Ildkule/openstack: fix networking

Removes systemd-networkd, and configures proper ipv4 and ipv6 in
openstack.

.editorconfig

@@ -0,0 +1,10 @@
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.nix]
+indent_style = space
+indent_size = 2

.envrc

@@ -0,0 +1 @@
+use flake

.git-blame-ignore-revs

@@ -0,0 +1 @@
+e00008da1afe0d760badd34bbeddff36bb08c475

.gitignore

@@ -1,2 +1,4 @@
 result*
 /configuration.nix
+/.direnv/
+*.qcow2

.sops.yaml

@@ -4,6 +4,9 @@ keys:
   - &user_felixalb age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
   - &user_oysteikt F7D37890228A907440E1FD4846B9228E814A2AAC
   - &user_eirikwit age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
+  - &user_pederbs_sopp age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+  - &user_pederbs_nord age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+  - &user_pederbs_bjarte age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
@@ -20,17 +23,23 @@ creation_rules:
       - *user_danio
       - *user_felixalb
       - *user_eirikwit
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
 
   # Host specific secrets
-  
+
   - path_regex: secrets/bekkalokk/[^/]+\.yaml$
     key_groups:
     - age:
       - *host_bekkalokk
       - *user_danio
       - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
 
@@ -40,6 +49,9 @@ creation_rules:
       - *host_jokum
       - *user_danio
       - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
 
@@ -49,14 +61,20 @@ creation_rules:
       - *host_ildkule
       - *user_danio
       - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt
-  
+
   - path_regex: secrets/bicep/[^/]+\.yaml$
     key_groups:
     - age:
       - *host_bicep
       - *user_danio
       - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
       pgp:
       - *user_oysteikt

README.MD

@@ -26,10 +26,14 @@ Det er sikkert lurt å lage en PR først om du ikke er vandt til nix enda.
 Innen 24h skal alle systemene hente ned den nye konfigurasjonen og deploye den.
 
 Du kan tvinge en maskin til å oppdatere seg før dette ved å kjøre:
-`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git --upgrade`
+`nixos-rebuild switch --update-input nixpkgs --update-input nixpkgs-unstable --no-write-lock-file --refresh --upgrade --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
 
 som root på maskinen.
 
+Hvis du ikke har lyst til å oppdatere alle pakkene (og kanskje måtte vente en stund!) kan du kjøre
+
+`nixos-rebuild switch --override-input nixpkgs nixpkgs --override-input nixpkgs-unstable nixpkgs-unstable --flake git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git`
+
 ## Seksjonen for hemmeligheter
 
 For at hemmeligheter ikke skal deles med hele verden i git - eller å være world

base.nix

@@ -1,133 +0,0 @@
-{ config, lib, pkgs, inputs, values, ... }:
-
-{
-  imports = [
-    ./users
-    ./modules/snakeoil-certs.nix
-  ];
-
-  networking.domain = "pvv.ntnu.no";
-  networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
-
-  systemd.network.enable = true;
-
-  services.resolved = {
-    enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
-  };
-
-  time.timeZone = "Europe/Oslo";
-
-  i18n.defaultLocale = "en_US.UTF-8";
-  console = {
-    font = "Lat2-Terminus16";
-    keyMap = "no";
-  };
-
-  system.autoUpgrade = {
-    enable = true;
-    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
-    flags = [
-      "--update-input" "nixpkgs"
-      "--update-input" "nixpkgs-unstable"
-      "--no-write-lock-file"
-    ];
-  };
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 2d";
-
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-
-  /* This makes commandline tools like
-  ** nix run nixpkgs#hello
-  ** and nix-shell -p hello
-  ** use the same channel the system
-  ** was built with
-  */
-  nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
-  };
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
-
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
-
-  programs.zsh.enable = true;
-
-  users.groups."drift".name = "drift";
-
-  # Trusted users on the nix builder machines
-  users.groups."nix-builder-users".name = "nix-builder-users";
-
-  services.openssh = {
-    enable = true;
-    extraConfig = ''
-      PubkeyAcceptedAlgorithms=+ssh-rsa
-    '';
-    settings.PermitRootLogin = "yes";
-  };
-
-  # nginx return 444 for all nonexistent virtualhosts
-
-  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
-  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
-    "/etc/certs/nginx" = {
-      owner = "nginx";
-      group = "nginx";
-    };
-  };
-
-  services.nginx = {
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes auto;
-      worker_rlimit_nofile 100000;
-    '';
-    eventsConfig = ''
-      worker_connections 2048;
-      use epoll;
-      multi_accept on;
-    '';
-  };
-
-  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
-    LimitNOFILE = 65536;
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
-  };
-
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
-}

base/default.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, ... }:
+
+{
+  imports = [
+    ../users
+    ../modules/snakeoil-certs.nix
+
+    ./networking.nix
+    ./nix.nix
+
+    ./services/acme.nix
+    ./services/auto-upgrade.nix
+    ./services/irqbalance.nix
+    ./services/logrotate.nix
+    ./services/nginx.nix
+    ./services/openssh.nix
+    ./services/postfix.nix
+    ./services/smartd.nix
+    ./services/thermald.nix
+  ];
+
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+
+  time.timeZone = "Europe/Oslo";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "no";
+  };
+
+  environment.systemPackages = with pkgs; [
+    file
+    git
+    gnupg
+    htop
+    nano
+    ripgrep
+    rsync
+    screen
+    tmux
+    vim
+    wget
+
+    kitty.terminfo
+  ];
+
+  programs.zsh.enable = true;
+
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+
+  users.groups."drift".name = "drift";
+
+  # Trusted users on the nix builder machines
+  users.groups."nix-builder-users".name = "nix-builder-users";
+}
+

base/networking.nix

@@ -0,0 +1,16 @@
+{ lib, values, ... }:
+{
+  networking.domain = "pvv.ntnu.no";
+  networking.useDHCP = false;
+  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
+  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
+  # networking.tempAddresses = lib.mkDefault "disabled";
+  # networking.defaultGateway = values.hosts.gateway;
+
+  systemd.network.enable = true;
+
+  services.resolved = {
+    enable = lib.mkDefault true;
+    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+  };
+}

base/nix.nix

@@ -0,0 +1,34 @@
+{ inputs, ... }:
+{
+  nix = {
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 2d";
+    };
+
+    settings = {
+      allow-dirty = true;
+      auto-optimise-store = true;
+      builders-use-substitutes = true;
+      experimental-features = [ "nix-command" "flakes" ];
+      log-lines = 50;
+      use-xdg-base-directories = true;
+    };
+
+    /* This makes commandline tools like
+    ** nix run nixpkgs#hello
+    ** and nix-shell -p hello
+    ** use the same channel the system
+    ** was built with
+    */
+    registry = {
+      "nixpkgs".flake = inputs.nixpkgs;
+      "nixpkgs-unstable".flake = inputs.nixpkgs-unstable;
+      "pvv-nix".flake = inputs.self;
+    };
+    nixPath = [
+      "nixpkgs=${inputs.nixpkgs}"
+      "unstable=${inputs.nixpkgs-unstable}"
+    ];
+  };
+}

base/services/acme.nix

@@ -0,0 +1,15 @@
+{ ... }:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
+  virtualisation.vmVariant = {
+    security.acme.defaults.server = "https://127.0.0.1";
+    security.acme.preliminarySelfsigned = true;
+
+    users.users.root.initialPassword = "root";
+  };
+}

base/services/auto-upgrade.nix

@@ -0,0 +1,12 @@
+{ ... }:
+{
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git";
+    flags = [
+      "--update-input" "nixpkgs"
+      "--update-input" "nixpkgs-unstable"
+      "--no-write-lock-file"
+    ];
+  };
+}

base/services/irqbalance.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.irqbalance.enable = true;
+}

base/services/logrotate.nix

@@ -0,0 +1,42 @@
+{ ... }:
+{
+  # source: https://github.com/logrotate/logrotate/blob/main/examples/logrotate.service
+  systemd.services.logrotate = {
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
+    unitConfig.RequiresMountsFor = "/var/log";
+    serviceConfig = {
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [ "/var/log" ];
+
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      NoNewPrivileges = true; # disable for third party rotate scripts
+      PrivateDevices = true;
+      PrivateNetwork = true; # disable for mail delivery
+      PrivateTmp = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true; # disable for userdir logs
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "full";
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true; # disable for creating setgid directories
+      SocketBindDeny = [ "any" ];
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  };
+}

base/services/nginx.nix

@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+{
+  # nginx return 444 for all nonexistent virtualhosts
+
+  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
+
+  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+    "/etc/certs/nginx" = {
+      owner = "nginx";
+      group = "nginx";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
+
+  services.nginx = {
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes auto;
+      worker_rlimit_nofile 100000;
+    '';
+    eventsConfig = ''
+      worker_connections 2048;
+      use epoll;
+      multi_accept on;
+    '';
+  };
+
+  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
+    LimitNOFILE = 65536;
+  };
+
+  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+    sslCertificate = "/etc/certs/nginx.crt";
+    sslCertificateKey = "/etc/certs/nginx.key";
+    addSSL = true;
+    extraConfig = "return 444;";
+  };
+}

base/services/openssh.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  services.openssh = {
+    enable = true;
+    startWhenNeeded = true;
+    extraConfig = ''
+      PubkeyAcceptedAlgorithms=+ssh-rsa
+      Match Group wheel
+        PasswordAuthentication no
+      Match All
+    '';
+    settings.PermitRootLogin = "yes";
+  };
+}

base/services/postfix.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.postfix;
+in
+{
+  services.postfix = {
+    enable = true;
+
+    hostname = "${config.networking.hostName}.pvv.ntnu.no";
+    domain = "pvv.ntnu.no";
+
+    relayHost = "smtp.pvv.ntnu.no";
+    relayPort = 465;
+
+    config = {
+      smtp_tls_wrappermode = "yes";
+      smtp_tls_security_level = "encrypt";
+    };
+
+    # Nothing should be delivered to this machine
+    destination = [ ];
+  };
+}

base/services/smartd.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, lib, ... }:
+{
+  services.smartd.enable = lib.mkDefault true;
+
+  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
+    smartmontools
+  ]);
+}

base/services/thermald.nix

@@ -0,0 +1,8 @@
+{ config, lib, ... }:
+{
+  # Let's not thermal throttle
+  services.thermald.enable = lib.mkIf (lib.all (x: x) [
+      (config.nixpkgs.system == "x86_64-linux")
+      (!config.boot.isContainer or false)
+    ]) true;
+}

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715445235,
-        "narHash": "sha256-SUu+oIWn+xqQIOlwfwNfS9Sek4i1HKsrLJchsDReXwA=",
+        "lastModified": 1725242307,
+        "narHash": "sha256-a2iTMBngegEZvaNAzzxq5Gc5Vp3UWoGUqWtK11Txbic=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "159d87ea5b95bbdea46f0288a33c5e1570272725",
+        "rev": "96073e6423623d4a8027e9739d2af86d6422ea7a",
         "type": "github"
       },
       "original": {
@@ -63,15 +63,15 @@
       "inputs": {
         "fix-python": "fix-python",
         "nixpkgs": [
-          "nixpkgs-unstable"
+          "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1715364232,
-        "narHash": "sha256-ZJC3SkanEgbV7p+LFhP+85CviRWOXJNHzZwR/Stb7hE=",
+        "lastModified": 1716065905,
+        "narHash": "sha256-08uhxBzfakfhl/ooc+gMzDupWKYvTeyQZwuvB1SBS7A=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz",
-        "rev": "3841cda1cdcac470440b06838d56a2eb2256378c",
+        "rev": "0481aef6553ae9aee86e4edb4ca0ed4f2eba2058",
         "type": "github"
       },
       "original": {
@@ -87,11 +87,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715384651,
-        "narHash": "sha256-7RhckgUTjqeCjWkhiCc1iB+5CBx9fl80d/3O4Jh+5kM=",
+        "lastModified": 1716115695,
+        "narHash": "sha256-aI65l4x+U5v3i/nfn6N3eW5IZodmf4pyAByE7vTJh8I=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "738a4f3dd887f7c3612e4e772b83cbfa3cde5693",
+        "rev": "b9444658fbb39cd1bf1c61ee5a1d5f0641c49abe",
         "type": "github"
       },
       "original": {
@@ -121,6 +121,21 @@
         "type": "github"
       }
     },
+    "minecraft-data": {
+      "locked": {
+        "lastModified": 1725277886,
+        "narHash": "sha256-Fw4VbbE3EfypQWSgPDFfvVH47BHeg3ptsO715NlUM8Q=",
+        "ref": "refs/heads/master",
+        "rev": "1b4087bd3322a2e2ba84271c8fcc013e6b641a58",
+        "revCount": 2,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/minecraft-data.git"
+      }
+    },
     "nix-gitea-themes": {
       "inputs": {
         "nixpkgs": [
@@ -143,11 +158,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719520878,
-        "narHash": "sha256-5BXzNOl2RVHcfS/oxaZDKOi7gVuTyWPibQG0DHd5sSc=",
+        "lastModified": 1725198597,
+        "narHash": "sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a44bedbb48c367f0476e6a3a27bf28f6330faf23",
+        "rev": "3524b030c839db4ea4ba16737789c6fb8a1769c6",
         "type": "github"
       },
       "original": {
@@ -158,27 +173,27 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714858427,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "lastModified": 1721524707,
+        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "release-23.11",
+        "ref": "release-24.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1715435713,
-        "narHash": "sha256-lb2HqDQGfTdnCCpc1pgF6fkdgIOuBQ0nP8jjVSfLFqg=",
+        "lastModified": 1725183711,
+        "narHash": "sha256-gkjg8FfjL92azt3gzZUm1+v+U4y+wbQE630uIf4Aybo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "52b40f6c4be12742b1504ca2eb4527e597bf2526",
+        "rev": "a2c345850e5e1d96c62e7fa8ca6c9d77ebad1c37",
         "type": "github"
       },
       "original": {
@@ -194,11 +209,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1693136143,
-        "narHash": "sha256-amHprjftc3y/bg8yf4hITCLa+ez5HIi0yGfR7TU6UIc=",
+        "lastModified": 1723850344,
+        "narHash": "sha256-aT37O9l9eclWEnqxASVNBL1dKwDHZUOqdbA4VO9DJvw=",
         "ref": "refs/heads/main",
-        "rev": "a32894b305f042d561500f5799226afd1faf5abb",
-        "revCount": 9,
+        "rev": "38b66677ab8c01aee10cd59e745af9ce3ea88092",
+        "revCount": 19,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       },
@@ -214,11 +229,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1718404592,
-        "narHash": "sha256-Ud8pD0mxmbfvwBXKy2q3Yp8r1EofaTcodZtI3fbnfDY=",
+        "lastModified": 1725212759,
+        "narHash": "sha256-yZBsefIarFUEhFRj+rCGMp9Zvag3MCafqV/JfGVRVwc=",
         "ref": "refs/heads/master",
-        "rev": "6e4a79ed3ddae8dfc80eb8af1789985d07bcf297",
-        "revCount": 463,
+        "rev": "e7b66b4bc6a89bab74bac45b87e9434f5165355f",
+        "revCount": 473,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
       },
@@ -233,6 +248,7 @@
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
+        "minecraft-data": "minecraft-data",
         "nix-gitea-themes": "nix-gitea-themes",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
@@ -249,11 +265,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715244550,
-        "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=",
+        "lastModified": 1725201042,
+        "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f",
+        "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
         "type": "github"
       },
       "original": {

flake.nix

@@ -24,9 +24,11 @@
     nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
 
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
-    grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
+    grzegorz.inputs.nixpkgs.follows = "nixpkgs";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    minecraft-data.url = "git+https://git.pvv.ntnu.no/Drift/minecraft-data.git";
   };
 
   outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
@@ -37,8 +39,8 @@
       "aarch64-linux"
       "aarch64-darwin"
     ];
-    forAllSystems = f: nixlib.genAttrs systems (system: f system);
-    allMachines = nixlib.mapAttrsToList (name: _: name) self.nixosConfigurations;
+    forAllSystems = f: nixlib.genAttrs systems f;
+    allMachines = builtins.attrNames self.nixosConfigurations;
     importantMachines = [
       "bekkalokk"
       "bicep"
@@ -47,6 +49,8 @@
       "ildkule"
     ];
   in {
+    inherit inputs;
+
     nixosConfigurations = let
       unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
@@ -90,6 +94,7 @@
             heimdal = unstablePkgs.heimdal;
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+            bluemap = final.callPackage ./packages/bluemap.nix { };
           })
           inputs.nix-gitea-themes.overlays.default
           inputs.pvv-nettsiden.overlays.default
@@ -124,6 +129,11 @@
       buskerud = stableNixosConfig "buskerud" { };
     };
 
