temmie/userweb: add log processor for apache

temmie/userweb: inject users from passwd into httpd sandbox
modules/drumknotty: use correct screen window name for dibbler
2026-06-07 06:03:18 +09:00 · 2026-06-07 05:28:24 +09:00 · 2026-06-05 22:14:02 +02:00 · 2026-06-06 04:43:58 +09:00 · 2026-06-06 04:08:16 +09:00 · 2026-06-06 04:05:26 +09:00
176 changed files with 5638 additions and 7400 deletions
@@ -7,16 +7,13 @@ jobs:
  evals:
    runs-on: debian-latest
    steps:
    - name: Install sudo
      run: apt-get install --update --assume-yes sudo
    - uses: actions/checkout@v6
    - name: Install sudo
      run: apt-get update && apt-get -y install sudo
    - uses: https://github.com/cachix/install-nix-action@v31
    - name: Configure Nix
      run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - name: Build topology graph
      run: nix build .#topology -L
@@ -6,8 +6,11 @@ jobs:
  evals:
    runs-on: debian-latest
    steps:
    - name: Install sudo
      run: apt-get install --update --assume-yes sudo
    - uses: actions/checkout@v6
-    - run: apt-get update && apt-get -y install sudo
+
    - uses: https://github.com/cachix/install-nix-action@v31
-    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+
    - run: nix flake check
@@ -10,19 +10,18 @@ keys:
  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
  # Hosts
  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
  - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
-  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+  - &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
-  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+  - &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
-  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+  - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
-  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+  - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
-  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
  - &host_temmie age10avsdvqger25z0lyzlq8v7xfzcmypkmjsswswaxwqnpnl6x9wcjq0uv2n7
  - &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
 creation_rules:
  # Global secrets
@@ -93,19 +92,6 @@ creation_rules:
      pgp:
      - *user_oysteikt
  - path_regex: secrets/ustetind/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_ustetind
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/lupine/[^/]+\.yaml$
    key_groups:
    - age:
@@ -123,31 +109,6 @@ creation_rules:
      pgp:
      - *user_oysteikt
  - path_regex: secrets/bakke/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bakke
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrott/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_skrott
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrot/[^/]+\.yaml$
    key_groups:
    - age:
@@ -160,3 +121,29 @@ creation_rules:
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/temmie/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_temmie
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/gluttony/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_gluttony
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -39,11 +39,13 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
 | [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
-| [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
+| [skrot][skr]               | Physical | Kiosk, snacks and soda                                    |
 | [temmie][tem]              | Virtual  | User websites                                             |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
@@ -57,8 +59,10 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
 [glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
-[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
+[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
 [tem]: https://wiki.pvv.ntnu.no/wiki/Maskiner/temmie
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
@@ -1,6 +1,8 @@
 {
  config,
  pkgs,
  lib,
  inputs,
  fp,
  ...
 }:
@@ -10,7 +12,10 @@
    (fp /users)
    (fp /modules/snakeoil-certs.nix)
    ./mitigations.nix
    ./flake-input-exporter.nix
    ./hardening.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
@@ -20,6 +25,7 @@
    ./services/acme.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fluentbit.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/journald-upload.nix
@@ -30,8 +36,8 @@
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
    ./services/promtail.nix
    ./services/roowho2.nix
    ./services/scrutiny-collector.nix
    ./services/smartd.nix
    ./services/thermald.nix
    ./services/uptimed.nix
@@ -39,12 +45,20 @@
    ./services/userdbd.nix
  ];
  system.nixos.tags = lib.optionals (inputs.self.sourceInfo ? dirtyRev) [ "dirty" ];
  specialisation."auto-upgrade".configuration = {
    system.nixos.tags = [ "auto" ];
  };
  boot.tmp.cleanOnBoot = lib.mkDefault true;
  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  boot.loader.systemd-boot.enable = lib.mkDefault true;
  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
  services.btrfs.autoScrub.enable = lib.mkDefault (lib.any ({ fsType, ... }: fsType == "btrfs") (lib.attrValues config.fileSystems));
  time.timeZone = "Europe/Oslo";
  i18n.defaultLocale = "en_US.UTF-8";
@@ -68,18 +82,16 @@
    fi
  '';
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
  '';
  # These are servers, sleep is for the weak
-  systemd.sleep.extraConfig = lib.mkDefault ''
+  systemd.sleep.settings.Sleep = {
-    AllowSuspend=no
+    AllowSuspend = lib.mkDefault false;
-    AllowHibernation=no
+    AllowHibernation = lib.mkDefault false;
-  '';
+  };
  # users.mutableUsers = lib.mkDefault false;
@@ -0,0 +1,71 @@
 { ... }:
 {
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "appletalk"
    "atm"
    "ax25"
    "batman-adv"
    "can"
    "dccp"
    "ipx"
    "llc"
    "n-hdlc"
    "netrom"
    "p8022"
    "p8023"
    "psnap"
    "rds"
    "rose"
    "sctp"
    "tipc"
    # Filesystems we don't use
    "adfs"
    "affs"
    "befs"
    "bfs"
    "cifs"
    "cramfs"
    "efs"
    "exofs"
    "freevxfs"
    "gfs2"
    "hfs"
    "hfsplus"
    "hpfs"
    "jffs2"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "orangefs"
    "qnx4"
    "qnx6"
    "sysv"
    "ubifs"
    "udf"
    "ufs"
    # Legacy hardware
    "pcspkr"
    "floppy"
    "parport"
    "ppdev"
    # Other stuff we don't use
    "firewire-core"
    "firewire-ohci"
    "ksmbd"
    "ib_core"
    "l2tp_eth"
    "l2tp_netlink"
    "l2tp_ppp"
    "nfc"
    "soundwire"
  ];
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
 }
@@ -0,0 +1,24 @@
 { pkgs, lib, ... }:
 let
  modulesToBan = [
    # copy.fail
    "af_alg"
    "algif_aead"
    "algif_hash"
    "algif_rng"
    "algif_skcipher"
    # dirtyfrag / Fragnesia
    "esp4"
    "esp6"
    "rxrpc"
    # PinTheft
    "rds"
  ];
 in
 {
  boot.blacklistedKernelModules = modulesToBan;
  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }
@@ -8,6 +8,6 @@
  services.resolved = {
    enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+    settings.Resolve.DNSSEC = false; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
 }
@@ -1,9 +1,4 @@
-{
+{ lib, config, inputs, ... }:
  lib,
  config,
  inputs,
  ...
 }:
 {
  nix = {
    gc = {
@@ -16,17 +11,12 @@
      allow-dirty = true;
      auto-allocate-uids = true;
      builders-use-substitutes = true;
-      experimental-features = [
+      experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
        "nix-command"
        "flakes"
        "auto-allocate-uids"
      ];
      log-lines = 50;
      use-xdg-base-directories = true;
    };
-    /*
+    /* This makes commandline tools like
      This makes commandline tools like
    ** nix run nixpkgs#hello
    ** and nix-shell -p hello
    ** use the same channel the system
@@ -2,7 +2,7 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "acme-drift@pvv.ntnu.no";
+    defaults.email = "drift@pvv.ntnu.no";
  };
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
@@ -1,10 +1,4 @@
-{
+{ config, inputs, pkgs, lib, ... }:
  config,
  inputs,
  pkgs,
  lib,
  ...
 }:
 let
  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
@@ -19,36 +13,29 @@ in
      "--refresh"
      "--no-write-lock-file"
      "--specialisation auto-upgrade"
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
      # as such we instead use --override-input combined with --refresh
      # https://git.lix.systems/lix-project/lix/issues/400
-    ]
+    ] ++ (lib.pipe inputUrls [
    ++ (lib.pipe inputUrls [
      (lib.intersectAttrs {
        nixpkgs = { };
        nixpkgs-unstable = { };
      })
-      (lib.mapAttrsToList (
+      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
        input: url: [
          "--override-input"
          input
          url
        ]
      ))
      lib.concatLists
    ]);
  };
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc =
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
-    lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable)
+    "current-system-flake-inputs.json".source
-      {
+      = pkgs.writers.writeJSON "flake-inputs.json" (
-        "current-system-flake-inputs.json".source = pkgs.writers.writeJSON "flake-inputs.json" (
+        lib.flip lib.mapAttrs inputs (name: input:
          lib.flip lib.mapAttrs inputs (
            name: input:
          # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
-            lib.removeAttrs (input.sourceInfo or { }) [ "outPath" ] // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+          lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
            // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
        )
      );
  };
@@ -0,0 +1,135 @@
 { config, lib, ... }:
 let
  cfg = config.services.fluent-bit;
 in
 {
  services.fluent-bit = {
    enable = lib.mkDefault true;
    settings = {
      service = {
        flush = 1;
        log_level = "warn";
        http_server = "on";
        http_listen = "127.0.0.1";
        http_port = 28183;
        # filesystem-backed buffering so logs survives potential outages.
        "storage.path" = "/var/lib/fluent-bit/storage";
        "storage.sync" = "normal";
        "storage.max_chunks_up" = 64;
        "storage.backlog.mem_limit" = "16M";
      };
      pipeline = {
        inputs = [{
          name = "systemd";
          tag = "journal.*";
          db = "/var/lib/fluent-bit/journal.db";
          read_from_tail = true;
          strip_underscores = true;
          lowercase = true;
          max_entries = 1000;
          "storage.type" = "filesystem";
        }];
        filters = [{
          name = "modify";
          match = "journal.*";
          rename = [
            "hostname host"
            "priority level"
            "systemd_unit unit"
          ];
        }] ++ (lib.mapAttrsToList (k: v: {
          name = "modify";
          match = "journal.*";
          condition = "Key_value_equals level ${k}";
          set = "level ${v}";
        }) {
          "7" = "debug";
          "6" = "info";
          "5" = "notice";
          "4" = "warning";
          "3" = "error";
          "2" = "crit";
          "1" = "alert";
          "0" = "emergency";
        });
        outputs = [{
          name = "loki";
          match = "*";
          host = "ildkule.pvv.ntnu.no";
          port = 3100;
          uri = "/loki/api/v1/push";
          compress = "gzip";
          labels = lib.concatStringsSep ", " [
            "job=systemd-journal"
          ];
          label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
            "host"
            "unit"
            "level"
          ];
          # JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
          # line_format = "key_value";
          # drop_single_key = true;
          "storage.total_limit_size" = "256M";
        }];
      };
    };
  };
  systemd.services.fluent-bit = lib.mkIf cfg.enable {
    serviceConfig = {
      StateDirectory = "fluent-bit";
      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      # Lua JIT, maybe other things
      MemoryDenyWriteExecute = false;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "~@resources"
      ];
      UMask = "0077";
      BindReadOnlyPaths = [
        "/run/systemd/journal"
      ];
    };
  };
 }
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.journald.upload;
 in
@@ -11,8 +6,7 @@ in
  services.journald.upload = {
    enable = lib.mkDefault true;
    settings.Upload = {
-      # URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
+      URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
      URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
      ServerKeyFile = "-";
      ServerCertificateFile = "-";
      TrustedCertificateFile = "-";
@@ -1,10 +1,7 @@
 { ... }:
 {
  systemd.services.logrotate = {
-    documentation = [
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
      "man:logrotate(8)"
      "man:logrotate.conf(5)"
    ];
    unitConfig.RequiresMountsFor = "/var/log";
    serviceConfig.ReadWritePaths = [ "/var/log" ];
  };
@@ -11,10 +11,7 @@
    };
  };
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
    80
    443
  ];
  services.nginx = {
    recommendedTlsSettings = true;
@@ -18,3 +18,4 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
    ];
 }
@@ -6,9 +6,12 @@ in
  security.polkit.enable = true;
  environment.etc."polkit-1/rules.d/9-nixos-overrides.rules".text = lib.mkIf cfg.enable ''
-    polkit.addAdminRule(function(action, subject) {
+    polkit.addRule(function(action, subject) {
-        if(subject.isInGroup("wheel")) {
+       if (
-            return ["unix-user:"+subject.user];
+           action.id.startsWith("org.freedesktop.systemd1.") &&
           subject.isInGroup("wheel")
       ) {
           return polkit.Result.AUTH_SELF_KEEP;
         }
     });
  '';
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.postfix;
 in
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus.exporters.node;
 in
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus.exporters.systemd;
 in
@@ -1,47 +0,0 @@
 {
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus.exporters.node;
 in
 {
  services.promtail = {
    enable = lib.mkDefault true;
    configuration = {
      server = {
        http_listen_port = 28183;
        grpc_listen_port = 0;
      };
      clients = [
        {
          url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
        }
      ];
      scrape_configs = [
        {
          job_name = "systemd-journal";
          journal = {
            max_age = "12h";
            labels = {
              job = "systemd-journal";
              host = config.networking.hostName;
            };
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "level";
            }
          ];
        }
      ];
    };
  };
 }
@@ -0,0 +1,11 @@
 { config, ... }:
 {
  services.scrutiny.collector = {
    enable = !config.services.qemuGuest.enable;
    settings = {
      version = 1;
      host.id = config.networking.hostName;
      api.endpoint = "https://scrutiny.pvv.ntnu.no/";
    };
  };
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 {
  services.smartd = {
    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
@@ -19,12 +14,9 @@
    };
  };
-  environment.systemPackages = lib.optionals config.services.smartd.enable (
+  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
    with pkgs;
    [
    smartmontools
-    ]
+  ]);
  );
  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.uptimed;
 in
@@ -20,19 +15,16 @@ in
    services.uptimed = {
      enable = true;
-      settings =
+      settings = let
        let
        stateDir = "/var/lib/uptimed";
-        in
+      in {
        {
        PIDFILE = "${stateDir}/pid";
        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
      };
    };
    systemd.services.uptimed = lib.mkIf (cfg.enable) {
-      serviceConfig =
+      serviceConfig = let
        let
        uptimed = pkgs.uptimed.overrideAttrs (prev: {
          postPatch = ''
             substituteInPlace Makefile.am \
@@ -42,23 +34,23 @@ in
          '';
        });
-        in
+      in {
        {
        Type = "notify";
        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
-          BindReadOnlyPaths =
+        BindReadOnlyPaths = let
            let
          configFile = lib.pipe cfg.settings [
-                (lib.mapAttrsToList (
+            (lib.mapAttrsToList
-                  k: v: if builtins.isList v then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v else "${k}=${v}"
+              (k: v:
-                ))
+                if builtins.isList v
                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
                  else "${k}=${v}")
            )
            (lib.concatStringsSep "\n")
            (pkgs.writeText "uptimed.conf")
          ];
-            in
+        in [
            [
          "${configFile}:/var/lib/uptimed/uptimed.conf"
        ];
      };
@@ -1,15 +1,8 @@
 { config, fp, lib, ... }:
 {
-  config,
+  sops.defaultSopsFile = let
  fp,
  lib,
  ...
