Ildkule/openstack: fix networking

Removes systemd-networkd, and configures proper ipv4 and ipv6 in openstack.
grzegorz: follow stable nix channel
2024-09-05 00:24:22 +02:00 · 2024-09-03 13:28:13 +02:00 · 2024-09-03 13:10:36 +02:00 · 2024-09-03 13:07:58 +02:00 · 2024-09-03 13:00:12 +02:00 · 2024-09-02 23:12:24 +02:00
82 changed files with 2057 additions and 661 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,10 @@
 root = true
 [*]
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.nix]
 indent_style = space
 indent_size = 2
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
 use flake
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@ -0,0 +1 @@
 e00008da1afe0d760badd34bbeddff36bb08c475
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
 result*
 /configuration.nix
 /.direnv/
 *.qcow2
--- a/.sops.yaml
+++ b/.sops.yaml
@ -4,6 +4,9 @@ keys:
  - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
  - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
  - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
  # Hosts
  - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@ -20,6 +23,9 @@ creation_rules:
      - *user_danio
      - *user_felixalb
      - *user_eirikwit
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
@ -31,6 +37,9 @@ creation_rules:
      - *host_bekkalokk
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
@ -40,6 +49,9 @@ creation_rules:
      - *host_jokum
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
@ -49,6 +61,9 @@ creation_rules:
      - *host_ildkule
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
@ -58,5 +73,8 @@ creation_rules:
      - *host_bicep
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      pgp:
      - *user_oysteikt
--- a/README.MD
+++ b/README.MD
@ -26,10 +26,14 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
 som root på maskinen.
 Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
 `nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
 ## Seksjonen for hemmeligheter
 For at hemmeligheter ikke skal deles med hele verden i git - eller å være world
--- a/base.nix
+++ b/base.nix
@ -1,133 +0,0 @@
 { config, lib, pkgs, inputs, values, ... }:
 {
  imports = [
    ./users
    ./modules/snakeoil-certs.nix
  ];
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;
  systemd.network.enable = true;
  services.resolved = {
    enable = lib.mkDefault true;
    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };
  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };
  nix.gc.automatic = true;
  nix.gc.options = "--delete-older-than 2d";
  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  /* This makes commandline tools like
  ** nix run nixpkgs#hello
  ** and nix-shell -p hello
  ** use the same channel the system
  ** was built with
  */
  nix.registry = {
    nixpkgs.flake = inputs.nixpkgs;
  };
  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];
  programs.zsh.enable = true;
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
  services.openssh = {
    enable = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
    '';
    settings.PermitRootLogin = "yes";
  };
  # nginx return 444 for all nonexistent virtualhosts
  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };
  services.nginx = {
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    appendConfig = ''
      pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
      multi_accept on;
    '';
  };
  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
    LimitNOFILE = 65536;
  };
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };
  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
  };
 }
--- a/base/default.nix
+++ b/base/default.nix
@ -0,0 +1,60 @@
 { pkgs, lib, ... }:
 {
  imports = [
    ../users
    ../modules/snakeoil-certs.nix
    ./networking.nix
    ./nix.nix
    ./services/acme.nix
    ./services/auto-upgrade.nix
    ./services/irqbalance.nix
    ./services/logrotate.nix
    ./services/nginx.nix
    ./services/openssh.nix
    ./services/postfix.nix
    ./services/smartd.nix
    ./services/thermald.nix
  ];
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "no";
  };
  environment.systemPackages = with pkgs; [
    file
    git
    gnupg
    htop
    nano
    ripgrep
    rsync
    screen
    tmux
    vim
    wget
    kitty.terminfo
  ];
  programs.zsh.enable = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
  '';
  users.groups."drift".name = "drift";
  # Trusted users on the nix builder machines
  users.groups."nix-builder-users".name = "nix-builder-users";
 }
--- a/base/networking.nix
+++ b/base/networking.nix
@ -0,0 +1,16 @@
 { lib, values, ... }:
 {
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
  # networking.tempAddresses = lib.mkDefault "disabled";
  # networking.defaultGateway = values.hosts.gateway;
  systemd.network.enable = true;
  services.resolved = {
    enable = lib.mkDefault true;
    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
 }
--- a/base/nix.nix
+++ b/base/nix.nix
@ -0,0 +1,34 @@
 { inputs, ... }:
 {
  nix = {
    gc = {
      automatic = true;
      options = "--delete-older-than 2d";
    };
    settings = {
      allow-dirty = true;
      auto-optimise-store = true;
      builders-use-substitutes = true;
      experimental-features = [ "nix-command" "flakes" ];
      log-lines = 50;
      use-xdg-base-directories = true;
    };
    /* This makes commandline tools like
    ** nix run nixpkgs#hello
    ** and nix-shell -p hello
    ** use the same channel the system
    ** was built with
    */
    registry = {
      "nixpkgs".flake = inputs.nixpkgs;
      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
      "pvv-nix".flake = inputs.self;
    };
    nixPath = [
      "nixpkgs=${inputs.nixpkgs}"
      "unstable=${inputs.nixpkgs-unstable}"
    ];
  };
 }
--- a/base/services/acme.nix
+++ b/base/services/acme.nix
@ -0,0 +1,15 @@
 { ... }:
 {
  security.acme = {
    acceptTerms = true;
    defaults.email = "drift@pvv.ntnu.no";
  };
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
  virtualisation.vmVariant = {
    security.acme.defaults.server = "https://127.0.0.1";
    security.acme.preliminarySelfsigned = true;
    users.users.root.initialPassword = "root";
  };
 }
--- a/base/services/auto-upgrade.nix
+++ b/base/services/auto-upgrade.nix
@ -0,0 +1,12 @@
 { ... }:
 {
  system.autoUpgrade = {
    enable = true;
    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
    flags = [
      "--update-input" "nixpkgs"
      "--update-input" "nixpkgs-unstable"
      "--no-write-lock-file"
    ];
  };
 }
--- a/base/services/irqbalance.nix
+++ b/base/services/irqbalance.nix
@ -0,0 +1,4 @@
 { ... }:
 {
  services.irqbalance.enable = true;
 }
--- a/base/services/logrotate.nix
+++ b/base/services/logrotate.nix
@ -0,0 +1,42 @@
 { ... }:
 {
  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
  systemd.services.logrotate = {
    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
    unitConfig.RequiresMountsFor = "/var/log";
    serviceConfig = {
      Nice = 19;
      IOSchedulingClass = "best-effort";
      IOSchedulingPriority = 7;
      ReadWritePaths = [ "/var/log" ];
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true; # disable for third party rotate scripts
      PrivateDevices = true;
      PrivateNetwork = true; # disable for mail delivery
      PrivateTmp = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true; # disable for userdir logs
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "full";
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true; # disable for creating setgid directories
      SocketBindDeny = [ "any" ];
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  };
 }
--- a/base/services/nginx.nix
+++ b/base/services/nginx.nix
@ -0,0 +1,44 @@
 { config, lib, ... }:
 {
  # nginx return 444 for all nonexistent virtualhosts
  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };
  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
  services.nginx = {
    recommendedTlsSettings = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    appendConfig = ''
      pcre_jit on;
      worker_processes auto;
      worker_rlimit_nofile 100000;
    '';
    eventsConfig = ''
      worker_connections 2048;
      use epoll;
      multi_accept on;
    '';
  };
  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
    LimitNOFILE = 65536;
  };
  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };
 }
--- a/base/services/openssh.nix
+++ b/base/services/openssh.nix
@ -0,0 +1,14 @@
 { ... }:
 {
  services.openssh = {
    enable = true;
    startWhenNeeded = true;
    extraConfig = ''
      PubkeyAcceptedAlgorithms=+ssh-rsa
      Match Group wheel
        PasswordAuthentication no
      Match All
    '';
    settings.PermitRootLogin = "yes";
  };
 }
--- a/base/services/postfix.nix
+++ b/base/services/postfix.nix
@ -0,0 +1,23 @@
 { config, pkgs, lib, ... }:
 let
  cfg = config.services.postfix;
 in
 {
  services.postfix = {
    enable = true;
    hostname = "${config.networking.hostName}.pvv.ntnu.no";
    domain = "pvv.ntnu.no";
    relayHost = "smtp.pvv.ntnu.no";
    relayPort = 465;
    config = {
      smtp_tls_wrappermode = "yes";
      smtp_tls_security_level = "encrypt";
    };
    # Nothing should be delivered to this machine
    destination = [ ];
  };
 }
--- a/base/services/smartd.nix
+++ b/base/services/smartd.nix
@ -0,0 +1,8 @@
 { config, pkgs, lib, ... }:
 {
  services.smartd.enable = lib.mkDefault true;
  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
    smartmontools
  ]);
 }
--- a/base/services/thermald.nix
+++ b/base/services/thermald.nix
@ -0,0 +1,8 @@
 { config, lib, ... }:
 {
  # Let's not thermal throttle
  services.thermald.enable = lib.mkIf (lib.all (x: x) [
      (config.nixpkgs.system == "x86_64-linux")
      (!config.boot.isContainer or false)
    ]) true;
 }
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715445235,
+        "lastModified": 1725242307,
-        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
+        "narHash": "sha256-a2iTMBngegEZvaNAzzxq5Gc5Vp3UWoGUqWtK11Txbic=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
+        "rev": "96073e6423623d4a8027e9739d2af86d6422ea7a",
        "type": "github"
      },
      "original": {
@ -63,15 +63,15 @@
      "inputs": {
        "fix-python": "fix-python",
        "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1715364232,
+        "lastModified": 1716065905,
-        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
+        "narHash": "sha256-08uhxBzfakfhl/ooc+gMzDupWKYvTeyQZwuvB1SBS7A=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz",
-        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
+        "rev": "0481aef6553ae9aee86e4edb4ca0ed4f2eba2058",
        "type": "github"
      },
      "original": {
@ -87,11 +87,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1715384651,
+        "lastModified": 1716115695,
-        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
+        "narHash": "sha256-aI65l4x+U5v3i/nfn6N3eW5IZodmf4pyAByE7vTJh8I=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz-clients",
-        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
+        "rev": "b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe",
        "type": "github"
      },
      "original": {
@ -121,6 +121,21 @@
        "type": "github"
      }
    },
    "minecraft-data": {
      "locked": {
        "lastModified": 1725277886,
        "narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
        "ref": "refs/heads/master",
        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
        "revCount": 2,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
      }
    },
    "nix-gitea-themes": {
      "inputs": {
        "nixpkgs": [
@ -143,11 +158,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1719520878,
+        "lastModified": 1725198597,
-        "narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
+        "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
+        "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6",
        "type": "github"
      },
      "original": {
@ -158,27 +173,27 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1714858427,
+        "lastModified": 1721524707,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1715435713,
+        "lastModified": 1725183711,
-        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
+        "narHash": "sha256-gkjg8FfjL92azt3gzZUm1+v+U4y+wbQE630uIf4Aybo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
+        "rev": "a2c345850e5e1d96c62e7fa8ca6c9d77ebad1c37",
        "type": "github"
      },
      "original": {
@ -194,11 +209,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1693136143,
+        "lastModified": 1723850344,
-        "narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
+        "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
        "ref": "refs/heads/main",
-        "rev": "a32894b305f042d561500f5799226afd1faf5abb",
+        "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
-        "revCount": 9,
+        "revCount": 19,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      },
@ -214,11 +229,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718404592,
+        "lastModified": 1725212759,
-        "narHash": "sha256-Ud8pD0mxmbfvwBXKy2q3Yp8r1EofaTcodZtI3fbnfDY=",
+        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
        "ref": "refs/heads/master",
-        "rev": "6e4a79ed3ddae8dfc80eb8af1789985d07bcf297",
+        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
-        "revCount": 463,
+        "revCount": 473,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@ -233,6 +248,7 @@
        "grzegorz": "grzegorz",
        "grzegorz-clients": "grzegorz-clients",
        "matrix-next": "matrix-next",
        "minecraft-data": "minecraft-data",
        "nix-gitea-themes": "nix-gitea-themes",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
@ -249,11 +265,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1715244550,
+        "lastModified": 1725201042,
-        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
+        "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
+        "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -24,9 +24,11 @@
    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
    grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs";
    grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
    minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
  };
  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@ -37,8 +39,8 @@
      "aarch64-linux"
      "aarch64-darwin"
    ];
-    forAllSystems = f: nixlib.genAttrs systems (system: f system);
+    forAllSystems = f: nixlib.genAttrs systems f;
-    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    allMachines = builtins.attrNames self.nixosConfigurations;
    importantMachines = [
      "bekkalokk"
      "bicep"
@ -47,6 +49,8 @@
      "ildkule"
    ];
  in {
    inherit inputs;
    nixosConfigurations = let
      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
      nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
@ -90,6 +94,7 @@
            heimdal = unstablePkgs.heimdal;
            mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
            bluemap = final.callPackage ./packages/bluemap.nix { };
          })
          inputs.nix-gitea-themes.overlays.default
          inputs.pvv-nettsiden.overlays.default
@ -124,6 +129,11 @@
      buskerud = stableNixosConfig "buskerud" { };
    };
    nixosModules = {
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
    };
    devShells = forAllSystems (system: {
      default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
    });
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@ -3,14 +3,16 @@
  imports = [
    ./hardware-configuration.nix
-    ../../base.nix
+    ../../base
    ../../misc/metrics-exporters.nix
    ./services/bluemap/default.nix
    ./services/gitea/default.nix
    ./services/idp-simplesamlphp
    ./services/kerberos
    ./services/mediawiki
    ./services/nginx.nix
    ./services/phpfpm.nix
    ./services/vaultwarden.nix
    ./services/webmail
    ./services/website
@ -31,6 +33,8 @@
    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  services.btrfs.autoScrub.enable = true;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
--- a/hosts/bekkalokk/services/bluemap/default.nix
+++ b/hosts/bekkalokk/services/bluemap/default.nix
@ -0,0 +1,83 @@
 { config, lib, pkgs, inputs, ... }:
 let
  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
 in {
  imports = [
    ./module.nix # From danio, pending upstreaming
  ];
  disabledModules = [ "services/web-servers/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    host = "minecraft.pvv.ntnu.no";
    maps = {
      "verden" = {
        settings = {
          world = vanillaSurvival;
          sorting = 0;
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
        };
      };
      "underverden" = {
        settings = {
          world = "${vanillaSurvival}/DIM-1";
          sorting = 100;
          sky-color = "#290000";
          void-color = "#150000";
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          max-y = 90;
          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
        };
      };
      "enden" = {
        settings = {
          world = "${vanillaSurvival}/DIM1";
          sorting = 200;
          sky-color = "#080010";
          void-color = "#080010";
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
        };
      };
    };
  };
  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
  };
  # TODO: render somewhere else lmao
  systemd.services."render-bluemap-maps" = {
    preStart = ''
      mkdir -p /var/lib/bluemap/world
      ${pkgs.rsync}/bin/rsync \
        -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
        -avz --no-owner --no-group \
        root@innovation.pvv.ntnu.no:/ \
        ${vanillaSurvival}
    '';
    serviceConfig = {
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
 }
--- a/hosts/bekkalokk/services/bluemap/module.nix
+++ b/hosts/bekkalokk/services/bluemap/module.nix
@ -0,0 +1,343 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.bluemap;
  format = pkgs.formats.hocon { };
  coreConfig = format.generate "core.conf" cfg.coreSettings;
  webappConfig = format.generate "webapp.conf" cfg.webappSettings;
  webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
  storageFolder = pkgs.linkFarm "storage"
    (lib.attrsets.mapAttrs' (name: value:
      lib.nameValuePair "${name}.conf"
        (format.generate "${name}.conf" value))
      cfg.storage);
  mapsFolder = pkgs.linkFarm "maps"
    (lib.attrsets.mapAttrs' (name: value:
      lib.nameValuePair "${name}.conf"
        (format.generate "${name}.conf" value.settings))
      cfg.maps);
  webappConfigFolder = pkgs.linkFarm "bluemap-config" {
    "maps" = mapsFolder;
    "storages" = storageFolder;
    "core.conf" = coreConfig;
    "webapp.conf" = webappConfig;
    "webserver.conf" = webserverConfig;
    "packs" = cfg.resourcepacks;
    "addons" = cfg.resourcepacks; # TODO
  };
  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
    "maps" = pkgs.linkFarm "maps" {
      "${name}.conf" = (format.generate "${name}.conf" value.settings);
    };
    "storages" = storageFolder;
    "core.conf" = coreConfig;
    "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
    "webserver.conf" = webserverConfig;
    "packs" = value.resourcepacks;
    "addons" = cfg.resourcepacks; # TODO
  };
  inherit (lib) mkOption;
 in {
  options.services.bluemap = {
    enable = lib.mkEnableOption "bluemap";
    eula = mkOption {
      type = lib.types.bool;
      description = ''
        By changing this option to true you confirm that you own a copy of minecraft Java Edition,
        and that you agree to minecrafts EULA.
