WIP: temmie/userweb: add log processor for apache

temmie/userweb: set -i and -t in sendmail wrapper
temmie/userweb: install mod_perl with custom env
2026-05-26 00:12:34 +09:00 · 2026-05-25 18:49:57 +09:00 · 2026-05-25 18:24:23 +09:00 · 2026-05-25 17:05:02 +09:00 · 2026-05-25 16:24:35 +09:00 · 2026-05-25 15:25:26 +09:00
162 changed files with 4041 additions and 7120 deletions
@@ -7,16 +7,13 @@ jobs:
  evals:
    runs-on: debian-latest
    steps:
    - name: Install sudo
      run: apt-get install --update --assume-yes sudo
    - uses: actions/checkout@v6
    - name: Install sudo
      run: apt-get update && apt-get -y install sudo
    - uses: https://github.com/cachix/install-nix-action@v31
    - name: Configure Nix
      run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
    - name: Build topology graph
      run: nix build .#topology -L
@@ -6,8 +6,11 @@ jobs:
  evals:
    runs-on: debian-latest
    steps:
    - name: Install sudo
      run: apt-get install --update --assume-yes sudo
    - uses: actions/checkout@v6
-    - run: apt-get update && apt-get -y install sudo
+
    - uses: https://github.com/cachix/install-nix-action@v31
-    - run: echo -e "show-trace = true\nmax-jobs = auto\ntrusted-users = root\nexperimental-features = nix-command flakes\nbuild-users-group =" > /etc/nix/nix.conf
+
    - run: nix flake check
@@ -10,19 +10,17 @@ keys:
  - &user_vegardbm age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
  # Hosts
  - &host_bakke age1syted6kt48sumjjucggh6r3uca4x2ppp4mfungf3lamkt2le05csc99633
  - &host_bekkalokk age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
  - &host_bicep age19nk55kcs7s0358jpkn75xnr57dfq6fq3p43nartvsprx0su22v7qcgcjdx
-  - &host_ildkule age1x28hmzvuv6f2n66c0jtqcca3h9rput8d7j5uek6jcpx8n9egd52sqpejq0
+  - &host_ildkule age102e6y8gah0ntr6fxqnkpepc8ar29p6ls7ks9ka7v8w87q8scm9yqmc2u8d
  - &host_kommode age1mt4d0hg5g76qp7j0884llemy0k2ymr5up8vfudz6vzvsflk5nptqqd32ly
-  - &host_lupine-1 age1fkrypl6fu4ldsa7te4g3v4qsegnk7sd6qhkquuwzh04vguy96qus08902e
+  - &host_lupine-1 age18lta9d683yekz487xwtd99da236d8mgk4ftlmv2jffx858p9qf2s9j868l
-  - &host_lupine-2 age1mu0ej57n4s30ghealhyju3enls83qyjua69986la35t2yh0q2s0seruz5n
+  - &host_lupine-2 age1e0a4ru707v637wzmuxqv0xywmlkhunzgyfy4mrkjc7a23qq8msgq7nqtvt
-  - &host_lupine-3 age1j2u876z8hu87q5npfxzzpfgllyw8ypj66d7cgelmzmnrf3xud34qzkntp9
+  - &host_lupine-3 age1wmrrhd5deatmgflkas636u3rzuk46u9knl02v4t39ncs37xqquhq9vwzye
-  - &host_lupine-4 age1t8zlawqkmhye737pn8yx0z3p9cl947d9ktv2cajdc6hnvn52d3fsc59s2k
+  - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
-  - &host_lupine-5 age199zkqq4jp4yc3d0hx2q0ksxdtp42xhmjsqwyngh8tswuck34ke3smrfyqu
+  - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
  - &host_skrott age1lpkju2e053aaddpgsr4ef83epclf4c9tp4m98d35ft2fswr8p4tq2ua0mf
  - &host_ustetind age1hffjafs4slznksefmtqrlj7rdaqgzqncn4un938rhr053237ry8s3rs0v8
  - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
  - &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
 creation_rules:
  # Global secrets
@@ -93,19 +91,6 @@ creation_rules:
      pgp:
      - *user_oysteikt
  - path_regex: secrets/ustetind/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_ustetind
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/lupine/[^/]+\.yaml$
    key_groups:
    - age:
@@ -123,31 +108,6 @@ creation_rules:
      pgp:
      - *user_oysteikt
  - path_regex: secrets/bakke/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_bakke
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrott/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_skrott
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/skrot/[^/]+\.yaml$
    key_groups:
    - age:
@@ -160,3 +120,16 @@ creation_rules:
      - *user_vegardbm
      pgp:
      - *user_oysteikt
  - path_regex: secrets/gluttony/[^/]+\.yaml$
    key_groups:
    - age:
      - *host_gluttony
      - *user_danio
      - *user_felixalb
      - *user_pederbs_sopp
      - *user_pederbs_nord
      - *user_pederbs_bjarte
      - *user_vegardbm
      pgp:
      - *user_oysteikt
@@ -39,11 +39,13 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 |  bikkje                    | Virtual  | Experimental login box                                    |
 | [brzeczyszczykiewicz][brz] | Physical | Shared music player                                       |
 | [georg][geo]               | Physical | Shared music player                                       |
 | [gluttony][glu]            | Virtual  | General purpose compute                                   |
 | [ildkule][ild]             | Virtual  | Logging and monitoring host, prometheus, grafana, ...     |
 | [kommode][kom]             | Virtual  | Gitea + Gitea pages                                       |
 | [lupine][lup]              | Physical | Gitea CI/CD runners                                       |
 |  shark                     | Virtual  | Test host for authentication, absolutely horrendous       |
-| [skrot/skrott][skr]        | Physical | Kiosk, snacks and soda                                    |
+| [skrot][skr]               | Physical | Kiosk, snacks and soda                                    |
 | [temmie][tem]              | Virtual  | User websites                                             |
 | [wenche][wen]              | Virtual  | Nix-builders, general purpose compute                     |
 ## Documentation
@@ -57,8 +59,10 @@ revert the changes on the next nightly rebuild (tends to happen when everybody i
 [bic]: https://wiki.pvv.ntnu.no/wiki/Maskiner/bicep
 [brz]: https://wiki.pvv.ntnu.no/wiki/Maskiner/brzęczyszczykiewicz
 [geo]: https://wiki.pvv.ntnu.no/wiki/Maskiner/georg
 [glu]: https://wiki.pvv.ntnu.no/wiki/Maskiner/gluttony
 [ild]: https://wiki.pvv.ntnu.no/wiki/Maskiner/ildkule
 [kom]: https://wiki.pvv.ntnu.no/wiki/Maskiner/kommode
 [lup]: https://wiki.pvv.ntnu.no/wiki/Maskiner/lupine
-[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrott
+[skr]: https://wiki.pvv.ntnu.no/wiki/Maskiner/Skrot
 [tem]: https://wiki.pvv.ntnu.no/wiki/Maskiner/temmie
 [wen]: https://wiki.pvv.ntnu.no/wiki/Maskiner/wenche
@@ -10,7 +10,10 @@
    (fp /users)
    (fp /modules/snakeoil-certs.nix)
    ./mitigations.nix
    ./flake-input-exporter.nix
    ./hardening.nix
    ./networking.nix
    ./nix.nix
    ./programs.nix
@@ -20,6 +23,7 @@
    ./services/acme.nix
    ./services/auto-upgrade.nix
    ./services/dbus.nix
    ./services/fluentbit.nix
    ./services/fwupd.nix
    ./services/irqbalance.nix
    ./services/journald-upload.nix
@@ -30,7 +34,6 @@
    ./services/postfix.nix
    ./services/prometheus-node-exporter.nix
    ./services/prometheus-systemd-exporter.nix
    ./services/promtail.nix
    ./services/roowho2.nix
    ./services/smartd.nix
    ./services/thermald.nix
@@ -68,18 +71,16 @@
    fi
  '';
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
  security.sudo.execWheelOnly = true;
  security.sudo.extraConfig = ''
    Defaults lecture = never
  '';
  # These are servers, sleep is for the weak
-  systemd.sleep.extraConfig = lib.mkDefault ''
+  systemd.sleep.settings.Sleep = {
-    AllowSuspend=no
+    AllowSuspend = lib.mkDefault false;
-    AllowHibernation=no
+    AllowHibernation = lib.mkDefault false;
-  '';
+  };
  # users.mutableUsers = lib.mkDefault false;
@@ -0,0 +1,71 @@
 { ... }:
 {
  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "appletalk"
    "atm"
    "ax25"
    "batman-adv"
    "can"
    "dccp"
    "ipx"
    "llc"
    "n-hdlc"
    "netrom"
    "p8022"
    "p8023"
    "psnap"
    "rds"
    "rose"
    "sctp"
    "tipc"
    # Filesystems we don't use
    "adfs"
    "affs"
    "befs"
    "bfs"
    "cifs"
    "cramfs"
    "efs"
    "exofs"
    "freevxfs"
    "gfs2"
    "hfs"
    "hfsplus"
    "hpfs"
    "jffs2"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "orangefs"
    "qnx4"
    "qnx6"
    "sysv"
    "ubifs"
    "udf"
    "ufs"
    # Legacy hardware
    "pcspkr"
    "floppy"
    "parport"
    "ppdev"
    # Other stuff we don't use
    "firewire-core"
    "firewire-ohci"
    "ksmbd"
    "ib_core"
    "l2tp_eth"
    "l2tp_netlink"
    "l2tp_ppp"
    "nfc"
    "soundwire"
  ];
  # security.lockKernelModules = true;
  security.protectKernelImage = true;
 }
@@ -0,0 +1,24 @@
 { pkgs, lib, ... }:
 let
  modulesToBan = [
    # copy.fail
    "af_alg"
    "algif_aead"
    "algif_hash"
    "algif_rng"
    "algif_skcipher"
    # dirtyfrag / Fragnesia
    "esp4"
    "esp6"
    "rxrpc"
    # PinTheft
    "rds"
  ];
 in
 {
  boot.blacklistedKernelModules = modulesToBan;
  boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
 }
@@ -8,6 +8,6 @@
  services.resolved = {
    enable = lib.mkDefault true;
-    dnssec = "false"; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
+    settings.Resolve.DNSSEC = false; # Supposdly this keeps breaking and the default is to allow downgrades anyways...
  };
 }
@@ -1,9 +1,4 @@
-{
+{ lib, config, inputs, ... }:
  lib,
  config,
  inputs,
  ...
 }:
 {
  nix = {
    gc = {
@@ -16,21 +11,16 @@
      allow-dirty = true;
      auto-allocate-uids = true;
      builders-use-substitutes = true;
-      experimental-features = [
+      experimental-features = [ "nix-command" "flakes" "auto-allocate-uids" ];
        "nix-command"
        "flakes"
        "auto-allocate-uids"
      ];
      log-lines = 50;
      use-xdg-base-directories = true;
    };
-    /*
+    /* This makes commandline tools like
-      This makes commandline tools like
+    ** nix run nixpkgs#hello
-      ** nix run nixpkgs#hello
+    ** and nix-shell -p hello
-      ** and nix-shell -p hello
+    ** use the same channel the system
-      ** use the same channel the system
+    ** was built with
      ** was built with
    */
    registry = lib.mkMerge [
      {
@@ -2,7 +2,7 @@
 {
  security.acme = {
    acceptTerms = true;
-    defaults.email = "acme-drift@pvv.ntnu.no";
+    defaults.email = "drift@pvv.ntnu.no";
  };
  # Let's not spam LetsEncrypt in `nixos-rebuild build-vm` mode:
@@ -1,10 +1,4 @@
-{
+{ config, inputs, pkgs, lib, ... }:
  config,
  inputs,
  pkgs,
  lib,
  ...
 }:
 let
  inputUrls = lib.mapAttrs (input: value: value.url) (import "${inputs.self}/flake.nix").inputs;
@@ -22,34 +16,26 @@ in
      # --update-input is deprecated since nix 2.22, and removed in lix 2.90
      # as such we instead use --override-input combined with --refresh
      # https://git.lix.systems/lix-project/lix/issues/400
-    ]
+    ] ++ (lib.pipe inputUrls [
    ++ (lib.pipe inputUrls [
      (lib.intersectAttrs {
        nixpkgs = { };
        nixpkgs-unstable = { };
      })
-      (lib.mapAttrsToList (
+      (lib.mapAttrsToList (input: url: ["--override-input" input url]))
        input: url: [
          "--override-input"
          input
          url
        ]
      ))
      lib.concatLists
    ]);
  };
  # workaround for https://github.com/NixOS/nix/issues/6895
  # via https://git.lix.systems/lix-project/lix/issues/400
-  environment.etc =
+  environment.etc = lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable) {
-    lib.mkIf (!config.virtualisation.isVmVariant && config.system.autoUpgrade.enable)
+    "current-system-flake-inputs.json".source
-      {
+      = pkgs.writers.writeJSON "flake-inputs.json" (
-        "current-system-flake-inputs.json".source = pkgs.writers.writeJSON "flake-inputs.json" (
+        lib.flip lib.mapAttrs inputs (name: input:
-          lib.flip lib.mapAttrs inputs (
+          # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
-            name: input:
+          lib.removeAttrs (input.sourceInfo or {}) [ "outPath" ]
-            # inputs.*.sourceInfo sans outPath, since writeJSON will otherwise serialize sourceInfo like a derivation
+            // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
-            lib.removeAttrs (input.sourceInfo or { }) [ "outPath" ] // { store-path = input.outPath; } # comment this line if you don't want to retain a store reference to the flake inputs
+        )
-          )
+      );
-        );
+  };
      };
 }
@@ -0,0 +1,135 @@
 { config, lib, ... }:
 let
  cfg = config.services.fluent-bit;
 in
 {
  services.fluent-bit = {
    enable = lib.mkDefault true;
    settings = {
      service = {
        flush = 1;
        log_level = "warn";
        http_server = "on";
        http_listen = "127.0.0.1";
        http_port = 28183;
        # filesystem-backed buffering so logs survives potential outages.
        "storage.path" = "/var/lib/fluent-bit/storage";
        "storage.sync" = "normal";
        "storage.max_chunks_up" = 64;
        "storage.backlog.mem_limit" = "16M";
      };
      pipeline = {
        inputs = [{
          name = "systemd";
          tag = "journal.*";
          db = "/var/lib/fluent-bit/journal.db";
          read_from_tail = true;
          strip_underscores = true;
          lowercase = true;
          max_entries = 1000;
          "storage.type" = "filesystem";
        }];
        filters = [{
          name = "modify";
          match = "journal.*";
          rename = [
            "hostname host"
            "priority level"
            "systemd_unit unit"
          ];
        }] ++ (lib.mapAttrsToList (k: v: {
          name = "modify";
          match = "journal.*";
          condition = "Key_value_equals level ${k}";
          set = "level ${v}";
        }) {
          "7" = "debug";
          "6" = "info";
          "5" = "notice";
          "4" = "warning";
          "3" = "error";
          "2" = "crit";
          "1" = "alert";
          "0" = "emergency";
        });
        outputs = [{
          name = "loki";
          match = "*";
          host = "ildkule.pvv.ntnu.no";
          port = 3100;
          uri = "/loki/api/v1/push";
          compress = "gzip";
          labels = lib.concatStringsSep ", " [
            "job=systemd-journal"
          ];
          label_keys = lib.concatMapStringsSep "," (k: "$" + k) [
            "host"
            "unit"
            "level"
          ];
          # JSON is probably fine for now, then we just extract the keys we want with the grafana web ui
          # line_format = "key_value";
          # drop_single_key = true;
          "storage.total_limit_size" = "256M";
        }];
      };
    };
  };
  systemd.services.fluent-bit = lib.mkIf cfg.enable {
    serviceConfig = {
      StateDirectory = "fluent-bit";
      # NOTE: This hardening might be way too strong for general purpose use, don't upstream this.
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      # Lua JIT, maybe other things
      MemoryDenyWriteExecute = false;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
        "~@resources"
      ];
      UMask = "0077";
      BindReadOnlyPaths = [
        "/run/systemd/journal"
      ];
    };
  };
 }
@@ -1,4 +1,4 @@
 { ... }:
 {
  services.irqbalance.enable = true;
-}
+}
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.journald.upload;
 in
@@ -11,8 +6,7 @@ in
  services.journald.upload = {
    enable = lib.mkDefault true;
    settings.Upload = {
-      # URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
+      URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
      URL = "https://${values.hosts.ildkule.ipv4}:${toString config.services.journald.remote.port}";
      ServerKeyFile = "-";
      ServerCertificateFile = "-";
      TrustedCertificateFile = "-";
@@ -1,10 +1,7 @@
 { ... }:
 {
  systemd.services.logrotate = {
-    documentation = [
+    documentation = [ "man:logrotate(8)" "man:logrotate.conf(5)" ];
      "man:logrotate(8)"
      "man:logrotate.conf(5)"
    ];
    unitConfig.RequiresMountsFor = "/var/log";
    serviceConfig.ReadWritePaths = [ "/var/log" ];
  };
@@ -11,10 +11,7 @@
    };
  };
-  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [
+  networking.firewall.allowedTCPPorts = lib.mkIf config.services.nginx.enable [ 80 443 ];
    80
    443
  ];
  services.nginx = {
    recommendedTlsSettings = true;
@@ -12,9 +12,10 @@
    settings.PermitRootLogin = "yes";
  };
-  users.users."root".openssh.authorizedKeys.keys = [
+    users.users."root".openssh.authorizedKeys.keys = [
-    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqVt4LCe0YIttr9swFxjkjn37ZDY9JxwVC+2gvfSINDJorOCtqPjDOTD2fTS1Gz08QCwpnLWq2kyvRchu6WgriAbSACpbZZBgxRaF/FVh3oiMVFGnNKGnv6/fdo/vZtu8mUVuqtmTrgLYpZdbR4oD3XiBlDKs7Cv5hPqt95lnP6MNFvE8mICCfd1PwhsABd2IQ5laz3u77/RXhNFJL0Kf2/+6gk9awcLuwHrPdvq7c3BxRHbc9UMRQENyjyQPa7aLe+uJBFLKP51I8VBuDpDacuibQx7nMt6N2UJ2KWI0JxRMHuJNq4S5jidR82aOw9gzGbTv30SKNLMqsZ0xj4LtdqCXDiZF6Lr09PsJYsvnBUFWa14HGcThKDtgwQwBryNViYmfv//0h9+RLZiU0ab+NEwSs7Zh5iAD+vhx64QqNX3tR7Le4SWXh8W0eShU9N78qYdSkiC3Ui7htxeqOocXM/P4AwbnHsLELIvkHdvgchCPvl8ygZa4WJTEWv16+ICskJcAKWGuqjvXAFuwjJJmPp9xLW9O0DFfQhMELiGamQR9wK07yYQVr34iah6qZO7cwhSKyEPFrVPIaNtfDhsjED639F7vmktf26SWNJHWfW0wOHILjI6TgqUvy0JDd8W8w0CHlAfz6Fs2l99NNgNF8dB3vBASbxS0hu/y0PVu/xQ== openstack-sleipner"
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICCbgJ0Uwh9VSVhfId7l9i5/jk4CvAK5rbkiab8R+moF root@sleipner"
-  ];
+    ];
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.postfix;
 in
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus.exporters.node;
 in
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus.exporters.systemd;
 in
@@ -1,47 +0,0 @@
 {
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus.exporters.node;
 in
 {
  services.promtail = {
    enable = lib.mkDefault true;
    configuration = {
      server = {
        http_listen_port = 28183;
        grpc_listen_port = 0;
      };
      clients = [
        {
          url = "http://ildkule.pvv.ntnu.no:3100/loki/api/v1/push";
        }
      ];
      scrape_configs = [
        {
          job_name = "systemd-journal";
          journal = {
            max_age = "12h";
            labels = {
              job = "systemd-journal";
              host = config.networking.hostName;
            };
          };
          relabel_configs = [
            {
              source_labels = [ "__journal__systemd_unit" ];
              target_label = "unit";
            }
            {
              source_labels = [ "__journal_priority_keyword" ];
              target_label = "level";
            }
          ];
        }
      ];
    };
  };
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 {
  services.smartd = {
    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
@@ -19,12 +14,9 @@
    };
  };
-  environment.systemPackages = lib.optionals config.services.smartd.enable (
+  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
-    with pkgs;
+    smartmontools
-    [
+  ]);
      smartmontools
    ]
  );
  systemd.services.smartd.unitConfig.ConditionVirtualization = "no";
 }
@@ -2,7 +2,7 @@
 {
  # Let's not thermal throttle
  services.thermald.enable = lib.mkIf (lib.all (x: x) [
-    (config.nixpkgs.system == "x86_64-linux")
+      (config.nixpkgs.system == "x86_64-linux")
-    (!config.boot.isContainer or false)
+      (!config.boot.isContainer or false)
-  ]) true;
+    ]) true;
-}
+}
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.uptimed;
 in
@@ -20,48 +15,45 @@ in
    services.uptimed = {
      enable = true;
-      settings =
+      settings = let
-        let
+        stateDir = "/var/lib/uptimed";
-          stateDir = "/var/lib/uptimed";
+      in {
-        in
+        PIDFILE = "${stateDir}/pid";
-        {
+        SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
-          PIDFILE = "${stateDir}/pid";
+      };
          SENDMAIL = lib.mkDefault "${pkgs.system-sendmail}/bin/sendmail -t";
        };
    };
    systemd.services.uptimed = lib.mkIf (cfg.enable) {
-      serviceConfig =
+      serviceConfig = let
-        let
+        uptimed = pkgs.uptimed.overrideAttrs (prev: {
-          uptimed = pkgs.uptimed.overrideAttrs (prev: {
+          postPatch = ''
-            postPatch = ''
+             substituteInPlace Makefile.am \
-              substituteInPlace Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
-                --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+             substituteInPlace src/Makefile.am \
-              substituteInPlace src/Makefile.am \
+               --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
-                --replace-fail '$(sysconfdir)/uptimed.conf' '/var/lib/uptimed/uptimed.conf'
+          '';
-            '';
+        });
          });
-        in
+      in {
-        {
+        Type = "notify";
          Type = "notify";
-          ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
+        ExecStart = lib.mkForce "${uptimed}/sbin/uptimed -f";
-          BindReadOnlyPaths =
+        BindReadOnlyPaths = let
-            let
+          configFile = lib.pipe cfg.settings [
-              configFile = lib.pipe cfg.settings [
+            (lib.mapAttrsToList
-                (lib.mapAttrsToList (
+              (k: v:
-                  k: v: if builtins.isList v then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v else "${k}=${v}"
+                if builtins.isList v
-                ))
+                  then lib.mapConcatStringsSep "\n" (v': "${k}=${v'}") v
-                (lib.concatStringsSep "\n")
+                  else "${k}=${v}")
-                (pkgs.writeText "uptimed.conf")
+            )
-              ];
+            (lib.concatStringsSep "\n")
-            in
+            (pkgs.writeText "uptimed.conf")
-            [
+          ];
-              "${configFile}:/var/lib/uptimed/uptimed.conf"
+        in [
-            ];
+          "${configFile}:/var/lib/uptimed/uptimed.conf"
-        };
+        ];
      };
    };
  };
 }
@@ -1,15 +1,8 @@
 { config, fp, lib, ... }:
 {
-  config,
+  sops.defaultSopsFile = let
-  fp,
+    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
-  lib,
+  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
  ...
