Initial commit

106 files changed, 1716 insertions, 0 deletions

diff --git a/localfs/etc/NetworkManager/NetworkManager.conf b/localfs/etc/NetworkManager/NetworkManager.conf
new file mode 100644
index 0000000..3b05c7a
--- /dev/null
+++ b/localfs/etc/NetworkManager/NetworkManager.conf
@@ -0,0 +1,52 @@
+# Configuration file for NetworkManager.
+#
+# See "man 5 NetworkManager.conf" for details.
+#
+# The directories /usr/lib/NetworkManager/conf.d/ and /var/run/NetworkManager/conf.d/
+# can contain additional configuration snippets installed by packages. These files are
+# read before NetworkManager.conf and have thus lowest priority.
+# The directory /etc/NetworkManager/conf.d/ can contain additional configuration
+# snippets. Those snippets are merged last and overwrite the settings from this main
+# file.
+#
+# The files within one conf.d/ directory are read in asciibetical order.
+#
+# If /etc/NetworkManager/conf.d/ contains a file with the same name as
+# /usr/lib/NetworkManager/conf.d/, the latter file is shadowed and thus ignored.
+# Hence, to disable loading a file from /usr/lib/NetworkManager/conf.d/ you can
+# put an empty file to /etc with the same name. The same applies with respect
+# to the directory /var/run/NetworkManager/conf.d where files in /var/run shadow
+# /usr/lib and are themselves shadowed by files under /etc.
+#
+# If two files define the same key, the one that is read afterwards will overwrite
+# the previous one.
+
+[main]
+#plugins=ifcfg-rh,ibft
+#unmanaged-devices=interface-name:sosbr0;interface-name:clusbr0
+unmanaged-devices=interface-name:sosbr0-nic;interface-name:clusbr0
+
+
+[logging]
+# When debugging NetworkManager, enabling debug logging is of great help.
+#
+# Logfiles contain no passwords and little sensitive information. But please
+# check before posting the file online. You can also personally hand over the
+# logfile to a NM developer to treat it confidential. Meet us on #nm on freenode.
+# Please post full logfiles except minimal modifications of private data.
+#
+# You can also change the log-level at runtime via
+#   $ nmcli general logging level TRACE domains ALL
+# However, usually it's cleaner to enable debug logging
+# in the configuration and restart NetworkManager so that
+# debug logging is enabled from the start.
+#
+# You will find the logfiles in syslog, for example via
+#   $ journalctl -u NetworkManager
+#
+# Note that debug logging of NetworkManager can be quite verbose. Some messages
+# might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
+# in man journald.conf).
+#
+#level=TRACE
+#domains=ALL
diff --git a/localfs/etc/X11/xorg.conf.d/00-keyboard.conf b/localfs/etc/X11/xorg.conf.d/00-keyboard.conf
new file mode 100644
index 0000000..7e5c389
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/00-keyboard.conf
@@ -0,0 +1,9 @@
+# Written by systemd-localed(8), read by systemd-localed and Xorg. It's
+# probably wise not to edit this file manually. Use localectl(1) to
+# instruct systemd-localed to update it.
+Section "InputClass"
+        Identifier "system-keyboard"
+        MatchIsKeyboard "on"
+        Option "XkbLayout" "de,ie,bg,de"
+        Option "XkbVariant" ",,phonetic,ru"
+EndSection
diff --git a/localfs/etc/X11/xorg.conf.d/20-displaylink.conf b/localfs/etc/X11/xorg.conf.d/20-displaylink.conf
new file mode 100644
index 0000000..9d2cfa8
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/20-displaylink.conf
@@ -0,0 +1,38 @@
+Section "Device"
+    Identifier "intel"
+    Driver "modesetting"
+    Option "kmsdev" "/dev/dri/card0"
+    Option "PageFlip" "off"
+    Option "SWCursor" "on"
+    Option "ShadowFB" "true"
+EndSection
+
+Section "Device"
+    Identifier "USB3"
+    BusID "USB"
+    Driver "modesetting"
+    Option "kmsdev" "/dev/dri/card1"
+    Option "PageFlip" "off"
+    Option "SWCursor" "on"
+    Option "ShadowFB" "true"
+EndSection
+
+Section "Device"
+    Identifier "USB3"
+    BusID "USB"
+    Driver "modesetting"
+    Option "kmsdev" "/dev/dri/card2"
+    Option "PageFlip" "off"
+    Option "SWCursor" "on"
+    Option "ShadowFB" "true"
+EndSection
+
+Section "Device"
+    Identifier "USB3"
+    BusID "USB"
+    Driver "modesetting"
+    Option "kmsdev" "/dev/dri/card3"
+    Option "PageFlip" "off"
+    Option "SWCursor" "on"
+    Option "ShadowFB" "true"
+EndSection
diff --git a/localfs/etc/X11/xorg.conf.d/20-intel.conf b/localfs/etc/X11/xorg.conf.d/20-intel.conf
new file mode 100644
index 0000000..bbe28f3
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/20-intel.conf
@@ -0,0 +1,13 @@
+Section "Device" 
+Identifier "Intel Graphics" 
+Driver "Intel" 
+Option "AccelMethod" "sna" 
+Option "TearFree" "false" 
+Option "TripleBuffer" "true" 
+Option "MigrationHeuristic" "greedy" 
+Option "Tiling" "true" 
+Option "Pageflip" "true" 
+Option "ExaNoComposite" "false" 
+Option "Tiling" "true" 
+Option "Pageflip" "true" 
+EndSection
diff --git a/localfs/etc/X11/xorg.conf.d/80-backlight.conf b/localfs/etc/X11/xorg.conf.d/80-backlight.conf
new file mode 100644
index 0000000..0291612
--- /dev/null
+++ b/localfs/etc/X11/xorg.conf.d/80-backlight.conf
@@ -0,0 +1,5 @@
+Section "Device"
+	Identifier  	"Intel Graphics"
+	Driver		"intel"
+	Option		"Backlight" "/sys/class/backlight"
+EndSection
diff --git a/localfs/etc/bashrc.delta b/localfs/etc/bashrc.delta
new file mode 100644
index 0000000..be173ed
--- /dev/null
+++ b/localfs/etc/bashrc.delta
@@ -0,0 +1,3 @@
+# Add this line near the bottom:
+
+PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
diff --git a/localfs/etc/crypttab b/localfs/etc/crypttab
new file mode 100644
index 0000000..0a68703
--- /dev/null
+++ b/localfs/etc/crypttab
@@ -0,0 +1,2 @@
+luks-<uuid> UUID=<uuid> none 
+libvirt UUID=<uuid> /path/to/key luks
diff --git a/localfs/etc/default/grub b/localfs/etc/default/grub
new file mode 100644
index 0000000..b20578a
--- /dev/null
+++ b/localfs/etc/default/grub
@@ -0,0 +1,18 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+#GRUB_TERMINAL_OUTPUT="console"
+## With plymouth:
+#GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-6e954a90-4449-4697-a452-f70abc6bc87e rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/usr rhgb quiet"
+## ...and without plymouth:
+#GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-6e954a90-4449-4697-a452-f70abc6bc87e rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/usr quiet systemd.show_status=1 acpi_backlight=vendor"
+# chipset is i915. if it doesn't do the trick, simply add nomodeset
+GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-6e954a90-4449-4697-a452-f70abc6bc87e rd.lvm.lv=system/root rd.lvm.lv=system/swap rd.lvm.lv=system/usr quiet rhgb acpi_backlight=vendor" #i915.modeset=0"
+GRUB_DISABLE_RECOVERY="true"
+#GRUB_GFXMODE=2560x1440x32,1920x1080x32,16801050x32,1280x900x32,1280x1024x32m1024x768x24,800x600x24
+GRUB_GFXMODE=1920x1080x24,16801050x24,1280x900x24,1280x1024x24m1024x768x24,800x600x24
+#GRUB_GFXPAYLOAD=1920x1080x24
+GRUB_GFXPAYLOAD_LINUX=keep
+GRUB_THEME="/boot/grub2/themes/elegant-grub2/theme.txt"
+#GRUB_THEME="/boot/grub2/themes/breeze/theme.txt"
diff --git a/localfs/etc/dnf/dnf.conf b/localfs/etc/dnf/dnf.conf
new file mode 100644
index 0000000..4d5402b
--- /dev/null
+++ b/localfs/etc/dnf/dnf.conf
@@ -0,0 +1,7 @@
+[main]
+gpgcheck=1
+# Number of kernels to be kept on the system:
+installonly_limit=2
+clean_requirements_on_remove=True
+
+fastestmirror=true
diff --git a/localfs/etc/dnf/protected.d/dnf.conf b/localfs/etc/dnf/protected.d/dnf.conf
new file mode 100644
index 0000000..6148f6c
--- /dev/null
+++ b/localfs/etc/dnf/protected.d/dnf.conf
@@ -0,0 +1 @@
+dnf
diff --git a/localfs/etc/dnf/protected.d/rpm.conf b/localfs/etc/dnf/protected.d/rpm.conf
new file mode 100644
index 0000000..916f55d
--- /dev/null
+++ b/localfs/etc/dnf/protected.d/rpm.conf
@@ -0,0 +1 @@
+rpm
diff --git a/localfs/etc/dnf/protected.d/storage.conf b/localfs/etc/dnf/protected.d/storage.conf
new file mode 100644
index 0000000..15d7117
--- /dev/null
+++ b/localfs/etc/dnf/protected.d/storage.conf
@@ -0,0 +1,3 @@
+device-mapper
+lvm2
+cryptsetup
diff --git a/localfs/etc/firewalld/direct.xml b/localfs/etc/firewalld/direct.xml
new file mode 100644
index 0000000..dadd4df
--- /dev/null
+++ b/localfs/etc/firewalld/direct.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<direct>
+	<rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-m pkttype --pkt-type multicast -s 225.0.0.0/24 -d 225.0.0.0/24 -j ACCEPT</rule>
+  <passthrough ipv="ipv4">-I FORWARD -i br0 -j ACCEPT</passthrough>
+  <passthrough ipv="ipv4">-I FORWARD -o br0 -j ACCEPT</passthrough>
+  <passthrough ipv="ipv4">-I FORWARD -i sosbr0 -j ACCEPT</passthrough>
+  <passthrough ipv="ipv4">-I FORWARD -o sosbr0 -j ACCEPT</passthrough>
+</direct>
diff --git a/localfs/etc/firewalld/firewalld-server.conf b/localfs/etc/firewalld/firewalld-server.conf
new file mode 100644
index 0000000..5a69506
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-server.conf
@@ -0,0 +1,57 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=FedoraServer
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct 
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the 
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld-standard.conf b/localfs/etc/firewalld/firewalld-standard.conf
new file mode 100644
index 0000000..63df409
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-standard.conf
@@ -0,0 +1,57 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+DefaultZone=public
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct 
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the 
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=off
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld-workstation.conf b/localfs/etc/firewalld/firewalld-workstation.conf
new file mode 100644
index 0000000..a162039
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld-workstation.conf
@@ -0,0 +1,58 @@
+# firewalld config file
+
+# default zone
+# The default zone used if an empty zone string is used.
