Run shellcheck

update sops keys for skrott
secrets: sops updatekeys
2026-02-08 12:10:53 +01:00 · 2026-02-07 22:17:09 +01:00 · 2026-02-08 05:19:26 +09:00 · 2026-02-07 21:12:03 +01:00 · 2026-02-07 01:46:55 +09:00 · 2026-02-07 00:56:38 +09:00
22 changed files with 110 additions and 487 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -20,7 +20,7 @@ keys:
  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
-  - &host_skrott age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
+  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8

 creation_rules:
@@ -144,5 +144,6 @@ creation_rules:
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
+      - *user_vegardbm
      pgp:
      - *user_oysteikt
--- a/base/networking.nix
+++ b/base/networking.nix
@@ -3,10 +3,6 @@
  systemd.network.enable = true;
  networking.domain = "pvv.ntnu.no";
  networking.useDHCP = false;
-  # networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  # networking.nameservers = lib.mkDefault [ "129.241.0.200" "129.241.0.201" ];
-  # networking.tempAddresses = lib.mkDefault "disabled";
-  # networking.defaultGateway = values.hosts.gateway;

  # The rest of the networking configuration is usually sourced from /values.nix

--- a/docs/secret-management.md
+++ b/docs/secret-management.md
@@ -151,7 +151,7 @@ is up to date, you can do the following:

 ```console
 # Fetch gpg (unless you have it already)
-nix-shell -p gpg
+nix shell nixpkgs#gnupg

 # Import oysteikts key to the gpg keychain
 gpg --import ./keys/oysteikt.pub
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769510541,
-        "narHash": "sha256-jxuQY0anT3YpwpnYB5w7p6EPS6UWIj4vGxzfsOJvC1I=",
+        "lastModified": 1770133120,
+        "narHash": "sha256-RuAWONXb+U3omSsuIPCrPcgj0XYqv+2djG0cnPGEyKg=",
        "ref": "main",
-        "rev": "ec43f67e58f049a709fa2c19601b8c637f38126f",
-        "revCount": 232,
+        "rev": "3123b8b474319bc75ee780e0357dcdea69dc85e6",
+        "revCount": 244,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      },
--- a/flake.nix
+++ b/flake.nix
@@ -205,8 +205,6 @@
        ];
      };

-      dagali = unstableNixosConfig "dagali" { };
-
      brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
        modules = [
          inputs.grzegorz-clients.nixosModules.grzegorz-webui
--- a/hosts/bekkalokk/services/mediawiki/default.nix
+++ b/hosts/bekkalokk/services/mediawiki/default.nix
@@ -162,6 +162,24 @@ in {
      $wgDBserver = "${toString cfg.database.host}";
      $wgAllowCopyUploads = true;

+      # Files
+      $wgFileExtensions = [
+        'bmp',
+        'gif',
+        'jpeg',
+        'jpg',
+        'mp3',
+        'odg',
+        'odp',
+        'ods',
+        'odt',
+        'pdf',
+        'png',
+        'tiff',
+        'webm',
+        'webp',
+      ];
+
      # Misc program paths
      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
@@ -257,6 +275,7 @@ in {
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+      UMask = lib.mkForce "0007";
    };
  };

@@ -265,6 +284,7 @@ in {
    serviceConfig = {
      BindReadOnlyPaths = [ "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key" ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
+      UMask = lib.mkForce "0007";
    };
  };
 }
--- a/hosts/bekkalokk/services/website/fetch-gallery.nix
+++ b/hosts/bekkalokk/services/website/fetch-gallery.nix
@@ -1,8 +1,14 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, values, ... }:
 let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
 in {
+  users.users.${config.services.pvv-nettsiden.user} = {
+    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
+    #       is there anything we can do to remove this?