 }:
 {
  sops.defaultSopsFile =
    let
      secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
    in
    lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
@@ -1,5 +1,42 @@
 {
  "nodes": {
    "bro": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "rust-overlay": "rust-overlay"
      },
      "locked": {
        "lastModified": 1779629827,
        "narHash": "sha256-nrlB50/oelB8oFx9DhOoXI5z0VoTZGEA6XxYvkvpqDA=",
        "ref": "main",
        "rev": "7d0f35e12e4dec39f981c08fc33515589f41f4a5",
        "revCount": 3,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
      },
      "original": {
        "ref": "main",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/bro.git"
      }
    },
    "crane": {
      "locked": {
        "lastModified": 1776635034,
        "narHash": "sha256-OEOJrT3ZfwbChzODfIH4GzlNTtOFuZFWPtW7jIeR8xU=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "dc7496d8ea6e526b1254b55d09b966e94673750f",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "repo": "crane",
        "type": "github"
      }
    },
    "dibbler": {
      "inputs": {
        "nixpkgs": [
@@ -28,16 +65,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1736864502,
+        "lastModified": 1768920986,
-        "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",
+        "narHash": "sha256-CNzzBsRhq7gg4BMBuTDObiWDH/rFYHEuDRVOwCcwXw4=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "0141aabed359f063de7413f80d906e1d98c0c123",
+        "rev": "de5708739256238fb912c62f03988815db89ec9a",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
-        "ref": "v1.11.0",
+        "ref": "v1.13.0",
        "repo": "disko",
        "type": "github"
      }
@@ -47,11 +84,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1765835352,
+        "lastModified": 1772408722,
-        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
+        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
+        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
        "type": "github"
      },
      "original": {
@@ -63,15 +100,15 @@
    "gergle": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unstable"
        ]
      },
      "locked": {
-        "lastModified": 1767906545,
+        "lastModified": 1777067150,
-        "narHash": "sha256-LOf08pcjEQFLs3dLPuep5d1bAXWOFcdfxuk3YMb5KWw=",
+        "narHash": "sha256-vqPz8jCS1zTQlvmgctUFpvnr6f9ISR5h7CPG/HgQvf0=",
        "ref": "main",
-        "rev": "e55cbe0ce0b20fc5952ed491fa8a553c8afb1bdd",
+        "rev": "b452a854fb78d6df9fe062b45e23a968657d115d",
-        "revCount": 23,
+        "revCount": 35,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/gergle.git"
      },
@@ -84,15 +121,15 @@
    "greg-ng": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixpkgs-unstable"
        ],
-        "rust-overlay": "rust-overlay"
+        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1767906494,
+        "lastModified": 1777019032,
-        "narHash": "sha256-Dd6gtdZfRMAD6JhdX0GdJwIHVaBikePSpQXhIdwLlWI=",
+        "narHash": "sha256-29lw7THThWb5DW01rVRj1b816Apwz/P4m2wVWaSIadU=",
        "ref": "main",
-        "rev": "7258822e2e90fea2ea00b13b5542f63699e33a9e",
+        "rev": "55262afca46c96f75a834d4e00e30d5fb20affb6",
        "revCount": 61,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Grzegorz/greg-ng.git"
@@ -150,7 +187,7 @@
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_2"
+        "rust-overlay": "rust-overlay_3"
      },
      "locked": {
        "lastModified": 1767906976,
@@ -217,11 +254,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769018862,
+        "lastModified": 1778407980,
-        "narHash": "sha256-x3eMpPQhZwEDunyaUos084Hx41XwYTi2uHY4Yc4YNlk=",
+        "narHash": "sha256-r980BhsReZQe6FkmyNZkwCZpvzARo5jZgTl8HxjAssY=",
        "owner": "oddlama",
        "repo": "nix-topology",
-        "rev": "a15cac71d3399a4c2d1a3482ae62040a3a0aa07f",
+        "rev": "ca0a602f650306d00d6f3e3c76d0f4c48a5c5adc",
        "type": "github"
      },
      "original": {
@@ -233,24 +270,24 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1769724120,
+        "lastModified": 1779622335,
-        "narHash": "sha256-oQBM04hQk1kotfv4qmIG1tHmuwODd1+hqRJE5TELeCE=",
+        "narHash": "sha256-06G98ieM6l+OI7EMhlvchgDBDn+DvIWCNj40LDhKpmc=",
-        "rev": "8ec59ed5093c2a742d7744e9ecf58f358aa4a87d",
+        "rev": "705e9929918b43bd7b715dc0a878ac870449bb03",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11-small/nixos-25.11.4961.8ec59ed5093c/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/26.05-small/nixos-26.05beta1.705e9929918b/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz"
+        "url": "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1765674936,
+        "lastModified": 1772328832,
-        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
+        "narHash": "sha256-e+/T/pmEkLP6BHhYjx6GmwP5ivonQQn0bJdH9YrRB+Q=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
+        "rev": "c185c7a5e5dd8f9add5b2f8ebeff00888b070742",
        "type": "github"
      },
      "original": {
@@ -261,11 +298,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1769813739,
+        "lastModified": 1778586796,
-        "narHash": "sha256-RmNWW1DQczvDwBHu11P0hGwJZxbngdoymVu7qkwq/2M=",
+        "narHash": "sha256-XmDljcG4x8slQDlsWOc77pCA1YVuYn8JGumkYlhfTxI=",
-        "rev": "16a3cae5c2487b1afa240e5f2c1811f172419558",
+        "rev": "b25e938b89759b5f9466fc53c4a970244f84dc39",
        "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre937548.16a3cae5c248/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/unstable-small/nixos-26.05pre996582.b25e938b8975/nixexprs.tar.xz"
      },
      "original": {
        "type": "tarball",
@@ -300,11 +337,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769009806,
+        "lastModified": 1778960428,
-        "narHash": "sha256-52xTtAOc9B+MBRMRZ8HI6ybNsRLMlHHLh+qwAbaJjRY=",
+        "narHash": "sha256-YAs3LbFGlBLJW3xHeoQfTq2GBBXTvuSKl2WXDtloczU=",
        "ref": "main",
-        "rev": "aa8adfc6a4d5b6222752e2d15d4a6d3b3b85252e",
+        "rev": "927748790b1f7159adfe32a3ad9ec01d22e9c5a2",
-        "revCount": 575,
+        "revCount": 583,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/nettsiden.git"
      },
@@ -337,6 +374,7 @@
    },
    "root": {
      "inputs": {
        "bro": "bro",
        "dibbler": "dibbler",
        "disko": "disko",
        "gergle": "gergle",
@@ -358,22 +396,24 @@
    },
    "roowho2": {
      "inputs": {
        "crane": "crane",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "rust-overlay": "rust-overlay_3"
+        "rust-overlay": "rust-overlay_4"
      },
      "locked": {
-        "lastModified": 1769834595,
+        "lastModified": 1778600367,
-        "narHash": "sha256-P1jrO7BxHyIKDuOXHuUb7bi4H2TuYnACW5eqf1gG47g=",
+        "narHash": "sha256-YB0b2xUf4D8792D5Ay//7C3AjHyv+9yoy8K1mTe+wvE=",
        "ref": "main",
-        "rev": "def4eec2d59a69b4638b3f25d6d713b703b2fa56",
+        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
-        "revCount": 49,
+        "revCount": 91,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      },
      "original": {
        "ref": "main",
        "rev": "8e5f2849ff7c9616100fe928261512a7ad647939",
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/roowho2.git"
      }
@@ -381,16 +421,16 @@
    "rust-overlay": {
      "inputs": {
        "nixpkgs": [
-          "greg-ng",
+          "bro",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1767840362,
+        "lastModified": 1779419951,
-        "narHash": "sha256-ZtsFqUhilubohNZ1TgpQIFsi4biZTwRH9rjZsDRDik8=",
+        "narHash": "sha256-dMX0PUslUHPajP6o8FEoRdFv9afq/dec4POR0vVfjK4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "d159ea1fc321c60f88a616ac28bab660092a227d",
+        "rev": "5b5c521d6cae9ef4aa32f888eb2c0ce595c9be52",
        "type": "github"
      },
      "original": {
@@ -400,6 +440,27 @@
      }
    },
    "rust-overlay_2": {
      "inputs": {
        "nixpkgs": [
          "greg-ng",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1777000482,
        "narHash": "sha256-CZ5FKUSA8FCJf0h9GWdPJXoVVDL9H5yC74GkVc5ubIM=",
        "owner": "oxalica",
        "repo": "rust-overlay",
        "rev": "403c09094a877e6c4816462d00b1a56ff8198e06",
        "type": "github"
      },
      "original": {
        "owner": "oxalica",
        "repo": "rust-overlay",
        "type": "github"
      }
    },
    "rust-overlay_3": {
      "inputs": {
        "nixpkgs": [
          "minecraft-heatmap",
@@ -420,7 +481,7 @@
        "type": "github"
      }
    },
-    "rust-overlay_3": {
+    "rust-overlay_4": {
      "inputs": {
        "nixpkgs": [
          "roowho2",
@@ -428,11 +489,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769309768,
+        "lastModified": 1776914043,
-        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
+        "narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
+        "rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3",
        "type": "github"
      },
      "original": {
@@ -448,11 +509,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769469829,
+        "lastModified": 1777944972,
-        "narHash": "sha256-wFcr32ZqspCxk4+FvIxIL0AZktRs6DuF8oOsLt59YBU=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c5eebd4eb2e3372fe12a8d70a248a6ee9dd02eff",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
        "type": "github"
      },
      "original": {
@@ -2,13 +2,13 @@
  description = "PVV System flake";
  inputs = {
-    nixpkgs.url = "https://nixos.org/channels/nixos-25.11-small/nixexprs.tar.xz";
+    nixpkgs.url = "https://nixos.org/channels/nixos-26.05-small/nixexprs.tar.xz";
    nixpkgs-unstable.url = "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz";
    sops-nix.url = "github:Mic92/sops-nix/master";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    disko.url = "github:nix-community/disko/v1.11.0";
+    disko.url = "github:nix-community/disko/v1.13.0";
    disko.inputs.nixpkgs.follows = "nixpkgs";
    nix-topology.url = "github:oddlama/nix-topology/main";
@@ -32,13 +32,13 @@
    minecraft-heatmap.url = "git+https://git.pvv.ntnu.no/Projects/minecraft-heatmap.git?ref=main";
    minecraft-heatmap.inputs.nixpkgs.follows = "nixpkgs";
-    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main";
+    roowho2.url = "git+https://git.pvv.ntnu.no/Projects/roowho2.git?ref=main&rev=8e5f2849ff7c9616100fe928261512a7ad647939";
    roowho2.inputs.nixpkgs.follows = "nixpkgs";
    greg-ng.url = "git+https://git.pvv.ntnu.no/Grzegorz/greg-ng.git?ref=main";
-    greg-ng.inputs.nixpkgs.follows = "nixpkgs";
+    greg-ng.inputs.nixpkgs.follows = "nixpkgs-unstable";
    gergle.url = "git+https://git.pvv.ntnu.no/Grzegorz/gergle.git?ref=main";
-    gergle.inputs.nixpkgs.follows = "nixpkgs";
+    gergle.inputs.nixpkgs.follows = "nixpkgs-unstable";
    grzegorz-clients.url = "git+https://git.pvv.ntnu.no/Grzegorz/grzegorz-clients.git?ref=master";
    grzegorz-clients.inputs.nixpkgs.follows = "nixpkgs";
@@ -47,405 +47,347 @@
    qotd.url = "git+https://git.pvv.ntnu.no/Projects/qotd.git?ref=main";
    qotd.inputs.nixpkgs.follows = "nixpkgs";
    bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
    bro.inputs.nixpkgs.follows = "nixpkgs";
  };
-  outputs =
+  outputs = {
-    {
+    self,
-      self,
+    nixpkgs,
-      nixpkgs,
+    nixpkgs-unstable,
-      nixpkgs-unstable,
+    sops-nix,
-      sops-nix,
+    disko,
-      disko,
+    ...
-      ...
+  } @ inputs: let
-    }@inputs:
+    inherit (nixpkgs) lib;
-    let
+    systems = [
-      inherit (nixpkgs) lib;
+      "x86_64-linux"
-      systems = [
+      "aarch64-linux"
-        "x86_64-linux"
+      "aarch64-darwin"
-        "aarch64-linux"
+    ];
-        "aarch64-darwin"
+    forAllSystems = f: lib.genAttrs systems f;
-      ];
+    allMachines = builtins.attrNames self.nixosConfigurations;
-      forAllSystems = f: lib.genAttrs systems f;
+    importantMachines = [
-      allMachines = builtins.attrNames self.nixosConfigurations;
+      "bekkalokk"
-      importantMachines = [
+      "bicep"
-        "bekkalokk"
+      "georg"
-        "bicep"
+      "ildkule"
-        "brzeczyszczykiewicz"
+      "kommode"
-        "georg"
+      "lupine-1"
-        "ildkule"
+      "skrot"
-      ];
+    ];
-    in
+  in {
-    {
+    inputs = lib.mapAttrs (_: src: src.outPath) inputs;
      inputs = lib.mapAttrs (_: src: src.outPath) inputs;
-      pkgs = forAllSystems (
+    pkgs = forAllSystems (system:
-        system:
+      import nixpkgs {
-        import nixpkgs {
+        inherit system;
-          inherit system;
+        config.allowUnfreePredicate = pkg:
-          config.allowUnfreePredicate =
+          builtins.elem (lib.getName pkg)
-            pkg:
+          [
-            builtins.elem (lib.getName pkg) [
+            "nvidia-x11"
-              "nvidia-x11"
+            "nvidia-settings"
-              "nvidia-settings"
+            "nvidia-kernel-modules"
-            ];
+          ];
        }
      );
      nixosConfigurations =
        let
          nixosConfig =
            nixpkgs: name: configurationPath:
            extraArgs@{
              localSystem ? "x86_64-linux", # buildPlatform
              crossSystem ? "x86_64-linux", # hostPlatform
              specialArgs ? { },
              modules ? [ ],
              overlays ? [ ],
              enableDefaults ? true,
              ...
            }:
            let
              commonPkgsConfig = {
                inherit localSystem crossSystem;
                config.allowUnfreePredicate =
                  pkg:
                  builtins.elem (lib.getName pkg) [
                    "nvidia-x11"
                    "nvidia-settings"
                  ];
                overlays =
                  (lib.optionals enableDefaults [
                    # Global overlays go here
                    inputs.roowho2.overlays.default
                  ])
                  ++ overlays;
              };
              pkgs = import nixpkgs commonPkgsConfig;
              unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
            in
            lib.nixosSystem (
              lib.recursiveUpdate
                {
                  system = crossSystem;
                  inherit pkgs;
                  specialArgs = {
                    inherit inputs unstablePkgs;
                    values = import ./values.nix;
                    fp = path: ./${path};
                  }
                  // specialArgs;
                  modules = [
                    {
                      networking.hostName = lib.mkDefault name;
                    }
                    configurationPath
                  ]
                  ++ (lib.optionals enableDefaults [
                    sops-nix.nixosModules.sops
                    inputs.roowho2.nixosModules.default
                    self.nixosModules.rsync-pull-targets
                  ])
                  ++ modules;
                }
                (
                  builtins.removeAttrs extraArgs [
                    "localSystem"
                    "crossSystem"
                    "modules"
                    "overlays"
                    "specialArgs"
                    "enableDefaults"
                  ]
                )
            );
          stableNixosConfig =
            name: extraArgs: nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
        in
        {
          bakke = stableNixosConfig "bakke" {
            modules = [
              inputs.disko.nixosModules.disko
            ];
          };
          bicep = stableNixosConfig "bicep" {
            modules = [
              inputs.matrix-next.nixosModules.default
              inputs.pvv-calendar-bot.nixosModules.default
              inputs.minecraft-heatmap.nixosModules.default
              self.nixosModules.gickup
              self.nixosModules.matrix-ooye
            ];
            overlays = [
              inputs.pvv-calendar-bot.overlays.default
              inputs.minecraft-heatmap.overlays.default
              (final: prev: {
                inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
              })
            ];
          };
          bekkalokk = stableNixosConfig "bekkalokk" {
            overlays = [
              (final: prev: {
                mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
                simplesamlphp = final.callPackage ./packages/simplesamlphp { };
                bluemap = final.callPackage ./packages/bluemap.nix { };
              })
              inputs.pvv-nettsiden.overlays.default
              inputs.qotd.overlays.default
            ];
            modules = [
              inputs.pvv-nettsiden.nixosModules.default
              self.nixosModules.bluemap
              inputs.qotd.nixosModules.default
            ];
          };
          ildkule = stableNixosConfig "ildkule" { };
          #ildkule-unstable = unstableNixosConfig "ildkule" { };
          skrot = stableNixosConfig "skrot" {
            modules = [
              inputs.disko.nixosModules.disko
              inputs.dibbler.nixosModules.default
            ];
            overlays = [ inputs.dibbler.overlays.default ];
          };
          shark = stableNixosConfig "shark" { };
          wenche = stableNixosConfig "wenche" { };
          temmie = stableNixosConfig "temmie" { };
          gluttony = stableNixosConfig "gluttony" { };
          kommode = stableNixosConfig "kommode" {
            overlays = [
              inputs.nix-gitea-themes.overlays.default
            ];
            modules = [
              inputs.nix-gitea-themes.nixosModules.default
              inputs.disko.nixosModules.disko
            ];
          };
          ustetind = stableNixosConfig "ustetind" {
            modules = [
              "${nixpkgs}/nixos/modules/virtualisation/lxc-container.nix"
            ];
          };
          brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
            modules = [
              inputs.grzegorz-clients.nixosModules.grzegorz-webui
              inputs.gergle.nixosModules.default
              inputs.greg-ng.nixosModules.default
            ];
            overlays = [
              inputs.greg-ng.overlays.default
              inputs.gergle.overlays.default
            ];
          };
          georg = stableNixosConfig "georg" {
            modules = [
              inputs.grzegorz-clients.nixosModules.grzegorz-webui
              inputs.gergle.nixosModules.default
              inputs.greg-ng.nixosModules.default
            ];
            overlays = [
              inputs.greg-ng.overlays.default
              inputs.gergle.overlays.default
            ];
          };
        }
        // (
          let
            skrottConfig = {
              modules = [
                (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
                inputs.dibbler.nixosModules.default
              ];
              overlays = [
                inputs.dibbler.overlays.default
                (final: prev: {
                  # NOTE: Yeetus (these break crosscompile ¯\_(ツ)_/¯)
                  atool = prev.emptyDirectory;
                  micro = prev.emptyDirectory;
                  ncdu = prev.emptyDirectory;
                })
              ];
            };
          in
          {
            skrott = self.nixosConfigurations.skrott-native;
            skrott-native = stableNixosConfig "skrott" (
              skrottConfig
              // {
                localSystem = "aarch64-linux";
                crossSystem = "aarch64-linux";
              }
            );
            skrott-cross = stableNixosConfig "skrott" (
              skrottConfig
              // {
                localSystem = "x86_64-linux";
                crossSystem = "aarch64-linux";
              }
            );
            skrott-x86_64 = stableNixosConfig "skrott" (
              skrottConfig
              // {
                localSystem = "x86_64-linux";
                crossSystem = "x86_64-linux";
              }
            );
          }
        )
        // (
          let
            machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
            stableLupineNixosConfig =
              name: extraArgs: nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
          in
          lib.genAttrs machineNames (
            name:
            stableLupineNixosConfig name {
              modules = [ { networking.hostName = name; } ];
              specialArgs.lupineName = name;
            }
          )
        );
      nixosModules = {
        bluemap = ./modules/bluemap.nix;
        gickup = ./modules/gickup;
        matrix-ooye = ./modules/matrix-ooye.nix;
        robots-txt = ./modules/robots-txt.nix;
        rsync-pull-targets = ./modules/rsync-pull-targets.nix;
        snakeoil-certs = ./modules/snakeoil-certs.nix;
        snappymail = ./modules/snappymail.nix;
      };
      devShells = forAllSystems (system: {
        default =
          let
            pkgs = import nixpkgs-unstable {
              inherit system;
              overlays = [
                (final: prev: {
                  inherit (inputs.disko.packages.${system}) disko;
                })
              ];
            };
          in
          pkgs.callPackage ./shell.nix { };
        cuda =
          let
            cuda-pkgs = import nixpkgs-unstable {
              inherit system;
              config = {
                allowUnfree = true;
                cudaSupport = true;
              };
            };
          in
          cuda-pkgs.callPackage ./shells/cuda.nix { };
      });
-      packages = {
+    nixosConfigurations = let
-        "x86_64-linux" =
+      nixosConfig = nixpkgs: name: configurationPath: extraArgs @ {
-          let
+        localSystem ? "x86_64-linux", # buildPlatform
-            system = "x86_64-linux";
+        crossSystem ? "x86_64-linux", # hostPlatform
-            pkgs = nixpkgs.legacyPackages.${system};
+        specialArgs ? {},
-          in
+        modules ? [],
-          rec {
+        overlays ? [],
-            default = important-machines;
+        enableDefaults ? true,
-            important-machines = pkgs.linkFarm "important-machines" (
+        ...
