diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py
new file mode 100644
index 0000000..8654cf8
--- /dev/null
+++ b/nodes/fkusei-locutus.py
@@ -0,0 +1,195 @@
+nodes['fkusei-locutus'] = {
+ 'hostname': '10.5.99.29',
+ 'bundles': {
+ 'arch-with-gui',
+ 'bird',
+ 'lldp',
+ 'lm-sensors',
+ 'nfs-client',
+ 'systemd-boot',
+ 'telegraf-battery-usage',
+ 'wireguard',
+ 'voc-tracker-worker',
+ 'zfs',
+ },
+ 'groups': {
+ 'arch',
+ },
+ 'metadata': {
+ 'arch-with-gui': {
+ 'autologin_as': 'fkunsmann',
+ },
+ 'bird': {
+ 'bgp_neighbors': {
+ 'smedia': {
+ 'local_as': 4200128002,
+ 'local_ip': '10.200.128.2',
+ 'neighbor_as': 64900,
+ 'neighbor_ip': '10.200.128.1',
+ },
+ },
+ },
+ 'firewall': {
+ 'port_rules': {
+ # obs websocket thingie - just allow all RFC1918 ips here
+ #'4444': {
+ # '10.0.0.0/8',
+ # '172.16.0.0/12',
+ # '192.168.0.0/16',
+ #},
+ # For the occasional file-share using `python -m http.server`
+ '8000/tcp': {'*'},
+ },
+ },
+ 'interfaces': {
+ 'eth*': {
+ 'dhcp': True,
+ },
+ # there is also wlan0, but that's managed by netctl
+ },
+ 'location': 'home', # not actually true, but needed for static dhcp lease
+ 'nfs-client': {
+ 'mounts': {
+ 'nas-storage': {
+ 'mountpoint': '/mnt/nas',
+ 'serverpath': '172.19.138.20:/storage/nas',
+ 'mount_options': {
+ 'retry=0',
+ 'ro',
+ },
+ },
+ },
+ },
+ 'openssh': {
+ 'restrict-to': {
+ 'rfc1918',
+ },
+ },
+ 'pacman': {
+ 'packages': {
+ 'amd-ucode': {},
+ 'xf86-video-amdgpu': {},
+
+ # all that other random stuff one needs
+ 'apachedirectorystudio': {},
+ 'direnv': {},
+ 'freerdp': {},
+ 'sdl_ttf': {}, # for compiling testcard
+ 'thermald': {},
+ },
+ },
+ 'sysctl': {
+ 'options': {
+ # accept RA even though forwarding is enabled
+ 'net.ipv4.conf.all.accept_ra': '2',
+ 'net.ipv4.conf.wlan0.accept_ra': '2',
+ },
+ },
+ 'systemd-boot': {
+ 'default': 'arch',
+ 'entries': {
+ 'arch': {
+ 'title': 'Arch Linux',
+ 'linux': '/vmlinuz-linux',
+ 'initrd': [
+ '/amd-ucode.img',
+ '/initramfs-linux.img',
+ ],
+ 'options': {
+ 'net.ifnames=0',
+ 'rw',
+ 'zfs=zroot/system/root',
+ },
+ },
+ 'arch-fallback': {
+ 'title': 'Arch Linux (no ucode, fallback initramfs)',
+ 'linux': '/vmlinuz-linux',
+ 'initrd': [
+ '/initramfs-linux-fallback.img',
+ ],
+ 'options': {
+ 'net.ifnames=0',
+ 'rw',
+ 'zfs=zroot/system/root',
+ },
+ },
+ },
+ },
+ 'timezone': 'Europe/Berlin',
+ 'users': {
+ 'fkunsmann': {
+ 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
+ 'shell': '/usr/bin/fish',
+ 'sudo_commands': {
+ 'ALL',
+ },
+ },
+ 'sophie': {
+ 'delete': True,
+ },
+ },
+ 'voc-tracker-worker': {
+ 'url': 'https://tracker.c3voc.de/rpc',
+ 'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'),
+ 'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'),
+ },
+ 'wireguard': {
+ 'privatekey': vault.decrypt('smedia$NotViaThisRepository'),
+ 'peers': {
+ 'smedia': {
+ 'endpoint': 'wireguard.htz-cloud.kunbox.net:1194',
+ 'their_ip': '10.200.128.1',
+ 'my_ip': '10.200.128.2/20',
+ 'my_port': 51820,
+ 'endpoint': '185.122.180.82:51820',
+ 'psk': vault.decrypt('smedia$NotViaThisRepository'),
+ 'pubkey': vault.decrypt('smedia$NotViaThisRepository'),
+ },
+ },
+ },
+ 'zfs': {
+ 'pools': {
+ 'zroot': {
+ 'when_creating': {
+ 'config': [],
+ },
+ },
+ },
+ 'datasets': {
+ # this is not a complete list, but we can't create that
+ # structure using bundlewrap anyway, so there's no point
+ # in adding it here.
+ 'zroot': {
+ 'compression': 'lz4',
+ 'relatime': 'on',
+ 'xattr': 'sa',
+ 'primarycache': 'metadata'
+ # encryption is enabled, too.
+ },
+ 'zroot/system/journal': {
+ 'mountpoint': '/var/log/journal',
+ 'acltype': 'posix',
+ },
+ 'zroot/system/root': {
+ 'canmount': 'noauto',
+ 'mountpoint': '/',
+ },
+ 'zroot/user/fkunsmann': {
+ 'mountpoint': '/home/fkunsmann',
+ },
+ },
+ 'snapshots': {
+ 'retain_per_dataset': {
+ 'zroot/user/fkunsmann': {
+ # juuuuuuuust to be sure
+ 'hourly': 100,
+ },
+ },
+ 'snapshot_never': {
+ 'zroot/system/journal',
+ },
+ },
+ },
+ },
+ 'os': 'arch',
+}
diff --git a/nodes/kunsi-seibert-x1.py b/nodes/kunsi-seibert-x1.py
deleted file mode 100644
index 19ec8bf..0000000
--- a/nodes/kunsi-seibert-x1.py
+++ /dev/null
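Review bot: The `smedia` peer under `wireguard` defines the key `'endpoint'` twice (`'wireguard.htz-cloud.kunbox.net:1194'` and later `'185.122.180.82:51820'`); in a Python dict literal the last one silently wins, so the hostname entry is dead text and a reader cannot tell which endpoint is actually intended — keep a single `'endpoint'` line and delete the other. The firewall rule `'8000/tcp': {'*'}` opens the ad-hoc `python -m http.server` port to every source, while `openssh` on the same node is restricted to `rfc1918`; if the file-share is only meant for the local network, scoping it to the same ranges already listed in the commented-out `4444` block (`'10.0.0.0/8'`, `'172.16.0.0/12'`, `'192.168.0.0/16'`) keeps the exposure consistent with the rest of the node. Separately, `'primarycache': 'metadata'` is the last entry of its dict and has no trailing comma, so the next line appended under the `# encryption is enabled, too.` comment will be a syntax error unless the comma is added first.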
@@ -1,67 +0,0 @@
-# work laptop. Only apply interactively.
-
-nodes['kunsi-seibert-x1'] = {
- 'dummy': True,
- 'hostname': '172.19.138.240',
- 'bundles': {
- 'basic',
- 'lldp',
- 'lm-sensors',
- 'nfs-client',
- 'pacman',
- 'openssh',
- 'sudo',
- 'systemd',
- 'telegraf',
- 'telegraf-battery-usage',
- 'users',
- },
- 'groups': set(),
- 'metadata': {
- 'timezone': 'Europe/Berlin',
- 'icinga_options': {
- 'exclude_from_monitoring': True,
- },
- 'locale': {
- 'default': 'en_DK.UTF-8',
- },
- 'lldp': {
- 'hostname': 'fkunsmann-seibertmedia',
- },
- 'nfs-client': {
- 'mounts': {
- 'nas-storage': {
- 'mountpoint': '/mnt/nas',
- 'serverpath': '172.19.138.20:/storage/nas',
- 'mount_options': {
- 'retry=0',
- 'ro',
- },
- },
- },
- },
- 'pacman': {
- 'install_gui': True,
- },
- 'telegraf': {
- 'influxdb_url': 'https://influxdb.kunsmann.eu/',
- 'influxdb_token': vault.decrypt('encrypt$gAAAAABgg9Ag632Xyuc6SWXaR1uH2tLOChmVKAoBIikhjntSSD2qJFL_eouVQGXCLH2HEuSbSdEXcTPn2qmhOiA9jmFdoDSbVbQUsp0EID1wLsWYG_Um2KOxZSF-tn9eDZlgShQYySjzO3nQRmdlJpVLUnGHsiwv_sHD2FstXGpfzTPZq5_egUqEc0K2X-aN2J6BTYc2fZAN'),
- 'influxdb_org': vault.decrypt('encrypt$gAAAAABgg9hyjz4XtvG8NBw9uYxiumS3v7YKIrtc9tTTABg1f9R22gzn55q8ULP9X3wlsPMUQs_DH7CgGv9neYmvVAriRoyd8g=='),
- 'influxdb_bucket': vault.decrypt('encrypt$gAAAAABgg9iMnq0nKpODMiMN4NtUw231iqpbyDXV-O8epOAGDSL4jcf3CaSa2bLZzH2fJFaKWjW-dpVd384x6KqSQU19XpfsWA=='),
- },
- 'users': {
- 'kunsi': {
- 'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
- 'shell': '/usr/bin/fish',
- 'ssh_pubkey': {
- # work key
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICYst1HK+gJYhNxzqJGnz4iB73pa89Xz2yH+8wufOcsA',
- },
- },
- 'sophie': {
- 'delete': True,
- },
- },
- },
- 'os': 'arch',
-}