+    nixosModules = {
+      snakeoil-certs = ./modules/snakeoil-certs.nix;
+      snappymail = ./modules/snappymail.nix;
+    };
+
     devShells = forAllSystems (system: {
       default = nixpkgs.legacyPackages.${system}.callPackage ./shell.nix { };
     });

hosts/bekkalokk/configuration.nix

@@ -3,14 +3,16 @@
   imports = [
     ./hardware-configuration.nix
 
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
 
+    ./services/bluemap/default.nix
     ./services/gitea/default.nix
     ./services/idp-simplesamlphp
     ./services/kerberos
     ./services/mediawiki
     ./services/nginx.nix
+    ./services/phpfpm.nix
     ./services/vaultwarden.nix
     ./services/webmail
     ./services/website
@@ -31,6 +33,8 @@
     address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  services.btrfs.autoScrub.enable = true;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bekkalokk/services/bluemap/default.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, inputs, ... }:
+let
+  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
+in {
+  imports = [
+    ./module.nix # From danio, pending upstreaming
+  ];
+
+  disabledModules = [ "services/web-servers/bluemap.nix" ];
+
+  sops.secrets."bluemap/ssh-key" = { };
+  sops.secrets."bluemap/ssh-known-hosts" = { };
+
+  services.bluemap = {
+    enable = true;
+    eula = true;
+    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
+
+    host = "minecraft.pvv.ntnu.no";
+
+    maps = {
+      "verden" = {
+        settings = {
+          world = vanillaSurvival;
+          sorting = 0;
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.verden;
+        };
+      };
+      "underverden" = {
+        settings = {
+          world = "${vanillaSurvival}/DIM-1";
+          sorting = 100;
+          sky-color = "#290000";
+          void-color = "#150000";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          max-y = 90;
+          marker-sets = inputs.minecraft-data.map-markers.vanillaSurvival.underverden;
+        };
+      };
+      "enden" = {
+        settings = {
+          world = "${vanillaSurvival}/DIM1";
+          sorting = 200;
+          sky-color = "#080010";
+          void-color = "#080010";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
+    enableACME = true;
+    forceSSL = true;
+  };
+
+  # TODO: render somewhere else lmao
+  systemd.services."render-bluemap-maps" = {
+    preStart = ''
+      mkdir -p /var/lib/bluemap/world
+      ${pkgs.rsync}/bin/rsync \
+        -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" \
+        -avz --no-owner --no-group \
+        root@innovation.pvv.ntnu.no:/ \
+        ${vanillaSurvival}
+    '';
+    serviceConfig = {
+      LoadCredential = [
+        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
+      ];
+    };
+  };
+}

hosts/bekkalokk/services/bluemap/module.nix

@@ -0,0 +1,343 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.bluemap;
+  format = pkgs.formats.hocon { };
+
+  coreConfig = format.generate "core.conf" cfg.coreSettings;
+  webappConfig = format.generate "webapp.conf" cfg.webappSettings;
+  webserverConfig = format.generate "webserver.conf" cfg.webserverSettings;
+
+  storageFolder = pkgs.linkFarm "storage"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value))
+      cfg.storage);
+
+  mapsFolder = pkgs.linkFarm "maps"
+    (lib.attrsets.mapAttrs' (name: value:
+      lib.nameValuePair "${name}.conf"
+        (format.generate "${name}.conf" value.settings))
+      cfg.maps);
+
+  webappConfigFolder = pkgs.linkFarm "bluemap-config" {
+    "maps" = mapsFolder;
+    "storages" = storageFolder;
+    "core.conf" = coreConfig;
+    "webapp.conf" = webappConfig;
+    "webserver.conf" = webserverConfig;
+    "packs" = cfg.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
+  };
+
+  renderConfigFolder = name: value: pkgs.linkFarm "bluemap-${name}-config" {
+    "maps" = pkgs.linkFarm "maps" {
+      "${name}.conf" = (format.generate "${name}.conf" value.settings);
+    };
+    "storages" = storageFolder;
+    "core.conf" = coreConfig;
+    "webapp.conf" = format.generate "webapp.conf" (cfg.webappSettings // { "update-settings-file" = false; });
+    "webserver.conf" = webserverConfig;
+    "packs" = value.resourcepacks;
+    "addons" = cfg.resourcepacks; # TODO
+  };
+
+  inherit (lib) mkOption;
+in {
+  options.services.bluemap = {
+    enable = lib.mkEnableOption "bluemap";
+
+    eula = mkOption {
+      type = lib.types.bool;
+      description = ''
+        By changing this option to true you confirm that you own a copy of minecraft Java Edition,
+        and that you agree to minecrafts EULA.
+      '';
+      default = false;
+    };
+
+    defaultWorld = mkOption {
+      type = lib.types.path;
+      description = ''
+        The world used by the default map ruleset.
+        If you configure your own maps you do not need to set this.
+      '';
+      example = lib.literalExpression "\${config.services.minecraft.dataDir}/world";
+    };
+
+    enableRender = mkOption {
+      type = lib.types.bool;
+      description = "Enable rendering";
+      default = true;
+    };
+
+    webRoot = mkOption {
+      type = lib.types.path;
+      default = "/var/lib/bluemap/web";
+      description = "The directory for saving and serving the webapp and the maps";
+    };
+
+    enableNginx = mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Enable configuring a virtualHost for serving the bluemap webapp";
+    };
+
+    host = mkOption {
+      type = lib.types.str;
+      default = "bluemap.${config.networking.domain}";
+      defaultText = lib.literalExpression "bluemap.\${config.networking.domain}";
+      description = "Domain to configure nginx for";
+    };
+
+    onCalendar = mkOption {
+      type = lib.types.str;
+      description = ''
+        How often to trigger rendering the map,
+        in the format of a systemd timer onCalendar configuration.
+        See {manpage}`systemd.timer(5)`.
+      '';
+      default = "*-*-* 03:10:00";
+    };
+
+    coreSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          data = mkOption {
+            type = lib.types.path;
+            description = "Folder for where bluemap stores its data";
+            default = "/var/lib/bluemap";
+          };
+          metrics = lib.mkEnableOption "Sending usage metrics containing the version of bluemap in use";
+        };
+      };
+      description = "Settings for the core.conf file, [see upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/core.conf).";
+    };
+
+    webappSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+      };
+      default = {
+        enabled = true;
+        webroot = cfg.webRoot;
+      };
+      defaultText = lib.literalExpression ''
+        {
+          enabled = true;
+          webroot = config.services.bluemap.webRoot;
+        }
+      '';
+      description = "Settings for the webapp.conf file, see [upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webapp.conf).";
+    };
+
+    webserverSettings = mkOption {
+      type = lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          enabled = mkOption {
+            type = lib.types.bool;
+            description = ''
+              Enable bluemap's built-in webserver.
+              Disabled by default in nixos for use of nginx directly.
+            '';
+            default = false;
+          };
+        };
+      };
+      default = { };
+      description = ''
+        Settings for the webserver.conf file, usually not required.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/webserver.conf).
+      '';
+    };
+
+    maps = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        options = {
+          resourcepacks = mkOption {
+            type = lib.types.path;
+            default = cfg.resourcepacks;
+            defaultText = lib.literalExpression "config.services.bluemap.resourcepacks";
+            description = "A set of resourcepacks/mods to extract models from loaded in alphabetical order";
+          };
+          settings = mkOption {
+            type = (lib.types.submodule {
+              freeformType = format.type;
+              options = {
+                world = mkOption {
+                  type = lib.types.path;
+                  description = "Path to world folder containing the dimension to render";
+                };
+              };
+            });
+            description = ''
+              Settings for files in `maps/`.
+              See the default for an example with good options for the different world types.
+              For valid values [consult upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/blob/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/maps/map.conf).
+            '';
+          };
+        };
+      });
+      default = {
+        "overworld".settings = {
+          world = "${cfg.defaultWorld}";
+          ambient-light = 0.1;
+          cave-detection-ocean-floor = -5;
+        };
+
+        "nether".settings = {
+          world = "${cfg.defaultWorld}/DIM-1";
+          sorting = 100;
+          sky-color = "#290000";
+          void-color = "#150000";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+          cave-detection-uses-block-light = true;
+          max-y = 90;
+        };
+
+        "end".settings = {
+          world = "${cfg.defaultWorld}/DIM1";
+          sorting = 200;
+          sky-color = "#080010";
+          void-color = "#080010";
+          ambient-light = 0.6;
+          world-sky-light = 0;
+          remove-caves-below-y = -10000;
+          cave-detection-ocean-floor = -5;
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "overworld".settings = {
+            world = "''${cfg.defaultWorld}";
+            ambient-light = 0.1;
+            cave-detection-ocean-floor = -5;
+          };
+
+          "nether".settings = {
+            world = "''${cfg.defaultWorld}/DIM-1";
+            sorting = 100;
+            sky-color = "#290000";
+            void-color = "#150000";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+            cave-detection-uses-block-light = true;
+            max-y = 90;
+          };
+
+          "end".settings = {
+            world = "''${cfg.defaultWorld}/DIM1";
+            sorting = 200;
+            sky-color = "#080010";
+            void-color = "#080010";
+            ambient-light = 0.6;
+            world-sky-light = 0;
+            remove-caves-below-y = -10000;
+            cave-detection-ocean-floor = -5;
+          };
+        };
+      '';
+      description = ''
+        map-specific configuration.
+        These correspond to views in the webapp and are usually
+        different dimension of a world or different render settings of the same dimension.
+        If you set anything in this option you must configure all dimensions yourself!
+      '';
+    };
+
+    storage = mkOption {
+      type = lib.types.attrsOf (lib.types.submodule {
+        freeformType = format.type;
+        options = {
+          storage-type = mkOption {
+            type = lib.types.enum [ "FILE" "SQL" ];
+            description = "Type of storage config";
+            default = "FILE";
+          };
+        };
+      });
+      description = ''
+        Where the rendered map will be stored.
+        Unless you are doing something advanced you should probably leave this alone and configure webRoot instead.
+        [See upstream docs](https://github.com/BlueMap-Minecraft/BlueMap/tree/master/BlueMapCommon/src/main/resources/de/bluecolored/bluemap/config/storages)
+      '';
+      default = {
+        "file" = {
+          root = "${cfg.webRoot}/maps";
+        };
+      };
+      defaultText = lib.literalExpression ''
+        {
+          "file" = {
+            root = "''${config.services.bluemap.webRoot}/maps";
+          };
+        }
+      '';
+    };
+
+    resourcepacks = mkOption {
+      type = lib.types.path;
+      default = pkgs.linkFarm "resourcepacks" { };
+      description = ''
+        A set of resourcepacks/mods to extract models from loaded in alphabetical order.
+        Can be overriden on a per-map basis with `services.bluemap.maps.<name>.resourcepacks`.
+      '';
+    };
+  };
+
+
+  config = lib.mkIf cfg.enable {
+    assertions =
+      [ { assertion = config.services.bluemap.eula;
+          message = ''
+            You have enabled bluemap but have not accepted minecraft's EULA.
+            You can achieve this through setting `services.bluemap.eula = true`
+          '';
+        }
+      ];
+
+    services.bluemap.coreSettings.accept-download = cfg.eula;
+
+    systemd.services."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      serviceConfig = {
+        Type = "oneshot";
+        Group = "nginx";
+        UMask = "026";
+      };
+      script = lib.strings.concatStringsSep "\n" ((lib.attrsets.mapAttrsToList
+        (name: value: "${lib.getExe pkgs.bluemap} -c ${renderConfigFolder name value} -r")
+        cfg.maps) ++ [ "${lib.getExe pkgs.bluemap} -c ${webappConfigFolder} -gs" ]);
+    };
+
+    systemd.timers."render-bluemap-maps" = lib.mkIf cfg.enableRender {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnCalendar = cfg.onCalendar;
+        Persistent = true;
+        Unit = "render-bluemap-maps.service";
+      };
+    };
+
+    services.nginx.virtualHosts = lib.mkIf cfg.enableNginx {
+      "${cfg.host}" = {
+        root = config.services.bluemap.webRoot;
+        locations = {
+          "~* ^/maps/[^/]*/tiles/".extraConfig = ''
+            error_page 404 = @empty;
+          '';
+          "@empty".return = "204";
+        };
+      };
+    };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [ dandellion h7x4 ];
+  };
+}

hosts/bekkalokk/services/gitea/ci.nix

@@ -15,9 +15,9 @@ let
         enable = true;
         name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no";
         labels = [
-	  "debian-latest:docker://node:18-bullseye"
-	  "ubuntu-latest:docker://node:18-bullseye"
-	];
+          "debian-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:18-bullseye"
+        ];
         tokenFile = config.sops.secrets."gitea/runners/${name}".path;
       };
     };

hosts/bekkalokk/services/gitea/default.nix

@@ -6,7 +6,8 @@ let
 in {
   imports = [
     ./ci.nix
-    ./import-users.nix
+    ./import-users
+    ./web-secret-provider
   ];
 
   sops.secrets = {
@@ -58,6 +59,7 @@ in {
       service = {
         DISABLE_REGISTRATION = true;
         ENABLE_NOTIFY_MAIL = true;
+        AUTO_WATCH_NEW_REPOS = false;
       };
       admin.DEFAULT_EMAIL_NOTIFICATIONS = "onmention";
       session.COOKIE_SECURE = true;
@@ -135,10 +137,16 @@ in {
     script = let
       logo-svg = ../../../../assets/logo_blue_regular.svg;
       logo-png = ../../../../assets/logo_blue_regular.png;
+      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
+        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
+        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
+      '';
     in ''
       install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
       install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
       install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
     '';
   };
 }

hosts/bekkalokk/services/gitea/gitea-import-users.py

@@ -1,94 +0,0 @@
-import requests
-import secrets
-import os
-
-EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
-if EMAIL_DOMAIN is None:
-    EMAIL_DOMAIN = 'pvv.ntnu.no'
-
-API_TOKEN = os.getenv('API_TOKEN')
-if API_TOKEN is None:
-    raise Exception('API_TOKEN not set')
-
-GITEA_API_URL = os.getenv('GITEA_API_URL')
-if GITEA_API_URL is None:
-    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
-
-BANNED_SHELLS = [
-    "/usr/bin/nologin",
-    "/usr/sbin/nologin",
-    "/sbin/nologin",
-    "/bin/false",
-    "/bin/msgsh",
-]
-
-existing_users = {}
-
-
-# This function should only ever be called when adding users
-# from the passwd file
-def add_user(username, name):
-    user = {
-            "full_name": name,
-            "username": username,
-            "login_name": username,
-            "source_id": 1,  # 1 = SMTP
-    }
-
-    if username not in existing_users:
-        user["password"] = secrets.token_urlsafe(32)
-        user["must_change_password"] = False
-        user["visibility"] = "private"
-        user["email"] = username + '@' + EMAIL_DOMAIN
-
-        r = requests.post(GITEA_API_URL + '/admin/users', json=user,
-                          headers={'Authorization': 'token ' + API_TOKEN})
-        if r.status_code != 201:
-            print('ERR: Failed to create user ' + username + ': ' + r.text)
-            return
-
-        print('Created user ' + username)
-        existing_users[username] = user
-
-    else:
-        user["visibility"] = existing_users[username]["visibility"]
-        r = requests.patch(GITEA_API_URL + f'/admin/users/{username}',
-                           json=user,
-                           headers={'Authorization': 'token ' + API_TOKEN})
-        if r.status_code != 200:
-            print('ERR: Failed to update user ' + username + ': ' + r.text)
-            return
-
-        print('Updated user ' + username)
-
-
-def main():
-    # Fetch existing users
-    r = requests.get(GITEA_API_URL + '/admin/users',
-                     headers={'Authorization': 'token ' + API_TOKEN})
-
-    if r.status_code != 200:
-        raise Exception('Failed to get users: ' + r.text)
-
-    for user in r.json():
-        existing_users[user['login']] = user
-
-    # Read the file, add each user
-    with open("/tmp/passwd-import", 'r') as f:
-        for line in f.readlines():
-            uid = int(line.split(':')[2])
-            if uid < 1000:
-                continue
-
-            shell = line.split(':')[-1]
-            if shell in BANNED_SHELLS:
-                continue
-
-            username = line.split(':')[0]
-            name = line.split(':')[4].split(',')[0]
-
-            add_user(username, name)
-
-
-if __name__ == '__main__':
-    main()

hosts/bekkalokk/services/gitea/import-users/default.nix

@@ -14,6 +14,9 @@ in
     preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /tmp/passwd-import'';
     serviceConfig = {
       ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
+        flakeIgnore = [
+          "E501" # Line over 80 chars lol
+        ];
         libraries = with pkgs.python3Packages; [ requests ];
       } (builtins.readFile ./gitea-import-users.py);
       LoadCredential=[

hosts/bekkalokk/services/gitea/import-users/gitea-import-users.py

@@ -0,0 +1,198 @@
+import requests
+import secrets
+import os
+
+
+EMAIL_DOMAIN = os.getenv('EMAIL_DOMAIN')
+if EMAIL_DOMAIN is None:
+    EMAIL_DOMAIN = 'pvv.ntnu.no'
+
+
+API_TOKEN = os.getenv('API_TOKEN')
+if API_TOKEN is None:
+    raise Exception('API_TOKEN not set')
+
+
+GITEA_API_URL = os.getenv('GITEA_API_URL')
+if GITEA_API_URL is None:
+    GITEA_API_URL = 'https://git.pvv.ntnu.no/api/v1'
+
+
+def gitea_list_all_users() -> dict[str, dict[str, any]] | None:
+    r = requests.get(
+        GITEA_API_URL + '/admin/users',
+        headers={'Authorization': 'token ' + API_TOKEN}
+    )
+
+    if r.status_code != 200:
+        print('Failed to get users:', r.text)
+        return None
+
+    return {user['login']: user for user in r.json()}
+
+
+def gitea_create_user(username: str, userdata: dict[str, any]) -> bool:
+    r = requests.post(
+        GITEA_API_URL + '/admin/users',
+        json=userdata,
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 201:
+        print(f'ERR: Failed to create user {username}:', r.text)
+        return False
+
+    return True
+
+
+def gitea_edit_user(username: str, userdata: dict[str, any]) -> bool:
+    r = requests.patch(
+        GITEA_API_URL + f'/admin/users/{username}',
+        json=userdata,
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 200:
+        print(f'ERR: Failed to update user {username}:', r.text)
+        return False
+
+    return True
+
+
+def gitea_list_teams_for_organization(org: str) -> dict[str, any] | None:
+    r = requests.get(
+        GITEA_API_URL + f'/orgs/{org}/teams',
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 200:
+        print(f"ERR: Failed to list teams for {org}:", r.text)
+        return None
+
+    return {team['name']: team for team in r.json()}
+
+
+def gitea_add_user_to_organization_team(username: str, team_id: int) -> bool:
+    r = requests.put(
+        GITEA_API_URL + f'/teams/{team_id}/members/{username}',
+        headers={'Authorization': 'token ' + API_TOKEN},
+    )
+
+    if r.status_code != 204:
+        print(f'ERR: Failed to add user {username} to org team {team_id}:', r.text)
+        return False
+
+    return True
+
+
+# If a passwd user has one of the following shells,
+# it is most likely not a PVV user, but rather a system user.
+# Users with these shells should thus be ignored.
+BANNED_SHELLS = [
+    "/usr/bin/nologin",
+    "/usr/sbin/nologin",
+    "/sbin/nologin",
+    "/bin/false",
+    "/bin/msgsh",
+]
+
+
+# Reads out a passwd-file line for line, and filters out
+# real PVV users (as opposed to system users meant for daemons and such)
+def passwd_file_parser(passwd_path):
+    with open(passwd_path, 'r') as f:
+        for line in f.readlines():
+            uid = int(line.split(':')[2])
+            if uid < 1000:
+                continue
+
+            shell = line.split(':')[-1]
+            if shell in BANNED_SHELLS:
+                continue
+
+            username = line.split(':')[0]
+            name = line.split(':')[4].split(',')[0]
+            yield (username, name)
+
+
+# This function either creates a new user in gitea
+# and fills it out with some default information if
+# it does not exist, or ensures that the default information
+# is correct if the user already exists. All user information
+# (including non-default fields) is pulled from gitea and added
+# to the `existing_users` dict
+def add_or_patch_gitea_user(
+    username: str,
+    name: str,
+    existing_users: dict[str, dict[str, any]],
+) -> None:
+    user = {
+        "full_name": name,
+        "username": username,
+        "login_name": username,
+        "source_id": 1,  # 1 = SMTP
+    }
+
+    if username not in existing_users:
+        user["password"] = secrets.token_urlsafe(32)
+        user["must_change_password"] = False
+        user["visibility"] = "private"
+        user["email"] = username + '@' + EMAIL_DOMAIN
+
+        if not gitea_create_user(username, user):
+            return
+
+        print('Created user', username)
+        existing_users[username] = user
+
+    else:
+        user["visibility"] = existing_users[username]["visibility"]
+
+        if not gitea_edit_user(username, user):
+            return
+
+        print('Updated user', username)
+
+
+# This function adds a user to a gitea team (part of organization)
+# if the user is not already part of said team.
+def ensure_gitea_user_is_part_of_team(
+    username: str,
+    org: str,
+    team_name: str,
+) -> None:
+    teams = gitea_list_teams_for_organization(org)
+
+    if teams is None:
+        return
+
+    if team_name not in teams:
+        print(f'ERR: could not find team "{team_name}" in organization "{org}"')
+
+    gitea_add_user_to_organization_team(username, teams[team_name]['id'])
+
+    print(f'User {username} is now part of {org}/{team_name}')
+
+
+# List of teams that all users should be part of by default
+COMMON_USER_TEAMS = [
+    ("Projects", "Members"),
+    ("Kurs", "Members"),
+]
+
+
+def main():
+    existing_users = gitea_list_all_users()
+    if existing_users is None:
+        exit(1)
+
+    for username, name in passwd_file_parser("/tmp/passwd-import"):
+        print(f"Processing {username}")
+        add_or_patch_gitea_user(username, name, existing_users)
+        for org, team_name in COMMON_USER_TEAMS:
+            ensure_gitea_user_is_part_of_team(username, org, team_name)
+        print()
+
+
+if __name__ == '__main__':
+    main()