      '';
      default = false;
    };
    defaultWorld = mkOption {
      type = lib.types.path;
      description = ''
        The world used by the default map ruleset.
        If you configure your own maps you do not need to set this.
      '';
      example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
    };
    enableRender = mkOption {
      type = lib.types.bool;
      description = "Enable rendering";
      default = true;
    };
    webRoot = mkOption {
      type = lib.types.path;
      default = "/var/lib/bluemap/web";
      description = "The directory for saving and serving the webapp and the maps";
    };
    enableNginx = mkOption {
      type = lib.types.bool;
      default = true;
      description = "Enable configuring a virtualHost for serving the bluemap webapp";
    };
    host = mkOption {
      type = lib.types.str;
      default = "bluemap.${config.networking.domain}";
      defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
      description = "Domain to configure nginx for";
    };
    onCalendar = mkOption {
      type = lib.types.str;
      description = ''
        How often to trigger rendering the map,
        in the format of a systemd timer onCalendar configuration.
        See {manpage}`systemd.timer(5)`.
      '';
      default = "*-*-* 03:10:00";
    };
    coreSettings = mkOption {
      type = lib.types.submodule {
        freeformType = format.type;
        options = {
          data = mkOption {
            type = lib.types.path;
            description = "Folder for where bluemap stores its data";
            default = "/var/lib/bluemap";
          };
          metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
        };
      };
      description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
    };
    webappSettings = mkOption {
      type = lib.types.submodule {
        freeformType = format.type;
      };
      default = {
        enabled = true;
        webroot = cfg.webRoot;
      };
      defaultText = lib.literalExpression ''
        {
          enabled = true;
          webroot = config.services.bluemap.webRoot;
        }
      '';
      description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
    };
    webserverSettings = mkOption {
      type = lib.types.submodule {
        freeformType = format.type;
        options = {
          enabled = mkOption {
            type = lib.types.bool;
            description = ''
              Enable bluemap's built-in webserver.
              Disabled by default in nixos for use of nginx directly.
            '';
            default = false;
          };
        };
      };
      default = { };
      description = ''
        Settings for the webserver.conf file, usually not required.
        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
      '';
    };
    maps = mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        options = {
          resourcepacks = mkOption {
            type = lib.types.path;
            default = cfg.resourcepacks;
            defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
          };
          settings = mkOption {
            type = (lib.types.submodule {
              freeformType = format.type;
              options = {
                world = mkOption {
                  type = lib.types.path;
                  description = "Path to world folder containing the dimension to render";
                };
              };
            });
            description = ''
              Settings for files in `maps/`.
              See the default for an example with good options for the different world types.
              For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
            '';
          };
        };
      });
      default = {
        "overworld".settings = {
          world = "${cfg.defaultWorld}";
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
        };
        "nether".settings = {
          world = "${cfg.defaultWorld}/DIM-1";
          sorting = 100;
          sky-color = "#290000";
          void-color = "#150000";
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          max-y = 90;
        };
        "end".settings = {
          world = "${cfg.defaultWorld}/DIM1";
          sorting = 200;
          sky-color = "#080010";
          void-color = "#080010";
          ambient-light = 0.6;
          world-sky-light = 0;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
        };
      };
      defaultText = lib.literalExpression ''
        {
          "overworld".settings = {
            world = "''${cfg.defaultWorld}";
            ambient-light = 0.1;
            cave-detection-ocean-floor = -5;
          };
          "nether".settings = {
            world = "''${cfg.defaultWorld}/DIM-1";
            sorting = 100;
            sky-color = "#290000";
            void-color = "#150000";
            ambient-light = 0.6;
            world-sky-light = 0;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
            cave-detection-uses-block-light = true;
            max-y = 90;
          };
          "end".settings = {
            world = "''${cfg.defaultWorld}/DIM1";
            sorting = 200;
            sky-color = "#080010";
            void-color = "#080010";
            ambient-light = 0.6;
            world-sky-light = 0;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
          };
        };
      '';
      description = ''
        map-specific configuration.
        These correspond to views in the webapp and are usually
        different dimension of a world or different render settings of the same dimension.
        If you set anything in this option you must configure all dimensions yourself!
      '';
    };
    storage = mkOption {
      type = lib.types.attrsOf (lib.types.submodule {
        freeformType = format.type;
        options = {
          storage-type = mkOption {
            type = lib.types.enum [ "FILE" "SQL" ];
            description = "Type of storage config";
            default = "FILE";
          };
        };
      });
      description = ''
        Where the rendered map will be stored.
        Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
      '';
      default = {
        "file" = {
          root = "${cfg.webRoot}/maps";
        };
      };
      defaultText = lib.literalExpression ''
        {
          "file" = {
            root = "''${config.services.bluemap.webRoot}/maps";
          };
        }
      '';
    };
    resourcepacks = mkOption {
      type = lib.types.path;
      default = pkgs.linkFarm "resourcepacks" { };
      description = ''
        A set of resourcepacks/mods to extract models from loaded in alphabetical order.
        Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    assertions =
      [ { assertion = config.services.bluemap.eula;
          message = ''
            You have enabled bluemap but have not accepted minecraft's EULA.
            You can achieve this through setting `services.bluemap.eula = true`
          '';
        }
      ];
    services.bluemap.coreSettings.accept-download = cfg.eula;
    systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
      serviceConfig = {
        Type = "oneshot";
        Group = "nginx";
        UMask = "026";
      };
      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
    };
    systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = cfg.onCalendar;
        Persistent = true;
        Unit = "render-bluemap-maps.service";
      };
    };
    services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
      "${cfg.host}" = {
        root = config.services.bluemap.webRoot;
        locations = {
          "~* ^/maps/[^/]*/tiles/".extraConfig = ''
            error_page 404 = @empty;
          '';
          "@empty".return = "204";
        };
      };
    };
  };
  meta = {
    maintainers = with lib.maintainers; [ dandellion h7x4 ];
  };
 }
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@ -6,7 +6,8 @@ let
 in {
  imports = [
    ./ci.nix
-    ./import-users.nix
+    ./import-users
    ./web-secret-provider
  ];
  sops.secrets = {
@ -58,6 +59,7 @@ in {
      service = {
        DISABLE_REGISTRATION = true;
        ENABLE_NOTIFY_MAIL = true;
        AUTO_WATCH_NEW_REPOS = false;
      };
      admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
      session.COOKIE_SECURE = true;
@ -135,10 +137,16 @@ in {
    script = let
      logo-svg = ../../../../assets/logo_blue_regular.svg;
      logo-png = ../../../../assets/logo_blue_regular.png;
      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
      '';
    in ''
      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
    '';
  };
 }
--- a/hosts/bekkalokk/services/gitea/gitea-import-users.py
+++ b/hosts/bekkalokk/services/gitea/gitea-import-users.py
@ -1,94 +0,0 @@
 import requests
 import secrets
 import os
 EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
 if EMAIL_DOMAIN is None:
    EMAIL_DOMAIN = 'pvv.ntnu.no'
 API_TOKEN = os.getenv('API_TOKEN')
 if API_TOKEN is None:
    raise Exception('API_TOKEN not set')
 GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 BANNED_SHELLS = [
    "/usr/bin/nologin",
    "/usr/sbin/nologin",
    "/sbin/nologin",
    "/bin/false",
    "/bin/msgsh",
 ]
 existing_users = {}
 # This function should only ever be called when adding users
 # from the passwd file
 def add_user(username, name):
    user = {
            "full_name": name,
            "username": username,
            "login_name": username,
            "source_id": 1,  # 1 = SMTP
    }
    if username not in existing_users:
        user["password"] = secrets.token_urlsafe(32)
        user["must_change_password"] = False
        user["visibility"] = "private"
        user["email"] = username + '@' + EMAIL_DOMAIN
        r = requests.post(GITEA_API_URL + '/admin/users', json=user,
                          headers={'Authorization': 'token ' + API_TOKEN})
        if r.status_code != 201:
            print('ERR: Failed to create user ' + username + ': ' + r.text)
            return
        print('Created user ' + username)
        existing_users[username] = user
    else:
        user["visibility"] = existing_users[username]["visibility"]
        r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
                           json=user,
                           headers={'Authorization': 'token ' + API_TOKEN})
        if r.status_code != 200:
            print('ERR: Failed to update user ' + username + ': ' + r.text)
            return
        print('Updated user ' + username)
 def main():
    # Fetch existing users
    r = requests.get(GITEA_API_URL + '/admin/users',
                     headers={'Authorization': 'token ' + API_TOKEN})
    if r.status_code != 200:
        raise Exception('Failed to get users: ' + r.text)
    for user in r.json():
        existing_users[user['login']] = user
    # Read the file, add each user
    with open("/tmp/passwd-import", 'r') as f:
        for line in f.readlines():
            uid = int(line.split(':')[2])
            if uid < 1000:
                continue
            shell = line.split(':')[-1]
            if shell in BANNED_SHELLS:
                continue
            username = line.split(':')[0]
            name = line.split(':')[4].split(',')[0]
            add_user(username, name)
 if __name__ == '__main__':
    main()
--- a/hosts/bekkalokk/services/gitea/import-users/default.nix
+++ b/hosts/bekkalokk/services/gitea/import-users/default.nix
@ -14,6 +14,9 @@ in
    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
    serviceConfig = {
      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
        flakeIgnore = [
          "E501" # Line over 80 chars lol
        ];
        libraries = with pkgs.python3Packages; [ requests ];
      } (builtins.readFile ./gitea-import-users.py);
      LoadCredential=[
--- a/hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
+++ b/hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py
@ -0,0 +1,198 @@
 import requests
 import secrets
 import os
 EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
 if EMAIL_DOMAIN is None:
    EMAIL_DOMAIN = 'pvv.ntnu.no'
 API_TOKEN = os.getenv('API_TOKEN')
 if API_TOKEN is None:
    raise Exception('API_TOKEN not set')
 GITEA_API_URL = os.getenv('GITEA_API_URL')
 if GITEA_API_URL is None:
    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
 def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
    r = requests.get(
        GITEA_API_URL + '/admin/users',
        headers={'Authorization': 'token ' + API_TOKEN}
    )
    if r.status_code != 200:
        print('Failed to get users:', r.text)
        return None
    return {user['login']: user for user in r.json()}
 def gitea_create_user(username: str, userdata: dict[str, any]) -> bool:
    r = requests.post(
        GITEA_API_URL + '/admin/users',
        json=userdata,
        headers={'Authorization': 'token ' + API_TOKEN},
    )
    if r.status_code != 201:
        print(f'ERR: Failed to create user {username}:', r.text)
        return False
    return True
 def gitea_edit_user(username: str, userdata: dict[str, any]) -> bool:
    r = requests.patch(
        GITEA_API_URL + f'/admin/users/{username}',
        json=userdata,
        headers={'Authorization': 'token ' + API_TOKEN},
    )
    if r.status_code != 200:
        print(f'ERR: Failed to update user {username}:', r.text)
        return False
    return True
 def gitea_list_teams_for_organization(org: str) -> dict[str, any] | None:
    r = requests.get(
        GITEA_API_URL + f'/orgs/{org}/teams',
        headers={'Authorization': 'token ' + API_TOKEN},
    )
    if r.status_code != 200:
        print(f"ERR: Failed to list teams for {org}:", r.text)
        return None
    return {team['name']: team for team in r.json()}
 def gitea_add_user_to_organization_team(username: str, team_id: int) -> bool:
    r = requests.put(
        GITEA_API_URL + f'/teams/{team_id}/members/{username}',
        headers={'Authorization': 'token ' + API_TOKEN},
    )
    if r.status_code != 204:
        print(f'ERR: Failed to add user {username} to org team {team_id}:', r.text)