 }:
 {
  sops.defaultSopsFile =
    let
    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
-    in
+  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
    lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
@@ -1,5 +1,42 @@
 {
  "nodes": {
    "bro": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
        "lastModified": 1779629827,
        "narHash": "sha256-nrlB50/oelB8oFx9DhOoXI5z0VoTZGEA6XxYvkvpqDA=",
        "ref": "main",
        "rev": "7d0f35e12e4dec39f981c08fc33515589f41f4a5",
        "revCount": 3,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
      }
    },
    "crane": {
      "locked": {
        "lastModified": 1776635034,
        "narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "dibbler": {
      "inputs": {
        "nixpkgs": [
@@ -28,16 +65,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1736864502,
+        "lastModified": 1768920986,
-        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "rev": "de5708739256238fb912c62f03988815db89ec9a",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "v1.11.0",
+        "ref": "v1.13.0",
        "repo": "disko",
        "type": "github"
      }
@@ -47,11 +84,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1765835352,
+        "lastModified": 1772408722,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
        "type": "github"
      },
      "original": {
@@ -63,15 +100,15 @@
    "gergle": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unstable"
        ]
      },
      "locked": {
-        "lastModified": 1767906545,
+        "lastModified": 1777067150,
-        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
+        "narHash": "sha256-vqPz8jCS1zTQlvmgctUFpvnr6f9ISR5h7CPG/HgQvf0=",
        "ref": "main",
-        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
+        "rev": "b452a854fb78d6df9fe062b45e23a968657d115d",
-        "revCount": 23,
+        "revCount": 35,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      },
@@ -84,15 +121,15 @@
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unstable"
        ],
-        "rust-overlay": "rust-overlay"
+        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1767906494,
+        "lastModified": 1777019032,
-        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
+        "narHash": "sha256-29lw7THThWb5DW01rVRj1b816Apwz/P4m2wVWaSIadU=",
        "ref": "main",
-        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
+        "rev": "55262afca46c96f75a834d4e00e30d5fb20affb6",
        "revCount": 61,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
@@ -124,6 +161,27 @@
        "url": "https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git"
      }
    },
    "libdib": {
      "inputs": {
        "nixpkgs": [
          "worblehat",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1769338528,
        "narHash": "sha256-t18ZoSt9kaI1yde26ok5s7aFLkap1Q9+/2icVh2zuaE=",
        "ref": "refs/heads/main",
        "rev": "7218348163fd8d84df4a6f682c634793e67a3fed",
        "revCount": 13,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/libdib.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/libdib.git"
      }
    },
    "matrix-next": {
      "inputs": {
        "nixpkgs": [
@@ -150,7 +208,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_2"
+        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
        "lastModified": 1767906976,
@@ -217,11 +275,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769018862,
+        "lastModified": 1778407980,
-        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
+        "narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
+        "rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
        "type": "github"
      },
      "original": {
@@ -233,24 +291,24 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1769724120,
+        "lastModified": 1779622335,
-        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
+        "narHash": "sha256-06G98ieM6l+OI7EMhlvchgDBDn+DvIWCNj40LDhKpmc=",
-        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
+        "rev": "705e9929918b43bd7b715dc0a878ac870449bb03",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/26.05-small/nixos-26.05beta1.705e9929918b/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
+        "url": "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1765674936,
+        "lastModified": 1772328832,
-        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
+        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
+        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
        "type": "github"
      },
      "original": {
@@ -261,17 +319,38 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1769813739,
+        "lastModified": 1778586796,
-        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
+        "narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
-        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
+        "rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
        "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
      }
    },
    "passwd2systemd-users": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1780764154,
        "narHash": "sha256-Xvf9aBNLYDnbDKdtFjp5GEA/rZwVczHZWbJ0hac8Vv4=",
        "ref": "main",
        "rev": "8b4541be73ee3bd6c60525b2f42605efe89398c9",
        "revCount": 14,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git"
      }
    },
    "pvv-calendar-bot": {
      "inputs": {
        "nixpkgs": [
@@ -279,11 +358,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1764869785,
+        "lastModified": 1779774845,
-        "narHash": "sha256-FGTIpC7gB4lbeL0bfYzn1Ge0PaCpd7VqWBLhJBx0i4A=",
+        "narHash": "sha256-QJU1J4eupwjRrtvWGzRut0GY3woql92RS9O/acWkJkk=",
        "ref": "main",
-        "rev": "8ce7fb0b1918bdb3d1489a40d73895693955e8b2",
+        "rev": "13667cd216db260ab549e6f1b6281aa230d2f9e0",
-        "revCount": 23,
+        "revCount": 29,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/calendar-bot.git"
      },
@@ -300,11 +379,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769009806,
+        "lastModified": 1779903528,
-        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
+        "narHash": "sha256-4rajaHeBeQ4PjbNSpslE9G3A5mZM1J/64ls+VoufWZo=",
        "ref": "main",
-        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
+        "rev": "bba7413a1c611d4918fbef4d3aa55e465ca3f3fb",
-        "revCount": 575,
+        "revCount": 585,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -337,6 +416,7 @@
    },
    "root": {
      "inputs": {
        "bro": "bro",
        "dibbler": "dibbler",
        "disko": "disko",
        "gergle": "gergle",
@@ -349,31 +429,35 @@
        "nix-topology": "nix-topology",
        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "passwd2systemd-users": "passwd2systemd-users",
        "pvv-calendar-bot": "pvv-calendar-bot",
        "pvv-nettsiden": "pvv-nettsiden",
        "qotd": "qotd",
        "roowho2": "roowho2",
-        "sops-nix": "sops-nix"
+        "sops-nix": "sops-nix",
        "worblehat": "worblehat"
      }
    },
    "roowho2": {
      "inputs": {
        "crane": "crane",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_3"
+        "rust-overlay": "rust-overlay_4"
      },
      "locked": {
-        "lastModified": 1769834595,
+        "lastModified": 1778600367,
-        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
+        "narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
        "ref": "main",
-        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
+        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
-        "revCount": 49,
+        "revCount": 91,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      },
      "original": {
        "ref": "main",
        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      }
@@ -381,16 +465,16 @@
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
-          "greg-ng",
+          "bro",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1767840362,
+        "lastModified": 1779419951,
-        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
+        "narHash": "sha256-dMX0PUslUHPajP6o8FEoRdFv9afq/dec4POR0vVfjK4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
+        "rev": "5b5c521d6cae9ef4aa32f888eb2c0ce595c9be52",
        "type": "github"
      },
      "original": {
@@ -400,6 +484,27 @@
      }
    },
    "rust-overlay_2": {
      "inputs": {
        "nixpkgs": [
          "greg-ng",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1777000482,
        "narHash": "sha256-CZ5FKUSA8FCJf0h9GWdPJXoVVDL9H5yC74GkVc5ubIM=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "403c09094a877e6c4816462d00b1a56ff8198e06",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "rust-overlay_3": {
      "inputs": {
        "nixpkgs": [
          "minecraft-heatmap",
@@ -420,7 +525,7 @@
        "type": "github"
      }
    },
-    "rust-overlay_3": {
+    "rust-overlay_4": {
      "inputs": {
        "nixpkgs": [
          "roowho2",
@@ -428,11 +533,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769309768,
+        "lastModified": 1776914043,
-        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
+        "narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
+        "rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3",
        "type": "github"
      },
      "original": {
@@ -448,11 +553,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769469829,
+        "lastModified": 1777944972,
-        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
        "type": "github"
      },
      "original": {
@@ -461,6 +566,28 @@
        "repo": "sops-nix",
        "type": "github"
      }
    },
    "worblehat": {
      "inputs": {
        "libdib": "libdib",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1773932847,
        "narHash": "sha256-IklIAdlonrmO8/lkDxNIVz9+ORL4pcVotMTxeyvxzoc=",
        "ref": "main",
        "rev": "0871a319f51d3cb0d1abb5b11edb768b39906d3f",
        "revCount": 104,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/worblehat.git"
      }
    }
  },
  "root": "root",
@@ -2,13 +2,13 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
+    nixpkgs.url = "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz";
    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
    sops-nix.url = "github:Mic92/sops-nix/master";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    disko.url = "github:nix-community/disko/v1.11.0";
+    disko.url = "github:nix-community/disko/v1.13.0";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    nix-topology.url = "github:oddlama/nix-topology/main";
@@ -23,6 +23,9 @@
    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git?ref=main";
    dibbler.inputs.nixpkgs.follows = "nixpkgs";
    worblehat.url = "git+https://git.pvv.ntnu.no/Projects/worblehat.git?ref=main";
    worblehat.inputs.nixpkgs.follows = "nixpkgs";
    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.8.0";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
@@ -32,13 +35,13 @@
    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
-    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
    roowho2.inputs.nixpkgs.follows = "nixpkgs";
    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
-    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
+    greg-ng.inputs.nixpkgs.follows = "nixpkgs-unstable";
    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
-    gergle.inputs.nixpkgs.follows = "nixpkgs";
+    gergle.inputs.nixpkgs.follows = "nixpkgs-unstable";
    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
@@ -47,18 +50,21 @@
    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
    qotd.inputs.nixpkgs.follows = "nixpkgs";
    bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
    bro.inputs.nixpkgs.follows = "nixpkgs";
    passwd2systemd-users.url = "git+https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git?ref=main";
    passwd2systemd-users.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs =
+  outputs = {
    {
    self,
    nixpkgs,
    nixpkgs-unstable,
    sops-nix,
    disko,
    ...
-    }@inputs:
+  } @ inputs: let
    let
    inherit (nixpkgs) lib;
    systems = [
      "x86_64-linux"
@@ -70,48 +76,57 @@
    importantMachines = [
      "bekkalokk"
      "bicep"
        "brzeczyszczykiewicz"
      "georg"
      "ildkule"
      "kommode"
      "lupine-1"
      "skrot"
    ];
-    in
+  in {
    {
    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
-      pkgs = forAllSystems (
+    pkgs = forAllSystems (system:
        system:
      import nixpkgs {
        inherit system;
-          config.allowUnfreePredicate =
+        config.allowUnfreePredicate = pkg:
-            pkg:
+          builtins.elem (lib.getName pkg)
-            builtins.elem (lib.getName pkg) [
+          [
            "nvidia-x11"
            "nvidia-settings"
            "nvidia-kernel-modules"
          ];
-        }
+      });
      );
-      nixosConfigurations =
+    apps = forAllSystems (system: let
-        let
+      pkgs = nixpkgs.legacyPackages.${system};
-          nixosConfig =
+    in {
-            nixpkgs: name: configurationPath:
+      gitea-workflows = {
-            extraArgs@{
+        type = "app";
        meta.description = "Run all gitea workflows locally";
        program = toString (pkgs.writeShellScript "pvv-nixos-config-run-gitea-worflows" ''
          ${lib.getExe pkgs.gitea-actions-runner} exec -i node:current-trixie
        '');
      };
    });
    nixosConfigurations = let
      nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
        localSystem ? "x86_64-linux", # buildPlatform
        crossSystem ? "x86_64-linux", # hostPlatform
-              specialArgs ? { },
+        specialArgs ? {},
-              modules ? [ ],
+        modules ? [],
-              overlays ? [ ],
+        overlays ? [],
        enableDefaults ? true,
        ...
