remove inactive users

This reverts commit 0d40c7d7a7.

.sops.yaml

@@ -15,13 +15,14 @@ keys:
   - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
   - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
   - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
-  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
-  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
-  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
-  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
-  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
+  - &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
+  - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
+  - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
+  - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
   - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
   - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
+  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
 
 creation_rules:
   # Global secrets
@@ -147,3 +148,15 @@ creation_rules:
       - *user_vegardbm
       pgp:
       - *user_oysteikt
+  - path_regex: secrets/skrot/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_skrot
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt

README.md

@@ -43,7 +43,7 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
-| [skrott][skr]              | Physical | Kiosk, snacks and soda                                    |
+| [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 
 ## Documentation

base/networking.nix

@@ -3,10 +3,6 @@
   systemd.network.enable = true;
   networking.domain = "pvv.ntnu.no";
   networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;
 
   # The rest of the networking configuration is usually sourced from /values.nix
 

base/services/acme.nix

@@ -2,7 +2,7 @@
 {
   security.acme = {
     acceptTerms = true;
-    defaults.email = "acme-drift@pvv.ntnu.no";
+    defaults.email = "drift@pvv.ntnu.no";
   };
 
   # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:

flake.lock

@@ -1,5 +1,20 @@
 {
   "nodes": {
+    "crane": {
+      "locked": {
+        "lastModified": 1770419512,
+        "narHash": "sha256-o8Vcdz6B6bkiGUYkZqFwH3Pv1JwZyXht3dMtS7RchIo=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "2510f2cbc3ccd237f700bb213756a8f35c32d8d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "dibbler": {
       "inputs": {
         "nixpkgs": [
@@ -7,11 +22,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1770133120,
-        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
+        "lastModified": 1771267058,
+        "narHash": "sha256-EEL4SmD1b3BPJPsSJJ4wDTXWMumJqbR+BLzhJJG0skE=",
         "ref": "main",
-        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
-        "revCount": 244,
+        "rev": "e3962d02c78b9c7b4d18148d931a9a4bf22e7902",
+        "revCount": 254,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
       },
@@ -47,11 +62,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1765835352,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "lastModified": 1772408722,
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
         "type": "github"
       },
       "original": {
@@ -67,11 +82,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767906545,
-        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
+        "lastModified": 1770617355,
+        "narHash": "sha256-lauV1yKA67WxnlbiJiwhOT9xI8nTiUqqrrRlgA+rMis=",
         "ref": "main",
-        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
-        "revCount": 23,
+        "rev": "36af0316a7370d19db05ef7c0a87e826f4a222d5",
+        "revCount": 24,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
       },
@@ -89,11 +104,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1767906494,
-        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
+        "lastModified": 1770617867,
+        "narHash": "sha256-xPLm4C13KUl0zmm1OA+A8UwDSixwtNQ/caRx/WjN+WY=",
         "ref": "main",
-        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
-        "revCount": 61,
+        "rev": "155752914d81a3a3c02fcfc5d840cfdfda07216d",
+        "revCount": 62,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
       },
@@ -217,11 +232,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769018862,
-        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
+        "lastModified": 1774824790,
+        "narHash": "sha256-3R2aoykbutdJ7YQaZiU7uO8w4O8b6RjztTPNo8isLTI=",
         "owner": "oddlama",
         "repo": "nix-topology",
-        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
+        "rev": "5765ce41be8a4fb5471a57671c2b740a350c5da0",
         "type": "github"
       },
       "original": {
@@ -233,11 +248,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1769724120,
-        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
-        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
+        "lastModified": 1775064210,
+        "narHash": "sha256-bEqbUNAnoyNZzd8rrhS8QETdDWr+vYzZeaggBLmFLIA=",
+        "rev": "9d1c3efdc713c1ed9679796c08a1a8a193e4704e",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.8497.9d1c3efdc713/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -246,11 +261,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1765674936,
-        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
+        "lastModified": 1772328832,
+        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
+        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
         "type": "github"
       },
       "original": {
@@ -261,11 +276,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1769813739,
-        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
-        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
+        "lastModified": 1775064351,
+        "narHash": "sha256-KHkwW/A1+H23YBMQGDmPb8cw5LwZFnszVKg5eZ4JWhg=",
+        "rev": "1e6f1bb5bb05d14aea16063ab587c599a68241c2",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre973082.1e6f1bb5bb05/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
@@ -358,17 +373,18 @@
     },
     "roowho2": {
       "inputs": {
+        "crane": "crane",
         "nixpkgs": [
           "nixpkgs"
         ],
         "rust-overlay": "rust-overlay_3"
       },
       "locked": {
-        "lastModified": 1769834595,
-        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
+        "lastModified": 1770912859,
+        "narHash": "sha256-wtf7YgthGVDY7dhWe8cO42+CD7Y2Pkngvzirwjwvfzg=",
         "ref": "main",
-        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
-        "revCount": 49,
+        "rev": "9361dcf941fabb14e94f472754b0e0a26cc56e13",
+        "revCount": 59,
         "type": "git",
         "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
       },
@@ -386,11 +402,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767840362,
-        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
+        "lastModified": 1770606655,
+        "narHash": "sha256-rpJf+kxvLWv32ivcgu8d+JeJooog3boJCT8J3joJvvM=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
+        "rev": "11a396520bf911e4ed01e78e11633d3fc63b350e",
         "type": "github"
       },
       "original": {
@@ -448,11 +464,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1769469829,
-        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
+        "lastModified": 1774910634,
+        "narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
+        "rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301",
         "type": "github"
       },
       "original": {

flake.nix

@@ -94,7 +94,6 @@
         }:
         let
           commonPkgsConfig = {
-            inherit localSystem crossSystem;
             config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg)
               [
                 "nvidia-x11"
@@ -104,8 +103,11 @@
               # Global overlays go here
               inputs.roowho2.overlays.default
             ]) ++ overlays;
-          };
-
+          } // (if localSystem != crossSystem then {
+            inherit localSystem crossSystem;
+          } else {
+            system = crossSystem;
+          });
           pkgs = import nixpkgs commonPkgsConfig;
           unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
         in
@@ -184,6 +186,13 @@
       };
       ildkule = stableNixosConfig "ildkule" { };
       #ildkule-unstable = unstableNixosConfig "ildkule" { };
+      skrot = stableNixosConfig "skrot" {
+        modules = [
+          inputs.disko.nixosModules.disko
+          inputs.dibbler.nixosModules.default
+        ];
+        overlays = [inputs.dibbler.overlays.default];
+      };
       shark = stableNixosConfig "shark" { };
       wenche = stableNixosConfig "wenche" { };
       temmie = stableNixosConfig "temmie" { };
@@ -205,8 +214,6 @@
         ];
       };
 
