bekkalokk: remove keycloak

2024-04-10 23:40:02 +02:00
27 changed files with 252 additions and 362 deletions
--- a/base.nix
+++ b/base.nix
@ -88,46 +88,17 @@

  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];

-  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
+  environment.snakeoil-certs = lib.mkIf (config.services.nginx.enable) {
    "/etc/certs/nginx" = {
      owner = "nginx";
      group = "nginx";
    };
  };

-  services.nginx = {
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes auto;
-      worker_rlimit_nofile 100000;
-    '';
-    eventsConfig = ''
-      worker_connections 2048;
-      use epoll;
-      multi_accept on;
-    '';
-  };
-
-  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
-    LimitNOFILE = 65536;
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
+  services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
    sslCertificate = "/etc/certs/nginx.crt";
    sslCertificateKey = "/etc/certs/nginx.key";
    addSSL = true;
    extraConfig = "return 444;";
  };
-
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
 }
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1712798444,
-        "narHash": "sha256-aAksVB7zMfBQTz0q2Lw3o78HM3Bg2FRziX2D6qnh+sk=",
+        "lastModified": 1710169806,
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "a297cb1cb0337ee10a7a0f9517954501d8f6f74d",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
        "type": "github"
      },
      "original": {
@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1712875951,
-        "narHash": "sha256-4kcRd2Q2XM4r+U2zp+LADjrzazKpWvs0WrMKPktEEkc=",
+        "lastModified": 1696346665,
+        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz",
-        "rev": "9eaba26b1671e8810cb135997c867ac3550e685a",
+        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
        "type": "github"
      },
      "original": {
@ -47,11 +47,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1711853301,
-        "narHash": "sha256-KxRNyW/fgq690bt3B+Nz4EKLoubybcuASYyMa41bAPE=",
+        "lastModified": 1693864994,
+        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
        "owner": "Programvareverkstedet",
        "repo": "grzegorz-clients",
-        "rev": "c38f2f22a6d47ae2da015351a45d13cbc1eb48e4",
+        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
        "type": "github"
      },
      "original": {
@ -102,11 +102,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1712848736,
-        "narHash": "sha256-CzZwhqyLlebljv1zFS2KWVH/3byHND0LfaO1jKsGuVo=",
+        "lastModified": 1710248792,
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1d6a23f11e44d0fb64b3237569b87658a9eb5643",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
        "type": "github"
      },
      "original": {
@ -117,11 +117,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1712437997,
-        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
+        "lastModified": 1710033658,
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
        "type": "github"
      },
      "original": {
@ -133,11 +133,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1712837137,
-        "narHash": "sha256-9joaU/GD35J9Utb0ipelQbOcvsw5eoYTmSarLV3MbNk=",
+        "lastModified": 1710247538,
+        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "681d4a87b26b1dcaae7ffe6cf88c9912c575415f",
+        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
        "type": "github"
      },
      "original": {
@ -166,26 +166,6 @@
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      }
    },
-    "pvv-nettsiden": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1712834399,
-        "narHash": "sha256-deNJvqboPk3bEoRZ/FyZnxscsf2BpS3/52JM4qXCNSA=",
-        "ref": "refs/heads/master",
-        "rev": "216e153f89f1dbdc4c98a7c1db2a40e52becc901",
-        "revCount": 451,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
-      }
-    },
    "root": {
      "inputs": {
        "disko": "disko",
@ -196,7 +176,6 @@
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "pvv-calendar-bot": "pvv-calendar-bot",
-        "pvv-nettsiden": "pvv-nettsiden",
        "sops-nix": "sops-nix"
      }
    },
@ -208,11 +187,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1712617241,
-        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -11,9 +11,6 @@
    disko.url = "github:nix-community/disko";
    disko.inputs.nixpkgs.follows = "nixpkgs";

-    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
-    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
-
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";