        return False
    return True
 # If a passwd user has one of the following shells,
 # it is most likely not a PVV user, but rather a system user.
 # Users with these shells should thus be ignored.
 BANNED_SHELLS = [
    "/usr/bin/nologin",
    "/usr/sbin/nologin",
    "/sbin/nologin",
    "/bin/false",
    "/bin/msgsh",
 ]
 # Reads out a passwd-file line for line, and filters out
 # real PVV users (as opposed to system users meant for daemons and such)
 def passwd_file_parser(passwd_path):
    with open(passwd_path, 'r') as f:
        for line in f.readlines():
            uid = int(line.split(':')[2])
            if uid < 1000:
                continue
            shell = line.split(':')[-1]
            if shell in BANNED_SHELLS:
                continue
            username = line.split(':')[0]
            name = line.split(':')[4].split(',')[0]
            yield (username, name)
 # This function either creates a new user in gitea
 # and fills it out with some default information if
 # it does not exist, or ensures that the default information
 # is correct if the user already exists. All user information
 # (including non-default fields) is pulled from gitea and added
 # to the `existing_users` dict
 def add_or_patch_gitea_user(
    username: str,
    name: str,
    existing_users: dict[str, dict[str, any]],
 ) -> None:
    user = {
        "full_name": name,
        "username": username,
        "login_name": username,
        "source_id": 1,  # 1 = SMTP
    }
    if username not in existing_users:
        user["password"] = secrets.token_urlsafe(32)
        user["must_change_password"] = False
        user["visibility"] = "private"
        user["email"] = username + '@' + EMAIL_DOMAIN
        if not gitea_create_user(username, user):
            return
        print('Created user', username)
        existing_users[username] = user
    else:
        user["visibility"] = existing_users[username]["visibility"]
        if not gitea_edit_user(username, user):
            return
        print('Updated user', username)
 # This function adds a user to a gitea team (part of organization)
 # if the user is not already part of said team.
 def ensure_gitea_user_is_part_of_team(
    username: str,
    org: str,
    team_name: str,
 ) -> None:
    teams = gitea_list_teams_for_organization(org)
    if teams is None:
        return
    if team_name not in teams:
        print(f'ERR: could not find team "{team_name}" in organization "{org}"')
    gitea_add_user_to_organization_team(username, teams[team_name]['id'])
    print(f'User {username} is now part of {org}/{team_name}')
 # List of teams that all users should be part of by default
 COMMON_USER_TEAMS = [
    ("Projects", "Members"),
    ("Kurs", "Members"),
 ]
 def main():
    existing_users = gitea_list_all_users()
    if existing_users is None:
        exit(1)
    for username, name in passwd_file_parser("/tmp/passwd-import"):
        print(f"Processing {username}")
        add_or_patch_gitea_user(username, name, existing_users)
        for org, team_name in COMMON_USER_TEAMS:
            ensure_gitea_user_is_part_of_team(username, org, team_name)
        print()
 if __name__ == '__main__':
    main()
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/default.nix
@ -0,0 +1,114 @@
 { config, pkgs, lib, ... }:
 let
  organizations = [
    "Drift"
    "Projects"
    "Kurs"
  ];
  giteaCfg = config.services.gitea;
  giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
    libraries = with pkgs.python3Packages; [ requests ];
    flakeIgnore = [
      "E501" # Line over 80 chars lol
      "E201" # "whitespace after {"
      "E202" # "whitespace after }"
      "E251" # unexpected spaces around keyword / parameter equals
      "W391" # Newline at end of file
    ];
    makeWrapperArgs = [
      "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
    ];
  } (builtins.readFile ./gitea-web-secret-provider.py);
 in
 {
  users.groups."gitea-web" = { };
  users.users."gitea-web" = {
    group = "gitea-web";
    isSystemUser = true;
  };
  sops.secrets."gitea/web-secret-provider/token" = {
    owner = "gitea-web";
    group = "gitea-web";
    restartUnits = [
      "gitea-web-secret-provider@"
    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
  };
  systemd.slices.system-giteaweb = {
    description = "Gitea web directories";
  };
  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
  # %i - instance name (after the @)
  # %d - secrets directory
  systemd.services."gitea-web-secret-provider@" = {
    description = "Ensure all repos in %i has an SSH key to push web content";
    requires = [ "gitea.service" "network.target" ];
    serviceConfig = {
      Slice = "system-giteaweb.slice";
      Type = "oneshot";
      ExecStart = let
        args = lib.cli.toGNUCommandLineShell { } {
          org = "%i";
          token-path = "%d/token";
          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
          key-dir = "/var/lib/gitea-web/keys/%i";
          authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
          rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
            ${lib.getExe pkgs.rrsync} -wo "$1"
            ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
          '';
          web-dir = "/var/lib/gitea-web/web";
        };
      in "${giteaWebSecretProviderScript} ${args}";
      User = "gitea-web";
      Group = "gitea-web";
      StateDirectory = "gitea-web";
      StateDirectoryMode = "0750";
      LoadCredential = [
        "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
      ];
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectSystem = true;
      ProtectHome = true;
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      MemoryDenyWriteExecute = true;
      LockPersonality = true;
    };
  };
  systemd.timers."gitea-web-secret-provider@" = {
    description = "Ensure all repos in %i has an SSH key to push web content";
    timerConfig = {
      RandomizedDelaySec = "1h";
      Persistent = true;
      Unit = "gitea-web-secret-provider@%i.service";
      OnCalendar = "daily";
    };
  };
  systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
  users.users.nginx.extraGroups = [ "gitea-web" ];
  services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
    kTLS = true;
    forceSSL = true;
    enableACME = true;
    root = "/var/lib/gitea-web/web";
  };
 }
--- a/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
+++ b/hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py
@ -0,0 +1,112 @@
 import argparse
 import hashlib
 import os
 import requests
 import subprocess
 from pathlib import Path
 def parse_args():
    parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
    parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
    parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
    parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
    parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
    parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
    parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
    parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
    parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
    return parser.parse_args()
 def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
    result = requests.put(
        f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
        json = { 'data': secret },
        headers = { 'Authorization': 'token ' + token },
    )
    if result.status_code not in (201, 204):
        raise Exception(f"Failed to add secret: {result.json()}")
 def get_org_repo_list(args: argparse.Namespace, token: str):
    result = requests.get(
        f"{args.api_url}/orgs/{args.org}/repos",
        headers = { 'Authorization': 'token ' + token },
    )
    return [repo["name"] for repo in result.json()]
 def generate_ssh_key(args: argparse.Namespace, repository: str):
    keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
    key_path = args.key_dir / keyname
    if not key_path.is_file() or args.force:
        subprocess.run(
            [
                "ssh-keygen",
                *("-t", "ed25519"),
                *("-f", key_path),
                *("-N", ""),
                *("-C", f"{args.org}/{repository}"),
            ],
            check=True,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
        )
        print(f"Generated SSH key for `{args.org}/{repository}`")
    with open(key_path, "r") as f:
        private_key = f.read()
    pub_key_path = args.key_dir / (keyname + '.pub')
    with open(pub_key_path, "r") as f:
        public_key = f.read()
    return private_key, public_key
 SSH_OPTS = ",".join([
    "restrict",
    "no-agent-forwarding",
    "no-port-forwarding",
    "no-pty",
    "no-X11-forwarding",
 ])
 def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
    lines = []
    for repo, public_key in repo_public_keys:
        command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
        lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
    with open(args.authorized_keys_path, "w") as f:
        f.writelines(lines)
 def main():
    args = parse_args()
    with open(args.token_path, "r") as f:
        token = f.read().strip()
    os.makedirs(args.key_dir, 0o700, exist_ok=True)
    os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
    repos = get_org_repo_list(args, token)
    print(f'Found {len(repos)} repositories in `{args.org}`')
    repo_public_keys = []
    for repo in repos:
        print(f"Locating key for `{args.org}/{repo}`")
        private_key, public_key = generate_ssh_key(args, repo)
        add_secret(args, token, repo, "WEB_SYNC_SSH_KEY", private_key)
        repo_public_keys.append((repo, public_key))
    generate_authorized_keys(args, repo_public_keys)
    print(f"Wrote authorized_keys file to `{args.authorized_keys_path}`")
 if __name__ == "__main__":
    main()
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@ -84,16 +84,16 @@ let
        cp ${./config.php} "$out"
        substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
      '';
      "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
@ -202,6 +202,12 @@ in
          rewrite ^/simplesaml/(.*)$ /$1 redirect;
          return 404;
        '';
        "/robots.txt" = {
          root = pkgs.writeTextDir "robots.txt" ''
            User-agent: *
            Disallow: /
          '';
        };
      };
    };
  };
--- a/hosts/bekkalokk/services/kerberos/pam.nix
+++ b/hosts/bekkalokk/services/kerberos/pam.nix
@ -879,7 +879,7 @@ let
  inherit (pkgs) pam_krb5 pam_ccreds;
-  use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
+  use_ldap = config.users.ldap.enable && config.users.ldap.loginPam;
  pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
  # Create a limits.conf(5) file.
@ -1510,7 +1510,7 @@ in
            it complains "Cannot create session: Already running in a
            session". */
        runuser-l = { rootOK = true; unixAuth = false; };
-      } // optionalAttrs (config.security.pam.enableFscrypt) {
+      } // optionalAttrs config.security.pam.enableFscrypt {
        # Allow fscrypt to verify login passphrase
        fscrypt = {};
      };
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@ -17,16 +17,16 @@
        cp ${./simplesaml-config.php} "$out"
        substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
      '';
    };
  };
--- a/hosts/bekkalokk/services/phpfpm.nix
+++ b/hosts/bekkalokk/services/phpfpm.nix
@ -0,0 +1,51 @@
 { lib, ... }:
 let
  pools = map (pool: "phpfpm-${pool}") [
    "idp"
    "mediawiki"
    "pvv-nettsiden"
    "roundcube"
    "snappymail"
  ];
 in
 {
  # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
  systemd.services = lib.genAttrs pools (_: {
    serviceConfig = let
      caps = [
        "CAP_NET_BIND_SERVICE"
        "CAP_SETGID"
        "CAP_SETUID"
        "CAP_CHOWN"
        "CAP_KILL"
        "CAP_IPC_LOCK"
        "CAP_DAC_OVERRIDE"
      ];
    in {
      AmbientCapabilities = caps;
      CapabilityBoundingSet = caps;
      DeviceAllow = [ "" ];
      LockPersonality = true;
      MemoryDenyWriteExecute = false;
      NoNewPrivileges = true;
      PrivateMounts = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RemoveIPC = true;
      UMask = "0077";
      RestrictNamespaces = "~mnt";
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      KeyringMode = "private";
      SystemCallFilter = [
        "@system-service"
      ];
    };
  });
 }
--- a/hosts/bekkalokk/services/vaultwarden.nix
+++ b/hosts/bekkalokk/services/vaultwarden.nix
@ -65,4 +65,40 @@ in {
      proxyWebsockets = true;
    };
  };
  systemd.services.vaultwarden = lib.mkIf cfg.enable {
    serviceConfig = {
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      NoNewPrivileges = true;
      # MemoryDenyWriteExecute = true;
      PrivateMounts = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
      ];
      UMask = "0007";
    };
  };
 }
--- a/hosts/bicep/acmeCert.nix
+++ b/hosts/bicep/acmeCert.nix
@ -1,24 +0,0 @@
 { values, ... }:
 {
  users.groups.acme.members = [ "nginx" ];
  security.acme.certs."postgres.pvv.ntnu.no" = {
    group = "acme";
    extraDomainNames = [
      # "postgres.pvv.org"
      "bicep.pvv.ntnu.no"
      # "bicep.pvv.org"
      # values.hosts.bicep.ipv4
      # values.hosts.bicep.ipv6
    ];
  };
  services.nginx = {
    enable = true;
    virtualHosts."postgres.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
      # useACMEHost = "postgres.pvv.ntnu.no";
    };
  };
 }
--- a/hosts/bicep/configuration.nix
+++ b/hosts/bicep/configuration.nix
@ -3,17 +3,14 @@
  imports = [
    ./hardware-configuration.nix
-    ../../base.nix
+    ../../base
    ../../misc/metrics-exporters.nix
    ./services/nginx
    ./acmeCert.nix
    ./services/mysql.nix
    ./services/postgres.nix
    ./services/mysql.nix
-    # TODO: fix the calendar bot
+    ./services/calendar-bot.nix
    # ./services/calendar-bot.nix
    ./services/matrix
  ];
@ -37,6 +34,9 @@
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # Do not change, even during upgrades.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "22.11";
--- a/hosts/bicep/services/calendar-bot.nix
+++ b/hosts/bicep/services/calendar-bot.nix
@ -2,12 +2,20 @@
 let
  cfg = config.services.pvv-calendar-bot;
 in {
-  sops.secrets."calendar-bot/matrix_token" = {
+  sops.secrets = {
    "calendar-bot/matrix_token" = {
      sopsFile = ../../../secrets/bicep/bicep.yaml;
      key = "calendar-bot/matrix_token";
      owner = cfg.user;
      group = cfg.group;
    };
    "calendar-bot/mysql_password" = {
      sopsFile = ../../../secrets/bicep/bicep.yaml;
      key = "calendar-bot/mysql_password";
      owner = cfg.user;
      group = cfg.group;
    };
  };
  services.pvv-calendar-bot = {
    enable = true;
@ -18,6 +26,11 @@ in {
        user = "@bot_calendar:pvv.ntnu.no";
        channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
      };
      database = {
        host = "mysql.pvv.ntnu.no";
        user = "calendar-bot";
        passwordFile = config.sops.secrets."calendar-bot/mysql_password".path;
      };
      secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
      onCalendar = "*-*-* 09:00:00";
    };
--- a/hosts/bicep/services/matrix/mjolnir.nix
+++ b/hosts/bicep/services/matrix/mjolnir.nix
@ -11,7 +11,7 @@
  services.mjolnir = {
    enable = true;
    pantalaimon.enable = false;
-    homeserverUrl = http://127.0.0.1:8008;
+    homeserverUrl = "https://matrix.pvv.ntnu.no";
    accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
    managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
    protectedRooms = map (a: "https://matrix.to/#/${a}") [
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@ -143,10 +143,10 @@ in {
  services.redis.servers."".enable = true;
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
+  {
    kTLS = true;
-  })
+  }
-  ({
+  {
    locations."/.well-known/matrix/server" = {
      return = ''
        200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
@ -156,16 +156,28 @@ in {
        add_header Access-Control-Allow-Origin *;
      '';
    };
-  })
+  }
-  ({
+  {
    locations."/_synapse/admin" = {
      proxyPass = "http://$synapse_backend";
      extraConfig = ''
        allow 127.0.0.1;
        allow ::1;
        allow ${values.hosts.bicep.ipv4};
        allow ${values.hosts.bicep.ipv6};
        deny all;
      '';
    };
  }
  {
    locations = let
      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
    in lib.mapAttrs' (n: v: lib.nameValuePair
-      (metricsPath v) ({
+      (metricsPath v) {
        proxyPass = proxyPath v;
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4};
@ -174,10 +186,10 @@ in {
          allow ${values.hosts.ildkule.ipv6_global};
          deny all;
        '';
      }))
      cfg.workers.instances;
      })
-  ({
+      cfg.workers.instances;
  }
  {
    locations."/metrics/master/1" = {
      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
      extraConfig = ''
@ -202,5 +214,5 @@ in {
            labels = { };
          }]) + "/";
    };
-  })];
+  }];
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@ -1,7 +1,4 @@
 { config, pkgs, ... }:
 let
  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
 in
 {
  services.postgresql = {
    enable = true;
@ -79,12 +76,16 @@ in
  systemd.services.postgresql.serviceConfig = {
    LoadCredential = [
-      "cert:${sslCert.directory}/cert.pem"
+      "cert:/etc/certs/postgres.crt"
-      "key:${sslCert.directory}/key.pem"
+      "key:/etc/certs/postgres.key"
    ];
  };
-  users.groups.acme.members = [ "postgres" ];
+  environment.snakeoil-certs."/etc/certs/postgres" = {
    owner = "postgres";
    group = "postgres";
    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
  };
  networking.firewall.allowedTCPPorts = [ 5432 ];
  networking.firewall.allowedUDPPorts = [ 5432 ];
--- a/hosts/bob/configuration.nix
+++ b/hosts/bob/configuration.nix
@ -3,7 +3,7 @@
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
      ../../misc/metrics-exporters.nix
      ./disks.nix
--- a/hosts/brzeczyszczykiewicz/configuration.nix
+++ b/hosts/brzeczyszczykiewicz/configuration.nix
@ -3,7 +3,7 @@
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
      ../../misc/metrics-exporters.nix
      ./services/grzegorz.nix
--- a/hosts/buskerud/configuration.nix
+++ b/hosts/buskerud/configuration.nix
@ -2,7 +2,7 @@
 {
  imports = [
    ./hardware-configuration.nix
-    ../../base.nix
+    ../../base
    ../../misc/metrics-exporters.nix
    ./services/libvirt.nix
--- a/hosts/georg/configuration.nix
+++ b/hosts/georg/configuration.nix
@ -3,7 +3,7 @@
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
      ../../misc/metrics-exporters.nix
      ../../modules/grzegorz.nix
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@ -1,9 +1,9 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, lib, values, ... }:
 {
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
      ../../misc/metrics-exporters.nix
      ./services/monitoring
@ -19,17 +19,37 @@
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
-  networking.hostName = "ildkule"; # Define your hostname.