+# Default: public
+#DefaultZone=FedoraWorkstation
+DefaultZone=lokalhorst
+
+# Minimal mark
+# Marks up to this minimum are free for use for example in the direct 
+# interface. If more free marks are needed, increase the minimum
+# Default: 100
+MinimalMark=100
+
+# Clean up on exit
+# If set to no or false the firewall configuration will not get cleaned up
+# on exit or stop of firewalld
+# Default: yes
+CleanupOnExit=yes
+
+# Lockdown
+# If set to enabled, firewall changes with the D-Bus interface will be limited
+# to applications that are listed in the lockdown whitelist.
+# The lockdown whitelist file is lockdown-whitelist.xml
+# Default: no
+Lockdown=no
+
+# IPv6_rpfilter
+# Performs a reverse path filter test on a packet for IPv6. If a reply to the
+# packet would be sent via the same interface that the packet arrived on, the 
+# packet will match and be accepted, otherwise dropped.
+# The rp_filter for IPv4 is controlled using sysctl.
+# Default: yes
+IPv6_rpfilter=yes
+
+# IndividualCalls
+# Do not use combined -restore calls, but individual calls. This increases the
+# time that is needed to apply changes and to start the daemon, but is good for
+# debugging.
+# Default: no
+IndividualCalls=no
+
+# LogDenied
+# Add logging rules right before reject and drop rules in the INPUT, FORWARD
+# and OUTPUT chains for the default rules and also final reject and drop rules
+# in zones. Possible values are: all, unicast, broadcast, multicast and off.
+# Default: off
+LogDenied=all
+
+# AutomaticHelpers
+# For the secure use of iptables and connection tracking helpers it is
+# recommended to turn AutomaticHelpers off. But this might have side effects on
+# other services using the netfilter helpers as the sysctl setting in
+# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
+# With the system setting, the default value set in the kernel or with sysctl
+# will be used. Possible values are: yes, no and system.
+# Default: system
+AutomaticHelpers=system
diff --git a/localfs/etc/firewalld/firewalld.conf b/localfs/etc/firewalld/firewalld.conf
new file mode 120000
index 0000000..3adf742
--- /dev/null
+++ b/localfs/etc/firewalld/firewalld.conf
@@ -0,0 +1 @@
+firewalld-workstation.conf
\ No newline at end of file
diff --git a/localfs/etc/firewalld/lockdown-whitelist.xml b/localfs/etc/firewalld/lockdown-whitelist.xml
new file mode 100644
index 0000000..65c03c5
--- /dev/null
+++ b/localfs/etc/firewalld/lockdown-whitelist.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<whitelist>
+  <command name="/usr/bin/python3 -Es /usr/bin/firewall-config"/>
+  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
+  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
+  <user id="0"/>
+</whitelist>
diff --git a/localfs/etc/firewalld/services/check_mk.xml b/localfs/etc/firewalld/services/check_mk.xml
new file mode 100644
index 0000000..8990c3b
--- /dev/null
+++ b/localfs/etc/firewalld/services/check_mk.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+	<short>Check_MK</short>
+	<description>All ports required for Check_MK to work with us being a monitored node only.</description>
+	<!-- 5666 is actually NRPE (not MRPE), so why not. Maybe we'll need that. -->
+	<port protocol="tcp" port="5666"/>
+	<port protocol="tcp" port="6556"/>
+	<port protocol="tcp" port="6557"/>
+</service>
diff --git a/localfs/etc/firewalld/services/nfs.xml b/localfs/etc/firewalld/services/nfs.xml
new file mode 100644
index 0000000..9d1c4bf
--- /dev/null
+++ b/localfs/etc/firewalld/services/nfs.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+  <short>NFS3</short>
+  <description>The NFS3</description>
+  <port protocol="tcp" port="2049"/>
+  <port protocol="tcp" port="111"/>
+</service>
diff --git a/localfs/etc/firewalld/zones/FedoraWorkstation.xml b/localfs/etc/firewalld/zones/FedoraWorkstation.xml
new file mode 100644
index 0000000..a39d7e8
--- /dev/null
+++ b/localfs/etc/firewalld/zones/FedoraWorkstation.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Fedora Workstation</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="dhcpv6-client"/>
+  <service name="ssh"/>
+  <service name="samba-client"/>
+  <service name="samba"/>
+  <service name="kerberos"/>
+  <service name="http"/>
+  <service name="https"/>
+  <service name="nfs"/>
+  <service name="rpc-bind"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old b/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old
new file mode 100644
index 0000000..5d04d82
--- /dev/null
+++ b/localfs/etc/firewalld/zones/FedoraWorkstation.xml.old
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Fedora Workstation</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="dhcpv6-client"/>
+  <service name="ssh"/>
+  <service name="samba-client"/>
+  <service name="samba"/>
+  <service name="kerberos"/>
+  <service name="http"/>
+  <service name="https"/>
+  <service name="nfs"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/home.xml b/localfs/etc/firewalld/zones/home.xml
new file mode 100644
index 0000000..f913db4
--- /dev/null
+++ b/localfs/etc/firewalld/zones/home.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Home</short>
+  <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+</zone>
diff --git a/localfs/etc/firewalld/zones/home.xml.old b/localfs/etc/firewalld/zones/home.xml.old
new file mode 100644
index 0000000..d5e38d3
--- /dev/null
+++ b/localfs/etc/firewalld/zones/home.xml.old
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Home</short>
+  <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+  <service name="dns"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/internal.xml b/localfs/etc/firewalld/zones/internal.xml
new file mode 100644
index 0000000..2dff2d4
--- /dev/null
+++ b/localfs/etc/firewalld/zones/internal.xml
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Internal</short>
+  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
+</zone>
diff --git a/localfs/etc/firewalld/zones/internal.xml.old b/localfs/etc/firewalld/zones/internal.xml.old
new file mode 100644
index 0000000..f9f3d37
--- /dev/null
+++ b/localfs/etc/firewalld/zones/internal.xml.old
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>Internal</short>
+  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
+  <service name="dns"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/kvm.xml b/localfs/etc/firewalld/zones/kvm.xml
new file mode 100644
index 0000000..f21de55
--- /dev/null
+++ b/localfs/etc/firewalld/zones/kvm.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>KVM</short>
+  <description>LOREM IPSUM HODOR</description>
+  <source address="10.16.25.0/24"/>
+  <source address="172.16.25.0/24"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/kvm.xml.old b/localfs/etc/firewalld/zones/kvm.xml.old
new file mode 100644
index 0000000..31c90e3
--- /dev/null
+++ b/localfs/etc/firewalld/zones/kvm.xml.old
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>KVM</short>
+  <description>LOREM IPSUM HODOR</description>
