WIP: idp theme

Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>

.sops.yaml

@@ -7,7 +7,7 @@ keys:
 
   # Hosts
   - &host_jokum age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_ildkule age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
   - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
   - &host_bicep age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
 

base.nix

@@ -3,7 +3,6 @@
 {
   imports = [
     ./users
-    ./modules/snakeoil-certs.nix
   ];
 
   networking.domain = "pvv.ntnu.no";
@@ -59,7 +58,6 @@
     gnupg
     htop
     nano
-    ripgrep
     rsync
     screen
     tmux
@@ -84,50 +82,5 @@
     settings.PermitRootLogin = "yes";
   };
 
-  # nginx return 444 for all nonexistent virtualhosts
 
-  systemd.services.nginx.after = [ "generate-snakeoil-certs.service" ];
-
-  environment.snakeoil-certs = lib.mkIf config.services.nginx.enable {
-    "/etc/certs/nginx" = {
-      owner = "nginx";
-      group = "nginx";
-    };
-  };
-
-  services.nginx = {
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-    recommendedOptimisation = true;
-    recommendedGzipSettings = true;
-
-    appendConfig = ''
-      pcre_jit on;
-      worker_processes auto;
-      worker_rlimit_nofile 100000;
-    '';
-    eventsConfig = ''
-      worker_connections 2048;
-      use epoll;
-      multi_accept on;
-    '';
-  };
-
-  systemd.services.nginx.serviceConfig = lib.mkIf config.services.nginx.enable {
-    LimitNOFILE = 65536;
-  };
-
-  services.nginx.virtualHosts."_" = lib.mkIf config.services.nginx.enable {
-    sslCertificate = "/etc/certs/nginx.crt";
-    sslCertificateKey = "/etc/certs/nginx.key";
-    addSSL = true;
-    extraConfig = "return 444;";
-  };
-
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "drift@pvv.ntnu.no";
-  };
 }

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712798444,
-        "narHash": "sha256-aAksVB7zMfBQTz0q2Lw3o78HM3Bg2FRziX2D6qnh+sk=",
+        "lastModified": 1710169806,
+        "narHash": "sha256-HeWFrRuHpnAiPmIr26OKl2g142HuGerwoO/XtW53pcI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "a297cb1cb0337ee10a7a0f9517954501d8f6f74d",
+        "rev": "fe064a639319ed61cdf12b8f6eded9523abcc498",
         "type": "github"
       },
       "original": {
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712875951,
-        "narHash": "sha256-4kcRd2Q2XM4r+U2zp+LADjrzazKpWvs0WrMKPktEEkc=",
+        "lastModified": 1696346665,
+        "narHash": "sha256-J6Tf6a/zhFZ8SereluHLrvgPsIVm2CGHHA8wrbhZB3Y=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz",
-        "rev": "9eaba26b1671e8810cb135997c867ac3550e685a",
+        "rev": "9b9c3ac7d408ac7c6d67544b201e6b169afacb03",
         "type": "github"
       },
       "original": {
@@ -47,11 +47,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711853301,
-        "narHash": "sha256-KxRNyW/fgq690bt3B+Nz4EKLoubybcuASYyMa41bAPE=",
+        "lastModified": 1693864994,
+        "narHash": "sha256-oLDiWdCKDtEfeGzfAuDTq+n9VWp6JCo67PEESEZ3y8E=",
         "owner": "Programvareverkstedet",
         "repo": "grzegorz-clients",
-        "rev": "c38f2f22a6d47ae2da015351a45d13cbc1eb48e4",
+        "rev": "a38a0b0fb31ad0ad78a91458cb2c7f77f686468f",
         "type": "github"
       },
       "original": {
@@ -80,33 +80,13 @@
         "type": "github"
       }
     },
-    "nix-gitea-themes": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1712621190,
-        "narHash": "sha256-O8xtza+wPplTmSm0EAPk8Ud9sJ6huVNY6jU21FYHCp4=",
-        "ref": "refs/heads/main",
-        "rev": "812c1fc4061d534a8c7d35271ce32b6c76a9f385",
-        "revCount": 5,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1712848736,
-        "narHash": "sha256-CzZwhqyLlebljv1zFS2KWVH/3byHND0LfaO1jKsGuVo=",
+        "lastModified": 1710248792,
+        "narHash": "sha256-yFyWw4na+nJgtXwhHs2SJSy5Lcw94/FcMbBOorlGdfI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1d6a23f11e44d0fb64b3237569b87658a9eb5643",
+        "rev": "efbb274f364c918b9937574de879b5874b5833cc",
         "type": "github"
       },
       "original": {
@@ -117,11 +97,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1712437997,
-        "narHash": "sha256-g0whLLwRvgO2FsyhY8fNk+TWenS3jg5UdlWL4uqgFeo=",
+        "lastModified": 1710033658,
+        "narHash": "sha256-yiZiVKP5Ya813iYLho2+CcFuuHpaqKc/CoxOlANKcqM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e38d7cb66ea4f7a0eb6681920615dfcc30fc2920",
+        "rev": "b17375d3bb7c79ffc52f3538028b2ec06eb79ef8",
         "type": "github"
       },
       "original": {
@@ -133,11 +113,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1712837137,
-        "narHash": "sha256-9joaU/GD35J9Utb0ipelQbOcvsw5eoYTmSarLV3MbNk=",
+        "lastModified": 1710247538,
+        "narHash": "sha256-Mm3aCwfAdYgG2zKf5SLRBktPH0swXN1yEetAMn05KAA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "681d4a87b26b1dcaae7ffe6cf88c9912c575415f",
+        "rev": "21adc4f16a8ab151fec83b9d9368cd62d9de86bc",
         "type": "github"
       },
       "original": {
@@ -166,38 +146,17 @@
         "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
       }
     },
-    "pvv-nettsiden": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1712834399,
-        "narHash": "sha256-deNJvqboPk3bEoRZ/FyZnxscsf2BpS3/52JM4qXCNSA=",
-        "ref": "refs/heads/master",
-        "rev": "216e153f89f1dbdc4c98a7c1db2a40e52becc901",
-        "revCount": 451,
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
-      }
-    },
     "root": {
       "inputs": {
         "disko": "disko",
         "grzegorz": "grzegorz",
         "grzegorz-clients": "grzegorz-clients",
         "matrix-next": "matrix-next",
-        "nix-gitea-themes": "nix-gitea-themes",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "pvv-calendar-bot": "pvv-calendar-bot",
-        "pvv-nettsiden": "pvv-nettsiden",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
+        "ssp-theme": "ssp-theme"
       }
     },
     "sops-nix": {
@@ -208,11 +167,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1712617241,
-        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
+        "lastModified": 1710195194,
+        "narHash": "sha256-KFxCJp0T6TJOz1IOKlpRdpsCr9xsvlVuWY/VCiAFnTE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
+        "rev": "e52d8117b330f690382f1d16d81ae43daeb4b880",
         "type": "github"
       },
       "original": {
@@ -220,6 +179,22 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "ssp-theme": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1509201641,
+        "narHash": "sha256-naNRyPL6PAsZKW2w1Vt9wrHT9inCL/yAFnvpy4glv+c=",
+        "ref": "refs/heads/master",
+        "rev": "bda4314030be5f81aeaf2fb1927aee582f1194d9",
+        "revCount": 5,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Drift/ssp-theme.git"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -11,25 +11,22 @@
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
-    pvv-nettsiden.url = "git+https://git.pvv.ntnu.no/Projects/nettsiden.git";
-    pvv-nettsiden.inputs.nixpkgs.follows = "nixpkgs";
-
     pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
     pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
 
     matrix-next.url = "github:dali99/nixos-matrix-modules";
     matrix-next.inputs.nixpkgs.follows = "nixpkgs";
 
-    nix-gitea-themes.url = "git+https://git.pvv.ntnu.no/oysteikt/nix-gitea-themes.git";
-    nix-gitea-themes.inputs.nixpkgs.follows = "nixpkgs";
-
     grzegorz.url = "github:Programvareverkstedet/grzegorz";
     grzegorz.inputs.nixpkgs.follows = "nixpkgs-unstable";
     grzegorz-clients.url = "github:Programvareverkstedet/grzegorz-clients";
     grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
+
+    ssp-theme.url = "git+https://git.pvv.ntnu.no/Drift/ssp-theme.git";
+    ssp-theme.flake = false;
   };
 