@ -29,7 +26,7 @@
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ... }@inputs:
  let
    nixlib = nixpkgs.lib;
    systems = [
@ -64,11 +61,7 @@

          pkgs = import nixpkgs {
            inherit system;
-            overlays = [
-              (import ./overlays/nginx-test.nix
-                (builtins.attrNames self.nixosConfigurations.${name}.config.security.acme.certs)
-              )
-            ] ++ config.overlays or [ ];
+            overlays = [ ] ++ config.overlays or [ ];
          };
        }
        (removeAttrs config [ "modules" "overlays" ])
@ -94,11 +87,9 @@
            simplesamlphp = final.callPackage ./packages/simplesamlphp { };
          })
          inputs.nix-gitea-themes.overlays.default
-          inputs.pvv-nettsiden.overlays.default
        ];
        modules = [
          inputs.nix-gitea-themes.nixosModules.default
-          inputs.pvv-nettsiden.nixosModules.default
        ];
      };
      bob = stableNixosConfig "bob" {
@ -142,7 +133,7 @@

        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };

-        # mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
+        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
      } // nixlib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
    };
--- a/hosts/bekkalokk/configuration.nix
+++ b/hosts/bekkalokk/configuration.nix
@ -6,8 +6,9 @@
    ../../base.nix
    ../../misc/metrics-exporters.nix

-    ./services/website
-    ./services/nginx.nix
+    # TODO: set up authentication for the following:
+    # ./services/website.nix
+    ./services/nginx
    ./services/gitea/default.nix
    ./services/kerberos
    ./services/webmail
@ -23,6 +24,8 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

+  virtualisation.podman.enable = true;
+
  networking.hostName = "bekkalokk";

  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
--- a/hosts/bekkalokk/services/gitea/ci.nix
+++ b/hosts/bekkalokk/services/gitea/ci.nix
@ -27,5 +27,4 @@ lib.mkMerge [
  (mkRunner "alpha")
  (mkRunner "beta")
  (mkRunner "epsilon")
-  { virtualisation.podman.enable = true; }
 ]
--- a/hosts/bekkalokk/services/gitea/default.nix
+++ b/hosts/bekkalokk/services/gitea/default.nix
@ -59,9 +59,9 @@ in {
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
-    kTLS = true;
    locations."/" = {
      proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+      recommendedProxySettings = true;
      extraConfig = ''
        client_max_body_size 512M;
      '';
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@ -22,7 +22,7 @@ let
      # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
      "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
        <?php
-	  $metadata['https://idp.pvv.ntnu.no/'] = array(
+	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
 	    'host' => '__DEFAULT__',
 	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
 	    'certificate' => '${./idp.crt}',
@ -89,7 +89,7 @@ let
          --replace '$SAML_ADMIN_NAME' '"Drift"' \
          --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
          --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
          --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
          --replace '$SAML_DATABASE_USERNAME' '"idp"' \
          --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
@ -177,10 +177,9 @@ in
      };
    };

-    services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
+    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
      forceSSL = true;
      enableACME = true;
-      kTLS = true;
      root = "${package}/share/php/simplesamlphp/public";
      locations =  {
        # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@ -198,10 +197,6 @@ in
            }
          '';
        };
-        "^~ /simplesaml/".extraConfig = ''
-	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
-	  return 404;
-	'';
      };
    };
  };
--- a/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix
@ -1,18 +1,18 @@
 ''
  <?php
-  $metadata['https://idp.pvv.ntnu.no/'] = [
+  $metadata['https://idp2.pvv.ntnu.no/'] = [
      'metadata-set' => 'saml20-idp-hosted',
-      'entityid' => 'https://idp.pvv.ntnu.no/',
+      'entityid' => 'https://idp2.pvv.ntnu.no/',
      'SingleSignOnService' => [
          [
              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
          ],
      ],
      'SingleLogoutService' => [
          [
              'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
          ],
      ],
      'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@ -152,7 +152,6 @@ in {
  users.groups.mediawiki.members = [ "nginx" ];