+  <source address="10.16.25.0/24"/>
+  <source address="172.16.25.0/24"/>
+  <service name="libvirt"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/lokalhorst.xml b/localfs/etc/firewalld/zones/lokalhorst.xml
new file mode 100644
index 0000000..d52a74c
--- /dev/null
+++ b/localfs/etc/firewalld/zones/lokalhorst.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>lokalhorst</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="nfs"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>
diff --git a/localfs/etc/firewalld/zones/lokalhorst.xml.old b/localfs/etc/firewalld/zones/lokalhorst.xml.old
new file mode 100644
index 0000000..f948687
--- /dev/null
+++ b/localfs/etc/firewalld/zones/lokalhorst.xml.old
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="default">
+  <short>lokalhorst</short>
+  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
+  <service name="nfs"/>
+  <service name="rpc-bind"/>
+  <port port="1025-65535" protocol="udp"/>
+  <port port="1025-65535" protocol="tcp"/>
+</zone>
diff --git a/localfs/etc/fstab b/localfs/etc/fstab
new file mode 100644
index 0000000..8bd9c31
--- /dev/null
+++ b/localfs/etc/fstab
@@ -0,0 +1,25 @@
+
+#
+# /etc/fstab
+# Created by anaconda on Fri Nov 24 11:18:27 2017
+#
+# Accessible filesystems, by reference, are maintained under '/dev/disk'
+# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
+#
+/dev/mapper/system-root /                       ext4    defaults,x-systemd.device-timeout=0 1 1
+UUID=6c8ae617-7f34-4bef-9fa6-3735571b9c5c /boot                   ext4    defaults        1 2
+UUID=E68B-F495          /boot/efi               vfat    umask=0077,shortname=winnt 0 2
+/dev/mapper/system-home /home                   ext4    defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-tmp  /tmp                    ext4    defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-usr  /usr                    ext4    defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-var  /var                    ext4    defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-varlog /var/log                ext4    defaults,x-systemd.device-timeout=0 1 2
+/dev/mapper/system-swap swap                    swap    defaults,x-systemd.device-timeout=0,pri=666 0 0
+
+# USB GSCHWERDLS
+UUID=5118-E220		/usb/padlock		auto	noauto,defaults,user,nosuid,nodev,nofail,utf8,uid=1557802663,gid=1557802663,umask=027 0 0
+
+# HPE GSCHWERDLS
+UUID=1AE87ABEE87A9829	/elitebook/Windows\040RE\040tools	auto	defaults,ro	0 0
+UUID=E2EA33EEEA33BD9B	/elitebook/Recovery\040Image		auto	defaults,ro	0 0
+UUID=748F-B31A		/elitebook/HP_TOOLS			auto	defaults,ro	0 0
diff --git a/localfs/etc/httpd/conf.d/indexes b/localfs/etc/httpd/conf.d/indexes
new file mode 100644
index 0000000..19b122c
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/indexes
@@ -0,0 +1 @@
+IndexOptions	NameWidth=*
diff --git a/localfs/etc/httpd/conf.d/misc.conf b/localfs/etc/httpd/conf.d/misc.conf
new file mode 100644
index 0000000..70e4fe8
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/misc.conf
@@ -0,0 +1,7 @@
+	header set X-Clacks-Overhead "GNU Terry Pratchett"
+	header set X-Klingons "Well, let me guess. You're either lost, or desperately searching for a good tailor."
+#       header set X-XRDS-Location "http://openid.lirion.de/xrds/Lirion"
+	header set X-HANDSHAKE "Scissors cuts paper, paper covers rock, rock crushes lizard, lizard poisons Spock, Spock smashes scissors, scissors decapitates lizard, lizard eats paper, paper disproves Spock, Spock vaporizes rock, and as it always has, rock crushes scissors."
+	header set X-Disclaimer "All Your Base Are Belong To Us"
+	header unset Server
+	header set Server "Woschdsopp/6.66"
diff --git a/localfs/etc/httpd/conf.d/security.conf b/localfs/etc/httpd/conf.d/security.conf
new file mode 100644
index 0000000..60b7bec
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/security.conf
@@ -0,0 +1 @@
+IncludeOptional conf.d/security.d/*.conf
diff --git a/localfs/etc/httpd/conf.d/security.d/csp.conf b/localfs/etc/httpd/conf.d/security.d/csp.conf
new file mode 100644
index 0000000..f26dbc0
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/security.d/csp.conf
@@ -0,0 +1,4 @@
+Header set Content-Security-Policy: "default-src 'self' 'unsafe-inline'; frame-ancestors 'self' jango104 jango104.domain.de; script-src 'self' jango104 jango104.domain.de 'unsafe-inline'; img-src 'self' jango104 jango104.domain.de; child-src 'self' jango104 jango104.domain.de; font-src 'self' jango104 jango104.domain.de; object-src 'self' jango104 jango104.domain.de; connect-src 'self' jango104 jango104.domain.de;"
+#Header always set Content-Security-Policy: "default-src https:; frame-ancestors *.lirion.de;"
+#SSLUseStapling On
+#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
diff --git a/localfs/etc/httpd/conf.d/security.d/hsts.conf b/localfs/etc/httpd/conf.d/security.d/hsts.conf
new file mode 100644
index 0000000..3276a70
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/security.d/hsts.conf
@@ -0,0 +1,4 @@
+# Do not use header always set, it would push HSTS to non-HTTPS even though it's in this tree...
+<IfModule mod_ssl.c>
+	Header set Strict-Transport-Security "max-age=31556926;includeSubDomains;preload"
+</IfModule>
diff --git a/localfs/etc/httpd/conf.d/security.d/maxconns.conf b/localfs/etc/httpd/conf.d/security.d/maxconns.conf
new file mode 100644
index 0000000..c88ca84
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/security.d/maxconns.conf
@@ -0,0 +1 @@
+#MaxConnection all 10
diff --git a/localfs/etc/httpd/conf.d/security.d/signature.conf b/localfs/etc/httpd/conf.d/security.d/signature.conf
new file mode 100644
index 0000000..5c8bc12
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/security.d/signature.conf
@@ -0,0 +1,3 @@
+#SecServerSignature "Woschdsopp/6.66 mod-banana"
+ServerTokens Prod
+TraceEnable Off
diff --git a/localfs/etc/httpd/conf.d/ssl.conf b/localfs/etc/httpd/conf.d/ssl.conf
new file mode 100644
index 0000000..9891aca
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/ssl.conf
@@ -0,0 +1,224 @@
+#
+# When we also provide SSL we have to listen to the 
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+ErrorLog logs/ssl_error_log
+TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   List the protocol versions which clients are allowed to connect with.
+#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
+#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
+#   protocol or later should remain in use.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+SSLProtocol -all +TLSv1.2
+SSLProxyProtocol -all +TLSv1.2
+
+#   User agents such as web browsers are not configured for the user's
+#   own preference of either security or performance, therefore this
+#   must be the prerogative of the web server administrator who manages
+#   cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+#   SSL Cipher Suite:
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default.  See
+# update-crypto-policies(8) for more details.