-              lib.getAttrs importantMachines self.packages.${system}
+      }: let
-            );
+        commonPkgsConfig =
-            all-machines = pkgs.linkFarm "all-machines" (lib.getAttrs allMachines self.packages.${system});
+          {
-
+            config.allowUnfreePredicate = pkg:
-            simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
+              builtins.elem (lib.getName pkg)
-
+              [
-            bluemap = pkgs.callPackage ./packages/bluemap.nix { };
+                "nvidia-x11"
-
+                "nvidia-settings"
-            out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix { };
+                "nvidia-kernel-modules"
-          }
+              ];
-          //
+            overlays =
-            # Mediawiki extensions
+              (lib.optionals enableDefaults [
-            (lib.pipe null [
+                # Global overlays go here
-              (_: pkgs.callPackage ./packages/mediawiki-extensions { })
+                inputs.roowho2.overlays.default
              (lib.flip builtins.removeAttrs [
                "override"
                "overrideDerivation"
              ])
-              (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
+              ++ overlays;
-            ])
+          }
-          //
+          // (
-            # Machines
+            if localSystem != crossSystem
-            lib.genAttrs allMachines (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
+            then {
-          //
+              inherit localSystem crossSystem;
            # Skrott is exception
            {
              skrott = self.packages.${system}.skrott-native-sd;
              skrott-native = self.nixosConfigurations.skrott-native.config.system.build.toplevel;
              skrott-native-sd = self.nixosConfigurations.skrott-native.config.system.build.sdImage;
              skrott-cross = self.nixosConfigurations.skrott-cross.config.system.build.toplevel;
              skrott-cross-sd = self.nixosConfigurations.skrott-cross.config.system.build.sdImage;
              skrott-x86_64 = self.nixosConfigurations.skrott-x86_64.config.system.build.toplevel;
            }
-          //
+            else {
-            # Nix-topology
+              system = crossSystem;
-            (
+            }
-              let
+          );
-                topology' = import inputs.nix-topology {
+        pkgs = import nixpkgs commonPkgsConfig;
-                  pkgs = import nixpkgs {
+        unstablePkgs = import nixpkgs-unstable commonPkgsConfig;
-                    inherit system;
+      in
-                    overlays = [
+        lib.nixosSystem (
-                      inputs.nix-topology.overlays.default
+          lib.recursiveUpdate
-                      (final: prev: {
+          {
-                        inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
+            system = crossSystem;
                      })
                    ];
                  };
-                  specialArgs = {
+            inherit pkgs;
                    values = import ./values.nix;
                  };
-                  modules = [
+            specialArgs =
                    ./topology
                    {
                      nixosConfigurations = lib.mapAttrs (
                        _name: nixosCfg:
                        nixosCfg.extendModules {
                          modules = [
                            inputs.nix-topology.nixosModules.default
                            ./topology/service-extractors/greg-ng.nix
                            ./topology/service-extractors/postgresql.nix
                            ./topology/service-extractors/mysql.nix
                            ./topology/service-extractors/gitea-runners.nix
                          ];
                        }
                      ) self.nixosConfigurations;
                    }
                  ];
                };
              in
              {
-                topology = topology'.config.output;
+                inherit inputs unstablePkgs;
-                topology-png =
+                values = import ./values.nix;
-                  pkgs.runCommand "pvv-config-topology-png"
+                fp = path: ./${path};
                    {
                      nativeBuildInputs = [ pkgs.writableTmpDirAsHomeHook ];
                    }
                    ''
                      mkdir -p "$out"
                      for file in '${topology'.config.output}'/*.svg; do
                        ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
                      done
                    '';
              }
-            );
+              // specialArgs;
-      };
+
            modules =
              [
                {
                  networking.hostName = lib.mkDefault name;
                }
                configurationPath
              ]
              ++ (lib.optionals enableDefaults [
                sops-nix.nixosModules.sops
                inputs.roowho2.nixosModules.default
                self.nixosModules.rsync-pull-targets
              ])
              ++ modules;
          }
          (builtins.removeAttrs extraArgs [
            "localSystem"
            "crossSystem"
            "modules"
            "overlays"
            "specialArgs"
            "enableDefaults"
          ])
        );
      stableNixosConfig = name: extraArgs:
        nixosConfig nixpkgs name ./hosts/${name}/configuration.nix extraArgs;
    in
      {
        bicep = stableNixosConfig "bicep" {
          modules = [
            inputs.matrix-next.nixosModules.default
            inputs.pvv-calendar-bot.nixosModules.default
            inputs.minecraft-heatmap.nixosModules.default
            self.nixosModules.gickup
            self.nixosModules.matrix-ooye
          ];
          overlays = [
            inputs.pvv-calendar-bot.overlays.default
            inputs.minecraft-heatmap.overlays.default
            (final: prev: {
              inherit (self.packages.${prev.stdenv.hostPlatform.system}) out-of-your-element;
            })
          ];
        };
        bekkalokk = stableNixosConfig "bekkalokk" {
          overlays = [
            (final: prev: {
              mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions {};
              simplesamlphp = final.callPackage ./packages/simplesamlphp {};
            })
            inputs.pvv-nettsiden.overlays.default
            inputs.qotd.overlays.default
          ];
          modules = [
            inputs.pvv-nettsiden.nixosModules.default
            inputs.qotd.nixosModules.default
          ];
        };
        ildkule = stableNixosConfig "ildkule" {
          modules = [
            inputs.disko.nixosModules.disko
          ];
        };
        skrot = stableNixosConfig "skrot" {
          modules = [
            inputs.disko.nixosModules.disko
            inputs.dibbler.nixosModules.default
          ];
          overlays = [inputs.dibbler.overlays.default];
        };
        shark = stableNixosConfig "shark" {};
        wenche = stableNixosConfig "wenche" {};
        temmie = stableNixosConfig "temmie" {
          overlays = [
            inputs.bro.overlays.default
          ];
          modules = [
            inputs.bro.nixosModules.default
          ];
        };
        gluttony = stableNixosConfig "gluttony" {
          overlays = [
            (final: prev: { bluemap = final.callPackage ./packages/bluemap.nix {}; })
          ];
          modules = [ self.nixosModules.bluemap ];
        };
        kommode = stableNixosConfig "kommode" {
          overlays = [
            inputs.nix-gitea-themes.overlays.default
          ];
          modules = [
            inputs.nix-gitea-themes.nixosModules.default
            inputs.disko.nixosModules.disko
          ];
        };
        brzeczyszczykiewicz = stableNixosConfig "brzeczyszczykiewicz" {
          modules = [
            inputs.grzegorz-clients.nixosModules.grzegorz-webui
            inputs.gergle.nixosModules.default
            inputs.greg-ng.nixosModules.default
          ];
          overlays = [
            inputs.greg-ng.overlays.default
            inputs.gergle.overlays.default
          ];
        };
        georg = stableNixosConfig "georg" {
          modules = [
            inputs.grzegorz-clients.nixosModules.grzegorz-webui
            inputs.gergle.nixosModules.default
            inputs.greg-ng.nixosModules.default
          ];
          overlays = [
            inputs.greg-ng.overlays.default
            inputs.gergle.overlays.default
          ];
        };
      }
      // (let
        machineNames = map (i: "lupine-${toString i}") (lib.range 1 5);
        stableLupineNixosConfig = name: extraArgs:
          nixosConfig nixpkgs name ./hosts/lupine/configuration.nix extraArgs;
      in
        lib.genAttrs machineNames (name:
          stableLupineNixosConfig name {
            modules = [{networking.hostName = name;}];
            specialArgs.lupineName = name;
          }));
    nixosModules = {
      bluemap = ./modules/bluemap.nix;
      gickup = ./modules/gickup;
      matrix-ooye = ./modules/matrix-ooye.nix;
      robots-txt = ./modules/robots-txt.nix;
      rsync-pull-targets = ./modules/rsync-pull-targets.nix;
      snakeoil-certs = ./modules/snakeoil-certs.nix;
      snappymail = ./modules/snappymail.nix;
    };
    devShells = forAllSystems (system: {
      default = let
        pkgs = import nixpkgs-unstable {
          inherit system;
          overlays = [
            (final: prev: {
              inherit (inputs.disko.packages.${system}) disko;
            })
          ];
        };
      in
        pkgs.callPackage ./shell.nix {};
      cuda = let
        cuda-pkgs = import nixpkgs-unstable {
          inherit system;
          config = {
            allowUnfree = true;
            cudaSupport = true;
          };
        };
      in
        cuda-pkgs.callPackage ./shells/cuda.nix {};
    });
    packages = {
      "x86_64-linux" = let
        system = "x86_64-linux";
        pkgs = nixpkgs.legacyPackages.${system};
      in
        rec {
          default = important-machines;
          important-machines =
            pkgs.linkFarm "important-machines"
            (lib.getAttrs importantMachines self.packages.${system});
          all-machines =
            pkgs.linkFarm "all-machines"
            (lib.getAttrs allMachines self.packages.${system});
          simplesamlphp = pkgs.callPackage ./packages/simplesamlphp {};
          bluemap = pkgs.callPackage ./packages/bluemap.nix {};
          out-of-your-element = pkgs.callPackage ./packages/ooye/package.nix {};
        }
        //
        # Mediawiki extensions
        (lib.pipe null [
          (_: pkgs.callPackage ./packages/mediawiki-extensions {})
          (lib.flip builtins.removeAttrs ["override" "overrideDerivation"])
          (lib.mapAttrs' (name: lib.nameValuePair "mediawiki-${name}"))
        ])
        //
        # Machines
        lib.genAttrs allMachines
        (machine: self.nixosConfigurations.${machine}.config.system.build.toplevel)
        //
        # Nix-topology
        (let
          topology' = import inputs.nix-topology {
            pkgs = import nixpkgs {
              inherit system;
              overlays = [
                inputs.nix-topology.overlays.default
                (final: prev: {
                  inherit (nixpkgs-unstable.legacyPackages.${system}) super-tiny-icons;
                })
              ];
            };
            specialArgs = {
              values = import ./values.nix;
            };
            modules = [
              ./topology
              {
                nixosConfigurations = lib.mapAttrs (_name: nixosCfg:
                  nixosCfg.extendModules {
                    modules = [
                      inputs.nix-topology.nixosModules.default
                      ./topology/service-extractors/greg-ng.nix
                      ./topology/service-extractors/postgresql.nix
                      ./topology/service-extractors/mysql.nix
                      ./topology/service-extractors/gitea-runners.nix
                    ];
                  })
                self.nixosConfigurations;
              }
            ];
          };
        in {
          topology = topology'.config.output;
          topology-png =
            pkgs.runCommand "pvv-config-topology-png" {
              nativeBuildInputs = [pkgs.writableTmpDirAsHomeHook];
            } ''
              mkdir -p "$out"
              for file in '${topology'.config.output}'/*.svg; do
                ${lib.getExe pkgs.imagemagick} -density 300 -background none "$file" "$out"/"$(basename "''${file%.svg}.png")"
              done
            '';
        });
    };
  };
 }
@@ -1,26 +0,0 @@
 {
  config,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
    ../../base
    ./filesystems.nix
  ];
  networking.hostId = "99609ffc";
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
    address = with values.hosts.bakke; [
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  # Don't change (even during upgrades) unless you know what you are doing.
  # See https://search.nixos.org/options?show=system.stateVersion
  system.stateVersion = "24.05";
 }
@@ -1,83 +0,0 @@
 {
  # https://github.com/nix-community/disko/blob/master/example/boot-raid1.nix
  # Note: Disko was used to create the initial md raid, but is no longer in active use on this host.
  disko.devices = {
    disk = {
      one = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E2EER6N6";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
      two = {
        type = "disk";
        device = "/dev/disk/by-id/ata-WDC_WD40EFRX-68WT0N0_WD-WCC4E7LPLU71";
        content = {
          type = "gpt";
          partitions = {
            ESP = {
              size = "500M";
              type = "EF00";
              content = {
                type = "mdraid";
                name = "boot";
              };
            };
            mdadm = {
              size = "100%";
              content = {
                type = "mdraid";
                name = "raid1";
              };
            };
          };
        };
      };
    };
    mdadm = {
      boot = {
        type = "mdadm";
        level = 1;
        metadata = "1.0";
        content = {
          type = "filesystem";
          format = "vfat";
          mountpoint = "/boot";
        };
      };
      raid1 = {
        type = "mdadm";
        level = 1;
        content = {
          type = "gpt";
          partitions.primary = {
            size = "100%";
            content = {
              type = "filesystem";
              format = "ext4";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
@@ -1,26 +0,0 @@
 { pkgs, ... }:
 {
  # Boot drives:
  boot.swraid.enable = true;
  # ZFS Data pool:
  boot = {
    zfs = {
      extraPools = [ "tank" ];
      requestEncryptionCredentials = false;
    };
    supportedFilesystems.zfs = true;
    # Use stable linux packages, these work with zfs
    kernelPackages = pkgs.linuxPackages;
  };
  services.zfs.autoScrub = {
    enable = true;
    interval = "Wed *-*-8..14 00:00:00";
  };
  # NFS Exports:
  #TODO
  # NFS Import mounts:
  #TODO
 }
@@ -1,70 +0,0 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 {
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [
    "ehci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
    fsType = "btrfs";
    options = [ "subvol=root" ];
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
    fsType = "btrfs";
    options = [ "subvol=home" ];
  };
  fileSystems."/nix" = {
    device = "/dev/disk/by-uuid/0f63c3d2-fc12-4ed5-a5a5-141bfd67a571";
    fsType = "btrfs";
    options = [
      "subvol=nix"
      "noatime"
    ];
  };
  fileSystems."/boot" = {
    device = "/dev/sdc2";
    fsType = "vfat";
    options = [
      "fmask=0022"
      "dmask=0022"
    ];
  };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault false;
  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
@@ -1,9 +1,4 @@
-{
+{ fp, pkgs, values, ... }:
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
@@ -26,10 +21,7 @@
  systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp2s0";
-    address = with values.hosts.bekkalokk; [
+    address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  services.btrfs.autoScrub.enable = true;
@@ -1,43 +1,31 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
    "ehci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/sda1";
+    { device = "/dev/sda1";
-    fsType = "btrfs";
+      fsType = "btrfs";
-  };
+    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/CE63-3B9B";
+    { device = "/dev/disk/by-uuid/CE63-3B9B";
-    fsType = "vfat";
+      fsType = "vfat";
-  };
+    };
-  swapDevices = [
+  swapDevices =
-    { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
+    [ { device = "/dev/disk/by-uuid/2df10c7b-0dec-45c6-a728-533f7da7f4b9"; }
-  ];
+    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -1,118 +1,10 @@
-{
+{ values, ... }:
  config,
  lib,
  pkgs,
  inputs,
  ...
 }:
 let
-  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
+  webExport = "/var/lib/bluemap/web";
-  format = pkgs.formats.hocon { };
+in {
-in
+  # NOTE: our version of the module gets added in flake.nix
 {
  # NOTE: our versino of the module gets added in flake.nix
  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    host = "minecraft.pvv.ntnu.no";
    maps =
      let
        inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
      in
      {
        "verden" = {
          extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
          settings = {
            world = vanillaSurvival;
            dimension = "minecraft:overworld";
            name = "Verden";
            sorting = 0;
            start-pos = {
              x = 0;
              z = 0;
            };
            ambient-light = 0.1;
            cave-detection-ocean-floor = -5;
          };
        };
        "underverden" = {
          extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
          settings = {
            world = vanillaSurvival;
            dimension = "minecraft:the_nether";
            name = "Underverden";
            sorting = 100;
            start-pos = {
              x = 0;
              z = 0;
            };
            sky-color = "#290000";
            void-color = "#150000";
            sky-light = 1;
            ambient-light = 0.6;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
            cave-detection-uses-block-light = true;
            render-mask = [
              {
                max-y = 90;
              }
            ];
          };
        };
        "enden" = {
          extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
          settings = {
            world = vanillaSurvival;
            dimension = "minecraft:the_end";
            name = "Enden";
            sorting = 200;
            start-pos = {
              x = 0;
              z = 0;
            };
            sky-color = "#080010";
            void-color = "#080010";
            sky-light = 1;
            ambient-light = 0.6;
            remove-caves-below-y = -10000;
            cave-detection-ocean-floor = -5;
          };
        };
      };
  };
  systemd.services."render-bluemap-maps" = {
    serviceConfig = {
      StateDirectory = [ "bluemap/world" ];
      ExecStartPre =
        let
          rsyncArgs = lib.cli.toCommandLineShellGNU { } {
            archive = true;
            compress = true;
            verbose = true;
            no-owner = true;
            no-group = true;
            rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
          };
        in
        "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
  services.nginx.virtualHosts."minecraft.pvv.ntnu.no" = {
    enableACME = true;
    forceSSL = true;
@@ -128,6 +20,30 @@ in
      quic_retry on;
      add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    '';
    root = webExport;
    locations = {
      "~* ^/maps/[^/]*/tiles/".extraConfig = ''
        error_page 404 = @empty;
      '';
      "@empty".return = "204";
    };
  };
  services.rsync-pull-targets = {
    enable = true;
    locations.${webExport} = {
      user = "root";
      rrsyncArgs.wo = true;
      authorizedKeysAttrs = [
        "restrict"
        "from=\"gluttony.pvv.ntnu.no,${values.hosts.gluttony.ipv6},${values.hosts.gluttony.ipv4}\""
        "no-agent-forwarding"
        "no-port-forwarding"
        "no-pty"
        "no-X11-forwarding"
      ];
      publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH5jrqMovXlWaFWZAV/aKyQReHvUQp5kb+7Ja4gnevSr root@gluttony bluemap";
    };
  };
  networking.firewall.allowedUDPPorts = [ 443 ];
@@ -1,16 +1,8 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  pwAuthScript = pkgs.writeShellApplication {
    name = "pwauth";
-    runtimeInputs = with pkgs; [
+    runtimeInputs = with pkgs; [ coreutils heimdal ];
      coreutils
      heimdal
    ];
    text = ''
      read -r user1
      user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
@@ -41,7 +33,7 @@ let
      "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
        <?php
-          ${lib.pipe config.services.idp.sp-remote-metadata [
+          ${ lib.pipe config.services.idp.sp-remote-metadata [
            (map (url: ''
              $metadata['${url}'] = [
                'SingleLogoutService' => [
@@ -93,20 +85,14 @@ let
        substituteInPlace "$out" \
          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
            config.sops.secrets."idp/cookie_salt".path
          }")' \
          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
            config.sops.secrets."idp/admin_password".path
          }")' \
          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "idp.pvv.ntnu.no" )' \
          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
          --replace-warn '$SAML_DATABASE_USERNAME' '"idp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
            config.sops.secrets."idp/postgres_password".path
          }")' \
          --replace-warn '$CACHE_DIRECTORY' '/var/cache/idp'
      '';
@@ -172,25 +158,23 @@ in
    services.phpfpm.pools.idp = {
      user = "idp";
      group = "idp";
-      settings =
+      settings = let
-        let
+        listenUser = config.services.nginx.user;
-          listenUser = config.services.nginx.user;
+        listenGroup = config.services.nginx.group;
-          listenGroup = config.services.nginx.group;
+      in {
-        in
+        "pm" = "dynamic";
-        {
+        "pm.max_children" = 32;
-          "pm" = "dynamic";
+        "pm.max_requests" = 500;
-          "pm.max_children" = 32;
+        "pm.start_servers" = 2;
-          "pm.max_requests" = 500;
+        "pm.min_spare_servers" = 2;
-          "pm.start_servers" = 2;
+        "pm.max_spare_servers" = 4;
-          "pm.min_spare_servers" = 2;
+        "listen.owner" = listenUser;
-          "pm.max_spare_servers" = 4;
+        "listen.group" = listenGroup;
          "listen.owner" = listenUser;
          "listen.group" = listenGroup;
-          "catch_workers_output" = true;
+        "catch_workers_output" = true;
-          "php_admin_flag[log_errors]" = true;
+        "php_admin_flag[log_errors]" = true;
-          # "php_admin_value[error_log]" = "stderr";
+        # "php_admin_value[error_log]" = "stderr";
-        };
+      };
    };
    services.nginx.virtualHosts."idp.pvv.ntnu.no" = {
@@ -198,7 +182,7 @@ in
      enableACME = true;
      kTLS = true;
      root = "${package}/share/php/simplesamlphp/public";
-      locations = {
+      locations =  {
        # based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
        "/" = {
          alias = "${package}/share/php/simplesamlphp/public/";
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 {
  security.krb5 = {
    enable = true;
@@ -1,12 +1,4 @@
-{
+{ pkgs, lib, fp, config, values, ... }: let
  pkgs,
  lib,
  fp,
  config,
  values,
  ...