+  # Openstack Neutron and systemd-networkd are not best friends, use something else:
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
+  systemd.network.enable = lib.mkForce false;
-    matchConfig.Name = "en*";
+  networking = let
-    DHCP = "yes";
+    hostConf = values.hosts.ildkule;
-    gateway = [ ];
+  in {
    hostName = "ildkule";
    tempAddresses = "disabled";
    useDHCP = lib.mkForce true;
    search = values.defaultNetworkConfig.domains;
    nameservers = values.defaultNetworkConfig.dns;
    defaultGateway.address = hostConf.ipv4_internal_gw;
    interfaces."ens4" = {
      ipv4.addresses = [
        { address = hostConf.ipv4;          prefixLength = 32; }
        { address = hostConf.ipv4_internal; prefixLength = 24; }
      ];
      ipv6.addresses = [
        { address = hostConf.ipv6;          prefixLength = 64; }
      ];
    };
  };
  # List packages installed in system profile
  environment.systemPackages = with pkgs; [
  ];
  # No devices with SMART
  services.smartd.enable = false;
  system.stateVersion = "23.11"; # Did you read the comment?
 }
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@ -34,13 +34,13 @@ in {
        {
          name = "Ildkule Prometheus";
          type = "prometheus";
-          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
+          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
          isDefault = true;
        }
        {
          name = "Ildkule loki";
          type = "loki";
-          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
+          url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
        }
      ];
      dashboards.settings.providers = [
--- a/hosts/ildkule/services/monitoring/prometheus/default.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/default.nix
@ -6,6 +6,7 @@
    # ./mysqld.nix
    ./node.nix
    ./postgres.nix
    ./systemd.nix
  ];
  services.prometheus = {
--- a/hosts/ildkule/services/monitoring/prometheus/systemd.nix
+++ b/hosts/ildkule/services/monitoring/prometheus/systemd.nix
@ -0,0 +1,18 @@
 { config, ... }: let
  cfg = config.services.prometheus;
 in {
  services.prometheus.scrapeConfigs = [{
    job_name = "systemd";
    static_configs = [
      {
        targets = [
          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
          "bicep.pvv.ntnu.no:9101"
          "bekkalokk.pvv.ntnu.no:9101"
          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
          "georg.pvv.ntnu.no:9101"
        ];
      }
    ];
  }];
 }
--- a/hosts/shark/configuration.nix
+++ b/hosts/shark/configuration.nix
@ -3,7 +3,7 @@
  imports = [
      # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
      ../../misc/metrics-exporters.nix
    ];
--- a/25
+++ b/25
@ -0,0 +1,25 @@
 export GUM_FILTER_HEIGHT := "15"
 nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
@_default:
  just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
 check:
  nix flake check --keep-going
 build-machine machine=`just _a_machine`:
  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
 run-vm machine=`just _a_machine`:
  nixos-rebuild build-vm --flake .#{{ machine }}
  QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
@update-inputs:
  nix eval .#inputs --apply builtins.attrNames --json \
    | jq '.[]' -r \
    | gum choose --no-limit --height=15 \
    | xargs -L 1 nix flake lock --update-input
 _a_machine:
  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter
--- a/misc/metrics-exporters.nix
+++ b/misc/metrics-exporters.nix
@ -8,6 +8,26 @@
  };
  systemd.services.prometheus-node-exporter.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      "127.0.0.1"
      "::1"
      values.hosts.ildkule.ipv4
      values.hosts.ildkule.ipv6
    ];
  };
  services.prometheus.exporters.systemd = {
    enable = true;
    port = 9101;
    extraFlags = [
      "--systemd.collector.enable-restart-count"
      "--systemd.collector.enable-ip-accounting"
    ];
  };
  systemd.services.prometheus-systemd-exporter.serviceConfig = {
    IPAddressDeny = "any";
    IPAddressAllow = [
      "127.0.0.1"
@ -20,7 +40,7 @@
  };
-  networking.firewall.allowedTCPPorts = [ 9100 ];
+  networking.firewall.allowedTCPPorts = [ 9100 9101 ];
  services.promtail = {
    enable = true;
--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@ -50,7 +50,7 @@ in
      serviceConfig.Type = "oneshot";
      script = let
        openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
+      in lib.concatMapStringsSep "\n" ({ name, value }: ''
        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
        then
@ -69,6 +69,8 @@ in
        chown "${value.owner}:${value.group}" "${value.certificateKey}"
        chmod "${value.mode}" "${value.certificate}"
        chmod "${value.mode}" "${value.certificateKey}"
        echo "\n-----------------\n"
      '') (lib.attrsToList cfg);
    };
    systemd.timers."generate-snakeoil-certs" = {
--- a/packages/bluemap.nix
+++ b/packages/bluemap.nix
@ -0,0 +1,30 @@
 { lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
 stdenvNoCC.mkDerivation rec {
  pname = "bluemap";
  version = "5.2";
  src = fetchurl {
    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
    hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
  };
  dontUnpack = true;
  nativeBuildInputs = [ makeWrapper ];
  installPhase = ''
    runHook preInstall
    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
    runHook postInstall
  '';
  meta = {
    description = "3D minecraft map renderer";
    homepage = "https://bluemap.bluecolored.de/";
    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
    license = lib.licenses.mit;
    maintainers = with lib.maintainers; [ dandellion ];
    mainProgram = "bluemap";
  };
 }
--- a/packages/simplesamlphp/default.nix
+++ b/packages/simplesamlphp/default.nix
@ -29,7 +29,7 @@ php.buildComposerProject rec {
      mkdir -p $(dirname "${target_path}")
      cp -r "${source_path}" "${target_path}"
    ''))
-    (lib.concatStringsSep "\n")
+    lib.concatLines
  ];
  postInstall = ''
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@ -1,10 +1,12 @@
 gitea:
    web-secret-provider:
        token: ENC[AES256_GCM,data:pHmBKxrNcLifl4sjR44AGEElfdachja35Tl/InsqvBWturaeTv4R0w==,iv:emBWfXQs2VNqtpDp5iA5swNC+24AWDYYXo6nvN+Fwx4=,tag:lkhSVSs6IqhHpfDPOX0wQA==,type:str]
    password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
    database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
    email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
    passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
    ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
-    import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
+    import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
    runners:
        alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
        beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
@ -30,6 +32,9 @@ nettsiden:
        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 vaultwarden:
    environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
 bluemap:
    ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
    ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -39,53 +44,79 @@ sops:
        - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbDc0NXZqYko1Z25qYkhq
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbjFxWk5lY0kxaStxcnVh
-            T2p4cGZ1bTZRS25YdjJ0K3JhSklCT1NwSHhzCi9MVnM2YTRuUERwTVlaM2lxNEtp
+            SnlYamw5WXBRTkU0ZGFEWnZvME1nZk94TlIwCmlhVGFtckJpN1RZdXRBYkxDbnVS
-            Mk9hcDREcTErZXJtSEI0aE1PV2NDV1EKLS0tIDY2MEN6a3NWb3JpeU5JVkhoOFVR
+            UmZtWENzZWNYRmptY2kwem42ek1LbXcKLS0tIElsRXBmNHNmdjdqTmFLL2ltMnFC
-            MjVqdHg0SnF5N3VEV2U4a2dvbTZjem8K8J6KQMJwpiC8gqlgi29x3dpSORAmuVQ6
+            VG11M3ZpeUJPUGlEQmExOEdSZFJERE0KSIo1pzx8AcoJWEzNzEDoV3eM7194IHxL
-            cX5jXggOoz5vME6BMQ3s/bglZG2pdEgWpGZVbc4x2iMwUWgJLHdgXg==
+            4pCSSztKDCF+XdJZLh5sgudaYLJGtX5n7q1hbuL0wOmotM9bN2YLog==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1SHMrVmxsL0orQlk3dy9H
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybXRjNEM3ZDYwa21LdWpE
-            NDMzWEZYMXhkamVkTy84VGEzUm1BU3lNY2dNCkNwOGJteVQzYlZESGlScTg0RnFx
+            dDg1MUxaeHlJSHRhWk40TndYbHZLWHVsVWk4CkxkRVJ4c1lhaXZodGxhNGhkUy9q
-            emNXbmZhL3BHWThPRUI4MVIzMU1POTgKLS0tIHRmQ0llR1NCSm9KMHZsOGJXYmxk
+            M0I1SHdjeXVXL1E4OXgxS2x0cU9ESFkKLS0tIFpNMjNKLzNDWWtvTkhHRDFSTklH
-            eGpDUlFHdEZmWkZHTEw4Mmk2UWRnUU0Ki5GK2mzDIc2iTryjn6lf5lMqVZcCcxQ2
+            T1k1cXp4NXVvVGdkYXp0VVNJejVJRkkK6K31gqRRvo0mbJy6aCTKotVmrfqZoARG
-            a3Y/o/NMFDhMZpLlEljuWQVnuOyJZ3RSDCFN9BSEkxg05PaoSluUzQ==
+            w6wKe1TJLWJv8RAD3GQrub9MJwQhUG38Jtj1WrXgNMlF24zFPlZDEQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZY2ZiazhzdkxNZFZldjBV
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2azhwMEJRZ3JQRnhDNlFR
-            SjBCR2lXdFZZUUpJTnJVWUVMNTcybGQvbmpNClVDOEdMK0JIOUEvaVYxcm4yeVp4
+            a283MitGTTdaMTZURmFYam85TU43RkdXYTI0CnQxWnRUZ2F6MHd1TWlHMDZ4b1p0
-            dVY5b292WVE5L2JXNGQvSENiTjBWVkkKLS0tIGIvdzBxMVNYbGN4ZXBBNDg1bFNB
+            WStOVndGTUpmdncvd1k0WlV3c0xKYmMKLS0tIFpSb1hKbHJyM1dCOVBMa1Jabndp
-            akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
+            NWlGSFhQUngvWG5BQ1lyOFAxanlGdlEKt09a9bMErR3wqbutxhDRfSWp40mmfShJ
-            GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
+            KAAO2TEMKkEGFvaxYu+G9rbR37h/ZttikJMvIVlfRzmVADlFwO7eHw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-26T02:07:41Z"
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
    mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
    pgp:
        - created_at: "2023-05-21T00:28:40Z"
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYVJLMTZma08xZVo3cEZs
            Ym1FTU9ZdmxlcUxselltWDRwdUhUdU1udnpjCmh4TlJEK09UdlNFLzN0YnN3WGtt
            aGpzd25Vckc1TmVCamQ0ekk2QWpraUEKLS0tIG9CNzBOM1g2aTRlQmt3WWVrTlNB
            ZWsrZy9HSWt4OUdMb3ZZQmNjNGZNZjQKMhvkRnis8P2iV3hoigiN2IXeIFvFuYRK
