
+      else
+        abort
+          ''
+            Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+            add a package called "nixpkgs" to your sources.json.
+          '';
+
+  # The actual fetching function.
+  fetch = pkgs: name: spec:
+
+    if ! builtins.hasAttr "type" spec then
+      abort "ERROR: niv spec ${name} does not have a 'type' attribute"
+    else if spec.type == "file" then fetch_file pkgs name spec
+    else if spec.type == "tarball" then fetch_tarball pkgs name spec
+    else if spec.type == "git" then fetch_git name spec
+    else if spec.type == "local" then fetch_local spec
+    else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
+    else if spec.type == "builtin-url" then fetch_builtin-url name
+    else
+      abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
+
+  # If the environment variable NIV_OVERRIDE_${name} is set, then use
+  # the path directly as opposed to the fetched source.
+  replace = name: drv:
+    let
+      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
+      ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
+    in
+      if ersatz == "" then drv else
+        # this turns the string into an actual Nix path (for both absolute and
+        # relative paths)
+        if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
+
+  # Ports of functions for older nix versions
+
+  # a Nix version of mapAttrs if the built-in doesn't exist
+  mapAttrs = builtins.mapAttrs or (
+    f: set: with builtins;
+    listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
+  );
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
+  range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
+  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
+  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
+  concatMapStrings = f: list: concatStrings (map f list);
+  concatStrings = builtins.concatStringsSep "";
+
+  # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
+  optionalAttrs = cond: as: if cond then as else {};
+
+  # fetchTarball version that is compatible between all the versions of Nix
+  builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchTarball;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchTarball attrs;
+
+  # fetchurl version that is compatible between all the versions of Nix
+  builtins_fetchurl = { url, name ? null, sha256 }@attrs:
+    let
+      inherit (builtins) lessThan nixVersion fetchurl;
+    in
+      if lessThan nixVersion "1.12" then
+        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
+      else
+        fetchurl attrs;
+
+  # Create the final "sources" from the config
+  mkSources = config:
+    mapAttrs (
+      name: spec:
+        if builtins.hasAttr "outPath" spec
+        then abort
+          "The values in sources.json should not have an 'outPath' attribute"
+        else
+          spec // { outPath = replace name (fetch config.pkgs name spec); }
+    ) config.sources;
+
+  # The "config" used by the fetchers
+  mkConfig =
+    { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
+    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
+    , system ? builtins.currentSystem
+    , pkgs ? mkPkgs sources system
+    }: rec {
+      # The sources, i.e. the attribute set of spec name to spec
+      inherit sources;
+
+      # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
+      inherit pkgs;
+    };
+
+in
+mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
diff --git a/deploy/default.nix b/deploy/default.nix
new file mode 100644
index 0000000..dad5a6d
--- /dev/null
+++ b/deploy/default.nix
@@ -0,0 +1,23 @@
+let
+  sources = import ../config/sources;
+in import "${sources.nixus}" {} ({ config, ... }: {
+
+  defaults = { name, ... }: {
+    configuration = { lib, ... }: {
+      networking.hostName = lib.mkDefault name;
+    };
+
+    # use our nixpkgs from niv
+    nixpkgs = sources.nixpkgs;
+  };
+
+  nodes = {
+    capetillo = { lib, config, ... }: {
+      host = "deploy@nixaalb.org";
+      configuration = ../config/hosts/capetillo/configuration.nix;
+      switchTimeout = 300;
+      successTimeout = 300;
+      #ignoreFailingSystemdUnits = true;
+    };
+  };
+})