+    useDefaultShell = true;
+  };
+
  # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
  services.rsync-pull-targets = {
    enable = true;
@@ -11,6 +17,7 @@ in {
      rrsyncArgs.wo = true;
      authorizedKeysAttrs = [
        "restrict"
+        "from=\"microbel.pvv.ntnu.no,${values.hosts.microbel.ipv6},${values.hosts.microbel.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
@@ -40,8 +47,8 @@ in {
      }}

      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
-      while IFS= read fname; do
+      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf "${transferDir}/gallery.tar.gz" | sed 's|/$||')))
+      while IFS= read -r fname; do
        rm -f "$fname" ||:
        rm -f ".thumbnails/$fname.png" ||:
      done <<< "$filesToRemove"
@@ -51,7 +58,7 @@ in {
      mkdir -p .thumbnails
      images=$(find . -type f -not -path "./.thumbnails*")

-      while IFS= read fname; do
+      while IFS= read -r fname; do
        # Skip this file if an up-to-date thumbnail already exists
        if [ -f ".thumbnails/$fname.png" ] && \
          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -60,7 +67,7 @@ in {
        fi

        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+        mkdir -p "$(dirname ".thumbnails/$fname")"
        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
--- a/hosts/bicep/services/mysql/backup.nix
+++ b/hosts/bicep/services/mysql/backup.nix
@@ -57,7 +57,7 @@ in
      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"

-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt "${toString (rotations + 1)}" ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
--- a/hosts/bicep/services/postgresql/backup.nix
+++ b/hosts/bicep/services/postgresql/backup.nix
@@ -58,7 +58,7 @@ in
      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"

-      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt "${toString (rotations + 1)}" ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
--- a/hosts/dagali/TODO.md
+++ b/hosts/dagali/TODO.md
@@ -1,78 +0,0 @@
-# Tracking document for new PVV kerberos auth stack
-
-![Bensinstasjon på heimdal](https://bydelsnytt.no/wp-content/uploads/2022/08/esso_heimdal003.jpg)
-
-<div align="center">
-  Bensinstasjon på heimdal
-</div>
-
-### TODO:
-
- [ ] setup heimdal
-  - [x] ensure running with systemd
-  - [x] compile smbk5pwd (part of openldap)
-  - [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
-  - [ ] fully initialize PVV.NTNU.NO
-    - [x] `kadmin -l init PVV.NTNU.NO`
-    - [x] add oysteikt/admin@PVV.NTNU.NO principal
-    - [x] add oysteikt@PVV.NTNU.NO principal
-    - [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
-      - why is this needed, and where is it documented?
-      - `kadmin check` seems to work under sudo?
-      - (it is included by default, just included as error message
-         in a weird state)
-
-    - [x] Ensure client is working correctly
-      - [x] Ensure kinit works on darbu
-      - [x] Ensure kpasswd works on darbu
-      - [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
-
-    - [ ] Ensure kdc is working correctly
-      - [x] Ensure kinit works on dagali
-      - [x] Ensure kpasswd works on dagali
-      - [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
-
-    - [x] Fix FQDN
-      - https://github.com/NixOS/nixpkgs/issues/94011
-      - https://github.com/NixOS/nixpkgs/issues/261269
-      - Possibly fixed by disabling systemd-resolved
-
- [ ] setup cyrus sasl
-  - [x] ensure running with systemd 
-  - [x] verify GSSAPI support plugin is installed
-    - `nix-shell -p cyrus_sasl --command pluginviewer`
-  - [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
-  - [x] verify cyrus sasl is able to talk to heimdal
-    - `sudo testsaslauthd -u oysteikt -p <password>`
-  - [ ] provide ldap principal to cyrus sasl through keytab
-
- [ ] setup openldap
-  - [x] ensure running with systemd
-  - [ ] verify openldap is able to talk to cyrus sasl
-  - [ ] create user for oysteikt in openldap
-  - [ ] authenticate openldap login through sasl
-    - does this require creating an ldap user?
-
- [ ] fix smbk5pwd integration
-  - [x] add smbk5pwd schemas to openldap
-  - [x] create openldap db for smbk5pwd with overlays
-  - [ ] test to ensure that user sync is working
-  - [ ] test as user source (replace passwd)
-  - [ ] test as PAM auth source
-  - [ ] test as auth source for 3rd party appliation
-
- [ ] Set up ldap administration panel
-  - Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
-
- [ ] Set up kerberos SRV DNS entry
-
-### Information and URLS
-
- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
- Use a keytab: https://kb.iu.edu/d/aumh
- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
- saslauthd(8): https://linux.die.net/man/8/saslauthd
--- a/hosts/dagali/configuration.nix
+++ b/hosts/dagali/configuration.nix
@@ -1,51 +0,0 @@
-
-{ config, pkgs, values, lib, ... }:
-{
-  imports = [
-    ./hardware-configuration.nix
-    ../../base.nix
-    ../../misc/metrics-exporters.nix
-
-    ./services/heimdal.nix
-    #./services/openldap.nix
-    ./services/cyrus-sasl.nix
-  ];
-
-  # buskerud does not support efi?
-  # boot.loader.systemd-boot.enable = true;
-  # boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/sda";
-
-  # resolved messes up FQDN coming from nscd
-  services.resolved.enable = false;
-
-  networking.hostName = "dagali";
-  networking.domain = lib.mkForce "pvv.local";
-  networking.hosts = {
-    "129.241.210.185" = [ "dagali.pvv.local" ];
-  };
-  #networking.search = [ "pvv.ntnu.no" "pvv.org" ];
-  networking.nameservers = [ "129.241.0.200" "129.241.0.201" ];
-  networking.tempAddresses = "disabled";
-  networking.networkmanager.enable = true;
-
-  systemd.network.networks."ens18" = values.defaultNetworkConfig // {
-    matchConfig.Name = "ens18";
-    address = with values.hosts.dagali; [ (ipv4 + "/25") (ipv6 + "/64") ];
-  };
-
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-    # TODO: consider adding to base.nix
-    nix-output-monitor
-  ];
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.05"; # Did you read the comment?