-  outputs = { self, nixpkgs, nixpkgs-unstable, pvv-nettsiden, sops-nix, disko, ... }@inputs:
+  outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, disko, ssp-theme, ... }@inputs:
   let
     nixlib = nixpkgs.lib;
     systems = [
@@ -48,7 +45,6 @@
     ];
   in {
     nixosConfigurations = let
-      unstablePkgs = nixpkgs-unstable.legacyPackages.x86_64-linux;
       nixosConfig = nixpkgs: name: config: nixpkgs.lib.nixosSystem (nixpkgs.lib.recursiveUpdate
         rec {
           system = "x86_64-linux";
@@ -64,11 +60,7 @@
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [
-              (import ./overlays/nginx-test.nix
-                (builtins.attrNames self.nixosConfigurations.${name}.config.security.acme.certs)
-              )
-            ] ++ config.overlays or [ ];
+            overlays = [ ] ++ config.overlays or [ ];
           };
         }
         (removeAttrs config [ "modules" "overlays" ])
@@ -89,16 +81,16 @@
       bekkalokk = stableNixosConfig "bekkalokk" {
         overlays = [
           (final: prev: {
-            heimdal = unstablePkgs.heimdal;
+            heimdal = final.callPackage ./packages/heimdal {
+              inherit (final.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+              autoreconfHook = final.buildPackages.autoreconfHook269;
+	    };
             mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
             simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+	    ssp-theme = final.runCommandLocal "ssp-theme" { } ''
+	      ln -s ${ssp-theme} $out
+	    '';
           })
-          inputs.nix-gitea-themes.overlays.default
-          inputs.pvv-nettsiden.overlays.default
-        ];
-        modules = [
-          inputs.nix-gitea-themes.nixosModules.default
-          inputs.pvv-nettsiden.nixosModules.default
         ];
       };
       bob = stableNixosConfig "bob" {
@@ -133,16 +125,28 @@
     packages = {
       "x86_64-linux" = let
         pkgs = nixpkgs.legacyPackages."x86_64-linux";
-      in rec {
-        default = important-machines;
+      in {
+        default = self.packages.x86_64-linux.important-machines;
         important-machines = pkgs.linkFarm "important-machines"
           (nixlib.getAttrs importantMachines self.packages.x86_64-linux);
         all-machines = pkgs.linkFarm "all-machines"
           (nixlib.getAttrs allMachines self.packages.x86_64-linux);
 
+        #######################
+        # TODO: remove this once nixos 24.05 gets released
+        #######################
+        heimdal = pkgs.callPackage ./packages/heimdal {
+          inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
+          autoreconfHook = pkgs.buildPackages.autoreconfHook269;
+	};
+
         simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
 
-        # mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
+        mediawiki-extensions = pkgs.callPackage ./packages/mediawiki-extensions { };
+
+	ssp-theme = pkgs.runCommandLocal "ssp-theme" { } ''
+	  ln -s ${ssp-theme} $out
+	'';
       } // nixlib.genAttrs allMachines
         (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel);
     };

hosts/bekkalokk/configuration.nix

@@ -6,8 +6,11 @@
     ../../base.nix
     ../../misc/metrics-exporters.nix
 
-    ./services/website
-    ./services/nginx.nix
+    #./services/keycloak.nix
+
+    # TODO: set up authentication for the following:
+    # ./services/website.nix
+    ./services/nginx
     ./services/gitea/default.nix
     ./services/kerberos
     ./services/webmail
@@ -23,6 +26,8 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
+  virtualisation.podman.enable = true;
+
   networking.hostName = "bekkalokk";
 
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {

hosts/bekkalokk/services/gitea/ci.nix

@@ -27,8 +27,4 @@ lib.mkMerge [
   (mkRunner "alpha")
   (mkRunner "beta")
   (mkRunner "epsilon")
-  {
-    virtualisation.podman.enable = true;
-    networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 5353 ];
-  }
 ]

hosts/bekkalokk/services/gitea/default.nix

@@ -52,16 +52,14 @@ in {
     };
   };
 
-  services.gitea-themes.monokai = pkgs.gitea-theme-monokai;
-
   environment.systemPackages = [ cfg.package ];
 
   services.nginx.virtualHosts."${domain}" = {
     forceSSL = true;
     enableACME = true;
-    kTLS = true;
     locations."/" = {
       proxyPass = "http://unix:${cfg.settings.server.HTTP_ADDR}";
+      recommendedProxySettings = true;
       extraConfig = ''
         client_max_body_size 512M;
       '';

hosts/bekkalokk/services/idp-simplesamlphp/config.php

@@ -556,6 +556,7 @@ $config = [
     'module.enable' => [
         'admin' => true,
 	'authpwauth' => true,
+	'themepvv' => true,
     ],
 
 
@@ -858,7 +859,7 @@ $config = [
     /*
      * Which theme directory should be used?
      */
-    'theme.use' => 'default',
+    'theme.use' => 'themepvv:pvv',
 
     /*
      * Set this option to the text you would like to appear at the header of each page. Set to false if you don't want

hosts/bekkalokk/services/idp-simplesamlphp/default.nix

@@ -11,8 +11,7 @@ let
         read -r _
         exit 2
       fi
-      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
-      kdestroy >/dev/null 2>/dev/null
+      kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO"
     '';
   };
 
@@ -22,7 +21,7 @@ let
       # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
       "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
         <?php
-	  $metadata['https://idp.pvv.ntnu.no/'] = array(
+	  $metadata['https://idp2.pvv.ntnu.no/'] = array(
 	    'host' => '__DEFAULT__',
 	    'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
 	    'certificate' => '${./idp.crt}',
@@ -89,7 +88,7 @@ let
           --replace '$SAML_ADMIN_NAME' '"Drift"' \
           --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
           --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
           --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
           --replace '$SAML_DATABASE_USERNAME' '"idp"' \
           --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
@@ -97,6 +96,8 @@ let
       '';
 
       "modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
+      
+      "modules/themepvv" = pkgs.ssp-theme;
     };
   };
 in
@@ -177,10 +178,9 @@ in
       };
     };
 
-    services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
+    services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
       forceSSL = true;
       enableACME = true;
-      kTLS = true;
       root = "${package}/share/php/simplesamlphp/public";
       locations =  {
         # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -198,10 +198,6 @@ in
             }
           '';
         };
-        "^~ /simplesaml/".extraConfig = ''
-	  rewrite ^/simplesaml/(.*)$ /$1 redirect;
-	  return 404;
-	'';
       };
     };
   };

hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix

@@ -1,18 +1,18 @@
 ''
   <?php
-  $metadata['https://idp.pvv.ntnu.no/'] = [
+  $metadata['https://idp2.pvv.ntnu.no/'] = [
       'metadata-set' => 'saml20-idp-hosted',
-      'entityid' => 'https://idp.pvv.ntnu.no/',
+      'entityid' => 'https://idp2.pvv.ntnu.no/',
       'SingleSignOnService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
           ],
       ],
       'SingleLogoutService' => [
           [
               'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
-              'Location' => 'https://idp.pvv.ntnu.no/module.php/saml/idp/singleLogout',
+              'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
           ],
       ],
       'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],

hosts/bekkalokk/services/keycloak.nix

@@ -0,0 +1,24 @@
+{ pkgs, config, values, ... }:
+{
+  sops.secrets."keys/postgres/keycloak" = {
+    owner = "keycloak";
+    group = "keycloak";
+    restartUnits = [ "keycloak.service" ];
+  };
+
+  services.keycloak = {
+    enable = true;
+
+    settings = {
+      hostname = "auth.pvv.ntnu.no";
+      # hostname-strict-backchannel = true;
+    };
+
+    database = {
+      host = values.hosts.bicep.ipv4;
+      createLocally = false;
+      passwordFile = config.sops.secrets."keys/postgres/keycloak".path;
+      caCert = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+    };
+  };
+}

hosts/bekkalokk/services/mediawiki/default.nix

@@ -22,7 +22,7 @@
           --replace '$SAML_ADMIN_NAME' '"Drift"' \
           --replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
           --replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
-          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
+          --replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
           --replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
           --replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
           --replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
@@ -31,22 +31,30 @@
     };
   };
 in {
-  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
+  services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
 