            FeMG/cNOtAUsOgHMs4xDPqpLrhpay7IEvwQukBxscd/88I8/ZdGeHQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtazZ2RUo3ZjdKeStLWW0r
            bm1NVWJRbjZpZTVRcEFWTnJwYkp2YUN3OTM4CnhRa2RpOS83MW9zaWlUV1M4b21t
            OG5Ub3VkK1dSMkVzN2VtT0JrWkFSTkEKLS0tIGMvOFU2U243RnpUTThRRWthaHpZ
            SjBhZjJpNGlUclF3bXRKOXk0KzlHdzQKp/asp39bRfNXyetc3ySVpnzfO6it9D/e
            XWyhq0yKRFAC8yMYeAuA4kIcNM4DGRc0PnwA/ce3IgHsV1ZNdvdWfg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnT3lTUEFaN3pOMGhsQ1Ra
            SVZ6cE90a1BteXgzaldsN3ZTSGZpZXlyWHdvClhJM2ZDRHR0VzVSQXd0b1drK3hG
            aW8zUWlHcVFkTFpJYXpxWlAwVHV0ckUKLS0tIGVmR0g2Vk56dlZCU01Dd3NzUFZU
            UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
            4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-09-01T01:33:50Z"
    mac: ENC[AES256_GCM,data:PkcOD9hJWD5tILO9PuZkOgIoujt4q2qtHBB9KF8ikrNKo0yw24Jf1ceI5/+BHCxhdi8sF4qQM/zty61zqwNaBsvrsLUkdWDwUDsuJQa1KKZiCEZPqYBc+qGIQ5wNPsU2zJ0c8+wU8H0LtGqKOH9GmaQtTdm0Rt2IcexV823uTjQ=,iv:GYTI85OgqnN8iUc6OOXO7Sz2XIthWJtz8zwMuWutEYs=,tag:2rhfhjXXzZLzoVlkINo0ZQ==,type:str]
    pgp:
        - created_at: "2024-08-04T00:03:28Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//TewS5bITIo3bx0HEM0p8bwnSJAmNqGJmuILXg4k8eszF
+            hQIMA0av/duuklWYAQ/7BlyYej03uyhLheXS406h3Ew7v7D+rHHvHjiw3FCJxHoC
-            JHS9eCfU/Vz4Z8eMDJjntFIWvNCl0QOycvp37uNaqPedDE3v1nNpCxOZ76vLT9I5
+            1revUrMa/M6iTNQteaBvBcYVR4+SpUpRyN/6BSzEQBrNhUBR+70VWL2yzeeb6Bw7
-            smXKpRmfgYxQAkWQRJ6aUV+DoVjSY/hT9JWD7u4uWgavG5D7/3SwiJC3uM0/8mxM
+            GBtuyS7O3DEd0froE3aFETR0NfQ1FfcndOBd3SDKOsCgL5nfJSyOPQtr1OMLKzoW
-            gwbp5eVEO0mTvXZsmqIRJ00NKX+RIMuUZFvzu3ajGywZfQxFs7zUhx7Lc6ry/MYI
+            +CARt457xEx0KY7IIpN6e57IT7bVjJx5UuDcN0ZncUyuGUAKHdn0nAHzWqiSZV9w
-            FFrbXssgpH8U9dHMgBsGzeyQS4qQLGFHJuNBBzz48U+Dr5EgHqZ2ZXZschW+40qX
+            bIftLJ936zvBOhhl3DkzvALnI9+//KPSMM3o/1ti07FoAx8cK2w83VA5Ia9qeNkB
-            TH8d4qyOROTiHKpKp3+nUoRiz1JPkJ0rqHg+9hOrFNpl1NZQ6w1UOc+0Ki6ZAwMd
+            wfVuE6f5a2KP/KrfnVCfvweMh/MIEUGb14XEaniyYwvlW5vwF9YgPH6HGc0c+lH6
-            yNF733/I+OaI2b4nxhG+la6U9Z1fOat3BPRoxp8ZlLRrPq8ljxV78TMVfv7/lPO6
+            UWy8+Iw7kXkUEJuhtNWyBPJeVKheSBieoWUBZZAK4uWUpChJxfc5M3+P3mgzTIP+
-            MZopBmSOeV19t/QypYi2pl+QYRaVs2QaBFotulob+KbKpWC4T2tMEMnPngsTxOhk
+            7P04xdtS0GwrNwMBiQFqc56hoYDAwMYbn9lFzM3LLq+h8Ztg2G4X9LXjD956TP5C
-            26VY5ahIp01QbewPxylpY6r1jx1tb8KcMmsGlaLrgOo9Q526bh5QGRDx9NCj064c
+            bPV7BFcjTSaAt1TDJcDJRxfrtx6Mo/DLknpGTMRM0UfQ/22uMz2GAH38L0C7lD9B
-            uJ2ed7hY9tNHs6qN/94rcr1hOAq5kVh+36UvJBZYQuxwIXIws4Xw+obzoKVAAqEC
+            RrKlpDuMKzj/LUihO33Ry9J0IpZ3XF6oaSl/+P+uO9QYNxA/zkuxuSWfqoysldyN
-            qEZWL1NB0hXynom7Vc2e2MzT2guogXDHvlCDHjtt9ekGcmU+tQ/JdgTOJ93hEInS
+            bSo1dHGapY/+PVMjM0E/2Dkk9T2IbQUlkVxPrlvuUd3YfrJ7bCva2GDjLvXSp7LS
-            XgEjcd1xpnzebDo9SpNBq/J/uSKAKLPOI2y+LZzvs6oiFtc4QLcgGors38x9SiAP
+            XgGgLgrj54YoOn4uUFsxzDIS7yVps3fCkByVtc1Lc3C8uPPF1B+jOX7O87kZOHag
-            JSiQnUAC9XZtiugGdCOVy6MG1x3smAafW6kcH7yr+vWoJoQLbbF60PhuhAJ0N4Q=
+            XvT2ze2ITfdxPzoyZO1nWVIGO8rAtQ/vK/Iv2/hHtc4gfzL+gy7GeUWGHkvZ1Kk=
-            =3iQC
+            =wDmH
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/secrets/bicep/bicep.yaml
+++ b/secrets/bicep/bicep.yaml
@ -1,5 +1,6 @@
 calendar-bot:
    matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
    mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
 mysql:
    password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 sops:
@ -11,52 +12,79 @@ sops:
        - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RFpLOEtUQ0ZLeUdmTGxl
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOVc1eXg1bU9BZmc0cXhM
-            VXlTOG82Ly8vdjdldnB0dGFzTkdxUHNML1VJCmxDWHhyMHYrbmtMVWVJYTdrWjVn
+            L0dpbVBvQTNzcnFWcktSaW5rQXhnZks4dlhRCmVla3kzWDlJN2V0dDFYWkxJUUVo
-            aE5qWWtHWSszYnNWc3l2VmFwUGl4R3MKLS0tIG9ocThFNm1pcUtMNHNlMlFsS2lx
+            RTlqNWM4c0lmbkc3cUM0dTgyWGpSNWcKLS0tIEx4SkxDdTFGUi9OQ0NRVGxXeSs4
-            MDhubWVxamxlSVk0dUtIWnhyUlBNM00KRunPljgLCHkwn4HCPGpkNbLitCIF7hYL
+            b3Zaa3p1MnU1UTk1T3hmejVkM2RDLzAKmk63I60GEenLt0l4FHmz9mBAumw105Qs
-            jRYVzu+Wddd13A4QfvHvAI7bJB5Zsv/xwmggVlICG1pky7gPNDwGcA==
+            mDbQBfAj1m1FTE6tl38J8wVyFI8LT550bqYdymvnT2mnEIAIP/04ag==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvem5LODRyU0VlcElOS0tY
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dmJpdUxVcllPYXpxRlN6
-            a1FaNHc0SDJLQ1llalBqQ2VEQjZpbUFyd0hNCldQNUpTdFZ5NTlxWU9icXN2Mm5a
+            ZnYyc25sbjdWNUNEQnE3UU5Ea0JPK3o0Ukc0CnFIOU0rOU5lV0tGb2NuNnQzejhw
-            S0JQOUkvdEZRK3NBOGpEZkJleTB1TXMKLS0tIHdVcFRETFlBVWI3TTZYZGJMMkcv
+            cTBkOFJHTXJIMFhzZ0tpODJ6N1pJRTgKLS0tIEhPVlBMcjdHNVRKWDhkTXFTOFFu
-            RkRXTTVURDRFNjFvci8zRVpqbkxVclEKW86hoVO0grt2x5YMt/YnmDI6J0QFKjZZ
+            NUREdmFNR2NkY0Uzcm9tbmhteHFtSTgKSUTGoNb2/0rljN7oojVk1fMAulK669ud
-            Mnmd/Z1S6a+rajCy0GkeM+Q8AbBqBrNei2H5Xp1PlxNyicGib6+Ngg==
+            fpacGQFBJzJOusx29YC01W6mn8TW8Cdw6mKmS3QEsYYx7S4HpX0v1g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bHNiY3ZCNHZsYlUrOHMy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUmNyQWU2Ym5NMjJnUUpu
-            OG55QjVmQVUxbXl0bkdNQ0FEais5Sng0ZkRBCm5KdmMvNmN6VmdsREZrbGd4ZFpM
+            Vi9yeWhFM0NDTGZtRThXQWMxYVI2aEUrNUVvCklxTldQRnp4dTVXMjRXWU5DNWhz
-            VVpsQk43MlBxU042ZkE4L1hHK1R4RVEKLS0tIGttL01XcG1IUnBMbUVqKzJMK09o
+            dzllOXp1RVRaMDFNWExuK01maFk0blEKLS0tIC9hUENybThmWlBab3IwSTQxSHBj
-            QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
+            Q0IyL20vdlRBNWZyNXc3MGVtcUNza1UKLDq74TMy5hXhimnDA06/Ku5RJQcDvkjn
-            nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
+            QKSGCxZ6FJ/io22qNiw0vDRzTfW1Dz+9/Yog3Pi870IcAljkdmoxEA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-05T23:28:56Z"
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
    mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
    pgp:
        - created_at: "2023-08-27T00:12:42Z"
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTUpYam1KQ2laek42V1NE
            eUY2TlY2Q0JNTHR6QUEvZEhhem5ZKzhPQ0JFClZldDE3dDVIeTQrOVpJNGI5dDlR
            YStuTlRDcXdiWE9LdThaUERnbEpkU28KLS0tIDNidFQ3ZTdINXpTZGljZmh3Q1ky
            Ynk3aUtFOFdGV1NHb2d4YXJXb0xNYU0K07jwIfF+US++qz9rKn0TgR/vZam12vvr
            lq5s694hHkSRmAP5uJ4lNQKUkacH9qlBXB+aU+D98vKRDGYIkKhlQg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaURPbENOQ2l2N2lsd2l4
            aUdQNlUyWjNFM2JhcXF1Z1NJZ0lzZWFjYmhNCnF0VmZzd0hJSjJvekpzN3hoYnlq
            UDg0VHVlMUFTc2xNdGtLb2VXVzBySHMKLS0tIHdVWjlnTmdxSGpMR09zOFpVYmZF
            M3ljcDgyUHB3Zm00bUxWeHRvK3o1bE0KGWWaSuPmvzA4PqBg3y+XOpnVCkv34eV3
            ZEnPJood5bkBlVqfiBbwJaF98rCH1f5WI6S0NA/5ol5kckDpfwpePg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMczFnbUlONTI0M083bzNB
            RVdYQ3ZIT2dwbVJVS3pjZjc4d1htMVQxZGtZCjlPejdVNFVrV0t2MjJ5NEZuYklt
            U0ZiUWgzdytMSHd1N3FPdmNmb3B3UkEKLS0tIGtPdmhpT0NQSGpPWWVublF6dVZt
            cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
            0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-08-15T21:18:33Z"
    mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
    pgp:
        - created_at: "2024-08-04T00:03:40Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ//edQVXnTS4Xarwt14tF6yyhWM9/JFSVWW97lTO6xTNe5S
+            hQIMA0av/duuklWYAQ//XP1HnmkjG/wdSC2lQm2XJkB5hMU+eJxglsPVaQpqTODr
-            jNROmF/tHl29IPX0/QHXj/d4jMF/nteHdD53nD9s312CPOBv3SEwl4e7hfMf3rUN
+            dtVslBr/4nvCLypWhwYCG4jSz9YHU1sI9kDOsuo7PtwCrhfefeOL6CO+O40ECFMR
-            4YOahX9J4ryoB+ZleK5leoYSsWaVBDJfERMkYT9Ta/xv4EC5zHBTlZDpLRuS04eZ
+            CEMmPLrTXg3LV3TzulchXY6x72LRzJ/aJ1Ra/6sGmffL7JHJ7vHz+U63oXyYivdX
-            W5MG57TKBC0oifPvhCuv22OURNUp9t/bysSuKgU1v0Czu6ozuVgw9AO8G+PstFpW
+            9zsxP+iGRpQBK6wcA+Wg30rFV1ENE77H5Wh3PGRRXBSVE1fF6I3USgOxlQvGGnK8
-            7lyIMUNJQ7g3hiKDrrPPYcrKTeBbhxTINObe29nv00y0lycnfx3PxWrXpBoyv82y
+            cobLecH6V2TwSAptVcGk1gEmn6RUZdxATBnt0vE/Wr/zxZLuoRJgxmiwXuL5+kYW
-            xRgtalVvlYre1w6IFkqDFtpJD6N3zPFnPq4ZQ0nHN7A943Kxli5JnlkRH9Ak098K
+            QjCvCgAAEyFJtDRycwPPpDtTCBECPV97Ryev0Z8PdrYHfjNcgNVgDwNH9L3TuIEY
-            PuykZ+V2X+qFNf4LS+Gnjx9wZKaLEChMaDhILUDKuUcwPIU5EiaaBOS1Y8NQ4Lha
+            QL/f/+9PgNuUjf/7nktn1c5eAvmMyKJCiy9yKYZ1H9ynwN5Bxf+KJflVtTWbdJJo
-            pzyWzvpejV87Qvg2iog9UYLsK33GuxcFzYaklnknrI+9SotM7LRGQTVkVOwykh86
+            ITXP2RyU2ttM2WjAM87E0HJD3XZ9x9I8Se/f5eQbg2Om7E2HXYr/v2uWf2ByRn5y
-            8d+Sake0J/1xjOcxUNbaYreTA3myyklVlvoybyNOdSzxGveEq3KvGgcORnQxYwe3
+            PV232/rR/whf/vpiwChDsBT97ZfZJibU8Xot7WMkQhgjCJaYH0wzYcrnvg3EIAo6
-            QDoCdVNTmU5ELwDPALVMenDr7VixN085oJkYqZJ6v5E0K1Bhtrb6PItoC5Kea55s
+            MBN1ufKNAp8BoXrM2P4yu+UOjrN8O+54Sxg7CSwg/a/ldDdjUnsGfbf3vzY1EJcY
-            zWP+0rYxFx884cqpf8/JuC1Jbs1DpljqMMW9aD6A0htzOwEyHzDKWxy7zxCJrgjS
+            2lhLZ8sOQyl+Ppe095pcTLvcYp2FOihf6d3i7GGG6Q9Uh2Ljs7EB02GDKP1XozjS
-            XgFHIr6sG1geqUzIhw8NzUpdOkdlQ6YFKP3MsUfxIqPHWVQWt1+LLvA5BX/wXIe6
+            XgEsx/GScE/PE15VKlOHhrrF7OJj8P+uvlriVqk/MSWUVO2+X1yS09gXFtazLZBo
-            kPTa9qXwmK7Hrh5TyPPEjrO16qT3UE0nvRAI0s79L6U+99xXfhKIXhg2OMSZCR8=
+            yqK2yWAOsjFnrMv4A8YHM7COkKvJ9BGdefsoGQu1O838/T7R9+e1OK9iDhfbcMM=
-            =xnr5
+            =vMG8
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.9.0
--- a/secrets/bicep/matrix.yaml
+++ b/secrets/bicep/matrix.yaml
@ -19,51 +19,78 @@ sops:
        - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZ1dKNy93WmNTVkNzOE50
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcndkMFhyZzdCK0JDN2FZ
-            SGQ3d1NvcXlMeW9LQ3JCT05aQk5qSTNIUVR3CmlDeE1wTUUzQVZrREdEeDZSeW15
+            ME4rTWo5dm9yVGFSQS92M0FpaW5WMGpzRm13CnZ3OEluNWNnMHJWaTBuZXc1dk9X
-            dEsyd0w5OUpabEZHNm54UDlmaU41V00KLS0tIGJZTXhVdUJJS0VIdGdnV21DUlhL
+            VXRDOHlXUmloYUVYT2pzT2llYU8rK2sKLS0tIENJVUgxUzFxTFg0S1BScm5tNU5x