-}
--- a/hosts/dagali/hardware-configuration.nix
+++ b/hosts/dagali/hardware-configuration.nix
@@ -1,33 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4de345e2-be41-4d10-9b90-823b2c77e9b3";
-      fsType = "ext4";
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/aa4b9a97-a7d8-4608-9f67-4ad084f1baf7"; }
-    ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
--- a/hosts/dagali/services/cyrus-sasl.nix
+++ b/hosts/dagali/services/cyrus-sasl.nix
@@ -1,21 +0,0 @@
-{ config, ... }:
-let
-  cfg = config.services.saslauthd;
-in
-{
-  # TODO: This is seemingly required for openldap to authenticate
-  #       against kerberos, but I have no idea how to configure it as
-  #       such. Does it need a keytab? There's a binary "testsaslauthd"
-  #       that follows with `pkgs.cyrus_sasl` that might be useful.
-  services.saslauthd = {
-    enable = true;
-    mechanism = "kerberos5";
-    config = ''
-      mech_list: gs2-krb5 gssapi
-      keytab: /etc/krb5.keytab
-    '';
-  };
-
-  # TODO: maybe the upstream module should consider doing this?
-  environment.systemPackages = [ cfg.package ];
-}
--- a/hosts/dagali/services/heimdal.nix
+++ b/hosts/dagali/services/heimdal.nix
@@ -1,100 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  realm = "PVV.LOCAL";
-  cfg = config.security.krb5;
-in
-{
-  security.krb5 = {
-    enable = true;
-
-    # NOTE: This is required in order to build smbk5pwd, because of some nested includes.
-    #       We should open an issue upstream (heimdal, not nixpkgs), but this patch
-    #       will do for now.
-    package = pkgs.heimdal.overrideAttrs (prev: {
-      postInstall = prev.postInstall + ''
-        cp include/heim_threads.h $dev/include
-      '';
-    });
-
-    settings = {
-      realms.${realm} = {
-        kdc = [ "dagali.${lib.toLower realm}" ];
-        admin_server = "dagali.${lib.toLower realm}";
-        kpasswd_server = "dagali.${lib.toLower realm}";
-        default_domain = lib.toLower realm;
-        primary_kdc = "dagali.${lib.toLower realm}";
-      };
-
-      kadmin.default_keys = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96:pw-salt"
-        "aes128-cts-hmac-sha1-96:pw-salt"
-      ];
-
-      libdefaults.default_etypes = lib.concatStringsSep " " [
-        "aes256-cts-hmac-sha1-96"
-        "aes128-cts-hmac-sha1-96"
-      ];
-
-      libdefaults = {
-        default_realm = realm;
-        dns_lookup_kdc = false;
-        dns_lookup_realm = false;
-      };
-
-      domain_realm = {
-        "${lib.toLower realm}" = realm;
-        ".${lib.toLower realm}" = realm;
-      };
-
-      logging = {
-        # kdc = "CONSOLE";
-        kdc = "SYSLOG:DEBUG:AUTH";
-        admin_server = "SYSLOG:DEBUG:AUTH";
-        default = "SYSLOG:DEBUG:AUTH";
-      };
-    };
-  };
-
-  services.kerberos_server = {
-    enable = true;
-    settings = {
-      realms.${realm} = {
-        dbname = "/var/lib/heimdal/heimdal";
-        mkey = "/var/lib/heimdal/m-key";
-        acl = [
-          {
-            principal = "kadmin/admin";
-            access = "all";
-          }
-          {
-            principal = "felixalb/admin";
-            access = "all";
-          }
-          {
-            principal = "oysteikt/admin";
-            access = "all";
-          }
-        ];
-      };
-      # kadmin.default_keys = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96:pw-salt"
-      #   "aes128-cts-hmac-sha1-96:pw-salt"
-      # ];
-
-      # libdefaults.default_etypes = lib.concatStringsSep " " [
-      #   "aes256-cts-hmac-sha1-96"
-      #   "aes128-cts-hmac-sha1-96"
-      # ];
-
-      # password_quality.min_length = 8;
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 88 464 749 ];
-  networking.firewall.allowedUDPPorts = [ 88 464 749 ];
-
-  networking.hosts = {
-    "127.0.0.2" = lib.mkForce [ ];
-    "::1" = lib.mkForce [ ];
-  };
-}
--- a/hosts/dagali/services/openldap.nix
+++ b/hosts/dagali/services/openldap.nix
@@ -1,121 +0,0 @@
-{ config, pkgs, lib, ... }:
-{
-  services.openldap = let
-    dn = "dc=pvv,dc=ntnu,dc=no";
-    cfg = config.services.openldap;
-
-    heimdal = config.security.krb5.package;
-  in {
-    enable = true;
-
-    # NOTE: this is a custom build of openldap with support for
-    #       perl and kerberos.