-      dagali = unstableNixosConfig "dagali" { };
-
       brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
         modules = [
           inputs.grzegorz-clients.nixosModules.grzegorz-webui

hosts/dagali/TODO.md

@@ -1,78 +0,0 @@
-# Tracking document for new PVV kerberos auth stack
-
-![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
-
-<div align="center">
-  Bensinstasjon på heimdal
-</div>
-
-### TODO:
-
-- [ ] setup heimdal
-  - [x] ensure running with systemd
-  - [x] compile smbk5pwd (part of openldap)
-  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
-  - [ ] fully initialize PVV.NTNU.NO
-    - [x] `kadmin -l init PVV.NTNU.NO`
-    - [x] add oysteikt/admin@PVV.NTNU.NO principal
-    - [x] add oysteikt@PVV.NTNU.NO principal
-    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
-      - why is this needed, and where is it documented?
-      - `kadmin check` seems to work under sudo?
-      - (it is included by default, just included as error message
-         in a weird state)
-
-    - [x] Ensure client is working correctly
-      - [x] Ensure kinit works on darbu
-      - [x] Ensure kpasswd works on darbu
-      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
-
-    - [ ] Ensure kdc is working correctly
-      - [x] Ensure kinit works on dagali
-      - [x] Ensure kpasswd works on dagali
-      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
-
-    - [x] Fix FQDN
-      - https://github.com/NixOS/nixpkgs/issues/94011
-      - https://github.com/NixOS/nixpkgs/issues/261269
-      - Possibly fixed by disabling systemd-resolved
-
-- [ ] setup cyrus sasl
-  - [x] ensure running with systemd 
-  - [x] verify GSSAPI support plugin is installed
-    - `nix-shell -p cyrus_sasl --command pluginviewer`
-  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
-  - [x] verify cyrus sasl is able to talk to heimdal
-    - `sudo testsaslauthd -u oysteikt -p <password>`
-  - [ ] provide ldap principal to cyrus sasl through keytab
-
-- [ ] setup openldap
-  - [x] ensure running with systemd
-  - [ ] verify openldap is able to talk to cyrus sasl
-  - [ ] create user for oysteikt in openldap
-  - [ ] authenticate openldap login through sasl
-    - does this require creating an ldap user?
-
-- [ ] fix smbk5pwd integration
-  - [x] add smbk5pwd schemas to openldap
-  - [x] create openldap db for smbk5pwd with overlays
-  - [ ] test to ensure that user sync is working
-  - [ ] test as user source (replace passwd)
-  - [ ] test as PAM auth source
-  - [ ] test as auth source for 3rd party appliation
-
-- [ ] Set up ldap administration panel
-  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
-
-- [ ] Set up kerberos SRV DNS entry
-
-### Information and URLS
-
-- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
-- Use a keytab: https://kb.iu.edu/d/aumh
-- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
-- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
-- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
-- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
-- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-- saslauthd(8): https://linux.die.net/man/8/saslauthd

hosts/dagali/configuration.nix

@@ -1,51 +0,0 @@
-
-{ config, pkgs, values, lib, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base.nix
-    ../../misc/metrics-exporters.nix
-
-    ./services/heimdal.nix
-    #./services/openldap.nix
-    ./services/cyrus-sasl.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  # resolved messes up FQDN coming from nscd
-  services.resolved.enable = false;
-
-  networking.hostName = "dagali";
-  networking.domain = lib.mkForce "pvv.local";
-  networking.hosts = {
-    "129.241.210.185" = [ "dagali.pvv.local" ];
-  };
-  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-  networking.networkmanager.enable = true;
-
-  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
-    matchConfig.Name = "ens18";
-    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-    # TODO: consider adding to base.nix
-    nix-output-monitor
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-}

hosts/dagali/hardware-configuration.nix

@@ -1,33 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
-      fsType = "ext4";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

hosts/dagali/services/cyrus-sasl.nix

@@ -1,21 +0,0 @@
-{ config, ... }:
-let
-  cfg = config.services.saslauthd;
-in
-{
-  # TODO: This is seemingly required for openldap to authenticate
-  #       against kerberos, but I have no idea how to configure it as
-  #       such. Does it need a keytab? There's a binary "testsaslauthd"
-  #       that follows with `pkgs.cyrus_sasl` that might be useful.
-  services.saslauthd = {
-    enable = true;
-    mechanism = "kerberos5";
-    config = ''
-      mech_list: gs2-krb5 gssapi
-      keytab: /etc/krb5.keytab
-    '';
-  };
-
-  # TODO: maybe the upstream module should consider doing this?
-  environment.systemPackages = [ cfg.package ];
-}

hosts/dagali/services/heimdal.nix

@@ -1,100 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  realm = "PVV.LOCAL";
-  cfg = config.security.krb5;
-in
-{
-  security.krb5 = {
-    enable = true;
-
-    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
-    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
-    #       will do for now.
-    package = pkgs.heimdal.overrideAttrs (prev: {
-      postInstall = prev.postInstall + ''
-        cp include/heim_threads.h $dev/include
-      '';
-    });
-
-    settings = {
-      realms.${realm} = {
-        kdc = [ "dagali.${lib.toLower realm}" ];
-        admin_server = "dagali.${lib.toLower realm}";
-        kpasswd_server = "dagali.${lib.toLower realm}";
-        default_domain = lib.toLower realm;
-        primary_kdc = "dagali.${lib.toLower realm}";
-      };
-
-      kadmin.default_keys = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96:pw-salt"
-        "aes128-cts-hmac-sha1-96:pw-salt"
-      ];
-
-      libdefaults.default_etypes = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96"
-        "aes128-cts-hmac-sha1-96"
-      ];
-
-      libdefaults = {
-        default_realm = realm;
-        dns_lookup_kdc = false;
-        dns_lookup_realm = false;
-      };
-
-      domain_realm = {
-        "${lib.toLower realm}" = realm;
-        ".${lib.toLower realm}" = realm;
-      };
-
-      logging = {
-        # kdc = "CONSOLE";
-        kdc = "SYSLOG:DEBUG:AUTH";
-        admin_server = "SYSLOG:DEBUG:AUTH";
-        default = "SYSLOG:DEBUG:AUTH";
-      };
-    };
-  };
-
-  services.kerberos_server = {
-    enable = true;
-    settings = {
-      realms.${realm} = {
-        dbname = "/var/lib/heimdal/heimdal";
-        mkey = "/var/lib/heimdal/m-key";
-        acl = [
-          {
-            principal = "kadmin/admin";
-            access = "all";
-          }
-          {
-            principal = "felixalb/admin";
-            access = "all";
-          }
-          {
-            principal = "oysteikt/admin";
-            access = "all";
-          }
-        ];
-      };
-      # kadmin.default_keys = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96:pw-salt"
-      #   "aes128-cts-hmac-sha1-96:pw-salt"
-      # ];
-
-      # libdefaults.default_etypes = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96"
-      #   "aes128-cts-hmac-sha1-96"
-      # ];
-
-      # password_quality.min_length = 8;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
-  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
-
-  networking.hosts = {
-    "127.0.0.2" = lib.mkForce [ ];
-    "::1" = lib.mkForce [ ];
-  };
-}