+#SSLCipherSuite PROFILE=SYSTEM
+# Mozilla intermediate recommendation, 2016-09-06. After !DSS, some additional setup:
+SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!AES128-SHA:!DES-CBC3-SHA:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that restarting httpd will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is sent or allowed to be received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is sent and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>
+
diff --git a/localfs/etc/httpd/conf.d/utf8.conf b/localfs/etc/httpd/conf.d/utf8.conf
new file mode 100644
index 0000000..28ca6f8
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/utf8.conf
@@ -0,0 +1 @@
+AddDefaultCharset UTF-8
diff --git a/localfs/etc/httpd/conf.d/vhosts.conf b/localfs/etc/httpd/conf.d/vhosts.conf
new file mode 100644
index 0000000..ab7e544
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/vhosts.conf
@@ -0,0 +1 @@
+IncludeOptional conf.d/vhosts.d/*.conf
diff --git a/localfs/etc/httpd/conf.d/vhosts.d/jango104.conf b/localfs/etc/httpd/conf.d/vhosts.d/jango104.conf
new file mode 100644
index 0000000..b3cade8
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/vhosts.d/jango104.conf
@@ -0,0 +1,140 @@
+AddDefaultCharset UTF-8
+<VirtualHost *:80>
+	ServerAdmin	some.email@comain.de
+	DocumentRoot	"/var/www/vhosts/jango104.domain.de"
+	ServerName	jango104.domain.de
+	ServerAlias	jango104.domain.world jango104.domain.de jango104
+	ErrorLog	"/var/log/httpd/jango104.domain.de-error.log"
+	CustomLog	"/var/log/httpd/jango104.domain.de-access.log" common
+	RewriteEngine on
+	RewriteCond %{HTTPS} !=on
+	RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
+</VirtualHost>
+<VirtualHost *:443>
+	ServerAdmin	some.email@domain.de
+	DocumentRoot	"/var/www/vhosts/jango104.domain.de"
+	ServerName	jango104.domain.de
+	ServerAlias	jango104.domain.world jango104.domain.de jango104
+	Alias		"/errors" "/var/www/errors"
+	ErrorLog	"/var/log/httpd/jango104.domain.de-ssl-error.log"
+	CustomLog	"/var/log/httpd/jango104.domain.de-ssl-access.log" common
+	ErrorDocument	401 "/errors/401.html"
+	ErrorDocument	403 "/errors/403.html"
+	ErrorDocument	404 "/errors/404.html"
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride none
+	</Directory>
+	<Directory "/var/www/errors">
+		Options -Indexes
+		AllowOverride None
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de">
+		Options Indexes FollowSymLinks MultiViews
+		IndexOptions +ShowForbidden +NameWidth=*
+		AllowOverride None
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/dump_hpe/">
+		Options Indexes FollowSymlinks Multiviews
+		IndexOptions +ShowForbidden +Namewidth=*
+		AllowOverride all
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/dump/">
+		Options Indexes FollowSymlinks Multiviews
+		IndexOptions +ShowForbidden +Namewidth=*
+		AllowOverride all
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/isos/">
+		Options Indexes FollowSymlinks Multiviews
+		IndexOptions +ShowForbidden +Namewidth=*
+		AllowOverride all
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/redhat/">
+		Options Indexes FollowSymlinks Multiviews
+		IndexOptions +ShowForbidden +Namewidth=*
+		AllowOverride all
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/test/">
+		Options Indexes FollowSymlinks Multiviews
+		IndexOptions +ShowForbidden +Namewidth=*
+		AllowOverride all
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/propaganda/">
+		Options Indexes FollowSymlinks Multiviews
+		IndexOptions +ShowForbidden +Namewidth=*
+		AllowOverride all
+		<RequireAll>
+			Require all granted
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/redhat/CD">
+		Options Indexes FollowSymlinks MultiViews
+		IndexOptions +NameWidth=*
+		AllowOverride None
+		AuthType		Basic
+		AuthName		"gibe login"
+		AuthBasicProvider	file
+		AuthUserFile		"/etc/httpd/htaccess.d/redhat"
+		<RequireAll>
+			Require user company
+			Require valid-user
+		</RequireAll>
+	</Directory>
+	<Directory "/var/www/vhosts/jango104.domain.de/redhat/cert">
+		Options Indexes FollowSymlinks MultiViews
+		IndexOptions +NameWidth=*
+		AllowOverride None
+		AuthType		Basic
+		AuthName		"gibe login"
+		AuthBasicProvider	file
+		AuthUserFile		"/etc/httpd/htaccess.d/redhat"
+		<RequireAll>
+			Require user company
+			Require valid-user
+		</RequireAll>
+	</Directory>
+	SSLEngine on
+	SSLProtocol all -SSLv3
+	SSLProxyProtocol all -SSLv3
+	SSLHonorCipherOrder on
+	SSLCipherSuite PROFILE=SYSTEM
+	SSLProxyCipherSuite PROFILE=SYSTEM
+
+	# Feck snakeoil. Root CA and Intermed CA from root server, cert is a) chained and b) set up with higher ciphers.
+	#       (Although, admittedly, there's way worse snakeoils than on Fedora 27, but still it's snakeoil.)
+	SSLCertificateFile		/etc/pki/tls/certs/jango104.crt
+	SSLCertificateKeyFile		/etc/pki/tls/private/jango104.key
+	#SSLCertificateChainFile	/etc/pki/tls/certs/jango104.crt
+	#SSLCertificateChainFile	/etc/pki/tls/certs/server-chain.crt
+	#SSLCACertificateFile		/etc/pki/tls/certs/ca-bundle.crt
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory "/var/www/cgi-bin">
+		SSLOptions +StdEnvVars
+	</Directory>
+	BrowserMatch "MSIE [2-5]" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+</VirtualHost>
diff --git a/localfs/etc/httpd/conf.d/welcome.bak b/localfs/etc/httpd/conf.d/welcome.bak
new file mode 100644
index 0000000..5d1e452
--- /dev/null
+++ b/localfs/etc/httpd/conf.d/welcome.bak
@@ -0,0 +1,18 @@
+# 
+# This configuration file enables the default "Welcome" page if there
+# is no default index page present for the root URL.  To disable the
+# Welcome page, comment out all the lines below. 
+#
+# NOTE: if this file is removed, it will be restored on upgrades.
+#
+<LocationMatch "^/+$">
+    Options -Indexes
+    ErrorDocument 403 /.noindex.html
+</LocationMatch>
+
+<Directory /usr/share/httpd/noindex>
+    AllowOverride None
+    Require all granted
+</Directory>
+
+Alias /.noindex.html /usr/share/httpd/noindex/index.html
diff --git a/localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf b/localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf
new file mode 100644
index 0000000..9a9b107
--- /dev/null
+++ b/localfs/etc/httpd/conf.modules.d/00-proxyhtml.conf
@@ -0,0 +1,3 @@
+# This file configures mod_proxy_html and mod_xml2enc:
+LoadModule xml2enc_module modules/mod_xml2enc.so
+LoadModule proxy_html_module modules/mod_proxy_html.so
diff --git a/localfs/etc/httpd/conf.modules.d/10-geoip.conf b/localfs/etc/httpd/conf.modules.d/10-geoip.conf
new file mode 100644
index 0000000..1b70122
--- /dev/null
+++ b/localfs/etc/httpd/conf.modules.d/10-geoip.conf
@@ -0,0 +1 @@
+LoadModule geoip_module modules/mod_geoip.so
diff --git a/localfs/etc/httpd/conf.modules.d/10-limitipconn.conf b/localfs/etc/httpd/conf.modules.d/10-limitipconn.conf
new file mode 100644
index 0000000..545e9b2
--- /dev/null
+++ b/localfs/etc/httpd/conf.modules.d/10-limitipconn.conf
@@ -0,0 +1,15 @@
+# This module will not function unless mod_status is loaded and the
+# "ExtendedStatus On" directive is set. So load only if mod_status is too.
+<IfModule mod_status.c>
+
+    # This is always needed
+    ExtendedStatus On
+
+    # mod_limitipconn configuration
+    LoadModule limitipconn_module modules/mod_limitipconn.so
+
+    # A global default configuration doesn't make much sense. See the README
+    # from the mod_limitipconn package for configuration examples.
+
+</IfModule>
+
diff --git a/localfs/etc/httpd/run b/localfs/etc/httpd/run
new file mode 120000
index 0000000..ae7face
--- /dev/null
+++ b/localfs/etc/httpd/run
@@ -0,0 +1 @@
+/run/httpd
\ No newline at end of file
diff --git a/localfs/etc/libvirt.key b/localfs/etc/libvirt.key
new file mode 100644
index 0000000..838d666
--- /dev/null
+++ b/localfs/etc/libvirt.key
@@ -0,0 +1,7 @@
+This should be a file with sufficient urandom data to be added to the libvirt luks container. Result:
+the libvirt LVM PV is encrypted, but will automatically unlocked once the parent OS is unlocked.
+(Do NOT have the parent OS reside on an unencrypted drive, lel.)
+
+...