-            MjNrRytKUXBXZWhPN2dpUk4wYUJyemsK5sspkZA7AOkVtq4e8p7QhtG2yLZE2TG0
+            M09CZ0Y3NTQzUVY2ZXA3cG9pYUx1SG8KkZXHZmB5yBh/zoMBMdMwlHyjIQE31EK7
-            qOhodWBMqi9VWnwg6HTKtQK6hfZ17McB93J4wtciCFGB7Pa8d79TFw==
+            cwAfWYVLjk0CDM1JScTCy7RoQpbqNsMWFyUpu1p+1N0FE8IgefOU6w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZ1l6SDdpdXl2cFNubjBn
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTekd4bHhLeVh3RkNsRjBu
-            eTU0UCtGTWhFYWIybk0yaGswKyt2clJQekhZCkVkbXdrM1QwaGZ4TXFpOTE1eEJJ
+            V2h0azluRmJzalZGdy9MR2RENkY2WkpyakN3CkdFWHB3cUhQYkZlU2Q3d1ZtcUlr
-            dUZKampwMjFzQXJqUUx0RTVwQzFoVnMKLS0tIEErNjhFZzhrVTJucXgwSVp2RlFi
+            UTBzUU1lVFZZaHUrUENiWlFCYXErT3cKLS0tIEZUcVNRN1QwdnNPYnI0ejRyNDBJ
-            QllFM3MxbXBBbFNTQkNKWHhyQ09EVGcKJIJ3DB8YmhlL+6sNhp38PojDBcDItsR1
+            QXJzMmFkdDh3SHJCSjlCQmVSKy9McU0Ki8UxAzALy7EPr6Nve8UGLmOCqstCcOfP
-            SKyJC3nTJjwtPD/8P0LivCTn9Gi0Yjd5HVIXq/76RF4aB85HLZLgSg==
+            OkTpjXFcTBJ9wMj1ZXCoH3KYqvJSu0gvB97phnkN9X8aXkf2DsOCfQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwY2VLT3Ara1dXTk5EVXBi
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT05zbjVqY0NNQ2ozdEhx
-            b1l6ekd2cEp0TzgrclVNMmR6bXBtZ2Z5V3k0CjRkd0JIUzBCd2NvWDJDU0FyRzR6
+            MWFlMWpvMUorR2RnY1Nva3h3VHRjZTJiQlFjCjNtUzZxRlRlZkxGNncyQVExSVN4
-            MHJUSis3RHlBSm1raFRSaUY2NHpmWlkKLS0tIEk3VDhLSnU5YjRzNWFtb1ZMcy9o
+            UTJINkxHZU13aXpOdDhRNW56M3RXMUUKLS0tIHBqWHNIZ0dYTWNaclVDVk5sS3I5
-            cGxZVnFhdXRka2drTGdkVk1iM0pFL1kK2ry7b2cLYPfntWi/BV3K2O+mHt3242Ef
+            YlFkckxlcjROank3eXdtdWhMY2N2Sm8Khqzk4NUSeaPBYkMbHBhBkagFBQs7Z9MX
-            sI2JLLQYHeAhxjFdCzP1RDR+Wu/pRxZje6xuTZ9I9TKNmm+LhAXHQw==
+            HYLiY5pOdCkOteDSOGlqSdiKI7yVNsETjDXeXybLHk/RNaJbhvhqwg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNUU3aE84RnpaR1pET1l1
            b2dDYjZmSVd3N05iMTloKzVTc3phOVVGYlRrCkpGMUZhL0Ywd1dEZm5TYStCNjlX
            ZUJnWU8yZ0htbHowMzNBekNRSDBjWVkKLS0tIDlXczh1VDNsdDYzTDMvK1U3TWxQ
            V2tXdk9BUG50c2ZCMVRoY0hxeFlkYkkK+XdRap/LtxzZ3q4ulPRb3LQyeeuO0mu8
            So+7G2acSDhcNqZtW4jsu/NzSNqcv1bwd4XcKe7xqVDVYRpN8LBb2Q==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMW8wMi9rdStMSkx5dlpL
            V250UlpET1k0NmZzaFpYRG15OG9NWVBKMGtnClFxeERxc1kvS1QxNTc0WFFQTDU4
            UmNGaTluelF4NElXUWhHQ3ZnN2FYa1EKLS0tIEJHT1FZZEFwc3lxYWJFc083ZG92
            TllFaWFqOXZhVldlcVJwQ09TSGRFMzQK+smZIE1hYx8urWrAqqAb9zId6ZblQesr
            pc7lDe5AAumIh8t8tzFwl72XtSMrStDqaneibbRjr0N39L0xN/nhTw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2gvZXFXNmdod1IxWm1o
            djN2Sm1iVkpHYTJ4LzdLWVI3dGJIZTdQK0VrCjJqVnA5NFlXVGFFUDhXdE9GZmRJ
            K3ZNTnVDZ2w2NjZEemRNUnVoaXJhN28KLS0tIFVxa0NBNlVVNlBDZ1pxSWRZNFY5
            WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
            pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-10-22T00:31:46Z"
    mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
    pgp:
-        - created_at: "2023-05-06T21:31:39Z"
+        - created_at: "2024-08-04T00:03:46Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYARAAmj8qTRTeTXx9PNtqOFwCGmLlKGhj860JPE3BUR2n3QOE
+            hQIMA0av/duuklWYAQ//TtjTsxf5xHnu4g5Y22qvyMud17MN4j4hCoLXjRSbzG8K
-            h9fdVJa9yqK7Lshyuf2t1HbgG+Ah4p4BaO5gYGsMLV9ybZpyNFuCgSZ3DZ4zSfxM
+            /E+0Gs08P3QqV6DddmLvxeAcnLBTAdE4XCMFsRX9eK0BLqPe++yoamOpoPe896zm
-            GSqelcHJF5qbV5gwoJvtyVFV3qtKD9FpOJwh9MfEVe98VkoISCQsPl3CHDH4ot0l
+            BW2BXn/oemGdOFVOf43LRuMEYn32pjg4RNzR4bn3om2TY3S0nr7GP5J9B1QrSPfH
-            zKa56vOReHRmaCid2LNsN0nHlh1KPpwn7HdgaKyiPFexMFe4L/Q56UrlZx9XyPOb
+            AFdR78MwX7PrOkkh4jSLPftjAI8jUtvS/TzX8AXnzy1A8xSkWxww00GMvTvSSAwZ
-            AJ91ayfI6jWH8Hj0xxyqx0shdA74nJ/Y6ZB3JxLXnGuPvAlC3XJRQUImqYsa7p11
+            wxU6fePkLwuxVwZVqI5pdsjAscwy7FE7NWDgE9GMIxxwAJRRwJcsJ+eVM6ykWMyq
-            4Hus4hRAGEJGpmpxhazInHkWOT5ECtzxMd5LlUSq0AGYlEWJL+jtnrvy86HqpYRj
+            Xqo24kWkAqgs7vbxU55gOqPVHN50M22fQ4+RYaLnLyj6BO+0WegW1OmK88q0flaA
-            jpMfwsuwY7dJ0Tll05+goWqn0zB0yZjax71Ynky/ie5Iv8FKaUHHh2HWAzqjUaKg
+            QADZHLGrsuiVgc4KxHskwQou1RuHZnPUSqn+Nhnsp8rtAfboHS28v7ekRNTmhTWG
-            6Yp3hzmMdP61fAm7ka4mxQLXQ0lrUbVnOk+pkaTrVrhcQial3W3lIgIhyo0EVi2V
+            qPVPlOlVnY0AemohDjBnk3o4rCxJhviL9KTjmAtIGTK03Fqzk2v23H3+LRo/rocm
-            Z7yEFkec7XZieMklhkL7tq9SJlWJYG1T+bavD7JSWjOXu+NlSP1hLKytM7xjp5jH
+            gQCXzN6Igdwn7n9x8wXmuO6iL9Jftu4MoaQ0W55hZiBfh8pG76TGdNhycZr2T40w
-            qZMEsjOaUEPvIO8Kd1f8MpLLe/+EhtmQJJMN8lwA8t/N+aOVYsW1GCspwX5mI+Ob
+            MBnRX3ydwH2T+y2pGM9tJY+nlgGsyTiOw01SN7/mio3YdCSvChXTkV3PaX28u+CJ
-            ZCIPkmeBz+UhJvqFD9QwWB44VWH7429VCg9hL+iWR2UfIUQHQhRFWD3604QBppzS
+            5TaYLM2IP8W5DJU3r3dV3I3JYED1O5Arq7Xrv5Z4qr8vwamnCN6SZGe2qCqxTOrS
-            XgHEqjgLremZkvBsTAZsaLrTFlm7KwgjZsAkA5k+RZR5SH7xCXoSUSMnM8pWTway
+            XgEHGwiK1pFQIBxkI0gFmGX0ckd1NYUfsUCyYrFkcAsicWetBhdlgMjLc86bVHwQ
-            24M8mPHKyshggzR5B50YME5BY1qVKtOMEmTjwN5gpn4CQDcsQ7A3eafZg7uGd64=
+            7p4iGLGsr7GZEArBnP0J5Ee+Hr9MCiW/OCLY4M4jlTsyimlsdgDgyr+RqoOnvig=
-            =4DU6
+            =SRZU
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/secrets/ildkule/ildkule.yaml
+++ b/secrets/ildkule/ildkule.yaml
@ -26,51 +26,78 @@ sops:
        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURkY4WTZhQzJoREpxV1Vr
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbW1FZmt2ZDRZcWs4SEkr
-            aUExZ1dxNkIyMkJtUXpqOWtTT1J0MGpmMkY4ClR4Wm1FTmhKN2pIMENRdERrWVY2
+            R3ZDaUgyVlVvRHNNRTZCS2pxQThsT0NmYkFJCkk1Y1NpT1RSTFp1MWJ4aVNrelVx
-            SUlHblpEc3VackMrbFpHUUJwM2ltZHcKLS0tIEovMEtiOWc1L2tzZDh3ekZKbStr
+            blYvS0l3ZHczaVcvZDE3U0k4ejVtZmsKLS0tIC84WEE0WERiTCtKNTN0NmZUbDhV
-            NEFkcW03ZTRJODNxTlVuUnFlcFFUUncKEZzOeUtRsZiuugTLzG2xU4eJ3XtVuop7
+            c1QwV1l5b1ZQNitFRnFhQmIzSWNZd2MKokg6XMIFfjxB6sO8EBjBc7E7Ur3zBw1o
-            hhlDBL/YoFn/CO3HjqFdCVv33QoPu7KKMeV52pbVEnv93mvdEeFxVA==
+            akXuA4I1Xw2H1W8B6HkVSDp4BpBEe8xi0z8TUmzkA9/IBoypG5EJKA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSY3cxSGFvdDdWcFVLRTRy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQzVtTFRFTnNNQTFXL2dF
-            Zng2VnhjZlFkc1RQN0NqUjJGeW02WlFaMlFZCjVZc2x2UXNXS1I2WDBxeHdjNUdr
+            UC84d1o5Z0p2by80QW9Sck8zVHJvMjdjd25nCitBRWtzVVdTUU85RzFpN1FmOVQ1
-            WnZGc0l5NlArekUwUGU3Qkdub25EVm8KLS0tIDB2bGo3ZURtZ0pSZjFzcGpOdW5D
+            SlNESXBKc1BUdTRaWk5nSENvUXdraWMKLS0tIDlkUFZRVUV2Qi9iSUpFRmN1Tm5S
-            aTI3aTBUS0d1MzFmMTVMbUlFYTR4VlUKzOvNCAzan1GTXjoRxeySkUYIYtI4Mpvu
+            dW9lTkxsNXBBN0wwZ0NFbThRdzlvOU0KbLzteBt0VTr825sfKLNs3i3FT0/dgn2z
-            MC0Q8e350SyoOsrF7fUvw+Ru68fDMLW27H6Ly36xP7D3eo/h4eZVXw==
+            kOpJQf7KZKEVBkInUOkPmobtw6oM9vfWha035tTJPYjWy+Lp939tBw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbDBYMDNQcWkySC8vN05t
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCR25sQzNkMHhETzY5cXRm
-            U3hLMjlYVUE3Zms3U2R4R0VnMUtFcmVQclZvClY4aWZEYWZPdkltMElkUWxQeUtP
+            Y3QzYXZOemFTTmN3aTVpODlQclB1Y0JRNlRRCi9wQWVGUVFYd3ppMUVMdUVQNnBC
-            TEF0a0txbVQ4d3lrelp3cG9TbG5OSkEKLS0tIHR1V3JIVEwwUjM3RVdES2pQUmhP
+            bVVRVHlsTWIzMitqNlQxN2NKcWl3a28KLS0tIEJrNk44TEN0ZzJ5L0JaKzFZaE9M
-            T1MwME1tbGQ2NysrOEVNYVZRT1R0YmcKFpfe9GfH7s779CNQswRm/W7zwYO6wK11
+            MmxPN3RUT0hDRW9MSm92LzZJY1lCZlUKM+r/35me5K74KkidKLUTZxqMqR++izHK
-            z6IGPxtBlUGdshYiHA1BEz7fMVg3ZolL2D98cTNMM24U89Gssiw9qw==
+            69gXZEHY+ZSvJ+9IBzcIxcFdSFyVUAN7wobBWZGDxmGJRClS/8jcHw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbzZHMHVqVkVrTVdiUmli
            OVhhVTZhbVRVU3VKd1Jxa0Y5dlFReXQ0QmlZCkVtVEhCcVlHamozeDYrQlVvRjlZ
            YUNXM3FML2ZLOW5PZ0tpZjlPc2lpdlkKLS0tIHVXZHoyRmlscSt2TlpLb2lDd3Bt
            bmJJS3JPWlVMd0FRaExUZEZMdXk5N0kKY6qYVva2aOkvo1huKH50gkT1iQAUhZCB
            ieUD1aQumHe1OYVeEWJCf2nYgApwq1tPjea5nqc4VzOogTbLVcKMFA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNWc0RVNQRzJkRTBKS2xD
            R3ArQ2lkc3F3QXN3bldZbkJMaFhoaDI4Mm1RClhuSmdRbWxlM1lxOURRWWVocC9X
            dWFSOG5yN2x3Vm9CZ0pSN1BLTWk1ZmsKLS0tIHRpRmJmL3FmaTFpL0czV0tIOWhX
            NHZLaEx3dEozc21MR3ROWHRBQzR3T00KQQiQ4SxpyMTDZyGY7TZrdQEioZAB+BQ/
            u24WgbBdSP6VDvqmq2gG8BqZ3Aog2/7SQ0CVzrsimAoXi7YCWCTetA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcERwTTJmdlgvZjhWeTBP
            eGJ0aG5RQ0xrRVBSMldEMEFpUHo0TnM1aFNzCkhReEZ2dWVGelNadjdITCthcTZn
            RzlQZmh0MzF5RmZGRW5UVXhYL3RHRFkKLS0tIEtrV1ZjQkovZFlmcDM2OUNYaHZx
            WDRSdDZRa1lIbEVTdDlhU1dwUXUzQTgK5iE4Cf/zjsPYHKcqYA0rFqY0TNcCnzNU
            vTM+cEPaA+/FXTwLfPpaiSkg5Fq8k2XdeMQsjQnglTBSWCwAJin27g==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-04-20T23:41:59Z"
    mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
    pgp:
-        - created_at: "2024-04-20T23:15:17Z"
+        - created_at: "2024-08-04T00:03:54Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ/+LSTWjii2dblTAkuqHan3uuuRRpt1ppmHEgHYkQZD+RzE
+            hQIMA0av/duuklWYARAAs0o2EHlphoU4JcO5fhmplhmHQp7GXjaUc5zakGACrl0w
-            g+ljNaM/BPqci7Kr1NHFDw+cU2MYm/40Tz63l1cvfE3NEoVefsmoA5voNI3G/bx/
+            0NVVLXf3hlb3saPgbRkf+ugVXd5dRDYfa3vbIDKpQwHVLSNVrVb7M8eIc0RXM41q
-            LTAe2aacPwO/TNoLtrCgRkzNyKXluUkM9OoIvkvB5DEGjYbe82+gI5Zi+NbW9N/p
+            MqpueXLo6YfxbgOvsfNlgCvDFgMoBMVv/rWz0QGTj8VCvD5AkxiLQJxZ8TnlKn0w
-            5ilr9Cc1jvIivjZMGGPLRgkAc/twOOuyrZlsFd9kddAL9YFO7wpd/dko886y1jE5
+            NF6yQ7LCGgKVU8YHpKYjPmmDU/VegRYVe6wz4ackk0MZ5ITSFXF4qOG93Uj2SZfe
-            jz9n9F4SKYOcgLPqZuG1iZ8qaA2zGT2bP2caai/QJAmL90stQCiRWtQgB8KeWugm
+            ocpPYZ9BrOnxzCYd9ZS1yUmMRLRC61l66oG1hGrBTN7fcmHZaycCdcvABWOB/fxJ
-            nRFBm5BLamtoqjXXwzdtXGKbFAhvL5/h+kPxnJDjylfFVbgCpoWJ/fxdE5xxxZtq
+            940zMb5NYK6whToCWY++m3I6123k+/vLJe+3NoFc/wYdvpnxVqLZqijxYPZZkbRN
-            zCcGCQQsaa85eWkBByhu7TdwyAW7bJCm8z6kfFPGqhNDkS8ifxnEWm6ulgYVokiL
+            gCtRE67AFWny0VQ2k1CGzBGbRAxM2EtIfDlbNgMUNBNuGST4tgxApp5QEa1yecHC