-    package = pkgs.openldap.overrideAttrs (prev: {
-      # https://github.com/openldap/openldap/blob/master/configure
-      configureFlags = prev.configureFlags ++ [
-        # Connect to slapd via UNIX socket
-        "--enable-local"
-        # Cyrus SASL
-        "--enable-spasswd"
-        # Reverse hostname lookups
-        "--enable-rlookups"
-        # perl
-        "--enable-perl"
-      ];
-
-      buildInputs = prev.buildInputs ++ [
-        pkgs.perl
-	# NOTE: do not upstream this, it might not work with
-	#       MIT in the same way
-        heimdal
-      ];
-
-      extraContribModules = prev.extraContribModules ++ [
-        # https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules
-        "smbk5pwd"
-      ];
-    });
-
-    settings = {
-      attrs = {
-        olcLogLevel = [ "stats" "config" "args" ];
-
-        # olcAuthzRegexp = ''
-        #   gidNumber=.*\\\+uidNumber=0,cn=peercred,cn=external,cn=auth
-        #         "uid=heimdal,${dn2}"
-        # '';
-
-        # olcSaslSecProps = "minssf=0";
-      };
-
-      children = {
-        "cn=schema".includes = let
-          # NOTE: needed for smbk5pwd.so module
-          schemaToLdif = name: path: pkgs.runCommandNoCC name {
-            buildInputs = with pkgs; [ schema2ldif ];
-          } ''
-            schema2ldif "${path}" > $out
-          '';
-
-          hdb-ldif = schemaToLdif "hdb.ldif" "${heimdal.src}/lib/hdb/hdb.schema";
-          samba-ldif = schemaToLdif "samba.ldif" "${heimdal.src}/tests/ldap/samba.schema";
-        in [
-           "${cfg.package}/etc/schema/core.ldif"
-           "${cfg.package}/etc/schema/cosine.ldif"
-           "${cfg.package}/etc/schema/nis.ldif"
-           "${cfg.package}/etc/schema/inetorgperson.ldif"
-           "${hdb-ldif}"
-           "${samba-ldif}"
-        ];
-
-        # NOTE: installation of smbk5pwd.so module
-        #       https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
-        "cn=module{0}".attrs = {
-          objectClass = [ "olcModuleList" ];
-          olcModuleLoad = [ "${cfg.package}/lib/modules/smbk5pwd.so" ];
-        };
-
-        # NOTE: activation of smbk5pwd.so module for {1}mdb
-        "olcOverlay={0}smbk5pwd,olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcOverlayConfig" "olcSmbK5PwdConfig" ];
-          olcOverlay = "{0}smbk5pwd";
-          olcSmbK5PwdEnable = [ "krb5" "samba" ];
-          olcSmbK5PwdMustChange = toString (60 * 60 * 24 * 10000);
-        };
-
-        "olcDatabase={1}mdb".attrs = {
-          objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-
-          olcDatabase = "{1}mdb";
-
-          olcSuffix = dn;
-
-          # TODO: PW is supposed to be a secret, but it's probably fine for testing
-          olcRootDN = "cn=users,${dn}";
-
-          # TODO: replace with proper secret
-          olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
-
-          olcDbDirectory = "/var/lib/openldap/test-smbk5pwd-db";
-          olcDbIndex = "objectClass eq";
-
-          olcAccess = [
-            ''{0}to attrs=userPassword,shadowLastChange
-                by dn.exact=cn=users,${dn} write
-                by self write
-                by anonymous auth
-                by * none''
-
-            ''{1}to dn.base=""
-                by * read''
-
-            /* allow read on anything else */
-            # ''{2}to *
-            #     by cn=users,${dn} write by dn.exact=gidNumber=0+uidNumber=0+cn=peercred,cn=external write
-            #     by * read''
-          ];
-        };
-      };
-    };
-  };
-}
--- a/hosts/gluttony/hardware-configuration.nix