hosts/bekkalokk/services/gitea/web-secret-provider/default.nix

@@ -0,0 +1,114 @@
+{ config, pkgs, lib, ... }:
+let
+  organizations = [
+    "Drift"
+    "Projects"
+    "Kurs"
+  ];
+
+  giteaCfg = config.services.gitea;
+
+  giteaWebSecretProviderScript = pkgs.writers.writePython3 "gitea-web-secret-provider" {
+    libraries = with pkgs.python3Packages; [ requests ];
+    flakeIgnore = [
+      "E501" # Line over 80 chars lol
+      "E201" # "whitespace after {"
+      "E202" # "whitespace after }"
+      "E251" # unexpected spaces around keyword / parameter equals
+      "W391" # Newline at end of file
+    ];
+    makeWrapperArgs = [
+      "--prefix PATH : ${(lib.makeBinPath [ pkgs.openssh ])}"
+    ];
+  } (builtins.readFile ./gitea-web-secret-provider.py);
+in
+{
+  users.groups."gitea-web" = { };
+  users.users."gitea-web" = {
+    group = "gitea-web";
+    isSystemUser = true;
+  };
+
+  sops.secrets."gitea/web-secret-provider/token" = {
+    owner = "gitea-web";
+    group = "gitea-web";
+    restartUnits = [
+      "gitea-web-secret-provider@"
+    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
+  };
+
+  systemd.slices.system-giteaweb = {
+    description = "Gitea web directories";
+  };
+
+  # https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#Specifiers
+  # %i - instance name (after the @)
+  # %d - secrets directory
+  systemd.services."gitea-web-secret-provider@" = {
+    description = "Ensure all repos in %i has an SSH key to push web content";
+    requires = [ "gitea.service" "network.target" ];
+    serviceConfig = {
+      Slice = "system-giteaweb.slice";
+      Type = "oneshot";
+      ExecStart = let
+        args = lib.cli.toGNUCommandLineShell { } {
+          org = "%i";
+          token-path = "%d/token";
+          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
+          key-dir = "/var/lib/gitea-web/keys/%i";
+          authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
+          rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
+            ${lib.getExe pkgs.rrsync} -wo "$1"
+            ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
+          '';
+          web-dir = "/var/lib/gitea-web/web";
+        };
+      in "${giteaWebSecretProviderScript} ${args}";
+
+      User = "gitea-web";
+      Group = "gitea-web";
+
+      StateDirectory = "gitea-web";
+      StateDirectoryMode = "0750";
+      LoadCredential = [
+        "token:${config.sops.secrets."gitea/web-secret-provider/token".path}"
+      ];
+
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectSystem = true;
+      ProtectHome = true;
+      ProtectControlGroups = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      MemoryDenyWriteExecute = true;
+      LockPersonality = true;
+    };
+  };
+
+  systemd.timers."gitea-web-secret-provider@" = {
+    description = "Ensure all repos in %i has an SSH key to push web content";
+    timerConfig = {
+      RandomizedDelaySec = "1h";
+      Persistent = true;
+      Unit = "gitea-web-secret-provider@%i.service";
+      OnCalendar = "daily";
+    };
+  };
+
+  systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
+
+  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
+
+  users.users.nginx.extraGroups = [ "gitea-web" ];
+  services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
+    kTLS = true;
+    forceSSL = true;
+    enableACME = true;
+    root = "/var/lib/gitea-web/web";
+  };
+}

hosts/bekkalokk/services/gitea/web-secret-provider/gitea-web-secret-provider.py

@@ -0,0 +1,112 @@
+import argparse
+import hashlib
+import os
+import requests
+import subprocess
+from pathlib import Path
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(description="Generate SSH keys for Gitea repositories and add them as secrets")
+    parser.add_argument("--org", required=True, type=str, help="The organization to generate keys for")
+    parser.add_argument("--token-path", metavar='PATH', required=True, type=Path, help="Path to a file containing the Gitea API token")
+    parser.add_argument("--api-url", metavar='URL', type=str, help="The URL of the Gitea API", default="https://git.pvv.ntnu.no/api/v1")
+    parser.add_argument("--key-dir", metavar='PATH', type=Path, help="The directory to store the generated keys in", default="/run/gitea-web-secret-provider")
+    parser.add_argument("--authorized-keys-path", metavar='PATH', type=Path, help="The path to the resulting authorized_keys file", default="/etc/ssh/authorized_keys.d/gitea-web-secret-provider")
+    parser.add_argument("--rrsync-script", metavar='PATH', type=Path, help="The path to a rrsync script, taking the destination path as its single argument")
+    parser.add_argument("--web-dir", metavar='PATH', type=Path, help="The directory to sync the repositories to", default="/var/www")
+    parser.add_argument("--force", action="store_true", help="Overwrite existing keys")
+    return parser.parse_args()
+
+
+def add_secret(args: argparse.Namespace, token: str, repo: str, name: str, secret: str):
+    result = requests.put(
+        f"{args.api_url}/repos/{args.org}/{repo}/actions/secrets/{name}",
+        json = { 'data': secret },
+        headers = { 'Authorization': 'token ' + token },
+    )
+    if result.status_code not in (201, 204):
+        raise Exception(f"Failed to add secret: {result.json()}")
+
+
+def get_org_repo_list(args: argparse.Namespace, token: str):
+    result = requests.get(
+        f"{args.api_url}/orgs/{args.org}/repos",
+        headers = { 'Authorization': 'token ' + token },
+    )
+    return [repo["name"] for repo in result.json()]
+
+
+def generate_ssh_key(args: argparse.Namespace, repository: str):
+    keyname = hashlib.sha256(args.org.encode() + repository.encode()).hexdigest()
+    key_path = args.key_dir / keyname
+    if not key_path.is_file() or args.force:
+        subprocess.run(
+            [
+                "ssh-keygen",
+                *("-t", "ed25519"),
+                *("-f", key_path),
+                *("-N", ""),
+                *("-C", f"{args.org}/{repository}"),
+            ],
+            check=True,
+            stdin=subprocess.DEVNULL,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        )
+        print(f"Generated SSH key for `{args.org}/{repository}`")
+
+    with open(key_path, "r") as f:
+        private_key = f.read()
+
+    pub_key_path = args.key_dir / (keyname + '.pub')
+    with open(pub_key_path, "r") as f:
+        public_key = f.read()
+
+    return private_key, public_key
+
+
+SSH_OPTS = ",".join([
+    "restrict",
+    "no-agent-forwarding",
+    "no-port-forwarding",
+    "no-pty",
+    "no-X11-forwarding",
+])
+
+
+def generate_authorized_keys(args: argparse.Namespace, repo_public_keys: list[tuple[str, str]]):
+    lines = []
+    for repo, public_key in repo_public_keys:
+        command = f"{args.rrsync_script} {args.web_dir}/{args.org}/{repo}"
+        lines.append(f'command="{command}",{SSH_OPTS} {public_key}')
+
+    with open(args.authorized_keys_path, "w") as f:
+        f.writelines(lines)
+
+
+def main():
+    args = parse_args()
+
+    with open(args.token_path, "r") as f:
+        token = f.read().strip()
+
+    os.makedirs(args.key_dir, 0o700, exist_ok=True)
+    os.makedirs(args.authorized_keys_path.parent, 0o700, exist_ok=True)
+
+    repos = get_org_repo_list(args, token)
+    print(f'Found {len(repos)} repositories in `{args.org}`')
+
+    repo_public_keys = []
+    for repo in repos:
+        print(f"Locating key for `{args.org}/{repo}`")
+        private_key, public_key = generate_ssh_key(args, repo)
+        add_secret(args, token, repo, "WEB_SYNC_SSH_KEY", private_key)
+        repo_public_keys.append((repo, public_key))
+
+    generate_authorized_keys(args, repo_public_keys)
+    print(f"Wrote authorized_keys file to `{args.authorized_keys_path}`")
+
+
+if __name__ == "__main__":
+    main()

hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php

@@ -112,7 +112,7 @@ class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
             array_shift($groups);
             array_shift($groups);
             array_pop($groups);
-	    
+
             $info = posix_getpwnam($uid);
             $group = $info['gid'];
             if (!in_array($group, $groups)) {

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -58,7 +58,7 @@ $config = [
     /*
      * The following settings are *filesystem paths* which define where
      * SimpleSAMLphp can find or write the following things:
-     * - 'cachedir': Where SimpleSAMLphp can write its cache. 
+     * - 'cachedir': Where SimpleSAMLphp can write its cache.
      * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
      *                 handler other than `file`.
      * - 'datadir': Storage of general data.

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -22,78 +22,78 @@ let
       # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
       "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
         <?php
-	  $metadata['https://idp.pvv.ntnu.no/'] = array(
-	    'host' => '__DEFAULT__',
-	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
-	    'certificate' => '${./idp.crt}',
-	    'auth' => 'pwauth',
-	  );
-	?>
+        $metadata['https://idp.pvv.ntnu.no/'] = array(
+          'host' => '__DEFAULT__',
+          'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
+          'certificate' => '${./idp.crt}',
+          'auth' => 'pwauth',
+        );
+        ?>
       '';
 
       "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
         <?php
-	  ${ lib.pipe config.services.idp.sp-remote-metadata [
-             (map (url: ''
-               $metadata['${url}'] = [
-                   'SingleLogoutService' => [
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
-                       ],
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
-                           'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
-                       ],
-                   ],
-                   'AssertionConsumerService' => [
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
-                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
-                           'index' => 0,
-                       ],
-                       [
-                           'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
-                           'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
-                           'index' => 1,
-                       ],
-                   ],
-               ];
-	     ''))
-	     (lib.concatStringsSep "\n")
-	  ]}
-	?>
+          ${ lib.pipe config.services.idp.sp-remote-metadata [
+            (map (url: ''
+              $metadata['${url}'] = [
+                'SingleLogoutService' => [
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+                    'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                  ],
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
+                    'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
+                  ],
+                ],
+                'AssertionConsumerService' => [
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+                    'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                    'index' => 0,
+                  ],
+                  [
+                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
+                    'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
+                    'index' => 1,
+                  ],
+                ],
+              ];
+            ''))
+            (lib.concatStringsSep "\n")
+          ]}
+        ?>
       '';
 
       "config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
         <?php
           $config = array(
-	    'admin' => array(
-	      'core:AdminPassword'
-	    ),
+            'admin' => array(
+              'core:AdminPassword'
+            ),
             'pwauth' => array(
-               'authpwauth:PwAuth',
-               'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
-               'mail_domain' => '@pvv.ntnu.no',
+              'authpwauth:PwAuth',
+              'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
+              'mail_domain' => '@pvv.ntnu.no',
             ),
           );
-	?>
+        ?>
       '';
 
       "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
         cp ${./config.php} "$out"
 
         substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/idp'
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
@@ -108,7 +108,7 @@ in
       List of urls point to (simplesamlphp) service profiders, which the idp should trust.
 
       :::{.note}
-	Make sure the url ends with a `/`
+      Make sure the url ends with a `/`
       :::
     '';
   };
@@ -132,7 +132,7 @@ in
         owner = "idp";
         group = "idp";
       };
-    };  
+    };
 
     users.groups."idp" = { };
     users.users."idp" = {
@@ -199,9 +199,15 @@ in
           '';
         };
         "^~ /simplesaml/".extraConfig = ''
-	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
-	  return 404;
-	'';
+          rewrite ^/simplesaml/(.*)$ /$1 redirect;
+          return 404;
+        '';
+        "/robots.txt" = {
+          root = pkgs.writeTextDir "robots.txt" ''
+            User-agent: *
+            Disallow: /
+          '';
+        };
       };
     };
   };

hosts/bekkalokk/services/kerberos/pam.nix

@@ -879,15 +879,15 @@ let
 
   inherit (pkgs) pam_krb5 pam_ccreds;
 
-  use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
+  use_ldap = config.users.ldap.enable && config.users.ldap.loginPam;
   pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
 
   # Create a limits.conf(5) file.
   makeLimitsConf = limits:
     pkgs.writeText "limits.conf"
-       (concatMapStrings ({ domain, type, item, value }:
-         "${domain} ${type} ${item} ${toString value}\n")
-         limits);
+      (concatMapStrings ({ domain, type, item, value }:
+        "${domain} ${type} ${item} ${toString value}\n")
+        limits);
 
   limitsType = with lib.types; listOf (submodule ({ ... }: {
     options = {
@@ -935,8 +935,8 @@ let
   }));
 
   motd = if config.users.motdFile == null
-         then pkgs.writeText "motd" config.users.motd
-         else config.users.motdFile;
+    then pkgs.writeText "motd" config.users.motd
+    else config.users.motdFile;
 
   makePAMService = name: service:
     { name = "pam.d/${name}";
@@ -976,20 +976,20 @@ in
             item   = "maxlogins";
             value  = "4";
           }
-       ];
+        ];
 
-     description = lib.mdDoc ''
-       Define resource limits that should apply to users or groups.
-       Each item in the list should be an attribute set with a
-       {var}`domain`, {var}`type`,
-       {var}`item`, and {var}`value`
-       attribute.  The syntax and semantics of these attributes
-       must be that described in {manpage}`limits.conf(5)`.
+      description = lib.mdDoc ''
+        Define resource limits that should apply to users or groups.
+        Each item in the list should be an attribute set with a
+        {var}`domain`, {var}`type`,
+        {var}`item`, and {var}`value`
+        attribute.  The syntax and semantics of these attributes
+        must be that described in {manpage}`limits.conf(5)`.
 
-       Note that these limits do not apply to systemd services,
-       whose limits can be changed via {option}`systemd.extraConfig`
-       instead.
-     '';
+        Note that these limits do not apply to systemd services,
+        whose limits can be changed via {option}`systemd.extraConfig`
+        instead.
+      '';
     };
 
     security.pam.services = mkOption {
@@ -1507,10 +1507,10 @@ in
         runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
 
         /* FIXME: should runuser -l start a systemd session? Currently
-           it complains "Cannot create session: Already running in a
-           session". */
+            it complains "Cannot create session: Already running in a
+            session". */
         runuser-l = { rootOK = true; unixAuth = false; };
-      } // optionalAttrs (config.security.pam.enableFscrypt) {
+      } // optionalAttrs config.security.pam.enableFscrypt {
         # Allow fscrypt to verify login passphrase
         fscrypt = {};
       };

hosts/bekkalokk/services/mediawiki/default.nix

@@ -17,16 +17,16 @@
         cp ${./simplesaml-config.php} "$out"
 
         substituteInPlace "$out" \
-          --replace '$SAML_COOKIE_SECURE' 'true' \
-          --replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
-          --replace '$SAML_ADMIN_NAME' '"Drift"' \
-          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
-          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
-          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
-          --replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
+          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
+          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
+          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
+          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
+          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
+          --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
       '';
     };
   };
@@ -199,7 +199,7 @@ in {
         extraConfig = ''
           location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
             include ${pkgs.nginx}/conf/fastcgi_params;
-            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; 
+            fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
             fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
 
             # Must be prepended with the baseurlpath

hosts/bekkalokk/services/mediawiki/simplesaml-config.php

@@ -58,7 +58,7 @@ $config = [
     /*
      * The following settings are *filesystem paths* which define where
      * SimpleSAMLphp can find or write the following things:
-     * - 'cachedir': Where SimpleSAMLphp can write its cache. 
+     * - 'cachedir': Where SimpleSAMLphp can write its cache.
      * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
      *                 handler other than `file`.
      * - 'datadir': Storage of general data.

hosts/bekkalokk/services/phpfpm.nix

@@ -0,0 +1,51 @@
+{ lib, ... }:
+let
+  pools = map (pool: "phpfpm-${pool}") [
+    "idp"
+    "mediawiki"
+    "pvv-nettsiden"
+    "roundcube"
+    "snappymail"
+  ];
+in
+{
+  # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
+  systemd.services = lib.genAttrs pools (_: {
+    serviceConfig = let
+      caps = [
+        "CAP_NET_BIND_SERVICE"
+        "CAP_SETGID"
+        "CAP_SETUID"
+        "CAP_CHOWN"
+        "CAP_KILL"
+        "CAP_IPC_LOCK"
+        "CAP_DAC_OVERRIDE"
+      ];
+    in {
+      AmbientCapabilities = caps;
+      CapabilityBoundingSet = caps;
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      MemoryDenyWriteExecute = false;
+      NoNewPrivileges = true;
+      PrivateMounts = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      RemoveIPC = true;
+      UMask = "0077";
+      RestrictNamespaces = "~mnt";
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      KeyringMode = "private";
+      SystemCallFilter = [
+        "@system-service"
+      ];
+    };
+  });
+}

hosts/bekkalokk/services/vaultwarden.nix

@@ -65,4 +65,40 @@ in {
       proxyWebsockets = true;
     };
   };
+
+  systemd.services.vaultwarden = lib.mkIf cfg.enable {
+    serviceConfig = {
+      AmbientCapabilities = [ "" ];
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      # MemoryDenyWriteExecute = true;
+      PrivateMounts = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RemoveIPC = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [
+        "@system-service"
+        "~@privileged"
+      ];
+      UMask = "0007";
+    };
+  };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -4,7 +4,7 @@ with lib;
 let
   cfg = config.services.roundcube;
   domain = "webmail.pvv.ntnu.no";
-in 
+in
 {
   services.roundcube = {
     enable = true;

hosts/bekkalokk/services/website/default.nix

@@ -21,8 +21,8 @@ in {
   services.idp.sp-remote-metadata = [
     "https://www.pvv.ntnu.no/simplesaml/"
     "https://pvv.ntnu.no/simplesaml/"
-    "https://www.pvv.org/simplesaml/" 
-    "https://pvv.org/simplesaml/" 
+    "https://www.pvv.org/simplesaml/"
+    "https://pvv.org/simplesaml/"
   ];
 
   services.pvv-nettsiden = {
@@ -43,7 +43,7 @@ in {
                   'idp' => 'https://idp.pvv.ntnu.no/',
               ),
           );
-	'';
+        '';
       };
     };
 