  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
-    kTLS = true;
    forceSSL = true;
    enableACME = true;
    locations =  {
--- a/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php
+++ b/hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php
@ -6,6 +6,6 @@ $config = array(
    'default-sp' => array(
        'saml:SP',
        'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
-        'idp' => 'https://idp.pvv.ntnu.no/',
+        'idp' => 'https://idp2.pvv.ntnu.no/',
    ),
 );
--- a/hosts/bekkalokk/services/nginx.nix
+++ b/hosts/bekkalokk/services/nginx.nix
@ -1,4 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.nginx.enable = true;
-}
--- a/hosts/bekkalokk/services/nginx/default.nix
+++ b/hosts/bekkalokk/services/nginx/default.nix
@ -0,0 +1,22 @@
+{ pkgs, config, ... }:
+{
+  imports = [
+    ./ingress.nix
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/hosts/bekkalokk/services/nginx/ingress.nix
+++ b/hosts/bekkalokk/services/nginx/ingress.nix
@ -0,0 +1,55 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts = {
+    "www2.pvv.ntnu.no" = {
+      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
+      addSSL = true;
+      enableACME = true;
+
+      locations = {
+        # Proxy home directories
+        "/~" = {
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_pass https://tom.pvv.ntnu.no;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        # Redirect old wiki entries
+        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
+        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
+        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
+        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
+        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
+        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
+        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
+        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
+        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
+        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
+        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
+        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
+
+        # TODO: Redirect webmail
+        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
+
+        # Redirect everything else to the main website
+        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
+
+        # Proxy the matrix well-known files
+        # Host has be set before proxy_pass
+        # The header must be set so nginx on the other side routes it to the right place
+        "/.well-known/matrix/" = {
+          extraConfig = ''
+            proxy_set_header Host matrix.pvv.ntnu.no;
+            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          '';
+        };
+      };
+    };
+  };
+}
+
--- a/hosts/bekkalokk/services/webmail/default.nix
+++ b/hosts/bekkalokk/services/webmail/default.nix
@ -4,15 +4,12 @@
    ./roundcube.nix
  ];

-  services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
-    kTLS = true;
-    locations = {
-      "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/rainloop".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+    #locations."/" = lib.mkForce { };
+    locations."= /" = {
+      return = "301 https://www.pvv.ntnu.no/mail/";
    };
  };
 }
--- a/hosts/bekkalokk/services/webmail/roundcube.nix
+++ b/hosts/bekkalokk/services/webmail/roundcube.nix
@ -3,7 +3,7 @@
 with lib;
 let
  cfg = config.services.roundcube;
-  domain = "webmail.pvv.ntnu.no";
+  domain = "webmail2.pvv.ntnu.no";
 in 
 {
  services.roundcube = {
@ -35,7 +35,6 @@ in
  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };

  services.nginx.virtualHosts.${domain} = {
-    kTLS = true;
    locations."/roundcube" = {
      tryFiles = "$uri $uri/ =404";
      index = "index.php";
--- a/hosts/bekkalokk/services/website.nix
+++ b/hosts/bekkalokk/services/website.nix
@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}
--- a/hosts/bekkalokk/services/website/default.nix
+++ b/hosts/bekkalokk/services/website/default.nix
@ -1,126 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  format = pkgs.formats.php { };
-  cfg = config.services.pvv-nettsiden;
-in {
-  imports = [
-    ./fetch-gallery.nix
-  ];
-
-  sops.secrets = lib.genAttrs [
-    "nettsiden/door_secret"
-    "nettsiden/mysql_password"
-    "nettsiden/simplesamlphp/admin_password"
-    "nettsiden/simplesamlphp/cookie_salt"
-  ] (_: {
-    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
-    group = config.services.phpfpm.pools.pvv-nettsiden.group;
-    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
-  });
-
-  services.idp.sp-remote-metadata = [ "https://${cfg.domainName}/simplesaml/" ];
-
-  services.pvv-nettsiden = {
-    enable = true;
-
-    package = pkgs.pvv-nettsiden.override {
-      extra_files = {
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
-          <?php
-          $config = array(
-              'admin' => array(
-                'core:AdminPassword'
-              ),
-              'default-sp' => array(
-                  'saml:SP',
-                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
-                  'idp' => 'https://idp.pvv.ntnu.no/',
-              ),
-          );
-	'';
-      };
-    };
-
-    domainName = "www.pvv.ntnu.no";
-
-    settings = let
-      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
-    in {
-      DOOR_SECRET = includeFromSops "door_secret";
-
-      DB = {
-        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
-        USER = "www-data_nettsi";
-        PASS = includeFromSops "mysql_password";
-      };
-
-      # TODO: set up postgres session for simplesamlphp
-      SAML = {
-        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
-        COOKIE_SECURE = true;
-        ADMIN_NAME = "PVV Drift";
-        ADMIN_EMAIL = "drift@pvv.ntnu.no";
-        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
-        TRUSTED_DOMAINS = [ cfg.domainName ];
-      };
-    };
-  };
-
-  services.phpfpm.pools."pvv-nettsiden".settings = {
-    # "php_admin_value[error_log]" = "stderr";
-    "php_admin_flag[log_errors]" = true;
-    "catch_workers_output" = true;
-  };
-
-  services.nginx.virtualHosts.${cfg.domainName} = {
-    serverAliases = [
-      "pvv.ntnu.no"
-      "www.pvv.org"
-      "pvv.org"
-    ];
-
-    locations = {
-      # Proxy home directories
-      "^~ /~" = {
-        extraConfig = ''
-          proxy_redirect off;
-          proxy_pass https://tom.pvv.ntnu.no;
-          proxy_set_header Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-        '';
-      };
-
-      # Redirect the old webmail/wiki paths from spikkjeposche
-      "^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
-      "~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
-      "= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
-
-      # Redirect old wiki entries
-      "/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
-      "/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
-      "/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
-      "/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
-      "/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
-      "/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
-      "/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
-      "/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
-      "/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
-      "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
-      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
-      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
-
-      # Proxy the matrix well-known files
-      # Host has be set before proxy_pass
-      # The header must be set so nginx on the other side routes it to the right place
-      "^~ /.well-known/matrix/" = {
-        extraConfig = ''
-          proxy_set_header Host matrix.pvv.ntnu.no;
-          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-        '';
-      };
-    };
-  };
-}
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@ -1,67 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
-  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
-in {
-  users.users.${config.services.pvv-nettsiden.user} = {
-    useDefaultShell = true;
-
-    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
-    ];
-  };
-
-  systemd.paths.pvv-nettsiden-gallery-update = {
-    wantedBy = [ "multi-user.target" ];
-    pathConfig = {
-      PathChanged = "${transferDir}/gallery.tar.gz";
-      Unit = "pvv-nettsiden-gallery-update.service";
-      MakeDirectory = true;
-    };
-  };
-
-  systemd.services.pvv-nettsiden-gallery-update = {
-    path = with pkgs; [ imagemagick gnutar gzip ];
-
-    script = ''
-      tar ${lib.cli.toGNUCommandLineShell {} {
-        extract = true;
-        file = "${transferDir}/gallery.tar.gz";
-        directory = ".";
-      }}
-
-      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
-      while IFS= read fname; do
-        rm -f "$fname" ||:
-        rm -f ".thumbnails/$fname.png" ||:
-      done <<< "$filesToRemove"
-
-      find . -type d -empty -delete
-
-      mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
-
-      while IFS= read fname; do
-        # Skip this file if an up-to-date thumbnail already exists
-        if [ -f ".thumbnails/$fname.png" ] && \
-           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
-        then
-          continue
-        fi
-
-        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
-        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
-	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
-      done <<< "$images"
-    '';
-
-    serviceConfig = {
-      WorkingDirectory = galleryDir;
-      User = config.services.pvv-nettsiden.user;
-      Group = config.services.pvv-nettsiden.group;
-    };
-  };
-}
--- a/hosts/bicep/services/matrix/element.nix
+++ b/hosts/bicep/services/matrix/element.nix
@ -5,7 +5,6 @@ in {
  services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
-    kTLS = true;

    root = pkgs.element-web.override {
      conf = {
--- a/hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py
+++ b/hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py
@ -7,9 +7,6 @@ from synapse import module_api

 import re

-import logging
-logger = logging.getLogger(__name__)
-
 class SMTPAuthProvider:
    def __init__(self, config: dict, api: module_api):
        self.api = api
@ -46,13 +43,8 @@ class SMTPAuthProvider:

        if result == True:
            userid = self.api.get_qualified_user_id(username)
-
-            userid = await self.api.check_user_exists(userid)
-            if not userid:
-                logger.info(f"user did not exist, registering {username}")
-                userid = await self.api.register_user(username)
-                logger.info(f"registered userid: {userid}")
+            if not self.api.check_user_exists(userid):
+                self.api.register_user(username)
            return (userid, None)
        else:
-            logger.info("returning None")
            return None
--- a/hosts/bicep/services/matrix/synapse.nix
+++ b/hosts/bicep/services/matrix/synapse.nix
@ -134,6 +134,80 @@ in {
        "129.241.0.0/16"
        "2001:700:300::/44"
      ];
+
+      saml2_config = {
+        sp_config.metadata.remote = [
+          { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
+        ];
+
+        description = [ "Matrix Synapse SP" "en" ];
+        name = [ "Matrix Synapse SP" "en" ];
+
+        ui_info = {
+          display_name = [
+            {
+              lang = "en";
+              text = "PVV Matrix login";
+            }
+          ];
+          description = [
+            {
+              lang = "en";
+              text = "Matrix is a modern free and open federated chat protocol";
+            }
+          ];
+          #information_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          #privacy_statement_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          keywords = [
+            {
+              lang = "en";
+              text = [ "Matrix" "Element" ];
+            }
+          ];
+          #logo = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #    width = "";
+          #    height = "";
+          #  }
+          #];
+        };
+
+        organization = {
+          name = "Programvareverkstedet";
+          display_name = [ "Programvareverkstedet" "en" ];
+          url = "https://www.pvv.ntnu.no";
+        };
+        contact_person = [
+          { given_name = "Drift";
+            sur_name = "King";
+            email_adress = [ "drift@pvv.ntnu.no" ];
+            contact_type = "technical";
+          }
+        ];
+
+        user_mapping_provider = {
+          config = {
+            mxid_source_attribute =  "uid"; # What is this supposed to be?
+            mxid_mapping = "hexencode";
+          };
+        };
+
+        #attribute_requirements = [
+        #  {attribute = "userGroup"; value = "medlem";} # Do we have this?
+        #];
+      };
    };
  };

@ -143,9 +217,6 @@ in {
  services.redis.servers."".enable = true;
  
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
-    kTLS = true;
-  })
  ({
    locations."/.well-known/matrix/server" = {
      return = ''
--- a/hosts/bicep/services/nginx/default.nix
+++ b/hosts/bicep/services/nginx/default.nix
@ -1,8 +1,15 @@
 { config, values, ... }:
 {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "danio@pvv.ntnu.no";
+  };
+
  services.nginx = {
    enable = true;
+
    enableReload = true;
+
    defaultListenAddresses = [
      values.hosts.bicep.ipv4
      "[${values.hosts.bicep.ipv6}]"
@ -11,5 +18,28 @@
      "127.0.0.2"
      "[::1]"
    ];
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes 8;
+      worker_rlimit_nofile 8192;
+    '';
+
+    eventsConfig = ''
+      multi_accept on;
+      worker_connections 4096;
+    '';
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.nginx.serviceConfig = {
+    LimitNOFILE = 65536;
  };
 }
--- a/hosts/ildkule/services/metrics/grafana.nix
+++ b/hosts/ildkule/services/metrics/grafana.nix
@ -91,7 +91,6 @@ in {
  services.nginx.virtualHosts.${cfg.settings.server.domain} = {
    enableACME = true;
    forceSSL = true;
-    kTLS = true;
    locations = {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";
--- a/hosts/ildkule/services/nginx/default.nix
+++ b/hosts/ildkule/services/nginx/default.nix
@ -1,8 +1,15 @@
 { config, values, ... }:
 {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
  services.nginx = {
    enable = true;
+
    enableReload = true;
+
    defaultListenAddresses = [
      values.hosts.ildkule.ipv4
      "[${values.hosts.ildkule.ipv6}]"
@ -11,5 +18,12 @@
      "127.0.0.2"
      "[::1]"
    ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/modules/grzegorz.nix
+++ b/modules/grzegorz.nix
@ -24,12 +24,15 @@ in {
  services.grzegorz-webui.hostName = "${config.networking.fqdn}";
  services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";