+++ b/hosts/gluttony/hardware-configuration.nix
@@ -31,7 +31,7 @@
  };

  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/D00A-B488";
+    device = "/dev/disk/by-uuid/933A-3005";
    fsType = "vfat";
    options = [
      "fmask=0077"
--- a/hosts/kommode/services/gitea/customization/default.nix
+++ b/hosts/kommode/services/gitea/customization/default.nix
@@ -50,14 +50,14 @@ in
        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
      '';
    in ''
-      install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
-      install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
-      install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
-      install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
-      install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
-      install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+      install -Dm444 ${logo-svg} "${cfg.customDir}/public/assets/img/logo.svg"
+      install -Dm444 ${logo-png} "${cfg.customDir}/public/assets/img/logo.png"
+      install -Dm444 ${./loading.apng} "${cfg.customDir}/public/assets/img/loading.png"
+      install -Dm444 ${extraLinks} "${cfg.customDir}/templates/custom/extra_links.tmpl"
+      install -Dm444 ${extraLinksFooter} "${cfg.customDir}/templates/custom/extra_links_footer.tmpl"
+      install -Dm444 ${project-labels} "${cfg.customDir}/options/label/project-labels.yaml"

-      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
+      "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" "${cfg.customDir}/templates/"
    '';
  };
 }
--- a/hosts/kommode/services/gitea/web-secret-provider/default.nix
+++ b/hosts/kommode/services/gitea/web-secret-provider/default.nix
@@ -28,7 +28,7 @@ in
  users.users."gitea-web" = {
    group = "gitea-web";
    isSystemUser = true;
-    shell = pkgs.bash;
+    useDefaultShell = true;
  };

  sops.secrets."gitea/web-secret-provider/token" = {
--- a/modules/matrix-ooye.nix
+++ b/modules/matrix-ooye.nix
@@ -81,7 +81,7 @@ in

        if [[ ! -f ''${REGISTRATION_FILE} ]]; then
          echo "No registration file found at '$REGISTRATION_FILE'"
-          cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+          cp --no-preserve=mode,ownership "${baseConfig}" ''${REGISTRATION_FILE}
        fi

        echo "After if statement"
@@ -116,7 +116,7 @@ in
        fi

        shred -u ''${REGISTRATION_FILE}
-        cp --no-preserve=mode,ownership ${baseConfig} ''${REGISTRATION_FILE}
+        cp --no-preserve=mode,ownership "${baseConfig}" ''${REGISTRATION_FILE}

        ${lib.getExe pkgs.jq} '.as_token = "'$AS_TOKEN'" | .hs_token = "'$HS_TOKEN'" | .ooye.discord_token = "'$DISCORD_TOKEN'" | .ooye.discord_client_secret = "'$DISCORD_CLIENT_SECRET'"' ''${REGISTRATION_FILE} > ''${REGISTRATION_FILE}.tmp

--- a/modules/snakeoil-certs.nix
+++ b/modules/snakeoil-certs.nix
@@ -51,8 +51,8 @@ in
      script = let
        openssl = lib.getExe pkgs.openssl;
      in lib.concatMapStringsSep "\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
+        mkdir -p "$(dirname "${value.certificate}")" "$(dirname "${value.certificateKey}")"
+        if ! ${openssl} x509 -checkend 86400 -noout -in "${value.certificate}"
        then
          echo "Regenerating '${value.certificate}'"
          ${openssl} req \
--- a/secrets/skrott/skrott.yaml
+++ b/secrets/skrott/skrott.yaml
@@ -3,81 +3,90 @@ dibbler:
        password: ENC[AES256_GCM,data:2n85TO709GJc7/qoYp2RXO8Ttfo=,iv:5ZCZPEQQXPGYfDd1qPhDwDfm1Gds1M8PEX9IiCsHcrw=,tag:PAseyFBAe56pLj5Uv8Jd7A==,type:str]
 sops:
    age:
-        - recipient: age1hlvwswsljxsvrtp4leuw8a8rf8l2q6y06xvxtafvzpq54xm9aegs0kqw2e