hosts/dagali/services/openldap.nix

@@ -1,121 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  services.openldap = let
-    dn = "dc=pvv,dc=ntnu,dc=no";
-    cfg = config.services.openldap;
-
-    heimdal = config.security.krb5.package;
-  in {
-    enable = true;
-
-    # NOTE: this is a custom build of openldap with support for
-    #       perl and kerberos.
-    package = pkgs.openldap.overrideAttrs (prev: {
-      # https://github.com/openldap/openldap/blob/master/configure
-      configureFlags = prev.configureFlags ++ [
-        # Connect to slapd via UNIX socket
-        "--enable-local"
-        # Cyrus SASL
-        "--enable-spasswd"
-        # Reverse hostname lookups
-        "--enable-rlookups"
-        # perl
-        "--enable-perl"
-      ];
-
-      buildInputs = prev.buildInputs ++ [
-        pkgs.perl
-	# NOTE: do not upstream this, it might not work with
-	#       MIT in the same way
-        heimdal
-      ];
-
-      extraContribModules = prev.extraContribModules ++ [
-        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
-        "smbk5pwd"
-      ];
-    });
-
-    settings = {
-      attrs = {
-        olcLogLevel = [ "stats" "config" "args" ];
-
-        # olcAuthzRegexp = ''
-        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
-        #         "uid=heimdal,${dn2}"
-        # '';
-
-        # olcSaslSecProps = "minssf=0";
-      };
-
-      children = {
-        "cn=schema".includes = let
-          # NOTE: needed for smbk5pwd.so module
-          schemaToLdif = name: path: pkgs.runCommandNoCC name {
-            buildInputs = with pkgs; [ schema2ldif ];
-          } ''
-            schema2ldif "${path}" > $out
-          '';
-
-          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
-          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
-        in [
-           "${cfg.package}/etc/schema/core.ldif"
-           "${cfg.package}/etc/schema/cosine.ldif"
-           "${cfg.package}/etc/schema/nis.ldif"
-           "${cfg.package}/etc/schema/inetorgperson.ldif"
-           "${hdb-ldif}"
-           "${samba-ldif}"
-        ];
-
-        # NOTE: installation of smbk5pwd.so module
-        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-        "cn=module{0}".attrs = {
-          objectClass = [ "olcModuleList" ];
-          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
-        };
-
-        # NOTE: activation of smbk5pwd.so module for {1}mdb
-        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
-          olcOverlay = "{0}smbk5pwd";
-          olcSmbK5PwdEnable = [ "krb5" "samba" ];
-          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
-        };
-
-        "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-
-          olcDatabase = "{1}mdb";
-
-          olcSuffix = dn;
-
-          # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=users,${dn}";
-
-          # TODO: replace with proper secret
-          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
-
-          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
-          olcDbIndex = "objectClass eq";
-
-          olcAccess = [
-            ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=users,${dn} write
-                by self write
-                by anonymous auth
-                by * none''
-
-            ''{1}to dn.base=""
-                by * read''
-
-            /* allow read on anything else */
-            # ''{2}to *
-            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
-            #     by * read''
-          ];
-        };
-      };
-    };
-  };
-}

hosts/kommode/services/gitea/default.nix

@@ -131,6 +131,7 @@ in {
           "repo.pulls"
           "repo.releases"
         ];
+        ALLOW_FORK_INTO_SAME_OWNER = true;
       };
       picture = {
         DISABLE_GRAVATAR = true;

hosts/lupine/configuration.nix

@@ -1,10 +1,9 @@
-{ fp, values, lupineName, ... }:
+{ fp, values, lib, lupineName, ... }:
 {
   imports = [
     ./hardware-configuration/${lupineName}.nix
 
     (fp /base)
-
     ./services/gitea-runner.nix
   ];
 

hosts/lupine/hardware-configuration/lupine-1.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -14,27 +14,28 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
-      fsType = "ext4";
+    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress=zstd" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "compress=zstd" "noatime" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/81D6-38D3";
       fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
     ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
+

hosts/lupine/hardware-configuration/lupine-2.nix

@@ -14,27 +14,27 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
-      fsType = "ext4";
+    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress=zstd" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/4A34-6AE5";
       fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
     ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/hardware-configuration/lupine-3.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -14,27 +14,28 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
-      fsType = "ext4";
+    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress=zstd" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/63FA-297B";
       fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
     ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
+

hosts/lupine/hardware-configuration/lupine-4.nix

@@ -14,21 +14,27 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/c7bbb293-a0a3-4995-8892-0ec63e8c67dd";
-      fsType = "ext4";
+    { device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress=zstd" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/fcd51970-f040-4c45-94cf-2b372d4599a2";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/A22E-E41A";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/a86ffda8-8ecb-42a1-bf9f-926072e90ca5"; }
     ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/lupine/hardware-configuration/lupine-5.nix

@@ -1,4 +1,4 @@
-# Do not modify this file!  It was generated by 'nixos-generate-config'
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
@@ -14,27 +14,27 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/5f8418ad-8ec1-4f9e-939e-f3a4c36ef343";
-      fsType = "ext4";
+    { device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
+      fsType = "btrfs";
+      options = [ "subvol=@root" "compress=zstd" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/85830e14-e2c8-4f04-95fa-d6ab22840bc7";
+      fsType = "btrfs";
+      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
     };
 
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/F372-37DF";
       fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
+      options = [ "fmask=0022" "dmask=0022" ];
     };
 
   swapDevices =
     [ { device = "/dev/disk/by-uuid/27bf292d-bbb3-48c4-a86e-456e0f1f648f"; }
     ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/skrot/configuration.nix