+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
+
  services.nginx.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx.virtualHosts."${config.networking.fqdn}" = {
    forceSSL = true;
    enableACME = true;
-    kTLS = true;
    serverAliases = [
      "${config.networking.hostName}.pvv.org"
    ];
--- a/overlays/nginx-test.nix
+++ b/overlays/nginx-test.nix
@ -1,28 +0,0 @@
-acme-certs: final: prev:
-  let
-    lib = final.lib;
-    crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
-    key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
-  in {
-  writers = prev.writers // {
-    writeNginxConfig = name: text: final.runCommandLocal name {
-      nginxConfig = prev.writers.writeNginxConfig name text;
-      nativeBuildInputs = [ final.bubblewrap ];
-    } ''
-      ln -s "$nginxConfig" "$out"
-      set +o pipefail
-      bwrap \
-        --ro-bind "${crt}" "/etc/certs/nginx.crt" \
-        --ro-bind "${key}" "/etc/certs/nginx.key" \
-        --ro-bind "/nix" "/nix" \
-        --ro-bind "/etc/hosts" "/etc/hosts" \
-        --dir "/run/nginx" \
-        --dir "/tmp" \
-        --dir "/var/log/nginx" \
-        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
-        ${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
-        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
-        ${lib.getExe' final.nginx "nginx"} -t -c "$out" |& grep "syntax is ok"
-    '';
-  };
-}
--- a/secrets/bekkalokk/bekkalokk.yaml
+++ b/secrets/bekkalokk/bekkalokk.yaml
@ -20,13 +20,6 @@ idp:
    admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
    postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
    privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
-nettsiden:
-    mysql_password: ENC[AES256_GCM,data:Uv74HhWtYRbaFHcfh0Rk/Q==,iv:/lRTaMepwpJKZJWHnwb98Ywa1zP4e2EqYGmwI7BCl1I=,tag:ZnE0u2/65zdkONcoiBGSOQ==,type:str]
-    door_secret: ENC[AES256_GCM,data:t0jEN1WnyEi10KRSg4Dlcd7IuIMBiOU7riOdYSZjvZTQqPijRYIoMEQ6OemIkD1Yg67uISTxnjxP,iv:Ss02VGKRa4oZMubbi8IfQDAjh3h295+n07vOx/IZGBs=,tag:OvdxqIUdYi/cR7IjopSVQQ==,type:str]
-    simplesamlphp:
-        postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
-        cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
-        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -60,8 +53,8 @@ sops:
            akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
            GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-14T21:58:31Z"
-    mac: ENC[AES256_GCM,data:+o7YvaaKTjN/uZT5mv3z9FgIbXwG4NPJePWwRmtkBINn9X+vrCmYOXqWhKw7qfInn4Ftcg0FA7cYFZe5Pv8MNp+f8v1yoiLrVX12cxmEYtqTXJz7pNeD2st1YjGJKihNi2/fyCCf4YBCGN+8Ze//HeVf7/tfWNB+ysyC9g9Tze4=,iv:C6XBCVXn8GuNeaWGdJRnUIh1us0i8fSoxu9Sx7Feb58=,tag:W0RLPPv7eP5kCNrhMG3z7A==,type:str]
+    lastmodified: "2024-04-10T21:39:18Z"
+    mac: ENC[AES256_GCM,data:Ejj3xyINoWotU4oRrsP2oMGoKDMGJLCrx0AXhWerw7PJyHbXiKlDrABABHyuTgogA7KjKQjmZnxh689gpfYVnPogSV7zGHP07/dHrbaxsXek95uv4avzXNilXKbRfF8fyrmTuEcQi3S7UA+aVgTuVOQt/X+nGtI/K4inTuYIM4w=,iv:3vqp9jaJw9bm2GGCcxdLr11h1nhrfpwEbKNu+tGfNFY=,tag:dG3xRa7spbSuYAaaNija/Q==,type:str]
    pgp:
        - created_at: "2023-05-21T00:28:40Z"
          enc: |