diff --git a/flake.lock b/flake.lock
index 8f880fef..dfb01914 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
 "nodes": {
 "nixos-hardware": {
 "locked": {
- "lastModified": 1613453906,
- "narHash": "sha256-w6oeQ3OTCKxRAG9KtjK+ErxpvUhNr48binO99JVQP9Q=",
+ "lastModified": 1614460257,
+ "narHash": "sha256-hFR865O5gIuFNiwFyx/K2g8AeLvGy/f3/SHalF85zuM=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "115770eed0c0fa50c1277cd0f7fe0f15501dbc43",
+ "rev": "c9b965a43e582765f797f8b75d50cb2874b30f30",
 "type": "github"
 },
 "original": {
@@ -16,11 +16,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1613993207,
- "narHash": "sha256-a8Cjsz1QkVGb9TUNynphGhM1TbUc//T86gnnB5Ggjwg=",
+ "lastModified": 1614778866,
+ "narHash": "sha256-+l8uyXAxYgR3ZMUpBFs4ZVDcbLsw/TSgAwk9iNYiWNY=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "6198890f0d451f7d02e8c9bd28ab5e66ad2523d3",
+ "rev": "c14bb3039f25d463cd24a47d88b4a86b33561788",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index acb5e0aa..0d208479 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,8 +8,7 @@
 outputs = { self, nixpkgs, secrets, nixos-hardware }: let
- forAllSystems =
- nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
+ forAllSystems = nixpkgs.lib.genAttrs [ "aarch64-linux" "x86_64-linux" ];
 hostRegistry = import ./host-registry.nix;
 in {
@@ -54,6 +53,8 @@
 pulsebert-nixos-rebuild = mkDeploy "pulsebert" "pulsebert.hq.c3d2.de";
 pulsebert-wake = mkWake "pulsebert";
+
+ yggdrasil-nixos-rebuild = mkDeploy "yggdrasil" "172.20.72.62";
 });
 nixosConfigurations = let
@@ -104,6 +105,15 @@
 system = "aarch64-linux";
 };
+ yggdrasil = nixosSystem' {
+ modules = [
+ ./hosts/containers/yggdrasil
+ ./lib/lxc-container.nix
+ ./lib/users/emery.nix
+ ];
+ system = "x86_64-linux";
+ };
+ };
 nixosModules.c3d2 = import ./lib;
diff --git a/host-registry.nix b/host-registry.nix
index 04627fd1..1f559f41 100644
--- a/host-registry.nix
+++ b/host-registry.nix
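Review bot: The new deploy target in flake.nix hard-codes `"172.20.72.62"` as the address of `yggdrasil`, while the same commit records that address in host-registry.nix as `hosts.yggdrasil.ip4`, so the two copies can drift apart. `hostRegistry` is already bound in this file (`hostRegistry = import ./host-registry.nix;`), so the line could read `yggdrasil-nixos-rebuild = mkDeploy "yggdrasil" hostRegistry.hosts.yggdrasil.ip4;` provided mkDeploy accepts any string there, which its definition outside this hunk would confirm. The neighbouring targets pass a DNS name (`pulsebert.hq.c3d2.de`); if the IP literal is intentional because the new host has no HQ name yet, a short comment saying so would stop the next reader from "fixing" it. The enclosing forAllSystems attribute set starts and ends outside the hunk.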
@@ -46,29 +46,33 @@ rec {
 '';
 };
 server4 = {
- ip4 = "172.22.99.15";
- ip6 = "2a02:8106:208:5201::15";
+ ip4 = "172.22.99.14";
+ ip6 = "2a02:8106:208:5201::14";
 publicKey = ''
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGUwIWqP92toOSuV16wSN46t05RUKu609pqV2aexj8+DTO/hM8QWrhv51/jQG6TGmabZNlXbEvKMt48mW69uy48=
 '';
 };
 server5 = {
- ip4 = "172.22.99.16";
- ip6 = "2a02:8106:208:5201::16";
+ ip4 = "172.22.99.15";
+ ip6 = "2a02:8106:208:5201::15";
 publicKey = ''
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB1qxi7ROlXvbmmeBJvNqyJdGDZG35e38RHujtqqDJXORwhy63LdW5jlv/09fNRj4nQMvKwdY5Oew2xgTzkaDwE=
 '';
 };
 server6 = {
- ip4 = "172.22.99.17";
- ip6 = "2a02:8106:208:5201::17";
+ ip4 = "172.22.99.16";
+ ip6 = "2a02:8106:208:5201::16";
 publicKey = ''
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKQCZ7f7bqRC6B72oMu7BCItZxZnWsqx9Th/2iBRvtIFggr4YNi7Pbw3cc68NVbm0u7feUUgH5LDiXVpig3b7Gw=
 '';
 };
 storage.publicKey = "storage.ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbjG4uY8A0IJHRKjiQwt9JbuLDNVaTcwNJN8J4z6mgX";
-
+ yggdrasil = {
+ ip4 = "172.20.72.62";
+ ip6 = "2a02:8106:208:5281:9000::1";
+ ygg = "201:4561:bb58:4dac:5f6a:7b23:44f:a5ef";
+ };
 };
 hqGlobal = builtins.attrNames hosts;
diff --git a/hosts/containers/yggdrasil/default.nix b/hosts/containers/yggdrasil/default.nix
new file mode 100644
index 00000000..5c6d040b
--- /dev/null
+++ b/hosts/containers/yggdrasil/default.nix
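Review bot: The new `yggdrasil` entry carries no `publicKey`, unlike the `server4`–`server6` entries around it and `storage`; if the registry's publicKey fields feed SSH host-key pinning for the deploy targets (how they are consumed is not visible here), the new `mkDeploy` target in flake.nix would reach 172.20.72.62 with no pinned key on first use. If the key simply is not known yet, a comment such as `# publicKey: not yet recorded, add after first boot` makes the omission deliberate rather than an oversight. The `ygg` address is also written out as a literal `yggAddress` in hosts/containers/yggdrasil/default.nix, so keeping only the registry copy would avoid the two diverging. The `server4`–`server6` ip4/ip6 renumbering shifts each host down by one address; any other file still carrying the old addresses is not touched by this commit, which is worth a check. The enclosing `hosts` attribute set starts outside the hunk.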
@@ -0,0 +1,81 @@
+{ hostRegistry, ... }:
+
+let
+ yggAddress = "201:4561:bb58:4dac:5f6a:7b23:44f:a5ef";
+ yggPrefix = "301:4561:bb58:4dac"; # 301:4561:bb58:4dac::/64
+ # taken from the output of "yggdrasilctl getself".
+in {
+
+ boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = 1;
+ # Forward traffic under the prefix.
+
+ boot.postBootCommands = ''
+ if [ ! -c /dev/net/tun ]; then
+ mkdir -p /dev/net
+ mknod -m 666 /dev/net/tun c 10 200
+ fi
+ '';
+
+ c3d2 = { isInHq = true; };
+
+ networking = let host = hostRegistry.hosts.yggdrasil;
+ in {
+ hostName = "yggdrasil";
+ defaultGateway = "172.20.72.6";
+ defaultGateway6 = "2a02:8106:208:5281::b:0";
+ nameservers = [ "172.20.73.8" ];
+ interfaces.eth0 = {
+ ipv4 = {
+ addresses = [{
+ address = host.ip4;
+ prefixLength = 26;
+ }];
+ };
+ ipv6 = {
+ addresses = [
+ {
+ address = host.ip6;
+ prefixLength = 64;
+ }
+ {
+ address = yggPrefix + "::1";
+ prefixLength = 64;
+ }
+ ];
+ };
+ };
+ };
+
+ services.yggdrasil = {
+ enable = true;
+ persistentKeys = true;
+ config = {
+ Peers = [
+ # deutschland
+ "tcp://45.11.19.26:5001"
+
+ # czechia
+ "tcp://[2a03:3b40:fe:ab::1]:46370"
+ "tcp://[2a05:9403::8b]:7743"
+
+ # polen
+ "tcp://[2001:41d0:601:1100::cf2]:37145"
+ ];
+ NodeInfo = {
+ # This information is visible to the network.
+ name = "y.c3d2.de";
+ location = "Dresden";
+ email = "ehmry@c3d2.de";
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."y.c3d2.de" = {
+ default = true;
+ locations."/".proxyPass = "https://c3d2.de";
+ };
+ };
+
+}
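Review bot: `yggAddress` in the `let` block is never referenced — only `yggPrefix` is used, in the second ipv6 address — and the same value is now stored as `hostRegistry.hosts.yggdrasil.ygg`, so the binding should be dropped or replaced by the registry value to keep a single copy. The comment `# taken from the output of "yggdrasilctl getself".` sits below `yggPrefix` yet appears to describe both addresses, and `# Forward traffic under the prefix.` trails the sysctl line it explains; putting each comment above the line it documents reads better. With `net.ipv6.conf.all.forwarding = 1` the file sets no forwarding policy at all, so whether traffic is relayed between eth0 and the Yggdrasil interface unfiltered depends on `./lib/lxc-container.nix`, which is not in this diff; a one-line comment stating the intended policy (or an explicit `networking.firewall` rule set here) would make that reviewable. The nginx vhost answers plain HTTP for `y.c3d2.de` and proxies to `https://c3d2.de`; if the listener is meant to be reachable only over the overlay network, a comment saying so would explain the absence of TLS on it.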