+
+Did you expect my luks key here? Better go to DXC for such disconcerting hurry-scurry ;)
diff --git a/localfs/etc/logrotate.d/clamav-update b/localfs/etc/logrotate.d/clamav-update
new file mode 100644
index 0000000..0de6062
--- /dev/null
+++ b/localfs/etc/logrotate.d/clamav-update
@@ -0,0 +1,4 @@
+/var/log/freshclam.log {
+        monthly
+        notifempty
+}
diff --git a/localfs/etc/logrotate.d/httpd b/localfs/etc/logrotate.d/httpd
new file mode 100644
index 0000000..90c024d
--- /dev/null
+++ b/localfs/etc/logrotate.d/httpd
@@ -0,0 +1,15 @@
+/var/log/httpd/*log {
+    daily
+    rotate 365
+    missingok
+    notifempty
+    sharedscripts
+    delaycompress
+    compresscmd /bin/xz
+    compressext .xz
+    dateext
+    dateformat -%Y-%m-%d
+    postrotate
+        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
+    endscript
+}
diff --git a/localfs/etc/profile.d/netcatandquit.sh b/localfs/etc/profile.d/netcatandquit.sh
new file mode 100644
index 0000000..5410051
--- /dev/null
+++ b/localfs/etc/profile.d/netcatandquit.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Harald Pfeiffer, 2017-04-17
+# Quick helper to have an ncat command available which, similarly to netcat -z,
+# terminates the ncat connection as soon as there's a successful establishment.
+#
+# tl;dr fek incomplete replacements 凸ಠ_ಠ)凸
+
+
+# Let's check whether "echo -e" outputs "echo -e", we then will quit
+# 	(no escape sequences mean no escape, lel.)
+echo -e "moo"|grep -- "-e moo" >/dev/null 2>&1
+[ "$?" -eq 0 ]&&exit 0
+
+alias ncquit='echo -ne "\e[3;12r\e[3H"|ncat'
diff --git a/localfs/etc/profile.d/shellhist.sh b/localfs/etc/profile.d/shellhist.sh
new file mode 100644
index 0000000..4e377fd
--- /dev/null
+++ b/localfs/etc/profile.d/shellhist.sh
@@ -0,0 +1,28 @@
+export HISTTIMEFORMAT="%F %T: "
+export HISTSIZE=5000
+if [ -z "$PROMPT_COMMAND" ]; then
+	case $TERM in
+		xterm*|vte*)
+			if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+				PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+			elif [ "${VTE_VERSION:-0}" -ge 3405 ]; then
+				PROMPT_COMMAND="__vte_prompt_command"
+			else
+				PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
+			fi
+		;;
+		screen*)
+			if [ -e /etc/sysconfig/bash-prompt-xterm ]; then
+				PROMPT_COMMAND=/etc/sysconfig/bash-prompt-xterm
+			else
+				PROMPT_COMMAND='printf "\033]0;%s@%s:%s\007" "${USER}" "${HOSTNAME%%.*}" "${PWD/#$HOME/~}"'
+			fi
+		;;
+		*)
+			[ -e /etc/sysconfig/bash-prompt-default ] && PROMPT_COMMAND=/etc/sysconfig/bash-prompt-default
+		;;
+	esac
+fi
+# ...and now that we have the prompt, make sure history gets updated every time you fire away a command,
+# 	not only on GRACEFUL session ends.
+export PROMPT_COMMAND="history -a;history -c;history -r;$PROMPT_COMMAND"
diff --git a/localfs/etc/profile.d/taskd.sh b/localfs/etc/profile.d/taskd.sh
new file mode 100644
index 0000000..266737a
--- /dev/null
+++ b/localfs/etc/profile.d/taskd.sh
@@ -0,0 +1 @@
+export TASKDDATA=/var/taskd
diff --git a/localfs/etc/samba/smb.conf b/localfs/etc/samba/smb.conf
new file mode 100644
index 0000000..2b779c1
--- /dev/null
+++ b/localfs/etc/samba/smb.conf
@@ -0,0 +1,33 @@
+[global]
+	server string = jango104
+	security = user
+	map to guest = bad user
+	workgroup = streichelz00
+	; Ist auf Fedora eh nobody.
+	;guest account = nobody
+	load printers = no
+	browseable = yes
+	writeable = yes
+	enable core files = no
+[hodenkobold]
+	comment = Ich bin de Maik und de Trainer
+	path = /srv/samba/public
+	available = yes
+	read only = yes
+	browseable = yes
+	public = yes
+	writeable = yes
+	guest ok = yes
+	inherit acls = yes
+	hosts allow = 10.0.0.0/8
+[isos]
+	comment = ISO-Normung is the shit
+	path = /srv/samba/isos
+	available = yes
+	read only = yes
+	browseable = yes
+	public = yes
+	writeable = no
+	guest ok = yes
+	inherit acls = yes
+	hosts allow = 10.0.0.0/8
diff --git a/localfs/etc/selinux/targeted/contexts/files/file_contexts.local b/localfs/etc/selinux/targeted/contexts/files/file_contexts.local
new file mode 100644
index 0000000..62db84e
--- /dev/null
+++ b/localfs/etc/selinux/targeted/contexts/files/file_contexts.local
@@ -0,0 +1,15 @@
+# This file is auto-generated by libsemanage
+# Do not edit directly.
+
+/usr/lib/chromium-browser    system_u:object_r:bin_t:s0
+/usr/lib/chromium-browser/chromium-browser.sh    system_u:object_r:bin_t:s0
+/usr/lib/chrome-sandbox    system_u:object_r:chrome_sandbox_exec_t:s0
+/www/docs/jango104.domain.de(/.*)?    system_u:object_r:httpd_sys_content_t:s0
+/usr/share/dnfdaemon/dnfdaemon-system    system_u:object_r:rpm_exec_t:s0
+/var/srv/samba(/.*)?    system_u:object_r:samba_share_t:s0
+/var/lib/libvirt/isos(/.*)?    system_u:object_r:public_content_t:s0
+/var/srv/samba/public(/.*)?    system_u:object_r:public_content_t:s0
+/var/srv/nfs(/.*)?    system_u:object_r:public_content_t:s0
+/var/lib/nfs(/.*)?    system_u:object_r:nfsd_fs_t:s0
+/var/srv/samba/redhat(/.*)?    system_u:object_r:public_content_t:s0
+/var/srv/common(/.*)?    system_u:object_r:public_content_t:s0
diff --git a/localfs/etc/ssh/sshd_config b/localfs/etc/ssh/sshd_config
new file mode 100644
index 0000000..084402b
--- /dev/null
+++ b/localfs/etc/ssh/sshd_config
@@ -0,0 +1,161 @@
+#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# System-wide Crypto policy:
+# If this system is following system-wide crypto policy, the changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
+# variable in  /etc/sysconfig/sshd  to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
+
+# Logging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+PasswordAuthentication no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+# override default of no subsystems
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+
+# okay, yoda won't come in here, but we want this secure :)
+Compression delayed
+#Compression no
+#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+# aes256-ctr for PuTTY :(
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com #,aes256-ctr
+# hmac-sha2-256 for putty and Enterprise Linux :(
+#MACs hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256
+MACs hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com
+#KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+#pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512
+pubkeyacceptedkeytypes ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
diff --git a/localfs/etc/sssd/sssd.conf b/localfs/etc/sssd/sssd.conf
new file mode 100644
index 0000000..7e86c46
--- /dev/null
+++ b/localfs/etc/sssd/sssd.conf
@@ -0,0 +1,47 @@
+[sssd]
+domains = whatever.de
+config_file_version = 2
+services = nss, pam
+default_domain_suffix = WHATEVER.DE
+
+[domain/whatever.de]
+ad_domain = whatever.de
+krb5_realm = WHATEVER.DE
+realmd_tags = manages-system joined-with-adcli 
+cache_credentials = True
+id_provider = ad
+krb5_store_password_if_offline = True
+default_shell = /bin/bash
+ldap_id_mapping = True
+use_fully_qualified_names = True
+access_provider = simple
+dyndns_update = false
+dyndns_refresh_interval = 43200
+dyndns_update_ptr = false
+dyndns_ttl = 300
+simple_allow_users = ad_user1, ad_user2, ad_user3, ad_user4, ad_user5
+fallback_homedir = /home/%d/%u
+#full_name_format = %1$s@%2$s
+full_name_format = %1$s
+override_homedir = /home/%u
+enumerate = False
+# do this if your Windows Admins are too lazy to properly
+# configure AD round robin. I was in an environment where
+# this was the case :( -->
+ad_server = server1
+ad_backup_server = server2
+
+[nss]
+filter_groups = root
+filter_users = root
+reconnection_retries = 1
+entry_cache_timeout = 300
+entry_cache_nowait_percentage = 75
+
+[pam]
+reconnection_retries = 2
+# adjust the expiration to a proper value in the likes of
+# offline_time + remote_work + windows_admins_laziness + mtbf
+offline_credentials_expiration = 21
+offline_failed_login_attempts = 3