@@ -0,0 +1,63 @@
+{
+  fp,
+  lib,
+  config,
+  values,
+  ...
+}:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    (fp /base)
+  ];
+
+  boot.consoleLogLevel = 0;
+
+  sops.defaultSopsFile = fp /secrets/skrot/skrot.yaml;
+
+  systemd.network.networks."enp2s0" = values.defaultNetworkConfig // {
+    matchConfig.Name = "enp2s0";
+    address = with values.hosts.skrot; [
+      (ipv4 + "/25")
+      (ipv6 + "/64")
+    ];
+  };
+
+  sops.secrets = {
+    "dibbler/postgresql/password" = {
+      owner = "dibbler";
+      group = "dibbler";
+    };
+  };
+
+  services.dibbler = {
+    enable = true;
+    kioskMode = true;
+    limitScreenWidth = 80;
+    limitScreenHeight = 42;
+
+    settings = {
+      general.quit_allowed = false;
+      database = {
+        type = "postgresql";
+        postgresql = {
+          username = "pvv_vv";
+          dbname = "pvv_vv";
+          host = "postgres.pvv.ntnu.no";
+          password_file = config.sops.secrets."dibbler/postgresql/password".path;
+        };
+      };
+    };
+  };
+
+  systemd.services."serial-getty@ttyUSB0" = lib.mkIf (!config.virtualisation.isVmVariant) {
+    enable = true;
+    wantedBy = [ "getty.target" ]; # to start at boot
+    serviceConfig.Restart = "always"; # restart when session is closed
+  };
+
+  system.stateVersion = "25.11"; # Did you read the comment? Nah bro
+}

hosts/skrot/disk-config.nix

@@ -0,0 +1,41 @@
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1G";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            plainSwap = {
+              size = "8G";
+              content = {
+                type = "swap";
+                discardPolicy = "both";
+                resumeDevice = false;
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/skrot/hardware-configuration.nix

@@ -0,0 +1,15 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/skrott/configuration.nix

@@ -59,7 +59,7 @@
   # zramSwap.enable = true;
 
   networking = {
-    hostName = "skrot";
+    hostName = "skrott";
     defaultGateway = values.hosts.gateway;
     defaultGateway6 = values.hosts.gateway6;
     interfaces.eth0 = {

packages/bluemap.nix

@@ -1,12 +1,14 @@
-{ lib, stdenvNoCC, fetchurl, makeWrapper, jre }:
-
+{ lib, stdenvNoCC, fetchurl, makeWrapper, javaPackages }:
+let
+  jre = javaPackages.compiler.temurin-bin.jre-25;
+in
 stdenvNoCC.mkDerivation rec {
   pname = "bluemap";
-  version = "5.15";
+  version = "5.20";
 
   src = fetchurl {
     url = "https://github.com/BlueMap-Minecraft/BlueMap/releases/download/v${version}/BlueMap-${version}-cli.jar";
-    hash = "sha256-g50V/4LtHaHNRMTt+PK/ZTf4Tber2D6ZHJvuAXQLaFI=";
+    hash = "sha256-txDN/vG429BHT09TrSB8uQhmB8irrmvvOXX4OX3OSC0=";
   };
 
   dontUnpack = true;
@@ -15,7 +17,10 @@ stdenvNoCC.mkDerivation rec {
 
   installPhase = ''
     runHook preInstall
-    makeWrapper ${jre}/bin/java $out/bin/bluemap --add-flags "-jar $src"
+
+    makeWrapper ${jre}/bin/java $out/bin/bluemap \
+      --add-flags "-jar $src"
+
     runHook postInstall
   '';
 

packages/ooye/package.nix

@@ -10,22 +10,19 @@ let
 in
 buildNpmPackage {
   pname = "delete-your-element";
-  version = "3.3-unstable-2026-01-21";
+  version = "3.5.1";
   src = fetchFromGitea {
     domain = "git.pvv.ntnu.no";
     owner = "Drift";
     repo = "delete-your-element";
-    rev = "04d7872acb933254c0a4703064b2e08de31cfeb4";
-    hash = "sha256-CkKt+8VYjIhNM76c3mTf7X6d4ob8tB2w8T6xYS7+LuY=";
+    rev = "80ac1d9d79207b6327975a264fcd9747b99a2a5d";
+    hash = "sha256-fcBpUZ+WEMUXyyo/uaArl4D1NJmK95isWqhFSt6HzUU=";
   };
 
   inherit nodejs;
 
-  patches = [ ./fix-lockfile.patch ];
-
-  npmDepsHash = "sha256-tiGXr86x9QNAwhZcxSOox6sP9allyz9QSH3XOZOb3z8=";
+  npmDepsHash = "sha256-EYxJi6ObJQOLyiJq4C3mV6I62ns9l64ZHcdoQxmN5Ao=";
   dontNpmBuild = true;
-  makeCacheWritable = true;
 
   nativeBuildInputs = [ makeWrapper ];
 

