# Node definition for 'kunsi-p14s': the bundles and groups applied to this
# machine plus the per-bundle metadata that configures them.
# `nodes` and `vault` are not defined in this file; presumably the
# bundlewrap repository loader injects them - confirm.
nodes['kunsi-p14s'] = {
    # Configuration is applied to the local machine, not to a remote host.
    'hostname': 'localhost',
    'bundles': {
        'arch-with-gui',
        'backup-client',
        'lldp',
        'lm-sensors',
        'nfs-client',
        'openvpn-client',
        'systemd-boot',
        'telegraf-battery-usage',
        'vmhost',
        'voc-tracker-worker',
        'zfs',
    },
    'groups': {
        'arch',
    },
    'metadata': {
        'arch-with-gui': {
            # NOTE(review): presumably logs this user into the graphical
            # session without a password prompt. If so, anyone with physical
            # access to the booted machine gets this session, and disk
            # encryption plus screen locking are the remaining controls -
            # confirm against the bundle.
            'autologin_as': 'kunsi',
        },
        'backup-client': {
            # only alert people if we're missing more than a week of backups
            # (7 * 24 = 168 hours)
            'one_backup_every_hours': 7 * 24,
        },
        'firewall': {
            'port_rules': {
                # obs websocket thingie - just allow all RFC1918 ips here
                # (rule currently disabled)
                #'4444': {
                #    '10.0.0.0/8',
                #    '172.16.0.0/12',
                #    '192.168.0.0/16',
                #},
                # For the occasional file-share using `python -m http.server`
                # NOTE(review): '*' presumably means "any source address".
                # The rule is permanent, so port 8000 is open on every
                # network this host joins (it also has wifi, see the
                # interfaces section), not only while a share is running.
                # Consider the RFC1918 set used in the disabled rule above,
                # or opening the port only on demand.
                '8000': {'*'},
            },
        },
        'interfaces': {
            'br0': {
                # static addressing kept for reference, DHCP is used instead
                #'ips': {'10.73.100.103/16'},
                #'gateway4': '10.73.0.254',
                'dhcp': True,
            },
            # there is also wlp3s0, but that's managed by netctl
        },
        'nfs-client': {
            # Both mounts come from the same server. No `sec=` option is
            # set, so the NFS client default applies.
            # NOTE(review): confirm the exports are restricted server-side.
            'mounts': {
                'nas-scansnap': {
                    'mountpoint': '/mnt/scansnap',
                    'serverpath': '172.19.138.20:/srv/scansnap',
                    'mount_options': {
                        'retry=0',
                        # mounted read-write
                        'rw',
                    },
                },
                'nas-storage': {
                    'mountpoint': '/mnt/nas',
                    'serverpath': '172.19.138.20:/storage/nas',
                    'mount_options': {
                        'retry=0',
                        # mounted read-only
                        'ro',
                    },
                },
            },
        },
        'openssh': {
            # Source ranges allowed to reach sshd.
            # NOTE(review): 'ipv6' presumably allows every IPv6 source,
            # including globally routable addresses, while IPv4 is limited
            # to RFC1918 - confirm this asymmetry is intended.
            'restrict-to': {
                'rfc1918',
                'ipv6',
            },
        },
        'openvpn-client': {
            # Both tunnels are not enabled at boot. 'running': None
            # presumably tells the bundle not to manage the running state,
            # so they can be started by hand - confirm.
            'configs': {
                'c3voc': {
                    'running': None,
                    'enabled': False,
                },
                'smedia-priv': {
                    'running': None,
                    'enabled': False,
                },
            },
        },
        'pacman': {
            # Paths pacman should skip when extracting packages (presumably
            # rendered as NoExtract). This keeps a package-shipped sudoers
            # drop-in off the system.
            'no_extract': {
                'etc/sudoers.d/ctdb', # samba junk
            },
            'packages': {
                # for hardware support
                'amd-ucode': {},
                'mesa': {},

                # various video drivers
                'libva-mesa-driver': {},
                'mesa-vdpau': {},
                'xf86-video-amdgpu': {},