+offline_failed_login_delay = 5
diff --git a/localfs/etc/sudoers.d/dnf b/localfs/etc/sudoers.d/dnf
new file mode 100644
index 0000000..1167684
--- /dev/null
+++ b/localfs/etc/sudoers.d/dnf
@@ -0,0 +1 @@
+%maint ALL=(ALL) NOPASSWD:/usr/bin/dnf needs-restarting -color true,/usr/bin/dnf needs-restarting -C --color true,/usr/bin/dnf --refresh -y upgrade --color true
diff --git a/localfs/etc/sudoers.d/firewallcmd-completion b/localfs/etc/sudoers.d/firewallcmd-completion
new file mode 100644
index 0000000..ecafb0d
--- /dev/null
+++ b/localfs/etc/sudoers.d/firewallcmd-completion
@@ -0,0 +1,2 @@
+%wheel ALL=(ALL) NOPASSWD:/usr/bin/firewall-cmd --state
+%wheel@implicit_files ALL=(ALL) NOPASSWD:/usr/bin/firewall-cmd --state
diff --git a/localfs/etc/sudoers.d/insults b/localfs/etc/sudoers.d/insults
new file mode 100644
index 0000000..8c445e5
--- /dev/null
+++ b/localfs/etc/sudoers.d/insults
@@ -0,0 +1 @@
+Defaults insults
diff --git a/localfs/etc/sudoers.d/inxi b/localfs/etc/sudoers.d/inxi
new file mode 100644
index 0000000..dfa1230
--- /dev/null
+++ b/localfs/etc/sudoers.d/inxi
@@ -0,0 +1,2 @@
+%wheel ALL=(ALL) NOPASSWD:/usr/bin/inxi -bmc24,/usr/bin/inxi -bmc7,/usr/bin/inxi -bmc12,/usr/bin/inxi -bmc5
+%wheel@implicit_files ALL=(ALL) NOPASSWD:/usr/bin/inxi -bmc24,/usr/bin/inxi -bmc7,/usr/bin/inxi -bmc12,/usr/bin/inxi -bmc5
diff --git a/localfs/etc/sudoers.d/network b/localfs/etc/sudoers.d/network
new file mode 100644
index 0000000..8f293a2
--- /dev/null
+++ b/localfs/etc/sudoers.d/network
@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD:/bin/systemctl restart network NetworkManager,/bin/systemctl restart network*,/bin/systemctl restart NetworkManager*
diff --git a/localfs/etc/sudoers.d/shutdown b/localfs/etc/sudoers.d/shutdown
new file mode 100644
index 0000000..4fbe5bd
--- /dev/null
+++ b/localfs/etc/sudoers.d/shutdown
@@ -0,0 +1 @@
+%wheel ALL=(ALL) NOPASSWD:/sbin/reboot,/sbin/poweroff,/bin/systemctl reboot,/bin/systemctl poweroff,/sbin/shutdown -r now,/sbin/shutdown -P now
diff --git a/localfs/etc/sysconfig/network-scripts/.gitignore b/localfs/etc/sysconfig/network-scripts/.gitignore
new file mode 100644
index 0000000..d238de3
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/.gitignore
@@ -0,0 +1 @@
+keys-*
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-CISCO-default b/localfs/etc/sysconfig/network-scripts/ifcfg-CISCO-default
new file mode 100644
index 0000000..0db37f2
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-CISCO-default
@@ -0,0 +1,20 @@
+DEVICE=br0-cisco
+STP=yes
+BRIDGING_OPTS=priority=32768
+TYPE=Bridge
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=none
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=br0-ciscodef
+UUID=f61c4b46-fe22-4137-8849-18bd3c76fbc8
+ONBOOT=no
+IPADDR=192.168.1.16
+PREFIX=24
+DELAY=9
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-br0-default b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-default
new file mode 100644
index 0000000..2b2624c
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-default
@@ -0,0 +1,20 @@
+TYPE=Bridge
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=br0-default
+UUID=af9c618a-4f14-4086-9c6e-aca123374161
+ONBOOT=yes
+AUTOCONNECT_PRIORITY=1
+DEVICE=br0
+NM_CONTROLLED=yes
+STP=yes
+BRIDGING_OPTS=priority=32768
+ZONE=lokalhorst
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-br0-example1 b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-example1
new file mode 100644
index 0000000..352fbb3
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-br0-example1
@@ -0,0 +1,20 @@
+TYPE=Bridge
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=br0-example1
+UUID=56b3bc94-65f8-4688-8ba1-e6e0967137c5
+ONBOOT=no
+AUTOCONNECT_PRIORITY=1
+DEVICE=br0
+NM_CONTROLLED=yes
+STP=no
+DOMAIN="domain1.local domain2.de"
+ZONE=lokalhorst
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-enp0s31f6-default b/localfs/etc/sysconfig/network-scripts/ifcfg-enp0s31f6-default
new file mode 100644
index 0000000..147f3a5
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-enp0s31f6-default
@@ -0,0 +1,9 @@
+TYPE=Ethernet
+NAME=enp0s31f6-default
+UUID=b1823a65-9f5e-4bfa-a0ea-835072f74308
+DEVICE=enp0s31f6
+ONBOOT=yes
+BRIDGE_UUID=af9c618a-4f14-4086-9c6e-aca123374161
+BRIDGE=br0
+ZONE=FedoraWorkstation
+NM_CONTROLLED=yes
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-lo b/localfs/etc/sysconfig/network-scripts/ifcfg-lo
new file mode 100644
index 0000000..cb4f3f9
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-lo
@@ -0,0 +1,9 @@
+DEVICE=lo
+IPADDR=127.0.0.1
+NETMASK=255.0.0.0
+NETWORK=127.0.0.0
+# If you're having problems with gated making 127.0.0.0/8 a martian,
+# you can change this to something else (255.255.255.255, for example)
+BROADCAST=127.255.255.255
+ONBOOT=yes
+NAME=loopback
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-Brueckengandalf b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-Brueckengandalf
new file mode 100644
index 0000000..66fc6ee
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-Brueckengandalf
@@ -0,0 +1,12 @@
+ESSID=Gabbergandalf
+MODE=Managed
+KEY_MGMT=WPA-PSK
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+NAME=wlp1s0-Brueckengandalf
+UUID=7414be92-9eea-4d3a-ae6c-f8de93409467
+DEVICE=wlp1s0
+ONBOOT=yes
+BRIDGE=wbr0
+BRIDGE_UUID=e4452e33-d9d9-42dd-b43e-188d704e03e3
+ZONE=lokalhorst
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-dingeling b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-dingeling
new file mode 100644
index 0000000..62f28a7
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-dingeling
@@ -0,0 +1,19 @@
+ESSID=alivieskan-elaeimistoe
+MODE=Managed
+KEY_MGMT=WPA-PSK
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-dingeling
+UUID=3edf5aaa-3f2a-4abf-bd51-510fa885bc6b
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-hotspot b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-hotspot
new file mode 100644
index 0000000..bebf891
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-hotspot
@@ -0,0 +1,19 @@
+DEVICE=wlp1s0
+ESSID=adesch1337_gabbergandalf
+MODE=Ap
+KEY_MGMT=WPA-PSK
+WPA_ALLOW_WPA2=yes
+CIPHER_PAIRWISE=CCMP
+CIPHER_GROUP=CCMP
+SSID_HIDDEN=yes
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=shared
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=no
+NAME=wlp1s0-hotspot
+UUID=7c06c296-cb84-4794-a11b-0d2aded13039
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-gtc b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-gtc
new file mode 100644
index 0000000..68220ce
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-gtc
@@ -0,0 +1,23 @@
+ESSID=hpeinternet
+MODE=Managed
+KEY_MGMT=WPA-EAP
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+IEEE_8021X_EAP_METHODS=PEAP
+IEEE_8021X_IDENTITY=some.address@hpe.com
+IEEE_8021X_INNER_AUTH_METHODS=GTC
+PROXY_METHOD=auto
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_PRIVACY=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-hpeinternet
+UUID=8a48a95b-d227-45f3-a62b-37eb6ae05d76
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-mschapv2 b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-mschapv2
new file mode 100644
index 0000000..496e90e
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-peap-mschapv2
@@ -0,0 +1,23 @@
+ESSID=MobD
+MODE=Managed
+KEY_MGMT=WPA-EAP
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+IEEE_8021X_EAP_METHODS=PEAP
+IEEE_8021X_IDENTITY=some.address@some.domain
+IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2
+PROXY_METHOD=auto
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_PRIVACY=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-mobd
+UUID=b437164d-fbeb-4b84-9c3c-7767696c0c0a
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-telekom-free b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-telekom-free
new file mode 100644
index 0000000..bc1a3b3
--- /dev/null