secrets/lupine/lupine.yaml

@@ -7,126 +7,126 @@ gitea:
         lupine-5: ENC[AES256_GCM,data:+PYUtLBx9MdIebR0nWSNGKKCyKcGpI62BXj7AN1iV4wU4+2awrWZ2Q==,iv:PALEU/sYebhPTO4ZXEm2uV6z9hN678ZxqOSnaHVlyro=,tag:Enb08N6TYlOh+x70pcpJYA==,type:str]
 sops:
     age:
-        - recipient: age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+        - recipient: age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXOTAzdEFVNmRWUFNzY211
-            NUpoMnpoVmpCeFIzU3JacDIxcjNYUTBCZTFrCnpFMUtydndyUDY3emdVVEp4dUpy
-            ZWhTRGEvdG9pQ2JvQ3pGL2s0M3Z1WHcKLS0tIExjaWh3MHk5WEZVQS9lYnkyemxE
-            UjhRL0swUnBJNmNzaGtUMjE2WlZ2VDAKYV8T2iXVEr77e0vuV8e8xpbhStxUoM9l
-            Jpn3XiYuoWHk/bmQyjQIQzjB4oqx4TqEnHccSmN3XtUIPGr296zwMg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRDdtTmdvRDRPaU53Mjd3
+            S25SeU5rUnZibmh2Y01HZUVhZjVWUVBJVXlvCm1uaURNYURGRUhhc25vSmFodEJC
+            RnRob3VLNHYycDlMRkwya3JJK092UlUKLS0tIFMwMExQZTVxVDAwYzRSaDhTRC80
+            VU5jeTBFcGYvNE9tVUVuNmV5WjMycjgKF9GIvJTczigKH+dbTAOHK0S966/QE/7M
+            HtgdJi9roiyDwI9k56r35/MP3eURffXBWTmc8WZRHTxnhzo1GBpg0A==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+        - recipient: age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVVdmdEdZcTYxajVHQmtF
-            L1pad0ZxVUdlWXVjNHl3eEIxZlNtdlY2WGlBCi9NUUVEakZLV044dldDSkZzaFhS
-            U3FJanBaL0JGV3AyS2daTFNrM0J1M1EKLS0tIGs5ZjRZcVREenN0L2RPaWp5c0s1
-            U3AxOEpvdmozU3RRMGYzZGZOZGVhSWsKHEz+eL/fHgLUuixFIeA2dUAjZekzRIHy
-            NgYmzaWhY7IlPg4mZRIW7hW+ckfr9brdgOR3Gn5Fp3tPbAL9GO7bnQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMGtpL3JJaDN2Qm95b1cz
+            VEF2bHU3VjJLNUQya25lL01qYkFreFpTVGdBCkdHdnBUUjlXOU4yTkE5ZTF2OFll
+            UXNQTWsrQ2FGV21kRkllY2E5S0NRS1kKLS0tIGY1aHkyVE5XbHpLbGVBUVFmNlVy
+            VDcvTUY5YVEvOWFQOG5ULzFlQU9IMTAKQ601N8YNayuYrkZqqsKqlsnHN4rSMzN1
+            sesAmJVuj7ZddGQlzIJC9cydXkssmY5oDIj92J7DXTzhFQlO0o9tfA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+        - recipient: age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5THp4MkRiUGd0VDVERjU2
-            bmR5OWlkTFFmQUM2QmRNWU5DSUI3eFV4djBVCnF3dTV1aGlMUTd2UWlyUWtXcnlG
-            TFFRdUp4dnpXZ2FLSGZoRUsvRlR6ekUKLS0tIDVBMC9oUnBuQXpkcEZHSUd0NzNp
-            U2czY3YxRG10aW9hVGJsbkJwWTEwV0kKaNQRm6qmIIbztzrmw6nZSA131lxw7PA9
-            MBPmPQmskIbGJ/bQCfZ7Sp/Pe51sL3moA8tWMqGZEVa+xuxa/KEKSQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZFV6cWN3OEloVmIrWG9Z
+            U0RxNVF0RlJ6UDNMK0psQjVKUkJiR0JUMWxBCll3NHpFempRcCtSYUQzWi9kclFP
+            Z3k5MXdCcTMxT21GL3E3Yk5md0o2cjAKLS0tIFZML05kSm1sVnIyRmpsSmdGbG8z
+            SllNcDVzSE4wTTB5NTNTYXJoemlIMUEKbJwinjEIjgwlShvUr+Jcfay0ha8Ndo6L
+            KM0QvKlcsx5Z6pqyYt6TvnlhyhcljN1IFfoUO5r3E9lYSyanv3HJRA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+        - recipient: age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmYUJkQkhJbjU4a3ZNbzJM
-            NGFXS2ZDSjM0Nk9BVVVCNUx0Um9mbmVXT21BCmRjL0pNcUs1NWdxYkQyc25nMG53
-            c1lkaHVyRnloRGZmWk82K3RZVzNnTjAKLS0tIERndWk2TFJWSFUraldwczFOVm13
-            NWRDWGdMNXFraE5ueTM0ZG9hMHpKTjgK4xTJKPcrk3EHwMoXlTHzqeDgx9ZJl962
-            8lyQMOSeICyXLzRgKQWuXssDMuev0CZfvnXeWp8megmXuU5Eq1GW5A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SG15dS9JNmRETjBZL001
+            VnNSN1o1ZENwdStLdnMxaGp2OVg4WFVUWmpvClJESk9KVi8rdkU5Q0ZHSnhOell2
+            K1UzMWpOMVUwUFc1STdVUjNsekt6L1UKLS0tIEIyTG9UMWs0UjZIZUpvMFA0ZWlZ
+            THhnZWZNckdTOXNpSjVDUEFWQW8rOE0K5ts7BAbcZ7L3cId+jjbC8ZDOnCEAjFW7
+            lizGlAPolgH6uNpPczneeFBczfU8nnWOcJTpPXQDxXiWv7y0aemJRQ==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+        - recipient: age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUY1p6QjViNmdHcjY2and5
-            aEYvOXpxWEtqUnRTNEgxeE44NzZ3VW00OEZFCjJVN0Q4c0FJNEZEaDVXZlNkMTlr