-  sops.secrets = lib.pipe [
-    "mediawiki/password"
-    "mediawiki/postgres_password"
-    "mediawiki/simplesamlphp/postgres_password"
-    "mediawiki/simplesamlphp/cookie_salt"
-    "mediawiki/simplesamlphp/admin_password"
-  ] [
-    (map (key: lib.nameValuePair key {
+  sops.secrets = {
+    "mediawiki/password" = {
       owner = user;
       group = group;
-      restartUnits = [ "phpfpm-mediawiki.service" ];
-    }))
-    lib.listToAttrs
-  ];
+    };
+    "mediawiki/postgres_password" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/postgres_password" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/cookie_salt" = {
+      owner = user;
+      group = group;
+    };
+    "mediawiki/simplesamlphp/admin_password" = {
+      owner = user;
+      group = group;
+    };
+  };
 
   services.mediawiki = {
     enable = true;
@@ -65,10 +73,12 @@ in {
       name = "mediawiki";
     };
 
-    webserver = "nginx";
-    nginx.hostName = "wiki.pvv.ntnu.no";
-
-    poolConfig = {
+    # Host through nginx
+    webserver = "none";
+    poolConfig = let
+      listenUser = config.services.nginx.user;
+      listenGroup = config.services.nginx.group;
+    in {
       inherit user group;
       "pm" = "dynamic";
       "pm.max_children" = 32;
@@ -76,6 +86,8 @@ in {
       "pm.start_servers" = 2;
       "pm.min_spare_servers" = 2;
       "pm.max_spare_servers" = 4;
+      "listen.owner" = listenUser;
+      "listen.group" = listenGroup;
 
       "catch_workers_output" = true;
       "php_admin_flag[log_errors]" = true;
@@ -86,11 +98,11 @@ in {
     };
 
     extensions = {
-      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp VisualEditor;
+      inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
     };
 
     extraConfig = ''
-      $wgServer = "https://wiki.pvv.ntnu.no";
+      $wgServer = "https://wiki2.pvv.ntnu.no";
       $wgLocaltimezone = "Europe/Oslo";
 
       # Only allow login through SSO
@@ -105,7 +117,9 @@ in {
       $wgGroupPermissions['*']['edit'] = false;
       $wgGroupPermissions['*']['read'] = true;
 
-      # Allow subdirectories in article URLs
+      # Misc. URL rules
+      $wgUsePathInfo = true;
+      $wgScriptExtension = ".php";
       $wgNamespacesWithSubpages[NS_MAIN] = true;
 
       # Styling
@@ -113,6 +127,7 @@ in {
         "2x" => "/PNG/PVV-logo.png",
         "icon" => "/PNG/PVV-logo.svg",
       );
+      # wfLoadSkin('Timeless');
       $wgDefaultSkin = "vector-2022";
       # from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
       $wgVectorDefaultSidebarVisibleForAnonymousUser = true;
@@ -149,15 +164,56 @@ in {
     mode = "0770";
   };
 
+  # Override because of https://github.com/NixOS/nixpkgs/issues/183097
+  systemd.services.mediawiki-init.script = let
+    # According to module
+    stateDir = "/var/lib/mediawiki";
+    pkg = cfg.finalPackage;
+    mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
+    inherit (lib) optionalString mkForce;
+  in mkForce ''
+    if ! test -e "${stateDir}/secret.key"; then
+      tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
+    fi
+
+    echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
+      --confpath /tmp \
+      --scriptpath / \
+      --dbserver "${cfg.database.host}" \
+      --dbport ${toString cfg.database.port} \
+      --dbname ${cfg.database.name} \
+      ${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
+      --dbuser ${cfg.database.user} \
+      ${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
+      --passfile ${cfg.passwordFile} \
+      --dbtype ${cfg.database.type} \
+      ${cfg.name} \
+      admin
+
+    ${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
+  '';
+
   users.groups.mediawiki.members = [ "nginx" ];
 
-  services.nginx.virtualHosts."wiki.pvv.ntnu.no" = {
-    kTLS = true;
+  services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
     forceSSL = true;
     enableACME = true;
+    root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
     locations =  {
-      "= /wiki/Main_Page" = lib.mkForce {
-        return = "301 /wiki/Programvareverkstedet";
+      "/" = {
+	index = "index.php";
+      };
+
+      "~ /(.+\\.php)" = {
+        extraConfig = ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          fastcgi_index index.php;
+          fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
       };
 
       # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
@@ -179,22 +235,23 @@ in {
         '';
       };
 
+      "/images/".alias = "${config.services.mediawiki.uploadsDir}/";
+
       "= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
       "= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
       "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
         buildInputs = with pkgs; [ imagemagick ];
       } ''
         convert \
-          -resize x64 \
-          -gravity center \
-          -crop 64x64+0+0 \
-          ${../../../../assets/logo_blue_regular.png} \
-          -flatten \
-          -colors 256 \
-          -background transparent \
-          $out
+	  -resize x64 \
+	  -gravity center \
+	  -crop 64x64+0+0 \
+	  ${../../../../assets/logo_blue_regular.png} \
+	  -flatten \
+	  -colors 256 \
+	  -background transparent \
+	  $out
       '';
     };
-
   };
 }

hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php

@@ -5,7 +5,7 @@ $config = array(
     ),
     'default-sp' => array(
         'saml:SP',
-        'entityID' => 'https://wiki.pvv.ntnu.no/simplesaml/',
-        'idp' => 'https://idp.pvv.ntnu.no/',
+        'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
+        'idp' => 'https://idp2.pvv.ntnu.no/',
     ),
 );

hosts/bekkalokk/services/nginx.nix

@@ -1,4 +0,0 @@
-{ pkgs, config, ... }:
-{
-  services.nginx.enable = true;
-}

hosts/bekkalokk/services/nginx/default.nix

@@ -0,0 +1,28 @@
+{ pkgs, config, ... }:
+{
+  imports = [
+    ./ingress.nix
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
+  services.nginx = {
+    enable = true;
+
+    recommendedTlsSettings = true;
+    recommendedProxySettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    virtualHosts."bekkalokk.pvv.ntnu.no" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".return = "301 $scheme://git.pvv.ntnu.no$request_uri";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}

hosts/bekkalokk/services/nginx/ingress.nix

@@ -0,0 +1,55 @@
+{ config, lib, ... }:
+{
+  services.nginx.virtualHosts = {
+    "www2.pvv.ntnu.no" = {
+      serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
+      addSSL = true;
+      enableACME = true;
+
+      locations = {
+        # Proxy home directories
+        "/~" = {
+          extraConfig = ''
+            proxy_redirect off;
+            proxy_pass https://tom.pvv.ntnu.no;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+
+        # Redirect old wiki entries
+        "/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
+        "/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
+        "/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
+        "/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
+        "/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
+        "/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
+        "/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
+        "/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
+        "/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
+        "/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
+        "/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
+        "/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
+
+        # TODO: Redirect webmail
+        "/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
+
+        # Redirect everything else to the main website
+        "/".return = "301 https://www.pvv.ntnu.no$request_uri";
+
+        # Proxy the matrix well-known files
+        # Host has be set before proxy_pass
+        # The header must be set so nginx on the other side routes it to the right place
+        "/.well-known/matrix/" = {
+          extraConfig = ''
+            proxy_set_header Host matrix.pvv.ntnu.no;
+            proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          '';
+        };
+      };
+    };
+  };
+}
+

hosts/bekkalokk/services/openldap.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.openldap = {
+    enable = true;
+  };
+}

hosts/bekkalokk/services/webmail/default.nix

@@ -4,15 +4,12 @@
     ./roundcube.nix
   ];
 