-            WVBvuQCd1s8KSExs6zNWGcGlqgvcbovHXyVlmLeqZfBA7i/vYqksZtBT47rG7nCS
+            mr3jDhR8UuFdIrq2sTz/uMUptTrsB3oaZmfuZ47pCVHtDNc2ri4U1gsI6oI03utO
-            YGfHy69yVrMdj4KrLuMXNfjtS92hkQqWmCyl5X5zOSJXqEL2dorMzSZn89gK4nL4
+            u/q6nMHiJlf8HUwI59GemBaHTiMgzKl0REAoV3SpdfjWSDZiro42au6E20M1dgup
-            V4zOKkKtsj2MqynYn/XAoUf3AfYs2wtRhJiU+r/q+rx9Hx31H8mnUuUerT58yQCY
+            rQG8Gz33QnIHg5ezEHcTSeHk3SgMTbAqQy7/aD3pqI6wEgXqU2neDFZEkNu4FnzD
-            mAkjIhTzvZcWIalQo7xnZhos4p1IYaA7MAuGC6HxuWVaOsyiFkRaKwB9svWyZ/DS
+            ofnm1oAGnbOIH2+SFtd33hDe/2nuFBo3CYEyz/fezhbMwCwoA4Iwd7FBQW4ideXS
-            XAFID3fQ1xfNyYsW8nvXQmvZubnhE+dAQPaiAFP9ujY4RVXWBFOrV6NAs7y/LID/
+            XAGU2gt1hdPfgMQ55GeRI01C2dqiLQOpvTHy2uBl9ekPtSw2Ws27hVhdHvU7B5ZG
-            89lpfWN87JWSJWUk6DCD3AQ+1GiBCFy7uswUJkG4zou1RQBSl7X88ziVDILU
+            Jr388jC5d5dKGNv1I8nVNlfmPvb4hwGazrHdCYiQdwrpggajFtWD/LIgUcW2
-            =tXkN
+            =aK5J
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/secrets/jokum/jokum.yaml
+++ b/secrets/jokum/jokum.yaml
@ -19,51 +19,78 @@ sops:
        - recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXY29wUXJnMURlWk4rUTRh
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmLzAzMzNCdGxSMVdiNUVK
-            alZsb0xSTlI2MFFTb3B4dzhDT2l5M1pLMWg4CkgzT1h0VHBMTTNhRTJRNEZLWWlk
+            SFlJeTEyRW5SenQrMnFGZEJ5TGJxNDIvSmhzCkdBUnYvNDVxZ1ZNSkYxanZQY3Iw
-            dyt0aCt0c3NTR1ovS1FIM1VBTW9Ha0kKLS0tIHN0eDNqbzJXQUZFcTFGaFEyME5t
+            akhuK01haFVRTUlKcjloVU9QVmhldGMKLS0tIDZmMjk1WlNNYUFXN2pWQ0oxRjRv
-            djJpWDlRNGhGemZXR0tMc0RhYVZpMWcKG/Airf45TgfJ82vPfXxMLtRRLPvZR/Iu
+            bzFmcnJUaUJmU2pCZTRnRTZZZHVkQnMKrKLbYFE2+0rj5BUchhYtWghzbRJTFDaY
-            teoToXtddxFVY675nFy0gfq9P21qHJ7MvTYwVBhQAT/TitTZ/q2u9A==
+            +RQpJC+5gSinmUuP3nMGR2bv+gL9v/EOJKeVrC7/sZM9mQeXI36CUg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQnlmMVE1aDRycXNmclk4
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU0xjY0NEelJvaFJEdjl0
-            OWgyQzhDdzJrdlEvL2NzeURoa3hZa3lEMzJJCk11ai90L0ZGd3U2VUhHdm1mQ1VC
+            YVVDYXFxbFg4d241ZjdRRjZVM1lJd0R3NldJCjJQRW9EOGMrcHRUNlRhNEJ3cWhS
-            eCt0WjVKVEt0N0tkRHl1QW4vRWdtMG8KLS0tIEVjVER2QXlIbnZXQUNONzlGbnRl
+            UWlycHYvaXA4TkxEVjZ1QThQUTlrcjAKLS0tIHNXWk1mQWJFcmU1Qmp4a3YrRngy
-            dDZ4RGFqaktTZ05yNjhqUlhqQmpBcncKTSSe5rZhV/+tsgk3xlV7nEphS8qhxucz
+            LzZ3bU1nd0FLa0hNR25CY0hzNS9GZjQKRoRMDXESUtwRGDat2gJ9Fjqy/m6FThzk
-            0O1J0U8FEdyfrwF2AOobsf4YIgtTrb20gyXsTdPwIbsQToJ+YqVAgQ==
+            k6byBSt605skrUd2YQZ+JF9cUs6p9y9Fm6t+HfK/kHQ7jchiS3ZLmQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeDVwdHEvUk1JTW9FSkx2
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSjFQb0I4eHlhL0NMN1ZF
-            VmlxejM0ZkJmZ3JkemQ2cnkvenY2ZmRJRFZzCmFHbUJzZ0VjYWZuelZHei9SWUo2
+            WldhZ2ZiTTZDMXM3aXgxeHUyZm43dmVVNlFvCnQzd0VYdVd1azB4dlJkdDd3bE0r
-            bjhPSUNrRW5JTWhVWnRzOU9sY25BMlEKLS0tIDF3M3ZFei9qczdDaGVsV0hrTWVU
+            VHlwMFZzaUhkVzhhanl4cWxGWUlDWFEKLS0tIFdWck9qVVRoTWZsK2RNYzF2WEhN
-            NktTc2Y4ZDV4VGlza1FVdXBQUUVPZUkKYs9b4a+yAzI5kpv0X5/Ogg8sH0zdTim7
+            eFpOY1UzWHpYb3p4eDNRU1VSdnJyZ0UKrF9vihQPmmv4nrDf+tPAssfZLNJbdK1L
-            fXnkXZfAJ9oL/0qjVzFZA3j5aQX0xKMffSE/SFcQxUY2sISnwh1Tfw==
+            N4IlFTUPchiPW1ss22bjtiooekHAuP4ygePYLKlKEi3w1SsKa9REGg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZEhYTVRBWVJkYndjOEZq
            WlF1UCtJN3Uwb0FNdHJITTdiTXZVRWQyUFh3CkJOOHRHSHhXdW5uTEhVeTFHWWNi
            QTd1cW5YTkFJZTRaN2RaMnRKQi93T1UKLS0tIEwzSnVleWduTkRhMnduNVFEMjFL
            NmVHOFd6eVhXdTQ3RE1adkhUaHB3TVEKPFmS1njkM6FPToIKML396vfM3T39co/v
            mvyOUCq921mTIzlPfVpfpXd9pmiyMKi/spDS4xZ2nFLyHMhXMKW20A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbDVRaU9pTkROV0VoNm5p
            VUhsenhxR1cyTFZVeDJZd1gvVUx6TXdQY3hzCnBwUDZmaE5FdFdVODZFN0lxbTdB
            dXRBVHpUak00RnZBRUpGeFRuajhZK2cKLS0tIGRaODBlM1FnRU5iV0RrWDlEMHUr
            U3AybkRZV2EzVjE1QktEcjdwNG00dXcKnWaJwHyA4Q5RFgOWg3wbPwL4E8Mgijph
            wCuujSzIUMGBqIBzr6ADbQ38lnUSKjGz8EQyrIa4/vILXzuJ/44SbQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ3RYV2tYVy9ubFQ2cTg3
            L0xqNlcycHZiU2hlRGxmd05EZldMa0xMWENzCkhHdmR0dVRYMjZkdit0Mjc4dy9X
            ZEtLY3hrbUZjaXpCdHBhVm9wZkJ0WlUKLS0tIHdsNHhNSEZVSHRuWE9tOXdoY3ZK
            Ti9TOVhUWVdsVmw2U2ZvazVKajJSRTAKnAxtMLh5U4xL3UsLehdo2JMBRcX9Vy+X
            oWlgVviORYtHaaU7Y9MFTmhV3OS+He38wX0l4NZOI0d8mZ/6uJ1JMA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2023-02-13T00:12:03Z"
    mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
    pgp:
-        - created_at: "2023-03-26T11:12:37Z"
+        - created_at: "2024-08-04T00:04:00Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA0av/duuklWYAQ/9GHLOAfLgTqVmfJACvt9xMqlzfrXyiACTJg+J5BD8hEtn
+            hQIMA0av/duuklWYAQ//QIfxaAOVl0QStvZe6irI0GHS8+7EExn88dP1QdMnVijv
-            oe2clo/fO9u6df42hk/szQTQH4rJULdxvUNiBzYS0XbWCa+iWzpiOPN+bQZKoV3X
+            W/IiVffs/Bb0t0hcNFY3SaU4ea+zOT5bdMOlQGA383hTYvwXXdI+uSFmn3hrysZS
-            U4sFrHMT0ledUg62rlTbOmqpvLivoP6//DEqHAWl2weUvpplBRFzTFwICo+2+Jjo
+            eY7394Z9c8jubEDXfJOHTt0mbpfzOglZjiCcQYnZlhkgOzilDXMCjVsjVvuAN0bz
-            18dzdYyBa5sxJ/KZKUoNsxRaCFgXs5L6qTuqzmZpnhnH1pKNW3D6e6Hfb0BmebUy
+            MFN/DjC50fIdlaeWe7h7NgK3Mu9j39tUrgDCGn2YlCycxcpPz8+83Ge8bOnyskZs
-            wt5NgxWJ/4dHFK84i93E1vxPbSusvQ++6JCSWgZtOwZJehnz5AeHgdDBzcHeJY8O
+            P/04wfkOGSrwb1ingxHjZP9lR2NABdqOqSBzC+x7EQs6xNAmC4XayeTnASBDYp8B
-            Idq+QrvRsqjisDNvd7blmBleup1Ai0l/CzEtTEYd/h/QipaT1rVaPOP4H/lnHZmO
+            +H/3Hiv1nWtS//PQr/5+KHR1/iLaSNI2fUAUFimIwEQTU1vpMaV2tVmJtpmSQRAg
-            f0HWGxhPCDfiuLK43DBExrj1QUq4LVUZf145fRGMWZfHtlzHM+4dY+/ijyUi7pFY
+            MpwljVoCSWvhmU4oZU8ObTjcMy58YfWHIOcIN2HHgWBVdITve3sca6J1VHs0rWFm
-            cenrE3/Iz8gaUWqRdaYqK/O/vrHq/siUS8IiWY53ALUF+DlBMuRrtc76T/fkSKbR
+            4tqPElsfa59WPy3HKLGg8pPahoBlj4X1PGJVHxXBMJsPnbX0gg6V7ajQaVdOsJAF
-            LuO7MnOnNyBy5HT+MQii1Tat7ODtPXlky+N5leVQQVAUMHrI6ETWAQlctBjDZXyT
+            LMgAel7eNq0KBzk/rrVRoV5ii2lipUtKmb+FKTXKvSnwgqhVNkRppsl9BqgeXvTR
-            UzXh8WVT+pijxNYDqUVMJ4d43AuHKayf2m0PftOZv+Q8n5ZqwUoQN6WbpsLvDFTU
+            P7AsKnNgQBydz9vDTkDOuspyTluDmhXkwNQyhjH0enPAyeQWN2qs/A8qgmfdTXff
-            4XweZaChhoq4K68o6vpOb5b7x+vlisiL2j+kYAgMjlWk1vkDY/GsHY8USi0Rj17S
+            TzvlfOEy/6r4zl7V+L+qcw0pYrzi5K2CtemN8TlGhRvAYgiURY/78kD6EGrjMLLS
-            XAGAULPvLDP+ohieT6dP2xLvzu4ghrySCTF6LjQ9sN2gHWfcV2FVw+anA3mxOLGK
+            XAHBQn0q8dYgKf2uA0JcfNehgpI5fr3gZxQFKhnuXkXRa5h9hMn1mzdhtO4VyN1e
-            P4hOgPPfiP/0O9H0KSHq0gXjhBkackFVAOPixvSAJdvkooVW+PisHjl59Jd6
+            d8eL57iFeApC9SAmAGMOz0DBbskD470qnYObUliViWQpcj2VR6W4BwZG28QX
-            =exZj
+            =iviy
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/shell.nix
+++ b/shell.nix
@ -1,9 +1,14 @@
 { pkgs ? import <nixpkgs> {} }:
-pkgs.mkShell {
+pkgs.mkShellNoCC {
-  nativeBuildInputs = with pkgs; [
+  packages = with pkgs; [
    just
    jq
    gum
    sops
    gnupg
    statix
    openstackclient
    editorconfig-checker
  ];
  shellHook = ''
--- a/statix.toml
+++ b/statix.toml
@ -0,0 +1,24 @@
 ignore = [".direnv"]
 nix_version = '2.18' # '2.4'
 disabled = [
    # "bool_comparison", # W01
    # "empty_let_in", # W02
    "manual_inherit", # W03
    "manual_inherit_from", # W04
    # "legacy_let_syntax", # W05
    "collapsible_let_in", # W06
    # "eta_reduction", # W07
    # "useless_parens", # W08
    "empty_pattern", # W10
    # "redundant_pattern_bind", # W11
    # "unquoted_uri", # W12
    # "deprecated_is_null", # W13
    # "empty_inherit", # W14
    # "faster_groupby", # W15
    # "faster_zipattrswith", # W16
    # "deprecated_to_path", # W17
    # "bool_simplification", # W18
    # "useless_has_attr", # W19
    "repeated_keys", # W20
    "empty_list_concat", # W23
 ]
--- a/users/pederbs.nix
+++ b/users/pederbs.nix
@ -0,0 +1,37 @@
 { pkgs, ... }:
 {
  users.users.pederbs = {
    isNormalUser = true;
    description = "kul kis";
    extraGroups = [
      "wheel"
      "drift"
      "nix-builder-users"
    ];
    packages = with pkgs; [
      atool
      bat
      edir
      fd
      htop
      jq
      micro
      ncdu
      ripgrep
      sd
      tmux
      wget
      xe
      yq
    ];
    openssh.authorizedKeys.keys = [
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+qv5MogWwOgctQfQeHxUHF2ij6UA8BR4DLXtZClnw6A1CtOjAtZeAW62C8q9OKaIKDO0hqd2vLBkgEno4smqBDJ2ThwKuXrhiHqJzCkXZqIKKx79mpTo7aRpFgkJ7328Ee+tbqa65coL98WRhLnDg69NDaOfSCmH85/D0kuyTG7mYIMdBtFXB/IU0QC9USCSGcUGSnQAEx8S0vaXL7JP043kfEfeqwsea598qX+LFa2UfGwgLBpiWi4QEfYy6fviz2TFkbRYKQImybidzUHZkljjPupqu8U4dIx/jsJM/vew717xZPCU0ZCho77TIU+bYSitD5mjnzuD7LrAdbFgnhkD2sQlD/hUW40kPVT/Tq3DrpDRKC9tniiTaIQV1Pe0k82XwYrvV/hTl8T1ed6TuzhmUggqowAbJRbaBIa1zI672AFFQM8OBIN59ZlLy3V2RZW4fvQk2/xMRdVBT0W5Upx+9rCbH9LCGWL8gNNA/PRJ0L9Ts6cq8kf4tFhFQQrk= pbsds@bjarte"
      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCo5/9uHIKhhpVbcLSKslj9wdBiV4YaY/tydTfypNZBMMP2U54640t8JvHHkxCZRur8AqYupellxAqkmKn516Ut0WvfQcNgF7ieI66JHkK1j7kSFHHG1nkJHslwCh2PeYtfx5zHZZq8X9v/UjVGY182BC4BHC5zixmNiUvvc+N24BRT4NwslFmMYVcTdoNBSJXPgte4uUd+FZrAnHQrjYdJVANgI4i1d11mxlDFgJrPJj30KaIDxHAsAWgCEqGLMDO9N1cpGGbXVeXfoGvv+vdCXgbyA8BK7wWwXvy5HlvhpEJo8g84r6uKMMkEf+K1MpTiaNjdu+7/sKD/ZOyDB4RgCBs0DskouWRi+xfxABaKBj6706Z3hpj+GfpuSXrHKgGYXIL4cZHaAlz8GVsN1mUL4eJ12Sk14Od2QUHbzp7TDz5eaWuczPs5W9qXwNDMZcmBBZ3mkt9ZYPvAPRjeLpAKhhA9xPL3hbob5hhAENTWsFRFJEgpm8l362XFIOLHr/M= pbsds@rocm"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpuDBMll1viLKd/wm1lCy9iozyKeXMBHDwhdJOpeRLe pbsds@nord"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOm2UFDD+qsnKvlBBZ/nhBqY9yeLewwF/bexD2SUL7E3 pbsds@sopp"
      #"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILocbYCqu63RT2+mE0l+ZWWw9RVHNcydtLXbLklg6oPe pederbs@pvv"
    ];
  };
 }
--- a/values.nix
+++ b/values.nix
@ -30,11 +30,10 @@ in rec {
      ipv6 = pvv-ipv6 168;
    };
    ildkule = {
-      ipv4 = "10.212.25.209";
+      ipv4 = "129.241.153.213";