-            cGQ1WWhMY0JCTEVLUDNGMHZFZDAvOU0KLS0tIDE4ZklUMWtKL3JlbzlrUXdvekJt
-            cjhrRmQrQ3g0UG8wKzZHMllidmRaQ0EKVG9D8Fh7xMzNPXecdX6zTfank2/ZNnjl
-            mwxCXnM2e5udtviQURJstLvlCElNtvdY5WdMkUoCXwHoMspPwGByFw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQUEwa0cvcndUbnlpTlYr
+            ZUtEdlRKcmlrQU1USlZVeXNXejhBSUdLdGxNCmpzRHpoM1VNemo5angweW9QMGJ2
+            ZGpqZHpWeUwzZWl2NWJnbTBGYlcxZ2MKLS0tIHZJT05EZmI2NGRsZ05sL0Y1VmY1
+            Q1p0b2dJMXNhRFdYdHV3UFhUQzVmQVEK/3E/fDJcuwN8UJq05Dg0YLHhFRLjl4i7
+            98dDpycvPV8Py82q4pNpvI+goZ2T19QcxArSLNLQwd3TqIYvLHB+FA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NGpoWUVmK2ttVno2cG44
-            aGRVSStsc280cGFZL0xERUdrNjJVV01HemdBCmZBSEg0V3FHNVEzWDBId1RYck4w
-            dEd3WnVhUk0wdHRxOE9WUnpaUThLa2MKLS0tIHhWbXJmZ1Y4RWZ3Y1g3dTI0MzMw
-            eGdwemRYSCtoM0FseXhLd0Fzc1dzUG8KdPDyA/XJSgjHFycEwSg7KWX4fMA30CDq
-            GIWYDVDicgzbxjNKcQdGzFvL02B1igogHtuIJn1qE/bNrK6L9PQ3pA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxOEhSZzhkZ25rL1dZVlRw
+            R0JMaUR2VXQ5cnYvdjRwQjU5VWYwcGRYbUMwClVBYi9nOHZkejBxamxKeHJSZmFC
+            NUFuQkVxS3VCMVZaMERYUG5Ba2FyTjQKLS0tIE5BTlN5MnYzTnlZbXpmNXBOL0NZ
+            TGpFN2xCTWcybnBBL0o2MVFoQzNRMkEKtprwI3p45huVaLJvqTNLU1k17uSObJaA
+            QEL/qzgLr//fSxiMQfJRtvqpcGuL/kTnmU56tJdLVCDAfFvW0OH9gQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTG81cS96bWtOWHJTK0RC
-            WlAzWWdiZkhncWRBVXZtVXdQeTR4WEl5MVJ3CkY5NEpnMmdpVnh1eXBCajhPT1Rr
-            ZWpkUm40WHpFcVdQcStWWVZWZU41VjgKLS0tIGRyUnBsb3FnRE9IL3RkTktjN3dO
-            ZEY3d0I3WVVhQUNPcmhKYW1sVlBGSmsKTsZwHdholYxIhOn49WTdb3pnjT8oTkH5
-            mfayWji2cOBRRRB9X40OaVg8SCIhVAQNdvbn64XaJWqWbXFtXamgLw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTWVYY3hPMi85QjhYQWlW
+            R0s0bnVpNEFmalFBS3lISmtWanNPcEpPRlF3CjY2TnliWGJocWtkbjZZQUpPZ3dS
+            TUlDS3JVb09CZ3pUNGZvQkVFMHIreW8KLS0tIE0wS1Q0THdocmw2RGZ1RWtvbjY1
+            a3hmLzNiY2ZQdk5TQzExOGJPeTd0U0kKVqulWO1BniSTpYHa7fYwG0oj+hq+clGq
+            /XlvYUYNIApaAid3G9LrZNL7g3mhq1ANuDGMY7n0Z6/xhysTZwRzEQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhejJHU2N3cVF0TnNqZytD
-            UERpTmNnT0FJMysvbVYvNGM5ejNVcE5wemhjCjhyYVpsaDJlNHI2aVg1eXZtV21a
-            eHVFL1ljWXRkYlFrTkgvWHhKS2NZOHcKLS0tIEVLRFhKR0tyeUJ3Z3ZoREY2c2VI
-            c29MWkcvUFlzU0VCTnFTV01rWkxDVGsKcyKsGo6Ep7f2dBwaUYoMsqSqQrn3Obzm
-            sDovKBx+Y7+Yn6fnxy3ISQ9FUjupMtKffiO2AAK7AAI3MFjDOUb9zg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNkM5ZjRIK2FKL1B3S0tl
+            ZUdzMC9ONStkYnZZRm1VQy9FMVJkNk9SY1IwCnJFTVRTL1FkRlAySmF1ZDdBVUxz
+            M1lOdEhnRjI4blNhL1FYVEJubmQ5YVEKLS0tIEtLWktCQVp1eW10SnhkaUJDYnNv
+            cDdvRVl6a3VhZXhwUkl6eHo0OGxxUDQK5/Z3OCFIb4HOBBxHj0B7a0AuPXgPbuh5
+            TPGvfJpa3Ow/eJSpEdXOm6chTrvPsgGHKYZS75SAgHMP8SHHIPuxuQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVGVOcE9TdVFDYURFeEE5
-            M0t1Zm95SUZpNzdFR0N3UVYwdG1yOWErUTNBCjB4WWtRdXNJV1FVd0xNODUzTDZD
-            ZXRteEpwendneS95alVhckJyMXZucXMKLS0tIDZLNFdGUTNMTm5KUkF2TWxPNk1O
-            V0FISGRYNmZ0N3dXc3RHdGNpQldOVE0Kkc7MRhVvpKlIVGKRvvPGyW/DzatxM7+Z
-            VP4kAf0Vu6DyKZINDXH5XQh6qxeAccYXhv/QhxdSuCW4bjplMMBSnw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzVXhHTE83aDFvN3U3Tncz
+            TzlYSVB1NzdvQVY5bU1yZTRhU0V1bXgyZ21RCm1WekpqcHE3cG5sRkM4Z2k4UzFK
+            TlZMOFFrb3BBZ0d3dDMzUzFueDJiZFUKLS0tIHkraEY4STNWbDZmQm4rUnFHWU5a
+            bHpyUUM4NlN3VDhVYVhFNVYyeElqVDQKm44tte4aQ5/0XVMd7IvnahRxdrSePHKn
+            f6EUC0tBdSAifbe8JdCvTz2DDbUbXRxDxZCJ35ATyB0K1AEgcVEVvA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrVDZVbDBOR0d2VDJHY0Q5
-            VkdETUV2dFVWcUM0N3pwU0dlekJqYzZPZEhZCkZWd0dVS25jYm5Eb1hES3Z5SmFk
-            WnVEYmFtRURTa2FUYXhpQkNLUnhjbFUKLS0tIForS3RPcFkvenJNaW9wMFAyOEpP