+        - recipient: age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WllOQ1dRSUJ6a1pvNFg2
-            N0YrQVBtMFZKRml0dG5PUGVhcU9VUXVHc25nClNFSXowUVRRVVhNeHUrTVVZRGRC
-            YkpVYlcrZm1NTE1IT1pSTDdOZGNHYlEKLS0tIHlJbkNBb3o0TlJlbEtsQ2ZsYlJn
-            Wis3T2V5QVYvQi9laUdoaE1DbUZZZE0K/liRzp6TJeufyTzemv+zBTOwzkeJRID4
-            ZviYwwODWopB9/rCd8sIQaNXvEtvuXNWwcV1/p8DsJ9NHwqtdYHpmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdjk1L1N4QU5SK3pjTit6
+            V0hIZHhyOW9Rc2xWdE9yN0tmMG93V0IzZzA4Ck5OSUlRTE5mVGZtMTl3NDh1QzA2
+            Uk9RVnRENmVnQUZuQUVSeGxBS0VaK2sKLS0tIHRHbUUzcmlQbW0weXU0eWJKVmVT
+            ZUxJKzV3UDVVSW11SHRrWGxOSmgrZk0KyWxjEmCvNhiZfgXfObQfQ5riscy0mLFn
+            3pslIN7fbxgxnEVyAhl9FOUS65GrmWrrhvN0pkIpgMw1cqtCrZHxyw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByY0dTMWc2VEVRdTJyOXo4
-            R3BYb1VETHI2RktGVnVJUzg4WUsxbTNsK2tVCjVqVml3d29lK21wUXFnRm5GNHdX
-            blV4NEFZU01ZS3Qwc2FSMlVDRlU0SEEKLS0tIExwWXFJZGRTaTBSbjZtdTBXSXNJ
-            TUhJWkIrdGg5UDdDQkdnQk50YTQ0M0UKqoMwtPlOSIqMcLvII/EVuZGrNDeULJHK
-            l7xCzQM0n72E/zxPuO7koVXVcUNwn4kNQCRLOHLcuqx2ZRD8Oc+zNA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoVFh2WC9iVHpURDBzckdB
+            UjVGcHkyR3V6VHVMbXc4c21ob1lSMDRWeW44ClgzRXhLY2RYN2hleDNLWHoyeXVm
+            T2xJMlNZMml2NGZDNmlQWGp6RXJRQ1EKLS0tIGNmK0lGdjRLM3l4S3JVazZ0MkFU
+            SzZOMFNvcGZRcjJsU242cnZ4NU9OZmcKxlRdhZlXP4KQBHFLFt195H5R33hLuQ0O
+            bVHtQk00IZmMPq4R4aOc0WMkuJxcFaLi0YDQigcFtReSvWDhTHns7A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNy8rcHpJclk1b0h2T0dw
-            U0pBYlJvQXlZTG1PeTRCV2hONEJlUWFqdUIwClJ4QnQyOGt4d1NEcVZYek9JUC9X
-            UW0wNjArK2YvZDRMMGpRU1N1dk9jSDQKLS0tIGJMbkZxLzZBVm4wNXVTNFpoRDNo
-            a3dwemI2Wlh2RE8zN0xsbmY5YnJUeTAKhkSpB4RgrfbDpK7IwLs1KGXCj8v0Rze3
-            YZh3BHW2WZLS7uQcIe/tnpIHwPrQnadKeYIw7xBmXu9dWyim9/5RyQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBua0cvc21qeFp4d1NZZ0Vw
+            aWhldXVjUm1wSmJPdnpZV1JvTVowSWw4RVU0CngzUWkrcXA1TkpZN1M4QVBCS0pX
+            Z0w5aURoQU9Xck1RckNsRTlGeWk2N2cKLS0tIFlSdG05V2l6eStURDJVTXEzc0Zh
+            U2tFemF1djFGeVFQYWg5NjFhdW13Vm8K/QztsuBUcmJNBta3R7uYHGzqKOCRus3s
+            bFd2AOC0PNqvAe8e5q2XYf87MUt/U6AaFjroaDpoC3IUI2+qLJDXDA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxUnA5SXNucGN4bi9zeGlU
-            TzJPUGk5SWVONFVVYnNnejJBdFJmL3d1S0Y0Ci9SOVZmVUMzRWNicGN2dE5aRy80
-            MFh3MUNTSE5EWEhQcUFsUENDdWlWYkkKLS0tIDYrb2RzVm9OTHlzKzBCdEtPYnF3
-            L2VmNm5ITEUwUVJ3WXRmVGZnY0RSNE0KraXjJSZ9HKV8SO93khWVjBJcEYQLI0Rm
-            lQuagfkZ5oaedsPGNqaXWo/cd3g2SZOfhmmRxY9R9gxmnjpP4L6gGg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkcUVib2tsd3lNS0VmOGNS
+            WWR6NDE5RWw3bStqVjRtdWFSM1E2QUp2cEg0Cm0zdjE3eVpUS3M1L241akM3cyta
+            WGVFVGtQVnQ1d2U1QVRSYXE1YUYrTU0KLS0tIGRTK29EdzVka3hmaFIrSnVUQ1c5
+            c0YxcWZIRHRxZEVjVk9MckJMVisyS28KGH6+9IXIBeXrrZ3AoL3zU1v6EA5TNwN5
+            8DgPO9+yfVesZiEJ0MNhs6tXAA4ODInpU1CUdsjKWRA6/QXBbmEUQw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKTlgxOGJwbDYrbXNDWmNY
-            YzZGTTdlQXBFRUEySW1Rd0Z4bi90akZIOGpBCjdseUJIeGlJZVB1WDNFeU5LZDE0
-            cExQSFBPTWlUbVRjREdJaXROTjRwWTgKLS0tIENPM2VnZGtyaUowZmx5ZVdZVjRz
-            SW9kSTVBbDJUWHBzV0xBYTlReGloSkEKq6Q3HVKRnw2B0CUvgXlUkQUBgmCNLP80
-            fY5/ePAWZKt4P6TxzPNFH3aANWcnVC2/QxF2RgYfDXKKp1AVlAIlTA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLS0RnMDNOZzBIZzF4VG1R
+            T083bXFOdE1JSzl0SE1SUGlxdnFFQVluWVgwCnRLMThOSU45RTRFMVZybm9YV01n