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -46,7 +46,7 @@ in {
       while IFS= read fname; do
         # Skip this file if an up-to-date thumbnail already exists
         if [ -f ".thumbnails/$fname.png" ] && \
-           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
+          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
         then
           continue
         fi
@@ -54,7 +54,7 @@ in {
         echo "Creating thumbnail for $fname"
         mkdir -p $(dirname ".thumbnails/$fname")
         convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
-	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
+        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
       done <<< "$images"
     '';
 

hosts/bicep/acmeCert.nix

@@ -1,24 +0,0 @@
-{ values, ... }:
-{
-  users.groups.acme.members = [ "nginx" ];
-
-  security.acme.certs."postgres.pvv.ntnu.no" = {
-    group = "acme";
-    extraDomainNames = [
-      # "postgres.pvv.org"
-      "bicep.pvv.ntnu.no"
-      # "bicep.pvv.org"
-      # values.hosts.bicep.ipv4
-      # values.hosts.bicep.ipv6
-    ];
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."postgres.pvv.ntnu.no" = {
-      forceSSL = true;
-      enableACME = true;
-      # useACMEHost = "postgres.pvv.ntnu.no";
-    };
-  };
-}

hosts/bicep/configuration.nix

@@ -3,17 +3,14 @@
   imports = [
     ./hardware-configuration.nix
 
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
     ./services/nginx
 
-    ./acmeCert.nix
-
     ./services/mysql.nix
     ./services/postgres.nix
     ./services/mysql.nix
-    # TODO: fix the calendar bot
-    # ./services/calendar-bot.nix
+    ./services/calendar-bot.nix
 
     ./services/matrix
   ];
@@ -37,6 +34,9 @@
     anyInterface = true;
   };
 
+  # There are no smart devices
+  services.smartd.enable = false;
+
   # Do not change, even during upgrades.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";

hosts/bicep/services/calendar-bot.nix

@@ -2,11 +2,19 @@
 let
   cfg = config.services.pvv-calendar-bot;
 in {
-  sops.secrets."calendar-bot/matrix_token" = {
-    sopsFile = ../../../secrets/bicep/bicep.yaml;
-    key = "calendar-bot/matrix_token";
-    owner = cfg.user;
-    group = cfg.group;
+  sops.secrets = {
+    "calendar-bot/matrix_token" = {
+      sopsFile = ../../../secrets/bicep/bicep.yaml;
+      key = "calendar-bot/matrix_token";
+      owner = cfg.user;
+      group = cfg.group;
+    };
+    "calendar-bot/mysql_password" = {
+      sopsFile = ../../../secrets/bicep/bicep.yaml;
+      key = "calendar-bot/mysql_password";
+      owner = cfg.user;
+      group = cfg.group;
+    };
   };
 
   services.pvv-calendar-bot = {
@@ -18,6 +26,11 @@ in {
         user = "@bot_calendar:pvv.ntnu.no";
         channel = "!gkNLUIhYVpEyLatcRz:pvv.ntnu.no";
       };
+      database = {
+        host = "mysql.pvv.ntnu.no";
+        user = "calendar-bot";
+        passwordFile = config.sops.secrets."calendar-bot/mysql_password".path;
+      };
       secretsFile = config.sops.secrets."calendar-bot/matrix_token".path;
       onCalendar = "*-*-* 09:00:00";
     };

hosts/bicep/services/matrix/coturn.nix

@@ -26,7 +26,7 @@
 
         "turns:turn.pvv.ntnu.no:5349?transport=tcp"
         "turns:turn.pvv.ntnu.no:5349?transport=udp"
-        
+
         "turns:turn.pvv.ntnu.no:3478?transport=udp"
         "turns:turn.pvv.ntnu.no:3478?transport=tcp"
         "turn:turn.pvv.ntnu.no:3478?transport=udp"
@@ -69,7 +69,7 @@
 
     tls-listening-port = 443;
     alt-tls-listening-port = 5349;
- 
+
     listening-port = 3478;
 
     min-port = 49000;
@@ -116,7 +116,7 @@
       #total-quota=1200
     '';
   };
-  
+
   networking.firewall = {
     interfaces.enp6s0f0 = let
       range = with config.services.coturn; [ {

hosts/bicep/services/matrix/default.nix

@@ -12,6 +12,6 @@
     ./discord.nix
   ];
 
-  
+
 
 }

hosts/bicep/services/matrix/mjolnir.nix

@@ -11,7 +11,7 @@
   services.mjolnir = {
     enable = true;
     pantalaimon.enable = false;
-    homeserverUrl = http://127.0.0.1:8008;
+    homeserverUrl = "https://matrix.pvv.ntnu.no";
     accessTokenFile = config.sops.secrets."matrix/mjolnir/access_token".path;
     managementRoom = "!gsdeCoWjvYRBrzuiRq:pvv.ntnu.no";
     protectedRooms = map (a: "https://matrix.to/#/${a}") [

hosts/bicep/services/matrix/synapse.nix

@@ -141,12 +141,12 @@ in {
 
 
   services.redis.servers."".enable = true;
-  
+
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
+  {
     kTLS = true;
-  })
-  ({
+  }
+  {
     locations."/.well-known/matrix/server" = {
       return = ''
         200 '{"m.server": "matrix.pvv.ntnu.no:443"}'
@@ -156,16 +156,28 @@ in {
         add_header Access-Control-Allow-Origin *;
       '';
     };
-  })
-  ({
+  }
+  {
+    locations."/_synapse/admin" = {
+      proxyPass = "http://$synapse_backend";
+      extraConfig = ''
+        allow 127.0.0.1;
+        allow ::1;
+        allow ${values.hosts.bicep.ipv4};
+        allow ${values.hosts.bicep.ipv6};
+        deny all;
+      '';
+    };
+  }
+  {
     locations = let
       connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString (c.port)}";
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
 
       metricsPath = w: "/metrics/${w.type}/${toString w.index}";
       proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
     in lib.mapAttrs' (n: v: lib.nameValuePair
-      (metricsPath v) ({
+      (metricsPath v) {
         proxyPass = proxyPath v;
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
@@ -174,10 +186,10 @@ in {
           allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
-      }))
+      })
       cfg.workers.instances;
-  })
-  ({
+  }
+  {
     locations."/metrics/master/1" = {
       proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
       extraConfig = ''
@@ -202,5 +214,5 @@ in {
             labels = { };
           }]) + "/";
     };
-  })];
+  }];
 }

hosts/bicep/services/mysql.nix

@@ -15,12 +15,12 @@
       mysqld = {
         # PVV allows a lot of connections at the same time
         max_connect_errors = 10000;
-	bind-address = values.services.mysql.ipv4;
-	skip-networking = 0;
+        bind-address = values.services.mysql.ipv4;
+        skip-networking = 0;
 
-	# This was needed in order to be able to use all of the old users
-	# during migration from knakelibrak to bicep in Sep. 2023
-	secure_auth = 0;
+        # This was needed in order to be able to use all of the old users
+        # during migration from knakelibrak to bicep in Sep. 2023
+        secure_auth = 0;
       };
     };
 

hosts/bicep/services/postgres.nix

@@ -1,7 +1,4 @@
 { config, pkgs, ... }:
-let
-  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
-in
 {
   services.postgresql = {
     enable = true;
@@ -79,12 +76,16 @@ in
 
   systemd.services.postgresql.serviceConfig = {
     LoadCredential = [
-      "cert:${sslCert.directory}/cert.pem"
-      "key:${sslCert.directory}/key.pem"
+      "cert:/etc/certs/postgres.crt"
+      "key:/etc/certs/postgres.key"
     ];
   };
 
-  users.groups.acme.members = [ "postgres" ];
+  environment.snakeoil-certs."/etc/certs/postgres" = {
+    owner = "postgres";
+    group = "postgres";
+    subject = "/C=NO/O=Programvareverkstedet/CN=postgres.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+  };
 
   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];

hosts/bikkje/configuration.nix

@@ -35,10 +35,10 @@
         # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
         useHostResolvConf = mkForce false;
       };
-      
+
       system.stateVersion = "23.11";
       services.resolved.enable = true;
     };
   };
 
-};
+};

hosts/bob/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
       ./disks.nix
 

hosts/brzeczyszczykiewicz/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ./services/grzegorz.nix

hosts/buskerud/configuration.nix

@@ -2,7 +2,7 @@
 {
   imports = [
     ./hardware-configuration.nix
-    ../../base.nix
+    ../../base
     ../../misc/metrics-exporters.nix
 
     ./services/libvirt.nix

hosts/georg/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ../../modules/grzegorz.nix

hosts/ildkule/configuration.nix

@@ -1,9 +1,9 @@
-{ config, pkgs, values, ... }:
+{ config, pkgs, lib, values, ... }:
 {
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
 
       ./services/monitoring
@@ -19,17 +19,37 @@
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
 
-  networking.hostName = "ildkule"; # Define your hostname.
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "en*";
-    DHCP = "yes";
-    gateway = [ ];
+  # Openstack Neutron and systemd-networkd are not best friends, use something else:
+  systemd.network.enable = lib.mkForce false;
+  networking = let
+    hostConf = values.hosts.ildkule;
+  in {
+    hostName = "ildkule";
+    tempAddresses = "disabled";
+    useDHCP = lib.mkForce true;
+
+    search = values.defaultNetworkConfig.domains;
+    nameservers = values.defaultNetworkConfig.dns;
+    defaultGateway.address = hostConf.ipv4_internal_gw;
+
+    interfaces."ens4" = {
+      ipv4.addresses = [
+        { address = hostConf.ipv4;          prefixLength = 32; }
+        { address = hostConf.ipv4_internal; prefixLength = 24; }
+      ];
+      ipv6.addresses = [
+        { address = hostConf.ipv6;          prefixLength = 64; }
+      ];
+    };
   };
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
+  # No devices with SMART
+  services.smartd.enable = false;
+
   system.stateVersion = "23.11"; # Did you read the comment?
 
 }

hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json

@@ -23187,4 +23187,4 @@
   "uid": "rYdddlPWk",
   "version": 9,
   "weekStart": ""
-}
+}

hosts/ildkule/services/monitoring/dashboards/postgres.json

@@ -3164,4 +3164,4 @@
   "title": "PostgreSQL Database",
   "uid": "000000039",
   "version": 1
-}
+}

hosts/ildkule/services/monitoring/grafana.nix

@@ -34,13 +34,13 @@ in {
         {
           name = "Ildkule Prometheus";
           type = "prometheus";
-          url = ("http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}");
-         isDefault = true;
+          url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
+          isDefault = true;
         }
         {
           name = "Ildkule loki";
           type = "loki";
-          url = ("http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}");
+          url = "http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}";
         }
       ];
       dashboards.settings.providers = [
@@ -56,13 +56,13 @@ in {
           url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json";
           options.path = dashboards/synapse.json;
         }
-	# TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
-	# {
-	#   name = "MySQL";
-	#   type = "file";
-	#   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
-	#   options.path = dashboards/mysql.json;
-	# }
+        # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged
+        # {
+        #   name = "MySQL";
+        #   type = "file";
+        #   url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json";
+        #   options.path = dashboards/mysql.json;
+        # }
         {
           name = "Postgresql";
           type = "file";

hosts/ildkule/services/monitoring/loki.nix

@@ -58,7 +58,7 @@ in {
       };
 
       limits_config = {
-	allow_structured_metadata = false;
+        allow_structured_metadata = false;
         reject_old_samples = true;
         reject_old_samples_max_age = "72h";
       };

hosts/ildkule/services/monitoring/prometheus/default.nix

@@ -6,6 +6,7 @@
     # ./mysqld.nix
     ./node.nix
     ./postgres.nix
+    ./systemd.nix
   ];
 
   services.prometheus = {

hosts/ildkule/services/monitoring/prometheus/postgres.nix

@@ -38,7 +38,7 @@ in {
   };
 
   systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
-    localCfg = config.services.prometheus.exporters.postgres; 
+    localCfg = config.services.prometheus.exporters.postgres;
   in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
       EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
       ExecStart = ''

hosts/ildkule/services/monitoring/prometheus/systemd.nix

@@ -0,0 +1,18 @@
+{ config, ... }: let
+  cfg = config.services.prometheus;
+in {
+  services.prometheus.scrapeConfigs = [{
+    job_name = "systemd";
+    static_configs = [
+      {
+        targets = [
+          "ildkule.pvv.ntnu.no:${toString cfg.exporters.node.port}"
+          "bicep.pvv.ntnu.no:9101"
+          "bekkalokk.pvv.ntnu.no:9101"
+          "brzeczyszczykiewicz.pvv.ntnu.no:9101"
+          "georg.pvv.ntnu.no:9101"
+        ];
+      }
+    ];
+  }];
+}

hosts/shark/configuration.nix

@@ -3,7 +3,7 @@
   imports = [
       # Include the results of the hardware scan.
       ./hardware-configuration.nix
-      ../../base.nix
+      ../../base
       ../../misc/metrics-exporters.nix
     ];
 

justfile

@@ -0,0 +1,25 @@
+export GUM_FILTER_HEIGHT := "15"
+nom := `if command -v nom >/dev/null; then echo nom; else echo nix; fi`
+
+@_default:
+  just "$(gum choose --ordered --header "Pick a recipie..." $(just --summary --unsorted))"
+
+check:
+  nix flake check --keep-going
+
+build-machine machine=`just _a_machine`:
+  {{nom}} build .#nixosConfigurations.{{ machine }}.config.system.build.toplevel
+
+run-vm machine=`just _a_machine`:
+  nixos-rebuild build-vm --flake .#{{ machine }}
+  QEMU_NET_OPTS="hostfwd=tcp::8080-:80,hostfwd=tcp::8081-:443,hostfwd=tcp::2222-:22" ./result/bin/run-*-vm
+
+@update-inputs:
+  nix eval .#inputs --apply builtins.attrNames --json \
+    | jq '.[]' -r \
+    | gum choose --no-limit --height=15 \
+    | xargs -L 1 nix flake lock --update-input
+
+
+_a_machine:
+  nix eval .#nixosConfigurations --apply builtins.attrNames --json | jq .[] -r | gum filter

misc/metrics-exporters.nix

@@ -14,13 +14,33 @@
       "::1"
       values.hosts.ildkule.ipv4
       values.hosts.ildkule.ipv6
-      values.hosts.ildkule.ipv4_global
-      values.hosts.ildkule.ipv6_global
     ];
   };
 
 
-  networking.firewall.allowedTCPPorts = [ 9100 ];
+  services.prometheus.exporters.systemd = {
+    enable = true;
+    port = 9101;
+    extraFlags = [
+      "--systemd.collector.enable-restart-count"
+      "--systemd.collector.enable-ip-accounting"
+    ];
+  };
+
+  systemd.services.prometheus-systemd-exporter.serviceConfig = {
+    IPAddressDeny = "any";
+    IPAddressAllow = [
+      "127.0.0.1"
+      "::1"
+      values.hosts.ildkule.ipv4
+      values.hosts.ildkule.ipv6
+      values.hosts.ildkule.ipv4_global
+      values.hosts.ildkule.ipv6_global
+    ];
+  };
+  
+
+  networking.firewall.allowedTCPPorts = [ 9100 9101 ];
 
   services.promtail = {
     enable = true;

misc/rust-motd.nix

@@ -32,7 +32,7 @@
             color = "red";
             command = "hostname | ${pkgs.toilet}/bin/toilet -f mono9";
           };
-          
+
           service_status = {
             Accounts = "accounts-daemon";
             Cron = "cron";
@@ -40,16 +40,16 @@
             Matrix = "matrix-synapse";
             sshd = "sshd";
           };
-          
+
           uptime = {
             prefix = "Uptime: ";
           };
-          
+
           # Not relevant for server
           # user_service_status = {
           #   Gpg-agent = "gpg-agent";
           # };
-          
+
           filesystems = let
             inherit (lib.attrsets) attrNames listToAttrs nameValuePair;
             inherit (lib.lists) imap1;
@@ -61,7 +61,7 @@
             getName = i: v: if (v.label != null) then v.label else "<? ${toString i}>";
           in
             imap1Attrs' (i: n: v: nameValuePair (getName i v) n) fileSystems;
-          
+
           memory = {
             swap_pos = "beside"; # or "below" or "none"
           };
@@ -70,14 +70,14 @@
             inherit (lib.lists) imap1;
             inherit (lib.attrsets) filterAttrs nameValuePair attrValues listToAttrs;
             inherit (config.users) users;
-            
+
             normalUsers = filterAttrs (n: v: v.isNormalUser || n == "root") users;
             userNPVs = imap1 (index: user: nameValuePair user.name index) (attrValues normalUsers);
           in listToAttrs userNPVs;
 
           last_run = {};
         };
-      
+
         toml = pkgs.formats.toml {};
 
       in toml.generate "rust-motd.toml" cfg;

modules/snakeoil-certs.nix

@@ -36,10 +36,10 @@ in
           type = lib.types.str;
           default = "${name}.key";
         };
-	subject = lib.mkOption {
-	  type = lib.types.str;
-	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
-	};
+        subject = lib.mkOption {
+          type = lib.types.str;
+          default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
+        };
       };
     }));
   };
@@ -50,25 +50,27 @@ in
       serviceConfig.Type = "oneshot";
       script = let
         openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
+      in lib.concatMapStringsSep "\n" ({ name, value }: ''
         mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
         if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
         then
-           echo "Regenerating '${value.certificate}'"
-           ${openssl} req \
-             -newkey rsa:4096 \
-             -new -x509 \
-             -days "${toString value.daysValid}" \
-             -nodes \
-             -subj "${value.subject}" \
-             -out "${value.certificate}" \
-             -keyout "${value.certificateKey}" \
-             ${lib.escapeShellArgs value.extraOpenSSLArgs}
+          echo "Regenerating '${value.certificate}'"
+          ${openssl} req \
+            -newkey rsa:4096 \
+            -new -x509 \
+            -days "${toString value.daysValid}" \
+            -nodes \
+            -subj "${value.subject}" \
+            -out "${value.certificate}" \
+            -keyout "${value.certificateKey}" \
+            ${lib.escapeShellArgs value.extraOpenSSLArgs}
         fi
         chown "${value.owner}:${value.group}" "${value.certificate}"
         chown "${value.owner}:${value.group}" "${value.certificateKey}"
         chmod "${value.mode}" "${value.certificate}"
         chmod "${value.mode}" "${value.certificateKey}"
+
+        echo "\n-----------------\n"
       '') (lib.attrsToList cfg);
     };
     systemd.timers."generate-snakeoil-certs" = {