-            }:
+      }: let
-            let
+        commonPkgsConfig =
-              commonPkgsConfig = {
+          {
-                inherit localSystem crossSystem;
+            config.allowUnfreePredicate = pkg:
-                config.allowUnfreePredicate =
+              builtins.elem (lib.getName pkg)
-                  pkg:
+              [
                  builtins.elem (lib.getName pkg) [
                "nvidia-x11"
                "nvidia-settings"
                "nvidia-kernel-modules"
              ];
            overlays =
              (lib.optionals enableDefaults [
@@ -119,8 +134,16 @@
                inputs.roowho2.overlays.default
              ])
              ++ overlays;
-              };
+          }
-
+          // (
            if localSystem != crossSystem
            then {
              inherit localSystem crossSystem;
            }
            else {
              system = crossSystem;
            }
          );
        pkgs = import nixpkgs commonPkgsConfig;
        unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
      in
@@ -131,14 +154,16 @@
            inherit pkgs;
-                  specialArgs = {
+            specialArgs =
              {
                inherit inputs unstablePkgs;
                values = import ./values.nix;
                fp = path: ./${path};
              }
              // specialArgs;
-                  modules = [
+            modules =
              [
                {
                  networking.hostName = lib.mkDefault name;
                }
@@ -151,27 +176,20 @@
              ])
              ++ modules;
          }
-                (
+          (builtins.removeAttrs extraArgs [
                  builtins.removeAttrs extraArgs [
            "localSystem"
            "crossSystem"
            "modules"
            "overlays"
            "specialArgs"
            "enableDefaults"
-                  ]
+          ])
                )
        );
-          stableNixosConfig =
+      stableNixosConfig = name: extraArgs:
-            name: extraArgs: nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
+        nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
    in
      {
          bakke = stableNixosConfig "bakke" {
            modules = [
              inputs.disko.nixosModules.disko
            ];
          };
        bicep = stableNixosConfig "bicep" {
          modules = [
            inputs.matrix-next.nixosModules.default
@@ -186,37 +204,61 @@
            (final: prev: {
              inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
            })
            (final: prev: {
              # See https://git.pvv.ntnu.no/Drift/issues/issues/369
              mjolnir = prev.mjolnir.override {
                nodejs = prev.nodejs_22;
              };
            })
          ];
        };
        bekkalokk = stableNixosConfig "bekkalokk" {
          overlays = [
            (final: prev: {
-                mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
+              mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
-                simplesamlphp = final.callPackage ./packages/simplesamlphp { };
+              simplesamlphp = final.callPackage ./packages/simplesamlphp {};
                bluemap = final.callPackage ./packages/bluemap.nix { };
            })
            inputs.pvv-nettsiden.overlays.default
            inputs.qotd.overlays.default
          ];
          modules = [
            inputs.pvv-nettsiden.nixosModules.default
              self.nixosModules.bluemap
            inputs.qotd.nixosModules.default
          ];
        };
-          ildkule = stableNixosConfig "ildkule" { };
+        ildkule = stableNixosConfig "ildkule" {
          #ildkule-unstable = unstableNixosConfig "ildkule" { };
          skrot = stableNixosConfig "skrot" {
          modules = [
            inputs.disko.nixosModules.disko
              inputs.dibbler.nixosModules.default
          ];
            overlays = [ inputs.dibbler.overlays.default ];
        };
-          shark = stableNixosConfig "shark" { };
+        skrot = stableNixosConfig "skrot" {
-          wenche = stableNixosConfig "wenche" { };
+          modules = [
-          temmie = stableNixosConfig "temmie" { };
+            self.nixosModules.drumknotty
-          gluttony = stableNixosConfig "gluttony" { };
+            inputs.disko.nixosModules.disko
          ];
          overlays =
          [
            inputs.dibbler.overlays.default
            inputs.worblehat.overlays.default
          ];
        };
        shark = stableNixosConfig "shark" {};
        wenche = stableNixosConfig "wenche" {};
        temmie = stableNixosConfig "temmie" {
          overlays = [
            inputs.bro.overlays.default
            inputs.passwd2systemd-users.overlays.default
          ];
          modules = [
            inputs.bro.nixosModules.default
          ];
        };
        gluttony = stableNixosConfig "gluttony" {
          overlays = [
            (final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
          ];
          modules = [ self.nixosModules.bluemap ];
        };
        kommode = stableNixosConfig "kommode" {
          overlays = [
@@ -228,12 +270,6 @@
          ];
        };
          ustetind = stableNixosConfig "ustetind" {
            modules = [
              "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
            ];
          };
        brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
          modules = [
            inputs.grzegorz-clients.nixosModules.grzegorz-webui
@@ -257,63 +293,16 @@
          ];
        };
      }
-        // (
+      // (let
          let
            skrottConfig = {
              modules = [
                (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
                inputs.dibbler.nixosModules.default
              ];
              overlays = [
                inputs.dibbler.overlays.default
                (final: prev: {
                  # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
                  atool = prev.emptyDirectory;
                  micro = prev.emptyDirectory;
                  ncdu = prev.emptyDirectory;
                })
              ];
            };
          in
          {
            skrott = self.nixosConfigurations.skrott-native;
            skrott-native = stableNixosConfig "skrott" (
              skrottConfig
              // {
                localSystem = "aarch64-linux";
                crossSystem = "aarch64-linux";
              }
            );
            skrott-cross = stableNixosConfig "skrott" (
              skrottConfig
              // {
                localSystem = "x86_64-linux";
                crossSystem = "aarch64-linux";
              }
            );
            skrott-x86_64 = stableNixosConfig "skrott" (
              skrottConfig
              // {
                localSystem = "x86_64-linux";
                crossSystem = "x86_64-linux";
              }
            );
          }
        )
        // (
          let
        machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
-            stableLupineNixosConfig =
+        stableLupineNixosConfig = name: extraArgs:
-              name: extraArgs: nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
+          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
      in
-          lib.genAttrs machineNames (
+        lib.genAttrs machineNames (name:
            name:
          stableLupineNixosConfig name {
-              modules = [ { networking.hostName = name; } ];
+            modules = [{networking.hostName = name;}];
            specialArgs.lupineName = name;
-            }
+          }));
          )
        );
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
@@ -323,11 +312,11 @@
      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
      drumknotty = ./modules/drumknotty;
    };
    devShells = forAllSystems (system: {
-        default =
+      default = let
          let
        pkgs = import nixpkgs-unstable {
          inherit system;
          overlays = [
@@ -337,9 +326,8 @@
          ];
        };
      in
-          pkgs.callPackage ./shell.nix { };
+        pkgs.callPackage ./shell.nix {};
-        cuda =
+      cuda = let
          let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
          config = {
@@ -348,55 +336,43 @@
          };
        };
      in
-          cuda-pkgs.callPackage ./shells/cuda.nix { };
+        cuda-pkgs.callPackage ./shells/cuda.nix {};
    });
    packages = {
-        "x86_64-linux" =
+      "x86_64-linux" = let
          let
        system = "x86_64-linux";
        pkgs = nixpkgs.legacyPackages.${system};
      in
        rec {
          default = important-machines;
-            important-machines = pkgs.linkFarm "important-machines" (
+          important-machines =
-              lib.getAttrs importantMachines self.packages.${system}
+            pkgs.linkFarm "important-machines"
-            );
+            (lib.getAttrs importantMachines self.packages.${system});
-            all-machines = pkgs.linkFarm "all-machines" (lib.getAttrs allMachines self.packages.${system});
+          all-machines =
            pkgs.linkFarm "all-machines"
            (lib.getAttrs allMachines self.packages.${system});
-            simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+          simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
-            bluemap = pkgs.callPackage ./packages/bluemap.nix { };
+          bluemap = pkgs.callPackage ./packages/bluemap.nix {};
-            out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
+          out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {};
        }
        //
        # Mediawiki extensions
        (lib.pipe null [
-              (_: pkgs.callPackage ./packages/mediawiki-extensions { })
+          (_: pkgs.callPackage ./packages/mediawiki-extensions {})
-              (lib.flip builtins.removeAttrs [
+          (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
                "override"
                "overrideDerivation"
              ])
          (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
        ])
        //
        # Machines
-            lib.genAttrs allMachines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
+        lib.genAttrs allMachines
-          //
+        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
            # Skrott is exception
            {
              skrott = self.packages.${system}.skrott-native-sd;
              skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
              skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
              skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
              skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
              skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
            }
        //
        # Nix-topology
-            (
+        (let
              let
          topology' = import inputs.nix-topology {
            pkgs = import nixpkgs {
              inherit system;
@@ -415,8 +391,7 @@
            modules = [
              ./topology
              {
-                      nixosConfigurations = lib.mapAttrs (
+                nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
                        _name: nixosCfg:
                  nixosCfg.extendModules {
                    modules = [
                      inputs.nix-topology.nixosModules.default
@@ -425,27 +400,23 @@
                      ./topology/service-extractors/mysql.nix
                      ./topology/service-extractors/gitea-runners.nix
                    ];
-                        }
+                  })
-                      ) self.nixosConfigurations;
+                self.nixosConfigurations;
              }
            ];
          };
-              in
+        in {
              {
          topology = topology'.config.output;
          topology-png =
-                  pkgs.runCommand "pvv-config-topology-png"
+            pkgs.runCommand "pvv-config-topology-png" {
-                    {
+              nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
-                      nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
+            } ''
                    }
                    ''
              mkdir -p "$out"
              for file in '${topology'.config.output}'/*.svg; do
                ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
              done
            '';
-              }
+        });
            );
    };
  };
 }
@@ -1,26 +0,0 @@
 {
  config,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base
    ./filesystems.nix
  ];
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.05";
 }
@@ -1,83 +0,0 @@
 {
  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
  disko.devices = {
    disk = {
      one = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
      two = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
    };
    mdadm = {
      boot = {
        type = "mdadm";
        level = 1;
        metadata = "1.0";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
        };
      };
      raid1 = {
        type = "mdadm";
        level = 1;
        content = {
          type = "gpt";
          partitions.primary = {
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
@@ -1,26 +0,0 @@
 { pkgs, ... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
    supportedFilesystems.zfs = true;
    # Use stable linux packages, these work with zfs
    kernelPackages = pkgs.linuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
    interval = "Wed *-*-8..14 00:00:00";
  };
  # NFS Exports:
  #TODO
  # NFS Import mounts:
  #TODO
 }
@@ -1,70 +0,0 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ehci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
    fsType = "btrfs";
    options = [ "subvol=root" ];
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
    fsType = "btrfs";
    options = [ "subvol=home" ];
  };
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
    fsType = "btrfs";
    options = [
      "subvol=nix"
      "noatime"
    ];
  };
  fileSystems."/boot" = {
    device = "/dev/sdc2";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
@@ -1,9 +1,4 @@
-{
+{ fp, pkgs, values, ... }:
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
@@ -12,6 +7,7 @@
    ./services/alps.nix
    ./services/bluemap.nix
    ./services/radicale.nix
    ./services/idp-simplesamlphp
    ./services/kerberos.nix
    ./services/mediawiki
@@ -26,14 +22,9 @@
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
-    address = with values.hosts.bekkalokk; [
+    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  services.btrfs.autoScrub.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.11";
@@ -1,42 +1,30 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
    "ehci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/sda1";
+    { device = "/dev/sda1";
      fsType = "btrfs";
    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/CE63-3B9B";
+    { device = "/dev/disk/by-uuid/CE63-3B9B";
      fsType = "vfat";
    };
-  swapDevices = [
+  swapDevices =
-    { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
+    [ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -1,118 +1,10 @@
-{
+{ values, ... }:
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 let
-  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
+  webExport = "/var/lib/bluemap/web";
-  format = pkgs.formats.hocon { };
+in {
-in
+  # NOTE: our version of the module gets added in flake.nix
 {
  # NOTE: our versino of the module gets added in flake.nix
  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    host = "minecraft.pvv.ntnu.no";
    maps =
      let
        inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
      in
      {
        "verden" = {
          extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
          settings = {
            world = vanillaSurvival;
            dimension = "minecraft:overworld";
            name = "Verden";
            sorting = 0;
            start-pos = {
              x = 0;
              z = 0;
            };
            ambient-light = 0.1;
            cave-detection-ocean-floor = -5;
          };
        };
        "underverden" = {
          extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
          settings = {
            world = vanillaSurvival;
            dimension = "minecraft:the_nether";
            name = "Underverden";
            sorting = 100;
            start-pos = {
              x = 0;
              z = 0;
            };
            sky-color = "#290000";
            void-color = "#150000";
            sky-light = 1;
            ambient-light = 0.6;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
            cave-detection-uses-block-light = true;
            render-mask = [
              {
                max-y = 90;
              }
            ];
          };
        };
        "enden" = {
          extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
          settings = {
            world = vanillaSurvival;
            dimension = "minecraft:the_end";
            name = "Enden";
            sorting = 200;
            start-pos = {
              x = 0;
              z = 0;
            };
            sky-color = "#080010";
            void-color = "#080010";
            sky-light = 1;
            ambient-light = 0.6;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
          };
        };
      };
  };
  systemd.services."render-bluemap-maps" = {
    serviceConfig = {
      StateDirectory = [ "bluemap/world" ];
      ExecStartPre =
        let
          rsyncArgs = lib.cli.toCommandLineShellGNU { } {
            archive = true;
            compress = true;
            verbose = true;
            no-owner = true;
            no-group = true;
            rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
          };
        in
        "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -128,6 +20,30 @@ in
      quic_retry on;
      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    '';
    root = webExport;
    locations = {
      "~* ^/maps/[^/]*/tiles/".extraConfig = ''
        error_page 404 = @empty;
      '';
      "@empty".return = "204";
    };
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${webExport} = {
      user = "root";
      rrsyncArgs.wo = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"gluttony.pvv.ntnu.no,${values.hosts.gluttony.ipv6},${values.hosts.gluttony.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5jrqMovXlWaFWZAV/aKyQReHvUQp5kb+7Ja4gnevSr root@gluttony bluemap";
    };
  };
  networking.firewall.allowedUDPPorts = [ 443 ];
@@ -1,16 +1,8 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  pwAuthScript = pkgs.writeShellApplication {
    name = "pwauth";
-    runtimeInputs = with pkgs; [
+    runtimeInputs = with pkgs; [ coreutils heimdal ];
      coreutils
      heimdal
    ];
    text = ''
      read -r user1
      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -41,7 +33,7 @@ let
      "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
        <?php
-          ${lib.pipe config.services.idp.sp-remote-metadata [
+          ${ lib.pipe config.services.idp.sp-remote-metadata [
            (map (url: ''
              $metadata['${url}'] = [
                'SingleLogoutService' => [
@@ -93,20 +85,14 @@ let
        substituteInPlace "$out" \
          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
            config.sops.secrets."idp/cookie_salt".path
          }")' \
          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
            config.sops.secrets."idp/admin_password".path
          }")' \
          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
            config.sops.secrets."idp/postgres_password".path
          }")' \
          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
      '';
@@ -172,12 +158,10 @@ in
    services.phpfpm.pools.idp = {
      user = "idp";
      group = "idp";
-      settings =
+      settings = let
        let
        listenUser = config.services.nginx.user;
        listenGroup = config.services.nginx.group;
-        in
+      in {
        {
        "pm" = "dynamic";
        "pm.max_children" = 32;
        "pm.max_requests" = 500;
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 {
  security.krb5 = {
    enable = true;
@@ -1,12 +1,4 @@
-{
+{ pkgs, lib, fp, config, values, ... }: let
  pkgs,
  lib,
  fp,
  config,
  values,
  ...