-      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
+      ipv4_internal = "192.168.12.209";
-
+      ipv4_internal_gw = "192.168.12.1";
-      ipv4_global = "129.241.153.213";
+      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
    };
    bicep = {
      ipv4 = pvv-ipv4 209;
@ -66,11 +65,11 @@ in rec {
  };
  defaultNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
+    dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
    gateway = [ hosts.gateway ];
    dns = [ "129.241.0.200" "129.241.0.201" ];
    domains = [ "pvv.ntnu.no" "pvv.org" ];
    gateway = [ hosts.gateway ];
    networkConfig.IPv6AcceptRA = "no";
    DHCP = "no";
  };
 }
Author	SHA1	Message	Date
Felix Albrigtsen	ca287b95c9	Ildkule/openstack: fix networking Removes systemd-networkd, and configures proper ipv4 and ipv6 in openstack.	2024-09-05 00:24:22 +02:00
Daniel Lovbrotte Olsen	7e95b77e15	grzegorz: follow stable nix channel It broke because sanic	2024-09-03 13:28:13 +02:00
Daniel Lovbrotte Olsen	669733309b	ildkule: get systemd stats from more machines	2024-09-03 13:10:36 +02:00
Daniel Lovbrotte Olsen	4ed12573ff	ildkule: fix system activation by disabling smartd	2024-09-03 13:07:58 +02:00
Daniel Lovbrotte Olsen	8418cc016c	fix biceps systemd units failing on activation	2024-09-03 13:00:12 +02:00
Daniel Lovbrotte Olsen	b4c602e31c	metrics: install systemd exporter	2024-09-02 23:12:24 +02:00
Daniel Lovbrotte Olsen	3a0b8e270d	bekkalokk/idp: Disallow bots	2024-09-02 23:11:44 +02:00
Daniel Lovbrotte Olsen	9505223dc9	justfile: fix flake input updating	2024-09-02 19:33:15 +02:00
Daniel Lovbrotte Olsen	201784fa21	bluemap on bekkalokk 💀	2024-09-02 15:11:32 +02:00
Daniel Lovbrotte Olsen	ccefcb01fa	flake.lock update	2024-09-02 14:12:39 +02:00
Daniel Lovbrotte Olsen	f7e2c74f89	base: enable rebuilding nixos-config without updating the channels used	2024-09-01 22:10:58 +02:00
Felix Albrigtsen	161265d346	Bekkalokk/Nettsiden: deploy #78	2024-09-01 20:13:56 +02:00
Oystein Kristoffer Tveit	f85d18769f	common: clean `/tmp` on boot by default	2024-09-01 03:29:46 +02:00
Oystein Kristoffer Tveit	b47a626427	common/openssh: socket activate	2024-09-01 03:21:13 +02:00
Oystein Kristoffer Tveit	4d65b9fd1d	common/sudo: misc config	2024-09-01 03:17:15 +02:00
Oystein Kristoffer Tveit	f3e094520e	common/postfix: init	2024-09-01 03:13:18 +02:00
Oystein Kristoffer Tveit	69f98933a4	common/smartd: add `smartctl` to environment packages	2024-09-01 01:55:38 +02:00
Oystein Kristoffer Tveit	bf2959c68d	common/nix: flesh out	2024-09-01 01:44:59 +02:00
Oystein Kristoffer Tveit	17f0268d12	common/irqbalance: init	2024-09-01 01:39:35 +02:00
Oystein Kristoffer Tveit	ebce0eb67a	common/smartd: init	2024-09-01 01:23:15 +02:00
Oystein Kristoffer Tveit	b48230e811	bekkalokk/btrfs: scrubbalubba dubdub	2024-09-01 01:04:28 +02:00
Daniel Lovbrotte Olsen	914eb35c5a	add a route for /_synapse/admin, point mjolnir at it This is whitelisted to just bicep As a side-effect it's also much easier to use synapse-admin now	2024-09-01 00:34:42 +02:00
Oystein Kristoffer Tveit	8610a59f35	base.nix: split into multiple files	2024-08-31 22:28:17 +02:00
Oystein Kristoffer Tveit	bd42412b94	bekkalokk/gitea/import-users: refactor + add members to groups	2024-08-27 22:07:29 +02:00
Daniel Lovbrotte Olsen	ef3b146b58	bekkalokk/gitea: don't autowatch all members to all projects	2024-08-27 09:26:00 +02:00
Oystein Kristoffer Tveit	bb4662b345	modules/snakeoil-certs: fix lmao	2024-08-26 20:43:34 +02:00
Oystein Kristoffer Tveit	5b1c04e4b8	bicep/postgres: use snakeoil certs	2024-08-26 20:43:34 +02:00
Oystein Kristoffer Tveit	3fa7f67027	bekkalokk/gitea-web: host pages	2024-08-26 20:36:03 +02:00
Oystein Kristoffer Tveit	b0f555667c	bekkalokk/gitea: set up gitea-web sync units	2024-08-26 20:36:03 +02:00
Oystein Kristoffer Tveit	ef418bf125	base/logrotate: systemd hardening + more	2024-08-22 23:00:45 +02:00
Oystein Kristoffer Tveit	945d53cdb4	bekkalokk/vaultwarden: systemd hardening	2024-08-22 22:59:32 +02:00
Oystein Kristoffer Tveit	cf3b62e01e	bekkalokk/phpfpm-*: systemd hardening	2024-08-22 22:58:48 +02:00
Oystein Kristoffer Tveit	c12a47cee0	flake.nix: bump calendar bot	2024-08-17 01:19:46 +02:00
Oystein Kristoffer Tveit	b9ef27565f	Bump calendar-bot	2024-08-16 09:16:26 +02:00
Oystein Kristoffer Tveit	f5c99b58c8	bicep/calendar-bot: reactivate	2024-08-15 23:22:50 +02:00
Peder Bergebakken Sundt	c780f7954c	Merge pull request 'justfile: add recipe `run-vm`' (!64 ) from run-vm into main Reviewed-on: #64 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-15 21:14:29 +02:00
Oystein Kristoffer Tveit	d64d8edd68	bekkalokk/gitea: add some extra tabs	2024-08-14 17:36:19 +02:00
Peder Bergebakken Sundt	4de7bd09bd	Merge pull request 'enable thermald on physical machines' (!61 ) from thermald into main Reviewed-on: #61 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-14 17:31:44 +02:00
Peder Bergebakken Sundt	0f5c48902b	Merge pull request 'users: disable password login for users in @wheel' (!62 ) from fix-deploy into main Reviewed-on: #62 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-14 17:31:08 +02:00
Peder Bergebakken Sundt	2ff69dfec6	justfile: add recipe `run-vm`	2024-08-14 17:25:55 +02:00
Peder Bergebakken Sundt	36a8868f94	users: disable password login for users in @wheel	2024-08-11 03:42:26 +02:00
Peder Bergebakken Sundt	fe3e5d6a3d	enable thermald on physical machines	2024-08-10 23:55:29 +02:00
Peder Bergebakken Sundt	2f3bcaf124	shell.nix: fix typo	2024-08-10 18:15:31 +02:00
Peder Bergebakken Sundt	c6684d5146	Merge pull request 'justfile: init' (!56 ) from justfile into main Reviewed-on: #56 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-07 12:22:04 +02:00
Peder Bergebakken Sundt	f6cb934ffb	Merge pull request 'flake.nix: simplify allMachines' (!59 ) from attrnames into main Reviewed-on: #59 Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>	2024-08-04 23:44:54 +02:00
Peder Bergebakken Sundt	9625258942	Merge pull request 'flake.nix: export snakeoil-certs and snappymail nixos modules' (!58 ) from export-modules into main Reviewed-on: #58 Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>	2024-08-04 23:44:19 +02:00
Peder Bergebakken Sundt	34637e383a	justfile: add update-inputs recipe	2024-08-04 17:19:40 +02:00
Peder Bergebakken Sundt	0bfa6ac329	flake.nix: export inputs	2024-08-04 17:19:33 +02:00
Peder Bergebakken Sundt	2c3261de74	flake.nix: simplify allMachines	2024-08-04 17:11:21 +02:00
Peder Bergebakken Sundt	c2e6f294ea	flake.nix: export snakeoil-certs and snappymail nixos modules	2024-08-04 16:48:21 +02:00
Peder Bergebakken Sundt	41e94695f0	Merge pull request 'editorconfig' (!55 ) from editorconfig into main Reviewed-on: #55 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-04 16:20:23 +02:00
Peder Bergebakken Sundt	c6b4ea9929	add .git-blame-ignore-revs	2024-08-04 04:39:17 +02:00
Peder Bergebakken Sundt	9dbf5d56f5	fix whitespacing issues	2024-08-04 04:37:23 +02:00
Peder Bergebakken Sundt	64b5bb548b	editorconfig: init	2024-08-04 04:35:25 +02:00
Peder Bergebakken Sundt	261c8e0811	Merge pull request 'Run statix' (!54 ) from statix into main Reviewed-on: #54 Reviewed-by: Daniel Lovbrotte Olsen <danio@pvv.ntnu.no>	2024-08-04 04:26:23 +02:00
Peder Bergebakken Sundt	4476cdcbbc	justfile: init	2024-08-04 03:28:17 +02:00
Peder Bergebakken Sundt	f475243b94	Merge pull request 'sops: add pederbs' (!51 ) from pederbs-sops into main Reviewed-on: #51 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-04 02:56:31 +02:00
Peder Bergebakken Sundt	f382109b4a	Merge pull request 'users: add pederbs' (!49 ) from user-pederbs into main Reviewed-on: #49 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-04 02:46:59 +02:00
Peder Bergebakken Sundt	e5e3100639	Merge pull request 'direnv: yes' (!50 ) from direnv into main Reviewed-on: #50 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-04 02:46:18 +02:00
Peder Bergebakken Sundt	5853e42c1b	Merge pull request 'SimpleSamlPHP: use concatLines' (!53 ) from concatlines into main Reviewed-on: #53 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-04 02:46:01 +02:00
Peder Bergebakken Sundt	d59aa08986	Merge pull request 'shell.nix: remove cc' (!52 ) from shell-cc into main Reviewed-on: #52 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-08-04 02:44:52 +02:00
Oystein Kristoffer Tveit	95a5603f27	secrets: run `sops updatekeys` on everything	2024-08-04 02:04:29 +02:00
Peder Bergebakken Sundt	1714681532	`statix fix`	2024-08-04 01:46:00 +02:00
Peder Bergebakken Sundt	314c7960d1	statix: init	2024-08-04 01:45:20 +02:00
Peder Bergebakken Sundt	43d353190c	SimpleSamlPHP: use concatLines	2024-08-04 01:42:32 +02:00
Peder Bergebakken Sundt	eb74d011db	shell.nix: remove cc	2024-08-04 01:30:02 +02:00
Peder Bergebakken Sundt	b52de48455	sops: add pederbs	2024-08-04 01:24:54 +02:00
Peder Bergebakken Sundt	510f385f4a	direnv: yes	2024-08-04 01:19:22 +02:00
Peder Bergebakken Sundt	e25ba96096	users: add pederbs	2024-08-04 00:58:11 +02:00
Oystein Kristoffer Tveit	53040bada1	flake.lock: update pvv-nettsiden	2024-08-04 00:09:32 +02:00
Felix Albrigtsen	2030d4de39	fix-openstack-networking (!47 ) Fix networking in Openstack. This rewrites the systemd-networkd config, fixing both dhcp and manual address/route configurations. Now, everything should behave predictably, routing NTNU-internal and NTNU-global addresses separately and properly across both ipv4 and ipv6. Reviewed-on: #47	2024-07-31 11:23:00 +02:00
Felix Albrigtsen	c7797bdd04	Merge pull request 'SimpleSAMLPHP/MediaWiki: Update deprecated --replace' (!48 ) from fix-replace-warn into main Reviewed-on: #48 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-07-28 23:30:44 +02:00
Felix Albrigtsen	615b5fc1f1	SimpleSAMLPHP/MediaWiki: Update deprecated --replace	2024-07-28 23:28:33 +02:00
Oystein Kristoffer Tveit	a0a837e26d	Merge pull request 'bekkalokk/gitea: direct non-logged-in users to the explore tab' (!46 ) from gitea-explore into main Reviewed-on: #46 Reviewed-by: Felix Albrigtsen <felixalb@pvv.ntnu.no> Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no>	2024-07-28 23:10:38 +02:00