packages/bluemap.nix

@@ -0,0 +1,30 @@
+{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
+
+stdenvNoCC.mkDerivation rec {
+  pname = "bluemap";
+  version = "5.2";
+
+  src = fetchurl {
+    url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
+    hash = "sha256-4vld+NBwzBxdwbMtsKuqvO6immkbh4HB//6wdjXaxoU=";
+  };
+
+  dontUnpack = true;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    runHook preInstall
+    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "3D minecraft map renderer";
+    homepage = "https://bluemap.bluecolored.de/";
+    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
+    license = lib.licenses.mit;
+    maintainers = with lib.maintainers; [ dandellion ];
+    mainProgram = "bluemap";
+  };
+}

packages/simplesamlphp/default.nix

@@ -29,7 +29,7 @@ php.buildComposerProject rec {
       mkdir -p $(dirname "${target_path}")
       cp -r "${source_path}" "${target_path}"
     ''))
-    (lib.concatStringsSep "\n")
+    lib.concatLines
   ];
 
   postInstall = ''

secrets/bekkalokk/bekkalokk.yaml

@@ -1,10 +1,12 @@
 gitea:
+    web-secret-provider:
+        token: ENC[AES256_GCM,data:pHmBKxrNcLifl4sjR44AGEElfdachja35Tl/InsqvBWturaeTv4R0w==,iv:emBWfXQs2VNqtpDp5iA5swNC+24AWDYYXo6nvN+Fwx4=,tag:lkhSVSs6IqhHpfDPOX0wQA==,type:str]
     password: ENC[AES256_GCM,data:hlNzdU1ope0t50/3aztyLeXjMHd2vFPpwURX+Iu8f49DOqgSnEMtV+KtLA==,iv:qljRnSnchL5cFmaUAfCH9GQYQxcy5cyWejgk1x6bFgI=,tag:tIhboFU5kZsj5oAQR3hLbw==,type:str]
     database: ENC[AES256_GCM,data:UlS33IdCEyeSvT6ngpmnkBWHuSEqsB//DT+3b7C+UwbD8UXWJlsLf1X8/w==,iv:mPRW5ldyZaHP+y/0vC2JGSLZmlkhgmkvXPk4LazkSDs=,tag:gGk6Z/nbPvzE1zG+tJC8Sw==,type:str]
     email-password: ENC[AES256_GCM,data:KRwC+aL1aPvJuXt91Oq1ttATMnFTnuUy,iv:ats8TygB/2pORkaTZzPOLufZ9UmvVAKoRcWNvYF1z6w=,tag:Do0fA+4cZ3+l7JJyu8hjBg==,type:str]
     passwd-ssh-key: ENC[AES256_GCM,data:L0lF0wvpayss1NU9m3A45cH0bCMQzODTFVrq6EPd1JHx54wIcoaRBYLmxXKXASzBlCg9zlwXMUIk3OQcS3kdzMKL0iqcSL2iicAcKjFIHyrWLqXgwV5pRSP/tRPcVw8KW8gz0bh33EgESs5ReddZ3VZ0Cy1s2YupMRQvBXr89k1+Hv70OWB6P06hvxhv/zKcMGI1N/dWLroMgrQuT9imw4+/Q1RqwzTYeEU+eUn24AM9GjcBg4qf3OI+6g0nXUat/upIYE28iF5J3lbUSmDSmirBLc8xgHLdOyyJPTObWYWYxlSL78T7IqiMm9lI3rtBlpJDDcn/YxZpVqN5bg2154GISNK+uR0TVSLdJ+drdGHIfIX3G78XSxf2L9rbJyRn8MQlgStfdBIQicLavQKVMrmj+XQfvEMez23WbPLjH4oViBQFI+GrOHOGy/f16cz8Sn4n+69OcsOeTxs3tKYdfq6r1XLYSJ/fe/zvxBpaZiyGXljsuyEdIyBL2A8D6uSXe3Nd3/DAdBtceFfIdN1olCdutixzVWgxaJnrel161z5A/4w=,iv:Uy46yY3jFYSvpxrgCHxRMUksnWfhf5DViLMvCXVMMl4=,tag:wFEJ5+icFrOKkc56gY0A5g==,type:str]
     ssh-known-hosts: ENC[AES256_GCM,data:zlRLoelQeumMxGqPmgMTB69X1RVWXIs2jWwc67lk0wrdNOHUs5UzV5TUA1JnQ43RslBU92+js7DkyvE5enGzw7zZE5F1ZYdGv/eCgvkTMC9BoLfzHzP6OzayPLYEt3xJ5PRocN8JUAD55cuu4LgsuebuydHPi2oWOfpbSUBKSeCh6dvk5Pp1XRDprPS5SzGLW8Xjq98QlzmfGv50meI9CDJZVF9Wq/72gkyfgtb3YVdr,iv:AF06TBitHegfWk6w07CdkHklh4ripQCmA45vswDQgss=,tag:zKh7WVXMJN2o9ZIwIkby3Q==,type:str]
-    import-user-env: ENC[AES256_GCM,data:vfaqjGEnUM9VtOPvBurz7nFwzGZt3L2EqijrQej4wiOcGCrRA4tN6kBV6NmhHqlFPsw=,iv:viPGkyOOacCWcgTu25da4qH7DC4wz2qdeC1W2WcMUdI=,tag:BllNqGQoaxqUo3lTz9LGnw==,type:str]
+    import-user-env: ENC[AES256_GCM,data:wArFwTd0ZoB4VXHPpichfnmykxGxN8y2EQsMgOPHv7zsm6A+m2rG9BWDGskQPr5Ns9o=,iv:gPUzYFSNoALJb1N0dsbNlgHIb7+xG7E9ANpmVNZURQ0=,tag:JghfRy2OcDFWKS9zX1XJ9A==,type:str]
     runners:
         alpha: ENC[AES256_GCM,data:gARxCufePz+EMVwEwRsL2iZUfh9HUowWqtb7Juz3fImeeAdbt+k3DvL/Nwgegg==,iv:3fEaWd7v7uLGTy2J7EFQGfN0ztI0uCOJRz5Mw8V5UOU=,tag:Aa6LwWeW2hfDz1SqEhUJpA==,type:str]
         beta: ENC[AES256_GCM,data:DVjS78IKWiWgf+PuijCZKx4ZaEJGhQr7vl+lc7QOg1JlA4p9Kux/tOD8+f2+jA==,iv:tk3Xk7lKWNdZ035+QVIhxXy2iJbHwunI4jRFM4It46E=,tag:9Mr6o//svYEyYhSvzkOXMg==,type:str]
@@ -30,6 +32,9 @@ nettsiden:
         admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 vaultwarden:
     environ: ENC[AES256_GCM,data:CST5I8x8qAkrTy/wbMLL6aFSPDPIU7aWsD1L1MnIATRmk7fcUhfTSFds7quJmIpb2znsIT/WxNI/V/7UW+9ZdPKI64hfPR8MtvrJcbOhU5Fe2IiytFymFbhcOgWAXjbGzs7knQmpfMxSl98sU71oLkRuFdkousdnh4VQFZhUCYM=,iv:Is6xQ7DGdcAQgrrXCS9NbJk67O2uR82rbKOXBTzZHWw=,tag:XVEjCEM5t8qJl6jL89zrkw==,type:str]
+bluemap:
+    ssh-key: ENC[AES256_GCM,data:nPwsT4RYbMbGp2MChLUh6NXW4ckYr7SQcd6Gy2G8CEU+ugew5pt4d6GOK1fyekspDtet3EkPL2F1AsoPFBB2Rv0boARMslAhBqwWSsbBJTXeTEgAABSMxTPJRBtfJucvv426nyIj3uApoknz6mDCQh1OI6mER0fis7MPaM1506HlDlnIT0FV9EairEsaAmbd0yddByGJSccKIza2vW0qWqrz83P+xrakEONxFz0fJlkO5PRXCcQJVBCqWQfnaHNrWeBWv0QA7vAHlT0yjqJCpDRxN2KYrPWsz7sUbB4UZOtykCRM5kKFq73GUaOKqVECJQhcJi6tERhpJELwjjS8MSqvBD90UTKTshGugfuygTaOyUx4wou3atxMR2Rah9+uZ6mBrLAOLX3JKiAtyhFewPMWjd/UhbMPuzNageVBNz2EMpa4POSVwz5MyViKNSgr9cPcNGqmrnjvr/W/lnj6Ec+W80RiXQlADSE4Q6diLLwB9nlHvKs8NTDgv6sUafcPHpJ2+N4Jkb96dE14bMffQ385SI4vLDcQ8xCQ,iv:WdJIHRzjlm8bEldolCx1Q7pZJvjxGkNZALSOy3IjizU=,tag:5ZAikiqttq/76+thG+4LMw==,type:str]
+    ssh-known-hosts: ENC[AES256_GCM,data:J6V+NJ9TvYUL2gmcqWWYt8X+n0M7i0RpDpBelWAbFMH64+e9ztHNnC491sm+RogDxqKk0kwQyX2Mz00iq3Gc3wDYyozGOdv3tBKrp7/LcfjUQ9T9hi0yTD3eNV0LAjlAWMTdlW65VGHqGst8ncKbUuVxbBASVlh3A321toZgD+xxUAtNz7qKFa6fDbOS0xLD1+CmTwVp+aPos//QIKzjuk1HqxfBNK82maKtD4JHPS+Y3be2wIEjGWq3H6JYN/RDojD88D/jzo9RwvEjpqLXoOVfy8uX/fbEsgkgfAmPiaG+ePCnchSExEe3a6Y0E+I6YIzvP+tGThJpu4HaT/yW2Rww/jvsxKrXSUhtBZI/SIX5ZAIFB3sFjJXQefJjfNpQTQWhbspLfdemafGaRiDnzVgKDhNL1HNMNsXKDfWa0SLs4//dqerom/QCCNsaqV+4HVzv5x44srChGERadQI/Wh4UG2R19xxbdyIsKPHzv7BhEKufJkjc5upBjWygQrGAkTRHugFpw2Tdkz9yUQSujMkaeRKhVkA+ZUAjwnY5TwqNZBj7U3K2JXoNVHAq194XmrA2dNghh0OmRrvKGwM3HKexX22SXT0bPlpdWRQpMbUgV+uHLMerlDpNMFTIueEBkaF/FWeSW2N5WUrUb1uJ91QcJ8JBgN1riuD1Oxv9RRPrY9VVNJMrYjpAAREN8i8brMTOCJ35s7jnqIei0dNmnNXOoQZPs9kUMeEtUc/Df1E8/aO2Y4yU9gHUuevXnAJWFAiu2IxssgPk6CcNxvapJEmlwkLK/JyuDsWwFxVOHfw5QIEsoDVWXt6eMhquqUgzJI1q7QrTWUQsBb5A5sQKYWQHempOaXuQn1bzA7mU3Gzsr8bNNc6tpy+6j3zTXYR067EX00yqPG+kqRn4QVIuhByxXP3cwXLUG9uD1lsqWrGzs6WCnHr7txhRBXf4WbBVmXModO3uf36cDYEwrUa6yBsARtSl8PJ0UadfY/xULcT5PFvu9+Hi2qj3vp4IU3JCJa9AvXB+11pbSdawprjuDhwQtPwkJ4CQyvZsom3/BOrmwYM5+EyMDIluEQ0z6eDE5buiIVbX6IvXnDCKbrnqVwavX2wqyiDduFLjRfWL/3U2O1yRim78smrDMJABJZvtW+a+GfmlnTd/gnFvS70Fmm/lgtY051ISL/iFx6toJRoBMMiI/Zvy13uQry+w/HbyFl42DIank8tf7kuN3E9M7ADGMubRJJ0AZOcQddrFnR4Gl2nU2+3RS5fLHaBf9QHK6W92/n//xmPkYqrkPacew4eBjUqM32jVGuBpDc964fK9kdtIdw8q5P1s/ph3I79Y24kGeuO1AVJuZvkaTv1Z7GgI9+K9TstKJ9XpRCidLpLSP+uHOWkqcNsQlt6ilTlfHj+MKoD85dKZ315QMmpiuYEvzCSP1aYTb9dpd61Su/IVuM3r2NuINNEZ166YlHQVsLNpDn8E5ahk3ZInOAg6/kaKTmjUI8KEvX4BR3PbbViAlJJb3suJ0oZBGPUlrW5uLRmADvf2mMDVO5zY7/m9DQwxjt4Miu0l8ZaUc0YJQ850lBKucQ==,iv:GI8w7h7xX8gMHuAoWUyrW+BQb85LNlASoYvGBPlCZaI=,tag:WnHNMevfFSMc0ikBZwWn/g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -39,53 +44,79 @@ sops:
         - recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbDc0NXZqYko1Z25qYkhq
-            T2p4cGZ1bTZRS25YdjJ0K3JhSklCT1NwSHhzCi9MVnM2YTRuUERwTVlaM2lxNEtp
-            Mk9hcDREcTErZXJtSEI0aE1PV2NDV1EKLS0tIDY2MEN6a3NWb3JpeU5JVkhoOFVR
-            MjVqdHg0SnF5N3VEV2U4a2dvbTZjem8K8J6KQMJwpiC8gqlgi29x3dpSORAmuVQ6
-            cX5jXggOoz5vME6BMQ3s/bglZG2pdEgWpGZVbc4x2iMwUWgJLHdgXg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbjFxWk5lY0kxaStxcnVh
+            SnlYamw5WXBRTkU0ZGFEWnZvME1nZk94TlIwCmlhVGFtckJpN1RZdXRBYkxDbnVS
+            UmZtWENzZWNYRmptY2kwem42ek1LbXcKLS0tIElsRXBmNHNmdjdqTmFLL2ltMnFC
+            VG11M3ZpeUJPUGlEQmExOEdSZFJERE0KSIo1pzx8AcoJWEzNzEDoV3eM7194IHxL
+            4pCSSztKDCF+XdJZLh5sgudaYLJGtX5n7q1hbuL0wOmotM9bN2YLog==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1SHMrVmxsL0orQlk3dy9H
-            NDMzWEZYMXhkamVkTy84VGEzUm1BU3lNY2dNCkNwOGJteVQzYlZESGlScTg0RnFx
-            emNXbmZhL3BHWThPRUI4MVIzMU1POTgKLS0tIHRmQ0llR1NCSm9KMHZsOGJXYmxk
-            eGpDUlFHdEZmWkZHTEw4Mmk2UWRnUU0Ki5GK2mzDIc2iTryjn6lf5lMqVZcCcxQ2
-            a3Y/o/NMFDhMZpLlEljuWQVnuOyJZ3RSDCFN9BSEkxg05PaoSluUzQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybXRjNEM3ZDYwa21LdWpE
+            dDg1MUxaeHlJSHRhWk40TndYbHZLWHVsVWk4CkxkRVJ4c1lhaXZodGxhNGhkUy9q
+            M0I1SHdjeXVXL1E4OXgxS2x0cU9ESFkKLS0tIFpNMjNKLzNDWWtvTkhHRDFSTklH
+            T1k1cXp4NXVvVGdkYXp0VVNJejVJRkkK6K31gqRRvo0mbJy6aCTKotVmrfqZoARG
+            w6wKe1TJLWJv8RAD3GQrub9MJwQhUG38Jtj1WrXgNMlF24zFPlZDEQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZY2ZiazhzdkxNZFZldjBV
-            SjBCR2lXdFZZUUpJTnJVWUVMNTcybGQvbmpNClVDOEdMK0JIOUEvaVYxcm4yeVp4
-            dVY5b292WVE5L2JXNGQvSENiTjBWVkkKLS0tIGIvdzBxMVNYbGN4ZXBBNDg1bFNB
-            akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
-            GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2azhwMEJRZ3JQRnhDNlFR
+            a283MitGTTdaMTZURmFYam85TU43RkdXYTI0CnQxWnRUZ2F6MHd1TWlHMDZ4b1p0
+            WStOVndGTUpmdncvd1k0WlV3c0xKYmMKLS0tIFpSb1hKbHJyM1dCOVBMa1Jabndp
+            NWlGSFhQUngvWG5BQ1lyOFAxanlGdlEKt09a9bMErR3wqbutxhDRfSWp40mmfShJ
+            KAAO2TEMKkEGFvaxYu+G9rbR37h/ZttikJMvIVlfRzmVADlFwO7eHw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-26T02:07:41Z"
-    mac: ENC[AES256_GCM,data:CRaJefV1zcJc6eyzyjTLgd0+Wv46VT8o4iz2YAGU+c2b/Cr97Tj290LoEO6UXTI3uFwVfzii2yZ2l+4FK3nVVriD4Cx1O/9qWcnLa5gfK30U0zof6AsJx8qtGu1t6oiPlGUCF7sT0BW9Wp8cPumrY6cZp9QbhmIDV0o0aJNUNN4=,iv:8OSYV1eG6kYlJD4ovZZhcD1GaYnmy7vHPa/+7egM1nE=,tag:OPI13rpDh2l1ViFj8TBFWg==,type:str]
-    pgp:
-        - created_at: "2023-05-21T00:28:40Z"
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYVJLMTZma08xZVo3cEZs
+            Ym1FTU9ZdmxlcUxselltWDRwdUhUdU1udnpjCmh4TlJEK09UdlNFLzN0YnN3WGtt
+            aGpzd25Vckc1TmVCamQ0ekk2QWpraUEKLS0tIG9CNzBOM1g2aTRlQmt3WWVrTlNB
+            ZWsrZy9HSWt4OUdMb3ZZQmNjNGZNZjQKMhvkRnis8P2iV3hoigiN2IXeIFvFuYRK
+            FeMG/cNOtAUsOgHMs4xDPqpLrhpay7IEvwQukBxscd/88I8/ZdGeHQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtazZ2RUo3ZjdKeStLWW0r
+            bm1NVWJRbjZpZTVRcEFWTnJwYkp2YUN3OTM4CnhRa2RpOS83MW9zaWlUV1M4b21t
+            OG5Ub3VkK1dSMkVzN2VtT0JrWkFSTkEKLS0tIGMvOFU2U243RnpUTThRRWthaHpZ
+            SjBhZjJpNGlUclF3bXRKOXk0KzlHdzQKp/asp39bRfNXyetc3ySVpnzfO6it9D/e
+            XWyhq0yKRFAC8yMYeAuA4kIcNM4DGRc0PnwA/ce3IgHsV1ZNdvdWfg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnT3lTUEFaN3pOMGhsQ1Ra
+            SVZ6cE90a1BteXgzaldsN3ZTSGZpZXlyWHdvClhJM2ZDRHR0VzVSQXd0b1drK3hG
+            aW8zUWlHcVFkTFpJYXpxWlAwVHV0ckUKLS0tIGVmR0g2Vk56dlZCU01Dd3NzUFZU
+            UHpLRkdQTnhkeGlWVG9VS1hkWktyckEKAdwnA9URLYZ50lMtXrU9Q09d0L3Zfsyr
+            4UsvjjdnFtsXwEZ9ZzOQrpiN0Oz24s3csw5KckDni6kslaloJZsLGg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-01T01:33:50Z"
+    mac: ENC[AES256_GCM,data:PkcOD9hJWD5tILO9PuZkOgIoujt4q2qtHBB9KF8ikrNKo0yw24Jf1ceI5/+BHCxhdi8sF4qQM/zty61zqwNaBsvrsLUkdWDwUDsuJQa1KKZiCEZPqYBc+qGIQ5wNPsU2zJ0c8+wU8H0LtGqKOH9GmaQtTdm0Rt2IcexV823uTjQ=,iv:GYTI85OgqnN8iUc6OOXO7Sz2XIthWJtz8zwMuWutEYs=,tag:2rhfhjXXzZLzoVlkINo0ZQ==,type:str]
+    pgp:
+        - created_at: "2024-08-04T00:03:28Z"
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//TewS5bITIo3bx0HEM0p8bwnSJAmNqGJmuILXg4k8eszF
-            JHS9eCfU/Vz4Z8eMDJjntFIWvNCl0QOycvp37uNaqPedDE3v1nNpCxOZ76vLT9I5
-            smXKpRmfgYxQAkWQRJ6aUV+DoVjSY/hT9JWD7u4uWgavG5D7/3SwiJC3uM0/8mxM
-            gwbp5eVEO0mTvXZsmqIRJ00NKX+RIMuUZFvzu3ajGywZfQxFs7zUhx7Lc6ry/MYI
-            FFrbXssgpH8U9dHMgBsGzeyQS4qQLGFHJuNBBzz48U+Dr5EgHqZ2ZXZschW+40qX
-            TH8d4qyOROTiHKpKp3+nUoRiz1JPkJ0rqHg+9hOrFNpl1NZQ6w1UOc+0Ki6ZAwMd
-            yNF733/I+OaI2b4nxhG+la6U9Z1fOat3BPRoxp8ZlLRrPq8ljxV78TMVfv7/lPO6
-            MZopBmSOeV19t/QypYi2pl+QYRaVs2QaBFotulob+KbKpWC4T2tMEMnPngsTxOhk
-            26VY5ahIp01QbewPxylpY6r1jx1tb8KcMmsGlaLrgOo9Q526bh5QGRDx9NCj064c
-            uJ2ed7hY9tNHs6qN/94rcr1hOAq5kVh+36UvJBZYQuxwIXIws4Xw+obzoKVAAqEC
-            qEZWL1NB0hXynom7Vc2e2MzT2guogXDHvlCDHjtt9ekGcmU+tQ/JdgTOJ93hEInS
-            XgEjcd1xpnzebDo9SpNBq/J/uSKAKLPOI2y+LZzvs6oiFtc4QLcgGors38x9SiAP
-            JSiQnUAC9XZtiugGdCOVy6MG1x3smAafW6kcH7yr+vWoJoQLbbF60PhuhAJ0N4Q=
-            =3iQC
+            hQIMA0av/duuklWYAQ/7BlyYej03uyhLheXS406h3Ew7v7D+rHHvHjiw3FCJxHoC
+            1revUrMa/M6iTNQteaBvBcYVR4+SpUpRyN/6BSzEQBrNhUBR+70VWL2yzeeb6Bw7
+            GBtuyS7O3DEd0froE3aFETR0NfQ1FfcndOBd3SDKOsCgL5nfJSyOPQtr1OMLKzoW
+            +CARt457xEx0KY7IIpN6e57IT7bVjJx5UuDcN0ZncUyuGUAKHdn0nAHzWqiSZV9w
+            bIftLJ936zvBOhhl3DkzvALnI9+//KPSMM3o/1ti07FoAx8cK2w83VA5Ia9qeNkB
+            wfVuE6f5a2KP/KrfnVCfvweMh/MIEUGb14XEaniyYwvlW5vwF9YgPH6HGc0c+lH6
+            UWy8+Iw7kXkUEJuhtNWyBPJeVKheSBieoWUBZZAK4uWUpChJxfc5M3+P3mgzTIP+
+            7P04xdtS0GwrNwMBiQFqc56hoYDAwMYbn9lFzM3LLq+h8Ztg2G4X9LXjD956TP5C
+            bPV7BFcjTSaAt1TDJcDJRxfrtx6Mo/DLknpGTMRM0UfQ/22uMz2GAH38L0C7lD9B
+            RrKlpDuMKzj/LUihO33Ry9J0IpZ3XF6oaSl/+P+uO9QYNxA/zkuxuSWfqoysldyN
+            bSo1dHGapY/+PVMjM0E/2Dkk9T2IbQUlkVxPrlvuUd3YfrJ7bCva2GDjLvXSp7LS
+            XgGgLgrj54YoOn4uUFsxzDIS7yVps3fCkByVtc1Lc3C8uPPF1B+jOX7O87kZOHag
+            XvT2ze2ITfdxPzoyZO1nWVIGO8rAtQ/vK/Iv2/hHtc4gfzL+gy7GeUWGHkvZ1Kk=
+            =wDmH
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
-
+    version: 3.9.0