+            K1pCMThGUFhMMzZhUEszRlZlK2FoQXcKLS0tIHdJRGw4aEU5UkgrU3ZEZXl4bDhi
+            dCtIVkdSWmg1dGNzNmhjZDBiWUJVWkEKSZySabmhM3HDXdduzFGAbOPR6m1CjwWb
+            ttMA9hTvl+T/UqYjxSHj8hmsyTfDY7a4sfHaFcMBJMJrjuEllm/L9g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvS2gzN0ZyakcyVjlYRUZU
-            OFNmUHhsTysxV0JIV1JlM3hLNW9KRm9oY0gwCkh3SWxUV3ZqRXluVVRyRC9OQzVa
-            ODE0NnE2ZHdZc1Qrdkp0YWZFZ0xnMWMKLS0tIFFsNElqVlZ3Sm56b2ZNcEpQMXo4
-            RGJCWmpyd1g1NC9Ud3I3TWRBZ2llblEKVrHE0kPVjapor98D4Z1gCtQsuWS/iAuE
-            5cje1AZdpYVdHoRtzRxKwPekfm9xa/knzFckjjO0JizTQWTPYg0gsQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEYmF6cm5xUHVKMWw3MHJD
+            cWsvZTNWUjRZNDQxbFdDWGh5dUpCc2lGTTNjCm1uV0FCVEgxOG5WbXJUdXlkYTZW
+            KzFzaDNma3RJWEtlUmFHNGxNVUFKN28KLS0tIFFCSi82Q3EvV01UeHg4bG96K1Jm
+            S2JrZlcwcGsrTzdFTDlHcktJd0hmUVUKt0W/8r+L1m25kHKbh5RcweKbl4JB5xqX
+            DYUhUW1Rh1EI63CgVzriz4HZjuNGiuqG9cFv72wIg9Hl2lBPpkC4LQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQYUtHY1djWno1MG1zQTRB
+            ZHNjbitQbTUwVjFkZWtHU0gwUFFMTTIrQUVZCkUwd3UrbmpyMndXcVl6MEFsSktX
+            L1ZBM2ZPbGMycXd0MDRyWGI1SHh2NVkKLS0tIHFKcS82cUJYZ2V6dHJ6djJSajFy
+            RkIzYUI3dUZjenpxRnplOTZKZmhoS0kKDw9Zuf57k+MAINMReYcCN1DoTtFMgKGJ
+            CWwkNN59Ojgz757xS+2cmK6oxAkDRcN+KZc3sANdj0LY//rXq/UJgw==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2026-01-25T14:03:57Z"
    mac: ENC[AES256_GCM,data:RBf3LjVNSclsPN7I4QPaDUjWbKlaccjk3rzsRNdRe3+OvJSd7MsS9RfpUFCqUtO7ZkkocXHmkHA8z8LNxs6vejT9czMsLLQD14qHZS6fFdTnToOx3Kt5UuviPO/2UryVI+6HWORkH1aqFJhzkSMop2TO5mzuOTfbCEBLYUUuS6s=,iv:NQs8O1hIbjzGBTZo+gCuisj3edraFGk/Y146HmfPmQY=,tag:4g9IXw2UFC5V9EIHuWJqdA==,type:str]
    pgp:
-        - created_at: "2026-01-26T04:52:39Z"
+        - created_at: "2026-02-07T21:15:24Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

-            hQIMA0av/duuklWYARAAtSg5bRhk7DN14CpdTtG9XPwQfZAP2EvCpFqXcU1LnIqi
-            odRqr1vzFlgXH/A/36C/c/JN7M0673PWivUidiMU38/WExgzxPTe/mpwoTHqRRgG
-            aSP5or2UjhwbN7M844JGbTMNAIUh9bVG2/Qm6cLFhv2HalAVhhnWsbIdJIjUmpjU
-            cMjCfxO36uTVp1SajeJKd9x9n+AbWY84SzN/7HYrFcJQomOyb6FcioIwHcIe2YdN
-            GEdNkA13+hTNBR2ZYW3wrPxr39qK4R3mEJambwZLhQfRwUaqIB6PqvXICdqeLbRc
-            2OfzR5oN5HE3Z7QGwDDM8x8diegLYUyTyY3yhJ8PcCs44mXL2XN6XGefgNWuxxDd
-            o8189NRNXD2xloiIcbBJQ6Mpix+qlEI4VRnaxiGI3huv/vpKqSxBZFCu4x4kxGwj
-            OuaX3cPsvjzj0WEFsAvmrUB/Qdabfhhdm1TgY1PqoXfCudyLuDYqRg8sjIIUjmtA
-            /EyXTO6Ah+vc/NP3mLcHeFAh91Lzvxvm6jEmpN7/jg9zbIzs0jNeVchFYxxVZuRn
-            J6ySrkQ5x4FC1DdJlxv36uOLdbsosgia8q3WHOfbt/Lyp/n1RuQX2Kjysi/C79ap
-            xYaozqRmuJIy4Ph4PbhA737PFS4GEyKsHfvskWeGvpGiu/XHP+R+AfE45Mac1O/S
-            XgEgpNsTDb4GS70fjYBjaSyLcgCeAhqt4Mm4O3UTrYWLfziVLMI7vl9zTznGmY9n
-            fS70cnezoSWVj9Nfz+EmmsRWwAYRebzqLWaAtPmrrS5IbWZkLgpay7ga1y9cACo=
-            =0Z+d
+            hQIMA0av/duuklWYARAAsIJXQn91VrFoSuu0ppgC79T2juR6mA7H5Z2NSGypbild
+            BsNPlWy+q8rpctGkria2Jm37Wz8Qu+sUNQ8Y2w6Z8Bv+M5tks62wc7qBjJkcZKmw
+            IjumrbsEmKQsZKS2YzGFcTjuwpBTGnACAMjUTz1rqnRcaq4U8Wqfi+mmf81yRSnR
+            F0emN015EmGCAUQYD6YRFMAw0PGbP3HiQrXQxdmv8zObbCg9d3+ZozurqFO2RmB4
+            SeZIUEtxgVDuMsr87AmHgbCr8Ux9eZmHU0qv+ejgbnXE7/MaUbppa1gy3RdcwHqG
+            DaETVa6YLUQqP9GOuTVy4gVr3AHtaGwMYRz30gjgQuoGUlQOG1U38PRtqe/94iHF
+            1lo14e31BSfHTnv66vupvWdfDXZme/1rOBJw0lM8Q+wHHJrr3mKmiLus85bJsMD7
+            M4Cn+5n3lE4kSrup8Y5fOsYSwq1WM9GYUfkVR+x2eHNmNdXLVHS0No6kA2TpKeqg
+            zbTyL59i+VBPfANCPehVYxFv7JM9pTFYQXDzMEAJcFerWBmB70HUoYXPZxeDEpiC