 }:
 let
  cfg = config.services.mediawiki;
  # "mediawiki"
@@ -17,9 +9,7 @@ let
  simplesamlphp = pkgs.simplesamlphp.override {
    extra_files = {
-      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (
+      "metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
        import ../idp-simplesamlphp/metadata.php.nix
      );
      "config/authsources.php" = ./simplesaml-authsources.php;
@@ -28,49 +18,36 @@ let
        substituteInPlace "$out" \
          --replace-warn '$SAML_COOKIE_SECURE' 'true' \
-          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${
+          --replace-warn '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
            config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path
          }")' \
          --replace-warn '$SAML_ADMIN_NAME' '"Drift"' \
          --replace-warn '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
-          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
            config.sops.secrets."mediawiki/simplesamlphp/admin_password".path
          }")' \
          --replace-warn '$SAML_TRUSTED_DOMAINS' 'array( "wiki.pvv.ntnu.no" )' \
          --replace-warn '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
          --replace-warn '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
-          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${
+          --replace-warn '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
            config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path
          }")' \
          --replace-warn '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
      '';
    };
  };
-in
+in {
 {
  services.idp.sp-remote-metadata = [ "https://wiki.pvv.ntnu.no/simplesaml/" ];
-  sops.secrets =
+  sops.secrets = lib.pipe [
-    lib.pipe
+    "mediawiki/secret-key"
-      [
+    "mediawiki/password"
-        "mediawiki/secret-key"
+    "mediawiki/postgres_password"
-        "mediawiki/password"
+    "mediawiki/simplesamlphp/postgres_password"
-        "mediawiki/postgres_password"
+    "mediawiki/simplesamlphp/cookie_salt"
-        "mediawiki/simplesamlphp/postgres_password"
+    "mediawiki/simplesamlphp/admin_password"
-        "mediawiki/simplesamlphp/cookie_salt"
+  ] [
-        "mediawiki/simplesamlphp/admin_password"
+    (map (key: lib.nameValuePair key {
-      ]
+      owner = user;
-      [
+      group = group;
-        (map (
+      restartUnits = [ "phpfpm-mediawiki.service" ];
-          key:
+    }))
-          lib.nameValuePair key {
+    lib.listToAttrs
-            owner = user;
+  ];
            group = group;
            restartUnits = [ "phpfpm-mediawiki.service" ];
          }
        ))
        lib.listToAttrs
      ];
  services.rsync-pull-targets = {
    enable = true;
@@ -233,18 +210,18 @@ in
      # EXT:WikiEditor
      $wgWikiEditorRealtimePreview = true;
      $wgSecretKey = file_get_contents("${config.sops.secrets."mediawiki/secret-key".path}");
    '';
  };
  # Cache directory for simplesamlphp
  # systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
-  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d =
+  systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = lib.mkIf cfg.enable {
-    lib.mkIf cfg.enable
+    user = "mediawiki";
-      {
+    group = "mediawiki";
-        user = "mediawiki";
+    mode = "0770";
-        group = "mediawiki";
+  };
        mode = "0770";
      };
  users.groups.mediawiki.members = lib.mkIf cfg.enable [ "nginx" ];
@@ -252,7 +229,7 @@ in
    kTLS = true;
    forceSSL = true;
    enableACME = true;
-    locations = {
+    locations =  {
      "= /wiki/Main_Page" = lib.mkForce {
        return = "301 /wiki/Programvareverkstedet";
      };
@@ -278,22 +255,19 @@ in
      "= /PNG/PVV-logo.svg".alias = fp /assets/logo_blue_regular.svg;
      "= /PNG/PVV-logo.png".alias = fp /assets/logo_blue_regular.png;
-      "= /favicon.ico".alias =
+      "= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
-        pkgs.runCommandLocal "mediawiki-favicon.ico"
+        buildInputs = with pkgs; [ imagemagick ];
-          {
+      } ''
-            buildInputs = with pkgs; [ imagemagick ];
+        magick \
-          }
+          ${fp /assets/logo_blue_regular.png} \
-          ''
+          -resize x64 \
-            magick \
+          -gravity center \
-              ${fp /assets/logo_blue_regular.png} \
+          -crop 64x64+0+0 \
-              -resize x64 \
+          -flatten \
-              -gravity center \
+          -colors 256 \
-              -crop 64x64+0+0 \
+          -background transparent \
-              -flatten \
+          $out
-              -colors 256 \
+      '';
              -background transparent \
              $out
          '';
    };
  };
@@ -301,10 +275,6 @@ in
  systemd.services.mediawiki-init = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [
        "/run/credentials/mediawiki-init.service/secret-key:/var/lib/mediawiki/secret.key"
      ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
@@ -312,10 +282,6 @@ in
  systemd.services.phpfpm-mediawiki = lib.mkIf cfg.enable {
    after = [ "sops-install-secrets.service" ];
    serviceConfig = {
      BindReadOnlyPaths = [
        "/run/credentials/phpfpm-mediawiki.service/secret-key:/var/lib/mediawiki/secret.key"
      ];
      LoadCredential = [ "secret-key:${config.sops.secrets."mediawiki/secret-key".path}" ];
      UMask = lib.mkForce "0007";
    };
  };
@@ -11,43 +11,41 @@ in
 {
  # Source: https://www.pierreblazquez.com/2023/06/17/how-to-harden-apache-php-fpm-daemons-using-systemd/
  systemd.services = lib.genAttrs pools (_: {
-    serviceConfig =
+    serviceConfig = let
-      let
+      caps = [
-        caps = [
+        "CAP_NET_BIND_SERVICE"
-          "CAP_NET_BIND_SERVICE"
+        "CAP_SETGID"
-          "CAP_SETGID"
+        "CAP_SETUID"
-          "CAP_SETUID"
+        "CAP_CHOWN"
-          "CAP_CHOWN"
+        "CAP_KILL"
-          "CAP_KILL"
+        "CAP_IPC_LOCK"
-          "CAP_IPC_LOCK"
+        "CAP_DAC_OVERRIDE"
-          "CAP_DAC_OVERRIDE"
+      ];
-        ];
+    in {
-      in
+      AmbientCapabilities = caps;
-      {
+      CapabilityBoundingSet = caps;
-        AmbientCapabilities = caps;
+      DeviceAllow = [ "" ];
-        CapabilityBoundingSet = caps;
+      LockPersonality = true;
-        DeviceAllow = [ "" ];
+      MemoryDenyWriteExecute = false;
-        LockPersonality = true;
+      NoNewPrivileges = true;
-        MemoryDenyWriteExecute = false;
+      PrivateMounts = true;
-        NoNewPrivileges = true;
+      ProtectClock = true;
-        PrivateMounts = true;
+      ProtectControlGroups = true;
-        ProtectClock = true;
+      ProtectHome = true;
-        ProtectControlGroups = true;
+      ProtectHostname = true;
-        ProtectHome = true;
+      ProtectKernelLogs = true;
-        ProtectHostname = true;
+      ProtectKernelModules = true;
-        ProtectKernelLogs = true;
+      ProtectKernelTunables = true;
-        ProtectKernelModules = true;
+      RemoveIPC = true;
-        ProtectKernelTunables = true;
+      UMask = "0077";
-        RemoveIPC = true;
+      RestrictNamespaces = "~mnt";
-        UMask = "0077";
+      RestrictRealtime = true;
-        RestrictNamespaces = "~mnt";
+      RestrictSUIDSGID = true;
-        RestrictRealtime = true;
+      SystemCallArchitectures = "native";
-        RestrictSUIDSGID = true;
+      KeyringMode = "private";
-        SystemCallArchitectures = "native";
+      SystemCallFilter = [
-        KeyringMode = "private";
+        "@system-service"
-        SystemCallFilter = [
+      ];
-          "@system-service"
+    };
        ];
      };
  });
 }
@@ -1,52 +1,63 @@
-{
+{ config, pkgs, lib, values, ... }:
  config,
  pkgs,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.vaultwarden;
  domain = "pw.pvv.ntnu.no";
  address = "127.0.1.2";
  port = 3011;
  wsPort = 3012;
-in
+in {
-{
+  sops.secrets."vaultwarden/rsa_key.pem" = {
  sops.secrets."vaultwarden/environ" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
  };
  sops.secrets."vaultwarden/rsa_key.pub.pem" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
  };
  sops.secrets."vaultwarden/env/DATABASE_PASSWORD" = { };
  sops.secrets."vaultwarden/env/SMTP_PASSWORD" = { };
  sops.templates."vaultwarden/environment_file" = {
    owner = "vaultwarden";
    group = "vaultwarden";
    mode = "440";
    restartUnits = [ "vaultwarden.service" ];
    content = ''
        DATABASE_URL=postgresql://vaultwarden:${config.sops.placeholder."vaultwarden/env/DATABASE_PASSWORD"}@postgres.pvv.ntnu.no/vaultwarden
        SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/env/SMTP_PASSWORD"}
    '';
  };
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
-    environmentFile = config.sops.secrets."vaultwarden/environ".path;
+    environmentFile = config.sops.templates."vaultwarden/environment_file".path;
    config = {
-      domain = "https://${domain}";
+      DOMAIN = "https://${domain}";
-      rocketAddress = address;
+      ROCKET_ADDRESS = address;
-      rocketPort = port;
+      ROCKET_PORT = port;
-      websocketEnabled = true;
+      WEBSOCKET_ENABLED = true;
-      websocketAddress = address;
+      WEBSOCKET_ADDRESS = address;
-      websocketPort = wsPort;
+      WEBSOCKET_PORT = wsPort;
-      signupsAllowed = true;
+      SIGNUPS_ALLOWED = true;
-      signupsVerify = true;
+      SIGNUPS_VERIFY = true;
-      signupsDomainsWhitelist = "pvv.ntnu.no";
+      SIGNUPS_DOMAINS_WHITELIST = "pvv.ntnu.no";
-      smtpFrom = "vaultwarden@pvv.ntnu.no";
+      SMTP_FROM = "vaultwarden@pvv.ntnu.no";
-      smtpFromName = "VaultWarden PVV";
+      SMTP_FROM_NAME = "VaultWarden PVV";
-      smtpHost = "smtp.pvv.ntnu.no";
+      SMTP_HOST = "smtp.pvv.ntnu.no";
-      smtpUsername = "vaultwarden";
+      SMTP_USERNAME = "vaultwarden";
-      smtpSecurity = "force_tls";
+      SMTP_SECURITY = "force_tls";
-      smtpAuthMechanism = "Login";
+      SMTP_AUTH_MECHANISM = "Login";
-      # Configured in environ:
+      RSA_KEY_FILENAME = lib.removeSuffix ".pem" config.sops.secrets."vaultwarden/rsa_key.pem".path;
      # databaseUrl = "postgresql://vaultwarden@/vaultwarden";
      # smtpPassword = hemli
    };
  };
@@ -73,40 +84,6 @@ in
    };
  };
  systemd.services.vaultwarden = lib.mkIf cfg.enable {
    serviceConfig = {
      AmbientCapabilities = [ "" ];
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      NoNewPrivileges = true;
      # MemoryDenyWriteExecute = true;
      PrivateMounts = true;
      PrivateUsers = true;
      ProcSubset = "pid";
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
        "AF_UNIX"
      ];
      RemoveIPC = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [
        "@system-service"
        "~@privileged"
      ];
    };
  };
  services.rsync-pull-targets = {
    enable = true;
    locations."/var/lib/vaultwarden" = {
@@ -1,10 +1,4 @@
-{
+{ config, values, pkgs, lib, ... }:
  config,
  values,
  pkgs,
  lib,
  ...
 }:
 {
  imports = [
    ./roundcube.nix
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 with lib;
 let
@@ -14,29 +9,25 @@ in
  sops.secrets."roundcube/postgres_password" = {
    owner = "nginx";
    group = "nginx";
    restartUnits = [ "phpfpm-roundcube.service" ];
  };
  sops.secrets."roundcube/des_key" = {
    owner = "nginx";
    group = "nginx";
    restartUnits = [ "phpfpm-roundcube.service" ];
  };
  services.roundcube = {
    enable = true;
-    package = pkgs.roundcube.withPlugins (
+    package = pkgs.roundcube.withPlugins (plugins: with plugins; [
-      plugins: with plugins; [
+      persistent_login
-        persistent_login
+      thunderbird_labels
-        thunderbird_labels
+      contextmenu
-        contextmenu
+      custom_from
-        custom_from
+    ]);
      ]
    );
-    dicts = with pkgs.aspellDicts; [
+    dicts = with pkgs.aspellDicts; [ en en-computers nb nn fr de it ];
      en
      en-computers
      nb
      nn
      fr
      de
      it
    ];
    maxAttachmentSize = 20;
    hostName = "roundcubeplaceholder.example.com";
@@ -54,6 +45,7 @@ in
      $config['mail_domain'] = "pvv.ntnu.no";
      $config['smtp_user'] = "%u";
      $config['support_url'] = "";
      $config['des_key'] = "${config.sops.secrets."roundcube/des_key".path}";
    '';
  };
@@ -69,23 +61,21 @@ in
        ln -s ${cfg.package} $out/roundcube
      '';
      extraConfig = ''
-        location ~ ^/roundcube/(${
+        location ~ ^/roundcube/(${builtins.concatStringsSep "|" [
-          builtins.concatStringsSep "|" [
+        # https://wiki.archlinux.org/title/Roundcube
-            # https://wiki.archlinux.org/title/Roundcube
+        "README"
-            "README"
+        "INSTALL"
-            "INSTALL"
+        "LICENSE"
-            "LICENSE"
+        "CHANGELOG"
-            "CHANGELOG"
+        "UPGRADING"
-            "UPGRADING"
+        "bin"
-            "bin"
+        "SQL"
-            "SQL"
+        ".+\\.md"
-            ".+\\.md"
+        "\\."
-            "\\."
+        "config"
-            "config"
+        "temp"
-            "temp"
+        "logs"
-            "logs"
+        ]})/? {
          ]
        })/? {
          deny all;
        }
@@ -1,15 +1,7 @@
-{
+{ config, lib, fp, pkgs, values, ... }:
  config,
  lib,
  fp,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.snappymail;
-in
+in {
 {
  imports = [ (fp /modules/snappymail.nix) ];
  services.snappymail = {
@@ -1,31 +1,22 @@
-{
+{ pkgs, lib, config, ... }:
  pkgs,
  lib,
  config,
  ...
 }:
 let
  format = pkgs.formats.php { };
  cfg = config.services.pvv-nettsiden;
-in
+in {
 {
  imports = [
    ./fetch-gallery.nix
  ];
-  sops.secrets =
+  sops.secrets = lib.genAttrs [
-    lib.genAttrs
+    "nettsiden/door_secret"
-      [
+    "nettsiden/mysql_password"
-        "nettsiden/door_secret"
+    "nettsiden/simplesamlphp/admin_password"
-        "nettsiden/mysql_password"
+    "nettsiden/simplesamlphp/cookie_salt"
-        "nettsiden/simplesamlphp/admin_password"
+  ] (_: {
-        "nettsiden/simplesamlphp/cookie_salt"
+    owner = config.services.phpfpm.pools.pvv-nettsiden.user;
-      ]
+    group = config.services.phpfpm.pools.pvv-nettsiden.group;
-      (_: {
+    restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
-        owner = config.services.phpfpm.pools.pvv-nettsiden.user;
+  });
        group = config.services.phpfpm.pools.pvv-nettsiden.group;
        restartUnits = [ "phpfpm-pvv-nettsiden.service" ];
      });
  security.acme.certs."www.pvv.ntnu.no" = {
    extraDomainNames = [
@@ -44,59 +35,85 @@ in
    package = pkgs.pvv-nettsiden.override {
      extra_files = {
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" =
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/metadata/saml20-idp-remote.php" = pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
-          pkgs.writeText "pvv-nettsiden-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
+        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" = pkgs.writeText "pvv-nettsiden-authsources.php" ''
-        "${pkgs.pvv-nettsiden.passthru.simplesamlphpPath}/config/authsources.php" =
+          <?php
-          pkgs.writeText "pvv-nettsiden-authsources.php" ''
+          $config = array(
-            <?php
+              'admin' => array(
-            $config = array(
+                'core:AdminPassword'
-                'admin' => array(
+              ),
-                  'core:AdminPassword'
+              'default-sp' => array(
-                ),
+                  'saml:SP',
-                'default-sp' => array(
+                  'entityID' => 'https://${cfg.domainName}/simplesaml/',
-                    'saml:SP',
+                  'idp' => 'https://idp.pvv.ntnu.no/',
-                    'entityID' => 'https://${cfg.domainName}/simplesaml/',
+              ),
-                    'idp' => 'https://idp.pvv.ntnu.no/',
+          );
-                ),
+        '';
            );
          '';
      };
    };
    domainName = "www.pvv.ntnu.no";
-    settings =
+    settings = let
-      let
+      includeFromSops = path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
-        includeFromSops =
+    in {
-          path: format.lib.mkRaw "file_get_contents('${config.sops.secrets."nettsiden/${path}".path}')";
+      DOOR_SECRET = includeFromSops "door_secret";
      in
      {
        DOOR_SECRET = includeFromSops "door_secret";
-        DB = {
+      DB = {
-          DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
+        DSN = "mysql:dbname=www-data_nettside;host=mysql.pvv.ntnu.no";
-          USER = "www-data_nettsi";
+        USER = "www-data_nettsi";
-          PASS = includeFromSops "mysql_password";
+        PASS = includeFromSops "mysql_password";
        };
        # TODO: set up postgres session for simplesamlphp
        SAML = {
          COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
          COOKIE_SECURE = true;
          ADMIN_NAME = "PVV Drift";
          ADMIN_EMAIL = "drift@pvv.ntnu.no";
          ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
          TRUSTED_DOMAINS = [
            "www.pvv.ntnu.no"
          ];
        };
      };
      # TODO: set up postgres session for simplesamlphp
      SAML = {
        COOKIE_SALT = includeFromSops "simplesamlphp/cookie_salt";
        COOKIE_SECURE = true;
        ADMIN_NAME = "PVV Drift";
        ADMIN_EMAIL = "drift@pvv.ntnu.no";
        ADMIN_PASSWORD = includeFromSops "simplesamlphp/admin_password";
        TRUSTED_DOMAINS = [
          "www.pvv.ntnu.no"
        ];
      };
    };
  };
  services.phpfpm.pools."pvv-nettsiden".settings = {
-    # "php_admin_value[error_log]" = "stderr";
+    "php_admin_value[error_log]" = "syslog";
    "php_admin_flag[log_errors]" = true;
    "catch_workers_output" = true;
    "php_admin_value[max_execution_time]" = "30";
    "request_terminate_timeout" = "60s";
    "php_admin_value[sendmail_path]" = let
      fakeSendmail = pkgs.writeShellApplication {
        name = "fake-sendmail";
        text = ''
          TIMESTAMP="$(date +%Y-%m-%d-%H-%M-%S-%N)"
          (
            echo "SENDMAIL ARGS:"
            echo "$@"
            echo "SENDMAIL STDIN:"
            cat -
          ) > "/var/lib/pvv-nettsiden/emails/$TIMESTAMP.mail"
        '';
      };
    in lib.getExe fakeSendmail;
    "php_admin_value[disable_functions]" = lib.concatStringsSep "," [
      "curl_exec"
      "curl_multi_exec"
      "exec"
      "parse_ini_file"
      "passthru"
      "popen"
      "proc_open"
      "shell_exec"
      "show_source"
      "system"
    ];
  };
  services.nginx.virtualHosts."pvv.ntnu.no" = {
@@ -1,15 +1,8 @@
-{
+{ pkgs, lib, config, values, ... }:
  pkgs,
  lib,
  config,
  values,
  ...
 }:
 let
  galleryDir = config.services.pvv-nettsiden.settings.GALLERY.DIR;
  transferDir = "${config.services.pvv-nettsiden.settings.GALLERY.DIR}-transfer";
-in
+in {
 {
  users.users.${config.services.pvv-nettsiden.user} = {
    # NOTE: the user unfortunately needs a registered shell for rrsync to function...
    #       is there anything we can do to remove this?
@@ -44,24 +37,18 @@ in
  };
  systemd.services.pvv-nettsiden-gallery-update = {
-    path = with pkgs; [
+    path = with pkgs; [ imagemagick gnutar gzip ];
      imagemagick
      gnutar
      gzip
    ];
    script = ''
-      tar ${
+      tar ${lib.cli.toCommandLineShellGNU { } {
-        lib.cli.toGNUCommandLineShell { } {
+        extract = true;
-          extract = true;
+        file = "${transferDir}/gallery.tar.gz";
-          file = "${transferDir}/gallery.tar.gz";
+        directory = ".";
-          directory = ".";
+      }}
        }
      }
      # Delete files and directories that exists in the gallery that don't exist in the tarball
-      filesToRemove=$(uniq -u <(sort <(find . -not -path "./.thumbnails*") <(tar -tf ${transferDir}/gallery.tar.gz | sed 's|/$||')))
+      filesToRemove=$(uniq -u <(sort <(find . -not -path './.thumbnails*') <(tar -tf '${transferDir}/gallery.tar.gz' | sed 's|/$||')))
-      while IFS= read fname; do
+      while IFS= read -r fname; do
        rm -f "$fname" ||:
        rm -f ".thumbnails/$fname.png" ||:
      done <<< "$filesToRemove"
@@ -69,9 +56,9 @@ in
      find . -type d -empty -delete
      mkdir -p .thumbnails
-      images=$(find . -type f -not -path "./.thumbnails*")
+      images=$(find . -type f -not -path './.thumbnails*')
-      while IFS= read fname; do
+      while IFS= read -r fname; do
        # Skip this file if an up-to-date thumbnail already exists
        if [ -f ".thumbnails/$fname.png" ] && \
          [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ]
@@ -80,7 +67,7 @@ in
        fi
        echo "Creating thumbnail for $fname"
-        mkdir -p $(dirname ".thumbnails/$fname")
+        mkdir -p "$(dirname ".thumbnails/$fname")"
        magick -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||:
        touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png"
      done <<< "$images"
@@ -1,28 +1,25 @@
 { lib, ... }:
 {
-  services.nginx.virtualHosts =
+  services.nginx.virtualHosts = lib.genAttrs [
-    lib.genAttrs
+    "pvv.ntnu.no"
-      [
+    "www.pvv.ntnu.no"
-        "pvv.ntnu.no"
+    "pvv.org"
-        "www.pvv.ntnu.no"
+    "www.pvv.org"
-        "pvv.org"
+  ] (_: {
-        "www.pvv.org"
+    locations = {
-      ]
+      "^~ /.well-known/" = {
-      (_: {
+        alias = (toString ./root) + "/";
-        locations = {
+      };
          "^~ /.well-known/" = {
            alias = (toString ./root) + "/";
          };
-          # Proxy the matrix well-known files
+      # Proxy the matrix well-known files
-          # Host has be set before proxy_pass
+      # Host has be set before proxy_pass
-          # The header must be set so nginx on the other side routes it to the right place
+      # The header must be set so nginx on the other side routes it to the right place
-          "^~ /.well-known/matrix/" = {
+      "^~ /.well-known/matrix/" = {
-            extraConfig = ''
+        extraConfig = ''
-              proxy_set_header Host matrix.pvv.ntnu.no;
+          proxy_set_header Host matrix.pvv.ntnu.no;
-              proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
+          proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
-            '';
+        '';
-          };
+      };
-        };
+    };
-      });
+  });
 }
@@ -1,9 +1,4 @@
-{
+{ fp, pkgs, values, ... }:
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
@@ -24,16 +19,8 @@
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    #matchConfig.Name = "enp6s0f0";
    matchConfig.Name = "ens18";
-    address =
+    address = with values.hosts.bicep; [ (ipv4 + "/25") (ipv6 + "/64") ]
-      with values.hosts.bicep;
+      ++ (with values.services.turn; [ (ipv4 + "/25") (ipv6 + "/64") ]);
      [
        (ipv4 + "/25")
        (ipv6 + "/64")
      ]
      ++ (with values.services.turn; [
        (ipv4 + "/25")
        (ipv6 + "/64")
      ]);
  };
  systemd.network.wait-online = {
    anyInterface = true;
@@ -1,49 +1,34 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "ahci" "sd_mod" "sr_mod" ];
    "ata_piix"
    "uhci_hcd"
    "ahci"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
+    { device = "/dev/disk/by-uuid/20e06202-7a09-47cc-8ef6-5e7afe19453a";
-    fsType = "ext4";
+      fsType = "ext4";
-  };
+    };
  # temp data disk, only 128gb not enough until we can add another disk to the system.
-  fileSystems."/data" = {
+  fileSystems."/data" =
-    device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
+    { device = "/dev/disk/by-uuid/c81af266-0781-4084-b8eb-c2587cbcf1ba";
-    fsType = "ext4";
+      fsType = "ext4";
-  };
+    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/198B-E363";
+    { device = "/dev/disk/by-uuid/198B-E363";
-    fsType = "vfat";
+      fsType = "vfat";
-    options = [
+      options = [ "fmask=0022" "dmask=0022" ];
-      "fmask=0022"
+    };
      "dmask=0022"
    ];
  };
  swapDevices = [ ];
@@ -1,14 +1,7 @@
-{
+{ config, fp, lib, pkgs, ... }:
  config,
  fp,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.pvv-calendar-bot;
-in
+in {
 {
  sops.secrets = {
    "calendar-bot/matrix_token" = {
      sopsFile = fp /secrets/bicep/bicep.yaml;
@@ -1,10 +1,4 @@
-{
+{ config, pkgs, lib, fp, ... }:
  config,
  pkgs,
  lib,
  fp,
  ...