-  services.nginx.virtualHosts."webmail.pvv.ntnu.no" = {
+  services.nginx.virtualHosts."webmail2.pvv.ntnu.no" = {
     forceSSL = true;
     enableACME = true;
-    kTLS = true;
-    locations = {
-      "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
-      "/rainloop".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+    #locations."/" = lib.mkForce { };
+    locations."= /" = {
+      return = "301 https://www.pvv.ntnu.no/mail/";
     };
   };
 }

hosts/bekkalokk/services/webmail/roundcube.nix

@@ -3,7 +3,7 @@
 with lib;
 let
   cfg = config.services.roundcube;
-  domain = "webmail.pvv.ntnu.no";
+  domain = "webmail2.pvv.ntnu.no";
 in 
 {
   services.roundcube = {
@@ -35,7 +35,6 @@ in
   services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
 
   services.nginx.virtualHosts.${domain} = {
-    kTLS = true;
     locations."/roundcube" = {
       tryFiles = "$uri $uri/ =404";
       index = "index.php";

hosts/bekkalokk/services/website.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+
+}

hosts/bekkalokk/services/website/default.nix

@@ -1,126 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  format = pkgs.formats.php { };
-  cfg = config.services.pvv-nettsiden;
-in {
-  imports = [
-    ./fetch-gallery.nix
-  ];
-
-  sops.secrets = lib.genAttrs [
-    "nettsiden/door_secret"
-    "nettsiden/mysql_password"
-    "nettsiden/simplesamlphp/admin_password"
-    "nettsiden/simplesamlphp/cookie_salt"
-  ] (_: {
-    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
-    group = config.services.phpfpm.pools.pvv-nettsiden.group;
-    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
-  });
-
-  services.idp.sp-remote-metadata = [ "https://${cfg.domainName}/simplesaml/" ];
-
-  services.pvv-nettsiden = {
-    enable = true;
-
-    package = pkgs.pvv-nettsiden.override {
-      extra_files = {
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
-          <?php
-          $config = array(
-              'admin' => array(
-                'core:AdminPassword'
-              ),
-              'default-sp' => array(
-                  'saml:SP',
-                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
-                  'idp' => 'https://idp.pvv.ntnu.no/',
-              ),
-          );
-	'';
-      };
-    };
-
-    domainName = "www.pvv.ntnu.no";
-
-    settings = let
-      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
-    in {
-      DOOR_SECRET = includeFromSops "door_secret";
-
-      DB = {
-        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
-        USER = "www-data_nettsi";
-        PASS = includeFromSops "mysql_password";
-      };
-
-      # TODO: set up postgres session for simplesamlphp
-      SAML = {
-        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
-        COOKIE_SECURE = true;
-        ADMIN_NAME = "PVV Drift";
-        ADMIN_EMAIL = "drift@pvv.ntnu.no";
-        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
-        TRUSTED_DOMAINS = [ cfg.domainName ];
-      };
-    };
-  };
-
-  services.phpfpm.pools."pvv-nettsiden".settings = {
-    # "php_admin_value[error_log]" = "stderr";
-    "php_admin_flag[log_errors]" = true;
-    "catch_workers_output" = true;
-  };
-
-  services.nginx.virtualHosts.${cfg.domainName} = {
-    serverAliases = [
-      "pvv.ntnu.no"
-      "www.pvv.org"
-      "pvv.org"
-    ];
-
-    locations = {
-      # Proxy home directories
-      "^~ /~" = {
-        extraConfig = ''
-          proxy_redirect off;
-          proxy_pass https://tom.pvv.ntnu.no;
-          proxy_set_header Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-        '';
-      };
-
-      # Redirect the old webmail/wiki paths from spikkjeposche
-      "^~ /webmail".return = "301 https://webmail.pvv.ntnu.no";
-      "~ /pvv/([^\\n\\r]*)".return = "301 https://wiki.pvv.ntnu.no/wiki/$1";
-      "= /pvv".return = "301 https://wiki.pvv.ntnu.no/";
-
-      # Redirect old wiki entries
-      "/disk".return = "301 https://wiki.pvv.ntnu.no/wiki/Diskkjøp";
-      "/dok/boker.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Bokhyllen";
-      "/styret/lover/".return = "301 https://wiki.pvv.ntnu.no/wiki/Lover";
-      "/styret/".return = "301 https://wiki.pvv.ntnu.no/wiki/Styret";
-      "/info/".return = "301 https://wiki.pvv.ntnu.no/wiki/";
-      "/info/maskinpark/".return = "301 https://wiki.pvv.ntnu.no/wiki/Maskiner";
-      "/medlemssider/meldinn.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemskontingent";
-      "/diverse/medlems-sider.php".return = "301 https://wiki.pvv.ntnu.no/wiki/Medlemssider";
-      "/cert/".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT";
-      "/drift".return = "301 https://wiki.pvv.ntnu.no/wiki/Drift";
-      "/diverse/abuse.php".return = "301 https://wiki.pvv.ntnu.no/wiki/CERT/Abuse";
-      "/nerds/".return = "301 https://wiki.pvv.ntnu.no/wiki/Nerdepizza";
-
-      # Proxy the matrix well-known files
-      # Host has be set before proxy_pass
-      # The header must be set so nginx on the other side routes it to the right place
-      "^~ /.well-known/matrix/" = {
-        extraConfig = ''
-          proxy_set_header Host matrix.pvv.ntnu.no;
-          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-        '';
-      };
-    };
-  };
-}

hosts/bekkalokk/services/website/fetch-gallery.nix

@@ -1,67 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
-  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
-  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
-in {
-  users.users.${config.services.pvv-nettsiden.user} = {
-    useDefaultShell = true;
-
-    # This is pushed from microbel:/var/www/www-gallery/build-gallery.sh
-    openssh.authorizedKeys.keys = [
-    ''command="${pkgs.rrsync}/bin/rrsync -wo ${transferDir}",restrict,no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjHhC2dikhWs/gG+m7qP1eSohWzTehn4ToNzDSOImyR gallery-publish''
-    ];
-  };
-
-  systemd.paths.pvv-nettsiden-gallery-update = {
-    wantedBy = [ "multi-user.target" ];
-    pathConfig = {
-      PathChanged = "${transferDir}/gallery.tar.gz";
-      Unit = "pvv-nettsiden-gallery-update.service";
-      MakeDirectory = true;
-    };
-  };
-
-  systemd.services.pvv-nettsiden-gallery-update = {
-    path = with pkgs; [ imagemagick gnutar gzip ];
-
-    script = ''
-      tar ${lib.cli.toGNUCommandLineShell {} {
-        extract = true;
-        file = "${transferDir}/gallery.tar.gz";
-        directory = ".";
-      }}
-
-      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
-      while IFS= read fname; do
-        rm -f "$fname" ||:
-        rm -f ".thumbnails/$fname.png" ||:
-      done <<< "$filesToRemove"
-
-      find . -type d -empty -delete
-
-      mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
-
-      while IFS= read fname; do
-        # Skip this file if an up-to-date thumbnail already exists
-        if [ -f ".thumbnails/$fname.png" ] && \
-           [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
-        then
-          continue
-        fi
-
-        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
-        convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
-	touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
-      done <<< "$images"
-    '';
-
-    serviceConfig = {
-      WorkingDirectory = galleryDir;
-      User = config.services.pvv-nettsiden.user;
-      Group = config.services.pvv-nettsiden.group;
-    };
-  };
-}

hosts/bicep/services/matrix/element.nix

@@ -5,7 +5,6 @@ in {
   services.nginx.virtualHosts."chat.pvv.ntnu.no" = {
     enableACME = true;
     forceSSL = true;
-    kTLS = true;
 
     root = pkgs.element-web.override {
       conf = {

hosts/bicep/services/matrix/smtp-authenticator/smtp_auth_provider.py

@@ -7,9 +7,6 @@ from synapse import module_api
 
 import re
 
-import logging
-logger = logging.getLogger(__name__)
-
 class SMTPAuthProvider:
     def __init__(self, config: dict, api: module_api):
         self.api = api
@@ -46,13 +43,8 @@ class SMTPAuthProvider:
 
         if result == True:
             userid = self.api.get_qualified_user_id(username)
-
-            userid = await self.api.check_user_exists(userid)
-            if not userid:
-                logger.info(f"user did not exist, registering {username}")
-                userid = await self.api.register_user(username)
-                logger.info(f"registered userid: {userid}")
+            if not self.api.check_user_exists(userid):
+                self.api.register_user(username)
             return (userid, None)
         else:
-            logger.info("returning None")
             return None

hosts/bicep/services/matrix/synapse.nix

@@ -134,6 +134,80 @@ in {
         "129.241.0.0/16"
         "2001:700:300::/44"
       ];
+
+      saml2_config = {
+        sp_config.metadata.remote = [
+          { url = "https://idp.pvv.ntnu.no/simplesaml/saml2/idp/metadata.php"; }
+        ];
+
+        description = [ "Matrix Synapse SP" "en" ];
+        name = [ "Matrix Synapse SP" "en" ];
+
+        ui_info = {
+          display_name = [
+            {
+              lang = "en";
+              text = "PVV Matrix login";
+            }
+          ];
+          description = [
+            {
+              lang = "en";
+              text = "Matrix is a modern free and open federated chat protocol";
+            }
+          ];
+          #information_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          #privacy_statement_url = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #  };
+          #];
+          keywords = [
+            {
+              lang = "en";
+              text = [ "Matrix" "Element" ];
+            }
+          ];
+          #logo = [
+          #  {
+          #    lang = "en";
+          #    text = "";
+          #    width = "";
+          #    height = "";
+          #  }
+          #];
+        };
+
+        organization = {
+          name = "Programvareverkstedet";
+          display_name = [ "Programvareverkstedet" "en" ];
+          url = "https://www.pvv.ntnu.no";
+        };
+        contact_person = [
+          { given_name = "Drift";
+            sur_name = "King";
+            email_adress = [ "drift@pvv.ntnu.no" ];
+            contact_type = "technical";
+          }
+        ];
+
+        user_mapping_provider = {
+          config = {
+            mxid_source_attribute =  "uid"; # What is this supposed to be?
+            mxid_mapping = "hexencode";
+          };
+        };
+
+        #attribute_requirements = [
+        #  {attribute = "userGroup"; value = "medlem";} # Do we have this?
+        #];
+      };
     };
   };
 