-            c2g3UlRHc1ljVGZaWVRlTUVORzNoczQKFvxD6ty10YobBU2BuyVpDsqGI1nie4Oh
-            eQbvBEqfTN3zR38ujT6/tLfyNrtj71oGzI9M+vUUGbrmob+/y2VABg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VTZXR2hZT2FERFNhNXVs
+            MkREdWxxNWNvZy9jRkp0d2YwNm5IRDY3Zm44CjZ0SC9NWE40TmFtR2NSMUZtMmV2
+            MXJ1SjI0V2lBWElXS1FHUTNRa3g5MVEKLS0tIGhnYW1yd3h5Zk1UYXpzZG1XeUdF
+            Q2VuWG8yOE1ob1Ayd2Z6NllhNnMxK2MK1BzxHusN/Ad0+2ExwK/q8qyPObDL+112
+            o5/LeOh2vA3KQOG7QmlfhOK8NEID2dcWXoK3Kg8H24rowZq+WQryqg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOblRZRERwT1k0cUVkeXlF
-            bXZ6VnU1TmE2dFlaU1IwMXV0V09FZjR1bUFFCnFUa0hzeXhvTjlaSk9lZFZHT1d2
-            RU5NQXJBb1FISTVnSFJheEZLTFNWa28KLS0tIFEzUWFvOXE4WGRkWmxtd1hvUGZu
-            QlBkaCsxdlEyT1hhbVA0c3J4bkhHU0EKbdPpiKgu416P0Ciacs3wkH0OAeHKyzQE
-            ekyNhHHKT7IqJSvEl47PpTIsgk99SrLgImNKY8sDieOqDVuM0bhgTA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXblVrSXJjVUVtaWltVzQy
+            OGFDR05TNTJEY2M3dUQ5bEtnaVF2dnd3VVdjCmFlL3MwVEFrYml5UE54U3Z5bUNU
+            dVRiUmlZS1lEMms2YzNxRjQ2NzAxdW8KLS0tIFhKS2hZS1Y4a2E0SzY2dHFPTUk0
+            MTc3MVhaU0s5anZPdUg4RlFiZmU4MHcKepCAfP8iMOJ39LL4S8XA18pXAYZgcdLO
+            xNV7kAcdXpywk/ffnWAukwI32LegGQ+efNtysCeESNKomSDtXKtm6Q==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-12-04T05:53:51Z"
     mac: ENC[AES256_GCM,data:o55keAaJEXVOAGvoMp8FWvtlxMgfF/qR50FGnNM1whYz+5+naRJ1dAOW9NKYHWbtOa/ZXEMTkjoFrTJidAaIXza1Ot8llbTGYh56fsnu0FKZfVM+rvecRDhXKWxiAqyiLUvtUfA2fSg9LGveh2U+0dulcU25sb3Wf0RcFrtM3xI=,iv:3/UllekmGIaluv8y8I6Azd/52dJzk+C5ah6XLJj7Zik=,tag:T5ILXiC5hK++0jGOnHCMYA==,type:str]
     pgp:
-        - created_at: "2026-01-16T06:34:51Z"
+        - created_at: "2026-04-18T16:25:16Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ//S5CPlAJka09zfxhQCKY9SnHOlkNL3mQxSN9EcxiKFgQD
-            G2/qlFze7CiswTr608TXNQ/lPb+SJHgLrJvcBwISh0MCKKOZtyNjfSIIdR1A/JTE
-            OaA/JCJ76j2W7YWYrL18dY57n7DOMmhf/BZj0hI4PtDqh+dB2vX/U2i3kWdODb/K
-            fowmPrqustOLGAXOhuKegtQ8K5KLsP3NHjrp5TiOYmI7fDVkwvBnqXj52n94pw3n
-            o+HpvmyWFSm7QExGsjbbMbtDEmJJ/u8arx+Tb+ELumrz7QgwXt9ZGoPpJnmz9SsC
-            4MoTF8Ul4HRwMoMyGEQAzb1J32THFKWSUtWaLjNDOW91l/eiLpY0Kk5f1BTVcD4W
-            GsA63BsSqnIDB4Tisz4ZRhaRGY6sxyXHDSnHzVQmKrv3kwTJm8ODA18gu+HZ021h
-            ShG+m81PYrGkeqYwJHnEMfSo4XY4/lHdsZ0yldF8eSjZ2raPbsw+lmadot8mc1eE
-            leiEJOP6+ZOs60dJ+dOwaeCb5CDjFaCrq6c0+6ESWpN354tN9L9DZGLlYIt2AlcM
-            /N/5DO5F81jxlBbxI4IFwRvBDBwO81eQlVtjQB5V1+dbeIaZYS6GN72xHUSjICNJ
-            0Wv8iDwxKRjQI2uol7KmPN0Vr9siMIMAP4yCppnmdxF5VcGbLWNu9lZfxlj5o4fS
-            XgHq8TJTMWKGF2Yq25/5rKmIb/8cCOU8XLNZ3xT4X2dErqV+nWtmXgmNySCphn+C
-            xK/cKHseztzXzffdqCrJCaeo2KmTou+gMyDEmJrVLhrcIMayptt9dc0dgJ12N3s=
-            =pLWS
+            hQIMA0av/duuklWYAQ/+KtiEJNL7M4M8NH+UhisZPM5q7RecKdQde4yjJF5YrXey
+            SNcy98WJJrX4p5ZBccLxJ6IW6UNIxFz7JX227jQDCAbPvGBh0uCJTpSosChJHs7s
+            GUt/7CHfyV2+Z0FJS6iN6AZrE6Kjkkc3Uyp/Wt1va56gQ8Xx9hZHhjjgXEiORYWZ
+            bU7DKvX5n5A7GNkrBTZ/+YKtRqT/m6ZPVWfVnY0rY9KhzfvmmyOpQrB7n/DcdUbf
+            +OhAP7p3UdEWquh9OJOiDRUqo7ykGCw/dYltmt2I9JcGiyKsLyyTTtFWgZSnUCsm
+            DFCGXkFwPOsxE1WxRpl0mR7P77rMvHxJEukUNUW0DMPUjzaaHH8LINukgpOD0hpQ
+            yvfFjRKUG4Ygi4mSmETylll7pD9XBRfihTjJ5vh4VQH5PAHecWtIXgYSso12Zx6v
+            nmvgZTmikSBImEqS/MOM5Zx+esmjlEsgKuXP9HmIwBwHExLGF7U93OGswF3vEW+X
+            GuMguPfwmW/w4fFX8t2Ln9uA/E06SlD7wG9sZji1NkwW/h0/3BEOdcg5MTyQQdNe
+            mn5pyFKoH88Km2ktjVRq10ImUa2ZLyL/6RTHZ+BryXvRDtBW0zzbZhPHVvpCLKbZ
+            lkLSEwVhGFfWaRWfGsEx28MGMKicirZjw/RsRXq19alruLW3entRRRkFV71zeMXS
+            XgESJpGWxo709IBQvsooJ/2VRHnGZNkvJipWc9pPmRYQLrxP9jxX34jcmjkNYX08
+            wcmJ+ioRqPV1qvYfxdnKTtth4g7ePZywDo6FUgiCwaEa8jhR8ISsDM2DCDAg/LA=
+            =3HI1
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted

secrets/skrot/skrot.yaml

@@ -0,0 +1,93 @@
+dibbler:
+    postgresql:
+        password: ENC[AES256_GCM,data:3X9A3jOpFVRuBg0gRiCEsZVKfLI=,iv:XC7LBNUhALk9IEhItV8fO5p/m7VKL0REBY1W2IZt7G4=,tag:l18R7EhbOlucZHFQiEvpHw==,type:str]
+sops:
+    age:
+        - recipient: age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTk5YU3Z2Yy9HS1R4ME5I
+            UU1PRWVncHJYcXY5RlFpOWVQUWZsdy93ZDFBCnlxWkpaL1g5WmNSckNYd202WE40
+            RkwwSEM1YUNNZmozejlrdW8yY1JiekkKLS0tIHVWY0JKZm9CNWhzVGl4cG82UXZs
+            ZnllQzJiK1ZkRmFndmtYdW9IclFWY1EK82f1iGt3nt8dJnEQlMujNqConf6Qq6GX
+            hqoqPoc2EM4kun28Bbpq4pAY7eEPRrWFqOkjYVvgIRoS88D7xT3LWg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5WTJIOUcxRlBuNmRrNUZo
+            MXFxeVJBTEhDK00yTUw1U2dHckNFYWZKWkhNCnYxYmtrUEVvd1RaYUI5WTRTRW16
+            S2NhbDdpdDZhSkVWeUhjZDhKd3ZpTmcKLS0tIFovWm5lOXBzcnN3Zm5GQlBhNmlp
+            eTB4WldMNW9GNUwwaEUzRThsemxRVzQKGpa0J2PBzDRdHijm0e3nFAaxQCHUjz+L
+            KataXJEMCijJ6k+7vpb5QMxe2jB1J2PMxNGFp0bWAy2Al3p/Ez2Kww==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaW1ZSXhVeFVTQW9WYzVh
+            WkVUM2JkOU5VNU9oQXE2Y2pvcFlOWTdvbnpJClduS0RHL2xja291a2doQ0wzbzhQ
+            NmJOSGVvQUdxM3IvaS8zRW1VbVhvYmsKLS0tIHoyOUdvT0xXWXo3SWcyQ1lqTmJS
+            ZUdnS2RvOXI1dGNYQTl6ZHE1cUdMWHMK4ycAJQLyKCgJIzjQ02bPjz4Ct9eO6ivw
+            kfWhyMaoWwM9PhFcwSak0cLpX0C/IOzSzO78pf3WhG16pV7aXapdog==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqaml0OVlhcUJSU1hSY3lP
+            bkM0cUV4Z2ZLeERHZ3BUNExuYS9KSU5CekQ4CmQ3SE1vdDBtdFJ6czZYR3U5Tk1X
+            SFJmTVlERjBzV0hFalFLMmVLQzNNdXMKLS0tIDdJLzZveFdnYTI0azk1UXJZLzZF
+            Sy9XbjhwOFR6SFpaNHZLd3ZxdmxOVUEKBBbGmdVVlKHxO+/iODznLP3+dJGppybW
+            +1k9uenVHzie+pDKcrQpSyX2WDnmgg7hUAUiXPuz1eEWmwbRJnU/5w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXK01vOVV5YlhsZ2ljYS91
+            OUVEaEpTbXFKOHVNVDVoMTlrS05wRmsyM2dvCjZHOXlCUGowd0J4UlQzSzM5dWJ0
+            eU50SHdtZ2ZyUE1JVHdvODFxWDYvRWsKLS0tIDhlRVQ0Mm5Ua0J2aExqMzRyUGlP
+            RUR6Yi9SUDFCUkZmRk5hYTVFeGloZXcKY/XtaSoW8Pu2wS4oistLSc0T5JvMnt+w
+            s3yfe/zx9/1K6OtbeljF9FZVOB/dOamvk+Qlfl0T5qush7/WgGzErA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOM0pFb2tRTURtWmp6elRN
+            M0xtajlzMTNPMnppcGhJMVlsNHdwWmNGbFVFCnlxM1JQTkR2elAvdytKUEJ3djBS
+            UnlhL0tLLzY3Z05RU3phNDZIOGtTMFEKLS0tIEpOZDUxU1JQVXJTbmVFQlVkOUcy
+            eWlyWGhaS1JCNitUSVVScFk2WGEvOG8K2rpYPGx5jhyyRK4UkeJR96wDFr4Frzsr
+            QWz7fYZRWKWf0H0qn+bm9IfVJiBAlS5i16D1FnipZVmdWefFaZSEPg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVFV0WVZrK0wzbnhkcmcz
+            c2lIdVlKcFpoYjZIWlNPN0M5N2g2WG9YdlRJCjg5YlNoSzQ5YW5yRUVSeTEzRThY
+            WklKQzlzRXdrUUlFNzF4M1BFZCtPT28KLS0tIDlUOTVIQVZJNFJwTnQxN0Z1ZlQx
+            MmxPMWNPYzJiOFRqY2VYczhvRm5IR3cKpUVV+zsMolsHI2YK9YqC6ecNT6QXv0TV
+            d1SpXRAexZBeWCCHBjSdvQBl8AT4EwrAIP2M2o++6i5DaGoGiEIWZQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-10T20:02:28Z"
+    mac: ENC[AES256_GCM,data:i8CjVxoD7zdkLNJlI9DCo/tDV5DUI7JdpozLtYZzI7Cu51GayaE2Y3Wg4de6P0L7C3FER04WfRe/h+G9PLZICX/CfSipQysyrEq3Pjt9IKsjytDhP9VYJ36QFGF0PuHUQAMSLts/tAoAvLue6MP+V82l5js9ghvyBrzyBGxoyJw=,iv:QFNxvCYxrSkwy7iT+2BEacNPftDXju1cibprVPDjic0=,tag:496E+oCy/VwTylyaWhQD+A==,type:str]
+    pgp:
+        - created_at: "2026-02-10T20:01:32Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYARAAnSjSeI8BybEl1PwNt3KTGcUjpCI+XZPWgNWuvjIymVBv
+            ZgNESNktJB4loNvd/+TIADE7TqGFQK9ev6IPRoDHHkSMdmJ9Bc/lu2HPO+rJa1yD
+            vLXbjf8vRa+GkBDV8DTrPPFvSrHY+jv9vQIzY3nQPKMlyV58E85N262q/2gJUfm9
+            cy/dYE2BUWMQC1DfiGbBRC4xGHhp94XccOMBkIpchP+BL90ZVpocnxeSrSjBsSLE
+            wuhMQPRQSI4PFm8ZYajf6tF001HDa5zaqF1lqkTxtxypDDUr8BVb9n/ObaD8omDI
+            QHQUiPmVgpDs7w2Ph5UgJxK1c+dOcG+mXsl1CHOLldA29sNzDBuh94PKfRl1B3cY
+            KPoPIqntdn59zzRDbuVJxWeJal7Ffynwsrx4h7w7muIR/FYeaFphsokE5Q6gqwTO
+            ZqWY2tuQ0CFRtMl7HB7ZVdSsKv6D5DlesXPXdrhQBKRrNylBpSBmcZH8KRAuHGNj
+            4GFZRN++GFuq54d7wB689kn+F7+pbNom7CDILXiCrz8+9DjFw0maDRoas8OaUyW6
+            kfyJe/YnK94EyCPitkJWYc9uvA2t9y25Rm9uUSvh7WnTFAEK9mJLOal4VgHbqCtg
+            zSGbdw79U4H0Umbi5eSCvEYNtv7eBzKaS/t6irfDRr1WajNhThcd1wmnvjZYxl3S
+            XgHOucYvQvxXjqG0B0Qbd12ucYthPO1+gozEzWxJx2wtiL3gClPYOaiteRlO/XQA
+            WTG6A36X3IxB6qW8lEx12geyjHxFYb82BjyrBnnlj+YcViIBpPQqd8Dz6sl4Rls=
+            =tCoI
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

topology/default.nix

@@ -228,7 +228,7 @@ in {
         (mkConnection "demiurgen" "eno1")
         (mkConnection "sanctuary" "ethernet_0")
         (mkConnection "torskas" "eth0")
-        (mkConnection "skrot" "eth0")
+        (mkConnection "skrott" "eth0")
         (mkConnection "homeassistant" "eth0")
         (mkConnection "orchid" "eth0")
         (mkConnection "principal" "em0")

users/alfhj.nix

@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  users.users.alfhj = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMCAYE0U3sFizm/NSbKCs0jEhZ1mpAWPcijFevejiFL1 alfhj"
-    ];
-  };
-}

users/amalieem.nix

@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  users.users.amalieem = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" ];
-    shell = if config.programs.zsh.enable then pkgs.zsh else pkgs.bash;
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
-    ];
-  };
-}

values.nix

@@ -40,10 +40,6 @@ in rec {
       ipv4 = pvv-ipv4 168;
       ipv6 = pvv-ipv6 168;
     };
-    dagali = {
-      ipv4 = pvv-ipv4 185;
-      ipv6 = pvv-ipv6 185;
-    };
     ildkule = {
       ipv4 = "129.241.153.213";
       ipv4_internal = "192.168.12.209";
@@ -89,6 +85,10 @@ in rec {
       ipv4 = pvv-ipv4 235;
       ipv6 = pvv-ipv6 235;
     };
+    skrot = {
+      ipv4 = pvv-ipv4 237;
+      ipv6 = pvv-ipv6 237;
+    };
     temmie = {
       ipv4 = pvv-ipv4 167;
       ipv6 = pvv-ipv6 167;