 }:
 let
  cfg = config.services.gickup;
 in
@@ -26,88 +20,79 @@ in
      lfs = false;
    };
-    instances =
+    instances = let
-      let
+      defaultGithubConfig = {
-        defaultGithubConfig = {
+        settings.token_file = config.sops.secrets."gickup/github-token".path;
          settings.token_file = config.sops.secrets."gickup/github-token".path;
        };
        defaultGitlabConfig = {
          # settings.token_file = ...
        };
      in
      {
        "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
        "github:NixOS/nixpkgs" = defaultGithubConfig;
        "github:go-gitea/gitea" = defaultGithubConfig;
        "github:heimdal/heimdal" = defaultGithubConfig;
        "github:saltstack/salt" = defaultGithubConfig;
        "github:typst/typst" = defaultGithubConfig;
        "github:unmojang/FjordLauncher" = defaultGithubConfig;
        "github:unmojang/drasl" = defaultGithubConfig;
        "github:yushijinhun/authlib-injector" = defaultGithubConfig;
        "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
        "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
        "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
        "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
        "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
        "any:glibc" = {
          settings.url = "https://sourceware.org/git/glibc.git";
        };
        "any:out-of-your-element" = {
          settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
        };
        "any:out-of-your-element-module" = {
          settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
        };
      };
-  };
+      defaultGitlabConfig = {
        # settings.token_file = ...
      };
    in {
      "github:Git-Mediawiki/Git-Mediawiki" = defaultGithubConfig;
      "github:NixOS/nixpkgs" = defaultGithubConfig;
      "github:go-gitea/gitea" = defaultGithubConfig;
      "github:heimdal/heimdal" = defaultGithubConfig;
      "github:saltstack/salt" = defaultGithubConfig;
      "github:typst/typst" = defaultGithubConfig;
      "github:unmojang/FjordLauncher" = defaultGithubConfig;
      "github:unmojang/drasl" = defaultGithubConfig;
      "github:yushijinhun/authlib-injector" = defaultGithubConfig;
-  services.cgit =
+      "gitlab:mx-puppet/discord/better-discord.js" = defaultGitlabConfig;
-    let
+      "gitlab:mx-puppet/discord/discord-markdown" = defaultGitlabConfig;
-      domain = "mirrors.pvv.ntnu.no";
+      "gitlab:mx-puppet/discord/matrix-discord-parser" = defaultGitlabConfig;
-    in
+      "gitlab:mx-puppet/discord/mx-puppet-discord" = defaultGitlabConfig;
-    {
+      "gitlab:mx-puppet/mx-puppet-bridge" = defaultGitlabConfig;
-      ${domain} = {
+
-        enable = true;
+      "any:glibc" = {
-        package = pkgs.callPackage (fp /packages/cgit.nix) { };
+        settings.url = "https://sourceware.org/git/glibc.git";
-        group = "gickup";
+      };
-        scanPath = "${cfg.dataDir}/linktree";
+
-        gitHttpBackend.checkExportOkFiles = false;
+      "any:out-of-your-element" = {
-        settings = {
+        settings.url = "https://gitdab.com/cadence/out-of-your-element.git";
-          enable-commit-graph = true;
+      };
-          enable-follow-links = true;
+
-          enable-http-clone = true;
+      "any:out-of-your-element-module" = {
-          enable-remote-branches = true;
+        settings.url = "https://cgit.rory.gay/nix/OOYE-module.git";
          clone-url = "https://${domain}/$CGIT_REPO_URL";
          remove-suffix = true;
          root-title = "PVVSPPP";
          root-desc = "PVV Speiler Praktisk og Prominent Programvare";
          snapshots = "all";
          logo = "/PVV-logo.png";
        };
      };
    };
  };
  services.cgit = let
    domain = "mirrors.pvv.ntnu.no";
  in {
    ${domain} = {
      enable = true;
      package = pkgs.callPackage (fp /packages/cgit.nix) { };
      group = "gickup";
      scanPath = "${cfg.dataDir}/linktree";
      gitHttpBackend.checkExportOkFiles = false;
      settings = {
        enable-commit-graph = true;
        enable-follow-links = true;
        enable-http-clone = true;
        enable-remote-branches = true;
        clone-url = "https://${domain}/$CGIT_REPO_URL";
        remove-suffix = true;
        root-title = "PVVSPPP";
        root-desc = "PVV Speiler Praktisk og Prominent Programvare";
        snapshots = "all";
        logo = "/PVV-logo.png";
      };
    };
  };
  services.nginx.virtualHosts."mirrors.pvv.ntnu.no" = {
    forceSSL = true;
    enableACME = true;
-    locations."= /PVV-logo.png".alias =
+    locations."= /PVV-logo.png".alias = let
-      let
+      small-pvv-logo = pkgs.runCommandLocal "pvv-logo-96x96" {
-        small-pvv-logo =
+        nativeBuildInputs = [ pkgs.imagemagick ];
-          pkgs.runCommandLocal "pvv-logo-96x96"
+      } ''
-            {
+        magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
-              nativeBuildInputs = [ pkgs.imagemagick ];
+      '';
-            }
+    in toString small-pvv-logo;
            ''
              magick '${fp /assets/logo_blue_regular.svg}' -resize 96x96 PNG:"$out"
            '';
      in
      toString small-pvv-logo;
  };
  systemd.services."fcgiwrap-cgit-mirrors.pvv.ntnu.no" = {
@@ -1,12 +1,4 @@
-{
+{ config, lib, fp, pkgs, secrets, values, ... }:
  config,
  lib,
  fp,
  pkgs,
  secrets,
  values,
  ...
 }:
 {
  sops.secrets."matrix/coturn/static-auth-secret" = {
@@ -135,31 +127,18 @@
  };
  networking.firewall = {
-    interfaces.enp6s0f0 =
+    interfaces.enp6s0f0 = let
-      let
+      range = with config.services.coturn; [ {
-        range = with config.services.coturn; [
+      from = min-port;
-          {
+      to = max-port;
-            from = min-port;
+    } ];
-            to = max-port;
+    in
-          }
+    {
-        ];
+      allowedUDPPortRanges = range;
-      in
+      allowedUDPPorts = [ 443 3478 3479 5349 ];
-      {
+      allowedTCPPortRanges = range;
-        allowedUDPPortRanges = range;
+      allowedTCPPorts = [ 443 3478 3479 5349 ];
-        allowedUDPPorts = [
+    };
          443
          3478
          3479
          5349
        ];
        allowedTCPPortRanges = range;
        allowedTCPPorts = [
          443
          3478
          3479
          5349
        ];
      };
  };
 }
@@ -1,9 +1,4 @@
-{
+{ config, lib, fp, ... }:
  config,
  lib,
  fp,
  ...
 }:
 let
  cfg = config.services.mx-puppet-discord;
@@ -49,6 +44,7 @@ in
    ];
  };
  services.mx-puppet-discord.enable = false;
  services.mx-puppet-discord.settings = {
    bridge = {
@@ -56,21 +52,16 @@ in
      domain = "pvv.ntnu.no";
      homeserverUrl = "https://matrix.pvv.ntnu.no";
    };
-    provisioning.whitelist = [
+    provisioning.whitelist = [ "@dandellion:dodsorf\\.as" "@danio:pvv\\.ntnu\\.no"];
      "@dandellion:dodsorf\\.as"
      "@danio:pvv\\.ntnu\\.no"
    ];
    relay.whitelist = [ ".*" ];
-    selfService.whitelist = [
+    selfService.whitelist = [ "@danio:pvv\\.ntnu\\.no" "@dandellion:dodsorf\\.as" ];
      "@danio:pvv\\.ntnu\\.no"
      "@dandellion:dodsorf\\.as"
    ];
  };
  services.mx-puppet-discord.serviceDependencies = [
    "matrix-synapse.target"
    "nginx.service"
  ];
  services.matrix-synapse-next.settings = {
    app_service_config_files = [
      config.sops.templates."discord-registration.yaml".path
@@ -1,13 +1,7 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 let
  synapse-cfg = config.services.matrix-synapse-next;
-in
+in {
 {
  services.pvv-matrix-well-known.client = {
    "m.homeserver" = {
      base_url = "https://matrix.pvv.ntnu.no";
@@ -27,12 +21,12 @@ in
        default_server_config = config.services.pvv-matrix-well-known.client;
        disable_3pid_login = true;
-        #        integrations_ui_url = "https://dimension.dodsorf.as/riot";
+#        integrations_ui_url = "https://dimension.dodsorf.as/riot";
-        #        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
+#        integrations_rest_url = "https://dimension.dodsorf.as/api/v1/scalar";
-        #        integrations_widgets_urls = [
+#        integrations_widgets_urls = [
-        #          "https://dimension.dodsorf.as/widgets"
+#          "https://dimension.dodsorf.as/widgets"
-        #        ];
+#        ];
-        #        integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
+#        integration_jitsi_widget_url = "https://dimension.dodsorf.as/widgets/jitsi";
        defaultCountryCode = "NO";
        showLabsSettings = true;
        features = {
@@ -1,11 +1,4 @@
-{
+{ config, lib, fp, unstablePkgs, inputs, ... }:
  config,
  lib,
  fp,
  unstablePkgs,
  inputs,
  ...
 }:
 let
  cfg = config.services.matrix-hookshot;
@@ -107,8 +100,7 @@ in
      };
      serviceBots = [
-        {
+        { localpart = "bot_feeds";
          localpart = "bot_feeds";
          displayname = "Aya";
          avatar = ./feeds.png;
          prefix = "!aya";
@@ -123,44 +115,20 @@ in
      permissions = [
        # Users of the PVV Server
-        {
+        { actor = "pvv.ntnu.no";
-          actor = "pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
          services = [
            {
              service = "*";
              level = "commands";
            }
          ];
        }
        # Members of Medlem space (for people with their own hs)
-        {
+        { actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
-          actor = "!pZOTJQinWyyTWaeOgK:pvv.ntnu.no";
+          services = [ { service = "*"; level = "commands"; } ];
          services = [
            {
              service = "*";
              level = "commands";
            }
          ];
        }
        # Members of Drift
-        {
+        { actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
-          actor = "!eYgeufLrninXxQpYml:pvv.ntnu.no";
+          services = [ { service = "*"; level = "admin"; } ];
          services = [
            {
              service = "*";
              level = "admin";
            }
          ];
        }
        # Dan bootstrap
-        {
+        { actor = "@dandellion:dodsorf.as";
-          actor = "@dandellion:dodsorf.as";
+          services = [ { service = "*"; level = "admin"; } ];
          services = [
            {
              service = "*";
              level = "admin";
            }
          ];
        }
      ];
    };
@@ -1,9 +1,4 @@
-{
+{ config, lib, fp, ... }:
  config,
  lib,
  fp,
  ...
 }:
 let
  synapseConfig = config.services.matrix-synapse-next;
  matrixDomain = "matrix.pvv.ntnu.no";
@@ -25,12 +20,10 @@ in
  };
  services.pvv-matrix-well-known.client = lib.mkIf cfg.enable {
-    "org.matrix.msc4143.rtc_foci" = [
+    "org.matrix.msc4143.rtc_foci" = [{
-      {
+      type = "livekit";
-        type = "livekit";
+      livekit_service_url = "https://${matrixDomain}/livekit/jwt";
-        livekit_service_url = "https://${matrixDomain}/livekit/jwt";
+    }];
      }
    ];
  };
  services.livekit = {
@@ -50,12 +43,7 @@ in
    keyFile = config.sops.templates."matrix-livekit-keyfile".path;
  };
-  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (
+  systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = lib.mkIf cfg.enable (builtins.concatStringsSep "," [ "pvv.ntnu.no" "dodsorf.as" ]);
    builtins.concatStringsSep "," [
      "pvv.ntnu.no"
      "dodsorf.as"
    ]
  );
  services.nginx.virtualHosts.${matrixDomain} = lib.mkIf cfg.enable {
    locations."^~ /livekit/jwt/" = {
@@ -1,9 +1,4 @@
-{
+{ config, lib, fp, ... }:
  config,
  lib,
  fp,
  ...
 }:
 {
  sops.secrets."matrix/mjolnir/access_token" = {
@@ -1,11 +1,4 @@
-{
+{ config, pkgs, lib, values, fp, ... }:
  config,
  pkgs,
  lib,
  values,
  fp,
  ...
 }:
 let
  cfg = config.services.matrix-ooye;
 in
@@ -1,9 +1,4 @@
-{
+{ lib, buildPythonPackage, fetchFromGitHub, setuptools }:
  lib,
  buildPythonPackage,
  fetchFromGitHub,
  setuptools,
 }:
 buildPythonPackage rec {
  pname = "matrix-synapse-smtp-auth";
@@ -1,9 +1,5 @@
-{
+{ config, lib, pkgs, ... }:
-  config,
+
  lib,
  pkgs,
  ...
 }:
 # This service requires you to have access to endpoints not available over the internet
 # Use an ssh proxy or similar to access this dashboard.
@@ -1,9 +1,4 @@
-{
+{ config, lib, utils, ... }:
  config,
  lib,
  utils,
  ...
 }:
 let
  cfg = config.services.synapse-auto-compressor;
 in
@@ -1,23 +1,13 @@
-{
+{ config, lib, fp, pkgs, values, inputs, ... }:
  config,
  lib,
  fp,
  pkgs,
  values,
  inputs,
  ...
 }:
 let
  cfg = config.services.matrix-synapse-next;
  matrix-lib = inputs.matrix-next.lib;
-  imap0Attrs =
+  imap0Attrs = with lib; f: set:
-    with lib;
+    listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
-    f: set: listToAttrs (imap0 (i: attr: nameValuePair attr (f i attr set.${attr})) (attrNames set));
+in {
 in
 {
  sops.secrets."matrix/synapse/signing_key" = {
    key = "synapse/signing_key";
    sopsFile = fp /secrets/bicep/matrix.yaml;
@@ -33,9 +23,7 @@ in
    owner = config.users.users.matrix-synapse.name;
    group = config.users.users.matrix-synapse.group;
    content = ''
-      registration_shared_secret: ${
+      registration_shared_secret: ${config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"}
        config.sops.placeholder."matrix/synapse/user_registration/registration_shared_secret"
      }
    '';
  };
@@ -80,7 +68,7 @@ in
      signing_key_path = config.sops.secrets."matrix/synapse/signing_key".path;
-      media_store_path = "${cfg.dataDir}/media";
+      media_store_path =  "${cfg.dataDir}/media";
      database = {
        name = "psycopg2";
@@ -122,8 +110,7 @@ in
      password_config.enabled = true;
      modules = [
-        {
+        { module = "smtp_auth_provider.SMTPAuthProvider";
          module = "smtp_auth_provider.SMTPAuthProvider";
          config = {
            smtp_host = "smtp.pvv.ntnu.no";
          };
@@ -196,79 +183,61 @@ in
  services.pvv-matrix-well-known.server."m.server" = "matrix.pvv.ntnu.no:443";
  services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [
-    {
+  {
-      kTLS = true;
+    kTLS = true;
-    }
+  }
-    {
+  {
-      locations."/_synapse/admin" = {
+    locations."/_synapse/admin" = {
-        proxyPass = "http://$synapse_backend";
+      proxyPass = "http://$synapse_backend";
-        extraConfig = ''
+      extraConfig = ''
-          allow 127.0.0.1;
+        allow 127.0.0.1;
-          allow ::1;
+        allow ::1;
-          allow ${values.hosts.bicep.ipv4};
+        allow ${values.hosts.bicep.ipv4};
-          allow ${values.hosts.bicep.ipv6};
+        allow ${values.hosts.bicep.ipv6};
-          deny all;
+        deny all;
-        '';
+      '';
-      };
+    };
-    }
+  }
-    {
+  {
-      locations =
+    locations = let
-        let
+      connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
-          connectionInfo = w: matrix-lib.workerConnectionResource "metrics" w;
+      socketAddress = w: let c = connectionInfo w; in "${c.host}:${toString c.port}";
          socketAddress =
            w:
            let
              c = connectionInfo w;
            in
            "${c.host}:${toString c.port}";
-          metricsPath = w: "/metrics/${w.type}/${toString w.index}";
+      metricsPath = w: "/metrics/${w.type}/${toString w.index}";
-          proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
+      proxyPath = w: "http://${socketAddress w}/_synapse/metrics";
-        in
+    in lib.mapAttrs' (n: v: lib.nameValuePair
-        lib.mapAttrs' (
+      (metricsPath v) {
-          n: v:
+        proxyPass = proxyPath v;
          lib.nameValuePair (metricsPath v) {
            proxyPass = proxyPath v;
            extraConfig = ''
              allow ${values.hosts.ildkule.ipv4};
              allow ${values.hosts.ildkule.ipv6};
              deny all;
            '';
          }
        ) cfg.workers.instances;
    }
    {
      locations."/metrics/master/1" = {
        proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
        extraConfig = ''
          allow ${values.hosts.ildkule.ipv4};
          allow ${values.hosts.ildkule.ipv6};
          deny all;
        '';
-      };
+      })
      cfg.workers.instances;
  }
  {
    locations."/metrics/master/1" = {
      proxyPass = "http://127.0.0.1:9000/_synapse/metrics";
      extraConfig = ''
        allow ${values.hosts.ildkule.ipv4};
        allow ${values.hosts.ildkule.ipv6};
        deny all;
      '';
    };
-      locations."/metrics/" =
+    locations."/metrics/" = let
-        let
+      endpoints = lib.pipe cfg.workers.instances [
-          endpoints =
+        (lib.mapAttrsToList (_: v: v))
-            lib.pipe cfg.workers.instances [
+        (map (w: "${w.type}/${toString w.index}"))
-              (lib.mapAttrsToList (_: v: v))
+        (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
-              (map (w: "${w.type}/${toString w.index}"))
+      ] ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
-              (map (w: "matrix.pvv.ntnu.no/metrics/${w}"))
+    in {
-            ]
+      alias = pkgs.writeTextDir "/config.json"
-            ++ [ "matrix.pvv.ntnu.no/metrics/master/1" ];
+        (builtins.toJSON [
-        in
+          { targets = endpoints;
-        {
+            labels = { };
-          alias =
+          }]) + "/";
-            pkgs.writeTextDir "/config.json" (
+    };
-              builtins.toJSON [
+  }];
                {
                  targets = endpoints;
                  labels = { };
                }
              ]
            )
            + "/";
        };
    }
  ];
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.pvv-matrix-well-known;
  format = pkgs.formats.json { };
@@ -1,9 +1,4 @@
-{
+{ config, lib, pkgs, ... }:
  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.services.minecraft-heatmap;
 in
@@ -32,25 +27,23 @@ in
      "sshkey:${config.sops.secrets."minecraft-heatmap/ssh-key/private".path}"
    ];
-    preStart =
+    preStart = let
-      let
+      knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
-        knownHostsFile = pkgs.writeText "minecraft-heatmap-known-hosts" ''
+        innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
-          innovation.pvv.ntnu.no ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9O/y5uqcLKCodg2Q+XfZPH/AoUIyBlDhigImU+4+Kn
+        innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
-          innovation.pvv.ntnu.no ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClR9GvWeVPZHudlnFXhGHUX5sGX9nscsOsotnlQ4uVuGsgvRifsVsuDULlAFXwoV1tYp4vnyXlsVtMddpLI5ANOIDcZ4fgDxpfSQmtHKssNpDcfMhFJbfRVyacipjA4osxTxvLox/yjtVt+URjTHUA1MWzEwc26KfiOvWO5tCBTan7doN/4KOyT05GwBxwzUAwUmoGTacIITck2Y9qp4+xFYqehbXqPdBb15hFyd38OCQhtU1hWV2Yi18+hJ4nyjc/g5pr6mW09ULlFghe/BaTUXrTisYC6bMcJZsTDwsvld9581KPvoNZOTQhZPTEQCZZ1h54fe0ZHuveVB3TIHovZyjoUuaf4uiFOjJVaKRB+Ig+Il6r7tMUn9CyHtus/Nd86E0TFBzoKxM0OFu88oaUlDtZVrUJL5En1lGoimajebb1JPxllFN5hqIT+gVyMY6nRzkcfS7ieny/U4rzXY2rfz98selftgh3LsBywwADv65i+mPw1A/1QdND1R6fV4U=
+        innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
          innovation.pvv.ntnu.no ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNjl3HfsDqmALWCL9uhz9k93RAD2565ndBqUh4N/rvI7MCwEJ6iRCdDev0YzB1Fpg24oriyYoxZRP24ifC2sQf8=
        '';
      in
      ''
        mkdir -p '${cfg.minecraftLogsDir}'
        "${lib.getExe pkgs.rsync}" \
        --archive \
        --verbose \
        --progress \
        --no-owner \
        --no-group \
        --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
        root@innovation.pvv.ntnu.no:/ \
        '${cfg.minecraftLogsDir}'/
      '';
    in ''
      mkdir -p '${cfg.minecraftLogsDir}'
      "${lib.getExe pkgs.rsync}" \
      --archive \
      --verbose \
      --progress \
      --no-owner \
      --no-group \
      --rsh="${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=\"${knownHostsFile}\" -i \"$CREDENTIALS_DIRECTORY\"/sshkey" \
      root@innovation.pvv.ntnu.no:/ \
      '${cfg.minecraftLogsDir}'/
    '';
  };
 }
@@ -1,10 +1,4 @@
-{
+{ config, lib, pkgs, values, ... }:
  config,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.mysql;
  backupDir = "/data/mysql-backups";
@@ -16,10 +10,10 @@ in
  # };
  systemd.tmpfiles.settings."10-mysql-backups".${backupDir}.d = {
-    user = "mysql";
+	  user = "mysql";
-    group = "mysql";
+	  group = "mysql";
-    mode = "700";
+	  mode = "700";
-  };
+	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
@@ -50,25 +44,23 @@ in
      zstd
    ];
-    script =
+    script = let
-      let
+      rotations = 2;
-        rotations = 2;
+    in ''
-      in
+      set -euo pipefail
      ''
        set -euo pipefail
-        OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
+      OUT_FILE="$STATE_DIRECTORY/mysql-dump-$(date --iso-8601).sql.zst"
-        mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+      mysqldump --all-databases | zstd --compress -9 --rsyncable -o "$OUT_FILE"
-        # NOTE: this needs to be a hardlink for rrsync to allow sending it
+      # NOTE: this needs to be a hardlink for rrsync to allow sending it
-        rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
+      rm "$STATE_DIRECTORY/mysql-dump-latest.sql.zst" ||:
-        ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
+      ln -T "$OUT_FILE" "$STATE_DIRECTORY/mysql-dump-latest.sql.zst"
-        while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
-          rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
-        done
+      done
-      '';
+    '';
    serviceConfig = {
      Type = "oneshot";
@@ -1,10 +1,4 @@
-{
+{ config, pkgs, lib, values, ... }:
  config,
  pkgs,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.mysql;
  dataDir = "/data/mysql";