@@ -143,9 +217,6 @@ in {
   services.redis.servers."".enable = true;
   
   services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-  ({
-    kTLS = true;
-  })
   ({
     locations."/.well-known/matrix/server" = {
       return = ''
@@ -170,8 +241,6 @@ in {
         extraConfig = ''
           allow ${values.hosts.ildkule.ipv4};
           allow ${values.hosts.ildkule.ipv6};
-          allow ${values.hosts.ildkule.ipv4_global};
-          allow ${values.hosts.ildkule.ipv6_global};
           deny all;
         '';
       }))
@@ -183,8 +252,6 @@ in {
       extraConfig = ''
         allow ${values.hosts.ildkule.ipv4};
         allow ${values.hosts.ildkule.ipv6};
-        allow ${values.hosts.ildkule.ipv4_global};
-        allow ${values.hosts.ildkule.ipv6_global};
         deny all;
       '';
     };

hosts/bicep/services/nginx/default.nix

@@ -1,8 +1,15 @@
 { config, values, ... }:
 {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "danio@pvv.ntnu.no";
+  };
+
   services.nginx = {
     enable = true;
+
     enableReload = true;
+
     defaultListenAddresses = [
       values.hosts.bicep.ipv4
       "[${values.hosts.bicep.ipv6}]"
@@ -11,5 +18,28 @@
       "127.0.0.2"
       "[::1]"
     ];
+
+    appendConfig = ''
+      pcre_jit on;
+      worker_processes 8;
+      worker_rlimit_nofile 8192;
+    '';
+
+    eventsConfig = ''
+      multi_accept on;
+      worker_connections 4096;
+    '';
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
+    recommendedOptimisation = true;
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  systemd.services.nginx.serviceConfig = {
+    LimitNOFILE = 65536;
   };
 }

hosts/ildkule/configuration.nix

@@ -6,8 +6,8 @@
       ../../base.nix
       ../../misc/metrics-exporters.nix
 
-      ./services/monitoring
       ./services/nginx
+      ./services/metrics
     ];
 
   sops.defaultSopsFile = ../../secrets/ildkule/ildkule.yaml;
@@ -15,21 +15,28 @@
   sops.age.keyFile = "/var/lib/sops-nix/key.txt";
   sops.age.generateKey = true;
 
-  boot.loader.grub.device = "/dev/vda";
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = true;
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
 
   networking.hostName = "ildkule"; # Define your hostname.
-  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
-    matchConfig.Name = "en*";
-    DHCP = "yes";
-    gateway = [ ];
+
+  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
+    matchConfig.Name = "ens18";
+    address = with values.hosts.ildkule; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
   ];
 
-  system.stateVersion = "23.11"; # Did you read the comment?
+  # List services that you want to enable:
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "21.11"; # Did you read the comment?
 
 }

hosts/ildkule/hardware-configuration.nix

@@ -1,9 +1,37 @@
-{ modulesPath, lib, ... }:
-{
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/vda1"; fsType = "ext4"; };
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
 
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/afe70fe4-681a-4675-8cbd-e5d08cdcf5b5";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B71A-E5CD";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/ildkule/services/metrics/default.nix

@@ -2,9 +2,8 @@
 
 {
   imports = [
+    ./prometheus
     ./grafana.nix
     ./loki.nix
-    ./prometheus
-    ./uptime-kuma.nix
   ];
 }

hosts/ildkule/services/metrics/grafana.nix

@@ -7,6 +7,7 @@ in {
   in {
     "keys/grafana/secret_key" = { inherit owner group; };
     "keys/grafana/admin_password" = { inherit owner group; };
+    "keys/postgres/grafana" = { inherit owner group; };
   };
 
   services.grafana = {
@@ -17,7 +18,7 @@ in {
       secretFile = path: "$__file{${path}}";
     in {
       server = {
-        domain = "grafana.pvv.ntnu.no";
+        domain = "ildkule.pvv.ntnu.no";
         http_port = 2342;
         http_addr = "127.0.0.1";
       };
@@ -26,6 +27,13 @@ in {
         secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
         admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
       };
+
+      database = {
+        type = "postgres";
+        user = "grafana";
+        host = "${values.hosts.bicep.ipv4}:5432";
+        password = secretFile config.sops.secrets."keys/postgres/grafana".path;
+      };
     };
 
     provision = {
@@ -83,7 +91,6 @@ in {
   services.nginx.virtualHosts.${cfg.settings.server.domain} = {
     enableACME = true;
     forceSSL = true;
-    kTLS = true;
     locations = {
       "/" = {
         proxyPass = "http://127.0.0.1:${toString cfg.settings.server.http_port}";

hosts/ildkule/services/monitoring/uptime-kuma.nix

@@ -1,20 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.services.uptime-kuma;
-  domain = "status.pvv.ntnu.no";
-in {
-  services.uptime-kuma = {
-    enable = true;
-    settings = {
-      PORT = "5059";
-      HOST = "127.0.1.2";
-    };
-  };
-
-  services.nginx.virtualHosts.${domain} = {
-    enableACME = true;
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
-  };
-}

hosts/ildkule/services/nginx/default.nix

@@ -1,7 +1,29 @@
 { config, values, ... }:
 {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "drift@pvv.ntnu.no";
+  };
+
   services.nginx = {
     enable = true;
+
     enableReload = true;
+
+    defaultListenAddresses = [
+      values.hosts.ildkule.ipv4
+      "[${values.hosts.ildkule.ipv6}]"
+
+      "127.0.0.1"
+      "127.0.0.2"
+      "[::1]"
+    ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
   };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

misc/metrics-exporters.nix

@@ -14,8 +14,6 @@
       "::1"
       values.hosts.ildkule.ipv4
       values.hosts.ildkule.ipv6
-      values.hosts.ildkule.ipv4_global
-      values.hosts.ildkule.ipv6_global
     ];
   };
 

modules/grzegorz.nix

@@ -24,12 +24,15 @@ in {
   services.grzegorz-webui.hostName = "${config.networking.fqdn}";
   services.grzegorz-webui.apiBase = "http://${toString grg.listenAddr}:${toString grg.listenPort}/api";
 
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "pederbs@pvv.ntnu.no";
+
   services.nginx.enable = true;
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   services.nginx.virtualHosts."${config.networking.fqdn}" = {
     forceSSL = true;
     enableACME = true;
-    kTLS = true;
     serverAliases = [
       "${config.networking.hostName}.pvv.org"
     ];