                # all that other random stuff one needs
                'abcde': {},
                'apachedirectorystudio': {},
                'claws-mail': {},
                'claws-mail-themes': {},
                'ferdi-bin': {},
                'gumbo-parser': {}, # for claws litehtml
                'perl-musicbrainz-discid': {}, # for abcde
                'perl-webservice-musicbrainz': {}, # for abcde
            },
        },
        'sysctl': {
            'options': {
                # XXX temp, try to find out why the system randomly
                # hangs when using wifi, but only after suspending or
                # switching from ethernet.
                # (disables IPv6 on the wifi interface only)
                'net.ipv6.conf.wlp3s0.disable_ipv6': '1',
            },
        },
        'systemd-boot': {
            # Entry booted by default; must match a key in 'entries'.
            'default': 'arch',
            'entries': {
                'arch': {
                    'title': 'Arch Linux',
                    'linux': '/vmlinuz-linux',
                    # microcode image is listed before the main initramfs
                    'initrd': [
                        '/amd-ucode.img',
                        '/initramfs-linux.img',
                    ],
                    'options': {
                        'zfs=zroot/system/root',
                        'rw',
                    },
                },
                # Recovery entry: same kernel and root dataset, but without
                # microcode and with the fallback initramfs.
                'arch-fallback': {
                    'title': 'Arch Linux (no ucode, fallback initramfs)',
                    'linux': '/vmlinuz-linux',
                    'initrd': [
                        '/initramfs-linux-fallback.img',
                    ],
                    'options': {
                        'zfs=zroot/system/root',
                        'rw',
                    },
                },
            },
        },
        'systemd-networkd': {
            'bridges': {
                # br0 (DHCP, see 'interfaces') bridges both wired NICs.
                'br0': {
                    'match': {
                        'enp2s0f0',
                        'enp5s0',
                    },
                },
            },
        },
        'timezone': 'Europe/Berlin',
        'users': {
            'kunsi': {
                # Only ciphertext is committed; vault.decrypt() resolves it
                # when the repository is loaded. The value is therefore only
                # as secret as the vault key, which must stay out of the
                # repository.
                # NOTE(review): the blob looks like a Fernet token - confirm.
                'password': vault.decrypt('encrypt$gAAAAABgLmmuQGRUStrQawoPee-758emIYn2u8-8ebrgzNAFSp7ifeFDdXXvs-zL3QogwNYlCtBHboH2xfy1rSj6OF5bbNO-tg=='),
                'shell': '/usr/bin/fish',
            },
            # presumably removes this account from the machine - confirm
            'sophie': {
                'delete': True,
            },
        },
        'voc-tracker-worker': {
            'url': 'https://tracker.c3voc.de/rpc',
            # API credentials for the tracker, stored as vault ciphertext
            # like the user password above.
            'token': vault.decrypt('encrypt$gAAAAABiYqaFl4CqOc8DTQIn49Qq0KgAJSzA19GKPNMbyHIjYg0JkvY0sK43ps8CbJWMRR6hJHVK-nP4vrWLwyoWWqt8N8aASMur4odC2s8pEHQKM0TXg4cRwobQz_lyJgrYa2VYdhcD'),
            'secret': vault.decrypt('encrypt$gAAAAABiYqaYbY-3IbnRk-S25pqxrOGN7ovgPo3kBYz8ZqKDedPRzskKZefpLHxBbCOZKjg1XNT4cKbIs5cPCLdj7HdY4beAhnXl4EHZZdxU1zVC7sJCmz9XOS_Ac0UOgOlUFMiet14U'),
        },
        'zfs': {
            'pools': {
                'zroot': {
                    # Parameters used only when the pool is first created.
                    'when_creating': {
                        'config': [{
                            'devices': [
                                '/dev/disk/by-id/nvme-UMIS_RPETJ1T24MGE2QDQ_SS0L25218X3RC1BG1182-part2',
                            ],
                        }],
                        'ashift': 12,
                    },
                },
            },
            'datasets': {
                # this is not a complete list, but we can't create that
                # structure using bundlewrap anyway, so there's no point
                # in adding it here.
                'zroot': {
                    'compression': 'lz4',
                    'relatime': 'on',
                    'xattr': 'sa',
                    'primarycache': 'metadata'
                    # encryption is enabled, too.
                    # NOTE(review): encryption is not declared in this
                    # metadata, so applying the node will not detect a pool
                    # that lacks it - verify it out of band.
                },
                'zroot/movies': {
                    'mountpoint': '/media/movies',
                },
                'zroot/system/journal': {
                    'mountpoint': '/var/log/journal',
                    'acltype': 'posix',
                },
                'zroot/system/libvirt': {
                    'mountpoint': '/var/lib/libvirt',
                    # dataset has to exist before the vmhost bundle is applied
                    'needed_by': {
                        'bundle:vmhost',
                    },
                },
                'zroot/system/video': {
                    'mountpoint': '/video',
                    'needed_by': {
                        'bundle:voc-tracker-worker',
                    },
                },
                'zroot/system/root': {
                    # root filesystem; selected through the zfs= boot option
                    # in the systemd-boot entries, hence 'noauto'
                    'canmount': 'noauto',
                    'mountpoint': '/',
                },
                'zroot/user/kunsi': {
                    'mountpoint': '/home/kunsi',
                },
            },
            'snapshots': {
                'retain_per_dataset': {
                    'zroot/user/kunsi': {
                        # juuuuuuuust to be sure
                        'hourly': 100,
                    },
                },
                # Datasets excluded from snapshots: media, journal and video
                # working data.
                'snapshot_never': {
                    'zroot/movies',
                    'zroot/system/journal',
                    'zroot/system/video',
                },
            },
        },
    },
    'os': 'arch',
}