secrets/bicep/bicep.yaml

@@ -1,5 +1,6 @@
 calendar-bot:
     matrix_token: ENC[AES256_GCM,data:zJv9sw6pEzb9hxKT682wsD87HC9iejbps2wl2Z5QW1XZUSBHdcqyg1pxd+jFKTeKGQ==,iv:zDbvF1H98NsECjCtGXS+Y9HIhXowzz9HF9mltqnArog=,tag:/ftcOSQ13ElkVJBxYIMUGQ==,type:str]
+    mysql_password: ENC[AES256_GCM,data:Gqag8yOgPH3ntoT5TmaqJWv1j+si2qIyz5Ryfw5E2A==,iv:kQDcxnPfwJQcFovI4f87UDt18F8ah3z5xeY86KmdCyY=,tag:A1sCSNXJziAmtUWohqwJgg==,type:str]
 mysql:
     password: ENC[AES256_GCM,data:KqEe0TVdeMIzPKsmFg9x0X9xWijnOk306ycyXTm2Tpqo/O0F,iv:Y+hlQ8n1ZIP9ncXBzd2kCSs/DWVTWhiEluFVwZFKRCA=,tag:xlaUk0Wftk62LpYE5pKNQw==,type:str]
 sops:
@@ -11,52 +12,79 @@ sops:
         - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RFpLOEtUQ0ZLeUdmTGxl
-            VXlTOG82Ly8vdjdldnB0dGFzTkdxUHNML1VJCmxDWHhyMHYrbmtMVWVJYTdrWjVn
-            aE5qWWtHWSszYnNWc3l2VmFwUGl4R3MKLS0tIG9ocThFNm1pcUtMNHNlMlFsS2lx
-            MDhubWVxamxlSVk0dUtIWnhyUlBNM00KRunPljgLCHkwn4HCPGpkNbLitCIF7hYL
-            jRYVzu+Wddd13A4QfvHvAI7bJB5Zsv/xwmggVlICG1pky7gPNDwGcA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiOVc1eXg1bU9BZmc0cXhM
+            L0dpbVBvQTNzcnFWcktSaW5rQXhnZks4dlhRCmVla3kzWDlJN2V0dDFYWkxJUUVo
+            RTlqNWM4c0lmbkc3cUM0dTgyWGpSNWcKLS0tIEx4SkxDdTFGUi9OQ0NRVGxXeSs4
+            b3Zaa3p1MnU1UTk1T3hmejVkM2RDLzAKmk63I60GEenLt0l4FHmz9mBAumw105Qs
+            mDbQBfAj1m1FTE6tl38J8wVyFI8LT550bqYdymvnT2mnEIAIP/04ag==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvem5LODRyU0VlcElOS0tY
-            a1FaNHc0SDJLQ1llalBqQ2VEQjZpbUFyd0hNCldQNUpTdFZ5NTlxWU9icXN2Mm5a
-            S0JQOUkvdEZRK3NBOGpEZkJleTB1TXMKLS0tIHdVcFRETFlBVWI3TTZYZGJMMkcv
-            RkRXTTVURDRFNjFvci8zRVpqbkxVclEKW86hoVO0grt2x5YMt/YnmDI6J0QFKjZZ
-            Mnmd/Z1S6a+rajCy0GkeM+Q8AbBqBrNei2H5Xp1PlxNyicGib6+Ngg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5dmJpdUxVcllPYXpxRlN6
+            ZnYyc25sbjdWNUNEQnE3UU5Ea0JPK3o0Ukc0CnFIOU0rOU5lV0tGb2NuNnQzejhw
+            cTBkOFJHTXJIMFhzZ0tpODJ6N1pJRTgKLS0tIEhPVlBMcjdHNVRKWDhkTXFTOFFu
+            NUREdmFNR2NkY0Uzcm9tbmhteHFtSTgKSUTGoNb2/0rljN7oojVk1fMAulK669ud
+            fpacGQFBJzJOusx29YC01W6mn8TW8Cdw6mKmS3QEsYYx7S4HpX0v1g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bHNiY3ZCNHZsYlUrOHMy
-            OG55QjVmQVUxbXl0bkdNQ0FEais5Sng0ZkRBCm5KdmMvNmN6VmdsREZrbGd4ZFpM
-            VVpsQk43MlBxU042ZkE4L1hHK1R4RVEKLS0tIGttL01XcG1IUnBMbUVqKzJMK09o
-            QmVlRnJhSk4xYWFVbGVxdlFxSDlXSGMKJvjMDaX4Aa98gT+GPjGaKKdnG67jNG3C
-            nLsbxU4vNpFvjF4WI5vdvIQe5UGzoCYQZp3oHFnGq+Jp/hJ1HFF0GQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRUmNyQWU2Ym5NMjJnUUpu
+            Vi9yeWhFM0NDTGZtRThXQWMxYVI2aEUrNUVvCklxTldQRnp4dTVXMjRXWU5DNWhz
+            dzllOXp1RVRaMDFNWExuK01maFk0blEKLS0tIC9hUENybThmWlBab3IwSTQxSHBj
+            Q0IyL20vdlRBNWZyNXc3MGVtcUNza1UKLDq74TMy5hXhimnDA06/Ku5RJQcDvkjn
+            QKSGCxZ6FJ/io22qNiw0vDRzTfW1Dz+9/Yog3Pi870IcAljkdmoxEA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-09-05T23:28:56Z"
-    mac: ENC[AES256_GCM,data:pCWTkmCQgBOqhejK2sCLQ3H8bRXmXlToQxYmOG0IWDo2eGiZOLuIkZ1/1grYgfxAGiD4ysJod0nJuvo+eAsMeYAy6QJVtrOqO2d9V2NEdzLckXyYvwyJyZoFbNC5EW9471V0m4jLRSh5821ckNo/wtWFR11wfO15tI3MqtD1rtA=,iv:QDnckPl0LegaH0b7V4WAtmVXaL4LN+k3uKHQI2dkW7E=,tag:mScUQBR0ZHl1pi/YztrvFg==,type:str]
-    pgp:
-        - created_at: "2023-08-27T00:12:42Z"
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTUpYam1KQ2laek42V1NE
+            eUY2TlY2Q0JNTHR6QUEvZEhhem5ZKzhPQ0JFClZldDE3dDVIeTQrOVpJNGI5dDlR
+            YStuTlRDcXdiWE9LdThaUERnbEpkU28KLS0tIDNidFQ3ZTdINXpTZGljZmh3Q1ky
+            Ynk3aUtFOFdGV1NHb2d4YXJXb0xNYU0K07jwIfF+US++qz9rKn0TgR/vZam12vvr
+            lq5s694hHkSRmAP5uJ4lNQKUkacH9qlBXB+aU+D98vKRDGYIkKhlQg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaURPbENOQ2l2N2lsd2l4
+            aUdQNlUyWjNFM2JhcXF1Z1NJZ0lzZWFjYmhNCnF0VmZzd0hJSjJvekpzN3hoYnlq
+            UDg0VHVlMUFTc2xNdGtLb2VXVzBySHMKLS0tIHdVWjlnTmdxSGpMR09zOFpVYmZF
+            M3ljcDgyUHB3Zm00bUxWeHRvK3o1bE0KGWWaSuPmvzA4PqBg3y+XOpnVCkv34eV3
+            ZEnPJood5bkBlVqfiBbwJaF98rCH1f5WI6S0NA/5ol5kckDpfwpePg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMczFnbUlONTI0M083bzNB
+            RVdYQ3ZIT2dwbVJVS3pjZjc4d1htMVQxZGtZCjlPejdVNFVrV0t2MjJ5NEZuYklt
+            U0ZiUWgzdytMSHd1N3FPdmNmb3B3UkEKLS0tIGtPdmhpT0NQSGpPWWVublF6dVZt
+            cTh5bnJ3WW90aXRCSUp6NHFYeU1tZ0kK4afdtJwGNu6wLRI0fuu+mBVeqVeB0rgX
+            0q5hwyzjiRnHnyjF38CmcGgydSfDRmF6P+WIMbCwXC6LwfRhAmBGPg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-15T21:18:33Z"
+    mac: ENC[AES256_GCM,data:uR5HgeDAYqoqB9kk1V6p0T30+v6WpQJi4+qIeCDRnoUPnQKUVR10hvBhICck+E+Uh8p+tGhM6Uf3YrAJAV0ZCUiNJjtwDJQQLUDT53vdOAXN4xADCQqNuhgVwVMaruoTheEiwOswRuhFeEwy0gBj3Ze2pu47lueHYclmEzumLeQ=,iv:t0UyXN2YaR2m7M/pV2wTLJG5wVfqTIUs7wSQMmyeTVw=,tag:O7dIffzrDAXz3kGx5uazhw==,type:str]
+    pgp:
+        - created_at: "2024-08-04T00:03:40Z"
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//edQVXnTS4Xarwt14tF6yyhWM9/JFSVWW97lTO6xTNe5S
-            jNROmF/tHl29IPX0/QHXj/d4jMF/nteHdD53nD9s312CPOBv3SEwl4e7hfMf3rUN
-            4YOahX9J4ryoB+ZleK5leoYSsWaVBDJfERMkYT9Ta/xv4EC5zHBTlZDpLRuS04eZ
-            W5MG57TKBC0oifPvhCuv22OURNUp9t/bysSuKgU1v0Czu6ozuVgw9AO8G+PstFpW
-            7lyIMUNJQ7g3hiKDrrPPYcrKTeBbhxTINObe29nv00y0lycnfx3PxWrXpBoyv82y
-            xRgtalVvlYre1w6IFkqDFtpJD6N3zPFnPq4ZQ0nHN7A943Kxli5JnlkRH9Ak098K
-            PuykZ+V2X+qFNf4LS+Gnjx9wZKaLEChMaDhILUDKuUcwPIU5EiaaBOS1Y8NQ4Lha
-            pzyWzvpejV87Qvg2iog9UYLsK33GuxcFzYaklnknrI+9SotM7LRGQTVkVOwykh86
-            8d+Sake0J/1xjOcxUNbaYreTA3myyklVlvoybyNOdSzxGveEq3KvGgcORnQxYwe3
-            QDoCdVNTmU5ELwDPALVMenDr7VixN085oJkYqZJ6v5E0K1Bhtrb6PItoC5Kea55s
-            zWP+0rYxFx884cqpf8/JuC1Jbs1DpljqMMW9aD6A0htzOwEyHzDKWxy7zxCJrgjS
-            XgFHIr6sG1geqUzIhw8NzUpdOkdlQ6YFKP3MsUfxIqPHWVQWt1+LLvA5BX/wXIe6
-            kPTa9qXwmK7Hrh5TyPPEjrO16qT3UE0nvRAI0s79L6U+99xXfhKIXhg2OMSZCR8=
-            =xnr5
+            hQIMA0av/duuklWYAQ//XP1HnmkjG/wdSC2lQm2XJkB5hMU+eJxglsPVaQpqTODr
+            dtVslBr/4nvCLypWhwYCG4jSz9YHU1sI9kDOsuo7PtwCrhfefeOL6CO+O40ECFMR
+            CEMmPLrTXg3LV3TzulchXY6x72LRzJ/aJ1Ra/6sGmffL7JHJ7vHz+U63oXyYivdX
+            9zsxP+iGRpQBK6wcA+Wg30rFV1ENE77H5Wh3PGRRXBSVE1fF6I3USgOxlQvGGnK8
+            cobLecH6V2TwSAptVcGk1gEmn6RUZdxATBnt0vE/Wr/zxZLuoRJgxmiwXuL5+kYW
+            QjCvCgAAEyFJtDRycwPPpDtTCBECPV97Ryev0Z8PdrYHfjNcgNVgDwNH9L3TuIEY
+            QL/f/+9PgNuUjf/7nktn1c5eAvmMyKJCiy9yKYZ1H9ynwN5Bxf+KJflVtTWbdJJo
+            ITXP2RyU2ttM2WjAM87E0HJD3XZ9x9I8Se/f5eQbg2Om7E2HXYr/v2uWf2ByRn5y
+            PV232/rR/whf/vpiwChDsBT97ZfZJibU8Xot7WMkQhgjCJaYH0wzYcrnvg3EIAo6
+            MBN1ufKNAp8BoXrM2P4yu+UOjrN8O+54Sxg7CSwg/a/ldDdjUnsGfbf3vzY1EJcY
+            2lhLZ8sOQyl+Ppe095pcTLvcYp2FOihf6d3i7GGG6Q9Uh2Ljs7EB02GDKP1XozjS
+            XgEsx/GScE/PE15VKlOHhrrF7OJj8P+uvlriVqk/MSWUVO2+X1yS09gXFtazLZBo
+            yqK2yWAOsjFnrMv4A8YHM7COkKvJ9BGdefsoGQu1O838/T7R9+e1OK9iDhfbcMM=
+            =vMG8
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.9.0