modules/snakeoil-certs.nix

@@ -1,83 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  cfg = config.environment.snakeoil-certs;
-in
-{
-  options.environment.snakeoil-certs = lib.mkOption {
-    default = { };
-    description = "Self signed certs, which are rotated regularly";
-    type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
-      options = {
-        owner = lib.mkOption {
-          type = lib.types.str;
-          default = "root";
-        };
-        group = lib.mkOption {
-          type = lib.types.str;
-          default = "root";
-        };
-        mode = lib.mkOption {
-          type = lib.types.str;
-          default = "0660";
-        };
-        daysValid = lib.mkOption {
-          type = lib.types.str;
-          default = "90";
-        };
-        extraOpenSSLArgs = lib.mkOption {
-          type = with lib.types; listOf str;
-          default = [ ];
-        };
-        certificate = lib.mkOption {
-          type = lib.types.str;
-          default = "${name}.crt";
-        };
-        certificateKey = lib.mkOption {
-          type = lib.types.str;
-          default = "${name}.key";
-        };
-	subject = lib.mkOption {
-	  type = lib.types.str;
-	  default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no";
-	};
-      };
-    }));
-  };
-
-  config = {
-    systemd.services."generate-snakeoil-certs" = {
-      enable = true;
-      serviceConfig.Type = "oneshot";
-      script = let
-        openssl = lib.getExe pkgs.openssl;
-      in lib.concatMapStringsSep "\n----------------\n" ({ name, value }: ''
-        mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
-        if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
-        then
-           echo "Regenerating '${value.certificate}'"
-           ${openssl} req \
-             -newkey rsa:4096 \
-             -new -x509 \
-             -days "${toString value.daysValid}" \
-             -nodes \
-             -subj "${value.subject}" \
-             -out "${value.certificate}" \
-             -keyout "${value.certificateKey}" \
-             ${lib.escapeShellArgs value.extraOpenSSLArgs}
-        fi
-        chown "${value.owner}:${value.group}" "${value.certificate}"
-        chown "${value.owner}:${value.group}" "${value.certificateKey}"
-        chmod "${value.mode}" "${value.certificate}"
-        chmod "${value.mode}" "${value.certificateKey}"
-      '') (lib.attrsToList cfg);
-    };
-    systemd.timers."generate-snakeoil-certs" = {
-      wantedBy = [ "timers.target" ];
-      timerConfig = {
-        OnCalendar = "*-*-* 02:00:00";
-        Persistent = true;
-        Unit = "generate-snakeoil-certs.service";
-      };
-    };
-  };
-}

overlays/nginx-test.nix

@@ -1,28 +0,0 @@
-acme-certs: final: prev:
-  let
-    lib = final.lib;
-    crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
-    key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
-  in {
-  writers = prev.writers // {
-    writeNginxConfig = name: text: final.runCommandLocal name {
-      nginxConfig = prev.writers.writeNginxConfig name text;
-      nativeBuildInputs = [ final.bubblewrap ];
-    } ''
-      ln -s "$nginxConfig" "$out"
-      set +o pipefail
-      bwrap \
-        --ro-bind "${crt}" "/etc/certs/nginx.crt" \
-        --ro-bind "${key}" "/etc/certs/nginx.key" \
-        --ro-bind "/nix" "/nix" \
-        --ro-bind "/etc/hosts" "/etc/hosts" \
-        --dir "/run/nginx" \
-        --dir "/tmp" \
-        --dir "/var/log/nginx" \
-        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
-        ${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
-        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
-        ${lib.getExe' final.nginx "nginx"} -t -c "$out" |& grep "syntax is ok"
-    '';
-  };
-}

packages/heimdal/default.nix

@@ -0,0 +1,178 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, python3
+, perl
+, bison
+, flex
+, texinfo
+, perlPackages
+
+, openldap
+, libcap_ng
+, sqlite
+, openssl
+, db
+, libedit
+, pam
+, krb5
+, libmicrohttpd
+, cjson
+
+, CoreFoundation
+, Security
+, SystemConfiguration
+
+, curl
+, jdk
+, unzip
+, which
+
+, nixosTests
+
+, withCJSON ? true
+, withCapNG ? stdenv.isLinux
+# libmicrohttpd should theoretically work for darwin as well, but something is broken.
+# It affects tests check-bx509d and check-httpkadmind.
+, withMicroHTTPD ? stdenv.isLinux
+, withOpenLDAP ? true
+, withOpenLDAPAsHDBModule ? false
+, withOpenSSL ? true
+, withSQLite3 ? true
+}:
+
+assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
+  OpenLDAP needs to be enabled in order to build the OpenLDAP HDB Module.
+'';
+
+stdenv.mkDerivation {
+  pname = "heimdal";
+  version = "7.8.0-unstable-2023-11-29";
+
+  src = fetchFromGitHub {
+    owner = "heimdal";
+    repo = "heimdal";
+    rev = "3253c49544eacb33d5ad2f6f919b0696e5aab794";
+    hash = "sha256-uljzQBzXrZCZjcIWfioqHN8YsbUUNy14Vo+A3vZIXzM=";
+  };
+
+  outputs = [ "out" "dev" "man" "info" ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+    pkg-config
+    python3
+    perl
+    bison
+    flex
+    texinfo
+  ]
+  ++ (with perlPackages; [ JSON ]);
+
+  buildInputs = [ db libedit pam ]
+    ++ lib.optionals (stdenv.isDarwin) [ CoreFoundation Security SystemConfiguration ]
+    ++ lib.optionals (withCJSON) [ cjson ]
+    ++ lib.optionals (withCapNG) [ libcap_ng ]
+    ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
+    ++ lib.optionals (withOpenLDAP) [ openldap ]
+    ++ lib.optionals (withOpenSSL) [ openssl ]
+    ++ lib.optionals (withSQLite3) [ sqlite ];
+
+  doCheck = true;
+  nativeCheckInputs = [
+    curl
+    jdk
+    unzip
+    which
+  ];
+
+  configureFlags = [
+    "--with-libedit-include=${libedit.dev}/include"
+    "--with-libedit-lib=${libedit}/lib"
+    "--with-berkeley-db-include=${db.dev}/include"
+    "--with-berkeley-db"
+
+    "--without-x"
+    "--disable-afs-string-to-key"
+  ] ++ lib.optionals (withCapNG) [
+    "--with-capng"
+  ] ++ lib.optionals (withCJSON) [
+    "--with-cjson=${cjson}"
+  ] ++ lib.optionals (withOpenLDAP) [
+    "--with-openldap=${openldap.dev}"
+  ] ++ lib.optionals (withOpenLDAPAsHDBModule) [
+    "--enable-hdb-openldap-module"
+  ] ++ lib.optionals (withSQLite3) [
+    "--with-sqlite3=${sqlite.dev}"
+  ];
+
+  # (check-ldap) slapd resides within ${openldap}/libexec,
+  #              which is not part of $PATH by default.
+  # (check-ldap) prepending ${openldap}/bin to the path to avoid
+  #              using the default installation of openldap on unsandboxed darwin systems,
+  #              which does not support the new mdb backend at the moment (2024-01-13).
+  # (check-ldap) the bdb backend got deprecated in favour of mdb in openldap 2.5.0,
+  #              but the heimdal tests still seem to expect bdb as the openldap backend.
+  #              This might be fixed upstream in a future update.
+  patchPhase = ''
+    runHook prePatch
+
+    substituteInPlace tests/ldap/slapd-init.in \
+      --replace 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
+    substituteInPlace tests/ldap/check-ldap.in \
+      --replace 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
+    substituteInPlace tests/ldap/slapd.conf \
+      --replace 'database	bdb' 'database mdb'
+
+    runHook postPatch
+  '';
+
+  # (test_cc) heimdal uses librokens implementation of `secure_getenv` on darwin,
+  #           which expects either USER or LOGNAME to be set.
+  preCheck = lib.optionalString (stdenv.isDarwin) ''
+    export USER=nix-builder
+  '';
+
+  # We need to build hcrypt for applications like samba
+  postBuild = ''
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES)
+  '';
+
+  postInstall = ''
+    # Install hcrypto
+    (cd include/hcrypto; make -j $NIX_BUILD_CORES install)
+    (cd lib/hcrypto; make -j $NIX_BUILD_CORES install)
+
+    mkdir -p $dev/bin
+    mv $out/bin/krb5-config $dev/bin/
+
+    # asn1 compilers, move them to $dev
+    mv $out/libexec/heimdal/* $dev/bin
+    rmdir $out/libexec/heimdal
+
+    # compile_et is needed for cross-compiling this package and samba
+    mv lib/com_err/.libs/compile_et $dev/bin
+  '';
+
+  # Issues with hydra
+  #  In file included from hxtool.c:34:0:
+  #  hx_locl.h:67:25: fatal error: pkcs10_asn1.h: No such file or directory
+  #enableParallelBuilding = true;
+
+  passthru = {
+    implementation = "heimdal";
+    tests.nixos = nixosTests.kerberos.heimdal;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.heimdal.software";
+    changelog = "https://github.com/heimdal/heimdal/releases";
+    description = "An implementation of Kerberos 5 (and some more stuff)";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ h7x4 ];
+  };
+}

packages/mediawiki-extensions/default.nix

@@ -4,5 +4,4 @@ lib.makeScope pkgs.newScope (self: {
   PluggableAuth = self.callPackage ./pluggable-auth { };
   SimpleSAMLphp = self.callPackage ./simple-saml-php { };
   UserMerge = self.callPackage ./user-merge { };
-  VisualEditor = self.callPackage ./visual-editor { };
 })