 }:
 let
  cfg = config.services.mediawiki;
  # "mediawiki"
@@ -17,9 +9,7 @@ let
  simplesamlphp = pkgs.simplesamlphp.override {
    extra_files = {
-      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (
+      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
        import ../idp-simplesamlphp/metadata.php.nix
      );
      "config/authsources.php" = ./simplesaml-authsources.php;
@@ -28,47 +18,34 @@ let
        substituteInPlace "$out" \
          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
            config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path
          }")' \
          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
            config.sops.secrets."mediawiki/simplesamlphp/admin_password".path
          }")' \
          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
          --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
            config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path
          }")' \
          --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
      '';
    };
  };
-in
+in {
 {
  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
-  sops.secrets =
+  sops.secrets = lib.pipe [
    lib.pipe
      [
    "mediawiki/secret-key"
    "mediawiki/password"
    "mediawiki/postgres_password"
    "mediawiki/simplesamlphp/postgres_password"
    "mediawiki/simplesamlphp/cookie_salt"
    "mediawiki/simplesamlphp/admin_password"
-      ]
+  ] [
-      [
+    (map (key: lib.nameValuePair key {
        (map (
          key:
          lib.nameValuePair key {
      owner = user;
      group = group;
      restartUnits = [ "phpfpm-mediawiki.service" ];
-          }
+    }))
        ))
    lib.listToAttrs
  ];
@@ -130,6 +107,7 @@ in
        CodeEditor
        CodeMirror
        DeleteBatch
        PdfHandler
        PluggableAuth
        Popups
        Scribunto
@@ -204,12 +182,17 @@ in
      ];
      # Misc program paths
-      $wgFFmpegLocation = '${pkgs.ffmpeg}/bin/ffmpeg';
+      $wgFFmpegLocation = '${lib.getExe pkgs.ffmpeg}';
-      $wgExiftool = '${pkgs.exiftool}/bin/exiftool';
+      $wgExiftool = '${lib.getExe pkgs.exiftool}';
-      $wgExiv2Command = '${pkgs.exiv2}/bin/exiv2';
+      $wgExiv2Command = '${lib.getExe pkgs.exiv2}';
      # See https://gist.github.com/sergejmueller/088dce028b6dd120a16e
-      $wgJpegTran = '${pkgs.mozjpeg}/bin/jpegtran';
+      $wgJpegTran = '${lib.getExe' pkgs.mozjpeg "jpegtran"}';
-      $wgGitBin = '${pkgs.git}/bin/git';
+      $wgGitBin = '${lib.getExe pkgs.git}';
      $wgDiff3 = '${lib.getExe' pkgs.diffutils "diff3"}';
      $wgDiff = '${lib.getExe' pkgs.diffutils "diff"}';
      $wgUseImageMagick = true;
      $wgImageMagickConvertCommand = '${lib.getExe pkgs.imagemagick}';
      # Debugging
      $wgShowExceptionDetails = false;
@@ -233,14 +216,21 @@ in
      # EXT:WikiEditor
      $wgWikiEditorRealtimePreview = true;
      # EXT:PdfHandler
      $wgPdfProcessor = '${lib.getExe pkgs.ghostscript_headless}';
      $wgPdfPostProcessor = $wgImageMagickConvertCommand;
      $wgPdfInfo = '${lib.getExe' pkgs.poppler-utils "pdfinfo"}';
      $wgPdftoText = '${lib.getExe' pkgs.poppler-utils "pdftotext"}';
      # Override key from hardcoded config in nixpkgs
      $wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
    '';
  };
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d =
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
    lib.mkIf cfg.enable
      {
    user = "mediawiki";
    group = "mediawiki";
    mode = "0770";
@@ -278,12 +268,9 @@ in
      "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
      "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
-      "= /favicon.ico".alias =
+      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
        pkgs.runCommandLocal "mediawiki-favicon.ico"
          {
        buildInputs = with pkgs; [ imagemagick ];
-          }
+      } ''
          ''
        magick \
          ${fp /assets/logo_blue_regular.png} \
          -resize x64 \
@@ -301,10 +288,6 @@ in
  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [
        "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key"
      ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
@@ -312,10 +295,6 @@ in
  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [
        "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key"
      ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
@@ -11,8 +11,7 @@ in
 {
  # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
  systemd.services = lib.genAttrs pools (_: {
-    serviceConfig =
+    serviceConfig = let
      let
      caps = [
        "CAP_NET_BIND_SERVICE"
        "CAP_SETGID"
@@ -22,8 +21,7 @@ in
        "CAP_IPC_LOCK"
        "CAP_DAC_OVERRIDE"
      ];
-      in
+    in {
      {
      AmbientCapabilities = caps;
      CapabilityBoundingSet = caps;
      DeviceAllow = [ "" ];
@@ -0,0 +1,40 @@
 { config, lib, ... }:
 let
  domain = "dav.pvv.ntnu.no";
  radicalePort = 5232;
 in {
  services.radicale = {
    enable = true;
    settings = {
      server = {
        hosts = [ "127.0.0.1:${toString radicalePort}" ];
      };
      auth = {
        type = "imap";
        imap_host = "imap.pvv.ntnu.no";
        imap_security = "tls";
      };
      storage = {
        filesystem_folder = "/var/lib/radicale/collections";
      };
    };
  };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    kTLS = true;
    extraConfig = ''
      client_max_body_size 128M;
    '';
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString radicalePort}";
      proxyWebsockets = true;
    };
  };
 }
@@ -1,52 +1,63 @@
-{
+{ config, pkgs, lib, values, ... }:
  config,
  pkgs,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
  address = "127.0.1.2";
  port = 3011;
  wsPort = 3012;
-in
+in {
-{
+  sops.secrets."vaultwarden/rsa_key.pem" = {
  sops.secrets."vaultwarden/environ" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
  };
  sops.secrets."vaultwarden/rsa_key.pub.pem" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
  };
  sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
  sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
  sops.templates."vaultwarden/environment_file" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
    content = ''
        DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
        SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
    '';
  };
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
-    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    environmentFile = config.sops.templates."vaultwarden/environment_file".path;
    config = {
-      domain = "https://${domain}";
+      DOMAIN = "https://${domain}";
-      rocketAddress = address;
+      ROCKET_ADDRESS = address;
-      rocketPort = port;
+      ROCKET_PORT = port;
-      websocketEnabled = true;
+      WEBSOCKET_ENABLED = true;
-      websocketAddress = address;
+      WEBSOCKET_ADDRESS = address;
-      websocketPort = wsPort;
+      WEBSOCKET_PORT = wsPort;
-      signupsAllowed = true;
+      SIGNUPS_ALLOWED = true;
-      signupsVerify = true;
+      SIGNUPS_VERIFY = true;
-      signupsDomainsWhitelist = "pvv.ntnu.no";
+      SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no";
-      smtpFrom = "vaultwarden@pvv.ntnu.no";
+      SMTP_FROM = "vaultwarden@pvv.ntnu.no";
-      smtpFromName = "VaultWarden PVV";
+      SMTP_FROM_NAME = "VaultWarden PVV";
-      smtpHost = "smtp.pvv.ntnu.no";
+      SMTP_HOST = "smtp.pvv.ntnu.no";
-      smtpUsername = "vaultwarden";
+      SMTP_USERNAME = "vaultwarden";
-      smtpSecurity = "force_tls";
+      SMTP_SECURITY = "force_tls";
-      smtpAuthMechanism = "Login";
+      SMTP_AUTH_MECHANISM = "Login";
-      # Configured in environ:
+      RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path;
      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
      # smtpPassword = hemli
    };
  };
@@ -73,40 +84,6 @@ in
    };
  };
  systemd.services.vaultwarden = lib.mkIf cfg.enable {
    serviceConfig = {
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      NoNewPrivileges = true;
      # MemoryDenyWriteExecute = true;
      PrivateMounts = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
      ];
    };
  };
  services.rsync-pull-targets = {
    enable = true;
    locations."/var/lib/vaultwarden" = {
@@ -1,10 +1,4 @@
-{
+{ config, values, pkgs, lib, ... }:
  config,
  values,
  pkgs,
  lib,
  ...
 }:
 {
  imports = [
    ./roundcube.nix
@@ -16,8 +10,9 @@
    enableACME = true;
    kTLS = true;
    locations = {
-      "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
+      # "= /".return = "302 https://webmail.pvv.ntnu.no/roundcube";
      "/roundcube".return = "302 https://webmail.pvv.ntnu.no/";
      "/afterlogic_lite".return = "302 https://webmail.pvv.ntnu.no/roundcube";
      "/squirrelmail".return = "302 https://webmail.pvv.ntnu.no/roundcube";
      "/rainloop".return = "302 https://snappymail.pvv.ntnu.no/";
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 with lib;
 let
@@ -14,31 +9,27 @@ in
  sops.secrets."roundcube/postgres_password" = {
    owner = "nginx";
    group = "nginx";
    restartUnits = [ "phpfpm-roundcube.service" ];
  };
  sops.secrets."roundcube/des_key" = {
    owner = "nginx";
    group = "nginx";
    restartUnits = [ "phpfpm-roundcube.service" ];
  };
  services.roundcube = {
    enable = true;
-    package = pkgs.roundcube.withPlugins (
+    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
      plugins: with plugins; [
      persistent_login
      thunderbird_labels
      contextmenu
      custom_from
-      ]
+    ]);
    );
-    dicts = with pkgs.aspellDicts; [
+    dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
      en
      en-computers
      nb
      nn
      fr
      de
      it
    ];
    maxAttachmentSize = 20;
-    hostName = "roundcubeplaceholder.example.com";
+    hostName = domain;
    database = {
      host = "postgres.pvv.ntnu.no";
@@ -54,49 +45,13 @@ in
      $config['mail_domain'] = "pvv.ntnu.no";
      $config['smtp_user'] = "%u";
      $config['support_url'] = "";
      $config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
    '';
  };
-  services.nginx.virtualHosts."roundcubeplaceholder.example.com" = lib.mkForce { };
+  # TODO: move this back to `webmail.pvv.ntnu.no/roundcube` subpath
  services.nginx.virtualHosts.${domain} = {
    kTLS = true;
    locations."/roundcube" = {
      tryFiles = "$uri $uri/ =404";
      index = "index.php";
      root = pkgs.runCommandLocal "roundcube-dir" { } ''
        mkdir -p $out
        ln -s ${cfg.package} $out/roundcube
      '';
      extraConfig = ''
        location ~ ^/roundcube/(${
          builtins.concatStringsSep "|" [
            # https://wiki.archlinux.org/title/Roundcube
            "README"
            "INSTALL"
            "LICENSE"
            "CHANGELOG"
            "UPGRADING"
            "bin"
            "SQL"
            ".+\\.md"
            "\\."