@@ -42,14 +36,12 @@ in
    #       a password which can be found in /secrets/ildkule/ildkule.yaml
    #       We have also changed both the host and auth plugin of this user
    #       to be 'ildkule.pvv.ntnu.no' and 'mysql_native_password' respectively.
-    ensureUsers = [
+    ensureUsers = [{
-      {
+      name = "prometheus_mysqld_exporter";
-        name = "prometheus_mysqld_exporter";
+      ensurePermissions = {
-        ensurePermissions = {
+        "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
-          "*.*" = "PROCESS, REPLICATION CLIENT, SELECT, SLAVE MONITOR";
+      };
-        };
+    }];
      }
    ];
  };
  networking.firewall.allowedTCPPorts = lib.mkIf cfg.enable [ 3306 ];
@@ -1,10 +1,4 @@
-{
+{ config, lib, pkgs, values, ... }:
  config,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.postgresql;
  backupDir = "/data/postgresql-backups";
@@ -17,10 +11,10 @@ in
  # };
  systemd.tmpfiles.settings."10-postgresql-backups".${backupDir}.d = {
-    user = "postgres";
+	  user = "postgres";
-    group = "postgres";
+	  group = "postgres";
-    mode = "700";
+	  mode = "700";
-  };
+	};
  services.rsync-pull-targets = lib.mkIf cfg.enable {
    enable = true;
@@ -51,25 +45,23 @@ in
      cfg.package
    ];
-    script =
+    script = let
-      let
+      rotations = 2;
-        rotations = 2;
+    in ''
-      in
+      set -euo pipefail
      ''
        set -euo pipefail
-        OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
+      OUT_FILE="$STATE_DIRECTORY/postgresql-dump-$(date --iso-8601).sql.zst"
-        pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
+      pg_dumpall -U postgres | zstd --compress -9 --rsyncable -o "$OUT_FILE"
-        # NOTE: this needs to be a hardlink for rrsync to allow sending it
+      # NOTE: this needs to be a hardlink for rrsync to allow sending it
-        rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
+      rm "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst" ||:
-        ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
+      ln -T "$OUT_FILE" "$STATE_DIRECTORY/postgresql-dump-latest.sql.zst"
-        while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt ${toString (rotations + 1)} ]; do
+      while [ "$(find "$STATE_DIRECTORY" -type f -printf '.' | wc -c)" -gt '${toString (rotations + 1)}' ]; do
-          rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
+        rm "$(find "$STATE_DIRECTORY" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)"
-        done
+      done
-      '';
+    '';
    serviceConfig = {
      Type = "oneshot";
@@ -0,0 +1,37 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.services.postgresql;
 in
 {
  config = lib.mkIf cfg.enable {
    systemd.services = {
      postgresql-repack = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Repack all PostgreSQL databases";
        startAt = "Mon 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe cfg.package.pkgs.pg_repack} --host=/run/postgresql --no-kill-backend --wait-timeout=30 --all";
        };
      };
      postgresql-vacuum-analyze = {
        requires = [ "postgresql.service" ];
        after = [ "postgresql.target" ];
        description = "Vacuum and analyze all PostgreSQL databases";
        startAt = "Tue 06:00:00";
        serviceConfig = {
          Type = "oneshot";
          User = "postgres";
          Group = "postgres";
          ExecStart = "${lib.getExe' cfg.package "psql"} --port=${builtins.toString cfg.settings.port} -tAc 'VACUUM ANALYZE'";
        };
      };
    };
  };
 }
@@ -1,19 +1,17 @@
-{
+{ config, lib, pkgs, values, ... }:
  config,
  lib,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.postgresql;
 in
 {
-  imports = [ ./backup.nix ];
+  imports = [
    ./backup.nix
    ./cleanup-timers.nix
  ];
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_18;
    extensions = ps: with ps; [ pg_repack ];
    enableTCPIP = true;
    authentication = ''
@@ -1,14 +1,8 @@
-{
+{ config, pkgs, values, ... }:
  lib,
  config,
  pkgs,
  values,
  ...
 }:
 {
  networking.nat = {
    enable = true;
-    internalInterfaces = [ "ve-+" ];
+    internalInterfaces = ["ve-+"];
    externalInterface = "ens3";
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
@@ -16,11 +10,9 @@
  containers.bikkje = {
    autoStart = true;
-    config =
+    config = { config, pkgs, ... }: {
-      { config, pkgs, ... }:
+      #import packages
-      {
+      packages = with pkgs; [
        #import packages
        packages = with pkgs; [
          alpine
          mutt
          mutt-ics
@@ -30,66 +22,26 @@
          hexchat
          irssi
          pidgin
-        ];
+      ];
-        networking = {
+      networking = {
-          hostName = "bikkje";
+        hostName = "bikkje";
-          firewall = {
+        firewall = {
-            enable = true;
+          enable = true;
-            # Allow SSH and HTTP and ports for email and irc
+          # Allow SSH and HTTP and ports for email and irc
-            allowedTCPPorts = [
+          allowedTCPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
-              80
+          allowedUDPPorts = [ 80 22 194 994 6665 6666 6667 6668 6669 6697 995 993 25 465 587 110 143 993 995 ];
              22
              194
              994
              6665
              6666
              6667
              6668
              6669
              6697
              995
              993
              25
              465
              587
              110
              143
              993
              995
            ];
            allowedUDPPorts = [
              80
              22
              194
              994
              6665
              6666
              6667
              6668
              6669
              6697
              995
              993
              25
              465
              587
              110
              143
              993
              995
            ];
          };
          # Use systemd-resolved inside the container
          # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
          useHostResolvConf = lib.mkForce false;
        };
-
+        # Use systemd-resolved inside the container
-        services.resolved.enable = true;
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-
+        useHostResolvConf = mkForce false;
        # Don't change (even during upgrades) unless you know what you are doing.
        # See https://search.nixos.org/options?show=system.stateVersion
        system.stateVersion = "23.11";
      };
      services.resolved.enable = true;
      # Don't change (even during upgrades) unless you know what you are doing.
      # See https://search.nixos.org/options?show=system.stateVersion
      system.stateVersion = "23.11";
    };
  };
-}
+};
@@ -1,25 +1,16 @@
-{
+{ config, fp, pkgs, values, ... }:
  config,
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
-    # Include the results of the hardware scan.
+      # Include the results of the hardware scan.
-    ./hardware-configuration.nix
+      ./hardware-configuration.nix
-    (fp /base)
+      (fp /base)
-    ./services/grzegorz.nix
+      ./services/grzegorz.nix
-  ];
+    ];
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
-    address = with values.hosts.brzeczyszczykiewicz; [
+    address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  fonts.fontconfig.enable = true;
@@ -1,45 +1,31 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
    "xhci_pci"
    "ehci_pci"
    "ahci"
    "usbhid"
    "usb_storage"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
+    { device = "/dev/disk/by-uuid/4e8667f8-55de-4103-8369-b94665f42204";
-    fsType = "ext4";
+      fsType = "ext4";
-  };
+    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/82E3-3D03";
+    { device = "/dev/disk/by-uuid/82E3-3D03";
-    fsType = "vfat";
+      fsType = "vfat";
-  };
+    };
-  swapDevices = [
+  swapDevices =
-    { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
+    [ { device = "/dev/disk/by-uuid/d0bf9a21-44bc-44a3-ae55-8f0971875883"; }
-  ];
+    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -1,25 +1,16 @@
-{
+{ config, fp, pkgs, values, ... }:
  config,
  fp,
  pkgs,
  values,
  ...
 }:
 {
  imports = [
-    # Include the results of the hardware scan.
+      # Include the results of the hardware scan.
-    ./hardware-configuration.nix
+      ./hardware-configuration.nix
-    (fp /base)
+      (fp /base)
-    (fp /modules/grzegorz.nix)
+      (fp /modules/grzegorz.nix)
-  ];
+    ];
  systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
    matchConfig.Name = "eno1";
-    address = with values.hosts.georg; [
+    address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  services.spotifyd = {
@@ -1,44 +1,31 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
    "xhci_pci"
    "ehci_pci"
    "ahci"
    "usb_storage"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
+    { device = "/dev/disk/by-uuid/33825f0d-5a63-40fc-83db-bfa1ebb72ba0";
-    fsType = "ext4";
+      fsType = "ext4";
-  };
+    };
-  fileSystems."/boot" = {
+  fileSystems."/boot" =
-    device = "/dev/disk/by-uuid/145E-7362";
+    { device = "/dev/disk/by-uuid/145E-7362";
-    fsType = "vfat";
+      fsType = "vfat";
-  };
+    };
-  swapDevices = [
+  swapDevices =
-    { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
+    [ { device = "/dev/disk/by-uuid/7ed27e21-3247-44cd-8bcc-5d4a2efebf57"; }
-  ];
+    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -7,6 +7,7 @@
 {
  imports = [
    ./hardware-configuration.nix
    ./services/bluemap.nix
    (fp /base)
  ];
@@ -22,7 +22,7 @@
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
@@ -31,7 +31,7 @@
  };
  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/933A-3005";
+    device = "/dev/disk/by-uuid/BD97-FCA0";
    fsType = "vfat";
    options = [
      "fmask=0077"
@@ -0,0 +1,113 @@
 { config, lib, pkgs, inputs, ... }:
 let
  vanillaSurvival = "/var/lib/bluemap/vanilla_survival_world";
 in {
  # NOTE: our version of the module gets added in flake.nix
  disabledModules = [ "services/web-apps/bluemap.nix" ];
  sops.secrets."bluemap/ssh-key" = { };
  sops.secrets."bluemap/ssh-known-hosts" = { };
  services.bluemap = {
    enable = true;
    eula = true;
    onCalendar = "*-*-* 05:45:00"; # a little over an hour after auto-upgrade
    enableNginx = false;
    host = "minecraft.pvv.ntnu.no";
    maps = let
      inherit (inputs.minecraft-kartverket.packages.${pkgs.stdenv.hostPlatform.system}) bluemap-export;
    in {
      "verden" = {
        extraHoconMarkersFile = "${bluemap-export}/overworld.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:overworld";
          name = "Verden";
          sorting = 0;
          start-pos = {
            x = 0;
            z = 0;
          };
          ambient-light = 0.1;
          cave-detection-ocean-floor = -5;
        };
      };
      "underverden" = {
        extraHoconMarkersFile = "${bluemap-export}/nether.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_nether";
          name = "Underverden";
          sorting = 100;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#290000";
          void-color = "#150000";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
          cave-detection-uses-block-light = true;
          render-mask = [{
            max-y = 90;
          }];
        };
      };
      "enden" = {
        extraHoconMarkersFile = "${bluemap-export}/the-end.hocon";
        settings = {
          world = vanillaSurvival;
          dimension = "minecraft:the_end";
          name = "Enden";
          sorting = 200;
          start-pos = {
            x = 0;
            z = 0;
          };
          sky-color = "#080010";
          void-color = "#080010";
          sky-light = 1;
          ambient-light = 0.6;
          remove-caves-below-y = -10000;
          cave-detection-ocean-floor = -5;
        };
      };
    };
  };
  systemd.services."render-bluemap-maps" = {
    serviceConfig = {
      StateDirectory = [ "bluemap/world" ];
      ExecStartPre = let
        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
          archive = true;
          compress = true;
          verbose = true;
          no-owner = true;
          no-group = true;
          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
        };
      in "${lib.getExe pkgs.rsync} ${rsyncArgs} root@innovation.pvv.ntnu.no:/ ${vanillaSurvival}";
      ExecStartPost = let
        rsyncArgs = lib.cli.toCommandLineShellGNU { } {
          archive = true;
          compress = true;
          verbose = true;
          no-owner = true;
          no-group = true;
          rsh = "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey";
        };
      in "${lib.getExe pkgs.rsync} ${rsyncArgs} --groupmap=root:nginx ${config.services.bluemap.webRoot}/ root@bekkalokk.pvv.ntnu.no:/";
      LoadCredential = [
        "sshkey:${config.sops.secrets."bluemap/ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."bluemap/ssh-known-hosts".path}"
      ];
    };
  };
 }
@@ -5,11 +5,10 @@
  lib,
  values,
  ...
-}:
+}: {
 {
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./disks.nix
    (fp /base)
    ./services/monitoring
@@ -17,44 +16,42 @@
    ./services/journald-remote.nix
  ];
-  boot.loader.systemd-boot.enable = false;
+  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/vda";
+  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  # Openstack Neutron and systemd-networkd are not best friends, use something else:
  systemd.network.enable = lib.mkForce false;
-  networking =
+  networking = let
-    let
+    hostConf = values.hosts.ildkule;
-      hostConf = values.hosts.ildkule;
+  in {
-    in
+    tempAddresses = "disabled";
-    {
+    useDHCP = lib.mkForce true;
      tempAddresses = "disabled";
      useDHCP = lib.mkForce true;
-      search = values.defaultNetworkConfig.domains;
+    search = values.defaultNetworkConfig.domains;
-      nameservers = values.defaultNetworkConfig.dns;
+    nameservers = values.defaultNetworkConfig.dns;
-      defaultGateway.address = hostConf.ipv4_internal_gw;
+    defaultGateway.address = hostConf.ipv4_internal_gw;
-      interfaces."ens4" = {
+    interfaces."ens3" = {
-        ipv4.addresses = [
+      ipv4.addresses = [
-          {
+        {
-            address = hostConf.ipv4;
+          address = hostConf.ipv4;
-            prefixLength = 32;
+          prefixLength = 32;
-          }
+        }
-          {
+        {
-            address = hostConf.ipv4_internal;
+          address = hostConf.ipv4_internal;
-            prefixLength = 24;
+          prefixLength = 24;
-          }
+        }
-        ];
+      ];
-        ipv6.addresses = [
+      ipv6.addresses = [
-          {
+        {
-            address = hostConf.ipv6;
+          address = hostConf.ipv6;
-            prefixLength = 64;
+          prefixLength = 64;
-          }
+        }
-        ];
+      ];
      };
    };
  };
  services.qemuGuest.enable = true;
@@ -0,0 +1,27 @@
 {
  disko.devices = {
    disk = {
      sda = {
        device = "/dev/sda";
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            bios = {
              size = "1M";
              type = "EF02";
            };
            root = {
              size = "100%";
              content = {
                type = "filesystem";
                format = "ext4";
                mountpoint = "/";
              };
            };
          };
        };
      };
    };
  };
 }
@@ -1,21 +1,24 @@
-{ modulesPath, lib, ... }:
+# Do not modify this file!  It was generated by 'nixos-generate-config'
-{
+# and may be overwritten by future invocations.  Please make changes
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+# to /etc/nixos/configuration.nix instead.
-  boot.initrd.availableKernelModules = [
+{ config, lib, pkgs, modulesPath, ... }:
    "ata_piix"
    "uhci_hcd"
    "xen_blkfront"
    "vmw_pvscsi"
  ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/e35eb4ce-aac3-4f91-8383-6e7cd8bbf942";
    fsType = "ext4";
  };
  fileSystems."/data" = {
    device = "/dev/disk/by-uuid/0a4c1234-02d3-4b53-aeca-d95c4c8d534b";
    fsType = "ext4";
  };
 {
  imports =
    [ (modulesPath + "/profiles/qemu-guest.nix")
    ];
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
@@ -1,9 +1,4 @@
-{
+{ config, lib, values, ... }:
  config,
  lib,
  values,
  ...
 }:
 let
  cfg = config.services.journald.remote;
  domainName = "journald.pvv.ntnu.no";
@@ -27,15 +22,13 @@ in
  services.journald.remote = {
    enable = true;
-    settings.Remote =
+    settings.Remote = let
-      let
+      inherit (config.security.acme.certs.${domainName}) directory;
-        inherit (config.security.acme.certs.${domainName}) directory;
+    in {
-      in
+      ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
-      {
+      ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
-        ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
+      TrustedCertificateFile = "-";
-        ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
+    };
        TrustedCertificateFile = "-";
      };
  };
  systemd.sockets."systemd-journal-remote" = {
@@ -54,14 +47,12 @@ in
  systemd.services."systemd-journal-remote" = {
    serviceConfig = {
-      LoadCredential =
+      LoadCredential = let
-        let
+        inherit (config.security.acme.certs.${domainName}) directory;
-          inherit (config.security.acme.certs.${domainName}) directory;
+      in [
-        in
+        "key.pem:${directory}/key.pem"
-        [
+        "cert.pem:${directory}/cert.pem"
-          "key.pem:${directory}/key.pem"
+      ];
          "cert.pem:${directory}/cert.pem"
        ];
    };
  };
 }
@@ -1,44 +1,33 @@
-{
+{ config, pkgs, values, ... }: let
  config,
  pkgs,
  values,
  ...
 }:
 let
  cfg = config.services.grafana;
-in
+in {
-{
+  sops.secrets = let
-  sops.secrets =
+    owner = "grafana";
-    let
+    group = "grafana";
-      owner = "grafana";
+  in {
-      group = "grafana";
+    "keys/grafana/secret_key" = { inherit owner group; };
-    in
+    "keys/grafana/admin_password" = { inherit owner group; };
-    {
+  };
      "keys/grafana/secret_key" = { inherit owner group; };
      "keys/grafana/admin_password" = { inherit owner group; };
    };
  services.grafana = {
    enable = true;
-    settings =
+    settings = let
-      let
+      # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
-        # See https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+      secretFile = path: "$__file{${path}}";
-        secretFile = path: "$__file{${path}}";
+    in {
-      in
+      server = {
-      {
+        domain = "grafana.pvv.ntnu.no";
-        server = {
+        http_port = 2342;
-          domain = "grafana.pvv.ntnu.no";
+        http_addr = "127.0.0.1";
          http_port = 2342;
          http_addr = "127.0.0.1";
        };
        security = {
          secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
          admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
        };
      };
      security = {
        secret_key = secretFile config.sops.secrets."keys/grafana/secret_key".path;
        admin_password = secretFile config.sops.secrets."keys/grafana/admin_password".path;
      };
    };
    provision = {
      enable = true;
      datasources.settings.datasources = [
@@ -3,8 +3,7 @@
 let
  cfg = config.services.loki;
  stateDir = "/data/monitoring/loki";
-in
+in {
 {
  services.loki = {
    enable = true;
    configuration = {
@@ -1,8 +1,6 @@
-{ config, ... }:
+{ config, ... }: let
 let
  stateDir = "/data/monitoring/prometheus";
-in
+in {
 {
  imports = [
    ./exim.nix
    ./gitea.nix
@@ -23,6 +21,7 @@ in
  fileSystems."/var/lib/prometheus2" = {
    device = stateDir;
    fsType = "bind";
    options = [ "bind" ];
  };
 }
@@ -5,11 +5,9 @@
      {
        job_name = "exim";
        scrape_interval = "15s";
-        static_configs = [
+        static_configs = [{
-          {
+          targets = [ "microbel.pvv.ntnu.no:9636" ];
-            targets = [ "microbel.pvv.ntnu.no:9636" ];
+        }];
          }
        ];
      }
    ];
  };
@@ -1,18 +1,16 @@
 { ... }:
 {
-  services.prometheus.scrapeConfigs = [
+  services.prometheus.scrapeConfigs = [{
-    {
+    job_name = "gitea";
-      job_name = "gitea";
+    scrape_interval = "60s";
-      scrape_interval = "60s";
+    scheme = "https";
      scheme = "https";
-      static_configs = [
+    static_configs = [
-        {
+      {
-          targets = [
+        targets = [
-            "git.pvv.ntnu.no:443"
+          "git.pvv.ntnu.no:443"
-          ];
+        ];
-        }
+      }
-      ];
+    ];
-    }
+  }];
  ];
 }
@@ -1,5 +1,4 @@
-{ config, ... }:
+{ config, ... }: let
 let
  cfg = config.services.prometheus;
  mkHostScrapeConfig = name: ports: {
@@ -10,98 +9,29 @@ let
  defaultNodeExporterPort = 9100;
  defaultSystemdExporterPort = 9101;
  defaultNixosExporterPort = 9102;
-in
+in {
-{
+  services.prometheus.scrapeConfigs = [{
-  services.prometheus.scrapeConfigs = [
+    job_name = "base_info";
-    {
+    static_configs = [
-      job_name = "base_info";
+      (mkHostScrapeConfig "ildkule" [ cfg.exporters.node.port cfg.exporters.systemd.port defaultNixosExporterPort ])
      static_configs = [
        (mkHostScrapeConfig "ildkule" [
          cfg.exporters.node.port
          cfg.exporters.systemd.port
          defaultNixosExporterPort
        ])
-        (mkHostScrapeConfig "bekkalokk" [
+      (mkHostScrapeConfig "bekkalokk" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNodeExporterPort
+      (mkHostScrapeConfig "bicep" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultSystemdExporterPort
+      (mkHostScrapeConfig "brzeczyszczykiewicz" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNixosExporterPort
+      (mkHostScrapeConfig "georg" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        ])
+      (mkHostScrapeConfig "gluttony" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        (mkHostScrapeConfig "bicep" [
+      (mkHostScrapeConfig "kommode" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNodeExporterPort
+      (mkHostScrapeConfig "lupine-1" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultSystemdExporterPort
+      (mkHostScrapeConfig "lupine-2" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNixosExporterPort
+      (mkHostScrapeConfig "lupine-3" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        ])
+      (mkHostScrapeConfig "lupine-4" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-        (mkHostScrapeConfig "brzeczyszczykiewicz" [
+      (mkHostScrapeConfig "lupine-5" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultNodeExporterPort
+      (mkHostScrapeConfig "temmie" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
-          defaultSystemdExporterPort
+      (mkHostScrapeConfig "wenche" [ defaultNodeExporterPort defaultSystemdExporterPort defaultNixosExporterPort ])
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "georg" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "gluttony" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "kommode" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-1" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-2" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-3" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-4" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "lupine-5" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "temmie" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "ustetind" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
        (mkHostScrapeConfig "wenche" [
          defaultNodeExporterPort
          defaultSystemdExporterPort
          defaultNixosExporterPort
        ])
-        (mkHostScrapeConfig "skrott" [
+      (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
-          defaultNodeExporterPort
+      (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
-          defaultSystemdExporterPort
+      (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
-        ])
+    ];
-
+  }];
        (mkHostScrapeConfig "hildring" [ defaultNodeExporterPort ])
        (mkHostScrapeConfig "isvegg" [ defaultNodeExporterPort ])
        (mkHostScrapeConfig "microbel" [ defaultNodeExporterPort ])
      ];
    }
  ];
 }
@@ -1,44 +1,40 @@
 { ... }:
 {
-  services.prometheus.scrapeConfigs = [
+  services.prometheus.scrapeConfigs = [{
-    {
+    job_name = "synapse";
-      job_name = "synapse";
+    scrape_interval = "15s";
-      scrape_interval = "15s";
+    scheme = "https";
      scheme = "https";
-      http_sd_configs = [
+    http_sd_configs = [{
-        {
+      url = "https://matrix.pvv.ntnu.no/metrics/config.json";
-          url = "https://matrix.pvv.ntnu.no/metrics/config.json";
+    }];
        }
      ];
-      relabel_configs = [
+    relabel_configs = [
-        {
+      {
-          source_labels = [ "__address__" ];
+        source_labels = [ "__address__" ];
-          regex = "[^/]+(/.*)";
+        regex = "[^/]+(/.*)";
-          target_label = "__metrics_path__";
+        target_label = "__metrics_path__";
-        }
+      }
-        {
+      {
-          source_labels = [ "__address__" ];
+        source_labels = [ "__address__" ];
-          regex = "([^/]+)/.*";
+        regex = "([^/]+)/.*";
-          target_label = "instance";
+        target_label = "instance";
-        }
+      }
-        {
+      {
-          source_labels = [ "__address__" ];
+        source_labels = [ "__address__" ];
-          regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
+        regex = "[^/]+\\/+[^/]+/(.*)/\\d+$";
-          target_label = "job";
+        target_label = "job";
-        }
+      }
-        {
+      {
-          source_labels = [ "__address__" ];
+        source_labels = [ "__address__" ];
-          regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
+        regex = "[^/]+\\/+[^/]+/.*/(\\d+)$";
-          target_label = "index";
+        target_label = "index";
-        }
+      }
-        {
+      {
-          source_labels = [ "__address__" ];
+        source_labels = [ "__address__" ];
-          regex = "([^/]+)/.*";
+        regex = "([^/]+)/.*";
-          target_label = "__address__";
+        target_label = "__address__";
-        }
+      }
-      ];
+    ];
-    }
+  }];
  ];
 }
@@ -1,42 +1,36 @@
-{ config, ... }:
+{ config, ... }: let
 let
  cfg = config.services.prometheus;
-in
+in {
 {
  sops = {
    secrets."config/mysqld_exporter_password" = { };
    templates."mysqld_exporter.conf" = {
      restartUnits = [ "prometheus-mysqld-exporter.service" ];
-      content =
+      content = let
-        let
+        inherit (config.sops) placeholder;
-          inherit (config.sops) placeholder;
+      in ''
-        in
+        [client]
-        ''
+        host = mysql.pvv.ntnu.no
-          [client]
+        port = 3306
-          host = mysql.pvv.ntnu.no
+        user = prometheus_mysqld_exporter
-          port = 3306
+        password = ${placeholder."config/mysqld_exporter_password"}
-          user = prometheus_mysqld_exporter
+      '';
          password = ${placeholder."config/mysqld_exporter_password"}
        '';
    };
  };
  services.prometheus = {
-    scrapeConfigs = [
+    scrapeConfigs = [{
-      {
+      job_name = "mysql";
-        job_name = "mysql";
+      scheme = "http";
-        scheme = "http";
+      metrics_path = cfg.exporters.mysqld.telemetryPath;
-        metrics_path = cfg.exporters.mysqld.telemetryPath;
+      static_configs = [
-        static_configs = [
+        {
-          {
+          targets = [
-            targets = [
+            "localhost:${toString cfg.exporters.mysqld.port}"
-              "localhost:${toString cfg.exporters.mysqld.port}"
+          ];
-            ];
+        }
-          }
+      ];
-        ];
+    }];
      }
    ];
    exporters.mysqld = {
      enable = true;
@@ -1,17 +1,9 @@
-{
+{ pkgs, lib, config, values, ... }: let
  pkgs,
  lib,
  config,
  values,
  ...