+++ b/localfs/etc/sysconfig/network-scripts/ifcfg-wlp1s0-telekom-free
@@ -0,0 +1,18 @@
+ESSID=Telekom_free
+MODE=Managed
+MAC_ADDRESS_RANDOMIZATION=default
+TYPE=Wireless
+PROXY_METHOD=none
+BROWSER_ONLY=no
+BOOTPROTO=dhcp
+DEFROUTE=yes
+IPV4_FAILURE_FATAL=no
+IPV6INIT=yes
+IPV6_AUTOCONF=yes
+IPV6_DEFROUTE=yes
+IPV6_FAILURE_FATAL=no
+IPV6_ADDR_GEN_MODE=stable-privacy
+NAME=wlp1s0-telekom-free
+UUID=2141a44d-1697-4142-8d17-f45f5047d403
+DEVICE=wlp1s0
+ONBOOT=no
diff --git a/localfs/etc/sysctl.d/93-disable-ipv6.conf b/localfs/etc/sysctl.d/93-disable-ipv6.conf
new file mode 100644
index 0000000..30b2d9b
--- /dev/null
+++ b/localfs/etc/sysctl.d/93-disable-ipv6.conf
@@ -0,0 +1,2 @@
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.disable_ipv6=1
diff --git a/localfs/etc/sysctl.d/94-bridgenotables.conf b/localfs/etc/sysctl.d/94-bridgenotables.conf
new file mode 100644
index 0000000..7b81020
--- /dev/null
+++ b/localfs/etc/sysctl.d/94-bridgenotables.conf
@@ -0,0 +1,4 @@
+# Those don't exist anymore
+#net.bridge.bridge-nf-call-ip6tables=0
+#net.bridge.bridge-nf-call-iptables=0
+#net.bridge.bridge-nf-call-arptables=0
diff --git a/localfs/etc/sysctl.d/95-forwarding.conf b/localfs/etc/sysctl.d/95-forwarding.conf
new file mode 100644
index 0000000..d0d7f8d
--- /dev/null
+++ b/localfs/etc/sysctl.d/95-forwarding.conf
@@ -0,0 +1,6 @@
+net.ipv4.conf.all.forwarding=1
+net.ipv6.conf.all.forwarding=1
+net.ipv4.conf.all.mc_forwarding=1
+net.ipv6.conf.all.mc_forwarding=1
+# https://husse.in/uncategorized/setup-a-kvm-vps-host-lvm-on-software-raid1-and-a-virtual-pfsense-router/
+net.ipv4.tcp_ecn=0
diff --git a/localfs/etc/sysctl.d/96-noredir.conf b/localfs/etc/sysctl.d/96-noredir.conf
new file mode 100644
index 0000000..ba999b2
--- /dev/null
+++ b/localfs/etc/sysctl.d/96-noredir.conf
@@ -0,0 +1,4 @@
+net.ipv4.conf.br0.send_redirects=0
+net.ipv4.conf.sosbr0.send_redirects=0
+net.ipv4.conf.clusbr0.send_redirects=0
+net.ipv4.conf.all.send_redirects=0
diff --git a/localfs/etc/sysctl.d/97-transmission.conf b/localfs/etc/sysctl.d/97-transmission.conf
new file mode 100644
index 0000000..7862332
--- /dev/null
+++ b/localfs/etc/sysctl.d/97-transmission.conf
@@ -0,0 +1,2 @@
+net.core.wmem_max = 1048576
+net.core.rmem_max = 4194304
diff --git a/localfs/etc/sysctl.d/99-sysctl.conf b/localfs/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 0000000..41c0c41
--- /dev/null
+++ b/localfs/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,10 @@
+# sysctl settings are defined through files in
+# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
+#
+# Vendors settings live in /usr/lib/sysctl.d/.
+# To override a whole file, create a new file with the same in
+# /etc/sysctl.d/ and put new settings there. To override
+# only specific settings, add a file with a lexically later
+# name in /etc/sysctl.d/ and put new settings there.
+#
+# For more information, see sysctl.conf(5) and sysctl.d(5).
diff --git a/localfs/etc/systemd/system/cluster-muromachi.target b/localfs/etc/systemd/system/cluster-muromachi.target
new file mode 100644
index 0000000..ec63edc
--- /dev/null
+++ b/localfs/etc/systemd/system/cluster-muromachi.target
@@ -0,0 +1,6 @@
+[Unit]
+Description=Cluster "muromachi_cl"
+BindsTo=kvm-clustervm@centoscl0.service kvm-clustervm@centoscl1.service kvm-clustervm@centoscl2.service
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/freshclam.service b/localfs/etc/systemd/system/freshclam.service
new file mode 100644
index 0000000..a14de83
--- /dev/null
+++ b/localfs/etc/systemd/system/freshclam.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=ClamAV database updater (freshclam)
+Wants=network.target
+Requires=network.target
+After=network.target
+
+[Service]
+Type=forking
+ExecStart=/usr/local/sbin/freshclamd start
+ExecStop=/usr/local/sbin/freshclamd stop
+TimeoutStartSec=10s
+TimeoutStopSec=30s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-arch.service b/localfs/etc/systemd/system/kvm-arch.service
new file mode 100644
index 0000000..597548f
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-arch.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine triskel05 (Arch)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start arch
+ExecStop=/bin/virsh shutdown arch
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-clustervm@.service b/localfs/etc/systemd/system/kvm-clustervm@.service
new file mode 100644
index 0000000..f21cbcd
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-clustervm@.service
@@ -0,0 +1,31 @@
+# Work in progress:
+# - Start needs to be more sophisticated in reaction to state of domains
+# - Stop should not just do a post-sleep, but instead the post section should
+#   carry a script polling the state of the machine and hammering it into the
+#   coffing after a certain timeout
+[Unit]
+Description=VM %i (with cluster inside)
+Wants=kvm-infravm@iscsi.service
+After=kvm-infravm@iscsi.service
+Wants=lvm2-monitor.service
+Requires=libvirtd.service
+Requires=kvm-firewall.service
+Requires=kvm-network@sosaria05.service
+Requires=kvm-network@san-cluster.service
+After=kvm-firewall.service
+After=libvirtd.service
+After=lvm2-monitor.service
+After=kvm-network@sosaria05.service
+After=kvm-network@san-cluster.service
+PartOf=cluster-muromachi.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kvmhelper -q vm-start %i
+ExecStop=/usr/local/bin/kvmhelper -q vm-stop %i
+RemainAfterExit=yes
+TimeoutStartSec=10s
+TimeoutStopSec=60s
+
+[Install]
+WantedBy=cluster-muromachi.target
diff --git a/localfs/etc/systemd/system/kvm-debian.service b/localfs/etc/systemd/system/kvm-debian.service
new file mode 100644
index 0000000..1347a0b
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-debian.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine balinorgel05 (Debian stable)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start debian
+ExecStop=/bin/virsh shutdown debian
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-firewall.service b/localfs/etc/systemd/system/kvm-firewall.service
new file mode 100644
index 0000000..b68ede5
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-firewall.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=virtual machine cthulhu05 (Debian Firewall)
+Wants=lvm2-monitor.service
+Requires=libvirtd.service
+Requires=kvm-network@sosaria05.service
+Requires=kvm-network@san-cluster.service
+After=libvirtd.service
+After=lvm2-monitor.service
+After=kvm-network@sosaria05.service
+After=kvm-network@san-cluster.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kvmhelper -q vm-start firewall
+ExecStop=/usr/local/bin/kvmhelper -q vm-stop firewall
+RemainAfterExit=yes
+TimeoutStartSec=10s
+TimeoutStopSec=60s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-guestmount.service b/localfs/etc/systemd/system/kvm-guestmount.service
new file mode 100644
index 0000000..fab979f
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-guestmount.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Mount KVM domains' boot partitions for direct boots
+Requires=libvirtd.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# Test phase, only using arch. Will do a script later on when the amount is > 1
+ExecStart=/usr/bin/guestmount -r -o allow_other -o ro -m /dev/sda2:/:acl,user_xattr -a /dev/libvirt/arch-boot /var/lib/libvirt/boot/arch
+ExecStop=/usr/bin/guestunmount /var/lib/libvirt/boot/arch
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-infravm@.service b/localfs/etc/systemd/system/kvm-infravm@.service
new file mode 100644
index 0000000..29f8321
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-infravm@.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Infrastructural VM %i
+Wants=lvm2-monitor.service
+Requires=libvirtd.service
+Requires=kvm-firewall.service
+Requires=kvm-network@sosaria05.service
+Requires=kvm-network@san-cluster.service
+After=kvm-firewall.service