            "config"
            "temp"
            "logs"
          ]
        })/? {
          deny all;
        }
        location ~ ^/roundcube/(.+\.php)(/?.*)$ {
          fastcgi_split_path_info ^/roundcube(/.+\.php)(/.+)$;
          include ${config.services.nginx.package}/conf/fastcgi_params;
          include ${config.services.nginx.package}/conf/fastcgi.conf;
          fastcgi_index index.php;
          fastcgi_pass unix:${config.services.phpfpm.pools.roundcube.socket};
        }
      '';
    };
  };
 }
@@ -1,15 +1,7 @@
-{
+{ config, lib, fp, pkgs, values, ... }:
  config,
  lib,
  fp,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.snappymail;
-in
+in {
 {
  imports = [ (fp /modules/snappymail.nix) ];
  services.snappymail = {
@@ -1,27 +1,18 @@
-{
+{ pkgs, lib, config, ... }:
  pkgs,
  lib,
  config,
  ...
 }:
 let
  format = pkgs.formats.php { };
  cfg = config.services.pvv-nettsiden;
-in
+in {
 {
  imports = [
    ./fetch-gallery.nix
  ];
-  sops.secrets =
+  sops.secrets = lib.genAttrs [
    lib.genAttrs
      [
    "nettsiden/door_secret"
    "nettsiden/mysql_password"
    "nettsiden/simplesamlphp/admin_password"
    "nettsiden/simplesamlphp/cookie_salt"
-      ]
+  ] (_: {
      (_: {
    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
    group = config.services.phpfpm.pools.pvv-nettsiden.group;
    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
@@ -44,10 +35,8 @@ in
    package = pkgs.pvv-nettsiden.override {
      extra_files = {
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" =
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
-          pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" =
          pkgs.writeText "pvv-nettsiden-authsources.php" ''
          <?php
          $config = array(
              'admin' => array(
@@ -65,12 +54,9 @@ in
    domainName = "www.pvv.ntnu.no";
-    settings =
+    settings = let
-      let
+      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
-        includeFromSops =
+    in {
          path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
      in
      {
      DOOR_SECRET = includeFromSops "door_secret";
      DB = {
@@ -94,14 +80,46 @@ in
  };
  services.phpfpm.pools."pvv-nettsiden".settings = {
-    # "php_admin_value[error_log]" = "stderr";
+    "php_admin_value[error_log]" = "syslog";
    "php_admin_flag[log_errors]" = true;
    "catch_workers_output" = true;
    "php_admin_value[max_execution_time]" = "30";
    "request_terminate_timeout" = "60s";
    "php_admin_value[sendmail_path]" = let
      fakeSendmail = pkgs.writeShellApplication {
        name = "fake-sendmail";
        text = ''
          TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
          (
            echo "SENDMAIL ARGS:"
            echo "$@"
            echo "SENDMAIL STDIN:"
            cat -
          ) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
        '';
      };
    in lib.getExe fakeSendmail;
    "php_admin_value[disable_functions]" = lib.concatStringsSep "," [
      "curl_exec"
      "curl_multi_exec"
      "exec"
      "parse_ini_file"
      "passthru"
      "popen"
      "proc_open"
      "shell_exec"
      "show_source"
      "system"
    ];
  };
  services.nginx.virtualHosts."pvv.ntnu.no" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    kTLS = true;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
@@ -109,6 +127,7 @@ in
  services.nginx.virtualHosts."www.pvv.org" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    kTLS = true;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
@@ -116,11 +135,13 @@ in
  services.nginx.virtualHosts."pvv.org" = {
    globalRedirect = cfg.domainName;
    redirectCode = 307;
    kTLS = true;
    forceSSL = true;
    useACMEHost = "www.pvv.ntnu.no";
  };
  services.nginx.virtualHosts.${cfg.domainName} = {
    kTLS = true;
    locations = {
      # Proxy home directories
      "^~ /~" = {
@@ -1,15 +1,8 @@
-{
+{ pkgs, lib, config, values, ... }:
  pkgs,
  lib,
  config,
  values,
  ...
 }:
 let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
-in
+in {
 {
  users.users.${config.services.pvv-nettsiden.user} = {
    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
    #       is there anything we can do to remove this?
@@ -44,24 +37,31 @@ in
  };
  systemd.services.pvv-nettsiden-gallery-update = {
-    path = with pkgs; [
+    serviceConfig = {
-      imagemagick
+      WorkingDirectory = galleryDir;
      User = config.services.pvv-nettsiden.user;
      Group = config.services.pvv-nettsiden.group;
      ExecStart = lib.getExe (pkgs.writeShellApplication {
        name = "pvv-nettsiden-gallery-update-exec-start.sh";
        runtimeInputs = with pkgs; [
          coreutils
          findutils
          gnused
          gnutar
          gzip
          imagemagick
        ];
-
+        text = ''
-    script = ''
+          tar ${lib.cli.toCommandLineShellGNU { } {
      tar ${
        lib.cli.toGNUCommandLineShell { } {
            extract = true;
            file = "${transferDir}/gallery.tar.gz";
            directory = ".";
-        }
+          }}
      }
          # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+          filesToRemove="$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))"
-      while IFS= read fname; do
+          while IFS= read -r fname; do
            rm -f "$fname" ||:
            rm -f ".thumbnails/$fname.png" ||:
          done <<< "$filesToRemove"
@@ -69,9 +69,9 @@ in
          find . -type d -empty -delete
          mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
+          images="$(find . -type f -not -path './.thumbnails*')"
-      while IFS= read fname; do
+          while IFS= read -r fname; do
            # Skip this file if an up-to-date thumbnail already exists
            if [ -f ".thumbnails/$fname.png" ] && \
              [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -80,16 +80,12 @@ in
            fi
            echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+            mkdir -p "$(dirname ".thumbnails/$fname")"
            magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
            touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
          done <<< "$images"
        '';
-
+      });
    serviceConfig = {
      WorkingDirectory = galleryDir;
      User = config.services.pvv-nettsiden.user;
      Group = config.services.pvv-nettsiden.group;
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
@@ -1,14 +1,11 @@
 { lib, ... }:
 {
-  services.nginx.virtualHosts =
+  services.nginx.virtualHosts = lib.genAttrs [
    lib.genAttrs
      [
    "pvv.ntnu.no"
    "www.pvv.ntnu.no"
    "pvv.org"
    "www.pvv.org"
-      ]
+  ] (_: {
      (_: {
    locations = {
      "^~ /.well-known/" = {
        alias = (toString ./root) + "/";
@@ -1,9 +1,4 @@
-{
+{ fp, pkgs, values, ... }:
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
@@ -24,16 +19,8 @@
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    #matchConfig.Name = "enp6s0f0";
    matchConfig.Name = "ens18";
-    address =
+    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
-      with values.hosts.bicep;
+      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
      [
        (ipv4 + "/25")
        (ipv6 + "/64")
      ]
      ++ (with values.services.turn; [
        (ipv4 + "/25")
        (ipv6 + "/64")
      ]);
  };
  systemd.network.wait-online = {
    anyInterface = true;
@@ -1,48 +1,33 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
    "ata_piix"
    "uhci_hcd"
    "ahci"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
+    { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
      fsType = "ext4";
    };
  # temp data disk, only 128gb not enough until we can add another disk to the system.
-  fileSystems."/data" = {
+  fileSystems."/data" =
-    device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
+    { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
      fsType = "ext4";
    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/198B-E363";
+    { device = "/dev/disk/by-uuid/198B-E363";
      fsType = "vfat";
-    options = [
+      options = [ "fmask=0022" "dmask=0022" ];
      "fmask=0022"
      "dmask=0022"
    ];
    };
  swapDevices = [ ];
@@ -1,14 +1,7 @@
-{
+{ config, fp, lib, pkgs, ... }:
  config,
  fp,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.pvv-calendar-bot;
-in
+in {
 {
  sops.secrets = {
    "calendar-bot/matrix_token" = {
      sopsFile = fp /secrets/bicep/bicep.yaml;
@@ -1,10 +1,4 @@
-{
+{ config, pkgs, lib, fp, ... }:
  config,
  pkgs,
  lib,
  fp,
  ...
 }:
 let
  cfg = config.services.gickup;
 in
@@ -26,16 +20,14 @@ in
      lfs = false;
    };
-    instances =
+    instances = let
      let
      defaultGithubConfig = {
        settings.token_file = config.sops.secrets."gickup/github-token".path;
      };
      defaultGitlabConfig = {
        # settings.token_file = ...
      };
-      in
+    in {
      {
      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
      "github:NixOS/nixpkgs" = defaultGithubConfig;
      "github:go-gitea/gitea" = defaultGithubConfig;
@@ -66,11 +58,9 @@ in
    };
  };
-  services.cgit =
+  services.cgit = let
    let
    domain = "mirrors.pvv.ntnu.no";
-    in
+  in {
    {
    ${domain} = {
      enable = true;
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
@@ -93,21 +83,17 @@ in
  };
  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
    kTLS = true;
    forceSSL = true;
    enableACME = true;
-    locations."= /PVV-logo.png".alias =
+    locations."= /PVV-logo.png".alias = let
-      let
+      small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
        small-pvv-logo =
          pkgs.runCommandLocal "pvv-logo-96x96"
            {
        nativeBuildInputs = [ pkgs.imagemagick ];
-            }
+      } ''
            ''
        magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
      '';
-      in
+    in toString small-pvv-logo;
      toString small-pvv-logo;
  };
  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
@@ -1,12 +1,4 @@
-{
+{ config, lib, fp, pkgs, secrets, values, ... }:
  config,
  lib,
  fp,
  pkgs,
  secrets,
  values,
  ...
 }:
 {
  sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -135,30 +127,17 @@
  };
  networking.firewall = {
-    interfaces.enp6s0f0 =
+    interfaces.enp6s0f0 = let
-      let
+      range = with config.services.coturn; [ {
        range = with config.services.coturn; [
          {
      from = min-port;
      to = max-port;
-          }
+    } ];
        ];
    in
    {
      allowedUDPPortRanges = range;
-        allowedUDPPorts = [
+      allowedUDPPorts = [ 443 3478 3479 5349 ];
          443
          3478
          3479
          5349
        ];
      allowedTCPPortRanges = range;
-        allowedTCPPorts = [
+      allowedTCPPorts = [ 443 3478 3479 5349 ];
          443
          3478
          3479
          5349
        ];
    };
  };
@@ -1,9 +1,4 @@
-{
+{ config, lib, fp, ... }:
  config,
  lib,
  fp,
  ...
 }:
 let
  cfg = config.services.mx-puppet-discord;
@@ -49,6 +44,7 @@ in
    ];
  };
  services.mx-puppet-discord.enable = false;
  services.mx-puppet-discord.settings = {
    bridge = {
@@ -56,21 +52,16 @@ in
      domain = "pvv.ntnu.no";
      homeserverUrl = "https://matrix.pvv.ntnu.no";
    };
-    provisioning.whitelist = [
+    provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
      "@dandellion:dodsorf\\.as"
      "@danio:pvv\\.ntnu\\.no"
    ];
    relay.whitelist = [ ".*" ];
-    selfService.whitelist = [
+    selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
      "@danio:pvv\\.ntnu\\.no"
      "@dandellion:dodsorf\\.as"
    ];
  };
  services.mx-puppet-discord.serviceDependencies = [
    "matrix-synapse.target"
    "nginx.service"
  ];
  services.matrix-synapse-next.settings = {
    app_service_config_files = [
      config.sops.templates."discord-registration.yaml".path
@@ -1,13 +1,7 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 let
  synapse-cfg = config.services.matrix-synapse-next;
-in
+in {
 {
  services.pvv-matrix-well-known.client = {
    "m.homeserver" = {
      base_url = "https://matrix.pvv.ntnu.no";
@@ -27,12 +21,12 @@ in
        default_server_config = config.services.pvv-matrix-well-known.client;
        disable_3pid_login = true;
-        #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
+#        integrations_ui_url = "https://dimension.dodsorf.as/riot";
-        #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
+#        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
-        #        integrations_widgets_urls = [
+#        integrations_widgets_urls = [
-        #          "https://dimension.dodsorf.as/widgets"
+#          "https://dimension.dodsorf.as/widgets"
-        #        ];
+#        ];
-        #        integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
+#        integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
        defaultCountryCode = "NO";
        showLabsSettings = true;
        features = {
@@ -1,11 +1,4 @@
-{
+{ config, lib, fp, unstablePkgs, inputs, ... }:
  config,
  lib,
  fp,
  unstablePkgs,
  inputs,
  ...