 }:
 let
  cfg = config.services.prometheus;
-in
+in {
 {
  sops.secrets = {
-    "keys/postgres/postgres_exporter_env" = { };
+    "keys/postgres/postgres_exporter_env" = {};
-    "keys/postgres/postgres_exporter_knakelibrak_env" = { };
+    "keys/postgres/postgres_exporter_knakelibrak_env" = {};
  };
  services.prometheus = {
@@ -19,26 +11,22 @@ in
      {
        job_name = "postgres";
        scrape_interval = "15s";
-        static_configs = [
+        static_configs = [{
-          {
+          targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
-            targets = [ "localhost:${toString cfg.exporters.postgres.port}" ];
+          labels = {
-            labels = {
+            server = "bicep";
-              server = "bicep";
+          };
-            };
+        }];
          }
        ];
      }
      {
        job_name = "postgres-knakelibrak";
        scrape_interval = "15s";
-        static_configs = [
+        static_configs = [{
-          {
+          targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
-            targets = [ "localhost:${toString (cfg.exporters.postgres.port + 1)}" ];
+          labels = {
-            labels = {
+            server = "knakelibrak";
-              server = "knakelibrak";
+          };
-            };
+        }];
          }
        ];
      }
    ];
@@ -49,11 +37,9 @@ in
    };
  };
-  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig =
+  systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let
-    let
+    localCfg = config.services.prometheus.exporters.postgres;
-      localCfg = config.services.prometheus.exporters.postgres;
+  in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
    in
    lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig {
      EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path;
      ExecStart = ''
        ${pkgs.prometheus-postgres-exporter}/bin/postgres_exporter \
@@ -1,15 +1,9 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.uptime-kuma;
  domain = "status.pvv.ntnu.no";
  stateDir = "/data/monitoring/uptime-kuma";
-in
+in {
 {
  services.uptime-kuma = {
    enable = true;
    settings = {
@@ -25,8 +19,9 @@ in
    locations."/".proxyPass = "http://${cfg.settings.HOST}:${cfg.settings.PORT}";
  };
-  fileSystems."/var/lib/uptime-kuma" = {
+  fileSystems."/var/lib/private/uptime-kuma" = {
    device = stateDir;
    fsType = "bind";
    options = [ "bind" ];
  };
 }
@@ -1,9 +1,4 @@
-{
+{ pkgs, values, fp, ... }:
  pkgs,
  values,
  fp,
  ...
 }:
 {
  imports = [
    # Include the results of the hardware scan.
@@ -17,10 +12,7 @@
  systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
    matchConfig.Name = "ens18";
-    address = with values.hosts.kommode; [
+    address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
  };
  services.btrfs.autoScrub.enable = true;
@@ -1,27 +1,14 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/profiles/qemu-guest.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
@@ -1,10 +1,4 @@
-{
+{ config, pkgs, lib, fp, ... }:
  config,
  pkgs,
  lib,
  fp,
  ...
 }:
 let
  cfg = config.services.gitea;
 in
@@ -74,59 +68,54 @@ in
    wantedBy = [ "gitea.service" ];
    requiredBy = [ "gitea.service" ];
-    serviceConfig = {
+    serviceConfig =  {
      Type = "oneshot";
      User = cfg.user;
      Group = cfg.group;
    };
-    script =
+    script = let
-      let
+      logo-svg = fp /assets/logo_blue_regular.svg;
-        logo-svg = fp /assets/logo_blue_regular.svg;
+      logo-png = fp /assets/logo_blue_regular.png;
        logo-png = fp /assets/logo_blue_regular.png;
-        extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
+      extraLinks = pkgs.writeText "gitea-extra-links.tmpl" ''
-          <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
+        <a class="item" href="https://git.pvv.ntnu.no/Drift/-/projects/4">Tokyo Drift Issues</a>
        '';
        extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
          <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
          <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
          <a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
        '';
        project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
          labels = lib.importJSON ./labels/projects.json;
        };
        customTemplates =
          pkgs.runCommandLocal "gitea-templates"
            {
              nativeBuildInputs = with pkgs; [
                coreutils
                gnused
              ];
            }
            ''
              # Bigger icons
              install -Dm444 "${cfg.package.src}/templates/repo/icon.tmpl" "$out/repo/icon.tmpl"
              sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
            '';
      in
      ''
        install -Dm444 ${logo-svg} ${cfg.customDir}/public/assets/img/logo.svg
        install -Dm444 ${logo-png} ${cfg.customDir}/public/assets/img/logo.png
        install -Dm444 ${./loading.apng} ${cfg.customDir}/public/assets/img/loading.png
        install -Dm444 ${extraLinks} ${cfg.customDir}/templates/custom/extra_links.tmpl
        install -Dm444 ${extraLinksFooter} ${cfg.customDir}/templates/custom/extra_links_footer.tmpl
        install -Dm444 ${project-labels} ${cfg.customDir}/options/label/project-labels.yaml
        install -Dm644 ${./emotes/bruh.png} ${cfg.customDir}/public/assets/img/emoji/bruh.png
        install -Dm644 ${./emotes/huh.gif} ${cfg.customDir}/public/assets/img/emoji/huh.png
        install -Dm644 ${./emotes/grr.png} ${cfg.customDir}/public/assets/img/emoji/grr.png
        install -Dm644 ${./emotes/okiedokie.jpg} ${cfg.customDir}/public/assets/img/emoji/okiedokie.png
        "${lib.getExe pkgs.rsync}" -a "${customTemplates}/" ${cfg.customDir}/templates/
      '';
      extraLinksFooter = pkgs.writeText "gitea-extra-links-footer.tmpl" ''
        <a class="item" href="https://www.pvv.ntnu.no/">PVV</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/">Wiki</a>
        <a class="item" href="https://wiki.pvv.ntnu.no/wiki/Tjenester/Kodelager">PVV Gitea Howto</a>
      '';
      project-labels = (pkgs.formats.yaml { }).generate "gitea-project-labels.yaml" {
        labels = lib.importJSON ./labels/projects.json;
      };
      customTemplates = pkgs.runCommandLocal "gitea-templates" {
        nativeBuildInputs = with pkgs; [
          coreutils
          gnused
        ];
      } ''
        # Bigger icons
        install -Dm444 '${cfg.package.src}/templates/repo/icon.tmpl' "$out/repo/icon.tmpl"
        sed -i -e 's/24/60/g' "$out/repo/icon.tmpl"
      '';
    in ''
      install -Dm444 '${logo-svg}' '${cfg.customDir}/public/assets/img/logo.svg'
      install -Dm444 '${logo-png}' '${cfg.customDir}/public/assets/img/logo.png'
      install -Dm444 '${./loading.apng}' '${cfg.customDir}/public/assets/img/loading.png'
      install -Dm444 '${extraLinks}' '${cfg.customDir}/templates/custom/extra_links.tmpl'
      install -Dm444 '${extraLinksFooter}' '${cfg.customDir}/templates/custom/extra_links_footer.tmpl'
      install -Dm444 '${project-labels}' '${cfg.customDir}/options/label/project-labels.yaml'
      install -Dm644 '${./emotes/bruh.png}' '${cfg.customDir}/public/assets/img/emoji/bruh.png'
      install -Dm644 '${./emotes/huh.gif}' '${cfg.customDir}/public/assets/img/emoji/huh.png'
      install -Dm644 '${./emotes/grr.png}' '${cfg.customDir}/public/assets/img/emoji/grr.png'
      install -Dm644 '${./emotes/okiedokie.jpg}' '${cfg.customDir}/public/assets/img/emoji/okiedokie.png'
      '${lib.getExe pkgs.rsync}' -a '${customTemplates}/' '${cfg.customDir}/templates/'
    '';
  };
 }
@@ -1,17 +1,9 @@
-{
+{ config, values, lib, pkgs, unstablePkgs, ... }:
  config,
  values,
  lib,
  pkgs,
  unstablePkgs,
  ...
 }:
 let
  cfg = config.services.gitea;
  domain = "git.pvv.ntnu.no";
-  sshPort = 2222;
+  sshPort  = 2222;
-in
+in {
 {
  imports = [
    ./customization
    ./gpg.nix
@@ -19,21 +11,19 @@ in
    ./web-secret-provider
  ];
-  sops.secrets =
+  sops.secrets = let
-    let
+    defaultConfig = {
-      defaultConfig = {
+      owner = "gitea";
-        owner = "gitea";
+      group = "gitea";
-        group = "gitea";
+      restartUnits = [ "gitea.service" ];
        restartUnits = [ "gitea.service" ];
      };
    in
    {
      "gitea/database" = defaultConfig;
      "gitea/email-password" = defaultConfig;
      "gitea/lfs-jwt-secret" = defaultConfig;
      "gitea/oauth2-jwt-secret" = defaultConfig;
      "gitea/secret-key" = defaultConfig;
    };
  in {
    "gitea/database" = defaultConfig;
    "gitea/email-password" = defaultConfig;
    "gitea/lfs-jwt-secret" = defaultConfig;
    "gitea/oauth2-jwt-secret" = defaultConfig;
    "gitea/secret-key" = defaultConfig;
  };
  services.gitea = {
    enable = true;
@@ -54,7 +44,7 @@ in
    # https://docs.gitea.com/administration/config-cheat-sheet
    settings = {
      server = {
-        DOMAIN = domain;
+        DOMAIN   = domain;
        ROOT_URL = "https://${domain}/";
        PROTOCOL = "http+unix";
        SSH_PORT = sshPort;
@@ -141,11 +131,9 @@ in
          "repo.pulls"
          "repo.releases"
        ];
        ALLOW_FORK_INTO_SAME_OWNER = true;
      };
      picture = {
        DISABLE_GRAVATAR = true;
        ENABLE_FEDERATED_AVATAR = false;
        AVATAR_MAX_FILE_SIZE = 1024 * 1024 * 5;
        # NOTE: go any bigger than this, and gitea will freeze your gif >:(
        AVATAR_MAX_ORIGIN_SIZE = 1024 * 1024 * 2;
@@ -225,33 +213,24 @@ in
  };
  systemd.services.gitea-dump = {
-    serviceConfig.ExecStart =
+    serviceConfig.ExecStart = let
-      let
+      args = lib.cli.toCommandLineShellGNU { } {
-        args = lib.cli.toGNUCommandLineShell { } {
+        type = cfg.dump.type;
          type = cfg.dump.type;
-          # This should be declarative on nixos, no need to backup.
+        # This should be declarative on nixos, no need to backup.
-          skip-custom-dir = true;
+        skip-custom-dir = true;
-          # This can be regenerated, no need to backup
+        # This can be regenerated, no need to backup
-          skip-index = true;
+        skip-index = true;
-          # Logs are stored in the systemd journal
+        # Logs are stored in the systemd journal
-          skip-log = true;
+        skip-log = true;
-        };
+      };
-      in
+    in lib.mkForce "${lib.getExe cfg.package} dump ${args}";
      lib.mkForce "${lib.getExe cfg.package} ${args}";
-    # Only keep n backup files at a time
+    # Only keep a single backup file at a time.
-    postStop =
+    postStop = ''
-      let
+      ${lib.getExe' pkgs.coreutils "mv"} '${cfg.dump.backupDir}'/gitea-dump-*.tar.gz gitea-dump.tar.gz
-        cu = prog: "'${lib.getExe' pkgs.coreutils prog}'";
+    '';
        backupCount = 3;
      in
      ''
        for file in $(${cu "ls"} -t1 '${cfg.dump.backupDir}' | ${cu "sort"} --reverse | ${cu "tail"} -n+${toString (backupCount + 1)}); do
          ${cu "rm"} "$file"
        done
      '';
  };
 }
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.gitea;
  GNUPGHOME = "${config.users.users.gitea.home}/gnupg";
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = config.services.gitea;
 in
@@ -16,7 +11,7 @@ in
  systemd.services.gitea-import-users = lib.mkIf cfg.enable {
    enable = true;
-    preStart = ''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
+    preStart=''${pkgs.rsync}/bin/rsync -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=$CREDENTIALS_DIRECTORY/ssh-known-hosts -i $CREDENTIALS_DIRECTORY/sshkey" -a pvv@smtp.pvv.ntnu.no:/etc/passwd /run/gitea-import-users/passwd'';
    environment.PASSWD_FILE_PATH = "/run/gitea-import-users/passwd";
    serviceConfig = {
      ExecStart = pkgs.writers.writePython3 "gitea-import-users" {
@@ -25,12 +20,12 @@ in
        ];
        libraries = with pkgs.python3Packages; [ requests ];
      } (builtins.readFile ./gitea-import-users.py);
-      LoadCredential = [
+      LoadCredential=[
        "sshkey:${config.sops.secrets."gitea/passwd-ssh-key".path}"
        "ssh-known-hosts:${config.sops.secrets."gitea/ssh-known-hosts".path}"
      ];
-      DynamicUser = "yes";
+      DynamicUser="yes";
-      EnvironmentFile = config.sops.secrets."gitea/import-user-env".path;
+      EnvironmentFile=config.sops.secrets."gitea/import-user-env".path;
      RuntimeDirectory = "gitea-import-users";
    };
  };
@@ -1,9 +1,4 @@
-{
+{ config, pkgs, lib, ... }:
  config,
  pkgs,
  lib,
  ...
 }:
 let
  organizations = [
    "Drift"
@@ -41,8 +36,7 @@ in
    group = "gitea-web";
    restartUnits = [
      "gitea-web-secret-provider@"
-    ]
+    ] ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
    ++ (map (org: "gitea-web-secret-provider@${org}") organizations);
  };
  systemd.slices.system-giteaweb = {
@@ -54,30 +48,25 @@ in
  # %d - secrets directory
  systemd.services."gitea-web-secret-provider@" = {
    description = "Ensure all repos in %i has an SSH key to push web content";
-    requires = [
+    requires = [ "gitea.service" "network.target" ];
      "gitea.service"
      "network.target"
    ];
    serviceConfig = {
      Slice = "system-giteaweb.slice";
      Type = "oneshot";
-      ExecStart =
+      ExecStart = let
-        let
+        args = lib.cli.toCommandLineShellGNU { } {
-          args = lib.cli.toGNUCommandLineShell { } {
+          org = "%i";
-            org = "%i";
+          token-path = "%d/token";
-            token-path = "%d/token";
+          api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
-            api-url = "${giteaCfg.settings.server.ROOT_URL}api/v1";
+          key-dir = "/var/lib/gitea-web/keys/%i";
-            key-dir = "/var/lib/gitea-web/keys/%i";
+          authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
-            authorized-keys-path = "/var/lib/gitea-web/authorized_keys.d/%i";
+          rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
-            rrsync-script = pkgs.writeShellScript "rrsync-chown" ''
+            mkdir -p "$1"
-              mkdir -p "$1"
+            ${lib.getExe pkgs.rrsync} -wo "$1"
-              ${lib.getExe pkgs.rrsync} -wo "$1"
+            ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
-              ${pkgs.coreutils}/bin/chown -R gitea-web:gitea-web "$1"
+          '';
-            '';
+          web-dir = "/var/lib/gitea-web/web";
-            web-dir = "/var/lib/gitea-web/web";
+        };
-          };
+      in "${giteaWebSecretProviderScript} ${args}";
        in
        "${giteaWebSecretProviderScript} ${args}";
      User = "gitea-web";
      Group = "gitea-web";
@@ -96,10 +85,7 @@ in
      ProtectControlGroups = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
-      RestrictAddressFamilies = [
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
        "AF_INET"
        "AF_INET6"
      ];
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      MemoryDenyWriteExecute = true;
@@ -119,9 +105,7 @@ in
  systemd.targets.timers.wants = map (org: "gitea-web-secret-provider@${org}.timer") organizations;
-  services.openssh.authorizedKeysFiles = map (
+  services.openssh.authorizedKeysFiles = map (org: "/var/lib/gitea-web/authorized_keys.d/${org}") organizations;
    org: "/var/lib/gitea-web/authorized_keys.d/${org}"
  ) organizations;
  users.users.nginx.extraGroups = [ "gitea-web" ];
  services.nginx.virtualHosts."pages.pvv.ntnu.no" = {
@@ -1,15 +1,9 @@
-{
+{ fp, values, lib, lupineName, ... }:
  fp,
  values,
  lupineName,
  ...
 }:
 {
  imports = [
    ./hardware-configuration/${lupineName}.nix
    (fp /base)
    ./services/gitea-runner.nix
  ];
@@ -17,10 +11,7 @@
  systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
    matchConfig.Name = "enp0s31f6";
-    address = with values.hosts.${lupineName}; [
+    address = with values.hosts.${lupineName}; [ (ipv4 + "/25") (ipv6 + "/64") ];
      (ipv4 + "/25")
      (ipv6 + "/64")
    ];
    networkConfig.LLDP = false;
  };
  systemd.network.wait-online = {
@@ -1,54 +1,41 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
    "xhci_pci"
    "ahci"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/a949e2e8-d973-4925-83e4-bcd815e65af7";
+    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
-    fsType = "ext4";
+      fsType = "btrfs";
-  };
+      options = [ "subvol=@root" "compress=zstd" ];
    };
-  fileSystems."/boot" = {
+  fileSystems."/nix" =
-    device = "/dev/disk/by-uuid/81D6-38D3";
+    { device = "/dev/disk/by-uuid/e88adbb7-de01-4f9b-b338-fffed743c259";
-    fsType = "vfat";
+      fsType = "btrfs";
-    options = [
+      options = [ "subvol=@nix" "compress=zstd" "noatime" ];
-      "fmask=0077"
+    };
-      "dmask=0077"
+
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/81D6-38D3";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
    ];
  };
  swapDevices = [
    { device = "/dev/disk/by-uuid/82c2d7fa-7cd0-4398-8cf6-c892bc56264b"; }
  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
@@ -1,53 +1,39 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
    "xhci_pci"
    "ahci"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/aa81d439-800b-403d-ac10-9d2aac3619d0";
+    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
-    fsType = "ext4";
+      fsType = "btrfs";
-  };
+      options = [ "subvol=@root" "compress=zstd" ];
    };
-  fileSystems."/boot" = {
+  fileSystems."/nix" =
-    device = "/dev/disk/by-uuid/4A34-6AE5";
+    { device = "/dev/disk/by-uuid/ab2e1a13-8e95-48d8-970c-64fa2fab52d0";
-    fsType = "vfat";
+      fsType = "btrfs";
-    options = [
+      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
-      "fmask=0077"
+    };
-      "dmask=0077"
+
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/4A34-6AE5";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
    ];
  };
  swapDevices = [
    { device = "/dev/disk/by-uuid/efb7cd0c-c1ae-4a86-8bc2-8e7fd0066650"; }
  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -1,54 +1,41 @@
 # Do not modify this file!  It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
+{ config, lib, pkgs, modulesPath, ... }:
  config,
  lib,
  pkgs,
  modulesPath,
  ...