packages/mediawiki-extensions/visual-editor/default.nix

@@ -1,7 +0,0 @@
-{ fetchzip }:
-
-fetchzip {
-  name = "mediawiki-visual-editor-source";
-  url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-5f8c97e.tar.gz";
-  hash = "sha256-oBMmEDKsFxrD0tpN2dy264IXK164BrZWrNK3v3FNX6w=";
-}

secrets/bekkalokk/bekkalokk.yaml

@@ -15,18 +15,13 @@ mediawiki:
         postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
         cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
         admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
+keycloak:
+    database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
 idp:
     cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
     admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
     postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
     privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
-nettsiden:
-    mysql_password: ENC[AES256_GCM,data:Uv74HhWtYRbaFHcfh0Rk/Q==,iv:/lRTaMepwpJKZJWHnwb98Ywa1zP4e2EqYGmwI7BCl1I=,tag:ZnE0u2/65zdkONcoiBGSOQ==,type:str]
-    door_secret: ENC[AES256_GCM,data:t0jEN1WnyEi10KRSg4Dlcd7IuIMBiOU7riOdYSZjvZTQqPijRYIoMEQ6OemIkD1Yg67uISTxnjxP,iv:Ss02VGKRa4oZMubbi8IfQDAjh3h295+n07vOx/IZGBs=,tag:OvdxqIUdYi/cR7IjopSVQQ==,type:str]
-    simplesamlphp:
-        postgres_password: ENC[AES256_GCM,data:SvbrdHF4vQ94DgoEfy67QS5oziAsMT8H,iv:LOHBqMecA6mgV3NMfmfTh3zDGiDve+t3+uaO53dIxt4=,tag:9ffz84ozIqytNdGB1COMhA==,type:str]
-        cookie_salt: ENC[AES256_GCM,data:VmODSLOP1YDBrpHdk/49qx9BS+aveEYDQ1D24d4zCi06kZsCENCr+vdPAnTeM1pw98RTr3yZAEQTh4s90b6v8Q==,iv:vRClu6neyYPFdtD63kjnvK2iNOIHMbh+9qEGph7CI60=,tag:66fgppVxY0egs4+9XfDBPA==,type:str]
-        admin_password: ENC[AES256_GCM,data:SADr/zN3F0tW339kSK1nD9Pb38rw7hz8,iv:s5jgl1djXd5JKwx1WG/w2Q4STMMpjJP91qxOwAoNcL0=,tag:N8bKnO9N0ei06HDkSGt6XQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -60,8 +55,8 @@ sops:
             akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
             GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-14T21:58:31Z"
-    mac: ENC[AES256_GCM,data:+o7YvaaKTjN/uZT5mv3z9FgIbXwG4NPJePWwRmtkBINn9X+vrCmYOXqWhKw7qfInn4Ftcg0FA7cYFZe5Pv8MNp+f8v1yoiLrVX12cxmEYtqTXJz7pNeD2st1YjGJKihNi2/fyCCf4YBCGN+8Ze//HeVf7/tfWNB+ysyC9g9Tze4=,iv:C6XBCVXn8GuNeaWGdJRnUIh1us0i8fSoxu9Sx7Feb58=,tag:W0RLPPv7eP5kCNrhMG3z7A==,type:str]
+    lastmodified: "2024-03-30T21:22:02Z"
+    mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
     pgp:
         - created_at: "2023-05-21T00:28:40Z"
           enc: |