 }:
 let
  cfg = config.services.matrix-hookshot;
@@ -29,6 +22,7 @@ in
  sops.templates."hookshot-registration.yaml" = {
    owner = config.users.users.matrix-synapse.name;
    group = config.users.groups.keys-matrix-registrations.name;
    mode = "0440";
    restartUnits = [ "matrix-hookshot.service" ];
    content = ''
      id: matrix-hookshot
@@ -56,12 +50,59 @@ in
  systemd.services.matrix-hookshot = {
    serviceConfig = {
      DynamicUser = true;
      SupplementaryGroups = [
        config.users.groups.keys-matrix-registrations.name
      ];
      LoadCredential = [
        "passkey.pem:${config.sops.secrets."matrix/hookshot/passkey".path}"
      ];
      RuntimeDirectory = [ "matrix-hookshot/root-mnt" ];
      RootDirectory = "/run/matrix-hookshot/root-mnt";
      BindReadOnlyPaths = [
        config.sops.templates."hookshot-registration.yaml".path
        builtins.storeDir
        "/etc"
        "/run/nscd"
        "/var/run/nscd"
      ];
      AmbientCapabilities = "";
      CapabilityBoundingSet = "";
      LockPersonality = true;
      MemoryDenyWriteExecute = false; # node needs this
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "~@resources"
      ];
      UMask = "0077";
    };
  };
@@ -107,8 +148,7 @@ in
      };
      serviceBots = [
-        {
+        { localpart = "bot_feeds";
          localpart = "bot_feeds";
          displayname = "Aya";
          avatar = ./feeds.png;
          prefix = "!aya";
@@ -123,44 +163,20 @@ in
      permissions = [
        # Users of the PVV Server
-        {
+        { actor = "pvv.ntnu.no";
-          actor = "pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
          services = [
            {
              service = "*";
              level = "commands";
            }
          ];
        }
        # Members of Medlem space (for people with their own hs)
-        {
+        { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
-          actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
          services = [
            {
              service = "*";
              level = "commands";
            }
          ];
        }
        # Members of Drift
-        {
+        { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
-          actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
+          services = [ { service = "*"; level = "admin"; } ];
          services = [
            {
              service = "*";
              level = "admin";
            }
          ];
        }
        # Dan bootstrap
-        {
+        { actor = "@dandellion:dodsorf.as";
-          actor = "@dandellion:dodsorf.as";
+          services = [ { service = "*"; level = "admin"; } ];
          services = [
            {
              service = "*";
              level = "admin";
            }
          ];
        }
      ];
    };
@@ -178,6 +194,7 @@ in
  };
  services.nginx.virtualHosts."hookshot.pvv.ntnu.no" = {
    kTLS = true;
    enableACME = true;
    addSSL = true;
    locations."/" = {
@@ -1,9 +1,4 @@
-{
+{ config, lib, fp, ... }:
  config,
  lib,
  fp,
  ...
 }:
 let
  synapseConfig = config.services.matrix-synapse-next;
  matrixDomain = "matrix.pvv.ntnu.no";
@@ -25,12 +20,10 @@ in
  };
  services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
-    "org.matrix.msc4143.rtc_foci" = [
+    "org.matrix.msc4143.rtc_foci" = [{
      {
      type = "livekit";
      livekit_service_url = "https://${matrixDomain}/livekit/jwt";
-      }
+    }];
    ];
  };
  services.livekit = {
@@ -50,12 +43,7 @@ in
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
  };
-  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
    builtins.concatStringsSep "," [
      "pvv.ntnu.no"
      "dodsorf.as"
    ]
  );
  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
    locations."^~ /livekit/jwt/" = {
@@ -1,9 +1,4 @@
-{
+{ config, lib, fp, ... }:
  config,
  lib,
  fp,
  ...
 }:
 {
  sops.secrets."matrix/mjolnir/access_token" = {
@@ -59,4 +54,53 @@
    # TODO: Fix upstream module in nixpkgs
    pantalaimon.username = "bot_admin";
  };
  systemd.services.mjolnir.serviceConfig = {
    DynamicUser = true;
    RuntimeDirectory = [ "mjolnir/root-mnt" ];
    RootDirectory = "/run/mjolnir/root-mnt";
    BindReadOnlyPaths = [
      config.sops.secrets."matrix/mjolnir/access_token".path
      builtins.storeDir
      "/etc"
      "/run/nscd"
      "/var/run/nscd"
    ];
    AmbientCapabilities = "";
    CapabilityBoundingSet = "";
    LockPersonality = true;
    MemoryDenyWriteExecute = false; # node needs this
    NoNewPrivileges = true;
    PrivateDevices = true;
    PrivateMounts = true;
    PrivateTmp = true;
    PrivateUsers = true;
    ProcSubset = "pid";
    ProtectClock = true;
    ProtectControlGroups = true;
    ProtectHome = true;
    ProtectHostname = true;
    ProtectKernelLogs = true;
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    ProtectProc = "invisible";
    ProtectSystem = "strict";
    RemoveIPC = true;
    RestrictAddressFamilies = [
      "AF_INET"
      "AF_INET6"
      "AF_UNIX"
    ];
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    SystemCallArchitectures = "native";
    SystemCallFilter = [
      "@system-service"
      "~@privileged"
      "~@resources"
    ];
    UMask = "0077";
  };
 }
@@ -1,11 +1,4 @@
-{
+{ config, pkgs, lib, values, fp, ... }:
  config,
  pkgs,
  lib,
  values,
  fp,
  ...
 }:
 let
  cfg = config.services.matrix-ooye;
 in
@@ -63,6 +56,55 @@ in
    enableSynapseIntegration = false;
  };
  systemd.services."matrix-ooye" = {
    serviceConfig = {
      RuntimeDirectory = [ "matrix-ooye/root-mnt" ];
      RootDirectory = "/run/matrix-ooye/root-mnt";
      BindReadOnlyPaths = [
        builtins.storeDir
        "/etc"
        "/run/nscd"
        "/var/run/nscd"
      ];
      AmbientCapabilities = "";
      CapabilityBoundingSet = "";
      LockPersonality = true;
      MemoryDenyWriteExecute = false; # node needs this
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RemoveIPC = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "~@resources"
      ];
      UMask = "0077";
    };
  };
  systemd.services."matrix-synapse" = {
    after = [
      "matrix-ooye-pre-start.service"
@@ -87,6 +129,7 @@ in
  };
  services.nginx.virtualHosts."ooye.pvv.ntnu.no" = {
    kTLS = true;
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${cfg.socket}";
@@ -1,9 +1,4 @@
-{
+{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
  lib,
  buildPythonPackage,
  fetchFromGitHub,
  setuptools,
 }:
 buildPythonPackage rec {
  pname = "matrix-synapse-smtp-auth";
@@ -1,9 +1,5 @@
-{
+{ config, lib, pkgs, ... }:
-  config,
+
  lib,
  pkgs,
  ...
 }:
 # This service requires you to have access to endpoints not available over the internet
 # Use an ssh proxy or similar to access this dashboard.
@@ -1,9 +1,4 @@
-{
+{ config, lib, utils, ... }:
  config,
  lib,
  utils,
  ...
 }:
 let
  cfg = config.services.synapse-auto-compressor;
 in
@@ -1,23 +1,13 @@
-{
+{ config, lib, fp, pkgs, values, inputs, ... }:
  config,
  lib,
  fp,
  pkgs,
  values,
  inputs,
  ...
 }:
 let
  cfg = config.services.matrix-synapse-next;
  matrix-lib = inputs.matrix-next.lib;
-  imap0Attrs =
+  imap0Attrs = with lib; f: set:
-    with lib;
+    listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
-    f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
+in {
 in
 {
  sops.secrets."matrix/synapse/signing_key" = {
    key = "synapse/signing_key";
    sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -33,9 +23,7 @@ in
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
-      registration_shared_secret: ${
+      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
        config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
      }
    '';
  };
@@ -122,8 +110,7 @@ in
      password_config.enabled = true;
      modules = [
-        {
+        { module = "smtp_auth_provider.SMTPAuthProvider";
          module = "smtp_auth_provider.SMTPAuthProvider";
          config = {
            smtp_host = "smtp.pvv.ntnu.no";
          };
@@ -212,30 +199,22 @@ in
    };
  }
  {
-      locations =
+    locations = let
        let
      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-          socketAddress =
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
            w:
            let
              c = connectionInfo w;
            in
            "${c.host}:${toString c.port}";
      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
-        in
+    in lib.mapAttrs' (n: v: lib.nameValuePair
-        lib.mapAttrs' (
+      (metricsPath v) {
          n: v:
          lib.nameValuePair (metricsPath v) {
        proxyPass = proxyPath v;
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4};
          allow ${values.hosts.ildkule.ipv6};
          deny all;
        '';
-          }
+      })
-        ) cfg.workers.instances;
+      cfg.workers.instances;
  }
  {
    locations."/metrics/master/1" = {
@@ -247,28 +226,18 @@ in
      '';
    };
-      locations."/metrics/" =
+    locations."/metrics/" = let
-        let
+      endpoints = lib.pipe cfg.workers.instances [
          endpoints =
            lib.pipe cfg.workers.instances [
        (lib.mapAttrsToList (_: v: v))
        (map (w: "${w.type}/${toString w.index}"))
        (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
-            ]
+      ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
-            ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
+    in {
-        in
+      alias = pkgs.writeTextDir "/config.json"
-        {
+        (builtins.toJSON [
-          alias =
+          { targets = endpoints;
            pkgs.writeTextDir "/config.json" (
              builtins.toJSON [
                {
                  targets = endpoints;
            labels = { };
-                }
+          }]) + "/";
              ]
            )
            + "/";
    };
-    }
+  }];
  ];
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.pvv-matrix-well-known;
  format = pkgs.formats.json { };
@@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.minecraft-heatmap;
 in
@@ -28,29 +23,28 @@ in
  };
  systemd.services.minecraft-heatmap-ingest-logs = lib.mkIf cfg.enable {
-    serviceConfig.LoadCredential = [
+    serviceConfig = {
      LoadCredential = [
        "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
      ];
-
+      ExecStartPre = let
    preStart =
      let
        knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
          innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
          innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
          innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
        '';
-      in
+        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
-      ''
+          archive = true;
-        mkdir -p '${cfg.minecraftLogsDir}'
+          verbose = true;
-        "${lib.getExe pkgs.rsync}" \
+          progress = true;
-        --archive \
+          no-owner = true;
-        --verbose \
+          no-group = true;
-        --progress \
+        };
-        --no-owner \
+        sshCommand = ''${pkgs.openssh}/bin/ssh -o UserKnownHostsFile='${knownHostsFile}' -i \"$CREDENTIALS_DIRECTORY\"/sshkey'';
-        --no-group \
+      in [
-        --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
+        "${lib.getExe' pkgs.coreutils "mkdir"} -p '${cfg.minecraftLogsDir}'"
-        root@innovation.pvv.ntnu.no:/ \
+        "${lib.getExe pkgs.rsync} ${rsyncArgs} --rsh=\"${sshCommand}\" root@innovation.pvv.ntnu.no:/ '${cfg.minecraftLogsDir}'/"
-        '${cfg.minecraftLogsDir}'/
+      ];
-      '';
+    };
  };
 }
@@ -1,10 +1,4 @@
-{
+{ config, lib, pkgs, values, ... }:
  config,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.mysql;
  backupDir = "/data/mysql-backups";
@@ -50,11 +44,9 @@ in
      zstd
    ];
-    script =
+    script = let
      let
      rotations = 2;
-      in
+    in ''
      ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
@@ -65,7 +57,7 @@ in
      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
-        while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
@@ -1,10 +1,4 @@
-{
+{ config, pkgs, lib, values, ... }:
  config,
  pkgs,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.mysql;
  dataDir = "/data/mysql";
@@ -29,6 +23,9 @@ in
        bind-address = values.services.mysql.ipv4;
        skip-networking = 0;
        # Useful for the mysqld prometheus exporter
        userstat = 1;
        # This was needed in order to be able to use all of the old users
        # during migration from knakelibrak to bicep in Sep. 2023
        secure_auth = 0;
@@ -42,14 +39,12 @@ in
    #       a password which can be found in /secrets/ildkule/ildkule.yaml
    #       We have also changed both the host and auth plugin of this user
    #       to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
-    ensureUsers = [
+    ensureUsers = [{
      {
      name = "prometheus_mysqld_exporter";
      ensurePermissions = {
        "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
      };
-      }
+    }];
    ];
  };
  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
@@ -79,4 +74,16 @@ in
      ];
    };
  };
  services.logrotate = lib.mkIf (cfg.settings.mysqld.slow-query-log == 1) {
    enable = true;
    settings.mysql-slowlog = {
      files = [ cfg.settings.mysqld.slow-query-log-file ];
      frequency = "weekly";
      rotate = 12;
      create = "0660 mysql mysql";
      minsize = "1M";
      compress = true;
    };
  };
 }
@@ -1,10 +1,4 @@
-{
+{ config, lib, pkgs, values, ... }:
  config,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
@@ -51,11 +45,9 @@ in
      cfg.package
    ];
-    script =
+    script = let
      let
      rotations = 2;
-      in
+    in ''
      ''
      set -euo pipefail
      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
@@ -66,7 +58,7 @@ in
      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
-        while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
      done
    '';
@@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  config = lib.mkIf cfg.enable {
    systemd.services = {
      postgresql-repack = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Repack all PostgreSQL databases";
        startAt = "Mon 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
        };
      };
      postgresql-vacuum-analyze = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Vacuum and analyze all PostgreSQL databases";
        startAt = "Tue 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
        };
      };
    };
  };
 }
@@ -1,19 +1,17 @@
-{
+{ config, lib, pkgs, values, ... }:
  config,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
    ./backup.nix
    ./cleanup-timers.nix
  ];
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_18;
    extensions = ps: with ps; [ pg_repack ];
    enableTCPIP = true;
    authentication = ''
@@ -1,14 +1,8 @@
-{
+{ config, pkgs, values, ... }:
  lib,
  config,
  pkgs,
  values,
  ...