+After=libvirtd.service
+After=lvm2-monitor.service
+After=kvm-network@sosaria05.service
+After=kvm-network@san-cluster.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kvmhelper -q vm-start %i
+ExecStop=/usr/local/bin/kvmhelper -q vm-stop %i
+RemainAfterExit=yes
+TimeoutStartSec=10s
+TimeoutStopSec=60s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-jango105.service b/localfs/etc/systemd/system/kvm-jango105.service
new file mode 100644
index 0000000..416c1af
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-jango105.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine jango105 (Windows 10)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start jango105
+ExecStop=/bin/virsh shutdown jango105
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/systemd/system/kvm-opensuse.service b/localfs/etc/systemd/system/kvm-opensuse.service
new file mode 100644
index 0000000..217dbbe
--- /dev/null
+++ b/localfs/etc/systemd/system/kvm-opensuse.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=virtual machine loukaniko05 (OpenSUSE Leap)
+Requires=libvirtd.service libvirt-guests.service lvm2-lvmetad.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/virsh start opensuse
+ExecStop=/bin/virsh shutdown opensuse
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo b/localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo
new file mode 100644
index 0000000..32e3a46
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_gregw-i3desktop.repo
@@ -0,0 +1,10 @@
+[gregw-i3desktop]
+name=Copr repo for i3desktop owned by gregw
+baseurl=https://copr-be.cloud.fedoraproject.org/results/gregw/i3desktop/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/gregw/i3desktop/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_markand-RetroArch.repo b/localfs/etc/yum.repos.d/_copr_markand-RetroArch.repo
new file mode 100644
index 0000000..10eab66
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_markand-RetroArch.repo
@@ -0,0 +1,10 @@
+[markand-RetroArch]
+name=Copr repo for RetroArch owned by markand
+baseurl=https://copr-be.cloud.fedoraproject.org/results/markand/RetroArch/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/markand/RetroArch/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_plambri-desktop-apps.repo b/localfs/etc/yum.repos.d/_copr_plambri-desktop-apps.repo
new file mode 100644
index 0000000..05115bd
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_plambri-desktop-apps.repo
@@ -0,0 +1,10 @@
+[plambri-desktop-apps]
+name=Copr repo for desktop-apps owned by plambri
+baseurl=https://copr-be.cloud.fedoraproject.org/results/plambri/desktop-apps/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/plambri/desktop-apps/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_taw-Riot.repo b/localfs/etc/yum.repos.d/_copr_taw-Riot.repo
new file mode 100644
index 0000000..b72b0b8
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_taw-Riot.repo
@@ -0,0 +1,10 @@
+[taw-Riot]
+name=Copr repo for Riot owned by taw
+baseurl=https://copr-be.cloud.fedoraproject.org/results/taw/Riot/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/taw/Riot/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/_copr_wyvie-compton-master.repo b/localfs/etc/yum.repos.d/_copr_wyvie-compton-master.repo
new file mode 100644
index 0000000..c382d58
--- /dev/null
+++ b/localfs/etc/yum.repos.d/_copr_wyvie-compton-master.repo
@@ -0,0 +1,10 @@
+[wyvie-compton-master]
+name=Copr repo for compton-master owned by wyvie
+baseurl=https://copr-be.cloud.fedoraproject.org/results/wyvie/compton-master/fedora-$releasever-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/wyvie/compton-master/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
\ No newline at end of file
diff --git a/localfs/etc/yum.repos.d/adobe-linux-x86_64.repo b/localfs/etc/yum.repos.d/adobe-linux-x86_64.repo
new file mode 100644
index 0000000..4570c79
--- /dev/null
+++ b/localfs/etc/yum.repos.d/adobe-linux-x86_64.repo
@@ -0,0 +1,7 @@
+[adobe-linux-x86_64]
+name=Adobe Systems Incorporated
+baseurl=http://linuxdownload.adobe.com/linux/x86_64/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
+
diff --git a/localfs/etc/yum.repos.d/docker-ce-fallback.repo b/localfs/etc/yum.repos.d/docker-ce-fallback.repo
new file mode 100644
index 0000000..84385f5
--- /dev/null
+++ b/localfs/etc/yum.repos.d/docker-ce-fallback.repo
@@ -0,0 +1,6 @@
+[docker-ce-stable-26]
+name=Docker CE Stable - Fed26 - $basearch
+baseurl=https://download.docker.com/linux/fedora/26/$basearch/stable
+enabled=1
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/fedora/gpg
diff --git a/localfs/etc/yum.repos.d/dotnetdev.repo b/localfs/etc/yum.repos.d/dotnetdev.repo
new file mode 100644
index 0000000..531ba52
--- /dev/null
+++ b/localfs/etc/yum.repos.d/dotnetdev.repo
@@ -0,0 +1,6 @@
+[packages-microsoft-com-prod]
+name=packages-microsoft-com-prod
+baseurl=https://packages.microsoft.com/yumrepos/microsoft-rhel7.4-prod
+enabled=1
+gpgcheck=1
+gpgkey=https://packages.microsoft.com/keys/microsoft.asc
diff --git a/localfs/etc/yum.repos.d/home:zhonghuaren.repo b/localfs/etc/yum.repos.d/home:zhonghuaren.repo
new file mode 100644
index 0000000..a5d5779
--- /dev/null
+++ b/localfs/etc/yum.repos.d/home:zhonghuaren.repo
@@ -0,0 +1,7 @@
+[home_zhonghuaren]
+name=RPM Sphere (Fedora_26)
+type=rpm-md
+baseurl=http://download.opensuse.org/repositories/home:/zhonghuaren/Fedora_26/
+gpgcheck=1
+gpgkey=http://download.opensuse.org/repositories/home:/zhonghuaren/Fedora_26/repodata/repomd.xml.key
+enabled=1
diff --git a/localfs/etc/yum.repos.d/keybase.repo b/localfs/etc/yum.repos.d/keybase.repo
new file mode 100644
index 0000000..8c5094c
--- /dev/null
+++ b/localfs/etc/yum.repos.d/keybase.repo
@@ -0,0 +1,7 @@
+[keybase]
+name=keybase
+baseurl=http://prerelease.keybase.io/rpm/x86_64
+enabled=1
+gpgcheck=1
+gpgkey=https://keybase.io/docs/server_security/code_signing_key.asc
+metadata_expire=60
diff --git a/localfs/etc/yum.repos.d/skype-stable.repo b/localfs/etc/yum.repos.d/skype-stable.repo
new file mode 100644
index 0000000..20e6469
--- /dev/null
+++ b/localfs/etc/yum.repos.d/skype-stable.repo
@@ -0,0 +1,6 @@
+[skype-stable]
+name=skype (stable)
+baseurl=https://repo.skype.com/rpm/stable/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.skype.com/data/SKYPE-GPG-KEY
diff --git a/localfs/etc/yum.repos.d/telred-fedora-27.repo b/localfs/etc/yum.repos.d/telred-fedora-27.repo
new file mode 100644
index 0000000..05c6c2d
--- /dev/null
+++ b/localfs/etc/yum.repos.d/telred-fedora-27.repo
@@ -0,0 +1,6 @@
+[telred-fedora-27]
+name=TEL.RED software repository for Fedora 27
+baseurl=https://tel.red/repos/fedora/27/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
diff --git a/localfs/etc/yum.repos.d/telred-fedora-27.repo.rpmsave b/localfs/etc/yum.repos.d/telred-fedora-27.repo.rpmsave
new file mode 100644
index 0000000..15c947f
--- /dev/null
+++ b/localfs/etc/yum.repos.d/telred-fedora-27.repo.rpmsave
@@ -0,0 +1,6 @@
+[telred-fedora-27]
+name=TEL.RED software repository for Fedora 28
+baseurl=https://tel.red/repos/fedora/28/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
diff --git a/localfs/etc/yum.repos.d/telred-fedora-28.repo b/localfs/etc/yum.repos.d/telred-fedora-28.repo
new file mode 100644
index 0000000..d292c00
--- /dev/null
+++ b/localfs/etc/yum.repos.d/telred-fedora-28.repo
@@ -0,0 +1,6 @@
+[telred-fedora-28]
+name=TEL.RED software repository for Fedora 28
+baseurl=https://tel.red/repos/fedora/28/
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
diff --git a/localfs/etc/yum.repos.d/vivaldi.repo b/localfs/etc/yum.repos.d/vivaldi.repo
new file mode 100644
index 0000000..d24e9e9
--- /dev/null
+++ b/localfs/etc/yum.repos.d/vivaldi.repo
@@ -0,0 +1,6 @@
+[vivaldi]
+name=vivaldi
+baseurl=http://repo.vivaldi.com/archive/rpm/x86_64
+enabled=1
+gpgcheck=1
+gpgkey=http://repo.vivaldi.com/archive/linux_signing_key.pub