+            6seUT9lXM733QGbxwZLXRhXX4sDhJ7rMQJOvrxSvVDhiJx+Arqhz5srM8FlQHdjG
+            kfC507phCarRqXoef55G4trYjrr3zf+sWHRnPuh1IdFch3U+2CMrBUZIRU+C1nXS
+            XgHnubHvfLECTWfeEZUQvZaTtio1K3NSWqv/KBivBBRMfNI20A5erQXnocCYXB7o
+            RYisThHMQomNI7bT8vbf5/N/xlqEra5par0SDX16jl4FuU6dgKRuQ3SrpzFjQTA=
+            =ySHN
            -----END PGP MESSAGE-----
          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
    unencrypted_suffix: _unencrypted
--- a/values.nix
+++ b/values.nix
@@ -40,10 +40,6 @@ in rec {
      ipv4 = pvv-ipv4 168;
      ipv6 = pvv-ipv6 168;
    };
-    dagali = {
-      ipv4 = pvv-ipv4 185;
-      ipv6 = pvv-ipv6 185;
-    };
    ildkule = {
      ipv4 = "129.241.153.213";
      ipv4_internal = "192.168.12.209";
@@ -95,7 +91,7 @@ in rec {
    };
    gluttony = {
      ipv4 = "129.241.100.118";
-      ipv4_internal = "192.168.20.11";
+      ipv4_internal = "192.168.20.77";
      ipv4_internal_gw = "192.168.20.1";
      ipv6 = "2001:700:305:aa07::3b3";
    };
Author	SHA1	Message	Date
Felix Albrigtsen	81b458d59c	Run shellcheck Some checks failed Eval nix flake / evals (push) Successful in 8m32s Details Eval nix flake / evals (pull_request) Failing after 3h12m41s Details	2026-02-08 12:10:53 +01:00
Vegard Bieker Matthey	35907be4f2	update sops keys for skrott All checks were successful Build topology graph / evals (push) Successful in 4m2s Details Eval nix flake / evals (push) Successful in 8m37s Details	2026-02-07 22:17:09 +01:00
h7x4	210f74dc59	secrets: sops updatekeys All checks were successful Build topology graph / evals (push) Successful in 5m52s Details Eval nix flake / evals (push) Successful in 8m46s Details	2026-02-08 05:19:26 +09:00
Vegard Bieker Matthey	d35de940c1	update gpg install cmd for secrets Some checks failed Build topology graph / evals (push) Successful in 3m30s Details Eval nix flake / evals (push) Has been cancelled Details	2026-02-07 21:12:03 +01:00
h7x4	daa4b9e271	bekkalokk/mediawiki: adjust umask All checks were successful Build topology graph / evals (push) Successful in 3m23s Details Eval nix flake / evals (push) Successful in 10m11s Details	2026-02-07 01:46:55 +09:00
h7x4	12eb0b3f53	bekkalokk/mediawiki: allow uploading more filetypes All checks were successful Build topology graph / evals (push) Successful in 3m55s Details Eval nix flake / evals (push) Successful in 8m46s Details	2026-02-07 00:56:38 +09:00
h7x4	02bdb8d45b	kommode/gitea/web: use default login shell All checks were successful Build topology graph / evals (push) Successful in 6m45s Details Eval nix flake / evals (push) Successful in 8m47s Details	2026-02-05 13:25:06 +09:00
h7x4	a5143c0aaa	bekkalokk/nettsiden: fix gallery rsync target Some checks failed Build topology graph / evals (push) Successful in 3m30s Details Eval nix flake / evals (push) Has been cancelled Details	2026-02-05 13:19:29 +09:00
Vegard Bieker Matthey	561404cd87	bump dibbler All checks were successful Build topology graph / evals (push) Successful in 9m45s Details Eval nix flake / evals (push) Successful in 10m18s Details	2026-02-04 04:11:56 +01:00
System administrator	3338b4cd61	gluttony: fix ipv4 addr All checks were successful Build topology graph / evals (push) Successful in 3m23s Details Eval nix flake / evals (push) Successful in 8m41s Details	2026-02-03 21:05:53 +01:00
Vegard Bieker Matthey	2354dcf578	gluttony: update disk id All checks were successful Eval nix flake / evals (pull_request) Successful in 8m50s Details Build topology graph / evals (push) Successful in 5m45s Details Eval nix flake / evals (push) Successful in 10m1s Details	2026-02-03 16:18:43 +01:00