secrets/ildkule/ildkule.yaml

@@ -15,6 +15,7 @@ keys:
         secret_key: ENC[AES256_GCM,data:+WoAJbDBEgKs0RoHT+7oEELAVQ+/2Xt+5RTMSXg23moCqVRx+Gzll9P5Drw=,iv:AkRn/Y20iEe5i1T+84wAgLCTFtAox2G3giyawAkltAw=,tag:BZbt5Wb5lYLIJBm/pfP4GQ==,type:str]
         admin_password: ENC[AES256_GCM,data:ttKwfC4WuXeL/6x4,iv:x1X+e3z08CR992GzC62YnFIN7SGrE81/nDNrgcgVzx0=,tag:YajUoy61kYbpeGeC7yNrXQ==,type:str]
     postgres:
+        grafana: ENC[AES256_GCM,data:D6qkg98WZYzKYegSNBb31v8o+KHisGmJ+ab5Ut7EMtsJz36kUup5RS4EbtM=,iv:rfE1uH1QycKMTpSq2p1ntQ2BIvptAh2J3l/QcQhiuLo=,tag:QxmGFcekjFRPf6orN86IxQ==,type:str]
         postgres_exporter_env: ENC[AES256_GCM,data:8MEoikoA6tFNm9qZbk0DFWANd7nRs5QSqrsGLoLKPIc1xykJaXTlyP5v8ywVGR8j7bfPs4p6QfpUIWK8CCnfQ1QhsFPXUMksl8p+K+xuMakYZr9OoWigGqvOHpFb9blfBN1FBdRrk38REXWAMUn74KSRI9v+0i5lpC4=,iv:anpjWVUadKfSAm9XbkeAKu+jAk+LxcpVYQ+gUe5szYw=,tag:4tzb/8B/e1uVoqTsQGlcKA==,type:str]
         postgres_exporter_knakelibrak_env: ENC[AES256_GCM,data:xjC7DGXrW2GIJq8XioIZb+jSe/Hzcz0tv9cUHmX/n1nhI+D64lYt+EKnq1+RX/vJzU4sTaKjveKBh88Qqnv6RQm+MZC//dIxcvnnAdl50qnHZyBCaFFEzSNI8I8vGyArMk8Ja72clBq3kMpUz/pLBP0qDrjblKDoWkU=,iv:ZW98hJy8A5t4Oxtu17R3tM7gou183VLbgBsHA8LFuJY=,tag:VMOvQz3X/XDylV1YFg2Jsg==,type:str]
 sops:
@@ -23,55 +24,55 @@ sops:
     azure_kv: []
     hc_vault: []
     age:
-        - recipient: age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURkY4WTZhQzJoREpxV1Vr
-            aUExZ1dxNkIyMkJtUXpqOWtTT1J0MGpmMkY4ClR4Wm1FTmhKN2pIMENRdERrWVY2
-            SUlHblpEc3VackMrbFpHUUJwM2ltZHcKLS0tIEovMEtiOWc1L2tzZDh3ekZKbStr
-            NEFkcW03ZTRJODNxTlVuUnFlcFFUUncKEZzOeUtRsZiuugTLzG2xU4eJ3XtVuop7
-            hhlDBL/YoFn/CO3HjqFdCVv33QoPu7KKMeV52pbVEnv93mvdEeFxVA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrN3lJM2xWTUZ3UkRBaENI
+            VmJiWDlQbHd0VUNYdllPdURyQmUvL3lKMzJzCkZlRFVxbmNLOVNqUFg1akJQQlBP
+            VmdOMUdjZ1M4U2lLVEpGaGI5NjNTR2MKLS0tIDRlQUtucEZhZmRYbmpadVdKK01v
+            cWxCQlBRR1VaZTBDQnkzNGE0WGttWm8KK5s/coWNsdCP5lKQ8LMK7/3ku179+Lg1
+            4ujTVn4LhvXy6JvgGTWS/UbMmJjJebVxkulzf5St3YMMs2mcIYjOtA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSY3cxSGFvdDdWcFVLRTRy
-            Zng2VnhjZlFkc1RQN0NqUjJGeW02WlFaMlFZCjVZc2x2UXNXS1I2WDBxeHdjNUdr
-            WnZGc0l5NlArekUwUGU3Qkdub25EVm8KLS0tIDB2bGo3ZURtZ0pSZjFzcGpOdW5D
-            aTI3aTBUS0d1MzFmMTVMbUlFYTR4VlUKzOvNCAzan1GTXjoRxeySkUYIYtI4Mpvu
-            MC0Q8e350SyoOsrF7fUvw+Ru68fDMLW27H6Ly36xP7D3eo/h4eZVXw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSa25taGsxdlhrUS96cXBi
+            cUo3WDVmdEhKN256THJhS2tHSitDRkVraDJNCmhGZzlFUDFkN0JKNkFWUlVLVzcz
+            MjFhcDdmcmpxdTA3V3JRREFNVmNUbEEKLS0tIFNSU2xNZzN2Y1ZzR2hFM0dOK0Zy
+            Tmk4bXd0ZHhPemxDSDREb3IvSjFza1EKsjtC6J3kYGRe8oLAoUZmg1BUmpkMyC98
+            uYq+IQmfJt48R/MKDei00j1w3zIK5+E5GU4o8+jILzwfpzYUUZWwiA==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+        - recipient: age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFbDBYMDNQcWkySC8vN05t
-            U3hLMjlYVUE3Zms3U2R4R0VnMUtFcmVQclZvClY4aWZEYWZPdkltMElkUWxQeUtP
-            TEF0a0txbVQ4d3lrelp3cG9TbG5OSkEKLS0tIHR1V3JIVEwwUjM3RVdES2pQUmhP
-            T1MwME1tbGQ2NysrOEVNYVZRT1R0YmcKFpfe9GfH7s779CNQswRm/W7zwYO6wK11
-            z6IGPxtBlUGdshYiHA1BEz7fMVg3ZolL2D98cTNMM24U89Gssiw9qw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPb09qTTc4cjRMcjIzRmxu
+            RzZWTDBNTGdvaEc2VFJPakYvakRMK1RnS1FnCktHRVkwZGlUUXl4UTBRcGxMQzdn
+            QVBCYVdlWEw5NW9tNytJTGIzRlpwa0UKLS0tIGdDdUtFMUgyT0phMXBxZE41Y1h4
+            a2hQVVprakt5NURpNXdQUjREczJKWTgKn60yrLqco9brlqigAolO8rEkww9z3y3u
+            KmefLVZCGfoko+fnKLVE9UKFS/tAowqgPS1qE76u1Mmkk6yqZoG9rg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-20T23:41:59Z"
-    mac: ENC[AES256_GCM,data:38Ask+adT2FshF8DYEfCWeVWt4KiaJsTXhF7Ib3xxdfQ6vAixM2OXTaK/qqUvN6gQok9TFF+HMJBJ+jezV00nVcKUYn04FaU2/D2zdam44eEEYEEovmfAZ6vbC+CiDv4d/DCc3hnYtDZCEgUTfP4gsZ9rLZFAOwaOFWRJxcDi6Y=,iv:BzuWdTjn6LhscNeouHjM7IYKxTahA8PzzlHSCYZ618s=,tag:BWtPbNwzdOJb788eOO5ZNA==,type:str]
+    lastmodified: "2023-07-08T12:46:19Z"
+    mac: ENC[AES256_GCM,data:bQWG/GgSIv5LdhGTsyx3ENOAywtYVKjzK6nxOnUEZvD+RSi6jxj9Wze7qOhXvgjKWCz/cZj5oSuMQNRyoI8p8xJdxf0+UNdX8uPT05HiKuF7CBcXzprjKri/H6yFp87epOM9fMdn7ZUACn/iT1IZBo+5OuMtDnqVUm/GEmMcsog=,iv:ll/vEeiXsD3crbbxEFsJlxGbm9dZDUPC4GeO95RZZX4=,tag:TGCA721vK9EY3xlY6zIeIg==,type:str]
     pgp:
-        - created_at: "2024-04-20T23:15:17Z"
-          enc: |-
+        - created_at: "2023-01-21T19:52:08Z"
+          enc: |
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA0av/duuklWYAQ/+LSTWjii2dblTAkuqHan3uuuRRpt1ppmHEgHYkQZD+RzE
-            g+ljNaM/BPqci7Kr1NHFDw+cU2MYm/40Tz63l1cvfE3NEoVefsmoA5voNI3G/bx/
-            LTAe2aacPwO/TNoLtrCgRkzNyKXluUkM9OoIvkvB5DEGjYbe82+gI5Zi+NbW9N/p
-            5ilr9Cc1jvIivjZMGGPLRgkAc/twOOuyrZlsFd9kddAL9YFO7wpd/dko886y1jE5
-            jz9n9F4SKYOcgLPqZuG1iZ8qaA2zGT2bP2caai/QJAmL90stQCiRWtQgB8KeWugm
-            nRFBm5BLamtoqjXXwzdtXGKbFAhvL5/h+kPxnJDjylfFVbgCpoWJ/fxdE5xxxZtq
-            zCcGCQQsaa85eWkBByhu7TdwyAW7bJCm8z6kfFPGqhNDkS8ifxnEWm6ulgYVokiL
-            WVBvuQCd1s8KSExs6zNWGcGlqgvcbovHXyVlmLeqZfBA7i/vYqksZtBT47rG7nCS
-            YGfHy69yVrMdj4KrLuMXNfjtS92hkQqWmCyl5X5zOSJXqEL2dorMzSZn89gK4nL4
-            V4zOKkKtsj2MqynYn/XAoUf3AfYs2wtRhJiU+r/q+rx9Hx31H8mnUuUerT58yQCY
-            mAkjIhTzvZcWIalQo7xnZhos4p1IYaA7MAuGC6HxuWVaOsyiFkRaKwB9svWyZ/DS
-            XAFID3fQ1xfNyYsW8nvXQmvZubnhE+dAQPaiAFP9ujY4RVXWBFOrV6NAs7y/LID/
-            89lpfWN87JWSJWUk6DCD3AQ+1GiBCFy7uswUJkG4zou1RQBSl7X88ziVDILU
-            =tXkN
+            hQIMA0av/duuklWYAQ//Sw5EHNbC9iPXcHSULYVmSMOQCAH7GSGvaaFvey/KffPD
+            5gbFr00vIi1JfjYXmYfn3KKpUfs/mMMo5NzYU2Ou5fWcPsqFLXOwubebuf61X6p7
+            7YfLYQMnjgBzkpb972AJl2tWUlcBcOz89tIw3oMi8R5vvXjRjEdDY8Yp+Z2Apj9V
+            YJCoSIe6RLBlubMs4I6VIOaTaKIM1DWthg95dozlShXYsEgFTYaJ6FbN9RuZOZPa
+            KzFs2DXtbylXXJtiCArQCHnOgA1Jnp80VvMYLO1ldteQhqGdmnxnqwjETx/uqy4l
+            QE31LcRf2JFKi0BBJdQfEqBGW9LD4Mjfwi6tWbHq4Mn29u8IT6z5HJIB99JRAV/9
+            RfBPzF7UVLq2baWxDwG/M6TvZlVJPdAyhJ5QqhkVdrWir7D1D108u+cgtJWw+vlS
+            cP3hT73LWCo2bXUrHXxFnrWdDQQSDpew/x2cTHUNvqdqLZgMJWdZgh+mXOQLjzHP
+            xGkjt0ae5/CEnUIse/Qt3SyoKN3rGVKJgoQ4D0AeBFU5z7NEOx7Ebl9t6IgVnJIB
+            sDJXg+7jJ8A0V1xGan6BP8dFi7m0aAJH0xi8RB9jC1ZRVNxUjFow3Szh0JQ7u2P5
+            4jZ3FT4tWzPzLQsgJUd/H41QyKSd3ke4VMf97mEKULJ7prtXdyxQfRDcE93UgVXS
+            XAF0u7pIl+O2RlJtki+UvuwVDszPBRSmGmfiQa4vsYfXahO4fmBjhdl2hdLtz82F
+            dh+dPu+RSD9OKwIhUwsDLtWWlI/4BvIB1yXbQxP2MyjZm3uVf1CtgUHyjWw8
+            =rri5
             -----END PGP MESSAGE-----
           fp: F7D37890228A907440E1FD4846B9228E814A2AAC
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.7.3

users/adriangl.nix

@@ -6,21 +6,15 @@
     extraGroups = [
       "wheel"
       "drift"
-      "nix-builder-users"
     ];
 
     packages = with pkgs; [
+      eza
       neovim
-      htop
-      ripgrep
-      vim
-      foot.terminfo
     ];
 
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFa5y7KyLn2tjxed1czMbyM5scnEpo9v/GfnhL/28ckM legolas"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICf7SlyHR6KgP7+IeFr/Iuiu2lL5vaSlzqPonaO8XU0J gunalx@aragon"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
     ];
   };
 }

values.nix

@@ -30,11 +30,8 @@ in rec {
       ipv6 = pvv-ipv6 168;
     };
     ildkule = {
-      ipv4 = "10.212.25.209";
-      ipv6 = "2001:700:300:6025:f816:3eff:feee:812d";
-
-      ipv4_global = "129.241.153.213";
-      ipv6_global = "2001:700:300:6026:f816:3eff:fe58:f1e8";
+      ipv4 = pvv-ipv4 187;
+      ipv6 = pvv-ipv6 "1:187";
     };
     bicep = {
       ipv4 = pvv-ipv4 209;