 }:
 {
  networking.nat = {
    enable = true;
-    internalInterfaces = [ "ve-+" ];
+    internalInterfaces = ["ve-+"];
    externalInterface = "ens3";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
@@ -16,9 +10,7 @@
  containers.bikkje = {
    autoStart = true;
-    config =
+    config = { config, pkgs, ... }: {
      { config, pkgs, ... }:
      {
      #import packages
      packages = with pkgs; [
          alpine
@@ -38,51 +30,33 @@
          enable = true;
          # Allow SSH and HTTP and ports for email and irc
          allowedTCPPorts = [
-              80
+            22 # SSH
-              22
+            80 # HTTP
-              194
+
-              994
+            # IRC
            194 # IRC
            994 # IRC (TLS)
            6697 # IRC (SSL)
            6665
            6666
            6667
            6668
            6669
-              6697
+
-              995
+            # EMAIL
-              993
+            25  # STMP
-              25
+            465 # STMP (SSL)
-              465
+            587 # STMP (TLS/STARTTLS)
-              587
+            110 # POP3
-              110
+            995 # POP3 (SSL/TLS)
-              143
+            143 # IMAP
-              993
+            993 # IMAP (SSL/TLS)
              995
            ];
            allowedUDPPorts = [
              80
              22
              194
              994
              6665
              6666
              6667
              6668
              6669
              6697
              995
              993
              25
              465
              587
              110
              143
              993
              995
          ];
          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
        };
        # Use systemd-resolved inside the container
        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-          useHostResolvConf = lib.mkForce false;
+        useHostResolvConf = mkForce false;
      };
      services.resolved.enable = true;
@@ -92,4 +66,4 @@
      system.stateVersion = "23.11";
    };
  };
-}
+};
@@ -1,10 +1,4 @@
-{
+{ config, fp, pkgs, values, ... }:
  config,
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
      # Include the results of the hardware scan.
@@ -16,10 +10,7 @@
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
-    address = with values.hosts.brzeczyszczykiewicz; [
+    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  fonts.fontconfig.enable = true;
@@ -1,44 +1,30 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
    "xhci_pci"
    "ehci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
+    { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
      fsType = "ext4";
    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/82E3-3D03";
+    { device = "/dev/disk/by-uuid/82E3-3D03";
      fsType = "vfat";
    };
-  swapDevices = [
+  swapDevices =
-    { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
+    [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -1,10 +1,4 @@
-{
+{ config, fp, pkgs, values, ... }:
  config,
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
      # Include the results of the hardware scan.
@@ -16,10 +10,7 @@
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
-    address = with values.hosts.georg; [
+    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  services.spotifyd = {
@@ -1,43 +1,30 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
    "xhci_pci"
    "ehci_pci"
    "ahci"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
      fsType = "ext4";
    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/145E-7362";
+    { device = "/dev/disk/by-uuid/145E-7362";
      fsType = "vfat";
    };
-  swapDevices = [
+  swapDevices =
-    { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@@ -7,6 +7,7 @@
 {
  imports = [
    ./hardware-configuration.nix
    ./services/bluemap.nix
    (fp /base)
  ];
@@ -22,7 +22,7 @@
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
@@ -31,7 +31,7 @@
  };
  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/933A-3005";
+    device = "/dev/disk/by-uuid/BD97-FCA0";
    fsType = "vfat";
    options = [
      "fmask=0077"
@@ -0,0 +1,113 @@
 { config, lib, pkgs, inputs, ... }:
 let
  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
 in {
  # NOTE: our version of the module gets added in flake.nix
  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    enableNginx = false;
    host = "minecraft.pvv.ntnu.no";
    maps = let
      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
    in {
      "verden" = {
        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:overworld";
          name = "Verden";
          sorting = 0;
          start-pos = {
            x = 0;
            z = 0;
          };
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
        };
      };
      "underverden" = {
        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_nether";
          name = "Underverden";
          sorting = 100;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#290000";
          void-color = "#150000";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          render-mask = [{
            max-y = 90;
          }];
        };
      };
      "enden" = {
        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_end";
          name = "Enden";
          sorting = 200;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#080010";
          void-color = "#080010";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
        };
      };
    };
  };
  systemd.services."render-bluemap-maps" = {
    serviceConfig = {
      StateDirectory = [ "bluemap/world" ];
      ExecStartPre = let
        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
          archive = true;
          compress = true;
          verbose = true;
          no-owner = true;
          no-group = true;
          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
        };
      in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
      ExecStartPost = let
        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
          archive = true;
          compress = true;
          verbose = true;
          no-owner = true;
          no-group = true;
          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
        };
      in "${lib.getExe pkgs.rsync} ${rsyncArgs} --groupmap=root:nginx ${config.services.bluemap.webRoot}/ root@bekkalokk.pvv.ntnu.no:/";
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
 }
@@ -5,11 +5,10 @@
  lib,
  values,
  ...
-}:
+}: {
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disks.nix
    (fp /base)
    ./services/monitoring
@@ -17,18 +16,16 @@
    ./services/journald-remote.nix
  ];
-  boot.loader.systemd-boot.enable = false;
+  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/vda";
+  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  # Openstack Neutron and systemd-networkd are not best friends, use something else:
  systemd.network.enable = lib.mkForce false;
-  networking =
+  networking = let
    let
    hostConf = values.hosts.ildkule;
-    in
+  in {
    {
    tempAddresses = "disabled";
    useDHCP = lib.mkForce true;
@@ -36,7 +33,7 @@
    nameservers = values.defaultNetworkConfig.dns;
    defaultGateway.address = hostConf.ipv4_internal_gw;
-      interfaces."ens4" = {
+    interfaces."ens3" = {
      ipv4.addresses = [
        {
          address = hostConf.ipv4;
@@ -0,0 +1,27 @@
 {
  disko.devices = {
    disk = {
      sda = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            bios = {
              size = "1M";
              type = "EF02";
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
    };
  };
 }
@@ -1,21 +1,24 @@
-{ modulesPath, lib, ... }:
+# Do not modify this file!  It was generated by 'nixos-generate-config'
-{
+# and may be overwritten by future invocations.  Please make changes
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+# to /etc/nixos/configuration.nix instead.
-  boot.initrd.availableKernelModules = [
+{ config, lib, pkgs, modulesPath, ... }:
    "ata_piix"
    "uhci_hcd"
    "xen_blkfront"
    "vmw_pvscsi"
  ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
    fsType = "ext4";
  };
  fileSystems."/data" = {
    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
    fsType = "ext4";
  };
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.journald.remote;
  domainName = "journald.pvv.ntnu.no";
@@ -27,11 +22,9 @@ in
  services.journald.remote = {
    enable = true;
-    settings.Remote =
+    settings.Remote = let
      let
      inherit (config.security.acme.certs.${domainName}) directory;
-      in
+    in {
      {
      ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
      ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
      TrustedCertificateFile = "-";
@@ -54,11 +47,9 @@ in
  systemd.services."systemd-journal-remote" = {
    serviceConfig = {
-      LoadCredential =
+      LoadCredential = let
        let
        inherit (config.security.acme.certs.${domainName}) directory;
-        in
+      in [
        [
        "key.pem:${directory}/key.pem"
        "cert.pem:${directory}/cert.pem"
      ];
@@ -5,6 +5,7 @@
    ./grafana.nix
    ./loki.nix
    ./prometheus
    ./scrutiny.nix
    ./uptime-kuma.nix
  ];
 }
@@ -1,19 +1,10 @@
-{
+{ config, pkgs, values, ... }: let
  config,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.grafana;
-in
+in {
-{
+  sops.secrets = let
  sops.secrets =
    let
    owner = "grafana";
    group = "grafana";
-    in
+  in {
    {
    "keys/grafana/secret_key" = { inherit owner group; };
    "keys/grafana/admin_password" = { inherit owner group; };
  };
@@ -21,12 +12,10 @@ in
  services.grafana = {
    enable = true;
-    settings =
+    settings = let
      let
      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
      secretFile = path: "$__file{${path}}";
-      in
+    in {
      {
      server = {
        domain = "grafana.pvv.ntnu.no";
        http_port = 2342;
@@ -3,8 +3,7 @@
 let
  cfg = config.services.loki;
  stateDir = "/data/monitoring/loki";
-in
+in {
 {
  services.loki = {
    enable = true;
    configuration = {
@@ -1,8 +1,6 @@
-{ config, ... }:
+{ config, ... }: let
 let
  stateDir = "/data/monitoring/prometheus";
-in
+in {
 {
  imports = [
    ./exim.nix
    ./gitea.nix
@@ -23,6 +21,7 @@ in
  fileSystems."/var/lib/prometheus2" = {
    device = stateDir;
    fsType = "bind";
    options = [ "bind" ];
  };
 }
@@ -1,16 +1,12 @@
 { ... }:
 {
-  services.prometheus = {
+  services.prometheus.scrapeConfigs = [{
    scrapeConfigs = [
      {
    job_name = "exim";
    scrape_interval = "15s";
-        static_configs = [
+    scheme = "http";
-          {
+
    static_configs = [{
      targets = [ "microbel.pvv.ntnu.no:9636" ];
-          }
+    }];
-        ];
+  }];
      }
    ];
  };
 }
@@ -1,7 +1,6 @@
 { ... }:
 {
-  services.prometheus.scrapeConfigs = [
+  services.prometheus.scrapeConfigs = [{
    {
    job_name = "gitea";
    scrape_interval = "60s";
    scheme = "https";
@@ -13,6 +12,5 @@
        ];
      }
    ];
-    }
+  }];
  ];
 }
@@ -1,5 +1,4 @@
-{ config, ... }:
+{ config, ... }: let
 let
  cfg = config.services.prometheus;
  mkHostScrapeConfig = name: ports: {
@@ -10,98 +9,29 @@ let
  defaultNodeExporterPort = 9100;
  defaultSystemdExporterPort = 9101;
  defaultNixosExporterPort = 9102;
-in
+in {
-{
+  services.prometheus.scrapeConfigs = [{
  services.prometheus.scrapeConfigs = [
    {
    job_name = "base_info";
    static_configs = [
-        (mkHostScrapeConfig "ildkule" [
+      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
          cfg.exporters.node.port
          cfg.exporters.systemd.port
          defaultNixosExporterPort
        ])
-        (mkHostScrapeConfig "bekkalokk" [
+      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNodeExporterPort
+      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultSystemdExporterPort
+      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNixosExporterPort
+      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        ])
+      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        (mkHostScrapeConfig "bicep" [
+      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNodeExporterPort
+      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultSystemdExporterPort
+      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNixosExporterPort
+      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        ])
+      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        (mkHostScrapeConfig "brzeczyszczykiewicz" [
+      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNodeExporterPort
+      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultSystemdExporterPort
+      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "georg" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "gluttony" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "kommode" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-1" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-2" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-3" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-4" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-5" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "temmie" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "ustetind" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "wenche" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "skrott" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
        ])
      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
    ];
-    }
+  }];
  ];
 }
@@ -1,16 +1,13 @@
 { ... }:
 {
-  services.prometheus.scrapeConfigs = [
+  services.prometheus.scrapeConfigs = [{
    {
    job_name = "synapse";
    scrape_interval = "15s";
    scheme = "https";
-      http_sd_configs = [
+    http_sd_configs = [{
        {
      url = "https://matrix.pvv.ntnu.no/metrics/config.json";
-        }
+    }];
      ];
    relabel_configs = [
      {
@@ -39,6 +36,5 @@
        target_label = "__address__";
      }
    ];
-    }
+  }];
  ];
 }
@@ -1,18 +1,14 @@
-{ config, ... }:
+{ config, ... }: let
 let
  cfg = config.services.prometheus;
-in
+in {
 {
  sops = {
