diff --git a/default.nix b/default.nix index 97635512..caf55459 100644 --- a/default.nix +++ b/default.nix @@ -12,7 +12,7 @@ rec { inherit (pkgs) lib; deploy = import ./lib/deploy.nix { - inherit pkgs; + inherit pkgs sources; inherit (hosts) hosts groups; }; } diff --git a/hosts/athame/nixos/default.nix b/hosts/athame/nixos/default.nix index 345ba4e1..3d72844b 100644 --- a/hosts/athame/nixos/default.nix +++ b/hosts/athame/nixos/default.nix @@ -6,27 +6,24 @@ # profiles profiles.kat # host-specific services - ./postgres.nix - ./virtualhosts.nix - ./fail2ban.nix + #./postgres.nix + #./virtualhosts.nix + #./fail2ban.nix # services - ../../../services/nginx.nix - ../../../services/mail.nix - ../../../services/asterisk.nix - ../../../services/gitea - ../../../services/syncplay.nix - ../../../services/bitwarden.nix - ../../../services/taskserver.nix - ../../../services/murmur.nix - ../../../services/znc.nix - ../../../services/matrix.nix + #../../../services/nginx.nix + #../../../services/mail.nix + #../../../services/asterisk.nix + #../../../services/gitea + #../../../services/syncplay.nix + #../../../services/bitwarden.nix + #../../../services/taskserver.nix + #../../../services/murmur.nix + #../../../services/znc.nix + #../../../services/matrix.nix ]; - deploy.ssh.host = "athame.kittywit.ch"; - boot.loader.grub.enable = true; boot.loader.grub.version = 2; - boot.loader.grub.device = "/dev/sda"; networking = { hostName = "athame"; @@ -37,7 +34,7 @@ }; networking.firewall.allowedTCPPorts = - [ 80 443 5160 5060 8999 64738 1935 53589 5001 ]; + [ 22 80 443 5160 5060 8999 64738 1935 53589 5001 ]; networking.firewall.allowedUDPPorts = [ 5160 5060 64738 ]; networking.firewall.allowedTCPPortRanges = [{ from = 10000; diff --git a/hosts/athame/nixos/hw.nix b/hosts/athame/nixos/hw.nix index 2520050e..ae82a10a 100644 --- a/hosts/athame/nixos/hw.nix +++ b/hosts/athame/nixos/hw.nix 
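Review bot: The `networking.firewall.allowedTCPPorts` line still opens 80, 443, 5160, 5060, 8999, 64738, 1935, 53589 and 5001 even though the previous hunk of this file comments out the nginx, asterisk, murmur, matrix and other service imports that presumably bound them, and 22 is added on top. Ports without a listener are harmless today, but they are exposure that applies silently the moment a service is re-enabled or something else binds one of them, so the list should shrink with the imports, e.g. `[ 22 ];` until the services return. The new 22 entry pairs with the commented-out `ports` line in profiles/common/nixos/ssh.nix; if SSH is meant to live on the default port now, an explicit `services.openssh.ports = [ 22 ];` there documents that better than relying on the sshd default. The same file also stops importing `./fail2ban.nix`, so the now-reachable sshd on 22 depends solely on `passwordAuthentication = false` for brute-force resistance; worth a comment next to the port list if that is intended.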
@@ -1,21 +1,10 @@
-{ config, lib, pkgs, ... }:
-
-{
+{ ... }: {
 imports = [ ];
-
 boot.initrd.availableKernelModules =
- [ "ahci" "xhci_pci" "virtio_pci" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ ];
- boot.extraModulePackages = [ ];
-
+ [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
+ boot.loader.grub.device = "/dev/sda";
 fileSystems."/" = {
- device = "/dev/disk/by-uuid/126049c0-34bd-4d96-a8db-276c5d172abe";
+ device = "/dev/sda1";
 fsType = "ext4";
 };
-
- swapDevices =
- [{ device = "/dev/disk/by-uuid/1f19daed-1c51-4b14-bfe8-bd7ea075ed96"; }];
-
- nix.maxJobs = lib.mkDefault 3;
 }
diff --git a/lib/deploy.nix b/lib/deploy.nix
index 91e9693b..d18a01db 100644
--- a/lib/deploy.nix
+++ b/lib/deploy.nix
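Review bot: The root filesystem is now addressed as `/dev/sda1` (and GRUB installs to `/dev/sda`) in place of the previous by-uuid path; kernel device names depend on enumeration order and can change when a disk is added or the VM is moved, after which the system cannot find its root. Because the lib/deploy.nix hunk in this commit provisions the server from a fresh image, the UUID cannot be known in advance, so this is understandable for the first install, but a follow-up should return to `device = "/dev/disk/by-uuid/<ROOT_UUID>";` once the host exists. The removed `lib` parameter is consistent with dropping `nix.maxJobs = lib.mkDefault 3;`, so nothing in the new file appears to need it. A short comment above `boot.loader.grub.device` such as `# single-disk cloud VM provisioned by lib/deploy.nix; device name fixed by the image` would record why the hardware file now owns the boot device.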
@@ -1,22 +1,80 @@
-{ pkgs, hosts, groups }:
+{ pkgs, hosts, sources, groups }:
 with pkgs.lib;
-(mapAttrs (name: hosts: ''
- #!${pkgs.runtimeShell}
- export PATH=
- nix build --no-link ${
- concatMapStringsSep " " (host:
- builtins.unsafeDiscardStringContext
- host.config.system.build.toplevel.drvPath) hosts
- }
- ${concatMapStrings (host: ''
- echo "deploying ${host.config.networking.hostName}..."
- ${host.config.system.build.deployScript}
- PID_LIST+=" $!"
- '') hosts}
- # FIXME: remove jobs from PIDLIST once they finish
- trap "kill $PID_LIST" SIGINT
- wait $PID_LIST
-'') groups)
-// (mapAttrs (name: host: host.config.system.build.deployScript) hosts)
+let
+ pkgsModule = { ... }: { config._module.args = { pkgs = mkDefault pkgs; }; };
+
+ tfEval = config:
+ (evalModules {
+ modules = [ pkgsModule (sources.tf-nix + "/modules") ] ++ toList config;
+ specialArgs = { };
+ }).config;
+
+ tf = tfEval ({ config, ... }: {
+ deps = { enable = true; };
+
+ state = { file = toString ../private/files/tf/terraform.tfstate; };
+
+ runners.lazy = {
+ file = ../.;
+ args = [ "--show-trace" ];
+ attrPrefix = "deploy.tf.runners.run.";
+ };
+
+ terraform = {
+ dataDir = toString ../private/files/tf/tfdata;
+ logPath = toString ../private/files/tf/terraform.log;
+ };
+
+ variables.hcloud_token = {
+ type = "string";
+ value.shellCommand = "bitw get infra/hcloud_token";
+ };
+
+ providers.hcloud = { inputs.token = config.variables.hcloud_token.ref; };
+
+ resources = with config.resources; {
+ hcloud_ssh_key = {
+ provider = "hcloud";
+ type = "ssh_key";
+ inputs = {
+ name = "yubikey";
+ public_key =
+ "ssh-rsa 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 cardno:000612078454";
+ };
+ };
+
+ athame = {
+ provider = "hcloud";
+ type = "server";
+ inputs = {
+ name = "athame-testing";
+ image = "ubuntu-20.04";
+ server_type = "cpx21";
+ location = "nbg1";
+ backups = false;
+ ssh_keys = [ (hcloud_ssh_key.refAttr "id") ];
+ };
+ connection = { host = config.lib.tf.terraformSelf 
"ipv4_address"; };
+ provisioners = [
+ {
+ remote-exec.command =
+ "curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | NO_REBOOT=true PROVIDER=hetznercloud NIX_CHANNEL=nixos-20.09 bash 2>&1 | tee /tmp/infect.log";
+ }
+ {
+ remote-exec.command = "reboot";
+ onFailure = "continue";
+ }
+ ];
+ };
+ };
+
+ deploy.systems.athame = with config.resources; {
+ nixosConfig = hosts.athame.config;
+ connection = athame.connection.set;
+ triggers.copy.athame = athame.refAttr "id";
+ triggers.secrets.athame = athame.refAttr "id";
+ };
+ });
+in { inherit tf; }
diff --git a/lib/hosts.nix b/lib/hosts.nix
index 56608d7c..9486a2f1 100644
--- a/lib/hosts.nix
+++ b/lib/hosts.nix
@@ -10,7 +10,7 @@ rec {
 hostConfig = hostName: { config, ... }: {
 _module.args = { inherit hosts groups; };
- imports = [ ../nixos.nix ../modules/nixos ../modules/nixos/deploy ];
+ imports = [ ../nixos.nix ../modules/nixos ];
 networking = { inherit hostName; };
 nixpkgs.pkgs = import pkgsPath {
 inherit (config.nixpkgs) config;
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 44b96a6d..0ef3391c 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -2,7 +2,6 @@
 {
 imports = [
- ./deploy
 (sources.tf-nix + "/modules/nixos/secrets.nix")
 (sources.tf-nix + "/modules/nixos/secrets-users.nix")
 ];
diff --git a/nix/sources.json b/nix/sources.json
index 86c75150..2ea9c94d 100644
--- a/nix/sources.json
+++ b/nix/sources.json
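Review bot: The first `remote-exec.command` of the athame provisioner pipes `https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect` straight into a root shell on the new server without pinning: whatever the `master` branch holds at provisioning time runs with full privileges, so a changed or compromised upstream is executed on the host unreviewed. Pin the URL to a specific commit, e.g. `https://raw.githubusercontent.com/elitak/nixos-infect/<PINNED_COMMIT>/nixos-infect`, and compare the download against a recorded checksum before handing it to `bash`, or track it in nix/sources.json next to tf-nix so the rev and sha256 are versioned with the rest of the deployment. Separately, `curl` without `-f` pipes an HTTP error body into `bash` when the fetch fails; `curl -fsSL` makes a failed download fail the provisioner instead. The hcloud token is exposed to Terraform as a plain string variable, so it may be recorded in the state file and trace logs this hunk places under `private/files/tf/`; those paths need the same access control as the secret itself.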
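Review bot: Dropping `../modules/nixos/deploy` from `imports` in lib/hosts.nix (and `./deploy` in the modules/nixos/default.nix hunk) removes the module that presumably declared the `deploy.*` NixOS options, yet profiles/kat/nixos.nix and profiles/laptop/home.nix in this same commit still set `deploy.profile.kat = true;` and `deploy.profile.laptop = true;`. Unless those options are now declared by the updated tf-nix modules, evaluating any host that uses those profiles will fail with an undefined-option error; either remove the two assignments or keep a stub module declaring `deploy.profile`. The removal of `deploy.ssh.host` from hosts/athame/nixos/default.nix suggests the intent was to retire the old deploy options entirely, so the leftover assignments look like an oversight.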
@@ -124,10 +124,10 @@
 "homepage": null,
 "owner": "arcnmx",
 "repo": "tf-nix",
- "rev": "32dae16c0aaba3412905bd80968888a767071808",
- "sha256": "1c0vg42j096jp65b6indynh2y77xfv8nrfrnbv4llxfjsmd6w3lq",
+ "rev": "f8388c58aa7759dede5163a011fb1a08e7c27fc8",
+ "sha256": "0n0cp2hz00naz78dxi3b7ayrjv4l0001sc1k08w01aw2p400wpyc",
 "type": "tarball",
- "url": "https://github.com/arcnmx/tf-nix/archive/32dae16c0aaba3412905bd80968888a767071808.tar.gz",
+ "url": "https://github.com/arcnmx/tf-nix/archive/f8388c58aa7759dede5163a011fb1a08e7c27fc8.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }
diff --git a/profiles/common/nixos/ssh.nix b/profiles/common/nixos/ssh.nix
index 5178b613..17c6c644 100644
--- a/profiles/common/nixos/ssh.nix
+++ b/profiles/common/nixos/ssh.nix
@@ -3,7 +3,7 @@
 {
 services.openssh = {
 enable = true;
- ports = lib.mkDefault [ 62954 ];
+ #ports = lib.mkDefault [ 62954 ];
 passwordAuthentication = false;
 challengeResponseAuthentication = false;
 permitRootLogin = lib.mkDefault "prohibit-password";
diff --git a/profiles/kat/nixos.nix b/profiles/kat/nixos.nix
index 53c78400..44deaabe 100644
--- a/profiles/kat/nixos.nix
+++ b/profiles/kat/nixos.nix
@@ -3,7 +3,7 @@
 {
 home-manager.users.kat = { imports = [ ./home.nix ]; };
- deploy.profile.kat = true;
+ deploy.profile.kat = true;
 users.users.kat = {
 uid = 1000;
diff --git a/profiles/laptop/home.nix b/profiles/laptop/home.nix
index 0835e093..2c9b6743 100644
--- a/profiles/laptop/home.nix
+++ b/profiles/laptop/home.nix
@@ -1,5 +1,5 @@
 { lib, ... }:
-{
+{
 deploy.profile.laptop = true;
 }
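Review bot: In profiles/common/nixos/ssh.nix, commenting out `ports = lib.mkDefault [ 62954 ];` leaves dead configuration in the profile and silently moves sshd to the daemon default of 22, so a reader has to know that default to see what the profile now does. Either delete the line or state the policy explicitly with `ports = lib.mkDefault [ 22 ];`, which also matches the 22 added to athame's firewall list in this commit. Since the same commit stops importing fail2ban on athame, a one-line comment next to `passwordAuthentication = false;` recording that key-only auth is the intended brute-force defence would help the next reviewer.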