diff --git a/.gitignore b/.gitignore
index 52a88e1..7eb3d42 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,7 @@
 challenge-cmdline
 challenge-initrd.img
 challenge-kernel
+server-cmdline
+server-initrd.img
+server-kernel
 tftp/initramfs-login.img
diff --git a/server.yml b/server.yml
new file mode 100644
index 0000000..626ed51
--- /dev/null
+++ b/server.yml
@@ -0,0 +1,242 @@
+kernel:
+ image: linuxkit/kernel:4.9.82
+ cmdline: "console=tty0 console=ttyS0"
+
+init:
+ - linuxkit/init:d899eee3560a40aa3b4bdd67b3bb82703714b2b9
+ - linuxkit/runc:7c39a68490a12cde830e1922f171c451fb08e731
+ - linuxkit/containerd:37e397ebfc6bd5d8e18695b121166ffd0cbfd9f0
+ - linuxkit/ca-certificates:v0.2
+ - linuxkit/firmware:v0.2
+ - linuxkit/getty:v0.2
+
+onboot:
+ - name: sysctl
+ image: linuxkit/sysctl:v0.2
+ binds:
+ - /etc/sysctl.d/:/etc/sysctl.d/:ro
+
+ # Network: exposed
+ - name: netvlan-iface-setup
+ image: linuxkit/ip:v0.2
+ command: ["/bin/sh", "-c", "ip a add 172.23.191.254/18 dev eth0.7; ip link set eth0.7 up;" ]
+ net: new
+ runtime:
+ interfaces:
+ - name: eth0.7
+ add: vlan
+ vlanid: 7
+ - name: ns-iface-setup
+ image: linuxkit/ip:v0.2
+ command: ["/bin/sh", "-c", "ip a add 172.23.0.2/17 dev vethin-validator; ip link set vethin-validator up;" ]
+ net: new
+ runtime:
+ interfaces:
+ - name: vethin-validator
+ add: veth
+ peer: veth-validator
+ bindNS:
+ net: /run/netns/ns
+ - name: bridge-ext-setup
+ image: linuxkit/ip:v0.2
+ command: ["/bin/sh", "-c", "ip a add 192.168.0.46/24 dev br-ext; ip a add 172.23.0.1/17 dev br-ext; ip link set eth0 master br-ext; ip link set veth-validator master br-ext; ip link set br-ext up; ip link set veth-validator up; ip link set eth0 up" ]
+ runtime:
+ interfaces:
+ - name: br-ext
+ add: bridge
+ - name: ns-iface-setup
+ image: linuxkit/ip:v0.2
+ command: ["/bin/sh", "-c", "ip a add 172.23.200.2/24 dev vethin-ns; ip link set vethin-ns up;" ]
+ net: new
+ runtime:
+ interfaces:
+ - name: vethin-ns
+ add: veth
+ peer: veth-ns
+ bindNS:
+ net: /run/netns/ns
+ - name: time-iface-setup
+ image: linuxkit/ip:v0.2
+ command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-time; ip link set vethin-time up;" ]
+ net: new
+ runtime:
+ interfaces:
+ - name: vethin-time
+ add: veth
+ peer: veth-time
+ bindNS:
+ net: /run/netns/time
+ - name: mail-iface-setup
+ image: linuxkit/ip:v0.2
+ command: ["/bin/sh", "-c", "ip a add 172.23.200.3/24 dev vethin-mail; ip link set vethin-mail up;" ]
+ net: new
+ runtime:
+ interfaces:
+ - name: vethin-mail
+ add: veth
+ peer: veth-mail
+ bindNS:
+ net: /run/netns/mail
+ - name: bridge-int-setup
+ image: linuxkit/ip:v0.2
+ command: ["/bin/sh", "-c", "ip a add 172.23.200.254/24 dev br-int; ip link set veth-ns master br-int; ip link set veth-time master br-int; ip link set veth-mail master br-int; ip link set br-int up; ip link set veth-ns up; ip link set veth-time up; ip link set veth-mail up" ]
+ runtime:
+ interfaces:
+ - name: br-int
+ add: bridge
+
+ - name: fw
+ image: linuxkit/ip:v0.2
+ command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
+
+services:
+ - name: rngd
+ image: linuxkit/rngd:v0.2
+ - name: sshd
+ image: linuxkit/sshd:v0.2
+
+# - name: dhcpd
+# image: nemunaire/tftpd
+# binds:
+# - /srv/tftp:/srv/tftp:ro
+
+ - name: tftpd
+ image: nemunaire/tftpd:50bdb5c4e9f17b13d848fc474fd98d3639cb36e9
+ binds:
+ - /srv/tftp:/srv/tftp:ro
+
+ - name: nginx
+ image: nginx:alpine
+ capabilities:
+ - CAP_NET_BIND_SERVICE
+ - CAP_CHOWN
+ - CAP_SETUID
+ - CAP_SETGID
+ - CAP_DAC_OVERRIDE
+ binds:
+ - /etc/resolv.conf:/etc/resolv.conf:ro
+ - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+
+ - name: login-validator
+ image: nemunaire/adlin-login-validator:1bd441243a095180fd4058e6c7fc8fc38f850ab8-dirty
+ command: ["/bin/login-validator", "-bind=:8081"]
+ binds:
+ - /srv/students.csv:/srv/students.csv:ro
+
+ - name: ns
+ image: nemunaire/unbound:999f99022b07a84063baa48b7143c90186c937d0
+ net: /run/netns/ns
+ binds:
+ - /etc/unbound:/etc/unbound:ro
+
+ - name: time
+ image: linuxkit/openntpd:v0.2
+ net: /run/netns/time
+ binds:
+ - /etc/ntpd.conf:/etc/ntpd.conf:ro
+
+files:
+ - path: root/.ssh/authorized_keys
+ source: ~/.ssh/id_ed25519.pub
+ mode: "0400"
+
+ - path: /srv/students.csv
+ source: students.csv
+ mode: "0400"
+
+ - path: etc/iptables/rules.v6
+ contents: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD DROP [0:0]
+ :OUTPUT DROP [0:0]
+ COMMIT
+ mode: "0440"
+ - path: etc/iptables/rules-admin.v4
+ contents: |
+ *filter
+ :INPUT DROP [0:0]
+ :FORWARD ACCEPT [0:0]
+ :OUTPUT DROP [0:0]
+ [0:0] -A INPUT -i lo -j ACCEPT
+ [0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
+ [0:0] -A INPUT -p icmp -j ACCEPT
+ [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ [0:0] -A INPUT -i eth0 -s 172.23.0.0/17 -p tcp -m conntrack --ctstate NEW -m tcp --dport ssh -j ACCEPT
+ [0:0] -A INPUT -j LOG
+ [0:0] -A FORWARD -j LOG
+ [0:0] -A OUTPUT -o lo -j ACCEPT
+ [0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ [0:0] -A OUTPUT -j LOG
+ [0:0] -A OUTPUT -j REJECT
+ COMMIT
+ mode: "0440"
+
+ - path: etc/unbound/unbound.conf
+ contents: |
+ server:
+ verbosity: 1
+ interface: 0.0.0.0
+ interface: ::0
+ prefer-ip6: no
+ access-control: 172.23.0.0/16 allow
+ log-queries: yes
+ log-replies: yes
+ hide-identity: yes
+ hide-version: yes
+ qname-minimisation: yes
+ domain-insecure: "."
+ val-permissive-mode: yes
+ root-hints: /etc/unbound/root.hints
+ trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
+ remote-control:
+ control-enable: no
+ forward-zone:
+ name: "."
+ forward-addr: 192.168.0.1
+ mode: "0440"
+
+ - path: etc/nginx/nginx.conf
+ contents: |
+ user nginx;
+ worker_processes 2;
+ error_log /var/log/nginxærror.log warn;
+ pid /var/run/nginx.pid;
+ events {
+ worker_connections 1024;
+ }
+ http {
+ include ætc/nginx/mime.types;
+ default_type applicationøctet-stream;
+ log_format main '$remoteªddr - $remote_user [$time_local] "$request"'
+ '$status $body_bytes_sent "$http_referer"'
+ '"$http_userªgent""$http_x_forwarded_for"';
+ access_log /var/log/nginxåccess.log main;
+ sendfile on;
+ #tcp_nopush on;
+ keepalive_timeout 65;
+ #gzip on;
+ server {
+ listen 80 default;
+ listen [::]:80 default;
+ location = /{
+ return 403;
+ }
+ }
+ }
+ mode: "0440"
+
+ - path: etc/ntpd.conf
+ contents: |
+ listen on *
+ servers pool.ntp.org
+ mode: "0440"
+
+ - path: srv/tftp
+ directory: true
+ mode: "0755"
+
+trust:
+ org:
+ - linuxkit
+ - library
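Review bot: The `fw` onboot step restores `/etc/iptables/rules.v4`, but the `files:` section only creates `etc/iptables/rules.v6` and `etc/iptables/rules-admin.v4`, and unlike the `sysctl` step it declares no `binds:` exposing `/etc/iptables` inside the container, so the IPv4 restore will most likely fail and the host would then run with iptables' default ACCEPT policy while sshd, tftpd, nginx and login-validator listen in the host network namespace. Either rename the file to `rules.v4` or point the command at `rules-admin.v4`, add `binds: - /etc/iptables:/etc/iptables:ro`, and use `/bin/sh` with `&&` instead of `;` as the other `linuxkit/ip:v0.2` steps do, so that the step's exit status reflects a failed restore rather than continuing silently (I cannot confirm from here that the image ships `/bin/bash`). Separately, `time-iface-setup` and `mail-iface-setup` both assign `172.23.200.3/24` (to vethin-time and vethin-mail, both enslaved to br-int by `bridge-int-setup`), which is an address collision on the same segment, and the name `ns-iface-setup` is reused for two onboot entries (vethin-validator and vethin-ns), which makes boot logs ambiguous. The unbound config also sets `domain-insecure: "."` together with `val-permissive-mode: yes`, which effectively disables DNSSEC validation for every zone; if that is intentional for this lab network, a comment on those two lines saying so would help the next reader.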