 }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+    ];
-  boot.initrd.availableKernelModules = [
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
    "xhci_pci"
    "ahci"
    "usbhid"
    "sd_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
-  fileSystems."/" = {
+  fileSystems."/" =
-    device = "/dev/disk/by-uuid/39ba059b-3205-4701-a832-e72c0122cb88";
+    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
-    fsType = "ext4";
+      fsType = "btrfs";
-  };
+      options = [ "subvol=@root" "compress=zstd" ];
    };
-  fileSystems."/boot" = {
+  fileSystems."/nix" =
-    device = "/dev/disk/by-uuid/63FA-297B";
+    { device = "/dev/disk/by-uuid/0a5bda7c-af55-4d3d-9135-7f7cbb78004d";
-    fsType = "vfat";
+      fsType = "btrfs";
-    options = [
+      options = [ "subvol=@nix" "noatime" "compress=zstd" ];
-      "fmask=0077"
+    };
-      "dmask=0077"
+
  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/63FA-297B";
      fsType = "vfat";
      options = [ "fmask=0022" "dmask=0022" ];
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
    ];
  };
  swapDevices = [
    { device = "/dev/disk/by-uuid/9c72eb54-ea8c-4b09-808a-8be9b9a33869"; }
  ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
oysteikt	6bc767de6a	WIP: temmie/userweb: add log processor for apache Eval nix flake / evals (push) Successful in 4m36s Details	2026-05-26 00:12:34 +09:00
oysteikt	18ab1ef982	temmie/userweb: set `-i` and `-t` in sendmail wrapper Build topology graph / evals (push) Successful in 2m23s Details Eval nix flake / evals (push) Successful in 4m9s Details	2026-05-25 18:49:57 +09:00
oysteikt	5023edeb13	temmie/userweb: install `mod_perl` with custom env Build topology graph / evals (push) Successful in 2m23s Details Eval nix flake / evals (push) Successful in 4m2s Details	2026-05-25 18:24:23 +09:00
oysteikt	0d8c26c548	temmie/userweb: send `propagatedBuildInputs` through perl env wrapper Build topology graph / evals (push) Successful in 2m22s Details Eval nix flake / evals (push) Successful in 4m40s Details	2026-05-25 17:05:02 +09:00
oysteikt	bd244e7797	temmie/userweb: add `www2` server alias Build topology graph / evals (push) Successful in 3m56s Details Eval nix flake / evals (push) Successful in 4m49s Details	2026-05-25 16:24:35 +09:00
oysteikt	e9220bb31e	temmie/userweb: use `www-data`s UID + GID for backwards compat Build topology graph / evals (push) Successful in 2m21s Details Eval nix flake / evals (push) Successful in 4m36s Details	2026-05-25 15:25:26 +09:00
oysteikt	6beb9c62c3	temmie/userweb: use bro to proxy sendmail requests out of sandbox Build topology graph / evals (push) Successful in 2m42s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-25 15:02:40 +09:00
oysteikt	7429b334ca	README: add `temmie` to machine overview Build topology graph / evals (push) Successful in 2m44s Details Eval nix flake / evals (push) Successful in 6m12s Details	2026-05-25 11:59:17 +09:00
oysteikt	1595f67c55	flake.nix: allow `nvidia-kernel-modules` for wenche Build topology graph / evals (push) Successful in 2m39s Details Eval nix flake / evals (push) Successful in 6m20s Details	2026-05-25 11:35:25 +09:00
oysteikt	3f5eadcb87	base/resolved: use RFC42 format Build topology graph / evals (push) Successful in 2m42s Details Eval nix flake / evals (push) Failing after 3m12s Details	2026-05-25 10:40:04 +09:00
oysteikt	70c0ad8724	base: use RFC42 format for `systemd.sleep`	2026-05-25 10:40:04 +09:00
oysteikt	61ea0181a1	packages/mediawiki-extensions: REL1_44 -> REL1_45	2026-05-25 10:40:04 +09:00
oysteikt	3e22c1a47e	nixpkgs 26.05 🎉	2026-05-25 10:40:02 +09:00
vegardbm	0319858cad	Merge branch 'gluttony-bluemap' Build topology graph / evals (push) Successful in 2m57s Details Eval nix flake / evals (push) Successful in 4m18s Details	2026-05-25 03:32:15 +02:00
vegardbm	efd50868e0	bekkalokk: add back config added through bluemap module Eval nix flake / evals (pull_request) Successful in 5m24s Details Eval nix flake / evals (push) Successful in 4m26s Details	2026-05-25 03:28:49 +02:00
vegardbm	7a23cf7f25	bekkalokk: remove bluemap	2026-05-25 03:28:30 +02:00
vegardbm	57963fadd7	gluttony: add private key and set public key for bekkalokk	2026-05-25 03:22:13 +02:00
vegardbm	792f111a5d	bekkalokk: pull rendered map from gluttony	2026-05-25 03:22:13 +02:00
vegardbm	b27859c0fa	gluttony: export rendered bluemap to bekkalokk	2026-05-25 03:22:09 +02:00
vegardbm	eb0eb6d93b	add bekkalokk to known_hosts	2026-05-25 03:20:25 +02:00
vegardbm	6a943dd7b0	bluemap: set group to nginx only if nginx is enabled	2026-05-25 03:20:25 +02:00
vegardbm	c59c00f3fc	gluttony: setup bluemap	2026-05-25 03:20:21 +02:00
oysteikt	53670b4d05	flake.nix/inputs/disko: v1.11.0 -> v1.13.0 Eval nix flake / evals (push) Successful in 6m2s Details Build topology graph / evals (push) Successful in 2m51s Details	2026-05-24 23:05:48 +09:00
oysteikt	d92a5f13ad	base/journald-upload: fix target url Eval nix flake / evals (push) Successful in 4m18s Details Build topology graph / evals (push) Successful in 4m11s Details	2026-05-24 16:41:54 +09:00
oysteikt	16d3251ee2	shells/cuda: fix deprecated package attr warnings Eval nix flake / evals (push) Successful in 4m17s Details Build topology graph / evals (push) Successful in 4m19s Details	2026-05-24 15:23:33 +09:00
danio	09163b77da	Revert "bicep/matrix/livekit: open the rtc ports" Build topology graph / evals (push) Successful in 2m49s Details Eval nix flake / evals (push) Successful in 5m24s Details This reverts commit `4a67eddf52`.	2026-05-23 23:23:41 +02:00
vegardbm	6cca1db3b3	bekkalokk: fix permissions for mediawiki secrets Build topology graph / evals (push) Successful in 2m29s Details Eval nix flake / evals (push) Successful in 4m21s Details Eval nix flake / evals (pull_request) Successful in 3m49s Details	2026-05-22 20:21:24 +02:00
vegardbm	bfd83c4c64	uptime-kuma: wants to use /var/lib/private for state Build topology graph / evals (push) Successful in 2m32s Details Eval nix flake / evals (push) Successful in 3m49s Details	2026-05-22 17:58:00 +02:00
oysteikt	9a6fdecb03	kommode/gitea/dump: only keep a single dump at a time Eval nix flake / evals (push) Successful in 3m54s Details Build topology graph / evals (push) Successful in 3m59s Details	2026-05-22 18:27:57 +09:00
oysteikt	82ab97fb45	bekkalokk/roundcube: restart service on changed sops secrets Build topology graph / evals (push) Successful in 3m35s Details Eval nix flake / evals (push) Successful in 3m49s Details	2026-05-22 18:10:44 +09:00
oysteikt	543fd19f8d	bekkalokk/vaultwarden: restart service on changed sops secrets	2026-05-22 18:10:40 +09:00
oysteikt	6f99fa575d	bekkalokk/vaultwarden: render environment_file as sops template Eval nix flake / evals (push) Successful in 4m1s Details	2026-05-22 18:02:13 +09:00
oysteikt	3141b1f76b	bekkalokk/vaultwarden: remove redundant hardening Eval nix flake / evals (push) Successful in 3m51s Details This has already been upstreamed	2026-05-22 17:51:03 +09:00
oysteikt	475f6a8c9b	bekkalokk/vaultwarden: add rsa key to sops Eval nix flake / evals (push) Successful in 4m25s Details	2026-05-22 17:49:31 +09:00
oysteikt	9c1687f8f2	bekkalokk/vaultwarden: use envvar keys It seems like the nixpkgs module is compensating for previous config that might've ended up in a file, which are now being turned into screaming snake case environment variables. Let's just name them as they are supposed to be named instead of having the upstream module translate them.	2026-05-22 17:08:31 +09:00
oysteikt	0f53bcd731	bekkalokk/roundcube: add des_key to sops	2026-05-22 17:08:31 +09:00
felixalb	f433ae1e15	ustetind: remove from sops Build topology graph / evals (push) Successful in 2m30s Details Eval nix flake / evals (push) Successful in 4m45s Details rg -. to the rescue	2026-05-22 10:01:15 +02:00
oysteikt	5745648f87	bicep/postgres/repack: use local unix socket Build topology graph / evals (push) Successful in 2m48s Details Eval nix flake / evals (push) Successful in 4m22s Details	2026-05-22 15:59:59 +09:00
oysteikt	2c34a93abf	bicep/postgres/repack: don't kill connections on timeout Eval nix flake / evals (push) Successful in 3m51s Details Build topology graph / evals (push) Successful in 3m56s Details	2026-05-22 15:57:57 +09:00
oysteikt	9ebc947eab	ustetind: bai bai 👋 Build topology graph / evals (push) Successful in 2m48s Details Eval nix flake / evals (push) Successful in 6m47s Details	2026-05-22 15:41:28 +09:00
oysteikt	6fcc19f0a2	base/fluentbit: init Build topology graph / evals (push) Successful in 2m51s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-22 15:32:13 +09:00
oysteikt	9224f04bd1	base/promtail: remove	2026-05-22 15:32:13 +09:00
vegardbm	9c93f15569	change agekey for ildkule and update keys Build topology graph / evals (push) Successful in 2m31s Details Eval nix flake / evals (push) Successful in 5m8s Details update keys	2026-05-21 17:27:11 +02:00
oysteikt	5d6c153007	kommode/gitea: fix dump command Build topology graph / evals (push) Successful in 2m33s Details Eval nix flake / evals (push) Successful in 4m1s Details	2026-05-21 17:54:54 +09:00
oysteikt	8b483a92f8	ildkule: set `fsType` for bindmounts	2026-05-21 17:52:47 +09:00
oysteikt	0d7f05e56d	bicep/postgres: add cleanup timers Build topology graph / evals (push) Successful in 2m53s Details Eval nix flake / evals (push) Successful in 4m6s Details	2026-05-21 04:14:34 +09:00
danio	4a67eddf52	bicep/matrix/livekit: open the rtc ports Build topology graph / evals (push) Successful in 3m55s Details Eval nix flake / evals (push) Successful in 4m8s Details	2026-05-20 20:04:33 +02:00
oysteikt	08a23bd380	base/hardening: ban a few more modules Build topology graph / evals (push) Successful in 2m53s Details Eval nix flake / evals (push) Successful in 4m2s Details	2026-05-20 23:15:25 +09:00
oysteikt	28b67c3578	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 23:15:25 +09:00
vegardbm	e5804c043a	README: add gluttony Build topology graph / evals (push) Successful in 2m52s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-20 06:24:26 +02:00
vegardbm	9c227f3022	update gluttony IPs and boot device Build topology graph / evals (push) Successful in 2m54s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-20 06:07:41 +02:00
felixalb	69fdf709d7	grr: fix the heccin quotes Build topology graph / evals (push) Successful in 3m53s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-19 16:38:34 +02:00
adriangl	30ec70fa5f	fix: ildkule grub duplicated devices, format nix files Build topology graph / evals (push) Successful in 4m1s Details Eval nix flake / evals (push) Successful in 4m40s Details	2026-05-19 16:26:36 +02:00
adriangl	1024b428ac	feat: ildkule disco config Eval nix flake / evals (push) Failing after 2m24s Details Build topology graph / evals (push) Successful in 2m29s Details	2026-05-19 12:16:39 +02:00
adriangl	1e6b692fbf	fix: updated ildkule config and ips to match trd1 new setup Build topology graph / evals (push) Successful in 2m39s Details Eval nix flake / evals (push) Successful in 4m42s Details	2026-05-19 11:37:05 +02:00
vegardbm	beac6e91dd	flake.lock: bump pvv-nettsiden Build topology graph / evals (push) Successful in 2m55s Details Eval nix flake / evals (push) Successful in 4m38s Details	2026-05-17 16:58:04 +02:00
oysteikt	0fd41c214a	flake.{nix,lock}: bump deps Eval nix flake / evals (push) Successful in 4m7s Details Build topology graph / evals (push) Successful in 6m27s Details	2026-05-13 01:19:35 +09:00
oysteikt	5c1ee958ea	flake.{nix,lock}: bump roowho2 Build topology graph / evals (push) Successful in 2m34s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-12 00:25:55 +09:00
oysteikt	d8e97715c9	flake.lock: bump pvv-nettsiden	2026-05-12 00:24:56 +09:00
oysteikt	33297b0436	treewide: `lib.cli.toGNUCommandLineShell` -> `lib.cli.toCommandLineShellGNU` Build topology graph / evals (push) Successful in 2m33s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-11 23:09:50 +09:00
oysteikt	be33c95c83	bekkalokk/website: more logging, specify timeouts, ban spooky funcs, fake sendmail Build topology graph / evals (push) Successful in 2m33s Details Eval nix flake / evals (push) Successful in 4m5s Details	2026-05-11 21:14:08 +09:00
oysteikt	2abf36a9af	packages/simplesamlphp: 2.4.3 -> 2.5.0 Build topology graph / evals (push) Successful in 2m52s Details Eval nix flake / evals (push) Successful in 4m1s Details	2026-05-11 16:12:15 +09:00
oysteikt	a60be532ce	packages/mediawiki-extensions: bump all	2026-05-11 16:11:10 +09:00
oysteikt	9c142fd56f	kommode/gitea: remove deprecated config options Build topology graph / evals (push) Successful in 2m34s Details Eval nix flake / evals (push) Successful in 4m37s Details	2026-05-11 16:00:51 +09:00
oysteikt	b98e8679e6	temmie/userweb: set same phpOptions for env and apache Build topology graph / evals (push) Successful in 2m30s Details Eval nix flake / evals (push) Successful in 4m3s Details	2026-05-11 14:54:56 +09:00
oysteikt	ea092ec0b3	temmie/userweb: pass userdir user to sendmail through custom envvar Build topology graph / evals (push) Successful in 2m49s Details Eval nix flake / evals (push) Successful in 4m38s Details	2026-05-11 14:26:47 +09:00
oysteikt	5e50b617fb	temmie/userweb: switch from postfix to nullmailer Build topology graph / evals (push) Successful in 2m51s Details Eval nix flake / evals (push) Successful in 4m36s Details	2026-05-11 13:52:58 +09:00
oysteikt	258c5a7b25	temmie/userweb: set up sendmail wrapper Build topology graph / evals (push) Successful in 3m48s Details Eval nix flake / evals (push) Successful in 4m5s Details	2026-05-11 12:26:39 +09:00
oysteikt	b9eda3dc56	temmie/userweb: reduce package list Build topology graph / evals (push) Successful in 2m59s Details Eval nix flake / evals (push) Successful in 4m5s Details	2026-05-11 10:17:09 +09:00
vegardbm	2fcaf5893f	fix deprecation warning for mediawiki update script Build topology graph / evals (push) Successful in 2m56s Details Eval nix flake / evals (push) Successful in 5m1s Details	2026-05-09 20:40:14 +02:00
oysteikt	b009da31af	temmie/userweb: deny a bunch of spooky directories by default Build topology graph / evals (push) Successful in 3m57s Details Eval nix flake / evals (push) Successful in 5m13s Details It should still be possible for the user to re-enable these with `.htaccess`	2026-05-10 03:33:43 +09:00
oysteikt	e9a267e2a3	temmie/userweb: ignore collisions in fhs env Build topology graph / evals (push) Successful in 3m51s Details Eval nix flake / evals (push) Successful in 4m14s Details	2026-05-10 03:02:27 +09:00
oysteikt	338c2f2531	temmie/userweb: adjust perl and php env This adds and removes a few packages to make the environments closer to how they are on tom	2026-05-10 03:02:26 +09:00
felixalb	8db3034baf	Run shellcheck Eval nix flake / evals (pull_request) Successful in 4m11s Details Build topology graph / evals (push) Successful in 2m53s Details Eval nix flake / evals (push) Successful in 4m7s Details	2026-05-08 09:31:35 +02:00
oysteikt	f64f9c944e	topology: hook skrot up to the switch at the office Build topology graph / evals (push) Successful in 2m51s Details Eval nix flake / evals (push) Successful in 4m9s Details	2026-05-08 16:27:01 +09:00
oysteikt	baeb1e5e60	base/hardening: move hardening options from base/default Build topology graph / evals (push) Successful in 3m57s Details Eval nix flake / evals (push) Successful in 4m45s Details	2026-05-08 16:23:17 +09:00
oysteikt	86ca8dcdc3	base/hardening: ban a bunch more unimportant kernel modules	2026-05-08 16:23:17 +09:00
danio	11d1f8b442	bakke: the owls sick motorbike Build topology graph / evals (push) Successful in 4m7s Details Eval nix flake / evals (pull_request) Successful in 4m40s Details Eval nix flake / evals (push) Successful in 4m11s Details	2026-05-08 03:07:09 +02:00
felixalb	d8115c4031	bakke: add shading	2026-05-08 03:06:06 +02:00
felixalb	0d41326d9f	bakke: rest of the owl	2026-05-08 03:06:06 +02:00
felixalb	7baf3ffcb4	bakke: uninit	2026-05-08 03:06:06 +02:00
danio	45f10be9b4	secrets: delete skrott Build topology graph / evals (push) Successful in 3m53s Details Eval nix flake / evals (push) Successful in 4m26s Details	2026-05-08 03:01:11 +02:00
danio	06cd860d2f	README: change skrot link to point to skrot, not skrott Build topology graph / evals (push) Successful in 2m33s Details Eval nix flake / evals (push) Successful in 4m21s Details	2026-05-08 02:38:54 +02:00
danio	ebd8b871f4	skrott: yeetus deletus Build topology graph / evals (push) Successful in 2m43s Details Eval nix flake / evals (push) Successful in 4m59s Details	2026-05-08 01:08:48 +02:00
danio	14994485c5	base: mitigate dirtyfrag	2026-05-08 01:03:45 +02:00
oysteikt	f2752ee9a6	.gitea/workflows/*: remove redundant config Build topology graph / evals (push) Successful in 2m58s Details Eval nix flake / evals (push) Successful in 5m7s Details All of the extra config is now being included by default with the github action	2026-05-06 23:34:22 +09:00
oysteikt	bb20f32df8	.gitea/workflows: simplify some steps Build topology graph / evals (push) Successful in 4m34s Details Eval nix flake / evals (push) Successful in 5m57s Details	2026-04-29 08:34:38 +09:00
oysteikt	f83ae6de37	flake.lock: bump roowho2 Build topology graph / evals (push) Successful in 2m54s Details Eval nix flake / evals (push) Successful in 4m42s Details	2026-04-29 08:29:02 +09:00
oysteikt	f490e64516	flake.nix: bump greg-ng and gergle Build topology graph / evals (push) Successful in 2m58s Details Eval nix flake / evals (push) Successful in 6m25s Details Also follow unstable nixpkgs in order to use bleeding edge flutter	2026-04-25 07:09:41 +09:00
vegardbm	61c6639d3a	remove inactive users Build topology graph / evals (push) Successful in 2m50s Details Eval nix flake / evals (push) Successful in 4m39s Details	2026-04-23 14:18:52 +02:00
oysteikt	eee7e9ad7b	lupine/gitea-runner: register docker images for alpine v3.23 and ubuntu 26.04 Build topology graph / evals (push) Successful in 2m38s Details Eval nix flake / evals (push) Successful in 4m39s Details	2026-04-23 21:05:23 +09:00
oysteikt	3160d64167	packages/bluemap: 5.15 -> 5.20 Build topology graph / evals (push) Successful in 2m58s Details Eval nix flake / evals (push) Successful in 5m6s Details	2026-04-19 05:31:15 +09:00
oysteikt	23355317d6	lupine-3: update hardware config Build topology graph / evals (push) Successful in 2m54s Details Eval nix flake / evals (push) Successful in 5m14s Details	2026-04-19 01:26:25 +09:00
oysteikt	683e4b2dbc	lupine-3: update sops key	2026-04-19 01:26:12 +09:00
oysteikt	f52cf697cc	lupine-5: update hardware config Build topology graph / evals (push) Failing after 2m33s Details Eval nix flake / evals (push) Successful in 5m18s Details	2026-04-19 00:38:32 +09:00
oysteikt	8a9e92c706	lupine-5: update sops key	2026-04-19 00:38:24 +09:00
oysteikt	6dce8bac0e	lupine-4: re-enable gitea runner Build topology graph / evals (push) Successful in 3m4s Details Eval nix flake / evals (push) Successful in 5m41s Details	2026-04-19 00:22:30 +09:00
oysteikt	e2abbf224b	lupine-{1,2,4}: update hardware config Build topology graph / evals (push) Failing after 1s Details Eval nix flake / evals (push) Failing after 51s Details	2026-04-18 23:58:53 +09:00
oysteikt	a399f23785	lupine-{1,2,4}: update sops keys	2026-04-18 23:58:43 +09:00
oysteikt	69a22e2ba0	flake.lock: bump Build topology graph / evals (push) Successful in 4m4s Details Eval nix flake / evals (push) Successful in 10m52s Details	2026-04-02 13:06:30 +09:00
oysteikt	6be23feeca	packages/ooye: 3.3-unstable-2026-01-21 -> 3.5.1 Build topology graph / evals (push) Successful in 4m0s Details Eval nix flake / evals (push) Successful in 8m39s Details	2026-04-02 12:44:43 +09:00
vegardbm	1bfd4fe595	avoid using lupine-4 for gitea actions Build topology graph / evals (push) Successful in 3m25s Details Eval nix flake / evals (push) Successful in 10m2s Details	2026-03-26 06:05:41 +01:00
felixalb	2efe4a1d1e	Revert "base/acme: use different email alias for account" Build topology graph / evals (push) Successful in 3m27s Details Eval nix flake / evals (push) Successful in 8m41s Details This reverts commit `0d40c7d7a7`.	2026-03-22 12:52:33 +01:00
oysteikt	6ef02bd485	kommode/gitea: allow me to go fork myself Eval nix flake / evals (push) Failing after 4m1s Details Build topology graph / evals (push) Successful in 4m7s Details	2026-03-10 14:50:56 +09:00
vegardbm	6b1fb4c065	only cross-compile when necessary Build topology graph / evals (push) Successful in 3m59s Details Eval nix flake / evals (push) Successful in 10m4s Details This fixes issues with rebuilding georg and brzeczyszczykiewicz. Reviewed-on: #128 Reviewed-by: Oystein Kristoffer Tveit <oysteikt@pvv.ntnu.no> Co-authored-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com> Co-committed-by: Vegard Bieker Matthey <VegardMatthey@protonmail.com>	2026-02-21 21:14:04 +01:00