    secrets."config/mysqld_exporter_password" = { };
    templates."mysqld_exporter.conf" = {
      restartUnits = [ "prometheus-mysqld-exporter.service" ];
-      content =
+      content = let
        let
        inherit (config.sops) placeholder;
-        in
+      in ''
        ''
        [client]
        host = mysql.pvv.ntnu.no
        port = 3306
@@ -23,8 +19,7 @@ in
  };
  services.prometheus = {
-    scrapeConfigs = [
+    scrapeConfigs = [{
      {
      job_name = "mysql";
      scheme = "http";
      metrics_path = cfg.exporters.mysqld.telemetryPath;
@@ -35,8 +30,7 @@ in
          ];
        }
      ];
-      }
+    }];
    ];
    exporters.mysqld = {
      enable = true;
@@ -1,17 +1,9 @@
-{
+{ pkgs, lib, config, values, ... }: let
  pkgs,
  lib,
  config,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus;
-in
+in {
 {
  sops.secrets = {
-    "keys/postgres/postgres_exporter_env" = { };
+    "keys/postgres/postgres_exporter_env" = {};
-    "keys/postgres/postgres_exporter_knakelibrak_env" = { };
+    "keys/postgres/postgres_exporter_knakelibrak_env" = {};
  };
  services.prometheus = {
@@ -19,26 +11,22 @@ in
      {
        job_name = "postgres";
        scrape_interval = "15s";
-        static_configs = [
+        static_configs = [{
          {
          targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
          labels = {
            server = "bicep";
          };
-          }
+        }];
        ];
      }
      {
        job_name = "postgres-knakelibrak";
        scrape_interval = "15s";
-        static_configs = [
+        static_configs = [{
          {
          targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
          labels = {
            server = "knakelibrak";
          };
-          }
+        }];
        ];
      }
    ];
@@ -49,11 +37,9 @@ in
    };
  };
-  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig =
+  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
    let
    localCfg = config.services.prometheus.exporters.postgres;
-    in
+  in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
    lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
      EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
      ExecStart = ''
        ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
@@ -0,0 +1,40 @@
 { config, values, ... }:
 let
  cfg = config.services.scrutiny;
 in
 {
  services.scrutiny = {
    enable = true;
    settings = {
      web.listen = {
        host = "127.0.0.1";
        port = 18293;
        basepath = "";
      };
      # notify.urls = [
      #   "matrix://username:password@host:port/[?rooms=!roomID1[,roomAlias2]]"
      # ];
    };
  };
  services.nginx.virtualHosts."scrutiny.pvv.ntnu.no" = {
    kTLS = true;
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://${cfg.settings.web.listen.host}:${toString cfg.settings.web.listen.port}";
    };
    # TODO: allow website access to the outside world, but restrict input api
    extraConfig = ''
      allow ${values.hosts.ildkule.ipv4}/32;
      allow ${values.hosts.ildkule.ipv6}/128;
      allow 127.0.0.1/32;
      allow ::1/128;
      allow ${values.ipv4-space};
      allow ${values.ipv6-space};
      deny all;
    '';
  };
 }
@@ -1,15 +1,9 @@
-{
+{ config, pkgs, lib, values, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.uptime-kuma;
  domain = "status.pvv.ntnu.no";
  stateDir = "/data/monitoring/uptime-kuma";
-in
+in {
 {
  services.uptime-kuma = {
    enable = true;
    settings = {
@@ -25,8 +19,26 @@ in
    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
  };
-  fileSystems."/var/lib/uptime-kuma" = {
+  fileSystems."/var/lib/private/uptime-kuma" = {
    device = stateDir;
    fsType = "bind";
    options = [ "bind" ];
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${stateDir} = {
      user = "root";
      rrsyncArgs.ro = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"principal.pvv.ntnu.no,${values.hosts.principal.ipv6},${values.hosts.principal.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJXzcDm6cVr4NmWzUSroy33FlielKqaG83wY0RCMC0p/ uptime_kuma rsync backup";
    };
  };
 }
@@ -1,9 +1,4 @@
-{
+{ pkgs, values, fp, ... }:
  pkgs,
  values,
  fp,
  ...
 }:
 {
  imports = [
    # Include the results of the hardware scan.
@@ -17,14 +12,9 @@
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
-    address = with values.hosts.kommode; [
+    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  services.btrfs.autoScrub.enable = true;
  services.qemuGuest.enable = true;
  # Don't change (even during upgrades) unless you know what you are doing.
@@ -1,27 +1,14 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
@@ -1,10 +1,4 @@
-{
+{ config, pkgs, lib, fp, ... }:
  config,
  pkgs,
  lib,
  fp,
  ...
 }:
 let
  cfg = config.services.gitea;
 in
@@ -78,10 +72,9 @@ in
      Type = "oneshot";
      User = cfg.user;
      Group = cfg.group;
-    };
+      PrivateNetwork = true;
-    script =
+      ExecStart = let
      let
        logo-svg = fp /assets/logo_blue_regular.svg;
        logo-png = fp /assets/logo_blue_regular.png;
@@ -99,34 +92,32 @@ in
          labels = lib.importJSON ./labels/projects.json;
        };
-        customTemplates =
+        customTemplates = pkgs.runCommandLocal "gitea-templates" {
          pkgs.runCommandLocal "gitea-templates"
            {
          nativeBuildInputs = with pkgs; [
            coreutils
            gnused
          ];
-            }
+        } ''
            ''
          # Bigger icons
-              install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
+          install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
          sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
        '';
-      in
+        install = lib.getExe' pkgs.coreutils "install";
-      ''
+      in [
-        install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
+        "${install} -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'"
-        install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
+        "${install} -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'"
-        install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
+        "${install} -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'"
-        install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
+        "${install} -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'"
-        install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
+        "${install} -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'"
-        install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
+        "${install} -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'"
-        install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
+        "${install} -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'"
-        install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
+        "${install} -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'"
-        install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
+        "${install} -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'"
-        install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
+        "${install} -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'"
-        "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
+        "${lib.getExe pkgs.rsync} -a '${customTemplates}/' '${cfg.customDir}/templates/'"
-      '';
+      ];
    };
  };
 }
@@ -1,17 +1,9 @@
-{
+{ config, values, lib, pkgs, unstablePkgs, ... }:
  config,
  values,
  lib,
  pkgs,
  unstablePkgs,
  ...
 }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
  sshPort  = 2222;
-in
+in {
 {
  imports = [
    ./customization
    ./gpg.nix
@@ -19,15 +11,13 @@ in
    ./web-secret-provider
  ];
-  sops.secrets =
+  sops.secrets = let
    let
    defaultConfig = {
      owner = "gitea";
      group = "gitea";
      restartUnits = [ "gitea.service" ];
    };
-    in
+  in {
    {
    "gitea/database" = defaultConfig;
    "gitea/email-password" = defaultConfig;
    "gitea/lfs-jwt-secret" = defaultConfig;
@@ -141,16 +131,17 @@ in
          "repo.pulls"
          "repo.releases"
        ];
        ALLOW_FORK_INTO_SAME_OWNER = true;
      };
      picture = {
        DISABLE_GRAVATAR = true;
        ENABLE_FEDERATED_AVATAR = false;
        AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
        # NOTE: go any bigger than this, and gitea will freeze your gif >:(
        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
      };
      actions.ENABLED = true;
      webhook.ALLOWED_HOST_LIST = lib.concatStringsSep "," [
        "external"
      ];
    };
    dump = {
@@ -225,9 +216,8 @@ in
  };
  systemd.services.gitea-dump = {
-    serviceConfig.ExecStart =
+    serviceConfig.ExecStart = let
-      let
+      args = lib.cli.toCommandLineShellGNU { } {
        args = lib.cli.toGNUCommandLineShell { } {
        type = cfg.dump.type;
        # This should be declarative on nixos, no need to backup.
@@ -239,19 +229,11 @@ in
        # Logs are stored in the systemd journal
        skip-log = true;
      };
-      in
+    in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
      lib.mkForce "${lib.getExe cfg.package} ${args}";
-    # Only keep n backup files at a time
+    # Only keep a single backup file at a time.
-    postStop =
+    postStop = ''
-      let
+      ${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
        cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
        backupCount = 3;
      in
      ''
        for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
          ${cu "rm"} "$file"
        done
    '';
  };
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.gitea;
  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
@@ -43,11 +38,11 @@ in
      Type = "oneshot";
      User = cfg.user;
      PrivateNetwork = true;
      ExecStart = [
        "${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-public".path}'"
        "${lib.getExe pkgs.gnupg} --import '${config.sops.secrets."gitea/gpg-signing-key-private".path}'"
      ];
    };
    script = ''
      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-public".path}
      ${lib.getExe pkgs.gnupg} --import ${config.sops.secrets."gitea/gpg-signing-key-private".path}
    '';
  };
  services.gitea.settings."repository.signing" = {
@@ -55,6 +50,8 @@ in
    SIGNING_NAME = "PVV Git";
    SIGNING_EMAIL = "gitea@git.pvv.ntnu.no";
    INITIAL_COMMIT = "always";
    MERGES = lib.concatStringsSep "," [ "always" ];
    CRUD_ACTIONS = lib.concatStringsSep "," [ "always" ];
    WIKI = "always";
  };
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.gitea;
 in
@@ -16,21 +11,21 @@ in
  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
    enable = true;
    preStart = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
    serviceConfig = {
      ExecStartPre = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
        flakeIgnore = [
          "E501" # Line over 80 chars lol
        ];
        libraries = with pkgs.python3Packages; [ requests ];
      } (builtins.readFile ./gitea-import-users.py);
-      LoadCredential = [
+      LoadCredential=[
        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
      ];
-      DynamicUser = "yes";
+      DynamicUser="yes";
-      EnvironmentFile = config.sops.secrets."gitea/import-user-env".path;
+      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
      RuntimeDirectory = "gitea-import-users";
    };
  };
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  organizations = [
    "Drift"
@@ -41,8 +36,7 @@ in
    group = "gitea-web";
    restartUnits = [
      "gitea-web-secret-provider@"
-    ]
+    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
    ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
  };
  systemd.slices.system-giteaweb = {
@@ -54,16 +48,12 @@ in
  # %d - secrets directory
  systemd.services."gitea-web-secret-provider@" = {
    description = "Ensure all repos in %i has an SSH key to push web content";
-    requires = [
+    requires = [ "gitea.service" "network.target" ];
      "gitea.service"
      "network.target"
    ];
    serviceConfig = {
      Slice = "system-giteaweb.slice";
      Type = "oneshot";
-      ExecStart =
+      ExecStart = let
-        let
+        args = lib.cli.toCommandLineShellGNU { } {
          args = lib.cli.toGNUCommandLineShell { } {
          org = "%i";
          token-path = "%d/token";
          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
@@ -76,8 +66,7 @@ in
          '';
          web-dir = "/var/lib/gitea-web/web";
        };
-        in
+      in "${giteaWebSecretProviderScript} ${args}";
        "${giteaWebSecretProviderScript} ${args}";
      User = "gitea-web";
      Group = "gitea-web";
@@ -96,10 +85,7 @@ in
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
-      RestrictAddressFamilies = [
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        "AF_INET"
        "AF_INET6"
      ];
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      MemoryDenyWriteExecute = true;
@@ -119,9 +105,7 @@ in
  systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
-  services.openssh.authorizedKeysFiles = map (
+  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
    org: "/var/lib/gitea-web/authorized_keys.d/${org}"
  ) organizations;
  users.users.nginx.extraGroups = [ "gitea-web" ];
  services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
@@ -1,35 +1,29 @@
-{
+{ fp, values, lib, lupineName, ... }:
  fp,
  values,
  lupineName,
  ...
 }:
 {
  imports = [
    ./hardware-configuration/${lupineName}.nix
    (fp /base)
    ./services/gitea-runner.nix
  ];
  sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
  boot.binfmt.emulatedSystems = [
    "aarch64-linux"
    "armv7l-linux"
    "i686-linux"
  ];
  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp0s31f6";
-    address = with values.hosts.${lupineName}; [
+    address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
    networkConfig.LLDP = false;
  };
  systemd.network.wait-online = {
    anyInterface = true;
  };
  # There are no smart devices
  services.smartd.enable = false;
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "25.05";
--- a/Show More
+++ b/Show More