secrets/bicep/matrix.yaml

@@ -19,51 +19,78 @@ sops:
         - recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSZ1dKNy93WmNTVkNzOE50
-            SGQ3d1NvcXlMeW9LQ3JCT05aQk5qSTNIUVR3CmlDeE1wTUUzQVZrREdEeDZSeW15
-            dEsyd0w5OUpabEZHNm54UDlmaU41V00KLS0tIGJZTXhVdUJJS0VIdGdnV21DUlhL
-            MjNrRytKUXBXZWhPN2dpUk4wYUJyemsK5sspkZA7AOkVtq4e8p7QhtG2yLZE2TG0
-            qOhodWBMqi9VWnwg6HTKtQK6hfZ17McB93J4wtciCFGB7Pa8d79TFw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJcndkMFhyZzdCK0JDN2FZ
+            ME4rTWo5dm9yVGFSQS92M0FpaW5WMGpzRm13CnZ3OEluNWNnMHJWaTBuZXc1dk9X
+            VXRDOHlXUmloYUVYT2pzT2llYU8rK2sKLS0tIENJVUgxUzFxTFg0S1BScm5tNU5x
+            M09CZ0Y3NTQzUVY2ZXA3cG9pYUx1SG8KkZXHZmB5yBh/zoMBMdMwlHyjIQE31EK7
+            cwAfWYVLjk0CDM1JScTCy7RoQpbqNsMWFyUpu1p+1N0FE8IgefOU6w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZ1l6SDdpdXl2cFNubjBn
-            eTU0UCtGTWhFYWIybk0yaGswKyt2clJQekhZCkVkbXdrM1QwaGZ4TXFpOTE1eEJJ
-            dUZKampwMjFzQXJqUUx0RTVwQzFoVnMKLS0tIEErNjhFZzhrVTJucXgwSVp2RlFi
-            QllFM3MxbXBBbFNTQkNKWHhyQ09EVGcKJIJ3DB8YmhlL+6sNhp38PojDBcDItsR1
-            SKyJC3nTJjwtPD/8P0LivCTn9Gi0Yjd5HVIXq/76RF4aB85HLZLgSg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTekd4bHhLeVh3RkNsRjBu
+            V2h0azluRmJzalZGdy9MR2RENkY2WkpyakN3CkdFWHB3cUhQYkZlU2Q3d1ZtcUlr
+            UTBzUU1lVFZZaHUrUENiWlFCYXErT3cKLS0tIEZUcVNRN1QwdnNPYnI0ejRyNDBJ
+            QXJzMmFkdDh3SHJCSjlCQmVSKy9McU0Ki8UxAzALy7EPr6Nve8UGLmOCqstCcOfP
+            OkTpjXFcTBJ9wMj1ZXCoH3KYqvJSu0gvB97phnkN9X8aXkf2DsOCfQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwY2VLT3Ara1dXTk5EVXBi
-            b1l6ekd2cEp0TzgrclVNMmR6bXBtZ2Z5V3k0CjRkd0JIUzBCd2NvWDJDU0FyRzR6
-            MHJUSis3RHlBSm1raFRSaUY2NHpmWlkKLS0tIEk3VDhLSnU5YjRzNWFtb1ZMcy9o
-            cGxZVnFhdXRka2drTGdkVk1iM0pFL1kK2ry7b2cLYPfntWi/BV3K2O+mHt3242Ef
-            sI2JLLQYHeAhxjFdCzP1RDR+Wu/pRxZje6xuTZ9I9TKNmm+LhAXHQw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT05zbjVqY0NNQ2ozdEhx
+            MWFlMWpvMUorR2RnY1Nva3h3VHRjZTJiQlFjCjNtUzZxRlRlZkxGNncyQVExSVN4
+            UTJINkxHZU13aXpOdDhRNW56M3RXMUUKLS0tIHBqWHNIZ0dYTWNaclVDVk5sS3I5
+            YlFkckxlcjROank3eXdtdWhMY2N2Sm8Khqzk4NUSeaPBYkMbHBhBkagFBQs7Z9MX
+            HYLiY5pOdCkOteDSOGlqSdiKI7yVNsETjDXeXybLHk/RNaJbhvhqwg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNUU3aE84RnpaR1pET1l1
+            b2dDYjZmSVd3N05iMTloKzVTc3phOVVGYlRrCkpGMUZhL0Ywd1dEZm5TYStCNjlX
+            ZUJnWU8yZ0htbHowMzNBekNRSDBjWVkKLS0tIDlXczh1VDNsdDYzTDMvK1U3TWxQ
+            V2tXdk9BUG50c2ZCMVRoY0hxeFlkYkkK+XdRap/LtxzZ3q4ulPRb3LQyeeuO0mu8
+            So+7G2acSDhcNqZtW4jsu/NzSNqcv1bwd4XcKe7xqVDVYRpN8LBb2Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMW8wMi9rdStMSkx5dlpL
+            V250UlpET1k0NmZzaFpYRG15OG9NWVBKMGtnClFxeERxc1kvS1QxNTc0WFFQTDU4
+            UmNGaTluelF4NElXUWhHQ3ZnN2FYa1EKLS0tIEJHT1FZZEFwc3lxYWJFc083ZG92
+            TllFaWFqOXZhVldlcVJwQ09TSGRFMzQK+smZIE1hYx8urWrAqqAb9zId6ZblQesr
+            pc7lDe5AAumIh8t8tzFwl72XtSMrStDqaneibbRjr0N39L0xN/nhTw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZ2gvZXFXNmdod1IxWm1o
+            djN2Sm1iVkpHYTJ4LzdLWVI3dGJIZTdQK0VrCjJqVnA5NFlXVGFFUDhXdE9GZmRJ
+            K3ZNTnVDZ2w2NjZEemRNUnVoaXJhN28KLS0tIFVxa0NBNlVVNlBDZ1pxSWRZNFY5
+            WEh5NFN6SFF1TlltdWFWTGw4MHRHUkUKrKIvC87xjEmwxPQhH8dN+ZuaJTCgPY28
+            pR62KxmoKFICLTHPpYP3euiAx5M9BWvgvCnA/US/5klpk8MtlreNFA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-10-22T00:31:46Z"
     mac: ENC[AES256_GCM,data:UpnaUfRxvdyzBy5x4EC3w5LQ1qWxILTQhpyVPd9whTzQMAivAHT0pVmP9aE4T9w3NcWTaghp+f70GmQXx/OCC6DsRCWtU9pFHRj12YUowM3yB5lVTOomOLZQ9m4gUXw5I2GZHWBJn8CyosDcBMlXz2tiR91v/8Ulh6sDSAO86U0=,iv:5GcgRvbpqDEslZruKHM/TcMaF52A5X7AK41DEbrsRIQ=,tag:ndDgCRyX1aDRnzEUNmpoMw==,type:str]
     pgp:
-        - created_at: "2023-05-06T21:31:39Z"
-          enc: |
+        - created_at: "2024-08-04T00:03:46Z"
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYARAAmj8qTRTeTXx9PNtqOFwCGmLlKGhj860JPE3BUR2n3QOE
-            h9fdVJa9yqK7Lshyuf2t1HbgG+Ah4p4BaO5gYGsMLV9ybZpyNFuCgSZ3DZ4zSfxM
-            GSqelcHJF5qbV5gwoJvtyVFV3qtKD9FpOJwh9MfEVe98VkoISCQsPl3CHDH4ot0l
-            zKa56vOReHRmaCid2LNsN0nHlh1KPpwn7HdgaKyiPFexMFe4L/Q56UrlZx9XyPOb
-            AJ91ayfI6jWH8Hj0xxyqx0shdA74nJ/Y6ZB3JxLXnGuPvAlC3XJRQUImqYsa7p11
-            4Hus4hRAGEJGpmpxhazInHkWOT5ECtzxMd5LlUSq0AGYlEWJL+jtnrvy86HqpYRj
-            jpMfwsuwY7dJ0Tll05+goWqn0zB0yZjax71Ynky/ie5Iv8FKaUHHh2HWAzqjUaKg
-            6Yp3hzmMdP61fAm7ka4mxQLXQ0lrUbVnOk+pkaTrVrhcQial3W3lIgIhyo0EVi2V
-            Z7yEFkec7XZieMklhkL7tq9SJlWJYG1T+bavD7JSWjOXu+NlSP1hLKytM7xjp5jH
-            qZMEsjOaUEPvIO8Kd1f8MpLLe/+EhtmQJJMN8lwA8t/N+aOVYsW1GCspwX5mI+Ob
-            ZCIPkmeBz+UhJvqFD9QwWB44VWH7429VCg9hL+iWR2UfIUQHQhRFWD3604QBppzS
-            XgHEqjgLremZkvBsTAZsaLrTFlm7KwgjZsAkA5k+RZR5SH7xCXoSUSMnM8pWTway
-            24M8mPHKyshggzR5B50YME5BY1qVKtOMEmTjwN5gpn4CQDcsQ7A3eafZg7uGd64=
-            =4DU6
+            hQIMA0av/duuklWYAQ//TtjTsxf5xHnu4g5Y22qvyMud17MN4j4hCoLXjRSbzG8K
+            /E+0Gs08P3QqV6DddmLvxeAcnLBTAdE4XCMFsRX9eK0BLqPe++yoamOpoPe896zm
+            BW2BXn/oemGdOFVOf43LRuMEYn32pjg4RNzR4bn3om2TY3S0nr7GP5J9B1QrSPfH
+            AFdR78MwX7PrOkkh4jSLPftjAI8jUtvS/TzX8AXnzy1A8xSkWxww00GMvTvSSAwZ
+            wxU6fePkLwuxVwZVqI5pdsjAscwy7FE7NWDgE9GMIxxwAJRRwJcsJ+eVM6ykWMyq
+            Xqo24kWkAqgs7vbxU55gOqPVHN50M22fQ4+RYaLnLyj6BO+0WegW1OmK88q0flaA
+            QADZHLGrsuiVgc4KxHskwQou1RuHZnPUSqn+Nhnsp8rtAfboHS28v7ekRNTmhTWG
+            qPVPlOlVnY0AemohDjBnk3o4rCxJhviL9KTjmAtIGTK03Fqzk2v23H3+LRo/rocm
+            gQCXzN6Igdwn7n9x8wXmuO6iL9Jftu4MoaQ0W55hZiBfh8pG76TGdNhycZr2T40w
+            MBnRX3ydwH2T+y2pGM9tJY+nlgGsyTiOw01SN7/mio3YdCSvChXTkV3PaX28u+CJ
+            5TaYLM2IP8W5DJU3r3dV3I3JYED1O5Arq7Xrv5Z4qr8vwamnCN6SZGe2qCqxTOrS
+            XgEHGwiK1pFQIBxkI0gFmGX0ckd1NYUfsUCyYrFkcAsicWetBhdlgMjLc86bVHwQ
+            7p4iGLGsr7GZEArBnP0J5Ee+Hr9MCiW/OCLY4M4jlTsyimlsdgDgyr+RqoOnvig=
+            =SRZU
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/ildkule/ildkule.yaml

@@ -26,51 +26,78 @@ sops:
         - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURkY4WTZhQzJoREpxV1Vr
-            aUExZ1dxNkIyMkJtUXpqOWtTT1J0MGpmMkY4ClR4Wm1FTmhKN2pIMENRdERrWVY2
-            SUlHblpEc3VackMrbFpHUUJwM2ltZHcKLS0tIEovMEtiOWc1L2tzZDh3ekZKbStr
-            NEFkcW03ZTRJODNxTlVuUnFlcFFUUncKEZzOeUtRsZiuugTLzG2xU4eJ3XtVuop7
-            hhlDBL/YoFn/CO3HjqFdCVv33QoPu7KKMeV52pbVEnv93mvdEeFxVA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNbW1FZmt2ZDRZcWs4SEkr
+            R3ZDaUgyVlVvRHNNRTZCS2pxQThsT0NmYkFJCkk1Y1NpT1RSTFp1MWJ4aVNrelVx
+            blYvS0l3ZHczaVcvZDE3U0k4ejVtZmsKLS0tIC84WEE0WERiTCtKNTN0NmZUbDhV
+            c1QwV1l5b1ZQNitFRnFhQmIzSWNZd2MKokg6XMIFfjxB6sO8EBjBc7E7Ur3zBw1o
+            akXuA4I1Xw2H1W8B6HkVSDp4BpBEe8xi0z8TUmzkA9/IBoypG5EJKA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSY3cxSGFvdDdWcFVLRTRy
-            Zng2VnhjZlFkc1RQN0NqUjJGeW02WlFaMlFZCjVZc2x2UXNXS1I2WDBxeHdjNUdr
-            WnZGc0l5NlArekUwUGU3Qkdub25EVm8KLS0tIDB2bGo3ZURtZ0pSZjFzcGpOdW5D
-            aTI3aTBUS0d1MzFmMTVMbUlFYTR4VlUKzOvNCAzan1GTXjoRxeySkUYIYtI4Mpvu
-            MC0Q8e350SyoOsrF7fUvw+Ru68fDMLW27H6Ly36xP7D3eo/h4eZVXw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrQzVtTFRFTnNNQTFXL2dF
+            UC84d1o5Z0p2by80QW9Sck8zVHJvMjdjd25nCitBRWtzVVdTUU85RzFpN1FmOVQ1
+            SlNESXBKc1BUdTRaWk5nSENvUXdraWMKLS0tIDlkUFZRVUV2Qi9iSUpFRmN1Tm5S
+            dW9lTkxsNXBBN0wwZ0NFbThRdzlvOU0KbLzteBt0VTr825sfKLNs3i3FT0/dgn2z
+            kOpJQf7KZKEVBkInUOkPmobtw6oM9vfWha035tTJPYjWy+Lp939tBw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbDBYMDNQcWkySC8vN05t
-            U3hLMjlYVUE3Zms3U2R4R0VnMUtFcmVQclZvClY4aWZEYWZPdkltMElkUWxQeUtP
-            TEF0a0txbVQ4d3lrelp3cG9TbG5OSkEKLS0tIHR1V3JIVEwwUjM3RVdES2pQUmhP
-            T1MwME1tbGQ2NysrOEVNYVZRT1R0YmcKFpfe9GfH7s779CNQswRm/W7zwYO6wK11
-            z6IGPxtBlUGdshYiHA1BEz7fMVg3ZolL2D98cTNMM24U89Gssiw9qw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCR25sQzNkMHhETzY5cXRm
+            Y3QzYXZOemFTTmN3aTVpODlQclB1Y0JRNlRRCi9wQWVGUVFYd3ppMUVMdUVQNnBC
+            bVVRVHlsTWIzMitqNlQxN2NKcWl3a28KLS0tIEJrNk44TEN0ZzJ5L0JaKzFZaE9M
+            MmxPN3RUT0hDRW9MSm92LzZJY1lCZlUKM+r/35me5K74KkidKLUTZxqMqR++izHK
+            69gXZEHY+ZSvJ+9IBzcIxcFdSFyVUAN7wobBWZGDxmGJRClS/8jcHw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbzZHMHVqVkVrTVdiUmli
+            OVhhVTZhbVRVU3VKd1Jxa0Y5dlFReXQ0QmlZCkVtVEhCcVlHamozeDYrQlVvRjlZ
+            YUNXM3FML2ZLOW5PZ0tpZjlPc2lpdlkKLS0tIHVXZHoyRmlscSt2TlpLb2lDd3Bt
+            bmJJS3JPWlVMd0FRaExUZEZMdXk5N0kKY6qYVva2aOkvo1huKH50gkT1iQAUhZCB
+            ieUD1aQumHe1OYVeEWJCf2nYgApwq1tPjea5nqc4VzOogTbLVcKMFA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrNWc0RVNQRzJkRTBKS2xD
+            R3ArQ2lkc3F3QXN3bldZbkJMaFhoaDI4Mm1RClhuSmdRbWxlM1lxOURRWWVocC9X
+            dWFSOG5yN2x3Vm9CZ0pSN1BLTWk1ZmsKLS0tIHRpRmJmL3FmaTFpL0czV0tIOWhX
+            NHZLaEx3dEozc21MR3ROWHRBQzR3T00KQQiQ4SxpyMTDZyGY7TZrdQEioZAB+BQ/
+            u24WgbBdSP6VDvqmq2gG8BqZ3Aog2/7SQ0CVzrsimAoXi7YCWCTetA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVcERwTTJmdlgvZjhWeTBP
+            eGJ0aG5RQ0xrRVBSMldEMEFpUHo0TnM1aFNzCkhReEZ2dWVGelNadjdITCthcTZn
+            RzlQZmh0MzF5RmZGRW5UVXhYL3RHRFkKLS0tIEtrV1ZjQkovZFlmcDM2OUNYaHZx
+            WDRSdDZRa1lIbEVTdDlhU1dwUXUzQTgK5iE4Cf/zjsPYHKcqYA0rFqY0TNcCnzNU
+            vTM+cEPaA+/FXTwLfPpaiSkg5Fq8k2XdeMQsjQnglTBSWCwAJin27g==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-04-20T23:41:59Z"
     mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
     pgp:
-        - created_at: "2024-04-20T23:15:17Z"
+        - created_at: "2024-08-04T00:03:54Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+LSTWjii2dblTAkuqHan3uuuRRpt1ppmHEgHYkQZD+RzE
-            g+ljNaM/BPqci7Kr1NHFDw+cU2MYm/40Tz63l1cvfE3NEoVefsmoA5voNI3G/bx/
-            LTAe2aacPwO/TNoLtrCgRkzNyKXluUkM9OoIvkvB5DEGjYbe82+gI5Zi+NbW9N/p
-            5ilr9Cc1jvIivjZMGGPLRgkAc/twOOuyrZlsFd9kddAL9YFO7wpd/dko886y1jE5
-            jz9n9F4SKYOcgLPqZuG1iZ8qaA2zGT2bP2caai/QJAmL90stQCiRWtQgB8KeWugm
-            nRFBm5BLamtoqjXXwzdtXGKbFAhvL5/h+kPxnJDjylfFVbgCpoWJ/fxdE5xxxZtq
-            zCcGCQQsaa85eWkBByhu7TdwyAW7bJCm8z6kfFPGqhNDkS8ifxnEWm6ulgYVokiL
-            WVBvuQCd1s8KSExs6zNWGcGlqgvcbovHXyVlmLeqZfBA7i/vYqksZtBT47rG7nCS
-            YGfHy69yVrMdj4KrLuMXNfjtS92hkQqWmCyl5X5zOSJXqEL2dorMzSZn89gK4nL4
-            V4zOKkKtsj2MqynYn/XAoUf3AfYs2wtRhJiU+r/q+rx9Hx31H8mnUuUerT58yQCY
-            mAkjIhTzvZcWIalQo7xnZhos4p1IYaA7MAuGC6HxuWVaOsyiFkRaKwB9svWyZ/DS
-            XAFID3fQ1xfNyYsW8nvXQmvZubnhE+dAQPaiAFP9ujY4RVXWBFOrV6NAs7y/LID/
-            89lpfWN87JWSJWUk6DCD3AQ+1GiBCFy7uswUJkG4zou1RQBSl7X88ziVDILU
-            =tXkN
+            hQIMA0av/duuklWYARAAs0o2EHlphoU4JcO5fhmplhmHQp7GXjaUc5zakGACrl0w
+            0NVVLXf3hlb3saPgbRkf+ugVXd5dRDYfa3vbIDKpQwHVLSNVrVb7M8eIc0RXM41q
+            MqpueXLo6YfxbgOvsfNlgCvDFgMoBMVv/rWz0QGTj8VCvD5AkxiLQJxZ8TnlKn0w
+            NF6yQ7LCGgKVU8YHpKYjPmmDU/VegRYVe6wz4ackk0MZ5ITSFXF4qOG93Uj2SZfe
+            ocpPYZ9BrOnxzCYd9ZS1yUmMRLRC61l66oG1hGrBTN7fcmHZaycCdcvABWOB/fxJ
+            940zMb5NYK6whToCWY++m3I6123k+/vLJe+3NoFc/wYdvpnxVqLZqijxYPZZkbRN
+            gCtRE67AFWny0VQ2k1CGzBGbRAxM2EtIfDlbNgMUNBNuGST4tgxApp5QEa1yecHC
+            mr3jDhR8UuFdIrq2sTz/uMUptTrsB3oaZmfuZ47pCVHtDNc2ri4U1gsI6oI03utO
+            u/q6nMHiJlf8HUwI59GemBaHTiMgzKl0REAoV3SpdfjWSDZiro42au6E20M1dgup
+            rQG8Gz33QnIHg5ezEHcTSeHk3SgMTbAqQy7/aD3pqI6wEgXqU2neDFZEkNu4FnzD
+            ofnm1oAGnbOIH2+SFtd33hDe/2nuFBo3CYEyz/fezhbMwCwoA4Iwd7FBQW4ideXS
+            XAGU2gt1hdPfgMQ55GeRI01C2dqiLQOpvTHy2uBl9ekPtSw2Ws27hVhdHvU7B5ZG
+            Jr388jC5d5dKGNv1I8nVNlfmPvb4hwGazrHdCYiQdwrpggajFtWD/LIgUcW2
+            =aK5J
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/jokum/jokum.yaml

@@ -19,51 +19,78 @@ sops:
         - recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXY29wUXJnMURlWk4rUTRh
-            alZsb0xSTlI2MFFTb3B4dzhDT2l5M1pLMWg4CkgzT1h0VHBMTTNhRTJRNEZLWWlk
-            dyt0aCt0c3NTR1ovS1FIM1VBTW9Ha0kKLS0tIHN0eDNqbzJXQUZFcTFGaFEyME5t
-            djJpWDlRNGhGemZXR0tMc0RhYVZpMWcKG/Airf45TgfJ82vPfXxMLtRRLPvZR/Iu
-            teoToXtddxFVY675nFy0gfq9P21qHJ7MvTYwVBhQAT/TitTZ/q2u9A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmLzAzMzNCdGxSMVdiNUVK
+            SFlJeTEyRW5SenQrMnFGZEJ5TGJxNDIvSmhzCkdBUnYvNDVxZ1ZNSkYxanZQY3Iw
+            akhuK01haFVRTUlKcjloVU9QVmhldGMKLS0tIDZmMjk1WlNNYUFXN2pWQ0oxRjRv
+            bzFmcnJUaUJmU2pCZTRnRTZZZHVkQnMKrKLbYFE2+0rj5BUchhYtWghzbRJTFDaY
+            +RQpJC+5gSinmUuP3nMGR2bv+gL9v/EOJKeVrC7/sZM9mQeXI36CUg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxQnlmMVE1aDRycXNmclk4
-            OWgyQzhDdzJrdlEvL2NzeURoa3hZa3lEMzJJCk11ai90L0ZGd3U2VUhHdm1mQ1VC
-            eCt0WjVKVEt0N0tkRHl1QW4vRWdtMG8KLS0tIEVjVER2QXlIbnZXQUNONzlGbnRl
-            dDZ4RGFqaktTZ05yNjhqUlhqQmpBcncKTSSe5rZhV/+tsgk3xlV7nEphS8qhxucz
-            0O1J0U8FEdyfrwF2AOobsf4YIgtTrb20gyXsTdPwIbsQToJ+YqVAgQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtU0xjY0NEelJvaFJEdjl0
+            YVVDYXFxbFg4d241ZjdRRjZVM1lJd0R3NldJCjJQRW9EOGMrcHRUNlRhNEJ3cWhS
+            UWlycHYvaXA4TkxEVjZ1QThQUTlrcjAKLS0tIHNXWk1mQWJFcmU1Qmp4a3YrRngy
+            LzZ3bU1nd0FLa0hNR25CY0hzNS9GZjQKRoRMDXESUtwRGDat2gJ9Fjqy/m6FThzk
+            k6byBSt605skrUd2YQZ+JF9cUs6p9y9Fm6t+HfK/kHQ7jchiS3ZLmQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxeDVwdHEvUk1JTW9FSkx2
-            VmlxejM0ZkJmZ3JkemQ2cnkvenY2ZmRJRFZzCmFHbUJzZ0VjYWZuelZHei9SWUo2
-            bjhPSUNrRW5JTWhVWnRzOU9sY25BMlEKLS0tIDF3M3ZFei9qczdDaGVsV0hrTWVU
-            NktTc2Y4ZDV4VGlza1FVdXBQUUVPZUkKYs9b4a+yAzI5kpv0X5/Ogg8sH0zdTim7
-            fXnkXZfAJ9oL/0qjVzFZA3j5aQX0xKMffSE/SFcQxUY2sISnwh1Tfw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSjFQb0I4eHlhL0NMN1ZF
+            WldhZ2ZiTTZDMXM3aXgxeHUyZm43dmVVNlFvCnQzd0VYdVd1azB4dlJkdDd3bE0r
+            VHlwMFZzaUhkVzhhanl4cWxGWUlDWFEKLS0tIFdWck9qVVRoTWZsK2RNYzF2WEhN
+            eFpOY1UzWHpYb3p4eDNRU1VSdnJyZ0UKrF9vihQPmmv4nrDf+tPAssfZLNJbdK1L
+            N4IlFTUPchiPW1ss22bjtiooekHAuP4ygePYLKlKEi3w1SsKa9REGg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZEhYTVRBWVJkYndjOEZq
+            WlF1UCtJN3Uwb0FNdHJITTdiTXZVRWQyUFh3CkJOOHRHSHhXdW5uTEhVeTFHWWNi
+            QTd1cW5YTkFJZTRaN2RaMnRKQi93T1UKLS0tIEwzSnVleWduTkRhMnduNVFEMjFL
+            NmVHOFd6eVhXdTQ3RE1adkhUaHB3TVEKPFmS1njkM6FPToIKML396vfM3T39co/v
+            mvyOUCq921mTIzlPfVpfpXd9pmiyMKi/spDS4xZ2nFLyHMhXMKW20A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXbDVRaU9pTkROV0VoNm5p
+            VUhsenhxR1cyTFZVeDJZd1gvVUx6TXdQY3hzCnBwUDZmaE5FdFdVODZFN0lxbTdB
+            dXRBVHpUak00RnZBRUpGeFRuajhZK2cKLS0tIGRaODBlM1FnRU5iV0RrWDlEMHUr
+            U3AybkRZV2EzVjE1QktEcjdwNG00dXcKnWaJwHyA4Q5RFgOWg3wbPwL4E8Mgijph
+            wCuujSzIUMGBqIBzr6ADbQ38lnUSKjGz8EQyrIa4/vILXzuJ/44SbQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ3RYV2tYVy9ubFQ2cTg3
+            L0xqNlcycHZiU2hlRGxmd05EZldMa0xMWENzCkhHdmR0dVRYMjZkdit0Mjc4dy9X
+            ZEtLY3hrbUZjaXpCdHBhVm9wZkJ0WlUKLS0tIHdsNHhNSEZVSHRuWE9tOXdoY3ZK
+            Ti9TOVhUWVdsVmw2U2ZvazVKajJSRTAKnAxtMLh5U4xL3UsLehdo2JMBRcX9Vy+X
+            oWlgVviORYtHaaU7Y9MFTmhV3OS+He38wX0l4NZOI0d8mZ/6uJ1JMA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2023-02-13T00:12:03Z"
     mac: ENC[AES256_GCM,data:FolV94dIwYSL5r1ZHTPdmqMKVTAhrnePG+5M4S1H/wBYbED3sr6oPPmmxwiwm5E4K0YR1+ou4yR/vGTV3lfRdxIGWhfAT0WW8WGTZVIlcJCEk5H7Rels6rkma12BCjZ1zOGjZZCcFTm+4NI2KNv+zTc29zry4539jkkxk+8Skog=,iv:KBxSFVaFI3S5J9xG2Lc7FINUI8TRKxPtrbP3f2wXkHo=,tag:TWAtix03ZnB71+O7cF8b4A==,type:str]
     pgp:
-        - created_at: "2023-03-26T11:12:37Z"
-          enc: |
+        - created_at: "2024-08-04T00:04:00Z"
+          enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/9GHLOAfLgTqVmfJACvt9xMqlzfrXyiACTJg+J5BD8hEtn
-            oe2clo/fO9u6df42hk/szQTQH4rJULdxvUNiBzYS0XbWCa+iWzpiOPN+bQZKoV3X
-            U4sFrHMT0ledUg62rlTbOmqpvLivoP6//DEqHAWl2weUvpplBRFzTFwICo+2+Jjo
-            18dzdYyBa5sxJ/KZKUoNsxRaCFgXs5L6qTuqzmZpnhnH1pKNW3D6e6Hfb0BmebUy
-            wt5NgxWJ/4dHFK84i93E1vxPbSusvQ++6JCSWgZtOwZJehnz5AeHgdDBzcHeJY8O
-            Idq+QrvRsqjisDNvd7blmBleup1Ai0l/CzEtTEYd/h/QipaT1rVaPOP4H/lnHZmO
-            f0HWGxhPCDfiuLK43DBExrj1QUq4LVUZf145fRGMWZfHtlzHM+4dY+/ijyUi7pFY
-            cenrE3/Iz8gaUWqRdaYqK/O/vrHq/siUS8IiWY53ALUF+DlBMuRrtc76T/fkSKbR
-            LuO7MnOnNyBy5HT+MQii1Tat7ODtPXlky+N5leVQQVAUMHrI6ETWAQlctBjDZXyT
-            UzXh8WVT+pijxNYDqUVMJ4d43AuHKayf2m0PftOZv+Q8n5ZqwUoQN6WbpsLvDFTU
-            4XweZaChhoq4K68o6vpOb5b7x+vlisiL2j+kYAgMjlWk1vkDY/GsHY8USi0Rj17S
-            XAGAULPvLDP+ohieT6dP2xLvzu4ghrySCTF6LjQ9sN2gHWfcV2FVw+anA3mxOLGK
-            P4hOgPPfiP/0O9H0KSHq0gXjhBkackFVAOPixvSAJdvkooVW+PisHjl59Jd6
-            =exZj
+            hQIMA0av/duuklWYAQ//QIfxaAOVl0QStvZe6irI0GHS8+7EExn88dP1QdMnVijv
+            W/IiVffs/Bb0t0hcNFY3SaU4ea+zOT5bdMOlQGA383hTYvwXXdI+uSFmn3hrysZS
+            eY7394Z9c8jubEDXfJOHTt0mbpfzOglZjiCcQYnZlhkgOzilDXMCjVsjVvuAN0bz
+            MFN/DjC50fIdlaeWe7h7NgK3Mu9j39tUrgDCGn2YlCycxcpPz8+83Ge8bOnyskZs
+            P/04wfkOGSrwb1ingxHjZP9lR2NABdqOqSBzC+x7EQs6xNAmC4XayeTnASBDYp8B
+            +H/3Hiv1nWtS//PQr/5+KHR1/iLaSNI2fUAUFimIwEQTU1vpMaV2tVmJtpmSQRAg
+            MpwljVoCSWvhmU4oZU8ObTjcMy58YfWHIOcIN2HHgWBVdITve3sca6J1VHs0rWFm
+            4tqPElsfa59WPy3HKLGg8pPahoBlj4X1PGJVHxXBMJsPnbX0gg6V7ajQaVdOsJAF
+            LMgAel7eNq0KBzk/rrVRoV5ii2lipUtKmb+FKTXKvSnwgqhVNkRppsl9BqgeXvTR
+            P7AsKnNgQBydz9vDTkDOuspyTluDmhXkwNQyhjH0enPAyeQWN2qs/A8qgmfdTXff
+            TzvlfOEy/6r4zl7V+L+qcw0pYrzi5K2CtemN8TlGhRvAYgiURY/78kD6EGrjMLLS
+            XAHBQn0q8dYgKf2uA0JcfNehgpI5fr3gZxQFKhnuXkXRa5h9hMn1mzdhtO4VyN1e
+            d8eL57iFeApC9SAmAGMOz0DBbskD470qnYObUliViWQpcj2VR6W4BwZG28QX
+            =iviy
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

shell.nix

@@ -1,9 +1,14 @@
 { pkgs ? import <nixpkgs> {} }:
-pkgs.mkShell {
-  nativeBuildInputs = with pkgs; [
+pkgs.mkShellNoCC {
+  packages = with pkgs; [
+    just
+    jq
+    gum
     sops
     gnupg
+    statix
     openstackclient
+    editorconfig-checker
   ];
 
   shellHook = ''

statix.toml

@@ -0,0 +1,24 @@
+ignore = [".direnv"]
+nix_version = '2.18' # '2.4'
+disabled = [
+    # "bool_comparison", # W01
+    # "empty_let_in", # W02
+    "manual_inherit", # W03
+    "manual_inherit_from", # W04
+    # "legacy_let_syntax", # W05
+    "collapsible_let_in", # W06
+    # "eta_reduction", # W07
+    # "useless_parens", # W08
+    "empty_pattern", # W10
+    # "redundant_pattern_bind", # W11
+    # "unquoted_uri", # W12
+    # "deprecated_is_null", # W13
+    # "empty_inherit", # W14
+    # "faster_groupby", # W15
+    # "faster_zipattrswith", # W16
+    # "deprecated_to_path", # W17
+    # "bool_simplification", # W18
+    # "useless_has_attr", # W19
+    "repeated_keys", # W20
+    "empty_list_concat", # W23
+]

users/amalieem.nix

@@ -3,10 +3,10 @@
 {
   users.users.amalieem = {
     isNormalUser = true;
-    extraGroups = [ "wheel" ]; 
+    extraGroups = [ "wheel" ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
     ];
   };
-}
+}

users/jonmro.nix

@@ -3,7 +3,7 @@
 {
   users.users.jonmro = {
     isNormalUser = true;
-    extraGroups = [ "wheel" "drift" "nix-builder-users" ]; 
+    extraGroups = [ "wheel" "drift" "nix-builder-users" ];
     shell = pkgs.zsh;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"

users/pederbs.nix

@@ -0,0 +1,37 @@
+{ pkgs, ... }:
+{
+  users.users.pederbs = {
+    isNormalUser = true;
+    description = "kul kis";
+    extraGroups = [
+      "wheel"
+      "drift"
+      "nix-builder-users"
+    ];
+
+    packages = with pkgs; [
+      atool
+      bat
+      edir
+      fd
+      htop
+      jq
+      micro
+      ncdu
+      ripgrep
+      sd
+      tmux
+      wget
+      xe
+      yq
+    ];
+
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+qv5MogWwOgctQfQeHxUHF2ij6UA8BR4DLXtZClnw6A1CtOjAtZeAW62C8q9OKaIKDO0hqd2vLBkgEno4smqBDJ2ThwKuXrhiHqJzCkXZqIKKx79mpTo7aRpFgkJ7328Ee+tbqa65coL98WRhLnDg69NDaOfSCmH85/D0kuyTG7mYIMdBtFXB/IU0QC9USCSGcUGSnQAEx8S0vaXL7JP043kfEfeqwsea598qX+LFa2UfGwgLBpiWi4QEfYy6fviz2TFkbRYKQImybidzUHZkljjPupqu8U4dIx/jsJM/vew717xZPCU0ZCho77TIU+bYSitD5mjnzuD7LrAdbFgnhkD2sQlD/hUW40kPVT/Tq3DrpDRKC9tniiTaIQV1Pe0k82XwYrvV/hTl8T1ed6TuzhmUggqowAbJRbaBIa1zI672AFFQM8OBIN59ZlLy3V2RZW4fvQk2/xMRdVBT0W5Upx+9rCbH9LCGWL8gNNA/PRJ0L9Ts6cq8kf4tFhFQQrk= pbsds@bjarte"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCo5/9uHIKhhpVbcLSKslj9wdBiV4YaY/tydTfypNZBMMP2U54640t8JvHHkxCZRur8AqYupellxAqkmKn516Ut0WvfQcNgF7ieI66JHkK1j7kSFHHG1nkJHslwCh2PeYtfx5zHZZq8X9v/UjVGY182BC4BHC5zixmNiUvvc+N24BRT4NwslFmMYVcTdoNBSJXPgte4uUd+FZrAnHQrjYdJVANgI4i1d11mxlDFgJrPJj30KaIDxHAsAWgCEqGLMDO9N1cpGGbXVeXfoGvv+vdCXgbyA8BK7wWwXvy5HlvhpEJo8g84r6uKMMkEf+K1MpTiaNjdu+7/sKD/ZOyDB4RgCBs0DskouWRi+xfxABaKBj6706Z3hpj+GfpuSXrHKgGYXIL4cZHaAlz8GVsN1mUL4eJ12Sk14Od2QUHbzp7TDz5eaWuczPs5W9qXwNDMZcmBBZ3mkt9ZYPvAPRjeLpAKhhA9xPL3hbob5hhAENTWsFRFJEgpm8l362XFIOLHr/M= pbsds@rocm"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDpuDBMll1viLKd/wm1lCy9iozyKeXMBHDwhdJOpeRLe pbsds@nord"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOm2UFDD+qsnKvlBBZ/nhBqY9yeLewwF/bexD2SUL7E3 pbsds@sopp"
+      #"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILocbYCqu63RT2+mE0l+ZWWw9RVHNcydtLXbLklg6oPe pederbs@pvv"
+    ];
+  };
+}

values.nix

@@ -30,11 +30,10 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "10.212.25.209";
-      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
-
-      ipv4_global = "129.241.153.213";
-      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
+      ipv4 = "129.241.153.213";
+      ipv4_internal = "192.168.12.209";
+      ipv4_internal_gw = "192.168.12.1";
+      ipv6 = "2001:700:300:6026:f816:3eff:fe58:f1e8";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;
@@ -66,11 +65,11 @@ in rec {
   };
 
   defaultNetworkConfig = {
-    networkConfig.IPv6AcceptRA = "no";
-    gateway = [ hosts.gateway ];
-    dns = [ "129.241.0.200" "129.241.0.201" ];
+    dns = [ "129.241.0.200" "129.241.0.201" "2001:700:300:1900::200" "2001:700:300:1900::201" ];
     domains = [ "pvv.ntnu.no" "pvv.org" ];
+    gateway = [ hosts.gateway ];
+
+    networkConfig.IPv6AcceptRA = "no";
     DHCP = "no";
   };
-
 }